diff --git a/.sops.yaml b/.sops.yaml
index 4c42092..a716cb1 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -6,6 +6,7 @@ keys:
 - &host-tok-00 age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj
 - &host-la-00 age1fw2sqaa5s9c8ml6ncsexkj8ar4288387ju92ytjys4awf9aw6smqqz94dh
 - &host-massicot age1jle2auermhswqtehww9gqada8car5aczrx43ztzqf9wtcld0sfmqzaecta
+ - &host-weilite age17r3fxfmt6hgwe984w4lds9u0cnkf5ttq8hnqt800ayfmx7t8t5gqjddyml
 creation_rules:
 - path_regex: machines/calcite/secrets.yaml
 key_groups:
@@ -37,6 +38,11 @@ creation_rules:
 - age:
 - *xin
 - *host-la-00
+ - path-regex: machines/weilite/secrets.yaml
+ key_groups:
+ - age:
+ - *xin
+ - *host-weilite
 - path_regex: machines/secrets.yaml
 key_groups:
 - age:
@@ -53,4 +59,3 @@ creation_rules:
 - *xin
 - *host-raspite
 - *host-calcite
-
diff --git a/machines/weilite/default.nix b/machines/weilite/default.nix
index 83bd70b..0f6bf18 100644
--- a/machines/weilite/default.nix
+++ b/machines/weilite/default.nix
@@ -1,9 +1,10 @@
-{ config, pkgs, lib, modulesPath, ... }:
+{ inputs, config, pkgs, lib, modulesPath, ... }:
 with lib;
 {
 imports = [
+ inputs.sops-nix.nixosModules.sops
 (modulesPath + "/profiles/qemu-guest.nix")
 ];
@@ -30,10 +31,28 @@ with lib;
 pkgs.virtiofsd
 ];
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ secrets = {
+ cloudflare_dns_token = {
+ owner = "caddy";
+ mode = "400";
+ };
+ };
+ };
+
 systemd.mounts = [
- { what = "XinPhotos";
- where = "/mnt/XinPhotos";
+ { what = "immich";
+ where = "/mnt/XinPhotos/immich";
 type = "virtiofs";
+ options = "rw";
+ wantedBy = [ "immich-server.service" ];
+ }
+ { what = "originals";
+ where = "/mnt/XinPhotos/originals";
+ type = "virtiofs";
+ options = "ro,nodev,nosuid";
 wantedBy = [ "immich-server.service" ];
 }
 ];
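Review bot: The new creation rule is keyed `path-regex:` while every other rule in this file uses `path_regex:`, so sops will not see a path pattern for it; as far as I can tell sops ignores unknown keys in `.sops.yaml` and a rule with no `path_regex` matches every path. Because rules are matched first-wins in file order and this one sits above the `machines/secrets.yaml` rule, the next `sops updatekeys` on `machines/secrets.yaml` (and anything matched by the rules below it) would re-key that file to only `*xin` and `*host-weilite`, dropping the other hosts and giving the weilite host key access to the shared secrets. Change the line to `- path_regex: machines/weilite/secrets.yaml`. The new `secrets.yaml` in this commit having exactly those two recipients is consistent with the catch-all having matched, so the typo would not have shown up when the file was created.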
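Review bot: The new `immich` virtiofs mount is `rw` with no hardening flags, while the sibling `originals` mount added in the same hunk gets `ro,nodev,nosuid`; a writable share that only immich populates has no more need for device nodes or setuid binaries than the read-only one, so `options = "rw,nodev,nosuid";` (plus `noexec` unless something on the share must be executable) would be consistent. Separately, `owner = "caddy"` on the sops secret is not needed for the way it is consumed further down this file: as far as I know systemd reads an `EnvironmentFile` in the service manager before `User=` applies, so the file can stay root-owned with `mode = "400"` and the caddy user never needs direct read access to the token on disk. The `sops` and `systemd.mounts` attribute sets are complete within the hunk, but the enclosing module continues outside it.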
@@ -65,9 +84,30 @@ with lib;
 services.caddy = {
 enable = true;
+ package = pkgs.caddy.withPlugins {
+ caddyModules = [
+ { repo = "github.com/caddy-dns/cloudflare"; version = "89f16b99c18ef49c8bb470a82f895bce01cbaece"; }
+ ];
+ vendorHash = "sha256-fTcMtg5GGEgclIwJCav0jjWpqT+nKw2OF1Ow0MEEitk=";
+ };
 virtualHosts."weilite.coho-tet.ts.net:8080".extraConfig = ''
 reverse_proxy 127.0.0.1:${toString config.services.immich.port}
 '';
+ # API Token must be added in systemd environment file
+ virtualHosts."immich.xinyang.life:8000".extraConfig = ''
+ tls {
+ dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+ }
+ reverse_proxy 127.0.0.1:${toString config.services.immich.port}
+ '';
+ };
+
+ networking.firewall.allowedTCPPorts = [ 8000 ];
+
+ systemd.services.caddy = {
+ serviceConfig = {
+ EnvironmentFile = config.sops.secrets.cloudflare_dns_token.path;
+ };
 };
 time.timeZone = "Asia/Shanghai";
diff --git a/machines/weilite/secrets.yaml b/machines/weilite/secrets.yaml
new file mode 100644
index 0000000..02f78d6
--- /dev/null
+++ b/machines/weilite/secrets.yaml
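Review bot: Feeding the sops secret in through `EnvironmentFile` only works if the decrypted `cloudflare_dns_token` value is literally the line `CLOUDFLARE_API_TOKEN=<token>`, not the bare token; the comment `# API Token must be added in systemd environment file` does not say this, and as far as I know systemd skips a line with no `=`, which would leave `{env.CLOUDFLARE_API_TOKEN}` empty and make the DNS challenge fail at the first issuance or renewal. I would replace that comment with `# secrets.yaml must hold CLOUDFLARE_API_TOKEN=<token>; it is loaded as an EnvironmentFile below and used by the tls dns challenge`. The NixOS caddy module also has a `services.caddy.environmentFile` option for exactly this, which would keep the secret wiring next to the vhost that uses it instead of the separate `systemd.services.caddy` override — worth confirming your nixpkgs revision has it. Since this hunk also opens port 8000 on every interface, the token should be a Cloudflare API token scoped to `Zone.DNS:Edit` on that single zone, so a compromise of this VM cannot modify other zones or the account.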
@@ -0,0 +1,30 @@ +cloudflare_dns_token: ENC[AES256_GCM,data:m4euSkxxJmiMk9UPyeni/hwpl1W9A4MM0ssg71eOBsX4fFyG39NJeKbNTddW7omBx3gKJtnrRuDdOj5wpg==,iv:eRVzsGwz8hWC42jM+VeSUWCS9Gi8VGSY8Fyh+En0jEI=,tag:NNE8VeNQ8kp9KyziVokyuQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtYkRNYmtjUkpoOXhRY1Yz + UkxnSEJiSXRvMy9WQWx5R1VHYVlnL1R2Tm1jCk8yUi80MG9kTWtSRndXRThuVThv + bERaUGwzaVJDem9IeFFIb2hiT1ZjTzQKLS0tIHo4bDJQa2dVbTl1aWxyYVd6bkl0 + c0g5TW03TU51L1hiSk95S05Eaks5TEEKBfA6XNAtcl7bKgDyVmuO6M45x9IJ7gqV + Nd+BvOK+iomEubZqsyMPLM3NfOL1dwSOnmwSdUZasUzuGCaw6IdlOA== + -----END AGE ENCRYPTED FILE----- + - recipient: age17r3fxfmt6hgwe984w4lds9u0cnkf5ttq8hnqt800ayfmx7t8t5gqjddyml + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBZlVTY1hhcC95RExJL1Jn + blBncWxlWmxsQS8vQ3dhd1pXR1VCbXltUEQ4ClE0NEZweERYK3cyelpDRjkrNlBH + RHBIQTI0M2pnNm5qdnorNWFmMmd0ZFUKLS0tIEE4cFVteUZjT04wbk1RSWlmOU1P + V0thRjU4WGpQRGFpcnoxSjZTZHhTTkUKzNMHh9p7GUY3hL5XZ9S4x20CwaItsXFV + RKujsFVVBd8Kuq/jyOCBTRCscuHI4LW/wYeZYHFEZFSTK2liAqspgw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-07-29T09:05:41Z" + mac: ENC[AES256_GCM,data:4RX5WtJnI4R2OAKNljo8IhBNTR+PSSFsT4rE0mjS4pEdWyJilAgLwcVU0DEDp7thHeT+YyjDQ9d3z1aeGALlJ3sV57azu4F9/KXixvZMKJtmFRsC74OTSBzFfnA4W9MjOTn95L+RQOJ/3UH1FAZ7UHAe3Os98kNW98D/Nv4S9us=,iv:En7RNovlF1yRURu9fGHRgWvsr3FzpeLtrKELtqkJUb8=,tag:4eVlLsraN17rBbAL7xOHnQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0