From 6a7d8fe4bee4f2fee8a4326eba7a22459d4c9924 Mon Sep 17 00:00:00 2001
From: "Lennart J. Kurzweg (Nx2)"
Date: Fri, 15 Nov 2024 14:10:48 +0100
Subject: [PATCH 1/4] nx2site002 (unready)

---
 configuration.nix | 3 +-
 sops-secrets.yaml | 5 +-
 system-modules/nx2site/gitea.nix | 159 +++++++++++++++++++++----
 system-modules/nx2site/proxy.nix | 7 +-
 system-modules/nx2site/vaultwarden.nix | 43 +++++++
 system-modules/postgres.nix | 8 +-
 6 files changed, 193 insertions(+), 32 deletions(-)

diff --git a/configuration.nix b/configuration.nix
index e64be4d..38fbeae 100755
--- a/configuration.nix
+++ b/configuration.nix
@@ -42,7 +42,7 @@
 ./system-modules/postgres.nix
 ./system-modules/nx2site/proxy.nix
 # ./system-modules/nx2site/gitea.nix
- # ./system-modules/nx2site/vaultwarden.nix
+ ./system-modules/nx2site/vaultwarden.nix
 ] else []);

 # Set your time zone.
@@ -99,6 +99,7 @@
 blueman
 dmidecode
 file
+ cowsay
 # ]) ++ (with pkgs-unstable; [
 # # sendme
 ]);
diff --git a/sops-secrets.yaml b/sops-secrets.yaml
index 83699ae..3499e89 100644
--- a/sops-secrets.yaml
+++ b/sops-secrets.yaml
@@ -27,6 +27,7 @@ nx2site: sslCertificate.pem: ENC[AES256_GCM,data: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,iv:r4vqXNMieiy9+E1ZIknUxQtxgEoZh7zSSrJ0yS5KQUs=,tag:AYX7RayP3dmNgUnkytQg7Q==,type:str] sslCertificateKey.pem: ENC[AES256_GCM,data:Wzmi17UA4mpCr4VaUolfKwZJEZ5K9Ybp2/K3noC/D/QYlgJfwWnQEoXDfLj3lVVnz0V/m71NAtZ9p3/jhiQCyIwt0cOmsAmd1isHf0KQwGagc8cHttwDeZT7AzLW4axqevpZM8bjVk/TJ/k+uGbArqSwgu2W7C77uCltSS8AydWzD2D7eQciDZzQ4yyHShW9f0SH8Q/wumuY4ksjLs4roYtQgtr1ezUb1U329xA1y81apd47RHviJ/moOBQYY2Y8fbNryUmfqvGYtsfXxmNElJpGAStqjBCo0bncOetP+bfj90CJlbkIn1JzcPOa5ZJjDg==,iv:28PcaWyOsQ8gN6qvZYDS3H4lKKlU7ihxxLUXMYgHPEY=,tag:6t+jvoAZkYlqg/2d8V5Emw==,type:str] dhparams.pem: ENC[AES256_GCM,data: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,iv:e0RPF9ZtzSRBRzMtWTWY3AVGsMXxvldA2HjiW9hf97Q=,tag:eb9ACnuGR+8eqncWoKQ/pw==,type:str] + vaultwarden.env: ENC[AES256_GCM,data:9LcB2B/IJ2xQCTNKtRr9bBbtFqZMGSi/9jPozmGUtMvgeVqlljpbtVgCzH62oeUQMLeKQ0SxHsQ7GDgU25X6wVZ8qMT4hzVzNYJnXljs1/ePPN+NfCsPtnBjo+jQLvhVPb8gIGpmT/ZqNMXBLNpLWu2U3RQVzwlJS2wQsP4kbR+z2nuEL/bs52qI9cNmsRTA/C8gIQHCHJby+PTh6BbXp0Wvy0xI+KHKx2qSYiVXsjowid+0h56/Ma1cqUcZlxUiDSUYmTvmgYPzigFD9jOkg1mhHRIi8iste6EDVWB0jHcKMMihd7dMZ64/UUY2y5/ardIP9jUA,iv:/EQv/PYTIHANDjbjMe/BmY6dwjok9YsYj5iKLWyu0eI=,tag:IMcJ3nle9wJANuogrJBUuQ==,type:str] USERTrust: ECC: ENC[AES256_GCM,data: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,iv:GS5GMpbxeweqwjUvOzqg59xBOzNZqrL5t7RjsFjpucM=,tag:j0MaMw71fnRHxeydlqAaww==,type:str] RSA: ENC[AES256_GCM,data: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,iv:NJkjWL5kMHET68oR5Xp22kvkThXIp7WxRVajmTfsB5M=,tag:NSXeRItMKlOQYP4QtzMKIg==,type:str] 
@@ -80,8 +81,8 @@ sops: SHJLR3lvdlFiRmJuU25RUHFFTmpjamMKbzycdDvQBAuOiRROTZEQSnaXoPapz73L yVS9EUP25FSx/sGqRqaCefbeaybuM1aso6LDnlomv4Bib7zjugWKSw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-10T17:15:08Z" - mac: ENC[AES256_GCM,data:VIPBKaDhSV7TG+pbo1OtdREJeqwdXqqDETeXkvhIs0Bz/c01MZXqPgubINW9tSLrNewFWSU5xI0O7L2ExBIjZxJ/nEmQkNkN+CUy1uGwatxsqa7gyVs1gXpIPPUGgStDMu8iukUSj9mLg9xQwGu0hGoC7DCbGqpu7blbUUzg0dE=,iv:+cR1vV7O3VdacP4MwAFkyBjKnqteL6AuV1H3Hh5hz28=,tag:WV/NHHPxvlkdslZbb0FBXA==,type:str] + lastmodified: "2024-11-12T11:43:15Z" + mac: ENC[AES256_GCM,data:pTPpth9Yx8YqCBhdoj5zwMNWVICwl2YIweEoqujainoizgTr4SIWE1dF+NUpYOYk/csZMvEImo9lJe6ywF5Yd9p+x4NyWAVIwGR5ylFT574u59ow/y2lTGWoiPS4oKjUFhdM2APk8Mfgk2/yP+ZyW0X2tiYz9CYp16v0xW8mtRk=,iv:kqRR/YMJDNLws4FtvCrE7JVVanXZ2zzYiC+Z6m6g/tk=,tag:OOGSofEVs+ms52dJ3WJmQQ==,type:str] pgp: - created_at: "2024-06-09T19:44:41Z" enc: |- diff --git a/system-modules/nx2site/gitea.nix b/system-modules/nx2site/gitea.nix index 746c90f..6f877ea 100644 --- a/system-modules/nx2site/gitea.nix +++ b/system-modules/nx2site/gitea.nix @@ -1,12 +1,16 @@ -{ config, pkgs-unstable, domain, ... }: +{ config, pkgs, lib, domain, ... }: { sops.secrets = { - "postgres-pw" = { owner = "gitea"; }; + "postgres-pw" = { owner = config.services.gitea.user; }; }; + environment.systemPackages = with pkgs; [ + gitea + ]; + services.gitea = { enable = true; - package = pkgs-unstable.gitea; + package = pkgs.gitea; group = "gitea"; # default user = "gitea"; # default appName = "NxGit"; 
@@ -26,20 +30,20 @@ name = "gitea"; # default user = "gitea"; # default }; - dump = { - enable = true; - backupDir = "${config.services.gitea.stateDir}/dump"; # default - file = null; # default - interval = "daily"; - type = "zip"; # default - }; - extraConfig = null; # default - lfs = { - enable = false; # default - contentDir = "${config.services.gitea.stateDir}/data/lfs"; # default - }; - mailerPasswordFile = null; # default - metricsTokenFile = null; # default + # dump = { + # enable = true; + # backupDir = "${config.services.gitea.stateDir}/dump"; # default + # file = null; # default + # interval = "daily"; + # type = "zip"; # default + # }; + # extraConfig = null; # default + # lfs = { + # enable = false; # default + # contentDir = "${config.services.gitea.stateDir}/data/lfs"; # default + # }; + # mailerPasswordFile = null; # default + # metricsTokenFile = null; # default repositoryRoot = "${config.services.gitea.stateDir}/repositories"; # default settings = { log = { @@ -47,17 +51,17 @@ # LEVEL = "Error"; ROOT_PATH = "${config.services.gitea.stateDir}/log"; # default }; - i18n = { - LANGS = "en-US"; - }; + # i18n = { + # LANGS = "en-US"; + # }; server = { DISABLE_SSH = false; # default SSH_PORT = 20022; - DOMAIN = "pw2.${domain}"; - HTTP_ADDR = "http://${config.services.gitea.settings.server.DOMAIN}:${toString config.services.gitea.settings.server.HTTP_PORT}/"; - HTTP_PORT = 3000; # default - PROTOCOL = "http"; # default - ROOT_URL = "https:pw2.${domain}/"; # default + # DOMAIN = "pw2.${domain}"; + # HTTP_ADDR = "${config.services.gitea.settings.server.DOMAIN}:${toString config.services.gitea.settings.server.HTTP_PORT}/"; + # HTTP_PORT = 3000; # default + # PROTOCOL = "http"; # default + # ROOT_URL = "https:pw2.${domain}/"; # default STATIC_ROOT_PATH = "${config.services.gitea.stateDir}/static"; }; session = { 
@@ -69,3 +73,108 @@ }; }; } +# APP_NAME = Gitea: Git with a cup of tea +# RUN_MODE = prod +# RUN_USER = git +# WORK_PATH = /data/gitea + +# [repository] +# ROOT = /data/git/repositories +# ENABLE_PUSH_CREATE_ORG = true +# ENABLE_PUSH_CREATE_USER = true + +# [repository.local] +# LOCAL_COPY_PATH = /data/gitea/tmp/local-repo + +# [repository.upload] +# TEMP_PATH = /data/gitea/uploads + +# [server] +# APP_DATA_PATH = /data/gitea +# DOMAIN = git.nx2.site +# SSH_DOMAIN = git.nx2.site +# HTTP_PORT = 3000 +# ROOT_URL = https://git.nx2.site/ +# DISABLE_SSH = false +# SSH_PORT = 22 +# SSH_LISTEN_PORT = 22 +# LFS_START_SERVER = true +# LFS_JWT_SECRET = aitnnoway +# OFFLINE_MODE = false + +# [database] +# PATH = /data/gitea/gitea.db +# DB_TYPE = postgres +# HOST = giteadb:5432 +# NAME = gitea +# USER = gitea +# PASSWD = -lkjlkj +# LOG_SQL = false +# SCHEMA = +# SSL_MODE = disable + +# [indexer] +# ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve + +# [session] +# PROVIDER_CONFIG = /data/gitea/sessions +# PROVIDER = file + +# [picture] +# AVATAR_UPLOAD_PATH = /data/gitea/avatars +# REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars + +# [attachment] +# PATH = /data/gitea/attachments + +# [log] +# MODE = console +# LEVEL = info +# ROOT_PATH = /data/gitea/log + +# [security] +# INSTALL_LOCK = true +# SECRET_KEY = +# REVERSE_PROXY_LIMIT = 1 +# REVERSE_PROXY_TRUSTED_PROXIES = * +# INTERNAL_TOKEN = faaaaakeeyJuYmYiOjE3MTMxMTAzMjN9.iliwlrfZDTb8oL296gpXRYhC-6_AJdjePO7dk3NT-PE +# PASSWORD_HASH_ALGO = pbkdf2 + +# [service] +# DISABLE_REGISTRATION = true +# REQUIRE_SIGNIN_VIEW = false +# REGISTER_EMAIL_CONFIRM = false +# ENABLE_NOTIFY_MAIL = false +# ALLOW_ONLY_EXTERNAL_REGISTRATION = false +# ENABLE_CAPTCHA = false +# DEFAULT_KEEP_EMAIL_PRIVATE = false +# DEFAULT_ALLOW_CREATE_ORGANIZATION = true +# DEFAULT_ENABLE_TIMETRACKING = true +# NO_REPLY_ADDRESS = noreply.nx2.site + +# [lfs] +# PATH = /data/git/lfs + +# [mailer] +# ENABLED = true +# SMTP_ADDR = smtp.gmail.com +# 
SMTP_PORT = 587 +# FROM = git@nx2.site +# USER = lennart.kurzweg.lk@gmail.com +# PASSWD = "ihh" + +# [openid] +# ENABLE_OPENID_SIGNIN = true +# ENABLE_OPENID_SIGNUP = false + +# [cron.update_checker] +# ENABLED = false + +# [repository.pull-request] +# DEFAULT_MERGE_STYLE = merge + +# [repository.signing] +# DEFAULT_TRUST_MODEL = committer + +# [oauth2] +# JWT_SECRET = redavt diff --git a/system-modules/nx2site/proxy.nix b/system-modules/nx2site/proxy.nix index e6aa7a9..df9f34a 100644 --- a/system-modules/nx2site/proxy.nix +++ b/system-modules/nx2site/proxy.nix @@ -110,7 +110,9 @@ }; "pw2.${domain}" = vh // { listen = dl; - locations = let d = "127.0.0.1:3000"; in { + locations = let + d = with config.services.vaultwarden.config; "${ROCKET_ADDRESS}:${builtins.toString ROCKET_PORT}"; + in { "/" = { proxyPass = "http://${d}"; }; "/admin" = { proxyPass = "http://${d}"; }; "/notifications/hub" = { proxyPass = "http://${d}"; }; @@ -126,8 +128,9 @@ locations = { "/" = { proxyPass = "http://git.docker:3000"; }; }; }; "git2.${domain}" = vh // { + http2 = false; listen = dl; - locations = { "/" = { proxyPass = "http://127.0.0.1:8222"; }; }; + locations = { "/" = { proxyPass = "http://127.0.0.1:3000"; }; }; }; "~^(.*).${domain}$" = { listen = dl; diff --git a/system-modules/nx2site/vaultwarden.nix b/system-modules/nx2site/vaultwarden.nix index e69de29..c7fe7e7 100644 --- a/system-modules/nx2site/vaultwarden.nix +++ b/system-modules/nx2site/vaultwarden.nix 
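Review bot: The app.ini dump appended at the end of gitea.nix carries credential-shaped values in its new lines (`LFS_JWT_SECRET`, `[database] PASSWD`, `INTERNAL_TOKEN`, `[mailer] PASSWD`, `[oauth2] JWT_SECRET`) together with a personal mailbox address. They read like placeholders, and patch 2/4 deletes the block again, but a pushed commit keeps them in history, so anything in that list that was ever live on the earlier deployment should be rotated, and Gitea's INTERNAL_TOKEN and JWT secrets are better left to the module's generated secret files than pasted into a comment. The dump's `REVERSE_PROXY_TRUSTED_PROXIES = *` is also worth not carrying over, since it lets any client that can reach port 3000 directly supply X-Forwarded-* headers. If a reference config is wanted in the repo, blank the sensitive keys, e.g. `# INTERNAL_TOKEN = <redacted>`.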
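Review bot: The rewritten `locations` for `pw2.${domain}` still publish `/admin` to every client behind nothing but the Vaultwarden ADMIN_TOKEN. If the admin page is only used from the LAN or a VPN, restrict that one location at the proxy, e.g. `"/admin" = { proxyPass = "http://${d}"; extraConfig = "allow 127.0.0.1; deny all;"; };` with the trusted ranges in place of localhost, so a leaked or weak token cannot be used from outside. Deriving `d` from `config.services.vaultwarden.config` keeps the upstream address in one place; the `git2.${domain}` hunk below could do the same with the Gitea port instead of the literal `127.0.0.1:3000`.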
@@ -0,0 +1,43 @@
+{ config, pkgs, secrets, domain, ... }:
+{
+ sops.secrets = {
+ "nx2site/vaultwarden.env" = {
+ owner = "vaultwarden";
+ };
+ };
+ services.vaultwarden = {
+ enable = true;
+ package = pkgs.vaultwarden;
+ webVaultPackage = pkgs.vaultwarden.webvault;
+ dbBackend = "postgresql";
+ # backupDir = "/var/backup/vaultwarden";
+ environmentFile = config.sops.secrets."nx2site/vaultwarden.env".path;
+ config = {
+ ROCKET_ADDRESS = "127.0.0.1";
+ ROCKET_PORT = 8222;
+
+ DATABASE_URL = "@DATABASE_URL@";
+ # DATABASE_URL = "postgresql://vaultwarden:fakepw123@127.0.0.1:5432/vaultwarden";
+
+ SMTP_HOST = "smtp.gmail.com";
+ SMTP_FROM = secrets.email.gmail-online.mail;
+ SMTP_PORT = 587;
+ SMTP_SECURITY = "starttls";
+ SMTP_USERNAME = secrets.email.gmail-online.mail;
+ SMTP_PASSWORD = "@SMTP_PASSWORD@";
+ LOGIN_RATELIMIT_MAX_BURST = 10;
+ LOGIN_RATELIMIT_SECONDS = 60;
+ DOMAIN = "https://pw2.${domain}";
+ INVITATION_ORG_NAME = "NxPW";
+ INVITATIONS_ALLOWED = true;
+ ADMIN_TOKEN = "@ADMIN_TOKEN@";
+ SIGNUPS_ALLOWED = false;
+ SIGNUPS_VERIFY = true;
+ SIGNUPS_VERIFY_RESEND_TIME = 3600;
+ SIGNUPS_VERIFY_RESEND_LIMIT = 6;
+ EMERGENCY_ACCESS_ALLOWED = true;
+ SENDS_ALLOWED = true;
+ WEB_VAULT_ENABLED = true;
+ };
+ };
+}
diff --git a/system-modules/postgres.nix b/system-modules/postgres.nix
index 35909af..f37ad51 100644
--- a/system-modules/postgres.nix
+++ b/system-modules/postgres.nix
@@ -23,7 +23,7 @@
 # recoveryConfig = null;
 ensureDatabases = [
 "gitea"
- # "vaultwarden"
+ "vaultwarden"
 ];
 settings = {
 port = 5432; # default
@@ -48,7 +48,11 @@
 {
 # as liong as there is no declarative user management you gotta set a pw by hand
 # sudo -u postgres psql -c "ALTER USER gitea PASSWORD 'new-passwd';"
- name = "gitea";
+ name = "gitea";
+ ensureDBOwnership = true;
+ }
+ {
+ name = "vaultwarden";
 ensureDBOwnership = true;
 }
 ];
From f5af726382feaeb26647eb9f0666c56441ce7bbc Mon Sep 17 00:00:00 2001
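Review bot: `ADMIN_TOKEN`, `SMTP_PASSWORD` and `DATABASE_URL` are set to literal `@…@` placeholders in `config` and depend on the sops `environmentFile` overriding the same variable names; as far as I can tell from the module's env-file handling, a key missing from that file leaves the placeholder as the effective value, and for `ADMIN_TOKEN` that would be a publicly known admin credential on the `/admin` route the proxy exposes. Safer to leave those three keys out of `config` entirely, so an absent secret disables the admin page or fails startup instead of silently using the placeholder, and to store `ADMIN_TOKEN` as an Argon2 PHC hash (upstream's `vaultwarden hash` helper produces one) rather than plaintext. The commented `DATABASE_URL = "postgresql://vaultwarden:fakepw123@127.0.0.1:5432/vaultwarden"` line should not stay in the file either, even with a dummy password, because it documents the shape of the real credential. I cannot see the sops env file here, so whether every placeholder is actually overridden needs confirming on the host.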
From: "Lennart J. Kurzweg (Nx2)"
Date: Wed, 20 Nov 2024 01:24:57 +0100
Subject: [PATCH 2/4] nx2site gitea and vaultwarden (working)

---
 configuration.nix | 2 +-
 git-crypt/secrets.nix | Bin 3134 -> 3129 bytes
 home-modules/ssh.nix | 2 +-
 system-modules/nx2site.nix | 109 ++++++++++++-----
 system-modules/nx2site/gitea.nix | 160 +++++-------------------
 system-modules/nx2site/proxy.nix | 28 ++---
 system-modules/nx2site/vaultwarden.nix | 2 +-
 system-modules/postgres.nix | 61 ++++------
 system-modules/sshd.nix | 4 +-
 system-modules/users.nix | 2 +-
 10 files changed, 157 insertions(+), 213 deletions(-)

diff --git a/configuration.nix b/configuration.nix
index 65a5205..9e989cb 100755
--- a/configuration.nix
+++ b/configuration.nix
@@ -42,7 +42,7 @@
 ./system-modules/nx2site.nix
 ./system-modules/postgres.nix
 ./system-modules/nx2site/proxy.nix
- # ./system-modules/nx2site/gitea.nix
+ ./system-modules/nx2site/gitea.nix
 ./system-modules/nx2site/vaultwarden.nix
 ] else []);

diff --git a/git-crypt/secrets.nix b/git-crypt/secrets.nix index c6f0ad4cfb8d3016a42a0cf8a7610443d4a5d5aa..7f066b13a1e712156ab46843331e2fd5162c2ad2 100755 GIT binary patch literal 3129 zcmZQ@_Y83kiVO&0aQS#eNwO(#$)5u&ZMOwJT;5f#^v~7gxZcJ;3}3H#91o1mJALOw zIp=kgDZK8+pXNQEKJ%Ttfs|Iq`-88!ufJ9gjefhx`Kt6j0~z+e2hOt_K60^skv*G* z@$0WGbxD=n8*C(6moR>O-lp&O&s1(UTMsceqt2hDG;?%#tbl zsuh?EwrCvCWcGS|EBsp+$8E8zLN^mW2I>oPzzLQs7)BSwfG}q~^WAdXtB_$amSK^vy92MeXlvDHL3l!exvrOQ@k&eQ- zoGp`?FRj@Xu=eZSlo>zfv}fKl$W^ro+cd?U$KuKnTP2ISY3!z&x*dMuzveuCocj3e zN<))~`|SMOuh}^RAM_Rr2?=l55)`6(XXc_uy&o*o{$E=!{M+gKqKCeB*H4&xvXS}n zzu?=sap#lYm#JvPy+2=YP30ToLzR`yzRjV9eol{LSN1RN(QWylyNdVCW3RNm=bfSy zi%Ku2seK4obo-{^HLvdsMF$G&Osjb&d1+r@PiBhBo#>$SLLt?P{qFOL^FCV_c%Jh% zF>+Zh=#y{r?7-={)n|T73I}|;yN~1R=6UYECi2Cid2#Pm_pQ!qw>?-g`ISVN?74~~ zxz7Vub+u%K7=HTx`_mU6wMA;1j>R(KjqXKtuw(!O(Vr^0LQiQOhpLMG;pGwI^=8zUi93pi|@bsq*cAgEi|9U7WN%uld%_HYT^5 z8(Q?M1TD_(51;P)K)Uz-wkvllxBNNy^<2sNEnD0eA7uDlO-s4nnD=qlr%=~(r^0S3 ztu|v$3|+ok%P>A(AW@C4T$g`^Lw9msLqdw~(Ro&n&QI1Ajk(2{sB)$4@s|+8z6LJM zi_Xs;OzjjDwXWMwMR`iag$q!xMt?D^@mo9m}+T&xS%|Gp^y|d%i=zPw6_VT`H zwUupG!k$YpI~%zTn{0n-N7!*jM)@3)7(S7hQh^Vf*1+qRyIvplb+IhJX**nG3#nyVojGwt@L_!^3RU$XvX>}JnJ zg%SyeI!@JCOcLsrRql&2vn|b;q}g)p&b0HwiGfK|>?`D%pHvkz&2Nx%EUkaKeZ9?` z)duHp@C&`mct1VZKweVM{wnkGV(AqZB+l}dOe-|`vt229k>aW?Tc)j9!o2ubVcd$$ zsjrlh(^T)i^ew#I(7)%uc)P&#s-;VHr;BWg{oq}rm8thGopHkxg}1S3#oobY ziAVXV!}1pbxu>Zg?>TyJS87wkxyF8%85YvP3|sDK7pqzwRh+bLvv2yMujf1WFm2r$ zw|j*%W0;-dI-?nj?|WzYO%wU2#Je$(o$H5n`1wVV0R?n^B0V&YJ8~ z(`Pg1<%yc{T+EePiPGJF)Qw(?KDTgw?JWA^{rT5x%a>X% zTXXD)+?%*S^KDl9U4CmB|IbVB7puI?wPel#Pp3bO3GuN9gH~SUo~ttXK!uR~W!Hue zFHSp2wb~hdiQhjt)lPy}eEqsULatpB=&$gH? 
zx^Jtkf3WZ9+4DvGE-M@#n5cZ(eyHnR>ayQ0+?NgA_ls;Rww_ePvtnkSlfIO&#ay+T z*owU>mc~b~ac^B5;kwxO(jkYtJ5)D|?mQ4M&+|&{iO9q2xZii5ICJ3VyceGzc5msq zbYR9_<>zNFvul_AJoPO1XUXb`#g9LwZqw(ERd`?gIVCmdpZg8na!i#6?$~5aISnZqtYnQ;Qm>{1S zS5!h~Y^<}0Psq<-nV@)S_7Tr1nP0tb7lxm>_v)4LsukD7ia3jO9OfigzY%WTAbp}g zVr9kO(;pN{&u=u>nYH1zsezeFhor^4Bfk%d#BX@Wa!Ap6v2w9=$Sy6H()oWBjTYL< zeVO}Rtb|R_pGA3^u!Q51#EM7vQ!nmFnWC{vapSVb7fUmKYM!^e$$xZ$-?&A5MZCj0!jxOsmze40Ej-LSyLN#5M)?wJV(`6}gp?XF#}8Pk3) zeewQ}T0eF8E1ssatA>7h9b5lnqF7Cc=+kUH-#WFT4U<3iEPP-l`2PUI9n*4&pt*up zn>ZKT`hJu3DBIDybEd4Fa)9eE`10g34gZBWq0+@Ee?M()34ur#cF$&ao?nG zUspKITrAYA@q>+Jj~#2)vmFI3XPf`8*coU%!TjgZ@)NPM_~Y4_QY|ky%(1>(tv>T* z>u&ag7lL~)`i3YrWqw?D^5MDO4KKC^2Rm$C``NRA!&38oI)mk(9T%&vZvR!yJ!PY$ zk$_KUlZC_`zk0Q!^{%<|)3&_V`Dzx&7QFreXUFx~*WSJL;(el)@5yo}Cu6yqvK77BdFt2%Ho`vf2dEz?T0+=0Lby-W9B!B4f zw40}NZANawF_(m0myUj1G2ii??*>;R8O9A8s=oOx>;HQ)Y3&@@&GY8QJ!TIu4p?72 zoqLwtUhBeZ;+BTz&)TMkHNAc`FaFW2zf0FSXfE12_xDoQ%T9}TZ~A6?sA<8b9U?K^ z8(8L_=0Epf+l84zpPj7NYIMwA_5GOE#80O;a_wyM=MCHS_1)a9Vq%L#t8_M8es{@K zYSQBGM!PGX`^~jlZZ#_)%i+w)|4;kFb3Z;?|Ep<(m<#v(1IluJFVd#?+N{kuUgRfo z{8kA&&*PoTx_I*TTRz`kH*K-Qm-$-Z?N|NwuQk&bN|e1VRzH}`SH+d zlhUYv8!v9q-c(RJrRQW^r&Vn6ni(-pfolT!Zd(}tKeukvj^*bXlP9uHFk5zU<$Z;J z(#P7LU+Fix5*!pVdw!WI>w!b<|7S<+*rQW_xo_4FkAv#Tr;|e zZ|+VKL1Ox&2A<-BzE{ptI^BzZia;bC^>RX!u%nk?;KY zz^PNcil0uYFHRA!PKC?U7kl%bdADHh ghm+l*%*VG!Ilb`T?&|w%6>G-a%J91~%zZ+60JxtIApigX literal 3134 zcmZQ@_Y83kiVO&0sIxBhm>d*3`5L44)MIs z?reRKbKGry`nrYtxFasUd6XF?)Gf#?J#S;M-`B-%Y6s+R{F-qi`NVg@X)T*YEy@^v z9k585 za9w;5)pP6s@5@D=LUWWS9?No7bpdG&A8o|W&+OSa0at8bYfJ}FT;@#ndf(KDXNYO_yxyXUp48N0xm z3qQVl-!sl+&;EGX=j(!5%&8hm@?16VZqL&`JLjsEFGqdp%yTE_1wK5(t$X7|h|P>` zW_~K6jol9?p68xCm#cXn1JeYhR;z_4eZo}^-CUu=Ijg?y?<(8HE-63$y?>^Aa2rQw zceau7wdTf3*XXpOU51anYj)|`iT_;n*q>ohh}X#@g59eVL)4_QYNTZ{I@%{s{5O*) zw6A2sY4^WVyb|*cZMbXKa!x>u#b0xG_^-}nry0i4HSYTMYiBdfew#Pxv*CF=g%qx%A5P3` zKfGV?4tvOEe-4Fu&W$$zVvXgq6Mfdn&RwJTYtfUf>VqU&Vt=1Y+tPM^TDWffuc8a_!EJlbuP;y9 zciQ_~_2#0Bw!uH*-!FgoKFChwhpxqvKU*(yuhO*Gbb4XhES6618&B8X;d^>~sr};O 
z8Oq19FBPcd9sTyan-jRu6WedDj7pG63#?-T5^PD|=tul9KGYIeQ*4gmj&_2P%wO-7bvOycN zRTf5Hda*4+zM!psU(|{@4|U3J>8^fe`SROoj(g7CQ_L>=$9$AM!`vg_uX(HUy~97h zOe5=qbycozqGv)IoD!Byejn_yys7nN{>J`&%!O^MZU|a@dh{JXJEJ?-}*G?UOVr;JihO2e-dY|%#pjhvB0i*!EVku1*iX=oPcMg7QuxgVyi9I-|Li?YklgRz2eN8 z{fXz4czxb}tg+=&n(F;I{?!agy(^kJH(dVDnfCN^Y%f-~?VRNx8vgp`5>xRz3C4-* ze!pwwjV_t8XlYF1_TR@>yTqM26}O{r=Zwvtw@aV>JfAD^RO#*h?KhvYf6`6E+5frmQ+1 z@pDU-{X~m>j)rE(;-1B-&(kh0@jh`|%jO5u^!FPCgZ_(sy2rWrUy(*@ zXYK5-HT4HP1p`k;9&%i#*zlw5)+}4s!lQe)%RBKWYaFh=FWt3fuhWvsW!qgXrCOFH ztzYufIZF zxO;ipWzPT?olBXyYO^L=zMbjHERp=@Xl>GVM(>wRTkaj0viG!Y8Drs*jXnEoe|Y;G zljKPJaQf-)!}}WUrK}2AoO;lAyTrF1rM~dgg-`6?Ox(aAaHz{q(kvq}K`yjt9tZ13 zuK8~t^{igY$i1yDZjQbZe|pb~13ESZp0+C)&);7Zdr5v$&oUklb1jir4yo|f+6@m> z@4R3w^ZQZ8aL(tpYxSBR>)!UKF+FJZGxeUttWFJq*eQ$A3rnyN6+CTIX>HUHLs_{auzc5O%hqa{f0q4 z%jE046M8R-?sBb|ZSyZj!jOBhhG<)!yiTzbx1z$PM5a06DvzIKUfFeO!HPp$H%DK6%_Ceu(+%F7B9OBYsaxJ~-3q zz*M`{_dgY^yE}95%S^)zhrEjId&RfTmloUq^85o^pHe5E%coCg)Lsbw#BQRg`}TzS zmIluK5?NK*3&SQX_%F-ZCceAtN$2H*yUsPHo#D_tG;7(~zy4?5JX&qxm>FBKE^tZf zFR2fjT&0mVLd|mJ&Kutvd=Ck7QoqK2#L{_r^=Y-&YzL*Q6%Tu6vD@=ZxW+X7*I}kf zf|D<8oOwf>CFoF8WKG-TFrmA~@_$}x+?@Gl-2o<+jrViod_&Ifl9LoTzt%YUpg?`O zS^2>bzOu!}$zj&3&ONcbyXOH@|IH3Fo63j5Uk?*;*%L zn7^ApbM=d#KhJ4=^_{7=``h-UqbEM3KK5qQ>JT~4qb#|1LXJvH??t(})2!0dm6kY3 zF@ERbcU5KiXXWy$f7R^JX^huS?VEJG=GHf9!PV<~@8&c03xC)w7(AoEQ^Zc{%cdgP zoqI)-E6dodUwc&tURPoL(#B-9MNs=~`>XtKd8nsAx>2=W9FPPr9-Px(_$EoP8|29`$ z3;k^R_tevz;FAjCQICR`F1zCQ)2iUheo0Fucac()hrx!&ciJrwe&%Fg-7V0ycH^0% z?sH)gv9FINsN|-WG~DQ#wqov!JHC6ieN>t8^I!$nEkD74^52>FB3#sG_lv9vIP|8) z^T|u;9|tGbyuZ-h^YzJlp1%9NXa2n5XZv{7ap%Nyf1V_K+GDRFekeEL*!{v^X-gAr zPe(m2`no!ur_Oy+-RTbrH9Shy`kO4L=iT-E_R}Fmtk#n2*Ch6Ylj|d+@}mp4CiYl3 zDZlaAP&DhelV#q#u8s%FQ*7s{-J5rl$ML zDSMAdtQJUY;k|P9%A`L9-Jv?F4*ws|?GAksammj6Q}0qM>$1ilnTJB;C)AoOeZK8& z+_a^S`+hM*9f-7>bKLM!`*#b2orz~z(z9>yF0qxN-2L+oBX1|Rxa>cWq-@gZ06Ko|Cg~naN~};#c^DrTJvz@gmail.com' --header "X-Auth-Key: " -s | jq base = "58d3412e8d88889d1a611b3669f0700f"; - sub = 
"fc861353142bc05d5dbad1799178e6a1"; base6 = "d1b90e21d2d747dcb30448bd65312927"; + sub = "fc861353142bc05d5dbad1799178e6a1"; sub6 = "b8082b7afe9e80971fc9f9dda16ec284"; + ssh = "c0f14f17f32d6595c202f041dd836eb3"; + ssh6 = "f1ecb2d9d0522d4eec06437688ca76da"; }; passord-file-path = config.sops.secrets."nx2site/cloudflare/global-api-key".path; log-file-path = "/var/log/couldflare.log"; count-file-path = "/var/log/cloudflare-count.txt"; in pkgs.writers.writePython3Bin "dyn_dns" { libraries = with pkgs.python311Packages; [ requests ]; - flakeIgnore = [ "E501" "E305" "E701" "E704" "E302" "E114" "F841" "E121" "E261" "E303"]; + flakeIgnore = [ "E501" "E305" "E701" "E704" "E302" "E114" "F841" "E121" "E261" "E303" ]; } /* python */ '' import requests import subprocess - from datetime import datetime + # from datetime import datetime def get_public_ip(ipv6=False): return subprocess.run(['${pkgs.curl}/bin/curl', '-s', '-6' if ipv6 else '-4', 'https://ifconfig.me'], capture_output=True, text=True).stdout.strip() @@ -43,13 +59,13 @@ my_ip = get_public_ip() my_ip6 = get_public_ip(ipv6=True) - with open("${count-file-path}", "r") as f: - content = f.read() - if content == "": count = 0 - else: count = int(content) - count += 1 - with open("${count-file-path}", "w") as f: - f.write(str(count)) + # with open("${count-file-path}", "r") as f: + # content = f.read() + # if content == "": count = 0 + # else: count = int(content) + # count += 1 + # with open("${count-file-path}", "w") as f: + # f.write(str(count)) # 4 with open("${passord-file-path}", 'r') as pw_file: @@ -85,7 +101,7 @@ }, json={ "comment": "Domain verification record", - "name": "${domain}", + "name": "*.${domain}", "proxied": True, "settings": {}, "tags": [], 
@@ -95,15 +111,34 @@ } ) + resp_sshd = requests.patch( + 'https://api.cloudflare.com/client/v4/zones/${zone_id}/dns_records/${record_id.ssh}', + headers={ + 'Content-Type': 'application/json', + 'X-Auth-Email': '${account_id}', + 'X-Auth-Key': pw + }, + json={ + "comment": "Domain verification record", + "name": "ssh.${domain}", + "proxied": False, + "settings": {}, + "tags": [], + "ttl": 1, # automatic + "content": my_ip, + "type": "A" + } + ) + if resp_base.status_code != 200: print(resp_base.text) - now_str = datetime.now().strftime('%Y/%m/%d-%R') - log_entry = f"At {now_str} - to {my_ip} - Response {resp_base.status_code}\n" - print(log_entry, end="") - with open("${log-file-path}", 'a') as log_file: - log_file.write(log_entry) + # now_str = datetime.now().strftime('%Y/%m/%d-%R') + # log_entry = f"At {now_str} - to {my_ip} - Response {resp_base.status_code}\n" + # print(log_entry, end="") + # with open("${log-file-path}", 'a') as log_file: + # log_file.write(log_entry) # Perform DNS updates # https://developers.cloudflare.com/api/operations/dns-records-for-a-zone-update-dns-record @@ -135,7 +170,7 @@ }, json={ "comment": "Domain verification record", - "name": "${domain}", + "name": "*.${domain}", "proxied": True, "settings": {}, "tags": [], 
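Review bot: The new `resp_sshd` request is never inspected; the check right below it still looks only at `resp_base.status_code`, so a rejected update of the `ssh.${domain}` A record goes unnoticed, and the IPv6 twin in the `@@ -145,14 +180,32 @@` hunk has the same gap. Add `if resp_sshd.status_code != 200: print(resp_sshd.text)` after the existing check in both places; with the log-file block now commented out, the journal of the oneshot unit is the only trace left, so that print matters. Both calls also copy `"comment": "Domain verification record"` onto what is an SSH endpoint record, which will mislead whoever reads the zone later. Separately, the `X-Auth-Key` header means the unit holds the Cloudflare Global API Key; a scoped API token limited to DNS edits on this zone, sent as `Authorization: Bearer`, bounds what the `dns-user` service can do if that secret leaks. The enclosing function starts and ends outside the hunk.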
@@ -145,14 +180,32 @@ } ) + resp_sshd = requests.patch( + 'https://api.cloudflare.com/client/v4/zones/${zone_id}/dns_records/${record_id.ssh6}', + headers={ + 'Content-Type': 'application/json', + 'X-Auth-Email': '${account_id}', + 'X-Auth-Key': pw + }, + json={ + "comment": "Domain verification record", + "name": "ssh.${domain}", + "proxied": False, + "settings": {}, + "tags": [], + "ttl": 1, # automatic + "content": my_ip6, + "type": "AAAA" + } + ) + if resp_base.status_code != 200: print(resp_base.text) - - now_str = datetime.now().strftime('%Y/%m/%d-%R') - log_entry = f"At {now_str} - to {my_ip6} - Response {resp_base.status_code}\n" - print(log_entry, end="") - with open("${log-file-path}", 'a') as log_file: log_file.write(log_entry) + # now_str = datetime.now().strftime('%Y/%m/%d-%R') + # log_entry = f"At {now_str} - to {my_ip6} - Response {resp_base.status_code}\n" + # print(log_entry, end="") + # with open("${log-file-path}", 'a') as log_file: log_file.write(log_entry) if __name__ == "__main__": main() @@ -164,7 +217,7 @@ ''; serviceConfig = { Type = "oneshot"; - User = "root"; + User = dns-user; }; }; }; @@ -174,7 +227,7 @@ # "172.1.0.9" = [ "matrixdb.docker" ]; # "172.1.4.1" = [ "matrix-ss.docker" ]; # "172.1.0.7" = [ "matrix-ssdb.docker" ]; - "172.1.5.1" = [ "pw.docker" ]; + # "172.1.5.1" = [ "pw.docker" ]; "172.1.6.1" = [ "git.docker" ]; # "172.1.0.10" = [ "gitdb.docker" ]; # "172.1.7.1" = [ "nn.docker" ]; diff --git a/system-modules/nx2site/gitea.nix b/system-modules/nx2site/gitea.nix index 6f877ea..df41284 100644 --- a/system-modules/nx2site/gitea.nix +++ b/system-modules/nx2site/gitea.nix @@ -1,4 +1,5 @@ -{ config, pkgs, lib, domain, ... }: +{ config, pkgs, secrets, user, domain, ... }: +let git-user = "git"; in { sops.secrets = { "postgres-pw" = { owner = config.services.gitea.user; }; 
@@ -7,36 +8,46 @@ environment.systemPackages = with pkgs; [ gitea ]; + users = { + users = { + "${user}".extraGroups = [ git-user ]; + "${git-user}" = { + isSystemUser = true; + group = git-user; + useDefaultShell = true; + home = config.services.gitea.stateDir; + openssh.authorizedKeys.keys = config.users.users."${user}".openssh.authorizedKeys.keys; + }; + }; + groups."${git-user}" = {}; + }; services.gitea = { enable = true; package = pkgs.gitea; - group = "gitea"; # default - user = "gitea"; # default + group = git-user; + user = git-user; appName = "NxGit"; stateDir = "/var/lib/gitea"; # default useWizard = false; # default # camoHmacKeyFile = ; - customDir = "${config.services.gitea.stateDir}/custom"; # default database = { createDatabase = false; # default host = "127.0.0.1"; # default port = 5432; passwordFile = config.sops.secrets."postgres-pw".path; - # path = "${config.services.gitea.stateDir}/data/gitea.db"; # default - # socket = "/run/postgresql"; socket = null; type = "postgres"; name = "gitea"; # default user = "gitea"; # default }; - # dump = { - # enable = true; - # backupDir = "${config.services.gitea.stateDir}/dump"; # default - # file = null; # default - # interval = "daily"; - # type = "zip"; # default - # }; + dump = { + enable = true; + backupDir = "/var/backup/gitea"; + file = null; # default = chosen by gitea + interval = "daily"; + type = "zip"; # default + }; # extraConfig = null; # default # lfs = { # enable = false; # default 
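Review bot: `"${git-user}".openssh.authorizedKeys.keys = config.users.users."${user}".openssh.authorizedKeys.keys` gives every key of the admin account an unrestricted login shell as the Gitea service user (`useDefaultShell = true`, home = stateDir). That bypasses the `command=` restriction Gitea puts on the keys it manages itself and grants direct filesystem access to the repositories, app.ini and the `postgres-pw` secret this module chowns to the same user; if the same key is also registered in Gitea, which entry sshd honours presumably depends on AuthorizedKeysFile order and could break or silently widen ordinary pushes. Drop the line and register the public key through Gitea instead, or if a recovery login is really wanted restrict it, e.g. `openssh.authorizedKeys.keys = [ "restrict,from=\"<trusted-ip>\" ssh-ed25519 <key>" ]`. The `dump` block with `backupDir = "/var/backup/gitea"` writes archives that include app.ini and the database, so it is worth confirming that directory is not readable by `${user}`, who is now in the `git` group.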
@@ -44,25 +55,23 @@ # }; # mailerPasswordFile = null; # default # metricsTokenFile = null; # default - repositoryRoot = "${config.services.gitea.stateDir}/repositories"; # default + # repositoryRoot = "${config.services.gitea.stateDir}/repositories"; # default settings = { log = { LEVEL = "Info"; # LEVEL = "Error"; - ROOT_PATH = "${config.services.gitea.stateDir}/log"; # default }; - # i18n = { - # LANGS = "en-US"; - # }; server = { DISABLE_SSH = false; # default - SSH_PORT = 20022; - # DOMAIN = "pw2.${domain}"; - # HTTP_ADDR = "${config.services.gitea.settings.server.DOMAIN}:${toString config.services.gitea.settings.server.HTTP_PORT}/"; + START_SSH_SERVER = false; # default + SSH_LISTEN_HOST = "0.0.0.0"; + SSH_PORT = secrets.ssh.port; + DOMAIN = "pw.${domain}"; + SSH_DOMAIN = "ssh.${domain}"; + # HTTP_ADDR = "${config.services.gitea.settings.server.DOMAIN}"; # HTTP_PORT = 3000; # default # PROTOCOL = "http"; # default - # ROOT_URL = "https:pw2.${domain}/"; # default - STATIC_ROOT_PATH = "${config.services.gitea.stateDir}/static"; + # ROOT_URL = "https:pw.${domain}/"; # default }; session = { COOKIE_SECURE = true; 
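Review bot: `DOMAIN = "pw.${domain}"` looks like the wrong host for Gitea: in this same series proxy.nix routes `pw.${domain}` to Vaultwarden and `git.${domain}` to 127.0.0.1:3000, and DOMAIN feeds Gitea's default ROOT_URL, so clone URLs, redirects and the session cookie would be generated for the password-manager host; `DOMAIN = "git.${domain}";` matches the proxy. `SSH_LISTEN_HOST = "0.0.0.0"` only configures Gitea's built-in SSH server, which `START_SSH_SERVER = false` keeps off, so the line is inert today and would expose that server on all interfaces the moment someone flips the flag; drop it or pin it to 127.0.0.1. The commented `ROOT_URL = "https:pw.${domain}/"` is missing the `//` and becomes a broken URL if it is ever uncommented.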
@@ -73,108 +82,3 @@ }; }; } -# APP_NAME = Gitea: Git with a cup of tea -# RUN_MODE = prod -# RUN_USER = git -# WORK_PATH = /data/gitea - -# [repository] -# ROOT = /data/git/repositories -# ENABLE_PUSH_CREATE_ORG = true -# ENABLE_PUSH_CREATE_USER = true - -# [repository.local] -# LOCAL_COPY_PATH = /data/gitea/tmp/local-repo - -# [repository.upload] -# TEMP_PATH = /data/gitea/uploads - -# [server] -# APP_DATA_PATH = /data/gitea -# DOMAIN = git.nx2.site -# SSH_DOMAIN = git.nx2.site -# HTTP_PORT = 3000 -# ROOT_URL = https://git.nx2.site/ -# DISABLE_SSH = false -# SSH_PORT = 22 -# SSH_LISTEN_PORT = 22 -# LFS_START_SERVER = true -# LFS_JWT_SECRET = aitnnoway -# OFFLINE_MODE = false - -# [database] -# PATH = /data/gitea/gitea.db -# DB_TYPE = postgres -# HOST = giteadb:5432 -# NAME = gitea -# USER = gitea -# PASSWD = -lkjlkj -# LOG_SQL = false -# SCHEMA = -# SSL_MODE = disable - -# [indexer] -# ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve - -# [session] -# PROVIDER_CONFIG = /data/gitea/sessions -# PROVIDER = file - -# [picture] -# AVATAR_UPLOAD_PATH = /data/gitea/avatars -# REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars - -# [attachment] -# PATH = /data/gitea/attachments - -# [log] -# MODE = console -# LEVEL = info -# ROOT_PATH = /data/gitea/log - -# [security] -# INSTALL_LOCK = true -# SECRET_KEY = -# REVERSE_PROXY_LIMIT = 1 -# REVERSE_PROXY_TRUSTED_PROXIES = * -# INTERNAL_TOKEN = faaaaakeeyJuYmYiOjE3MTMxMTAzMjN9.iliwlrfZDTb8oL296gpXRYhC-6_AJdjePO7dk3NT-PE -# PASSWORD_HASH_ALGO = pbkdf2 - -# [service] -# DISABLE_REGISTRATION = true -# REQUIRE_SIGNIN_VIEW = false -# REGISTER_EMAIL_CONFIRM = false -# ENABLE_NOTIFY_MAIL = false -# ALLOW_ONLY_EXTERNAL_REGISTRATION = false -# ENABLE_CAPTCHA = false -# DEFAULT_KEEP_EMAIL_PRIVATE = false -# DEFAULT_ALLOW_CREATE_ORGANIZATION = true -# DEFAULT_ENABLE_TIMETRACKING = true -# NO_REPLY_ADDRESS = noreply.nx2.site - -# [lfs] -# PATH = /data/git/lfs - -# [mailer] -# ENABLED = true -# SMTP_ADDR = smtp.gmail.com -# 
SMTP_PORT = 587 -# FROM = git@nx2.site -# USER = lennart.kurzweg.lk@gmail.com -# PASSWD = "ihh" - -# [openid] -# ENABLE_OPENID_SIGNIN = true -# ENABLE_OPENID_SIGNUP = false - -# [cron.update_checker] -# ENABLED = false - -# [repository.pull-request] -# DEFAULT_MERGE_STYLE = merge - -# [repository.signing] -# DEFAULT_TRUST_MODEL = committer - -# [oauth2] -# JWT_SECRET = redavt diff --git a/system-modules/nx2site/proxy.nix b/system-modules/nx2site/proxy.nix index df9f34a..d22f510 100644 --- a/system-modules/nx2site/proxy.nix +++ b/system-modules/nx2site/proxy.nix @@ -14,7 +14,7 @@ }; certs = { "${domain}" = { - extraDomainNames = builtins.map (subd: "${subd}.${domain}") [ "git" "git2" "pw" "pw2" "sync" ]; + extraDomainNames = builtins.map (subd: "${subd}.${domain}") [ "git" "pw" "sync" ]; }; }; }; @@ -99,16 +99,16 @@ listen = dl; locations = { "~.*" = { return = "502"; }; }; }; + # "pw.${domain}" = vh // { + # listen = dl; + # locations = let d = "pw.docker:80"; in { + # "/" = { proxyPass = "http://${d}"; }; + # "/admin" = { proxyPass = "http://${d}"; }; + # "/notifications/hub" = { proxyPass = "http://${d}"; }; + # "/notifications/hub/negotiate" = { proxyPass = "http://${d}"; }; + # }; + # }; "pw.${domain}" = vh // { - listen = dl; - locations = let d = "pw.docker:80"; in { - "/" = { proxyPass = "http://${d}"; }; - "/admin" = { proxyPass = "http://${d}"; }; - "/notifications/hub" = { proxyPass = "http://${d}"; }; - "/notifications/hub/negotiate" = { proxyPass = "http://${d}"; }; - }; - }; - "pw2.${domain}" = vh // { listen = dl; locations = let d = with config.services.vaultwarden.config; "${ROCKET_ADDRESS}:${builtins.toString ROCKET_PORT}"; 
@@ -123,11 +123,11 @@ listen = dl; locations = { "/" = { proxyPass = "http://127.0.0.1:11434"; }; }; }; + # "git.${domain}" = vh // { + # listen = dl; + # locations = { "/" = { proxyPass = "http://git.docker:3000"; }; }; + # }; "git.${domain}" = vh // { - listen = dl; - locations = { "/" = { proxyPass = "http://git.docker:3000"; }; }; - }; - "git2.${domain}" = vh // { http2 = false; listen = dl; locations = { "/" = { proxyPass = "http://127.0.0.1:3000"; }; }; diff --git a/system-modules/nx2site/vaultwarden.nix b/system-modules/nx2site/vaultwarden.nix index c7fe7e7..d5e5546 100644 --- a/system-modules/nx2site/vaultwarden.nix +++ b/system-modules/nx2site/vaultwarden.nix @@ -27,7 +27,7 @@ SMTP_PASSWORD = "@SMTP_PASSWORD@"; LOGIN_RATELIMIT_MAX_BURST = 10; LOGIN_RATELIMIT_SECONDS = 60; - DOMAIN = "https://pw2.${domain}"; + DOMAIN = "https://pw.${domain}"; INVITATION_ORG_NAME = "NxPW"; INVITATIONS_ALLOWED = true; ADMIN_TOKEN = "@ADMIN_TOKEN@"; diff --git a/system-modules/postgres.nix b/system-modules/postgres.nix index f37ad51..b86a5cf 100644 --- a/system-modules/postgres.nix +++ b/system-modules/postgres.nix @@ -32,22 +32,9 @@ shared_preload_libraries = [ ]; # default }; ensureUsers = [ - # { - # name = "${user}"; - # ensureDBOwnership = false; - # ensureClauses = { - # login = true; - # # inherit - # createdb = true; - # bypassrls = true; - # superuser = true; - # createrole = true; - # replication = true; - # }; - # } + # as liong as there is no declarative user management you gotta set a pw by hand + # sudo -u postgres psql -c "ALTER USER gitea PASSWORD 'new-passwd';" { - # as liong as there is no declarative user management you gotta set a pw by hand - # sudo -u postgres psql -c "ALTER USER gitea PASSWORD 'new-passwd';" name = "gitea"; ensureDBOwnership = true; } 
@@ -57,28 +44,28 @@ } ]; }; -# postgresqlBackup = { -# enable -# startAt -# location -# databases -# backupAll -# compression -# } - - -# postgresqlWalReceiver.receivers."main" = { -# postgresqlPackage = pkgs.postgresql_15; -# directory = /mnt/pg_wal/main/; -# slot = "main_wal_receiver"; -# connection = "postgresql://user@somehost"; -# compress -# extraArgs -# synchronous -# environment -# statusInterval -# }; -# } + postgresqlBackup = { + enable = true; + # startAt = "*-*-* 01:15:00"; + # location = "/var/backup/postgresql"; + databases = config.services.postgresql.ensureDatabases; + backupAll = false; + # compression = "gzip"; + # pgdumpOptions = "-C"; + # compressionLevel = 6; + }; + # postgresqlWalReceiver.receivers."main" = { + # postgresqlPackage = pkgs.postgresql_15; + # directory = /mnt/pg_wal/main/; + # slot = "main_wal_receiver"; + # connection = "postgresql://user@somehost"; + # compress + # extraArgs + # synchronous + # environment + # statusInterval + # }; + # }; }; } diff --git a/system-modules/sshd.nix b/system-modules/sshd.nix index dff0395..7bdd4b3 100644 --- a/system-modules/sshd.nix +++ b/system-modules/sshd.nix @@ -3,7 +3,7 @@ { environment.etc."ssh/ssh_host_ed25519_key.pub".text = if (host == "NxNORTH") then "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF1r5gUQPPS/dGB0SsvWtP6WdNWoxMwhhHRrqlO19cJt root@NxNORTH" - else if ( host == "NxXPS") then + else if ( host == "NxXPS" ) then "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPf+08+t8a0lY2+nR1mhIU3vuksStiJOlojJjzCwFk7r root@NxXPS" else "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBFfZpWVPlujsz3FklSVAM+tuYn4pzDSijhp5CeYNOZk root@NxACE"; @@ -13,7 +13,7 @@ }; services.openssh = { enable = true; - ports = secrets.ssh.ports; + ports = [ secrets.ssh.port ]; settings = { PasswordAuthentication = false; }; diff --git a/system-modules/users.nix b/system-modules/users.nix index f43423e..7920c80 100755 --- a/system-modules/users.nix +++ b/system-modules/users.nix 
@@ -6,6 +6,7 @@ users.users."${user}" = { isNormalUser = true; extraGroups = [ + # TODO: actually put the groups into the relevant files "networkmanager" "wheel" "audio" @@ -18,7 +19,6 @@ "acme" "nginx" "adbusers" - "gitea" "postgres" ]; useDefaultShell = true; From dbccb827ad19c125b1aa35821662cf703378c24c Mon Sep 17 00:00:00 2001 From: "Lennart J. Kurzweg (Nx2)" Date: Wed, 20 Nov 2024 01:25:42 +0100 Subject: [PATCH 3/4] games also on ACE --- home-modules/games.nix | 10 +++++----- system-modules/games.nix | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/home-modules/games.nix b/home-modules/games.nix index ac87b19..544539d 100755 --- a/home-modules/games.nix +++ b/home-modules/games.nix @@ -1,15 +1,15 @@ -{ pkgs-unstable, lib, host, ... }: -lib.mkIf (host == "NxNORTH") +{ pkgs-unstable, pkgs, lib, host, ... }: +lib.mkIf (host == "NxNORTH" || host == "NxACE") { home = { - packages = with pkgs-unstable; [ + packages = (with pkgs-unstable; [ protonup mangohud - heroic + # heroic mindustry-wayland - ]; + ]) ++ [ pkgs.heroic ]; sessionVariables = { STEAM_EXTRA_COMPAT_TOOLS_PATHS = "\${HOME}/.steam/root/compatibilitytools.d"; }; diff --git a/system-modules/games.nix b/system-modules/games.nix index 78ec3ed..c014fec 100644 --- a/system-modules/games.nix +++ b/system-modules/games.nix @@ -1,5 +1,5 @@ { lib, host, ... }: -lib.mkIf (host == "NxNORTH") +lib.mkIf (host == "NxNORTH" || host == "NxACE") { programs = { gamemode = { From edbe4e7f66293bb97564d52b03f3f4dd7bfe2c60 Mon Sep 17 00:00:00 2001 From: "Lennart J. Kurzweg (Nx2)" Date: Wed, 20 Nov 2024 01:27:20 +0100 Subject: [PATCH 4/4] moved NORTH screen --- home-modules/hyprland.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/home-modules/hyprland.nix b/home-modules/hyprland.nix index 6f7e8b4..17c9b22 100755 --- a/home-modules/hyprland.nix +++ b/home-modules/hyprland.nix 
@@ -21,13 +21,13 @@ let
 main = {
 name = "DP-4";
 resolution = "2560x1440";
- position = "1920x0";
+ position = "1920x150";
 scale = "1.0";
 };
 left = {
 name = "HDMI-A-2";
 resolution = "1920x1080";
- position = "0x360";
+ position = "0x0";
 scale = "1.0";
 };
 # right = {