From 52b4e2816db3315ae71484c8dad2482f446c584e Mon Sep 17 00:00:00 2001
From: Jonni Liljamo
Date: Fri, 6 Sep 2024 20:14:56 +0300
Subject: [PATCH] feat: add social
---
 .sops.yaml | 7 ++++
 hosts/social/default.nix | 17 ++++++++++
 secrets/social/secrets.yaml | 34 ++++++++++++++++++++
 systems/hosts/default.nix | 5 +++
 systems/hosts/social/default.nix | 55 ++++++++++++++++++++++++++++++++
 tamma.yaml | 4 +++
 6 files changed, 122 insertions(+)
 create mode 100644 hosts/social/default.nix
 create mode 100644 secrets/social/secrets.yaml
 create mode 100644 systems/hosts/social/default.nix
diff --git a/.sops.yaml b/.sops.yaml
index 845d5b5..a8623d3 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -8,6 +8,7 @@ keys:
 - &auth age1wu70y79zuqtk2z5q3t4vvwns2qmerwsy4gn4czf5f4xhch3yquksfwq0q4
 - &dns age1m5ktjargxxu04dn9c2uhvaw79z74mxsc4vdrkalxjn4aa8c86plqg0hyyw
 - &metrics age1m8u3a7rzyx2n6zjxjnfkla34yk3v77egxzd3lv9umt69lsynlaqqqfpt05
+ - &social age173lqcfnq2a3xwdjkdua6uqyskfhpdqp2lt4jskdkg3rfqv23vu2sgplq98
 # VMs
 - &sqbuilds age1wgzza5upq4tcpanmx3p9tg9swltz58ycufcapq9s45wpq8mtvepsr0lnzk
 creation_rules:
@@ -48,6 +49,12 @@ creation_rules:
 - *liljamo_gpg
 age:
 - *metrics
+ - path_regex: secrets/social/[^/]+\.yaml$
+ key_groups:
+ - pgp:
+ - *liljamo_gpg
+ age:
+ - *social
 - path_regex: secrets/sqbuilds/[^/]+\.yaml$
 key_groups:
diff --git a/hosts/social/default.nix b/hosts/social/default.nix
new file mode 100644
index 0000000..d840393
--- /dev/null
+++ b/hosts/social/default.nix
@@ -0,0 +1,17 @@
+{config, ...}: {
+ sops.secrets.rootPwd.neededForUsers = true;
+ sops.secrets.liljamoPwd.neededForUsers = true;
+
+ roles.base = {
+ root.hashedPasswordFile = config.sops.secrets.rootPwd.path;
+ primaryUser = {
+ username = "liljamo";
+ hashedPasswordFile = config.sops.secrets.liljamoPwd.path;
+ };
+ };
+
+ roles.tailscale = {
+ enable = true;
+ enableSSH = true;
+ };
+}
diff --git a/secrets/social/secrets.yaml b/secrets/social/secrets.yaml
new file mode 100644
index 0000000..3292d93
--- /dev/null
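Review bot: In hosts/social/default.nix the two `sops.secrets.*` declarations name the secrets but set neither `sops.defaultSopsFile` nor a per-secret `sopsFile`, so the binding to `secrets/social/secrets.yaml` and to the `&social` age recipient added in `.sops.yaml` presumably comes from the lxc profile or the base role rather than from this file. A one-line comment would make that dependency visible to whoever rotates the host key, e.g. `# rootPwd/liljamoPwd live in secrets/social/secrets.yaml, encrypted to the &social age key in .sops.yaml; re-encrypt when the host key changes`. Both secrets are `neededForUsers = true`, so they must be decryptable with the host's age key in the early secrets-for-users stage, not only at normal activation; that is worth stating next to those lines. `roles.tailscale.enableSSH = true` suggests SSH access to this host is governed by the tailnet's policy rather than sshd settings from the base role; if that is the intent, a short comment saying so would stop the next reader assuming sshd hardening applies here.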
+++ b/secrets/social/secrets.yaml
@@ -0,0 +1,34 @@
+rootPwd: ENC[AES256_GCM,data:p41kSprRdol5rfaQ83t2upxKLZL0JnZzpdxIZV7YyX5RPd0Ot8HKMe/FfHWIhO+1T49PTLYOGN3ptQ4S2bq+C+qhBK1B0UCJ86wioObwcPsDzcv3M7xu3T4NVO+921RFrwD0zo8AVFhO6w==,iv:1amFJJyDV8H8vEB49oJsxlXsDIUcHr9gAbbwoCNYsZg=,tag:PpwZdDBlQmTGaQNv5YnGig==,type:str]
+liljamoPwd: ENC[AES256_GCM,data:RXVqEBUxJV45CaKNMpAXbdh42uf5NQvWqlZennxW12+5Wo16kxtEdR7kZxyWmyQP4XJovf5iqVQoNMf7pq6b8kD9ZILo85nfMXgHpJN8sGB2otZ35Bih/gX+taSfQMi7/oYPtUgwtJVl3Q==,iv:GUzyIahXxn3gIHKJxnId42ibojaCGBhC+PVQIN4MrOc=,tag:TKEAyon/qPXzUc8JP4V/qg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age173lqcfnq2a3xwdjkdua6uqyskfhpdqp2lt4jskdkg3rfqv23vu2sgplq98
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxbGhHS1ZtMm5kMmV0aDRW
+ UFhMYjROd1JlVWZrZUwxa3l4U295MFVIQ1hrCkN0RTVQOFJ6ZlJ5RUlpV2NiVjRm
+ WlQ2bGkyRDdacGc3Wi9DRDVNYllscGcKLS0tIEdzYVhZMjBFb2FCT2tYUzVVM1Fu
+ dVdhQldtS0F4L2RlazZwS2EwRkhzM0EKNbErU+f1mjgDIl34aCrQFIHpNneVLYHT
+ MpilN6Pqlddi5iVSXwgcgV24oMFQgqsLDRVynk848YsLGj7JLLCyxg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-09-05T17:46:17Z"
+ mac: ENC[AES256_GCM,data:ku53/0KQIpnjCsZZaDDsEJhW72woyEQ72yft0gNgvbBKa2yTMuGJAtTMX0+H6K0TcD+ft2I9PLaruSrVzg3885j4bwCo5SaGDAD1Bwk6XAsPII7aHunofl2WJIby5YLw9xeRzzD3Am7jaY1fqrP/3XcVCOjjoic2PnF8w7XKlNk=,iv:CGbsgINu+d24mT1IaNq2uN7WFw4dgiXF8ifRG41LuzI=,tag:UijnxyMdvAXZk/dqkS3Jxg==,type:str]
+ pgp:
+ - created_at: "2024-09-05T17:45:06Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4D8ab0ENzkR4wSAQdA+cBWG1vsNTU8/f8jxKpUkT590+gSDhTKC9rlb4q32RUw
+ BsrTmwJm1JpoTjuO4sfDHVZfNOkPFHVAzpT430lOu08baqNyIoHzAUsJ8Iw6oduR
+ 1GgBCQIQu6NUyiavQpSEQQmmMUnGcfnpG1h7O+ZEhr+WqYi0nG7Cgg+wJd5d3YP3
+ c/wxhCfQljCodZBMpDTwImC9njIwJgiv4nd2It3+ZyqhvX54ePcMrqTI3zIQ0sbc
+ EV3pVgrX3DgCLg==
+ =F/Lk
+ -----END PGP MESSAGE-----
+ fp: 848EEBCEE9F0D29D25C321A658577946A65EB712
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/systems/hosts/default.nix b/systems/hosts/default.nix
index ac7f86f..5fda8b0 100644
--- a/systems/hosts/default.nix
+++ b/systems/hosts/default.nix
@@ -37,6 +37,11 @@
 profile = lxc;
 modules = [];
 };
+ social = {
+ system = "x86_64-linux";
+ profile = lxc;
+ modules = [];
+ };
 # VMs
 sqbuilds = {
diff --git a/systems/hosts/social/default.nix b/systems/hosts/social/default.nix
new file mode 100644
index 0000000..b4ebd76
--- /dev/null
+++ b/systems/hosts/social/default.nix
@@ -0,0 +1,55 @@
+{
+ config,
+ pkgs,
+ ...
+}: let
+ akkomaPort = 4000;
+in {
+ networking.firewall.allowedTCPPorts = [akkomaPort];
+
+ services.postgresql = {
+ package = pkgs.postgresql_16;
+ enable = true;
+ ensureDatabases = ["akkoma"];
+ ensureUsers = [
+ {
+ name = "akkoma";
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+
+ services.akkoma = {
+ enable = true;
+ user = "akkoma";
+ group = "akkoma";
+ config = {
+ ":pleroma" = {
+ ":instance" = {
+ description = "Personal instance";
+ email = "jonni@liljamo.com"; # FIXME: maybe abuse@liljamo.com?
+ name = "Lothlórien";
+ registrations_open = false;
+ };
+
+ "Pleroma.Repo" = {
+ adapter = (pkgs.formats.elixirConf {}).lib.mkRaw "Ecto.Adapters.Postgres";
+ socket_dir = "/run/postgresql";
+ username = config.services.akkoma.user;
+ database = "akkoma";
+ };
+
+ # FIXME: different subdomain as recommended
+ "Pleroma.Upload".base_url = "https://lothlorien.social/media/";
+
+ "Pleroma.Web.Endpoint".http.ip = "0.0.0.0";
+ "Pleroma.Web.Endpoint".http.port = akkomaPort;
+
+ "Pleroma.Web.Endpoint".url.host = "lothlorien.social";
+ "Pleroma.Web.Endpoint".url.port = 443;
+ };
+ };
+ };
+
+ system.stateVersion = "24.05";
+}
diff --git a/tamma.yaml b/tamma.yaml
index 13704c3..942301e 100644
--- a/tamma.yaml
+++ b/tamma.yaml
@@ -5,3 +5,7 @@ hosts:
 ip: alderaan
 data:
 user: root
+ - name: social
+ ip: social
+ data:
+ user: root
--
2.44.1
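Review bot: In systems/hosts/social/default.nix, `"Pleroma.Web.Endpoint".http.ip = "0.0.0.0"` together with `networking.firewall.allowedTCPPorts = [akkomaPort]` exposes the plaintext Akkoma listener on port 4000 on every interface of the container, while `url.host = "lothlorien.social"` and `url.port = 443` indicate clients are meant to arrive through a TLS-terminating reverse proxy that is not configured in this file. Anything that can reach the container's addresses — including the tailnet, given the Tailscale role on this host — can then talk to Akkoma directly and bypass whatever the proxy enforces. Narrow the listener to the proxy-facing address and scope the firewall rule to that interface, e.g. `networking.firewall.interfaces."<proxy-iface>".allowedTCPPorts = [akkomaPort];` (interface name is a placeholder) with `http.ip` set to that interface's address, or if the proxy runs on this host use the module's `services.akkoma.nginx` virtual host and drop the firewall opening entirely. A comment beside `akkomaPort = 4000;` naming the proxy that is expected to front it would make the intended exposure explicit alongside the existing FIXME on the upload domain.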