From bc9f3f9951f59eb4546734c99e95f2873f42f533 Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Mon, 23 Sep 2024 16:57:09 +0200 Subject: [PATCH 01/48] feat(hosts): Added new `OVHCloud` basic host config --- flake.nix | 8 ++++ hosts/OVHCloud/default.nix | 25 +++++++++++ hosts/OVHCloud/disko-config.nix | 54 +++++++++++++++++++++++ hosts/OVHCloud/hardware-configuration.nix | 11 +++++ 4 files changed, 98 insertions(+) create mode 100644 hosts/OVHCloud/default.nix create mode 100644 hosts/OVHCloud/disko-config.nix create mode 100644 hosts/OVHCloud/hardware-configuration.nix diff --git a/flake.nix b/flake.nix index d0074b1..b38ae73 100644 --- a/flake.nix +++ b/flake.nix @@ -47,6 +47,14 @@ home-manager.nixosModules.home-manager ]; }; + + OVHCloud = nixpkgs.lib.nixosSystem { + extraArgs = {inherit inputs;}; + modules = [ + ./hosts/OVHCloud + disko.nixosModules.disko + ]; + }; }; homeConfigurations = { diff --git a/hosts/OVHCloud/default.nix b/hosts/OVHCloud/default.nix new file mode 100644 index 0000000..d37609a --- /dev/null +++ b/hosts/OVHCloud/default.nix @@ -0,0 +1,25 @@ +{pkgs, ...}: { + imports = [ + ./hardware-configuration.nix + ]; + + # Nix + nix.settings.experimental-features = ["nix-command" "flakes"]; + + # Set your time zone. + time.timeZone = "Europe/Paris"; + + # Enable the OpenSSH daemon. + services.openssh = { + enable = true; + ports = [22]; + settings = { + PasswordAuthentication = false; + }; + }; + + environment.systemPackages = with pkgs; [ + helix + git + ]; +} diff --git a/hosts/OVHCloud/disko-config.nix b/hosts/OVHCloud/disko-config.nix new file mode 100644 index 0000000..8f36ed4 --- /dev/null +++ b/hosts/OVHCloud/disko-config.nix 
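Review bot: The sshd block in hosts/OVHCloud/default.nix disables password authentication but leaves keyboard-interactive authentication and root login at NixOS defaults, so the intended key-only policy is implied rather than stated. Add `KbdInteractiveAuthentication = false;` and an explicit `PermitRootLogin = "prohibit-password";` beside `PasswordAuthentication = false;` so the policy survives a change of upstream defaults and is visible to whoever reads this host config. The `ports = [22]` line restates the default and also auto-opens 22 in the firewall via `services.openssh.openFirewall`, which is worth a one-line comment since a later firewall rule for 22 would otherwise look like the only thing exposing it.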
@@ -0,0 +1,54 @@ +{lib, ...}: { + disko.devices = { + disk.disk1 = { + device = lib.mkDefault "/dev/sda"; + type = "disk"; + content = { + type = "gpt"; + partitions = { + boot = { + name = "boot"; + size = "1M"; + type = "EF02"; + }; + esp = { + name = "ESP"; + size = "500M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + }; + root = { + name = "root"; + size = "100%"; + content = { + type = "lvm_pv"; + vg = "pool"; + }; + }; + }; + }; + }; + lvm_vg = { + pool = { + type = "lvm_vg"; + lvs = { + root = { + size = "100%FREE"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + mountOptions = [ + "defaults" + ]; + }; + }; + }; + }; + }; + }; +} diff --git a/hosts/OVHCloud/hardware-configuration.nix b/hosts/OVHCloud/hardware-configuration.nix new file mode 100644 index 0000000..1cd7099 --- /dev/null +++ b/hosts/OVHCloud/hardware-configuration.nix @@ -0,0 +1,11 @@ +{modulesPath, ...}: { + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ./disko-config.nix + ]; + + boot.loader.grub = { + efiSupport = true; + efiInstallAsRemovable = true; + }; +} From 12c5ebb13dfb20f425a6c67cb4b43ca8e1d758c3 Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Mon, 23 Sep 2024 16:58:45 +0200 Subject: [PATCH 02/48] chore(flake): Added `deploy-rs` input --- flake.lock | 74 +++++++++++++++++++++++++++++++++++++++++++++++++++++- flake.nix | 5 ++++ 2 files changed, 78 insertions(+), 1 deletion(-) diff --git a/flake.lock b/flake.lock index 49b196e..7f2a249 100644 --- a/flake.lock +++ b/flake.lock 
@@ -37,6 +37,28 @@ "type": "github" } }, + "deploy-rs": { + "inputs": { + "flake-compat": "flake-compat", + "nixpkgs": [ + "nixpkgs" + ], + "utils": "utils" + }, + "locked": { + "lastModified": 1718194053, + "narHash": "sha256-FaGrf7qwZ99ehPJCAwgvNY5sLCqQ3GDiE/6uLhxxwSY=", + "owner": "serokell", + "repo": "deploy-rs", + "rev": "3867348fa92bc892eba5d9ddb2d7a97b9e127a8a", + "type": "github" + }, + "original": { + "owner": "serokell", + "repo": "deploy-rs", + "type": "github" + } + }, "disko": { "inputs": { "nixpkgs": [ @@ -77,6 +99,22 @@ "type": "github" } }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ @@ -155,7 +193,7 @@ "hyprutils": "hyprutils", "hyprwayland-scanner": "hyprwayland-scanner", "nixpkgs": "nixpkgs", - "systems": "systems", + "systems": "systems_2", "xdph": "xdph" }, "locked": { @@ -324,6 +362,7 @@ }, "root": { "inputs": { + "deploy-rs": "deploy-rs", "disko": "disko", "end-rs": "end-rs", "home-manager": "home-manager", @@ -336,6 +375,21 @@ } }, "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { "locked": { "lastModified": 1689347949, "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", 
@@ -350,6 +404,24 @@ "type": "github" } }, + "utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1701680307, + "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "xdph": { "inputs": { "hyprland-protocols": "hyprland-protocols", diff --git a/flake.nix b/flake.nix index b38ae73..8aaeeb6 100644 --- a/flake.nix +++ b/flake.nix @@ -13,6 +13,11 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + deploy-rs = { + url = "github:serokell/deploy-rs"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + # Hyprland hyprland = { url = "git+https://github.com/hyprwm/Hyprland?submodules=1"; From fa927492aa0ee3433a30ea3139c83eb309bed465 Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Mon, 23 Sep 2024 17:27:19 +0200 Subject: [PATCH 03/48] chore(flake): Added deploy-rs config for OVHCloud --- flake.nix | 14 ++++++++++++++ hosts/OVHCloud/default.nix | 8 +++++++- 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index 8aaeeb6..edd8f62 100644 --- a/flake.nix +++ b/flake.nix @@ -37,6 +37,7 @@ self, nixpkgs, disko, + deploy-rs, home-manager, ... } @ inputs: let @@ -82,6 +83,19 @@ }; }; + deploy.nodes.OVHCloud = { + hostname = "gasdev.fr"; + profiles.system = { + user = "root"; + sshUser = "root"; + sshOpts = ["-p" "22"]; + sudo = ""; + path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.OVHCloud; + }; + }; + + checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib; + devShells.${system}.default = pkgs.mkShell { nativeBuildInputs = with pkgs; [ git diff --git a/hosts/OVHCloud/default.nix b/hosts/OVHCloud/default.nix index d37609a..e129578 100644 --- a/hosts/OVHCloud/default.nix +++ b/hosts/OVHCloud/default.nix 
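Review bot: The deploy-rs node in flake.nix activates the system as `root` over SSH to `gasdev.fr`, a name resolved by DNS, with nothing in `sshOpts` pinning the server's host key, so a first deploy from a fresh machine trusts whatever key answers on that name. Consider `sshOpts = ["-p" "22" "-o" "StrictHostKeyChecking=yes"];` with the host key pre-seeded in known_hosts, and a short comment above the node saying where the key is recorded. Note also that `sudo = ""` is only correct while `sshUser` stays `root`; if a non-root deploy user is introduced later the default `sudo -u` wrapper must be restored or activation will presumably fail partway through.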
@@ -1,4 +1,10 @@ -{pkgs, ...}: { +{ + pkgs, + lib, + ... +}: { + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + imports = [ ./hardware-configuration.nix ]; From fde946b371fe91e2cc5831f7bd74c039fabb68cf Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Tue, 24 Sep 2024 10:13:04 +0200 Subject: [PATCH 04/48] chore(OVHCloud): Added authorized ssh key for root user --- hosts/OVHCloud/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hosts/OVHCloud/default.nix b/hosts/OVHCloud/default.nix index e129578..ef53cd4 100644 --- a/hosts/OVHCloud/default.nix +++ b/hosts/OVHCloud/default.nix @@ -23,6 +23,9 @@ PasswordAuthentication = false; }; }; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQyRXFQ6iA5p0vDuoGSHZfajiVZPAGIyqhTziM7QgBV gaspard@nixos" + ]; environment.systemPackages = with pkgs; [ helix From 3e3d45f18bd7982dff435529d4d32b57d48122a0 Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Tue, 24 Sep 2024 10:18:30 +0200 Subject: [PATCH 05/48] docs: Added docs for OVHCloud config deployment procedure --- docs/gasdev.md | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 docs/gasdev.md diff --git a/docs/gasdev.md b/docs/gasdev.md new file mode 100644 index 0000000..ba596a2 --- /dev/null +++ b/docs/gasdev.md 
@@ -0,0 +1,33 @@ +# Gasdev infrastructure + +## Initial installation + +Cloud providers not always provide a NixOS install option, so I use [nixos-anywhere](https://github.com/nix-community/nixos-anywhere) for remote NixOS installation using SSH + +### Kexec installation + +As specified in [nixos-images](https://github.com/nix-community/nixos-images#kexec-tarballs): + +```sh +# Run as root +curl -L https://github.com/nix-community/nixos-images/releases/download/nixos-unstable/nixos-kexec-installer-noninteractive-x86_64-linux.tar.gz | tar -xzf- -C /root +/root/kexec/run +``` + +The machine will restart in a new NixOS installation. The existing SSH keys are copied to the new installation's _root_ user. + +### NixOS-everywhere + +```sh +nix run github:nix-community/nixos-anywhere -- --flake .# root@ +``` + +## Deploy configuration + +In order to deploy new configuration changes after the initial NixOS installation, I use [deploy-rs](https://github.com/serokell/deploy-rs). It requires a properly set-up **ssh-agent** and SSH keys being installed on the **gaspard** user. + +Then you can deploy the new configuration: + +```sh +nix run github:serokell/deploy-rs .# +``` From 7f5dcd9190e30278109bca51410e20e1e89ba583 Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Tue, 24 Sep 2024 10:20:26 +0200 Subject: [PATCH 06/48] docs: Fix ssh user instruction --- docs/gasdev.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/gasdev.md b/docs/gasdev.md index ba596a2..4cec2d9 100644 --- a/docs/gasdev.md +++ b/docs/gasdev.md 
@@ -24,7 +24,7 @@ nix run github:nix-community/nixos-anywhere -- --flake .# ro ## Deploy configuration -In order to deploy new configuration changes after the initial NixOS installation, I use [deploy-rs](https://github.com/serokell/deploy-rs). It requires a properly set-up **ssh-agent** and SSH keys being installed on the **gaspard** user. +In order to deploy new configuration changes after the initial NixOS installation, I use [deploy-rs](https://github.com/serokell/deploy-rs). It requires a properly set-up **ssh-agent** and SSH keys being installed on the **root** user. Then you can deploy the new configuration: From b8345d5e0666570d5d228f0e44322115c71a35a9 Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Thu, 26 Sep 2024 10:17:09 +0200 Subject: [PATCH 07/48] feat(OVHCloud): Added normal user config --- flake.nix | 1 + hosts/OVHCloud/default.nix | 37 +++++++++++++++++++++++++++++++++++++ 2 files changed, 38 insertions(+) diff --git a/flake.nix b/flake.nix index edd8f62..87020f8 100644 --- a/flake.nix +++ b/flake.nix @@ -59,6 +59,7 @@ modules = [ ./hosts/OVHCloud disko.nixosModules.disko + home-manager.nixosModules.home-manager ]; }; }; diff --git a/hosts/OVHCloud/default.nix b/hosts/OVHCloud/default.nix index ef53cd4..7906b15 100644 --- a/hosts/OVHCloud/default.nix +++ b/hosts/OVHCloud/default.nix @@ -1,4 +1,6 @@ { + inputs, + config, pkgs, lib, ... 
@@ -31,4 +33,39 @@ helix git ]; + + # User config + users.groups.gaspard = { + name = "gaspard"; + }; + users.users.gaspard = { + isNormalUser = true; + extraGroups = [ + "wheel" + ]; + group = "gaspard"; + openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys; + }; + + home-manager = { + extraSpecialArgs = {inherit inputs;}; + users = { + # FIX: No user config file + "gaspard" = { + home.username = "gaspard"; + home.homeDirectory = "/home/gaspard"; + home.stateVersion = "24.05"; + + programs.home-manager.enable = true; + programs.direnv.enable = true; + + imports = [ + ../../shell + ../../editor + ]; + }; + }; + }; + + system.stateVersion = "24.11"; } From 9600f18ada57138e1f535008724485f4f6b5dd8c Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Thu, 26 Sep 2024 10:24:32 +0200 Subject: [PATCH 08/48] feat(OVHCloud -> hw-config): Added simple firewall config Using nftables --- hosts/OVHCloud/hardware-configuration.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/hosts/OVHCloud/hardware-configuration.nix b/hosts/OVHCloud/hardware-configuration.nix index 1cd7099..4abba82 100644 --- a/hosts/OVHCloud/hardware-configuration.nix +++ b/hosts/OVHCloud/hardware-configuration.nix @@ -8,4 +8,11 @@ efiSupport = true; efiInstallAsRemovable = true; }; + + # Firewall + networking.nftables.enable = true; + networking.firewall = { + enable = true; + allowedTCPPorts = [22 80 443]; + }; } From 5bff8ead3b454029a558c6fde1b9815571af5afc Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Thu, 26 Sep 2024 10:31:34 +0200 Subject: [PATCH 09/48] feat: Added `deploy-rs` to devShell environment --- docs/gasdev.md | 2 +- flake.nix | 7 ++++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/docs/gasdev.md b/docs/gasdev.md index 4cec2d9..1c94edb 100644 --- a/docs/gasdev.md +++ b/docs/gasdev.md 
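Review bot: `users.users.gaspard` is placed in `wheel` but has no `hashedPassword`/`hashedPasswordFile`, and `security.sudo.wheelNeedsPassword` is left at its default, so sudo will prompt for a password that does not exist and the account cannot actually escalate. The tempting fix, `security.sudo.wheelNeedsPassword = false;`, would make every key in `config.users.users.root.openssh.authorizedKeys.keys` (which this user copies) equivalent to passwordless root; prefer a password hash delivered from a secret store (`users.users.gaspard.hashedPasswordFile = …`) or an explicit, commented decision. A smaller inconsistency: `home.stateVersion = "24.05"` sits next to `system.stateVersion = "24.11"` on a host that never had a 24.05 generation, which deserves a comment if intentional.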
@@ -29,5 +29,5 @@ In order to deploy new configuration changes after the initial NixOS installatio Then you can deploy the new configuration: ```sh -nix run github:serokell/deploy-rs .# +deploy .# ``` diff --git a/flake.nix b/flake.nix index 87020f8..69db95c 100644 --- a/flake.nix +++ b/flake.nix @@ -98,12 +98,13 @@ checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib; devShells.${system}.default = pkgs.mkShell { - nativeBuildInputs = with pkgs; [ + packages = with pkgs; [ + alejandra git helix - pkgs.home-manager - alejandra nil + pkgs.home-manager + pkgs.deploy-rs ]; shellHook = '' From 64dcc1d1565e832f96da41b6efec6c645048ed65 Mon Sep 17 00:00:00 2001 From: Updater Date: Thu, 26 Sep 2024 11:49:20 +0200 Subject: [PATCH 10/48] chore(flake): Added `nixos-caddy-ovh` input --- flake.lock | 21 +++++++++++++++++++++ flake.nix | 5 +++++ 2 files changed, 26 insertions(+) diff --git a/flake.lock b/flake.lock index 7f2a249..6c8f6c5 100644 --- a/flake.lock +++ b/flake.lock @@ -37,6 +37,26 @@ "type": "github" } }, + "caddy": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1727343602, + "narHash": "sha256-V1HAB1p11dcUyurJAB60tcgn4Su2gPoPJ6dZqmCDfiE=", + "owner": "GaspardCulis", + "repo": "nixos-caddy-ovh", + "rev": "df515b6bfd497de2d150867c4c13aab1e3d011ce", + "type": "github" + }, + "original": { + "owner": "GaspardCulis", + "repo": "nixos-caddy-ovh", + "type": "github" + } + }, "deploy-rs": { "inputs": { "flake-compat": "flake-compat", @@ -362,6 +382,7 @@ }, "root": { "inputs": { + "caddy": "caddy", "deploy-rs": "deploy-rs", "disko": "disko", "end-rs": "end-rs", diff --git a/flake.nix b/flake.nix index 69db95c..acb5cb0 100644 --- a/flake.nix +++ b/flake.nix @@ -8,6 +8,11 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + caddy = { + url = "github:GaspardCulis/nixos-caddy-ovh"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + disko = { url = "github:nix-community/disko"; inputs.nixpkgs.follows = "nixpkgs"; 
From 86a896c688d4499814b2282d896d2459f1e39835 Mon Sep 17 00:00:00 2001 From: Updater Date: Thu, 26 Sep 2024 11:50:00 +0200 Subject: [PATCH 11/48] feat(OVHCloud): Added simple caddy config --- hosts/OVHCloud/hardware-configuration.nix | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/hosts/OVHCloud/hardware-configuration.nix b/hosts/OVHCloud/hardware-configuration.nix index 4abba82..fdd1034 100644 --- a/hosts/OVHCloud/hardware-configuration.nix +++ b/hosts/OVHCloud/hardware-configuration.nix @@ -1,4 +1,9 @@ -{modulesPath, ...}: { +{ + modulesPath, + inputs, + pkgs, + ... +}: { imports = [ (modulesPath + "/profiles/qemu-guest.nix") ./disko-config.nix @@ -15,4 +20,13 @@ enable = true; allowedTCPPorts = [22 80 443]; }; + + # Proxy + services.caddy = { + enable = true; + package = inputs.caddy.packages.${pkgs.system}.caddy; + virtualHosts."localhost".extraConfig = '' + respond "Hello, world!" + ''; + }; } From a9e075ed8c51bc6fc5704ea53a8e722379457d6f Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Thu, 26 Sep 2024 14:09:28 +0200 Subject: [PATCH 12/48] chore(flake): Added `sops-nix` input --- flake.lock | 40 +++++++++++++++++++++++++++++++++++++++- flake.nix | 7 +++++++ 2 files changed, 46 insertions(+), 1 deletion(-) diff --git a/flake.lock b/flake.lock index 6c8f6c5..97c1507 100644 --- a/flake.lock +++ b/flake.lock @@ -364,6 +364,22 @@ "type": "github" } }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1725762081, + "narHash": "sha256-vNv+aJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "dc454045f5b5d814e5862a6d057e7bb5c29edc05", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs_2": { "locked": { "lastModified": 1726243404, 
@@ -392,7 +408,29 @@ "hy3", "hyprland" ], - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_2", + "sops-nix": "sops-nix" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1726524647, + "narHash": "sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "e2d404a7ea599a013189aa42947f66cede0645c8", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" } }, "systems": { diff --git a/flake.nix b/flake.nix index acb5cb0..bd1e8a0 100644 --- a/flake.nix +++ b/flake.nix @@ -23,6 +23,11 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + sops-nix = { + url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + # Hyprland hyprland = { url = "git+https://github.com/hyprwm/Hyprland?submodules=1"; @@ -43,6 +48,7 @@ nixpkgs, disko, deploy-rs, + sops-nix, home-manager, ... } @ inputs: let @@ -64,6 +70,7 @@ modules = [ ./hosts/OVHCloud disko.nixosModules.disko + sops-nix.nixosModules.sops home-manager.nixosModules.home-manager ]; }; From 84225a9a7151bd8e728726fffd495d69f9c49ae5 Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Thu, 26 Sep 2024 16:06:14 +0200 Subject: [PATCH 13/48] feat(OVHCloud): Added sops configuration with test secrets file --- .sops.yaml | 10 ++++++++++ hosts/OVHCloud/default.nix | 1 + hosts/OVHCloud/sops.nix | 23 +++++++++++++++++++++++ secrets/OVHCloud.yaml | 34 ++++++++++++++++++++++++++++++++++ 4 files changed, 68 insertions(+) create mode 100644 .sops.yaml create mode 100644 hosts/OVHCloud/sops.nix create mode 100644 secrets/OVHCloud.yaml diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..66469cf --- /dev/null +++ b/.sops.yaml 
@@ -0,0 +1,10 @@ +keys: + - &admin_gaspard age1rgu2e75kt4uztr43y6wj70uz2sj3tr9lz58y4h6rk37alq2vwa5q9v35dr + - &server_ovh age1th4zyxdg3y5sdza9v3zlezzru7wyqwvk5y0t7jdv97ej3gd6d5hs5mg7cr +creation_rules: + - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$ + key_groups: + - pgp: + age: + - *admin_gaspard + - *server_ovh diff --git a/hosts/OVHCloud/default.nix b/hosts/OVHCloud/default.nix index 7906b15..e3269eb 100644 --- a/hosts/OVHCloud/default.nix +++ b/hosts/OVHCloud/default.nix @@ -9,6 +9,7 @@ imports = [ ./hardware-configuration.nix + ./sops.nix ]; # Nix diff --git a/hosts/OVHCloud/sops.nix b/hosts/OVHCloud/sops.nix new file mode 100644 index 0000000..edbc448 --- /dev/null +++ b/hosts/OVHCloud/sops.nix @@ -0,0 +1,23 @@ +{config, ...}: { + # This will add secrets.yml to the nix store + # You can avoid this by adding a string to the full path instead, i.e. + # sops.defaultSopsFile = "/root/.sops/secrets/example.yaml"; + sops.defaultSopsFile = ../../secrets/OVHCloud.yaml; + # This will automatically import SSH keys as age keys + sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; + + sops.secrets."caddy/ovh_endpoint".owner = "caddy"; + sops.secrets."caddy/ovh_application_key".owner = "caddy"; + sops.secrets."caddy/ovh_application_secret".owner = "caddy"; + sops.secrets."caddy/ovh_consumer_key".owner = "caddy"; + + sops.templates."caddy.env" = { + content = '' + OVH_ENDPOINT=${config.sops.placeholder."caddy/ovh_endpoint"} + OVH_APPLICATION_KEY=${config.sops.placeholder."caddy/ovh_application_key"} + OVH_APPLICATION_SECRET=${config.sops.placeholder."caddy/ovh_application_secret"} + OVH_CONSUMER_KEY=${config.sops.placeholder."caddy/ovh_consumer_key"} + ''; + owner = "caddy"; + }; +} diff --git a/secrets/OVHCloud.yaml b/secrets/OVHCloud.yaml new file mode 100644 index 0000000..b498669 --- /dev/null +++ b/secrets/OVHCloud.yaml 
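Review bot: The header comment in hosts/OVHCloud/sops.nix still talks about `secrets.yml` and suggests a path under /root, while the file actually imported is `../../secrets/OVHCloud.yaml`; since that file is age-encrypted, landing in the world-readable Nix store is acceptable and the comment should say so instead of pointing at an alternative. Decryption depends on `/etc/ssh/ssh_host_ed25519_key` corresponding to the `server_ovh` age recipient in .sops.yaml; a reinstall through nixos-anywhere presumably regenerates host keys unless they are carried over, which would silently break every secret here. Add something like `# Host key must match the server_ovh recipient in .sops.yaml (ssh-to-age); preserve it across reinstalls.` above `sops.age.sshKeyPaths`.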
@@ -0,0 +1,34 @@ +caddy: + ovh_endpoint: ENC[AES256_GCM,data:VkchYxz0QK8=,iv:NufvzW2DCt2HE9rr3knzEP5urUtY+lhjNbVgy+NXSz4=,tag:EWwNRkx5VSuB4pgJ+JmBXQ==,type:str] + ovh_application_key: ENC[AES256_GCM,data:jq4=,iv:0Q+ZWrimJdbjqFeOD7cLjB6QeCAcfbp0FU/xC06uSto=,tag:n7jhp8xAQ73bmdNXPXx+jA==,type:str] + ovh_application_secret: ENC[AES256_GCM,data:9YAF6xVN,iv:Rb/Bv33N4Gyxu4XNrDz5VuLT+aTojT3WoVJf+gyxDBk=,tag:nXWQRjfORJV6/CqFQpGmxQ==,type:str] + ovh_consumer_key: ENC[AES256_GCM,data:lwP6/kHp,iv:oNs4QuCqOSrawXGdEG5QO2ATTKqjg1x6C1SzRbgWm2E=,tag:piTViTsKIsp+SJ+P7a8znA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rgu2e75kt4uztr43y6wj70uz2sj3tr9lz58y4h6rk37alq2vwa5q9v35dr + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqckxiTmx3Rm12ZFJ2ZXBn + VVdOeCtWeE5xZGExOE4wTFliOGlqWWpWSFNBCmFSWS9MQmt1TWg4VFJzZmNpdStv + dThvSFlPSjk0dHZGTlEraldHSklDUkkKLS0tIFVjbFliTFZjUlkrejR2RnAwVTRU + U0NEaEpLREVNMUlxUFNIbTVKaUpoc1EKRC6skQPEMA4odk3yD66bqPa/2rvLGztx + FTwwdJuE1CXaErwtt7wOfMsb3c9HhpT2R+c76woP20+VsMJdrwdeHg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1th4zyxdg3y5sdza9v3zlezzru7wyqwvk5y0t7jdv97ej3gd6d5hs5mg7cr + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSLy8yZlBuUU5QRXptZmZQ + UzlLUmxSblpFVCtFdE4vWmUreThhT090aEFrCkV6b2FaVy83QnBTZTVrcWE2RGNE + VldUZVkveUl5bnFLZzRBR0JCWGhseEUKLS0tIDNZeGczT1BxV21VcnFmSkN0V09P + MFpMemF4MGg1bmVUeWV5N25LTUtyczQKss0x4zT1kyeRu+qenhrdbcPlU/p+yjVN + y3j4eGpnwgc2rxSL9vkrrkzx/atUqUkgGU/YstszUrP6XKbJ+9ydpQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-09-26T13:50:20Z" + mac: ENC[AES256_GCM,data:swF5s4D2zyO1sRxoZnYQ5oNx9psl5YjW0afuozdqODObUvkVfHo5IClRZ3EOMsly5Hvr5If04TBVf2/qTQv7SVVr1jUpyVnirgY6l8SH/Fvp2JWYdgUYRUR9wdzTDfqmYwf+vIxP2o7kPKpVg4Ek0ipewIf/3XHfiFfKmDCea5c=,iv:VKsbK9gfdj68Xr44v2oL4YoljRfyyF+53s2bdyedPwA=,tag:8hQ8pHctHJa0Jbgk0ZChGg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 
3.9.0 From 4283a215a1c3333eac50224e51ca5c8aa7c044e6 Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Fri, 27 Sep 2024 15:40:29 +0200 Subject: [PATCH 14/48] chore(secrets): Updated `OVHCloud` secrets --- secrets/OVHCloud.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/secrets/OVHCloud.yaml b/secrets/OVHCloud.yaml index b498669..be659b5 100644 --- a/secrets/OVHCloud.yaml +++ b/secrets/OVHCloud.yaml @@ -1,8 +1,8 @@ caddy: - ovh_endpoint: ENC[AES256_GCM,data:VkchYxz0QK8=,iv:NufvzW2DCt2HE9rr3knzEP5urUtY+lhjNbVgy+NXSz4=,tag:EWwNRkx5VSuB4pgJ+JmBXQ==,type:str] - ovh_application_key: ENC[AES256_GCM,data:jq4=,iv:0Q+ZWrimJdbjqFeOD7cLjB6QeCAcfbp0FU/xC06uSto=,tag:n7jhp8xAQ73bmdNXPXx+jA==,type:str] - ovh_application_secret: ENC[AES256_GCM,data:9YAF6xVN,iv:Rb/Bv33N4Gyxu4XNrDz5VuLT+aTojT3WoVJf+gyxDBk=,tag:nXWQRjfORJV6/CqFQpGmxQ==,type:str] - ovh_consumer_key: ENC[AES256_GCM,data:lwP6/kHp,iv:oNs4QuCqOSrawXGdEG5QO2ATTKqjg1x6C1SzRbgWm2E=,tag:piTViTsKIsp+SJ+P7a8znA==,type:str] + ovh_endpoint: ENC[AES256_GCM,data:dTdfKCWE,iv:NnmdUyM9F8ujEIfEEl9WXGLY3zRpIy9BDeqs1frK+R0=,tag:1AblJqi2hKISXBqNdWybqQ==,type:str] + ovh_application_key: ENC[AES256_GCM,data:48HzVrSa35qUSkLO7sbUwg==,iv:QfTRXsfTlgeoJdRJIph39EBbLynRNxH4DkFuuC06IuE=,tag:m8lJPHEEpK24MKUou0MTpw==,type:str] + ovh_application_secret: ENC[AES256_GCM,data:X+grjuPsaIRYUEZZyoL1Tqx55tNYpvovYsXEwB15+K0=,iv:b88NCbfxahkryBp6eey74hc2IBwLTbTBe001uVJHaKw=,tag:HDw8w4g5ZS4m8ePCvvwJqw==,type:str] + ovh_consumer_key: ENC[AES256_GCM,data:oFLHB7obwz3F59Vt8LRxpKaHBjEaoYCrKLKPoqVHz4M=,iv:rXxR2Nv3YaT2QubZUqIi60RxaHe9ZaIT9hLiogbPVFw=,tag:5m+xXEUbN+a2fHCf+EXf9A==,type:str] sops: kms: [] gcp_kms: [] 
@@ -27,8 +27,8 @@ sops: MFpMemF4MGg1bmVUeWV5N25LTUtyczQKss0x4zT1kyeRu+qenhrdbcPlU/p+yjVN y3j4eGpnwgc2rxSL9vkrrkzx/atUqUkgGU/YstszUrP6XKbJ+9ydpQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-09-26T13:50:20Z" - mac: ENC[AES256_GCM,data:swF5s4D2zyO1sRxoZnYQ5oNx9psl5YjW0afuozdqODObUvkVfHo5IClRZ3EOMsly5Hvr5If04TBVf2/qTQv7SVVr1jUpyVnirgY6l8SH/Fvp2JWYdgUYRUR9wdzTDfqmYwf+vIxP2o7kPKpVg4Ek0ipewIf/3XHfiFfKmDCea5c=,iv:VKsbK9gfdj68Xr44v2oL4YoljRfyyF+53s2bdyedPwA=,tag:8hQ8pHctHJa0Jbgk0ZChGg==,type:str] + lastmodified: "2024-09-26T14:24:37Z" + mac: ENC[AES256_GCM,data:ZogwRhz1TqI47baW9j6hJwooIfIQtSuAYWAz4gs6a+UocsHLl5+GasLZSOhQvlRsvz8Vcgp5AeLN0ehAOrDItT7SqvepdwelaJo/irS3Wq5MfM+jemZZtOUXzshq8rueffyV9Ra2JiiYqNtZQ2w8GtgjEdpwWgwbIhb0u7fheGM=,iv:X9MB2IQ1LdQNv/ldwbzF1q8LCXArDiWMk5fet1IOzaE=,tag:73JhlFP2gYI5l8Ml5e1maw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.0 From 000b708e810573ff0ce9d7831660e549e17d8a36 Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Fri, 27 Sep 2024 15:41:13 +0200 Subject: [PATCH 15/48] feat(OVHCloud): Setup example caddy virtualHost --- hosts/OVHCloud/hardware-configuration.nix | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/hosts/OVHCloud/hardware-configuration.nix b/hosts/OVHCloud/hardware-configuration.nix index fdd1034..a0c764e 100644 --- a/hosts/OVHCloud/hardware-configuration.nix +++ b/hosts/OVHCloud/hardware-configuration.nix @@ -1,5 +1,6 @@ { modulesPath, + config, inputs, pkgs, ... @@ -22,11 +23,20 @@ }; # Proxy + environment.systemPackages = with pkgs; [ + nss.tools + ]; + services.caddy = { enable = true; package = inputs.caddy.packages.${pkgs.system}.caddy; - virtualHosts."localhost".extraConfig = '' + virtualHosts."siuu.gasdev.fr".extraConfig = '' respond "Hello, world!" ''; }; + systemd.services.caddy = { + serviceConfig = { + EnvironmentFile = config.sops.templates."caddy.env".path; + }; + }; } From dcef2ee26d96698bc43f0560f24a89021f18632d Mon Sep 17 00:00:00 2001 
From: GaspardCulis Date: Fri, 27 Sep 2024 15:57:06 +0200 Subject: [PATCH 16/48] feat: Create `services` folder with test `uptime-kuma` service First-try deploy yay --- hosts/OVHCloud/default.nix | 1 + services/default.nix | 5 +++++ services/uptime-kuma/default.nix | 13 +++++++++++++ 3 files changed, 19 insertions(+) create mode 100644 services/default.nix create mode 100644 services/uptime-kuma/default.nix diff --git a/hosts/OVHCloud/default.nix b/hosts/OVHCloud/default.nix index e3269eb..ff58cab 100644 --- a/hosts/OVHCloud/default.nix +++ b/hosts/OVHCloud/default.nix @@ -10,6 +10,7 @@ imports = [ ./hardware-configuration.nix ./sops.nix + ../../services ]; # Nix diff --git a/services/default.nix b/services/default.nix new file mode 100644 index 0000000..ae35c80 --- /dev/null +++ b/services/default.nix @@ -0,0 +1,5 @@ +{ + imports = [ + ./uptime-kuma + ]; +} diff --git a/services/uptime-kuma/default.nix b/services/uptime-kuma/default.nix new file mode 100644 index 0000000..de71af4 --- /dev/null +++ b/services/uptime-kuma/default.nix @@ -0,0 +1,13 @@ +{...}: { + services.caddy.virtualHosts."uptime.gasdev.fr".extraConfig = '' + reverse_proxy http://127.0.0.1:3001 + ''; + + virtualisation.oci-containers.containers = { + container-name = { + image = "docker.io/louislam/uptime-kuma:1"; + autoStart = true; + ports = ["127.0.0.1:3001:3001"]; + }; + }; +} From 9338a7d2ef8302664beefca0796736a3149c3dd3 Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Fri, 27 Sep 2024 15:59:18 +0200 Subject: [PATCH 17/48] fix(services/uptime-kuma): Added volume config --- services/uptime-kuma/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/services/uptime-kuma/default.nix b/services/uptime-kuma/default.nix index de71af4..ff4a588 100644 --- a/services/uptime-kuma/default.nix +++ b/services/uptime-kuma/default.nix @@ -8,6 +8,7 @@ image = "docker.io/louislam/uptime-kuma:1"; autoStart = true; ports = ["127.0.0.1:3001:3001"]; + volumes = ["uptime-kuma:/app/data"]; }; }; } 
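Review bot: The image `docker.io/louislam/uptime-kuma:1` in services/uptime-kuma/default.nix is a floating major tag, so any pull on restart may silently run different code than was reviewed; for an internet-facing service pin a digest, e.g. `image = "docker.io/louislam/uptime-kuma:1@sha256:<digest>";` with the digest taken from the registry at the time of review. Publishing only on `127.0.0.1:3001` and fronting it with the Caddy `reverse_proxy` is the right shape and worth a one-line comment so nobody "fixes" it to `0.0.0.0`. Which OCI backend runs this container is not visible in the hunk, so the container's effective uid is an assumption to confirm.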
From fecfce7ad9f3f6290b9341941996a735c5371896 Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Mon, 30 Sep 2024 12:10:39 +0200 Subject: [PATCH 18/48] fix(services -> uptime-kuma): Fixed container name --- services/uptime-kuma/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/uptime-kuma/default.nix b/services/uptime-kuma/default.nix index ff4a588..42fd01b 100644 --- a/services/uptime-kuma/default.nix +++ b/services/uptime-kuma/default.nix @@ -4,7 +4,7 @@ ''; virtualisation.oci-containers.containers = { - container-name = { + uptime-kuma = { image = "docker.io/louislam/uptime-kuma:1"; autoStart = true; ports = ["127.0.0.1:3001:3001"]; From 028e4725b942beefe6854cd92162dfc3ef641371 Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Mon, 30 Sep 2024 12:12:05 +0200 Subject: [PATCH 19/48] chore(OVHCloud): Removed test caddy virtualHost --- hosts/OVHCloud/hardware-configuration.nix | 3 --- 1 file changed, 3 deletions(-) diff --git a/hosts/OVHCloud/hardware-configuration.nix b/hosts/OVHCloud/hardware-configuration.nix index a0c764e..71fd56d 100644 --- a/hosts/OVHCloud/hardware-configuration.nix +++ b/hosts/OVHCloud/hardware-configuration.nix @@ -30,9 +30,6 @@ services.caddy = { enable = true; package = inputs.caddy.packages.${pkgs.system}.caddy; - virtualHosts."siuu.gasdev.fr".extraConfig = '' - respond "Hello, world!" - ''; }; systemd.services.caddy = { serviceConfig = { From 1f9f05fa9a49db9224722a26cc46afd8e5073cf5 Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Mon, 30 Sep 2024 12:13:14 +0200 Subject: [PATCH 20/48] feat(services): Added `garage` service config --- secrets/OVHCloud.yaml | 6 ++++-- services/default.nix | 1 + services/garage/default.nix | 36 ++++++++++++++++++++++++++++++++++++ services/garage/garage.toml | 22 ++++++++++++++++++++++ 4 files changed, 63 insertions(+), 2 deletions(-) create mode 100644 services/garage/default.nix create mode 100644 services/garage/garage.toml 
diff --git a/secrets/OVHCloud.yaml b/secrets/OVHCloud.yaml index be659b5..4514fd4 100644 --- a/secrets/OVHCloud.yaml +++ b/secrets/OVHCloud.yaml @@ -3,6 +3,8 @@ caddy: ovh_application_key: ENC[AES256_GCM,data:48HzVrSa35qUSkLO7sbUwg==,iv:QfTRXsfTlgeoJdRJIph39EBbLynRNxH4DkFuuC06IuE=,tag:m8lJPHEEpK24MKUou0MTpw==,type:str] ovh_application_secret: ENC[AES256_GCM,data:X+grjuPsaIRYUEZZyoL1Tqx55tNYpvovYsXEwB15+K0=,iv:b88NCbfxahkryBp6eey74hc2IBwLTbTBe001uVJHaKw=,tag:HDw8w4g5ZS4m8ePCvvwJqw==,type:str] ovh_consumer_key: ENC[AES256_GCM,data:oFLHB7obwz3F59Vt8LRxpKaHBjEaoYCrKLKPoqVHz4M=,iv:rXxR2Nv3YaT2QubZUqIi60RxaHe9ZaIT9hLiogbPVFw=,tag:5m+xXEUbN+a2fHCf+EXf9A==,type:str] +garage: + rpc_secret: ENC[AES256_GCM,data:xuophXVfHY3Xw+RyDPnZ5LCQXB+cHyRCWvT2l5MiyXGAlP6GSJpewDqJ5xvLclHfHNJP9YKJ3scJV/iX5FE+rw==,iv:wtlrpUUkXa2WYvQS/vfJJBS34V5CIAYQ8oCf/SjHp5k=,tag:r16InXGTKIBPOHjMSYlEog==,type:str] sops: kms: [] gcp_kms: [] @@ -27,8 +29,8 @@ sops: MFpMemF4MGg1bmVUeWV5N25LTUtyczQKss0x4zT1kyeRu+qenhrdbcPlU/p+yjVN y3j4eGpnwgc2rxSL9vkrrkzx/atUqUkgGU/YstszUrP6XKbJ+9ydpQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-09-26T14:24:37Z" - mac: ENC[AES256_GCM,data:ZogwRhz1TqI47baW9j6hJwooIfIQtSuAYWAz4gs6a+UocsHLl5+GasLZSOhQvlRsvz8Vcgp5AeLN0ehAOrDItT7SqvepdwelaJo/irS3Wq5MfM+jemZZtOUXzshq8rueffyV9Ra2JiiYqNtZQ2w8GtgjEdpwWgwbIhb0u7fheGM=,iv:X9MB2IQ1LdQNv/ldwbzF1q8LCXArDiWMk5fet1IOzaE=,tag:73JhlFP2gYI5l8Ml5e1maw==,type:str] + lastmodified: "2024-09-27T14:21:34Z" + mac: ENC[AES256_GCM,data:OkF7A/94sqkmHNcBq9uA+tJCJhFiaoZvQRfR1rtLlgmCsusbeF/rSekQaP2WE4K29aGD6mYZxcnvcCewYiEEXA6S6rpwuCOje+ti5dfg8BFaxivWxtRKQjS3az+z/AkLfE7EYBbMwsZX2T52zZaXW6d49u68++Lg8Y+vC/aRGHw=,iv:MoFQEc3C6DIlwM7r16lr9KqA1TZ2Pmk0s+mlSC5+PW8=,tag:RMsodI9Nzt8t2fYXPDTibQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.0 diff --git a/services/default.nix b/services/default.nix index ae35c80..066f456 100644 --- a/services/default.nix +++ b/services/default.nix @@ -1,5 +1,6 @@ { imports = [ ./uptime-kuma + ./garage ]; } 
diff --git a/services/garage/default.nix b/services/garage/default.nix new file mode 100644 index 0000000..1c2277e --- /dev/null +++ b/services/garage/default.nix @@ -0,0 +1,36 @@ +# TODO: Run as different user +{...}: { + sops.secrets."garage/rpc_secret".owner = "root"; + + services.caddy.virtualHosts."*.s3.gasdev.fr".extraConfig = '' + reverse_proxy http://127.0.0.1:3900 + ''; + + services.caddy.virtualHosts."*.s3web.gasdev.fr".extraConfig = '' + reverse_proxy http://127.0.0.1:3902 + ''; + + virtualisation.oci-containers.containers = { + garage = { + image = "docker.io/dxflrs/garage:v1.0.0"; + autoStart = true; + ports = [ + "127.0.0.1:3900:3900" + "127.0.0.1:3901:3901" + "127.0.0.1:3902:3902" + ]; + volumes = [ + "/etc/garage.toml:/etc/garage.toml" + "/var/lib/garage/meta:/var/lib/garage/meta" + "/var/lib/garage/data:/var/lib/garage/data" + "/run/secrets/garage/rpc_secret:/run/secrets/garage/rpc_secret" + ]; + }; + }; + + environment.etc."garage.toml".text = builtins.readFile ./garage.toml; + systemd.tmpfiles.rules = [ + "d /var/lib/garage/meta 0700 root root -" + "d /var/lib/garage/data 0700 root root -" + ]; +} diff --git a/services/garage/garage.toml b/services/garage/garage.toml new file mode 100644 index 0000000..7fc8003 --- /dev/null +++ b/services/garage/garage.toml @@ -0,0 +1,22 @@ +metadata_dir = "/var/lib/garage/meta" +data_dir = "/var/lib/garage/data" +db_engine = "lmdb" +metadata_auto_snapshot_interval = "6h" + +replication_factor = 3 + +compression_level = 2 + +rpc_bind_addr = "[::]:3901" +rpc_public_addr = "gasdev.fr:3901" +rpc_secret_file = "/run/secrets/garage/rpc_secret" + +[s3_api] +s3_region = "garage" +api_bind_addr = "[::]:3900" +root_domain = ".s3.gasdev.fr" + +[s3_web] +bind_addr = "[::]:3902" +root_domain = ".s3web.gasdev.fr" +index = "index.html" From 8da4050d774da6663fc11c16e3239e30f3bc69ae Mon Sep 17 00:00:00 2001 
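Review bot: The container image is referenced by a mutable tag, `image = "docker.io/dxflrs/garage:v1.0.0";`, so what actually runs can change between `podman pull`s without any change in this repository, and a re-pushed or compromised tag would be deployed silently; pinning by digest (`image = "docker.io/dxflrs/garage:v1.0.0@sha256:<digest from podman inspect>";`) makes the deployment reproducible and auditable. The `# TODO: Run as different user` at the top is worth resolving before the S3 API goes public: with the podman backend running as root and no `user =` set, the process inside the container is root, holding `/run/secrets/garage/RPC_SECRET` and the root-owned `0700` data directories, so a container escape is a host root compromise. Binding all three published ports to `127.0.0.1` and fronting them with Caddy is the right shape; keep it that way when the admin API is eventually enabled.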
From: GaspardCulis Date: Mon, 30 Sep 2024 12:33:16 +0200 Subject: [PATCH 21/48] fix(OVHCloud): Fixed Caddy OVH prodiver specific config --- hosts/OVHCloud/hardware-configuration.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/hosts/OVHCloud/hardware-configuration.nix b/hosts/OVHCloud/hardware-configuration.nix index 71fd56d..5cafbd9 100644 --- a/hosts/OVHCloud/hardware-configuration.nix +++ b/hosts/OVHCloud/hardware-configuration.nix @@ -30,6 +30,15 @@ services.caddy = { enable = true; package = inputs.caddy.packages.${pkgs.system}.caddy; + + globalConfig = '' + acme_dns ovh { + endpoint {$OVH_ENDPOINT} + application_key {$OVH_APPLICATION_KEY} + application_secret {$OVH_APPLICATION_SECRET} + consumer_key {$OVH_CONSUMER_KEY} + } + ''; }; systemd.services.caddy = { serviceConfig = { From 95ce17fdef5d5256ad0b8cf8dde4ac1455ca81f7 Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Mon, 30 Sep 2024 12:37:40 +0200 Subject: [PATCH 22/48] fix(services -> garage): Set `replication_factor` to 1 --- services/garage/garage.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/garage/garage.toml b/services/garage/garage.toml index 7fc8003..687438d 100644 --- a/services/garage/garage.toml +++ b/services/garage/garage.toml @@ -3,7 +3,7 @@ data_dir = "/var/lib/garage/data" db_engine = "lmdb" metadata_auto_snapshot_interval = "6h" -replication_factor = 3 +replication_factor = 1 compression_level = 2 From 1f235f4e915dd55899ae2aed30303c498d7d86f7 Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Mon, 30 Sep 2024 13:16:48 +0200 Subject: [PATCH 23/48] feat(services): Added `wireguard` service config --- secrets/OVHCloud.yaml | 7 +++-- services/default.nix | 1 + services/wireguard/default.nix | 52 ++++++++++++++++++++++++++++++++++ 3 files changed, 58 insertions(+), 2 deletions(-) create mode 100644 services/wireguard/default.nix diff --git a/secrets/OVHCloud.yaml b/secrets/OVHCloud.yaml index 4514fd4..7edcda0 100644 --- a/secrets/OVHCloud.yaml 
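Review bot: The `acme_dns ovh { … }` block reads its credentials from `{$OVH_*}` environment placeholders, but nothing in the hunk says where Caddy gets them — the `systemd.services.caddy.serviceConfig` block that presumably loads an environment file starts on the hunk's last line and continues outside it. A comment above `globalConfig` would save the next reader a search: `# OVH_* come from the EnvironmentFile on the caddy unit below (sops-rendered); acme_dns here makes DNS-01 the default challenge for every vhost, which the *.s3/*.s3web wildcard certificates require.` Because this is global, every future vhost will also use the OVH DNS credentials for issuance, which is fine as long as those API keys are scoped to the gasdev.fr zone only — worth confirming on the OVH side.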
+++ b/secrets/OVHCloud.yaml @@ -5,6 +5,9 @@ caddy: ovh_consumer_key: ENC[AES256_GCM,data:oFLHB7obwz3F59Vt8LRxpKaHBjEaoYCrKLKPoqVHz4M=,iv:rXxR2Nv3YaT2QubZUqIi60RxaHe9ZaIT9hLiogbPVFw=,tag:5m+xXEUbN+a2fHCf+EXf9A==,type:str] garage: rpc_secret: ENC[AES256_GCM,data:xuophXVfHY3Xw+RyDPnZ5LCQXB+cHyRCWvT2l5MiyXGAlP6GSJpewDqJ5xvLclHfHNJP9YKJ3scJV/iX5FE+rw==,iv:wtlrpUUkXa2WYvQS/vfJJBS34V5CIAYQ8oCf/SjHp5k=,tag:r16InXGTKIBPOHjMSYlEog==,type:str] +wireguard: + private_key: ENC[AES256_GCM,data:fjaBcBplx4IOrbnT8PZwUl6m4j4sdiObJYJXSrzCOqXcL3Qyymj4HUPSBuM=,iv:4XVH1d0/PTfVHKtDoziOD3b+TGXafNEGNgqAUtQsoD8=,tag:c/9AQO5TmLPGvIRN59KMZg==,type:str] + public_key: ENC[AES256_GCM,data:zHQkA3wu7Kn9wnODn65zHKGX3qBvhRa0H/cSlg/8TjyTNtaMgY3Y0RiQEr4=,iv:kaWxt11DR4jZzgfoA7PDg/wPc6VqSoyuFU4KllOzZjY=,tag:acA0M4Eq0AR4FjFJZ4l13w==,type:str] sops: kms: [] gcp_kms: [] @@ -29,8 +32,8 @@ sops: MFpMemF4MGg1bmVUeWV5N25LTUtyczQKss0x4zT1kyeRu+qenhrdbcPlU/p+yjVN y3j4eGpnwgc2rxSL9vkrrkzx/atUqUkgGU/YstszUrP6XKbJ+9ydpQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-09-27T14:21:34Z" - mac: ENC[AES256_GCM,data:OkF7A/94sqkmHNcBq9uA+tJCJhFiaoZvQRfR1rtLlgmCsusbeF/rSekQaP2WE4K29aGD6mYZxcnvcCewYiEEXA6S6rpwuCOje+ti5dfg8BFaxivWxtRKQjS3az+z/AkLfE7EYBbMwsZX2T52zZaXW6d49u68++Lg8Y+vC/aRGHw=,iv:MoFQEc3C6DIlwM7r16lr9KqA1TZ2Pmk0s+mlSC5+PW8=,tag:RMsodI9Nzt8t2fYXPDTibQ==,type:str] + lastmodified: "2024-09-30T11:01:11Z" + mac: ENC[AES256_GCM,data:DRo6UcDQ8nJgUome5VLy5DVlRWB2tAFSATK1JUwwdtB2vZ8V+2FK5yGDE701vaxkJukO/lKnC0TzP3/hwprMzSOgTaOfaAFyPDDSTUS7Z6moc31J1RtbOFFoStPD1LnQyfsd0XGdhSEekLKgT3djMH++jo1KBjzcIz6OYsdDRDw=,iv:b5Nlt8SC3MLAdTzhNs44IImtUlgJRGhvB72rd8ovpWk=,tag:FGkkeT78OAWl/KqYplEsTA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.0 diff --git a/services/default.nix b/services/default.nix index 066f456..6c3c5d6 100644 --- a/services/default.nix +++ b/services/default.nix @@ -2,5 +2,6 @@ imports = [ ./uptime-kuma ./garage + ./wireguard ]; } 
diff --git a/services/wireguard/default.nix b/services/wireguard/default.nix new file mode 100644 index 0000000..1fc31bd --- /dev/null +++ b/services/wireguard/default.nix @@ -0,0 +1,52 @@ +{pkgs, ...}: { + sops.secrets."wireguard/private_key".owner = "root"; + + networking.nat.enable = true; + networking.nat.externalInterface = "ens3"; + networking.nat.internalInterfaces = ["wg0"]; + networking.firewall = { + allowedUDPPorts = [993]; + }; + + networking.wireguard.interfaces = { + # "wg0" is the network interface name. You can name the interface arbitrarily. + wg0 = { + # Determines the IP address and subnet of the server's end of the tunnel interface. + ips = ["10.8.0.1/24"]; + + # The port that WireGuard listens to. Must be accessible by the client. + listenPort = 993; + + # This allows the wireguard server to route your traffic to the internet and hence be like a VPN + # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients + postSetup = '' + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE + ''; + + # This undoes the above command + postShutdown = '' + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE + ''; + + # Path to the private key file. + # + # Note: The private key can also be included inline via the privateKey option, + # but this makes the private key world-readable; thus, using privateKeyFile is + # recommended. + privateKeyFile = "/run/secrets/wireguard/private_key"; + + peers = [ + { + # Pixel + publicKey = "xMO5xTvBXtikri0WS9wpzGvSWITjkQV5oUOYwFjqB0g="; + allowedIPs = ["10.8.0.69/32"]; + } + { + # Zephyrus + publicKey = "TwXHVANaKZsvP/hfjkQXkLwCtFuDeDmQ2Q7jlaxl5SU="; + allowedIPs = ["10.8.0.42/32"]; + } + ]; + }; + }; +} From ffc1621a8e6a5fe108debaa973f6c6f141bbd987 Mon Sep 17 00:00:00 2001 
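Review bot: The peers are configured with public keys only; WireGuard's optional per-peer pre-shared key is not set, so each tunnel rests solely on the Curve25519 handshake. Adding a `presharedKeyFile = config.sops.secrets."wireguard/psk_pixel".path;` entry per peer (one sops secret per peer, never inline — the same reasoning the file already gives for `privateKeyFile`) adds a symmetric secret that also hedges against a future break of the ECDH step; the `{pkgs, ...}` header would need `config` added to reference the sops path. Listening on UDP 993 is presumably deliberate for blending with IMAPS traffic; a one-line comment saying so would stop someone "correcting" it to 51820.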
From: GaspardCulis Date: Wed, 2 Oct 2024 08:44:59 +0200 Subject: [PATCH 24/48] feat(flake.nix): Added `sops` to local devShell --- flake.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/flake.nix b/flake.nix index bd1e8a0..90d767a 100644 --- a/flake.nix +++ b/flake.nix @@ -115,6 +115,7 @@ git helix nil + pkgs.sops pkgs.home-manager pkgs.deploy-rs ]; From 5e61bcb30f7fcbfb9ee9ce0c4e0e739fc3b556b6 Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Wed, 2 Oct 2024 08:59:02 +0200 Subject: [PATCH 25/48] chore(services -> garage): Uppercase secret file name --- secrets/OVHCloud.yaml | 6 +++--- services/garage/default.nix | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/secrets/OVHCloud.yaml b/secrets/OVHCloud.yaml index 7edcda0..998fd2a 100644 --- a/secrets/OVHCloud.yaml +++ b/secrets/OVHCloud.yaml @@ -4,7 +4,7 @@ caddy: ovh_application_secret: ENC[AES256_GCM,data:X+grjuPsaIRYUEZZyoL1Tqx55tNYpvovYsXEwB15+K0=,iv:b88NCbfxahkryBp6eey74hc2IBwLTbTBe001uVJHaKw=,tag:HDw8w4g5ZS4m8ePCvvwJqw==,type:str] ovh_consumer_key: ENC[AES256_GCM,data:oFLHB7obwz3F59Vt8LRxpKaHBjEaoYCrKLKPoqVHz4M=,iv:rXxR2Nv3YaT2QubZUqIi60RxaHe9ZaIT9hLiogbPVFw=,tag:5m+xXEUbN+a2fHCf+EXf9A==,type:str] garage: - rpc_secret: ENC[AES256_GCM,data:xuophXVfHY3Xw+RyDPnZ5LCQXB+cHyRCWvT2l5MiyXGAlP6GSJpewDqJ5xvLclHfHNJP9YKJ3scJV/iX5FE+rw==,iv:wtlrpUUkXa2WYvQS/vfJJBS34V5CIAYQ8oCf/SjHp5k=,tag:r16InXGTKIBPOHjMSYlEog==,type:str] + RPC_SECRET: ENC[AES256_GCM,data:OJbIST1mtpqMNk+MKnGFy6+tXjc6aEOMIWnfs8QY9ozpxN2apAN7ZrjAAZc3J7ORUIhUQh8Vjkb1EhxdqGxERA==,iv:NhREhGE0wz3/0sdXUxuDqWaPdjeeQFau2OEVsqpV3F0=,tag:yGYd5txtVQzIOchh2L/XXQ==,type:str] wireguard: private_key: ENC[AES256_GCM,data:fjaBcBplx4IOrbnT8PZwUl6m4j4sdiObJYJXSrzCOqXcL3Qyymj4HUPSBuM=,iv:4XVH1d0/PTfVHKtDoziOD3b+TGXafNEGNgqAUtQsoD8=,tag:c/9AQO5TmLPGvIRN59KMZg==,type:str] public_key: ENC[AES256_GCM,data:zHQkA3wu7Kn9wnODn65zHKGX3qBvhRa0H/cSlg/8TjyTNtaMgY3Y0RiQEr4=,iv:kaWxt11DR4jZzgfoA7PDg/wPc6VqSoyuFU4KllOzZjY=,tag:acA0M4Eq0AR4FjFJZ4l13w==,type:str] 
@@ -32,8 +32,8 @@ sops: MFpMemF4MGg1bmVUeWV5N25LTUtyczQKss0x4zT1kyeRu+qenhrdbcPlU/p+yjVN y3j4eGpnwgc2rxSL9vkrrkzx/atUqUkgGU/YstszUrP6XKbJ+9ydpQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-09-30T11:01:11Z" - mac: ENC[AES256_GCM,data:DRo6UcDQ8nJgUome5VLy5DVlRWB2tAFSATK1JUwwdtB2vZ8V+2FK5yGDE701vaxkJukO/lKnC0TzP3/hwprMzSOgTaOfaAFyPDDSTUS7Z6moc31J1RtbOFFoStPD1LnQyfsd0XGdhSEekLKgT3djMH++jo1KBjzcIz6OYsdDRDw=,iv:b5Nlt8SC3MLAdTzhNs44IImtUlgJRGhvB72rd8ovpWk=,tag:FGkkeT78OAWl/KqYplEsTA==,type:str] + lastmodified: "2024-10-02T06:58:48Z" + mac: ENC[AES256_GCM,data:REJysIueXjjxMVFMNNR3gyuRJgbDmerIo/Fb8I+QP4812sa7wAWCx7caaeUVXmbIjyX0qEVwMocav2vTgL4GnwSmKK9EpOUb8WoV3ZzTqzhbEGD5frE6fEVvvnOMwhtrh3K2KuMUmy4VkWI34naSel+pzvYa5Tfu7n+YvNyfhW4=,iv:onGPouQFfMO+X1q2rMsaV9oR3l86k3J7wY7bQNJp8wY=,tag:L4RM66rRWFQKpIeSC7mQyA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.0 diff --git a/services/garage/default.nix b/services/garage/default.nix index 1c2277e..2ac4499 100644 --- a/services/garage/default.nix +++ b/services/garage/default.nix @@ -1,6 +1,6 @@ # TODO: Run as different user {...}: { - sops.secrets."garage/rpc_secret".owner = "root"; + sops.secrets."garage/RPC_SECRET".owner = "root"; services.caddy.virtualHosts."*.s3.gasdev.fr".extraConfig = '' reverse_proxy http://127.0.0.1:3900 @@ -23,7 +23,7 @@ "/etc/garage.toml:/etc/garage.toml" "/var/lib/garage/meta:/var/lib/garage/meta" "/var/lib/garage/data:/var/lib/garage/data" - "/run/secrets/garage/rpc_secret:/run/secrets/garage/rpc_secret" + "/run/secrets/garage/RPC_SECRET:/run/secrets/garage/RPC_SECRET" ]; }; }; From 1e7b7e168e4e6d425441965056592d0fac6faefb Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Wed, 2 Oct 2024 09:18:41 +0200 Subject: [PATCH 26/48] fix(services -> wireguard): Fixed masquerade interface name --- services/wireguard/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/services/wireguard/default.nix b/services/wireguard/default.nix index 1fc31bd..99166b1 100644 --- a/services/wireguard/default.nix +++ b/services/wireguard/default.nix @@ -20,12 +20,12 @@ # This allows the wireguard server to route your traffic to the internet and hence be like a VPN # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients postSetup = '' - ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens3 -j MASQUERADE ''; # This undoes the above command postShutdown = '' - ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o ens3 -j MASQUERADE ''; # Path to the private key file. From f48456452bacaa9a0d1e3af01617e86a373bfa03 Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Wed, 2 Oct 2024 15:02:13 +0200 Subject: [PATCH 27/48] feat(services): Added `shadowsocks` service --- secrets/OVHCloud.yaml | 6 +++-- services/shadowsocks/default.nix | 43 ++++++++++++++++++++++++++++++++ 2 files changed, 47 insertions(+), 2 deletions(-) create mode 100644 services/shadowsocks/default.nix diff --git a/secrets/OVHCloud.yaml b/secrets/OVHCloud.yaml index 998fd2a..7237a0b 100644 --- a/secrets/OVHCloud.yaml +++ b/secrets/OVHCloud.yaml 
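Review bot: With `networking.nat.enable = true`, `externalInterface = "ens3"` and `internalInterfaces = ["wg0"]` set at the top of this file (outside the hunk), the NixOS NAT module presumably already installs its own MASQUERADE rule for wg0 traffic leaving ens3, so the corrected `postSetup`/`postShutdown` rules duplicate it: two rules match the same packets, and the `-D` on shutdown removes only one instance. Unless the hand-written rule covers something the module does not, dropping `postSetup` and `postShutdown` entirely keeps a single source of truth for the interface name — exactly the mismatch this commit had to fix. If `networking.nat` is ever switched to its nftables backend the raw `iptables` call would also stop matching the module's rules.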
@@ -5,6 +5,8 @@ caddy: ovh_consumer_key: ENC[AES256_GCM,data:oFLHB7obwz3F59Vt8LRxpKaHBjEaoYCrKLKPoqVHz4M=,iv:rXxR2Nv3YaT2QubZUqIi60RxaHe9ZaIT9hLiogbPVFw=,tag:5m+xXEUbN+a2fHCf+EXf9A==,type:str] garage: RPC_SECRET: ENC[AES256_GCM,data:OJbIST1mtpqMNk+MKnGFy6+tXjc6aEOMIWnfs8QY9ozpxN2apAN7ZrjAAZc3J7ORUIhUQh8Vjkb1EhxdqGxERA==,iv:NhREhGE0wz3/0sdXUxuDqWaPdjeeQFau2OEVsqpV3F0=,tag:yGYd5txtVQzIOchh2L/XXQ==,type:str] +shadowsocks: + password: ENC[AES256_GCM,data:IdAvKXKckwvZUetkYSFTIPxd8nrwm13Ngc3KVDSmiW3AE4Rhmjk2VHjdUyQ=,iv:LVeQcL7XIEQyMTsXpXIROGte2+Z9+7FpemfiwhA0Pw0=,tag:qt+8jgN5UqwMeCV+D3stEQ==,type:str] wireguard: private_key: ENC[AES256_GCM,data:fjaBcBplx4IOrbnT8PZwUl6m4j4sdiObJYJXSrzCOqXcL3Qyymj4HUPSBuM=,iv:4XVH1d0/PTfVHKtDoziOD3b+TGXafNEGNgqAUtQsoD8=,tag:c/9AQO5TmLPGvIRN59KMZg==,type:str] public_key: ENC[AES256_GCM,data:zHQkA3wu7Kn9wnODn65zHKGX3qBvhRa0H/cSlg/8TjyTNtaMgY3Y0RiQEr4=,iv:kaWxt11DR4jZzgfoA7PDg/wPc6VqSoyuFU4KllOzZjY=,tag:acA0M4Eq0AR4FjFJZ4l13w==,type:str] @@ -32,8 +34,8 @@ sops: MFpMemF4MGg1bmVUeWV5N25LTUtyczQKss0x4zT1kyeRu+qenhrdbcPlU/p+yjVN y3j4eGpnwgc2rxSL9vkrrkzx/atUqUkgGU/YstszUrP6XKbJ+9ydpQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-10-02T06:58:48Z" - mac: ENC[AES256_GCM,data:REJysIueXjjxMVFMNNR3gyuRJgbDmerIo/Fb8I+QP4812sa7wAWCx7caaeUVXmbIjyX0qEVwMocav2vTgL4GnwSmKK9EpOUb8WoV3ZzTqzhbEGD5frE6fEVvvnOMwhtrh3K2KuMUmy4VkWI34naSel+pzvYa5Tfu7n+YvNyfhW4=,iv:onGPouQFfMO+X1q2rMsaV9oR3l86k3J7wY7bQNJp8wY=,tag:L4RM66rRWFQKpIeSC7mQyA==,type:str] + lastmodified: "2024-10-02T07:32:18Z" + mac: ENC[AES256_GCM,data:0fwZxJO2LKpwV4+IYbBSyrqcQt4RrqlF/2OM8vP+3B/AI3Ny6LSP851IXdwzIMtMLiGBnvl787sXmZWPcUaizq3XmQR7t9lX/q4WkgVIDZ5JQtmHc4TSYDIxECBAQ5P4V6CNsUw3gjC5X4OSLtSfil/pAXbcMFKdlVLgP4S6wMU=,iv:UlJPlLFx2y/YJQWEDCY4NyqkZuQjNH8yCeELzoa3IoU=,tag:JI1tTnMSnQiWXVZmqb+ykA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.0 diff --git a/services/shadowsocks/default.nix b/services/shadowsocks/default.nix new file mode 100644 index 0000000..0703dee 
--- /dev/null +++ b/services/shadowsocks/default.nix @@ -0,0 +1,43 @@ +{ + config, + pkgs, + ... +}: let + port = "8388"; +in { + sops.secrets."shadowsocks/password".owner = "root"; + sops.templates."shadowsocks/config.json" = { + content = '' + { + "server": "0.0.0.0", + "server_port": ${port}, + "password": "${config.sops.placeholder."shadowsocks/password"}", + "method": "aes-256-gcm", + "timeout": 300, + "plugin": "${pkgs.shadowsocks-v2ray-plugin}/bin/v2ray-plugin", + "plugin_opts":"server;loglevel=none", + + "local_port": ${port}, + "local_address": "127.0.0.1" + } + ''; + owner = "root"; + }; + + services.caddy.virtualHosts."shadowsocks.gasdev.fr".extraConfig = '' + reverse_proxy http://127.0.0.1:${port} + ''; + + systemd.services = { + shadowsocks = { + description = "Shadowsocks tunnel"; + after = ["network-online.target"]; + wants = ["network-online.target"]; + enable = true; + serviceConfig = { + Restart = "always"; + ExecStart = "${pkgs.shadowsocks-rust}/bin/ssserver -c ${config.sops.templates."shadowsocks/config.json".path}"; + }; + }; + }; +} From 34c106dadccee59aa36187c33dc74d1d2ab6b708 Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Wed, 2 Oct 2024 15:03:00 +0200 Subject: [PATCH 28/48] fix(OVHCloud): Properly configure podman --- hosts/OVHCloud/default.nix | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/hosts/OVHCloud/default.nix b/hosts/OVHCloud/default.nix index ff58cab..afada42 100644 --- a/hosts/OVHCloud/default.nix +++ b/hosts/OVHCloud/default.nix @@ -31,6 +31,17 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQyRXFQ6iA5p0vDuoGSHZfajiVZPAGIyqhTziM7QgBV gaspard@nixos" ]; + # Podman + virtualisation = { + containers.enable = true; + oci-containers.backend = "podman"; + podman = { + enable = true; + # Required for containers under podman-compose to be able to talk to each other. + defaultNetwork.settings.dns_enabled = true; + }; + }; + environment.systemPackages = with pkgs; [ helix git 
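Review bot: `"server": "0.0.0.0"` makes `ssserver` listen on every interface, while the only intended path in is Caddy's `reverse_proxy http://127.0.0.1:8388` (TLS terminated by Caddy, websocket via v2ray-plugin); binding to `"server": "127.0.0.1"` keeps the plaintext-websocket port unreachable even if a firewall rule is later opened by mistake. The `"local_port"` and `"local_address"` keys are client-side options that the server ignores and can be dropped from the template. The unit also runs as root with the rendered config owned by root; a `User =`/`DynamicUser` on the service with a matching `owner` on the sops template would be the least-privilege version, though that is a larger change than this hunk.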
From c30a74895df07b1ef48ba35b3f1eab5809eca56c Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Wed, 2 Oct 2024 15:03:21 +0200 Subject: [PATCH 29/48] chore(services): Disable `garage` and enable `shadowsocks` --- services/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/default.nix b/services/default.nix index 6c3c5d6..249768c 100644 --- a/services/default.nix +++ b/services/default.nix @@ -1,7 +1,7 @@ { imports = [ + ./shadowsocks ./uptime-kuma - ./garage ./wireguard ]; } From abc5c42aa700a1543479672bab62b5609a76d04d Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Wed, 9 Oct 2024 11:13:14 +0200 Subject: [PATCH 30/48] fix(sops): Changed path_regex for OVHCloud secrets --- .sops.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.sops.yaml b/.sops.yaml index 66469cf..cd971a3 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -2,7 +2,7 @@ keys: - &admin_gaspard age1rgu2e75kt4uztr43y6wj70uz2sj3tr9lz58y4h6rk37alq2vwa5q9v35dr - &server_ovh age1th4zyxdg3y5sdza9v3zlezzru7wyqwvk5y0t7jdv97ej3gd6d5hs5mg7cr creation_rules: - - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$ + - path_regex: secrets/OVHConfig.yaml key_groups: - pgp: age: From 36f1a442531a2d6978bea9c30ef2a6411f4bbee7 Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Wed, 9 Oct 2024 11:13:36 +0200 Subject: [PATCH 31/48] chore(wireguard): Updated Zephyrus key --- services/wireguard/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/wireguard/default.nix b/services/wireguard/default.nix index 99166b1..f4c550e 100644 --- a/services/wireguard/default.nix +++ b/services/wireguard/default.nix @@ -43,7 +43,7 @@ } { # Zephyrus - publicKey = "TwXHVANaKZsvP/hfjkQXkLwCtFuDeDmQ2Q7jlaxl5SU="; + publicKey = "42Vj5VG4bJpOUE7j5UW28IFSmPlV+X3tIA9ne55W0Fo="; allowedIPs = ["10.8.0.42/32"]; } ]; From 0a9a7d0d02fb2eab840866c19ee07f777df1b993 Mon Sep 17 00:00:00 2001 
From: GaspardCulis Date: Fri, 11 Oct 2024 20:01:22 +0200 Subject: [PATCH 32/48] fix(garage): Fixed rpc secret path --- services/authelia/configuration.yml | 18 +++++++++++++++++ services/authelia/default.nix | 30 +++++++++++++++++++++++++++++ services/garage/garage.toml | 2 +- services/i2p/default.nix | 27 ++++++++++++++++++++++++++ 4 files changed, 76 insertions(+), 1 deletion(-) create mode 100644 services/authelia/configuration.yml create mode 100644 services/authelia/default.nix create mode 100644 services/i2p/default.nix diff --git a/services/authelia/configuration.yml b/services/authelia/configuration.yml new file mode 100644 index 0000000..bbd1f70 --- /dev/null +++ b/services/authelia/configuration.yml @@ -0,0 +1,18 @@ +theme: 'auto' + +access_control: + default_policy: deny + rules: + - domain: '*.gasdev.fr' + policy: one_factor +server: + endpoints: + authz: + forward-auth: + implementation: 'ForwardAuth' +session: + cookies: + - domain: 'gasdev.fr' + authelia_url: 'https://auth.gasdev.fr' + default_redirection_url: 'https://www.example.com' + diff --git a/services/authelia/default.nix b/services/authelia/default.nix new file mode 100644 index 0000000..07f46de --- /dev/null +++ b/services/authelia/default.nix 
@@ -0,0 +1,30 @@ +{...}: { + sops.secrets."authelia/JWT_SECRET".owner = "root"; + sops.secrets."authelia/SESSION_SECRET".owner = "root"; + sops.secrets."authelia/STORAGE_PASSWORD".owner = "root"; + sops.secrets."authelia/STORAGE_ENCRYPTION_KEY".owner = "root"; + + services.caddy.virtualHosts."auth.gasdev.fr".extraConfig = '' + reverse_proxy http://127.0.0.1:9091 + ''; + + virtualisation.oci-containers.containers = { + authelia = { + image = "docker.io/authelia/authelia:latest"; + autoStart = true; + ports = ["127.0.0.1:9091:9091"]; + environment = { + AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE = "/secrets/JWT_SECRET"; + AUTHELIA_SESSION_SECRET_FILE = "/secrets/SESSION_SECRET"; + AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE = "/secrets/STORAGE_PASSWORD"; + AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = "/secrets/STORAGE_ENCRYPTION_KEY"; + }; + volumes = [ + "/run/secrets/authelia:/secrets" + "/etc/authelia/configuration.yml:/config/configuration.yml" + ]; + }; + }; + + environment.etc."authelia/configuration.yml".text = builtins.readFile ./configuration.yml; +} diff --git a/services/garage/garage.toml b/services/garage/garage.toml index 687438d..b517365 100644 --- a/services/garage/garage.toml +++ b/services/garage/garage.toml @@ -9,7 +9,7 @@ compression_level = 2 rpc_bind_addr = "[::]:3901" rpc_public_addr = "gasdev.fr:3901" -rpc_secret_file = "/run/secrets/garage/rpc_secret" +rpc_secret_file = "/run/secrets/garage/RPC_SECRET" [s3_api] s3_region = "garage" diff --git a/services/i2p/default.nix b/services/i2p/default.nix new file mode 100644 index 0000000..77b1c8f --- /dev/null +++ b/services/i2p/default.nix 
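Review bot: `image = "docker.io/authelia/authelia:latest";` pins the identity provider that is meant to front every `*.gasdev.fr` service to a moving tag, so each pull can silently change the Authelia version (and its configuration schema) and a hijacked tag would be deployed automatically; pin an explicit release, ideally with a digest, e.g. `image = "docker.io/authelia/authelia:<release>@sha256:<digest>";`. The whole `/run/secrets/authelia` directory is mounted into the container, so anything added under that sops prefix later becomes readable by Authelia whether it needs it or not — mounting the four files individually, as the `_FILE` variables already name them, is tighter. Note also that this commit's title says "fix(garage)" while the diffstat shows it adding the authelia and i2p services.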
@@ -0,0 +1,27 @@ +{...}: { + services.caddy.virtualHosts."console.i2p.gasdev.fr".extraConfig = '' + reverse_proxy http://127.0.0.1:7657 + ''; + + services.caddy.virtualHosts."proxy.i2p.gasdev.fr".extraConfig = '' + reverse_proxy http://127.0.0.1:7657 + ''; + + virtualisation.oci-containers.containers = { + uptime-kuma = { + image = "docker.io/geti2p/i2p"; + autoStart = true; + environment = { + JVM_XMX = "256m"; + }; + ports = [ + "4444:4444" + "6668:6668" + "7657:7657" + "54321:12345" + "54321:12345/udp" + ]; + volumes = ["i2phome:/i2p/.i2p" "i2ptorrents:/i2psnark"]; + }; + }; +} From 542e43228d423f7fcb68c8003560e34b215fef13 Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Fri, 11 Oct 2024 20:56:16 +0200 Subject: [PATCH 33/48] fix(garage): Fixed `rpc_public_addr` value --- services/garage/garage.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/garage/garage.toml b/services/garage/garage.toml index b517365..523a6f7 100644 --- a/services/garage/garage.toml +++ b/services/garage/garage.toml @@ -8,7 +8,7 @@ replication_factor = 1 compression_level = 2 rpc_bind_addr = "[::]:3901" -rpc_public_addr = "gasdev.fr:3901" +rpc_public_addr = "0.0.0.0:3901" rpc_secret_file = "/run/secrets/garage/RPC_SECRET" [s3_api] From c07b6dc58baf71224bdce3362946e89f3afce8d4 Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Fri, 11 Oct 2024 20:58:03 +0200 Subject: [PATCH 34/48] feat(garage): Add `garage` bash alias --- services/garage/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/services/garage/default.nix b/services/garage/default.nix index 2ac4499..002a5e8 100644 --- a/services/garage/default.nix +++ b/services/garage/default.nix @@ -33,4 +33,8 @@ "d /var/lib/garage/meta 0700 root root -" "d /var/lib/garage/data 0700 root root -" ]; + + programs.bash.shellAliases = { + garage = "podman exec -it garage /garage"; + }; } From 7d223fad784492f1d8c938842a5e8a29595003b3 Mon Sep 17 00:00:00 2001 
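Review bot: The container is named `uptime-kuma` — almost certainly a copy-paste from services/uptime-kuma — and the oci-containers module keys both the systemd unit and the podman container on that attribute name, so this definition would collide with or replace the real uptime-kuma container as soon as the file is imported; rename it `i2p = {`. The port mappings `"4444:4444"`, `"6668:6668"`, `"7657:7657"` and `"54321:12345"` carry no host address, so unlike every other service here they publish on all interfaces, and podman's DNAT port forwarding is generally not filtered by the NixOS firewall's INPUT chain; 7657 is the router console and 4444 the HTTP proxy, both unauthenticated by default, so prefix them with `127.0.0.1:` and let Caddy front them. `proxy.i2p.gasdev.fr` also points at 7657, the same as the console vhost — 4444 looks like the intended target, and either way the vhost should sit behind Authelia before it is published.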
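Review bot: `rpc_public_addr = "0.0.0.0:3901"` is not an address another node can dial; with `replication_factor = 1` on this single node it is inert, but the first time a second node is added peering will fail with a confusing error. Since 3901 is only published on the host loopback (`127.0.0.1:3901:3901` in services/garage/default.nix), `rpc_public_addr = "127.0.0.1:3901"` is the honest single-node value, and a real routable IP or DNS name belongs here if the cluster ever grows. A comment such as `# single-node: RPC is only reachable on loopback; set to a routable address before adding peers` would keep the next reader from "fixing" it back to the hostname that this commit removed.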
From: GaspardCulis Date: Fri, 11 Oct 2024 22:26:23 +0200 Subject: [PATCH 35/48] chore(wireguard): Added new peer for `Family desktop` --- services/wireguard/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/services/wireguard/default.nix b/services/wireguard/default.nix index f4c550e..7911198 100644 --- a/services/wireguard/default.nix +++ b/services/wireguard/default.nix @@ -46,6 +46,11 @@ publicKey = "42Vj5VG4bJpOUE7j5UW28IFSmPlV+X3tIA9ne55W0Fo="; allowedIPs = ["10.8.0.42/32"]; } + { + # Family desktop + publicKey = "cpBhnLD4u5brDZsc2uqXVlelApCIXFdRnfJXJU1WDmM="; + allowedIPs = ["10.8.0.11/32"]; + } ]; }; }; From b9ef06bfecf75934537b9e21b0b7f1d290fd0401 Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Fri, 11 Oct 2024 22:27:03 +0200 Subject: [PATCH 36/48] feat(services): Added back now fixed `garage` service as default --- services/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/services/default.nix b/services/default.nix index 249768c..b6c457f 100644 --- a/services/default.nix +++ b/services/default.nix @@ -1,5 +1,6 @@ { imports = [ + ./garage ./shadowsocks ./uptime-kuma ./wireguard From 9fa21dba9cb637b6ac6ae8495897e076e7fd8b3c Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Sat, 12 Oct 2024 18:10:49 +0200 Subject: [PATCH 37/48] fix(garage): Added new domains --- services/garage/default.nix | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/services/garage/default.nix b/services/garage/default.nix index 002a5e8..57b3f95 100644 --- a/services/garage/default.nix +++ b/services/garage/default.nix 
@@ -2,10 +2,18 @@ {...}: { sops.secrets."garage/RPC_SECRET".owner = "root"; + services.caddy.virtualHosts."s3.gasdev.fr".extraConfig = '' + reverse_proxy http://127.0.0.1:3900 + ''; + services.caddy.virtualHosts."*.s3.gasdev.fr".extraConfig = '' reverse_proxy http://127.0.0.1:3900 ''; + services.caddy.virtualHosts."s3web.gasdev.fr".extraConfig = '' + reverse_proxy http://127.0.0.1:3900 + ''; + services.caddy.virtualHosts."*.s3web.gasdev.fr".extraConfig = '' reverse_proxy http://127.0.0.1:3902 ''; From 9376dc8b71f7d22b3e02de49c509a2651cb74259 Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Fri, 18 Oct 2024 10:28:01 +0200 Subject: [PATCH 38/48] Revert "fix(sops): Changed path_regex for OVHCloud secrets" This reverts commit abc5c42aa700a1543479672bab62b5609a76d04d. --- .sops.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.sops.yaml b/.sops.yaml index cd971a3..66469cf 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -2,7 +2,7 @@ keys: - &admin_gaspard age1rgu2e75kt4uztr43y6wj70uz2sj3tr9lz58y4h6rk37alq2vwa5q9v35dr - &server_ovh age1th4zyxdg3y5sdza9v3zlezzru7wyqwvk5y0t7jdv97ej3gd6d5hs5mg7cr creation_rules: - - path_regex: secrets/OVHConfig.yaml + - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$ key_groups: - pgp: age: From 0a110d549366bb9dade83bda2b72019576a1a391 Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Fri, 18 Oct 2024 10:53:36 +0200 Subject: [PATCH 39/48] feat(services): Properly configure and enable authelia --- secrets/OVHCloud.yaml | 9 +++-- services/authelia/configuration.yml | 56 ++++++++++++++++++++++++++++- services/authelia/default.nix | 3 +- services/default.nix | 1 + 4 files changed, 65 insertions(+), 4 deletions(-) diff --git a/secrets/OVHCloud.yaml b/secrets/OVHCloud.yaml index 7237a0b..869f0be 100644 --- a/secrets/OVHCloud.yaml +++ b/secrets/OVHCloud.yaml 
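Review bot: The new `s3web.gasdev.fr` vhost proxies to `http://127.0.0.1:3900`, which is the S3 API port, whereas the wildcard `*.s3web.gasdev.fr` vhost directly below it goes to 3902 (the `[s3_web]` bind in garage.toml); this looks like a copy-paste from the `s3.gasdev.fr` block and would expose the API under the web hostname. Change it to `reverse_proxy http://127.0.0.1:3902`. If the bare `s3web.gasdev.fr` host is not meant to serve any bucket, dropping the vhost is safer than pointing it at either backend.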
@@ -1,3 +1,8 @@ +authelia: + JWT_SECRET: ENC[AES256_GCM,data:a1LyPNaojDm8JtcCahkYx8TGGjbh2Appz1s5ruZzQs4VOMgtdV7MWl3RMpk=,iv:7y+ZhNYMS8t6Y3YqBJjnESBCK5BPM6Y+BbXMDSUQcc0=,tag:ksoR48cTA2eIg+JEvCXFWw==,type:str] + SESSION_SECRET: ENC[AES256_GCM,data:kr8+BsQhJQRmfhvzlOGBItqiRtHi2BcD9adhsL1N8FURe8sCPoOiNnwT0IM=,iv:97UPC5Woerm+ftrOMJ0HBM8jhF5ea+2H3QZU3a6i+fY=,tag:63N+r/BoBDaWYcEXUtIksw==,type:str] + STORAGE_PASSWORD: ENC[AES256_GCM,data:o+7Bszd/hPOaMMF/NOHVxMTY92hUZrFYu+4gkYkMkAubYiEfsX6kus4oToA=,iv:Q2sl8ZKblupyMO7GY/VCklQWTlHRtSsuVHRC60uwPfc=,tag:QxbpVJXq3HtEzHeFLoVOEw==,type:str] + STORAGE_ENCRYPTION_KEY: ENC[AES256_GCM,data:gGIayEmpkF+uLpsn69DgWcZPzeIV9xgAFBFgEMEKvSCoGx5id1bq/EFM81o=,iv:6SjBuo+/WosohTEWX8QwPqHd2f80ljx+m3WSjiChusU=,tag:pk2mNtGTOpFNcyVO8fFFuQ==,type:str] caddy: ovh_endpoint: ENC[AES256_GCM,data:dTdfKCWE,iv:NnmdUyM9F8ujEIfEEl9WXGLY3zRpIy9BDeqs1frK+R0=,tag:1AblJqi2hKISXBqNdWybqQ==,type:str] ovh_application_key: ENC[AES256_GCM,data:48HzVrSa35qUSkLO7sbUwg==,iv:QfTRXsfTlgeoJdRJIph39EBbLynRNxH4DkFuuC06IuE=,tag:m8lJPHEEpK24MKUou0MTpw==,type:str] @@ -34,8 +39,8 @@ sops: MFpMemF4MGg1bmVUeWV5N25LTUtyczQKss0x4zT1kyeRu+qenhrdbcPlU/p+yjVN y3j4eGpnwgc2rxSL9vkrrkzx/atUqUkgGU/YstszUrP6XKbJ+9ydpQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-10-02T07:32:18Z" - mac: ENC[AES256_GCM,data:0fwZxJO2LKpwV4+IYbBSyrqcQt4RrqlF/2OM8vP+3B/AI3Ny6LSP851IXdwzIMtMLiGBnvl787sXmZWPcUaizq3XmQR7t9lX/q4WkgVIDZ5JQtmHc4TSYDIxECBAQ5P4V6CNsUw3gjC5X4OSLtSfil/pAXbcMFKdlVLgP4S6wMU=,iv:UlJPlLFx2y/YJQWEDCY4NyqkZuQjNH8yCeELzoa3IoU=,tag:JI1tTnMSnQiWXVZmqb+ykA==,type:str] + lastmodified: "2024-10-18T08:30:16Z" + mac: ENC[AES256_GCM,data:c4Ngpz/GK+20/SvGVVzS1n6ChLCRHIdyHfvfapy5dkMMeWbxVbVgSz6G+q0CW38deQiGMbWO3V+w/dhyI6Re3A688X+RQBnsUSqsLpXZeamxUbtqzWaS/bedBfg1T5sQLwXYpeqWoCgpd4bHfT3DfApYW02ScU7gkFQiMRlpsXA=,iv:s+ah+0zA0jBv0aDJbB2C3Y38ifD7XFNEjjFS1hCplsE=,tag:mc8DgCyVP+4y+8nqitmE1w==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.0 
diff --git a/services/authelia/configuration.yml b/services/authelia/configuration.yml index bbd1f70..154b3b1 100644 --- a/services/authelia/configuration.yml +++ b/services/authelia/configuration.yml @@ -5,14 +5,68 @@ access_control: rules: - domain: '*.gasdev.fr' policy: one_factor + server: + address: 'tcp://:9091/' endpoints: authz: forward-auth: implementation: 'ForwardAuth' + session: cookies: - domain: 'gasdev.fr' authelia_url: 'https://auth.gasdev.fr' - default_redirection_url: 'https://www.example.com' + default_redirection_url: 'https://auth.gasdev.fr/authenticated' + +authentication_backend: + password_reset: + disable: false + + file: + path: '/data/users_database.yml' + password: + algorithm: 'argon2' + +password_policy: + standard: + enabled: true + min_length: 10 + max_length: 128 + require_uppercase: true + require_lowercase: true + require_number: true + require_special: true + +storage: + local: + path: /data/db.sqlite3 + +notifier: + filesystem: + filename: '/data/notification.txt' + +log: + level: 'info' + format: 'json' + +totp: + issuer: 'gasdev.fr' + ## https://www.authelia.com/c/totp#algorithm + algorithm: 'SHA1' + + ## https://www.authelia.com/c/totp#digits + digits: 6 + period: 30 + ## See: https://www.authelia.com/c/totp#input-validation to read + skew: 1 + +webauthn: + disable: true + +duo_api: + disable: true + +ntp: + address: 'udp://time.cloudflare.com:123' diff --git a/services/authelia/default.nix b/services/authelia/default.nix index 07f46de..11f0f5a 100644 --- a/services/authelia/default.nix +++ b/services/authelia/default.nix 
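Review bot: The single access rule grants `one_factor` to every `*.gasdev.fr` host even though TOTP is configured further down in the same file; once Caddy's forward_auth is pointed at this gateway, the admin surfaces it will front (the i2p router console, uptime-kuma) deserve a `two_factor` rule ahead of the catch-all, e.g. `- domain: 'console.i2p.gasdev.fr'` / `  policy: two_factor`, which is what the TOTP setup is for. `session.cookies` sets no `expiration`, `inactivity` or `remember_me`, so Authelia's defaults apply silently; stating them explicitly documents the intended session lifetime. `totp.algorithm: 'SHA1'` with `skew: 1` is the compatible default and the linked docs explain why, so a short `# SHA1/6/30 kept for authenticator-app compatibility` comment would be enough to pre-empt the obvious "why not SHA256" question.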
@@ -16,10 +16,11 @@ environment = { AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE = "/secrets/JWT_SECRET"; AUTHELIA_SESSION_SECRET_FILE = "/secrets/SESSION_SECRET"; - AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE = "/secrets/STORAGE_PASSWORD"; + # AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE = "/secrets/STORAGE_PASSWORD"; AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = "/secrets/STORAGE_ENCRYPTION_KEY"; }; volumes = [ + "authelia-data:/data" "/run/secrets/authelia:/secrets" "/etc/authelia/configuration.yml:/config/configuration.yml" ]; diff --git a/services/default.nix b/services/default.nix index b6c457f..6387c96 100644 --- a/services/default.nix +++ b/services/default.nix @@ -1,5 +1,6 @@ { imports = [ + ./authelia ./garage ./shadowsocks ./uptime-kuma From ab7af0d67b6cb3b525b479d4efa73a8cc18a8b37 Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Fri, 18 Oct 2024 11:13:14 +0200 Subject: [PATCH 40/48] feat(authelia): Configured SMTP notifier --- secrets/OVHCloud.yaml | 7 +++++-- services/authelia/configuration.yml | 6 ++++-- services/authelia/default.nix | 2 ++ 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/secrets/OVHCloud.yaml b/secrets/OVHCloud.yaml index 869f0be..10895c1 100644 --- a/secrets/OVHCloud.yaml +++ b/secrets/OVHCloud.yaml 
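Review bot: Commenting out `AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE` leaves the `sops.secrets."authelia/STORAGE_PASSWORD".owner = "root";` declaration near the top of the file (outside the hunk) still provisioning a credential that nothing consumes, and the whole `/secrets` directory mount still hands it to the container; removing that declaration (or the secret itself) avoids carrying a dead credential. A comment on the commented-out line, `# storage is local SQLite (see configuration.yml); re-enable when switching to Postgres`, would explain why it is kept rather than deleted. The new `authelia-data:/data` named volume holds `users_database.yml` and `db.sqlite3`, so it is now the thing to back up.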
@@ -3,6 +3,9 @@ authelia: SESSION_SECRET: ENC[AES256_GCM,data:kr8+BsQhJQRmfhvzlOGBItqiRtHi2BcD9adhsL1N8FURe8sCPoOiNnwT0IM=,iv:97UPC5Woerm+ftrOMJ0HBM8jhF5ea+2H3QZU3a6i+fY=,tag:63N+r/BoBDaWYcEXUtIksw==,type:str] STORAGE_PASSWORD: ENC[AES256_GCM,data:o+7Bszd/hPOaMMF/NOHVxMTY92hUZrFYu+4gkYkMkAubYiEfsX6kus4oToA=,iv:Q2sl8ZKblupyMO7GY/VCklQWTlHRtSsuVHRC60uwPfc=,tag:QxbpVJXq3HtEzHeFLoVOEw==,type:str] STORAGE_ENCRYPTION_KEY: ENC[AES256_GCM,data:gGIayEmpkF+uLpsn69DgWcZPzeIV9xgAFBFgEMEKvSCoGx5id1bq/EFM81o=,iv:6SjBuo+/WosohTEWX8QwPqHd2f80ljx+m3WSjiChusU=,tag:pk2mNtGTOpFNcyVO8fFFuQ==,type:str] + SMTP_ADDRESS: ENC[AES256_GCM,data:490uwbjW79yKqFChSo6EzDDwIgk=,iv:HW+VVKjruP5vmJqlYSg9yR1K4R/mMeZipUX9EzTKaKk=,tag:to7dLSW/LF88SjJJaj7f0A==,type:str] + SMTP_USERNAME: ENC[AES256_GCM,data:1/5bB6lUnwdayw==,iv:T7b8i0QvPTOCtZ5/03trKUcpN+vABAfPdSECQLuhlZE=,tag:vvUuKUEK0Rw4JpOnQpMhcg==,type:str] + SMTP_PASSWORD: ENC[AES256_GCM,data:cO2y3TQx/HJpjgseJt9ju9BvjZ2ZLUMf,iv:cWQDU2gtcml4zHlvtINW6k/6CwZtjxkDNWBiMguSijw=,tag:kA3PptaPHszw1FLwA9BTvQ==,type:str] caddy: ovh_endpoint: ENC[AES256_GCM,data:dTdfKCWE,iv:NnmdUyM9F8ujEIfEEl9WXGLY3zRpIy9BDeqs1frK+R0=,tag:1AblJqi2hKISXBqNdWybqQ==,type:str] ovh_application_key: ENC[AES256_GCM,data:48HzVrSa35qUSkLO7sbUwg==,iv:QfTRXsfTlgeoJdRJIph39EBbLynRNxH4DkFuuC06IuE=,tag:m8lJPHEEpK24MKUou0MTpw==,type:str] 
@@ -39,8 +42,8 @@ sops: MFpMemF4MGg1bmVUeWV5N25LTUtyczQKss0x4zT1kyeRu+qenhrdbcPlU/p+yjVN y3j4eGpnwgc2rxSL9vkrrkzx/atUqUkgGU/YstszUrP6XKbJ+9ydpQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-10-18T08:30:16Z" - mac: ENC[AES256_GCM,data:c4Ngpz/GK+20/SvGVVzS1n6ChLCRHIdyHfvfapy5dkMMeWbxVbVgSz6G+q0CW38deQiGMbWO3V+w/dhyI6Re3A688X+RQBnsUSqsLpXZeamxUbtqzWaS/bedBfg1T5sQLwXYpeqWoCgpd4bHfT3DfApYW02ScU7gkFQiMRlpsXA=,iv:s+ah+0zA0jBv0aDJbB2C3Y38ifD7XFNEjjFS1hCplsE=,tag:mc8DgCyVP+4y+8nqitmE1w==,type:str] + lastmodified: "2024-10-18T09:05:47Z" + mac: ENC[AES256_GCM,data:fF67+S0Zv2WCIeVlQ0E+Jtg8SrKX6IeV6NrI2YAug8oN80836Yx/X5vSEz8Gj9RbEPfZmEHqZF0ccFQvOZjdY4loXBNIVqLbGGH8CqrRHuzndu8AR6/pP5WZeHYxcfKOXH+GGfix34OSkELvyXHT5ih7xWeP2gwGFeEY7jI5qPI=,iv:JPQ3wfOTpmEvZUF99KP2rfLmxGtjwZDG3T12NXY5kIM=,tag:p1GkO+i3lJVa2UpnQwGf3w==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.0 diff --git a/services/authelia/configuration.yml b/services/authelia/configuration.yml index 154b3b1..627c7ce 100644 --- a/services/authelia/configuration.yml +++ b/services/authelia/configuration.yml @@ -43,8 +43,10 @@ storage: path: /data/db.sqlite3 notifier: - filesystem: - filename: '/data/notification.txt' + smtp: + address: 'smtp.mail.ovh.net' + username: 'postmaster@gasdev.fr' + sender: 'Authelia ' log: level: 'info' diff --git a/services/authelia/default.nix b/services/authelia/default.nix index 11f0f5a..ea7ea78 100644 --- a/services/authelia/default.nix +++ b/services/authelia/default.nix @@ -1,5 +1,6 @@ {...}: { sops.secrets."authelia/JWT_SECRET".owner = "root"; + sops.secrets."authelia/SMTP_PASSWORD".owner = "root"; sops.secrets."authelia/SESSION_SECRET".owner = "root"; sops.secrets."authelia/STORAGE_PASSWORD".owner = "root"; sops.secrets."authelia/STORAGE_ENCRYPTION_KEY".owner = "root"; 
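Review bot: `address: 'smtp.mail.ovh.net'` carries no scheme or port, so Authelia falls back to its notifier defaults (plain `smtp://` on port 25, if I recall them correctly); make the transport explicit so the security posture is visible in review, e.g. `address: 'submission://smtp.mail.ovh.net:587'` (or `smtps://smtp.mail.ovh.net:465`), and leave `disable_require_tls` at its default so the password is never sent in clear. `sender: 'Authelia '` also reads as truncated — Authelia expects an address in the form `'Authelia <no-reply@gasdev.fr>'`; if the angle-bracketed part was merely stripped by rendering, ignore this part. The `notifier:` block is fully inside the hunk, but the surrounding configuration is not.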
@@ -18,6 +19,7 @@ AUTHELIA_SESSION_SECRET_FILE = "/secrets/SESSION_SECRET"; # AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE = "/secrets/STORAGE_PASSWORD"; AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = "/secrets/STORAGE_ENCRYPTION_KEY"; + AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = "/secrets/SMTP_PASSWORD"; }; volumes = [ "authelia-data:/data" From 74510601b6bc96580a2979e9591b46dd1fce6af4 Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Mon, 21 Oct 2024 10:48:54 +0200 Subject: [PATCH 41/48] feat(services): Added `penpot` service and relevant authelia config --- secrets/OVHCloud.yaml | 22 +++++- services/authelia/configuration.yml | 17 ++++ services/authelia/default.nix | 5 ++ services/default.nix | 1 + services/penpot/default.nix | 116 ++++++++++++++++++++++++++++ 5 files changed, 159 insertions(+), 2 deletions(-) create mode 100644 services/penpot/default.nix diff --git a/secrets/OVHCloud.yaml b/secrets/OVHCloud.yaml index 10895c1..28e065a 100644 --- a/secrets/OVHCloud.yaml +++ b/secrets/OVHCloud.yaml 
@@ -6,6 +6,10 @@ authelia: SMTP_ADDRESS: ENC[AES256_GCM,data:490uwbjW79yKqFChSo6EzDDwIgk=,iv:HW+VVKjruP5vmJqlYSg9yR1K4R/mMeZipUX9EzTKaKk=,tag:to7dLSW/LF88SjJJaj7f0A==,type:str] SMTP_USERNAME: ENC[AES256_GCM,data:1/5bB6lUnwdayw==,iv:T7b8i0QvPTOCtZ5/03trKUcpN+vABAfPdSECQLuhlZE=,tag:vvUuKUEK0Rw4JpOnQpMhcg==,type:str] SMTP_PASSWORD: ENC[AES256_GCM,data:cO2y3TQx/HJpjgseJt9ju9BvjZ2ZLUMf,iv:cWQDU2gtcml4zHlvtINW6k/6CwZtjxkDNWBiMguSijw=,tag:kA3PptaPHszw1FLwA9BTvQ==,type:str] + OIDC_HMAC_SECRET: ENC[AES256_GCM,data:AYVbbPVGqmx+ZOC6Y1xcHYZcz/aoTsv15v7FUL8MCU3+/VuEp0vE6pcxTxc=,iv:Pm/b1mEEgvfTKQr6FXibWAmcZGg9i+sxoqCQ+nD0aVE=,tag:6HaG0g6Rvf2lC9mzWpsHwg==,type:str] + #ENC[AES256_GCM,data:fCLX44MuqhAVHADGxHkVu53bnUSVKRzbUiucasqvu0gLbLOt1UWSyOTGhVUrgdjQC4QtemcqbTsVjBb0cvL7TA7EeYDKLg==,iv:cdhu+Vx/TfyDSsETHAfj3ZJSNRijr6pwW5Ca6uOVGLQ=,tag:2c3m2PmJ8hzU5XDk1eLJrw==,type:comment] + OIDC_JWKS_PRIVATE_KEY: ENC[AES256_GCM,data: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,iv:YGEXMLWOoQ19cbftQU9/4kFNcWIqjnw2GgZIddBwbrc=,tag:og1Avj5ZcYblJWrE2q2Bcg==,type:str] + #ENC[AES256_GCM,data:gIGYsk5h40IBhtmRM4G/yA==,iv:6tdKmKcvTQH7STvVjPIpwmGS2TEzZjX25CBwRIF8fjY=,tag:9pO4w0Zw+5iNkxwWf5VJDw==,type:comment] caddy: ovh_endpoint: ENC[AES256_GCM,data:dTdfKCWE,iv:NnmdUyM9F8ujEIfEEl9WXGLY3zRpIy9BDeqs1frK+R0=,tag:1AblJqi2hKISXBqNdWybqQ==,type:str] ovh_application_key: ENC[AES256_GCM,data:48HzVrSa35qUSkLO7sbUwg==,iv:QfTRXsfTlgeoJdRJIph39EBbLynRNxH4DkFuuC06IuE=,tag:m8lJPHEEpK24MKUou0MTpw==,type:str] 
@@ -13,6 +17,20 @@ caddy: ovh_consumer_key: ENC[AES256_GCM,data:oFLHB7obwz3F59Vt8LRxpKaHBjEaoYCrKLKPoqVHz4M=,iv:rXxR2Nv3YaT2QubZUqIi60RxaHe9ZaIT9hLiogbPVFw=,tag:5m+xXEUbN+a2fHCf+EXf9A==,type:str] garage: RPC_SECRET: ENC[AES256_GCM,data:OJbIST1mtpqMNk+MKnGFy6+tXjc6aEOMIWnfs8QY9ozpxN2apAN7ZrjAAZc3J7ORUIhUQh8Vjkb1EhxdqGxERA==,iv:NhREhGE0wz3/0sdXUxuDqWaPdjeeQFau2OEVsqpV3F0=,tag:yGYd5txtVQzIOchh2L/XXQ==,type:str] +penpot: + SECRET_KEY: ENC[AES256_GCM,data:Ebeehmby3FBDOaTxwTWg9vKTsB+w8wpa6FdxcvvRTwDR07A0Ljk4WCaPmbPBArbwB14cMSuGeDGBrvNo1x8N+u3FeMMei+TGvgJGssZynxEN7+g5gTg=,iv:ZAa3n7CCyeeeAIv48JpIZmjFiyHiXLFK+Q0Wqf7utFY=,tag:6JZZ53jEM579vYhQG4X2Fw==,type:str] + OIDC_CLIENT_SECRET: ENC[AES256_GCM,data:+GrXq113byY5XqFDE1tF4n5xcrhIjg2KI39xgxY6hEcS3r6KcF6SAFmczoscMFPJccaTv7Pcr7zfzDxGT7zDuNyj324nzvff,iv:onZV3ESU4Kbvp9x9rfXuq17FlhaoE/4ZXIwH4/bOXPc=,tag:I02FFF54NDMyJuicdwy4TA==,type:str] + SMTP_HOST: ENC[AES256_GCM,data:uFrTj1OIjs+48AmcBhsCFdXEakg=,iv:lFcAjJAC3uIc8u5KNhyiH55oBriV3cnsZ9wRXDfNM0I=,tag:1SbyUxXiKmltinkxQS8SPg==,type:str] + SMTP_PORT: ENC[AES256_GCM,data:Lnh0,iv:gCLwzWrk6hMUZjL1RGi51dS2TULtCfYnlpAOJBVBen0=,tag:fv7lwt36JpKhRjXF41Wc8g==,type:str] + SMTP_USERNAME: ENC[AES256_GCM,data:g1NvuwN+tko/mg==,iv:kXUGrBHLmk8GmZPaaiafOqkKMFhcwIh9pAEFPp716QI=,tag:WkVt+jCjfadIcTrjE8QF5A==,type:str] + SMTP_PASSWORD: ENC[AES256_GCM,data:tl7hp0a4l8JLOSQQvJNRwF4DR+83FaKI,iv:vR0KiXjnkyO1pa+fxQ6ALoYN6IMFAk07qmMe5qgRB1E=,tag:/RmJIzgjDEBH9XNMol3IUg==,type:str] + POSTGRES_USER: ENC[AES256_GCM,data:Uk7czFf4,iv:2PGek4z7UJzvs6X4Jq8wx+HkUFYGtq0kVJd5ba3M24E=,tag:QysuNOULNHBPdheBH6CRDA==,type:str] + POSTGRES_PASSWORD: ENC[AES256_GCM,data:S/VKs3mMwgnlpiDLOrvMX0VLNdCseg==,iv:opj0KJq93DWljtnAmktpzAf1l9b9OCvEPAbTC06IEbQ=,tag:DkmgRJ1AodO/sEty3C6mxg==,type:str] + AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:1hXif1dLMVHTj7nvqExW6wzFP+1BTwRcqro=,iv:fXqD2fiVQa0DH7z4s70e7ggORppgqoccP+sD6eMQsvw=,tag:g18kahkiT2G9P0SBTB4HfQ==,type:str] + AWS_SECRET_ACCESS_KEY: 
ENC[AES256_GCM,data:n+0cr0tDAUAdOu65YOj+reTzF+EoRFVAZVg5172ZKYnjWBuBYjNgy6QyqqcPvZMkBBtybdUimjDgWD6mVmNDew==,iv:UwgB7PLaCoXN/qAA63u9Q8ERkhRaNRlOpSFqrUBUExg=,tag:ggs1ED4Ryb+4+O+7VG0rTQ==,type:str] + STORAGE_ASSETS_S3_REGION: ENC[AES256_GCM,data:oV4ucbPe,iv:zNsUsftybGcQdryAB+mN9Xb/rVWOLFlVixqRLLz8WIY=,tag:FiiSjLyuK89HK1GEE3BSUA==,type:str] + STORAGE_ASSETS_S3_ENDPOINT: ENC[AES256_GCM,data:mZjvBvNZC28jUYrK8e6HHixC4GU=,iv:mppmZn7nV/gckB3+GonwQQT5U14qg1FyEnQ92pGDSZI=,tag:rAePtPdd6o+EDC0MrAToKw==,type:str] + STORAGE_ASSETS_S3_BUCKET: ENC[AES256_GCM,data:nfcjtCQVWhdT1UUYPw==,iv:mF2Esw1GvWAjkabvDde63bAq4V5pXNhbhqsK1dkg5sg=,tag:uE6qKxKSJzYtHWxPMiK3Lw==,type:str] shadowsocks: password: ENC[AES256_GCM,data:IdAvKXKckwvZUetkYSFTIPxd8nrwm13Ngc3KVDSmiW3AE4Rhmjk2VHjdUyQ=,iv:LVeQcL7XIEQyMTsXpXIROGte2+Z9+7FpemfiwhA0Pw0=,tag:qt+8jgN5UqwMeCV+D3stEQ==,type:str] wireguard: @@ -42,8 +60,8 @@ sops: MFpMemF4MGg1bmVUeWV5N25LTUtyczQKss0x4zT1kyeRu+qenhrdbcPlU/p+yjVN y3j4eGpnwgc2rxSL9vkrrkzx/atUqUkgGU/YstszUrP6XKbJ+9ydpQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-10-18T09:05:47Z" - mac: ENC[AES256_GCM,data:fF67+S0Zv2WCIeVlQ0E+Jtg8SrKX6IeV6NrI2YAug8oN80836Yx/X5vSEz8Gj9RbEPfZmEHqZF0ccFQvOZjdY4loXBNIVqLbGGH8CqrRHuzndu8AR6/pP5WZeHYxcfKOXH+GGfix34OSkELvyXHT5ih7xWeP2gwGFeEY7jI5qPI=,iv:JPQ3wfOTpmEvZUF99KP2rfLmxGtjwZDG3T12NXY5kIM=,tag:p1GkO+i3lJVa2UpnQwGf3w==,type:str] + lastmodified: "2024-10-21T07:59:44Z" + mac: ENC[AES256_GCM,data:CVwxPgx5y64xr5kHnXCmhUgghwvpa+/ulJjjHVr68EVVQp7phrIOES2oF18WF4+HFFJ64YHI9KbuOz2pTjC+7H1TDBzedtQ1azqHT/ADcnKtAdFALS6M3/CpoS8X+TFeU3P3uLEsUfR8UrPNhxm8dlH6m9A0jQMVW0Fqpsd7s0w=,iv:oVfpo0R0WY8pt8LkQv9LfqqsKcuCZNder+P6QiMyRMw=,tag:lbDls/D0f+QHRrkyaPVbww==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.0 diff --git a/services/authelia/configuration.yml b/services/authelia/configuration.yml index 627c7ce..fa18c18 100644 --- a/services/authelia/configuration.yml +++ b/services/authelia/configuration.yml 
@@ -19,6 +19,23 @@ session: authelia_url: 'https://auth.gasdev.fr' default_redirection_url: 'https://auth.gasdev.fr/authenticated' +identity_providers: + oidc: + jwks: + - key: {{ secret "/secrets/OIDC_JWKS_PRIVATE_KEY" | mindent 10 "|" | msquote }} + clients: + - client_id: 'penpot' + client_name: 'Penpot' + client_secret: $pbkdf2-sha512$310000$WuYHbHrVI3wMn/tZXwDTMA$WnS0VoR4jLNQnXjJUN46EfnC4QMdpdnNcYsGvSCpkbzguO4of.tCgAeLsfzLgWn9CSGMt20TZOQfc/7IbfwBHg + redirect_uris: 'https://penpot.gasdev.fr/api/auth/oauth/oidc/callback' + token_endpoint_auth_method: 'client_secret_post' + authorization_policy: 'one_factor' + scopes: + - 'email' + - 'openid' + - 'profile' + + authentication_backend: password_reset: disable: false diff --git a/services/authelia/default.nix b/services/authelia/default.nix index ea7ea78..e50d385 100644 --- a/services/authelia/default.nix +++ b/services/authelia/default.nix @@ -4,6 +4,8 @@ sops.secrets."authelia/SESSION_SECRET".owner = "root"; sops.secrets."authelia/STORAGE_PASSWORD".owner = "root"; sops.secrets."authelia/STORAGE_ENCRYPTION_KEY".owner = "root"; + sops.secrets."authelia/OIDC_HMAC_SECRET".owner = "root"; + sops.secrets."authelia/OIDC_JWKS_PRIVATE_KEY".owner = "root"; services.caddy.virtualHosts."auth.gasdev.fr".extraConfig = '' reverse_proxy http://127.0.0.1:9091 @@ -20,6 +22,9 @@ # AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE = "/secrets/STORAGE_PASSWORD"; AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = "/secrets/STORAGE_ENCRYPTION_KEY"; AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = "/secrets/SMTP_PASSWORD"; + AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE = "/secrets/OIDC_HMAC_SECRET"; + + X_AUTHELIA_CONFIG_FILTERS = "template"; }; volumes = [ "authelia-data:/data" diff --git a/services/default.nix b/services/default.nix index 6387c96..2234a8e 100644 --- a/services/default.nix +++ b/services/default.nix @@ -2,6 +2,7 @@ imports = [ ./authelia ./garage + ./penpot ./shadowsocks ./uptime-kuma ./wireguard 
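Review bot: `authorization_policy: 'one_factor'` means a single password at Authelia is enough to mint an ID token for Penpot, and the companion penpot hunk in this commit enables `enable-oidc-registration`, so every Authelia account auto-provisions a Penpot account; unless an access-control rule elsewhere gates `penpot.gasdev.fr`, consider `authorization_policy: 'two_factor'`. `redirect_uris` is written as a scalar while the Authelia schema documents it as a list; write it as `redirect_uris:` followed by `- 'https://penpot.gasdev.fr/api/auth/oauth/oidc/callback'` unless you have confirmed the loader coerces a single string. Committing only the pbkdf2 hash of the client secret here, with the plaintext in sops, is the right split.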
diff --git a/services/penpot/default.nix b/services/penpot/default.nix
new file mode 100644
index 0000000..208771f
--- /dev/null
+++ b/services/penpot/default.nix
@@ -0,0 +1,116 @@ +{config, ...}: { + services.caddy.virtualHosts."penpot.gasdev.fr".extraConfig = '' + reverse_proxy http://127.0.0.1:9001 + ''; + + sops.secrets."penpot/SECRET_KEY".owner = "root"; + sops.secrets."penpot/OIDC_CLIENT_SECRET".owner = "root"; + sops.secrets."penpot/SMTP_HOST".owner = "root"; + sops.secrets."penpot/SMTP_PORT".owner = "root"; + sops.secrets."penpot/SMTP_USERNAME".owner = "root"; + sops.secrets."penpot/SMTP_PASSWORD".owner = "root"; + sops.secrets."penpot/POSTGRES_USER".owner = "root"; + sops.secrets."penpot/POSTGRES_PASSWORD".owner = "root"; + sops.secrets."penpot/AWS_ACCESS_KEY_ID".owner = "root"; + sops.secrets."penpot/AWS_SECRET_ACCESS_KEY".owner = "root"; + sops.secrets."penpot/STORAGE_ASSETS_S3_REGION".owner = "root"; + sops.secrets."penpot/STORAGE_ASSETS_S3_ENDPOINT".owner = "root"; + sops.secrets."penpot/STORAGE_ASSETS_S3_BUCKET".owner = "root"; + sops.templates."penpot.env" = { + content = '' + PENPOT_SECRET_KEY=${config.sops.placeholder."penpot/SECRET_KEY"} + PENPOT_OIDC_CLIENT_SECRET=${config.sops.placeholder."penpot/OIDC_CLIENT_SECRET"} + # SMTP + PENPOT_SMTP_HOST=${config.sops.placeholder."penpot/SMTP_HOST"} + PENPOT_SMTP_PORT=${config.sops.placeholder."penpot/SMTP_PORT"} + PENPOT_SMTP_USERNAME=${config.sops.placeholder."penpot/SMTP_USERNAME"} + PENPOT_SMTP_PASSWORD=${config.sops.placeholder."penpot/SMTP_PASSWORD"} + # Database + PENPOT_DATABASE_USERNAME=${config.sops.placeholder."penpot/POSTGRES_USER"} + PENPOT_DATABASE_PASSWORD=${config.sops.placeholder."penpot/POSTGRES_PASSWORD"} + POSTGRES_USER=${config.sops.placeholder."penpot/POSTGRES_USER"} + POSTGRES_PASSWORD=${config.sops.placeholder."penpot/POSTGRES_PASSWORD"} + # Storage + AWS_ACCESS_KEY_ID=${config.sops.placeholder."penpot/AWS_ACCESS_KEY_ID"} + AWS_SECRET_ACCESS_KEY=${config.sops.placeholder."penpot/AWS_SECRET_ACCESS_KEY"} + PENPOT_STORAGE_ASSETS_S3_REGION=${config.sops.placeholder."penpot/STORAGE_ASSETS_S3_REGION"} + 
PENPOT_STORAGE_ASSETS_S3_BUCKET=${config.sops.placeholder."penpot/STORAGE_ASSETS_S3_BUCKET"} + PENPOT_STORAGE_ASSETS_S3_ENDPOINT=${config.sops.placeholder."penpot/STORAGE_ASSETS_S3_ENDPOINT"} + ''; + owner = "root"; + }; + + virtualisation.oci-containers.containers = { + penpot-frontend = { + image = "docker.io/penpotapp/frontend:latest"; + autoStart = true; + ports = ["127.0.0.1:9001:80"]; + volumes = [ + "penpot_assets:/opt/data/assets" + ]; + environment = { + PENPOT_FLAGS = "disable-login-with-password disable-registration enable-login-with-oidc"; + }; + dependsOn = [ + "penpot-backend" + "penpot-exporter" + ]; + }; + penpot-backend = { + image = "docker.io/penpotapp/backend:latest"; + autoStart = true; + volumes = [ + "penpot_assets:/opt/data/assets" + ]; + environment = { + PENPOT_FLAGS = "disable-login-with-password enable-login-with-oidc enable-oidc-registration enable-smtp"; + # Auth + PENPOT_OIDC_CLIENT_ID = "penpot"; + PENPOT_OIDC_BASE_URI = "https://auth.gasdev.fr"; + PENPOT_PUBLIC_URI = "https://penpot.gasdev.fr"; + # DB + PENPOT_DATABASE_URI = "postgresql://penpot-postgres/penpot"; + PENPOT_REDIS_URI = "redis://penpot-redis/0"; + # Storage + PENPOT_ASSETS_STORAGE_BACKEND = "assets-s3"; + # SMTP + PENPOT_SMTP_DEFAULT_FROM = "no-reply@gasdev.fr"; + PENPOT_SMTP_DEFAULT_REPLY_TO = "no-reply@gasdev.fr"; + PENPOT_SMTP_SSL = "true"; + PENPOT_SMTP_TLS = "true"; + # Other + PENPOT_TELEMETRY_ENABLED = "false"; + }; + environmentFiles = [ + config.sops.templates."penpot.env".path + ]; + dependsOn = [ + "penpot-postgres" + "penpot-redis" + ]; + }; + penpot-exporter = { + image = "docker.io/penpotapp/exporter:latest"; + autoStart = true; + environment = { + PENPOT_PUBLIC_URI = "http://penpot-frontend"; + PENPOT_REDIS_URI = "redis://penpot-redis/0"; + }; + }; + penpot-postgres = { + image = "docker.io/postgres:15"; + autoStart = true; + environment = { + POSTGRES_INITDB_ARGS = "--data-checksums"; + POSTGRES_DB = "penpot"; + }; + environmentFiles = [ + 
config.sops.templates."penpot.env".path + ]; + }; + penpot-redis = { + image = "docker.io/redis:7"; + autoStart = true; + }; + }; +} From 5fb7082751801f61862b711f936fb0ccc390e0d1 Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Wed, 23 Oct 2024 13:42:45 +0200 Subject: [PATCH 42/48] fix(penpot): Asset storage backend now `assets-fs` Because S3 backend isn't currently compatible with garage (I guess) --- services/penpot/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/penpot/default.nix b/services/penpot/default.nix index 208771f..323396c 100644 --- a/services/penpot/default.nix +++ b/services/penpot/default.nix @@ -72,7 +72,7 @@ PENPOT_DATABASE_URI = "postgresql://penpot-postgres/penpot"; PENPOT_REDIS_URI = "redis://penpot-redis/0"; # Storage - PENPOT_ASSETS_STORAGE_BACKEND = "assets-s3"; + PENPOT_ASSETS_STORAGE_BACKEND = "assets-fs"; # SMTP PENPOT_SMTP_DEFAULT_FROM = "no-reply@gasdev.fr"; PENPOT_SMTP_DEFAULT_REPLY_TO = "no-reply@gasdev.fr"; From 97486473bc73e60eda4ab594dbf2cf534f3fc42d Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Wed, 23 Oct 2024 13:46:39 +0200 Subject: [PATCH 43/48] chore(services/penpot): Disabled onboarding questions and newsletter --- services/penpot/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/penpot/default.nix b/services/penpot/default.nix index 323396c..2447176 100644 --- a/services/penpot/default.nix +++ b/services/penpot/default.nix @@ -49,7 +49,7 @@ "penpot_assets:/opt/data/assets" ]; environment = { - PENPOT_FLAGS = "disable-login-with-password disable-registration enable-login-with-oidc"; + PENPOT_FLAGS = "disable-login-with-password disable-registration enable-login-with-oidc disable-onboarding-newsletter disable-onboarding-questions"; }; dependsOn = [ "penpot-backend" From c522f2aac494443e4e39009b672cb7a0e040e5c0 Mon Sep 17 00:00:00 2001 
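Review bot: The single `penpot.env` template is handed to both `penpot-backend` and `penpot-postgres` through `environmentFiles`, so the Postgres container receives `PENPOT_SECRET_KEY`, the OIDC client secret, the SMTP credentials and the S3 keys it never uses; a compromise of that container, or a `podman inspect`/`docker inspect` on the host, exposes all of them at once. Split the template so the database container only gets `POSTGRES_USER`/`POSTGRES_PASSWORD`, as sketched below, and drop those two lines from `penpot.env` (the backend reads `PENPOT_DATABASE_USERNAME`/`PENPOT_DATABASE_PASSWORD`). Separately, all five images are pulled by floating tag (`:latest`, `postgres:15`, `redis:7`), so each host rebuild may silently pick up a different image; pin by digest (`image = "docker.io/penpotapp/backend@sha256:…"`) or at least a full version tag. Redis is also started without authentication, which is probably acceptable on a private container network but worth confirming.
```nix
  # Database-only credentials: keeps the OIDC, SMTP and S3 secrets out of
  # the Postgres container's environment.
  sops.templates."penpot-postgres.env" = {
    content = ''
      POSTGRES_USER=${config.sops.placeholder."penpot/POSTGRES_USER"}
      POSTGRES_PASSWORD=${config.sops.placeholder."penpot/POSTGRES_PASSWORD"}
    '';
    owner = "root";
  };
  # … unchanged: penpot.env template (minus its POSTGRES_* lines), frontend/backend/exporter containers …
    penpot-postgres = {
      # … unchanged: image, autoStart, environment …
      environmentFiles = [
        config.sops.templates."penpot-postgres.env".path
      ];
    };
```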
From: GaspardCulis Date: Wed, 23 Oct 2024 13:58:36 +0200 Subject: [PATCH 44/48] fix(services -> penpot): Fixed onboarding messages not being disabled. And re-enabled password login --- services/penpot/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/penpot/default.nix b/services/penpot/default.nix index 2447176..cba97af 100644 --- a/services/penpot/default.nix +++ b/services/penpot/default.nix @@ -49,7 +49,7 @@ "penpot_assets:/opt/data/assets" ]; environment = { - PENPOT_FLAGS = "disable-login-with-password disable-registration enable-login-with-oidc disable-onboarding-newsletter disable-onboarding-questions"; + PENPOT_FLAGS = "disable-registration enable-login-with-oidc"; }; dependsOn = [ "penpot-backend" @@ -63,7 +63,7 @@ "penpot_assets:/opt/data/assets" ]; environment = { - PENPOT_FLAGS = "disable-login-with-password enable-login-with-oidc enable-oidc-registration enable-smtp"; + PENPOT_FLAGS = "disable-login-with-password enable-login-with-oidc enable-oidc-registration enable-smtp disable-onboarding-newsletter disable-onboarding-questions"; # Auth PENPOT_OIDC_CLIENT_ID = "penpot"; PENPOT_OIDC_BASE_URI = "https://auth.gasdev.fr"; From 927ab2306d90c76fbd45aa28afc171e55cbe303a Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Wed, 23 Oct 2024 14:05:26 +0200 Subject: [PATCH 45/48] fix(services/penpot): Added missing volume for penpot-postgres --- services/penpot/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/services/penpot/default.nix b/services/penpot/default.nix index cba97af..79e9def 100644 --- a/services/penpot/default.nix +++ b/services/penpot/default.nix @@ -100,6 +100,9 @@ penpot-postgres = { image = "docker.io/postgres:15"; autoStart = true; + volumes = [ + "penpot_postgres:/var/lib/postgresql/data" + ]; environment = { POSTGRES_INITDB_ARGS = "--data-checksums"; POSTGRES_DB = "penpot"; From d65d40ae4d157a37a20e39a58ecb7ea12e2996a8 Mon Sep 17 00:00:00 2001
From: GaspardCulis Date: Wed, 23 Oct 2024 14:19:00 +0200 Subject: [PATCH 46/48] chore(services -> penpot): Tweak `PENPOT_FLAGS` for frontend and backend --- services/penpot/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/penpot/default.nix b/services/penpot/default.nix index 79e9def..f7b88bf 100644 --- a/services/penpot/default.nix +++ b/services/penpot/default.nix @@ -49,7 +49,7 @@ "penpot_assets:/opt/data/assets" ]; environment = { - PENPOT_FLAGS = "disable-registration enable-login-with-oidc"; + PENPOT_FLAGS = "disable-registration enable-login-with-oidc enable-oidc-registration disable-onboarding disable-onboarding-newsletter disable-onboarding-questions"; }; dependsOn = [ "penpot-backend" @@ -63,7 +63,7 @@ "penpot_assets:/opt/data/assets" ]; environment = { - PENPOT_FLAGS = "disable-login-with-password enable-login-with-oidc enable-oidc-registration enable-smtp disable-onboarding-newsletter disable-onboarding-questions"; + PENPOT_FLAGS = "disable-registration enable-login-with-oidc enable-oidc-registration enable-smtp"; # Auth PENPOT_OIDC_CLIENT_ID = "penpot"; PENPOT_OIDC_BASE_URI = "https://auth.gasdev.fr"; From 3e795794d4d6c9f7c8c06ff9a6891d2fb6223d3f Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Wed, 23 Oct 2024 14:22:16 +0200 Subject: [PATCH 47/48] fix(secrets -> ovh): Fixed SMTP related secrets --- secrets/OVHCloud.yaml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/secrets/OVHCloud.yaml b/secrets/OVHCloud.yaml index 28e065a..a0dec03 100644 --- a/secrets/OVHCloud.yaml +++ b/secrets/OVHCloud.yaml 
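Review bot: The backend hunk drops `disable-login-with-password`, so the server accepts password logins again even though this series set Penpot up to authenticate through Authelia; the frontend flag only hides the form, the backend flag is the enforcement point. If password login is meant to stay (patch 44's message says it was re-enabled on purpose) the two hunks are consistent, but local password accounts then bypass Authelia's policy entirely, so the `one_factor`/`two_factor` choice on the Authelia client no longer bounds access to Penpot. If OIDC is meant to be the only path, keep the flag on the backend: `PENPOT_FLAGS = "disable-login-with-password disable-registration enable-login-with-oidc enable-oidc-registration enable-smtp";`. Both hunks sit inside the `virtualisation.oci-containers.containers` set, which starts outside them.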
@@ -3,8 +3,6 @@ authelia: SESSION_SECRET: ENC[AES256_GCM,data:kr8+BsQhJQRmfhvzlOGBItqiRtHi2BcD9adhsL1N8FURe8sCPoOiNnwT0IM=,iv:97UPC5Woerm+ftrOMJ0HBM8jhF5ea+2H3QZU3a6i+fY=,tag:63N+r/BoBDaWYcEXUtIksw==,type:str] STORAGE_PASSWORD: ENC[AES256_GCM,data:o+7Bszd/hPOaMMF/NOHVxMTY92hUZrFYu+4gkYkMkAubYiEfsX6kus4oToA=,iv:Q2sl8ZKblupyMO7GY/VCklQWTlHRtSsuVHRC60uwPfc=,tag:QxbpVJXq3HtEzHeFLoVOEw==,type:str] STORAGE_ENCRYPTION_KEY: ENC[AES256_GCM,data:gGIayEmpkF+uLpsn69DgWcZPzeIV9xgAFBFgEMEKvSCoGx5id1bq/EFM81o=,iv:6SjBuo+/WosohTEWX8QwPqHd2f80ljx+m3WSjiChusU=,tag:pk2mNtGTOpFNcyVO8fFFuQ==,type:str] - SMTP_ADDRESS: ENC[AES256_GCM,data:490uwbjW79yKqFChSo6EzDDwIgk=,iv:HW+VVKjruP5vmJqlYSg9yR1K4R/mMeZipUX9EzTKaKk=,tag:to7dLSW/LF88SjJJaj7f0A==,type:str] - SMTP_USERNAME: ENC[AES256_GCM,data:1/5bB6lUnwdayw==,iv:T7b8i0QvPTOCtZ5/03trKUcpN+vABAfPdSECQLuhlZE=,tag:vvUuKUEK0Rw4JpOnQpMhcg==,type:str] SMTP_PASSWORD: ENC[AES256_GCM,data:cO2y3TQx/HJpjgseJt9ju9BvjZ2ZLUMf,iv:cWQDU2gtcml4zHlvtINW6k/6CwZtjxkDNWBiMguSijw=,tag:kA3PptaPHszw1FLwA9BTvQ==,type:str] OIDC_HMAC_SECRET: ENC[AES256_GCM,data:AYVbbPVGqmx+ZOC6Y1xcHYZcz/aoTsv15v7FUL8MCU3+/VuEp0vE6pcxTxc=,iv:Pm/b1mEEgvfTKQr6FXibWAmcZGg9i+sxoqCQ+nD0aVE=,tag:6HaG0g6Rvf2lC9mzWpsHwg==,type:str] #ENC[AES256_GCM,data:fCLX44MuqhAVHADGxHkVu53bnUSVKRzbUiucasqvu0gLbLOt1UWSyOTGhVUrgdjQC4QtemcqbTsVjBb0cvL7TA7EeYDKLg==,iv:cdhu+Vx/TfyDSsETHAfj3ZJSNRijr6pwW5Ca6uOVGLQ=,tag:2c3m2PmJ8hzU5XDk1eLJrw==,type:comment] 
@@ -20,9 +18,9 @@ garage: penpot: SECRET_KEY: ENC[AES256_GCM,data:Ebeehmby3FBDOaTxwTWg9vKTsB+w8wpa6FdxcvvRTwDR07A0Ljk4WCaPmbPBArbwB14cMSuGeDGBrvNo1x8N+u3FeMMei+TGvgJGssZynxEN7+g5gTg=,iv:ZAa3n7CCyeeeAIv48JpIZmjFiyHiXLFK+Q0Wqf7utFY=,tag:6JZZ53jEM579vYhQG4X2Fw==,type:str] OIDC_CLIENT_SECRET: ENC[AES256_GCM,data:+GrXq113byY5XqFDE1tF4n5xcrhIjg2KI39xgxY6hEcS3r6KcF6SAFmczoscMFPJccaTv7Pcr7zfzDxGT7zDuNyj324nzvff,iv:onZV3ESU4Kbvp9x9rfXuq17FlhaoE/4ZXIwH4/bOXPc=,tag:I02FFF54NDMyJuicdwy4TA==,type:str] - SMTP_HOST: ENC[AES256_GCM,data:uFrTj1OIjs+48AmcBhsCFdXEakg=,iv:lFcAjJAC3uIc8u5KNhyiH55oBriV3cnsZ9wRXDfNM0I=,tag:1SbyUxXiKmltinkxQS8SPg==,type:str] + SMTP_HOST: ENC[AES256_GCM,data:grXf4aoolCIEF+xomL9ziE4=,iv:HeUUuJJEjq/CWCWfrxe8ujBaMidFM6B49oHedjD7b3M=,tag:fnsUU8DhgUjtjoKkqw3c4g==,type:str] SMTP_PORT: ENC[AES256_GCM,data:Lnh0,iv:gCLwzWrk6hMUZjL1RGi51dS2TULtCfYnlpAOJBVBen0=,tag:fv7lwt36JpKhRjXF41Wc8g==,type:str] - SMTP_USERNAME: ENC[AES256_GCM,data:g1NvuwN+tko/mg==,iv:kXUGrBHLmk8GmZPaaiafOqkKMFhcwIh9pAEFPp716QI=,tag:WkVt+jCjfadIcTrjE8QF5A==,type:str] + SMTP_USERNAME: ENC[AES256_GCM,data:VW/cB/BIisGfhwWNLNvRCvWGYI8=,iv:u+nAfJUfMZtthe18DPy4yBEWcbh52ZrUsbaOW8vnbVw=,tag:PLq47UuvDzd/X1aoCtRJjw==,type:str] SMTP_PASSWORD: ENC[AES256_GCM,data:tl7hp0a4l8JLOSQQvJNRwF4DR+83FaKI,iv:vR0KiXjnkyO1pa+fxQ6ALoYN6IMFAk07qmMe5qgRB1E=,tag:/RmJIzgjDEBH9XNMol3IUg==,type:str] POSTGRES_USER: ENC[AES256_GCM,data:Uk7czFf4,iv:2PGek4z7UJzvs6X4Jq8wx+HkUFYGtq0kVJd5ba3M24E=,tag:QysuNOULNHBPdheBH6CRDA==,type:str] POSTGRES_PASSWORD: ENC[AES256_GCM,data:S/VKs3mMwgnlpiDLOrvMX0VLNdCseg==,iv:opj0KJq93DWljtnAmktpzAf1l9b9OCvEPAbTC06IEbQ=,tag:DkmgRJ1AodO/sEty3C6mxg==,type:str] 
@@ -60,8 +58,8 @@ sops: MFpMemF4MGg1bmVUeWV5N25LTUtyczQKss0x4zT1kyeRu+qenhrdbcPlU/p+yjVN y3j4eGpnwgc2rxSL9vkrrkzx/atUqUkgGU/YstszUrP6XKbJ+9ydpQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-10-21T07:59:44Z" - mac: ENC[AES256_GCM,data:CVwxPgx5y64xr5kHnXCmhUgghwvpa+/ulJjjHVr68EVVQp7phrIOES2oF18WF4+HFFJ64YHI9KbuOz2pTjC+7H1TDBzedtQ1azqHT/ADcnKtAdFALS6M3/CpoS8X+TFeU3P3uLEsUfR8UrPNhxm8dlH6m9A0jQMVW0Fqpsd7s0w=,iv:oVfpo0R0WY8pt8LkQv9LfqqsKcuCZNder+P6QiMyRMw=,tag:lbDls/D0f+QHRrkyaPVbww==,type:str] + lastmodified: "2024-10-23T12:22:14Z" + mac: ENC[AES256_GCM,data:+x/QFSLjXqgJ3FLTvXABF0dpLBMVKfTb3o2qmQvygzaPiXHP0rjGQbXKaxczMng8t8nGo8nEKbSvf/0Ih8ruOCnmpw5ByB4iLd5vtlhhYmQ7vXlpCDHAjtkwA/aTJpZbJLUvPnDLCDX1uopcVUfJZstuRgBBMqEa4TQ8uHZAQ5M=,iv:O5bozwctz2q0YERDllsGyUDHAPNtosqetaUqjC2pIac=,tag:NR671Rrpo3HuJl+o/9mPWw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.0 From 13d9acd26ed4c6edfe12548eb74347d97d70d666 Mon Sep 17 00:00:00 2001 From: GaspardCulis Date: Thu, 24 Oct 2024 12:29:18 +0200 Subject: [PATCH 48/48] feat(services): Added `gitlab` services. Not enabled tho --- secrets/OVHCloud.yaml | 11 +++++++++-- services/gitlab/default.nix | 27 +++++++++++++++++++++++++++ 2 files changed, 36 insertions(+), 2 deletions(-) create mode 100644 services/gitlab/default.nix diff --git a/secrets/OVHCloud.yaml b/secrets/OVHCloud.yaml index a0dec03..74541cb 100644 --- a/secrets/OVHCloud.yaml +++ b/secrets/OVHCloud.yaml 
@@ -15,6 +15,13 @@ caddy: ovh_consumer_key: ENC[AES256_GCM,data:oFLHB7obwz3F59Vt8LRxpKaHBjEaoYCrKLKPoqVHz4M=,iv:rXxR2Nv3YaT2QubZUqIi60RxaHe9ZaIT9hLiogbPVFw=,tag:5m+xXEUbN+a2fHCf+EXf9A==,type:str] garage: RPC_SECRET: ENC[AES256_GCM,data:OJbIST1mtpqMNk+MKnGFy6+tXjc6aEOMIWnfs8QY9ozpxN2apAN7ZrjAAZc3J7ORUIhUQh8Vjkb1EhxdqGxERA==,iv:NhREhGE0wz3/0sdXUxuDqWaPdjeeQFau2OEVsqpV3F0=,tag:yGYd5txtVQzIOchh2L/XXQ==,type:str] +gitlab: + DATABASE_PASSWORD: ENC[AES256_GCM,data:XINUoSf8FdPdZamlU5OlVf5cwNzd+1cC,iv:pdExA2VOiaQPEVSqNqnTLpqC72Q/bMlZqVVKuUOjTlg=,tag:nTZiUxo4YIDluRSJJ0yj0w==,type:str] + INITIAL_ROOT_PASSWORD: ENC[AES256_GCM,data:Bst1bbspfLgcvRk=,iv:3H2b9gL8jCEmMUWhrlzy05LghfMa/+6wRDNGITjO3XM=,tag:PXsZ6+2kp9SuS6XRUjCeGw==,type:str] + SECRET_KEY: ENC[AES256_GCM,data:JBaEx7ktyvbAHoShcgWygrOZcdRoNcpZfiQ8oksxWj+py0dSkbKjzQ0SRRQ=,iv:C6W2SJoIPMg2WYMj1ZrcabcYxwqUgGZzQcKOrBp+rFs=,tag:EpykSmAEvgryxNEca9TM8A==,type:str] + OTP_KEY: ENC[AES256_GCM,data:BphY+ZO26N82iN1782ephpyqYwTt3UmCawX9/1kwvWEo5OebpUOOOQnR03I=,iv:EaHAW/sb1MGfN9ZFeB8t4xxVUtxb5jM7uL06/eGPxck=,tag:Qg+0oBsc0oB1T8NO2Znw5g==,type:str] + DB_KEY: ENC[AES256_GCM,data:9Yso0CEnpAU/sX2NW8roSz+w/lhfK220f35U8Z3t+GNOi+Zd7Ybb/7kill4=,iv:fsQ86NRJbLYfjFZ/ka6po1o35dagqmiqhfQmUQNzlPg=,tag:LV9Sh+TlYv+kRW0bLWajnw==,type:str] + JWS_KEY: ENC[AES256_GCM,data:7QGTClTixUmLFuPwkdvaVbPfZhVFpjtnW4/T6W0Lpu2j5Xt1jxijgRSHYRo=,iv:9v5TGU8+SlKzAQtfF/3VBQ4D9asyNcOOa4ElEG7OQdE=,tag:MPWKPJtFfIeo38uCVG1H7w==,type:str] penpot: SECRET_KEY: ENC[AES256_GCM,data:Ebeehmby3FBDOaTxwTWg9vKTsB+w8wpa6FdxcvvRTwDR07A0Ljk4WCaPmbPBArbwB14cMSuGeDGBrvNo1x8N+u3FeMMei+TGvgJGssZynxEN7+g5gTg=,iv:ZAa3n7CCyeeeAIv48JpIZmjFiyHiXLFK+Q0Wqf7utFY=,tag:6JZZ53jEM579vYhQG4X2Fw==,type:str] OIDC_CLIENT_SECRET: ENC[AES256_GCM,data:+GrXq113byY5XqFDE1tF4n5xcrhIjg2KI39xgxY6hEcS3r6KcF6SAFmczoscMFPJccaTv7Pcr7zfzDxGT7zDuNyj324nzvff,iv:onZV3ESU4Kbvp9x9rfXuq17FlhaoE/4ZXIwH4/bOXPc=,tag:I02FFF54NDMyJuicdwy4TA==,type:str] 
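Review bot: `JWS_KEY` does not look like what the NixOS `services.gitlab.secrets.jwsFile` option consumes: AES-GCM is length-preserving, and this ciphertext (60 base64 characters) decodes to 44 bytes, whereas that option, if I read it correctly, expects an RSA private key in PEM form (the documented recipe is `openssl genrsa 2048`, roughly 1.7 KB), so GitLab's OpenID Connect signing will fail with a random 44-byte string. Generate the PEM and store it as a multi-line value under `gitlab:`, the way the Authelia `OIDC_JWKS_PRIVATE_KEY` is stored earlier in this file. By the same reasoning `INITIAL_ROOT_PASSWORD` is 11 bytes long; it only seeds the first `root` account, so rotate it after the first login. The other three 44-byte keys are fine as opaque secrets.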
@@ -58,8 +65,8 @@ sops: MFpMemF4MGg1bmVUeWV5N25LTUtyczQKss0x4zT1kyeRu+qenhrdbcPlU/p+yjVN y3j4eGpnwgc2rxSL9vkrrkzx/atUqUkgGU/YstszUrP6XKbJ+9ydpQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-10-23T12:22:14Z" - mac: ENC[AES256_GCM,data:+x/QFSLjXqgJ3FLTvXABF0dpLBMVKfTb3o2qmQvygzaPiXHP0rjGQbXKaxczMng8t8nGo8nEKbSvf/0Ih8ruOCnmpw5ByB4iLd5vtlhhYmQ7vXlpCDHAjtkwA/aTJpZbJLUvPnDLCDX1uopcVUfJZstuRgBBMqEa4TQ8uHZAQ5M=,iv:O5bozwctz2q0YERDllsGyUDHAPNtosqetaUqjC2pIac=,tag:NR671Rrpo3HuJl+o/9mPWw==,type:str] + lastmodified: "2024-10-24T10:04:55Z" + mac: ENC[AES256_GCM,data:fXCKFVev+ALjXdSPDw7QynQvh2ItusAUq/ZHCUv2dTLZcoW1/42hOyRexQPoQTAw+mACB1Sp9IPu5N5Gg3TSoxV6I67q7+S8FZVzfB1a8wMTIDF1vSOp5eHM3g6i8Wjip23V0LqUqjok4tuunDVnkOmp0uD0fLlaIiTpFgS3HJo=,iv:iq8CYdzR2F4knyTBHYIsS/hF+WCYcWXrpBAl2Ow60A0=,tag:hmNaTtIUqHRbU9aFzD6gww==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.0 diff --git a/services/gitlab/default.nix b/services/gitlab/default.nix new file mode 100644 index 0000000..9502e90 --- /dev/null +++ b/services/gitlab/default.nix 
@@ -0,0 +1,27 @@
+{config, ...}: let
+  port = 8086;
+in {
+  sops.secrets."gitlab/DATABASE_PASSWORD".owner = "gitlab";
+  sops.secrets."gitlab/INITIAL_ROOT_PASSWORD".owner = "gitlab";
+  sops.secrets."gitlab/SECRET_KEY".owner = "gitlab";
+  sops.secrets."gitlab/OTP_KEY".owner = "gitlab";
+  sops.secrets."gitlab/DB_KEY".owner = "gitlab";
+  sops.secrets."gitlab/JWS_KEY".owner = "gitlab";
+
+  services.caddy.virtualHosts."git.gasdev.fr".extraConfig = ''
+    reverse_proxy http://127.0.0.1:${toString port}
+  '';
+
+  services.gitlab = {
+    enable = true;
+    port = port;
+    databasePasswordFile = config.sops.secrets."gitlab/DATABASE_PASSWORD".path;
+    initialRootPasswordFile = config.sops.secrets."gitlab/INITIAL_ROOT_PASSWORD".path;
+    secrets = {
+      secretFile = config.sops.secrets."gitlab/SECRET_KEY".path;
+      otpFile = config.sops.secrets."gitlab/OTP_KEY".path;
+      dbFile = config.sops.secrets."gitlab/DB_KEY".path;
+      jwsFile = config.sops.secrets."gitlab/JWS_KEY".path;
+    };
+  };
+}
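Review bot: `services.gitlab` is declared with no `host` and no `https`, so GitLab builds its external URL from the NixOS defaults (the machine hostname over plain http); behind the TLS-terminating Caddy vhost for `git.gasdev.fr` that breaks redirects and leaves session cookies without the `Secure` flag. As I read the NixOS module, `port` is likewise the port advertised in copy-paste URLs rather than a listen port, and Workhorse listens on the unix socket `/run/gitlab/gitlab-workhorse.socket`, so `reverse_proxy http://127.0.0.1:8086` would point at nothing; the shape below addresses both (Caddy's user also needs access to the socket, and the `let port` binding becomes unused). The module is not yet imported in `services/default.nix`, which matches the commit message.
```nix
  services.caddy.virtualHosts."git.gasdev.fr".extraConfig = ''
    reverse_proxy unix//run/gitlab/gitlab-workhorse.socket
  '';

  services.gitlab = {
    enable = true;
    host = "git.gasdev.fr";
    https = true;
    port = 443;
    # … unchanged: databasePasswordFile, initialRootPasswordFile, secrets …
  };
```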