jsw/NiksOS
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: jsw:2f4c2c8e3eb87b712d798933e8607d1f6a14b3cd
Branches Tags
jsw:master
jsw:derek-site
..
compare: jsw:71b64d8edcbfdc99f83c2b269ce514d2171af82f
Branches Tags
jsw:derek-site
jsw:master

No commits in common. "2f4c2c8e3eb87b712d798933e8607d1f6a14b3cd" and "71b64d8edcbfdc99f83c2b269ce514d2171af82f" have entirely different histories.
2f4c2c8e3e ... 71b64d8edc

6 changed files with 28 additions and 127 deletions
Download patch file Download diff file Expand all files Collapse all files

0
.locksverify
View file

51
secrets/default.nix
View file

@ -1,37 +1,40 @@
{ {config, ...}: let
config,
lib,
...
}: let
inherit (lib) mkIf;
inherit (config.niksos) server;
serviceUser = x: config.systemd.services.${x}.serviceConfig.User; serviceUser = x: config.systemd.services.${x}.serviceConfig.User;
abstrServiceUser = x: config.services.${x}.user;
in { in {
age.secrets = { age.secrets = {
password.file = ./password.age; transferSh = {
file = ./transfer-sh.age;
# NOTE: server things owner = "jsw";
dcbot = mkIf server { };
dcbot = {
file = ./dcbot.age; file = ./dcbot.age;
owner = serviceUser "dcbot"; # owner =
if config.niksos.server
then serviceUser "dcbot" # "dcbot" doesn't exist on e.g laptop.
else "root";
}; };
bread-dcbot = mkIf server { bread-dcbot = {
file = ./bread-dcbot.age; file = ./bread-dcbot.age;
owner = "bread-dcbot"; owner =
if config.niksos.server
then serviceUser "bread-dcbot" # "dcbot" doesn't exist on e.g laptop.
else "root";
}; };
matrix-registration = mkIf server { password.file = ./password.age;
matrix-registration = {
file = ./matrix-registration.age; file = ./matrix-registration.age;
owner = abstrServiceUser "matrix-continuwuity"; owner =
if config.niksos.server
then config.services.matrix-continuwuity.user
else "root";
}; };
mail-admin = mkIf server { cloudflare-acme.file = ./cloudflare-acme.age;
# owner = serviceUser "stalwart-mail"; #FIXME: revert when stopped using docker for stalwart. mail-admin = {
# owner = #FIXME: revert when stopped using docker for stalwart.
# if config.niksos.server
# then serviceUser "stalwart-mail"
# else "root";
file = ./mail-admin.age; file = ./mail-admin.age;
}; };
zitadel-key = mkIf server {
file = ./zitadel-key.age;
owner = abstrServiceUser "zitadel";
};
}; };
} }

2
secrets/secrets.nix
View file

@ -18,6 +18,6 @@ in {
"dcbot.age".publicKeys = keys; "dcbot.age".publicKeys = keys;
"bread-dcbot.age".publicKeys = keys; "bread-dcbot.age".publicKeys = keys;
"matrix-registration.age".publicKeys = keys; "matrix-registration.age".publicKeys = keys;
"cloudflare-acme.age".publicKeys = keys;
"mail-admin.age".publicKeys = keys; "mail-admin.age".publicKeys = keys;
"zitadel-key.age".publicKeys = keys;
} }

15
secrets/zitadel-key.age
View file

@ -1,15 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 GQzYWA YUoGdx518q+GhqnOVeuHxWE4//2KgVTXJCu4ULUkly8
XIxa/FaGC5XBcrsvhZq5rOgX5vNDfFvcDCsamN7vHJ8
-> ssh-ed25519 MfR7VA 9btD5WmqZdQ54uJYVNwU3Z5DBIlACbYfqGe1wPZwd30
QecwT2R+BkQrGmorYcMuXHyy/TG7JjBdH2fp3W9zCBU
-> ssh-ed25519 +cvRTg UZnkgS+9oRLgEI/vdLFIAPbUG4V5iAuB4Z74D/quXzE
vxWJZI/SZKH1j8bnI4xC8+TIIANqMOkIDej+BWzDJwE
-> ssh-ed25519 WCPLrA OVnublQtCOFFo7+vcKGmCY3B3FkvLvQ6GaU7xMx8uQY
PuMamZqF3vCqgmpcTGQinIdbjOOpHtrmKfOXlL924Rk
-> ssh-ed25519 7/ziYw nYxpO5kaGDOyGUEFxryEhT0XqWf0Oc1RgprYaPjC33c
UseYaBeWvetviCf1FHncVNko86ji+GX9AdyDic2A1Og
-> ssh-ed25519 VQy60Q ok1oP3f7nWBd/6DyJFDnsv/Lb2/bwHY0cvmHI386IFM
t5rIZBUz5jav6tUo01ASMzYtHoW4+cKBZ2lzmxSI7IA
--- NZ9UXYlEIcw3VPFqDswXhSecW1zqcCeKivJoHC1zKA8
“JçëªÐqUÐ0¿]D_ÿ—Õ<>Óáz ´ž×¶S!-.t‰="†„ç·¿¸eÂ<KÈáéïö[

1
system/server/default.nix
View file

@ -10,7 +10,6 @@
./matrix.nix ./matrix.nix
./seafile.nix ./seafile.nix
./temp.nix ./temp.nix
./zitadel.nix
]; ];
options.niksos.server = lib.mkEnableOption "server servcies (such as caddy)."; #TODO: per service option. options.niksos.server = lib.mkEnableOption "server servcies (such as caddy)."; #TODO: per service option.
} }

86
system/server/zitadel.nix
View file

@ -1,86 +0,0 @@
{
config,
lib,
...
}: let
ExternalDomain = "z.jsw.tf";
Port = 9000;
in {
config =
lib.mkIf config.niksos.server
{
services.caddy.virtualHosts.${ExternalDomain}.extraConfig = ''
reverse_proxy localhost:${builtins.toString Port}
'';
# services.zitadel = {
# enable = true;
# masterKeyFile = config.age.secrets.zitadel-key.path;
# settings = {
# inherit Port ExternalDomain;
# ExternalPort = 443;
# };
# extraSettingsPaths = [config.age.secrets.zitadel.path];
# };
systemd.services.zitadel = {
requires = ["postgresql.service"];
after = ["postgresql.service"];
};
services = {
zitadel = {
enable = true;
masterKeyFile = config.age.secrets.zitadel-key.path;
settings = {
inherit Port ExternalDomain;
ExternalPort = 443;
Database.postgres = {
Host = "/var/run/postgresql/";
Port = 5432;
Database = "zitadel";
User = {
Username = "zitadel";
SSL.Mode = "disable";
};
Admin = {
Username = "zitadel";
SSL.Mode = "disable";
ExistingDatabase = "zitadel";
};
};
ExternalSecure = true;
};
steps.FirstInstance = {
InstanceName = "jsw";
Org = {
Name = "jsw";
Human = {
UserName = "jsw@jsw.tf";
FirstName = "Jurn";
LastName = "Wubben";
Email.Verified = true;
Password = "Changeme1!";
PasswordChangeRequired = true;
};
};
LoginPolicy.AllowRegister = false;
};
openFirewall = true;
};
postgresql = {
enable = true;
enableJIT = true;
ensureDatabases = ["zitadel"];
ensureUsers = [
{
name = "zitadel";
ensureDBOwnership = true;
ensureClauses.login = true;
ensureClauses.superuser = true;
}
];
};
};
};
}