68 lines
1.6 KiB
Nix
68 lines
1.6 KiB
Nix
{ modulesPath, tree, config, pkgs, lib, ... }:
|
|
let secrets-db = (import ./secrets-db.nix { });
|
|
in {
|
|
imports = with tree; [
|
|
users.root
|
|
|
|
profiles.base
|
|
profiles.sshd
|
|
profiles.nix-gc
|
|
profiles.nginx
|
|
|
|
./hardware.nix
|
|
./networking.nix
|
|
./secrets.nix
|
|
];
|
|
|
|
services.vault = {
|
|
enable = true;
|
|
package = pkgs.vault-bin;
|
|
address = "127.0.0.1:8200";
|
|
storageBackend = "file";
|
|
extraConfig = ''
|
|
ui = true
|
|
'';
|
|
};
|
|
|
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
|
|
|
services.nginx.virtualHosts."vault.owo.monster" = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
locations = { "/" = { proxyPass = "http://127.0.0.1:8200"; }; };
|
|
};
|
|
|
|
services.restic.backups.vault = {
|
|
user = "root";
|
|
paths = [ "/var/lib/vault" "/var/lib/acme" ];
|
|
timerConfig = {
|
|
OnBootSec = "1m";
|
|
OnCalendar = "daily";
|
|
};
|
|
# env contains fixed repository with auth
|
|
repository = "rest:https://storage-restic.owo.monster/HetznerVM";
|
|
passwordFile = "${secrets-db.restic_password.path}";
|
|
environmentFile = "${secrets-db.restic_env.path}";
|
|
};
|
|
|
|
environment.systemPackages = [
|
|
(pkgs.writeShellScriptBin "restic-vault" ''
|
|
env \
|
|
RESTIC_PASSWORD_FILE=${secrets-db.restic_password.path} \
|
|
$(cat ${secrets-db.restic_env.path}) \
|
|
${pkgs.restic}/bin/restic $@
|
|
'')
|
|
];
|
|
|
|
home-manager.users.root = {
|
|
imports = with tree; [ home.base home.dev.small ];
|
|
home.stateVersion = "22.05";
|
|
};
|
|
|
|
networking.hostName = "vault";
|
|
time.timeZone = "Europe/London";
|
|
|
|
system.stateVersion = "21.11";
|
|
}
|
|
|