added stuff

2024-04-09 23:11:33 +02:00 · 2024-04-09 23:11:33 +02:00 · 236b8c2a6b
commit 236b8c2a6b
parent 937f28770d
907 changed files with 70990 additions and 0 deletions
--- a/nyx/modules/core/common/secrets/default.nix
+++ b/nyx/modules/core/common/secrets/default.nix
@ -0,0 +1,180 @@
+{
+  self,
+  lib,
+  config,
+  ...
+}: let
+  inherit (lib) mkIf optionalString;
+
+  sys = config.modules.system;
+  cfg = sys.services;
+
+  # mkSecret is an abstraction over agenix secrets
+  # it allows for secrets to be written conditionally and with
+  # relatively secure defaults without having to set each one of them
+  # manually.
+  mkSecret = enableCondition: {
+    file,
+    owner ? "root",
+    group ? "root",
+    mode ? "400",
+  }:
+    mkIf enableCondition {
+      file = "${self}/secrets/${file}";
+      inherit group owner mode;
+    };
+in {
+  age.identityPaths = [
+    "${optionalString sys.impermanence.root.enable "/persist"}/etc/ssh/ssh_host_ed25519_key"
+    "${optionalString sys.impermanence.home.enable "/persist"}/home/notashelf/.ssh/id_ed25519"
+  ];
+
+  age.secrets = {
+    # TODO: system option for declaring host as a potential builder
+    nix-builderKey = mkSecret true {
+      file = "common-nix-builder.age";
+    };
+
+    tailscale-client = mkSecret true {
+      file = "client-tailscale.age";
+      owner = "notashelf";
+      group = "users";
+      mode = "400";
+    };
+
+    # secrets needed for peers
+    spotify-secret = mkSecret config.modules.system.programs.spotify.enable {
+      file = "client-spotify.age";
+      owner = "notashelf";
+      group = "users";
+      mode = "400";
+    };
+
+    wg-client = mkSecret true {
+      file = "client-wg.age";
+      owner = "notashelf";
+      group = "users";
+      mode = "700";
+    };
+
+    client-email = mkSecret true {
+      file = "client-email.age";
+      owner = "notashelf";
+      group = "users";
+      mode = "400";
+    };
+
+    # database secrets
+    mongodb-secret = mkSecret cfg.database.mongodb.enable {
+      file = "db-mongodb.age";
+    };
+
+    garage-env = mkSecret cfg.database.garage.enable {
+      file = "db-garage.age";
+      mode = "400";
+      owner = "garage";
+      group = "garage";
+    };
+
+    # service secrets
+    wg-server = mkSecret cfg.networking.wireguard.enable {
+      file = "service-wg.age";
+    };
+
+    mkm-web = mkSecret cfg.mkm.enable {
+      file = "service-mkm-web.age";
+      mode = "400";
+    };
+
+    matrix-secret = mkSecret cfg.social.matrix.enable {
+      file = "service-matrix.age";
+      owner = "matrix-synapse";
+      mode = "400";
+    };
+
+    vaultwarden-env = mkSecret cfg.vaultwarden.enable {
+      file = "service-vaultwarden.age";
+      owner = "vaultwarden";
+      mode = "400";
+    };
+
+    searx-secretkey = mkSecret cfg.searxng.enable {
+      file = "service-searx.age";
+      mode = "400";
+      owner = "searx";
+      group = "searx";
+    };
+
+    nextcloud-secret = mkSecret cfg.nextcloud.enable {
+      file = "service-nextcloud.age";
+      mode = "400";
+      owner = "nextcloud";
+      group = "nextcloud";
+    };
+
+    attic-env = mkSecret cfg.bincache.atticd.enable {
+      file = "service-attic.age";
+      mode = "400";
+      owner = "atticd";
+      group = "atticd";
+    };
+
+    harmonia-privateKey = mkSecret cfg.bincache.harmonia.enable {
+      file = "service-harmonia.age";
+      mode = "770";
+      owner = "harmonia";
+      group = "harmonia";
+    };
+
+    forgejo-runner-token = mkSecret cfg.forgejo.enable {
+      file = "service-forgejo-runner-token.age";
+      mode = "400";
+      owner = "gitea-runner";
+      group = "gitea-runner";
+    };
+
+    forgejo-runner-config = mkSecret cfg.forgejo.enable {
+      file = "service-forgejo-runner-config.age";
+      mode = "400";
+      owner = "gitea-runner";
+      group = "gitea-runner";
+    };
+
+    # mailserver secrets
+    mailserver-secret = mkSecret cfg.mailserver.enable {
+      file = "mailserver-postmaster.age";
+      mode = "400";
+    };
+
+    mailserver-forgejo-secret = mkSecret cfg.forgejo.enable {
+      file = "mailserver-forgejo.age";
+      owner = "forgejo";
+      group = "forgejo";
+      mode = "400";
+    };
+
+    mailserver-vaultwarden-secret = mkSecret cfg.vaultwarden.enable {
+      file = "mailserver-vaultwarden.age";
+      owner = "vaultwarden";
+      mode = "400";
+    };
+
+    mailserver-cloud-secret = mkSecret cfg.nextcloud.enable {
+      file = "mailserver-cloud.age";
+      owner = "nextcloud";
+      mode = "400";
+    };
+
+    mailserver-matrix-secret = mkSecret cfg.social.matrix.enable {
+      file = "mailserver-matrix.age";
+      owner = "matrix-synapse";
+      mode = "400";
+    };
+
+    mailserver-noreply-secret = mkSecret cfg.social.mastodon.enable {
+      file = "mailserver-noreply.age";
+      owner = "mastodon";
+      mode = "400";
+    };
+  };
+}