From af730c5b20e1c3b0e58b412370fa5f2cc87715d4 Mon Sep 17 00:00:00 2001
From: Nathan
Date: Mon, 18 Nov 2024 15:24:15 -0600
Subject: [PATCH] set age key dir to be in persist dir
---
 flake.lock | 18 +--
 .../configuration/homebox/default.nix | 7 +-
 .../services/containers/authentik/default.nix | 2 +-
 .../services/containers/gitlab/default.nix | 118 ++++++++----------
 .../services/containers/nextcloud/default.nix | 49 ++++++--
 .../services/containers/pihole/default.nix | 2 +-
 .../services/containers/traefik/default.nix | 2 +-
 7 files changed, 102 insertions(+), 96 deletions(-)
diff --git a/flake.lock b/flake.lock
index 11ae083..005c5a3 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1193,11 +1193,11 @@
 "locked": {
 "lastModified": 1,
 "narHash": "sha256-mrfMvef+tOYMK35horTWF43tQpES1zI7hb5RbzN3oIk=",
- "path": "/nix/store/2iad54f45q80l7js354b3gjs8a9ywd2g-source/home-manager",
+ "path": "/nix/store/hpa0gcdys4xk1wif3ksp9yjkyd68lypx-source/home-manager",
 "type": "path"
 },
 "original": {
- "path": "/nix/store/2iad54f45q80l7js354b3gjs8a9ywd2g-source/home-manager",
+ "path": "/nix/store/hpa0gcdys4xk1wif3ksp9yjkyd68lypx-source/home-manager",
 "type": "path"
 }
 },
@@ -1807,11 +1807,11 @@
 "locked": {
 "lastModified": 1,
 "narHash": "sha256-QahOuoQdXshu38W5uO7hLhG/yFkT7S2l8Dxicq0wdGk=",
- "path": "/nix/store/ipps7wbs0429asc5w15xlbhyy74k1xmy-source/programs",
+ "path": "/nix/store/1jlhs5z0fkw1z8jf5bb4s5bhdqhsw930-source/programs",
 "type": "path"
 },
 "original": {
- "path": "/nix/store/ipps7wbs0429asc5w15xlbhyy74k1xmy-source/programs",
+ "path": "/nix/store/1jlhs5z0fkw1z8jf5bb4s5bhdqhsw930-source/programs",
 "type": "path"
 }
 },
@@ -1882,11 +1882,11 @@ "locked": { "lastModified": 1, "narHash": "sha256-0Ztx5DVQ2I7hvCK/qjGa4XTdRgbzM8rhf19m0al8lVM=", - "path": "/nix/store/ipps7wbs0429asc5w15xlbhyy74k1xmy-source/services/sddm", + "path": "/nix/store/1jlhs5z0fkw1z8jf5bb4s5bhdqhsw930-source/services/sddm", "type": "path" }, "original": { - "path": "/nix/store/ipps7wbs0429asc5w15xlbhyy74k1xmy-source/services/sddm", + "path": "/nix/store/1jlhs5z0fkw1z8jf5bb4s5bhdqhsw930-source/services/sddm", "type": "path" } }, @@ -1976,12 +1976,12 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-cN8S1dX9UvYcLvw2DRKSY2NMhjwrPFA181sKCEJIrbQ=", - "path": "/nix/store/2iad54f45q80l7js354b3gjs8a9ywd2g-source/system-config", + "narHash": "sha256-4OsKmVNgQ6yPD++McosqTdHNXPMfSk/ooTzxwWxDXug=", + "path": "/nix/store/hpa0gcdys4xk1wif3ksp9yjkyd68lypx-source/system-config", "type": "path" }, "original": { - "path": "/nix/store/2iad54f45q80l7js354b3gjs8a9ywd2g-source/system-config", + "path": "/nix/store/hpa0gcdys4xk1wif3ksp9yjkyd68lypx-source/system-config", "type": "path" } }, diff --git a/system-config/configuration/homebox/default.nix b/system-config/configuration/homebox/default.nix index e69e1fc..a091111 100644 --- a/system-config/configuration/homebox/default.nix +++ b/system-config/configuration/homebox/default.nix @@ -167,7 +167,6 @@ "/var/lib/bluetooth" "/var/lib/nixos" "/var/lib/nixos-containers" - "/var/run/nixos-containers" "/var/lib/systemd/coredump" "/var/lib/docker" "/etc/NetworkManager/system-connections" @@ -182,7 +181,7 @@ }; sops = { - age.keyFile = "/home/nathan/.config/sops/age/keys.txt"; + age.keyFile = "/persist/home/nathan/.config/sops/age/keys.txt"; defaultSopsFile = ./secrets/secrets.yaml; defaultSopsFormat = "yaml"; @@ -197,7 +196,7 @@ "pihole/pass" = {}; "nextcloud/pass" = { - owner = "nextcloud"; + owner = "sshd"; }; }; }; @@ -258,7 +257,7 @@ pihole.enable = true; - nextcloud.enable = true; + nextcloud.enable = false; gitlab.enable = true; }; 
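Review bot: The age master key now lives under a user home (`/persist/home/nathan/.config/sops/age/keys.txt`), so the nathan account, and any backup of that home, can decrypt every secret in secrets.yaml; sops-nix works just as well with a root-owned, mode 0600 key outside any user home, e.g. `age.keyFile = "/persist/<root-only-dir>/keys.txt";`. With an impermanence setup the secrets are decrypted during activation, so the /persist filesystem has to be mounted by then (`neededForBoot = true` on that mount) or the key is missing on first boot; worth confirming that is already set, since the hunk does not show it.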
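Review bot: `owner = "sshd"` on `"nextcloud/pass"` gives the sshd user read access to the Nextcloud admin password, yet the only consumer visible in this commit is the `--load-credential=` flag in nextcloud/default.nix, which is presumably read by the host's systemd-nspawn as root; this same commit drops `owner = "sshd"` from all the gitlab secrets for that reason, so this one should match, `"nextcloud/pass" = {};`. Note also that the last hunk sets `nextcloud.enable = false` while the nextcloud container is switched to `autoStart = true` and traefik is pointed at 192.168.100.15:80, so the container config those depend on is currently disabled — presumably intentional for now, but it is not mentioned in the commit message.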
diff --git a/system-config/services/containers/authentik/default.nix b/system-config/services/containers/authentik/default.nix index 7cbf9a6..78dbf35 100644 --- a/system-config/services/containers/authentik/default.nix +++ b/system-config/services/containers/authentik/default.nix @@ -21,7 +21,7 @@ systemd.services.launchAuthentik = { - enable = true; + enable = false; wantedBy = [ "multi-user.target" ]; diff --git a/system-config/services/containers/gitlab/default.nix b/system-config/services/containers/gitlab/default.nix index e1aa105..e3660aa 100644 --- a/system-config/services/containers/gitlab/default.nix +++ b/system-config/services/containers/gitlab/default.nix @@ -7,34 +7,20 @@ config = lib.mkIf config.sysconfig.opts.virtualization.gitlab.enable { - sops.secrets."gitlab/db_pass" = { - owner = "sshd"; - }; - sops.secrets."gitlab/root_pass" = { - owner = "sshd"; - }; - sops.secrets."gitlab/secrets/secret" = { - owner = "sshd"; - }; - sops.secrets."gitlab/secrets/otp" = { - owner = "sshd"; - }; - sops.secrets."gitlab/secrets/db" = { - owner = "sshd"; - }; - sops.secrets."gitlab/secrets/jws" = { - owner = "sshd"; - }; - sops.secrets."gitlab/oidc/id" = { - owner = "sshd"; - }; - sops.secrets."gitlab/oidc/secret" = { - owner = "sshd"; + sops.secrets = { + "gitlab/db_pass" = {}; + "gitlab/root_pass" = {}; + "gitlab/secrets/secret" = {}; + "gitlab/secrets/otp" = {}; + "gitlab/secrets/db" = {}; + "gitlab/secrets/jws" = {}; + "gitlab/oidc/id" = {}; + "gitlab/oidc/secret" = {}; }; containers.gitlab = { - autoStart = false; + autoStart = true; privateNetwork = true; hostAddress = "192.168.100.10"; localAddress = "192.168.100.16"; 
@@ -43,51 +29,49 @@ hostPath = "/ssd1/Gitlab/data"; isReadOnly = false; }; - "/etc/gitlab/dbpass" = { - hostPath = config.sops.secrets."gitlab/db_pass".path; - isReadOnly = false; - }; - "/etc/gitlab/rootpass" = { - hostPath = config.sops.secrets."gitlab/root_pass".path; - isReadOnly = false; - }; - "/etc/gitlab/db" = { - hostPath = config.sops.secrets."gitlab/secrets/db".path; - isReadOnly = false; - }; - "/etc/gitlab/secret" = { - hostPath = config.sops.secrets."gitlab/secrets/secret".path; - isReadOnly = false; - }; - "/etc/gitlab/jws" = { - hostPath = config.sops.secrets."gitlab/secrets/jws".path; - isReadOnly = false; - }; - "/etc/gitlab/otp" = { - hostPath = config.sops.secrets."gitlab/secrets/otp".path; - isReadOnly = false; - }; - "/etc/gitlab/oidc-id" = { - hostPath = config.sops.secrets."gitlab/oidc/id".path; - isReadOnly = false; - }; - "/etc/gitlab/oidc-secret" = { - hostPath = config.sops.secrets."gitlab/oidc/secret".path; - isReadOnly = false; - }; }; + + extraFlags = [ + "--load-credential=dbpass:${config.sops.secrets."gitlab/db_pass".path}" + "--load-credential=rootpass:${config.sops.secrets."gitlab/root_pass".path}" + "--load-credential=secret:${config.sops.secrets."gitlab/secrets/secret".path}" + "--load-credential=otp:${config.sops.secrets."gitlab/secrets/otp".path}" + "--load-credential=db:${config.sops.secrets."gitlab/secrets/db".path}" + "--load-credential=jws:${config.sops.secrets."gitlab/secrets/jws".path}" + "--load-credential=oidc_id:${config.sops.secrets."gitlab/oidc/id".path}" + "--load-credential=oidc_secret:${config.sops.secrets."gitlab/oidc/secret".path}" + ]; config = { - systemd.tmpfiles.rules = [ - "z /etc/gitlab/dbpass - gitlab gitlab" - "z /etc/gitlab/rootpass - gitlab gitlab" - "z /etc/gitlab/db - gitlab gitlab" - "z /etc/gitlab/secret - gitlab gitlab" - "z /etc/gitlab/jws - gitlab gitlab" - "z /etc/gitlab/otp - gitlab gitlab" - "z /etc/gitlab/oidc-id - gitlab gitlab" - "z /etc/gitlab/oidc-secret - gitlab gitlab" - ]; + 
systemd.services.secrets_setup = { + wantedBy = [ "gitlab.service" ]; + + serviceConfig = { + LoadCredential = [ + "dbpass" + "rootpass" + "secret" + "db" + "otp" + "jws" + "oidc_id" + "oidc_secret" + ]; + }; + + script = '' + cat ''${CREDENTIALS_DIRECTORY}/dbpass > /etc/gitlab/dbpass + cat ''${CREDENTIALS_DIRECTORY}/rootpass > /etc/gitlab/rootpass + cat ''${CREDENTIALS_DIRECTORY}/secret > /etc/gitlab/secret + cat ''${CREDENTIALS_DIRECTORY}/db > /etc/gitlab/db + cat ''${CREDENTIALS_DIRECTORY}/otp > /etc/gitlab/otp + cat ''${CREDENTIALS_DIRECTORY}/jws > /etc/gitlab/jws + cat ''${CREDENTIALS_DIRECTORY}/oidc_id > /etc/gitlab/oidc-id + cat ''${CREDENTIALS_DIRECTORY}/oidc_secret > /etc/gitlab/oidc-secret + + chown gitlab:gitlab /etc/gitlab/* + ''; + }; services.gitlab = { enable = true; @@ -162,7 +146,7 @@ systemd.services.gitlab-backup.environment.BACKUP = "dump"; - networking.firewall.allowedTCPPorts = [ 22 80 443 ]; + networking.firewall.allowedTCPPorts = [ 22 80 ]; system.stateVersion = "24.05"; }; diff --git a/system-config/services/containers/nextcloud/default.nix b/system-config/services/containers/nextcloud/default.nix index cd46cd3..7c0ea88 100644 --- a/system-config/services/containers/nextcloud/default.nix +++ b/system-config/services/containers/nextcloud/default.nix @@ -40,7 +40,7 @@ containers.nextcloud = { - autoStart = false; + autoStart = true; privateNetwork = true; hostAddress = "192.168.100.10"; localAddress = "192.168.100.15"; 
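Review bot: secrets_setup is only `wantedBy = [ "gitlab.service" ]`, which pulls it in alongside GitLab but gives no ordering, and with the default service type the unit counts as started as soon as the script is forked, so nothing guarantees the files under /etc/gitlab exist when gitlab.service reads them; it needs `before = [ "gitlab.service" ]` and `serviceConfig.Type = "oneshot"`. The `cat … > /etc/gitlab/…` redirects create each file under systemd's default UMask=0022, i.e. world-readable, and only afterwards `chown` it, and `chown gitlab:gitlab /etc/gitlab/*` also rewrites ownership of anything else in that directory; writing each secret with `install -m 0600 -o gitlab -g gitlab` avoids both. The same two problems apply to the secrets_setup unit in nextcloud/default.nix further down. The enclosing `config = {` block continues outside the hunk.
```nix
systemd.services.secrets_setup = {
  wantedBy = [ "gitlab.service" ];
  before = [ "gitlab.service" ];

  serviceConfig = {
    Type = "oneshot";
    # … unchanged: LoadCredential list …
  };

  script = ''
    for c in dbpass rootpass secret db otp jws; do
      install -m 0600 -o gitlab -g gitlab "''${CREDENTIALS_DIRECTORY}/$c" "/etc/gitlab/$c"
    done
    install -m 0600 -o gitlab -g gitlab "''${CREDENTIALS_DIRECTORY}/oidc_id" /etc/gitlab/oidc-id
    install -m 0600 -o gitlab -g gitlab "''${CREDENTIALS_DIRECTORY}/oidc_secret" /etc/gitlab/oidc-secret
  '';
};
```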
@@ -48,47 +48,70 @@ bindMounts = { "/etc/nextcloud" = { - hostPath = "/ssd1/Nextcloud"; + hostPath = "/ssd1/Nextcloud/data"; isReadOnly = false; }; - "/etc/nextcloud-admin-pass" = { - hostPath = config.sops.secrets."nextcloud/pass".path; - isReadOnly = false; - }; }; + extraFlags = [ + "--load-credential=nextcloud-admin-pass:${config.sops.secrets."nextcloud/pass".path}" + ]; + config = { config, lib, pkgs, ... }: { + /*systemd.tmpfiles.rules = [ + "Z /etc/nextcloud - nextcloud nextcloud" + ];*/ + + systemd.services.secrets_setup = { + wantedBy = [ "nextcloud-setup.service" ]; + + serviceConfig = { + LoadCredential = [ + "nextcloud-admin-pass" + ]; + }; + + script = '' + cat $CREDENTIALS_DIRECTORY/nextcloud-admin-pass > /etc/nextcloud-admin-pass + chown nextcloud:nextcloud /etc/nextcloud-admin-pass + ''; + }; + networking.firewall.allowedTCPPorts = [ 80 443 ]; - services.nginx.virtualHosts."192.168.100.15".listen = [ { addr = "0.0.0.0"; port = 80; } ]; + services.nginx = { + virtualHosts."192.168.100.15".listen = [ { addr = "0.0.0.0"; port = 80; } ]; + user = "nextcloud"; + group = "nextcloud"; + }; services.nextcloud = { enable = true; package = pkgs.nextcloud30; - hostName = "localhost"; + hostName = "192.168.100.15"; config = { adminpassFile = "/etc/nextcloud-admin-pass"; adminuser = "root"; dbtype = "mysql"; }; https = true; - datadir = "/ssd1/Nextcloud/data"; - home = "/ssd1/Nextcloud/nextcloud_home"; - appstoreEnable = true; + #datadir = "/etc/nextcloud/data"; + #home = "/etc/nextcloud/nextcloud_home"; + #appstoreEnable = true; extraApps = with config.services.nextcloud.package.packages.apps; { inherit mail contacts calendar tasks user_oidc; }; extraAppsEnable = true; settings = { overwriteprotocol = "https"; - trusted_domains = [ "nextcloud.blunkall.us" "dummy.blunkall.us" ]; + trusted_domains = [ "nextcloud.blunkall.us" ]; trusted_proxies = [ "192.168.100.11" ]; default_phone_region = "US"; }; database.createLocally = true; }; - system.stateVersion = 
"23.05"; + system.stateVersion = "24.05"; }; }; }; diff --git a/system-config/services/containers/pihole/default.nix b/system-config/services/containers/pihole/default.nix index dbb3771..2431b21 100644 --- a/system-config/services/containers/pihole/default.nix +++ b/system-config/services/containers/pihole/default.nix @@ -16,7 +16,7 @@ }; systemd.services.launchPihole = { - enable = true; + enable = false; wantedBy = [ "multi-user.target" ]; diff --git a/system-config/services/containers/traefik/default.nix b/system-config/services/containers/traefik/default.nix index 021c8eb..3200929 100644 --- a/system-config/services/containers/traefik/default.nix +++ b/system-config/services/containers/traefik/default.nix @@ -223,7 +223,7 @@ pihole.loadBalancer.servers = [ { url = "http://192.168.100.10:8080"; } ]; - nextcloud.loadBalancer.servers = [ { url = "http://192.168.100.10:8081"; } ]; + nextcloud.loadBalancer.servers = [ { url = "http://192.168.100.15:80"; } ]; }; }; };