massicot: add storage-box as extra storage

.sops.yaml

@@ -4,6 +4,7 @@ keys:
   - &host-raspite age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj
   - &host-dolomite00 age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx
   - &host-dolomite01 age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj
+  - &host-massicot age1jle2auermhswqtehww9gqada8car5aczrx43ztzqf9wtcld0sfmqzaecta
 creation_rules:
   - path_regex: machines/calcite/secrets.yaml
     key_groups:
@@ -15,6 +16,12 @@ creation_rules:
     - age:
       - *xin
       - *host-raspite
+  - path_regex: machines/massicot/secrets.yaml
+    key_groups:
+    - age:
+      - *xin
+      - *host-massicot
+
   - path_regex: machines/secrets.yaml
     key_groups:
     - age:

machines/massicot/default.nix

@@ -1,11 +1,25 @@
-{ config, libs, pkgs, ... }:
+{ inputs, config, libs, pkgs, ... }:
 
 {
   imports = [
+    inputs.sops-nix.nixosModules.sops
     ./hardware-configuration.nix
     ./networking.nix
     ./services.nix
   ];
+  
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    secrets = {
+      storage_box_mount = {
+        owner = "root";
+      };
+      gts_env = {
+        owner = "gotosocial";
+      };
+    };
+  };
 
   boot.loader.efi.canTouchEfiVariables = true;
   boot.loader.efi.efiSysMountPoint = "/boot";
@@ -14,7 +28,14 @@
     efiSupport = true;
   };
 
+  fileSystems."/mnt/storage" = {
+    device = "//u380335-sub1.your-storagebox.de/u380335-sub1";
+    fsType = "cifs";
+    options = ["credentials=${config.sops.secrets.storage_box_mount.path}"];
+  };
+
   environment.systemPackages = with pkgs; [
+    cifs-utils
     git
   ];
 
@@ -59,5 +80,6 @@
       commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ];
     }
   ];
+
   
 }

machines/massicot/networking.nix

@@ -1,4 +1,4 @@
-{
+{ pkgs, ... }: {
   networking = {
     interfaces = {
       eth0.useDHCP = true;

machines/massicot/secrets.yaml

@@ -0,0 +1,31 @@
+storage_box_mount: ENC[AES256_GCM,data:9lOAL3tkfB0pN4/cuM4SX0xoMrW0UUEzTN8spw3MQ3BWrfsRc3Stsce3puXz1sRf,iv:7Q9wzpBgQ3tqcfy0n/c6Ya84Kg60nhR/e2H0pVntWsY=,tag:9a0xvNBGQpCvhxgmV3hrww==,type:str]
+gts_env: ENC[AES256_GCM,data:CKFKHXCJvTD0HFkVrBWhabcl/cloCT03qcZIc5JymiIAu+o6wef6gsQlkKP81vxC9S3XMYtLgXQ03D7Jetkfg+7nafF1+ogN,iv:/axRqZIatwYL++/KmBIievPPyKRkHGmVpgRe2Eet+fg=,tag:gwxyuePOYiD1vlSyq3yjXA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1aGRvUUtjcDU2bnhaNDJD
+            K3c5TnFJeHQzM2VpeHphR2dGeS9NYzcyYjJnCnNrQ3dxL1hqR2MyQXhldUZ1VEJp
+            N25nVHZ1QjRydW9hTWE5d0x2M2pPNkkKLS0tIFpiRW8rZ1Q1R1RCZGN1ZGs3ek45
+            UENaRjJPWFJqUlpzd3dHSC9pdnZ6STQKQaaY28FYUk3O9TTkX9LQTzlrqZVojgxY
+            M+N6LApfdoioQCmXduDbj18i0eUbECTBXR/uEFEIHbn6AJVD/vx7iw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1jle2auermhswqtehww9gqada8car5aczrx43ztzqf9wtcld0sfmqzaecta
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRY0lIeE9tWDA3Q21IWk1E
+            YnlaQUJybFB2bmFpbG1UZ0UyNG16WkRkZlNVCmUySHVBcXpWekpVN3R5dGs5ODY1
+            V1ZlUk4zRSs1NkVjY3JSMVVQSXJ1OEkKLS0tIFMzeUNaYVpoNnV3TE1oamEwTEo2
+            dnFBa0lDWWZtS1BHdzBoVzNTaGNkSEEKi/W1n7RT8NpTp00SBMwxsUJAPDhumJ/i
+            V2VnaSNwouD3SswTcoBzqQpBP9XrqzjIYGke90ZODFQbMY9WDQ+O0g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-12-15T13:06:05Z"
+    mac: ENC[AES256_GCM,data:ArxA3+i+W2hU0mpzjPqzBA1pQdZySwJ+LVAez2PWFMsrgT4QATi+KmlWWfuPBkOq/DYafAES8lTemDeuzuQl7bWZq06g3s35C8Q3D/TDUKFF3ALEL5grSxKTVzg4Npjc2q2OIOXrIp/j83Gn1lBuyBFg0YdGkJ+b/BmDGkTbyUg=,iv:8MB/+WklLsFTnlvxLyvCK8VUMNeXtaPTGXlp9hRGzOM=,tag:VbbnQfPewNGdrPqmZJSYlA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

machines/massicot/services.nix

@@ -3,6 +3,23 @@ let
   kanidm_listen_port = 5324;
 in
 {
+  networking.firewall.allowedTCPPorts = [ 80 443 2222 8448 ];
+  networking.firewall.allowedUDPPorts = [ 80 443 8448 ];
+
+  fileSystems = builtins.listToAttrs (map (share: {
+    name = "/mnt/storage/${share}";
+    value = { 
+      device = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}";
+      fsType = "cifs";
+      options = ["uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path}"];
+    };
+  }) [ "forgejo" "gotosocial" "conduit" ] );
+
+  system.activationScripts = {
+    conduit-media-link.text = ''
+      ln -snf /mnt/storage/conduit/media /var/lib/private/matrix-conduit/media
+    '';
+  };
   security.acme = {
     acceptTerms = true;
     certs."auth.xinyang.life" = {
@@ -47,13 +64,19 @@ in
       oidc-idp-name = "Kanidm";
       oidc-issuer = "https://auth.xinyang.life/oauth2/openid/gts";
       oidc-client-id = "gts";
-      oidc-client-secret = "QkqhD6kWj8QLACa51YyFttTfyGMkFyESPsSKzvGVT8WTs3J5";
       oidc-link-existing = true;
+      storage-local-base-path = "/mnt/storage/gotosocial/storage";
     };
+    environmentFile = config.sops.secrets.gts_env.path;
   };
 
   services.forgejo = {
     enable = true;
+    repositoryRoot = "/mnt/storage/forgejo/repositories";
+    lfs = {
+      enable = true;
+      contentDir = "/mnt/storage/forgejo/lfs";
+    };
     settings = {
       service.DISABLE_REGISTRATION = true;
       server = {
@@ -62,6 +85,8 @@ in
         BUILTIN_SSH_SERVER_USER = "git";
         SSH_DOMAIN = "ssh.xinyang.life";
         SSH_PORT = 2222;
+        LFS_MAX_FILE_SIZE = 10737418240;
+        LANDING_PAGE = "/explore/repos";
       };
       repository = {
         ENABLE_PUSH_CREATE_USER = true;
@@ -125,11 +150,5 @@ in
           }
       }
     '';
-    # 
-    # respond `Hello World`
-
   };
-
-  networking.firewall.allowedTCPPorts = [ 80 443 2222 8448 ];
-  networking.firewall.allowedUDPPorts = [ 80 443 8448 ];
 }