Compare commits


No commits in common. "854dace74e992bd86d8e9575581e47982809d5e9" and "782ab24661a8c5db637b4a4b4ede4dc6f994ed1d" have entirely different histories.

9 changed files with 66 additions and 149 deletions


@ -93,14 +93,14 @@
./hosts/matrix ./hosts/matrix
]; ];
}; };
nixosConfigurations."md" = nixpkgs.lib.nixosSystem { nixosConfigurations."hedgedoc" = nixpkgs.lib.nixosSystem {
#system = "x86_64-linux"; #system = "x86_64-linux";
#pkgs = import nixpkgs { inherit system; }; #pkgs = import nixpkgs { inherit system; };
inherit system; inherit system;
modules = [ modules = [
agenix.nixosModules.default agenix.nixosModules.default
{ environment.systemPackages = [ (agenix.packages.${system}.default) ]; } { environment.systemPackages = [ (agenix.packages.${system}.default) ]; }
./hosts/md ./hosts/hedgedoc
]; ];
}; };
nixosConfigurations."sql" = nixpkgs.lib.nixosSystem { nixosConfigurations."sql" = nixpkgs.lib.nixosSystem {
@ -110,22 +110,6 @@
modules = [ modules = [
agenix.nixosModules.default agenix.nixosModules.default
{ environment.systemPackages = [ (agenix.packages.${system}.default) ]; } { environment.systemPackages = [ (agenix.packages.${system}.default) ]; }
{
age.secrets = {
postgres-matrix-synapse = {
file = ./secrets/postgres-matrix-synapse.age;
owner = "postgres";
group = "postgres";
mode = "0400";
};
postgres-hedgedoc = {
file = ./secrets/postgres-hedgedoc.age;
owner = "postgres";
group = "postgres";
mode = "0400";
};
};
}
./hosts/sql ./hosts/sql
]; ];
}; };


@ -0,0 +1,38 @@
{ ... }:
{
imports = [
../common.nix
../../services/openssh.nix
../../services/hedgedoc.nix
];
networking = {
hostName = "hedgedoc";
firewall = {
allowedTCPPorts = [
80 # HTTP/1
443 # HTTP/2
];
allowedUDPPorts = [
443 # HTTP/3
];
};
};
services = {
openssh.banner = ''
__ __ __
/\ \ /\ \ /\ \
\ \ \___ __ \_\ \ __ __ \_\ \ ___ ___
\ \ _ `\ /'__`\ /'_` \ /'_ `\ /'__`\ /'_` \ / __`\ /'___\
\ \ \ \ \/\ __//\ \L\ \/\ \L\ \/\ __//\ \L\ \/\ \L\ \/\ \__/
\ \_\ \_\ \____\ \___,_\ \____ \ \____\ \___,_\ \____/\ \____\
\/_/\/_/\/____/\/__,_ /\/___L\ \/____/\/__,_ /\/___/ \/____/
/\____/
\_/__/
'';
};
system.stateVersion = "25.11";
}
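Review bot: The comments on the `allowedTCPPorts` / `allowedUDPPorts` entries name a protocol version rather than the reason each port is open, and `80 # HTTP/1` reads as if the application is served in plaintext. If port 80 exists only for the HTTP-to-HTTPS redirect or the ACME HTTP-01 challenge (the proxy lives in ../../services/hedgedoc.nix, outside this compare, so this is a guess), say so: `80 # plain HTTP: redirect to HTTPS / ACME challenge`, `443 # HTTPS (HTTP/1.1 and HTTP/2)`, `443 # HTTP/3 (QUIC)`. The sql host module in this same compare sets `firewall.enable = true;` explicitly; doing the same here would keep the two host modules consistent instead of relying on the default.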


@ -1,36 +0,0 @@
{ ... }:
{
imports = [
../common.nix
../../services/openssh.nix
../../services/hedgedoc.nix
];
networking = {
hostName = "md";
firewall = {
allowedTCPPorts = [
80 # HTTP/1
443 # HTTP/2
];
allowedUDPPorts = [
443 # HTTP/3
];
};
};
services = {
openssh.banner = ''
__
/\ \
___ ___ \_\ \
/' __` __`\ /'_` \
/\ \/\ \/\ \/\ \L\ \
\ \_\ \_\ \_\ \___,_\
\/_/\/_/\/_/\/__,_ /
'';
};
system.stateVersion = "25.11";
}


@ -5,15 +5,17 @@
../common.nix ../common.nix
../../services/openssh.nix ../../services/openssh.nix
../../services/postgres.nix ../../services/postgres.nix
./postgres.nix
]; ];
networking = { networking = {
hostName = "sql"; hostName = "sql";
firewall.extraInputRules = '' firewall = {
ip saddr 195.160.173.0/24 ip daddr 195.160.173.15 tcp dport 5432 accept enable = true;
ip6 saddr 2001:678:760:cccb::/64 ip6 daddr 2001:678:760:cccb::15 tcp dport 5432 accept extraInputRules = ''
''; ip saddr 195.160.173.0/24 ip daddr 195.160.173.15 tcp dport 5432 accept
ip6 saddr 2001:678:760:cccb::/64 ip6 daddr 2001:678:760:cccb::15 tcp dport 5432 accept
'';
};
}; };
services = { services = {
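Review bot: The `extraInputRules` lines accept TCP 5432 from the entire 195.160.173.0/24 and 2001:678:760:cccb::/64 ranges, while the pg_hba rules this host gets on the new side (the postgres.nix section of this compare) only admit 195.160.173.15/32 and 2001:678:760:cccb::15/128, so the firewall is wider than the authentication policy. Narrowing `ip saddr` / `ip6 saddr` to the specific client addresses (or a named nftables set) keeps the two in agreement and removes the exposure of the listener to every other machine in the subnet; if the subnet is intentionally trusted, a comment on the `extraInputRules` line saying so would save the next reader the same question. The surrounding module starts before the hunk (`imports` is cut at the top) and continues after `services = {`.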


@ -1,41 +1,8 @@
{ config, pkgs, ... }: { config, ... }:
let let
fqdn = "sql.${config.networking.domain}"; fqdn = "sql.${config.networking.domain}";
# Create postgres-<username> entry in agenix mkEntry = "fancy function that takes a name and IP octed and creates a user, db and auth lines";
# mkEntry <username> <last IP address octet>
entries = [
(mkEntry "matrix-synapse" 25) # matrix.berlin.ccc.de
(mkEntry "hedgedoc" 26) # md.berlin.ccc.de
];
mkEntry = name: octet: {
user = {
name = name;
ensureDBOwnership = true;
};
database = name;
# TYPE DATABASE USER ADDRESS METHOD
auth = ''
#hostssl ${name} ${name} 195.160.173.${toString octet}/32 scram-sha-256
#hostssl ${name} ${name} 2001:678:760:cccb::${toString octet}/128 scram-sha-256
host ${name} ${name} 195.160.173.${toString octet}/32 scram-sha-256
host ${name} ${name} 2001:678:760:cccb::${toString octet}/128 scram-sha-256
'';
};
mkPasswordSQL = e: ''
DO $do$
BEGIN
IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = '${e.user.name}') THEN
EXECUTE format(
'ALTER ROLE %I WITH PASSWORD %L',
'${e.user.name}',
trim(both E'\n' from pg_read_file('${config.age.secrets."postgres-${e.user.name}".path}'))
);
END IF;
END
$do$;
'';
passwordScript = pkgs.writeText "postgres-passwords.sql" (builtins.concatStringsSep "\n" (map mkPasswordSQL entries));
in in
{ {
services = { services = {
@ -47,23 +14,30 @@ in
# }; # };
#}; #};
postgresql = { postgresql = {
enableTCPIP = true; #enableTCPIP = true;
#settings = { #settings = {
# ssl = "on"; # ssl = "on";
# ssl_cert_file = "${config.security.acme.certs."${fqdn}".directory}/server.crt"; # ssl_cert_file = "${config.security.acme.certs."${fqdn}".directory}/server.crt";
# ssl_key_file = "${config.security.acme.certs."${fqdn}".directory}/server.key"; # ssl_key_file = "${config.security.acme.certs."${fqdn}".directory}/server.key";
# ssl_ca_file = "${config.security.acme.certs."${fqdn}".directory}/ca.crt"; # ssl_ca_file = "${config.security.acme.certs."${fqdn}".directory}/ca.crt";
#}; #};
ensureUsers = map (e: e.user) entries; ensureUsers = [
ensureDatabases = map (e: e.database) entries; {
authentication = "${builtins.concatStringsSep "\n" (map (e: e.auth) entries)}"; name = "pda";
ensureDBOwnership = true;
}
];
ensureDatabases = [
"pda"
];
authentication = ''
# TYPE DATABASE USER ADDRESS METHOD
#hostssl pda pda 195.160.173.15/32 scram-sha-256
#hostssl pda pda 2001:678:760:cccb::15/128 scram-sha-256
host pda pda 195.160.173.15/32 scram-sha-256
host pda pda 2001:678:760:cccb::15/128 scram-sha-256
'';
}; };
}; };
systemd.services.postgresql.postStart = ''
${config.services.postgresql.package}/bin/psql \
--dbname=postgres \
--no-password \
--file=${passwordScript}
'';
} }
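Review bot: The new `let` binding `mkEntry = "fancy function that takes a name and IP octed and creates a user, db and auth lines";` is a string that nothing in the module references, so it is a dead placeholder (and "octed" should read "octet"); either drop it or keep the real `mkEntry` function it replaces. The `host pda pda 195.160.173.15/32 scram-sha-256` and `::15/128` lines in the second hunk also look unreachable as configured: `enableTCPIP` is now commented out and the `settings.listen_addresses = "*";` line is removed in the last section of this compare, so PostgreSQL should be back to listening on localhost only, and `ensureUsers` creates `pda` without a password while the removed `postStart` script was the only step that set one, so scram-sha-256 for that role cannot succeed. If network access is intended, set `enableTCPIP = true;` (or an explicit `listen_addresses`), keep a password-provisioning step for `pda`, and prefer the `hostssl` lines over `host` so the session is protected in transit. `fqdn` is now used only inside the commented-out `settings` block, so it is dead as well.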


@ -1,19 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 uH+n1w GLixFnca76xHm803JN+KAIfwV20OBqEDT3FeLeSB2l8
jPB5PyXf/YYeOGDa2TzgiE16n69i5L9hQarnkWo6mmQ
-> ssh-ed25519 EvLbWw EHxXWWxMVJb351HyeCg9ZwhuHa2EsXW9ikj1LEkeyh8
rN9f1ia2ns2vC8Vc0QKcf3JORhe8OKoHwy/2ayLW6Ak
-> ssh-ed25519 dM+fLQ O2+eaJPzd2+2E5mx/zQE4wRu6HBH6u19p23/HvPXrA8
RVLocbh9fM2YvyuAAHZZMlB16xj8nlfUd4XsvBwvZhs
-> ssh-ed25519 jxWM2Q oCQINVqZDm5f7QaJw9iP40FaMjoaXOkM1Ij7N7ntzHs
U8zqYADl+KcvcvF7jmaiuUBl2J2HiMGHvlHgmsf6Ew4
-> ssh-ed25519 /yCUCg Tof5WTA5hxHqGrMgXTIV2hkyw5i+/vxTPrphaZB/JzA
5JDdTlnMTkwb0wccvlrE4OENcGaLKELgrxfbSkeqbkw
-> ssh-ed25519 FGp51g BobAb/lSMY8cTVLcdCCGLOS0iWypf/lM2AMLrcPmdCc
WU8+jDAr1mYBxN9rZvuqQU+lnj8lpvTbsb9ZF9a9/d8
-> ssh-ed25519 I2FcBQ TLJ9nqhcOEfPOOTciWo/ulKuh7GtqZSDDXI4n1JZwRI
ldBwhmJv6Pw4Fmb3C/qz/JsWDbDICaIwyMoTvkMRt0I
-> ssh-ed25519 fEJY/A Ah/JhYfb+AhxVvr/Tuph4f8jPzlD0iIkHM2izcUfNn8
I9p4tl2irCop5p14Cu2mn6QyQRJzKMjSk1bvTSf6SZ4
--- Xy4DryiHOclGL1xaVyK3N3dVLBxr0gYwwTQPZlDNet4
ォ3p<EFBFBD>?ァ€h6<68>{rツノ橇ロ{稔ャ<E7A894>w(鐘<><E99098>uツ枯k{テ]埈チヰ<EFBE81>ュNワcホ<63>YIスE%US<55>RT赧ーJat|.∋、謄\fUレ約及xE<78><45>


@ -1,20 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 uH+n1w 2c8iSQLommYEwAbcdmos5NUTwxq0Syqzi33LKGheIks
69VeTwPvhySw8zAb7/wi5EjK32U4yUWlXtlhzXPo+5w
-> ssh-ed25519 EvLbWw zxAbVUac7j6ymHcR+veJj91wx6empIcESWry5SJAiSA
kQdfHgTcvwJ6cNOhTQ6n7jyfHwDECqhZKwLHA7EwI2Y
-> ssh-ed25519 dM+fLQ FjU1FmRLYxeWuc3fD1J7UEnQBjH2DkwSFTS0OfRdr0s
+nsheCYHFYSRSzn1rsVVZoywCNF4Nf9WwQQVMLXUTyE
-> ssh-ed25519 jxWM2Q 6s7G67QfhbEPc3dsePIJngE8vHK7uzjV6IqAOIAGX1A
RXz2d3Cmb/4bE+UDwamGmDTw4ITwOQdUJAKznbGV67U
-> ssh-ed25519 /yCUCg K7/3N+yqmtldaQGMwxnHbpCj46e0hQ+mlRbkr85uww8
7RIUbgdePKWI8nExPbF8b0tWbnf00iVgLiHf5gNfrj4
-> ssh-ed25519 FGp51g MAxcrUlLbxkEoAx5eb5GR1SB34f5Lo+1Bu4gB+Iuvko
04bv1ugxY1CTKzubwFrffpVGdB7BbWLGP1++NePwAo4
-> ssh-ed25519 I2FcBQ jVCB1GcCPUdGE4lqhx/tJSo6UBqvXXK/PT6MnaOC/QE
QIYELUgsFNronR2LUQz4vhyCwnUXI1CyzpTZcjGXHs0
-> ssh-ed25519 yoCmaA IGin0TzhVwNDaofpoRj5NDqkg1iyCx/CRKfjAH7exXE
jX+SCYwU4jsg8zb7hbQh1Oib1IjnKTwgtAr57RKJgck
--- sbAmUYpaAOgxptAoOv9s3V6jhC7uGq98MkV0plKRu8c
I#‘Ç %ÛOšçtk‡Ãx”錊 ¹IHOêk¼ší¸'hQ"àâ&Ôx»çÓÔ Àh
$§{œÂë9 6×È|D3¡Þ\é…1)<29><>CªûËe=5¦vMch


@ -15,8 +15,6 @@ let
]; ];
_matrix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIApAkkhHLj918co/wUGuyW8WCPYHxsNM4uo32XDEu7VV root@matrix"; _matrix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIApAkkhHLj918co/wUGuyW8WCPYHxsNM4uo32XDEu7VV root@matrix";
_md = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdFkdEEDXo8+k5YZpI1O2GqZlxcpCDtxqVun35duITm root@md";
_sql = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPcSXjDSyVVVdJbpheOhT0fIuOGFk+jsHhjrAVnBNLQV root@sql";
in in
{ {
"matrix_admin_password.age".publicKeys = users; "matrix_admin_password.age".publicKeys = users;
@ -27,7 +25,4 @@ in
"pushover_user_key.age".publicKeys = users ++ [ _matrix ]; "pushover_user_key.age".publicKeys = users ++ [ _matrix ];
"grafana_admin_password.age".publicKeys = users ++ [ _matrix ]; "grafana_admin_password.age".publicKeys = users ++ [ _matrix ];
"grafana_secret_key.age".publicKeys = users ++ [ _matrix ]; "grafana_secret_key.age".publicKeys = users ++ [ _matrix ];
"postgres-matrix-synapse.age".publicKeys = users ++ [ _sql _matrix ];
"postgres-hedgedoc.age".publicKeys = users ++ [ _sql _md ];
} }


@ -10,7 +10,6 @@
"--locale=C" "--locale=C"
"--encoding=UTF8" "--encoding=UTF8"
]; ];
settings.listen_addresses = "*";
}; };
postgresqlBackup = { postgresqlBackup = {
enable = true; enable = true;