add anarkafem.dev, minor tweaks

2021-09-23 16:45:06 +02:00 · 2021-09-23 16:45:06 +02:00 · 0969b36564
commit 0969b36564
parent 3ed18d33fc
18 changed files with 374 additions and 15 deletions
--- a/config/hosts/wind/configuration.nix
+++ b/config/hosts/wind/configuration.nix
@ -3,6 +3,7 @@
 {
  imports = [ 
    ./hardware-configuration.nix 
+    ../../common/services/openssh.nix
    ./services/acme.nix
    ./services/coturn.nix
    ./services/nginx.nix
@ -56,12 +57,6 @@
    ];
  };

-  services.openssh = {
-    enable = true;
-    passwordAuthentication = false;
-    permitRootLogin = "no";
-    challengeResponseAuthentication = false;
-  };

  # Use hetzner firewall instead
  networking.firewall.enable = false;
--- a/config/hosts/wind/services/acme.nix
+++ b/config/hosts/wind/services/acme.nix
@ -5,7 +5,7 @@
    acceptTerms = true;
    email = "admin+certs@graven.dev";
    certs."graven.dev" = {
-      extraDomainNames = "*.graven.dev";
+      extraDomainNames = [ "*.graven.dev" ];
      dnsProvider = "hurricane";
      credentialsFile = config.secrets.files.acme_graven_dev.file;
    };
--- a/config/hosts/wind/services/coturn.nix
+++ b/config/hosts/wind/services/coturn.nix
@ -4,7 +4,7 @@
    enable = true;
    lt-cred-mech = true;
    use-auth-secret = true;
-    static-auth-secret = builtins.toString config.secrets.files.synapse_turn_shared_secret.file;
+    static-auth-secret = builtins.toString config.secrets.files.turn_shared_secret.file;
    realm = "turn.graven.dev";
    relay-ips = [
      "65.21.58.38"
--- a/config/hosts/wind/services/postgres.nix
+++ b/config/hosts/wind/services/postgres.nix
@ -20,7 +20,7 @@
  services.postgresqlBackup = {
    enable = true;
    location = "/var/lib/postgresql/backup";
-    databases = [ "gitea" "mogger" "synapse" "tt_rss" ];
+    databases = [ "synapse" ];
    startAt = "02:30";
    compression = "none";
  };
--- a/config/hosts/wind/services/restic.nix
+++ b/config/hosts/wind/services/restic.nix
@ -9,7 +9,7 @@
      initialize = true;
      pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
      timerConfig = { "OnCalendar" = "02:15"; };
-      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_private_key.file} -s sftp'" ];
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
    };
    "postgres" = {
@ -18,7 +18,7 @@
      initialize = true;
      pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
      timerConfig = { "OnCalendar" = "03:00"; };
-      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_private_key.file} -s sftp'" ];
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
    };
    "synapse" = {
@ -27,7 +27,7 @@
      initialize = true;
      pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
      timerConfig = { "OnCalendar" = "03:30"; };
-      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_private_key.file} -s sftp'" ];
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
    };
    "vaultwarden" = {
@ -36,7 +36,7 @@
      initialize = true;
      pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
      timerConfig = { "OnCalendar" = "23:45"; };
-      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_private_key.file} -s sftp'" ];
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
    };
  };
--- a/config/hosts/wind/services/synapse.nix
+++ b/config/hosts/wind/services/synapse.nix
@ -6,7 +6,7 @@
    server_name = "graven.dev";
    enable_registration = false;
    registration_shared_secret = builtins.toString config.secrets.files.synapse_registration_shared_secret.file;
-    turn_shared_secret = builtins.toString config.secrets.files.synapse_turn_shared_secret.file;
+    turn_shared_secret = builtins.toString config.secrets.files.turn_shared_secret.file;
    max_upload_size = "100M";
    database_type = "psycopg2";
    database_user = "synapse";
--- a/config/hosts/wind/services/vaultwarden.nix
+++ b/config/hosts/wind/services/vaultwarden.nix
@ -6,7 +6,7 @@
    backupDir = "/var/lib/bitwarden_rs/backup";
    config = {
      domain = "https://vault.graven.dev";
-      signupsAllowed = true;
+      signupsAllowed = false;
      rocketPort = 8812;
      ipHeader = "X-Real-IP";
      websocketEnabled = true;