From 35a39995fc5eb61def841718f6225b4659092580 Mon Sep 17 00:00:00 2001
From: Erwin Boskma
Date: Mon, 15 Jul 2024 23:41:19 +0200
Subject: [PATCH] read: init container
---
 .sops.yaml | 7 ++
 machines/default.nix | 7 ++
 machines/read/configuration.nix | 106 +++++++++++++++++++++++++++++
 machines/read/miniflux/default.nix | 20 ++++++
 machines/read/secrets.yaml | 43 ++++++++++++
 5 files changed, 183 insertions(+)
 create mode 100644 machines/read/configuration.nix
 create mode 100644 machines/read/miniflux/default.nix
 create mode 100644 machines/read/secrets.yaml
diff --git a/.sops.yaml b/.sops.yaml
index 06ddb4c..9facbab 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -13,6 +13,7 @@ keys:
 - &neo age1s95yw988he30l6wegfwquh4nh03jst2tvyu4ykng4g88h7s3a3rs5zh5fp
 - &nix-cache age1ffpkfl4ged52ym7ynyhjc40t9v2g6pgjp4ue670lxcr6mxy7mdtqt5qjlq
 - &proxy age1yz7k9s5plamjq425memjh00y4sdldgdhpwxqpx9gk9wutttx9scsdg3qd5
+ - &read age193v7jejqu7dxk4xejs9cfcatz7605wf4fmytxst424xel2e4z48qj8fflj
 - &saga age10advysga7fpkh7uuv9a7phs77c5khswf5c9q9txvrauxtqr4yu0sk2r75v
 - &valkyrie age139zg5z02dx3j70tl6sn2l9kq0nfz2ddkffx0grlh7gg28dafhq6qd2sj6f
 creation_rules:
@@ -88,6 +89,12 @@ creation_rules:
 - *erwin
 - *erwin_horus
 - *proxy
+ - path_regex: machines/read/[^/]+\.ya?ml$
+ key_groups:
+ - age:
+ - *erwin
+ - *erwin_horus
+ - *read
 - path_regex: machines/saga/[^/]+\.ya?ml$
 key_groups:
 - age:
diff --git a/machines/default.nix b/machines/default.nix
index 3fd73cb..7f6721f 100644
--- a/machines/default.nix
+++ b/machines/default.nix
@@ -105,6 +105,13 @@ inputs: {
 tags = [ "metal" ];
 };
 };
+ read = {
+ config = import ./read/configuration.nix inputs;
+ deploy = {
+ host = "10.0.0.101";
+ tags = [ "container" ];
+ };
+ };
 proxy = {
 config = import ./proxy/configuration.nix inputs;
 deploy = {
diff --git a/machines/read/configuration.nix b/machines/read/configuration.nix
new file mode 100644
index 0000000..03025ba
--- /dev/null
+++ b/machines/read/configuration.nix
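Review bot: In the new `read` entry of machines/default.nix, `deploy.host = "10.0.0.101"` does not match the address the container assigns itself in machines/read/configuration.nix in this same patch (`Address = "10.0.0.207/24"`); if `deploy.host` is meant to be the container's own address the two disagree, and if it is meant to be the LXC host that is worth a comment, e.g. `host = "10.0.0.101"; # LXC host, not the container's address`. Also, if the machine list is kept alphabetical like the `.sops.yaml` entries in this patch, `read` belongs after `proxy` rather than before it. The enclosing attribute set starts and ends outside the hunk.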
@@ -0,0 +1,106 @@
+{ self, caddy-with-plugins, ... }:
+{
+ modulesPath,
+ pkgs,
+ config,
+ ...
+}:
+{
+ imports = [
+ (modulesPath + "/virtualisation/lxc-container.nix")
+ ../../users/root
+ ../../users/erwin
+
+ ./miniflux
+ ];
+
+ eboskma = {
+ users.erwin = {
+ enable = true;
+ server = true;
+ };
+ nix-common = {
+ enable = true;
+ remote-builders = true;
+ };
+ caddy-proxy = {
+ enable = true;
+ package = caddy-with-plugins.packages.${pkgs.system}.caddy-with-cloudflare;
+ proxyHosts = [
+ {
+ externalHostname = "read.datarift.nl";
+ proxyAddress = "${config.services.miniflux.config.LISTEN_ADDR}";
+ }
+ ];
+ };
+ tailscale.enable = true;
+ };
+
+ boot = {
+ isContainer = true;
+ kernel.sysctl = {
+ "net.core.rmem_max" = 2500000;
+ "net.core.wmem_max" = 2500000;
+ };
+ };
+
+ time.timeZone = "Europe/Amsterdam";
+
+ system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
+
+ networking = {
+ hostName = "read";
+ useDHCP = false;
+ useHostResolvConf = false;
+ networkmanager.enable = false;
+ useNetworkd = true;
+ nftables.enable = true;
+
+ firewall.trustedInterfaces = [ "tailscale0" ];
+ };
+
+ systemd = {
+ services.logrotate-checkconf.enable = false;
+
+ network = {
+ enable = true;
+
+ wait-online.anyInterface = true;
+
+ networks = {
+ "40-eth0" = {
+ matchConfig = {
+ Name = "eth0";
+ };
+
+ networkConfig = {
+ Address = "10.0.0.207/24";
+ Gateway = "10.0.0.1";
+ DNS = "10.0.0.206";
+ DHCP = "no";
+ };
+ };
+ };
+ };
+ };
+
+ security = {
+ sudo-rs = {
+ enable = true;
+ execWheelOnly = true;
+ wheelNeedsPassword = false;
+ };
+ sudo.enable = false;
+ };
+
+ sops.defaultSopsFile = ./secrets.yaml;
+ sops.secrets = {
+ caddy-env = { };
+ miniflux-admin-user = { };
+ miniflux-admin-password = { };
+ miniflux-oidc-client-id = { };
+ miniflux-oidc-client-secret = { };
+ };
+
+ system.stateVersion = "24.11";
+}
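Review bot: The five `sops.secrets` entries at the end of the hunk use the sops-nix defaults, which makes the decrypted files root-owned with mode 0400, yet four of them are handed to the miniflux service through `*_FILE` paths in `./miniflux`; as far as I recall the nixpkgs miniflux service runs as a non-root dynamic user, in which case it cannot open those files and the service will fail at startup — confirm against the module. A way to keep the secrets root-only and still make them available to the service is systemd's `LoadCredential=` on `systemd.services.miniflux`, with the `*_FILE` settings then pointing at `%d/<name>` (systemd expands `%d` to the credentials directory in `Environment=`). `security.sudo-rs.wheelNeedsPassword = false` grants wheel passwordless root; if that is the repository-wide convention a one-line comment saying so would spare the next reader the question. The sketch below adds the credential list inside the existing `systemd` block.
```nix
  systemd = {
    services.logrotate-checkconf.enable = false;

    # Hand the sops secrets to the miniflux service as systemd credentials so the
    # service can read them while the files under /run/secrets stay root-only.
    services.miniflux.serviceConfig.LoadCredential = [
      "admin-user:${config.sops.secrets.miniflux-admin-user.path}"
      "admin-password:${config.sops.secrets.miniflux-admin-password.path}"
      "oidc-client-id:${config.sops.secrets.miniflux-oidc-client-id.path}"
      "oidc-client-secret:${config.sops.secrets.miniflux-oidc-client-secret.path}"
    ];

    # … unchanged: network configuration …
  };
```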
diff --git a/machines/read/miniflux/default.nix b/machines/read/miniflux/default.nix
new file mode 100644
index 0000000..862a64a
--- /dev/null
+++ b/machines/read/miniflux/default.nix
@@ -0,0 +1,20 @@
+{ pkgs, config, ... }:
+{
+ services.miniflux = {
+ enable = true;
+ config = {
+ BASE_URL = "https://read.datarift.nl";
+ LISTEN_ADDR = "/run/miniflux/miniflux.sock";
+ POLLING_SCHEDULER = "entry_frequency";
+ OAUTH2_PROVIDER = "oidc";
+ OAUTH2_CLIENT_ID_FILE = config.sops.secrets.miniflux-oidc-client-id.path;
+ OAUTH2_CLIENT_SECRET_FILE = config.sops.secrets.miniflux-oidc-client-secret.path;
+ OAUTH2_REDIRCT_URL = "https://read.datarift.nl/oauth2/oidc/callback";
+ OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://id.datarift.nl/realms/datarift/";
+ ADMIN_USERNAME_FILE = config.sops.secrets.miniflux-admin-user.path;
+ ADMIN_PASSWORD_FILE = config.sops.secrets.miniflux-admin-password.path;
+ WEBAUTHN = 1;
+ };
+ adminCredentialsFile = pkgs.writeText "miniflux-dummy-admin-credentials" "";
+ };
+}
diff --git a/machines/read/secrets.yaml b/machines/read/secrets.yaml
new file mode 100644
index 0000000..df96740
--- /dev/null
+++ b/machines/read/secrets.yaml
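Review bot: `OAUTH2_REDIRCT_URL` in the new `services.miniflux.config` is misspelled; Miniflux's setting is `OAUTH2_REDIRECT_URL`, and since unknown environment variables are simply ignored the intended callback URL never takes effect, so the OIDC authorization request most likely goes out without the redirect URI registered at the identity provider. The fix is the single line `OAUTH2_REDIRECT_URL = "https://read.datarift.nl/oauth2/oidc/callback";`. A second thing to verify is the trailing slash on `OAUTH2_OIDC_DISCOVERY_ENDPOINT`: OIDC client libraries usually compare the value they were given with the `issuer` the provider advertises, and Keycloak realms advertise theirs without a trailing slash, so `"https://id.datarift.nl/realms/datarift"` is the safer form. A short comment above `adminCredentialsFile` saying that the empty file only satisfies the module's required option while the real admin credentials come from `ADMIN_USERNAME_FILE`/`ADMIN_PASSWORD_FILE` would also help the next reader.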
@@ -0,0 +1,43 @@ +caddy-env: ENC[AES256_GCM,data:gw+QSN+c2Lp2F4wNzhTXklq9sUrDT389KLAh2YRpZbqxWpodx4LPJ1uIUsMC1TdeYmq+lkI+,iv:iXjLwOfQo9wEa9bBlE5HYUKDNriJgcm7hxPsBys62hk=,tag:DbutFgWz5ZqHE1/aP4+7Ag==,type:str] +miniflux-admin-user: ENC[AES256_GCM,data:G0JD/iI=,iv:CPVSFIr5TzOGmyAt1zkz37Zld1lfPrnDxdOoJ8oGivQ=,tag:2RmlqB5zNyTBVSPv3zankA==,type:str] +miniflux-admin-password: ENC[AES256_GCM,data:kIxW0Ybz5ZNCBaKiwg==,iv:HMbW6vfid8r9ZDpzlWGYJwALF1wz7NuVvEKtGW27twk=,tag:TXsYzDmIXSsACxe62F15sQ==,type:str] +miniflux-oidc-client-id: ENC[AES256_GCM,data:yCIEu1PBGAA=,iv:YpOU0lfzXNMlwb5jI8LO1WV58j3QwidbxbT5OJu2Vtw=,tag:MrnFlwxcg6wV9bG93XKyVg==,type:str] +miniflux-oidc-client-secret: ENC[AES256_GCM,data:0wVAofr4H7juq3QrqO0fH6lWpdxKbSbUjqo7GtVcnns=,iv:rnePz45XaTkshZ/0YsnmW6VVfJI3FIw4n+SN+2lVrcs=,tag:Mk7IVkrmDsF2sjszhbgf4A==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYRHo4TVNEeWhySXlVOWZs + amRZOWRCUzlvenNkeXY0MzFtNUl6dzJiR1hnCkJzZno4NE5lQzAzb3U5TGN5NnlG + dlh4VmxQWVRrZUFGUEs5OVFzV3FYbFUKLS0tIFJnMTVFVFlja2FNM1VPa0d5MDVZ + OG80aHp3OWRwWTZqWFBlSUhuZWFLRHcKjLMykruXBQxp5ncKqGJ6R1xcFx0xRJjW + +svOHaCOb+j7J8AFr/wLn1Cz9lhinqAfKL+rncCn+sq2tTsH1L0nrA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhMnVwSnhTNk9jM2pYWmVP + Q0t2RnJJNnZPRXpCQXlHQzB1YUl5aXpSc0RvClB5Q0xTemJpb3o3MUFjMlNuYlFO + LzZwRHZnVlU3OVB0bFZIektFMitiZXMKLS0tIHNKSzBVOVh5TXoySWxlOXFaQ25N + ZFlhanZ3WTZuR3Zoa3FiMGNHMXlkZFUKSR5yoXow2D07xpBIrgo2mDwjiWbWp1L9 + svyLVXtkxwSun0PqvZ4vg9dl7qLX3IwdaqtWvdetFF9ps7QEsnHzOg== + -----END AGE ENCRYPTED FILE----- + - recipient: age193v7jejqu7dxk4xejs9cfcatz7605wf4fmytxst424xel2e4z48qj8fflj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWSjJKRHV1azVyUGF6NVpL + NHlyWDBnbjRhdjRRR2ZxZy8rcDM1Q0Z4Um5RCjRjOExKWHJPSjExeSsxOEJLQlpI + Q0JkYlZGbVZuSy9yZTdRbFd2OGJwU00KLS0tIE1vbERsbDNOVWR3UHAxQVl2ZEts + alprbldiMEtZQ29DaUJzaEZlWmxXTmMKPYHIg4fMR5fbCoCAyHHuL/WGfn4D6mXJ + yulfOqthMxvvWr+9sOBeAWIWSCcc0DBmDjvUTaDqVA7pnhZE+hQ2mw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-07-15T21:34:14Z" + mac: ENC[AES256_GCM,data:NZ/kdtM1XFePRz6mbNhU1TZHsBSnQRU6k39dxYaXsDIS/oHM0Cy68qsCaniV309YmYSDmTFPJ9S9QAE3mVa7BbZvuYOcWkdMCRNC5gYKwvM2iP/gpu3XCm64emwDKm+bLL/kDFc69iCyyajPP/KhqvMoEgXrPCAnCWxzhER9LiI=,iv:UdFEQLegd7s0KUUt1BmRakFtEVE91L3M/pa59mjeKPc=,tag:iu8jzwYza7oa9a0lH1puaw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0