diff --git a/.sops.yaml b/.sops.yaml index c498892..22aa91b 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -2,8 +2,7 @@ keys: - &user_felixalb_old age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw - &user_felixalb age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf - &host_voyager age14jzavfeg47pgnrstea6yzvh3s3a578nj8hkk8g79vxyzpn86gslscp23qu - - &host_sarek age1yjc08ykd5d687p9tmn6mpsna3azryreuuz6akj2p0dtft9xqq5lsuamljk - - &host_janeway age1sjk38fy5dk2nn0q0rmxuvr9uw3ttgz7mq4632f8jllzqryft0y3s46j65k + - &host_defiant age128md9emufxu35kgww3a90sw40vvc60f5xul9n9ndvw4lfnj3ndaqq44u64 creation_rules: # Global secrets @@ -21,16 +20,8 @@ creation_rules: - *user_felixalb_old - *user_felixalb - - path_regex: secrets/sarek/[^/]+\.yaml$ + - path_regex: secrets/defiant/[^/]+\.yaml$ key_groups: - age: - - *host_sarek - - *user_felixalb_old - - *user_felixalb - - - path_regex: secrets/janeway/[^/]+\.yaml$ - key_groups: - - age: - - *host_janeway - - *user_felixalb_old + - *host_defiant - *user_felixalb diff --git a/README.md b/README.md index ade818e..6a4192e 100644 --- a/README.md +++ b/README.md @@ -1,11 +1,10 @@ -# Work In Progress! -Notice, these things might be missing: -- Functionality -- Style -- Safety +## Felixalbs nixos config + +Contains configurations for some nixos servers, some nixos desktops and a [nix-darwin](https://github.com/LnL7/nix-darwin) host. +Secrets are managed with [sops-nix](https://github.com/Mic92/sops-nix). ### Build: -- Build locally on another machine (verify) +- Build locally on another machine: ``` nix --extra-experimental-features "nix-command flakes" build ".#nixosConfigurations.sarek.config.system.build.toplevel" ``` diff --git a/base.nix b/base.nix index 64ec6b8..8991f1c 100644 --- a/base.nix +++ b/base.nix @@ -6,7 +6,7 @@ networking = { domain = "home.feal.no"; - nameservers = [ "192.168.10.3" "192.168.11.100" "1.1.1.1" ]; + nameservers = [ "192.168.10.175" "192.168.10.1" "1.1.1.1" ]; useDHCP = lib.mkDefault false; }; 
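Review bot: The creation rules for `secrets/sarek/` and `secrets/janeway/` are removed together with the `host_sarek` and `host_janeway` recipients, but nothing in this diff deletes the files those rules covered; if `secrets/sarek/sarek.yaml` or `secrets/janeway/janeway.yaml` still exist in the tree they now match no rule and stay decryptable with the retired hosts' age keys, so they should be deleted (or re-keyed) in the same change. The global rule above the hunk still lists `*user_felixalb_old` while the new defiant rule omits it; if the old user key is being retired, drop it from the global rule too and run `sops updatekeys` on the affected files, otherwise a short comment on why defiant differs would help. Both points are inferred from what is visible here, since the rest of `secrets/` is not in the diff.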
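Review bot: The shared `base.nix` now points every host's first resolver at 192.168.10.175, which according to `hosts/defiant/services/pihole.nix` is a Docker container on defiant, with 192.168.10.1 and 1.1.1.1 as fallbacks. Resolvers in `/etc/resolv.conf` are tried in order, so whenever the pihole container is down, restarting, or slow (including on defiant itself during a rebuild), clients fall through to the unfiltered resolvers silently; Pi-hole therefore cannot be relied on as a control, only as a convenience. Worth stating that next to the list, e.g. `# 192.168.10.175 = pihole container on defiant; the other two are unfiltered fallbacks`.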
diff --git a/flake.nix b/flake.nix index 132a164..0fbbc8e 100644 --- a/flake.nix +++ b/flake.nix @@ -51,6 +51,25 @@ } ]; }; + defiant = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = { + inherit inputs; + }; + modules = [ + # Overlays-module makes "pkgs.unstable" available in configuration.nix + ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; }) + + ./hosts/defiant/configuration.nix + sops-nix.nixosModules.sops + matrix-synapse-next.nixosModules.default + home-manager.nixosModules.home-manager { + home-manager.useGlobalPkgs = true; + home-manager.useUserPackages = true; + home-manager.users."felixalb" = import ./hosts/defiant/home.nix; + } + ]; + }; edison = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; specialArgs = { @@ -69,38 +88,6 @@ } ]; }; - sarek = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - specialArgs = { - inherit inputs; - }; - modules = [ - # Overlays-module makes "pkgs.unstable" available in configuration.nix - ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; }) - - ./hosts/sarek/configuration.nix - sops-nix.nixosModules.sops - home-manager.nixosModules.home-manager { - home-manager.useGlobalPkgs = true; - home-manager.useUserPackages = true; - home-manager.users."felixalb" = import ./hosts/sarek/home.nix; - } - ]; - }; - janeway = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - specialArgs = { - inherit inputs; - }; - modules = [ - # Overlays-module makes "pkgs.unstable" available in configuration.nix - ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; }) - - ./hosts/janeway/configuration.nix - sops-nix.nixosModules.sops - matrix-synapse-next.nixosModules.default - ]; - }; redshirt = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; specialArgs = { diff --git a/hosts/defiant/configuration.nix b/hosts/defiant/configuration.nix new file mode 100644 index 0000000..776c5c0 --- /dev/null +++ b/hosts/defiant/configuration.nix 
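Review bot: The flake removes the `sarek` and `janeway` outputs, yet the README hunk in this same commit keeps the build example `nix ... build ".#nixosConfigurations.sarek.config.system.build.toplevel"`, which will now fail with a missing attribute; change it to `defiant` or another surviving host. As a matter of style, `defiant`'s module list is a verbatim copy of the removed sarek/janeway lists (overlay module, sops, optional home-manager), so a small `mkHost = { name, extraModules ? [] }: ...` helper would keep the per-host boilerplate from drifting. The `matrix-synapse-next` module is carried over from janeway as expected.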
@@ -0,0 +1,41 @@
+{ config, pkgs, ... }:
+
+{
+ imports =
+ [
+ ../../base.nix
+ ../../common/metrics-exporters.nix
+ ./hardware-configuration.nix
+
+ ./services/postgresql.nix
+ ./services/nginx.nix
+ ./services/matrix-synapse.nix
+ ./services/flame.nix
+ ./services/hedgedoc.nix
+ ./services/pihole.nix
+ ];
+
+ networking = {
+ hostName = "defiant";
+ defaultGateway = "192.168.10.1";
+ interfaces.enp3s0.ipv4 = {
+ addresses = [
+ { address = "192.168.10.175"; prefixLength = 24; } # Main IP for defiant, internal
+ ];
+ };
+ hostId = "8e84f235";
+ };
+
+ sops.defaultSopsFile = ../../secrets/defiant/defiant.yaml;
+
+ environment.variables = { EDITOR = "vim"; };
+ environment.systemPackages = with pkgs; [
+ zfs
+ ];
+
+ virtualisation.docker.enable = true;
+ virtualisation.oci-containers.backend = "docker";
+
+ system.stateVersion = "23.11";
+}
+
diff --git a/hosts/defiant/hardware-configuration.nix b/hosts/defiant/hardware-configuration.nix
new file mode 100644
index 0000000..05ce9bc
--- /dev/null
+++ b/hosts/defiant/hardware-configuration.nix
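Review bot: `virtualisation.docker.enable = true` with the `docker` oci-containers backend means ports published by containers are opened by Docker's own iptables chains, not by `networking.firewall.allowedTCPPorts`; on this host that is how pihole's 53/tcp+udp on 192.168.10.175 becomes reachable from the LAN without ever appearing in the NixOS firewall configuration. That is presumably intended, but it deserves a comment next to the docker line so nobody assumes the NixOS firewall is authoritative, e.g. `# NOTE: Docker bypasses the NixOS firewall for published ports; bind containers to 127.0.1.2 unless they must be LAN-reachable`. If a root daemon is not needed, `virtualisation.oci-containers.backend = "podman"` avoids it and respects the firewall.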
@@ -0,0 +1,36 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/45ceae6b-cf6d-42d6-9694-d14c1d42b49f"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/DDDC-5C0C"; + fsType = "vfat"; + }; + + swapDevices = [ { + device = "/swapfile"; + size = 8*1024; + } ]; + + networking.useDHCP = lib.mkDefault false; + # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/sarek/home.nix b/hosts/defiant/home.nix similarity index 95% rename from hosts/sarek/home.nix rename to hosts/defiant/home.nix index bb390ad..84fa68e 100644 --- a/hosts/sarek/home.nix +++ b/hosts/defiant/home.nix @@ -5,7 +5,6 @@ bottom ncdu neofetch - nix-index ]; imports = [ diff --git a/hosts/defiant/services/flame.nix b/hosts/defiant/services/flame.nix new file mode 100644 index 0000000..c7e7659 --- /dev/null +++ b/hosts/defiant/services/flame.nix 
@@ -0,0 +1,22 @@
+{ config, pkgs, lib, ... }:
+let
+ domain = "flame.home.feal.no";
+ host = "127.0.1.2";
+ port = "5005";
+in {
+ # Flame - Homelab dashboard/linktree
+ virtualisation.oci-containers.containers = {
+ flame = {
+ image = "pawelmalak/flame";
+ ports = [ "${host}:${port}:5005" ];
+ volumes = [
+ "/var/lib/flame/data:/app/data/"
+ ];
+ };
+ };
+
+ services.nginx.virtualHosts."${domain}" = {
+ locations."/".proxyPass = "http://${host}:${port}";
+ };
+}
+
diff --git a/hosts/defiant/services/hedgedoc.nix b/hosts/defiant/services/hedgedoc.nix
new file mode 100644
index 0000000..e5b50ce
--- /dev/null
+++ b/hosts/defiant/services/hedgedoc.nix
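Review bot: `image = "pawelmalak/flame";` carries no tag or digest, so every pull and every container recreation takes whatever `latest` currently is on Docker Hub; pin it, e.g. `image = "pawelmalak/flame:<version>";` or preferably `pawelmalak/flame@sha256:<digest>`, so the deployed dashboard is reproducible from this repo. The vhost has no `listen`, so it falls back to the `defaultListen` in `services/nginx.nix` (192.168.10.175:80, `ssl = false`), meaning Flame's login password crosses the LAN in cleartext — acceptable for a homelab but worth a one-line comment stating that the internal vhosts are intentionally HTTP-only.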
@@ -0,0 +1,117 @@ +{ config, pkgs, lib, ... }: +let + cfg = config.services.hedgedoc.settings; + domain = "md.feal.no"; + port = 3300; + host = "127.0.1.2"; + authServerUrl = "https://auth.feal.no"; +in { + # Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET + sops.secrets."hedgedoc/env" = { + restartUnits = [ "hedgedoc.service" ]; + }; + + services.hedgedoc = { + enable = true; + environmentFile = config.sops.secrets."hedgedoc/env".path; + settings = { + inherit domain port host; + protocolUseSSL = true; + sessionSecret = "$CMD_SESSION_SECRET"; + + allowFreeURL = true; + allowAnonymous = false; + allowAnonymousEdits = true; # Allow anonymous edits with the "freely" permission + + # dbURL = "postgres://hedgedoc@localhost/hedgedoc"; + db = { + username = "hedgedoc"; + database = "hedgedoc"; + host = "/run/postgresql"; + dialect = "postgresql"; + }; + + email = false; + oauth2 = { + baseURL = "${authServerUrl}/oauth2"; + tokenURL = "${authServerUrl}/oauth2/token"; + authorizationURL = "${authServerUrl}/ui/oauth2"; + userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo"; + + clientID = "hedgedoc"; + clientSecret = "$CMD_OAUTH2_CLIENT_SECRET"; + scope = "openid email profile"; + userProfileUsernameAttr = "name"; + userProfileEmailAttr = "email"; + userProfileDisplayNameAttr = "displayname"; + + providerName = "KaniDM"; + }; + }; + }; + + systemd.services.hedgedoc = { + requires = [ + "postgresql.service" + # "kanidm.service" + ]; + serviceConfig = let + workDir = "/var/lib/hedgedoc"; + in { + WorkingDirectory = lib.mkForce workDir; + StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ]; + + # Better safe than sorry :) + CapabilityBoundingSet = ""; + LockPersonality = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateMounts = true; + PrivateTmp = true; + PrivateUsers = true; + ProtectClock = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + 
ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + ReadWritePaths = [ workDir ]; + RemoveIPC = true; + RestrictSUIDSGID = true; + UMask = "0007"; + RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ]; + SystemCallArchitectures = "native"; + # SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap"; + }; + }; + + services.postgresql = { + ensureDatabases = [ "hedgedoc" ]; + ensureUsers = [{ + name = "hedgedoc"; + ensureDBOwnership = true; + }]; + }; + + services.nginx.virtualHosts."${domain}" = { + listen = [ + { addr = "192.168.10.175"; port = 43443; ssl = true; } + { addr = "192.168.10.175"; port = 43080; ssl = false; } + ]; + + enableACME = true; + forceSSL = true; + + locations = { + "/" = { + proxyPass = "http://${host}:${toString port}"; + }; + "/socket.io" = { + proxyPass = "http://${host}:${toString port}"; + proxyWebsockets = true; + }; + }; + }; +} diff --git a/hosts/janeway/services/matrix-synapse.nix b/hosts/defiant/services/matrix-synapse.nix similarity index 92% rename from hosts/janeway/services/matrix-synapse.nix rename to hosts/defiant/services/matrix-synapse.nix index 61897af..f534cff 100644 --- a/hosts/janeway/services/matrix-synapse.nix +++ b/hosts/defiant/services/matrix-synapse.nix @@ -73,11 +73,12 @@ }; services.redis.servers."".enable = true; - networking.firewall.allowedTCPPorts = [ 80 443 ]; services.nginx.virtualHosts."matrix.feal.no" = { - enableACME = lib.mkForce false; - forceSSL = lib.mkForce false; + listen = [ + { addr = "192.168.10.175"; port = 43443; ssl = true; } + { addr = "192.168.10.175"; port = 43080; ssl = false; } + ]; }; } diff --git a/hosts/defiant/services/nginx.nix b/hosts/defiant/services/nginx.nix new file mode 100644 index 0000000..576537b --- /dev/null +++ b/hosts/defiant/services/nginx.nix 
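Review bot: `RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];` is a one-element list whose single string holds three families; systemd accepts the space-separated form so it works, but it should be `RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];` to match how the other list-valued directives in this block are written. The `SystemCallFilter` line stays commented out, which leaves the hardening set incomplete next to `SystemCallArchitectures = "native"`; the conventional allow-list `SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];` is worth trying before resorting to the handwritten deny-list. Moving `host` from `0.0.0.0` to `127.0.1.2` and dropping the firewall opening is a clear improvement over the sarek version. This hunk starts on the previous line of SOURCE.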
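Review bot: The hunk removes `enableACME = lib.mkForce false` and `forceSSL = lib.mkForce false` and adds a `ssl = true` listener on 43443, so `matrix.feal.no` now depends on TLS settings defined earlier in this vhost, outside the hunk; confirm that `enableACME`/`forceSSL` are set there, because a `ssl = true` listen entry without a certificate makes nginx fail to start. The same two `listen` entries are now duplicated here, in `hedgedoc.nix` and in `nginx.nix`'s `publicProxy`; hoisting them into one shared value (e.g. a `publicListen` list in a common module) would keep the externally exposed ports from drifting between files. The enclosing vhost definition begins before this hunk.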
@@ -0,0 +1,48 @@ +{ config, values, ... }: +{ + services.nginx = { + enable = true; + enableReload = true; + + recommendedProxySettings = true; + recommendedTlsSettings = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + + defaultListen = [ + { + addr = "192.168.10.175"; + port = 80; + ssl = false; + } + ]; + }; + + networking.firewall.allowedTCPPorts = [ + 80 443 # Internal / Default + 43080 43443 # External / Publicly exposed + ]; + + security.acme = { + acceptTerms = true; + defaults.email = "felix@albrigtsen.it"; + }; + + # Publicly exposed services: + + services.nginx.virtualHosts = let + publicProxy = upstream: { + listen = [ + { addr = "192.168.10.175"; port = 43443; ssl = true; } + { addr = "192.168.10.175"; port = 43080; ssl = false; } + ]; + enableACME = true; + forceSSL = true; + + locations."/".proxyPass = "${upstream}"; + }; + in { + "jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/"; + "wiki.wackattack.eu" = publicProxy "http://pascal.wackattack.home.feal.no/"; + }; +} diff --git a/hosts/defiant/services/pihole.nix b/hosts/defiant/services/pihole.nix new file mode 100644 index 0000000..b869826 --- /dev/null +++ b/hosts/defiant/services/pihole.nix @@ -0,0 +1,30 @@ +{ config, pkgs, lib, ... }: +let + domain = "pihole.home.feal.no"; + dnsHost = "192.168.10.175"; + webuiListen = "127.0.1.2:5053"; +in { + # Flame - Homelab dashboard/linktree + virtualisation.oci-containers.containers = { + pihole = { + image = "pihole/pihole"; + ports = [ + "${dnsHost}:53:53/tcp" + "${dnsHost}:53:53/udp" + "${webuiListen}:80" + ]; + + environment.TZ = "Europe/Oslo"; + + volumes = [ + "/var/lib/pihole/etc:/etc/pihole" + "/var/lib/pihole/dnsmasq:/etc/dnsmasq.d" + ]; + }; + }; + + services.nginx.virtualHosts."${domain}" = { + locations."/".proxyPass = "http://${webuiListen}"; + }; +} + 
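Review bot: The module signature `{ config, values, ... }` declares a `values` argument that nothing in the file uses; the module system only supplies named arguments that exist in `_module.args`, and the flake passes only `inputs` via `specialArgs`, so unless `values` is defined somewhere not shown here evaluation fails with a missing-argument error — drop it from the signature. Separately, `allowedTCPPorts` opens 443 on the internal side while `defaultListen` only serves 192.168.10.175:80 with `ssl = false`, so every `home.feal.no` vhost (pihole admin UI, flame) is plain HTTP on the LAN even though ACME is configured; either add a `{ addr = "192.168.10.175"; port = 443; ssl = true; }` default listener or comment that LAN traffic is intentionally unencrypted and remove 443 from the firewall list. The `publicProxy` helper forwards to upstreams over plain `http://` to other LAN hosts, which is fine on a trusted segment but worth saying in the `# Publicly exposed services:` comment.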
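Review bot: The header comment `# Flame - Homelab dashboard/linktree` was copied from `flame.nix` and is wrong for this file; replace it with `# Pi-hole - LAN DNS sinkhole on 192.168.10.175:53; admin UI reachable only through nginx`. Port 53 is published via Docker, which installs its own iptables rules ahead of the NixOS firewall, so 53/tcp and 53/udp are LAN-reachable even though they never appear in `networking.firewall.allowedTCPPorts`/`allowedUDPPorts`; listing them explicitly (`networking.firewall.allowedUDPPorts = [ 53 ];` alongside the TCP entry) keeps the host's real exposure visible in the config rather than implicit in the container runtime. As with flame, `image = "pihole/pihole"` is unpinned and should carry a tag or digest.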
diff --git a/hosts/janeway/services/postgresql.nix b/hosts/defiant/services/postgresql.nix similarity index 93% rename from hosts/janeway/services/postgresql.nix rename to hosts/defiant/services/postgresql.nix index 83b4285..a8d8d4f 100644 --- a/hosts/janeway/services/postgresql.nix +++ b/hosts/defiant/services/postgresql.nix @@ -6,12 +6,11 @@ }; services.postgresqlBackup = { - enable = true; + # enable = true; location = "/data/backup/postgresql/"; startAt = "*-*-* 03:15:00"; backupAll = true; }; - environment.systemPackages = [ config.services.postgresql.package ]; } diff --git a/hosts/janeway/configuration.nix b/hosts/janeway/configuration.nix deleted file mode 100644 index 60c35f0..0000000 --- a/hosts/janeway/configuration.nix +++ /dev/null @@ -1,40 +0,0 @@ -{ config, pkgs, lib, modulesPath, ... }: - -{ - imports = - [ - (modulesPath + "/virtualisation/proxmox-lxc.nix") - ../../base.nix - ../../common/metrics-exporters.nix - - ./services/nginx.nix - ./services/postgresql.nix - ./services/matrix-synapse.nix - ]; - - # Boot and console is handled by proxmoxLXC. - boot.loader.systemd-boot.enable = lib.mkForce false; # Enabled in base.nix, forced off here. - - # Override proxmox networking - proxmoxLXC.manageNetwork = true; - networking = { - hostName = "janeway"; - defaultGateway = "192.168.10.1"; - interfaces."eth0".ipv4 = { - addresses = [ - { address = "192.168.10.183"; prefixLength = 24; } - ]; - }; - hostId = "bed956ff"; - }; - - environment.systemPackages = with pkgs; [ - vim - bottom - ]; - - sops.defaultSopsFile = ../../secrets/janeway/janeway.yaml; - - system.stateVersion = "23.05"; -} - diff --git a/hosts/janeway/services/bridge-discord.nix b/hosts/janeway/services/bridge-discord.nix deleted file mode 100644 index 0d5586c..0000000 --- a/hosts/janeway/services/bridge-discord.nix +++ /dev/null 
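Review bot: Commenting out `enable = true;` leaves `services.postgresqlBackup` disabled while `location`, `startAt` and `backupAll` are still set, so the Postgres instance that now backs both Synapse and HedgeDoc has no scheduled backups on defiant. If this is temporary (e.g. until the backup path exists on the new host — a guess from `location`), make that explicit with `# enable = true; # TODO: re-enable once /data/backup is mounted on defiant`; otherwise delete the dead block rather than leaving a half-configured backup job. The hunk also drops `environment.systemPackages = [ config.services.postgresql.package ]`, so `psql` is no longer on PATH for ad-hoc administration; fine if intended, but it looks incidental.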
@@ -1,33 +0,0 @@ -{ config, pkgs, ... }: - -{ - services.mx-puppet-discord = { - enable = true; - - serviceDependencies = [ - "matrix-synapse.service" - "postgresql.service" - ]; - - settings = { - bridge = { - bindAddress = "localhost"; - domain = "feal.no"; - homeserverUrl = "https://matrix.feal.no"; - # homeserverUrl = "http://127.0.1.2:8008"; - - port = 8434; - enableGroupSync = true; - }; - - database.connString = "postgresql://mx-puppet-discord@localhost/mx-puppet-discord?sslmode=disable"; - - provisioning.whitelist = [ "@felixalb:feal\\.no" ]; - relay.whitelist = [ ".*" ]; - selfService.whitelist = [ "@felixalb:feal\\.no" ]; - - }; - }; - - services.matrix-synapse.settings.app_service_config_files = [ /var/lib/mx-puppet-discord/discord-registration.yaml ]; -} diff --git a/hosts/janeway/services/nginx.nix b/hosts/janeway/services/nginx.nix deleted file mode 100644 index 4c376d7..0000000 --- a/hosts/janeway/services/nginx.nix +++ /dev/null @@ -1,19 +0,0 @@ -{ config, values, ... }: -{ - services.nginx = { - enable = true; - enableReload = true; - - recommendedProxySettings = true; - recommendedTlsSettings = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - }; - - networking.firewall.allowedTCPPorts = [ 80 443 ]; - - /* security.acme = { */ - /* acceptTerms = true; */ - /* email = "felix@albrigtsen.it"; */ - /* }; */ -} diff --git a/hosts/sarek/configuration.nix b/hosts/sarek/configuration.nix deleted file mode 100644 index 22eebbe..0000000 --- a/hosts/sarek/configuration.nix +++ /dev/null 
@@ -1,54 +0,0 @@ -{ config, pkgs, lib, modulesPath, ... }: - -{ - imports = - [ - (modulesPath + "/virtualisation/proxmox-lxc.nix") - ../../base.nix - ../../common/metrics-exporters.nix - - ./services/flame.nix - ./services/hedgedoc.nix - ./services/nginx.nix - ./services/postgresql.nix - ]; - - # Boot and console is handled by proxmoxLXC. - boot.loader.systemd-boot.enable = lib.mkForce false; # Enabled in base.nix, forced off here. - - # Override proxmox networking - proxmoxLXC.manageNetwork = true; - networking = { - hostName = "sarek"; - defaultGateway = "192.168.10.1"; - interfaces."eth0".ipv4 = { - addresses = [ - { address = "192.168.10.181"; prefixLength = 24; } - ]; - }; - hostId = "15dd36bc"; - }; - - sops.defaultSopsFile = ../../secrets/sarek/sarek.yaml; - virtualisation.docker.enable = true; - virtualisation.oci-containers.backend = "docker"; - - # Undo https://github.com/NixOS/nixpkgs/commit/59e37267556eb917146ca3110ab7c96905b9ffbd to work on unprivileged LXC containers - system.activationScripts.var = lib.mkForce '' - # Various log/runtime directories. - mkdir -p /var/tmp - chmod 1777 /var/tmp - # Empty, immutable home directory of many system accounts. - mkdir -p /var/empty - # Make sure it's really empty - ${pkgs.e2fsprogs}/bin/chattr -f -i /var/empty || true - find /var/empty -mindepth 1 -delete - chmod 0555 /var/empty - chown root:root /var/empty - ${pkgs.e2fsprogs}/bin/chattr -f +i /var/empty || true - ''; - systemd.tmpfiles.rules = lib.mkForce []; - - system.stateVersion = "23.05"; -} - diff --git a/hosts/sarek/services/flame.nix b/hosts/sarek/services/flame.nix deleted file mode 100644 index 455f8d1..0000000 --- a/hosts/sarek/services/flame.nix +++ /dev/null 
@@ -1,24 +0,0 @@ -{ config, pkgs, lib, ... }: -let - domain = "flame.home.feal.no"; - host = "127.0.1.2"; - port = "5005"; -in { - # Flame - Homelab dashboard/linktree - virtualisation.oci-containers.containers = { - flame = { - image = "pawelmalak/flame"; - ports = [ "${host}:${port}:5005" ]; - volumes = [ - "/var/lib/flame/data:/app/data/" - ]; - }; - }; - - services.nginx.virtualHosts."${domain}" = { - locations."/" = { - proxyPass = "http://${host}:${port}"; - }; - }; - } - diff --git a/hosts/sarek/services/hedgedoc.nix b/hosts/sarek/services/hedgedoc.nix deleted file mode 100644 index a63a238..0000000 --- a/hosts/sarek/services/hedgedoc.nix +++ /dev/null 
@@ -1,94 +0,0 @@ -{ config, pkgs, lib, ... }: -let - cfg = config.services.hedgedoc.settings; - domain = "md.feal.no"; - port = 3300; - host = "0.0.0.0"; - authServerUrl = "https://auth.feal.no"; -in { - # Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET - sops.secrets."hedgedoc/env" = { - restartUnits = [ "hedgedoc.service" ]; - }; - - services.hedgedoc = { - enable = true; - environmentFile = config.sops.secrets."hedgedoc/env".path; - settings = { - inherit domain port host; - protocolUseSSL = true; - sessionSecret = "$CMD_SESSION_SECRET"; - - allowFreeURL = true; - allowAnonymous = false; - allowAnonymousEdits = true; # Allow anonymous edits with the "freely" permission - - dbURL = "postgres://hedgedoc:@localhost/hedgedoc"; - - email = false; - oauth2 = { - baseURL = "${authServerUrl}/oauth2"; - tokenURL = "${authServerUrl}/oauth2/token"; - authorizationURL = "${authServerUrl}/ui/oauth2"; - userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo"; - - clientID = "hedgedoc"; - clientSecret = "$CMD_OAUTH2_CLIENT_SECRET"; - scope = "openid email profile"; - userProfileUsernameAttr = "name"; - userProfileEmailAttr = "email"; - userProfileDisplayNameAttr = "displayname"; - - providerName = "KaniDM"; - }; - - }; - }; - - systemd.services.hedgedoc = { - requires = [ - "postgresql.service" - # "kanidm.service" - ]; - serviceConfig = let - workDir = "/var/lib/hedgedoc"; - in { - WorkingDirectory = lib.mkForce workDir; - StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ]; - - # Better safe than sorry :) - CapabilityBoundingSet = ""; - LockPersonality = true; - NoNewPrivileges = true; - PrivateDevices = true; - PrivateMounts = true; - PrivateTmp = true; - PrivateUsers = true; - ProtectClock = true; - ProtectHome = true; - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - ProtectProc = "invisible"; - ProtectSystem = "strict"; - ReadWritePaths = [ workDir ]; - RemoveIPC = true; 
- RestrictSUIDSGID = true; - UMask = "0007"; - RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ]; - SystemCallArchitectures = "native"; - # SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap"; - }; - }; - - networking.firewall.allowedTCPPorts = [ port ]; - - services.postgresql = { - ensureDatabases = [ "hedgedoc" ]; - ensureUsers = [{ - name = "hedgedoc"; - ensureDBOwnership = true; - }]; - }; -} diff --git a/hosts/sarek/services/nginx.nix b/hosts/sarek/services/nginx.nix deleted file mode 100644 index 4c376d7..0000000 --- a/hosts/sarek/services/nginx.nix +++ /dev/null @@ -1,19 +0,0 @@ -{ config, values, ... }: -{ - services.nginx = { - enable = true; - enableReload = true; - - recommendedProxySettings = true; - recommendedTlsSettings = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - }; - - networking.firewall.allowedTCPPorts = [ 80 443 ]; - - /* security.acme = { */ - /* acceptTerms = true; */ - /* email = "felix@albrigtsen.it"; */ - /* }; */ -} diff --git a/hosts/sarek/services/postgresql.nix b/hosts/sarek/services/postgresql.nix deleted file mode 100644 index c7c804b..0000000 --- a/hosts/sarek/services/postgresql.nix +++ /dev/null @@ -1,22 +0,0 @@ -{ config, pkgs, lib, ... }: -{ - services.postgresql = { - enable = true; - enableTCPIP = true; # Expose on the network - authentication = pkgs.lib.mkOverride 10 '' - local all all trust - host all all 127.0.0.1/32 trust - host all all ::1/128 trust - ''; - }; - - services.postgresqlBackup = { - enable = true; - location = "/backup/postgresql/"; - startAt = "*-*-* 03:15:00"; - backupAll = true; - }; - - - environment.systemPackages = [ config.services.postgresql.package ]; -} diff --git a/hosts/worf/configuration.nix b/hosts/worf/configuration.nix index b8f6351..6b7af8d 100644 --- a/hosts/worf/configuration.nix +++ b/hosts/worf/configuration.nix 
@@ -34,7 +34,7 @@ sshKey = "/var/root/.ssh/nix-builder"; } { - hostName = "sarek.home.feal.no"; + hostName = "defiant.home.feal.no"; system = "x86_64-linux"; maxJobs = 6; diff --git a/secrets/defiant/defiant.yaml b/secrets/defiant/defiant.yaml new file mode 100644 index 0000000..7678531 --- /dev/null +++ b/secrets/defiant/defiant.yaml 
@@ -0,0 +1,34 @@ +matrix: + synapse: + registrationsecret: ENC[AES256_GCM,data:6gRW6t080VSyNRAmIrMqXL/oj7dj0JbcQekG3lac7zcdvJbgkUaqEGoWdrym2XiEOSLBOVMthnpLdalC2wcyJdmxB7xMNsYS4RfjR3PMKIo1Ap7JSmuKBl3eeaOalHk=,iv:dZl4/qFMoqEbSwL4JF/sjG21e6DuKVxbXwrGHkxfW4U=,tag:LWdCcmUUeTO4YAHkHOSJuw==,type:str] +hedgedoc: + env: ENC[AES256_GCM,data:7UU8MNo3AEpG1L0lpbfow4mGsIj7qMgtldCxv2T8rimintl1PN+avb2yxXz2P+1MqxNhacYYfBn5AkVqUJvAvo/HaQmsu+M1iFuMG6vEQuMGZZ1bjcslKxjVFWe9Rxzb9O33jqielsBiUmkP7f0MoGzfdyncpRuGjge+ADL7YXdRdH2zyDLW0txM3P593MQYiGo9wzwb7ZpycX4NsuE=,iv:4QE4RwD6c7KQS/w15YP/P2u7iOTWd36/YhpA2Jtdu0U=,tag:QBvO3q5C9TK0oSeso367/Q==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age128md9emufxu35kgww3a90sw40vvc60f5xul9n9ndvw4lfnj3ndaqq44u64 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhQXEzMHQzaTU2YW85Yjhh + eDZ1eG15UytULzhYaTBZemlRak5USmVrMlhRCmtOUmNqYS9xa0VHU2J1V0E0NjN0 + ZDRhek9xNXJNY0FhZUJCVjJpYW1ZNHcKLS0tIER3OFlyV2Q3b2l0RkkzVkZMaHdt + MHI3WEV0RnZvWGw5a3BIV21kMlJxdU0Kpa1mjuwYoyk8Qfsst1k/pGGONYQf/sdZ + kfTZV2btleBISsP5aBDTF+I4AJZesumJuNVA0gPsI88GaQuf3rqb8w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjRi9mRDMvcDhBN3RVcG90 + Q2Y5NGhTVmVOaW9VRTl0R25QQXJsb2FQOTFrCnNsL0M2OTQ1KzJKSXJaVlVrL01v + R1RnOURGcDU3V2JldTdlRitQeDBIZE0KLS0tIHB2T3ZGQjZZRUlUL0FUSzhoZ1Ez + RXcvQU1JYnl0bUtocTZuNkRxcGQwR2MKnyAYtF2y7XBmNuIYi6RzqEJEPPg7B22A + fQVeDfIhiNSVva784KTU+y4TU1UPxumriRrLRFPF3h42ZEq2zQAgrQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-12-24T23:15:29Z" + mac: ENC[AES256_GCM,data:h+omoqeN7ssm7lfF/kdUCX7umQwWtTeph2C9tJQEAP7naL+Sm5WgXl/6PYHjjDSJ8X56tQgNdA2F5P5xIwTEfi6ip0Xbqy9vL+TfqjRhaT897O9W3Gka0zKTIkLFH2klgv3FXRd1CybxfyZpuz8Gpyy/tHZMcdIbEt+snlAII/A=,iv:+MgU7SfErnTMc63liEr8SmJLAthlbG8kU/xY6fUC7jU=,tag:I56xwXpVOF38QelGqW0XPg==,type:str] 
+ pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1
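Review bot: `secrets/defiant/defiant.yaml` is encrypted only to `host_defiant` and `user_felixalb`, which matches the new creation rule, but its payload — `matrix/synapse/registrationsecret` and `hedgedoc/env` (the `CMD_SESSION_SECRET` and `CMD_OAUTH2_CLIENT_SECRET` named in `hedgedoc.nix`) — are the same secrets the retired janeway and sarek hosts held. If these values were carried over rather than regenerated, the decommissioned hosts' age keys (and any LXC snapshot or backup that contains them) can still decrypt the old files, so the Synapse registration shared secret, the HedgeDoc session secret and the KaniDM client secret should be rotated as part of the migration, or the commit should record that this was done. Whether they were rotated cannot be determined from the ciphertext here.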