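# NixOS module for the tangled-knot service: declares
# `myNixOS.services.tangled-knot.{enable,autoProxy}` and, when enabled,
# a cloudflared ingress entry for the knot's vHost plus a NixOS container
# that runs the knot together with an sshd for the `git` user.
{
  config,
  lib,
  self,
  ...
}: let
  name = "tangled-knot";
  cfg = config.myNixOS.services.${name};

  # vHost/port/sshPort for this service come from the shared network map
  # snippet, so they are defined once for the whole network.
  network = config.mySnippets.aylac-top;
  service = network.networkMap.${name};
in {
  options.myNixOS.services.${name} = {
    enable = lib.mkEnableOption "${name} server";
    autoProxy = lib.mkOption {
      default = true;
      example = false;
      description = "${name} auto proxy";
      type = lib.types.bool;
    };
  };

  config = lib.mkIf cfg.enable {
    services = {
      # Route the public vHost through the Cloudflare tunnel to the knot's
      # local listener; dropped together with autoProxy.
      cloudflared.tunnels."${network.cloudflareTunnel}".ingress = lib.mkIf cfg.autoProxy {
        "${service.vHost}" = "http://localhost:${toString service.port}";
      };
    };

    containers.tangled-knot = {
      autoStart = true;
      # Plain attrset rather than a `{config, ...}:` function, so `config`,
      # `lib` and `self` below still refer to the host module's arguments.
      config = {
        imports = [self.inputs.tangled-core.nixosModules.knot];

        programs.ssh.knownHosts = config.mySnippets.ssh.knownHosts;

        services.openssh = {
          ports = [service.sshPort];
          settings = {
            # Key-only logins. PasswordAuthentication alone still leaves
            # keyboard-interactive (PAM) as a password path, so that is
            # disabled as well.
            PasswordAuthentication = false;
            KbdInteractiveAuthentication = false;
            PubkeyAuthentication = true;
          };
        };

        # Authorized keys for the `git` user, picked from the public keys in
        # the secrets input according to the *host's* hostname (see the note
        # on the container `config` above).
        users.users.git.openssh.authorizedKeys.keyFiles =
          lib.map (file: "${self.inputs.secrets}/publicKeys/${file}")
          # Right now this config is fine, but if I ever get another machine
          # I daily drive or a build server I need to do something else here.
          (lib.filter (file:
            if config.networking.hostName == "morgana"
            then "ayla_m23.pub" == file
            else (lib.elem file ["ayla_morgana.pub" "ayla_23.pub"]))
          (builtins.attrNames (builtins.readDir "${self.inputs.secrets}/publicKeys")));

        services.tangled-knot = {
          enable = true;
          openFirewall = cfg.autoProxy;
          stateDir = "/var/lib/knot";
          server = {
            owner = "did:plc:3c6vkaq7xf5kz3va3muptjh5";
            hostname = service.vHost;
            # Only reachable locally; exposure goes through the tunnel above.
            listenAddr = "localhost:${toString service.port}";
          };
        };

        system.stateVersion = "25.11";
      };
    };
  };
}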