commit ec5c8c1b537cf20e43643e87761ead2a75f451da · pyrox.dev/nix

+2

flake.nix

···

       182
       182
        
                   buildbot-nix.nixosModules.buildbot-master

     

       183
       183
        
                   golink.nixosModules.default

     

       184
       184
        
                   iceshrimp.nixosModules.default

     

       185
       185
       +
                   tangled-sh.nixosModules.knot

     

       186
       186
       +
                   tangled-sh.nixosModules.spindle

     

       185
       187
        
                 ];

     

       186
       188
        
               };

     

       187
       189
        
             };

+12 -1

lib/data/services.toml

···

       107
       107
        
       extUrl = "auth.pyrox.dev"

     

       108
       108
        
       anubis = 8401

     

       109
       109
        
       

     

       110
       110
       -
       

     

       111
       110
        
       [redlib]

     

       112
       111
        
       port = 6901

     

       113
       112
        
       host = "marvin"

     
···

       117
       116
        
       port = 6931

     

       118
       117
        
       host = "marvin"

     

       119
       118
        
       tsHost = "scrutiny"

     

       119
       119
       +
       

     

       120
       120
       +
       [tangled-knot]

     

       121
       121
       +
       port = 6934

     

       122
       122
       +
       host = "marvin"

     

       123
       123
       +
       extUrl = "knot.pyrox.dev"

     

       124
       124
       +
       intListenPort = 30106

     

       125
       125
       +
       

     

       126
       126
       +
       [tangled-spindle]

     

       127
       127
       +
       port = 6935

     

       128
       128
       +
       host = "marvin"

     

       129
       129
       +
       extUrl = "spindle.pyrox.dev"

     

       130
       130
       +
       

     

       120
       131
        
       

     

       121
       132
        
       [vaultwarden]

     

       122
       133
        
       port = 6912

+1

systems/x86_64-linux/marvin/default.nix

···

       34
       34
        
           ./services/scrutiny.nix

     

       35
       35
        
           ./services/syncthing.nix

     

       36
       36
        
           ./services/tailscale.nix

     

       37
       37
       +
           ./services/tangled.nix

     

       37
       38
        
           ./services/vaultwarden.nix

     

       38
       39
        
           ./services/zfs.nix

     

       39
       40
        
         ];

+1

systems/x86_64-linux/marvin/services/secrets/secrets.nix

···

       38
       38
        
         "pingvin-secrets.age".publicKeys = marvinDefault;

     

       39
       39
        
         "planka-env.age".publicKeys = marvinDefault;

     

       40
       40
        
         "pocket-id-secrets.age".publicKeys = marvinDefault;

     

       41
       41
       +
         "tangled-knot-secrets.age".publicKeys = marvinDefault;

     

       41
       42
        
         "vaultwarden-vars.age".publicKeys = marvinDefault;

     

       42
       43
        
         "vaultwarden-pgpass.age".publicKeys = marvinDefault;

     

       43
       44
        
         "webmentiond-env.age".publicKeys = marvinDefault;

systems/x86_64-linux/marvin/services/secrets/tangled-knot-secrets.age

This is a binary file and will not be displayed.

+43

systems/x86_64-linux/marvin/services/tangled.nix

···

       1
       1
       +
       {

     

       2
       2
       +
         config,

     

       3
       3
       +
         lib,

     

       4
       4
       +
         ...

     

       5
       5
       +
       }:

     

       6
       6
       +
       let

     

       7
       7
       +
         cfg = config.services.tangled-knot;

     

       8
       8
       +
         dk = lib.py.data.services.tangled-knot;

     

       9
       9
       +
         ds = lib.py.data.services.tangled-spindle;

     

       10
       10
       +
       in

     

       11
       11
       +
       {

     

       12
       12
       +
         services = {

     

       13
       13
       +
           tangled-knot = {

     

       14
       14
       +
             enable = true;

     

       15
       15
       +
             gitUser = "git";

     

       16
       16
       +
             stateDir = "/var/lib/tangled-knot";

     

       17
       17
       +
             repo.scanPath = "${cfg.stateDir}/repos";

     

       18
       18
       +
             server = {

     

       19
       19
       +
               listenAddr = "0.0.0.0:${toString dk.port}";

     

       20
       20
       +
               hostname = dk.extUrl;

     

       21
       21
       +
               internalListenAddr = "127.0.0.1:${toString dk.intListenPort}";

     

       22
       22
       +
               secretFile = config.age.secrets.tangled-knot-secrets.path;

     

       23
       23
       +
             };

     

       24
       24
       +
           };

     

       25
       25
       +
           tangled-spindle = {

     

       26
       26
       +
             enable = true;

     

       27
       27
       +
             server = {

     

       28
       28
       +
               listenAddr = "0.0.0.0:${ds.port}";

     

       29
       29
       +
               hostname = ds.extUrl;

     

       30
       30
       +
               owner = "did:plc:5cqzysioqzttihsnbsaxrggu";

     

       31
       31
       +
             };

     

       32
       32
       +
             pipelines.workflowTimeout = "10m";

     

       33
       33
       +
           };

     

       34
       34
       +
           openssh.ports = [ 2222 ];

     

       35
       35
       +
           openssh.settings.AllowUsers = [ "git" ];

     

       36
       36
       +
           openssh.settings.AllowGroups = [ "git" ];

     

       37
       37
       +
         };

     

       38
       38
       +
         age.secrets.tangled-knot-secrets = {

     

       39
       39
       +
           file = ./secrets/tangled-knot-secrets.age;

     

       40
       40
       +
           owner = "git";

     

       41
       41
       +
           group = "git";

     

       42
       42
       +
         };

     

       43
       43
       +
       }

+45 -26

systems/x86_64-linux/prefect/services/caddy.nix

···

       241
       241
        
                 }

     

       242
       242
        
               '';

     

       243
       243
        
             };

     

       244
       244
       +
             # Tangled Services

     

       245
       245
       +
             ${pns.tangled-knot.extUrl} = {

     

       246
       246
       +
               extraConfig = ''

     

       247
       247
       +
                 reverse_proxy ${marvin}:${toString pns.tangled-knot.port}

     

       248
       248
       +
               '';

     

       249
       249
       +
             };

     

       250
       250
       +
             ${pns.tangled-spindle.extUrl} = {

     

       251
       251
       +
               extraConfig = ''

     

       252
       252
       +
                 reverse_proxy ${marvin}:${toString pns.tangled-spindle.port}

     

       253
       253
       +
               '';

     

       254
       254
       +
             };

     

       244
       255
        
       

     

       245
       256
        
             # Simple Tailscale Hosts

     

       246
       257
        
       

     
···

       273
       284
        
               refresh_period 10m

     

       274
       285
        
             }

     

       275
       286
        
           '';

     

       276
       276
       -
           # layer4 {

     

       277
       277
       -
           #   0.0.0.0:465 {

     

       278
       278
       -
           #     route {

     

       279
       279
       -
           #       proxy {

     

       280
       280
       -
           #         proxy_protocol v2

     

       281
       281
       -
           #         upstream ${marvinIP}:${mail.intSMTPS}

     

       282
       282
       -
           #       }

     

       283
       283
       -
           #     }

     

       284
       284
       -
           #   }

     

       285
       285
       -
           #   0.0.0.0:993 {

     

       286
       286
       -
           #     route {

     

       287
       287
       -
           #       proxy {

     

       288
       288
       -
           #         proxy_protocol v2

     

       289
       289
       -
           #         upstream ${marvinIP}:${mail.intIMAPS}

     

       290
       290
       -
           #       }

     

       291
       291
       -
           #     }

     

       292
       292
       -
           #   }

     

       293
       293
       -
           #   0.0.0.0:4190 {

     

       294
       294
       -
           #     route {

     

       295
       295
       -
           #       proxy {

     

       296
       296
       -
           #         proxy_protocol v2

     

       297
       297
       -
           #         upstream ${marvinIP}:${mail.intManageSieve}

     

       298
       298
       -
           #       }

     

       299
       299
       -
           #     }

     

       300
       300
       -
           #   }

     

       301
       301
       -
           # }

     

       287
       287
       +
           extraConfig = ''

     

       288
       288
       +
             layer4 {

     

       289
       289
       +
               :22 {

     

       290
       290
       +
                 @a ssh

     

       291
       291
       +
                 route @a {

     

       292
       292
       +
                   proxy ${marvinIP}:2222

     

       293
       293
       +
                 }

     

       294
       294
       +
               }

     

       295
       295
       +
               # 0.0.0.0:465 {

     

       296
       296
       +
               #   route {

     

       297
       297
       +
               #     proxy {

     

       298
       298
       +
               #       proxy_protocol v2

     

       299
       299
       +
               #       upstream ${marvinIP}:${mail.intSMTPS}

     

       300
       300
       +
               #     }

     

       301
       301
       +
               #   }

     

       302
       302
       +
               # }

     

       303
       303
       +
               # 0.0.0.0:993 {

     

       304
       304
       +
               #   route {

     

       305
       305
       +
               #     proxy {

     

       306
       306
       +
               #       proxy_protocol v2

     

       307
       307
       +
               #       upstream ${marvinIP}:${mail.intIMAPS}

     

       308
       308
       +
               #     }

     

       309
       309
       +
               #   }

     

       310
       310
       +
               # }

     

       311
       311
       +
               # 0.0.0.0:4190 {

     

       312
       312
       +
               #   route {

     

       313
       313
       +
               #     proxy {

     

       314
       314
       +
               #       proxy_protocol v2

     

       315
       315
       +
               #       upstream ${marvinIP}:${mail.intManageSieve}

     

       316
       316
       +
               #     }

     

       317
       317
       +
               #   }

     

       318
       318
       +
               # }

     

       319
       319
       +
             }

     

       320
       320
       +
           '';

     

       302
       321
        
         };

     

       303
       322
        
         systemd.services.caddy.serviceConfig.CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";

     

       304
       323
        
         systemd.services.caddy.serviceConfig.AmbientCapabilities = "CAP_NET_BIND_SERVICE";