Restructure DB config, add ssh keys

Emelie Graven 2022-02-14 12:29:36 +01:00
parent 9479490574
commit 8f8da2a071
Signed by: emelie
GPG key ID: C11123726DBB55A1
14 changed files with 155 additions and 17 deletions


@ -6,8 +6,7 @@
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFKHlANxRo9NEU6GHMCiAhv3Kxbxd6mOrOiMBw3bGohOAAAABHNzaDo= emelie@flap-fed"
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIE7/U/Mk1jGofcommKmPfG+qwybiFH1nFkXzUqGiXSy/AAAABHNzaDo= emelie@thinky-fed"
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGRtSxLRqPWmsn161ybDFcMYxrBKhay5a485tlM8hQEuAAAABHNzaDo= emelie@thinky-fed"
];
};
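Review bot: Two of the FIDO keys, on the lines ending `emelie@thinky-fed`, carry an identical comment, so if one token is lost there is no way to tell from this file which line to revoke; give each a distinct comment naming the token, e.g. `emelie@thinky-fed-yk-a` and `emelie@thinky-fed-yk-b`. Since this user is in `wheel`, every key listed here is effectively a root credential; for the `sk-ssh-ed25519@openssh.com` entries OpenSSH accepts a `verify-required` prefix on the authorized_keys line to demand PIN or biometric verification on top of touch, if that is wanted for these hosts. The enclosing `users.users.<name>` block starts before this hunk.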


@ -13,6 +13,9 @@
./services/restic.nix
./services/synapse.nix
./services/postgres.nix
#./services/mail.nix
#./services/containers.nix
#./services/redis.nix
];
boot.loader.grub.enable = true;

Binary file not shown.

Binary file not shown.

Binary file not shown.


@ -0,0 +1,53 @@
{ config, pkgs, ... }:
{
config.virtualisation.oci-containers = {
backend = "podman";
containers = {
#mobilizon = {
# image = "framasoft/mobilizon";
# ports = [ "127.0.0.1:4000:4000" ];
# volumes = [
# "/var/lib/mobilizon/uploads:/var/lib/mobilizon/uploads"
# "/run/postgresql/.s.PGSQL.5432:/run/postgresql/.s.PGSQL.5432"
# ];
# environmentFiles = [ config.secrets.files.mobilizon_env.file ];
# };
authentik-server = {
image = "ghcr.io/goauthentik/server:stable";
ports = [
"127.0.0.1:9000:9000"
"127.0.0.1:9443:9443"
];
volumes = [
"/var/lib/authentik/media:/media"
"/var/lib/authentik/templates:/templates"
"/run/postgresql/.s.PGSQL.5432:/run/postgresql/.s.PGSQL.5432"
"/run/redis/redis.sock:/run/redis/redis.sock"
];
environmentFiles = [ config.secrets.files.authentik_env.file ];
cmd = ["server"];
};
authentik-worker = {
image = "ghcr.io/goauthentik/server:stable";
volumes = [
"/var/lib/authentik/backups:/backups"
"/var/lib/authentik/media:/media"
"/var/lib/authentik/certs:/certs"
"/var/lib/authentik/templates:/templates"
];
environmentFiles = [ config.secrets.files.authentik_env.file ];
cmd = ["worker"];
};
};
};
config.systemd.services.create-authentik-pod = with config.virtualisation.oci-containers; {
serviceConfig.Type = "oneshot";
wantedBy = [ "podman-authentik-server.service" "podman-authentik-worker.service" ];
script = ''
${pkgs.podman}/bin/podman pod exists authentik || \
${pkgs.podman}/bin/podman pod create -n authentik -p '127.0.0.1:9000:9000' -p '127.0.0.1:9443:9443'
'';
};
}
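Review bot: `create-authentik-pod` is only `wantedBy` the two `podman-authentik-*.service` units, which pulls it in but imposes no ordering, so a container can start before `podman pod create` has run; and neither container sets `extraOptions = [ "--pod=authentik" ]`, so the pod is created and then never used, while the `ports` on `authentik-server` and the `-p` flags on the pod both claim 127.0.0.1:9000 and 9443. Either add `before = [ ... ]` next to `wantedBy`, join both containers to the pod and publish the ports on the pod only (podman rejects per-container `-p` for pod members), or drop the pod and its service since both containers already reach Postgres and Redis through the bind-mounted sockets; the `with config.virtualisation.oci-containers;` on that service is also unused. `image = "ghcr.io/goauthentik/server:stable"` is a mutable tag: pinning a digest (`server:stable@sha256:...`) keeps server and worker on the same build and turns upgrades into an explicit commit. Mounting `/run/redis/redis.sock` only works if the process inside the container runs with a uid that is in the host `redis` group, since `redis.nix` in this commit creates the socket with mode 0770 — worth confirming against the image's runtime user.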


@ -0,0 +1,29 @@
{ config, pkgs, ... }:
{
imports = [
(builtins.fetchTarball {
# Pick a commit from the branch you are interested in
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/6e3a7b2ea6f0d68b82027b988aa25d3423787303/nixos-mailserver-6e3a7b2ea6f0d68b82027b988aa25d3423787303.tar.gz";
# And set its hash
sha256 = "1i56llz037x416bw698v8j6arvv622qc0vsycd20lx3yx8n77n44";
})
];
mailserver = {
enable = true;
fqdn = "anarkafem.dev";
domains = [ "anarkafem.dev" ];
# A list of all login accounts. To create the password hashes, use
# nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
loginAccounts = {
"noreply@anarkafem.dev" = {
hashedPasswordFile = config.secrets.files.email_noreply.file;
};
};
keyFile = config.security.acme.certs."anarkafem.dev".directory + "/key.pem";
certificateFile = config.security.acme.certs."anarkafem.dev".directory + "/cert.pem";
certificateScheme = 1;
};
}
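Review bot: With `certificateScheme = 1` Postfix and Dovecot read the ACME `key.pem`/`cert.pem` directly, but as far as this hunk shows nothing reloads them when ACME renews, so they would keep serving the old certificate until the next restart; add `security.acme.certs."anarkafem.dev".reloadServices = [ "postfix.service" "dovecot2.service" ];` or let the mailserver module manage the certificate itself. Both daemons also need read access to `key.pem`, which depends on the ACME certificate's `group` setting defined elsewhere — worth confirming. The comment documenting `htpasswd -nbB "" "super secret password"` puts the plaintext password on the command line, where it lands in shell history; suggest `htpasswd -nB ""` so it prompts instead. The `fetchTarball` pinned to a commit with `sha256` is the right way to consume the module.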


@ -20,5 +20,15 @@
'';
};
};
"cal.anarkafem.dev" = {
useACMEHost = "anarkafem.dev";
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:4000";
};
"auth.anarkafem.dev" = {
useACMEHost = "anarkafem.dev";
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:9000";
};
};
}
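Review bot: `auth.anarkafem.dev` proxies to Authentik with a bare `proxyPass`, so unless `services.nginx.recommendedProxySettings` is enabled elsewhere, Authentik does not receive `Host`, `X-Forwarded-For` or `X-Forwarded-Proto` and will build `http://` redirects and log the proxy's address; its outpost and embedded-proxy traffic also needs websocket upgrade. Suggest `locations."/" = { proxyPass = "http://127.0.0.1:9000"; proxyWebsockets = true; };` together with the recommended proxy settings. `cal.anarkafem.dev` forwards to port 4000, but the only listener for it, the mobilizon container, is commented out in `containers.nix` in this same commit, so that host returns 502 until it is enabled. The enclosing `services.nginx.virtualHosts` set starts before this hunk.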


@ -1,26 +1,55 @@
{ pkgs, ... }:
{ pkgs, config, ... }:
{
services.postgresql = {
enable = true;
package = pkgs.postgresql_13;
extraPlugins = with config.services.postgresql.package.pkgs; [
postgis
];
ensureDatabases = [
"matrix-synapse"
"mobilizon"
"authentik"
];
ensureUsers = [
{
name = "matrix-synapse";
ensurePermissions."DATABASE \"matrix-synapse\"" = "ALL PRIVILEGES";
}
{
name = "mobilizon";
ensurePermissions."DATABASE mobilizon" = "ALL PRIVILEGES";
}
{
name = "authentik";
ensurePermissions."DATABASE authentik" = "ALL PRIVILEGES";
}
];
initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE synapse;
CREATE DATABASE synapse WITH OWNER synapse
CREATE ROLE matrix-synapse;
CREATE DATABASE matrix-synapse WITH OWNER matrix-synapse
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C"
ENCODING = "UTF8";
'';
authentication = pkgs.lib.mkOverride 10 ''
local all all trust
host all all ::1/128 trust
settings = { password_encryption = "scram-sha-256"; };
authentication = pkgs.lib.mkForce ''
local all postgres peer
local all matrix-synapse peer
local all mobilizon scram-sha-256
local all authentik scram-sha-256
'';
};
services.postgresqlBackup = {
enable = true;
location = "/var/lib/postgresql/backup";
databases = [ "synapse" ];
databases = [
"matrix-synapse"
"mobilizon"
"authentik"
];
startAt = "02:30";
compression = "none";
};
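Review bot: The identifiers in `initialScript` are unquoted, so `CREATE ROLE matrix-synapse;` and `CREATE DATABASE matrix-synapse WITH OWNER matrix-synapse` parse as `matrix - synapse` and fail with a syntax error; they need double quotes, as the `ensurePermissions."DATABASE \"matrix-synapse\""` key already does: `CREATE ROLE "matrix-synapse";` and `CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"`. If that script fails on a fresh cluster, `ensureDatabases` will still create `matrix-synapse`, but with the cluster's default collation rather than `C`, which Synapse refuses at startup. Replacing `trust` with `peer`/`scram-sha-256` under `mkForce` is the right move; note that `ensureUsers` creates `mobilizon` and `authentik` without passwords, so those roles cannot log in until `ALTER ROLE ... PASSWORD` is run out of band — that step is not in the commit and deserves a comment saying where it happens. The rewritten `authentication` also has no `host` lines, so any TCP connection, including from a container without the socket mounted, is rejected outright; that is fine if intentional but should be stated in a comment.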


@ -0,0 +1,11 @@
{ config, ... }:
{
services.redis = {
enable = true;
unixSocket = "/run/redis/redis.sock";
vmOverCommit = true;
unixSocketPerm = 770;
#requirePassfile = config.secrets.files.redis_pass.file;
};
}
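Review bot: With `requirePassfile` commented out, the only control on this Redis instance is the socket mode `770` (owner and group default to the redis service account), so any process running as root or as a member of the `redis` group — including root inside the Podman containers that bind-mount `/run/redis/redis.sock` — gets unauthenticated access to every command, `CONFIG` and `FLUSHALL` included. If the password is deliberately deferred, replace the dead line with a comment that states the interim control, e.g. `# no AUTH yet: access is limited to the redis group via the 0770 socket; TODO enable requirePassfile once the containers carry the password`. `vmOverCommit = true` sets the `vm.overcommit_memory` sysctl host-wide rather than per-Redis, which is the usual Redis recommendation but affects every process on the machine and merits a why-comment. The `config` argument is unused once that line is commented out, and this module is itself still commented out in the host's imports in this commit, so none of it is live yet.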


@ -9,8 +9,9 @@
turn_shared_secret = builtins.toString config.secrets.files.turn_shared_secret.file;
max_upload_size = "100M";
database_type = "psycopg2";
database_user = "synapse";
database_name = "synapse";
database_args = {
password = builtins.toString config.secrets.files.synapse_db_password.file;
};
turn_uris = [
"turn:turn.anarkafem.dev:3478?transport=udp"
"turn:turn.anarkafem.dev:3478?transport=tcp"


@ -2,9 +2,12 @@
{
services.postgresql = {
enable = true;
ensureDatabases = [ "nextcloud" ];
ensureDatabases = [
"nextcloud"
];
ensureUsers = [
{ name = "nextcloud";
{
name = "nextcloud";
ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
}
];
@ -13,7 +16,7 @@
services.postgresqlBackup = {
enable = true;
location = "/var/lib/postgresql/backup";
databases = [ "synapse" ];
databases = [ "nextcloud" ];
startAt = "02:30";
compression = "none";
};
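Review bot: The backup list now names `nextcloud`, the only database this host ensures, so the nightly `pg_dump` would no longer fail on the nonexistent `synapse` database; the rest of this `services.postgresql` block, including any `authentication` setting, lies outside the hunk. The other host in this commit replaces `local all all trust` with `peer`/`scram-sha-256`, so it is worth confirming this host's `pg_hba` does not still rely on the old `trust` lines. The dumps are written uncompressed under `/var/lib/postgresql/backup` on the same machine; if nothing ships them off-host they protect only against application-level mistakes, not against loss of the host.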