commit dac65b942f6b7807ed5affac1fa4a8d106d239d7 · ptr.pet/ark

-1

hosts/dzwonek/default.nix

···

       16
       16
        
         ]

     

       17
       17
        
         ++ (tlib.importFolder (toString ./modules));

     

       18
       18
        
       

     

       19
       19
       -
       

     

       20
       19
        
         environment.systemPackages = [

     

       21
       20
        
           pkgs.curl

     

       22
       21
        
           pkgs.gitMinimal

+1 -1

hosts/dzwonek/disk-config.nix

+17 -5

hosts/dzwonek/modules/hardware-configuration.nix

···

       1
       1
        
       # Do not modify this file!  It was generated by ‘nixos-generate-config’

     

       2
       2
        
       # and may be overwritten by future invocations.  Please make changes

     

       3
       3
        
       # to /etc/nixos/configuration.nix instead.

     

       4
       4
       -
       { config, lib, pkgs, modulesPath, ... }:

     

       4
       4
       +
       {

     

       5
       5
       +
         config,

     

       6
       6
       +
         lib,

     

       7
       7
       +
         pkgs,

     

       8
       8
       +
         modulesPath,

     

       9
       9
       +
         ...

     

       10
       10
       +
       }:

     

       5
       11
        
       

     

       6
       12
        
       {

     

       7
       7
       -
         imports =

     

       8
       8
       -
           [ (modulesPath + "/profiles/qemu-guest.nix")

     

       9
       9
       -
           ];

     

       13
       13
       +
         imports = [

     

       14
       14
       +
           (modulesPath + "/profiles/qemu-guest.nix")

     

       15
       15
       +
         ];

     

       10
       16
        
       

     

       11
       11
       -
         boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];

     

       17
       17
       +
         boot.initrd.availableKernelModules = [

     

       18
       18
       +
           "ata_piix"

     

       19
       19
       +
           "uhci_hcd"

     

       20
       20
       +
           "virtio_pci"

     

       21
       21
       +
           "sr_mod"

     

       22
       22
       +
           "virtio_blk"

     

       23
       23
       +
         ];

     

       12
       24
        
         boot.initrd.kernelModules = [ ];

     

       13
       25
        
         boot.kernelModules = [ ];

     

       14
       26
        
         boot.extraModulePackages = [ ];

+30 -25

hosts/dzwonek/modules/headscale.nix/acl.nix

···

       1
       1
       -
       {config, lib, ...}: let

     

       1
       1
       +
       { config, lib, ... }:

     

       2
       2
       +
       let

     

       2
       3
        
         l = lib // builtins;

     

       3
       4
        
         t = l.types;

     

       4
       5
        
       

     
···

       10
       11
        
               default = "accept";

     

       11
       12
        
             };

     

       12
       13
        
             proto = l.mkOption {

     

       13
       13
       -
               type = t.nullOr (t.enum ["tcp" "udp"]);

     

       14
       14
       +
               type = t.nullOr (

     

       15
       15
       +
                 t.enum [

     

       16
       16
       +
                   "tcp"

     

       17
       17
       +
                   "udp"

     

       18
       18
       +
                 ]

     

       19
       19
       +
               );

     

       14
       20
        
               default = null;

     

       15
       21
        
             };

     

       16
       22
        
             src = l.mkOption {

     
···

       21
       27
        
             };

     

       22
       28
        
           };

     

       23
       29
        
         };

     

       24
       24
       -
       in {

     

       30
       30
       +
       in

     

       31
       31
       +
       {

     

       25
       32
        
         options = {

     

       26
       33
        
           services.headscale.acl = {

     

       27
       34
        
             groups = l.mkOption {

     

       28
       35
        
               type = t.attrsOf (t.listOf t.str);

     

       29
       29
       -
               default = [];

     

       36
       36
       +
               default = [ ];

     

       30
       37
        
             };

     

       31
       38
        
             tagOwners = l.mkOption {

     

       32
       39
        
               type = t.attrsOf (t.listOf t.str);

     

       33
       33
       -
               default = [];

     

       40
       40
       +
               default = [ ];

     

       34
       41
        
             };

     

       35
       42
        
             hosts = l.mkOption {

     

       36
       43
        
               type = t.attrsOf t.str;

     

       37
       37
       -
               default = [];

     

       44
       44
       +
               default = [ ];

     

       38
       45
        
             };

     

       39
       46
        
             rules = l.mkOption {

     

       40
       47
        
               type = t.listOf ruleType;

     

       41
       41
       -
               default = [];

     

       48
       48
       +
               default = [ ];

     

       42
       49
        
             };

     

       43
       50
        
           };

     

       44
       51
        
         };

     

       45
       52
        
       

     

       46
       46
       -
         config = let

     

       47
       47
       -
           generated = l.toFile "policy.hujson" (l.toJSON {

     

       48
       48
       -
             groups = l.mapAttrs' (k: v: l.nameValuePair "group:${k}" v) cfg.groups;

     

       49
       49
       -
             tagOwners = l.mapAttrs' (k: v: l.nameValuePair "tag:${k}" v) cfg.tagOwners;

     

       50
       50
       -
             hosts = cfg.hosts;

     

       51
       51
       -
             acls = l.map

     

       52
       52
       -
               (rule:

     

       53
       53
       -
                 if rule.proto == null

     

       54
       54
       -
                 then l.removeAttrs rule ["proto"]

     

       55
       55
       -
                 else rule

     

       56
       56
       -
               )

     

       57
       57
       -
               cfg.rules;

     

       58
       58
       -
           });

     

       59
       59
       -
         in {

     

       60
       60
       -
           services.headscale.settings.policy = {

     

       61
       61
       -
             mode = "file";

     

       62
       62
       -
             path = generated;

     

       53
       53
       +
         config =

     

       54
       54
       +
           let

     

       55
       55
       +
             generated = l.toFile "policy.hujson" (

     

       56
       56
       +
               l.toJSON {

     

       57
       57
       +
                 groups = l.mapAttrs' (k: v: l.nameValuePair "group:${k}" v) cfg.groups;

     

       58
       58
       +
                 tagOwners = l.mapAttrs' (k: v: l.nameValuePair "tag:${k}" v) cfg.tagOwners;

     

       59
       59
       +
                 hosts = cfg.hosts;

     

       60
       60
       +
                 acls = l.map (rule: if rule.proto == null then l.removeAttrs rule [ "proto" ] else rule) cfg.rules;

     

       61
       61
       +
               }

     

       62
       62
       +
             );

     

       63
       63
       +
           in

     

       64
       64
       +
           {

     

       65
       65
       +
             services.headscale.settings.policy = {

     

       66
       66
       +
               mode = "file";

     

       67
       67
       +
               path = generated;

     

       68
       68
       +
             };

     

       63
       69
        
           };

     

       64
       64
       -
         };

     

       65
       70
        
       }

+22 -17

hosts/dzwonek/modules/headscale.nix/default.nix

···

       4
       4
        
         domain = "vpn.${rootDomain}";

     

       5
       5
        
       in

     

       6
       6
        
       {

     

       7
       7
       -
         imports = [./acl.nix];

     

       7
       7
       +
         imports = [ ./acl.nix ];

     

       8
       8
        
       

     

       9
       9
        
         age.secrets.headscaleOidcSecret = {

     

       10
       10
        
           file = ../../../../secrets/headscaleOidcSecret.age;

     
···

       18
       18
        
           address = "0.0.0.0";

     

       19
       19
        
           port = 1111;

     

       20
       20
        
           acl = {

     

       21
       21
       -
             groups.admin = ["90008@gaze.systems"];

     

       21
       21
       +
             groups.admin = [ "90008@gaze.systems" ];

     

       22
       22
        
             tagOwners = {

     

       23
       23
       -
               private-infra = ["group:admin"];

     

       24
       24
       -
               other-infra = ["group:admin"];

     

       23
       23
       +
               private-infra = [ "group:admin" ];

     

       24
       24
       +
               other-infra = [ "group:admin" ];

     

       25
       25
        
             };

     

       26
       26
        
             hosts = {

     

       27
       27
        
               chernobog = "100.64.0.9";

     
···

       30
       30
        
             };

     

       31
       31
        
             rules = lib.mkBefore [

     

       32
       32
        
               {

     

       33
       33
       -
                 src = ["group:admin"];

     

       34
       34
       -
                 dst = ["tag:private-infra:*" "tag:other-infra:*"];

     

       33
       33
       +
                 src = [ "group:admin" ];

     

       34
       34
       +
                 dst = [

     

       35
       35
       +
                   "tag:private-infra:*"

     

       36
       36
       +
                   "tag:other-infra:*"

     

       37
       37
       +
                 ];

     

       35
       38
        
               }

     

       36
       39
        
               {

     

       37
       37
       -
                 src = ["tag:private-infra"];

     

       38
       38
       -
                 dst = ["tag:other-infra:*"];

     

       40
       40
       +
                 src = [ "tag:private-infra" ];

     

       41
       41
       +
                 dst = [ "tag:other-infra:*" ];

     

       39
       42
        
               }

     

       40
       43
        
               {

     

       41
       41
       -
                 src = ["wolumonde"];

     

       42
       42
       -
                 dst = ["chernobog:*"];

     

       44
       44
       +
                 src = [ "wolumonde" ];

     

       45
       45
       +
                 dst = [ "chernobog:*" ];

     

       43
       46
        
               }

     

       44
       47
        
               {

     

       45
       45
       -
                 src = ["90008@gaze.systems"];

     

       46
       46
       -
                 dst = ["90008@gaze.systems:*"];

     

       48
       48
       +
                 src = [ "90008@gaze.systems" ];

     

       49
       49
       +
                 dst = [ "90008@gaze.systems:*" ];

     

       47
       50
        
               }

     

       48
       51
        
               {

     

       49
       49
       -
                 src = ["90008@gaze.systems" "tag:private-infra"];

     

       50
       50
       -
                 dst = ["autogroup:internet:*"];

     

       52
       52
       +
                 src = [

     

       53
       53
       +
                   "90008@gaze.systems"

     

       54
       54
       +
                   "tag:private-infra"

     

       55
       55
       +
                 ];

     

       56
       56
       +
                 dst = [ "autogroup:internet:*" ];

     

       51
       57
        
               }

     

       52
       58
        
               {

     

       53
       53
       -
                 src = ["ellite@ellite.dev"];

     

       54
       54
       -
                 dst = ["chernobog:8463"];

     

       59
       59
       +
                 src = [ "ellite@ellite.dev" ];

     

       60
       60
       +
                 dst = [ "chernobog:8463" ];

     

       55
       61
        
               }

     

       56
       62
        
             ];

     

       57
       63
        
           };

     
···

       76
       82
        
           };

     

       77
       83
        
         };

     

       78
       84
        
       

     

       79
       79
       -
         

     

       80
       85
        
         # security.acme.certs.${rootDomain}.extraDomainNames = [domain];

     

       81
       86
        
         services.nginx.virtualHosts.${domain} = {

     

       82
       87
        
           useACMEHost = domain;

+4 -1

hosts/dzwonek/modules/nginx.nix

···

       16
       16
        
           statusPage = true;

     

       17
       17
        
         };

     

       18
       18
        
       

     

       19
       19
       -
         networking.firewall.allowedTCPPorts = [ 80 443 ];

     

       19
       19
       +
         networking.firewall.allowedTCPPorts = [

     

       20
       20
       +
           80

     

       21
       21
       +
           443

     

       22
       22
       +
         ];

     

       20
       23
        
       

     

       21
       24
        
         # output json logs so we can consume them more easily

     

       22
       25
        
         services.nginx.appendHttpConfig = ''

+4 -3

hosts/dzwonek/modules/tailscale.nix

···

       1
       1
       -
       {config, ...}: {

     

       2
       2
       -
         imports = [../../../modules/network/tailscale.nix];

     

       3
       3
       -
         

     

       1
       1
       +
       { config, ... }:

     

       2
       2
       +
       {

     

       3
       3
       +
         imports = [ ../../../modules/network/tailscale.nix ];

     

       4
       4
       +
       

     

       4
       5
        
         # age.secrets.tailscaleAuthKey.file = ../../../secrets/tailscaleAuthKey.age;

     

       5
       6
        
         # services.tailscale.authKeyFile = config.age.secrets.tailscaleAuthKey.path;

     

       6
       7
        
       }

+1 -1

hosts/volsinii/disk-config.nix

+17 -6

hosts/volsinii/modules/hardware-configuration.nix

···

       1
       1
        
       # Do not modify this file!  It was generated by ‘nixos-generate-config’

     

       2
       2
        
       # and may be overwritten by future invocations.  Please make changes

     

       3
       3
        
       # to /etc/nixos/configuration.nix instead.

     

       4
       4
       -
       { config, lib, pkgs, modulesPath, ... }:

     

       4
       4
       +
       {

     

       5
       5
       +
         config,

     

       6
       6
       +
         lib,

     

       7
       7
       +
         pkgs,

     

       8
       8
       +
         modulesPath,

     

       9
       9
       +
         ...

     

       10
       10
       +
       }:

     

       5
       11
        
       

     

       6
       12
        
       {

     

       7
       13
        
         imports = [ ];

     

       8
       14
        
       

     

       9
       9
       -
         boot.initrd.availableKernelModules = [ "ata_piix" "sr_mod" "xen_blkfront" ];

     

       15
       15
       +
         boot.initrd.availableKernelModules = [

     

       16
       16
       +
           "ata_piix"

     

       17
       17
       +
           "sr_mod"

     

       18
       18
       +
           "xen_blkfront"

     

       19
       19
       +
         ];

     

       10
       20
        
         boot.initrd.kernelModules = [ ];

     

       11
       21
        
         boot.kernelModules = [ ];

     

       12
       22
        
         boot.extraModulePackages = [ ];

     
···

       16
       26
        
         systemd.network.enable = true;

     

       17
       27
        
         systemd.network.wait-online.enable = false;

     

       18
       28
        
         systemd.network.networks."enX0" = {

     

       19
       19
       -
           matchConfig = { Name = "enX0"; };

     

       20
       20
       -
           address = ["199.71.188.53/29"];

     

       21
       21
       -
           gateway = ["199.71.188.49"];

     

       29
       29
       +
           matchConfig = {

     

       30
       30
       +
             Name = "enX0";

     

       31
       31
       +
           };

     

       32
       32
       +
           address = [ "199.71.188.53/29" ];

     

       33
       33
       +
           gateway = [ "199.71.188.49" ];

     

       22
       34
        
         };

     

       23
       23
       -
       

     

       24
       35
        
       

     

       25
       36
        
         nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";

     

       26
       37
        
       }

+4 -3

hosts/volsinii/modules/tailscale.nix

···

       1
       1
       -
       {config, ...}: {

     

       2
       2
       -
         imports = [../../../modules/network/tailscale.nix];

     

       3
       3
       -
         

     

       1
       1
       +
       { config, ... }:

     

       2
       2
       +
       {

     

       3
       3
       +
         imports = [ ../../../modules/network/tailscale.nix ];

     

       4
       4
       +
       

     

       4
       5
        
         # age.secrets.tailscaleAuthKey.file = ../../../secrets/tailscaleAuthKey.age;

     

       5
       6
        
         # services.tailscale.authKeyFile = config.age.secrets.tailscaleAuthKey.path;

     

       6
       7
        
       }

+15 -10

hosts/wolumonde/modules/atproto.nix

···

       17
       17
        
             }) files

     

       18
       18
        
           );

     

       19
       19
        
         };

     

       20
       20
       -
         mkHandleCfg = rootDomain: did: (mkWellKnownCfg {

     

       21
       21
       -
           "atproto-did" = pkgs.writeText "server" did;

     

       22
       22
       -
         })

     

       23
       23
       -
         // {

     

       24
       24
       -
           useACMEHost = rootDomain;

     

       25
       25
       -
           forceSSL = true;

     

       26
       26
       -
           quic = true;

     

       27
       27
       -
           kTLS = true;

     

       28
       28
       -
         };

     

       20
       20
       +
         mkHandleCfg =

     

       21
       21
       +
           rootDomain: did:

     

       22
       22
       +
           (mkWellKnownCfg {

     

       23
       23
       +
             "atproto-did" = pkgs.writeText "server" did;

     

       24
       24
       +
           })

     

       25
       25
       +
           // {

     

       26
       26
       +
             useACMEHost = rootDomain;

     

       27
       27
       +
             forceSSL = true;

     

       28
       28
       +
             quic = true;

     

       29
       29
       +
             kTLS = true;

     

       30
       30
       +
           };

     

       29
       31
        
         mkDidWebCfg = domain: {

     

       30
       32
        
           "${domain}" =

     

       31
       33
        
             (mkWellKnownCfg {

     
···

       44
       46
        
       in

     

       45
       47
        
       {

     

       46
       48
        
         security.acme.certs."gaze.systems".extraDomainNames = [

     

       47
       47
       -
           dawnDid guestbookDid "drew.gaze.systems" "test.gaze.systems"

     

       49
       49
       +
           dawnDid

     

       50
       50
       +
           guestbookDid

     

       51
       51
       +
           "drew.gaze.systems"

     

       52
       52
       +
           "test.gaze.systems"

     

       48
       53
        
         ];

     

       49
       54
        
         services.nginx.virtualHosts = {

     

       50
       55
        
           "test.gaze.systems" = mkHandleCfg "gaze.systems" "did:web:dawn.gaze.systems";

+4 -2

hosts/wolumonde/modules/clickee-proxy.nix

···

       1
       1
       -
       {config, terra, ...}: let

     

       1
       1
       +
       { config, terra, ... }:

     

       2
       2
       +
       let

     

       2
       3
        
         port = 7145;

     

       3
       3
       -
       in {

     

       4
       4
       +
       in

     

       5
       5
       +
       {

     

       4
       6
        
         age.secrets.clickeeProxyConfig = {

     

       5
       7
        
           file = ../../../secrets/clickeeProxyConfig.age;

     

       6
       8
        
         };

+59 -56

hosts/wolumonde/modules/email.nix

···

       1
       1
       -
       {pkgs, ...}: {

     

       2
       2
       -
           security.acme.certs."ptr.pet".extraDomainNames = [

     

       3
       3
       -
             "mta-sts.ptr.pet"

     

       4
       4
       -
             "autoconfig.ptr.pet"

     

       5
       5
       -
             "autodiscover.ptr.pet"

     

       6
       6
       -
             "test.ptr.pet"

     

       7
       7
       -
           ];

     

       8
       8
       -
           services.nginx.virtualHosts."test.ptr.pet" = {

     

       9
       9
       -
               useACMEHost = "ptr.pet";

     

       10
       10
       -
               quic = true;

     

       11
       11
       -
               kTLS = true;

     

       12
       12
       -
               forceSSL = true;

     

       1
       1
       +
       { pkgs, ... }:

     

       2
       2
       +
       {

     

       3
       3
       +
         security.acme.certs."ptr.pet".extraDomainNames = [

     

       4
       4
       +
           "mta-sts.ptr.pet"

     

       5
       5
       +
           "autoconfig.ptr.pet"

     

       6
       6
       +
           "autodiscover.ptr.pet"

     

       7
       7
       +
           "test.ptr.pet"

     

       8
       8
       +
         ];

     

       9
       9
       +
         services.nginx.virtualHosts."test.ptr.pet" = {

     

       10
       10
       +
           useACMEHost = "ptr.pet";

     

       11
       11
       +
           quic = true;

     

       12
       12
       +
           kTLS = true;

     

       13
       13
       +
           forceSSL = true;

     

       14
       14
       +
         };

     

       15
       15
       +
         services.nginx.virtualHosts."ptr.pet" = {

     

       16
       16
       +
           useACMEHost = "ptr.pet";

     

       17
       17
       +
           quic = true;

     

       18
       18
       +
           kTLS = true;

     

       19
       19
       +
           forceSSL = true;

     

       20
       20
       +
           locations."/mail/config-v1.1.xml" = {

     

       21
       21
       +
             return = "301 https://autoconfig.migadu.com/mail/config-v1.1.xml";

     

       13
       22
        
           };

     

       14
       14
       -
           services.nginx.virtualHosts."ptr.pet" = {

     

       15
       15
       -
               useACMEHost = "ptr.pet";

     

       16
       16
       -
               quic = true;

     

       17
       17
       -
               kTLS = true;

     

       18
       18
       -
               forceSSL = true;

     

       19
       19
       -
               locations."/mail/config-v1.1.xml" = {

     

       20
       20
       -
                   return = "301 https://autoconfig.migadu.com/mail/config-v1.1.xml";

     

       21
       21
       -
               };

     

       22
       22
       -
               locations."/Autodiscover/Autodiscover.xml" = {

     

       23
       23
       -
                   return = "301 https://autodiscover.migadu.com/Autodiscover/Autodiscover.xml";

     

       24
       24
       -
               };

     

       23
       23
       +
           locations."/Autodiscover/Autodiscover.xml" = {

     

       24
       24
       +
             return = "301 https://autodiscover.migadu.com/Autodiscover/Autodiscover.xml";

     

       25
       25
        
           };

     

       26
       26
       -
           services.nginx.virtualHosts."mta-sts.ptr.pet" = let

     

       27
       27
       -
               file = pkgs.writeText "mta-sts.txt" ''

     

       28
       28
       -
                   version: STSv1

     

       29
       29
       -
                   mode: enforce

     

       30
       30
       -
                   mx: aspmx1.migadu.com

     

       31
       31
       -
                   mx: aspmx2.migadu.com

     

       32
       32
       -
                   max_age: 31557600

     

       33
       33
       -
               '';

     

       34
       34
       -
           in {

     

       35
       35
       -
               useACMEHost = "ptr.pet";

     

       36
       36
       -
               quic = true;

     

       37
       37
       -
               kTLS = true;

     

       38
       38
       -
               forceSSL = true;

     

       39
       39
       -
               locations."=/.well-known/mta-sts.txt".extraConfig = ''

     

       40
       40
       -
                   alias ${file};

     

       41
       41
       -
                   default_type text/plain;

     

       42
       42
       -
               '';

     

       26
       26
       +
         };

     

       27
       27
       +
         services.nginx.virtualHosts."mta-sts.ptr.pet" =

     

       28
       28
       +
           let

     

       29
       29
       +
             file = pkgs.writeText "mta-sts.txt" ''

     

       30
       30
       +
               version: STSv1

     

       31
       31
       +
               mode: enforce

     

       32
       32
       +
               mx: aspmx1.migadu.com

     

       33
       33
       +
               mx: aspmx2.migadu.com

     

       34
       34
       +
               max_age: 31557600

     

       35
       35
       +
             '';

     

       36
       36
       +
           in

     

       37
       37
       +
           {

     

       38
       38
       +
             useACMEHost = "ptr.pet";

     

       39
       39
       +
             quic = true;

     

       40
       40
       +
             kTLS = true;

     

       41
       41
       +
             forceSSL = true;

     

       42
       42
       +
             locations."=/.well-known/mta-sts.txt".extraConfig = ''

     

       43
       43
       +
               alias ${file};

     

       44
       44
       +
               default_type text/plain;

     

       45
       45
       +
             '';

     

       43
       46
        
           };

     

       44
       44
       -
           services.nginx.virtualHosts."autoconfig.ptr.pet" = {

     

       45
       45
       -
               useACMEHost = "ptr.pet";

     

       46
       46
       -
               quic = true;

     

       47
       47
       -
               kTLS = true;

     

       48
       48
       -
               forceSSL = true;

     

       49
       49
       -
               locations."/" = {

     

       50
       50
       -
                   return = "301 https://autoconfig.migadu.com$request_uri";

     

       51
       51
       -
               };

     

       47
       47
       +
         services.nginx.virtualHosts."autoconfig.ptr.pet" = {

     

       48
       48
       +
           useACMEHost = "ptr.pet";

     

       49
       49
       +
           quic = true;

     

       50
       50
       +
           kTLS = true;

     

       51
       51
       +
           forceSSL = true;

     

       52
       52
       +
           locations."/" = {

     

       53
       53
       +
             return = "301 https://autoconfig.migadu.com$request_uri";

     

       52
       54
        
           };

     

       53
       53
       -
           services.nginx.virtualHosts."autodiscover.ptr.pet" = {

     

       54
       54
       -
               useACMEHost = "ptr.pet";

     

       55
       55
       -
               quic = true;

     

       56
       56
       -
               kTLS = true;

     

       57
       57
       -
               forceSSL = true;

     

       58
       58
       -
               locations."/" = {

     

       59
       59
       -
                   return = "301 https://autodiscover.migadu.com$request_uri";

     

       60
       60
       -
               };

     

       55
       55
       +
         };

     

       56
       56
       +
         services.nginx.virtualHosts."autodiscover.ptr.pet" = {

     

       57
       57
       +
           useACMEHost = "ptr.pet";

     

       58
       58
       +
           quic = true;

     

       59
       59
       +
           kTLS = true;

     

       60
       60
       +
           forceSSL = true;

     

       61
       61
       +
           locations."/" = {

     

       62
       62
       +
             return = "301 https://autodiscover.migadu.com$request_uri";

     

       61
       63
        
           };

     

       64
       64
       +
         };

     

       62
       65
        
       }

+1 -1

hosts/wolumonde/modules/forgejo.nix/default.nix

···

       54
       54
        
             "public"

     

       55
       55
        
           ];

     

       56
       56
        
       

     

       57
       57
       -
         security.acme.certs."gaze.systems".extraDomainNames = [forgejoCfg.server.DOMAIN];

     

       57
       57
       +
         security.acme.certs."gaze.systems".extraDomainNames = [ forgejoCfg.server.DOMAIN ];

     

       58
       58
        
         services.nginx.virtualHosts.${forgejoCfg.server.DOMAIN} = {

     

       59
       59
        
           useACMEHost = "gaze.systems";

     

       60
       60
        
           forceSSL = true;

+4 -4

hosts/wolumonde/modules/hedgedoc.nix

···

       1
       1
       -
       { config, ... }: let

     

       1
       1
       +
       { config, ... }:

     

       2
       2
       +
       let

     

       2
       3
        
         cfg = config.services.hedgedoc.settings;

     

       3
       4
        
       in

     

       4
       5
        
       {

     
···

       16
       17
        
           };

     

       17
       18
        
         };

     

       18
       19
        
       

     

       19
       19
       -
         security.acme.certs."gaze.systems".extraDomainNames = [cfg.domain];

     

       20
       20
       +
         security.acme.certs."gaze.systems".extraDomainNames = [ cfg.domain ];

     

       20
       21
        
         services.nginx.virtualHosts.${cfg.domain} = {

     

       21
       22
        
           useACMEHost = "gaze.systems";

     

       22
       23
        
           forceSSL = true;

     

       23
       24
        
           quic = true;

     

       24
       25
        
           kTLS = true;

     

       25
       25
       -
           locations."/".proxyPass =

     

       26
       26
       -
             "http://${cfg.host}:${toString cfg.port}";

     

       26
       26
       +
           locations."/".proxyPass = "http://${cfg.host}:${toString cfg.port}";

     

       27
       27
        
         };

     

       28
       28
        
       }

+5 -3

hosts/wolumonde/modules/openbao.disabled/default.nix

···

       1
       1
       -
       {lib, config, ...}: let

     

       1
       1
       +
       { lib, config, ... }:

     

       2
       2
       +
       let

     

       2
       3
        
         port = 5394;

     

       3
       4
        
         domain = "bao.${config.services.headscale.settings.dns.base_domain}";

     

       4
       5
        
         cfg = config.services.openbao.settings;

     

       5
       6
        
         apiAddress = "127.0.0.1:${toString port}";

     

       6
       6
       -
       in {

     

       7
       7
       -
         imports = [./spindle-proxy];

     

       7
       7
       +
       in

     

       8
       8
       +
       {

     

       9
       9
       +
         imports = [ ./spindle-proxy ];

     

       8
       10
        
       

     

       9
       11
        
         services.openbao = {

     

       10
       12
        
           enable = true;

+48 -35

hosts/wolumonde/modules/openbao.disabled/spindle-proxy/default.nix

···

       1
       1
       -
       { config, lib, pkgs, ... }:

     

       1
       1
       +
       {

     

       2
       2
       +
         config,

     

       3
       3
       +
         lib,

     

       4
       4
       +
         pkgs,

     

       5
       5
       +
         ...

     

       6
       6
       +
       }:

     

       2
       7
        
       let

     

       3
       8
        
         port = 8945;

     

       4
       9
        
         secrets = config.age.secrets;

     

       5
       10
        
         cfgFile = pkgs.writeText "openbao-proxy-spindle-config.hcl" (

     

       6
       11
        
           lib.replaceStrings

     

       7
       7
       -
           [

     

       8
       8
       -
             "%role_id%"

     

       9
       9
       -
             "%secret_id%"

     

       10
       10
       -
             "%vault_address%"

     

       11
       11
       -
             "%listener_port%"

     

       12
       12
       -
             "%name%"

     

       13
       13
       -
           ]

     

       14
       14
       -
           [

     

       15
       15
       -
             secrets.spindleOpenbaoRoleId.path

     

       16
       16
       -
             secrets.spindleOpenbaoSecretId.path

     

       17
       17
       -
             config.services.openbao.settings.api_addr

     

       18
       18
       -
             (toString port)

     

       19
       19
       -
             name

     

       20
       20
       -
           ]

     

       21
       21
       -
           (lib.fileContents ./config.hcl)

     

       12
       12
       +
             [

     

       13
       13
       +
               "%role_id%"

     

       14
       14
       +
               "%secret_id%"

     

       15
       15
       +
               "%vault_address%"

     

       16
       16
       +
               "%listener_port%"

     

       17
       17
       +
               "%name%"

     

       18
       18
       +
             ]

     

       19
       19
       +
             [

     

       20
       20
       +
               secrets.spindleOpenbaoRoleId.path

     

       21
       21
       +
               secrets.spindleOpenbaoSecretId.path

     

       22
       22
       +
               config.services.openbao.settings.api_addr

     

       23
       23
       +
               (toString port)

     

       24
       24
       +
               name

     

       25
       25
       +
             ]

     

       26
       26
       +
             (lib.fileContents ./config.hcl)

     

       22
       27
        
         );

     

       23
       28
        
         domain = "spindle.bao.lan.gaze.systems";

     

       24
       29
        
         name = "openbao-proxy-spindle";

     
···

       42
       47
        
           group = name;

     

       43
       48
        
         };

     

       44
       49
        
         users.groups.${name} = {

     

       45
       45
       -
           members = [name];

     

       50
       50
       +
           members = [ name ];

     

       46
       51
        
         };

     

       47
       52
        
       

     

       48
       53
        
         systemd.services.${name} = {

     
···

       58
       63
        
             LimitNOFILE = "65536";

     

       59
       64
        
             User = name;

     

       60
       65
        
             Group = name;

     

       61
       61
       -
             RuntimeDirectory=name;

     

       62
       62
       -
             RuntimeDirectoryMode=0700;

     

       63
       63
       -
             StateDirectory=name;

     

       64
       64
       -
             StateDirectoryMode=0700;

     

       65
       65
       -
             ProcSubset="pid";

     

       66
       66
       -
             ProtectClock=true;

     

       67
       67
       -
             ProtectControlGroups=true;

     

       68
       68
       -
             ProtectHome=true;

     

       69
       69
       -
             ProtectHostname=true;

     

       70
       70
       -
             ProtectKernelLogs=true;

     

       71
       71
       -
             ProtectKernelModules=true;

     

       72
       72
       -
             ProtectKernelTunables=true;

     

       73
       73
       -
             ProtectProc="invisible";

     

       74
       74
       -
             RestrictNamespaces=true;

     

       75
       75
       -
             RestrictRealtime=true;

     

       76
       76
       -
             RestrictAddressFamilies=["AF_INET" "AF_INET6" "AF_UNIX"];

     

       77
       77
       -
             SystemCallArchitectures="native";

     

       78
       78
       -
             SystemCallFilter=["@system-service" "@resources" "~@privileged"];

     

       66
       66
       +
             RuntimeDirectory = name;

     

       67
       67
       +
             RuntimeDirectoryMode = 0700;

     

       68
       68
       +
             StateDirectory = name;

     

       69
       69
       +
             StateDirectoryMode = 0700;

     

       70
       70
       +
             ProcSubset = "pid";

     

       71
       71
       +
             ProtectClock = true;

     

       72
       72
       +
             ProtectControlGroups = true;

     

       73
       73
       +
             ProtectHome = true;

     

       74
       74
       +
             ProtectHostname = true;

     

       75
       75
       +
             ProtectKernelLogs = true;

     

       76
       76
       +
             ProtectKernelModules = true;

     

       77
       77
       +
             ProtectKernelTunables = true;

     

       78
       78
       +
             ProtectProc = "invisible";

     

       79
       79
       +
             RestrictNamespaces = true;

     

       80
       80
       +
             RestrictRealtime = true;

     

       81
       81
       +
             RestrictAddressFamilies = [

     

       82
       82
       +
               "AF_INET"

     

       83
       83
       +
               "AF_INET6"

     

       84
       84
       +
               "AF_UNIX"

     

       85
       85
       +
             ];

     

       86
       86
       +
             SystemCallArchitectures = "native";

     

       87
       87
       +
             SystemCallFilter = [

     

       88
       88
       +
               "@system-service"

     

       89
       89
       +
               "@resources"

     

       90
       90
       +
               "~@privileged"

     

       91
       91
       +
             ];

     

       79
       92
        
           };

     

       80
       93
        
         };

     

       81
       94

+6 -3

hosts/wolumonde/modules/perses.nix/default.nix

···

       66
       66
        
       

     

       67
       67
        
         systemd.services.perses = {

     

       68
       68
        
           description = "perses";

     

       69
       69
       -
           after = ["network.target" "pocket-id.service"];

     

       70
       70
       -
           requires = ["pocket-id.service"];

     

       69
       69
       +
           after = [

     

       70
       70
       +
             "network.target"

     

       71
       71
       +
             "pocket-id.service"

     

       72
       72
       +
           ];

     

       73
       73
       +
           requires = [ "pocket-id.service" ];

     

       71
       74
        
           serviceConfig = {

     

       72
       75
        
             ExecStart = "${pkgs.perses}/bin/perses --config=${persesConfigYaml} --web.listen-address=:${toString port} --log.level=info";

     

       73
       76
        
             EnvironmentFile = secrets.persesSecret.path;

     
···

       79
       82
        
           cp -f ${./provision}/* ${provisioningFolder}

     

       80
       83
        
         '';

     

       81
       84
        
       

     

       82
       82
       -
         security.acme.certs."gaze.systems".extraDomainNames = [domain];

     

       85
       85
       +
         security.acme.certs."gaze.systems".extraDomainNames = [ domain ];

     

       83
       86
        
         services.nginx.virtualHosts.${domain} = {

     

       84
       87
        
           useACMEHost = "gaze.systems"; # TODO: write a module to define vhosts for subdomains

     

       85
       88
        
           quic = true;

+1 -1

hosts/wolumonde/modules/pocket-id.nix

···

       13
       13
        
           };

     

       14
       14
        
         };

     

       15
       15
        
       

     

       16
       16
       -
         security.acme.certs."gaze.systems".extraDomainNames = [domain];

     

       16
       16
       +
         security.acme.certs."gaze.systems".extraDomainNames = [ domain ];

     

       17
       17
        
       

     

       18
       18
        
         services.nginx.virtualHosts.${domain} = {

     

       19
       19
        
           useACMEHost = "gaze.systems";

+2 -2

hosts/wolumonde/modules/tailscale.nix

···

       1
       1
        
       { config, ... }:

     

       2
       2
        
       {

     

       3
       3
       -
         imports = [../../../modules/network/tailscale.nix];

     

       4
       4
       -
         

     

       3
       3
       +
         imports = [ ../../../modules/network/tailscale.nix ];

     

       4
       4
       +
       

     

       5
       5
        
         # age.secrets.tailscaleAuthKey.file = ../../../secrets/tailscaleAuthKey.age;

     

       6
       6
        
         # services.tailscale.authKeyFile = config.age.secrets.tailscaleAuthKey.path;

     

       7
       7

+4 -1

hosts/wolumonde/modules/tangled.nix/default.nix

···

       1
       1
        
       {

     

       2
       2
       -
         imports = [./knot.nix ./spindle.nix];

     

       2
       2
       +
         imports = [

     

       3
       3
       +
           ./knot.nix

     

       4
       4
       +
           ./spindle.nix

     

       5
       5
       +
         ];

     

       3
       6
        
       }

+1 -1

hosts/wolumonde/modules/tangled.nix/knot.nix

···

       24
       24
        
           };

     

       25
       25
        
         };

     

       26
       26
        
       

     

       27
       27
       -
         security.acme.certs."gaze.systems".extraDomainNames = [knotCfg.server.hostname];

     

       27
       27
       +
         security.acme.certs."gaze.systems".extraDomainNames = [ knotCfg.server.hostname ];

     

       28
       28
        
       

     

       29
       29
        
         services.nginx.virtualHosts.${knotCfg.server.hostname} = {

     

       30
       30
        
           useACMEHost = "gaze.systems";

+1 -1

hosts/wolumonde/modules/tangled.nix/spindle.nix

···

       41
       41
        
           };

     

       42
       42
        
         };

     

       43
       43
        
       

     

       44
       44
       -
         security.acme.certs."gaze.systems".extraDomainNames = [spindleCfg.server.hostname];

     

       44
       44
       +
         security.acme.certs."gaze.systems".extraDomainNames = [ spindleCfg.server.hostname ];

     

       45
       45
        
       

     

       46
       46
        
         services.nginx.virtualHosts.${spindleCfg.server.hostname} = {

     

       47
       47
        
           useACMEHost = "gaze.systems";

+5 -3

hosts/wolumonde/modules/webhook.disabled/default.nix

···

       1
       1
       -
       { config, tlib, ... }: let

     

       1
       1
       +
       { config, tlib, ... }:

     

       2
       2
       +
       let

     

       2
       3
        
         domain = "webhook.gaze.systems";

     

       3
       3
       -
       in {

     

       4
       4
       +
       in

     

       5
       5
       +
       {

     

       4
       6
        
         imports = tlib.importFolder ./.;

     

       5
       7
        
       

     

       6
       8
        
         services.webhook = {

     
···

       15
       17
        
           group = "nginx";

     

       16
       18
        
         };

     

       17
       19
        
       

     

       18
       18
       -
         security.acme.certs."gaze.systems".extraDomainNames = [domain];

     

       20
       20
       +
         security.acme.certs."gaze.systems".extraDomainNames = [ domain ];

     

       19
       21
        
         services.nginx.virtualHosts.${domain} = {

     

       20
       22
        
           useACMEHost = "gaze.systems";

     

       21
       23
        
           forceSSL = true;

+15 -14

hosts/wolumonde/modules/webhook.disabled/deploy-wolumonde.nix

···

       1
       1
       -
       { pkgs, ... }: let

     

       1
       1
       +
       { pkgs, ... }:

     

       2
       2
       +
       let

     

       2
       3
        
         port = toString 9000;

     

       3
       3
       -
       in {

     

       4
       4
       +
       in

     

       5
       5
       +
       {

     

       4
       6
        
         services.webhook.hooks."deploy-wolumonde" = {

     

       5
       7
        
           execute-command = "${pkgs.curl}/bin/curl";

     

       6
       6
       -
           pass-arguments-to-command =

     

       7
       7
       -
             builtins.map

     

       8
       8
       -
             (n: {

     

       9
       9
       -
               source = "string";

     

       10
       10
       -
               name = n;

     

       11
       11
       -
             })

     

       12
       12
       -
             [ "http://higashi:${port}/hooks/deploy-wolumonde" ];

     

       8
       8
       +
           pass-arguments-to-command = builtins.map (n: {

     

       9
       9
       +
             source = "string";

     

       10
       10
       +
             name = n;

     

       11
       11
       +
           }) [ "http://higashi:${port}/hooks/deploy-wolumonde" ];

     

       13
       12
        
         };

     

       14
       13
        
       

     

       15
       15
       -
         services.headscale.acl.rules = [{

     

       16
       16
       -
           proto = "tcp";

     

       17
       17
       -
           src = ["wolumonde"];

     

       18
       18
       -
           dst = ["higashi:${port}"];

     

       19
       19
       -
         }];

     

       14
       14
       +
         services.headscale.acl.rules = [

     

       15
       15
       +
           {

     

       16
       16
       +
             proto = "tcp";

     

       17
       17
       +
             src = [ "wolumonde" ];

     

       18
       18
       +
             dst = [ "higashi:${port}" ];

     

       19
       19
       +
           }

     

       20
       20
       +
         ];

     

       20
       21
        
       }

+4 -1

users/dusk@devel.mobi/default.nix

···

       70
       70
        
           enable = true;

     

       71
       71
        
           controlServer = "https://vpn.gaze.systems";

     

       72
       72
        
           authKeyFile = config.age.secrets.tailscaleAuthKey.path;

     

       73
       73
       -
           extraUpFlags = [ "--advertise-exit-node=true" "--hostname=dusk-devel-mobi" ];

     

       73
       73
       +
           extraUpFlags = [

     

       74
       74
       +
             "--advertise-exit-node=true"

     

       75
       75
       +
             "--hostname=dusk-devel-mobi"

     

       76
       76
       +
           ];

     

       74
       77
        
         };

     

       75
       78
        
       

     

       76
       79
        
         programs = {

+10 -10

users/modules/ssh/default.nix

···

       3
       3
        
           enable = true;

     

       4
       4
        
           enableDefaultConfig = false;

     

       5
       5
        
           matchBlocks."*" = {

     

       6
       6
       -
               forwardAgent = false;

     

       7
       7
       -
               serverAliveInterval = 0;

     

       8
       8
       -
               serverAliveCountMax = 3;

     

       9
       9
       -
               compression = true;

     

       10
       10
       -
               hashKnownHosts = true;

     

       11
       11
       -
               addKeysToAgent = "yes";

     

       12
       12
       -
               userKnownHostsFile = "~/.ssh/known_hosts";

     

       13
       13
       -
               controlMaster = "no";

     

       14
       14
       -
               controlPath = "~/.ssh/master-%r@%n:%p";

     

       15
       15
       -
               controlPersist = "no";

     

       6
       6
       +
             forwardAgent = false;

     

       7
       7
       +
             serverAliveInterval = 0;

     

       8
       8
       +
             serverAliveCountMax = 3;

     

       9
       9
       +
             compression = true;

     

       10
       10
       +
             hashKnownHosts = true;

     

       11
       11
       +
             addKeysToAgent = "yes";

     

       12
       12
       +
             userKnownHostsFile = "~/.ssh/known_hosts";

     

       13
       13
       +
             controlMaster = "no";

     

       14
       14
       +
             controlPath = "~/.ssh/master-%r@%n:%p";

     

       15
       15
       +
             controlPersist = "no";

     

       16
       16
        
           };

     

       17
       17
        
           # Only needed for darcs hub

     

       18
       18
        
           # extraConfig = ''