diff --git a/README.md b/README.md index 7ea1229..f0137d0 100644 --- a/README.md +++ b/README.md @@ -6,3 +6,5 @@ Clone this repo and modify configuration.nix as needed, then deploy with: ``` ./install.sh ``` + +Make sure to create secrets files in the secrets folder, as described by the README file in that folder. diff --git a/configuration.nix b/configuration.nix index f094a54..3a0ccf1 100644 --- a/configuration.nix +++ b/configuration.nix @@ -1,7 +1,8 @@ -{ lib, ... }: +{ config, lib, ... }: { imports = [ ./disk-config.nix + ./secrets.nix ]; networking = { @@ -24,6 +25,10 @@ authorizedKeys = [ "" ]; + domain = "example.com"; + additionalDomains = [ "domain2.com" ]; + timeZone = "America/Los_Angeles"; + countryCode = "US"; }; network = { @@ -62,25 +67,17 @@ zones = [ ## Repace with your own domain { - zone = "homefree.host"; + zone = "example.com"; + protocol = "hetzner"; + username = "username"; + passwordFile = config.sops.secrets."ddclient/ddclient-password".path; + } + ## Repace with your own domain + { + zone = "domain2.com"; protocol = "hetzner"; username = "erahhal"; - passwordFile = "/run/secrets/ddclient/ddclient-password"; - } - ]; - }; - - wireguard = { - peers = [ - { - name = "my-phone"; - publicKey = "="; - allowedIPs = [ "192.168.2.2/32"]; - } - { - name = "bros-phone"; - publicKey = ""; - allowedIPs = [ "192.168.2.3/32"]; + passwordFile = config.sops.secrets."ddclient/ddclient-password".path; } ]; }; 
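Review bot: The second ddclient zone still carries a real account name, `username = "erahhal";`, while the first zone was changed to the `"username"` placeholder and both zone names to example domains, so the template now ships one genuine credential identifier. Change it to `username = "username";` so nothing account-specific is committed. Both zones also point at the same `ddclient/ddclient-password` secret, which only works if `example.com` and `domain2.com` live under the same Hetzner account; if they do not, a second sops key is needed. The comment above each zone is misspelled (`## Repace` for `## Replace`).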
@@ -90,15 +87,73 @@ enable = true; }; + authentik = { + enable = true; + secrets = { + environment = config.sops.secrets."authentik/authentik-env".path; + ldap-environment = config.sops.secrets."authentik/authentik-ldap-env".path; + }; + }; + + baikal = { + enable = true; + }; + + cryptpad = { + enable = true; + adminKeys = [ + "" + ]; + }; + homeassistant = { enable = true; }; + frigate = { + enable = true; + cameras = [ + { + enable = true; + name = "gate"; + path = "rtsp://10.0.0.15/11"; + width = 1920; + height = 1080; + } + ]; + }; gitea = { enable = true; public = true; }; + headscale = { + enable = true; + secrets = { + tailscale-key = config.sops.secrets."tailscale/key".path; + }; + }; + + headscale-ui = { + enable = true; + }; + + jellyfin = { + enable = true; + }; + + linkwarden = { + enable = true; + }; + + nextcloud = { + enable = true; + secrets = { + admin-password = config.sops.secrets."nextcloud/admin-password".path; + secret-file = config.sops.secrets."nextcloud/secret-file".path; + }; + }; + radicale = { enable = true; }; 
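Review bot: `adminKeys = [ "" ];` in the cryptpad block puts an empty string into the admin key list; whether the homefree module rejects it or writes an empty key into cryptpad's admin configuration is not visible here, but an empty entry is never a usable key. Prefer `adminKeys = [ ];` with a comment such as `# add the admin's cryptpad public key before enabling admin access` so the placeholder cannot be deployed by accident. The frigate camera `path = "rtsp://10.0.0.15/11";` carries no credentials, which is fine, but if the camera requires them they should not be inlined in this file, since configuration.nix values end up in the world-readable Nix store; use a sops secret as the other services in this hunk do.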
@@ -112,23 +167,41 @@ }; }; - proxied-hosts = [ + service-config = [ { label = "att"; - subdomains = [ "att" ]; - https-domains = [ "homefree.host" "rahh.al" ]; - host = "att.localdomain"; - port = 80; + reverse-proxy = { + enable = true; + subdomains = [ "att" ]; + https-domains = [ "homefree.host" "rahh.al" ]; + host = "att.localdomain"; + port = 80; + }; } { label = "yamaha-recevier-web-gui"; - subdomains = [ "yamaha" ]; - https-domains = [ "homefree-host" ]; - port = 443; - ssl = true; - ssl-no-verify = true; - host = "yamaha.localdomain"; + reverse-proxy = { + subdomains = [ "yamaha" ]; + https-domains = [ "homefree-host" ]; + port = 443; + ssl = true; + ssl-no-verify = true; + host = "yamaha.localdomain"; + }; } ]; + + backups = { + enable = true; + to-path = "/var/lib/backups"; + extra-from-paths = [ + "/mnt/nfs-volume/persona-files1" + "/mnt/nfs-volume/persona-files2" + "/home/username" + ]; + secrets = { + restic-password = config.sops.secrets."backup/restic-password".path; + }; + }; }; } diff --git a/secrets-unencrypted/authentik.yaml b/secrets-unencrypted/authentik.yaml new file mode 100644 index 0000000..59e8fe4 --- /dev/null +++ b/secrets-unencrypted/authentik.yaml @@ -0,0 +1,15 @@ + authentik: + postgres-password: + authentik-env: |- + AUTHENTIK_REDIS__HOST=localhost + AUTHENTIK_POSTGRESQL__HOST=localhost + AUTHENTIK_POSTGRESQL__USER=authentik + AUTHENTIK_POSTGRESQL__NAME=authentik + AUTHENTIK_POSTGRESQL__PASSWORD= + AUTHENTIK_SECRET_KEY= + AUTHENTIK_TOKEN= + authentik-ldap-env: |- + AUTHENTIK_HOST=http://localhost:9000 + AUTHENTIK_TOKEN= + AUTHENTIK_INSECURE=true + diff --git a/secrets-unencrypted/backup.yaml b/secrets-unencrypted/backup.yaml new file mode 100644 index 0000000..b22d337 --- /dev/null +++ b/secrets-unencrypted/backup.yaml @@ -0,0 +1,2 @@ +backup: + restic-password: diff --git a/secrets-unencrypted/ddclient.yaml b/secrets-unencrypted/ddclient.yaml new file mode 100644 index 0000000..50889d9 --- /dev/null 
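Review bot: The `yamaha-recevier-web-gui` entry's `reverse-proxy` block has no `enable = true;` while the `att` entry does; if the option has no default this will not evaluate, and if it defaults to false the yamaha proxy silently disappears, so add `enable = true;` for symmetry. `https-domains = [ "homefree-host" ];` looks like a typo for `"homefree.host"` used in the att entry, and both entries still use `homefree.host`/`rahh.al` rather than the `example.com` placeholder introduced earlier in this commit. `ssl-no-verify = true;` disables certificate verification towards the receiver; a one-line comment stating why (presumably a self-signed certificate on the device, which I cannot confirm from here) would keep a later reader from assuming it is safe to copy to other hosts.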
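Review bot: The `authentik-ldap-env` template sets `AUTHENTIK_INSECURE=true` together with `AUTHENTIK_HOST=http://localhost:9000`, so the LDAP outpost reaches the core over plain HTTP with no validation; that is tolerable only because the host is loopback, and the template should say so, e.g. a leading `# loopback only: do not point AUTHENTIK_HOST at a remote core with INSECURE=true` line, assuming the env-file reader accepts `#` comments. The same Postgres password also has to be entered twice, once as `postgres-password` and once as `AUTHENTIK_POSTGRESQL__PASSWORD` in `authentik-env`, so a comment noting that the two must match would prevent a hard-to-diagnose mismatch.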
+++ b/secrets-unencrypted/ddclient.yaml @@ -0,0 +1,2 @@ +ddclient: + ddclient-password: diff --git a/secrets-unencrypted/linkwarden.yaml b/secrets-unencrypted/linkwarden.yaml new file mode 100644 index 0000000..55d6bbd --- /dev/null +++ b/secrets-unencrypted/linkwarden.yaml @@ -0,0 +1,4 @@ +linkwarden: + env: |- + NEXTAUTH_SECRET= + POSTGRESQL_PASSWORD= diff --git a/secrets-unencrypted/nextcloud.yaml b/secrets-unencrypted/nextcloud.yaml new file mode 100644 index 0000000..65bae3d --- /dev/null +++ b/secrets-unencrypted/nextcloud.yaml @@ -0,0 +1,8 @@ +nextcloud: + admin-password: + secret-file: |- + { + "redis": { + "password": "secret" + } + } diff --git a/secrets-unencrypted/tailscale.yaml b/secrets-unencrypted/tailscale.yaml new file mode 100644 index 0000000..39a545d --- /dev/null +++ b/secrets-unencrypted/tailscale.yaml @@ -0,0 +1,2 @@ +tailscale: + key: diff --git a/secrets.nix b/secrets.nix new file mode 100644 index 0000000..dd056a3 --- /dev/null +++ b/secrets.nix 
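Review bot: `nextcloud.yaml` seeds the redis password with a real-looking value, `"password": "secret"`, while every other template in this commit leaves secret values empty; someone following the README and copying the file unchanged will deploy Nextcloud with `secret` as its redis password. Use `"password": ""` so a missing value is obvious rather than a weak default. A short note in `secrets/README.md` that every empty value must be filled before deploying would cover the remaining templates.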
@@ -0,0 +1,76 @@
+{ config, ... }:
+{
+ ## @TODO: What to do about owner field an restartUnits?
+ ## This file should probably be generated by the homefree repo
+ ## In fact everything in this repo should be generated by
+ ## the config editor in homefree repo.
+ sops.secrets = {
+ "authentik/authentik-env" = {
+ format = "yaml";
+ sopsFile = ./secrets/authentik.yaml;
+ owner = config.homefree.system.adminUsername;
+ path = "/run/secrets/authentik/authentik-env";
+ restartUnits = [ "authentik.service" ];
+ };
+ "authentik/authentik-ldap-env" = {
+ format = "yaml";
+ sopsFile = ./secrets/authentik.yaml;
+
+ owner = config.homefree.system.adminUsername;
+ path = "/run/secrets/authentik/authentik-ldap-env";
+ restartUnits = [ "authentik-ldap.service" ];
+ };
+ "authentik/postgres-password" = {
+ format = "yaml";
+ sopsFile = ./secrets/authentik.yaml;
+ };
+ "backup/restic-password" = {
+ format = "yaml";
+ sopsFile = ./secrets/backup.yaml;
+
+ owner = config.homefree.system.adminUsername;
+ path = "/run/secrets/backup/restic-password";
+ restartUnits = [ "restic.service" ];
+ };
+ "ddclient/ddclient-password" = {
+ format = "yaml";
+ sopsFile = ./secrets/ddclient.yaml;
+
+ owner = config.homefree.system.adminUsername;
+ path = "/run/secrets/ddclient/ddclient-password";
+ restartUnits = [ "ddclient.service" ];
+ };
+ "linkwarden/env" = {
+ format = "yaml";
+ sopsFile = ./secrets/linkwarden.yaml;
+
+ owner = config.homefree.system.adminUsername;
+ path = "/run/secrets/linkwarden/env";
+ restartUnits = [ "linkwarden.service" ];
+ };
+ "nextcloud/admin-password" = {
+ format = "yaml";
+ sopsFile = ./secrets/nextcloud.yaml;
+
+ owner = "nextcloud";
+ path = "/run/secrets/nextcloud/admin-password";
+ restartUnits = [ "nextcloud.service" ];
+ };
+ "nextcloud/secret-file" = {
+ format = "yaml";
+ sopsFile = ./secrets/nextcloud.yaml;
+
+ owner = "nextcloud";
+ path = "/run/secrets/nextcloud/secret-file";
+ restartUnits = [ "nextcloud.service" ];
+ };
+ "tailscale/key" = {
+ format = "yaml";
+ sopsFile = ./secrets/tailscale.yaml;
+
+ owner = config.homefree.system.adminUsername;
+ path = "/run/secrets/tailscale/key";
+ restartUnits = [ "tailscale.service" ];
+ };
+ };
+}
diff --git a/secrets/README.md b/secrets/README.md
new file mode 100644
index 0000000..27812c0
--- /dev/null
+++ b/secrets/README.md
@@ -0,0 +1,16 @@
+Secrets config
+--------------
+
+Create secrets file in this folder. Use the following commands:
+
+```
+sops authentik.yaml
+sops backup.yaml
+sops ddclient.yaml
+sops linkwarden.yaml
+sops nextcloud.yaml
+sops tailscale.yaml
+```
+
+And copy the contents from the appropriate file in the `secrets-unencrypted` folder, changing
+the values as required.
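Review bot: Five of the secrets consumed by system services (`authentik/*-env`, `backup/restic-password`, `ddclient/ddclient-password`, `linkwarden/env`, `tailscale/key`) are given `owner = config.homefree.system.adminUsername;`, which makes an interactive admin account the reader of service credentials, while the two nextcloud entries correctly use the service user `owner = "nextcloud";`. Which user each of those units runs as is defined in the homefree modules rather than here, but the `@TODO` at the top already flags this: the fix is to set `owner` to the service's own user per entry, or, where a service cannot own the file, to grant access with `group`/`mode = "0440"` instead of handing the file to the admin. `"authentik/postgres-password"` has no `owner`, `path` or `restartUnits`, so it falls back to sops-nix defaults (root-owned, no restart on change); if authentik's database setup reads it, add the same fields as its siblings. `restartUnits = [ "tailscale.service" ];` on `tailscale/key` should be checked against the unit that actually reads it, since configuration.nix wires the key into `headscale.secrets.tailscale-key`.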