diff --git a/.gitignore b/.gitignore
index 0f18981..e69de29 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +0,0 @@
-secrets/
\ No newline at end of file
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..4f59156
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,19 @@
+keys:
+  # People
+  - &clara 58EF8D71114EF548DEE3320DE6F04916B6EEBD83
+
+  # Servers
+  - &wireguard age12d8mxwnt0a7gl4uu0uwdqaxuqdf5j7zm50qy5qrhj0kd4ny7luaqv7rj4e
+  - &mcserver age1v98yggaarelrp7z8rljzpf3gm70up4q8460trejmptdpv7gjucrqssjz9h
+  - &zammad age14ukkn4plvnjacvjux929qwpeynxk4cfxw285vlwddqakm43kfyysfdg02c
+  - &forgejo age1vd33efsea2509hm0dwmhkuu7mm2kgw6tsss6lmzsqfg7gat06qyqys3qfh
+
+creation_rules:
+  - path_regex: secrets\/all\/*
+    key_groups:
+      - pgp: [*clara]
+        age: [*wireguard, *mcserver, *zammad, *forgejo]
+  - path_regex: secrets\/wireguard\/*
+    key_groups:
+      - pgp: [*clara]
+        age: [*wireguard]
\ No newline at end of file
diff --git a/configs/container_config.nix b/configs/container_config.nix
index a848ec8..48ff9c4 100644
--- a/configs/container_config.nix
+++ b/configs/container_config.nix
@@ -1,5 +1,17 @@
-{ modulesPath, pkgs, lib, ... }: {
-  imports = [ (modulesPath + "/virtualisation/proxmox-lxc.nix") ];
+{ modulesPath, pkgs, lib, inputs, config, ... }: {
+  imports = [
+    (modulesPath + "/virtualisation/proxmox-lxc.nix")
+    inputs.sops-nix.nixosModules.sops
+  ];
+
+  # set up secret key
+  sops = {
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    defaultSopsFile = ../secrets/all/secrets.yaml;
+    secrets.initial_password_clara = {
+      neededForUsers = true;
+    };
+  };
 
   time.timeZone = "Europe/Berlin";
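Review bot: Both `path_regex` values in `creation_rules` are unanchored and end in `\/*`, which is "a slash, zero or more times", so `secrets\/all\/*` matches the prefix `secrets/all` anywhere in a path and would also pick up a file like `secrets/allx.yaml`, encrypting it to every host key; sops applies the first rule that matches. Make them match files inside the directory, `path_regex: secrets/all/[^/]+\.yaml$` and `path_regex: secrets/wireguard/[^/]+\.yaml$`. Because `secrets/` is dropped from `.gitignore` in this same commit, a decrypted copy left in that directory (an editor backup, a `sops -d` redirect) is now commit-able, so a pre-commit check that every file under `secrets/` contains a `sops:` metadata block is worth adding.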
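Review bot: `defaultSopsFile = ../secrets/all/secrets.yaml` makes every secret declared without an explicit `sopsFile` come from a file that `.sops.yaml` encrypts to all four container host keys, so a compromise of any one container yields every value in that file; that is acceptable for the shared login hash, but per-service secrets should get their own file and `sopsFile`, as `wireguard.nix` does in this commit. The comment `# set up secret key` does not say what the value has to be; since `hashedPasswordFile` consumes it, I would write `# sops-nix, keyed to this host's ed25519 host key. initial_password_clara holds a password *hash* (mkpasswd -m sha-512) and is decrypted before users are created.` Decryption also requires the host key to exist and to be listed as an age recipient before the first deploy; I cannot see from this hunk how a fresh LXC is bootstrapped, so a short note on that in the module header would help the next person who adds a container.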
@@ -22,11 +34,20 @@
   # default user with sudo
   users.users.clara = {
     isNormalUser = true;
-    initialPassword = "123456";
+    hashedPasswordFile = config.sops.secrets.initial_password_clara.path;
     extraGroups = [ "sudo" "wheel" ];
     shell = pkgs.zsh;
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa 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 cardno:11_075_348"
+    ];
   };
 
+  users.motd = ''
+    ##################################
+    Logged in to: ${config.networking.hostName}
+    ##################################
+  '';
+
   # localization stuff
   console.keyMap = "de";
   i18n.defaultLocale = "en_US.UTF-8";
@@ -45,7 +66,7 @@
   # Enable networking
   networking = {
     networkmanager.enable = true;
-
+
     # configure firewall
     firewall = {
       enable = true;
diff --git a/configs/containers/forgejo_container.nix b/configs/containers/forgejo_container.nix
new file mode 100644
index 0000000..920fa15
--- /dev/null
+++ b/configs/containers/forgejo_container.nix
@@ -0,0 +1,19 @@
+{ lib, pkgs, config, ... }: {
+
+  deployment = {
+    targetHost = "192.168.178.60";
+    targetPort = 22;
+    targetUser = "root";
+  };
+  networking.hostName = "forgejo";
+  networking.interfaces.wgbr.ipv4.addresses = [
+    {
+      address = "10.8.1.4";
+      prefixLength = 24;
+    }
+  ];
+  imports = [
+    ../container_config.nix
+    ../services/forgejo.nix
+  ];
+}
diff --git a/configs/containers/zammad_container.nix b/configs/containers/zammad_container.nix
index 04c3e4d..53c0c6e 100644
--- a/configs/containers/zammad_container.nix
+++ b/configs/containers/zammad_container.nix
@@ -1,6 +1,6 @@
 { lib, pkgs, config, ... }: {
   deployment = {
-    targetHost = "192.168.178.50";
+    targetHost = "192.168.178.58";
     targetPort = 22;
     targetUser = "root";
   };
@@ -13,5 +13,6 @@
   ];
   imports = [
     ../container_config.nix
+    ../services/zammad.nix
   ];
 }
diff --git a/configs/services/forgejo.nix b/configs/services/forgejo.nix
index 07e9bae..1ab8775 100644
--- a/configs/services/forgejo.nix
+++ b/configs/services/forgejo.nix
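Review bot: Swapping `initialPassword` for `hashedPasswordFile` changes when the password is applied, not just where it is stored: as I read NixOS's user activation, a defined `hashedPassword`/`hashedPasswordFile` is re-applied on every `switch` even with the default `users.mutableUsers = true`, so a password clara later changes with `passwd` would be reset on the next deploy, which the name `initial_password_clara` suggests is not intended — please confirm, and either rename the secret or document it next to the option, e.g. `# re-applied on every activation; change the password via sops, not passwd`. The old value `123456` remains in git history, so the new hash must not be a hash of it. Now that `openssh.authorizedKeys.keys` deploys what the `cardno:` comment suggests is a smart-card key, SSH password login can be turned off with `services.openssh.settings.PasswordAuthentication = false;`, unless that is already set in the part of the file outside this hunk.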
@@ -1,7 +1,9 @@
 { lib, pkgs, config, ... }: let
   dbname = "forgejo";
-  ssh_port = 2000;
+  ssh_port = 2225;
+  http_port = 3000;
+  domain = "new.git.cdaut.de";
 in
 {
 
@@ -15,8 +17,10 @@ in
     settings = {
       server = {
-        DOMAIN = "192.168.178.50";
+        ROOT_URL = "https://${domain}";
+        DOMAIN = domain;
         SSH_PORT = ssh_port;
+        HTTP_PORT = http_port;
         # important because otherwise ssh doesn't seem to work…
         START_SSH_SERVER = true;
         BUILTIN_SSH_SERVER_USER = "git";
@@ -37,6 +41,6 @@ in
     ensureDatabases = [ dbname ];
   };
 
-  networking.firewall.allowedTCPPorts = [ 3000 ssh_port ];
+  networking.firewall.allowedTCPPorts = [ http_port ssh_port ];
 }
 
diff --git a/configs/services/vaultwarden.nix b/configs/services/vaultwarden.nix
index 56b6789..bc793a3 100644
--- a/configs/services/vaultwarden.nix
+++ b/configs/services/vaultwarden.nix
@@ -10,8 +10,8 @@ in
       ROCKET_ADDRESS = "192.168.178.51";
       DOMAIN = "http://192.168.178.51";
       ROCKET_PORT = port;
-      ADMIN_TOKEN =
+      ADMIN_TOKEN =
+    };
   };
-  };
-  networking.firewall.allowedTCPPorts = [ port ];
-}
+  networking.firewall.allowedTCPPorts = [ port ];
+  }
diff --git a/configs/services/wireguard.nix b/configs/services/wireguard.nix
index 002bf04..13e3be0 100644
--- a/configs/services/wireguard.nix
+++ b/configs/services/wireguard.nix
@@ -5,6 +5,15 @@ in {
     "net.ipv4.ip_forward" = lib.mkDefault true;
     "net.ipv6.conf.all.forwarding" = lib.mkDefault true;
   };
+
+  # set up secret key
+  sops = {
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    secrets.wg_private_key = {
+      sopsFile = ../../secrets/wireguard/secrets.yaml;
+    };
+  };
+
   networking = {
     firewall.allowedUDPPorts = [ wg_port ];
     firewall.rejectPackets = true;
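Review bot: `ROOT_URL = "https://${domain}"` is paired with `HTTP_PORT = http_port` and, in the last hunk, with opening that port in the firewall, while no `HTTP_ADDR` or `PROTOCOL` is set, so Forgejo itself still serves plain HTTP on 3000 on every interface and TLS has to come from a reverse proxy that is not in this diff. If that proxy reaches the container over the VPN bridge, bind the listener to that side, e.g. `HTTP_ADDR = "10.8.1.4";` (the address `forgejo_container.nix` assigns to `wgbr`), so the cleartext port is not reachable from the LAN. Behind a proxy Forgejo only honours `X-Forwarded-For` from addresses in `[security] REVERSE_PROXY_TRUSTED_PROXIES` (loopback by default), so the proxy's address belongs there or rate limiting and logs will attribute every request to the proxy. Moving `ssh_port` from 2000 to 2225 in the first hunk also moves the builtin server's listener (`SSH_LISTEN_PORT` defaults to `SSH_PORT`), so existing clone remotes need updating.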
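Review bot: `ADMIN_TOKEN` is still set inline in `services.vaultwarden.config` (its value has been stripped from this listing), and the module turns that attribute set into the unit's environment, which lands in the world-readable Nix store, so any local user on the host can read the admin token; this commit introduces sops-nix but does not use it here. Move it out with `services.vaultwarden.environmentFile = config.sops.secrets.vaultwarden_env.path;` and a sops secret whose content is `ADMIN_TOKEN=…` (systemd reads `EnvironmentFile` as root, so the default `root`/`0400` is fine), or at least replace the raw token with the Argon2 PHC string that `vaultwarden hash` prints. The rest of the hunk is a re-indentation, and the new last line `}` is indented under a `let … in` header that presumably stays at column 0, so a formatter pass would settle that. `DOMAIN = "http://192.168.178.51"` is unchanged context, but a password vault served over plain HTTP deserves its own follow-up.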
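Review bot: `sops.age.sshKeyPaths` is set here to the same value that `container_config.nix` sets in this commit; it is a list option, so if `wg_container.nix` imports `container_config.nix` like `forgejo_container.nix` and `zammad_container.nix` do (I can only infer that from the pattern), the two definitions merge and the host key is listed twice, which is harmless but misleading about where the key comes from. Drop the `age.sshKeyPaths` line here and keep only the secret declaration, and have the comment say what the block is for: `# WireGuard private key, encrypted only to this host (secrets/wireguard); exposed at sops.secrets.wg_private_key.path`. Leaving the secret at the default `root`/`0400` is right since the `wireguard-*` units run as root.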
@@ -25,8 +34,8 @@ in {
       address = [ "10.8.1.1/16" ];
       listenPort = wg_port; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
-      # Path to the private key file.
-      privateKeyFile = "/root/privkey";
+      # Path to the private key file (see sops).
+      privateKeyFile = "/run/secrets/wg_private_key";
       peers = [
         # For a client configuration, one peer entry for the server will suffice.
diff --git a/configs/services/zammad.nix b/configs/services/zammad.nix
new file mode 100644
index 0000000..d22ca16
--- /dev/null
+++ b/configs/services/zammad.nix
@@ -0,0 +1,15 @@
+{ lib, pkgs, config, ... }: {
+  services.zammad = {
+    enable = true;
+    openPorts = true;
+    host = "10.8.1.3";
+    database.createLocally = true;
+    redis.createLocally = true;
+  };
+
+
+  networking.firewall.allowedTCPPorts = [
+    config.services.zammad.port
+    config.services.zammad.websocketPort
+  ];
+}
diff --git a/flake.lock b/flake.lock
index 700d0e9..51819f4 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1741851582, - "narHash": "sha256-cPfs8qMccim2RBgtKGF+x9IBCduRvd/N5F4nYpU0TVE=", + "lastModified": 1744463964, + "narHash": "sha256-LWqduOgLHCFxiTNYi3Uj5Lgz0SR+Xhw3kr/3Xd0GPTM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6607cf789e541e7873d40d3a8f7815ea92204f32", + "rev": "2631b0b7abcea6e640ce31cd78ea58910d31e650", "type": "github" }, "original": {
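Review bot: `privateKeyFile = "/run/secrets/wg_private_key"` hard-codes the sops-nix runtime path, while `container_config.nix` in this same commit references its secret as `config.sops.secrets.….path`; use the same form here, `privateKeyFile = config.sops.secrets.wg_private_key.path;`, so the path follows the option if the secrets directory ever changes (the enclosing `networking.wireguard.interfaces` block starts and ends outside this hunk, so `config` has to be in the module's argument set). If the key material was copied from `/root/privkey` rather than regenerated when it moved into sops, the old plaintext file should be removed (`shred -u /root/privkey`) and, ideally, the key rotated with the peers updated, since the unencrypted copy lived on the same disk.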
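Review bot: `openPorts = true` and the explicit `networking.firewall.allowedTCPPorts` list open the same two ports twice — as far as I can tell from the module, `services.zammad.openPorts` already adds `port` and `websocketPort` to the firewall — so one of the two is redundant and they can drift apart. Since `host = "10.8.1.3"` pins the listener to the VPN-side address, the cleaner form is to drop `openPorts` and scope the rule to that interface, `networking.firewall.interfaces.wgbr.allowedTCPPorts = [ config.services.zammad.port config.services.zammad.websocketPort ];`, which `openPorts` cannot express. Zammad serves plain HTTP on these ports, so a TLS-terminating proxy is presumably in front; a one-line comment saying so would help the next reader.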
@@ -16,9 +16,44 @@ "type": "github" } }, + "nixpkgs_2": { + "locked": { + "lastModified": 1744502386, + "narHash": "sha256-QAd1L37eU7ktL2WeLLLTmI6P9moz9+a/ONO8qNBYJgM=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "f6db44a8daa59c40ae41ba6e5823ec77fe0d2124", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "root": { "inputs": { - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs", + "sops-nix": "sops-nix" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1744669848, + "narHash": "sha256-pXyanHLUzLNd3MX9vsWG+6Z2hTU8niyphWstYEP3/GU=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "61154300d945f0b147b30d24ddcafa159148026a", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } } } },
diff --git a/flake.nix b/flake.nix
index 9ce2413..3633fa9 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,13 +1,15 @@
 {
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    sops-nix.url = "github:Mic92/sops-nix";
   };
 
-  outputs = { nixpkgs, ... }: {
+  outputs = { nixpkgs, sops-nix, ... } @ inputs: {
     colmena = {
       meta = {
         nixpkgs = import nixpkgs { system = "x86_64-linux"; };
+        specialArgs = { inherit inputs; };
       };
 
       mcserver = import ./configs/containers/mc_container.nix;
@@ -15,6 +17,8 @@
       wireguard = import ./configs/containers/wg_container.nix;
       zammad = import ./configs/containers/zammad_container.nix;
+
+      forgejo = import ./configs/containers/forgejo_container.nix;
     };
   };
 }
diff --git a/secrets/all/secrets.yaml b/secrets/all/secrets.yaml
new file mode 100644
index 0000000..f4d7cba
--- /dev/null
+++ b/secrets/all/secrets.yaml
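Review bot: `sops-nix.url = "github:Mic92/sops-nix"` is added without `sops-nix.inputs.nixpkgs.follows = "nixpkgs";`, and the lock file in this commit shows the consequence: a second `nixpkgs_2` node at a different revision (`f6db44a…` versus the root's `2631b0b…`), so the sops tooling is built from a nixpkgs you do not otherwise track or review. Add `sops-nix.inputs.nixpkgs.follows = "nixpkgs";` under `inputs` and re-lock so there is a single pinned nixpkgs. The unpinned `github:Mic92/sops-nix` ref is acceptable because the lock pins the rev, so updates only arrive through a deliberate `nix flake update`.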
@@ -0,0 +1,64 @@ +initial_password_clara: ENC[AES256_GCM,data:ux8zKQbsw52SDMjX4wyXFp445vbCV4eFdvAJNzYSb3YMxbVWlBTV3KaEFYW0dKFwUvvserHPfyXmFgXJJ5Lx+D+49b8s8mVZqwVs,iv:2c8I40749+bXnwHJ2Gnjkv8a/AtV1P30sCE113jZcH4=,tag:b8kmLLZ80lytRH4dAl6tpg==,type:str] +sops: + age: + - recipient: age12d8mxwnt0a7gl4uu0uwdqaxuqdf5j7zm50qy5qrhj0kd4ny7luaqv7rj4e + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAweHFOQWNaTGxLTTVNWlpw + UUdZYklScktnL3QvM0xLMTkrTmpYTG1ocXdzCnlPNVdkQ1FwZ21wUlhiOXpCSmV2 + R0Q4RGlTNWRybTFRU1ZnK3VEU0NWUVkKLS0tIGFNRzVDMnkvRXhLTzMwVEpONGFr + RGFIVDZyL0dSTWNDMDZEWEJIamxRMDgKBeRdsbub+XhYKyCkpo9x1yXXqha7PP/s + /nzUyMNqDB7Fh5K9xY2BRxwpxIKYWpzFPjybt5mHL1NxbYheGle5hA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1v98yggaarelrp7z8rljzpf3gm70up4q8460trejmptdpv7gjucrqssjz9h + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzaWxRVVd3bU84bGwrZk5F + blgyRnd3MmdSdGtaWHdnVVVIeUs5dGNkVDJVCmo1MU9PeVRrNEZzcHhKUVk1OXlG + MDNCRCtCOERnQmtmUmt4YXlWTVl1dmcKLS0tIGZiYnlveWlKd2VZaVhNaUtlWlVK + UXkzL3k4YW5ESGRza0hURC9wR0o3RGMKsvc9zCQ323d/eSP9vVDiYTNgZrNmVvfE + +GfDEc/4+OpG+RRmMrXvlvCYRof56ywWZJr9tpAlunZ/t8vHRCUJow== + -----END AGE ENCRYPTED FILE----- + - recipient: age14ukkn4plvnjacvjux929qwpeynxk4cfxw285vlwddqakm43kfyysfdg02c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0YjhORkRmWk9pOVV6cUpo + RVRpNmhzWS9pZDMxTXViMDFLSVNYR1F5NkZZCnFCb0Q3QjMzNk5WVkM3K1JYYjJ4 + c1VER25FVUtyWHFpcVpKdUJ0YlhSTEEKLS0tIEF6a1dJY2JmelQyVzd4Mk9SK0R2 + WFZHdVZiMVdaNHFhTVZGMzdYRTl3ZU0K6yMpKKXKIaYHxR1cAHam7jogZShH5xsK + c43sMBz/WxHjvmI9TCNyxnkvgwC6kJUpV9vABduJg2INjkLltjNc/Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age1vd33efsea2509hm0dwmhkuu7mm2kgw6tsss6lmzsqfg7gat06qyqys3qfh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPelBOdktOV3Naa1ZWdlFv + N1c1clFsZTlkbVlpYU81L3Y3L2UxTTJMaUdNCnJYd3Y0YWpRNTRsTkt4Q0ppblVB + 
K01HSzgvQ1lIaUNSR2lJZWY4NG1tL28KLS0tIGVjZ0svVlFrK1h1NFViVmV0bk5Q + MW5ZTWQwZy9iQnFNL2dRalM3VSswVkEKcE2M6Ph8d+7BafgjlARITRbxivOajQ3H + 7evjNzFDqga/AZ1rLG+5anuD2giAKVZGok10NvDroCKkobUpsXd6jQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-04-17T14:15:59Z" + mac: ENC[AES256_GCM,data:QBoeoWS2eoUjbXm40OLk8vxpdZRUkLgVLPQ6AX9JaYVLl4+reefFw269yngF2ZATBniuYLBHNhkSjOYttC+J7M2Zt8cQhhj4G2TFt7JkYHQRtkbuoa9ZiP3Oi3Jaj6z0w3cHsyMT+fBBdr02winxf8QggYHGmvcK8QXoayccyl8=,iv:lG94yszjtq1tDYrNM+xt5ehdrNYO6M+oqZg/Qg/cO4g=,tag:K3Cr7DySQ02fgHOaVtYmDA==,type:str] + pgp: + - created_at: "2025-04-17T14:15:33Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAzwtBoBqH5ZOAQ/9Gx1uySXuafWQT/xz2b4yY37t3ZKE5SE4LxKoyOPXRhWR + yVISxG9MBrYeDe7DR4QYJ5KVpKUui/TMKv5+SFiDvlxgQdWVA2PZ2KXgGK0KDDEk + cOn3YNGLHpZL4ZHwAlbgeNWFjT/A99logCnv7D4VocAX9k+AMSh5ZQqI5HLmBHfO + ZQOugRfGDI28D/iH/8LUXoK+l6VDX3CLt0xfQmNN81q2IQzb2NK9GZvj5qyILR3c + MMzGDMU1pw0OWCZWZDRCE5YA71mrvflGOQPo3/JPsVg1Qr8l6TbGjbFwKlYUgGDU + JTSsZ1ATKjzbWg7KSdrBgztWHcSDdrCW1yytUh9uoJks2UHGdfb060k9DH99IYXk + +u5DutiPqiz8xwn5YHetO3SaJjJA9uIODQ+Em7ElZ+XbY81NIlhbdT8DZKdDHmOx + ozFIs5r1glRaojo8Yc9fym0j8cZ6Dr6rkD+nbgwzRCuUucuzOILIPrutdUSgdpbp + LnK8ScJnOBsF3AhKuOB4Qhnb6Q0ooT8Zt+R2uDdezfACFMa6nW95MP4sPYPqy7ee + ZGuWOaMGQ1Cn9Ck3nBCn8hROzHwp9pv56mqVIKu+oWCGsFm9GUZ5XFvZxez6Kq// + SVhH/qbV3RElBj/Q8u4Xcbl3ZNnHbMhvi/Xe2Ji64orZkzjHrsViB6KXR6uzY/7S + XAF4UTbjzSVkqbZ+IKQbkhoM62YQpT1bOgMk9djNFilauKRqD5x3eKTyuooOnMGh + jVjxulE755eSO6qvATN/P7OIXzaPKI+HSPcdm0WH8ZXVTXrZjkeO7D7gCfh/ + =qTot + -----END PGP MESSAGE----- + fp: 58EF8D71114EF548DEE3320DE6F04916B6EEBD83 + unencrypted_suffix: _unencrypted + version: 3.10.1 diff --git a/secrets/wireguard/secrets.yaml b/secrets/wireguard/secrets.yaml new file mode 100644 index 0000000..6f5c8bf --- /dev/null +++ b/secrets/wireguard/secrets.yaml 
@@ -0,0 +1,37 @@ +wg_private_key: ENC[AES256_GCM,data:51eBmT70Y0dMcTs/tIZrLpPoXsC7YBcbKLl5UPnRp7iEw+ZSpSnrSrKI/uQ=,iv:ULxRzi1bv74WINeDtcw0LrSuquQfQuZTYz+n2eH1nCk=,tag:79oVQvpnYHihdQZviiClvg==,type:str] +sops: + age: + - recipient: age12d8mxwnt0a7gl4uu0uwdqaxuqdf5j7zm50qy5qrhj0kd4ny7luaqv7rj4e + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNaUM0RHNTck5PMWtWcnh6 + R2dpSElSUjhheWZCazBDL2VtcXNLL2VCOW5RCmZIVVNkbi9hWnpMcjFGMldrWjVC + alhIMmZLZWVGam9Ld1ZIdjNvcm4xbGcKLS0tIEtYQ2RDWWtNSlpibmJXZHRQdlVD + ZFhFdHpSbkFSaTc2VmUyeHUwalZCVUUKNMDMcyrV2J2zhX/m6W5pIzp5YoQlPdKY + 0QA7RYTQQIBuu0C19+E3VlpU0eMHupsTpqTHMA6RNSwY3wyyV10hrA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-04-15T06:32:59Z" + mac: ENC[AES256_GCM,data:tJpQdvPndAmv9AG81vYlD7Bgf+/np2uOBZ4AjgBJc3D9l80Rb+BVS5DPjFpVhOiIxe5vrKDKfiYAe2Ke6x5F9bE6vIC7CA5pN2oAQ/h5K4wwyCrjCSPMqkjv3KB+a2EFKeX2JRHeGfz+RMMYjnk8lhG9DdxZT9q1T9TyKdFchbc=,iv:bY/hNb3QvCKC0bmtCWZeb4cNgbXNCAWcFhAuKQI4WPM=,tag:3MJGVP4aLuFrZ46rwOS0EA==,type:str] + pgp: + - created_at: "2025-04-15T06:28:27Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAzwtBoBqH5ZOAQ//cOhooxvYdj++jbDDcv6w70gh3K62r5AcBf5iEXgtbHcZ + Ag0qQpGxb6dySyys/++//fRizVTokQUd+zFHMX8ppMri7JHlw0ioX7GvUAwlW2jE + 6nibHvbJFYEJ2xIunGHJwJ98ryPp65qdP0wCyMsdzCc+UOzgKeeyi3NccYbQXYCK + 0aQ0VnDHh0OF1B9vLbBCSaCfZstTCG8ADnK6FzANipoMoU8KytFdUqjj3zZxNwfx + 9lgZocFoNm7Kx4Uv5r0DXKrJe56q0UJPFMkDnPoRp8YRU9h7tt2yUvBL9lJyIoFy + D/eKIPokM4CjeqByecDfsRTlmmFLRPPoLXHWklcJFkmapfW/c3jmsUhZwq8WAaSa + LxtFkesveyXhn/xuL6uWWTtmGdmwk4gJ0QIDDlDhGrrkuHSgRqb+2wI90pIggmHS + tZvsSfT16FOWuWgO5Fx+PQqNLT2vvMnsVxFkWeNdvpQ1sBd3BPZiwE48pVaTNQwH + 2NNYY4gZPxKFPsj1CesPVa8x2jskguYMZ8Mo4O3GSn77jKbaj+GtrBSy+TE2dSJ7 + k7LEuqtnmGBE1JrsEeXXWmVAnY3mWcaTKmljFOSBOT9/jJPUATTbuB0CCIdlsxlB + O3egc9x5VRgYshBnznw/IipLFUGBD0idUFwch+ijPyLk3efhFDXuvId22IPfmjDS + XgH83/dkii+PTK0tNdtaeIx8zEtamRlS8UYSE8f/Oko78X2O7Vy/wRpdAgs9RslB + VP1Ti9J3yFvo6mhFZg4Mm//WFa8dsMbphjoKKAqrHP0Qa4Z2O5GJvUMkKC0Gy1s= + =pswU + 
-----END PGP MESSAGE----- + fp: 58EF8D71114EF548DEE3320DE6F04916B6EEBD83 + unencrypted_suffix: _unencrypted + version: 3.10.1