
Secrets: reformatting

This commit is contained in:
Aires 2024-09-02 11:06:57 -04:00
parent 1b47418675
commit 26a78a8f24
5 changed files with 58 additions and 54 deletions


@ -234,11 +234,10 @@
"nix-secrets": { "nix-secrets": {
"flake": false, "flake": false,
"locked": { "locked": {
"dirtyRev": "26588368303142902ef91c67ad679da6be5bbeee-dirty",
"dirtyShortRev": "2658836-dirty",
"lastModified": 1725028484, "lastModified": 1725028484,
"narHash": "sha256-bqPYW6fYTul0RpInWxJxaLpn31y0aYi4bMRCnWjhFPk=", "narHash": "sha256-GJerArXURZD3VfNScxpa73QKajylnfpeG0U6Z6/XxA8=",
"ref": "refs/heads/main",
"rev": "26588368303142902ef91c67ad679da6be5bbeee",
"revCount": 63,
"type": "git", "type": "git",
"url": "file:./nix-secrets" "url": "file:./nix-secrets"
}, },


@ -10,18 +10,12 @@ let
stateVersion = "24.11"; stateVersion = "24.11";
hostName = "Dimaga"; hostName = "Dimaga";
# Where to store service files
services-root = "/storage/services";
# Script to start services
start-services = pkgs.writeShellScriptBin "start-services" (builtins.readFile ./start-services.sh); start-services = pkgs.writeShellScriptBin "start-services" (builtins.readFile ./start-services.sh);
services-root = "/storage/services"; # Credentials for interacting with the Namecheap API
subdomains = [
config.secrets.services.deluge.url
config.secrets.services.forgejo.url
config.secrets.services.gremlin-lab.url
config.secrets.services.jellyfin.url
config.secrets.services.netdata.url
];
namecheapCredentials = { namecheapCredentials = {
"NAMECHEAP_API_USER_FILE" = "${pkgs.writeText "namecheap-api-user" '' "NAMECHEAP_API_USER_FILE" = "${pkgs.writeText "namecheap-api-user" ''
${config.secrets.networking.namecheap.api.user} ${config.secrets.networking.namecheap.api.user}
@ -30,6 +24,15 @@ let
${config.secrets.networking.namecheap.api.key} ${config.secrets.networking.namecheap.api.key}
''}"; ''}";
}; };
# List of subdomains to add to the TLS certificate
subdomains = [
config.secrets.services.deluge.url
config.secrets.services.forgejo.url
config.secrets.services.gremlin-lab.url
config.secrets.services.jellyfin.url
config.secrets.services.netdata.url
];
in in
{ {
imports = [ ./hardware-configuration.nix ]; imports = [ ./hardware-configuration.nix ];
@ -44,7 +47,8 @@ in
# Build Nix packages for other hosts. # Build Nix packages for other hosts.
# Runs every day at 4 AM # Runs every day at 4 AM
systemd.services."build-hosts" = { systemd = {
services."build-hosts" = {
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
User = "root"; User = "root";
@ -55,7 +59,7 @@ in
nh os build . --hostname Khanda nh os build . --hostname Khanda
''; '';
}; };
systemd.timers."build-hosts" = { timers."build-hosts" = {
wants = [ "network-online.target" ]; wants = [ "network-online.target" ];
after = [ "network-online.target" ]; after = [ "network-online.target" ];
wantedBy = [ "timers.target" ]; wantedBy = [ "timers.target" ];
@ -65,6 +69,7 @@ in
Unit = "build-hosts.service"; Unit = "build-hosts.service";
}; };
}; };
};
# Configure the system. # Configure the system.
aux.system = { aux.system = {
@ -109,13 +114,13 @@ in
enable = true; enable = true;
defaultEmail = config.secrets.users.aires.email; defaultEmail = config.secrets.users.aires.email;
certs = { certs = {
"${config.secrets.networking.primaryDomain}" = { "${config.secrets.networking.domains.primary}" = {
dnsProvider = "namecheap"; dnsProvider = "namecheap";
extraDomainNames = subdomains; extraDomainNames = subdomains;
webroot = null; # Required in order to prevent a failed assertion webroot = null; # Required in order to prevent a failed assertion
credentialFiles = namecheapCredentials; credentialFiles = namecheapCredentials;
}; };
"${config.secrets.networking.blogDomain}" = { "${config.secrets.networking.domains.blog}" = {
dnsProvider = "namecheap"; dnsProvider = "namecheap";
webroot = null; # Required in order to prevent a failed assertion webroot = null; # Required in order to prevent a failed assertion
credentialFiles = namecheapCredentials; credentialFiles = namecheapCredentials;
@ -137,7 +142,7 @@ in
deluge = { deluge = {
enable = true; enable = true;
home = "${services-root}/deluge"; home = "${services-root}/deluge";
domain = config.secrets.networking.primaryDomain; domain = config.secrets.networking.domains.primary;
url = config.secrets.services.deluge.url; url = config.secrets.services.deluge.url;
}; };
duplicacy-web = { duplicacy-web = {
@ -147,7 +152,7 @@ in
forgejo = { forgejo = {
enable = true; enable = true;
home = "${services-root}/forgejo"; home = "${services-root}/forgejo";
domain = config.secrets.networking.primaryDomain; domain = config.secrets.networking.domains.primary;
url = config.secrets.services.forgejo.url; url = config.secrets.services.forgejo.url;
actions = { actions = {
enable = true; enable = true;
@ -157,13 +162,13 @@ in
jellyfin = { jellyfin = {
enable = true; enable = true;
home = "${services-root}/jellyfin"; home = "${services-root}/jellyfin";
domain = config.secrets.networking.primaryDomain; domain = config.secrets.networking.domains.primary;
url = config.secrets.services.jellyfin.url; url = config.secrets.services.jellyfin.url;
}; };
msmtp.enable = true; msmtp.enable = true;
netdata = { netdata = {
enable = true; enable = true;
domain = config.secrets.networking.primaryDomain; domain = config.secrets.networking.domains.primary;
type = "parent"; type = "parent";
url = config.secrets.services.netdata.url; url = config.secrets.services.netdata.url;
auth = { auth = {
@ -176,7 +181,7 @@ in
enable = true; enable = true;
autostart = false; autostart = false;
virtualHosts = { virtualHosts = {
"${config.secrets.networking.primaryDomain}" = { "${config.secrets.networking.domains.primary}" = {
default = true; default = true;
enableACME = true; # Enable Let's Encrypt enableACME = true; # Enable Let's Encrypt
locations."/" = { locations."/" = {
@ -184,13 +189,13 @@ in
return = "301 https://${config.secrets.services.forgejo.url}"; return = "301 https://${config.secrets.services.forgejo.url}";
}; };
}; };
"${config.secrets.networking.blogDomain}" = { "${config.secrets.networking.domains.blog}" = {
useACMEHost = config.secrets.networking.blogDomain; useACMEHost = config.secrets.networking.domains.blog;
forceSSL = true; forceSSL = true;
root = "${services-root}/nginx/sites/${config.secrets.networking.blogDomain}"; root = "${services-root}/nginx/sites/${config.secrets.networking.domains.blog}";
}; };
"${config.secrets.services.gremlin-lab.url}" = { "${config.secrets.services.gremlin-lab.url}" = {
useACMEHost = config.secrets.networking.primaryDomain; useACMEHost = config.secrets.networking.domains.primary;
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {
proxyPass = "http://${config.secrets.services.gremlin-lab.ip}"; proxyPass = "http://${config.secrets.services.gremlin-lab.ip}";
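Review bot: In the first hunk (`@ -10,18 +10,12 @@ let`) `namecheapCredentials` still builds both credential files with `pkgs.writeText`, so the Namecheap API user and key land in `/nix/store`, which is world-readable on the host and is not addressed by this reformat. If the `credentialFiles` option accepts any runtime path, point it at a root-only file outside the store instead, e.g. `"NAMECHEAP_API_USER_FILE" = "/run/secrets/namecheap-api-user";` and the same for the key, and otherwise record the exposure next to the definition: `# NOTE: writeText puts these API credentials in the world-readable Nix store`. A second caveat for the moved `subdomains` list: every entry is passed as `extraDomainNames` and therefore ends up in the certificate's SAN list and public CT logs, so keeping those hostnames in nix-secrets gives no confidentiality, which the new comment could say: `# List of subdomains to add to the TLS certificate (published in CT logs; not secret)`. The enclosing `let` block begins before this hunk and how `config.secrets` is loaded is not visible here, so the store-exposure claim is limited to what `writeText` does.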


@ -56,13 +56,13 @@ in
enable = true; enable = true;
defaultEmail = config.secrets.users.aires.email; defaultEmail = config.secrets.users.aires.email;
certs = { certs = {
"${config.secrets.networking.primaryDomain}" = { "${config.secrets.networking.domains.primary}" = {
dnsProvider = "namecheap"; dnsProvider = "namecheap";
extraDomainNames = subdomains; extraDomainNames = subdomains;
webroot = null; # Required in order to prevent a failed assertion webroot = null; # Required in order to prevent a failed assertion
credentialFiles = namecheapCredentials; credentialFiles = namecheapCredentials;
}; };
"${config.secrets.networking.blogDomain}" = { "${config.secrets.networking.domains.blog}" = {
dnsProvider = "namecheap"; dnsProvider = "namecheap";
webroot = null; # Required in order to prevent a failed assertion webroot = null; # Required in order to prevent a failed assertion
credentialFiles = namecheapCredentials; credentialFiles = namecheapCredentials;
@ -76,7 +76,7 @@ in
airsonic = { airsonic = {
enable = true; enable = true;
home = "${services-root}/airsonic-advanced"; home = "${services-root}/airsonic-advanced";
domain = config.secrets.networking.primaryDomain; domain = config.secrets.networking.domains.primary;
url = config.secrets.services.airsonic.url; url = config.secrets.services.airsonic.url;
}; };
autoUpgrade = { autoUpgrade = {
@ -99,7 +99,7 @@ in
forgejo = { forgejo = {
enable = true; enable = true;
home = "${services-root}/forgejo"; home = "${services-root}/forgejo";
domain = config.secrets.networking.primaryDomain; domain = config.secrets.networking.domains.primary;
url = config.secrets.services.forgejo.url; url = config.secrets.services.forgejo.url;
actions = { actions = {
enable = true; enable = true;
@ -111,7 +111,7 @@ in
enable = true; enable = true;
autostart = false; autostart = false;
virtualHosts = { virtualHosts = {
"${config.secrets.networking.primaryDomain}" = { "${config.secrets.networking.domains.primary}" = {
default = true; default = true;
enableACME = true; # Enable Let's Encrypt enableACME = true; # Enable Let's Encrypt
locations."/" = { locations."/" = {
@ -119,13 +119,13 @@ in
return = "301 https://${config.secrets.services.forgejo.url}"; return = "301 https://${config.secrets.services.forgejo.url}";
}; };
}; };
"${config.secrets.networking.blogDomain}" = { "${config.secrets.networking.domains.blog}" = {
useACMEHost = config.secrets.networking.blogDomain; useACMEHost = config.secrets.networking.domains.blog;
forceSSL = true; forceSSL = true;
root = "${services-root}/nginx/sites/${config.secrets.networking.blogDomain}"; root = "${services-root}/nginx/sites/${config.secrets.networking.domains.blog}";
}; };
"${config.secrets.services.gremlin-lab.url}" = { "${config.secrets.services.gremlin-lab.url}" = {
useACMEHost = config.secrets.networking.primaryDomain; useACMEHost = config.secrets.networking.domains.primary;
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {
proxyPass = "http://${config.secrets.services.gremlin-lab.ip}"; proxyPass = "http://${config.secrets.services.gremlin-lab.ip}";
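Review bot: The `gremlin-lab` vhost in the last hunk serves `useACMEHost = config.secrets.networking.domains.primary`, which is only valid if `config.secrets.services.gremlin-lab.url` is one of that certificate's `extraDomainNames = subdomains` (first hunk); `subdomains` is defined outside the hunks of this file, and a missing SAN only shows up when clients reject the certificate, so please confirm it is listed here as it is in the Dimaga file. The backend hop `proxyPass = "http://${config.secrets.services.gremlin-lab.ip}"` is plaintext HTTP; if that link is not host-local or otherwise trusted, terminate TLS on the backend or document the assumption inline: `# gremlin-lab backend is reached over plaintext HTTP; the link is assumed trusted`. The vhost body continues past the end of the hunk.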


@ -21,7 +21,7 @@ in
tls = true; tls = true;
tls_starttls = true; tls_starttls = true;
port = 587; port = 587;
from = "${config.networking.hostName}@${config.secrets.networking.primaryDomain}"; from = "${config.networking.hostName}@${config.secrets.networking.domains.primary}";
}; };
}; };

@ -1 +1 @@
Subproject commit 26588368303142902ef91c67ad679da6be5bbeee Subproject commit a321a1ba2e23b59a6d39a33258a82021feaa853f