0c85fc118a
...
b216f4f19f
10 changed files with 29 additions and 229 deletions
|
@ -6,5 +6,3 @@ Clone this repo and modify configuration.nix as needed, then deploy with:
|
||||||
```
|
```
|
||||||
./install.sh
|
./install.sh
|
||||||
```
|
```
|
||||||
|
|
||||||
Make sure to create secrets files in the secrets folder, as described by the README file in that folder.
|
|
||||||
|
|
|
@ -1,8 +1,7 @@
|
||||||
{ config, lib, ... }:
|
{ lib, ... }:
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
./disk-config.nix
|
./disk-config.nix
|
||||||
./secrets.nix
|
|
||||||
];
|
];
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
|
@ -25,10 +24,6 @@
|
||||||
authorizedKeys = [
|
authorizedKeys = [
|
||||||
"<replace me>"
|
"<replace me>"
|
||||||
];
|
];
|
||||||
domain = "example.com";
|
|
||||||
additionalDomains = [ "domain2.com" ];
|
|
||||||
timeZone = "America/Los_Angeles";
|
|
||||||
countryCode = "US";
|
|
||||||
};
|
};
|
||||||
|
|
||||||
network = {
|
network = {
|
||||||
|
@ -67,17 +62,25 @@
|
||||||
zones = [
|
zones = [
|
||||||
## Repace with your own domain
|
## Repace with your own domain
|
||||||
{
|
{
|
||||||
zone = "example.com";
|
zone = "homefree.host";
|
||||||
protocol = "hetzner";
|
|
||||||
username = "username";
|
|
||||||
passwordFile = config.sops.secrets."ddclient/ddclient-password".path;
|
|
||||||
}
|
|
||||||
## Repace with your own domain
|
|
||||||
{
|
|
||||||
zone = "domain2.com";
|
|
||||||
protocol = "hetzner";
|
protocol = "hetzner";
|
||||||
username = "erahhal";
|
username = "erahhal";
|
||||||
passwordFile = config.sops.secrets."ddclient/ddclient-password".path;
|
passwordFile = "/run/secrets/ddclient/ddclient-password";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
wireguard = {
|
||||||
|
peers = [
|
||||||
|
{
|
||||||
|
name = "my-phone";
|
||||||
|
publicKey = "<replace me>=";
|
||||||
|
allowedIPs = [ "192.168.2.2/32"];
|
||||||
|
}
|
||||||
|
{
|
||||||
|
name = "bros-phone";
|
||||||
|
publicKey = "<replace me>";
|
||||||
|
allowedIPs = [ "192.168.2.3/32"];
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
@ -87,73 +90,15 @@
|
||||||
enable = true;
|
enable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
authentik = {
|
|
||||||
enable = true;
|
|
||||||
secrets = {
|
|
||||||
environment = config.sops.secrets."authentik/authentik-env".path;
|
|
||||||
ldap-environment = config.sops.secrets."authentik/authentik-ldap-env".path;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
baikal = {
|
|
||||||
enable = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
cryptpad = {
|
|
||||||
enable = true;
|
|
||||||
adminKeys = [
|
|
||||||
"<public signing key of user that can access the admin panel>"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
homeassistant = {
|
homeassistant = {
|
||||||
enable = true;
|
enable = true;
|
||||||
};
|
};
|
||||||
frigate = {
|
|
||||||
enable = true;
|
|
||||||
cameras = [
|
|
||||||
{
|
|
||||||
enable = true;
|
|
||||||
name = "gate";
|
|
||||||
path = "rtsp://10.0.0.15/11";
|
|
||||||
width = 1920;
|
|
||||||
height = 1080;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
gitea = {
|
gitea = {
|
||||||
enable = true;
|
enable = true;
|
||||||
public = true;
|
public = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
headscale = {
|
|
||||||
enable = true;
|
|
||||||
secrets = {
|
|
||||||
tailscale-key = config.sops.secrets."tailscale/key".path;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
headscale-ui = {
|
|
||||||
enable = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
jellyfin = {
|
|
||||||
enable = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
linkwarden = {
|
|
||||||
enable = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
nextcloud = {
|
|
||||||
enable = true;
|
|
||||||
secrets = {
|
|
||||||
admin-password = config.sops.secrets."nextcloud/admin-password".path;
|
|
||||||
secret-file = config.sops.secrets."nextcloud/secret-file".path;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
radicale = {
|
radicale = {
|
||||||
enable = true;
|
enable = true;
|
||||||
};
|
};
|
||||||
|
@ -167,41 +112,23 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
service-config = [
|
proxied-hosts = [
|
||||||
{
|
{
|
||||||
label = "att";
|
label = "att";
|
||||||
reverse-proxy = {
|
|
||||||
enable = true;
|
|
||||||
subdomains = [ "att" ];
|
subdomains = [ "att" ];
|
||||||
https-domains = [ "homefree.host" "rahh.al" ];
|
https-domains = [ "homefree.host" "rahh.al" ];
|
||||||
host = "att.localdomain";
|
host = "att.localdomain";
|
||||||
port = 80;
|
port = 80;
|
||||||
};
|
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
label = "yamaha-recevier-web-gui";
|
label = "yamaha-recevier-web-gui";
|
||||||
reverse-proxy = {
|
|
||||||
subdomains = [ "yamaha" ];
|
subdomains = [ "yamaha" ];
|
||||||
https-domains = [ "homefree-host" ];
|
https-domains = [ "homefree-host" ];
|
||||||
port = 443;
|
port = 443;
|
||||||
ssl = true;
|
ssl = true;
|
||||||
ssl-no-verify = true;
|
ssl-no-verify = true;
|
||||||
host = "yamaha.localdomain";
|
host = "yamaha.localdomain";
|
||||||
};
|
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
backups = {
|
|
||||||
enable = true;
|
|
||||||
to-path = "/var/lib/backups";
|
|
||||||
extra-from-paths = [
|
|
||||||
"/mnt/nfs-volume/persona-files1"
|
|
||||||
"/mnt/nfs-volume/persona-files2"
|
|
||||||
"/home/username"
|
|
||||||
];
|
|
||||||
secrets = {
|
|
||||||
restic-password = config.sops.secrets."backup/restic-password".path;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
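Review bot: `passwordFile = "/run/secrets/ddclient/ddclient-password";` on the new side of the ddclient zone now points at a path that nothing in the changed files provisions, because the same commit drops `./secrets.nix` from `imports` and deletes secrets.nix, which was the only place that declared `"ddclient/ddclient-password"` with its owner and `path`. Unless the homefree module creates that file itself (not visible here), ddclient will start against a missing or mis-permissioned file, and the README hunk also removes the sentence that told users to create the secrets files. I would either keep the secret managed declaratively or at least annotate the line, e.g. `## Not managed by this repo: provision /run/secrets/ddclient/ddclient-password out of band, readable only by the ddclient service`. Separately, the zone changes from the `example.com` placeholder to the real `homefree.host` while the neighbouring `authorizedKeys`/`publicKey` entries still use `"<replace me>"`, so the template now ships a live domain; `zone = "<replace me>";` would be consistent with the rest of the file. The unchanged `https-domains = [ "homefree-host" ]` context line in the proxied-hosts hunk looks like a hyphen-for-dot typo of `homefree.host` and is carried over as-is.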
|
@ -1,15 +0,0 @@
|
||||||
authentik:
|
|
||||||
postgres-password: <postgres password>
|
|
||||||
authentik-env: |-
|
|
||||||
AUTHENTIK_REDIS__HOST=localhost
|
|
||||||
AUTHENTIK_POSTGRESQL__HOST=localhost
|
|
||||||
AUTHENTIK_POSTGRESQL__USER=authentik
|
|
||||||
AUTHENTIK_POSTGRESQL__NAME=authentik
|
|
||||||
AUTHENTIK_POSTGRESQL__PASSWORD=<postgres password>
|
|
||||||
AUTHENTIK_SECRET_KEY=<authentik secret key>
|
|
||||||
AUTHENTIK_TOKEN=<authentik token>
|
|
||||||
authentik-ldap-env: |-
|
|
||||||
AUTHENTIK_HOST=http://localhost:9000
|
|
||||||
AUTHENTIK_TOKEN=<authenik ldap token>
|
|
||||||
AUTHENTIK_INSECURE=true
|
|
||||||
|
|
|
@ -1,2 +0,0 @@
|
||||||
backup:
|
|
||||||
restic-password: <change me>
|
|
|
@ -1,2 +0,0 @@
|
||||||
ddclient:
|
|
||||||
ddclient-password: <change me>
|
|
|
@ -1,4 +0,0 @@
|
||||||
linkwarden:
|
|
||||||
env: |-
|
|
||||||
NEXTAUTH_SECRET=<changeme>
|
|
||||||
POSTGRESQL_PASSWORD=<postgres password>
|
|
|
@ -1,8 +0,0 @@
|
||||||
nextcloud:
|
|
||||||
admin-password: <change me>
|
|
||||||
secret-file: |-
|
|
||||||
{
|
|
||||||
"redis": {
|
|
||||||
"password": "secret"
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1,2 +0,0 @@
|
||||||
tailscale:
|
|
||||||
key: <change me>
|
|
76
secrets.nix
76
secrets.nix
|
@ -1,76 +0,0 @@
|
||||||
{ config, ... }:
|
|
||||||
{
|
|
||||||
## @TODO: What to do about owner field an restartUnits?
|
|
||||||
## This file should probably be generated by the homefree repo
|
|
||||||
## In fact everything in this repo should be generated by
|
|
||||||
## the config editor in homefree repo.
|
|
||||||
sops.secrets = {
|
|
||||||
"authentik/authentik-env" = {
|
|
||||||
format = "yaml";
|
|
||||||
sopsFile = ./secrets/authentik.yaml;
|
|
||||||
owner = config.homefree.system.adminUsername;
|
|
||||||
path = "/run/secrets/authentik/authentik-env";
|
|
||||||
restartUnits = [ "authentik.service" ];
|
|
||||||
};
|
|
||||||
"authentik/authentik-ldap-env" = {
|
|
||||||
format = "yaml";
|
|
||||||
sopsFile = ./secrets/authentik.yaml;
|
|
||||||
|
|
||||||
owner = config.homefree.system.adminUsername;
|
|
||||||
path = "/run/secrets/authentik/authentik-ldap-env";
|
|
||||||
restartUnits = [ "authentik-ldap.service" ];
|
|
||||||
};
|
|
||||||
"authentik/postgres-password" = {
|
|
||||||
format = "yaml";
|
|
||||||
sopsFile = ./secrets/authentik.yaml;
|
|
||||||
};
|
|
||||||
"backup/restic-password" = {
|
|
||||||
format = "yaml";
|
|
||||||
sopsFile = ./secrets/backup.yaml;
|
|
||||||
|
|
||||||
owner = config.homefree.system.adminUsername;
|
|
||||||
path = "/run/secrets/backup/restic-password";
|
|
||||||
restartUnits = [ "restic.service" ];
|
|
||||||
};
|
|
||||||
"ddclient/ddclient-password" = {
|
|
||||||
format = "yaml";
|
|
||||||
sopsFile = ./secrets/ddclient.yaml;
|
|
||||||
|
|
||||||
owner = config.homefree.system.adminUsername;
|
|
||||||
path = "/run/secrets/ddclient/ddclient-password";
|
|
||||||
restartUnits = [ "ddclient.service" ];
|
|
||||||
};
|
|
||||||
"linkwarden/env" = {
|
|
||||||
format = "yaml";
|
|
||||||
sopsFile = ./secrets/linkwarden.yaml;
|
|
||||||
|
|
||||||
owner = config.homefree.system.adminUsername;
|
|
||||||
path = "/run/secrets/linkwarden/env";
|
|
||||||
restartUnits = [ "linkwarden.service" ];
|
|
||||||
};
|
|
||||||
"nextcloud/admin-password" = {
|
|
||||||
format = "yaml";
|
|
||||||
sopsFile = ./secrets/nextcloud.yaml;
|
|
||||||
|
|
||||||
owner = "nextcloud";
|
|
||||||
path = "/run/secrets/nextcloud/admin-password";
|
|
||||||
restartUnits = [ "nextcloud.service" ];
|
|
||||||
};
|
|
||||||
"nextcloud/secret-file" = {
|
|
||||||
format = "yaml";
|
|
||||||
sopsFile = ./secrets/nextcloud.yaml;
|
|
||||||
|
|
||||||
owner = "nextcloud";
|
|
||||||
path = "/run/secrets/nextcloud/secret-file";
|
|
||||||
restartUnits = [ "nextcloud.service" ];
|
|
||||||
};
|
|
||||||
"tailscale/key" = {
|
|
||||||
format = "yaml";
|
|
||||||
sopsFile = ./secrets/tailscale.yaml;
|
|
||||||
|
|
||||||
owner = config.homefree.system.adminUsername;
|
|
||||||
path = "/run/secrets/tailscale/key";
|
|
||||||
restartUnits = [ "tailscale.service" ];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,16 +0,0 @@
|
||||||
Secrets config
|
|
||||||
--------------
|
|
||||||
|
|
||||||
Create secrets file in this folder. Use the following commands:
|
|
||||||
|
|
||||||
```
|
|
||||||
sops authentik.yaml
|
|
||||||
sops backup.yaml
|
|
||||||
sops ddclient.yaml
|
|
||||||
sops linkwarden.yaml
|
|
||||||
sops nextcloud.yaml
|
|
||||||
sops tailscale.yaml
|
|
||||||
```
|
|
||||||
|
|
||||||
And copy the contents from the appropriate file in the `secrets-unencrypted` folder, changing
|
|
||||||
the values as required.
|
|