From 26a78a8f24fe73cb975a79e1233472db1f437668 Mon Sep 17 00:00:00 2001
From: Andre
Date: Mon, 2 Sep 2024 11:06:57 -0400
Subject: [PATCH] Secrets: reformatting

---
 flake.lock | 7 ++-
 hosts/Dimaga/default.nix | 83 +++++++++++++++++---------------
 hosts/_retired/Haven/default.nix | 18 +++----
 modules/services/msmtp.nix | 2 +-
 nix-secrets | 2 +-
 5 files changed, 58 insertions(+), 54 deletions(-)

diff --git a/flake.lock b/flake.lock
index efff99e..3022b3b 100644
--- a/flake.lock
+++ b/flake.lock
@@ -234,11 +234,10 @@
 "nix-secrets": {
 "flake": false,
 "locked": {
+ "dirtyRev": "26588368303142902ef91c67ad679da6be5bbeee-dirty",
+ "dirtyShortRev": "2658836-dirty",
 "lastModified": 1725028484,
- "narHash": "sha256-bqPYW6fYTul0RpInWxJxaLpn31y0aYi4bMRCnWjhFPk=",
- "ref": "refs/heads/main",
- "rev": "26588368303142902ef91c67ad679da6be5bbeee",
- "revCount": 63,
+ "narHash": "sha256-GJerArXURZD3VfNScxpa73QKajylnfpeG0U6Z6/XxA8=",
 "type": "git",
 "url": "file:./nix-secrets"
 },
diff --git a/hosts/Dimaga/default.nix b/hosts/Dimaga/default.nix
index 5684e12..4692210 100644
--- a/hosts/Dimaga/default.nix
+++ b/hosts/Dimaga/default.nix
@@ -10,18 +10,12 @@ let
 stateVersion = "24.11";
 hostName = "Dimaga";
 
+ # Where to store service files
+ services-root = "/storage/services";
+
 # Script to start services
 start-services = pkgs.writeShellScriptBin "start-services" (builtins.readFile ./start-services.sh);
- services-root = "/storage/services";
-
- subdomains = [ config.secrets.services.deluge.url config.secrets.services.forgejo.url config.secrets.services.gremlin-lab.url config.secrets.services.jellyfin.url config.secrets.services.netdata.url
- ];
-
+ # Credentials for interacting with the Namecheap API
 namecheapCredentials = {
 "NAMECHEAP_API_USER_FILE" = "${pkgs.writeText "namecheap-api-user" ''
 ${config.secrets.networking.namecheap.api.user}
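Review bot: The new comment above `namecheapCredentials` should say what it is hiding: the credential file is produced with `pkgs.writeText`, which places the Namecheap API user (and, in the lines this hunk omits, the key) in `/nix/store`, a path readable by every local user and by anyone a store path or binary cache is shared with. I would extend the added line to `# Credentials for interacting with the Namecheap API. NOTE: writeText puts these in the world-readable /nix/store; a runtime-provisioned secret file (sops-nix/agenix) referenced by path would keep them out of the store.` This is a documentation point only here; moving the credentials out of the store is a separate change. The `let` block this hunk belongs to starts before and continues past the hunk.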
@@ -30,6 +24,15 @@ let
 ${config.secrets.networking.namecheap.api.key}
 ''}";
 };
+
+ # List of subdomains to add to the TLS certificate
+ subdomains = [ config.secrets.services.deluge.url config.secrets.services.forgejo.url config.secrets.services.gremlin-lab.url config.secrets.services.jellyfin.url config.secrets.services.netdata.url
+ ];
 in
 {
 imports = [ ./hardware-configuration.nix ];
@@ -44,25 +47,27 @@ in
 
 # Build Nix packages for other hosts.
 # Runs every day at 4 AM
- systemd.services."build-hosts" = {
- serviceConfig = {
- Type = "oneshot";
- User = "root";
+ systemd = {
+ services."build-hosts" = {
+ serviceConfig = {
+ Type = "oneshot";
+ User = "root";
+ };
+ path = config.aux.system.corePackages;
+ script = ''
+ cd ${config.secrets.nixConfigFolder}
+ nh os build . --hostname Khanda
+ '';
 };
- path = config.aux.system.corePackages;
- script = ''
- cd ${config.secrets.nixConfigFolder}
- nh os build . --hostname Khanda
- '';
- };
- systemd.timers."build-hosts" = {
- wants = [ "network-online.target" ];
- after = [ "network-online.target" ];
- wantedBy = [ "timers.target" ];
- timerConfig = {
- OnCalendar = "04:00";
- Persistent = true;
- Unit = "build-hosts.service";
+ timers."build-hosts" = {
+ wants = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+ wantedBy = [ "timers.target" ];
+ timerConfig = {
+ OnCalendar = "04:00";
+ Persistent = true;
+ Unit = "build-hosts.service";
+ };
 };
 };
 
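Review bot: `wants`/`after` on `network-online.target` are attached to `timers."build-hosts"` in the second hunk, but the unit that actually needs the network is `services."build-hosts"` (it runs `nh os build`, which fetches), and it carries no ordering of its own, so any activation other than this timer — a manual `systemctl start build-hosts.service`, or another unit pulling it in — does not wait for the network. Move the two lines into the service block: `wants = [ "network-online.target" ]; after = [ "network-online.target" ];`, leaving `wantedBy = [ "timers.target" ];` on the timer. Separately, `User = "root"` is a daily root shell for a job that only builds and never switches; if `nh os build` can run through the nix daemon as an unprivileged account that can read `${config.secrets.nixConfigFolder}`, a dedicated user would shrink the blast radius — worth confirming rather than assuming. The attrset enclosing `systemd` starts outside the hunk.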
@@ -109,13 +114,13 @@ in
 enable = true;
 defaultEmail = config.secrets.users.aires.email;
 certs = {
- "${config.secrets.networking.primaryDomain}" = {
+ "${config.secrets.networking.domains.primary}" = {
 dnsProvider = "namecheap";
 extraDomainNames = subdomains;
 webroot = null; # Required in order to prevent a failed assertion
 credentialFiles = namecheapCredentials;
 };
- "${config.secrets.networking.blogDomain}" = {
+ "${config.secrets.networking.domains.blog}" = {
 dnsProvider = "namecheap";
 webroot = null; # Required in order to prevent a failed assertion
 credentialFiles = namecheapCredentials;
@@ -137,7 +142,7 @@ in
 deluge = {
 enable = true;
 home = "${services-root}/deluge";
- domain = config.secrets.networking.primaryDomain;
+ domain = config.secrets.networking.domains.primary;
 url = config.secrets.services.deluge.url;
 };
 duplicacy-web = {
@@ -147,7 +152,7 @@ in
 forgejo = {
 enable = true;
 home = "${services-root}/forgejo";
- domain = config.secrets.networking.primaryDomain;
+ domain = config.secrets.networking.domains.primary;
 url = config.secrets.services.forgejo.url;
 actions = {
 enable = true;
@@ -157,13 +162,13 @@ in
 jellyfin = {
 enable = true;
 home = "${services-root}/jellyfin";
- domain = config.secrets.networking.primaryDomain;
+ domain = config.secrets.networking.domains.primary;
 url = config.secrets.services.jellyfin.url;
 };
 msmtp.enable = true;
 netdata = {
 enable = true;
- domain = config.secrets.networking.primaryDomain;
+ domain = config.secrets.networking.domains.primary;
 type = "parent";
 url = config.secrets.services.netdata.url;
 auth = {
@@ -176,7 +181,7 @@ in
 enable = true;
 autostart = false;
 virtualHosts = {
- "${config.secrets.networking.primaryDomain}" = {
+ "${config.secrets.networking.domains.primary}" = {
 default = true;
 enableACME = true; # Enable Let's Encrypt
 locations."/" = {
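Review bot: The renamed key `config.secrets.networking.domains.primary` in the first hunk only evaluates if the nix-secrets input is the revision that defines the new `domains.*` layout, and this patch does not pin one: the flake.lock entry for `nix-secrets` now records `dirtyRev`/`dirtyShortRev` `2658836-dirty` with `rev`, `ref` and `revCount` removed, while the submodule pointer moves to `a321a1b`. On a clean checkout the lock therefore describes uncommitted content of the old commit rather than `a321a1b`; as far as I can tell that either trips the `narHash` check or evaluates a tree without `domains.*`, and a `-dirty` lock is in any case not reproducible. Commit the submodule first, then re-lock from a clean tree (`nix flake lock --update-input nix-secrets`) so the lock carries the real `rev`, and consider rejecting `-dirty` entries in CI. The `certs` attrset continues past the hunk.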
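Review bot: In the last hunk the primary-domain virtual host keeps `enableACME = true;` even though the same domain already has an explicit DNS-01 certificate under `security.acme.certs` (first hunk), where `webroot = null; # Required in order to prevent a failed assertion` exists to undo something — presumably the webroot that nginx's `enableACME` registers for that cert. The gremlin-lab vhost in the following hunk already takes the other route; making this vhost consistent with it, `useACMEHost = config.secrets.networking.domains.primary;` plus `forceSSL = true;` in place of `enableACME = true;`, should let the `webroot = null` workaround go, though confirm nothing else relies on nginx owning the cert. The `virtualHosts` attrset continues past the hunk.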
@@ -184,13 +189,13 @@ in
 return = "301 https://${config.secrets.services.forgejo.url}";
 };
 };
- "${config.secrets.networking.blogDomain}" = {
- useACMEHost = config.secrets.networking.blogDomain;
+ "${config.secrets.networking.domains.blog}" = {
+ useACMEHost = config.secrets.networking.domains.blog;
 forceSSL = true;
- root = "${services-root}/nginx/sites/${config.secrets.networking.blogDomain}";
+ root = "${services-root}/nginx/sites/${config.secrets.networking.domains.blog}";
 };
 "${config.secrets.services.gremlin-lab.url}" = {
- useACMEHost = config.secrets.networking.primaryDomain;
+ useACMEHost = config.secrets.networking.domains.primary;
 forceSSL = true;
 locations."/" = {
 proxyPass = "http://${config.secrets.services.gremlin-lab.ip}";
diff --git a/hosts/_retired/Haven/default.nix b/hosts/_retired/Haven/default.nix
index c2d2b12..5f1f68a 100644
--- a/hosts/_retired/Haven/default.nix
+++ b/hosts/_retired/Haven/default.nix
@@ -56,13 +56,13 @@ in
 enable = true;
 defaultEmail = config.secrets.users.aires.email;
 certs = {
- "${config.secrets.networking.primaryDomain}" = {
+ "${config.secrets.networking.domains.primary}" = {
 dnsProvider = "namecheap";
 extraDomainNames = subdomains;
 webroot = null; # Required in order to prevent a failed assertion
 credentialFiles = namecheapCredentials;
 };
- "${config.secrets.networking.blogDomain}" = {
+ "${config.secrets.networking.domains.blog}" = {
 dnsProvider = "namecheap";
 webroot = null; # Required in order to prevent a failed assertion
 credentialFiles = namecheapCredentials;
@@ -76,7 +76,7 @@ in
 airsonic = {
 enable = true;
 home = "${services-root}/airsonic-advanced";
- domain = config.secrets.networking.primaryDomain;
+ domain = config.secrets.networking.domains.primary;
 url = config.secrets.services.airsonic.url;
 };
 autoUpgrade = {
@@ -99,7 +99,7 @@ in
 forgejo = {
 enable = true;
 home = "${services-root}/forgejo";
- domain = config.secrets.networking.primaryDomain;
+ domain = config.secrets.networking.domains.primary;
 url = config.secrets.services.forgejo.url;
 actions = {
 enable = true;
@@ -111,7 +111,7 @@ in
 enable = true;
 autostart = false;
 virtualHosts = {
- "${config.secrets.networking.primaryDomain}" = {
+ "${config.secrets.networking.domains.primary}" = {
 default = true;
 enableACME = true; # Enable Let's Encrypt
 locations."/" = {
@@ -119,13 +119,13 @@ in
 return = "301 https://${config.secrets.services.forgejo.url}";
 };
 };
- "${config.secrets.networking.blogDomain}" = {
- useACMEHost = config.secrets.networking.blogDomain;
+ "${config.secrets.networking.domains.blog}" = {
+ useACMEHost = config.secrets.networking.domains.blog;
 forceSSL = true;
- root = "${services-root}/nginx/sites/${config.secrets.networking.blogDomain}";
+ root = "${services-root}/nginx/sites/${config.secrets.networking.domains.blog}";
 };
 "${config.secrets.services.gremlin-lab.url}" = {
- useACMEHost = config.secrets.networking.primaryDomain;
+ useACMEHost = config.secrets.networking.domains.primary;
 forceSSL = true;
 locations."/" = {
 proxyPass = "http://${config.secrets.services.gremlin-lab.ip}";
diff --git a/modules/services/msmtp.nix b/modules/services/msmtp.nix
index 6f4f78d..d5b7e30 100644
--- a/modules/services/msmtp.nix
+++ b/modules/services/msmtp.nix
@@ -21,7 +21,7 @@ in
 tls = true;
 tls_starttls = true;
 port = 587;
- from = "${config.networking.hostName}@${config.secrets.networking.primaryDomain}";
+ from = "${config.networking.hostName}@${config.secrets.networking.domains.primary}";
 };
 };
 
diff --git a/nix-secrets b/nix-secrets
index 2658836..a321a1b 160000
--- a/nix-secrets
+++ b/nix-secrets
@@ -1 +1 @@
-Subproject commit 26588368303142902ef91c67ad679da6be5bbeee
+Subproject commit a321a1ba2e23b59a6d39a33258a82021feaa853f