diff --git a/flake.lock b/flake.lock index 53a0e95..17eda5c 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,48 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "systems": "systems" + }, + "locked": { + "lastModified": 1754433428, + "narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=", + "owner": "ryantm", + "repo": "agenix", + "rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1744478979, + "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "43975d782b418ebf4969e9ccba82466728c2851b", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "flake-parts": { "inputs": { "nixpkgs-lib": [ @@ -24,15 +67,16 @@ "home-manager": { "inputs": { "nixpkgs": [ - "nixpkgs-unstable" + "agenix", + "nixpkgs" ] }, "locked": { - "lastModified": 1760239230, - "narHash": "sha256-eqSP/BAbQwNTlQ/6yuK0yILzZAPNNj91gp6oIfVtu/E=", + "lastModified": 1745494811, + "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=", "owner": "nix-community", "repo": "home-manager", - "rev": "c4aaddeaecc09554c92518fd904e3e84b497ed09", + "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be", "type": "github" }, "original": { 
@@ -62,18 +106,38 @@ "type": "github" } }, - "nixpkgs": { + "home-manager_2": { + "inputs": { + "nixpkgs": [ + "nixpkgs-unstable" + ] + }, "locked": { - "lastModified": 1760038930, - "narHash": "sha256-Oncbh0UmHjSlxO7ErQDM3KM0A5/Znfofj2BSzlHLeVw=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "0b4defa2584313f3b781240b29d61f6f9f7e0df3", + "lastModified": 1760239230, + "narHash": "sha256-eqSP/BAbQwNTlQ/6yuK0yILzZAPNNj91gp6oIfVtu/E=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "c4aaddeaecc09554c92518fd904e3e84b497ed09", "type": "github" }, "original": { - "owner": "nixos", - "ref": "nixos-unstable", + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1754028485, + "narHash": "sha256-IiiXB3BDTi6UqzAZcf2S797hWEPCRZOwyNThJIYhUfk=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "59e69648d345d6e8fef86158c555730fa12af9de", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-25.05", "repo": "nixpkgs", "type": "github" } @@ -110,10 +174,26 @@ "type": "github" } }, + "nixpkgs_2": { + "locked": { + "lastModified": 1760038930, + "narHash": "sha256-Oncbh0UmHjSlxO7ErQDM3KM0A5/Znfofj2BSzlHLeVw=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "0b4defa2584313f3b781240b29d61f6f9f7e0df3", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nur": { "inputs": { "flake-parts": "flake-parts", - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs_2" }, "locked": { "lastModified": 1760244049, 
@@ -131,12 +211,28 @@ }, "root": { "inputs": { - "home-manager": "home-manager", + "agenix": "agenix", + "home-manager": "home-manager_2", "home-manager-stable": "home-manager-stable", "nixpkgs-stable": "nixpkgs-stable", "nixpkgs-unstable": "nixpkgs-unstable", "nur": "nur" } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 37e242a..48f841b 100644 --- a/flake.nix +++ b/flake.nix @@ -13,6 +13,7 @@ inputs.nixpkgs.follows = "nixpkgs-unstable"; }; nur.url = "github:nix-community/NUR"; + agenix.url = "github:ryantm/agenix"; }; outputs = { @@ -21,6 +22,7 @@ home-manager-stable, home-manager, nur, + agenix, ... }: let mkUnstablePkgsWithNur = { @@ -50,10 +52,12 @@ }; terre-neuvas = nixpkgs-stable.lib.nixosSystem { + specialArgs = { inherit agenix; }; system = "x86_64-linux"; modules = [ ./hosts/terre-neuvas/configuration.nix home-manager-stable.nixosModules.home-manager + agenix.nixosModules.default ]; }; diff --git a/modules/services/goaccess.nix b/modules/services/goaccess.nix index 2cc069c..b403917 100644 --- a/modules/services/goaccess.nix +++ b/modules/services/goaccess.nix @@ -1,7 +1,14 @@ -{pkgs, ...}: +{pkgs, config, ...}: let globals = import ../../config/globals.nix ; in { + age.secrets.goaccess-password = { + file = ../../secrets/goaccess-password.age; + owner = "caddy"; + group = "caddy"; + mode = "0400"; + }; + environment.systemPackages = with pkgs; [ goaccess ]; @@ -26,7 +33,6 @@ in { }; }; - # Timer pour régénérer le rapport toutes les heures systemd.timers.goaccess-report = { description = "Hourly GoAccess report generation"; wantedBy = ["timers.target"]; 
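Review bot: The new `agenix.url` input in the `@@ -13,6 +13,7 @@` hunk of flake.nix is not pinned to any of the flake's existing nixpkgs inputs, so the lock now carries agenix's own nixpkgs (nixos-25.05), nix-darwin and home-manager trees next to the ones this flake already tracks (hence the new `nixpkgs_2` and `home-manager_2` nodes) — a second dependency tree to audit and keep updated. The file already uses `inputs.nixpkgs.follows = "nixpkgs-unstable";` for another input, so the same treatment fits here: `agenix.inputs.nixpkgs.follows = "nixpkgs-stable";` (or `nixpkgs-unstable`, whichever the host should share) and `agenix.inputs.darwin.follows = "";`, since the nix-darwin input is not needed for an x86_64-linux host; if agenix's home-manager input is likewise unused here, `agenix.inputs.home-manager.follows = "";` as well. After a `nix flake update` the duplicate nodes in flake.lock should then collapse. `specialArgs = { inherit agenix; };` in the third hunk is only needed if a module references `agenix` directly, which none of the visible hunks do — worth a short comment saying what it is for, or dropping it.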
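Review bot: `config` is added to the module's argument set on the first line of the `@@ -1,7 +1,14 @@` hunk of modules/services/goaccess.nix, but nothing in the visible hunks reads it, while the copy script in the following hunk hard-codes `/run/agenix/goaccess-password` instead of the option agenix provides for exactly this, `config.age.secrets.goaccess-password.path`. Using the option keeps the path correct if `age.secretsDir` is ever changed and gives the new argument a purpose; otherwise `config` should be dropped again. The `age.secrets.goaccess-password` declaration itself (owner and group caddy, mode 0400) is the right shape for a file Caddy must read as its own user.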
@@ -35,20 +41,43 @@ in { Persistent = true; }; }; + + systemd.services."goaccess-auth-sync" = { + description = "Sync goaccess password for Caddy"; + wantedBy = [ "caddy.service" ]; + before = [ "caddy.service" ]; + serviceConfig = { + Type = "oneshot"; + ExecStart = pkgs.writeScript "sync-goaccess-auth" '' + #!${pkgs.bash}/bin/bash + mkdir -p /etc/caddy/extra + cp /run/agenix/goaccess-password /etc/caddy/extra/goaccess-auth.conf + chown caddy:caddy /etc/caddy/extra/goaccess-auth.conf + chmod 400 /etc/caddy/extra/goaccess-auth.conf + ''; + }; + }; + services.caddy = { virtualHosts = { "${globals.services.goaccess.url}" = { extraConfig = '' root * ${globals.services.goaccess.home} + + basic_auth /* { + import /etc/caddy/extra/goaccess-auth.conf + } + file_server browse try_files {path} {path}/ /index.html - ''; + }; }; }; systemd.tmpfiles.rules = [ "d ${globals.services.goaccess.home} 0755 root root -" + "d /etc/caddy/extra 0750 caddy caddy -" ]; } diff --git a/secrets/goaccess-password.age b/secrets/goaccess-password.age new file mode 100644 index 0000000..20d710c Binary files /dev/null and b/secrets/goaccess-password.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..6f16f6f --- /dev/null +++ b/secrets/secrets.nix @@ -0,0 +1,8 @@ +let + serveur = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPRVxB7usThGHf8cuSPE4sjdqSaPNlwWAZPEo1wUgHz6 root@terre-neuvas"; + admin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxranFaz3jRfvYE2M6FvRUWjzviIWjWd1mucgKeuSK2 lomig@nixos"; +in +{ + "goaccess-password.age".publicKeys = [ serveur admin ]; +} +
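Review bot: The `goaccess-auth-sync` service copies the decrypted secret out of `/run/agenix` (which agenix keeps on a RAM-backed mount — confirm for the locked version) onto the persistent root filesystem as `/etc/caddy/extra/goaccess-auth.conf`, so the password hash now also lives on disk and survives beyond the agenix lifecycle. The copy is not needed: agenix already hands Caddy a 0400 file owned by caddy, so the Caddyfile can import it in place with `import ${config.age.secrets.goaccess-password.path}`, after which the sync service, its `mkdir -p`, and the new `/etc/caddy/extra` tmpfiles rule can all go. If the on-disk copy is kept for some reason, a single `install -m 0400 -o caddy -g caddy /run/agenix/goaccess-password /etc/caddy/extra/goaccess-auth.conf` replaces the `cp`/`chown`/`chmod` triple, the script should open with `set -euo pipefail`, and `requiredBy` rather than `wantedBy` would keep Caddy from starting without the file. The `basic_auth /*` block guards the whole GoAccess vhost, which matches the intent of the change; the enclosing `services.caddy` attribute set is shown in full, but the module's other attributes continue outside the hunk.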
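Review bot: Nothing in secrets/secrets.nix records what the plaintext of `goaccess-password.age` has to look like, yet the Caddy `import` in modules/services/goaccess.nix only works if it is a basic_auth body (one `<user> <hashed-password>` line per account, the hash produced by `caddy hash-password`), and the next person to rotate it will have to rediscover that. A one-line comment above the entry, e.g. `# plaintext: Caddyfile basic_auth body, one "<user> <bcrypt-hash>" line per account`, would fix that. Naming the two recipients by role (`serveur` as the host key, `admin` as the operator key) is fine; if the host key is the one in /etc/ssh this matches agenix's default identity lookup, which a comment could also state.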