diff --git a/agenix/hosts/sail/config.nix b/agenix/hosts/sail/config.nix
index f47204d..b8a7c06 100644
--- a/agenix/hosts/sail/config.nix
+++ b/agenix/hosts/sail/config.nix
@@ -54,6 +54,14 @@
 group = "matrix-synapse";
 };
 
+ mosquitto-password-weewx-proxy = {
+ file = ./mosquitto/passwordWeewxProxy.age;
+ };
+
+ mosquitto-password-weewx = {
+ file = ./mosquitto/passwordWeewx.age;
+ };
+
 atuin-environment = {
 file = ./atuin/environment.age;
 owner = "atuin";
diff --git a/agenix/hosts/sail/mosquitto/passwordWeewx.age b/agenix/hosts/sail/mosquitto/passwordWeewx.age
new file mode 100644
index 0000000..86f2d1a
--- /dev/null
+++ b/agenix/hosts/sail/mosquitto/passwordWeewx.age
@@ -0,0 +1,13 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE10R3A2ZyAyU1ZF
+UWtzZ3h0R3B1RWVYMWFMWllieHI5WTlVVXFteGhWckhFOVRwQlFFCnZJUUxVdFgr
+OHUzc3lrSWpwVytMWDc0Z0FoTWhLREtEaVE0bkcxZEdGU2MKLT4gc3NoLWVkMjU1
+MTkgTmJWNGh3IG5DM2oyTVpnNitSSzU2am8rWDJSMXVmZGgvOGZNdWp3YktvVkNZ
+TmE2U2MKYlJOUEFKZTF0UjNiVm5SNmpwaEIzaWhWWG9YZldiLzIyUWNxRE5NaHZY
+YwotPiBRcmVHKS1ncmVhc2UgMyA1TCdCRm5fCllvNXk4RzVVekxGeXRDSWlacFI4
+U1RvRUQ1dDcvS0ZVZm5FNUt5TUlTNkFXdjVzCi0tLSBxeUowYnpuVG5BYUpOZlFT
+c2NzOWhlQ1dVUFg0bDA5T2ROeHFvU2lJeE5JCqSG2JIv7FpYbfZ4ERbSW0G5vQeF
+teqNb71repTGwOW5BiAadvWpiv0o5Oq2Plpq9etsm8Jgm21F8UFR71DlefpTXVOH
+rIxfm4YTTY68aVGLx90/dxmw8qOZsGZvQ1EoKZQh+p+SO9BwC2//0uKhBFbSbwrK
+sbRurKBcA+xr0LB1dxZZhEqe8CXLaVlvsMklT7A=
+-----END AGE ENCRYPTED FILE-----
diff --git a/agenix/hosts/sail/mosquitto/passwordWeewxProxy.age b/agenix/hosts/sail/mosquitto/passwordWeewxProxy.age
new file mode 100644
index 0000000..f44a51d
--- /dev/null
+++ b/agenix/hosts/sail/mosquitto/passwordWeewxProxy.age
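Review bot: The two new agenix entries set only `file`, so they fall back to agenix's defaults (root-owned, mode 0400), unlike `atuin-environment` directly below, which sets `owner = "atuin"` for the service that reads it. That is correct only if the mosquitto module reads `hashedPasswordFile` with root privileges during start-up (I believe it does so in a privileged pre-start step, but this should be confirmed against the module); if the file is read as the mosquitto user, the broker fails to start and `owner = "mosquitto";` is needed on both entries. Either way a short comment on the entries naming the consumer, such as `# read by services.mosquitto via hashedPasswordFile`, would make the ownership choice deliberate rather than accidental.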
@@ -0,0 +1,12 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE10R3A2ZyBzVjZz
+TG9memlGMXZwZFFVK3pNOXVrYjlkak90NkpLUEVBajVaNTNGdkNNCjdPNVYrdjVk
+ZUVSeVJmS2QzaitIa014TGFKM01QVWN3bHhEbktjY0UvS1UKLT4gc3NoLWVkMjU1
+MTkgTmJWNGh3IGFab21mL2FVV3VVYXhYMjI2SGlZWVl3UW9RTzNEbU1qVVFMWHlo
+eWM4UUEKODl1Zis5VlFtWTR0NWcvSFpHdk1EaG5BekttRk5GNktzNXU0c0xrQkFD
+TQotPiByW1t4NkssLWdyZWFzZQpvYVBsK3ptYkRsRDEKLS0tIHRQVmhMY3JFYmE1
+dmdLai9CVkltM0VKcXJzNkEzMjN3TVVGeERvb3lZbTgK6mbrGDx3FqUB8YD+VHR5
+VcDitTAadwkqAqq6/0Zc0a45M5rJ5P6ThNKsrXpCc50YvtpEQM0kVBWyJIz2qXuE
+z4/i7DY7MxpndiQhjaD4e2KToDRLa3uGYbnnKYE9ZhsmdDQqyM0lx9dMvo6aV/nt
+WMRO84wxSi+jPoPYh7659IPOHbwGW1wZiJv1mGZA6bN3Dg==
+-----END AGE ENCRYPTED FILE-----
diff --git a/container/proxitok/default.nix b/container/proxitok/default.nix
index 6878e69..6ebe393 100644
--- a/container/proxitok/default.nix
+++ b/container/proxitok/default.nix
@@ -1,4 +1,4 @@
-{ config, secret, ... }:
+{ config, ... }:
 
 {
 virtualisation.arion.projects.proxitok.settings = {
diff --git a/container/webserver/config.nix b/container/webserver/config.nix
deleted file mode 100644
index 664637a..0000000
--- a/container/webserver/config.nix
+++ /dev/null
@@ -1,33 +0,0 @@
-{ secret, ... }:
-
-{
- systemd.tmpfiles.rules = [
- "d /etc/container-webserver/weewx 0755 421 421"
- "d /etc/container-webserver/weewx/html 0755 421 421"
- ];
-
- # mosquitto
-
- environment.etc."container-webserver/mosquitto/mosquitto.conf" = {
- text = ''
- listener 1883
- password_file /mosquitto/config/users.conf
- '';
-
- mode = "0644";
- };
-
- environment.etc."container-webserver/mosquitto/users.conf" = {
- text = secret.container.webserver.mosquitto.users;
- mode = "0644";
- };
-
- # weewx
-
- environment.etc."container-webserver/weewx/weewx.conf" = {
- source = ../../secret/container/webserver/config/weewx.conf;
- mode = "0644";
- uid = 421;
- gid = 421;
- };
-}
diff --git a/container/webserver/default.nix b/container/weewx/default.nix
similarity index 50%
rename from container/webserver/default.nix
rename to container/weewx/default.nix
index 938f5d2..3693760 100644
--- a/container/webserver/default.nix
+++ b/container/weewx/default.nix
@@ -1,26 +1,12 @@
+{ config, ... }:
+
 let
- secret = import ../../secret/container/webserver;
- custom-config = import ./config.nix { inherit secret; };
+ secret = import ../../secret/container/weewx;
+ data-dir = "/etc/container-weewx";
 in
 {
- virtualisation.arion.projects.webserver.settings = {
+ virtualisation.arion.projects.weewx.settings = {
 services = {
- mosquitto = {
- service = {
- image = "eclipse-mosquitto:2";
- container_name = "mosquitto";
- restart = "unless-stopped";
- ports = [ "1883:1883" ];
- user = "nobody";
- volumes = [
- "/etc/container-webserver/mosquitto:/mosquitto/config:ro"
- ];
- labels = {
- "com.centurylinklabs.watchtower.enable" = "true";
- };
- };
- };
-
 weewx = {
 service = {
 image = "ghcr.io/nifoc/weewx-docker:master";
@@ -32,7 +18,7 @@ in
 "TZ" = "Europe/Berlin";
 };
 volumes = [
- "/etc/container-webserver/weewx:/data"
+ "${data-dir}:/data"
 ];
 labels = {
 "com.centurylinklabs.watchtower.enable" = "true";
@@ -42,11 +28,45 @@ in }; }; - services.nginx.virtualHosts."${secret.container.webserver.hostname}" = { + systemd.tmpfiles.rules = [ + "d ${data-dir} 0755 421 421" + "d ${data-dir}/html 0755 421 421" + ]; + + environment.etc."container-weewx/weewx.conf" = { + source = ../../secret/container/weewx/config/weewx.conf; + mode = "0644"; + uid = 421; + gid = 421; + }; + + services.mosquitto.listeners = { + weewx-private = { + address = "0.0.0.0"; + port = 1883; + + users = { + weewx-proxy = { + hashedPasswordFile = config.age.secrets.mosquitto-password-weewx-proxy.path; + acl = [ "write weewx/+" ]; + }; + + weewx = { + hashedPasswordFile = config.age.secrets.mosquitto-password-weewx.path; + acl = [ "read weewx/+" ]; + }; + }; + }; + }; + + networking.firewall.interfaces."enp7s0".allowedTCPPorts = [ 1883 ]; + networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 1883 ]; + + services.nginx.virtualHosts."${secret.container.weewx.hostname}" = { http3 = true; kTLS = true; - root = "/etc/container-webserver/weewx/html/wdc"; + root = "${data-dir}/html/wdc"; forceSSL = true; useACMEHost = "kempkens.io"; @@ -72,4 +92,4 @@ in expires modified 1h; ''; }; -} // custom-config +} diff --git a/secret/container/webserver/config/weewx.conf b/secret/container/webserver/config/weewx.conf deleted file mode 100644 index 3e09ac7..0000000 Binary files a/secret/container/webserver/config/weewx.conf and /dev/null differ diff --git a/secret/container/webserver/default.nix b/secret/container/webserver/default.nix deleted file mode 100644 index 640e8e3..0000000 Binary files a/secret/container/webserver/default.nix and /dev/null differ diff --git a/secret/container/weewx/config/weewx.conf b/secret/container/weewx/config/weewx.conf new file mode 100644 index 0000000..cf3bf24 Binary files /dev/null and b/secret/container/weewx/config/weewx.conf differ 
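Review bot: `environment.etc."container-weewx/weewx.conf".source = ../../secret/container/weewx/config/weewx.conf` hands a file that the repository keeps under `secret/` (it appears as binary in this diff) to Nix as a path literal, which copies it into the world-readable Nix store, and `mode = "0644"` makes the /etc copy world-readable as well; if weewx.conf carries any credential (the MQTT password for the weewx-proxy user would be the obvious candidate), it is exposed even though the broker-side passwords now live in agenix, so it should be delivered the same way, through an agenix secret with owner/group set to uid/gid 421, instead of via `source`. A second point in the same hunk: the `weewx-private` listener binds `address = "0.0.0.0"` and port 1883 is opened on both `enp7s0` and `tailscale0`, while nothing here enables TLS, so MQTT CONNECT credentials and payloads cross enp7s0 in cleartext (the hashed password file only protects storage on the broker side). If enp7s0 is not a trusted segment, bind the listener to the Tailscale address only or put it behind TLS, and drop the enp7s0 firewall rule. The enclosing attrset opens and closes outside the hunk.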
diff --git a/secret/container/weewx/default.nix b/secret/container/weewx/default.nix new file mode 100644 index 0000000..1470f10 Binary files /dev/null and b/secret/container/weewx/default.nix differ diff --git a/secrets.nix b/secrets.nix index afd3d24..2e68edd 100644 --- a/secrets.nix +++ b/secrets.nix @@ -19,6 +19,9 @@ in "agenix/hosts/sail/synapse/extraConfig.age".publicKeys = sail; + "agenix/hosts/sail/mosquitto/passwordWeewxProxy.age".publicKeys = sail; + "agenix/hosts/sail/mosquitto/passwordWeewx.age".publicKeys = sail; + "agenix/hosts/sail/atuin/environment.age".publicKeys = sail; "agenix/hosts/sail/freshrss/userPassword.age".publicKeys = sail; diff --git a/system/hosts/sail.nix b/system/hosts/sail.nix index 8af7628..fe65744 100644 --- a/system/hosts/sail.nix +++ b/system/hosts/sail.nix @@ -40,7 +40,7 @@ in (import ../nixos/tailscale.nix (args // { inherit secret; })) (import ../nixos/arion.nix (args // { inherit secret; })) - ../../container/webserver + ../../container/weewx ../../container/matrix ../../container/proxitok ]; diff --git a/system/nixos/arion.nix b/system/nixos/arion.nix index f5f5909..e345809 100644 --- a/system/nixos/arion.nix +++ b/system/nixos/arion.nix @@ -19,6 +19,7 @@ autoPrune = { enable = true; dates = "weekly"; + flags = [ "--all" ]; }; }; @@ -32,7 +33,7 @@ }; networking.firewall.interfaces."podman+" = { - allowedUDPPorts = [ 53 443 ]; - allowedTCPPorts = [ 53 443 ]; + allowedUDPPorts = [ 53 ]; + allowedTCPPorts = [ 53 ]; }; } diff --git a/system/nixos/mosquitto.nix b/system/nixos/mosquitto.nix new file mode 100644 index 0000000..6b680ea --- /dev/null +++ b/system/nixos/mosquitto.nix @@ -0,0 +1,6 @@ +{ + services.mosquitto = { + enable = true; + persistence = true; + }; +}
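Review bot: The new `system/nixos/mosquitto.nix` sets `services.mosquitto.enable = true`, but the `system/hosts/sail.nix` hunk in this commit only swaps `../../container/webserver` for `../../container/weewx` in the import list and nothing visible imports `../nixos/mosquitto.nix`. If it is not imported elsewhere in sail.nix outside this hunk, the `services.mosquitto.listeners` block in container/weewx/default.nix is inert and no broker listens on 1883, while the firewall openings on enp7s0 and tailscale0 stay in place. Either add the import next to the other `../nixos/*.nix` entries or move `enable`/`persistence` into container/weewx/default.nix beside the listener definition so the two cannot drift apart.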