fixed bugs with cirrostratus.

2024-08-07 15:24:17 -05:00 · 2024-08-07 15:24:17 -05:00 · f37f68c70e
parent fa96291493
commit f37f68c70e
7 changed files with 36 additions and 15 deletions
--- a/configs/nixos/radicale.nix
+++ b/configs/nixos/radicale.nix
@ -11,7 +11,7 @@
      auth = {
        type = "htpasswd";
        htpasswd_encryption = "md5";
-        htpasswd_filename = "${inputs.nix-secrets}/radicale-users";
+        htpasswd_filename = config.sops.secrets.radicale-users.path;
      };
    };
  };
--- a/flake.lock
+++ b/flake.lock
@ -235,10 +235,10 @@
    "nix-secrets": {
      "flake": false,
      "locked": {
-        "lastModified": 1721938549,
-        "narHash": "sha256-Iy3o7Q9GQybHPgDLzxCRhLVI7Q7P9U7/TCDSEMmFuFs=",
+        "lastModified": 1723051814,
+        "narHash": "sha256-JdAUqMsEqvQZAoCBwiBNM1RboE05BxVaj4fuV0YPSto=",
        "ref": "refs/heads/main",
-        "rev": "f61fd3244eab8d1406f89867b8025d5fe9385551",
+        "rev": "44935ad2ecb400d49ecee5e4f78f7c576c026a9a",
        "shallow": true,
        "type": "git",
        "url": "ssh://forgejo@git.venberg.xyz/Gabe/nix-secrets.git"
--- a/hosts/cirrostratus/default.nix
+++ b/hosts/cirrostratus/default.nix
@ -13,6 +13,7 @@ inputs.nixpkgs.lib.nixosSystem {
    inputs.disko.nixosModules.disko
    ./disk-config.nix
    ./hardware-configuration.nix
+    ./nginx.nix
    ../../configs/nixos/common.nix
    ../../configs/nixos/tailscale.nix
    ../../configs/nixos/sshd.nix
@ -29,6 +30,7 @@ inputs.nixpkgs.lib.nixosSystem {
        fullName = "Gabe Venberg";
        gui.enable = false;
      };
+      boot.zfs.extraPools = ["storage"];
      networking.hostName = "cirrostratus"; # Define your hostname.
      networking.hostId = "1b9da0b9";
      networking.useNetworkd = true;
@ -52,6 +54,11 @@ inputs.nixpkgs.lib.nixosSystem {
      sops = lib.mkIf (inputs ? nix-secrets) {
        secrets = {
          duckdns-token.sopsFile = "${inputs.nix-secrets}/duckdns.yaml";
+          gabevenberg-draft-credentials = {
+            sopsFile = "${inputs.nix-secrets}/draft.gabevenberg.com";
+            format = "binary";
+            owner = config.services.nginx.user;
+          };
        };
      };

--- a/hosts/cirrostratus/disk-config.nix
+++ b/hosts/cirrostratus/disk-config.nix
@ -66,13 +66,7 @@
        mode = "mirror";
        rootFsOptions = {
          compression = "zstd";
-        };
-
-        datasets = {
-          dataset = {
-            type = "zfs_fs";
-            options.mountpoint = "/storage/dataset";
-          };
+          mountpoint = "/storage";
        };
      };
    };
--- a/hosts/cirrostratus/nginx.nix
+++ b/hosts/cirrostratus/nginx.nix
@ -13,4 +13,10 @@
    forceSSL = true;
    root = "/var/www/gabevenberg.com";
  };
+  services.nginx.virtualHosts."draft.gabevenberg.com" = {
+    enableACME = true;
+    forceSSL = true;
+    root = "/var/www/draft.gabevenberg.com";
+    basicAuthFile = config.sops.secrets.gabevenberg-draft-credentials.path;
+  };
 }
--- a/hosts/cirrus/default.nix
+++ b/hosts/cirrus/default.nix
@ -12,18 +12,18 @@ inputs.nixpkgs.lib.nixosSystem {
    inputs.home-manager.nixosModules.home-manager
    inputs.disko.nixosModules.disko
    ./disk-config.nix
-    ./nginx.nix
    ../../roles/nixos/vm.nix
    ../../configs/nixos/common.nix
    ../../configs/nixos/tailscale.nix
    ../../configs/nixos/sshd.nix
-    # ../../configs/nixos/secrets.nix
+    ../../configs/nixos/secrets.nix
    ../../configs/nixos/radicale.nix
    ../../configs/nixos/forgejo.nix
    ({
      config,
      pkgs,
      configLib,
+      lib,
      ...
    }: {
      host = {
@ -44,6 +44,15 @@ inputs.nixpkgs.lib.nixosSystem {
        };
      };

+      sops = lib.mkIf (inputs ? nix-secrets) {
+        secrets = {
+          radicale-users = {
+            sopsFile = "${inputs.nix-secrets}/radicale-users";
+            format = "binary";
+            owner = "radicale";
+          };
+        };
+      };
      home-manager.users.${config.host.user} = {
        inputs,
        osConfig,
--- a/modules/nixos/duckdns.nix
+++ b/modules/nixos/duckdns.nix
@ -57,16 +57,21 @@ in {
        DynamicUser = true;
        RuntimeDirectory = "duckdns-update";
        RuntimeDirectoryMode = "700";
+        LoadCredential =
+          [
+            "tokenFile:${cfg.tokenFile}"
+          ]
+          ++ lib.optionals (cfg.domainsFile != null) ["domainsFile:${cfg.domainsFile}"];
      };
      script = ''
        install --mode 600 ${urlFile} $RUNTIME_DIRECTORY/curlurl
        # replace the token
-        ${pkgs.replace-secret}/bin/replace-secret @token_placeholder@ ${cfg.tokenFile} $RUNTIME_DIRECTORY/curlurl
+        ${pkgs.replace-secret}/bin/replace-secret @token_placeholder@ $CREDENTIALS_DIRECTORY/tokenFile $RUNTIME_DIRECTORY/curlurl

        # initalise the replacement file for the domains from the domains file if it exists, otherwise make it empty.
        install --mode 600 ${
          if (cfg.domainsFile != null)
-          then cfg.domainsFile
+          then "$CREDENTIALS_DIRECTORY/domainsFile"
          else "/dev/null"
        } $RUNTIME_DIRECTORY/domains
        # these are already in the nix store, so doesnt matter if they leak via cmdline.