phfroidmont/self-hosting
1
0
Fork 0
mirror of https://github.com/phfroidmont/self-hosting.git synced 2025-12-25 05:36:59 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Update to NixOS 23.05

Browse source
This commit is contained in:
Paul-Henri Froidmont 2023-07-10 19:19:25 +02:00
parent e4c0ab4b3e
commit 27462b9e7e
Signed by: phfroidmont
GPG key ID: BE948AFD7E7873BE
7 changed files with 142 additions and 143 deletions
Download patch file Download diff file Expand all files Collapse all files

83
flake.lock generated
View file

@ -23,11 +23,11 @@
"utils": "utils"
},
"locked": {
"lastModified": 1683779844,
"narHash": "sha256-sIeOU0GsCeQEn5TpqE/jFRN4EGsPsjqVRsPdrzIDABM=",
"lastModified": 1686747123,
"narHash": "sha256-XUQK9kwHpTeilHoad7L4LjMCCyY13Oq383CoFADecRE=",
"owner": "serokell",
"repo": "deploy-rs",
"rev": "c80189917086e43d49eece2bd86f56813500a0eb",
"rev": "724463b5a94daa810abfc64a4f87faef4e00f984",
"type": "github"
},
"original": {
@ -52,6 +52,22 @@
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1668681692,
"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "009399224d5e398d03b22badca40a37ac85412a1",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1671417167,
@ -83,29 +99,44 @@
"type": "indirect"
}
},
"nixpkgs-stable": {
"nixpkgs-23_05": {
"locked": {
"lastModified": 1684025543,
"narHash": "sha256-hGe7S+i5je+8E/b2mOXVI9nmr038Dw+bV8e1P8xHSe0=",
"lastModified": 1684782344,
"narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "c6d2f3dc0d3efd4285eebe4f8a36a47ba438138e",
"rev": "8966c43feba2c701ed624302b6a935f97bcbdf88",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-23.05",
"type": "indirect"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1688868408,
"narHash": "sha256-RR9N5XTAxSBhK8MCvLq9uxfdkd7etC//seVXldy0k48=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "510d721ce097150ae3b80f84b04b13b039186571",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-22.11",
"ref": "release-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1684215771,
"narHash": "sha256-fsum28z+g18yreNa1Y7MPo9dtps5h1VkHfZbYQ+YPbk=",
"lastModified": 1688918189,
"narHash": "sha256-f8ZlJ67LgEUDnN7ZsAyd1/Fyby1VdOXWg4XY/irSGrQ=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "963006aab35e3e8ebbf6052b6bf4ea712fdd3c28",
"rev": "408c0e8c15a1c9cf5c3226931b6f283c9867c484",
"type": "github"
},
"original": {
@ -117,27 +148,27 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1684171562,
"narHash": "sha256-BMUWjVWAUdyMWKk0ATMC9H0Bv4qAV/TXwwPUvTiC5IQ=",
"lastModified": 1688939073,
"narHash": "sha256-jYhYjeK5s6k8QS3i+ovq9VZqBJaWbxm7awTKNhHL9d0=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "55af203d468a6f5032a519cba4f41acf5a74b638",
"rev": "8df7a67abaf8aefc8a2839e0b48f92fdcf69a38b",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-22.11",
"ref": "nixos-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1669542132,
"narHash": "sha256-DRlg++NJAwPh8io3ExBJdNW7Djs3plVI5jgYQ+iXAZQ=",
"lastModified": 1670751203,
"narHash": "sha256-XdoH1v3shKDGlrwjgrNX/EN8s3c+kQV7xY6cLCE8vcI=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a115bb9bd56831941be3776c8a94005867f316a7",
"rev": "64e0bf055f9d25928c31fb12924e59ff8ce71e60",
"type": "github"
},
"original": {
@ -158,21 +189,23 @@
"simple-nixos-mailserver": {
"inputs": {
"blobs": "blobs",
"flake-compat": "flake-compat_2",
"nixpkgs": "nixpkgs_3",
"nixpkgs-22_11": "nixpkgs-22_11",
"nixpkgs-23_05": "nixpkgs-23_05",
"utils": "utils_2"
},
"locked": {
"lastModified": 1671659164,
"narHash": "sha256-DbpT+v1POwFOInbrDL+vMbYV3mVbTkMxmJ5j50QnOcA=",
"lastModified": 1687462267,
"narHash": "sha256-rNSputjn/0HEHHnsKfQ8mQVEPVchcBw7DsbND7Wg8dk=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
"rev": "bc667fb6afc45f6cc2d118ab77658faf2227cffd",
"rev": "24128c3052090311688b09a400aa408ba61c6ee5",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"ref": "nixos-22.11",
"ref": "nixos-23.05",
"repo": "nixos-mailserver",
"type": "gitlab"
}
@ -185,11 +218,11 @@
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1684032930,
"narHash": "sha256-ueeSYDii2e5bkKrsSdP12JhkW9sqgYrUghLC8aDfYGQ=",
"lastModified": 1688873469,
"narHash": "sha256-9TMSXvXmrr7bDYi+WeskWe/yho9UP01dGbV9vW5bRVc=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "a376127bb5277cd2c337a9458744f370aaf2e08d",
"rev": "b2047c8fc963407916ad3834165309007dc5a1f7",
"type": "github"
},
"original": {

119
flake.nix
View file

@ -1,36 +1,32 @@
{
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11";
nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
deploy-rs.url = "github:serokell/deploy-rs";
simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-22.11";
simple-nixos-mailserver.url =
"gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.05";
};
outputs = { self, nixpkgs, nixpkgs-unstable, deploy-rs, sops-nix, simple-nixos-mailserver }:
outputs = { self, nixpkgs, nixpkgs-unstable, deploy-rs, sops-nix
, simple-nixos-mailserver }:
let
pkgs = nixpkgs.legacyPackages.x86_64-linux;
pkgs-unstable = nixpkgs-unstable.legacyPackages.x86_64-linux;
defaultModuleArgs = { pkgs, ... }: {
_module.args.pkgs-unstable = import nixpkgs-unstable {
inherit (pkgs.stdenv.targetPlatform) system;
config.allowUnfreePredicate = pkg: builtins.elem (pkgs.lib.getName pkg) [
"minecraft-server"
];
config.allowUnfreePredicate = pkg:
builtins.elem (pkgs.lib.getName pkg) [ "minecraft-server" ];
};
};
in
{
in {
devShells.x86_64-linux.default = pkgs.mkShell {
sopsPGPKeyDirs = [
"./keys/hosts"
"./keys/users"
];
sopsPGPKeyDirs = [ "./keys/hosts" "./keys/users" ];
nativeBuildInputs = [
(pkgs.callPackage sops-nix { }).sops-import-keys-hook
];
nativeBuildInputs =
[ (pkgs.callPackage sops-nix { }).sops-import-keys-hook ];
buildInputs = with pkgs-unstable; [
nixpkgs-fmt
@ -48,16 +44,14 @@
modules = [
sops-nix.nixosModules.sops
./profiles/db.nix
(
{
sops.defaultSopsFile = ./secrets.enc.yml;
networking.hostName = "db1";
networking.domain = "banditlair.com";
nix.registry.nixpkgs.flake = nixpkgs;
({
sops.defaultSopsFile = ./secrets.enc.yml;
networking.hostName = "db1";
networking.domain = "banditlair.com";
nix.registry.nixpkgs.flake = nixpkgs;
system.stateVersion = "21.05";
}
)
system.stateVersion = "21.05";
})
];
};
backend1 = nixpkgs.lib.nixosSystem {
@ -66,16 +60,14 @@
modules = [
sops-nix.nixosModules.sops
./profiles/backend.nix
(
{
sops.defaultSopsFile = ./secrets.enc.yml;
networking.hostName = "backend1";
networking.domain = "banditlair.com";
nix.registry.nixpkgs.flake = nixpkgs;
({
sops.defaultSopsFile = ./secrets.enc.yml;
networking.hostName = "backend1";
networking.domain = "banditlair.com";
nix.registry.nixpkgs.flake = nixpkgs;
system.stateVersion = "21.05";
}
)
system.stateVersion = "21.05";
})
];
};
storage1 = nixpkgs.lib.nixosSystem {
@ -86,43 +78,42 @@
sops-nix.nixosModules.sops
simple-nixos-mailserver.nixosModule
./profiles/storage.nix
(
{
sops.defaultSopsFile = ./secrets.enc.yml;
networking.hostName = "storage1";
networking.domain = "banditlair.com";
nix.registry.nixpkgs.flake = nixpkgs;
({
sops.defaultSopsFile = ./secrets.enc.yml;
networking.hostName = "storage1";
networking.domain = "banditlair.com";
nix.registry.nixpkgs.flake = nixpkgs;
system.stateVersion = "21.05";
}
)
system.stateVersion = "21.05";
})
];
};
};
deploy.nodes =
let
createSystemProfile = configuration: {
user = "root";
sshUser = "root";
path = deploy-rs.lib.x86_64-linux.activate.nixos configuration;
};
in
{
db1 = {
hostname = "db1.banditlair.com";
profiles.system = createSystemProfile self.nixosConfigurations.db1;
};
backend1 = {
hostname = "backend1.banditlair.com";
profiles.system = createSystemProfile self.nixosConfigurations.backend1;
};
storage1 = {
hostname = "78.46.96.243";
profiles.system = createSystemProfile self.nixosConfigurations.storage1;
};
deploy.nodes = let
createSystemProfile = configuration: {
user = "root";
sshUser = "root";
path = deploy-rs.lib.x86_64-linux.activate.nixos configuration;
};
in {
db1 = {
hostname = "db1.banditlair.com";
profiles.system = createSystemProfile self.nixosConfigurations.db1;
};
backend1 = {
hostname = "backend1.banditlair.com";
profiles.system =
createSystemProfile self.nixosConfigurations.backend1;
};
storage1 = {
hostname = "78.46.96.243";
profiles.system =
createSystemProfile self.nixosConfigurations.storage1;
};
};
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
checks = builtins.mapAttrs
(system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
};
}

2
hardware/hcloud.nix
View file

@ -9,7 +9,7 @@
time.timeZone = "Europe/Amsterdam";
boot.cleanTmpDir = true;
boot.tmp.cleanOnBoot = true;
networking.firewall.allowPing = true;
networking.usePredictableInterfaceNames = false;

27
modules/dokuwiki.nix
View file

@ -18,7 +18,8 @@ let
sops.secrets."usersFile-${name}" = {
owner = "dokuwiki";
key = "wiki/${name}/users_file";
restartUnits = [ "phpfpm-dokuwiki-${name}.${config.networking.domain}.service" ];
restartUnits =
[ "phpfpm-dokuwiki-${name}.${config.networking.domain}.service" ];
};
services.dokuwiki.sites = {
@ -26,12 +27,13 @@ let
enable = true;
stateDir = "/nix/var/data/dokuwiki/${name}/data";
usersFile = config.sops.secrets."usersFile-${name}".path;
disableActions = "register";
templates = [ template-chippedsnow ];
extraConfig = ''
$conf['title'] = 'Chroniques d\'Arkadia';
$conf['template'] = 'chippedsnow';
'';
settings = {
useacl = true;
title = "Chroniques d`Arkadia";
template = "chippedsnow";
disableactions = "register";
};
};
};
@ -40,21 +42,14 @@ let
enableACME = true;
};
};
in
{
in {
options.custom.services.dokuwiki = {
enable = mkEnableOption "dokuwiki";
secretKeyFile = mkOption {
type = types.path;
};
secretKeyFile = mkOption { type = types.path; };
};
config = mkIf cfg.enable
(lib.mkMerge [
(configureWiki "anderia")
(configureWiki "arkadia")
]);
(lib.mkMerge [ (configureWiki "anderia") (configureWiki "arkadia") ]);
}

31
modules/mailserver.nix
View file

@ -1,22 +1,11 @@
{ config, lib, pkgs, ... }:
{
{ config, lib, pkgs, ... }: {
sops.secrets = {
paultrialPassword = {
key = "email/accounts_passwords/paultrial";
};
eliosPassword = {
key = "email/accounts_passwords/elios";
};
mariePassword = {
key = "email/accounts_passwords/marie";
};
alicePassword = {
key = "email/accounts_passwords/alice";
};
monitPassword = {
key = "email/accounts_passwords/monit";
};
paultrialPassword = { key = "email/accounts_passwords/paultrial"; };
eliosPassword = { key = "email/accounts_passwords/elios"; };
mariePassword = { key = "email/accounts_passwords/marie"; };
alicePassword = { key = "email/accounts_passwords/alice"; };
monitPassword = { key = "email/accounts_passwords/monit"; };
noreplyBanditlairPassword = {
key = "email/accounts_passwords/noreply_banditlair";
};
@ -41,10 +30,7 @@
"paultrial@banditlair.com" = {
# nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2 > /hashed/password/file/location
hashedPasswordFile = config.sops.secrets.paultrialPassword.path;
aliases = [
"contact@froidmont.org"
"account@banditlair.com"
];
aliases = [ "contact@froidmont.org" "account@banditlair.com" ];
};
"marie-alice@froidmont.org" = {
hashedPasswordFile = config.sops.secrets.mariePassword.path;
@ -190,8 +176,7 @@
"@falbo.fr" = "elios@banditlair.com";
};
certificateScheme = 3;
certificateScheme = "acme-nginx";
};
}

19
modules/openssh.nix
View file

@ -1,20 +1,13 @@
{ config, lib, ... }:
with lib;
let
cfg = config.custom.services.openssh;
in
{
options.custom.services.openssh = {
enable = mkEnableOption "openssh";
};
let cfg = config.custom.services.openssh;
in {
options.custom.services.openssh = { enable = mkEnableOption "openssh"; };
config = mkIf cfg.enable {
services.openssh.enable = true;
services.openssh.permitRootLogin = "prohibit-password";
users.users.root.openssh.authorizedKeys.keyFiles = [
../ssh_keys/froidmpa-desktop.pub
../ssh_keys/froidmpa-laptop.pub
];
services.openssh.settings.PermitRootLogin = "prohibit-password";
users.users.root.openssh.authorizedKeys.keyFiles =
[ ../ssh_keys/froidmpa-desktop.pub ../ssh_keys/froidmpa-laptop.pub ];
};
}

4
profiles/storage.nix
View file

@ -107,7 +107,9 @@
users.users.www-data = {
uid = 993;
isNormalUser = true;
createHome = true;
home = "/home/www-data";
useDefaultShell = true;
group = config.users.groups.www-data.name;
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDc7kX8riTSxRNwqIwZ/XwTKHzl1C786TbeU5qx2gTidR4H56+GxA5jrpWLZrcu0MRBu11/URzyGrJGxdBps6Hu/Arp482Y5OxZeDUzD+tZJa79NylG9GQFMTmGLjH3IqBbmgx91WdYsLmgXjz0f+NxANzmgvzRt2IolHc4hxIkrDickfT2dT3uVtaJOGBsLC2BxVT0rCHFmvjB7+qnJ4jvC8b/V+F6+hijom1kUq9zhZzWEg8H5imR0UoXrXLetxY+PGAqKkDLm/pNQ/cUSX4FaKZ5bpGYed7ioSeRHW3xIh4zHhWbiyBPsrjyOmEnxNL5f4o4KgHfUDY0DpVrhs+6JPJTsMfsyb0GciqSYR5PCL73zY+IEo+ZHdGubib4G5+t1UqaK+ZZGqW+a7DLHMFR6tr3I/b/Jz8KHjYztdx/ZHS3CA2+17JgLG/ycq+a3ETBkIGSta5I4BUfcbVvkxKq7A99aODDyYc+jMp7gbQlwKhdHcAoVcWRKqck/sL0Qnb4e+BoUm+ajxRo6DNcpGL5LLtD/i1NuWjFugh6q1KcgXP/Bc11Owhqg3nlIUMUoVc2/h/9Er9Eaplv27rw180ItGR1UEQ4gQHCGQB6vCF5NRPjAS5y515UcDu+rceFIr1W15IZvhMrcphb8clu8E2us68ghas7ZgXKU2xypsaGPw== sshfs-2021-07-16"