diff --git a/flake.lock b/flake.lock index 99b74c2..5e03548 100644 --- a/flake.lock +++ b/flake.lock @@ -46,6 +46,48 @@ "type": "github" } }, + "authentik-nix": { + "inputs": { + "authentik-src": "authentik-src", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "flake-utils": "flake-utils_2", + "napalm": "napalm", + "nixpkgs": "nixpkgs_2", + "poetry2nix": "poetry2nix", + "systems": "systems_3" + }, + "locked": { + "lastModified": 1737810234, + "narHash": "sha256-zTS99/ZE8khNnIWFEsF21E6seR9IizGYkY19t6iK7z4=", + "owner": "nix-community", + "repo": "authentik-nix", + "rev": "1fa3cbed36fb03d2f6ceab981d083af98b5c7d0f", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "authentik-nix", + "type": "github" + } + }, + "authentik-src": { + "flake": false, + "locked": { + "lastModified": 1736440980, + "narHash": "sha256-Z3rFFrXrOKaF9NpY/fInsEbzdOWnWqLfEYl7YX9hFEU=", + "owner": "goauthentik", + "repo": "authentik", + "rev": "9d81f0598c7735e2b4616ee865ab896056a67408", + "type": "github" + }, + "original": { + "owner": "goauthentik", + "ref": "version/2024.12.2", + "repo": "authentik", + "type": "github" + } + }, "crane": { "locked": { "lastModified": 1725409566, 
@@ -84,6 +126,40 @@ "type": "github" } }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1733328505, + "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1736143030, + "narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "flake-utils": { "inputs": { "systems": "systems_2" @@ -104,7 +180,28 @@ }, "flake-utils_2": { "inputs": { - "systems": "systems_3" + "systems": [ + "authentik-nix", + "systems" + ] + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_3": { + "inputs": { + "systems": "systems_4" }, "locked": { "lastModified": 1731533236, @@ -165,7 +262,7 @@ }, "microvm": { "inputs": { - "flake-utils": "flake-utils_2", + "flake-utils": "flake-utils_3", "nixpkgs": [ "nixpkgs" ], 
@@ -185,6 +282,54 @@ "type": "github" } }, + "napalm": { + "inputs": { + "flake-utils": [ + "authentik-nix", + "flake-utils" + ], + "nixpkgs": [ + "authentik-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1725806412, + "narHash": "sha256-lGZjkjds0p924QEhm/r0BhAxbHBJE1xMOldB/HmQH04=", + "owner": "willibutz", + "repo": "napalm", + "rev": "b492440d9e64ae20736d3bec5c7715ffcbde83f5", + "type": "github" + }, + "original": { + "owner": "willibutz", + "ref": "avoid-foldl-stack-overflow", + "repo": "napalm", + "type": "github" + } + }, + "nix-github-actions": { + "inputs": { + "nixpkgs": [ + "authentik-nix", + "poetry2nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1729742964, + "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", + "owner": "nix-community", + "repo": "nix-github-actions", + "rev": "e04df33f62cdcf93d73e9a04142464753a16db67", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-github-actions", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1725634671, 
@@ -201,10 +346,38 @@ "type": "github" } }, + "nixpkgs-lib": { + "locked": { + "lastModified": 1735774519, + "narHash": "sha256-CewEm1o2eVAnoqb6Ml+Qi9Gg/EfNAxbRx1lANGVyoLI=", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz" + } + }, "nixpkgs_2": { "locked": { - "lastModified": 1736200483, - "narHash": "sha256-JO+lFN2HsCwSLMUWXHeOad6QUxOuwe9UOAF/iSl1J4I=", + "lastModified": 1737632463, + "narHash": "sha256-38J9QfeGSej341ouwzqf77WIHAScihAKCt8PQJ+NH28=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "0aa475546ed21629c4f5bbf90e38c846a99ec9e9", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1737885640, + "narHash": "sha256-GFzPxJzTd1rPIVD4IW+GwJlyGwBDV1Tj5FLYwDQQ9sM=", "owner": "NixOS", "repo": "nixpkgs", "rev": "4e96537f163fad24ed9eb317798a79afc85b51b7", @@ -217,12 +390,44 @@ "type": "github" } }, + "poetry2nix": { + "inputs": { + "flake-utils": [ + "authentik-nix", + "flake-utils" + ], + "nix-github-actions": "nix-github-actions", + "nixpkgs": [ + "authentik-nix", + "nixpkgs" + ], + "systems": [ + "authentik-nix", + "systems" + ], + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1736884309, + "narHash": "sha256-eiCqmKl0BIRiYk5/ZhZozwn4/7Km9CWTbc15Cv+VX5k=", + "owner": "nix-community", + "repo": "poetry2nix", + "rev": "75d0515332b7ca269f6d7abfd2c44c47a7cbca7b", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "poetry2nix", + "type": "github" + } + }, "root": { "inputs": { "agenix": "agenix", + "authentik-nix": "authentik-nix", "home-manager": "home-manager_2", "microvm": "microvm", - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_3" } }, "rust-overlay": { 
@@ -293,6 +498,21 @@ } }, "systems_3": { + "locked": { + "lastModified": 1689347949, + "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", + "owner": "nix-systems", + "repo": "default-linux", + "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default-linux", + "type": "github" + } + }, + "systems_4": { "locked": { "lastModified": 1681028828, "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", @@ -306,6 +526,28 @@ "repo": "default", "type": "github" } + }, + "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "authentik-nix", + "poetry2nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1730120726, + "narHash": "sha256-LqHYIxMrl/1p3/kvm2ir925tZ8DkI0KA10djk8wecSk=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "9ef337e492a5555d8e17a51c911ff1f02635be15", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index d7d7706..4dbb568 100644 --- a/flake.nix +++ b/flake.nix @@ -7,10 +7,9 @@ url = "github:nix-community/home-manager/release-24.11"; inputs.nixpkgs.follows = "nixpkgs"; }; - microvm = { - url = "github:astro/microvm.nix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; + microvm.url = "github:astro/microvm.nix"; + microvm.inputs.nixpkgs.follows = "nixpkgs"; + authentik-nix.url = "github:nix-community/authentik-nix"; agenix.url = "github:yaxitech/ragenix"; }; @@ -74,21 +73,6 @@ } ]; }; - pgsql = nixpkgs.lib.nixosSystem { - inherit system; - modules = [ - agenix.nixosModules.default - "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix" - "${inputs.self}/systems/minimalLXCConfig.nix" - "${inputs.self}/services" - { - networking.hostName = "pgsql"; - services.vm_postgresql = { - enable = true; - }; - } - ]; - }; onlyoffice = nixpkgs.lib.nixosSystem { inherit system; modules = [ 
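Review bot: `authentik-nix.url = "github:nix-community/authentik-nix";` is added with neither a ref nor an `inputs.nixpkgs.follows`, so the lock now carries a second full nixpkgs tree (nixpkgs_2, nixos-unstable) plus poetry2nix and napalm — the latter taken from a personal fork branch (`willibutz/napalm`, ref `avoid-foldl-stack-overflow`) — none of which the updates and security patches applied to this repo's own `nixpkgs` input will reach. The pinned revs in flake.lock keep the build reproducible today, but `nix flake update` will float authentik-nix to whatever its main branch points at; if the intent is to stay on the 2024.12.2 release the lock's `authentik-src` is on, pin the input to it, e.g. `authentik-nix.url = "github:nix-community/authentik-nix?ref=version/2024.12.2";`, assuming upstream tags releases that way. Whether to add `authentik-nix.inputs.nixpkgs.follows = "nixpkgs";` is a judgement call since upstream pins its own nixpkgs deliberately, so if the duplicate tree is intentional a one-line comment saying so would stop the next reader from "fixing" it.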
@@ -186,6 +170,48 @@
 }
 ];
 };
+ authentik = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [
+ agenix.nixosModules.default
+ inputs.authentik-nix.nixosModules.default
+ {
+ services.authentik = {
+ enable = true;
+ environmentFile = "/run/secrets/authentik/authentik-env";
+ settings = {
+ disable_startup_analytics = true;
+ avatars = "initials";
+ };
+ };
+ services.vm_authentik = {
+ enable = true;
+ };
+ }
+ microvm.nixosModules.microvm
+ "${inputs.self}/systems/minimalMicrovmConfig.nix"
+ "${inputs.self}/services"
+ {
+ microvm = {
+ volumes = [
+ {
+ mountPoint = "/media";
+ image = "/var/lib/microvms/authentik/media.img";
+ size = 2048;
+ }
+ ];
+ };
+ services.micro_vm = {
+ enable = true;
+ hostname = "authentik";
+ vm_ip = "192.168.1.25";
+ vm_cpu = 2;
+ vm_mem = 2048;
+ macAddr = "02:00:00:00:00:25";
+ };
+ }
+ ];
+ };
 };
 };
 }
diff --git a/secrets.nix b/secrets.nix
index 29bf405..b8b0abd 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -5,7 +5,6 @@ let
 forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2NAam+nseSCzJV/1UTyO2LgMjx0xT7/vTOOi5EG9HV root@forgejo-runner";
 grafana = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQxvO9vdd2f9aV4F3LEQrrTJaLwLvSLbLtjB9qNxc4z root@grafana";
 onlyoffice = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGbnzv2/Or4XdQXLDjIbr7oIDTQEvgSMTX4aiNCQk4tC root@onlyoffice";
- postgresql = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJW7qA7j1sICuu1RAfs9ifR9dmOlHq45tKu1ga7CKaob root@pgsql";
 systems = [forgejo grafana];
 in {
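Review bot: `vm_ip = "192.168.1.25"` gives the new authentik guest an address that the PostgreSQL host rule in services/postgresql/default.nix does not admit — that file's `host authentik authentik 192.168.1.125/32 md5` line, left unchanged by this commit, only allows .125 — so unless .125 is some other host the guest's database connections will be rejected by pg_hba; change one side, e.g. `host authentik authentik 192.168.1.25/32 md5`. `environmentFile = "/run/secrets/authentik/authentik-env"` is likewise not produced by anything here: secrets.nix gains no authentik recipient key or `.age` entry, and ragenix/agenix decrypt to /run/agenix by default, so this file (presumably carrying AUTHENTIK_SECRET_KEY and the database password) has to be provisioned by some other mechanism before the VM first boots. A comment on that line, e.g. `# provisioned out of band, not via agenix — must exist before first boot`, or better an `age.secrets` entry that points the module at the agenix-managed path, would make the dependency explicit.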
@@ -15,8 +14,4 @@ in {
 "services/grafana/secrets/kuma-token.age".publicKeys = [tbarnouin grafana];
 "services/onlyoffice/secrets/office-dbpass.age".publicKeys = [tbarnouin onlyoffice];
 "services/onlyoffice/secrets/office-jwtpass.age".publicKeys = [tbarnouin onlyoffice];
- "services/postgresql/secrets/nextcloudDBPass.age".publicKeys = [ tbarnouin postgresql ];
- "services/postgresql/secrets/giteaDBPass.age".publicKeys = [ tbarnouin postgresql ];
- "services/postgresql/secrets/authentikDBPass.age".publicKeys = [ tbarnouin postgresql ];
- "services/postgresql/secrets/grafanaDBPass.age".publicKeys = [ tbarnouin postgresql ];
 }
diff --git a/secrets/initialPassword.age b/secrets/initialPassword.age
index 4dd2382..7be04a4 100644
--- a/secrets/initialPassword.age
+++ b/secrets/initialPassword.age
@@ -1,13 +1,13 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBIZzc3 -NEpKbjZKaHNJTkUwbUVVWkRNYzRVZ1g3aHFWbmw0RjByQy9DNUY0ClBraUZmM29P -dW9RZXNhUVZQajQ0VVZzN3E2ZjlQa2hIN2QrOG4vamVhUTAKLT4gc3NoLWVkMjU1 -MTkgTVRPMXBnIFBFbFVLNFBSdmQxeWhkWFcyRkdidUJDMHVhcWtuM0RNYU9MN25G -bWtqaGMKM1dDYTJjY3lwQlRGSU1nSERxWkYzck1JU21kaDBvelgyMUhXd2NabzFJ -QQotPiBzc2gtZWQyNTUxOSB3bkVVcHcgN3NVYnF3blJYdk9NMlpFeHBkSWpmL3hX -SVlZakZ0VG5SZjJzODNKZ2UzRQpXeWhBWm1GU2czTzhZN3hvQXErQ2xzWlBrdGM3 -bjFmQXRTQzJTNzlXeUFRCi0+ICZEazJMXy1ncmVhc2Ugb0Qga15CMW83OGAKSEk5 -ek9EV09TMm4vUGJEWDgwRnY4b0I3Z3ZxQk5GS0x5eEgyNFUvS2h3Ci0tLSA0RHBw -WXNxTGtDUHlVQ2ZHWk5WeGtuTTVseDFHeWxBcFZzNFRwUWptZHRvClgW5JGwRhTf -X5W+zQOJKbaiChYCtdqrPnEd4tRJMnMtm19UIUnR7asWmDdl8LU7DvodK4UA +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyB5SjZL +dXhYcTh4RjBrUmhSSzBaWXRNZUQ3V1NVRTBZUzNLeUZCYkJmWGpNClZwMU9ldXRK +OGhZNXlFcEE1YzNGSVIwdzBXbFN4SlNWUWMwOGlEMnRQUG8KLT4gc3NoLWVkMjU1 +MTkgTVRPMXBnIHJSKzh1ZzZGeUJldW15Z2o3ejBqUC9EYUlNcHd5ZEEyRTNTQ2xS +STEwaGMKSHNVL1l3cnVQOHIwQTZZN0VqWHgvaXh0UmFxdEE3eWZqaXZFZjQwS05h +dwotPiBzc2gtZWQyNTUxOSB3bkVVcHcgVG9KYmRZenoyczJVQjhYbGkrQXdOclRJ +anhyVS9va3ZxcGVlR3BKV2xoVQplQk15MFhUdzF1REV3Qkt0dElaTTA4aTVBcGNH +ckxTWHh2dFVvUlo2V2JjCi0+ID9BQCstZ3JlYXNlCnVVWno2OEl1NVVNRy9VSHky +TjhGVDFHVjV2ME1GV0o0bHY0NlFoRGFyK2xvSlJudHNBCi0tLSBRd2hIUFV6Tndk +Z0pTenY1YUpEbldvcG1RdzdWUTZVYjRKMkNrZnpOTklRCo2ITrJB/w2tgDVxFe9e +jrmYkqnpujXppfQHXMhDGzdIPrAIEJrEMJp95sdz4EFqqk5mgu3K -----END AGE ENCRYPTED FILE----- diff --git a/services/grafana/secrets/grafana-db.age b/services/grafana/secrets/grafana-db.age index e4129a5..12da728 100644 --- a/services/grafana/secrets/grafana-db.age +++ b/services/grafana/secrets/grafana-db.age 
@@ -1,12 +1,10 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBINHll -clhGaUlhZ0VIZUV1b0lzYVpvbEVrUk1SRmdla2s5MVJRT0pYM2tVCldnMWprYVpo -cHNkTGlUWHU4SzdwZDVkSlYxeUJXNlJ6TGpVVVdvVzErdlEKLT4gc3NoLWVkMjU1 -MTkgd25FVXB3IDhEOUt2anYvMjg0ejlhZk9NQy9aMi9zV3hHVzhsOXRlbHU4d2hL -bi9lQk0KRUNpcnRVaXBWOGZEN0xSaURwanBEODhkWkVuYnBVbCs1V0c0YzBMOVlo -bwotPiBCR3wtZ3JlYXNlIEVZc2Zcfgo3SHl2UUV2TUFSUVZnbjJ0WDdWb0lRTUFz -bzhGNTd5dzdTN3VpUjBXdVZ5NGJwMkNLMTZncjFjTDNOQm5tVllZCmFZejlaS1FL -UFZwK3hMT05KQ20ybS8yT0lCU0FaM280R1prRnVBCi0tLSB1MWoxYzJ2bVNuTTZN -eDE1dzFoNjBmc0dacXZrMXJkMUpKU3JReE93VEVnCmIawaa6DCtgRRHcp0kS6MCl -1MOX+wYg6YIE7UJ5cx6w9cQVIO4sfkx8e8U= +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyArbVYy +QVAralludnhwNVJSMC9WeFAya3J5NUtuemx0TWNid084b3gwNHdRCjlqMVR5K0sx +TTdOT2NEYzMwRCtyWUY2eGVOUmpsKzU4SENiSmJxYzdqWWsKLT4gc3NoLWVkMjU1 +MTkgd25FVXB3IDlQTWpieUFDTDluV3VlaEV6ak9FRlJ4VVY1NlJWNkdIR1VKcmdl +RThjeHcKMjlSQ3lFMVI0NlRReDIvbjFRQ2FQclc0S0VnRTFCeUp0S25VVW44NDVQ +UQotPiAqTmpzJVctZ3JlYXNlCkYzVkUKLS0tIGpiaGhyMWl5VjMvZ2REVXJXb3FV +V25rTjRORDVXTDZZVG9MbnZFRUU4NlUKsUTcVfmpxX5claATFT9wTiFd2DFLJ9KV ++Un8kZobFeAjeLCZ3r/Cb8vUtw== -----END AGE ENCRYPTED FILE----- diff --git a/services/grafana/secrets/grafana-oauth_secret.age b/services/grafana/secrets/grafana-oauth_secret.age index a5df31e..1d606ce 100644 --- a/services/grafana/secrets/grafana-oauth_secret.age +++ b/services/grafana/secrets/grafana-oauth_secret.age 
@@ -1,13 +1,13 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyB3YTc2 -dFJoTkttVnYwNW0rY2pDWmVXV25aQTNvR2tKY3pZVmlvZlVrWkhNCkFXZkxrMXAz -dVhrVXhVMnJOZ2ZlTE1LS1ZyckJuMHB0a2NjNDVIZFJGNlUKLT4gc3NoLWVkMjU1 -MTkgd25FVXB3IEZVT1dYZHprQXJpR3JjVzRWcVQ1WHcyTkxkZHNqM2syWkNzOHpQ -OUx1VW8KVWlzSVhPZnhZcmJEMzFabytQY0MwbWNQenJRcUxvV2w5aW9LV3Fickh1 -MAotPiBHTCcvQy1ncmVhc2UgTV1zNgpZNWswWE5DdEZXVVBzeFR3R2taZFpHakxS -MEppblllczc3bWt0NmJzZDZrZTlYblJIWDQKLS0tIFJHWWVQL3VvTHF1OVBITXFH -WVlhcUlrRldLQWNUZVJIOGY5OUtIZzlmdFkKHUb1KkIRJuEKk430LNP8gNQpDtlo -ifMWwhBcrDDOUxQSpEow42sgbIbCpvHt+gMgMCz2sLbdBnEUfCAIuG2SRZF3sfvD -JxY8/0mtK0upF+7jb3oCeGN9ah+gGoHEwKjRnBP6zFHG+yRMNQEiqO5h07JGEtrV -junjkEC11HAgybtC+gzr7Visx91cyK52ZIsNdg0AI9wM6EGUIX3quC3zGpw= +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBtMm9n +VGJyeEdFckZjWHNybm94b2crSE0wclE1QlRXZkVGMVk4U1hMdFJBCnhQL3FSdW9l +cUdNNThIdDVwQkxZWEQ2ZXZuekpKcWxQNy9jZlVoTVArZEkKLT4gc3NoLWVkMjU1 +MTkgd25FVXB3IEtwTmV3ckQybkd3L3R0TFp0a2JMTzNiMmdyNkNyVkdHUkQyd0Fm +cGkxamMKeGNCSmF6TCtkVXZ5WG5Cd1F6WmkxWjlRZ0FCZ0p1NklPcmw1bFJ6dFNv +ZwotPiAoLWdyZWFzZSAzfUpGL0QgOEtFWXdwCnJCNTFoeTQzUVJlejRUakRqREVy +WS8zTmh3aUptcE56RDBqMld3NXNKZwotLS0gRnlBdEc1cVZOeDFQblAwOVN1MDUx +Yko2UEJ6UE14Z3haUW5XWjJzNFVodwrg7eJ6dnbIAjvsz/XoktAot7G1+u1UJsAE +QkLEtM7DpcFEvESO3JOhuIO/l6qoWjDuksh7yNhdLv2uOKa7ZpM5Q0DGFnRke3Qk +RU2E2UU4w30cmAXFm75NT2T9Po0R182Px25gV7fvfNHMHmONFJZRqNxS2IUDS20W +hDqk+ea9mnYNG1icpmYPj56OpKt+mqrf6kSFuU+R6zwIcoKpMR2wCA== -----END AGE ENCRYPTED FILE----- diff --git a/services/grafana/secrets/kuma-token.age b/services/grafana/secrets/kuma-token.age index 9b3ca80..e63927d 100644 --- a/services/grafana/secrets/kuma-token.age +++ b/services/grafana/secrets/kuma-token.age 
@@ -1,11 +1,13 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyB1OE5Y -T3FiL3VKNG1HRDZHcHpDMGtvaDR1V25tT1dOYXRRM0VEUjYyb3c4CkRkSE95dkpp -SnVROXcyZGNmTkZUNjFtQnF5dDRRc2syaWoydGk0V0FBRWcKLT4gc3NoLWVkMjU1 -MTkgd25FVXB3IG5yMjlBYThRMkdYZjVIWVhIbXk3UjNMTmtKTktkQTlVaEdqZDEw -d0NYUzgKbEo4bnVpOEFlT05PdWo2bGFlVTMzVmJOODFpTzErWDYvRm5tNk4wbm1G -WQotPiA5NHEtZ3JlYXNlIFlHI3NaIFNBfDIgKzBARwoxL1BNNzNQWkU1elZqVDhr -NEJURHI2TQotLS0gWFBJUXpmRU95S1p1eDR0cC9Pajc2aUZJL0JFbU5XWDZpU2Va -SGcvaHJDVQr9/6z8OCUSXg88ib9iqQAGp7ozAaslowdoONR/gSUelziKvaCEP/Cc -1GQOMJy8W2Q/oBwAavq+qi4QKTSYXQ5dDmkip8fBU+Df14euww== +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBTQUxm +NFREMUViaURWUURzNmxXMjRaZXlYVWczUUs5TXJ0WXIrdEhHTXljCnlBeEhhUmdq +eGlYbTV3eEg5blBaRnIwRWcycmJOd3NZZUpLMUU3RXo2SGsKLT4gc3NoLWVkMjU1 +MTkgd25FVXB3IGlZVURNTGdzMGozbnJBMFdoRTI0aDhoeXk0UkxMYVFYaERXWHo2 +RjRLVzQKbjhDQWQrSlF3enRDcE5lcXRDYitvcDdlT3pEbjNUMDRDbE9tUGdUZWY4 +SQotPiBRTCcuLWdyZWFzZQpHVGFOQ0NSZ2c5V1MvZ3UxZXZ6UFhaQ1pBT0NGa0RB +MmVnakZMcTBLWnhEK3NWaGJEeU1Xd01lT1pWQ3N5aHFqCmlHelRmdUkrT0c1ZTZP +VmJRQVlweURMd3htM2IvN3o4NDM0MjduQ0w1a1VaRjBjcgotLS0gTmRzWC9VZjhv +N0VjUnZjbUpCdWIvaVNSRFlObVc3T0NDMEpKWVFVS2RTOAoVROmS4bW4nX6JXqWC +DAcXSN8GvUVqrbnh7W6KHpPLvUc3AK1dZ6cKqb91WOQVBpEOfjWqd7tE8Rp+IAa7 +/22y3xxHOz46gLDI4Byyjw== -----END AGE ENCRYPTED FILE----- diff --git a/services/onlyoffice/secrets/office-dbpass.age b/services/onlyoffice/secrets/office-dbpass.age index 37dd633..488bba0 100644 --- a/services/onlyoffice/secrets/office-dbpass.age +++ b/services/onlyoffice/secrets/office-dbpass.age 
@@ -1,10 +1,11 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBxVVZD -ZUFVVTZESHNCb01Kc0pPb3dKOXZKR0RYS0ZQcXhvQ2RzbXNKRGpJCjFaV3AyQUY2 -OTB1L0JrZTlFMy9keElTS01IVS92YWRBSVRuKzFFL2pSVU0KLT4gc3NoLWVkMjU1 -MTkgSXpNcXdRIGI4U202VWRydGhVSzhJUFpLeDJZZkVoeFIzZFRQRjhYcWcybkhr -ZWM4MFkKSXpzT3E2OXRJVjc3V05XaUxCNW1aQm5kKzlrYzhWRUxoWndCaTRqa2Q4 -MAotPiBWLWdyZWFzZSAyOGsxIFI2R3EgIT0ueSBDd2o9NGp9CkZBCi0tLSBWRlc4 -RFFYOEkvUmY3TUFSa0lmZ3kvMG9IdGxUakhvMWhPWjhzOXhERmZrCkil25ySWO1w -BYB6Wt5MfsL7I5Izfdfpw0lqniC5r/4oh+lDQUcvsi1vQx+BRe8= +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBocWVS +dS9jdG85QSsza20rbWhBVkwvQXF1dWxYNDMrSURhMk5RSktFNGhFCjJGY1pPazdV +b3ZJMGVaNC9VcGxoZzlhZWFSYUkzM0hFdUNCaFRXSDNqV2sKLT4gc3NoLWVkMjU1 +MTkgSXpNcXdRIDhMeStYYW1RWEg4ZHFReFF6QjhONE1SUi9wbTVMVi9vQmRxS1dM +SWlmU2cKRkdlK1pIRDAzd3laVXg5Q0dIQllQbkF1cjhVeEpwa1c5d0xWVUFxMThW +awotPiA3US1ncmVhc2UKUmFCODRUSi9zdzdlcitUaXNwTHg1eHE5QjhmVEZaa09P +dUphRkRkajRXTmpWUUh3U1ZySk0xNUhLaVpCaWlVCi0tLSBWQkprbFBXOWNjU3pt +UVpza3ZjSDk4QllEQnpIU3BoNzU5L3RLS1hOZHRFCqYg1Z912qrGFWLIfhSyoKiW +r0cvLu4276n5bEw0rUzpyPrr1QaXHdOyjdNOrlc= -----END AGE ENCRYPTED FILE----- diff --git a/services/onlyoffice/secrets/office-jwtpass.age b/services/onlyoffice/secrets/office-jwtpass.age index 822f259..7157924 100644 --- a/services/onlyoffice/secrets/office-jwtpass.age +++ b/services/onlyoffice/secrets/office-jwtpass.age 
@@ -1,11 +1,10 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyAvVWNp -a1BjZG8vWC81SlhUT09SSERWUGtzNGtFYzYwbjJYTEZZL1VZKzFZCjA5djJNQ0tJ -SEIvSjVCaDVaK1FvUG8yNW4rd0N4cTdTLy9PT0p3WFd5bUUKLT4gc3NoLWVkMjU1 -MTkgSXpNcXdRIFp1TmhSSlRKdkFSeUN6YnJwV2pXWVFyZTBkWWZNOG8vbDFrenlu -QWF3VGcKUmNMbUVkbnpwQ3M5bnJTSjdGYWZiSldncWtwU3BZenZ2OWZ2YStrTHlh -SQotPiAwRS1ncmVhc2UgT2lrPQo3YVREamovMVhQSSttUXNiNkVZMW83alFDaDRv -N1JzOXg2b1dTNWxja2oyYlNaSS8KLS0tIFQzc1Bqdmt4Zkc4NVZBOHM5b1NNL0dC -L1lRTjA2enE3NlFDRkN3cmV0MjQKEI287XlTGhe+gTmysPhQXPNALUj3QzDnmznB -dnY2NmBArjrXnanMONycttWH2hwz1Q== +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBybjlG +ZXVqakxMNjB5L1dDZnZnMW92M3lpTnhwMU1qMXdVYmQ1RXZwTFJnCkV6L3lKSXA1 +Y0FqQ0htUzdRTXFqVitIVUp1K2VKc2RUNTlQNWJLVTBFNDAKLT4gc3NoLWVkMjU1 +MTkgSXpNcXdRIDVXRUlBcHRucDc3ZzM4SG9UUUY0dzNJV2ZlWkRncXVGWm5Gd2xp +U0E2d0kKOGNTUXhFL2xDZTNPK2MrVTA0Qjduci9rS201UDJYaDlaajV3Q091VEFq +RQotPiBxZy1ncmVhc2UgPmYydCBwfG8gPCBhWGFgYUYqLwpYZWMKLS0tIHlrbkd1 +b1dQdTJKVXhYMlhJdmhCU01iT0ZpRC9BZEVXSXhsWDBjc09yMkEKi3aQtU6pMcZ+ +F+DZFI/hTYJ3AXYhkyTlNK47SzF4Ut6RLqzvUAT0scIf1kGepzITUg== -----END AGE ENCRYPTED FILE----- diff --git a/services/postgresql/default.nix b/services/postgresql/default.nix index 4540e7d..5823ec3 100644 --- a/services/postgresql/default.nix +++ b/services/postgresql/default.nix 
@@ -10,79 +10,43 @@ in {
 enable = lib.mkEnableOption "Enable minimal config";
 };
 config = lib.mkIf cfg.enable {
- age.secrets = {
- nextcloudDBPass = {
- file = ./secrets/nextcloudDBPass.age;
- owner = "postgres";
- };
- giteaDBPass = {
- file = ./secrets/giteaDBPass.age;
- owner = "postgres";
- };
- authentikDBPass = {
- file = ./secrets/authentikDBPass.age;
- owner = "postgres";
- };
- grafanaDBPass = {
- file = ./secrets/grafanaDBPass.age;
- owner = "postgres";
- };
- };
 services.postgresql = {
 enable = true;
 package = pkgs.postgresql_16;
 enableTCPIP = true;
 settings.port = 5432;
+ ensureDatabases = [
+ "gitea"
+ "nextcloud"
+ "netbox"
+ "authentik"
+ "grafana"
+ ];
+ ensureUsers = [
+ {
+ name = "gitea";
+ ensureDBOwnership = true;
+ }
+ {
+ name = "nextcloud";
+ ensureDBOwnership = true;
+ }
+ ];
 authentication = "
 host nextcloud nextcloud 192.168.1.44/32 md5
 host gitea gitea 192.168.1.14/32 md5
+ host netbox netbox 192.168.1.45/32 md5
 host authentik authentik 192.168.1.125/32 md5
 host grafana grafana 192.168.1.27/32 md5
 ";
+ # Not great, not in prod, cleartext pass
+ # waiting for ensureUsers.*.passwordFile option
+ # https://github.com/NixOS/nixpkgs/pull/326306
 initialScript = pkgs.writeText "init-sql-script" ''
- CREATE ROLE nextcloud WITH LOGIN CREATEDB;
- CREATE DATABASE nextcloud;
- GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud;
-
- CREATE ROLE gitea WITH LOGIN CREATEDB;
- CREATE DATABASE gitea;
- GRANT ALL PRIVILEGES ON DATABASE gitea TO gitea;
-
- CREATE ROLE authentik WITH LOGIN CREATEDB;
- CREATE DATABASE authentik;
- GRANT ALL PRIVILEGES ON DATABASE authentik TO authentik;
-
- CREATE ROLE grafana WITH LOGIN CREATEDB;
- CREATE DATABASE grafana;
- GRANT ALL PRIVILEGES ON DATABASE grafana TO grafana;
+ alter user gitea with password 'password';
+ alter user nextcloud with password 'password';
 '';
 };
- # Stolen from https://discourse.nixos.org/t/assign-password-to-postgres-user-declaratively/9726/3
- # This is an awful situation
- systemd.services.postgresql.postStart = let
- nextcloudDBPass = config.age.secrets.nextcloudDBPass.path;
- giteaDBPass = config.age.secrets.giteaDBPass.path;
- authentikDBPass = config.age.secrets.authentikDBPass.path;
- grafanaDBPass = config.age.secrets.grafanaDBPass.path;
- in ''
- $PSQL -tA <<'EOF'
- DO $$
- DECLARE password TEXT;
- BEGIN
- password := trim(both from replace(pg_read_file('${nextcloudDBPass}'), E'\n', '''));
- EXECUTE format('ALTER ROLE nextcloud WITH PASSWORD '''%s''';', password);
-
- password := trim(both from replace(pg_read_file('${giteaDBPass}'), E'\n', '''));
- EXECUTE format('ALTER ROLE gitea WITH PASSWORD '''%s''';', password);
-
- password := trim(both from replace(pg_read_file('${authentikDBPass}'), E'\n', '''));
- EXECUTE format('ALTER ROLE authentik WITH PASSWORD '''%s''';', password);
-
- password := trim(both from replace(pg_read_file('${grafanaDBPass}'), E'\n', '''));
- EXECUTE format('ALTER ROLE grafana WITH PASSWORD '''%s''';', password);
- END $$;
- EOF
- '';
 networking.firewall.allowedTCPPorts = [5432];
 };
 }
diff --git a/services/postgresql/secrets/authentikDBPass.age b/services/postgresql/secrets/authentikDBPass.age
deleted file mode 100644
index d1988ed..0000000
--- a/services/postgresql/secrets/authentikDBPass.age
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBDODRK
-d2pTZktDczVpSjBYdWNSVFdUL1k2TVlmMzlJRnAxQ0dhcXV3elhjCkd2V3BXVWMw
-YUdtYTFzUGZyaU05R0dPWGNHYVR2TWYvbUtSdSt4TUlVQ00KLT4gc3NoLWVkMjU1
-MTkgc2luZ3ZRIDZ5L3I2ZmErNjNuYnh5QTRwNkNVVGhLSE9JMjZROFU0ZnMrelQw
-WUJmQ1UKL2Y1T3pER2ZIdUloTTl1dU13RWRKL2tQangycTBzWHJ5dVByYVNuNVdY
-WQotPiBrRTwnPigtZ3JlYXNlCit3QldhZUhmZ2kzS3VHK1pweGRxQ1V1eFA2eEtu
-bmJWRzZqdjY0SUNlZFNaVG92dXRnCi0tLSBIb0JVbk42aVowT1p4cEtVbUJneFRP
-dmNlZTdBcm9OZUVuOUxIbUc2VUZNCsahsNPPKDASJc0LKL+vxvXC81q3fBoSz9c3
-Vxw9grzRH+aWXhKY+cxrOl6WOXTjCQ==
------END AGE ENCRYPTED FILE-----
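Review bot: `alter user gitea with password 'password';` in initialScript does not look like it can ever take effect: the nixpkgs postgresql module runs initialScript only on the cluster's first start and, as far as I recall its postStart ordering, before `ensureUsers` creates the roles, so on a fresh cluster the ALTER fails on a missing role (psql -f carries on past the error) while on the existing cluster, where the roles already exist, the script never runs again — either way the passwords the removed postStart block used to set are dropped without replacement. The authentik, grafana and netbox roles that the pg_hba lines still admit are also no longer created anywhere, since ensureUsers lists only gitea and nextcloud and the old CREATE ROLE statements are gone. Until the passwordFile PR the comment links lands, the removed pg_read_file approach at least kept the secrets in agenix rather than in a world-readable Nix store path (pkgs.writeText), so consider keeping a postStart that sets passwords from `config.age.secrets.<name>.path` instead of a literal. Separately, every `host … md5` line uses the legacy method; on PostgreSQL 16, `settings.password_encryption = "scram-sha-256";` together with `scram-sha-256` in the hba lines is the safer default. The module's option header is outside the hunk.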
diff --git a/services/postgresql/secrets/giteaDBPass.age b/services/postgresql/secrets/giteaDBPass.age deleted file mode 100644 index 15a2368..0000000 --- a/services/postgresql/secrets/giteaDBPass.age +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyAxUGZT -Y1JMSE5MNTlmR3N2ZXJQV2xoK3BTNWZJa21uVjhac0VQOTd2YVZnClJqbnNEWFln -NTZncyttV0RBU2NBbkRrME1mNjluaFkrQ3pMTWhBR2VPTEUKLT4gc3NoLWVkMjU1 -MTkgc2luZ3ZRIEZBVytVcWZ2QVRmQm1BblZ1UEgxWVRwTFgxU1BJRFRiUUdGa2Ny -bnJJMmcKRms5bUtDdHUvS1BzTFViOTJ5RnhuQ212aWFWSHFXdm9uYVZjcU9sWHlz -awotPiBRLWdyZWFzZSBkP1RWKHxtCi9LQWdLV0hwRTFhQzhSb2Y5Z2QzY2xWd1ZS -dFhoZGFRbnNIS2loeUZDVUZpd3VsTllLc0xva1ExYVpXRHY4ZwotLS0gbVd5NWZq -NDkvY3JUbkMyS1o0U0hiMkMxUjdFTTBqWGZDT3ZpUnNYQThUOAqBMtKcCEvvDrTm -Rz3S4csriN1X6gGEOURKVmKDXO5P8O7yMGzRjl8MkpSOIw== ------END AGE ENCRYPTED FILE----- diff --git a/services/postgresql/secrets/grafanaDBPass.age b/services/postgresql/secrets/grafanaDBPass.age deleted file mode 100644 index 828e9d2..0000000 --- a/services/postgresql/secrets/grafanaDBPass.age +++ /dev/null @@ -1,12 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBQT3I4 -MFB6SzNuTlFXbkdOcTlERnZTbmYvTEJUamlKS2tmWmpnZ1loTmhBCkpBaHVtbWQ5 -QUFQTE5YR0VUSW15MHhlQkRxVVRyb0NQck5BbXM5NmtCdlEKLT4gc3NoLWVkMjU1 -MTkgc2luZ3ZRIHF5VXZqOXhlR0lMRDRrTk90bUw3dDIwN2NieGpjOHUvUUliTDBh -WG1VbDQKWjZ5NGZrQW1OS2tDL3JId0Q2WU1rdndmQ2svUE5nYlh6QVBUY29iSzFt -VQotPiAjLWdyZWFzZQpuSWxGdGhlU3NYUWh2RTU1R1dYYzg0OG1ndjRLUnA5UjlQ -ckxncDNUR2puQkhNOFJFNVgybkVPczRyUmJwanZFCmV6endjbmlKRXpIaVZ3Nith -Z0dDZ00rUGxzbGxpVnZoV3pIYUk1Q3J0R0RDWW1ITFpNWXMybi9YT1dBeAotLS0g -OFl1aktFMDh0b3lQdmoyOXcvZ1doTVh4U3JZd0hpcDAyc1J3QlZLZklLawoL8YjP -b+cpjtpje2h4fuxNLvEviqW92K6t8l4wf0sVlDtiH2Qf6FnwSYYkElb5 ------END AGE ENCRYPTED FILE----- diff --git a/services/postgresql/secrets/nextcloudDBPass.age b/services/postgresql/secrets/nextcloudDBPass.age deleted file mode 100644 index a9834b6..0000000 
--- a/services/postgresql/secrets/nextcloudDBPass.age +++ /dev/null @@ -1,12 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBxaU02 -T0swYkQ2S2cxblRuM2ZHZ0F4WmMzNDd5ZHJLcVF5SjJiYWhJS1NNCm9pcTRCWHJL -RWVUTEJTalEwOHh0aDlJZHF5S0NWN01zY3hMVG91SHk4NWcKLT4gc3NoLWVkMjU1 -MTkgc2luZ3ZRIHdoL0F2MHY4VWxTWDR1c1c4bTh2eHVQU0FoWDFwdHhsZE16Wms4 -UXFFaXMKSFZhTi9TRUh3akNvNStlQ0w2T1FnRTdOWFhZaXh6RGYrQ0NlUkdyejAv -UQotPiAlJilLPy1ncmVhc2UgUWB3RApyZVFkR1Y0SXdFSUxzUzAvZVZuWEthODY3 -Y3dVbVFWMGR3ZURqZXdsSzE4KzVNdzFlS2dRcW5maG5MQ3Y4SEdZCnlLMUlKWG1Q -eFpLTUtRCi0tLSBsU1pRemZQZmhDK21SbVRvQW9NSFlCdG9YR0ttRlM2NXUzTjM0 -ajRBc05zCo0JQrIpSdXQTgcTULp18sAFF1aGwlgthv6lSetqlQLeusaEuVnR/rf2 -G3ecxNZ2TA== ------END AGE ENCRYPTED FILE-----