diff --git a/flake.nix b/flake.nix index 6d6c0f4..fd129c3 100644 --- a/flake.nix +++ b/flake.nix @@ -93,14 +93,14 @@ ./hosts/matrix ]; }; - nixosConfigurations."md" = nixpkgs.lib.nixosSystem { + nixosConfigurations."hedgedoc" = nixpkgs.lib.nixosSystem { #system = "x86_64-linux"; #pkgs = import nixpkgs { inherit system; }; inherit system; modules = [ agenix.nixosModules.default { environment.systemPackages = [ (agenix.packages.${system}.default) ]; } - ./hosts/md + ./hosts/hedgedoc ]; }; nixosConfigurations."sql" = nixpkgs.lib.nixosSystem { @@ -110,22 +110,6 @@ modules = [ agenix.nixosModules.default { environment.systemPackages = [ (agenix.packages.${system}.default) ]; } - { - age.secrets = { - postgres-matrix-synapse = { - file = ./secrets/postgres-matrix-synapse.age; - owner = "postgres"; - group = "postgres"; - mode = "0400"; - }; - postgres-hedgedoc = { - file = ./secrets/postgres-hedgedoc.age; - owner = "postgres"; - group = "postgres"; - mode = "0400"; - }; - }; - } ./hosts/sql ]; }; diff --git a/hosts/hedgedoc/default.nix b/hosts/hedgedoc/default.nix new file mode 100644 index 0000000..92428bd --- /dev/null +++ b/hosts/hedgedoc/default.nix @@ -0,0 +1,38 @@ +{ ... }: + +{ + imports = [ + ../common.nix + ../../services/openssh.nix + ../../services/hedgedoc.nix + ]; + + networking = { + hostName = "hedgedoc"; + firewall = { + allowedTCPPorts = [ + 80 # HTTP/1 + 443 # HTTP/2 + ]; + allowedUDPPorts = [ + 443 # HTTP/3 + ]; + }; + }; + + services = { + openssh.banner = '' + __ __ __ + /\ \ /\ \ /\ \ + \ \ \___ __ \_\ \ __ __ \_\ \ ___ ___ + \ \ _ `\ /'__`\ /'_` \ /'_ `\ /'__`\ /'_` \ / __`\ /'___\ + \ \ \ \ \/\ __//\ \L\ \/\ \L\ \/\ __//\ \L\ \/\ \L\ \/\ \__/ + \ \_\ \_\ \____\ \___,_\ \____ \ \____\ \___,_\ \____/\ \____\ + \/_/\/_/\/____/\/__,_ /\/___L\ \/____/\/__,_ /\/___/ \/____/ + /\____/ + \_/__/ + ''; + }; + + system.stateVersion = "25.11"; +} diff --git a/hosts/md/default.nix b/hosts/md/default.nix deleted file mode 100644 index 9c7bc32..0000000 
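Review bot: The port comments in the new hosts/hedgedoc/default.nix are inaccurate: 443 is HTTPS for HTTP/1.1 and HTTP/2 alike and 80 is plaintext HTTP, so `80 # HTTP` and `443 # HTTPS (HTTP/1.1, HTTP/2)` would describe them correctly. The 443/udp rule only has a purpose if the reverse proxy configured in services/hedgedoc.nix actually serves HTTP/3 over QUIC, which this diff does not show; if it does not, the UDP rule is an unneeded opening, and if it does, naming that proxy in the comment makes the dependency visible. Apart from the host name and banner this file reproduces the deleted hosts/md/default.nix.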
--- a/hosts/md/default.nix +++ /dev/null @@ -1,36 +0,0 @@ -{ ... }: - -{ - imports = [ - ../common.nix - ../../services/openssh.nix - ../../services/hedgedoc.nix - ]; - - networking = { - hostName = "md"; - firewall = { - allowedTCPPorts = [ - 80 # HTTP/1 - 443 # HTTP/2 - ]; - allowedUDPPorts = [ - 443 # HTTP/3 - ]; - }; - }; - - services = { - openssh.banner = '' - __ - /\ \ - ___ ___ \_\ \ - /' __` __`\ /'_` \ - /\ \/\ \/\ \/\ \L\ \ - \ \_\ \_\ \_\ \___,_\ - \/_/\/_/\/_/\/__,_ / - ''; - }; - - system.stateVersion = "25.11"; -} diff --git a/hosts/sql/default.nix b/hosts/sql/default.nix index e5726f3..b1a26c4 100644 --- a/hosts/sql/default.nix +++ b/hosts/sql/default.nix @@ -5,15 +5,17 @@ ../common.nix ../../services/openssh.nix ../../services/postgres.nix - ./postgres.nix ]; networking = { hostName = "sql"; - firewall.extraInputRules = '' - ip saddr 195.160.173.0/24 ip daddr 195.160.173.15 tcp dport 5432 accept - ip6 saddr 2001:678:760:cccb::/64 ip6 daddr 2001:678:760:cccb::15 tcp dport 5432 accept - ''; + firewall = { + enable = true; + extraInputRules = '' + ip saddr 195.160.173.0/24 ip daddr 195.160.173.15 tcp dport 5432 accept + ip6 saddr 2001:678:760:cccb::/64 ip6 daddr 2001:678:760:cccb::15 tcp dport 5432 accept + ''; + }; }; services = { diff --git a/hosts/sql/postgres.nix b/hosts/sql/postgres.nix index 61f3af8..338950a 100644 --- a/hosts/sql/postgres.nix +++ b/hosts/sql/postgres.nix 
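Review bot: `./postgres.nix` is removed from `imports` in hosts/sql/default.nix while hosts/sql/postgres.nix is still edited in this same commit (the `pda` user, database and pg_hba entries), so unless that file is now imported from somewhere outside this diff, none of it is applied to the sql host any more and the repository stops describing what actually runs. Either keep `./postgres.nix` in the import list or delete the file in the same change. `firewall.enable = true;` only restates the NixOS default, which is fine, but a one-line comment on why the 5432 accept rules are kept when PostgreSQL may no longer listen on these addresses (see the listen_addresses removal in services/postgres.nix) would help the next reader.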
@@ -1,41 +1,8 @@ -{ config, pkgs, ... }: +{ config, ... }: let fqdn = "sql.${config.networking.domain}"; - # Create postgres- entry in agenix - # mkEntry - entries = [ - (mkEntry "matrix-synapse" 25) # matrix.berlin.ccc.de - (mkEntry "hedgedoc" 26) # md.berlin.ccc.de - ]; - mkEntry = name: octet: { - user = { - name = name; - ensureDBOwnership = true; - }; - database = name; - # TYPE DATABASE USER ADDRESS METHOD - auth = '' - #hostssl ${name} ${name} 195.160.173.${toString octet}/32 scram-sha-256 - #hostssl ${name} ${name} 2001:678:760:cccb::${toString octet}/128 scram-sha-256 - host ${name} ${name} 195.160.173.${toString octet}/32 scram-sha-256 - host ${name} ${name} 2001:678:760:cccb::${toString octet}/128 scram-sha-256 - ''; - }; - mkPasswordSQL = e: '' - DO $do$ - BEGIN - IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = '${e.user.name}') THEN - EXECUTE format( - 'ALTER ROLE %I WITH PASSWORD %L', - '${e.user.name}', - trim(both E'\n' from pg_read_file('${config.age.secrets."postgres-${e.user.name}".path}')) - ); - END IF; - END - $do$; - ''; - passwordScript = pkgs.writeText "postgres-passwords.sql" (builtins.concatStringsSep "\n" (map mkPasswordSQL entries)); + mkEntry = "fancy function that takes a name and IP octed and creates a user, db and auth lines"; in { services = { 
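Review bot: `mkEntry = "fancy function that takes a name and IP octed and creates a user, db and auth lines";` replaces the helper with a prose string bound in `let` that nothing references, so it is dead code that reads like a comment (and "octed" should be "octet"). Make it an actual comment or drop it, e.g. `# mkEntry, a helper that built the user, database and pg_hba lines from a name and an IP octet, was removed together with the agenix-managed passwords`. As far as this diff shows, `fqdn` is now only referenced from commented-out ssl settings in the next hunk, so it is likely unused as well. The `let`/`in` block continues into the next hunk.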
@@ -47,23 +14,30 @@ in # }; #}; postgresql = { - enableTCPIP = true; + #enableTCPIP = true; #settings = { # ssl = "on"; # ssl_cert_file = "${config.security.acme.certs."${fqdn}".directory}/server.crt"; # ssl_key_file = "${config.security.acme.certs."${fqdn}".directory}/server.key"; # ssl_ca_file = "${config.security.acme.certs."${fqdn}".directory}/ca.crt"; #}; - ensureUsers = map (e: e.user) entries; - ensureDatabases = map (e: e.database) entries; - authentication = "${builtins.concatStringsSep "\n" (map (e: e.auth) entries)}"; + ensureUsers = [ + { + name = "pda"; + ensureDBOwnership = true; + } + ]; + ensureDatabases = [ + "pda" + ]; + authentication = '' + # TYPE DATABASE USER ADDRESS METHOD + #hostssl pda pda 195.160.173.15/32 scram-sha-256 + #hostssl pda pda 2001:678:760:cccb::15/128 scram-sha-256 + host pda pda 195.160.173.15/32 scram-sha-256 + host pda pda 2001:678:760:cccb::15/128 scram-sha-256 + ''; }; }; - systemd.services.postgresql.postStart = '' - ${config.services.postgresql.package}/bin/psql \ - --dbname=postgres \ - --no-password \ - --file=${passwordScript} - ''; } diff --git a/secrets/postgres-hedgedoc.age b/secrets/postgres-hedgedoc.age deleted file mode 100644 index 4a37aea..0000000 --- a/secrets/postgres-hedgedoc.age +++ /dev/null 
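Review bot: The new `host pda pda 195.160.173.15/32 scram-sha-256` and `2001:678:760:cccb::15/128` entries match only TCP connections arriving from the host's own public addresses, but with `enableTCPIP` commented out here and `settings.listen_addresses = "*"` removed in services/postgres.nix the server presumably falls back to the module's localhost-only listen address, so a local TCP client shows up as 127.0.0.1/::1 and never matches these lines (a Unix-socket client would need a `local` line). The deleted `postStart` block was also the only place a role password was ever set; `ensureUsers` creates `pda` without one, so scram-sha-256 cannot succeed until a password is set by hand, and that out-of-band step deserves a comment such as `# pda's password is not managed here; set it manually with ALTER ROLE after the first deploy`. Dropping matrix-synapse and hedgedoc from `ensureUsers`/`ensureDatabases` does not remove the existing roles and databases on the running server, so their previously provisioned passwords presumably stay usable through the module's default loopback entries until the roles are dropped explicitly. The enclosing `services.postgresql` set opens in the previous hunk.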
@@ -1,19 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 uH+n1w GLixFnca76xHm803JN+KAIfwV20OBqEDT3FeLeSB2l8 -jPB5PyXf/YYeOGDa2TzgiE16n69i5L9hQarnkWo6mmQ --> ssh-ed25519 EvLbWw EHxXWWxMVJb351HyeCg9ZwhuHa2EsXW9ikj1LEkeyh8 -rN9f1ia2ns2vC8Vc0QKcf3JORhe8OKoHwy/2ayLW6Ak --> ssh-ed25519 dM+fLQ O2+eaJPzd2+2E5mx/zQE4wRu6HBH6u19p23/HvPXrA8 -RVLocbh9fM2YvyuAAHZZMlB16xj8nlfUd4XsvBwvZhs --> ssh-ed25519 jxWM2Q oCQINVqZDm5f7QaJw9iP40FaMjoaXOkM1Ij7N7ntzHs -U8zqYADl+KcvcvF7jmaiuUBl2J2HiMGHvlHgmsf6Ew4 --> ssh-ed25519 /yCUCg Tof5WTA5hxHqGrMgXTIV2hkyw5i+/vxTPrphaZB/JzA -5JDdTlnMTkwb0wccvlrE4OENcGaLKELgrxfbSkeqbkw --> ssh-ed25519 FGp51g BobAb/lSMY8cTVLcdCCGLOS0iWypf/lM2AMLrcPmdCc -WU8+jDAr1mYBxN9rZvuqQU+lnj8lpvTbsb9ZF9a9/d8 --> ssh-ed25519 I2FcBQ TLJ9nqhcOEfPOOTciWo/ulKuh7GtqZSDDXI4n1JZwRI -ldBwhmJv6Pw4Fmb3C/qz/JsWDbDICaIwyMoTvkMRt0I --> ssh-ed25519 fEJY/A Ah/JhYfb+AhxVvr/Tuph4f8jPzlD0iIkHM2izcUfNn8 -I9p4tl2irCop5p14Cu2mn6QyQRJzKMjSk1bvTSf6SZ4 ---- Xy4DryiHOclGL1xaVyK3N3dVLBxr0gYwwTQPZlDNet4 -3p?h6{rɞ{Ew(uŒk{]|NcYIE%USRTݰJat|.\fUږyxE \ No newline at end of file diff --git a/secrets/postgres-matrix-synapse.age b/secrets/postgres-matrix-synapse.age deleted file mode 100644 index b83955b..0000000 --- a/secrets/postgres-matrix-synapse.age +++ /dev/null 
@@ -1,20 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 uH+n1w 2c8iSQLommYEwAbcdmos5NUTwxq0Syqzi33LKGheIks -69VeTwPvhySw8zAb7/wi5EjK32U4yUWlXtlhzXPo+5w --> ssh-ed25519 EvLbWw zxAbVUac7j6ymHcR+veJj91wx6empIcESWry5SJAiSA -kQdfHgTcvwJ6cNOhTQ6n7jyfHwDECqhZKwLHA7EwI2Y --> ssh-ed25519 dM+fLQ FjU1FmRLYxeWuc3fD1J7UEnQBjH2DkwSFTS0OfRdr0s -+nsheCYHFYSRSzn1rsVVZoywCNF4Nf9WwQQVMLXUTyE --> ssh-ed25519 jxWM2Q 6s7G67QfhbEPc3dsePIJngE8vHK7uzjV6IqAOIAGX1A -RXz2d3Cmb/4bE+UDwamGmDTw4ITwOQdUJAKznbGV67U --> ssh-ed25519 /yCUCg K7/3N+yqmtldaQGMwxnHbpCj46e0hQ+mlRbkr85uww8 -7RIUbgdePKWI8nExPbF8b0tWbnf00iVgLiHf5gNfrj4 --> ssh-ed25519 FGp51g MAxcrUlLbxkEoAx5eb5GR1SB34f5Lo+1Bu4gB+Iuvko -04bv1ugxY1CTKzubwFrffpVGdB7BbWLGP1++NePwAo4 --> ssh-ed25519 I2FcBQ jVCB1GcCPUdGE4lqhx/tJSo6UBqvXXK/PT6MnaOC/QE -QIYELUgsFNronR2LUQz4vhyCwnUXI1CyzpTZcjGXHs0 --> ssh-ed25519 yoCmaA IGin0TzhVwNDaofpoRj5NDqkg1iyCx/CRKfjAH7exXE -jX+SCYwU4jsg8zb7hbQh1Oib1IjnKTwgtAr57RKJgck ---- sbAmUYpaAOgxptAoOv9s3V6jhC7uGq98MkV0plKRu8c -I# %OtkxIHOk'hQ"&x h -${9 6|D3\1)Ce=5vMch \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index e8853ac..c09b8c9 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -15,8 +15,6 @@ let ]; _matrix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIApAkkhHLj918co/wUGuyW8WCPYHxsNM4uo32XDEu7VV root@matrix"; - _md = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdFkdEEDXo8+k5YZpI1O2GqZlxcpCDtxqVun35duITm root@md"; - _sql = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPcSXjDSyVVVdJbpheOhT0fIuOGFk+jsHhjrAVnBNLQV root@sql"; in { "matrix_admin_password.age".publicKeys = users; @@ -27,7 +25,4 @@ in "pushover_user_key.age".publicKeys = users ++ [ _matrix ]; "grafana_admin_password.age".publicKeys = users ++ [ _matrix ]; "grafana_secret_key.age".publicKeys = users ++ [ _matrix ]; - "postgres-matrix-synapse.age".publicKeys = users ++ [ _sql _matrix ]; - "postgres-hedgedoc.age".publicKeys = users ++ [ _sql _md ]; } - 
diff --git a/services/postgres.nix b/services/postgres.nix
index e50f232..75eb281 100644
--- a/services/postgres.nix
+++ b/services/postgres.nix
@@ -10,7 +10,6 @@
 "--locale=C"
 "--encoding=UTF8"
 ];
- settings.listen_addresses = "*";
 };
 postgresqlBackup = {
 enable = true;