From 72a8dba4409738c94c74ed5d1467e2205cab9c70 Mon Sep 17 00:00:00 2001 From: blaknull Date: Sat, 2 Nov 2024 18:17:27 -0500 Subject: [PATCH] traefik ssl and sops-nix --- flake.lock | 18 +-- home-manager/impermanence/default.nix | 1 + .../configuration/homebox/.sops.yaml | 7 + .../configuration/homebox/default.nix | 22 ++- .../homebox/secrets/secrets.yaml | 21 +++ system-config/packages/default.nix | 7 +- .../services/containers/gitlab/default.nix | 2 +- .../services/containers/traefik/default.nix | 136 ++++++++++++++---- 8 files changed, 170 insertions(+), 44 deletions(-) create mode 100644 system-config/configuration/homebox/.sops.yaml create mode 100644 system-config/configuration/homebox/secrets/secrets.yaml diff --git a/flake.lock b/flake.lock index da4f5f8..b0dbce7 100644 --- a/flake.lock +++ b/flake.lock @@ -1161,11 +1161,11 @@ "locked": { "lastModified": 0, "narHash": "sha256-vhkyPcraN1gHPR50nUBwPGMdGP1p20/3n4i8uAuragY=", - "path": "/nix/store/lrsmj060ljm23wc76633xbplar1hly3h-source/home-manager", + "path": "/nix/store/pvjjq7d2bcvrfx4jmgnpfj4mzwjjcncf-source/home-manager", "type": "path" }, "original": { - "path": "/nix/store/lrsmj060ljm23wc76633xbplar1hly3h-source/home-manager", + "path": "/nix/store/pvjjq7d2bcvrfx4jmgnpfj4mzwjjcncf-source/home-manager", "type": "path" } }, @@ -1746,11 +1746,11 @@ "locked": { "lastModified": 1, "narHash": "sha256-HAuZ9X84fuwUcit6NWUoJCjHj+29nST/YN6Rs8JQugY=", - "path": "/nix/store/kkxrpkxcbs8fngdrlmm4hcrxy1cq17w2-source/programs", + "path": "/nix/store/l5fryyz3kpp9643rwvj5x1yhpcnk4rf5-source/programs", "type": "path" }, "original": { - "path": "/nix/store/kkxrpkxcbs8fngdrlmm4hcrxy1cq17w2-source/programs", + "path": "/nix/store/l5fryyz3kpp9643rwvj5x1yhpcnk4rf5-source/programs", "type": "path" } }, 
@@ -1832,11 +1832,11 @@ "locked": { "lastModified": 1, "narHash": "sha256-0Ztx5DVQ2I7hvCK/qjGa4XTdRgbzM8rhf19m0al8lVM=", - "path": "/nix/store/kkxrpkxcbs8fngdrlmm4hcrxy1cq17w2-source/services/sddm", + "path": "/nix/store/l5fryyz3kpp9643rwvj5x1yhpcnk4rf5-source/services/sddm", "type": "path" }, "original": { - "path": "/nix/store/kkxrpkxcbs8fngdrlmm4hcrxy1cq17w2-source/services/sddm", + "path": "/nix/store/l5fryyz3kpp9643rwvj5x1yhpcnk4rf5-source/services/sddm", "type": "path" } }, @@ -1903,12 +1903,12 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-/D17aRAD/fn6SBS9l3RJln+kTINI8DljIih0qc6Kdh4=", - "path": "/nix/store/lrsmj060ljm23wc76633xbplar1hly3h-source/system-config", + "narHash": "sha256-S4jXJkYHvv1ssTGJ/TbjZ1OPWjQSZWxjfcuhAMEpNJc=", + "path": "/nix/store/pvjjq7d2bcvrfx4jmgnpfj4mzwjjcncf-source/system-config", "type": "path" }, "original": { - "path": "/nix/store/lrsmj060ljm23wc76633xbplar1hly3h-source/system-config", + "path": "/nix/store/pvjjq7d2bcvrfx4jmgnpfj4mzwjjcncf-source/system-config", "type": "path" } }, diff --git a/home-manager/impermanence/default.nix b/home-manager/impermanence/default.nix index 1859b65..ac9a9a7 100644 --- a/home-manager/impermanence/default.nix +++ b/home-manager/impermanence/default.nix @@ -17,6 +17,7 @@ ]; files = [ ".zsh_history" + ".config/sops/age/keys.txt" ]; allowOther = true; }; diff --git a/system-config/configuration/homebox/.sops.yaml b/system-config/configuration/homebox/.sops.yaml new file mode 100644 index 0000000..88290a5 --- /dev/null +++ b/system-config/configuration/homebox/.sops.yaml @@ -0,0 +1,7 @@ +keys: + - &primary age1z20c7s7aw4jwdnfqp85lzx9gg3zk396x5pdw9gwzgvxs932m7d7qlhhwre +creation_rules: + - path_regex: secrets/secrets.yaml$ + key_groups: + - age: + - *primary diff --git a/system-config/configuration/homebox/default.nix b/system-config/configuration/homebox/default.nix index 88adea4..ada94d1 100644 --- a/system-config/configuration/homebox/default.nix 
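Review bot: The new `.config/sops/age/keys.txt` entry persists the age private key that is the only recipient of the secrets added in this commit, and nothing here says how that file is protected once it lives under the persistence root, so it deserves a comment plus a check that the persisted copy is `0600` and its parent directory is not world-readable (with `allowOther = true` a few lines below, other local users appear to be able to traverse the persisted tree, so file modes are the only barrier). I would add above the entry `# age private key for sops-nix (sole recipient in system-config/configuration/homebox/.sops.yaml): keep 0600 and back it up out of band — losing it makes secrets.yaml unrecoverable`. The enclosing `persistence` attribute set starts before this hunk.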
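Review bot: `creation_rules` lists a single age recipient, so one private key is both the only decryptor and the only recovery path; if `age1z20…` is the key the same commit persists under `~/.config/sops/age/keys.txt`, the host has no key of its own (the homebox config sets neither `sops.age.keyFile` nor `sops.age.sshKeyPaths`, and sops-nix's fallback, the host's ed25519 SSH key, is not a recipient here), so `nathan_pass`, which is `neededForUsers`, cannot be decrypted at activation. Add the host SSH key as a second recipient — `nix-shell -p ssh-to-age --run 'ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub'` prints its age public key — under `keys:` and in the `age:` list, then run `sops updatekeys secrets/secrets.yaml`, so homebox boots without the personal key and losing the laptop key does not lock the machine out. Anchoring the rule, `path_regex: ^secrets/secrets\.yaml$`, also keeps it from matching any other path with that suffix.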
+++ b/system-config/configuration/homebox/default.nix @@ -86,9 +86,9 @@ hostName = "homebox"; nameservers = [ "1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one" ]; networkmanager.enable = true; - firewall.allowedTCPPorts = [ 22 80 443 9080 9443 8080 ]; + firewall.allowedTCPPorts = [ 22 80 443 8000 ]; hosts = { - "127.0.0.1" = [ "blunkall.us" "www.blunkall.us" ]; + "192.168.100.11" = [ "blunkall.us" "*.blunkall.us" "*.local.blunkall.us" ]; }; nftables = {}; nat = { @@ -102,7 +102,7 @@ users.users."nathan" = { isNormalUser = true; - initialPassword = "7567"; + hashedPasswordFile = config.sops.secrets.nathan_pass.path; extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsU69CxfQk58CvItPN426h5Alnpb60SH37wet97Vb57 nathan@laptop" @@ -151,7 +151,7 @@ "/var/lib/nixos" "/var/lib/systemd/coredump" "/etc/NetworkManager/system-connections" - { directory = "/var/lib/colord"; user = "colord"; group = "colord"; mode = "u=rwx,g=rx,o="; } + { directory = "/var/lib/sops"; user = "root"; group = "root"; mode = "u=rwx,g=,o="; } ]; files = [ "/etc/machine-id" @@ -159,10 +159,20 @@ "/etc/ssh/ssh_host_ed25519_key.pub" "/etc/ssh/ssh_host_rsa_key" "/etc/ssh/ssh_host_rsa_key.pub" - { file = "/var/keys/secret_file"; parentDirectory = { mode = "u=rwx,g=,o="; }; } ]; }; + sops = { + defaultSopsFile = ./secrets/secrets.yaml; + defaultSopsFormat = "yaml"; + + secrets = { + nathan_pass = { + neededForUsers = true; + }; + }; + }; + programs.fuse.userAllowOther = true; home-manager = { @@ -209,7 +219,7 @@ virtualization = { - traefik.enable = false; + traefik.enable = true; gitlab.enable = false; }; diff --git a/system-config/configuration/homebox/secrets/secrets.yaml b/system-config/configuration/homebox/secrets/secrets.yaml new file mode 100644 index 0000000..0fc951d --- /dev/null +++ b/system-config/configuration/homebox/secrets/secrets.yaml 
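Review bot: Opening TCP 8000 on the host firewall exposes the homepage backend (`http://192.168.100.10:8000` in this commit's Traefik config) in plaintext on every interface, bypassing the TLS termination and routing the same commit sets up; the only client that presumably needs it is the Traefik container on the 192.168.100.0/24 veth. Scope the rule to that interface instead, e.g. `networking.firewall.interfaces."ve-traefik".allowedTCPPorts = [ 8000 ];` (the `ve-<name>` interface assumes the container is declared as `containers.traefik`; adjust if it is not), and keep `firewall.allowedTCPPorts = [ 22 80 443 ];`. Separately, `/etc/hosts` entries are exact names only: the `*.blunkall.us` and `*.local.blunkall.us` names on the `192.168.100.11` line are ignored by the glibc resolver, so list each hostname used by the routers (`www.blunkall.us`, `traefik.local.blunkall.us`) explicitly or resolve them through a local DNS server.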
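Review bot: `hashedPasswordFile` reads a crypt(3) hash, not a password, so the encrypted `nathan_pass` value must be the output of `mkpasswd -m yescrypt` (or sha512crypt); a plaintext value would most likely leave the account unable to log in rather than fail loudly at build time. Since this line replaces `initialPassword = "7567"`, a comment would save the next reader a trip to the sops file: `# crypt(3) hash (mkpasswd -m yescrypt); decrypted before user creation via neededForUsers`.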
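Review bot: The new `sops` block names no key source — neither `age.keyFile` nor `age.sshKeyPaths` — so which private key decrypts `nathan_pass` on homebox is implicit: sops-nix's default is the host's ed25519 SSH host key when openssh is enabled, which this file appears to persist alongside its `.pub`, but that key must then be a recipient in `.sops.yaml`, and the `/var/lib/sops` directory persisted earlier in this file is referenced by nothing. Make the choice explicit, e.g. `age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` or `age.keyFile = "/var/lib/sops/age/keys.txt";`, with a comment naming the matching public key in `.sops.yaml`. Note that `neededForUsers` secrets are decrypted early, before users are created, so whichever key is chosen has to live on the persisted root, which the SSH host key does and a key under the user's `$HOME` does not.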
@@ -0,0 +1,21 @@ +nathan_pass: ENC[AES256_GCM,data:9DUrW2JFWwwscRmMgNoYrMU0nrSDbz37tw+wershMsRxhSavUmQCVEkz8zZ71OguAh+2vIxWBaVk9lzL/wOMFY/vPX7Z5Jq4og==,iv:rDxMkKDVxcrehzM0MKN0nQ/+WW8MA69qiNNoeTHJ2h0=,tag:VMGwTtbPwjIhyfuhc2ArGA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1z20c7s7aw4jwdnfqp85lzx9gg3zk396x5pdw9gwzgvxs932m7d7qlhhwre + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhUnNKWUVkV1d0STBNSFR4 + c2RTRTN4K2x0Q2R2QzZoYzNOd2RGNk10SkFFCkxlTDduZzhZeHNSd2JmVjgwVzVW + SGozTFVpNW9kaUIvWEtWb3BGeGtrTVUKLS0tIHBXYS9xK2ZuUnZ6UTBFV3Y3MWU4 + SGxFWjlLSVVNVDAwRTdXWENLK2x0ekEKh7NiaCQn6yvT6kyYFOXCiGv6C3PSOAky + Od5kW3fBMftfv1qrlhA4svT8s6KeM0ynbfNgb5wKtpZ/nfXYkcrmGw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-02T22:56:51Z" + mac: ENC[AES256_GCM,data:PVwC5OP3CDiCUTxNwPrxSgWbMp9EuAKP88tmHvrrxnT2IQ68V9THFjajnuNiEkkVvHG9FPp/R0in8nT1NoepaDEZkheyUYq1hKzRoGWxjwQwsvrjeTyUP50++Z/zW2KkOdqaB3r+eblpCxzgyd8FH8LcXRCeC9xq4p0mub3MNSs=,iv:jTIgFV0NydDOJ8cESsiY4mvQc76MbNfi8cM4CrWY2P8=,tag:6u90UUoTBA7lXlkfKoiI8g==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/system-config/packages/default.nix b/system-config/packages/default.nix index 0967ef4..6a43f1a 100644 --- a/system-config/packages/default.nix +++ b/system-config/packages/default.nix @@ -1 +1,6 @@ -{} +{ pkgs, ... }: { + + environment.systemPackages = with pkgs; [ + sops + ]; +} diff --git a/system-config/services/containers/gitlab/default.nix b/system-config/services/containers/gitlab/default.nix index 9b73738..18daa72 100644 --- a/system-config/services/containers/gitlab/default.nix +++ b/system-config/services/containers/gitlab/default.nix @@ -14,7 +14,7 @@ hostAddress = "192.168.100.10"; localAddress = "192.168.100.12"; bindMounts = { - "/root/data" = { + "/etc/gitlab/data" = { hostPath = "/ssd1/Gitlab/data"; isReadOnly = false; }; 
diff --git a/system-config/services/containers/traefik/default.nix b/system-config/services/containers/traefik/default.nix index 9f62409..20361a6 100644 --- a/system-config/services/containers/traefik/default.nix +++ b/system-config/services/containers/traefik/default.nix @@ -30,14 +30,10 @@ containerPort = 9443; hostPort = 9443; } - { - containerPort = 8080; - hostPort = 8080; - } ]; bindMounts = { - "/root/data" = { + "/etc/traefik/data" = { hostPath = "/ssd1/Traefik/data"; isReadOnly = false; }; 
@@ -49,58 +45,144 @@ enable = true; - dataDir = "/root/data"; + dataDir = "/etc/traefik/data"; + + environmentFiles = [ + "/etc/traefik/data/traefik.env" + ]; staticConfigOptions = { + serversTransport.insecureSkipVerify = true; api = { dashboard = true; - + insecure = true; + debug = true; + }; + global = { + checknewversion = false; + sendanonymoususage = false; }; entryPoints = { local = { - address = ":80"; + address = ":9080"; http.redirections.entryPoint = { to = "localsecure"; scheme = "https"; }; }; + localsecure = { - address = ":443"; + address = ":9443"; + asDefault = true; + http.tls.certResolver = "cloudflare"; }; + web = { - address = ":9080"; + address = ":80"; http.redirections.entryPoint = { to = "websecure"; scheme = "https"; }; }; websecure = { - address = ":9443"; + address = ":443"; asDefault = true; - http.tls.certResolver = "letsencrypt"; + http.tls.certResolver = "cloudflare"; }; - log = { - level = "INFO"; - filePath = "${config.services.traefik.dataDir}/traefik.log"; - format = "json"; - }; - certificatesResolvers.cloudflare.acme = { - email = "nathanblunkall5@gmail.com"; - storage = "${config.services.traefik.dataDir}/acme.json"; -#httpChallenge.entryPoint = "web"; - dnsChallenge = { - provider = "cloudflare"; - resolvers = [ "1.1.1.1:53" "1.0.0.1:53" ]; -#disablePropagationCheck = true; + }; + log = { + level = "DEBUG"; + filePath = "/etc/traefik/data/traefik.log"; + format = "json"; + }; + certificatesResolvers = { + cloudflare = { + acme = { + email = "nathanblunkall5@gmail.com"; + storage = "/etc/traefik/data/acme.json"; + keyType = "EC256"; + dnsChallenge = { + provider = "cloudflare"; + resolvers = [ "1.1.1.1:53" "1.0.0.1:53" ]; + }; }; }; + + /*letsencrypt.acme = { + email = "postmaster@blunkall.us"; + storage = "/root/data/acme.json"; + httpChallenge.entryPoint = "web"; + };*/ }; }; - dynamicConfigOptions = {}; + dynamicConfigOptions = { + http = { + routers = { + homepageSecure = { + entryPoints = [ "localsecure" "websecure" ]; + 
rule = "Host(`blunkall.us`)"; + service = "homepage"; + tls = { + certResolver = "cloudflare"; + domains = { + main = "blunkall.us"; + sans = [ "*.blunkall.us" "*.local.blunkall.us" ]; + }; + }; + }; + + + homepage = { + entryPoints = [ "localsecure" "websecure" ]; + rule = "Host(`www.blunkall.us`)"; + service = "homepage"; + tls = { + certResolver = "cloudflare"; + domains = { + main = "blunkall.us"; + sans = [ "*.blunkall.us" "*.local.blunkall.us" ]; + }; + }; + }; + + gitlab = { + entryPoints = [ "localsecure" "websecure" ]; + rule = "Host()"; + service = "gitlab"; + tls = { + certResolver = "cloudflare"; + domains = { + main = "blunkall.us"; + sans = [ "*.blunkall.us" "*.local.blunkall.us" ]; + }; + }; + }; + + local = { + entryPoints = [ "localsecure" ]; + rule = "Host(`traefik.local.blunkall.us`)"; + service = "dashboard@internal"; + tls = { + certResolver = "cloudflare"; + domains = { + main = "blunkall.us"; + sans = [ "*.blunkall.us" "*.local.blunkall.us" ]; + }; + }; + }; + }; + + services = { + gitlab.loadBalancer.servers = [ { url = "http://192.168.100.12:80"; } ]; + + homepage.loadBalancer.servers = [ { url = "http://192.168.100.10:8000"; } ]; + }; + }; + }; }; - networking.firewall.allowedTCPPorts = [ 80 443 9080 9443 8080]; + networking.firewall.allowedTCPPorts = [ 80 443 9080 9443 8080 ]; system.stateVersion = "24.05"; };
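Review bot: `api.insecure = true` serves the Traefik API and dashboard unauthenticated on port 8080 — which the container firewall line at the bottom of the hunk still allows — and the `local` router that also publishes the dashboard on `traefik.local.blunkall.us` carries no middleware, so anyone reaching the container address or the `localsecure` entrypoint gets a read-out of every router, service and backend address. Drop `insecure` (and `debug`, which only adds the dashboard's debug pages), remove 8080 from the container's `allowedTCPPorts`, and put a `basicAuth` middleware in front of the router; per the Traefik docs the dashboard router should target `api@internal`, which also answers the `/api/` calls the UI makes — with `dashboard@internal` alone the UI may load but show no data, worth confirming. `serversTransport.insecureSkipVerify = true` disables certificate verification for every backend while both services here are plain `http://`, so it buys nothing and should go. The `gitlab` router's `rule = "Host()"` is not a valid rule and will be rejected when the dynamic config loads (only that router is affected, but it will keep erroring in the DEBUG log); give it a real host or drop the router until the container is enabled. `/etc/traefik/data/traefik.env` presumably carries the Cloudflare API token for the DNS challenge; since this commit introduces sops-nix, that token belongs in `secrets.yaml` (e.g. `sops.secrets.cloudflare_env`, referenced from `environmentFiles`) rather than in an unmanaged file on the `/ssd1` bind mount.
```nix
    staticConfigOptions = {
      # serversTransport.insecureSkipVerify removed: both backends are plain http
      api = {
        dashboard = true;
        # insecure/debug removed: no unauthenticated API on :8080
      };
      # … unchanged: global, entryPoints, log, certificatesResolvers …
    };

    dynamicConfigOptions = {
      http = {
        # htpasswd-format users file; generate with `htpasswd -nB admin`, keep out of git
        middlewares.dashboardAuth.basicAuth.usersFile = "/etc/traefik/data/dashboard-users";

        routers = {
          # … unchanged: homepageSecure, homepage, gitlab …
          local = {
            entryPoints = [ "localsecure" ];
            rule = "Host(`traefik.local.blunkall.us`)";
            middlewares = [ "dashboardAuth" ];
            service = "api@internal";
            # … unchanged: tls block …
          };
        };
        # … unchanged: services …
      };
    };
  };

  networking.firewall.allowedTCPPorts = [ 80 443 9080 9443 ];
```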