commit 3a9be920188d0b0d2d47b8d335e51bca47687461 · ptr.pet/ark

+8 -10

deploy.nu

···

       104
       104
        
         webhook $hooktitle $"=== deploy for ($hostname): finished ===" 0 true

     

       105
       105
        
       }

     

       106
       106
        
       

     

       107
       107
       -
       def update-input [input: string] {

     

       107
       107
       +
       def update-inputs [inputs: list<string>] {

     

       108
       108
       +
         let inputsText = $inputs | str join ", "

     

       108
       109
        
         let stashed = try {

     

       109
       110
        
           let stash_result = git stash | complete

     

       110
       111
        
           $stash_result.stdout | str contains "Saved working directory"

     

       111
       112
        
         } catch {

     

       112
       113
        
           false

     

       113
       114
        
         }

     

       114
       114
       -
         log info $"trying to update input ($input)"

     

       115
       115
       -
         let result = nix flake update $input | complete

     

       115
       115
       +
         log info $"trying to update inputs ($inputsText)"

     

       116
       116
       +
         let result = nix run .#nvfetcher -- -f $"\(($inputs | str join '|')\)" | complete

     

       116
       117
        
         let is_ok = ($result.stderr | str contains "Updated input")

     

       117
       118
        
         let is_err = ($result.exit_code != 0)

     

       118
       119
        
         if $is_ok or $is_err {

     

       119
       119
       -
           webhook $"/inputs/($input)" $"=== updated input ($input) ===\n\n($result.stderr)" $result.exit_code

     

       120
       120
       +
           webhook $"/inputs" $"=== updated inputs ===\n\n($result.stderr)" $result.exit_code

     

       120
       121
        
         }

     

       121
       122
        
         if $is_ok {

     

       122
       123
        
           # try committing flake updates

     

       123
       124
        
           try {

     

       124
       124
       -
             git add flake.lock

     

       125
       125
       -
             let commit_msg = $"chore\(nix\): update input ($input) [skip ci]"

     

       126
       126
       -
             git commit -m $commit_msg

     

       125
       125
       +
             git add _sources

     

       126
       126
       +
             git commit -m "chore(nix): update inputs [skip ci]"

     

       127
       127
        
             git push

     

       128
       128
        
           }

     

       129
       129
        
         } else {

     
···

       142
       142
        
         webhook "deploy" "=== started deploying all ==="

     

       143
       143
        
       

     

       144
       144
        
         if $only_deploy == false {

     

       145
       145
       -
           ["blog" "limbusart" "nsid-tracker"]

     

       146
       146
       -
             | each {|input| update-input $input}

     

       147
       147
       -
       

     

       145
       145
       +
           update-inputs ["blog" "limbusart" "nsid-tracker"]

     

       148
       146
        
           try {

     

       149
       147
        
             log info "trying to update dns records"

     

       150
       148
        
             nix run ".#dns" -- push

+1 -1

dns/dnsconfig.js

···

       21
       21
        
           A("spindle", WOLUMONDE_IP, CF_PROXY_OFF),

     

       22
       22
        
           A("skeetdeck", WOLUMONDE_IP, CF_PROXY_OFF),

     

       23
       23
        
           A("likes", WOLUMONDE_IP, CF_PROXY_OFF),

     

       24
       24
       -
           A("bird", WOLUMONDE_IP, CF_PROXY_OFF),

     

       24
       24
       +
           A("vpn", WOLUMONDE_IP, CF_PROXY_OFF),

     

       25
       25
        
           A("id", WOLUMONDE_IP, CF_PROXY_OFF),

     

       26
       26
        
           // thing

     

       27
       27
        
           // TXT("id", "a data endpoint for entity with serial id /90008/."),

+1

hosts/wolumonde/default.nix

···

       6
       6
        
       }:

     

       7
       7
        
       {

     

       8
       8
        
         imports = [

     

       9
       9
       +
           ../../users/root

     

       9
       10
        
           "${inputs.agenix}/modules/age.nix"

     

       10
       11
        
           "${inputs.ncr}/firewall"

     

       11
       12
        
           "${inputs.ncr}/firewall/hetzner"

+42

hosts/wolumonde/modules/headscale.nix

···

       1
       1
       +
       {config, ...}: let

     

       2
       2
       +
         rootDomain = "gaze.systems";

     

       3
       3
       +
         domain = "vpn.${rootDomain}";

     

       4
       4
       +
       in {

     

       5
       5
       +
         age.secrets.headscaleOidcSecret = {

     

       6
       6
       +
           file = ../../../secrets/headscaleOidcSecret.age;

     

       7
       7
       +
           mode = "600";

     

       8
       8
       +
           owner = config.services.headscale.user;

     

       9
       9
       +
           group = config.services.headscale.group;

     

       10
       10
       +
         };

     

       11
       11
       +
       

     

       12
       12
       +
         services.headscale = {

     

       13
       13
       +
           enable = true;

     

       14
       14
       +
           address = "0.0.0.0";

     

       15
       15
       +
           port = 1111;

     

       16
       16
       +
           settings = {

     

       17
       17
       +
             server_url = "https://${domain}";

     

       18
       18
       +
             dns = {

     

       19
       19
       +
               base_domain = "lan.${rootDomain}";

     

       20
       20
       +
               nameservers.global = ["1.1.1.1" "1.0.0.1" "9.9.9.9" "149.112.112.112"];

     

       21
       21
       +
             };

     

       22
       22
       +
             oidc = {

     

       23
       23
       +
               issuer = config.services.pocket-id.settings.APP_URL;

     

       24
       24
       +
               client_id = "ba2c2024-f75f-49a2-a156-8593becfba28";

     

       25
       25
       +
               client_secret_path = config.age.secrets.headscaleOidcSecret.path;

     

       26
       26
       +
               pkce.enabled = true;

     

       27
       27
       +
               only_start_if_oidc_is_available = true;

     

       28
       28
       +
             };

     

       29
       29
       +
           };

     

       30
       30
       +
         };

     

       31
       31
       +
       

     

       32
       32
       +
         services.nginx.virtualHosts.${domain} = {

     

       33
       33
       +
           useACMEHost = rootDomain;

     

       34
       34
       +
           forceSSL = true;

     

       35
       35
       +
           quic = true;

     

       36
       36
       +
           kTLS = true;

     

       37
       37
       +
           locations."/" = {

     

       38
       38
       +
             proxyPass = "http://localhost:${toString config.services.headscale.port}";

     

       39
       39
       +
             proxyWebsockets = true;

     

       40
       40
       +
           };

     

       41
       41
       +
         };

     

       42
       42
       +
       }

hosts/wolumonde/modules/netbird-client.nix hosts/wolumonde/modules/netbird-client.disabled

hosts/wolumonde/modules/netbird.nix hosts/wolumonde/modules/netbird.disabled

+3 -2

hosts/wolumonde/modules/nginx.nix

···

       16
       16
        
           statusPage = true;

     

       17
       17
        
         };

     

       18
       18
        
       

     

       19
       19
       -
         networking.firewall.public."http(s)".allowedTCPPorts = [80 443];

     

       19
       19
       +
         networking.firewall.public."http".allowedTCPPorts = [80];

     

       20
       20
       +
         networking.firewall.public."https".allowedTCPPorts = [443];

     

       20
       21
        
       

     

       21
       22
        
         # output json logs so we can consume them more easily

     

       22
       23
        
         services.nginx.appendHttpConfig = ''

     
···

       63
       64
        
               "spindle.gaze.systems"

     

       64
       65
        
               "skeetdeck.gaze.systems"

     

       65
       66
        
               "likes.gaze.systems"

     

       66
       66
       -
               "bird.gaze.systems"

     

       67
       67
        
               "id.gaze.systems"

     

       68
       68
       +
               "vpn.gaze.systems"

     

       68
       69
        
             ];

     

       69
       70
        
           };

     

       70
       71
        
         };

hosts/wolumonde/modules/nsid-tracker.nix hosts/wolumonde/modules/nsid-tracker.disabled

-4

hosts/wolumonde/modules/tailscale.disabled

···

       1
       1
       -
       {

     

       2
       2
       -
         services.tailscale.enable = true;

     

       3
       3
       -
         services.tailscale.extraSetFlags = [ "--advertise-exit-node" ];

     

       4
       4
       -
       }

+17

hosts/wolumonde/modules/tailscale.nix

···

       1
       1
       +
       {config, ...}: {

     

       2
       2
       +
         age.secrets.tailscaleAuthKey.file = ../../../secrets/tailscaleAuthKey.age;

     

       3
       3
       +
       

     

       4
       4
       +
         services.tailscale = {

     

       5
       5
       +
           enable = true;

     

       6
       6
       +
           port = 41641;

     

       7
       7
       +
           extraSetFlags = [ "--advertise-exit-node" ];

     

       8
       8
       +
           extraDaemonFlags = [ "--no-logs-no-support" ];

     

       9
       9
       +
           useRoutingFeatures = "both";

     

       10
       10
       +
           authKeyFile = config.age.secrets.tailscaleAuthKey.path;

     

       11
       11
       +
           openFirewall = true;

     

       12
       12
       +
         };

     

       13
       13
       +
       

     

       14
       14
       +
         networking.firewall.public.tailscale.allowedUDPPorts = [

     

       15
       15
       +
           config.services.tailscale.port

     

       16
       16
       +
         ];

     

       17
       17
       +
       }

-2

hosts/wolumonde/modules/victoria.nix

···

       16
       16
        
           # extraOptions = ["-syslog.listenAddr.udp=:${toString syslogUdp}" "-journald.maxRequestSize=1024000000"];

     

       17
       17
        
         };

     

       18
       18
        
       

     

       19
       19
       -
         networking.firewall.allowedTCPPorts = [metricsPort logsPort];

     

       20
       20
       -
       

     

       21
       19
        
         services.vmalert.instances."" = {

     

       22
       20
        
           enable = true;

     

       23
       21
        
           settings =

+18

secrets/headscaleOidcSecret.age

···

       1
       1
       +
       age-encryption.org/v1

     

       2
       2
       +
       -> ssh-rsa Abmvag

     

       3
       3
       +
       Qh13LIT59dB6mn0FyXVA8+7+kwn0kw9kmQ0MgKG4o6ABTD99SsyTezCZEPfSUg3a

     

       4
       4
       +
       U/pH+UTezBGFAVkYhvB+WP9rJT4zRWMng585JObbGUzCgau6+ImSZOnsjRB0CipK

     

       5
       5
       +
       kYgpLcw+3OVZT2Kj1RAwee3rPbImfm2ubn8U/zEn3fmbxHXBXB9KO+TDWPf78cFT

     

       6
       6
       +
       3rpxkgVl1fxtOb3R+tSupj9J+RsGlrjPzDV4I/4DEuh9amEHTLphLZ/Cn4kwF/1u

     

       7
       7
       +
       UySknhamanR5Aqg1pkx47SCcMSbEfJUjp0VfEMg19Sfdi2FWMhZQ80KvnMr/9okg

     

       8
       8
       +
       sNZw14WeZYixd48cia5ky8P9HOgeLoglJButTjedP8GuPSWx9I4kx5O/TXDj2ZKc

     

       9
       9
       +
       tC2GzhuFYfNloOsx9lNhweDjC6jnBuPyK93MnUrMoeaLgT80X7kdkCdh3NFZccsB

     

       10
       10
       +
       Bz+2ewTIFBER9j80FPubMJc3EhfgKh/rSY6adDtXn7eAiwgt6hyuT3s/6A0qW1ns

     

       11
       11
       +
       LU9SBO0e/Bi0/s17GomsIMldI0sN1qKC6R1Ub4W6V+1EsZfq1YTKvVasI7e8pHBg

     

       12
       12
       +
       dez/ihtiYF6RIhisdZib0wAqVjhYH1mml5MBKacyUY7VaHcl6vfSFe3WeysNor07

     

       13
       13
       +
       jlC1IPTngRsxItMV0wDb9/x9Uf1r+8fC19o3qPMBx8I

     

       14
       14
       +
       -> ssh-ed25519 KjIL7g X9TumeXjPPf+9e3ouaqHowAagQE6tOrDb5pWp8uzyGE

     

       15
       15
       +
       p8Z6ooZw8PZ0UgDbfw2RhfPT4iAnamialMN5Yimtbb8

     

       16
       16
       +
       --- RLloYQEWGgr1lT/H1WwKTYaKTJs+pgCA79oOmZRbNWk

     

       17
       17
       +
       )��@*�Q��fa����,�

     

       18
       18
       +
       [��0�}1�G�X�rT:��t�?�S#��ɻ��

secrets/netbirdClientKey.age

This is a binary file and will not be displayed.

-17

secrets/netbirdCoturnPass.age

···

       1
       1
       -
       age-encryption.org/v1

     

       2
       2
       -
       -> ssh-rsa Abmvag

     

       3
       3
       -
       c5bol6A1rO09nb/JL0cnGAiurTVHodcd1ORtb8HRpNfyy7pmq6KgzjrKZBUy+ziV

     

       4
       4
       -
       6IoTHHGBJUthFvEO7/iMU7dm/ssH76nJl/mMdm8sxwX3dv/3VNVGenj6cHTsC+k6

     

       5
       5
       -
       UymfIhgSTK4Yqqelt6UHCtuud/UB1bIgzh5Ino4YXiT8DyACSLyVa9LlSEzc1qLN

     

       6
       6
       -
       CKHCUy+vPJQ5DiyrLei+J87kIAwxOs6lyJVkbXos+YhsWvhkR+rrkGDJzC3KFzQZ

     

       7
       7
       -
       uStNQGXWQR61i8B6ck4O0yV1bbd3JlecevZti/6TxfW3+nyagDfZReli189dTzSn

     

       8
       8
       -
       Gs86IPgELt06bdagzzPGf7gO1s8wXFvVUS3rX5lE6j5A3ma2Mt7YyouJn5x862c3

     

       9
       9
       -
       N8Kbpx7pJCmgJUz+hiX6DCO1eeIuXIu+KoPGsP82VK3CNpBl2dNyFz40pciLLcY4

     

       10
       10
       -
       ZZSFG2U0hhYA0G78oxNTESh2ouCrNID+X4B4SVQBVa8Ez/7WixZds67VdFry0gRi

     

       11
       11
       -
       vbuXHYYx+HTHGrHmtQfTrNmsxojVqHDUVH8MtK203UbZSNW4tzuQAUNht02lK2Xi

     

       12
       12
       -
       xt+w35rlJoYfYtpd9TPD3lE+azBv9VeRm4wuXbqChESa/QEmI81mf12ZrkAmuuIu

     

       13
       13
       -
       LqgJ/Q1av+OBhL2d+U6ujtQXbo3e/bLkHfmFVQCGDzw

     

       14
       14
       -
       -> ssh-ed25519 KjIL7g BDNhP7CqqoNcPKK9PJfVwcVXEvo/Yfej1g4rz7qeoG0

     

       15
       15
       -
       uIyTLwcTil1yPqZFLCmLgISzWx3fOeRGfTN3RsjS5cw

     

       16
       16
       -
       --- E2EOsQlt8Ge2E06+UCRAGVecikifIWHla+ATMnKYp6g

     

       17
       17
       -
       �Z3�"�ɸ�Z��)9������o�h�;Re]�F�ε�@��t<00�B�
�!�G�ý�\

secrets/netbirdDataStoreEncKey.age

This is a binary file and will not be displayed.

-17

secrets/netbirdTurnSecret.age

···

       1
       1
       -
       age-encryption.org/v1

     

       2
       2
       -
       -> ssh-rsa Abmvag

     

       3
       3
       -
       q1vTZZmWKxT76A80s0OVsZnIUMAVM5Bds6h8zI9ClVGOY4VsdtJiajzeXrC0aQ7S

     

       4
       4
       -
       1Mjsmu8Gn9f8T6EjdZhg5V6c5w+DZidJCj3CuQb5Nj+7/tUJf36tbG1dpcZmvx7r

     

       5
       5
       -
       G2DQg1kk7t6gywW9zjsbdOdB1Pt6NwM8IyexUTjWbJ+dQcOJeOrB1iv9WDVt3Kil

     

       6
       6
       -
       +zp/loYwiH05/lex6e20P8iSpEGCI22utGtG6kG1JbHmOBhIGU0C9EZwZ74Cebt6

     

       7
       7
       -
       /y6NhM5PWQU3roBN2Mz3sYxsuewDSaMeop6LyFbh6ud5sLuX+rI3ISDczgBerxV8

     

       8
       8
       -
       gvBiNQadFEFSgLhSEC6pYfStgQwJOCmI5nBju7aYwg1YwPZ1JtRkP3njg03GLc9+

     

       9
       9
       -
       8Xxc6cRzDEX8MahLtlq5KPlinQjHiJ/H7K+KzXZMe63NnK6QbsNPqT0iZXTfzXxj

     

       10
       10
       -
       NXui4xiybLwqdf00YI6MySD/0HcXgpRfBBP/aQbzYhxI1Vi1r1lSEqWjn5UzwqDn

     

       11
       11
       -
       HfIVk37bCkQGmfI8rkzmhmtEOlKKfcKF3sMx9KH1PBsi4odEEbjmWwikDnHp2ml6

     

       12
       12
       -
       lritjzfSZJLwJt4O8gxwHSNCVBEOhJ3+XxUo8agZz2dRcBhcmgESvSs5Pe8Y7G5k

     

       13
       13
       -
       GMWylL40BW1Xd/hg6SPtd6XVZs1uHabrTPhtpSE7SbA

     

       14
       14
       -
       -> ssh-ed25519 KjIL7g Nk2p0y0gT/8BvZUnv1O/E/oeqbNm1ZrxC0BLUbEdmGs

     

       15
       15
       -
       AGui3gIBK27w6BapWS/aamWb/+J6rgS50+tubatJTQg

     

       16
       16
       -
       --- FS0j9rSESVWuYHpBj/Gixu7bi9pj99DD8kUlc10xrTs

     

       17
       17
       -
       ��{����g�B��*�Q5����=�
�5�����`�����kp倏<g��}�;",<�.(�b =9��Z���/sa�h^�Ѭ;�i�{ԛ5�˂�������sK4��t�Zn�~A%�w�gVk�.w#�;l��Êco�y��

+2 -14

secrets/secrets.nix

···

       54
       54
        
           yusdacra

     

       55
       55
        
           wolumonde

     

       56
       56
        
         ];

     

       57
       57
       -
         "netbirdCoturnPass.age".publicKeys = [

     

       58
       58
       -
           yusdacra

     

       59
       59
       -
           wolumonde

     

       60
       60
       -
         ];

     

       61
       61
       -
         "netbirdDataStoreEncKey.age".publicKeys = [

     

       62
       62
       -
           yusdacra

     

       63
       63
       -
           wolumonde

     

       64
       64
       -
         ];

     

       65
       65
       -
         "netbirdTurnSecret.age".publicKeys = [

     

       57
       57
       +
         "headscaleOidcSecret.age".publicKeys = [

     

       66
       58
        
           yusdacra

     

       67
       59
        
           wolumonde

     

       68
       60
        
         ];

     

       69
       69
       -
         "netbirdClientKey.age".publicKeys = [

     

       61
       61
       +
         "tailscaleAuthKey.age".publicKeys = [

     

       70
       62
        
           yusdacra

     

       71
       63
        
           wolumonde

     

       72
       72
       -
         ];

     

       73
       73
       -
         "develMobiNetbirdClientKey.age".publicKeys = [

     

       74
       74
       -
           yusdacra

     

       75
       75
       -
           develMobi

     

       76
       64
        
         ];

     

       77
       65
        
       }

+18

secrets/tailscaleAuthKey.age

···

       1
       1
       +
       age-encryption.org/v1

     

       2
       2
       +
       -> ssh-rsa Abmvag

     

       3
       3
       +
       NKeTQ1taN613x+apPY0ZIeL5kisXNZ/BQkFaOUeGz1J6esoiTtHQb2c426iH/1Xr

     

       4
       4
       +
       doQnrpveP1g3xAhmcwPSrTFM1ZGmaTXw7OmWJJruPoaUgvJ+mzeYpHlCFcP/jZLZ

     

       5
       5
       +
       /DSZklljD1kaefNsZVFrL44P/N9us65RclC9LtWsBy9uHKDR9vpAg+a/BchY1pfd

     

       6
       6
       +
       laukKd3V+aZGBucBvXlzYz1vhmV8gAmiTzV8az/QEnXTUSY+9IF3rMFT0ZpppJAA

     

       7
       7
       +
       KJ4Rk+iDK/0lIkHUrOdoZneeENt55nvc22eBKAzyF1GrifuBt5/yk9kPS7sv1svV

     

       8
       8
       +
       ruNAnJyvBIT7Vnwasv9ZTy7+U/VeFjWaTiSs1DewBPOiLpHw9mmxbmF28oIP6dLz

     

       9
       9
       +
       oRo1ZoZHyjF0+kgsMco6d9VgOCqIRLj3ObXvvda8iJQThMZsPjEKmvHt64usxwjT

     

       10
       10
       +
       cVaE240zswtjnHfdtC7nxDG2aUHr5oeH6QXH7sAwKwx31zoJX9J7N0nc/ctD40nQ

     

       11
       11
       +
       z0oevXgzN0MD5L/X2cjwJ0L2qajJjyJBrAlb5XiaOK38MTwf32cQZnaIej8cDzfE

     

       12
       12
       +
       ReXXOmFiXq/Dl8nEKoHDQI3p+4ZOLztXu/5i/TL1HuvF5Riod5hA1oW2ubwHeHxR

     

       13
       13
       +
       ApZ7ry5dtbBUxnuTI5zRLQY78BnrqsuJ9ghp2fDzSsc

     

       14
       14
       +
       -> ssh-ed25519 KjIL7g SFusm9HUDdCCjjjKwOji+X66SpI2TzEf7p7AthPAWQU

     

       15
       15
       +
       11ovCJnXkMlOz/6570chlP62LkBoKx64EkFkcTXKELg

     

       16
       16
       +
       --- mufkRbwTo+mBT3hXsyh5Mv7O30CtTtqXtR6EaJ2tZY8

     

       17
       17
       +
       BS>���;Q6/<���KGM��m!����*��,Ƥ����KlM"s[Z��>�Nv

     

       18
       18
       +
       WQ�kD��$Q> za)2*'�Y_���<