homefree/sample-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

HF-7: Move out sops config

Browse source 
* Updated configuration.nix to match latest homefree
* Added secrets config
This commit is contained in:
Ellis Rahhal 2024-12-13 17:14:13 -08:00
parent b216f4f19f
commit d3f8d588b5
10 changed files with 229 additions and 29 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
README.md
View file

@ -6,3 +6,5 @@ Clone this repo and modify configuration.nix as needed, then deploy with:
```
./install.sh
```
Make sure to create secrets files in the secrets folder, as described by the README file in that folder.

131
configuration.nix
View file

@ -1,7 +1,8 @@
{ lib, ... }:
{ config, lib, ... }:
{
imports = [
./disk-config.nix
./secrets.nix
];
networking = {
@ -24,6 +25,10 @@
authorizedKeys = [
"<replace me>"
];
domain = "example.com";
additionalDomains = [ "domain2.com" ];
timeZone = "America/Los_Angeles";
countryCode = "US";
};
network = {
@ -62,25 +67,17 @@
zones = [
## Repace with your own domain
{
zone = "homefree.host";
zone = "example.com";
protocol = "hetzner";
username = "username";
passwordFile = config.sops.secrets."ddclient/ddclient-password".path;
}
## Repace with your own domain
{
zone = "domain2.com";
protocol = "hetzner";
username = "erahhal";
passwordFile = "/run/secrets/ddclient/ddclient-password";
}
];
};
wireguard = {
peers = [
{
name = "my-phone";
publicKey = "<replace me>=";
allowedIPs = [ "192.168.2.2/32"];
}
{
name = "bros-phone";
publicKey = "<replace me>";
allowedIPs = [ "192.168.2.3/32"];
passwordFile = config.sops.secrets."ddclient/ddclient-password".path;
}
];
};
@ -90,15 +87,73 @@
enable = true;
};
authentik = {
enable = true;
secrets = {
environment = config.sops.secrets."authentik/authentik-env".path;
ldap-environment = config.sops.secrets."authentik/authentik-ldap-env".path;
};
};
baikal = {
enable = true;
};
cryptpad = {
enable = true;
adminKeys = [
"<public signing key of user that can access the admin panel>"
];
};
homeassistant = {
enable = true;
};
frigate = {
enable = true;
cameras = [
{
enable = true;
name = "gate";
path = "rtsp://10.0.0.15/11";
width = 1920;
height = 1080;
}
];
};
gitea = {
enable = true;
public = true;
};
headscale = {
enable = true;
secrets = {
tailscale-key = config.sops.secrets."tailscale/key".path;
};
};
headscale-ui = {
enable = true;
};
jellyfin = {
enable = true;
};
linkwarden = {
enable = true;
};
nextcloud = {
enable = true;
secrets = {
admin-password = config.sops.secrets."nextcloud/admin-password".path;
secret-file = config.sops.secrets."nextcloud/secret-file".path;
};
};
radicale = {
enable = true;
};
@ -112,23 +167,41 @@
};
};
proxied-hosts = [
service-config = [
{
label = "att";
subdomains = [ "att" ];
https-domains = [ "homefree.host" "rahh.al" ];
host = "att.localdomain";
port = 80;
reverse-proxy = {
enable = true;
subdomains = [ "att" ];
https-domains = [ "homefree.host" "rahh.al" ];
host = "att.localdomain";
port = 80;
};
}
{
label = "yamaha-recevier-web-gui";
subdomains = [ "yamaha" ];
https-domains = [ "homefree-host" ];
port = 443;
ssl = true;
ssl-no-verify = true;
host = "yamaha.localdomain";
reverse-proxy = {
subdomains = [ "yamaha" ];
https-domains = [ "homefree-host" ];
port = 443;
ssl = true;
ssl-no-verify = true;
host = "yamaha.localdomain";
};
}
];
backups = {
enable = true;
to-path = "/var/lib/backups";
extra-from-paths = [
"/mnt/nfs-volume/persona-files1"
"/mnt/nfs-volume/persona-files2"
"/home/username"
];
secrets = {
restic-password = config.sops.secrets."backup/restic-password".path;
};
};
};
}

15
secrets-unencrypted/authentik.yaml Normal file
View file

@ -0,0 +1,15 @@
authentik:
postgres-password: <postgres password>
authentik-env: |-
AUTHENTIK_REDIS__HOST=localhost
AUTHENTIK_POSTGRESQL__HOST=localhost
AUTHENTIK_POSTGRESQL__USER=authentik
AUTHENTIK_POSTGRESQL__NAME=authentik
AUTHENTIK_POSTGRESQL__PASSWORD=<postgres password>
AUTHENTIK_SECRET_KEY=<authentik secret key>
AUTHENTIK_TOKEN=<authentik token>
authentik-ldap-env: |-
AUTHENTIK_HOST=http://localhost:9000
AUTHENTIK_TOKEN=<authenik ldap token>
AUTHENTIK_INSECURE=true

2
secrets-unencrypted/backup.yaml Normal file
View file

@ -0,0 +1,2 @@
backup:
restic-password: <change me>

2
secrets-unencrypted/ddclient.yaml Normal file
View file

@ -0,0 +1,2 @@
ddclient:
ddclient-password: <change me>

4
secrets-unencrypted/linkwarden.yaml Normal file
View file

@ -0,0 +1,4 @@
linkwarden:
env: |-
NEXTAUTH_SECRET=<changeme>
POSTGRESQL_PASSWORD=<postgres password>

8
secrets-unencrypted/nextcloud.yaml Normal file
View file

@ -0,0 +1,8 @@
nextcloud:
admin-password: <change me>
secret-file: |-
{
"redis": {
"password": "secret"
}
}

2
secrets-unencrypted/tailscale.yaml Normal file
View file

@ -0,0 +1,2 @@
tailscale:
key: <change me>

76
secrets.nix Normal file
View file

@ -0,0 +1,76 @@
{ config, ... }:
{
## @TODO: What to do about owner field an restartUnits?
## This file should probably be generated by the homefree repo
## In fact everything in this repo should be generated by
## the config editor in homefree repo.
sops.secrets = {
"authentik/authentik-env" = {
format = "yaml";
sopsFile = ./secrets/authentik.yaml;
owner = config.homefree.system.adminUsername;
path = "/run/secrets/authentik/authentik-env";
restartUnits = [ "authentik.service" ];
};
"authentik/authentik-ldap-env" = {
format = "yaml";
sopsFile = ./secrets/authentik.yaml;
owner = config.homefree.system.adminUsername;
path = "/run/secrets/authentik/authentik-ldap-env";
restartUnits = [ "authentik-ldap.service" ];
};
"authentik/postgres-password" = {
format = "yaml";
sopsFile = ./secrets/authentik.yaml;
};
"backup/restic-password" = {
format = "yaml";
sopsFile = ./secrets/backup.yaml;
owner = config.homefree.system.adminUsername;
path = "/run/secrets/backup/restic-password";
restartUnits = [ "restic.service" ];
};
"ddclient/ddclient-password" = {
format = "yaml";
sopsFile = ./secrets/ddclient.yaml;
owner = config.homefree.system.adminUsername;
path = "/run/secrets/ddclient/ddclient-password";
restartUnits = [ "ddclient.service" ];
};
"linkwarden/env" = {
format = "yaml";
sopsFile = ./secrets/linkwarden.yaml;
owner = config.homefree.system.adminUsername;
path = "/run/secrets/linkwarden/env";
restartUnits = [ "linkwarden.service" ];
};
"nextcloud/admin-password" = {
format = "yaml";
sopsFile = ./secrets/nextcloud.yaml;
owner = "nextcloud";
path = "/run/secrets/nextcloud/admin-password";
restartUnits = [ "nextcloud.service" ];
};
"nextcloud/secret-file" = {
format = "yaml";
sopsFile = ./secrets/nextcloud.yaml;
owner = "nextcloud";
path = "/run/secrets/nextcloud/secret-file";
restartUnits = [ "nextcloud.service" ];
};
"tailscale/key" = {
format = "yaml";
sopsFile = ./secrets/tailscale.yaml;
owner = config.homefree.system.adminUsername;
path = "/run/secrets/tailscale/key";
restartUnits = [ "tailscale.service" ];
};
};
}

16
secrets/README.md Normal file
View file

@ -0,0 +1,16 @@
Secrets config
--------------
Create secrets file in this folder. Use the following commands:
```
sops authentik.yaml
sops backup.yaml
sops ddclient.yaml
sops linkwarden.yaml
sops nextcloud.yaml
sops tailscale.yaml
```
And copy the contents from the appropriate file in the `secrets-unencrypted` folder, changing
the values as required.