Merge branch 'zenix/master' of git.tristans.cloud:tristan/nix into nixbook/master

This commit is contained in:
Tristan 2024-05-31 12:58:09 +01:00
commit b56eb2a8b6
7 changed files with 207 additions and 15 deletions


@ -9,10 +9,6 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
stylix.url = "github:danth/stylix"; stylix.url = "github:danth/stylix";
# hyprland = {
# url = "github:hyprwm/Hyprland/v0.36.0";
# inputs.nixpkgs.follows = "nixpkgs";
# };
sops-nix.url = "github:Mic92/sops-nix"; sops-nix.url = "github:Mic92/sops-nix";
}; };
@ -45,7 +41,6 @@
FCS-Tristan-Nixbook = FCS-Tristan-Nixbook =
mkConf [ mkConf [
# inputs.hyprland.nixosModules.default
./hardware/fcs-tristan-nixbook.nix ./hardware/fcs-tristan-nixbook.nix
(auto-login "Hyprland") (auto-login "Hyprland")
./nixos/modules/work.nix ./nixos/modules/work.nix
@ -71,6 +66,8 @@
./nixos/services/mautrix/signal.nix ./nixos/services/mautrix/signal.nix
./nixos/services/nextcloud.nix ./nixos/services/nextcloud.nix
./nixos/services/ntfy.nix ./nixos/services/ntfy.nix
./nixos/services/authentik.nix
./nixos/services/monero.nix
] []; ] [];
vm-sway = vm-sway =


@ -140,14 +140,6 @@ in {
enableACME = true; enableACME = true;
root = "/srv/www/tristans.cloud"; root = "/srv/www/tristans.cloud";
}; };
"auth.tristans.cloud" = {
forceSSL = true;
enableACME = true;
locations."~" = {
proxyPass = "http://localhost:8084";
proxyWebsockets = true;
};
};
}; };
}; };
security.acme = { security.acme = {


@ -15,6 +15,7 @@ in
modules = modules =
modules modules
++ [ ++ [
../nixos/modules/podman.nix
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
{ {

87
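--- /dev/null
+++ b/nixos/modules/podman.nix
@@ -0,0 +1,87 @@
+{
+lib,
+pkgs,
+config,
+...
+}: let
+inherit (lib) mkOption types;
+mkRunCommand = name: {
+image,
+command ? "",
+environment ? {},
+ports ? [],
+volumes ? [],
+envFile ? null,
+...
+}: ''
+${pkgs.podman}/bin/podman run \
+${toString (builtins.attrValues (builtins.mapAttrs (name: value: "-e ${name}='${value}'") environment))} \
+${toString (builtins.map (mapping: "-p ${mapping}") ports)} \
+${toString (builtins.map (mapping: "-v ${mapping}") volumes)} \
+${
+if builtins.isNull envFile
+then ""
+else "--env-file ${toString envFile}"
+} \
+--detach --replace \
+--name ${name} \
+${image} ${command}
+'';
+opts = {
+config,
+name,
+...
+}: {
+options = {
+image = mkOption {
+type = types.str;
+};
+command = mkOption {
+type = types.str;
+default = "";
+};
+environment = mkOption {
+type = types.attrsOf types.str;
+default = {};
+};
+ports = mkOption {
+type = types.listOf types.str;
+default = [];
+};
+volumes = mkOption {
+type = types.listOf types.str;
+default = [];
+};
+envFile = mkOption {
+type = types.nullOr types.path;
+default = null;
+};
+};
+};
+mkService = name: config: {
+enable = true;
+wants = ["network-online.target"];
+after = ["network-online.target"];
+wantedBy = ["default.target"];
+unitConfig = {
+RequiresMountsFor = "/run/containers/storage";
+};
+serviceConfig = {
+Environment = "PODMAN_SYSTEMD_UNIT=%n";
+Restart = "on-failure";
+TimeoutStopSec = 70;
+ExecStart = mkRunCommand name config;
+ExecStop = "${pkgs.podman}/bin/podman stop -t 10 ${name}";
+ExecStopPost = "${pkgs.podman}/bin/podman stop -t 10 ${name}";
+Type = "forking";
+};
+};
+in {
+options.podman = mkOption {
+type = types.attrsOf (types.submodule opts);
+default = {};
+};
+config = {
+systemd.services = lib.mapAttrs mkService config.podman;
+};
+}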
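Review bot: Values in `environment` are interpolated into the `-e ${name}='${value}'` arguments of ExecStart (the mapAttrs call at the top of mkRunCommand) without any escaping, so a value containing a single quote or a newline yields a malformed command line; because ExecStart is parsed by systemd's own quoting rules rather than a shell, either build the argument list with `utils.escapeSystemdExecArgs` (adding `utils` to the module's arguments) or document on the `environment` option that secrets and other free-form values must go through `envFile`, which is how the authentik module already uses it. The inner lambda's `name` parameter shadows the service `name` bound by mkRunCommand, which reads confusingly even though `--name ${name}` sits outside it; `(key: value: "-e ${key}='${value}'")` avoids that. `ExecStopPost` repeats the exact `ExecStop` command, so a clean stop runs the same `podman stop` twice; if the intent is cleanup after a failed ExecStop, a comment saying so would help. The multi-line `ExecStart` value also relies on systemd honouring backslash-newline continuation after NixOS writes serviceConfig out, which I have not verified and is worth checking with `systemctl cat` on the generated unit.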


@ -0,0 +1,91 @@
{config, ...}: let
inherit (config) sops;
inherit (sops) templates placeholder;
redis_port = "6380";
authentik_port = "8084";
postgres = {
user = "authentik";
db = "authentik";
port = "5437";
};
authentik-config = {
image = "ghcr.io/goauthentik/server:2023.10.7";
volumes = ["/home/tristan/pods/authentik/media:/media"];
environment = {
AUTHENTIK_POSTGRESQL__USER = postgres.user;
AUTHENTIK_POSTGRESQL__HOST = "192.168.1.2";
AUTHENTIK_POSTGRESQL__PORT = postgres.port;
AUTHENTIK_REDIS__HOST = "192.168.1.2";
AUTHENTIK_REDIS__PORT = redis_port;
AUTHENTIK_EMAIL__FROM = "Authentik <tristan@tristans.cloud>";
AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME = "false";
};
envFile = templates."authentik/environment".path;
};
in {
sops.secrets = {
"authentik/postgres_password" = {};
"authentik/secret_key" = {};
"mail/host" = {};
"mail/port" = {};
"mail/username" = {};
"mail/password" = {};
"mail/ssl" = {};
};
sops.templates = {
"authentik/environment" = {
content = ''
AUTHENTIK_POSTGRESQL__PASSWORD="${placeholder."authentik/postgres_password"}"
AUTHENTIK_SECRET_KEY="${placeholder."authentik/secret_key"}"
AUTHENTIK_EMAIL__HOST="${placeholder."mail/host"}"
AUTHENTIK_EMAIL__PORT="${placeholder."mail/port"}"
AUTHENTIK_EMAIL__USERNAME="${placeholder."mail/username"}"
AUTHENTIK_EMAIL__PASSWORD="${placeholder."mail/password"}"
AUTHENTIK_EMAIL__USE_SSL="${placeholder."mail/ssl"}"
'';
};
"authentik/postgres_env" = {
content = ''
POSTGRES_PASSWORD="${placeholder."authentik/postgres_password"}"
'';
};
};
podman.authentik-redis = {
image = "redis:latest";
ports = ["${redis_port}:6379"];
};
podman.authentik-server =
authentik-config
// {
command = "server";
ports = ["${authentik_port}:9000" "9084:9300"];
};
podman.authentik-worker =
authentik-config
// {
command = "worker";
};
podman.authentik-postgres = {
image = "docker.io/postgres:14-alpine";
ports = ["${postgres.port}:5432"];
volumes = ["/home/tristan/pods/authentik/db:/var/lib/postgresql/data"];
environment = {
POSTGRES_USER = postgres.user;
POSTGRES_DB = postgres.db;
};
envFile = templates."authentik/postgres_env".path;
};
services.nginx.virtualHosts."auth.tristans.cloud" = {
forceSSL = true;
enableACME = true;
locations."~" = {
proxyPass = "http://localhost:${authentik_port}";
proxyWebsockets = true;
};
};
}
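Review bot: The `ports` mappings for authentik-redis and authentik-postgres (`"${redis_port}:6379"` and `"${postgres.port}:5432"`) carry no host address, so podman publishes them on every interface; Redis is started here with no password configured, and both services become reachable from anything on the LAN rather than only from the authentik containers that address them via 192.168.1.2. Binding explicitly, e.g. `ports = ["192.168.1.2:${redis_port}:6379"];`, and limiting those two ports in `networking.firewall` to the hosts that need them would narrow the exposure; a shared podman network with container-name resolution would avoid host-published ports for the backends entirely. The redis image is `redis:latest` while the authentik and postgres images are pinned, so a re-pull can change the Redis version without a commit; pinning it like the others keeps the deployment reproducible.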

15
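--- /dev/null
+++ b/nixos/services/monero.nix
@@ -0,0 +1,15 @@
+{...}: {
+services.monero = {
+enable = true;
+rpc = {
+address = "0.0.0.0";
+restricted = true;
+};
+extraConfig = ''
+prune-blockchain=1
+confirm-external-bind=1
+out-peers=64 # This will enable much faster sync and tx awareness; the default 8 is suboptimal nowadays
+in-peers=1024 # The default is unlimited; we prefer to put a cap on this
+'';
+};
+}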
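Review bot: `rpc.address = "0.0.0.0"` together with `restricted = true` and `confirm-external-bind=1` deliberately exposes the restricted RPC on every interface, but nothing in the module records that this is meant to be a public node or that the firewall is handled elsewhere, so a later reader cannot tell intent from accident; a comment such as `# Public restricted-RPC node: wallet-affecting calls are refused by restricted mode, firewall is configured in the host module` (adjusted to wherever the port is actually opened) would make the choice auditable. The trailing `# ...` comments inside extraConfig are written verbatim into monerod's config file; I believe its parser tolerates a comment after a value, but that is worth confirming against the generated file rather than assuming.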


@ -19,6 +19,15 @@ mautrix-signal:
mautrix-instagram: mautrix-instagram:
as_token: ENC[AES256_GCM,data:pNO76BcGejQdCc5X4f/UvSsBIPU6QZCCQTJvwVIXRf3rnb9ewWNMEtYXlqj886yh3g5SgqQ4Uhqby/7vrMxREA==,iv:uYU7ACk4wEPzqUCpt5KBt5Y8LoVIdAlNvdWj5Jm94qM=,tag:vJHOhwJBPlgUPu1SFqI4ew==,type:str] as_token: ENC[AES256_GCM,data:pNO76BcGejQdCc5X4f/UvSsBIPU6QZCCQTJvwVIXRf3rnb9ewWNMEtYXlqj886yh3g5SgqQ4Uhqby/7vrMxREA==,iv:uYU7ACk4wEPzqUCpt5KBt5Y8LoVIdAlNvdWj5Jm94qM=,tag:vJHOhwJBPlgUPu1SFqI4ew==,type:str]
hs_token: ENC[AES256_GCM,data:m1CK8Ae6QyJKgDZm904xMpZ1KgKxEUpmQ1jdKOkjexgwAWjjtYF+RVximtcXwxPg/0jkbK/LMlxA89ic+zajiA==,iv:YLed92mS+2Cpud2f8Gq+zlpSVyPo7RVNGOUPCIRDi94=,tag:rRwhYn88ZZwm5sDI1etR2g==,type:str] hs_token: ENC[AES256_GCM,data:m1CK8Ae6QyJKgDZm904xMpZ1KgKxEUpmQ1jdKOkjexgwAWjjtYF+RVximtcXwxPg/0jkbK/LMlxA89ic+zajiA==,iv:YLed92mS+2Cpud2f8Gq+zlpSVyPo7RVNGOUPCIRDi94=,tag:rRwhYn88ZZwm5sDI1etR2g==,type:str]
authentik:
postgres_password: ENC[AES256_GCM,data:mdUFP92PQEsvXpgES/iG+zmse0AKJ2c1KdMQDWDWWzWAOn3YSAYJX/N0IIljoGNC,iv:UxFDFYWNBQospGoHlrvLQJyypIszPqpkeJy1IGr6/7I=,tag:99LWrGMaYpfTl0PM4AQaKg==,type:str]
secret_key: ENC[AES256_GCM,data:JWcHd5FLhFt7gitVyv0l5Fc/sVrBlro026CPKrECPRGQHwjWQWsXTbKisM0vCKdB,iv:WN/LXUNrd+DbxfxwotedlYnyzE2D1c6C2e0UgCXUWX8=,tag:CAo6tX5RGdg67giMWa459g==,type:str]
mail:
host: ENC[AES256_GCM,data:TpJCxb8/qtGHA7ZQNFxRfzY0jz82,iv:+hjhL2jbMP9NWYub/etBhFXxAfzoIEneepRw5uHL8bs=,tag:J5Rb6BiFKqgqxZPFSGtXhA==,type:str]
port: ENC[AES256_GCM,data:1DfD,iv:I3dK4v/h5nFLNk4yihQxkJiyAir9MLDAQIeGbSn3j+I=,tag:Xu8E6PN7u9YRVnFMWq85DQ==,type:str]
username: ENC[AES256_GCM,data:yF3a6yJbvscUM8HRL9/Df5ZU4j5a3g==,iv:LkZh8eaBZ+Z3+bjpyB3MkWTRpjtk3/bszseT9KCfDmM=,tag:sdAp283HiwYWlVLc7c4waw==,type:str]
password: ENC[AES256_GCM,data:queuYRYekTyynd6fxK4RNImMzQeR7xfNg9u96Fr+1tw=,iv:Rn30tJAoahkMr2ISDbyHClHDdjSF41MqtTwlSGUQELw=,tag:/sfAJXvFwvv3AMxTCONmkg==,type:str]
ssl: ENC[AES256_GCM,data:K2pczQ==,iv:Us4kZfQ2wIx/qJXDaPDuUNvGU2F+U8EtV21SPbTebe8=,tag:lUY9pGQ7dtxIJqOOtIMA8Q==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -34,8 +43,8 @@ sops:
NUFIN3NPU2pTZ0NZRXdQY0xhWlI5T3cKd5XCj1aNsD+7+MfiAPGb1iAW9AgzyagG NUFIN3NPU2pTZ0NZRXdQY0xhWlI5T3cKd5XCj1aNsD+7+MfiAPGb1iAW9AgzyagG
A7cwF9kQwWWLud9z4v6epuDkqGF+7uIy7N/CwBaEgi8+AS8o27wo4g== A7cwF9kQwWWLud9z4v6epuDkqGF+7uIy7N/CwBaEgi8+AS8o27wo4g==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-03-23T23:24:16Z" lastmodified: "2024-05-08T21:41:24Z"
mac: ENC[AES256_GCM,data:bs8t7nH5BdIz4uQd33M2pt+AVhqfBEJy9l8AFl8p80GLAMg5zKlDWxtVCPrWk8viJvfMkhvwEovBizoy3m7gt8iWLf+dtznBjALtUXVAc/+dmACUS8E9JHHKcvOHxT/cYCuU3t6pDJWlbfnpBtKSSHH8Z/YblYMlkeoNeNOoAwU=,iv:9fKO44c5TNMBgHqcuV6Fu+GW8TjND+32KDEerawpZL4=,tag:Ps8kelq+8iY88mdqugRTMg==,type:str] mac: ENC[AES256_GCM,data:BMM/NP/ls0VdkL1jOqPeEmfxwoQR1Yi5DM2xb1p+Z3u9oo61Tkc2v2G7G9jWMfa2UwVlqYOGIZlwNj2ONhWhDDZBVTd3tTEbssbizNTUWGX7cQBfQm9K0/Mk+qXdug7AfjKnVXZlEbD7QLfqhz7sl/tDaPS9sstnivJENi2sIYI=,iv:nOoc+kiSbf89qJMtGYLURVToh6bCnEjg7zVQivzate4=,tag:ogEOMkRafxKLFX0N9hbOSw==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1