treewide: remove more usage of nix-secrets repository
parent
e0a957e448
commit
2c325cf540
|
@ -3,7 +3,6 @@
|
||||||
sops.secrets."ssh/nix-builders/bob/key" = { sopsFile = ./../../../secrets/common.yaml; };
|
sops.secrets."ssh/nix-builders/bob/key" = { sopsFile = ./../../../secrets/common.yaml; };
|
||||||
|
|
||||||
nix.buildMachines = [{
|
nix.buildMachines = [{
|
||||||
# Login details configured in ssh module in nix-secrets
|
|
||||||
hostName = "nix-builder-bob";
|
hostName = "nix-builder-bob";
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
speedFactor = 5;
|
speedFactor = 5;
|
||||||
|
@ -14,8 +13,8 @@
|
||||||
"big-paralell"
|
"big-paralell"
|
||||||
];
|
];
|
||||||
mandatoryFeatures = [ ];
|
mandatoryFeatures = [ ];
|
||||||
# sshUser = secrets.ssh.users.pvv.normalUser;
|
sshUser = "oysteikt";
|
||||||
# sshKey = config.sops.secrets."ssh/nix-builders/bob/key".path;
|
sshKey = config.sops.secrets."ssh/nix-builders/bob/key".path;
|
||||||
}];
|
}];
|
||||||
|
|
||||||
programs.ssh = {
|
programs.ssh = {
|
||||||
|
|
|
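Review bot: With `sshUser`/`sshKey` now live in `nix.buildMachines`, the nix-daemon (running as root) will open an SSH session to `nix-builder-bob` with this key, and nothing in the hunk pins the builder's host key. Unless `programs.ssh.knownHosts` (or `StrictHostKeyChecking`) is set in the `programs.ssh` block that starts at the end of this hunk and continues outside it, the first connection will trust whatever key answers. Worth confirming that block contains something like `knownHosts.nix-builder-bob = { hostNames = [ "<builder host>" ]; publicKey = "ssh-ed25519 …"; };`, and adding a one-line comment next to `sshKey` noting that the sops secret is owned by root so only the daemon can read it.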
@ -1,16 +1,15 @@
|
||||||
{ config, secrets, ... }:
|
{ config, ... }:
|
||||||
{
|
{
|
||||||
sops.secrets."ssh/nix-builders/isvegg/key" = { sopsFile = ./../../../secrets/common.yaml; };
|
sops.secrets."ssh/nix-builders/isvegg/key" = { sopsFile = ./../../../secrets/common.yaml; };
|
||||||
|
|
||||||
nix.buildMachines = [{
|
nix.buildMachines = [{
|
||||||
# Login details configured in ssh module in nix-secrets
|
|
||||||
hostName = "nix-builder-isvegg";
|
hostName = "nix-builder-isvegg";
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
speedFactor = 1;
|
speedFactor = 1;
|
||||||
maxJobs = 8;
|
maxJobs = 8;
|
||||||
supportedFeatures = [ ];
|
supportedFeatures = [ ];
|
||||||
mandatoryFeatures = [ ];
|
mandatoryFeatures = [ ];
|
||||||
sshUser = secrets.ssh.users.pvv.normalUser;
|
sshUser = "oysteikt";
|
||||||
sshKey = config.sops.secrets."ssh/nix-builders/isvegg/key".path;
|
sshKey = config.sops.secrets."ssh/nix-builders/isvegg/key".path;
|
||||||
}];
|
}];
|
||||||
|
|
||||||
|
|
|
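Review bot: `sshUser = "oysteikt";` is now a bare literal here and the same literal appears in the bob builder module of this commit, so the builder login name is duplicated per host rather than defined once. A small shared option or `let` binding (e.g. a `nix-builders.sshUser` option the three modules inherit) keeps the value in one place and makes a future rename a one-line change. If the intent is to let each builder use a different account later, a comment saying so next to the literal would stop the next reader from "deduplicating" it.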
@ -1,4 +1,4 @@
|
||||||
{ config, secrets, ... }:
|
{ config, ... }:
|
||||||
{
|
{
|
||||||
# TODO: install public key on tsuki declaratively
|
# TODO: install public key on tsuki declaratively
|
||||||
sops.secrets = {
|
sops.secrets = {
|
||||||
|
@ -7,7 +7,6 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
nix.buildMachines = [{
|
nix.buildMachines = [{
|
||||||
# Login details configured in ssh module in nix-secrets
|
|
||||||
hostName = "nix-builder-tsukir";
|
hostName = "nix-builder-tsukir";
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
speedFactor = 2;
|
speedFactor = 2;
|
||||||
|
@ -26,7 +25,8 @@
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
Host nix-builder-tsukir
|
Host nix-builder-tsukir
|
||||||
HostName gingakei.loginto.me
|
HostName gingakei.loginto.me
|
||||||
Port ${toString secrets.ports.ssh.home-in}
|
Port 45497
|
||||||
|
IdentityFile ${config.sops.secrets."ssh/nix-builders/tsuki/key".path}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
# knownHosts.tsukir = {
|
# knownHosts.tsukir = {
|
||||||
|
|
|
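Review bot: The `Host nix-builder-tsukir` stanza now points `IdentityFile` at the sops key and hardcodes `Port 45497` on a dynamic-DNS name, but the matching `knownHosts.tsukir` just below it is still commented out, so the daemon has no pinned host key for this builder and will accept whatever answers at `gingakei.loginto.me:45497` on first contact (unless strict host-key checking is configured somewhere I cannot see). Since this is a non-standard port, the known_hosts entry must use bracket form: `knownHosts.tsukir = { hostNames = [ "[gingakei.loginto.me]:45497" ]; publicKey = "ssh-ed25519 …"; };`. Note also that `sshKey` in the `nix.buildMachines` entry (whose body continues outside this hunk) and this `IdentityFile` must refer to the same secret, otherwise which key is offered depends on whether nix or ssh_config wins; a short comment on the `IdentityFile` line saying it mirrors `sshKey` would make that intent explicit.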
@ -1,16 +1,22 @@
|
||||||
{ secrets, ... }:
|
{ config, secrets, ... }:
|
||||||
|
let
|
||||||
|
cfg = config.services.coturn;
|
||||||
|
in
|
||||||
{
|
{
|
||||||
services.coturn = rec {
|
services.coturn = let
|
||||||
|
certName = config.services.nginx.virtualHosts.${cfg.realm}.useACMEHost;
|
||||||
|
certDir = config.security.acme.certs.${certName}.directory;
|
||||||
|
in rec {
|
||||||
enable = true;
|
enable = true;
|
||||||
no-cli = true;
|
no-cli = true;
|
||||||
no-tcp-relay = true;
|
no-tcp-relay = true;
|
||||||
min-port = secrets.ports.matrix.coturn.min;
|
min-port = 46000;
|
||||||
max-port = secrets.ports.matrix.coturn.max;
|
max-port = 47000;
|
||||||
use-auth-secret = true;
|
use-auth-secret = true;
|
||||||
static-auth-secret = secrets.keys.matrix.static-auth-secret;
|
static-auth-secret = secrets.keys.matrix.static-auth-secret;
|
||||||
realm = "turn.nani.wtf";
|
realm = "turn.nani.wtf";
|
||||||
cert = "${secrets.keys.certificates.server.crt}";
|
cert = "${certDir}/cert.pem";
|
||||||
pkey = "${secrets.keys.certificates.server.key}";
|
pkey = "${certDir}/key.pem";
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
# for debugging
|
# for debugging
|
||||||
verbose
|
verbose
|
||||||
|
|
|
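Review bot: `cert = "${certDir}/cert.pem";` hands coturn only the leaf certificate; TLS TURN clients need the intermediate chain, so the file to reference is `"${certDir}/fullchain.pem"` (the ACME module writes both). The ACME directory's `key.pem` is normally readable only by the cert's group, so the coturn service user must be granted access (e.g. `security.acme.certs.${certName}.group` or `users.users.turnserver.extraGroups`) and a renewal hook such as `reloadServices = [ "coturn.service" ]` is needed or the server keeps serving the expired certificate — neither is visible in this hunk, so they may live elsewhere. Separately, `static-auth-secret = secrets.keys.matrix.static-auth-secret;` still interpolates the secret into the generated turnserver.conf, which lands world-readable in the Nix store; the module's `static-auth-secret-file` option (if available in this nixpkgs) pointed at a sops secret path avoids that. Since the attrset is already `rec`, `realm` could be used directly in `certName` instead of going back through `cfg.realm`.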
@ -25,9 +25,11 @@
|
||||||
|
|
||||||
settings = {
|
settings = {
|
||||||
turn_uris = let
|
turn_uris = let
|
||||||
inherit (config.services.coturn) realm;
|
inherit (config.services.coturn) realm listening-port;
|
||||||
p = toString secrets.ports.matrix.default;
|
in [
|
||||||
in ["turn:${realm}:${p}?transport=udp" "turn:${realm}:${p}?transport=tcp"];
|
"turn:${realm}:${toString listening-port}?transport=udp"
|
||||||
|
"turn:${realm}:${toString listening-port}?transport=tcp"
|
||||||
|
];
|
||||||
turn_shared_secret = config.services.coturn.static-auth-secret;
|
turn_shared_secret = config.services.coturn.static-auth-secret;
|
||||||
turn_user_lifetime = "1h";
|
turn_user_lifetime = "1h";
|
||||||
|
|
||||||
|
@ -67,7 +69,7 @@
|
||||||
user = "matrix-synapse";
|
user = "matrix-synapse";
|
||||||
database = "matrix-synapse";
|
database = "matrix-synapse";
|
||||||
host = "/var/run/postgresql";
|
host = "/var/run/postgresql";
|
||||||
port = secrets.ports.postgres;
|
port = config.services.postgresql.settings.port;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -95,16 +97,16 @@
|
||||||
|
|
||||||
networking.firewall = {
|
networking.firewall = {
|
||||||
interfaces.enp2s0 = let
|
interfaces.enp2s0 = let
|
||||||
range = with config.services.coturn; [ {
|
range = [{
|
||||||
from = secrets.ports.matrix.coturn.min;
|
from = config.services.coturn.min-port;
|
||||||
to = secrets.ports.matrix.coturn.max;
|
to = config.services.coturn.max-port;
|
||||||
}];
|
}];
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
allowedUDPPortRanges = range;
|
allowedUDPPortRanges = range;
|
||||||
allowedUDPPorts = [ secrets.ports.matrix.default ];
|
allowedUDPPorts = [ config.services.coturn.listening-port ];
|
||||||
allowedTCPPortRanges = range;
|
allowedTCPPortRanges = range;
|
||||||
allowedTCPPorts = [ secrets.ports.matrix.default ];
|
allowedTCPPorts = [ config.services.coturn.listening-port ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
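Review bot: `turn_uris` still advertises only plain `turn:` URIs on `listening-port`, so the certificate coturn is wired up with in this same commit is never exercised by clients, and the TURN allocation handshake runs over unencrypted UDP/TCP. If TLS TURN is intended, extend the inherit to `inherit (config.services.coturn) realm listening-port tls-listening-port;`, add `"turns:${realm}:${toString tls-listening-port}?transport=tcp"` to the list, and open `tls-listening-port` next to `listening-port` in the firewall hunk below (`allowedTCPPorts = [ config.services.coturn.listening-port config.services.coturn.tls-listening-port ];`). If plain TURN is deliberate, a one-line comment above `turn_uris` saying so would save the next reader from asking the same question.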
@ -1,4 +1,4 @@
|
||||||
{ pkgs, lib, config, secrets, inputs, ... }:
|
{ config, pkgs, lib, inputs, ... }:
|
||||||
{
|
{
|
||||||
sops.secrets."cloudflare/api-key" = {};
|
sops.secrets."cloudflare/api-key" = {};
|
||||||
|
|
||||||
|
@ -37,19 +37,18 @@
|
||||||
recommendedZstdSettings = true;
|
recommendedZstdSettings = true;
|
||||||
|
|
||||||
upstreams = let
|
upstreams = let
|
||||||
inherit (secrets) ips ports;
|
|
||||||
srv = config.services;
|
srv = config.services;
|
||||||
sa = config.local.socketActivation;
|
sa = config.local.socketActivation;
|
||||||
in {
|
in {
|
||||||
"atuin".servers."unix:${sa.atuin.newSocketAddress}" = { };
|
"atuin".servers."unix:${sa.atuin.newSocketAddress}" = { };
|
||||||
"dynmap".servers."localhost:${s ports.minecraft.dynmap}" = { };
|
"dynmap".servers."localhost:8123" = { };
|
||||||
"grafana".servers."unix:/run/grafana/grafana.sock" = { };
|
"grafana".servers."unix:/run/grafana/grafana.sock" = { };
|
||||||
"headscale".servers."localhost:${s srv.headscale.port}" = { };
|
"headscale".servers."localhost:${s srv.headscale.port}" = { };
|
||||||
"hedgedoc".servers."unix:${srv.hedgedoc.settings.path}" = { };
|
"hedgedoc".servers."unix:${srv.hedgedoc.settings.path}" = { };
|
||||||
"idrac".servers."${ips.idrac}" = { };
|
"idrac".servers."10.0.0.201" = { };
|
||||||
"kanidm".servers."localhost:8300" = { };
|
"kanidm".servers."localhost:8300" = { };
|
||||||
"osuchan".servers."localhost:${s ports.osuchan}" = { };
|
"osuchan".servers."localhost:${s srv.osuchan.port}" = { };
|
||||||
"plex".servers."localhost:${s ports.plex}" = { };
|
"plex".servers."localhost:32400" = { };
|
||||||
"vaultwarden".servers."unix:${sa.vaultwarden.newSocketAddress}" = { };
|
"vaultwarden".servers."unix:${sa.vaultwarden.newSocketAddress}" = { };
|
||||||
"wstunnel".servers = let
|
"wstunnel".servers = let
|
||||||
inherit (config.services.wstunnel.servers."ws-tsuki".listen) host port;
|
inherit (config.services.wstunnel.servers."ws-tsuki".listen) host port;
|
||||||
|
@ -61,7 +60,7 @@
|
||||||
virtualHosts = let
|
virtualHosts = let
|
||||||
inherit (lib.attrsets) nameValuePair listToAttrs recursiveUpdate;
|
inherit (lib.attrsets) nameValuePair listToAttrs recursiveUpdate;
|
||||||
inherit (lib.lists) head drop;
|
inherit (lib.lists) head drop;
|
||||||
inherit (secrets) domains keys;
|
domains = [ "nani.wtf" ];
|
||||||
|
|
||||||
cloudflare-origin-pull-ca = builtins.fetchurl {
|
cloudflare-origin-pull-ca = builtins.fetchurl {
|
||||||
url = "https://developers.cloudflare.com/ssl/static/authenticated_origin_pull_ca.pem";
|
url = "https://developers.cloudflare.com/ssl/static/authenticated_origin_pull_ca.pem";
|
||||||
|
@ -70,7 +69,7 @@
|
||||||
|
|
||||||
# nonCFHost =
|
# nonCFHost =
|
||||||
# subdomains: extraSettings: let
|
# subdomains: extraSettings: let
|
||||||
# settings = with keys.certificates; {
|
# settings = {
|
||||||
# useACMEHost = "nani.wtf";
|
# useACMEHost = "nani.wtf";
|
||||||
# forceSSL = true;
|
# forceSSL = true;
|
||||||
# kTLS = true;
|
# kTLS = true;
|
||||||
|
@ -84,7 +83,7 @@
|
||||||
|
|
||||||
host =
|
host =
|
||||||
subdomains: extraSettings: let
|
subdomains: extraSettings: let
|
||||||
settings = with keys.certificates; {
|
settings = {
|
||||||
serverAliases = drop 1 (generateServerAliases domains subdomains);
|
serverAliases = drop 1 (generateServerAliases domains subdomains);
|
||||||
useACMEHost = "nani.wtf";
|
useACMEHost = "nani.wtf";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
|
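Review bot: `cloudflare-origin-pull-ca = builtins.fetchurl { url = "https://developers.cloudflare.com/…/authenticated_origin_pull_ca.pem"; …` downloads the CA at evaluation time; if the attrset (which continues past the hunk) carries no `sha256`, then whatever that URL serves — or a MITM of the evaluating host — becomes the trust anchor for origin-pull client verification, and evaluation also fails offline. Pin it with `sha256 = "<hash of the PEM>";` or vendor the PEM into the repository; either is cheap insurance for a file that gates who may reach the origin. The new literals `"idrac".servers."10.0.0.201"` and `"plex".servers."localhost:32400"` are fine where NixOS exposes no port option, but a short comment saying so (as was done implicitly for headscale/osuchan by reading `srv.*.port`) would explain why these two are not derived from `config.services`.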