diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..1f12d95
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+ - &sv1 age1zr5m64rzl8r5pk5cnwcfycc8ze09lx4xqa6s0cpkf24gwwxxpy2sltfsug
+creation_rules:
+ - path_regex: library/secrets/.*.yaml
+ key_groups:
+ - age:
+ - *sv1
diff --git a/library/default.nix b/library/default.nix
index cb0edbd..fce3287 100644
--- a/library/default.nix
+++ b/library/default.nix
@@ -3,4 +3,5 @@
 nixosSystems = lib.callFragment ./nixosSystems.nix {};
 sshKeys = lib.callFragment ./sshKeys.nix {};
+ secrets = lib.callFragment ./secrets {};
 }
diff --git a/library/secrets/default.nix b/library/secrets/default.nix
new file mode 100644
index 0000000..fc449b3
--- /dev/null
+++ b/library/secrets/default.nix
@@ -0,0 +1,3 @@
+{
+ sb1 = ./sb1.yaml;
+}
diff --git a/library/secrets/sb1.yaml b/library/secrets/sb1.yaml
new file mode 100644
index 0000000..52ba84f
--- /dev/null
+++ b/library/secrets/sb1.yaml
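Review bot: `creation_rules` lists a single age recipient, the host key the same commit stores at `/persist/sops.age`, so everything under `library/secrets/` can be decrypted or re-encrypted only with that one private key; losing the disk or that file makes the committed ciphertext unrecoverable, and editing a secret requires the host key on the editing machine. Add an operator or backup recipient as a second anchor under `keys:` (a constructed example: `- &admin age1…`) and list it in the `age:` key group next to `- *sv1`, then run `sops updatekeys library/secrets/sb1.yaml` so the existing file picks it up. The rule's `path_regex` is also unanchored with an unescaped `.`, so it matches more than intended; `path_regex: ^library/secrets/.*\.yaml$` restricts it to the secrets files.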
@@ -0,0 +1,22 @@ +sb1-username: ENC[AES256_GCM,data:c5Myt2AdnA==,iv:q36larVwGrBiCHBaUu54QdJggeL22QzOwkfiJfQjsVE=,tag:qsVj/akHjHZwjvnvaJRBEw==,type:str] +sb1-password: ENC[AES256_GCM,data:766xhD3hcwFM9pyu53uYMg==,iv:HYtfnUvl46N/z5UUTIz337rq/kAHJcvgAcMbVnluik0=,tag:1oSSB1UqQIWmh7PJGO+YfQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1zr5m64rzl8r5pk5cnwcfycc8ze09lx4xqa6s0cpkf24gwwxxpy2sltfsug + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdlpSYXhOdndtS0Y0QTRz + N2pxczhIQVBWSnV1dnY3WDVVRlErYnh4OWdnClRUSjVXeWMrTmxWVEVGT0V6YUMr + V2ovSVhpcmRIN3ljWUx0cmJnSnBzMzAKLS0tIHBNalN3emcrbjZZcytoVFgyQTh2 + elREcXRxeGdVTW1TZGtKelVURkdlWW8KSWpXIAL0Vb1a3un8WIcjMNbIbR41VcK2 + 604AZYjooB6OzX2sOkGOOAIvB17S2nesL/nQUobWkM8bQSuH/TgR5g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-01-01T22:35:24Z" + mac: ENC[AES256_GCM,data:PH0lfE79d1ZuE0YyMZuWhpZNu1OHh+9JMNbr66RJoRRPpLa134Y6mQE+PzZXOZ0PR2mT+VOrkNhNRhzEhr79oScM0d3ahBfKVY8VcNpvP34Llb9PQWPAZpQ5moa9o6g850bLrXl3XolLPEMpZg4BVa5EzFjo9BXNbuSY/zoW2x0=,iv:my+mb+qbjDs3iHdmaEptylgHbNu7a6zwHx2NEhlwi1Q=,tag:YfEYhl4QOulNbKALLB8ylg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/modules/sv1.nix b/modules/sv1.nix index 3060e3e..85a5ab0 100644 --- a/modules/sv1.nix +++ b/modules/sv1.nix @@ -1,11 +1,13 @@ { lib, + config, pkgs, ... }: { imports = with lib.nixosModules; [ disko impermanence + sops ]; disko.devices.disk.NixOS = { 
@@ -98,6 +100,34 @@ fileSystems = { "/persist".neededForBoot = true; "/var/log".neededForBoot = true; + "/mnt/sb1" = { + device = "//u424050.your-storagebox.de/backup"; + fsType = "cifs"; + options = [ + "x-systemd.automount" + "noauto" + "x-systemd.idle-timeout=60" + "x-systemd.device-timeout=5s" + "x-systemd.mount-timeout=5s" + "credentials=${config.sops.templates.sb1-credentials.path}" + ]; + }; + }; + + sops = { + gnupg.sshKeyPaths = []; + age = { + sshKeyPaths = []; + keyFile = "/persist/sops.age"; + }; + secrets = { + sb1-username.sopsFile = lib.secrets.sb1; + sb1-password.sopsFile = lib.secrets.sb1; + }; + templates.sb1-credentials.content = '' + username=${config.sops.placeholder.sb1-username} + password=${config.sops.placeholder.sb1-password} + ''; }; boot = { @@ -152,6 +182,19 @@ networking = { hostName = "sv1"; networkmanager.enable = true; + firewall.allowedTCPPorts = [ + 80 + 443 + ]; + }; + + security.acme = { + acceptTerms = true; + defaults.email = "acme.evict519@simplelogin.com"; + certs."dylanblades.com".extraDomainNames = [ + "gitea.dylanblades.com" + "jellyfin.dylanblades.com" + ]; }; time.timeZone = "Europe/London"; 
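Review bot: The `"/mnt/sb1"` cifs entry sets no `uid`/`gid`/`file_mode`/`dir_mode`, so under mount.cifs defaults (0755 when the server offers no unix extensions) the mounted backup tree is readable by every local account, including the `gitea` and `jellyfin` service users this commit introduces; pin ownership and mode with `"uid=0" "gid=0" "file_mode=0600" "dir_mode=0700"` and add `"nosuid" "nodev" "noexec"` since nothing should execute from a backup share. The options also fix neither an SMB dialect nor transport encryption, so the backup contents cross the network only authenticated, not encrypted; if the storage box supports SMB3, `"vers=3.0" "seal"` requests encryption at the SMB layer. The `credentials=` path comes from a sops template, which is the right way to keep the password out of the Nix store, and needs no change here.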
@@ -179,18 +222,114 @@ }; }; - services.openssh = { - enable = true; - settings.PermitRootLogin = "without-password"; + services = { + openssh = { + enable = true; + settings.PermitRootLogin = "without-password"; + }; + gitea = { + enable = true; + useWizard = true; + appName = "Gitea"; + settings = { + service.DISABLE_REGISTRATION = true; + server = { + DOMAIN = "gitea.dylanblades.com"; + ROOT_URL = "https://gitea.dylanblades.com/"; + }; + ui.DEFAULT_THEME = "gitea-dark"; + }; + }; + jellyfin.enable = true; + nginx = { + enable = true; + virtualHosts = { + "dylanblades.com" = { + forceSSL = true; + enableACME = true; + root = pkgs.my-site; + }; + "gitea.dylanblades.com" = { + forceSSL = true; + useACMEHost = "dylanblades.com"; + locations."/" = { + proxyPass = "http://localhost:3000"; + extraConfig = '' + client_max_body_size 512M; + proxy_set_header Connection $http_connection; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + ''; + }; + }; + "jellyfin.dylanblades.com" = { + forceSSL = true; + useACMEHost = "dylanblades.com"; + locations = { + "/" = { + proxyPass = "http://localhost:8096"; + extraConfig = '' + client_max_body_size 20M; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Protocol $scheme; + proxy_set_header X-Forwarded-Host $http_host; + proxy_buffering off; + ''; + }; + "/socket" = { + proxyPass = "http://localhost:8096"; + extraConfig = '' + client_max_body_size 20M; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + 
proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Protocol $scheme; + proxy_set_header X-Forwarded-Host $http_host; + ''; + }; + }; + }; + }; + }; }; nixpkgs.overlays = [lib.overlays.pkgs]; environment = { persistence."/persist" = { hideMounts = true; - directories = ["/var/lib/nixos"]; + directories = [ + { + directory = "/var/lib/nixos"; + user = "root"; + group = "root"; + mode = "u=rwx,g=rx,o=rx"; + } + { + directory = "/var/lib/gitea"; + user = "gitea"; + group = "gitea"; + mode = "u=rwx,g=rx,o="; + } + { + directory = "/var/lib/jellyfin"; + user = "jellyfin"; + group = "jellyfin"; + mode = "u=rwx,g=rx,o="; + } + ]; }; systemPackages = with pkgs; [ + cifs-utils git my-vim ]; diff --git a/packages/default.nix b/packages/default.nix index 20fc436..aad8295 100644 --- a/packages/default.nix +++ b/packages/default.nix @@ -1,3 +1,4 @@ {pkgs}: { my-vim = pkgs.callPackage ./my-vim {}; + my-site = pkgs.callPackage ./my-site {}; } diff --git a/packages/my-site/default.nix b/packages/my-site/default.nix new file mode 100644 index 0000000..50b1ec5 --- /dev/null +++ b/packages/my-site/default.nix @@ -0,0 +1,2 @@ +{writeTextDir}: +writeTextDir "index.html" "my-site"
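Review bot: `useWizard = true` in the gitea block leaves Gitea's web install page active until someone completes it, and the same commit opens port 443 and proxies `gitea.dylanblades.com` straight to it, so the first anonymous visitor after activation can finish the installation and define the initial admin account; `service.DISABLE_REGISTRATION = true` does not cover that step. Prefer `useWizard = false` and create the administrator from the host with `gitea admin user create`, or keep the vhost out of nginx until setup is done. Gitea and Jellyfin are only reached through nginx here, so binding Gitea to loopback with `server.HTTP_ADDR = "127.0.0.1";` (and checking Jellyfin's bind address) means port 3000 and 8096 no longer depend solely on the firewall rule added earlier in this commit. The module's outer attribute set starts before this hunk.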