Agenix secrets overhaul

This commit is contained in:
Jimbo 2024-10-28 23:24:12 -04:00
parent 83796f7cb2
commit 55dcb2fca7
56 changed files with 530 additions and 137 deletions


@ -3,7 +3,7 @@
users.users = {
jimbo = {
description = "Jimbo";
hashedPassword = config.secrets.jimboAccPass;
hashedPasswordFile = config.age.secrets.jimboAccPass.path;
isNormalUser = true;
openssh.authorizedKeys.keys = [
(builtins.readFile ../../../../../hosts/firefly/id_ed25519.pub)
@ -17,7 +17,7 @@
(builtins.readFile ../../../../../hosts/cyberspark/id_ed25519.pub)
(builtins.readFile ../../../../../hosts/bomberman/id_ed25519.pub)
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJahAoF74BY6GCTsFkt1ADKaraFgJJozW1Y1aBTLK0j9 Pixel9"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJahAoF74BY6GCTsFkt1ADKaraFgJJozW1Y1aBTLK0j9"
];
extraGroups = [
"wheel"
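Review bot: The rewritten `ssh-ed25519 …` entry drops the trailing comment field (`Pixel9`) that identified which device the key belongs to; assuming the second of the two lines is the new one, the key material itself is unchanged. The comment field is the only in-file record of which authorized key is which, which is what you need when a single device's key has to be revoked, so keep it: `"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJahAoF74BY6GCTsFkt1ADKaraFgJJozW1Y1aBTLK0j9 Pixel9"`. The switch to `hashedPasswordFile = config.age.secrets.jimboAccPass.path` is the right shape. The users.users.jimbo attribute set continues outside the hunk.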


@ -9,7 +9,7 @@
allowPing = false;
extraInputRules = ''
ip saddr { ${config.ips.localSpan}.0/24, ${config.ips.wgSpan}.0/24 } tcp dport 2049 accept comment "Accept NFS"
ip saddr { ${config.ips.pc}, ${config.secrets.lunaIP}, ${config.secrets.cornIP} } tcp dport { 1935, 1945 } accept comment "Accept RTMP"
ip saddr ${config.ips.pc} tcp dport { 1935, 1945 } accept comment "Accept RTMP"
'';
};
@ -34,8 +34,8 @@
udp dport { 7790, 7791, 7792 } dnat to ${config.ips.hx} comment "Deus Ex"
ip saddr ${config.secrets.cornIP} tcp dport { 9943, 9944 } dnat to ${config.ips.vm} comment "VM ALVR TCP"
ip saddr ${config.secrets.cornIP} udp dport { 9943, 9944 } dnat to ${config.ips.vm} comment "VM ALVR UDP"
ip saddr ${builtins.readFile config.age.secrets.cornIP.path} tcp dport { 9943, 9944 } dnat to ${config.ips.vm} comment "VM ALVR TCP"
ip saddr ${builtins.readFile config.age.secrets.cornIP.path} udp dport { 9943, 9944 } dnat to ${config.ips.vm} comment "VM ALVR UDP"
}
chain POSTROUTING {
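Review bot: `builtins.readFile config.age.secrets.cornIP.path` on the two ALVR dnat lines reads the secret at Nix evaluation time, not at runtime: the decrypted file under the agenix path only exists on the deployed host after activation, so evaluation either fails (pure/flake evaluation) or reads whatever happens to be on the evaluating machine, and whatever it reads is interpolated into the nftables ruleset that lands in the world-readable Nix store, which undoes the point of moving the value to agenix. The same pattern appears in the Nextcloud, Photoprism, Gitea, Icecast, Liquidsoap, Lemmy, Synapse and Pixelfed sections of this commit. Where a module accepts a file path, point it at `config.age.secrets.<name>.path` directly; for values that must appear inline, as in this ruleset, a runtime mechanism is needed (for example an nftables `include` of a file rendered from the secret at service start) rather than an evaluation-time read. Note also that the file contents would include any trailing newline, which would land inside the rule.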


@ -8,12 +8,12 @@
"${config.ips.wgInt}" = {
# Define IP of client in per device config
listenPort = 51820;
privateKey = config.secrets.wgClientPriv;
privateKeyFile = config.age.secrets.wgClientPriv.path;
peers = [
{
publicKey = config.secrets.wgServerPub;
publicKey = "OKUH/h6YSURI4vgeTZKQD15QsqaygdbTn1mAWzQp9S0=";
allowedIPs = [ "${config.ips.wgSpan}.0/24" ];
endpoint = "sv.${config.secrets.jimDomain}:51820";
endpoint = "sv.${config.domains.jim1}:51820";
persistentKeepalive = 25;
}
];


@ -15,16 +15,16 @@
"${config.ips.wgInt}" = {
ips = [ "${config.ips.wgSpan}.1/24" ];
listenPort = 51820;
privateKey = config.secrets.wgServerPriv;
privateKeyFile = config.age.secrets.wgServerPriv.path;
peers = [
{ # Jimbo Pixel 9
publicKey = config.secrets.wgPixel9Pub;
allowedIPs = [ "${config.ips.wgSpan}.2/32" ];
}
{ # General Nix
publicKey = config.secrets.wgClientPub;
publicKey = "OKUH/h6YSURI4vgeTZKQD15QsqaygdbTn1mAWzQp9S0=";
allowedIPs = [ "${config.ips.wgSpan}.16/28" ];
}
{ # Jimbo Pixel 9
publicKey = "dPCtjm67adMZCnyL1O2L+uUOk0RbjA9T/tht1r+qcE4=";
allowedIPs = [ "${config.ips.wgSpan}.2/32" ];
}
];
};
};


@ -0,0 +1,7 @@
{ ... }:
{
programs.appimage = {
enable = true;
binfmt = true;
};
}


@ -6,7 +6,7 @@
use = "web, web=https://ipinfo.io/ip";
zone = "${config.domains.jim1}";
username = "token";
passwordFile = "${pkgs.writeText "cloudflareapikey" config.secrets.flareApiKey}";
passwordFile = config.age.secrets.cloudflareKey.path;
domains = [
"${config.domains.jim1}"
"*.${config.domains.jim1}"
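Review bot: `passwordFile = config.age.secrets.cloudflareKey.path` is the right shape (the API token no longer goes through `pkgs.writeText` into the store), but agenix secrets default to root-owned mode 0400, so confirm that the account the ddclient service runs as can open the file, or set `age.secrets.cloudflareKey.owner`/`group`/`mode` accordingly; the secret's declaration is not in this hunk. The enclosing services.ddclient block starts outside the hunk.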


@ -1,5 +1,9 @@
{ pkgs, config, ... }:
{
imports = [
./nginx
];
services = {
nextcloud = {
enable = true;
@ -20,7 +24,7 @@
mail_from_address = "noreply";
mail_smtpauth = "true";
mail_smtpname = "noreply@${config.domains.jim1}";
mail_smtppassword = config.secrets.noreplyPassword;
mail_smtppassword = "${builtins.readFile config.age.secrets.noreplyMailPass.path}";
mail_smtpmode = "smtp";
mail_smtpport = 587;
};
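Review bot: `mail_smtppassword = "${builtins.readFile config.age.secrets.noreplyMailPass.path}"` still ends up with the SMTP password in the store-resident Nextcloud config (the evaluation-time read problem is raised on the firewall section). The nextcloud module has `services.nextcloud.secretFile` for exactly this case: point it at an agenix-managed JSON file containing `{ "mail_smtppassword": "…" }` and drop the inline setting. The services.nextcloud settings block continues outside the hunk.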


@ -0,0 +1,18 @@
{ pkgs, config, ... }:
{
services.nginx.virtualHosts."cloud.${config.domains.jim1}" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyWebsockets = true;
extraConfig = "
location /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
";
};
};
}
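Review bot: `addSSL = true` keeps a plain-HTTP listener for the cloud host, so a client following an http:// link sends its Nextcloud credentials and session cookie in clear; the gallery vhost added in this same commit uses `forceSSL = true;`, and this one should match. Also worth confirming that a virtualHost for the Nextcloud hostname with a `locations."/"` that sets `proxyWebsockets` but no `proxyPass` does not collide with the location the nextcloud module generates for that host when its nginx integration is enabled.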


@ -1,30 +1,24 @@
{ config, ... }:
{
services = {
photoprism = {
enable = true;
port = 2342;
originalsPath = "/var/lib/private/photoprism/originals";
address = "0.0.0.0";
settings = {
PHOTOPRISM_ADMIN_USER = "jimbo";
PHOTOPRISM_ADMIN_PASSWORD = "${config.secrets.prismAdminPass}";
PHOTOPRISM_DEFAULT_LOCALE = "en";
PHOTOPRISM_DATABASE_DRIVER = "mysql";
PHOTOPRISM_DATABASE_NAME = "photoprism";
PHOTOPRISM_DATABASE_SERVER = "/run/mysqld/mysqld.sock";
PHOTOPRISM_DATABASE_USER = "photoprism";
PHOTOPRISM_SITE_URL = "https://gallery.${config.domains.jim1}";
PHOTOPRISM_SITE_TITLE = "Jimbo's PhotoPrism";
};
};
nginx.virtualHosts."gallery.${config.domains.jim1}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:2342";
proxyWebsockets = true;
};
imports = [
./nginx
];
services.photoprism = {
enable = true;
port = 2342;
originalsPath = "/var/lib/private/photoprism/originals";
address = "0.0.0.0";
settings = {
PHOTOPRISM_ADMIN_USER = "jimbo";
PHOTOPRISM_ADMIN_PASSWORD = "${builtins.readFile config.age.secrets.prismAdminPass.path}";
PHOTOPRISM_DEFAULT_LOCALE = "en";
PHOTOPRISM_DATABASE_DRIVER = "mysql";
PHOTOPRISM_DATABASE_NAME = "photoprism";
PHOTOPRISM_DATABASE_SERVER = "/run/mysqld/mysqld.sock";
PHOTOPRISM_DATABASE_USER = "photoprism";
PHOTOPRISM_SITE_URL = "https://gallery.${config.domains.jim1}";
PHOTOPRISM_SITE_TITLE = "Jimbo's PhotoPrism";
};
};
}
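Review bot: `PHOTOPRISM_ADMIN_PASSWORD = "${builtins.readFile config.age.secrets.prismAdminPass.path}"` writes the admin password into the store-resident environment of the service (see the firewall section for the general problem with evaluation-time reads). The photoprism module offers `services.photoprism.passwordFile`, which hands the path to the service at runtime: `passwordFile = config.age.secrets.prismAdminPass.path;` and remove the PHOTOPRISM_ADMIN_PASSWORD setting. `address = "0.0.0.0"` is unchanged here but still binds the port on every interface while nginx only needs 127.0.0.1:2342, so it relies on the host firewall to stay private.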


@ -0,0 +1,11 @@
{ config, ... }:
{
services.nginx.virtualHosts."gallery.${config.domains.jim1}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:2342";
proxyWebsockets = true;
};
};
}


@ -23,7 +23,7 @@
SMTP_ADDR = "mx.${config.domains.jim1}";
FROM = "Jimbo's Git <noreply@${config.domains.jim1}>";
USER = "noreply@${config.domains.jim1}";
PASSWD = config.secrets.noreplyPassword;
PASSWD = "${builtins.readFile config.age.secrets.noreplyMailPass.path}";
PROTOCOL = "smtps";
};
service = {
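Review bot: `PASSWD = "${builtins.readFile config.age.secrets.noreplyMailPass.path}"` bakes the mailer password into the generated app.ini in the store (the evaluation-time read issue is raised on the firewall section); the gitea module has `services.gitea.mailerPasswordFile`, which injects the value at service start: `mailerPasswordFile = config.age.secrets.noreplyMailPass.path;` with the `PASSWD` line removed. The services.gitea settings block starts outside the hunk.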


@ -2,64 +2,34 @@
{
imports = [
./nginx
./liquidsoap
];
services = {
icecast = {
enable = true;
listen.port = 265;
hostname = "icecast.${config.domains.jim1}";
admin = {
user = "jimbo";
password = "${config.secrets.castAdminPass}";
};
extraConf = ''
<authentication>
<source-password>${config.secrets.castSourcePass}</source-password>
</authentication>
<location>Canada</location>
<admin>jimbo@${config.domains.jim2}</admin>
<mount type="normal">
<mount-name>/jimbops.opus</mount-name>
<stream-name>JimBops Radio</stream-name>
<stream-description>Music gathered by me, Jimbo.</stream-description>
<stream-url>https://icecast.jimbosfiles.com/jimbops.opus</stream-url>
<genre>Anything</genre>
<type>application/ogg</type>
<subtype>vorbis</subtype>
</mount>
'';
};
# The audio stream
liquidsoap.streams = {
jimbops = pkgs.writeText "liquidjim" ''
settings.log.stdout.set(true)
settings.init.allow_root.set(true)
settings.scheduler.fast_queues.set(2)
settings.decoder.file_extensions.mp4.set(["m4a", "m4b", "m4p", "m4v", "m4r", "3gp", "mp4"])
# Define the source with random playlist
jimbops = mksafe(playlist(mode='randomize', reload=1, reload_mode="rounds", "/export/JimboNFS/Music/"))
# Ensure the stream never stops
jimbops_fallback = fallback([jimbops, jimbops])
# Output configuration to Icecast
output.icecast(
%ffmpeg(format="ogg", %audio(codec="libvorbis", samplerate=48000, b="256k", channels=2)),
host="127.0.0.1",
port=265,
password="${config.secrets.castSourcePass}",
public=true,
icy_metadata=["artist", "title"],
mount="jimbops.opus",
encoding = "UTF-8",
jimbops_fallback
)
'';
services.icecast = {
enable = true;
listen.port = 265;
hostname = "icecast.${config.domains.jim1}";
admin = {
user = "jimbo";
password = "${builtins.readFile config.age.secrets.icecastAdminPass.path}";
};
extraConf = ''
<authentication>
<source-password>"${builtins.readFile config.age.secrets.icecastSourcePass.path}"</source-password>
</authentication>
<location>Canada</location>
<admin>jimbo@${config.domains.jim2}</admin>
<mount type="normal">
<mount-name>/jimbops.opus</mount-name>
<stream-name>JimBops Radio</stream-name>
<stream-description>Music gathered by me, Jimbo.</stream-description>
<stream-url>https://icecast.jimbosfiles.com/jimbops.opus</stream-url>
<genre>Anything</genre>
<type>application/ogg</type>
<subtype>vorbis</subtype>
</mount>
'';
};
}
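Review bot: In `<source-password>"${builtins.readFile …}"</source-password>` the double quotes sit inside the `''` string, so they become literal characters of the password Icecast expects, while the Liquidsoap script in this commit passes the same secret without them (`password="${…}"`, where the quotes are Nix delimiters); the two sides will not match and the source connection will be refused. Drop the quotes in the XML: `<source-password>${builtins.readFile config.age.secrets.icecastSourcePass.path}</source-password>`. Independently, both the admin and source passwords are read at evaluation time and land in the store, as raised on the firewall section; Icecast has no file-based option here, so a runtime substitution (for example a template rendered into the config in a preStart step) is needed. Any trailing newline in the secret file also becomes part of the password.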


@ -0,0 +1,30 @@
{ pkgs, config, ... }:
{
services.liquidsoap.streams = {
jimbops = pkgs.writeText "liquidjim" ''
settings.log.stdout.set(true)
settings.init.allow_root.set(true)
settings.scheduler.fast_queues.set(2)
settings.decoder.file_extensions.mp4.set(["m4a", "m4b", "m4p", "m4v", "m4r", "3gp", "mp4"])
# Define the source with random playlist
jimbops = mksafe(playlist(mode='randomize', reload=1, reload_mode="rounds", "/export/JimboNFS/Music/Synced"))
# Ensure the stream never stops
jimbops_fallback = fallback([jimbops, jimbops])
# Output configuration to Icecast
output.icecast(
%ffmpeg(format="ogg", %audio(codec="libvorbis", samplerate=48000, b="256k", channels=2)),
host="127.0.0.1",
port=265,
password="${builtins.readFile config.age.secrets.icecastSourcePass.path}",
public=true,
icy_metadata=["artist", "title"],
mount="jimbops.opus",
encoding = "UTF-8",
jimbops_fallback
)
'';
};
}
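Review bot: `pkgs.writeText "liquidjim"` places the whole script, including the interpolated source password, in the Nix store, so even a correct runtime read on the Nix side would not keep it out; have the script itself read the secret when it starts, e.g. `password=file.contents("${config.age.secrets.icecastSourcePass.path}")` (confirm the helper name against the Liquidsoap version in use and strip a trailing newline). The playlist path also moves to `…/Music/Synced`, which is a behaviour change the commit title does not mention.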


@ -28,11 +28,11 @@
# A list of accounts, passwords generated with nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
loginAccounts = {
"noreply@${config.domains.jim1}" = {
hashedPasswordFile = pkgs.writeText "noreply" config.secrets.noreplyMailHash;
hashedPasswordFile = config.age.secrets.noreplyMailHash.path;
sendOnly = true;
};
"jimbo@${config.domains.jim2}" = {
hashedPasswordFile = pkgs.writeText "jimbo" config.secrets.jimboMailHash;
hashedPasswordFile = config.age.secrets.jimboMailHash.path;
aliases = [
"jimbo@${config.domains.jim1}"
"james@${config.domains.jim1}"
@ -42,13 +42,13 @@
];
};
"luna@${config.domains.luna}" = {
hashedPasswordFile = pkgs.writeText "luna" config.secrets.lunaMailHash;
hashedPasswordFile = config.age.secrets.lunaMailHash.path;
};
"corn@${config.domains.corn}" = {
hashedPasswordFile = pkgs.writeText "corn" config.secrets.cornMailHash;
hashedPasswordFile = config.age.secrets.cornMailHash.path;
};
"tiny@${config.domains.corn}" = {
hashedPasswordFile = pkgs.writeText "tiny" config.secrets.tinyMailHash;
hashedPasswordFile = config.age.secrets.tinyMailHash.path;
};
};
};


@ -14,7 +14,7 @@
smtp_server = "mx.${config.domains.jim1}:587";
smtp_login = "noreply@${config.domains.jim1}";
smtp_from_address = "Jimbo's Lemmy <noreply@${config.domains.jim1}>";
smtp_password = config.secrets.noreplyPassword;
smtp_password = "${builtins.readFile config.age.secrets.noreplyMailPass.path}";
tls_type = "starttls";
};
};


@ -12,7 +12,7 @@
authenticate = true;
fromAddress = "Jimbo's Mastodon <noreply@${config.domains.jim1}>";
user = "noreply@${config.domains.jim1}";
passwordFile = pkgs.writeText "smtp_pass.txt" config.secrets.noreplyPassword;
passwordFile = config.age.secrets.noreplyMailPass.path;
};
};
}


@ -26,7 +26,7 @@
notif_from = "Jimbo's Matrix <noreply@${config.domains.jim1}>";
smtp_host = "mx.${config.domains.jim1}";
smtp_user = "noreply@${config.domains.jim1}";
smtp_pass = config.secrets.noreplyPassword;
smtp_pass = "${builtins.readFile config.age.secrets.noreplyMailPass.path}";
enable_tls = true;
smtp_port = 587;
require_transport_security = true;
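Review bot: `smtp_pass = "${builtins.readFile config.age.secrets.noreplyMailPass.path}"` inlines the SMTP password into the generated homeserver configuration in the store (see the firewall section). The synapse module accepts `services.matrix-synapse.extraConfigFiles`, which the service reads at runtime, so the `smtp_pass` key can live in an agenix-managed YAML fragment listed there instead of in `settings`. The enclosing email settings block starts and ends outside the hunk.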


@ -7,7 +7,7 @@
SYNCV3_BINDADDR = "0.0.0.0:8009";
};
environmentFile = "${pkgs.writeText "matrixsecret" ''
SYNCV3_SECRET=${config.secrets.matrixSecret}
SYNCV3_SECRET="${builtins.readFile config.age.secrets.matrixSecret.path}"
''}";
};
}
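Review bot: `environmentFile = "${pkgs.writeText "matrixsecret" ''…''}"` still writes SYNCV3_SECRET into a store file; switching the interpolation to `builtins.readFile` only changes where the value is fetched from at evaluation time (see the firewall section). Since `environmentFile` already takes a runtime path, encrypt a file whose content is `SYNCV3_SECRET=<value>` and set `environmentFile = config.age.secrets.matrixSecret.path;`. The surrounding service definition starts outside the hunk.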


@ -3,7 +3,7 @@
services.pixelfed = {
enable = true;
domain = "pics.${config.domains.jim1}";
secretFile = pkgs.writeText "appkey" config.secrets.pixelfedKey;
secretFile = config.age.secrets.pixelfedKey.path;
settings = {
APP_NAME = ''"Jimbo's Pixelfed"'';
INSTANCE_DESCRIPTION = ''"The Jimbosfiles Pixelfed Instance"'';
@ -22,7 +22,7 @@
MAIL_HOST = "mx.${config.domains.jim1}";
MAIL_PORT = 587;
MAIL_USERNAME = "noreply@${config.domains.jim1}";
MAIL_PASSWORD = "${config.secrets.noreplyPassword}";
MAIL_PASSWORD = "${builtins.readFile config.age.secrets.noreplyMailPass.path}";
};
nginx = {
enableACME = true;


@ -6,7 +6,7 @@
services.transmission = {
enable = true;
credentialsFile = pkgs.writeText "credentials" config.secrets.transmissionCredFile;
credentialsFile = config.age.secrets.transmissionPass.path;
openPeerPorts = true;
settings = {
rpc-authentication-required = true;