This commit is contained in:
parent
3d47eb57f3
commit
638ad6d498
|
@ -5,7 +5,7 @@
|
||||||
inputs.srvos.nixosModules.mixins-telegraf
|
inputs.srvos.nixosModules.mixins-telegraf
|
||||||
# FIXME: switch to VPN later
|
# FIXME: switch to VPN later
|
||||||
{ networking.firewall.allowedTCPPorts = [ 9273 ]; }
|
{ networking.firewall.allowedTCPPorts = [ 9273 ]; }
|
||||||
inputs.sops-nix.nixosModules.default
|
inputs.clan-core.nixosModules.secrets
|
||||||
];
|
];
|
||||||
|
|
||||||
hcloud.imports = [
|
hcloud.imports = [
|
||||||
|
|
|
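Review bot: Replacing `inputs.sops-nix.nixosModules.default` with `inputs.clan-core.nixosModules.secrets` leaves every `config.sops.secrets.<name>.path` reference in the other files of this commit depending on the clan module to provide the `sops.secrets` option and the per-secret declarations that the commit removes elsewhere, and nothing in this list says so; a comment on the new import, `# provides sops.secrets.<name> for every secret under clan.sops.sopsDirectory`, would make that contract explicit. Presumably the clan module also picks the owner and mode of the decrypted files, which the removed `= { }` declarations left at the sops-nix defaults; confirm they match what the services reading those paths expect. The enclosing `imports` list continues outside the hunk.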
@ -1,14 +1,6 @@
|
||||||
{ config, ... }: {
|
{ config, ... }: {
|
||||||
# 100GB storagebox is under the nix-community hetzner account
|
# 100GB storagebox is under the nix-community hetzner account
|
||||||
|
|
||||||
# $ nix run nixpkgs#xkcdpass -- -d '-' -n 3 -C capitalize "$@"
|
|
||||||
sops.secrets.hetzner-borgbackup-ssh = { };
|
|
||||||
# Also enable ssh support in the storagebox web interface.
|
|
||||||
# By default the storage box is only accessible from the hetzner network.
|
|
||||||
# $ ssh-keygen -t ed25519 -N "" -f /tmp/ssh_host_ed25519_key
|
|
||||||
# $ cat /tmp/ssh_host_ed25519_key.pub | ssh -p23 u359378@u359378.your-storagebox.de install-ssh-key
|
|
||||||
sops.secrets.hetzner-borgbackup-passphrase = { };
|
|
||||||
|
|
||||||
systemd.services.borgbackup-job-clan-lol.serviceConfig.ReadWritePaths = [
|
systemd.services.borgbackup-job-clan-lol.serviceConfig.ReadWritePaths = [
|
||||||
"/var/log/telegraf"
|
"/var/log/telegraf"
|
||||||
];
|
];
|
||||||
|
@ -62,10 +54,16 @@
|
||||||
doInit = true;
|
doInit = true;
|
||||||
encryption = {
|
encryption = {
|
||||||
mode = "repokey-blake2";
|
mode = "repokey-blake2";
|
||||||
|
# $ nix run nixpkgs#xkcdpass -- -d '-' -n 3 -C capitalize "$@"
|
||||||
passCommand = "cat ${config.sops.secrets.hetzner-borgbackup-passphrase.path}";
|
passCommand = "cat ${config.sops.secrets.hetzner-borgbackup-passphrase.path}";
|
||||||
};
|
};
|
||||||
compression = "auto,zstd";
|
compression = "auto,zstd";
|
||||||
startAt = "daily";
|
startAt = "daily";
|
||||||
|
|
||||||
|
# Also enable ssh support in the storagebox web interface.
|
||||||
|
# By default the storage box is only accessible from the hetzner network.
|
||||||
|
# $ ssh-keygen -t ed25519 -N "" -f /tmp/ssh_host_ed25519_key
|
||||||
|
# $ cat /tmp/ssh_host_ed25519_key.pub | ssh -p23 u359378@u359378.your-storagebox.de install-ssh-key
|
||||||
environment.BORG_RSH = "ssh -oPort=23 -i ${config.sops.secrets.hetzner-borgbackup-ssh.path}";
|
environment.BORG_RSH = "ssh -oPort=23 -i ${config.sops.secrets.hetzner-borgbackup-ssh.path}";
|
||||||
preHook = ''
|
preHook = ''
|
||||||
set -x
|
set -x
|
||||||
|
|
|
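Review bot: The generation recipes moved above `passCommand` and `environment.BORG_RSH` no longer say where the generated value has to be stored, now that the `sops.secrets.hetzner-borgbackup-passphrase = { };` and `hetzner-borgbackup-ssh` declarations that anchored them are gone; `# stored as the sops secret "hetzner-borgbackup-passphrase" under clan.sops.sopsDirectory` (and the same for `hetzner-borgbackup-ssh`) would close that gap. The ssh recipe writes an unencrypted private key to `/tmp/ssh_host_ed25519_key` and ends after `install-ssh-key`, so a final `# $ rm /tmp/ssh_host_ed25519_key*` line would complete the procedure. The name `ssh_host_ed25519_key` is also misleading for what is a client key of the borg job; naming the file after the secret it becomes would help. The `preHook` script and the enclosing job definition continue outside the hunk.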
@ -1,7 +1,4 @@
|
||||||
{ config, self, pkgs, ... }: {
|
{ config, self, pkgs, ... }: {
|
||||||
|
|
||||||
sops.secrets.merge-bot-gitea-token = { };
|
|
||||||
|
|
||||||
# service to for automatic merge bot
|
# service to for automatic merge bot
|
||||||
systemd.services.clan-merge = {
|
systemd.services.clan-merge = {
|
||||||
description = "Merge clan.lol PRs automatically";
|
description = "Merge clan.lol PRs automatically";
|
||||||
|
|
|
@ -13,4 +13,5 @@
|
||||||
];
|
];
|
||||||
|
|
||||||
services.cloud-init.xfs.enable = true;
|
services.cloud-init.xfs.enable = true;
|
||||||
|
clan.sops.sopsDirectory = ../../sops;
|
||||||
}
|
}
|
||||||
|
|
|
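Review bot: `clan.sops.sopsDirectory = ../../sops;` is the one line that now stands in for every `sops.secrets.<name> = { };` declaration this commit removes (hetzner-borgbackup-ssh and -passphrase, merge-bot-gitea-token, matrix-server-key, registration-secret, harmonia-key, clan-bot-gitea-token, clan-bot-ssh-key), yet nothing says so; add `# declares every secret found under ../../sops as sops.secrets.<name>; replaces the former per-file declarations` above it. The path is resolved relative to this file, so moving the file silently changes which directory is scanned, which is worth stating in the same comment. Presumably the module applies its own default owner and mode to the generated declarations; confirm they match the sops-nix defaults the removed entries relied on. The enclosing attribute set starts outside the hunk.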
@ -25,19 +25,15 @@ let
|
||||||
'';
|
'';
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
# $ nix-shell -p dendrite --run 'generate-keys --private-key /tmp/key'
|
|
||||||
sops.secrets.matrix-server-key = { };
|
|
||||||
# $ echo "REGISTRATION_SHARED_SECRET=$(openssl rand -base64 32)"
|
|
||||||
|
|
||||||
# To create a user:
|
|
||||||
# $ password=$(nix run "nixpkgs#xkcdpass" -- -n 3 -d-)
|
|
||||||
# $ shared_secret=$(sops -d --extract '["registration-secret"]' ./secrets.yaml| sed s/REGISTRATION_SHARED_SECRET=//)
|
|
||||||
# $ nix shell "nixpkgs#matrix-synapse" -c register_new_matrix_user --password "${password}" --shared-secret "${shared_secret}" "https://matrix.clan.lol:443"
|
|
||||||
sops.secrets.registration-secret = { };
|
|
||||||
|
|
||||||
services.dendrite = {
|
services.dendrite = {
|
||||||
enable = true;
|
enable = true;
|
||||||
httpPort = 8043;
|
httpPort = 8043;
|
||||||
|
# $ echo "REGISTRATION_SHARED_SECRET=$(openssl rand -base64 32)"
|
||||||
|
|
||||||
|
# To create a user:
|
||||||
|
# $ password=$(nix run "nixpkgs#xkcdpass" -- -n 3 -d-)
|
||||||
|
# $ shared_secret=$(sops -d --extract '["registration-secret"]' ./secrets.yaml| sed s/REGISTRATION_SHARED_SECRET=//)
|
||||||
|
# $ nix shell "nixpkgs#matrix-synapse" -c register_new_matrix_user --password "${password}" --shared-secret "${shared_secret}" "https://matrix.clan.lol:443"
|
||||||
environmentFile = config.sops.secrets.registration-secret.path;
|
environmentFile = config.sops.secrets.registration-secret.path;
|
||||||
|
|
||||||
settings = {
|
settings = {
|
||||||
|
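Review bot: The moved user-registration recipe at the `# $ shared_secret=$(sops -d --extract '["registration-secret"]' ./secrets.yaml ...` line still reads `./secrets.yaml`, a path from the old per-host layout; with secrets now gathered under `clan.sops.sopsDirectory` this presumably no longer resolves from this file's directory, so the comment should name the actual location (placeholder: `<sops-directory>/secrets.yaml`). The `# $ echo "REGISTRATION_SHARED_SECRET=$(openssl rand -base64 32)"` line above `environmentFile` no longer says where its output goes now that `sops.secrets.registration-secret = { };` is gone; `# stored as the sops secret "registration-secret", loaded through environmentFile below` would restore that link. The `services.dendrite` set continues outside the hunk.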
@ -122,6 +118,7 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.dendrite.serviceConfig.LoadCredential = [
|
systemd.services.dendrite.serviceConfig.LoadCredential = [
|
||||||
|
# $ nix-shell -p dendrite --run 'generate-keys --private-key /tmp/key'
|
||||||
"matrix-server-key:${config.sops.secrets.matrix-server-key.path}"
|
"matrix-server-key:${config.sops.secrets.matrix-server-key.path}"
|
||||||
];
|
];
|
||||||
|
|
||||||
|
|
|
@ -2,7 +2,6 @@
|
||||||
services.harmonia.enable = true;
|
services.harmonia.enable = true;
|
||||||
# $ nix-store --generate-binary-cache-key cache.yourdomain.tld-1 harmonia.secret harmonia.pub
|
# $ nix-store --generate-binary-cache-key cache.yourdomain.tld-1 harmonia.secret harmonia.pub
|
||||||
services.harmonia.signKeyPath = config.sops.secrets.harmonia-key.path;
|
services.harmonia.signKeyPath = config.sops.secrets.harmonia-key.path;
|
||||||
sops.secrets.harmonia-key = { };
|
|
||||||
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
package = pkgs.nginxStable.override {
|
package = pkgs.nginxStable.override {
|
||||||
|
|
|
@ -1,16 +1,5 @@
|
||||||
{ config, self, pkgs, lib, ... }:
|
{ config, self, pkgs, lib, ... }:
|
||||||
let
|
let
|
||||||
|
|
||||||
allFlakePackages = [
|
|
||||||
"job-flake-update-clan-core"
|
|
||||||
"job-flake-update-clan-homepage"
|
|
||||||
"job-flake-update-clan-infra"
|
|
||||||
];
|
|
||||||
|
|
||||||
allFlakeJobs = lib.filter (lib.hasPrefix "job-") allFlakePackages;
|
|
||||||
|
|
||||||
allSystemdConfigs = map configForJob allFlakeJobs;
|
|
||||||
|
|
||||||
configForJob = name: {
|
configForJob = name: {
|
||||||
systemd.timers.${name} = {
|
systemd.timers.${name} = {
|
||||||
description = "Time for flake update workflow";
|
description = "Time for flake update workflow";
|
||||||
|
@ -55,16 +44,11 @@ let
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
config = lib.mkMerge (
|
config = lib.mkMerge (map configForJob [
|
||||||
allSystemdConfigs
|
"job-flake-update-clan-core"
|
||||||
++ [
|
"job-flake-update-clan-homepage"
|
||||||
{
|
"job-flake-update-clan-infra"
|
||||||
sops.secrets.clan-bot-gitea-token = { };
|
]);
|
||||||
sops.secrets.clan-bot-ssh-key = { };
|
|
||||||
}
|
|
||||||
]
|
|
||||||
);
|
|
||||||
}
|
}
|
||||||
|
|
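Review bot: The new `config = lib.mkMerge (map configForJob [ ... ]);` drops the `lib.filter (lib.hasPrefix "job-")` step that the removed `allFlakeJobs` binding applied, so the `job-` naming convention that `configForJob` bakes into `systemd.timers.${name}` (visible in the earlier hunk) is now enforced by nothing; if the prefix matters, record it above the list with `# one timer+service per entry; names keep the "job-" prefix configForJob expects`. The three job names are now buried inside the `mkMerge` call where the old code kept them in a named `let` binding, which also made them easy to extend; keeping a named list is a matter of style but reads better. Whether `config`, `self` and `pkgs` in the file's argument set are still used after this cleanup cannot be seen here, because `configForJob`'s body lies outside both hunks.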