diff --git a/flake.lock b/flake.lock index 5e03548..99b74c2 100644 --- a/flake.lock +++ b/flake.lock @@ -46,48 +46,6 @@ "type": "github" } }, - "authentik-nix": { - "inputs": { - "authentik-src": "authentik-src", - "flake-compat": "flake-compat", - "flake-parts": "flake-parts", - "flake-utils": "flake-utils_2", - "napalm": "napalm", - "nixpkgs": "nixpkgs_2", - "poetry2nix": "poetry2nix", - "systems": "systems_3" - }, - "locked": { - "lastModified": 1737810234, - "narHash": "sha256-zTS99/ZE8khNnIWFEsF21E6seR9IizGYkY19t6iK7z4=", - "owner": "nix-community", - "repo": "authentik-nix", - "rev": "1fa3cbed36fb03d2f6ceab981d083af98b5c7d0f", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "authentik-nix", - "type": "github" - } - }, - "authentik-src": { - "flake": false, - "locked": { - "lastModified": 1736440980, - "narHash": "sha256-Z3rFFrXrOKaF9NpY/fInsEbzdOWnWqLfEYl7YX9hFEU=", - "owner": "goauthentik", - "repo": "authentik", - "rev": "9d81f0598c7735e2b4616ee865ab896056a67408", - "type": "github" - }, - "original": { - "owner": "goauthentik", - "ref": "version/2024.12.2", - "repo": "authentik", - "type": "github" - } - }, "crane": { "locked": { "lastModified": 1725409566, 
@@ -126,40 +84,6 @@ "type": "github" } }, - "flake-compat": { - "flake": false, - "locked": { - "lastModified": 1733328505, - "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-parts": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib" - }, - "locked": { - "lastModified": 1736143030, - "narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, "flake-utils": { "inputs": { "systems": "systems_2" @@ -180,28 +104,7 @@ }, "flake-utils_2": { "inputs": { - "systems": [ - "authentik-nix", - "systems" - ] - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_3": { - "inputs": { - "systems": "systems_4" + "systems": "systems_3" }, "locked": { "lastModified": 1731533236, @@ -262,7 +165,7 @@ }, "microvm": { "inputs": { - "flake-utils": "flake-utils_3", + "flake-utils": "flake-utils_2", "nixpkgs": [ "nixpkgs" ], 
@@ -282,54 +185,6 @@ "type": "github" } }, - "napalm": { - "inputs": { - "flake-utils": [ - "authentik-nix", - "flake-utils" - ], - "nixpkgs": [ - "authentik-nix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1725806412, - "narHash": "sha256-lGZjkjds0p924QEhm/r0BhAxbHBJE1xMOldB/HmQH04=", - "owner": "willibutz", - "repo": "napalm", - "rev": "b492440d9e64ae20736d3bec5c7715ffcbde83f5", - "type": "github" - }, - "original": { - "owner": "willibutz", - "ref": "avoid-foldl-stack-overflow", - "repo": "napalm", - "type": "github" - } - }, - "nix-github-actions": { - "inputs": { - "nixpkgs": [ - "authentik-nix", - "poetry2nix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1729742964, - "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", - "owner": "nix-community", - "repo": "nix-github-actions", - "rev": "e04df33f62cdcf93d73e9a04142464753a16db67", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-github-actions", - "type": "github" - } - }, "nixpkgs": { "locked": { "lastModified": 1725634671, 
@@ -346,38 +201,10 @@ "type": "github" } }, - "nixpkgs-lib": { - "locked": { - "lastModified": 1735774519, - "narHash": "sha256-CewEm1o2eVAnoqb6Ml+Qi9Gg/EfNAxbRx1lANGVyoLI=", - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz" - }, - "original": { - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz" - } - }, "nixpkgs_2": { "locked": { - "lastModified": 1737632463, - "narHash": "sha256-38J9QfeGSej341ouwzqf77WIHAScihAKCt8PQJ+NH28=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "0aa475546ed21629c4f5bbf90e38c846a99ec9e9", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_3": { - "locked": { - "lastModified": 1737885640, - "narHash": "sha256-GFzPxJzTd1rPIVD4IW+GwJlyGwBDV1Tj5FLYwDQQ9sM=", + "lastModified": 1736200483, + "narHash": "sha256-JO+lFN2HsCwSLMUWXHeOad6QUxOuwe9UOAF/iSl1J4I=", "owner": "NixOS", "repo": "nixpkgs", "rev": "4e96537f163fad24ed9eb317798a79afc85b51b7", @@ -390,44 +217,12 @@ "type": "github" } }, - "poetry2nix": { - "inputs": { - "flake-utils": [ - "authentik-nix", - "flake-utils" - ], - "nix-github-actions": "nix-github-actions", - "nixpkgs": [ - "authentik-nix", - "nixpkgs" - ], - "systems": [ - "authentik-nix", - "systems" - ], - "treefmt-nix": "treefmt-nix" - }, - "locked": { - "lastModified": 1736884309, - "narHash": "sha256-eiCqmKl0BIRiYk5/ZhZozwn4/7Km9CWTbc15Cv+VX5k=", - "owner": "nix-community", - "repo": "poetry2nix", - "rev": "75d0515332b7ca269f6d7abfd2c44c47a7cbca7b", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "poetry2nix", - "type": "github" - } - }, "root": { "inputs": { "agenix": "agenix", - "authentik-nix": "authentik-nix", "home-manager": "home-manager_2", "microvm": "microvm", - "nixpkgs": "nixpkgs_3" + "nixpkgs": "nixpkgs_2" } }, "rust-overlay": { 
@@ -498,21 +293,6 @@
 }
 },
 "systems_3": {
- "locked": {
- "lastModified": 1689347949,
- "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
- "owner": "nix-systems",
- "repo": "default-linux",
- "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
- "type": "github"
- },
- "original": {
- "owner": "nix-systems",
- "repo": "default-linux",
- "type": "github"
- }
- },
- "systems_4": {
 "locked": {
 "lastModified": 1681028828,
 "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
@@ -526,28 +306,6 @@
 "repo": "default",
 "type": "github"
 }
- },
- "treefmt-nix": {
- "inputs": {
- "nixpkgs": [
- "authentik-nix",
- "poetry2nix",
- "nixpkgs"
- ]
- },
- "locked": {
- "lastModified": 1730120726,
- "narHash": "sha256-LqHYIxMrl/1p3/kvm2ir925tZ8DkI0KA10djk8wecSk=",
- "owner": "numtide",
- "repo": "treefmt-nix",
- "rev": "9ef337e492a5555d8e17a51c911ff1f02635be15",
- "type": "github"
- },
- "original": {
- "owner": "numtide",
- "repo": "treefmt-nix",
- "type": "github"
- }
 }
 },
 "root": "root",
diff --git a/flake.nix b/flake.nix
index 4dbb568..d7d7706 100644
--- a/flake.nix
+++ b/flake.nix
@@ -7,9 +7,10 @@
 url = "github:nix-community/home-manager/release-24.11";
 inputs.nixpkgs.follows = "nixpkgs";
 };
- microvm.url = "github:astro/microvm.nix";
- microvm.inputs.nixpkgs.follows = "nixpkgs";
- authentik-nix.url = "github:nix-community/authentik-nix";
+ microvm = {
+ url = "github:astro/microvm.nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 agenix.url = "github:yaxitech/ragenix";
 };
@@ -73,6 +74,21 @@
 }
 ];
 };
+ pgsql = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [
+ agenix.nixosModules.default
+ "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix"
+ "${inputs.self}/systems/minimalLXCConfig.nix"
+ "${inputs.self}/services"
+ {
+ networking.hostName = "pgsql";
+ services.vm_postgresql = {
+ enable = true;
+ };
+ }
+ ];
+ };
 onlyoffice = nixpkgs.lib.nixosSystem {
 inherit system;
 modules = [
@@ -170,48 +186,6 @@
 }
 ];
 };
- authentik = nixpkgs.lib.nixosSystem {
- inherit system;
- modules = [
- agenix.nixosModules.default
- inputs.authentik-nix.nixosModules.default
- {
- services.authentik = {
- enable = true;
- environmentFile = "/run/secrets/authentik/authentik-env";
- settings = {
- disable_startup_analytics = true;
- avatars = "initials";
- };
- };
- services.vm_authentik = {
- enable = true;
- };
- }
- microvm.nixosModules.microvm
- "${inputs.self}/systems/minimalMicrovmConfig.nix"
- "${inputs.self}/services"
- {
- microvm = {
- volumes = [
- {
- mountPoint = "/media";
- image = "/var/lib/microvms/authentik/media.img";
- size = 2048;
- }
- ];
- };
- services.micro_vm = {
- enable = true;
- hostname = "authentik";
- vm_ip = "192.168.1.25";
- vm_cpu = 2;
- vm_mem = 2048;
- macAddr = "02:00:00:00:00:25";
- };
- }
- ];
- };
 };
 };
 }
diff --git a/secrets.nix b/secrets.nix
index b8b0abd..182f264 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -5,6 +5,7 @@ let
 forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2NAam+nseSCzJV/1UTyO2LgMjx0xT7/vTOOi5EG9HV root@forgejo-runner";
 grafana = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQxvO9vdd2f9aV4F3LEQrrTJaLwLvSLbLtjB9qNxc4z root@grafana";
 onlyoffice = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGbnzv2/Or4XdQXLDjIbr7oIDTQEvgSMTX4aiNCQk4tC root@onlyoffice";
+ postgresql = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN+Ol11EWgsAMB3OmwTWdBbhPBgtgWHR5h0lCAJDCgCX root@pgsql";
 systems = [forgejo grafana];
 in {
@@ -14,4 +15,8 @@ in {
 "services/grafana/secrets/kuma-token.age".publicKeys = [tbarnouin grafana];
 "services/onlyoffice/secrets/office-dbpass.age".publicKeys = [tbarnouin onlyoffice];
 "services/onlyoffice/secrets/office-jwtpass.age".publicKeys = [tbarnouin onlyoffice];
+ "services/postgresql/secrets/nextcloudDBPass.age".publicKeys = [ tbarnouin postgresql ];
+ "services/postgresql/secrets/giteaDBPass.age".publicKeys = [ tbarnouin postgresql ];
+ "services/postgresql/secrets/authentikDBPass.age".publicKeys = [ tbarnouin postgresql ];
+ "services/postgresql/secrets/grafanaDBPass.age".publicKeys = [ tbarnouin postgresql ];
 }
diff --git a/services/postgresql/default.nix b/services/postgresql/default.nix
index 5823ec3..9dfee7a 100644
--- a/services/postgresql/default.nix
+++ b/services/postgresql/default.nix
@@ -10,41 +10,43 @@ in {
 enable = lib.mkEnableOption "Enable minimal config";
 };
 config = lib.mkIf cfg.enable {
+ age.secrets = {
+ nextcloudDBPass.file = ./secrets/nextcloudDBPass.age;
+ giteaDBPass.file = ./secrets/giteaDBPass.age;
+ authentikDBPass.file = ./secrets/authentikDBPass.age;
+ grafanaDBPass.file = ./secrets/grafanaDBPass.age;
+ };
 services.postgresql = {
 enable = true;
 package = pkgs.postgresql_16;
 enableTCPIP = true;
 settings.port = 5432;
- ensureDatabases = [
- "gitea"
- "nextcloud"
- "netbox"
- "authentik"
- "grafana"
- ];
- ensureUsers = [
- {
- name = "gitea";
- ensureDBOwnership = true;
- }
- {
- name = "nextcloud";
- ensureDBOwnership = true;
- }
- ];
 authentication = "
 host nextcloud nextcloud 192.168.1.44/32 md5
 host gitea gitea 192.168.1.14/32 md5
- host netbox netbox 192.168.1.45/32 md5
 host authentik authentik 192.168.1.125/32 md5
 host grafana grafana 192.168.1.27/32 md5
 ";
- # Not great, not in prod, cleartext pass
- # waiting for ensureUsers.*.passwordFile option
- # https://github.com/NixOS/nixpkgs/pull/326306
 initialScript = pkgs.writeText "init-sql-script" ''
- alter user gitea with password 'password';
- alter user nextcloud with password 'password';
+ nextcloudSecret = $(echo ${config.age.secrets.nextcloudDBPass.path})
+ CREATE ROLE nextcloud WITH LOGIN PASSWORD $nextcloudSecret CREATEDB;
+ CREATE DATABASE nextcloud;
+ GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud;
+
+ giteaSecret = $(echo ${config.age.secrets.giteaDBPass.path})
+ CREATE ROLE gitea WITH LOGIN PASSWORD $giteaSecret CREATEDB;
+ CREATE DATABASE gitea;
+ GRANT ALL PRIVILEGES ON DATABASE gitea TO gitea;
+
+ authentikSecret = $(echo ${config.age.secrets.authentikDBPass.path})
+ CREATE ROLE authentik WITH LOGIN PASSWORD $authentikSecret CREATEDB;
+ CREATE DATABASE authentik;
+ GRANT ALL PRIVILEGES ON DATABASE authentik TO authentik;
+
+ grafanaSecret = $(echo ${config.age.secrets.grafanaDBPass.path})
+ CREATE ROLE grafana WITH LOGIN PASSWORD $grafanaSecret CREATEDB;
+ CREATE DATABASE grafana;
+ GRANT ALL PRIVILEGES ON DATABASE grafana TO grafana;
 '';
 };
 networking.firewall.allowedTCPPorts = [5432];
diff --git a/services/postgresql/secrets/authentikDBPass.age b/services/postgresql/secrets/authentikDBPass.age
new file mode 100644
index 0000000..e69de29
diff --git a/services/postgresql/secrets/giteaDBPass.age b/services/postgresql/secrets/giteaDBPass.age
new file mode 100644
index 0000000..e69de29
diff --git a/services/postgresql/secrets/grafanaDBPass.age b/services/postgresql/secrets/grafanaDBPass.age
new file mode 100644
index 0000000..e69de29
diff --git a/services/postgresql/secrets/nextcloudDBPass.age b/services/postgresql/secrets/nextcloudDBPass.age
new file mode 100644
index 0000000..e69de29
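Review bot: The new initialScript body is SQL that psql executes, but `nextcloudSecret = $(echo ${config.age.secrets.nextcloudDBPass.path})` (and the three lines like it) is shell syntax, so psql rejects it, and `PASSWORD $nextcloudSecret` is never substituted either — and even if it were, the value would be the secret file's path, not its contents, so none of the four roles ends up with the intended password. psql's own mechanism does what was meant: a `\set nextcloudSecret` line whose value is a backquoted `cat` of the secret path, then `CREATE ROLE nextcloud WITH LOGIN PASSWORD :'nextcloudSecret';` (the `:'…'` form interpolates the variable as a quoted literal); the rewrite below applies that to all four roles, creates each database with `OWNER` as the removed `ensureDBOwnership = true` did (on PostgreSQL 15+ `GRANT ALL PRIVILEGES ON DATABASE` no longer gives the role CREATE on the public schema), and drops the unneeded `CREATEDB`. The script runs inside the postgresql unit as the postgres user, while agenix, if its defaults apply, installs secrets as root-only 0400 files, so each `age.secrets.*` entry needs `owner = "postgres";` for the `cat` to succeed. Note also that initialScript runs only when the cluster is first initialised, so an already-initialised instance that relied on the removed ensureUsers/ensureDatabases will not gain these roles, and the four `.age` files added at the end of this page carry the empty-blob id `e69de29`, i.e. they contain no ciphertext yet.

```nix
      age.secrets = {
        # initialScript runs inside the postgresql unit as the postgres user
        nextcloudDBPass = { file = ./secrets/nextcloudDBPass.age; owner = "postgres"; };
        giteaDBPass = { file = ./secrets/giteaDBPass.age; owner = "postgres"; };
        authentikDBPass = { file = ./secrets/authentikDBPass.age; owner = "postgres"; };
        grafanaDBPass = { file = ./secrets/grafanaDBPass.age; owner = "postgres"; };
      };
      # … unchanged: services.postgresql enable/package/enableTCPIP/port/authentication …
        initialScript = pkgs.writeText "init-sql-script" ''
          \set nextcloudSecret `cat ${config.age.secrets.nextcloudDBPass.path}`
          CREATE ROLE nextcloud WITH LOGIN PASSWORD :'nextcloudSecret';
          CREATE DATABASE nextcloud OWNER nextcloud;

          \set giteaSecret `cat ${config.age.secrets.giteaDBPass.path}`
          CREATE ROLE gitea WITH LOGIN PASSWORD :'giteaSecret';
          CREATE DATABASE gitea OWNER gitea;

          \set authentikSecret `cat ${config.age.secrets.authentikDBPass.path}`
          CREATE ROLE authentik WITH LOGIN PASSWORD :'authentikSecret';
          CREATE DATABASE authentik OWNER authentik;

          \set grafanaSecret `cat ${config.age.secrets.grafanaDBPass.path}`
          CREATE ROLE grafana WITH LOGIN PASSWORD :'grafanaSecret';
          CREATE DATABASE grafana OWNER grafana;
        '';
```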