Start using age for secret management

This commit is contained in:
Charlotte Van Petegem 2021-06-20 00:18:20 +02:00
parent 276c8f33c8
commit da9160559c
No known key found for this signature in database
GPG key ID: 019E764B7184435A
39 changed files with 281 additions and 30 deletions


@ -106,7 +106,7 @@ in
environment = env;
path = [ pkgs.ffmpeg gems gems.wrappedRuby ];
serviceConfig = {
EnvironmentFile = "${config.chvp.dataPrefix}/var/secrets/accentor-api";
EnvironmentFile = config.age.secrets."passwords/services/accentor".path;
Type = "simple";
User = "accentor";
Group = "accentor";
@ -128,7 +128,7 @@ in
environment = env;
path = [ pkgs.ffmpeg gems gems.wrappedRuby ];
serviceConfig = {
EnvironmentFile = "${config.chvp.dataPrefix}/var/secrets/accentor-api";
EnvironmentFile = config.age.secrets."passwords/services/accentor".path;
Type = "simple";
User = "accentor";
Group = "accentor";
@ -140,6 +140,11 @@ in
}) 4));
age.secrets."passwords/services/accentor" = {
file = ../secrets/passwords/services/accentor.age;
owner = "accentor";
};
users.users.accentor = {
group = "accentor";
home = "${config.chvp.dataPrefix}/var/lib/accentor";
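Review bot: The secret declared at the end of the hunk, `passwords/services/accentor`, is consumed as a systemd `EnvironmentFile` by the two units above it, so its decrypted content has to be `KEY=VALUE` lines rather than the single password its location under `passwords/` suggests, and nothing on the page says so. A comment on the declaration such as `# decrypts to a systemd EnvironmentFile (KEY=VALUE lines), shared by the units above` would keep whoever rotates it from encrypting a bare value. `owner = "accentor"` matches the `User` of both units, so agenix's default root-only mode is not a problem here. The service definitions this hunk edits start before the hunk, inside the `in` block named in the header.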


@ -2,7 +2,6 @@
{
imports = [
./default/secret.nix
./accentor.nix
./bluetooth.nix
./docker.nix
@ -132,8 +131,15 @@
home = "/home/charlotte";
description = "Charlotte Van Petegem";
extraGroups = [ "systemd-journal" ] ++ lib.optionals config.chvp.graphical [ "input" "video" ];
passwordFile = config.age.secrets."passwords/users/charlotte".path;
};
root.passwordFile = config.age.secrets."passwords/users/root".path;
};
};
age.secrets = {
"passwords/users/charlotte".file = ../secrets/passwords/users/charlotte.age;
"passwords/users/root".file = ../secrets/passwords/users/root.age;
};
};
}
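Review bot: `passwordFile` is applied by the users-groups activation step, which needs the decrypted files to already exist; agenix decrypts in its own activation script, and if that script is ordered after `users` (which it must be when a secret is owned by a user created in the same step) a host's first switch could create charlotte and root before their hashes are readable. Worth confirming against the pinned agenix how it orders those steps for secrets declared without an owner, as these two are. The decrypted files also have to hold crypt-style hashes, which is what `passwordFile` expects, rather than plaintext; a comment like `# decrypts to a password hash (mkpasswd -m sha-512), not a plaintext password` on the `age.secrets` block would record that.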



@ -6,16 +6,18 @@
example = true;
};
config = lib.mkIf config.chvp.smartd.enable {
config = lib.mkIf config.chvp.globalMailer.enable {
services.ssmtp = {
enable = true;
authUser = "webmaster@vanpetegem.me";
authPassFile = "/data/var/secrets/ssmtp-mail-pass";
authPassFile = config.age.secrets."passwords/services/ssmtp-pass".path;
domain = "${config.networking.hostName}.vanpetegem.me";
hostName = "mail.vanpetegem.me:465";
root = "webmaster@vanpetegem.me";
setSendmail = true;
useTLS = true;
};
age.secrets."passwords/services/ssmtp-pass".file = ../secrets/passwords/services/ssmtp-pass.age;
};
}
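Review bot: The new `authPassFile` secret is declared without an owner or mode, so it gets agenix's default ownership (root-only, as far as I recall), yet ssmtp runs as whichever user invokes `sendmail`; unprivileged senders would lose access to the password unless the NixOS ssmtp module copies it into its generated config at activation time. Confirm which it is: if the module reads the file during activation, agenix's activation script has to be ordered before it; if the file is read at send time, widen it with `mode = "0440"; group = "<sending group>";` or accept that only root can send mail. The `smartd.enable` to `globalMailer.enable` condition fix is a behaviour change worth a line in the commit message, since it changes when this whole block applies.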


@ -20,7 +20,7 @@
dbtype = "pgsql";
dbhost = "/run/postgresql";
adminuser = "admin";
adminpassFile = "${config.chvp.dataPrefix}/var/secrets/nextcloud-admin-password";
adminpassFile = config.age.secrets."passwords/services/nextcloud-admin".path;
};
};
nginx.virtualHosts."nextcloud.vanpetegem.me" = {
@ -37,6 +37,10 @@
}];
};
};
age.secrets."passwords/services/nextcloud-admin" = {
file = ../secrets/passwords/services/nextcloud-admin.age;
owner = "nextcloud";
};
systemd.services."nextcloud-setup" = {
requires = [ "postgresql.service" ];
after = [ "postgresql.service" ];
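Review bot: `adminpassFile` is, as far as I know, only consulted by `nextcloud-setup` when it installs a fresh instance; once Nextcloud is initialised the admin password lives in its database, so re-encrypting `passwords/services/nextcloud-admin` with a new value does not rotate the live password. That caveat is worth recording on the `age.secrets` declaration, e.g. `# read by nextcloud-setup on first install only; rotating this secret does not change an existing admin password`. `owner = "nextcloud"` is the right choice for the default root-only mode, since the setup unit runs as that user. The `nextcloud-setup` override at the end of the hunk continues outside it.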


@ -13,7 +13,6 @@
fqdn = "data.vanpetegem.me";
options = {
default = true;
basicAuthFile = "/data/var/secrets/data.vanpetegem.me.htpasswd";
root = "/srv/data";
locations = {
"/".extraConfig = ''
@ -47,7 +46,7 @@
security.acme = {
certs."vanpetegem.me" = {
dnsProvider = "cloudflare";
credentialsFile = "/data/var/secrets/vanpetegem.me-cloudflare";
credentialsFile = config.age.secrets."passwords/services/acme".path;
extraDomainNames = [
"*.vanpetegem.me"
"cvpetegem.be"
@ -61,6 +60,10 @@
acceptTerms = true;
preliminarySelfsigned = false;
};
age.secrets."passwords/services/acme" = {
file = ../secrets/passwords/services/acme.age;
owner = "acme";
};
chvp.zfs.systemLinks = [
{ type = "data"; path = "/var/lib/acme"; }
];
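Review bot: The first hunk drops `basicAuthFile` from the `data.vanpetegem.me` vhost without replacing it, so the content under `/srv/data` — on the `default = true` vhost, which also answers for unmatched host names — would be served with no authentication after this switch, whereas the syncthing vhost in the same commit gets an age-managed htpasswd instead. If exposing it is intended, the commit message should say so; otherwise migrate it the same way, e.g. `basicAuthFile = config.age.secrets."passwords/services/data-basic-auth".path;` together with an `age.secrets` entry for that file with `owner = "nginx"`. The ACME credentials secret further down is owned by `acme`, which matches the user the NixOS ACME units run as, as far as I recall. Both vhost definitions and the `security.acme` block extend beyond their hunks.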


@ -1,10 +1,6 @@
{ config, lib, ... }:
{
imports = [
./sshd/secret.nix
];
options.chvp.sshd.enable = lib.mkOption {
default = false;
example = true;
@ -19,6 +15,10 @@
{ bits = 4096; path = "${config.chvp.dataPrefix}/etc/ssh/ssh_host_rsa_key"; type = "rsa"; }
{ path = "${config.chvp.dataPrefix}/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; }
];
authorizedKeysFiles = [ "/run/secrets/authorized_keys/%u" ];
};
age.secrets."authorized_keys/charlotte".file = ../secrets/authorized_keys/charlotte.age;
age.secrets."authorized_keys/root".file = ../secrets/authorized_keys/root.age;
};
}
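Review bot: sshd opens an `AuthorizedKeysFile` with the privileges of the user logging in, so `/run/secrets/authorized_keys/charlotte` must be readable by charlotte, but the two secrets declared at the end of the hunk set neither owner nor mode; with agenix's default (root-owned, 0400 as far as I recall) every key login for charlotte would fail while root's keeps working. Give the per-user secret its user as owner, e.g. `age.secrets."authorized_keys/charlotte" = { file = ../secrets/authorized_keys/charlotte.age; owner = "charlotte"; };` (or a `mode = "0444"`, since the content is public keys anyway), and keep in mind StrictModes also rejects the file if it or a parent directory is writable by others. The literal `/run/secrets` duplicates agenix's secrets directory; `"${config.age.secretsDir}/authorized_keys/%u"` keeps the two in step if the pinned agenix exposes that option.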



@ -9,8 +9,8 @@
config = lib.mkIf config.chvp.syncthing-server.enable {
services.syncthing = {
enable = true;
dataDir = "${config.chvp.dataPrefix}/var/lib/synthing";
configDir = "${config.chvp.dataPrefix}/var/lib/synthing/.config";
dataDir = "${config.chvp.dataPrefix}/var/lib/syncthing";
configDir = "${config.chvp.dataPrefix}/var/lib/syncthing/.config";
openDefaultPorts = true;
guiAddress = "127.0.0.1:8384";
};
@ -20,9 +20,13 @@
fqdn = "syncthing.vanpetegem.me";
basicProxy = "http://localhost:8384";
options = {
basicAuthFile = "${config.chvp.dataPrefix}/var/secrets/syncthing.vanpetegem.me.htpasswd";
basicAuthFile = config.age.secrets."passwords/services/syncthing-basic-auth".path;
};
}
];
age.secrets."passwords/services/syncthing-basic-auth" = {
file = ../secrets/passwords/services/syncthing-basic-auth.age;
owner = "nginx";
};
};
}
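Review bot: Fixing the `synthing` typo in `dataDir` and `configDir` moves where syncthing keeps its state, so on the next switch the service would look in `${config.chvp.dataPrefix}/var/lib/syncthing`, find nothing, and generate a fresh config and device identity unless the old directory is renamed first; that migration is not part of the commit and the title does not mention the path change. A line in the commit message and a one-off `mv` of the misspelled directory on any host that has already run with it would close that gap. The basic-auth secret is owned by `nginx`, which is the process that reads the htpasswd file, so the default root-only mode works there.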