john/dendritic
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: john/dendritic:main
Branches Tags
john/dendritic:main john/dendritic:wrappers john/dendritic:forgejo
..
compare: john/dendritic:5cb1c88e517630a1f27332251a44216f48acf135
Branches Tags
john/dendritic:wrappers john/dendritic:forgejo john/dendritic:main

25 Commits
main .. 5cb1c88e51

Author SHA1 Message Date
John Lancaster 5cb1c88e51 lockfile update 2026-04-09 23:52:03 -05:00
John Lancaster 5fcd6abdb2 test-push using nh 2026-04-05 11:22:47 -05:00
John Lancaster e59aa7a5f1 home manager rebuilds using nh pacakge for nice outputs 2026-04-05 11:13:17 -05:00
John Lancaster bf9c3c2597 lf settings 2026-04-05 11:02:37 -05:00
John Lancaster 151512a071 added nix shell-tools 2026-04-05 10:38:46 -05:00
John Lancaster 8141662832 added some oauth2 client options 2026-04-04 17:28:20 -05:00
John Lancaster 1196d69778 broke out root_url option for forgejo 2026-04-04 13:51:40 -05:00
John Lancaster c1e00a7c45 clean script updates 2026-04-04 13:44:48 -05:00
John Lancaster fe19700514 set timezone on soteria 2026-04-04 13:33:20 -05:00
John Lancaster 25ea6ac502 fixed forgejo dump 2026-04-04 13:33:12 -05:00
John Lancaster 01fde39946 updated eza alias flags 2026-04-04 13:33:02 -05:00
John Lancaster 84b32cea01 service_status motd updates 2026-04-04 13:15:29 -05:00
John Lancaster bccb96a0b3 updated soteria settings 2026-04-04 12:26:05 -05:00
John Lancaster 44fd737afe reorg 2026-04-04 12:25:56 -05:00
John Lancaster 0854439bdf disabled TCP connections for postgres 2026-04-04 12:21:50 -05:00
John Lancaster ff70a35078 janus-ca pkg updates 2026-04-04 12:09:13 -05:00
John Lancaster b8b8a445f9 mTLS generate script improvements 2026-04-04 11:09:25 -05:00
John Lancaster 13a841c8db mtls optimizations 2026-04-04 10:44:37 -05:00
John Lancaster 6c26e898b2 improving renew script 2026-04-04 09:46:55 -05:00
John Lancaster 710f13ace4 renew script tweaks 2026-04-04 09:33:08 -05:00
John Lancaster 1a7a1189e7 privileged port permissions for https 2026-04-03 18:16:29 -05:00
John Lancaster ff74205c57 mtls file permissions 2026-04-03 18:16:12 -05:00
John Lancaster 32b7932916 script tweaks 2026-04-02 17:28:06 -05:00
John Lancaster f05a3af30d forgejo secrets 2026-04-02 17:24:32 -05:00
John Lancaster 3e84eb641f added forgejo secrets to soteria 2026-04-02 07:56:35 -05:00
12 changed files with 382 additions and 219 deletions
Expand all files Collapse all files
flake.lock
Generated
+28 -28
View File
@@ -95,11 +95,11 @@
"nixpkgs": "nixpkgs" "nixpkgs": "nixpkgs"
}, },
"locked": { "locked": {
"lastModified": 1775080052, "lastModified": 1775781825,
"narHash": "sha256-jAB4ZZbx8ECu9GcE/PUUwT+wpooZ0Ssmn2imB8PVTdM=", "narHash": "sha256-L5yKTpR+alrZU2XYYvIxCeCP4LBHU5jhwSj7H1VAavg=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "6267895e9898399f0ce2fe79b645e9ee4858aaff", "rev": "e35c39fca04fee829cecdf839a50eb9b54d8a701",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -184,11 +184,11 @@
"nixos-hardware": { "nixos-hardware": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1774933469, "lastModified": 1775490113,
"narHash": "sha256-OrnCQeUO2bqaWUl0lkDWyGWjKsOhtCyd7JSfTedQNUE=", "narHash": "sha256-2ZBhDNZZwYkRmefK5XLOusCJHnoeKkoN95hoSGgMxWM=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "f4c4c2c0c923d7811ac2a63ccc154767e4195337", "rev": "c775c2772ba56e906cbeb4e0b2db19079ef11ff7",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -199,11 +199,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1774709303, "lastModified": 1775423009,
"narHash": "sha256-D3Q07BbIA2KnTcSXIqqu9P586uWxN74zNoCH3h2ESHg=", "narHash": "sha256-vPKLpjhIVWdDrfiUM8atW6YkIggCEKdSAlJPzzhkQlw=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "8110df5ad7abf5d4c0f6fb0f8f978390e77f9685", "rev": "68d8aa3d661f0e6bd5862291b5bb263b2a6595c9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -215,11 +215,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1775064974, "lastModified": 1775763530,
"narHash": "sha256-PqhsO5qloSyvATi9qAIrgUcEFK67xSoacjacPw+t4H0=", "narHash": "sha256-QIGMZuG5QK1Z4OEMDSpEJc7JRonbemZ9S+xpBIsQuNE=",
"rev": "6ebfbc38bdc6b22822a6f991f2d922306f33cfbc", "rev": "b0188973b4b2a5b6bdba8b65381d6cd09a533da0",
"type": "tarball", "type": "tarball",
"url": "https://releases.nixos.org/nixpkgs/nixpkgs-26.05pre973084.6ebfbc38bdc6/nixexprs.tar.xz" "url": "https://releases.nixos.org/nixpkgs/nixpkgs-26.05pre977728.b0188973b4b2/nixexprs.tar.xz"
}, },
"original": { "original": {
"type": "tarball", "type": "tarball",
@@ -228,11 +228,11 @@
}, },
"nixpkgs_3": { "nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1774610258, "lastModified": 1775579569,
"narHash": "sha256-HaThtroVD9wRdx7KQk0B75JmFcXlMUoEdDFNOMOlsOs=", "narHash": "sha256-/m3yyS/EnXqoPGBJYVy4jTOsirdgsEZ3JdN2gGkBr14=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "832efc09b4caf6b4569fbf9dc01bec3082a00611", "rev": "dfd9566f82a6e1d55c30f861879186440614696e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -254,11 +254,11 @@
"systems": "systems_2" "systems": "systems_2"
}, },
"locked": { "locked": {
"lastModified": 1774852850, "lastModified": 1775756052,
"narHash": "sha256-7VK4v7ZbQw5apfgc+FvgRi8BUC45ERlcp8VTTTQ3tko=", "narHash": "sha256-B2O9vV5uLeXfUdDxMz3e1g1A1T9XXTl6hav0BOZzoFU=",
"owner": "notashelf", "owner": "notashelf",
"repo": "nvf", "repo": "nvf",
"rev": "b4d6539e7e9948aaba5efd7a67a63672d1fa80ef", "rev": "fee5ed510e9b1648bda3764b4009682dbbff90f4",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -292,11 +292,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1774910634, "lastModified": 1775682595,
"narHash": "sha256-B+rZDPyktGEjOMt8PcHKYmgmKoF+GaNAFJhguktXAo0=", "narHash": "sha256-0E9PohY/VuESLq0LR4doaH7hTag513sDDW5n5qmHd1Q=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "19bf3d8678fbbfbc173beaa0b5b37d37938db301", "rev": "d2e8438d5886e92bc5e7c40c035ab6cae0c41f76",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -340,11 +340,11 @@
"nixpkgs": "nixpkgs_3" "nixpkgs": "nixpkgs_3"
}, },
"locked": { "locked": {
"lastModified": 1774879171, "lastModified": 1775724285,
"narHash": "sha256-a6JZDuBIwQmuEwYM4dziH+WyrpE8HCP8F7JFIn3CNvw=", "narHash": "sha256-/ukfzDYzcuz7i+unH7XioPS3Acam6FC935XsOCaJDmY=",
"owner": "BirdeeHub", "owner": "BirdeeHub",
"repo": "nix-wrapper-modules", "repo": "nix-wrapper-modules",
"rev": "bab35ffae25cf6f4e4fdb3c2f7f0ac80966ce737", "rev": "d79d2f910dd0d8bffd11113865923199cb304f86",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -360,11 +360,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1774293387, "lastModified": 1775600302,
"narHash": "sha256-yVekLWxKTUfUyuvo9HVihtOK8llIP3IZCrJmftxT+Nc=", "narHash": "sha256-2fgKImv78CXIcfo1RsY7EI4uMZ84x/MggA5rrusYc7c=",
"owner": "lassulus", "owner": "lassulus",
"repo": "wrappers", "repo": "wrappers",
"rev": "3cf1e8371129e8746d37c863c5d56a81fb16caa0", "rev": "9d8397d8ef1ac35763085f3338589f558128f7db",
"type": "github" "type": "github"
}, },
"original": { "original": {
modules/features/forgejo.nix
+97 -14
View File
@@ -2,10 +2,14 @@
flake.modules.nixos.forgejo = {config, pkgs, lib, ... }: flake.modules.nixos.forgejo = {config, pkgs, lib, ... }:
let let
cfg = config.forgejo; cfg = config.forgejo;
needsPrivilegedPort = cfg.port < 1024;
in in
{ {
options.forgejo = { options.forgejo = {
enable = lib.mkEnableOption "Enable Forgejo backed with PostgreSQL"; enable = lib.mkEnableOption "Enable Forgejo backed with PostgreSQL";
root_url = lib.mkOption {
type = lib.types.str;
};
port = lib.mkOption { port = lib.mkOption {
type = lib.types.port; type = lib.types.port;
@@ -25,40 +29,119 @@
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
networking.firewall.allowedTCPPorts = lib.optionals cfg.openFirewall [ cfg.port ]; networking.firewall.allowedTCPPorts = lib.optionals cfg.openFirewall [ cfg.port ];
services.forgejo = { systemd.services.forgejo.serviceConfig = lib.mkIf needsPrivilegedPort {
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
PrivateUsers = lib.mkForce false;
};
sops.secrets = {
"forgejo/secret_key".owner = config.services.forgejo.user;
"forgejo/internal_token".owner = config.services.forgejo.user;
"forgejo/jwt_secret".owner = config.services.forgejo.user;
"forgejo/lfs_jwt_secret".owner = config.services.forgejo.user;
};
services = {
forgejo = {
enable = true; enable = true;
lfs.enable = true; lfs.enable = true;
settings.server = lib.mkMerge [ database.type = "postgres";
settings = {
DEFAULT = {
RUN_MODE = "dev";
};
server = lib.mkMerge [
{ {
HTTP_PORT = cfg.port; HTTP_PORT = cfg.port;
DISABLE_SSH = true; DISABLE_SSH = true;
ROOT_URL = cfg.root_url;
} }
(lib.mkIf cfg.https { (lib.mkIf cfg.https {
ROOT_URL = "https://forgejo.john-stream.com";
PROTOCOL = "https"; PROTOCOL = "https";
COOKIE_SECURE = true; COOKIE_SECURE = true;
KEY_FILE = config.mtls.keyFile; KEY_FILE = config.mtls.keyFile;
CERT_FILE = config.mtls.certFile; CERT_FILE = config.mtls.certFile;
}) })
]; ];
oauth2_client = {
database = { ENABLE_AUTO_REGISTRATION = true;
type = "postgres"; USERNAME = "nickname";
port = config.services.postgresql.settings.port; UPDATE_AVATAR = true;
# createDatabase = false; ACCOUNT_LINKING = "login";
REGISTER_EMAIL_CONFIRM = false;
};
repository = {
ENABLE_PUSH_CREATE_USER = true;
};
ui.SHOW_USER_EMAIL = false;
markup = {
ENABLED = true;
}; };
# dump = {
# enable = true;
# interval = "12h";
# };
}; };
services.postgresql = { secrets = {
security = {
SECRET_KEY = lib.mkForce config.sops.secrets."forgejo/secret_key".path;
INTERNAL_TOKEN = lib.mkForce config.sops.secrets."forgejo/internal_token".path;
};
oauth2.JWT_SECRET = lib.mkForce config.sops.secrets."forgejo/jwt_secret".path;
server.LFS_JWT_SECRET = lib.mkForce config.sops.secrets."forgejo/lfs_jwt_secret".path;
};
dump = {
enable = true; enable = true;
settings = { type = "tar";
interval = "*-*-* 00/12:00:00";
};
};
postgresql = {
enable = true;
enableTCPIP = false;
}; };
}; };
# https://forgejo.org/docs/latest/admin/command-line/#dump
systemd.services.forgejo-dump.serviceConfig.ExecStart = lib.mkForce ''
${lib.getExe config.services.forgejo.package} dump --verbose \
--type ${config.services.forgejo.dump.type} \
--database postgres \
--work-path ${config.services.forgejo.dump.backupDir}
'';
environment.systemPackages =
let
systemctl = lib.getExe' pkgs.systemd "systemctl";
clean-forgejo = (pkgs.writeShellScriptBin "clean-forgejo" ''
set -euo pipefail
sudo ${systemctl} stop forgejo.service
${lib.getExe' pkgs.coreutils "echo"} "Stopped Forgejo"
sudo ${lib.getExe' pkgs.coreutils "rm"} -rf ${config.services.forgejo.stateDir}
${lib.getExe' pkgs.coreutils "echo"} "Removed ${config.services.forgejo.stateDir}"
'');
clean-postgres = (pkgs.writeShellScriptBin "clean-postgres" ''
set -euo pipefail
sudo ${systemctl} stop postgresql.service
${lib.getExe' pkgs.coreutils "echo"} "Stopped PostgreSQL"
sudo ${lib.getExe' pkgs.coreutils "rm"} -rf ${config.services.postgresql.dataDir}
${lib.getExe' pkgs.coreutils "echo"} "Removed ${config.services.postgresql.dataDir}"
'');
in [
clean-forgejo
clean-postgres
(pkgs.writeShellScriptBin "clean-all" ''
set -euo pipefail
GREEN_CHECK="\e[32m\e[0m"
YELLOW_BANG="\e[33m!\e[0m"
${lib.getExe' pkgs.coreutils "echo"} -n -e "$YELLOW_BANG Remove everything related to Forgejo and the PostgreSQL database behind it?"
read -p " (y/n) " -n 1 -r
if [[ $REPLY =~ ^[Yy]$ ]]; then
${lib.getExe clean-forgejo}
${lib.getExe clean-postgres}
${lib.getExe' pkgs.coreutils "echo"} -e "$GREEN_CHECK Removed everything related to forgejo"
fi
'')
];
}; };
}; };
} }
modules/features/mtls.nix
+80 -64
View File
@@ -66,9 +66,9 @@ let
default = "root"; default = "root";
}; };
group = lib.mkOption { group = lib.mkOption {
description = "Group to run the mTLS renewal service as. Defaults to the configured renewal user when null."; description = "Group to run the mTLS renewal service as. Defaults to the configured renewal user.";
type = lib.types.nullOr lib.types.str; type = lib.types.nullOr lib.types.str;
default = null; default = "mtls";
}; };
reloadUnits = lib.mkOption { reloadUnits = lib.mkOption {
description = "systemd units to try-reload-or-restart after a successful certificate renewal."; description = "systemd units to try-reload-or-restart after a successful certificate renewal.";
@@ -92,8 +92,13 @@ let
keyFile, keyFile,
bundleFile, bundleFile,
lifetime, lifetime,
user,
group,
}: }:
let let
catCmd = lib.getExe' pkgs.coreutils "cat";
chownCmd = lib.getExe' pkgs.coreutils "chown";
chmodCmd = lib.getExe' pkgs.coreutils "chmod";
stepCmd = lib.getExe pkgs.step-cli; stepCmd = lib.getExe pkgs.step-cli;
sanArgs = lib.concatMapStringsSep " " (s: "--san \"${s}\"") san; sanArgs = lib.concatMapStringsSep " " (s: "--san \"${s}\"") san;
in in
@@ -105,7 +110,10 @@ let
--provisioner ${provisioner} \ --provisioner ${provisioner} \
${sanArgs} \ ${sanArgs} \
"$@" "$@"
cat ${certFile} ${keyFile} > ${bundleFile} (umask 077; ${catCmd} ${certFile} ${keyFile} > ${bundleFile})
${chownCmd} ${user}:${group} ${certFile} ${keyFile} ${bundleFile}
${chmodCmd} 640 ${certFile} ${keyFile} ${bundleFile}
printf '\033[32m\033[0m \033[1mmTLS Bundle:\033[0m %s\n' ${lib.escapeShellArg bundleFile}
''; '';
mkMtlsCheckScript = { pkgs, bundleFile }: pkgs.writeShellScriptBin "mtls-check" '' mkMtlsCheckScript = { pkgs, bundleFile }: pkgs.writeShellScriptBin "mtls-check" ''
@@ -117,63 +125,71 @@ let
mkMtlsRenewScript = { mkMtlsRenewScript = {
pkgs, pkgs,
certFile, cfg,
keyFile,
bundleFile,
reloadUnits ? [ ],
postCommands ? [ ],
systemctlArgs ? [ ], systemctlArgs ? [ ],
}: }:
let let
catCmd = lib.getExe' pkgs.coreutils "cat";
echoCmd = lib.getExe' pkgs.coreutils "echo"; echoCmd = lib.getExe' pkgs.coreutils "echo";
systemctl = lib.getExe' pkgs.systemd "systemctl"; chownCmd = lib.getExe' pkgs.coreutils "chown";
escapedArgs = lib.escapeShellArgs systemctlArgs; chmodCmd = lib.getExe' pkgs.coreutils "chmod";
systemctlCommand = "${systemctl} ${escapedArgs}"; stepCmd = lib.getExe pkgs.step-cli;
systemctlCmd = "${lib.getExe' pkgs.systemd "systemctl"} ${lib.escapeShellArgs systemctlArgs}";
hasReloadUnits = cfg.renew.reloadUnits != [ ];
renewReloadScript = lib.concatMapStringsSep "\n" (unit: '' renewReloadScript = lib.concatMapStringsSep "\n" (unit: ''
if ${systemctlCommand} --quiet is-active "${unit}"; then if ${systemctlCmd} --quiet is-active "${unit}"; then
${systemctlCommand} try-reload-or-restart "${unit}" ${systemctlCmd} try-reload-or-restart "${unit}"
fi fi
'') reloadUnits; '') cfg.renew.reloadUnits;
renewPostCommands = lib.concatStringsSep "\n" postCommands;
hasPostCommands = cfg.renew.postCommands != [ ];
renewPostCommands = lib.concatStringsSep "\n" cfg.renew.postCommands;
fileOwner = "${cfg.renew.user}:${cfg.renew.group}";
in in
pkgs.writeShellScriptBin "mtls-renew" '' pkgs.writeShellScriptBin "mtls-renew" ''
set -euo pipefail set -euo pipefail
if ${lib.getExe pkgs.step-cli} certificate needs-renewal "${certFile}"; then YELLOW_BANG="\e[33m!\e[0m"
${echoCmd} "Renewing mTLS certificate"
else force=0
while [[ $# -gt 0 ]]; do
case $1 in
--force)
force=1
shift
;;
*)
${echoCmd} -e "$YELLOW_BANG Warning: ignoring unrecognized argument '$1'"
exit 1
;;
esac
done
if [[ $force -eq 0 ]] && ! ${stepCmd} certificate needs-renewal "${cfg.certFile}"; then
${echoCmd} "Skipping renew" ${echoCmd} "Skipping renew"
exit "$?" exit 0
fi fi
${lib.getExe pkgs.step-cli} ca renew --force "${certFile}" "${keyFile}" ${echoCmd} "Renewing mTLS certificate"
${stepCmd} ca renew --force "${cfg.certFile}" "${cfg.keyFile}"
(umask 077; ${catCmd} "${cfg.certFile}" "${cfg.keyFile}" > "${cfg.bundleFile}")
${chownCmd} ${fileOwner} ${cfg.certFile} ${cfg.keyFile} ${cfg.bundleFile}
${chmodCmd} 640 ${cfg.certFile} ${cfg.keyFile} ${cfg.bundleFile}
umask 077 ${lib.optionalString hasReloadUnits ''
${lib.getExe' pkgs.coreutils "cat"} "${certFile}" "${keyFile}" > "${bundleFile}" ${echoCmd} "Reloading units: ${lib.concatStringsSep ", " cfg.renew.reloadUnits}"
${echoCmd} "Reloading units:"
${renewReloadScript} ${renewReloadScript}
''}
${lib.optionalString hasPostCommands ''
${echoCmd} "Post commands:" ${echoCmd} "Post commands:"
${renewPostCommands} ${renewPostCommands}
''}
''; '';
mkNixosMtlsRenewService = { mkNixosMtlsRenewService = { pkgs, cfg, ... }:
pkgs,
certFile,
keyFile,
bundleFile,
reloadUnits ? [ ],
postCommands ? [ ],
user ? "root",
group ? null,
}:
let
serviceGroup = if group == null then user else group;
renewScript = mkMtlsRenewScript {
inherit pkgs certFile keyFile bundleFile reloadUnits postCommands;
};
in
{ {
description = "Renew the mTLS certificate when Smallstep marks it ready"; description = "Renew the mTLS certificate when Smallstep marks it ready";
wantedBy = [ ]; wantedBy = [ ];
@@ -181,9 +197,9 @@ let
wants = [ "network-online.target" ]; wants = [ "network-online.target" ];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
User = user; User = cfg.renew.user;
Group = serviceGroup; Group = cfg.renew.group;
ExecStart = lib.getExe renewScript; ExecStart = lib.getExe (mkMtlsRenewScript { inherit pkgs cfg; });
}; };
}; };
@@ -203,17 +219,10 @@ let
}; };
}; };
mkHomeManagerMtlsRenewService = { mkHomeManagerMtlsRenewService = { pkgs, cfg, ... }:
pkgs,
certFile,
keyFile,
bundleFile,
reloadUnits ? [ ],
postCommands ? [ ],
}:
let let
renewScript = mkMtlsRenewScript { renewScript = mkMtlsRenewScript {
inherit pkgs certFile keyFile bundleFile reloadUnits postCommands; inherit pkgs cfg;
systemctlArgs = [ "--user" ]; systemctlArgs = [ "--user" ];
}; };
in in
@@ -263,28 +272,36 @@ in
type = lib.types.str; type = lib.types.str;
default = "/etc/step-ca/certs"; default = "/etc/step-ca/certs";
}; };
certReaders = lib.mkOption {
description = "";
type = lib.types.listOf lib.types.str;
default = [ ];
};
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
users.groups.certReaders = {
name = cfg.renew.group;
members = cfg.certReaders;
};
environment.systemPackages = with pkgs; lib.optionals cfg.enable [ environment.systemPackages = with pkgs; lib.optionals cfg.enable [
# step-cli # step-cli
(mkMtlsGenerateScript { (mkMtlsGenerateScript {
inherit pkgs; inherit pkgs;
inherit (cfg) subject provisioner san certFile keyFile bundleFile lifetime; inherit (cfg) subject provisioner san certFile keyFile bundleFile lifetime;
inherit (cfg.renew) user group;
}) })
(mkMtlsCheckScript { inherit pkgs; inherit (cfg) bundleFile; }) (mkMtlsCheckScript { inherit pkgs; inherit (cfg) bundleFile; })
(mkMtlsRenewScript { inherit pkgs; inherit (cfg) certFile keyFile bundleFile; }) (mkMtlsRenewScript { inherit pkgs cfg; })
]; ];
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d ${cfg.certDir} 0750 ${cfg.renew.user} ${if cfg.renew.group == null then cfg.renew.user else cfg.renew.group} -" "d ${cfg.certDir} 0750 ${cfg.renew.user} ${cfg.renew.group} -"
]; ];
systemd.services.mtls-renew = lib.mkIf cfg.renew.enable (mkNixosMtlsRenewService { systemd.services.mtls-renew = lib.mkIf cfg.renew.enable
inherit pkgs; (mkNixosMtlsRenewService { inherit pkgs cfg; });
inherit (cfg) certFile keyFile bundleFile;
inherit (cfg.renew) reloadUnits postCommands user group;
});
systemd.timers.mtls-renew = lib.mkIf cfg.renew.enable (mkNixosMtlsRenewTimer { systemd.timers.mtls-renew = lib.mkIf cfg.renew.enable (mkNixosMtlsRenewTimer {
inherit (cfg.renew) onCalendar randomizedDelaySec; inherit (cfg.renew) onCalendar randomizedDelaySec;
@@ -314,20 +331,19 @@ in
# step-cli # step-cli
(mkMtlsGenerateScript { (mkMtlsGenerateScript {
inherit (cfg) subject provisioner san lifetime; inherit (cfg) subject provisioner san lifetime;
inherit (cfg.renew) user group;
inherit pkgs certFile keyFile bundleFile; inherit pkgs certFile keyFile bundleFile;
}) })
(mkMtlsCheckScript { inherit pkgs bundleFile; }) (mkMtlsCheckScript { inherit pkgs bundleFile; })
(mkMtlsRenewScript { inherit pkgs certFile keyFile bundleFile; }) (mkMtlsRenewScript { inherit pkgs cfg; systemctlArgs = [ "--user" ]; })
]; ];
systemd.user.tmpfiles.rules = lib.mkIf cfg.enable [ systemd.user.tmpfiles.rules = lib.mkIf cfg.enable [
"d ${cfg.certDir} 0700 - - -" "d ${cfg.certDir} 0700 - - -"
]; ];
systemd.user.services.mtls-renew = lib.mkIf cfg.renew.enable (mkHomeManagerMtlsRenewService { systemd.user.services.mtls-renew = lib.mkIf cfg.renew.enable
inherit pkgs certFile keyFile bundleFile; (mkHomeManagerMtlsRenewService { inherit pkgs cfg; });
inherit (cfg.renew) reloadUnits postCommands;
});
systemd.user.timers.mtls-renew = lib.mkIf cfg.renew.enable (mkHomeManagerMtlsRenewTimer { systemd.user.timers.mtls-renew = lib.mkIf cfg.renew.enable (mkHomeManagerMtlsRenewTimer {
inherit (cfg.renew) onCalendar randomizedDelaySec; inherit (cfg.renew) onCalendar randomizedDelaySec;
modules/features/shell-tools.nix
+3
View File
@@ -21,6 +21,9 @@
home.shell.enableShellIntegration = true; home.shell.enableShellIntegration = true;
programs.zsh.enable = lib.mkForce (config.shell.program == "zsh"); programs.zsh.enable = lib.mkForce (config.shell.program == "zsh");
home.packages = with pkgs; [ home.packages = with pkgs; [
nh
nvd
nix-output-monitor
wget wget
curl curl
busybox busybox
modules/hosts/janus/default.nix
+26 -6
View File
@@ -9,26 +9,46 @@ in
flake.modules.nixos.janus-ca = flake.modules.nixos.janus-ca =
{ config, lib, ... }: { config, lib, ... }:
let let
cfg = config.janus-ca;
johnHome = lib.attrByPath [ "users" "users" username "home" ] "/home/${username}" config; johnHome = lib.attrByPath [ "users" "users" username "home" ] "/home/${username}" config;
johnGroup = lib.attrByPath [ "users" "users" username "group" ] username config; johnGroup = lib.attrByPath [ "users" "users" username "group" ] username config;
cfgInEtc = lib.hasPrefix "/etc/" cfg.certDir;
certDirEtcPath =
if cfgInEtc then
lib.removePrefix "/etc/" cfg.certDir
else
cfg.certDir;
certRootEtcPath = "${certDirEtcPath}/root_ca.crt";
mkStepRules = home: user: group: [ mkStepRules = home: user: group: [
"d ${home}/.step 0700 ${user} ${group} -" "d ${home}/.step 0700 ${user} ${group} -"
"d ${home}/.step/config 0700 ${user} ${group} -" "d ${home}/.step/config 0700 ${user} ${group} -"
"d ${home}/.step/certs 0700 ${user} ${group} -" "d ${home}/.step/certs 0700 ${user} ${group} -"
"L+ ${home}/.step/config/defaults.json - - - - /etc/step/config/defaults.json" "L+ ${home}/.step/config/defaults.json - - - - /etc/step-ca/defaults.json"
"L+ ${home}/.step/certs/root_ca.crt - - - - /etc/step/certs/root_ca.crt" "L+ ${home}/.step/certs/root_ca.crt - - - - ${cfg.certDir}/root_ca.crt"
]; ];
in in
{ {
environment.etc."step/config/defaults.json".text = builtins.toJSON { options.janus-ca = {
inherit ca-url fingerprint; certDir = lib.mkOption {
root = "/etc/step-ca/certs/root_ca.crt"; description = "String path to where the mtls certs will be stored.";
type = lib.types.str;
default = "/etc/step-ca/certs";
};
};
config = {
environment.etc = lib.mkIf cfgInEtc {
"step-ca/defaults.json".text = builtins.toJSON {
inherit ca-url fingerprint;
root = "/etc/${certRootEtcPath}";
};
"${certRootEtcPath}".source = ./root_ca.crt;
}; };
environment.etc."step-ca/certs/root_ca.crt".source = ./root_ca.crt;
systemd.tmpfiles.rules = systemd.tmpfiles.rules =
mkStepRules johnHome username johnGroup mkStepRules johnHome username johnGroup
++ mkStepRules "/root" "root" "root"; ++ mkStepRules "/root" "root" "root";
}; };
};
flake.modules.homeManager.janus-ca = { config, ... }: { flake.modules.homeManager.janus-ca = { config, ... }: {
home.file.".step/config/defaults.json".text = builtins.toJSON { home.file.".step/config/defaults.json".text = builtins.toJSON {
modules/hosts/john-pc/default.nix
+7 -7
View File
@@ -5,6 +5,7 @@ let
testHost = "soteria"; # which host to test build testHost = "soteria"; # which host to test build
testTarget = "fded:fb16:653e:25da:be24:11ff:fea0:753f"; # test-nix testTarget = "fded:fb16:653e:25da:be24:11ff:fea0:753f"; # test-nix
resolvedTarget = "test-nix";
# testTarget = "fded:fb16:653e:25da:be24:11ff:fe89:1cc3"; # soteria # testTarget = "fded:fb16:653e:25da:be24:11ff:fe89:1cc3"; # soteria
in in
@@ -15,12 +16,12 @@ in
resticPasswordFile = "${config.xdg.configHome}/restic/password.txt"; resticPasswordFile = "${config.xdg.configHome}/restic/password.txt";
testPushCmd = (pkgs.writeShellScriptBin "test-push" '' testPushCmd = (pkgs.writeShellScriptBin "test-push" ''
${lib.getExe' pkgs.coreutils "echo"} "Pushing ${testHost} to ${testTarget}" ${lib.getExe' pkgs.coreutils "echo"} "Pushing ${testHost} to ${resolvedTarget}"
${lib.getExe' pkgs.coreutils "mkdir"} -p /var/tmp/nix-build ${lib.getExe pkgs.nh} os switch ${flakeDir}#${testHost} \
${lib.getExe' pkgs.coreutils "chmod"} 1777 /var/tmp/nix-build -e passwordless \
${lib.getExe pkgs.nixos-rebuild} switch \ --target-host ${resolvedTarget} \
--flake ${flakeDir}#${testHost} \ --diff always \
--target-host root@${testTarget} "$@"
''); '');
in in
{ {
@@ -34,7 +35,6 @@ in
restic restic
docker docker
desktop desktop
# neovim
]; ];
# TODO: make this more restrictive, rather than allowing all unfree packages # TODO: make this more restrictive, rather than allowing all unfree packages
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
modules/hosts/soteria/secrets.yaml
+11 -3
View File
@@ -1,5 +1,13 @@
janus: janus:
admin_jwk: ENC[AES256_GCM,data:2XcN5X77wTQ+OUXa4C9xAErGvrwJKseHjCcgoj6jt+c=,iv:9x+M1wM0dYND1JYkJjM4N8pSOok2OF+P9vmm9NCumTI=,tag:dTCfh+KB1iRJBVoNsGqvuw==,type:str] admin_jwk: ENC[AES256_GCM,data:2XcN5X77wTQ+OUXa4C9xAErGvrwJKseHjCcgoj6jt+c=,iv:9x+M1wM0dYND1JYkJjM4N8pSOok2OF+P9vmm9NCumTI=,tag:dTCfh+KB1iRJBVoNsGqvuw==,type:str]
forgejo:
#ENC[AES256_GCM,data:/wtm0uXbiWFoGNWtlTzVuNxBR7CPm2FMB98t3AxSj5V5rltLvzF9BjgWoJCiX3ltzmU=,iv:xaZXbUIGJHxPrLRQzEQI7hgRgc0y061jIhoE3zlcMaA=,tag:fQGheCIdBKm6wE+vtj7g6A==,type:comment]
secret_key: ENC[AES256_GCM,data:/jcyeDcsryLqu9Q3VnNaENb71/Tl5JUr0zDzxt8L5UCtnJ/YHA6MKItrQ9ZHFv1XROtnSfZl9D5kKomeM8EVqA==,iv:HxMKAMVQ08gkq6SWENj0/d8i9PhcgPCp5eqbztj9bSg=,tag:nO2dFWT/vfgGc/9JIDZrGw==,type:str]
#ENC[AES256_GCM,data:TADqVsZwXpH/zfrXNclavH8Sv++jX081UjK/Mkys5x52gU5fU0ikk478EmwzeergsHpmxxon,iv:v9HsIsud+eiko7F0u622MBrTVDsIxlpqru0Viifvqow=,tag:FLgNTW0EcGhHT6iI9I6Bsg==,type:comment]
internal_token: ENC[AES256_GCM,data:7eZM+misgHZz1p6HH9VzCAPIIFjp2vT0kyc9B1KllE+x2URyrgs5IR9SZ+T5vNdMdnlNzF25pUhKzjbak8tVN554rYWp06SczzqhLyaoHKs8iGBohMqfJkoZxxIVSB7g7GC+/SAsb719,iv:XbBXqXh/PqjEcAj0qsajR7Ij56KGT/9Spdp5T549p9I=,tag:o4ONucOkIE2VJ6VjOlPb6w==,type:str]
#ENC[AES256_GCM,data:ZqwgnKjaolJtjcy287fnDOkb/oSLnBpfWfsTeVPwbIE8YLRSoPP4gbCnHJBLq+TJNNI=,iv:zTvw4ZS6C1ifUwOijNLuTfUQ3JM+5gj1X2f/s8MwWXc=,tag:Y1yKlL+jIRHVBulGlSErog==,type:comment]
jwt_secret: ENC[AES256_GCM,data:e59MlATOorsTIQjtTUKfX5Yo3CVsbbfuKczp1gh1m2D1kkZK3ORFztYpjg==,iv:JH3PVUmXToiThEKDkDJ8MGVMAPlIEgPSWhru+9WgNjk=,tag:FfDpaCPejpw6kGDkxJwDWw==,type:str]
lfs_jwt_secret: ENC[AES256_GCM,data:xi9PEKFUGRyc3YOg3JM3KrrENi9xsbeBjiz4R16SK5WDafoGFLazN6KRJQ==,iv:1IhPyQDwA8tZ22pfZJiU8TRTCLCHC/HAnKdmSGDfvcM=,tag:rLdREVSKBm67rt8ayN16Vw==,type:str]
sops: sops:
age: age:
- recipient: age1ykcs39e62pz3xu6cedg8ea685kv5d5qsrhgkndygzm8rx30xd5ys5t3qxt - recipient: age1ykcs39e62pz3xu6cedg8ea685kv5d5qsrhgkndygzm8rx30xd5ys5t3qxt
@@ -29,7 +37,7 @@ sops:
Yjd0MUcxcExvWVpCOUR3MkdZdGQyWUkKnru0Y2A98+0Mps7EtVK7ct3vPqIGveUt Yjd0MUcxcExvWVpCOUR3MkdZdGQyWUkKnru0Y2A98+0Mps7EtVK7ct3vPqIGveUt
E5fzpcKvdefzObrx7BPTwJ19t2fZg/dSi7HKwx3vmKZSzyQaqJOzsg== E5fzpcKvdefzObrx7BPTwJ19t2fZg/dSi7HKwx3vmKZSzyQaqJOzsg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-29T22:44:20Z" lastmodified: "2026-04-02T03:47:52Z"
mac: ENC[AES256_GCM,data:f2QVZsCNZJIxnsWsBXVyD6JFSmsMktZqCXQWAJcLfSaojEld9CMu1rJjDyCbG3GPJStrMS20WZbtQvx7H6gosnkxXL401L8SwIoy/gNNEIx0qVLUneoEsuvjSTIiiUG7B2Y9lBKQ/kO/iKrJMURSke0wWWC1Ng5mUePfZ94FVTg=,iv:xOFeak0pjBt4iTFr9vt4cuA9WzFD/ipVThgulNOp100=,tag:YPLXK4RmQLa+ADl6DohmBQ==,type:str] mac: ENC[AES256_GCM,data:NvCF78rzYOv2Ulf3TLB4eKtYEqNkfSzPBPRXcpTTO9QoSH3axdapkhUzsSq2d30RV/F/PLMbMaERMgW1SFT0Uikvk0s5ALmwN29MMwA6BMyup5bzOQeOIxOoeYrKOeqCJdI3ZhtqV/ebvyTebVI7Q6Jw0QKf+9SW2RfYGFJkKF0=,iv:VSoGZkzSzI9SPnvrzyIgWgW/teRNiFlf5fdmHKVg2TE=,tag:qm/jUdQ63MdWUxBDJ9kxww==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.12.1 version: 3.12.2
modules/hosts/soteria/soteria.nix
+34 -22
View File
@@ -17,21 +17,9 @@ in
nixos.forgejo nixos.forgejo
# nixos.restic-server # nixos.restic-server
# nixos.restic-envoy # nixos.restic-envoy
({ pkgs, ... }: { ({ config, pkgs, ... }: {
networking.hostName = hostname; networking.hostName = hostname;
mtls = { time.timeZone = "America/Chicago";
enable = true;
subject = hostname;
san = [
"${hostname}.john-stream.com"
"192.168.1.142"
];
lifetime = "1h";
renew.onCalendar = "*:3/15";
renew.postCommands = [
"${lib.getExe pkgs.docker} restart envoy"
];
};
# Removes password for sudo # Removes password for sudo
security.sudo-rs.extraRules = lib.mkAfter [ security.sudo-rs.extraRules = lib.mkAfter [
@@ -45,13 +33,39 @@ in
]; ];
} }
]; ];
# nix.settings.build-dir = "/var/tmp/nix-build";
# systemd.tmpfiles.rules = [ users.users."${username}".extraGroups = [ "mtls" ];
# "d /var/tmp/nix-build 1777 root root -" mtls = {
# ]; enable = true;
step-ssh-host = { certDir = config.janus-ca.certDir;
hostname = hostname; subject = hostname;
san = [
"${hostname}.john-stream.com"
# "192.168.1.142"
"forgejo.john-stream.com"
"192.168.1.244"
];
lifetime = "12h";
renew.onCalendar = "*:3/15";
renew.reloadUnits = [ "forgejo.service" ];
certReaders = [ config.services.forgejo.user "postgres" ];
}; };
forgejo = {
enable = true;
root_url = "https://forgejo.john-stream.com";
https = true;
port = 443;
};
loginText.extraServiceStatus = {
Docker = "docker";
"mTLS Renewal" = "mtls-renew.timer";
Forgejo = "forgejo.service";
"Forgejo Backup" = "forgejo-dump.timer";
};
step-ssh-host.hostname = hostname;
# This provides the secrets at install time # This provides the secrets at install time
sops.defaultSopsFile = ./secrets.yaml; sops.defaultSopsFile = ./secrets.yaml;
@@ -66,8 +80,6 @@ in
inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.janus-ca inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.janus-ca
inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.my-neovim inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.my-neovim
]; ];
forgejo.enable = true;
}) })
]; ];
}; };
modules/nix-tools/rebuild.nix
+2 -3
View File
@@ -43,7 +43,7 @@
nhms = (pkgs.writeShellScriptBin "nhms" '' nhms = (pkgs.writeShellScriptBin "nhms" ''
HOSTNAME=${hostnameCmd} HOSTNAME=${hostnameCmd}
${echoCmd} "Switching to the $HOSTNAME home-manager profile" ${echoCmd} "Switching to the $HOSTNAME home-manager profile"
${lib.getExe pkgs.home-manager} switch --impure --flake ${flakeDir}#$HOSTNAME ${lib.getExe pkgs.nh} home switch ${flakeDir} -c $HOSTNAME "$@"
''); '');
in in
{ {
@@ -74,8 +74,7 @@
'') '')
nhms nhms
(writeShellScriptBin "nhmu" '' (writeShellScriptBin "nhmu" ''
${nixBin} flake update --flake ${flakeDir} ${lib.getExe nhms} --update
${lib.getExe nhms}
'') '')
(writeShellScriptBin "test-build" '' (writeShellScriptBin "test-build" ''
modules/nixos/login-text.nix
+19 -7
View File
@@ -1,5 +1,18 @@
{ inputs, ... }: { { inputs, ... }: {
flake.modules.nixos.login-text = { config, ... }: { flake.modules.nixos.login-text = { config, lib, ... }:
let
defaultServiceStatus = {
SSH = "sshd.socket";
"SSH Cert Renewal" = "step-ssh-host-renew.timer";
};
in {
options.loginText.extraServiceStatus = lib.mkOption {
type = lib.types.attrsOf lib.types.str;
default = { };
description = "Additional rust-motd service status entries keyed by display name.";
};
config = {
programs.rust-motd = { programs.rust-motd = {
enable = true; enable = true;
refreshInterval = "*:0/5"; refreshInterval = "*:0/5";
@@ -21,12 +34,10 @@
root = 3; root = 3;
}; };
service_status = { service_status = lib.mkMerge [
Docker = "docker"; defaultServiceStatus
SSH = "sshd.socket"; config.loginText.extraServiceStatus
"SSH Cert Renewal" = "step-ssh-host-renew.timer"; ];
"mTLS Renewal" = "mtls-renew.timer";
};
# This calculation is wrong for LXCs # This calculation is wrong for LXCs
# uptime = { # uptime = {
@@ -43,4 +54,5 @@
}; };
}; };
}; };
};
} }
modules/programs/eza.nix
+1 -1
View File
@@ -8,7 +8,7 @@
enableZshIntegration = true; enableZshIntegration = true;
}; };
home.shellAliases = { home.shellAliases = {
ls = "${lib.getExe pkgs.eza} -lgos type --no-time --follow-symlinks"; ls = "${lib.getExe pkgs.eza} -algos type --follow-symlinks --all --all";
}; };
}; };
} }
modules/programs/files.nix
+15 -5
View File
@@ -1,15 +1,25 @@
{ {
flake.modules.homeManager.files = { pkgs, ... }: flake.modules.homeManager.files = { pkgs, lib, ... }:
{ {
programs.lf.enable = true; programs.lf = {
programs.lf.cmdKeybindings = { enable = true;
cmdKeybindings = {
"D" = "delete"; "D" = "delete";
}; };
settings = {
preview = true;
hidden = true;
drawbox = true;
icons = true;
ignorecase = true;
};
};
home.packages = with pkgs; [ home.packages = with pkgs; [
gdu gdu
lf # (writeShellScriptBin "lfcd" ''
# TODO: find a CLI file editor that's not insane # . <(${lib.getExe pkgs.lf} -print-last-dir | sed 's/^/cd /')
# '')
]; ];
}; };
} }