defiant #2

Merged
felixalb merged 6 commits from defiant into main 2023-12-25 02:09:25 +01:00
10 changed files with 80 additions and 119 deletions


@ -3,7 +3,7 @@ keys:
- &user_felixalb age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf - &user_felixalb age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf
- &host_voyager age14jzavfeg47pgnrstea6yzvh3s3a578nj8hkk8g79vxyzpn86gslscp23qu - &host_voyager age14jzavfeg47pgnrstea6yzvh3s3a578nj8hkk8g79vxyzpn86gslscp23qu
- &host_sarek age1yjc08ykd5d687p9tmn6mpsna3azryreuuz6akj2p0dtft9xqq5lsuamljk - &host_sarek age1yjc08ykd5d687p9tmn6mpsna3azryreuuz6akj2p0dtft9xqq5lsuamljk
- &host_janeway age1sjk38fy5dk2nn0q0rmxuvr9uw3ttgz7mq4632f8jllzqryft0y3s46j65k - &host_defiant age128md9emufxu35kgww3a90sw40vvc60f5xul9n9ndvw4lfnj3ndaqq44u64
creation_rules: creation_rules:
# Global secrets # Global secrets
@ -21,16 +21,15 @@ creation_rules:
- *user_felixalb_old - *user_felixalb_old
- *user_felixalb - *user_felixalb
- path_regex: secrets/defiant/[^/]+\.yaml$
key_groups:
- age:
- *host_defiant
- *user_felixalb
- path_regex: secrets/sarek/[^/]+\.yaml$ - path_regex: secrets/sarek/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
- *host_sarek - *host_sarek
- *user_felixalb_old - *user_felixalb_old
- *user_felixalb - *user_felixalb
- path_regex: secrets/janeway/[^/]+\.yaml$
key_groups:
- age:
- *host_janeway
- *user_felixalb_old
- *user_felixalb
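Review bot: The new `secrets/defiant/[^/]+\.yaml$` rule lists only `*host_defiant` and `*user_felixalb`, while the neighbouring sarek rule still carries `*user_felixalb_old`; if the old user key is being retired that is the right direction, but then the other groups should drop it too (followed by `sops updatekeys` on their files), otherwise the asymmetry reads as accidental. Removing the `&host_janeway` anchor and its rule also means any `secrets/janeway/*.yaml` still in the tree matches no creation rule and stays encrypted to a host key that is being decommissioned; I cannot tell from this page whether those files are deleted in the same commit. A one-line comment above the defiant rule, `# defiant replaces janeway; old user key intentionally omitted`, would make the intent explicit.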


@ -62,6 +62,7 @@
./hosts/defiant/configuration.nix ./hosts/defiant/configuration.nix
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
matrix-synapse-next.nixosModules.default
home-manager.nixosModules.home-manager { home-manager.nixosModules.home-manager {
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
@ -105,20 +106,6 @@
} }
]; ];
}; };
janeway = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
inherit inputs;
};
modules = [
# Overlays-module makes "pkgs.unstable" available in configuration.nix
({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
./hosts/janeway/configuration.nix
sops-nix.nixosModules.sops
matrix-synapse-next.nixosModules.default
];
};
redshirt = nixpkgs.lib.nixosSystem { redshirt = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
specialArgs = { specialArgs = {


@ -6,6 +6,10 @@
../../base.nix ../../base.nix
../../common/metrics-exporters.nix ../../common/metrics-exporters.nix
./hardware-configuration.nix ./hardware-configuration.nix
./services/postgresql.nix
./services/nginx.nix
./services/matrix-synapse.nix
]; ];
networking = { networking = {
@ -13,13 +17,13 @@
defaultGateway = "192.168.10.1"; defaultGateway = "192.168.10.1";
interfaces.enp3s0.ipv4 = { interfaces.enp3s0.ipv4 = {
addresses = [ addresses = [
{ address = "192.168.10.175"; prefixLength = 24; } { address = "192.168.10.175"; prefixLength = 24; } # Main IP for defiant, internal
]; ];
}; };
hostId = "8e84f235"; hostId = "8e84f235";
}; };
# sops.defaultSopsFile = ../../secrets/defiant/defiant.yaml; sops.defaultSopsFile = ../../secrets/defiant/defiant.yaml;
environment.variables = { EDITOR = "vim"; }; environment.variables = { EDITOR = "vim"; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
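Review bot: `sops.defaultSopsFile` is uncommented here, but nothing in this hunk declares a `sops.secrets.*` entry, so the `matrix/synapse/registrationsecret` key added in `secrets/defiant/defiant.yaml` is only decrypted onto the host if one of the newly imported service files (presumably `./services/matrix-synapse.nix`, outside this hunk) declares it; worth confirming, because a missing declaration does not fail at evaluation and only surfaces when synapse starts. The address `192.168.10.175` is now written in three files (here, `services/nginx.nix` and `services/matrix-synapse.nix`); the service modules already accept a `values` argument that is unused, so defining the address there once would keep the listeners in sync if the IP changes. The `# Main IP for defiant, internal` comment is fine as written.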


@ -73,11 +73,12 @@
}; };
services.redis.servers."".enable = true; services.redis.servers."".enable = true;
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx.virtualHosts."matrix.feal.no" = { services.nginx.virtualHosts."matrix.feal.no" = {
enableACME = lib.mkForce false; listen = [
forceSSL = lib.mkForce false; { addr = "192.168.10.175"; port = 43443; ssl = true; }
{ addr = "192.168.10.175"; port = 43080; ssl = false; }
];
}; };
} }
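Review bot: With `enableACME = lib.mkForce false;` and `forceSSL = lib.mkForce false;` dropped, the `matrix.feal.no` vhost now has an `ssl = true` listener on 43443, but this hunk sets neither a certificate (`enableACME`/`useACMEHost`/`sslCertificate`) nor `forceSSL`; unless the matrix-synapse-next module sets them (I cannot tell from here), nginx will reject the ssl listener, and if the module only supplies the certificate, the plain listener on 43080 — marked publicly exposed in `nginx.nix` — will serve client traffic unencrypted. I would set `forceSSL = true;` explicitly in this vhost, and since ACME HTTP-01 must reach the host on port 80 of `matrix.feal.no`, confirm the external forward to 43080 is in place before merging. The enclosing attribute set starts above this hunk.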


@ -0,0 +1,30 @@
{ config, values, ... }:
{
services.nginx = {
enable = true;
enableReload = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
defaultListen = [
{
addr = "192.168.10.175";
port = "80";
ssl = false;
}
];
};
networking.firewall.allowedTCPPorts = [
80 443 # Internal / Default
43080 43443 # External / Publicly exposed
];
security.acme = {
acceptTerms = true;
defaults.email = "felix@albrigtsen.it";
};
}
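Review bot: `port = "80";` in `defaultListen` is a string, whereas the NixOS nginx option takes a port number as far as I recall; `port = 80;` avoids a type error at evaluation (or a quoted port in the generated config if the type is looser than I remember). The firewall opens 443 under the `# Internal / Default` comment, but `defaultListen` defines only the plain-HTTP listener on 192.168.10.175:80, so nothing answers on 443 unless a vhost supplies its own `listen`; either add an `{ addr = "192.168.10.175"; port = 443; ssl = true; }` entry here or drop 443 from the "Default" claim in the comment. The `values` argument in the module header is unused in this file — presumably intended for the address, which would be the natural place to define `192.168.10.175` once.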


@ -1,40 +0,0 @@
{ config, pkgs, lib, modulesPath, ... }:
{
imports =
[
(modulesPath + "/virtualisation/proxmox-lxc.nix")
../../base.nix
../../common/metrics-exporters.nix
./services/nginx.nix
./services/postgresql.nix
./services/matrix-synapse.nix
];
# Boot and console is handled by proxmoxLXC.
boot.loader.systemd-boot.enable = lib.mkForce false; # Enabled in base.nix, forced off here.
# Override proxmox networking
proxmoxLXC.manageNetwork = true;
networking = {
hostName = "janeway";
defaultGateway = "192.168.10.1";
interfaces."eth0".ipv4 = {
addresses = [
{ address = "192.168.10.183"; prefixLength = 24; }
];
};
hostId = "bed956ff";
};
environment.systemPackages = with pkgs; [
vim
bottom
];
sops.defaultSopsFile = ../../secrets/janeway/janeway.yaml;
system.stateVersion = "23.05";
}


@ -1,33 +0,0 @@
{ config, pkgs, ... }:
{
services.mx-puppet-discord = {
enable = true;
serviceDependencies = [
"matrix-synapse.service"
"postgresql.service"
];
settings = {
bridge = {
bindAddress = "localhost";
domain = "feal.no";
homeserverUrl = "https://matrix.feal.no";
# homeserverUrl = "http://127.0.1.2:8008";
port = 8434;
enableGroupSync = true;
};
database.connString = "postgresql://mx-puppet-discord@localhost/mx-puppet-discord?sslmode=disable";
provisioning.whitelist = [ "@felixalb:feal\\.no" ];
relay.whitelist = [ ".*" ];
selfService.whitelist = [ "@felixalb:feal\\.no" ];
};
};
services.matrix-synapse.settings.app_service_config_files = [ /var/lib/mx-puppet-discord/discord-registration.yaml ];
}


@ -1,19 +0,0 @@
{ config, values, ... }:
{
services.nginx = {
enable = true;
enableReload = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
/* security.acme = { */
/* acceptTerms = true; */
/* email = "felix@albrigtsen.it"; */
/* }; */
}


@ -0,0 +1,32 @@
matrix:
synapse:
registrationsecret: ENC[AES256_GCM,data:6gRW6t080VSyNRAmIrMqXL/oj7dj0JbcQekG3lac7zcdvJbgkUaqEGoWdrym2XiEOSLBOVMthnpLdalC2wcyJdmxB7xMNsYS4RfjR3PMKIo1Ap7JSmuKBl3eeaOalHk=,iv:dZl4/qFMoqEbSwL4JF/sjG21e6DuKVxbXwrGHkxfW4U=,tag:LWdCcmUUeTO4YAHkHOSJuw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age128md9emufxu35kgww3a90sw40vvc60f5xul9n9ndvw4lfnj3ndaqq44u64
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhQXEzMHQzaTU2YW85Yjhh
eDZ1eG15UytULzhYaTBZemlRak5USmVrMlhRCmtOUmNqYS9xa0VHU2J1V0E0NjN0
ZDRhek9xNXJNY0FhZUJCVjJpYW1ZNHcKLS0tIER3OFlyV2Q3b2l0RkkzVkZMaHdt
MHI3WEV0RnZvWGw5a3BIV21kMlJxdU0Kpa1mjuwYoyk8Qfsst1k/pGGONYQf/sdZ
kfTZV2btleBISsP5aBDTF+I4AJZesumJuNVA0gPsI88GaQuf3rqb8w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjRi9mRDMvcDhBN3RVcG90
Q2Y5NGhTVmVOaW9VRTl0R25QQXJsb2FQOTFrCnNsL0M2OTQ1KzJKSXJaVlVrL01v
R1RnOURGcDU3V2JldTdlRitQeDBIZE0KLS0tIHB2T3ZGQjZZRUlUL0FUSzhoZ1Ez
RXcvQU1JYnl0bUtocTZuNkRxcGQwR2MKnyAYtF2y7XBmNuIYi6RzqEJEPPg7B22A
fQVeDfIhiNSVva784KTU+y4TU1UPxumriRrLRFPF3h42ZEq2zQAgrQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-12-24T17:26:56Z"
mac: ENC[AES256_GCM,data:lj6GLwoKmDyZ7Gs7X4LOl531jHXn/yiollTFtKNTRfXKoayg40edWuyZR4eQBUWyjmznWeWSB7DT4L82S5DX6NNEqzBFMBlPFrz6DLDfWW/nMdmHW3l7tPxydm8BbmVi1kvp6W7JnHeA3dTaHyMaq5mwwPxhui64joN7964ABWA=,iv:TeESIqgS4ml7cYERq8+NItIjU+HLuxhXdzGMErcSrjg=,tag:fCIHhf77O6SjY9KjHVdrYw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1