From 764b5bb9448c6f48b3f41478c68f2e3b718e74bf Mon Sep 17 00:00:00 2001
From: cnst
Date: Sun, 7 Sep 2025 20:25:59 +0200
Subject: [PATCH] feat(LOTS): this needs work
---
 hosts/ziggy/server.nix | 2 +-
 modules/nixos/services/agenix/default.nix | 4 ++--
 modules/server/caddy/default.nix | 13 +++++++++++--
 modules/server/podman/default.nix | 21 +++++++++++++++++++--
 secrets/cloudflareDnsCredentialsZiggy.age | 11 +++++++++++
 secrets/piholeZiggy.age | 11 +++++++++++
 secrets/secrets.nix | 8 ++++++++
 7 files changed, 63 insertions(+), 7 deletions(-)
 create mode 100644 secrets/cloudflareDnsCredentialsZiggy.age
 create mode 100644 secrets/piholeZiggy.age
diff --git a/hosts/ziggy/server.nix b/hosts/ziggy/server.nix
index b65a5d38..afd474ae 100644
--- a/hosts/ziggy/server.nix
+++ b/hosts/ziggy/server.nix
@@ -3,7 +3,7 @@
 server = {
 enable = true;
 email = "adam@cnst.dev";
- domain = "cnix.dev";
+ domain = "ziggy.local";
 user = "share";
 group = "share";
 uid = 974;
diff --git a/modules/nixos/services/agenix/default.nix b/modules/nixos/services/agenix/default.nix
index 53cf84c8..29651444 100644
--- a/modules/nixos/services/agenix/default.nix
+++ b/modules/nixos/services/agenix/default.nix
@@ -84,8 +84,8 @@ in
 })
 (mkIf cfg.ziggy.enable {
 secrets = {
- cloudflareDnsCredentials.file = "${self}/secrets/cloudflareDnsCredentials.age";
- pihole.file = "${self}/secrets/pihole.age";
+ cloudflareDnsCredentialsZiggy.file = "${self}/secrets/cloudflareDnsCredentialsZiggy.age";
+ piholeZiggy.file = "${self}/secrets/piholeZiggy.age";
 };
 })
 (mkIf cfg.toothpc.enable {
diff --git a/modules/server/caddy/default.nix b/modules/server/caddy/default.nix
index 784c6f1d..1d56d065 100644
--- a/modules/server/caddy/default.nix
+++ b/modules/server/caddy/default.nix
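Review bot: `domain = "ziggy.local";` puts ziggy under the mDNS domain (`.local`, RFC 6762), which no public DNS provider answers for, so if this value ends up in names the caddy module requests certificates for through the Cloudflare DNS-01 challenge (the second caddy hunk wires `environmentFile` to Cloudflare credentials and keeps `dnsResolver = "1.1.1.1:53"`), issuance will fail on ziggy. Whether `srv.domain` reaches the ACME configuration is not visible here; the podman hunk does interpolate it into the pi-hole `url` default. If ziggy is meant to be LAN-only, the Cloudflare/ACME path should not be enabled for it, and if this is a stopgap a comment such as `# TODO: placeholder until ziggy has a zone Cloudflare can answer DNS-01 for` would keep it from being deployed as-is. The enclosing `server = {` set continues past the hunk.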
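Review bot: Renaming the ziggy secrets to `cloudflareDnsCredentialsZiggy` and `piholeZiggy` moves hostname knowledge into every consumer: the caddy hunk and the first podman hunk in this patch each add an if/else-if/`throw` on `config.networking.hostName` only to recover the right `.path`. Since these declarations already sit inside `mkIf cfg.ziggy.enable`, keeping the attribute names stable and varying only the file, `cloudflareDnsCredentials.file = "${self}/secrets/cloudflareDnsCredentialsZiggy.age";` and `pihole.file = "${self}/secrets/piholeZiggy.age";`, would let caddy and podman keep reading `config.age.secrets.cloudflareDnsCredentials.path` and `config.age.secrets.pihole.path` with no dispatch at all. That relies on only one host block being enabled per machine, which the per-host `mkIf` layout suggests but this hunk does not prove; if two blocks can be enabled together the module system would report the conflicting `.file` definitions at evaluation time rather than silently picking one. The list of `mkIf` blocks starts before and ends after the hunk.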
@@ -6,7 +6,16 @@
 let
 inherit (lib) mkIf mkEnableOption;
 cfg = config.server.caddy;
-in
+
+ getCloudflareCredentials =
+ hostname:
+ if hostname == "ziggy" then
+ config.age.secrets.cloudflareDnsCredentialsZiggy.path
+ else if hostname == "sobotka" then
+ config.age.secrets.cloudflareDnsCredentials.path
+ else
+ throw "Unknown hostname: ${hostname}";
+ in
 {
 options = {
 server.caddy.enable = mkEnableOption "Enables caddy";
@@ -34,7 +43,7 @@ in
 dnsResolver = "1.1.1.1:53";
 dnsPropagationCheck = true;
 group = config.services.caddy.group;
- environmentFile = config.age.secrets.cloudflareDnsCredentials.path;
+ environmentFile = getCloudflareCredentials config.networking.hostName;
 };
 };
diff --git a/modules/server/podman/default.nix b/modules/server/podman/default.nix
index 684c35f6..d38c58da 100644
--- a/modules/server/podman/default.nix
+++ b/modules/server/podman/default.nix
@@ -6,6 +6,23 @@
 let
 srv = config.server;
 cfg = config.server.podman;
+
+ piholeUrl =
+ if config.networking.hostName == "sobotka" then
+ "pihole0"
+ else if config.networking.hostName == "ziggy" then
+ "pihole1"
+ else
+ throw "Unknown hostname";
+
+ getPiholeSecret =
+ hostname:
+ if hostname == "ziggy" then
+ [ config.age.secrets.piholeZiggy.path ]
+ else if hostname == "sobotka" then
+ [ config.age.secrets.pihole.path ]
+ else
+ throw "Unknown hostname: ${hostname}";
 in
 {
 options.server.podman = {
@@ -80,7 +97,7 @@ in
 };
 url = lib.mkOption {
 type = lib.types.str;
- default = "pihole.${srv.domain}";
+ default = "${piholeUrl}.${srv.domain}";
 };
 homepage.name = lib.mkOption {
 type = lib.types.str;
@@ -259,7 +276,7 @@ in
 # REV_SERVER = "true";
 WEBTHEME = "default-darker";
 };
- environmentFiles = [ config.age.secrets.pihole.path ];
+ environmentFiles = getPiholeSecret config.networking.hostName;
 ports = [
 "53:53/tcp"
 "53:53/udp"
diff --git a/secrets/cloudflareDnsCredentialsZiggy.age b/secrets/cloudflareDnsCredentialsZiggy.age
new file mode 100644
index 00000000..a023f77d
--- /dev/null
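Review bot: `piholeUrl` and `getPiholeSecret` in the first podman hunk perform the same hostname dispatch twice in two shapes, one reading `config.networking.hostName` inline and the other taking `hostname` as a parameter, with two different failure texts (`throw "Unknown hostname"` and `throw "Unknown hostname: ${hostname}"`), and the caddy hunk adds a third copy as `getCloudflareCredentials`. A single per-host attribute set looked up once keeps the values that belong to a host together, gives one error path, and makes adding a host a one-line change; the second podman hunk would then read `default = "${pihole.name}.${srv.domain}";` and the third `environmentFiles = pihole.secrets;`. The `let` block these bindings live in opens at the top of the hunk and is closed by the `in` at its end, so the replacement below is self-contained.

```nix
  hostName = config.networking.hostName;
  # One record per host that runs pi-hole: container name and agenix env files.
  piholeByHost = {
    sobotka = { name = "pihole0"; secrets = [ config.age.secrets.pihole.path ]; };
    ziggy = { name = "pihole1"; secrets = [ config.age.secrets.piholeZiggy.path ]; };
  };
  pihole = piholeByHost.${hostName} or (throw "Unknown hostname: ${hostName}");
# … unchanged: in { options.server.podman = { …
```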
+++ b/secrets/cloudflareDnsCredentialsZiggy.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 t9iOEg fwIUYbDh7BaGI5buakqKNguBGdaeguynjERtCCYOHyA +YslX0C87abUC0nH6cmbHvloCPYt1udj8s2PBjLxV3ZM +-> ssh-ed25519 KUYMFA j4/66I7oCc8xQKyYm60sM+0+Mu5OELuiRksr9LWewlc +43W5+fmguuSFlX1W+roPBCgeM1yOi4gVLCWa4Kd0cb4 +-> ssh-ed25519 AzmhiA Lpm6W5/SgSwut7avMWgnxoEw0mo5sj9LmtvSc+SxxAo +lV3YELHkUtMWG+pM6y69nHhY6eD1YoeQQRzE71EL+KE +-> ssh-ed25519 qWEgFA pGLL8o6p5NGJgBbsdsto2Qp/aY62I4NrsLbmH3Dn60U +1rrZxG7F4EuP4CTEyayE52MbrEKoP2YUR3mBxExdp0Y +--- wvP3mMfgsNqU9QfuTSlIIhkcdTC60m7tQbWca2sALSY +&"rR|qxJX!J$&|j3+2whdx'9KA*èůk"~+I: ssh-ed25519 t9iOEg odEjwn/Rp//iANPIp/x1dM+4f84awTifdapQjG7sHWM +X6oQZFRcB5msBA3SSJYbG2ewNR9J9GvuFFDjuyL8JR0 +-> ssh-ed25519 KUYMFA /sXDDI7YLp9pccIO8ZfkdmJbOk+YzLzs0gvPMLkC3XQ +wAQ0zeCVl2Soj2nl5xvMN5QewdQ7gtbqFGMeeL/h3w8 +-> ssh-ed25519 AzmhiA OFEbMVrV7Y64x7/yL2JtxaljmrKs993zI/z39EdrXGo +P5Rqcf6CnYhOFGrSfbWYy3Y/84+fJqBA3UEBKWh/vFo +-> ssh-ed25519 qWEgFA WItETWlsJL/rHg1N3RRp/DbPYSDt0RVi68orXQbKSWk +mS28E5rQ6ytyMO34JWPe1u0mmZ889++pUU5USCkXqfE +--- WnId1RrJWwe6eqprrcaDNpYH/xVgA9MVU3Xl+qb027A +6)$%"ymxs<^z+,V| {Gc- jr~-kV3 p(&:Q'|RPB \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 2753af5f..530e092d 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -72,6 +72,10 @@ in kima usobotka rsobotka + ]; + "cloudflareDnsCredentialsZiggy.age".publicKeys = [ + cnst + kima uziggy rziggy ]; @@ -98,6 +102,10 @@ in kima usobotka rsobotka + ]; + "piholeZiggy.age".publicKeys = [ + cnst + kima uziggy rziggy ];
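Review bot: The first secrets.nix hunk closes the existing entry's `publicKeys` list after `rsobotka`, so `uziggy` and `rziggy` are dropped from the secret whose name sits just above the hunk (by position presumably `cloudflareDnsCredentials.age`), and the second hunk does the same for the entry above it (presumably `pihole.age`); yet neither existing `.age` file is in the diffstat, so the ciphertext on disk is still encrypted to ziggy's recipients. agenix only applies `publicKeys` when a file is (re)encrypted, which means this commit narrows the declared recipients without revoking anything until the affected files are rekeyed (`agenix -r`); until then `secrets.nix` understates what ziggy's keys can decrypt. A commit that removes recipients should carry the re-encrypted files with it, or say in its message that a rekey is still pending. Both hunks cut the enclosing attribute set at the top, and its opening is outside the hunk.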