feat: use agenix to manage secrets

This commit is contained in:
Nydragon 2024-08-20 17:06:36 +02:00
parent 3630cc995e
commit 48d6b6a5b9
Signed by: nydragon
SSH key fingerprint: SHA256:iQnIC12spf4QjWSbarmkD2No1cLMlu6TWoV7K6cYF5g
10 changed files with 184 additions and 22 deletions

106
flake.lock generated

@ -1,5 +1,48 @@
{
"nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": "nixpkgs",
"systems": "systems"
},
"locked": {
"lastModified": 1723293904,
"narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
"owner": "ryantm",
"repo": "agenix",
"rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1700795494,
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"disko": {
"inputs": {
"nixpkgs": [
@ -42,7 +85,7 @@
},
"flake-utils": {
"inputs": {
"systems": "systems"
"systems": "systems_2"
},
"locked": {
"lastModified": 1710146030,
@ -59,6 +102,27 @@
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703113217,
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_2": {
"inputs": {
"nixpkgs": [
"nixpkgs"
@ -95,6 +159,22 @@
}
},
"nixpkgs": {
"locked": {
"lastModified": 1703013332,
"narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1723175592,
"narHash": "sha256-M0xJ3FbDUc4fRZ84dPGx5VvgFsOzds77KiBMW/mMTnI=",
@ -110,7 +190,7 @@
"type": "github"
}
},
"nixpkgs_2": {
"nixpkgs_3": {
"locked": {
"lastModified": 1718428119,
"narHash": "sha256-WdWDpNaq6u1IPtxtYHHWpl5BmabtpmLnMAx0RdJ/vo8=",
@ -150,17 +230,18 @@
},
"root": {
"inputs": {
"agenix": "agenix",
"disko": "disko",
"flake-parts": "flake-parts",
"home-manager": "home-manager",
"home-manager": "home-manager_2",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs",
"nixpkgs": "nixpkgs_2",
"rofi-obsidian": "rofi-obsidian"
}
},
"rust-overlay": {
"inputs": {
"nixpkgs": "nixpkgs_2"
"nixpkgs": "nixpkgs_3"
},
"locked": {
"lastModified": 1720318855,
@ -190,6 +271,21 @@
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",


@ -3,7 +3,9 @@
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
nixos-hardware.url = "github:NixOS/nixos-hardware/master";
home-manager = {
url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nixpkgs";
@ -19,6 +21,8 @@
inputs.nixpkgs.follows = "nixpkgs";
};
agenix.url = "github:ryantm/agenix";
rofi-obsidian = {
url = "github:nydragon/rofi-obsidian";
inputs.nixpkgs.follows = "nixpkgs";
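Review bot: The new `agenix.url = "github:ryantm/agenix";` input does not pin agenix's own inputs to this flake's, unlike `home-manager` above and the `inputs.nixpkgs.follows = "nixpkgs";` pattern used for the other inputs, which is why the lock file in this commit gains a separate nixpkgs, home-manager and nix-darwin checkout for agenix (the nodes renamed with `_2`/`_3` suffixes). Consider `agenix = { url = "github:ryantm/agenix"; inputs.nixpkgs.follows = "nixpkgs"; inputs.home-manager.follows = "home-manager"; };` so the agenix NixOS module is evaluated against the same nixpkgs as the rest of the system. Whether the `darwin` input should be overridden as well depends on whether any darwin hosts exist in this flake, which is not visible here; the surrounding `inputs` set continues outside the hunk.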


@ -23,7 +23,10 @@ in
raptus = lib.my.mkSystem {
hostname = "raptus";
system = "x86_64-linux";
extraModules = [ inputs.disko.nixosModules.disko ];
extraModules = [
inputs.disko.nixosModules.disko
inputs.agenix.nixosModules.default
];
};
};
}


@ -13,6 +13,8 @@
../../modules/nix
];
age.secrets.couchdb.file = ../../secrets/couchdb.age;
device.type = {
vm.enable = true;
server.enable = true;
@ -25,7 +27,11 @@
networking.firewall = lib.mkForce {
enable = true;
allowedTCPPorts = [ 80 ];
allowedTCPPorts = [
80
22
5984 # couchdb
];
};
services.nginx = {
@ -33,12 +39,10 @@
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts."rusty.ccnlc.eu" = {
#enableACME = true;
#forceSSL = true;
# TODO: Enable https
locations."/" = {
proxyPass = "http://127.0.0.1:8000";
proxyWebsockets = true; # needed if you need to use WebSocket
extraConfig = ''
proxy_ssl_server_name on;
proxy_pass_header Authorization;'';
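Review bot: The firewall now admits TCP 5984 (`5984 # couchdb`) on a host where TLS is still switched off in the nginx vhost (`#enableACME`, `#forceSSL`, `# TODO: Enable https`), so the CouchDB HTTP API and the credentials this commit moves into the age secret are exchanged in plaintext with any remote client. If 5984 is only needed locally or via the proxy, leaving it out of `allowedTCPPorts` and exposing CouchDB through a TLS-terminating vhost is the safer default; if remote clients genuinely need direct access, a comment on that line stating which ones and why makes the exception reviewable. Port 22 is also newly listed here, which the commit message does not mention. The enclosing `networking.firewall` and `services.nginx` attribute sets extend outside the hunk.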


@ -32,7 +32,6 @@
mountOptions = [ "defaults" ];
};
};
};
};
};


@ -1,5 +1,10 @@
# Auto-generated using compose2nix v0.2.2-pre.
{ pkgs, lib, ... }:
{
pkgs,
lib,
config,
...
}:
{
# Runtime
@ -17,12 +22,9 @@
# Containers
virtualisation.oci-containers.containers."obsidian-livesync" = {
image = "couchdb";
environment = {
"COUCHDB_PASSWORD" = "";
"COUCHDB_USER" = "";
};
environmentFiles = [ config.age.secrets.couchdb.path ];
volumes = [
"${./local.ini}:/opt/couchdb/etc/local.ini:ro"
"${./local.ini}:/opt/couchdb/etc/local.ini:rw"
"test_dbdata:/opt/couchdb/data:rw"
];
ports = [ "5984:5984/tcp" ];
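Review bot: The bind mount of `${./local.ini}` changes from `:ro` to `:rw`, but the source is a path interpolated into the Nix store, which is immutable, so the `rw` flag cannot actually let the container modify the file and the reason for the change is not recorded. If the intent is to let CouchDB rewrite local.ini itself (it is presumably where it persists its hashed admin credentials, but that is not visible here), the file would need to live somewhere mutable; otherwise restoring `:ro` keeps the container from altering its own configuration. A comment on that line, e.g. `# rw: <reason>`, would settle it either way. Replacing the empty `COUCHDB_USER`/`COUCHDB_PASSWORD` entries with `environmentFiles = [ config.age.secrets.couchdb.path ];` is the right direction, provided the secret's default file ownership is readable by the unit that launches the container.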


@ -0,0 +1,28 @@
services:
couchserver:
image: couchdb
container_name: obsidian-livesync
restart: always
ports:
- 5984:5984
environment:
- COUCHDB_USER=USERNAME
- COUCHDB_PASSWORD=PASSWORD
volumes:
- dbdata:/opt/couchdb/data
- ./local.ini:/opt/couchdb/etc/local.ini
rustypaste:
image: orhunp/rustypaste:${IMAGE_TAG:-latest}
build: .
container_name: rustypaste
restart: always
environment:
- RUST_LOG=debug
ports:
- "8000:8000"
volumes:
- rustypaste-data:/app/upload
- ./rusty.toml:/app/config.toml
volumes:
dbdata:
rustypaste-data:
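Review bot: The new compose file carries literal `COUCHDB_USER=USERNAME` / `COUCHDB_PASSWORD=PASSWORD` entries while the NixOS module for the same `obsidian-livesync` container now reads its credentials from `config.age.secrets.couchdb.path`; this file looks like the compose2nix input for that module (its header says `Auto-generated using compose2nix`), but nothing in the file says so. A header comment such as `# compose2nix source only; not deployed directly. Credentials here are placeholders, real values live in secrets/couchdb.age.` would stop a future edit from putting real credentials into this tracked file. The `5984:5984` publish line binds on all interfaces, which only matters if the compose file is ever run as-is.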


@ -3,9 +3,9 @@ refresh_rate = "1s"
[server]
address = "127.0.0.1:8000"
url = "https://vps.ccnlc.eu"
#workers=4
max_content_length = "10MB"
url = "http://rusty.ccnlc.eu"
workers = 4
max_content_length = "50MB"
upload_path = "./upload"
timeout = "30s"
expose_version = false
@ -65,6 +65,6 @@ mime_blacklist = [
"application/java-archive",
"application/java-vm",
]
duplicate_files = true
# default_expiry = "1h"
duplicate_files = false
default_expiry = "1h"
delete_expired_files = { enabled = true, interval = "1h" }
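Review bot: `url` moves from `https://vps.ccnlc.eu` to `http://rusty.ccnlc.eu`, so the links rustypaste hands back to clients will be plain-http, consistent with the nginx vhost in this commit where ACME/forceSSL are commented out under `# TODO: Enable https`. The two settings have to flip together; a comment on this line, `# TODO: switch back to https once the rusty.ccnlc.eu vhost enables ACME/forceSSL`, ties them so one is not fixed without the other. The remaining changes (`workers = 4`, `max_content_length = "50MB"`, `duplicate_files = false`, `default_expiry = "1h"`) are unrelated to the secrets feature in the title and unexplained in the commit message; a line in the description would help.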

10
secrets/couchdb.age Normal file

@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 JjL30A 1/KAH0fjeZMgw4Dk/bC+CEf2NDQKdtfjSWxictQp5HI
6JHuy5vMZ6+v8G3PWfIEb3swCR59Tk0bDKKWya61LmM
-> ssh-ed25519 nueAfA MnaKgyOTgK1mPfjeZ4eb4MFj1zuOPDJhgzmCn5GaG3Y
Qh/hMUMNiCsgSiG7yisCnGixuWEvcK9X0OKhuzonIj8
-> ssh-ed25519 WcjW5A J4391GLRJBvK2j6K7uuFOlQSAvohDSGJCKff3yTwkGY
spDoDXT5elna781WJK+fynbSHaXsQacX+ED5Q1KDrfA
--- ZM3EXe2MWKhl9NfO0r8vKaC0dfCE75GB03+s9RkQye4
f4Ø,EWYYòG£ÜUÛ³«Í˜¨úÌ1Gnó³háQÉ^v TïDŒÉò†²Ÿ^X¹šc+Úÿ
QdÒ† EÚ»n«ýèªN”\ÒΑiôÀFÓGþ]çrÞE*éš¡‡—qølç¾ËMÿgÉü£•:¿«ŒŠ¥È¯ÏpÛìà|ƒ6D=Ÿ<ñ5,rÐ×ö:wÞGµÀ KÈpY]mhå?ŽD ˜sTÞ2

16
secrets/secrets.nix Normal file

@ -0,0 +1,16 @@
let
userBrontes = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMvPqWPXEUOSMGMIRmirQfbrzq//NkPlEI2TmFpIkSfw";
userMarr = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGwlScEmVbdc0EH93XLX+K8yP5FKUKzMf/bWTSO+rMiO";
users = [
userMarr
userBrontes
];
raptus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIErbhkpCL0DuJQTxeTqxtrGvELCQFkyZmhTZ8fagszOU";
systems = [ raptus ];
in
{
"couchdb.age".publicKeys = [ raptus ] ++ users;
}
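Review bot: `systems = [ raptus ];` is declared but never used: the secret is granted with `"couchdb.age".publicKeys = [ raptus ] ++ users;`, so a host appended to `systems` later would silently be unable to decrypt anything. Either write `"couchdb.age".publicKeys = systems ++ users;` or drop the `systems` binding. A one-line comment above `users` noting that every key listed there can decrypt the production CouchDB credential documents the intended trust boundary for whoever adds the next key.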