fixed bugs with cirrostratus.

Gabe Venberg 2024-08-07 15:24:17 -05:00
parent fa96291493
commit f37f68c70e
7 changed files with 36 additions and 15 deletions


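--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -11,7 +11,7 @@
 auth = {
 type = "htpasswd";
 htpasswd_encryption = "md5";
-htpasswd_filename = "${inputs.nix-secrets}/radicale-users";
+htpasswd_filename = config.sops.secrets.radicale-users.path;
 };
 };
 };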
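Review bot: `config.sops.secrets.radicale-users.path` is referenced unconditionally here, while the secret itself is declared elsewhere in this commit under `sops = lib.mkIf (inputs ? nix-secrets) { ... }`, so a host that imports this module without the `nix-secrets` input fails evaluation with a missing-attribute error instead of a clear message (the old string path failed the same way, so this is not a regression, but the coupling is now invisible). The same pattern applies to `basicAuthFile = config.sops.secrets.gabevenberg-draft-credentials.path` in the nginx vhost hunk later in this commit. Either guard the reference with the same condition, or at least record the dependency, e.g. `# requires sops.secrets.radicale-users, declared by the host configuration`, and confirm `config` is among this module's arguments, since the module header is outside the hunk. The enclosing attribute set also starts and ends outside the hunk.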


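--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -235,10 +235,10 @@
 "nix-secrets": {
 "flake": false,
 "locked": {
-"lastModified": 1721938549,
-"narHash": "sha256-Iy3o7Q9GQybHPgDLzxCRhLVI7Q7P9U7/TCDSEMmFuFs=",
+"lastModified": 1723051814,
+"narHash": "sha256-JdAUqMsEqvQZAoCBwiBNM1RboE05BxVaj4fuV0YPSto=",
 "ref": "refs/heads/main",
-"rev": "f61fd3244eab8d1406f89867b8025d5fe9385551",
+"rev": "44935ad2ecb400d49ecee5e4f78f7c576c026a9a",
 "shallow": true,
 "type": "git",
 "url": "ssh://forgejo@git.venberg.xyz/Gabe/nix-secrets.git"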


@ -13,6 +13,7 @@ inputs.nixpkgs.lib.nixosSystem {
inputs.disko.nixosModules.disko inputs.disko.nixosModules.disko
./disk-config.nix ./disk-config.nix
./hardware-configuration.nix ./hardware-configuration.nix
./nginx.nix
../../configs/nixos/common.nix ../../configs/nixos/common.nix
../../configs/nixos/tailscale.nix ../../configs/nixos/tailscale.nix
../../configs/nixos/sshd.nix ../../configs/nixos/sshd.nix
@ -29,6 +30,7 @@ inputs.nixpkgs.lib.nixosSystem {
fullName = "Gabe Venberg"; fullName = "Gabe Venberg";
gui.enable = false; gui.enable = false;
}; };
boot.zfs.extraPools = ["storage"];
networking.hostName = "cirrostratus"; # Define your hostname. networking.hostName = "cirrostratus"; # Define your hostname.
networking.hostId = "1b9da0b9"; networking.hostId = "1b9da0b9";
networking.useNetworkd = true; networking.useNetworkd = true;
@ -52,6 +54,11 @@ inputs.nixpkgs.lib.nixosSystem {
sops = lib.mkIf (inputs ? nix-secrets) { sops = lib.mkIf (inputs ? nix-secrets) {
secrets = { secrets = {
duckdns-token.sopsFile = "${inputs.nix-secrets}/duckdns.yaml"; duckdns-token.sopsFile = "${inputs.nix-secrets}/duckdns.yaml";
gabevenberg-draft-credentials = {
sopsFile = "${inputs.nix-secrets}/draft.gabevenberg.com";
format = "binary";
owner = config.services.nginx.user;
};
}; };
}; };
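Review bot: `boot.zfs.extraPools = ["storage"];` in the second hunk carries no comment saying why the pool now needs an explicit import; presumably it is because the disko change in this commit drops the `dataset` filesystem and mounts the pool root at `/storage` directly, so nothing in `fileSystems` triggers the import at boot — worth confirming and recording, e.g. `# import the storage pool explicitly: its root dataset is mounted by zfs, not via fileSystems`. In the third hunk the header counts (`-52,6 +54,11`) show one more old line than the rendering prints, so one line of that hunk is missing from this view. The `nixosSystem` call that encloses these hunks starts and ends outside them.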


@ -66,13 +66,7 @@
mode = "mirror"; mode = "mirror";
rootFsOptions = { rootFsOptions = {
compression = "zstd"; compression = "zstd";
}; mountpoint = "/storage";
datasets = {
dataset = {
type = "zfs_fs";
options.mountpoint = "/storage/dataset";
};
}; };
}; };
}; };


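--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -13,4 +13,10 @@
 forceSSL = true;
 root = "/var/www/gabevenberg.com";
 };
+services.nginx.virtualHosts."draft.gabevenberg.com" = {
+enableACME = true;
+forceSSL = true;
+root = "/var/www/draft.gabevenberg.com";
+basicAuthFile = config.sops.secrets.gabevenberg-draft-credentials.path;
+};
 }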


@ -12,18 +12,18 @@ inputs.nixpkgs.lib.nixosSystem {
inputs.home-manager.nixosModules.home-manager inputs.home-manager.nixosModules.home-manager
inputs.disko.nixosModules.disko inputs.disko.nixosModules.disko
./disk-config.nix ./disk-config.nix
./nginx.nix
../../roles/nixos/vm.nix ../../roles/nixos/vm.nix
../../configs/nixos/common.nix ../../configs/nixos/common.nix
../../configs/nixos/tailscale.nix ../../configs/nixos/tailscale.nix
../../configs/nixos/sshd.nix ../../configs/nixos/sshd.nix
# ../../configs/nixos/secrets.nix ../../configs/nixos/secrets.nix
../../configs/nixos/radicale.nix ../../configs/nixos/radicale.nix
../../configs/nixos/forgejo.nix ../../configs/nixos/forgejo.nix
({ ({
config, config,
pkgs, pkgs,
configLib, configLib,
lib,
... ...
}: { }: {
host = { host = {
@ -44,6 +44,15 @@ inputs.nixpkgs.lib.nixosSystem {
}; };
}; };
sops = lib.mkIf (inputs ? nix-secrets) {
secrets = {
radicale-users = {
sopsFile = "${inputs.nix-secrets}/radicale-users";
format = "binary";
owner = "radicale";
};
};
};
home-manager.users.${config.host.user} = { home-manager.users.${config.host.user} = {
inputs, inputs,
osConfig, osConfig,


@ -57,16 +57,21 @@ in {
DynamicUser = true; DynamicUser = true;
RuntimeDirectory = "duckdns-update"; RuntimeDirectory = "duckdns-update";
RuntimeDirectoryMode = "700"; RuntimeDirectoryMode = "700";
LoadCredential =
[
"tokenFile:${cfg.tokenFile}"
]
++ lib.optionals (cfg.domainsFile != null) ["domainsFile:${cfg.domainsFile}"];
}; };
script = '' script = ''
install --mode 600 ${urlFile} $RUNTIME_DIRECTORY/curlurl install --mode 600 ${urlFile} $RUNTIME_DIRECTORY/curlurl
# replace the token # replace the token
${pkgs.replace-secret}/bin/replace-secret @token_placeholder@ ${cfg.tokenFile} $RUNTIME_DIRECTORY/curlurl ${pkgs.replace-secret}/bin/replace-secret @token_placeholder@ $CREDENTIALS_DIRECTORY/tokenFile $RUNTIME_DIRECTORY/curlurl
# initalise the replacement file for the domains from the domains file if it exists, otherwise make it empty. # initalise the replacement file for the domains from the domains file if it exists, otherwise make it empty.
install --mode 600 ${ install --mode 600 ${
if (cfg.domainsFile != null) if (cfg.domainsFile != null)
then cfg.domainsFile then "$CREDENTIALS_DIRECTORY/domainsFile"
else "/dev/null" else "/dev/null"
} $RUNTIME_DIRECTORY/domains } $RUNTIME_DIRECTORY/domains
# these are already in the nix store, so doesnt matter if they leak via cmdline. # these are already in the nix store, so doesnt matter if they leak via cmdline.