M .sops.yaml => .sops.yaml +7 -0
@@ 8,6 8,7 @@ keys:
- &auth age1wu70y79zuqtk2z5q3t4vvwns2qmerwsy4gn4czf5f4xhch3yquksfwq0q4
- &dns age1m5ktjargxxu04dn9c2uhvaw79z74mxsc4vdrkalxjn4aa8c86plqg0hyyw
- &metrics age1m8u3a7rzyx2n6zjxjnfkla34yk3v77egxzd3lv9umt69lsynlaqqqfpt05
+ - &social age173lqcfnq2a3xwdjkdua6uqyskfhpdqp2lt4jskdkg3rfqv23vu2sgplq98
# VMs
- &sqbuilds age1wgzza5upq4tcpanmx3p9tg9swltz58ycufcapq9s45wpq8mtvepsr0lnzk
creation_rules:
@@ 48,6 49,12 @@ creation_rules:
- *liljamo_gpg
age:
- *metrics
+ - path_regex: secrets/social/[^/]+\.yaml$
+ key_groups:
+ - pgp:
+ - *liljamo_gpg
+ age:
+ - *social
- path_regex: secrets/sqbuilds/[^/]+\.yaml$
key_groups:
A hosts/social/default.nix => hosts/social/default.nix +17 -0
@@ 0,0 1,17 @@
+{config, ...}: {
+ sops.secrets.rootPwd.neededForUsers = true;
+ sops.secrets.liljamoPwd.neededForUsers = true;
+
+ roles.base = {
+ root.hashedPasswordFile = config.sops.secrets.rootPwd.path;
+ primaryUser = {
+ username = "liljamo";
+ hashedPasswordFile = config.sops.secrets.liljamoPwd.path;
+ };
+ };
+
+ roles.tailscale = {
+ enable = true;
+ enableSSH = true;
+ };
+}
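Review bot: The two `sops.secrets` declarations on lines 2–3 name `rootPwd` and `liljamoPwd` but give no `sopsFile`, so they only resolve if `sops.defaultSopsFile` is pointed at `secrets/social/secrets.yaml` for this host somewhere outside this file (presumably the base role or a per-host wrapper — confirm). A comment above them such as `# decrypted from secrets/social/secrets.yaml; sops.defaultSopsFile is set per host outside this file` would make that coupling visible to the next reader. `roles.tailscale.enableSSH = true` grants interactive access to whatever the tailnet ACL allows, so a one-line comment naming the ACL rule that gates it would help too.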
A secrets/social/secrets.yaml => secrets/social/secrets.yaml +34 -0
@@ 0,0 1,34 @@
+rootPwd: ENC[AES256_GCM,data:p41kSprRdol5rfaQ83t2upxKLZL0JnZzpdxIZV7YyX5RPd0Ot8HKMe/FfHWIhO+1T49PTLYOGN3ptQ4S2bq+C+qhBK1B0UCJ86wioObwcPsDzcv3M7xu3T4NVO+921RFrwD0zo8AVFhO6w==,iv:1amFJJyDV8H8vEB49oJsxlXsDIUcHr9gAbbwoCNYsZg=,tag:PpwZdDBlQmTGaQNv5YnGig==,type:str]
+liljamoPwd: ENC[AES256_GCM,data:RXVqEBUxJV45CaKNMpAXbdh42uf5NQvWqlZennxW12+5Wo16kxtEdR7kZxyWmyQP4XJovf5iqVQoNMf7pq6b8kD9ZILo85nfMXgHpJN8sGB2otZ35Bih/gX+taSfQMi7/oYPtUgwtJVl3Q==,iv:GUzyIahXxn3gIHKJxnId42ibojaCGBhC+PVQIN4MrOc=,tag:TKEAyon/qPXzUc8JP4V/qg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age173lqcfnq2a3xwdjkdua6uqyskfhpdqp2lt4jskdkg3rfqv23vu2sgplq98
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxbGhHS1ZtMm5kMmV0aDRW
+ UFhMYjROd1JlVWZrZUwxa3l4U295MFVIQ1hrCkN0RTVQOFJ6ZlJ5RUlpV2NiVjRm
+ WlQ2bGkyRDdacGc3Wi9DRDVNYllscGcKLS0tIEdzYVhZMjBFb2FCT2tYUzVVM1Fu
+ dVdhQldtS0F4L2RlazZwS2EwRkhzM0EKNbErU+f1mjgDIl34aCrQFIHpNneVLYHT
+ MpilN6Pqlddi5iVSXwgcgV24oMFQgqsLDRVynk848YsLGj7JLLCyxg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-09-05T17:46:17Z"
+ mac: ENC[AES256_GCM,data:ku53/0KQIpnjCsZZaDDsEJhW72woyEQ72yft0gNgvbBKa2yTMuGJAtTMX0+H6K0TcD+ft2I9PLaruSrVzg3885j4bwCo5SaGDAD1Bwk6XAsPII7aHunofl2WJIby5YLw9xeRzzD3Am7jaY1fqrP/3XcVCOjjoic2PnF8w7XKlNk=,iv:CGbsgINu+d24mT1IaNq2uN7WFw4dgiXF8ifRG41LuzI=,tag:UijnxyMdvAXZk/dqkS3Jxg==,type:str]
+ pgp:
+ - created_at: "2024-09-05T17:45:06Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4D8ab0ENzkR4wSAQdA+cBWG1vsNTU8/f8jxKpUkT590+gSDhTKC9rlb4q32RUw
+ BsrTmwJm1JpoTjuO4sfDHVZfNOkPFHVAzpT430lOu08baqNyIoHzAUsJ8Iw6oduR
+ 1GgBCQIQu6NUyiavQpSEQQmmMUnGcfnpG1h7O+ZEhr+WqYi0nG7Cgg+wJd5d3YP3
+ c/wxhCfQljCodZBMpDTwImC9njIwJgiv4nd2It3+ZyqhvX54ePcMrqTI3zIQ0sbc
+ EV3pVgrX3DgCLg==
+ =F/Lk
+ -----END PGP MESSAGE-----
+ fp: 848EEBCEE9F0D29D25C321A658577946A65EB712
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
M systems/hosts/default.nix => systems/hosts/default.nix +5 -0
@@ 37,6 37,11 @@
profile = lxc;
modules = [];
};
+ social = {
+ system = "x86_64-linux";
+ profile = lxc;
+ modules = [];
+ };
# VMs
sqbuilds = {
A systems/hosts/social/default.nix => systems/hosts/social/default.nix +55 -0
@@ 0,0 1,55 @@
+{
+ config,
+ pkgs,
+ ...
+}: let
+ akkomaPort = 4000;
+in {
+ networking.firewall.allowedTCPPorts = [akkomaPort];
+
+ services.postgresql = {
+ package = pkgs.postgresql_16;
+ enable = true;
+ ensureDatabases = ["akkoma"];
+ ensureUsers = [
+ {
+ name = "akkoma";
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+
+ services.akkoma = {
+ enable = true;
+ user = "akkoma";
+ group = "akkoma";
+ config = {
+ ":pleroma" = {
+ ":instance" = {
+ description = "Personal instance";
+ email = "jonni@liljamo.com"; # FIXME: maybe abuse@liljamo.com?
+ name = "Lothlórien";
+ registrations_open = false;
+ };
+
+ "Pleroma.Repo" = {
+ adapter = (pkgs.formats.elixirConf {}).lib.mkRaw "Ecto.Adapters.Postgres";
+ socket_dir = "/run/postgresql";
+ username = config.services.akkoma.user;
+ database = "akkoma";
+ };
+
+ # FIXME: different subdomain as recommended
+ "Pleroma.Upload".base_url = "https://lothlorien.social/media/";
+
+ "Pleroma.Web.Endpoint".http.ip = "0.0.0.0";
+ "Pleroma.Web.Endpoint".http.port = akkomaPort;
+
+ "Pleroma.Web.Endpoint".url.host = "lothlorien.social";
+ "Pleroma.Web.Endpoint".url.port = 443;
+ };
+ };
+ };
+
+ system.stateVersion = "24.05";
+}
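Review bot: `"Pleroma.Web.Endpoint".http.ip = "0.0.0.0"` together with `networking.firewall.allowedTCPPorts = [akkomaPort]` exposes Akkoma's plaintext HTTP listener on port 4000 on every interface, while `url.host = "lothlorien.social"` and `url.port = 443` indicate TLS is terminated by a reverse proxy elsewhere; anything that reaches the container directly bypasses that proxy. If the proxy runs on the same host, bind to loopback and drop the firewall opening: `"Pleroma.Web.Endpoint".http.ip = "127.0.0.1";`. If the proxy sits on another machine (the lxc profile suggests it may be on the container host — confirm), keep the bind but scope the opening to the proxy-facing interface with `networking.firewall.interfaces.<iface>.allowedTCPPorts = [akkomaPort];` (`<iface>` is a placeholder) and add a comment above the firewall line naming where TLS terminates.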
M tamma.yaml => tamma.yaml +4 -0
@@ 5,3 5,7 @@ hosts:
ip: alderaan
data:
user: root
+ - name: social
+ ip: social
+ data:
+ user: root