better up purge and mail secrets

This commit is contained in:
Rouven Seifert 2023-07-20 21:35:12 +02:00
parent 48225f3c36
commit f1f11eee2a
Signed by: rouven.seifert
GPG key ID: B95E8FE6B11C4D09
12 changed files with 101 additions and 46 deletions


@ -171,11 +171,11 @@
]
},
"locked": {
"lastModified": 1689495092,
"narHash": "sha256-yZu2j5FpLZEPhJQQutMCPTxa1VMigLPabLYvLTq6ASM=",
"lastModified": 1689875525,
"narHash": "sha256-fgUrFH3bMZ6R7qgBTfuTRGlkZXIkdyjndl6ZbExbjE8=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "2f84579a70b8c74e5ebb37299a0c3ba279f09382",
"rev": "1443abd2696ec6bd6fb9701e6c26b277a27b4a3e",
"type": "github"
},
"original": {
@ -301,11 +301,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1689444953,
"narHash": "sha256-0o56bfb2LC38wrinPdCGLDScd77LVcr7CrH1zK7qvDg=",
"lastModified": 1689679375,
"narHash": "sha256-LHUC52WvyVDi9PwyL1QCpaxYWBqp4ir4iL6zgOkmcb8=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "8acef304efe70152463a6399f73e636bcc363813",
"rev": "684c17c429c42515bafb3ad775d2a710947f3d67",
"type": "github"
},
"original": {
@ -347,11 +347,11 @@
},
"nixpkgs-stable_2": {
"locked": {
"lastModified": 1689398528,
"narHash": "sha256-qVn/doWn20axR+KvmAAGexv0A5RVzcBbd5HfNMAMeVI=",
"lastModified": 1689473667,
"narHash": "sha256-41ePf1ylHMTogSPAiufqvBbBos+gtB6zjQlYFSEKFMM=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3dc2bc15956db2ff2316af45eefd45803fc1372b",
"rev": "13231eccfa1da771afa5c0807fdd73e05a1ec4e6",
"type": "github"
},
"original": {
@ -399,11 +399,11 @@
]
},
"locked": {
"lastModified": 1689427636,
"narHash": "sha256-COACHJYnu/ngg/1R40s3zkeMwrBV1cVU6xUfZKAON0g=",
"lastModified": 1689880943,
"narHash": "sha256-qFUNtcCGfZldDgvuPLk4J2ww+CNwDmTUWLnn/jgxHJM=",
"owner": "therealr5",
"repo": "purge",
"rev": "3674000c8b6993c132aea92456394b49ca62e896",
"rev": "869b5723dfb5d7e7650d631215771dfa4f48bf11",
"type": "github"
},
"original": {
@ -460,11 +460,11 @@
"nixpkgs-stable": "nixpkgs-stable_2"
},
"locked": {
"lastModified": 1689405598,
"narHash": "sha256-80fuO3FiXgJmUDQgB7sc2lq8Qe/oSkqDNwx9N/fCtBs=",
"lastModified": 1689534977,
"narHash": "sha256-EB4hasmjKgetTR0My2bS5AwELZFIQ4zANLqHKi7aVXg=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "cfe47aff8660fd760b1db89613a3205c2c4ba7b6",
"rev": "bd695cc4d0a5e1bead703cc1bec5fa3094820a81",
"type": "github"
},
"original": {


@ -65,6 +65,7 @@
jmri = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/jmri { };
adguardian-term = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/adguardian-term { };
pww = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/pww { };
crowdsec-firewall-bouncer = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/crowdsec-firewall-bouncer { };
};
hydraJobs = self.packages;
formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt;
@ -114,6 +115,9 @@
modules = [
./hosts/falkenstein-1
./shared
{
nixpkgs.overlays = [ self.overlays.default ];
}
nix-index-database.nixosModules.nix-index
sops-nix.nixosModules.sops
purge.nixosModules.default


@ -39,6 +39,8 @@
helix
lsof
python3
crowdsec
crowdsec-firewall-bouncer
];
programs.git = {
enable = true;


@ -6,9 +6,6 @@ let
rspamd-domain = "rspamd.${domain}";
in
{
sops.secrets."mail/rouven".owner = config.users.users.postfix.name;
sops.secrets."rspamd".owner = config.users.users.rspamd.name;
networking.firewall.allowedTCPPorts = [
25 # insecure SMTP
465
@ -160,7 +157,9 @@ in
enable = true;
postfix.enable = true;
locals = {
"worker-controller.inc".source = config.sops.secrets."rspamd".path;
"worker-controller.inc".text = ''
password = "$2$g1jh7t5cxschj11set5wksd656ixd5ie$cgwrj53hfb87xndqbh5r3ow9qfi1ejii8dxok1ihbnhamccn1rxy";
'';
"redis.conf".text = ''
read_servers = "127.0.0.1";
write_servers = "127.0.0.1";
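Review bot: The rspamd controller credential under `"worker-controller.inc".text` is now a literal password hash in the module, replacing the sops-managed `.source = config.sops.secrets."rspamd".path;` form; text written this way lands in the world-readable Nix store and in git history, so the hash is exposed to offline guessing on every host that evaluates the config and rotating it means another commit. Keeping `sops.secrets."rspamd".owner = config.users.users.rspamd.name;` and the `.source` reference avoids both, and if the sops-backed file stopped working a comment stating why would be better than inlining the value. The removal of the `mail:` entries in the sops YAML section further down suggests the `mail/rouven` secret was dropped alongside `rspamd`; if anything outside this hunk still reads `config.sops.secrets."mail/rouven".path`, evaluation will fail, which I cannot confirm from the visible lines. The `services.rspamd` attribute set continues past the end of the hunk, and which lines are old or new is inferred since the markers are lost in this rendering.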


@ -3,14 +3,14 @@ let
domain = "purge.rfive.de";
in
{
sops.secrets."purge/environment".owner = "purge";
sops.secrets."purge/token".owner = "purge";
services.purge = {
enable = true;
discord = {
clientId = "941041925216157746";
publicKey = "d2945f6130d9b4a8dda8c8bf52db5dee127a82f89c6b8782e84aa8f45f61d402";
tokenFile = config.sops.secrets."purge/token".path;
};
environmentFile = config.sops.secrets."purge/environment".path;
};
services.nginx.virtualHosts."${domain}" = {
enableACME = true;


@ -44,21 +44,21 @@
"nuc.lan:a9UkVw3AizAKCER1CfNGhx8UOMF4t4UGE3GJ9dmHwJc="
];
};
distributedBuilds = true;
extraOptions = ''
builders-use-substitutes = true
'';
buildMachines = [
{
hostName = "nuc.lan";
system = "x86_64-linux";
protocol = "ssh-ng";
maxJobs = 4;
speedFactor = 1;
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
mandatoryFeatures = [ ];
}
];
# distributedBuilds = true;
# extraOptions = ''
# builders-use-substitutes = true
# '';
# buildMachines = [
# {
# hostName = "nuc.lan";
# system = "x86_64-linux";
# protocol = "ssh-ng";
# maxJobs = 4;
# speedFactor = 1;
# supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
# mandatoryFeatures = [ ];
# }
# ];
};
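Review bot: The remote-builder configuration (`distributedBuilds`, `extraOptions`, `buildMachines`) is disabled by commenting out sixteen lines rather than removing them, which leaves dead configuration that will drift from the live options and that git history already preserves. Deleting the block, or gating it behind a boolean with `lib.mkIf` if `lib` is in scope for this module, keeps the file readable and makes the intent explicit. The `nuc.lan` entry kept in the key list at the top of the hunk looks like a trusted signing key for that same machine; if the builder is no longer used it is worth a `# nuc.lan builder disabled below; key retained for cache reuse` style comment, or dropping the key, depending on whether the machine still serves as a substituter. The enclosing attribute set starts before the hunk.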
environment.persistence."/nix/persist/system" = {


@ -28,6 +28,7 @@ in
});
pww = callPackage ../pkgs/pww { };
crowdsec-firewall-bouncer = callPackage ../pkgs/crowdsec-firewall-bouncer { };
jmri = callPackage ../pkgs/jmri { };
adguardian-term = callPackage ../pkgs/adguardian-term { };
}


@ -0,0 +1,22 @@
From be0cc576bedade783a26b58b6577ce9903784251 Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Thu, 20 Jul 2023 17:15:58 +0200
Subject: [PATCH] remove natend go.mod for nix builds
---
koneu/natend/go.mod | 3 ---
1 file changed, 3 deletions(-)
delete mode 100644 koneu/natend/go.mod
diff --git a/koneu/natend/go.mod b/koneu/natend/go.mod
deleted file mode 100644
index 92b93b4..0000000
--- a/koneu/natend/go.mod
+++ /dev/null
@@ -1,3 +0,0 @@
-module natend
-
-go 1.17
--
2.41.0


@ -0,0 +1,24 @@
{ lib, buildGoModule, makeWrapper, fetchFromGitHub, playerctl }:
buildGoModule rec {
pname = "crowdsec-firewall-bouncer";
version = "0.0.27";
src = fetchFromGitHub {
owner = "crowdsecurity";
repo = "cs-firewall-bouncer";
rev = "v${version}";
hash = "sha256-zrYs/9hH+sGG1RMFWMeTm1yIDPElGBr7rVGeWR3ff34=";
};
patches = [ ./0001-remove-natend-go-mod-for-nix-builds.patch ];
vendorSha256 = "sha256-7wIdwTv4jMpFQkl3tKeH3MWxJ/EbiFg5FtGSAvNNpos=";
meta = with lib; {
description = "Crowdsec bouncer written in golang for firewalls";
homepage = "https://github.com/crowdsecurity/cs-firewall-bouncer";
license = licenses.mit;
maintainers = with maintainers; [ therealr5 ];
platforms = platforms.all;
};
}
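Review bot: `makeWrapper` and `playerctl` in the argument set on the first line of the new derivation are not referenced anywhere in the body and look carried over from another package; `{ lib, buildGoModule, fetchFromGitHub }:` is all this file uses. `vendorSha256` is the deprecated spelling of the Go vendor hash and `vendorHash = "sha256-7wIdwTv4jMpFQkl3tKeH3MWxJ/EbiFg5FtGSAvNNpos=";` is the current attribute with the same value. `platforms = platforms.all` is probably too wide for a bouncer that programs a host firewall; `platforms.linux` seems closer, though I cannot verify the upstream build matrix from here. A one-line comment above `patches` saying why the nested `go.mod` is removed (the vendored module otherwise fails the Nix vendor step, presumably) would save the next maintainer a trip to the patch file.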


@ -1,8 +1,5 @@
purge:
environment: ENC[AES256_GCM,data:4qxa4Jod8vFdd5NzHugeRlo5MtEMoUQfbCYhualyfF7RZMms7G/R4OB2RSfv5BekJechU8t8i0+2rHt/c9sVd+JU7Za20bzVqVz7wvMAiZKV,iv:1QesCJz2+tmvrNLIkAhvzMLKQy7IEP7muA7J1ijINI4=,tag:Bn3tIhMm+qOJ764XlAIm/A==,type:str]
mail:
rouven: ENC[AES256_GCM,data:aUUH36pDczOufIgDKWz3obcQOloKBpydZfXMUDHGrsJ3h8O0kZYFmq389L86PJ2YISTd7Jv8PfUYPdLi3e80UggKh7SdtP/bBw==,iv:XgZNmCR+XZhjMxV6H2mtepqt4YUADG+45m9P8jdLVNY=,tag:p2RNQ7uBNctJqm69kXxTug==,type:str]
rspamd: ENC[AES256_GCM,data:Q4V/0aPl9K+ba3aKAZH5Q0lnixIAQBMgPTmMfDP1ZnYAObVc,iv:NBlFpAVBw8az1qEQd+vDmzUHGPMQYuok9MXydHgx8IY=,tag:QptoxnuA+1XB4/0Zd9Yr3Q==,type:str]
token: ENC[AES256_GCM,data:mCK0xAgF4Q8DOTPVRg/O5L8kpDItNj8U0ikoKOOZC3Dv50Yt/nqvq4j4fM0CQ836pxCutir6FkTKbS5xS5XqKoSzu8E/0Q==,iv:JDqyeG+g3RAHmMD4uxS6eyQYYI50X6Bwutp+/v2ngq8=,tag:JkqLWoSwwghNUCD2+I6Njg==,type:str]
sops:
kms: []
gcp_kms: []
@ -18,8 +15,8 @@ sops:
NGlZbU8rcWJRbGE5OEFHdUNqZ2xUS2sK/r7qJHfTP0REcM2PYM95XT0onnCYXzam
20BgfynX3PJE2QVcgl8rr7ssuKxESi+tY/1VB0l8Tryxe6hr/p5IVg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-05-28T20:06:48Z"
mac: ENC[AES256_GCM,data:hZk9ltfNRKuTm+ePBpU5wKRexlmRd9oEuHRAjZ4kHRbJBEBTeALOcYXgNXu9ws70hZR7do869tdjY+k1Li+cquqgBFTMIs0R+hBmD9q1Tpv0bMEuQ1t3dHEiMvkm/oi19QKpZLDw9SWlwD1mw3J/4a+w/t1dR5PSrt9SWGkV6mU=,iv:DKjVYYyF5to9Bd84fT1Wl58dLs7Il160o210k/tEQaM=,tag:SgGkU0cDr61kYnmgGGkxGw==,type:str]
lastmodified: "2023-07-20T19:34:57Z"
mac: ENC[AES256_GCM,data:0/r6bPhpdjO/gmQik5NUKA028z0RGmJ7jzum5ZLr/H/540c5nHgPc7URyGcmp2xH5KkmxtcXPloUvZTDep3XsitJtWSmRhME31CrUNan0iWShj4ERbw8/hlLEy5ILc2ko79ofKjjmF6pPxoyeqqQQnSrJBF9qJfQDbQ2jY1GRmY=,iv:0LPC2g6eStt0+tTYBxN3d4sxr6fthCHsudiOhQJTj1A=,tag:nLPVgixzs1+3LroVyvgbFw==,type:str]
pgp:
- created_at: "2023-04-12T15:47:07Z"
enc: |-


@ -1,9 +1,12 @@
{ ... }:
{
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
pinentryFlavor = "gnome3";
programs.gnupg = {
dirmngr.enable = true;
agent = {
enable = true;
enableSSHSupport = true;
pinentryFlavor = "gnome3";
};
};
services.pcscd.enable = true;
}


@ -310,4 +310,7 @@ in
home.file.".urlview".text = ''
COMMAND ${pkgs.xdg-utils}/bin/xdg-open %s &> /dev/null
'';
home.file.".gnupg/dirmngr_ldapservers.conf".text = ''
ldap.pca.dfn.de::::o=DFN-Verein,c=DE
'';
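Review bot: The new `dirmngr_ldapservers.conf` line `ldap.pca.dfn.de::::o=DFN-Verein,c=DE` leaves the port and trailing fields empty, so dirmngr will contact the server over plain LDAP on the default port; certificate and CRL lookups then travel unencrypted, which exposes which certificates are being fetched and leaves the transport open to tampering (signatures on the returned objects limit, but do not remove, the impact). If the GnuPG release in use supports the flags field after the base DN, `ldap.pca.dfn.de::::o=DFN-Verein,c=DE:ldaps` requests TLS; if not, a comment such as `# DFN PCA directory, reached over plain LDAP — lookups are not confidential` documents the choice. The enclosing home-manager attribute set begins before this hunk.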
}