machines: porthos: services: switch to agenix

The prep-work should be done now, time to hit the switch.
This commit is contained in:
Bruno BELANYI 2021-09-25 12:49:08 +02:00
parent c7766afe90
commit 7257f3156e
3 changed files with 26 additions and 58 deletions


@ -6,6 +6,7 @@
./boot.nix ./boot.nix
./hardware.nix ./hardware.nix
./networking.nix ./networking.nix
./secrets.nix
./services.nix ./services.nix
./users.nix ./users.nix
]; ];


@ -0,0 +1,8 @@
# Secrets configuration
{ ... }:
{
config.age.secrets = {
# Must be readable by the service
"nextcloud/password".owner = "nextcloud";
};
}
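Review bot: Only nextcloud/password gets an owner here, while services.nix in this same commit points paperless, podgrab, miniflux, grafana, transmission, lohr and others at `secrets."…".path` with no override; if any of those daemons runs under its own user and opens the file directly rather than through a root-run step, agenix's root-owned 0400 default would make the file unreadable, so the per-service ownership should be confirmed rather than assumed. The comment `# Must be readable by the service` could also say by which user and why nextcloud is the exception, e.g. `# Nextcloud opens this itself as the nextcloud user; agenix defaults to root-only 0400`. This file only sets the owner attribute, and the matching secret file declarations are presumably in a shared module that is not part of this commit.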


@ -1,7 +1,7 @@
# Deployed services # Deployed services
{ config, ... }: { config, ... }:
let let
my = config.my; secrets = config.age.secrets;
in in
{ {
# List services that you want to enable: # List services that you want to enable:
@ -19,11 +19,8 @@ in
OnActiveSec = "6h"; OnActiveSec = "6h";
OnUnitActiveSec = "6h"; OnUnitActiveSec = "6h";
}; };
# Insecure, I don't care. passwordFile = secrets."backup/password".path;
passwordFile = credentialsFile = secrets."backup/credentials".path;
builtins.toFile "password.txt" my.secrets.backup.password;
credentialsFile =
builtins.toFile "creds.env" my.secrets.backup.credentials;
}; };
# My blog and related hosts # My blog and related hosts
blog.enable = true; blog.enable = true;
@ -34,11 +31,8 @@ in
drone = { drone = {
enable = true; enable = true;
runners = [ "docker" "exec" ]; runners = [ "docker" "exec" ];
# Insecure, I don't care. secretFile = secrets."drone/gitea".path;
secretFile = sharedSecretFile = secrets."drone/secret".path;
builtins.toFile "gitea.env" my.secrets.drone.gitea;
sharedSecretFile =
builtins.toFile "rpc.env" my.secrets.drone.secret;
}; };
# Flood UI for transmission # Flood UI for transmission
flood = { flood = {
@ -56,41 +50,24 @@ in
# Gitea mirrorig service # Gitea mirrorig service
lohr = { lohr = {
enable = true; enable = true;
sharedSecretFile = sharedSecretFile = secrets."lohr/secret".path;
let
content = "LOHR_SECRET=${my.secrets.lohr.secret}";
in
builtins.toFile "lohr-secret.env" content;
}; };
# Matrix backend and Element chat front-end # Matrix backend and Element chat front-end
matrix = { matrix = {
enable = true; enable = true;
mailConfigFile = builtins.toFile "matrix-mail.yaml" '' mailConfigFile = secrets."matrix/mail".path;
email:
smtp_host: "smtp.migadu.com"
smtp_port: 587
smtp_user: "${my.secrets.matrix.mail.username}"
smtp_pass: "${my.secrets.matrix.mail.password}"
notif_from: "${my.secrets.matrix.mail.notifFrom}"
# Refuse to connect unless the server supports STARTTLS.
require_transport_security: true
'';
# Only necessary when doing the initial registration # Only necessary when doing the initial registration
# secret = "change-me"; # secret = "change-me";
}; };
miniflux = { miniflux = {
enable = true; enable = true;
credentialsFiles = builtins.toFile "miniflux-creds.txt" '' credentialsFiles = secrets."miniflux/credentials".path;
ADMIN_USERNAME=Ambroisie
ADMIN_PASSWORD=${my.secrets.miniflux.password}
'';
}; };
# Various monitoring dashboards # Various monitoring dashboards
monitoring = { monitoring = {
enable = true; enable = true;
grafana = { grafana = {
passwordFile = passwordFile = secrets."monitoring/password".path;
builtins.toFile "grafana.txt" my.secrets.monitoring.password; # Insecure, I don't care
}; };
}; };
# FLOSS music streaming server # FLOSS music streaming server
@ -101,24 +78,19 @@ in
# Nextcloud self-hosted cloud # Nextcloud self-hosted cloud
nextcloud = { nextcloud = {
enable = true; enable = true;
passwordFile = passwordFile = secrets."nextcloud/password".path;
builtins.toFile "nextcloud-pass.txt" my.secrets.nextcloud.password;
}; };
nginx = { nginx = {
enable = true; enable = true;
acme = { acme = {
credentialsFile = builtins.toFile "gandi-key.env" my.secrets.acme.key; credentialsFile = secrets."acme/dns-key".path;
}; };
sso = { sso = {
authKeyFile = secrets."sso/auth-key".path; authKeyFile = secrets."sso/auth-key".path;
users = { users = {
ambroisie = { ambroisie = {
passwordHashFile = builtins.toFile passwordHashFile = secrets."sso/ambroisie/password-hash".path;
"ambroisie-sso-pass.txt" totpSecretFile = secrets."sso/ambroisie/totp-secret".path;
my.secrets.sso.ambroisie.passwordHash;
totpSecretFile = builtins.toFile
"ambroisie-sso-totp.txt"
my.secrets.sso.ambroisie.totpSecret;
}; };
}; };
groups = { groups = {
@ -129,23 +101,15 @@ in
paperless = { paperless = {
enable = true; enable = true;
documentPath = "/data/media/paperless"; documentPath = "/data/media/paperless";
# Insecure, I don't care passwordFile = secrets."paperless/password".path;
passwordFile = secretKeyFile = secrets."paperless/secret-key".path;
builtins.toFile "paperless.env" my.secrets.paperless.password;
secretKeyFile = builtins.toFile "paperless-key.env" ''
PAPERLESS_SECRET_KEY=${my.secrets.paperless.secretKey}
'';
}; };
# The whole *arr software suite # The whole *arr software suite
pirate.enable = true; pirate.enable = true;
# Podcast automatic downloader # Podcast automatic downloader
podgrab = { podgrab = {
enable = true; enable = true;
passwordFile = passwordFile = secrets."podgrab/password".path;
let
contents = "PASSWORD=${my.secrets.podgrab.password}";
in
builtins.toFile "podgrab.env" contents;
port = 9598; port = 9598;
}; };
# Regular backups # Regular backups
@ -161,12 +125,7 @@ in
# Torrent client and webui # Torrent client and webui
transmission = { transmission = {
enable = true; enable = true;
credentialsFile = builtins.toFile "transmission-creds.txt" '' credentialsFile = secrets."transmission/credentials".path;
{
"rpc-username": "Ambroisie",
"rpc-password": "${my.secrets.transmission.password}"
}
'';
}; };
# Simple, in-kernel VPN # Simple, in-kernel VPN
wireguard = { wireguard = {
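Review bot: The new `secrets."…".path` references for lohr, matrix, miniflux, paperless secret-key, podgrab and transmission drop the only place where the required file format was visible: the removed side shows lohr expected an env file `LOHR_SECRET=…`, podgrab `PASSWORD=…`, paperless `PAPERLESS_SECRET_KEY=…`, transmission a JSON object with `rpc-username`/`rpc-password`, and matrix a YAML `email:` block that set `require_transport_security: true`. A decrypted file in the wrong shape now fails only at service start, and the STARTTLS requirement for matrix mail can no longer be checked at review time since it lives inside the encrypted blob. A one-line comment on each reference naming the expected contents would keep that reviewable, e.g. `# env file: LOHR_SECRET=<value>` on lohr and `# YAML email block; must keep require_transport_security: true` on matrix. The same applies to the other env-style secrets (drone gitea/secret, paperless password) whose format was also implied only by the removed `builtins.toFile` names.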