machines: porthos: services: switch to agenix

The prep-work should be done now, time to hit the switch.
This commit is contained in:
Bruno BELANYI 2021-09-25 12:49:08 +02:00
parent c7766afe90
commit 7257f3156e
3 changed files with 26 additions and 58 deletions

View file

@ -6,6 +6,7 @@
./boot.nix
./hardware.nix
./networking.nix
./secrets.nix
./services.nix
./users.nix
];

View file

@ -0,0 +1,8 @@
# Secrets configuration
{ ... }:
{
config.age.secrets = {
# Must be readable by the service
"nextcloud/password".owner = "nextcloud";
};
}

View file

@ -1,7 +1,7 @@
# Deployed services
{ config, ... }:
let
my = config.my;
secrets = config.age.secrets;
in
{
# List services that you want to enable:
@ -19,11 +19,8 @@ in
OnActiveSec = "6h";
OnUnitActiveSec = "6h";
};
# Insecure, I don't care.
passwordFile =
builtins.toFile "password.txt" my.secrets.backup.password;
credentialsFile =
builtins.toFile "creds.env" my.secrets.backup.credentials;
passwordFile = secrets."backup/password".path;
credentialsFile = secrets."backup/credentials".path;
};
# My blog and related hosts
blog.enable = true;
@ -34,11 +31,8 @@ in
drone = {
enable = true;
runners = [ "docker" "exec" ];
# Insecure, I don't care.
secretFile =
builtins.toFile "gitea.env" my.secrets.drone.gitea;
sharedSecretFile =
builtins.toFile "rpc.env" my.secrets.drone.secret;
secretFile = secrets."drone/gitea".path;
sharedSecretFile = secrets."drone/secret".path;
};
# Flood UI for transmission
flood = {
@ -56,41 +50,24 @@ in
# Gitea mirrorig service
lohr = {
enable = true;
sharedSecretFile =
let
content = "LOHR_SECRET=${my.secrets.lohr.secret}";
in
builtins.toFile "lohr-secret.env" content;
sharedSecretFile = secrets."lohr/secret".path;
};
# Matrix backend and Element chat front-end
matrix = {
enable = true;
mailConfigFile = builtins.toFile "matrix-mail.yaml" ''
email:
smtp_host: "smtp.migadu.com"
smtp_port: 587
smtp_user: "${my.secrets.matrix.mail.username}"
smtp_pass: "${my.secrets.matrix.mail.password}"
notif_from: "${my.secrets.matrix.mail.notifFrom}"
# Refuse to connect unless the server supports STARTTLS.
require_transport_security: true
'';
mailConfigFile = secrets."matrix/mail".path;
# Only necessary when doing the initial registration
# secret = "change-me";
};
miniflux = {
enable = true;
credentialsFiles = builtins.toFile "miniflux-creds.txt" ''
ADMIN_USERNAME=Ambroisie
ADMIN_PASSWORD=${my.secrets.miniflux.password}
'';
credentialsFiles = secrets."miniflux/credentials".path;
};
# Various monitoring dashboards
monitoring = {
enable = true;
grafana = {
passwordFile =
builtins.toFile "grafana.txt" my.secrets.monitoring.password; # Insecure, I don't care
passwordFile = secrets."monitoring/password".path;
};
};
# FLOSS music streaming server
@ -101,24 +78,19 @@ in
# Nextcloud self-hosted cloud
nextcloud = {
enable = true;
passwordFile =
builtins.toFile "nextcloud-pass.txt" my.secrets.nextcloud.password;
passwordFile = secrets."nextcloud/password".path;
};
nginx = {
enable = true;
acme = {
credentialsFile = builtins.toFile "gandi-key.env" my.secrets.acme.key;
credentialsFile = secrets."acme/dns-key".path;
};
sso = {
authKeyFile = secrets."sso/auth-key".path;
users = {
ambroisie = {
passwordHashFile = builtins.toFile
"ambroisie-sso-pass.txt"
my.secrets.sso.ambroisie.passwordHash;
totpSecretFile = builtins.toFile
"ambroisie-sso-totp.txt"
my.secrets.sso.ambroisie.totpSecret;
passwordHashFile = secrets."sso/ambroisie/password-hash".path;
totpSecretFile = secrets."sso/ambroisie/totp-secret".path;
};
};
groups = {
@ -129,23 +101,15 @@ in
paperless = {
enable = true;
documentPath = "/data/media/paperless";
# Insecure, I don't care
passwordFile =
builtins.toFile "paperless.env" my.secrets.paperless.password;
secretKeyFile = builtins.toFile "paperless-key.env" ''
PAPERLESS_SECRET_KEY=${my.secrets.paperless.secretKey}
'';
passwordFile = secrets."paperless/password".path;
secretKeyFile = secrets."paperless/secret-key".path;
};
# The whole *arr software suite
pirate.enable = true;
# Podcast automatic downloader
podgrab = {
enable = true;
passwordFile =
let
contents = "PASSWORD=${my.secrets.podgrab.password}";
in
builtins.toFile "podgrab.env" contents;
passwordFile = secrets."podgrab/password".path;
port = 9598;
};
# Regular backups
@ -161,12 +125,7 @@ in
# Torrent client and webui
transmission = {
enable = true;
credentialsFile = builtins.toFile "transmission-creds.txt" ''
{
"rpc-username": "Ambroisie",
"rpc-password": "${my.secrets.transmission.password}"
}
'';
credentialsFile = secrets."transmission/credentials".path;
};
# Simple, in-kernel VPN
wireguard = {