parent
5c964c065d
commit
9ba2dc2a77
|
@ -3,7 +3,7 @@ keys:
|
|||
- &admin_viv_vix age1rpglc4dtgkfth2prtnqveds63d7wg49x9k2l5atgay6upv36jsjssm9mue
|
||||
- &admin_viv_sky-reflected-in-mirrors age1eajejvws0qkqvs9qfp2cfxy77agtndr6xudl2h5afgx0k3ulysys4vqdxc
|
||||
- &machine_mastodon-snoottube age1ywn8lhj9vxp44454gty6jskevr5ugje5pzjv5nqt7rdglra8j4qqfn3qvd
|
||||
- &machine_wob age1066v49zugv9fuakq0wgp5d3swmdav480kwv3nvl2pnm8qsgehq9sf83l9w
|
||||
- &machine_wob age1ehyc0lekpzadd0gwue2h4pn87g5r56ea6jjklcf7jx4fzwn6gvfsvupyp8
|
||||
|
||||
creation_rules:
|
||||
- path_regex: ^secrets/backend.yaml$
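Review bot: The `&machine_wob` anchor is reassigned from `age1066v…` to `age1ehyc0…`, but a key change in `.sops.yaml` only takes effect for files that are re-encrypted afterwards (`sops updatekeys <file>`), so any other secrets file that lists wob in its rules stays readable by the retired key until that is done. The new secrets file added in the `@@ -0,0 +1,50 @@` hunk (presumably `secrets/wob.yaml`, per `sops.defaultSopsFile = ../secrets/wob.yaml`) does use the new wob key, yet it also encrypts to `age1rj45xn7emem7dv5rqpe6lea4mhxrja4fag9xfywtz80hgz24n42qnx3eae`, which none of the key lines visible in this hunk declare; whether a creation rule below the hunk grants it is not visible here. If that recipient is not intended, `sops updatekeys` on the file brings its recipient set back in line with the declared keys. A one-line comment above the wob anchor recording when and why the key was rotated would also help the next reader.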
|
||||
|
|
|
@ -16,10 +16,8 @@ in {
|
|||
|
||||
networking.firewall = {
|
||||
enable = true;
|
||||
allowedTCPPorts = [ 80 443 6922 ];
|
||||
allowedUDPPorts = [ 51869 ];
|
||||
|
||||
checkReversePath = "loose";
|
||||
checkReversePath = "loose"; # for tailscale
|
||||
};
|
||||
|
||||
boot.kernel.sysctl = {
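Review bot: Per the header (`-16,10 +16,8`) two lines leave this hunk and none arrive, so which `checkReversePath = "loose";` line, if either, survives is not recoverable from this rendering. If both are gone, `networking.firewall.checkReversePath` falls back to its default strict reverse-path filter and tailscale return traffic would be dropped on this host; if one stays, prefer the `# for tailscale` variant so the relaxed anti-spoofing check is justified where it is set. Keeping both would be a duplicate-attribute evaluation error, so the surviving form is worth confirming with a build. The enclosing attribute set continues past the hunk.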
|
||||
|
|
|
@ -12,6 +12,12 @@ let
|
|||
'';
|
||||
};
|
||||
in {
|
||||
networking.firewall = {
|
||||
enable = true;
|
||||
allowedTCPPorts = [ 80 443 6922 ]; # Expose 6922 for management because this machine isn't behind tailscale.
|
||||
allowedUDPPorts = [ 51869 ];
|
||||
};
|
||||
|
||||
fileSystems."/" = {
|
||||
autoResize = true; # embiggen
|
||||
};
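Review bot: `allowedTCPPorts = [ 80 443 6922 ];` opens the management port on every interface, and the trailing comment says why but not what listens there; if 6922 is sshd (inferred from "management"), pair the exposure with `services.openssh.settings.PasswordAuthentication = false;` in the same module so a directly reachable host accepts keys only, or note where that is already enforced. The why-comment would read better on its own line above the attribute, e.g. `# 6922 is the management port; this host is not behind tailscale, so it must be reachable directly.`, which also keeps the line within the width used elsewhere in the file.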
|
||||
|
|
|
@ -2,6 +2,15 @@
|
|||
{ config, pkgs, nixpkgs, modulesPath, ... }:
|
||||
|
||||
{
|
||||
networking.firewall = {
|
||||
enable = true;
|
||||
interfaces."ens2".allowedTCPPorts = [ 80 443 6922 ];
|
||||
interfaces."tailscale0".allowedTCPPorts = [ 80 443 6922 ];
|
||||
interfaces."tailscale0".allowedUDPPorts = [ 51869 ];
|
||||
checkReversePath = "loose"; # for tailscale
|
||||
};
|
||||
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
|
||||
|
||||
fileSystems."/" = {
|
||||
device = "/dev/disk/by-label/nixos";
|
||||
fsType = "ext4";
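Review bot: `interfaces."ens2".allowedTCPPorts = [ 80 443 6922 ];` opens 6922 on the public interface as well as on `tailscale0`, which undercuts listing it under `tailscale0` at all if 6922 is the management port (the sibling hunk's "management" comment suggests so, but that is inferred); if the tailnet is the intended admin path, drop 6922 from the `ens2` list, or comment why it must be reachable from the internet. `boot.kernel.sysctl."net.ipv4.ip_forward" = 1;` turns the host into an IPv4 router, which tailscale only needs for subnet routing or exit-node duty, so a comment naming that role (and whether the IPv6 counterpart is deliberately left off) would make the intent auditable. The `# for tailscale` note on `checkReversePath` is the right kind of justification; the same belongs on these two lines.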
|
||||
|
@ -86,6 +95,11 @@
|
|||
'';
|
||||
};
|
||||
|
||||
# use local 3proxy for http requests
|
||||
networking.proxy.httpProxy = "http://127.0.0.1:3128";
|
||||
networking.proxy.httpsProxy = "http://127.0.0.1:3128";
|
||||
services.tailscale.enable = true;
|
||||
|
||||
services.dnscrypt-proxy2 = {
|
||||
enable = true;
|
||||
settings = {
|
||||
|
@ -198,28 +212,41 @@
|
|||
(modulesPath + "/profiles/qemu-guest.nix")
|
||||
];
|
||||
|
||||
#sops.defaultSopsFile = ../secrets/wob.yaml;
|
||||
#config.sops.secrets.borg_backup_repo_passphrase = { };
|
||||
#config.sops.secrets.borgbase_ssh_private_key =
|
||||
# { }; # it is extremely important for this to have a trailing newline, or connecting will fail
|
||||
sops.defaultSopsFile = ../secrets/wob.yaml;
|
||||
sops.secrets.gtsEnvironment = { };
|
||||
sops.secrets.borg_backup_repo_passphrase = { };
|
||||
sops.secrets.borgbase_ssh_private_key =
|
||||
{ }; # it is extremely important for this to have a trailing newline, or connecting will fail
|
||||
|
||||
# services.borgbackup.jobs."borgbase" = {
|
||||
#
|
||||
# paths = [ "/var/lib" ];
|
||||
# exclude = [
|
||||
# "/var/lib/systemd"
|
||||
# ];
|
||||
#
|
||||
# repo = "h5g87o5w@h5g87o5w.repo.borgbase.com:repo";
|
||||
# encryption = {
|
||||
# mode = "repokey-blake2";
|
||||
# passCommand =
|
||||
# "cat ${config.sops.secrets.borg_backup_repo_passphrase.path}";
|
||||
# };
|
||||
# environment.BORG_RSH =
|
||||
# "ssh -i ${config.sops.secrets.borgbase_ssh_private_key.path}";
|
||||
# compression = "auto,lzma";
|
||||
# startAt = "daily";
|
||||
# };
|
||||
services.borgbackup.jobs."borgbase" = {
|
||||
|
||||
paths = [ "/var/lib" "/var/backup" ];
|
||||
exclude = [
|
||||
"/var/lib/systemd"
|
||||
];
|
||||
|
||||
repo = "j4n0ylkc@j4n0ylkc.repo.borgbase.com:repo";
|
||||
encryption = {
|
||||
mode = "repokey-blake2";
|
||||
passCommand =
|
||||
"cat ${config.sops.secrets.borg_backup_repo_passphrase.path}";
|
||||
};
|
||||
environment.BORG_RSH =
|
||||
"ssh -i ${config.sops.secrets.borgbase_ssh_private_key.path}";
|
||||
compression = "auto,lzma";
|
||||
startAt = "daily";
|
||||
};
|
||||
|
||||
programs.ssh.knownHosts = {
|
||||
# obtain with ssh-keyscan, e.g. `ssh-keyscan j4n0ylkc.repo.borgbase.com`
|
||||
"j4n0ylkc.repo.borgbase.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGU0mISTyHBw9tBs6SuhSq8tvNM8m9eifQxM+88TowPO";
|
||||
};
|
||||
|
||||
services.postgresqlBackup = {
|
||||
enable = true;
|
||||
databases = [ "gotosocial" ];
|
||||
startAt = "*-*-* 04:15:00";
|
||||
location = "/var/backup/postgresql";
|
||||
};
|
||||
}
|
||||
|
||||
|
|
|
@ -69,6 +69,7 @@ in {
|
|||
accounts-registration-open = false;
|
||||
accounts-allow-custom-css = true;
|
||||
};
|
||||
environmentFile = config.sops.secrets.gtsEnvironment.path;
|
||||
};
|
||||
environment.systemPackages = [
|
||||
goToSocialPkg
|
||||
|
|
|
@ -0,0 +1,50 @@
|
|||
borgbase_ssh_private_key: ENC[AES256_GCM,data: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,iv:WkCqLEVETft1Une91+i7dRkd6Y4zgx4e2kNLERMdkIA=,tag:idyIMcEO5kShXFP6GVO6EQ==,type:str]
|
||||
borg_backup_repo_passphrase: ENC[AES256_GCM,data:8zHnNw48P9WZjP7fTulTHurUXEJ217gKmbJOLUsfk8PYAyJnIYIEdL6dbP5lRNMzdU/1,iv:1yma8xCI47dCvhxTkCVlSLGGSu+SpfATFdIg7Wrs010=,tag:LhDtLqSvUarqGJ8xEPwn6w==,type:str]
|
||||
gtsEnvironment: ENC[AES256_GCM,data:SUpH1Pk/pPWCZ/TPgYeVB2JrUzxOFOXU8vXGiRLfU6klMSNG7/ESKEg/mYThq1gtOeTsEJuFv1CKeYfbReAbXcSUubVdfa5JnUITkVoat8TRA57mtMuMkP5trQn2OCDZkef6DpkiwUh/JbcXefu9cH/34/ojFwCTcH6iQcf/SpSFYEBvNIKJAxTUBhj0bMLisy+bZ47B7NHeREhXIF+9HVfU1qK2HY97IJVpqbKLhJbXeKMu/QjpSK34W7PvgFjEdDDmBTc=,iv:1yGEq9zjsGcR4f+ZUAi8YSAKWWKzaaJbRcOfrbffwp4=,tag:ZAl9bMLz1Gwo9RDaDzJXxg==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1rpglc4dtgkfth2prtnqveds63d7wg49x9k2l5atgay6upv36jsjssm9mue
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDRXA5QkV0N210SC9jcmc4
|
||||
bzR0VjlBbHZJMVljZGJ0Q280UHJ6YlZqRDBvCnZXZkVmQURDcWdKc2FFNXdRUndN
|
||||
Mi9GNEttT3Azd1JzWlNlYW4yS3NkNUEKLS0tIExXbnptUTYyenJaZWxTMUd4K284
|
||||
MlFMZTVkdEJrNVBodXlOK3RhSmxZcVEKYNUkZBSPSNkVdUvjq4wK51fwr2yLHytf
|
||||
Z7jqxJhk7enkjGZRafPsAZ6zXoKU6TjifMX5XHeo5Jk0y9jDFVBPxQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1eajejvws0qkqvs9qfp2cfxy77agtndr6xudl2h5afgx0k3ulysys4vqdxc
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzVWZhU29PQVJQb1R0S0VL
|
||||
aE4zQ3MzdmxYdHhyM0J2ZUJ4Tmw1bit1OEY4CmVuQkxPZXJTTjk4VEp0b2lTNFp1
|
||||
bHZ2Ukp1UTZJYXVFMCt0R3NtSm80cjQKLS0tIDIvQkdTQW5ZQ1hiMmxQeHBHcng4
|
||||
d0VxaGoxVlE4ekx2aUdpVXVxZUx1TFkKwIK5W26S0ATX4BYjZJoDoj08RTa6CdX4
|
||||
Ku27bUE/ht52FXRG0aR15xZgxw6YDW2nqNLYF9A1JbMjbeu8ruonoA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1rj45xn7emem7dv5rqpe6lea4mhxrja4fag9xfywtz80hgz24n42qnx3eae
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSSEdqejdmVVhxMEhxVFdV
|
||||
RkpyeWFKODJXRkN0blM5UVVQNkpYa3V3a1JZCnFuZ1NhZTdoUHlVdWJSVGJaWm1Z
|
||||
aUJQRk9VeTFRRjlBMDlsWEh5M1pBVTAKLS0tIFU0a1J2elBDN1BOTTFBNkNsSUpv
|
||||
YVZoVTFzY0dXRytjWDVvT1FvOVdPbnMKvrqXktPBmGvuO09VuS7tkofa7fcAIi5v
|
||||
+XuUMeKbnv9QsJyB6M0SpQBPUptrrOCU26wEBDvSTj4W+Uo3LFH8CA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1ehyc0lekpzadd0gwue2h4pn87g5r56ea6jjklcf7jx4fzwn6gvfsvupyp8
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrYWpDanBFZDYwQXVPK2d2
|
||||
VG56ZEwxWldaWWEraDF1U0xSSU1sbE9UZ0hrCkZaQWFJK2YwSFBQNmxKSW51VW1o
|
||||
ZFpiTGdzUFlQNlRHOWIrZXU1d2tCeTgKLS0tIE5lSVpVRlBwU09mVjVna0F6Vk90
|
||||
NGhseHVJalAxZEpzT1Ntb2x6ZHhzcDQKHp6M0qb0dE2OyeYNSeO/WXntWFyyvRl7
|
||||
i/7vPvPuE+dd/ld884UJtZUO1K7qHkXraXjHx8p27uUnN8ruNUn0bQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-02-04T01:58:51Z"
|
||||
mac: ENC[AES256_GCM,data:QzO+EOejyPh0H64Cmf62Nv+7s41RmNwO4xNn3RLBYksQyqG/Em36rbBD4haLHv+fAXgWIzVCg4u5B2YJ3TMosggUwxH/5alLuH+hKKDLEiGMtvs2iO8q/AfYugn9/NRLnUvU19PGXaGJm2kEqoEE1fpMhuf6TK3o7drUQP3/95I=,iv:VJQqbuAMPrEMHLZA4sDGdDKwGz+AQa07UzMhWQMuOBA=,tag:IFyUGkcTsfC+2Sv0eYygBw==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|