From 380d8202ff2f253017ff9dd36f25187381640969 Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Mon, 2 Sep 2024 13:33:44 +0200
Subject: [PATCH] Refactor container configuration
---
.sops.yaml | 12 ++
hosts/stratus/containers/default.nix | 95 ++++++++++++++++
.../stratus/containers/nextcloud/default.nix | 103 +++++++++--------
.../containers/nextcloud/email-server.nix | 5 +-
.../containers/nextcloud/nextcloud.nix | 49 --------
.../stratus/containers/nextcloud/secrets.yaml | 33 ++++++
.../containers/nextcloud/tailscale.nix | 31 ------
.../stratus/containers/paperless/default.nix | 69 +++--------
.../containers/paperless/paperless.nix | 8 --
.../stratus/containers/paperless/secrets.yaml | 31 ++++++
.../containers/paperless/tailscale.nix | 31 ------
hosts/stratus/default.nix | 4 +-
hosts/stratus/secrets.yaml | 13 ++-
modules/system/sops.nix | 15 ++-
modules/system/tailscale.nix | 30 ++++-
15 files changed, 288 insertions(+), 241 deletions(-)
create mode 100644 hosts/stratus/containers/default.nix
delete mode 100644 hosts/stratus/containers/nextcloud/nextcloud.nix
create mode 100644 hosts/stratus/containers/nextcloud/secrets.yaml
delete mode 100644 hosts/stratus/containers/nextcloud/tailscale.nix
delete mode 100644 hosts/stratus/containers/paperless/paperless.nix
create mode 100644 hosts/stratus/containers/paperless/secrets.yaml
delete mode 100644 hosts/stratus/containers/paperless/tailscale.nix
diff --git a/.sops.yaml b/.sops.yaml
index fbe4bbf..fa533cb 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -3,6 +3,8 @@ keys:
 - &north age18x6herevmcuhcmeh47ll6p9ck9zk4ga6gfxwlc8yl49rwjxm7qusylwfgc
 - &inspiron age1jl9s4vp78wuwymjxaje6fg4ax0gg5aq8pn8khfmtn5rvap0d83tqfr05dv
 - &stratus age1pryafed9elaea6zk5gnf6drjt4nznc02385y973lwt9t2s7j7vmsfnggkp
+ - &nextcloud age1jutruntzdaqs26mpe68pafje23m9n4klm04fva05fcdyvyqnaamsvqf3jr
+ - &paperless age1y82j460w5fh0fpquatqar0zqet0vzzfzjnegrp686na3gejapdtsc37vuh
 - &seb-north age1p32cyzakxtcx346ej82ftln4r2aw2pcuazq3583s85nzsan4ygqsj32hjf
 - &seb-inspiron age1s9h9hh8f0vudwn4awr90mj0ka2xh9gppwus0jmvmaz3j3uckz94s36gzkz
 creation_rules:
@@ -21,6 +23,16 @@ creation_rules:
 - age:
 - *admin
 - *stratus
+ - path_regex: hosts/stratus/containers/nextcloud/secrets.yaml$
+ key_groups:
+ - age:
+ - *admin
+ - *nextcloud
+ - path_regex: hosts/stratus/containers/paperless/secrets.yaml$
+ key_groups:
+ - age:
+ - *admin
+ - *paperless
 - path_regex: users/seb/@north/secrets.yaml$
 key_groups:
 - age:
diff --git a/hosts/stratus/containers/default.nix b/hosts/stratus/containers/default.nix
new file mode 100644
index 0000000..868f9d4
--- /dev/null
+++ b/hosts/stratus/containers/default.nix
@@ -0,0 +1,95 @@
+{
+ config,
+ inputs,
+ self,
+ lib,
+ ...
+}:
+let
+ containers = lib.filterAttrs (_: v: v == "directory") (builtins.readDir ./.);
+ interface = "eno1";
+ dataDirOf = name: "/data/${name}";
+in
+{
+ imports = [
+ ./nextcloud
+ ./paperless
+ ];
+
+ sops.secrets = lib.mapAttrs' (
+ name: _: lib.nameValuePair "container/${name}/ssh-key" { }
+ ) containers;
+
+ systemd.tmpfiles.rules = lib.flatten (
+ lib.mapAttrsToList (name: _: [
+ "d ${dataDirOf name} - - -"
+ "d /var/lib/tailscale-${name} - - -"
+ ]) containers
+ );
+
+ containers = lib.mapAttrs (name: _: {
+ autoStart = true;
+ ephemeral = true;
+ macvlans = [ interface ];
+
+ bindMounts = {
+ "/etc/ssh/ssh_host_ed25519_key".hostPath = config.sops.secrets."container/${name}/ssh-key".path;
+ ${dataDirOf name}.isReadOnly = false;
+ "/var/lib/tailscale" = {
+ hostPath = "/var/lib/tailscale-${name}";
+ isReadOnly = false;
+ };
+ };
+
+ specialArgs = {
+ inherit inputs self;
+ inherit (config.system) stateVersion;
+ inherit (config.networking) domain;
+ dataDir = dataDirOf name;
+ };
+ config =
+ {
+ self,
+ stateVersion,
+ domain,
+ ...
+ }:
+ {
+ imports = [
+ "${self}/modules/system/sops.nix"
+ "${self}/modules/system/tailscale.nix"
+ ];
+
+ system = {
+ inherit stateVersion;
+ };
+
+ networking = {
+ inherit domain;
+ useNetworkd = true;
+ useHostResolvConf = false;
+ };
+
+ systemd.network = {
+ enable = true;
+ networks."10-mv-${interface}" = {
+ matchConfig.Name = "mv-${interface}";
+ networkConfig.DHCP = "yes";
+ dhcpV4Config.ClientIdentifier = "mac";
+ };
+ };
+
+ myConfig.sops = {
+ enable = true;
+ defaultSopsFile = ./${name}/secrets.yaml;
+ };
+
+ sops.secrets."tailscale-auth-key" = { };
+ services.tailscale.interfaceName = "userspace-networking";
+ myConfig.tailscale = {
+ enable = true;
+ ssh.enable = true;
+ };
+ };
+ }) containers;
+}
diff --git a/hosts/stratus/containers/nextcloud/default.nix b/hosts/stratus/containers/nextcloud/default.nix
index c599707..4e3d9d2 100644
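Review bot: `imports = [ ./nextcloud ./paperless ];` near the top of the new file is hand-maintained while `containers` is discovered with `builtins.readDir ./.`, so the two can drift: any new subdirectory immediately gets a container with a macvlan on `eno1`, a host-side `container/<name>/ssh-key` secret and tmpfiles entries, but no service configuration unless someone also edits `imports`, and an existing directory can be forgotten there. Deriving both from the same set removes the drift: `imports = lib.mapAttrsToList (name: _: ./${name}) containers;`. The `sops.secrets."tailscale-auth-key" = { };` line inside the per-container config repeats the declaration that `modules/system/tailscale.nix` now makes whenever `myConfig.tailscale.enable` is set, so it can be dropped here. A short comment on the `bindMounts` entry would also help: the host-decrypted `container/<name>/ssh-key` is what lets each container decrypt only its own `secrets.yaml` (the `.sops.yaml` hunk keys each file to `admin` plus that container's recipient), which is the trust boundary this layout relies on.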
--- a/hosts/stratus/containers/nextcloud/default.nix
+++ b/hosts/stratus/containers/nextcloud/default.nix
@@ -1,61 +1,62 @@ -{ config, ... }: { - sops.secrets = { - "nextcloud/admin-password" = { }; - "nextcloud/gmail-password" = { }; - tailscale-auth-key = { }; - }; + containers.nextcloud.config = + { + config, + pkgs, + dataDir, + ... + }: + { + imports = [ ./email-server.nix ]; - systemd.tmpfiles.rules = [ - "d /data/nextcloud - - -" - "d /var/lib/tailscale-nextcloud - - -" - ]; - - containers.nextcloud = { - autoStart = true; - ephemeral = true; - macvlans = [ "eno1" ]; - - bindMounts = { - # Secrets - "/run/secrets/nextcloud".isReadOnly = false; - "/run/secrets/tailscale-auth-key" = { }; - - # State - "/data/nextcloud".isReadOnly = false; - "/var/lib/tailscale" = { - hostPath = "/var/lib/tailscale-nextcloud"; - isReadOnly = false; + sops.secrets."nextcloud/admin-password" = { + owner = config.users.users.nextcloud.name; + inherit (config.users.users.nextcloud) group; }; - }; - specialArgs = { - inherit (config.networking) domain; - }; - config = - { domain, ... }: - { - system.stateVersion = "24.05"; + systemd.tmpfiles.rules = [ + "d ${dataDir}/home 750 nextcloud nextcloud -" + "d ${dataDir}/postgresql 700 postgres postgres -" + ]; - networking = { - inherit domain; - useNetworkd = true; - useHostResolvConf = false; + services.postgresql.dataDir = "${dataDir}/postgresql"; + + services.nextcloud = { + enable = true; + package = pkgs.nextcloud29; + home = "${dataDir}/home"; + hostName = config.networking.fqdn; + + database.createLocally = true; + config = { + dbtype = "pgsql"; + adminuser = "admin"; + adminpassFile = config.sops.secrets."nextcloud/admin-password".path; }; - systemd.network = { + + https = true; + settings = { + overwriteProtocol = "https"; + trusted_proxies = [ "127.0.0.1" ]; + log_type = "file"; + default_phone_region = "DE"; + maintenance_window_start = "2"; # UTC + }; + + configureRedis = true; + maxUploadSize = "4G"; + phpOptions."opcache.interned_strings_buffer" = "16"; + + autoUpdateApps = { enable = true; - networks."40-mv-eno1" = { - 
matchConfig.Name = "mv-eno1"; - networkConfig.DHCP = "yes"; - dhcpV4Config.ClientIdentifier = "mac"; - }; + startAt = "04:00:00"; + }; + extraApps = { + inherit (config.services.nextcloud.package.packages.apps) contacts calendar; }; - - imports = [ - ./nextcloud.nix - ./email-server.nix - ./tailscale.nix - ]; }; - }; + + myConfig.tailscale.serve = "80"; + }; + } diff --git a/hosts/stratus/containers/nextcloud/email-server.nix b/hosts/stratus/containers/nextcloud/email-server.nix index c79dc30..f650a83 100644 --- a/hosts/stratus/containers/nextcloud/email-server.nix +++ b/hosts/stratus/containers/nextcloud/email-server.nix @@ -1,5 +1,6 @@ +{ config, ... }: { - systemd.tmpfiles.rules = [ "z /run/secrets/nextcloud/gmail-password 400 nextcloud nextcloud -" ]; + sops.secrets."nextcloud/gmail-password" = { }; services.nextcloud.settings = { mail_smtpmode = "sendmail"; @@ -15,7 +16,7 @@ port = "587"; user = "nextcloud.stork"; from = "nextcloud.stork@gmail.com"; - passwordeval = "cat /run/secrets/nextcloud/gmail-password"; + passwordeval = "cat ${config.sops.secrets."nextcloud/gmail-password".path}"; }; }; } diff --git a/hosts/stratus/containers/nextcloud/nextcloud.nix b/hosts/stratus/containers/nextcloud/nextcloud.nix deleted file mode 100644 index 5caabc1..0000000 --- a/hosts/stratus/containers/nextcloud/nextcloud.nix +++ /dev/null 
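Review bot: `sops.secrets."nextcloud/gmail-password" = { };` in email-server.nix replaces the removed tmpfiles rule that chowned the decrypted file to `nextcloud` (`z ... 400 nextcloud nextcloud -`), so the secret now falls back to sops-nix's default root-owned mode, while `passwordeval = "cat ${config.sops.secrets."nextcloud/gmail-password".path}"` in the second hunk of this file (`@@ -15,7 +16,7 @@`) is presumably executed as the `nextcloud` user when mail is sent. Unless something outside these hunks sets the owner, that `cat` fails with permission denied and outgoing mail stops working. The sibling `nextcloud/admin-password` declaration in the hunk above already handles this; mirror it: `sops.secrets."nextcloud/gmail-password" = { owner = config.users.users.nextcloud.name; inherit (config.users.users.nextcloud) group; };`. The attribute set that holds `passwordeval` begins outside the hunk.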
@@ -1,49 +0,0 @@
-{
- config,
- pkgs,
- ...
-}:
-{
- systemd.tmpfiles.rules = [
- "z /run/secrets/nextcloud/admin-password 400 nextcloud nextcloud -"
- "d /data/nextcloud/home 750 nextcloud nextcloud -"
- "d /data/nextcloud/postgresql 700 postgres postgres -"
- ];
-
- services.postgresql.dataDir = "/data/nextcloud/postgresql";
-
- services.nextcloud = {
- enable = true;
- package = pkgs.nextcloud29;
- home = "/data/nextcloud/home";
- hostName = config.networking.fqdn;
-
- database.createLocally = true;
- config = {
- dbtype = "pgsql";
- adminuser = "admin";
- adminpassFile = "/run/secrets/nextcloud/admin-password";
- };
-
- https = true;
- settings = {
- overwriteProtocol = "https";
- trusted_proxies = [ "127.0.0.1" ];
- log_type = "file";
- default_phone_region = "DE";
- maintenance_window_start = "2"; # UTC
- };
-
- configureRedis = true;
- maxUploadSize = "4G";
- phpOptions."opcache.interned_strings_buffer" = "16";
-
- autoUpdateApps = {
- enable = true;
- startAt = "04:00:00";
- };
- extraApps = {
- inherit (config.services.nextcloud.package.packages.apps) contacts calendar;
- };
- };
-}
diff --git a/hosts/stratus/containers/nextcloud/secrets.yaml b/hosts/stratus/containers/nextcloud/secrets.yaml
new file mode 100644
index 0000000..77c7a31
--- /dev/null
+++ b/hosts/stratus/containers/nextcloud/secrets.yaml
@@ -0,0 +1,33 @@
+tailscale-auth-key: ENC[AES256_GCM,data:KshGpoyKTQQgshWFSwhGWPtwPfP3S2fLkJBxqfu1Mgs/6aexXRo0jMyzvnonxB/HsxFSRCffUuxwQNF8XJY=,iv:8MtERXmpwqgGZxIPmXAcj0KymWvRXKV5svOLZSfWdOU=,tag:refC9jmVzSrLuClo8+J7DA==,type:str]
+nextcloud:
+ admin-password: ENC[AES256_GCM,data:RaFNoEJj2flmwIu2Q/5UgRbITve7CzFg8udQclJO,iv:d95Vo9HMRzmoSU3gcQqO5uP7yW6n7PF6Nx3s6A9bgmc=,tag:ruIW8Ov+wQPOPBWV61MnWw==,type:str]
+ gmail-password: ENC[AES256_GCM,data:RJXg4KYYwjg2CyzQM9wovDSqB8M=,iv:Tf8egrzoG3rRbzufJGHCTr6W+nCEnJJaSe6hpvr1AmM=,tag:GjlgIEqQDUtjn3mm1QT1uw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKWFVKV0IzbVVTV1g1c3o1
+ ZnpwMTFyZ0RhcmhhNk8vd1dYWGdWZHZhNFVRCjE3MG9Wd0ZXNEtrRS84M3hMRVdk
+ T1BOczN0VmoybUs3dXJUR3FNc2swdlkKLS0tIEFXam96UGlJWnphVzVpRittSXNS
+ SDU0U0IwTTh6NHI2enZZTEwwd2lkQXMKsHAwayLHW3GfRc90sq0xhN1rF4RkvXSS
+ +WGyhmI0fik6NPyVN7DNaYhte2IoVJe3RTH2vJigpTLIIziMgTPgFQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1jutruntzdaqs26mpe68pafje23m9n4klm04fva05fcdyvyqnaamsvqf3jr
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwSExmaW9CUGo0WWloZDha
+ c3ZUNy9xVXgvVkdzRHRjWFZERllycG41RENzCnZuazR2RW41VlJNWk9TZjcwcGpM
+ dnZQQTNSbDBieGhmOW5xU24xeVhpYjQKLS0tIHAzTDV2dHdDNnQ4ZC9ielM3Qyt1
+ aWFqYXYrMmJBbEQwQWxza1lrdmU4bmMKm0QbJP1QiNVOA7slpocaPxkq9orE8jrP
+ xxrDtRUZhvEOEZuCD61wWTfgdeI7SFWaSJkN6MgPlvRyuYQ+3TZh3Q==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-09-02T11:38:31Z"
+ mac: ENC[AES256_GCM,data:E2L8j21dhHLQ/OCIZNMqlH1C5XX0uSGmuQIjetiE8s/LX4fZSR9s4sPzub3gLI5h3EVJKzMU2UFXZATMUfe/1t4PP5nIuggUtxD+VWxtHNaVHJMs+wEWKYE+nITyZ7HGvwBr0sMQ3Sb2DuiQ729nr9hLn1Mbn7uc5o+Z2RJg5Cc=,iv:jEaBwYsO3hW5NtmmZrL6H23qDcTSAGuBLjPRi60Lzco=,tag:pGpL80onRUVQfIYChaBxSg==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.0
diff --git a/hosts/stratus/containers/nextcloud/tailscale.nix b/hosts/stratus/containers/nextcloud/tailscale.nix
deleted file mode 100644
index 2eb0f10..0000000
--- a/hosts/stratus/containers/nextcloud/tailscale.nix
+++ /dev/null
@@ -1,31 +0,0 @@
-{
- config,
- pkgs,
- lib,
- ...
-}:
-{
- services.tailscale = {
- enable = true;
- authKeyFile = "/run/secrets/tailscale-auth-key";
- useRoutingFeatures = "server";
- openFirewall = true;
- interfaceName = "userspace-networking";
- extraUpFlags = [ "--ssh" ];
- };
-
- systemd.services.nextcloud-serve = {
- after = [
- "tailscaled.service"
- "tailscaled-autoconnect.service"
- ];
- wants = [ "tailscaled.service" ];
- wantedBy = [ "multi-user.target" ];
- serviceConfig.Type = "oneshot";
- script = ''
- ${lib.getExe pkgs.tailscale} cert ${config.networking.fqdn}
- ${lib.getExe pkgs.tailscale} serve reset
- ${lib.getExe pkgs.tailscale} serve --bg 80
- '';
- };
-}
diff --git a/hosts/stratus/containers/paperless/default.nix b/hosts/stratus/containers/paperless/default.nix
index 9176295..1a0cb7e 100644
--- a/hosts/stratus/containers/paperless/default.nix
+++ b/hosts/stratus/containers/paperless/default.nix
@@ -1,59 +1,20 @@ -{ config, ... }: { - sops.secrets = { - "paperless-admin-password" = { }; - tailscale-auth-key = { }; - }; + containers.paperless.config = + { + config, + dataDir, + ... + }: + { + sops.secrets."paperless-admin-password" = { }; - systemd.tmpfiles.rules = [ - "d /data/paperless - - -" - "d /var/lib/tailscale-paperless - - -" - ]; - - containers.paperless = { - autoStart = true; - ephemeral = true; - macvlans = [ "eno1" ]; - - bindMounts = { - # Secrets - "/run/secrets/paperless-admin-password" = { }; - "/run/secrets/tailscale-auth-key" = { }; - - # State - "/data/paperless".isReadOnly = false; - "/var/lib/tailscale" = { - hostPath = "/var/lib/tailscale-paperless"; - isReadOnly = false; + services.paperless = { + enable = true; + inherit dataDir; + passwordFile = config.sops.secrets."paperless-admin-password".path; + settings.PAPERLESS_OCR_LANGUAGE = "deu+eng"; }; + + myConfig.tailscale.serve = "28981"; }; - - specialArgs = { - inherit (config.networking) domain; - }; - config = - { domain, ... }: - { - system.stateVersion = "24.05"; - - networking = { - inherit domain; - useNetworkd = true; - useHostResolvConf = false; - }; - systemd.network = { - enable = true; - networks."40-mv-eno1" = { - matchConfig.Name = "mv-eno1"; - networkConfig.DHCP = "yes"; - dhcpV4Config.ClientIdentifier = "mac"; - }; - }; - - imports = [ - ./paperless.nix - ./tailscale.nix - ]; - }; - }; }
diff --git a/hosts/stratus/containers/paperless/paperless.nix b/hosts/stratus/containers/paperless/paperless.nix
deleted file mode 100644
index f9d0d72..0000000
--- a/hosts/stratus/containers/paperless/paperless.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-{
- services.paperless = {
- enable = true;
- dataDir = "/data/paperless";
- passwordFile = "/run/secrets/paperless-admin-password";
- settings.PAPERLESS_OCR_LANGUAGE = "deu+eng";
- };
-}
diff --git a/hosts/stratus/containers/paperless/secrets.yaml b/hosts/stratus/containers/paperless/secrets.yaml
new file mode 100644
index 0000000..c807cde
--- /dev/null
+++ b/hosts/stratus/containers/paperless/secrets.yaml
@@ -0,0 +1,31 @@
+tailscale-auth-key: ENC[AES256_GCM,data:2vJoEaMZE1s2cVL20A7JCaZ525YkSXqCasKcCLwbYX+W8BVczEDThPqXm2PyKzo6zcdkZkbwONWIeLKEhyE=,iv:Z/B0tUMn+ACLT5is+TRjLOT16FpdWhTuDC1llvNZ7Ms=,tag:pwzlgMkuNYEhmZ/uiRJy4Q==,type:str]
+paperless-admin-password: ENC[AES256_GCM,data:7xjn0fXEFZCYDvzjP7P5R5reZR8=,iv:jMIJNbqEo7IcHDYwvTmQnArYdt2PR9tp8coOXCZHkQw=,tag:kCejUFStTuosRblkbQMdew==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWTmZLR2JOM1p2S2lxYkts
+ WTE2OFlRUXJ0a01EOUd3Mythc3R1d3llTTNrCkJQWVY1bGlFbThaL0plTWhwYUJK
+ WDlQNjFzZGhIS3ZlaHZiYytQdFo5WWMKLS0tIGZ3VDRTQlFHT2IwVkFIb0lwOXhT
+ dm9QRndWZXE0L0drS3JzMGF0c2x1S1kKXuxMaVAcbRwR4/QZnIUdb3wyRujYAy2I
+ 8/FYL5r9PuNwhEv1Ene+dj8nkx1G+stTZmgepOS9Z0AyIvfDW6FS8g==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1y82j460w5fh0fpquatqar0zqet0vzzfzjnegrp686na3gejapdtsc37vuh
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNMVVzZUl5WVc3VVZudmVj
+ UkVDd2pYUU50MDBHRnZ4Sis5K28wV1RwNlQ4CmhONVd3Wkh5ZHlYSDYzeHlLMGdF
+ VUxiS2JWS2lwQVY2OHYwSk1UdGNSeUkKLS0tIGRSZVJ2U1J6azQveHJkRmViVnNs
+ cmFJeFpHdnRzMFA2a1NML1A1RFB6clEK+FH8x1dccz8TnUuEFc0EkTSzG6Ody0IF
+ tCNrHN2h3AzqYxKFYucquMmnE9WGJuzShijIXAv1W7JE2JZw9XnS4w==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-09-02T11:38:42Z"
+ mac: ENC[AES256_GCM,data:IkUwDpVTUboAHQzFMaHhcGkNtW1eGUNrGDDEq9Zegwrwu6Xx5yFuxlmFMWIM7oX3voWjCx4A1u4sxfT4JHauhnJER7rXeF5qYuGSiIj8o2rMZYm7C6zkWumJ7kvt5nBML5+Jkd8n9fhbh9wSND1IbzsWwuURugeNLhYvUaCJA+Y=,iv:8aoHhE/rZYEf6vtvQvuuG1CDnCniarxxIC0ysH6Hemo=,tag:93B38zvR3Qx8rawO9CuJ4w==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.0
diff --git a/hosts/stratus/containers/paperless/tailscale.nix b/hosts/stratus/containers/paperless/tailscale.nix
deleted file mode 100644
index 152bf80..0000000
--- a/hosts/stratus/containers/paperless/tailscale.nix
+++ /dev/null
@@ -1,31 +0,0 @@
-{
- config,
- pkgs,
- lib,
- ...
-}:
-{
- services.tailscale = {
- enable = true;
- authKeyFile = "/run/secrets/tailscale-auth-key";
- useRoutingFeatures = "server";
- openFirewall = true;
- interfaceName = "userspace-networking";
- extraUpFlags = [ "--ssh" ];
- };
-
- systemd.services.nextcloud-serve = {
- after = [
- "tailscaled.service"
- "tailscaled-autoconnect.service"
- ];
- wants = [ "tailscaled.service" ];
- wantedBy = [ "multi-user.target" ];
- serviceConfig.Type = "oneshot";
- script = ''
- ${lib.getExe pkgs.tailscale} cert ${config.networking.fqdn}
- ${lib.getExe pkgs.tailscale} serve reset
- ${lib.getExe pkgs.tailscale} serve --bg 28981
- '';
- };
-}
diff --git a/hosts/stratus/default.nix b/hosts/stratus/default.nix
index ae4befd..d28f4b9 100644
--- a/hosts/stratus/default.nix
+++ b/hosts/stratus/default.nix
@@ -3,9 +3,7 @@ ../common.nix ./hardware.nix ./disko.nix - - ./containers/nextcloud - ./containers/paperless + ./containers ]; system.stateVersion = "24.05";
diff --git a/hosts/stratus/secrets.yaml b/hosts/stratus/secrets.yaml
index 073eaf8..74012a0 100644
--- a/hosts/stratus/secrets.yaml
+++ b/hosts/stratus/secrets.yaml
@@ -1,9 +1,10 @@
 seb-password: ENC[AES256_GCM,data:N3w7niUZsyFmF2gF+gMhlDb6XfoYZ8yNrZvv2J0Cb3zDhstW7LsgYZVcM3+MXPbTDE9xJ00VGBayOT7fW+5IYYWdGgbRWvOH0w==,iv:rLCKJ9wUL+3sjIaqwV89pYJtt/ERuoR4AAgbt9H4oHg=,tag:nuh9rT0W500w8+y76MqC1Q==,type:str]
 tailscale-auth-key: ENC[AES256_GCM,data:zKjJsG23GYrAIAoTe9pRI/b9w6JPB/0EDrdtspQq1/dw7eQq7BuzYMT5O5EAy+5A9ZP3fDaleO5nFXRFvg==,iv:p7Dpq30TZyb20E5TfscycxMiN1XUx66DbNPhwuZkwaA=,tag:V/fc99Zv4xJ6PDxNIWHRew==,type:str]
-nextcloud:
- admin-password: ENC[AES256_GCM,data:+gNp7oDzLk2gxalEtj8R0FWW3Jwvr1PzWo7+iZj0,iv:zZjwG+Z1KyrZN/i/rSg5LZ0lnQGBhxlAaREgKUCxco8=,tag:kBQjz1ISX5Gh9LeUfO4KdQ==,type:str]
- gmail-password: ENC[AES256_GCM,data:lbdSZPEmXx1zU0fdaXHle9by9rk=,iv:SSN379SVvonVQjEpopFe8O6tY30k1l9YxKPB6a+xo6U=,tag:jiWy3b16i0zXTyaOhY+5Vw==,type:str]
-paperless-admin-password: ENC[AES256_GCM,data:xBk3n5czMwuf0I7kU2WkTExJnw8=,iv:4Fegh3sogB1ga+zdBBlWdpsAgQmqmhZoun/ShfHISGk=,tag:s7U4gQK3E5mh3Rd0DAMEqA==,type:str]
+container:
+ nextcloud:
+ ssh-key: ENC[AES256_GCM,data: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,iv:pj3P1p5wBn67wGyguLFHJs2+Qhz1X7U9EoD8OsdNTKc=,tag:lKogFelSJIXugKYm/gVy8w==,type:str]
+ paperless:
+ ssh-key: ENC[AES256_GCM,data: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,iv:I65+PTiDG2z8k1kE1ngp3kI/dD3bevIug8/CV5TqKPQ=,tag:fAwumpJkO66Uune9i0e3ug==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -28,8 +29,8 @@ sops:
 aW00MUpGdXpYam5LYVFUenh2VndzcE0KT6Hfx1CYJFseFaEZxwi4Fds4v1HEFzBo
 FdSC6pzpZkfXso8EtSftq0lPx10GfJ6GZXYb+bCB2S9ROvUMPYDH3A==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-08-31T15:16:37Z"
- mac: ENC[AES256_GCM,data:moMeG8RCInTiMVBHca3Z4XxDT1p/51E/PEUDwTDk7skOYasAfse2VAGAI5c8TlwudrzNICDoKP7ks8KUfruv8WVSd+omUxjmSiO5ZuS7KdW9nu/vvTPwSOfk7wS39+Wt8B+/LNlkECOJeCOKIqiPeShDt0rf0shEOgmtj2jJXD8=,iv:P6hPnhpdr46FHfzZinPwZzDcjaRteSrCQwzGqk6iKc4=,tag:t8qYGxObcLuGIYtFdc3SLw==,type:str]
+ lastmodified: "2024-09-01T22:31:28Z"
+ mac: ENC[AES256_GCM,data:WUiRswjjZ2s2K2/B0PboppmktmtlZFMI6i99D3oI2tQDNCkEcr6gWxpyOXRskv9zjs7CEQ3f54v66La3FOwde87onuuBZVnjeaIPM5Og4+v6IQ/QlYWit7D1sRbxC4V2OCGbapn8stTO5jIuZhl5IxPEL/3dzpKVUMav7b2zt0w=,iv:73cprzlBVcRXxOHJskQCziOmoPAISyMmTBex2rFJjAE=,tag:rcED8ZfUESO2BLQLpg6L8w==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.0
diff --git a/modules/system/sops.nix b/modules/system/sops.nix
index 029aca4..f90c1dc 100644
--- a/modules/system/sops.nix
+++ b/modules/system/sops.nix
@@ -5,15 +5,24 @@ lib, ... }: +let + cfg = config.myConfig.sops; +in { imports = [ inputs.sops-nix.nixosModules.sops ]; - options.myConfig.sops.enable = lib.mkEnableOption ""; + options.myConfig.sops = { + enable = lib.mkEnableOption ""; + defaultSopsFile = lib.mkOption { + type = lib.types.path; + default = "${self}/hosts/${config.networking.hostName}/secrets.yaml"; + }; + }; - config = lib.mkIf config.myConfig.sops.enable { + config = lib.mkIf cfg.enable { sops = { age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - defaultSopsFile = "${self}/hosts/${config.networking.hostName}/secrets.yaml"; + inherit (cfg) defaultSopsFile; }; }; }
diff --git a/modules/system/tailscale.nix b/modules/system/tailscale.nix
index df9e62a..0107707 100644
--- a/modules/system/tailscale.nix
+++ b/modules/system/tailscale.nix
@@ -1,4 +1,9 @@
-{ config, lib, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
 let
 cfg = config.myConfig.tailscale;
 in
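Review bot: The new `defaultSopsFile` option in modules/system/sops.nix has no `description`, so nothing tells a caller that it accepts a path literal (as hosts/stratus/containers/default.nix passes with `./${name}/secrets.yaml`) as well as the string default, nor that a path literal is copied into the Nix store, which is acceptable here only because the file is sops-encrypted. Suggested: `description = "sops file for secrets that set no sopsFile; defaults to this host's secrets.yaml, containers point it at their own (store-copying it is fine, it is encrypted).";`. The option is otherwise a faithful lift of the previous hard-coded default, so behaviour for existing hosts is unchanged.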
@@ -7,16 +12,20 @@ in enable = lib.mkEnableOption ""; ssh.enable = lib.mkEnableOption ""; exitNode.enable = lib.mkEnableOption ""; + serve = lib.mkOption { + type = lib.types.nullOr lib.types.nonEmptyStr; + default = null; + }; }; config = lib.mkIf cfg.enable { - sops.secrets.tailscale-auth-key.restartUnits = [ "tailscaled-autoconnect.service" ]; + sops.secrets.tailscale-auth-key = { }; services.tailscale = { enable = true; authKeyFile = config.sops.secrets.tailscale-auth-key.path; openFirewall = true; - useRoutingFeatures = if cfg.exitNode.enable then "server" else "client"; + useRoutingFeatures = if (cfg.exitNode.enable || (cfg.serve != null)) then "server" else "client"; extraUpFlags = [ "--reset=true" ]; extraSetFlags = [ "--ssh=${lib.boolToString cfg.ssh.enable}" @@ -25,5 +34,20 @@ in }; systemd.services.tailscaled-set.after = [ "tailscaled-autoconnect.service" ]; + + systemd.services.tailscale-serve = lib.mkIf (cfg.serve != null) { + after = [ + "tailscaled.service" + "tailscaled-autoconnect.service" + ]; + wants = [ "tailscaled.service" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig.Type = "oneshot"; + script = '' + ${lib.getExe pkgs.tailscale} cert ${config.networking.fqdn} + ${lib.getExe pkgs.tailscale} serve reset + ${lib.getExe pkgs.tailscale} serve --bg ${cfg.serve} + ''; + }; }; }
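Review bot: `sops.secrets.tailscale-auth-key = { };` drops the `restartUnits = [ "tailscaled-autoconnect.service" ]` that the removed line carried, so after rotating the auth key `tailscaled-autoconnect` is no longer restarted on activation; if that is unintended, keep `sops.secrets.tailscale-auth-key.restartUnits = [ "tailscaled-autoconnect.service" ];`. The new `serve` option also lacks a `description`; something like `description = "Local backend handed to tailscale serve --bg, e.g. a port such as \"80\"; null leaves serve unconfigured.";` tells callers what the string means. Switching `useRoutingFeatures` to `"server"` whenever `serve` is non-null turns on IP forwarding for every node that merely serves a local port, which looks like a carry-over from the deleted per-container files rather than something `tailscale serve` needs; if it is intentional, a one-line comment would keep the next reader from dropping it, and if not, `cfg.exitNode.enable` alone is the narrower condition. The enclosing `config = lib.mkIf cfg.enable { … }` continues past the hunk.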
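Review bot: `${cfg.serve}` and `${config.networking.fqdn}` are interpolated unquoted into the `tailscale-serve` script, and `nonEmptyStr` admits whitespace and shell metacharacters, so a malformed value becomes extra shell words rather than an evaluation error; both are trusted configuration, but `lib.escapeShellArg` makes the boundary explicit: `${lib.getExe pkgs.tailscale} cert ${lib.escapeShellArg config.networking.fqdn}` and `${lib.getExe pkgs.tailscale} serve --bg ${lib.escapeShellArg cfg.serve}`. Unless I misread its defaults, `tailscale cert` with neither `--cert-file` nor `--key-file` writes `<fqdn>.crt` and `<fqdn>.key` into the process's working directory, which for a unit with no `WorkingDirectory` is `/`, leaving a copy of the node's TLS private key in the root directory; if the call only exists to warm the certificate for serve, point `--cert-file`/`--key-file` at a dedicated state directory or set `serviceConfig.WorkingDirectory`, and say so in a comment. With `Type = "oneshot"` and no `RemainAfterExit`, a successful run shows as inactive afterwards, which is harmless but worth a note next to `serviceConfig.Type`.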