Compare commits
2 commits
b8b5a64485
...
58a2203bc3
| Author | SHA1 | Date | |
|---|---|---|---|
58a2203bc3
|
|||
|
0957dcc1ea
|
15 changed files with 83 additions and 103 deletions
|
|
@ -28,7 +28,6 @@
|
|||
# ./services/starbound.nix -- Not currently used
|
||||
./services/postgres.nix
|
||||
./nginx
|
||||
./sops.nix
|
||||
];
|
||||
|
||||
nixpkgs.overlays = [ (_: prev: { local = import ../pkgs { pkgs = prev; }; }) ];
|
||||
|
|
@ -124,6 +123,7 @@
|
|||
services.sudo.rssh = true;
|
||||
};
|
||||
};
|
||||
sops.defaultSopsFile = ../keys/production.yaml;
|
||||
|
||||
# Remove some unneeded packages
|
||||
environment.defaultPackages = [ ];
|
||||
|
|
|
|||
|
|
@ -64,5 +64,10 @@
|
|||
in
|
||||
''${pkgs.runtimeShell} -c '${confirm}' '';
|
||||
};
|
||||
|
||||
sops.secrets = {
|
||||
"porkbun/api-key".owner = "acme";
|
||||
"porkbun/secret-api-key".owner = "acme";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -265,5 +265,18 @@ in
|
|||
};
|
||||
groups.backup = { };
|
||||
};
|
||||
|
||||
sops.secrets = {
|
||||
"restic/storagebox-backups" = {
|
||||
owner = "root";
|
||||
group = "backup";
|
||||
mode = "0440";
|
||||
};
|
||||
"restic/storagebox-ssh-key" = {
|
||||
owner = "backup";
|
||||
group = "backup";
|
||||
mode = "0040";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -13,4 +13,9 @@
|
|||
log_level = "DEBUG";
|
||||
};
|
||||
};
|
||||
|
||||
sops.secrets = {
|
||||
"battery-manager/email" = { };
|
||||
"battery-manager/password" = { };
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -179,4 +179,11 @@ in
|
|||
systemd.services.coturn.serviceConfig.SupplementaryGroups = [
|
||||
config.security.acme.certs."tlater.net".group
|
||||
];
|
||||
|
||||
sops.secrets = {
|
||||
"turn/env" = { };
|
||||
"turn/secret" = {
|
||||
owner = "turnserver";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -75,4 +75,10 @@ in
|
|||
# AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
|
||||
};
|
||||
};
|
||||
|
||||
sops.secrets = {
|
||||
# Accessed via systemd cred through /run/secrets/heisebridge
|
||||
"heisenbridge/as-token" = { };
|
||||
"heisenbridge/hs-token" = { };
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -163,4 +163,10 @@ in
|
|||
metrics.enabled = true;
|
||||
};
|
||||
};
|
||||
|
||||
sops.secrets = {
|
||||
# Accessed via systemd cred through /run/secrets/matrix-hookshot
|
||||
"matrix-hookshot/as-token" = { };
|
||||
"matrix-hookshot/hs-token" = { };
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -67,4 +67,15 @@ in
|
|||
};
|
||||
};
|
||||
};
|
||||
|
||||
sops.secrets = {
|
||||
"grafana/adminPassword" = {
|
||||
owner = "grafana";
|
||||
group = "grafana";
|
||||
};
|
||||
"grafana/secretKey" = {
|
||||
owner = "grafana";
|
||||
group = "grafana";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -96,4 +96,10 @@ in
|
|||
victorialogs.targets = [ config.services.victorialogs.bindAddress ];
|
||||
};
|
||||
};
|
||||
|
||||
sops.secrets."forgejo/metrics-token" = {
|
||||
owner = "forgejo";
|
||||
group = "metrics";
|
||||
mode = "0440";
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -100,4 +100,9 @@ in
|
|||
|
||||
# Ensure that this service doesn't start before postgres is ready
|
||||
systemd.services.nextcloud-setup.after = [ "postgresql.service" ];
|
||||
|
||||
sops.secrets."nextcloud/tlater" = {
|
||||
owner = "nextcloud";
|
||||
group = "nextcloud";
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -114,4 +114,7 @@ in
|
|||
paths = [ "/var/lib/private/starbound/storage/universe/" ];
|
||||
pauseServices = [ "starbound.service" ];
|
||||
};
|
||||
|
||||
# Accessed via systemd cred through /run/secrets/steam
|
||||
sops.secrets."steam/tlater" = { };
|
||||
}
|
||||
|
|
|
|||
|
|
@ -62,4 +62,10 @@
|
|||
};
|
||||
};
|
||||
};
|
||||
|
||||
sops.secrets."wireguard/server-key" = {
|
||||
owner = "root";
|
||||
group = "systemd-network";
|
||||
mode = "0440";
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,89 +0,0 @@
|
|||
{
|
||||
sops = {
|
||||
defaultSopsFile = ../keys/production.yaml;
|
||||
|
||||
secrets = {
|
||||
"battery-manager/email" = { };
|
||||
|
||||
"battery-manager/password" = { };
|
||||
|
||||
# Gitea
|
||||
"forgejo/metrics-token" = {
|
||||
owner = "forgejo";
|
||||
group = "metrics";
|
||||
mode = "0440";
|
||||
};
|
||||
|
||||
# Grafana
|
||||
"grafana/adminPassword" = {
|
||||
owner = "grafana";
|
||||
group = "grafana";
|
||||
};
|
||||
"grafana/secretKey" = {
|
||||
owner = "grafana";
|
||||
group = "grafana";
|
||||
};
|
||||
|
||||
# Heisenbridge
|
||||
"heisenbridge/as-token" = { };
|
||||
"heisenbridge/hs-token" = { };
|
||||
|
||||
# Matrix-hookshot
|
||||
"matrix-hookshot/as-token" = { };
|
||||
"matrix-hookshot/hs-token" = { };
|
||||
|
||||
# Nextcloud
|
||||
"nextcloud/tlater" = {
|
||||
owner = "nextcloud";
|
||||
group = "nextcloud";
|
||||
};
|
||||
|
||||
# Porkbub/ACME
|
||||
"porkbun/api-key" = {
|
||||
owner = "acme";
|
||||
};
|
||||
"porkbun/secret-api-key" = {
|
||||
owner = "acme";
|
||||
};
|
||||
|
||||
# Restic
|
||||
"restic/local-backups" = {
|
||||
owner = "root";
|
||||
group = "backup";
|
||||
mode = "0440";
|
||||
};
|
||||
"restic/storagebox-backups" = {
|
||||
owner = "root";
|
||||
group = "backup";
|
||||
mode = "0440";
|
||||
};
|
||||
"restic/storagebox-ssh-key" = {
|
||||
owner = "backup";
|
||||
group = "backup";
|
||||
mode = "0040";
|
||||
};
|
||||
|
||||
# Steam
|
||||
"steam/tlater" = { };
|
||||
|
||||
# Turn
|
||||
"turn/env" = { };
|
||||
"turn/secret" = {
|
||||
owner = "turnserver";
|
||||
};
|
||||
"turn/ssl-key" = {
|
||||
owner = "turnserver";
|
||||
};
|
||||
"turn/ssl-cert" = {
|
||||
owner = "turnserver";
|
||||
};
|
||||
|
||||
# Wireguard
|
||||
"wireguard/server-key" = {
|
||||
owner = "root";
|
||||
group = "systemd-network";
|
||||
mode = "0440";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
12
flake.lock
generated
12
flake.lock
generated
|
|
@ -136,11 +136,11 @@
|
|||
"pyproject-nix": "pyproject-nix"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1754978539,
|
||||
"narHash": "sha256-nrDovydywSKRbWim9Ynmgj8SBm8LK3DI2WuhIqzOHYI=",
|
||||
"lastModified": 1763413832,
|
||||
"narHash": "sha256-dkqBwDXiv8MPoFyIvOuC4bVubAP+TlVZUkVMB78TTSg=",
|
||||
"owner": "nix-community",
|
||||
"repo": "dream2nix",
|
||||
"rev": "fbec3263cb4895ac86ee9506cdc4e6919a1a2214",
|
||||
"rev": "5658fba3a0b6b7d5cb0460b949651f64f644a743",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -356,11 +356,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1762868777,
|
||||
"narHash": "sha256-QqS72GvguP56oKDNUckWUPNJHjsdeuXh5RyoKz0wJ+E=",
|
||||
"lastModified": 1763319842,
|
||||
"narHash": "sha256-YG19IyrTdnVn0l3DvcUYm85u3PaqBt6tI6VvolcuHnA=",
|
||||
"owner": "cachix",
|
||||
"repo": "pre-commit-hooks.nix",
|
||||
"rev": "c5c3147730384576196fb5da048a6e45dee10d56",
|
||||
"rev": "7275fa67fbbb75891c16d9dee7d88e58aea2d761",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
|
|||
File diff suppressed because one or more lines are too long
Loading…
Add table
Add a link
Reference in a new issue