diff --git a/.sops.yaml b/.sops.yaml
deleted file mode 100644
index b5d0211..0000000
--- a/.sops.yaml
+++ /dev/null
@@ -1,96 +0,0 @@
-keys:
- - &admin_age_fi age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
- - &host_age_coturn age1vnrtarxwmqxflh2sxe2s49ldfzkve268hx62x4ltv38h3emv8dqspu028l
- - &host_age_forgejo age1d5y8dx3e8pksvxr8fv8f02v0y7qg7kuwpxpmxksp7xlvrcpfju5sdz6guk
- - &host_age_ikiwiki age1st5axcrn2s09effsjp6gl89rnwd967y007pzpzamlqydrpf7yeeqjwtnx0
- - &host_age_jellyfin age10huhyn3va02zjysyanf8fd6lpfvjv3k3u6qymanz9jtcmfp3kqfskth7yt
- - &host_age_keycloak age15kluaw2krucmc0j98zfk0s5tkwqer0ax6jva458zukzrgnqjqc9q7s88yd
- - &host_age_lifeline age1pmx78vda0c2qnn8epvkavl26e2939uj65608fdq959ds60d58ucsqwxsua
- - &host_age_mail-1 age1hny8kwx0uymselgas25q558ruxxdv7lgtu9d5rnd6x9w3nysk4zqumzzrp
- - &host_age_mastodon age1r60mmmeulm33h0trc0y870dml5hzhglyjv4wecyjy2858pg8u47s793r30
- - &host_age_matrix age1g60l5mu08xrwfw7uptwcwde8kp9dacs4ltqv2ndjskpy8z5sqakqssxxq5
- - &host_age_metrics age1lrtengtdc0nzpagr8fkp5mwqda66jqr0s2h3wsxcdscmalp8n3js3r0e3n
- - &host_age_metrics-nekomesh age1rh7zgp445t39c7tmh84r30e9edju8gmtn84u7rjwhmyntzkugucq5x0xse
- - &host_age_nextcloud age1lvlmct30jtg7p4qpf8evtjlld6g74q2ckh803hd3ynr7cz7zlceq84flwu
- - &host_age_searx age17h3js5v8s5vezcankky6kqxcrvtfxanmvhp3axmnqs4y9s2lr9yqvc6zrn
- - &host_age_torrent age1m37wtvp7fpavaygn2jc6kq2gtuvgvf0jgwwhd3p5862djv5segqs97mg7c
- - &host_age_valkyrie age1guqc5pnajp2whkla6vws4yqnpe5hq4z89w6te3n5yql5pugzfqlqczjlee
-creation_rules:
- - path_regex: config/hosts/coturn/.*
- key_groups:
- - age:
- - *admin_age_fi
- - *host_age_coturn
- - path_regex: config/hosts/forgejo/.*
- key_groups:
- - age:
- - *admin_age_fi
- - *host_age_forgejo
- - path_regex: config/hosts/ikiwiki/.*
- key_groups:
- - age:
- - *admin_age_fi
- - *host_age_ikiwiki
- - path_regex: config/hosts/jellyfin/.*
- key_groups:
- - age:
- - *admin_age_fi
- - *host_age_jellyfin
- - path_regex: config/hosts/keycloak/.*
- key_groups:
- - age:
- - *admin_age_fi
- - *host_age_keycloak
- - path_regex: config/hosts/lifeline/.*
- key_groups:
- - age:
- - *admin_age_fi
- - *host_age_lifeline
- - path_regex: config/hosts/mail-1/.*
- key_groups:
- - age:
- - *admin_age_fi
- - *host_age_mail-1
- - path_regex: config/hosts/mastodon/.*
- key_groups:
- - age:
- - *admin_age_fi
- - *host_age_mastodon
- - path_regex: config/hosts/matrix/.*
- key_groups:
- - age:
- - *admin_age_fi
- - *host_age_matrix
- - path_regex: config/hosts/metrics/.*
- key_groups:
- - age:
- - *admin_age_fi
- - *host_age_metrics
- - path_regex: config/hosts/metrics-nekomesh/.*
- key_groups:
- - age:
- - *admin_age_fi
- - *host_age_metrics-nekomesh
- - path_regex: config/hosts/nextcloud/.*
- key_groups:
- - age:
- - *admin_age_fi
- - *host_age_nextcloud
- - path_regex: config/hosts/searx/.*
- key_groups:
- - age:
- - *admin_age_fi
- - *host_age_searx
- - path_regex: config/hosts/torrent/.*
- key_groups:
- - age:
- - *admin_age_fi
- - *host_age_torrent
- - path_regex: config/hosts/valkyrie/.*
- key_groups:
- - age:
- - *admin_age_fi
- - *host_age_valkyrie
-stores:
- yaml:
- indent: 2
diff --git a/config/common/default.nix b/config/common/default.nix
index 0fa2d0b..459289f 100644
--- a/config/common/default.nix
+++ b/config/common/default.nix
@@ -35,7 +35,6 @@
 parted
 tmux
 nano
- ssh-to-age
 tcpdump
 ];
diff --git a/config/hosts/coturn/coturn.nix b/config/hosts/coturn/coturn.nix
index 0b266ba..719c872 100644
--- a/config/hosts/coturn/coturn.nix
+++ b/config/hosts/coturn/coturn.nix
@@ -5,7 +5,7 @@
 min-port = 49200;
 max-port = 49500;
 use-auth-secret = true;
- static-auth-secret-file = "/run/secrets/static-auth-secret";
+ static-auth-secret-file = "/secrets/static-auth-secret.secret";
 realm = "turn.nekover.se";
 cert = "${config.security.acme.certs."turn.nekover.se".directory}/fullchain.pem";
 pkey = "${config.security.acme.certs."turn.nekover.se".directory}/key.pem";
@@ -42,11 +42,4 @@
 total-quota=1200
 '';
 };
-
- sops.secrets."static-auth-secret" = {
- mode = "0440";
- owner = "turnserver";
- group = "turnserver";
- restartUnits = [ "coturn.service" ];
- };
 }
diff --git a/config/hosts/coturn/default.nix b/config/hosts/coturn/default.nix
index 36644a0..bc32a3d 100644
--- a/config/hosts/coturn/default.nix
+++ b/config/hosts/coturn/default.nix
@@ -4,6 +4,5 @@
 ./configuration.nix
 ./acme.nix
 ./coturn.nix
- ./sops.nix
 ];
 }
diff --git a/config/hosts/coturn/secrets.nix b/config/hosts/coturn/secrets.nix
new file mode 100644
index 0000000..48fd211
--- /dev/null
+++ b/config/hosts/coturn/secrets.nix
@@ -0,0 +1,11 @@
+{ keyCommandEnv,... }:
+{
+ deployment.keys."static-auth-secret.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "coturn/static-auth-secret" ];
+ destDir = "/secrets";
+ user = "turnserver";
+ group = "turnserver";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+}
diff --git a/config/hosts/coturn/secrets.yaml b/config/hosts/coturn/secrets.yaml
deleted file mode 100644
index d90c1c5..0000000
--- a/config/hosts/coturn/secrets.yaml
+++ /dev/null
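Review bot: `destDir = "/secrets"` writes the decrypted static-auth-secret to the root filesystem, whereas the sops-nix `/run/secrets` path it replaces was, as far as I recall, a RAM-backed mount, so plaintext secrets now persist on disk across reboots and into any disk image or backup of the host; if that is not intended, the key tooling's default `/run/keys` (tmpfs) keeps the previous property. The same applies to the new secrets.nix files for forgejo, hydra, ikiwiki, jellyfin, keycloak, lifeline and mail-1. The removed `restartUnits = [ "coturn.service" ]` also had no replacement here: a rotated key uploaded with `uploadAt = "pre-activation"` is not picked up by a running coturn until the service is restarted, so rotation now needs a manual restart or an explicit unit dependency on the key. Nothing in the hunk sets the mode of the `/secrets` directory itself; confirm it is not world-readable on the deployed hosts.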
@@ -1,25 +0,0 @@ -static-auth-secret: ENC[AES256_GCM,data:af5cjUSeiCEtYki85h+XoJW5FKY4X18i6zOBZnH64Ju/LwA/yUemA8co17TG5cQnc/sw1pz6LySL2DOq/Gj42g==,iv:Yne84/VLN0jCSulA5OQ0UKbQWkqWBmHYogDuAngAp48=,tag:wJ/4yGnbypjTo/akV3P9ZA==,type:str] -sops: - age: - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLMXRScDR1NzhzZGRXYUZQ - ZGpRYUlOUWZTVHQvdUlrSG5SRWM2ME9sdUVZCldCZkZ0SXdqUjBVNlRnckg3N0dS - S0s2NkRnQys2SGJKSTdiUWlnbTg1dkEKLS0tIGthb0FESjAyMjlEbnV4S0lPOHda - S1ZBOWdTSmNRQXMvUGJnd05sK1Q2Qk0KHseEBDVLeSWHdgrYyITRuJyp3orrjwwS - 04ORMniHR7ymHzRPvm3oX/jkFD0iJEmk8clgm/Gcn2AQ7xXeJO7Vnw== - -----END AGE ENCRYPTED FILE----- - recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmemxWRnFLMFVEcVZCb3BT - MStWU21kcnF5enpleWt3dFdaMHo3RzJGaENNClU2M2tmdE0zd2pXWUJHQkV5Mkhi - a0lIbHJmWDN6UXhVeTZId3RhcEd5TWcKLS0tIFRlSUNQN0pGYmtiOGxJS0pJY0tQ - YjFzS205QklRZWdPbklIRzVzbFFPT2sKCXra+DUchbomy9pe2HJAbhAF1mstgUcv - NalettWmuLXe2B0WjC9fAy2AAJS6kysEbUh960suzSPLTqTce0MGfA== - -----END AGE ENCRYPTED FILE----- - recipient: age1vnrtarxwmqxflh2sxe2s49ldfzkve268hx62x4ltv38h3emv8dqspu028l - lastmodified: "2026-05-16T23:13:15Z" - mac: ENC[AES256_GCM,data:PxX20JAaYhj3DE1KjakVmVucL7jjZU0vh5vnSNmKLgqedJiV2ZqEXpF4s1WPgYTY723aLiWDLw/8kTF/VmvMs8zOdGSkIhojWIWFE6I2yq1MjlawXuUhGpe6C1XGQ+w0KTqzyJLxyIsUSH24GqPHmLRMStE7bYdr0a4lRBHEyqE=,iv:6tXoqhG1XqDAz4SZSIxFCi01Be76/dV4vFPwv3lkcps=,tag:ytLoh7gJ+Iuqv5AwhDElrw==,type:str] - unencrypted_suffix: _unencrypted - version: 3.13.0 diff --git a/config/hosts/coturn/sops.nix b/config/hosts/coturn/sops.nix deleted file mode 100644 index 78dc2c8..0000000 --- a/config/hosts/coturn/sops.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ ... }: -{ - sops = { - defaultSopsFile = ./secrets.yaml; - }; -} diff --git a/config/hosts/forgejo/default.nix b/config/hosts/forgejo/default.nix index 7de3a33..d71bcad 100644 
--- a/config/hosts/forgejo/default.nix
+++ b/config/hosts/forgejo/default.nix
@@ -5,6 +5,5 @@
 ./forgejo.nix
 ./redis.nix
 ./nginx.nix
- ./sops.nix
 ];
 }
diff --git a/config/hosts/forgejo/forgejo.nix b/config/hosts/forgejo/forgejo.nix
index 21e9269..c60c00f 100644
--- a/config/hosts/forgejo/forgejo.nix
+++ b/config/hosts/forgejo/forgejo.nix
@@ -4,7 +4,6 @@
 enable = true;
 package = pkgs.forgejo;
 database.type = "postgres";
- lfs.enable = true;
 settings = {
 DEFAULT = {
@@ -18,7 +17,6 @@
 ROOT_URL = "https://git.nekover.se/";
 # LOCAL_ROOT_URL is apparently what Forgejo uses to access itself.
 # Doesn't need to be set.
- OFFLINE_MODE = true;
 };
 admin = {
 DISABLE_REGULAR_ORG_CREATION = false;
@@ -36,10 +34,11 @@
 DEFAULT_USER_VISIBILITY = "limited";
 DEFAULT_KEEP_EMAIL_PRIVATE = true;
 ENABLE_BASIC_AUTHENTICATION = false;
- ENABLE_NOTIFY_MAIL = true;
+ };
+ repo = {
+ DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";
 };
 repository = {
- DEFAULT_REPO_UNITS = "repo.code";
 ENABLE_PUSH_CREATE_USER = true;
 ENABLE_PUSH_CREATE_ORG = true;
 };
@@ -61,13 +60,6 @@
 HOST = "redis+socket:///run/redis-forgejo/redis.sock";
 };
 };
- secrets.mailer.PASSWD = "/run/secrets/forgejo-mailer-password";
- };
-
- sops.secrets."forgejo-mailer-password" = {
- mode = "0440";
- owner = "forgejo";
- group = "forgejo";
- restartUnits = [ "forgejo.service" ];
+ secrets.mailer.PASSWD = "/secrets/forgejo-mailer-password.secret";
 };
 }
diff --git a/config/hosts/forgejo/nginx.nix b/config/hosts/forgejo/nginx.nix
index 3602209..6df90b1 100644
--- a/config/hosts/forgejo/nginx.nix
+++ b/config/hosts/forgejo/nginx.nix
@@ -29,8 +29,7 @@
 };
 extraConfig = ''
- set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
- set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
+ set_real_ip_from 10.202.41.100;
 real_ip_header proxy_protocol;
 '';
 };
diff --git a/config/hosts/forgejo/secrets.nix b/config/hosts/forgejo/secrets.nix
new file mode 100644
index 0000000..5c23295
--- /dev/null
+++ b/config/hosts/forgejo/secrets.nix
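Review bot: The new `repo = { DEFAULT_REPO_UNITS = ...; };` block in the `@@ -36,10 +34,11 @@` hunk writes the setting into an `[repo]` section that Forgejo does not read; `DEFAULT_REPO_UNITS` belongs to `[repository]`, the section the removed `"repo.code"` line sat in, so new repositories will fall back to Forgejo's built-in default unit set (which enables more units than the three listed) rather than the intended restriction. Drop the `repo` attribute and put `DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";` back inside `repository = { ... };`. Separately, removing `OFFLINE_MODE = true` in the `@@ -18,7 +17,6 @@` hunk lets the instance and its users' browsers contact external avatar/CDN endpoints again; if that is intentional it is worth a short comment, since the surrounding lines document the other DEFAULT options.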
@@ -0,0 +1,13 @@
+{ keyCommandEnv, ... }:
+{
+ deployment.keys = {
+ "forgejo-mailer-password.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "mail/forgejo-nekover-se" ];
+ destDir = "/secrets";
+ user = "forgejo";
+ group = "forgejo";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ };
+}
diff --git a/config/hosts/forgejo/secrets.yaml b/config/hosts/forgejo/secrets.yaml
deleted file mode 100644
index e4a1309..0000000
--- a/config/hosts/forgejo/secrets.yaml
+++ /dev/null
@@ -1,25 +0,0 @@ -forgejo-mailer-password: ENC[AES256_GCM,data:bFUrFyE/reeTtKZCrb1T1CG8Ng9QbDwZo9AdxU67i8uNmKcn93k3dqY70tSqBTAc9hpsXyW3UTKnPpk+ffb0mw==,iv:p16td5KV0rTmrrtX8FMojotEa+2oiFmVizkc6mt9QyI=,tag:czg/IlNLkx75m2iSddUkUw==,type:str] -sops: - age: - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFNjVaNlFWeG9vMW4vM2R3 - bWQyVk9jN1VkUUczbTBzUmdpZ2NyWlV4aVFjCmZwa0lDcXUzVDM4d1Mwa1B4Qm9q - WjVKMXJBRVNtc0JzcmE0Y20zdCtzM3cKLS0tIEJWanpwZHdPMGJiL0lkME9yVGQ1 - a3ZvRGV3VENIbmlubG16MWF3SkdyQ00KZj5vuzVyCqbLH5gnQjhRpOfHtIB3RVZC - m+VdnnAFIfShrxwfOekVavffaHmG3PWS7RUKoeZNSdtz1ScuwfazPw== - -----END AGE ENCRYPTED FILE----- - recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYOEdadnQvSW1mcE9hSmFL - aFlqdHpTejNZRXJCbTh4WjQyQXVobitaa2hFCjV1RU9UOGlqaXhIckNLMmYwb0s2 - eHY2VVpiQThzQUNuS1FLbFd3V2NGZk0KLS0tIGdOK3VEOUlNcldBQ1haRHhVS0cw - N3ZoNWlVK2trVkJLQlhnaHFueFdqVEkK800paYmP1opnW7o2V8f2zzWNR5tOVYGs - fl+SA7hE7uTpRrrGfuZq0jQgWOaeAbJ3+PzRuSrVlrXdWIyipcZM2Q== - -----END AGE ENCRYPTED FILE----- - recipient: age1d5y8dx3e8pksvxr8fv8f02v0y7qg7kuwpxpmxksp7xlvrcpfju5sdz6guk - lastmodified: "2026-05-17T00:50:59Z" - mac: ENC[AES256_GCM,data:I3a9s9i6sFVTRQIAj94YZNyxQsDIWIvRhy9M/e6iMYpvoQyxFvMD3xAE0NQ1uX1QgMoi+6njTc8AmTXFJvSfoiqtVfHQH+HkLPMR27DZUY6kgZGMvUVswioSKfaF8fZxGEyWRPAuTDlynfOsGpr4Tqt5U8NBiYL1FDD6CPALaiY=,iv:RUbSPPTR6cTWwzvbnQRA/f9AjjjOpQUiEBrWvxqCpTQ=,tag:GcGsBgxWU/AXm06FkUI1LA==,type:str] - unencrypted_suffix: _unencrypted - version: 3.13.0 diff --git a/config/hosts/forgejo/sops.nix b/config/hosts/forgejo/sops.nix deleted file mode 100644 index 78dc2c8..0000000 --- a/config/hosts/forgejo/sops.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ ... }: -{ - sops = { - defaultSopsFile = ./secrets.yaml; - }; -} diff --git a/config/hosts/hydra/configuration.nix b/config/hosts/hydra/configuration.nix new file mode 100644 index 0000000..9b554d8 
--- /dev/null
+++ b/config/hosts/hydra/configuration.nix
@@ -0,0 +1,51 @@
+{ ... }:
+{
+ boot = {
+ loader.grub = {
+ enable = true;
+ device = "/dev/vda";
+ };
+
+ binfmt.emulatedSystems = [
+ "armv6l-linux"
+ "armv7l-linux"
+ "aarch64-linux"
+ ];
+ };
+
+ networking = {
+ hostName = "hydra";
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 8443 ];
+ };
+ };
+
+ users.users.builder = {
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK/plZfxF/RtB+pJsUYx9HUgRcB56EoO0uj+j3AGzZta root@cherry"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKeIiHkHA5c6/jZx+BB28c5wchdzlFI7R1gbvNmPyoOg root@kiara"
+ ];
+ };
+
+ nix = {
+ settings = {
+ trusted-users = [ "builder" ];
+ allowed-uris = "http:// https://";
+ };
+ buildMachines = [
+ {
+ hostName = "localhost";
+ systems = [
+ "x86_64-linux"
+ "armv6l-linux"
+ "armv7l-linux"
+ "aarch64-linux"
+ ];
+ }
+ ];
+ };
+
+ system.stateVersion = "23.05";
+}
diff --git a/config/hosts/hydra/default.nix b/config/hosts/hydra/default.nix
new file mode 100644
index 0000000..aeffee1
--- /dev/null
+++ b/config/hosts/hydra/default.nix
@@ -0,0 +1,9 @@
+{ ... }:
+{
+ imports = [
+ ./configuration.nix
+ ./hydra.nix
+ ./nix-serve.nix
+ ./nginx.nix
+ ];
+}
diff --git a/config/hosts/hydra/hydra.nix b/config/hosts/hydra/hydra.nix
new file mode 100644
index 0000000..c8d4c3f
--- /dev/null
+++ b/config/hosts/hydra/hydra.nix
@@ -0,0 +1,14 @@
+{ ... }:
+{
+ services.hydra = {
+ enable = true;
+ hydraURL = "https://hydra.nekover.se";
+ listenHost = "localhost";
+ port = 3001;
+ useSubstitutes = true;
+ notificationSender = "hydra@robot.grzb.de";
+ extraConfig = "
+ binary_cache_public_uri = https://nix-cache.nekover.se
+ ";
+ };
+}
diff --git a/config/hosts/hydra/nginx.nix b/config/hosts/hydra/nginx.nix
new file mode 100644
index 0000000..5a15fe1
--- /dev/null
+++ b/config/hosts/hydra/nginx.nix
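Review bot: `allowed-uris = "http:// https://"` is a prefix allowlist, and these two prefixes match every http(s) URL, so Hydra's restricted evaluation no longer limits where jobset expressions may fetch from; if the jobsets only come from a known set of forges, list those origins (e.g. the `https://git.nekover.se/` instance configured elsewhere in this change) instead of the bare schemes. `trusted-users = [ "builder" ]` lets that account override daemon settings such as `sandbox` and `substituters`, which is close to root on the Nix side; that is the documented requirement for an account that serves remote builds from root@cherry and root@kiara, but a comment stating that purpose, e.g. `# builder is trusted so cherry/kiara can push unsigned build inputs via ssh`, would keep the next reader from widening it. Both lines are in the `nix.settings` block of this hunk.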
@@ -0,0 +1,42 @@
+{ ... }:
+{
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "hydra.nekover.se" = {
+ forceSSL = true;
+ enableACME = true;
+ listen = [{
+ addr = "0.0.0.0";
+ port = 80;
+ }];
+ locations."/" = {
+ proxyPass = "http://localhost:3001";
+ };
+ extraConfig = ''
+ listen 0.0.0.0:8443 http2 ssl proxy_protocol;
+
+ set_real_ip_from 10.202.41.100;
+ real_ip_header proxy_protocol;
+ '';
+ };
+ "nix-cache.nekover.se" = {
+ forceSSL = true;
+ enableACME = true;
+ listen = [ {
+ addr = "0.0.0.0";
+ port = 80;
+ }];
+ locations."/" = {
+ proxyPass = "http://localhost:5005";
+ };
+ extraConfig = ''
+ listen 0.0.0.0:8443 http2 ssl proxy_protocol;
+
+ set_real_ip_from 10.202.41.100;
+ real_ip_header proxy_protocol;
+ '';
+ };
+ };
+ };
+}
diff --git a/config/hosts/hydra/nix-serve.nix b/config/hosts/hydra/nix-serve.nix
new file mode 100644
index 0000000..75c18cb
--- /dev/null
+++ b/config/hosts/hydra/nix-serve.nix
@@ -0,0 +1,9 @@
+{ ... }:
+{
+ services.nix-serve = {
+ enable = true;
+ port = 5005;
+ bindAddress = "localhost";
+ secretKeyFile = "/secrets/signing-key.secret";
+ };
+}
diff --git a/config/hosts/hydra/secrets.nix b/config/hosts/hydra/secrets.nix
new file mode 100644
index 0000000..43329f7
--- /dev/null
+++ b/config/hosts/hydra/secrets.nix
@@ -0,0 +1,11 @@
+{ keyCommandEnv, ... }:
+{
+ deployment.keys."signing-key.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "hydra/signing-key" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+}
diff --git a/config/hosts/ikiwiki/default.nix b/config/hosts/ikiwiki/default.nix
index 32d16c7..bc9766c 100644
--- a/config/hosts/ikiwiki/default.nix
+++ b/config/hosts/ikiwiki/default.nix
@@ -4,6 +4,5 @@
 ./configuration.nix
 ./ikiwiki.nix
 ./nginx.nix
- ./sops.nix
 ];
 }
diff --git a/config/hosts/ikiwiki/nginx.nix b/config/hosts/ikiwiki/nginx.nix
index 6b09cb0..4bbcf0a 100644
--- a/config/hosts/ikiwiki/nginx.nix
+++ b/config/hosts/ikiwiki/nginx.nix
@@ -26,7 +26,7 @@ in
 tryFiles = "$uri $uri/ =404";
 };
 "~ .cgi" = {
- basicAuthFile = "/run/secrets/auth_file";
+ basicAuthFile = "/secrets/ikiwiki-auth-file.secret";
 extraConfig = ''
 gzip off;
 fastcgi_pass unix:${config.services.fcgiwrap.instances."ikiwiki".socket.address};
@@ -39,17 +39,9 @@ in
 };
 };
 extraConfig = ''
- set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
- set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
+ set_real_ip_from 10.202.41.100;
 real_ip_header proxy_protocol;
 '';
 };
 };
-
- sops.secrets."auth_file" = {
- mode = "0440";
- owner = "nginx";
- group = "nginx";
- restartUnits = [ "nginx.service" ];
- };
 }
diff --git a/config/hosts/ikiwiki/secrets.nix b/config/hosts/ikiwiki/secrets.nix
new file mode 100644
index 0000000..d366c75
--- /dev/null
+++ b/config/hosts/ikiwiki/secrets.nix
@@ -0,0 +1,11 @@
+{ keyCommandEnv, ... }:
+{
+ deployment.keys."ikiwiki-auth-file.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "ikiwiki/auth-file" ];
+ destDir = "/secrets";
+ user = "nginx";
+ group = "nginx";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+}
diff --git a/config/hosts/ikiwiki/secrets.yaml b/config/hosts/ikiwiki/secrets.yaml
deleted file mode 100644
index a707f57..0000000
--- a/config/hosts/ikiwiki/secrets.yaml
+++ /dev/null
@@ -1,25 +0,0 @@ -auth_file: ENC[AES256_GCM,data:5/uT1sIOI95LNA9YFWh3I9J2PCZmz/J38YxVsKVWFHfJdZUOQpSW6ekjX7StP/svtv6Tp0AonnvcKfRcyPYn,iv:NKdWae+EihasTMV24Hk+dKJG8032mWu+RWItWs0b6RE=,tag:WBM6pXlKaDXOMnBWGBLJWg==,type:str] -sops: - age: - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArNDZLcEFGRHczMHg3S0w3 - eTNvNGI5TXBWTTc1eXAzZStlSmZTQ3NkdTA4CmlYVEF1NWhldVZuZmwzTUU0NG5j - UFhvU3Q3Q1BvVHhrODJWc296UUo0TmMKLS0tIFFlUGRYVDNNYm40cXhlZ004eFk5 - b3BnLzBjZFpjVDN2clZaTGlWV29NVUEKsdK4V5Og+bK26Gl6HTkOBtFrHfr1RFYu - zWNGQ3skkvATO/ypa0zFf3+qnupCTTO5emwscoRK8ZZFVgSswdnbIA== - -----END AGE ENCRYPTED FILE----- - recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPOUJXWW95OXlEZFFwbHlp - RzJJMDFJU2pUTjltZ1JaWjE5c0xPY0hvNUdZCk5uWk9kdlRWNTNVUUVmT3VVeE9j - ajNNeVlZcEw4WFdqZ2QwTXl2MlhVZ2cKLS0tIFVVUXJtWkhtREFsdXp5ODZkOTA1 - b1h3THFYSU1yblM0WmdxTUVtZG1OYVUK5tmcOX+jOdbSD1YCPqcAeoGF8ny61lWY - xwguejMeVZ/pCjO/qf3tb+MUlInPMXva59FelGd3nz6cbVqbeWtxSQ== - -----END AGE ENCRYPTED FILE----- - recipient: age1st5axcrn2s09effsjp6gl89rnwd967y007pzpzamlqydrpf7yeeqjwtnx0 - lastmodified: "2026-05-16T22:13:21Z" - mac: ENC[AES256_GCM,data:McAN1DueAhDBAY8kloB5l8M0pLIeswtnCxBtMYFyzBaY2Z43gNetBwdpzs5sL4nEmAZGPJ9AjXJVSmjb1tOn3BF8X5n6/9F7DzvHT7ukpIjumGC0KeB0QfaIGgKJyo7koISIVlGFZAwgcf1fQwaKZsYzfOGelj7UNrzFCjArK+Y=,iv:oZUmzcEr08jROw24J2fXQ4EjEJH3vzYysdy51vEtUNM=,tag:QJjNb/YvuZrZtQD9QE1Z3g==,type:str] - unencrypted_suffix: _unencrypted - version: 3.13.0 diff --git a/config/hosts/ikiwiki/sops.nix b/config/hosts/ikiwiki/sops.nix deleted file mode 100644 index 78dc2c8..0000000 --- a/config/hosts/ikiwiki/sops.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ ... }: -{ - sops = { - defaultSopsFile = ./secrets.yaml; - }; -} diff --git a/config/hosts/jellyfin/default.nix b/config/hosts/jellyfin/default.nix index 70a20a7..33e2290 100644 --- a/config/hosts/jellyfin/default.nix 
+++ b/config/hosts/jellyfin/default.nix
@@ -5,6 +5,5 @@
 ./hardware-configuration.nix
 ./jellyfin.nix
 ./nginx.nix
- ./sops.nix
 ];
 }
diff --git a/config/hosts/jellyfin/hardware-configuration.nix b/config/hosts/jellyfin/hardware-configuration.nix
index f89a9e5..764a903 100644
--- a/config/hosts/jellyfin/hardware-configuration.nix
+++ b/config/hosts/jellyfin/hardware-configuration.nix
@@ -5,7 +5,7 @@
 fsType = "cifs";
 options = [
 "username=jellyfin"
- "credentials=/run/secrets/samba-credentials"
+ "credentials=/secrets/samba-credentials.secret"
 "iocharset=utf8"
 "vers=3.1.1"
 "uid=jellyfin"
@@ -13,10 +13,4 @@
 "_netdev"
 ];
 };
-
- sops.secrets."samba-credentials" = {
- mode = "0440";
- owner = "root";
- group = "root";
- };
 }
diff --git a/config/hosts/jellyfin/secrets.nix b/config/hosts/jellyfin/secrets.nix
new file mode 100644
index 0000000..922d4c4
--- /dev/null
+++ b/config/hosts/jellyfin/secrets.nix
@@ -0,0 +1,11 @@
+{ keyCommandEnv, ... }:
+{
+ deployment.keys."samba-credentials.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "jellyfin/samba-credentials" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+}
diff --git a/config/hosts/jellyfin/secrets.yaml b/config/hosts/jellyfin/secrets.yaml
deleted file mode 100644
index c4653bc..0000000
--- a/config/hosts/jellyfin/secrets.yaml
+++ /dev/null
@@ -1,25 +0,0 @@ -samba-credentials: ENC[AES256_GCM,data:9txZMLLwlyAMzI3Naag3tUD1zSXLAf/zoJFoJZYTChhmkPpuhuuaIANFcYmH2sUYSsvZLXlbBuLXRryjTix0zK9ZfkZW8/R1vg==,iv:cF3S9S2+Vk+VAb8gyFyxZ12fqmohHSD3GG0fTILrxRM=,tag:m4BqpUlKmUoPbXTEjFmjaA==,type:str] -sops: - age: - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzb3dQYWM4SHVraHFPZEx6 - aGpDcTEyVjZ6Y0h6YzM4aVliRXpqZFpLcnprCmNEOHFrby9IdEE1MTZIYWxrS3BS - ZHZTSmYxUW9pek5XblIyZ2FDVlV0TEkKLS0tIEN6NnErRXI3ejc3cVBiSVR6NlpC - a2tnWWxDaXgwQ3hmc0dreTNIRnl0cTAKCSaj/epLw16tVDX4OMCzutxlnARL8MDf - pUVDonkZ7sB7d1+mnyG+gMQuFDhiDcV9WS2h3M83xoSKoHnCkca9Ew== - -----END AGE ENCRYPTED FILE----- - recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlbUdFMlZvVXlzc3FPSmE4 - Rk1jeUpDVUJMeUlJZDlYeHhwK2l6UkJNRVFVCjNUVS9ZMjI2ME9qTFM0Umc3dXZC - Z0todzhYSXZ5Yk5odUdOZGg3VnE3QW8KLS0tIGd1emhUMFVHT3JiZ1JhY0FWOU1i - cW9PWk9oRHZGeFlSdlVLSlJ6TVg4WnMKikUhDJNyuKdiazCUcKBo834NO3U6ZfjB - GbDn3wUKb465CDYw7GPcvZtM2mNufsoInZh+Oq/07Hi+seAXfX2y7A== - -----END AGE ENCRYPTED FILE----- - recipient: age10huhyn3va02zjysyanf8fd6lpfvjv3k3u6qymanz9jtcmfp3kqfskth7yt - lastmodified: "2026-05-17T00:58:22Z" - mac: ENC[AES256_GCM,data:0WF8JU4d+5nHHB5iBmqdS6TkZem2AHrYNx6zDm4yoIKip7ZVTfCPCyhZ4c3QseEBn1G2IXsTMEtIk6RVI2JigSJPLjyXOTJOeWjVtPD5+1I+mrU7z+YWN+sK5i4F1hQX7/E4JbTDh/h+NbqZ6I9pBq7Nm12QUtZdp/7R5qChXs4=,iv:DBdSDx/X8fh7SXiC073AtDMPDB9idKItzEz2fl7xe+g=,tag:0O1pZp6+Y2Uf2DlijwZLeg==,type:str] - unencrypted_suffix: _unencrypted - version: 3.13.0 diff --git a/config/hosts/jellyfin/sops.nix b/config/hosts/jellyfin/sops.nix deleted file mode 100644 index 78dc2c8..0000000 --- a/config/hosts/jellyfin/sops.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ ... }: -{ - sops = { - defaultSopsFile = ./secrets.yaml; - }; -} diff --git a/config/hosts/keycloak/default.nix b/config/hosts/keycloak/default.nix index 83d170e..6289ce6 100644 
--- a/config/hosts/keycloak/default.nix
+++ b/config/hosts/keycloak/default.nix
@@ -4,6 +4,5 @@
 ./configuration.nix
 ./keycloak.nix
 ./nginx.nix
- ./sops.nix
 ];
 }
diff --git a/config/hosts/keycloak/keycloak.nix b/config/hosts/keycloak/keycloak.nix
index a069fd1..2ae957b 100644
--- a/config/hosts/keycloak/keycloak.nix
+++ b/config/hosts/keycloak/keycloak.nix
@@ -10,13 +10,6 @@
 http-host = "127.0.0.1";
 http-port = 8080;
 };
- database.passwordFile = "/run/secrets/keycloak-database-password";
- };
-
- sops.secrets."keycloak-database-password" = {
- mode = "0440";
- owner = "root";
- group = "systemd-network";
- restartUnits = [ "keycloak.service" ];
+ database.passwordFile = "/secrets/keycloak-database-password.secret";
 };
 }
diff --git a/config/hosts/keycloak/nginx.nix b/config/hosts/keycloak/nginx.nix
index e9b46cd..c82597d 100644
--- a/config/hosts/keycloak/nginx.nix
+++ b/config/hosts/keycloak/nginx.nix
@@ -27,8 +27,7 @@
 extraConfig = ''
 listen 0.0.0.0:8443 http2 ssl proxy_protocol;
- set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
- set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
+ set_real_ip_from 10.202.41.100;
 real_ip_header proxy_protocol;
 add_header Strict-Transport-Security "max-age=63072000" always;
diff --git a/config/hosts/keycloak/secrets.nix b/config/hosts/keycloak/secrets.nix
new file mode 100644
index 0000000..984e9ad
--- /dev/null
+++ b/config/hosts/keycloak/secrets.nix
@@ -0,0 +1,13 @@
+{ keyCommandEnv, ... }:
+{
+ deployment.keys = {
+ "keycloak-database-password.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "keycloak/database-password" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "systemd-network";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ };
+}
diff --git a/config/hosts/keycloak/secrets.yaml b/config/hosts/keycloak/secrets.yaml
deleted file mode 100644
index a84ab28..0000000
--- a/config/hosts/keycloak/secrets.yaml
+++ /dev/null
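Review bot: `group = "systemd-network"` on the keycloak database password in the new secrets.nix grants read access to the networkd user, which has no part in Keycloak; the pair is carried over from the removed sops block (and matches the wireguard keys on mail-1), so it looks like a copy rather than a requirement. Unless the Keycloak service is known to open the file as that group, `group = "root";` is the least-privilege choice here, since the file is already root-owned and `0640`. I cannot see from the hunk how the service reads `database.passwordFile`, so confirm against the module before narrowing it.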
@@ -1,25 +0,0 @@ -keycloak-database-password: ENC[AES256_GCM,data:2Jk0wskmlpdpaZj05MX4YRRDR75eAkk5eDNNOTSA9+dN8OGkUWdI0CX9ZdQFUB31GiRaLZQ4I9gwnIc2sIxzuA==,iv:4fq+safzIGC21NFTaHsIfgZwuKelQyxttEeW7Pp09v8=,tag:c7LO34hJqi1yEwQ+cQc0Dg==,type:str] -sops: - age: - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArR0Y2ZVg4S1FDYmRlS0xL - VWlJVzNvdHVXanBMN043QjcxVjd5bFk5d21JCnVzYVcwT2tnQS9jblhVQUFaNWZD - L0owQ1hhUFdhNVAzaVJNbWhQaEdXZlUKLS0tIFZFOFpKUklKNVJFRS9ZY1JaeS9D - RnF5YjRmbXRaY3h1MU5PWEZETGh0N2cKIwZg6mMY8c3VpE9hAk9bcFXLyzl7J/4M - BIh7C+yZbD7bL92TEP3gTpW+EsGiJl2LCq7NVVuDkboYuJ6kAqLppg== - -----END AGE ENCRYPTED FILE----- - recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGS25mcEErQ1pUMTV6U1h4 - WXduajlyTFFncXdhZ09BdXg4amV4V0xMalFNCm85dk1ldUlHTytXRDJLcjIyN2M2 - ZmVFVG1YcWhnTmwySmFRUDhEMkVyb1EKLS0tIHVDVkc3QytPU3pQTWxMSG1TRFdI - LzVUdGUrZmVTa1RqRHNWaFFhY09ySEUKFrN7X2ir3gwL/S91mychdjXi2oBPEPr9 - aizXtIk0JX6SzrP/Oy0mYROeEEEUfPVBBypEUlBjlyeSyathmEoVLQ== - -----END AGE ENCRYPTED FILE----- - recipient: age15kluaw2krucmc0j98zfk0s5tkwqer0ax6jva458zukzrgnqjqc9q7s88yd - lastmodified: "2026-05-17T01:07:49Z" - mac: ENC[AES256_GCM,data:fAOsq2jrl8dTvQSn+Cp0sxuU5AuOdnm97LBIyPY71KbxMAY0vn/RDvhszvskMIE25JWGuZROnFoYmrkUqSp/pxG9gvcPQ6keW9WMr09YFli4u1tvADl6Ag+OkcgDe2UP1aPRkW6i7sGpq7Wfv/3G8HNMLgywhyiAA2XICymbDBI=,iv:ChOk26gheG2ErLVqt/rrMw1MxuOmEA595fay6pGUCcc=,tag:8wGA4YZa+ZyNDIBz/d1DUg==,type:str] - unencrypted_suffix: _unencrypted - version: 3.13.0 diff --git a/config/hosts/keycloak/sops.nix b/config/hosts/keycloak/sops.nix deleted file mode 100644 index 78dc2c8..0000000 --- a/config/hosts/keycloak/sops.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ ... }: -{ - sops = { - defaultSopsFile = ./secrets.yaml; - }; -} diff --git a/config/hosts/lifeline/configuration.nix b/config/hosts/lifeline/configuration.nix index 788c3fc..500c407 100644 
--- a/config/hosts/lifeline/configuration.nix
+++ b/config/hosts/lifeline/configuration.nix
@@ -26,7 +26,7 @@
 {
 name = "mail-2";
 publicKey = "OIBOJlFzzM3P/u1ftVW2HWt8kA6NveB4PaBOIXhCYhM=";
- presharedKeyFile = "/run/secrets/wireguard-lifeline-mail-2-lifeline-psk";
+ presharedKeyFile = "/secrets/wireguard-lifeline-mail-2-lifeline-psk.secret";
 allowedIPs = [ "172.18.50.2/32" ];
 }
 ];
@@ -38,7 +38,7 @@
 ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
 ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.18.50.0/24 -o ens6 -j MASQUERADE
 '';
- privateKeyFile = "/run/secrets/wireguard-lifeline-wg0-privatekey";
+ privateKeyFile = "/secrets/wireguard-lifeline-wg0-privatekey.secret";
 };
 };
 nat = {
@@ -62,19 +62,5 @@
 services.prometheus.exporters.node.enable = false;
- sops.secrets."wireguard-lifeline-mail-2-lifeline-psk" = {
- mode = "0440";
- owner = "root";
- group = "root";
- restartUnits = [ "wireguard-wg0.service" ];
- };
-
- sops.secrets."wireguard-lifeline-wg0-privatekey" = {
- mode = "0440";
- owner = "root";
- group = "root";
- restartUnits = [ "wireguard-wg0.service" ];
- };
-
 system.stateVersion = "23.05";
 }
diff --git a/config/hosts/lifeline/default.nix b/config/hosts/lifeline/default.nix
index 36dea6d..9d284a8 100644
--- a/config/hosts/lifeline/default.nix
+++ b/config/hosts/lifeline/default.nix
@@ -3,6 +3,5 @@
 imports = [
 ./configuration.nix
 ./hardware-configuration.nix
- ./sops.nix
 ];
 }
diff --git a/config/hosts/lifeline/secrets.nix b/config/hosts/lifeline/secrets.nix
new file mode 100644
index 0000000..f2b6e23
--- /dev/null
+++ b/config/hosts/lifeline/secrets.nix
@@ -0,0 +1,21 @@
+{ keyCommandEnv, ... }:
+{
+ deployment.keys = {
+ "wireguard-lifeline-wg0-privatekey.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-wg0-privatekey" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ "wireguard-lifeline-mail-2-lifeline-psk.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-mail-2/psk" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ };
+}
diff --git a/config/hosts/lifeline/secrets.yaml b/config/hosts/lifeline/secrets.yaml
deleted file mode 100644
index 01b2010..0000000
--- a/config/hosts/lifeline/secrets.yaml
+++ /dev/null
@@ -1,26 +0,0 @@ -wireguard-lifeline-wg0-privatekey: ENC[AES256_GCM,data:yUIu+AC24/84w0GQPko64E89ZjzMoaa0Z8J2IFY8wDmCw+z1Als0h42XB5U=,iv:2pmy0FyeyvHbRRYnog9mth7hWfMt4mNe8/dSK3eYd2E=,tag:/gRbYT8EnbDRiFN0Ohu4ng==,type:str] -wireguard-lifeline-mail-2-lifeline-psk: ENC[AES256_GCM,data:IvgVTsgFfONCm3OJ8iKtwRUY6uTEZfpyGubm/iysOySebPuDg+/AGNUu5ZQ=,iv:HZpAqLLt/cDQo51+koS3nZ1mkN0ZmqCY7gedx6PHthM=,tag:klM8lxBmZvXn3XUD/duGMA==,type:str] -sops: - age: - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLcGo4RTJsQnZWWXBadjAz - YW5VcFBwWUxUR2N2d092WmN6LzdkaStaVVNJCkdWLzF4ZU4rY3pPLzc1YUZUb2hM - bHNiRkhabG1ON2YzemdCMjQwOW5hdG8KLS0tIER4RGdZNkN4U0dTekx6MURpY0oz - ZURQbEF0c2VXNFFRVEI5YjUydzNQVTQK6Q3yE+P41Ukay2h2RVXHcCbE19piBwHa - Gdxok7ObnjTBpFxWuz4Sqvozb4R9dbkTPtSp72Yjv78QBinLmWGJ/A== - -----END AGE ENCRYPTED FILE----- - recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlemExaHpsTFBEYjJURjNp - WmluaHcwaUtyNmRINEJ6NXlFVWplZm9YeEJvCktMM2N0dWFxYUFKM25EdVo0RmNG - MDYzcFFnOG95SXdrU3VzWmdqQ3U0L2cKLS0tIGhHUmNNS0w0bzhhdHgzL1hYQjRr - SEczcDdWMnh3aThXK3JrLzkrTEZ0TkUKexB+HBUOWSsel9sNgUHnj5NJdj8zZX/C - XB4W6fwzMxPHHknk1y/4z/F8oNnUzXmh3QfT/15glDmmCpyM3PGWVw== - -----END AGE ENCRYPTED FILE----- - recipient: age1pmx78vda0c2qnn8epvkavl26e2939uj65608fdq959ds60d58ucsqwxsua - lastmodified: "2026-05-17T01:24:39Z" - mac: ENC[AES256_GCM,data:JyTfrwkD8GxbzzuK1CsBRr8+Hxheu1gvB2KP3jGJkvLktzzNLYH7qq7JJu2oP6X18MMa+dlMuY9lHosoWy+wA34kgrtBVqtCfTnOx3jafwfLdNVBVTORN8h7so1N0KKwuSJnFL6BqMWhiQiPVOENGThqlIqKDwSiP3hyfFLDBuM=,iv:0IkM76X2Ly3hil7XneURzQk4wVUJy/bs/9zX3r9cTVo=,tag:vC7HDnB6WCTTy5MSh4tDDg==,type:str] - unencrypted_suffix: _unencrypted - version: 3.13.0 diff --git a/config/hosts/lifeline/sops.nix b/config/hosts/lifeline/sops.nix deleted file mode 100644 index 78dc2c8..0000000 --- a/config/hosts/lifeline/sops.nix +++ /dev/null 
@@ -1,6 +0,0 @@
-{ ... }:
-{
- sops = {
- defaultSopsFile = ./secrets.yaml;
- };
-}
diff --git a/config/hosts/mail-1/configuration.nix b/config/hosts/mail-1/configuration.nix
index 3f27ce3..c94de3b 100644
--- a/config/hosts/mail-1/configuration.nix
+++ b/config/hosts/mail-1/configuration.nix
@@ -51,11 +51,11 @@
 Name = "wg0";
 };
 wireguardConfig = {
- PrivateKeyFile = "/run/secrets/wireguard-mail-1-wg0-privatekey";
+ PrivateKeyFile = "/secrets/wireguard-mail-1-wg0-privatekey.secret";
 };
 wireguardPeers = [{
 PublicKey = "ik480irMZtGBs1AFpf1KGzDBekjdziD3ck7XK8r1WXQ=";
- PresharedKeyFile = "/run/secrets/wireguard-valkyrie-mail-1-mail-1-psk";
+ PresharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-mail-1-psk.secret";
 Endpoint = "212.53.203.19:51822";
 AllowedIPs = [ "0.0.0.0/0" ];
 PersistentKeepalive = 25;
@@ -77,18 +77,5 @@
 wireguard-tools
 ];
- sops.secrets."wireguard-valkyrie-mail-1-mail-1-psk" = {
- mode = "0440";
- owner = "systemd-network";
- group = "systemd-network";
- restartUnits = [ "systemd-networkd.service" ];
- };
- sops.secrets."wireguard-mail-1-wg0-privatekey" = {
- mode = "0440";
- owner = "systemd-network";
- group = "systemd-network";
- restartUnits = [ "systemd-networkd.service" ];
- };
-
 system.stateVersion = "23.05";
 }
diff --git a/config/hosts/mail-1/default.nix b/config/hosts/mail-1/default.nix
index 28a5bdc..5537841 100644
--- a/config/hosts/mail-1/default.nix
+++ b/config/hosts/mail-1/default.nix
@@ -3,6 +3,5 @@
 imports = [
 ./configuration.nix
 ./simple-nixos-mailserver.nix
- ./sops.nix
 ];
 }
diff --git a/config/hosts/mail-1/secrets.nix b/config/hosts/mail-1/secrets.nix
new file mode 100644
index 0000000..c7dd92c
--- /dev/null
+++ b/config/hosts/mail-1/secrets.nix
@@ -0,0 +1,109 @@ +{ keyCommandEnv, ... }: +{ + deployment.keys = { + "wireguard-valkyrie-mail-1-mail-1-psk.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-mail-1/psk" ]; + destDir = "/secrets"; + user = "root"; + group = "systemd-network"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "wireguard-mail-1-wg0-privatekey.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "wireguard/mail-1-wg0-privatekey" ]; + destDir = "/secrets"; + user = "root"; + group = "systemd-network"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "mail-fiona-grzb-de.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "mail/fiona-grzb-de" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "mail-yuri-nekover-se.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "mail/yuri-nekover-se" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "mail-mio-vs-grzb-de.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "mail/mio-vs-grzb-de" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "mail-fubuki-wg-grzb-de.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "mail/fubuki-wg-grzb-de" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "mail-cloud-nekover-se.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "mail/cloud-nekover-se" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "mail-status-nekover-se.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "mail/status-nekover-se" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "mail-matrix-nekover-se.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" 
"mail/matrix-nekover-se" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "mail-nekomesh-nekover-se.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "mail/nekomesh-nekover-se" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "mail-social-nekover-se.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "mail/social-nekover-se" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "mail-id-nekover-se.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "mail/id-nekover-se" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "mail-forgejo-nekover-se.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "mail/forgejo-nekover-se" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + }; +} diff --git a/config/hosts/mail-1/secrets.yaml b/config/hosts/mail-1/secrets.yaml deleted file mode 100644 index 007b274..0000000 --- a/config/hosts/mail-1/secrets.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -wireguard-valkyrie-mail-1-mail-1-psk: ENC[AES256_GCM,data:qlmzG+qatZCGFqD2Yf9Nlc7tUUMr5JGIvwFcaBqmgwSFoRjVpObjpTn9h6Q=,iv:8kukGi7FyKY7Un5bfmD+xOrt57Zr4uGEho3GGFyy8KY=,tag:0SqD/4OCYC1gRcsDAK8oBw==,type:str] -wireguard-mail-1-wg0-privatekey: ENC[AES256_GCM,data:oI3NZ3QBaGsWPx8ajLtP2MUdVTpWlnmOF1j3aex+0rI5fixwtNwJvUZD3mA=,iv:ecO78C4upN99mm9ZosIxXR0RsZJRsL97FFvh6ktpczA=,tag:obxoVfxh49XznQykp1ROuA==,type:str] -mail-fiona-grzb-de: ENC[AES256_GCM,data:igpnhygXhe1kIMc+Dvj0LB+PFrJOJu53ZS5svt+B2qpXAk5kD9zQIRoU5TdHLyOdIOSSb2XBPkKgbShv,iv:MPgHxNvZGZ/NtflrxpazgryT+T1Qy/5z0klZ/BQ/mGA=,tag:8huvfd1eLJTQrKdDxFDsDw==,type:str] -mail-yuri-nekover-se: ENC[AES256_GCM,data:XsFmWttVmDnI9+q/7ZN0bDlRiYue1XPonQTfWMkkHfZ7mk1ZXlDjC3oYR3V3a3yEQrS4Jz0fAc/N4lnR,iv:RPqs8Q3QSGSJ0zSClKyIo5JmW5UEE6xYjEnqvmFE5C8=,tag:DZaDfFc+3RG9L0oIpj9f3Q==,type:str] -mail-mio-vs-grzb-de: ENC[AES256_GCM,data:R+eq1w3a6NLD20sMBejlnQ9asEGOxGBgPqQ+oLTwfryYu0b0by3rF0a7StCtSzsFMkzpAWw+En4Zreuw,iv:r7VLjix8sRSXbnpRS+9XzXI0qjklOXuQU77kU2LF7zA=,tag:BhqSLiMvnGHagq9Jg5852A==,type:str] -mail-fubuki-wg-grzb-de: ENC[AES256_GCM,data:pFPmrMtF33P3ANpnWB+qcTfEfAMJ0w4/fE/zAsVYKjEO1nhZtWSMQfyorYSq5GdbXuitIYdjx/IBCj0r,iv:FZtnyp90pB9R0nYaHsudnE7IyDi26UE+vxIpzZm0Q4s=,tag:XJcIP9LyYwbzw21QLpHfCA==,type:str] -mail-cloud-nekover-se: ENC[AES256_GCM,data:lY7ufbNOS+GPHAi1fJGhZNT0dMv1B7k+6BzGTb1IxWvvHmFv7u6NKGBmyQQD57Qvt2EwdtnGDJ2XugCD,iv:NZLdBFNHSkSj9pau0vWQzwznOjkFvhZcGalcfWoKI9w=,tag:8dn5ULJzaTYtnT3CBfpp8g==,type:str] -mail-status-nekover-se: ENC[AES256_GCM,data:blaHK5q8mJKQMo/UYf2NG2x7IsIkZD5cxaVv56Z7PFrn+pua821j8pwNGXCnmuGJFhDj16PkvfOuRXU7,iv:+Q2J73Af27qjta5xYtuF/mrwL45fyTV+K5GDpnA11Lo=,tag:OKhLFQfgKTAvg5wvID5RGA==,type:str] -mail-matrix-nekover-se: ENC[AES256_GCM,data:9Fs5Un2DI2ZHm1zLkbAsQ3tsuff9LjvuJkysxVWc1pdQuQsMHCNTHfioBMqJ1dH1E8ilkqCqljEmHh9+,iv:F73WEWyq7o06n0zkuu2cNYWUdmpX7YX4BGcR4Hgep2Y=,tag:+7BPbiCNM0QdBTBx6RKkHQ==,type:str] -mail-nekomesh-nekover-se: 
ENC[AES256_GCM,data:k25S+W3t4gn8HuUs4xge5iLjxtayB82y9PNs3lxxg3En7W4CbiSt1ccoiP4h9v9iN5rMHqiF8wg2ONlBJwQ6qA==,iv:LqjOUza0cioak0qeuBBkmRl3Kg8z05kqTeZCrgEX9qY=,tag:NkqrRxJp0c+h/C0+jfiQqg==,type:str] -mail-social-nekover-se: ENC[AES256_GCM,data:b+7hmL8yiqABkf5NFUQVTSBmj1EjImzB58Q0xpDkxSU9DVkhhURTzoi+HdgFgOOzDtkegzprokXA+I+j,iv:LtOn8+dx5Nhes4t5qpqWsnaOfD07IBZEaCXKIniJlJc=,tag:ipLZNPRN7YCkvVJYKonXmQ==,type:str] -mail-id-nekover-se: ENC[AES256_GCM,data:5odIPSrJEVoT95hch48lu4pmb0PVnjtTUOo3eohfbX1I8CNpwIuhz4Mjk5lam5q3toIKtXMhtA73RAup,iv:bvpCkS4Tz0/oorStgip0XXnsxkBMAoFJrTFAzrjPLYU=,tag:KOVNkURmuwb+8VRxfTxEDQ==,type:str] -mail-forgejo-nekover-se: ENC[AES256_GCM,data:PLZFl5aokzJorTCKD8/qJs0N1BlDLPl1tW23roMMCRkn9tAupaNwZASp1pKrPJBVBCAH4Ijj84WDIhsHdQzNhg==,iv:CExDJ2uwe0juL0f+SCyTGOfUHuEwPTHduHUkh8WAQMo=,tag:pf0QArVKBNh1F4TMxsJyRA==,type:str] -sops: - age: - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzd1ppWG1iZzJaaTJxMi9I - MTNvWUFWU1JRakpWbGxYQU9zdk5rVWMzZHdzCktRL1NEN01EY0lvVVJuQ3V2eTBZ - OFVnN1FiVTJndHZZeDBNQmloNndLY1EKLS0tIE5Lc0NqYzI4U29zamJaK2FiL1BZ - UTc2MkpZRmpVVVpvVSsxUkdpdVMzYW8KnCIMs31S6/SSx+vUAOYfjO21pGl/AMQa - iunevrTybuTFB2F/xePkdeIVvXLTLcj0XiAIw+qzAl/GvIWp7DDnTw== - -----END AGE ENCRYPTED FILE----- - recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6ZVdRK214bVQyNVRWMXVI - dmNOWk9VMXRUWnpZaXRJQVIydmRTeDJrUzMwCi95VWVGU2t3U0dqTHVWbTVjakh6 - a2luYVZVdlFpVDRKeWpUZnpTY1J0eEkKLS0tIEtqTjBMY3UxU09jN2RuSzNGU3hX - UndxdWMyTVkzTUYzU3h6VjlyMjl6emsKNs+ED4FRI/+wrD3TUsQYyzuFvVEyrnBD - dsyjzSv8WubSloRUHkV7hwfHxgVzg37A5nlQo/qSdJC6TtfWmoXpsg== - -----END AGE ENCRYPTED FILE----- - recipient: age1hny8kwx0uymselgas25q558ruxxdv7lgtu9d5rnd6x9w3nysk4zqumzzrp - lastmodified: "2026-05-24T00:23:52Z" - mac: 
ENC[AES256_GCM,data:QH4MalhMoA5CyNmGPksMRzn6LOfxxRSBlufJ6ejcDx+l6owNT3xqKAYE9EfIUMh8z7Sw+btHhn8q02K2FnWlYD2FUY187cCcoykGRU+juJEDZH6yQ5PCqrBKXDB0wv8IBI/xTeFS7mUOzlvZfHtnLKULNZBfojN9f9jDoZCUhYo=,iv:S0AU8Ox62kk3nwL31QzYT0CGDaYNYbG/ONaQhiUbGD4=,tag:qKUkkxNouKaDb/1ptXSobg==,type:str] - unencrypted_suffix: _unencrypted - version: 3.13.0 diff --git a/config/hosts/mail-1/simple-nixos-mailserver.nix b/config/hosts/mail-1/simple-nixos-mailserver.nix index 0e8dba3..15318e8 100644 --- a/config/hosts/mail-1/simple-nixos-mailserver.nix +++ b/config/hosts/mail-1/simple-nixos-mailserver.nix 
@@ -15,55 +15,55 @@ domains = [ "grzb.de" "vs.grzb.de" "wg.grzb.de" "nekover.se" ]; loginAccounts = { "fiona@grzb.de" = { - hashedPasswordFile = "/run/secrets/mail-fiona-grzb-de"; + hashedPasswordFile = "/secrets/mail-fiona-grzb-de.secret"; aliases = [ "@grzb.de" ]; catchAll = [ "grzb.de" ]; }; "yuri@nekover.se" = { - hashedPasswordFile = "/run/secrets/mail-yuri-nekover-se"; + hashedPasswordFile = "/secrets/mail-yuri-nekover-se.secret"; aliases = [ "@nekover.se" ]; catchAll = [ "nekover.se" ]; }; "mio@vs.grzb.de" = { - hashedPasswordFile = "/run/secrets/mail-mio-vs-grzb-de"; + hashedPasswordFile = "/secrets/mail-mio-vs-grzb-de.secret"; sendOnly = true; aliases = [ "root@vs.grzb.de" ]; }; "fubuki@wg.grzb.de" = { - hashedPasswordFile = "/run/secrets/mail-fubuki-wg-grzb-de"; + hashedPasswordFile = "/secrets/mail-fubuki-wg-grzb-de.secret"; sendOnly = true; aliases = [ "root@wg.grzb.de" ]; }; "cloud@nekover.se" = { - hashedPasswordFile = "/run/secrets/mail-cloud-nekover-se"; + hashedPasswordFile = "/secrets/mail-cloud-nekover-se.secret"; sendOnly = true; }; "status@nekover.se" = { - hashedPasswordFile = "/run/secrets/mail-status-nekover-se"; + hashedPasswordFile = "/secrets/mail-status-nekover-se.secret"; sendOnly = true; }; "matrix@nekover.se" = { - hashedPasswordFile = "/run/secrets/mail-matrix-nekover-se"; + hashedPasswordFile = "/secrets/mail-matrix-nekover-se.secret"; sendOnly = true; aliases = [ "nyareply@nekover.se" ]; }; "nekomesh@nekover.se" = { - hashedPasswordFile = "/run/secrets/mail-nekomesh-nekover-se"; + hashedPasswordFile = "/secrets/mail-nekomesh-nekover-se.secret"; sendOnly = true; aliases = [ "nyareply@nekover.se" ]; }; "social@nekover.se" = { - hashedPasswordFile = "/run/secrets/mail-social-nekover-se"; + hashedPasswordFile = "/secrets/mail-social-nekover-se.secret"; sendOnly = true; aliases = [ "nyareply@nekover.se" ]; }; "id@nekover.se" = { - hashedPasswordFile = "/run/secrets/mail-id-nekover-se"; + hashedPasswordFile = 
"/secrets/mail-id-nekover-se.secret"; sendOnly = true; aliases = [ "nyareply@nekover.se" ]; }; "forgejo@nekover.se" = { - hashedPasswordFile = "/run/secrets/mail-forgejo-nekover-se"; + hashedPasswordFile = "/secrets/mail-forgejo-nekover-se.secret"; sendOnly = true; aliases = [ "nyareply@nekover.se" ]; }; @@ -79,71 +79,4 @@ proxy_interfaces = "212.53.203.19"; }; }; - - sops.secrets."mail-fiona-grzb-de" = { - mode = "0440"; - owner = "root"; - group = "root"; - restartUnits = [ "postfix.service" ]; - }; - sops.secrets."mail-yuri-nekover-se" = { - mode = "0440"; - owner = "root"; - group = "root"; - restartUnits = [ "postfix.service" ]; - }; - sops.secrets."mail-mio-vs-grzb-de" = { - mode = "0440"; - owner = "root"; - group = "root"; - restartUnits = [ "postfix.service" ]; - }; - sops.secrets."mail-fubuki-wg-grzb-de" = { - mode = "0440"; - owner = "root"; - group = "root"; - restartUnits = [ "postfix.service" ]; - }; - sops.secrets."mail-cloud-nekover-se" = { - mode = "0440"; - owner = "root"; - group = "root"; - restartUnits = [ "postfix.service" ]; - }; - sops.secrets."mail-status-nekover-se" = { - mode = "0440"; - owner = "root"; - group = "root"; - restartUnits = [ "postfix.service" ]; - }; - sops.secrets."mail-matrix-nekover-se" = { - mode = "0440"; - owner = "root"; - group = "root"; - restartUnits = [ "postfix.service" ]; - }; - sops.secrets."mail-nekomesh-nekover-se" = { - mode = "0440"; - owner = "root"; - group = "root"; - restartUnits = [ "postfix.service" ]; - }; - sops.secrets."mail-social-nekover-se" = { - mode = "0440"; - owner = "root"; - group = "root"; - restartUnits = [ "postfix.service" ]; - }; - sops.secrets."mail-id-nekover-se" = { - mode = "0440"; - owner = "root"; - group = "root"; - restartUnits = [ "postfix.service" ]; - }; - sops.secrets."mail-forgejo-nekover-se" = { - mode = "0440"; - owner = "root"; - group = "root"; - restartUnits = [ "postfix.service" ]; - }; } 
diff --git a/config/hosts/mail-1/sops.nix b/config/hosts/mail-1/sops.nix
deleted file mode 100644
index 78dc2c8..0000000
--- a/config/hosts/mail-1/sops.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{ ... }:
-{
- sops = {
- defaultSopsFile = ./secrets.yaml;
- };
-}
diff --git a/config/hosts/mail-2/acme.nix b/config/hosts/mail-2/acme.nix
new file mode 100644
index 0000000..c6a353c
--- /dev/null
+++ b/config/hosts/mail-2/acme.nix
@@ -0,0 +1,9 @@
+{ ... }:
+{
+ security.acme.certs = {
+ "mail-2.grzb.de" = {
+ listenHTTP = ":80";
+ reloadServices = [ "postfix.service" ];
+ };
+ };
+}
diff --git a/config/hosts/mail-2/configuration.nix b/config/hosts/mail-2/configuration.nix
new file mode 100644
index 0000000..f1fa002
--- /dev/null
+++ b/config/hosts/mail-2/configuration.nix
@@ -0,0 +1,81 @@ +{ pkgs, ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + systemd.network = { + enable = true; + networks = { + "enp6s18" = { + matchConfig.Name = "enp6s18"; + address = [ + "10.201.41.100/24" + ]; + routes = [ + { + Gateway = "10.201.41.1"; + Destination = "10.201.0.0/16"; + } + { + Gateway = "10.201.41.1"; + Destination = "10.202.0.0/16"; + } + { + Gateway = "10.201.41.1"; + Destination = "172.21.87.0/24"; + } + { + Gateway = "10.201.41.1"; + Destination = "217.160.117.160/32"; + } + ]; + linkConfig.RequiredForOnline = "routable"; + }; + "wg0" = { + matchConfig.Name = "wg0"; + address = [ + "172.18.50.2/24" + ]; + DHCP = "no"; + gateway = [ + "172.18.50.1" + ]; + }; + }; + netdevs = { + "wg0" = { + netdevConfig = { + Kind = "wireguard"; + Name = "wg0"; + }; + wireguardConfig = { + PrivateKeyFile = "/secrets/wireguard-mail-2-wg0-privatekey.secret"; + }; + wireguardPeers = [{ + PublicKey = "Nnf7x+Yd+l8ZkK2BTq1lK3iiTYgdrgL9PQ/je8smug4="; + PresharedKeyFile = "/secrets/wireguard-lifeline-mail-2-mail-2-psk.secret"; + Endpoint = "217.160.117.160:51820"; + AllowedIPs = [ "0.0.0.0/0" ]; + PersistentKeepalive = 25; + }]; + }; + }; + }; + + networking = { + hostName = "mail-2"; + useDHCP = false; + firewall = { + enable = true; + allowedTCPPorts = [ 25 80 ]; + }; + }; + + environment.systemPackages = with pkgs; [ + wireguard-tools + ]; + + system.stateVersion = "23.05"; +} diff --git a/config/hosts/mail-2/default.nix b/config/hosts/mail-2/default.nix new file mode 100644 index 0000000..ab5c757 --- /dev/null +++ b/config/hosts/mail-2/default.nix @@ -0,0 +1,8 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./postfix.nix + ./acme.nix + ]; +} diff --git a/config/hosts/mail-2/postfix.nix b/config/hosts/mail-2/postfix.nix new file mode 100644 index 0000000..b7e54f3 --- /dev/null +++ b/config/hosts/mail-2/postfix.nix 
@@ -0,0 +1,37 @@
+{ config, ... }:
+{
+ # Postfix relay configuration, see: https://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup
+ services.postfix = {
+ enable = true;
+ hostname = "mail-2.grzb.de";
+ relayDomains = [
+ "grzb.de"
+ "nekover.se"
+ ];
+ sslCert = "${config.security.acme.certs."mail-2.grzb.de".directory}/fullchain.pem";
+ sslKey = "${config.security.acme.certs."mail-2.grzb.de".directory}/key.pem";
+ extraConfig = ''
+ message_size_limit = 20971520
+ smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
+ proxy_interfaces = 217.160.117.160
+ relay_recipient_maps =
+ smtp_tls_ciphers = high
+ smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
+ smtp_tls_mandatory_ciphers = high
+ smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
+ smtp_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
+ smtp_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
+ smtpd_tls_auth_only = yes
+ smtpd_tls_ciphers = high
+ smtpd_tls_eecdh_grade = ultra
+ smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
+ smtpd_tls_loglevel = 1
+ smtpd_tls_mandatory_ciphers = high
+ smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
+ smtpd_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
+ smtpd_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
+ tls_preempt_cipherlist = yes
+ tls_random_source = dev:/dev/urandom
+ '';
+ };
+}
diff --git a/config/hosts/mail-2/secrets.nix b/config/hosts/mail-2/secrets.nix
new file mode 100644
index 0000000..67beb5b
--- /dev/null
+++ b/config/hosts/mail-2/secrets.nix
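Review bot: `relay_recipient_maps =` is left empty while `relayDomains` lists `grzb.de` and `nekover.se`; per Postfix's documentation an empty `relay_recipient_maps` makes the SMTP server accept mail for every recipient in the relay domains, so this backup MX only discovers at delivery to mail-1 that an address does not exist and then bounces, which is the backscatter case the linked STANDARD_CONFIGURATION_README section warns about. Populating `relay_recipient_maps` with the valid addresses (mail-1's `loginAccounts` and aliases) lets Postfix reject unknown recipients at RCPT TO. Separately, `PSD` in the four `*_exclude_ciphers` lists is not an OpenSSL cipher-string keyword and looks like a typo for `PSK`, so that exclusion is most likely ignored, and the `*_protocols` lines still admit `TLSv1.1` while excluding `TLSv1`; on Postfix 3.6 or later `>=TLSv1.2` expresses the intended floor for all four protocol settings.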
@@ -0,0 +1,21 @@
+{ keyCommandEnv, ... }:
+{
+ deployment.keys = {
+ "wireguard-mail-2-wg0-privatekey.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "wireguard/mail-2-wg0-privatekey" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "systemd-network";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ "wireguard-lifeline-mail-2-mail-2-psk.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-mail-2/psk" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "systemd-network";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ };
+}
diff --git a/config/hosts/mastodon/containers/fedifetcher/default.nix b/config/hosts/mastodon/containers/fedifetcher/default.nix
new file mode 100644
index 0000000..3f2617e
--- /dev/null
+++ b/config/hosts/mastodon/containers/fedifetcher/default.nix
@@ -0,0 +1,23 @@
+{ nixpkgs-unstable, ... }:
+{
+ containers.fedifetcher = {
+ nixpkgs = nixpkgs-unstable;
+ autoStart = true;
+
+ bindMounts = {
+ "/secrets" = {
+ hostPath = "/secrets-fedifetcher";
+ isReadOnly = true;
+ };
+ };
+
+ config = { ... }: {
+ imports = [
+ ./fedifetcher.nix
+ ];
+
+ networking.useHostResolvConf = true;
+ system.stateVersion = "24.05";
+ };
+ };
+}
diff --git a/config/hosts/mastodon/containers/fedifetcher/fedifetcher.nix b/config/hosts/mastodon/containers/fedifetcher/fedifetcher.nix
new file mode 100644
index 0000000..7194c25
--- /dev/null
+++ b/config/hosts/mastodon/containers/fedifetcher/fedifetcher.nix
@@ -0,0 +1,42 @@ +{ pkgs, lib, ... }: +{ + # config copied from https://github.com/arachnist/nibylandia/blob/main/nixos/zorigami/default.nix + systemd.services.fedifetcher = { + path = [ pkgs.fedifetcher ]; + description = "fetch fedi posts"; + script = '' + fedifetcher + ''; + environment = lib.mapAttrs' (n: v: + (lib.nameValuePair ("ff_" + builtins.replaceStrings [ "-" ] [ "_" ] n) + (builtins.toString v))) { + server = "social.nekover.se"; + state-dir = "/var/lib/fedifetcher"; + lock-file = "/run/fedifetcher/fedifetcher.lock"; + from-lists = 1; + from-notifications = 1; + max-bookmarks = 80; + max-favourites = 40; + max-follow-requests = 80; + max-followers = 80; + max-followings = 80; + remember-hosts-for-days = 30; + remember-users-for-hours = 168; + reply-interval-in-hours = 2; + }; + serviceConfig = { + DynamicUser = true; + User = "fedifetcher"; + RuntimeDirectory = "fedifetcher"; + RuntimeDirectoryPreserve = true; + StateDirectory = "fedifetcher"; + UMask = "0077"; + EnvironmentFile = [ "/secrets/mastodon-fedifetcher-access-token.secret" ]; + }; + }; + + systemd.timers.fedifetcher = { + wantedBy = [ "multi-user.target" ]; + timerConfig = { OnCalendar = "*:0/5"; }; + }; +} diff --git a/config/hosts/mastodon/default.nix b/config/hosts/mastodon/default.nix index 5166081..dc52ff4 100644 --- a/config/hosts/mastodon/default.nix +++ b/config/hosts/mastodon/default.nix @@ -5,6 +5,6 @@ ./mastodon.nix ./opensearch.nix ./nginx.nix - ./sops.nix + ./containers/fedifetcher ]; } diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index e636bef..aa4fea4 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix 
@@ -1,9 +1,9 @@ -{ pkgs, nixpkgs-unstable, nixpkgs-master, ... }: +{ pkgs, ... }: let tangerineUI = pkgs.fetchgit { url = "https://github.com/nileane/TangerineUI-for-Mastodon.git"; - rev = "v2.5.3"; - hash = "sha256-fs/pwIwXZvSNVmlSG304CMT/hSW/RtrzraMsrhg/TbE="; + rev = "v2.5.2"; + hash = "sha256-RJPP3QynE42cr9Km8twyZrHiZnhMdNcYOOJ7nW0mx1c="; }; mastodonModern = pkgs.fetchgit { url = "https://git.gay/freeplay/Mastodon-Modern.git"; @@ -16,14 +16,14 @@ let }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { - version = "4.5.10"; + version = "4.5.2"; srcOverride = final.applyPatches { src = pkgs.stdenv.mkDerivation { name = "mastodonWithThemes"; src = pkgs.fetchgit { url = "https://github.com/mastodon/mastodon.git"; rev = "v${version}"; - sha256 = "sha256-aW5WMmhfV+q/ddebSuEuCL5Mdwav+qocMPBnbvXFBk4="; + sha256 = "sha256-LePly+CcM+Dv6ipX9jIWWKhy2PiF1j8vgc9CXn2o+DQ="; }; # mastodon ships with broken symlinks, disable the check for that for now dontCheckForBrokenSymlinks = true; @@ -40,7 +40,7 @@ let modern-dark: styles/modern-dark.scss" >> $out/config/themes.yml ''; }; - patches = prev.mastodon.src.patches ++ [ + patches = [ "${mastodonNekoversePatches}/patches/001_increase_image_dimensions_limit.patch" "${mastodonNekoversePatches}/patches/002_disable_image_reprocessing.patch" "${mastodonNekoversePatches}/patches/003_make_toot_cute.patch" @@ -53,7 +53,7 @@ let yarnMissingHashes = prev.mastodon.src.yarnMissingHashes; }); }; - pkgs-overlay = nixpkgs-master.legacyPackages."x86_64-linux".extend mastodonNekoverseOverlay; + pkgs-overlay = pkgs.extend mastodonNekoverseOverlay; vapidPublicKey = pkgs.writeText "vapid-public-key" "BDCbFEDCZ8eFuWr3uEq4Qc30UFZUQeNpF8OCw6OjPwAtaKS1yTM3Ue749Xjqy5WhBDjakzlixh4Gk7gluUhIdsU="; in { 
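Review bot: The new side pins `version = "4.5.2"` with a matching `sha256` where the old side had `4.5.10`, and TangerineUI moves from `v2.5.3` to `v2.5.2`, so this is a downgrade of eight Mastodon patch releases; patch releases in this series typically include security fixes, and if this is a rebase artifact rather than a deliberate rollback the commit should not ship as is. The change from `patches = prev.mastodon.src.patches ++ [` to `patches = [` additionally drops whatever patches nixpkgs applies to its own mastodon source, and the hunk gives no reason for that. If the rollback is intentional (for instance because `nixpkgs-master` is no longer an input and `pkgs` lacks 4.5.10), a comment above `version` saying so and naming the condition for moving forward again would stop the next maintainer from re-bumping blindly.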
@@ -61,21 +61,21 @@ in enable = true; package = pkgs-overlay.mastodon; localDomain = "social.nekover.se"; - secretKeyBaseFile = "/run/secrets/mastodon-secret-key-base"; + secretKeyBaseFile = "/secrets/mastodon-secret-key-base.secret"; vapidPublicKeyFile = "${vapidPublicKey}"; - vapidPrivateKeyFile = "/run/secrets/mastodon-vapid-private-key"; + vapidPrivateKeyFile = "/secrets/mastodon-vapid-private-key.secret"; smtp = { authenticate = true; host = "mail-1.grzb.de"; port = 465; user = "social@nekover.se"; - passwordFile = "/run/secrets/mastodon-email-smtp-pass"; + passwordFile = "/secrets/mastodon-email-smtp-pass.secret"; fromAddress = "Nekoverse "; }; streamingProcesses = 3; - activeRecordEncryptionPrimaryKeyFile = "/run/secrets/mastodon-active-record-encryption-primary-key"; - activeRecordEncryptionKeyDerivationSaltFile = "/run/secrets/mastodon-active-record-encryption-key-derivation-salt"; - activeRecordEncryptionDeterministicKeyFile = "/run/secrets/mastodon-active-record-encryption-deterministic-key"; + activeRecordEncryptionPrimaryKeyFile = "/secrets/mastodon-active-record-encryption-primary-key.secret"; + activeRecordEncryptionKeyDerivationSaltFile = "/secrets/mastodon-active-record-encryption-key-derivation-salt.secret"; + activeRecordEncryptionDeterministicKeyFile = "/secrets/mastodon-active-record-encryption-deterministic-key.secret"; extraConfig = { SMTP_TLS = "true"; ES_PRESET = "single_node_cluster"; 
@@ -94,52 +94,8 @@ in AUTHORIZED_FETCH = "true"; }; extraEnvFiles = [ - "/run/secrets/mastodon-keycloak-client-secret" + "/secrets/mastodon-keycloak-client-secret.secret" ]; elasticsearch.host = "127.0.0.1"; }; - - sops.secrets."mastodon-secret-key-base" = { - mode = "0440"; - owner = "mastodon"; - group = "mastodon"; - restartUnits = [ "mastodon-web.service" ]; - }; - sops.secrets."mastodon-vapid-private-key" = { - mode = "0440"; - owner = "mastodon"; - group = "mastodon"; - restartUnits = [ "mastodon-web.service" ]; - }; - sops.secrets."mastodon-email-smtp-pass" = { - mode = "0440"; - owner = "mastodon"; - group = "mastodon"; - restartUnits = [ "mastodon-web.service" ]; - }; - sops.secrets."mastodon-active-record-encryption-primary-key" = { - mode = "0440"; - owner = "mastodon"; - group = "mastodon"; - restartUnits = [ "mastodon-web.service" ]; - }; - sops.secrets."mastodon-active-record-encryption-key-derivation-salt" = { - mode = "0440"; - owner = "mastodon"; - group = "mastodon"; - restartUnits = [ "mastodon-web.service" ]; - }; - sops.secrets."mastodon-active-record-encryption-deterministic-key" = { - mode = "0440"; - owner = "mastodon"; - group = "mastodon"; - restartUnits = [ "mastodon-web.service" ]; - }; - sops.secrets."mastodon-keycloak-client-secret" = { - mode = "0440"; - owner = "mastodon"; - group = "mastodon"; - restartUnits = [ "mastodon-web.service" ]; - }; } - diff --git a/config/hosts/mastodon/nginx.nix b/config/hosts/mastodon/nginx.nix index 02a0d0a..72aec08 100644 --- a/config/hosts/mastodon/nginx.nix +++ b/config/hosts/mastodon/nginx.nix @@ -57,8 +57,7 @@ }; extraConfig = '' - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/mastodon/secrets.nix b/config/hosts/mastodon/secrets.nix new file mode 100644 index 0000000..986a64b --- /dev/null +++ b/config/hosts/mastodon/secrets.nix 
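Review bot: Dropping `set_real_ip_from 10.203.10.3; # IPv6 from valkyrie` means proxy-protocol headers from that upstream are no longer trusted, so if valkyrie still forwards IPv6 traffic to this host every such request is attributed to 10.203.10.3 instead of the client address, which affects Mastodon's rate limiting, logging and any IP-based blocks. The same line is removed twice in `config/hosts/matrix/nginx.nix`. If the IPv6 path has genuinely moved away from valkyrie, a comment such as `# IPv4 and IPv6 both arrive via web-public-2` on the remaining `set_real_ip_from` line would record that; otherwise the line should stay.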
@@ -0,0 +1,69 @@ +{ keyCommandEnv, ... }: +{ + deployment.keys = { + "mastodon-secret-key-base.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "mastodon/secret-key-base" ]; + destDir = "/secrets"; + user = "mastodon"; + group = "mastodon"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "mastodon-vapid-private-key.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "mastodon/vapid-private-key" ]; + destDir = "/secrets"; + user = "mastodon"; + group = "mastodon"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "mastodon-email-smtp-pass.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "mastodon/email-smtp-pass" ]; + destDir = "/secrets"; + user = "mastodon"; + group = "mastodon"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "mastodon-keycloak-client-secret.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "mastodon/keycloak-client-secret" ]; + destDir = "/secrets"; + user = "mastodon"; + group = "mastodon"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "mastodon-active-record-encryption-primary-key.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "mastodon/active-record-encryption-primary-key" ]; + destDir = "/secrets"; + user = "mastodon"; + group = "mastodon"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "mastodon-active-record-encryption-key-derivation-salt.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "mastodon/active-record-encryption-key-derivation-salt" ]; + destDir = "/secrets"; + user = "mastodon"; + group = "mastodon"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "mastodon-active-record-encryption-deterministic-key.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "mastodon/active-record-encryption-deterministic-key" ]; + destDir = "/secrets"; + user = "mastodon"; + group = "mastodon"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "mastodon-fedifetcher-access-token.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" 
"mastodon/fedifetcher-access-token" ]; + destDir = "/secrets-fedifetcher"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + }; +} diff --git a/config/hosts/mastodon/secrets.yaml b/config/hosts/mastodon/secrets.yaml deleted file mode 100644 index 0858aac..0000000 --- a/config/hosts/mastodon/secrets.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -mastodon-secret-key-base: ENC[AES256_GCM,data:GP8mtL5hkDqNjbiqONXJNDX+e9RuOejnAxX0fk1gvVR+Xkb99/wNPun1p85AVOv1rn8n0H4X8aZwPK/P2lljyGWs4RSwYaLOMMoowSu+QwDYzK2+uf2lsiM5esOAr/rfuX1BZIEnrJPYAIZYtTIBTyrMN9zTtPvyBaPn4cL0sKQ=,iv:jxy37Sa3ywLhVSYhgiC1spky6psxZzso74es5CnBObw=,tag:+nW6SxoYJgcSU2r6d2J00g==,type:str] -mastodon-vapid-private-key: ENC[AES256_GCM,data:mE29UuQGzQ/LPrvop0zODM3tI/DOXsCPemh/5Y7VribAUq25Fftoo3tWEbk=,iv:qJTJL4g9AOcPJIP9IWnSso6ECs3sSiubW9SNUaYIcXE=,tag:OnhsJeWYLDFMlmVsLf4syw==,type:str] -mastodon-email-smtp-pass: ENC[AES256_GCM,data:8UcjUSZMuUPZvc1hM79XGjor0LuKcGg8qLr/oFggcTMtQ9+ff2QHGaZFiHRcNFibdp0IexO2PDy0yMF5qivxJA==,iv:fd3vv21PnC2M/Ptdwy2j6vn+juWrEnZKtTtzhS71igI=,tag:8nmdu2TD0TTmCfA+kIkb4Q==,type:str] -mastodon-keycloak-client-secret: ENC[AES256_GCM,data:jLDVhGhUUI5o2UjHolahncXXiqHHyFT/SavQTaUTlaSje3l2khvAIzmEn8TfC6FrF8BMjzI=,iv:Hq5XrtpnFYnIxrIb8rX5PDL7z7bLuOrtTTubm7HsE88=,tag:ayNJWs3UROd/sBQ5rnuv6w==,type:str] -mastodon-active-record-encryption-primary-key: ENC[AES256_GCM,data:H45LQ1gXCaepRe1ftap5ruWwC7ThI8m/EBtKdqP8QHQ=,iv:wAYQW7INq36GscjdaldCCS0RpjYuemtveoNdeqS1wz0=,tag:hjlXqo9WmE57fENQZaRCXA==,type:str] -mastodon-active-record-encryption-key-derivation-salt: ENC[AES256_GCM,data:DeeXCelirIcDyTDdPeKoaAeD2jzWGLU3p28e5JX8m9E=,iv:yQcddWeesrMWgIAj/MnBwPUwikk2VHAbNDFs0r5Fp0Q=,tag:H6boQ5IEGEhx5Ha15eEUhw==,type:str] -mastodon-active-record-encryption-deterministic-key: ENC[AES256_GCM,data:yrakH+MxQ8/SmAtLOvGcyIAjfbVdb8NgqYqpm+ALKA0=,iv:ZbagvnAPTLBmzxAdXZ0Ecat0jTpeRWiudpk3U+1hEXE=,tag:pnF87Gg4nTRC1YVK1bbGCw==,type:str] -sops: - age: - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuTDB3d1FFWjY2LzhZUmVP - S1BicjRhc2ZzWWMvb2xjT1lzVVY3Z2hqYW53CndNaGJ6NXkyamg0a1BIdzlVL214 - dk5SbDFDdVNGNnp1citjZkQ3UTNHcUUKLS0tIGwvOHl4RUErRjR3Nm1paGVmZEhX - a1N2SlZlY05aN2hEcXlGdnA0ZndlUjgK01enGoJvkN5YMbm38wcRYaM1ogzybJIL - OTig1Fg2CopEmaE/Y6bpuMFIyCFXZDhJQ3LaI+0kydzPGB2nZyWZ2g== - -----END AGE ENCRYPTED FILE----- - 
recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtbnFPOEJVWXAxTEpiNUgw - SDliL3hZeWpaK3JMN0hyV09jUTBSV2pYN2gwCmd2STBsYzhNYlpWRzhCUWZhZ1Rw - Yzdta25vN0NKeTFXWXRiUWZsTGVaY28KLS0tIC8yUERNWHNqTTFQazQzRkYvNk9K - TjlQaVRFdXJ6WVRIVnczYmlFc2t6S2MK5wnjZnhL+GK1eXnANSDe5zcsZdb5N715 - odb/rjaIvUKaSUkmJfQK954pCBsiJXnURt5FKLnOGHtlQmt0kyg8dQ== - -----END AGE ENCRYPTED FILE----- - recipient: age1r60mmmeulm33h0trc0y870dml5hzhglyjv4wecyjy2858pg8u47s793r30 - lastmodified: "2026-05-17T01:44:58Z" - mac: ENC[AES256_GCM,data:DV91qRrbXxS+yvknPuLjRWYdsJdWtODy9q2onrSpWv6P7YR1siNFNpDyioMLKLRby80kY1R1zSofiaepVmP/nWtqtSDsq/plNWIZi7FR7X0TG0hNc3S6GJ0UatXVxOGp6LxvO2doVIMUs3LKd4+16FFMQYEQJ35VbuYFVhWw5SU=,iv:zVmZ7Ho28I9y7IvCULWehzJB64FSLLaspa/Rj+EJpX0=,tag:HRBTVgvm8pZvUgFBqjCEoQ==,type:str] - unencrypted_suffix: _unencrypted - version: 3.13.0 diff --git a/config/hosts/mastodon/sops.nix b/config/hosts/mastodon/sops.nix deleted file mode 100644 index 78dc2c8..0000000 --- a/config/hosts/mastodon/sops.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ ... }: -{ - sops = { - defaultSopsFile = ./secrets.yaml; - }; -} diff --git a/config/hosts/matrix/default.nix b/config/hosts/matrix/default.nix index 8dbb1ac..c6cd79a 100644 --- a/config/hosts/matrix/default.nix +++ b/config/hosts/matrix/default.nix @@ -8,6 +8,5 @@ ./matrix-authentication-service.nix ./matrix-synapse.nix ./nginx.nix - ./sops.nix ]; } diff --git a/config/hosts/matrix/element-call.nix b/config/hosts/matrix/element-call.nix index 7bfc32f..1c8b442 100644 --- a/config/hosts/matrix/element-call.nix +++ b/config/hosts/matrix/element-call.nix 
@@ -4,22 +4,12 @@
 enable = true;
 settings.rtc.use_external_ip = true;
 openFirewall = true;
- keyFile = "/run/secrets/matrix-livekit-secret-key";
+ keyFile = "/secrets/matrix-livekit-secret-key.secret";
 };
 services.lk-jwt-service = {
 enable = true;
 port = 8082;
 livekitUrl = "wss://matrix-rtc.nekover.se/livekit/sfu";
- keyFile = "/run/secrets/matrix-livekit-secret-key";
- };
- systemd.services.lk-jwt-service.environment = {
- LIVEKIT_FULL_ACCESS_HOMESERVERS = "nekover.se";
- };
-
- sops.secrets."matrix-livekit-secret-key" = {
- mode = "0440";
- owner = "root";
- group = "root";
- restartUnits = [ "livekit.service" "lk-jwt-service.service" ];
+ keyFile = "/secrets/matrix-livekit-secret-key.secret";
 };
 }
diff --git a/config/hosts/matrix/matrix-authentication-service.nix b/config/hosts/matrix/matrix-authentication-service.nix
index 8fada3a..53674ad 100644
--- a/config/hosts/matrix/matrix-authentication-service.nix
+++ b/config/hosts/matrix/matrix-authentication-service.nix
@@ -11,7 +11,7 @@ let
 { name = "oauth"; }
 { name = "compat"; }
 { name = "graphql"; }
- {
+ {
 name = "assets";
 path = "${pkgs.matrix-authentication-service}/share/matrix-authentication-service/assets/";
 }
@@ -33,17 +33,6 @@ let
 }];
 proxy_protocol = false;
 }
- {
- name = "admin";
- resources = [{
- name = "adminapi";
- }];
- binds = [{
- host = "localhost";
- port = 8083;
- }];
- proxy_protocol = false;
- }
 ];
 trusted_proxies = [
 "192.168.0.0/16"
@@ -74,7 +63,8 @@ let
 version = 2;
 algorithm = "argon2id";
 }
- ];
+ ];
+ minimum_complexity = 8;
 };
 };
 masSettingsFile = ((pkgs.formats.yaml { }).generate "mas-config" masSettings);
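Review bot: The removed `systemd.services.lk-jwt-service.environment` block dropped `LIVEKIT_FULL_ACCESS_HOMESERVERS = "nekover.se"` and nothing on the new side replaces it, so the restriction of full LiveKit access to the local homeserver is gone; depending on the lk-jwt-service version deployed, the unset default may grant every federated homeserver full access, which should be confirmed before merging. If the restriction is no longer wanted, say so in the commit message; otherwise re-add `systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = "nekover.se";` next to the `services.lk-jwt-service` block.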
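Review bot: `minimum_complexity = 8;` is added under the MAS `passwords` settings, but as far as I know MAS documents `minimum_complexity` as a zxcvbn score in the range 0–4, so 8 is outside the accepted range and may be rejected at config load or clamped without any effective minimum; confirm against the deployed `mas-cli` version and use `4` if the strictest setting is intended. The enclosing `masSettings` let-binding starts outside the hunk.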
@@ -92,7 +82,7 @@ in
 
 serviceConfig = {
 Type = "simple";
- ExecStart = "${pkgs.matrix-authentication-service}/bin/mas-cli server --config=${masSettingsFile} --config=/run/secrets/matrix-mas-secret-config";
+ ExecStart = "${pkgs.matrix-authentication-service}/bin/mas-cli server --config=${masSettingsFile} --config=/secrets/matrix-mas-secret-config.secret";
 WorkingDirectory = "${pkgs.matrix-authentication-service}";
 User = "matrix-synapse";
 Group = "matrix-synapse";
@@ -102,11 +92,4 @@ in
 "multi-user.target"
 ];
 };
-
- sops.secrets."matrix-mas-secret-config" = {
- mode = "0440";
- owner = "matrix-synapse";
- group = "matrix-synapse";
- restartUnits = [ "matrix-authentication-service.service" ];
- };
 }
diff --git a/config/hosts/matrix/matrix-synapse.nix b/config/hosts/matrix/matrix-synapse.nix
index df9c6af..371eb95 100644
--- a/config/hosts/matrix/matrix-synapse.nix
+++ b/config/hosts/matrix/matrix-synapse.nix
@@ -51,7 +51,7 @@
 notif_from = "Nekoverse Matrix Server ";
 };
 max_upload_size = "500M";
- signing_key_path = "/run/secrets/matrix-homeserver-signing-key";
+ signing_key_path = "/secrets/matrix-homeserver-signing-key.secret";
 admin_contact = "mailto:admin@nekover.se";
 web_client_location = "https://element.nekover.se";
 enable_metrics = true;
@@ -86,41 +86,10 @@ }; extras = [ "oidc" ]; extraConfigFiles = [ - "/run/secrets/matrix-registration-shared-secret" - "/run/secrets/matrix-turn-shared-secret" - "/run/secrets/matrix-email-smtp-pass" - "/run/secrets/matrix-homeserver-mas-config" + "/secrets/matrix-registration-shared-secret.secret" + "/secrets/matrix-turn-shared-secret.secret" + "/secrets/matrix-email-smtp-pass.secret" + "/secrets/matrix-homeserver-mas-config.secret" ]; }; - - sops.secrets."matrix-homeserver-signing-key" = { - mode = "0440"; - owner = "matrix-synapse"; - group = "matrix-synapse"; - restartUnits = [ "matrix-synapse.service" ]; - }; - sops.secrets."matrix-registration-shared-secret" = { - mode = "0440"; - owner = "matrix-synapse"; - group = "matrix-synapse"; - restartUnits = [ "matrix-synapse.service" ]; - }; - sops.secrets."matrix-turn-shared-secret" = { - mode = "0440"; - owner = "matrix-synapse"; - group = "matrix-synapse"; - restartUnits = [ "matrix-synapse.service" ]; - }; - sops.secrets."matrix-email-smtp-pass" = { - mode = "0440"; - owner = "matrix-synapse"; - group = "matrix-synapse"; - restartUnits = [ "matrix-synapse.service" ]; - }; - sops.secrets."matrix-homeserver-mas-config" = { - mode = "0440"; - owner = "matrix-synapse"; - group = "matrix-synapse"; - restartUnits = [ "matrix-synapse.service" ]; - }; } diff --git a/config/hosts/matrix/nginx.nix b/config/hosts/matrix/nginx.nix index 0e419bc..ce3ab3d 100644 --- a/config/hosts/matrix/nginx.nix +++ b/config/hosts/matrix/nginx.nix @@ -11,17 +11,10 @@ addr = "0.0.0.0"; port = 80; } - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } { addr = "0.0.0.0"; port = 8448; ssl = true; - proxyProtocol = true; } ]; locations = { 
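Review bot: The 8448 listener keeps `ssl = true` but loses `proxyProtocol = true`, while the vhost's extraConfig (in the next hunk) still carries `real_ip_header proxy_protocol;`; if federation traffic on 8448 still arrives through the PROXY-protocol frontend at 10.202.41.100 the TLS handshake on that port will now fail, and if it arrives directly the client address comes from the TCP connection, which is the intended effect — confirm which path 8448 takes and note it in a comment on the listener. The 8443 listener removed here is re-added in the later hunk as `listen 0.0.0.0:8443 http2 ssl proxy_protocol;`; on nginx ≥ 1.25.1 the `http2` listen parameter is deprecated in favour of a separate `http2 on;`, so expect a warning in the log.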
@@ -41,23 +34,11 @@ client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size}; ''; }; - "~ ^/_synapse/admin" = { - # Only proxy to the local host on IPv4, because localhost doesn't seem to work - # even if matrix-synapse is listening on ::1 as well. - proxyPass = "http://127.0.0.1:8008"; - extraConfig = '' - # Restrict access to admin API. - allow 172.21.87.0/24; # management VPN - deny all; - # Nginx by default only allows file uploads up to 1M in size - # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml - client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size}; - ''; - }; }; extraConfig = '' - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + listen 0.0.0.0:8443 http2 ssl proxy_protocol; + + set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol; ''; }; @@ -69,29 +50,14 @@ addr = "0.0.0.0"; port = 80; } - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } ]; - locations = { - "/" = { - proxyPass = "http://localhost:8080"; - }; - "~ ^/api/admin" = { - proxyPass = "http://localhost:8083"; - extraConfig = '' - # Restrict access to admin API. - allow 172.21.87.0/24; # management VPN - deny all; - ''; - }; + locations."/" = { + proxyPass = "http://localhost:8080"; }; extraConfig = '' - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + listen 0.0.0.0:8443 http2 ssl proxy_protocol; + + set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol; ''; }; @@ -103,12 +69,6 @@ addr = "0.0.0.0"; port = 80; } - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } ]; locations."^~ /livekit/jwt/" = { proxyPass = "http://localhost:8082/"; 
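Review bot: Deleting the `~ ^/_synapse/admin` location removes the `allow 172.21.87.0/24; deny all;` restriction without a replacement; unlike the MAS admin API, whose separate 8083 listener is dropped in matrix-authentication-service.nix, Synapse serves `/_synapse/admin` on the same listener as the client API, so those requests now fall through to the location handling `/` (outside the hunk) and the admin API becomes reachable from the internet, gated only by Synapse's own admin-token check as far as can be seen here. If that is not intended, keep a restricted location, e.g. `"~ ^/_synapse/admin".extraConfig = "allow 172.21.87.0/24; deny all;"` with the same `proxyPass`, or return 403 for the prefix. Separately, with `set_real_ip_from 10.203.10.3` gone, any traffic still relayed by that host is attributed to the relay rather than the end client, which affects logs and any remaining allow lists; a comment stating that the IPv6 path is decommissioned would make the intent explicit.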
@@ -118,8 +78,9 @@ proxyWebsockets = true; }; extraConfig = '' - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + listen 0.0.0.0:8443 http2 ssl proxy_protocol; + + set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/matrix/secrets.nix b/config/hosts/matrix/secrets.nix new file mode 100644 index 0000000..5121ded --- /dev/null +++ b/config/hosts/matrix/secrets.nix 
@@ -0,0 +1,61 @@
+{ keyCommandEnv, ... }:
+{
+ deployment.keys = {
+ "matrix-registration-shared-secret.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "matrix/registration-shared-secret" ];
+ destDir = "/secrets";
+ user = "matrix-synapse";
+ group = "matrix-synapse";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ "matrix-turn-shared-secret.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "matrix/turn-shared-secret" ];
+ destDir = "/secrets";
+ user = "matrix-synapse";
+ group = "matrix-synapse";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ "matrix-email-smtp-pass.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "matrix/email-smtp-pass" ];
+ destDir = "/secrets";
+ user = "matrix-synapse";
+ group = "matrix-synapse";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ "matrix-homeserver-signing-key.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "matrix/homeserver-signing-key" ];
+ destDir = "/secrets";
+ user = "matrix-synapse";
+ group = "matrix-synapse";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ "matrix-homeserver-mas-config.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "matrix/homeserver-mas-config" ];
+ destDir = "/secrets";
+ user = "matrix-synapse";
+ group = "matrix-synapse";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ "matrix-mas-secret-config.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "matrix/mas-secret-config" ];
+ destDir = "/secrets";
+ user = "matrix-synapse";
+ group = "matrix-synapse";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ "matrix-livekit-secret-key.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "matrix/livekit-secret-key" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ };
+}
diff --git a/config/hosts/matrix/secrets.yaml b/config/hosts/matrix/secrets.yaml
deleted file mode 100644
index 39f4078..0000000
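Review bot: `destDir = "/secrets"` places every key in plaintext on the persistent root filesystem, where the replaced sops-nix setup decrypted into `/run/secrets` (tmpfs); that is presumably deliberate so the files survive a reboot and the `pre-activation` upload, but it changes the at-rest exposure and nothing here says who creates `/secrets` or with which directory mode, so a header comment such as `# Keys are stored unencrypted under /secrets (persistent); the directory is expected to be root-owned and not world-traversable` would capture the assumption. `permissions = "0640"` also loosens the previous `0440`, giving the service account write access to its own secret; `0440` (or `0400` where no group read is needed) preserves the old guarantee. The same two points apply to the secrets.nix files added for metrics-nekomesh, metrics, navidrome, netbox, nextcloud and paperless.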
--- a/config/hosts/matrix/secrets.yaml
+++ /dev/null
@@ -1,31 +0,0 @@ -matrix-registration-shared-secret: ENC[AES256_GCM,data:7ECdyhXVwDJW23eh2l8kJhQJoKeMeEQYzV1dbT72/9cqVtB7nAzGtiDDCh3YQlHp8Z6UuNddzhmLI204LrSf8QESqcwUc7I4DzUd2ufN5gAVfVFfNC/imqCnzro=,iv:eUhXcvYyYoRsiW6k54e654yfu6Kclx3EIls12RG4W6s=,tag:Ep3KV/O7xZF87ScOa1sB5w==,type:str] -matrix-turn-shared-secret: ENC[AES256_GCM,data:A7+1pogcH4V+3WnGhsaTN1TMn7NheFkc/vRoHKh/DMBC7L6b9Lfv1HvdJjSXs8kRI6R2gTxDWuvc6iKYOo80HfP/iPEv92b7AF2KT3EzyCKpaoPA,iv:0xztkTQHP9GhaZ9Y60XujMNUrcDr0H9xcnDa9dDH0kk=,tag:1e6HKoLiWOzKURZBA98CKw==,type:str] -matrix-email-smtp-pass: ENC[AES256_GCM,data:kr/5n3YGAoA7GTCpEgkIlp2v/ciN+TgjKuiHk3tkjhwGqStdIKPcFn1tqXtmDUIbQzQDYhSIx3UmfCLJteIUYI4JlIZig174K0ON,iv:4MP+Y20yv9CaCvqPeqAyOzaaJN728cqIh5b5siIEcJM=,tag:JXmpP6ivc1b/osIc5UaRyA==,type:str] -matrix-homeserver-signing-key: ENC[AES256_GCM,data:FyKkSncgQZRWJnEsFrxgMI3uorQSGntWaPpjfPzV0uIV3p+ESgTygDjd0ordwZIXcZ+mCasd5TCATw==,iv:WWtaCwwAJLI8UeQFWFnK0WlWDGsbwj+rULlJd4nJ1Cw=,tag:7t3jLu+Y2Ad2Wf5N2i2pxA==,type:str] -matrix-homeserver-mas-config: ENC[AES256_GCM,data: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,iv:WnI2PUw4BTvyYU+POGI5bgxVrJfDsORIwbYPQwVnSRc=,tag:uguLxZ8UbXz5rhmbpeuXBA==,type:str] -matrix-mas-secret-config: ENC[AES256_GCM,data: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,iv:DHHn5SX646k5naHyx8OdDWcmQMRUYKIKWGZ8IWVG8I0=,tag:YSHy/NXD0c3vZ52Im8ZgFg==,type:str] -matrix-livekit-secret-key: ENC[AES256_GCM,data:Qj89Swcj24jkNR2gmsdx3wfJ5PADU+uN7d1N3jNy8REfpL5MJUym3V14YqhCLbNzuihRGsXlUtboBVx+,iv:/TdoutHl39y/L8cqcOX78SAsB12RZTNCPXJrCHowwF4=,tag:pM2Mf0Rj2Qe6y+BxhT+3HQ==,type:str] -sops: - age: - - recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDYVh0dithekdBY0VNUTk3 - S2xBS2M1QVorVnRvdEdRM2MrODNXTmU2cWlJCjhkZTNhSGFTcGNNeFVXMjhISU5l - T0pqZVh4US9YSksvMDlNR1k2R01QRGsKLS0tIGhUQUlDZ1hUOTdPTGREVmlhY2gr - RUZtb01sOUFaVU56RjMyeDR1YTVvNW8KhYw8sxDzilAUePO/H7FFwHLbGMGaEmPQ - 
cnWWTSmBACJhh9PQL+I1RYwGTmxXgoYg2KW2Neg13znq2e2DsxW++Q== - -----END AGE ENCRYPTED FILE----- - - recipient: age1g60l5mu08xrwfw7uptwcwde8kp9dacs4ltqv2ndjskpy8z5sqakqssxxq5 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaMU1uYzlsTmNOdXF6dHpF - TWdyVjJQcEVQdFI5K2puc0s4TWI5T004cEV3CjhFbmI0LytDMUZDNHo2Q0U1UnNy - Vm93VmpkMjV0cmVSVTNYNXliNU81b28KLS0tIFJPS2VVb25oOG0zKzZ4MFgwTTNw - aDZkcDMzOHZrMWpHb1FYZTljQk80MlEKXun1lWxAyUC+abSc258Wl8YaJqJmWlpg - cbCotao9FjTlelqtERIdl1W/bdoVOV2JTgUDCAOPl9n33uKCEvg9mg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-05-18T19:52:51Z" - mac: ENC[AES256_GCM,data:XXdE62W90b2b6HyDSXqKFahBncu1yZWMD0vttjbBqGdZjYpRG5V3f9QunOVQ+1Rr0tADria0ecrlbcfkrHVU9l2oPlpaZ9DEgSuD8UEIRzWGgtIlM4lzMvvaTcZMz97vfbAv/Che+SBtQ8vrE8V4SPX5W0L86OLi7OalsuRDw78=,iv:nSo8iE/ma7+ihfSeOQMIxKrUcinBBVRr+bhYMvgbygo=,tag:ANfqvsfKiCHyZLy8/ZjIPA==,type:str] - unencrypted_suffix: _unencrypted - version: 3.12.2 diff --git a/config/hosts/matrix/sops.nix b/config/hosts/matrix/sops.nix deleted file mode 100644 index 78dc2c8..0000000 --- a/config/hosts/matrix/sops.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ ... }: -{ - sops = { - defaultSopsFile = ./secrets.yaml; - }; -} diff --git a/config/hosts/metrics-nekomesh/default.nix b/config/hosts/metrics-nekomesh/default.nix index cc0af5c..c2d39a4 100644 --- a/config/hosts/metrics-nekomesh/default.nix +++ b/config/hosts/metrics-nekomesh/default.nix @@ -6,6 +6,5 @@ ./neo4j.nix ./prometheus.nix ./nginx.nix - ./sops.nix ]; } diff --git a/config/hosts/metrics-nekomesh/grafana.nix b/config/hosts/metrics-nekomesh/grafana.nix index 2c596c5..7697748 100644 --- a/config/hosts/metrics-nekomesh/grafana.nix +++ b/config/hosts/metrics-nekomesh/grafana.nix 
@@ -11,15 +11,14 @@ cookie_secure = true; cookie_samesite = "strict"; admin_user = "admin"; - admin_password = "$__file{/run/secrets/metrics-nekomesh-grafana-admin-password}"; + admin_password = "$__file{/secrets/metrics-nekomesh-grafana-admin-password.secret}"; admin_email = "fi@nekover.se"; - secret_key = "$__file{/run/secrets/metrics-nekomesh-grafana-secret-key}"; }; smtp = { enabled = true; host = "mail.grzb.de:465"; user = "nekomesh@grzb.de"; - password = "$__file{/run/secrets/mail-nekomesh-nekover-se}"; + password = "$__file{/secrets/mail-nekomesh-nekover-se.secret}"; from_address = "nyareply@nekover.se"; from_name = "Nekomesh"; startTLS_policy = "NoStartTLS"; @@ -29,7 +28,7 @@ name = "Nekoverse ID"; allow_sign_up = true; client_id = "nekomesh"; - client_secret = "$__file{/run/secrets/metrics-nekomesh-grafana-keycloak-client-secret}"; + client_secret = "$__file{/secrets/metrics-nekomesh-grafana-keycloak-client-secret.secret}"; scopes = "openid email profile offline_access roles"; email_attribute_path = "email"; login_attribute_path = "preferred_username"; @@ -52,29 +51,4 @@ } ]; }; - - sops.secrets."metrics-nekomesh-grafana-admin-password" = { - mode = "0440"; - owner = "grafana"; - group = "grafana"; - restartUnits = [ "grafana.service" ]; - }; - sops.secrets."metrics-nekomesh-grafana-keycloak-client-secret" = { - mode = "0440"; - owner = "grafana"; - group = "grafana"; - restartUnits = [ "grafana.service" ]; - }; - sops.secrets."metrics-nekomesh-grafana-secret-key" = { - mode = "0440"; - owner = "grafana"; - group = "grafana"; - restartUnits = [ "grafana.service" ]; - }; - sops.secrets."mail-nekomesh-nekover-se" = { - mode = "0440"; - owner = "grafana"; - group = "grafana"; - restartUnits = [ "grafana.service" ]; - }; } diff --git a/config/hosts/metrics-nekomesh/nginx.nix b/config/hosts/metrics-nekomesh/nginx.nix index a754cb6..e2fc483 100644 --- a/config/hosts/metrics-nekomesh/nginx.nix +++ b/config/hosts/metrics-nekomesh/nginx.nix 
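Review bot: The hunk drops `secret_key = "$__file{/run/secrets/metrics-nekomesh-grafana-secret-key}";` instead of re-pointing it at `/secrets` like the two neighbouring entries, and the key is not carried over into metrics-nekomesh/secrets.nix in the later hunk; Grafana uses `security.secret_key` to encrypt data source credentials in its database, so falling back to the built-in value means existing encrypted entries can no longer be decrypted and new ones are protected by a key that ships in Grafana's source. Unless the key is set elsewhere, keep `secret_key = "$__file{/secrets/metrics-nekomesh-grafana-secret-key.secret}";` and add the matching `deployment.keys` entry. If the drop is intentional because no data source secrets exist, say so in the commit message.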
@@ -23,8 +23,7 @@ proxyWebsockets = true; }; extraConfig = '' - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/metrics-nekomesh/secrets.nix b/config/hosts/metrics-nekomesh/secrets.nix new file mode 100644 index 0000000..ef6bcec --- /dev/null +++ b/config/hosts/metrics-nekomesh/secrets.nix @@ -0,0 +1,29 @@ +{ keyCommandEnv, ... }: +{ + deployment.keys = { + "metrics-nekomesh-grafana-admin-password.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "metrics-nekomesh/grafana/admin-password" ]; + destDir = "/secrets"; + user = "grafana"; + group = "grafana"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "metrics-nekomesh-grafana-keycloak-client-secret.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "metrics-nekomesh/grafana/keycloak-client-secret" ]; + destDir = "/secrets"; + user = "grafana"; + group = "grafana"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "mail-nekomesh-nekover-se.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "mail/nekomesh-nekover-se" ]; + destDir = "/secrets"; + user = "grafana"; + group = "grafana"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + }; +} diff --git a/config/hosts/metrics-nekomesh/secrets.yaml b/config/hosts/metrics-nekomesh/secrets.yaml deleted file mode 100644 index 53bef00..0000000 --- a/config/hosts/metrics-nekomesh/secrets.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -metrics-nekomesh-grafana-admin-password: ENC[AES256_GCM,data:7Ji5Bb+/ekFtptG6JQBViocqozol7vdTRxAgYuRpicO3v7UFswLBkFd/+asaCKkYTrYjDFcOOSjSMr2Yp+9IhQ==,iv:VjpntKn3PdIX56DjHlkhYmx05MZtvTinGcO0vz4BFkQ=,tag:Lcat3LbXJyWcEOq6pmTx9w==,type:str] -metrics-nekomesh-grafana-keycloak-client-secret: ENC[AES256_GCM,data:6SHmMy0gbT6rYC9i60TzCcP0q4eSzC3Srse9O3La1Ag=,iv:H6wEzy6MgX2Ft+D3rWzyWwnh8ZmNmMlcEQLuKrkSwoU=,tag:M7pGHOKq0fglHGyj5jFoYg==,type:str] -metrics-nekomesh-grafana-secret-key: ENC[AES256_GCM,data:5+aUdzNAy0nDuGW8g2e7LdT9woo=,iv:rSn+XTJA46Eq4FcKUQaph/WPLXC4vxnRulpSjls1QZg=,tag:aXSgUUzxe8tQV+oqXnidPA==,type:str] -mail-nekomesh-nekover-se: ENC[AES256_GCM,data:vuyDjtvCT0D8aYftcGiA59i7mriqLNoqeHy0+LQ3awUt4d//p81LpPNdb/EQMuUnCp2QZgdsy4rU5ktDa1Ewfg==,iv:+pqVQfWxSQF4fTJ0gMuAf4EjyvsUVFUxpRa2BHpvZ3Q=,tag:UlHzONbcfeCJuJjamKV39w==,type:str] -sops: - age: - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvOVFIckQ3R2FsYXl4NkRW - RGdSRmNaMURIUkYrSGtnWmdxVGJMOUFta0JJCnN1blNoaG9PUVJNN1RJcUhnYlFq - WTlhcGx3cUUwbkREMVVleDZNazJ2dm8KLS0tIFl5NGhFeHZKaENmQjRwZ0hiS3Jl - TTRMVloxK25uUVVMcE56M1RMKzlDb2cKuNKexzjC9eefQHCjVAY4rS7wqTSqs0uO - PvSvxs4tY5d2nUJuORGn25MU9Y65UFTvTzuxgqg9Z37NTEjVfvnrYA== - -----END AGE ENCRYPTED FILE----- - recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByTzErWVY1V3ZrMHBYTjRm - M1IwTG9DZmhBTFpGSkwyTVJJYndsRnRSOTJrClhFWi9TbGhRWkQ1VjhLaE4wd3Bi - WlpSUUcxU3A4dmZUYmNJYnlyQnMwK00KLS0tIDZqdU1DcXc3YmpDMThRMzQwQWk4 - TnFKNS9xcXdKZXo0cThpbjd2NEQ3NTgK4XTrXdaHVveeXwsEuGx5+Y2bu/F6jooo - auWtrm7z3rxzCxePxNs6LCYr/ppoE7J8nEFKnFmT0vyUGryhzlbo9A== - -----END AGE ENCRYPTED FILE----- - recipient: age1rh7zgp445t39c7tmh84r30e9edju8gmtn84u7rjwhmyntzkugucq5x0xse - lastmodified: "2026-05-23T22:38:11Z" - mac: 
ENC[AES256_GCM,data:VWo7UFRey2w/2x/wn/XfFW9gCpogO9Igxt/xEBngHBTkSJh0p6HhbZlmA3iv3QmYKui74cHSfQUOq2IOc96CLsfWKUWhMQVw5z/be7OEoY3cIG8V1WRTixQB5a0284jPXcGHPreLdMdAQW5nvJJRwx6Pysm7+rTzdxi8VGmOKyE=,iv:l4KBomWzPfOw1UiVpMwWg68OdYc85FtrRcVygfbEoeU=,tag:EeboepV+hDkA9QNmi/Ao+w==,type:str] - unencrypted_suffix: _unencrypted - version: 3.13.0 diff --git a/config/hosts/metrics-nekomesh/sops.nix b/config/hosts/metrics-nekomesh/sops.nix deleted file mode 100644 index 78dc2c8..0000000 --- a/config/hosts/metrics-nekomesh/sops.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ ... }: -{ - sops = { - defaultSopsFile = ./secrets.yaml; - }; -} diff --git a/config/hosts/metrics/default.nix b/config/hosts/metrics/default.nix index ea9bd08..ef5c25c 100644 --- a/config/hosts/metrics/default.nix +++ b/config/hosts/metrics/default.nix @@ -5,6 +5,5 @@ ./grafana.nix ./prometheus.nix ./nginx.nix - ./sops.nix ]; } diff --git a/config/hosts/metrics/grafana.nix b/config/hosts/metrics/grafana.nix index 05f80e3..7cf4dcf 100644 --- a/config/hosts/metrics/grafana.nix +++ b/config/hosts/metrics/grafana.nix @@ -11,14 +11,14 @@ cookie_secure = true; cookie_samesite = "strict"; admin_user = "yuri"; - admin_password = "$__file{/run/secrets/metrics-grafana-admin-password}"; + admin_password = "$__file{/secrets/metrics-grafana-admin-password.secret}"; admin_email = "yuri@nekover.se"; }; smtp = { enabled = true; host = "mail.grzb.de:465"; user = "grafana"; - password = "$__file{/run/secrets/metrics-grafana-smtp-password}"; + password = "$__file{/secrets/metrics-grafana-smtp-password.secret}"; from_address = "grafana@robot.grzb.de"; from_name = "Grafana"; startTLS_policy = "NoStartTLS"; @@ -33,17 +33,4 @@ } ]; }; - - sops.secrets."metrics-grafana-admin-password" = { - mode = "0440"; - owner = "grafana"; - group = "grafana"; - restartUnits = [ "grafana.service" ]; - }; - sops.secrets."metrics-grafana-smtp-password" = { - mode = "0440"; - owner = "grafana"; - group = "grafana"; - restartUnits = [ "grafana.service" ]; - }; } 
diff --git a/config/hosts/metrics/secrets.nix b/config/hosts/metrics/secrets.nix
new file mode 100644
index 0000000..fcf9baa
--- /dev/null
+++ b/config/hosts/metrics/secrets.nix
@@ -0,0 +1,21 @@
+{ keyCommandEnv, ... }:
+{
+ deployment.keys = {
+ "metrics-grafana-admin-password.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "metrics/grafana/admin-password" ];
+ destDir = "/secrets";
+ user = "grafana";
+ group = "grafana";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ "metrics-grafana-smtp-password.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "metrics/grafana/smtp-password" ];
+ destDir = "/secrets";
+ user = "grafana";
+ group = "grafana";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ };
+}
diff --git a/config/hosts/metrics/secrets.yaml b/config/hosts/metrics/secrets.yaml
deleted file mode 100644
index 154cc13..0000000
--- a/config/hosts/metrics/secrets.yaml
+++ /dev/null
@@ -1,26 +0,0 @@ -metrics-grafana-admin-password: ENC[AES256_GCM,data:vk5KwDxDvTtI/vycl+2XItCFadUQL7rDHZ+0e3WAXynkHq/gmP0Q4VBBjQQNnFwxumF/dIj+CxEqEDdCL6HpSqEOZm/SJCfBARSCxyNCXoYiI/0+NTlUdfhscrDVleLJcMNrBxmxKt3cnDotPWS8rwF5oA1A79OW6+eZm1RC8hA=,iv:JtV0/vZIIzIF+WtD9KRPmyfLI4sMSe7ff5KHG7PEXjY=,tag:A1RgqOOd6M2m1ueXWPxw2w==,type:str] -metrics-grafana-smtp-password: ENC[AES256_GCM,data:ledR3mYQaQndiXgWJSZCqwrar1d5LvnwfdAb0EYI40M=,iv:T6yV0KKz5MK8pLWQoO0xi/ZAdhpFgNvER17X5ZfCCe0=,tag:16lt0z4Gn4Gcc54ssF0W5w==,type:str] -sops: - age: - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqVWd2NHNWTElaTk42R1Qx - bmZxYnhoT3NqQ0I5ZWVsS0N4eHdWMDhRU0hFCmhlQ1hrZ3R5REt2ODV0dTA4VWl0 - R0dtNWIydzhCUmVMYk85d0ZETk8wQkEKLS0tIElFbXRhYWprVER4ZGZocTNzcGNv - RHN2MWJVTXFEZnhKeXNQdUlnQ0ZiYmMKXicuiR0ZlDNb4EX49y3NmAOk7onTcDEV - Ohe+Enl0dM+dMfCdcojIkdTln74KZ+h6yxVr5jDU3EnDZVZpczY5wQ== - -----END AGE ENCRYPTED FILE----- - recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4bkFiY0x1TUFGYnExWnYz - QldDOW1oaWVEUDMvbUN2TmwxZVZEOVpZbW5JCjlnYklSSjV1OExObDl1QUhoZFls - V3cyVVBkYWwyT0lpTlVnb1kxTG9IM0UKLS0tIENGak1HaFZYT2ZCL0hleUVVUDZu - MTI5ZkhUK0RZdGhSYVFZMDNHaS9QaFEKyptwQi4pYw0zZ2F9LvwX4F18UUdjqVrz - aB4hZkakAI94qVz3JvIVlslWzsDtIKoBTobl3dBNFId7M8TQwwZUvg== - -----END AGE ENCRYPTED FILE----- - recipient: age1lrtengtdc0nzpagr8fkp5mwqda66jqr0s2h3wsxcdscmalp8n3js3r0e3n - lastmodified: "2026-05-23T22:14:10Z" - mac: ENC[AES256_GCM,data:w1pNlY6g/PxQcpY/0Jt02TL5oZ0gwB5fYIzd99PgJTU0X76tmvlAF1i58SubnyR6TWiO0Q4TYJcqgeKHHvWYkYtQZzV4MGc0UwY1+Ipw3q38fRTHqVNbiaCorYbWBMXUnewE4eXictnFfq+vIfFeWktoGws/NTrZEIQ4lY+NSiE=,iv:vP7vujgXGRSr/adBJu1SATryPbqF3Obcg885EZahMTg=,tag:HuRqc8wS1+geWmJMdRWNSA==,type:str] - unencrypted_suffix: _unencrypted - version: 3.13.0 
diff --git a/config/hosts/metrics/sops.nix b/config/hosts/metrics/sops.nix
deleted file mode 100644
index 78dc2c8..0000000
--- a/config/hosts/metrics/sops.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{ ... }:
-{
- sops = {
- defaultSopsFile = ./secrets.yaml;
- };
-}
diff --git a/config/hosts/navidrome/configuration.nix b/config/hosts/navidrome/configuration.nix
new file mode 100644
index 0000000..581a631
--- /dev/null
+++ b/config/hosts/navidrome/configuration.nix
@@ -0,0 +1,33 @@
+{ ... }:
+{
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/vda";
+ };
+
+ networking = {
+ hostName = "navidrome";
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 80 443 ];
+ };
+ };
+
+ fileSystems = {
+ "/mnt/music" = {
+ device = "//10.202.40.5/music-ro";
+ fsType = "cifs";
+ options = [
+ "username=navidrome"
+ "credentials=/secrets/navidrome-samba-credentials.secret"
+ "iocharset=utf8"
+ "vers=3.1.1"
+ "uid=navidrome"
+ "gid=navidrome"
+ "_netdev"
+ ];
+ };
+ };
+
+ system.stateVersion = "23.05";
+}
diff --git a/config/hosts/navidrome/default.nix b/config/hosts/navidrome/default.nix
new file mode 100644
index 0000000..00d4a90
--- /dev/null
+++ b/config/hosts/navidrome/default.nix
@@ -0,0 +1,7 @@
+{ ... }: {
+ imports = [
+ ./configuration.nix
+ ./navidrome.nix
+ ./nginx.nix
+ ];
+}
diff --git a/config/hosts/navidrome/navidrome.nix b/config/hosts/navidrome/navidrome.nix
new file mode 100644
index 0000000..74e3a1d
--- /dev/null
+++ b/config/hosts/navidrome/navidrome.nix
@@ -0,0 +1,9 @@
+{ ... }: {
+ services.navidrome = {
+ enable = true;
+ settings = {
+ Address = "unix:/run/navidrome/navidrome.socket";
+ MusicFolder = "/mnt/music";
+ };
+ };
+}
diff --git a/config/hosts/navidrome/nginx.nix b/config/hosts/navidrome/nginx.nix
new file mode 100644
index 0000000..eef60dd
--- /dev/null
+++ b/config/hosts/navidrome/nginx.nix
@@ -0,0 +1,24 @@
+{ ... }: {
+ services.nginx = {
+ enable = true;
+ user = "navidrome";
+ virtualHosts."navidrome.grzb.de" = {
+ forceSSL = true;
+ enableACME = true;
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 443;
+ ssl = true;
+ }
+ ];
+ locations."/" = {
+ proxyPass = "http://unix:/run/navidrome/navidrome.socket";
+ };
+ };
+ };
+}
diff --git a/config/hosts/navidrome/secrets.nix b/config/hosts/navidrome/secrets.nix
new file mode 100644
index 0000000..a11e957
--- /dev/null
+++ b/config/hosts/navidrome/secrets.nix
@@ -0,0 +1,13 @@
+{ keyCommandEnv, ... }:
+{
+ deployment.keys = {
+ "navidrome-samba-credentials.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "navidrome/samba-credentials" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ };
+}
diff --git a/config/hosts/netbox/configuration.nix b/config/hosts/netbox/configuration.nix
new file mode 100644
index 0000000..5bf8422
--- /dev/null
+++ b/config/hosts/netbox/configuration.nix
@@ -0,0 +1,17 @@
+{ ... }:
+{
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/vda";
+ };
+
+ networking = {
+ hostName = "netbox";
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 80 443 ];
+ };
+ };
+
+ system.stateVersion = "23.05";
+}
diff --git a/config/hosts/netbox/default.nix b/config/hosts/netbox/default.nix
new file mode 100644
index 0000000..5dd147b
--- /dev/null
+++ b/config/hosts/netbox/default.nix
@@ -0,0 +1,8 @@
+{ ... }:
+{
+ imports = [
+ ./configuration.nix
+ ./netbox.nix
+ ./nginx.nix
+ ];
+}
diff --git a/config/hosts/netbox/netbox.nix b/config/hosts/netbox/netbox.nix
new file mode 100644
index 0000000..b9ba2ad
--- /dev/null
+++ b/config/hosts/netbox/netbox.nix
@@ -0,0 +1,8 @@
+{ pkgs, ... }:
+{
+ services.netbox = {
+ enable = true;
+ package = pkgs.netbox;
+ secretKeyFile = "/secrets/netbox-secret-key.secret";
+ };
+}
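Review bot: `user = "navidrome"` runs the entire nginx instance — including the ACME client and the TLS private keys it manages — under the application account, so a compromise of navidrome reaches the certificate material and an nginx compromise reaches the music library and navidrome's state; netbox/nginx.nix in this commit does the same with `user = "netbox"`. The usual alternative keeps nginx on its own user and grants access by group, e.g. `users.users.nginx.extraGroups = [ "navidrome" ];`, which works provided the unix socket at `/run/navidrome/navidrome.socket` is created group-accessible. Presumably the shared user was chosen because it is not; a comment above `user` stating that reason would let the next maintainer revisit it once the socket mode allows.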
diff --git a/config/hosts/netbox/nginx.nix b/config/hosts/netbox/nginx.nix
new file mode 100644
index 0000000..a2d1782
--- /dev/null
+++ b/config/hosts/netbox/nginx.nix
@@ -0,0 +1,29 @@
+{ config, ... }:
+{
+ services.nginx = {
+ enable = true;
+ clientMaxBodySize = "25m";
+ user = "netbox";
+ virtualHosts."netbox.grzb.de" = {
+ forceSSL = true;
+ enableACME = true;
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 443;
+ ssl = true;
+ }
+ ];
+ locations."/static/" = {
+ alias = "${config.services.netbox.dataDir}/static/";
+ };
+ locations."/" = {
+ proxyPass = "http://${config.services.netbox.listenAddress}:${builtins.toString config.services.netbox.port}";
+ };
+ };
+ };
+}
diff --git a/config/hosts/netbox/secrets.nix b/config/hosts/netbox/secrets.nix
new file mode 100644
index 0000000..216aca4
--- /dev/null
+++ b/config/hosts/netbox/secrets.nix
@@ -0,0 +1,11 @@
+{ keyCommandEnv, ... }:
+{
+ deployment.keys."netbox-secret-key.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "netbox/secret-key" ];
+ destDir = "/secrets";
+ user = "netbox";
+ group = "netbox";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+}
diff --git a/config/hosts/nextcloud/default.nix b/config/hosts/nextcloud/default.nix
index 5c78b7a..9677aef 100644
--- a/config/hosts/nextcloud/default.nix
+++ b/config/hosts/nextcloud/default.nix
@@ -4,6 +4,5 @@
 ./configuration.nix
 ./hardware-configuration.nix
 ./nextcloud.nix
- ./sops.nix
 ];
 }
diff --git a/config/hosts/nextcloud/nextcloud.nix b/config/hosts/nextcloud/nextcloud.nix
index 7c13bd4..88b842a 100644
--- a/config/hosts/nextcloud/nextcloud.nix
+++ b/config/hosts/nextcloud/nextcloud.nix
@@ -7,7 +7,7 @@
 https = true;
 config = {
 dbtype = "pgsql";
- adminpassFile = "/run/secrets/nextcloud-adminpass";
+ adminpassFile = "/secrets/nextcloud-adminpass.secret";
 };
 database.createLocally = true;
 configureRedis = true;
@@ -30,7 +30,7 @@ default_phone_region = "DE"; }; # Only contains mail_smtppassword - secretFile = "/run/secrets/nextcloud-secretfile"; + secretFile = "/secrets/nextcloud-secretfile.secret"; phpOptions = { # The amount of memory for interned strings in Mbytes "opcache.interned_strings_buffer" = "64"; @@ -44,21 +44,9 @@ extraConfig = '' listen 0.0.0.0:8443 http2 ssl proxy_protocol; - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol; ''; }; }; - - sops.secrets."nextcloud-adminpass" = { - mode = "0440"; - owner = "nextcloud"; - group = "nextcloud"; - }; - sops.secrets."nextcloud-secretfile" = { - mode = "0440"; - owner = "nextcloud"; - group = "nextcloud"; - }; } diff --git a/config/hosts/nextcloud/secrets.nix b/config/hosts/nextcloud/secrets.nix new file mode 100644 index 0000000..b344d78 --- /dev/null +++ b/config/hosts/nextcloud/secrets.nix @@ -0,0 +1,21 @@ +{ keyCommandEnv, ... }: +{ + deployment.keys = { + "nextcloud-adminpass.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "nextcloud/adminpass" ]; + destDir = "/secrets"; + user = "nextcloud"; + group = "nextcloud"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "nextcloud-secretfile.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "nextcloud/secretfile" ]; + destDir = "/secrets"; + user = "nextcloud"; + group = "nextcloud"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + }; +} diff --git a/config/hosts/nextcloud/secrets.yaml b/config/hosts/nextcloud/secrets.yaml deleted file mode 100644 index c92b6c0..0000000 --- a/config/hosts/nextcloud/secrets.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -nextcloud-adminpass: ENC[AES256_GCM,data:9hjeHUMNBg3fCN80mGCXarXEMOySEdyfnFIL8ivGb2Vi8LKbzZ2fHZZUzMO5/7XYRpNKWtBz1yzn2fj/ZeLiMw==,iv:38bucE+hmU/hZXw67fc34s1uZefXpWdY5vaTpvDfpUI=,tag:vKI6DrBYekjVU8Va/7BT8A==,type:str] -nextcloud-secretfile: ENC[AES256_GCM,data:PaX7jAFBNweVwyG9nNU/TTHlGrQvPfgc92uCS1s1UwrHH8KlbKGed6NpTPvulwgMQ5cjwUMy5OuOt15kGRS03LQNcWJ+mlu2TQ2Hjsza+SV/ahtxzs/NiA==,iv:An3LZG9gnnna8TuNYlXDGxyter/Sj5DbIjZyGedqteU=,tag:2VbInjBoiv+w3nhh6AAQng==,type:str] -sops: - age: - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6bDNNZnh5UTFtei84YXdC - SFJONFdHNE1WZ1FvSFZoSW4rMkh3ZC9tbWljClA0RWlRTFA1K2pSMTAyY0I0d01a - cHlUK3ZTd0lydm82VnpBbUdCQmFRYWcKLS0tIEhicldwUFc0cEt2aFVKeVhSeEtS - eFNBbUY1UXZMSEVzL3YyZDUrWVlxd0EKy5TnMyh7WxWK9lO7MKLINRbwMQuFlN4l - E01+FXAUiVSHO4aJW4CsqeegTAAux3FUWB1tL2myZskOFkJPws3boQ== - -----END AGE ENCRYPTED FILE----- - recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAra3A4ZDQzZEZCRGErVFBK - bUFqS0ZSTjJFYm00cnVuei85MldCU25MV0VrCnMwVTJndWNQbUUwWmJnMUR3MjJp - VXUwV1RaZElaN2l1S3JxQVVoOXhweEkKLS0tIFFndXpaRlRKdzRvUUxUZVN1cXVr - TTFFYmx5OVU4Q3BWaFpWNFlPdGJZSzQKMLLZzESV0JdlNbMGpdDaorJnDKaSuax0 - YQT/+G702pjqOjg8kRbHH8BZ3pK/3wApJBUW5iilAAxIzIm1zU/0Hw== - -----END AGE ENCRYPTED FILE----- - recipient: age1lvlmct30jtg7p4qpf8evtjlld6g74q2ckh803hd3ynr7cz7zlceq84flwu - lastmodified: "2026-05-23T23:09:29Z" - mac: ENC[AES256_GCM,data:dPYCQ7hfToQptTlbeA22MQ7EEtn9NyYvdshG9d24h2kLkPKpq/i0bcmG3o6xfyDsofTPZOOzRjCVUlxRukWuhHODPpyOronoDv3hrJNtj1YHsMzeMEK1xK1hpNtJeYkWx12SBZw4zZ7Vw3tLxc5Ay95LD7ZWCsCTqawbMufMjwc=,iv:3LeWH8eU0vTtnJRr0ZqUHHNdifzb++i6Y3CB6J/2wdA=,tag:40tOjuZZ+0Ww2wOwIXkcUQ==,type:str] - unencrypted_suffix: _unencrypted - version: 3.13.0 diff --git a/config/hosts/nextcloud/sops.nix b/config/hosts/nextcloud/sops.nix deleted file mode 100644 index 78dc2c8..0000000 
--- a/config/hosts/nextcloud/sops.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{ ... }:
-{
- sops = {
- defaultSopsFile = ./secrets.yaml;
- };
-}
diff --git a/config/hosts/nitter/configuration.nix b/config/hosts/nitter/configuration.nix
new file mode 100644
index 0000000..bc54db7
--- /dev/null
+++ b/config/hosts/nitter/configuration.nix
@@ -0,0 +1,17 @@
+{ ... }:
+{
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/vda";
+ };
+
+ networking = {
+ hostName = "nitter";
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 8443 ];
+ };
+ };
+
+ system.stateVersion = "23.05";
+}
diff --git a/config/hosts/nitter/default.nix b/config/hosts/nitter/default.nix
new file mode 100644
index 0000000..6aae884
--- /dev/null
+++ b/config/hosts/nitter/default.nix
@@ -0,0 +1,8 @@
+{ ... }:
+{
+ imports = [
+ ./configuration.nix
+ ./nginx.nix
+ ./nitter.nix
+ ];
+}
diff --git a/config/hosts/nitter/nginx.nix b/config/hosts/nitter/nginx.nix
new file mode 100644
index 0000000..862405c
--- /dev/null
+++ b/config/hosts/nitter/nginx.nix
@@ -0,0 +1,23 @@
+{ config, ... }:
+{
+ services.nginx = {
+ enable = true;
+ virtualHosts."birdsite.nekover.se" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/robots.txt" = {
+ return = "200 \"User-agent: *\\nDisallow: /\\n\"";
+ };
+ locations."/" = {
+ proxyPass = "http://${config.services.nitter.server.address}:${builtins.toString config.services.nitter.server.port}";
+ proxyWebsockets = true;
+ };
+ extraConfig = ''
+ listen 0.0.0.0:8443 http2 ssl proxy_protocol;
+
+ set_real_ip_from 10.202.41.100;
+ real_ip_header proxy_protocol;
+ '';
+ };
+ };
+}
diff --git a/config/hosts/nitter/nitter.nix b/config/hosts/nitter/nitter.nix
new file mode 100644
index 0000000..94165c4
--- /dev/null
+++ b/config/hosts/nitter/nitter.nix
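Review bot: `enableACME = true` with `forceSSL = true` relies on the HTTP-01 challenge reaching this vhost on port 80, but nitter/configuration.nix in this commit opens only 8443 in the firewall and the only listener written here is `listen 0.0.0.0:8443 http2 ssl proxy_protocol;`, so the default port-80 listener NixOS adds for the challenge is unreachable from outside; unless the frontend at 10.202.41.100 relays port 80 to this host or DNS-01 is configured elsewhere, issuance and renewal will fail. The matrix vhosts in this commit keep an explicit `port = 80` listener for that reason. If the challenge is relayed, a one-line comment above `extraConfig` describing that path would save the next reader the same question.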
@@ -0,0 +1,21 @@ +{ ... }: +{ + services.nitter = { + enable = true; + + server = { + title = "Birdsite"; + https = true; + address = "127.0.0.1"; + port = 8080; + hostname = "birdsite.nekover.se"; + }; + + preferences = { + theme = "Mastodon"; + replaceTwitter = "birdsite.nekover.se"; + infiniteScroll = true; + hlsPlayback = true; + }; + }; +} diff --git a/config/hosts/paperless/configuration.nix b/config/hosts/paperless/configuration.nix new file mode 100644 index 0000000..494f08c --- /dev/null +++ b/config/hosts/paperless/configuration.nix @@ -0,0 +1,17 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "paperless"; + firewall = { + enable = true; + allowedTCPPorts = [ 80 443 ]; + }; + }; + + system.stateVersion = "23.05"; +} diff --git a/config/hosts/paperless/default.nix b/config/hosts/paperless/default.nix new file mode 100644 index 0000000..e6ebeed --- /dev/null +++ b/config/hosts/paperless/default.nix @@ -0,0 +1,9 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./hardware-configuration.nix + ./nginx.nix + ./paperless.nix + ]; +} diff --git a/config/hosts/paperless/hardware-configuration.nix b/config/hosts/paperless/hardware-configuration.nix new file mode 100644 index 0000000..17b9b66 --- /dev/null +++ b/config/hosts/paperless/hardware-configuration.nix @@ -0,0 +1,30 @@ +{ ... }: +{ + fileSystems = { + "/mnt/data" = { + device = "/dev/disk/by-label/data"; + fsType = "ext4"; + autoFormat = true; + autoResize = true; + }; + "/mnt/paperless-consume" = { + device = "//10.201.40.10/paperless-consume"; + fsType = "cifs"; + options = [ + "username=paperless" + "credentials=/secrets/paperless-samba-credentials.secret" + "iocharset=utf8" + "vers=3.1.1" + "uid=paperless" + "gid=paperless" + "_netdev" + ]; + }; + "/var/lib/paperless" = { + depends = [ "/mnt/data" ]; + device = "/mnt/data/paperless"; + fsType = "none"; + options = [ "bind" ]; + }; + }; +} 
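Review bot: The `/mnt/paperless-consume` cifs mount in paperless/hardware-configuration.nix reads `/secrets/paperless-samba-credentials.secret`, which only exists after a colmena key upload; whether it survives a reboot depends on `/secrets` being persistent storage, which nothing in this change shows. If it is not, the share fails to mount at boot until the next deploy, so adding `nofail` (or `x-systemd.automount`) to `options` keeps a missing share from degrading boot, and a comment on `destDir` stating that `/secrets` is persistent would settle the question. The same applies to the cifs mount in torrent/configuration.nix. If the share traffic crosses a segment you do not fully trust, the `seal` mount option forces SMB3 encryption on the session.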
diff --git a/config/hosts/paperless/nginx.nix b/config/hosts/paperless/nginx.nix new file mode 100644 index 0000000..e4a2131 --- /dev/null +++ b/config/hosts/paperless/nginx.nix @@ -0,0 +1,31 @@ +{ config, ... }: +{ + services.nginx = { + enable = true; + virtualHosts."paperless.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + ]; + locations."/" = { + proxyPass = "http://${config.services.paperless.address}:${builtins.toString config.services.paperless.port}"; + proxyWebsockets = true; + extraConfig = '' + add_header Referrer-Policy "strict-origin-when-cross-origin"; + ''; + }; + extraConfig = '' + client_max_body_size 100M; + ''; + }; + }; +} diff --git a/config/hosts/paperless/paperless.nix b/config/hosts/paperless/paperless.nix new file mode 100644 index 0000000..1def83d --- /dev/null +++ b/config/hosts/paperless/paperless.nix @@ -0,0 +1,8 @@ +{ ... }: +{ + services.paperless = { + enable = true; + consumptionDir = "/mnt/paperless-consume"; + passwordFile = "/secrets/paperless-admin-password.secret"; + }; +} diff --git a/config/hosts/paperless/secrets.nix b/config/hosts/paperless/secrets.nix new file mode 100644 index 0000000..6726881 --- /dev/null +++ b/config/hosts/paperless/secrets.nix @@ -0,0 +1,21 @@ +{ keyCommandEnv, ... }: +{ + deployment.keys = { + "paperless-admin-password.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "paperless/admin-password" ]; + destDir = "/secrets"; + user = "paperless"; + group = "paperless"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "paperless-samba-credentials.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "paperless/samba-credentials" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + }; +} diff --git a/config/hosts/searx/default.nix b/config/hosts/searx/default.nix index ab8d68f..ee2a678 100644 
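Review bot: `paperless-admin-password.secret` in paperless/secrets.nix is uploaded with `user = "paperless"` at `pre-activation`, but on a fresh host the `paperless` user and group are created by the activation that follows; if colmena resolves the owner on the target at upload time, the first deploy fails on that key. Either upload it `post-activation` or keep `root` ownership, after confirming which user actually reads `passwordFile` in the paperless module. A one-line comment on the key recording that decision, e.g. `# owner must exist before upload; first deploy needs the paperless user`, would save the next person the same trip.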
--- a/config/hosts/searx/default.nix
+++ b/config/hosts/searx/default.nix
@@ -4,6 +4,5 @@
./configuration.nix
./nginx.nix
./searx.nix
- ./sops.nix
];
}
diff --git a/config/hosts/searx/nginx.nix b/config/hosts/searx/nginx.nix
index 9283018..a84c171 100644
--- a/config/hosts/searx/nginx.nix
+++ b/config/hosts/searx/nginx.nix
@@ -21,8 +21,7 @@
proxyPass = "http://${config.services.searx.settings.server.bind_address}:${builtins.toString config.services.searx.settings.server.port}";
};
extraConfig = ''
- set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
- set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
+ set_real_ip_from 10.202.41.100;
real_ip_header proxy_protocol;
'';
};
diff --git a/config/hosts/searx/searx.nix b/config/hosts/searx/searx.nix
index 29a645e..cdb9940 100644
--- a/config/hosts/searx/searx.nix
+++ b/config/hosts/searx/searx.nix
@@ -24,13 +24,6 @@
ui.static_use_hash = true;
enabled_plugins = [ "Hash plugin" "Self Informations" "Tracker URL remover" "Ahmia blacklist" ];
};
- environmentFile = "/run/secrets/searx-secret-key";
- };
-
- sops.secrets."searx-secret-key" = {
- mode = "0440";
- owner = "root";
- group = "root";
- restartUnits = [ "searx.service" ];
+ environmentFile = "/secrets/searx-secret-key.secret";
};
}
diff --git a/config/hosts/searx/secrets.nix b/config/hosts/searx/secrets.nix
new file mode 100644
index 0000000..38231fc
--- /dev/null
+++ b/config/hosts/searx/secrets.nix
@@ -0,0 +1,11 @@
+{ keyCommandEnv, ... }:
+{
+ deployment.keys."searx-secret-key.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "searx/secret-key" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+}
diff --git a/config/hosts/searx/secrets.yaml b/config/hosts/searx/secrets.yaml
deleted file mode 100644
index 70c5b8f..0000000
--- a/config/hosts/searx/secrets.yaml
+++ /dev/null
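Review bot: The removed sops entry in searx/searx.nix restarted `searx.service` when the key changed (`restartUnits`), and the replacement `deployment.keys` entry in searx/secrets.nix carries no equivalent trigger, so a rotated secret key is only picked up at the next searx restart. Either wire a restart into the deployment or record the manual step next to the key, e.g. `# rotated via deployment.keys: restart searx.service after re-deploying`. The same trigger is dropped for the six WireGuard keys in valkyrie/configuration.nix (`restartUnits = [ "wireguard-wg0.service" ]` and `wg1`), where a stale private key or PSK silently keeps the old tunnel until the unit is restarted. In searx/nginx.nix the `# IPv4 from web-public-2` comment went away with the valkyrie line; keeping it makes the trusted proxy identifiable, `set_real_ip_from 10.202.41.100; # web-public-2`.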
@@ -1,25 +0,0 @@ -searx-secret-key: ENC[AES256_GCM,data:FH/TfmvtaDIwVCDf69EJBgUljeUFGEzBBF2nUNPxZL5HKh4zPR5peVW1vld2OSNWd3UD72H+/F/7TArcV3nEJgqNc/rU9BXsUeS4tvsrZqlI,iv:p5Rdz8clGb8mBF8mVqSjYhDPXrsIVM4KC2WcXwAs8O4=,tag:C/wZoqqF+mcYRGjVUSLjhQ==,type:str] -sops: - age: - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjWVN5bnY5OTZlT3MwVFZR - YjhTR3Z6Q3QrRDVHN0pvVDl4ZTJXMHNLVEdBCjZHcW9uWStQUXBBcWRrZHlhbjlx - blhGOWRRS0UzSVFTQmJSWUZrQ3kwZlUKLS0tIFBLcDROOU1aU05hVFR0NGJWY0xY - Q2VmY0lHUmhKSGtWT01NN2t6amVVMzQKgpe5zffX6Pc1GDJ8zA7ipa257zG5ZRho - rLdQBJkA+N4crKj12lPLYf5fd4sowfFMTfsdyuxcZUD7Wwq8SO7aQA== - -----END AGE ENCRYPTED FILE----- - recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJTmhNeUdMRnpWQ0JoWmRJ - Uk5ubUF3K3l2eDUzYnB4ZXQvRUJ5dnJmOXd3CnlhUEJHK0NvNVA5dWp0eGV5VWR1 - ZzV6S3hneiszZU4vaEg0R2laOU1XbTAKLS0tIDU2ZkFWcXl5TE9Sd1AxVjZ1Rzlq - UUFXZEQ2cDlsS2hnTVVlNWxDK3VyeWMKMvH2PBlKpyHt4WVp9BLJwAGm2h8QPMa1 - LCxybdE3+Gs6uQboKX6uo5pMXMQPOedyJZFBDhdu74BOd46u0rcMoQ== - -----END AGE ENCRYPTED FILE----- - recipient: age17h3js5v8s5vezcankky6kqxcrvtfxanmvhp3axmnqs4y9s2lr9yqvc6zrn - lastmodified: "2026-05-23T23:16:55Z" - mac: ENC[AES256_GCM,data:yx+gxeRcl89iokWwH+a+t/OVtOUZUN3Sws/85o9hymtefBxNLqX7GGTMZfa/nQloD4avevWTU71TkYZWRZZj/qlW2B29BSPoIfadbba5rgJHu5D/ij4XrYY14wK3SwMTKpwkjhSBiFOFZLml0zADPWaJH0F6QCTSshUsFQapAW8=,iv:vZt/ejbutG+1UuIU+mQIVXbsl0TQhE+nrulvP0rIVpI=,tag:iSSbw67/A8oMknEzcoOgXw==,type:str] - unencrypted_suffix: _unencrypted - version: 3.13.0 diff --git a/config/hosts/searx/sops.nix b/config/hosts/searx/sops.nix deleted file mode 100644 index 78dc2c8..0000000 --- a/config/hosts/searx/sops.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ ... }: -{ - sops = { - defaultSopsFile = ./secrets.yaml; - }; -} diff --git a/config/hosts/torrent/configuration.nix b/config/hosts/torrent/configuration.nix index e673884..83dbdab 100644 
--- a/config/hosts/torrent/configuration.nix +++ b/config/hosts/torrent/configuration.nix @@ -15,7 +15,7 @@ fsType = "cifs"; options = [ "username=torrent" - "credentials=/run/secrets/torrent-samba-credentials" + "credentials=/secrets/torrent-samba-credentials.secret" "iocharset=utf8" "vers=3.1.1" "uid=torrent" @@ -25,11 +25,5 @@ }; }; - sops.secrets."torrent-samba-credentials" = { - mode = "0440"; - owner = "root"; - group = "root"; - }; - system.stateVersion = "24.11"; } diff --git a/config/hosts/torrent/default.nix b/config/hosts/torrent/default.nix index d10522c..dc6a854 100644 --- a/config/hosts/torrent/default.nix +++ b/config/hosts/torrent/default.nix @@ -7,6 +7,5 @@ ./radarr.nix ./sonarr.nix ./nginx.nix - ./sops.nix ]; } diff --git a/config/hosts/torrent/secrets.nix b/config/hosts/torrent/secrets.nix new file mode 100644 index 0000000..289778a --- /dev/null +++ b/config/hosts/torrent/secrets.nix @@ -0,0 +1,13 @@ +{ keyCommandEnv, ... }: +{ + deployment.keys = { + "torrent-samba-credentials.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "torrent/samba-credentials" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + }; +} diff --git a/config/hosts/torrent/secrets.yaml b/config/hosts/torrent/secrets.yaml deleted file mode 100644 index 021916b..0000000 --- a/config/hosts/torrent/secrets.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -torrent-samba-credentials: ENC[AES256_GCM,data:dPK2pePHoH+bOvE1NsQ5N6/UncaLCTqpTvQEI0lmYBxCpaI6F14+JwwTYDzqxuNAgLDRDdRINoLQWdkMR8Cwk1AzRWObE6BKHA==,iv:cEImJtn9N3O8RJUYe77BbuDAMbLAzqWu3WVbcM5B6k8=,tag:MXPRfjvqViNa0uvJvH449Q==,type:str] -sops: - age: - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLSE44bFdlQlArMUdwTDdD - TVdCdWF6QkVCTzFxRWd0T2xYSWJUWTdEY25rCnRhd0t6OVVpbzNQTDVwNHRybmMy - ZlYwdTRpVnFmTG1VbVlnT1ZtSHpMeFEKLS0tIGZNRDU0SFpMS0cvY3JOSnpLR2FK - TG1pZGpGRXA3bTc4NDQrWkFLVUxIS1EKrm9NENbpt/moVGrBhVLSOzFtBtLKoOJT - A87C8H4SHQ1W61X4Chz+eQdCRCqVUWUXvyOgJsC1cwECjXR177zQ3w== - -----END AGE ENCRYPTED FILE----- - recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJTlpSQlFZOFZqZ3BTR3Fj - WEV3TTBIYjZaSTd0MVl2V2owbS9VRS81bTI0CkJKQVBtcnhmZ2tKaThocTM2Q29O - NHJCczNSY01EeDNZQTdjUjI5cHFnRnMKLS0tIDlUKzkyUHdGbDlhekY4N3NMRTNm - c2tmVHBQTWprSVE0eEJGajNPcFJCWTQKPopTbKZuLVxipgl9S4wMzYyjFj9T0Euq - t8Yw2jG8s09EeKq2slwBUqev0JpIptwItT/yiuWNQgu70V9Cd7uZhA== - -----END AGE ENCRYPTED FILE----- - recipient: age1m37wtvp7fpavaygn2jc6kq2gtuvgvf0jgwwhd3p5862djv5segqs97mg7c - lastmodified: "2026-05-23T23:24:28Z" - mac: ENC[AES256_GCM,data:3dwyQ1ZBoL/Pq8gqyBhGSLy3HHYCLtP75ezkJQR8ndY8n9yHtkfuR96H6+OkskASReDpFo4HfuYOLSiZZlli4pokYCrdtCbm53kE92L2n5jXWDXur/EIwjHfRe2rsPyvKbhe4zLB8GPQYMsxzHN0iYbO+6/TmPGTzi26iZvLlrc=,iv:Gf5oWQ7foRy1mb41X9+jYXS+20mSJBXWbuFtZP6FRmk=,tag:jigFUiga1zHJ+xLE4ObZTQ==,type:str] - unencrypted_suffix: _unencrypted - version: 3.13.0 diff --git a/config/hosts/torrent/sops.nix b/config/hosts/torrent/sops.nix deleted file mode 100644 index 78dc2c8..0000000 --- a/config/hosts/torrent/sops.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ ... }: -{ - sops = { - defaultSopsFile = ./secrets.yaml; - }; -} diff --git a/config/hosts/valkyrie/configuration.nix b/config/hosts/valkyrie/configuration.nix index 3534c33..aca6e04 100644 
--- a/config/hosts/valkyrie/configuration.nix +++ b/config/hosts/valkyrie/configuration.nix @@ -7,7 +7,7 @@ nftables.enable = true; firewall = { enable = true; - allowedTCPPorts = [ 80 443 8448 ]; + allowedTCPPorts = [ 80 443 ]; allowedUDPPorts = [ 51820 51821 51822 51824 51827 51828 51829 51830 ]; }; wireguard = { @@ -23,26 +23,26 @@ { name = "site1-grzb"; publicKey = "SJ8xCRb4hWm5EnXoV4FnwgbiaxmY2wI+xzfk+3HXERg="; - presharedKeyFile = "/run/secrets/wireguard-valkyrie-site1-grzb-psk"; + presharedKeyFile = "/secrets/wireguard-valkyrie-site1-grzb-psk.secret"; endpoint = "site1.grzb.de:51826"; allowedIPs = [ "10.203.10.1/32" "10.201.0.0/16" ]; } { name = "site2-grzb"; publicKey = "BbNeBTe6HwQuHPK+ZQXWYRZJJMPdS0h81n07omYyRl4="; - presharedKeyFile = "/run/secrets/wireguard-valkyrie-site2-grzb-psk"; + presharedKeyFile = "/secrets/wireguard-valkyrie-site2-grzb-psk.secret"; endpoint = "site2.grzb.de:51826"; allowedIPs = [ "10.203.10.2/32" "10.202.0.0/16" ]; } { name = "site1-jsts"; publicKey = "u9h+D8XZ62ABnetBRKnf6tjs+tJwM8fQ4d6ipOCLFyE="; - presharedKeyFile = "/run/secrets/wireguard-valkyrie-site1-jsts-psk"; + presharedKeyFile = "/secrets/wireguard-valkyrie-site1-jsts-psk.secret"; endpoint = "site1.jsts.xyz:51823"; allowedIPs = [ "10.203.10.4/32" ]; } ]; - privateKeyFile = "/run/secrets/wireguard-valkyrie-wg0-privatekey"; + privateKeyFile = "/secrets/wireguard-valkyrie-wg0-privatekey.secret"; }; # mail-1 VPN wg1 = { @@ -54,7 +54,7 @@ { name = "mail-1"; publicKey = "CyKPjkY1ah/lE6V3R0XugNo28doeAtD8wEtAeDB7bHs="; - presharedKeyFile = "/run/secrets/wireguard-valkyrie-mail-1-valkyrie-psk"; + presharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-valkyrie-psk.secret"; allowedIPs = [ "172.18.50.2/32" ]; } ]; 
@@ -66,7 +66,7 @@ ${pkgs.iptables}/bin/iptables -D FORWARD -i wg1 -j ACCEPT ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.18.50.0/24 -o ens3 -j MASQUERADE ''; - privateKeyFile = "/run/secrets/wireguard-valkyrie-wg1-privatekey"; + privateKeyFile = "/secrets/wireguard-valkyrie-wg1-privatekey.secret"; }; }; }; @@ -96,42 +96,5 @@ services.prometheus.exporters.node.enable = false; - sops.secrets."wireguard-valkyrie-wg0-privatekey" = { - mode = "0440"; - owner = "root"; - group = "root"; - restartUnits = [ "wireguard-wg0.service" ]; - }; - sops.secrets."wireguard-valkyrie-site1-grzb-psk" = { - mode = "0440"; - owner = "root"; - group = "root"; - restartUnits = [ "wireguard-wg0.service" ]; - }; - sops.secrets."wireguard-valkyrie-site2-grzb-psk" = { - mode = "0440"; - owner = "root"; - group = "root"; - restartUnits = [ "wireguard-wg0.service" ]; - }; - sops.secrets."wireguard-valkyrie-site1-jsts-psk" = { - mode = "0440"; - owner = "root"; - group = "root"; - restartUnits = [ "wireguard-wg0.service" ]; - }; - sops.secrets."wireguard-valkyrie-wg1-privatekey" = { - mode = "0440"; - owner = "root"; - group = "root"; - restartUnits = [ "wireguard-wg1.service" ]; - }; - sops.secrets."wireguard-valkyrie-mail-1-valkyrie-psk" = { - mode = "0440"; - owner = "root"; - group = "root"; - restartUnits = [ "wireguard-wg1.service" ]; - }; - system.stateVersion = "24.11"; } diff --git a/config/hosts/valkyrie/default.nix b/config/hosts/valkyrie/default.nix index 1f91238..68a1b85 100644 --- a/config/hosts/valkyrie/default.nix +++ b/config/hosts/valkyrie/default.nix @@ -5,6 +5,5 @@ ./nginx.nix ./containers/uptime-kuma ./services.nix - ./sops.nix ]; } diff --git a/config/hosts/valkyrie/nginx.nix b/config/hosts/valkyrie/nginx.nix index 2ea8db8..fae78f0 100644 --- a/config/hosts/valkyrie/nginx.nix +++ b/config/hosts/valkyrie/nginx.nix 
@@ -33,35 +33,5 @@ }; }; }; - - streamConfig = '' - map $ssl_preread_server_name $address { - cloud.nekover.se 10.202.41.122:8443; - element.nekover.se 10.202.41.100:8443; - element-admin.nekover.se 10.202.41.100:8443; - fi.nekover.se 10.202.41.125:8443; - git.nekover.se 10.202.41.106:8443; - id.nekover.se 10.202.41.124:8443; - mas.nekover.se 10.202.41.112:8443; - matrix.nekover.se 10.202.41.112:8443; - matrix-rtc.nekover.se 10.202.41.112:8443; - mesh.nekover.se 10.202.41.126:8443; - nekover.se 10.202.41.100:8443; - nix-cache.nekover.se 10.202.41.121:8443; - searx.nekover.se 10.202.41.105:8443; - social.nekover.se 10.202.41.104:8443; - } - server { - listen [::]:443; - proxy_pass $address; - ssl_preread on; - proxy_protocol on; - } - server { - listen [::]:8448; - proxy_pass 10.202.41.112:8448; # matrix federation port - proxy_protocol on; - } - ''; }; } diff --git a/config/hosts/valkyrie/secrets.nix b/config/hosts/valkyrie/secrets.nix new file mode 100644 index 0000000..3acc555 --- /dev/null +++ b/config/hosts/valkyrie/secrets.nix 
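Review bot: Removing valkyrie's `listen [::]:443` SNI passthrough makes the new `listen [::]:443` on web-public-2 the only IPv6 entry point for these names, and the diff cannot show whether their AAAA records were moved accordingly; until DNS follows, IPv6 clients reach a closed port 443 on valkyrie. A comment in web-public-2/nginx.nix such as `# IPv6 front end moved here from valkyrie; AAAA records must point at web-public-2` would tie the two hunks together. The 8448 federation passthrough disappears from both hosts as well; the firewall side of that is raised on web-public-2/configuration.nix.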
@@ -0,0 +1,53 @@ +{ keyCommandEnv, ... }: +{ + deployment.keys = { + "wireguard-valkyrie-wg0-privatekey.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-wg0-privatekey" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "wireguard-valkyrie-site1-grzb-psk.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-site1-grzb/psk" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "wireguard-valkyrie-site2-grzb-psk.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-site2-grzb/psk" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "wireguard-valkyrie-site1-jsts-psk.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-site1-jsts/psk" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "wireguard-valkyrie-wg1-privatekey.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-wg1-privatekey" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "wireguard-valkyrie-mail-1-valkyrie-psk.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-mail-1/psk" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + }; +} diff --git a/config/hosts/valkyrie/secrets.yaml b/config/hosts/valkyrie/secrets.yaml deleted file mode 100644 index 57e5ccb..0000000 --- a/config/hosts/valkyrie/secrets.yaml +++ /dev/null 
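Review bot: The six entries in valkyrie/secrets.nix repeat `destDir`, `user`, `group`, `permissions` and `uploadAt` verbatim and differ only in the key name and the `pass` path, as do the entries in paperless/, searx/ and torrent/secrets.nix; a small helper makes each key line carry only what varies and keeps a future permission change in one place. The sketch below keeps the attribute names and values unchanged; the helper could also live in a shared module so the four files cannot drift apart.
```nix
{ keyCommandEnv, ... }:
let
  # One colmena key entry, root-owned, uploaded before activation.
  mkKey = passName: {
    keyCommand = keyCommandEnv ++ [ "pass" passName ];
    destDir = "/secrets";
    user = "root";
    group = "root";
    permissions = "0640";
    uploadAt = "pre-activation";
  };
in
{
  deployment.keys = {
    "wireguard-valkyrie-wg0-privatekey.secret" = mkKey "wireguard/valkyrie-wg0-privatekey";
    "wireguard-valkyrie-site1-grzb-psk.secret" = mkKey "wireguard/valkyrie-site1-grzb/psk";
    # … unchanged: the remaining four keys follow the same pattern …
  };
}
```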
@@ -1,30 +0,0 @@ -wireguard-valkyrie-wg0-privatekey: ENC[AES256_GCM,data:9swm9dqXWFAcYIHyGjDEyxxr9BTio6RiRKCkdpNp4Y9Sr7W47j84w6kGcH4=,iv:kNOoW38EasmwgdY3P6+Tsd0ufJCL6n9SU9IjMgN5E+U=,tag:vLZqiv+ONLuKpogXM/Lbng==,type:str] -wireguard-valkyrie-site1-grzb-psk: ENC[AES256_GCM,data:b9OrqPFS0oBO8CegA23T9Vxb68hN5F2td6Z7NuIs8Rkr8dcfTAFnsBRNybY=,iv:B/qO6alDlDohDUMnDadMbqXTWi7q1c3B3sx7wk2MvL4=,tag:/Ene7PsPErH5rU+qaOA9wQ==,type:str] -wireguard-valkyrie-site2-grzb-psk: ENC[AES256_GCM,data:DTpDyVXnH9Vz+4YnLY3WbVhFEvjVh5t/M6l9N+gQSAVAg+NDZxhveBuR0O8=,iv:idIPxZ6Oxn0sob2lrGt2wsUWR8mlZ+ddRSlcb5uHbcA=,tag:qNXbUtwtY5KnPp1wHniD9g==,type:str] -wireguard-valkyrie-site1-jsts-psk: ENC[AES256_GCM,data:BJ2U779egMGG1DyuxcGYcX1yZdqybXqmtFJpzOZ5xOeHo98sb+j4O8Q3VVs=,iv:FDqcFdqPTn2CqY+lXSdXowEHAWIugkj+o+p3QNzYNWo=,tag:RXXhL3hgFjFPOSzNvqbpXw==,type:str] -wireguard-valkyrie-wg1-privatekey: ENC[AES256_GCM,data:5fyjBs7ZH1DomFKFXelVSRF0QvHnLrhztYCy2rghpNkHWEWaf0RJaCZHQ+8=,iv:aoYbWKcPW1LBljYFN5s3Le0LbQOBltTicEbyZCSFQ3o=,tag:MjmOG+79D3szR9tEFIaKCA==,type:str] -wireguard-valkyrie-mail-1-valkyrie-psk: ENC[AES256_GCM,data:g3IHwa5KBLGBYcl27UtHEn3oa2oFY9cZ4vVodhF3sHUmVPhwfrLulEkqXi0=,iv:yom0odezXCMf9uHVAJWil38R7jSy+D8spJC37EFnq1s=,tag:uCNG66hs3zKntrzBfWVdZg==,type:str] -sops: - age: - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwdkltL1RSSG1CczZnanRV - Zzd4aW1BbUR2S2NpcFZmNXZCQTNGdmQxVW5BCkVDRnZPNEl5MW5lY1ZDRnFBN3Y3 - bm1MSTVyZnp0M2pCbXhCQ2NjT28zdzgKLS0tIEFuNDhvMGZkaE5UbGQ4WlVvZUZo - YzR2Mm9sd3hWQkdvOGJ6MkhSa2J5bEEKWWzpmcva3cXFa53SrrSM+CPaj6tHRnRX - UkJELp8VQDgUOCWnWAy6gbmmu9bNYSEyjzufu0eW1GArOs9F/QvQPg== - -----END AGE ENCRYPTED FILE----- - recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKZ2VNVGxWc3JLeFZDMFF2 - c3g0V2ZybnFNVkJUZlF4WWFHWWRCNHl5QVJNCk1PcU9yM3ZjakhMazZWSlFSN3pW - eEZTaWdqaDZkUE1qZ2MyM1RodkxOeUEKLS0tIGRicURwV1lhck1DTVo2YzhkeXlN - 
QnBnY3ViYUw4NkszVWhaMXhPM1BQdjAKFzJexdsikV4im1B50bKM6FKfN3RQHTqa - 9fU5X3xjdH7jpBhGn5HGROvMNjmPrlbz5DaxIJ1hUtUtc8fpYPoNgA== - -----END AGE ENCRYPTED FILE----- - recipient: age1guqc5pnajp2whkla6vws4yqnpe5hq4z89w6te3n5yql5pugzfqlqczjlee - lastmodified: "2026-05-24T00:00:10Z" - mac: ENC[AES256_GCM,data:Ioke9QIDw2GM36EMiHKVC00WyBbZbqNd+e/hF+ZUiFudH7GAVDfWBM8FaP3Q5uQBpoPvHzVsYIMV+15daVEKvU0zIep2Aqluxclijb9ljuxmn6JpC29tImyMzEMUw18bgqaoHQvCa5qscC01QFzpFN3mASeVlAJCPl8ggOu4gsE=,iv:JEwH0GLrLJd1ptQDJKpUJLCreYJGVeWzONBasIJ4ors=,tag:jo7p7HDBrV5XBPyKtpep+w==,type:str] - unencrypted_suffix: _unencrypted - version: 3.13.0 diff --git a/config/hosts/valkyrie/services.nix b/config/hosts/valkyrie/services.nix index 83ad8ff..dc0fa6d 100644 --- a/config/hosts/valkyrie/services.nix +++ b/config/hosts/valkyrie/services.nix @@ -30,7 +30,5 @@ in User = "root"; Group = "root"; }; - - wantedBy = [ "multi-user.target" ]; }; } diff --git a/config/hosts/valkyrie/sops.nix b/config/hosts/valkyrie/sops.nix deleted file mode 100644 index 78dc2c8..0000000 --- a/config/hosts/valkyrie/sops.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ ... }: -{ - sops = { - defaultSopsFile = ./secrets.yaml; - }; -} diff --git a/config/hosts/web-public-1/configuration.nix b/config/hosts/web-public-1/configuration.nix new file mode 100644 index 0000000..7f3b8fa --- /dev/null +++ b/config/hosts/web-public-1/configuration.nix @@ -0,0 +1,17 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "web-public-1"; + firewall = { + enable = true; + allowedTCPPorts = [ 80 443 ]; + }; + }; + + system.stateVersion = "23.05"; +} diff --git a/config/hosts/web-public-1/default.nix b/config/hosts/web-public-1/default.nix new file mode 100644 index 0000000..3db73ca --- /dev/null +++ b/config/hosts/web-public-1/default.nix @@ -0,0 +1,7 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./nginx.nix + ]; +} 
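Review bot: Dropping `wantedBy = [ "multi-user.target" ]` from the systemd unit in valkyrie/services.nix means the unit is no longer started at boot or on activation, only when something else pulls it in; the unit definition begins before the hunk, so its name and any timer are not visible here. If that is intended (timer-driven or started by hand), a comment at the unit saying so prevents someone from re-adding the line; if not, the unit is effectively disabled by this commit.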
diff --git a/config/hosts/web-public-1/nginx.nix b/config/hosts/web-public-1/nginx.nix new file mode 100644 index 0000000..0453a73 --- /dev/null +++ b/config/hosts/web-public-1/nginx.nix @@ -0,0 +1,10 @@ +{ ... }: +{ + imports = [ + ./virtualHosts + ]; + + services.nginx = { + enable = true; + }; +} diff --git a/config/hosts/web-public-1/virtualHosts/acme-challenge.nix b/config/hosts/web-public-1/virtualHosts/acme-challenge.nix new file mode 100644 index 0000000..c9b7e61 --- /dev/null +++ b/config/hosts/web-public-1/virtualHosts/acme-challenge.nix @@ -0,0 +1,18 @@ +{ ... }: +let + acmeDomainMap = { + "paperless.grzb.de" = "paperless.wg.grzb.de"; + "navidrome.grzb.de" = "navidrome.wg.grzb.de"; + }; +in +{ + services.nginx.virtualHosts = (builtins.mapAttrs (domain: target: { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."^~ /.well-known/acme-challenge/" = { + proxyPass = "http://${target}:80"; + }; + }) acmeDomainMap); +} diff --git a/config/hosts/web-public-1/virtualHosts/default.nix b/config/hosts/web-public-1/virtualHosts/default.nix new file mode 100644 index 0000000..e191a9c --- /dev/null +++ b/config/hosts/web-public-1/virtualHosts/default.nix @@ -0,0 +1,16 @@ +{ ... }: +{ + imports = [ + ./acme-challenge.nix + ]; + + services.nginx.virtualHosts."_" = { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."/" = { + return = "301 https://$host$request_uri"; + }; + }; +} diff --git a/config/hosts/web-public-2/configuration.nix b/config/hosts/web-public-2/configuration.nix index e942787..94e74b6 100644 --- a/config/hosts/web-public-2/configuration.nix +++ b/config/hosts/web-public-2/configuration.nix @@ -21,7 +21,7 @@ hostName = "web-public-2"; firewall = { enable = true; - allowedTCPPorts = [ 80 443 5000 8443 8448 ]; + allowedTCPPorts = [ 80 443 5000 8448 ]; }; }; diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix index 87a1ec9..608d6a7 100644 --- a/config/hosts/web-public-2/nginx.nix 
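Review bot: The vhosts generated from `acmeDomainMap` in web-public-1/virtualHosts/acme-challenge.nix define only the `^~ /.well-known/acme-challenge/` location, so once nginx matches `paperless.grzb.de` or `navidrome.grzb.de` the `_` catch-all redirect in virtualHosts/default.nix no longer applies and every other path on those names is answered from nginx's default root over plain HTTP instead of being sent to HTTPS. Adding `locations."/".return = "301 https://$host$request_uri";` to the mapped attrset restores the redirect for those names. The parentheses around `builtins.mapAttrs` are unnecessary.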
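Review bot: `8448` stays in `allowedTCPPorts` in web-public-2/configuration.nix although the stream `server { listen 0.0.0.0:8448; ... }` that forwarded it to 10.202.41.112 is removed in web-public-2/nginx.nix, so unless another 8448 listener exists outside this diff the port is now open with nothing bound to it. Dropping it keeps the firewall aligned with what listens: `allowedTCPPorts = [ 80 443 5000 ];`. If federation is meant to return later, a comment saying so is preferable to leaving the port open.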
+++ b/config/hosts/web-public-2/nginx.nix @@ -16,16 +16,20 @@ stream { map $ssl_preread_server_name $address { + anisync.grzb.de 127.0.0.1:8443; cloud.nekover.se 10.202.41.122:8443; - element.nekover.se 10.202.41.100:8443; - element-admin.nekover.se 10.202.41.100:8443; + element.nekover.se 127.0.0.1:8443; fi.nekover.se 10.202.41.125:8443; + gameserver.grzb.de 127.0.0.1:8443; + git.grzb.de 127.0.0.1:8443; git.nekover.se 10.202.41.106:8443; + hydra.nekover.se 10.202.41.121:8443; id.nekover.se 10.202.41.124:8443; mas.nekover.se 10.202.41.112:8443; matrix.nekover.se 10.202.41.112:8443; matrix-rtc.nekover.se 10.202.41.112:8443; - nekover.se 10.202.41.100:8443; + mewtube.nekover.se 127.0.0.1:8443; + nekover.se 127.0.0.1:8443; mesh.nekover.se 10.202.41.126:8443; nix-cache.nekover.se 10.202.41.121:8443; searx.nekover.se 10.202.41.105:8443; @@ -33,15 +37,11 @@ } server { listen 0.0.0.0:443; + listen [::]:443; proxy_pass $address; ssl_preread on; proxy_protocol on; } - server { - listen 0.0.0.0:8448; - proxy_pass 10.202.41.112:8448; # matrix federation port - proxy_protocol on; - } } ''; diff --git a/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix new file mode 100644 index 0000000..9a3950a --- /dev/null +++ b/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix @@ -0,0 +1,23 @@ +{ ... }: +{ + services.nginx.virtualHosts."anisync.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [{ + addr = "localhost"; + port = 8443; + ssl = true; + extraParameters = ["proxy_protocol"]; + }]; + locations."/" = { + proxyPass = "http://anisync.vs.grzb.de:8080"; + proxyWebsockets = true; + }; + extraConfig = '' + add_header X-Content-Type-Options nosniff; + + set_real_ip_from 127.0.0.1; + real_ip_header proxy_protocol; + ''; + }; +} diff --git a/config/hosts/web-public-2/virtualHosts/default.nix b/config/hosts/web-public-2/virtualHosts/default.nix index fc2b409..53294f7 100644 
--- a/config/hosts/web-public-2/virtualHosts/default.nix +++ b/config/hosts/web-public-2/virtualHosts/default.nix @@ -2,8 +2,11 @@ { imports = [ ./acme-challenge.nix + ./anisync.grzb.de.nix ./element.nekover.se.nix - ./element-admin.nekover.se.nix + ./gameserver.grzb.de.nix + ./git.grzb.de.nix + ./mewtube.nekover.se.nix ./nekover.se.nix ]; diff --git a/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix deleted file mode 100644 index cb8a45a..0000000 --- a/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix +++ /dev/null 
@@ -1,96 +0,0 @@ -{ config, pkgs, ... }: - -let - elementAdminVersion = "0.1.11"; - elementAdmin = pkgs.stdenv.mkDerivation (finalAttrs: { - pname = "element-admin"; - version = elementAdminVersion; - - src = pkgs.fetchzip { - url = "https://github.com/element-hq/element-admin/archive/refs/tags/v${elementAdminVersion}.zip"; - sha256 = "sha256-tSUTDPspQJjvP1KN4nUr4LYyjNQFj4pKMMA8JmavIxo="; - }; - - nativeBuildInputs = [ - pkgs.nodejs - pkgs.pnpm.configHook - ]; - - pnpmDeps = pkgs.pnpm.fetchDeps { - inherit (finalAttrs) pname version src; - fetcherVersion = 2; - hash = "sha256-Hf4PWey5bczSNbc3QQ9z9X3OVUZ7VHXw7BHGQqJWPac="; - }; - - buildPhase = '' - pnpm build - ''; - - installPhase = '' - cp -a dist $out - ''; - }); -in -{ - services.nginx.virtualHosts."element-admin.nekover.se" = { - forceSSL = true; - enableACME = true; - - listen = [{ - addr = "0.0.0.0"; - port = 8443; - ssl = true; - extraParameters = ["proxy_protocol"]; - }]; - - root = elementAdmin; - - locations."/assets" = { - extraConfig = '' - expires 1y; - add_header Cache-Control "public, max-age=31536000, immutable"; - # Security headers. - add_header X-Frame-Options "DENY" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "strict-origin-when-cross-origin" always; - add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; font-src 'self'; connect-src *; object-src 'none'; media-src 'self'; child-src 'none'; worker-src 'self'; manifest-src 'self';" always; - add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=()" always; - ''; - }; - - locations."/" = { - index = "/index.html"; - tryFiles = "$uri $uri/ /"; - extraConfig = '' - # Security headers. 
- add_header X-Frame-Options "DENY" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "strict-origin-when-cross-origin" always; - add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; font-src 'self'; connect-src *; object-src 'none'; media-src 'self'; child-src 'none'; worker-src 'self'; manifest-src 'self';" always; - add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=()" always; - ''; - }; - - extraConfig = '' - # Security headers. - add_header X-Frame-Options "DENY" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "strict-origin-when-cross-origin" always; - add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; font-src 'self'; connect-src *; object-src 'none'; media-src 'self'; child-src 'none'; worker-src 'self'; manifest-src 'self';" always; - add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=()" always; - - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - ''; - }; -} 
diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index d60f70b..7576beb 100644 --- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix @@ -1,9 +1,9 @@ { pkgs, ... }: let - elementWebVersion = "1.12.17"; + elementWebVersion = "1.12.2"; element-web = pkgs.fetchzip { url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-ZlL4lQar/nEqA/1Js/aQvlnscWfb41oPbK69jSL9584="; + sha256 = "sha256-EZtySIQHgb+Boq97LhzFYKTEO///6YMH3O2DrAy+7Fs="; }; elementWebSecurityHeaders = '' # Configuration best practices @@ -28,7 +28,7 @@ in ]; }; listen = [{ - addr = "0.0.0.0"; + addr = "localhost"; port = 8443; ssl = true; extraParameters = ["proxy_protocol"]; @@ -60,8 +60,7 @@ in # redirect server error pages to the static page /50x.html error_page 500 502 503 504 /50x.html; - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + set_real_ip_from 127.0.0.1; real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix new file mode 100644 index 0000000..c746f3d --- /dev/null +++ b/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix 
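Review bot: `elementWebVersion` in element.nekover.se.nix moves from `1.12.17` back to `1.12.2` with a matching hash change, i.e. the deployed Element Web release is downgraded by fifteen patch releases, and the diff gives no reason. If this is a deliberate pin because a newer release broke something, record it next to the version, e.g. `# pinned to 1.12.2: <reason>; later releases may carry fixes missing here`; if it is an accidental revert (flake.lock in this commit also moves flake-compat to an older revision), restore 1.12.17 and its hash. A public web client should be tracking current releases either way.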
@@ -0,0 +1,28 @@ +{ ... }: +{ + services.nginx.virtualHosts."gameserver.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [{ + addr = "localhost"; + port = 8443; + ssl = true; + extraParameters = ["proxy_protocol"]; + }]; + locations."/" = { + proxyPass = "http://pterodactyl.vs.grzb.de"; + extraConfig = '' + proxy_redirect off; + proxy_buffering off; + proxy_request_buffering off; + ''; + }; + extraConfig = '' + client_max_body_size 1024m; + add_header X-Content-Type-Options nosniff; + + set_real_ip_from 127.0.0.1; + real_ip_header proxy_protocol; + ''; + }; +} diff --git a/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix new file mode 100644 index 0000000..ac9eefb --- /dev/null +++ b/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix @@ -0,0 +1,30 @@ +{ ... }: +{ + services.nginx.virtualHosts."git.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [{ + addr = "localhost"; + port = 8443; + ssl = true; + extraParameters = ["proxy_protocol"]; + }]; + locations."/" = { + proxyPass = "http://gitlab.vs.grzb.de:80"; + extraConfig = '' + gzip off; + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_redirect off; + ''; + }; + extraConfig = '' + client_max_body_size 1024m; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + + set_real_ip_from 127.0.0.1; + real_ip_header proxy_protocol; + ''; + }; +} diff --git a/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix new file mode 100644 index 0000000..1ab842a --- /dev/null +++ b/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix 
@@ -0,0 +1,20 @@
+{ ... }:
+{
+  services.nginx.virtualHosts."mewtube.nekover.se" = {
+    forceSSL = true;
+    enableACME = true;
+    listen = [{
+      addr = "localhost";
+      port = 8443;
+      ssl = true;
+      extraParameters = ["proxy_protocol"];
+    }];
+    locations."/" = {
+      proxyPass = "http://cloudtube.vs.grzb.de:10412";
+    };
+    extraConfig = ''
+      set_real_ip_from 127.0.0.1;
+      real_ip_header proxy_protocol;
+    '';
+  };
+}
diff --git a/config/hosts/web-public-2/virtualHosts/nekover.se.nix b/config/hosts/web-public-2/virtualHosts/nekover.se.nix
index f33a3b9..40ee30d 100644
--- a/config/hosts/web-public-2/virtualHosts/nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/nekover.se.nix
@@ -4,7 +4,7 @@
     forceSSL = true;
     enableACME = true;
     listen = [{
-      addr = "0.0.0.0";
+      addr = "localhost";
       port = 8443;
       ssl = true;
       extraParameters = ["proxy_protocol"];
@@ -22,16 +22,8 @@
         add_header Access-Control-Allow-Origin *;
       '';
     };
-    locations."/.well-known/matrix/support" = {
-      return = "200 '{\"contacts\": [{\"email_address\": \"admin@nekover.se\", \"role\": \"m.role.admin\"}]}'";
-      extraConfig = ''
-        default_type application/json;
-        add_header Access-Control-Allow-Origin *;
-      '';
-    };
     extraConfig = ''
-      set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
-      set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
+      set_real_ip_from 127.0.0.1;
       real_ip_header proxy_protocol;
     '';
   };
diff --git a/config/users/colmena-deploy/default.nix b/config/users/colmena-deploy/default.nix
index 2ebb9a8..cc4029b 100644
--- a/config/users/colmena-deploy/default.nix
+++ b/config/users/colmena-deploy/default.nix
@@ -8,7 +8,6 @@
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuhk+x7msByGFekRmS2SMeTT3sC4I0MtuEQXjN8MZXa fi@cherry"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPi3G2JfDLJeLVtdF8fEQN9S6W1xfLNmzFm74f0jN6t fi@stardew"
     ];
   };
 }
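Review bot: The new `mewtube.nekover.se` vhost is the only one of the three vhosts added in this commit whose `extraConfig` sets no response headers — `gameserver.grzb.de.nix` adds `add_header X-Content-Type-Options nosniff;` and `git.grzb.de.nix` adds that plus `add_header X-Frame-Options DENY;` — so the MIME-sniffing and framing protections present on the siblings are missing here. Unless the upstream at `http://cloudtube.vs.grzb.de:10412` emits them itself, add `add_header X-Content-Type-Options nosniff;` next to `set_real_ip_from 127.0.0.1;`, or record in a comment why this vhost is exempt.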
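Review bot: The `fi@stardew` key is removed by hand here and again in `config/users/fi/default.nix` and `config/users/yuri/default.nix`, which shows the authorized-key lists are duplicated across three files; a key retired or compromised later must be found and deleted in every copy, and one forgotten copy keeps the old device authorized for that user. Consider defining the shared key set once (a small attrset in a common module, say) and referencing it from each user so a single deletion revokes access everywhere. A short comment above each list naming the device behind every key and the date of the last review would also make the next audit easier.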
diff --git a/config/users/fi/default.nix b/config/users/fi/default.nix
index 54881d6..6aed7cf 100644
--- a/config/users/fi/default.nix
+++ b/config/users/fi/default.nix
@@ -8,7 +8,6 @@
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuhk+x7msByGFekRmS2SMeTT3sC4I0MtuEQXjN8MZXa fi@cherry"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE95OjEez/yE+GIaeIoz3OwkXboLboPY4ss9nkt4FLyW fi@kiara"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPi3G2JfDLJeLVtdF8fEQN9S6W1xfLNmzFm74f0jN6t fi@stardew"
     ];
   };
 }
diff --git a/config/users/yuri/default.nix b/config/users/yuri/default.nix
index f4ca1c7..4b2b8ac 100644
--- a/config/users/yuri/default.nix
+++ b/config/users/yuri/default.nix
@@ -7,7 +7,6 @@
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuhk+x7msByGFekRmS2SMeTT3sC4I0MtuEQXjN8MZXa fi@cherry"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPi3G2JfDLJeLVtdF8fEQN9S6W1xfLNmzFm74f0jN6t fi@stardew"
     ];
   };
 }
diff --git a/flake.lock b/flake.lock
index 4b2d904..1ba87cf 100644
--- a/flake.lock
+++ b/flake.lock
@@ -19,11 +19,11 @@
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1767039857,
-        "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
+        "lastModified": 1761588595,
+        "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
+        "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5",
         "type": "github"
       },
       "original": {
@@ -45,11 +45,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1772893680,
-        "narHash": "sha256-JDqZMgxUTCq85ObSaFw0HhE+lvdOre1lx9iI6vYyOEs=",
+        "lastModified": 1763319842,
+        "narHash": "sha256-YG19IyrTdnVn0l3DvcUYm85u3PaqBt6tI6VvolcuHnA=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "8baab586afc9c9b57645a734c820e4ac0a604af9",
+        "rev": "7275fa67fbbb75891c16d9dee7d88e58aea2d761",
         "type": "github"
       },
       "original": {
@@ -103,11 +103,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1769813415,
-        "narHash": "sha256-nnVmNNKBi1YiBNPhKclNYDORoHkuKipoz7EtVnXO50A=",
+        "lastModified": 1764234087,
+        "narHash": "sha256-NHF7QWa0ZPT8hsJrvijREW3+nifmF2rTXgS2v0tpcEA=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "8946737ff703382fda7623b9fab071d037e897d5",
+        "rev": "032a1878682fafe829edfcf5fdfad635a2efe748",
         "type": "github"
       },
       "original": {
@@ -118,11 +118,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1779516755,
-        "narHash": "sha256-4H8sc3E4lGoLmM5M5EmDoVpfAzMuz75q2/UNQV2h/Yg=",
+        "lastModified": 1765178948,
+        "narHash": "sha256-Kb3mIrj4xLg2LeMvok0tpiGPis1VnrNJO0l4kW+0xmc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "63ec6699e426863863e065730574a1f336e4925a",
+        "rev": "f376a52d0dc796aec60b5606a2676240ff1565b9",
         "type": "github"
       },
       "original": {
@@ -134,11 +134,11 @@
     },
     "nixpkgs-master": {
       "locked": {
-        "lastModified": 1779583734,
-        "narHash": "sha256-Q96rInBJ+Fj9uKWfESTZflRTaQAouNEN9yBLmYiXr+8=",
+        "lastModified": 1765227377,
+        "narHash": "sha256-OeTF3YNuXZxN4TxluVEdCG32e5/0pYDb5exWe0RrQBY=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "7187ab1fdea9daa9ed0267b791ac5837f123c5e2",
+        "rev": "a0ea537a4fc4c49fb1e226317829c8b32ed95d0e",
         "type": "github"
       },
       "original": {
@@ -150,11 +150,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1779543187,
-        "narHash": "sha256-6SjdsouT54k1+/DyBqTJwdFlja4RBNq9jP9N+8kBIa0=",
+        "lastModified": 1765183668,
+        "narHash": "sha256-TBA7CE44IHYfvOPBWcyLncpVrrKEiXWPdOrF8CD6W84=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "19942a940b16e7e7285e3cf58f09fa1aeb2f90cd",
+        "rev": "fc2de1563f89f0843eba27f14576d261df0e3b80",
         "type": "github"
       },
       "original": {
@@ -166,11 +166,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1773831496,
-        "narHash": "sha256-JW2/QPyCVzmouqEp1H9kNa8JXd7xEhlam9sy3TYfhDY=",
+        "lastModified": 1764020296,
+        "narHash": "sha256-6zddwDs2n+n01l+1TG6PlyokDdXzu/oBmEejcH5L5+A=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "826430a188181a750ffa5948daff334039c5d741",
+        "rev": "a320ce8e6e2cc6b4397eef214d202a50a4583829",
         "type": "github"
       },
       "original": {
@@ -186,8 +186,7 @@
         "nixpkgs": "nixpkgs",
         "nixpkgs-master": "nixpkgs-master",
         "nixpkgs-unstable": "nixpkgs-unstable",
-        "simple-nixos-mailserver": "simple-nixos-mailserver",
-        "sops-nix": "sops-nix"
+        "simple-nixos-mailserver": "simple-nixos-mailserver"
       }
     },
     "simple-nixos-mailserver": {
@@ -198,11 +197,11 @@
         "nixpkgs": "nixpkgs_2"
       },
       "locked": {
-        "lastModified": 1773912645,
-        "narHash": "sha256-QHzRqq6gh+t3F/QU9DkP7X63dDDcuIQmaDz12p7ANTg=",
+        "lastModified": 1764185122,
+        "narHash": "sha256-+HUOwSIFLoyett2cvRjuFIbhobpHallfP9J2cia1apo=",
         "owner": "simple-nixos-mailserver",
         "repo": "nixos-mailserver",
-        "rev": "25e6dbb8fca3b6e779c5a46fd03bd760b2165bb5",
+        "rev": "a14fe3b293ec2720e5b7fc72ad136d22967e12ba",
         "type": "gitlab"
       },
       "original": {
@@ -211,26 +210,6 @@
         "repo": "nixos-mailserver",
         "type": "gitlab"
       }
-    },
-    "sops-nix": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1777944972,
-        "narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=",
-        "owner": "Mic92",
-        "repo": "sops-nix",
-        "rev": "c591bf665727040c6cc5cb409079acb22dcce33c",
-        "type": "github"
-      },
-      "original": {
-        "owner": "Mic92",
-        "repo": "sops-nix",
-        "type": "github"
-      }
     }
   },
   "root": "root",
diff --git a/flake.nix b/flake.nix
index 512ca5f..2841638 100644
--- a/flake.nix
+++ b/flake.nix
@@ -8,13 +8,9 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
     simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-25.11";
-    sops-nix = {
-      url = "github:Mic92/sops-nix";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
   };
 
-  outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixos-generators, simple-nixos-mailserver, sops-nix, ... }@inputs:
+  outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixos-generators, simple-nixos-mailserver, ... }@inputs:
     let
       hosts = import ./hosts.nix inputs;
       helper = import ./helper.nix inputs;
@@ -33,10 +29,19 @@
 
           specialArgs = {
             inherit nixpkgs-unstable nixpkgs-master hosts simple-nixos-mailserver;
+
+            # Provide environment for secret key command
+            keyCommandEnv = [ "env" "GNUPGHOME=/home/fi/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/fi/pass/infra" ];
           };
         };
       } // builtins.mapAttrs (helper.generateColmenaHost) hosts;
 
+      hydraJobs = {
+        nixConfigurations = builtins.mapAttrs (host: helper.generateNixConfiguration host {
+          inherit nixpkgs-unstable nixpkgs-master hosts simple-nixos-mailserver;
+        }) hosts;
+      };
+
       # Generate a base VM image for Proxmox with `nix build .#base-proxmox`
       packages.x86_64-linux = {
         base-proxmox = nixos-generators.nixosGenerate {
diff --git a/hosts.nix b/hosts.nix
index 83e3a63..b59e3d5 100644
--- a/hosts.nix
+++ b/hosts.nix
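Review bot: `keyCommandEnv` hard-codes `/home/fi/.passinfra_gnupg` and `/home/fi/pass/infra`, so the flake now embeds one operator's home-directory layout and a deploy from any other account or machine will not find the store; consider taking these from the deployer's environment, or at least stating in the comment that deployments are expected to run as that user. The comment `# Provide environment for secret key command` would carry more information as `# Environment for the colmena keyCommand: secrets are read from the deployer's pass store at deploy time, never from this repo` — assuming that is how `keyCommandEnv` is consumed, which is not visible in this hunk. With the `sops-nix` input removed in the hunk above and in flake.lock, any host module still referencing `sops.*` options will fail to evaluate; presumably those references were dropped alongside, but that is worth confirming with a full build. The enclosing `outputs` function begins and ends outside the hunk.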
@@ -1,4 +1,4 @@
-{ nixpkgs, nixpkgs-unstable, nixpkgs-master, sops-nix, ... }:
+{ nixpkgs, nixpkgs-unstable, nixpkgs-master, ... }:
 let
   # Set of environment specific modules
   environments = {
@@ -22,11 +22,14 @@ let
       modules = [
         ./config/common
         ./config/hosts/${name}
-        sops-nix.nixosModules.sops
       ] ++ (if environment != "" then environments.${environment} else []);
     }) hosts;
 in
 generateDefaults {
+  hydra = {
+    site = "vs";
+    environment = "proxmox";
+  };
   ikiwiki = {
     site = "vs";
     environment = "proxmox";
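Review bot: Removing `sops-nix.nixosModules.sops` from the shared `modules` list means every `./config/hosts/${name}` module must now be free of `sops.*` option references, otherwise that host fails evaluation with an undefined-option error; the hunk cannot show whether all hosts were cleaned up, so evaluating every configuration (the new `hydraJobs.nixConfigurations` set in flake.nix is a convenient way) is the check to run before deploying. The new `hydra` entry would benefit from a one-line comment on how that host receives its secrets now that the sops module is gone, e.g. `# CI/build host; secrets delivered via deployment keys, not sops`, if that is indeed the mechanism. The `generateDefaults {` attrset continues past the end of the hunk.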