treewide: remove more usage of nix-secrets repository
This commit is contained in:
parent
e0a957e448
commit
2c325cf540
@ -3,7 +3,6 @@
|
||||
sops.secrets."ssh/nix-builders/bob/key" = { sopsFile = ./../../../secrets/common.yaml; };
|
||||
|
||||
nix.buildMachines = [{
|
||||
# Login details configured in ssh module in nix-secrets
|
||||
hostName = "nix-builder-bob";
|
||||
system = "x86_64-linux";
|
||||
speedFactor = 5;
|
||||
@ -14,8 +13,8 @@
|
||||
"big-paralell"
|
||||
];
|
||||
mandatoryFeatures = [ ];
|
||||
# sshUser = secrets.ssh.users.pvv.normalUser;
|
||||
# sshKey = config.sops.secrets."ssh/nix-builders/bob/key".path;
|
||||
sshUser = "oysteikt";
|
||||
sshKey = config.sops.secrets."ssh/nix-builders/bob/key".path;
|
||||
}];
|
||||
|
||||
programs.ssh = {
|
||||
|
@ -1,16 +1,15 @@
|
||||
{ config, secrets, ... }:
|
||||
{ config, ... }:
|
||||
{
|
||||
sops.secrets."ssh/nix-builders/isvegg/key" = { sopsFile = ./../../../secrets/common.yaml; };
|
||||
|
||||
nix.buildMachines = [{
|
||||
# Login details configured in ssh module in nix-secrets
|
||||
hostName = "nix-builder-isvegg";
|
||||
system = "x86_64-linux";
|
||||
speedFactor = 1;
|
||||
maxJobs = 8;
|
||||
supportedFeatures = [ ];
|
||||
mandatoryFeatures = [ ];
|
||||
sshUser = secrets.ssh.users.pvv.normalUser;
|
||||
sshUser = "oysteikt";
|
||||
sshKey = config.sops.secrets."ssh/nix-builders/isvegg/key".path;
|
||||
}];
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
{ config, secrets, ... }:
|
||||
{ config, ... }:
|
||||
{
|
||||
# TODO: install public key on tsuki declaratively
|
||||
sops.secrets = {
|
||||
@ -7,7 +7,6 @@
|
||||
};
|
||||
|
||||
nix.buildMachines = [{
|
||||
# Login details configured in ssh module in nix-secrets
|
||||
hostName = "nix-builder-tsukir";
|
||||
system = "x86_64-linux";
|
||||
speedFactor = 2;
|
||||
@ -26,7 +25,8 @@
|
||||
extraConfig = ''
|
||||
Host nix-builder-tsukir
|
||||
HostName gingakei.loginto.me
|
||||
Port ${toString secrets.ports.ssh.home-in}
|
||||
Port 45497
|
||||
IdentityFile ${config.sops.secrets."ssh/nix-builders/tsuki/key".path}
|
||||
'';
|
||||
|
||||
# knownHosts.tsukir = {
|
||||
|
@ -1,16 +1,22 @@
|
||||
{ secrets, ... }:
|
||||
{ config, secrets, ... }:
|
||||
let
|
||||
cfg = config.services.coturn;
|
||||
in
|
||||
{
|
||||
services.coturn = rec {
|
||||
services.coturn = let
|
||||
certName = config.services.nginx.virtualHosts.${cfg.realm}.useACMEHost;
|
||||
certDir = config.security.acme.certs.${certName}.directory;
|
||||
in rec {
|
||||
enable = true;
|
||||
no-cli = true;
|
||||
no-tcp-relay = true;
|
||||
min-port = secrets.ports.matrix.coturn.min;
|
||||
max-port = secrets.ports.matrix.coturn.max;
|
||||
min-port = 46000;
|
||||
max-port = 47000;
|
||||
use-auth-secret = true;
|
||||
static-auth-secret = secrets.keys.matrix.static-auth-secret;
|
||||
realm = "turn.nani.wtf";
|
||||
cert = "${secrets.keys.certificates.server.crt}";
|
||||
pkey = "${secrets.keys.certificates.server.key}";
|
||||
cert = "${certDir}/cert.pem";
|
||||
pkey = "${certDir}/key.pem";
|
||||
extraConfig = ''
|
||||
# for debugging
|
||||
verbose
|
||||
|
@ -25,9 +25,11 @@
|
||||
|
||||
settings = {
|
||||
turn_uris = let
|
||||
inherit (config.services.coturn) realm;
|
||||
p = toString secrets.ports.matrix.default;
|
||||
in ["turn:${realm}:${p}?transport=udp" "turn:${realm}:${p}?transport=tcp"];
|
||||
inherit (config.services.coturn) realm listening-port;
|
||||
in [
|
||||
"turn:${realm}:${toString listening-port}?transport=udp"
|
||||
"turn:${realm}:${toString listening-port}?transport=tcp"
|
||||
];
|
||||
turn_shared_secret = config.services.coturn.static-auth-secret;
|
||||
turn_user_lifetime = "1h";
|
||||
|
||||
@ -67,7 +69,7 @@
|
||||
user = "matrix-synapse";
|
||||
database = "matrix-synapse";
|
||||
host = "/var/run/postgresql";
|
||||
port = secrets.ports.postgres;
|
||||
port = config.services.postgresql.settings.port;
|
||||
};
|
||||
};
|
||||
|
||||
@ -95,16 +97,16 @@
|
||||
|
||||
networking.firewall = {
|
||||
interfaces.enp2s0 = let
|
||||
range = with config.services.coturn; [ {
|
||||
from = secrets.ports.matrix.coturn.min;
|
||||
to = secrets.ports.matrix.coturn.max;
|
||||
} ];
|
||||
range = [{
|
||||
from = config.services.coturn.min-port;
|
||||
to = config.services.coturn.max-port;
|
||||
}];
|
||||
in
|
||||
{
|
||||
allowedUDPPortRanges = range;
|
||||
allowedUDPPorts = [ secrets.ports.matrix.default ];
|
||||
allowedUDPPorts = [ config.services.coturn.listening-port ];
|
||||
allowedTCPPortRanges = range;
|
||||
allowedTCPPorts = [ secrets.ports.matrix.default ];
|
||||
allowedTCPPorts = [ config.services.coturn.listening-port ];
|
||||
};
|
||||
};
|
||||
}
|
||||
|
@ -1,4 +1,4 @@
|
||||
{ pkgs, lib, config, secrets, inputs, ... }:
|
||||
{ config, pkgs, lib, inputs, ... }:
|
||||
{
|
||||
sops.secrets."cloudflare/api-key" = {};
|
||||
|
||||
@ -37,19 +37,18 @@
|
||||
recommendedZstdSettings = true;
|
||||
|
||||
upstreams = let
|
||||
inherit (secrets) ips ports;
|
||||
srv = config.services;
|
||||
sa = config.local.socketActivation;
|
||||
in {
|
||||
"atuin".servers."unix:${sa.atuin.newSocketAddress}" = { };
|
||||
"dynmap".servers."localhost:${s ports.minecraft.dynmap}" = { };
|
||||
"dynmap".servers."localhost:8123" = { };
|
||||
"grafana".servers."unix:/run/grafana/grafana.sock" = { };
|
||||
"headscale".servers."localhost:${s srv.headscale.port}" = { };
|
||||
"hedgedoc".servers."unix:${srv.hedgedoc.settings.path}" = { };
|
||||
"idrac".servers."${ips.idrac}" = { };
|
||||
"idrac".servers."10.0.0.201" = { };
|
||||
"kanidm".servers."localhost:8300" = { };
|
||||
"osuchan".servers."localhost:${s ports.osuchan}" = { };
|
||||
"plex".servers."localhost:${s ports.plex}" = { };
|
||||
"osuchan".servers."localhost:${s srv.osuchan.port}" = { };
|
||||
"plex".servers."localhost:32400" = { };
|
||||
"vaultwarden".servers."unix:${sa.vaultwarden.newSocketAddress}" = { };
|
||||
"wstunnel".servers = let
|
||||
inherit (config.services.wstunnel.servers."ws-tsuki".listen) host port;
|
||||
@ -61,7 +60,7 @@
|
||||
virtualHosts = let
|
||||
inherit (lib.attrsets) nameValuePair listToAttrs recursiveUpdate;
|
||||
inherit (lib.lists) head drop;
|
||||
inherit (secrets) domains keys;
|
||||
domains = [ "nani.wtf" ];
|
||||
|
||||
cloudflare-origin-pull-ca = builtins.fetchurl {
|
||||
url = "https://developers.cloudflare.com/ssl/static/authenticated_origin_pull_ca.pem";
|
||||
@ -70,7 +69,7 @@
|
||||
|
||||
# nonCFHost =
|
||||
# subdomains: extraSettings: let
|
||||
# settings = with keys.certificates; {
|
||||
# settings = {
|
||||
# useACMEHost = "nani.wtf";
|
||||
# forceSSL = true;
|
||||
# kTLS = true;
|
||||
@ -84,7 +83,7 @@
|
||||
|
||||
host =
|
||||
subdomains: extraSettings: let
|
||||
settings = with keys.certificates; {
|
||||
settings = {
|
||||
serverAliases = drop 1 (generateServerAliases domains subdomains);
|
||||
useACMEHost = "nani.wtf";
|
||||
forceSSL = true;
|
||||
|
Loading…
Reference in New Issue
Block a user