commit d40c11d559edf9e6a01983bd3d62cdb15f592c11
parent 3866e0d5796aa1d12b1ee4fbb22e6f044158c6d1
Author: Leah (ctucx) <git@ctu.cx>
Date: Sun, 22 Oct 2023 17:32:45 +0200
parent 3866e0d5796aa1d12b1ee4fbb22e6f044158c6d1
Author: Leah (ctucx) <git@ctu.cx>
Date: Sun, 22 Oct 2023 17:32:45 +0200
machines/briefkasten/radicale: move to host `trabbi`
9 files changed, 81 insertions(+), 79 deletions(-)
diff --git a/machines/briefkasten/configuration.nix b/machines/briefkasten/configuration.nix @@ -14,8 +14,6 @@ # syncthing (and it's backup) ./syncthing.nix - # cal- and card-dav server - ./radicale.nix # fedi server ./gotosocial.nix
diff --git a/machines/briefkasten/radicale.nix b/machines/briefkasten/radicale.nix
@@ -1,48 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
-
- dns.zones."ctu.cx".subdomains.dav.CNAME = lib.mkIf config.networking.usePBBUplink [ "${config.networking.fqdn}." ];
-
- age.secrets = {
- restic-radicale.file = ./. + "/../../secrets/${config.networking.hostName}/restic/radicale.age";
- radicale-users = {
- file = ./. + "/../../secrets/${config.networking.hostName}/radicale-users.age";
- owner = "radicale";
- };
- };
-
- restic-backups.radicale = {
- user = "radicale";
- passwordFile = config.age.secrets.restic-radicale.path;
- paths = [ "/var/lib/radicale" ];
- };
-
- systemd.services.radicale.onFailure = [ "email-notify@%i.service" ];
-
- services = {
- radicale = {
- enable = true;
- settings = {
- server.hosts = [ "[::1]:5232" ];
- web.type = "internal";
- storage.filesystem_folder = "/var/lib/radicale/collections";
- headers.Access-Control-Allow-Origin = "*";
- auth.type = "htpasswd";
- auth.htpasswd_filename = config.age.secrets.radicale-users.path;
- auth.htpasswd_encryption = "plain";
- };
- };
-
- nginx = {
- enable = true;
- virtualHosts."dav.ctu.cx" = {
- enableACME = lib.mkIf config.networking.usePBBUplink true;
- forceSSL = lib.mkIf config.networking.usePBBUplink true;
- kTLS = lib.mkIf config.networking.usePBBUplink true;
- locations."/".proxyPass = "http://[::1]:5232/";
- };
- };
- };
-
-}
diff --git a/machines/trabbi/configuration.nix b/machines/trabbi/configuration.nix @@ -11,6 +11,9 @@ # git server (gitolite+stagit) ./git.nix + # cal- and card-dav server + ./radicale.nix + # monitoring ../../configurations/linux/services/prometheus-exporters.nix ./prometheus.nix
diff --git a/machines/trabbi/radicale.nix b/machines/trabbi/radicale.nix
@@ -0,0 +1,48 @@
+{ config, lib, pkgs, ... }:
+
+{
+
+ dns.zones."ctu.cx".subdomains.dav.CNAME = [ "${config.networking.fqdn}." ];
+
+ age.secrets = {
+ restic-radicale.file = ./. + "/../../secrets/${config.networking.hostName}/restic/radicale.age";
+ radicale-users = {
+ file = ./. + "/../../secrets/${config.networking.hostName}/radicale-users.age";
+ owner = "radicale";
+ };
+ };
+
+ restic-backups.radicale = {
+ user = "radicale";
+ passwordFile = config.age.secrets.restic-radicale.path;
+ paths = [ "/var/lib/radicale" ];
+ };
+
+ systemd.services.radicale.onFailure = [ "email-notify@%i.service" ];
+
+ services = {
+ radicale = {
+ enable = true;
+ settings = {
+ server.hosts = [ "[::1]:5232" ];
+ web.type = "internal";
+ storage.filesystem_folder = "/var/lib/radicale/collections";
+ headers.Access-Control-Allow-Origin = "*";
+ auth.type = "htpasswd";
+ auth.htpasswd_filename = config.age.secrets.radicale-users.path;
+ auth.htpasswd_encryption = "plain";
+ };
+ };
+
+ nginx = {
+ enable = true;
+ virtualHosts."dav.ctu.cx" = {
+ enableACME = true;
+ forceSSL = true;
+ kTLS = true;
+ locations."/".proxyPass = "http://[::1]:5232/";
+ };
+ };
+ };
+
+}
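Review bot: `auth.htpasswd_encryption = "plain";` in the new machines/trabbi/radicale.nix means the decrypted `radicale-users` file holds the CalDAV/CardDAV passwords in cleartext on the host; agenix protects them only inside the repository. Since the users file is re-encrypted for this host in the same commit, this would be a natural point to store bcrypt hashes instead and set `auth.htpasswd_encryption = "bcrypt";`. The wildcard in `headers.Access-Control-Allow-Origin = "*";` also looks broader than an authenticated DAV endpoint needs; if a single web client relies on it, naming that origin would be tighter, and either way a short comment saying why the header is set would help the next reader.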
diff --git a/secrets/briefkasten/radicale-users.age b/secrets/briefkasten/radicale-users.age @@ -1,14 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGNFFMRGJlM3MxblBmdWZY -OWNBUVNxMUMyZlVnSk43eHZXbFNRRlZBYWx3Cm9iYVlobllYd2ZCZzlodWU2Yit1 -dEdyS0t3RUNtZnhCZUpjbGtFb1pPK1EKLT4gc3NoLWVkMjU1MTkgNGhLQ013IDRo -SWw3V0JVd1V4TWEzc1BVc2JUYVhyRkxubXBtVzdrZDZveEFyVmYwbDgKMDI5ckxU -QmtpN09hVFVVU25ONXpaS1N6dnExK0hyMFhGcHRHUTh3M2lYRQotPiByal07OSsm -fi1ncmVhc2UgMFliW2VlZE4gOlp+SihjIFsrOQpNNTZpRjYwNWZScFd5Q0s2NE9P -LyszWXEwYnB6Wms5WHdUVFFKZXhGcERkWERNS0NFVERjNjNodUthNXVDZWxECkht -Qld5Zlk4OG5laDJLK1BBSFJHWUlvZkpYWmxBeUZ1UG41U3FIV0RISXdZSHdmeDBE -QQotLS0gVE1YNWxub2NKaHAyUktlNzgzNFlHYTFXaWZyNGh6MDV1K2EwSzdOSTdY -OAr+cSbThFDyFj6ssNfszJHrHUAZjxouGyF9Zjl18jRo+o1/87DiNR3NQgViipe3 -TGsBbJcLoZT8xweE9VtSxP41+Krmlrpcjlotcng6RfLnj7Slfxr/WC9oct3xqq34 -DdGuAvM7+3r+wcGrCewu4CPXetDcNSXJpSLEhyjQikN+Z1U= ------END AGE ENCRYPTED FILE-----
diff --git a/secrets/briefkasten/restic/radicale.age b/secrets/briefkasten/restic/radicale.age @@ -1,12 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5aE5RNmZrNWxxOUoySDc2 -TG5Zb2hJc0FrdHNwQjhqRzEwVzZPaGJoUWpZCnVmYjhTaExGT3BZK2dycmNKVzF0 -RGJ0YXd5S21YY05wNkJpNmNBZTI2bHMKLT4gc3NoLWVkMjU1MTkgNGhLQ013IC9l -c3dnOVRVUXc0d2dldENVRmFxcjhua1B1S2ZEczJ5TjlPZDRqcGhCeFkKSU9OM1dI -YlB0V1lQT1YyN2JxUGNVdnp1NFEwTDhYSGhJNDRPMWF2MmRnUQotPiB3Ny5GPkIt -Z3JlYXNlIGQjbyBJOkFyWFRMJiBCCkFtL3VvSFYrbmVINjFYTUUzWnVtWE9qOWZF -Vnl4aVo2Ulcycmd6R00xZDNHOEpLM1hhT1l3bmUxNmxIbG8wV3cKUEZpZFhqUDRa -Y2NCYjlhVkRjelhvUENUWEFpdkM4RUhldEF3MzhkKzN3Ci0tLSBEN0VWWjZwb2ZZ -aHJGREdEMVhsNXRRRHlib0VLT2dmR29vR2RZanBjMVcwCkuunaW8IHnbWcGnEyzx -5UdQ/MSZB63Y7LDnyhQne+fdXFkcvDGQKD0LyYU4k4KgEv80b0rFKSr+Z3A= ------END AGE ENCRYPTED FILE-----
diff --git a/secrets/secrets.nix b/secrets/secrets.nix @@ -53,11 +53,8 @@ in { "briefkasten/gotosocial-env.age".publicKeys = [ leah briefkasten ]; "briefkasten/travelynx2fedi-env.age".publicKeys = [ leah briefkasten ]; - "briefkasten/radicale-users.age".publicKeys = [ leah briefkasten ]; - "briefkasten/restic-server-htpasswd.age".publicKeys = [ leah briefkasten ]; - "briefkasten/restic/radicale.age".publicKeys = [ leah briefkasten ]; "briefkasten/restic/gotosocial.age".publicKeys = [ leah briefkasten ]; "briefkasten/restic/influxdb.age".publicKeys = [ leah briefkasten ]; "briefkasten/restic/ctucx-things.age".publicKeys = [ leah briefkasten ]; @@ -78,7 +75,9 @@ in { "trabbi/matrix-synapse/registration_shared_secret.age".publicKeys = [ leah trabbi ]; + "trabbi/matrix-synapse/s3_secrets.age".publicKeys = [ leah trabbi ]; + "trabbi/restic/radicale.age".publicKeys = [ leah trabbi ]; "trabbi/restic/gitolite.age".publicKeys = [ leah trabbi ]; "trabbi/restic/pleroma.age".publicKeys = [ leah trabbi ]; "trabbi/restic/matrix-synapse.age".publicKeys = [ leah trabbi ]; @@ -88,6 +87,8 @@ in { "trabbi/mail/password-leah-ctu.cx.age".publicKeys = [ leah trabbi ]; "trabbi/mail/password-mail-zug.network.age".publicKeys = [ leah trabbi ]; + "trabbi/radicale-users.age".publicKeys = [ leah trabbi ]; + "wanderduene/wireguard-privkey.age".publicKeys = [ leah wanderduene ]; "wanderduene/restic-server-htpasswd.age".publicKeys = [ leah wanderduene ];
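Review bot: Dropping the `"briefkasten/radicale-users.age"` and `"briefkasten/restic/radicale.age"` entries in the first hunk does not revoke the old host's access, because the removed ciphertexts stay in git history and remain decryptable with the `briefkasten` key. Whether the new `"trabbi/radicale-users.age"` and `"trabbi/restic/radicale.age"` files (second and third hunks) carry fresh values cannot be told from the diff; if they hold the same contents, rotating the Radicale user passwords and the restic repository password as part of the move would close that gap. This matters more here because the htpasswd file is configured as plaintext. The attribute set these entries belong to opens and closes outside the hunks.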
diff --git a/secrets/trabbi/radicale-users.age b/secrets/trabbi/radicale-users.age @@ -0,0 +1,14 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKMXlWcFFZWGoyeVdCbGhH +UlpXV0JFRWVLZVFXK21VbFN2elYyN3JjaENJCmI2clJxSW0vaERxVUE2VlR2RTZq +ZVduMTVmSkhLWEpBNnJjY0NDK3J6NUkKLT4gc3NoLWVkMjU1MTkgVjB1VXJ3IEdL +S1NFbEFHTVc2RTNWWitDd3dLZGRiTzFLVHVBWENwb3FRN0xqMEk2bGsKR2c3blNT +YzQ4bnpOMWhTM3E1dDlpeHR3UlEvQi8vLzdva0dpSGRBRnAzdwotPiAjdn5VSWxh +Vy1ncmVhc2UgYCdlR1RRIVwgU1k7NiBYIntBeCMgZFVJVSV+bXMKZXJodE90UUZy +ekNrOThTbWJhcXhkV1dGbTdpZUhYa0ZsdmR0VlhaV1pxZkN2YXpYRVlzMms4RzZ4 +UUZtWkxPNApIOXVUQ0l0U01YeVhZc0xzbWRMcGF3VUxweE1HCi0tLSBrTnJMby9w +aVZ0YzlxY2x4MjFFWWd0cnE4a0xUbDFmVTlKNzlYdWFQb0FNCjHyhFf0N3SMWDeW +Sj+ufoZReY9U7xtvKdu8ufaOYX2v+7c6mE+GlNOAXHmye7qfu4aMreMJQvYjpUj9 +ELXqgNjOgu/dUgWI7Y+L5E9GLCjRmD5KTdSQ7GcL6OVfY4DkhaI3I1+gsrH00jal +nyfmB5wMUSwhF29Wx0oszOYQd/cDz+gxIU1SsEjGea7U +-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/trabbi/restic/radicale.age b/secrets/trabbi/restic/radicale.age @@ -0,0 +1,12 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqNUoraUlEc25DOVhlZE8v +c29Sa3hSdm54Tk03VytRcHQvSDlJU1NkQm04CldMMmZMR0x1SWNiUXZmTWpmdHRp +M2kxVUNaTFc5TGpvRTNHajlKYTc1cVkKLT4gc3NoLWVkMjU1MTkgVjB1VXJ3IGJv +MmEvdFJWQWNVWHczV01qTFMxbmY2SFRrUGVadWtQcUtld3IvaThIelEKUjh5TTZo +UlF5OGt5WXhjc1dpMjhRMVdpM2RFanZ5ME9vR2IveWlvUzY1WQotPiBjSjk/TDlt +bS1ncmVhc2UKRjV4bml3b21HUEFicWNSOWliaHpJTTg3NGpFdml1K0h0aE1nL0dY +ampuV3U4WDFuaEY1TTQwdGtWd2kyRjdaNApVcFZ0WTM5akw1UHJVSklVY3hxOE1J +RFZQS0lPZDhlSDlzOAotLS0gVTNNTWd5SDdaaklHYTBCSmNMekhhdDlScU12VXdZ +NFpzb2QyQ3VaUlZpawpEpWWWDYN8iF/Sso1YTOS10PsCxc7g7Swdwq1j58I6YinB +hIvLl3vF4X1fzLZmNO0DuLmb2iSAsrna +-----END AGE ENCRYPTED FILE-----