Remove some git-crypt usage

2021-09-16 13:41:55 +02:00 · 2021-09-16 13:41:55 +02:00 · 22836a44d7
commit 22836a44d7
parent 866658ca30
8 changed files with 89 additions and 4 deletions
--- a/machines/lasting-integrity/default.nix
+++ b/machines/lasting-integrity/default.nix
@ -8,13 +8,27 @@

  time.timeZone = "Europe/Berlin";

-  networking.hostId = "b352adfe";
+  networking = {
+    hostId = "b352adfe";
+    firewall.allowedTCPPorts = [ 25 143 465 587 993 4190 ];
+  };

  # Machine-specific module settings
  chvp = {
    stateVersion = "20.09";
    base = {
-      network.ovh.enable = true;
+      network.ovh = {
+        enable = true;
+        publicIPV4 = {
+          ip = "54.38.222.69";
+          gateway = "54.38.222.254";
+        };
+        publicIPV6 = {
+          ip = "2001:41d0:0700:1445::";
+          gateway = "2001:41d0:0700:14ff:ff:ff:ff:ff";
+        };
+        internalIPV4 = "192.168.0.2";
+      };
      nix.enableDirenv = false;
      zfs = {
        backups = [{
@ -33,6 +47,55 @@
    games.tetris.server = true;
    services = {
      matrix.enable = true;
+      nginx = {
+        extraPostACMEScripts = [
+          ''
+            cp fullchain.pem /data/root/mailcow/data/assets/ssl/cert.pem
+            cp key.pem /data/root/mailcow/data/assets/ssl/key.pem
+            pushd /data/root/mailcow
+            ${pkgs.bash}/bin/bash -c "source mailcow.conf && ${pkgs.docker-compose}/bin/docker-compose restart"
+            popd
+          ''
+        ];
+        hosts = [
+          {
+            fqdn = "vanpetegem.me";
+            options = {
+              locations = let matrixRedirect = {
+                proxyPass = "http://127.0.0.1:8448";
+                extraConfig = ''
+                  proxy_read_timeout 600;
+                  client_max_body_size 10M;
+                  proxy_set_header X-Forwarded-Ssl on;
+                '';
+              }; in {
+                "/_matrix" = matrixRedirect;
+                "/.well-known/matrix" = matrixRedirect;
+                "/".return = "307 https://www.vanpetegem.me$request_uri";
+              };
+            };
+          }
+          { fqdn = "www.vanpetegem.me"; }
+          {
+            fqdn = "cvpetegem.be";
+            options = {
+              locations."/".return = "307 https://www.cvpetegem.be$request_uri";
+            };
+          }
+          { fqdn = "www.cvpetegem.be"; }
+          {
+            fqdn = "chvp.be";
+            options = {
+              locations."/".return = "307 https://www.chvp.be$request_uri";
+            };
+          }
+          { fqdn = "www.chvp.be"; }
+          {
+            fqdn = "mail.vanpetegem.me";
+            basicProxy = "http://127.0.0.1:8080";
+          }
+        ];
+      };
      nextcloud.enable = true;
      syncthing.enable = true;
    };
--- a/machines/lasting-integrity/secret.nix
+++ b/machines/lasting-integrity/secret.nix
--- a/machines/urithiru/default.nix
+++ b/machines/urithiru/default.nix
@ -18,7 +18,18 @@
    stateVersion = "20.09";
    base = {
      nix.enableDirenv = false;
-      network.ovh.enable = true;
+      network.ovh = {
+        enable = true;
+        publicIPV4 = {
+          ip = "193.70.44.178";
+          gateway = "193.70.44.254";
+        };
+        publicIPV6 = {
+          ip = "2001:41d0:0303:0ab2::";
+          gateway = "2001:41d0:0303:0aff:ff:ff:ff:ff";
+        };
+        internalIPV4 = "192.168.0.1";
+      };
      zfs = {
        backups = [
          {
@ -43,7 +54,12 @@
    };
    services = {
      accentor.enable = true;
+      containers.externalInterface = "eno3";
      data-access.enable = true;
+      deluge = {
+        enable = true;
+        count = 6;
+      };
    };
  };
 }
--- a/machines/urithiru/secret.nix
+++ b/machines/urithiru/secret.nix
--- a/modules/base/ssh/default.nix
+++ b/modules/base/ssh/default.nix
@ -22,10 +22,10 @@ let
      userKnownHostsFile = "${config.chvp.cachePrefix}${home}/.ssh/known_hosts";
      serverAliveInterval = 10;
      extraOptionOverrides = {
+        Include = config.age.secrets."files/programs/ssh/host_configuration".path;
        IdentityFile = "${config.chvp.dataPrefix}${home}/.ssh/id_ed25519";
        HostKeyAlgorithms = "ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa";
      };
-      matchBlocks = import ./hosts.secret.nix;
    };
    home.packages = lib.mkIf config.chvp.graphical.enable [ ssh pkgs.sshfs ];
  };
@ -33,4 +33,8 @@ in
 {
  home-manager.users.root = { ... }: (base "/root");
  home-manager.users.charlotte = { ... }: (base "/home/charlotte");
+  age.secrets."files/programs/ssh/host_configuration" = {
+    file = ../../../secrets/files/programs/ssh/host_configuration.age;
+    owner = "charlotte";
+  };
 }
--- a/modules/base/ssh/hosts.secret.nix
+++ b/modules/base/ssh/hosts.secret.nix
--- a/secrets.nix
+++ b/secrets.nix
@ -46,6 +46,8 @@ in

  "secrets/passwords/services/data-basic-auth.age".publicKeys = [ urithiru ] ++ users;

+  "secrets/files/programs/ssh/host_configuration.age".publicKeys = hosts ++ users;
+  
  "secrets/files/services/matrix-appservice-slack/config.yml.age".publicKeys = [ lasting-integrity ] ++ users;
  "secrets/files/services/matrix-appservice-slack/registration.yml.age".publicKeys = [ lasting-integrity ] ++ users;
  "secrets/files/services/matrix-synapse/config.yml.age".publicKeys = [ lasting-integrity ] ++ users;
--- a/secrets/files/programs/ssh/host_configuration.age
+++ b/secrets/files/programs/ssh/host_configuration.age