From beaceffff0accc30d7394c4e2865bea5797be6c0 Mon Sep 17 00:00:00 2001 From: andromeda Date: Tue, 6 Jan 2026 18:30:12 +0100 Subject: [PATCH] init --- flake.nix | 4 +++- machines.nix | 1 + machines/lenovo/configuration.nix | 1 - modules/nixos/common.nix | 8 ++++++-- modules/nixos/networking/ssh-as-root.nix | 4 ++-- modules/nixos/zulip.nix | 1 + pub-keys.nix | 5 +++++ secrets/secrets.nix | 5 +++++ secrets/zulip-avatarSaltKey.age | Bin 0 -> 493 bytes secrets/zulip-camoKey.age | Bin 0 -> 483 bytes secrets/zulip-rabbitmqPassword.age | 9 +++++++++ secrets/zulip-secretKey.age | Bin 0 -> 501 bytes secrets/zulip-sharedSecretKey.age | Bin 0 -> 483 bytes 13 files changed, 32 insertions(+), 6 deletions(-) create mode 100644 secrets/zulip-avatarSaltKey.age create mode 100644 secrets/zulip-camoKey.age create mode 100644 secrets/zulip-rabbitmqPassword.age create mode 100644 secrets/zulip-secretKey.age create mode 100644 secrets/zulip-sharedSecretKey.age diff --git a/flake.nix b/flake.nix index 0965a26..e6cf000 100644 --- a/flake.nix +++ b/flake.nix @@ -80,7 +80,9 @@ if machine.hostname != "109-199-104-83" then {config, ...}: { - imports = [./machines/${machine.hostname}/configuration.nix]; + imports = [ + ./machines/${machine.hostname}/configuration.nix + ]; networking.domain = config.networking.hostName; # temporary fix } else {imports = machine.modules;} diff --git a/machines.nix b/machines.nix index 90a2e61..69d0d14 100644 --- a/machines.nix +++ b/machines.nix @@ -10,6 +10,7 @@ ]; }; "109-199-104-83" = { + hostname = "109-199-104-83"; system = "x86_64-linux"; users = []; modules = [ diff --git a/machines/lenovo/configuration.nix b/machines/lenovo/configuration.nix index 05dd082..152d136 100644 --- a/machines/lenovo/configuration.nix +++ b/machines/lenovo/configuration.nix @@ -8,7 +8,6 @@ imports = [ ./impermanence.nix (modulesPath + "/installer/scan/not-detected.nix") - ../../modules/nixos/zulip.nix ]; boot.loader = { efi.canTouchEfiVariables = true; 
diff --git a/modules/nixos/common.nix b/modules/nixos/common.nix index 3c00de0..c0d1d73 100644 --- a/modules/nixos/common.nix +++ b/modules/nixos/common.nix @@ -1,4 +1,8 @@ -{config, ...}: { +{ + config, + lib, + ... +}: { # flakes usage nix.settings.experimental-features = [ "flakes" @@ -12,5 +16,5 @@ # cleans /tmp to maintain a tidy system boot.tmp.cleanOnBoot = true; - networking.domain = config.networking.hostname; + networking.domain = lib.mkDefault config.networking.hostName; } diff --git a/modules/nixos/networking/ssh-as-root.nix b/modules/nixos/networking/ssh-as-root.nix index d882a46..46cbde6 100644 --- a/modules/nixos/networking/ssh-as-root.nix +++ b/modules/nixos/networking/ssh-as-root.nix @@ -1,3 +1,3 @@ -{ - services.openssh.settings.PermitRootLogin = "yes"; +{lib, ...}: { + services.openssh.settings.PermitRootLogin = lib.mkForce "yes"; } diff --git a/modules/nixos/zulip.nix b/modules/nixos/zulip.nix index 736ffad..de88f9f 100644 --- a/modules/nixos/zulip.nix +++ b/modules/nixos/zulip.nix @@ -15,6 +15,7 @@ EXTERNAL_HOST = "chat.${config.networking.domain}"; }; }; + services.postgresql.enable = true; mailserver.loginAccounts = { "zulip+admin@${config.networking.domain}" = { hashedPasswordFile = builtins.toString config.age.secrets."mailserver-acc-zulip+admin-pw".path; diff --git a/pub-keys.nix b/pub-keys.nix index c02ac37..04fae14 100644 --- a/pub-keys.nix +++ b/pub-keys.nix @@ -5,6 +5,11 @@ mailserver-acc-test-pw.file = ./secrets/mailserver-acc-test-pw.age; mailserver-acc-admin-pw.file = ./secrets/mailserver-acc-admin-pw.age; "mailserver-acc-zulip+admin-pw".file = ./secrets + "/mailserver-acc-zulip+admin-pw.age"; + zulip-avatarSaltKey.file = ./secrets/zulip-avatarSaltKey.age; + zulip-camoKey.file = ./secrets/zulip-camoKey.age; + zulip-rabbitmqPassword.file = ./secrets/zulip-rabbitmqPassword.age; + zulip-secretKey.file = ./secrets/zulip-secretKey.age; + zulip-sharedSecretKey.file = ./secrets/zulip-sharedSecretKey.age; }; pub-keys = { ssh = { 
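Review bot: The new `networking.domain = lib.mkDefault config.networking.hostName;` line in modules/nixos/common.nix carries no comment saying it is only a fallback. modules/nixos/zulip.nix derives `EXTERNAL_HOST = "chat.${config.networking.domain}"` and the mail login address from the same option, so a host that does not override it would use its bare host name as the DNS domain for those services. I would add a comment above the line such as `# fallback only: hosts that serve mail or chat must set their real DNS domain`. The lines between the two hunks of this file are not visible here.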
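Review bot: In modules/nixos/networking/ssh-as-root.nix, `PermitRootLogin = lib.mkForce "yes"` lets root log in with a password as well as a key. `mkForce` also makes it win over any stricter value set by another module, so a hardening profile added later would be silently overridden. If key-based root access is all the deployment needs, `services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";` keeps root login working while refusing passwords. Whether `PasswordAuthentication` is disabled elsewhere is not visible in this patch; if it is, a comment saying so and explaining why the force is needed would help the next reader.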
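Review bot: The five new `zulip-*` entries in pub-keys.nix set only `.file`, so the decrypted files get the secret module's default ownership and mode. Assuming this attrset feeds agenix's `age.secrets` (zulip.nix reads `config.age.secrets.….path`), that means root-owned and mode 0400. If the Zulip or RabbitMQ services read these files as their own users they will fail, and the usual shortcut is to loosen the mode afterwards. I would set the owner explicitly per secret, e.g. `zulip-secretKey = { file = ./secrets/zulip-secretKey.age; owner = "zulip"; };`, where the user name is a placeholder to be taken from the Zulip module. The attrset starts above the hunk.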
diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 56de4d5..62ec92a 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -9,4 +9,9 @@ in { "mailserver-acc-test-pw.age".publicKeys = [andromeda lenovo _109-199-104-83]; "mailserver-acc-admin-pw.age".publicKeys = [andromeda lenovo _109-199-104-83]; "mailserver-acc-zulip+admin-pw.age".publicKeys = [andromeda lenovo _109-199-104-83]; + "zulip-avatarSaltKey.age".publicKeys = [andromeda lenovo _109-199-104-83]; + "zulip-camoKey.age".publicKeys = [andromeda lenovo _109-199-104-83]; + "zulip-rabbitmqPassword.age".publicKeys = [andromeda lenovo _109-199-104-83]; + "zulip-secretKey.age".publicKeys = [andromeda lenovo _109-199-104-83]; + "zulip-sharedSecretKey.age".publicKeys = [andromeda lenovo _109-199-104-83]; } diff --git a/secrets/zulip-avatarSaltKey.age b/secrets/zulip-avatarSaltKey.age new file mode 100644 index 0000000000000000000000000000000000000000..9d0ad8a742122b5376cb61024a0339cdf18fa177 GIT binary patch literal 493 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU74KYfqOjj_r$Sn%> zHuMhlb}coE$ju2hb}K0}@J%huN(;2CGRn!S49>7j&2&%9$>%C@sYuFmNi3^~@<{hA zGAvFst8gszHFk^)HxIQ8EJ}9Gad8X}33Ku)^hLKV)T1J;%uyjR%(NgVCpj(5FC?wF zGT$#V&nVxo$VA^mztkf*!!sq*I4#sT#L~qz*MQ4h-#n?r!?PmU%`(gXqAaI^lu+j&KZES>^pxZZwCYyk}97pw}O=Piik+(oFdn>R3~Q>ZNosfh}3*b z=d=tDqfG5$V@Iw8uKaIHj25&uPoBP!!RDH}!{^wK6)j&^Ulvc6v@NZ7jedQWse0#g z7mnsKJyZ6(S6cpmw)gP1b(z%d>&4jqWaX)^6({3g-fY} JGZaSJ003KIt?K{) literal 0 HcmV?d00001 
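Review bot: All five new `zulip-*.age` rules in secrets/secrets.nix list `lenovo` as a recipient, yet this same commit removes `../../modules/nixos/zulip.nix` from machines/lenovo/configuration.nix. That host key can therefore decrypt Zulip's secret key and RabbitMQ password without, as far as the patch shows, running the service. Restricting recipients to the admin key and the host that runs Zulip limits what a compromise of the other machine exposes, e.g. `"zulip-secretKey.age".publicKeys = [andromeda _109-199-104-83];` if that is the Zulip host. The committed files are already encrypted to three recipients (zulip-rabbitmqPassword.age carries three `ssh-ed25519` stanzas), so they would need `agenix --rekey` after the change. Because the old ciphertexts stay in git history, the secret values should also be regenerated.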
diff --git a/secrets/zulip-camoKey.age b/secrets/zulip-camoKey.age new file mode 100644 index 0000000000000000000000000000000000000000..b3913f28a06843c0648d3e0aa09495f0a434792c GIT binary patch literal 483 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU74KYfqOjjt%)OO0! zPE0n>^bdB|_BAhb_X~_nF9`}Mh$=BNFAw+0@bw5Xb1ZUk%jXIUvIr}3DzDTxa5Ji` zjLga~3r`CU^bSl-()J1r4X!Nmb{H@6IDN0Z`W3zHnL5R-yTV{PBu+_a?NAWwJ4 zP|NTDxALm&u*~w%)N(FeU0sC?Qzx@f3rCOQJl|xKFy|n@5=ZR{lVDRPXBVfkz^ugN zRP&s0eP`{o#B#3BX9HK9zO-M?z;?~nw^2L%-zLAc+1q^2mi4&IlK831gPyUhKQQ4g z!?p*fCwCo*n?svzJrfXFwRtvmjC!oSY+8e0CN_t A4gdfE literal 0 HcmV?d00001 diff --git a/secrets/zulip-rabbitmqPassword.age b/secrets/zulip-rabbitmqPassword.age new file mode 100644 index 0000000..742689b --- /dev/null +++ b/secrets/zulip-rabbitmqPassword.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 mT2fyg N+K4UqHYGQTzqq5wMhEs5ijh8a8uXarYy2BpWH2GAUY +7mWlRNsudiBCr34QMXkzwkyRZa9K6pAPLX0phQBIH1A +-> ssh-ed25519 UHxfvA i5e8E+FMsG+n+jl5ASBYbPvnME7X58sMMAlYelZAm3A +ARlV+vWRRsFVAsjdk+JgUMgp49muyGFF5g+iyzpyJQY +-> ssh-ed25519 Xoin5w 0EH6bLW0DwwVi8GMjq4ZjlBak1QQ0cxh/+KK/e1rPTY +yIpSegzmBeJ86jApt23Kv9vZ2sVLC8dFYa9t43/x8MM +--- c4PhDnZ271mJc2sc7DSIRqVF503JSsZhBj2ANwcT2po +PKF !"Mgo/gF0@gA΄Pm+uLo  {,ʰF'E|- \ No newline at end of file 
diff --git a/secrets/zulip-secretKey.age b/secrets/zulip-secretKey.age new file mode 100644 index 0000000000000000000000000000000000000000..b56cf40f43a19fc91a664556207f4b670d6b0514 GIT binary patch literal 501 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU74KYfqOjq!CtqRUa zEh+U&bSv_9DyR(d3Cs5>Dm17F_sOsbDi3ig(2nr+GxG9rE9c6M(hiUGs4|Xp^bd5+ z@^LE7OZ3$Di^}%MD9R7=&@XX{Ec7eMEAa}$ip%)s=~zA(Yq)r!pR~kU*D`a-7noKJdn%S%Qet3-8i($-z+j*-ykvHwKO}i zI3ggbw6wz5*dy5Az{NAg-zB2J!~os4i2Tev({crU6Mya8yvPdus>G~(-{7iZ6VGh- zV(s#@B2&-YkiaU7%rr~$;Ph1eOi!+yO5;kOaOdQFuksX6lfcrT$czv(6YpGK%iM}0 z!xVkf)a(dne^+f^r%*0kU0nr_boXp8r&Qyx{3K@=i##7A*HFVk&*ESg{St#vld_yN z{V)rUfUtDaVoxsS3FoHT&Mr0jYr1&d&@AE!TDq^hk~huS#|+G|Dk8_K$RraPkc*%F4|O&F6BDFwYJNNe{>hN=Zpc zDK1KNjV$zt3`{llDfEr>ED3i?wv6&~%k?$)Oh&gY)T1J;%uylV&^tT7yf`r2DZJFB z$e`TBBQn>ou*5Va$Th$*%EvPxC&SO*C@Cn|#g{A4Oh4Q(Jt?cKR6jD*)g!pfCCoI- z(V{Fe$<^36E7HuuKdHdny+S|D%>v!Fi2Tev({hDSa|09e^gIuP#0pcNq6)9bDl=#8 zjFLpN3e)fibC-(L!tzQ#*G$vQJQFVG;*_w;;Hbo$6i07Q%e;WZ2sclE4`&zCL|==_ zBr}t;BI6|gC@25?a$hc8U0nrpe}7Y>qGIjvaHArlqVgc~B>xbTwBYh$i=3!}Qe)$Y z)LaW+|H`!7KnpI0O-DkEe}`><`0JfWZJU&dM}D