diff --git a/nix/hosts/hetznix/configuration.nix b/nix/hosts/hetznix/configuration.nix
index 739135e..b19b11c 100644
--- a/nix/hosts/hetznix/configuration.nix
+++ b/nix/hosts/hetznix/configuration.nix
@@ -15,9 +15,17 @@
 ./secrets.nix
 ./security
 ./services
+
+ ../../users/opdavies
 ];
- nix.nixPath = [ "nixpkgs=${inputs.nixpkgs-2405}" ];
+ nix = {
+ extraOptions = ''
+ trusted-users = root opdavies
+ '';
+
+ nixPath = [ "nixpkgs=${inputs.nixpkgs-2405}" ];
+ };
 networking.firewall.allowedTCPPorts = [
 80
diff --git a/nix/hosts/hetznix/security/acme.nix b/nix/hosts/hetznix/security/acme.nix
index efabb9a..b261623 100644
--- a/nix/hosts/hetznix/security/acme.nix
+++ b/nix/hosts/hetznix/security/acme.nix
@@ -18,6 +18,7 @@
 # TODO Refactor to use a wildcard certificate.
 "2020.oliverdavies.uk"
 "bootstrap-with-tailwind.oliverdavies.uk"
+ "code.oliverdavies.uk"
 "florida-drupalcamp-tailwind-css.oliverdavies.uk"
 "luke.oliverdavies.uk"
 "phpsw-sculpin-demo.oliverdavies.uk"
diff --git a/nix/hosts/hetznix/services/default.nix b/nix/hosts/hetznix/services/default.nix
index 11aa65a..a3c9baf 100644
--- a/nix/hosts/hetznix/services/default.nix
+++ b/nix/hosts/hetznix/services/default.nix
@@ -1,10 +1,7 @@
 {
 imports = [
- ./acme.nix
 ./caddy
+ ./forgejo.nix
+ ./openssl.nix
 ];
-
- services = {
- openssh.enable = true;
- };
 }
diff --git a/nix/hosts/hetznix/services/forgejo.nix b/nix/hosts/hetznix/services/forgejo.nix
new file mode 100644
index 0000000..ea54c4b
--- /dev/null
+++ b/nix/hosts/hetznix/services/forgejo.nix
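Review bot: `trusted-users = root opdavies` in the new `nix.extraOptions` block makes opdavies a trusted user of the Nix daemon, which allows overriding substituters, signing keys and sandbox settings and is therefore effectively root-equivalent on this host; the line should carry a comment stating why that level of trust is required here (presumably for remote deploys) so it is not copied to other hosts without thought, e.g. `# trusted-users is root-equivalent; required so opdavies can deploy to this host`. The same setting exists as the typed, mergeable option `nix.settings.trusted-users = [ "root" "opdavies" ];`, which avoids free-text parsing and lets other modules extend the list rather than duplicate it. If the only goal is to let this user run builds, the default `allowed-users` already covers that and `trusted-users` can be left unset.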
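Review bot: `./openssl.nix` is imported here, but the file created later in this commit configures `services.openssh`, not OpenSSL; the name will mislead anyone looking for the sshd hardening, so rename it to `openssh.nix` and change this import to `./openssh.nix` (the same point applies to the openssl.nix hunk itself). The import of `./acme.nix` is dropped from this directory while `security/acme.nix` is edited in the same commit; if a `services/acme.nix` file still exists it is now orphaned and should be deleted, otherwise this is fine. Moving `services.openssh.enable` out of this file is consistent with the new per-service layout.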
@@ -0,0 +1,28 @@
+{ config, ... }:
+
+{
+ services = {
+ forgejo = {
+ enable = true;
+
+ settings = {
+ server = {
+ DOMAIN = "code.oliverdavies.uk";
+ HTTP_PORT = 2223;
+ };
+
+ service = {
+ DISABLE_REGISTRATION = true;
+ };
+ };
+ };
+
+ caddy.virtualHosts."${config.services.forgejo.settings.server.DOMAIN}" = {
+ useACMEHost = "oliverdavies.uk";
+
+ extraConfig = "reverse_proxy localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}";
+ };
+
+ openssh.settings.AllowUsers = [ "forgejo" ];
+ };
+}
diff --git a/nix/hosts/hetznix/services/openssl.nix b/nix/hosts/hetznix/services/openssl.nix
new file mode 100644
index 0000000..53e4fde
--- /dev/null
+++ b/nix/hosts/hetznix/services/openssl.nix
@@ -0,0 +1,10 @@
+{
+ services.openssh = {
+ enable = true;
+
+ settings = {
+ AllowUsers = [ "opdavies" ];
+ PermitRootLogin = "no";
+ };
+ };
+}
diff --git a/nix/hosts/lemp11/default.nix b/nix/hosts/lemp11/default.nix
index 57b6c7c..83a8cb0 100644
--- a/nix/hosts/lemp11/default.nix
+++ b/nix/hosts/lemp11/default.nix
@@ -13,7 +13,6 @@
 };
 homelab = {
- forgejo.enable = true;
 gitea.enable = true;
 immich.enable = true;
 jellyfin.enable = true;
diff --git a/nix/hosts/nixedo/extra.nix b/nix/hosts/nixedo/extra.nix
index 0218882..b4e5242 100644
--- a/nix/hosts/nixedo/extra.nix
+++ b/nix/hosts/nixedo/extra.nix
@@ -2,8 +2,4 @@
 programs.dconf.enable = true;
 services.logind.lidSwitchExternalPower = "ignore";
-
- age.identityPaths = [
- "/home/opdavies/.ssh/id_rsa"
- ];
 }
diff --git a/nix/modules/nixos/features/homelab/default.nix b/nix/modules/nixos/features/homelab/default.nix
index 897465c..c7da8eb 100644
--- a/nix/modules/nixos/features/homelab/default.nix
+++ b/nix/modules/nixos/features/homelab/default.nix
@@ -2,7 +2,6 @@
 imports = [
 ./audiobookshelf.nix
 ./beaverhabits.nix
- ./forgejo.nix
 ./freshrss.nix
 ./gitea.nix
 ./immich.nix
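Review bot: Forgejo is only meant to be reached through the Caddy `reverse_proxy localhost:2223`, but the `server` block sets no `HTTP_ADDR`, so the built-in listener keeps whatever bind address the module or Forgejo defaults to and port 2223 is then protected only by the host firewall; adding `HTTP_ADDR = "127.0.0.1";` next to `HTTP_PORT` makes the service unreachable from outside regardless of later firewall edits. `openssh.settings.AllowUsers = [ "forgejo" ]` is merged by the module system with the `[ "opdavies" ]` list in openssl.nix, which is presumably intended so that git over SSH works, but nothing in this file says so; a comment such as `# merged with AllowUsers in openssl.nix; presumably needed for git-over-SSH` would spare the next reader a check of the effective sshd_config. `DISABLE_REGISTRATION = true` is the right default for a single-user instance.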
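Review bot: The new sshd settings restrict who may log in (`AllowUsers`, `PermitRootLogin = "no"`) but leave the authentication method at its default, so password login for opdavies stays possible unless it is disabled somewhere else in the tree; if key-based access is already in place, add `PasswordAuthentication = false;` and `KbdInteractiveAuthentication = false;` alongside `PermitRootLogin`. A one-line comment on `AllowUsers` noting that forgejo.nix appends `"forgejo"` to this list would also help, because the effective value is not visible from this file alone.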
diff --git a/nix/modules/nixos/features/homelab/forgejo.nix b/nix/modules/nixos/features/homelab/forgejo.nix
deleted file mode 100644
index 509c34c..0000000
--- a/nix/modules/nixos/features/homelab/forgejo.nix
+++ /dev/null
@@ -1,34 +0,0 @@
-{ config, lib, ... }:
-
-with lib;
-
-{
- options.features.homelab.forgejo.enable = mkEnableOption "Enable forgejo";
-
- config = mkIf config.features.homelab.forgejo.enable {
- services = {
- forgejo = {
- enable = true;
- group = "media";
- stateDir = "/mnt/media/forgejo";
-
- settings = {
- server = {
- DOMAIN = "forgejo.opdavies.uk";
- HTTP_PORT = 2223;
- };
-
- service = {
- DISABLE_REGISTRATION = true;
- };
- };
- };
-
- caddy.virtualHosts."${config.services.forgejo.settings.server.DOMAIN}" = {
- useACMEHost = "opdavies.uk";
-
- extraConfig = "reverse_proxy localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}";
- };
- };
- };
-}
diff --git a/nix/secrets/cloudflare-opdavies-uk.age b/nix/secrets/cloudflare-opdavies-uk.age
index 835ebf7..bdf2561 100644
--- a/nix/secrets/cloudflare-opdavies-uk.age
+++ b/nix/secrets/cloudflare-opdavies-uk.age
@@ -1,18 +1,19 @@ age-encryption.org/v1 --> ssh-ed25519 IsVD3g kacSrvgn/CGIwU05AkK6UGhxVm5oO/FRK2jgH1qHVg0 -JXzp1+Al5O8sBw3a4td7RA3HVP6C9tIdvvgZFZ9Se5w +-> ssh-ed25519 IsVD3g ZdGzOgZfbKkfBzwZRUvUm9HMBpJIJZhtcaxGSYOiXCM +99CJFSIYTpHX86rx2msqZudPCUBoW1hP9+uySFIuTfg -> ssh-rsa +vTWQw -ndPfUjqCzN5uqcrRvb/OGKmBouyM6qwf5ZmnfMg49NXcxt7bwCK0v7iPtOOOgDI2 -34Oi1EGgjkJ/YY+nxKuHZtRlq+wySbqeLVXUmb52reW4sj4PHEZOsFIO8Dnxmx9P -9AtISLIrdJd3V39v4+pXOo9tBvBcTAs7JKqDGFcfp7gcVH0vLga0l3jLUspZiNB9 -DXW6Gbttg8Z6El9J1fAqVXcDE3q7pPZE//zu/cIRyt4/kbK76bx7yEaKAy2GycZS -SCjjxsRtkBHOKQEQnFdKfWD/AG1USNmoiv4zHx1G9pIVJJA47yNWLwsx8Q7VrfNS -CXpxQt+ElOH5pRTpXMAx1/rHs/NpXMMUm0EVvWKTNbrbHvepTUvEYABo+DKicRVI -3H6RYWedXZ9ggpfID66CbF4HFtVJTXwHhvdzGfdna8J1Dy7nJyevT/fCz8tqlVIa -EFEFqUardSWj0zFL3PQgk2qmrC9W1+isp83Rioi/n/ow8O0Q+XlzO3rQjNYWtEgp -jufzw+3YI9HuNLPXB0xBfSgwP8Ao6iYskE+8IL+xu4ITCec/ItpoYk1Yeb38G2HQ -6JlIseQIgpOzw8DlMMWtWjO4U+9JAZh5XOlEgwFPFL25m//24UM7RB3/Yd1/it8i -cNaHR1L2/P8k5FnbR2jhxcTb2tEzlFo422brC0r/Ilc ---- MqcbFcs1myK1Dn1h/PQKZ59BdgYXIifkp0DkvoNQaL4 -W෹y -j`$En_<%s`#d,xMGdf:*`zRX>KJ0BDj<ţ=% \ No newline at end of file +KJKWXbY/qa2pZ9Xb6v4ca41rVY0nm6b/+pgcoKU6dbkRiHR3KLFw+E8CZT1dHkXY +3Az85roddG6O0nb39TQcteVqd0fKwQxmvFcpUsEaStDQiHtHc9r1A0mbUgmEcleP +dRo9U+jWuSnSFhnlNmul58/T5C92edlLvbGBo28BKIG2Jg4bdonDX4FUGmyfnUof +EicxZ2UxlEq6NdOm4FdV7df7GOMjyCSfRZ0XaZ4sPU/aa7iV6Nm6pIXgKZZtviNf +9ef/a5z6HgsQpHZ2Df7GE38I6qLKhG7Aau2gAiE+d4amg+djKmm2++WKvWN2Y5YF +PtxFvLhpc4vjzBOhwiKYjd3BcFCuJZQ2+SsLyNxhdb4J/v1MNAxNFKLdLX+/cvpk +pnITQShIRDZAd2GEBdOk+4PCCoEnBW6Y0IJGLv5NLYyLTSL0pKLIiTN0GKnWAv7B +1n+yHFRekC0G7AaHMB/JIemFwoTLq9Wm/mFTPol9UJTfAgem6F7895IpFkZAe3Lv ++0QHOgBQpNwVTtqZWi8cTgul+b9FLKd/99pSk72b7hIFF36AoyS5KeJfoUfXLONc +gZa1wra+VIaqV5gMihfb5Ll49QYRhlGn7x3KUkyuxlw6JWby6r6sAYRWprh0JGRb +LmFQzI4KiokzD8fq2wCUcr8T90EeAqkTUp6D3b0azoQ +--- lTlcpuKW/KS2v/85o9veQsuWTVRGl+ucx511oqQF8uY +[(Ŝ:`eo,'P0 +Z7k +D^|mP rWvF*v;ydXiNbTε \ No newline at end of file 
diff --git a/nix/secrets/cloudflare.age b/nix/secrets/cloudflare.age
index d13366d..dc666f5 100644
--- a/nix/secrets/cloudflare.age
+++ b/nix/secrets/cloudflare.age
@@ -1,20 +1,21 @@ age-encryption.org/v1 --> ssh-ed25519 nmofLg X3PF+8zBQJgqyt8PckMdeThC89nOXHlCuVdZ8SJzDi8 -bi7GBOC2TyAtFCYW6RjtZnMeb04Eld0TNcS8yPY2eLU --> ssh-ed25519 IsVD3g 248O8+OBY5b0Y5r23rWZf+MQZH+Mcz3+dbiXxiu96S8 -r7gDLWAn0vfk/FYxyXOhd1sQSz48PnW2MNY1gwjAMZg +-> ssh-ed25519 M7i4ow DupawEkDJ8n4DcTLZyW6O13ow5OGZ0TGR074SLo49A8 +Q+DnroHs3Yl1/El80FH4VMXgophJGaJ9/HhubisZtkE +-> ssh-ed25519 IsVD3g 9yROmUaS4kVmTJUv39qdDvpYxsyegYOHdWwGreWG3XY +xe4D/5aP6zdQMEuQEMin3sqJHhJt/hXSbAIuqDEvDfY -> ssh-rsa +vTWQw -pqQzjCL1Nh31rkMtmN767I5V/7arkR2enx6Zt2IG8Wp+h7wkiziZjGWxIebqOulF -nmnxolpqtv1+OQiMnDfmXMQsMaLwuIbk+EoMuIEmFQrFRKvYrZL/uNJv3WKRYfif -x2fgJwfv1+lmj0vij6wo5QuWV7QmNSXd0kU7s69whxysgz+PzUnMnQXAee7kek3P -5TsOMWd3/zqIE1VWtroJjtaWYZRN0zaTU1DWeQN33u0TFVXakFwzvAT0u8YCa//C -VzfGTCj3SCXrmVU1h0RcXUsxr0Z+BNb3NYcsDUKK9hFA+DETugwll63FmU1Et9tR -LEysFpTKvkpjg8OHWlqA8ax1Lkv5B1QCFua1CPixk7G/XSQKGq45n8VNtxeBOhzp -BdQwxMu2LuNwYxHB9zSuTXnUA16WukTpPLmC21akGaQj6QDLr+KSCOOjR94QG07l -n3PuDVbjWOcpegmdfvKtBaLol4bL8dHIcGJqa30OW4RdHSKR+7dfg0rZt2BpAN3p -F3cC0Gy73DIYYGdEsg9iXjqIMDVHe051VfbsjETiMuQOOxDc1onrWRhAKV3BVhge -FGNU9oJ+xLkDtMH50ksngVvZw/zu7NwP45wzeGQOOmlKI3RGUX81xrt0QXGpI6dH -OBOMVA3kMEVnNf2mWaFpJnmAvkiSnPvlN3+Iaigc758 ---- PFEOB74ICKKmUBSAbcK+91U7KC8wjhKsibwzbn+7owk -z-b!ޡ+%JZcrl -t-$Ie5ÌW|O&A*L03Т"y(v |3f \ No newline at end of file +ZlK8ThN/NUf9o2/yshAM3we/MTp0S02RprfjmXE5sXpLwQp/V9VFtoDfYpi++Caq +l84x0r1/QofJRfaRuWdtVEh9SPrAYqXRnz3BqGHmdu0ds5YxvkXr51nWly9RzNrH +JWVMLnuNMq509Xp+GLDxCTqPhM6qMa6t7gWkfv67FxTmw4+RT6BOBSnF2BUN8jnB +wOWS1T5l/n+Y/YSG8TGuUG1ftDm/60wEtbCQmwV3nmEtHDkZVYLH289GFhf4jiym +kpmUxJMK87s/Kj5w3w2IfDOJwSJ6G6UmoQIcZBXdszLTUjRZFzioqGDvs4h5hu6P +XbvpTN8ajXH4gg8rzB/Jczl9K8L2ojQNH/qTKdnyUP5RP8njEsHSEFzCwtjupi8R ++BJla2EcrDx5vuulE1nbHy9cFrtwdLDhp+DlU9DcKyUUZ5Zv96ao+5Jf1yRAcm86 +OubYiu3eakds3AssCYXW+pNoxa76P8ez9bcjVJrgaMFjiElXxMq8qUyDMqAc+UBF +Sk2/Bw7oD2OTVQINdWM+BwqNaDH1aGs/Y+ua0x+ahkuYf/6L9PHyWe85sBCekhSI +D0Qx/RTMlOSDPbN9PoJFO39STIfA6Eo/k4y8UoVk1A6yYeT9c6/0YXTyjNaSazGV 
+5Alc7y4ovF1+vVoIrHo5toTj9HWfolTQEKlj3GhnsFU +-> ssh-ed25519 DCAArw YSWPa5Kp+3Xgtdd+CAjkmFKZGNijCeqdfmn3Pya50VY +kF8ko6J5D1WRJfbtcei7xrQbLhpiHvcwi7JUWI65x6s +--- JJYs6WWGpPxT0s1tEFA/5vZswQiF59V5BHejKwrxJps +`a1+ʎZ2_frZYm,̽BOj#=[-?zSr/ 1bY6GK~Zu-7@Gtbg J \ No newline at end of file diff --git a/nix/secrets/secrets.nix b/nix/secrets/secrets.nix index 0bfbf80..38b175b 100644 --- a/nix/secrets/secrets.nix +++ b/nix/secrets/secrets.nix @@ -1,6 +1,6 @@ let hosts = { - hetznix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMk8n03VeShc0q4ztcaNrmScwM7u0j6fFVtmupy2RlM2"; + hetznix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN/Lylteb1le173In/X94jls+CXFg9RGCyJPBOL90zDD"; lemp11 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEZ+ljJKd6uqdAk+fqxwtObI4Stab2N9Bjo4QFHY/v8n"; nixedo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvtcGJnc94k6wCPfvK9oBvGey0WWVCR8IYSqg5vqage"; t490 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvtcGJnc94k6wCPfvK9oBvGey0WWVCR8IYSqg5vqage"; @@ -8,6 +8,7 @@ let users = { opdavies = "ssh-rsa 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"; + opdavies-hetznix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJStz4WQ5IerIyi8HqLB1gwoiKr87uH/bI+Q9sDxVu+a"; }; in { @@ -15,6 +16,7 @@ in hosts.hetznix hosts.t490 users.opdavies + users.opdavies-hetznix ]; "cloudflare-opdavies-uk.age".publicKeys = [ diff --git a/nix/secrets/tubearchivist.age b/nix/secrets/tubearchivist.age index 3687be7..3825f5d 100644 --- a/nix/secrets/tubearchivist.age +++ b/nix/secrets/tubearchivist.age 
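Review bot: `hosts.hetznix` is replaced with a new host key, so every secret whose `publicKeys` lists `hosts.hetznix` must be re-encrypted in the same change or the host can no longer decrypt it at activation; this commit re-keys cloudflare-opdavies-uk.age, cloudflare.age and tubearchivist.age, but whether those are all the secrets that reference hetznix cannot be seen from these hunks, so run `agenix --rekey` and confirm the resulting diff is complete before deploying. The new `users.opdavies-hetznix` entry has no comment saying what it is, and the secret whose key list it is added to in the second hunk starts outside the hunk; a note such as `# agenix key for opdavies on hetznix, separate from the host key` next to the entry would keep it from being mistaken for a login key. The context lines also show `nixedo` and `t490` carrying an identical key, which predates this change but is worth a second look if it is not intentional.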
@@ -1,19 +1,19 @@ age-encryption.org/v1 --> ssh-ed25519 sHhprA 51laRPX9Ekpa1X63TQKvlZSFTBOLwC8s2aDzvD2OmlE -Xs7z0c2uQxHJFgmDsczy8zpRl9wnacmBMr81xxJ4D0c --> ssh-ed25519 IsVD3g BWtBEJcfYhG00l3QLLW4xN9v57FwOSxjvdU2eZJ2tmE -TzEo/OkjGQgWDInAj6zEYbPwMGxOX7bdkG/Z+qsbe2E +-> ssh-ed25519 sHhprA Nsfwkbjh1xMbkfvYoJQ2eX4Os7eW/ync1TVDSRUtTwE +DIYEChpd5XLo7+8Bp8b4KKR6WjRkBOCFKvYs9HMaDXY +-> ssh-ed25519 IsVD3g I+0C0X1Yjw7CFIko83N0AUB5uxcc2xAw4MMuifQiEgw +rBx/qs+c7l74ehORmS/eXO1X62AaW7Q4V6pVNTK92Mg -> ssh-rsa +vTWQw -pi7x6nnLM4UgQAmY2y+EhQJK+W6nwL0atKIhSTt257lWeXy+AloOeTKlhbrGxagi -KTEO807hRMaKfxINUX4l9ui+8beXBfszgmGAISm8QSj3h3HKg48/hUrLJbsf+LvF -HbN+5rAuGk4Of7ogotbTK+kC7dD2sv66lIX22RdiuaYv+hjfV/NWrgDLbmBtJxjL -04uzxXC9bCyhZuVr7MduXMgOK7YkvDOd2yDqawq7u4K/H8Sf6EmFwT7eY0AlkKXO -3rBu/59Hu4I4gY3uqeqQyfdwQTpy12Ke6Aqs3vMEs1FTlf6Tpp/5aVFFckcl/F4M -dUTQurBudb4ECnYDGnaCFFb7nnBiUbe7ZvPfJnJNSOOdWH1v5ugo/KVqCJkB3Nbv -PAOvBo08/kmxl6+gZvNRyEjy1TY+1REYX8W4Rfpo5QjdUvCrBCxuybM7eVYMPVv5 -LWfymQ61wNRV+AQx+/pOC5K/S9xXnPyJCoqqH9OnPLSMLuOizMo+IcZyP67EnP2L -uESGw15697pCVf0oMuNmX2K/KkC+RcVkf6ZWNAECCYSox9Z/aHQCixLWFQoX1XN7 -9lajTEB/XFGCFTNZ/0C6Vj34vvSr9ymZOtLRdAX5IZjpZKmzQroZo1YMxsRRg0C4 -weEc0dVqdYi9bNSr+2QotCs1G2ezTbw7LY911GEMJzY ---- Tjaef+2qN//4+3hnlMoE+ViliwMOFDdN3LB3RO9hQL0 -_VuRa@Ųx.F2KbWA.} |(7gz5tLUҳ'(Ps}z3K?񔫤H<( \ No newline at end of file +g8aLlLKplkGAapAxZVIEmWqAOYBghIIN6TB1p9qGjsIGx9g6wG0qRcMkLL6rqmry +c7MPi9Lk4k65+mijhFL6d1rwwi0o0tHGK913xdCv1OxwjjyqCWAXGAawgtjMDEZz +bj9jj1Kpm+qvWf5KpVtEzkwe/Im4TXfoEhNC4rAGz3pDNy6OBV5Ztlt/icVhzVPy +yFSLkpLOgy2/fBMjesdLFgoeTK2kB3GoMioXNpCpAKHl8J8tiVHr4vFsE+mGJQ6y +bTG0BWacmGuuqXYYWfmJ8TyduMCkWQAqmHEPqMInpCmXYU1QS+vgULeM4Zw5II5j +/XQ1Bms50qlBOYkVitRWEz8R83PFqsIvtAsKf+xkjluJAI1fhlF/+YKLzfDfQRLL +I4RDfLpC6QaCvbYixKHaScfQYq+L389o6m4kHBoqj8diaN26lewADrMULxNhW7Lc +bVnUkU/yA22hMW22vhIlq2JJlIE9kUh/GXWxriM6bLI2hkCeWIH1IkjTELl+8RtL +aDyO+Dg68IzEx6yA6MuUoF7oeL6bgT+p7+huPAyg9ZHuJHEX6j8oi2WxHqzi7g54 +qH+iEw6jiaYabl/XYnrx1EsX4prGuGNvpbivOMPnjU3eIyo//U0pmioPMct9a3e0 
+ZUwAjidqvIsrUKD1iibTgUlIIIpehqRfEwxJ+fZ2xCs +--- FjYSFcft/ABIEmVoaPiwxBMzI0TYHAHnsdxUVwbyTSE +z@љ\T$~x3-hتլ