diff --git a/flake.lock b/flake.lock
index 5fb7fc2..a772469 100644
--- a/flake.lock
+++ b/flake.lock
@@ -101,11 +101,11 @@
 },
 "nix-secrets": {
 "locked": {
- "lastModified": 1738161184,
- "narHash": "sha256-8ma/3Ynp2AzRm9ER5IqFm3pV05WVf0MtVDKHkxZSftA=",
+ "lastModified": 1738516276,
+ "narHash": "sha256-ZA8mBJ0pogSL+gZYg+DUHJ8Arwi0bBIsLy+/OeHKwvk=",
 "ref": "refs/heads/master",
- "rev": "300319bbe2c60b201e451fc74a49465a2f1c2681",
- "revCount": 28,
+ "rev": "7c110c28d15076b694c534ffda14dcf8f69c98ed",
+ "revCount": 30,
 "type": "git",
 "url": "ssh://git@github.com/TheWanderingCrow/nix-secrets"
 },
diff --git a/modules/users/overseer/acme.nix b/modules/users/overseer/acme.nix
new file mode 100644
index 0000000..65db591
--- /dev/null
+++ b/modules/users/overseer/acme.nix
@@ -0,0 +1,44 @@
+{
+ lib,
+ pkgs,
+ config,
+ ...
+}:
+lib.mkIf config.user.overseer.enable {
+ sops = {
+ secrets = {
+ "aws/access_key" = {};
+ "aws/secret_key" = {};
+ "aws/region" = {};
+ };
+ templates = {
+ "aws_shared_credentials".content = ''
+ [default]
+ aws_access_key_id=${config.sops.placeholder."aws/access_key"}
+ aws_secret_access_key=${config.sops.placeholder."aws/secret_key"}
+ '';
+ "aws_config".content = ''
+ [default]
+ region=${config.sops.placeholder."aws/region"}
+ '';
+ };
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ email = "infrastructure@wanderingcrow.net";
+ dnsProvider = "route53";
+ credentialFiles = {
+ "AWS_SHARED_CREDENTIALS_FILE" = config.sops.templates."aws_shared_credentials".path;
+ };
+ environmentFile = config.sops.templates."aws_config".path;
+ };
+ certs = {
+ "home.wanderingcrow.net" = {};
+ "homebox.wanderingcrow.net" = {};
+ "bar.wanderingcrow.net" = {};
+ "bookstack.wanderingcrow.net" = {};
+ };
+ };
+}
diff --git a/modules/users/overseer/default.nix b/modules/users/overseer/default.nix
index 2ae2dc3..faa4cdd 100644
--- a/modules/users/overseer/default.nix
+++ b/modules/users/overseer/default.nix
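Review bot: `environmentFile` in acme.nix points at the `aws_config` template, but that template is written as an INI file (`[default]` then `region=…`) while the option is consumed as a systemd EnvironmentFile, so `[default]` is not a valid assignment and `region=…` exports a lowercase `region` variable rather than the `AWS_REGION` the AWS SDK reads; the region is therefore most likely never seen by the route53 provider. The smallest fix is to make the template a plain env file, `"aws_config".content = "AWS_REGION=${config.sops.placeholder."aws/region"}\n";`, or to keep the INI form and expose it as `"AWS_CONFIG_FILE" = config.sops.templates."aws_config".path;` inside `credentialFiles` next to `AWS_SHARED_CREDENTIALS_FILE`. `pkgs` is bound in the module arguments but never used, which the other files in this commit already clean up. A short header comment saying that all four certificates are issued by DNS-01 against Route53 with the credentials rendered by sops would help a reader who only opens this file.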
@@ -1,12 +1,9 @@
 {
- lib,
- config,
- ...
-}: {
 imports = [
 ./user.nix
 ./setup.nix
 ./secrets.nix
+ ./acme.nix
 ./services
 ];
 }
diff --git a/modules/users/overseer/services/bar-assistant.nix b/modules/users/overseer/services/bar-assistant.nix
index ed2e9ce..6784b1b 100644
--- a/modules/users/overseer/services/bar-assistant.nix
+++ b/modules/users/overseer/services/bar-assistant.nix
@@ -3,9 +3,7 @@ let
 in
 {
 lib,
- inputs,
 config,
- pkgs,
 ...
 }:
 lib.mkIf config.user.overseer.enable {
@@ -13,16 +11,18 @@ in
 # SECRETS #
 ###########
 
- # Meilisearch secrets
- sops.secrets."meilisearch/masterkey" = {};
- sops.templates."meilisearch-environment".content = ''
- MEILI_MASTER_KEY=${config.sops.placeholder."meilisearch/masterkey"}
- '';
+ sops = {
+ # Meilisearch secrets
+ secrets."meilisearch/masterkey" = {};
+ templates."meilisearch-environment".content = ''
+ MEILI_MASTER_KEY=${config.sops.placeholder."meilisearch/masterkey"}
+ '';
 
- # Bar Assistant secrets
- sops.templates."bar_assistant-env".content = ''
- MEILISEARCH_KEY=${config.sops.placeholder."meilisearch/masterkey"}
- '';
+ # Bar Assistant secrets
+ templates."bar_assistant-env".content = ''
+ MEILISEARCH_KEY=${config.sops.placeholder."meilisearch/masterkey"}
+ '';
+ };
 
 systemd.tmpfiles.rules = [
 "d ${volumePath}/bar-assistant 770 33 33"
diff --git a/modules/users/overseer/services/default.nix b/modules/users/overseer/services/default.nix
index 300dcd3..79b667e 100644
--- a/modules/users/overseer/services/default.nix
+++ b/modules/users/overseer/services/default.nix
@@ -1,8 +1,4 @@
 {
- lib,
- config,
- ...
-}: {
 imports = [
 ./bar-assistant.nix
 ./homebox.nix
diff --git a/modules/users/overseer/services/grocy.nix b/modules/users/overseer/services/grocy.nix
index 248f07e..1fb7d55 100644
--- a/modules/users/overseer/services/grocy.nix
+++ b/modules/users/overseer/services/grocy.nix
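Review bot: The `bar_assistant-env` template in the second bar-assistant hunk hands the application the Meilisearch master key (`MEILISEARCH_KEY=${config.sops.placeholder."meilisearch/masterkey"}`), so Bar Assistant holds full administrative rights over the search engine rather than a key scoped to its own index, and the restructuring into a nested `sops = { … }` block keeps that coupling. If the application only needs to index and query, a dedicated Meilisearch API key kept as its own sops secret would be the least-privilege choice; until one exists, a comment such as `# NOTE: reuses the master key — swap for a scoped API key once provisioned` on that line records the decision. The enclosing `lib.mkIf` block and the `volumePath` binding used by the tmpfiles rule both start outside the hunk.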
@@ -1,16 +1,12 @@
-let
- volumePath = "/overseer/services";
-in
- {
- lib,
- pkgs,
- config,
- ...
- }:
- lib.mkIf config.user.overseer.enable {
- services.grocy = {
- enable = true;
- hostName = "grocy.wanderingcrow.net";
- nginx.enableSSL = false;
- };
- }
+{
+ lib,
+ config,
+ ...
+}:
+lib.mkIf config.user.overseer.enable {
+ services.grocy = {
+ enable = true;
+ hostName = "grocy.wanderingcrow.net";
+ nginx.enableSSL = false;
+ };
+}
diff --git a/modules/users/overseer/services/homebox.nix b/modules/users/overseer/services/homebox.nix
index 27fffd5..d70064f 100644
--- a/modules/users/overseer/services/homebox.nix
+++ b/modules/users/overseer/services/homebox.nix
@@ -1,41 +1,41 @@ { lib, - inputs, config, - pkgs, ... }: lib.mkIf config.user.overseer.enable { - services.restic.backups.homebox = { - user = "root"; - timerConfig = { - OnCalendar = "hourly"; - Persistent = true; + services = { + restic.backups.homebox = { + user = "root"; + timerConfig = { + OnCalendar = "hourly"; + Persistent = true; + }; + paths = [ + "/var/lib/homebox/data" + ]; + repositoryFile = config.sops.secrets."restic/url".path; + passwordFile = config.sops.secrets."restic/key".path; }; - paths = [ - "/var/lib/homebox/data" - ]; - repositoryFile = config.sops.secrets."restic/url".path; - passwordFile = config.sops.secrets."restic/key".path; - }; - services.nginx = { - enable = true; - recommendedProxySettings = true; - virtualHosts = { - "homebox.wanderingcrow.net" = { - locations."/" = { - proxyPass = "http://localhost:7745"; - proxyWebsockets = true; + nginx = { + enable = true; + recommendedProxySettings = true; + virtualHosts = { + "homebox.wanderingcrow.net" = { + locations."/" = { + proxyPass = "http://localhost:7745"; + proxyWebsockets = true; + }; }; }; }; - }; - services.homebox = { - enable = true; - settings = { - HBOX_OPTIONS_ALLOW_REGISTRATION = "true"; + homebox = { + enable = true; + settings = { + HBOX_OPTIONS_ALLOW_REGISTRATION = "true"; + }; }; }; }
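Review bot: `nginx.enableSSL = false;` survives the grocy.nix rewrite, so the vhost the grocy module creates for grocy.wanderingcrow.net is served over plain HTTP, and that name is not among the certificates acme.nix in this commit requests. If the host is reachable beyond the local network, the intended follow-up (an entry under `security.acme.certs` plus `nginx.enableSSL = true;`, or a TLS-terminating proxy in front) deserves to be recorded on that line, e.g. `# TODO: plain HTTP until an ACME cert is issued for this host`.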
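Review bot: The `homebox.wanderingcrow.net` vhost in homebox.nix still carries only `locations."/"` with `proxyPass`, so unless TLS is attached elsewhere nginx serves it over plain HTTP even though acme.nix in this same commit requests a certificate for exactly that name; wiring it up is `forceSSL = true; useACMEHost = "homebox.wanderingcrow.net";` on the vhost, with the nginx user given read access to the certificate directory. `HBOX_OPTIONS_ALLOW_REGISTRATION = "true"` is carried over unchanged and leaves self-registration open to anyone who can reach the vhost, so a comment recording whether that is intentional (`# NOTE: open registration — set to "false" once the initial accounts exist`) would help the next reader. The restic job also runs with `user = "root"`, which the diff keeps as is; a one-line why-comment on that setting would make the choice explicit.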
diff --git a/modules/users/overseer/services/homepage.nix b/modules/users/overseer/services/homepage.nix
index 1f13078..e1df9fa 100644
--- a/modules/users/overseer/services/homepage.nix
+++ b/modules/users/overseer/services/homepage.nix
@@ -1,18 +1,18 @@
 {
 lib,
- inputs,
 config,
- pkgs,
 ...
 }:
 lib.mkIf config.user.overseer.enable {
 # Homepage.dev secrets
- sops.secrets."homepage/openmeteo/lat" = {};
- sops.secrets."homepage/openmeteo/long" = {};
- sops.templates."homepage-environment".content = ''
- HOMEPAGE_VAR_LAT = ${config.sops.placeholder."homepage/openmeteo/lat"}
- HOMEPAGE_VAR_LONG = ${config.sops.placeholder."homepage/openmeteo/long"}
- '';
+ sops = {
+ secrets."homepage/openmeteo/lat" = {};
+ secrets."homepage/openmeteo/long" = {};
+ templates."homepage-environment".content = ''
+ HOMEPAGE_VAR_LAT = ${config.sops.placeholder."homepage/openmeteo/lat"}
+ HOMEPAGE_VAR_LONG = ${config.sops.placeholder."homepage/openmeteo/long"}
+ '';
+ };
 
 services.nginx = {
 enable = true;
diff --git a/modules/users/overseer/services/invidious.nix b/modules/users/overseer/services/invidious.nix
index 48146a4..fa1c435 100644
--- a/modules/users/overseer/services/invidious.nix
+++ b/modules/users/overseer/services/invidious.nix
@@ -1,8 +1,6 @@
 {
 lib,
- inputs,
 config,
- pkgs,
 ...
 }:
 lib.mkIf config.user.overseer.enable {