treewide: remove more usage of nix-secrets repository

2024-11-15 10:20:32 +01:00 · 2024-11-15 10:20:32 +01:00 · 2c325cf540
parent e0a957e448
commit 2c325cf540
6 changed files with 39 additions and 34 deletions
--- a/hosts/common/nix-builders/bob.nix
+++ b/hosts/common/nix-builders/bob.nix
@ -3,7 +3,6 @@
  sops.secrets."ssh/nix-builders/bob/key" = { sopsFile = ./../../../secrets/common.yaml; };

  nix.buildMachines = [{
-    # Login details configured in ssh module in nix-secrets
    hostName = "nix-builder-bob";
    system = "x86_64-linux";
    speedFactor = 5;
@ -14,8 +13,8 @@
      "big-paralell"
    ];
    mandatoryFeatures = [ ];
-    # sshUser = secrets.ssh.users.pvv.normalUser;
-    # sshKey = config.sops.secrets."ssh/nix-builders/bob/key".path;
+    sshUser = "oysteikt";
+    sshKey = config.sops.secrets."ssh/nix-builders/bob/key".path;
  }];

  programs.ssh = {
--- a/hosts/common/nix-builders/isvegg.nix
+++ b/hosts/common/nix-builders/isvegg.nix
@ -1,16 +1,15 @@
-{ config, secrets, ... }:
+{ config, ... }:
 {
  sops.secrets."ssh/nix-builders/isvegg/key" = { sopsFile = ./../../../secrets/common.yaml; };

  nix.buildMachines = [{
-    # Login details configured in ssh module in nix-secrets
    hostName = "nix-builder-isvegg";
    system = "x86_64-linux";
    speedFactor = 1;
    maxJobs = 8;
    supportedFeatures = [ ];
    mandatoryFeatures = [ ];
-    sshUser = secrets.ssh.users.pvv.normalUser;
+    sshUser = "oysteikt";
    sshKey = config.sops.secrets."ssh/nix-builders/isvegg/key".path;
  }];

--- a/hosts/common/nix-builders/tsuki.nix
+++ b/hosts/common/nix-builders/tsuki.nix
@ -1,4 +1,4 @@
-{ config, secrets, ... }:
+{ config, ... }:
 {
  # TODO: install public key on tsuki declaratively
  sops.secrets = {
@ -7,7 +7,6 @@
  };

  nix.buildMachines = [{
-    # Login details configured in ssh module in nix-secrets
    hostName = "nix-builder-tsukir";
    system = "x86_64-linux";
    speedFactor = 2;
@ -26,7 +25,8 @@
    extraConfig = ''
      Host nix-builder-tsukir
        HostName gingakei.loginto.me
-        Port ${toString secrets.ports.ssh.home-in}
+        Port 45497
+        IdentityFile ${config.sops.secrets."ssh/nix-builders/tsuki/key".path}
    '';

    # knownHosts.tsukir = {
--- a/hosts/tsuki/services/matrix/coturn.nix
+++ b/hosts/tsuki/services/matrix/coturn.nix
@ -1,16 +1,22 @@
-{ secrets, ... }:
+{ config, secrets, ... }:
+let
+  cfg = config.services.coturn;
+in
 {
-  services.coturn = rec {
+  services.coturn = let
+    certName = config.services.nginx.virtualHosts.${cfg.realm}.useACMEHost;
+    certDir = config.security.acme.certs.${certName}.directory;
+  in rec {
    enable = true;
    no-cli = true;
    no-tcp-relay = true;
-    min-port = secrets.ports.matrix.coturn.min;
-    max-port = secrets.ports.matrix.coturn.max;
+    min-port = 46000;
+    max-port = 47000;
    use-auth-secret = true;
    static-auth-secret = secrets.keys.matrix.static-auth-secret;
    realm = "turn.nani.wtf";
-    cert = "${secrets.keys.certificates.server.crt}";
-    pkey = "${secrets.keys.certificates.server.key}";
+    cert = "${certDir}/cert.pem";
+    pkey = "${certDir}/key.pem";
    extraConfig = ''
      # for debugging
      verbose
--- a/hosts/tsuki/services/matrix/default.nix
+++ b/hosts/tsuki/services/matrix/default.nix
@ -25,9 +25,11 @@

    settings = {
      turn_uris = let
-        inherit (config.services.coturn) realm;
-        p = toString secrets.ports.matrix.default;
-      in ["turn:${realm}:${p}?transport=udp" "turn:${realm}:${p}?transport=tcp"];
+        inherit (config.services.coturn) realm listening-port;
+      in [
+        "turn:${realm}:${toString listening-port}?transport=udp"
+        "turn:${realm}:${toString listening-port}?transport=tcp"
+      ];
      turn_shared_secret = config.services.coturn.static-auth-secret;
      turn_user_lifetime = "1h";

@ -67,7 +69,7 @@
          user = "matrix-synapse";
          database = "matrix-synapse";
          host = "/var/run/postgresql";
-          port = secrets.ports.postgres;
+          port = config.services.postgresql.settings.port;
        };
      };

@ -95,16 +97,16 @@

  networking.firewall = {
    interfaces.enp2s0 = let
-      range = with config.services.coturn; [ {
-      from = secrets.ports.matrix.coturn.min;
-      to = secrets.ports.matrix.coturn.max;
-    } ];
+      range = [{
+        from = config.services.coturn.min-port;
+        to = config.services.coturn.max-port;
+      }];
    in
    {
      allowedUDPPortRanges = range;
-      allowedUDPPorts = [ secrets.ports.matrix.default ];
+      allowedUDPPorts = [ config.services.coturn.listening-port ];
      allowedTCPPortRanges = range;
-      allowedTCPPorts = [ secrets.ports.matrix.default ];
+      allowedTCPPorts = [ config.services.coturn.listening-port ];
    };
  };
 }
--- a/hosts/tsuki/services/nginx/default.nix
+++ b/hosts/tsuki/services/nginx/default.nix
@ -1,4 +1,4 @@
-{ pkgs, lib, config, secrets, inputs, ... }:
+{ config, pkgs, lib, inputs, ... }:
 {
  sops.secrets."cloudflare/api-key" = {};

@ -37,19 +37,18 @@
    recommendedZstdSettings = true;

    upstreams = let
-      inherit (secrets) ips ports;
      srv = config.services;
      sa = config.local.socketActivation;
    in {
      "atuin".servers."unix:${sa.atuin.newSocketAddress}" = { };
-      "dynmap".servers."localhost:${s ports.minecraft.dynmap}" = { };
+      "dynmap".servers."localhost:8123" = { };
      "grafana".servers."unix:/run/grafana/grafana.sock" = { };
      "headscale".servers."localhost:${s srv.headscale.port}" = { };
      "hedgedoc".servers."unix:${srv.hedgedoc.settings.path}" = { };
-      "idrac".servers."${ips.idrac}" = { };
+      "idrac".servers."10.0.0.201" = { };
      "kanidm".servers."localhost:8300" = { };
-      "osuchan".servers."localhost:${s ports.osuchan}" = { };
-      "plex".servers."localhost:${s ports.plex}" = { };
+      "osuchan".servers."localhost:${s srv.osuchan.port}" = { };
+      "plex".servers."localhost:32400" = { };
      "vaultwarden".servers."unix:${sa.vaultwarden.newSocketAddress}" = { };
      "wstunnel".servers = let
        inherit (config.services.wstunnel.servers."ws-tsuki".listen) host port;
@ -61,7 +60,7 @@
    virtualHosts = let
      inherit (lib.attrsets) nameValuePair listToAttrs recursiveUpdate;
      inherit (lib.lists) head drop;
-      inherit (secrets) domains keys;
+      domains = [ "nani.wtf" ];

      cloudflare-origin-pull-ca = builtins.fetchurl {
        url = "https://developers.cloudflare.com/ssl/static/authenticated_origin_pull_ca.pem";
@ -70,7 +69,7 @@

      # nonCFHost =
      #   subdomains: extraSettings: let
-      #     settings = with keys.certificates; {
+      #     settings = {
      #       useACMEHost = "nani.wtf";
      #       forceSSL = true;
      #       kTLS = true;
@ -84,7 +83,7 @@

      host =
        subdomains: extraSettings: let
-          settings = with keys.certificates; {
+          settings = {
            serverAliases = drop 1 (generateServerAliases domains subdomains);
            useACMEHost = "nani.wtf";
            forceSSL = true;