No commits in common. "65ace16b843da660cbc85791a69bf024e533d3f0" and "535d4a3a7790b812cab9b73eab9064f3db9369a6" have entirely different histories.
65ace16b84
...
535d4a3a77
20 changed files with 17 additions and 1010 deletions
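--- a/.sops.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-keys:
-- &admin_gaspard age1rgu2e75kt4uztr43y6wj70uz2sj3tr9lz58y4h6rk37alq2vwa5q9v35dr
-- &server_ovh age1th4zyxdg3y5sdza9v3zlezzru7wyqwvk5y0t7jdv97ej3gd6d5hs5mg7cr
-creation_rules:
-- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
-key_groups:
-- pgp:
-age:
-- *admin_gaspard
-- *server_ovh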
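--- a/README.md
+++ /dev/null
@@ -1,33 +0,0 @@
-# Gasdev infrastructure
-
-## Initial installation
-
-Cloud providers not always provide a NixOS install option, so I use [nixos-anywhere](https://github.com/nix-community/nixos-anywhere) for remote NixOS installation using SSH
-
-### Kexec installation
-
-As specified in [nixos-images](https://github.com/nix-community/nixos-images#kexec-tarballs):
-
-```sh
-# Run as root
-curl -L https://github.com/nix-community/nixos-images/releases/download/nixos-unstable/nixos-kexec-installer-noninteractive-x86_64-linux.tar.gz | tar -xzf- -C /root
-/root/kexec/run
-```
-
-The machine will restart in a new NixOS installation. The existing SSH keys are copied to the new installation's _root_ user.
-
-### NixOS-everywhere
-
-```sh
-nix run github:nix-community/nixos-anywhere -- --flake .#<configuration name> root@<ip address>
-```
-
-## Deploy configuration
-
-In order to deploy new configuration changes after the initial NixOS installation, I use [deploy-rs](https://github.com/serokell/deploy-rs). It requires a properly set-up **ssh-agent** and SSH keys being installed on the **root** user.
-
-Then you can deploy the new configuration:
-
-```sh
-deploy .#<configuration name>
-```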
159
flake.lock
159
flake.lock
|
@ -79,48 +79,6 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"caddy": {
|
|
||||||
"inputs": {
|
|
||||||
"nixpkgs": [
|
|
||||||
"nixpkgs"
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1727938992,
|
|
||||||
"narHash": "sha256-uFzTqMYO9anwxQsfJ4AWEd0+FyBaiKjJ/bYF+ABFOB8=",
|
|
||||||
"owner": "GaspardCulis",
|
|
||||||
"repo": "nixos-caddy-ovh",
|
|
||||||
"rev": "01860dceb7292392addda3780c6c8832f345b0f0",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "GaspardCulis",
|
|
||||||
"repo": "nixos-caddy-ovh",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"deploy-rs": {
|
|
||||||
"inputs": {
|
|
||||||
"flake-compat": "flake-compat",
|
|
||||||
"nixpkgs": [
|
|
||||||
"nixpkgs"
|
|
||||||
],
|
|
||||||
"utils": "utils"
|
|
||||||
},
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1727447169,
|
|
||||||
"narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=",
|
|
||||||
"owner": "serokell",
|
|
||||||
"repo": "deploy-rs",
|
|
||||||
"rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "serokell",
|
|
||||||
"repo": "deploy-rs",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"disko": {
|
"disko": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
|
@ -128,11 +86,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1729712798,
|
"lastModified": 1729281548,
|
||||||
"narHash": "sha256-a+Aakkb+amHw4biOZ0iMo8xYl37uUL48YEXIC5PYJ/8=",
|
"narHash": "sha256-MuojlSnwAJAwfhgmW8ZtZrwm2Sko4fqubCvReqbUzYw=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "disko",
|
"repo": "disko",
|
||||||
"rev": "09a776702b004fdf9c41a024e1299d575ee18a7d",
|
"rev": "a6a3179ddf396dfc28a078e2f169354d0c137125",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -161,22 +119,6 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"flake-compat": {
|
|
||||||
"flake": false,
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1696426674,
|
|
||||||
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
|
|
||||||
"owner": "edolstra",
|
|
||||||
"repo": "flake-compat",
|
|
||||||
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "edolstra",
|
|
||||||
"repo": "flake-compat",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"flake-parts": {
|
"flake-parts": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"nixpkgs-lib": [
|
"nixpkgs-lib": [
|
||||||
|
@ -205,11 +147,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1729716953,
|
"lastModified": 1729459288,
|
||||||
"narHash": "sha256-FbRKGRRd0amsk/WS/UV9ukJ8jT1dZ2pJBISxkX+uq6A=",
|
"narHash": "sha256-gBOVJv+q6Mx8jGvwX7cE6J8+sZmi1uxpRVsO7WxvVuQ=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "home-manager",
|
"repo": "home-manager",
|
||||||
"rev": "a4353cc43d1b4dd6bdeacea90eb92a8b7b78a9d7",
|
"rev": "1e27f213d77fc842603628bcf2df6681d7d08f7e",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -223,11 +165,11 @@
|
||||||
"hyprland": "hyprland"
|
"hyprland": "hyprland"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1729590988,
|
"lastModified": 1729122023,
|
||||||
"narHash": "sha256-K/XcQJQ25SlG7My1EvF5JOEZduhHmGvbkSDATfdNwUw=",
|
"narHash": "sha256-OJNfAveVogmpSIJ7V3eCSWVGvmWOVQfMQTfOpK163HQ=",
|
||||||
"owner": "outfoxxed",
|
"owner": "outfoxxed",
|
||||||
"repo": "hy3",
|
"repo": "hy3",
|
||||||
"rev": "f919ed22ae177e4e5c81d3e14a52f0c32da4a899",
|
"rev": "29293bf7d509cd18e25a59e15841538fcdef580a",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -277,7 +219,7 @@
|
||||||
"hyprutils": "hyprutils",
|
"hyprutils": "hyprutils",
|
||||||
"hyprwayland-scanner": "hyprwayland-scanner",
|
"hyprwayland-scanner": "hyprwayland-scanner",
|
||||||
"nixpkgs": "nixpkgs",
|
"nixpkgs": "nixpkgs",
|
||||||
"systems": "systems_3",
|
"systems": "systems_2",
|
||||||
"xdph": "xdph"
|
"xdph": "xdph"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
|
@ -452,29 +394,13 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"nixpkgs-stable": {
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1729357638,
|
|
||||||
"narHash": "sha256-66RHecx+zohbZwJVEPF7uuwHeqf8rykZTMCTqIrOew4=",
|
|
||||||
"owner": "NixOS",
|
|
||||||
"repo": "nixpkgs",
|
|
||||||
"rev": "bb8c2cf7ea0dd2e18a52746b2c3a5b0c73b93c22",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "NixOS",
|
|
||||||
"ref": "release-24.05",
|
|
||||||
"repo": "nixpkgs",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"nixpkgs_2": {
|
"nixpkgs_2": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1729665710,
|
"lastModified": 1729256560,
|
||||||
"narHash": "sha256-AlcmCXJZPIlO5dmFzV3V2XF6x/OpNWUV8Y/FMPGd8Z4=",
|
"narHash": "sha256-/uilDXvCIEs3C9l73JTACm4quuHUsIHcns1c+cHUJwA=",
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "2768c7d042a37de65bb1b5b3268fc987e534c49d",
|
"rev": "4c2fcb090b1f3e5b47eaa7bd33913b574a11e0a0",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -488,8 +414,6 @@
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"anixrun": "anixrun",
|
"anixrun": "anixrun",
|
||||||
"anyrun": "anyrun",
|
"anyrun": "anyrun",
|
||||||
"caddy": "caddy",
|
|
||||||
"deploy-rs": "deploy-rs",
|
|
||||||
"disko": "disko",
|
"disko": "disko",
|
||||||
"end-rs": "end-rs",
|
"end-rs": "end-rs",
|
||||||
"home-manager": "home-manager",
|
"home-manager": "home-manager",
|
||||||
|
@ -498,29 +422,7 @@
|
||||||
"hy3",
|
"hy3",
|
||||||
"hyprland"
|
"hyprland"
|
||||||
],
|
],
|
||||||
"nixpkgs": "nixpkgs_2",
|
"nixpkgs": "nixpkgs_2"
|
||||||
"sops-nix": "sops-nix"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"sops-nix": {
|
|
||||||
"inputs": {
|
|
||||||
"nixpkgs": [
|
|
||||||
"nixpkgs"
|
|
||||||
],
|
|
||||||
"nixpkgs-stable": "nixpkgs-stable"
|
|
||||||
},
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1729775275,
|
|
||||||
"narHash": "sha256-J2vtHq9sw1wWm0aTMXpEEAzsVCUMZDTEe5kiBYccpLE=",
|
|
||||||
"owner": "Mic92",
|
|
||||||
"repo": "sops-nix",
|
|
||||||
"rev": "78a0e634fc8981d6b564f08b6715c69a755c4c7d",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "Mic92",
|
|
||||||
"repo": "sops-nix",
|
|
||||||
"type": "github"
|
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"systems": {
|
"systems": {
|
||||||
|
@ -539,21 +441,6 @@
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"systems_2": {
|
"systems_2": {
|
||||||
"locked": {
|
|
||||||
"lastModified": 1681028828,
|
|
||||||
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
|
||||||
"owner": "nix-systems",
|
|
||||||
"repo": "default",
|
|
||||||
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "nix-systems",
|
|
||||||
"repo": "default",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"systems_3": {
|
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1689347949,
|
"lastModified": 1689347949,
|
||||||
"narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
|
"narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
|
||||||
|
@ -568,24 +455,6 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"utils": {
|
|
||||||
"inputs": {
|
|
||||||
"systems": "systems_2"
|
|
||||||
},
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1701680307,
|
|
||||||
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
|
|
||||||
"owner": "numtide",
|
|
||||||
"repo": "flake-utils",
|
|
||||||
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "numtide",
|
|
||||||
"repo": "flake-utils",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"xdph": {
|
"xdph": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"hyprland-protocols": "hyprland-protocols_2",
|
"hyprland-protocols": "hyprland-protocols_2",
|
||||||
|
|
48
flake.nix
48
flake.nix
|
@ -8,26 +8,11 @@
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
};
|
};
|
||||||
|
|
||||||
caddy = {
|
|
||||||
url = "github:GaspardCulis/nixos-caddy-ovh";
|
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
|
||||||
};
|
|
||||||
|
|
||||||
disko = {
|
disko = {
|
||||||
url = "github:nix-community/disko";
|
url = "github:nix-community/disko";
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
};
|
};
|
||||||
|
|
||||||
deploy-rs = {
|
|
||||||
url = "github:serokell/deploy-rs";
|
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
|
||||||
};
|
|
||||||
|
|
||||||
sops-nix = {
|
|
||||||
url = "github:Mic92/sops-nix";
|
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
|
||||||
};
|
|
||||||
|
|
||||||
# Hyprland
|
# Hyprland
|
||||||
hyprland = {
|
hyprland = {
|
||||||
url = "git+https://github.com/hyprwm/Hyprland?submodules=1";
|
url = "git+https://github.com/hyprwm/Hyprland?submodules=1";
|
||||||
|
@ -56,8 +41,6 @@
|
||||||
self,
|
self,
|
||||||
nixpkgs,
|
nixpkgs,
|
||||||
disko,
|
disko,
|
||||||
deploy-rs,
|
|
||||||
sops-nix,
|
|
||||||
home-manager,
|
home-manager,
|
||||||
...
|
...
|
||||||
} @ inputs: let
|
} @ inputs: let
|
||||||
|
@ -73,16 +56,6 @@
|
||||||
home-manager.nixosModules.home-manager
|
home-manager.nixosModules.home-manager
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
OVHCloud = nixpkgs.lib.nixosSystem {
|
|
||||||
extraArgs = {inherit inputs;};
|
|
||||||
modules = [
|
|
||||||
./hosts/OVHCloud
|
|
||||||
disko.nixosModules.disko
|
|
||||||
sops-nix.nixosModules.sops
|
|
||||||
home-manager.nixosModules.home-manager
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
homeConfigurations = {
|
homeConfigurations = {
|
||||||
|
@ -105,28 +78,13 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
deploy.nodes.OVHCloud = {
|
|
||||||
hostname = "gasdev.fr";
|
|
||||||
profiles.system = {
|
|
||||||
user = "root";
|
|
||||||
sshUser = "root";
|
|
||||||
sshOpts = ["-p" "22"];
|
|
||||||
sudo = "";
|
|
||||||
path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.OVHCloud;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
|
|
||||||
|
|
||||||
devShells.${system}.default = pkgs.mkShell {
|
devShells.${system}.default = pkgs.mkShell {
|
||||||
packages = with pkgs; [
|
nativeBuildInputs = with pkgs; [
|
||||||
alejandra
|
|
||||||
git
|
git
|
||||||
helix
|
helix
|
||||||
nil
|
|
||||||
pkgs.sops
|
|
||||||
pkgs.home-manager
|
pkgs.home-manager
|
||||||
pkgs.deploy-rs
|
alejandra
|
||||||
|
nil
|
||||||
];
|
];
|
||||||
|
|
||||||
shellHook = ''
|
shellHook = ''
|
||||||
|
|
|
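Review bot: In the devShell of the last hunk the tool list is assigned to `nativeBuildInputs` and one entry is spelled `pkgs.home-manager` inside a `with pkgs;` list, which is a style inconsistency: mkShell's `packages` argument is the one documented for shell tooling, and the `pkgs.` prefix is redundant next to the bare `git`, `helix`, `alejandra` and `nil` entries. The same shell would read `packages = with pkgs; [ git helix home-manager alejandra nil ];`, which nix evaluates to the same environment. The `outputs` function and the `devShells.${system}.default` attribute both begin before this hunk and the `shellHook` body continues past it.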
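--- a/hosts/OVHCloud/default.nix
+++ /dev/null
@@ -1,84 +0,0 @@
-{
-inputs,
-config,
-pkgs,
-lib,
-...
-}: {
-nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-
-imports = [
-./hardware-configuration.nix
-./sops.nix
-../../services
-];
-
-# Nix
-nix.settings.experimental-features = ["nix-command" "flakes"];
-
-# Set your time zone.
-time.timeZone = "Europe/Paris";
-
-# Enable the OpenSSH daemon.
-services.openssh = {
-enable = true;
-ports = [22];
-settings = {
-PasswordAuthentication = false;
-};
-};
-users.users.root.openssh.authorizedKeys.keys = [
-"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQyRXFQ6iA5p0vDuoGSHZfajiVZPAGIyqhTziM7QgBV gaspard@nixos"
-];
-
-# Podman
-virtualisation = {
-containers.enable = true;
-oci-containers.backend = "podman";
-podman = {
-enable = true;
-# Required for containers under podman-compose to be able to talk to each other.
-defaultNetwork.settings.dns_enabled = true;
-};
-};
-
-environment.systemPackages = with pkgs; [
-helix
-git
-];
-
-# User config
-users.groups.gaspard = {
-name = "gaspard";
-};
-users.users.gaspard = {
-isNormalUser = true;
-extraGroups = [
-"wheel"
-];
-group = "gaspard";
-openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
-};
-
-home-manager = {
-extraSpecialArgs = {inherit inputs;};
-users = {
-# FIX: No user config file
-"gaspard" = {
-home.username = "gaspard";
-home.homeDirectory = "/home/gaspard";
-home.stateVersion = "24.05";
-
-programs.home-manager.enable = true;
-programs.direnv.enable = true;
-
-imports = [
-../../shell
-../../editor
-];
-};
-};
-};
-
-system.stateVersion = "24.11";
-}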
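--- a/hosts/OVHCloud/disko-config.nix
+++ /dev/null
@@ -1,54 +0,0 @@
-{lib, ...}: {
-disko.devices = {
-disk.disk1 = {
-device = lib.mkDefault "/dev/sda";
-type = "disk";
-content = {
-type = "gpt";
-partitions = {
-boot = {
-name = "boot";
-size = "1M";
-type = "EF02";
-};
-esp = {
-name = "ESP";
-size = "500M";
-type = "EF00";
-content = {
-type = "filesystem";
-format = "vfat";
-mountpoint = "/boot";
-};
-};
-root = {
-name = "root";
-size = "100%";
-content = {
-type = "lvm_pv";
-vg = "pool";
-};
-};
-};
-};
-};
-lvm_vg = {
-pool = {
-type = "lvm_vg";
-lvs = {
-root = {
-size = "100%FREE";
-content = {
-type = "filesystem";
-format = "ext4";
-mountpoint = "/";
-mountOptions = [
-"defaults"
-];
-};
-};
-};
-};
-};
-};
-}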
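--- a/hosts/OVHCloud/hardware-configuration.nix
+++ /dev/null
@@ -1,48 +0,0 @@
-{
-modulesPath,
-config,
-inputs,
-pkgs,
-...
-}: {
-imports = [
-(modulesPath + "/profiles/qemu-guest.nix")
-./disko-config.nix
-];
-
-boot.loader.grub = {
-efiSupport = true;
-efiInstallAsRemovable = true;
-};
-
-# Firewall
-networking.nftables.enable = true;
-networking.firewall = {
-enable = true;
-allowedTCPPorts = [22 80 443];
-};
-
-# Proxy
-environment.systemPackages = with pkgs; [
-nss.tools
-];
-
-services.caddy = {
-enable = true;
-package = inputs.caddy.packages.${pkgs.system}.caddy;
-
-globalConfig = ''
-acme_dns ovh {
-endpoint {$OVH_ENDPOINT}
-application_key {$OVH_APPLICATION_KEY}
-application_secret {$OVH_APPLICATION_SECRET}
-consumer_key {$OVH_CONSUMER_KEY}
-}
-'';
-};
-systemd.services.caddy = {
-serviceConfig = {
-EnvironmentFile = config.sops.templates."caddy.env".path;
-};
-};
-}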
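--- a/hosts/OVHCloud/sops.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{config, ...}: {
-# This will add secrets.yml to the nix store
-# You can avoid this by adding a string to the full path instead, i.e.
-# sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
-sops.defaultSopsFile = ../../secrets/OVHCloud.yaml;
-# This will automatically import SSH keys as age keys
-sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
-
-sops.secrets."caddy/ovh_endpoint".owner = "caddy";
-sops.secrets."caddy/ovh_application_key".owner = "caddy";
-sops.secrets."caddy/ovh_application_secret".owner = "caddy";
-sops.secrets."caddy/ovh_consumer_key".owner = "caddy";
-
-sops.templates."caddy.env" = {
-content = ''
-OVH_ENDPOINT=${config.sops.placeholder."caddy/ovh_endpoint"}
-OVH_APPLICATION_KEY=${config.sops.placeholder."caddy/ovh_application_key"}
-OVH_APPLICATION_SECRET=${config.sops.placeholder."caddy/ovh_application_secret"}
-OVH_CONSUMER_KEY=${config.sops.placeholder."caddy/ovh_consumer_key"}
-'';
-owner = "caddy";
-};
-}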
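--- a/secrets/OVHCloud.yaml
+++ /dev/null
@@ -1,72 +0,0 @@
-authelia:
-JWT_SECRET: ENC[AES256_GCM,data:a1LyPNaojDm8JtcCahkYx8TGGjbh2Appz1s5ruZzQs4VOMgtdV7MWl3RMpk=,iv:7y+ZhNYMS8t6Y3YqBJjnESBCK5BPM6Y+BbXMDSUQcc0=,tag:ksoR48cTA2eIg+JEvCXFWw==,type:str]
-SESSION_SECRET: ENC[AES256_GCM,data:kr8+BsQhJQRmfhvzlOGBItqiRtHi2BcD9adhsL1N8FURe8sCPoOiNnwT0IM=,iv:97UPC5Woerm+ftrOMJ0HBM8jhF5ea+2H3QZU3a6i+fY=,tag:63N+r/BoBDaWYcEXUtIksw==,type:str]
-STORAGE_PASSWORD: ENC[AES256_GCM,data:o+7Bszd/hPOaMMF/NOHVxMTY92hUZrFYu+4gkYkMkAubYiEfsX6kus4oToA=,iv:Q2sl8ZKblupyMO7GY/VCklQWTlHRtSsuVHRC60uwPfc=,tag:QxbpVJXq3HtEzHeFLoVOEw==,type:str]
-STORAGE_ENCRYPTION_KEY: ENC[AES256_GCM,data:gGIayEmpkF+uLpsn69DgWcZPzeIV9xgAFBFgEMEKvSCoGx5id1bq/EFM81o=,iv:6SjBuo+/WosohTEWX8QwPqHd2f80ljx+m3WSjiChusU=,tag:pk2mNtGTOpFNcyVO8fFFuQ==,type:str]
-SMTP_PASSWORD: ENC[AES256_GCM,data:cO2y3TQx/HJpjgseJt9ju9BvjZ2ZLUMf,iv:cWQDU2gtcml4zHlvtINW6k/6CwZtjxkDNWBiMguSijw=,tag:kA3PptaPHszw1FLwA9BTvQ==,type:str]
-OIDC_HMAC_SECRET: ENC[AES256_GCM,data:AYVbbPVGqmx+ZOC6Y1xcHYZcz/aoTsv15v7FUL8MCU3+/VuEp0vE6pcxTxc=,iv:Pm/b1mEEgvfTKQr6FXibWAmcZGg9i+sxoqCQ+nD0aVE=,tag:6HaG0g6Rvf2lC9mzWpsHwg==,type:str]
-#ENC[AES256_GCM,data:fCLX44MuqhAVHADGxHkVu53bnUSVKRzbUiucasqvu0gLbLOt1UWSyOTGhVUrgdjQC4QtemcqbTsVjBb0cvL7TA7EeYDKLg==,iv:cdhu+Vx/TfyDSsETHAfj3ZJSNRijr6pwW5Ca6uOVGLQ=,tag:2c3m2PmJ8hzU5XDk1eLJrw==,type:comment]
-OIDC_JWKS_PRIVATE_KEY: ENC[AES256_GCM,data:jHGumhi77Hr8ZfR8zzNoSfKZvoc5RM35m+IzUybXtQANrT/JXCzWOOYI5cc9nRHJnKLEP80XvSEKzoFspMe1Xl28y1rJacPdx+HbvwEOP3JU+UxBRVjY7ptO/mtDaae7XWEDaEdna1ItqkXiJMkYc+XR0fb/UrD7x/DVNSUGamqTgNIi+oV3QzlVoLd3knVel/ujGaRNd/Dys7G1Ig7mDibH+8z4LTEiNdxJenYHAIFelJeiVWgFNtyT2Uljs9hjCtwJGwl+TmAykzggriTjenlLzmWgYt9kycxkR0hWRDS8zAzLbcloUy9wkNnDrxK9kLtr7G//eDC98UmupvVhDmJaZzgNQOHTVPsF0w7RQ6JRiu6tTbMVQN8g0pH11Zo9A8kJUgCKZWEuh9JbtvG2skrG5OVJVm2Hv0R/FIauypaXM+AXF49D+E0PGP6Os8azk2DDaTBTl8m+7x28VsZMxbwwZtmbPaAVXAyDoCYKa4Ac+LdE1QMv7biiTBOsd4G1iV3nE1b3KO/Jkhb8VS4rxfVbPtU6EOwrBXnZ+0RzK2dJakAkwvLeaUiRnVA8j2o+TKD7n8TPRhuVIfB4ru6LymttzLYveXju7tvN0HHkJL9OoIRFE8i82wSK6s6d1CVrJH1hJtwvZGemuaPRxG/bIJYEtRtsxZO2SPo1F7MLg4XrubaEuNFqJsQAmV2ip3XKsmzIz5yezz0YdgiyYj5i6mXQb4tO5Bmj0OxsmAv/loNHjREwnC5jECT8txKCqkV6V5y5DtLnRR7aZY6X+k84pfGXSi29xupEaU4/NCUM7T5rv8Gl076BSKAQnkwLW3PmtL4g3r/kU0woda0L4RHbgsPT6/kMe7Foxx5UtV4+kaJgA99nXIL2TaYlc9RZlVYOOhTxgT/ZBKdU8lF29sej4nMVQdc1NP2ujq2xG/fffZTHIyPV7W17NbjgRr17STpji1f1PSremU37kpk/hPeaj9F7fnuqNGPuh09EfpnXH3EKzu1gQamfvPNmH0rsglrtxoImaeok41Lrpa7/4CbS03fCwKfNLg7CGdJbUxl9v0hviB3vGj3dJm4DWRW/fAeaJVdxYsIOsRKZT4g32mjOiEcgH2JHOGTD/d64Z0TpvO57bYjBjSMO4oK59/XY8uD1PwqEsiigrAQW9Tww9711NBXlAqDPpgLou6SUrySq/ZnsUeZofpJPAt8VCmZAcGUxVrMTpvCTMkcp7dfrg2yuVqNcQGVtTeHNpX0GBLrlLTocsf7YU5RAoOzHBeT4PVRsKmupuT0zD1S6eBSTgRH7mR2gS5hR5XxbniIfHEXUC2mE6cydsdh7arD3M4mf9UzAoBs6w0pZyO7ztOGX4FaZf5rWE+lizGf2bfvZqXGTRX94h11gSt+VLQqRjb4b8h+ZVhKFwEiVxpFn6GmvuN4lIfK/7xfvwAisCUDAjbNaV5mFfeS7o8l9pclZ+mni86AFgNnMiAJaPKsoClBACabYCRdSxrtAWIsiM9pfQCeHHy6d18dJqLCOBB62IQ4iZJ7YtJF3dV2q6ZKmo9XQwA4YUpj93Qe9b6d7FPtOiBgySlUay5EwDXDteNMcH1hfbTOxMvau5JcePDsDkmH/fzLdBhszCECrsdQBDR+nSCsd8DLyKifyVdHhMd0YJU3oiCpMGIIYlDeLRmBwsXdY88xPhTlItko2bH38581uvPcrp03jXLD0IPPhAYxpjfSJQ33pGX7U0NMQgXH1W1+dqGFpDhX6o7e7lQ/uxXvi/DBz6zoORfSOs+TD0xi4ptkjbHu6xsH9Slrx0JsxyT5yWGBqlYd9QxwsOxbe6X5jZSgxPyRvUdLTGhs6BeZ8UO8/IAZaHQq3WRycnBsA1M0ZJ+HP86Xy9zKg5wCrKzIcoHLfylSBPiChOHvjhJP0C0gt4uSz2f/7hfeJ3JNfNp+yCWZ3VtgzatBkiegjC0V72/HwN9AeaGnoJJ6mC4D5wSoJ7y1bugtFSo9t3wIlA9UjtEPqi/O5C/liG3vCAXluE64J778PSQq1Bm7yztPvo0p460IwXmJ6p635gMVcAlCraBnKTBTwzz+hKIdj+Ok5NBvu0WG/zDXiIWHushIY4XneJC6qryqkBr3HMfYj/OkAkRX/hCbSnsZN8Fc69hyUzryu07up0/q9/R1uYKp6jbAHKONoPfEfip43v0FfP6ncQv9cDcvUE0W/z1TNkNNFDx8nEOtrAu+8fty1fQrj2w==,iv:YGEXMLWOoQ19cbftQU9/4kFNcWIqjnw2GgZIddBwbrc=,tag:og1Avj5ZcYblJWrE2q2Bcg==,type:str]
-#ENC[AES256_GCM,data:gIGYsk5h40IBhtmRM4G/yA==,iv:6tdKmKcvTQH7STvVjPIpwmGS2TEzZjX25CBwRIF8fjY=,tag:9pO4w0Zw+5iNkxwWf5VJDw==,type:comment]
-caddy:
-ovh_endpoint: ENC[AES256_GCM,data:dTdfKCWE,iv:NnmdUyM9F8ujEIfEEl9WXGLY3zRpIy9BDeqs1frK+R0=,tag:1AblJqi2hKISXBqNdWybqQ==,type:str]
-ovh_application_key: ENC[AES256_GCM,data:48HzVrSa35qUSkLO7sbUwg==,iv:QfTRXsfTlgeoJdRJIph39EBbLynRNxH4DkFuuC06IuE=,tag:m8lJPHEEpK24MKUou0MTpw==,type:str]
-ovh_application_secret: ENC[AES256_GCM,data:X+grjuPsaIRYUEZZyoL1Tqx55tNYpvovYsXEwB15+K0=,iv:b88NCbfxahkryBp6eey74hc2IBwLTbTBe001uVJHaKw=,tag:HDw8w4g5ZS4m8ePCvvwJqw==,type:str]
-ovh_consumer_key: ENC[AES256_GCM,data:oFLHB7obwz3F59Vt8LRxpKaHBjEaoYCrKLKPoqVHz4M=,iv:rXxR2Nv3YaT2QubZUqIi60RxaHe9ZaIT9hLiogbPVFw=,tag:5m+xXEUbN+a2fHCf+EXf9A==,type:str]
-garage:
-RPC_SECRET: ENC[AES256_GCM,data:OJbIST1mtpqMNk+MKnGFy6+tXjc6aEOMIWnfs8QY9ozpxN2apAN7ZrjAAZc3J7ORUIhUQh8Vjkb1EhxdqGxERA==,iv:NhREhGE0wz3/0sdXUxuDqWaPdjeeQFau2OEVsqpV3F0=,tag:yGYd5txtVQzIOchh2L/XXQ==,type:str]
-gitlab:
-DATABASE_PASSWORD: ENC[AES256_GCM,data:XINUoSf8FdPdZamlU5OlVf5cwNzd+1cC,iv:pdExA2VOiaQPEVSqNqnTLpqC72Q/bMlZqVVKuUOjTlg=,tag:nTZiUxo4YIDluRSJJ0yj0w==,type:str]
-INITIAL_ROOT_PASSWORD: ENC[AES256_GCM,data:Bst1bbspfLgcvRk=,iv:3H2b9gL8jCEmMUWhrlzy05LghfMa/+6wRDNGITjO3XM=,tag:PXsZ6+2kp9SuS6XRUjCeGw==,type:str]
-SECRET_KEY: ENC[AES256_GCM,data:JBaEx7ktyvbAHoShcgWygrOZcdRoNcpZfiQ8oksxWj+py0dSkbKjzQ0SRRQ=,iv:C6W2SJoIPMg2WYMj1ZrcabcYxwqUgGZzQcKOrBp+rFs=,tag:EpykSmAEvgryxNEca9TM8A==,type:str]
-OTP_KEY: ENC[AES256_GCM,data:BphY+ZO26N82iN1782ephpyqYwTt3UmCawX9/1kwvWEo5OebpUOOOQnR03I=,iv:EaHAW/sb1MGfN9ZFeB8t4xxVUtxb5jM7uL06/eGPxck=,tag:Qg+0oBsc0oB1T8NO2Znw5g==,type:str]
-DB_KEY: ENC[AES256_GCM,data:9Yso0CEnpAU/sX2NW8roSz+w/lhfK220f35U8Z3t+GNOi+Zd7Ybb/7kill4=,iv:fsQ86NRJbLYfjFZ/ka6po1o35dagqmiqhfQmUQNzlPg=,tag:LV9Sh+TlYv+kRW0bLWajnw==,type:str]
-JWS_KEY: ENC[AES256_GCM,data:7QGTClTixUmLFuPwkdvaVbPfZhVFpjtnW4/T6W0Lpu2j5Xt1jxijgRSHYRo=,iv:9v5TGU8+SlKzAQtfF/3VBQ4D9asyNcOOa4ElEG7OQdE=,tag:MPWKPJtFfIeo38uCVG1H7w==,type:str]
-penpot:
-SECRET_KEY: ENC[AES256_GCM,data:Ebeehmby3FBDOaTxwTWg9vKTsB+w8wpa6FdxcvvRTwDR07A0Ljk4WCaPmbPBArbwB14cMSuGeDGBrvNo1x8N+u3FeMMei+TGvgJGssZynxEN7+g5gTg=,iv:ZAa3n7CCyeeeAIv48JpIZmjFiyHiXLFK+Q0Wqf7utFY=,tag:6JZZ53jEM579vYhQG4X2Fw==,type:str]
-OIDC_CLIENT_SECRET: ENC[AES256_GCM,data:+GrXq113byY5XqFDE1tF4n5xcrhIjg2KI39xgxY6hEcS3r6KcF6SAFmczoscMFPJccaTv7Pcr7zfzDxGT7zDuNyj324nzvff,iv:onZV3ESU4Kbvp9x9rfXuq17FlhaoE/4ZXIwH4/bOXPc=,tag:I02FFF54NDMyJuicdwy4TA==,type:str]
-SMTP_HOST: ENC[AES256_GCM,data:grXf4aoolCIEF+xomL9ziE4=,iv:HeUUuJJEjq/CWCWfrxe8ujBaMidFM6B49oHedjD7b3M=,tag:fnsUU8DhgUjtjoKkqw3c4g==,type:str]
-SMTP_PORT: ENC[AES256_GCM,data:Lnh0,iv:gCLwzWrk6hMUZjL1RGi51dS2TULtCfYnlpAOJBVBen0=,tag:fv7lwt36JpKhRjXF41Wc8g==,type:str]
-SMTP_USERNAME: ENC[AES256_GCM,data:VW/cB/BIisGfhwWNLNvRCvWGYI8=,iv:u+nAfJUfMZtthe18DPy4yBEWcbh52ZrUsbaOW8vnbVw=,tag:PLq47UuvDzd/X1aoCtRJjw==,type:str]
-SMTP_PASSWORD: ENC[AES256_GCM,data:tl7hp0a4l8JLOSQQvJNRwF4DR+83FaKI,iv:vR0KiXjnkyO1pa+fxQ6ALoYN6IMFAk07qmMe5qgRB1E=,tag:/RmJIzgjDEBH9XNMol3IUg==,type:str]
-POSTGRES_USER: ENC[AES256_GCM,data:Uk7czFf4,iv:2PGek4z7UJzvs6X4Jq8wx+HkUFYGtq0kVJd5ba3M24E=,tag:QysuNOULNHBPdheBH6CRDA==,type:str]
-POSTGRES_PASSWORD: ENC[AES256_GCM,data:S/VKs3mMwgnlpiDLOrvMX0VLNdCseg==,iv:opj0KJq93DWljtnAmktpzAf1l9b9OCvEPAbTC06IEbQ=,tag:DkmgRJ1AodO/sEty3C6mxg==,type:str]
-AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:1hXif1dLMVHTj7nvqExW6wzFP+1BTwRcqro=,iv:fXqD2fiVQa0DH7z4s70e7ggORppgqoccP+sD6eMQsvw=,tag:g18kahkiT2G9P0SBTB4HfQ==,type:str]
-AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:n+0cr0tDAUAdOu65YOj+reTzF+EoRFVAZVg5172ZKYnjWBuBYjNgy6QyqqcPvZMkBBtybdUimjDgWD6mVmNDew==,iv:UwgB7PLaCoXN/qAA63u9Q8ERkhRaNRlOpSFqrUBUExg=,tag:ggs1ED4Ryb+4+O+7VG0rTQ==,type:str]
-STORAGE_ASSETS_S3_REGION: ENC[AES256_GCM,data:oV4ucbPe,iv:zNsUsftybGcQdryAB+mN9Xb/rVWOLFlVixqRLLz8WIY=,tag:FiiSjLyuK89HK1GEE3BSUA==,type:str]
-STORAGE_ASSETS_S3_ENDPOINT: ENC[AES256_GCM,data:mZjvBvNZC28jUYrK8e6HHixC4GU=,iv:mppmZn7nV/gckB3+GonwQQT5U14qg1FyEnQ92pGDSZI=,tag:rAePtPdd6o+EDC0MrAToKw==,type:str]
-STORAGE_ASSETS_S3_BUCKET: ENC[AES256_GCM,data:nfcjtCQVWhdT1UUYPw==,iv:mF2Esw1GvWAjkabvDde63bAq4V5pXNhbhqsK1dkg5sg=,tag:uE6qKxKSJzYtHWxPMiK3Lw==,type:str]
-shadowsocks:
-password: ENC[AES256_GCM,data:IdAvKXKckwvZUetkYSFTIPxd8nrwm13Ngc3KVDSmiW3AE4Rhmjk2VHjdUyQ=,iv:LVeQcL7XIEQyMTsXpXIROGte2+Z9+7FpemfiwhA0Pw0=,tag:qt+8jgN5UqwMeCV+D3stEQ==,type:str]
-wireguard:
-private_key: ENC[AES256_GCM,data:fjaBcBplx4IOrbnT8PZwUl6m4j4sdiObJYJXSrzCOqXcL3Qyymj4HUPSBuM=,iv:4XVH1d0/PTfVHKtDoziOD3b+TGXafNEGNgqAUtQsoD8=,tag:c/9AQO5TmLPGvIRN59KMZg==,type:str]
-public_key: ENC[AES256_GCM,data:zHQkA3wu7Kn9wnODn65zHKGX3qBvhRa0H/cSlg/8TjyTNtaMgY3Y0RiQEr4=,iv:kaWxt11DR4jZzgfoA7PDg/wPc6VqSoyuFU4KllOzZjY=,tag:acA0M4Eq0AR4FjFJZ4l13w==,type:str]
-sops:
-kms: []
-gcp_kms: []
-azure_kv: []
-hc_vault: []
-age:
-- recipient: age1rgu2e75kt4uztr43y6wj70uz2sj3tr9lz58y4h6rk37alq2vwa5q9v35dr
-enc: |
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqckxiTmx3Rm12ZFJ2ZXBn
-VVdOeCtWeE5xZGExOE4wTFliOGlqWWpWSFNBCmFSWS9MQmt1TWg4VFJzZmNpdStv
-dThvSFlPSjk0dHZGTlEraldHSklDUkkKLS0tIFVjbFliTFZjUlkrejR2RnAwVTRU
-U0NEaEpLREVNMUlxUFNIbTVKaUpoc1EKRC6skQPEMA4odk3yD66bqPa/2rvLGztx
-FTwwdJuE1CXaErwtt7wOfMsb3c9HhpT2R+c76woP20+VsMJdrwdeHg==
------END AGE ENCRYPTED FILE-----
-- recipient: age1th4zyxdg3y5sdza9v3zlezzru7wyqwvk5y0t7jdv97ej3gd6d5hs5mg7cr
-enc: |
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSLy8yZlBuUU5QRXptZmZQ
-UzlLUmxSblpFVCtFdE4vWmUreThhT090aEFrCkV6b2FaVy83QnBTZTVrcWE2RGNE
-VldUZVkveUl5bnFLZzRBR0JCWGhseEUKLS0tIDNZeGczT1BxV21VcnFmSkN0V09P
-MFpMemF4MGg1bmVUeWV5N25LTUtyczQKss0x4zT1kyeRu+qenhrdbcPlU/p+yjVN
-y3j4eGpnwgc2rxSL9vkrrkzx/atUqUkgGU/YstszUrP6XKbJ+9ydpQ==
------END AGE ENCRYPTED FILE-----
-lastmodified: "2024-10-24T10:04:55Z"
-mac: ENC[AES256_GCM,data:fXCKFVev+ALjXdSPDw7QynQvh2ItusAUq/ZHCUv2dTLZcoW1/42hOyRexQPoQTAw+mACB1Sp9IPu5N5Gg3TSoxV6I67q7+S8FZVzfB1a8wMTIDF1vSOp5eHM3g6i8Wjip23V0LqUqjok4tuunDVnkOmp0uD0fLlaIiTpFgS3HJo=,iv:iq8CYdzR2F4knyTBHYIsS/hF+WCYcWXrpBAl2Ow60A0=,tag:hmNaTtIUqHRbU9aFzD6gww==,type:str]
-pgp: []
-unencrypted_suffix: _unencrypted
-version: 3.9.0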
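--- a/services/authelia/configuration.yml
+++ /dev/null
@@ -1,91 +0,0 @@
-theme: 'auto'
-
-access_control:
-default_policy: deny
-rules:
-- domain: '*.gasdev.fr'
-policy: one_factor
-
-server:
-address: 'tcp://:9091/'
-endpoints:
-authz:
-forward-auth:
-implementation: 'ForwardAuth'
-
-session:
-cookies:
-- domain: 'gasdev.fr'
-authelia_url: 'https://auth.gasdev.fr'
-default_redirection_url: 'https://auth.gasdev.fr/authenticated'
-
-identity_providers:
-oidc:
-jwks:
-- key: {{ secret "/secrets/OIDC_JWKS_PRIVATE_KEY" | mindent 10 "|" | msquote }}
-clients:
-- client_id: 'penpot'
-client_name: 'Penpot'
-client_secret: $pbkdf2-sha512$310000$WuYHbHrVI3wMn/tZXwDTMA$WnS0VoR4jLNQnXjJUN46EfnC4QMdpdnNcYsGvSCpkbzguO4of.tCgAeLsfzLgWn9CSGMt20TZOQfc/7IbfwBHg
-redirect_uris: 'https://penpot.gasdev.fr/api/auth/oauth/oidc/callback'
-token_endpoint_auth_method: 'client_secret_post'
-authorization_policy: 'one_factor'
-scopes:
-- 'email'
-- 'openid'
-- 'profile'
-
-
-authentication_backend:
-password_reset:
-disable: false
-
-file:
-path: '/data/users_database.yml'
-password:
-algorithm: 'argon2'
-
-password_policy:
-standard:
-enabled: true
-min_length: 10
-max_length: 128
-require_uppercase: true
-require_lowercase: true
-require_number: true
-require_special: true
-
-storage:
-local:
-path: /data/db.sqlite3
-
-notifier:
-smtp:
-address: 'smtp.mail.ovh.net'
-username: 'postmaster@gasdev.fr'
-sender: 'Authelia <authelia@gasdev.fr>'
-
-log:
-level: 'info'
-format: 'json'
-
-totp:
-issuer: 'gasdev.fr'
-## https://www.authelia.com/c/totp#algorithm
-algorithm: 'SHA1'
-
-## https://www.authelia.com/c/totp#digits
-digits: 6
-period: 30
-## See: https://www.authelia.com/c/totp#input-validation to read
-skew: 1
-
-webauthn:
-disable: true
-
-duo_api:
-disable: true
-
-ntp:
-address: 'udp://time.cloudflare.com:123'
-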
@ -1,38 +0,0 @@
|
||||||
{...}: {
|
|
||||||
sops.secrets."authelia/JWT_SECRET".owner = "root";
|
|
||||||
sops.secrets."authelia/SMTP_PASSWORD".owner = "root";
|
|
||||||
sops.secrets."authelia/SESSION_SECRET".owner = "root";
|
|
||||||
sops.secrets."authelia/STORAGE_PASSWORD".owner = "root";
|
|
||||||
sops.secrets."authelia/STORAGE_ENCRYPTION_KEY".owner = "root";
|
|
||||||
sops.secrets."authelia/OIDC_HMAC_SECRET".owner = "root";
|
|
||||||
sops.secrets."authelia/OIDC_JWKS_PRIVATE_KEY".owner = "root";
|
|
||||||
|
|
||||||
services.caddy.virtualHosts."auth.gasdev.fr".extraConfig = ''
|
|
||||||
reverse_proxy http://127.0.0.1:9091
|
|
||||||
'';
|
|
||||||
|
|
||||||
virtualisation.oci-containers.containers = {
|
|
||||||
authelia = {
|
|
||||||
image = "docker.io/authelia/authelia:latest";
|
|
||||||
autoStart = true;
|
|
||||||
ports = ["127.0.0.1:9091:9091"];
|
|
||||||
environment = {
|
|
||||||
AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE = "/secrets/JWT_SECRET";
|
|
||||||
AUTHELIA_SESSION_SECRET_FILE = "/secrets/SESSION_SECRET";
|
|
||||||
# AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE = "/secrets/STORAGE_PASSWORD";
|
|
||||||
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = "/secrets/STORAGE_ENCRYPTION_KEY";
|
|
||||||
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = "/secrets/SMTP_PASSWORD";
|
|
||||||
AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE = "/secrets/OIDC_HMAC_SECRET";
|
|
||||||
|
|
||||||
X_AUTHELIA_CONFIG_FILTERS = "template";
|
|
||||||
};
|
|
||||||
volumes = [
|
|
||||||
"authelia-data:/data"
|
|
||||||
"/run/secrets/authelia:/secrets"
|
|
||||||
"/etc/authelia/configuration.yml:/config/configuration.yml"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
environment.etc."authelia/configuration.yml".text = builtins.readFile ./configuration.yml;
|
|
||||||
}
|
|
|
@ -1,10 +0,0 @@
|
||||||
{
|
|
||||||
imports = [
|
|
||||||
./authelia
|
|
||||||
./garage
|
|
||||||
./penpot
|
|
||||||
./shadowsocks
|
|
||||||
./uptime-kuma
|
|
||||||
./wireguard
|
|
||||||
];
|
|
||||||
}
|
|
|
@ -1,48 +0,0 @@
|
||||||
# TODO: Run as different user
|
|
||||||
{...}: {
|
|
||||||
sops.secrets."garage/RPC_SECRET".owner = "root";
|
|
||||||
|
|
||||||
services.caddy.virtualHosts."s3.gasdev.fr".extraConfig = ''
|
|
||||||
reverse_proxy http://127.0.0.1:3900
|
|
||||||
'';
|
|
||||||
|
|
||||||
services.caddy.virtualHosts."*.s3.gasdev.fr".extraConfig = ''
|
|
||||||
reverse_proxy http://127.0.0.1:3900
|
|
||||||
'';
|
|
||||||
|
|
||||||
services.caddy.virtualHosts."s3web.gasdev.fr".extraConfig = ''
|
|
||||||
reverse_proxy http://127.0.0.1:3900
|
|
||||||
'';
|
|
||||||
|
|
||||||
services.caddy.virtualHosts."*.s3web.gasdev.fr".extraConfig = ''
|
|
||||||
reverse_proxy http://127.0.0.1:3902
|
|
||||||
'';
|
|
||||||
|
|
||||||
virtualisation.oci-containers.containers = {
|
|
||||||
garage = {
|
|
||||||
image = "docker.io/dxflrs/garage:v1.0.0";
|
|
||||||
autoStart = true;
|
|
||||||
ports = [
|
|
||||||
"127.0.0.1:3900:3900"
|
|
||||||
"127.0.0.1:3901:3901"
|
|
||||||
"127.0.0.1:3902:3902"
|
|
||||||
];
|
|
||||||
volumes = [
|
|
||||||
"/etc/garage.toml:/etc/garage.toml"
|
|
||||||
"/var/lib/garage/meta:/var/lib/garage/meta"
|
|
||||||
"/var/lib/garage/data:/var/lib/garage/data"
|
|
||||||
"/run/secrets/garage/RPC_SECRET:/run/secrets/garage/RPC_SECRET"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
environment.etc."garage.toml".text = builtins.readFile ./garage.toml;
|
|
||||||
systemd.tmpfiles.rules = [
|
|
||||||
"d /var/lib/garage/meta 0700 root root -"
|
|
||||||
"d /var/lib/garage/data 0700 root root -"
|
|
||||||
];
|
|
||||||
|
|
||||||
programs.bash.shellAliases = {
|
|
||||||
garage = "podman exec -it garage /garage";
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,22 +0,0 @@
|
||||||
metadata_dir = "/var/lib/garage/meta"
|
|
||||||
data_dir = "/var/lib/garage/data"
|
|
||||||
db_engine = "lmdb"
|
|
||||||
metadata_auto_snapshot_interval = "6h"
|
|
||||||
|
|
||||||
replication_factor = 1
|
|
||||||
|
|
||||||
compression_level = 2
|
|
||||||
|
|
||||||
rpc_bind_addr = "[::]:3901"
|
|
||||||
rpc_public_addr = "0.0.0.0:3901"
|
|
||||||
rpc_secret_file = "/run/secrets/garage/RPC_SECRET"
|
|
||||||
|
|
||||||
[s3_api]
|
|
||||||
s3_region = "garage"
|
|
||||||
api_bind_addr = "[::]:3900"
|
|
||||||
root_domain = ".s3.gasdev.fr"
|
|
||||||
|
|
||||||
[s3_web]
|
|
||||||
bind_addr = "[::]:3902"
|
|
||||||
root_domain = ".s3web.gasdev.fr"
|
|
||||||
index = "index.html"
|
|
|
@ -1,27 +0,0 @@
|
||||||
{config, ...}: let
|
|
||||||
port = 8086;
|
|
||||||
in {
|
|
||||||
sops.secrets."gitlab/DATABASE_PASSWORD".owner = "gitlab";
|
|
||||||
sops.secrets."gitlab/INITIAL_ROOT_PASSWORD".owner = "gitlab";
|
|
||||||
sops.secrets."gitlab/SECRET_KEY".owner = "gitlab";
|
|
||||||
sops.secrets."gitlab/OTP_KEY".owner = "gitlab";
|
|
||||||
sops.secrets."gitlab/DB_KEY".owner = "gitlab";
|
|
||||||
sops.secrets."gitlab/JWS_KEY".owner = "gitlab";
|
|
||||||
|
|
||||||
services.caddy.virtualHosts."git.gasdev.fr".extraConfig = ''
|
|
||||||
reverse_proxy http://127.0.0.1:${toString port}
|
|
||||||
'';
|
|
||||||
|
|
||||||
services.gitlab = {
|
|
||||||
enable = true;
|
|
||||||
port = port;
|
|
||||||
databasePasswordFile = config.sops.secrets."gitlab/DATABASE_PASSWORD".path;
|
|
||||||
initialRootPasswordFile = config.sops.secrets."gitlab/INITIAL_ROOT_PASSWORD".path;
|
|
||||||
secrets = {
|
|
||||||
secretFile = config.sops.secrets."gitlab/SECRET_KEY".path;
|
|
||||||
otpFile = config.sops.secrets."gitlab/OTP_KEY".path;
|
|
||||||
dbFile = config.sops.secrets."gitlab/DB_KEY".path;
|
|
||||||
jwsFile = config.sops.secrets."gitlab/JWS_KEY".path;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,27 +0,0 @@
|
||||||
{...}: {
|
|
||||||
services.caddy.virtualHosts."console.i2p.gasdev.fr".extraConfig = ''
|
|
||||||
reverse_proxy http://127.0.0.1:7657
|
|
||||||
'';
|
|
||||||
|
|
||||||
services.caddy.virtualHosts."proxy.i2p.gasdev.fr".extraConfig = ''
|
|
||||||
reverse_proxy http://127.0.0.1:7657
|
|
||||||
'';
|
|
||||||
|
|
||||||
virtualisation.oci-containers.containers = {
|
|
||||||
uptime-kuma = {
|
|
||||||
image = "docker.io/geti2p/i2p";
|
|
||||||
autoStart = true;
|
|
||||||
environment = {
|
|
||||||
JVM_XMX = "256m";
|
|
||||||
};
|
|
||||||
ports = [
|
|
||||||
"4444:4444"
|
|
||||||
"6668:6668"
|
|
||||||
"7657:7657"
|
|
||||||
"54321:12345"
|
|
||||||
"54321:12345/udp"
|
|
||||||
];
|
|
||||||
volumes = ["i2phome:/i2p/.i2p" "i2ptorrents:/i2psnark"];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,119 +0,0 @@
|
||||||
{config, ...}: {
|
|
||||||
services.caddy.virtualHosts."penpot.gasdev.fr".extraConfig = ''
|
|
||||||
reverse_proxy http://127.0.0.1:9001
|
|
||||||
'';
|
|
||||||
|
|
||||||
sops.secrets."penpot/SECRET_KEY".owner = "root";
|
|
||||||
sops.secrets."penpot/OIDC_CLIENT_SECRET".owner = "root";
|
|
||||||
sops.secrets."penpot/SMTP_HOST".owner = "root";
|
|
||||||
sops.secrets."penpot/SMTP_PORT".owner = "root";
|
|
||||||
sops.secrets."penpot/SMTP_USERNAME".owner = "root";
|
|
||||||
sops.secrets."penpot/SMTP_PASSWORD".owner = "root";
|
|
||||||
sops.secrets."penpot/POSTGRES_USER".owner = "root";
|
|
||||||
sops.secrets."penpot/POSTGRES_PASSWORD".owner = "root";
|
|
||||||
sops.secrets."penpot/AWS_ACCESS_KEY_ID".owner = "root";
|
|
||||||
sops.secrets."penpot/AWS_SECRET_ACCESS_KEY".owner = "root";
|
|
||||||
sops.secrets."penpot/STORAGE_ASSETS_S3_REGION".owner = "root";
|
|
||||||
sops.secrets."penpot/STORAGE_ASSETS_S3_ENDPOINT".owner = "root";
|
|
||||||
sops.secrets."penpot/STORAGE_ASSETS_S3_BUCKET".owner = "root";
|
|
||||||
sops.templates."penpot.env" = {
|
|
||||||
content = ''
|
|
||||||
PENPOT_SECRET_KEY=${config.sops.placeholder."penpot/SECRET_KEY"}
|
|
||||||
PENPOT_OIDC_CLIENT_SECRET=${config.sops.placeholder."penpot/OIDC_CLIENT_SECRET"}
|
|
||||||
# SMTP
|
|
||||||
PENPOT_SMTP_HOST=${config.sops.placeholder."penpot/SMTP_HOST"}
|
|
||||||
PENPOT_SMTP_PORT=${config.sops.placeholder."penpot/SMTP_PORT"}
|
|
||||||
PENPOT_SMTP_USERNAME=${config.sops.placeholder."penpot/SMTP_USERNAME"}
|
|
||||||
PENPOT_SMTP_PASSWORD=${config.sops.placeholder."penpot/SMTP_PASSWORD"}
|
|
||||||
# Database
|
|
||||||
PENPOT_DATABASE_USERNAME=${config.sops.placeholder."penpot/POSTGRES_USER"}
|
|
||||||
PENPOT_DATABASE_PASSWORD=${config.sops.placeholder."penpot/POSTGRES_PASSWORD"}
|
|
||||||
POSTGRES_USER=${config.sops.placeholder."penpot/POSTGRES_USER"}
|
|
||||||
POSTGRES_PASSWORD=${config.sops.placeholder."penpot/POSTGRES_PASSWORD"}
|
|
||||||
# Storage
|
|
||||||
AWS_ACCESS_KEY_ID=${config.sops.placeholder."penpot/AWS_ACCESS_KEY_ID"}
|
|
||||||
AWS_SECRET_ACCESS_KEY=${config.sops.placeholder."penpot/AWS_SECRET_ACCESS_KEY"}
|
|
||||||
PENPOT_STORAGE_ASSETS_S3_REGION=${config.sops.placeholder."penpot/STORAGE_ASSETS_S3_REGION"}
|
|
||||||
PENPOT_STORAGE_ASSETS_S3_BUCKET=${config.sops.placeholder."penpot/STORAGE_ASSETS_S3_BUCKET"}
|
|
||||||
PENPOT_STORAGE_ASSETS_S3_ENDPOINT=${config.sops.placeholder."penpot/STORAGE_ASSETS_S3_ENDPOINT"}
|
|
||||||
'';
|
|
||||||
owner = "root";
|
|
||||||
};
|
|
||||||
|
|
||||||
virtualisation.oci-containers.containers = {
|
|
||||||
penpot-frontend = {
|
|
||||||
image = "docker.io/penpotapp/frontend:latest";
|
|
||||||
autoStart = true;
|
|
||||||
ports = ["127.0.0.1:9001:80"];
|
|
||||||
volumes = [
|
|
||||||
"penpot_assets:/opt/data/assets"
|
|
||||||
];
|
|
||||||
environment = {
|
|
||||||
PENPOT_FLAGS = "disable-registration enable-login-with-oidc enable-oidc-registration disable-onboarding disable-onboarding-newsletter disable-onboarding-questions";
|
|
||||||
};
|
|
||||||
dependsOn = [
|
|
||||||
"penpot-backend"
|
|
||||||
"penpot-exporter"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
penpot-backend = {
|
|
||||||
image = "docker.io/penpotapp/backend:latest";
|
|
||||||
autoStart = true;
|
|
||||||
volumes = [
|
|
||||||
"penpot_assets:/opt/data/assets"
|
|
||||||
];
|
|
||||||
environment = {
|
|
||||||
PENPOT_FLAGS = "disable-registration enable-login-with-oidc enable-oidc-registration enable-smtp";
|
|
||||||
# Auth
|
|
||||||
PENPOT_OIDC_CLIENT_ID = "penpot";
|
|
||||||
PENPOT_OIDC_BASE_URI = "https://auth.gasdev.fr";
|
|
||||||
PENPOT_PUBLIC_URI = "https://penpot.gasdev.fr";
|
|
||||||
# DB
|
|
||||||
PENPOT_DATABASE_URI = "postgresql://penpot-postgres/penpot";
|
|
||||||
PENPOT_REDIS_URI = "redis://penpot-redis/0";
|
|
||||||
# Storage
|
|
||||||
PENPOT_ASSETS_STORAGE_BACKEND = "assets-fs";
|
|
||||||
# SMTP
|
|
||||||
PENPOT_SMTP_DEFAULT_FROM = "no-reply@gasdev.fr";
|
|
||||||
PENPOT_SMTP_DEFAULT_REPLY_TO = "no-reply@gasdev.fr";
|
|
||||||
PENPOT_SMTP_SSL = "true";
|
|
||||||
PENPOT_SMTP_TLS = "true";
|
|
||||||
# Other
|
|
||||||
PENPOT_TELEMETRY_ENABLED = "false";
|
|
||||||
};
|
|
||||||
environmentFiles = [
|
|
||||||
config.sops.templates."penpot.env".path
|
|
||||||
];
|
|
||||||
dependsOn = [
|
|
||||||
"penpot-postgres"
|
|
||||||
"penpot-redis"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
penpot-exporter = {
|
|
||||||
image = "docker.io/penpotapp/exporter:latest";
|
|
||||||
autoStart = true;
|
|
||||||
environment = {
|
|
||||||
PENPOT_PUBLIC_URI = "http://penpot-frontend";
|
|
||||||
PENPOT_REDIS_URI = "redis://penpot-redis/0";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
penpot-postgres = {
|
|
||||||
image = "docker.io/postgres:15";
|
|
||||||
autoStart = true;
|
|
||||||
volumes = [
|
|
||||||
"penpot_postgres:/var/lib/postgresql/data"
|
|
||||||
];
|
|
||||||
environment = {
|
|
||||||
POSTGRES_INITDB_ARGS = "--data-checksums";
|
|
||||||
POSTGRES_DB = "penpot";
|
|
||||||
};
|
|
||||||
environmentFiles = [
|
|
||||||
config.sops.templates."penpot.env".path
|
|
||||||
];
|
|
||||||
};
|
|
||||||
penpot-redis = {
|
|
||||||
image = "docker.io/redis:7";
|
|
||||||
autoStart = true;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,43 +0,0 @@
|
||||||
{
|
|
||||||
config,
|
|
||||||
pkgs,
|
|
||||||
...
|
|
||||||
}: let
|
|
||||||
port = "8388";
|
|
||||||
in {
|
|
||||||
sops.secrets."shadowsocks/password".owner = "root";
|
|
||||||
sops.templates."shadowsocks/config.json" = {
|
|
||||||
content = ''
|
|
||||||
{
|
|
||||||
"server": "0.0.0.0",
|
|
||||||
"server_port": ${port},
|
|
||||||
"password": "${config.sops.placeholder."shadowsocks/password"}",
|
|
||||||
"method": "aes-256-gcm",
|
|
||||||
"timeout": 300,
|
|
||||||
"plugin": "${pkgs.shadowsocks-v2ray-plugin}/bin/v2ray-plugin",
|
|
||||||
"plugin_opts":"server;loglevel=none",
|
|
||||||
|
|
||||||
"local_port": ${port},
|
|
||||||
"local_address": "127.0.0.1"
|
|
||||||
}
|
|
||||||
'';
|
|
||||||
owner = "root";
|
|
||||||
};
|
|
||||||
|
|
||||||
services.caddy.virtualHosts."shadowsocks.gasdev.fr".extraConfig = ''
|
|
||||||
reverse_proxy http://127.0.0.1:${port}
|
|
||||||
'';
|
|
||||||
|
|
||||||
systemd.services = {
|
|
||||||
shadowsocks = {
|
|
||||||
description = "Shadowsocks tunnel";
|
|
||||||
after = ["network-online.target"];
|
|
||||||
wants = ["network-online.target"];
|
|
||||||
enable = true;
|
|
||||||
serviceConfig = {
|
|
||||||
Restart = "always";
|
|
||||||
ExecStart = "${pkgs.shadowsocks-rust}/bin/ssserver -c ${config.sops.templates."shadowsocks/config.json".path}";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,14 +0,0 @@
|
||||||
{...}: {
|
|
||||||
services.caddy.virtualHosts."uptime.gasdev.fr".extraConfig = ''
|
|
||||||
reverse_proxy http://127.0.0.1:3001
|
|
||||||
'';
|
|
||||||
|
|
||||||
virtualisation.oci-containers.containers = {
|
|
||||||
uptime-kuma = {
|
|
||||||
image = "docker.io/louislam/uptime-kuma:1";
|
|
||||||
autoStart = true;
|
|
||||||
ports = ["127.0.0.1:3001:3001"];
|
|
||||||
volumes = ["uptime-kuma:/app/data"];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,57 +0,0 @@
|
||||||
{pkgs, ...}: {
|
|
||||||
sops.secrets."wireguard/private_key".owner = "root";
|
|
||||||
|
|
||||||
networking.nat.enable = true;
|
|
||||||
networking.nat.externalInterface = "ens3";
|
|
||||||
networking.nat.internalInterfaces = ["wg0"];
|
|
||||||
networking.firewall = {
|
|
||||||
allowedUDPPorts = [993];
|
|
||||||
};
|
|
||||||
|
|
||||||
networking.wireguard.interfaces = {
|
|
||||||
# "wg0" is the network interface name. You can name the interface arbitrarily.
|
|
||||||
wg0 = {
|
|
||||||
# Determines the IP address and subnet of the server's end of the tunnel interface.
|
|
||||||
ips = ["10.8.0.1/24"];
|
|
||||||
|
|
||||||
# The port that WireGuard listens to. Must be accessible by the client.
|
|
||||||
listenPort = 993;
|
|
||||||
|
|
||||||
# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
|
|
||||||
# For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
|
|
||||||
postSetup = ''
|
|
||||||
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens3 -j MASQUERADE
|
|
||||||
'';
|
|
||||||
|
|
||||||
# This undoes the above command
|
|
||||||
postShutdown = ''
|
|
||||||
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o ens3 -j MASQUERADE
|
|
||||||
'';
|
|
||||||
|
|
||||||
# Path to the private key file.
|
|
||||||
#
|
|
||||||
# Note: The private key can also be included inline via the privateKey option,
|
|
||||||
# but this makes the private key world-readable; thus, using privateKeyFile is
|
|
||||||
# recommended.
|
|
||||||
privateKeyFile = "/run/secrets/wireguard/private_key";
|
|
||||||
|
|
||||||
peers = [
|
|
||||||
{
|
|
||||||
# Pixel
|
|
||||||
publicKey = "xMO5xTvBXtikri0WS9wpzGvSWITjkQV5oUOYwFjqB0g=";
|
|
||||||
allowedIPs = ["10.8.0.69/32"];
|
|
||||||
}
|
|
||||||
{
|
|
||||||
# Zephyrus
|
|
||||||
publicKey = "42Vj5VG4bJpOUE7j5UW28IFSmPlV+X3tIA9ne55W0Fo=";
|
|
||||||
allowedIPs = ["10.8.0.42/32"];
|
|
||||||
}
|
|
||||||
{
|
|
||||||
# Family desktop
|
|
||||||
publicKey = "cpBhnLD4u5brDZsc2uqXVlelApCIXFdRnfJXJU1WDmM=";
|
|
||||||
allowedIPs = ["10.8.0.11/32"];
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|