From 2dbc8b398b7ae9bc2a2cb2026c1d7d07c9540a20 Mon Sep 17 00:00:00 2001 From: Jack O'Sullivan Date: Thu, 2 Nov 2023 13:41:50 +0000 Subject: [PATCH] Split constants into separate lib file --- devshell/default.nix | 2 +- home-manager/modules/common.nix | 4 +- lib/constants.nix | 92 ++++++++++++++ lib/default.nix | 102 +-------------- nixos/boxes/castle/default.nix | 2 +- nixos/boxes/colony/default.nix | 16 +-- nixos/boxes/colony/vms/estuary/bgp.nix | 6 +- nixos/boxes/colony/vms/estuary/default.nix | 21 ++-- nixos/boxes/colony/vms/estuary/dns.nix | 8 +- .../vms/shill/containers/chatterbox.nix | 4 +- .../vms/shill/containers/colony-psql.nix | 4 +- .../vms/shill/containers/jackflix/default.nix | 2 +- .../shill/containers/jackflix/networking.nix | 9 +- .../shill/containers/middleman/default.nix | 23 ++-- .../vms/shill/containers/middleman/vhosts.nix | 116 +++++++++--------- .../colony/vms/shill/containers/object.nix | 4 +- .../colony/vms/shill/containers/toot.nix | 2 +- .../vms/shill/containers/vaultwarden.nix | 6 +- nixos/boxes/colony/vms/shill/default.nix | 6 +- nixos/boxes/colony/vms/whale2/default.nix | 4 +- .../kelder/containers/acquisition/default.nix | 4 +- .../containers/acquisition/networking.nix | 4 +- .../kelder/containers/spoder/default.nix | 12 +- .../boxes/kelder/containers/spoder/nginx.nix | 52 ++++---- nixos/boxes/kelder/default.nix | 15 ++- nixos/installer.nix | 2 +- nixos/modules/common.nix | 2 +- nixos/modules/deploy-rs.nix | 2 +- nixos/modules/network.nix | 2 +- nixos/modules/user.nix | 2 +- 30 files changed, 269 insertions(+), 261 deletions(-) create mode 100644 lib/constants.nix diff --git a/devshell/default.nix b/devshell/default.nix index 249b856..5d30fec 100644 --- a/devshell/default.nix +++ b/devshell/default.nix 
@@ -15,7 +15,7 @@ in experimental-features = nix-command flakes ca-derivations repl-flake #substituters = https://nix-cache.nul.ie https://cache.nixos.org substituters = https://cache.nixos.org - trusted-public-keys = ${concatStringsSep " " lib.my.nix.cacheKeys} + trusted-public-keys = ${concatStringsSep " " lib.my.c.nix.cacheKeys} ''); INSTALLER_SSH_OPTS = "-i .keys/deploy.key"; diff --git a/home-manager/modules/common.nix b/home-manager/modules/common.nix index 861a46d..d2a7ac0 100644 --- a/home-manager/modules/common.nix +++ b/home-manager/modules/common.nix @@ -240,13 +240,13 @@ in #"https://nix-cache.nul.ie" "https://cache.nixos.org" ]; - trusted-public-keys = lib.my.nix.cacheKeys; + trusted-public-keys = lib.my.c.nix.cacheKeys; }; }; }) (mkIf config.my.isStandalone { my = { - ssh.authKeys.files = [ lib.my.sshKeyFiles.me ]; + ssh.authKeys.files = [ lib.my.c.sshKeyFiles.me ]; }; nix.package = mkIf (versionAtLeast config.home.stateVersion "22.05") pkgs.nix; diff --git a/lib/constants.nix b/lib/constants.nix new file mode 100644 index 0000000..31492d5 --- /dev/null +++ b/lib/constants.nix 
@@ -0,0 +1,92 @@ +{ lib }: rec { + nginx = { + proxyHeaders = '' + # Setting any proxy_header in a child (e.g. location) will nuke the parents... + proxy_set_header X-Origin-URI $request_uri; + proxy_set_header Host $host; + proxy_set_header X-Host $http_host; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-Server $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Protocol $scheme; + proxy_set_header X-Scheme $scheme; + ''; + }; + + nix = { + cacheKeys = [ + "nix-cache.nul.ie-1:XofkqdHQSGFoPjB6aRohQbCU2ILKFqhNjWfoOdQgF5Y=" + "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" + ]; + }; + + pubDomain = "nul.ie"; + colony = { + domain = "ams1.int.${pubDomain}"; + prefixes = with lib.my.net.cidr; rec { + all = { + v4 = "10.100.0.0/16"; + v6 = "2a0e:97c0:4d2:10::/60"; + }; + base = { + v4 = subnet 8 0 all.v4; + v6 = subnet 4 0 all.v6; + }; + vms = { + v4 = subnet 8 1 all.v4; + v6 = subnet 4 1 all.v6; + }; + ctrs = { + v4 = subnet 8 2 all.v4; + v6 = subnet 4 2 all.v6; + }; + oci = { + v4 = subnet 8 3 all.v4; + v6 = subnet 4 3 all.v6; + }; + + cust = { + v4 = subnet 8 100 all.v4; # single ip for routing only + v6 = "2a0e:97c0:4d2:2000::/56"; + }; + mail = { + v4 = "94.142.241.227/32"; + v6 = subnet 8 0 cust.v6; + }; + + vip1 = "94.142.241.224/30"; + vip2 = "94.142.242.254/31"; + }; + fstrimConfig = { + enable = true; + # backup happens at 05:00 + interval = "04:45"; + }; + }; + kelder = { + groups = { + storage = 2000; + media = 2010; + }; + + domain = "hentai.engineer"; + vpn = { + port = 51820; + }; + prefixes = with lib.my.net.cidr; rec { + all.v4 = "172.16.64.0/20"; + ctrs.v4 = subnet 4 0 all.v4; + }; + }; + sshKeyFiles = { + me = ../.keys/me.pub; + deploy = ../.keys/deploy.pub; + rsyncNet = ../.keys/zh2855.rsync.net.pub; + mailcowAcme = ../.keys/mailcow-acme.pub; + }; + sshHostKeys = { 
+ mail-vm = ../.keys/mail-vm-host.pub; + }; +} diff --git a/lib/default.nix b/lib/default.nix index ae2aef0..aef706c 100644 --- a/lib/default.nix +++ b/lib/default.nix @@ -1,9 +1,9 @@ { lib }: let - inherit (builtins) length match replaceStrings elemAt mapAttrs head split filter; + inherit (builtins) length match elemAt filter; inherit (lib) - genAttrs mapAttrs' mapAttrsToList filterAttrsRecursive nameValuePair types - mkOption mkOverride mkForce mkIf mergeEqualOption optional hasPrefix + genAttrs mapAttrsToList filterAttrsRecursive nameValuePair types + mkOption mkOverride mkForce mkIf mergeEqualOption optional showWarnings concatStringsSep flatten unique; inherit (lib.flake) defaultSystems; in @@ -12,6 +12,7 @@ rec { inherit (import ./net.nix { inherit lib; }) net; dns = import ./dns.nix { inherit lib; }; + c = import ./constants.nix { inherit lib; }; # Yoinked from nixpkgs/nixos/modules/services/networking/nat.nix isIPv6 = ip: length (lib.splitString ":" ip) > 2; @@ -128,6 +129,8 @@ rec { UseDomains = true; }; }; + dockerNetAssignment = + assignments: name: with assignments."${name}".internal; "ip=${ipv4.address},ip=${ipv6.address}"; systemdAwaitPostgres = pkg: host: { after = [ "systemd-networkd-wait-online.service" ]; 
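Review bot: `prefixes = with lib.my.net.cidr; rec {` (and the same `with` in `kelder.prefixes`) makes the new constants.nix reach back into `lib.my`, the attrset that lib/default.nix builds by importing this very file; this evaluates only because Nix is lazy, and it presumably relies on the `lib` handed in being the fixed-point lib that already exposes `lib.my`. The removed code used the local binding via `with net.cidr;`, so taking `net` as an argument (`{ lib, net }:`, supplied from lib/default.nix) would keep the constants file free of that cycle. Since `nginx.proxyHeaders` is now the single header block shared by both reverse proxies, a comment above it would also help readers of the upstream services: `# X-Forwarded-For is appended to ($proxy_add_x_forwarded_for), not replaced; take the client address from X-Real-IP or the last XFF entry`.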
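Review bot: The trimmed `inherit` lists in the `@@ -1,9 +1,9 @@` hunk of lib/default.nix drop `replaceStrings`, `mapAttrs`, `head`, `split`, `mapAttrs'` and `hasPrefix`, yet none of the constants moved out of this file used them, so they must already have been unused elsewhere. The rest of lib/default.nix is outside the hunks, so an evaluation of the affected hosts is the only way to confirm that no remaining binding still depended on one of them.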
@@ -185,97 +188,4 @@ rec { filterOpts = filterAttrsRecursive (_: v: v != null); }; - - nginx = { - proxyHeaders = '' - # Setting any proxy_header in a child (e.g. location) will nuke the parents... - proxy_set_header X-Origin-URI $request_uri; - proxy_set_header Host $host; - proxy_set_header X-Host $http_host; - proxy_set_header X-Forwarded-Host $http_host; - proxy_set_header X-Forwarded-Server $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Protocol $scheme; - proxy_set_header X-Scheme $scheme; - ''; - }; - - nix = { - cacheKeys = [ - "nix-cache.nul.ie-1:XofkqdHQSGFoPjB6aRohQbCU2ILKFqhNjWfoOdQgF5Y=" - "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" - ]; - }; - - pubDomain = "nul.ie"; - dockerNetAssignment = - assignments: name: with assignments."${name}".internal; "ip=${ipv4.address},ip=${ipv6.address}"; - colony = { - domain = "ams1.int.${pubDomain}"; - prefixes = with net.cidr; rec { - all = { - v4 = "10.100.0.0/16"; - v6 = "2a0e:97c0:4d2:10::/60"; - }; - base = { - v4 = subnet 8 0 all.v4; - v6 = subnet 4 0 all.v6; - }; - vms = { - v4 = subnet 8 1 all.v4; - v6 = subnet 4 1 all.v6; - }; - ctrs = { - v4 = subnet 8 2 all.v4; - v6 = subnet 4 2 all.v6; - }; - oci = { - v4 = subnet 8 3 all.v4; - v6 = subnet 4 3 all.v6; - }; - - cust = { - v4 = subnet 8 100 all.v4; # single ip for routing only - v6 = "2a0e:97c0:4d2:2000::/56"; - }; - mail = { - v4 = "94.142.241.227/32"; - v6 = subnet 8 0 cust.v6; - }; - - vip1 = "94.142.241.224/30"; - vip2 = "94.142.242.254/31"; - }; - fstrimConfig = { - enable = true; - # backup happens at 05:00 - interval = "04:45"; - }; - }; - kelder = { - groups = { - storage = 2000; - media = 2010; - }; - - domain = "hentai.engineer"; - vpn = { - port = 51820; - }; - prefixes = with net.cidr; rec { - all.v4 = "172.16.64.0/20"; - ctrs.v4 = subnet 4 0 all.v4; - }; - }; - sshKeyFiles = { - me 
= ../.keys/me.pub; - deploy = ../.keys/deploy.pub; - rsyncNet = ../.keys/zh2855.rsync.net.pub; - mailcowAcme = ../.keys/mailcow-acme.pub; - }; - sshHostKeys = { - mail-vm = ../.keys/mail-vm-host.pub; - }; } diff --git a/nixos/boxes/castle/default.nix b/nixos/boxes/castle/default.nix index b749d25..45d03e1 100644 --- a/nixos/boxes/castle/default.nix +++ b/nixos/boxes/castle/default.nix @@ -84,7 +84,7 @@ }; networking = { - domain = "h.${lib.my.pubDomain}"; + domain = "h.${lib.my.c.pubDomain}"; firewall.enable = false; }; diff --git a/nixos/boxes/colony/default.nix b/nixos/boxes/colony/default.nix index 883a841..6a97f03 100644 --- a/nixos/boxes/colony/default.nix +++ b/nixos/boxes/colony/default.nix @@ -1,7 +1,7 @@ { lib, ... }: let inherit (lib.my) net; - inherit (lib.my.colony) domain prefixes; + inherit (lib.my.c.colony) domain prefixes; in { imports = [ ./vms ]; @@ -93,11 +93,11 @@ in }; programs.ssh.knownHostsFiles = [ - lib.my.sshKeyFiles.rsyncNet + lib.my.c.sshKeyFiles.rsyncNet ]; services = { - fstrim = lib.my.colony.fstrimConfig; + fstrim = lib.my.c.colony.fstrimConfig; lvm = { boot.thin.enable = true; dmeventd.enable = true; @@ -214,16 +214,16 @@ in }; ipv6Prefixes = [ { - ipv6PrefixConfig.Prefix = lib.my.colony.prefixes.vms.v6; + ipv6PrefixConfig.Prefix = prefixes.vms.v6; } ]; routes = map (r: { routeConfig = r; }) [ { - Destination = lib.my.colony.prefixes.ctrs.v4; + Destination = prefixes.ctrs.v4; Gateway = allAssignments.shill.routing.ipv4.address; } { - Destination = lib.my.colony.prefixes.ctrs.v6; + Destination = prefixes.ctrs.v6; Gateway = allAssignments.shill.internal.ipv6.address; } { @@ -232,11 +232,11 @@ in } { - Destination = lib.my.colony.prefixes.oci.v4; + Destination = prefixes.oci.v4; Gateway = allAssignments.whale2.routing.ipv4.address; } { - Destination = lib.my.colony.prefixes.oci.v6; + Destination = prefixes.oci.v6; Gateway = allAssignments.whale2.internal.ipv6.address; } { 
diff --git a/nixos/boxes/colony/vms/estuary/bgp.nix b/nixos/boxes/colony/vms/estuary/bgp.nix index 78ff883..c67ee53 100644 --- a/nixos/boxes/colony/vms/estuary/bgp.nix +++ b/nixos/boxes/colony/vms/estuary/bgp.nix @@ -14,12 +14,12 @@ in config = '' define OWNAS = 211024; - define CCVIP1 = ${lib.my.colony.prefixes.vip1}; - define CCVIP2 = ${lib.my.colony.prefixes.vip2}; + define CCVIP1 = ${lib.my.c.colony.prefixes.vip1}; + define CCVIP2 = ${lib.my.c.colony.prefixes.vip2}; define OWNIP4 = ${assignments.internal.ipv4.address}; define OWNNETSET4 = [ ${assignments.internal.ipv4.address}/32 ]; - define CCNETSET4 = [ ${lib.my.colony.prefixes.vip1}, ${lib.my.colony.prefixes.vip2} ]; + define CCNETSET4 = [ ${lib.my.c.colony.prefixes.vip1}, ${lib.my.c.colony.prefixes.vip2} ]; define INTNET6 = ${intnet6}; define AMSNET6 = ${amsnet6}; diff --git a/nixos/boxes/colony/vms/estuary/default.nix b/nixos/boxes/colony/vms/estuary/default.nix index ba08b17..a4866d8 100644 --- a/nixos/boxes/colony/vms/estuary/default.nix +++ b/nixos/boxes/colony/vms/estuary/default.nix @@ -1,7 +1,7 @@ { lib, ... }: let inherit (lib.my) net; - inherit (lib.my.colony) domain prefixes; + inherit (lib.my.c.colony) domain prefixes; pubV4 = "94.142.240.44"; in @@ -95,7 +95,7 @@ in }; services = { - fstrim = lib.my.colony.fstrimConfig; + fstrim = lib.my.c.colony.fstrimConfig; lvm = { dmeventd.enable = true; }; @@ -182,7 +182,7 @@ in }; wireguardConfig = { PrivateKeyFile = config.age.secrets."estuary/kelder-wg.key".path; - ListenPort = lib.my.kelder.vpn.port; + ListenPort = lib.my.c.kelder.vpn.port; }; wireguardPeers = [ { 
@@ -306,27 +306,27 @@ in }; ipv6Prefixes = [ { - ipv6PrefixConfig.Prefix = lib.my.colony.prefixes.base.v6; + ipv6PrefixConfig.Prefix = prefixes.base.v6; } ]; routes = map (r: { routeConfig = r; }) (flatten ([ { - Destination = lib.my.colony.prefixes.vip1; + Destination = prefixes.vip1; Gateway = allAssignments.colony.routing.ipv4.address; } { - Destination = lib.my.colony.prefixes.cust.v6; + Destination = prefixes.cust.v6; Gateway = allAssignments.colony.internal.ipv6.address; } ] ++ (map (pName: [ { Gateway = allAssignments.colony.routing.ipv4.address; - Destination = lib.my.colony.prefixes."${pName}".v4; + Destination = prefixes."${pName}".v4; } { - Destination = lib.my.colony.prefixes."${pName}".v6; + Destination = prefixes."${pName}".v6; Gateway = allAssignments.colony.internal.ipv6.address; } ]) [ "vms" "ctrs" "oci" ]))); @@ -356,7 +356,6 @@ in }; my = { - #deploy.generate.system.mode = "boot"; secrets = { key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9up7pXu6M/OWCKufTOfSiGcxMUk4VqUe7fLuatNFFA"; files = { @@ -369,7 +368,7 @@ in firewall = { trustedInterfaces = [ "as211024" ]; - udp.allowed = [ 5353 lib.my.kelder.vpn.port ]; + udp.allowed = [ 5353 lib.my.c.kelder.vpn.port ]; tcp.allowed = [ 5353 "bgp" ]; nat = { enable = true; @@ -458,7 +457,7 @@ in ${matchInet "meta l4proto { udp, tcp } th dport domain redirect to :5353" "estuary"} } chain postrouting { - ip saddr ${lib.my.colony.prefixes.all.v4} snat to ${assignments.internal.ipv4.address} + ip saddr ${prefixes.all.v4} snat to ${assignments.internal.ipv4.address} } } ''; diff --git a/nixos/boxes/colony/vms/estuary/dns.nix b/nixos/boxes/colony/vms/estuary/dns.nix index ee27276..f60d269 100644 --- a/nixos/boxes/colony/vms/estuary/dns.nix +++ b/nixos/boxes/colony/vms/estuary/dns.nix @@ -1,6 +1,8 @@ { lib, pkgs, config, assignments, allAssignments, ... }: let inherit (builtins) attrNames; + inherit (lib.my) net; + inherit (lib.my.c.colony) prefixes; authZones = attrNames config.my.pdns.auth.bind.zones; in 
@@ -49,7 +51,7 @@ in ]; allowFrom = [ "127.0.0.0/8" "::1/128" - lib.my.colony.prefixes.all.v4 lib.my.colony.prefixes.all.v6 + prefixes.all.v4 prefixes.all.v6 ]; }; @@ -147,8 +149,8 @@ in valheim IN A ${assignments.internal.ipv4.address} valheim IN AAAA ${allAssignments.valheim-oci.internal.ipv6.address} - mail-vm IN A ${lib.my.net.cidr.host 0 lib.my.colony.prefixes.mail.v4} - mail-vm IN AAAA ${lib.my.net.cidr.host 1 lib.my.colony.prefixes.mail.v6} + mail-vm IN A ${net.cidr.host 0 prefixes.mail.v4} + mail-vm IN AAAA ${net.cidr.host 1 prefixes.mail.v6} andrey-cust IN A ${allAssignments.kelder.estuary.ipv4.address} diff --git a/nixos/boxes/colony/vms/shill/containers/chatterbox.nix b/nixos/boxes/colony/vms/shill/containers/chatterbox.nix index 8c3cd6f..713b2df 100644 --- a/nixos/boxes/colony/vms/shill/containers/chatterbox.nix +++ b/nixos/boxes/colony/vms/shill/containers/chatterbox.nix @@ -1,7 +1,7 @@ { lib, ... }: let inherit (lib.my) net; - inherit (lib.my.colony) domain prefixes; + inherit (lib.my.c.colony) domain prefixes; in { nixos.systems.chatterbox = { @@ -128,7 +128,7 @@ in "2001:db8::/32" "ff00::/8" "fec0::/10" - ] ++ (with lib.my.colony.prefixes; [ all.v4 all.v6 ]); + ] ++ (with lib.my.c.colony.prefixes; [ all.v4 all.v6 ]); url_preview_ip_range_whitelist = with allAssignments.middleman.internal; [ ipv4.address ipv6.address ]; diff --git a/nixos/boxes/colony/vms/shill/containers/colony-psql.nix b/nixos/boxes/colony/vms/shill/containers/colony-psql.nix index b107269..7fd8446 100644 --- a/nixos/boxes/colony/vms/shill/containers/colony-psql.nix +++ b/nixos/boxes/colony/vms/shill/containers/colony-psql.nix @@ -1,7 +1,7 @@ { lib, ... }: let inherit (lib.my) net; - inherit (lib.my.colony) domain prefixes; + inherit (lib.my.c.colony) domain prefixes; in { nixos.systems.colony-psql = { 
@@ -66,7 +66,7 @@ in enable = true; enableTCPIP = true; - authentication = with lib.my.colony.prefixes; '' + authentication = with lib.my.c.colony.prefixes; '' local all postgres peer map=local host all all ${all.v4} md5 diff --git a/nixos/boxes/colony/vms/shill/containers/jackflix/default.nix b/nixos/boxes/colony/vms/shill/containers/jackflix/default.nix index 1bec733..2daffb4 100644 --- a/nixos/boxes/colony/vms/shill/containers/jackflix/default.nix +++ b/nixos/boxes/colony/vms/shill/containers/jackflix/default.nix @@ -1,7 +1,7 @@ { lib, ... }: let inherit (lib.my) net; - inherit (lib.my.colony) domain prefixes; + inherit (lib.my.c.colony) domain prefixes; in { nixos.systems.jackflix = { diff --git a/nixos/boxes/colony/vms/shill/containers/jackflix/networking.nix b/nixos/boxes/colony/vms/shill/containers/jackflix/networking.nix index 3334e9b..a6c7771 100644 --- a/nixos/boxes/colony/vms/shill/containers/jackflix/networking.nix +++ b/nixos/boxes/colony/vms/shill/containers/jackflix/networking.nix @@ -2,6 +2,7 @@ let inherit (lib) mkMerge mkIf; inherit (lib.my) networkdAssignment; + inherit (lib.my.c.colony) prefixes; wg = { keyFile = "jackflix/airvpn-privkey"; @@ -102,23 +103,23 @@ in } { - From = lib.my.colony.prefixes.all.v4; + From = prefixes.all.v4; Table = "main"; Priority = 100; } { - To = lib.my.colony.prefixes.all.v4; + To = prefixes.all.v4; Table = "main"; Priority = 100; } { - From = lib.my.colony.prefixes.all.v6; + From = prefixes.all.v6; Table = "main"; Priority = 100; } { - To = lib.my.colony.prefixes.all.v6; + To = prefixes.all.v6; Table = "main"; Priority = 100; } diff --git a/nixos/boxes/colony/vms/shill/containers/middleman/default.nix b/nixos/boxes/colony/vms/shill/containers/middleman/default.nix index ccdc49d..f9c7a77 100644 --- a/nixos/boxes/colony/vms/shill/containers/middleman/default.nix +++ b/nixos/boxes/colony/vms/shill/containers/middleman/default.nix 
@@ -1,7 +1,8 @@ { lib, ... }: let inherit (lib.my) net; - inherit (lib.my.colony) domain prefixes; + inherit (lib.my.c) pubDomain; + inherit (lib.my.c.colony) domain prefixes; in { nixos.systems.middleman = { @@ -79,8 +80,8 @@ in port = 8082; }; login = { - title = "${lib.my.pubDomain} login"; - default_redirect = "https://${lib.my.pubDomain}"; + title = "${pubDomain} login"; + default_redirect = "https://${pubDomain}"; default_method = "google_oauth"; names = { google_oauth = "Google account"; @@ -88,7 +89,7 @@ in }; }; cookie = { - domain = ".${lib.my.pubDomain}"; + domain = ".${pubDomain}"; secure = true; }; audit_log = { @@ -109,14 +110,14 @@ in }; google_oauth = { client_id = "545475967061-cag4g1qf0pk33g3pdbom4v69562vboc8.apps.googleusercontent.com"; - redirect_url = "https://sso.${lib.my.pubDomain}/login"; + redirect_url = "https://sso.${pubDomain}/login"; user_id_method = "user-id"; }; }; }; includes = { endpoint = "http://localhost:8082"; - baseURL = "https://sso.${lib.my.pubDomain}"; + baseURL = "https://sso.${pubDomain}"; }; }; }; @@ -173,10 +174,10 @@ in EXEC_PATH=${script} ''; }; - "${lib.my.pubDomain}" = { + "${pubDomain}" = { extraDomainNames = [ - "*.${lib.my.pubDomain}" - "*.s3.${lib.my.pubDomain}" + "*.${pubDomain}" + "*.s3.${pubDomain}" ]; dnsProvider = "cloudflare"; credentialsFile = config.age.secrets."middleman/cloudflare-credentials.conf".path; @@ -194,7 +195,7 @@ in }; programs = { - ssh.knownHostsFiles = [ lib.my.sshHostKeys.mail-vm ]; + ssh.knownHostsFiles = [ lib.my.c.sshHostKeys.mail-vm ]; }; services = { @@ -265,7 +266,7 @@ in proxy_send_timeout 60s; proxy_http_version 1.1; - ${lib.my.nginx.proxyHeaders} + ${lib.my.c.nginx.proxyHeaders} # caching proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=4g; diff --git a/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix b/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix index afe95eb..241ecb5 100644 
--- a/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix +++ b/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix @@ -2,6 +2,8 @@ let inherit (builtins) mapAttrs toJSON; inherit (lib) mkMerge mkDefault genAttrs flatten concatStringsSep; + inherit (lib.my.c) pubDomain; + inherit (lib.my.c.nginx) proxyHeaders; dualStackListen' = l: map (addr: l // { inherit addr; }) [ "0.0.0.0" "[::]" ]; dualStackListen = ll: flatten (map dualStackListen' ll); @@ -80,7 +82,7 @@ in } wellKnown ]; - useACMEHost = lib.my.pubDomain; + useACMEHost = pubDomain; }; "localhost" = { forceSSL = false; @@ -98,12 +100,12 @@ in }; }; - "sso.${lib.my.pubDomain}" = { + "sso.${pubDomain}" = { locations."/".proxyPass = config.my.nginx-sso.includes.endpoint; - useACMEHost = lib.my.pubDomain; + useACMEHost = pubDomain; }; - "netdata-colony.${lib.my.pubDomain}" = + "netdata-colony.${pubDomain}" = let hosts = [ "vm" @@ -119,10 +121,10 @@ in "~ /(?${matchHosts})$".return = "301 https://$host/$behost/"; "~ /(?${matchHosts})/(?.*)" = mkMerge [ { - proxyPass = "http://$behost.${config.networking.domain}:19999/$ndpath$is_args$args"; + proxyPass = "http://$behost.${config.networking.pubDomain}:19999/$ndpath$is_args$args"; extraConfig = '' proxy_pass_request_headers on; - ${lib.my.nginx.proxyHeaders} + ${proxyHeaders} proxy_set_header Connection "keep-alive"; proxy_store off; @@ -134,14 +136,14 @@ in (ssoLoc "generic") ]; }; - useACMEHost = lib.my.pubDomain; + useACMEHost = pubDomain; } (ssoServer "generic") ]; - "pass.${lib.my.pubDomain}" = + "pass.${pubDomain}" = let - upstream = "http://vaultwarden-ctr.${config.networking.domain}"; + upstream = "http://vaultwarden-ctr.${config.networking.pubDomain}"; in { locations = { 
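Review bot: `proxyPass = "http://$behost.${config.networking.pubDomain}:19999/$ndpath$is_args$args";` in the `@@ -119,10 +121,10 @@` hunk replaces `config.networking.domain` with `config.networking.pubDomain`, which is not a declared NixOS option (`networking.domain` is), so evaluating this module should fail with a missing-attribute error; it looks like a mechanical rename of `lib.my.pubDomain` to `pubDomain` that also matched the `.domain` suffix. The same substitution appears in the `upstream = "http://vaultwarden-ctr.…"` line of the `@@ -134` hunk, the chatterbox `proxyPass` in `@@ -171`, the jackflix `proxyPass`/`upstream` lines in `@@ -224`, the toot `proxyPass` lines in `@@ -333`, the object `proxyPass` in `@@ -359`, the minio `host =` line in `@@ -380` and `useACMEHost = mkDefault "${config.networking.pubDomain}"` in `@@ -434`; all of them should keep `config.networking.domain`. The `defaultsFor` line is the most consequential one, because it picks the ACME certificate for every vhost that does not override `useACMEHost`.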
@@ -149,11 +151,11 @@ in "/notifications/hub" = { proxyPass = upstream; proxyWebsockets = true; - extraConfig = lib.my.nginx.proxyHeaders; + extraConfig = proxyHeaders; }; "/notifications/hub/negotiate".proxyPass = upstream; }; - useACMEHost = lib.my.pubDomain; + useACMEHost = pubDomain; }; "matrix.nul.ie" = { @@ -171,15 +173,15 @@ in ]; locations = mkMerge [ { - "/".proxyPass = "http://chatterbox-ctr.${config.networking.domain}:8008"; - "= /".return = "301 https://element.${lib.my.pubDomain}"; + "/".proxyPass = "http://chatterbox-ctr.${config.networking.pubDomain}:8008"; + "= /".return = "301 https://element.${pubDomain}"; } wellKnown ]; - useACMEHost = lib.my.pubDomain; + useACMEHost = pubDomain; }; - "element.${lib.my.pubDomain}" = + "element.${pubDomain}" = let headers = '' # TODO: why are these here? 
@@ -224,66 +226,66 @@ in ''; })) ]; - useACMEHost = lib.my.pubDomain; + useACMEHost = pubDomain; }; - "torrents.${lib.my.pubDomain}" = mkMerge [ + "torrents.${pubDomain}" = mkMerge [ { locations."/" = mkMerge [ { - proxyPass = "http://jackflix-ctr.${config.networking.domain}:9091"; + proxyPass = "http://jackflix-ctr.${config.networking.pubDomain}:9091"; } (ssoLoc "generic") ]; - useACMEHost = lib.my.pubDomain; + useACMEHost = pubDomain; } (ssoServer "generic") ]; - "jackett.${lib.my.pubDomain}" = mkMerge [ + "jackett.${pubDomain}" = mkMerge [ { locations."/" = mkMerge [ { - proxyPass = "http://jackflix-ctr.${config.networking.domain}:9117"; + proxyPass = "http://jackflix-ctr.${config.networking.pubDomain}:9117"; } (ssoLoc "generic") ]; - useACMEHost = lib.my.pubDomain; + useACMEHost = pubDomain; } (ssoServer "generic") ]; - "radarr.${lib.my.pubDomain}" = mkMerge [ + "radarr.${pubDomain}" = mkMerge [ { locations."/" = mkMerge [ { - proxyPass = "http://jackflix-ctr.${config.networking.domain}:7878"; + proxyPass = "http://jackflix-ctr.${config.networking.pubDomain}:7878"; proxyWebsockets = true; - extraConfig = lib.my.nginx.proxyHeaders; + extraConfig = proxyHeaders; } (ssoLoc "generic") ]; - useACMEHost = lib.my.pubDomain; + useACMEHost = pubDomain; } (ssoServer "generic") ]; - "sonarr.${lib.my.pubDomain}" = mkMerge [ + "sonarr.${pubDomain}" = mkMerge [ { locations."/" = mkMerge [ { - proxyPass = "http://jackflix-ctr.${config.networking.domain}:8989"; + proxyPass = "http://jackflix-ctr.${config.networking.pubDomain}:8989"; proxyWebsockets = true; - extraConfig = lib.my.nginx.proxyHeaders; + extraConfig = proxyHeaders; } (ssoLoc "generic") ]; - useACMEHost = lib.my.pubDomain; + useACMEHost = pubDomain; } (ssoServer "generic") ]; - "jackflix.${lib.my.pubDomain}" = + "jackflix.${pubDomain}" = let - upstream = "http://jackflix-ctr.${config.networking.domain}:8096"; + upstream = "http://jackflix-ctr.${config.networking.pubDomain}:8096"; in { extraConfig = '' 
@@ -300,10 +302,10 @@ in "/socket" = { proxyPass = upstream; proxyWebsockets = true; - extraConfig = lib.my.nginx.proxyHeaders; + extraConfig = proxyHeaders; }; }; - useACMEHost = lib.my.pubDomain; + useACMEHost = pubDomain; }; "toot.nul.ie" = @@ -312,7 +314,7 @@ in tryFiles = "$uri =404"; extraConfig = '' add_header Cache-Control "public, max-age=2419200, must-revalidate"; - add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; + add_header Strict-Transport-Security "max-age=63072000; includeSubpubDomains"; ''; }; in @@ -333,20 +335,20 @@ in "/".tryFiles = "$uri @proxy"; "^~ /api/v1/streaming" = { - proxyPass = "http://toot-ctr.${config.networking.domain}:55000"; + proxyPass = "http://toot-ctr.${config.networking.pubDomain}:55000"; proxyWebsockets = true; extraConfig = '' - ${lib.my.nginx.proxyHeaders} + ${proxyHeaders} proxy_set_header Proxy ""; - add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; + add_header Strict-Transport-Security "max-age=63072000; includeSubpubDomains"; ''; }; "@proxy" = { - proxyPass = "http://toot-ctr.${config.networking.domain}:55001"; + proxyPass = "http://toot-ctr.${config.networking.pubDomain}:55001"; proxyWebsockets = true; extraConfig = '' - ${lib.my.nginx.proxyHeaders} + ${proxyHeaders} proxy_set_header Proxy ""; proxy_pass_header Server; @@ -359,19 +361,19 @@ in }; } ]; - useACMEHost = lib.my.pubDomain; + useACMEHost = pubDomain; }; - "share.${lib.my.pubDomain}" = { + "share.${pubDomain}" = { locations."/" = { - proxyPass = "http://object-ctr.${config.networking.domain}:9090"; + proxyPass = "http://object-ctr.${config.networking.pubDomain}:9090"; proxyWebsockets = true; - extraConfig = lib.my.nginx.proxyHeaders; + extraConfig = proxyHeaders; }; - useACMEHost = lib.my.pubDomain; + useACMEHost = pubDomain; }; - "stuff.${lib.my.pubDomain}" = { + "stuff.${pubDomain}" = { locations."/" = { basicAuthFile = config.age.secrets."middleman/htpasswd".path; root = "/mnt/media/stuff"; 
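Review bot: `add_header Strict-Transport-Security "max-age=63072000; includeSubpubDomains";` in the `@@ -312,7 +314,7 @@` hunk (and again in `@@ -333`) turns the `includeSubDomains` directive into an unrecognised token; this is a runtime header value, not a Nix identifier, so the rename should not have touched it. Browsers ignore HSTS directives they do not recognise, so the toot.nul.ie policy silently stops covering its subdomains while the header still looks present. Both lines should be restored to `add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";`.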
@@ -380,13 +382,13 @@ in fancyindex_show_dotfiles on; ''; }; - useACMEHost = lib.my.pubDomain; + useACMEHost = pubDomain; }; }; minio = let - host = "object-ctr.${config.networking.domain}"; + host = "object-ctr.${config.networking.pubDomain}"; s3Upstream = "http://${host}:9000"; extraConfig = '' chunked_transfer_encoding off; @@ -401,7 +403,7 @@ in ''; in { - "minio.${lib.my.pubDomain}" = { + "minio.${pubDomain}" = { inherit extraConfig; locations = { "/" = { @@ -410,19 +412,19 @@ in "/ws" = { proxyPass = "http://${host}:9001"; proxyWebsockets = true; - extraConfig = lib.my.nginx.proxyHeaders; + extraConfig = proxyHeaders; }; }; - useACMEHost = lib.my.pubDomain; + useACMEHost = pubDomain; }; - "s3.${lib.my.pubDomain}" = { - serverAliases = [ "*.s3.${lib.my.pubDomain}" ]; + "s3.${pubDomain}" = { + serverAliases = [ "*.s3.${pubDomain}" ]; inherit extraConfig; locations."/".proxyPass = s3Upstream; - useACMEHost = lib.my.pubDomain; + useACMEHost = pubDomain; }; - "nix-cache.${lib.my.pubDomain}" = { + "nix-cache.${pubDomain}" = { extraConfig = '' ${extraConfig} proxy_set_header Host "nix-cache.s3.nul.ie"; @@ -434,14 +436,14 @@ in extraConfig = nixCacheHeaders; }; }; - useACMEHost = lib.my.pubDomain; + useACMEHost = pubDomain; onlySSL = false; }; }; defaultsFor = mapAttrs (n: _: { onlySSL = mkDefault true; - useACMEHost = mkDefault "${config.networking.domain}"; + useACMEHost = mkDefault "${config.networking.pubDomain}"; kTLS = mkDefault true; http2 = mkDefault true; }); diff --git a/nixos/boxes/colony/vms/shill/containers/object.nix b/nixos/boxes/colony/vms/shill/containers/object.nix index b120085..7fc2714 100644 --- a/nixos/boxes/colony/vms/shill/containers/object.nix +++ b/nixos/boxes/colony/vms/shill/containers/object.nix @@ -1,7 +1,7 @@ { lib, ... }: let inherit (lib.my) net; - inherit (lib.my.colony) domain prefixes; + inherit (lib.my.c.colony) domain prefixes; in { nixos.systems.object = { 
@@ -92,7 +92,7 @@ in configOverridesFile = config.age.secrets."object/sharry.conf".path; config = { - base-url = "https://share.${lib.my.pubDomain}"; + base-url = "https://share.${lib.my.c.pubDomain}"; bind.address = "::"; alias-member-enabled = true; webapp = { diff --git a/nixos/boxes/colony/vms/shill/containers/toot.nix b/nixos/boxes/colony/vms/shill/containers/toot.nix index 737d3d9..f4e5576 100644 --- a/nixos/boxes/colony/vms/shill/containers/toot.nix +++ b/nixos/boxes/colony/vms/shill/containers/toot.nix @@ -1,7 +1,7 @@ { lib, ... }: let inherit (lib.my) net; - inherit (lib.my.colony) domain prefixes; + inherit (lib.my.c.colony) domain prefixes; in { nixos.systems.toot = { diff --git a/nixos/boxes/colony/vms/shill/containers/vaultwarden.nix b/nixos/boxes/colony/vms/shill/containers/vaultwarden.nix index 456cb05..27cfea0 100644 --- a/nixos/boxes/colony/vms/shill/containers/vaultwarden.nix +++ b/nixos/boxes/colony/vms/shill/containers/vaultwarden.nix @@ -1,7 +1,7 @@ { lib, ... }: let inherit (lib.my) net; - inherit (lib.my.colony) domain prefixes; + inherit (lib.my.c.colony) domain prefixes; in { nixos.systems.vaultwarden = { @@ -62,7 +62,7 @@ in }; programs.ssh.knownHostsFiles = [ - lib.my.sshKeyFiles.rsyncNet + lib.my.c.sshKeyFiles.rsyncNet ]; services = { @@ -79,7 +79,7 @@ in SIGNUPS_ALLOWED = false; - DOMAIN = "https://pass.${lib.my.pubDomain}"; + DOMAIN = "https://pass.${lib.my.c.pubDomain}"; ROCKET_ADDRESS = "::"; ROCKET_PORT = 80; diff --git a/nixos/boxes/colony/vms/shill/default.nix b/nixos/boxes/colony/vms/shill/default.nix index 5e74ecd..f47e1fa 100644 --- a/nixos/boxes/colony/vms/shill/default.nix +++ b/nixos/boxes/colony/vms/shill/default.nix @@ -1,7 +1,7 @@ { lib, ... }: let inherit (lib.my) net; - inherit (lib.my.colony) domain prefixes; + inherit (lib.my.c.colony) domain prefixes; in { imports = [ ./containers ]; 
@@ -97,7 +97,7 @@ in }; services = { - fstrim = lib.my.colony.fstrimConfig; + fstrim = lib.my.c.colony.fstrimConfig; netdata.enable = true; }; @@ -131,7 +131,7 @@ in }; ipv6Prefixes = [ { - ipv6PrefixConfig.Prefix = lib.my.colony.prefixes.ctrs.v6; + ipv6PrefixConfig.Prefix = prefixes.ctrs.v6; } ]; } diff --git a/nixos/boxes/colony/vms/whale2/default.nix b/nixos/boxes/colony/vms/whale2/default.nix index 1754a8f..6901b95 100644 --- a/nixos/boxes/colony/vms/whale2/default.nix +++ b/nixos/boxes/colony/vms/whale2/default.nix @@ -2,7 +2,7 @@ let inherit (builtins) mapAttrs; inherit (lib.my) net; - inherit (lib.my.colony) domain prefixes; + inherit (lib.my.c.colony) domain prefixes; in { nixos.systems.whale2 = { @@ -94,7 +94,7 @@ in }; services = { - fstrim = lib.my.colony.fstrimConfig; + fstrim = lib.my.c.colony.fstrimConfig; netdata.enable = true; }; diff --git a/nixos/boxes/kelder/containers/acquisition/default.nix b/nixos/boxes/kelder/containers/acquisition/default.nix index 85d9715..383d95c 100644 --- a/nixos/boxes/kelder/containers/acquisition/default.nix +++ b/nixos/boxes/kelder/containers/acquisition/default.nix @@ -1,7 +1,7 @@ { lib, ... }: let inherit (lib.my) net; - inherit (lib.my.kelder) domain prefixes; + inherit (lib.my.c.kelder) domain prefixes; in { nixos.systems.kelder-acquisition = { @@ -44,7 +44,7 @@ in }; users = { - groups.media.gid = lib.my.kelder.groups.media; + groups.media.gid = lib.my.c.kelder.groups.media; users = { "${config.my.user.config.name}".extraGroups = [ "media" ]; diff --git a/nixos/boxes/kelder/containers/acquisition/networking.nix b/nixos/boxes/kelder/containers/acquisition/networking.nix index 0f5afc7..b33c27f 100644 --- a/nixos/boxes/kelder/containers/acquisition/networking.nix +++ b/nixos/boxes/kelder/containers/acquisition/networking.nix 
@@ -104,12 +104,12 @@ in } { - From = lib.my.kelder.prefixes.all.v4; + From = lib.my.c.kelder.prefixes.all.v4; Table = "main"; Priority = 100; } { - To = lib.my.kelder.prefixes.all.v4; + To = lib.my.c.kelder.prefixes.all.v4; Table = "main"; Priority = 100; } diff --git a/nixos/boxes/kelder/containers/spoder/default.nix b/nixos/boxes/kelder/containers/spoder/default.nix index 8f2b3a2..f98f8b3 100644 --- a/nixos/boxes/kelder/containers/spoder/default.nix +++ b/nixos/boxes/kelder/containers/spoder/default.nix @@ -2,7 +2,7 @@ let inherit (lib) mkForce mkMerge; inherit (lib.my) net; - inherit (lib.my.kelder) domain prefixes; + inherit (lib.my.c.kelder) domain prefixes; in { nixos.systems.kelder-spoder = { @@ -54,9 +54,9 @@ in dnsResolver = "8.8.8.8"; }; certs = { - "${lib.my.kelder.domain}" = { + "${domain}" = { extraDomainNames = [ - "*.${lib.my.kelder.domain}" + "*.${domain}" ]; dnsProvider = "cloudflare"; credentialsFile = config.age.secrets."kelder/cloudflare-credentials.conf".path; @@ -65,7 +65,7 @@ in }; users = { - groups.storage.gid = lib.my.kelder.groups.storage; + groups.storage.gid = lib.my.c.kelder.groups.storage; users = { nginx.extraGroups = [ "acme" ]; @@ -93,11 +93,11 @@ in enable = true; package = pkgs.nextcloud27; datadir = "/mnt/storage/nextcloud"; - hostName = "cloud.${lib.my.kelder.domain}"; + hostName = "cloud.${domain}"; https = true; enableBrokenCiphersForSSE = false; config = { - extraTrustedDomains = [ "cloud-local.${lib.my.kelder.domain}" ]; + extraTrustedDomains = [ "cloud-local.${domain}" ]; adminpassFile = config.age.secrets."kelder/nextcloud-root.txt".path; defaultPhoneRegion = "IE"; }; diff --git a/nixos/boxes/kelder/containers/spoder/nginx.nix b/nixos/boxes/kelder/containers/spoder/nginx.nix index 7f31994..7035cae 100644 --- a/nixos/boxes/kelder/containers/spoder/nginx.nix +++ b/nixos/boxes/kelder/containers/spoder/nginx.nix 
@@ -2,6 +2,8 @@
 let
 inherit (builtins) mapAttrs;
 inherit (lib) mkMerge mkIf mkDefault;
+ inherit (lib.my.c.nginx) proxyHeaders;
+ inherit (lib.my.c.kelder) domain;
 in
 {
 config = {
@@ -73,7 +75,7 @@ in
 proxy_send_timeout 60s;
 proxy_http_version 1.1;
- ${lib.my.nginx.proxyHeaders}
+ ${proxyHeaders}
 # caching
 proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=4g;
@@ -135,15 +137,15 @@ in
 };
 };
- "monitor.${lib.my.kelder.domain}" = withAuth {
- serverAliases = [ "monitor-local.${lib.my.kelder.domain}" ];
- extraConfig = localRedirect "monitor-local.${lib.my.kelder.domain}";
+ "monitor.${domain}" = withAuth {
+ serverAliases = [ "monitor-local.${domain}" ];
+ extraConfig = localRedirect "monitor-local.${domain}";
 locations = {
 "/" = {
 proxyPass = "http://${allAssignments.kelder.ctrs.ipv4.address}:19999";
 extraConfig = ''
 proxy_pass_request_headers on;
- ${lib.my.nginx.proxyHeaders}
+ ${proxyHeaders}
 proxy_set_header Connection "keep-alive";
 proxy_store off;
@@ -155,8 +157,8 @@ in
 };
 };
- "kontent.${lib.my.kelder.domain}" = {
- serverAliases = [ "kontent-local.${lib.my.kelder.domain}" ];
+ "kontent.${domain}" = {
+ serverAliases = [ "kontent-local.${domain}" ];
 locations = {
 "/".proxyPass = "${acquisition}:8096";
 "= /".return = "302 $scheme://$host/web/";
@@ -164,47 +166,47 @@ in
 "/socket" = {
 proxyPass = "${acquisition}:8096/socket";
 proxyWebsockets = true;
- extraConfig = lib.my.nginx.proxyHeaders;
+ extraConfig = proxyHeaders;
 };
 };
 };
- "torrents.${lib.my.kelder.domain}" = withAuth {
- serverAliases = [ "torrents-local.${lib.my.kelder.domain}" ];
- extraConfig = localRedirect "torrents-local.${lib.my.kelder.domain}";
+ "torrents.${domain}" = withAuth {
+ serverAliases = [ "torrents-local.${domain}" ];
+ extraConfig = localRedirect "torrents-local.${domain}";
 locations."/".proxyPass = "${acquisition}:9091";
 };
- "jackett.${lib.my.kelder.domain}" = withAuth {
- serverAliases = [ "jackett-local.${lib.my.kelder.domain}" ];
- extraConfig = localRedirect "jackett-local.${lib.my.kelder.domain}";
+ "jackett.${domain}" = withAuth {
+ serverAliases = [ "jackett-local.${domain}" ];
+ extraConfig = localRedirect "jackett-local.${domain}";
 locations."/".proxyPass = "${acquisition}:9117";
 };
- "radarr.${lib.my.kelder.domain}" = withAuth {
- serverAliases = [ "radarr-local.${lib.my.kelder.domain}" ];
- extraConfig = localRedirect "radarr-local.${lib.my.kelder.domain}";
+ "radarr.${domain}" = withAuth {
+ serverAliases = [ "radarr-local.${domain}" ];
+ extraConfig = localRedirect "radarr-local.${domain}";
 locations."/" = {
 proxyPass = "${acquisition}:7878";
 proxyWebsockets = true;
- extraConfig = lib.my.nginx.proxyHeaders;
+ extraConfig = proxyHeaders;
 };
 };
- "sonarr.${lib.my.kelder.domain}" = withAuth {
- serverAliases = [ "sonarr-local.${lib.my.kelder.domain}" ];
- extraConfig = localRedirect "sonarr-local.${lib.my.kelder.domain}";
+ "sonarr.${domain}" = withAuth {
+ serverAliases = [ "sonarr-local.${domain}" ];
+ extraConfig = localRedirect "sonarr-local.${domain}";
 locations."/" = {
 proxyPass = "${acquisition}:8989";
 proxyWebsockets = true;
- extraConfig = lib.my.nginx.proxyHeaders;
+ extraConfig = proxyHeaders;
 };
 };
- "cloud.${lib.my.kelder.domain}" = {
- serverAliases = [ "cloud-local.${lib.my.kelder.domain}" ];
+ "cloud.${domain}" = {
+ serverAliases = [ "cloud-local.${domain}" ];
 };
 };
 defaultsFor = mapAttrs (n: _: {
 onlySSL = mkDefault true;
- useACMEHost = mkDefault lib.my.kelder.domain;
+ useACMEHost = mkDefault domain;
 kTLS = mkDefault true;
 http2 = mkDefault true;
 });
diff --git a/nixos/boxes/kelder/default.nix b/nixos/boxes/kelder/default.nix
index e3d6f84..d12e30c 100644
--- a/nixos/boxes/kelder/default.nix
+++ b/nixos/boxes/kelder/default.nix
@@ -1,7 +1,7 @@
 { lib, ... }:
 let
 inherit (lib.my) net;
- inherit (lib.my.kelder) domain prefixes;
+ inherit (lib.my.c.kelder) domain prefixes;
 in
 {
 imports = [ ./containers ];
@@ -14,7 +14,7 @@ in
 assignments = {
 estuary = {
 ipv4 ={
- address = net.cidr.host 0 lib.my.colony.prefixes.vip2;
+ address = net.cidr.host 0 lib.my.c.colony.prefixes.vip2;
 mask = 32;
 gateway = null;
 };
@@ -85,7 +85,7 @@ in
 };
 users = {
- groups = with lib.my.kelder.groups; {
+ groups = with lib.my.c.kelder.groups; {
 storage.gid = storage;
 media.gid = media;
 };
@@ -150,7 +150,7 @@ in
 };
 networking = {
- domain = lib.my.kelder.domain;
+ inherit domain;
 };
 system.nixos.distroName = "KelderOS";
@@ -180,7 +180,7 @@ in
 {
 wireguardPeerConfig = {
 PublicKey = "bP1XUNxp9i8NLOXhgPaIaRzRwi5APbam44/xjvYcyjU=";
- Endpoint = "estuary-vm.${lib.my.colony.domain}:${toString lib.my.kelder.vpn.port}";
+ Endpoint = "estuary-vm.${lib.my.c.colony.domain}:${toString lib.my.c.kelder.vpn.port}";
 AllowedIPs = [ "0.0.0.0/0" ];
 PersistentKeepalive = 25;
 };
@@ -270,7 +270,6 @@ in
 config.name = "kontent";
 };
- #deploy.generate.system.mode = "boot";
 #deploy.node.hostname = "10.16.9.21";
 secrets = {
 key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFvUdJshXkqmchEgkZDn5rgtZ1NO9vbd6Px+S6YioWi";
@@ -311,7 +310,7 @@ in
 chain prerouting {
 type filter hook prerouting priority mangle; policy accept;
 ip daddr ${assignments.estuary.ipv4.address} ct state new ct mark set ${toString dnatMark}
- ip saddr ${lib.my.kelder.prefixes.all.v4} ct mark != 0 meta mark set ct mark
+ ip saddr ${lib.my.c.kelder.prefixes.all.v4} ct mark != 0 meta mark set ct mark
 }
 chain output {
 type filter hook output priority mangle; policy accept;
@@ -320,7 +319,7 @@ in
 }
 table inet nat {
 chain postrouting {
- ip saddr ${lib.my.kelder.prefixes.all.v4} oifname et1g0 masquerade
+ ip saddr ${lib.my.c.kelder.prefixes.all.v4} oifname et1g0 masquerade
 }
 }
 '';
diff --git a/nixos/installer.nix b/nixos/installer.nix
index bfb3444..c3b590d 100644
--- a/nixos/installer.nix
+++ b/nixos/installer.nix
@@ -39,7 +39,7 @@ environment.sessionVariables = {
 INSTALL_ROOT = installRoot;
 };
- users.users.root.openssh.authorizedKeys.keyFiles = [ lib.my.sshKeyFiles.deploy ];
+ users.users.root.openssh.authorizedKeys.keyFiles = [ lib.my.c.sshKeyFiles.deploy ];
 home-manager.users.root = {
 programs = {
 starship.settings = {
diff --git a/nixos/modules/common.nix b/nixos/modules/common.nix
index 8c36212..2132875 100644
--- a/nixos/modules/common.nix
+++ b/nixos/modules/common.nix
@@ -47,7 +47,7 @@ in
 #"https://nix-cache.nul.ie"
 "https://cache.nixos.org"
 ];
- trusted-public-keys = lib.my.nix.cacheKeys;
+ trusted-public-keys = lib.my.c.nix.cacheKeys;
 };
 registry = {
 pkgs = {
diff --git a/nixos/modules/deploy-rs.nix b/nixos/modules/deploy-rs.nix
index b3c502b..5b78dfe 100644
--- a/nixos/modules/deploy-rs.nix
+++ b/nixos/modules/deploy-rs.nix
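Review bot: The two nftables rules rewritten in the `@@ -311` and `@@ -320` hunks of nixos/boxes/kelder/default.nix still spell out `lib.my.c.kelder.prefixes.all.v4`, even though this file's first hunk now has `inherit (lib.my.c.kelder) domain prefixes;` and its `@@ -150` hunk already switched to the bare `inherit domain;`. Using the inherited binding — `ip saddr ${prefixes.all.v4} ct mark != 0 meta mark set ct mark` and `ip saddr ${prefixes.all.v4} oifname et1g0 masquerade` — keeps the ct-mark and masquerade source ranges tied to the same value the rest of the file uses, so a later rename of the prefix set cannot leave one firewall rule matching a stale or mistyped range. The `@@ -104` hunk in nixos/boxes/kelder/containers/acquisition/networking.nix uses the same long form, but that file's `let` block is not in the diff, so whether `prefixes` is in scope there cannot be confirmed here. The enclosing nftables ruleset string begins before the first of these hunks and its `''` terminator is only reached in the second.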
@@ -86,7 +86,7 @@ in
 options.my.deploy = with lib.types; {
 authorizedKeys = {
 keys = mkOpt' (listOf singleLineStr) [ ] "SSH public keys to add to the default deployment user.";
- keyFiles = mkOpt' (listOf path) [ lib.my.sshKeyFiles.deploy ] "SSH public key files to add to the default deployment user.";
+ keyFiles = mkOpt' (listOf path) [ lib.my.c.sshKeyFiles.deploy ] "SSH public key files to add to the default deployment user.";
 };
 enable = mkBoolOpt' true "Whether to expose deploy-rs configuration for this system.";
diff --git a/nixos/modules/network.nix b/nixos/modules/network.nix
index f8519ba..d041fa5 100644
--- a/nixos/modules/network.nix
+++ b/nixos/modules/network.nix
@@ -6,7 +6,7 @@ in
 config = mkMerge [
 {
 networking = {
- domain = mkDefault "int.${lib.my.pubDomain}";
+ domain = mkDefault "int.${lib.my.c.pubDomain}";
 useDHCP = false;
 enableIPv6 = mkDefault true;
 useNetworkd = mkDefault true;
diff --git a/nixos/modules/user.nix b/nixos/modules/user.nix
index f0aea04..50164a4 100644
--- a/nixos/modules/user.nix
+++ b/nixos/modules/user.nix
@@ -41,7 +41,7 @@ in shell = let shell = cfg.homeConfig.my.shell; in mkIf (shell != null) (mkDefault' shell);
- openssh.authorizedKeys.keyFiles = [ lib.my.sshKeyFiles.me ];
+ openssh.authorizedKeys.keyFiles = [ lib.my.c.sshKeyFiles.me ];
 };
 homeConfig = {
 # In order for this option to evaluate on its own, home-manager expects the `name` (which is derived from the