Compare commits
16 commits
10d4078fd2
...
dff14a180b
Author | SHA1 | Date | |
---|---|---|---|
|
dff14a180b | ||
|
bae75ef0a4 | ||
|
47f0dbd2d4 | ||
|
a4f8d01313 | ||
|
805e5ee2ae | ||
|
d8304b993d | ||
|
a1e3f8cfc3 | ||
|
29fc1dbf24 | ||
|
fd83bd2dc2 | ||
|
dab42bd8c2 | ||
|
1fa4d2bc87 | ||
|
0cb54a4a35 | ||
|
1207101eab | ||
|
913b582d2e | ||
|
9046a53e3e | ||
|
d2f311cbfc |
13 changed files with 217 additions and 20 deletions
|
@ -1,10 +1,17 @@
|
||||||
keys:
|
keys:
|
||||||
- &admin_gaspard age1rgu2e75kt4uztr43y6wj70uz2sj3tr9lz58y4h6rk37alq2vwa5q9v35dr
|
- &admin_gaspard age1rgu2e75kt4uztr43y6wj70uz2sj3tr9lz58y4h6rk37alq2vwa5q9v35dr
|
||||||
- &server_ovh age1th4zyxdg3y5sdza9v3zlezzru7wyqwvk5y0t7jdv97ej3gd6d5hs5mg7cr
|
- &server_ovh age1th4zyxdg3y5sdza9v3zlezzru7wyqwvk5y0t7jdv97ej3gd6d5hs5mg7cr
|
||||||
|
- &server_pi4 age18gts35ruwj67kjgjtgrgrxup83apr8ekgrp98r434wcn2pf0l9sqnq5j2y
|
||||||
creation_rules:
|
creation_rules:
|
||||||
- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
|
- path_regex: secrets/OVHCloud/[^/]+\.(yaml|json|env|ini)$
|
||||||
key_groups:
|
key_groups:
|
||||||
- pgp:
|
- pgp:
|
||||||
age:
|
age:
|
||||||
- *admin_gaspard
|
- *admin_gaspard
|
||||||
- *server_ovh
|
- *server_ovh
|
||||||
|
- path_regex: secrets/pi4/[^/]+\.(yaml|json|env|ini)$
|
||||||
|
key_groups:
|
||||||
|
- pgp:
|
||||||
|
age:
|
||||||
|
- *admin_gaspard
|
||||||
|
- *server_pi4
|
||||||
|
|
16
flake.lock
16
flake.lock
|
@ -479,6 +479,21 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"nixos-hardware": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1730828750,
|
||||||
|
"narHash": "sha256-XrnZLkLiBYNlwV5gus/8DT7nncF1TS5la6Be7rdVOpI=",
|
||||||
|
"owner": "nixos",
|
||||||
|
"repo": "nixos-hardware",
|
||||||
|
"rev": "2e78b1af8025108ecd6edaa3ab09695b8a4d3d55",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "nixos",
|
||||||
|
"repo": "nixos-hardware",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1727348695,
|
"lastModified": 1727348695,
|
||||||
|
@ -542,6 +557,7 @@
|
||||||
"hyprland"
|
"hyprland"
|
||||||
],
|
],
|
||||||
"jovian": "jovian",
|
"jovian": "jovian",
|
||||||
|
"nixos-hardware": "nixos-hardware",
|
||||||
"nixpkgs": "nixpkgs_2",
|
"nixpkgs": "nixpkgs_2",
|
||||||
"sops-nix": "sops-nix"
|
"sops-nix": "sops-nix"
|
||||||
}
|
}
|
||||||
|
|
47
flake.nix
47
flake.nix
|
@ -56,6 +56,9 @@
|
||||||
url = "github:Jovian-Experiments/Jovian-NixOS";
|
url = "github:Jovian-Experiments/Jovian-NixOS";
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Rasoberry PI
|
||||||
|
nixos-hardware.url = "github:nixos/nixos-hardware";
|
||||||
};
|
};
|
||||||
|
|
||||||
outputs = {
|
outputs = {
|
||||||
|
@ -66,11 +69,12 @@
|
||||||
sops-nix,
|
sops-nix,
|
||||||
home-manager,
|
home-manager,
|
||||||
jovian,
|
jovian,
|
||||||
|
nixos-hardware,
|
||||||
...
|
...
|
||||||
} @ inputs: let
|
} @ inputs: let
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
pkgs = nixpkgs.legacyPackages.${system};
|
pkgs = nixpkgs.legacyPackages.${system};
|
||||||
in {
|
in rec {
|
||||||
nixosConfigurations = {
|
nixosConfigurations = {
|
||||||
Zephyrus = nixpkgs.lib.nixosSystem {
|
Zephyrus = nixpkgs.lib.nixosSystem {
|
||||||
extraArgs = {inherit inputs;};
|
extraArgs = {inherit inputs;};
|
||||||
|
@ -91,6 +95,17 @@
|
||||||
home-manager.nixosModules.home-manager
|
home-manager.nixosModules.home-manager
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
pi4 = nixpkgs.lib.nixosSystem {
|
||||||
|
extraArgs = {inherit inputs;};
|
||||||
|
system = "aarch64-linux";
|
||||||
|
modules = [
|
||||||
|
./hosts/pi4
|
||||||
|
"${nixpkgs}/nixos/modules/profiles/minimal.nix"
|
||||||
|
nixos-hardware.nixosModules.raspberry-pi-4
|
||||||
|
sops-nix.nixosModules.sops
|
||||||
|
];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
homeConfigurations = {
|
homeConfigurations = {
|
||||||
|
@ -113,7 +128,8 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
deploy.nodes.OVHCloud = {
|
deploy.nodes = {
|
||||||
|
OVHCloud = {
|
||||||
hostname = "gasdev.fr";
|
hostname = "gasdev.fr";
|
||||||
profiles.system = {
|
profiles.system = {
|
||||||
user = "root";
|
user = "root";
|
||||||
|
@ -123,6 +139,33 @@
|
||||||
path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.OVHCloud;
|
path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.OVHCloud;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
pi4 = {
|
||||||
|
hostname = "10.8.0.31";
|
||||||
|
profiles.system = {
|
||||||
|
user = "root";
|
||||||
|
sshUser = "root";
|
||||||
|
sshOpts = ["-p" "22"];
|
||||||
|
sudo = "";
|
||||||
|
path = deploy-rs.lib.aarch64-linux.activate.nixos self.nixosConfigurations.pi4;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
images.pi4 =
|
||||||
|
(self.nixosConfigurations.pi4.extendModules {
|
||||||
|
modules = [
|
||||||
|
"${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
|
||||||
|
{
|
||||||
|
disabledModules = ["profiles/base.nix"];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
})
|
||||||
|
.config
|
||||||
|
.system
|
||||||
|
.build
|
||||||
|
.sdImage;
|
||||||
|
packages.x86_64-linux.pi4-image = images.pi4;
|
||||||
|
packages.aarch64-linux.pi4-image = images.pi4;
|
||||||
|
|
||||||
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
|
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
|
||||||
|
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
# This will add secrets.yml to the nix store
|
# This will add secrets.yml to the nix store
|
||||||
# You can avoid this by adding a string to the full path instead, i.e.
|
# You can avoid this by adding a string to the full path instead, i.e.
|
||||||
# sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
|
# sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
|
||||||
sops.defaultSopsFile = ../../secrets/OVHCloud.yaml;
|
sops.defaultSopsFile = ../../secrets/OVHCloud/default.yaml;
|
||||||
# This will automatically import SSH keys as age keys
|
# This will automatically import SSH keys as age keys
|
||||||
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
|
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
|
||||||
|
|
||||||
|
|
|
@ -34,6 +34,7 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
tmp.useTmpfs = true;
|
tmp.useTmpfs = true;
|
||||||
|
binfmt.emulatedSystems = ["aarch64-linux"];
|
||||||
};
|
};
|
||||||
|
|
||||||
# Network & Bluetooth
|
# Network & Bluetooth
|
||||||
|
|
69
hosts/pi4/default.nix
Normal file
69
hosts/pi4/default.nix
Normal file
|
@ -0,0 +1,69 @@
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
pkgs,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
|
imports = [
|
||||||
|
./hardware-configuration.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
# Nix
|
||||||
|
nix.settings.experimental-features = ["nix-command" "flakes"];
|
||||||
|
|
||||||
|
# Set your time zone.
|
||||||
|
time.timeZone = "Europe/Paris";
|
||||||
|
|
||||||
|
environment.systemPackages = with pkgs; [
|
||||||
|
helix
|
||||||
|
git
|
||||||
|
];
|
||||||
|
|
||||||
|
services.openssh = {
|
||||||
|
enable = true;
|
||||||
|
ports = [22];
|
||||||
|
settings = {
|
||||||
|
PasswordAuthentication = false;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
users.users.root.openssh.authorizedKeys.keys = [
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQyRXFQ6iA5p0vDuoGSHZfajiVZPAGIyqhTziM7QgBV gaspard@nixos"
|
||||||
|
];
|
||||||
|
|
||||||
|
networking = {
|
||||||
|
interfaces."wlan0".useDHCP = true;
|
||||||
|
wireless = {
|
||||||
|
interfaces = ["wlan0"];
|
||||||
|
enable = true;
|
||||||
|
networks = {
|
||||||
|
"TestNetwork".psk = "not_an_actual_password_leak";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# SOPS
|
||||||
|
sops.defaultSopsFile = ../../secrets/pi4/default.yaml;
|
||||||
|
sops.secrets."wireguard/private_key".owner = "root";
|
||||||
|
|
||||||
|
# Wireguard
|
||||||
|
networking.firewall = {
|
||||||
|
allowedUDPPorts = [51820];
|
||||||
|
};
|
||||||
|
networking.wg-quick.interfaces = {
|
||||||
|
wg0 = {
|
||||||
|
address = ["10.8.0.31/32"];
|
||||||
|
listenPort = 51820; # Should match firewall allowedUDPPorts
|
||||||
|
privateKeyFile = config.sops.secrets."wireguard/private_key".path;
|
||||||
|
|
||||||
|
peers = [
|
||||||
|
{
|
||||||
|
publicKey = "KLULII6VEUWMhyIba6oxxHdZsVP3TMVlNY1Vz49q7jg=";
|
||||||
|
allowedIPs = ["0.0.0.0/0"];
|
||||||
|
endpoint = "vpn.gasdev.fr:993";
|
||||||
|
persistentKeepalive = 25;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
system.stateVersion = "24.11";
|
||||||
|
}
|
20
hosts/pi4/hardware-configuration.nix
Normal file
20
hosts/pi4/hardware-configuration.nix
Normal file
|
@ -0,0 +1,20 @@
|
||||||
|
{
|
||||||
|
pkgs,
|
||||||
|
lib,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
|
# "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" creates a
|
||||||
|
# disk with this label on first boot. Therefore, we need to keep it. It is the
|
||||||
|
# only information from the installer image that we need to keep persistent
|
||||||
|
fileSystems."/" = {
|
||||||
|
device = "/dev/disk/by-label/NIXOS_SD";
|
||||||
|
fsType = "ext4";
|
||||||
|
};
|
||||||
|
boot = {
|
||||||
|
kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
|
||||||
|
loader = {
|
||||||
|
generic-extlinux-compatible.enable = lib.mkDefault true;
|
||||||
|
grub.enable = lib.mkDefault false;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -34,7 +34,7 @@ outline:
|
||||||
penpot:
|
penpot:
|
||||||
SECRET_KEY: ENC[AES256_GCM,data:Ebeehmby3FBDOaTxwTWg9vKTsB+w8wpa6FdxcvvRTwDR07A0Ljk4WCaPmbPBArbwB14cMSuGeDGBrvNo1x8N+u3FeMMei+TGvgJGssZynxEN7+g5gTg=,iv:ZAa3n7CCyeeeAIv48JpIZmjFiyHiXLFK+Q0Wqf7utFY=,tag:6JZZ53jEM579vYhQG4X2Fw==,type:str]
|
SECRET_KEY: ENC[AES256_GCM,data:Ebeehmby3FBDOaTxwTWg9vKTsB+w8wpa6FdxcvvRTwDR07A0Ljk4WCaPmbPBArbwB14cMSuGeDGBrvNo1x8N+u3FeMMei+TGvgJGssZynxEN7+g5gTg=,iv:ZAa3n7CCyeeeAIv48JpIZmjFiyHiXLFK+Q0Wqf7utFY=,tag:6JZZ53jEM579vYhQG4X2Fw==,type:str]
|
||||||
OIDC_CLIENT_SECRET: ENC[AES256_GCM,data:+GrXq113byY5XqFDE1tF4n5xcrhIjg2KI39xgxY6hEcS3r6KcF6SAFmczoscMFPJccaTv7Pcr7zfzDxGT7zDuNyj324nzvff,iv:onZV3ESU4Kbvp9x9rfXuq17FlhaoE/4ZXIwH4/bOXPc=,tag:I02FFF54NDMyJuicdwy4TA==,type:str]
|
OIDC_CLIENT_SECRET: ENC[AES256_GCM,data:+GrXq113byY5XqFDE1tF4n5xcrhIjg2KI39xgxY6hEcS3r6KcF6SAFmczoscMFPJccaTv7Pcr7zfzDxGT7zDuNyj324nzvff,iv:onZV3ESU4Kbvp9x9rfXuq17FlhaoE/4ZXIwH4/bOXPc=,tag:I02FFF54NDMyJuicdwy4TA==,type:str]
|
||||||
SMTP_HOST: ENC[AES256_GCM,data:grXf4aoolCIEF+xomL9ziE4=,iv:HeUUuJJEjq/CWCWfrxe8ujBaMidFM6B49oHedjD7b3M=,tag:fnsUU8DhgUjtjoKkqw3c4g==,type:str]
|
SMTP_HOST: ENC[AES256_GCM,data:Gk9QnKvmxLypHv/vqVI=,iv:wHZmUledOjyq7B4IR4EXop2cfC8lo41kP1oJDWKvsqk=,tag:Vh0pdYktKSSTGlY9mB/SfA==,type:str]
|
||||||
SMTP_PORT: ENC[AES256_GCM,data:Lnh0,iv:gCLwzWrk6hMUZjL1RGi51dS2TULtCfYnlpAOJBVBen0=,tag:fv7lwt36JpKhRjXF41Wc8g==,type:str]
|
SMTP_PORT: ENC[AES256_GCM,data:Lnh0,iv:gCLwzWrk6hMUZjL1RGi51dS2TULtCfYnlpAOJBVBen0=,tag:fv7lwt36JpKhRjXF41Wc8g==,type:str]
|
||||||
SMTP_USERNAME: ENC[AES256_GCM,data:VW/cB/BIisGfhwWNLNvRCvWGYI8=,iv:u+nAfJUfMZtthe18DPy4yBEWcbh52ZrUsbaOW8vnbVw=,tag:PLq47UuvDzd/X1aoCtRJjw==,type:str]
|
SMTP_USERNAME: ENC[AES256_GCM,data:VW/cB/BIisGfhwWNLNvRCvWGYI8=,iv:u+nAfJUfMZtthe18DPy4yBEWcbh52ZrUsbaOW8vnbVw=,tag:PLq47UuvDzd/X1aoCtRJjw==,type:str]
|
||||||
SMTP_PASSWORD: ENC[AES256_GCM,data:tl7hp0a4l8JLOSQQvJNRwF4DR+83FaKI,iv:vR0KiXjnkyO1pa+fxQ6ALoYN6IMFAk07qmMe5qgRB1E=,tag:/RmJIzgjDEBH9XNMol3IUg==,type:str]
|
SMTP_PASSWORD: ENC[AES256_GCM,data:tl7hp0a4l8JLOSQQvJNRwF4DR+83FaKI,iv:vR0KiXjnkyO1pa+fxQ6ALoYN6IMFAk07qmMe5qgRB1E=,tag:/RmJIzgjDEBH9XNMol3IUg==,type:str]
|
||||||
|
@ -78,8 +78,8 @@ sops:
|
||||||
MFpMemF4MGg1bmVUeWV5N25LTUtyczQKss0x4zT1kyeRu+qenhrdbcPlU/p+yjVN
|
MFpMemF4MGg1bmVUeWV5N25LTUtyczQKss0x4zT1kyeRu+qenhrdbcPlU/p+yjVN
|
||||||
y3j4eGpnwgc2rxSL9vkrrkzx/atUqUkgGU/YstszUrP6XKbJ+9ydpQ==
|
y3j4eGpnwgc2rxSL9vkrrkzx/atUqUkgGU/YstszUrP6XKbJ+9ydpQ==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2024-11-04T21:15:49Z"
|
lastmodified: "2024-11-05T13:47:17Z"
|
||||||
mac: ENC[AES256_GCM,data:/0c7+XlYMN+CYvhLhpo6ivwI33uLVUGpm8ypN4dJzxFWFCMlVRm4lDxb0u0/6Qudri7RQRqo1AtuK5jP0jBnZQBaKdvHWqV+uTBQNjtdh5PUNT+34eBBh1eT22OzED6CeXWRTlDiFZ6z3rQYpi6j3D7h13VMokvWGRNdpGgcKWw=,iv:LPrWXUgvxKum8hvp4hC01hOinyctafODE1/VJaPLRBc=,tag:rFjJkRIDipCUUhDV8C+dSA==,type:str]
|
mac: ENC[AES256_GCM,data:Lku06chnlLsqvvd5ud/ovY/ymGknyIxcPirvQ2lrc/+7jMa6cGu3Q9piVv/gx6jMhQIuYnNjS5AKoNvNfXRgrpakzET5aNzLtWkaUplNQCAy+yuKkIdmGoMZ+J+l4SyMydKERpZmN+pLWAld8U+CFRaWGoCLHHQ8i60u4Gti7DY=,iv:DVcjFoncW0vPhBEA042DAWxJLnSCfwsJeYQcmhsWrbI=,tag:dL6L5CfrB4ZVMytkGfPSYA==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.9.1
|
version: 3.9.1
|
31
secrets/pi4/default.yaml
Normal file
31
secrets/pi4/default.yaml
Normal file
|
@ -0,0 +1,31 @@
|
||||||
|
wireguard:
|
||||||
|
private_key: ENC[AES256_GCM,data:L6FD+kBF7AoIrm3pMM6/pmWtX2FP5dUrJ9hUCuW9n4SlJ/JhpxI9m/1owIg=,iv:ok4pyUUv80kPY9n4WQmBGYHmMsPJnG0tnF+vbNhqc3s=,tag:OPribO7RoVCkFkTrYrHw7w==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1rgu2e75kt4uztr43y6wj70uz2sj3tr9lz58y4h6rk37alq2vwa5q9v35dr
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJamxiNDlnRWJ6ZGFRaEtu
|
||||||
|
bGRveE9aWWY4c2duYkFYU2NKQlBSYjNWT3dZClNtNkpiRENNRFdUcTN6MENhU1Z1
|
||||||
|
YzVDa21peTluVkFoQURnK0xZQjNFZm8KLS0tIGpPbE95NVM2aUNrWWlEVGUybXpP
|
||||||
|
cXpCMmsxTkxKSXBjSmV2azNIcW04a1UKF8O99FpHDZSO0XFeCzWyoxJvjmvjvWFH
|
||||||
|
aOFSWHO64UDlSY/1eQmIYr/xad/BxxYnkrqlJib5tpmPkoi1qyuZVg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age18gts35ruwj67kjgjtgrgrxup83apr8ekgrp98r434wcn2pf0l9sqnq5j2y
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFQmlDMzJQSEM3cjdnZmpy
|
||||||
|
RUgzZTYvT3RrQ2RMUmNNNWRvL2NjSUJvdW1jCkFvaVFOZUdPMWQxNnhGLzgwa2w4
|
||||||
|
MHpwVzJkQjZvd25oaENqbzdrT1dmazQKLS0tIE1MdmVrNVRscGlXeTB0NXV6SUMv
|
||||||
|
RDNob1FNdFZQUUk0SmVDUnZBc3FNdVEKcyNWzjvIZIBR39kQkUsSSmHJ+gePPtbS
|
||||||
|
PUcLp6jYFvPDyldLm+PqIApEL9X0d/0ccvY+wwkPCiqSPFZbBLitgg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-11-05T22:30:48Z"
|
||||||
|
mac: ENC[AES256_GCM,data:GI5Hb8zvafTdWhpm+D6qp9iefMD9NwYPRBKcxrIL9M1wTMzMzD4QsrbMDKQELfTYK3QhLZ0G4KTmLfoSB1zYO/GtslRDAAHmFzLuNNVJ9/8gIrd/Gb12JLnUDjJrxYEeF15NKnyqRMKUVQiJgYd8ggLGzT9pRqaMNTKCYutqsaE=,iv:XB/Ddi7mU9SdRD7nHkyAZR+gTZ9ZY2ZrvHlb0kFK/4Q=,tag:OgEw78w4o44CamP/4C6Y7g==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.9.1
|
|
@ -74,8 +74,9 @@ storage:
|
||||||
path: /data/db.sqlite3
|
path: /data/db.sqlite3
|
||||||
|
|
||||||
notifier:
|
notifier:
|
||||||
|
disable_startup_check: true
|
||||||
smtp:
|
smtp:
|
||||||
address: 'smtp.mail.ovh.net'
|
address: 'smtp://smtp.gasdev.fr:25'
|
||||||
username: 'postmaster@gasdev.fr'
|
username: 'postmaster@gasdev.fr'
|
||||||
sender: 'Authelia <authelia@gasdev.fr>'
|
sender: 'Authelia <authelia@gasdev.fr>'
|
||||||
|
|
||||||
|
|
|
@ -28,7 +28,7 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
smtp = {
|
smtp = {
|
||||||
host = "smtp.mail.ovh.net";
|
host = "smtp.gasdev.fr";
|
||||||
port = 465;
|
port = 465;
|
||||||
username = "postmaster@gasdev.fr";
|
username = "postmaster@gasdev.fr";
|
||||||
passwordFile = config.sops.secrets."outline/SMTP_PASSWORD".path;
|
passwordFile = config.sops.secrets."outline/SMTP_PASSWORD".path;
|
||||||
|
|
|
@ -1,16 +1,20 @@
|
||||||
{config, ...}: let
|
{config, ...}: let
|
||||||
domain = "mail.gasdev.fr";
|
domain = "gasdev.fr";
|
||||||
in {
|
in {
|
||||||
sops.secrets."stalwart-mail/ADMIN_SECRET".owner = "stalwart-mail";
|
sops.secrets."stalwart-mail/ADMIN_SECRET".owner = "stalwart-mail";
|
||||||
|
|
||||||
services.caddy.virtualHosts."${domain}".extraConfig = ''
|
services.caddy.virtualHosts."${domain}".extraConfig = ''
|
||||||
|
redir https://www.gasdev.fr
|
||||||
|
'';
|
||||||
|
|
||||||
|
services.caddy.virtualHosts."mail.${domain}".extraConfig = ''
|
||||||
reverse_proxy 127.0.0.1:8080
|
reverse_proxy 127.0.0.1:8080
|
||||||
'';
|
'';
|
||||||
|
|
||||||
services.stalwart-mail = {
|
services.stalwart-mail = {
|
||||||
enable = true;
|
enable = true;
|
||||||
settings = {
|
settings = {
|
||||||
lookup.default.hostname = "${domain}";
|
lookup.default.hostname = "mail.${domain}";
|
||||||
server = {
|
server = {
|
||||||
tls.certificate = "default";
|
tls.certificate = "default";
|
||||||
http = {
|
http = {
|
||||||
|
@ -82,7 +86,7 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [22 465 993];
|
networking.firewall.allowedTCPPorts = [25 465 993];
|
||||||
|
|
||||||
systemd.timers."stalwart-mail-update-certs" = {
|
systemd.timers."stalwart-mail-update-certs" = {
|
||||||
wantedBy = ["timers.target"];
|
wantedBy = ["timers.target"];
|
||||||
|
@ -107,7 +111,7 @@ in {
|
||||||
cat "''\${CADDY_CERT_DIR}/${domain}.key" > "''\${STALWART_CERT_DIR}/${domain}.priv.pem"
|
cat "''\${CADDY_CERT_DIR}/${domain}.key" > "''\${STALWART_CERT_DIR}/${domain}.priv.pem"
|
||||||
|
|
||||||
chown -R stalwart-mail:stalwart-mail "''\${STALWART_CERT_DIR}"
|
chown -R stalwart-mail:stalwart-mail "''\${STALWART_CERT_DIR}"
|
||||||
chmod -R 0600 "''\${STALWART_CERT_DIR}"
|
chmod -R 0700 "''\${STALWART_CERT_DIR}"
|
||||||
'';
|
'';
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "oneshot";
|
Type = "oneshot";
|
||||||
|
|
|
@ -51,6 +51,11 @@
|
||||||
publicKey = "cpBhnLD4u5brDZsc2uqXVlelApCIXFdRnfJXJU1WDmM=";
|
publicKey = "cpBhnLD4u5brDZsc2uqXVlelApCIXFdRnfJXJU1WDmM=";
|
||||||
allowedIPs = ["10.8.0.11/32"];
|
allowedIPs = ["10.8.0.11/32"];
|
||||||
}
|
}
|
||||||
|
{
|
||||||
|
# pi4
|
||||||
|
publicKey = "F9AkCI0FGkrFhCq+SvCT1F2RG2ApNUy+SeIj1+VPtXI=";
|
||||||
|
allowedIPs = ["10.8.0.31/32"];
|
||||||
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
Loading…
Reference in a new issue