better up purge and mail secrets

2025-04-25 16:08:30 +02:00 · 2023-07-20 21:35:12 +02:00 · 2023-07-20 21:35:12 +02:00 · f1f11eee2a
commit f1f11eee2a
parent 48225f3c36
12 changed files with 101 additions and 46 deletions
--- a/hosts/falkenstein-1/default.nix
+++ b/hosts/falkenstein-1/default.nix
@ -39,6 +39,8 @@
    helix
    lsof
    python3
+    crowdsec
+    crowdsec-firewall-bouncer
  ];
  programs.git = {
    enable = true;
--- a/hosts/falkenstein-1/modules/mail/default.nix
+++ b/hosts/falkenstein-1/modules/mail/default.nix
@ -6,9 +6,6 @@ let
  rspamd-domain = "rspamd.${domain}";
 in
 {
-  sops.secrets."mail/rouven".owner = config.users.users.postfix.name;
-  sops.secrets."rspamd".owner = config.users.users.rspamd.name;
-
  networking.firewall.allowedTCPPorts = [
    25 # insecure SMTP
    465
@ -160,7 +157,9 @@ in
      enable = true;
      postfix.enable = true;
      locals = {
-        "worker-controller.inc".source = config.sops.secrets."rspamd".path;
+        "worker-controller.inc".text = ''
+          password = "$2$g1jh7t5cxschj11set5wksd656ixd5ie$cgwrj53hfb87xndqbh5r3ow9qfi1ejii8dxok1ihbnhamccn1rxy";
+        '';
        "redis.conf".text = ''
          read_servers = "127.0.0.1";
          write_servers = "127.0.0.1";
--- a/hosts/falkenstein-1/modules/purge/default.nix
+++ b/hosts/falkenstein-1/modules/purge/default.nix
@ -3,14 +3,14 @@ let
  domain = "purge.rfive.de";
 in
 {
-  sops.secrets."purge/environment".owner = "purge";
+  sops.secrets."purge/token".owner = "purge";
  services.purge = {
    enable = true;
    discord = {
      clientId = "941041925216157746";
      publicKey = "d2945f6130d9b4a8dda8c8bf52db5dee127a82f89c6b8782e84aa8f45f61d402";
+      tokenFile = config.sops.secrets."purge/token".path;
    };
-    environmentFile = config.sops.secrets."purge/environment".path;
  };
  services.nginx.virtualHosts."${domain}" = {
    enableACME = true;
--- a/hosts/thinkpad/default.nix
+++ b/hosts/thinkpad/default.nix
@ -44,21 +44,21 @@
        "nuc.lan:a9UkVw3AizAKCER1CfNGhx8UOMF4t4UGE3GJ9dmHwJc="
      ];
    };
-    distributedBuilds = true;
-    extraOptions = ''
-      builders-use-substitutes = true
-    '';
-    buildMachines = [
-      {
-        hostName = "nuc.lan";
-        system = "x86_64-linux";
-        protocol = "ssh-ng";
-        maxJobs = 4;
-        speedFactor = 1;
-        supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
-        mandatoryFeatures = [ ];
-      }
-    ];
+    # distributedBuilds = true;
+    # extraOptions = ''
+    #   builders-use-substitutes = true
+    # '';
+    # buildMachines = [
+    #   {
+    #     hostName = "nuc.lan";
+    #     system = "x86_64-linux";
+    #     protocol = "ssh-ng";
+    #     maxJobs = 4;
+    #     speedFactor = 1;
+    #     supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
+    #     mandatoryFeatures = [ ];
+    #   }
+    # ];
  };

  environment.persistence."/nix/persist/system" = {