From 7de2924d05f86066b168c191c443444df06f9cbc Mon Sep 17 00:00:00 2001 From: Carsten Kragelund Date: Thu, 27 Apr 2023 02:16:29 +0200 Subject: [PATCH] Finish up gitea host including secrets with sops --- .sops.yaml | 10 +++++ flake.lock | 40 +++++++++++++++++- flake.nix | 9 +++- hosts/common/default.nix | 1 + hosts/common/vm-guest.nix | 16 +++++++ hosts/common/wsl.nix | 3 -- hosts/gitea/default.nix | 8 ++++ hosts/gitea/hardware.nix | 70 +++++++++++++++---------------- hosts/gitea/services/gitea.nix | 66 ++++++++++++++++------------- hosts/gitea/services/postgres.nix | 27 ++++++------ secrets/gitea.yaml | 42 +++++++++++++++++++ 11 files changed, 210 insertions(+), 82 deletions(-) create mode 100644 .sops.yaml create mode 100644 hosts/common/vm-guest.nix create mode 100644 secrets/gitea.yaml diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..a156e33 --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,10 @@ +keys: + - &carsten BD9A82C3AC8185DAD4CFDA47A34D551C8CCA7DCD + - &gitea age1r2xcvgph5egus0xmyypplpya5wlz5a5kxwydjakvx94eqpgyhgdqqnzd3j +creation_rules: + - path_regex: secrets/[^/]+\.yaml$ + key_groups: + - pgp: + - *carsten + age: + - *gitea diff --git a/flake.lock b/flake.lock index fd35df9..a5f8dcd 100644 --- a/flake.lock +++ b/flake.lock @@ -198,6 +198,22 @@ "type": "github" } }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1682173319, + "narHash": "sha256-tPhOpJJ+wrWIusvGgIB2+x6ILfDkEgQMX0BTtM5vd/4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ee7ec1c71adc47d2e3c2d5eb0d6b8fbbd42a8d1c", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-unstable": { "locked": { "lastModified": 1681272286, @@ -288,7 +304,8 @@ "nixpkgs": "nixpkgs_2", "nixpkgs-unstable": "nixpkgs-unstable", "nur": "nur", - "sanctureplicum-nur": "sanctureplicum-nur" + "sanctureplicum-nur": "sanctureplicum-nur", + "sops-nix": "sops-nix" } }, "sanctureplicum-nur": { 
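Review bot: The age recipient bound to `&gitea` in .sops.yaml is the only key that can decrypt `secrets/*.yaml` on the host, yet nothing in the commit records where it comes from — the gitea host sets neither `sops.age.keyFile` nor `sops.age.sshKeyPaths`, so presumably it is the age form of the host's SSH ed25519 key as sops-nix derives by default. A comment on that line, e.g. `# age key derived from the gitea host's ssh_host_ed25519_key (ssh-to-age); re-run `sops updatekeys` on secrets/*.yaml after changing either list`, keeps a future re-key from being guesswork. The `path_regex` is anchored only at the end, so it also matches a `secrets/` directory nested anywhere in the tree; `^secrets/[^/]+\.yaml$` would pin the rule to the repo root.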
@@ -309,6 +326,27 @@ "type": "github" } }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1682338428, + "narHash": "sha256-T7AL/Us6ecxowjMAlO77GETTQO2SO+1XX2+Y/OSfHk8=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "7c8e9727a2ecf9994d4a63d577ad5327e933b6a4", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, "utils": { "locked": { "lastModified": 1678901627, diff --git a/flake.nix b/flake.nix index 16ff54e..a24f405 100644 --- a/flake.nix +++ b/flake.nix @@ -11,6 +11,8 @@ nekowinston-nur.url = "github:nekowinston/nur"; emacs-overlay.url = "github:nix-community/emacs-overlay"; emacs-overlay.inputs.nixpkgs.follows = "nixpkgs"; + sops-nix.url = "github:Mic92/sops-nix"; + sops-nix.inputs.nixpkgs.follows = "nixpkgs"; mach-nixpkgs.url = "github:nixos/nixpkgs/9fd0585f7dc9b85eb5d426396004cc649261e60d"; mach-nix.url = "github:davhau/mach-nix/6cd3929b1561c3eef68f5fc6a08b57cf95c41ec1"; mach-nix.inputs.nixpkgs.follows = "mach-nixpkgs"; @@ -29,6 +31,7 @@ , mach-nix , mach-nixpkgs , nixos-wsl + , sops-nix , home-manager , ... } @inputs: @@ -86,6 +89,9 @@ home-manager.useGlobalPkgs = true; home-manager.useUserPackages = true; home-manager.backupFileExtension = "bak"; + home-manager.sharedModules = [ + sops-nix.homeManagerModule + ]; } ./hosts/eagle ]; @@ -121,7 +127,8 @@ ({ config, pkgs, ... }: { nixpkgs.overlays = overlays; }) - + + sops-nix.nixosModules.sops ./hosts/gitea ]; }; diff --git a/hosts/common/default.nix b/hosts/common/default.nix index 3c6b933..782736e 100644 --- a/hosts/common/default.nix +++ b/hosts/common/default.nix @@ -9,6 +9,7 @@ with pkgs; { imports = [ ./graphical.nix + ./vm-guest.nix ./wsl.nix ./pkgs.nix ]; diff --git a/hosts/common/vm-guest.nix b/hosts/common/vm-guest.nix new file mode 100644 index 0000000..795dfc7 --- /dev/null +++ b/hosts/common/vm-guest.nix 
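Review bot: `sops-nix.inputs.nixpkgs.follows = "nixpkgs"` is set in the first flake.nix hunk, but the lock hunk above shows sops-nix still pulling its own `nixpkgs-stable` (release-22.11) as a second nixpkgs checkout; adding `sops-nix.inputs.nixpkgs-stable.follows = "nixpkgs";` next to it avoids the extra download and keeps a single nixpkgs in the closure. The `inputs` attrset that hunk edits starts outside the hunk. In the last flake.nix hunk the NixOS module `sops-nix.nixosModules.sops` is added only to the gitea configuration while eagle receives just the home-manager module via `sharedModules`; that asymmetry looks intended, but a one-line comment saying so would stop someone from "fixing" it.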
@@ -0,0 +1,16 @@ +{ config, lib, pkgs, ... }: + +{ + options.vm-guest = lib.mkOption { + default = config.wsl.enable or false; + type = lib.types.bool; + description = "Whether this is a vm guest machine"; + }; + + config = lib.mkIf config.vm-guest { + graphical = false; + } // lib.mkIf (!config.vm-guest) { + virtualisation.virtualbox.host.enable = true; + virtualisation.docker.enable = true; + }; +} diff --git a/hosts/common/wsl.nix b/hosts/common/wsl.nix index 9dd88a4..6d38705 100644 --- a/hosts/common/wsl.nix +++ b/hosts/common/wsl.nix @@ -16,8 +16,5 @@ }; networking.nameservers = [ "192.168.1.1" "87.62.97.64" ]; - - virtualisation.virtualbox.host.enable = true; - virtualisation.docker.enable = true; }; } diff --git a/hosts/gitea/default.nix b/hosts/gitea/default.nix index daddbd0..162b63e 100644 --- a/hosts/gitea/default.nix +++ b/hosts/gitea/default.nix @@ -21,7 +21,15 @@ shell = pkgs.bash; }; + graphical = false; + vm-guest = true; + networking.hostName = "gitea"; + networking.firewall.allowedTCPPorts = [ 22 3000 ]; + + sops = { + defaultSopsFile = ../../secrets/gitea.yaml; + }; # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions diff --git a/hosts/gitea/hardware.nix b/hosts/gitea/hardware.nix index e0542a7..da884f9 100644 --- a/hosts/gitea/hardware.nix +++ b/hosts/gitea/hardware.nix 
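Review bot: `config = lib.mkIf config.vm-guest { ... } // lib.mkIf (!config.vm-guest) { ... }` in vm-guest.nix does not combine the two branches: `lib.mkIf` returns an attrset of the form `{ _type = "if"; condition; content; }`, and `//` lets the right-hand set's keys replace the left's, so the `graphical = false` branch is discarded and only the `!config.vm-guest` branch ever takes effect. The gitea host in this commit masks the problem by setting `graphical = false` explicitly, but a host that relies on the default (`vm-guest` inferred from `wsl.enable`) would still get the graphical stack. `lib.mkMerge` keeps both conditionals.
```nix
  config = lib.mkMerge [
    (lib.mkIf config.vm-guest {
      graphical = false;
    })
    (lib.mkIf (!config.vm-guest) {
      virtualisation.virtualbox.host.enable = true;
      virtualisation.docker.enable = true;
    })
  ];
```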
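Review bot: Port 3000 is opened on the firewall in hosts/gitea/default.nix, but the Gitea service on this host sets `rootUrl` to https and `session.COOKIE_SECURE = true`, so TLS must be terminated somewhere other than this host's plain-HTTP port 3000; the same hunk opens 22 while Gitea advertises `server.SSH_PORT = 22007`. Neither the reverse proxy nor the port mapping is visible in this commit, so a comment on the `allowedTCPPorts` line, e.g. `# 3000: plain HTTP, TLS terminated by <reverse-proxy>; 22: sshd (Gitea advertises SSH_PORT 22007 — <how it maps>)`, would keep a later reader from widening the list or "fixing" the mismatch. The `sops` block sets only `defaultSopsFile`; presumably decryption relies on sops-nix's default of deriving an age key from the host SSH key, which has to be the `&gitea` recipient in .sops.yaml — worth stating next to the block.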
@@ -1,35 +1,35 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - -{ - imports = [ ]; - - boot.initrd.availableKernelModules = [ "ata_piix" "vmw_pvscsi" "sd_mod" "sr_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = - { device = "/dev/disk/by-uuid/41d3a241-09d6-4a5d-8b55-7f284310a7a9"; - fsType = "ext4"; - }; - - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/8206-16B6"; - fsType = "vfat"; - }; - - swapDevices = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.ens192.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; -} \ No newline at end of file +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... 
}: + +{ + imports = [ ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "vmw_pvscsi" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/41d3a241-09d6-4a5d-8b55-7f284310a7a9"; + fsType = "ext4"; + }; + + fileSystems."/boot/efi" = + { device = "/dev/disk/by-uuid/8206-16B6"; + fsType = "vfat"; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens192.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/gitea/services/gitea.nix b/hosts/gitea/services/gitea.nix index bc98822..ed3e20e 100644 --- a/hosts/gitea/services/gitea.nix +++ b/hosts/gitea/services/gitea.nix 
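Review bot: The only substantive change in hosts/gitea/hardware.nix is the ESP mountpoint, `fileSystems."/boot"` → `fileSystems."/boot/efi"`, in a file whose header still says it was generated by nixos-generate-config and must not be edited; the next regeneration will silently revert it unless the mount is also changed on the machine. The bootloader's `boot.loader.efi.efiSysMountPoint` (set outside this file) has to agree with `/boot/efi` or the ESP will not be populated, and that setting is not visible in this commit, so it is worth confirming. The remaining lines appear to differ only in line endings (every line is rewritten) and the previously missing trailing newline.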
@@ -1,29 +1,37 @@ -{ pkgs, ... }: { - services.gitea = rec { - enable = true; - package = pkgs.unstable.gitea; - database = { - type = "postgres"; - host = "unix:///var/run/postgresql/"; - }; - lfs.enable = true; - domain = "gitea.pid1.sh"; - rootUrl = "https://" + domain; - settings = { - server.SSH_PORT = 22007; - session.COOKIE_SECURE = true; - mailer = { - ENABLED = true; - SMTP_ADDR = "mail.pid1.sh"; - SMTP_PORT = 587; - FROM = "Root "; - USER = "root@pid1.sh"; - PASSWD = "***"; - MAILER_TYPE = "smtp"; - IS_TLS_ENABLED = true; - SUBJECT_PREFIX = "PID1 Gitea: "; - SEND_AS_PLAIN_TEXT = true; - }; - }; - }; -} \ No newline at end of file +{ pkgs, config, ... }: { + services.gitea = rec { + enable = true; + package = pkgs.unstable.gitea; + database = { + type = "postgres"; + host = "unix:///var/run/postgresql/"; + }; + lfs.enable = true; + domain = "gitea.pid1.sh"; + rootUrl = "https://" + domain; + mailerPasswordFile = config.sops.secrets.gitea_mailer_passwd.path; + settings = { + server.SSH_PORT = 22007; + session.COOKIE_SECURE = true; + mailer = { + ENABLED = true; + SMTP_ADDR = "mail.pid1.sh"; + SMTP_PORT = 465; + FROM = "Root "; + USER = "root@pid1.sh"; + MAILER_TYPE = "smtp"; + IS_TLS_ENABLED = true; + SUBJECT_PREFIX = "PID1 Gitea: "; + SEND_AS_PLAIN_TEXT = true; + }; + }; + }; + systemd.services.gitea = { + after = [ "sops-nix.service" ]; + }; + sops.secrets = { + gitea_mailer_passwd = { + owner = config.systemd.services.gitea.serviceConfig.User; + }; + }; +} diff --git a/hosts/gitea/services/postgres.nix b/hosts/gitea/services/postgres.nix index 05c8ae3..3a9bcb9 100644 --- a/hosts/gitea/services/postgres.nix +++ b/hosts/gitea/services/postgres.nix 
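Review bot: `sops.secrets.gitea_mailer_passwd.owner` is taken from `config.systemd.services.gitea.serviceConfig.User`, which works only as long as the upstream gitea module keeps setting that field; `owner = config.services.gitea.user;` is the option the module itself reads and is the more direct source. The `after = [ "sops-nix.service" ]` ordering looks borrowed from the home-manager side — as far as I know the NixOS sops-nix module installs secrets from an activation script rather than a unit, so if no such system unit exists this After= is a silent no-op and deserves either a comment or removal. Moving to port 465 with `IS_TLS_ENABLED = true` is a consistent implicit-TLS pairing (587 would have needed STARTTLS). The removed `PASSWD` line is shown as `***` here; if any earlier commit carried the real value, rotating the mailbox credential is what actually retires it, since dropping the line leaves it in history.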
@@ -1,13 +1,14 @@ -{ ... }: { - services.postgresql = { - enable = true; - ensureDatabases = [ "gitea" ]; - ensureUsers = [ - { - name = "gitea"; - ensurePermissions = { - "DATABASE gitea" = "ALL PRIVILEGES"; - }; - } - ]; -} \ No newline at end of file +{ ... }: { + services.postgresql = { + enable = true; + ensureDatabases = [ "gitea" ]; + ensureUsers = [ + { + name = "gitea"; + ensurePermissions = { + "DATABASE gitea" = "ALL PRIVILEGES"; + }; + } + ]; + }; +} diff --git a/secrets/gitea.yaml b/secrets/gitea.yaml new file mode 100644 index 0000000..fb66dd6 --- /dev/null +++ b/secrets/gitea.yaml 
@@ -0,0 +1,42 @@ +gitea_mailer_passwd: ENC[AES256_GCM,data:8cBxkVTSS5uJM5FXsro=,iv:LvRu6/bsq7+9pO304VZ9Bqu3cQC2VTzhJW1XBXOqeM4=,tag:0IHlogFEQCqVh2qHZmR/mg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1r2xcvgph5egus0xmyypplpya5wlz5a5kxwydjakvx94eqpgyhgdqqnzd3j + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZb1hFWElHL2ZaSnlLVzZM + dGNXa0lnRk83YmZ3amNkS3NZdkZxS2NrWEdJClVBWGYrbnIyZUhPNGZTVDc3SmRr + TmdueUk1OCt6S0lIUmRlUFc1bGRFNHcKLS0tIHFTSXdDelNFeS9FWjFzWmM2R3NW + ak85SHlPMW5zZ0lPc2tCbmRkMWZ4L28K2B7i21iAThigRr3lWAlhxaU468hINJd+ + IFRMI+GPa8KXsuvhD9sqrO7ZVnUBGutn2Ka7vKzw9pnBtn9xnjL7MA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-04-26T22:12:13Z" + mac: ENC[AES256_GCM,data:jltSFannVuFVA3GLJHYY5bd+10pSLKIfRZV5gPsuPwXpFgbvcoRhJSP79WuMV4m9V/Cr3O8on2CD2n0pm/BRx05UROw/37h8YvZ0RrMkWl+oxYf90PFW8Y7/WI187sNXVFeWzY95TN4xPvz7tU6Gm0otIxENg7WYcUuFM9WikV8=,iv:ACFUZXrLygl5KA5LYVgNbqg9Gs8ObCnmnG9/7sL50g8=,tag:XDzX1n+18ajghHLw7ShHzA==,type:str] + pgp: + - created_at: "2023-04-26T22:11:17Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA6NNVRyMyn3NARAA0VdwNGAPsJpztgWzifqrDCe3PK6kqmaMev3rO0z0/acb + ivwgjA0C5Tz6eecAbVE7RI61ROC4N2nKAy0tQ7SKnukpCMtwBVh7UyZS6N83LZvC + fvbEm7v7EhRsPyOslMmD+p80P2pEHUfw/Hp2OpT6W3BjP1YA097Oesz4WpgKrIac + BNbW5OZFl60fMHcv3u1XfvR57ft0Am8Pc3qQGD8Ex0FqGfz/cFEyh7gojYnZcWDF + v6YELFJ9+ttsBjgrDvZ5mEU2V77Hb1NH1D98rnGWx19l0It8tAwV2P+cKnLQXJz6 + 8zISnQ8HMdgQ07p1QbbboFT16dVcZNNMWAehLQ7a5MrOTfhYosryAZQd/ZJjDQZM + w+MGhLxDug/8PJeD03IJx+SJKN3Wke+AbvlAgWrOEGQXxSDyLm6iLcfCTegHP6CR + M9rzaz9pDv3yqyVnU4Ptr1wNeMqpVt76NF3uLgC3AuUyIlgnkqNxAk8Je6XuxjRJ + WDpHiriAWoVySCHuIra2KHvGumtdF4/nz0E9xEVJuk+X40+LQKhh7UHm5taFPboi + 2yUZH7Gf1Xj1A2R6OeUopwJuEIuLzYRdJGvhGFLCgyts5Xa6UPOHp2pIzHtSn6lx + UY+f2K6U6vsMrkYbfXW3KeiHB0NET+KGBeCvAPw+1sdF1CL05oeHZasj8tnI+1TU + aAEJAhALEc2qzcI7OYizTPsfYywR0I4tL1cRrycufsaqMrvFWQ35WyHINgO93c0g + 
SnVr0Fmd6qzaafqh3xQdf7QfogTMzIgkUGyNkHbcsFbTDngoKlA85KANHF132Tw7 + Hr4DRLTvKtvx + =+v1p + -----END PGP MESSAGE----- + fp: BD9A82C3AC8185DAD4CFDA47A34D551C8CCA7DCD + unencrypted_suffix: _unencrypted + version: 3.7.3