defiant #2
15
.sops.yaml
15
.sops.yaml
|
@ -3,7 +3,7 @@ keys:
|
||||||
- &user_felixalb age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf
|
- &user_felixalb age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf
|
||||||
- &host_voyager age14jzavfeg47pgnrstea6yzvh3s3a578nj8hkk8g79vxyzpn86gslscp23qu
|
- &host_voyager age14jzavfeg47pgnrstea6yzvh3s3a578nj8hkk8g79vxyzpn86gslscp23qu
|
||||||
- &host_sarek age1yjc08ykd5d687p9tmn6mpsna3azryreuuz6akj2p0dtft9xqq5lsuamljk
|
- &host_sarek age1yjc08ykd5d687p9tmn6mpsna3azryreuuz6akj2p0dtft9xqq5lsuamljk
|
||||||
- &host_janeway age1sjk38fy5dk2nn0q0rmxuvr9uw3ttgz7mq4632f8jllzqryft0y3s46j65k
|
- &host_defiant age128md9emufxu35kgww3a90sw40vvc60f5xul9n9ndvw4lfnj3ndaqq44u64
|
||||||
|
|
||||||
creation_rules:
|
creation_rules:
|
||||||
# Global secrets
|
# Global secrets
|
||||||
|
@ -21,16 +21,15 @@ creation_rules:
|
||||||
- *user_felixalb_old
|
- *user_felixalb_old
|
||||||
- *user_felixalb
|
- *user_felixalb
|
||||||
|
|
||||||
|
- path_regex: secrets/defiant/[^/]+\.yaml$
|
||||||
|
key_groups:
|
||||||
|
- age:
|
||||||
|
- *host_defiant
|
||||||
|
- *user_felixalb
|
||||||
|
|
||||||
- path_regex: secrets/sarek/[^/]+\.yaml$
|
- path_regex: secrets/sarek/[^/]+\.yaml$
|
||||||
key_groups:
|
key_groups:
|
||||||
- age:
|
- age:
|
||||||
- *host_sarek
|
- *host_sarek
|
||||||
- *user_felixalb_old
|
- *user_felixalb_old
|
||||||
- *user_felixalb
|
- *user_felixalb
|
||||||
|
|
||||||
- path_regex: secrets/janeway/[^/]+\.yaml$
|
|
||||||
key_groups:
|
|
||||||
- age:
|
|
||||||
- *host_janeway
|
|
||||||
- *user_felixalb_old
|
|
||||||
- *user_felixalb
|
|
||||||
|
|
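Review bot: The new rule `path_regex: secrets/defiant/[^/]+\.yaml$` encrypts to `host_defiant` and `user_felixalb` only, which is the right least-privilege shape, but dropping `host_janeway` from `keys:` does not revoke anything: every revision of the janeway secret files still in git history stays decryptable by whoever holds that host's age key. If the synapse registration secret now in `secrets/defiant/defiant.yaml` was copied from the janeway file rather than regenerated, treat it as shared with the retired host and rotate it. Consider also anchoring the rule as `path_regex: ^secrets/defiant/[^/]+\.yaml$` so a file at a deeper path with the same suffix cannot pick up the host key by accident; the sarek rule below uses the same unanchored form.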
15
flake.nix
15
flake.nix
|
@ -62,6 +62,7 @@
|
||||||
|
|
||||||
./hosts/defiant/configuration.nix
|
./hosts/defiant/configuration.nix
|
||||||
sops-nix.nixosModules.sops
|
sops-nix.nixosModules.sops
|
||||||
|
matrix-synapse-next.nixosModules.default
|
||||||
home-manager.nixosModules.home-manager {
|
home-manager.nixosModules.home-manager {
|
||||||
home-manager.useGlobalPkgs = true;
|
home-manager.useGlobalPkgs = true;
|
||||||
home-manager.useUserPackages = true;
|
home-manager.useUserPackages = true;
|
||||||
|
@ -105,20 +106,6 @@
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
janeway = nixpkgs.lib.nixosSystem {
|
|
||||||
system = "x86_64-linux";
|
|
||||||
specialArgs = {
|
|
||||||
inherit inputs;
|
|
||||||
};
|
|
||||||
modules = [
|
|
||||||
# Overlays-module makes "pkgs.unstable" available in configuration.nix
|
|
||||||
({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
|
|
||||||
|
|
||||||
./hosts/janeway/configuration.nix
|
|
||||||
sops-nix.nixosModules.sops
|
|
||||||
matrix-synapse-next.nixosModules.default
|
|
||||||
];
|
|
||||||
};
|
|
||||||
redshirt = nixpkgs.lib.nixosSystem {
|
redshirt = nixpkgs.lib.nixosSystem {
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
specialArgs = {
|
specialArgs = {
|
||||||
|
|
|
@ -6,6 +6,10 @@
|
||||||
../../base.nix
|
../../base.nix
|
||||||
../../common/metrics-exporters.nix
|
../../common/metrics-exporters.nix
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
|
|
||||||
|
./services/postgresql.nix
|
||||||
|
./services/nginx.nix
|
||||||
|
./services/matrix-synapse.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
|
@ -13,13 +17,13 @@
|
||||||
defaultGateway = "192.168.10.1";
|
defaultGateway = "192.168.10.1";
|
||||||
interfaces.enp3s0.ipv4 = {
|
interfaces.enp3s0.ipv4 = {
|
||||||
addresses = [
|
addresses = [
|
||||||
{ address = "192.168.10.175"; prefixLength = 24; }
|
{ address = "192.168.10.175"; prefixLength = 24; } # Main IP for defiant, internal
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
hostId = "8e84f235";
|
hostId = "8e84f235";
|
||||||
};
|
};
|
||||||
|
|
||||||
# sops.defaultSopsFile = ../../secrets/defiant/defiant.yaml;
|
sops.defaultSopsFile = ../../secrets/defiant/defiant.yaml;
|
||||||
|
|
||||||
environment.variables = { EDITOR = "vim"; };
|
environment.variables = { EDITOR = "vim"; };
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
|
|
|
@ -73,11 +73,12 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
services.redis.servers."".enable = true;
|
services.redis.servers."".enable = true;
|
||||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
|
||||||
|
|
||||||
services.nginx.virtualHosts."matrix.feal.no" = {
|
services.nginx.virtualHosts."matrix.feal.no" = {
|
||||||
enableACME = lib.mkForce false;
|
listen = [
|
||||||
forceSSL = lib.mkForce false;
|
{ addr = "192.168.10.175"; port = 43443; ssl = true; }
|
||||||
|
{ addr = "192.168.10.175"; port = 43080; ssl = false; }
|
||||||
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
}
|
}
|
|
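Review bot: Removing `enableACME = lib.mkForce false;` and `forceSSL = lib.mkForce false;` from `services.nginx.virtualHosts."matrix.feal.no"` while adding a `listen` entry with `ssl = true` on 43443 leaves the certificate source implicit: nothing in this hunk sets `enableACME`, `useACMEHost` or `sslCertificate`, and an ssl listener with no certificate makes nginx reject its configuration. Presumably the values these overrides were forcing off are supplied by the synapse module imported elsewhere; if so, say so next to the listen block, e.g. `# TLS/ACME for this vhost come from the matrix-synapse-next module; 43080/43443 are the externally forwarded ports`, otherwise set `enableACME = true; forceSSL = true;` here explicitly. The 43080 entry with `ssl = false` is the port the new nginx.nix marks as publicly exposed, so unless forceSSL is in effect for this vhost the Matrix client API is reachable over plaintext from outside. The enclosing attribute set begins before this hunk.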
@ -0,0 +1,30 @@
|
||||||
|
{ config, values, ... }:
|
||||||
|
{
|
||||||
|
services.nginx = {
|
||||||
|
enable = true;
|
||||||
|
enableReload = true;
|
||||||
|
|
||||||
|
recommendedProxySettings = true;
|
||||||
|
recommendedTlsSettings = true;
|
||||||
|
recommendedGzipSettings = true;
|
||||||
|
recommendedOptimisation = true;
|
||||||
|
|
||||||
|
defaultListen = [
|
||||||
|
{
|
||||||
|
addr = "192.168.10.175";
|
||||||
|
port = "80";
|
||||||
|
ssl = false;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.firewall.allowedTCPPorts = [
|
||||||
|
80 443 # Internal / Default
|
||||||
|
43080 43443 # External / Publicly exposed
|
||||||
|
];
|
||||||
|
|
||||||
|
security.acme = {
|
||||||
|
acceptTerms = true;
|
||||||
|
defaults.email = "felix@albrigtsen.it";
|
||||||
|
};
|
||||||
|
}
|
|
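Review bot: `port = "80";` inside `defaultListen` is a string, whereas the listen block added to the synapse vhost in this same commit uses an integer (`port = 43443;`); the nginx module's listen port option is a port type, so the string form is likely to fail evaluation and should read `port = 80;`. Beyond the type, this `defaultListen` is plaintext-only (`ssl = false`) with no 443 entry, so any vhost that does not override `listen` gets no TLS listener even if it sets `forceSSL`, while 443 is still opened in `allowedTCPPorts`; either add `{ addr = "192.168.10.175"; port = 443; ssl = true; }` or drop 443 from the firewall list. A plaintext port annotated `External / Publicly exposed` also deserves a comment stating that it exists only to redirect to 43443, if that is the intent, so the next reader does not open a cleartext service there.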
@ -1,40 +0,0 @@
|
||||||
{ config, pkgs, lib, modulesPath, ... }:
|
|
||||||
|
|
||||||
{
|
|
||||||
imports =
|
|
||||||
[
|
|
||||||
(modulesPath + "/virtualisation/proxmox-lxc.nix")
|
|
||||||
../../base.nix
|
|
||||||
../../common/metrics-exporters.nix
|
|
||||||
|
|
||||||
./services/nginx.nix
|
|
||||||
./services/postgresql.nix
|
|
||||||
./services/matrix-synapse.nix
|
|
||||||
];
|
|
||||||
|
|
||||||
# Boot and console is handled by proxmoxLXC.
|
|
||||||
boot.loader.systemd-boot.enable = lib.mkForce false; # Enabled in base.nix, forced off here.
|
|
||||||
|
|
||||||
# Override proxmox networking
|
|
||||||
proxmoxLXC.manageNetwork = true;
|
|
||||||
networking = {
|
|
||||||
hostName = "janeway";
|
|
||||||
defaultGateway = "192.168.10.1";
|
|
||||||
interfaces."eth0".ipv4 = {
|
|
||||||
addresses = [
|
|
||||||
{ address = "192.168.10.183"; prefixLength = 24; }
|
|
||||||
];
|
|
||||||
};
|
|
||||||
hostId = "bed956ff";
|
|
||||||
};
|
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
|
||||||
vim
|
|
||||||
bottom
|
|
||||||
];
|
|
||||||
|
|
||||||
sops.defaultSopsFile = ../../secrets/janeway/janeway.yaml;
|
|
||||||
|
|
||||||
system.stateVersion = "23.05";
|
|
||||||
}
|
|
||||||
|
|
|
@ -1,33 +0,0 @@
|
||||||
{ config, pkgs, ... }:
|
|
||||||
|
|
||||||
{
|
|
||||||
services.mx-puppet-discord = {
|
|
||||||
enable = true;
|
|
||||||
|
|
||||||
serviceDependencies = [
|
|
||||||
"matrix-synapse.service"
|
|
||||||
"postgresql.service"
|
|
||||||
];
|
|
||||||
|
|
||||||
settings = {
|
|
||||||
bridge = {
|
|
||||||
bindAddress = "localhost";
|
|
||||||
domain = "feal.no";
|
|
||||||
homeserverUrl = "https://matrix.feal.no";
|
|
||||||
# homeserverUrl = "http://127.0.1.2:8008";
|
|
||||||
|
|
||||||
port = 8434;
|
|
||||||
enableGroupSync = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
database.connString = "postgresql://mx-puppet-discord@localhost/mx-puppet-discord?sslmode=disable";
|
|
||||||
|
|
||||||
provisioning.whitelist = [ "@felixalb:feal\\.no" ];
|
|
||||||
relay.whitelist = [ ".*" ];
|
|
||||||
selfService.whitelist = [ "@felixalb:feal\\.no" ];
|
|
||||||
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services.matrix-synapse.settings.app_service_config_files = [ /var/lib/mx-puppet-discord/discord-registration.yaml ];
|
|
||||||
}
|
|
|
@ -1,19 +0,0 @@
|
||||||
{ config, values, ... }:
|
|
||||||
{
|
|
||||||
services.nginx = {
|
|
||||||
enable = true;
|
|
||||||
enableReload = true;
|
|
||||||
|
|
||||||
recommendedProxySettings = true;
|
|
||||||
recommendedTlsSettings = true;
|
|
||||||
recommendedGzipSettings = true;
|
|
||||||
recommendedOptimisation = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
|
||||||
|
|
||||||
/* security.acme = { */
|
|
||||||
/* acceptTerms = true; */
|
|
||||||
/* email = "felix@albrigtsen.it"; */
|
|
||||||
/* }; */
|
|
||||||
}
|
|
|
@ -0,0 +1,32 @@
|
||||||
|
matrix:
|
||||||
|
synapse:
|
||||||
|
registrationsecret: ENC[AES256_GCM,data:6gRW6t080VSyNRAmIrMqXL/oj7dj0JbcQekG3lac7zcdvJbgkUaqEGoWdrym2XiEOSLBOVMthnpLdalC2wcyJdmxB7xMNsYS4RfjR3PMKIo1Ap7JSmuKBl3eeaOalHk=,iv:dZl4/qFMoqEbSwL4JF/sjG21e6DuKVxbXwrGHkxfW4U=,tag:LWdCcmUUeTO4YAHkHOSJuw==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age128md9emufxu35kgww3a90sw40vvc60f5xul9n9ndvw4lfnj3ndaqq44u64
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhQXEzMHQzaTU2YW85Yjhh
|
||||||
|
eDZ1eG15UytULzhYaTBZemlRak5USmVrMlhRCmtOUmNqYS9xa0VHU2J1V0E0NjN0
|
||||||
|
ZDRhek9xNXJNY0FhZUJCVjJpYW1ZNHcKLS0tIER3OFlyV2Q3b2l0RkkzVkZMaHdt
|
||||||
|
MHI3WEV0RnZvWGw5a3BIV21kMlJxdU0Kpa1mjuwYoyk8Qfsst1k/pGGONYQf/sdZ
|
||||||
|
kfTZV2btleBISsP5aBDTF+I4AJZesumJuNVA0gPsI88GaQuf3rqb8w==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjRi9mRDMvcDhBN3RVcG90
|
||||||
|
Q2Y5NGhTVmVOaW9VRTl0R25QQXJsb2FQOTFrCnNsL0M2OTQ1KzJKSXJaVlVrL01v
|
||||||
|
R1RnOURGcDU3V2JldTdlRitQeDBIZE0KLS0tIHB2T3ZGQjZZRUlUL0FUSzhoZ1Ez
|
||||||
|
RXcvQU1JYnl0bUtocTZuNkRxcGQwR2MKnyAYtF2y7XBmNuIYi6RzqEJEPPg7B22A
|
||||||
|
fQVeDfIhiNSVva784KTU+y4TU1UPxumriRrLRFPF3h42ZEq2zQAgrQ==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2023-12-24T17:26:56Z"
|
||||||
|
mac: ENC[AES256_GCM,data:lj6GLwoKmDyZ7Gs7X4LOl531jHXn/yiollTFtKNTRfXKoayg40edWuyZR4eQBUWyjmznWeWSB7DT4L82S5DX6NNEqzBFMBlPFrz6DLDfWW/nMdmHW3l7tPxydm8BbmVi1kvp6W7JnHeA3dTaHyMaq5mwwPxhui64joN7964ABWA=,iv:TeESIqgS4ml7cYERq8+NItIjU+HLuxhXdzGMErcSrjg=,tag:fCIHhf77O6SjY9KjHVdrYw==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.8.1
|