Update to NixOS 23.05

This commit is contained in:
Paul-Henri Froidmont 2023-07-10 19:19:25 +02:00
parent e4c0ab4b3e
commit 27462b9e7e
Signed by: phfroidmont
GPG key ID: BE948AFD7E7873BE
7 changed files with 142 additions and 143 deletions

flake.lock generated

@ -23,11 +23,11 @@
"utils": "utils" "utils": "utils"
}, },
"locked": { "locked": {
"lastModified": 1683779844, "lastModified": 1686747123,
"narHash": "sha256-sIeOU0GsCeQEn5TpqE/jFRN4EGsPsjqVRsPdrzIDABM=", "narHash": "sha256-XUQK9kwHpTeilHoad7L4LjMCCyY13Oq383CoFADecRE=",
"owner": "serokell", "owner": "serokell",
"repo": "deploy-rs", "repo": "deploy-rs",
"rev": "c80189917086e43d49eece2bd86f56813500a0eb", "rev": "724463b5a94daa810abfc64a4f87faef4e00f984",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -52,6 +52,22 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1668681692,
"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "009399224d5e398d03b22badca40a37ac85412a1",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1671417167, "lastModified": 1671417167,
@ -83,29 +99,44 @@
"type": "indirect" "type": "indirect"
} }
}, },
"nixpkgs-stable": { "nixpkgs-23_05": {
"locked": { "locked": {
"lastModified": 1684025543, "lastModified": 1684782344,
"narHash": "sha256-hGe7S+i5je+8E/b2mOXVI9nmr038Dw+bV8e1P8xHSe0=", "narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "c6d2f3dc0d3efd4285eebe4f8a36a47ba438138e", "rev": "8966c43feba2c701ed624302b6a935f97bcbdf88",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-23.05",
"type": "indirect"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1688868408,
"narHash": "sha256-RR9N5XTAxSBhK8MCvLq9uxfdkd7etC//seVXldy0k48=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "510d721ce097150ae3b80f84b04b13b039186571",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "release-22.11", "ref": "release-23.05",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1684215771, "lastModified": 1688918189,
"narHash": "sha256-fsum28z+g18yreNa1Y7MPo9dtps5h1VkHfZbYQ+YPbk=", "narHash": "sha256-f8ZlJ67LgEUDnN7ZsAyd1/Fyby1VdOXWg4XY/irSGrQ=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "963006aab35e3e8ebbf6052b6bf4ea712fdd3c28", "rev": "408c0e8c15a1c9cf5c3226931b6f283c9867c484",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -117,27 +148,27 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1684171562, "lastModified": 1688939073,
"narHash": "sha256-BMUWjVWAUdyMWKk0ATMC9H0Bv4qAV/TXwwPUvTiC5IQ=", "narHash": "sha256-jYhYjeK5s6k8QS3i+ovq9VZqBJaWbxm7awTKNhHL9d0=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "55af203d468a6f5032a519cba4f41acf5a74b638", "rev": "8df7a67abaf8aefc8a2839e0b48f92fdcf69a38b",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "nixos",
"ref": "nixos-22.11", "ref": "nixos-23.05",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs_3": { "nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1669542132, "lastModified": 1670751203,
"narHash": "sha256-DRlg++NJAwPh8io3ExBJdNW7Djs3plVI5jgYQ+iXAZQ=", "narHash": "sha256-XdoH1v3shKDGlrwjgrNX/EN8s3c+kQV7xY6cLCE8vcI=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "a115bb9bd56831941be3776c8a94005867f316a7", "rev": "64e0bf055f9d25928c31fb12924e59ff8ce71e60",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -158,21 +189,23 @@
"simple-nixos-mailserver": { "simple-nixos-mailserver": {
"inputs": { "inputs": {
"blobs": "blobs", "blobs": "blobs",
"flake-compat": "flake-compat_2",
"nixpkgs": "nixpkgs_3", "nixpkgs": "nixpkgs_3",
"nixpkgs-22_11": "nixpkgs-22_11", "nixpkgs-22_11": "nixpkgs-22_11",
"nixpkgs-23_05": "nixpkgs-23_05",
"utils": "utils_2" "utils": "utils_2"
}, },
"locked": { "locked": {
"lastModified": 1671659164, "lastModified": 1687462267,
"narHash": "sha256-DbpT+v1POwFOInbrDL+vMbYV3mVbTkMxmJ5j50QnOcA=", "narHash": "sha256-rNSputjn/0HEHHnsKfQ8mQVEPVchcBw7DsbND7Wg8dk=",
"owner": "simple-nixos-mailserver", "owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver", "repo": "nixos-mailserver",
"rev": "bc667fb6afc45f6cc2d118ab77658faf2227cffd", "rev": "24128c3052090311688b09a400aa408ba61c6ee5",
"type": "gitlab" "type": "gitlab"
}, },
"original": { "original": {
"owner": "simple-nixos-mailserver", "owner": "simple-nixos-mailserver",
"ref": "nixos-22.11", "ref": "nixos-23.05",
"repo": "nixos-mailserver", "repo": "nixos-mailserver",
"type": "gitlab" "type": "gitlab"
} }
@ -185,11 +218,11 @@
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1684032930, "lastModified": 1688873469,
"narHash": "sha256-ueeSYDii2e5bkKrsSdP12JhkW9sqgYrUghLC8aDfYGQ=", "narHash": "sha256-9TMSXvXmrr7bDYi+WeskWe/yho9UP01dGbV9vW5bRVc=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "a376127bb5277cd2c337a9458744f370aaf2e08d", "rev": "b2047c8fc963407916ad3834165309007dc5a1f7",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -1,36 +1,32 @@
{ {
inputs = { inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11"; nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
sops-nix.url = "github:Mic92/sops-nix"; sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs"; sops-nix.inputs.nixpkgs.follows = "nixpkgs";
deploy-rs.url = "github:serokell/deploy-rs"; deploy-rs.url = "github:serokell/deploy-rs";
simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-22.11"; simple-nixos-mailserver.url =
"gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.05";
}; };
outputs = { self, nixpkgs, nixpkgs-unstable, deploy-rs, sops-nix, simple-nixos-mailserver }: outputs = { self, nixpkgs, nixpkgs-unstable, deploy-rs, sops-nix
, simple-nixos-mailserver }:
let let
pkgs = nixpkgs.legacyPackages.x86_64-linux; pkgs = nixpkgs.legacyPackages.x86_64-linux;
pkgs-unstable = nixpkgs-unstable.legacyPackages.x86_64-linux; pkgs-unstable = nixpkgs-unstable.legacyPackages.x86_64-linux;
defaultModuleArgs = { pkgs, ... }: { defaultModuleArgs = { pkgs, ... }: {
_module.args.pkgs-unstable = import nixpkgs-unstable { _module.args.pkgs-unstable = import nixpkgs-unstable {
inherit (pkgs.stdenv.targetPlatform) system; inherit (pkgs.stdenv.targetPlatform) system;
config.allowUnfreePredicate = pkg: builtins.elem (pkgs.lib.getName pkg) [ config.allowUnfreePredicate = pkg:
"minecraft-server" builtins.elem (pkgs.lib.getName pkg) [ "minecraft-server" ];
];
}; };
}; };
in in {
{
devShells.x86_64-linux.default = pkgs.mkShell { devShells.x86_64-linux.default = pkgs.mkShell {
sopsPGPKeyDirs = [ sopsPGPKeyDirs = [ "./keys/hosts" "./keys/users" ];
"./keys/hosts"
"./keys/users"
];
nativeBuildInputs = [ nativeBuildInputs =
(pkgs.callPackage sops-nix { }).sops-import-keys-hook [ (pkgs.callPackage sops-nix { }).sops-import-keys-hook ];
];
buildInputs = with pkgs-unstable; [ buildInputs = with pkgs-unstable; [
nixpkgs-fmt nixpkgs-fmt
@ -48,16 +44,14 @@
modules = [ modules = [
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
./profiles/db.nix ./profiles/db.nix
( ({
{
sops.defaultSopsFile = ./secrets.enc.yml; sops.defaultSopsFile = ./secrets.enc.yml;
networking.hostName = "db1"; networking.hostName = "db1";
networking.domain = "banditlair.com"; networking.domain = "banditlair.com";
nix.registry.nixpkgs.flake = nixpkgs; nix.registry.nixpkgs.flake = nixpkgs;
system.stateVersion = "21.05"; system.stateVersion = "21.05";
} })
)
]; ];
}; };
backend1 = nixpkgs.lib.nixosSystem { backend1 = nixpkgs.lib.nixosSystem {
@ -66,16 +60,14 @@
modules = [ modules = [
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
./profiles/backend.nix ./profiles/backend.nix
( ({
{
sops.defaultSopsFile = ./secrets.enc.yml; sops.defaultSopsFile = ./secrets.enc.yml;
networking.hostName = "backend1"; networking.hostName = "backend1";
networking.domain = "banditlair.com"; networking.domain = "banditlair.com";
nix.registry.nixpkgs.flake = nixpkgs; nix.registry.nixpkgs.flake = nixpkgs;
system.stateVersion = "21.05"; system.stateVersion = "21.05";
} })
)
]; ];
}; };
storage1 = nixpkgs.lib.nixosSystem { storage1 = nixpkgs.lib.nixosSystem {
@ -86,43 +78,42 @@
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
simple-nixos-mailserver.nixosModule simple-nixos-mailserver.nixosModule
./profiles/storage.nix ./profiles/storage.nix
( ({
{
sops.defaultSopsFile = ./secrets.enc.yml; sops.defaultSopsFile = ./secrets.enc.yml;
networking.hostName = "storage1"; networking.hostName = "storage1";
networking.domain = "banditlair.com"; networking.domain = "banditlair.com";
nix.registry.nixpkgs.flake = nixpkgs; nix.registry.nixpkgs.flake = nixpkgs;
system.stateVersion = "21.05"; system.stateVersion = "21.05";
} })
)
]; ];
}; };
}; };
deploy.nodes = deploy.nodes = let
let
createSystemProfile = configuration: { createSystemProfile = configuration: {
user = "root"; user = "root";
sshUser = "root"; sshUser = "root";
path = deploy-rs.lib.x86_64-linux.activate.nixos configuration; path = deploy-rs.lib.x86_64-linux.activate.nixos configuration;
}; };
in in {
{
db1 = { db1 = {
hostname = "db1.banditlair.com"; hostname = "db1.banditlair.com";
profiles.system = createSystemProfile self.nixosConfigurations.db1; profiles.system = createSystemProfile self.nixosConfigurations.db1;
}; };
backend1 = { backend1 = {
hostname = "backend1.banditlair.com"; hostname = "backend1.banditlair.com";
profiles.system = createSystemProfile self.nixosConfigurations.backend1; profiles.system =
createSystemProfile self.nixosConfigurations.backend1;
}; };
storage1 = { storage1 = {
hostname = "78.46.96.243"; hostname = "78.46.96.243";
profiles.system = createSystemProfile self.nixosConfigurations.storage1; profiles.system =
createSystemProfile self.nixosConfigurations.storage1;
}; };
}; };
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib; checks = builtins.mapAttrs
(system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
}; };
} }
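Review bot: Only `sops-nix` is pinned to the top-level `nixpkgs` via `follows`; `deploy-rs` and `simple-nixos-mailserver` keep their own nixpkgs, which is why the lock in this same commit carries `nixpkgs_2` and `nixpkgs_3` alongside `nixpkgs`, each at a different revision. Since the point of the commit is to move everything to 23.05, consider adding `deploy-rs.inputs.nixpkgs.follows = "nixpkgs";` next to the existing `sops-nix.inputs.nixpkgs.follows` line so the deploy tooling is built from the same tree as the hosts; whether the mailserver input should follow as well depends on which of its nixpkgs inputs it builds against, which is not visible here. This is a style point about the inputs block rather than a defect in the rename.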


@ -9,7 +9,7 @@
time.timeZone = "Europe/Amsterdam"; time.timeZone = "Europe/Amsterdam";
boot.cleanTmpDir = true; boot.tmp.cleanOnBoot = true;
networking.firewall.allowPing = true; networking.firewall.allowPing = true;
networking.usePredictableInterfaceNames = false; networking.usePredictableInterfaceNames = false;


@ -18,7 +18,8 @@ let
sops.secrets."usersFile-${name}" = { sops.secrets."usersFile-${name}" = {
owner = "dokuwiki"; owner = "dokuwiki";
key = "wiki/${name}/users_file"; key = "wiki/${name}/users_file";
restartUnits = [ "phpfpm-dokuwiki-${name}.${config.networking.domain}.service" ]; restartUnits =
[ "phpfpm-dokuwiki-${name}.${config.networking.domain}.service" ];
}; };
services.dokuwiki.sites = { services.dokuwiki.sites = {
@ -26,12 +27,13 @@ let
enable = true; enable = true;
stateDir = "/nix/var/data/dokuwiki/${name}/data"; stateDir = "/nix/var/data/dokuwiki/${name}/data";
usersFile = config.sops.secrets."usersFile-${name}".path; usersFile = config.sops.secrets."usersFile-${name}".path;
disableActions = "register";
templates = [ template-chippedsnow ]; templates = [ template-chippedsnow ];
extraConfig = '' settings = {
$conf['title'] = 'Chroniques d\'Arkadia'; useacl = true;
$conf['template'] = 'chippedsnow'; title = "Chroniques d`Arkadia";
''; template = "chippedsnow";
disableactions = "register";
};
}; };
}; };
@ -40,21 +42,14 @@ let
enableACME = true; enableACME = true;
}; };
}; };
in in {
{
options.custom.services.dokuwiki = { options.custom.services.dokuwiki = {
enable = mkEnableOption "dokuwiki"; enable = mkEnableOption "dokuwiki";
secretKeyFile = mkOption { secretKeyFile = mkOption { type = types.path; };
type = types.path;
}; };
};
config = mkIf cfg.enable config = mkIf cfg.enable
(lib.mkMerge [ (lib.mkMerge [ (configureWiki "anderia") (configureWiki "arkadia") ]);
(configureWiki "anderia")
(configureWiki "arkadia")
]);
} }
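Review bot: The migrated `settings.title` silently changes the wiki's displayed name: the old `extraConfig` emitted `Chroniques d\'Arkadia` with an apostrophe, while the new `title = "Chroniques d`Arkadia";` uses a backtick. If the backtick was chosen to dodge the PHP escaping the old string needed, that should no longer be necessary — as far as I can tell the `settings` attribute set is serialized by the module rather than spliced into PHP source, so a Nix double-quoted string can carry the apostrophe directly: `title = "Chroniques d'Arkadia";`. The `configureWiki` function this hunk belongs to starts outside the hunk.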


@ -1,22 +1,11 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }: {
{
sops.secrets = { sops.secrets = {
paultrialPassword = { paultrialPassword = { key = "email/accounts_passwords/paultrial"; };
key = "email/accounts_passwords/paultrial"; eliosPassword = { key = "email/accounts_passwords/elios"; };
}; mariePassword = { key = "email/accounts_passwords/marie"; };
eliosPassword = { alicePassword = { key = "email/accounts_passwords/alice"; };
key = "email/accounts_passwords/elios"; monitPassword = { key = "email/accounts_passwords/monit"; };
};
mariePassword = {
key = "email/accounts_passwords/marie";
};
alicePassword = {
key = "email/accounts_passwords/alice";
};
monitPassword = {
key = "email/accounts_passwords/monit";
};
noreplyBanditlairPassword = { noreplyBanditlairPassword = {
key = "email/accounts_passwords/noreply_banditlair"; key = "email/accounts_passwords/noreply_banditlair";
}; };
@ -41,10 +30,7 @@
"paultrial@banditlair.com" = { "paultrial@banditlair.com" = {
# nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2 > /hashed/password/file/location # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2 > /hashed/password/file/location
hashedPasswordFile = config.sops.secrets.paultrialPassword.path; hashedPasswordFile = config.sops.secrets.paultrialPassword.path;
aliases = [ aliases = [ "contact@froidmont.org" "account@banditlair.com" ];
"contact@froidmont.org"
"account@banditlair.com"
];
}; };
"marie-alice@froidmont.org" = { "marie-alice@froidmont.org" = {
hashedPasswordFile = config.sops.secrets.mariePassword.path; hashedPasswordFile = config.sops.secrets.mariePassword.path;
@ -190,8 +176,7 @@
"@falbo.fr" = "elios@banditlair.com"; "@falbo.fr" = "elios@banditlair.com";
}; };
certificateScheme = "acme-nginx";
certificateScheme = 3;
}; };
} }


@ -1,20 +1,13 @@
{ config, lib, ... }: { config, lib, ... }:
with lib; with lib;
let let cfg = config.custom.services.openssh;
cfg = config.custom.services.openssh; in {
in options.custom.services.openssh = { enable = mkEnableOption "openssh"; };
{
options.custom.services.openssh = {
enable = mkEnableOption "openssh";
};
config = mkIf cfg.enable { config = mkIf cfg.enable {
services.openssh.enable = true; services.openssh.enable = true;
services.openssh.permitRootLogin = "prohibit-password"; services.openssh.settings.PermitRootLogin = "prohibit-password";
users.users.root.openssh.authorizedKeys.keyFiles = [ users.users.root.openssh.authorizedKeys.keyFiles =
../ssh_keys/froidmpa-desktop.pub [ ../ssh_keys/froidmpa-desktop.pub ../ssh_keys/froidmpa-laptop.pub ];
../ssh_keys/froidmpa-laptop.pub
];
}; };
} }
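Review bot: `services.openssh.settings.PermitRootLogin = "prohibit-password"` keeps root on key-only login, but nothing in this module turns off password or keyboard-interactive authentication for the remaining accounts, and with the 23.05 `settings` submodule both appear to default to allowed. If key-based login is the only intended path on these hosts, the hardening is two lines beside the existing one: `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;`. Whether any host or user still relies on password logins is not visible from this diff, so confirm before enabling.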


@ -107,7 +107,9 @@
users.users.www-data = { users.users.www-data = {
uid = 993; uid = 993;
isNormalUser = true; createHome = true;
home = "/home/www-data";
useDefaultShell = true;
group = config.users.groups.www-data.name; group = config.users.groups.www-data.name;
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-rsa 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 sshfs-2021-07-16" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDc7kX8riTSxRNwqIwZ/XwTKHzl1C786TbeU5qx2gTidR4H56+GxA5jrpWLZrcu0MRBu11/URzyGrJGxdBps6Hu/Arp482Y5OxZeDUzD+tZJa79NylG9GQFMTmGLjH3IqBbmgx91WdYsLmgXjz0f+NxANzmgvzRt2IolHc4hxIkrDickfT2dT3uVtaJOGBsLC2BxVT0rCHFmvjB7+qnJ4jvC8b/V+F6+hijom1kUq9zhZzWEg8H5imR0UoXrXLetxY+PGAqKkDLm/pNQ/cUSX4FaKZ5bpGYed7ioSeRHW3xIh4zHhWbiyBPsrjyOmEnxNL5f4o4KgHfUDY0DpVrhs+6JPJTsMfsyb0GciqSYR5PCL73zY+IEo+ZHdGubib4G5+t1UqaK+ZZGqW+a7DLHMFR6tr3I/b/Jz8KHjYztdx/ZHS3CA2+17JgLG/ycq+a3ETBkIGSta5I4BUfcbVvkxKq7A99aODDyYc+jMp7gbQlwKhdHcAoVcWRKqck/sL0Qnb4e+BoUm+ajxRo6DNcpGL5LLtD/i1NuWjFugh6q1KcgXP/Bc11Owhqg3nlIUMUoVc2/h/9Er9Eaplv27rw180ItGR1UEQ4gQHCGQB6vCF5NRPjAS5y515UcDu+rceFIr1W15IZvhMrcphb8clu8E2us68ghas7ZgXKU2xypsaGPw== sshfs-2021-07-16"