ptr.pet / ark
nix machine / user configurations
fork atom

refactor(wolumonde): reorganize some modules into folders, add headscale acl [skip ci]

ptr.pet 02fa8d8d 93f1e8de

verified
options
unified split
Changed files
+81 -25
hosts
wolumonde
modules
forgejo.nix
default.nix
public
assets
css
theme-edge-dark.css
fonts
comic.woff2
comicbd.woff2
comici.woff2
img
favicon.png
grrr.webp
logo.png
wecode.gif
templates
base
head.tmpl
head_navbar.tmpl
home.tmpl
headscale.nix
acl.hujson
default.nix
perses.nix
dashboards
.gitignore
go.mod
go.sum
wolumonde.go
default.nix
provision
1-private-infra.yaml
2-admin-role.yaml
3-admin-bind-role.yaml
4-victoria.yaml
5-funny.yaml
6-guest-role.yaml
7-funny-bind-role.yaml
90-wolumonde.yaml
tailscale.nix
webhook.nix
default.nix
deploy-wolumonde.nix
lib
default.nix
secrets
develMobiNetbirdClientKey.age
develMobiTailscaleAuthKey.age
tailscaleAuthKey.age
+1 -1
hosts/wolumonde/modules/forgejo.nix hosts/wolumonde/modules/forgejo.nix/default.nix 
···

       
46

       
46

       
 

       
      makeCopyCommand = dir: ''


     

       
47

       
47

       
 

       
        mkdir -p ${customDir}


     

       
48

       
48

       
 

       
        rm -rf ${getCustomDir dir}


     

       
49

       

       
-

       
        cp -r --no-preserve=mode,ownership ${./forgejo/${dir}} ${getCustomDir dir}


     

       

       
49

       
+

       
        cp -r --no-preserve=mode,ownership ${./${dir}} ${getCustomDir dir}


     

       
50

       
50

       
 

       
      '';


     

       
51

       
51

       
 

       
    in


     

       
52

       
52

       
 

       
    lib.concatMapStrings makeCopyCommand [
hosts/wolumonde/modules/forgejo/public/assets/css/theme-edge-dark.css hosts/wolumonde/modules/forgejo.nix/public/assets/css/theme-edge-dark.css
hosts/wolumonde/modules/forgejo/public/assets/fonts/comic.woff2 hosts/wolumonde/modules/forgejo.nix/public/assets/fonts/comic.woff2
hosts/wolumonde/modules/forgejo/public/assets/fonts/comicbd.woff2 hosts/wolumonde/modules/forgejo.nix/public/assets/fonts/comicbd.woff2
hosts/wolumonde/modules/forgejo/public/assets/fonts/comici.woff2 hosts/wolumonde/modules/forgejo.nix/public/assets/fonts/comici.woff2
hosts/wolumonde/modules/forgejo/public/assets/img/favicon.png hosts/wolumonde/modules/forgejo.nix/public/assets/img/favicon.png
hosts/wolumonde/modules/forgejo/public/assets/img/grrr.webp hosts/wolumonde/modules/forgejo.nix/public/assets/img/grrr.webp
hosts/wolumonde/modules/forgejo/public/assets/img/logo.png hosts/wolumonde/modules/forgejo.nix/public/assets/img/logo.png
hosts/wolumonde/modules/forgejo/public/assets/img/wecode.gif hosts/wolumonde/modules/forgejo.nix/public/assets/img/wecode.gif
hosts/wolumonde/modules/forgejo/templates/base/head.tmpl hosts/wolumonde/modules/forgejo.nix/templates/base/head.tmpl
hosts/wolumonde/modules/forgejo/templates/base/head_navbar.tmpl hosts/wolumonde/modules/forgejo.nix/templates/base/head_navbar.tmpl
hosts/wolumonde/modules/forgejo/templates/home.tmpl hosts/wolumonde/modules/forgejo.nix/templates/home.tmpl
+5 -2
hosts/wolumonde/modules/headscale.nix hosts/wolumonde/modules/headscale.nix/default.nix 
···

       
3

       
3

       
 

       
  domain = "vpn.${rootDomain}";


     

       
4

       
4

       
 

       
in {


     

       
5

       
5

       
 

       
  age.secrets.headscaleOidcSecret = {


     

       
6

       

       
-

       
    file = ../../../secrets/headscaleOidcSecret.age;


     

       

       
6

       
+

       
    file = ../../../../secrets/headscaleOidcSecret.age;


     

       
7

       
7

       
 

       
    mode = "600";


     

       
8

       
8

       
 

       
    owner = config.services.headscale.user;


     

       
9

       
9

       
 

       
    group = config.services.headscale.group;


     
···

       
15

       
15

       
 

       
    port = 1111;


     

       
16

       
16

       
 

       
    settings = {


     

       
17

       
17

       
 

       
      server_url = "https://${domain}";


     

       
18

       

       
-

       
      policy.mode = "database";


     

       

       
18

       
+

       
      policy = {


     

       

       
19

       
+

       
        mode = "file";


     

       

       
20

       
+

       
        file = ./acl.hujson;


     

       

       
21

       
+

       
      };


     

       
19

       
22

       
 

       
      dns = {


     

       
20

       
23

       
 

       
        base_domain = "lan.${rootDomain}";


     

       
21

       
24

       
 

       
        nameservers.global = ["1.1.1.1" "1.0.0.1" "9.9.9.9" "149.112.112.112"];
+53
hosts/wolumonde/modules/headscale.nix/acl.hujson 
···

       

       
1

       
+

       
{


     

       

       
2

       
+

       
    // Headscale ACL Configuration


     

       

       
3

       
+

       
    // Defines groups, tags, and access control rules


     

       

       
4

       
+

       



     

       

       
5

       
+

       
    // Groups define collections of users


     

       

       
6

       
+

       
    "groups": {


     

       

       
7

       
+

       
        "group:admin": ["90008@"],


     

       

       
8

       
+

       
    },


     

       

       
9

       
+

       



     

       

       
10

       
+

       
    // Tags are used to label devices/nodes for access control


     

       

       
11

       
+

       
    "tagOwners": {


     

       

       
12

       
+

       
        "tag:private-infra": ["group:admin"],


     

       

       
13

       
+

       
        "tag:other-infra": ["group:admin"],


     

       

       
14

       
+

       
    },


     

       

       
15

       
+

       



     

       

       
16

       
+

       
    // Access Control Lists - define what can access what


     

       

       
17

       
+

       
    "acls": [


     

       

       
18

       
+

       
        // Admin group (user 90008) can access their own devices


     

       

       
19

       
+

       
        {


     

       

       
20

       
+

       
            "action": "accept",


     

       

       
21

       
+

       
            "src": ["group:admin"],


     

       

       
22

       
+

       
            "dst": ["group:admin:*"],


     

       

       
23

       
+

       
        },


     

       

       
24

       
+

       



     

       

       
25

       
+

       
        // Private infrastructure can access other infrastructure


     

       

       
26

       
+

       
        {


     

       

       
27

       
+

       
            "action": "accept",


     

       

       
28

       
+

       
            "src": ["tag:private-infra"],


     

       

       
29

       
+

       
            "dst": ["tag:other-infra:*"],


     

       

       
30

       
+

       
        },


     

       

       
31

       
+

       



     

       

       
32

       
+

       
        // Private infrastructure can access itself


     

       

       
33

       
+

       
        {


     

       

       
34

       
+

       
            "action": "accept",


     

       

       
35

       
+

       
            "src": ["tag:private-infra"],


     

       

       
36

       
+

       
            "dst": ["tag:private-infra:*"],


     

       

       
37

       
+

       
        },


     

       

       
38

       
+

       



     

       

       
39

       
+

       
        // Other infrastructure can access itself


     

       

       
40

       
+

       
        {


     

       

       
41

       
+

       
            "action": "accept",


     

       

       
42

       
+

       
            "src": ["tag:other-infra"],


     

       

       
43

       
+

       
            "dst": ["tag:other-infra:*"],


     

       

       
44

       
+

       
        },


     

       

       
45

       
+

       



     

       

       
46

       
+

       
        // Admin group can access both infrastructure tags


     

       

       
47

       
+

       
        {


     

       

       
48

       
+

       
            "action": "accept",


     

       

       
49

       
+

       
            "src": ["group:admin"],


     

       

       
50

       
+

       
            "dst": ["tag:private-infra:*", "tag:other-infra:*"],


     

       

       
51

       
+

       
        },


     

       

       
52

       
+

       
    ],


     

       

       
53

       
+

       
}
+3 -3
hosts/wolumonde/modules/perses.nix hosts/wolumonde/modules/perses.nix/default.nix 
···

       
78

       
78

       
 

       
  };


     

       
79

       
79

       
 

       



     

       
80

       
80

       
 

       
  age.secrets.persesSecret = {


     

       
81

       

       
-

       
    file = ../../../secrets/persesSecret.age;


     

       

       
81

       
+

       
    file = ../../../../secrets/persesSecret.age;


     

       
82

       
82

       
 

       
    owner = user;


     

       
83

       
83

       
 

       
    group = user;


     

       
84

       
84

       
 

       
  };


     

       
85

       
85

       
 

       
  age.secrets.persesAdminUser = {


     

       
86

       

       
-

       
    file = ../../../secrets/persesAdminUser.age;


     

       

       
86

       
+

       
    file = ../../../../secrets/persesAdminUser.age;


     

       
87

       
87

       
 

       
    owner = user;


     

       
88

       
88

       
 

       
    group = user;


     

       
89

       
89

       
 

       
  };


     
···

       
95

       
95

       
 

       
    ''


     

       
96

       
96

       
 

       
      rm -rf ${provisioningFolder} && mkdir -p ${provisioningFolder}


     

       
97

       
97

       
 

       
      cp -f ${secrets.persesAdminUser.path} ${provisioningFolder}/1-admin-user.json


     

       
98

       

       
-

       
      cp -f ${./perses/provision}/* ${provisioningFolder}


     

       

       
98

       
+

       
      cp -f ${./provision}/* ${provisioningFolder}


     

       
99

       
99

       
 

       
    '';


     

       
100

       
100

       
 

       



     

       
101

       
101

       
 

       
  virtualisation.oci-containers.containers.perses = {
hosts/wolumonde/modules/perses/dashboards/.gitignore hosts/wolumonde/modules/perses.nix/dashboards/.gitignore
hosts/wolumonde/modules/perses/dashboards/go.mod hosts/wolumonde/modules/perses.nix/dashboards/go.mod
hosts/wolumonde/modules/perses/dashboards/go.sum hosts/wolumonde/modules/perses.nix/dashboards/go.sum
hosts/wolumonde/modules/perses/dashboards/wolumonde.go hosts/wolumonde/modules/perses.nix/dashboards/wolumonde.go
hosts/wolumonde/modules/perses/provision/1-private-infra.yaml hosts/wolumonde/modules/perses.nix/provision/1-private-infra.yaml
hosts/wolumonde/modules/perses/provision/2-admin-role.yaml hosts/wolumonde/modules/perses.nix/provision/2-admin-role.yaml
hosts/wolumonde/modules/perses/provision/3-admin-bind-role.yaml hosts/wolumonde/modules/perses.nix/provision/3-admin-bind-role.yaml
hosts/wolumonde/modules/perses/provision/4-victoria.yaml hosts/wolumonde/modules/perses.nix/provision/4-victoria.yaml
hosts/wolumonde/modules/perses/provision/5-funny.yaml hosts/wolumonde/modules/perses.nix/provision/5-funny.yaml
hosts/wolumonde/modules/perses/provision/6-guest-role.yaml hosts/wolumonde/modules/perses.nix/provision/6-guest-role.yaml
hosts/wolumonde/modules/perses/provision/7-funny-bind-role.yaml hosts/wolumonde/modules/perses.nix/provision/7-funny-bind-role.yaml
hosts/wolumonde/modules/perses/provision/90-wolumonde.yaml hosts/wolumonde/modules/perses.nix/provision/90-wolumonde.yaml
+1
hosts/wolumonde/modules/tailscale.nix 
···

       
5

       
5

       
 

       
    enable = true;


     

       
6

       
6

       
 

       
    port = 41641;


     

       
7

       
7

       
 

       
    extraSetFlags = [ "--advertise-exit-node" ];


     

       

       
8

       
+

       
    extraUpFlags = [ "--ssh" ];


     

       
8

       
9

       
 

       
    extraDaemonFlags = [ "--no-logs-no-support" ];


     

       
9

       
10

       
 

       
    useRoutingFeatures = "both";


     

       
10

       
11

       
 

       
    authKeyFile = config.age.secrets.tailscaleAuthKey.path;
+2 -2
hosts/wolumonde/modules/webhook.nix hosts/wolumonde/modules/webhook.nix/default.nix 
···

       
1

       
1

       
 

       
{ config, tlib, ... }:


     

       
2

       
2

       
 

       
{


     

       
3

       

       
-

       
  imports = tlib.importFolder ./webhooks;


     

       

       
3

       
+

       
  imports = tlib.importFolder ./.;


     

       
4

       
4

       
 

       



     

       
5

       
5

       
 

       
  services.webhook = {


     

       
6

       
6

       
 

       
    enable = true;


     
···

       
8

       
8

       
 

       
  };


     

       
9

       
9

       
 

       



     

       
10

       
10

       
 

       
  age.secrets.webhookAuth = {


     

       
11

       

       
-

       
    file = ../../../secrets/webhookAuth.age;


     

       

       
11

       
+

       
    file = ../../../../secrets/webhookAuth.age;


     

       
12

       
12

       
 

       
    mode = "600";


     

       
13

       
13

       
 

       
    owner = "nginx";


     

       
14

       
14

       
 

       
    group = "nginx";
hosts/wolumonde/modules/webhooks/deploy-wolumonde.nix hosts/wolumonde/modules/webhook.nix/deploy-wolumonde.nix
+1 -1
lib/default.nix 
···

       
19

       
19

       
 

       
      files = b.readDir modules;


     

       
20

       
20

       
 

       
      fileNames = b.attrNames files;


     

       
21

       
21

       
 

       
      filesToImport = b.map (name: "${modules}/${name}") (


     

       
22

       

       
-

       
        b.filter (name: b.match ".*\.nix" name != null) fileNames


     

       

       
22

       
+

       
        b.filter (name: (b.match ".*\.nix" name != null) && (name != "default.nix")) fileNames


     

       
23

       
23

       
 

       
      );


     

       
24

       
24

       
 

       
    in


     

       
25

       
25

       
 

       
    filesToImport;
secrets/develMobiNetbirdClientKey.age

This is a binary file and will not be displayed.

secrets/develMobiTailscaleAuthKey.age

This is a binary file and will not be displayed.

+15 -16
secrets/tailscaleAuthKey.age 
···

       
1

       
1

       
 

       
age-encryption.org/v1


     

       
2

       
2

       
 

       
-> ssh-rsa Abmvag


     

       
3

       

       
-

       
NKeTQ1taN613x+apPY0ZIeL5kisXNZ/BQkFaOUeGz1J6esoiTtHQb2c426iH/1Xr


     

       
4

       

       
-

       
doQnrpveP1g3xAhmcwPSrTFM1ZGmaTXw7OmWJJruPoaUgvJ+mzeYpHlCFcP/jZLZ


     

       
5

       

       
-

       
/DSZklljD1kaefNsZVFrL44P/N9us65RclC9LtWsBy9uHKDR9vpAg+a/BchY1pfd


     

       
6

       

       
-

       
laukKd3V+aZGBucBvXlzYz1vhmV8gAmiTzV8az/QEnXTUSY+9IF3rMFT0ZpppJAA


     

       
7

       

       
-

       
KJ4Rk+iDK/0lIkHUrOdoZneeENt55nvc22eBKAzyF1GrifuBt5/yk9kPS7sv1svV


     

       
8

       

       
-

       
ruNAnJyvBIT7Vnwasv9ZTy7+U/VeFjWaTiSs1DewBPOiLpHw9mmxbmF28oIP6dLz


     

       
9

       

       
-

       
oRo1ZoZHyjF0+kgsMco6d9VgOCqIRLj3ObXvvda8iJQThMZsPjEKmvHt64usxwjT


     

       
10

       

       
-

       
cVaE240zswtjnHfdtC7nxDG2aUHr5oeH6QXH7sAwKwx31zoJX9J7N0nc/ctD40nQ


     

       
11

       

       
-

       
z0oevXgzN0MD5L/X2cjwJ0L2qajJjyJBrAlb5XiaOK38MTwf32cQZnaIej8cDzfE


     

       
12

       

       
-

       
ReXXOmFiXq/Dl8nEKoHDQI3p+4ZOLztXu/5i/TL1HuvF5Riod5hA1oW2ubwHeHxR


     

       
13

       

       
-

       
ApZ7ry5dtbBUxnuTI5zRLQY78BnrqsuJ9ghp2fDzSsc


     

       
14

       

       
-

       
-> ssh-ed25519 KjIL7g SFusm9HUDdCCjjjKwOji+X66SpI2TzEf7p7AthPAWQU


     

       
15

       

       
-

       
11ovCJnXkMlOz/6570chlP62LkBoKx64EkFkcTXKELg


     

       
16

       

       
-

       
--- mufkRbwTo+mBT3hXsyh5Mv7O30CtTtqXtR6EaJ2tZY8


     

       
17

       

       
-

       
BS>���;Q6/<���KGM��m!����*��,Ƥ����KlM"s[Z��>�Nv


     

       
18

       

       
-

       
WQ�kD��$Q> za)2*'�Y_���<

     

       

       
3

       
+

       
cdEH6fTtZbBDJzNHCRdD6/xjHl/CG//VQqF5qIdJ+CVBTYZ8cyaY13fkJG7hKPAR


     

       

       
4

       
+

       
WaMcRKyPwgAA1Dbhc3/K2VwGAZBSibIHhkj+iBOfu46WIRjEGPcz9HrMVMI6MmRf


     

       

       
5

       
+

       
cCOw4VdTWYrUbcOclC9mGy/dimw+hHaTFIuepuDulVsSjC56kYDrhBSg+nmBBY1n


     

       

       
6

       
+

       
7nHiHOznHhjXfao65AuB++1kxqf7RifEq6bDcfgkvaXhUDJrc2kDY78o9qctvfFR


     

       

       
7

       
+

       
6sX77+vt8xxRgTZvWkix14WQRfOvWfXsroFfoSnno0A3KYlkko0JKxwkd/G56efi


     

       

       
8

       
+

       
BA41j5OES3K+NxwdNvHlA73uXs/jumgtI76JXg7KHh2zWDbG6qtA290piKb6hSG8


     

       

       
9

       
+

       
VnWoFJ37SKFNZTOuMjgpwurzzyCscRf4RHGy3/anUd/1yAK8RS35nlOS3QDKECyu


     

       

       
10

       
+

       
Q6FIwcBItvZkzBmoFJKj6seUENZ46Wb6h1AOhaTCljkQyGTqti16Es0CGcyw+iTe


     

       

       
11

       
+

       
OFWj7C6JXIlr/D8PTFK0pR9bVWc+NcJ0EF12kCC7jeqkBZ1BCa/SI3y3RxEGxVBQ


     

       

       
12

       
+

       
qnJpeci/jEi6vUczx669+JU/WT015Ad73CwrILpY6GdvM5B5dLhKoiRTcrmZErLW


     

       

       
13

       
+

       
N3qR1s0e+GDMOD6j6KQ9p5ob4/Iwb4KyFT1ua3pvVeo


     

       

       
14

       
+

       
-> ssh-ed25519 KjIL7g BiO1JiyYp3Ekc5pPeMi8tMNcY+jaUcuDMrLl1r31FTk


     

       

       
15

       
+

       
6ynf4SG+Bg+vaTwiNssmwXUM7L8hIrkhK4OEPBCiyaY


     

       

       
16

       
+

       
--- Didicg7j8DbrYwg+DCCiLrfp92LLa4nim3oPnRESZSw


     

       

       
17

       
+

       
ւ���22�6Y[�"�u<s{�?��ʲ.�� 5�t0!ul5�Q�y�.dܰEz��%7&��CA��Ko�^ YvD�P�