···

       
6
       
6
       
 
       
    ./services/fail2ban.nix

     

       
7
       
7
       
 
       


     

       
8
       
8
       
 
       
    ../modules/basic.nix

     

       
9
       
9
       
+
       
    ../modules/caddy.nix

     

       
9
       
10
       
 
       
    ../modules/development/nix.nix

     

       
10
       
11
       
 
       
    ../modules/development/sh.nix

     

       
11
       
12
       
 
       
    ../modules/editor.nix

     
···

       
17
       
18
       
 
       
    ../modules/nix.nix

     

       
18
       
19
       
 
       
    ../modules/remote-builder.nix

     

       
19
       
20
       
 
       


     

       
21
       
21
       
+
       
    ../modules/services/caddy

     

       
22
       
22
       
+
       
    ../modules/services/caddy/atproto-did.nix

     

       
23
       
23
       
+
       
    ../modules/services/caddy/nextcloud.nix

     

       
24
       
24
       
+
       
    ../modules/services/caddy/pds.nix

     

       
25
       
25
       
+
       
    ../modules/services/caddy/soju.nix

     

       
26
       
26
       
+
       
    ../modules/services/caddy/tangled-knot.nix

     

       
27
       
27
       
+
       
    ../modules/services/caddy/websites/boo-b77.nix

     

       
28
       
28
       
+
       
    ../modules/services/caddy/websites/boo-y6d.nix

     

       
29
       
29
       
+
       
    ../modules/services/caddy/websites/org-biotabit.nix

     

       
30
       
30
       
+
       
    ../modules/services/caddy/websites/org-butwho.nix

     

       
31
       
31
       
+
       
    ../modules/services/caddy/websites/pink-lilac.nix

     

       
32
       
32
       
+
       
    ../modules/services/caddy/websites/pink-yemou.nix

     

       
33
       
33
       
+
       


     

       
20
       
34
       
 
       
    ../modules/services/nextcloud.nix

     

       
21
       
35
       
 
       
    ../modules/services/openssh.nix

     

       
22
       
36
       
 
       
    ../modules/services/pds.nix

     

       
37
       
37
       
+
       
    ../modules/services/soju.nix

     

       
23
       
38
       
 
       
    ../modules/services/tangled.nix

     

       
24
       
39
       
 
       
  ];

     

       
25
       
40
       
 
       


     

       
26
       
26
       
-
       
  garden.info.host = {

     

       
27
       
27
       
-
       
    server = true;

     

       
41
       
41
       
+
       
  garden = {

     

       
42
       
42
       
+
       
    caddy.package = {

     

       
43
       
43
       
+
       
      plugins = [

     

       
44
       
44
       
+
       
        "github.com/mholt/caddy-events-exec@v0.1.0"

     

       
45
       
45
       
+
       
        "github.com/mholt/caddy-l4@v0.0.0-20250530154005-4d3c80e89c5f"

     

       
46
       
46
       
+
       
      ];

     

       
47
       
47
       
+
       
      hash = "sha256-X+46XM2UzadAifeTvKOdUdawU8EaINUTIeCjAVVCGqU=";

     

       
48
       
48
       
+
       
    };

     

       
49
       
49
       
+
       
    info.host.server = true;

     

       
28
       
50
       
 
       
  };

     

       
29
       
51
       
 
       


     

       
30
       
52
       
 
       
  sops = {

     

···

       
19
       
19
       
 
       
    settings = {

     

       
20
       
20
       
 
       
      PasswordAuthentication = false;

     

       
21
       
21
       
 
       
      PermitRootLogin = "no";

     

       
22
       
22
       
-
       
      PerSourcePenalties = "no"; # TODO: Look into mmproxy or some other way of giving the client-ip to openssh

     

       
23
       
22
       
 
       
    };

     

       
24
       
23
       
 
       
  };

     

       
25
       
24
       
 
       
}

     

···

       
1
       
1
       
-
       
{ config, ... }:

     

       
1
       
1
       
+
       
{ ... }:

     

       
2
       
2
       
 
       
{

     

       
3
       
3
       
 
       
  services.caddy.virtualHosts."cloud.lilac.pink".extraConfig = ''

     

       
4
       
4
       
 
       
    encode

     

       
5
       
5
       
-
       
    reverse_proxy ${config.garden.info.network.lily.netbird-ip}:80 {

     

       
5
       
5
       
+
       
    reverse_proxy [::1]:8080 {

     

       
6
       
6
       
 
       
      # NixOS uses nginx as a webserver for NextCloud by default and nginx will send 301 redirects to the client

     

       
7
       
7
       
 
       
      # using http as the protocol instead of https since it doesn't have SSL certs of its own.

     

       
8
       
8
       
 
       
      # Because the redirect isn't also https, this can cause a Content-Security-Policy error on the client.

     

···

       
1
       
1
       
-
       
{ config, ... }:

     

       
1
       
1
       
+
       
{ ... }:

     

       
2
       
2
       
 
       
{

     

       
3
       
3
       
 
       
  services.caddy = {

     

       
4
       
4
       
 
       
    globalConfig = ''

     

       
5
       
5
       
 
       
      on_demand_tls {

     

       
6
       
6
       
-
       
        ask http://${config.garden.info.network.lily.netbird-ip}:3000/tls-check

     

       
6
       
6
       
+
       
        ask http://[::1]:3000/tls-check

     

       
7
       
7
       
 
       
      }

     

       
8
       
8
       
 
       
    '';

     

       
9
       
9
       
 
       
    virtualHosts = {

     
···

       
12
       
12
       
 
       
          on_demand

     

       
13
       
13
       
 
       
        }

     

       
14
       
14
       
 
       
        encode

     

       
15
       
15
       
-
       
        reverse_proxy ${config.garden.info.network.lily.netbird-ip}:3000

     

       
15
       
15
       
+
       
        reverse_proxy [::1]:3000

     

       
16
       
16
       
 
       
      '';

     

       
17
       
17
       
 
       
      "*.butwho.club".extraConfig = ''

     

       
18
       
18
       
 
       
        tls {

     

       
19
       
19
       
 
       
          on_demand

     

       
20
       
20
       
 
       
        }

     

       
21
       
21
       
 
       
        encode

     

       
22
       
22
       
-
       
        reverse_proxy ${config.garden.info.network.lily.netbird-ip}:3000

     

       
22
       
22
       
+
       
        reverse_proxy [::1]:3000

     

       
23
       
23
       
 
       
      '';

     

       
24
       
24
       
 
       
      "*.butwho.social".extraConfig = ''

     

       
25
       
25
       
 
       
        tls {

     

       
26
       
26
       
 
       
          on_demand

     

       
27
       
27
       
 
       
        }

     

       
28
       
28
       
 
       
        encode

     

       
29
       
29
       
-
       
        reverse_proxy ${config.garden.info.network.lily.netbird-ip}:3000

     

       
29
       
29
       
+
       
        reverse_proxy [::1]:3000

     

       
30
       
30
       
 
       
      '';

     

       
31
       
31
       
 
       
    };

     

       
32
       
32
       
 
       
  };

     

···

       
1
       
1
       
 
       
{ ... }:

     

       
2
       
2
       
 
       
{

     

       
3
       
3
       
-
       
  networking.firewall.interfaces."enp1s0".allowedTCPPorts = [ 6697 ];

     

       
3
       
3
       
+
       
  networking.firewall.allowedTCPPorts = [ 6697 ];

     

       
4
       
4
       
 
       


     

       
5
       
5
       
 
       
  services.caddy.virtualHosts."soju.y6d.boo".extraConfig = ''

     

       
6
       
6
       
 
       
    encode

     

       
7
       
7
       
-
       
    reverse_proxy [::1]:8080

     

       
7
       
7
       
+
       
    reverse_proxy [::1]:8081

     

       
8
       
8
       
 
       
  '';

     

       
9
       
9
       
 
       


     

       
10
       
10
       
 
       
  garden.caddy.layer4 = ''

     

···

       
1
       
1
       
-
       
{ config, ... }:

     

       
1
       
1
       
+
       
{ ... }:

     

       
2
       
2
       
 
       
{

     

       
3
       
3
       
-
       
  networking.firewall.interfaces."enp1s0".allowedTCPPorts = [ 22 ];

     

       
4
       
4
       
-
       


     

       
5
       
3
       
 
       
  services.caddy.virtualHosts."knot.butwho.org".extraConfig = ''

     

       
6
       
4
       
 
       
    encode

     

       
7
       
7
       
-
       
    reverse_proxy ${config.garden.info.network.lily.netbird-ip}:5555

     

       
8
       
8
       
-
       
  '';

     

       
9
       
9
       
-
       


     

       
10
       
10
       
-
       
  garden.caddy.layer4 = ''

     

       
11
       
11
       
-
       
    [::]:22 {

     

       
12
       
12
       
-
       
      route {

     

       
13
       
13
       
-
       
        proxy ${config.garden.info.network.lily.netbird-ip}:2222

     

       
14
       
14
       
-
       
      }

     

       
15
       
15
       
-
       
    }

     

       
5
       
5
       
+
       
    reverse_proxy [::1]:5555

     

       
16
       
6
       
 
       
  '';

     

       
17
       
7
       
 
       
}

     

···

       
21
       
21
       
 
       
        respond "{err.status_code} {err.status_text}"

     

       
22
       
22
       
 
       
      }

     

       
23
       
23
       
 
       
    '';

     

       
24
       
24
       
+
       
    "butwho.club".extraConfig = ''

     

       
25
       
25
       
+
       
      redir https://butwho.org{uri}

     

       
26
       
26
       
+
       
    '';

     

       
24
       
27
       
 
       
    "butwho.social".extraConfig = ''

     

       
25
       
28
       
 
       
      redir https://butwho.org{uri}

     

       
26
       
29
       
 
       
    '';

     

···

       
46
       
46
       
 
       
  };

     

       
47
       
47
       
 
       


     

       
48
       
48
       
 
       
  # This is the port that nginx listens on by default

     

       
49
       
49
       
-
       
  networking.firewall.interfaces.${config.services.netbird.clients.homelab.interface}.allowedTCPPorts = [ 80 ];

     

       
49
       
49
       
+
       


     

       
50
       
50
       
+
       
  services.nginx.virtualHosts.${config.services.nextcloud.hostName}.listen = [

     

       
51
       
51
       
+
       
    {

     

       
52
       
52
       
+
       
      addr = "[::1]";

     

       
53
       
53
       
+
       
      port = 8080;

     

       
54
       
54
       
+
       
    }

     

       
55
       
55
       
+
       
  ];

     

       
50
       
56
       
 
       


     

       
51
       
57
       
 
       
  services = {

     

       
52
       
58
       
 
       
    redis.package = pkgs.valkey;

     
···

       
74
       
80
       
 
       
      maxUploadSize = "1G";

     

       
75
       
81
       
 
       
      notify_push = {

     

       
76
       
82
       
 
       
        enable = true;

     

       
77
       
77
       
-
       
        nextcloudUrl = "http://${config.garden.info.network.${config.networking.hostName}.netbird-ip}";

     

       
83
       
83
       
+
       
        nextcloudUrl = "http://[::1]:8080";

     

       
78
       
84
       
 
       
      };

     

       
79
       
85
       
 
       
      phpOptions = {

     

       
80
       
86
       
 
       
        "opcache.interned_strings_buffer" = "16";

     
···

       
103
       
109
       
 
       
        };

     

       
104
       
110
       
 
       
        "simpleSignUpLink.shown" = false;

     

       
105
       
111
       
 
       
        trusted_proxies = [

     

       
106
       
106
       
-
       
          config.garden.info.network.${config.networking.hostName}.netbird-ip

     

       
107
       
107
       
-
       
          config.garden.info.network.dandelion.netbird-ip

     

       
108
       
108
       
-
       
          config.garden.info.network.${config.networking.hostName}.ipv4-local

     

       
112
       
112
       
+
       
          "::1"

     

       
109
       
113
       
 
       
        ];

     

       
110
       
114
       
 
       
      };

     

       
111
       
115
       
 
       
    };

     
···

       
115
       
119
       
 
       
    services = {

     

       
116
       
120
       
 
       
      # TODO: Need to make sure that this runs after nextcloud to avoid startup errors especially when there is a nextcloud

     

       
117
       
121
       
 
       
      #       upgrade

     

       
118
       
118
       
-
       
      nextcloud-notify_push_setup.environment = {

     

       
119
       
119
       
-
       
        NEXTCLOUD_URL = config.services.nextcloud.notify_push.nextcloudUrl;

     

       
120
       
120
       
-
       
      };

     

       
121
       
122
       
 
       
      nextcloud-generate-previews = {

     

       
122
       
123
       
 
       
        enable = true;

     

       
123
       
124
       
 
       
        description = "Nextcloud preview generator app (https://github.com/nextcloud/previewgenerator)";

     

···

       
5
       
5
       
 
       
    hostName = "soju.y6d.boo";

     

       
6
       
6
       
 
       
    listen = [

     

       
7
       
7
       
 
       
      "irc+insecure://[::1]:6667"

     

       
8
       
8
       
-
       
      "http+insecure://[::1]:8080" # Needed for file-upload

     

       
8
       
8
       
+
       
      "http+insecure://[::1]:8081" # Needed for file-upload

     

       
9
       
9
       
 
       
    ];

     

       
10
       
10
       
 
       
    acceptProxyIP = [ "localhost" ];

     

       
11
       
11
       
 
       
    enableMessageLogging = false; # This stores messages using the filesystem, I want to use the database.

     

···

       
21
       
21
       
 
       
    '';

     

       
22
       
22
       
 
       
  };

     

       
23
       
23
       
 
       


     

       
24
       
24
       
-
       
  services.openssh.settings.AllowUsers = [

     

       
25
       
25
       
-
       
    "${config.services.tangled-knot.gitUser}@${config.garden.info.network.dandelion.netbird-ip}"

     

       
26
       
26
       
-
       
  ];

     

       
24
       
24
       
+
       
  services.openssh = {

     

       
25
       
25
       
+
       
    ports = [ 22 ];

     

       
26
       
26
       
+
       
    settings.AllowUsers = [ "${config.services.tangled-knot.gitUser}" ];

     

       
27
       
27
       
+
       
  };

     

       
27
       
28
       
 
       


     

       
28
       
28
       
-
       
  networking.firewall.interfaces.${config.services.netbird.clients.homelab.interface}.allowedTCPPorts = [ 5555 ];

     

       
29
       
29
       
+
       
  networking.firewall.allowedTCPPorts = [

     

       
30
       
30
       
+
       
    22

     

       
31
       
31
       
+
       
    5555

     

       
32
       
32
       
+
       
  ];

     

       
29
       
33
       
 
       


     

       
30
       
34
       
 
       
  services.tangled-knot = {

     

       
31
       
35
       
 
       
    enable = true;