
16 commits

Author SHA1 Message Date
GaspardCulis
dff14a180b fix(hosts/pi4): Now using networking.wg-quick module
Instead of `networking.wireguard` which seems to be broken
2024-11-06 01:02:16 +01:00
GaspardCulis
bae75ef0a4 feat(flake): Added pi4 deploy node 2024-11-06 00:58:57 +01:00
GaspardCulis
47f0dbd2d4 chore(sops): Update again pi4 age key 2024-11-06 00:18:28 +01:00
GaspardCulis
a4f8d01313 chore(sops): Sync pi4 secrets according to new age key 2024-11-06 00:13:48 +01:00
GaspardCulis
805e5ee2ae feat(hosts/pi4): Added wireguard config 2024-11-05 23:42:08 +01:00
GaspardCulis
d8304b993d feat(sops): Add sops config for pi4 2024-11-05 23:40:18 +01:00
GaspardCulis
a1e3f8cfc3 feat(services): Added new peer for pi4 2024-11-05 23:39:48 +01:00
GaspardCulis
29fc1dbf24 chore(sops): Setup actual pi4 age key 2024-11-05 23:37:57 +01:00
GaspardCulis
fd83bd2dc2 refactor(secrets): Moved host specific secrets to subdirs 2024-11-05 23:31:32 +01:00
GaspardCulis
dab42bd8c2 feat(hosts/pi4): Setup networking 2024-11-05 23:06:13 +01:00
GaspardCulis
1fa4d2bc87 refactor(hosts): Re-work pi config 2024-11-05 22:52:56 +01:00
GaspardCulis
0cb54a4a35 feat(Zephyrus): Enable binfmt aarch64 cross-compilation 2024-11-05 22:09:49 +01:00
GaspardCulis
1207101eab feat: Added new Pi4 host 2024-11-05 18:37:06 +01:00
GaspardCulis
913b582d2e chore(services): Tweak SMTP config 2024-11-05 18:35:52 +01:00
GaspardCulis
9046a53e3e fix(sservices/stalwart-mail): Fix firewall config typo 2024-11-05 14:52:43 +01:00
GaspardCulis
d2f311cbfc chore(services + secrets): Updated SMTP host 2024-11-05 14:48:31 +01:00
13 changed files with 217 additions and 20 deletions


@ -1,10 +1,17 @@
keys: keys:
- &admin_gaspard age1rgu2e75kt4uztr43y6wj70uz2sj3tr9lz58y4h6rk37alq2vwa5q9v35dr - &admin_gaspard age1rgu2e75kt4uztr43y6wj70uz2sj3tr9lz58y4h6rk37alq2vwa5q9v35dr
- &server_ovh age1th4zyxdg3y5sdza9v3zlezzru7wyqwvk5y0t7jdv97ej3gd6d5hs5mg7cr - &server_ovh age1th4zyxdg3y5sdza9v3zlezzru7wyqwvk5y0t7jdv97ej3gd6d5hs5mg7cr
- &server_pi4 age18gts35ruwj67kjgjtgrgrxup83apr8ekgrp98r434wcn2pf0l9sqnq5j2y
creation_rules: creation_rules:
- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$ - path_regex: secrets/OVHCloud/[^/]+\.(yaml|json|env|ini)$
key_groups: key_groups:
- pgp: - pgp:
age: age:
- *admin_gaspard - *admin_gaspard
- *server_ovh - *server_ovh
- path_regex: secrets/pi4/[^/]+\.(yaml|json|env|ini)$
key_groups:
- pgp:
age:
- *admin_gaspard
- *server_pi4
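Review bot: Narrowing the old catch-all `secrets/[^/]+\.(yaml|json|env|ini)$` rule to `secrets/OVHCloud/` means a secret file placed directly under `secrets/` (the previous layout, which the OVHCloud module referenced as `secrets/OVHCloud.yaml`) now matches no creation rule and sops will refuse to encrypt it; that looks intended by the per-host split, but it deserves a line above `creation_rules`: `# One rule per host directory; each host key only decrypts its own secrets, and files outside these directories match no rule`. Both rules share `admin_gaspard`, so that single key decrypts every host's secrets — expected for an admin key, but it is the one credential whose compromise exposes everything, which is worth stating next to its definition.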


@ -479,6 +479,21 @@
"type": "github" "type": "github"
} }
}, },
"nixos-hardware": {
"locked": {
"lastModified": 1730828750,
"narHash": "sha256-XrnZLkLiBYNlwV5gus/8DT7nncF1TS5la6Be7rdVOpI=",
"owner": "nixos",
"repo": "nixos-hardware",
"rev": "2e78b1af8025108ecd6edaa3ab09695b8a4d3d55",
"type": "github"
},
"original": {
"owner": "nixos",
"repo": "nixos-hardware",
"type": "github"
}
},
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1727348695, "lastModified": 1727348695,
@ -542,6 +557,7 @@
"hyprland" "hyprland"
], ],
"jovian": "jovian", "jovian": "jovian",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_2", "nixpkgs": "nixpkgs_2",
"sops-nix": "sops-nix" "sops-nix": "sops-nix"
} }


@ -56,6 +56,9 @@
url = "github:Jovian-Experiments/Jovian-NixOS"; url = "github:Jovian-Experiments/Jovian-NixOS";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
# Rasoberry PI
nixos-hardware.url = "github:nixos/nixos-hardware";
}; };
outputs = { outputs = {
@ -66,11 +69,12 @@
sops-nix, sops-nix,
home-manager, home-manager,
jovian, jovian,
nixos-hardware,
... ...
} @ inputs: let } @ inputs: let
system = "x86_64-linux"; system = "x86_64-linux";
pkgs = nixpkgs.legacyPackages.${system}; pkgs = nixpkgs.legacyPackages.${system};
in { in rec {
nixosConfigurations = { nixosConfigurations = {
Zephyrus = nixpkgs.lib.nixosSystem { Zephyrus = nixpkgs.lib.nixosSystem {
extraArgs = {inherit inputs;}; extraArgs = {inherit inputs;};
@ -91,6 +95,17 @@
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
]; ];
}; };
pi4 = nixpkgs.lib.nixosSystem {
extraArgs = {inherit inputs;};
system = "aarch64-linux";
modules = [
./hosts/pi4
"${nixpkgs}/nixos/modules/profiles/minimal.nix"
nixos-hardware.nixosModules.raspberry-pi-4
sops-nix.nixosModules.sops
];
};
}; };
homeConfigurations = { homeConfigurations = {
@ -113,7 +128,8 @@
}; };
}; };
deploy.nodes.OVHCloud = { deploy.nodes = {
OVHCloud = {
hostname = "gasdev.fr"; hostname = "gasdev.fr";
profiles.system = { profiles.system = {
user = "root"; user = "root";
@ -123,6 +139,33 @@
path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.OVHCloud; path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.OVHCloud;
}; };
}; };
pi4 = {
hostname = "10.8.0.31";
profiles.system = {
user = "root";
sshUser = "root";
sshOpts = ["-p" "22"];
sudo = "";
path = deploy-rs.lib.aarch64-linux.activate.nixos self.nixosConfigurations.pi4;
};
};
};
images.pi4 =
(self.nixosConfigurations.pi4.extendModules {
modules = [
"${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
{
disabledModules = ["profiles/base.nix"];
}
];
})
.config
.system
.build
.sdImage;
packages.x86_64-linux.pi4-image = images.pi4;
packages.aarch64-linux.pi4-image = images.pi4;
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib; checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
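Review bot: `packages.x86_64-linux.pi4-image = images.pi4;` exposes an aarch64-linux derivation under the x86_64 system, so it only builds on a host with `boot.binfmt.emulatedSystems = ["aarch64-linux"]` (added to Zephyrus in this same compare) and fails with an unsupported-system error anywhere else; a comment on that line would save the next person a confusing failure, e.g. `# aarch64 image; on x86_64 this relies on QEMU binfmt emulation (boot.binfmt.emulatedSystems), not cross-compilation`. The comment on the new input reads `# Rasoberry PI`; `# Raspberry Pi` is meant. The `in {` → `in rec {` switch appears to exist only so the two `packages` lines can say `images.pi4`; `self.images.pi4` does the same without making the whole outputs set recursive, which is the more common flake idiom. The `outputs` function continues outside the hunk.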


@ -2,7 +2,7 @@
# This will add secrets.yml to the nix store # This will add secrets.yml to the nix store
# You can avoid this by adding a string to the full path instead, i.e. # You can avoid this by adding a string to the full path instead, i.e.
# sops.defaultSopsFile = "/root/.sops/secrets/example.yaml"; # sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
sops.defaultSopsFile = ../../secrets/OVHCloud.yaml; sops.defaultSopsFile = ../../secrets/OVHCloud/default.yaml;
# This will automatically import SSH keys as age keys # This will automatically import SSH keys as age keys
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];


@ -34,6 +34,7 @@
}; };
}; };
tmp.useTmpfs = true; tmp.useTmpfs = true;
binfmt.emulatedSystems = ["aarch64-linux"];
}; };
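Review bot: `binfmt.emulatedSystems = ["aarch64-linux"];` registers QEMU user-mode emulation for aarch64 binaries, which is what lets this x86_64 host build and run aarch64 derivations such as the pi4 image; it is emulation, not cross-compilation, so the commit title is slightly misleading and a comment would help: `# QEMU user-mode emulation so this host can build aarch64-linux derivations (pi4 image); slow, but simpler than cross-compiling`. The attribute set these options live in (presumably `boot`, given `tmp.useTmpfs`) starts outside the hunk.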
# Network & Bluetooth # Network & Bluetooth

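--- a/hosts/pi4/default.nix
+++ b/hosts/pi4/default.nix
@@ -0,0 +1,69 @@
+{
+config,
+pkgs,
+...
+}: {
+imports = [
+./hardware-configuration.nix
+];
+# Nix
+nix.settings.experimental-features = ["nix-command" "flakes"];
+# Set your time zone.
+time.timeZone = "Europe/Paris";
+environment.systemPackages = with pkgs; [
+helix
+git
+];
+services.openssh = {
+enable = true;
+ports = [22];
+settings = {
+PasswordAuthentication = false;
+};
+};
+users.users.root.openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQyRXFQ6iA5p0vDuoGSHZfajiVZPAGIyqhTziM7QgBV gaspard@nixos"
+];
+networking = {
+interfaces."wlan0".useDHCP = true;
+wireless = {
+interfaces = ["wlan0"];
+enable = true;
+networks = {
+"TestNetwork".psk = "not_an_actual_password_leak";
+};
+};
+};
+# SOPS
+sops.defaultSopsFile = ../../secrets/pi4/default.yaml;
+sops.secrets."wireguard/private_key".owner = "root";
+# Wireguard
+networking.firewall = {
+allowedUDPPorts = [51820];
+};
+networking.wg-quick.interfaces = {
+wg0 = {
+address = ["10.8.0.31/32"];
+listenPort = 51820; # Should match firewall allowedUDPPorts
+privateKeyFile = config.sops.secrets."wireguard/private_key".path;
+peers = [
+{
+publicKey = "KLULII6VEUWMhyIba6oxxHdZsVP3TMVlNY1Vz49q7jg=";
+allowedIPs = ["0.0.0.0/0"];
+endpoint = "vpn.gasdev.fr:993";
+persistentKeepalive = 25;
+}
+];
+};
+};
+system.stateVersion = "24.11";
+}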
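Review bot: `"TestNetwork".psk = "not_an_actual_password_leak";` writes the Wi-Fi passphrase into the generated wpa_supplicant configuration in the Nix store, which is world-readable on the device and on every machine that builds or caches the closure (the option docs for `networking.wireless.networks.<name>.psk` warn about exactly this); the placeholder is harmless, but the pattern must not survive the first real network. This file already delivers `wireguard/private_key` through sops, so the PSK belongs in the same sops file, passed via `networking.wireless.environmentFile = config.sops.secrets."wifi_env".path;` with `psk = "@PSK_TESTNETWORK@";` substitution (or the newer `secretsFile`/`pskRaw = "ext:…"` form, if available in the nixpkgs pinned here). Separately, `allowedIPs = ["0.0.0.0/0"]` under wg-quick installs a default route through the OVH endpoint, so the deploy address `10.8.0.31` is only reachable while the tunnel is up; a one-line comment stating that full-tunnel is intended would prevent someone "fixing" it to `10.8.0.0/24`.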


@ -0,0 +1,20 @@
{
pkgs,
lib,
...
}: {
# "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" creates a
# disk with this label on first boot. Therefore, we need to keep it. It is the
# only information from the installer image that we need to keep persistent
fileSystems."/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
};
boot = {
kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
loader = {
generic-extlinux-compatible.enable = lib.mkDefault true;
grub.enable = lib.mkDefault false;
};
};
}
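Review bot: `kernelPackages = lib.mkForce pkgs.linuxPackages_latest;` silently overrides whatever kernel the `nixos-hardware.nixosModules.raspberry-pi-4` module (imported in flake.nix) selects, and the `mkForce` gives no hint why; a why-comment would help, e.g. `# mkForce: replace the Pi-specific kernel chosen by nixos-hardware's raspberry-pi-4 module with mainline; confirm wlan0 still works after kernel bumps`. The two loader options right below use `lib.mkDefault`, the opposite priority, so a reader will wonder which is meant to lose against the hardware module; stating it in the same comment settles it. This section's path is not shown on the page; it is presumably the `./hardware-configuration.nix` imported by hosts/pi4/default.nix.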


@ -34,7 +34,7 @@ outline:
penpot: penpot:
SECRET_KEY: ENC[AES256_GCM,data:Ebeehmby3FBDOaTxwTWg9vKTsB+w8wpa6FdxcvvRTwDR07A0Ljk4WCaPmbPBArbwB14cMSuGeDGBrvNo1x8N+u3FeMMei+TGvgJGssZynxEN7+g5gTg=,iv:ZAa3n7CCyeeeAIv48JpIZmjFiyHiXLFK+Q0Wqf7utFY=,tag:6JZZ53jEM579vYhQG4X2Fw==,type:str] SECRET_KEY: ENC[AES256_GCM,data:Ebeehmby3FBDOaTxwTWg9vKTsB+w8wpa6FdxcvvRTwDR07A0Ljk4WCaPmbPBArbwB14cMSuGeDGBrvNo1x8N+u3FeMMei+TGvgJGssZynxEN7+g5gTg=,iv:ZAa3n7CCyeeeAIv48JpIZmjFiyHiXLFK+Q0Wqf7utFY=,tag:6JZZ53jEM579vYhQG4X2Fw==,type:str]
OIDC_CLIENT_SECRET: ENC[AES256_GCM,data:+GrXq113byY5XqFDE1tF4n5xcrhIjg2KI39xgxY6hEcS3r6KcF6SAFmczoscMFPJccaTv7Pcr7zfzDxGT7zDuNyj324nzvff,iv:onZV3ESU4Kbvp9x9rfXuq17FlhaoE/4ZXIwH4/bOXPc=,tag:I02FFF54NDMyJuicdwy4TA==,type:str] OIDC_CLIENT_SECRET: ENC[AES256_GCM,data:+GrXq113byY5XqFDE1tF4n5xcrhIjg2KI39xgxY6hEcS3r6KcF6SAFmczoscMFPJccaTv7Pcr7zfzDxGT7zDuNyj324nzvff,iv:onZV3ESU4Kbvp9x9rfXuq17FlhaoE/4ZXIwH4/bOXPc=,tag:I02FFF54NDMyJuicdwy4TA==,type:str]
SMTP_HOST: ENC[AES256_GCM,data:grXf4aoolCIEF+xomL9ziE4=,iv:HeUUuJJEjq/CWCWfrxe8ujBaMidFM6B49oHedjD7b3M=,tag:fnsUU8DhgUjtjoKkqw3c4g==,type:str] SMTP_HOST: ENC[AES256_GCM,data:Gk9QnKvmxLypHv/vqVI=,iv:wHZmUledOjyq7B4IR4EXop2cfC8lo41kP1oJDWKvsqk=,tag:Vh0pdYktKSSTGlY9mB/SfA==,type:str]
SMTP_PORT: ENC[AES256_GCM,data:Lnh0,iv:gCLwzWrk6hMUZjL1RGi51dS2TULtCfYnlpAOJBVBen0=,tag:fv7lwt36JpKhRjXF41Wc8g==,type:str] SMTP_PORT: ENC[AES256_GCM,data:Lnh0,iv:gCLwzWrk6hMUZjL1RGi51dS2TULtCfYnlpAOJBVBen0=,tag:fv7lwt36JpKhRjXF41Wc8g==,type:str]
SMTP_USERNAME: ENC[AES256_GCM,data:VW/cB/BIisGfhwWNLNvRCvWGYI8=,iv:u+nAfJUfMZtthe18DPy4yBEWcbh52ZrUsbaOW8vnbVw=,tag:PLq47UuvDzd/X1aoCtRJjw==,type:str] SMTP_USERNAME: ENC[AES256_GCM,data:VW/cB/BIisGfhwWNLNvRCvWGYI8=,iv:u+nAfJUfMZtthe18DPy4yBEWcbh52ZrUsbaOW8vnbVw=,tag:PLq47UuvDzd/X1aoCtRJjw==,type:str]
SMTP_PASSWORD: ENC[AES256_GCM,data:tl7hp0a4l8JLOSQQvJNRwF4DR+83FaKI,iv:vR0KiXjnkyO1pa+fxQ6ALoYN6IMFAk07qmMe5qgRB1E=,tag:/RmJIzgjDEBH9XNMol3IUg==,type:str] SMTP_PASSWORD: ENC[AES256_GCM,data:tl7hp0a4l8JLOSQQvJNRwF4DR+83FaKI,iv:vR0KiXjnkyO1pa+fxQ6ALoYN6IMFAk07qmMe5qgRB1E=,tag:/RmJIzgjDEBH9XNMol3IUg==,type:str]
@ -78,8 +78,8 @@ sops:
MFpMemF4MGg1bmVUeWV5N25LTUtyczQKss0x4zT1kyeRu+qenhrdbcPlU/p+yjVN MFpMemF4MGg1bmVUeWV5N25LTUtyczQKss0x4zT1kyeRu+qenhrdbcPlU/p+yjVN
y3j4eGpnwgc2rxSL9vkrrkzx/atUqUkgGU/YstszUrP6XKbJ+9ydpQ== y3j4eGpnwgc2rxSL9vkrrkzx/atUqUkgGU/YstszUrP6XKbJ+9ydpQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-04T21:15:49Z" lastmodified: "2024-11-05T13:47:17Z"
mac: ENC[AES256_GCM,data:/0c7+XlYMN+CYvhLhpo6ivwI33uLVUGpm8ypN4dJzxFWFCMlVRm4lDxb0u0/6Qudri7RQRqo1AtuK5jP0jBnZQBaKdvHWqV+uTBQNjtdh5PUNT+34eBBh1eT22OzED6CeXWRTlDiFZ6z3rQYpi6j3D7h13VMokvWGRNdpGgcKWw=,iv:LPrWXUgvxKum8hvp4hC01hOinyctafODE1/VJaPLRBc=,tag:rFjJkRIDipCUUhDV8C+dSA==,type:str] mac: ENC[AES256_GCM,data:Lku06chnlLsqvvd5ud/ovY/ymGknyIxcPirvQ2lrc/+7jMa6cGu3Q9piVv/gx6jMhQIuYnNjS5AKoNvNfXRgrpakzET5aNzLtWkaUplNQCAy+yuKkIdmGoMZ+J+l4SyMydKERpZmN+pLWAld8U+CFRaWGoCLHHQ8i60u4Gti7DY=,iv:DVcjFoncW0vPhBEA042DAWxJLnSCfwsJeYQcmhsWrbI=,tag:dL6L5CfrB4ZVMytkGfPSYA==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.1 version: 3.9.1

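--- a/secrets/pi4/default.yaml
+++ b/secrets/pi4/default.yaml
@@ -0,0 +1,31 @@
+wireguard:
+private_key: ENC[AES256_GCM,data:L6FD+kBF7AoIrm3pMM6/pmWtX2FP5dUrJ9hUCuW9n4SlJ/JhpxI9m/1owIg=,iv:ok4pyUUv80kPY9n4WQmBGYHmMsPJnG0tnF+vbNhqc3s=,tag:OPribO7RoVCkFkTrYrHw7w==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1rgu2e75kt4uztr43y6wj70uz2sj3tr9lz58y4h6rk37alq2vwa5q9v35dr
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJamxiNDlnRWJ6ZGFRaEtu
+bGRveE9aWWY4c2duYkFYU2NKQlBSYjNWT3dZClNtNkpiRENNRFdUcTN6MENhU1Z1
+YzVDa21peTluVkFoQURnK0xZQjNFZm8KLS0tIGpPbE95NVM2aUNrWWlEVGUybXpP
+cXpCMmsxTkxKSXBjSmV2azNIcW04a1UKF8O99FpHDZSO0XFeCzWyoxJvjmvjvWFH
+aOFSWHO64UDlSY/1eQmIYr/xad/BxxYnkrqlJib5tpmPkoi1qyuZVg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age18gts35ruwj67kjgjtgrgrxup83apr8ekgrp98r434wcn2pf0l9sqnq5j2y
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFQmlDMzJQSEM3cjdnZmpy
+RUgzZTYvT3RrQ2RMUmNNNWRvL2NjSUJvdW1jCkFvaVFOZUdPMWQxNnhGLzgwa2w4
+MHpwVzJkQjZvd25oaENqbzdrT1dmazQKLS0tIE1MdmVrNVRscGlXeTB0NXV6SUMv
+RDNob1FNdFZQUUk0SmVDUnZBc3FNdVEKcyNWzjvIZIBR39kQkUsSSmHJ+gePPtbS
+PUcLp6jYFvPDyldLm+PqIApEL9X0d/0ccvY+wwkPCiqSPFZbBLitgg==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-11-05T22:30:48Z"
+mac: ENC[AES256_GCM,data:GI5Hb8zvafTdWhpm+D6qp9iefMD9NwYPRBKcxrIL9M1wTMzMzD4QsrbMDKQELfTYK3QhLZ0G4KTmLfoSB1zYO/GtslRDAAHmFzLuNNVJ9/8gIrd/Gb12JLnUDjJrxYEeF15NKnyqRMKUVQiJgYd8ggLGzT9pRqaMNTKCYutqsaE=,iv:XB/Ddi7mU9SdRD7nHkyAZR+gTZ9ZY2ZrvHlb0kFK/4Q=,tag:OgEw78w4o44CamP/4C6Y7g==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.9.1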


@ -74,8 +74,9 @@ storage:
path: /data/db.sqlite3 path: /data/db.sqlite3
notifier: notifier:
disable_startup_check: true
smtp: smtp:
address: 'smtp.mail.ovh.net' address: 'smtp://smtp.gasdev.fr:25'
username: 'postmaster@gasdev.fr' username: 'postmaster@gasdev.fr'
sender: 'Authelia <authelia@gasdev.fr>' sender: 'Authelia <authelia@gasdev.fr>'
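Review bot: `address: 'smtp://smtp.gasdev.fr:25'` combined with the added `disable_startup_check: true` means Authelia no longer verifies at startup that it can reach the relay and negotiate TLS, so a misconfiguration now surfaces only when the first notification is sent; the reason for disabling the check (presumably the mail server on the same host is not yet listening when Authelia starts) belongs in a comment above it, e.g. `# startup check disabled: stalwart-mail may still be starting when authelia comes up`. Port 25 is the MTA-to-MTA port; Outline in this same compare submits to the same host on 465 (implicit TLS) and Stalwart opens 465 too, so `submissions://smtp.gasdev.fr:465` (if the Authelia version in use accepts that scheme) would keep the two services consistent and not depend on STARTTLS being offered on 25. Either way, leave `disable_require_tls` at its default so the postmaster credentials are never sent on an unencrypted session. The `notifier` block continues outside the hunk.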


@ -28,7 +28,7 @@
}; };
smtp = { smtp = {
host = "smtp.mail.ovh.net"; host = "smtp.gasdev.fr";
port = 465; port = 465;
username = "postmaster@gasdev.fr"; username = "postmaster@gasdev.fr";
passwordFile = config.sops.secrets."outline/SMTP_PASSWORD".path; passwordFile = config.sops.secrets."outline/SMTP_PASSWORD".path;


@ -1,16 +1,20 @@
{config, ...}: let {config, ...}: let
domain = "mail.gasdev.fr"; domain = "gasdev.fr";
in { in {
sops.secrets."stalwart-mail/ADMIN_SECRET".owner = "stalwart-mail"; sops.secrets."stalwart-mail/ADMIN_SECRET".owner = "stalwart-mail";
services.caddy.virtualHosts."${domain}".extraConfig = '' services.caddy.virtualHosts."${domain}".extraConfig = ''
redir https://www.gasdev.fr
'';
services.caddy.virtualHosts."mail.${domain}".extraConfig = ''
reverse_proxy 127.0.0.1:8080 reverse_proxy 127.0.0.1:8080
''; '';
services.stalwart-mail = { services.stalwart-mail = {
enable = true; enable = true;
settings = { settings = {
lookup.default.hostname = "${domain}"; lookup.default.hostname = "mail.${domain}";
server = { server = {
tls.certificate = "default"; tls.certificate = "default";
http = { http = {
@ -82,7 +86,7 @@ in {
}; };
}; };
networking.firewall.allowedTCPPorts = [22 465 993]; networking.firewall.allowedTCPPorts = [25 465 993];
systemd.timers."stalwart-mail-update-certs" = { systemd.timers."stalwart-mail-update-certs" = {
wantedBy = ["timers.target"]; wantedBy = ["timers.target"];
@ -107,7 +111,7 @@ in {
cat "''\${CADDY_CERT_DIR}/${domain}.key" > "''\${STALWART_CERT_DIR}/${domain}.priv.pem" cat "''\${CADDY_CERT_DIR}/${domain}.key" > "''\${STALWART_CERT_DIR}/${domain}.priv.pem"
chown -R stalwart-mail:stalwart-mail "''\${STALWART_CERT_DIR}" chown -R stalwart-mail:stalwart-mail "''\${STALWART_CERT_DIR}"
chmod -R 0600 "''\${STALWART_CERT_DIR}" chmod -R 0700 "''\${STALWART_CERT_DIR}"
''; '';
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
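Review bot: Changing `domain` to `"gasdev.fr"` also changes the meaning of the unchanged copy lines in the third hunk, which now take Caddy's `gasdev.fr` key and certificate and install them as Stalwart's `default` certificate while `lookup.default.hostname` becomes `mail.gasdev.fr`; unless Caddy's certificate for `gasdev.fr` carries the `mail.`/`smtp.` names as SANs (not visible here), clients connecting to `smtp.gasdev.fr:465` as Outline and Authelia now do will see a name mismatch, so a separate `mailDomain = "mail.${domain}"` used for the vhost, the hostname and the cert copy would keep them tied together. Also in that hunk, `chmod -R 0700` marks the private key executable; the directory needs `0700` but the files want `0600`, i.e. `chmod 0700 "''\${STALWART_CERT_DIR}"` followed by `chmod 0600 "''\${STALWART_CERT_DIR}"/*`. In the second hunk `allowedTCPPorts` drops 22 while adding 25; that is fine only if `services.openssh.openFirewall` (default true) already opens SSH on the OVH host, which is worth confirming before deploying. The `stalwart-mail-update-certs` unit starts, and its script ends, outside these hunks.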


@ -51,6 +51,11 @@
publicKey = "cpBhnLD4u5brDZsc2uqXVlelApCIXFdRnfJXJU1WDmM="; publicKey = "cpBhnLD4u5brDZsc2uqXVlelApCIXFdRnfJXJU1WDmM=";
allowedIPs = ["10.8.0.11/32"]; allowedIPs = ["10.8.0.11/32"];
} }
{
# pi4
publicKey = "F9AkCI0FGkrFhCq+SvCT1F2RG2ApNUy+SeIj1+VPtXI=";
allowedIPs = ["10.8.0.31/32"];
}
]; ];
}; };
}; };