Compare commits


No commits in common. "51affbb4a3761b0b601b50b9ad42ae0f59d01cb1" and "8a593936de6b8a3e299d77f6cf167a60e0102961" have entirely different histories.

14 changed files with 373 additions and 192 deletions

252
flake.lock generated

@ -46,6 +46,48 @@
"type": "github" "type": "github"
} }
}, },
"authentik-nix": {
"inputs": {
"authentik-src": "authentik-src",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils_2",
"napalm": "napalm",
"nixpkgs": "nixpkgs_2",
"poetry2nix": "poetry2nix",
"systems": "systems_3"
},
"locked": {
"lastModified": 1737810234,
"narHash": "sha256-zTS99/ZE8khNnIWFEsF21E6seR9IizGYkY19t6iK7z4=",
"owner": "nix-community",
"repo": "authentik-nix",
"rev": "1fa3cbed36fb03d2f6ceab981d083af98b5c7d0f",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "authentik-nix",
"type": "github"
}
},
"authentik-src": {
"flake": false,
"locked": {
"lastModified": 1736440980,
"narHash": "sha256-Z3rFFrXrOKaF9NpY/fInsEbzdOWnWqLfEYl7YX9hFEU=",
"owner": "goauthentik",
"repo": "authentik",
"rev": "9d81f0598c7735e2b4616ee865ab896056a67408",
"type": "github"
},
"original": {
"owner": "goauthentik",
"ref": "version/2024.12.2",
"repo": "authentik",
"type": "github"
}
},
"crane": { "crane": {
"locked": { "locked": {
"lastModified": 1725409566, "lastModified": 1725409566,
@ -84,6 +126,40 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1733328505,
"narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1736143030,
"narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": { "flake-utils": {
"inputs": { "inputs": {
"systems": "systems_2" "systems": "systems_2"
@ -104,7 +180,28 @@
}, },
"flake-utils_2": { "flake-utils_2": {
"inputs": { "inputs": {
"systems": "systems_3" "systems": [
"authentik-nix",
"systems"
]
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_3": {
"inputs": {
"systems": "systems_4"
}, },
"locked": { "locked": {
"lastModified": 1731533236, "lastModified": 1731533236,
@ -165,7 +262,7 @@
}, },
"microvm": { "microvm": {
"inputs": { "inputs": {
"flake-utils": "flake-utils_2", "flake-utils": "flake-utils_3",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
@ -185,6 +282,54 @@
"type": "github" "type": "github"
} }
}, },
"napalm": {
"inputs": {
"flake-utils": [
"authentik-nix",
"flake-utils"
],
"nixpkgs": [
"authentik-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1725806412,
"narHash": "sha256-lGZjkjds0p924QEhm/r0BhAxbHBJE1xMOldB/HmQH04=",
"owner": "willibutz",
"repo": "napalm",
"rev": "b492440d9e64ae20736d3bec5c7715ffcbde83f5",
"type": "github"
},
"original": {
"owner": "willibutz",
"ref": "avoid-foldl-stack-overflow",
"repo": "napalm",
"type": "github"
}
},
"nix-github-actions": {
"inputs": {
"nixpkgs": [
"authentik-nix",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1729742964,
"narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-github-actions",
"type": "github"
}
},
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1725634671, "lastModified": 1725634671,
@ -201,10 +346,38 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-lib": {
"locked": {
"lastModified": 1735774519,
"narHash": "sha256-CewEm1o2eVAnoqb6Ml+Qi9Gg/EfNAxbRx1lANGVyoLI=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz"
}
},
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1736200483, "lastModified": 1737632463,
"narHash": "sha256-JO+lFN2HsCwSLMUWXHeOad6QUxOuwe9UOAF/iSl1J4I=", "narHash": "sha256-38J9QfeGSej341ouwzqf77WIHAScihAKCt8PQJ+NH28=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "0aa475546ed21629c4f5bbf90e38c846a99ec9e9",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1737885640,
"narHash": "sha256-GFzPxJzTd1rPIVD4IW+GwJlyGwBDV1Tj5FLYwDQQ9sM=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "4e96537f163fad24ed9eb317798a79afc85b51b7", "rev": "4e96537f163fad24ed9eb317798a79afc85b51b7",
@ -217,12 +390,44 @@
"type": "github" "type": "github"
} }
}, },
"poetry2nix": {
"inputs": {
"flake-utils": [
"authentik-nix",
"flake-utils"
],
"nix-github-actions": "nix-github-actions",
"nixpkgs": [
"authentik-nix",
"nixpkgs"
],
"systems": [
"authentik-nix",
"systems"
],
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1736884309,
"narHash": "sha256-eiCqmKl0BIRiYk5/ZhZozwn4/7Km9CWTbc15Cv+VX5k=",
"owner": "nix-community",
"repo": "poetry2nix",
"rev": "75d0515332b7ca269f6d7abfd2c44c47a7cbca7b",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "poetry2nix",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix", "agenix": "agenix",
"authentik-nix": "authentik-nix",
"home-manager": "home-manager_2", "home-manager": "home-manager_2",
"microvm": "microvm", "microvm": "microvm",
"nixpkgs": "nixpkgs_2" "nixpkgs": "nixpkgs_3"
} }
}, },
"rust-overlay": { "rust-overlay": {
@ -293,6 +498,21 @@
} }
}, },
"systems_3": { "systems_3": {
"locked": {
"lastModified": 1689347949,
"narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
"owner": "nix-systems",
"repo": "default-linux",
"rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default-linux",
"type": "github"
}
},
"systems_4": {
"locked": { "locked": {
"lastModified": 1681028828, "lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
@ -306,6 +526,28 @@
"repo": "default", "repo": "default",
"type": "github" "type": "github"
} }
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"authentik-nix",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1730120726,
"narHash": "sha256-LqHYIxMrl/1p3/kvm2ir925tZ8DkI0KA10djk8wecSk=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "9ef337e492a5555d8e17a51c911ff1f02635be15",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",


@ -7,10 +7,9 @@
url = "github:nix-community/home-manager/release-24.11"; url = "github:nix-community/home-manager/release-24.11";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
microvm = { microvm.url = "github:astro/microvm.nix";
url = "github:astro/microvm.nix"; microvm.inputs.nixpkgs.follows = "nixpkgs";
inputs.nixpkgs.follows = "nixpkgs"; authentik-nix.url = "github:nix-community/authentik-nix";
};
agenix.url = "github:yaxitech/ragenix"; agenix.url = "github:yaxitech/ragenix";
}; };
@ -74,21 +73,6 @@
} }
]; ];
}; };
pgsql = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
agenix.nixosModules.default
"${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix"
"${inputs.self}/systems/minimalLXCConfig.nix"
"${inputs.self}/services"
{
networking.hostName = "pgsql";
services.vm_postgresql = {
enable = true;
};
}
];
};
onlyoffice = nixpkgs.lib.nixosSystem { onlyoffice = nixpkgs.lib.nixosSystem {
inherit system; inherit system;
modules = [ modules = [
@ -186,6 +170,48 @@
} }
]; ];
}; };
authentik = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
agenix.nixosModules.default
inputs.authentik-nix.nixosModules.default
{
services.authentik = {
enable = true;
environmentFile = "/run/secrets/authentik/authentik-env";
settings = {
disable_startup_analytics = true;
avatars = "initials";
};
};
services.vm_authentik = {
enable = true;
};
}
microvm.nixosModules.microvm
"${inputs.self}/systems/minimalMicrovmConfig.nix"
"${inputs.self}/services"
{
microvm = {
volumes = [
{
mountPoint = "/media";
image = "/var/lib/microvms/authentik/media.img";
size = 2048;
}
];
};
services.micro_vm = {
enable = true;
hostname = "authentik";
vm_ip = "192.168.1.25";
vm_cpu = 2;
vm_mem = 2048;
macAddr = "02:00:00:00:00:25";
};
}
];
};
}; };
}; };
} }
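Review bot: Nothing in this compare provisions `/run/secrets/authentik/authentik-env`, which the new `authentik` system hands to `services.authentik.environmentFile`; the secrets.nix change only deletes entries and no authentik `.age` file is added, so unless the `services.vm_authentik` module (outside this diff) writes that file, authentik comes up without its secret key, and a comment on that line naming the provisioning module, e.g. `# written by services.vm_authentik from an agenix secret — TODO confirm`, would spare the next reader the search. The new VM gets `vm_ip = "192.168.1.25"`, while the postgresql module in this same compare still admits `authentik` only from `192.168.1.125/32`; one of the two looks stale, unless authentik is meant to use the local database the authentik-nix module sets up. Unlike `microvm` and `home-manager`, `authentik-nix` is added without `inputs.nixpkgs.follows = "nixpkgs"`, which is why flake.lock now carries a second nixpkgs (`nixpkgs_2` for authentik-nix, `nixpkgs_3` for root); if that is deliberate because authentik-nix pins a tested nixpkgs, a one-line comment saying so would help. Style: the `microvm` input was flattened to the dotted `microvm.url` / `microvm.inputs.nixpkgs.follows` form while `home-manager` two lines above keeps the attribute-set form; pick one.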


@ -5,7 +5,6 @@ let
forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2NAam+nseSCzJV/1UTyO2LgMjx0xT7/vTOOi5EG9HV root@forgejo-runner"; forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2NAam+nseSCzJV/1UTyO2LgMjx0xT7/vTOOi5EG9HV root@forgejo-runner";
grafana = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQxvO9vdd2f9aV4F3LEQrrTJaLwLvSLbLtjB9qNxc4z root@grafana"; grafana = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQxvO9vdd2f9aV4F3LEQrrTJaLwLvSLbLtjB9qNxc4z root@grafana";
onlyoffice = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGbnzv2/Or4XdQXLDjIbr7oIDTQEvgSMTX4aiNCQk4tC root@onlyoffice"; onlyoffice = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGbnzv2/Or4XdQXLDjIbr7oIDTQEvgSMTX4aiNCQk4tC root@onlyoffice";
postgresql = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJW7qA7j1sICuu1RAfs9ifR9dmOlHq45tKu1ga7CKaob root@pgsql";
systems = [forgejo grafana]; systems = [forgejo grafana];
in { in {
@ -15,8 +14,4 @@ in {
"services/grafana/secrets/kuma-token.age".publicKeys = [tbarnouin grafana]; "services/grafana/secrets/kuma-token.age".publicKeys = [tbarnouin grafana];
"services/onlyoffice/secrets/office-dbpass.age".publicKeys = [tbarnouin onlyoffice]; "services/onlyoffice/secrets/office-dbpass.age".publicKeys = [tbarnouin onlyoffice];
"services/onlyoffice/secrets/office-jwtpass.age".publicKeys = [tbarnouin onlyoffice]; "services/onlyoffice/secrets/office-jwtpass.age".publicKeys = [tbarnouin onlyoffice];
"services/postgresql/secrets/nextcloudDBPass.age".publicKeys = [ tbarnouin postgresql ];
"services/postgresql/secrets/giteaDBPass.age".publicKeys = [ tbarnouin postgresql ];
"services/postgresql/secrets/authentikDBPass.age".publicKeys = [ tbarnouin postgresql ];
"services/postgresql/secrets/grafanaDBPass.age".publicKeys = [ tbarnouin postgresql ];
} }


@ -1,13 +1,13 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBIZzc3 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyB5SjZL
NEpKbjZKaHNJTkUwbUVVWkRNYzRVZ1g3aHFWbmw0RjByQy9DNUY0ClBraUZmM29P dXhYcTh4RjBrUmhSSzBaWXRNZUQ3V1NVRTBZUzNLeUZCYkJmWGpNClZwMU9ldXRK
dW9RZXNhUVZQajQ0VVZzN3E2ZjlQa2hIN2QrOG4vamVhUTAKLT4gc3NoLWVkMjU1 OGhZNXlFcEE1YzNGSVIwdzBXbFN4SlNWUWMwOGlEMnRQUG8KLT4gc3NoLWVkMjU1
MTkgTVRPMXBnIFBFbFVLNFBSdmQxeWhkWFcyRkdidUJDMHVhcWtuM0RNYU9MN25G MTkgTVRPMXBnIHJSKzh1ZzZGeUJldW15Z2o3ejBqUC9EYUlNcHd5ZEEyRTNTQ2xS
bWtqaGMKM1dDYTJjY3lwQlRGSU1nSERxWkYzck1JU21kaDBvelgyMUhXd2NabzFJ STEwaGMKSHNVL1l3cnVQOHIwQTZZN0VqWHgvaXh0UmFxdEE3eWZqaXZFZjQwS05h
QQotPiBzc2gtZWQyNTUxOSB3bkVVcHcgN3NVYnF3blJYdk9NMlpFeHBkSWpmL3hX dwotPiBzc2gtZWQyNTUxOSB3bkVVcHcgVG9KYmRZenoyczJVQjhYbGkrQXdOclRJ
SVlZakZ0VG5SZjJzODNKZ2UzRQpXeWhBWm1GU2czTzhZN3hvQXErQ2xzWlBrdGM3 anhyVS9va3ZxcGVlR3BKV2xoVQplQk15MFhUdzF1REV3Qkt0dElaTTA4aTVBcGNH
bjFmQXRTQzJTNzlXeUFRCi0+ICZEazJMXy1ncmVhc2Ugb0Qga15CMW83OGAKSEk5 ckxTWHh2dFVvUlo2V2JjCi0+ID9BQCstZ3JlYXNlCnVVWno2OEl1NVVNRy9VSHky
ek9EV09TMm4vUGJEWDgwRnY4b0I3Z3ZxQk5GS0x5eEgyNFUvS2h3Ci0tLSA0RHBw TjhGVDFHVjV2ME1GV0o0bHY0NlFoRGFyK2xvSlJudHNBCi0tLSBRd2hIUFV6Tndk
WXNxTGtDUHlVQ2ZHWk5WeGtuTTVseDFHeWxBcFZzNFRwUWptZHRvClgW5JGwRhTf Z0pTenY1YUpEbldvcG1RdzdWUTZVYjRKMkNrZnpOTklRCo2ITrJB/w2tgDVxFe9e
X5W+zQOJKbaiChYCtdqrPnEd4tRJMnMtm19UIUnR7asWmDdl8LU7DvodK4UA jrmYkqnpujXppfQHXMhDGzdIPrAIEJrEMJp95sdz4EFqqk5mgu3K
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----


@ -1,12 +1,10 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBINHll YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyArbVYy
clhGaUlhZ0VIZUV1b0lzYVpvbEVrUk1SRmdla2s5MVJRT0pYM2tVCldnMWprYVpo QVAralludnhwNVJSMC9WeFAya3J5NUtuemx0TWNid084b3gwNHdRCjlqMVR5K0sx
cHNkTGlUWHU4SzdwZDVkSlYxeUJXNlJ6TGpVVVdvVzErdlEKLT4gc3NoLWVkMjU1 TTdOT2NEYzMwRCtyWUY2eGVOUmpsKzU4SENiSmJxYzdqWWsKLT4gc3NoLWVkMjU1
MTkgd25FVXB3IDhEOUt2anYvMjg0ejlhZk9NQy9aMi9zV3hHVzhsOXRlbHU4d2hL MTkgd25FVXB3IDlQTWpieUFDTDluV3VlaEV6ak9FRlJ4VVY1NlJWNkdIR1VKcmdl
bi9lQk0KRUNpcnRVaXBWOGZEN0xSaURwanBEODhkWkVuYnBVbCs1V0c0YzBMOVlo RThjeHcKMjlSQ3lFMVI0NlRReDIvbjFRQ2FQclc0S0VnRTFCeUp0S25VVW44NDVQ
bwotPiBCR3wtZ3JlYXNlIEVZc2Zcfgo3SHl2UUV2TUFSUVZnbjJ0WDdWb0lRTUFz UQotPiAqTmpzJVctZ3JlYXNlCkYzVkUKLS0tIGpiaGhyMWl5VjMvZ2REVXJXb3FV
bzhGNTd5dzdTN3VpUjBXdVZ5NGJwMkNLMTZncjFjTDNOQm5tVllZCmFZejlaS1FL V25rTjRORDVXTDZZVG9MbnZFRUU4NlUKsUTcVfmpxX5claATFT9wTiFd2DFLJ9KV
UFZwK3hMT05KQ20ybS8yT0lCU0FaM280R1prRnVBCi0tLSB1MWoxYzJ2bVNuTTZN +Un8kZobFeAjeLCZ3r/Cb8vUtw==
eDE1dzFoNjBmc0dacXZrMXJkMUpKU3JReE93VEVnCmIawaa6DCtgRRHcp0kS6MCl
1MOX+wYg6YIE7UJ5cx6w9cQVIO4sfkx8e8U=
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----


@ -1,13 +1,13 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyB3YTc2 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBtMm9n
dFJoTkttVnYwNW0rY2pDWmVXV25aQTNvR2tKY3pZVmlvZlVrWkhNCkFXZkxrMXAz VGJyeEdFckZjWHNybm94b2crSE0wclE1QlRXZkVGMVk4U1hMdFJBCnhQL3FSdW9l
dVhrVXhVMnJOZ2ZlTE1LS1ZyckJuMHB0a2NjNDVIZFJGNlUKLT4gc3NoLWVkMjU1 cUdNNThIdDVwQkxZWEQ2ZXZuekpKcWxQNy9jZlVoTVArZEkKLT4gc3NoLWVkMjU1
MTkgd25FVXB3IEZVT1dYZHprQXJpR3JjVzRWcVQ1WHcyTkxkZHNqM2syWkNzOHpQ MTkgd25FVXB3IEtwTmV3ckQybkd3L3R0TFp0a2JMTzNiMmdyNkNyVkdHUkQyd0Fm
OUx1VW8KVWlzSVhPZnhZcmJEMzFabytQY0MwbWNQenJRcUxvV2w5aW9LV3Fickh1 cGkxamMKeGNCSmF6TCtkVXZ5WG5Cd1F6WmkxWjlRZ0FCZ0p1NklPcmw1bFJ6dFNv
MAotPiBHTCcvQy1ncmVhc2UgTV1zNgpZNWswWE5DdEZXVVBzeFR3R2taZFpHakxS ZwotPiAoLWdyZWFzZSAzfUpGL0QgOEtFWXdwCnJCNTFoeTQzUVJlejRUakRqREVy
MEppblllczc3bWt0NmJzZDZrZTlYblJIWDQKLS0tIFJHWWVQL3VvTHF1OVBITXFH WS8zTmh3aUptcE56RDBqMld3NXNKZwotLS0gRnlBdEc1cVZOeDFQblAwOVN1MDUx
WVlhcUlrRldLQWNUZVJIOGY5OUtIZzlmdFkKHUb1KkIRJuEKk430LNP8gNQpDtlo Yko2UEJ6UE14Z3haUW5XWjJzNFVodwrg7eJ6dnbIAjvsz/XoktAot7G1+u1UJsAE
ifMWwhBcrDDOUxQSpEow42sgbIbCpvHt+gMgMCz2sLbdBnEUfCAIuG2SRZF3sfvD QkLEtM7DpcFEvESO3JOhuIO/l6qoWjDuksh7yNhdLv2uOKa7ZpM5Q0DGFnRke3Qk
JxY8/0mtK0upF+7jb3oCeGN9ah+gGoHEwKjRnBP6zFHG+yRMNQEiqO5h07JGEtrV RU2E2UU4w30cmAXFm75NT2T9Po0R182Px25gV7fvfNHMHmONFJZRqNxS2IUDS20W
junjkEC11HAgybtC+gzr7Visx91cyK52ZIsNdg0AI9wM6EGUIX3quC3zGpw= hDqk+ea9mnYNG1icpmYPj56OpKt+mqrf6kSFuU+R6zwIcoKpMR2wCA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----


@ -1,11 +1,13 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyB1OE5Y YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBTQUxm
T3FiL3VKNG1HRDZHcHpDMGtvaDR1V25tT1dOYXRRM0VEUjYyb3c4CkRkSE95dkpp NFREMUViaURWUURzNmxXMjRaZXlYVWczUUs5TXJ0WXIrdEhHTXljCnlBeEhhUmdq
SnVROXcyZGNmTkZUNjFtQnF5dDRRc2syaWoydGk0V0FBRWcKLT4gc3NoLWVkMjU1 eGlYbTV3eEg5blBaRnIwRWcycmJOd3NZZUpLMUU3RXo2SGsKLT4gc3NoLWVkMjU1
MTkgd25FVXB3IG5yMjlBYThRMkdYZjVIWVhIbXk3UjNMTmtKTktkQTlVaEdqZDEw MTkgd25FVXB3IGlZVURNTGdzMGozbnJBMFdoRTI0aDhoeXk0UkxMYVFYaERXWHo2
d0NYUzgKbEo4bnVpOEFlT05PdWo2bGFlVTMzVmJOODFpTzErWDYvRm5tNk4wbm1G RjRLVzQKbjhDQWQrSlF3enRDcE5lcXRDYitvcDdlT3pEbjNUMDRDbE9tUGdUZWY4
WQotPiA5NHEtZ3JlYXNlIFlHI3NaIFNBfDIgKzBARwoxL1BNNzNQWkU1elZqVDhr SQotPiBRTCcuLWdyZWFzZQpHVGFOQ0NSZ2c5V1MvZ3UxZXZ6UFhaQ1pBT0NGa0RB
NEJURHI2TQotLS0gWFBJUXpmRU95S1p1eDR0cC9Pajc2aUZJL0JFbU5XWDZpU2Va MmVnakZMcTBLWnhEK3NWaGJEeU1Xd01lT1pWQ3N5aHFqCmlHelRmdUkrT0c1ZTZP
SGcvaHJDVQr9/6z8OCUSXg88ib9iqQAGp7ozAaslowdoONR/gSUelziKvaCEP/Cc VmJRQVlweURMd3htM2IvN3o4NDM0MjduQ0w1a1VaRjBjcgotLS0gTmRzWC9VZjhv
1GQOMJy8W2Q/oBwAavq+qi4QKTSYXQ5dDmkip8fBU+Df14euww== N0VjUnZjbUpCdWIvaVNSRFlObVc3T0NDMEpKWVFVS2RTOAoVROmS4bW4nX6JXqWC
DAcXSN8GvUVqrbnh7W6KHpPLvUc3AK1dZ6cKqb91WOQVBpEOfjWqd7tE8Rp+IAa7
/22y3xxHOz46gLDI4Byyjw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----


@ -1,10 +1,11 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBxVVZD YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBocWVS
ZUFVVTZESHNCb01Kc0pPb3dKOXZKR0RYS0ZQcXhvQ2RzbXNKRGpJCjFaV3AyQUY2 dS9jdG85QSsza20rbWhBVkwvQXF1dWxYNDMrSURhMk5RSktFNGhFCjJGY1pPazdV
OTB1L0JrZTlFMy9keElTS01IVS92YWRBSVRuKzFFL2pSVU0KLT4gc3NoLWVkMjU1 b3ZJMGVaNC9VcGxoZzlhZWFSYUkzM0hFdUNCaFRXSDNqV2sKLT4gc3NoLWVkMjU1
MTkgSXpNcXdRIGI4U202VWRydGhVSzhJUFpLeDJZZkVoeFIzZFRQRjhYcWcybkhr MTkgSXpNcXdRIDhMeStYYW1RWEg4ZHFReFF6QjhONE1SUi9wbTVMVi9vQmRxS1dM
ZWM4MFkKSXpzT3E2OXRJVjc3V05XaUxCNW1aQm5kKzlrYzhWRUxoWndCaTRqa2Q4 SWlmU2cKRkdlK1pIRDAzd3laVXg5Q0dIQllQbkF1cjhVeEpwa1c5d0xWVUFxMThW
MAotPiBWLWdyZWFzZSAyOGsxIFI2R3EgIT0ueSBDd2o9NGp9CkZBCi0tLSBWRlc4 awotPiA3US1ncmVhc2UKUmFCODRUSi9zdzdlcitUaXNwTHg1eHE5QjhmVEZaa09P
RFFYOEkvUmY3TUFSa0lmZ3kvMG9IdGxUakhvMWhPWjhzOXhERmZrCkil25ySWO1w dUphRkRkajRXTmpWUUh3U1ZySk0xNUhLaVpCaWlVCi0tLSBWQkprbFBXOWNjU3pt
BYB6Wt5MfsL7I5Izfdfpw0lqniC5r/4oh+lDQUcvsi1vQx+BRe8= UVpza3ZjSDk4QllEQnpIU3BoNzU5L3RLS1hOZHRFCqYg1Z912qrGFWLIfhSyoKiW
r0cvLu4276n5bEw0rUzpyPrr1QaXHdOyjdNOrlc=
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----


@ -1,11 +1,10 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyAvVWNp YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBybjlG
a1BjZG8vWC81SlhUT09SSERWUGtzNGtFYzYwbjJYTEZZL1VZKzFZCjA5djJNQ0tJ ZXVqakxMNjB5L1dDZnZnMW92M3lpTnhwMU1qMXdVYmQ1RXZwTFJnCkV6L3lKSXA1
SEIvSjVCaDVaK1FvUG8yNW4rd0N4cTdTLy9PT0p3WFd5bUUKLT4gc3NoLWVkMjU1 Y0FqQ0htUzdRTXFqVitIVUp1K2VKc2RUNTlQNWJLVTBFNDAKLT4gc3NoLWVkMjU1
MTkgSXpNcXdRIFp1TmhSSlRKdkFSeUN6YnJwV2pXWVFyZTBkWWZNOG8vbDFrenlu MTkgSXpNcXdRIDVXRUlBcHRucDc3ZzM4SG9UUUY0dzNJV2ZlWkRncXVGWm5Gd2xp
QWF3VGcKUmNMbUVkbnpwQ3M5bnJTSjdGYWZiSldncWtwU3BZenZ2OWZ2YStrTHlh U0E2d0kKOGNTUXhFL2xDZTNPK2MrVTA0Qjduci9rS201UDJYaDlaajV3Q091VEFq
SQotPiAwRS1ncmVhc2UgT2lrPQo3YVREamovMVhQSSttUXNiNkVZMW83alFDaDRv RQotPiBxZy1ncmVhc2UgPmYydCBwfG8gPCBhWGFgYUYqLwpYZWMKLS0tIHlrbkd1
N1JzOXg2b1dTNWxja2oyYlNaSS8KLS0tIFQzc1Bqdmt4Zkc4NVZBOHM5b1NNL0dC b1dQdTJKVXhYMlhJdmhCU01iT0ZpRC9BZEVXSXhsWDBjc09yMkEKi3aQtU6pMcZ+
L1lRTjA2enE3NlFDRkN3cmV0MjQKEI287XlTGhe+gTmysPhQXPNALUj3QzDnmznB F+DZFI/hTYJ3AXYhkyTlNK47SzF4Ut6RLqzvUAT0scIf1kGepzITUg==
dnY2NmBArjrXnanMONycttWH2hwz1Q==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----


@ -10,79 +10,43 @@ in {
enable = lib.mkEnableOption "Enable minimal config"; enable = lib.mkEnableOption "Enable minimal config";
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
age.secrets = {
nextcloudDBPass = {
file = ./secrets/nextcloudDBPass.age;
owner = "postgres";
};
giteaDBPass = {
file = ./secrets/giteaDBPass.age;
owner = "postgres";
};
authentikDBPass = {
file = ./secrets/authentikDBPass.age;
owner = "postgres";
};
grafanaDBPass = {
file = ./secrets/grafanaDBPass.age;
owner = "postgres";
};
};
services.postgresql = { services.postgresql = {
enable = true; enable = true;
package = pkgs.postgresql_16; package = pkgs.postgresql_16;
enableTCPIP = true; enableTCPIP = true;
settings.port = 5432; settings.port = 5432;
ensureDatabases = [
"gitea"
"nextcloud"
"netbox"
"authentik"
"grafana"
];
ensureUsers = [
{
name = "gitea";
ensureDBOwnership = true;
}
{
name = "nextcloud";
ensureDBOwnership = true;
}
];
authentication = " authentication = "
host nextcloud nextcloud 192.168.1.44/32 md5 host nextcloud nextcloud 192.168.1.44/32 md5
host gitea gitea 192.168.1.14/32 md5 host gitea gitea 192.168.1.14/32 md5
host netbox netbox 192.168.1.45/32 md5
host authentik authentik 192.168.1.125/32 md5 host authentik authentik 192.168.1.125/32 md5
host grafana grafana 192.168.1.27/32 md5 host grafana grafana 192.168.1.27/32 md5
"; ";
# Not great, not in prod, cleartext pass
# waiting for ensureUsers.*.passwordFile option
# https://github.com/NixOS/nixpkgs/pull/326306
initialScript = pkgs.writeText "init-sql-script" '' initialScript = pkgs.writeText "init-sql-script" ''
CREATE ROLE nextcloud WITH LOGIN CREATEDB; alter user gitea with password 'password';
CREATE DATABASE nextcloud; alter user nextcloud with password 'password';
GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud;
CREATE ROLE gitea WITH LOGIN CREATEDB;
CREATE DATABASE gitea;
GRANT ALL PRIVILEGES ON DATABASE gitea TO gitea;
CREATE ROLE authentik WITH LOGIN CREATEDB;
CREATE DATABASE authentik;
GRANT ALL PRIVILEGES ON DATABASE authentik TO authentik;
CREATE ROLE grafana WITH LOGIN CREATEDB;
CREATE DATABASE grafana;
GRANT ALL PRIVILEGES ON DATABASE grafana TO grafana;
''; '';
}; };
# Stolen from https://discourse.nixos.org/t/assign-password-to-postgres-user-declaratively/9726/3
# This is an awful situation
systemd.services.postgresql.postStart = let
nextcloudDBPass = config.age.secrets.nextcloudDBPass.path;
giteaDBPass = config.age.secrets.giteaDBPass.path;
authentikDBPass = config.age.secrets.authentikDBPass.path;
grafanaDBPass = config.age.secrets.grafanaDBPass.path;
in ''
$PSQL -tA <<'EOF'
DO $$
DECLARE password TEXT;
BEGIN
password := trim(both from replace(pg_read_file('${nextcloudDBPass}'), E'\n', '''));
EXECUTE format('ALTER ROLE nextcloud WITH PASSWORD '''%s''';', password);
password := trim(both from replace(pg_read_file('${giteaDBPass}'), E'\n', '''));
EXECUTE format('ALTER ROLE gitea WITH PASSWORD '''%s''';', password);
password := trim(both from replace(pg_read_file('${authentikDBPass}'), E'\n', '''));
EXECUTE format('ALTER ROLE authentik WITH PASSWORD '''%s''';', password);
password := trim(both from replace(pg_read_file('${grafanaDBPass}'), E'\n', '''));
EXECUTE format('ALTER ROLE grafana WITH PASSWORD '''%s''';', password);
END $$;
EOF
'';
networking.firewall.allowedTCPPorts = [5432]; networking.firewall.allowedTCPPorts = [5432];
}; };
} }
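Review bot: On a fresh cluster the new `initialScript` runs `alter user gitea with password 'password'` before that role exists, because the `CREATE ROLE` statements were dropped and the roles are now created by `ensureUsers`, which as far as I know the NixOS module runs after `initialScript` in postStart; the ALTER then errors on first boot and the password is never set, so either create the roles in the script (`CREATE ROLE gitea WITH LOGIN PASSWORD 'password';`) or set the password from `systemd.services.postgresql.postStart` after `ensureUsers` has run. `ensureDatabases` now lists `netbox`, `authentik` and `grafana` but `ensureUsers` only `gitea` and `nextcloud`, and the old `CREATE ROLE authentik`/`grafana` lines are gone, so the `host netbox`/`host authentik`/`host grafana` pg_hba rows reference roles nothing creates; if those services moved to their own databases the rows and database entries should go too. The literal `'password'` ends up in a world-readable Nix store path and is accepted over TCP on 5432 (`enableTCPIP`, `allowedTCPPorts`), so the per-host `/32` pg_hba rows are the only effective control while the passwordFile option is awaited; stating that in the existing `# Not great` comment would make the trade-off explicit. The `netbox` row at `192.168.1.45/32` is added although nothing else in this compare mentions netbox, so it may be ahead of the service it is for.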


@ -1,11 +0,0 @@
-----BEGIN AGE ENCRYPTED FILE-----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-----END AGE ENCRYPTED FILE-----


@ -1,11 +0,0 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyAxUGZT
Y1JMSE5MNTlmR3N2ZXJQV2xoK3BTNWZJa21uVjhac0VQOTd2YVZnClJqbnNEWFln
NTZncyttV0RBU2NBbkRrME1mNjluaFkrQ3pMTWhBR2VPTEUKLT4gc3NoLWVkMjU1
MTkgc2luZ3ZRIEZBVytVcWZ2QVRmQm1BblZ1UEgxWVRwTFgxU1BJRFRiUUdGa2Ny
bnJJMmcKRms5bUtDdHUvS1BzTFViOTJ5RnhuQ212aWFWSHFXdm9uYVZjcU9sWHlz
awotPiBRLWdyZWFzZSBkP1RWKHxtCi9LQWdLV0hwRTFhQzhSb2Y5Z2QzY2xWd1ZS
dFhoZGFRbnNIS2loeUZDVUZpd3VsTllLc0xva1ExYVpXRHY4ZwotLS0gbVd5NWZq
NDkvY3JUbkMyS1o0U0hiMkMxUjdFTTBqWGZDT3ZpUnNYQThUOAqBMtKcCEvvDrTm
Rz3S4csriN1X6gGEOURKVmKDXO5P8O7yMGzRjl8MkpSOIw==
-----END AGE ENCRYPTED FILE-----


@ -1,12 +0,0 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBQT3I4
MFB6SzNuTlFXbkdOcTlERnZTbmYvTEJUamlKS2tmWmpnZ1loTmhBCkpBaHVtbWQ5
QUFQTE5YR0VUSW15MHhlQkRxVVRyb0NQck5BbXM5NmtCdlEKLT4gc3NoLWVkMjU1
MTkgc2luZ3ZRIHF5VXZqOXhlR0lMRDRrTk90bUw3dDIwN2NieGpjOHUvUUliTDBh
WG1VbDQKWjZ5NGZrQW1OS2tDL3JId0Q2WU1rdndmQ2svUE5nYlh6QVBUY29iSzFt
VQotPiAjLWdyZWFzZQpuSWxGdGhlU3NYUWh2RTU1R1dYYzg0OG1ndjRLUnA5UjlQ
ckxncDNUR2puQkhNOFJFNVgybkVPczRyUmJwanZFCmV6endjbmlKRXpIaVZ3Nith
Z0dDZ00rUGxzbGxpVnZoV3pIYUk1Q3J0R0RDWW1ITFpNWXMybi9YT1dBeAotLS0g
OFl1aktFMDh0b3lQdmoyOXcvZ1doTVh4U3JZd0hpcDAyc1J3QlZLZklLawoL8YjP
b+cpjtpje2h4fuxNLvEviqW92K6t8l4wf0sVlDtiH2Qf6FnwSYYkElb5
-----END AGE ENCRYPTED FILE-----


@ -1,12 +0,0 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBxaU02
T0swYkQ2S2cxblRuM2ZHZ0F4WmMzNDd5ZHJLcVF5SjJiYWhJS1NNCm9pcTRCWHJL
RWVUTEJTalEwOHh0aDlJZHF5S0NWN01zY3hMVG91SHk4NWcKLT4gc3NoLWVkMjU1
MTkgc2luZ3ZRIHdoL0F2MHY4VWxTWDR1c1c4bTh2eHVQU0FoWDFwdHhsZE16Wms4
UXFFaXMKSFZhTi9TRUh3akNvNStlQ0w2T1FnRTdOWFhZaXh6RGYrQ0NlUkdyejAv
UQotPiAlJilLPy1ncmVhc2UgUWB3RApyZVFkR1Y0SXdFSUxzUzAvZVZuWEthODY3
Y3dVbVFWMGR3ZURqZXdsSzE4KzVNdzFlS2dRcW5maG5MQ3Y4SEdZCnlLMUlKWG1Q
eFpLTUtRCi0tLSBsU1pRemZQZmhDK21SbVRvQW9NSFlCdG9YR0ttRlM2NXUzTjM0
ajRBc05zCo0JQrIpSdXQTgcTULp18sAFF1aGwlgthv6lSetqlQLeusaEuVnR/rf2
G3ecxNZ2TA==
-----END AGE ENCRYPTED FILE-----