From df3510700186b3e58c4e2756cbce8ca3ce5a415b Mon Sep 17 00:00:00 2001
From: Clara Dautermann
Date: Tue, 8 Apr 2025 19:06:54 +0200
Subject: [PATCH 01/10] zammad setup

---
 configs/containers/zammad_container.nix | 3 ++-
 configs/services/zammad.nix | 15 +++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100644 configs/services/zammad.nix

diff --git a/configs/containers/zammad_container.nix b/configs/containers/zammad_container.nix
index 04c3e4d..53c0c6e 100644
--- a/configs/containers/zammad_container.nix
+++ b/configs/containers/zammad_container.nix
@@ -1,6 +1,6 @@
 { lib, pkgs, config, ... }: {
 deployment = {
- targetHost = "192.168.178.50";
+ targetHost = "192.168.178.58";
 targetPort = 22;
 targetUser = "root";
 };
@@ -13,5 +13,6 @@
 ];
 imports = [
 ../container_config.nix
+ ../services/zammad.nix
 ];
 }
diff --git a/configs/services/zammad.nix b/configs/services/zammad.nix
new file mode 100644
index 0000000..d22ca16
--- /dev/null
+++ b/configs/services/zammad.nix
@@ -0,0 +1,15 @@
+{ lib, pkgs, config, ... }: {
+ services.zammad = {
+ enable = true;
+ openPorts = true;
+ host = "10.8.1.3";
+ database.createLocally = true;
+ redis.createLocally = true;
+ };
+
+
+ networking.firewall.allowedTCPPorts = [
+ config.services.zammad.port
+ config.services.zammad.websocketPort
+ ];
+}
From d51709f0cde9850318726a5797d0dd2de47e4d42 Mon Sep 17 00:00:00 2001
From: Clara Dautermann
Date: Mon, 14 Apr 2025 14:09:10 +0200
Subject: [PATCH 02/10] added sops-nix

---
 configs/container_config.nix | 9 ++++++---
 flake.lock | 37 +++++++++++++++++++++++++++++++++++-
 flake.nix | 4 +++-
 3 files changed, 45 insertions(+), 5 deletions(-)

diff --git a/configs/container_config.nix b/configs/container_config.nix
index a848ec8..ceb8281 100644
--- a/configs/container_config.nix
+++ b/configs/container_config.nix
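Review bot: In the new configs/services/zammad.nix, `openPorts = true;` and the explicit `networking.firewall.allowedTCPPorts = [ config.services.zammad.port config.services.zammad.websocketPort ];` open the same two ports twice — as far as I recall the NixOS zammad module's openPorts adds exactly those to allowedTCPPorts — so one of them should go; I would keep the explicit list, which documents what is exposed, and drop `openPorts = true;`. The `host = "10.8.1.3";` line deserves a comment, since it is the bind address and 10.8.1.x is the WireGuard range used by the other containers in this series, e.g. `# bind address: the container's WireGuard-side address, not the LAN interface`. The double blank line before the firewall block is a leftover.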
@@ -1,5 +1,8 @@
-{ modulesPath, pkgs, lib, ... }: {
- imports = [ (modulesPath + "/virtualisation/proxmox-lxc.nix") ];
+{ modulesPath, pkgs, lib, inputs, ... }: {
+ imports = [
+ (modulesPath + "/virtualisation/proxmox-lxc.nix")
+ inputs.sops-nix.nixosModules.sops
+ ];
 time.timeZone = "Europe/Berlin";
@@ -45,7 +48,7 @@
 # Enable networking
 networking = {
 networkmanager.enable = true;
-
+
 # configure firewall
 firewall = {
 enable = true;
diff --git a/flake.lock b/flake.lock
index 700d0e9..9482ff1 100644
--- a/flake.lock
+++ b/flake.lock
@@ -16,9 +16,44 @@ "type": "github" } }, + "nixpkgs_2": { + "locked": { + "lastModified": 1743689281, + "narHash": "sha256-y7Hg5lwWhEOgflEHRfzSH96BOt26LaYfrYWzZ+VoVdg=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "2bfc080955153be0be56724be6fa5477b4eefabb", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "root": { "inputs": { - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs", + "sops-nix": "sops-nix" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1744103455, + "narHash": "sha256-SR6+qjkPjGQG+8eM4dCcVtss8r9bre/LAxFMPJpaZeU=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "69d5a5a4635c27dae5a742f36108beccc506c1ba", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" } } },
diff --git a/flake.nix b/flake.nix
index 9ce2413..5626a7e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,13 +1,15 @@
 {
 inputs = {
 nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+ sops-nix.url = "github:Mic92/sops-nix";
 };
- outputs = { nixpkgs, ... }: {
+ outputs = { nixpkgs, sops-nix, ... } @ inputs: {
 colmena = {
 meta = {
 nixpkgs = import nixpkgs { system = "x86_64-linux"; };
+ specialArgs = { inherit inputs; };
 };
 mcserver = import ./configs/containers/mc_container.nix;
From 30156bad3384ba7d1ccca49dc618a87390510282 Mon Sep 17 00:00:00 2001
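Review bot: The new `sops-nix.url = "github:Mic92/sops-nix";` input in flake.nix is not told to reuse this flake's nixpkgs, which is why the flake.lock hunk in the same commit grows a second `nixpkgs_2` node under the `sops-nix` inputs; add `sops-nix.inputs.nixpkgs.follows = "nixpkgs";` next to the url so only one nixpkgs tree is locked, evaluated and audited. The `outputs` function in the flake.nix hunk continues past the hunk's last line.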
From: Clara Dautermann
Date: Tue, 15 Apr 2025 08:43:01 +0200
Subject: [PATCH 03/10] sops-nix setup

---
 .gitignore | 1 -
 .sops.yaml | 15 ++++++++++++++
 configs/services/wireguard.nix | 12 +++++++++--
 secrets/wireguard/secrets.yaml | 37 ++++++++++++++++++++++++++++++++++
 4 files changed, 62 insertions(+), 3 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 secrets/wireguard/secrets.yaml

diff --git a/.gitignore b/.gitignore
index 0f18981..e69de29 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +0,0 @@
-secrets/
\ No newline at end of file
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..40c5b6e
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,15 @@
+keys:
+ # People
+ - &clara 58EF8D71114EF548DEE3320DE6F04916B6EEBD83
+
+ # Servers
+ - &wireguard age12d8mxwnt0a7gl4uu0uwdqaxuqdf5j7zm50qy5qrhj0kd4ny7luaqv7rj4e
+
+creation_rules:
+ - path_regex: secrets\/all\/*
+ key_groups:
+ - pgp: [*clara]
+ - path_regex: secrets\/wireguard\/*
+ key_groups:
+ - pgp: [*clara]
+ age: [*wireguard]
\ No newline at end of file
diff --git a/configs/services/wireguard.nix b/configs/services/wireguard.nix
index 002bf04..42b2af9 100644
--- a/configs/services/wireguard.nix
+++ b/configs/services/wireguard.nix
@@ -5,6 +5,14 @@ in {
 "net.ipv4.ip_forward" = lib.mkDefault true;
 "net.ipv6.conf.all.forwarding" = lib.mkDefault true;
 };
+
+ # set up secret key
+ sops = {
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ defaultSopsFile = ../../secrets/wireguard/secrets.yaml;
+ secrets.wg_private_key = { };
+ };
+
 networking = {
 firewall.allowedUDPPorts = [ wg_port ];
 firewall.rejectPackets = true;
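Review bot: The `path_regex: secrets\/all\/*` and `path_regex: secrets\/wireguard\/*` patterns in the new .sops.yaml read like globs, but sops treats the field as a regular expression: `\/*` means zero or more slashes, so each rule matches any path that merely contains `secrets/all` or `secrets/wireguard`, and sops uses the first rule that matches. Nothing collides with the two rules as written, but the matched rule decides which keys can decrypt a file, so I would make them exact: `path_regex: secrets/all/[^/]+\.yaml$` and `path_regex: secrets/wireguard/[^/]+\.yaml$`. The same commit drops `secrets/` from .gitignore, which is fine now that the directory holds only sops-encrypted files; a one-line comment at the top of .sops.yaml saying so would spare the next reader the question.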
@@ -25,8 +33,8 @@ in {
 address = [ "10.8.1.1/16" ];
 listenPort = wg_port; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
- # Path to the private key file.
- privateKeyFile = "/root/privkey";
+ # Path to the private key file (see sops).
+ privateKeyFile = "/run/secrets/wg_private_key";
 peers = [
 # For a client configuration, one peer entry for the server will suffice.
diff --git a/secrets/wireguard/secrets.yaml b/secrets/wireguard/secrets.yaml
new file mode 100644
index 0000000..6f5c8bf
--- /dev/null
+++ b/secrets/wireguard/secrets.yaml
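Review bot: `privateKeyFile = "/run/secrets/wg_private_key";` hard-codes the location sops-nix happens to place secrets in instead of asking the module for it; a later commit in this series (configs/container_config.nix) uses `config.sops.secrets.<name>.path`, so for consistency and to survive a change of sops-nix's secrets directory this line should be `privateKeyFile = config.sops.secrets.wg_private_key.path;`. Whether `config` is among this file's module arguments is not visible in the hunk, so the argument set at the top of the file may need it added. The interface definition holding `address`, `listenPort` and `peers` starts and ends outside the hunk.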
@@ -0,0 +1,37 @@ +wg_private_key: ENC[AES256_GCM,data:51eBmT70Y0dMcTs/tIZrLpPoXsC7YBcbKLl5UPnRp7iEw+ZSpSnrSrKI/uQ=,iv:ULxRzi1bv74WINeDtcw0LrSuquQfQuZTYz+n2eH1nCk=,tag:79oVQvpnYHihdQZviiClvg==,type:str] +sops: + age: + - recipient: age12d8mxwnt0a7gl4uu0uwdqaxuqdf5j7zm50qy5qrhj0kd4ny7luaqv7rj4e + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNaUM0RHNTck5PMWtWcnh6 + R2dpSElSUjhheWZCazBDL2VtcXNLL2VCOW5RCmZIVVNkbi9hWnpMcjFGMldrWjVC + alhIMmZLZWVGam9Ld1ZIdjNvcm4xbGcKLS0tIEtYQ2RDWWtNSlpibmJXZHRQdlVD + ZFhFdHpSbkFSaTc2VmUyeHUwalZCVUUKNMDMcyrV2J2zhX/m6W5pIzp5YoQlPdKY + 0QA7RYTQQIBuu0C19+E3VlpU0eMHupsTpqTHMA6RNSwY3wyyV10hrA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-04-15T06:32:59Z" + mac: ENC[AES256_GCM,data:tJpQdvPndAmv9AG81vYlD7Bgf+/np2uOBZ4AjgBJc3D9l80Rb+BVS5DPjFpVhOiIxe5vrKDKfiYAe2Ke6x5F9bE6vIC7CA5pN2oAQ/h5K4wwyCrjCSPMqkjv3KB+a2EFKeX2JRHeGfz+RMMYjnk8lhG9DdxZT9q1T9TyKdFchbc=,iv:bY/hNb3QvCKC0bmtCWZeb4cNgbXNCAWcFhAuKQI4WPM=,tag:3MJGVP4aLuFrZ46rwOS0EA==,type:str] + pgp: + - created_at: "2025-04-15T06:28:27Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAzwtBoBqH5ZOAQ//cOhooxvYdj++jbDDcv6w70gh3K62r5AcBf5iEXgtbHcZ + Ag0qQpGxb6dySyys/++//fRizVTokQUd+zFHMX8ppMri7JHlw0ioX7GvUAwlW2jE + 6nibHvbJFYEJ2xIunGHJwJ98ryPp65qdP0wCyMsdzCc+UOzgKeeyi3NccYbQXYCK + 0aQ0VnDHh0OF1B9vLbBCSaCfZstTCG8ADnK6FzANipoMoU8KytFdUqjj3zZxNwfx + 9lgZocFoNm7Kx4Uv5r0DXKrJe56q0UJPFMkDnPoRp8YRU9h7tt2yUvBL9lJyIoFy + D/eKIPokM4CjeqByecDfsRTlmmFLRPPoLXHWklcJFkmapfW/c3jmsUhZwq8WAaSa + LxtFkesveyXhn/xuL6uWWTtmGdmwk4gJ0QIDDlDhGrrkuHSgRqb+2wI90pIggmHS + tZvsSfT16FOWuWgO5Fx+PQqNLT2vvMnsVxFkWeNdvpQ1sBd3BPZiwE48pVaTNQwH + 2NNYY4gZPxKFPsj1CesPVa8x2jskguYMZ8Mo4O3GSn77jKbaj+GtrBSy+TE2dSJ7 + k7LEuqtnmGBE1JrsEeXXWmVAnY3mWcaTKmljFOSBOT9/jJPUATTbuB0CCIdlsxlB + O3egc9x5VRgYshBnznw/IipLFUGBD0idUFwch+ijPyLk3efhFDXuvId22IPfmjDS + XgH83/dkii+PTK0tNdtaeIx8zEtamRlS8UYSE8f/Oko78X2O7Vy/wRpdAgs9RslB + VP1Ti9J3yFvo6mhFZg4Mm//WFa8dsMbphjoKKAqrHP0Qa4Z2O5GJvUMkKC0Gy1s= + =pswU + 
-----END PGP MESSAGE----- + fp: 58EF8D71114EF548DEE3320DE6F04916B6EEBD83 + unencrypted_suffix: _unencrypted + version: 3.10.1 From 05a89fe0f231e8aec531da1cd7b4dbef465ea3d6 Mon Sep 17 00:00:00 2001 From: Clara Dautermann Date: Tue, 15 Apr 2025 08:44:52 +0200 Subject: [PATCH 04/10] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/6607cf789e541e7873d40d3a8f7815ea92204f32?narHash=sha256-cPfs8qMccim2RBgtKGF%2Bx9IBCduRvd/N5F4nYpU0TVE%3D' (2025-03-13) → 'github:NixOS/nixpkgs/2631b0b7abcea6e640ce31cd78ea58910d31e650?narHash=sha256-LWqduOgLHCFxiTNYi3Uj5Lgz0SR%2BXhw3kr/3Xd0GPTM%3D' (2025-04-12) • Updated input 'sops-nix': 'github:Mic92/sops-nix/69d5a5a4635c27dae5a742f36108beccc506c1ba?narHash=sha256-SR6%2BqjkPjGQG%2B8eM4dCcVtss8r9bre/LAxFMPJpaZeU%3D' (2025-04-08) → 'github:Mic92/sops-nix/61154300d945f0b147b30d24ddcafa159148026a?narHash=sha256-pXyanHLUzLNd3MX9vsWG%2B6Z2hTU8niyphWstYEP3/GU%3D' (2025-04-14) • Updated input 'sops-nix/nixpkgs': 'github:NixOS/nixpkgs/2bfc080955153be0be56724be6fa5477b4eefabb?narHash=sha256-y7Hg5lwWhEOgflEHRfzSH96BOt26LaYfrYWzZ%2BVoVdg%3D' (2025-04-03) → 'github:NixOS/nixpkgs/f6db44a8daa59c40ae41ba6e5823ec77fe0d2124?narHash=sha256-QAd1L37eU7ktL2WeLLLTmI6P9moz9%2Ba/ONO8qNBYJgM%3D' (2025-04-12) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index 9482ff1..51819f4 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1741851582, - "narHash": "sha256-cPfs8qMccim2RBgtKGF+x9IBCduRvd/N5F4nYpU0TVE=", + "lastModified": 1744463964, + "narHash": "sha256-LWqduOgLHCFxiTNYi3Uj5Lgz0SR+Xhw3kr/3Xd0GPTM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6607cf789e541e7873d40d3a8f7815ea92204f32", + "rev": "2631b0b7abcea6e640ce31cd78ea58910d31e650", "type": "github" }, "original": { 
@@ -18,11 +18,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1743689281, - "narHash": "sha256-y7Hg5lwWhEOgflEHRfzSH96BOt26LaYfrYWzZ+VoVdg=", + "lastModified": 1744502386, + "narHash": "sha256-QAd1L37eU7ktL2WeLLLTmI6P9moz9+a/ONO8qNBYJgM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2bfc080955153be0be56724be6fa5477b4eefabb", + "rev": "f6db44a8daa59c40ae41ba6e5823ec77fe0d2124", "type": "github" }, "original": {
@@ -43,11 +43,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1744103455, - "narHash": "sha256-SR6+qjkPjGQG+8eM4dCcVtss8r9bre/LAxFMPJpaZeU=", + "lastModified": 1744669848, + "narHash": "sha256-pXyanHLUzLNd3MX9vsWG+6Z2hTU8niyphWstYEP3/GU=", "owner": "Mic92", "repo": "sops-nix", - "rev": "69d5a5a4635c27dae5a742f36108beccc506c1ba", + "rev": "61154300d945f0b147b30d24ddcafa159148026a", "type": "github" }, "original": {
From 13a9c9f13ebced859ec56224f3489cab2dda500e Mon Sep 17 00:00:00 2001
From: Clara Dautermann
Date: Tue, 15 Apr 2025 18:49:03 +0200
Subject: [PATCH 05/10] configure Password via Colmena

---
 .sops.yaml | 2 ++
 configs/container_config.nix | 13 ++++++++--
 configs/services/wireguard.nix | 5 ++--
 secrets/all/secrets.yaml | 46 ++++++++++++++++++++++++++++++++++
 4 files changed, 62 insertions(+), 4 deletions(-)
 create mode 100644 secrets/all/secrets.yaml

diff --git a/.sops.yaml b/.sops.yaml
index 40c5b6e..be740da 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -4,11 +4,13 @@ keys:
 # Servers
 - &wireguard age12d8mxwnt0a7gl4uu0uwdqaxuqdf5j7zm50qy5qrhj0kd4ny7luaqv7rj4e
+ - &mcserver age1v98yggaarelrp7z8rljzpf3gm70up4q8460trejmptdpv7gjucrqssjz9h
 creation_rules:
 - path_regex: secrets\/all\/*
 key_groups:
 - pgp: [*clara]
+ age: [*wireguard, *mcserver]
 - path_regex: secrets\/wireguard\/*
 key_groups:
 - pgp: [*clara]
diff --git a/configs/container_config.nix b/configs/container_config.nix
index ceb8281..dfcffd0 100644
--- a/configs/container_config.nix
+++ b/configs/container_config.nix
@@ -1,9 +1,18 @@
-{ modulesPath, pkgs, lib, inputs, ... }: {
+{ modulesPath, pkgs, lib, inputs, config, ... }: {
 imports = [
 (modulesPath + "/virtualisation/proxmox-lxc.nix")
 inputs.sops-nix.nixosModules.sops
 ];
+ # set up secret key
+ sops = {
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ defaultSopsFile = ../secrets/all/secrets.yaml;
+ secrets.initial_password_clara = {
+ neededForUsers = true;
+ };
+ };
+
 time.timeZone = "Europe/Berlin";
 # we want at least a possibility to download stuff, monitor activity and sudo
@@ -25,7 +34,7 @@
 # default user with sudo
 users.users.clara = {
 isNormalUser = true;
- initialPassword = "123456";
+ hashedPasswordFile = config.sops.secrets.initial_password_clara.path;
 extraGroups = [ "sudo" "wheel" ];
 shell = pkgs.zsh;
 };
diff --git a/configs/services/wireguard.nix b/configs/services/wireguard.nix
index 42b2af9..13e3be0 100644
--- a/configs/services/wireguard.nix
+++ b/configs/services/wireguard.nix
@@ -9,8 +9,9 @@ in {
 # set up secret key
 sops = {
 age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
- defaultSopsFile = ../../secrets/wireguard/secrets.yaml;
- secrets.wg_private_key = { };
+ secrets.wg_private_key = {
+ sopsFile = ../../secrets/wireguard/secrets.yaml;
+ };
 };
 networking = {
diff --git a/secrets/all/secrets.yaml b/secrets/all/secrets.yaml
new file mode 100644
index 0000000..c1acf30
--- /dev/null
+++ b/secrets/all/secrets.yaml
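Review bot: `hashedPasswordFile = config.sops.secrets.initial_password_clara.path;` expects the decrypted file to contain a crypt(3) password hash (mkpasswd output), not a plaintext password, and unlike the `initialPassword = "123456";` it replaces it is, as far as I know, applied on every activation rather than only when the user is first created — the `initial_` name and the commit title both suggest otherwise. I would add above `secrets.initial_password_clara = {` a comment such as `# crypt hash of clara's password (mkpasswd -m sha-512), not the plaintext; enforced on every rebuild, neededForUsers stages it before user creation`. `age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` is now set here for every container and again in configs/services/wireguard.nix in the same commit, so the wireguard copy is redundant and can be dropped.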
@@ -0,0 +1,46 @@ +initial_password_clara: ENC[AES256_GCM,data:9qq2u05PsDWBOSAKY/DslqyXxTpuy4OyRD8zJ2EmbvBFnafVuEVgn/U8QXkXIGrMWqXiDhee9hdKuai4VcQRxGkJFAC7HgteLw==,iv:WSgs0m60C7sSezKFFRq7O/LDWKl2zf4OMT3mEx+eX2Y=,tag:LAxjKNND3Ah0qMNKzmTfmQ==,type:str] +sops: + age: + - recipient: age12d8mxwnt0a7gl4uu0uwdqaxuqdf5j7zm50qy5qrhj0kd4ny7luaqv7rj4e + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvSHg4SmxHTGFVbm82VDFY + TG0ybDRWc1FRR3VLL1A1dk5jcWJzSmFRbFVZCk5lK2NjOTd5UGovVFZPNmwzZld0 + cEIzTXRBbE5TRUxWbk5NZFZZbkwvazgKLS0tIFN6aHpTZlM4N1Z0dkFZWVBERHEw + bjhTUXlFYS92aFpyc2E5NVF3T3JJZ0EK/212uZn6pEmHyIAxef/RZF2XeYbQk0W+ + PDdnOxO4hizczMjxkI7soMQJm+rn8E+yvv1RqXPCn2iMoZ6XMs7lxw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1v98yggaarelrp7z8rljzpf3gm70up4q8460trejmptdpv7gjucrqssjz9h + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBySkhJeTdyV0UzbEphV28x + aGRWNHAwalN5dEhuTy9NZUIyVGtFOHNpeFNnCm1rZTdrSHcwWGdwVU91WTVwUlIr + Z2JWSmtSVGp5akY4a0orWWt4ZkptNGcKLS0tIE9YSzVHS05HbjM0VUI3aGNyVDlo + MEc3TmdYd3dUTThIcG5nZmRWQ2RRVzAKWI/c5xcj0bNLUmYFIMuY+gOtmPCpd3Be + 5tFaJ+Dv6q4sT4OS4YxDUyVqoXXrPh3ZBjgVxuiXDSMq884BpJXx/Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-04-15T16:44:33Z" + mac: ENC[AES256_GCM,data:T8IyZVfFNwapxymfsdaZoyeGq4cmk4otIuCfbZiRqF6NTJgRw3aIDmNmsT7ZMiyEzCrtpKue92HBA/yLdV+bkZqM+yBWKYM9Wu04nMhJgt5AmpXt0KfS9ISJlsLxuNMZBgSIxoMfndKakz+MW+wGomN7Of8UwQnNNqxH08O3Bh0=,iv:Vj+nlKh/lNxpJdI7WEYENqz4jVbtBErtRs3hutc4DZg=,tag:HRvnPQMyZS/cioj9b1IICw==,type:str] + pgp: + - created_at: "2025-04-15T16:29:51Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAzwtBoBqH5ZOARAAkltkqMBtbtRrttiKUfZVRy/JxzND/LeAVtbB+NsHrIA0 + CRW4MizreJgAGiuRgkUMWq5QhYbADIrH4UpUJQb0fCfsc0rYcsY40rY1XsGokL/e + ABipOkXTt78oMzp7LsAsG+jf2WI+n/BJUmjvvEeyS6x0Z7xXYQ7iYx6ZJYg5W265 + fW6nxqH3L98GYDlGZ9TQUe2WfGZGtzthVtSx0fTr3z9QC8xsSMsyhLwwOsXjskOJ + S6JTAaHyqKGqkECBcV0jGVGH639CHj2QAjJyPjqCmyD9SD2H7oYXVHqsGIUwWyDC + 
p+Ya1YEEdt6twaAb9nw2i53+5fv5Cpok3auk27U8M/S/KOxtH5jbZuUFToHTqMDh + P7fXEi4AjuiQF2DuiDL5/4HiUcvKiT86MgdJDwpIbdHqdUrGrT8WYvlApYXBg1EH + adN4brPX0BJ/mWFvQl8eGGHnohxuQo9cf7UzWlxAb3jo+pAZHkjAxy8WpCbmdDKQ + +2lPXbyXQ0zu0tOdAtUjOVXCOrkPWro+bABw9Q27/Y+apkO4dW2ssGGm/qrm6l6X + qzAlzqrG98A66OuuKfaAy99qZflZ1oz+lpeCMaHG5AaLt0XZbE3XPUA/qHOD7WzT + 1MWvtisUUg3StCkHSbiOv6JZ9Ta2Ng2mlfdCqs7iHCNU05Fgtuj0BVgW/UxFqDTS + XgEeus2+EyHN5NVZWPD2zuAM3QJFQ/fpFRx3msP2cr7kueOa6e2Lt+EzkgMsEHm5 + 5OhzLsM+pCWIuZc7+fgGU64BKtFneBMO74TE4fgX204/lEFT3fuQfXFDv4TbK2s= + =etKI + -----END PGP MESSAGE----- + fp: 58EF8D71114EF548DEE3320DE6F04916B6EEBD83 + unencrypted_suffix: _unencrypted + version: 3.10.1 From 84072ee09b4df182daf6a839b4611d8fdc9adf1a Mon Sep 17 00:00:00 2001 From: Clara Dautermann Date: Tue, 15 Apr 2025 18:52:51 +0200 Subject: [PATCH 06/10] added zammad server --- .sops.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.sops.yaml b/.sops.yaml index be740da..1aeae1d 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -5,12 +5,13 @@ keys: # Servers - &wireguard age12d8mxwnt0a7gl4uu0uwdqaxuqdf5j7zm50qy5qrhj0kd4ny7luaqv7rj4e - &mcserver age1v98yggaarelrp7z8rljzpf3gm70up4q8460trejmptdpv7gjucrqssjz9h + - &zammad age14ukkn4plvnjacvjux929qwpeynxk4cfxw285vlwddqakm43kfyysfdg02c creation_rules: - path_regex: secrets\/all\/* key_groups: - pgp: [*clara] - age: [*wireguard, *mcserver] + age: [*wireguard, *mcserver, *zammad] - path_regex: secrets\/wireguard\/* key_groups: - pgp: [*clara] From b521cb1e7204ff90a8539b3c9abba33685213f2f Mon Sep 17 00:00:00 2001 From: Clara Dautermann Date: Tue, 15 Apr 2025 19:01:08 +0200 Subject: [PATCH 07/10] sops for initial user password --- .sops.yaml | 4 +- configs/services/vaultwarden.nix | 8 ++-- secrets/all/secrets.yaml | 65 ++++++++++++++++++-------------- 3 files changed, 43 insertions(+), 34 deletions(-) diff --git a/.sops.yaml b/.sops.yaml index 1aeae1d..0acce9b 100644 --- a/.sops.yaml +++ b/.sops.yaml 
@@ -4,8 +4,8 @@ keys:
 # Servers
 - &wireguard age12d8mxwnt0a7gl4uu0uwdqaxuqdf5j7zm50qy5qrhj0kd4ny7luaqv7rj4e
- - &mcserver age1v98yggaarelrp7z8rljzpf3gm70up4q8460trejmptdpv7gjucrqssjz9h
- - &zammad age14ukkn4plvnjacvjux929qwpeynxk4cfxw285vlwddqakm43kfyysfdg02c
+ - &mcserver age1v98yggaarelrp7z8rljzpf3gm70up4q8460trejmptdpv7gjucrqssjz9h
+ - &zammad age14ukkn4plvnjacvjux929qwpeynxk4cfxw285vlwddqakm43kfyysfdg02c
 creation_rules:
 - path_regex: secrets\/all\/*
diff --git a/configs/services/vaultwarden.nix b/configs/services/vaultwarden.nix
index 56b6789..bc793a3 100644
--- a/configs/services/vaultwarden.nix
+++ b/configs/services/vaultwarden.nix
@@ -10,8 +10,8 @@ in
 ROCKET_ADDRESS = "192.168.178.51";
 DOMAIN = "http://192.168.178.51";
 ROCKET_PORT = port;
- ADMIN_TOKEN =
+ ADMIN_TOKEN =
+ };
 };
- };
- networking.firewall.allowedTCPPorts = [ port ];
-}
+ networking.firewall.allowedTCPPorts = [ port ];
+ }
diff --git a/secrets/all/secrets.yaml b/secrets/all/secrets.yaml
index c1acf30..6da2253 100644
--- a/secrets/all/secrets.yaml
+++ b/secrets/all/secrets.yaml
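Review bot: The new side of the configs/services/vaultwarden.nix hunk still assigns `ADMIN_TOKEN =` inside what is presumably `services.vaultwarden.config` (its value is not visible here and may have been stripped from the page), and anything assigned there is rendered into the world-readable Nix store — the opposite of what the commit title "sops for initial user password" is about. The token belongs in `services.vaultwarden.environmentFile = config.sops.secrets.<name>.path;` with a sops-managed file holding `ADMIN_TOKEN=...` (secret name of your choosing), so the Nix expression carries only a path; Vaultwarden also accepts an Argon2 PHC hash as ADMIN_TOKEN, which keeps the raw token out of the file altogether. The hunk also shifts the closing braces so the module now ends with an indented `}`, which looks accidental and obscures the brace structure. The enclosing attribute set starts outside the hunk.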
@@ -1,45 +1,54 @@ -initial_password_clara: ENC[AES256_GCM,data:9qq2u05PsDWBOSAKY/DslqyXxTpuy4OyRD8zJ2EmbvBFnafVuEVgn/U8QXkXIGrMWqXiDhee9hdKuai4VcQRxGkJFAC7HgteLw==,iv:WSgs0m60C7sSezKFFRq7O/LDWKl2zf4OMT3mEx+eX2Y=,tag:LAxjKNND3Ah0qMNKzmTfmQ==,type:str] +initial_password_clara: ENC[AES256_GCM,data:4kTSXy5f6h/crmOOako0puZyxyeitqjSBKxB987Oh3ZatUy0aR+JwEFNVMGwu4nA1xJOrPyKsa1AUBoRY21mpiqX1oZnPChe+w==,iv:inA7Hnnl7rFR0ORTO7rvZJr+IfvoIP+kvlbnTJwLKFk=,tag:1nIJTuwJNhvId+YO4KgIjA==,type:str] sops: age: - recipient: age12d8mxwnt0a7gl4uu0uwdqaxuqdf5j7zm50qy5qrhj0kd4ny7luaqv7rj4e enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvSHg4SmxHTGFVbm82VDFY - TG0ybDRWc1FRR3VLL1A1dk5jcWJzSmFRbFVZCk5lK2NjOTd5UGovVFZPNmwzZld0 - cEIzTXRBbE5TRUxWbk5NZFZZbkwvazgKLS0tIFN6aHpTZlM4N1Z0dkFZWVBERHEw - bjhTUXlFYS92aFpyc2E5NVF3T3JJZ0EK/212uZn6pEmHyIAxef/RZF2XeYbQk0W+ - PDdnOxO4hizczMjxkI7soMQJm+rn8E+yvv1RqXPCn2iMoZ6XMs7lxw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3cWVDWmx5d3c4MWk4Q1lB + RDBveHR0NGpnTkVxNTJ3S01iaHZTMmJZM25BCklxcDZjbWJReHl3TWxaMVFQUzh2 + TEt0WTlEbG1jL3NJWituWXVjckc1aUEKLS0tIFVaSllUTDZ1cGFuWkNOSWx1TzlL + NGF5cjN4bUxTeHgrM3BJWVF6ZjhudU0KeUkn4/R2kfrLZsAqE8+kiYi1L92U44oT + iQLYfEFVWJW404RsyHrU2hn348g6M5LXICqO5zgN9GeKgIyXRWqBPQ== -----END AGE ENCRYPTED FILE----- - recipient: age1v98yggaarelrp7z8rljzpf3gm70up4q8460trejmptdpv7gjucrqssjz9h enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBySkhJeTdyV0UzbEphV28x - aGRWNHAwalN5dEhuTy9NZUIyVGtFOHNpeFNnCm1rZTdrSHcwWGdwVU91WTVwUlIr - Z2JWSmtSVGp5akY4a0orWWt4ZkptNGcKLS0tIE9YSzVHS05HbjM0VUI3aGNyVDlo - MEc3TmdYd3dUTThIcG5nZmRWQ2RRVzAKWI/c5xcj0bNLUmYFIMuY+gOtmPCpd3Be - 5tFaJ+Dv6q4sT4OS4YxDUyVqoXXrPh3ZBjgVxuiXDSMq884BpJXx/Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwZ3FtekQ1K3JOZjB2bVVu + MGhER3h4RjVVYUx1RW54aXc0Q2JIdFVzR0VFCkRJbkVoNVlSTkJQaTNYNFQ4ak10 + ZDdmN1o2U2t4dnJPcXNaSW4xU1J5SUEKLS0tIGVTUXNWOSsrbUxXWENSRWVDSys3 + 
UUhENFp4amR5Mzh6ZWxEdjNBSmRZL2MKlMtaMFXYjrRaUBP41prBwrYS6Avqyy2d + aHoU85HdRsfYVu9PC8zjsSSeDrBvL6ByIpA9KpO5yeU8RxvHZOPFqQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-04-15T16:44:33Z" - mac: ENC[AES256_GCM,data:T8IyZVfFNwapxymfsdaZoyeGq4cmk4otIuCfbZiRqF6NTJgRw3aIDmNmsT7ZMiyEzCrtpKue92HBA/yLdV+bkZqM+yBWKYM9Wu04nMhJgt5AmpXt0KfS9ISJlsLxuNMZBgSIxoMfndKakz+MW+wGomN7Of8UwQnNNqxH08O3Bh0=,iv:Vj+nlKh/lNxpJdI7WEYENqz4jVbtBErtRs3hutc4DZg=,tag:HRvnPQMyZS/cioj9b1IICw==,type:str] + - recipient: age14ukkn4plvnjacvjux929qwpeynxk4cfxw285vlwddqakm43kfyysfdg02c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwelB5Y21GdjA0a0JObTIx + b0Voc1Q2cDFLODdFY0k4bXBTdHplWmpFSGkwCisrRG1XenZQWTlNYTBTVnhZVGxt + QzFycWRhRHV3b0xaaUM4QXFnc0dnWTgKLS0tIHkwa2hUQnptejlndDcyZ2lIWERq + ZUZVNjJ2L3dUdDBVZ0NXMzBXTXZVaE0KhG/hY232TkDRcAeQOBthQNZRzEryAcB6 + YiAGzA7LrZvDsDllYZ6riqmts9rZYZhk7N2CQ6hVVJ/p6X6Z3qfMwg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-04-15T17:00:20Z" + mac: ENC[AES256_GCM,data:v1UKMevNh/Om1dULmGOADsD6wQ0nhTsMtwT0qqDxtqdgBpmk2vD5VU732ZgQjornPc4ZeCgbfpFK16EVtx9gbwPLRQbgeh8I6BoqcpNkHkZnvGV4hpH2xKeRqOYvSg1ed1j7INLctt1q2O5bHC3ASmidP0zZoqLvgurwTP4t9Zo=,iv:4ji3Ob5mzS6qVWkKce66wZRfASXQi0MSC4m4f1HQlbw=,tag:gSDj3CQTp0NNrexKFxzAmQ==,type:str] pgp: - - created_at: "2025-04-15T16:29:51Z" + - created_at: "2025-04-15T17:00:11Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAzwtBoBqH5ZOARAAkltkqMBtbtRrttiKUfZVRy/JxzND/LeAVtbB+NsHrIA0 - CRW4MizreJgAGiuRgkUMWq5QhYbADIrH4UpUJQb0fCfsc0rYcsY40rY1XsGokL/e - ABipOkXTt78oMzp7LsAsG+jf2WI+n/BJUmjvvEeyS6x0Z7xXYQ7iYx6ZJYg5W265 - fW6nxqH3L98GYDlGZ9TQUe2WfGZGtzthVtSx0fTr3z9QC8xsSMsyhLwwOsXjskOJ - S6JTAaHyqKGqkECBcV0jGVGH639CHj2QAjJyPjqCmyD9SD2H7oYXVHqsGIUwWyDC - p+Ya1YEEdt6twaAb9nw2i53+5fv5Cpok3auk27U8M/S/KOxtH5jbZuUFToHTqMDh - P7fXEi4AjuiQF2DuiDL5/4HiUcvKiT86MgdJDwpIbdHqdUrGrT8WYvlApYXBg1EH - adN4brPX0BJ/mWFvQl8eGGHnohxuQo9cf7UzWlxAb3jo+pAZHkjAxy8WpCbmdDKQ - 
+2lPXbyXQ0zu0tOdAtUjOVXCOrkPWro+bABw9Q27/Y+apkO4dW2ssGGm/qrm6l6X - qzAlzqrG98A66OuuKfaAy99qZflZ1oz+lpeCMaHG5AaLt0XZbE3XPUA/qHOD7WzT - 1MWvtisUUg3StCkHSbiOv6JZ9Ta2Ng2mlfdCqs7iHCNU05Fgtuj0BVgW/UxFqDTS - XgEeus2+EyHN5NVZWPD2zuAM3QJFQ/fpFRx3msP2cr7kueOa6e2Lt+EzkgMsEHm5 - 5OhzLsM+pCWIuZc7+fgGU64BKtFneBMO74TE4fgX204/lEFT3fuQfXFDv4TbK2s= - =etKI + hQIMAzwtBoBqH5ZOAQ/+Ph75DuL7rX4Wt+dXW8Gcc4ov2dZSaWKVpVngPrj6YvFu + 1PNAyglOenNTL4zP8g5Xcns4DkbQTRK0+g5HA8UtdpNB/CXNYXWVvzVIx/z2734p + d6QdN003s9b/1y1M/foSHXVdxYfq5OvNYMMukAS/ETAlF8bG/5IWQhGiYsCBaK+2 + Mizr1OSp/XLecJlGuf/2gMfzt6KSeYHe2wcxFntm2HpQgNmmHmCkb6dLTYwOABGH + pOKDBBl530dZOx9DM+XXthsMYvplvvUCSC1w7kLivt1H/F+gwqG+zwyQrKra8Fka + 2+o82eehzQSUzbEQvu9wz7QAmo0uc3vlF9xj3yRSHpmbRxRyVd88i3XlEDXiz9lH + 9G15PdU5XFUCpp6o+qBMpip8n5tvy6+6E/0r6QD74VS3Ha80mLd8jRWdLmehiJYf + FyT9r1XhFemRaPEBVCSWRt2Y6vvBe7x92ed+dIXG1sqcXJBAONs1O8FPCKjgrAfW + QPe0nrXVSYCbvldGS1Wx9ASknc/FU25IJydRcuq9NVd4rylK3C5WjnzLSJmDzkda + +xoCTmwdGAEGqJPrcC3GQrot/sZFK6Gz1ZQ03miABi+Agrr5Eh1bQzgh7e4YoUiL + y89DzlqTWXEvdNS4k0ps1mKg32zzkUkeIl8wiX0e9uil8OHQnL+rcqPe9NN05jDS + XgEi6DfmK0Hh6aYjeJMxKtRKYOQuSheRcrUFCfdr1AjXrWfGjjXX1cbfFU+O45tV + zhps4J5zhcCgPHNN2eWOE3DKMj4CT5x/ZXKFWSxbFcKNKy7hyVI/DR+i5urKVrA= + =UyZz -----END PGP MESSAGE----- fp: 58EF8D71114EF548DEE3320DE6F04916B6EEBD83 unencrypted_suffix: _unencrypted From f51a453c14cdac1d9bae31019cdd2b63adabc9ee Mon Sep 17 00:00:00 2001 From: Clara Dautermann Date: Tue, 15 Apr 2025 19:07:27 +0200 Subject: [PATCH 08/10] motd --- configs/container_config.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/configs/container_config.nix b/configs/container_config.nix index dfcffd0..48ff9c4 100644 --- a/configs/container_config.nix +++ b/configs/container_config.nix 
@@ -37,8 +37,17 @@
 hashedPasswordFile = config.sops.secrets.initial_password_clara.path;
 extraGroups = [ "sudo" "wheel" ];
 shell = pkgs.zsh;
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa 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 cardno:11_075_348"
+ ];
 };
+ users.motd = ''
+ ##################################
+ Logged in to: ${config.networking.hostName}
+ ##################################
+ '';
+
 # localization stuff
 console.keyMap = "de";
 i18n.defaultLocale = "en_US.UTF-8";
From 7693a3ccc06bf21355dd12f999c638a42a59709f Mon Sep 17 00:00:00 2001
From: Clara Dautermann
Date: Thu, 17 Apr 2025 19:23:49 +0200
Subject: [PATCH 09/10] temporarily deploy forgejo

---
 .sops.yaml | 3 +-
 configs/containers/forgejo_container.nix | 19 ++++++
 configs/services/forgejo.nix | 6 +-
 flake.nix | 2 +
 secrets/all/secrets.yaml | 75 +++++++++++++-----------
 5 files changed, 69 insertions(+), 36 deletions(-)
 create mode 100644 configs/containers/forgejo_container.nix

diff --git a/.sops.yaml b/.sops.yaml
index 0acce9b..4f59156 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -6,12 +6,13 @@ keys:
 - &wireguard age12d8mxwnt0a7gl4uu0uwdqaxuqdf5j7zm50qy5qrhj0kd4ny7luaqv7rj4e
 - &mcserver age1v98yggaarelrp7z8rljzpf3gm70up4q8460trejmptdpv7gjucrqssjz9h
 - &zammad age14ukkn4plvnjacvjux929qwpeynxk4cfxw285vlwddqakm43kfyysfdg02c
+ - &forgejo age1vd33efsea2509hm0dwmhkuu7mm2kgw6tsss6lmzsqfg7gat06qyqys3qfh
 creation_rules:
 - path_regex: secrets\/all\/*
 key_groups:
 - pgp: [*clara]
- age: [*wireguard, *mcserver, *zammad]
+ age: [*wireguard, *mcserver, *zammad, *forgejo]
 - path_regex: secrets\/wireguard\/*
 key_groups:
 - pgp: [*clara]
diff --git a/configs/containers/forgejo_container.nix b/configs/containers/forgejo_container.nix
new file mode 100644
index 0000000..920fa15
--- /dev/null
+++ b/configs/containers/forgejo_container.nix
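Review bot: The `openssh.authorizedKeys.keys` addition is unrelated to the motd this commit is titled for and changes who can log in to every container importing configs/container_config.nix, so it deserves its own commit message. With a key now deployed for clara and her password hash delivered through sops, this is also the point to decide whether SSH password logins are still wanted; unless it is set elsewhere in the file (not visible here), `services.openssh.settings.PasswordAuthentication = false;` restricts SSH to the key. A comment on the key line, e.g. `# clara's smartcard-backed key (going by the cardno: comment); applies to all containers`, would record the intent. The `users.users.clara` attribute set starts outside the hunk.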
@@ -0,0 +1,19 @@
+{ lib, pkgs, config, ... }: {
+
+ deployment = {
+ targetHost = "192.168.178.60";
+ targetPort = 22;
+ targetUser = "root";
+ };
+ networking.hostName = "forgejo";
+ networking.interfaces.wgbr.ipv4.addresses = [
+ {
+ address = "10.8.1.4";
+ prefixLength = 24;
+ }
+ ];
+ imports = [
+ ../container_config.nix
+ ../services/forgejo.nix
+ ];
+}
diff --git a/configs/services/forgejo.nix b/configs/services/forgejo.nix
index 07e9bae..46935e3 100644
--- a/configs/services/forgejo.nix
+++ b/configs/services/forgejo.nix
@@ -1,7 +1,8 @@
 { lib, pkgs, config, ... }: let
 dbname = "forgejo";
- ssh_port = 2000;
+ ssh_port = 2224;
+ domain = "new.git.cdaut.de";
 in
 {
@@ -15,7 +16,8 @@ in
 settings = {
 server = {
- DOMAIN = "192.168.178.50";
+ ROOT_URL = "https://${domain}";
+ DOMAIN = domain;
 SSH_PORT = ssh_port;
 # important because otherwise ssh doesn't seem to work…
 START_SSH_SERVER = true;
diff --git a/flake.nix b/flake.nix
index 5626a7e..3633fa9 100644
--- a/flake.nix
+++ b/flake.nix
@@ -17,6 +17,8 @@
 wireguard = import ./configs/containers/wg_container.nix;
 zammad = import ./configs/containers/zammad_container.nix;
+
+ forgejo = import ./configs/containers/forgejo_container.nix;
 };
 };
 }
diff --git a/secrets/all/secrets.yaml b/secrets/all/secrets.yaml
index 6da2253..f4d7cba 100644
--- a/secrets/all/secrets.yaml
+++ b/secrets/all/secrets.yaml
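Review bot: `ROOT_URL = "https://${domain}";` advertises an HTTPS origin, but nothing in this commit terminates TLS: Forgejo itself serves plain HTTP on port 3000, which the firewall already allows according to the next commit's hunk, so the https side presumably lives on a reverse proxy elsewhere and the proxy-to-container leg is cleartext. If that is the design, bind the listener to the proxy-facing address instead of all interfaces, e.g. `HTTP_ADDR = "10.8.1.4";` next to `DOMAIN = domain;` — the wgbr address this commit assigns in configs/containers/forgejo_container.nix — and say so in a comment; since the title calls the deployment temporary, a `# TODO` naming what the permanent setup still lacks would also help. The `server` settings block continues outside the hunk.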
@@ -1,54 +1,63 @@ -initial_password_clara: ENC[AES256_GCM,data:4kTSXy5f6h/crmOOako0puZyxyeitqjSBKxB987Oh3ZatUy0aR+JwEFNVMGwu4nA1xJOrPyKsa1AUBoRY21mpiqX1oZnPChe+w==,iv:inA7Hnnl7rFR0ORTO7rvZJr+IfvoIP+kvlbnTJwLKFk=,tag:1nIJTuwJNhvId+YO4KgIjA==,type:str] +initial_password_clara: ENC[AES256_GCM,data:ux8zKQbsw52SDMjX4wyXFp445vbCV4eFdvAJNzYSb3YMxbVWlBTV3KaEFYW0dKFwUvvserHPfyXmFgXJJ5Lx+D+49b8s8mVZqwVs,iv:2c8I40749+bXnwHJ2Gnjkv8a/AtV1P30sCE113jZcH4=,tag:b8kmLLZ80lytRH4dAl6tpg==,type:str] sops: age: - recipient: age12d8mxwnt0a7gl4uu0uwdqaxuqdf5j7zm50qy5qrhj0kd4ny7luaqv7rj4e enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3cWVDWmx5d3c4MWk4Q1lB - RDBveHR0NGpnTkVxNTJ3S01iaHZTMmJZM25BCklxcDZjbWJReHl3TWxaMVFQUzh2 - TEt0WTlEbG1jL3NJWituWXVjckc1aUEKLS0tIFVaSllUTDZ1cGFuWkNOSWx1TzlL - NGF5cjN4bUxTeHgrM3BJWVF6ZjhudU0KeUkn4/R2kfrLZsAqE8+kiYi1L92U44oT - iQLYfEFVWJW404RsyHrU2hn348g6M5LXICqO5zgN9GeKgIyXRWqBPQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAweHFOQWNaTGxLTTVNWlpw + UUdZYklScktnL3QvM0xLMTkrTmpYTG1ocXdzCnlPNVdkQ1FwZ21wUlhiOXpCSmV2 + R0Q4RGlTNWRybTFRU1ZnK3VEU0NWUVkKLS0tIGFNRzVDMnkvRXhLTzMwVEpONGFr + RGFIVDZyL0dSTWNDMDZEWEJIamxRMDgKBeRdsbub+XhYKyCkpo9x1yXXqha7PP/s + /nzUyMNqDB7Fh5K9xY2BRxwpxIKYWpzFPjybt5mHL1NxbYheGle5hA== -----END AGE ENCRYPTED FILE----- - recipient: age1v98yggaarelrp7z8rljzpf3gm70up4q8460trejmptdpv7gjucrqssjz9h enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwZ3FtekQ1K3JOZjB2bVVu - MGhER3h4RjVVYUx1RW54aXc0Q2JIdFVzR0VFCkRJbkVoNVlSTkJQaTNYNFQ4ak10 - ZDdmN1o2U2t4dnJPcXNaSW4xU1J5SUEKLS0tIGVTUXNWOSsrbUxXWENSRWVDSys3 - UUhENFp4amR5Mzh6ZWxEdjNBSmRZL2MKlMtaMFXYjrRaUBP41prBwrYS6Avqyy2d - aHoU85HdRsfYVu9PC8zjsSSeDrBvL6ByIpA9KpO5yeU8RxvHZOPFqQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzaWxRVVd3bU84bGwrZk5F + blgyRnd3MmdSdGtaWHdnVVVIeUs5dGNkVDJVCmo1MU9PeVRrNEZzcHhKUVk1OXlG + MDNCRCtCOERnQmtmUmt4YXlWTVl1dmcKLS0tIGZiYnlveWlKd2VZaVhNaUtlWlVK + 
UXkzL3k4YW5ESGRza0hURC9wR0o3RGMKsvc9zCQ323d/eSP9vVDiYTNgZrNmVvfE + +GfDEc/4+OpG+RRmMrXvlvCYRof56ywWZJr9tpAlunZ/t8vHRCUJow== -----END AGE ENCRYPTED FILE----- - recipient: age14ukkn4plvnjacvjux929qwpeynxk4cfxw285vlwddqakm43kfyysfdg02c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwelB5Y21GdjA0a0JObTIx - b0Voc1Q2cDFLODdFY0k4bXBTdHplWmpFSGkwCisrRG1XenZQWTlNYTBTVnhZVGxt - QzFycWRhRHV3b0xaaUM4QXFnc0dnWTgKLS0tIHkwa2hUQnptejlndDcyZ2lIWERq - ZUZVNjJ2L3dUdDBVZ0NXMzBXTXZVaE0KhG/hY232TkDRcAeQOBthQNZRzEryAcB6 - YiAGzA7LrZvDsDllYZ6riqmts9rZYZhk7N2CQ6hVVJ/p6X6Z3qfMwg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0YjhORkRmWk9pOVV6cUpo + RVRpNmhzWS9pZDMxTXViMDFLSVNYR1F5NkZZCnFCb0Q3QjMzNk5WVkM3K1JYYjJ4 + c1VER25FVUtyWHFpcVpKdUJ0YlhSTEEKLS0tIEF6a1dJY2JmelQyVzd4Mk9SK0R2 + WFZHdVZiMVdaNHFhTVZGMzdYRTl3ZU0K6yMpKKXKIaYHxR1cAHam7jogZShH5xsK + c43sMBz/WxHjvmI9TCNyxnkvgwC6kJUpV9vABduJg2INjkLltjNc/Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-04-15T17:00:20Z" - mac: ENC[AES256_GCM,data:v1UKMevNh/Om1dULmGOADsD6wQ0nhTsMtwT0qqDxtqdgBpmk2vD5VU732ZgQjornPc4ZeCgbfpFK16EVtx9gbwPLRQbgeh8I6BoqcpNkHkZnvGV4hpH2xKeRqOYvSg1ed1j7INLctt1q2O5bHC3ASmidP0zZoqLvgurwTP4t9Zo=,iv:4ji3Ob5mzS6qVWkKce66wZRfASXQi0MSC4m4f1HQlbw=,tag:gSDj3CQTp0NNrexKFxzAmQ==,type:str] + - recipient: age1vd33efsea2509hm0dwmhkuu7mm2kgw6tsss6lmzsqfg7gat06qyqys3qfh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPelBOdktOV3Naa1ZWdlFv + N1c1clFsZTlkbVlpYU81L3Y3L2UxTTJMaUdNCnJYd3Y0YWpRNTRsTkt4Q0ppblVB + K01HSzgvQ1lIaUNSR2lJZWY4NG1tL28KLS0tIGVjZ0svVlFrK1h1NFViVmV0bk5Q + MW5ZTWQwZy9iQnFNL2dRalM3VSswVkEKcE2M6Ph8d+7BafgjlARITRbxivOajQ3H + 7evjNzFDqga/AZ1rLG+5anuD2giAKVZGok10NvDroCKkobUpsXd6jQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-04-17T14:15:59Z" + mac: 
ENC[AES256_GCM,data:QBoeoWS2eoUjbXm40OLk8vxpdZRUkLgVLPQ6AX9JaYVLl4+reefFw269yngF2ZATBniuYLBHNhkSjOYttC+J7M2Zt8cQhhj4G2TFt7JkYHQRtkbuoa9ZiP3Oi3Jaj6z0w3cHsyMT+fBBdr02winxf8QggYHGmvcK8QXoayccyl8=,iv:lG94yszjtq1tDYrNM+xt5ehdrNYO6M+oqZg/Qg/cO4g=,tag:K3Cr7DySQ02fgHOaVtYmDA==,type:str] pgp: - - created_at: "2025-04-15T17:00:11Z" + - created_at: "2025-04-17T14:15:33Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAzwtBoBqH5ZOAQ/+Ph75DuL7rX4Wt+dXW8Gcc4ov2dZSaWKVpVngPrj6YvFu - 1PNAyglOenNTL4zP8g5Xcns4DkbQTRK0+g5HA8UtdpNB/CXNYXWVvzVIx/z2734p - d6QdN003s9b/1y1M/foSHXVdxYfq5OvNYMMukAS/ETAlF8bG/5IWQhGiYsCBaK+2 - Mizr1OSp/XLecJlGuf/2gMfzt6KSeYHe2wcxFntm2HpQgNmmHmCkb6dLTYwOABGH - pOKDBBl530dZOx9DM+XXthsMYvplvvUCSC1w7kLivt1H/F+gwqG+zwyQrKra8Fka - 2+o82eehzQSUzbEQvu9wz7QAmo0uc3vlF9xj3yRSHpmbRxRyVd88i3XlEDXiz9lH - 9G15PdU5XFUCpp6o+qBMpip8n5tvy6+6E/0r6QD74VS3Ha80mLd8jRWdLmehiJYf - FyT9r1XhFemRaPEBVCSWRt2Y6vvBe7x92ed+dIXG1sqcXJBAONs1O8FPCKjgrAfW - QPe0nrXVSYCbvldGS1Wx9ASknc/FU25IJydRcuq9NVd4rylK3C5WjnzLSJmDzkda - +xoCTmwdGAEGqJPrcC3GQrot/sZFK6Gz1ZQ03miABi+Agrr5Eh1bQzgh7e4YoUiL - y89DzlqTWXEvdNS4k0ps1mKg32zzkUkeIl8wiX0e9uil8OHQnL+rcqPe9NN05jDS - XgEi6DfmK0Hh6aYjeJMxKtRKYOQuSheRcrUFCfdr1AjXrWfGjjXX1cbfFU+O45tV - zhps4J5zhcCgPHNN2eWOE3DKMj4CT5x/ZXKFWSxbFcKNKy7hyVI/DR+i5urKVrA= - =UyZz + hQIMAzwtBoBqH5ZOAQ/9Gx1uySXuafWQT/xz2b4yY37t3ZKE5SE4LxKoyOPXRhWR + yVISxG9MBrYeDe7DR4QYJ5KVpKUui/TMKv5+SFiDvlxgQdWVA2PZ2KXgGK0KDDEk + cOn3YNGLHpZL4ZHwAlbgeNWFjT/A99logCnv7D4VocAX9k+AMSh5ZQqI5HLmBHfO + ZQOugRfGDI28D/iH/8LUXoK+l6VDX3CLt0xfQmNN81q2IQzb2NK9GZvj5qyILR3c + MMzGDMU1pw0OWCZWZDRCE5YA71mrvflGOQPo3/JPsVg1Qr8l6TbGjbFwKlYUgGDU + JTSsZ1ATKjzbWg7KSdrBgztWHcSDdrCW1yytUh9uoJks2UHGdfb060k9DH99IYXk + +u5DutiPqiz8xwn5YHetO3SaJjJA9uIODQ+Em7ElZ+XbY81NIlhbdT8DZKdDHmOx + ozFIs5r1glRaojo8Yc9fym0j8cZ6Dr6rkD+nbgwzRCuUucuzOILIPrutdUSgdpbp + LnK8ScJnOBsF3AhKuOB4Qhnb6Q0ooT8Zt+R2uDdezfACFMa6nW95MP4sPYPqy7ee + ZGuWOaMGQ1Cn9Ck3nBCn8hROzHwp9pv56mqVIKu+oWCGsFm9GUZ5XFvZxez6Kq// + 
SVhH/qbV3RElBj/Q8u4Xcbl3ZNnHbMhvi/Xe2Ji64orZkzjHrsViB6KXR6uzY/7S + XAF4UTbjzSVkqbZ+IKQbkhoM62YQpT1bOgMk9djNFilauKRqD5x3eKTyuooOnMGh + jVjxulE755eSO6qvATN/P7OIXzaPKI+HSPcdm0WH8ZXVTXrZjkeO7D7gCfh/ + =qTot -----END PGP MESSAGE----- fp: 58EF8D71114EF548DEE3320DE6F04916B6EEBD83 unencrypted_suffix: _unencrypted
From 9bec44c636ad72be9b18387f3a1d4126d0423785 Mon Sep 17 00:00:00 2001
From: Clara Dautermann
Date: Fri, 18 Apr 2025 08:57:00 +0200
Subject: [PATCH 10/10] set up forgejo ports for ssh correctly

---
 configs/services/forgejo.nix | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/configs/services/forgejo.nix b/configs/services/forgejo.nix
index 46935e3..1ab8775 100644
--- a/configs/services/forgejo.nix
+++ b/configs/services/forgejo.nix
@@ -1,7 +1,8 @@
 { lib, pkgs, config, ... }: let
 dbname = "forgejo";
- ssh_port = 2224;
+ ssh_port = 2225;
+ http_port = 3000;
 domain = "new.git.cdaut.de";
 in
 {
@@ -19,6 +20,7 @@ in
 ROOT_URL = "https://${domain}";
 DOMAIN = domain;
 SSH_PORT = ssh_port;
+ HTTP_PORT = http_port;
 # important because otherwise ssh doesn't seem to work…
 START_SSH_SERVER = true;
 BUILTIN_SSH_SERVER_USER = "git";
@@ -39,6 +41,6 @@ in
 ensureDatabases = [ dbname ];
 };
- networking.firewall.allowedTCPPorts = [ 3000 ssh_port ];
+ networking.firewall.allowedTCPPorts = [ http_port ssh_port ];
 }
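Review bot: `ssh_port` has moved from 2000 to 2224 to 2225 across three commits without a recorded reason, and `SSH_PORT` only sets the port written into clone URLs; the built-in server listens on `SSH_LISTEN_PORT`, which defaults to SSH_PORT, so the two stay aligned only while nobody sets the latter. A comment on the binding, e.g. `# advertised in clone URLs and, via SSH_LISTEN_PORT's default, the built-in server's listen port; must not clash with the host sshd on 22 used for deployment`, would capture that. The `server` settings block and the block holding `ensureDatabases` both continue outside their hunks.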