SebastianStork/nixos-config
1
0
Fork 0
mirror of https://github.com/SebastianStork/nixos-config.git synced 2026-01-21 15:11:34 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Refactor container configuration

Browse source
This commit is contained in:
SebastianStork 2024-09-02 13:33:44 +02:00
parent 8af96429ff
commit 380d8202ff
15 changed files with 288 additions and 241 deletions
Download patch file Download diff file Expand all files Collapse all files

12
.sops.yaml
View file

@ -3,6 +3,8 @@ keys:
- &north age18x6herevmcuhcmeh47ll6p9ck9zk4ga6gfxwlc8yl49rwjxm7qusylwfgc - &north age18x6herevmcuhcmeh47ll6p9ck9zk4ga6gfxwlc8yl49rwjxm7qusylwfgc
- &inspiron age1jl9s4vp78wuwymjxaje6fg4ax0gg5aq8pn8khfmtn5rvap0d83tqfr05dv - &inspiron age1jl9s4vp78wuwymjxaje6fg4ax0gg5aq8pn8khfmtn5rvap0d83tqfr05dv
- &stratus age1pryafed9elaea6zk5gnf6drjt4nznc02385y973lwt9t2s7j7vmsfnggkp - &stratus age1pryafed9elaea6zk5gnf6drjt4nznc02385y973lwt9t2s7j7vmsfnggkp
- &nextcloud age1jutruntzdaqs26mpe68pafje23m9n4klm04fva05fcdyvyqnaamsvqf3jr
- &paperless age1y82j460w5fh0fpquatqar0zqet0vzzfzjnegrp686na3gejapdtsc37vuh
- &seb-north age1p32cyzakxtcx346ej82ftln4r2aw2pcuazq3583s85nzsan4ygqsj32hjf - &seb-north age1p32cyzakxtcx346ej82ftln4r2aw2pcuazq3583s85nzsan4ygqsj32hjf
- &seb-inspiron age1s9h9hh8f0vudwn4awr90mj0ka2xh9gppwus0jmvmaz3j3uckz94s36gzkz - &seb-inspiron age1s9h9hh8f0vudwn4awr90mj0ka2xh9gppwus0jmvmaz3j3uckz94s36gzkz
creation_rules: creation_rules:
@ -21,6 +23,16 @@ creation_rules:
- age: - age:
- *admin - *admin
- *stratus - *stratus
- path_regex: hosts/stratus/containers/nextcloud/secrets.yaml$
key_groups:
- age:
- *admin
- *nextcloud
- path_regex: hosts/stratus/containers/paperless/secrets.yaml$
key_groups:
- age:
- *admin
- *paperless
- path_regex: users/seb/@north/secrets.yaml$ - path_regex: users/seb/@north/secrets.yaml$
key_groups: key_groups:
- age: - age:

95
hosts/stratus/containers/default.nix Normal file
View file

@ -0,0 +1,95 @@
{
config,
inputs,
self,
lib,
...
}:
let
containers = lib.filterAttrs (_: v: v == "directory") (builtins.readDir ./.);
interface = "eno1";
dataDirOf = name: "/data/${name}";
in
{
imports = [
./nextcloud
./paperless
];
sops.secrets = lib.mapAttrs' (
name: _: lib.nameValuePair "container/${name}/ssh-key" { }
) containers;
systemd.tmpfiles.rules = lib.flatten (
lib.mapAttrsToList (name: _: [
"d ${dataDirOf name} - - -"
"d /var/lib/tailscale-${name} - - -"
]) containers
);
containers = lib.mapAttrs (name: _: {
autoStart = true;
ephemeral = true;
macvlans = [ interface ];
bindMounts = {
"/etc/ssh/ssh_host_ed25519_key".hostPath = config.sops.secrets."container/${name}/ssh-key".path;
${dataDirOf name}.isReadOnly = false;
"/var/lib/tailscale" = {
hostPath = "/var/lib/tailscale-${name}";
isReadOnly = false;
};
};
specialArgs = {
inherit inputs self;
inherit (config.system) stateVersion;
inherit (config.networking) domain;
dataDir = dataDirOf name;
};
config =
{
self,
stateVersion,
domain,
...
}:
{
imports = [
"${self}/modules/system/sops.nix"
"${self}/modules/system/tailscale.nix"
];
system = {
inherit stateVersion;
};
networking = {
inherit domain;
useNetworkd = true;
useHostResolvConf = false;
};
systemd.network = {
enable = true;
networks."10-mv-${interface}" = {
matchConfig.Name = "mv-${interface}";
networkConfig.DHCP = "yes";
dhcpV4Config.ClientIdentifier = "mac";
};
};
myConfig.sops = {
enable = true;
defaultSopsFile = ./${name}/secrets.yaml;
};
sops.secrets."tailscale-auth-key" = { };
services.tailscale.interfaceName = "userspace-networking";
myConfig.tailscale = {
enable = true;
ssh.enable = true;
};
};
}) containers;
}

103
hosts/stratus/containers/nextcloud/default.nix
View file

@ -1,61 +1,62 @@
{ config, ... }:
{ {
sops.secrets = { containers.nextcloud.config =
"nextcloud/admin-password" = { }; {
"nextcloud/gmail-password" = { }; config,
tailscale-auth-key = { }; pkgs,
}; dataDir,
...
}:
{
imports = [ ./email-server.nix ];
systemd.tmpfiles.rules = [ sops.secrets."nextcloud/admin-password" = {
"d /data/nextcloud - - -" owner = config.users.users.nextcloud.name;
"d /var/lib/tailscale-nextcloud - - -" inherit (config.users.users.nextcloud) group;
];
containers.nextcloud = {
autoStart = true;
ephemeral = true;
macvlans = [ "eno1" ];
bindMounts = {
# Secrets
"/run/secrets/nextcloud".isReadOnly = false;
"/run/secrets/tailscale-auth-key" = { };
# State
"/data/nextcloud".isReadOnly = false;
"/var/lib/tailscale" = {
hostPath = "/var/lib/tailscale-nextcloud";
isReadOnly = false;
}; };
};
specialArgs = { systemd.tmpfiles.rules = [
inherit (config.networking) domain; "d ${dataDir}/home 750 nextcloud nextcloud -"
}; "d ${dataDir}/postgresql 700 postgres postgres -"
config = ];
{ domain, ... }:
{
system.stateVersion = "24.05";
networking = { services.postgresql.dataDir = "${dataDir}/postgresql";
inherit domain;
useNetworkd = true; services.nextcloud = {
useHostResolvConf = false; enable = true;
package = pkgs.nextcloud29;
home = "${dataDir}/home";
hostName = config.networking.fqdn;
database.createLocally = true;
config = {
dbtype = "pgsql";
adminuser = "admin";
adminpassFile = config.sops.secrets."nextcloud/admin-password".path;
}; };
systemd.network = {
https = true;
settings = {
overwriteProtocol = "https";
trusted_proxies = [ "127.0.0.1" ];
log_type = "file";
default_phone_region = "DE";
maintenance_window_start = "2"; # UTC
};
configureRedis = true;
maxUploadSize = "4G";
phpOptions."opcache.interned_strings_buffer" = "16";
autoUpdateApps = {
enable = true; enable = true;
networks."40-mv-eno1" = { startAt = "04:00:00";
matchConfig.Name = "mv-eno1"; };
networkConfig.DHCP = "yes"; extraApps = {
dhcpV4Config.ClientIdentifier = "mac"; inherit (config.services.nextcloud.package.packages.apps) contacts calendar;
};
}; };
imports = [
./nextcloud.nix
./email-server.nix
./tailscale.nix
];
}; };
};
myConfig.tailscale.serve = "80";
};
} }

5
hosts/stratus/containers/nextcloud/email-server.nix
View file

@ -1,5 +1,6 @@
{ config, ... }:
{ {
systemd.tmpfiles.rules = [ "z /run/secrets/nextcloud/gmail-password 400 nextcloud nextcloud -" ]; sops.secrets."nextcloud/gmail-password" = { };
services.nextcloud.settings = { services.nextcloud.settings = {
mail_smtpmode = "sendmail"; mail_smtpmode = "sendmail";
@ -15,7 +16,7 @@
port = "587"; port = "587";
user = "nextcloud.stork"; user = "nextcloud.stork";
from = "nextcloud.stork@gmail.com"; from = "nextcloud.stork@gmail.com";
passwordeval = "cat /run/secrets/nextcloud/gmail-password"; passwordeval = "cat ${config.sops.secrets."nextcloud/gmail-password".path}";
}; };
}; };
} }

49
hosts/stratus/containers/nextcloud/nextcloud.nix
View file

@ -1,49 +0,0 @@
{
config,
pkgs,
...
}:
{
systemd.tmpfiles.rules = [
"z /run/secrets/nextcloud/admin-password 400 nextcloud nextcloud -"
"d /data/nextcloud/home 750 nextcloud nextcloud -"
"d /data/nextcloud/postgresql 700 postgres postgres -"
];
services.postgresql.dataDir = "/data/nextcloud/postgresql";
services.nextcloud = {
enable = true;
package = pkgs.nextcloud29;
home = "/data/nextcloud/home";
hostName = config.networking.fqdn;
database.createLocally = true;
config = {
dbtype = "pgsql";
adminuser = "admin";
adminpassFile = "/run/secrets/nextcloud/admin-password";
};
https = true;
settings = {
overwriteProtocol = "https";
trusted_proxies = [ "127.0.0.1" ];
log_type = "file";
default_phone_region = "DE";
maintenance_window_start = "2"; # UTC
};
configureRedis = true;
maxUploadSize = "4G";
phpOptions."opcache.interned_strings_buffer" = "16";
autoUpdateApps = {
enable = true;
startAt = "04:00:00";
};
extraApps = {
inherit (config.services.nextcloud.package.packages.apps) contacts calendar;
};
};
}

33
hosts/stratus/containers/nextcloud/secrets.yaml Normal file
View file

@ -0,0 +1,33 @@
tailscale-auth-key: ENC[AES256_GCM,data:KshGpoyKTQQgshWFSwhGWPtwPfP3S2fLkJBxqfu1Mgs/6aexXRo0jMyzvnonxB/HsxFSRCffUuxwQNF8XJY=,iv:8MtERXmpwqgGZxIPmXAcj0KymWvRXKV5svOLZSfWdOU=,tag:refC9jmVzSrLuClo8+J7DA==,type:str]
nextcloud:
admin-password: ENC[AES256_GCM,data:RaFNoEJj2flmwIu2Q/5UgRbITve7CzFg8udQclJO,iv:d95Vo9HMRzmoSU3gcQqO5uP7yW6n7PF6Nx3s6A9bgmc=,tag:ruIW8Ov+wQPOPBWV61MnWw==,type:str]
gmail-password: ENC[AES256_GCM,data:RJXg4KYYwjg2CyzQM9wovDSqB8M=,iv:Tf8egrzoG3rRbzufJGHCTr6W+nCEnJJaSe6hpvr1AmM=,tag:GjlgIEqQDUtjn3mm1QT1uw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKWFVKV0IzbVVTV1g1c3o1
ZnpwMTFyZ0RhcmhhNk8vd1dYWGdWZHZhNFVRCjE3MG9Wd0ZXNEtrRS84M3hMRVdk
T1BOczN0VmoybUs3dXJUR3FNc2swdlkKLS0tIEFXam96UGlJWnphVzVpRittSXNS
SDU0U0IwTTh6NHI2enZZTEwwd2lkQXMKsHAwayLHW3GfRc90sq0xhN1rF4RkvXSS
+WGyhmI0fik6NPyVN7DNaYhte2IoVJe3RTH2vJigpTLIIziMgTPgFQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1jutruntzdaqs26mpe68pafje23m9n4klm04fva05fcdyvyqnaamsvqf3jr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwSExmaW9CUGo0WWloZDha
c3ZUNy9xVXgvVkdzRHRjWFZERllycG41RENzCnZuazR2RW41VlJNWk9TZjcwcGpM
dnZQQTNSbDBieGhmOW5xU24xeVhpYjQKLS0tIHAzTDV2dHdDNnQ4ZC9ielM3Qyt1
aWFqYXYrMmJBbEQwQWxza1lrdmU4bmMKm0QbJP1QiNVOA7slpocaPxkq9orE8jrP
xxrDtRUZhvEOEZuCD61wWTfgdeI7SFWaSJkN6MgPlvRyuYQ+3TZh3Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-02T11:38:31Z"
mac: ENC[AES256_GCM,data:E2L8j21dhHLQ/OCIZNMqlH1C5XX0uSGmuQIjetiE8s/LX4fZSR9s4sPzub3gLI5h3EVJKzMU2UFXZATMUfe/1t4PP5nIuggUtxD+VWxtHNaVHJMs+wEWKYE+nITyZ7HGvwBr0sMQ3Sb2DuiQ729nr9hLn1Mbn7uc5o+Z2RJg5Cc=,iv:jEaBwYsO3hW5NtmmZrL6H23qDcTSAGuBLjPRi60Lzco=,tag:pGpL80onRUVQfIYChaBxSg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0

31
hosts/stratus/containers/nextcloud/tailscale.nix
View file

@ -1,31 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
services.tailscale = {
enable = true;
authKeyFile = "/run/secrets/tailscale-auth-key";
useRoutingFeatures = "server";
openFirewall = true;
interfaceName = "userspace-networking";
extraUpFlags = [ "--ssh" ];
};
systemd.services.nextcloud-serve = {
after = [
"tailscaled.service"
"tailscaled-autoconnect.service"
];
wants = [ "tailscaled.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.Type = "oneshot";
script = ''
${lib.getExe pkgs.tailscale} cert ${config.networking.fqdn}
${lib.getExe pkgs.tailscale} serve reset
${lib.getExe pkgs.tailscale} serve --bg 80
'';
};
}

69
hosts/stratus/containers/paperless/default.nix
View file

@ -1,59 +1,20 @@
{ config, ... }:
{ {
sops.secrets = { containers.paperless.config =
"paperless-admin-password" = { }; {
tailscale-auth-key = { }; config,
}; dataDir,
...
}:
{
sops.secrets."paperless-admin-password" = { };
systemd.tmpfiles.rules = [ services.paperless = {
"d /data/paperless - - -" enable = true;
"d /var/lib/tailscale-paperless - - -" inherit dataDir;
]; passwordFile = config.sops.secrets."paperless-admin-password".path;
settings.PAPERLESS_OCR_LANGUAGE = "deu+eng";
containers.paperless = {
autoStart = true;
ephemeral = true;
macvlans = [ "eno1" ];
bindMounts = {
# Secrets
"/run/secrets/paperless-admin-password" = { };
"/run/secrets/tailscale-auth-key" = { };
# State
"/data/paperless".isReadOnly = false;
"/var/lib/tailscale" = {
hostPath = "/var/lib/tailscale-paperless";
isReadOnly = false;
}; };
myConfig.tailscale.serve = "28981";
}; };
specialArgs = {
inherit (config.networking) domain;
};
config =
{ domain, ... }:
{
system.stateVersion = "24.05";
networking = {
inherit domain;
useNetworkd = true;
useHostResolvConf = false;
};
systemd.network = {
enable = true;
networks."40-mv-eno1" = {
matchConfig.Name = "mv-eno1";
networkConfig.DHCP = "yes";
dhcpV4Config.ClientIdentifier = "mac";
};
};
imports = [
./paperless.nix
./tailscale.nix
];
};
};
} }

8
hosts/stratus/containers/paperless/paperless.nix
View file

@ -1,8 +0,0 @@
{
services.paperless = {
enable = true;
dataDir = "/data/paperless";
passwordFile = "/run/secrets/paperless-admin-password";
settings.PAPERLESS_OCR_LANGUAGE = "deu+eng";
};
}

31
hosts/stratus/containers/paperless/secrets.yaml Normal file
View file

@ -0,0 +1,31 @@
tailscale-auth-key: ENC[AES256_GCM,data:2vJoEaMZE1s2cVL20A7JCaZ525YkSXqCasKcCLwbYX+W8BVczEDThPqXm2PyKzo6zcdkZkbwONWIeLKEhyE=,iv:Z/B0tUMn+ACLT5is+TRjLOT16FpdWhTuDC1llvNZ7Ms=,tag:pwzlgMkuNYEhmZ/uiRJy4Q==,type:str]
paperless-admin-password: ENC[AES256_GCM,data:7xjn0fXEFZCYDvzjP7P5R5reZR8=,iv:jMIJNbqEo7IcHDYwvTmQnArYdt2PR9tp8coOXCZHkQw=,tag:kCejUFStTuosRblkbQMdew==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWTmZLR2JOM1p2S2lxYkts
WTE2OFlRUXJ0a01EOUd3Mythc3R1d3llTTNrCkJQWVY1bGlFbThaL0plTWhwYUJK
WDlQNjFzZGhIS3ZlaHZiYytQdFo5WWMKLS0tIGZ3VDRTQlFHT2IwVkFIb0lwOXhT
dm9QRndWZXE0L0drS3JzMGF0c2x1S1kKXuxMaVAcbRwR4/QZnIUdb3wyRujYAy2I
8/FYL5r9PuNwhEv1Ene+dj8nkx1G+stTZmgepOS9Z0AyIvfDW6FS8g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1y82j460w5fh0fpquatqar0zqet0vzzfzjnegrp686na3gejapdtsc37vuh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNMVVzZUl5WVc3VVZudmVj
UkVDd2pYUU50MDBHRnZ4Sis5K28wV1RwNlQ4CmhONVd3Wkh5ZHlYSDYzeHlLMGdF
VUxiS2JWS2lwQVY2OHYwSk1UdGNSeUkKLS0tIGRSZVJ2U1J6azQveHJkRmViVnNs
cmFJeFpHdnRzMFA2a1NML1A1RFB6clEK+FH8x1dccz8TnUuEFc0EkTSzG6Ody0IF
tCNrHN2h3AzqYxKFYucquMmnE9WGJuzShijIXAv1W7JE2JZw9XnS4w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-02T11:38:42Z"
mac: ENC[AES256_GCM,data:IkUwDpVTUboAHQzFMaHhcGkNtW1eGUNrGDDEq9Zegwrwu6Xx5yFuxlmFMWIM7oX3voWjCx4A1u4sxfT4JHauhnJER7rXeF5qYuGSiIj8o2rMZYm7C6zkWumJ7kvt5nBML5+Jkd8n9fhbh9wSND1IbzsWwuURugeNLhYvUaCJA+Y=,iv:8aoHhE/rZYEf6vtvQvuuG1CDnCniarxxIC0ysH6Hemo=,tag:93B38zvR3Qx8rawO9CuJ4w==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0

31
hosts/stratus/containers/paperless/tailscale.nix
View file

@ -1,31 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
services.tailscale = {
enable = true;
authKeyFile = "/run/secrets/tailscale-auth-key";
useRoutingFeatures = "server";
openFirewall = true;
interfaceName = "userspace-networking";
extraUpFlags = [ "--ssh" ];
};
systemd.services.nextcloud-serve = {
after = [
"tailscaled.service"
"tailscaled-autoconnect.service"
];
wants = [ "tailscaled.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.Type = "oneshot";
script = ''
${lib.getExe pkgs.tailscale} cert ${config.networking.fqdn}
${lib.getExe pkgs.tailscale} serve reset
${lib.getExe pkgs.tailscale} serve --bg 28981
'';
};
}

4
hosts/stratus/default.nix
View file

@ -3,9 +3,7 @@
../common.nix ../common.nix
./hardware.nix ./hardware.nix
./disko.nix ./disko.nix
./containers
./containers/nextcloud
./containers/paperless
]; ];
system.stateVersion = "24.05"; system.stateVersion = "24.05";

13
hosts/stratus/secrets.yaml
View file

@ -1,9 +1,10 @@
seb-password: ENC[AES256_GCM,data:N3w7niUZsyFmF2gF+gMhlDb6XfoYZ8yNrZvv2J0Cb3zDhstW7LsgYZVcM3+MXPbTDE9xJ00VGBayOT7fW+5IYYWdGgbRWvOH0w==,iv:rLCKJ9wUL+3sjIaqwV89pYJtt/ERuoR4AAgbt9H4oHg=,tag:nuh9rT0W500w8+y76MqC1Q==,type:str] seb-password: ENC[AES256_GCM,data:N3w7niUZsyFmF2gF+gMhlDb6XfoYZ8yNrZvv2J0Cb3zDhstW7LsgYZVcM3+MXPbTDE9xJ00VGBayOT7fW+5IYYWdGgbRWvOH0w==,iv:rLCKJ9wUL+3sjIaqwV89pYJtt/ERuoR4AAgbt9H4oHg=,tag:nuh9rT0W500w8+y76MqC1Q==,type:str]
tailscale-auth-key: ENC[AES256_GCM,data:zKjJsG23GYrAIAoTe9pRI/b9w6JPB/0EDrdtspQq1/dw7eQq7BuzYMT5O5EAy+5A9ZP3fDaleO5nFXRFvg==,iv:p7Dpq30TZyb20E5TfscycxMiN1XUx66DbNPhwuZkwaA=,tag:V/fc99Zv4xJ6PDxNIWHRew==,type:str] tailscale-auth-key: ENC[AES256_GCM,data:zKjJsG23GYrAIAoTe9pRI/b9w6JPB/0EDrdtspQq1/dw7eQq7BuzYMT5O5EAy+5A9ZP3fDaleO5nFXRFvg==,iv:p7Dpq30TZyb20E5TfscycxMiN1XUx66DbNPhwuZkwaA=,tag:V/fc99Zv4xJ6PDxNIWHRew==,type:str]
nextcloud: container:
admin-password: ENC[AES256_GCM,data:+gNp7oDzLk2gxalEtj8R0FWW3Jwvr1PzWo7+iZj0,iv:zZjwG+Z1KyrZN/i/rSg5LZ0lnQGBhxlAaREgKUCxco8=,tag:kBQjz1ISX5Gh9LeUfO4KdQ==,type:str] nextcloud:
gmail-password: ENC[AES256_GCM,data:lbdSZPEmXx1zU0fdaXHle9by9rk=,iv:SSN379SVvonVQjEpopFe8O6tY30k1l9YxKPB6a+xo6U=,tag:jiWy3b16i0zXTyaOhY+5Vw==,type:str] ssh-key: ENC[AES256_GCM,data:HXCYEpNL6Y5GOLp5bhQY9M6NTLV0+e8DiQz2PbnCskvMSiZSp4yHr3wcAzgZttWhLmAydY4moelGzsmkvH8O/DiR2Gkw9Ex4uFEffS2HjlEzTwi7qL70Av6ZbF395NCP82M34Gnnl143+y7wZiJjCPL/oY5QZSzbgg3FgHrqo7f1xcSPcv4LukZ33zcsn4irOGRi2KktiDgcvAdVMLiChWxO0snqS+h7zPIaX4NIcNFW3BgOmUJ42cAoKcsR2ORDDbq0FmSSePh67pKqQJPbBoya6OzfYufNKek0nuwfWVkIjnQbqi0sicx4lks4WXYWMj1WapbIFzPkabfVysfHXcYPpt6OXNqnXTN9bn9Ww/dgEeQyyO+Qc7MHjfXxcLZd8p4bmiP+9bVJ6/ed0YHdCUkt14IxTOiXu0n5lI8/NMam4YLaGiMbRyYAGN6q8W7UYurFBOoKajVByUPTa7FK4H8rZDsNd6HYtTc4lqyeqzKYA9EU/99P9GCmMhrkQYMcoF77tLAAsDdn74OfS2AY86z7xGHCRg67ROMb,iv:pj3P1p5wBn67wGyguLFHJs2+Qhz1X7U9EoD8OsdNTKc=,tag:lKogFelSJIXugKYm/gVy8w==,type:str]
paperless-admin-password: ENC[AES256_GCM,data:xBk3n5czMwuf0I7kU2WkTExJnw8=,iv:4Fegh3sogB1ga+zdBBlWdpsAgQmqmhZoun/ShfHISGk=,tag:s7U4gQK3E5mh3Rd0DAMEqA==,type:str] paperless:
ssh-key: ENC[AES256_GCM,data:9A82GwjT+6Vf9uVGUcgkZZZtbVD7Fqc7C4TtGZ97WaTSNDku9LDRZN/qwk2neHrUb5s3V4Ag4hoszvfe9Hqz+1wDLHu6DyDZNhz9awdZbRD6y7ZavB67cTQtj/qjR5sfqWABVHOFaJxH74+cxvUZjBNOaUEhYBmnKow4AL4CpXjkF+DfT0WcpCWJCBagUA2tfvdScASShbu2bA3+NouY/KR54nOrHTI9cqio+3NNs0Ux1R8D1tzzKj1B4oM8u7e5AFyX7E7W9dJmIFEW9JkfqyToZwX9KxkLJG4T12tuReXLHy1HJtsll1OVytznDp4//pHOC64TFvRgcuHrdldXhUtILqd6we5Lt2Cg+HdITie0Veuvce8V9vVnNX8j7I4Wr6z1HHwWFhcRp/JgVCBOInRVGByF0IA5j4lG3XZ5WZgXKVHgLHN1mqkyPJC8pu7ZL57rdDUOCuSZxKT6aG54glD/PtqayFS0+8G0zeZ6xQ6UYSVCvD1VjDGKWDsZgeLHMV+IE2tTdzp0+AahhgW0RmCXh/FCgrMDfnJk,iv:I65+PTiDG2z8k1kE1ngp3kI/dD3bevIug8/CV5TqKPQ=,tag:fAwumpJkO66Uune9i0e3ug==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -28,8 +29,8 @@ sops:
aW00MUpGdXpYam5LYVFUenh2VndzcE0KT6Hfx1CYJFseFaEZxwi4Fds4v1HEFzBo aW00MUpGdXpYam5LYVFUenh2VndzcE0KT6Hfx1CYJFseFaEZxwi4Fds4v1HEFzBo
FdSC6pzpZkfXso8EtSftq0lPx10GfJ6GZXYb+bCB2S9ROvUMPYDH3A== FdSC6pzpZkfXso8EtSftq0lPx10GfJ6GZXYb+bCB2S9ROvUMPYDH3A==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-08-31T15:16:37Z" lastmodified: "2024-09-01T22:31:28Z"
mac: ENC[AES256_GCM,data:moMeG8RCInTiMVBHca3Z4XxDT1p/51E/PEUDwTDk7skOYasAfse2VAGAI5c8TlwudrzNICDoKP7ks8KUfruv8WVSd+omUxjmSiO5ZuS7KdW9nu/vvTPwSOfk7wS39+Wt8B+/LNlkECOJeCOKIqiPeShDt0rf0shEOgmtj2jJXD8=,iv:P6hPnhpdr46FHfzZinPwZzDcjaRteSrCQwzGqk6iKc4=,tag:t8qYGxObcLuGIYtFdc3SLw==,type:str] mac: ENC[AES256_GCM,data:WUiRswjjZ2s2K2/B0PboppmktmtlZFMI6i99D3oI2tQDNCkEcr6gWxpyOXRskv9zjs7CEQ3f54v66La3FOwde87onuuBZVnjeaIPM5Og4+v6IQ/QlYWit7D1sRbxC4V2OCGbapn8stTO5jIuZhl5IxPEL/3dzpKVUMav7b2zt0w=,iv:73cprzlBVcRXxOHJskQCziOmoPAISyMmTBex2rFJjAE=,tag:rcED8ZfUESO2BLQLpg6L8w==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.0 version: 3.9.0

15
modules/system/sops.nix
View file

@ -5,15 +5,24 @@
lib, lib,
... ...
}: }:
let
cfg = config.myConfig.sops;
in
{ {
imports = [ inputs.sops-nix.nixosModules.sops ]; imports = [ inputs.sops-nix.nixosModules.sops ];
options.myConfig.sops.enable = lib.mkEnableOption ""; options.myConfig.sops = {
enable = lib.mkEnableOption "";
defaultSopsFile = lib.mkOption {
type = lib.types.path;
default = "${self}/hosts/${config.networking.hostName}/secrets.yaml";
};
};
config = lib.mkIf config.myConfig.sops.enable { config = lib.mkIf cfg.enable {
sops = { sops = {
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
defaultSopsFile = "${self}/hosts/${config.networking.hostName}/secrets.yaml"; inherit (cfg) defaultSopsFile;
}; };
}; };
} }

30
modules/system/tailscale.nix
View file

@ -1,4 +1,9 @@
{ config, lib, ... }: {
config,
pkgs,
lib,
...
}:
let let
cfg = config.myConfig.tailscale; cfg = config.myConfig.tailscale;
in in
@ -7,16 +12,20 @@ in
enable = lib.mkEnableOption ""; enable = lib.mkEnableOption "";
ssh.enable = lib.mkEnableOption ""; ssh.enable = lib.mkEnableOption "";
exitNode.enable = lib.mkEnableOption ""; exitNode.enable = lib.mkEnableOption "";
serve = lib.mkOption {
type = lib.types.nullOr lib.types.nonEmptyStr;
default = null;
};
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
sops.secrets.tailscale-auth-key.restartUnits = [ "tailscaled-autoconnect.service" ]; sops.secrets.tailscale-auth-key = { };
services.tailscale = { services.tailscale = {
enable = true; enable = true;
authKeyFile = config.sops.secrets.tailscale-auth-key.path; authKeyFile = config.sops.secrets.tailscale-auth-key.path;
openFirewall = true; openFirewall = true;
useRoutingFeatures = if cfg.exitNode.enable then "server" else "client"; useRoutingFeatures = if (cfg.exitNode.enable || (cfg.serve != null)) then "server" else "client";
extraUpFlags = [ "--reset=true" ]; extraUpFlags = [ "--reset=true" ];
extraSetFlags = [ extraSetFlags = [
"--ssh=${lib.boolToString cfg.ssh.enable}" "--ssh=${lib.boolToString cfg.ssh.enable}"
@ -25,5 +34,20 @@ in
}; };
systemd.services.tailscaled-set.after = [ "tailscaled-autoconnect.service" ]; systemd.services.tailscaled-set.after = [ "tailscaled-autoconnect.service" ];
systemd.services.tailscale-serve = lib.mkIf (cfg.serve != null) {
after = [
"tailscaled.service"
"tailscaled-autoconnect.service"
];
wants = [ "tailscaled.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.Type = "oneshot";
script = ''
${lib.getExe pkgs.tailscale} cert ${config.networking.fqdn}
${lib.getExe pkgs.tailscale} serve reset
${lib.getExe pkgs.tailscale} serve --bg ${cfg.serve}
'';
};
}; };
} }