refactor: add hosting-01 to colmena

Signed-off-by: Lander Van den Bulcke <landervandenbulcke@gmail.com>
This commit is contained in:
Lander Van den Bulcke 2025-10-21 13:34:45 +02:00
parent f1f8662e98
commit 440e1a6541
Signed by: lander
GPG key ID: 0142722B4B0C536F
11 changed files with 155 additions and 223 deletions


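--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -52,6 +52,12 @@ creation_rules:
 - *db-01
 pgp:
 - *lander
+- path_regex: hosts/servers/hosting-01.yaml$
+key_groups:
+- age:
+- *hosting-01
+pgp:
+- *lander
 - path_regex: hosts/hosting-01/secrets.yam?l$
 key_groups:
 - age: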
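Review bot: The new rule's `path_regex: hosts/servers/hosting-01.yaml$` does not match where the Nix modules in this commit look for the file (`./hosting-01.yaml` relative to a host directory the flake previously referenced as `./hosts/hosting-01`), so unless the host directory was moved in one of the two file sections not shown on this page, the file must have been encrypted under some other rule than this one. The dot is also an unescaped regex metacharacter; `- path_regex: hosts/servers/hosting-01\.yaml$` (or the `hosts/hosting-01/` prefix, whichever is the real location) pins it. The rule kept below it, `hosts/hosting-01/secrets.yam?l$`, targets the secrets.yaml this commit deletes and can be removed. Once the rule is settled, a `sops updatekeys` run on the new file makes its recipients follow the rule rather than whatever matched at creation time.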


@ -158,15 +158,6 @@
./hosts/heimdall ./hosts/heimdall
]; ];
}; };
# servers
hosting-01 = nixpkgs.lib.nixosSystem {
system = "aarch64-linux";
specialArgs = { inherit inputs outputs; };
modules = [
./hosts/hosting-01
];
};
}; };
colmenaHive = colmenaHive =
@ -187,6 +178,7 @@
{ {
imports = [ imports = [
inputs.disko.nixosModules.disko inputs.disko.nixosModules.disko
inputs.headplane.nixosModules.headplane
inputs.nixos-mailserver.nixosModules.mailserver inputs.nixos-mailserver.nixosModules.mailserver
inputs.sops-nix.nixosModules.sops inputs.sops-nix.nixosModules.sops
nixosModules.bandcamp-collection-downloader nixosModules.bandcamp-collection-downloader
@ -218,7 +210,10 @@
meta = { meta = {
nixpkgs = import nixpkgs { nixpkgs = import nixpkgs {
system = "aarch64-linux"; system = "aarch64-linux";
overlays = [ overlays.unstable-packages ]; overlays = [
overlays.unstable-packages
inputs.headplane.overlays.default
];
}; };
}; };
} }
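Review bot: `inputs.headplane.nixosModules.headplane` and `inputs.headplane.overlays.default` are added to what look like the hive-wide `imports` and `meta.nixpkgs.overlays` lists, so every colmena node now evaluates the headplane module and has its overlay applied, not only hosting-01; if those lists are shared, scoping both to the hosting-01 node definition keeps the other hosts' package set unchanged. The first hunk removes hosting-01 from `nixosConfigurations` while a later section deletes its disko `disk-config.nix`, so unless that file moved in one of the two sections not shown on this page, the machine's disk layout is no longer declared anywhere and a reinstall would have to be done by hand. A one-line comment where the `# servers` entry was removed, e.g. `# servers are deployed through colmenaHive below`, would tell the next reader where hosting-01 went. The attribute set these hunks edit begins before the first hunk.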


@ -1,52 +0,0 @@
{
lib,
disks ? [ "/dev/sda" ],
...
}:
{
disko.devices = {
disk = lib.genAttrs disks (disk: {
device = disk;
type = "disk";
content = {
type = "gpt";
partitions = {
boot = {
name = "boot";
size = "256M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
main = {
size = "100%";
content = {
type = "btrfs";
extraArgs = [ "-f" ]; # override existing partition
subvolumes = {
"/" = {
mountOptions = [ "compress=zstd" ];
mountpoint = "/";
};
"/home" = {
mountOptions = [ "compress=zstd" ];
mountpoint = "/home";
};
"/nix" = {
mountOptions = [
"compress=zstd"
"noatime"
];
mountpoint = "/nix";
};
};
};
};
};
};
});
};
}


@ -1,50 +0,0 @@
authelia:
hmac_secret: ENC[AES256_GCM,data:BKW1DTLgoGR5Z+lJxIzDugqDaJD4I9YgwPYKvaY3GyLsjZ+A9YmAKrSVIxixjaV465H2dJU1Gy9IFf1fL1IdKw==,iv:u3lN2yXlJ53Q+KHwjKNOUz+wdFziFGRPYrWYPvPbp3M=,tag:CslQZLCB40KfPnsGNBQh3w==,type:str]
jwt_secret: ENC[AES256_GCM,data:4FvIOu8GFTLfQ5n5owAd2gJxLmamyZaciJFDXG50SADIaS/BTK0e1wp7lw6YvPFmNnpzfUcQ7jxmYatNU1wZjg==,iv:gEu/hOsKAGdXBbvXZAEqaE1a5mIYD4eS80WlxRbDLaM=,tag:2IfNyPZUTsnilPD9a1GBCw==,type:str]
jwks: ENC[AES256_GCM,data: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,iv:rN0J3aCHpdRSEyx8K8FQCuTvEBaKDV6+pQWZVB55wxo=,tag:StQWyn4EpUtRyium8Skg+Q==,type:str]
lldap_authelia_password: ENC[AES256_GCM,data:OdW47EXFf9AwDtnjy1BBeHnMA8Jj4SBjLIGMF8BR4sw=,iv:DWqLJ9Hu16H5mMUxDSEi78W9kdaPmGmtvd2PamM1NqY=,tag:1Im3hAAd17PWdSjH+w+LKA==,type:str]
session_secret: ENC[AES256_GCM,data:Xw4K4DA1jyJGg6nzLLv2y9j4vwoodHeZhL35DrNB9BKBx8Muv99BbPIvz3lDZ2xB2p+aqB+3WzY/8jgkANlgAg==,iv:CxMkaBnOty4Q7dFH6Kn5v3L+F5QWJP9TR86xVRXCKN8=,tag:KIa2BsNn5gzDiaOxEZ2LQg==,type:str]
smtp_password: ENC[AES256_GCM,data:L7yf9g01QysPSirr9IK5ITvnl6XNQONv1AS91zrkf7E=,iv:fRJ9ZIviravLvgdl5BigSoOjUiAfQGB492/bS5GvhL8=,tag:DLhVqa/2Xn/vdChz4/ZixA==,type:str]
storage_encryption_key: ENC[AES256_GCM,data:hl5ciFqrQzv0iGE1RlIFctDMIFv7QOrVqZfqWBuHqn792i8ewwQxWnWQOxglsxSmvZwWYK9c2FcPJuMBWsYlpg==,iv:FBJXZQeenoV84wGCDinerifofKMSqJIY9qw0o3qUmeY=,tag:cymRnw2Jp+VaOo/lhX1C8Q==,type:str]
lldap:
jwt_secret: ENC[AES256_GCM,data:9h7XljbIrLxK3ekcAP8dZTAwlx8u/2eLqdfRHhHn+Lwj/sav3QNmqgfee9pyHhaoLvgZKWwKr7I+ijLZtOpIgQ==,iv:+VZUqDTy9EOm65ATJ6fPGeyA6aR043VmvXTzVmeMH+o=,tag:8nyYCrwoZADmt05EgldymA==,type:str]
key_seed: ENC[AES256_GCM,data:gt3jgAk4upREudd1HYXCSsqg6E3Vuq0WbiDSTjYZF+QJXa7cdq0Ke8XrjJVCAokbp7ZZsf1MMo/wEkr47HXggg==,iv:7xrMZrWNpsAtBoOx4p3RjaEJru9jXrdXkR/Z8rA4vwI=,tag:oLbli5vAw8X00eiD87sSCA==,type:str]
admin_password: ENC[AES256_GCM,data:RBibqepGrtX8hKVzdcAtTbsVZg==,iv:RLu3JkhtmCfXVwZA8EX/dVgqqu7hWURIWNSywlW/8ew=,tag:jQXYo2a+Idh1AIfr1687gg==,type:str]
oidc_clients:
headscale:
hashed: ENC[AES256_GCM,data:WWD40bVWbFAp1qIDHjKhc2UWTtCuVPaMrU+NqHBwvc7CDQ9CiUIb19vGqvUR11dhg5XyX2TgDRKuwRusA6Sv7cKjiLS7Mh1vkPi2rthYt/v5xKK0dvdI7VykkJQ1PV15VWumVuswhHuTu1FHweTA9dnMyaz4fE3cWerb22SRbT7LCko=,iv:psR3lnD/kO5+WTqcmTKbuOFfnd/YNZFR0qYYMGYgzhM=,tag:QPgfxytRP+X6mgtRqZngBg==,type:str]
unhashed: ENC[AES256_GCM,data:UPW0HSB712h6sjSHdEf3dsJ5iwodNyzutxPQy4tFdSrjoBRxzr0ad8uzOsMtqGX7fEt7w88QQBNNvki/9IXRfV07vQMAcOnN,iv:EvdLrxdhq6nLBc8zaGmImRRiuHZJ/R0cofuoj4RNUHI=,tag:R0DLJ0fngr4MRx38bZ9WWA==,type:str]
forgejo:
access-key-id: ENC[AES256_GCM,data:LVlYp0wQ1gxTg/RVG9HduoVpiUKLNCzwmX6DX7dQrv0=,iv:Oh4CA1Gp+nSWmQhX5OGI9vf3yC1XU/VpV/oveQefz8c=,tag:RguhY9Zh2q+cZ8rthhVcrw==,type:str]
secret-access-key: ENC[AES256_GCM,data:nODhpLuUG2uaaSDbULstA6YFHIRPg3mvgIyHqRB0Vj11f5X0TMuLjp3Feq7UeV9DbQWyjDVtEsRg9VGIywrD/Q==,iv:hsStXkXVLBkEWtBP6dY6z2mwfzv3t4L6E+Ht/18KE4E=,tag:vQBUwqXq41bbQ/+aSUIQJg==,type:str]
mailer-password: ENC[AES256_GCM,data:sO8Tt1Smwcr8hME/zYs118DiUfbcmhKnT2FCyjyUZfId4cHfjvxHuqZIHvBSlec27sbCmxRBHeCJ3Can6IFCAA==,iv:kPmW6oFCRBEzKScpFrW3Z0xhFCRg+MpiA9qJozakHjE=,tag:9xCVN/wFjN8Kl95PSC9aXA==,type:str]
oidc-secret: ENC[AES256_GCM,data:NeLfEXssdP5f4ff1uz3RwURw+OWAm3QgYz/EPpWb1aE+vIDIhPigiPem1+NrVvdBQ5uysL3VdnLtJPxwppcouoT7VGJkcog+,iv:eCl4I7EC7GTeQNSthk5QrMqNl1B9qvGGxQTspjD+LEU=,tag:qyPKf7E5xNmUI913Fb8n8A==,type:str]
mealie-env: ENC[AES256_GCM,data:3fZJffJs/WwtmMirHBRkghfPPkTB5sgY6oWNs5GUbkUzOooWurOvm0OcQHAEQf+HLn21kCOk/ilmlrcdMFtzXijClpHuy8n7cwmdGI0bwZ14QPCVlSYvSPisjX0=,iv:tc77J3T4tNGzBnXNBlq4wmfFMFQ44ZFEtl2N1QAt77U=,tag:hW7YceS5/GQveJj8fcf5uA==,type:str]
vaultwarden: ENC[AES256_GCM,data:6yLk6ip/Bd/469XNDYq5kKl+fPy8/+9Ybhruyly0HopNXbrBmzfAkAhuP0geZZTeAkxp2k/nn8vQ9I10QwzQ5Si0RhQWWidUdd2VyAlDlppiGBhtpeiY3J/2tlEGH1rf1O0NL23oGtqvRe4mEMZtyqK6YPYv7skOjaV5mzxu97psTQlqnOOAaisIVN/LqmKmzR72T3/SxlN8I0JzMneICfSLcwEp2//qVplqvTwTQgWziMf/Gkf2kkbugKRWSbp7sQ6cel2Gk2zyREx86biTje6nOjZ5goT2dcXzGexp6bzFb+XKu1Zj5wfY7dmvxZzMyigm4SSkjLd0Fh0QxU9cEiMAe5Max8c0i4Nqfh3Y1JZFj5sMS7e34oERMSA5wNu0l9hTaM5AYWiNPpvi4T3kLlguX5oerWvZWzeQT53soZF2iKdah2+J/0Wck8FRU3JXhC56XfIb,iv:AFzQvZnD8Aswoshp6X3AFkdxRCvL7rbClMwoW9C8epA=,tag:+W4t7W59LQMc3JzwoaAAcA==,type:str]
sops:
age:
- recipient: age18g4z53ykxzq35dsjq3a2np4f88xwat0kwtax229l3zn0ykhlpvqqy8fgtv
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFcjltUDdJL2lrMEZvRk5Q
TFErTFYrYTlvbTc3OHd0SWZEQTNuQzFIZ2dJClNhcWRmWkh4MXlaeklJdEh0K3lp
MG9hMHU1OWcybUhKM1QrclBBeGpOaWcKLS0tIEZMYVNKN1ZxQmxHcFRUQ1BVUUtq
NW9CUkJQbis1NmpyU0xrb3J4UVNKTDgKsPFnlQBa8LGm6s8uZsUXq9RIt4WzzROc
mz9dEVq/R54xvjMRltgzZyu54BWWOQYgkZUEhOnDoqwVnA7XwGGYtA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-10-21T09:26:44Z"
mac: ENC[AES256_GCM,data:yiWDzGJj/Yuq/Y8DvE+muEGiynr8TI0RkX2YAu3KdloSvtAvjBRbc3kkyFqEAjLA9EKJAhb+0O00Ugul5uo0icw8PMBOBg2lMgLGcW7w531O1DgSgoVloUNRp+YlAnFQMkBO/euRwWOgfHmp3Usj4NmnUStTXuZUH225EeSBYkE=,iv:dPnfHLkgpp/AyuAAY4r13toPlMa5myzo3ubNDDN8Ya0=,tag:FaA31H6Rd8RUJvixsIo9BQ==,type:str]
pgp:
- created_at: "2025-07-06T18:28:35Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DARdpY4woM6wSAQdAzqZHVo7/A+jPwSx63zOXGJ9tCF7qYDvu/Eg7HxCxhFYw
P277CjIB3imnRHCms18b+ze9Bv3A2wNdBGlbqhG/Z1R10NPx3nJydnYCUdZtbKFk
0lwBTahORz3Ha2RqKTiuUGhncNtz+4U5i08sbLCzp/1Vc32RAwEGtfbMFosS4Uf2
qCFsnEICj2MuXgBtub5Mw2zpDIFkjaIRGLPohiJy+Yrp9J14hWuZmC79lwGRgQ==
=umk4
-----END PGP MESSAGE-----
fp: 4BE1257015580BAB9F4B9D5FCA5B1C34E649BF92
unencrypted_suffix: _unencrypted
version: 3.11.0


@ -158,34 +158,31 @@
}; };
}; };
sops.secrets = { sops = {
"authelia/hmac_secret" = { defaultSopsFile = ../hosting-01.yaml;
owner = "authelia-escapeangle";
sopsFile = ../secrets.yaml; secrets = {
}; "authelia/hmac_secret" = {
"authelia/jwks" = { owner = "authelia-escapeangle";
owner = "authelia-escapeangle"; };
sopsFile = ../secrets.yaml; "authelia/jwks" = {
}; owner = "authelia-escapeangle";
"authelia/jwt_secret" = { };
owner = "authelia-escapeangle"; "authelia/jwt_secret" = {
sopsFile = ../secrets.yaml; owner = "authelia-escapeangle";
}; };
"authelia/session_secret" = { "authelia/session_secret" = {
owner = "authelia-escapeangle"; owner = "authelia-escapeangle";
sopsFile = ../secrets.yaml; };
}; "authelia/storage_encryption_key" = {
"authelia/storage_encryption_key" = { owner = "authelia-escapeangle";
owner = "authelia-escapeangle"; };
sopsFile = ../secrets.yaml; "authelia/lldap_authelia_password" = {
}; owner = "authelia-escapeangle";
"authelia/lldap_authelia_password" = { };
owner = "authelia-escapeangle"; "authelia/smtp_password" = {
sopsFile = ../secrets.yaml; owner = "authelia-escapeangle";
}; };
"authelia/smtp_password" = {
owner = "authelia-escapeangle";
sopsFile = ../secrets.yaml;
}; };
}; };
} }
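Review bot: `sops.defaultSopsFile` is a single host-wide option, yet this hunk sets it to `../hosting-01.yaml`, the lldap and forgejo sections below set it again, and the host's default.nix sets `./hosting-01.yaml`; the definitions only merge because every relative path resolves to the same absolute file, and the first module that moves turns this into a conflicting-definition evaluation error. Setting `defaultSopsFile` once in the host's default.nix and leaving this module with only `sops.secrets."authelia/…" = { owner = "authelia-escapeangle"; };` entries makes the file location a single decision. The seven identical `owner` blocks could also collapse into one `lib.genAttrs` over the secret names if `lib` is among this module's arguments, though that is taste. The module attribute set containing this `sops` block begins before the hunk.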


@ -32,18 +32,18 @@
groups.lldap = { }; groups.lldap = { };
}; };
sops.secrets = { sops = {
"lldap/jwt_secret" = { defaultSopsFile = ../hosting-01.yaml;
owner = "lldap"; secrets = {
sopsFile = ../secrets.yaml; "lldap/jwt_secret" = {
}; owner = "lldap";
"lldap/key_seed" = { };
owner = "lldap"; "lldap/key_seed" = {
sopsFile = ../secrets.yaml; owner = "lldap";
}; };
"lldap/admin_password" = { "lldap/admin_password" = {
owner = "lldap"; owner = "lldap";
sopsFile = ../secrets.yaml; };
}; };
}; };
} }


@ -69,34 +69,35 @@ in
systemd.services.forgejo = { systemd.services.forgejo = {
requires = [ "tailscaled.service" ]; requires = [ "tailscaled.service" ];
preStart = '' preStart = # bash
auth="${lib.getExe config.services.forgejo.package} admin auth" ''
auth="${lib.getExe config.services.forgejo.package} admin auth"
echo "Trying to find existing sso configuration for Authelia"... echo "Trying to find existing sso configuration for Authelia"...
set +e -o pipefail set +e -o pipefail
id="$($auth list | grep "Authelia.*OAuth2" | cut -d' ' -f1)" id="$($auth list | grep "Authelia.*OAuth2" | cut -d' ' -f1)"
found=$? found=$?
set -e +o pipefail set -e +o pipefail
if [[ $found = 0 ]]; then if [[ $found = 0 ]]; then
echo Found sso configuration at id=$id, updating it if needed. echo Found sso configuration at id=$id, updating it if needed.
$auth update-oauth \ $auth update-oauth \
--id $id \ --id $id \
--name "Authelia" \ --name "Authelia" \
--provider openidConnect \ --provider openidConnect \
--key forgejo \ --key forgejo \
--secret $(tr -d '\n' < ${config.sops.secrets."forgejo/oidc-secret".path}) \ --secret $(tr -d '\n' < ${config.sops.secrets."forgejo/oidc-secret".path}) \
--auto-discover-url https://auth.escapeangle.com/.well-known/openid-configuration --auto-discover-url https://auth.escapeangle.com/.well-known/openid-configuration
else else
echo Did not find any sso configuration, creating one with name Authelia. echo Did not find any sso configuration, creating one with name Authelia.
$auth add-oauth \ $auth add-oauth \
--name Authelia \ --name Authelia \
--provider openidConnect \ --provider openidConnect \
--key forgejo \ --key forgejo \
--secret $(tr -d '\n' < ${config.sops.secrets."forgejo/oidc-secret".path}) \ --secret $(tr -d '\n' < ${config.sops.secrets."forgejo/oidc-secret".path}) \
--auto-discover-url https://auth.escapeangle.com/.well-known/openid-configuration --auto-discover-url https://auth.escapeangle.com/.well-known/openid-configuration
fi fi
''; '';
}; };
services.nginx.virtualHosts."git.escapeangle.com" = { services.nginx.virtualHosts."git.escapeangle.com" = {
@ -110,22 +111,21 @@ in
}; };
}; };
sops.secrets = { sops = {
"forgejo/mailer-password" = { defaultSopsFile = ../hosting-01.yaml;
owner = "forgejo"; secrets = {
sopsFile = ../secrets.yaml; "forgejo/mailer-password" = {
}; owner = "forgejo";
"forgejo/oidc-secret" = { };
owner = "forgejo"; "forgejo/oidc-secret" = {
sopsFile = ../secrets.yaml; owner = "forgejo";
}; };
"forgejo/access-key-id" = { "forgejo/access-key-id" = {
owner = "forgejo"; owner = "forgejo";
sopsFile = ../secrets.yaml; };
}; "forgejo/secret-access-key" = {
"forgejo/secret-access-key" = { owner = "forgejo";
owner = "forgejo"; };
sopsFile = ../secrets.yaml;
}; };
}; };
} }
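Review bot: In the preStart script, `--secret $(tr -d '\n' < ${config.sops.secrets."forgejo/oidc-secret".path})` is an unquoted command substitution, so a secret containing whitespace or glob characters is word-split before forgejo sees it; `--secret "$(tr -d '\n' < ${config.sops.secrets."forgejo/oidc-secret".path})"` on both the update-oauth and add-oauth branches keeps it intact. Independently of quoting, the secret travels as a process argument and is readable by any local process through `/proc/<pid>/cmdline` for the duration of the call, which the new `# bash` marker does not change; that pre-existing exposure deserves a comment at the top of the script if forgejo's CLI offers no file- or environment-based alternative. The second hunk repeats the `sops.defaultSopsFile` duplication already raised on the authelia section. Both `preStart` and the `sops` block sit inside a module attribute set that begins before the first hunk.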


@ -1,8 +1,7 @@
{ {
inputs,
config, config,
pkgs,
lib, lib,
pkgs,
... ...
}: }:
let let
@ -18,23 +17,10 @@ let
in in
{ {
imports = [ imports = [
./disk-config.nix
{
_module.args.disks = [ "/dev/sda" ];
}
inputs.headplane.nixosModules.headplane
../common/servers
./auth ./auth
./git ./git
]; ];
time.timeZone = "Europe/Berlin";
networking.hostName = "hosting-01";
networking.nameservers = [ "8.8.8.8" ];
networking.firewall = { networking.firewall = {
enable = true; enable = true;
allowedTCPPorts = [ allowedTCPPorts = [
@ -43,8 +29,6 @@ in
]; ];
}; };
nixpkgs.overlays = [ inputs.headplane.overlays.default ];
services.nginx = { services.nginx = {
enable = true; enable = true;
recommendedGzipSettings = true; recommendedGzipSettings = true;
@ -126,11 +110,6 @@ in
credentialsFile = config.sops.secrets.mealie-env.path; credentialsFile = config.sops.secrets.mealie-env.path;
}; };
sops.secrets.mealie-env = {
owner = "mealie";
sopsFile = ./secrets.yaml;
};
services.nginx.virtualHosts."recipes.escapeangle.com" = { services.nginx.virtualHosts."recipes.escapeangle.com" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
@ -166,11 +145,6 @@ in
environmentFile = config.sops.secrets.vaultwarden.path; environmentFile = config.sops.secrets.vaultwarden.path;
}; };
sops.secrets.vaultwarden = {
owner = "root";
sopsFile = ./secrets.yaml;
};
services.nginx.virtualHosts."bitwarden.kinkystar.com" = { services.nginx.virtualHosts."bitwarden.kinkystar.com" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
@ -179,8 +153,20 @@ in
}; };
}; };
security.acme.defaults.email = "landervandenbulcke@gmail.com"; sops = {
security.acme.acceptTerms = true; defaultSopsFile = ./hosting-01.yaml;
validateSopsFiles = false;
secrets = {
mealie-env = {
owner = "mealie";
};
vaultwarden = {
owner = "root";
};
};
};
system.stateVersion = "25.05"; system.stateVersion = "25.05";
} }
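Review bot: `validateSopsFiles = false;` switches off sops-nix's evaluation-time check of the sops file, so a missing, malformed, or otherwise unusable `hosting-01.yaml` is only discovered when the activation script runs on the host instead of when the closure is built; since `defaultSopsFile = ./hosting-01.yaml` is an in-tree path that the check can read, nothing visible in this commit needs the escape hatch, and the line should either be dropped or carry a comment stating why, e.g. `validateSopsFiles = false; # <reason>`. The same hunk removes `security.acme.defaults.email` and `security.acme.acceptTerms`, and the earlier hunks drop `networking.hostName`, `networking.nameservers`, `time.timeZone` and the `../common/servers` import; presumably these moved to the colmena node definition, which is not on this page, but if `acceptTerms` is not set elsewhere the `enableACME` virtual hosts in this file will fail the ACME assertion at evaluation. Dropping `nixpkgs.overlays = [ inputs.headplane.overlays.default ];` here is consistent with the overlay now being applied through the hive's `meta.nixpkgs`.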


@ -0,0 +1,50 @@
authelia:
hmac_secret: ENC[AES256_GCM,data:DbU0RE1cM3W2nW0qSZWFH8NCmd9qkjOuhTfGMXn+q6+UoKzh4Gf5bma8iXha4Y4ZZjpAHsj0csStGkrdayzjdQ==,iv:Q3Usgu6GXR3n5p9E9r1tUeM8CELl1WJ2gUhbOF2vzlE=,tag:8dLj1PFA/+LU2ToC44mtyA==,type:str]
jwt_secret: ENC[AES256_GCM,data:jIUeEUlv2ghFieuiTgfY7EoirOial0ZVWzUIEhvAL71GVKtYC+YfHMERiQ8l3d4FHH5gGR4VwvfX2Qo0M8JYPQ==,iv:ZbyQeoXWQHm5ql1L14XtdKYELpmEgoc3o3uldZCJsaQ=,tag:6U5xPh4tRUcox3LvFyzYwg==,type:str]
jwks: ENC[AES256_GCM,data:r3P9NWIxhcrTWKEM5paz3J/41d9LPcwSLaw/u0yNtVU6s/B1UROHnRFJSev/ed215s1YzzR5ouiIChLKyLLO9EAiz+yZKdM2l9JH3d2LxxHqZMtL3tTfKjei1uqvpr9+zuw9T0U7y/IZOm81of/vOZa7JS5IzGuRj8w9zXZey0L8CWbq7dA1WMWYmT506VlxjcktCeZCNO0vndNLxhOzQl2334OtKrVFs0LNohLu1JgvsXA3qPPX/c7t2LbttlcNni+dIZlTWWKgtg7F1FuPxfi4j6qNVbgITf253P1h1u9UsG+TPdC9x6SDVDMNbz6zzMpR1kr4tv2euDV99SYYDAzpy7W1aaiqxew+rCPqYUSTEU2zymZrLGzP3RrNWKbaZPLD2eaT0hymIdoEVQOsNYgKM/pIUF7KKFg4BYm7WqEUIfoTcFe5p2+hYHop5tHivEAgyBMFU8SkcIUGMfZFmyjTeryUK8MG9VgG2ll8Y90BRp+VRqS9D3Y0YgKGP+UfkgISsjDwo+tu9oJ3duJgzYUrOPD6ongm+u2S0hPt8SUOBdbFRnF1MwYfehShrg8Jca6y55hvNe1InQwV/oDldkOFwmWNb0nzXNIeatjKsuAmOEXWniEk44GWGk5OumgL71pfqWW8S6djp7DeWoLfTFCLZwjD8i6IfvzgsaGYUcjfj4KeHCRcjL6fplfw12cCbymCMxmAWw8w43Nz56t+9nPRC0+neI9WX8PzLONB+m+p08KGLY+6jEcy+MCIEbTmN2+leqSsB0uk2ToCRzd0FmIGImVSaKgYCOaUoT2NYBGsjIN/31num6Im/gKnN39qO4hIvIz+h6QfJyKCdzcbZ2lggvxWau48PmoDKIjy0mzfa1g3ah0GBgqWbg4pOlaNCumQ6NyRH/oBS8xVKSMLp2D4LubDcbFsTTbiXfljwwrfMQz7Ne5GFeWBIN+5pjVUtbqDM+7HlFwrTuAUWLBDbeJUe2vJMWzqeSbBihKzYHrPFX8Ic4G1HJh68wHssGnWGXQ6pWU9C0w3zCOIXBzPr8q7fd9kcjr5hWwteydIAakvKPNTGFnsw3kHL9d4TmKftCRwitFOH2YaGs7olArMAWAGL7/n8YT60A+K3vGwgMRW3X8sbLOs7kirjYMm4i5PPSfg7e3acME5Cr58UmKO7nqu8MXgU6KaR7axA1ypRrjIY0dhIiUiTMW7WaiiPXMbgV5LzWVhzb3YzEczL9c9nQUkpLWh8YGufuifaaKJpopgZoSDfu7A8u8g4yweHtFtg+fMU2ayrTUyfgtHlJ/ULIrKad3bDrvOJDRODwkUNS7NrqWVbAMP6EBRVBj65WXgqhWgsKYw6p2x9sD+Cy4Q1w5YpczcnlUu+qiV/LyZZJ0SrsoEe6UUKC0fQS7T03DHur+htvcBGwCftHqYCvf1YVDDW/sSWkdGUW8vAl3ajZuD8jGuK4faKzPCZRiwqDWiINXy3v3MC4lPUBwO1uCKeu7rnzd00xvT/C66BIKVs7R3eq1UVhVsAEEQljOb1ch2v8qMSYRKJAEICLlWWdoQazUJDoG9O3IZukva9BQU1vC07Jq3qI7EtbJM3+M1p+otwOgfZD7QOOjw08D3LtOPBn450ydDI6cl8v0ZW09Esog9nCJcyt8DfDJ/Y+5FJZ7MgQsXKWJTjIzQ8mvu888BGWeYtgDOY2wEUpk3VwzBQQR3i/qyvQm5b6w4H2AFNIxakK0Y+WX58E1AYeO+kPgXqWhxSeY9+zbj14MOV5+00ExPIZtw/rYiZhlDyu/PQ8tGzUB8MiT+8QMYWVsFKJ8l+v6uB7mhnPSo+m1rOwZQs4CxW4HDC8No+8GFNmbBXxzbmZ9E6DonCaftYEBluAAGM1ONGUSkxnb+a0PTgbDSrQ2K03LJxrkdJwvK9mMrJJ3mCNKGePTEN9PwDhY3/uMD6KLvsWAkX7/8krK8LkuPIIk3JT4p01ZYWt
BVY6WH7eOnC+5FaUbDxrpVNL5hS7DrAN4fSuHtYE7R4fYslImzTILvR3Zg7Z0gkbm+SDWjvnqHcXJv3yDM1LCLgJ7OUFL8oEG+PYtUVildEPW56Ng6uww+LfsV7hJ3BR6iINIyU79zsXtL1w+UJ641ORfdy1pikKlhDflXhbYqxDLzUbAKUjyFcwSNTFSJD7LE2Gc1HdKWM8sWiHWR2OP7S2ftVpeGj5KKQ2+5Y8/W15Di/QaaZAcicED4lYmrxOTYLdxR0CaAvGd5TmKfmjQ8ePsJN8xGJMRjiLwJ7p/AlQ==,iv:H32i8uJWcvMjL8HJcYfIrGcGINBDqasIXsRgITjMmxk=,tag:Jfn82j50QAljozvvqySlug==,type:str]
lldap_authelia_password: ENC[AES256_GCM,data:zc9TIslPGg6evzinIsuAJKjt2IADOQMjQjiRq88t8eM=,iv:6EvE9yS4e2fSuo06n2ARoOpcTXzjlwpMwgg4xrJVwcQ=,tag:5wWcJJotUlEV0umKjeMLQA==,type:str]
session_secret: ENC[AES256_GCM,data:pJ/DEcH9dydXQRPBW9bfmnTfRhCBK9uV0wtLFH7aTpj5i3Fa0UzrdsgPLvSPiG3XlQwHeALszzAkj+JpYI+dIQ==,iv:g5GFeOxrxYJU0B2o/eLfSmgbOPop0duuX5WhKJkttMg=,tag:Y7hsRtopuYmXWZly1DnOQA==,type:str]
smtp_password: ENC[AES256_GCM,data:Hca+LzID58tde/TXJuTaFj82kcWY3eGcc4ndvw7L7JE=,iv:Os/+7BSLHLwUHdeRkt1T/sLX/DCaNZGa9g/e9Fftfjk=,tag:fLYJ2ybRHV56m0BSzwfUxQ==,type:str]
storage_encryption_key: ENC[AES256_GCM,data:7tbBpgE48g4LvcE7KQUFQ18ejfOMEfxKRGMLe9dpu7sLftQbTVW9dGWcSiwW1NSomMefaflqISOV077y9/EqnQ==,iv:KtSQGFB4P8i9VphgNPHgqYytSeYA/kFnL4n6N87vqPI=,tag:bYR//XM8JhQDFiPK+pfPkw==,type:str]
lldap:
jwt_secret: ENC[AES256_GCM,data:T32xPJpMno8u1w1NJ+kar4yb3IKW+hQAfuxxBJ7uv8+tLAVi6YytTKwDz7dS3KCA1H7kxHmINEqbXng5qGP+Yg==,iv:EK3cVN7kpZnxldqSLd2OxyrGd1uCeEXpNcyIDUNxUI0=,tag:UZzrwhJ6isMNHLlFGFVvSg==,type:str]
key_seed: ENC[AES256_GCM,data:1y2snXLHVAnuwBSQ3ksvsMg9g3sozTkC5P0IgbJIg328RL8dZK3K9+mMe71W5a970NwP8agvEHaq4y/pQbbtIg==,iv:6sKjiaHPexmYjyzf+w1wU/rZk20cMawKXnsQ0PSbB2Y=,tag:kVi+s90LiLTgiYICjTNTUA==,type:str]
admin_password: ENC[AES256_GCM,data:08Wgc0iZGnd5MZm3BCiFY9VRGw==,iv:4RsV1KSfXk70zpMp589c5p8HOh6ybLULVXjevIdco2o=,tag:7ylVDQ9shfXUYWutzprP8g==,type:str]
oidc_clients:
headscale:
hashed: ENC[AES256_GCM,data:R1ePOxO+TBeM9oGjIayq34H3EBS7InGfbWtWc1+4GtQpUUDlk2elxPqzZf2fKcUcxJm5ToavRfJzkfv9G9RX1xm+YcP6J25anWUrjp4fkAL092CdYY4YxCti/nNqxm2IyeytyE9iS3p/fBGLdzQilXzsT2iW4tfW7mDtyh+ikp3I/po=,iv:E1+1K3oXYTv1xyFsyq9jHIjgHdrcRtSkv0WP2xePRm0=,tag:OlYBl3IJwSarpZDwfxKrmQ==,type:str]
unhashed: ENC[AES256_GCM,data:1+WcSLyYJofKz5VFgfPuAzreVOSTNiqLsavsL6fo0C0VW3tgINdvYeAqncr44ugrN3ZYkyo9KB/uN882/Vex/TAfUL4WSgkJ,iv:bXlqtcLFQv1cCravGYKuwImFKtYzjk39mFKAMy2PUKY=,tag:+vHaGjtldPvWlEpO86Ct1Q==,type:str]
forgejo:
access-key-id: ENC[AES256_GCM,data:RTNN8jVGLM1gLdLL8LIn8ntBBrrCevHTAweydc4cpLo=,iv:gU0vCbqgWAANBP/WsZwnoKpFeLgRlJhEWS7pxma2b8I=,tag:NSzRIQvS6A47bwUq+kRlrA==,type:str]
secret-access-key: ENC[AES256_GCM,data:sIubWLP6XT5rETypmHduKKdJmTGTsr0K9litkBqmLSNppqzaCNzK6XuTwn+3Ge22Pjk8hgk+cWbCGYID9gtYGg==,iv:3iZgxvXYkOppMTXZxpWWmgtd2gYnNXlg+WaUnlkxMhA=,tag:P7fZyHvUOaaFuzcOOQPrNw==,type:str]
mailer-password: ENC[AES256_GCM,data:smIdxI/OiqjDmatCV5nh2qkY4/2J9Vmi1lP5sEezduqpUp2Lsd7DkYJIpI5927Bf5Nb/rUlnYMipz9nd/KjfkA==,iv:rfMOGk2/bP1MxQVYQBgmR/Z6z2p1yWhejvz66OjqvH4=,tag:XvZfHh5ndpGQIN2cubYVHg==,type:str]
oidc-secret: ENC[AES256_GCM,data:CC78bq7nFYXAV0MLIshBkB1s7kQOgn0bkk21olNf9xT10KjJBB4KkbIZ6WI45T88MsK9Lv3FB6C9tRaPo3TLzcuz7D2Yk6O7,iv:ouUIoQY03DRlKpbEy8LTFnuClmYADa38Tp9EN932XSU=,tag:ieVnmE1A6g91qw9p1ek49Q==,type:str]
mealie-env: ENC[AES256_GCM,data:E9z2K/HJNs3MrYMG+WjxUjxl5vslVskQOyHSs2qwDWbL6Dzjqd3ifvwuT6vSufEce0QaU9d+lIC/EAwi3LIxl9M77eBaUq3QXLeTdJ87DObJOpsxhbelaV5rKec=,iv:w1cdMEIaHFES8oHvMGcGp4jHhMPMje3SVepbaMJcEe4=,tag:wl5+xDtjM8rd9ecq2ws/Xw==,type:str]
vaultwarden: ENC[AES256_GCM,data:YTGRVjajeSSRnjqaZHTa9HiV1c0kQj6+3m3BMirMH4Pu6NNlTYJgGOdz44jEmx4plbZkyM+ZkFVK3sL9rDryaxKGeDxZyM/2zPTlcosPVgA4ObzmmyT0XUoNRjOPYiE3CibmG9ZAEKp8hkGJGJATFOaQrphDS0Zczq/zc8+vUpVSJi8ycB1y1fxNAvfrftyETUsGYdKrD5+5s4fl422L6G12xdcy3TQNdfPz+SeXfhcTXSnORCglyYVzYlbUFQF9N6rpyZROv0dsN+s+c1d6Fsg6ROL3NrfQ0DkUy2rdmzAxrMNlRa89ZAybkDNeW/Wm24E/P+S5gqysRKA9ZJ6H/F9JZWJOazESgzcBLsWvSRO7U0O4Nou8uWAVuvQ/lmgwbepjUKG1EWRXJdNkZtL4EQiWR5G7NnhXjiLb22do7w5O8qiCXOHtQek/wfT57loLCn8oQfz6,iv:Sq7Mom6PwmmjU9t+qZM3I+Ybb416eEzqwAFeCHaeB8M=,tag:8mb+YC6zq22V/qgjMKHbPw==,type:str]
sops:
age:
- recipient: age18g4z53ykxzq35dsjq3a2np4f88xwat0kwtax229l3zn0ykhlpvqqy8fgtv
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5Y3JKMVB6Mkw1QVRFTmtm
NnRBV2k0WDhoZ0pKUzJGS2JWbzFBb3RvNnlvCkVrT200bExhc3hxMTJ4N1NFdWlH
SDBmVzRGZXJaWWtsNEU3WDlXQ0NnV2sKLS0tIEQ5bldJNlUyVUlsdW5qUWtFaGdV
RWRCYlk1RkM1Z0ZiS25mYnRuWjYybzAKcZgEfGBifKHkEowQxe+1xQJhk6JuhJXQ
LLdL9jBdfMrqXz48653XRKf3h4Nn4K70E65Ek8sPyZ5qSJYJHOwjYw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-10-21T11:33:52Z"
mac: ENC[AES256_GCM,data:6N0F+M2EyTiuXQokdVLGn3dZ5AG6Oq+uvrVoEvKPatyy8ynO0X7fS4GbvmHXmrzXcZwEIz16Y8M3Mk8S+PsVR0Zpc08HRwcIKtXCS7y00Y1iokAL83MoqG4m0kZbuvyY4nOvYAfH1VEJXsD5wSCYL2rMcer5oZ9zQagrNSjTUzw=,iv:+0990xD6258PwlWsggOLeXjSTqPSiN/qF6/xS9gRfXI=,tag:fZg+cQZncU0VV1maNSPOgg==,type:str]
pgp:
- created_at: "2025-10-21T11:33:41Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DARdpY4woM6wSAQdAnTJPigLMOtu+U77zU4a4lLCbOQXQEHA4nfTpE08zbB0w
84QM/lVMfCa0T6Gng3tmJoyrwzoQyuSlo78NQcHFziFKKgKHpMfm1iAVEh27UFz9
0lwB/J66BejarAaPZYV6Wfht0T4KAzT+3UE97YfTT8PqR4UP4oleZXB8GCEYcO7y
ioHi4s0HbdB452J1pmTe3MwkalmCWLr9dPLWk9KNNqn/k6c/L8F5YjtAdU775A==
=/Qvi
-----END PGP MESSAGE-----
fp: 4BE1257015580BAB9F4B9D5FCA5B1C34E649BF92
unencrypted_suffix: _unencrypted
version: 3.11.0