nextcloud and sops-nix

Tristan 2024-02-22 17:16:38 +00:00
parent a49f3d34ab
commit c32ab6ba1f
10 changed files with 175 additions and 119 deletions

8
.sops.yaml Normal file

@ -0,0 +1,8 @@
keys:
- &alpine age106vffwu4y8cx90y0rtzajgpafl8jq7ty5hf6pur2gjsuq3g2lf5qjmdq0q
creation_rules:
- path_regex: secrets/secrets.yaml$
key_groups:
- age:
- *alpine
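Review bot: Only the host recipient `&alpine` is listed under `keys:`, whereas the deleted secrets.nix also granted `tristan` access to the grafana secret, so after this change secrets.yaml can only be decrypted and re-encrypted with the key that sits on the host at the `age.keyFile` path. Adding the operator's age public key as a second recipient, e.g. `- &tristan <operator age public key>` under `keys:` and `- *tristan` in the `age:` key group, keeps the file editable from a workstation and allows the host key to be rotated without first decrypting on the host. The same single-recipient list is mirrored in the `sops.age` block of secrets/secrets.yaml, so both would be updated together by a re-encrypt.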

162
flake.lock generated

@ -1,26 +1,5 @@
{
"nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": "nixpkgs",
"systems": "systems"
},
"locked": {
"lastModified": 1707830867,
"narHash": "sha256-PAdwm5QqdlwIqGrfzzvzZubM+FXtilekQ/FA0cI49/o=",
"owner": "ryantm",
"repo": "agenix",
"rev": "8cb01a0e717311680e0cbca06a76cbceba6f3ed6",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"base16": {
"inputs": {
"fromYaml": "fromYaml"
@ -168,28 +147,6 @@
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1700795494,
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
@ -240,27 +197,6 @@
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703113217,
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_2": {
"inputs": {
"nixpkgs": [
"nixpkgs"
@ -281,7 +217,7 @@
"type": "github"
}
},
"home-manager_3": {
"home-manager_2": {
"inputs": {
"nixpkgs": [
"stylix",
@ -305,8 +241,8 @@
"hyprland": {
"inputs": {
"hyprland-protocols": "hyprland-protocols",
"nixpkgs": "nixpkgs_2",
"systems": "systems_2",
"nixpkgs": "nixpkgs",
"systems": "systems",
"wlroots": "wlroots",
"xdph": "xdph"
},
@ -373,22 +309,6 @@
}
},
"nixpkgs": {
"locked": {
"lastModified": 1703013332,
"narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1706191920,
"narHash": "sha256-eLihrZAPZX0R6RyM5fYAWeKVNuQPYjAkCUBr+JNvtdE=",
@ -404,7 +324,23 @@
"type": "github"
}
},
"nixpkgs_3": {
"nixpkgs-stable": {
"locked": {
"lastModified": 1708210246,
"narHash": "sha256-Q8L9XwrBK53fbuuIFMbjKvoV7ixfLFKLw4yV+SD28Y8=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "69405156cffbdf2be50153f13cbdf9a0bea38e49",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1707268954,
"narHash": "sha256-2en1kvde3cJVc3ZnTy8QeD2oKcseLFjYPLKhIGDanQ0=",
@ -419,6 +355,22 @@
"type": "indirect"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1708151420,
"narHash": "sha256-MGT/4aGCWQPQiu6COqJdCj9kSpLPiShgbwpbC38YXC8=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6e2f00c83911461438301db0dba5281197fe4b3a",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_4": {
"locked": {
"lastModified": 1700856099,
@ -437,14 +389,33 @@
},
"root": {
"inputs": {
"agenix": "agenix",
"home-manager": "home-manager_2",
"home-manager": "home-manager",
"hyprland": "hyprland",
"nixpkgs": "nixpkgs_3",
"nixpkgs": "nixpkgs_2",
"sops-nix": "sops-nix",
"stable-nixpkgs": "stable-nixpkgs",
"stylix": "stylix"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": "nixpkgs_3",
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1708500294,
"narHash": "sha256-mvJIecY3tDKZh7297mqOtOuAvP7U1rqjfLNfmfkjFpU=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "f6b80ab6cd25e57f297fe466ad689d8a77057c11",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"stable-nixpkgs": {
"locked": {
"lastModified": 1707347730,
@ -473,7 +444,7 @@
"base16-vim": "base16-vim",
"flake-compat": "flake-compat",
"gnome-shell": "gnome-shell",
"home-manager": "home-manager_3",
"home-manager": "home-manager_2",
"nixpkgs": "nixpkgs_4"
},
"locked": {
@ -491,21 +462,6 @@
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1689347949,
"narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",


@ -10,7 +10,7 @@
};
stylix.url = "github:danth/stylix";
hyprland.url = "github:hyprwm/Hyprland/v0.35.0";
agenix.url = "github:ryantm/agenix";
sops-nix.url = "github:Mic92/sops-nix";
};
outputs = inputs: let
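Review bot: `sops-nix.url` is added without a `follows` for its nixpkgs input, so the lock file now carries two extra nixpkgs pins on its behalf (`nixpkgs_3` and `nixpkgs-stable` under the `sops-nix` node in flake.lock) that will drift from the system's nixpkgs and evaluate a second package set. If that is unintended, `sops-nix.inputs.nixpkgs.follows = "nixpkgs";` next to the url line removes the duplicate pin. The `inputs` set this line belongs to starts and ends outside the hunk.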


@ -17,6 +17,7 @@ in {
../nixos/services/prometheus.nix
../nixos/services/grafana.nix
../nixos/services/synapse.nix
../nixos/services/nextcloud.nix
];
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "sd_mod"];
@ -188,5 +189,7 @@ in {
http_port = 3001; # forgejo and grafana default to 3000
};
services.nextcloud.hostName = "files.tristans.cloud";
services.forgejo.settings.server.DOMAIN = "git.tristans.cloud";
}


@ -6,7 +6,7 @@
...
}: modules: home-modules:
let
inherit (inputs) home-manager nixpkgs hyprland agenix;
inherit (inputs) home-manager nixpkgs hyprland sops-nix;
in
nixpkgs.lib.nixosSystem {
specialArgs = {inherit inputs;};
@ -17,7 +17,7 @@ in
modules
++ [
home-manager.nixosModules.home-manager
agenix.nixosModules.default
sops-nix.nixosModules.sops
{
home-manager = {
useGlobalPkgs = true;
@ -33,6 +33,11 @@ in
}
];
};
sops = {
defaultSopsFile = ../secrets/secrets.yaml;
defaultSopsFormat = "yaml";
age.keyFile = "/home/${user}/.config/sops/age/keys.txt";
};
imports = [
{
options.user = nixpkgs.lib.mkOption {default = user;};
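Review bot: `age.keyFile = "/home/${user}/.config/sops/age/keys.txt"` places a host decryption key inside a login user's home directory, so every secret sops-nix decrypts at activation is also readable by that user and by anything running as it, and activation will fail on a fresh install or whenever that home directory is not present yet. Since sops-nix can decrypt with the host's SSH key, `age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];` (the key the deleted secrets.nix already used for `alpine`) together with the matching age recipient in .sops.yaml, or at least a root-only path for `keyFile`, keeps the decryption key out of a user account. The `sops` block sits inside a module attribute set whose beginning and end are outside this hunk.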


@ -1,9 +1,8 @@
{config, ...}: let
cfg = config.services.grafana;
secrets = config.age.secrets;
secrets = config.sops.secrets;
in {
age.secrets.grafana_oidc_client_secret = {
file = ../../secrets/grafana/oidc/client_secret.age;
sops.secrets."grafana/oidc_client_secret" = {
owner = "grafana";
};
services.grafana = {
@ -16,7 +15,7 @@ in {
enabled = true;
name = "authentik";
client_id = "TNMLGFxpovO0jPptxD0nYmjnuytXd1MphjFS20uE";
client_secret = "$__file{${secrets.grafana_oidc_client_secret.path}}";
client_secret = "$__file{${secrets."grafana/oidc_client_secret".path}}";
scopes = toString ["openid" "profile" "email"];
auth_url = "https://auth.tristans.cloud/application/o/authorize/";
token_url = "https://auth.tristans.cloud/application/o/token/";


@ -0,0 +1,69 @@
{config, pkgs, ...}:
let
nextcloud = config.services.nextcloud;
secrets = config.sops.secrets;
sops = config.sops;
in {
sops.secrets = {
"nextcloud/admin_password" = {
owner = "nextcloud";
};
"nextcloud/oidc_client_secret" = {};
};
sops.templates = {
"nextcloud/secrets.json" = {
owner = "nextcloud";
content = builtins.toJSON {
oidc_login_client_secret = sops.placeholder."nextcloud/oidc_client_secret";
};
};
};
environment.systemPackages = with pkgs; [ ffmpeg ];
services.nextcloud = {
enable = true;
https = true;
configureRedis = true;
config = {
adminpassFile = secrets."nextcloud/admin_password".path;
};
secretFile = sops.templates."nextcloud/secrets.json".path;
settings = {
trusted_proxies = ["192.168.1.2"];
maintenance_window_start = 2;
default_phone_region = "GB";
# https://github.com/pulsejet/nextcloud-oidc-login
oidc_login_provider_url = "https://auth.tristans.cloud/application/o/nextcloud/";
oidc_login_client_id = "Fo0OMWCHBlJNw5DsEI0IzeCk0HpU1TIZpy3D5Tix";
oidc_login_button_text = "Log in with Authentik";
oidc_login_use_id_token = true;
oidc_login_attributes = {
id = "preferred_username";
name = "name";
mail = "email";
groups = "groups";
is_admin = "NextcloudAdmin";
login_filter = "groups";
};
oidc_login_filter_allowed_values = {
"0" = "Nextcloud users";
};
oidc_login_use_external_storage = false;
oidc_login_scope = "email openid profile NextcloudAdmin";
oidc_login_proxy_ldap = false;
oidc_login_disable_registration = false;
oidc_login_redir_fallback = false;
oidc_login_tls_verify = true;
oidc_create_groups = true;
oidc_login_webdav_enabled = true;
oidc_login_public_key_caching_time = 604800;
oidc_login_min_time_between_jwks_requests = 10;
oidc_login_well_known_caching_time = 86400;
};
};
services.nginx.virtualHosts.${nextcloud.hostName} = {
forceSSL = true;
enableACME = true;
};
}
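Review bot: The `oidc_login_*` keys under `settings` configure the oidc_login app, but nothing in this file installs it (there is no `extraApps` entry), so unless it is installed elsewhere these settings have no effect. A header comment would also help the next reader, e.g. `# admin_password is a plain sops secret owned by nextcloud; the OIDC client secret is instead rendered into secretFile through a sops template so it lands in the same config.php system settings as the other oidc_login_* keys without being world-readable in the store`. No `config.dbtype` is set, so the module's default database backend applies; if that default is sqlite on the pinned nixpkgs it is not suited to a multi-user instance and switching later needs an explicit migration, so choosing `config.dbtype = "pgsql";` with `database.createLocally = true;` before the first start would avoid that.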


@ -1,9 +0,0 @@
let
alpine = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKkVkc3JV1rEMSxDhdxIbONLQPiXi3uANign9G3ap8PR";
zenix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEyirMHhLksc5eLp1jL/NYLSv+2Z67mRJQdljVLWMqKs";
tristan = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINl4Mbp0CwfLVuqxRdiUE66Rcj3HAw164XhI3WYGOnc6";
hosts = [ alpine ];
in
{
"secrets/grafana/oidc/client_secret.age".publicKeys = [alpine tristan];
}

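--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -0,0 +1,25 @@
+nextcloud:
+admin_password: ENC[AES256_GCM,data:ZBc/Z5F/DWPM78XhO3mVxEfEYjPoXHgqfg==,iv:ih9YuI+k4ksKBOhpezoJ/L5ac7P/JGLqs2B6ZuqZrj0=,tag:IDFU9NQoXHR1Ph5YtLC4lQ==,type:str]
+oidc_client_secret: ENC[AES256_GCM,data:nIVLfC+22fEurR6FXdUwz4+rPuXzlM5HG4lnRI/m1lOaiw+C9DA3WV15DP5IXMn6BeBmDMnXbfdGt0hoV32y8bkfcals0C4wUitI63sYRJ6+f+N85IeAolfvYi+6gCwKZZhwRZdZJOQVOoFH8bvC0zLz6dzjL1/C5POX4C57URs=,iv:uV6KssluRg4+aOg7DPewK9c3eIkY3y/7ij7uYBLx9Kw=,tag:gEvApHIStThboRsP0YEoFw==,type:str]
+grafana:
+oidc_client_secret: ENC[AES256_GCM,data:XU81XrM/aTZ/RDc3UPunOFQdfjJldKw3usMA5NfQkgxJYSq5NSu1ZQXsMuly4xbcYULiuUtkTAnb7Xzge+yIDoLfrZHab4mQgtLeK6hzZgLHYeSSEtQCXEYsL0p6ulA2OLrW6KoKl/o1EjiA+8htimgc7yNatdo6pBwwUXZFxpQ=,iv:de2P5uu1t0si7s7BqG4ukvouxH1TlCxgR28wRsz7i/I=,tag:1u0Wd9HRzbJRQtNbwDHOIQ==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age106vffwu4y8cx90y0rtzajgpafl8jq7ty5hf6pur2gjsuq3g2lf5qjmdq0q
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4a3EwTXQwV3hxNW1zNXow
+Q1UxRHcwaVdhNHo5N0QvbE1maTkxdFBKZUJvCnpVYklIamlic1A4SDluQnhod2Z3
+MTVxRlJLVWd5dkZlTjE1OGRIZVo4QmsKLS0tIHI4bm01WjNucUlvYzFTSzhNSkQ3
+NUFIN3NPU2pTZ0NZRXdQY0xhWlI5T3cKd5XCj1aNsD+7+MfiAPGb1iAW9AgzyagG
+A7cwF9kQwWWLud9z4v6epuDkqGF+7uIy7N/CwBaEgi8+AS8o27wo4g==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-02-22T13:04:06Z"
+mac: ENC[AES256_GCM,data:iwwc4Yl6W8ALOTrgB+zSl46OxoZ6+fWkPLPQH7+Pmhr+AGA99nBj22a7u97i2DX7dZTzHYfPkmuHNYGAsYh//DBCWZFB/2uT9LasSlyu8Oa3fzseC/IthMNXdxIw6Iw29MvzlMIrLExsC6gk3AAaSgJLJxbUafQ1rBXZIpWnCd4=,iv:qq07Po3S+tQ32xqlUahxWv/WPdJSFOdVntifaG12L3E=,tag:2XByLW2YIe5ufaoT1Vtlrg==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.8.1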