Add new host sphinx.lewd.wtf
This commit is contained in:
parent
45fbd6e8a8
commit
b17770b56b
|
@ -7,6 +7,7 @@ keys:
|
|||
- &host_kinda_sus_lol age187hkscvxar33wta3zvgypj6kkc02g6sewwmfwmup26z2fuhwpamsa2d8yh
|
||||
- &host_nyx_lewd_wtf age1vnyex6qqzwl5laxgww9xzcqy9ht85s0etgq0esry8gk7ad0eaq8qz9p5ya
|
||||
- &host_phoenix_lewd_wtf age1tf5077gpdp3cp4hedvng5wltzvp9jg0ehpt7czhnczlx6ctvqpjstvrmmh
|
||||
- &host_sphinx_lewd_wtf age1myz28jqex5kpcsjqg2a0la8cyuutzj4cxf53vs3v8ey6fqzvk3ws8z8k3h
|
||||
creation_rules:
|
||||
# kinda.sus.lol
|
||||
- path_regex: hosts/kinda.sus.lol/secrets/.*
|
||||
|
@ -26,3 +27,9 @@ creation_rules:
|
|||
- age:
|
||||
- *admin_ecchi
|
||||
- *host_phoenix_lewd_wtf
|
||||
# sphinx.lewd.wtf
|
||||
- path_regex: hosts/sphinx.lewd.wtf/secrets/.*
|
||||
key_groups:
|
||||
- age:
|
||||
- *admin_ecchi
|
||||
- *host_sphinx_lewd_wtf
|
||||
|
|
23
flake.nix
23
flake.nix
|
@ -21,6 +21,16 @@
|
|||
];
|
||||
};
|
||||
|
||||
"sphinx.lewd.wtf" = nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
specialArgs = { inherit inputs self; };
|
||||
modules = [
|
||||
sops-nix.nixosModules.sops
|
||||
./default.nix
|
||||
./hosts/sphinx.lewd.wtf/configuration.nix
|
||||
];
|
||||
};
|
||||
|
||||
"aztul.elmosco.lewd.wtf" = nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
specialArgs = { inherit inputs self; };
|
||||
|
@ -75,7 +85,18 @@
|
|||
user = "root";
|
||||
};
|
||||
};
|
||||
|
||||
"sphinx.lewd.wtf" = {
|
||||
sshOpts = [ "-p" "222" "-o" "StrictHostKeyChecking=no" ];
|
||||
hostname = "sphinx.lewd.wtf";
|
||||
fastConnection = true;
|
||||
|
||||
profiles.system = {
|
||||
sshUser = "root";
|
||||
path =
|
||||
deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations."sphinx.lewd.wtf";
|
||||
user = "root";
|
||||
};
|
||||
};
|
||||
"aztul.elmosco.lewd.wtf" = {
|
||||
sshOpts = [ "-p" "22111" "-o" "StrictHostKeyChecking=no" ];
|
||||
hostname = "aztul.elmosco.lewd.wtf";
|
||||
|
|
|
@ -0,0 +1,25 @@
|
|||
{ self, config, pkgs, lib, ... }:
|
||||
let
|
||||
utils = import ../../util/include.nix { lib = lib; };
|
||||
imports =
|
||||
(utils.includeDir ./services) ++
|
||||
[
|
||||
./hardware-configuration.nix
|
||||
./networking.nix
|
||||
./secrets.nix
|
||||
];
|
||||
in
|
||||
{
|
||||
inherit imports;
|
||||
|
||||
networking.hostName = "sphinx";
|
||||
networking.domain = "lewd.wtf";
|
||||
|
||||
boot.loader.grub = {
|
||||
enable = true;
|
||||
efiSupport = false;
|
||||
devices = [ "/dev/sda" ];
|
||||
};
|
||||
|
||||
system.stateVersion = "24.05";
|
||||
}
|
|
@ -0,0 +1,11 @@
|
|||
{ modulesPath, ... }:
|
||||
{
|
||||
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
|
||||
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
|
||||
boot.kernelModules = [ "nvme" ];
|
||||
|
||||
fileSystems."/" = {
|
||||
device = "/dev/sda1";
|
||||
fsType = "ext4";
|
||||
};
|
||||
}
|
|
@ -0,0 +1,32 @@
|
|||
{ lib, ... }: {
|
||||
# This file was populated at runtime with the networking
|
||||
# details gathered from the active system.
|
||||
networking = {
|
||||
nameservers = [ "8.8.8.8" ];
|
||||
defaultGateway = "172.31.1.1";
|
||||
defaultGateway6 = {
|
||||
address = "fe80::1";
|
||||
interface = "eth0";
|
||||
};
|
||||
dhcpcd.enable = false;
|
||||
usePredictableInterfaceNames = lib.mkForce false;
|
||||
interfaces = {
|
||||
eth0 = {
|
||||
ipv4.addresses = [
|
||||
{ address="116.203.182.240"; prefixLength=32; }
|
||||
];
|
||||
ipv6.addresses = [
|
||||
{ address="2a01:4f8:1c1b:7a9b::1"; prefixLength=64; }
|
||||
{ address="fe80::9400:3ff:fe62:dffe"; prefixLength=64; }
|
||||
];
|
||||
ipv4.routes = [ { address = "172.31.1.1"; prefixLength = 32; } ];
|
||||
ipv6.routes = [ { address = "fe80::1"; prefixLength = 128; } ];
|
||||
};
|
||||
|
||||
};
|
||||
};
|
||||
services.udev.extraRules = ''
|
||||
ATTR{address}=="96:00:03:62:df:fe", NAME="eth0"
|
||||
|
||||
'';
|
||||
}
|
|
@ -0,0 +1,13 @@
|
|||
{ config, ... }:
|
||||
{
|
||||
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
|
||||
# Vaultwarden
|
||||
sops.secrets."services/vaultwarden/.env" = {
|
||||
mode = "0400";
|
||||
owner = config.users.users.vaultwarden.name;
|
||||
group = config.users.users.vaultwarden.group;
|
||||
sopsFile = ./secrets/vaultwarden.env;
|
||||
format = "dotenv";
|
||||
};
|
||||
}
|
|
@ -0,0 +1,11 @@
|
|||
ADMIN_TOKEN=ENC[AES256_GCM,data:xAMhqj/wAqmDPUEo+IUMsaY9+/dTOmdwm5NKu7LC9PGgyORRVjowI5Fu/3j47u9JKLXPyGvQM33s+S3VqNhspQ==,iv:yCdNQbQx86CZU7GvShcL9YxOlzGr/bTfTp5DDMudTDs=,tag:QRsgnB9K1DcEcHlGrUA2EQ==,type:str]
|
||||
SMTP_PASSWORD=ENC[AES256_GCM,data:JvSxXTTPQmox2O7n28018A==,iv:uA3WytiA9o/3qohl/eaMD7gVbORo4YZg2gzT/qZZHbA=,tag:v3Rkhp4HpjZE8Z45N3jcxQ==,type:str]
|
||||
YUBICO_SECRET_KEY=ENC[AES256_GCM,data:oUXZDR5F1eXNKFYYiK9BQfeuves36PdqfKE1Yb7Z,iv:XDmIl7dqV8R7bykwtQz3EQIf1qJHh3wPbL9RAu6ZWEk=,tag:F5kb5XqY0JPeBGYOFrQC8g==,type:str]
|
||||
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjcWZxL3Q4dElaV0hjWm9J\nN1ViOEZkS3Z1RlAvRHFKZjdhU2drNWFZT3dBClY3Rm1lK1FaR1hmSTZ5dUJSNktK\ndGhneVdXS2R3MXB4N01yaTBlaGxjSEUKLS0tIHY3ejBnUzNlRWs3L0c3bkpBRFk5\ndHJNdG9ESHZ3ZzlPMExwNmpZSHpYZVUK9d6xS6ji8N3rZS1OmXJU7VZd6jZNETPK\nZTozNHhcvQiXTdlc23cSUZOHeJyugV+IjRpkDUBjh/0f/YzBNH7gsA==\n-----END AGE ENCRYPTED FILE-----\n
|
||||
sops_age__list_0__map_recipient=age17wdazshqnfe63cy7mmsmwld75e5wedgn8gngvmvlqdktlr86c4us87tjxv
|
||||
sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtTEdOT3RaQWNzQkhzd0ds\ncS9tVWZJbDNMUmNCcWpRSDJwbDV4cUpHZ0ZJCkdBUGRxOUp2QnpYSnRpdzFxK2Fj\nSW9lRUIxbFBoWDFYVEhDK3FvOGk0VzgKLS0tIENBVkpTa0ZpTFFpVG4yR1p2c1lT\nZExSWmdUTXR5SS8yZzQ1VExGdkk0alkKIebJqoBgEv9KK8Nmtyo4xYAd8UA7czBC\noRHZv9cduFhA55iDvEQIdfrDJGMTCAbnuXEGlh0hee0KFFrsar7FEg==\n-----END AGE ENCRYPTED FILE-----\n
|
||||
sops_age__list_1__map_recipient=age1myz28jqex5kpcsjqg2a0la8cyuutzj4cxf53vs3v8ey6fqzvk3ws8z8k3h
|
||||
sops_lastmodified=2024-06-06T10:12:52Z
|
||||
sops_mac=ENC[AES256_GCM,data:KRi4A7W8/SWaSdX6kz1r00u0s0e+H9T1DlNlWXjbL5ZqUiACBGvmnlU0Ylqter7JBnP6hM3y34wuTH3XzqpAmcPLSCg6bhLqV24AIzTxb/xJJUj0G2uTle//LUipVVem19ECVS0refj36nDd4Lzuyy6fe6uowQMkt2vzLlmr6t8=,iv:1DTq4KQLJwyByoFP6inLp4DmrFra+ca1EEAGgUJ5NMs=,tag:oovcb4hGB1dyOzR5GV5wog==,type:str]
|
||||
sops_unencrypted_suffix=_unencrypted
|
||||
sops_version=3.7.3
|
|
@ -0,0 +1,7 @@
|
|||
{
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
};
|
||||
}
|
|
@ -0,0 +1,60 @@
|
|||
{ config, ... }:
|
||||
{
|
||||
users.users.vaultwarden.extraGroups = [ config.users.groups.keys.name ];
|
||||
|
||||
services.vaultwarden = {
|
||||
enable = true;
|
||||
environmentFile = "/run/secrets/services/vaultwarden/.env";
|
||||
config = {
|
||||
DOMAIN = "https://vault.lewd.wtf";
|
||||
SIGNUPS_ALLOWED = false;
|
||||
SIGNUPS_VERIFY = true;
|
||||
INVITATIONS_ALLOWED = false;
|
||||
WEBSOCKET_ENABLED = true;
|
||||
WEBSOCKET_PORT = 3012;
|
||||
ROCKET_PORT = 8222;
|
||||
SMTP_HOST = "mail.your-server.de";
|
||||
SMTP_FROM = "vaultwarden@lewd.wtf";
|
||||
SMTP_FROM_NAME = "Vaultwarden";
|
||||
SMTP_USERNAME = "vaultwarden@lewd.wtf";
|
||||
YUBICO_CLIENT_ID = 88022;
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx.clientMaxBodySize = "128M";
|
||||
|
||||
services.nginx.virtualHosts."vault.lewd.wtf" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:8222";
|
||||
proxyWebsockets = true; # needed if you need to use WebSocket
|
||||
extraConfig =
|
||||
"proxy_set_header Host $host;" +
|
||||
"proxy_set_header X-Real-IP $remote_addr;" +
|
||||
"proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;" +
|
||||
"proxy_set_header X-Forwarded-Proto $scheme;"
|
||||
;
|
||||
};
|
||||
locations."/notifications/hub/negotiate" = {
|
||||
proxyPass = "http://127.0.0.1:8222";
|
||||
proxyWebsockets = true; # needed if you need to use WebSocket
|
||||
extraConfig =
|
||||
"proxy_set_header Host $host;" +
|
||||
"proxy_set_header X-Real-IP $remote_addr;" +
|
||||
"proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;" +
|
||||
"proxy_set_header X-Forwarded-Proto $scheme;"
|
||||
;
|
||||
};
|
||||
locations."/notifications/hub" = {
|
||||
proxyPass = "http://127.0.0.1:3012";
|
||||
proxyWebsockets = true; # needed if you need to use WebSocket
|
||||
extraConfig =
|
||||
"proxy_set_header Host $host;" +
|
||||
"proxy_set_header X-Real-IP $remote_addr;" +
|
||||
"proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;" +
|
||||
"proxy_set_header X-Forwarded-Proto $scheme;"
|
||||
;
|
||||
};
|
||||
};
|
||||
}
|
Loading…
Reference in New Issue