homefree/sample-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: homefree:0c85fc118a31c49fc39bf4cc8c00215e84487ecb
Branches Tags
homefree:master
homefree:hf-7-move-out-sops
..
compare: homefree:b216f4f19f1bbb57386dacb7e985a007b8f0c53b
Branches Tags
homefree:master
homefree:hf-7-move-out-sops

No commits in common. "0c85fc118a31c49fc39bf4cc8c00215e84487ecb" and "b216f4f19f1bbb57386dacb7e985a007b8f0c53b" have entirely different histories.
0c85fc118a ... b216f4f19f

10 changed files with 29 additions and 229 deletions
Show stats Expand all files Collapse all files

2
README.md
View file

@ -6,5 +6,3 @@ Clone this repo and modify configuration.nix as needed, then deploy with:
``` ```
./install.sh ./install.sh
``` ```
Make sure to create secrets files in the secrets folder, as described by the README file in that folder.

111
configuration.nix
View file

@ -1,8 +1,7 @@
{ config, lib, ... }: { lib, ... }:
{ {
imports = [ imports = [
./disk-config.nix ./disk-config.nix
./secrets.nix
]; ];
networking = { networking = {
@ -25,10 +24,6 @@
authorizedKeys = [ authorizedKeys = [
"<replace me>" "<replace me>"
]; ];
domain = "example.com";
additionalDomains = [ "domain2.com" ];
timeZone = "America/Los_Angeles";
countryCode = "US";
}; };
network = { network = {
@ -67,17 +62,25 @@
zones = [ zones = [
## Repace with your own domain ## Repace with your own domain
{ {
zone = "example.com"; zone = "homefree.host";
protocol = "hetzner";
username = "username";
passwordFile = config.sops.secrets."ddclient/ddclient-password".path;
}
## Repace with your own domain
{
zone = "domain2.com";
protocol = "hetzner"; protocol = "hetzner";
username = "erahhal"; username = "erahhal";
passwordFile = config.sops.secrets."ddclient/ddclient-password".path; passwordFile = "/run/secrets/ddclient/ddclient-password";
}
];
};
wireguard = {
peers = [
{
name = "my-phone";
publicKey = "<replace me>=";
allowedIPs = [ "192.168.2.2/32"];
}
{
name = "bros-phone";
publicKey = "<replace me>";
allowedIPs = [ "192.168.2.3/32"];
} }
]; ];
}; };
@ -87,73 +90,15 @@
enable = true; enable = true;
}; };
authentik = {
enable = true;
secrets = {
environment = config.sops.secrets."authentik/authentik-env".path;
ldap-environment = config.sops.secrets."authentik/authentik-ldap-env".path;
};
};
baikal = {
enable = true;
};
cryptpad = {
enable = true;
adminKeys = [
"<public signing key of user that can access the admin panel>"
];
};
homeassistant = { homeassistant = {
enable = true; enable = true;
}; };
frigate = {
enable = true;
cameras = [
{
enable = true;
name = "gate";
path = "rtsp://10.0.0.15/11";
width = 1920;
height = 1080;
}
];
};
gitea = { gitea = {
enable = true; enable = true;
public = true; public = true;
}; };
headscale = {
enable = true;
secrets = {
tailscale-key = config.sops.secrets."tailscale/key".path;
};
};
headscale-ui = {
enable = true;
};
jellyfin = {
enable = true;
};
linkwarden = {
enable = true;
};
nextcloud = {
enable = true;
secrets = {
admin-password = config.sops.secrets."nextcloud/admin-password".path;
secret-file = config.sops.secrets."nextcloud/secret-file".path;
};
};
radicale = { radicale = {
enable = true; enable = true;
}; };
@ -167,41 +112,23 @@
}; };
}; };
service-config = [ proxied-hosts = [
{ {
label = "att"; label = "att";
reverse-proxy = {
enable = true;
subdomains = [ "att" ]; subdomains = [ "att" ];
https-domains = [ "homefree.host" "rahh.al" ]; https-domains = [ "homefree.host" "rahh.al" ];
host = "att.localdomain"; host = "att.localdomain";
port = 80; port = 80;
};
} }
{ {
label = "yamaha-recevier-web-gui"; label = "yamaha-recevier-web-gui";
reverse-proxy = {
subdomains = [ "yamaha" ]; subdomains = [ "yamaha" ];
https-domains = [ "homefree-host" ]; https-domains = [ "homefree-host" ];
port = 443; port = 443;
ssl = true; ssl = true;
ssl-no-verify = true; ssl-no-verify = true;
host = "yamaha.localdomain"; host = "yamaha.localdomain";
};
} }
]; ];
backups = {
enable = true;
to-path = "/var/lib/backups";
extra-from-paths = [
"/mnt/nfs-volume/persona-files1"
"/mnt/nfs-volume/persona-files2"
"/home/username"
];
secrets = {
restic-password = config.sops.secrets."backup/restic-password".path;
};
};
}; };
} }

15
secrets-unencrypted/authentik.yaml
View file

@ -1,15 +0,0 @@
authentik:
postgres-password: <postgres password>
authentik-env: |-
AUTHENTIK_REDIS__HOST=localhost
AUTHENTIK_POSTGRESQL__HOST=localhost
AUTHENTIK_POSTGRESQL__USER=authentik
AUTHENTIK_POSTGRESQL__NAME=authentik
AUTHENTIK_POSTGRESQL__PASSWORD=<postgres password>
AUTHENTIK_SECRET_KEY=<authentik secret key>
AUTHENTIK_TOKEN=<authentik token>
authentik-ldap-env: |-
AUTHENTIK_HOST=http://localhost:9000
AUTHENTIK_TOKEN=<authenik ldap token>
AUTHENTIK_INSECURE=true

2
secrets-unencrypted/backup.yaml
View file

@ -1,2 +0,0 @@
backup:
restic-password: <change me>

2
secrets-unencrypted/ddclient.yaml
View file

@ -1,2 +0,0 @@
ddclient:
ddclient-password: <change me>

4
secrets-unencrypted/linkwarden.yaml
View file

@ -1,4 +0,0 @@
linkwarden:
env: |-
NEXTAUTH_SECRET=<changeme>
POSTGRESQL_PASSWORD=<postgres password>

8
secrets-unencrypted/nextcloud.yaml
View file

@ -1,8 +0,0 @@
nextcloud:
admin-password: <change me>
secret-file: |-
{
"redis": {
"password": "secret"
}
}

2
secrets-unencrypted/tailscale.yaml
View file

@ -1,2 +0,0 @@
tailscale:
key: <change me>

76
secrets.nix
View file

@ -1,76 +0,0 @@
{ config, ... }:
{
## @TODO: What to do about owner field an restartUnits?
## This file should probably be generated by the homefree repo
## In fact everything in this repo should be generated by
## the config editor in homefree repo.
sops.secrets = {
"authentik/authentik-env" = {
format = "yaml";
sopsFile = ./secrets/authentik.yaml;
owner = config.homefree.system.adminUsername;
path = "/run/secrets/authentik/authentik-env";
restartUnits = [ "authentik.service" ];
};
"authentik/authentik-ldap-env" = {
format = "yaml";
sopsFile = ./secrets/authentik.yaml;
owner = config.homefree.system.adminUsername;
path = "/run/secrets/authentik/authentik-ldap-env";
restartUnits = [ "authentik-ldap.service" ];
};
"authentik/postgres-password" = {
format = "yaml";
sopsFile = ./secrets/authentik.yaml;
};
"backup/restic-password" = {
format = "yaml";
sopsFile = ./secrets/backup.yaml;
owner = config.homefree.system.adminUsername;
path = "/run/secrets/backup/restic-password";
restartUnits = [ "restic.service" ];
};
"ddclient/ddclient-password" = {
format = "yaml";
sopsFile = ./secrets/ddclient.yaml;
owner = config.homefree.system.adminUsername;
path = "/run/secrets/ddclient/ddclient-password";
restartUnits = [ "ddclient.service" ];
};
"linkwarden/env" = {
format = "yaml";
sopsFile = ./secrets/linkwarden.yaml;
owner = config.homefree.system.adminUsername;
path = "/run/secrets/linkwarden/env";
restartUnits = [ "linkwarden.service" ];
};
"nextcloud/admin-password" = {
format = "yaml";
sopsFile = ./secrets/nextcloud.yaml;
owner = "nextcloud";
path = "/run/secrets/nextcloud/admin-password";
restartUnits = [ "nextcloud.service" ];
};
"nextcloud/secret-file" = {
format = "yaml";
sopsFile = ./secrets/nextcloud.yaml;
owner = "nextcloud";
path = "/run/secrets/nextcloud/secret-file";
restartUnits = [ "nextcloud.service" ];
};
"tailscale/key" = {
format = "yaml";
sopsFile = ./secrets/tailscale.yaml;
owner = config.homefree.system.adminUsername;
path = "/run/secrets/tailscale/key";
restartUnits = [ "tailscale.service" ];
};
};
}

16
secrets/README.md
View file

@ -1,16 +0,0 @@
Secrets config
--------------
Create secrets file in this folder. Use the following commands:
```
sops authentik.yaml
sops backup.yaml
sops ddclient.yaml
sops linkwarden.yaml
sops nextcloud.yaml
sops tailscale.yaml
```
And copy the contents from the appropriate file in the `secrets-unencrypted` folder, changing
the values as required.