Format, clean out lib, remove sops default and implicit set options
parent
e78931472e
commit
808cc29c6c
@ -23,7 +23,7 @@
enableACME = true;
locations = {
"/".proxyPass = "http://localhost:${toString config.services.portunus.port}";
"/dex".proxyPass ="http://localhost:${toString config.services.portunus.dex.port}";
"/dex".proxyPass = "http://localhost:${toString config.services.portunus.dex.port}";
};
};
};
@ -32,10 +32,10 @@
enable = true;
dex = {
enable = true;
oidcClients = [ {
oidcClients = [{
callbackURL = "https://grafana.hq.c3d2.de/login/generic_oauth";
id = "grafana";
} ];
}];
};
ldap = {
searchUserName = "search";
@ -48,9 +48,11 @@
|
sops = {
defaultSopsFile = ./secrets.yaml;
secrets."dex/environment" = libS.sops.permissionForUser "dex";
secrets."portunus/users/admin-password" = libS.sops.permissionForUser "portunus";
secrets."portunus/users/search-password" = libS.sops.permissionForUser "portunus";
secrets = {
"dex/environment".owner = "dex";
"portunus/users/admin-password".owner = "portunus";
"portunus/users/search-password".owner = "portunus";
};
};
|
systemd.services.dex.serviceConfig = {
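Review bot: Setting only `.owner` on `dex/environment` and the two portunus passwords leaves `mode` and `group` at sops-nix's defaults (0400 and the `keys` group, if I recall correctly), so whatever `libS.sops.permissionForUser` used to set beyond the owner is dropped here without a visible replacement; worth checking against the removed helper, and if owner-only read is the intent, `"dex/environment" = { owner = "dex"; mode = "0400"; };` makes that explicit. `owner = "dex"` also assumes a static `dex` user exists when sops-nix's activation script chowns the file; the nixpkgs dex module runs with `DynamicUser` by default as far as I know, in which case the chown fails or the file stays root-owned and unreadable by the service. The `systemd.services.dex.serviceConfig` block that starts on the hunk's last line is presumably where that is handled, but its body is outside the hunk.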
@ -80,12 +80,10 @@ in
secrets = {
"ssh-keys/c3d2-dns/private" = {
owner = "c3d2-dns";
mode = "400";
path = "/var/lib/c3d2-dns/.ssh/id_ed25519";
};
"ssh-keys/c3d2-dns/public" = {
owner = "c3d2-dns";
mode = "440";
path = "/var/lib/c3d2-dns/.ssh/id_ed25519.pub";
};
};
@ -146,7 +146,7 @@
sops = {
defaultSopsFile = ./secrets.yaml;
secrets = {
"gitea/ldapSearchUserPassword" = libS.sops.permissionForUser "gitea";
"gitea/ldapSearchUserPassword".owner = "gitea";
"restic/password".owner = "root";
"restic/repository/server8".owner = "root";
};
@ -71,6 +71,7 @@
users.allow_sign_up = false;
};
};
|
influxdb =
let
collectdTypes = pkgs.runCommand "collectd-types" { } ''
@ -92,6 +93,7 @@
}];
};
};
|
nginx = {
enable = true;
virtualHosts = {
@ -175,9 +175,7 @@ in
portunus.addToHosts = true;
};
|
sops = {
defaultSopsFile = ./secrets.yaml;
};
sops.defaultSopsFile = ./secrets.yaml;
|
system.stateVersion = "22.11";
}
@ -286,7 +286,6 @@ in
"ldap/search-user-pw" = {
mode = "440";
owner = config.users.users.hydra-queue-runner.name;
inherit (config.users.users.hydra-queue-runner) group;
path = "/var/lib/hydra/ldap-password.conf";
};
"machine-id" = {
@ -299,13 +298,11 @@ in
"nix/signing-key/secretKey" = {
mode = "440";
owner = config.users.users.hydra-queue-runner.name;
inherit (config.users.users.hydra-queue-runner) group;
};
"restic/password".owner = "root";
"restic/repository/server8".owner = "root";
"ssh-keys/hydra/private" = {
owner = "hydra";
mode = "400";
path = "/var/lib/hydra/.ssh/id_ed25519";
};
"ssh-keys/hydra/public" = {
@ -315,7 +312,6 @@ in
};
"ssh-keys/root/private" = {
owner = "hydra-queue-runner";
mode = "400";
path = "/var/lib/hydra/queue-runner/.ssh/id_ed25519";
};
"ssh-keys/root/public" = {
@ -325,7 +321,6 @@ in
};
"ssh-keys/updater/private" = {
owner = "updater";
mode = "400";
path = "/var/lib/updater/.ssh/id_ed25519";
};
"ssh-keys/updater/public" = {
@ -115,10 +115,10 @@
|
sops = {
defaultSopsFile = ./secrets.yaml;
secrets = with libS.sops; {
"matterbridge/config" = permissionForUser "matterbridge";
"matrix-synapse/config" = permissionForUser "matrix-synapse";
"matrix-synapse/ldapSearchUserPassword" = permissionForUser "matrix-synapse";
secrets = {
"matterbridge/config".owner = "matterbridge";
"matrix-synapse/config".owner = "matrix-synapse";
"matrix-synapse/ldapSearchUserPassword".owner = "matrix-synapse";
"restic/password".owner = "root";
"restic/repository/server8".owner = "root";
};
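Review bot: `"restic/password".owner = "root"` and `"restic/repository/server8".owner = "root"` spell out what is already sops-nix's default owner, which sits oddly next to a commit whose title removes implicit and default options; either drop the two lines or keep them deliberately with a one-line comment such as `# root is the sops-nix default; kept so the reader sees who consumes these`. For the four service secrets above them, owner-only means `mode` stays at the default 0400 and the `keys` group gets no access, which is the tight setting but differs from whatever `libS.sops.permissionForUser` applied if it granted a group-readable mode; please confirm against the removed helper before relying on it. The `sops = {` attribute set opened at the top of the hunk closes outside the hunk.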
@ -77,8 +77,6 @@
path = "/etc/machine-id";
};
"restic/htpasswd" = {
group = config.systemd.services.restic-rest-server.serviceConfig.Group;
mode = "400";
owner = config.systemd.services.restic-rest-server.serviceConfig.User;
path = "/var/lib/restic/.htpasswd";
};
@ -81,19 +81,16 @@ in
|
sops.secrets = lib.mkIf cfg.enable {
"restic/offsite/private" = {
mode = "400";
owner = "root";
path = "/root/.ssh/id_offsite-backup";
sopsFile = ./backup.yaml;
};
"restic/offsite/public" = {
mode = "400";
owner = "root";
path = "/root/.ssh/id_offsite-backup.pub";
sopsFile = ./backup.yaml;
};
"restic/offsite/ssh-config" = {
mode = "400";
owner = "root";
path = "/root/.ssh/config";
sopsFile = ./backup.yaml;