From 2c325cf5402275af561ac49cc507caaadc37b192 Mon Sep 17 00:00:00 2001
From: h7x4
Date: Fri, 15 Nov 2024 10:20:32 +0100
Subject: [PATCH] treewide: remove more usage of nix-secrets repository
---
 hosts/common/nix-builders/bob.nix | 5 ++---
 hosts/common/nix-builders/isvegg.nix | 5 ++---
 hosts/common/nix-builders/tsuki.nix | 6 +++---
 hosts/tsuki/services/matrix/coturn.nix | 18 ++++++++++++------
 hosts/tsuki/services/matrix/default.nix | 22 ++++++++++++----------
 hosts/tsuki/services/nginx/default.nix | 17 ++++++++---------
 6 files changed, 39 insertions(+), 34 deletions(-)
diff --git a/hosts/common/nix-builders/bob.nix b/hosts/common/nix-builders/bob.nix
index 29e50bf..7b1285e 100644
--- a/hosts/common/nix-builders/bob.nix
+++ b/hosts/common/nix-builders/bob.nix
@@ -3,7 +3,6 @@ sops.secrets."ssh/nix-builders/bob/key" = {
 sopsFile = ./../../../secrets/common.yaml;
 };
 nix.buildMachines = [{
- # Login details configured in ssh module in nix-secrets
 hostName = "nix-builder-bob";
 system = "x86_64-linux";
 speedFactor = 5;
@@ -14,8 +13,8 @@
 "big-paralell"
 ];
 mandatoryFeatures = [ ];
- # sshUser = secrets.ssh.users.pvv.normalUser;
- # sshKey = config.sops.secrets."ssh/nix-builders/bob/key".path;
+ sshUser = "oysteikt";
+ sshKey = config.sops.secrets."ssh/nix-builders/bob/key".path;
 }];
 programs.ssh = {
diff --git a/hosts/common/nix-builders/isvegg.nix b/hosts/common/nix-builders/isvegg.nix
index 65e937f..a20c885 100644
--- a/hosts/common/nix-builders/isvegg.nix
+++ b/hosts/common/nix-builders/isvegg.nix
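Review bot: `sshUser = "oysteikt";` runs remote builds on bob as what looks like a personal account rather than a dedicated least-privilege builder user, so anything that account may do on bob is reachable with the sops-managed key, and isvegg.nix in this same commit gets the same value. If bob has (or can get) a dedicated account, prefer `sshUser = "nix-builder";` — such a user typically only needs to be listed in `nix.settings.trusted-users` on bob — otherwise leave a comment stating why the personal account is required, e.g. `# no dedicated builder account on bob; remote builds run as oysteikt`. Deleting the `# Login details configured in ssh module in nix-secrets` comment also removes the only pointer to where the remote side is provisioned, so a one-line note on where the matching public key is installed on bob would help the next reader. The `programs.ssh` set this hunk ends in continues outside the hunk.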
@@ -1,16 +1,15 @@
-{ config, secrets, ... }:
+{ config, ... }:
 {
 sops.secrets."ssh/nix-builders/isvegg/key" = {
 sopsFile = ./../../../secrets/common.yaml;
 };
 nix.buildMachines = [{
- # Login details configured in ssh module in nix-secrets
 hostName = "nix-builder-isvegg";
 system = "x86_64-linux";
 speedFactor = 1;
 maxJobs = 8;
 supportedFeatures = [ ];
 mandatoryFeatures = [ ];
- sshUser = secrets.ssh.users.pvv.normalUser;
+ sshUser = "oysteikt";
 sshKey = config.sops.secrets."ssh/nix-builders/isvegg/key".path;
 }];
diff --git a/hosts/common/nix-builders/tsuki.nix b/hosts/common/nix-builders/tsuki.nix
index 524532a..0df4c16 100644
--- a/hosts/common/nix-builders/tsuki.nix
+++ b/hosts/common/nix-builders/tsuki.nix
@@ -1,4 +1,4 @@
-{ config, secrets, ... }:
+{ config, ... }:
 {
 # TODO: install public key on tsuki declaratively
 sops.secrets = {
@@ -7,7 +7,6 @@
 };
 nix.buildMachines = [{
- # Login details configured in ssh module in nix-secrets
 hostName = "nix-builder-tsukir";
 system = "x86_64-linux";
 speedFactor = 2;
@@ -26,7 +25,8 @@
 extraConfig = ''
 Host nix-builder-tsukir
 HostName gingakei.loginto.me
- Port ${toString secrets.ports.ssh.home-in}
+ Port 45497
+ IdentityFile ${config.sops.secrets."ssh/nix-builders/tsuki/key".path}
 '';
 # knownHosts.tsukir = {
diff --git a/hosts/tsuki/services/matrix/coturn.nix b/hosts/tsuki/services/matrix/coturn.nix
index ddde8a3..91147b0 100644
--- a/hosts/tsuki/services/matrix/coturn.nix
+++ b/hosts/tsuki/services/matrix/coturn.nix
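Review bot: `Port 45497` and the added `IdentityFile` line complete root's ssh config for a builder reached through a dynamic-DNS name, but the host-key pin right below is still commented out (`# knownHosts.tsukir = {`), so nothing ties `gingakei.loginto.me` to the builder's real host key and whoever controls that name can receive the remote-build connection made with this key. Now that the port is committed, pin the key in the same place, e.g. `programs.ssh.knownHosts.tsukir = { hostNames = [ "[gingakei.loginto.me]:45497" ]; publicKey = "ssh-ed25519 AAAA…"; };` (or the `publicHostKey` attribute on the `nix.buildMachines` entry, if your nixpkgs has it). Whether the connection currently fails or silently trusts on first use depends on root's known_hosts, which this hunk does not show. The enclosing `programs.ssh` attribute set starts before this hunk.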
@@ -1,16 +1,22 @@
-{ secrets, ... }:
+{ config, secrets, ... }:
+let
+ cfg = config.services.coturn;
+in
 {
- services.coturn = rec {
+ services.coturn = let
+ certName = config.services.nginx.virtualHosts.${cfg.realm}.useACMEHost;
+ certDir = config.security.acme.certs.${certName}.directory;
+ in rec {
 enable = true;
 no-cli = true;
 no-tcp-relay = true;
- min-port = secrets.ports.matrix.coturn.min;
- max-port = secrets.ports.matrix.coturn.max;
+ min-port = 46000;
+ max-port = 47000;
 use-auth-secret = true;
 static-auth-secret = secrets.keys.matrix.static-auth-secret;
 realm = "turn.nani.wtf";
- cert = "${secrets.keys.certificates.server.crt}";
- pkey = "${secrets.keys.certificates.server.key}";
+ cert = "${certDir}/cert.pem";
+ pkey = "${certDir}/key.pem";
 extraConfig = ''
 # for debugging
 verbose
diff --git a/hosts/tsuki/services/matrix/default.nix b/hosts/tsuki/services/matrix/default.nix
index ebfd10a..0f9e50e 100644
--- a/hosts/tsuki/services/matrix/default.nix
+++ b/hosts/tsuki/services/matrix/default.nix
@@ -25,9 +25,11 @@
 settings = {
 turn_uris = let
- inherit (config.services.coturn) realm;
- p = toString secrets.ports.matrix.default;
- in ["turn:${realm}:${p}?transport=udp" "turn:${realm}:${p}?transport=tcp"];
+ inherit (config.services.coturn) realm listening-port;
+ in [
+ "turn:${realm}:${toString listening-port}?transport=udp"
+ "turn:${realm}:${toString listening-port}?transport=tcp"
+ ];
 turn_shared_secret = config.services.coturn.static-auth-secret;
 turn_user_lifetime = "1h";
@@ -67,7 +69,7 @@
 user = "matrix-synapse";
 database = "matrix-synapse";
 host = "/var/run/postgresql";
- port = secrets.ports.postgres;
+ port = config.services.postgresql.settings.port;
 };
 };
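Review bot: `pkey = "${certDir}/key.pem";` points coturn at the ACME-managed private key, but nothing in this hunk lets the `turnserver` user read that directory or reloads coturn on renewal; NixOS keeps `/var/lib/acme/<name>` readable only by the `acme` user and the certificate's group, so unless that is handled elsewhere coturn will fail to load the key, and after a renewal it would keep serving the old certificate. Alongside this config add something like `security.acme.certs.${certName}.reloadServices = [ "coturn.service" ];` (with `certName` hoisted into the top-level `let`) and either `users.users.turnserver.extraGroups = [ "acme" ];` or `security.acme.certs.${certName}.group = "turnserver";`. Separately, the unchanged `static-auth-secret = secrets.keys.matrix.static-auth-secret;` still embeds the shared secret in the generated turnserver config, which the NixOS module builds in the world-readable Nix store; `static-auth-secret-file` with a sops-managed path keeps it out of the store, and note the same value is copied into synapse's `turn_shared_secret` in default.nix.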
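Review bot: `turn_uris` advertises only plain `turn:` URIs on `listening-port`, while coturn.nix in this same commit now wires `cert`/`pkey` from ACME, so clients are never told about the TLS listener that the certificate enables (`tls-listening-port`, 5349 by default), which is what helps clients on networks that block UDP or non-TLS ports. If TLS TURN is intended, add `"turns:${realm}:${toString tls-listening-port}?transport=tcp"` to the list (inheriting `tls-listening-port` from `config.services.coturn`) and open that port in the `networking.firewall` rules further down this file; if not, a comment like `# TLS listener intentionally not advertised` would save the next reader the question. The `settings` attribute set this hunk edits starts before the hunk.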
@@ -95,16 +97,16 @@
 networking.firewall = {
 interfaces.enp2s0 = let
- range = with config.services.coturn; [ {
- from = secrets.ports.matrix.coturn.min;
- to = secrets.ports.matrix.coturn.max;
- } ];
+ range = [{
+ from = config.services.coturn.min-port;
+ to = config.services.coturn.max-port;
+ }];
 in {
 allowedUDPPortRanges = range;
- allowedUDPPorts = [ secrets.ports.matrix.default ];
+ allowedUDPPorts = [ config.services.coturn.listening-port ];
 allowedTCPPortRanges = range;
- allowedTCPPorts = [ secrets.ports.matrix.default ];
+ allowedTCPPorts = [ config.services.coturn.listening-port ];
 };
 };
 }
diff --git a/hosts/tsuki/services/nginx/default.nix b/hosts/tsuki/services/nginx/default.nix
index 8a8e0a9..fabdfc0 100644
--- a/hosts/tsuki/services/nginx/default.nix
+++ b/hosts/tsuki/services/nginx/default.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, config, secrets, inputs, ... }:
+{ config, pkgs, lib, inputs, ... }:
 {
 sops.secrets."cloudflare/api-key" = {};
@@ -37,19 +37,18 @@
 recommendedZstdSettings = true;
 upstreams = let
- inherit (secrets) ips ports;
 srv = config.services;
 sa = config.local.socketActivation;
 in {
 "atuin".servers."unix:${sa.atuin.newSocketAddress}" = { };
- "dynmap".servers."localhost:${s ports.minecraft.dynmap}" = { };
+ "dynmap".servers."localhost:8123" = { };
 "grafana".servers."unix:/run/grafana/grafana.sock" = { };
 "headscale".servers."localhost:${s srv.headscale.port}" = { };
 "hedgedoc".servers."unix:${srv.hedgedoc.settings.path}" = { };
- "idrac".servers."${ips.idrac}" = { };
+ "idrac".servers."10.0.0.201" = { };
 "kanidm".servers."localhost:8300" = { };
- "osuchan".servers."localhost:${s ports.osuchan}" = { };
- "plex".servers."localhost:${s ports.plex}" = { };
+ "osuchan".servers."localhost:${s srv.osuchan.port}" = { };
+ "plex".servers."localhost:32400" = { };
 "vaultwarden".servers."unix:${sa.vaultwarden.newSocketAddress}" = { };
 "wstunnel".servers = let
 inherit (config.services.wstunnel.servers."ws-tsuki".listen) host port;
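Review bot: `allowedTCPPortRanges = range;` opens 46000–47000/tcp on enp2s0, but coturn.nix in this commit sets `no-tcp-relay = true;`, so coturn never allocates relay endpoints on that TCP range and the rule is exposed surface with nothing behind it. Unless another service listens there, drop the TCP range and keep `allowedUDPPortRanges = range;` for the relay plus `allowedTCPPorts = [ config.services.coturn.listening-port ];` for the control connection, with a comment such as `# relay range is UDP-only (no-tcp-relay in coturn.nix)`. Deriving the range from `min-port`/`max-port` is the right change, since the firewall can no longer drift from the service's own configuration.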
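Review bot: `"idrac".servers."10.0.0.201" = { };` gives the BMC upstream no port, and nginx's upstream `server` directive defaults to port 80, so if the idrac vhost (not in this hunk) uses `proxy_pass https://idrac` the connection goes to 10.0.0.201:80; if the iDRAC is reached over HTTPS, write `"idrac".servers."10.0.0.201:443" = { };`. A management controller behind an internet-facing reverse proxy also deserves a note on how it is gated (client certificate, allow-list, or the Cloudflare origin-pull CA this file fetches), e.g. `# iDRAC BMC on the management network; only exposed behind the authenticated vhost`, now that the address no longer lives in nix-secrets. For `dynmap` and `plex`, 8123 and 32400 look like fixed upstream ports with no NixOS option to read from, so hardcoding is reasonable, but a trailing `# fixed upstream port` would explain why they differ from the `srv.headscale.port` style used beside them. The `upstreams` set continues past the end of the hunk.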
@@ -61,7 +60,7 @@
 virtualHosts = let
 inherit (lib.attrsets) nameValuePair listToAttrs recursiveUpdate;
 inherit (lib.lists) head drop;
- inherit (secrets) domains keys;
+ domains = [ "nani.wtf" ];
 cloudflare-origin-pull-ca = builtins.fetchurl {
 url = "https://developers.cloudflare.com/ssl/static/authenticated_origin_pull_ca.pem";
@@ -70,7 +69,7 @@
 # nonCFHost =
 # subdomains:
 # extraSettings: let
- # settings = with keys.certificates; {
+ # settings = {
 # useACMEHost = "nani.wtf";
 # forceSSL = true;
 # kTLS = true;
@@ -84,7 +83,7 @@
 host =
 subdomains:
 extraSettings: let
- settings = with keys.certificates; {
+ settings = {
 serverAliases = drop 1 (generateServerAliases domains subdomains);
 useACMEHost = "nani.wtf";
 forceSSL = true;
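Review bot: `cloudflare-origin-pull-ca = builtins.fetchurl { url = ...` fetches, at evaluation time, the CA presumably used as `ssl_client_certificate` for Cloudflare authenticated origin pulls, and no `sha256` is visible in this hunk (the line after it is not shown); without one, a changed or tampered download silently becomes the trust anchor nginx accepts client certificates against on every rebuild. Pin it with `sha256 = "…";` if that is not already on the next line, or vendor the PEM into the repo, which also removes the dependency on network access to developers.cloudflare.com during evaluation. The `virtualHosts` let-block this hunk edits continues past the hunk.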