commit 2b25acaa324804e8b56d4bd3058b701cee18fdee · sapphic.moe/flake

+16

secrets/minio.age

···

       1
       1
       +
       -----BEGIN AGE ENCRYPTED FILE-----

     

       2
       2
       +
       YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGN2U2dKQSBDOTFh

     

       3
       3
       +
       RVVjOEI4bGF5bzgyZDVZQlEyUXlkUDRldlF2aFZ5OS8xWWlpLzI0CktPS05wd0tJ

     

       4
       4
       +
       aWc1bGUvMW4wdlRmdkxZaGRPZjZqU3F2bHhKdFkvencwdTgKLT4gc3NoLWVkMjU1

     

       5
       5
       +
       MTkgMUNUOTd3IEh1eTJhRXp4NWd6Mkl1SDU3ZTZnbW1vUkFQVWI4V2xuVGRVL2Nm

     

       6
       6
       +
       eE1HSGsKTDlqRjJGYUkxQW0waFV0Z2hzOFRNNTIrc1FiaVlQLzJ2YkRnajd0cDNH

     

       7
       7
       +
       YwotPiBzc2gtZWQyNTUxOSBlUDNUdFEgSHZQOGVyZjNPVXRjb0JKcTZJZHZiNy9z

     

       8
       8
       +
       NSsxZU9BZ0diTzl5ZklDNE1URQpQWFE5VjlYTjF6ZHJIUmxWYXpScGorZzZxam5Q

     

       9
       9
       +
       SElSVExBL1Q3bnh2NGg0Ci0+IDY6Jy9MXnQiLWdyZWFzZSBaanRiIFlnPThSCng2

     

       10
       10
       +
       MFo3Y3JnYnBJbzlVNFZYejJoT0U2MklZV0liUm9iSE9XcnVmRW5LdEtxVGgvLzdM

     

       11
       11
       +
       MjB4aisyVWhvTDFUSnkKaDNIZDdCZkZXTE5KblFFM04zdGxwK3ZPYnBPVGVkanlZ

     

       12
       12
       +
       TU1DejB5U3dGQUlMQQotLS0gWENCd1R5RUZKWURiaGxPQzZkL3FsQnh5ZE1lM3Nq

     

       13
       13
       +
       QVFoNVlFUGhiTGNOVQqSuU8Z0Wuo8GeJUsd/Zg+ngX/w4g/9o9d3itW9LEr+l5oe

     

       14
       14
       +
       M+/cBeFH3QZcaHN+UPKvRJbNjM9WHyL4rXKaJrDV9j6oS5v++8DLsIaHpYIVfbA3

     

       15
       15
       +
       DelpN2dpynRpm1rp2Q==

     

       16
       16
       +
       -----END AGE ENCRYPTED FILE-----

+14

secrets/outline/client-secret.age

···

       1
       1
       +
       -----BEGIN AGE ENCRYPTED FILE-----

     

       2
       2
       +
       YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGN2U2dKQSBGNVZv

     

       3
       3
       +
       djhvOVJyWVpHSjJudEJSRU5SRFpMOVliVFNxVVdtQnpubkhXamxNCjdNMUhJZFNu

     

       4
       4
       +
       NDI2K21XTmIyL3oxZTlGN2dVV2FESzV6VDlTQmhHSGFsOTQKLT4gc3NoLWVkMjU1

     

       5
       5
       +
       MTkgMUNUOTd3IGVQRVlucDlESUZ6T09DcEtpU1Q1WWxEUE9KcktpUm83cmNZZDlS

     

       6
       6
       +
       SytpaHcKQmVLaHBqa0YzaWNoc1U5bGdmUlpHMGVpdDEzenBLbGJEaFV5RXZEeExn

     

       7
       7
       +
       TQotPiBzc2gtZWQyNTUxOSBlUDNUdFEgTUkvOUs1SStNL1NJSEN2WGlmN1g1cG41

     

       8
       8
       +
       RWR3YlRhYkJtaDl0dkJwVlVnZwpuc1lDWFpEUDIrOForV2k1VG05OHNNLzNxMlJ3

     

       9
       9
       +
       RUdOc1g4Y05vUDVuUExJCi0+IGU6TS1ncmVhc2UgRm4gaHAmdS9wcwpJN0FBWkRO

     

       10
       10
       +
       Qk50OW9FdGZMVlgvVDEzTG5CTGVFM2J5amN6a2RNR08zeGR0eGJucVkxN2QramY3

     

       11
       11
       +
       SlZzc3BSNHNyClhnYUFwZwotLS0gYjlkTjAyamNGa2pnSG5OV1ZZcG9LNGlacGp5

     

       12
       12
       +
       MDhPTnMwQUxZYjRmanRjOAr+bpss2iZCZyJskjMUJNqg8MMrUGqSTIr4Iamclg6G

     

       13
       13
       +
       sTC5ncGM5UJs2QIZFxD8Y03VmrA243hkPbgWYo07qOGDsg==

     

       14
       14
       +
       -----END AGE ENCRYPTED FILE-----

+13

secrets/outline/minio-password.age

···

       1
       1
       +
       -----BEGIN AGE ENCRYPTED FILE-----

     

       2
       2
       +
       YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGN2U2dKQSBmMmVX

     

       3
       3
       +
       ZVZoRnhsUjVveDJxaVVlZHBIY0I0cERSY0VPbWdJQ0MrRjB6MFhFCkp4SkNSSXNw

     

       4
       4
       +
       WmRlbFV1SGRqNjR2NmFsWjQzUzhBQTJCUnNkOVRDb0FzWTAKLT4gc3NoLWVkMjU1

     

       5
       5
       +
       MTkgMUNUOTd3IG9BMDA0c09Rb2g3eWdkQTdnZGM5K2tabEVXRHlyWlN4dzBscU1w

     

       6
       6
       +
       L2xPV1kKa0tpNU5IUVlEYW9ZU3FYN2hSZWZudUFFY3JLdGk4YjRqalJjRG1LT3Nv

     

       7
       7
       +
       WQotPiBzc2gtZWQyNTUxOSBlUDNUdFEgTDBuRTZ6Q2dIQ0Rrc080RS81THlxcXV3

     

       8
       8
       +
       MzBJaVFIUGEwUGlsV1hrZDAxdwpFa3VSTC9BNG1IODhPWXU5WG01THdKYjhQRzkw

     

       9
       9
       +
       UXIvMnBNTllncDBxSHhVCi0+IG81TV5fKi1ncmVhc2UgTCVZZFVcCjFFTG5yTi9j

     

       10
       10
       +
       Wk9OdktxakVSenRaOEEKLS0tIGFUNGdQZzVzNERrR09rekZ5OERRQUVIbmI2NGVj

     

       11
       11
       +
       TlQ2aC9lbmdCK2pMRFEKPcBHsjWuXoUnZRv7RLiL4hf6CR32WOKqC7V8mTSAoHw1

     

       12
       12
       +
       LO4MEs70xBttSpwpVGdSTw==

     

       13
       13
       +
       -----END AGE ENCRYPTED FILE-----

+15

secrets/outline/secret-key.age

···

       1
       1
       +
       -----BEGIN AGE ENCRYPTED FILE-----

     

       2
       2
       +
       YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGN2U2dKQSBsVlpT

     

       3
       3
       +
       bUJIdjZPVGRRRy8vRzhOeGEyZkdBTDI5Q2wvT25BMWtJZ1dxVVRzCngvRTV6Sy9k

     

       4
       4
       +
       TFZmZUl1KzlwcUNTclh3NkJsZjA0d2NxeDRodElSL3hQazgKLT4gc3NoLWVkMjU1

     

       5
       5
       +
       MTkgMUNUOTd3IG5PeVcwYWQ0S1VQTWwxSVcxemJQYnVKdGFMMDdDeSt4YmVjTzdv

     

       6
       6
       +
       VFp0QlkKZ1owb1BNczRBay9aZHNjaGV3OGlmRU8xKzB5Y1FlRjNzNmlQMlF0b2VZ

     

       7
       7
       +
       UQotPiBzc2gtZWQyNTUxOSBlUDNUdFEgK1M1c2xoK0swV3d3TDM5dC94WjlxWHYy

     

       8
       8
       +
       WEkyUkpzREdZRlpxMTJ5RGZ5RQpFdENmdlFNSnVHYVh6OWNrK1IvM1hFR0Q2TTVq

     

       9
       9
       +
       dEYyYUswWUpwVUpOU2lnCi0+ID4zOm9PZSktZ3JlYXNlCkt5MUNqNTRsb2NKTEJY

     

       10
       10
       +
       dlNFTm5JRDlsT2p2UTdXNUFCb3dhZTB5THMyc3Z5K2lrUGtmQk5GSU9UTUR1T0Zo

     

       11
       11
       +
       Z2QKQjh0eklBUQotLS0gZ0tJVkJyK2F5c05lWm13YUVkeFBqYUZ3NXpZdnVYazhJ

     

       12
       12
       +
       anRldlplMmtMTQqd+cP8tjByVx/R+4LZMpMT3JlNBJTq3ySp6hP3mi1qsEVCc+zV

     

       13
       13
       +
       a9gGrT1MjBlsWdITMaXt1XYJtC2HTzDfTzSankFHvEVkzhF8uOe9A1vZbsqKCyFU

     

       14
       14
       +
       2uUGZzP32ugQ0ITY

     

       15
       15
       +
       -----END AGE ENCRYPTED FILE-----

+14

secrets/outline/smtp-password.age

···

       1
       1
       +
       -----BEGIN AGE ENCRYPTED FILE-----

     

       2
       2
       +
       YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGN2U2dKQSB3VTM3

     

       3
       3
       +
       M3YwSG96U3I2Z1ZqQ0MrZXV5dzhFdTVNYXR6VzlRays5SElVTUZrCmpkdnc3anJY

     

       4
       4
       +
       NUFCOWpGZ2V6WWVVY0xuY2RGTVhqMlh1UUo2dGdKVEVHRmsKLT4gc3NoLWVkMjU1

     

       5
       5
       +
       MTkgMUNUOTd3IFNJaUpWSXc2K1I3bWkvYkNXNGdleXFTRlpZUTA4UC9tUlFqcmtT

     

       6
       6
       +
       dU9jU2sKSEI0TE83Rkw5U2QvZ3A4UlVWaWk5UWI1cktjNGVYaGJMeGtJOWZlYnJJ

     

       7
       7
       +
       bwotPiBzc2gtZWQyNTUxOSBlUDNUdFEgR3NMU3FGaFVpMldBZDNqaUlsdUU4SFFP

     

       8
       8
       +
       c1pCYnNDQzhmQ0JVTThGZVczdwpXQ2FJN3J2Y1BMUG8zNDBIV2JodVhpNlhOY1A3

     

       9
       9
       +
       RmNqOXZibG0wWXlHTk9nCi0+IEAnLWdyZWFzZSAmM3BpMTAvIEoibVlNIDdROTkp

     

       10
       10
       +
       VQp5aGdJYWlmb2Z6a0xBSmdpR0k1b1dkeWNCbmR4Tjg4TXh4bGlKaXVFaWVlSzkz

     

       11
       11
       +
       OWVRWlJYWmNhMDFwNDE1ZW10CjZrTWpGZUdyCi0tLSBQTG8vQllVZWlYZ3dZL1h6

     

       12
       12
       +
       UlNhVS91bThnWUUxK25GclErdlpoV3dJRklJCttr6JUh2OMxB3uo2bIZ3JXc4GcP

     

       13
       13
       +
       qZkFMVIchcr8M7ZVAL4Ia8vj9UuSnwjpJ0N/QajT4CM=

     

       14
       14
       +
       -----END AGE ENCRYPTED FILE-----

+14

secrets/outline/utils-secret.age

···

       1
       1
       +
       -----BEGIN AGE ENCRYPTED FILE-----

     

       2
       2
       +
       YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGN2U2dKQSBFT1lD

     

       3
       3
       +
       bjVTaGcxdWNRSzgzbURWOHg0WnZmQ0t0eTRkVDlMUlBLNmlWZGtNCjhzSmJVYXRs

     

       4
       4
       +
       cER1NlV3MFVndEJEN1k0OGRBeXZaZ0t1VTRKby9KOU5oTk0KLT4gc3NoLWVkMjU1

     

       5
       5
       +
       MTkgMUNUOTd3IFJPclVNKzFlTUlUTGMyV1AyZEZyWERQbnRuOEM3dGpac0R6eWFo

     

       6
       6
       +
       Y29uaWcKWjBSN3RwUEtQQjBZbmJxeUl3Zy9TL05SM1FnK0hYSzBvQ2F1RVNRUUYv

     

       7
       7
       +
       VQotPiBzc2gtZWQyNTUxOSBlUDNUdFEgVVl4UDh5eTZscUlDN29YdXpWU2YzSWh6

     

       8
       8
       +
       QnhzSmZBM0lZaW1NWmVtU3BEawpBVGNhR1FFMURDKys1MUlkYVU4V1dtaGNVZk0x

     

       9
       9
       +
       QTgrdWs2TWFyeit1UWhzCi0+IFlwLWdyZWFzZSBfRC9sRSBUSChLIHhyNjFoXSA8

     

       10
       10
       +
       aGNLKC5ueQpXU3lIaUpscGk3M01tNHprUFM5Y3Q5SFE1V1FULzhlbW9WbwotLS0g

     

       11
       11
       +
       Z0tUS1lROGRURU5sSSt6djVCVHFpWFpiTDFKOGFKYzNpSVhMMEEzMFk0cwpxKFyy

     

       12
       12
       +
       wc8vAactgJ7M61dTI/4MtoBSI9JmY8ICoEqNYdBdnHyjX7qfbLDRxeFXMrUylUv2

     

       13
       13
       +
       Ny01hJCF4/epApwVU+d7LAbIlbRi6BxHCYK+SDgUgO4ZzvgHvNo2xk8+qUY0

     

       14
       14
       +
       -----END AGE ENCRYPTED FILE-----

secrets/secrets.nix

···

       14
       14
        
         "caddy.age".publicKeys = keys;

     

       15
       15
        
         "glance.age".publicKeys = keys;

     

       16
       16
        
         "lanyard.age".publicKeys = keys;

     

       17
       17
       +
         "minio.age".publicKeys = keys;

     

       17
       18
        
         "ntfy.age".publicKeys = keys;

     

       19
       19
       +
         "outline/client-secret.age".publicKeys = keys;

     

       20
       20
       +
         "outline/minio-password.age".publicKeys = keys;

     

       21
       21
       +
         "outline/secret-key.age".publicKeys = keys;

     

       22
       22
       +
         "outline/smtp-password.age".publicKeys = keys;

     

       23
       23
       +
         "outline/utils-secret.age".publicKeys = keys;

     

       18
       24
        
       }

-3

services/lanyard/default.nix

···

       1
       1
        
       { config, ... }:

     

       2
       2
        
       

     

       3
       3
        
       {

     

       4
       4
       -
         # Redis service (new style)

     

       5
       4
        
         services.redis.servers."lanyard" = {

     

       6
       5
        
           enable = true;

     

       7
       6
        
           port = 6379;

     

       8
       7
        
           bind = "127.0.0.1";

     

       9
       8
        
         };

     

       10
       9
        
       

     

       11
       11
       -
         # Age secret for Discord bot token

     

       12
       10
        
         age.secrets.lanyard = {

     

       13
       11
        
           file = ../../secrets/lanyard.age;

     

       14
       12
        
           mode = "600";

     

       15
       13
        
         };

     

       16
       14
        
       

     

       17
       17
       -
         # Lanyard Docker container

     

       18
       15
        
         virtualisation.oci-containers.containers.lanyard = {

     

       19
       16
        
           image = "phineas/lanyard:latest";

     

       20
       17
        
           ports = [ "4001:4001" ];

+149

services/outline/default.nix

···

       1
       1
       +
       { config, pkgs, ... }:

     

       2
       2
       +
       

     

       3
       3
       +
       {

     

       4
       4
       +
         age.secrets = {

     

       5
       5
       +
           minioCredentials = {

     

       6
       6
       +
             file = ../../secrets/minio.age;

     

       7
       7
       +
             mode = "600";

     

       8
       8
       +
             owner = "minio";

     

       9
       9
       +
             group = "minio";

     

       10
       10
       +
           };

     

       11
       11
       +
       

     

       12
       12
       +
           outlineClientSecret = {

     

       13
       13
       +
             file = ../../secrets/outline/client-secret.age;

     

       14
       14
       +
             mode = "600";

     

       15
       15
       +
             owner = "outline";

     

       16
       16
       +
             group = "outline";

     

       17
       17
       +
           };

     

       18
       18
       +
           outlineMinioSecret = {

     

       19
       19
       +
             file = ../../secrets/outline/minio-password.age;

     

       20
       20
       +
             mode = "600";

     

       21
       21
       +
             owner = "outline";

     

       22
       22
       +
             group = "outline";

     

       23
       23
       +
           };

     

       24
       24
       +
           outlineSecretKey = {

     

       25
       25
       +
             file = ../../secrets/outline/secret-key.age;

     

       26
       26
       +
             mode = "600";

     

       27
       27
       +
             owner = "outline";

     

       28
       28
       +
             group = "outline";

     

       29
       29
       +
           };

     

       30
       30
       +
           outlineSMTPPassword = {

     

       31
       31
       +
             file = ../../secrets/outline/smtp-password.age;

     

       32
       32
       +
             mode = "600";

     

       33
       33
       +
             owner = "outline";

     

       34
       34
       +
             group = "outline";

     

       35
       35
       +
           };

     

       36
       36
       +
           outlineUtilsSecret = {

     

       37
       37
       +
             file = ../../secrets/outline/utils-secret.age;

     

       38
       38
       +
             mode = "600";

     

       39
       39
       +
             owner = "outline";

     

       40
       40
       +
             group = "outline";

     

       41
       41
       +
           };

     

       42
       42
       +
         };

     

       43
       43
       +
       

     

       44
       44
       +
         services.outline = {

     

       45
       45
       +
           enable = true;

     

       46
       46
       +
           publicUrl = "https://wiki.sappho.systems";

     

       47
       47
       +
           port = 3300;

     

       48
       48
       +
           forceHttps = true;

     

       49
       49
       +
       

     

       50
       50
       +
           secretKeyFile = config.age.secrets.outlineSecretKey.path;

     

       51
       51
       +
           utilsSecretFile = config.age.secrets.outlineUtilsSecret.path;

     

       52
       52
       +
       

     

       53
       53
       +
           databaseUrl = "postgres://outline:${builtins.readFile config.age.secrets.outlineSecretKey.path}@localhost/outline?sslmode=disable";

     

       54
       54
       +
           redisUrl = "redis://127.0.0.1:6380";

     

       55
       55
       +
       

     

       56
       56
       +
           storage = {

     

       57
       57
       +
             storageType = "s3";

     

       58
       58
       +
             accessKey = "minio";

     

       59
       59
       +
             secretKeyFile = config.age.secrets.outlineMinioSecret.path;

     

       60
       60
       +
             uploadBucketUrl = "https://minio.sappho.systems";

     

       61
       61
       +
             uploadBucketName = "outline";

     

       62
       62
       +
             region = "us-east-1";

     

       63
       63
       +
             uploadMaxSize = 104857600;

     

       64
       64
       +
             importMaxSize = 104857600;

     

       65
       65
       +
             workspaceImportMaxSize = 104857600;

     

       66
       66
       +
             forcePathStyle = true;

     

       67
       67
       +
             acl = "private";

     

       68
       68
       +
           };

     

       69
       69
       +
       

     

       70
       70
       +
           smtp = {

     

       71
       71
       +
             host = "smtp.purelymail.com";

     

       72
       72
       +
             port = 587;

     

       73
       73
       +
             username = "noreply@sapphic.moe";

     

       74
       74
       +
             passwordFile = config.age.secrets.outlineSMTPPassword.path;

     

       75
       75
       +
             fromEmail = "noreply@sapphic.moe";

     

       76
       76
       +
             secure = false;

     

       77
       77
       +
           };

     

       78
       78
       +
       

     

       79
       79
       +
           oidcAuthentication = {

     

       80
       80
       +
             displayName = "Pocket ID";

     

       81
       81
       +
       

     

       82
       82
       +
             clientId = "257b92c1-6b7f-41e9-a9c6-858a083295d8";

     

       83
       83
       +
             clientSecretFile = config.age.secrets.outlineClientSecret.path;

     

       84
       84
       +
       

     

       85
       85
       +
             authUrl = "https://id.sappho.systems/authorize";

     

       86
       86
       +
             tokenUrl = "https://id.sappho.systems/api/oidc/token";

     

       87
       87
       +
             userinfoUrl = "https://id.sappho.systems/api/oidc/userinfo";

     

       88
       88
       +
             logoutUrl = "https://id.sappho.systems/api/oidc/end-session";

     

       89
       89
       +
       

     

       90
       90
       +
             usernameClaim = "preferred_username";

     

       91
       91
       +
             scopes = [

     

       92
       92
       +
               "openid"

     

       93
       93
       +
               "profile"

     

       94
       94
       +
               "email"

     

       95
       95
       +
               "groups"

     

       96
       96
       +
             ];

     

       97
       97
       +
       

     

       98
       98
       +
             disableRedirect = true;

     

       99
       99
       +
           };

     

       100
       100
       +
         };

     

       101
       101
       +
       

     

       102
       102
       +
         services.postgresql = {

     

       103
       103
       +
           enable = true;

     

       104
       104
       +
           package = pkgs.postgresql_15;

     

       105
       105
       +
           dataDir = "/var/lib/postgresql";

     

       106
       106
       +
           enableTCPIP = true;

     

       107
       107
       +
           ensureDatabases = [ "outline" ];

     

       108
       108
       +
           ensureUsers = [

     

       109
       109
       +
             {

     

       110
       110
       +
               name = "outline";

     

       111
       111
       +
               password = builtins.readFile config.age.secrets.outlineSecretKey.path;

     

       112
       112
       +
             }

     

       113
       113
       +
           ];

     

       114
       114
       +
           authentication = pkgs.lib.mkOverride 10 ''

     

       115
       115
       +
             #type database DBuser origin-address auth-method

     

       116
       116
       +
             local all      all     trust

     

       117
       117
       +
             host  all      all     127.0.0.1/32   scram-sha-256

     

       118
       118
       +
             host  all      all     ::1/128        scram-sha-256

     

       119
       119
       +
           '';

     

       120
       120
       +
         };

     

       121
       121
       +
       

     

       122
       122
       +
         # Ensure Outline waits for Postgres

     

       123
       123
       +
         systemd.services.outline.requires = [ "postgresql.service" ];

     

       124
       124
       +
         services.redis.servers."outline" = {

     

       125
       125
       +
           enable = true;

     

       126
       126
       +
           port = 6380;

     

       127
       127
       +
           bind = "127.0.0.1";

     

       128
       128
       +
         };

     

       129
       129
       +
       

     

       130
       130
       +
         services.minio = {

     

       131
       131
       +
           enable = true;

     

       132
       132
       +
           rootCredentialsFile = config.age.secrets.minioCredentials.path;

     

       133
       133
       +
           dataDir = "/var/lib/minio";

     

       134
       134
       +
           listenAddress = [

     

       135
       135
       +
             "0.0.0.0:9000"

     

       136
       136
       +
             "0.0.0.0:9001"

     

       137
       137
       +
           ];

     

       138
       138
       +
         };

     

       139
       139
       +
       

     

       140
       140
       +
         services.caddy.virtualHosts."wiki.sappho.systems" = {

     

       141
       141
       +
           extraConfig = ''

     

       142
       142
       +
             import common

     

       143
       143
       +
             import tls_cloudflare

     

       144
       144
       +
             reverse_proxy http://localhost:3300

     

       145
       145
       +
           '';

     

       146
       146
       +
         };

     

       147
       147
       +
       

     

       148
       148
       +
         settings.firewall.allowedTCPPorts = [ 3300 ];

     

       149
       149
       +
       }