13 changed files with 20 additions and 217 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -1,17 +1,10 @@
 keys:
  - &admin_gaspard age1rgu2e75kt4uztr43y6wj70uz2sj3tr9lz58y4h6rk37alq2vwa5q9v35dr
  - &server_ovh age1th4zyxdg3y5sdza9v3zlezzru7wyqwvk5y0t7jdv97ej3gd6d5hs5mg7cr
  - &server_pi4 age18gts35ruwj67kjgjtgrgrxup83apr8ekgrp98r434wcn2pf0l9sqnq5j2y
 creation_rules:
-  - path_regex: secrets/OVHCloud/[^/]+\.(yaml|json|env|ini)$
+  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
    key_groups:
    - pgp:
      age:
      - *admin_gaspard
      - *server_ovh
  - path_regex: secrets/pi4/[^/]+\.(yaml|json|env|ini)$
    key_groups:
    - pgp:
      age:
      - *admin_gaspard
      - *server_pi4
--- a/flake.lock
+++ b/flake.lock
@ -479,21 +479,6 @@
        "type": "github"
      }
    },
    "nixos-hardware": {
      "locked": {
        "lastModified": 1730828750,
        "narHash": "sha256-XrnZLkLiBYNlwV5gus/8DT7nncF1TS5la6Be7rdVOpI=",
        "owner": "nixos",
        "repo": "nixos-hardware",
        "rev": "2e78b1af8025108ecd6edaa3ab09695b8a4d3d55",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "repo": "nixos-hardware",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1727348695,
@ -557,7 +542,6 @@
          "hyprland"
        ],
        "jovian": "jovian",
        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs_2",
        "sops-nix": "sops-nix"
      }
--- a/flake.nix
+++ b/flake.nix
@ -56,9 +56,6 @@
      url = "github:Jovian-Experiments/Jovian-NixOS";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # Rasoberry PI
    nixos-hardware.url = "github:nixos/nixos-hardware";
  };
  outputs = {
@ -69,12 +66,11 @@
    sops-nix,
    home-manager,
    jovian,
    nixos-hardware,
    ...
  } @ inputs: let
    system = "x86_64-linux";
    pkgs = nixpkgs.legacyPackages.${system};
-  in rec {
+  in {
    nixosConfigurations = {
      Zephyrus = nixpkgs.lib.nixosSystem {
        extraArgs = {inherit inputs;};
@ -95,17 +91,6 @@
          home-manager.nixosModules.home-manager
        ];
      };
      pi4 = nixpkgs.lib.nixosSystem {
        extraArgs = {inherit inputs;};
        system = "aarch64-linux";
        modules = [
          ./hosts/pi4
          "${nixpkgs}/nixos/modules/profiles/minimal.nix"
          nixos-hardware.nixosModules.raspberry-pi-4
          sops-nix.nixosModules.sops
        ];
      };
    };
    homeConfigurations = {
@ -128,45 +113,17 @@
      };
    };
-    deploy.nodes = {
+    deploy.nodes.OVHCloud = {
-      OVHCloud = {
+      hostname = "gasdev.fr";
-        hostname = "gasdev.fr";
+      profiles.system = {
-        profiles.system = {
+        user = "root";
-          user = "root";
+        sshUser = "root";
-          sshUser = "root";
+        sshOpts = ["-p" "22"];
-          sshOpts = ["-p" "22"];
+        sudo = "";
-          sudo = "";
+        path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.OVHCloud;
          path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.OVHCloud;
        };
      };
      pi4 = {
        hostname = "10.8.0.31";
        profiles.system = {
          user = "root";
          sshUser = "root";
          sshOpts = ["-p" "22"];
          sudo = "";
          path = deploy-rs.lib.aarch64-linux.activate.nixos self.nixosConfigurations.pi4;
        };
      };
    };
    images.pi4 =
      (self.nixosConfigurations.pi4.extendModules {
        modules = [
          "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
          {
            disabledModules = ["profiles/base.nix"];
          }
        ];
      })
      .config
      .system
      .build
      .sdImage;
    packages.x86_64-linux.pi4-image = images.pi4;
    packages.aarch64-linux.pi4-image = images.pi4;
    checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
    devShells.${system}.default = pkgs.mkShell {
--- a/hosts/OVHCloud/sops.nix
+++ b/hosts/OVHCloud/sops.nix
@ -2,7 +2,7 @@
  # This will add secrets.yml to the nix store
  # You can avoid this by adding a string to the full path instead, i.e.
  # sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
-  sops.defaultSopsFile = ../../secrets/OVHCloud/default.yaml;
+  sops.defaultSopsFile = ../../secrets/OVHCloud.yaml;
  # This will automatically import SSH keys as age keys
  sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
--- a/hosts/Zephyrus/hardware-configuration.nix
+++ b/hosts/Zephyrus/hardware-configuration.nix
@ -34,7 +34,6 @@
      };
    };
    tmp.useTmpfs = true;
    binfmt.emulatedSystems = ["aarch64-linux"];
  };
  # Network & Bluetooth
--- a/hosts/pi4/default.nix
+++ b/hosts/pi4/default.nix
@ -1,69 +0,0 @@
 {
  config,
  pkgs,
  ...
 }: {
  imports = [
    ./hardware-configuration.nix
  ];
  # Nix
  nix.settings.experimental-features = ["nix-command" "flakes"];
  # Set your time zone.
  time.timeZone = "Europe/Paris";
  environment.systemPackages = with pkgs; [
    helix
    git
  ];
  services.openssh = {
    enable = true;
    ports = [22];
    settings = {
      PasswordAuthentication = false;
    };
  };
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQyRXFQ6iA5p0vDuoGSHZfajiVZPAGIyqhTziM7QgBV gaspard@nixos"
  ];
  networking = {
    interfaces."wlan0".useDHCP = true;
    wireless = {
      interfaces = ["wlan0"];
      enable = true;
      networks = {
        "TestNetwork".psk = "not_an_actual_password_leak";
      };
    };
  };
  # SOPS
  sops.defaultSopsFile = ../../secrets/pi4/default.yaml;
  sops.secrets."wireguard/private_key".owner = "root";
  # Wireguard
  networking.firewall = {
    allowedUDPPorts = [51820];
  };
  networking.wg-quick.interfaces = {
    wg0 = {
      address = ["10.8.0.31/32"];
      listenPort = 51820; # Should match firewall allowedUDPPorts
      privateKeyFile = config.sops.secrets."wireguard/private_key".path;
      peers = [
        {
          publicKey = "KLULII6VEUWMhyIba6oxxHdZsVP3TMVlNY1Vz49q7jg=";
          allowedIPs = ["0.0.0.0/0"];
          endpoint = "vpn.gasdev.fr:993";
          persistentKeepalive = 25;
        }
      ];
    };
  };
  system.stateVersion = "24.11";
 }
--- a/hosts/pi4/hardware-configuration.nix
+++ b/hosts/pi4/hardware-configuration.nix
@ -1,20 +0,0 @@
 {
  pkgs,
  lib,
  ...
 }: {
  # "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" creates a
  # disk with this label on first boot. Therefore, we need to keep it. It is the
  # only information from the installer image that we need to keep persistent
  fileSystems."/" = {
    device = "/dev/disk/by-label/NIXOS_SD";
    fsType = "ext4";
  };
  boot = {
    kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
    loader = {
      generic-extlinux-compatible.enable = lib.mkDefault true;
      grub.enable = lib.mkDefault false;
    };
  };
 }
--- a/secrets/OVHCloud/default.yaml
+++ b/secrets/OVHCloud/default.yaml
@ -34,7 +34,7 @@ outline:
 penpot:
    SECRET_KEY: ENC[AES256_GCM,data:Ebeehmby3FBDOaTxwTWg9vKTsB+w8wpa6FdxcvvRTwDR07A0Ljk4WCaPmbPBArbwB14cMSuGeDGBrvNo1x8N+u3FeMMei+TGvgJGssZynxEN7+g5gTg=,iv:ZAa3n7CCyeeeAIv48JpIZmjFiyHiXLFK+Q0Wqf7utFY=,tag:6JZZ53jEM579vYhQG4X2Fw==,type:str]
    OIDC_CLIENT_SECRET: ENC[AES256_GCM,data:+GrXq113byY5XqFDE1tF4n5xcrhIjg2KI39xgxY6hEcS3r6KcF6SAFmczoscMFPJccaTv7Pcr7zfzDxGT7zDuNyj324nzvff,iv:onZV3ESU4Kbvp9x9rfXuq17FlhaoE/4ZXIwH4/bOXPc=,tag:I02FFF54NDMyJuicdwy4TA==,type:str]
-    SMTP_HOST: ENC[AES256_GCM,data:Gk9QnKvmxLypHv/vqVI=,iv:wHZmUledOjyq7B4IR4EXop2cfC8lo41kP1oJDWKvsqk=,tag:Vh0pdYktKSSTGlY9mB/SfA==,type:str]
+    SMTP_HOST: ENC[AES256_GCM,data:grXf4aoolCIEF+xomL9ziE4=,iv:HeUUuJJEjq/CWCWfrxe8ujBaMidFM6B49oHedjD7b3M=,tag:fnsUU8DhgUjtjoKkqw3c4g==,type:str]
    SMTP_PORT: ENC[AES256_GCM,data:Lnh0,iv:gCLwzWrk6hMUZjL1RGi51dS2TULtCfYnlpAOJBVBen0=,tag:fv7lwt36JpKhRjXF41Wc8g==,type:str]
    SMTP_USERNAME: ENC[AES256_GCM,data:VW/cB/BIisGfhwWNLNvRCvWGYI8=,iv:u+nAfJUfMZtthe18DPy4yBEWcbh52ZrUsbaOW8vnbVw=,tag:PLq47UuvDzd/X1aoCtRJjw==,type:str]
    SMTP_PASSWORD: ENC[AES256_GCM,data:tl7hp0a4l8JLOSQQvJNRwF4DR+83FaKI,iv:vR0KiXjnkyO1pa+fxQ6ALoYN6IMFAk07qmMe5qgRB1E=,tag:/RmJIzgjDEBH9XNMol3IUg==,type:str]
@ -78,8 +78,8 @@ sops:
            MFpMemF4MGg1bmVUeWV5N25LTUtyczQKss0x4zT1kyeRu+qenhrdbcPlU/p+yjVN
            y3j4eGpnwgc2rxSL9vkrrkzx/atUqUkgGU/YstszUrP6XKbJ+9ydpQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-05T13:47:17Z"
+    lastmodified: "2024-11-04T21:15:49Z"
-    mac: ENC[AES256_GCM,data:Lku06chnlLsqvvd5ud/ovY/ymGknyIxcPirvQ2lrc/+7jMa6cGu3Q9piVv/gx6jMhQIuYnNjS5AKoNvNfXRgrpakzET5aNzLtWkaUplNQCAy+yuKkIdmGoMZ+J+l4SyMydKERpZmN+pLWAld8U+CFRaWGoCLHHQ8i60u4Gti7DY=,iv:DVcjFoncW0vPhBEA042DAWxJLnSCfwsJeYQcmhsWrbI=,tag:dL6L5CfrB4ZVMytkGfPSYA==,type:str]
+    mac: ENC[AES256_GCM,data:/0c7+XlYMN+CYvhLhpo6ivwI33uLVUGpm8ypN4dJzxFWFCMlVRm4lDxb0u0/6Qudri7RQRqo1AtuK5jP0jBnZQBaKdvHWqV+uTBQNjtdh5PUNT+34eBBh1eT22OzED6CeXWRTlDiFZ6z3rQYpi6j3D7h13VMokvWGRNdpGgcKWw=,iv:LPrWXUgvxKum8hvp4hC01hOinyctafODE1/VJaPLRBc=,tag:rFjJkRIDipCUUhDV8C+dSA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.1
--- a/secrets/pi4/default.yaml
+++ b/secrets/pi4/default.yaml
@ -1,31 +0,0 @@
 wireguard:
    private_key: ENC[AES256_GCM,data:L6FD+kBF7AoIrm3pMM6/pmWtX2FP5dUrJ9hUCuW9n4SlJ/JhpxI9m/1owIg=,iv:ok4pyUUv80kPY9n4WQmBGYHmMsPJnG0tnF+vbNhqc3s=,tag:OPribO7RoVCkFkTrYrHw7w==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1rgu2e75kt4uztr43y6wj70uz2sj3tr9lz58y4h6rk37alq2vwa5q9v35dr
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJamxiNDlnRWJ6ZGFRaEtu
            bGRveE9aWWY4c2duYkFYU2NKQlBSYjNWT3dZClNtNkpiRENNRFdUcTN6MENhU1Z1
            YzVDa21peTluVkFoQURnK0xZQjNFZm8KLS0tIGpPbE95NVM2aUNrWWlEVGUybXpP
            cXpCMmsxTkxKSXBjSmV2azNIcW04a1UKF8O99FpHDZSO0XFeCzWyoxJvjmvjvWFH
            aOFSWHO64UDlSY/1eQmIYr/xad/BxxYnkrqlJib5tpmPkoi1qyuZVg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age18gts35ruwj67kjgjtgrgrxup83apr8ekgrp98r434wcn2pf0l9sqnq5j2y
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFQmlDMzJQSEM3cjdnZmpy
            RUgzZTYvT3RrQ2RMUmNNNWRvL2NjSUJvdW1jCkFvaVFOZUdPMWQxNnhGLzgwa2w4
            MHpwVzJkQjZvd25oaENqbzdrT1dmazQKLS0tIE1MdmVrNVRscGlXeTB0NXV6SUMv
            RDNob1FNdFZQUUk0SmVDUnZBc3FNdVEKcyNWzjvIZIBR39kQkUsSSmHJ+gePPtbS
            PUcLp6jYFvPDyldLm+PqIApEL9X0d/0ccvY+wwkPCiqSPFZbBLitgg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-11-05T22:30:48Z"
    mac: ENC[AES256_GCM,data:GI5Hb8zvafTdWhpm+D6qp9iefMD9NwYPRBKcxrIL9M1wTMzMzD4QsrbMDKQELfTYK3QhLZ0G4KTmLfoSB1zYO/GtslRDAAHmFzLuNNVJ9/8gIrd/Gb12JLnUDjJrxYEeF15NKnyqRMKUVQiJgYd8ggLGzT9pRqaMNTKCYutqsaE=,iv:XB/Ddi7mU9SdRD7nHkyAZR+gTZ9ZY2ZrvHlb0kFK/4Q=,tag:OgEw78w4o44CamP/4C6Y7g==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.1
--- a/services/authelia/configuration.yml
+++ b/services/authelia/configuration.yml
@ -74,9 +74,8 @@ storage:
    path: /data/db.sqlite3
 notifier:
  disable_startup_check: true
  smtp:
-    address: 'smtp://smtp.gasdev.fr:25'
+    address: 'smtp.mail.ovh.net'
    username: 'postmaster@gasdev.fr'
    sender: 'Authelia <authelia@gasdev.fr>'
--- a/services/outline/default.nix
+++ b/services/outline/default.nix
@ -28,7 +28,7 @@
    };
    smtp = {
-      host = "smtp.gasdev.fr";
+      host = "smtp.mail.ovh.net";
      port = 465;
      username = "postmaster@gasdev.fr";
      passwordFile = config.sops.secrets."outline/SMTP_PASSWORD".path;
--- a/services/stalwart-mail/default.nix
+++ b/services/stalwart-mail/default.nix
@ -1,20 +1,16 @@
 {config, ...}: let
-  domain = "gasdev.fr";
+  domain = "mail.gasdev.fr";
 in {
  sops.secrets."stalwart-mail/ADMIN_SECRET".owner = "stalwart-mail";
  services.caddy.virtualHosts."${domain}".extraConfig = ''
    redir https://www.gasdev.fr
  '';
  services.caddy.virtualHosts."mail.${domain}".extraConfig = ''
    reverse_proxy 127.0.0.1:8080
  '';
  services.stalwart-mail = {
    enable = true;
    settings = {
-      lookup.default.hostname = "mail.${domain}";
+      lookup.default.hostname = "${domain}";
      server = {
        tls.certificate = "default";
        http = {
@ -86,7 +82,7 @@ in {
    };
  };
-  networking.firewall.allowedTCPPorts = [25 465 993];
+  networking.firewall.allowedTCPPorts = [22 465 993];
  systemd.timers."stalwart-mail-update-certs" = {
    wantedBy = ["timers.target"];
@ -111,7 +107,7 @@ in {
      cat "''\${CADDY_CERT_DIR}/${domain}.key" > "''\${STALWART_CERT_DIR}/${domain}.priv.pem"
      chown -R stalwart-mail:stalwart-mail "''\${STALWART_CERT_DIR}"
-      chmod -R 0700 "''\${STALWART_CERT_DIR}"
+      chmod -R 0600 "''\${STALWART_CERT_DIR}"
    '';
    serviceConfig = {
      Type = "oneshot";
--- a/services/wireguard/default.nix
+++ b/services/wireguard/default.nix
@ -51,11 +51,6 @@
          publicKey = "cpBhnLD4u5brDZsc2uqXVlelApCIXFdRnfJXJU1WDmM=";
          allowedIPs = ["10.8.0.11/32"];
        }
        {
          # pi4
          publicKey = "F9AkCI0FGkrFhCq+SvCT1F2RG2ApNUy+SeIj1+VPtXI=";
          allowedIPs = ["10.8.0.31/32"];
        }
      ];
    };
  };