diff --git a/modules/config/default.nix b/modules/config/default.nix
index 5c7cb29..86e8df0 100755
--- a/modules/config/default.nix
+++ b/modules/config/default.nix
@@ -60,7 +60,6 @@ let
 domains = genOptions stringType "url";
 dns = genOptions stringType "provider";
 localhost = genOptions stringType "address";
- wireguard = genOptions stringType "interface";
 remotehost = genOptions stringType "address";
 email = genOptions stringType "address";
 sops = genOptions stringType "path";
@@ -88,7 +87,6 @@ let
 label = stringType;
 name = stringType;
 sync = genOptions stringType "address";
- wireguard = genOptions stringType "ip";
 }
 // genOptions mountConfig "folder"
 // genOptions mountConfig "samba"
diff --git a/modules/config/devices/config/ceres.nix b/modules/config/devices/config/ceres.nix
index 723cca4..4caeb4e 100755
--- a/modules/config/devices/config/ceres.nix
+++ b/modules/config/devices/config/ceres.nix
@@ -27,9 +27,6 @@ in
 boot = {
 options = ownerExclusiveReadWriteMask;
 };
- wireguard = {
- ip0 = "10.100.0.1";
- };
 storage0 = {
 mount = "/mnt/media/${ceresStorageDriveName}";
 device = "/dev/disk/by-label/${ceresStorageDriveName}";
diff --git a/modules/config/devices/config/mars.nix b/modules/config/devices/config/mars.nix
index 5ea9e56..0dc12d2 100755
--- a/modules/config/devices/config/mars.nix
+++ b/modules/config/devices/config/mars.nix
@@ -18,9 +18,6 @@ in
 boot = {
 options = ownerWriteOthersReadMask;
 };
- wireguard = {
- ip0 = "10.100.0.2";
- };
 storage0 = {
 mount = "/mnt/media/games";
 device = "/dev/disk/by-label/Games";
diff --git a/modules/config/instances/config/firefly-iii.nix b/modules/config/instances/config/firefly-iii.nix
new file mode 100644
index 0000000..2b8c1a1
--- /dev/null
+++ b/modules/config/instances/config/firefly-iii.nix
@@ -0,0 +1,38 @@
+{ moduleFunctions }:
+let
+ inherit (moduleFunctions.instancesFunctions)
+ domain0
+ servicePath
+ sslPath
+ sopsPath
+ ;
+
+ label = "Firefly-III";
+ name = "firefly-iii";
+ subdomain = "finances";
+ domain = "${subdomain}.${domain0}";
+in
+{
+ label = label;
+ name = name;
+ email = {
+ address0 = "noreply@${name}.${domain0}";
+ };
+ sops = {
+ path0 = "${sopsPath}/${name}";
+ };
+ domains = {
+ url0 = domain;
+ };
+ subdomain = subdomain;
+ paths = {
+ path0 = "${servicePath}/${label}";
+ };
+ ports = {
+ port0 = 3306;
+ };
+ ssl = {
+ cert = "${sslPath}/${subdomain}.${domain0}/fullchain.pem";
+ key = "${sslPath}/${subdomain}.${domain0}/key.pem";
+ };
+}
diff --git a/modules/config/instances/config/kanboard.nix b/modules/config/instances/config/kanboard.nix
new file mode 100755
index 0000000..045d1b1
--- /dev/null
+++ b/modules/config/instances/config/kanboard.nix
@@ -0,0 +1,38 @@
+{ moduleFunctions }:
+let
+ inherit (moduleFunctions.instancesFunctions)
+ domain0
+ servicePath
+ sslPath
+ sopsPath
+ ;
+
+ label = "Kanboard";
+ name = "kanboard";
+ subdomain = "todo";
+ domain = "${subdomain}.${domain0}";
+in
+{
+ label = label;
+ name = name;
+ email = {
+ address0 = "noreply@${name}.${domain0}";
+ };
+ sops = {
+ path0 = "${sopsPath}/${name}";
+ };
+ domains = {
+ url0 = domain;
+ };
+ subdomain = subdomain;
+ paths = {
+ path0 = "${servicePath}/${label}";
+ };
+ ports = {
+ port0 = 3128;
+ };
+ ssl = {
+ cert = "${sslPath}/${subdomain}.${domain0}/fullchain.pem";
+ key = "${sslPath}/${subdomain}.${domain0}/key.pem";
+ };
+}
diff --git a/modules/config/instances/config/web.nix b/modules/config/instances/config/web.nix
index 590f58b..ce8c8dd 100755
--- a/modules/config/instances/config/web.nix
+++ b/modules/config/instances/config/web.nix
@@ -26,7 +26,4 @@ in
 remotehost = {
 address0 = "24.76.173.0";
 };
- wireguard = {
- interface0 = "10.100.0.1";
- };
 }
diff --git a/modules/config/instances/config/wireGuard.nix b/modules/config/instances/config/wireGuard.nix
index 4a8ed16..19f748b 100755
--- a/modules/config/instances/config/wireGuard.nix
+++ b/modules/config/instances/config/wireGuard.nix
@@ -14,6 +14,5 @@ in
 path0 = "${sopsPath}/${name}";
 };
 ports = {
- port0 = 51821;
 };
 }
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 27be9b5..955d979 100755
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -66,6 +66,7 @@ in
 searx
 vaultwarden
 forgejo
+ firefly
 ;
 };
 };
diff --git a/modules/nixos/services/acme/default.nix b/modules/nixos/services/acme/default.nix
index 659eff6..be6fedc 100755
--- a/modules/nixos/services/acme/default.nix
+++ b/modules/nixos/services/acme/default.nix
@@ -41,6 +41,7 @@ in
 "podgrab"
 "vaultwarden"
 "audiobookshelf"
+ "firefly-iii"
 ]
 )
 ++ (map
diff --git a/modules/nixos/services/firefly/default.nix b/modules/nixos/services/firefly/default.nix
new file mode 100644
index 0000000..4dc6940
--- /dev/null
+++ b/modules/nixos/services/firefly/default.nix
@@ -0,0 +1,123 @@
+{ flake, config, ... }:
+let
+ inherit (flake.config.people) user0;
+ inherit (flake.config.people.users.${user0}) email;
+ inherit (flake.config.services.instances) firefly-iii web;
+ inherit (flake.config.machines.devices) ceres;
+ service = firefly-iii;
+ localhost = web.localhost.address1;
+ host = service.domains.url0;
+in
+{
+ services = {
+ firefly-iii = {
+ enable = true;
+ virtualHost = host;
+ enableNginx = true;
+ settings = {
+ APP_KEY_FILE = config.sops.secrets."${service.name}-key".path;
+ SITE_OWNER = email.address0;
+ DB_DATABASE = "firefly";
+ DB_USERNAME = "firefly";
+ DB_PASSWORD_FILE = config.sops.secrets."${service.name}-pass".path;
+ TRUSTED_PROXIES = "**";
+ };
+ };
+
+ nginx = {
+ enable = true;
+ virtualHosts.${config.services.firefly-iii.virtualHost} = {
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8080;
+ }
+ ];
+ };
+ };
+
+ caddy = {
+ virtualHosts = {
+ "${host}" = {
+ extraConfig = ''
+ encode gzip
+
+ reverse_proxy localhost:8080 {
+ header_up Host {host}
+ header_up X-Real-IP {remote_host}
+ header_up X-Forwarded-For {remote_host}
+ header_up X-Forwarded-Proto https
+ header_up X-Forwarded-Host {host}
+ header_up X-Forwarded-Ssl on
+ header_up Connection ""
+ timeout 240s
+ dial_timeout 240s
+ }
+
+ @session_cookie header Cookie *session*
+ handle @session_cookie {
+ header Cache-Control "no-cache, no-store, must-revalidate"
+ }
+
+ request_body {
+ max_size 64MB
+ }
+
+ tls ${service.ssl.cert} ${service.ssl.key}
+ '';
+ };
+ };
+ };
+ };
+
+ sops =
+ let
+ sopsPath = secret: {
+ path = "${service.sops.path0}/${service.name}-${secret}";
+ owner = service.name;
+ mode = "600";
+ };
+ in
+ {
+ secrets = builtins.listToAttrs (
+ map
+ (secret: {
+ name = "${service.name}-${secret}";
+ value = sopsPath secret;
+ })
+ [
+ "key"
+ "pass"
+ ]
+ );
+ };
+
+ # fileSystems."/var/lib/${service.name}" = {
+ # device = service.paths.path0;
+ # fsType = "none";
+ # options = [
+ # "bind"
+ # ];
+ # depends = [
+ # ceres.storage0.mount
+ # ];
+ # };
+
+ users.users.${service.name}.extraGroups = [
+ "caddy"
+ ];
+
+ systemd.tmpfiles.rules = [
+ # "Z ${service.paths.path0} 755 ${service.name} ${service.name} -"
+ "Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
+ ];
+
+ networking = {
+ firewall = {
+ allowedTCPPorts = [
+ 8080
+ service.ports.port0
+ ];
+ };
+ };
+}
diff --git a/modules/nixos/services/hLedger/default.nix b/modules/nixos/services/hLedger/default.nix
new file mode 100755
index 0000000..b88433d
--- /dev/null
+++ b/modules/nixos/services/hLedger/default.nix
@@ -0,0 +1,72 @@
+{
+ flake,
+ pkgs,
+ ...
+}:
+let
+ inherit (flake.config.machines.devices)
+ ceres
+ ;
+ inherit (flake.config.services.instances)
+ hledger
+ web
+ ;
+ service = hledger;
+ localhost = web.localhost.address0;
+in
+{
+ services = {
+ hledger-web = {
+ enable = true;
+ host = localhost;
+ # baseUrl = "https://${host}";
+ stateDir = service.paths.path0;
+ port = service.ports.port0;
+ journalFiles = [
+ ".hledger.journal"
+ ];
+ allow = "edit";
+ };
+ };
+
+ environment = {
+ systemPackages = builtins.attrValues {
+ inherit (pkgs)
+ hledger
+ hledger-ui
+ ;
+ };
+ };
+
+ users = {
+ users.${service.name} = {
+ isSystemUser = true;
+ group = service.name;
+ home = service.paths.path0;
+ };
+ groups.${service.name} = { };
+ };
+
+ fileSystems."/var/lib/${service.name}" = {
+ device = service.paths.path0;
+ fsType = "none";
+ options = [
+ "bind"
+ ];
+ depends = [
+ ceres.storage0.mount
+ ];
+ };
+
+ systemd.tmpfiles.rules = [
+ "Z ${service.paths.path0} 0755 ${service.name} ${service.name} -"
+ ];
+
+ networking = {
+ firewall = {
+ allowedTCPPorts = [
+ service.ports.port0
+ ];
+ };
+ };
+}
diff --git a/modules/nixos/services/kanboard/default.nix b/modules/nixos/services/kanboard/default.nix
new file mode 100755
index 0000000..7429d7a
--- /dev/null
+++ b/modules/nixos/services/kanboard/default.nix
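Review bot: The nginx vhost listens on `addr = "0.0.0.0"` port 8080 and the firewall block at the end of the hunk opens `8080` and `service.ports.port0`, so the plain-HTTP backend that Caddy fronts is reachable directly, bypassing the TLS vhost, and with `TRUSTED_PROXIES = "**"` Firefly will trust whatever X-Forwarded-* headers such a direct client sends. Bind the listener to loopback with `addr = "127.0.0.1";`, narrow the setting to `TRUSTED_PROXIES = "127.0.0.1";`, and drop `8080` and `service.ports.port0` from `allowedTCPPorts`; `port0` is 3306 in the new instance file and nothing in this module serves it on the wire. The tmpfiles rule `"Z ${service.sops.path0} 755 …"` is recursive, so if anything under that directory is a regular file rather than a sops-nix symlink it would be widened to 755 against the `mode = "600"` declared above; `z` on the directory alone is safer, and the same line appears in the kanboard module hunk. `localhost` and `ceres` are bound in the `let` but only `ceres` is used, inside the commented-out fileSystems block, so both bindings could go.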
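Review bot: `allow = "edit"` lets any client that reaches the port modify the journal, and hledger-web performs no authentication of its own, yet the hunk also opens `service.ports.port0` in the firewall; unless `web.localhost.address0` is a loopback address (its value is not visible here) the journal is writable from the whole network. Either bind to loopback and front it with an authenticating proxy, or use `allow = "view";` until one exists; for a loopback bind the firewall entry is unnecessary. The `fileSystems."/var/lib/${service.name}"` bind mount also looks unused, since `stateDir = service.paths.path0` points the service at the mount's source rather than at `/var/lib/${service.name}`.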
@@ -0,0 +1,83 @@
+{ flake, ... }:
+let
+ inherit (flake.config.services.instances) kanboard web;
+ service = kanboard;
+ localhost = web.localhost.address0;
+ host = service.domains.url0;
+in
+{
+ services = {
+ kanboard = {
+ enable = true;
+ domain = host;
+ nginx = null;
+ # dataDir = "/var/lib/${service.name}";
+ # settings = {
+ # MAIL_FROM = service.email.address0;
+ # # HTTP_PROXY_HOSTNAME = host;
+ # HTTP_PROXY_PORT = service.ports.port0;
+ # MAIL_TRANSPORT = "smtp";
+ # MAIL_SMTP_HOSTNAME = smtp.hostname;
+ # MAIL_SMTP_PORT = smtp.ports.port0;
+ # MAIL_SMTP_USERNAME = service.email.address0;
+ # MAIL_SMTP_PASSWORD = config.sops.secrets."${service.name}-smtp".path;
+ # MAIL_SMTP_ENCRYPTION = "ssl";
+ # };
+ };
+ caddy = {
+ virtualHosts = {
+ "${host}" = {
+ extraConfig = ''
+ reverse_proxy ${localhost}:${toString service.ports.port0}
+
+ tls ${service.ssl.cert} ${service.ssl.key}
+ '';
+ };
+ };
+ };
+ };
+ sops =
+ let
+ sopsPath = secret: {
+ path = "${service.sops.path0}/${service.name}-${secret}";
+ owner = service.name;
+ mode = "600";
+ };
+ in
+ {
+ secrets = builtins.listToAttrs (
+ map
+ (secret: {
+ name = "${service.name}-${secret}";
+ value = sopsPath secret;
+ })
+ [
+ "smtp"
+ ]
+ );
+ };
+
+ # fileSystems."/var/lib/${service.name}" = {
+ # device = service.paths.path0;
+ # fsType = "none";
+ # options = [
+ # "bind"
+ # ];
+ # depends = [
+ # ceres.storage0.mount
+ # ];
+ # };
+
+ systemd.tmpfiles.rules = [
+ # "Z ${service.paths.path0} 755 ${service.name} ${service.name} -"
+ "Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
+ ];
+
+ networking = {
+ firewall = {
+ allowedTCPPorts = [
+ service.ports.port0
+ ];
+ };
+ };
+}
diff --git a/modules/nixos/services/searx/config/engines.nix b/modules/nixos/services/searx/config/engines.nix
deleted file mode 100644
index bf09673..0000000
--- a/modules/nixos/services/searx/config/engines.nix
+++ /dev/null
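Review bot: `nginx = null;` leaves nothing in this hunk listening on `service.ports.port0` (3128 in the new instance file), yet Caddy does `reverse_proxy ${localhost}:${toString service.ports.port0}` and the firewall opens that port; as far as I can tell from the options used here, the kanboard module without an nginx vhost only provides the PHP pool, so the proxy target would refuse connections. Either give the module an nginx config that listens on that port, or point Caddy at the pool socket with `php_fastcgi`; in both cases the firewall entry can go, since Caddy runs on the same host. The `smtp` sops secret is installed with `owner = service.name` but is referenced only inside the commented-out `settings` block, so it currently sits unused on disk.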
@@ -1,65 +0,0 @@
-{ lib, ... }:
-lib.mapAttrsToList (name: value: { inherit name; } // value) {
- "duckduckgo".disabled = false;
- "brave".disabled = false;
- "bing".disabled = false;
- "mojeek".disabled = true;
- "mwmbl".disabled = false;
- "mwmbl".weight = 0.4;
- "qwant".disabled = true;
- "crowdview".disabled = false;
- "crowdview".weight = 0.5;
- "curlie".disabled = true;
- "ddg definitions".disabled = false;
- "ddg definitions".weight = 2;
- "wikibooks".disabled = false;
- "wikidata".disabled = false;
- "wikiquote".disabled = true;
- "wikisource".disabled = true;
- "wikispecies".disabled = false;
- "wikispecies".weight = 0.5;
- "wikiversity".disabled = false;
- "wikiversity".weight = 0.5;
- "wikivoyage".disabled = false;
- "wikivoyage".weight = 0.5;
- "currency".disabled = true;
- "dictzone".disabled = true;
- "lingva".disabled = true;
- "bing images".disabled = false;
- "brave.images".disabled = false;
- "duckduckgo images".disabled = false;
- "google images".disabled = false;
- "qwant images".disabled = true;
- "1x".disabled = true;
- "artic".disabled = false;
- "deviantart".disabled = false;
- "flickr".disabled = true;
- "imgur".disabled = false;
- "library of congress".disabled = false;
- "material icons".disabled = true;
- "material icons".weight = 0.2;
- "openverse".disabled = false;
- "pinterest".disabled = true;
- "svgrepo".disabled = false;
- "unsplash".disabled = false;
- "wallhaven".disabled = false;
- "wikicommons.images".disabled = false;
- "yacy images".disabled = true;
- "bing videos".disabled = false;
- "brave.videos".disabled = true;
- "duckduckgo videos".disabled = true;
- "google videos".disabled = false;
- "qwant videos".disabled = false;
- "dailymotion".disabled = true;
- "google play movies".disabled = true;
- "invidious".disabled = true;
- "odysee".disabled = true;
- "peertube".disabled = true;
- "piped".disabled = true;
- "rumble".disabled = false;
- "sepiasearch".disabled = false;
- "vimeo".disabled = true;
- "youtube".disabled = false;
- "brave.news".disabled = true;
- "google news".disabled = true;
-}
diff --git a/modules/nixos/services/searx/config/general.nix b/modules/nixos/services/searx/config/general.nix
deleted file mode 100644
index 3c8dc61..0000000
--- a/modules/nixos/services/searx/config/general.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-{
- debug = false;
- instance_name = "SearXNG Instance";
- donation_url = false;
- contact_url = false;
- privacypolicy_url = false;
- enable_metrics = false;
-}
diff --git a/modules/nixos/services/searx/config/outgoing.nix b/modules/nixos/services/searx/config/outgoing.nix
deleted file mode 100644
index f71e6aa..0000000
--- a/modules/nixos/services/searx/config/outgoing.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- request_timeout = 5.0;
- max_request_timeout = 15.0;
- pool_connections = 100;
- pool_maxsize = 15;
- enable_http2 = true;
-}
diff --git a/modules/nixos/services/searx/config/plugins.nix b/modules/nixos/services/searx/config/plugins.nix
deleted file mode 100644
index d58c480..0000000
--- a/modules/nixos/services/searx/config/plugins.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-[
- "Basic Calculator"
- "Hash plugin"
- "Tor check plugin"
- "Open Access DOI rewrite"
- "Hostnames plugin"
- "Unit converter plugin"
- "Tracker URL remover"
-]
diff --git a/modules/nixos/services/searx/config/search.nix b/modules/nixos/services/searx/config/search.nix
deleted file mode 100644
index 3d6c408..0000000
--- a/modules/nixos/services/searx/config/search.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- safe_search = 0;
- autocomplete_min = 2;
- autocomplete = "duckduckgo";
- ban_time_on_fail = 5;
- max_ban_time_on_fail = 120;
-}
diff --git a/modules/nixos/services/searx/config/server.nix b/modules/nixos/services/searx/config/server.nix
deleted file mode 100644
index b8fbb7d..0000000
--- a/modules/nixos/services/searx/config/server.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- flake,
- config,
- configHelpers,
- ...
-}:
-let
- inherit (flake.config.machines.devices) ceres;
-in
-{
- port = configHelpers.service.ports.port0;
- bind_address = ceres.wireguard.ip0;
- secret_key = config.sops.secrets.searx-key.path;
- limiter = false;
- public_instance = false;
- image_proxy = true;
- method = "GET";
-}
-// (
- if configHelpers.hostname == ceres.name then
- {
- base_url = "https://${configHelpers.host}";
- }
- else
- { }
-)
diff --git a/modules/nixos/services/searx/config/ui.nix b/modules/nixos/services/searx/config/ui.nix
deleted file mode 100644
index ab8cea6..0000000
--- a/modules/nixos/services/searx/config/ui.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- static_use_hash = true;
- default_locale = "en";
- query_in_title = true;
- infinite_scroll = true;
- center_alignment = true;
- default_theme = "simple";
- theme_args.simple_style = "auto";
- search_on_category_select = true;
- hotkeys = "vim";
-}
diff --git a/modules/nixos/services/searx/default.nix b/modules/nixos/services/searx/default.nix
index c6ad71b..c3d286a 100755
--- a/modules/nixos/services/searx/default.nix
+++ b/modules/nixos/services/searx/default.nix
@@ -7,23 +7,10 @@ let
 inherit (flake.config.machines.devices) ceres;
 inherit (flake.config.services.instances) searx web;
- configHelpers = {
- service = searx;
- hostname = config.networking.hostName;
- localhost = web.localhost.address0;
- host = configHelpers.service.domains.url0;
- };
- configPath = ./config;
- configImports = {
- general = import (configPath + /general.nix);
- ui = import (configPath + /ui.nix);
- search = import (configPath + /search.nix);
- server = import (configPath + /server.nix) { inherit config flake configHelpers; };
- engines = import (configPath + /engines.nix) { inherit lib; };
- outgoing = import (configPath + /outgoing.nix);
- enabled_plugins = import (configPath + /plugins.nix);
- };
-
+ service = searx;
+ hostname = config.networking.hostName;
+ localhost = web.localhost.address0;
+ host = service.domains.url0;
 in
 {
 services =
@@ -33,31 +20,150 @@ in
 redisCreateLocally = true;
 uwsgiConfig = {
 socket = "/run/searx/searx.sock";
- http = ":${builtins.toString configHelpers.service.ports.port0}";
+ http = ":${builtins.toString service.ports.port0}";
 chmod-socket = "660";
 };
- settings = configImports;
+ settings = {
+ general = {
+ debug = false;
+ instance_name = "SearXNG Instance";
+ donation_url = false;
+ contact_url = false;
+ privacypolicy_url = false;
+ enable_metrics = false;
+ };
+ ui = {
+ static_use_hash = true;
+ default_locale = "en";
+ query_in_title = true;
+ infinite_scroll = true;
+ center_alignment = true;
+ default_theme = "simple";
+ theme_args.simple_style = "auto";
+ search_on_category_select = true;
+ hotkeys = "vim";
+ };
+ search = {
+ safe_search = 0;
+ autocomplete_min = 2;
+ autocomplete = "duckduckgo";
+ ban_time_on_fail = 5;
+ max_ban_time_on_fail = 120;
+ };
+ server =
+ {
+ port = service.ports.port0;
+ bind_address = localhost;
+ secret_key = config.sops.secrets.searx-key.path;
+ limiter = false;
+ public_instance = false;
+ image_proxy = true;
+ method = "GET";
+ }
+ // (
+ if hostname == ceres.name then
+ {
+ base_url = "https://${host}";
+ }
+ else
+ { }
+ );
+ engines = lib.mapAttrsToList (name: value: { inherit name; } // value) {
+ "duckduckgo".disabled = false;
+ "brave".disabled = false;
+ "bing".disabled = false;
+ "mojeek".disabled = true;
+ "mwmbl".disabled = false;
+ "mwmbl".weight = 0.4;
+ "qwant".disabled = true;
+ "crowdview".disabled = false;
+ "crowdview".weight = 0.5;
+ "curlie".disabled = true;
+ "ddg definitions".disabled = false;
+ "ddg definitions".weight = 2;
+ "wikibooks".disabled = false;
+ "wikidata".disabled = false;
+ "wikiquote".disabled = true;
+ "wikisource".disabled = true;
+ "wikispecies".disabled = false;
+ "wikispecies".weight = 0.5;
+ "wikiversity".disabled = false;
+ "wikiversity".weight = 0.5;
+ "wikivoyage".disabled = false;
+ "wikivoyage".weight = 0.5;
+ "currency".disabled = true;
+ "dictzone".disabled = true;
+ "lingva".disabled = true;
+ "bing images".disabled = false;
+ "brave.images".disabled = false;
+ "duckduckgo images".disabled = false;
+ "google images".disabled = false;
+ "qwant images".disabled = true;
+ "1x".disabled = true;
+ "artic".disabled = false;
+ "deviantart".disabled = false;
+ "flickr".disabled = true;
+ "imgur".disabled = false;
+ "library of congress".disabled = false;
+ "material icons".disabled = true;
+ "material icons".weight = 0.2;
+ "openverse".disabled = false;
+ "pinterest".disabled = true;
+ "svgrepo".disabled = false;
+ "unsplash".disabled = false;
+ "wallhaven".disabled = false;
+ "wikicommons.images".disabled = false;
+ "yacy images".disabled = true;
+ "bing videos".disabled = false;
+ "brave.videos".disabled = true;
+ "duckduckgo videos".disabled = true;
+ "google videos".disabled = false;
+ "qwant videos".disabled = false;
+ "dailymotion".disabled = true;
+ "google play movies".disabled = true;
+ "invidious".disabled = true;
+ "odysee".disabled = true;
+ "peertube".disabled = true;
+ "piped".disabled = true;
+ "rumble".disabled = false;
+ "sepiasearch".disabled = false;
+ "vimeo".disabled = true;
+ "youtube".disabled = false;
+ "brave.news".disabled = true;
+ "google news".disabled = true;
+ };
+ outgoing = {
+ request_timeout = 5.0;
+ max_request_timeout = 15.0;
+ pool_connections = 100;
+ pool_maxsize = 15;
+ enable_http2 = true;
+ };
+ enabled_plugins = [
+ "Basic Calculator"
+ "Hash plugin"
+ "Tor check plugin"
+ "Open Access DOI rewrite"
+ "Hostnames plugin"
+ "Unit converter plugin"
+ "Tracker URL remover"
+ ];
+ };
 };
 }
 // (
- if configHelpers.hostname == ceres.name then
+ if hostname == ceres.name then
 {
 caddy = {
 virtualHosts = {
- "${configHelpers.host}" = {
+ "${host}" = {
 extraConfig = ''
- @allowed_ips {
- remote_ip 10.100.0.2
- }
- handle @allowed_ips {
- redir /.well-known/carddav /remote.php/dav/ 301
- redir /.well-known/caldav /remote.php/dav/ 301
- reverse_proxy ${ceres.wireguard.ip0}:${toString configHelpers.service.ports.port0}
- }
- handle {
- respond "Access Denied" 403
- }
- tls ${configHelpers.service.ssl.cert} ${configHelpers.service.ssl.key}
+ redir /.well-known/carddav /remote.php/dav/ 301
+ redir /.well-known/caldav /remote.php/dav/ 301
+
+ reverse_proxy ${localhost}:${toString service.ports.port0}
+
+ tls ${service.ssl.cert} ${service.ssl.key}
 '';
 };
 };
@@ -73,8 +179,8 @@ in
 sops =
 let
 sopsPath = secret: {
- path = "${configHelpers.service.sops.path0}/${configHelpers.service.name}-${secret}";
- owner = configHelpers.service.name;
+ path = "${service.sops.path0}/${service.name}-${secret}";
+ owner = service.name;
 mode = "600";
 };
 in
@@ -82,7 +188,7 @@ in
 secrets = builtins.listToAttrs (
 map
 (secret: {
- name = "${configHelpers.service.name}-${secret}";
+ name = "${service.name}-${secret}";
 value = sopsPath secret;
 })
 [
@@ -93,8 +199,8 @@ in
 networking = {
 firewall = {
- interfaces.wg0.allowedTCPPorts = [
- configHelpers.service.ports.port0
+ allowedTCPPorts = [
+ service.ports.port0
 ];
 };
 };
diff --git a/modules/nixos/services/wireGuard/default.nix b/modules/nixos/services/wireGuard/default.nix
index 7717479..75b1e38 100755
--- a/modules/nixos/services/wireGuard/default.nix
+++ b/modules/nixos/services/wireGuard/default.nix
@@ -2,6 +2,7 @@ let
 inherit (flake.config.services.instances) wireGuard;
 service = wireGuard;
+
 wireGuardInterface =
 {
 secret,
@@ -24,6 +25,7 @@ let
 ];
 };
 };
+
 interfaces = [
 {
 secret = "CA363";
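Review bot: The rewritten Caddy block drops the `@allowed_ips` / `remote_ip 10.100.0.2` matcher and the `respond "Access Denied" 403` fallback, so the instance is now proxied for every client that reaches the vhost while the inlined `server` settings keep `limiter = false` and `public_instance = false`. If the instance is meant to stay private, a `remote_ip` matcher or an authenticating directive is needed again in front of `reverse_proxy`; if it is now meant to be public, `limiter = true;` is the setting SearXNG provides for exposed instances. The `@@ -93,8 +199,8 @@` hunk below replaces `interfaces.wg0.allowedTCPPorts` with a global `allowedTCPPorts = [ service.ports.port0 ]`, which opens the uwsgi HTTP endpoint on every interface; since Caddy proxies to `${localhost}` on the same host, the rule is unnecessary if that address is loopback and bypasses TLS if it is not.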
@@ -46,24 +48,20 @@ let
 endpoint = "139.28.218.130:51820";
 }
 ];
+
+ sopsPath = secret: {
+ path = "${service.sops.path0}/${service.name}-${secret}";
+ owner = "root";
+ mode = "600";
+ };
 in
 {
- networking = {
- wg-quick.interfaces = builtins.listToAttrs (map wireGuardInterface interfaces);
- };
+ networking.wg-quick.interfaces = builtins.listToAttrs (map wireGuardInterface interfaces);
- sops.secrets =
- let
- sopsPath = secret: {
- path = "${service.sops.path0}/${service.name}-${secret}";
- owner = "root";
- mode = "600";
- };
- in
- builtins.listToAttrs (
- (map (interface: {
- name = "${service.name}-${interface.secret}";
- value = sopsPath interface.secret;
- }) interfaces)
- );
+ sops.secrets = builtins.listToAttrs (
+ map (interface: {
+ name = "${service.name}-${interface.secret}";
+ value = sopsPath interface.secret;
+ }) interfaces
+ );
 }
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index 34a8a1c..43f3976 100755
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -34,12 +34,6 @@ wireguard-CA363: ENC[AES256_GCM,data:iGiAjP5Dbw0kXR3iM50YTS8jBXODNr//W/0OPMAiu1G
 wireguard-CA220: ENC[AES256_GCM,data:rNy/IMKqAOsgMUu5r8BZsjTCu0L5fDDDV3/g+pkhW1y44Y2rqhhsZgcXG5M=,iv:onyHBn4npqiwC/v37SOMJLLhdfcrtvPmKbMVTgxaSQg=,tag:OmXDL3oYCDPwH1yBsKAYKQ==,type:str]
 wireguard-CA358: ENC[AES256_GCM,data:/VewmiNfRc9/wSE7TT+z1F9LLIvr/5wPsQZ/zBwAh3dEi9yswOGyde2b/XQ=,iv:7U5dmqFiwhCoL1moGSfHprv85o5TdMr6T2sNk5gH82I=,tag:T1hqh8CiO2iBa+ksaiKCtA==,type:str]
 wireguard-CA627: ENC[AES256_GCM,data:chmDsH2nE0nagjFRZWuxX08/Ykt+rIgCHYkMHd+7nIqihK5SebF7MJlrp84=,iv:NVOlGE7W70nQ0UM/i5WixJvDULO3Y4cLf8h+OAGHhQQ=,tag:L123ShCnr9+kIg1itIoqBA==,type:str]
-wireguard-private: ENC[AES256_GCM,data:JjkTL+ZiU90Rxq1Ut/0TuLLYINAVjOfjHEC8PvUQJLBCORoimUObKT5Q+XI=,iv:XFuc4SlgiVK0kp+QH/jXKyOrRpjSto+ilnkIxRXzWhQ=,tag:+DpxdNJQQWdbs39yCLFgVQ==,type:str]
-wireguard-public: ENC[AES256_GCM,data:X2UEVJmLu24w5imKJ6z68wmp4hMdG5ugD59xa9m+xNFTVgOzzhE+0fLN7Rs=,iv:IzW5NkUE6MHpb6Vi2nzCmR9OfB6Ftca5M3xWWhNeZSU=,tag:I2OJPLDC/8YZTjchsIWAwg==,type:str]
-wireguard-phone-private: ENC[AES256_GCM,data:hm6KoNseaalt+/SYCkCW0w4sRzzpNNMjhdaxUG2KryNGgKU3HO4yig7JxuE=,iv:WHDqJFJrNTWdq46VDj8Zf6zCgi6rXwSJvnkY2cyPv4o=,tag:BSzN6WyIJM558EW3q9LicQ==,type:str]
-wireguard-phone-public: ENC[AES256_GCM,data:gGMAIg3T6dOmo1z2c6oZ8Sgnylp0wjpADRWRyBCAEhmlJp1PVj+d478TO08=,iv:A4DV7zPKXwVF2nyFySyrmfdExoo3LrbiYt6PYa4/WcQ=,tag:wY4fYv1wXE0tYonrLoHpGQ==,type:str]
-wireguard-mars-private: ENC[AES256_GCM,data:pUkR29PgGhHeR3d6fFJDs0bwASaC/RqUTsJe+vYs+P2skIGivkRzhi3LRBE=,iv:JK7O28r73V3NiVGikMIZunJtrdtp4jOGPi2quLYSkWY=,tag:nSHqfnZhiLrm7JuZuJtc7Q==,type:str]
-wireguard-mars-public: ENC[AES256_GCM,data:fA37Ev7WL2vsgG/PE4YMFHclbhjHqCgNCOiF5J9L5UD8YuGCHUbpTV7A+w4=,iv:K9W/IZatUL+HZ5k9FGjmA4+He4xTO3IAswqpbelfhPw=,tag:FC5kiMD/pdtNjQxklDvfrA==,type:str]
 glance-jellyfin: ENC[AES256_GCM,data:ozdDKgAWkA88J2j8RtiOP/aQPAt/neUOSlAZF20g510=,iv:x+VhYlnA9F/VPrzVcma4/oPelCc8kjWoTZvOs4L9Uqo=,tag:crdSDjr8Y5GH/JAF6t8Yeg==,type:str]
 kanboard-smtp: ENC[AES256_GCM,data:eOIEGwJZlvbJaTfDRU3IFQ==,iv:Jex01WlHG3uxqUnTSF+v1BgnNcIu4cS9OwHBCFl1m28=,tag:3Eld1FkI6AftlCyC3419BA==,type:str]
 podgrab-pass: ENC[AES256_GCM,data:DVmJDb4VqcZDKNcedSaRA5dqKOzx1tSzDiK3i23+a6v3nK+4Kh7n8EA=,iv:SiiUjJLHkCOO1VKCmubftKx06laFqNv79tIPnkVYrJU=,tag:kdkT+03DemlNAsuzps8fnw==,type:str]
@@ -56,7 +50,7 @@ sops:
 bXBOa1VSakoyaWxpODJEOU11QUZCaUEK8Ch9Ten3DdrPHF1DTH2qei85AlHUOaLD
 aNfzakake7ej+MxJYdKEU0bcWofNMKzIlZa2uM10KZSENDP8d8qlig==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-07-01T08:55:49Z"
- mac: ENC[AES256_GCM,data:2m5iKDV7yIkYIL2bq9+7sFD2Nf8K1Z7mB6EKE3U+nFurOTxgUE0W10kV3BJoPoD78t5xjdbbmIt+NpmH9D41oE4lSPlOdTZujEpT0EcuNBVwz4MDBR/N7GRk74Etq1kJQ2f/NInhh8eH4xZDCQHR8BKxSX1RCd/0yWqrEbpfWrk=,iv:7gI48Urn0xFJwx3l3IzBT7KLTf4FlIf5p5Y/6Pms3ZA=,tag:QdA9cuKvFbXfT7kMbth5hQ==,type:str]
+ lastmodified: "2025-06-27T07:07:16Z"
+ mac: ENC[AES256_GCM,data:yNS+bjiHnrHHmmMkChrF5PmxrYAY9HEEErhScsxTNS2OIpiK3Q+ARiTfmT01vmqFBu63RtYJFPQ3gXM1iNrqjQcnp0btXPo2uvLewbHqfj6UaQsj34GXzf9dIzeHAnXWxtlJxkrCA1ufVwW78bzlDt0x64DhboWk5pqlDUaGR6Y=,iv:oEZzK7RBxIK/DbV3wvbL4UYB59PBygGFV3uktHtjVjg=,tag:Lldass5AJL3Ka1bniaxECg==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.10.2
diff --git a/systems/ceres/config/wireguard.nix b/systems/ceres/config/wireguard.nix
deleted file mode 100644
index 8547055..0000000
--- a/systems/ceres/config/wireguard.nix
+++ /dev/null
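Review bot: `lastmodified` moves backwards in the second hunk, from `"2025-07-01T08:55:49Z"` to `"2025-06-27T07:07:16Z"`, which a `sops` edit would not produce; the new side looks like an older copy of the file rather than the result of removing the six `wireguard-*` entries with sops. Please confirm the file was written by sops so that the new `mac` covers exactly this content, and that nothing added to the file between those two dates has been lost in the restore. Removing the entries from the working tree also leaves their ciphertext in history, so if any of those keys were still in use, this commit does not by itself retire them.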
@@ -1,68 +0,0 @@
-{ config, flake, ... }:
-let
- inherit (flake.config.services.instances) wireGuard web;
- inherit (flake.config.machines.devices) mars ceres;
- service = wireGuard;
-in
-{
- networking = {
- firewall = {
- allowedUDPPorts = [
- 53
- service.ports.port0
- ];
- interfaces.wg0.allowedTCPPorts = [
- 80
- 443
- 8080
- ];
- };
-
- nat = {
- enable = true;
- enableIPv6 = true;
- externalInterface = "eth0";
- internalInterfaces = [ "wg0" ];
- };
-
- wireguard.interfaces = {
- wg0 = {
- ips = [ "${ceres.wireguard.ip0}/24" ];
- listenPort = service.ports.port0;
- privateKeyFile = config.sops.secrets."${service.name}-private".path;
- peers = [
- {
- publicKey = "9zfRPxkxTLHM9tABC8lIaDMrzdjcF2l1mtG82uqGKUQ=";
- allowedIPs = [ "${mars.wireguard.ip0}/32" ];
- }
- ];
- };
- };
- };
-
- sops =
- let
- sopsPath = secret: {
- path = "${service.sops.path0}/${service.name}-${secret}-pass";
- owner = "root";
- mode = "600";
- };
- in
- {
- secrets = builtins.listToAttrs (
- map
- (secret: {
- name = "${service.name}-${secret}";
- value = sopsPath secret;
- })
- [
- "private"
- "public"
- ]
- );
- };
-
- boot.kernel.sysctl = {
- "net.ipv4.ip_forward" = 1;
- };
-}
diff --git a/systems/mars/config/wireguard.nix b/systems/mars/config/wireguard.nix
deleted file mode 100755
index b0d279b..0000000
--- a/systems/mars/config/wireguard.nix
+++ /dev/null
@@ -1,49 +0,0 @@
-{ config, flake, ... }:
-let
- inherit (flake.config.services.instances) wireGuard web;
- inherit (flake.config.machines.devices) mars;
- service = wireGuard;
-in
-{
- networking = {
- wg-quick.interfaces = {
- wg0 = {
- address = [ "${mars.wireguard.ip0}/24" ];
- privateKeyFile = config.sops.secrets."${service.name}-mars-private".path;
- peers = [
- {
- publicKey = "fs58+Kz+eG9qAXvvMB2NkW+wa88yP61uam4HHWaBJVw=";
- allowedIPs = [
- "10.100.0.0/24"
- "192.168.1.0/24"
- ];
- endpoint = "${web.remotehost.address0}:${builtins.toString service.ports.port0}";
- persistentKeepalive = 25;
- }
- ];
- };
- };
- };
-
- sops =
- let
- sopsPath = secret: {
- path = "${service.sops.path0}/${service.name}-${secret}-pass";
- owner = "root";
- mode = "600";
- };
- in
- {
- secrets = builtins.listToAttrs (
- map
- (secret: {
- name = "${service.name}-${secret}";
- value = sopsPath secret;
- })
- [
- "mars-private"
- "mars-public"
- ]
- );
- };
-}