diff --git a/README.md b/README.md
index 7ea1229..f0137d0 100644
--- a/README.md
+++ b/README.md
@@ -6,3 +6,5 @@ Clone this repo and modify configuration.nix as needed, then deploy with:
 ```
 ./install.sh
 ```
+
+Make sure to create secrets files in the secrets folder, as described by the README file in that folder.
diff --git a/configuration.nix b/configuration.nix
index f094a54..3a0ccf1 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -1,7 +1,8 @@
-{ lib, ... }:
+{ config, lib, ... }:
 {
   imports = [
     ./disk-config.nix
+    ./secrets.nix
   ];
 
   networking = {
@@ -24,6 +25,10 @@
       authorizedKeys = [
         "<replace me>"
       ];
+      domain = "example.com";
+      additionalDomains = [ "domain2.com" ];
+      timeZone = "America/Los_Angeles";
+      countryCode = "US";
     };
 
     network = {
@@ -62,25 +67,17 @@
       zones = [
         ## Repace with your own domain
         {
-          zone = "homefree.host";
+          zone = "example.com";
+          protocol = "hetzner";
+          username = "username";
+          passwordFile = config.sops.secrets."ddclient/ddclient-password".path;
+        }
+        ## Repace with your own domain
+        {
+          zone = "domain2.com";
           protocol = "hetzner";
           username = "erahhal";
-          passwordFile = "/run/secrets/ddclient/ddclient-password";
-        }
-      ];
-    };
-
-    wireguard = {
-      peers = [
-        {
-          name = "my-phone";
-          publicKey = "<replace me>=";
-          allowedIPs = [ "192.168.2.2/32"];
-        }
-        {
-          name = "bros-phone";
-          publicKey = "<replace me>";
-          allowedIPs = [ "192.168.2.3/32"];
+          passwordFile = config.sops.secrets."ddclient/ddclient-password".path;
         }
       ];
     };
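Review bot: The second zone entry still carries `username = "erahhal"` as an unchanged line, while the first zone was switched to the placeholder `username = "username"`; in a template meant to be cloned this should be a placeholder as well, e.g. `username = "<replace me>";`. Both zones read the same secret, `ddclient/ddclient-password`, which only works when one provider account covers both domains, so a short comment saying that would help. The comment `## Repace with your own domain` is now duplicated together with its typo; `## Replace with your own domain` is the intended text.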
@@ -90,15 +87,73 @@
         enable = true;
       };
 
+      authentik = {
+        enable = true;
+        secrets = {
+          environment = config.sops.secrets."authentik/authentik-env".path;
+          ldap-environment = config.sops.secrets."authentik/authentik-ldap-env".path;
+        };
+      };
+
+      baikal = {
+        enable = true;
+      };
+
+      cryptpad = {
+        enable = true;
+        adminKeys = [
+          "<public signing key of user that can access the admin panel>"
+        ];
+      };
+
       homeassistant = {
         enable = true;
       };
+      frigate = {
+        enable = true;
+        cameras = [
+          {
+            enable = true;
+            name = "gate";
+            path = "rtsp://10.0.0.15/11";
+            width = 1920;
+            height = 1080;
+          }
+        ];
+      };
 
       gitea = {
         enable = true;
         public = true;
       };
 
+      headscale = {
+        enable = true;
+        secrets = {
+          tailscale-key = config.sops.secrets."tailscale/key".path;
+        };
+      };
+
+      headscale-ui = {
+        enable = true;
+      };
+
+      jellyfin = {
+        enable = true;
+      };
+
+      linkwarden = {
+        enable = true;
+      };
+
+      nextcloud = {
+        enable = true;
+        secrets = {
+          admin-password = config.sops.secrets."nextcloud/admin-password".path;
+          secret-file = config.sops.secrets."nextcloud/secret-file".path;
+        };
+      };
+
       radicale = {
         enable = true;
       };
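Review bot: `linkwarden` is enabled here without a `secrets` attribute, although this commit declares a `linkwarden/env` secret in secrets.nix and ships a template for it; authentik, headscale and nextcloud all pass their secret paths explicitly. If the homefree linkwarden module does not pick the file up on its own, the service would start without `NEXTAUTH_SECRET` and the database password. Either wire it like the others, e.g. `secrets = { env = config.sops.secrets."linkwarden/env".path; };` (attribute name to be checked against the module), or add a comment stating that the module reads it implicitly. The same question applies to `authentik/postgres-password`, which is declared in secrets.nix but not referenced in this file.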
@@ -112,23 +167,41 @@
       };
     };
 
-    proxied-hosts = [
+    service-config = [
       {
         label = "att";
-        subdomains = [ "att" ];
-        https-domains = [ "homefree.host" "rahh.al" ];
-        host = "att.localdomain";
-        port = 80;
+        reverse-proxy = {
+          enable = true;
+          subdomains = [ "att" ];
+          https-domains = [ "homefree.host" "rahh.al" ];
+          host = "att.localdomain";
+          port = 80;
+        };
       }
       {
         label = "yamaha-recevier-web-gui";
-        subdomains = [ "yamaha" ];
-        https-domains = [ "homefree-host" ];
-        port = 443;
-        ssl = true;
-        ssl-no-verify = true;
-        host = "yamaha.localdomain";
+        reverse-proxy = {
+          subdomains = [ "yamaha" ];
+          https-domains = [ "homefree-host" ];
+          port = 443;
+          ssl = true;
+          ssl-no-verify = true;
+          host = "yamaha.localdomain";
+        };
       }
     ];
+
+    backups = {
+      enable = true;
+      to-path = "/var/lib/backups";
+      extra-from-paths = [
+        "/mnt/nfs-volume/persona-files1"
+        "/mnt/nfs-volume/persona-files2"
+        "/home/username"
+      ];
+      secrets = {
+        restic-password = config.sops.secrets."backup/restic-password".path;
+      };
+    };
   };
 }
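Review bot: The `yamaha-recevier-web-gui` entry has no `enable = true;` inside its new `reverse-proxy` block while the `att` entry does, so if the option defaults to false this proxy silently disappears after the restructuring. Its `https-domains = [ "homefree-host" ]` also looks like a typo for a dotted domain, and both entries still name `homefree.host` and `rahh.al` although the rest of the file moved to `example.com`. `ssl-no-verify = true` turns off certificate checking toward the upstream device; a comment such as `# upstream certificate is not verified; only use for devices on a trusted LAN` would make that trade-off explicit in the example.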
diff --git a/secrets-unencrypted/authentik.yaml b/secrets-unencrypted/authentik.yaml
new file mode 100644
index 0000000..59e8fe4
--- /dev/null
+++ b/secrets-unencrypted/authentik.yaml
@@ -0,0 +1,15 @@
+ authentik:
+     postgres-password: <postgres password>
+     authentik-env: |-
+         AUTHENTIK_REDIS__HOST=localhost
+         AUTHENTIK_POSTGRESQL__HOST=localhost
+         AUTHENTIK_POSTGRESQL__USER=authentik
+         AUTHENTIK_POSTGRESQL__NAME=authentik
+         AUTHENTIK_POSTGRESQL__PASSWORD=<postgres password>
+         AUTHENTIK_SECRET_KEY=<authentik secret key>
+         AUTHENTIK_TOKEN=<authentik token>
+     authentik-ldap-env: |-
+         AUTHENTIK_HOST=http://localhost:9000
+         AUTHENTIK_TOKEN=<authenik ldap token>
+         AUTHENTIK_INSECURE=true
+
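Review bot: These template files live in a tracked directory next to the real `secrets/` folder and nothing in them says they must stay placeholders, so a user can easily fill in real values here and commit them in plaintext. I would add a first line to this file and to backup.yaml, ddclient.yaml, linkwarden.yaml, nextcloud.yaml and tailscale.yaml, e.g. `# TEMPLATE ONLY: do not store real values here; copy into secrets/authentik.yaml with sops`. The postgres password appears twice (`postgres-password` and `AUTHENTIK_POSTGRESQL__PASSWORD`) and the two presumably have to match, which deserves a comment as well. `<authenik ldap token>` is misspelled, and `AUTHENTIK_INSECURE=true` is only harmless as long as `AUTHENTIK_HOST` stays on localhost.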
diff --git a/secrets-unencrypted/backup.yaml b/secrets-unencrypted/backup.yaml
new file mode 100644
index 0000000..b22d337
--- /dev/null
+++ b/secrets-unencrypted/backup.yaml
@@ -0,0 +1,2 @@
+backup:
+    restic-password: <change me>
diff --git a/secrets-unencrypted/ddclient.yaml b/secrets-unencrypted/ddclient.yaml
new file mode 100644
index 0000000..50889d9
--- /dev/null
+++ b/secrets-unencrypted/ddclient.yaml
@@ -0,0 +1,2 @@
+ddclient:
+    ddclient-password: <change me>
diff --git a/secrets-unencrypted/linkwarden.yaml b/secrets-unencrypted/linkwarden.yaml
new file mode 100644
index 0000000..55d6bbd
--- /dev/null
+++ b/secrets-unencrypted/linkwarden.yaml
@@ -0,0 +1,4 @@
+linkwarden:
+    env: |-
+        NEXTAUTH_SECRET=<changeme>
+        POSTGRESQL_PASSWORD=<postgres password>
diff --git a/secrets-unencrypted/nextcloud.yaml b/secrets-unencrypted/nextcloud.yaml
new file mode 100644
index 0000000..65bae3d
--- /dev/null
+++ b/secrets-unencrypted/nextcloud.yaml
@@ -0,0 +1,8 @@
+nextcloud:
+    admin-password: <change me>
+    secret-file: |-
+        {
+          "redis": {
+            "password": "secret"
+          }
+        }
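Review bot: The redis password is the literal `"secret"` rather than a placeholder, so it is the one value in these templates that works unchanged and is likely to be copied as-is. Use the same marker as the other fields, `"password": "<change me>"`, so that an unedited copy is obvious.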
diff --git a/secrets-unencrypted/tailscale.yaml b/secrets-unencrypted/tailscale.yaml
new file mode 100644
index 0000000..39a545d
--- /dev/null
+++ b/secrets-unencrypted/tailscale.yaml
@@ -0,0 +1,2 @@
+tailscale:
+    key: <change me>
diff --git a/secrets.nix b/secrets.nix
new file mode 100644
index 0000000..dd056a3
--- /dev/null
+++ b/secrets.nix
@@ -0,0 +1,76 @@
+{ config, ... }:
+{
+  ## @TODO: What to do about owner field an restartUnits?
+  ## This file should probably be generated by the homefree repo
+  ## In fact everything in this repo should be generated by
+  ## the config editor in homefree repo.
+  sops.secrets = {
+    "authentik/authentik-env" = {
+      format = "yaml";
+      sopsFile = ./secrets/authentik.yaml;
+      owner = config.homefree.system.adminUsername;
+      path = "/run/secrets/authentik/authentik-env";
+      restartUnits = [ "authentik.service" ];
+    };
+    "authentik/authentik-ldap-env" = {
+      format = "yaml";
+      sopsFile = ./secrets/authentik.yaml;
+
+      owner = config.homefree.system.adminUsername;
+      path = "/run/secrets/authentik/authentik-ldap-env";
+      restartUnits = [ "authentik-ldap.service" ];
+    };
+    "authentik/postgres-password" = {
+      format = "yaml";
+      sopsFile = ./secrets/authentik.yaml;
+    };
+    "backup/restic-password" = {
+      format = "yaml";
+      sopsFile = ./secrets/backup.yaml;
+
+      owner = config.homefree.system.adminUsername;
+      path = "/run/secrets/backup/restic-password";
+      restartUnits = [ "restic.service" ];
+    };
+    "ddclient/ddclient-password" = {
+      format = "yaml";
+      sopsFile = ./secrets/ddclient.yaml;
+
+      owner = config.homefree.system.adminUsername;
+      path = "/run/secrets/ddclient/ddclient-password";
+      restartUnits = [ "ddclient.service" ];
+    };
+    "linkwarden/env" = {
+      format = "yaml";
+      sopsFile = ./secrets/linkwarden.yaml;
+
+      owner = config.homefree.system.adminUsername;
+      path = "/run/secrets/linkwarden/env";
+      restartUnits = [ "linkwarden.service" ];
+    };
+    "nextcloud/admin-password" = {
+      format = "yaml";
+      sopsFile = ./secrets/nextcloud.yaml;
+
+      owner = "nextcloud";
+      path = "/run/secrets/nextcloud/admin-password";
+      restartUnits = [ "nextcloud.service" ];
+    };
+    "nextcloud/secret-file" = {
+      format = "yaml";
+      sopsFile = ./secrets/nextcloud.yaml;
+
+      owner = "nextcloud";
+      path = "/run/secrets/nextcloud/secret-file";
+      restartUnits = [ "nextcloud.service" ];
+    };
+    "tailscale/key" = {
+      format = "yaml";
+      sopsFile = ./secrets/tailscale.yaml;
+
+      owner = config.homefree.system.adminUsername;
+      path = "/run/secrets/tailscale/key";
+      restartUnits = [ "tailscale.service" ];
+    };
+  };
+}
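Review bot: Most secrets are owned by `config.homefree.system.adminUsername`, which makes every service credential readable from the interactive admin account and, assuming the sops-nix default of an owner-only file mode, unreadable by a service that runs under its own user; only the nextcloud entries use the service account. Where a unit has a dedicated user, prefer that, as in `owner = "nextcloud";`, and leave the owner unset where the unit reads the file as root. The explicit `path` values repeat what I believe is the sops-nix default of `/run/secrets/<name>` and could be dropped. The names in `restartUnits` (`restic.service`, and `tailscale.service` for a key that configuration.nix hands to headscale) should be checked against the units the modules actually create, since a non-matching name means no restart when a secret is rotated. The existing TODO already mentions owner and restartUnits, so extending that comment with the intended rule is enough if the change is deferred.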
diff --git a/secrets/README.md b/secrets/README.md
new file mode 100644
index 0000000..27812c0
--- /dev/null
+++ b/secrets/README.md
@@ -0,0 +1,16 @@
+Secrets config
+--------------
+
+Create secrets file in this folder. Use the following commands:
+
+```
+sops authentik.yaml
+sops backup.yaml
+sops ddclient.yaml
+sops linkwarden.yaml
+sops nextcloud.yaml
+sops tailscale.yaml
+```
+
+And copy the contents from the appropriate file in the `secrets-unencrypted` folder, changing
+the values as required.