diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..943ea6a --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,8 @@ + +keys: + - &alpine age106vffwu4y8cx90y0rtzajgpafl8jq7ty5hf6pur2gjsuq3g2lf5qjmdq0q +creation_rules: + - path_regex: secrets/secrets.yaml$ + key_groups: + - age: + - *alpine diff --git a/flake.lock b/flake.lock index 05416c8..a8aae37 100644 --- a/flake.lock +++ b/flake.lock @@ -1,26 +1,5 @@ { "nodes": { - "agenix": { - "inputs": { - "darwin": "darwin", - "home-manager": "home-manager", - "nixpkgs": "nixpkgs", - "systems": "systems" - }, - "locked": { - "lastModified": 1707830867, - "narHash": "sha256-PAdwm5QqdlwIqGrfzzvzZubM+FXtilekQ/FA0cI49/o=", - "owner": "ryantm", - "repo": "agenix", - "rev": "8cb01a0e717311680e0cbca06a76cbceba6f3ed6", - "type": "github" - }, - "original": { - "owner": "ryantm", - "repo": "agenix", - "type": "github" - } - }, "base16": { "inputs": { "fromYaml": "fromYaml" @@ -168,28 +147,6 @@ "type": "github" } }, - "darwin": { - "inputs": { - "nixpkgs": [ - "agenix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1700795494, - "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", - "owner": "lnl7", - "repo": "nix-darwin", - "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", - "type": "github" - }, - "original": { - "owner": "lnl7", - "ref": "master", - "repo": "nix-darwin", - "type": "github" - } - }, "flake-compat": { "flake": false, "locked": { @@ -240,27 +197,6 @@ } }, "home-manager": { - "inputs": { - "nixpkgs": [ - "agenix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1703113217, - "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "home-manager", - "type": "github" - } - }, - "home-manager_2": { "inputs": { "nixpkgs": [ "nixpkgs" 
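Review bot: `.sops.yaml` names a single recipient, the `&alpine` host key, so the only identity that can decrypt and re-encrypt `secrets/secrets.yaml` is the private key that lives on that host; the removed `secrets.nix` encrypted `client_secret.age` to both `alpine` and `tristan`, and that operator key is dropped by the migration. Add the operator's age public key as a second anchor, `- &tristan age1…`, and list it in the same `age:` group as `- *tristan`, so the file can be edited from a workstation and the secrets are still recoverable if the host key is lost or rotated. The `age106vff…` recipient here matches the one recorded in the `sops.age` block of `secrets.yaml`, so the two files are consistent as committed.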
@@ -281,7 +217,7 @@ "type": "github" } }, - "home-manager_3": { + "home-manager_2": { "inputs": { "nixpkgs": [ "stylix", @@ -305,8 +241,8 @@ "hyprland": { "inputs": { "hyprland-protocols": "hyprland-protocols", - "nixpkgs": "nixpkgs_2", - "systems": "systems_2", + "nixpkgs": "nixpkgs", + "systems": "systems", "wlroots": "wlroots", "xdph": "xdph" }, @@ -373,22 +309,6 @@ } }, "nixpkgs": { - "locked": { - "lastModified": 1703013332, - "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_2": { "locked": { "lastModified": 1706191920, "narHash": "sha256-eLihrZAPZX0R6RyM5fYAWeKVNuQPYjAkCUBr+JNvtdE=", @@ -404,7 +324,23 @@ "type": "github" } }, - "nixpkgs_3": { + "nixpkgs-stable": { + "locked": { + "lastModified": 1708210246, + "narHash": "sha256-Q8L9XwrBK53fbuuIFMbjKvoV7ixfLFKLw4yV+SD28Y8=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "69405156cffbdf2be50153f13cbdf9a0bea38e49", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { "locked": { "lastModified": 1707268954, "narHash": "sha256-2en1kvde3cJVc3ZnTy8QeD2oKcseLFjYPLKhIGDanQ0=", @@ -419,6 +355,22 @@ "type": "indirect" } }, + "nixpkgs_3": { + "locked": { + "lastModified": 1708151420, + "narHash": "sha256-MGT/4aGCWQPQiu6COqJdCj9kSpLPiShgbwpbC38YXC8=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "6e2f00c83911461438301db0dba5281197fe4b3a", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs_4": { "locked": { "lastModified": 1700856099, 
@@ -437,14 +389,33 @@ }, "root": { "inputs": { - "agenix": "agenix", - "home-manager": "home-manager_2", + "home-manager": "home-manager", "hyprland": "hyprland", - "nixpkgs": "nixpkgs_3", + "nixpkgs": "nixpkgs_2", + "sops-nix": "sops-nix", "stable-nixpkgs": "stable-nixpkgs", "stylix": "stylix" } }, + "sops-nix": { + "inputs": { + "nixpkgs": "nixpkgs_3", + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1708500294, + "narHash": "sha256-mvJIecY3tDKZh7297mqOtOuAvP7U1rqjfLNfmfkjFpU=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "f6b80ab6cd25e57f297fe466ad689d8a77057c11", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, "stable-nixpkgs": { "locked": { "lastModified": 1707347730, @@ -473,7 +444,7 @@ "base16-vim": "base16-vim", "flake-compat": "flake-compat", "gnome-shell": "gnome-shell", - "home-manager": "home-manager_3", + "home-manager": "home-manager_2", "nixpkgs": "nixpkgs_4" }, "locked": { @@ -491,21 +462,6 @@ } }, "systems": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_2": { "locked": { "lastModified": 1689347949, "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", diff --git a/flake.nix b/flake.nix index ccf714b..1033f14 100644 --- a/flake.nix +++ b/flake.nix @@ -10,7 +10,7 @@ }; stylix.url = "github:danth/stylix"; hyprland.url = "github:hyprwm/Hyprland/v0.35.0"; - agenix.url = "github:ryantm/agenix"; + sops-nix.url = "github:Mic92/sops-nix"; }; outputs = inputs: let diff --git a/hardware/alpine.nix b/hardware/alpine.nix index f93b4a5..b191fcc 100644 --- a/hardware/alpine.nix +++ b/hardware/alpine.nix 
@@ -17,6 +17,7 @@ in { ../nixos/services/prometheus.nix ../nixos/services/grafana.nix ../nixos/services/synapse.nix + ../nixos/services/nextcloud.nix ]; boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "sd_mod"]; @@ -188,5 +189,7 @@ in { http_port = 3001; # forgejo and grafana default to 3000 }; + services.nextcloud.hostName = "files.tristans.cloud"; + services.forgejo.settings.server.DOMAIN = "git.tristans.cloud"; } diff --git a/lib/mkconf.nix b/lib/mkconf.nix index b59fade..369bb7c 100644 --- a/lib/mkconf.nix +++ b/lib/mkconf.nix @@ -6,7 +6,7 @@ ... }: modules: home-modules: let - inherit (inputs) home-manager nixpkgs hyprland agenix; + inherit (inputs) home-manager nixpkgs hyprland sops-nix; in nixpkgs.lib.nixosSystem { specialArgs = {inherit inputs;}; @@ -17,7 +17,7 @@ in modules ++ [ home-manager.nixosModules.home-manager - agenix.nixosModules.default + sops-nix.nixosModules.sops { home-manager = { useGlobalPkgs = true; @@ -33,6 +33,11 @@ in } ]; }; + sops = { + defaultSopsFile = ../secrets/secrets.yaml; + defaultSopsFormat = "yaml"; + age.keyFile = "/home/${user}/.config/sops/age/keys.txt"; + }; imports = [ { options.user = nixpkgs.lib.mkOption {default = user;}; diff --git a/nixos/services/grafana.nix b/nixos/services/grafana.nix index 47f1633..6c3ae5b 100644 --- a/nixos/services/grafana.nix +++ b/nixos/services/grafana.nix @@ -1,9 +1,8 @@ {config, ...}: let cfg = config.services.grafana; - secrets = config.age.secrets; + secrets = config.sops.secrets; in { - age.secrets.grafana_oidc_client_secret = { - file = ../../secrets/grafana/oidc/client_secret.age; + sops.secrets."grafana/oidc_client_secret" = { owner = "grafana"; }; services.grafana = { 
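Review bot: `age.keyFile = "/home/${user}/.config/sops/age/keys.txt"` stores the host's decryption identity under an unprivileged user's home, so that user (and anything that compromises their session) can decrypt everything in `secrets/secrets.yaml`, which defeats the per-secret `owner = "grafana"`/`"nextcloud"` restrictions the service modules rely on; the removed `secrets.nix` used the host's SSH public key as the recipient instead. Prefer a root-only path, `age.keyFile = "/var/lib/sops-nix/key.txt";`, or derive the identity from the host key with `age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];` and make the `.sops.yaml` recipient the `ssh-to-age` form of that public key. sops-nix decrypts during activation, so on a fresh install a key under `/home` may not exist when the first switch runs — presumably bootstrapped by hand today, which deserves a comment next to `age.keyFile`. The module this `sops = { … }` block belongs to starts and ends outside the hunk.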
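Review bot: `sops.secrets."grafana/oidc_client_secret"` sets `owner` but no `restartUnits`, so after the value is rotated in `secrets.yaml` Grafana keeps the previously loaded secret until `grafana.service` restarts for some other reason; add `restartUnits = ["grafana.service"];` beside `owner = "grafana";`. The default 0400 mode with owner `grafana` is appropriate for a value read through `$__file{…}`. The `services.grafana = {` attribute set continues outside the hunk.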
@@ -16,7 +15,7 @@ in {
 enabled = true;
 name = "authentik";
 client_id = "TNMLGFxpovO0jPptxD0nYmjnuytXd1MphjFS20uE";
- client_secret = "$__file{${secrets.grafana_oidc_client_secret.path}}";
+ client_secret = "$__file{${secrets."grafana/oidc_client_secret".path}}";
 scopes = toString ["openid" "profile" "email"];
 auth_url = "https://auth.tristans.cloud/application/o/authorize/";
 token_url = "https://auth.tristans.cloud/application/o/token/";
diff --git a/nixos/services/nextcloud.nix b/nixos/services/nextcloud.nix
new file mode 100644
index 0000000..7424bae
--- /dev/null
+++ b/nixos/services/nextcloud.nix
@@ -0,0 +1,69 @@
+{config, pkgs, ...}:
+let
+ nextcloud = config.services.nextcloud;
+ secrets = config.sops.secrets;
+ sops = config.sops;
+in {
+ sops.secrets = {
+ "nextcloud/admin_password" = {
+ owner = "nextcloud";
+ };
+ "nextcloud/oidc_client_secret" = {};
+ };
+ sops.templates = {
+ "nextcloud/secrets.json" = {
+ owner = "nextcloud";
+ content = builtins.toJSON {
+ oidc_login_client_secret = sops.placeholder."nextcloud/oidc_client_secret";
+ };
+ };
+ };
+
+ environment.systemPackages = with pkgs; [ ffmpeg ];
+
+ services.nextcloud = {
+ enable = true;
+ https = true;
+ configureRedis = true;
+ config = {
+ adminpassFile = secrets."nextcloud/admin_password".path;
+ };
+ secretFile = sops.templates."nextcloud/secrets.json".path;
+ settings = {
+ trusted_proxies = ["192.168.1.2"];
+ maintenance_window_start = 2;
+ default_phone_region = "GB";
+ # https://github.com/pulsejet/nextcloud-oidc-login
+ oidc_login_provider_url = "https://auth.tristans.cloud/application/o/nextcloud/";
+ oidc_login_client_id = "Fo0OMWCHBlJNw5DsEI0IzeCk0HpU1TIZpy3D5Tix";
+ oidc_login_button_text = "Log in with Authentik";
+ oidc_login_use_id_token = true;
+ oidc_login_attributes = {
+ id = "preferred_username";
+ name = "name";
+ mail = "email";
+ groups = "groups";
+ is_admin = "NextcloudAdmin";
+ login_filter = "groups";
+ };
+ oidc_login_filter_allowed_values = {
+ "0" = "Nextcloud users";
+ };
+ oidc_login_use_external_storage = false;
+ oidc_login_scope = "email openid profile NextcloudAdmin";
+ oidc_login_proxy_ldap = false;
+ oidc_login_disable_registration = false;
+ oidc_login_redir_fallback = false;
+ oidc_login_tls_verify = true;
+ oidc_create_groups = true;
+ oidc_login_webdav_enabled = true;
+ oidc_login_public_key_caching_time = 604800;
+ oidc_login_min_time_between_jwks_requests = 10;
+ oidc_login_well_known_caching_time = 86400;
+ };
+ };
+ services.nginx.virtualHosts.${nextcloud.hostName} = {
+ forceSSL = true;
+ enableACME = true;
+ };
+}
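Review bot: `services.nextcloud.package` is not set, so the Nextcloud major version is chosen implicitly by the NixOS module (from `system.stateVersion`, with a warning, if the module still behaves as upstream does) rather than by this file; pin it, e.g. `package = pkgs.nextcloud28;` for whatever version the host runs now, so a major upgrade becomes a deliberate, reviewed change. With `oidc_login_disable_registration = false`, `oidc_create_groups = true` and `is_admin = "NextcloudAdmin"`, membership of the Authentik groups `Nextcloud users` and `NextcloudAdmin` is effectively the whole access-control list for this instance, including admin — fine if intended, but worth a comment above `oidc_login_attributes` saying so. Nothing here installs the `oidc_login` app these settings target (no `extraApps`), so presumably it comes from the app store; a note beside the `# https://github.com/pulsejet/nextcloud-oidc-login` link would make that explicit. Routing the client secret through the `secrets.json` template is the right pattern, but neither the secrets nor the template carry `restartUnits`, so a rotated client secret is not picked up until `phpfpm-nextcloud.service` restarts for another reason.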
diff --git a/secrets.nix b/secrets.nix
deleted file mode 100644
index a624012..0000000
--- a/secrets.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-let
- alpine = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKkVkc3JV1rEMSxDhdxIbONLQPiXi3uANign9G3ap8PR";
- zenix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEyirMHhLksc5eLp1jL/NYLSv+2Z67mRJQdljVLWMqKs";
- tristan = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINl4Mbp0CwfLVuqxRdiUE66Rcj3HAw164XhI3WYGOnc6";
- hosts = [ alpine ];
-in
-{
- "secrets/grafana/oidc/client_secret.age".publicKeys = [alpine tristan];
-}
diff --git a/secrets/grafana/oidc/client_secret.age b/secrets/grafana/oidc/client_secret.age
deleted file mode 100644
index a6138ec..0000000
Binary files a/secrets/grafana/oidc/client_secret.age and /dev/null differ
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
new file mode 100644
index 0000000..618db05
--- /dev/null
+++ b/secrets/secrets.yaml
@@ -0,0 +1,25 @@
+nextcloud:
+ admin_password: ENC[AES256_GCM,data:ZBc/Z5F/DWPM78XhO3mVxEfEYjPoXHgqfg==,iv:ih9YuI+k4ksKBOhpezoJ/L5ac7P/JGLqs2B6ZuqZrj0=,tag:IDFU9NQoXHR1Ph5YtLC4lQ==,type:str]
+ oidc_client_secret: ENC[AES256_GCM,data:nIVLfC+22fEurR6FXdUwz4+rPuXzlM5HG4lnRI/m1lOaiw+C9DA3WV15DP5IXMn6BeBmDMnXbfdGt0hoV32y8bkfcals0C4wUitI63sYRJ6+f+N85IeAolfvYi+6gCwKZZhwRZdZJOQVOoFH8bvC0zLz6dzjL1/C5POX4C57URs=,iv:uV6KssluRg4+aOg7DPewK9c3eIkY3y/7ij7uYBLx9Kw=,tag:gEvApHIStThboRsP0YEoFw==,type:str]
+grafana:
+ oidc_client_secret: ENC[AES256_GCM,data:XU81XrM/aTZ/RDc3UPunOFQdfjJldKw3usMA5NfQkgxJYSq5NSu1ZQXsMuly4xbcYULiuUtkTAnb7Xzge+yIDoLfrZHab4mQgtLeK6hzZgLHYeSSEtQCXEYsL0p6ulA2OLrW6KoKl/o1EjiA+8htimgc7yNatdo6pBwwUXZFxpQ=,iv:de2P5uu1t0si7s7BqG4ukvouxH1TlCxgR28wRsz7i/I=,tag:1u0Wd9HRzbJRQtNbwDHOIQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age106vffwu4y8cx90y0rtzajgpafl8jq7ty5hf6pur2gjsuq3g2lf5qjmdq0q
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4a3EwTXQwV3hxNW1zNXow
+ Q1UxRHcwaVdhNHo5N0QvbE1maTkxdFBKZUJvCnpVYklIamlic1A4SDluQnhod2Z3
+ MTVxRlJLVWd5dkZlTjE1OGRIZVo4QmsKLS0tIHI4bm01WjNucUlvYzFTSzhNSkQ3
+ NUFIN3NPU2pTZ0NZRXdQY0xhWlI5T3cKd5XCj1aNsD+7+MfiAPGb1iAW9AgzyagG
+ A7cwF9kQwWWLud9z4v6epuDkqGF+7uIy7N/CwBaEgi8+AS8o27wo4g==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-02-22T13:04:06Z"
+ mac: ENC[AES256_GCM,data:iwwc4Yl6W8ALOTrgB+zSl46OxoZ6+fWkPLPQH7+Pmhr+AGA99nBj22a7u97i2DX7dZTzHYfPkmuHNYGAsYh//DBCWZFB/2uT9LasSlyu8Oa3fzseC/IthMNXdxIw6Iw29MvzlMIrLExsC6gk3AAaSgJLJxbUafQ1rBXZIpWnCd4=,iv:qq07Po3S+tQ32xqlUahxWv/WPdJSFOdVntifaG12L3E=,tag:2XByLW2YIe5ufaoT1Vtlrg==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1