diff --git a/.sops.yaml b/.sops.yaml index 63e67a7..b712e57 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -4,6 +4,7 @@ keys: - &host-raspite age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj - &host-dolomite00 age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx - &host-dolomite01 age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj + - &host-massicot age1jle2auermhswqtehww9gqada8car5aczrx43ztzqf9wtcld0sfmqzaecta creation_rules: - path_regex: machines/calcite/secrets.yaml key_groups: @@ -15,6 +16,12 @@ creation_rules: - age: - *xin - *host-raspite + - path_regex: machines/massicot/secrets.yaml + key_groups: + - age: + - *xin + - *host-massicot + - path_regex: machines/secrets.yaml key_groups: - age: diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix index 9b1dcd7..ab6a5f3 100644 --- a/machines/massicot/default.nix +++ b/machines/massicot/default.nix @@ -1,11 +1,25 @@ -{ config, libs, pkgs, ... }: +{ inputs, config, libs, pkgs, ... }: { imports = [ + inputs.sops-nix.nixosModules.sops ./hardware-configuration.nix ./networking.nix ./services.nix ]; + + sops = { + defaultSopsFile = ./secrets.yaml; + age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + secrets = { + storage_box_mount = { + owner = "root"; + }; + gts_env = { + owner = "gotosocial"; + }; + }; + }; boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.efiSysMountPoint = "/boot"; @@ -14,7 +28,14 @@ efiSupport = true; }; + fileSystems."/mnt/storage" = { + device = "//u380335-sub1.your-storagebox.de/u380335-sub1"; + fsType = "cifs"; + options = ["credentials=${config.sops.secrets.storage_box_mount.path}"]; + }; + environment.systemPackages = with pkgs; [ + cifs-utils git ]; @@ -59,5 +80,6 @@ commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; } ]; + } diff --git a/machines/massicot/networking.nix b/machines/massicot/networking.nix index 4aadb44..9588be9 100644 --- a/machines/massicot/networking.nix 
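Review bot: The new argument pattern on the first line of machines/massicot/default.nix keeps `libs`, which looks like a typo for `lib`; it is presumably unused in this file, which is the only reason the old line never failed, and the first reference to it will error with a missing module argument. `{ inputs, config, lib, pkgs, ... }:` is the likely intent. The sops block also says nothing about who consumes the two secrets; a comment above `secrets = {` such as `# storage_box_mount: mount.cifs credentials for the storage box; gts_env: environment file for gotosocial (services.nix)` would save the next reader a search. Decryption via `age.sshKeyPaths` presumes `/etc/ssh/ssh_host_ed25519_key` already exists when the activation script runs, so on a freshly installed host the key has to be generated before the first switch. The enclosing attribute set continues past the hunk.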
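Review bot: The `fileSystems."/mnt/storage"` entry makes the whole storage box readable by every local account: `options` sets only `credentials=`, no `uid=`, and no `file_mode`/`dir_mode`, so the mount is root-owned with mount.cifs's default modes (typically 0755 on a server without unix extensions), which exposes the forgejo repositories, gotosocial storage and conduit media to any unprivileged user or compromised service on the host. The per-share `fileSystems` block added in machines/massicot/services.nix has the same gap — `uid=${share},gid=${share}` sets the owner but leaves the mode at the default. Tighten both option lists, e.g. `options = [ "credentials=${config.sops.secrets.storage_box_mount.path}" "file_mode=0600" "dir_mode=0700" "nosuid" "nodev" ];` (0640/0750 where a group genuinely needs access), and consider dropping this whole-share mount if the services only ever use the per-share mounts. The enclosing attribute set continues past the hunk.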
+++ b/machines/massicot/networking.nix @@ -1,4 +1,4 @@ -{ +{ pkgs, ... }: { networking = { interfaces = { eth0.useDHCP = true; diff --git a/machines/massicot/secrets.yaml b/machines/massicot/secrets.yaml new file mode 100644 index 0000000..d2b0faa --- /dev/null +++ b/machines/massicot/secrets.yaml 
@@ -0,0 +1,31 @@
+storage_box_mount: ENC[AES256_GCM,data:9lOAL3tkfB0pN4/cuM4SX0xoMrW0UUEzTN8spw3MQ3BWrfsRc3Stsce3puXz1sRf,iv:7Q9wzpBgQ3tqcfy0n/c6Ya84Kg60nhR/e2H0pVntWsY=,tag:9a0xvNBGQpCvhxgmV3hrww==,type:str]
+gts_env: ENC[AES256_GCM,data:CKFKHXCJvTD0HFkVrBWhabcl/cloCT03qcZIc5JymiIAu+o6wef6gsQlkKP81vxC9S3XMYtLgXQ03D7Jetkfg+7nafF1+ogN,iv:/axRqZIatwYL++/KmBIievPPyKRkHGmVpgRe2Eet+fg=,tag:gwxyuePOYiD1vlSyq3yjXA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1aGRvUUtjcDU2bnhaNDJD
+ K3c5TnFJeHQzM2VpeHphR2dGeS9NYzcyYjJnCnNrQ3dxL1hqR2MyQXhldUZ1VEJp
+ N25nVHZ1QjRydW9hTWE5d0x2M2pPNkkKLS0tIFpiRW8rZ1Q1R1RCZGN1ZGs3ek45
+ UENaRjJPWFJqUlpzd3dHSC9pdnZ6STQKQaaY28FYUk3O9TTkX9LQTzlrqZVojgxY
+ M+N6LApfdoioQCmXduDbj18i0eUbECTBXR/uEFEIHbn6AJVD/vx7iw==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1jle2auermhswqtehww9gqada8car5aczrx43ztzqf9wtcld0sfmqzaecta
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRY0lIeE9tWDA3Q21IWk1E
+ YnlaQUJybFB2bmFpbG1UZ0UyNG16WkRkZlNVCmUySHVBcXpWekpVN3R5dGs5ODY1
+ V1ZlUk4zRSs1NkVjY3JSMVVQSXJ1OEkKLS0tIFMzeUNaYVpoNnV3TE1oamEwTEo2
+ dnFBa0lDWWZtS1BHdzBoVzNTaGNkSEEKi/W1n7RT8NpTp00SBMwxsUJAPDhumJ/i
+ V2VnaSNwouD3SswTcoBzqQpBP9XrqzjIYGke90ZODFQbMY9WDQ+O0g==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-12-15T13:06:05Z"
+ mac: ENC[AES256_GCM,data:ArxA3+i+W2hU0mpzjPqzBA1pQdZySwJ+LVAez2PWFMsrgT4QATi+KmlWWfuPBkOq/DYafAES8lTemDeuzuQl7bWZq06g3s35C8Q3D/TDUKFF3ALEL5grSxKTVzg4Npjc2q2OIOXrIp/j83Gn1lBuyBFg0YdGkJ+b/BmDGkTbyUg=,iv:8MB/+WklLsFTnlvxLyvCK8VUMNeXtaPTGXlp9hRGzOM=,tag:VbbnQfPewNGdrPqmZJSYlA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix
index 84322c1..48cbed2 100644
--- a/machines/massicot/services.nix
+++ b/machines/massicot/services.nix @@ -3,6 +3,23 @@ let kanidm_listen_port = 5324; in { + networking.firewall.allowedTCPPorts = [ 80 443 2222 8448 ]; + networking.firewall.allowedUDPPorts = [ 80 443 8448 ]; + + fileSystems = builtins.listToAttrs (map (share: { + name = "/mnt/storage/${share}"; + value = { + device = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}"; + fsType = "cifs"; + options = ["uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path}"]; + }; + }) [ "forgejo" "gotosocial" "conduit" ] ); + + system.activationScripts = { + conduit-media-link.text = '' + ln -snf /mnt/storage/conduit/media /var/lib/private/matrix-conduit/media + ''; + }; security.acme = { acceptTerms = true; certs."auth.xinyang.life" = { @@ -47,13 +64,19 @@ in oidc-idp-name = "Kanidm"; oidc-issuer = "https://auth.xinyang.life/oauth2/openid/gts"; oidc-client-id = "gts"; - oidc-client-secret = "QkqhD6kWj8QLACa51YyFttTfyGMkFyESPsSKzvGVT8WTs3J5"; oidc-link-existing = true; + storage-local-base-path = "/mnt/storage/gotosocial/storage"; }; + environmentFile = config.sops.secrets.gts_env.path; }; services.forgejo = { enable = true; + repositoryRoot = "/mnt/storage/forgejo/repositories"; + lfs = { + enable = true; + contentDir = "/mnt/storage/forgejo/lfs"; + }; settings = { service.DISABLE_REGISTRATION = true; server = { @@ -62,6 +85,8 @@ in BUILTIN_SSH_SERVER_USER = "git"; SSH_DOMAIN = "ssh.xinyang.life"; SSH_PORT = 2222; + LFS_MAX_FILE_SIZE = 10737418240; + LANDING_PAGE = "/explore/repos"; }; repository = { ENABLE_PUSH_CREATE_USER = true; @@ -125,11 +150,5 @@ in } } ''; - # - # respond `Hello World` - }; - - networking.firewall.allowedTCPPorts = [ 80 443 2222 8448 ]; - networking.firewall.allowedUDPPorts = [ 80 443 8448 ]; }
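Review bot: `system.activationScripts.conduit-media-link` runs `ln -snf` during activation, which happens before systemd has mounted `/mnt/storage/conduit` and, on a first deployment, before `/var/lib/private/matrix-conduit` exists, so the command fails with ENOENT until the service has started once; it also re-runs on every switch. A `systemd.tmpfiles.rules` entry, `"L+ /var/lib/private/matrix-conduit/media - - - - /mnt/storage/conduit/media"`, is the usual replacement for an activation script here and states the intent in one line. If the conduit unit is sandboxed (`ProtectSystem`, `ReadWritePaths`), the CIFS path will additionally need to be writable from inside the service — worth confirming on first start. The missing `file_mode`/`dir_mode` on the per-share `fileSystems` entries in this hunk is covered in the note on the default.nix `/mnt/storage` hunk. The attribute set opened by `in {` closes outside the hunk.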
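Review bot: Deleting the `oidc-client-secret` literal does not retire the credential: the removed value is still in git history and in the world-readable /nix/store of every earlier system generation on this host, so the Kanidm client secret for `gts` should be regenerated and the new value placed in `gts_env`, rather than the existing value moved over, followed by removing old generations and collecting garbage. A one-line comment next to `environmentFile = config.sops.secrets.gts_env.path;` recording that the secret was rotated would make that auditable. `storage-local-base-path`, `repositoryRoot` and `lfs.contentDir` now point into CIFS mounts; if the gotosocial and forgejo units carry `ProtectSystem = "strict"` hardening, those paths need to be listed in `ReadWritePaths`, which is worth verifying on first start. `services.gotosocial` begins outside the hunk and `services.forgejo` ends outside it.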
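Review bot: `LFS_MAX_FILE_SIZE = 10737418240;` is a magic number; `LFS_MAX_FILE_SIZE = 10 * 1024 * 1024 * 1024; # 10 GiB` (or just the `# 10 GiB` comment) makes the limit obvious at a glance. A per-file limit this large is a deliberate capacity decision and is defensible with `service.DISABLE_REGISTRATION = true` set earlier in the file, but a short comment tying it to the CIFS-backed `lfs.contentDir` would record why it was chosen. The `server` attribute set begins and ends outside the hunk.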