vps-arm-2024-08-31-19-31-36

This commit is contained in:
Alexander Szczepanski
2024-08-31 19:31:37 +02:00
parent 1e11cac9c3
commit 6d5e9fe4ae
4 changed files with 45 additions and 11 deletions

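--- /dev/null
+++ b/hostkey-to-agepub.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+nix-shell -p ssh-to-age --run "cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age"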
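Review bot: The new script has no comment saying what its output is or where it goes, and the `cat … |` pipe inside the `--run` string is the only thing between a missing or unreadable host key and an empty input to ssh-to-age. A header line such as `# Print the age recipient derived from this host's ed25519 SSH host public key; add it to the sops recipient list so secrets can be re-encrypted for this host.` makes the intent clear, and `nix-shell -p ssh-to-age --run "ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub"` lets the shell redirection fail loudly instead of feeding an empty stream. It is worth stating in that comment that only the public half of the key is read, so the script is safe to run and share its output.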


@ -35,7 +35,7 @@ in
]; ];
sops = { sops = {
defaultSopsFile = ../../secrets-desktop.yaml; defaultSopsFile = ../../secrets.yaml;
validateSopsFiles = true; validateSopsFiles = true;
age = { age = {
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
@ -50,15 +50,8 @@ in
group = config.users.users.alex.group; group = config.users.users.alex.group;
}; };
borg-repo = {
sopsFile = ../../secrets-desktop.yaml;
owner = config.users.users.alex.name;
group = config.users.users.alex.group;
};
hashedPassword = { hashedPassword = {
neededForUsers = true; neededForUsers = true;
sopsFile = ../../secrets.yaml;
}; };
}; };
}; };
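Review bot: The `defaultSopsFile` switch to ../../secrets.yaml in the first hunk changes which file every secret without an explicit `sopsFile` is looked up in, including the declaration whose name sits just above the second hunk (only its owner/group lines are visible here); with `validateSopsFiles = true` a key that exists only in secrets-desktop.yaml fails at evaluation rather than at runtime, so that is the first place to look if this host stops building. After these hunks nothing on the page references secrets-desktop.yaml any more; if that holds file-wide, the encrypted file and its recipient rule should be removed from the repository so a stale copy of those secrets is not carried along. Dropping `sopsFile = ../../secrets.yaml` from hashedPassword is consistent with the new default. The file path of this section is not shown on the page.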


@ -17,6 +17,7 @@ in
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
inputs.sops-nix.nixosModules.sops
../../configs/common.nix ../../configs/common.nix
../../configs/docker.nix ../../configs/docker.nix
../../configs/user.nix ../../configs/user.nix
@ -31,6 +32,43 @@ in
../../services/goaccess.nix ../../services/goaccess.nix
]; ];
sops = {
defaultSopsFile = ../../secrets-vps-arm.yaml;
validateSopsFiles = true;
age = {
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
keyFile = "/var/lib/sops-nix/key.txt";
generateKey = true;
};
secrets = {
borg-key = {
owner = config.users.users.alex.name;
group = config.users.users.alex.group;
};
# webdav-password = {
# owner = config.users.users.alex.name;
# group = config.users.users.alex.group;
# };
# goaccess-password = {
# owner = config.users.users.alex.name;
# group = config.users.users.alex.group;
# };
frigate-password = {
owner = config.services.nginx.user;
group = config.services.nginx.group;
};
hashedPassword = {
neededForUsers = true;
sopsFile = ../../secrets.yaml;
};
};
};
boot.loader = { boot.loader = {
systemd-boot.enable = true; systemd-boot.enable = true;
efi.canTouchEfiVariables = true; efi.canTouchEfiVariables = true;
@ -165,13 +203,13 @@ in
compression = "auto,zstd"; compression = "auto,zstd";
encryption = { encryption = {
mode = "repokey-blake2"; mode = "repokey-blake2";
passphrase = secrets.borg-key; passCommand = "cat ${config.sops.secrets.borg-key.path}";
}; };
extraCreateArgs = extraCreateArgs =
"--stats --verbose --checkpoint-interval 600 --exclude-caches"; "--stats --verbose --checkpoint-interval 600 --exclude-caches";
environment.BORG_RSH = "ssh -i /home/alex/.ssh/id_borg_rsa"; environment.BORG_RSH = "ssh -i /home/alex/.ssh/id_borg_rsa";
paths = [ "/home/alex" "/var/lib" ]; paths = [ "/home/alex" "/var/lib" ];
repo = secrets.borg-repo; repo = "ssh://u278697-sub3@u278697.your-storagebox.de:23/./borg-arm";
startAt = "daily"; startAt = "daily";
prune.keep = { prune.keep = {
daily = 4; daily = 4;
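Review bot: `keyFile = "/var/lib/sops-nix/key.txt"` with `generateKey = true` in the new sops block appears redundant with the host-key approach this same commit introduces via hostkey-to-agepub.sh: `sshKeyPaths` already derives the decryption identity from /etc/ssh/ssh_host_ed25519_key, and a key generated at key.txt can only decrypt anything if its public key is also listed as a recipient, which nothing on this page does. If the SSH host key is the intended identity, drop `keyFile` and `generateKey` so there is exactly one root-only private key on the host to account for; if key.txt is meant as a fallback, a comment saying so would help. The commented-out webdav-password and goaccess-password entries read as dead config and should either be declared or removed. The borg hunk further replaces the former `secrets.borg-repo` with a literal storage-box URL in a tracked file; if that is deliberate (the module's `repo` is an evaluation-time string, so a runtime sops secret cannot be substituted there), a one-line comment such as `# repo address is not secret; only the passphrase is` spares the next reader the question.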


@ -9,7 +9,7 @@ in
"frigate.szczepan.ski" = { "frigate.szczepan.ski" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
basicAuth = { alex = secrets.frigate-password; }; basicAuthFile = config.sops.secrets.frigate-password.path;
}; };
}; };
}; };
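Review bot: `basicAuthFile = config.sops.secrets.frigate-password.path` changes the expected content of the frigate-password secret: nginx reads `basicAuthFile` as an htpasswd file (`user:<hash>` lines), whereas the replaced `basicAuth` attrset took the plain password and wrote it into a file in the world-readable Nix store. Unless the value in secrets-vps-arm.yaml was re-encrypted as an htpasswd line (the single line printed by `htpasswd -n alex`), every login will be rejected, and a plaintext password left there would now be treated as a hash. A comment next to the declaration in the host file, e.g. `# htpasswd-format line (user:hash), consumed by nginx basicAuthFile`, and a commit message noting that this moves the password out of the Nix store would record both the format change and the reason for it. The `secrets` binding in the enclosing `let … in` may now be unused in this file; it starts outside the hunk.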