traefik ssl and sops-nix

2024-11-02 18:17:27 -05:00
parent 98b6f41547
commit 72a8dba440
8 changed files with 170 additions and 44 deletions

flake.lock generated

@@ -1161,11 +1161,11 @@
"locked": { "locked": {
"lastModified": 0, "lastModified": 0,
"narHash": "sha256-vhkyPcraN1gHPR50nUBwPGMdGP1p20/3n4i8uAuragY=", "narHash": "sha256-vhkyPcraN1gHPR50nUBwPGMdGP1p20/3n4i8uAuragY=",
"path": "/nix/store/lrsmj060ljm23wc76633xbplar1hly3h-source/home-manager", "path": "/nix/store/pvjjq7d2bcvrfx4jmgnpfj4mzwjjcncf-source/home-manager",
"type": "path" "type": "path"
}, },
"original": { "original": {
"path": "/nix/store/lrsmj060ljm23wc76633xbplar1hly3h-source/home-manager", "path": "/nix/store/pvjjq7d2bcvrfx4jmgnpfj4mzwjjcncf-source/home-manager",
"type": "path" "type": "path"
} }
}, },
@@ -1746,11 +1746,11 @@
"locked": { "locked": {
"lastModified": 1, "lastModified": 1,
"narHash": "sha256-HAuZ9X84fuwUcit6NWUoJCjHj+29nST/YN6Rs8JQugY=", "narHash": "sha256-HAuZ9X84fuwUcit6NWUoJCjHj+29nST/YN6Rs8JQugY=",
"path": "/nix/store/kkxrpkxcbs8fngdrlmm4hcrxy1cq17w2-source/programs", "path": "/nix/store/l5fryyz3kpp9643rwvj5x1yhpcnk4rf5-source/programs",
"type": "path" "type": "path"
}, },
"original": { "original": {
"path": "/nix/store/kkxrpkxcbs8fngdrlmm4hcrxy1cq17w2-source/programs", "path": "/nix/store/l5fryyz3kpp9643rwvj5x1yhpcnk4rf5-source/programs",
"type": "path" "type": "path"
} }
}, },
@@ -1832,11 +1832,11 @@
"locked": { "locked": {
"lastModified": 1, "lastModified": 1,
"narHash": "sha256-0Ztx5DVQ2I7hvCK/qjGa4XTdRgbzM8rhf19m0al8lVM=", "narHash": "sha256-0Ztx5DVQ2I7hvCK/qjGa4XTdRgbzM8rhf19m0al8lVM=",
"path": "/nix/store/kkxrpkxcbs8fngdrlmm4hcrxy1cq17w2-source/services/sddm", "path": "/nix/store/l5fryyz3kpp9643rwvj5x1yhpcnk4rf5-source/services/sddm",
"type": "path" "type": "path"
}, },
"original": { "original": {
"path": "/nix/store/kkxrpkxcbs8fngdrlmm4hcrxy1cq17w2-source/services/sddm", "path": "/nix/store/l5fryyz3kpp9643rwvj5x1yhpcnk4rf5-source/services/sddm",
"type": "path" "type": "path"
} }
}, },
@@ -1903,12 +1903,12 @@
}, },
"locked": { "locked": {
"lastModified": 1, "lastModified": 1,
"narHash": "sha256-/D17aRAD/fn6SBS9l3RJln+kTINI8DljIih0qc6Kdh4=", "narHash": "sha256-S4jXJkYHvv1ssTGJ/TbjZ1OPWjQSZWxjfcuhAMEpNJc=",
"path": "/nix/store/lrsmj060ljm23wc76633xbplar1hly3h-source/system-config", "path": "/nix/store/pvjjq7d2bcvrfx4jmgnpfj4mzwjjcncf-source/system-config",
"type": "path" "type": "path"
}, },
"original": { "original": {
"path": "/nix/store/lrsmj060ljm23wc76633xbplar1hly3h-source/system-config", "path": "/nix/store/pvjjq7d2bcvrfx4jmgnpfj4mzwjjcncf-source/system-config",
"type": "path" "type": "path"
} }
}, },


@@ -17,6 +17,7 @@
]; ];
files = [ files = [
".zsh_history" ".zsh_history"
".config/sops/age/keys.txt"
]; ];
allowOther = true; allowOther = true;
}; };
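Review bot: Persisting `.config/sops/age/keys.txt` puts the age private key that decrypts `secrets/secrets.yaml` under a home-manager bind mount with `allowOther = true`; make sure the backing file on the persistent volume is mode 0600 and owned by the user, since the mount inherits the backing file's permissions and `allowOther` only widens who can traverse the mount. The system-level `sops` block in this commit does not reference this path (its only persisted directory is `/var/lib/sops`), so if this is the identity the host should decrypt with, set `sops.age.keyFile` to it explicitly rather than relying on the home-manager location, which presumably is not mounted yet when `neededForUsers` secrets are decrypted at early activation. It is also the sole recipient in `.sops.yaml`, so keep an out-of-band backup of this file.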


@@ -0,0 +1,7 @@
keys:
- &primary age1z20c7s7aw4jwdnfqp85lzx9gg3zk396x5pdw9gwzgvxs932m7d7qlhhwre
creation_rules:
- path_regex: secrets/secrets.yaml$
key_groups:
- age:
- *primary
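Review bot: A single `age` recipient means one lost `keys.txt` locks everyone out of `secrets/secrets.yaml`, and the host's own identity is not listed: the `sops` block on this page sets no `sops.age.keyFile`, so sops-nix will presumably fall back to the host's ed25519 SSH key, whose age recipient (from `ssh-to-age`) would need to appear here for boot-time decryption of `nathan_pass` to work. Add the host recipient (and ideally an offline backup key) as separate anchors, list them all under `age:`, and re-encrypt with `sops updatekeys secrets/secrets.yaml`. Anchor the pattern at the start as well, `path_regex: ^secrets/secrets\.yaml$`, so it cannot match another path ending in the same string.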


@@ -86,9 +86,9 @@
hostName = "homebox"; hostName = "homebox";
nameservers = [ "1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one" ]; nameservers = [ "1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one" ];
networkmanager.enable = true; networkmanager.enable = true;
firewall.allowedTCPPorts = [ 22 80 443 9080 9443 8080 ]; firewall.allowedTCPPorts = [ 22 80 443 8000 ];
hosts = { hosts = {
"127.0.0.1" = [ "blunkall.us" "www.blunkall.us" ]; "192.168.100.11" = [ "blunkall.us" "*.blunkall.us" "*.local.blunkall.us" ];
}; };
nftables = {}; nftables = {};
nat = { nat = {
@@ -102,7 +102,7 @@
users.users."nathan" = { users.users."nathan" = {
isNormalUser = true; isNormalUser = true;
initialPassword = "7567"; hashedPasswordFile = config.sops.secrets.nathan_pass.path;
extraGroups = [ "wheel" ]; # Enable sudo for the user. extraGroups = [ "wheel" ]; # Enable sudo for the user.
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsU69CxfQk58CvItPN426h5Alnpb60SH37wet97Vb57 nathan@laptop" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsU69CxfQk58CvItPN426h5Alnpb60SH37wet97Vb57 nathan@laptop"
@@ -151,7 +151,7 @@
"/var/lib/nixos" "/var/lib/nixos"
"/var/lib/systemd/coredump" "/var/lib/systemd/coredump"
"/etc/NetworkManager/system-connections" "/etc/NetworkManager/system-connections"
{ directory = "/var/lib/colord"; user = "colord"; group = "colord"; mode = "u=rwx,g=rx,o="; } { directory = "/var/lib/sops"; user = "root"; group = "root"; mode = "u=rwx,g=,o="; }
]; ];
files = [ files = [
"/etc/machine-id" "/etc/machine-id"
@@ -159,10 +159,20 @@
"/etc/ssh/ssh_host_ed25519_key.pub" "/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/ssh/ssh_host_rsa_key" "/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub" "/etc/ssh/ssh_host_rsa_key.pub"
{ file = "/var/keys/secret_file"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
]; ];
}; };
sops = {
defaultSopsFile = ./secrets/secrets.yaml;
defaultSopsFormat = "yaml";
secrets = {
nathan_pass = {
neededForUsers = true;
};
};
};
programs.fuse.userAllowOther = true; programs.fuse.userAllowOther = true;
home-manager = { home-manager = {
@@ -209,7 +219,7 @@
virtualization = { virtualization = {
traefik.enable = false; traefik.enable = true;
gitlab.enable = false; gitlab.enable = false;
}; };
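Review bot: Adding 8000 to `firewall.allowedTCPPorts` exposes the `homepage` backend (plain HTTP on `192.168.100.10:8000` per the traefik routes on this page) on every interface, so clients can bypass Traefik's TLS termination by hitting the host directly. Only the traefik container needs that port, so scope it to the container-side interface, e.g. `firewall.interfaces.<container-veth>.allowedTCPPorts = [ 8000 ];`, and drop 8000 from the global list. The new `hosts` entry lists `"*.blunkall.us"` and `"*.local.blunkall.us"`, but `/etc/hosts` has no wildcard support, so those literals will not resolve any subdomain; enumerate the hostnames you need (`traefik.local.blunkall.us`, the gitlab host, ...) or rely on DNS. Replacing `initialPassword = "7567"` is the right move, but that value is now in git history, so rotate it, and since `users.mutableUsers` is left at its default (`true`) NixOS may keep the existing account's password rather than apply `hashedPasswordFile` — confirm the new hash actually took effect. The `sops` block declares no age identity, so check which key the host decrypts with (default is the ed25519 SSH host key) and make sure it is a recipient of `secrets.yaml`.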


@@ -0,0 +1,21 @@
nathan_pass: ENC[AES256_GCM,data:9DUrW2JFWwwscRmMgNoYrMU0nrSDbz37tw+wershMsRxhSavUmQCVEkz8zZ71OguAh+2vIxWBaVk9lzL/wOMFY/vPX7Z5Jq4og==,iv:rDxMkKDVxcrehzM0MKN0nQ/+WW8MA69qiNNoeTHJ2h0=,tag:VMGwTtbPwjIhyfuhc2ArGA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1z20c7s7aw4jwdnfqp85lzx9gg3zk396x5pdw9gwzgvxs932m7d7qlhhwre
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhUnNKWUVkV1d0STBNSFR4
c2RTRTN4K2x0Q2R2QzZoYzNOd2RGNk10SkFFCkxlTDduZzhZeHNSd2JmVjgwVzVW
SGozTFVpNW9kaUIvWEtWb3BGeGtrTVUKLS0tIHBXYS9xK2ZuUnZ6UTBFV3Y3MWU4
SGxFWjlLSVVNVDAwRTdXWENLK2x0ekEKh7NiaCQn6yvT6kyYFOXCiGv6C3PSOAky
Od5kW3fBMftfv1qrlhA4svT8s6KeM0ynbfNgb5wKtpZ/nfXYkcrmGw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-02T22:56:51Z"
mac: ENC[AES256_GCM,data:PVwC5OP3CDiCUTxNwPrxSgWbMp9EuAKP88tmHvrrxnT2IQ68V9THFjajnuNiEkkVvHG9FPp/R0in8nT1NoepaDEZkheyUYq1hKzRoGWxjwQwsvrjeTyUP50++Z/zW2KkOdqaB3r+eblpCxzgyd8FH8LcXRCeC9xq4p0mub3MNSs=,iv:jTIgFV0NydDOJ8cESsiY4mvQc76MbNfi8cM4CrWY2P8=,tag:6u90UUoTBA7lXlkfKoiI8g==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@@ -1 +1,6 @@
{} { pkgs, ... }: {
environment.systemPackages = with pkgs; [
sops
];
}
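Review bot: Since the secrets on this page are encrypted to age recipients, the host will also want `age` (for `age-keygen`) and `ssh-to-age` next to `sops` so identities can be generated and derived from the SSH host key without ad-hoc installs: `environment.systemPackages = with pkgs; [ sops age ssh-to-age ];`. If key management is meant to happen only on the laptop, this is fine as is.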


@@ -14,7 +14,7 @@
hostAddress = "192.168.100.10"; hostAddress = "192.168.100.10";
localAddress = "192.168.100.12"; localAddress = "192.168.100.12";
bindMounts = { bindMounts = {
"/root/data" = { "/etc/gitlab/data" = {
hostPath = "/ssd1/Gitlab/data"; hostPath = "/ssd1/Gitlab/data";
isReadOnly = false; isReadOnly = false;
}; };


@@ -30,14 +30,10 @@
containerPort = 9443; containerPort = 9443;
hostPort = 9443; hostPort = 9443;
} }
{
containerPort = 8080;
hostPort = 8080;
}
]; ];
bindMounts = { bindMounts = {
"/root/data" = { "/etc/traefik/data" = {
hostPath = "/ssd1/Traefik/data"; hostPath = "/ssd1/Traefik/data";
isReadOnly = false; isReadOnly = false;
}; };
@@ -49,55 +45,141 @@
enable = true; enable = true;
dataDir = "/root/data"; dataDir = "/etc/traefik/data";
environmentFiles = [
"/etc/traefik/data/traefik.env"
];
staticConfigOptions = { staticConfigOptions = {
serversTransport.insecureSkipVerify = true;
api = { api = {
dashboard = true; dashboard = true;
insecure = true;
debug = true;
};
global = {
checknewversion = false;
sendanonymoususage = false;
}; };
entryPoints = { entryPoints = {
local = { local = {
address = ":80"; address = ":9080";
http.redirections.entryPoint = { http.redirections.entryPoint = {
to = "localsecure"; to = "localsecure";
scheme = "https"; scheme = "https";
}; };
}; };
localsecure = { localsecure = {
address = ":443"; address = ":9443";
asDefault = true;
http.tls.certResolver = "cloudflare";
}; };
web = { web = {
address = ":9080"; address = ":80";
http.redirections.entryPoint = { http.redirections.entryPoint = {
to = "websecure"; to = "websecure";
scheme = "https"; scheme = "https";
}; };
}; };
websecure = { websecure = {
address = ":9443"; address = ":443";
asDefault = true; asDefault = true;
http.tls.certResolver = "letsencrypt"; http.tls.certResolver = "cloudflare";
};
}; };
log = { log = {
level = "INFO"; level = "DEBUG";
filePath = "${config.services.traefik.dataDir}/traefik.log"; filePath = "/etc/traefik/data/traefik.log";
format = "json"; format = "json";
}; };
certificatesResolvers.cloudflare.acme = { certificatesResolvers = {
cloudflare = {
acme = {
email = "nathanblunkall5@gmail.com"; email = "nathanblunkall5@gmail.com";
storage = "${config.services.traefik.dataDir}/acme.json"; storage = "/etc/traefik/data/acme.json";
#httpChallenge.entryPoint = "web"; keyType = "EC256";
dnsChallenge = { dnsChallenge = {
provider = "cloudflare"; provider = "cloudflare";
resolvers = [ "1.1.1.1:53" "1.0.0.1:53" ]; resolvers = [ "1.1.1.1:53" "1.0.0.1:53" ];
#disablePropagationCheck = true; };
};
};
/*letsencrypt.acme = {
email = "postmaster@blunkall.us";
storage = "/root/data/acme.json";
httpChallenge.entryPoint = "web";
};*/
};
};
dynamicConfigOptions = {
http = {
routers = {
homepageSecure = {
entryPoints = [ "localsecure" "websecure" ];
rule = "Host(`blunkall.us`)";
service = "homepage";
tls = {
certResolver = "cloudflare";
domains = {
main = "blunkall.us";
sans = [ "*.blunkall.us" "*.local.blunkall.us" ];
};
};
};
homepage = {
entryPoints = [ "localsecure" "websecure" ];
rule = "Host(`www.blunkall.us`)";
service = "homepage";
tls = {
certResolver = "cloudflare";
domains = {
main = "blunkall.us";
sans = [ "*.blunkall.us" "*.local.blunkall.us" ];
};
};
};
gitlab = {
entryPoints = [ "localsecure" "websecure" ];
rule = "Host()";
service = "gitlab";
tls = {
certResolver = "cloudflare";
domains = {
main = "blunkall.us";
sans = [ "*.blunkall.us" "*.local.blunkall.us" ];
};
};
};
local = {
entryPoints = [ "localsecure" ];
rule = "Host(`traefik.local.blunkall.us`)";
service = "dashboard@internal";
tls = {
certResolver = "cloudflare";
domains = {
main = "blunkall.us";
sans = [ "*.blunkall.us" "*.local.blunkall.us" ];
}; };
}; };
}; };
}; };
dynamicConfigOptions = {}; services = {
gitlab.loadBalancer.servers = [ { url = "http://192.168.100.12:80"; } ];
homepage.loadBalancer.servers = [ { url = "http://192.168.100.10:8000"; } ];
};
};
};
}; };
networking.firewall.allowedTCPPorts = [ 80 443 9080 9443 8080 ]; networking.firewall.allowedTCPPorts = [ 80 443 9080 9443 8080 ];
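Review bot: The dashboard is reachable without any authentication: `api.insecure = true;` serves the API and dashboard on the container's :8080, which this module's own firewall line still lists, and the `local` router exposes `dashboard@internal` on `traefik.local.blunkall.us` with no middleware, while `debug = true;` widens what the API reveals. Drop `insecure = true;` (or set it to `false`) and attach a `basicAuth` or `forwardAuth` middleware to the `local` router; `serversTransport.insecureSkipVerify = true;` can go as well, since both backends are plain `http://` and it only weakens any future HTTPS upstream. Two of the new routers look unlikely to load as written: `gitlab` has an empty `rule = "Host()";` that needs the intended hostname, and Traefik's router `tls.domains` is a list of `{main, sans}` entries, so each router should use `domains = [ { main = "blunkall.us"; sans = [ "*.blunkall.us" "*.local.blunkall.us" ]; } ];`. The `traefik.env` file now loaded via `environmentFiles` presumably carries the Cloudflare API token for the DNS challenge; keep it and `acme.json` root-only (0600) on the `/ssd1/Traefik/data` host path, which is bind-mounted read-write. The container module's outer braces close outside the hunk.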