better up purge and mail secrets

This commit is contained in:
Rouven Seifert 2023-07-20 21:35:12 +02:00
parent 48225f3c36
commit f1f11eee2a
Signed by: rouven.seifert
GPG key ID: B95E8FE6B11C4D09
12 changed files with 101 additions and 46 deletions


@ -171,11 +171,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1689495092, "lastModified": 1689875525,
"narHash": "sha256-yZu2j5FpLZEPhJQQutMCPTxa1VMigLPabLYvLTq6ASM=", "narHash": "sha256-fgUrFH3bMZ6R7qgBTfuTRGlkZXIkdyjndl6ZbExbjE8=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "2f84579a70b8c74e5ebb37299a0c3ba279f09382", "rev": "1443abd2696ec6bd6fb9701e6c26b277a27b4a3e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -301,11 +301,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1689444953, "lastModified": 1689679375,
"narHash": "sha256-0o56bfb2LC38wrinPdCGLDScd77LVcr7CrH1zK7qvDg=", "narHash": "sha256-LHUC52WvyVDi9PwyL1QCpaxYWBqp4ir4iL6zgOkmcb8=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "8acef304efe70152463a6399f73e636bcc363813", "rev": "684c17c429c42515bafb3ad775d2a710947f3d67",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -347,11 +347,11 @@
}, },
"nixpkgs-stable_2": { "nixpkgs-stable_2": {
"locked": { "locked": {
"lastModified": 1689398528, "lastModified": 1689473667,
"narHash": "sha256-qVn/doWn20axR+KvmAAGexv0A5RVzcBbd5HfNMAMeVI=", "narHash": "sha256-41ePf1ylHMTogSPAiufqvBbBos+gtB6zjQlYFSEKFMM=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "3dc2bc15956db2ff2316af45eefd45803fc1372b", "rev": "13231eccfa1da771afa5c0807fdd73e05a1ec4e6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -399,11 +399,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1689427636, "lastModified": 1689880943,
"narHash": "sha256-COACHJYnu/ngg/1R40s3zkeMwrBV1cVU6xUfZKAON0g=", "narHash": "sha256-qFUNtcCGfZldDgvuPLk4J2ww+CNwDmTUWLnn/jgxHJM=",
"owner": "therealr5", "owner": "therealr5",
"repo": "purge", "repo": "purge",
"rev": "3674000c8b6993c132aea92456394b49ca62e896", "rev": "869b5723dfb5d7e7650d631215771dfa4f48bf11",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -460,11 +460,11 @@
"nixpkgs-stable": "nixpkgs-stable_2" "nixpkgs-stable": "nixpkgs-stable_2"
}, },
"locked": { "locked": {
"lastModified": 1689405598, "lastModified": 1689534977,
"narHash": "sha256-80fuO3FiXgJmUDQgB7sc2lq8Qe/oSkqDNwx9N/fCtBs=", "narHash": "sha256-EB4hasmjKgetTR0My2bS5AwELZFIQ4zANLqHKi7aVXg=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "cfe47aff8660fd760b1db89613a3205c2c4ba7b6", "rev": "bd695cc4d0a5e1bead703cc1bec5fa3094820a81",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -65,6 +65,7 @@
jmri = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/jmri { }; jmri = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/jmri { };
adguardian-term = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/adguardian-term { }; adguardian-term = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/adguardian-term { };
pww = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/pww { }; pww = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/pww { };
crowdsec-firewall-bouncer = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/crowdsec-firewall-bouncer { };
}; };
hydraJobs = self.packages; hydraJobs = self.packages;
formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt; formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt;
@ -114,6 +115,9 @@
modules = [ modules = [
./hosts/falkenstein-1 ./hosts/falkenstein-1
./shared ./shared
{
nixpkgs.overlays = [ self.overlays.default ];
}
nix-index-database.nixosModules.nix-index nix-index-database.nixosModules.nix-index
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
purge.nixosModules.default purge.nixosModules.default
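Review bot: The added `crowdsec-firewall-bouncer = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/crowdsec-firewall-bouncer { };` duplicates the definition this commit also adds to the overlay file (`crowdsec-firewall-bouncer = callPackage ../pkgs/crowdsec-firewall-bouncer { };`), continuing the pattern of keeping the two lists in sync by hand. A missed entry in either place shows up only as an evaluation error later; deriving `packages.x86_64-linux` from the overlay (or the overlay from `self.packages`) would remove the duplication. The overlay is injected only into the `falkenstein-1` module list in the second hunk, presumably because that is the only host that needs it, which deserves a one-line comment such as `# overlay needed here for crowdsec-firewall-bouncer`. The enclosing `outputs` function starts and ends outside the hunk.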


@ -39,6 +39,8 @@
helix helix
lsof lsof
python3 python3
crowdsec
crowdsec-firewall-bouncer
]; ];
programs.git = { programs.git = {
enable = true; enable = true;
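Review bot: Adding `crowdsec` and `crowdsec-firewall-bouncer` to `environment.systemPackages` only puts the binaries on the system; none of the twelve files in this commit defines a service unit, a bouncer configuration or an API key for it, so no decisions are enforced yet. If that is intentional, a comment such as `# binaries only for now; service wiring and a sops-managed bouncer API key still to come` would keep the next reader from assuming the host is already protected. The enclosing attribute set continues outside the hunk.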


@ -6,9 +6,6 @@ let
rspamd-domain = "rspamd.${domain}"; rspamd-domain = "rspamd.${domain}";
in in
{ {
sops.secrets."mail/rouven".owner = config.users.users.postfix.name;
sops.secrets."rspamd".owner = config.users.users.rspamd.name;
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
25 # insecure SMTP 25 # insecure SMTP
465 465
@ -160,7 +157,9 @@ in
enable = true; enable = true;
postfix.enable = true; postfix.enable = true;
locals = { locals = {
"worker-controller.inc".source = config.sops.secrets."rspamd".path; "worker-controller.inc".text = ''
password = "$2$g1jh7t5cxschj11set5wksd656ixd5ie$cgwrj53hfb87xndqbh5r3ow9qfi1ejii8dxok1ihbnhamccn1rxy";
'';
"redis.conf".text = '' "redis.conf".text = ''
read_servers = "127.0.0.1"; read_servers = "127.0.0.1";
write_servers = "127.0.0.1"; write_servers = "127.0.0.1";
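Review bot: The rspamd controller credential at `password = "$2$…"` is now a literal in the configuration instead of the sops-managed, rspamd-owned file the removed `"worker-controller.inc".source = config.sops.secrets."rspamd".path;` line pointed to, so it is committed to git history and, presumably, rendered into the world-readable Nix store when `.text` is materialised. An rspamd `$2$` value is a hash rather than the plaintext, but anyone with repository or store access can now test guesses against it offline, which is exactly the exposure the previous `sops.secrets."rspamd".owner = config.users.users.rspamd.name` setup avoided, and the value should be treated as exposed and rotated regardless of what happens to this hunk. If `.source` did not work with the sops path, keep the secret out of the store some other way, e.g. a UCL `.include` of the decrypted file from `worker-controller.inc`, rather than inlining it; the matching `rspamd:` entry dropped from the sops file in this commit would then stay. The enclosing `services.rspamd` attribute set starts and ends outside the hunk.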


@ -3,14 +3,14 @@ let
domain = "purge.rfive.de"; domain = "purge.rfive.de";
in in
{ {
sops.secrets."purge/environment".owner = "purge"; sops.secrets."purge/token".owner = "purge";
services.purge = { services.purge = {
enable = true; enable = true;
discord = { discord = {
clientId = "941041925216157746"; clientId = "941041925216157746";
publicKey = "d2945f6130d9b4a8dda8c8bf52db5dee127a82f89c6b8782e84aa8f45f61d402"; publicKey = "d2945f6130d9b4a8dda8c8bf52db5dee127a82f89c6b8782e84aa8f45f61d402";
tokenFile = config.sops.secrets."purge/token".path;
}; };
environmentFile = config.sops.secrets."purge/environment".path;
}; };
services.nginx.virtualHosts."${domain}" = { services.nginx.virtualHosts."${domain}" = {
enableACME = true; enableACME = true;


@ -44,21 +44,21 @@
"nuc.lan:a9UkVw3AizAKCER1CfNGhx8UOMF4t4UGE3GJ9dmHwJc=" "nuc.lan:a9UkVw3AizAKCER1CfNGhx8UOMF4t4UGE3GJ9dmHwJc="
]; ];
}; };
distributedBuilds = true; # distributedBuilds = true;
extraOptions = '' # extraOptions = ''
builders-use-substitutes = true # builders-use-substitutes = true
''; # '';
buildMachines = [ # buildMachines = [
{ # {
hostName = "nuc.lan"; # hostName = "nuc.lan";
system = "x86_64-linux"; # system = "x86_64-linux";
protocol = "ssh-ng"; # protocol = "ssh-ng";
maxJobs = 4; # maxJobs = 4;
speedFactor = 1; # speedFactor = 1;
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ]; # supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
mandatoryFeatures = [ ]; # mandatoryFeatures = [ ];
} # }
]; # ];
}; };
environment.persistence."/nix/persist/system" = { environment.persistence."/nix/persist/system" = {
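Review bot: The distributed-build settings from `distributedBuilds = true;` to `];` are commented out rather than removed or explained, leaving fifteen lines of dead configuration whose status (builder temporarily down, or dropped for good) is not visible. Prefer deleting the block, since git history keeps it, or put a one-line reason above it such as `# nuc.lan builder disabled: <reason>`. Note that the `nuc.lan:…` key in the hunk's context above, presumably a trusted public key entry, is still configured, so the host keeps trusting signatures from a builder it no longer uses. The enclosing `nix` attribute set starts outside the hunk.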


@ -28,6 +28,7 @@ in
}); });
pww = callPackage ../pkgs/pww { }; pww = callPackage ../pkgs/pww { };
crowdsec-firewall-bouncer = callPackage ../pkgs/crowdsec-firewall-bouncer { };
jmri = callPackage ../pkgs/jmri { }; jmri = callPackage ../pkgs/jmri { };
adguardian-term = callPackage ../pkgs/adguardian-term { }; adguardian-term = callPackage ../pkgs/adguardian-term { };
} }


@ -0,0 +1,22 @@
From be0cc576bedade783a26b58b6577ce9903784251 Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Thu, 20 Jul 2023 17:15:58 +0200
Subject: [PATCH] remove natend go.mod for nix builds
---
koneu/natend/go.mod | 3 ---
1 file changed, 3 deletions(-)
delete mode 100644 koneu/natend/go.mod
diff --git a/koneu/natend/go.mod b/koneu/natend/go.mod
deleted file mode 100644
index 92b93b4..0000000
--- a/koneu/natend/go.mod
+++ /dev/null
@@ -1,3 +0,0 @@
-module natend
-
-go 1.17
--
2.41.0


@ -0,0 +1,24 @@
{ lib, buildGoModule, makeWrapper, fetchFromGitHub, playerctl }:
buildGoModule rec {
pname = "crowdsec-firewall-bouncer";
version = "0.0.27";
src = fetchFromGitHub {
owner = "crowdsecurity";
repo = "cs-firewall-bouncer";
rev = "v${version}";
hash = "sha256-zrYs/9hH+sGG1RMFWMeTm1yIDPElGBr7rVGeWR3ff34=";
};
patches = [ ./0001-remove-natend-go-mod-for-nix-builds.patch ];
vendorSha256 = "sha256-7wIdwTv4jMpFQkl3tKeH3MWxJ/EbiFg5FtGSAvNNpos=";
meta = with lib; {
description = "Crowdsec bouncer written in golang for firewalls";
homepage = "https://github.com/crowdsecurity/cs-firewall-bouncer";
license = licenses.mit;
maintainers = with maintainers; [ therealr5 ];
platforms = platforms.all;
};
}
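Review bot: `makeWrapper` and `playerctl` are taken as arguments on the first line but never used anywhere in the expression, which looks like copy-paste residue from another package; `{ lib, buildGoModule, fetchFromGitHub }:` is sufficient. The `patches` entry would benefit from a comment stating why the nested `koneu/natend/go.mod` has to be removed (presumably so `buildGoModule` vendors that directory as part of the main module, which should be confirmed), e.g. `# drop the nested go.mod so vendoring covers koneu/natend`. `vendorSha256` is the older attribute name; if the pinned nixpkgs accepts it, `vendorHash` is the form current nixpkgs prefers. The source and vendor hashes are pinned, which is the right supply-chain posture for a package that will run with firewall privileges.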


@ -1,8 +1,5 @@
purge: purge:
environment: ENC[AES256_GCM,data:4qxa4Jod8vFdd5NzHugeRlo5MtEMoUQfbCYhualyfF7RZMms7G/R4OB2RSfv5BekJechU8t8i0+2rHt/c9sVd+JU7Za20bzVqVz7wvMAiZKV,iv:1QesCJz2+tmvrNLIkAhvzMLKQy7IEP7muA7J1ijINI4=,tag:Bn3tIhMm+qOJ764XlAIm/A==,type:str] token: ENC[AES256_GCM,data:mCK0xAgF4Q8DOTPVRg/O5L8kpDItNj8U0ikoKOOZC3Dv50Yt/nqvq4j4fM0CQ836pxCutir6FkTKbS5xS5XqKoSzu8E/0Q==,iv:JDqyeG+g3RAHmMD4uxS6eyQYYI50X6Bwutp+/v2ngq8=,tag:JkqLWoSwwghNUCD2+I6Njg==,type:str]
mail:
rouven: ENC[AES256_GCM,data:aUUH36pDczOufIgDKWz3obcQOloKBpydZfXMUDHGrsJ3h8O0kZYFmq389L86PJ2YISTd7Jv8PfUYPdLi3e80UggKh7SdtP/bBw==,iv:XgZNmCR+XZhjMxV6H2mtepqt4YUADG+45m9P8jdLVNY=,tag:p2RNQ7uBNctJqm69kXxTug==,type:str]
rspamd: ENC[AES256_GCM,data:Q4V/0aPl9K+ba3aKAZH5Q0lnixIAQBMgPTmMfDP1ZnYAObVc,iv:NBlFpAVBw8az1qEQd+vDmzUHGPMQYuok9MXydHgx8IY=,tag:QptoxnuA+1XB4/0Zd9Yr3Q==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -18,8 +15,8 @@ sops:
NGlZbU8rcWJRbGE5OEFHdUNqZ2xUS2sK/r7qJHfTP0REcM2PYM95XT0onnCYXzam NGlZbU8rcWJRbGE5OEFHdUNqZ2xUS2sK/r7qJHfTP0REcM2PYM95XT0onnCYXzam
20BgfynX3PJE2QVcgl8rr7ssuKxESi+tY/1VB0l8Tryxe6hr/p5IVg== 20BgfynX3PJE2QVcgl8rr7ssuKxESi+tY/1VB0l8Tryxe6hr/p5IVg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-05-28T20:06:48Z" lastmodified: "2023-07-20T19:34:57Z"
mac: ENC[AES256_GCM,data:hZk9ltfNRKuTm+ePBpU5wKRexlmRd9oEuHRAjZ4kHRbJBEBTeALOcYXgNXu9ws70hZR7do869tdjY+k1Li+cquqgBFTMIs0R+hBmD9q1Tpv0bMEuQ1t3dHEiMvkm/oi19QKpZLDw9SWlwD1mw3J/4a+w/t1dR5PSrt9SWGkV6mU=,iv:DKjVYYyF5to9Bd84fT1Wl58dLs7Il160o210k/tEQaM=,tag:SgGkU0cDr61kYnmgGGkxGw==,type:str] mac: ENC[AES256_GCM,data:0/r6bPhpdjO/gmQik5NUKA028z0RGmJ7jzum5ZLr/H/540c5nHgPc7URyGcmp2xH5KkmxtcXPloUvZTDep3XsitJtWSmRhME31CrUNan0iWShj4ERbw8/hlLEy5ILc2ko79ofKjjmF6pPxoyeqqQQnSrJBF9qJfQDbQ2jY1GRmY=,iv:0LPC2g6eStt0+tTYBxN3d4sxr6fthCHsudiOhQJTj1A=,tag:nLPVgixzs1+3LroVyvgbFw==,type:str]
pgp: pgp:
- created_at: "2023-04-12T15:47:07Z" - created_at: "2023-04-12T15:47:07Z"
enc: |- enc: |-


@ -1,9 +1,12 @@
{ ... }: { ... }:
{ {
programs.gnupg.agent = { programs.gnupg = {
dirmngr.enable = true;
agent = {
enable = true; enable = true;
enableSSHSupport = true; enableSSHSupport = true;
pinentryFlavor = "gnome3"; pinentryFlavor = "gnome3";
}; };
};
services.pcscd.enable = true; services.pcscd.enable = true;
} }


@ -310,4 +310,7 @@ in
home.file.".urlview".text = '' home.file.".urlview".text = ''
COMMAND ${pkgs.xdg-utils}/bin/xdg-open %s &> /dev/null COMMAND ${pkgs.xdg-utils}/bin/xdg-open %s &> /dev/null
''; '';
home.file.".gnupg/dirmngr_ldapservers.conf".text = ''
ldap.pca.dfn.de::::o=DFN-Verein,c=DE
'';
} }
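Review bot: The new `ldap.pca.dfn.de::::o=DFN-Verein,c=DE` entry leaves the port, user and password fields empty and carries no flags, so dirmngr will presumably query that server over plain LDAP on the default port; the returned certificates and keys are self-authenticating, but the lookups themselves travel unencrypted and reveal which identities are being resolved. If the GnuPG version in use supports the trailing flags field of `dirmngr_ldapservers.conf`, `ldap.pca.dfn.de::::o=DFN-Verein,c=DE:ldaps` (after confirming the server offers TLS) is the cheap improvement. A short comment naming what this server is for, presumably the DFN PKI for X.509/S-MIME lookups, would also help, since the file is otherwise opaque. The enclosing home-manager attribute set starts outside the hunk.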