treewide: remove more usage of nix-secrets repository

This commit is contained in:
Oystein Kristoffer Tveit 2024-11-15 10:20:32 +01:00
parent e0a957e448
commit 2c325cf540
Signed by: oysteikt
GPG Key ID: 9F2F7D8250F35146
6 changed files with 39 additions and 34 deletions

View File

@ -3,7 +3,6 @@
sops.secrets."ssh/nix-builders/bob/key" = { sopsFile = ./../../../secrets/common.yaml; };
nix.buildMachines = [{
# Login details configured in ssh module in nix-secrets
hostName = "nix-builder-bob";
system = "x86_64-linux";
speedFactor = 5;
@ -14,8 +13,8 @@
"big-paralell"
];
mandatoryFeatures = [ ];
# sshUser = secrets.ssh.users.pvv.normalUser;
# sshKey = config.sops.secrets."ssh/nix-builders/bob/key".path;
sshUser = "oysteikt";
sshKey = config.sops.secrets."ssh/nix-builders/bob/key".path;
}];
programs.ssh = {

View File

@ -1,16 +1,15 @@
{ config, secrets, ... }:
{ config, ... }:
{
sops.secrets."ssh/nix-builders/isvegg/key" = { sopsFile = ./../../../secrets/common.yaml; };
nix.buildMachines = [{
# Login details configured in ssh module in nix-secrets
hostName = "nix-builder-isvegg";
system = "x86_64-linux";
speedFactor = 1;
maxJobs = 8;
supportedFeatures = [ ];
mandatoryFeatures = [ ];
sshUser = secrets.ssh.users.pvv.normalUser;
sshUser = "oysteikt";
sshKey = config.sops.secrets."ssh/nix-builders/isvegg/key".path;
}];

View File

@ -1,4 +1,4 @@
{ config, secrets, ... }:
{ config, ... }:
{
# TODO: install public key on tsuki declaratively
sops.secrets = {
@ -7,7 +7,6 @@
};
nix.buildMachines = [{
# Login details configured in ssh module in nix-secrets
hostName = "nix-builder-tsukir";
system = "x86_64-linux";
speedFactor = 2;
@ -26,7 +25,8 @@
extraConfig = ''
Host nix-builder-tsukir
HostName gingakei.loginto.me
Port ${toString secrets.ports.ssh.home-in}
Port 45497
IdentityFile ${config.sops.secrets."ssh/nix-builders/tsuki/key".path}
'';
# knownHosts.tsukir = {

View File

@ -1,16 +1,22 @@
{ secrets, ... }:
{ config, secrets, ... }:
let
cfg = config.services.coturn;
in
{
services.coturn = rec {
services.coturn = let
certName = config.services.nginx.virtualHosts.${cfg.realm}.useACMEHost;
certDir = config.security.acme.certs.${certName}.directory;
in rec {
enable = true;
no-cli = true;
no-tcp-relay = true;
min-port = secrets.ports.matrix.coturn.min;
max-port = secrets.ports.matrix.coturn.max;
min-port = 46000;
max-port = 47000;
use-auth-secret = true;
static-auth-secret = secrets.keys.matrix.static-auth-secret;
realm = "turn.nani.wtf";
cert = "${secrets.keys.certificates.server.crt}";
pkey = "${secrets.keys.certificates.server.key}";
cert = "${certDir}/cert.pem";
pkey = "${certDir}/key.pem";
extraConfig = ''
# for debugging
verbose

View File

@ -25,9 +25,11 @@
settings = {
turn_uris = let
inherit (config.services.coturn) realm;
p = toString secrets.ports.matrix.default;
in ["turn:${realm}:${p}?transport=udp" "turn:${realm}:${p}?transport=tcp"];
inherit (config.services.coturn) realm listening-port;
in [
"turn:${realm}:${toString listening-port}?transport=udp"
"turn:${realm}:${toString listening-port}?transport=tcp"
];
turn_shared_secret = config.services.coturn.static-auth-secret;
turn_user_lifetime = "1h";
@ -67,7 +69,7 @@
user = "matrix-synapse";
database = "matrix-synapse";
host = "/var/run/postgresql";
port = secrets.ports.postgres;
port = config.services.postgresql.settings.port;
};
};
@ -95,16 +97,16 @@
networking.firewall = {
interfaces.enp2s0 = let
range = with config.services.coturn; [ {
from = secrets.ports.matrix.coturn.min;
to = secrets.ports.matrix.coturn.max;
range = [{
from = config.services.coturn.min-port;
to = config.services.coturn.max-port;
}];
in
{
allowedUDPPortRanges = range;
allowedUDPPorts = [ secrets.ports.matrix.default ];
allowedUDPPorts = [ config.services.coturn.listening-port ];
allowedTCPPortRanges = range;
allowedTCPPorts = [ secrets.ports.matrix.default ];
allowedTCPPorts = [ config.services.coturn.listening-port ];
};
};
}

View File

@ -1,4 +1,4 @@
{ pkgs, lib, config, secrets, inputs, ... }:
{ config, pkgs, lib, inputs, ... }:
{
sops.secrets."cloudflare/api-key" = {};
@ -37,19 +37,18 @@
recommendedZstdSettings = true;
upstreams = let
inherit (secrets) ips ports;
srv = config.services;
sa = config.local.socketActivation;
in {
"atuin".servers."unix:${sa.atuin.newSocketAddress}" = { };
"dynmap".servers."localhost:${s ports.minecraft.dynmap}" = { };
"dynmap".servers."localhost:8123" = { };
"grafana".servers."unix:/run/grafana/grafana.sock" = { };
"headscale".servers."localhost:${s srv.headscale.port}" = { };
"hedgedoc".servers."unix:${srv.hedgedoc.settings.path}" = { };
"idrac".servers."${ips.idrac}" = { };
"idrac".servers."10.0.0.201" = { };
"kanidm".servers."localhost:8300" = { };
"osuchan".servers."localhost:${s ports.osuchan}" = { };
"plex".servers."localhost:${s ports.plex}" = { };
"osuchan".servers."localhost:${s srv.osuchan.port}" = { };
"plex".servers."localhost:32400" = { };
"vaultwarden".servers."unix:${sa.vaultwarden.newSocketAddress}" = { };
"wstunnel".servers = let
inherit (config.services.wstunnel.servers."ws-tsuki".listen) host port;
@ -61,7 +60,7 @@
virtualHosts = let
inherit (lib.attrsets) nameValuePair listToAttrs recursiveUpdate;
inherit (lib.lists) head drop;
inherit (secrets) domains keys;
domains = [ "nani.wtf" ];
cloudflare-origin-pull-ca = builtins.fetchurl {
url = "https://developers.cloudflare.com/ssl/static/authenticated_origin_pull_ca.pem";
@ -70,7 +69,7 @@
# nonCFHost =
# subdomains: extraSettings: let
# settings = with keys.certificates; {
# settings = {
# useACMEHost = "nani.wtf";
# forceSSL = true;
# kTLS = true;
@ -84,7 +83,7 @@
host =
subdomains: extraSettings: let
settings = with keys.certificates; {
settings = {
serverAliases = drop 1 (generateServerAliases domains subdomains);
useACMEHost = "nani.wtf";
forceSSL = true;