treewide: replace <secrets> with sops.secrets

This commit is contained in:
makefu 2023-07-02 17:09:35 +02:00
parent f2b95c7617
commit a41e86290f
8 changed files with 32 additions and 25 deletions


@ -56,9 +56,10 @@ in {
systemd.services.nginx.serviceConfig.ReadWritePaths = [ systemd.services.nginx.serviceConfig.ReadWritePaths = [
"/var/spool/nginx/logs/" "/var/spool/nginx/logs/"
]; ];
sops.secrets."lego-binaergewitter" = {};
security.acme.certs."download.binaergewitter.de" = { security.acme.certs."download.binaergewitter.de" = {
dnsProvider = "cloudflare"; dnsProvider = "cloudflare";
credentialsFile = toString <secrets/lego-binaergewitter>; credentialsFile = config.sops.secrets."lego-binaergewitter".path;
webroot = lib.mkForce null; webroot = lib.mkForce null;
}; };


@ -6,12 +6,12 @@ let
srvdir = "/var/lib/tor/onion/"; srvdir = "/var/lib/tor/onion/";
in in
{ {
sops.secrets."bgt_cyberwar_hidden_service/private_key" = { sops.secrets."${name}/private_key" = {
path = "${srvdir}/${name}/private_key"; path = "${srvdir}/${name}/private_key";
owner = "tor"; owner = "tor";
restartUnits = [ "tor.service" ]; restartUnits = [ "tor.service" ];
}; };
sops.secrets."bgt_cyberwar_hidden_service/hostname" = { sops.secrets."${name}/hostname" = {
path = "${srvdir}/${name}/hostname"; path = "${srvdir}/${name}/hostname";
owner = "tor"; owner = "tor";
restartUnits = [ "tor.service" ]; restartUnits = [ "tor.service" ];
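Review bot: The secret keys at L28 and L33 now derive from `name` (bound in the let above the hunk), so the corresponding entries in the sops file must be renamed from `bgt_cyberwar_hidden_service/...` to `<name>/...` in the same change; the hunk does not show whether `name` still equals the old literal, and a mismatch surfaces as a missing-key failure at evaluation or activation. Separately, `srvdir` already ends in a slash, so the unchanged `path` lines expand to `/var/lib/tor/onion//<name>/...`; `path = "${srvdir}${name}/private_key";` avoids the doubled separator. The enclosing attribute set continues past the hunk.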


@ -1,12 +1,13 @@
{ config, lib, pkgs, ...}: { config, lib, pkgs, ...}:
{ {
sops.secrets."nix-serve.key" = {};
# generate private key with: # generate private key with:
# nix-store --generate-binary-cache-key gum nix-serve.key nix-serve.pub # nix-store --generate-binary-cache-key gum nix-serve.key nix-serve.pub
services.nix-serve = { services.nix-serve = {
enable = true; enable = true;
port = 5001; port = 5001;
secretKeyFile = toString <secrets> + "/nix-serve.key"; secretKeyFile = config.sops.secrets."nix-serve.key".path;
}; };
services.nginx = { services.nginx = {
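Review bot: `sops.secrets."nix-serve.key" = {};` at L43 keeps sops-nix's defaults (root-owned, mode 0400 as far as I recall), but the NixOS nix-serve unit runs as its own unprivileged user, so the signing key would be unreadable to the daemon unless ownership is adjusted — confirm against the module, then set `sops.secrets."nix-serve.key".owner = "nix-serve";`. The comment on the following lines still documents only how the key is generated; appending `# then encrypt it into the sops file under the key nix-serve.key` would describe the full procedure after this change.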


@ -1,6 +1,8 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
{ {
sops.secrets."dl.euer.krebsco.de-auth" = {};
sops.secrets."dl.gum-auth" = {};
users.groups.download.members = [ "nginx" ]; users.groups.download.members = [ "nginx" ];
services.nginx = { services.nginx = {
enable = lib.mkDefault true; enable = lib.mkDefault true;
@ -11,13 +13,13 @@
extraConfig = "autoindex on;"; extraConfig = "autoindex on;";
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
basicAuth = import <secrets/dl.euer.krebsco.de-auth.nix>; basicAuthFile = config.sops.secrets."dl.euer.krebsco.de-auth".path;
}; };
virtualHosts."dl.gum.r" = { virtualHosts."dl.gum.r" = {
serverAliases = [ "dl.gum" "dl.makefu.r" "dl.makefu" ]; serverAliases = [ "dl.gum" "dl.makefu.r" "dl.makefu" ];
root = config.makefu.dl-dir; root = config.makefu.dl-dir;
extraConfig = "autoindex on;"; extraConfig = "autoindex on;";
basicAuth = import <secrets/dl.gum-auth.nix>; basicAuthFile = config.sops.secrets."dl.gum-auth".path;
}; };
}; };
} }
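Review bot: The two secrets declared at L58 and L59 carry no `owner`, while the `torrent-auth` secret added by the same commit sets `owner = "nginx";`; nginx opens `basicAuthFile` as its own user, so with sops-nix's root-only default mode these vhosts would fail every auth lookup (confirm the effective mode on the host). Add `owner = "nginx";` to both declarations to match the torrent file. Note also that switching from `basicAuth` (a Nix attrset imported from a `.nix` file) to `basicAuthFile` changes the expected content to htpasswd format with hashed entries, so the old plaintext attrsets need converting, not merely re-encrypting into the sops file.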


@ -2,7 +2,6 @@
with pkgs.stockholm.lib; with pkgs.stockholm.lib;
let let
sec = toString <secrets>;
ext-dom = "wiki.euer.krebsco.de"; ext-dom = "wiki.euer.krebsco.de";
user = config.services.nginx.user; user = config.services.nginx.user;
@ -18,9 +17,10 @@ let
# user1 = pass1 # user1 = pass1
# userN = passN # userN = passN
# afterwards put /var/www/<ext-dom>/user1.html as tiddlywiki # afterwards put /var/www/<ext-dom>/user1.html as tiddlywiki
tw-pass-file = "${sec}/tw-pass.ini"; tw-pass-file = config.sops.secrets."tw-pass.ini".path;
in { in {
sops.secrets."tw-pass.ini" = {};
state = [ base-dir ]; state = [ base-dir ];
# hotfix for broken wiki after reboot # hotfix for broken wiki after reboot
systemd.services."phpfpm-euer-wiki".serviceConfig.RequiresMountFor = [ "/media/cloud" ]; systemd.services."phpfpm-euer-wiki".serviceConfig.RequiresMountFor = [ "/media/cloud" ];
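Review bot: `sops.secrets."tw-pass.ini" = {};` at L92 leaves the file with sops-nix's root-only default, but `tw-pass-file` is consumed outside this hunk, presumably by the wiki's php-fpm pool running as `user` (bound at L85); if that is the reader, the credentials file is inaccessible to it and `sops.secrets."tw-pass.ini".owner = user;` is needed. Worth confirming which process actually opens the ini before choosing the owner, since the hunk does not show the consumer.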


@ -1,8 +1,12 @@
{ pkgs, ... }: { pkgs, config, ... }:
let
seccfg = toString <secrets/mediawikibot-config.json>; {
statecfg = "/var/lib/mediawiki-matrix-bot/config.json"; sops.secrets."mediawikibot-config.json" = {
in { mode = "0440";
group = config.users.groups.mediawiki.name;
};
users.groups.mediawiki = {};
systemd.services.mediawiki-matrix-bot = { systemd.services.mediawiki-matrix-bot = {
description = "Mediawiki Matrix Bot"; description = "Mediawiki Matrix Bot";
after = [ "network-online.target" ]; after = [ "network-online.target" ];
@ -12,11 +16,9 @@ in {
RestartSec = "60s"; RestartSec = "60s";
DynamicUser = true; DynamicUser = true;
StateDirectory = "mediawiki-matrix-bot"; StateDirectory = "mediawiki-matrix-bot";
PermissionsStartOnly = true; SupplementaryGroups = [ config.users.groups.mediawiki.name ];
ExecStartPre = pkgs.writeDash "mediawikibot-copy-config" ''
install -D -m644 ${seccfg} ${statecfg} ExecStart = "${pkgs.mediawiki-matrix-bot}/bin/mediawiki-matrix-bot ${config.sops.secrets."mediawikibot-config.json".path}";
'';
ExecStart = "${pkgs.mediawiki-matrix-bot}/bin/mediawiki-matrix-bot ${statecfg}";
PrivateTmp = true; PrivateTmp = true;
}; };
}; };
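Review bot: `ExecStart` at L117 now points the bot straight at the sops-managed path with mode 0440, whereas the removed `ExecStartPre` copied it into `StateDirectory` under a name (`statecfg`) that suggests the bot may write back to its config; if it does, the read-only secret breaks it, so confirm the bot only reads config.json. Sharing the secret through the `mediawiki` group (L103–L107, L115) also means any other process in that group — the MediaWiki web app, if it is ever assigned the same group — can read the bot's credentials; a dedicated group such as `users.groups.mediawiki-matrix-bot = {};` with `group = config.users.groups.mediawiki-matrix-bot.name;` and the matching `SupplementaryGroups` entry restricts access to the bot alone. The serviceConfig block continues past the hunk.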


@ -1,7 +1,6 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
basicAuth = import <torrent-secrets/auth.nix>;
peer-port = 51412; peer-port = 51412;
web-port = 8112; web-port = 8112;
daemon-port = 58846; daemon-port = 58846;
@ -30,14 +29,13 @@ in {
}; };
#security.acme.certs."torrent.${config.krebs.build.host.name}.r".server = config.krebs.ssl.acmeURL; #security.acme.certs."torrent.${config.krebs.build.host.name}.r".server = config.krebs.ssl.acmeURL;
sops.secrets."torrent-auth" = {
owner = "nginx";
};
services.nginx = { services.nginx = {
enable = true; enable = true;
virtualHosts."torrent.${config.krebs.build.host.name}.r" = { virtualHosts."torrent.${config.krebs.build.host.name}.r" = {
# TODO basicAuthFile = config.sops.secrets."torrent-auth".path;
inherit basicAuth;
#enableACME = true;
#addSSL = true;
root = "${pkgs.nodePackages.flood}/lib/node_modules/flood/dist/assets"; root = "${pkgs.nodePackages.flood}/lib/node_modules/flood/dist/assets";
locations."/api".extraConfig = '' locations."/api".extraConfig = ''
proxy_pass http://localhost:${toString web-port}; proxy_pass http://localhost:${toString web-port};
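Review bot: The flood vhost at L141 ends up with no authentication at all: `inherit basicAuth;` is removed and its replacement at L142 is left commented out as a TODO, so the torrent web UI is reachable unauthenticated until someone revisits it. The `torrent-auth` secret at L136–L138 is already declared with `owner = "nginx";`, so the line can be enabled in this commit as `basicAuthFile = config.sops.secrets."torrent-auth".path;`, with the old `auth.nix` attrset converted to htpasswd format when it is added to the sops file. The vhost definition continues past the hunk.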


@ -7,6 +7,9 @@ in { # wireguard server
# boot.kernel.sysctl."net.ipv4.ip_forward" = 1; # boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
# conf.all.proxy_arp =1 # conf.all.proxy_arp =1
sops.secrets."wireguard.key" = {};
networking.firewall = { networking.firewall = {
allowedUDPPorts = [ 51820 ]; allowedUDPPorts = [ 51820 ];
}; };
@ -20,7 +23,7 @@ in { # wireguard server
networking.wireguard.interfaces.wg0 = { networking.wireguard.interfaces.wg0 = {
ips = [ "10.244.0.1/24" ]; ips = [ "10.244.0.1/24" ];
listenPort = 51820; listenPort = 51820;
privateKeyFile = (toString <secrets>) + "/wireguard.key"; privateKeyFile = config.sops.secrets."wireguard.key".path;
# allowedIPsAsRoutes = true; # allowedIPsAsRoutes = true;
postSetup = '' postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.244.0.0/24 -o ${ext-if} -j MASQUERADE ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.244.0.0/24 -o ${ext-if} -j MASQUERADE
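Review bot: Nothing restarts the tunnel when the key in the sops file changes: the declaration at L155 has no `restartUnits`, unlike the tor secrets in this commit, so a rotated key only takes effect on the next manual restart; `sops.secrets."wireguard.key".restartUnits = [ "wireguard-wg0.service" ];` (confirm the unit name the wireguard module generates for `wg0`) keeps the declarations consistent. The module argument pattern that must bind `config` is outside the hunk; the mediawiki file in this commit had to add `config` to its pattern, so check this file already binds it.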