sokai/mynixos-config
1
1
Fork 0
forked from mirrors_public/oddlama_nix-config
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

chore: update to new agenix-rekey format

Browse source
This commit is contained in:
oddlama 2023-06-07 19:48:15 +02:00
parent 972b0456da
commit dec790c589
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
21 changed files with 195 additions and 100 deletions
Download patch file Download diff file Expand all files Collapse all files

39
hosts/ward/default.nix
View file

@ -24,6 +24,7 @@ in {
./fs.nix
./net.nix
./promtail.nix
];
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" "r8169"];
@ -68,7 +69,7 @@ in {
parentNodeName,
...
}: {
rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBXXjI6uB26xOF0DPy/QyLladoGIKfAtofyqPgIkCH/g";
age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBXXjI6uB26xOF0DPy/QyLladoGIKfAtofyqPgIkCH/g";
extra.wireguard.proxy-sentinel.client.via = "sentinel";
@ -91,14 +92,14 @@ in {
};
};
rekey.secrets.grafana-secret-key = {
file = ./secrets/grafana-secret-key.age;
age.secrets.grafana-secret-key = {
rekeyFile = ./secrets/grafana-secret-key.age;
mode = "440";
group = "grafana";
};
rekey.secrets.loki-basic-auth-password-grafana = {
file = ./secrets/loki-basic-auth-password-grafana.age;
age.secrets.loki-basic-auth-password = {
rekeyFile = ./secrets/loki-basic-auth-password.age;
mode = "440";
group = "grafana";
};
@ -116,14 +117,11 @@ in {
enable_gzip = true;
http_addr = config.extra.wireguard.proxy-sentinel.ipv4;
http_port = 3001;
# cert_key = /etc/grafana/grafana.key;
# cert_file = /etc/grafana/grafana.crt;
# protocol = "https"
};
security = {
disable_initial_admin_creation = true;
secret_key = "$__file{${config.rekey.secrets.grafana-secret-key.path}}";
secret_key = "$__file{${config.age.secrets.grafana-secret-key.path}}";
cookie_secure = true;
disable_gravatar = true;
hide_version = true;
@ -137,7 +135,7 @@ in {
allow_sign_up = true;
auto_login = true;
client_id = "grafana";
#client_secret = "$__file{${config.rekey.secrets.grafana-oauth-client-secret.path}}";
#client_secret = "$__file{${config.age.secrets.grafana-oauth-client-secret.path}}";
client_secret = "r6Yk5PPSXFfYDPpK6TRCzXK8y1rTrfcb8F7wvNC5rZpyHTMF"; # TODO temporary test not a real secret
scopes = "openid email profile";
login_attribute_path = "prefered_username";
@ -167,8 +165,8 @@ in {
url = "https://${lokiDomain}";
orgId = 1;
basicAuth = true;
basicAuthUser = "grafana";
secureJsonData.basicAuthPassword = "$__file{${config.rekey.secrets.loki-basic-auth-password-grafana.path}}";
basicAuthUser = "iB6UEjt4so4xWqei";
secureJsonData.basicAuthPassword = "$__file{${config.age.secrets.loki-basic-auth-password.path}}";
}
];
};
@ -180,13 +178,12 @@ in {
config,
...
}: {
rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN2TxWynLb8V9SP45kFqsoCWhe/dG8N1xWNuJG5VQndq";
age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN2TxWynLb8V9SP45kFqsoCWhe/dG8N1xWNuJG5VQndq";
extra.wireguard.proxy-sentinel.client.via = "sentinel";
networking.nftables.firewall = {
zones = lib.mkForce {
#local-vms.interfaces = ["local-vms"];
proxy-sentinel.interfaces = ["proxy-sentinel"];
sentinel = {
parent = "proxy-sentinel";
@ -204,13 +201,13 @@ in {
};
};
rekey.secrets."kanidm-self-signed.crt" = {
file = ./secrets/kanidm-self-signed.crt.age;
age.secrets."kanidm-self-signed.crt" = {
rekeyFile = ./secrets/kanidm-self-signed.crt.age;
mode = "440";
group = "kanidm";
};
rekey.secrets."kanidm-self-signed.key" = {
file = ./secrets/kanidm-self-signed.key.age;
age.secrets."kanidm-self-signed.key" = {
rekeyFile = ./secrets/kanidm-self-signed.key.age;
mode = "440";
group = "kanidm";
};
@ -221,8 +218,8 @@ in {
serverSettings = {
domain = authDomain;
origin = "https://${config.services.kanidm.serverSettings.domain}";
tls_chain = config.rekey.secrets."kanidm-self-signed.crt".path;
tls_key = config.rekey.secrets."kanidm-self-signed.key".path;
tls_chain = config.age.secrets."kanidm-self-signed.crt".path;
tls_key = config.age.secrets."kanidm-self-signed.key".path;
bindaddress = "${config.extra.wireguard.proxy-sentinel.ipv4}:8300";
trust_x_forward_for = true;
};
@ -247,7 +244,7 @@ in {
utils,
...
}: {
rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDDvvF3+KwfoZrPAUAt2HS7y5FM9S5Mr1iRkBUqoXno";
age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDDvvF3+KwfoZrPAUAt2HS7y5FM9S5Mr1iRkBUqoXno";
extra.wireguard.proxy-sentinel.client.via = "sentinel";

66
hosts/ward/promtail.nix
View file

@ -1,20 +1,45 @@
{
lib,
config,
lib,
nodeName,
nodes,
parentNodeName,
...
}: {
}: let
inherit (nodes.sentinel.config.repo.secrets.local) personalDomain;
lokiDomain = "loki.${personalDomain}";
in {
age.secrets.loki-basic-auth-password = {
rekeyFile = ./secrets/loki-basic-auth-password.age;
file = ./aaa;
#file = ./aaa;
#generate = "alnum48";
mode = "440";
group = "promtail";
};
#age.secrets.loki-basic-auth-password = {
# generate = "alnum48";
# mode = "440";
# group = "promtail";
#};
services.promtail = {
enable = true;
configuration = {
server.http_listen_port = 9080;
server.grpc_listen_port = 0;
server = {
http_listen_port = 9080;
grpc_listen_port = 0;
log_level = "warn";
};
clients = [
{
basic_auth.username = "promtail@thalheim.io";
basic_auth.password_file = config.sops.secrets.promtail-password.path;
url = "http://loki.r/loki/api/v1/push";
#basic_auth.username = nodeName;
#basic_auth.password_file = config.age.random-secrets.loki-basic-auth-password.path;
basic_auth.username = "iB6UEjt4so4xWqei";
basic_auth.password_file = config.age.secrets.loki-basic-auth-password.path;
url = "https://${lokiDomain}/loki/api/v1/push";
}
];
@ -23,7 +48,7 @@
job_name = "journal";
journal = {
json = true;
max_age = "12h";
max_age = "24h";
labels.job = "systemd-journal";
};
pipeline_stages = [
@ -55,7 +80,6 @@
{
template = {
source = "msg";
# FIXME would be cleaner to have this in a match block, but could not get it to work
template = "{{if .coredump_exe}}{{.coredump_exe}} core dumped (user: {{.coredump_uid}}/{{.coredump_gid}}, command: {{.coredump_cmdline}}){{else}}{{.msg}}{{end}}";
};
}
@ -83,6 +107,30 @@
source_labels = ["__journal__hostname"];
target_label = "host";
}
{
source_labels = ["__journal_priority"];
target_label = "priority";
}
{
source_labels = ["__journal_priority_keyword"];
target_label = "level";
}
#{
# source_labels = ["__journal__systemd_unit"];
# target_label = "unit";
#}
{
source_labels = ["__journal__systemd_user_unit"];
target_label = "user_unit";
}
{
source_labels = ["__journal__boot_id"];
target_label = "boot_id";
}
{
source_labels = ["__journal__comm"];
target_label = "command";
}
];
}
];

0
hosts/ward/secrets/loki-basic-auth-password-grafana.age → hosts/ward/secrets/loki-basic-auth-password.age
View file

6
hosts/ward/vaultwarden.nix
View file

@ -33,7 +33,7 @@
#SMTP_SECURITY = "force_tls";
#SMTP_USERNAME={{ vaultwarden_smtp_username }};
#SMTP_PASSWORD={{ vaultwarden_smtp_password }};
#environmentFile = config.rekey.secrets.vaultwarden-env.path;
#environmentFile = config.age.secrets.vaultwarden-env.path;
};
# Replace uses of old name
@ -58,8 +58,8 @@
virtualHosts."${config.repo.secrets.local.vaultwarden.domain}" = {
forceSSL = true;
#enableACME = true;
sslCertificate = config.rekey.secrets."selfcert.crt".path;
sslCertificateKey = config.rekey.secrets."selfcert.key".path;
sslCertificate = config.age.secrets."selfcert.crt".path;
sslCertificateKey = config.age.secrets."selfcert.key".path;
locations."/" = {
proxyPass = "http://vaultwarden";
proxyWebsockets = true;