some sops

mjallen18
2025-12-19 13:32:07 -06:00
parent ba446f408a
commit 479ac18f20
7 changed files with 39 additions and 18 deletions


@@ -39,7 +39,7 @@ rec {
reverseProxyConfig = lib.${namespace}.mkReverseProxy { reverseProxyConfig = lib.${namespace}.mkReverseProxy {
inherit name; inherit name;
subdomain = cfg.reverseProxy.subdomain; subdomain = cfg.reverseProxy.subdomain;
url = "http://${config.${namespace}.network.ipv4.address}:${toString cfg.port}"; # TODO: address url = "http://${config.${namespace}.network.ipv4.address}:${toString cfg.port}";
middlewares = cfg.reverseProxy.middlewares; middlewares = cfg.reverseProxy.middlewares;
}; };


@@ -13,9 +13,31 @@ let
description = "glance"; description = "glance";
options = { }; options = { };
moduleConfig = { moduleConfig = {
sops = {
secrets = {
"jallen-nas/glance/arr-username" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
};
"jallen-nas/glance/arr-password" = {
sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
};
};
templates = {
"glance.env" = {
mode = "660";
restartUnits = [ "glance.service" ];
content = ''
ARR_USER=${config.sops.placeholder."jallen-nas/glance/arr-username"}
ARR_PASS=${config.sops.placeholder."jallen-nas/glance/arr-password"}
'';
};
};
};
services.glance = { services.glance = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;
environmentFile = config.sops.templates."glance.env".path;
settings = { settings = {
server = { server = {
host = "0.0.0.0"; host = "0.0.0.0";
@@ -47,7 +69,7 @@ let
{ {
type = "local"; type = "local";
name = "Jallen-NAS"; name = "Jallen-NAS";
cpu-temp-sensor = "/sys/class/hwmon/hwmon2/temp2_input"; # TODO cpu-temp-sensor = "/sys/devices/pci0000:00/0000:00:08.1/0000:cd:00.0/hwmon/hwmon*/temp1_input"; # Tctl
mountpoints = { mountpoints = {
"/home" = { "/home" = {
name = "Home"; name = "Home";
@@ -129,8 +151,8 @@ let
icon = "si:sonarr"; icon = "si:sonarr";
allow-insecure = true; allow-insecure = true;
basic-auth = { basic-auth = {
username = "mjallen"; username = "\${ARR_USER}";
password = "BogieDudie1"; # todo password = "\${ARR_PASS}";
}; };
} }
{ {
@@ -139,8 +161,8 @@ let
icon = "si:radarr"; icon = "si:radarr";
allow-insecure = true; allow-insecure = true;
basic-auth = { basic-auth = {
username = "mjallen"; username = "\${ARR_USER}";
password = "BogieDudie1"; password = "\${ARR_PASS}";
}; };
} }
# { # {
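Review bot: The basic-auth password that the Sonarr and Radarr entries used remains readable in this repository's history, as does the same string in the commented `registration_shared_secret` line and the `user.password` line removed elsewhere in this commit, so moving it behind `\${ARR_PASS}` only helps once the credential is changed on every service that accepted it. The new `arr-password` ciphertext in the secrets file is 11 bytes long, the same length as the removed literal, which suggests (but does not prove) that the old value was re-encrypted unchanged; please confirm it was rotated. Separately, the `glance.env` template sets `mode = "660"` without an `owner`; if the file is only consumed through `environmentFile`, `mode = "0400";` should be sufficient. The `services.glance` block continues outside these hunks.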


@@ -105,7 +105,6 @@ let
# Registration settings # Registration settings
enable_registration = false; # Set to true initially to create admin user enable_registration = false; # Set to true initially to create admin user
enable_registration_without_verification = false; enable_registration_without_verification = false;
# registration_shared_secret = "BogieDudie1";
# Media settings # Media settings
max_upload_size = "50M"; max_upload_size = "50M";


@@ -13,7 +13,7 @@ let
eula = true; eula = true;
declarative = true; declarative = true;
openFirewall = cfg.openFirewall; openFirewall = cfg.openFirewall;
dataDir = "/media/nas/main/ssd_app_data/minecraft"; # todo dataDir = "${cfg.configDir}/minecraft"; # todo
serverProperties = { serverProperties = {
enforce-whitelist = true; enforce-whitelist = true;
white-list = true; white-list = true;
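Review bot: The trailing `# todo` on the new `dataDir` line no longer says what is left to do now that the hard-coded path is gone; either drop it or spell it out, e.g. `dataDir = "${cfg.configDir}/minecraft"; # TODO: migrate existing world data`. Whether `cfg.configDir` resolves to the previous `/media/nas/main/ssd_app_data` is not visible in the hunk; if it does not, the server will start against an empty data directory. The attribute set continues outside the hunk.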


@@ -158,12 +158,10 @@ in
templates = { templates = {
"traefik.env" = { "traefik.env" = {
content = '' content = ''
CLOUDFLARE_DNS_API_TOKEN = ${config.sops.placeholder."jallen-nas/traefik/cloudflare-dns-api-token"} CLOUDFLARE_DNS_API_TOKEN=${config.sops.placeholder."jallen-nas/traefik/cloudflare-dns-api-token"}
CLOUDFLARE_ZONE_API_TOKEN = ${ CLOUDFLARE_ZONE_API_TOKEN=${config.sops.placeholder."jallen-nas/traefik/cloudflare-zone-api-token"}
config.sops.placeholder."jallen-nas/traefik/cloudflare-zone-api-token" CLOUDFLARE_API_KEY=${config.sops.placeholder."jallen-nas/traefik/cloudflare-api-key"}
} CLOUDFLARE_EMAIL=${config.sops.placeholder."jallen-nas/traefik/cloudflare-email"}
CLOUDFLARE_API_KEY = ${config.sops.placeholder."jallen-nas/traefik/cloudflare-api-key"}
CLOUDFLARE_EMAIL = ${config.sops.placeholder."jallen-nas/traefik/cloudflare-email"}
''; '';
owner = config.users.users.traefik.name; owner = config.users.users.traefik.name;
group = config.users.users.traefik.group; group = config.users.users.traefik.group;
@@ -181,7 +179,7 @@ in
enable = true; enable = true;
dataDir = dataDir; dataDir = dataDir;
group = "jallen-nas"; # group; group = "jallen-nas"; # group;
environmentFiles = [ "${config.services.traefik.dataDir}/traefik.env" ]; # todo: sops environmentFiles = [ config.sops.templates."traefik.env".path ];
staticConfigOptions = { staticConfigOptions = {
entryPoints = { entryPoints = {
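Review bot: The rendered `traefik.env` still carries `CLOUDFLARE_API_KEY` and `CLOUDFLARE_EMAIL` next to the two scoped tokens, and now that `environmentFiles` points at the template all four values reach the Traefik process. A global API key is account-wide, so if the DNS challenge works with `CLOUDFLARE_DNS_API_TOKEN` and `CLOUDFLARE_ZONE_API_TOKEN` alone I would drop the other two lines and their sops entries. Nothing in the hunk shows whether the old `${config.services.traefik.dataDir}/traefik.env` is removed; if it still holds plaintext values it should be deleted after the switch. The template's `mode` is not visible in this hunk.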


@@ -60,6 +60,9 @@ jallen-nas:
matrix: matrix:
client-id: ENC[AES256_GCM,data:Cv5nbJQPo2YkNwVlzaquXguaVpfVxmYu4LvwlgLJw1EVfDz8ZqgCtQ==,iv:OO9q+q36wCq0yuTxLpqh5Nn0oVWdNISTMZzeQedPcGE=,tag:KDsox/yemi9t76xr2/yvbg==,type:str] client-id: ENC[AES256_GCM,data:Cv5nbJQPo2YkNwVlzaquXguaVpfVxmYu4LvwlgLJw1EVfDz8ZqgCtQ==,iv:OO9q+q36wCq0yuTxLpqh5Nn0oVWdNISTMZzeQedPcGE=,tag:KDsox/yemi9t76xr2/yvbg==,type:str]
client-secret: ENC[AES256_GCM,data:5OcfUAVZ0xfGEkGr8rp08lFRbcvMf2XvCU08XnaK8iwjWEmVJjLHtBV0rzulPpdJf9eVapCz0udC8v1bPgD2tvVLNNdSUK5CMwYIB6dsa44/lkUe+EvNl/7w68vUqyo3rWAgTLIUksglvk/aCXH0p3ZIrQgQgeI6EbvdS5bcLqY=,iv:OeCnHFGaXUQhqdPX4XksKwwZrbhBr8bsNeDTiIbfSpY=,tag:KWqDU9iJmIQpObxNdLs6AQ==,type:str] client-secret: ENC[AES256_GCM,data:5OcfUAVZ0xfGEkGr8rp08lFRbcvMf2XvCU08XnaK8iwjWEmVJjLHtBV0rzulPpdJf9eVapCz0udC8v1bPgD2tvVLNNdSUK5CMwYIB6dsa44/lkUe+EvNl/7w68vUqyo3rWAgTLIUksglvk/aCXH0p3ZIrQgQgeI6EbvdS5bcLqY=,iv:OeCnHFGaXUQhqdPX4XksKwwZrbhBr8bsNeDTiIbfSpY=,tag:KWqDU9iJmIQpObxNdLs6AQ==,type:str]
glance:
arr-username: ENC[AES256_GCM,data:PlLrcaYLmvv5,iv:ZdBAkR93TLh0FMYhqBhxw8hZI5a/UeS3fpWkORH2e4k=,tag:hpuEgLnF5hCtt0XJTC/gAg==,type:str]
arr-password: ENC[AES256_GCM,data:K8J3fPGWc3SWeKo=,iv:pkr+m92OlAszLXmGn34tEtaEvvBV+ohObj2uRDqKIYc=,tag:wBxe9gijHie6sq0brtpMRQ==,type:str]
sops: sops:
shamir_threshold: 1 shamir_threshold: 1
age: age:
@@ -180,8 +183,8 @@ sops:
NXZkbVZyV0VtTzArOE1uU1JwMXZZN0EKLDU1x+rIWecDD9x//huoM2BM9NRSa4g1 NXZkbVZyV0VtTzArOE1uU1JwMXZZN0EKLDU1x+rIWecDD9x//huoM2BM9NRSa4g1
L5nodU/J0XsfB9z3kr7eY5LYSwsqGkAxI1cXJYZGHF+bozJjweyXTQ== L5nodU/J0XsfB9z3kr7eY5LYSwsqGkAxI1cXJYZGHF+bozJjweyXTQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-12-19T18:25:38Z" lastmodified: "2025-12-19T19:13:19Z"
mac: ENC[AES256_GCM,data:iJ5W0/Vc3P1uADpyPHKkpiBV3b4ls6zrkSvNKlLtKu0avFdf0zEQlxHRIdMqN9AY0CVnOeEu58kxI9J0ld8cTJtgnNvRWhWys4G8a5hCLkTdOB1uJvpRKu+ju+DbKJ2x5ozgDrzXweeG5Mt7vh8ZUFQ9LM3FEuFOzBokLhx6VCA=,iv:WbqHUYLHeG7rY17QN+MFp1UEpgYliT0ULiMah0TQtNo=,tag:Y9cL9KqSgcO11dYhBy6eNw==,type:str] mac: ENC[AES256_GCM,data:WxMZoYKjoEF1VLtmf8HvPqBizpoOTXUdVA7/IIYN0X4mBrg5Bcqj4fLx9hog6UbSQG5hbKxJzHxyeHJldun5bImmdrrE86aWWen3ukmOWxbT5TSVvZvqiwip3xDn4KmAjdoxkrL4SZrgvO6cHY8yTwbKIb3NtUIAKexsgfz6QjY=,iv:PSlNC2z4LZ/Vp0zaP7yyPvoojea9s3/CwnrrPMhF3YU=,tag:Wvc/aXzYLrl7DJe0AI8RyQ==,type:str]
pgp: pgp:
- created_at: "2025-08-24T02:21:34Z" - created_at: "2025-08-24T02:21:34Z"
enc: |- enc: |-


@@ -39,7 +39,6 @@
user = { user = {
name = "matt"; name = "matt";
hashedPasswordFile = null; hashedPasswordFile = null;
password = "BogieDudie1";
mutableUsers = false; mutableUsers = false;
extraGroups = [ extraGroups = [
"docker" "docker"