Format, clean out lib, remove sops default and implicit set options

Sandro - 2023-07-01 23:41:50 +02:00
parent e78931472e
commit 808cc29c6c
Signed by: sandro
GPG Key ID: 3AF5A43A3EECC2E5
9 changed files with 16 additions and 26 deletions


@ -23,7 +23,7 @@
enableACME = true;
locations = {
"/".proxyPass = "http://localhost:${toString config.services.portunus.port}";
"/dex".proxyPass ="http://localhost:${toString config.services.portunus.dex.port}";
"/dex".proxyPass = "http://localhost:${toString config.services.portunus.dex.port}";
};
};
};
@ -32,10 +32,10 @@
enable = true;
dex = {
enable = true;
oidcClients = [ {
oidcClients = [{
callbackURL = "https://grafana.hq.c3d2.de/login/generic_oauth";
id = "grafana";
} ];
}];
};
ldap = {
searchUserName = "search";
@ -48,9 +48,11 @@
sops = {
defaultSopsFile = ./secrets.yaml;
secrets."dex/environment" = libS.sops.permissionForUser "dex";
secrets."portunus/users/admin-password" = libS.sops.permissionForUser "portunus";
secrets."portunus/users/search-password" = libS.sops.permissionForUser "portunus";
secrets = {
"dex/environment".owner = "dex";
"portunus/users/admin-password".owner = "portunus";
"portunus/users/search-password".owner = "portunus";
};
};
systemd.services.dex.serviceConfig = {
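Review bot: The new `secrets` set in the last hunk replaces `libS.sops.permissionForUser "…"` with bare `.owner = "…"`, but the helper's definition is not part of this commit, so it cannot be checked here whether it also set `mode` or `group`; if it did, the effective permissions of `dex/environment` and the two portunus password files now silently change to sops-nix's defaults (mode 0400, group resolved from the owner's primary group). A one-line comment above `secrets = {`, e.g. `# relies on sops-nix defaults: mode 0400, group = owner's primary group`, would make that intent explicit for the next reader. The same helper-to-`.owner` replacement appears in the gitea section and in the matterbridge/matrix-synapse section below; this note applies to them as well. The hunk header also announces 9/11 lines while fewer are rendered, so some context lines appear to be missing from this view.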


@ -80,12 +80,10 @@ in
secrets = {
"ssh-keys/c3d2-dns/private" = {
owner = "c3d2-dns";
mode = "400";
path = "/var/lib/c3d2-dns/.ssh/id_ed25519";
};
"ssh-keys/c3d2-dns/public" = {
owner = "c3d2-dns";
mode = "440";
path = "/var/lib/c3d2-dns/.ssh/id_ed25519.pub";
};
};
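Review bot: If the `mode = "440"` line on `ssh-keys/c3d2-dns/public` is one of the two deletions in this hunk (the markers are lost in this rendering, but the two `mode` lines are the only plausible candidates), that is a behaviour change rather than a cleanup: sops-nix's default mode is 0400, so the public key stops being group-readable, whereas the title only speaks of removing implicitly set options. Either keep `mode = "440";` if any process in the `c3d2-dns` group reads the key, or state in the commit message that the tightening is intended. The `secrets` set closes inside the hunk, but the enclosing `sops` block starts before it.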


@ -146,7 +146,7 @@
sops = {
defaultSopsFile = ./secrets.yaml;
secrets = {
"gitea/ldapSearchUserPassword" = libS.sops.permissionForUser "gitea";
"gitea/ldapSearchUserPassword".owner = "gitea";
"restic/password".owner = "root";
"restic/repository/server8".owner = "root";
};


@ -71,6 +71,7 @@
users.allow_sign_up = false;
};
};
influxdb =
let
collectdTypes = pkgs.runCommand "collectd-types" { } ''
@ -92,6 +93,7 @@
}];
};
};
nginx = {
enable = true;
virtualHosts = {


@ -175,9 +175,7 @@ in
portunus.addToHosts = true;
};
sops = {
defaultSopsFile = ./secrets.yaml;
};
sops.defaultSopsFile = ./secrets.yaml;
system.stateVersion = "22.11";
}


@ -286,7 +286,6 @@ in
"ldap/search-user-pw" = {
mode = "440";
owner = config.users.users.hydra-queue-runner.name;
inherit (config.users.users.hydra-queue-runner) group;
path = "/var/lib/hydra/ldap-password.conf";
};
"machine-id" = {
@ -299,13 +298,11 @@ in
"nix/signing-key/secretKey" = {
mode = "440";
owner = config.users.users.hydra-queue-runner.name;
inherit (config.users.users.hydra-queue-runner) group;
};
"restic/password".owner = "root";
"restic/repository/server8".owner = "root";
"ssh-keys/hydra/private" = {
owner = "hydra";
mode = "400";
path = "/var/lib/hydra/.ssh/id_ed25519";
};
"ssh-keys/hydra/public" = {
@ -315,7 +312,6 @@ in
};
"ssh-keys/root/private" = {
owner = "hydra-queue-runner";
mode = "400";
path = "/var/lib/hydra/queue-runner/.ssh/id_ed25519";
};
"ssh-keys/root/public" = {
@ -325,7 +321,6 @@ in
};
"ssh-keys/updater/private" = {
owner = "updater";
mode = "400";
path = "/var/lib/updater/.ssh/id_ed25519";
};
"ssh-keys/updater/public" = {


@ -115,10 +115,10 @@
sops = {
defaultSopsFile = ./secrets.yaml;
secrets = with libS.sops; {
"matterbridge/config" = permissionForUser "matterbridge";
"matrix-synapse/config" = permissionForUser "matrix-synapse";
"matrix-synapse/ldapSearchUserPassword" = permissionForUser "matrix-synapse";
secrets = {
"matterbridge/config".owner = "matterbridge";
"matrix-synapse/config".owner = "matrix-synapse";
"matrix-synapse/ldapSearchUserPassword".owner = "matrix-synapse";
"restic/password".owner = "root";
"restic/repository/server8".owner = "root";
};


@ -77,8 +77,6 @@
path = "/etc/machine-id";
};
"restic/htpasswd" = {
group = config.systemd.services.restic-rest-server.serviceConfig.Group;
mode = "400";
owner = config.systemd.services.restic-rest-server.serviceConfig.User;
path = "/var/lib/restic/.htpasswd";
};
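Review bot: With the explicit `group = config.systemd.services.restic-rest-server.serviceConfig.Group;` gone, the group of `restic/htpasswd` falls back to sops-nix's default, `users.users.<owner>.group`, which only evaluates if the service user is a statically declared user (a DynamicUser has no `users.users` entry) and is not guaranteed to equal `serviceConfig.Group`. Because `mode` now also falls back to 0400 the group bit grants no read access, so the practical effect should be nil, but the dependency is no longer visible in the file; a comment on the `owner` line such as `# group defaults to the owner's primary group; with mode 0400 group access is moot` would record it. The enclosing `secrets` set and `sops` block begin before this hunk.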


@ -81,19 +81,16 @@ in
sops.secrets = lib.mkIf cfg.enable {
"restic/offsite/private" = {
mode = "400";
owner = "root";
path = "/root/.ssh/id_offsite-backup";
sopsFile = ./backup.yaml;
};
"restic/offsite/public" = {
mode = "400";
owner = "root";
path = "/root/.ssh/id_offsite-backup.pub";
sopsFile = ./backup.yaml;
};
"restic/offsite/ssh-config" = {
mode = "400";
owner = "root";
path = "/root/.ssh/config";
sopsFile = ./backup.yaml;