treewide: replace <secrets> with sops.secrets
parent
f2b95c7617
commit
a41e86290f
|
@ -56,9 +56,10 @@ in {
|
||||||
systemd.services.nginx.serviceConfig.ReadWritePaths = [
|
systemd.services.nginx.serviceConfig.ReadWritePaths = [
|
||||||
"/var/spool/nginx/logs/"
|
"/var/spool/nginx/logs/"
|
||||||
];
|
];
|
||||||
|
sops.secrets."lego-binaergewitter" = {};
|
||||||
security.acme.certs."download.binaergewitter.de" = {
|
security.acme.certs."download.binaergewitter.de" = {
|
||||||
dnsProvider = "cloudflare";
|
dnsProvider = "cloudflare";
|
||||||
credentialsFile = toString <secrets/lego-binaergewitter>;
|
credentialsFile = config.sops.secrets."lego-binaergewitter".path;
|
||||||
webroot = lib.mkForce null;
|
webroot = lib.mkForce null;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
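Review bot: The new `sops.secrets."lego-binaergewitter" = {};` declaration keeps sops-nix's defaults (root-owned, readable only by root), while the other hunks in this commit that hand a secret to an unprivileged service set `owner` (tor, torrent). Whether the default is enough here depends on how `security.acme` consumes `credentialsFile`: if it is passed to systemd as an EnvironmentFile it is read by PID 1 before privileges are dropped and root-only is fine, but if lego opens it itself as the `acme` user the renewal job will fail at runtime rather than at evaluation time. Worth confirming against the acme module and either adding `owner = "acme";` or a one-line comment above the declaration recording why root-only access is sufficient. The enclosing attribute set starts outside the hunk.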
|
@ -6,12 +6,12 @@ let
|
||||||
srvdir = "/var/lib/tor/onion/";
|
srvdir = "/var/lib/tor/onion/";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
sops.secrets."bgt_cyberwar_hidden_service/private_key" = {
|
sops.secrets."${name}/private_key" = {
|
||||||
path = "${srvdir}/${name}/private_key";
|
path = "${srvdir}/${name}/private_key";
|
||||||
owner = "tor";
|
owner = "tor";
|
||||||
restartUnits = [ "tor.service" ];
|
restartUnits = [ "tor.service" ];
|
||||||
};
|
};
|
||||||
sops.secrets."bgt_cyberwar_hidden_service/hostname" = {
|
sops.secrets."${name}/hostname" = {
|
||||||
path = "${srvdir}/${name}/hostname";
|
path = "${srvdir}/${name}/hostname";
|
||||||
owner = "tor";
|
owner = "tor";
|
||||||
restartUnits = [ "tor.service" ];
|
restartUnits = [ "tor.service" ];
|
||||||
|
|
|
@ -1,12 +1,13 @@
|
||||||
{ config, lib, pkgs, ...}:
|
{ config, lib, pkgs, ...}:
|
||||||
|
|
||||||
{
|
{
|
||||||
|
sops.secrets."nix-serve.key" = {};
|
||||||
# generate private key with:
|
# generate private key with:
|
||||||
# nix-store --generate-binary-cache-key gum nix-serve.key nix-serve.pub
|
# nix-store --generate-binary-cache-key gum nix-serve.key nix-serve.pub
|
||||||
services.nix-serve = {
|
services.nix-serve = {
|
||||||
enable = true;
|
enable = true;
|
||||||
port = 5001;
|
port = 5001;
|
||||||
secretKeyFile = toString <secrets> + "/nix-serve.key";
|
secretKeyFile = config.sops.secrets."nix-serve.key".path;
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
|
|
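Review bot: `sops.secrets."nix-serve.key" = {};` declares the cache signing key with sops-nix defaults (root-owned, mode 0400), but `services.nix-serve` is normally run as its own unprivileged user and nothing in the hunk grants that user access to the file. If the daemon opens `secretKeyFile` itself rather than having systemd hand it over, signing will fail with a permission error at service start; setting `owner`/`group` to the nix-serve service user, as the torrent hunk does for nginx, or leaving a comment stating that systemd provides the file, would make the intent checkable. I'd also move the existing `# generate private key with:` comment directly above the sops declaration so the key's origin and its sops entry are documented in one place.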
|
@ -1,6 +1,8 @@
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
|
sops.secrets."dl.euer.krebsco.de-auth" = {};
|
||||||
|
sops.secrets."dl.gum-auth" = {};
|
||||||
users.groups.download.members = [ "nginx" ];
|
users.groups.download.members = [ "nginx" ];
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = lib.mkDefault true;
|
enable = lib.mkDefault true;
|
||||||
|
@ -11,13 +13,13 @@
|
||||||
extraConfig = "autoindex on;";
|
extraConfig = "autoindex on;";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
basicAuth = import <secrets/dl.euer.krebsco.de-auth.nix>;
|
basicAuthFile = config.sops.secrets."dl.euer.krebsco.de-auth".path;
|
||||||
};
|
};
|
||||||
virtualHosts."dl.gum.r" = {
|
virtualHosts."dl.gum.r" = {
|
||||||
serverAliases = [ "dl.gum" "dl.makefu.r" "dl.makefu" ];
|
serverAliases = [ "dl.gum" "dl.makefu.r" "dl.makefu" ];
|
||||||
root = config.makefu.dl-dir;
|
root = config.makefu.dl-dir;
|
||||||
extraConfig = "autoindex on;";
|
extraConfig = "autoindex on;";
|
||||||
basicAuth = import <secrets/dl.gum-auth.nix>;
|
basicAuthFile = config.sops.secrets."dl.gum-auth".path;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
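Review bot: Switching `basicAuth = import <…>` to `basicAuthFile` changes the secret's required format, not only its location: `basicAuth` took a user→password attribute set and had the nginx module generate the htpasswd file, whereas `basicAuthFile` is handed to nginx directly and must already be an htpasswd-style file with hashed entries, so a sops entry that still holds the old Nix attrset (or plaintext passwords) will authenticate nobody. Both `sops.secrets."dl.euer.krebsco.de-auth" = {};` and `sops.secrets."dl.gum-auth" = {};` in the first hunk also omit `owner`, unlike the torrent hunk which sets `owner = "nginx";`; with the root-only default, readability depends on which process opens the file, so either set `owner = config.services.nginx.user;` on both or record why root-only works. A one-line comment above the declarations, e.g. `# htpasswd format (user:hash per line), read by nginx via auth_basic_user_file`, would document the expected content.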
|
@ -2,7 +2,6 @@
|
||||||
|
|
||||||
with pkgs.stockholm.lib;
|
with pkgs.stockholm.lib;
|
||||||
let
|
let
|
||||||
sec = toString <secrets>;
|
|
||||||
ext-dom = "wiki.euer.krebsco.de";
|
ext-dom = "wiki.euer.krebsco.de";
|
||||||
|
|
||||||
user = config.services.nginx.user;
|
user = config.services.nginx.user;
|
||||||
|
@ -18,9 +17,10 @@ let
|
||||||
# user1 = pass1
|
# user1 = pass1
|
||||||
# userN = passN
|
# userN = passN
|
||||||
# afterwards put /var/www/<ext-dom>/user1.html as tiddlywiki
|
# afterwards put /var/www/<ext-dom>/user1.html as tiddlywiki
|
||||||
tw-pass-file = "${sec}/tw-pass.ini";
|
tw-pass-file = config.sops.secrets."tw-pass.ini".path;
|
||||||
|
|
||||||
in {
|
in {
|
||||||
|
sops.secrets."tw-pass.ini" = {};
|
||||||
state = [ base-dir ];
|
state = [ base-dir ];
|
||||||
# hotfix for broken wiki after reboot
|
# hotfix for broken wiki after reboot
|
||||||
systemd.services."phpfpm-euer-wiki".serviceConfig.RequiresMountFor = [ "/media/cloud" ];
|
systemd.services."phpfpm-euer-wiki".serviceConfig.RequiresMountFor = [ "/media/cloud" ];
|
||||||
|
|
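Review bot: Removing the `sec = toString <secrets>;` binding is only safe if `${sec}` had no other use in this file; the diff shows two of its former references, but the rest of the file is outside the hunks, so any remaining `${sec}` interpolation would now be an undefined-variable evaluation error — worth a grep before merging. `sops.secrets."tw-pass.ini" = {};` keeps the root-only default; since the file binds `user = config.services.nginx.user`, the wiki appears to be served as that user, and if the PHP side reads `tw-pass-file` at request time the secret needs `owner = user;` (or an equivalent group grant). A short comment stating which process opens `tw-pass-file` would make the chosen permissions reviewable.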
|
@ -1,8 +1,12 @@
|
||||||
{ pkgs, ... }:
|
{ pkgs, config, ... }:
|
||||||
let
|
|
||||||
seccfg = toString <secrets/mediawikibot-config.json>;
|
{
|
||||||
statecfg = "/var/lib/mediawiki-matrix-bot/config.json";
|
sops.secrets."mediawikibot-config.json" = {
|
||||||
in {
|
mode = "0440";
|
||||||
|
group = config.users.groups.mediawiki.name;
|
||||||
|
};
|
||||||
|
users.groups.mediawiki = {};
|
||||||
|
|
||||||
systemd.services.mediawiki-matrix-bot = {
|
systemd.services.mediawiki-matrix-bot = {
|
||||||
description = "Mediawiki Matrix Bot";
|
description = "Mediawiki Matrix Bot";
|
||||||
after = [ "network-online.target" ];
|
after = [ "network-online.target" ];
|
||||||
|
@ -12,11 +16,9 @@ in {
|
||||||
RestartSec = "60s";
|
RestartSec = "60s";
|
||||||
DynamicUser = true;
|
DynamicUser = true;
|
||||||
StateDirectory = "mediawiki-matrix-bot";
|
StateDirectory = "mediawiki-matrix-bot";
|
||||||
PermissionsStartOnly = true;
|
SupplementaryGroups = [ config.users.groups.mediawiki.name ];
|
||||||
ExecStartPre = pkgs.writeDash "mediawikibot-copy-config" ''
|
|
||||||
install -D -m644 ${seccfg} ${statecfg}
|
ExecStart = "${pkgs.mediawiki-matrix-bot}/bin/mediawiki-matrix-bot ${config.sops.secrets."mediawikibot-config.json".path}";
|
||||||
'';
|
|
||||||
ExecStart = "${pkgs.mediawiki-matrix-bot}/bin/mediawiki-matrix-bot ${statecfg}";
|
|
||||||
PrivateTmp = true;
|
PrivateTmp = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
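Review bot: The removed `ExecStartPre` used to copy the secret into `/var/lib/mediawiki-matrix-bot/config.json` with `install -m644`, i.e. a world-readable copy of the bot's credentials; the new code reads the sops path directly, but nothing removes that stale copy, so on already-deployed hosts it stays readable by every local user until the state directory is cleaned up. A one-off cleanup or at least a comment naming the old path would be worth adding. The new `mode = "0440"` with `group = config.users.groups.mediawiki.name` plus `SupplementaryGroups` is the right shape for a `DynamicUser` service; a comment such as `# group-readable: the DynamicUser bot has no stable UID to own the file, so access goes via SupplementaryGroups` would explain why the secret is not simply owned by the service user.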
|
@ -1,7 +1,6 @@
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
basicAuth = import <torrent-secrets/auth.nix>;
|
|
||||||
peer-port = 51412;
|
peer-port = 51412;
|
||||||
web-port = 8112;
|
web-port = 8112;
|
||||||
daemon-port = 58846;
|
daemon-port = 58846;
|
||||||
|
@ -30,14 +29,13 @@ in {
|
||||||
};
|
};
|
||||||
|
|
||||||
#security.acme.certs."torrent.${config.krebs.build.host.name}.r".server = config.krebs.ssl.acmeURL;
|
#security.acme.certs."torrent.${config.krebs.build.host.name}.r".server = config.krebs.ssl.acmeURL;
|
||||||
|
sops.secrets."torrent-auth" = {
|
||||||
|
owner = "nginx";
|
||||||
|
};
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
virtualHosts."torrent.${config.krebs.build.host.name}.r" = {
|
virtualHosts."torrent.${config.krebs.build.host.name}.r" = {
|
||||||
# TODO
|
basicAuthFile = config.sops.secrets."torrent-auth".path;
|
||||||
inherit basicAuth;
|
|
||||||
#enableACME = true;
|
|
||||||
#addSSL = true;
|
|
||||||
root = "${pkgs.nodePackages.flood}/lib/node_modules/flood/dist/assets";
|
root = "${pkgs.nodePackages.flood}/lib/node_modules/flood/dist/assets";
|
||||||
locations."/api".extraConfig = ''
|
locations."/api".extraConfig = ''
|
||||||
proxy_pass http://localhost:${toString web-port};
|
proxy_pass http://localhost:${toString web-port};
|
||||||
|
|
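Review bot: `basicAuthFile` expects an htpasswd-style file, whereas the removed `basicAuth = import <torrent-secrets/auth.nix>` was a Nix attribute set that the nginx module turned into one, so the new `torrent-auth` sops entry must be re-encoded (user:hash per line); the commit does not mention the format change, and a comment above the declaration would help the next person who rotates it. `owner = "nginx";` hard-codes the user name while the wiki hunk uses `config.services.nginx.user`; `owner = config.services.nginx.user;` keeps the two consistent and stays correct if the nginx user is ever changed. The commented-out `#enableACME`/`#addSSL` lines are dropped along with the `# TODO`, leaving the vhost serving basic auth over plain HTTP as before; if the `.r` name is reachable over an untrusted network that is worth keeping as an explicit TODO rather than silently removing.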
|
@ -7,6 +7,9 @@ in { # wireguard server
|
||||||
|
|
||||||
# boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
|
# boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
|
||||||
# conf.all.proxy_arp =1
|
# conf.all.proxy_arp =1
|
||||||
|
|
||||||
|
sops.secrets."wireguard.key" = {};
|
||||||
|
|
||||||
networking.firewall = {
|
networking.firewall = {
|
||||||
allowedUDPPorts = [ 51820 ];
|
allowedUDPPorts = [ 51820 ];
|
||||||
};
|
};
|
||||||
|
@ -20,7 +23,7 @@ in { # wireguard server
|
||||||
networking.wireguard.interfaces.wg0 = {
|
networking.wireguard.interfaces.wg0 = {
|
||||||
ips = [ "10.244.0.1/24" ];
|
ips = [ "10.244.0.1/24" ];
|
||||||
listenPort = 51820;
|
listenPort = 51820;
|
||||||
privateKeyFile = (toString <secrets>) + "/wireguard.key";
|
privateKeyFile = config.sops.secrets."wireguard.key".path;
|
||||||
# allowedIPsAsRoutes = true;
|
# allowedIPsAsRoutes = true;
|
||||||
postSetup = ''
|
postSetup = ''
|
||||||
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.244.0.0/24 -o ${ext-if} -j MASQUERADE
|
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.244.0.0/24 -o ${ext-if} -j MASQUERADE
|
||||||
|
|
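Review bot: `sops.secrets."wireguard.key" = {};` has no `restartUnits`, unlike the tor hunk which lists `tor.service`, so a rotated key will be written to disk on activation but `wg0` keeps running with the old private key until the interface unit is restarted; adding `restartUnits = [ "wireguard-wg0.service" ];` (unit name to be confirmed against the networking.wireguard module) would make rotation take effect. The root-only default appears appropriate here since the interface is configured by a root-run unit, but a comment saying so would save the next reader from checking. The enclosing `in { # wireguard server` set starts outside the hunk.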