jet/extremist-software
jet/extremist-software
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

refactor: implement intermediate mySecrets options

Browse source
This commit is contained in:
Jet 2026-02-16 21:32:30 -08:00
parent d756f302d5
commit 55876f2828
7 changed files with 50 additions and 27 deletions
Download patch file Download diff file Expand all files Collapse all files

5
configuration.nix
View file

@ -9,6 +9,7 @@
./modules/matrix.nix ./modules/matrix.nix
./modules/minecraft.nix ./modules/minecraft.nix
./modules/monitoring.nix ./modules/monitoring.nix
./modules/secrets-scheme.nix
# Impure Secrets # Impure Secrets
./secrets.nix ./secrets.nix
]; ];
@ -56,5 +57,7 @@
zramSwap.enable = true; zramSwap.enable = true;
zramSwap.memoryPercent = 50; zramSwap.memoryPercent = 50;
# Secrets handled via ./secrets/secrets.nix import # Secrets handled via ./secrets.nix importing to config.mySecrets
environment.etc."secrets/tailscale-auth".text = config.mySecrets.tailscaleKey;
services.tailscale.authKeyFile = "/etc/secrets/tailscale-auth";
} }

3
modules/forgejo.nix
View file

@ -14,7 +14,8 @@
}; };
# You can configure SMTP here using secrets if needed # You can configure SMTP here using secrets if needed
}; };
# Secret for DB password set in secrets.nix # Secret for DB password
settings.database.PASSWORD = config.mySecrets.forgejoDb;
}; };
services.postgresql = { services.postgresql = {

7
modules/mail.nix
View file

@ -11,7 +11,12 @@
implicit = false; # StartTLS usually on 587 implicit = false; # StartTLS usually on 587
}; };
}; };
# authentication.fallback-admin set in secrets.nix
authentication.fallback-admin = {
user = "admin";
secret = config.mySecrets.stalwartAdmin;
};
# Stalwart configuration is quite extensive. # Stalwart configuration is quite extensive.
# By default it listens on standard ports (25, 465, 587, 993, 4190) # By default it listens on standard ports (25, 465, 587, 993, 4190)
# and provides a web admin UI on 8080. # and provides a web admin UI on 8080.

2
modules/minecraft.nix
View file

@ -24,7 +24,7 @@
simulation-distance = 10; simulation-distance = 10;
max-players = 5; max-players = 5;
enable-rcon = true; enable-rcon = true;
# "rcon.password" set in secrets.nix "rcon.password" = config.mySecrets.minecraftRcon;
}; };
jvmOpts = "-Xms2G -Xmx2500M -XX:+UseG1GC -XX:+ParallelRefProcEnabled -XX:MaxGCPauseMillis=200 -XX:+UnlockExperimentalVMOptions -XX:+DisableExplicitGC -XX:+AlwaysPreTouch -XX:G1NewSizePercent=30 -XX:G1MaxNewSizePercent=40 -XX:G1HeapRegionSize=8M -XX:G1ReservePercent=20 -XX:G1HeapWastePercent=5 -XX:G1MixedGCCountTarget=4 -XX:InitiatingHeapOccupancyPercent=15 -XX:G1MixedGCLiveThresholdPercent=90 -XX:G1RSetUpdatingPauseTimePercent=5 -XX:SurvivorRatio=32 -XX:+PerfDisableSharedMem -XX:MaxTenuringThreshold=1 -Dusing.aikars.flags=https://mcflags.emc.gs -Daikars.new.flags=true"; jvmOpts = "-Xms2G -Xmx2500M -XX:+UseG1GC -XX:+ParallelRefProcEnabled -XX:MaxGCPauseMillis=200 -XX:+UnlockExperimentalVMOptions -XX:+DisableExplicitGC -XX:+AlwaysPreTouch -XX:G1NewSizePercent=30 -XX:G1MaxNewSizePercent=40 -XX:G1HeapRegionSize=8M -XX:G1ReservePercent=20 -XX:G1HeapWastePercent=5 -XX:G1MixedGCCountTarget=4 -XX:InitiatingHeapOccupancyPercent=15 -XX:G1MixedGCLiveThresholdPercent=90 -XX:G1RSetUpdatingPauseTimePercent=5 -XX:SurvivorRatio=32 -XX:+PerfDisableSharedMem -XX:MaxTenuringThreshold=1 -Dusing.aikars.flags=https://mcflags.emc.gs -Daikars.new.flags=true";
}; };

3
modules/searx.nix
View file

@ -3,12 +3,11 @@
{ {
services.searx = { services.searx = {
enable = true; enable = true;
# settings.server.secret_key set in secrets.nix
settings = { settings = {
server = { server = {
port = 8082; port = 8082;
bind_address = "127.0.0.1"; bind_address = "127.0.0.1";
# secret_key = ...; # Set via env var in file secret_key = config.mySecrets.searxKey;
}; };
}; };
}; };

28
modules/secrets-scheme.nix Normal file
View file

@ -0,0 +1,28 @@
{ lib, ... }:
with lib;
{
options.mySecrets = {
forgejoDb = mkOption {
type = types.str;
description = "Forgejo Database Password";
};
stalwartAdmin = mkOption {
type = types.str;
description = "Stalwart Mail Admin Password";
};
searxKey = mkOption {
type = types.str;
description = "Searx Secret Key";
};
minecraftRcon = mkOption {
type = types.str;
description = "Minecraft RCON Password";
};
tailscaleKey = mkOption {
type = types.str;
description = "Tailscale Auth Key";
};
};
}

29
secrets.nix.example
View file

@ -1,25 +1,12 @@
{ pkgs, config, lib, ... }: { pkgs, config, lib, ... }:
{ {
# Forgejo # Copy this file to secrets.nix and fill in real values
services.forgejo.settings.database.PASSWORD = "changeme_forgejo_db"; mySecrets = {
forgejoDb = "changeme_forgejo_db";
# Stalwart Mail stalwartAdmin = "changeme_stalwart_admin";
services.stalwart.settings.authentication.fallback-admin.secret = "changeme_stalwart_admin"; searxKey = "changeme_searx_secret";
minecraftRcon = "changeme_rcon";
# Searx tailscaleKey = "tskey-auth-PLACEHOLDER";
services.searx.settings.server.secret_key = "changeme_searx_secret"; };
# Minecraft RCON
services.minecraft-servers.servers.fabric.serverProperties."rcon.password" = "changeme_rcon";
# Tailscale Auth Key (needs to be a file for the service usually, or use pre-auth)
# For Tailscale, standard module uses 'authKeyFile'.
# We can create a file in the store for it since this is an impure secrets file anyway.
# For Tailscale, let's just write valid one-liner to a file via environment.etc if needed,
# or use the 'authKey' option if available (it is not, usually).
# We will stick to environment.etc JUST for Tailscale or file-based secrets.
environment.etc."secrets/tailscale-auth".text = "tskey-auth-PLACEHOLDER";
services.tailscale.authKeyFile = "/etc/secrets/tailscale-auth";
} }