Secrets: reformatting
This commit is contained in:
parent
1b47418675
commit
26a78a8f24
|
@ -234,11 +234,10 @@
|
||||||
"nix-secrets": {
|
"nix-secrets": {
|
||||||
"flake": false,
|
"flake": false,
|
||||||
"locked": {
|
"locked": {
|
||||||
|
"dirtyRev": "26588368303142902ef91c67ad679da6be5bbeee-dirty",
|
||||||
|
"dirtyShortRev": "2658836-dirty",
|
||||||
"lastModified": 1725028484,
|
"lastModified": 1725028484,
|
||||||
"narHash": "sha256-bqPYW6fYTul0RpInWxJxaLpn31y0aYi4bMRCnWjhFPk=",
|
"narHash": "sha256-GJerArXURZD3VfNScxpa73QKajylnfpeG0U6Z6/XxA8=",
|
||||||
"ref": "refs/heads/main",
|
|
||||||
"rev": "26588368303142902ef91c67ad679da6be5bbeee",
|
|
||||||
"revCount": 63,
|
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "file:./nix-secrets"
|
"url": "file:./nix-secrets"
|
||||||
},
|
},
|
||||||
|
|
|
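Review bot: The new `nix-secrets` lock entry pins a dirty working tree (`dirtyRev` ending in `-dirty`, plus `dirtyShortRev`) and drops the `ref`, `rev` and `revCount` fields, so the lock no longer identifies any committed state of the secrets input; only the `narHash` says what was actually evaluated. The submodule bump at the bottom of this commit moves `nix-secrets` to `a321a1ba…`, which does not match the `26588368…` base recorded in the dirty rev, so a clean checkout will presumably see a different tree than the one hashed here and either fail the hash check or need a re-lock. Commit the secrets submodule first and then run `nix flake lock --update-input nix-secrets` from a clean tree, so the entry regains `rev`/`ref` and agrees with the submodule pointer. A lock that cannot be reproduced from committed state also loses its audit value for a secrets input.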
@ -10,18 +10,12 @@ let
|
||||||
stateVersion = "24.11";
|
stateVersion = "24.11";
|
||||||
hostName = "Dimaga";
|
hostName = "Dimaga";
|
||||||
|
|
||||||
|
# Where to store service files
|
||||||
|
services-root = "/storage/services";
|
||||||
|
# Script to start services
|
||||||
start-services = pkgs.writeShellScriptBin "start-services" (builtins.readFile ./start-services.sh);
|
start-services = pkgs.writeShellScriptBin "start-services" (builtins.readFile ./start-services.sh);
|
||||||
|
|
||||||
services-root = "/storage/services";
|
# Credentials for interacting with the Namecheap API
|
||||||
|
|
||||||
subdomains = [
|
|
||||||
config.secrets.services.deluge.url
|
|
||||||
config.secrets.services.forgejo.url
|
|
||||||
config.secrets.services.gremlin-lab.url
|
|
||||||
config.secrets.services.jellyfin.url
|
|
||||||
config.secrets.services.netdata.url
|
|
||||||
];
|
|
||||||
|
|
||||||
namecheapCredentials = {
|
namecheapCredentials = {
|
||||||
"NAMECHEAP_API_USER_FILE" = "${pkgs.writeText "namecheap-api-user" ''
|
"NAMECHEAP_API_USER_FILE" = "${pkgs.writeText "namecheap-api-user" ''
|
||||||
${config.secrets.networking.namecheap.api.user}
|
${config.secrets.networking.namecheap.api.user}
|
||||||
|
@ -30,6 +24,15 @@ let
|
||||||
${config.secrets.networking.namecheap.api.key}
|
${config.secrets.networking.namecheap.api.key}
|
||||||
''}";
|
''}";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# List of subdomains to add to the TLS certificate
|
||||||
|
subdomains = [
|
||||||
|
config.secrets.services.deluge.url
|
||||||
|
config.secrets.services.forgejo.url
|
||||||
|
config.secrets.services.gremlin-lab.url
|
||||||
|
config.secrets.services.jellyfin.url
|
||||||
|
config.secrets.services.netdata.url
|
||||||
|
];
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
imports = [ ./hardware-configuration.nix ];
|
imports = [ ./hardware-configuration.nix ];
|
||||||
|
@ -44,7 +47,8 @@ in
|
||||||
|
|
||||||
# Build Nix packages for other hosts.
|
# Build Nix packages for other hosts.
|
||||||
# Runs every day at 4 AM
|
# Runs every day at 4 AM
|
||||||
systemd.services."build-hosts" = {
|
systemd = {
|
||||||
|
services."build-hosts" = {
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "oneshot";
|
Type = "oneshot";
|
||||||
User = "root";
|
User = "root";
|
||||||
|
@ -55,7 +59,7 @@ in
|
||||||
nh os build . --hostname Khanda
|
nh os build . --hostname Khanda
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
systemd.timers."build-hosts" = {
|
timers."build-hosts" = {
|
||||||
wants = [ "network-online.target" ];
|
wants = [ "network-online.target" ];
|
||||||
after = [ "network-online.target" ];
|
after = [ "network-online.target" ];
|
||||||
wantedBy = [ "timers.target" ];
|
wantedBy = [ "timers.target" ];
|
||||||
|
@ -65,6 +69,7 @@ in
|
||||||
Unit = "build-hosts.service";
|
Unit = "build-hosts.service";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
};
|
||||||
|
|
||||||
# Configure the system.
|
# Configure the system.
|
||||||
aux.system = {
|
aux.system = {
|
||||||
|
@ -109,13 +114,13 @@ in
|
||||||
enable = true;
|
enable = true;
|
||||||
defaultEmail = config.secrets.users.aires.email;
|
defaultEmail = config.secrets.users.aires.email;
|
||||||
certs = {
|
certs = {
|
||||||
"${config.secrets.networking.primaryDomain}" = {
|
"${config.secrets.networking.domains.primary}" = {
|
||||||
dnsProvider = "namecheap";
|
dnsProvider = "namecheap";
|
||||||
extraDomainNames = subdomains;
|
extraDomainNames = subdomains;
|
||||||
webroot = null; # Required in order to prevent a failed assertion
|
webroot = null; # Required in order to prevent a failed assertion
|
||||||
credentialFiles = namecheapCredentials;
|
credentialFiles = namecheapCredentials;
|
||||||
};
|
};
|
||||||
"${config.secrets.networking.blogDomain}" = {
|
"${config.secrets.networking.domains.blog}" = {
|
||||||
dnsProvider = "namecheap";
|
dnsProvider = "namecheap";
|
||||||
webroot = null; # Required in order to prevent a failed assertion
|
webroot = null; # Required in order to prevent a failed assertion
|
||||||
credentialFiles = namecheapCredentials;
|
credentialFiles = namecheapCredentials;
|
||||||
|
@ -137,7 +142,7 @@ in
|
||||||
deluge = {
|
deluge = {
|
||||||
enable = true;
|
enable = true;
|
||||||
home = "${services-root}/deluge";
|
home = "${services-root}/deluge";
|
||||||
domain = config.secrets.networking.primaryDomain;
|
domain = config.secrets.networking.domains.primary;
|
||||||
url = config.secrets.services.deluge.url;
|
url = config.secrets.services.deluge.url;
|
||||||
};
|
};
|
||||||
duplicacy-web = {
|
duplicacy-web = {
|
||||||
|
@ -147,7 +152,7 @@ in
|
||||||
forgejo = {
|
forgejo = {
|
||||||
enable = true;
|
enable = true;
|
||||||
home = "${services-root}/forgejo";
|
home = "${services-root}/forgejo";
|
||||||
domain = config.secrets.networking.primaryDomain;
|
domain = config.secrets.networking.domains.primary;
|
||||||
url = config.secrets.services.forgejo.url;
|
url = config.secrets.services.forgejo.url;
|
||||||
actions = {
|
actions = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -157,13 +162,13 @@ in
|
||||||
jellyfin = {
|
jellyfin = {
|
||||||
enable = true;
|
enable = true;
|
||||||
home = "${services-root}/jellyfin";
|
home = "${services-root}/jellyfin";
|
||||||
domain = config.secrets.networking.primaryDomain;
|
domain = config.secrets.networking.domains.primary;
|
||||||
url = config.secrets.services.jellyfin.url;
|
url = config.secrets.services.jellyfin.url;
|
||||||
};
|
};
|
||||||
msmtp.enable = true;
|
msmtp.enable = true;
|
||||||
netdata = {
|
netdata = {
|
||||||
enable = true;
|
enable = true;
|
||||||
domain = config.secrets.networking.primaryDomain;
|
domain = config.secrets.networking.domains.primary;
|
||||||
type = "parent";
|
type = "parent";
|
||||||
url = config.secrets.services.netdata.url;
|
url = config.secrets.services.netdata.url;
|
||||||
auth = {
|
auth = {
|
||||||
|
@ -176,7 +181,7 @@ in
|
||||||
enable = true;
|
enable = true;
|
||||||
autostart = false;
|
autostart = false;
|
||||||
virtualHosts = {
|
virtualHosts = {
|
||||||
"${config.secrets.networking.primaryDomain}" = {
|
"${config.secrets.networking.domains.primary}" = {
|
||||||
default = true;
|
default = true;
|
||||||
enableACME = true; # Enable Let's Encrypt
|
enableACME = true; # Enable Let's Encrypt
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
|
@ -184,13 +189,13 @@ in
|
||||||
return = "301 https://${config.secrets.services.forgejo.url}";
|
return = "301 https://${config.secrets.services.forgejo.url}";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
"${config.secrets.networking.blogDomain}" = {
|
"${config.secrets.networking.domains.blog}" = {
|
||||||
useACMEHost = config.secrets.networking.blogDomain;
|
useACMEHost = config.secrets.networking.domains.blog;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
root = "${services-root}/nginx/sites/${config.secrets.networking.blogDomain}";
|
root = "${services-root}/nginx/sites/${config.secrets.networking.domains.blog}";
|
||||||
};
|
};
|
||||||
"${config.secrets.services.gremlin-lab.url}" = {
|
"${config.secrets.services.gremlin-lab.url}" = {
|
||||||
useACMEHost = config.secrets.networking.primaryDomain;
|
useACMEHost = config.secrets.networking.domains.primary;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://${config.secrets.services.gremlin-lab.ip}";
|
proxyPass = "http://${config.secrets.services.gremlin-lab.ip}";
|
||||||
|
|
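Review bot: The reordered `let` block still materialises the Namecheap API user and key through `pkgs.writeText`, which writes both values into `/nix/store`; the store is world-readable on a standard NixOS install, so any local user (or anything that reads the store, such as a cache push) can recover the DNS-provider credentials, and a commit titled "Secrets: reformatting" is the natural place to fix that rather than re-label it. If `credentialFiles` here maps onto NixOS's `security.acme.certs.<name>.credentialFiles`, it takes paths, so the safer shape is to point it at files provisioned outside the store by agenix/sops-nix or at root-only files under `/run` or `/etc`, e.g. `"NAMECHEAP_API_USER_FILE" = config.secrets.networking.namecheap.api.userFile;` where the value is an out-of-store path, and drop the `writeText` wrappers. The same concern presumably applies to `config.secrets.*` as a whole, since the `nix-secrets` flake input is copied into the store when evaluated. The `namecheapCredentials` definition starts before the visible part of this hunk.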
|
@ -56,13 +56,13 @@ in
|
||||||
enable = true;
|
enable = true;
|
||||||
defaultEmail = config.secrets.users.aires.email;
|
defaultEmail = config.secrets.users.aires.email;
|
||||||
certs = {
|
certs = {
|
||||||
"${config.secrets.networking.primaryDomain}" = {
|
"${config.secrets.networking.domains.primary}" = {
|
||||||
dnsProvider = "namecheap";
|
dnsProvider = "namecheap";
|
||||||
extraDomainNames = subdomains;
|
extraDomainNames = subdomains;
|
||||||
webroot = null; # Required in order to prevent a failed assertion
|
webroot = null; # Required in order to prevent a failed assertion
|
||||||
credentialFiles = namecheapCredentials;
|
credentialFiles = namecheapCredentials;
|
||||||
};
|
};
|
||||||
"${config.secrets.networking.blogDomain}" = {
|
"${config.secrets.networking.domains.blog}" = {
|
||||||
dnsProvider = "namecheap";
|
dnsProvider = "namecheap";
|
||||||
webroot = null; # Required in order to prevent a failed assertion
|
webroot = null; # Required in order to prevent a failed assertion
|
||||||
credentialFiles = namecheapCredentials;
|
credentialFiles = namecheapCredentials;
|
||||||
|
@ -76,7 +76,7 @@ in
|
||||||
airsonic = {
|
airsonic = {
|
||||||
enable = true;
|
enable = true;
|
||||||
home = "${services-root}/airsonic-advanced";
|
home = "${services-root}/airsonic-advanced";
|
||||||
domain = config.secrets.networking.primaryDomain;
|
domain = config.secrets.networking.domains.primary;
|
||||||
url = config.secrets.services.airsonic.url;
|
url = config.secrets.services.airsonic.url;
|
||||||
};
|
};
|
||||||
autoUpgrade = {
|
autoUpgrade = {
|
||||||
|
@ -99,7 +99,7 @@ in
|
||||||
forgejo = {
|
forgejo = {
|
||||||
enable = true;
|
enable = true;
|
||||||
home = "${services-root}/forgejo";
|
home = "${services-root}/forgejo";
|
||||||
domain = config.secrets.networking.primaryDomain;
|
domain = config.secrets.networking.domains.primary;
|
||||||
url = config.secrets.services.forgejo.url;
|
url = config.secrets.services.forgejo.url;
|
||||||
actions = {
|
actions = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -111,7 +111,7 @@ in
|
||||||
enable = true;
|
enable = true;
|
||||||
autostart = false;
|
autostart = false;
|
||||||
virtualHosts = {
|
virtualHosts = {
|
||||||
"${config.secrets.networking.primaryDomain}" = {
|
"${config.secrets.networking.domains.primary}" = {
|
||||||
default = true;
|
default = true;
|
||||||
enableACME = true; # Enable Let's Encrypt
|
enableACME = true; # Enable Let's Encrypt
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
|
@ -119,13 +119,13 @@ in
|
||||||
return = "301 https://${config.secrets.services.forgejo.url}";
|
return = "301 https://${config.secrets.services.forgejo.url}";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
"${config.secrets.networking.blogDomain}" = {
|
"${config.secrets.networking.domains.blog}" = {
|
||||||
useACMEHost = config.secrets.networking.blogDomain;
|
useACMEHost = config.secrets.networking.domains.blog;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
root = "${services-root}/nginx/sites/${config.secrets.networking.blogDomain}";
|
root = "${services-root}/nginx/sites/${config.secrets.networking.domains.blog}";
|
||||||
};
|
};
|
||||||
"${config.secrets.services.gremlin-lab.url}" = {
|
"${config.secrets.services.gremlin-lab.url}" = {
|
||||||
useACMEHost = config.secrets.networking.primaryDomain;
|
useACMEHost = config.secrets.networking.domains.primary;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://${config.secrets.services.gremlin-lab.ip}";
|
proxyPass = "http://${config.secrets.services.gremlin-lab.ip}";
|
||||||
|
|
|
@ -21,7 +21,7 @@ in
|
||||||
tls = true;
|
tls = true;
|
||||||
tls_starttls = true;
|
tls_starttls = true;
|
||||||
port = 587;
|
port = 587;
|
||||||
from = "${config.networking.hostName}@${config.secrets.networking.primaryDomain}";
|
from = "${config.networking.hostName}@${config.secrets.networking.domains.primary}";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -1 +1 @@
|
||||||
Subproject commit 26588368303142902ef91c67ad679da6be5bbeee
|
Subproject commit a321a1ba2e23b59a6d39a33258a82021feaa853f
|