commit 124dc64d4d980799296a8ba1de8ebd04a03fa076 · wiro.world/dotfiles

+1 -1

README.md

···

       20
       20
        
       	- `fragments`: Home Manager configuration fragments

     

       21
       21
        
       	- `options`: Home Manager configuration flags

     

       22
       22
        
       	- `profiles`: Base Home Manager configurations to build upon (e.g. `desktop`, `minimal`)

     

       23
       23
       -
       - `lib`: Additional custom lib and flake helpers 

     

       23
       23
       +
       - `lib`: Additional custom lib and flake helpers

     

       24
       24
        
       - `modules`: modules that fill a missing feature of NixOS or Home Manager

     

       25
       25
        
       - `nixos`: NixOS related config

     

       26
       26
        
       	- `hardware/<hostname>.nix`: Device-specific settings like settings generated by `nixos-generate-config`

+1 -1

apps/flash-installer.nix

···

       29
       29
        
           fi

     

       30
       30
        
       

     

       31
       31
        
           echo "Flashing to $dev"

     

       32
       32
       -
           

     

       32
       32
       +
       

     

       33
       33
        
           # Format selected disk

     

       34
       34
        
           pv -tpreb "${isoPath}" | sudo dd bs=4M of="$dev" iflag=fullblock conv=notrunc,noerror oflag=sync

     

       35
       35
        
         '';

+2 -1

configurations.nix

···

       19
       19
        
       

     

       20
       20
        
           # Servers

     

       21
       21
        
           "weird-row-server" = createSystem pkgs [

     

       22
       22
       -
             (system "weird-row-server" "server")

     

       22
       22
       +
             (host "weird-row-server")

     

       23
       23
        
             (managedDiskLayout "ext4-hetzner" { device = "sda"; swapSize = 2; })

     

       24
       24
       +
             # TODO: should we keep a real user there?

     

       24
       25
        
             (user "milomoisson" { description = "Milo Moisson"; profile = "server"; keys = keys.users; })

     

       25
       26
        
           ];

     

       26
       27
        
         };

+3 -1

home-manager/fragments/git.nix

···

       162
       162
        
               };

     

       163
       163
        
       

     

       164
       164
        
               git = {

     

       165
       165
       -
                 pagers.externalDiffCommand = "difft --color=always";

     

       165
       165
       +
                 pagers = [

     

       166
       166
       +
                   { externalDiffCommand = "difft --color=always"; }

     

       167
       167
       +
                 ];

     

       166
       168
        
               };

     

       167
       169
        
       

     

       168
       170
        
               # to be declarative or not to be declarative?

+1 -1

home-manager/fragments/shell.nix

···

       150
       150
        
               '';

     

       151
       151
        
       

     

       152
       152
        
               # Quickly explore a derivation (using registry syntax)

     

       153
       153
       -
               # e.g. `cdd nixpkgs#fontforge` or `cdd unixpkgs#fontforge` 

     

       153
       153
       +
               # e.g. `cdd nixpkgs#fontforge` or `cdd unixpkgs#fontforge`

     

       154
       154
        
               cdd = "cd (nix build --no-link --print-out-paths $argv | ${lib.getExe pkgs.fzf})";

     

       155
       155
        
             } // lib.optionalAttrs (!flags.onlyCached) {

     

       156
       156
        
               # Quickly get outta here to test something

+5 -4

home-manager/fragments/stylix.nix

···

       11
       11
        
         cfg = config.local.fragment.stylix;

     

       12
       12
        
       in

     

       13
       13
        
       {

     

       14
       14
       -
         imports = [ stylix.homeModules.stylix ];

     

       14
       14
       +
         imports = [

     

       15
       15
       +
           stylix.homeModules.stylix

     

       16
       16
       +
           # issues a warning because we use `useGlobalPkgs`

     

       17
       17
       +
           { config.stylix.overlays.enable = false; }

     

       18
       18
       +
         ];

     

       15
       19
        
       

     

       16
       20
        
         options.local.fragment.stylix.enable = lib.mkEnableOption ''

     

       17
       21
        
           Stylix related

     
···

       26
       30
        
           stylix = {

     

       27
       31
        
             enable = true;

     

       28
       32
        
             base16Scheme = lib.mkDefault "${pkgs.base16-schemes}/share/themes/onedark-dark.yaml";

     

       29
       29
       -
       

     

       30
       30
       -
             # issues a warning because we use `useGlobalPkgs`

     

       31
       31
       -
             overlays.enable = false;

     

       32
       33
        
       

     

       33
       34
        
             image = ../../assets/wallpaper-binary-cloud.png;

     

       34
       35

+1 -1

home-manager/fragments/waybar.nix

···

       232
       232
        
               .modules-right widget .module {

     

       233
       233
        
                 padding: 0 1rem;

     

       234
       234
        
       

     

       235
       235
       -
                 color: @base07; 

     

       235
       235
       +
                 color: @base07;

     

       236
       236
        
               }

     

       237
       237
        
       

     

       238
       238
        
               /* Round first and last child of left, right and center modules. Disable rounding on the sides*/

+163

hosts/weird-row-server/authelia.nix

···

       1
       1
       +
       { config

     

       2
       2
       +
       , ...

     

       3
       3
       +
       }:

     

       4
       4
       +
       

     

       5
       5
       +
       let

     

       6
       6
       +
         authelia-port = 3008;

     

       7
       7
       +
         authelia-hostname = "auth.wiro.world";

     

       8
       8
       +
       

     

       9
       9
       +
         authelia-metrics-port = 9004;

     

       10
       10
       +
         headscale-hostname = "headscale.wiro.world";

     

       11
       11
       +
         grafana-hostname = "console.wiro.world";

     

       12
       12
       +
         miniflux-hostname = "news.wiro.world";

     

       13
       13
       +
       in

     

       14
       14
       +
       {

     

       15
       15
       +
         config = {

     

       16
       16
       +
           age.secrets.authelia-jwt-secret = { file = secrets/authelia-jwt-secret.age; owner = config.services.authelia.instances.main.user; };

     

       17
       17
       +
           age.secrets.authelia-issuer-private-key = { file = secrets/authelia-issuer-private-key.age; owner = config.services.authelia.instances.main.user; };

     

       18
       18
       +
           age.secrets.authelia-storage-key = { file = secrets/authelia-storage-key.age; owner = config.services.authelia.instances.main.user; };

     

       19
       19
       +
           age.secrets.authelia-ldap-password = { file = secrets/authelia-ldap-password.age; owner = config.services.authelia.instances.main.user; };

     

       20
       20
       +
           age.secrets.authelia-smtp-password = { file = secrets/authelia-smtp-password.age; owner = config.services.authelia.instances.main.user; };

     

       21
       21
       +
           services.authelia.instances.main = {

     

       22
       22
       +
             enable = true;

     

       23
       23
       +
       

     

       24
       24
       +
             secrets = {

     

       25
       25
       +
               jwtSecretFile = config.age.secrets.authelia-jwt-secret.path;

     

       26
       26
       +
               oidcIssuerPrivateKeyFile = config.age.secrets.authelia-issuer-private-key.path;

     

       27
       27
       +
               storageEncryptionKeyFile = config.age.secrets.authelia-storage-key.path;

     

       28
       28
       +
             };

     

       29
       29
       +
             environmentVariables = {

     

       30
       30
       +
               AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.age.secrets.authelia-ldap-password.path;

     

       31
       31
       +
               AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = config.age.secrets.authelia-smtp-password.path;

     

       32
       32
       +
             };

     

       33
       33
       +
             settings = {

     

       34
       34
       +
               server.address = "localhost:${toString authelia-port}";

     

       35
       35
       +
               storage.local.path = "/var/lib/authelia-main/db.sqlite3";

     

       36
       36
       +
               telemetry.metrics = {

     

       37
       37
       +
                 enabled = true;

     

       38
       38
       +
                 address = "tcp://:${toString authelia-metrics-port}/metrics";

     

       39
       39
       +
               };

     

       40
       40
       +
       

     

       41
       41
       +
               session = {

     

       42
       42
       +
                 cookies = [{

     

       43
       43
       +
                   domain = "wiro.world";

     

       44
       44
       +
                   authelia_url = "https://${authelia-hostname}";

     

       45
       45
       +
                   default_redirection_url = "https://wiro.world";

     

       46
       46
       +
                 }];

     

       47
       47
       +
               };

     

       48
       48
       +
       

     

       49
       49
       +
               authentication_backend.ldap = {

     

       50
       50
       +
                 address = "ldap://localhost:3890";

     

       51
       51
       +
                 timeout = "5m"; # replace with systemd dependency

     

       52
       52
       +
       

     

       53
       53
       +
                 user = "uid=authelia,ou=people,dc=wiro,dc=world";

     

       54
       54
       +
                 # Set in `AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE`.

     

       55
       55
       +
                 # password = "";

     

       56
       56
       +
       

     

       57
       57
       +
                 base_dn = "dc=wiro,dc=world";

     

       58
       58
       +
                 users_filter = "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))";

     

       59
       59
       +
                 additional_users_dn = "ou=people";

     

       60
       60
       +
                 groups_filter = "(&(member={dn})(objectClass=groupOfNames))";

     

       61
       61
       +
                 additional_groups_dn = "ou=groups";

     

       62
       62
       +
       

     

       63
       63
       +
                 attributes = {

     

       64
       64
       +
                   username = "uid";

     

       65
       65
       +
                   display_name = "cn";

     

       66
       66
       +
                   given_name = "givenname";

     

       67
       67
       +
                   family_name = "last_name";

     

       68
       68
       +
                   mail = "mail";

     

       69
       69
       +
                   picture = "avatar";

     

       70
       70
       +
       

     

       71
       71
       +
                   group_name = "cn";

     

       72
       72
       +
                 };

     

       73
       73
       +
               };

     

       74
       74
       +
       

     

       75
       75
       +
               access_control = {

     

       76
       76
       +
                 default_policy = "deny";

     

       77
       77
       +
                 # Rules are sequential and do not apply to OIDC

     

       78
       78
       +
                 rules = [

     

       79
       79
       +
                   {

     

       80
       80
       +
                     domain = "headscale.wiro.world";

     

       81
       81
       +
                     policy = "two_factor";

     

       82
       82
       +
       

     

       83
       83
       +
                   }

     

       84
       84
       +
                   {

     

       85
       85
       +
                     domain = "news.wiro.world";

     

       86
       86
       +
                     policy = "one_factor";

     

       87
       87
       +
       

     

       88
       88
       +
                     subject = [ [ "group:miniflux" "oauth2:client:miniflux" ] ];

     

       89
       89
       +
                   }

     

       90
       90
       +
                   {

     

       91
       91
       +
                     domain = "*.wiro.world";

     

       92
       92
       +
                     policy = "two_factor";

     

       93
       93
       +
                   }

     

       94
       94
       +
                 ];

     

       95
       95
       +
               };

     

       96
       96
       +
       

     

       97
       97
       +
               identity_providers.oidc = {

     

       98
       98
       +
                 enforce_pkce = "always";

     

       99
       99
       +
       

     

       100
       100
       +
                 authorization_policies =

     

       101
       101
       +
                   let

     

       102
       102
       +
                     mkStrictPolicy = policy: subject:

     

       103
       103
       +
                       { default_policy = "deny"; rules = [{ inherit policy subject; }]; };

     

       104
       104
       +
                   in

     

       105
       105
       +
                   {

     

       106
       106
       +
                     headscale = mkStrictPolicy "two_factor" [ "group:headscale" ];

     

       107
       107
       +
                     tailscale = mkStrictPolicy "two_factor" [ "group:headscale" ];

     

       108
       108
       +
                     grafana = mkStrictPolicy "one_factor" [ "group:grafana" ];

     

       109
       109
       +
                     miniflux = mkStrictPolicy "one_factor" [ "group:miniflux" ];

     

       110
       110
       +
                   };

     

       111
       111
       +
       

     

       112
       112
       +
                 claims_policies.headscale = { id_token = [ "email" "name" "preferred_username" "picture" "groups" ]; };

     

       113
       113
       +
       

     

       114
       114
       +
                 clients = [

     

       115
       115
       +
                   {

     

       116
       116
       +
                     client_name = "Headscale";

     

       117
       117
       +
                     client_id = "headscale";

     

       118
       118
       +
                     client_secret = "$pbkdf2-sha256$310000$XY680D9gkSoWhD0UtYHNFg$ptWB3exOYCga6uq1N.oimuV3ILjK3F8lBWBpsBpibos";

     

       119
       119
       +
                     redirect_uris = [ "https://${headscale-hostname}/oidc/callback" ];

     

       120
       120
       +
                     authorization_policy = "headscale";

     

       121
       121
       +
                     claims_policy = "headscale";

     

       122
       122
       +
                   }

     

       123
       123
       +
                   {

     

       124
       124
       +
                     client_name = "Tailscale";

     

       125
       125
       +
                     client_id = "tailscale";

     

       126
       126
       +
                     client_secret = "$pbkdf2-sha256$310000$PcUaup9aWKI9ZLeCF6.avw$FpsTxkDaxcoQlBi8aIacegXpjEDiCI6nXcaHyZ2Sxyc";

     

       127
       127
       +
                     redirect_uris = [ "https://login.tailscale.com/a/oauth_response" ];

     

       128
       128
       +
                     authorization_policy = "tailscale";

     

       129
       129
       +
                   }

     

       130
       130
       +
                   {

     

       131
       131
       +
                     client_name = "Grafana Console";

     

       132
       132
       +
                     client_id = "grafana";

     

       133
       133
       +
                     client_secret = "$pbkdf2-sha256$310000$UkwrqxTZodGMs9.Ca2cXAA$HCWFgQbFHGXZpuz.I3HHdkTZLUevRVGlhKEFaOlPmKs";

     

       134
       134
       +
                     redirect_uris = [ "https://${grafana-hostname}/login/generic_oauth" ];

     

       135
       135
       +
                     authorization_policy = "grafana";

     

       136
       136
       +
                   }

     

       137
       137
       +
                   {

     

       138
       138
       +
                     client_name = "Miniflux";

     

       139
       139
       +
                     client_id = "miniflux";

     

       140
       140
       +
                     client_secret = "$pbkdf2-sha256$310000$uPqbWfCOBXDY6nV1vsx3uA$HOWG2hL.c/bs9Dwaee3b9DxjH7KFO.SaZMbasXV9Vdw";

     

       141
       141
       +
                     redirect_uris = [ "https://${miniflux-hostname}/oauth2/oidc/callback" ];

     

       142
       142
       +
                     authorization_policy = "miniflux";

     

       143
       143
       +
                   }

     

       144
       144
       +
                 ];

     

       145
       145
       +
               };

     

       146
       146
       +
       

     

       147
       147
       +
               notifier.smtp = {

     

       148
       148
       +
                 address = "smtp://smtp.resend.com:2587";

     

       149
       149
       +
                 username = "resend";

     

       150
       150
       +
                 # Set in `AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE`.

     

       151
       151
       +
                 # password = "";

     

       152
       152
       +
                 sender = "authelia@wiro.world";

     

       153
       153
       +
               };

     

       154
       154
       +
             };

     

       155
       155
       +
           };

     

       156
       156
       +
       

     

       157
       157
       +
           services.caddy = {

     

       158
       158
       +
             virtualHosts.${authelia-hostname}.extraConfig = ''

     

       159
       159
       +
               reverse_proxy http://localhost:${toString authelia-port}

     

       160
       160
       +
             '';

     

       161
       161
       +
           };

     

       162
       162
       +
         };

     

       163
       163
       +
       }

+137

hosts/weird-row-server/default.nix

···

       1
       1
       +
       { self

     

       2
       2
       +
       , config

     

       3
       3
       +
       , pkgs

     

       4
       4
       +
       , ...

     

       5
       5
       +
       }:

     

       6
       6
       +
       

     

       7
       7
       +
       let

     

       8
       8
       +
         inherit (self.inputs) srvos;

     

       9
       9
       +
       

     

       10
       10
       +
         ext-if = "eth0";

     

       11
       11
       +
         external-ip = "91.99.55.74";

     

       12
       12
       +
         external-netmask = 27;

     

       13
       13
       +
         external-gw = "144.x.x.255";

     

       14
       14
       +
         external-ip6 = "2a01:4f8:c2c:76d2::1";

     

       15
       15
       +
         external-netmask6 = 64;

     

       16
       16
       +
         external-gw6 = "fe80::1";

     

       17
       17
       +
       

     

       18
       18
       +
         website-hostname = "wiro.world";

     

       19
       19
       +
       

     

       20
       20
       +
         static-hostname = "static.wiro.world";

     

       21
       21
       +
       in

     

       22
       22
       +
       {

     

       23
       23
       +
         imports = [

     

       24
       24
       +
           srvos.nixosModules.server

     

       25
       25
       +
           srvos.nixosModules.hardware-hetzner-cloud

     

       26
       26
       +
           srvos.nixosModules.mixins-terminfo

     

       27
       27
       +
       

     

       28
       28
       +
           ./authelia.nix

     

       29
       29
       +
           ./goatcounter.nix

     

       30
       30
       +
           ./grafana.nix

     

       31
       31
       +
           ./headscale.nix

     

       32
       32
       +
           ./hypixel-bank-tracker.nix

     

       33
       33
       +
           ./lldap.nix

     

       34
       34
       +
           ./miniflux.nix

     

       35
       35
       +
           ./pds.nix

     

       36
       36
       +
           ./tangled.nix

     

       37
       37
       +
           ./thelounge.nix

     

       38
       38
       +
           ./tuwunel.nix

     

       39
       39
       +
           ./vaultwarden.nix

     

       40
       40
       +
           ./warrior.nix

     

       41
       41
       +
           ./webfinger.nix

     

       42
       42
       +
         ];

     

       43
       43
       +
       

     

       44
       44
       +
         config = {

     

       45
       45
       +
           boot.loader.grub.enable = true;

     

       46
       46
       +
           boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" "ext4" ];

     

       47
       47
       +
       

     

       48
       48
       +
           # Single network card is `eth0`

     

       49
       49
       +
           networking.usePredictableInterfaceNames = false;

     

       50
       50
       +
       

     

       51
       51
       +
           networking.nameservers = [ "2001:4860:4860::8888" "2001:4860:4860::8844" ];

     

       52
       52
       +
       

     

       53
       53
       +
           networking = {

     

       54
       54
       +
             interfaces.${ext-if} = {

     

       55
       55
       +
               ipv4.addresses = [{ address = external-ip; prefixLength = external-netmask; }];

     

       56
       56
       +
               ipv6.addresses = [{ address = external-ip6; prefixLength = external-netmask6; }];

     

       57
       57
       +
             };

     

       58
       58
       +
             defaultGateway = { interface = ext-if; address = external-gw; };

     

       59
       59
       +
             defaultGateway6 = { interface = ext-if; address = external-gw6; };

     

       60
       60
       +
       

     

       61
       61
       +
             # Reflect firewall configuration on Hetzner

     

       62
       62
       +
             firewall.allowedTCPPorts = [ 22 80 443 ];

     

       63
       63
       +
           };

     

       64
       64
       +
       

     

       65
       65
       +
           services.qemuGuest.enable = true;

     

       66
       66
       +
       

     

       67
       67
       +
           services.openssh.enable = true;

     

       68
       68
       +
       

     

       69
       69
       +
           # age.secrets.tailscale-authkey.file = secrets/tailscale-authkey.age;

     

       70
       70
       +
           services.tailscale = {

     

       71
       71
       +
             enable = true;

     

       72
       72
       +
             extraSetFlags = [ "--advertise-exit-node" ];

     

       73
       73
       +
             # authKeyFile = config.age.secrets.tailscale-authkey.path;

     

       74
       74
       +
             authKeyParameters = {

     

       75
       75
       +
               baseURL = "https://headscale.wiro.world";

     

       76
       76
       +
               ephemeral = true;

     

       77
       77
       +
               preauthorized = true;

     

       78
       78
       +
             };

     

       79
       79
       +
           };

     

       80
       80
       +
       

     

       81
       81
       +
           security.sudo.wheelNeedsPassword = false;

     

       82
       82
       +
       

     

       83
       83
       +
           local.fragment.nix.enable = true;

     

       84
       84
       +
       

     

       85
       85
       +
           programs.fish.enable = true;

     

       86
       86
       +
       

     

       87
       87
       +
           services.fail2ban = {

     

       88
       88
       +
             enable = true;

     

       89
       89
       +
       

     

       90
       90
       +
             maxretry = 5;

     

       91
       91
       +
             ignoreIP = [ ];

     

       92
       92
       +
       

     

       93
       93
       +
             bantime = "24h";

     

       94
       94
       +
             bantime-increment = {

     

       95
       95
       +
               enable = true;

     

       96
       96
       +
               multipliers = "1 2 4 8 16 32 64";

     

       97
       97
       +
               maxtime = "168h";

     

       98
       98
       +
               overalljails = true;

     

       99
       99
       +
             };

     

       100
       100
       +
       

     

       101
       101
       +
             jails = { };

     

       102
       102
       +
           };

     

       103
       103
       +
       

     

       104
       104
       +
           services.caddy = {

     

       105
       105
       +
             enable = true;

     

       106
       106
       +
             package = pkgs.caddy.withPlugins {

     

       107
       107
       +
               doInstallCheck = false;

     

       108
       108
       +
               plugins = [

     

       109
       109
       +
                 "github.com/tailscale/caddy-tailscale@v0.0.0-20251016213337-01d084e119cb"

     

       110
       110
       +
                 "github.com/caddy-dns/hetzner@v2.0.0-preview-1"

     

       111
       111
       +
               ];

     

       112
       112
       +
               hash = "sha256-muKwDYs5Jp4ib/psZxpp1Kyfsqz6wPz/lpHFGtx67uY=";

     

       113
       113
       +
             };

     

       114
       114
       +
       

     

       115
       115
       +
             globalConfig = ''

     

       116
       116
       +
               tailscale {

     

       117
       117
       +
                 ephemeral

     

       118
       118
       +
               }

     

       119
       119
       +
             '';

     

       120
       120
       +
       

     

       121
       121
       +
             virtualHosts.${website-hostname}.extraConfig =

     

       122
       122
       +
               # TODO: host website on server with automatic deployment

     

       123
       123
       +
               ''

     

       124
       124
       +
                 reverse_proxy https://mrnossiom.github.io {

     

       125
       125
       +
                 	header_up Host {http.request.host}

     

       126
       126
       +
                 }

     

       127
       127
       +
               '';

     

       128
       128
       +
       

     

       129
       129
       +
             virtualHosts.${static-hostname}.extraConfig = ''

     

       130
       130
       +
               root /var/www/static

     

       131
       131
       +
               file_server browse

     

       132
       132
       +
             '';

     

       133
       133
       +
           };

     

       134
       134
       +
       

     

       135
       135
       +
           # TODO: use bind to declare dns records declaratively

     

       136
       136
       +
         };

     

       137
       137
       +
       }

+25

hosts/weird-row-server/goatcounter.nix

···

       1
       1
       +
       { config

     

       2
       2
       +
       , ...

     

       3
       3
       +
       }:

     

       4
       4
       +
       

     

       5
       5
       +
       let

     

       6
       6
       +
         goatcounter-port = 3010;

     

       7
       7
       +
         goatcounter-hostname = "stats.wiro.world";

     

       8
       8
       +
       in

     

       9
       9
       +
       {

     

       10
       10
       +
         config = {

     

       11
       11
       +
           services.goatcounter = {

     

       12
       12
       +
             enable = true;

     

       13
       13
       +
       

     

       14
       14
       +
             port = goatcounter-port;

     

       15
       15
       +
             proxy = true;

     

       16
       16
       +
             extraArgs = [ "-automigrate" ];

     

       17
       17
       +
           };

     

       18
       18
       +
       

     

       19
       19
       +
           services.caddy = {

     

       20
       20
       +
             virtualHosts.${goatcounter-hostname}.extraConfig = ''

     

       21
       21
       +
               reverse_proxy http://localhost:${toString goatcounter-port}

     

       22
       22
       +
             '';

     

       23
       23
       +
           };

     

       24
       24
       +
         };

     

       25
       25
       +
       }

+84

hosts/weird-row-server/grafana.nix

···

       1
       1
       +
       { config

     

       2
       2
       +
       , ...

     

       3
       3
       +
       }:

     

       4
       4
       +
       

     

       5
       5
       +
       let

     

       6
       6
       +
         grafana-port = 3002;

     

       7
       7
       +
         grafana-hostname = "console.wiro.world";

     

       8
       8
       +
       

     

       9
       9
       +
         prometheus-port = 9001;

     

       10
       10
       +
         prometheus-node-exporter-port = 9002;

     

       11
       11
       +
         caddy-metrics-port = 2019;

     

       12
       12
       +
         authelia-metrics-port = 9004;

     

       13
       13
       +
         headscale-metrics-port = 9003;

     

       14
       14
       +
       in

     

       15
       15
       +
       {

     

       16
       16
       +
         config = {

     

       17
       17
       +
           age.secrets.grafana-oidc-secret = { file = secrets/grafana-oidc-secret.age; owner = "grafana"; };

     

       18
       18
       +
           services.grafana = {

     

       19
       19
       +
             enable = true;

     

       20
       20
       +
       

     

       21
       21
       +
             settings = {

     

       22
       22
       +
               server = {

     

       23
       23
       +
                 http_port = grafana-port;

     

       24
       24
       +
                 domain = grafana-hostname;

     

       25
       25
       +
                 root_url = "https://${grafana-hostname}";

     

       26
       26
       +
               };

     

       27
       27
       +
       

     

       28
       28
       +
               "auth.generic_oauth" = {

     

       29
       29
       +
                 enable = true;

     

       30
       30
       +
                 name = "Authelia";

     

       31
       31
       +
                 icon = "signin";

     

       32
       32
       +
       

     

       33
       33
       +
                 client_id = "grafana";

     

       34
       34
       +
                 client_secret_path = config.age.secrets.grafana-oidc-secret.path;

     

       35
       35
       +
                 auto_login = true;

     

       36
       36
       +
       

     

       37
       37
       +
                 scopes = [ "openid" "profile" "email" "groups" ];

     

       38
       38
       +
                 auth_url = "https://auth.wiro.world/api/oidc/authorization";

     

       39
       39
       +
                 token_url = "https://auth.wiro.world/api/oidc/token";

     

       40
       40
       +
                 api_url = "https://auth.wiro.world/api/oidc/userinfo";

     

       41
       41
       +
                 use_pkce = true;

     

       42
       42
       +
               };

     

       43
       43
       +
             };

     

       44
       44
       +
           };

     

       45
       45
       +
       

     

       46
       46
       +
           services.prometheus = {

     

       47
       47
       +
             enable = true;

     

       48
       48
       +
             port = prometheus-port;

     

       49
       49
       +
       

     

       50
       50
       +
             exporters.node = {

     

       51
       51
       +
               enable = true;

     

       52
       52
       +
               port = prometheus-node-exporter-port;

     

       53
       53
       +
             };

     

       54
       54
       +
       

     

       55
       55
       +
             scrapeConfigs = [

     

       56
       56
       +
               {

     

       57
       57
       +
                 job_name = "caddy";

     

       58
       58
       +
                 static_configs = [{ targets = [ "localhost:${toString caddy-metrics-port}" ]; }];

     

       59
       59
       +
               }

     

       60
       60
       +
               {

     

       61
       61
       +
                 job_name = "node-exporter";

     

       62
       62
       +
                 static_configs = [{ targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; }];

     

       63
       63
       +
               }

     

       64
       64
       +
               {

     

       65
       65
       +
                 job_name = "headscale";

     

       66
       66
       +
                 static_configs = [{ targets = [ "localhost:${toString headscale-metrics-port}" ]; }];

     

       67
       67
       +
               }

     

       68
       68
       +
               {

     

       69
       69
       +
                 job_name = "authelia";

     

       70
       70
       +
                 static_configs = [{ targets = [ "localhost:${toString authelia-metrics-port}" ]; }];

     

       71
       71
       +
               }

     

       72
       72
       +
             ];

     

       73
       73
       +
           };

     

       74
       74
       +
       

     

       75
       75
       +
           services.caddy = {

     

       76
       76
       +
             globalConfig = ''

     

       77
       77
       +
               metrics { per_host }

     

       78
       78
       +
             '';

     

       79
       79
       +
             virtualHosts.${grafana-hostname}.extraConfig = ''

     

       80
       80
       +
               reverse_proxy http://localhost:${toString grafana-port}

     

       81
       81
       +
             '';

     

       82
       82
       +
           };

     

       83
       83
       +
         };

     

       84
       84
       +
       }

+84

hosts/weird-row-server/headscale.nix

···

       1
       1
       +
       { pkgs

     

       2
       2
       +
       , config

     

       3
       3
       +
       , ...

     

       4
       4
       +
       }:

     

       5
       5
       +
       

     

       6
       6
       +
       let

     

       7
       7
       +
         json-format = pkgs.formats.json { };

     

       8
       8
       +
       

     

       9
       9
       +
         headscale-port = 3006;

     

       10
       10
       +
         headscale-derp-port = 3478;

     

       11
       11
       +
         headscale-hostname = "headscale.wiro.world";

     

       12
       12
       +
       

     

       13
       13
       +
         headscale-metrics-port = 9003;

     

       14
       14
       +
       in

     

       15
       15
       +
       {

     

       16
       16
       +
         config = {

     

       17
       17
       +
           networking.firewall.allowedUDPPorts = [ headscale-derp-port ];

     

       18
       18
       +
       

     

       19
       19
       +
           age.secrets.headscale-oidc-secret = { file = secrets/headscale-oidc-secret.age; owner = config.services.headscale.user; };

     

       20
       20
       +
           services.headscale = {

     

       21
       21
       +
             enable = true;

     

       22
       22
       +
       

     

       23
       23
       +
             port = headscale-port;

     

       24
       24
       +
             settings = {

     

       25
       25
       +
               server_url = "https://${headscale-hostname}";

     

       26
       26
       +
               metrics_listen_addr = "127.0.0.1:${toString headscale-metrics-port}";

     

       27
       27
       +
       

     

       28
       28
       +
               policy.path = json-format.generate "policy.json" {

     

       29
       29
       +
                 acls = [

     

       30
       30
       +
                   {

     

       31
       31
       +
                     action = "accept";

     

       32
       32
       +
                     src = [ "autogroup:member" ];

     

       33
       33
       +
                     dst = [ "autogroup:self:*" ];

     

       34
       34
       +
                   }

     

       35
       35
       +
                 ];

     

       36
       36
       +
                 ssh = [

     

       37
       37
       +
                   {

     

       38
       38
       +
                     action = "accept";

     

       39
       39
       +
                     src = [ "autogroup:member" ];

     

       40
       40
       +
                     dst = [ "autogroup:self" ];

     

       41
       41
       +
                     # Adding root here is privilege escalation as a feature :)

     

       42
       42
       +
                     users = [ "autogroup:nonroot" ];

     

       43
       43
       +
                   }

     

       44
       44
       +
                 ];

     

       45
       45
       +
               };

     

       46
       46
       +
       

     

       47
       47
       +
               # disable TLS

     

       48
       48
       +
               tls_cert_path = null;

     

       49
       49
       +
               tls_key_path = null;

     

       50
       50
       +
       

     

       51
       51
       +
               dns = {

     

       52
       52
       +
                 magic_dns = true;

     

       53
       53
       +
                 base_domain = "net.wiro.world";

     

       54
       54
       +
       

     

       55
       55
       +
                 override_local_dns = true;

     

       56
       56
       +
                 # Quad9 nameservers

     

       57
       57
       +
                 nameservers.global = [ "9.9.9.9" "149.112.112.112" "2620:fe::fe" "2620:fe::9" ];

     

       58
       58
       +
               };

     

       59
       59
       +
       

     

       60
       60
       +
               oidc = {

     

       61
       61
       +
                 only_start_if_oidc_is_available = true;

     

       62
       62
       +
                 issuer = "https://auth.wiro.world";

     

       63
       63
       +
                 client_id = "headscale";

     

       64
       64
       +
                 client_secret_path = config.age.secrets.headscale-oidc-secret.path;

     

       65
       65
       +
                 scope = [ "openid" "profile" "email" "groups" ];

     

       66
       66
       +
                 pkce.enabled = true;

     

       67
       67
       +
               };

     

       68
       68
       +
       

     

       69
       69
       +
               derp.server = {

     

       70
       70
       +
                 enable = true;

     

       71
       71
       +
                 stun_listen_addr = "0.0.0.0:${toString headscale-derp-port}";

     

       72
       72
       +
               };

     

       73
       73
       +
             };

     

       74
       74
       +
           };

     

       75
       75
       +
           # headscale only starts if oidc is available

     

       76
       76
       +
           systemd.services.headscale.after = [ "authelia-main.service" ];

     

       77
       77
       +
       

     

       78
       78
       +
           services.caddy = {

     

       79
       79
       +
             virtualHosts.${headscale-hostname}.extraConfig = ''

     

       80
       80
       +
               reverse_proxy http://localhost:${toString headscale-port}

     

       81
       81
       +
             '';

     

       82
       82
       +
           };

     

       83
       83
       +
         };

     

       84
       84
       +
       }

+42

hosts/weird-row-server/hypixel-bank-tracker.nix

···

       1
       1
       +
       { self

     

       2
       2
       +
       , config

     

       3
       3
       +
       , ...

     

       4
       4
       +
       }:

     

       5
       5
       +
       

     

       6
       6
       +
       let

     

       7
       7
       +
         inherit (self.inputs) hypixel-bank-tracker;

     

       8
       8
       +
       

     

       9
       9
       +
         hbt-main-port = 3013;

     

       10
       10
       +
         hbt-banana-port = 3014;

     

       11
       11
       +
       in

     

       12
       12
       +
       {

     

       13
       13
       +
         imports = [ hypixel-bank-tracker.nixosModules.default ];

     

       14
       14
       +
       

     

       15
       15
       +
         config = {

     

       16
       16
       +
           age.secrets.hypixel-bank-tracker-main.file = secrets/hypixel-bank-tracker-main.age;

     

       17
       17
       +
           services.hypixel-bank-tracker.instances.main = {

     

       18
       18
       +
             enable = true;

     

       19
       19
       +
       

     

       20
       20
       +
             port = hbt-main-port;

     

       21
       21
       +
             environmentFile = config.age.secrets.hypixel-bank-tracker-main.path;

     

       22
       22
       +
           };

     

       23
       23
       +
       

     

       24
       24
       +
           age.secrets.hypixel-bank-tracker-banana.file = secrets/hypixel-bank-tracker-banana.age;

     

       25
       25
       +
           services.hypixel-bank-tracker.instances.banana = {

     

       26
       26
       +
             enable = true;

     

       27
       27
       +
       

     

       28
       28
       +
             port = hbt-banana-port;

     

       29
       29
       +
             environmentFile = config.age.secrets.hypixel-bank-tracker-banana.path;

     

       30
       30
       +
           };

     

       31
       31
       +
       

     

       32
       32
       +
           services.caddy = {

     

       33
       33
       +
             virtualHosts."hypixel-bank-tracker.xyz".extraConfig = ''

     

       34
       34
       +
               reverse_proxy http://localhost:${toString config.services.hypixel-bank-tracker.instances.main.port}

     

       35
       35
       +
             '';

     

       36
       36
       +
       

     

       37
       37
       +
             virtualHosts."banana.hypixel-bank-tracker.xyz".extraConfig = ''

     

       38
       38
       +
               reverse_proxy http://localhost:${toString config.services.hypixel-bank-tracker.instances.banana.port}

     

       39
       39
       +
             '';

     

       40
       40
       +
           };

     

       41
       41
       +
         };

     

       42
       42
       +
       }

+38

hosts/weird-row-server/lldap.nix

···

       1
       1
       +
       { config

     

       2
       2
       +
       , ...

     

       3
       3
       +
       }:

     

       4
       4
       +
       

     

       5
       5
       +
       let

     

       6
       6
       +
         lldap-port = 3007;

     

       7
       7
       +
         lldap-hostname = "ldap.wiro.world";

     

       8
       8
       +
       in

     

       9
       9
       +
       {

     

       10
       10
       +
         config = {

     

       11
       11
       +
           age.secrets.lldap-env.file = secrets/lldap-env.age;

     

       12
       12
       +
           users.users.lldap = { isSystemUser = true; group = "lldap"; };

     

       13
       13
       +
           users.groups.lldap = { };

     

       14
       14
       +
           age.secrets.lldap-user-pass = { file = secrets/lldap-user-pass.age; owner = "lldap"; };

     

       15
       15
       +
           services.lldap = {

     

       16
       16
       +
             enable = true;

     

       17
       17
       +
       

     

       18
       18
       +
             silenceForceUserPassResetWarning = true;

     

       19
       19
       +
       

     

       20
       20
       +
             settings = {

     

       21
       21
       +
               http_url = "https://${lldap-hostname}";

     

       22
       22
       +
               http_port = lldap-port;

     

       23
       23
       +
       

     

       24
       24
       +
               ldap_user_pass_file = config.age.secrets.lldap-user-pass.path;

     

       25
       25
       +
               force_ldap_user_pass_reset = false;

     

       26
       26
       +
       

     

       27
       27
       +
               ldap_base_dn = "dc=wiro,dc=world";

     

       28
       28
       +
             };

     

       29
       29
       +
             environmentFile = config.age.secrets.lldap-env.path;

     

       30
       30
       +
           };

     

       31
       31
       +
       

     

       32
       32
       +
           services.caddy = {

     

       33
       33
       +
             virtualHosts.${lldap-hostname}.extraConfig = ''

     

       34
       34
       +
               reverse_proxy http://localhost:${toString lldap-port}

     

       35
       35
       +
             '';

     

       36
       36
       +
           };

     

       37
       37
       +
         };

     

       38
       38
       +
       }

+52

hosts/weird-row-server/miniflux.nix

···

       1
       1
       +
       { config

     

       2
       2
       +
       , ...

     

       3
       3
       +
       }:

     

       4
       4
       +
       

     

       5
       5
       +
       let

     

       6
       6
       +
         miniflux-port = 3012;

     

       7
       7
       +
         miniflux-hostname = "news.wiro.world";

     

       8
       8
       +
       in

     

       9
       9
       +
       {

     

       10
       10
       +
         config = {

     

       11
       11
       +
           users.users.miniflux = { isSystemUser = true; group = "miniflux"; };

     

       12
       12
       +
           users.groups.miniflux = { };

     

       13
       13
       +
           age.secrets.miniflux-oidc-secret = { file = secrets/miniflux-oidc-secret.age; owner = "miniflux"; };

     

       14
       14
       +
           services.miniflux = {

     

       15
       15
       +
             enable = true;

     

       16
       16
       +
       

     

       17
       17
       +
             createDatabaseLocally = true;

     

       18
       18
       +
             config = {

     

       19
       19
       +
               BASE_URL = "https://${miniflux-hostname}/";

     

       20
       20
       +
               LISTEN_ADDR = "127.0.0.1:${toString miniflux-port}";

     

       21
       21
       +
               CREATE_ADMIN = 0;

     

       22
       22
       +
       

     

       23
       23
       +
               METRICS_COLLECTOR = 1;

     

       24
       24
       +
       

     

       25
       25
       +
               OAUTH2_PROVIDER = "oidc";

     

       26
       26
       +
               OAUTH2_OIDC_PROVIDER_NAME = "wiro.world SSO";

     

       27
       27
       +
               OAUTH2_CLIENT_ID = "miniflux";

     

       28
       28
       +
               OAUTH2_CLIENT_SECRET_FILE = config.age.secrets.miniflux-oidc-secret.path;

     

       29
       29
       +
               OAUTH2_REDIRECT_URL = "https://${miniflux-hostname}/oauth2/oidc/callback";

     

       30
       30
       +
               OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://auth.wiro.world";

     

       31
       31
       +
               OAUTH2_USER_CREATION = 1;

     

       32
       32
       +
               DISABLE_LOCAL_AUTH = 1;

     

       33
       33
       +
       

     

       34
       34
       +
               RUN_MIGRATIONS = 1;

     

       35
       35
       +
       

     

       36
       36
       +
               # NetNewsWire is a very good iOS oss client that integrates well

     

       37
       37
       +
               # https://b.j4.lc/2025/05/05/setting-up-netnewswire-with-miniflux/

     

       38
       38
       +
             };

     

       39
       39
       +
           };

     

       40
       40
       +
       

     

       41
       41
       +
           services.prometheus.scrapeConfigs = [{

     

       42
       42
       +
             job_name = "miniflux";

     

       43
       43
       +
             static_configs = [{ targets = [ "localhost:${toString miniflux-port}" ]; }];

     

       44
       44
       +
           }];

     

       45
       45
       +
       

     

       46
       46
       +
           services.caddy = {

     

       47
       47
       +
             virtualHosts.${miniflux-hostname}.extraConfig = ''

     

       48
       48
       +
               reverse_proxy http://localhost:${toString miniflux-port}

     

       49
       49
       +
             '';

     

       50
       50
       +
           };

     

       51
       51
       +
         };

     

       52
       52
       +
       }

+43

hosts/weird-row-server/pds.nix

···

       1
       1
       +
       { config

     

       2
       2
       +
       , ...

     

       3
       3
       +
       }:

     

       4
       4
       +
       

     

       5
       5
       +
       let

     

       6
       6
       +
         pds-port = 3001;

     

       7
       7
       +
         pds-hostname = "pds.wiro.world";

     

       8
       8
       +
       in

     

       9
       9
       +
       {

     

       10
       10
       +
         config = {

     

       11
       11
       +
           age.secrets.pds-env.file = secrets/pds-env.age;

     

       12
       12
       +
           services.bluesky-pds = {

     

       13
       13
       +
             enable = true;

     

       14
       14
       +
       

     

       15
       15
       +
             settings = {

     

       16
       16
       +
               PDS_HOSTNAME = "pds.wiro.world";

     

       17
       17
       +
               PDS_PORT = pds-port;

     

       18
       18
       +
               # is in systemd /tmp subfolder

     

       19
       19
       +
               LOG_DESTINATION = "/tmp/pds.log";

     

       20
       20
       +
             };

     

       21
       21
       +
       

     

       22
       22
       +
             environmentFiles = [

     

       23
       23
       +
               config.age.secrets.pds-env.path

     

       24
       24
       +
             ];

     

       25
       25
       +
           };

     

       26
       26
       +
       

     

       27
       27
       +
           services.caddy = {

     

       28
       28
       +
             globalConfig = ''

     

       29
       29
       +
               on_demand_tls {

     

       30
       30
       +
                 ask http://localhost:${toString pds-port}/tls-check

     

       31
       31
       +
               }

     

       32
       32
       +
             '';

     

       33
       33
       +
       

     

       34
       34
       +
             virtualHosts.${pds-hostname} = {

     

       35
       35
       +
               serverAliases = [ "*.${pds-hostname}" ];

     

       36
       36
       +
               extraConfig = ''

     

       37
       37
       +
                 	tls { on_demand }

     

       38
       38
       +
                   reverse_proxy http://localhost:${toString pds-port}

     

       39
       39
       +
               '';

     

       40
       40
       +
             };

     

       41
       41
       +
           };

     

       42
       42
       +
         };

     

       43
       43
       +
       }

+54

hosts/weird-row-server/tangled.nix

···

       1
       1
       +
       { self

     

       2
       2
       +
       , config

     

       3
       3
       +
       , ...

     

       4
       4
       +
       }:

     

       5
       5
       +
       

     

       6
       6
       +
       let

     

       7
       7
       +
         inherit (self.inputs) tangled;

     

       8
       8
       +
       

     

       9
       9
       +
         tangled-owner = "did:plc:xhgrjm4mcx3p5h3y6eino6ti";

     

       10
       10
       +
         tangled-knot-port = 3003;

     

       11
       11
       +
         tangled-knot-hostname = "knot.wiro.world";

     

       12
       12
       +
         tangled-spindle-port = 3004;

     

       13
       13
       +
         tangled-spindle-hostname = "spindle.wiro.world";

     

       14
       14
       +
       in

     

       15
       15
       +
       {

     

       16
       16
       +
         imports = [

     

       17
       17
       +
           tangled.nixosModules.knot

     

       18
       18
       +
           tangled.nixosModules.spindle

     

       19
       19
       +
         ];

     

       20
       20
       +
       

     

       21
       21
       +
         config = {

     

       22
       22
       +
           services.tangled.knot = {

     

       23
       23
       +
             enable = true;

     

       24
       24
       +
             openFirewall = true;

     

       25
       25
       +
       

     

       26
       26
       +
             motd = "Welcome to @wiro.world's knot!\n";

     

       27
       27
       +
             server = {

     

       28
       28
       +
               listenAddr = "localhost:${toString tangled-knot-port}";

     

       29
       29
       +
               hostname = tangled-knot-hostname;

     

       30
       30
       +
               owner = tangled-owner;

     

       31
       31
       +
             };

     

       32
       32
       +
           };

     

       33
       33
       +
       

     

       34
       34
       +
           services.tangled.spindle = {

     

       35
       35
       +
             enable = true;

     

       36
       36
       +
       

     

       37
       37
       +
             server = {

     

       38
       38
       +
               listenAddr = "localhost:${toString tangled-spindle-port}";

     

       39
       39
       +
               hostname = tangled-spindle-hostname;

     

       40
       40
       +
               owner = tangled-owner;

     

       41
       41
       +
             };

     

       42
       42
       +
           };

     

       43
       43
       +
       

     

       44
       44
       +
           services.caddy = {

     

       45
       45
       +
             virtualHosts.${tangled-knot-hostname}.extraConfig = ''

     

       46
       46
       +
               reverse_proxy http://localhost:${toString tangled-knot-port}

     

       47
       47
       +
             '';

     

       48
       48
       +
       

     

       49
       49
       +
             virtualHosts.${tangled-spindle-hostname}.extraConfig = ''

     

       50
       50
       +
               reverse_proxy http://localhost:${toString tangled-spindle-port}

     

       51
       51
       +
             '';

     

       52
       52
       +
           };

     

       53
       53
       +
         };

     

       54
       54
       +
       }

+30

hosts/weird-row-server/thelounge.nix

···

       1
       1
       +
       { config

     

       2
       2
       +
       , ...

     

       3
       3
       +
       }:

     

       4
       4
       +
       

     

       5
       5
       +
       let

     

       6
       6
       +
         thelounge-port = 3005;

     

       7
       7
       +
         thelounge-hostname = "lounge.wiro.world";

     

       8
       8
       +
       in

     

       9
       9
       +
       {

     

       10
       10
       +
         config = {

     

       11
       11
       +
           services.thelounge = {

     

       12
       12
       +
             enable = true;

     

       13
       13
       +
             port = thelounge-port;

     

       14
       14
       +
             public = false;

     

       15
       15
       +
       

     

       16
       16
       +
             extraConfig = {

     

       17
       17
       +
               host = "127.0.0.1";

     

       18
       18
       +
               reverseProxy = true;

     

       19
       19
       +
       

     

       20
       20
       +
               # TODO: use ldap, find a way to hide password

     

       21
       21
       +
             };

     

       22
       22
       +
           };

     

       23
       23
       +
       

     

       24
       24
       +
           services.caddy = {

     

       25
       25
       +
             virtualHosts.${thelounge-hostname}.extraConfig = ''

     

       26
       26
       +
               reverse_proxy http://localhost:${toString thelounge-port}

     

       27
       27
       +
             '';

     

       28
       28
       +
           };

     

       29
       29
       +
         };

     

       30
       30
       +
       }

+45

hosts/weird-row-server/tuwunel.nix

···

       1
       1
       +
       { config

     

       2
       2
       +
       , ...

     

       3
       3
       +
       }:

     

       4
       4
       +
       

     

       5
       5
       +
       let

     

       6
       6
       +
         matrix-port = 3009;

     

       7
       7
       +
         matrix-hostname = "matrix.wiro.world";

     

       8
       8
       +
       

     

       9
       9
       +
         website-hostname = "wiro.world";

     

       10
       10
       +
       in

     

       11
       11
       +
       {

     

       12
       12
       +
         config = {

     

       13
       13
       +
           age.secrets.tuwunel-registration-tokens = { file = secrets/tuwunel-registration-tokens.age; owner = config.services.matrix-tuwunel.user; };

     

       14
       14
       +
           services.matrix-tuwunel = {

     

       15
       15
       +
             enable = true;

     

       16
       16
       +
       

     

       17
       17
       +
             settings.global = {

     

       18
       18
       +
               address = [ "127.0.0.1" ];

     

       19
       19
       +
               port = [ matrix-port ];

     

       20
       20
       +
       

     

       21
       21
       +
               server_name = "wiro.world";

     

       22
       22
       +
               well_known = {

     

       23
       23
       +
                 client = "https://matrix.wiro.world";

     

       24
       24
       +
                 server = "matrix.wiro.world:443";

     

       25
       25
       +
               };

     

       26
       26
       +
       

     

       27
       27
       +
               grant_admin_to_first_user = true;

     

       28
       28
       +
               new_user_displayname_suffix = "";

     

       29
       29
       +
       

     

       30
       30
       +
               allow_registration = true;

     

       31
       31
       +
               registration_token_file = config.age.secrets.tuwunel-registration-tokens.path;

     

       32
       32
       +
             };

     

       33
       33
       +
           };

     

       34
       34
       +
       

     

       35
       35
       +
           services.caddy = {

     

       36
       36
       +
             virtualHosts.${matrix-hostname}.extraConfig = ''

     

       37
       37
       +
               reverse_proxy /_matrix/* http://localhost:${toString matrix-port}

     

       38
       38
       +
             '';

     

       39
       39
       +
       

     

       40
       40
       +
             virtualHosts.${website-hostname}.extraConfig = ''

     

       41
       41
       +
               reverse_proxy /.well-known/matrix/* http://localhost:${toString matrix-port}

     

       42
       42
       +
             '';

     

       43
       43
       +
           };

     

       44
       44
       +
         };

     

       45
       45
       +
       }

+38

hosts/weird-row-server/vaultwarden.nix

···

       1
       1
       +
       { config

     

       2
       2
       +
       , ...

     

       3
       3
       +
       }:

     

       4
       4
       +
       

     

       5
       5
       +
       let

     

       6
       6
       +
         vaultwarden-port = 3011;

     

       7
       7
       +
         vaultwarden-hostname = "vault.wiro.world";

     

       8
       8
       +
       in

     

       9
       9
       +
       {

     

       10
       10
       +
         config = {

     

       11
       11
       +
           age.secrets.vaultwarden-env.file = secrets/vaultwarden-env.age;

     

       12
       12
       +
           services.vaultwarden = {

     

       13
       13
       +
             enable = true;

     

       14
       14
       +
       

     

       15
       15
       +
             environmentFile = config.age.secrets.vaultwarden-env.path;

     

       16
       16
       +
             config = {

     

       17
       17
       +
               ROCKET_PORT = vaultwarden-port;

     

       18
       18
       +
               DOMAIN = "https://${vaultwarden-hostname}";

     

       19
       19
       +
               SIGNUPS_ALLOWED = false;

     

       20
       20
       +
               ADMIN_TOKEN = "$argon2id$v=19$m=65540,t=3,p=4$YIe9wmrTsmjgZNPxe8m34O/d3XW3Fl/uZPPLQs79dAc$mjDVQSdBJqz2uBJuxtAvCIoHPzOnTDhNPuhER3dhHrY";

     

       21
       21
       +
       

     

       22
       22
       +
               SMTP_HOST = "smtp.resend.com";

     

       23
       23
       +
               SMTP_PORT = 2465;

     

       24
       24
       +
               SMTP_SECURITY = "force_tls";

     

       25
       25
       +
               SMTP_USERNAME = "resend";

     

       26
       26
       +
               # SMTP_PASSWORD = ...; # Via secret env

     

       27
       27
       +
               SMTP_FROM = "bitwarden@wiro.world";

     

       28
       28
       +
               SMTP_FROM_NAME = "Bitwarden wiro.world";

     

       29
       29
       +
             };

     

       30
       30
       +
           };

     

       31
       31
       +
       

     

       32
       32
       +
           services.caddy = {

     

       33
       33
       +
             virtualHosts.${vaultwarden-hostname}.extraConfig = ''

     

       34
       34
       +
               reverse_proxy http://localhost:${toString vaultwarden-port}

     

       35
       35
       +
             '';

     

       36
       36
       +
           };

     

       37
       37
       +
         };

     

       38
       38
       +
       }

+28

hosts/weird-row-server/warrior.nix

···

       1
       1
       +
       { config

     

       2
       2
       +
       , ...

     

       3
       3
       +
       }:

     

       4
       4
       +
       

     

       5
       5
       +
       let

     

       6
       6
       +
         warrior-port = 3015;

     

       7
       7
       +
         warrior-hostname = "warrior.wiro.world";

     

       8
       8
       +
       

     

       9
       9
       +
         authelia-port = 3008;

     

       10
       10
       +
       in

     

       11
       11
       +
       {

     

       12
       12
       +
         config = {

     

       13
       13
       +
           virtualisation.oci-containers.containers.archive-warrior = {

     

       14
       14
       +
             image = "atdr.meo.ws/archiveteam/warrior-dockerfile";

     

       15
       15
       +
             ports = [ "127.0.0.1:${toString warrior-port}:8001" ];

     

       16
       16
       +
             pull = "newer";

     

       17
       17
       +
           };

     

       18
       18
       +
       

     

       19
       19
       +
           services.caddy = {

     

       20
       20
       +
             virtualHosts.${warrior-hostname}.extraConfig = ''

     

       21
       21
       +
               forward_auth localhost:${toString authelia-port} {

     

       22
       22
       +
                   uri /api/authz/forward-auth

     

       23
       23
       +
               }

     

       24
       24
       +
               reverse_proxy http://localhost:${toString warrior-port}

     

       25
       25
       +
             '';

     

       26
       26
       +
           };

     

       27
       27
       +
         };

     

       28
       28
       +
       }

+77

hosts/weird-row-server/webfinger.nix

···

       1
       1
       +
       { pkgs

     

       2
       2
       +
       , config

     

       3
       3
       +
       , ...

     

       4
       4
       +
       }:

     

       5
       5
       +
       

     

       6
       6
       +
       let

     

       7
       7
       +
         webfinger-dir = pkgs.writeTextDir ".well-known/webfinger" ''

     

       8
       8
       +
           {

     

       9
       9
       +
             "subject": "acct:milo@wiro.world",

     

       10
       10
       +
             "aliases": [

     

       11
       11
       +
               "mailto:milo@wiro.world",

     

       12
       12
       +
               "https://wiro.world/"

     

       13
       13
       +
             ],

     

       14
       14
       +
             "links": [

     

       15
       15
       +
               {

     

       16
       16
       +
                 "rel": "http://wiro.world/rel/avatar",

     

       17
       17
       +
                 "href": "https://wiro.world/logo.jpg",

     

       18
       18
       +
                 "type": "image/jpeg"

     

       19
       19
       +
               },

     

       20
       20
       +
               {

     

       21
       21
       +
                 "rel": "http://webfinger.net/rel/profile-page",

     

       22
       22
       +
                 "href": "https://wiro.world/",

     

       23
       23
       +
                 "type": "text/html"

     

       24
       24
       +
               },

     

       25
       25
       +
               {

     

       26
       26
       +
                 "rel": "http://openid.net/specs/connect/1.0/issuer",

     

       27
       27
       +
                 "href": "https://auth.wiro.world"

     

       28
       28
       +
               }

     

       29
       29
       +
             ]

     

       30
       30
       +
           }

     

       31
       31
       +
         '';

     

       32
       32
       +
       

     

       33
       33
       +
         well-known-discord-dir = pkgs.writeTextDir ".well-known/discord" ''

     

       34
       34
       +
           dh=919234284ceb2aba439d15b9136073eb2308989b

     

       35
       35
       +
         '';

     

       36
       36
       +
       

     

       37
       37
       +
         website-hostname = "wiro.world";

     

       38
       38
       +
       in

     

       39
       39
       +
       {

     

       40
       40
       +
         config = {

     

       41
       41
       +
           services.caddy = {

     

       42
       42
       +
             virtualHosts.${website-hostname}.extraConfig = ''

     

       43
       43
       +
               @webfinger {

     

       44
       44
       +
                 path /.well-known/webfinger

     

       45
       45
       +
                 method GET HEAD

     

       46
       46
       +
                 query resource=acct:milo@wiro.world

     

       47
       47
       +
                 query resource=mailto:milo@wiro.world

     

       48
       48
       +
                 query resource=https://wiro.world

     

       49
       49
       +
                 query resource=https://wiro.world/

     

       50
       50
       +
               }

     

       51
       51
       +
               route @webfinger {

     

       52
       52
       +
                 header {

     

       53
       53
       +
                   Content-Type "application/jrd+json"

     

       54
       54
       +
                   Access-Control-Allow-Origin "*"

     

       55
       55
       +
                   X-Robots-Tag "noindex"

     

       56
       56
       +
                 }

     

       57
       57
       +
                 root ${webfinger-dir}

     

       58
       58
       +
                 file_server

     

       59
       59
       +
               }

     

       60
       60
       +
             '' +

     

       61
       61
       +
             ''

     

       62
       62
       +
               @discord {

     

       63
       63
       +
                 path /.well-known/discord

     

       64
       64
       +
                 method GET HEAD

     

       65
       65
       +
               }

     

       66
       66
       +
               route @discord {

     

       67
       67
       +
                 header {

     

       68
       68
       +
                   Access-Control-Allow-Origin "*"

     

       69
       69
       +
                   X-Robots-Tag "noindex"

     

       70
       70
       +
                 }

     

       71
       71
       +
                 root ${well-known-discord-dir}

     

       72
       72
       +
                 file_server

     

       73
       73
       +
               }

     

       74
       74
       +
             '';

     

       75
       75
       +
           };

     

       76
       76
       +
         };

     

       77
       77
       +
       }

+8 -1

lib/flake/default.nix

···

       44
       44
        
               ../../nixos/hardware/${hostName}.nix

     

       45
       45
        
               ../../nixos/profiles/${profile}.nix

     

       46
       46
        
             ];

     

       47
       47
       -
             networking.hostName = hostName;

     

       47
       47
       +
             config.networking.hostName = hostName;

     

       48
       48
       +
           };

     

       49
       49
       +
           host = hostName: {

     

       50
       50
       +
             imports = [

     

       51
       51
       +
               ../../nixos/hardware/${hostName}.nix

     

       52
       52
       +
               ../../hosts/${hostName}/default.nix

     

       53
       53
       +
             ];

     

       54
       54
       +
             config.networking.hostName = hostName;

     

       48
       55
        
           };

     

       49
       56
        
           user = import ./user.nix;

     

       50
       57
        
           managedDiskLayout = import ./managedDiskLayout.nix;

+1 -1

lib/flake/managedDiskLayout.nix

···

       26
       26
        
       

     

       27
       27
        
               The recommended amount from RedHat is:

     

       28
       28
        
       

     

       29
       29
       -
               Amount of RAM    Recommended swap space       Recommended swap space 

     

       29
       29
       +
               Amount of RAM    Recommended swap space       Recommended swap space

     

       30
       30
        
               in the system                                 if allowing for hibernation

     

       31
       31
        
               ——————————————   ——————————————————————————   ———————————————————————————

     

       32
       32
        
               ⩽ 2 GB           2 times the amount of RAM    3 times the amount of RAM

+1 -1

modules/home-manager/xcompose.nix

···

       14
       14
        
           loadConfigInEnv = mkOption {

     

       15
       15
        
             description = ''

     

       16
       16
        
               Load the XCompose file by passing the `XCOMPOSEFILE` environment variable instead of linking to ~/.XCompose.

     

       17
       17
       -
               

     

       17
       17
       +
       

     

       18
       18
        
               That is nice to avoid cluttering the HOME directory, it's preferable to disable it when experimenting

     

       19
       19
        
               with your compose config to reload faster than having to reload your VM.

     

       20
       20
        
             '';

+1 -1

nixos/fragments/kanata/arsenik.kbd.lisp

···

       59
       59
        
       ;; Numrow layer

     

       60
       60
        
       (deflayer numrow

     

       61
       61
        
         XX   XX   XX   XX   XX   XX   XX   XX   XX   XX   XX

     

       62
       62
       -
         XX   XX   XX   XX   XX        XX   XX   XX   XX   XX  

     

       62
       62
       +
         XX   XX   XX   XX   XX        XX   XX   XX   XX   XX

     

       63
       63
        
         @1   @2   @3   @4   @5        @6   @7   @8   @9   @0

     

       64
       64
        
         XX   XX   XX   XX   XX   XX   XX   XX   XX   XX   XX

     

       65
       65
        
              XX   XX             XX             XX   XX

+2 -2

nixos/fragments/logiops.nix

···

       23
       23
        
             let

     

       24
       24
        
               cid = {

     

       25
       25
        
                 #                  Control IDs │ reprog? │ fn key? │ mouse key? │ gesture support?

     

       26
       26
       -
                 leftMouse = 80; #         0x50 │         │         │ YES        │ 

     

       27
       27
       -
                 rightMouse = 81; #        0x51 │         │         │ YES        │ 

     

       26
       26
       +
                 leftMouse = 80; #         0x50 │         │         │ YES        │

     

       27
       27
       +
                 rightMouse = 81; #        0x51 │         │         │ YES        │

     

       28
       28
        
                 middleMouse = 81; #       0x52 │ YES     │         │ YES        │ YES

     

       29
       29
        
                 back = 83; #              0x53 │ YES     │         │ YES        │ YES

     

       30
       30
        
                 forward = 86; #           0x56 │ YES     │         │ YES        │ YES

+1 -1

nixos/fragments/security.nix

···

       20
       20
        
           security.polkit.enable = true;

     

       21
       21
        
           security.rtkit.enable = true;

     

       22
       22
        
       

     

       23
       23
       -
           # Systemd Login  

     

       23
       23
       +
           # Systemd Login

     

       24
       24
        
           services.logind.settings.Login = {

     

       25
       25
        
             HandleLidSwitch = "suspend";

     

       26
       26
        
             IdleAction = "lock";

+1 -1

nixos/profiles/laptop.nix

···

       91
       91
        
           };

     

       92
       92
        
           users.users.${config.local.user.username}.extraGroups = [ "wireshark" "plugdev" ];

     

       93
       93
        
       

     

       94
       94
       -
           # This option is already filled with aliases that snowball and have 

     

       94
       94
       +
           # This option is already filled with aliases that snowball and have

     

       95
       95
        
           # priority on fish internal `ls` aliases

     

       96
       96
        
           environment.shellAliases = { ls = null; ll = null; l = null; };

     

       97
       97
        
           programs.fish.enable = true;

-724

nixos/profiles/server.nix

···

       1
       1
       -
       { self

     

       2
       2
       -
       , config

     

       3
       3
       -
       , pkgs

     

       4
       4
       -
       , ...

     

       5
       5
       -
       }:

     

       6
       6
       -
       

     

       7
       7
       -
       let

     

       8
       8
       -
         inherit (self.inputs) srvos hypixel-bank-tracker tangled;

     

       9
       9
       -
       

     

       10
       10
       -
         json-format = pkgs.formats.json { };

     

       11
       11
       -
       

     

       12
       12
       -
         ext-if = "eth0";

     

       13
       13
       -
         external-ip = "91.99.55.74";

     

       14
       14
       -
         external-netmask = 27;

     

       15
       15
       -
         external-gw = "144.x.x.255";

     

       16
       16
       -
         external-ip6 = "2a01:4f8:c2c:76d2::1";

     

       17
       17
       -
         external-netmask6 = 64;

     

       18
       18
       -
         external-gw6 = "fe80::1";

     

       19
       19
       -
       

     

       20
       20
       -
         well-known-discord-dir = pkgs.writeTextDir ".well-known/discord" ''

     

       21
       21
       -
           dh=919234284ceb2aba439d15b9136073eb2308989b

     

       22
       22
       -
         '';

     

       23
       23
       -
         webfinger-dir = pkgs.writeTextDir ".well-known/webfinger" ''

     

       24
       24
       -
           {

     

       25
       25
       -
             "subject": "acct:milo@wiro.world",

     

       26
       26
       -
             "aliases": [

     

       27
       27
       -
               "mailto:milo@wiro.world",

     

       28
       28
       -
               "https://wiro.world/"

     

       29
       29
       -
             ],

     

       30
       30
       -
             "links": [

     

       31
       31
       -
               {

     

       32
       32
       -
                 "rel": "http://wiro.world/rel/avatar",

     

       33
       33
       -
                 "href": "https://wiro.world/logo.jpg",

     

       34
       34
       -
                 "type": "image/jpeg"

     

       35
       35
       -
               },

     

       36
       36
       -
               {

     

       37
       37
       -
                 "rel": "http://webfinger.net/rel/profile-page",

     

       38
       38
       -
                 "href": "https://wiro.world/",

     

       39
       39
       -
                 "type": "text/html"

     

       40
       40
       -
               },

     

       41
       41
       -
               {

     

       42
       42
       -
                 "rel": "http://openid.net/specs/connect/1.0/issuer",

     

       43
       43
       -
                 "href": "https://auth.wiro.world"

     

       44
       44
       -
               }

     

       45
       45
       -
             ]

     

       46
       46
       -
           }

     

       47
       47
       -
         '';

     

       48
       48
       -
       

     

       49
       49
       -
         website-hostname = "wiro.world";

     

       50
       50
       -
       

     

       51
       51
       -
         pds-port = 3001;

     

       52
       52
       -
         pds-hostname = "pds.wiro.world";

     

       53
       53
       -
       

     

       54
       54
       -
         grafana-port = 3002;

     

       55
       55
       -
         grafana-hostname = "console.wiro.world";

     

       56
       56
       -
       

     

       57
       57
       -
         tangled-owner = "did:plc:xhgrjm4mcx3p5h3y6eino6ti";

     

       58
       58
       -
         tangled-knot-port = 3003;

     

       59
       59
       -
         tangled-knot-hostname = "knot.wiro.world";

     

       60
       60
       -
         tangled-spindle-port = 3004;

     

       61
       61
       -
         tangled-spindle-hostname = "spindle.wiro.world";

     

       62
       62
       -
       

     

       63
       63
       -
         thelounge-port = 3005;

     

       64
       64
       -
         thelounge-hostname = "lounge.wiro.world";

     

       65
       65
       -
       

     

       66
       66
       -
         headscale-port = 3006;

     

       67
       67
       -
         headscale-derp-port = 3478;

     

       68
       68
       -
         headscale-hostname = "headscale.wiro.world";

     

       69
       69
       -
       

     

       70
       70
       -
         lldap-port = 3007;

     

       71
       71
       -
         lldap-hostname = "ldap.wiro.world";

     

       72
       72
       -
       

     

       73
       73
       -
         authelia-port = 3008;

     

       74
       74
       -
         authelia-hostname = "auth.wiro.world";

     

       75
       75
       -
       

     

       76
       76
       -
         matrix-port = 3009;

     

       77
       77
       -
         matrix-hostname = "matrix.wiro.world";

     

       78
       78
       -
       

     

       79
       79
       -
         goatcounter-port = 3010;

     

       80
       80
       -
         goatcounter-hostname = "stats.wiro.world";

     

       81
       81
       -
       

     

       82
       82
       -
         vaultwarden-port = 3011;

     

       83
       83
       -
         vaultwarden-hostname = "vault.wiro.world";

     

       84
       84
       -
       

     

       85
       85
       -
         miniflux-port = 3012;

     

       86
       86
       -
         miniflux-hostname = "news.wiro.world";

     

       87
       87
       -
       

     

       88
       88
       -
         static-hostname = "static.wiro.world";

     

       89
       89
       -
       

     

       90
       90
       -
         hbt-main-port = 3013;

     

       91
       91
       -
         hbt-banana-port = 3014;

     

       92
       92
       -
       

     

       93
       93
       -
         warrior-port = 3015;

     

       94
       94
       -
         warrior-hostname = "warrior.wiro.world";

     

       95
       95
       -
       

     

       96
       96
       -
         prometheus-port = 9001;

     

       97
       97
       -
         prometheus-node-exporter-port = 9002;

     

       98
       98
       -
         headscale-metrics-port = 9003;

     

       99
       99
       -
         authelia-metrics-port = 9004;

     

       100
       100
       -
       in

     

       101
       101
       -
       {

     

       102
       102
       -
         imports = [

     

       103
       103
       -
           srvos.nixosModules.server

     

       104
       104
       -
           srvos.nixosModules.hardware-hetzner-cloud

     

       105
       105
       -
           srvos.nixosModules.mixins-terminfo

     

       106
       106
       -
       

     

       107
       107
       -
           hypixel-bank-tracker.nixosModules.default

     

       108
       108
       -
       

     

       109
       109
       -
           tangled.nixosModules.knot

     

       110
       110
       -
           tangled.nixosModules.spindle

     

       111
       111
       -
         ];

     

       112
       112
       -
       

     

       113
       113
       -
         config = {

     

       114
       114
       -
           boot.loader.grub.enable = true;

     

       115
       115
       -
           boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" "ext4" ];

     

       116
       116
       -
       

     

       117
       117
       -
           # Single network card is `eth0`

     

       118
       118
       -
           networking.usePredictableInterfaceNames = false;

     

       119
       119
       -
       

     

       120
       120
       -
           networking.nameservers = [ "2001:4860:4860::8888" "2001:4860:4860::8844" ];

     

       121
       121
       -
       

     

       122
       122
       -
           networking = {

     

       123
       123
       -
             interfaces.${ext-if} = {

     

       124
       124
       -
               ipv4.addresses = [{ address = external-ip; prefixLength = external-netmask; }];

     

       125
       125
       -
               ipv6.addresses = [{ address = external-ip6; prefixLength = external-netmask6; }];

     

       126
       126
       -
             };

     

       127
       127
       -
             defaultGateway = { interface = ext-if; address = external-gw; };

     

       128
       128
       -
             defaultGateway6 = { interface = ext-if; address = external-gw6; };

     

       129
       129
       -
       

     

       130
       130
       -
             # Reflect firewall configuration on Hetzner

     

       131
       131
       -
             firewall.allowedTCPPorts = [ 22 80 443 ];

     

       132
       132
       -
             firewall.allowedUDPPorts = [ headscale-derp-port ];

     

       133
       133
       -
           };

     

       134
       134
       -
       

     

       135
       135
       -
           services.qemuGuest.enable = true;

     

       136
       136
       -
       

     

       137
       137
       -
           services.openssh.enable = true;

     

       138
       138
       -
       

     

       139
       139
       -
           services.tailscale.enable = true;

     

       140
       140
       -
       

     

       141
       141
       -
           security.sudo.wheelNeedsPassword = false;

     

       142
       142
       -
       

     

       143
       143
       -
           local.fragment.nix.enable = true;

     

       144
       144
       -
       

     

       145
       145
       -
           programs.fish.enable = true;

     

       146
       146
       -
       

     

       147
       147
       -
           services.fail2ban = {

     

       148
       148
       -
             enable = true;

     

       149
       149
       -
       

     

       150
       150
       -
             maxretry = 5;

     

       151
       151
       -
             ignoreIP = [ ];

     

       152
       152
       -
       

     

       153
       153
       -
             bantime = "24h";

     

       154
       154
       -
             bantime-increment = {

     

       155
       155
       -
               enable = true;

     

       156
       156
       -
               multipliers = "1 2 4 8 16 32 64";

     

       157
       157
       -
               maxtime = "168h";

     

       158
       158
       -
               overalljails = true;

     

       159
       159
       -
             };

     

       160
       160
       -
       

     

       161
       161
       -
             jails = { };

     

       162
       162
       -
           };

     

       163
       163
       -
       

     

       164
       164
       -
           services.caddy = {

     

       165
       165
       -
             enable = true;

     

       166
       166
       -
       

     

       167
       167
       -
             globalConfig = ''

     

       168
       168
       -
               metrics { per_host }

     

       169
       169
       -
       

     

       170
       170
       -
               on_demand_tls {

     

       171
       171
       -
                 ask http://localhost:${toString pds-port}/tls-check

     

       172
       172
       -
               }

     

       173
       173
       -
             '';

     

       174
       174
       -
       

     

       175
       175
       -
             virtualHosts.${website-hostname}.extraConfig =

     

       176
       176
       -
               ''

     

       177
       177
       -
                 @discord {

     

       178
       178
       -
                   path /.well-known/discord

     

       179
       179
       -
                   method GET HEAD

     

       180
       180
       -
                 }

     

       181
       181
       -
                 route @discord {

     

       182
       182
       -
                   header {

     

       183
       183
       -
                     Access-Control-Allow-Origin "*"

     

       184
       184
       -
                     X-Robots-Tag "noindex"

     

       185
       185
       -
                   }

     

       186
       186
       -
                   root ${well-known-discord-dir}

     

       187
       187
       -
                   file_server

     

       188
       188
       -
                 }

     

       189
       189
       -
               '' +

     

       190
       190
       -
               ''

     

       191
       191
       -
                 @webfinger {

     

       192
       192
       -
                   path /.well-known/webfinger

     

       193
       193
       -
                   method GET HEAD

     

       194
       194
       -
                   query resource=acct:milo@wiro.world

     

       195
       195
       -
                   query resource=mailto:milo@wiro.world

     

       196
       196
       -
                   query resource=https://wiro.world

     

       197
       197
       -
                   query resource=https://wiro.world/

     

       198
       198
       -
                 }

     

       199
       199
       -
                 route @webfinger {

     

       200
       200
       -
                   header {

     

       201
       201
       -
                     Content-Type "application/jrd+json"

     

       202
       202
       -
                     Access-Control-Allow-Origin "*"

     

       203
       203
       -
                     X-Robots-Tag "noindex"

     

       204
       204
       -
                   }

     

       205
       205
       -
                   root ${webfinger-dir}

     

       206
       206
       -
                   file_server

     

       207
       207
       -
                 }

     

       208
       208
       -
               '' +

     

       209
       209
       -
               ''

     

       210
       210
       -
                 reverse_proxy /.well-known/matrix/* http://localhost:${toString matrix-port}

     

       211
       211
       -
               '' +

     

       212
       212
       -
               # TODO: host website on server with automatic deployment

     

       213
       213
       -
               ''

     

       214
       214
       -
                 reverse_proxy https://mrnossiom.github.io {

     

       215
       215
       -
                 	header_up Host {http.request.host}

     

       216
       216
       -
                 }

     

       217
       217
       -
               '';

     

       218
       218
       -
       

     

       219
       219
       -
             virtualHosts.${grafana-hostname}.extraConfig = ''

     

       220
       220
       -
               reverse_proxy http://localhost:${toString grafana-port}

     

       221
       221
       -
             '';

     

       222
       222
       -
       

     

       223
       223
       -
             virtualHosts.${pds-hostname} = {

     

       224
       224
       -
               serverAliases = [ "*.${pds-hostname}" ];

     

       225
       225
       -
               extraConfig = ''

     

       226
       226
       -
                 	tls { on_demand }

     

       227
       227
       -
                   reverse_proxy http://localhost:${toString pds-port}

     

       228
       228
       -
               '';

     

       229
       229
       -
             };

     

       230
       230
       -
       

     

       231
       231
       -
             virtualHosts.${tangled-knot-hostname}.extraConfig = ''

     

       232
       232
       -
               reverse_proxy http://localhost:${toString tangled-knot-port}

     

       233
       233
       -
             '';

     

       234
       234
       -
       

     

       235
       235
       -
             virtualHosts.${tangled-spindle-hostname}.extraConfig = ''

     

       236
       236
       -
               reverse_proxy http://localhost:${toString tangled-spindle-port}

     

       237
       237
       -
             '';

     

       238
       238
       -
       

     

       239
       239
       -
             virtualHosts.${thelounge-hostname}.extraConfig = ''

     

       240
       240
       -
               reverse_proxy http://localhost:${toString thelounge-port}

     

       241
       241
       -
             '';

     

       242
       242
       -
       

     

       243
       243
       -
             virtualHosts.${headscale-hostname}.extraConfig = ''

     

       244
       244
       -
               reverse_proxy http://localhost:${toString headscale-port}

     

       245
       245
       -
             '';

     

       246
       246
       -
       

     

       247
       247
       -
             virtualHosts.${lldap-hostname}.extraConfig = ''

     

       248
       248
       -
               reverse_proxy http://localhost:${toString lldap-port}

     

       249
       249
       -
             '';

     

       250
       250
       -
       

     

       251
       251
       -
             virtualHosts.${authelia-hostname}.extraConfig = ''

     

       252
       252
       -
               reverse_proxy http://localhost:${toString authelia-port}

     

       253
       253
       -
             '';

     

       254
       254
       -
       

     

       255
       255
       -
             virtualHosts.${matrix-hostname}.extraConfig = ''

     

       256
       256
       -
               reverse_proxy /_matrix/* http://localhost:${toString matrix-port}

     

       257
       257
       -
             '';

     

       258
       258
       -
       

     

       259
       259
       -
             virtualHosts.${goatcounter-hostname}.extraConfig = ''

     

       260
       260
       -
               reverse_proxy http://localhost:${toString goatcounter-port}

     

       261
       261
       -
             '';

     

       262
       262
       -
       

     

       263
       263
       -
             virtualHosts.${vaultwarden-hostname}.extraConfig = ''

     

       264
       264
       -
               reverse_proxy http://localhost:${toString vaultwarden-port}

     

       265
       265
       -
             '';

     

       266
       266
       -
       

     

       267
       267
       -
             virtualHosts.${miniflux-hostname}.extraConfig = ''

     

       268
       268
       -
               reverse_proxy http://localhost:${toString miniflux-port}

     

       269
       269
       -
             '';

     

       270
       270
       -
       

     

       271
       271
       -
             virtualHosts.${static-hostname}.extraConfig = ''

     

       272
       272
       -
               root /var/www/static

     

       273
       273
       -
               file_server browse

     

       274
       274
       -
             '';

     

       275
       275
       -
       

     

       276
       276
       -
             virtualHosts."hypixel-bank-tracker.xyz".extraConfig = ''

     

       277
       277
       -
               reverse_proxy http://localhost:${toString hbt-main-port}

     

       278
       278
       -
             '';

     

       279
       279
       -
             virtualHosts."banana.hypixel-bank-tracker.xyz".extraConfig = ''

     

       280
       280
       -
               reverse_proxy http://localhost:${toString hbt-banana-port}

     

       281
       281
       -
             '';

     

       282
       282
       -
       

     

       283
       283
       -
             virtualHosts.${warrior-hostname}.extraConfig = ''

     

       284
       284
       -
               forward_auth localhost:${toString authelia-port} {

     

       285
       285
       -
                   uri /api/authz/forward-auth

     

       286
       286
       -
               }

     

       287
       287
       -
               reverse_proxy http://localhost:${toString warrior-port}

     

       288
       288
       -
             '';

     

       289
       289
       -
           };

     

       290
       290
       -
       

     

       291
       291
       -
           age.secrets.pds-env.file = ../../secrets/pds-env.age;

     

       292
       292
       -
           services.bluesky-pds = {

     

       293
       293
       -
             enable = true;

     

       294
       294
       -
       

     

       295
       295
       -
             settings = {

     

       296
       296
       -
               PDS_HOSTNAME = "pds.wiro.world";

     

       297
       297
       -
               PDS_PORT = pds-port;

     

       298
       298
       -
               # is in systemd /tmp subfolder

     

       299
       299
       -
               LOG_DESTINATION = "/tmp/pds.log";

     

       300
       300
       -
             };

     

       301
       301
       -
       

     

       302
       302
       -
             environmentFiles = [

     

       303
       303
       -
               config.age.secrets.pds-env.path

     

       304
       304
       -
             ];

     

       305
       305
       -
           };

     

       306
       306
       -
       

     

       307
       307
       -
           services.tangled.knot = {

     

       308
       308
       -
             enable = true;

     

       309
       309
       -
             openFirewall = true;

     

       310
       310
       -
       

     

       311
       311
       -
             motd = "Welcome to @wiro.world's knot!\n";

     

       312
       312
       -
             server = {

     

       313
       313
       -
               listenAddr = "localhost:${toString tangled-knot-port}";

     

       314
       314
       -
               hostname = tangled-knot-hostname;

     

       315
       315
       -
               owner = tangled-owner;

     

       316
       316
       -
             };

     

       317
       317
       -
           };

     

       318
       318
       -
       

     

       319
       319
       -
           services.tangled.spindle = {

     

       320
       320
       -
             enable = true;

     

       321
       321
       -
       

     

       322
       322
       -
             server = {

     

       323
       323
       -
               listenAddr = "localhost:${toString tangled-spindle-port}";

     

       324
       324
       -
               hostname = tangled-spindle-hostname;

     

       325
       325
       -
               owner = tangled-owner;

     

       326
       326
       -
             };

     

       327
       327
       -
           };

     

       328
       328
       -
       

     

       329
       329
       -
           age.secrets.grafana-oidc-secret = { file = ../../secrets/grafana-oidc-secret.age; owner = "grafana"; };

     

       330
       330
       -
           services.grafana = {

     

       331
       331
       -
             enable = true;

     

       332
       332
       -
       

     

       333
       333
       -
             settings = {

     

       334
       334
       -
               server = {

     

       335
       335
       -
                 http_port = grafana-port;

     

       336
       336
       -
                 domain = grafana-hostname;

     

       337
       337
       -
                 root_url = "https://${grafana-hostname}";

     

       338
       338
       -
               };

     

       339
       339
       -
       

     

       340
       340
       -
               "auth.generic_oauth" = {

     

       341
       341
       -
                 enable = true;

     

       342
       342
       -
                 name = "Authelia";

     

       343
       343
       -
                 icon = "signin";

     

       344
       344
       -
       

     

       345
       345
       -
                 client_id = "grafana";

     

       346
       346
       -
                 client_secret_path = config.age.secrets.grafana-oidc-secret.path;

     

       347
       347
       -
                 auto_login = true;

     

       348
       348
       -
       

     

       349
       349
       -
                 scopes = [ "openid" "profile" "email" "groups" ];

     

       350
       350
       -
                 auth_url = "https://auth.wiro.world/api/oidc/authorization";

     

       351
       351
       -
                 token_url = "https://auth.wiro.world/api/oidc/token";

     

       352
       352
       -
                 api_url = "https://auth.wiro.world/api/oidc/userinfo";

     

       353
       353
       -
                 use_pkce = true;

     

       354
       354
       -
               };

     

       355
       355
       -
             };

     

       356
       356
       -
           };

     

       357
       357
       -
       

     

       358
       358
       -
           services.prometheus = {

     

       359
       359
       -
             enable = true;

     

       360
       360
       -
             port = prometheus-port;

     

       361
       361
       -
       

     

       362
       362
       -
             scrapeConfigs = [

     

       363
       363
       -
               {

     

       364
       364
       -
                 job_name = "caddy";

     

       365
       365
       -
                 static_configs = [{ targets = [ "localhost:${toString 2019}" ]; }];

     

       366
       366
       -
               }

     

       367
       367
       -
               {

     

       368
       368
       -
                 job_name = "node-exporter";

     

       369
       369
       -
                 static_configs = [{ targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; }];

     

       370
       370
       -
               }

     

       371
       371
       -
               {

     

       372
       372
       -
                 job_name = "headscale";

     

       373
       373
       -
                 static_configs = [{ targets = [ "localhost:${toString headscale-metrics-port}" ]; }];

     

       374
       374
       -
               }

     

       375
       375
       -
               {

     

       376
       376
       -
                 job_name = "authelia";

     

       377
       377
       -
                 static_configs = [{ targets = [ "localhost:${toString authelia-metrics-port}" ]; }];

     

       378
       378
       -
               }

     

       379
       379
       -
               {

     

       380
       380
       -
                 job_name = "miniflux";

     

       381
       381
       -
                 static_configs = [{ targets = [ "localhost:${toString miniflux-port}" ]; }];

     

       382
       382
       -
               }

     

       383
       383
       -
             ];

     

       384
       384
       -
       

     

       385
       385
       -
             exporters.node = {

     

       386
       386
       -
               enable = true;

     

       387
       387
       -
               port = prometheus-node-exporter-port;

     

       388
       388
       -
             };

     

       389
       389
       -
           };

     

       390
       390
       -
       

     

       391
       391
       -
           services.thelounge = {

     

       392
       392
       -
             enable = true;

     

       393
       393
       -
             port = thelounge-port;

     

       394
       394
       -
             public = false;

     

       395
       395
       -
       

     

       396
       396
       -
             extraConfig = {

     

       397
       397
       -
               host = "127.0.0.1";

     

       398
       398
       -
               reverseProxy = true;

     

       399
       399
       -
       

     

       400
       400
       -
               # TODO: use ldap, find a way to hide password

     

       401
       401
       -
             };

     

       402
       402
       -
           };

     

       403
       403
       -
       

     

       404
       404
       -
           age.secrets.headscale-oidc-secret = { file = ../../secrets/headscale-oidc-secret.age; owner = config.services.headscale.user; };

     

       405
       405
       -
           # TODO: add dependency on authelia

     

       406
       406
       -
           services.headscale = {

     

       407
       407
       -
             enable = true;

     

       408
       408
       -
       

     

       409
       409
       -
             port = headscale-port;

     

       410
       410
       -
             settings = {

     

       411
       411
       -
               server_url = "https://${headscale-hostname}";

     

       412
       412
       -
               metrics_listen_addr = "127.0.0.1:${toString headscale-metrics-port}";

     

       413
       413
       -
       

     

       414
       414
       -
               policy.path = json-format.generate "policy.json" {

     

       415
       415
       -
                 acls = [

     

       416
       416
       -
                   {

     

       417
       417
       -
                     action = "accept";

     

       418
       418
       -
                     src = [ "autogroup:member" ];

     

       419
       419
       -
                     dst = [ "autogroup:self:*" ];

     

       420
       420
       -
                   }

     

       421
       421
       -
                 ];

     

       422
       422
       -
                 ssh = [

     

       423
       423
       -
                   {

     

       424
       424
       -
                     action = "accept";

     

       425
       425
       -
                     src = [ "autogroup:member" ];

     

       426
       426
       -
                     dst = [ "autogroup:self" ];

     

       427
       427
       -
                     # Adding root here is privilege escalation as a feature :)

     

       428
       428
       -
                     users = [ "autogroup:nonroot" ];

     

       429
       429
       -
                   }

     

       430
       430
       -
                 ];

     

       431
       431
       -
               };

     

       432
       432
       -
       

     

       433
       433
       -
               # disable TLS

     

       434
       434
       -
               tls_cert_path = null;

     

       435
       435
       -
               tls_key_path = null;

     

       436
       436
       -
       

     

       437
       437
       -
               dns = {

     

       438
       438
       -
                 magic_dns = true;

     

       439
       439
       -
                 base_domain = "net.wiro.world";

     

       440
       440
       -
       

     

       441
       441
       -
                 override_local_dns = true;

     

       442
       442
       -
                 # Quad9 nameservers

     

       443
       443
       -
                 nameservers.global = [ "9.9.9.9" "149.112.112.112" "2620:fe::fe" "2620:fe::9" ];

     

       444
       444
       -
               };

     

       445
       445
       -
       

     

       446
       446
       -
               oidc = {

     

       447
       447
       -
                 only_start_if_oidc_is_available = true;

     

       448
       448
       -
                 issuer = "https://auth.wiro.world";

     

       449
       449
       -
                 client_id = "headscale";

     

       450
       450
       -
                 client_secret_path = config.age.secrets.headscale-oidc-secret.path;

     

       451
       451
       -
                 scope = [ "openid" "profile" "email" "groups" ];

     

       452
       452
       -
                 pkce.enabled = true;

     

       453
       453
       -
               };

     

       454
       454
       -
       

     

       455
       455
       -
               derp.server = {

     

       456
       456
       -
                 enable = true;

     

       457
       457
       -
                 stun_listen_addr = "0.0.0.0:${toString headscale-derp-port}";

     

       458
       458
       -
               };

     

       459
       459
       -
             };

     

       460
       460
       -
           };

     

       461
       461
       -
       

     

       462
       462
       -
           age.secrets.lldap-env.file = ../../secrets/lldap-env.age;

     

       463
       463
       -
           users.users.lldap = { isSystemUser = true; group = "lldap"; };

     

       464
       464
       -
           users.groups.lldap = { };

     

       465
       465
       -
           age.secrets.lldap-user-pass = { file = ../../secrets/lldap-user-pass.age; owner = "lldap"; };

     

       466
       466
       -
           services.lldap = {

     

       467
       467
       -
             enable = true;

     

       468
       468
       -
             settings = {

     

       469
       469
       -
               http_url = "https://${lldap-hostname}";

     

       470
       470
       -
               http_port = lldap-port;

     

       471
       471
       -
       

     

       472
       472
       -
               ldap_user_pass_file = config.age.secrets.lldap-user-pass.path;

     

       473
       473
       -
               force_ldap_user_pass_reset = false;

     

       474
       474
       -
       

     

       475
       475
       -
               ldap_base_dn = "dc=wiro,dc=world";

     

       476
       476
       -
             };

     

       477
       477
       -
             environmentFile = config.age.secrets.lldap-env.path;

     

       478
       478
       -
           };

     

       479
       479
       -
       

     

       480
       480
       -
           age.secrets.authelia-jwt-secret = { file = ../../secrets/authelia-jwt-secret.age; owner = config.services.authelia.instances.main.user; };

     

       481
       481
       -
           age.secrets.authelia-issuer-private-key = { file = ../../secrets/authelia-issuer-private-key.age; owner = config.services.authelia.instances.main.user; };

     

       482
       482
       -
           age.secrets.authelia-storage-key = { file = ../../secrets/authelia-storage-key.age; owner = config.services.authelia.instances.main.user; };

     

       483
       483
       -
           age.secrets.authelia-ldap-password = { file = ../../secrets/authelia-ldap-password.age; owner = config.services.authelia.instances.main.user; };

     

       484
       484
       -
           age.secrets.authelia-smtp-password = { file = ../../secrets/authelia-smtp-password.age; owner = config.services.authelia.instances.main.user; };

     

       485
       485
       -
           services.authelia.instances.main = {

     

       486
       486
       -
             enable = true;

     

       487
       487
       -
       

     

       488
       488
       -
             secrets = {

     

       489
       489
       -
               jwtSecretFile = config.age.secrets.authelia-jwt-secret.path;

     

       490
       490
       -
               oidcIssuerPrivateKeyFile = config.age.secrets.authelia-issuer-private-key.path;

     

       491
       491
       -
               storageEncryptionKeyFile = config.age.secrets.authelia-storage-key.path;

     

       492
       492
       -
             };

     

       493
       493
       -
             environmentVariables = {

     

       494
       494
       -
               AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.age.secrets.authelia-ldap-password.path;

     

       495
       495
       -
               AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = config.age.secrets.authelia-smtp-password.path;

     

       496
       496
       -
             };

     

       497
       497
       -
             settings = {

     

       498
       498
       -
               server.address = "localhost:${toString authelia-port}";

     

       499
       499
       -
               storage.local.path = "/var/lib/authelia-main/db.sqlite3";

     

       500
       500
       -
               telemetry.metrics = {

     

       501
       501
       -
                 enabled = true;

     

       502
       502
       -
                 address = "tcp://:${toString authelia-metrics-port}/metrics";

     

       503
       503
       -
               };

     

       504
       504
       -
       

     

       505
       505
       -
               session = {

     

       506
       506
       -
                 cookies = [{

     

       507
       507
       -
                   domain = "wiro.world";

     

       508
       508
       -
                   authelia_url = "https://${authelia-hostname}";

     

       509
       509
       -
                   default_redirection_url = "https://wiro.world";

     

       510
       510
       -
                 }];

     

       511
       511
       -
               };

     

       512
       512
       -
       

     

       513
       513
       -
               authentication_backend.ldap = {

     

       514
       514
       -
                 address = "ldap://localhost:3890";

     

       515
       515
       -
                 timeout = "5m"; # replace with systemd dependency

     

       516
       516
       -
       

     

       517
       517
       -
                 user = "uid=authelia,ou=people,dc=wiro,dc=world";

     

       518
       518
       -
                 # Set in `AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE`.

     

       519
       519
       -
                 # password = "";

     

       520
       520
       -
       

     

       521
       521
       -
                 base_dn = "dc=wiro,dc=world";

     

       522
       522
       -
                 users_filter = "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))";

     

       523
       523
       -
                 additional_users_dn = "ou=people";

     

       524
       524
       -
                 groups_filter = "(&(member={dn})(objectClass=groupOfNames))";

     

       525
       525
       -
                 additional_groups_dn = "ou=groups";

     

       526
       526
       -
       

     

       527
       527
       -
                 attributes = {

     

       528
       528
       -
                   username = "uid";

     

       529
       529
       -
                   display_name = "cn";

     

       530
       530
       -
                   given_name = "givenname";

     

       531
       531
       -
                   family_name = "last_name";

     

       532
       532
       -
                   mail = "mail";

     

       533
       533
       -
                   picture = "avatar";

     

       534
       534
       -
       

     

       535
       535
       -
                   group_name = "cn";

     

       536
       536
       -
                 };

     

       537
       537
       -
               };

     

       538
       538
       -
       

     

       539
       539
       -
               access_control = {

     

       540
       540
       -
                 default_policy = "deny";

     

       541
       541
       -
                 # Rules are sequential and do not apply to OIDC

     

       542
       542
       -
                 rules = [

     

       543
       543
       -
                   {

     

       544
       544
       -
                     domain = "headscale.wiro.world";

     

       545
       545
       -
                     policy = "two_factor";

     

       546
       546
       -
       

     

       547
       547
       -
                   }

     

       548
       548
       -
                   {

     

       549
       549
       -
                     domain = "news.wiro.world";

     

       550
       550
       -
                     policy = "one_factor";

     

       551
       551
       -
       

     

       552
       552
       -
                     subject = [ [ "group:miniflux" "oauth2:client:miniflux" ] ];

     

       553
       553
       -
                   }

     

       554
       554
       -
                   {

     

       555
       555
       -
                     domain = "*.wiro.world";

     

       556
       556
       -
                     policy = "two_factor";

     

       557
       557
       -
                   }

     

       558
       558
       -
                 ];

     

       559
       559
       -
               };

     

       560
       560
       -
       

     

       561
       561
       -
               identity_providers.oidc = {

     

       562
       562
       -
                 enforce_pkce = "always";

     

       563
       563
       -
       

     

       564
       564
       -
                 authorization_policies =

     

       565
       565
       -
                   let

     

       566
       566
       -
                     mkStrictPolicy = policy: subject:

     

       567
       567
       -
                       { default_policy = "deny"; rules = [{ inherit policy subject; }]; };

     

       568
       568
       -
                   in

     

       569
       569
       -
                   {

     

       570
       570
       -
                     headscale = mkStrictPolicy "two_factor" [ "group:headscale" ];

     

       571
       571
       -
                     tailscale = mkStrictPolicy "two_factor" [ "group:headscale" ];

     

       572
       572
       -
                     grafana = mkStrictPolicy "one_factor" [ "group:grafana" ];

     

       573
       573
       -
                     miniflux = mkStrictPolicy "one_factor" [ "group:miniflux" ];

     

       574
       574
       -
                   };

     

       575
       575
       -
       

     

       576
       576
       -
                 claims_policies.headscale = { id_token = [ "email" "name" "preferred_username" "picture" "groups" ]; };

     

       577
       577
       -
       

     

       578
       578
       -
                 clients = [

     

       579
       579
       -
                   {

     

       580
       580
       -
                     client_name = "Headscale";

     

       581
       581
       -
                     client_id = "headscale";

     

       582
       582
       -
                     client_secret = "$pbkdf2-sha256$310000$XY680D9gkSoWhD0UtYHNFg$ptWB3exOYCga6uq1N.oimuV3ILjK3F8lBWBpsBpibos";

     

       583
       583
       -
                     redirect_uris = [ "https://${headscale-hostname}/oidc/callback" ];

     

       584
       584
       -
                     authorization_policy = "headscale";

     

       585
       585
       -
                     claims_policy = "headscale";

     

       586
       586
       -
                   }

     

       587
       587
       -
                   {

     

       588
       588
       -
                     client_name = "Tailscale";

     

       589
       589
       -
                     client_id = "tailscale";

     

       590
       590
       -
                     client_secret = "$pbkdf2-sha256$310000$PcUaup9aWKI9ZLeCF6.avw$FpsTxkDaxcoQlBi8aIacegXpjEDiCI6nXcaHyZ2Sxyc";

     

       591
       591
       -
                     redirect_uris = [ "https://login.tailscale.com/a/oauth_response" ];

     

       592
       592
       -
                     authorization_policy = "tailscale";

     

       593
       593
       -
                   }

     

       594
       594
       -
                   {

     

       595
       595
       -
                     client_name = "Grafana Console";

     

       596
       596
       -
                     client_id = "grafana";

     

       597
       597
       -
                     client_secret = "$pbkdf2-sha256$310000$UkwrqxTZodGMs9.Ca2cXAA$HCWFgQbFHGXZpuz.I3HHdkTZLUevRVGlhKEFaOlPmKs";

     

       598
       598
       -
                     redirect_uris = [ "https://${grafana-hostname}/login/generic_oauth" ];

     

       599
       599
       -
                     authorization_policy = "grafana";

     

       600
       600
       -
                   }

     

       601
       601
       -
                   {

     

       602
       602
       -
                     client_name = "Miniflux";

     

       603
       603
       -
                     client_id = "miniflux";

     

       604
       604
       -
                     client_secret = "$pbkdf2-sha256$310000$uPqbWfCOBXDY6nV1vsx3uA$HOWG2hL.c/bs9Dwaee3b9DxjH7KFO.SaZMbasXV9Vdw";

     

       605
       605
       -
                     redirect_uris = [ "https://${miniflux-hostname}/oauth2/oidc/callback" ];

     

       606
       606
       -
                     authorization_policy = "miniflux";

     

       607
       607
       -
                   }

     

       608
       608
       -
                 ];

     

       609
       609
       -
               };

     

       610
       610
       -
       

     

       611
       611
       -
               notifier.smtp = {

     

       612
       612
       -
                 address = "smtp://smtp.resend.com:2587";

     

       613
       613
       -
                 username = "resend";

     

       614
       614
       -
                 # Set in `AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE`.

     

       615
       615
       -
                 # password = "";

     

       616
       616
       -
                 sender = "authelia@wiro.world";

     

       617
       617
       -
               };

     

       618
       618
       -
             };

     

       619
       619
       -
           };

     

       620
       620
       -
       

     

       621
       621
       -
           age.secrets.tuwunel-registration-tokens = { file = ../../secrets/tuwunel-registration-tokens.age; owner = config.services.matrix-tuwunel.user; };

     

       622
       622
       -
           services.matrix-tuwunel = {

     

       623
       623
       -
             enable = true;

     

       624
       624
       -
       

     

       625
       625
       -
             settings.global = {

     

       626
       626
       -
               address = [ "127.0.0.1" ];

     

       627
       627
       -
               port = [ matrix-port ];

     

       628
       628
       -
       

     

       629
       629
       -
               server_name = "wiro.world";

     

       630
       630
       -
               well_known = {

     

       631
       631
       -
                 client = "https://matrix.wiro.world";

     

       632
       632
       -
                 server = "matrix.wiro.world:443";

     

       633
       633
       -
               };

     

       634
       634
       -
       

     

       635
       635
       -
               grant_admin_to_first_user = true;

     

       636
       636
       -
               new_user_displayname_suffix = "";

     

       637
       637
       -
       

     

       638
       638
       -
               allow_registration = true;

     

       639
       639
       -
               registration_token_file = config.age.secrets.tuwunel-registration-tokens.path;

     

       640
       640
       -
             };

     

       641
       641
       -
           };

     

       642
       642
       -
       

     

       643
       643
       -
           services.goatcounter = {

     

       644
       644
       -
             enable = true;

     

       645
       645
       -
       

     

       646
       646
       -
             port = goatcounter-port;

     

       647
       647
       -
             proxy = true;

     

       648
       648
       -
             extraArgs = [ "-automigrate" ];

     

       649
       649
       -
           };

     

       650
       650
       -
       

     

       651
       651
       -
           age.secrets.vaultwarden-env.file = ../../secrets/vaultwarden-env.age;

     

       652
       652
       -
           services.vaultwarden = {

     

       653
       653
       -
             enable = true;

     

       654
       654
       -
       

     

       655
       655
       -
             environmentFile = config.age.secrets.vaultwarden-env.path;

     

       656
       656
       -
             config = {

     

       657
       657
       -
               ROCKET_PORT = vaultwarden-port;

     

       658
       658
       -
               DOMAIN = "https://${vaultwarden-hostname}";

     

       659
       659
       -
               SIGNUPS_ALLOWED = false;

     

       660
       660
       -
               ADMIN_TOKEN = "$argon2id$v=19$m=65540,t=3,p=4$YIe9wmrTsmjgZNPxe8m34O/d3XW3Fl/uZPPLQs79dAc$mjDVQSdBJqz2uBJuxtAvCIoHPzOnTDhNPuhER3dhHrY";

     

       661
       661
       -
       

     

       662
       662
       -
               SMTP_HOST = "smtp.resend.com";

     

       663
       663
       -
               SMTP_PORT = 2465;

     

       664
       664
       -
               SMTP_SECURITY = "force_tls";

     

       665
       665
       -
               SMTP_USERNAME = "resend";

     

       666
       666
       -
               # SMTP_PASSWORD = ...; # Via secret env

     

       667
       667
       -
               SMTP_FROM = "bitwarden@wiro.world";

     

       668
       668
       -
               SMTP_FROM_NAME = "Bitwarden wiro.world";

     

       669
       669
       -
             };

     

       670
       670
       -
           };

     

       671
       671
       -
       

     

       672
       672
       -
           users.users.miniflux = { isSystemUser = true; group = "miniflux"; };

     

       673
       673
       -
           users.groups.miniflux = { };

     

       674
       674
       -
           age.secrets.miniflux-oidc-secret = { file = ../../secrets/miniflux-oidc-secret.age; owner = "miniflux"; };

     

       675
       675
       -
           services.miniflux = {

     

       676
       676
       -
             enable = true;

     

       677
       677
       -
       

     

       678
       678
       -
             createDatabaseLocally = true;

     

       679
       679
       -
             config = {

     

       680
       680
       -
               BASE_URL = "https://${miniflux-hostname}/";

     

       681
       681
       -
               LISTEN_ADDR = "127.0.0.1:${toString miniflux-port}";

     

       682
       682
       -
               CREATE_ADMIN = 0;

     

       683
       683
       -
       

     

       684
       684
       -
               METRICS_COLLECTOR = 1;

     

       685
       685
       -
       

     

       686
       686
       -
               OAUTH2_PROVIDER = "oidc";

     

       687
       687
       -
               OAUTH2_OIDC_PROVIDER_NAME = "wiro.world SSO";

     

       688
       688
       -
               OAUTH2_CLIENT_ID = "miniflux";

     

       689
       689
       -
               OAUTH2_CLIENT_SECRET_FILE = config.age.secrets.miniflux-oidc-secret.path;

     

       690
       690
       -
               OAUTH2_REDIRECT_URL = "https://${miniflux-hostname}/oauth2/oidc/callback";

     

       691
       691
       -
               OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://auth.wiro.world";

     

       692
       692
       -
               OAUTH2_USER_CREATION = 1;

     

       693
       693
       -
               DISABLE_LOCAL_AUTH = 1;

     

       694
       694
       -
       

     

       695
       695
       -
               RUN_MIGRATIONS = 1;

     

       696
       696
       -
       

     

       697
       697
       -
               # NetNewsWire is a very good iOS oss client that integrates well

     

       698
       698
       -
               # https://b.j4.lc/2025/05/05/setting-up-netnewswire-with-miniflux/

     

       699
       699
       -
             };

     

       700
       700
       -
           };

     

       701
       701
       -
       

     

       702
       702
       -
           age.secrets.hypixel-bank-tracker-main.file = ../../secrets/hypixel-bank-tracker-main.age;

     

       703
       703
       -
           services.hypixel-bank-tracker.instances.main = {

     

       704
       704
       -
             enable = true;

     

       705
       705
       -
       

     

       706
       706
       -
             port = hbt-main-port;

     

       707
       707
       -
             environmentFile = config.age.secrets.hypixel-bank-tracker-main.path;

     

       708
       708
       -
           };

     

       709
       709
       -
       

     

       710
       710
       -
           age.secrets.hypixel-bank-tracker-banana.file = ../../secrets/hypixel-bank-tracker-banana.age;

     

       711
       711
       -
           services.hypixel-bank-tracker.instances.banana = {

     

       712
       712
       -
             enable = true;

     

       713
       713
       -
       

     

       714
       714
       -
             port = hbt-banana-port;

     

       715
       715
       -
             environmentFile = config.age.secrets.hypixel-bank-tracker-banana.path;

     

       716
       716
       -
           };

     

       717
       717
       -
       

     

       718
       718
       -
           virtualisation.oci-containers.containers.archive-warrior = {

     

       719
       719
       -
             image = "atdr.meo.ws/archiveteam/warrior-dockerfile";

     

       720
       720
       -
             ports = [ "127.0.0.1:${toString warrior-port}:8001" ];

     

       721
       721
       -
             pull = "newer";

     

       722
       722
       -
           };

     

       723
       723
       -
         };

     

       724
       724
       -
       }

+9 -2

secrets.nix

···

       1
       1
        
       let

     

       2
       2
        
         inherit (builtins) listToAttrs attrNames;

     

       3
       3
       +
       

     

       4
       4
       +
         # Map the name and value of all items of an attrset

     

       3
       5
        
         mapAttrs' =

     

       4
       6
        
           f:

     

       5
       7
        
           set:

     

       6
       8
        
           listToAttrs (map (attr: f attr set.${attr}) (attrNames set));

     

       9
       9
       +
       

     

       10
       10
       +
         keys = import ./secrets/keys.nix;

     

       11
       11
       +
       

     

       12
       12
       +
         prependAttrsName = prefix: mapAttrs' (name: value: { name = prefix + name; inherit value; });

     

       13
       13
       +
         secretsDir = path: prependAttrsName (path + "/") ((import ./${path}/default.nix) keys);

     

       7
       14
        
       in

     

       8
       15
        
       

     

       9
       9
       -
       # You can use agenix directly at repo top-level instead of having to change directory into `secrets/`

     

       10
       10
       -
       mapAttrs' (name: value: { name = ("secrets/" + name); inherit value; }) (import ./secrets/secrets.nix)

     

       16
       16
       +
       secretsDir "secrets"

     

       17
       17
       +
         // secretsDir "hosts/weird-row-server/secrets"

secrets/authelia-issuer-private-key.age hosts/weird-row-server/secrets/authelia-issuer-private-key.age

secrets/authelia-jwt-secret.age hosts/weird-row-server/secrets/authelia-jwt-secret.age

secrets/authelia-ldap-password.age hosts/weird-row-server/secrets/authelia-ldap-password.age

secrets/authelia-smtp-password.age hosts/weird-row-server/secrets/authelia-smtp-password.age

secrets/authelia-storage-key.age hosts/weird-row-server/secrets/authelia-storage-key.age

+22

secrets/default.nix

···

       1
       1
       +
       keys:

     

       2
       2
       +
       

     

       3
       3
       +
       let

     

       4
       4
       +
         inherit (keys) sessions systems users;

     

       5
       5
       +
       

     

       6
       6
       +
         nixos = systems ++ users;

     

       7
       7
       +
         home-manager = sessions ++ users;

     

       8
       8
       +
       in

     

       9
       9
       +
       {

     

       10
       10
       +
         # Used in NixOS config

     

       11
       11
       +
         "backup-rclone-googledrive.age".publicKeys = nixos;

     

       12
       12
       +
         "backup-restic-key.age".publicKeys = nixos;

     

       13
       13
       +
       

     

       14
       14
       +
         # Used in Home Manager

     

       15
       15
       +
         "api-crates-io.age".publicKeys = home-manager;

     

       16
       16
       +
         "api-wakatime.age".publicKeys = home-manager;

     

       17
       17
       +
         "api-wakapi.age".publicKeys = home-manager;

     

       18
       18
       +
       

     

       19
       19
       +
         # Not used in config but useful

     

       20
       20
       +
         "pgp-ca5e.age".publicKeys = users;

     

       21
       21
       +
         "ssh-uxgi.age".publicKeys = users;

     

       22
       22
       +
       }

secrets/grafana-oidc-secret.age hosts/weird-row-server/secrets/grafana-oidc-secret.age

secrets/headscale-oidc-secret.age hosts/weird-row-server/secrets/headscale-oidc-secret.age

secrets/hypixel-bank-tracker-banana.age hosts/weird-row-server/secrets/hypixel-bank-tracker-banana.age

secrets/hypixel-bank-tracker-main.age hosts/weird-row-server/secrets/hypixel-bank-tracker-main.age

secrets/lldap-env.age hosts/weird-row-server/secrets/lldap-env.age

secrets/lldap-user-pass.age hosts/weird-row-server/secrets/lldap-user-pass.age

secrets/miniflux-oidc-secret.age hosts/weird-row-server/secrets/miniflux-oidc-secret.age

secrets/pds-env.age hosts/weird-row-server/secrets/pds-env.age

+2 -19

secrets/secrets.nix hosts/weird-row-server/secrets/default.nix

···

       1
       1
       +
       keys:

     

       1
       2
        
       let

     

       2
       2
       -
         inherit (import ./keys.nix) servers sessions systems users;

     

       3
       3
       -
       

     

       4
       4
       -
         nixos = systems ++ users;

     

       5
       5
       -
         home-manager = sessions ++ users;

     

       3
       3
       +
         inherit (keys) servers users;

     

       6
       4
        
         deploy = servers ++ users;

     

       7
       5
        
       in

     

       8
       6
        
       {

     

       9
       9
       -
         # Used in NixOS config

     

       10
       10
       -
         "backup-rclone-googledrive.age".publicKeys = nixos;

     

       11
       11
       -
         "backup-restic-key.age".publicKeys = nixos;

     

       12
       12
       -
       

     

       13
       13
       -
         # Used in Home Manager

     

       14
       14
       -
         "api-crates-io.age".publicKeys = home-manager;

     

       15
       15
       -
         "api-wakatime.age".publicKeys = home-manager;

     

       16
       16
       -
         "api-wakapi.age".publicKeys = home-manager;

     

       17
       17
       -
       

     

       18
       18
       -
         # Used in server deployment

     

       19
       19
       -
       

     

       20
       7
        
         # Defines `PDS_JWT_SECRET`, `PDS_ADMIN_PASSWORD`, `PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX`, `PDS_EMAIL_SMTP_URL`, `PDS_EMAIL_FROM_ADDRESS`.

     

       21
       8
        
         "pds-env.age".publicKeys = deploy;

     

       22
       9
        
         # Defines `LLDAP_JWT_SECRET`, `LLDAP_KEY_SEED`.

     
···

       36
       23
        
         # Defines `HYPIXEL_API_KEY`, `PROFILE_UUID`

     

       37
       24
        
         "hypixel-bank-tracker-main.age".publicKeys = deploy;

     

       38
       25
        
         "hypixel-bank-tracker-banana.age".publicKeys = deploy;

     

       39
       39
       -
       

     

       40
       40
       -
         # Not used in config but useful

     

       41
       41
       -
         "pgp-ca5e.age".publicKeys = users;

     

       42
       42
       -
         "ssh-uxgi.age".publicKeys = users;

     

       43
       26
        
       }

secrets/tuwunel-registration-tokens.age hosts/weird-row-server/secrets/tuwunel-registration-tokens.age

secrets/vaultwarden-env.age hosts/weird-row-server/secrets/vaultwarden-env.age