mjallen/nix-config
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

move stuff

Browse Source
This commit is contained in:
mjallen18
2025-08-26 17:20:27 -05:00
parent f66c0726b0
commit d15762b199
68 changed files with 24 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

278
systems/x86_64-linux/jallen-nas/sops.nix Executable file
View File

@@ -0,0 +1,278 @@
{ config, lib, ... }:
let
user = "nix-apps";
defaultSops = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
in
{
# Permission modes are in octal representation (same as chmod),
# the digits represent: user|group|others
# 7 - full (rwx)
# 6 - read and write (rw-)
# 5 - read and execute (r-x)
# 4 - read only (r--)
# 3 - write and execute (-wx)
# 2 - write only (-w-)
# 1 - execute only (--x)
# 0 - none (---)
# Either a user id or group name representation of the secret owner
# It is recommended to get the user name from `config.users.users.<?name>.name` to avoid misconfiguration
# Either the group id or group name representation of the secret group
# It is recommended to get the group name from `config.users.users.<?name>.group` to avoid misconfiguration
sops = {
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
# ------------------------------
# Secrets
# ------------------------------
secrets = {
"jallen-nas/admin_password" = {
sopsFile = defaultSops;
neededForUsers = true;
mode = "0600";
owner = config.users.users."${user}".name;
group = config.users.users."${user}".group;
};
"jallen-nas/nas_pool" = {
sopsFile = defaultSops;
mode = "0600";
owner = config.users.users."${user}".name;
group = config.users.users."${user}".group;
};
# ------------------------------
# ups
# ------------------------------
"jallen-nas/ups_password" = {
sopsFile = defaultSops;
mode = "0777";
restartUnits = [
"upsdrv.service"
"upsd.service"
"ups-killpower.service"
"upsmon.service"
];
};
# ------------------------------
# SSH keys
# ------------------------------
"ssh-keys-public/jallen-nas-root" = {
path = "/root/.ssh/id_ed25519.pub";
mode = "0640";
};
"ssh-keys-private/jallen-nas-root" = {
path = "/root/.ssh/id_ed25519";
mode = "0600";
};
# ------------------------------
# authentik
# ------------------------------
"jallen-nas/authentik-env" = {
sopsFile = defaultSops;
restartUnits = [ "authentik.service" ];
};
# ------------------------------
# attic
# ------------------------------
"jallen-nas/attic-key" = {
sopsFile = defaultSops;
restartUnits = [ "atticd.service" ];
};
# ------------------------------
# collabora # TODO
# ------------------------------
"jallen-nas/collabora" = {
sopsFile = defaultSops;
restartUnits = [ "podman-collabora.service" ];
};
# ------------------------------
# mariadb # TODO
# ------------------------------
"jallen-nas/mariadb/db_pass" = {
sopsFile = defaultSops;
restartUnits = [ "podman-mariadb.service" ];
};
"jallen-nas/mariadb/root_pass" = {
sopsFile = defaultSops;
restartUnits = [ "podman-mariadb.service" ];
};
# ------------------------------
# nextcloud
# ------------------------------
"jallen-nas/nextcloud/dbpassword" = {
sopsFile = defaultSops;
mode = "0650";
owner = config.users.users."${user}".name;
group = config.users.users."${user}".group;
restartUnits = [ "container@nextcloud.service" ];
};
"jallen-nas/nextcloud/adminpassword" = {
sopsFile = defaultSops;
mode = "0650";
owner = config.users.users."${user}".name;
group = config.users.users."${user}".group;
restartUnits = [ "container@nextcloud.service" ];
};
"jallen-nas/nextcloud/smtp_settings" = {
sopsFile = defaultSops;
mode = "0650";
owner = config.users.users."${user}".name;
group = config.users.users."${user}".group;
restartUnits = [ "container@nextcloud.service" ];
};
# ------------------------------
# onlyoffice
# ------------------------------
"jallen-nas/onlyoffice-key" = {
sopsFile = defaultSops;
mode = "0650";
owner = config.users.users."${user}".name;
group = config.users.users."${user}".group;
restartUnits = [ "container@nextcloud.service" ];
};
# ------------------------------
# manyfold
# ------------------------------
"jallen-nas/manyfold/secretkeybase" = {
sopsFile = defaultSops;
restartUnits = [ "podman-manyfold.service" ];
};
# ------------------------------
# immich
# ------------------------------
"jallen-nas/immich/db-password" = {
sopsFile = defaultSops;
mode = "0440";
group = "keys";
restartUnits = [ "container@immich.service" ];
};
# ------------------------------
# open-webui
# ------------------------------
"jallen-nas/open-webui" = {
sopsFile = defaultSops;
restartUnits = [ "open-webui.service" ];
};
# ------------------------------
# paperless
# ------------------------------
"jallen-nas/paperless/secret" = {
sopsFile = defaultSops;
restartUnits = [ "container@paperless.service" ];
};
"jallen-nas/paperless/authentik-client-id" = {
sopsFile = defaultSops;
restartUnits = [ "container@paperless.service" ];
};
"jallen-nas/paperless/authentik-client-secret" = {
sopsFile = defaultSops;
restartUnits = [ "container@paperless.service" ];
};
# ------------------------------
# Gitea
# ------------------------------
"jallen-nas/gitea/mail-key" = {
sopsFile = defaultSops;
owner = "root";
group = "keys";
mode = "0440";
restartUnits = [ "container@gitea.service" ];
};
"jallen-nas/gitea/metrics-key" = {
sopsFile = defaultSops;
owner = "root";
group = "keys";
mode = "0440";
restartUnits = [ "container@gitea.service" ];
};
# ------------------------------
# free-games-claimer
# ------------------------------
"jallen-nas/free-games/eg-email" = {
sopsFile = defaultSops;
};
"jallen-nas/free-games/eg-pass" = {
sopsFile = defaultSops;
};
"jallen-nas/free-games/eg-otp" = {
sopsFile = defaultSops;
};
"jallen-nas/free-games/pg-email" = {
sopsFile = defaultSops;
};
"jallen-nas/free-games/pg-pass" = {
sopsFile = defaultSops;
};
"jallen-nas/free-games/gog-email" = {
sopsFile = defaultSops;
};
"jallen-nas/free-games/gog-pass" = {
sopsFile = defaultSops;
};
};
# ------------------------------
# Templates
# ------------------------------
templates = {
"fgc.env" = {
content = ''
EG_EMAIL = ${config.sops.placeholder."jallen-nas/free-games/eg-email"}
EG_PASSWORD = ${config.sops.placeholder."jallen-nas/free-games/eg-pass"}
EG_OTPKEY = ${config.sops.placeholder."jallen-nas/free-games/eg-otp"}
PG_EMAIL = ${config.sops.placeholder."jallen-nas/free-games/pg-email"}
PG_PASSWORD = ${config.sops.placeholder."jallen-nas/free-games/pg-pass"}
GOG_EMAIL = ${config.sops.placeholder."jallen-nas/free-games/gog-email"}
GOG_PASSWORD = ${config.sops.placeholder."jallen-nas/free-games/gog-pass"}
'';
mode = "0650";
owner = config.users.users."${user}".name;
group = config.users.users."${user}".group;
restartUnits = [ "podman-free-games-claimer.service" ];
};
"paperless.env" = {
content = ''
PAPERLESS_URL = "https://paperless.jallen.dev"
PAPERLESS_SECRET = ${config.sops.placeholder."jallen-nas/paperless/secret"}
PAPERLESS_ENABLE_ALLAUTH = true
PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect"
PAPERLESS_SOCIALACCOUNT_PROVIDERS = {"openid_connect":{"OAUTH_PKCE_ENABLED":true,"APPS":[{"provider_id":"authentik","name":"authentik","client_id":"${
config.sops.placeholder."jallen-nas/paperless/authentik-client-id"
}","secret":"${
config.sops.placeholder."jallen-nas/paperless/authentik-client-secret"
}","settings":{"server_url":"https://authentik.mjallen.dev/application/o/paperless/.well-known/openid-configuration"}}]}}
'';
mode = "0650";
owner = config.users.users."${user}".name;
group = config.users.users."${user}".group;
restartUnits = [ "container@paperless.service" ];
};
};
};
}