

2 commits

Author SHA1 Message Date
Jimbo 169fd98f47 Agenix secrets overhaul 2024-10-28 23:24:22 -04:00
Jimbo 55dcb2fca7 Agenix secrets overhaul 2024-10-28 23:24:12 -04:00
57 changed files with 530 additions and 146 deletions

.gitattributes vendored

@ -1 +0,0 @@
variables/secrets/** filter=git-crypt diff=git-crypt


@ -1,8 +1,29 @@
{
"nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": "nixpkgs",
"systems": "systems"
},
"locked": {
"lastModified": 1723293904,
"narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
"owner": "ryantm",
"repo": "agenix",
"rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"blender-bin": {
"inputs": {
"nixpkgs": "nixpkgs"
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1727370305,
@ -36,7 +57,7 @@
"chaotic": {
"inputs": {
"flake-schemas": "flake-schemas",
"home-manager": "home-manager",
"home-manager": "home-manager_2",
"jovian": "jovian",
"nixpkgs": [
"unstable"
@ -78,6 +99,28 @@
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1700795494,
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
@ -163,7 +206,7 @@
},
"flake-utils": {
"inputs": {
"systems": "systems"
"systems": "systems_2"
},
"locked": {
"lastModified": 1710146030,
@ -181,7 +224,7 @@
},
"flake-utils_2": {
"inputs": {
"systems": "systems_3"
"systems": "systems_4"
},
"locked": {
"lastModified": 1681202837,
@ -236,6 +279,27 @@
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703113217,
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_2": {
"inputs": {
"nixpkgs": [
"chaotic",
@ -256,7 +320,7 @@
"type": "github"
}
},
"home-manager_2": {
"home-manager_3": {
"inputs": {
"nixpkgs": [
"nixpkgs"
@ -330,7 +394,7 @@
"inputs": {
"blobs": "blobs",
"flake-compat": "flake-compat_2",
"nixpkgs": "nixpkgs_2",
"nixpkgs": "nixpkgs_3",
"nixpkgs-24_05": "nixpkgs-24_05",
"utils": "utils"
},
@ -353,7 +417,7 @@
"inputs": {
"flake-compat": "flake-compat_3",
"flake-utils": "flake-utils_2",
"nixpkgs": "nixpkgs_3"
"nixpkgs": "nixpkgs_4"
},
"locked": {
"lastModified": 1729993975,
@ -394,16 +458,18 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1722221733,
"lastModified": 1703013332,
"narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "12bf09802d77264e441f48e25459c10c93eada2e",
"rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-24.05",
"type": "indirect"
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-24_05": {
@ -438,6 +504,20 @@
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1722221733,
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "12bf09802d77264e441f48e25459c10c93eada2e",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-24.05",
"type": "indirect"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1717602782,
"narHash": "sha256-pL9jeus5QpX5R+9rsp3hhZ+uplVHscNJh8n8VpqscM0=",
@ -452,7 +532,7 @@
"type": "indirect"
}
},
"nixpkgs_3": {
"nixpkgs_4": {
"locked": {
"lastModified": 1715266358,
"narHash": "sha256-doPgfj+7FFe9rfzWo1siAV2mVCasW+Bh8I1cToAXEE4=",
@ -468,7 +548,7 @@
"type": "github"
}
},
"nixpkgs_4": {
"nixpkgs_5": {
"locked": {
"lastModified": 1729973466,
"narHash": "sha256-knnVBGfTCZlQgxY1SgH0vn2OyehH9ykfF8geZgS95bk=",
@ -527,14 +607,15 @@
},
"root": {
"inputs": {
"agenix": "agenix",
"blender-bin": "blender-bin",
"chaotic": "chaotic",
"hardware": "hardware",
"home-manager": "home-manager_2",
"home-manager": "home-manager_3",
"lanzaboote": "lanzaboote",
"mailserver": "mailserver",
"minecraft": "minecraft",
"nixpkgs": "nixpkgs_4",
"nixpkgs": "nixpkgs_5",
"nur": "nur",
"unstable": "unstable"
}
@ -609,6 +690,21 @@
"type": "github"
}
},
"systems_4": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"unstable": {
"locked": {
"lastModified": 1729880355,
@ -626,7 +722,7 @@
},
"utils": {
"inputs": {
"systems": "systems_2"
"systems": "systems_3"
},
"locked": {
"lastModified": 1709126324,


@ -24,6 +24,8 @@
mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05";
minecraft.url = "github:Infinidoge/nix-minecraft";
agenix.url = "github:ryantm/agenix";
};
outputs = {
@ -37,6 +39,7 @@
lanzaboote,
mailserver,
minecraft,
agenix,
...
}:
let
@ -50,6 +53,7 @@
lanzaboote
mailserver
minecraft
agenix
;
};
};
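Review bot: The new `agenix.url = "github:ryantm/agenix";` input carries no `follows`, so the lock hunk now resolves agenix's own `nixpkgs`, `home-manager` and `darwin` inputs as separate nodes (a new `nixpkgs` at lastModified 1703013332 next to the root's `nixpkgs_5` at 1729973466, plus a `darwin` node for nix-darwin that nothing else uses). Pinning them to the flake's existing inputs — `agenix.inputs.nixpkgs.follows = "nixpkgs";`, `agenix.inputs.home-manager.follows = "home-manager";`, `agenix.inputs.darwin.follows = "";` — keeps one nixpkgs in the closure and drops the unused checkout. This is a dependency-hygiene point rather than a functional one; the flake evaluates as written. The `inputs` attribute set starts before this hunk.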


@ -1,4 +1,4 @@
{ config, ... }:
{ config, agenix, ... }:
{
imports = [
./hardware
@ -21,6 +21,13 @@
# Misc
../../../overlays
../../../variables
# Secrets
../../../variables/secrets/common
../../../variables/secrets/server
# Imports
agenix.nixosModules.default
];
networking.hostName = "bomberman";


@ -1,4 +1,4 @@
{ ... }:
{ agenix, ... }:
{
imports = [
./hardware
@ -19,6 +19,13 @@
# Misc
../../../overlays
../../../variables
# Secrets
../../../variables/secrets/common
../../../variables/secrets/server
# Imports
agenix.nixosModules.default
];
networking.hostName = "cyberspark";


@ -1,4 +1,4 @@
{ ... }:
{ agenix, ... }:
{
imports = [
./hardware
@ -20,6 +20,13 @@
# Extras
../../../overlays
../../../variables
# Secrets
../../../variables/secrets/common
../../../variables/secrets/pc
# Imports
agenix.nixosModules.default
];
networking.hostName = "detritus";


@ -1,4 +1,4 @@
{ chaotic, pkgs, ... }:
{ pkgs, agenix, chaotic, ... }:
{
imports = [
./hardware
@ -24,7 +24,12 @@
../../../overlays
../../../variables
# Secrets
../../../variables/secrets/common
../../../variables/secrets/pc
# Imports
agenix.nixosModules.default
chaotic.homeManagerModules.default
];


@ -1,4 +1,4 @@
{ config, lib, ... }:
{ config, lib, agenix, ... }:
{
imports = [
./hardware
@ -21,6 +21,13 @@
# Extras
../../../overlays
../../../variables
# Secrets
../../../variables/secrets/common
../../../variables/secrets/pc
# Imports
agenix.nixosModules.default
];
services.keyd.keyboards.default.settings.main = {


@ -1,4 +1,4 @@
{ config, ... }:
{ config, agenix, ... }:
{
imports = [
./hardware
@ -21,6 +21,13 @@
# Extras
../../../overlays
../../../variables
# Secrets
../../../variables/secrets/common
../../../variables/secrets/pc
# Imports
agenix.nixosModules.default
];
networking.hostName = "redmond";


@ -1,4 +1,4 @@
{ config, lib, hardware, ... }:
{ config, lib, agenix, hardware, ... }:
{
imports = [
./hardware
@ -22,7 +22,13 @@
../../../overlays
../../../variables
# Secrets
../../../variables/secrets/common
../../../variables/secrets/pc
# Imports
agenix.nixosModules.default
hardware.nixosModules.pine64-pinebook-pro
];


@ -1,4 +1,4 @@
{ config, lib, hardware, ... }:
{ config, lib, agenix, hardware, ... }:
{
imports = [
./hardware
@ -22,7 +22,12 @@
../../../overlays
../../../variables
# Secrets
../../../variables/secrets/common
../../../variables/secrets/pc
# Imports
agenix.nixosModules.default
hardware.nixosModules.apple-macbook-pro-14-1
];


@ -1,9 +0,0 @@
-----BEGIN PGP MESSAGE-----
jA0ECQMIFZHLadz4mp//0r0BjVmDdxrt6Nz93QEoc32Gjs1AjGN7B1hkVNT+wvMe
dZbkk6QM13UIq7pf5VglpK7pKzqAb5/AHhxvsnjdHNgbcorkehFV0i1sKxCQDuJd
q4BGTSqg+FIaVGwXUz7OO1iosVpA6jLCNw/g1Os+jhrbMjIvhpQvtZkNbimqC7ut
mK1Qcp4D16ai+0rTBFeMddrreO7UnJPK+z386wEH0Ik341xWJvDvxyiLUJKun5lT
D7X7ATtX2tmLE69EN7M=
=3RYs
-----END PGP MESSAGE-----


@ -3,7 +3,7 @@
users.users = {
jimbo = {
description = "Jimbo";
hashedPassword = config.secrets.jimboAccPass;
hashedPasswordFile = config.age.secrets.jimboAccPass.path;
isNormalUser = true;
openssh.authorizedKeys.keys = [
(builtins.readFile ../../../../../hosts/firefly/id_ed25519.pub)
@ -17,7 +17,7 @@
(builtins.readFile ../../../../../hosts/cyberspark/id_ed25519.pub)
(builtins.readFile ../../../../../hosts/bomberman/id_ed25519.pub)
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJahAoF74BY6GCTsFkt1ADKaraFgJJozW1Y1aBTLK0j9 Pixel9"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJahAoF74BY6GCTsFkt1ADKaraFgJJozW1Y1aBTLK0j9"
];
extraGroups = [
"wheel"


@ -9,7 +9,7 @@
allowPing = false;
extraInputRules = ''
ip saddr { ${config.ips.localSpan}.0/24, ${config.ips.wgSpan}.0/24 } tcp dport 2049 accept comment "Accept NFS"
ip saddr { ${config.ips.pc}, ${config.secrets.lunaIP}, ${config.secrets.cornIP} } tcp dport { 1935, 1945 } accept comment "Accept RTMP"
ip saddr ${config.ips.pc} tcp dport { 1935, 1945 } accept comment "Accept RTMP"
'';
};
@ -34,8 +34,8 @@
udp dport { 7790, 7791, 7792 } dnat to ${config.ips.hx} comment "Deus Ex"
ip saddr ${config.secrets.cornIP} tcp dport { 9943, 9944 } dnat to ${config.ips.vm} comment "VM ALVR TCP"
ip saddr ${config.secrets.cornIP} udp dport { 9943, 9944 } dnat to ${config.ips.vm} comment "VM ALVR UDP"
ip saddr ${builtins.readFile config.age.secrets.cornIP.path} tcp dport { 9943, 9944 } dnat to ${config.ips.vm} comment "VM ALVR TCP"
ip saddr ${builtins.readFile config.age.secrets.cornIP.path} udp dport { 9943, 9944 } dnat to ${config.ips.vm} comment "VM ALVR UDP"
}
chain POSTROUTING {
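Review bot: `${builtins.readFile config.age.secrets.cornIP.path}` on the two ALVR dnat lines reads the secret at Nix evaluation time rather than at activation, which defeats the point of moving it into agenix. Under pure flake evaluation an absolute path under `/run/agenix` is not readable at all, and if evaluation were impure the plaintext would be copied into the world-readable nix store as part of the generated ruleset. The same evaluation-time read appears in the nextcloud `mail_smtppassword`, photoprism `PHOTOPRISM_ADMIN_PASSWORD`, gitea `PASSWD`, icecast `admin.password` and `<source-password>`, liquidsoap `password`, lemmy `smtp_password`, synapse `smtp_pass`, sliding-sync `SYNCV3_SECRET` and pixelfed `MAIL_PASSWORD` hunks. For the services, prefer the modules' file-based options where they exist (`services.nextcloud.secretFile`, `services.photoprism.passwordFile`, `services.gitea.mailerPasswordFile`) or an `environmentFile` pointing straight at the age path; for nftables a source address either has to be loaded into a named set at runtime from the age file, or accepted as non-secret and kept in plain config. The ruleset string this hunk sits in starts and ends outside the hunk.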


@ -8,12 +8,12 @@
"${config.ips.wgInt}" = {
# Define IP of client in per device config
listenPort = 51820;
privateKey = config.secrets.wgClientPriv;
privateKeyFile = config.age.secrets.wgClientPriv.path;
peers = [
{
publicKey = config.secrets.wgServerPub;
publicKey = "OKUH/h6YSURI4vgeTZKQD15QsqaygdbTn1mAWzQp9S0=";
allowedIPs = [ "${config.ips.wgSpan}.0/24" ];
endpoint = "sv.${config.secrets.jimDomain}:51820";
endpoint = "sv.${config.domains.jim1}:51820";
persistentKeepalive = 25;
}
];
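Review bot: The literal `publicKey = "OKUH/h6YSURI4vgeTZKQD15QsqaygdbTn1mAWzQp9S0="` on the client side is the same value the server hunk assigns to its "General Nix" peer, so one of the two ends is now configured with its own public key as its peer; before this commit they were two distinct values (`wgServerPub` and `wgClientPub`). A peer entry has to carry the other side's key, so either this line should hold the server's public key or the server hunk should hold the client's — as written the tunnel cannot complete a handshake. Confirm each against the corresponding private key (`wg pubkey` over the decrypted `wgServerPriv`/`wgClientPriv`) before merging; the public keys themselves are fine to keep inline. The enclosing `networking.wireguard.interfaces` set starts before the hunk.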


@ -15,16 +15,16 @@
"${config.ips.wgInt}" = {
ips = [ "${config.ips.wgSpan}.1/24" ];
listenPort = 51820;
privateKey = config.secrets.wgServerPriv;
privateKeyFile = config.age.secrets.wgServerPriv.path;
peers = [
{ # Jimbo Pixel 9
publicKey = config.secrets.wgPixel9Pub;
allowedIPs = [ "${config.ips.wgSpan}.2/32" ];
}
{ # General Nix
publicKey = config.secrets.wgClientPub;
publicKey = "OKUH/h6YSURI4vgeTZKQD15QsqaygdbTn1mAWzQp9S0=";
allowedIPs = [ "${config.ips.wgSpan}.16/28" ];
}
{ # Jimbo Pixel 9
publicKey = "dPCtjm67adMZCnyL1O2L+uUOk0RbjA9T/tht1r+qcE4=";
allowedIPs = [ "${config.ips.wgSpan}.2/32" ];
}
];
};
};


@ -0,0 +1,7 @@
{ ... }:
{
programs.appimage = {
enable = true;
binfmt = true;
};
}


@ -6,7 +6,7 @@
use = "web, web=https://ipinfo.io/ip";
zone = "${config.domains.jim1}";
username = "token";
passwordFile = "${pkgs.writeText "cloudflareapikey" config.secrets.flareApiKey}";
passwordFile = config.age.secrets.cloudflareKey.path;
domains = [
"${config.domains.jim1}"
"*.${config.domains.jim1}"


@ -1,5 +1,9 @@
{ pkgs, config, ... }:
{
imports = [
./nginx
];
services = {
nextcloud = {
enable = true;
@ -20,7 +24,7 @@
mail_from_address = "noreply";
mail_smtpauth = "true";
mail_smtpname = "noreply@${config.domains.jim1}";
mail_smtppassword = config.secrets.noreplyPassword;
mail_smtppassword = "${builtins.readFile config.age.secrets.noreplyMailPass.path}";
mail_smtpmode = "smtp";
mail_smtpport = 587;
};


@ -0,0 +1,18 @@
{ pkgs, config, ... }:
{
services.nginx.virtualHosts."cloud.${config.domains.jim1}" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyWebsockets = true;
extraConfig = "
location /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
";
};
};
}
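Review bot: `addSSL = true` on the new `cloud.${config.domains.jim1}` vhost still serves the site over plain HTTP, while the sibling photoprism vhost in this commit uses `forceSSL = true`; for a host that receives Nextcloud logins and DAV credentials the redirect-to-HTTPS variant is the safer and consistent choice: `forceSSL = true;`. The `locations."/"` block also has no `proxyPass`, so it presumably relies on the vhost the Nextcloud module itself generates for its `hostName` being merged with this one — a one-line comment such as `# merged with the vhost services.nextcloud generates; only adds the DAV redirects` would save the next reader from looking for the missing upstream.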


@ -1,14 +1,17 @@
{ config, ... }:
{
services = {
photoprism = {
imports = [
./nginx
];
services.photoprism = {
enable = true;
port = 2342;
originalsPath = "/var/lib/private/photoprism/originals";
address = "0.0.0.0";
settings = {
PHOTOPRISM_ADMIN_USER = "jimbo";
PHOTOPRISM_ADMIN_PASSWORD = "${config.secrets.prismAdminPass}";
PHOTOPRISM_ADMIN_PASSWORD = "${builtins.readFile config.age.secrets.prismAdminPass.path}";
PHOTOPRISM_DEFAULT_LOCALE = "en";
PHOTOPRISM_DATABASE_DRIVER = "mysql";
PHOTOPRISM_DATABASE_NAME = "photoprism";
@ -18,13 +21,4 @@
PHOTOPRISM_SITE_TITLE = "Jimbo's PhotoPrism";
};
};
nginx.virtualHosts."gallery.${config.domains.jim1}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:2342";
proxyWebsockets = true;
};
};
};
}


@ -0,0 +1,11 @@
{ config, ... }:
{
services.nginx.virtualHosts."gallery.${config.domains.jim1}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:2342";
proxyWebsockets = true;
};
};
}


@ -23,7 +23,7 @@
SMTP_ADDR = "mx.${config.domains.jim1}";
FROM = "Jimbo's Git <noreply@${config.domains.jim1}>";
USER = "noreply@${config.domains.jim1}";
PASSWD = config.secrets.noreplyPassword;
PASSWD = "${builtins.readFile config.age.secrets.noreplyMailPass.path}";
PROTOCOL = "smtps";
};
service = {


@ -2,20 +2,20 @@
{
imports = [
./nginx
./liquidsoap
];
services = {
icecast = {
services.icecast = {
enable = true;
listen.port = 265;
hostname = "icecast.${config.domains.jim1}";
admin = {
user = "jimbo";
password = "${config.secrets.castAdminPass}";
password = "${builtins.readFile config.age.secrets.icecastAdminPass.path}";
};
extraConf = ''
<authentication>
<source-password>${config.secrets.castSourcePass}</source-password>
<source-password>"${builtins.readFile config.age.secrets.icecastSourcePass.path}"</source-password>
</authentication>
<location>Canada</location>
@ -32,34 +32,4 @@
</mount>
'';
};
# The audio stream
liquidsoap.streams = {
jimbops = pkgs.writeText "liquidjim" ''
settings.log.stdout.set(true)
settings.init.allow_root.set(true)
settings.scheduler.fast_queues.set(2)
settings.decoder.file_extensions.mp4.set(["m4a", "m4b", "m4p", "m4v", "m4r", "3gp", "mp4"])
# Define the source with random playlist
jimbops = mksafe(playlist(mode='randomize', reload=1, reload_mode="rounds", "/export/JimboNFS/Music/"))
# Ensure the stream never stops
jimbops_fallback = fallback([jimbops, jimbops])
# Output configuration to Icecast
output.icecast(
%ffmpeg(format="ogg", %audio(codec="libvorbis", samplerate=48000, b="256k", channels=2)),
host="127.0.0.1",
port=265,
password="${config.secrets.castSourcePass}",
public=true,
icy_metadata=["artist", "title"],
mount="jimbops.opus",
encoding = "UTF-8",
jimbops_fallback
)
'';
};
};
}
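Review bot: The `<source-password>` element now wraps the value in literal double quotes (`<source-password>"${builtins.readFile ...}"</source-password>`), so the quotes become part of the password Icecast expects, whereas the new liquidsoap file passes the unquoted value to `output.icecast` — the source connection would be rejected. Drop the quotes so both sides agree: `<source-password>${builtins.readFile config.age.secrets.icecastSourcePass.path}</source-password>`; if the decrypted file ends in a newline, that newline also ends up in the password on both sides, which is worth checking. The evaluation-time read itself (here and on `admin.password`) is a separate problem shared across this commit.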


@ -0,0 +1,30 @@
{ pkgs, config, ... }:
{
services.liquidsoap.streams = {
jimbops = pkgs.writeText "liquidjim" ''
settings.log.stdout.set(true)
settings.init.allow_root.set(true)
settings.scheduler.fast_queues.set(2)
settings.decoder.file_extensions.mp4.set(["m4a", "m4b", "m4p", "m4v", "m4r", "3gp", "mp4"])
# Define the source with random playlist
jimbops = mksafe(playlist(mode='randomize', reload=1, reload_mode="rounds", "/export/JimboNFS/Music/Synced"))
# Ensure the stream never stops
jimbops_fallback = fallback([jimbops, jimbops])
# Output configuration to Icecast
output.icecast(
%ffmpeg(format="ogg", %audio(codec="libvorbis", samplerate=48000, b="256k", channels=2)),
host="127.0.0.1",
port=265,
password="${builtins.readFile config.age.secrets.icecastSourcePass.path}",
public=true,
icy_metadata=["artist", "title"],
mount="jimbops.opus",
encoding = "UTF-8",
jimbops_fallback
)
'';
};
}


@ -28,11 +28,11 @@
# A list of accounts, passwords generated with nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
loginAccounts = {
"noreply@${config.domains.jim1}" = {
hashedPasswordFile = pkgs.writeText "noreply" config.secrets.noreplyMailHash;
hashedPasswordFile = config.age.secrets.noreplyMailHash.path;
sendOnly = true;
};
"jimbo@${config.domains.jim2}" = {
hashedPasswordFile = pkgs.writeText "jimbo" config.secrets.jimboMailHash;
hashedPasswordFile = config.age.secrets.jimboMailHash.path;
aliases = [
"jimbo@${config.domains.jim1}"
"james@${config.domains.jim1}"
@ -42,13 +42,13 @@
];
};
"luna@${config.domains.luna}" = {
hashedPasswordFile = pkgs.writeText "luna" config.secrets.lunaMailHash;
hashedPasswordFile = config.age.secrets.lunaMailHash.path;
};
"corn@${config.domains.corn}" = {
hashedPasswordFile = pkgs.writeText "corn" config.secrets.cornMailHash;
hashedPasswordFile = config.age.secrets.cornMailHash.path;
};
"tiny@${config.domains.corn}" = {
hashedPasswordFile = pkgs.writeText "tiny" config.secrets.tinyMailHash;
hashedPasswordFile = config.age.secrets.tinyMailHash.path;
};
};
};


@ -14,7 +14,7 @@
smtp_server = "mx.${config.domains.jim1}:587";
smtp_login = "noreply@${config.domains.jim1}";
smtp_from_address = "Jimbo's Lemmy <noreply@${config.domains.jim1}>";
smtp_password = config.secrets.noreplyPassword;
smtp_password = "${builtins.readFile config.age.secrets.noreplyMailPass.path}";
tls_type = "starttls";
};
};


@ -12,7 +12,7 @@
authenticate = true;
fromAddress = "Jimbo's Mastodon <noreply@${config.domains.jim1}>";
user = "noreply@${config.domains.jim1}";
passwordFile = pkgs.writeText "smtp_pass.txt" config.secrets.noreplyPassword;
passwordFile = config.age.secrets.noreplyMailPass.path;
};
};
}


@ -26,7 +26,7 @@
notif_from = "Jimbo's Matrix <noreply@${config.domains.jim1}>";
smtp_host = "mx.${config.domains.jim1}";
smtp_user = "noreply@${config.domains.jim1}";
smtp_pass = config.secrets.noreplyPassword;
smtp_pass = "${builtins.readFile config.age.secrets.noreplyMailPass.path}";
enable_tls = true;
smtp_port = 587;
require_transport_security = true;


@ -7,7 +7,7 @@
SYNCV3_BINDADDR = "0.0.0.0:8009";
};
environmentFile = "${pkgs.writeText "matrixsecret" ''
SYNCV3_SECRET=${config.secrets.matrixSecret}
SYNCV3_SECRET="${builtins.readFile config.age.secrets.matrixSecret.path}"
''}";
};
}
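Review bot: `environmentFile` still goes through `pkgs.writeText`, so even with the age path the interpolated `SYNCV3_SECRET` value ends up in a store file; the option exists precisely so the file can be supplied at runtime. Point it at the secret directly — `environmentFile = config.age.secrets.matrixSecret.path;` — with the encrypted file holding the `SYNCV3_SECRET=...` line itself. The `settings` block this sits in starts before the hunk.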


@ -3,7 +3,7 @@
services.pixelfed = {
enable = true;
domain = "pics.${config.domains.jim1}";
secretFile = pkgs.writeText "appkey" config.secrets.pixelfedKey;
secretFile = config.age.secrets.pixelfedKey.path;
settings = {
APP_NAME = ''"Jimbo's Pixelfed"'';
INSTANCE_DESCRIPTION = ''"The Jimbosfiles Pixelfed Instance"'';
@ -22,7 +22,7 @@
MAIL_HOST = "mx.${config.domains.jim1}";
MAIL_PORT = 587;
MAIL_USERNAME = "noreply@${config.domains.jim1}";
MAIL_PASSWORD = "${config.secrets.noreplyPassword}";
MAIL_PASSWORD = "${builtins.readFile config.age.secrets.noreplyMailPass.path}";
};
nginx = {
enableACME = true;


@ -6,7 +6,7 @@
services.transmission = {
enable = true;
credentialsFile = pkgs.writeText "credentials" config.secrets.transmissionCredFile;
credentialsFile = config.age.secrets.transmissionPass.path;
openPeerPorts = true;
settings = {
rpc-authentication-required = true;


@ -5,7 +5,6 @@
./domains
./ips
./look
./secrets
./workspaces
];
}


@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 e3smYA khyW35trVIvCZHYB5J5vAdzNParttdbTb+Ycl6SaW2s
0W7fSM1qoI2BbnbOuN9OHk3hcXwWZ2cgi6sme0TBx9Y
-> ssh-ed25519 JvNkLw wdflnJ12VIbRRNbEGFW0LE6WaB/D5/G2pTEs3AGhgQU
N6KU0GMf1wIGRBJLVU5e1WcLvUEWk63Lr3GzpaojNgs
--- 6u2vl9lBq+MGbFb39wRyoeMyBOxCPGyO0iXeV0wwaJw
@oŒ³¬µYÙ¾bëIw8Ü­ŠÔ³?- Ÿ‰}½Rô/ŸÈZ3ÎÓøѸkZR=Ë®º¢Ú+z†*XøÀ¸f0Ób


@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 e3smYA CDmBLx1/+kPZXI3LqmJvAQOXskG/t40avr+hiqyQzhA
Q/5PDnyjxUQbCxHjluTETYTAi/zO7G0NvfSF3XEYinA
-> ssh-ed25519 JvNkLw V5FGN/1W9CEf3RT/nsnGiiJdOTsvDexEef+72f+Z0Ug
u1hSg+t4qO/N1Sw4t85/9qGt2TqlPDmujZoGOyMgUxY
--- 9NdLKkW30o1WRVCA0dI0vU1kNnvO2uEC36rOIbJ0wlI
ì¥ÙFè£SRR}–Æ<þ"w«{Ÿ°p@·I¿vJ|vÉ}œç1ü«­Û

Binary file not shown.


@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 e3smYA fPD79NPMvwiL+hHk82IieajJa9yvH649bDMGmYREExM
Ju4a1ciZS7J/OSW9puFKnLX/oXjkOg+PwJoEjRLKlYA
-> ssh-ed25519 JvNkLw Pd7sCRAL6tmDvqEmuEcu0ciduOWqgD4/Ov3EwEneWxc
9/w5dGjJOMeT624ppz8UPX74McDNuOrr1siu5DR8S/g
--- b/FkQytFLY9xK+oyqe1Cw60y24oL9Z9w7F1OusI52o0
D+ÀvÝ ¨†rhÉê|
«vkò(”ëyâw+ÁBSÝžý<C5BE>„²L«ˆkAF3¾yúÞ$Tl±p$ù


@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 e3smYA PBcCxs6ilNvC/GpVaduXRioMk/XaZtvwkTtBhILLhH0
k7LzI2vYBumEKSQ4D08nNv254ffhsJv5bp491ViWN3o
-> ssh-ed25519 JvNkLw M3al6LP872JEtRZABFRUDAq2lVsGjjRueDSchC0s1ms
01N62bVOVqq5YHQSsBO0bCcaBgN155AZ05vp+19Hrvc
--- CVPFAJml7cINyE9tisp0eHsZgCSfHbMVpQV49knXiRs
zHRðîÅöÐZÏßóÕœ73õÙÑ4Ž&ìu 5r÷Þ>}jhÛ=Ak=Ckº³B¬iæÚl(`+ß,

Binary file not shown.


@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 e3smYA nIhCitDd4goQvfnvggVnnP4bPrnxgEMVhwJNPd3hZnw
hCLbjL4kL+f1TobXASLRAPsHweXy+6vBvpUyP7RnURw
-> ssh-ed25519 JvNkLw HFjvkJMgtN6ul3N4bIfNwWC6PeNFgeNHILSpDzbF/ig
Z5EdHAr46sF4bSR5S4HmQZz/hHX84qxnxYRr7cO7dog
--- F7kG/ZHu+w9Gnnp8Nw6g49+LI4/2tvt8BKXO/mzQcWY
éN,Œi¼l±²ÐZã1˾g`ž§Úe<×d+Yr[ 4ÃŒo>ŒãÞßL…%eÅ-ëò%£æ?Gø±£Å4ȺdšK3e<>ìñ>ŒÎd}t²*±)“$Fî¨z


@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 e3smYA 4s2R+OGOvJpMnquk2lWYOwLM4lyfyjKKfBMAR/DQWUM
l/ZbXrLnMy76ReqFdgbXb4UyGmPTf1zK5yHccFabTqs
-> ssh-ed25519 JvNkLw gNXQz/QABqMnaHrgSqqzhxZ73TSpzBXkPRyuvWjVN18
XVx2GT7wrE4yclT8Ana9fBMT1dd1eMCVAZB8e8ibX74
--- Y9piO/cFEvSLbO4ZaRrNLP7R9Ep5pRAfP/fUSgTqrRs
é¤7B¾û©Gi8êÄe'ËãÌ‹Úœ)“6Ïàܸ°´+j<>¾b]» Tbâ0ÉÞÊ•£ AØVÍ¡)XùwÊ=<3D>æSgËv^û­[/å Åša8Ê¡gïÁã<C381>

Binary file not shown.


@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 e3smYA 83WwnK1TjVZv5/YQfvHBZk6nZIGA+m1U078+Y+MKUGw
Oq7LOdyHnUdYb6P/9PI/D2q9XrEaYTBNPfaAS3xK9jw
-> ssh-ed25519 JvNkLw b/lUmtQXSBYgMc6YHHD7vwBdAHnLcv/WRdZudxmhrzw
1rxu0ZZ5lqPUd7acjPv8z0cxJOPSgVp9PaC5w25MRoE
--- RVHHph3SEe1dlHCHDVnjmnuBEqNeQXuXA82TAikh1AQ
/ ïÆød~šwöÈÙÃg~¾8"Zw<5A>äÓWèlVŸ+ø´êŽ¨3(Kg³%ö?#õ‡QÁ<51>Ñ$¤=H GªH:(|_ä¨s7¨L0Ù¤èÛ(¡_{ßúqv&


@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 e3smYA 8Hp6x3Kv9dAdm8xoYfg2J2EVrZcUMZth2Db+OCOHrW0
byOSmkKkT2204RfTNVAzv70ojTmU2nhsDRYCl6dGpuw
-> ssh-ed25519 JvNkLw oTZ7j76JP6WjEUMFqXTY4SaELWIT7CgrToebhuoLUAA
0SY4EH9UpxRAWDEHVoGcIux//t6K6CrW/Y/jp+T1xHE
--- 7YjhlVqRia++HUg7tRcGjMGMvAY3b26ygh5DgGjTR/w
eé=¾_`RUNØjÀVH¬óäU¡„šÇg¿nÝÛûk“M÷Æ„)J¨ S@iv


@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 e3smYA NdClQEJBUiVogrX42OHzaM1Mb4rUS0MKfUvYoG4Y7Rk
LY1AQc18I2jYRBGDD27M6OBVswYbdozYl0EIQ+R7r6E
-> ssh-ed25519 JvNkLw xVrNR1PmTJZqmZEUeb1pF9rAaeIz6ZTB6PeSNk6yA2Q
cbMa7O7HlGNa6//6D1Mk/2g0nIJlAzi04fR8CfgFX/g
--- +KZYx3ghNsfMKJf+UiHrzWwDJnUXJ0bas3bVtN23Vm4
U(•Ë‘šƒ·Ù©ŽzZjVÿœM~2^ æM;lIšuÙÿÏΨšÍü\7ñeBŒªæR¹nî®…î5Š8Ú?¦ (°7RÄj


@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 e3smYA vRsXOqDJKLJnJ1PDFKUmW1x4GSj5ATHsNpondJgb6lY
l6hkimymlfKDo5GEXcqtWaUAPN0nNwZP/SBJ7Pqq4aA
-> ssh-ed25519 JvNkLw CmwQ9XCLaBqRTrUxkUsVb/j0anoA20DJAfyjhWhbuW8
u4C+LxF9hLBUdMBmBexk9jbNrFM7c9kjg5jxh45ARco
--- z7DgZANbdh8CM7HWb4mNnLNnkDFIpPrR60rf5vTtTZc
ùy'pMéIæ6܇ʣ9ÎfÂ:V ÃèIMV>9ÚýÏøX;}”ŒÝ¹õ“ Kã—ÓÕê†Ô"


@ -0,0 +1,44 @@
let
pcs = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL5gkx+aHESLl7w2LOR/LgzhC/WnXv/mz499LADnZ8/Q"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEnWS8gkno+ZIDNDfvux7eXWhtfnz4fqpf6PNLyrITOW"
(builtins.readFile ../../../hosts/shuttle/id_ed25519.pub)
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF7Pnts6n70XTNp6qHxQg5KID6LcUEsz48gOMgPoBe/t"
(builtins.readFile ../../../hosts/redmond/id_ed25519.pub)
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM9HJATd+rgl0GD4/lZeidqIpQkZ6ED+03MkSKAlaDDv"
];
servers = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJwQhs/J6d2U8ZhwdGEV6Cj59u0Wpi4Bek98R2t1PyJf"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEqszkKZQ2GsvTM0R7DSUEehm4G12K6OsZrcRE0vysJ3"
];
in
{
# User passwords 'mkpasswd -m sha-512'
"jimboAccPass.age".publicKeys = pcs ++ servers;
# Wireguard
"wgServerPriv.age".publicKeys = servers;
"wgClientPriv.age".publicKeys = pcs;
# Passwords and keys
"matrixSecret.age".publicKeys = servers;
"pixelfedKey.age".publicKeys = servers;
"prismAdminPass.age".publicKeys = servers;
"icecastAdminPass.age".publicKeys = servers;
"icecastSourcePass.age".publicKeys = servers;
"cloudflareKey.age".publicKeys = servers;
"transmissionPass.age".publicKeys = servers;
# Email, 'mkpasswd -m bcrypt'
"noreplyMailPass.age".publicKeys = servers;
"noreplyMailHash.age".publicKeys = servers;
"jimboMailHash.age".publicKeys = servers;
"lunaMailHash.age".publicKeys = servers;
"cornMailHash.age".publicKeys = servers;
"tinyMailHash.age".publicKeys = servers;
# IPs
"cornIP.age".publicKeys = servers;
}
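Review bot: `"wgClientPriv.age".publicKeys = pcs;` hands one WireGuard private key to every PC, and the server hunk has a single "General Nix" peer for that key with `allowedIPs` of the .16/28 range; WireGuard keeps one endpoint per peer, so if two PCs are up at once the server will keep re-pointing that peer at whichever host handshook last and the tunnel will be unreliable for both. One `.age` per machine with one peer per machine is the usual layout, and it also means a single lost laptop does not invalidate every PC's tunnel. Separately, the recipients mix literal keys with `hosts/*/id_ed25519.pub` files while the users hunk uses the same `.pub` files as user `authorizedKeys`; agenix decrypts at activation with `age.identityPaths`, which defaults to the sshd host keys, so it is worth confirming these are host keys rather than user keys, or setting `age.identityPaths` explicitly on each host. A comment on `pcs`/`servers` naming which machine each key belongs to would make later rotation much easier.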


@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 e3smYA 1Jq7nzdZPvhw6McGTrOOZOtQ/LjOpdXTfxPHwxvoW1k
PmyyuWtzXOAVsZoZzx+s3s9PuN86b/NZx/SLO9Cu+iw
-> ssh-ed25519 JvNkLw 6C5UjHQPGJuwn63IOX5YmIuHwGU3n/Cs9BPqzgzykmw
xE9TsPfuRH4Xvd2uyhDyuJY9ajNq9FbYmCTWzTddFE8
--- G9oWTI+bBQf/Bn95G3C4CEV2bAO/S4fZGyGYnaDaEEM
°ë3FQÅÂ,<ÈHª<48>$}rkÔ¸6:i­øi©²4¡áT0Z1ØCÝw¨<77> 4G8ë­gð-ižeYß2?<>K®©JO<4A>ç¹d|ò»3ÞOI+Ëw)


@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 e3smYA DjFkxMzBbXups07bIJzK4ODIsAk/bfP8DEV2mFgQEkI
6i2ofona2MwxuCKozsX48X8Ea+Yd/kaIJCJEYdXSvj8
-> ssh-ed25519 JvNkLw NmD7NAzm67c5Ads+nA8n7aNeWBhSppmTG+iTMdQ/4Wc
1XV+cdFOhGkhM9iz6eK2unElDCMz63SCDkG0thN150E
--- OXUzxk3bvjEQpdIQNbf4oPrPUbY7KQBs9K8QdMvpRhU
 ý¬$j7äóï¨GgI¬Ç_5—4Ýcª…€Âû4Zcy¿mF"y¶%Kž!~âc|ÙufÝXøŽ„$GþÖv¡
Â+ÊÖ¼íÏUƒJ ÐPÅæ7…½ëä- %í©ˆs


@ -0,0 +1,16 @@
age-encryption.org/v1
-> ssh-ed25519 /ZcDag zl9Hh/03ChyHbNPUg5Ggn7LWvG2QVQmigSdBiAHdrxw
i9LUKzWmkdBn0VD5tq7lNg2GPVbvV1LMHOqDeBijS/I
-> ssh-ed25519 GKCTHQ wShLKgnCwo3+jmjqDX1u4bAbTP3AJVSm4P0SrVsSsUI
ufAyoYVnzNka44tww/6Miqk+9LwqwLT8GP2m8VLHpxY
-> ssh-ed25519 BctzVQ sIlr4byLpFH9Qo96gxOKqhhXp8A0wP5WPjMJXTFeYFE
HSX5mL4+PeSvXX+LwxC3WvSw1EfZFCWazwq4QSKOcYY
-> ssh-ed25519 ft2jqg Y0SiMwU2T2WhwD8EBLQNHhbWp3ltYKZOgpSwyMbDtF0
Yjfu+/CtJ+ybyoq+pueoY5Np/SiD7lJHJoBLmTnsAUI
-> ssh-ed25519 m6WZAA 01h6eDQ6lrpZnaof4DbxMEde8aDEbDkIV86I2cyzQGc
dv401nIANBXWzEA2/MgMZpbagAys5nJPxJqdbv98v10
-> ssh-ed25519 ZUFK4A J0C4YC9eXtMh/wnUY/OfNlyhIi6oMltBWkaMP2ECT3k
a4SL4cbI3oJpmILt1vN2E7yy8PBhvk88pYuhsHRx9b4
--- 1uXOqr769IAt4zPnAWiy6r1oh9bf/MKwZUJn0Mfzb/I
|S÷¥à4èŽcií<
븃<15>€å>§vÄ@ÁÿŠ´~Ä,+<2B>£×w[Y>¯,—Qfó»RÀ/²±e| OñLËøç¼\+¡q


@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 e3smYA mRlVqaa50qM+f9Nhoy4wRumpweW/YnTXm1Q4T//ELVI
EmH08n178gsOdur6TwLnwx+YAYfq1zesGrI3/tQut70
-> ssh-ed25519 JvNkLw r7bS24QCTg+QN8mDEc+fBkH5G19eYYaHQzNZLekM3U8
+imhQJJdwJmEIDABvkazDT/khxmADfmuDaz6zi4SxJw
--- ZDa/qnfp6naVMNo+xCNQgeVT4te78T6dkYPUVTacvpc
ƙٔï%ý•Ÿ^Z€æ¾©`E²´ý~Ü-Ê!FÊÒŠ¯œ¤¿ fÇ€ïšØÍ ¾Iu<49>hó²Æ9¶CZ\…^œ»ë|ѶOñOD*èak.[

Binary file not shown.


@ -0,0 +1,16 @@
age-encryption.org/v1
-> ssh-ed25519 /ZcDag 7KYEycha4k8XapsUdObvvuDRJ0NFhuQD9mIStgcGUmU
CVBQlNhrviAUVZbLQdFwTgX/kw28P4kic1hbfGTNGHs
-> ssh-ed25519 GKCTHQ ZFT60A8kpAGl97DOHvEDpe50eLlL4POSuGD+Rjjma2w
VMG0fmwRecJTRnKo6DIrAiXheHPonDeX1upsehtf9y4
-> ssh-ed25519 BctzVQ WlxIEZPFAKi1nD2wxyZ0i2uuMOqFQStDaA/qPsRabHc
rkU3dmMyMQXbDfrmUimCVSFRWTtgfsq6GlCOzzE5q4U
-> ssh-ed25519 ft2jqg EnTAY36wZTE5CYMS/O9KZB7QL2r444F2a+KZ70CEJXc
U54qJTJMNFd70qPO/YRcB/I+LqiFYnv7qJ3DujH6xwk
-> ssh-ed25519 m6WZAA t11cOv2J2xPYCiFuwS/WAAR9sq/K9Yj6+I8eRyQM6g4
o3382vvwCnrIWyXFFaNDnFtEpbYJ7k6myfrM+aoyUnU
-> ssh-ed25519 ZUFK4A SBejT9+GAMNaps+Q7Bupo0FehBAsRDAGz5nimJ6QvxA
WqZvPqm1+TgKK8Mrbh9w9I4RUyyy5l36AKGPeQXaBlo
--- wekIr1ZsI+b61xeK+ueUfs9e+D2wF0ewltiHJWaLKzA
äïA^uJ+¹Ž-èPëõÝ/³eÖå¨
Ÿ|éË/œŽ<1C>ÃK'"87ËýtÔnä¢â9|“â½V KwÖ¦Äj´ŠZ·á¼W¥²ñR


@ -0,0 +1,7 @@
{ ... }:
{
age.secrets = {
# User passwords
jimboAccPass.file = ../agenix/jimboAccPass.age;
};
}

Binary file not shown.


@ -0,0 +1,7 @@
{ ... }:
{
age.secrets = {
# Wireguard
wgClientPriv.file = ../agenix/wgClientPriv.age;
};
}


@ -0,0 +1,27 @@
{ ... }:
{
age.secrets = {
# Wireguard
wgServerPriv.file = ../agenix/wgServerPriv.age;
# Passwords and keys
matrixSecret.file = ../agenix/matrixSecret.age;
pixelfedKey.file = ../agenix/pixelfedKey.age;
prismAdminPass.file = ../agenix/prismAdminPass.age;
icecastAdminPass.file = ../agenix/icecastAdminPass.age;
icecastSourcePass.file = ../agenix/icecastSourcePass.age;
cloudflareKey.file = ../agenix/cloudflareKey.age;
transmissionPass.file = ../agenix/transmissionPass.age;
# Email
noreplyMailPass.file = ../agenix/noreplyMailPass.age;
noreplyMailHash.file = ../agenix/noreplyMailHash.age;
jimboMailHash.file = ../agenix/jimboMailHash.age;
lunaMailHash.file = ../agenix/lunaMailHash.age;
cornMailHash.file = ../agenix/cornMailHash.age;
tinyMailHash.file = ../agenix/tinyMailHash.age;
# IPs
cornIP.file = ../agenix/cornIP.age;
};
}
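Review bot: None of the `age.secrets.*` entries here set `owner`, `group` or `mode`, so every decrypted file is root-only; that is right for the wireguard key, the nftables address and the mailserver hashes, but several consumers in this commit hand the path to a service — `passwordFile` for the ddns client and mastodon, `secretFile` for pixelfed, `credentialsFile` for transmission — and any of them that opens the file as its own unprivileged user will fail at start with a permission error. Check which of those services read the file as root (or via systemd credentials) and give the rest an explicit owner, e.g. `cloudflareKey = { file = ../agenix/cloudflareKey.age; owner = "<service-user>"; };` with the placeholder replaced by that service's user. A short comment per group stating which unit reads each secret would make this auditable the next time a service changes user.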