From a1a579662ec0d6a8987a421d6e2af4dde9170542 Mon Sep 17 00:00:00 2001
From: Christine Elisabeth Koppel
Date: Sat, 7 Feb 2026 21:49:49 +0100
Subject: [PATCH] Update the database configuration to the current architecture.
---
 .sops.yaml | 7 +-
 .../configuration.nix | 1 +
 .../modules/desktop-manager/gnome.nix | 44 +++++++-
 ...sops-nix.nix => sops-composesongsheet.nix} | 0
 .../modules/secrets-config/sops-database.nix | 28 +++++
 .../modules/system/compose-songsheet.nix | 2 +-
 .../modules/system/database.nix | 100 ++++++++++++++++++
 .../secrets/database/gcloud_bucket.json | 29 +++++
 8 files changed, 208 insertions(+), 3 deletions(-)
 rename nix-system-configs/{database => database-deprecated}/configuration.nix (99%)
 rename nix-system-configs/modules/secrets-config/{sops-nix.nix => sops-composesongsheet.nix} (100%)
 create mode 100644 nix-system-configs/modules/secrets-config/sops-database.nix
 create mode 100644 nix-system-configs/modules/system/database.nix
 create mode 100644 nix-system-configs/secrets/database/gcloud_bucket.json
diff --git a/.sops.yaml b/.sops.yaml
index 6c76b15..daa279c 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -12,4 +12,9 @@ creation_rules:
 key_groups:
 - age:
 - *admin_christine
- - *server_traefik
\ No newline at end of file
+ - *server_traefik
+ - path_regex: nix-system-configs/secrets/database/[^/]+\.(yaml|json|env|ini)$
+ key_groups:
+ - age:
+ - *admin_christine
+ - *server_traefik
diff --git a/nix-system-configs/database/configuration.nix b/nix-system-configs/database-deprecated/configuration.nix
similarity index 99%
rename from nix-system-configs/database/configuration.nix
rename to nix-system-configs/database-deprecated/configuration.nix
index 2332e32..63c377a 100644
--- a/nix-system-configs/database/configuration.nix
+++ b/nix-system-configs/database-deprecated/configuration.nix
@@ -120,6 +120,7 @@
 fastfetch
 hyfetch
 pgadmin4
+ google-cloud-sdk
 ];
 
 # Some programs need SUID wrappers, can be configured further or are
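Review bot: The new `path_regex` rule for `nix-system-configs/secrets/database/` encrypts only to `*admin_christine` and `*server_traefik`, so the database host can decrypt `gcloud_bucket.json` only if its `sops.age.keyFile` holds the same age identity as the Traefik server; `sops-database.nix` in this same commit sets `sops.age.generateKey = true`, and a key generated on the database host would not be a recipient here, so activation would fail to decrypt. If the database host has or gets its own key, add it as an anchor at the top of `.sops.yaml` (outside this hunk), list it in this key group, and re-encrypt the directory with `sops updatekeys`. The regex itself and the missing-trailing-newline fix on the previous rule look right.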
diff --git a/nix-system-configs/modules/desktop-manager/gnome.nix b/nix-system-configs/modules/desktop-manager/gnome.nix
index eb95e04..2995aa5 100644
--- a/nix-system-configs/modules/desktop-manager/gnome.nix
+++ b/nix-system-configs/modules/desktop-manager/gnome.nix
@@ -4,7 +4,49 @@
 lib,
 ...
 }: {
+ # Enable the X11 windowing system.
 services.xserver.enable = true;
+
+ # Enable the GNOME Desktop Environment.
 services.xserver.displayManager.gdm.enable = true;
- services.xserver.desktopManager.gnome3.enable = true;
+ services.xserver.desktopManager.gnome.enable = true;
+
+ # Configure keymap in X11
+ services.xserver.xkb = {
+ layout = "us";
+ variant = "";
+ };
+
+ # Enable CUPS to print documents.
+ services.printing.enable = true;
+
+ # Enable sound with pipewire.
+ services.pulseaudio.enable = false;
+ security.rtkit.enable = true;
+ services.pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ # If you want to use JACK applications, uncomment this
+ #jack.enable = true;
+
+ # use the example session manager (no others are packaged yet so this is enabled by default,
+ # no need to redefine it in your config for now)
+ #media-session.enable = true;
+ };
+
+ # Install firefox.
+ programs.firefox.enable = true;
+
+ # Allow unfree packages
+ nixpkgs.config.allowUnfree = true;
+
+ # Some programs need SUID wrappers, can be configured further or are
+ # started in user sessions.
+ programs.mtr.enable = true;
+ programs.gnupg.agent = {
+ enable = true;
+ enableSSHSupport = true;
+ };
 }
diff --git a/nix-system-configs/modules/secrets-config/sops-nix.nix b/nix-system-configs/modules/secrets-config/sops-composesongsheet.nix
similarity index 100%
rename from nix-system-configs/modules/secrets-config/sops-nix.nix
rename to nix-system-configs/modules/secrets-config/sops-composesongsheet.nix
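Review bot: The desktop-manager module now carries host-wide policy unrelated to GNOME: `nixpkgs.config.allowUnfree = true`, `services.printing.enable = true`, `programs.mtr.enable = true` (which the hunk's own comment notes needs a SUID wrapper) and `programs.gnupg.agent.enableSSHSupport = true`. Because `database.nix` in this commit imports this module, the dedicated database host inherits CUPS, a privileged `mtr` wrapper and a gpg-agent SSH socket it has no stated need for. Keep the X11/GDM/GNOME, keymap and pipewire settings here and move the remaining lines into a separate module or the host configuration so each host opts in explicitly. The `gnome3` → `gnome` rename itself is fine.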
diff --git a/nix-system-configs/modules/secrets-config/sops-database.nix b/nix-system-configs/modules/secrets-config/sops-database.nix
new file mode 100644
index 0000000..2d1b4b3
--- /dev/null
+++ b/nix-system-configs/modules/secrets-config/sops-database.nix
@@ -0,0 +1,28 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: {
+ imports = let
+ # replace this with an actual commit id or tag
+ commit = "17eea6f3816ba6568b8c81db8a4e6ca438b30b7c";
+ in [
+ "${builtins.fetchTarball {
+ url = "https://github.com/Mic92/sops-nix/archive/${commit}.tar.gz";
+ # replace this with an actual hash
+ sha256 = "ktjWTq+D5MTXQcL9N6cDZXUf9kX8JBLLBLT0ZyOTSYY=";
+ }}/modules/sops"
+ ];
+
+ # This will add secrets.yml to the nix store
+ # You can avoid this by adding a string to the full path instead, i.e.
+ # sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
+ sops.defaultSopsFile = ../../secrets/songsheet/secrets.yaml;
+ # This will automatically import SSH keys as age keys
+ sops.age.sshKeyPaths = ["/home/songsheetprg/.ssh/id_ed25519.pub"];
+ # This is using an age key that is expected to already be in the filesystem
+ sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+ # This will generate a new key if the key specified above does not exist
+ sops.age.generateKey = true;
+}
diff --git a/nix-system-configs/modules/system/compose-songsheet.nix b/nix-system-configs/modules/system/compose-songsheet.nix
index 928ecff..2a83324 100644
--- a/nix-system-configs/modules/system/compose-songsheet.nix
+++ b/nix-system-configs/modules/system/compose-songsheet.nix
@@ -38,7 +38,7 @@ # ## Compose modules for Portainer service ./modules/songsheet/wavelog/docker-compose.nix - ./modules/secrets-config/sops-nix.nix + ./modules/secrets-config/sops-composesongsheet.nix ]; config = {
diff --git a/nix-system-configs/modules/system/database.nix b/nix-system-configs/modules/system/database.nix
new file mode 100644
index 0000000..2041188
--- /dev/null
+++ b/nix-system-configs/modules/system/database.nix
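Review bot: `sops.defaultSopsFile = ../../secrets/songsheet/secrets.yaml;` points the database host at the songsheet secrets rather than the `secrets/database/` directory this commit creates, and `sops.age.sshKeyPaths = ["/home/songsheetprg/.ssh/id_ed25519.pub"]` is both a songsheet user path and a public key, whereas the option expects SSH private keys to convert into age identities (the default is the host's `ssh_host_ed25519_key`), so that entry cannot decrypt anything. Nothing here declares `gcloud_bucket.json` either, so the new file is encrypted but never provisioned; the consumer needs something like `sops.secrets."gcloud_bucket" = { sopsFile = ../../secrets/database/gcloud_bucket.json; format = "json"; key = ""; };` so the whole JSON document is written out, plus `owner`/`mode` for whichever account runs the gcloud tooling. The comments `# replace this with an actual commit id or tag` and `# replace this with an actual hash` are stale now that both values are pinned and should be dropped. This file appears to be a copy of the renamed `sops-composesongsheet.nix`, so the same two path issues may exist there as well (not in this diff).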
@@ -0,0 +1,100 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: {
+ options.local = {
+ hostname = lib.mkOption {
+ type = lib.types.str;
+ default = "nixos-default";
+ description = "System hostname";
+ };
+ username = lib.mkOption {
+ type = lib.types.str;
+ default = "user";
+ description = "Primary user username";
+ };
+ userDescription = lib.mkOption {
+ type = lib.types.str;
+ default = "NixOS User";
+ description = "Primary user description";
+ };
+ address = lib.mkOption {
+ type = lib.types.str;
+ default = "10.1.1.100";
+ description = "Static IP address";
+ };
+ };
+
+ imports = [
+ ./modules/desktop-manager/gnome.nix
+ ./modules/local/hostname_username.nix
+ ./modules/local/networking_local.nix
+ ./modules/lix-default.nix
+ ./modules/secrets-config/sops-database.nix
+ ./hardware-configuration.nix
+ ];
+
+ # Bootloader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ config = {
+ local.hostname = "nixosdd";
+ local.username = "nixosdd";
+ local.userDescription = "NixOS Dedicated Database";
+ local.address = "10.1.1.251";
+
+ networking.firewall.allowedTCPPorts = [
+ 5432 # PostgreSQL
+ 3306 # MariaDB/MySQL
+ ];
+ networking.firewall.allowedUDPPorts = [
+ 5432 # PostgreSQL
+ 3306 # MariaDB/MySQL
+ ];
+
+ # List services that you want to enable:
+
+ # Enable PostgreSQL
+ services.postgresql = {
+ enable = true;
+ enableTCPIP = true;
+ ensureDatabases = ["forgejo" "part_db_database"];
+ settings = {
+ listen_addresses = "*";
+ };
+ authentication = pkgs.lib.mkOverride 10 ''
+ local all all trust
+ host all all 10.1.1.4/32 scram-sha-256
+ host all all 10.1.1.249/32 scram-sha-256
+ host all all 127.0.0.1/32 trust
+ host all all ::1/128 trust
+ '';
+ };
+
+ # Enable MariaDB
+ services.mysql = {
+ enable = true;
+ package = pkgs.mariadb;
+ };
+
+ # Enable Tailscale
+ services.tailscale.enable = true;
+
+ # List packages installed in system profile.
To search, run:
+ # $ nix search wget
+ environment.systemPackages = with pkgs; [
+ # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
+ wget
+ helix
+ fastfetch
+ hyfetch
+ pgadmin4
+ google-cloud-sdk
+ ];
+
+ system.stateVersion = "25.11";
+ };
+}
diff --git a/nix-system-configs/secrets/database/gcloud_bucket.json b/nix-system-configs/secrets/database/gcloud_bucket.json
new file mode 100644
index 0000000..4ce4f60
--- /dev/null
+++ b/nix-system-configs/secrets/database/gcloud_bucket.json
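Review bot: `boot.loader.systemd-boot.enable = true;` and `boot.loader.efi.canTouchEfiVariables = true;` sit at the module's top level beside `options` and `config`; once a module declares a top-level `config`, the NixOS module system rejects any other top-level attribute (an "unsupported attribute `boot`" evaluation error), so both lines must move inside the `config = { ... }` block for this host to evaluate. PostgreSQL and MariaDB are TCP-only, so `networking.firewall.allowedUDPPorts = [ 5432 3306 ]` opens nothing useful and should be removed, while `allowedTCPPorts` applies to every interface including the Tailscale one — only the `pg_hba` lines narrow PostgreSQL to `10.1.1.4` and `10.1.1.249`, and nothing narrows MariaDB, so consider `networking.firewall.interfaces.<name>.allowedTCPPorts` and a `bind-address` under `services.mysql.settings`. `local all all trust` together with the loopback `trust` lines lets any local account on this host connect as the `postgres` superuser without a password; `peer` for `local` and `scram-sha-256` for `127.0.0.1/32` and `::1/128` would match the remote rules already present. The `imports` are relative to `modules/system/`, where the diffstat shows no `modules/` subdirectory or `hardware-configuration.nix`; if this file is copied to `/etc/nixos` before use that is fine, otherwise the paths need `../..` prefixes (the same pattern appears in `compose-songsheet.nix`, so this may be deliberate).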
@@ -0,0 +1,29 @@ +{ + "type": "ENC[AES256_GCM,data:bl74l+sY5V4qeLYBANRU,iv:uKOGWFTF6ltq3mQ4ojd1/bZgofPi1J4Gtz3/PUCfLLs=,tag:TxGwCf5qCDPVfIMzFgB01w==,type:str]", + "project_id": "ENC[AES256_GCM,data:6cW8StwOvkdGXIjuI5Jj8DuCoE/9z0ky7tEWMIbg,iv:bAyX1+phAdiMRVZNRwDGE+QkbFo71u+Gut+z+yPQjg8=,tag:9JuGbq13tBUJUb/tUWolbQ==,type:str]", + "private_key_id": "ENC[AES256_GCM,data:j9xf5MtzNTn7OV2PNWXPPSqSLU4elVLjF1MB6xmlFXSy6XXJEbz/uA==,iv:iVCTbjtVHGEsvKtBHnrwiI3MPgGKGQlyEv9zAMcQ7sE=,tag:VzsIQHMjBvrIl9X5Ul2j+Q==,type:str]", + "private_key": "ENC[AES256_GCM,data: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,iv:KMBWDjUNBEGOEadSCzajAhaRgZy0x6ZJ53dQV4WsxuI=,tag:cqPBsxqiNlOWE5sv3gS2Qw==,type:str]", + "client_email": "ENC[AES256_GCM,data:5GS7lQmxfEhIiqLEOZQElCyL7mnrCPpWhBC5b9GsefHRu8MIZdiU/J5Kl2tAK7iGKlPVcoblYuwjg9jAxwq2Mwp6GBiVJ8pC80xwiC4g7w==,iv:bE4BhJTvprgW5NOJMspvEY43w0DB3B59dPP/iI7+9U8=,tag:tDEQXWClCHrE9zUbXbWVMA==,type:str]", + "client_id": "ENC[AES256_GCM,data:smvsjKHs4FZ545bbNnsKLyxklwJG,iv:UdbOhgdUkwLUF9BXpVZhs6bshCT/w2GsUBx8TA6IJYA=,tag:UgvsYx4bVUiLX/ivSn4V/g==,type:str]", + "auth_uri": "ENC[AES256_GCM,data:MoSyAWIMF31wGC1Th9lBVdxNUcKI9ChFQQ/9NcOpawZBKCWRpvUPPRk=,iv:0M/ckQguvifJswhl6fRZoLFDLotL4pqVWtgCJnneuvg=,tag:jg9yVdYsa3SzU15QodJSCg==,type:str]", + "token_uri": "ENC[AES256_GCM,data:VU6Jz5gmDMkRk8xVXz/GmBKqAU8LXWDWDd8wDG2LAgvYCf8=,iv:PsKBpoHzDJsrQgagYgSmDGfy/hi68PiDO5Cp1840gIE=,tag:4PnonD0ZhEb0ubshGY8wgQ==,type:str]", + "auth_provider_x509_cert_url": "ENC[AES256_GCM,data:DUe6H/PflOHgZ8V25EzCqtpIHiMHCI6xmfEmOQOOJTxBgKYm+PRDxIDD,iv:hNAgapcSmqKuGYNS0Ru/OAVR7DIGV73TOdGZVwBgF1w=,tag:texXV9bYMsev8oZT/Zs0LQ==,type:str]", + "client_x509_cert_url": "ENC[AES256_GCM,data:8Herex6V+OajFPQHlSlEFWyY9UHZ1O59Uk6DhU/YN99Uapo2D0WkE9OBDRwI/CFbPWEg6i7yUHVTTCw132kC7tB+QeqX1GHLYedV3AE4QyRzHlQPSsLkxMFr/q283IAu5Evm4WtQdZYQcqF8+olqd9veQuxMpnfWzz9hD4PpV6djur8=,iv:wloNQK6DSXCk4x5p6Clyi90GXYBHkhgTcJ2HJdz5b48=,tag:coYQsiCRE2IakoWz4P5dOw==,type:str]", + "universe_domain": 
"ENC[AES256_GCM,data:Juy31OVAEIAvPDV1fow=,iv:GKLpORARKRm7Hm14/H44RdAcnQYIyqi6e+UWaG9KjlI=,tag:saBZsuMBlTSEcVoFbnoLNQ==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1746rvsvsc3snxfl7cndm222wd5kck4aqj3x7nednlegq0gdjhfcqx0qv7m", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIeTFMQlBOS1kyNjJkYito\nZG9XQ3NJSmJxNk1pZDF2T3FoOUU5SEhqYmw0CmN4VnE5cWR3Tm1kdkZnWEZJcHha\nejBNODZkOXFnckRFdTVwdFJwTUVWaDgKLS0tIGRCY2VaS2RMcjQ4clZRbG52ZGdI\nQXdZZ3hBcktmMUlhNDV4TGVaT2c0UEkKH9e+rTKrRt9JqYG+RkFrlcaNXd8zn+0/\no65SOKlwMC0VAAb7rDDU0xGmahW2/bWErW2qJ/88dvDuqdX2sD28Pg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1rdcs8y4fjfyagwt2q9599ax329thceersh6dg2f0p6nsghm5xufq00qu0p", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5ZTI4dUQxdExvTjA1UDJj\nMUtFZ1F4SzZzVGhXTjJQYkRQaVlyUEZsaTFVCjdtc01Ydk9lMWd2cnVrbTAzeERN\nbG1XcTYzU1RPRXRYcFlzK3RJQzJUV2MKLS0tIEJETzZKaHZENTdrbUVTYWIxNmhB\ndWhvNEJpNVQvcG9lam1lbkV1dGxpMDAK9OspZrLOshe7JLROJvJ9dkzejkSRixyJ\nzD0IbFv3N+HIC3DeStDzCUnRdLmrM/q4HOYCPNCmAtT9jvOrD96ejw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2026-02-07T20:01:07Z", + "mac": "ENC[AES256_GCM,data:fjKrLuYFXZhHa2KwyWTmDiEyZInyJluI4QjevW2liWKyv7rtJbwzxlzUEb4hUG3pwFFOWeeNwAvIg+la+0Y+sERIEM5P5j60buia2cQZFTK6WvNwLsNN+/sDptznGfrUsI3GJOBtIQgdCCBrrDwj7YARP+T6kk0wh7iw6LgfuWY=,iv:Psy2bv2w9J4OXNH8MESCZD1zSCWDRKlmaOijgyKyorc=,tag:QpiPUT9WMzQQLUVTwtfWjw==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.11.0" + } +}