Split constants into separate lib file

2023-11-02 13:41:50 +00:00
parent 0659809c22
commit 2dbc8b398b
30 changed files with 269 additions and 261 deletions


@@ -84,7 +84,7 @@
};
networking = {
domain = "h.${lib.my.pubDomain}";
domain = "h.${lib.my.c.pubDomain}";
firewall.enable = false;
};


@@ -1,7 +1,7 @@
{ lib, ... }:
let
inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes;
inherit (lib.my.c.colony) domain prefixes;
in
{
imports = [ ./vms ];
@@ -93,11 +93,11 @@ in
};
programs.ssh.knownHostsFiles = [
lib.my.sshKeyFiles.rsyncNet
lib.my.c.sshKeyFiles.rsyncNet
];
services = {
fstrim = lib.my.colony.fstrimConfig;
fstrim = lib.my.c.colony.fstrimConfig;
lvm = {
boot.thin.enable = true;
dmeventd.enable = true;
@@ -214,16 +214,16 @@ in
};
ipv6Prefixes = [
{
ipv6PrefixConfig.Prefix = lib.my.colony.prefixes.vms.v6;
ipv6PrefixConfig.Prefix = prefixes.vms.v6;
}
];
routes = map (r: { routeConfig = r; }) [
{
Destination = lib.my.colony.prefixes.ctrs.v4;
Destination = prefixes.ctrs.v4;
Gateway = allAssignments.shill.routing.ipv4.address;
}
{
Destination = lib.my.colony.prefixes.ctrs.v6;
Destination = prefixes.ctrs.v6;
Gateway = allAssignments.shill.internal.ipv6.address;
}
{
@@ -232,11 +232,11 @@ in
}
{
Destination = lib.my.colony.prefixes.oci.v4;
Destination = prefixes.oci.v4;
Gateway = allAssignments.whale2.routing.ipv4.address;
}
{
Destination = lib.my.colony.prefixes.oci.v6;
Destination = prefixes.oci.v6;
Gateway = allAssignments.whale2.internal.ipv6.address;
}
{


@@ -14,12 +14,12 @@ in
config = ''
define OWNAS = 211024;
define CCVIP1 = ${lib.my.colony.prefixes.vip1};
define CCVIP2 = ${lib.my.colony.prefixes.vip2};
define CCVIP1 = ${lib.my.c.colony.prefixes.vip1};
define CCVIP2 = ${lib.my.c.colony.prefixes.vip2};
define OWNIP4 = ${assignments.internal.ipv4.address};
define OWNNETSET4 = [ ${assignments.internal.ipv4.address}/32 ];
define CCNETSET4 = [ ${lib.my.colony.prefixes.vip1}, ${lib.my.colony.prefixes.vip2} ];
define CCNETSET4 = [ ${lib.my.c.colony.prefixes.vip1}, ${lib.my.c.colony.prefixes.vip2} ];
define INTNET6 = ${intnet6};
define AMSNET6 = ${amsnet6};


@@ -1,7 +1,7 @@
{ lib, ... }:
let
inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes;
inherit (lib.my.c.colony) domain prefixes;
pubV4 = "94.142.240.44";
in
@@ -95,7 +95,7 @@ in
};
services = {
fstrim = lib.my.colony.fstrimConfig;
fstrim = lib.my.c.colony.fstrimConfig;
lvm = {
dmeventd.enable = true;
};
@@ -182,7 +182,7 @@ in
};
wireguardConfig = {
PrivateKeyFile = config.age.secrets."estuary/kelder-wg.key".path;
ListenPort = lib.my.kelder.vpn.port;
ListenPort = lib.my.c.kelder.vpn.port;
};
wireguardPeers = [
{
@@ -306,27 +306,27 @@ in
};
ipv6Prefixes = [
{
ipv6PrefixConfig.Prefix = lib.my.colony.prefixes.base.v6;
ipv6PrefixConfig.Prefix = prefixes.base.v6;
}
];
routes = map (r: { routeConfig = r; }) (flatten
([
{
Destination = lib.my.colony.prefixes.vip1;
Destination = prefixes.vip1;
Gateway = allAssignments.colony.routing.ipv4.address;
}
{
Destination = lib.my.colony.prefixes.cust.v6;
Destination = prefixes.cust.v6;
Gateway = allAssignments.colony.internal.ipv6.address;
}
] ++
(map (pName: [
{
Gateway = allAssignments.colony.routing.ipv4.address;
Destination = lib.my.colony.prefixes."${pName}".v4;
Destination = prefixes."${pName}".v4;
}
{
Destination = lib.my.colony.prefixes."${pName}".v6;
Destination = prefixes."${pName}".v6;
Gateway = allAssignments.colony.internal.ipv6.address;
}
]) [ "vms" "ctrs" "oci" ])));
@@ -356,7 +356,6 @@ in
};
my = {
#deploy.generate.system.mode = "boot";
secrets = {
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9up7pXu6M/OWCKufTOfSiGcxMUk4VqUe7fLuatNFFA";
files = {
@@ -369,7 +368,7 @@ in
firewall = {
trustedInterfaces = [ "as211024" ];
udp.allowed = [ 5353 lib.my.kelder.vpn.port ];
udp.allowed = [ 5353 lib.my.c.kelder.vpn.port ];
tcp.allowed = [ 5353 "bgp" ];
nat = {
enable = true;
@@ -458,7 +457,7 @@ in
${matchInet "meta l4proto { udp, tcp } th dport domain redirect to :5353" "estuary"}
}
chain postrouting {
ip saddr ${lib.my.colony.prefixes.all.v4} snat to ${assignments.internal.ipv4.address}
ip saddr ${prefixes.all.v4} snat to ${assignments.internal.ipv4.address}
}
}
'';


@@ -1,6 +1,8 @@
{ lib, pkgs, config, assignments, allAssignments, ... }:
let
inherit (builtins) attrNames;
inherit (lib.my) net;
inherit (lib.my.c.colony) prefixes;
authZones = attrNames config.my.pdns.auth.bind.zones;
in
@@ -49,7 +51,7 @@ in
];
allowFrom = [
"127.0.0.0/8" "::1/128"
lib.my.colony.prefixes.all.v4 lib.my.colony.prefixes.all.v6
prefixes.all.v4 prefixes.all.v6
];
};
@@ -147,8 +149,8 @@ in
valheim IN A ${assignments.internal.ipv4.address}
valheim IN AAAA ${allAssignments.valheim-oci.internal.ipv6.address}
mail-vm IN A ${lib.my.net.cidr.host 0 lib.my.colony.prefixes.mail.v4}
mail-vm IN AAAA ${lib.my.net.cidr.host 1 lib.my.colony.prefixes.mail.v6}
mail-vm IN A ${net.cidr.host 0 prefixes.mail.v4}
mail-vm IN AAAA ${net.cidr.host 1 prefixes.mail.v6}
andrey-cust IN A ${allAssignments.kelder.estuary.ipv4.address}


@@ -1,7 +1,7 @@
{ lib, ... }:
let
inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes;
inherit (lib.my.c.colony) domain prefixes;
in
{
nixos.systems.chatterbox = {
@@ -128,7 +128,7 @@ in
"2001:db8::/32"
"ff00::/8"
"fec0::/10"
] ++ (with lib.my.colony.prefixes; [ all.v4 all.v6 ]);
] ++ (with lib.my.c.colony.prefixes; [ all.v4 all.v6 ]);
url_preview_ip_range_whitelist =
with allAssignments.middleman.internal;
[ ipv4.address ipv6.address ];


@@ -1,7 +1,7 @@
{ lib, ... }:
let
inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes;
inherit (lib.my.c.colony) domain prefixes;
in
{
nixos.systems.colony-psql = {
@@ -66,7 +66,7 @@ in
enable = true;
enableTCPIP = true;
authentication = with lib.my.colony.prefixes; ''
authentication = with lib.my.c.colony.prefixes; ''
local all postgres peer map=local
host all all ${all.v4} md5


@@ -1,7 +1,7 @@
{ lib, ... }:
let
inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes;
inherit (lib.my.c.colony) domain prefixes;
in
{
nixos.systems.jackflix = {


@@ -2,6 +2,7 @@
let
inherit (lib) mkMerge mkIf;
inherit (lib.my) networkdAssignment;
inherit (lib.my.c.colony) prefixes;
wg = {
keyFile = "jackflix/airvpn-privkey";
@@ -102,23 +103,23 @@ in
}
{
From = lib.my.colony.prefixes.all.v4;
From = prefixes.all.v4;
Table = "main";
Priority = 100;
}
{
To = lib.my.colony.prefixes.all.v4;
To = prefixes.all.v4;
Table = "main";
Priority = 100;
}
{
From = lib.my.colony.prefixes.all.v6;
From = prefixes.all.v6;
Table = "main";
Priority = 100;
}
{
To = lib.my.colony.prefixes.all.v6;
To = prefixes.all.v6;
Table = "main";
Priority = 100;
}


@@ -1,7 +1,8 @@
{ lib, ... }:
let
inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes;
inherit (lib.my.c) pubDomain;
inherit (lib.my.c.colony) domain prefixes;
in
{
nixos.systems.middleman = {
@@ -79,8 +80,8 @@ in
port = 8082;
};
login = {
title = "${lib.my.pubDomain} login";
default_redirect = "https://${lib.my.pubDomain}";
title = "${pubDomain} login";
default_redirect = "https://${pubDomain}";
default_method = "google_oauth";
names = {
google_oauth = "Google account";
@@ -88,7 +89,7 @@ in
};
};
cookie = {
domain = ".${lib.my.pubDomain}";
domain = ".${pubDomain}";
secure = true;
};
audit_log = {
@@ -109,14 +110,14 @@ in
};
google_oauth = {
client_id = "545475967061-cag4g1qf0pk33g3pdbom4v69562vboc8.apps.googleusercontent.com";
redirect_url = "https://sso.${lib.my.pubDomain}/login";
redirect_url = "https://sso.${pubDomain}/login";
user_id_method = "user-id";
};
};
};
includes = {
endpoint = "http://localhost:8082";
baseURL = "https://sso.${lib.my.pubDomain}";
baseURL = "https://sso.${pubDomain}";
};
};
};
@@ -173,10 +174,10 @@ in
EXEC_PATH=${script}
'';
};
"${lib.my.pubDomain}" = {
"${pubDomain}" = {
extraDomainNames = [
"*.${lib.my.pubDomain}"
"*.s3.${lib.my.pubDomain}"
"*.${pubDomain}"
"*.s3.${pubDomain}"
];
dnsProvider = "cloudflare";
credentialsFile = config.age.secrets."middleman/cloudflare-credentials.conf".path;
@@ -194,7 +195,7 @@ in
};
programs = {
ssh.knownHostsFiles = [ lib.my.sshHostKeys.mail-vm ];
ssh.knownHostsFiles = [ lib.my.c.sshHostKeys.mail-vm ];
};
services = {
@@ -265,7 +266,7 @@ in
proxy_send_timeout 60s;
proxy_http_version 1.1;
${lib.my.nginx.proxyHeaders}
${lib.my.c.nginx.proxyHeaders}
# caching
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=4g;


@@ -2,6 +2,8 @@
let
inherit (builtins) mapAttrs toJSON;
inherit (lib) mkMerge mkDefault genAttrs flatten concatStringsSep;
inherit (lib.my.c) pubDomain;
inherit (lib.my.c.nginx) proxyHeaders;
dualStackListen' = l: map (addr: l // { inherit addr; }) [ "0.0.0.0" "[::]" ];
dualStackListen = ll: flatten (map dualStackListen' ll);
@@ -80,7 +82,7 @@ in
}
wellKnown
];
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
};
"localhost" = {
forceSSL = false;
@@ -98,12 +100,12 @@ in
};
};
"sso.${lib.my.pubDomain}" = {
"sso.${pubDomain}" = {
locations."/".proxyPass = config.my.nginx-sso.includes.endpoint;
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
};
"netdata-colony.${lib.my.pubDomain}" =
"netdata-colony.${pubDomain}" =
let
hosts = [
"vm"
@@ -119,10 +121,10 @@ in
"~ /(?<behost>${matchHosts})$".return = "301 https://$host/$behost/";
"~ /(?<behost>${matchHosts})/(?<ndpath>.*)" = mkMerge [
{
proxyPass = "http://$behost.${config.networking.domain}:19999/$ndpath$is_args$args";
proxyPass = "http://$behost.${config.networking.pubDomain}:19999/$ndpath$is_args$args";
extraConfig = ''
proxy_pass_request_headers on;
${lib.my.nginx.proxyHeaders}
${proxyHeaders}
proxy_set_header Connection "keep-alive";
proxy_store off;
@@ -134,14 +136,14 @@ in
(ssoLoc "generic")
];
};
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
}
(ssoServer "generic")
];
"pass.${lib.my.pubDomain}" =
"pass.${pubDomain}" =
let
upstream = "http://vaultwarden-ctr.${config.networking.domain}";
upstream = "http://vaultwarden-ctr.${config.networking.pubDomain}";
in
{
locations = {
@@ -149,11 +151,11 @@ in
"/notifications/hub" = {
proxyPass = upstream;
proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders;
extraConfig = proxyHeaders;
};
"/notifications/hub/negotiate".proxyPass = upstream;
};
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
};
"matrix.nul.ie" = {
@@ -171,15 +173,15 @@ in
];
locations = mkMerge [
{
"/".proxyPass = "http://chatterbox-ctr.${config.networking.domain}:8008";
"= /".return = "301 https://element.${lib.my.pubDomain}";
"/".proxyPass = "http://chatterbox-ctr.${config.networking.pubDomain}:8008";
"= /".return = "301 https://element.${pubDomain}";
}
wellKnown
];
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
};
"element.${lib.my.pubDomain}" =
"element.${pubDomain}" =
let
headers = ''
# TODO: why are these here?
@@ -224,66 +226,66 @@ in
'';
}))
];
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
};
"torrents.${lib.my.pubDomain}" = mkMerge [
"torrents.${pubDomain}" = mkMerge [
{
locations."/" = mkMerge [
{
proxyPass = "http://jackflix-ctr.${config.networking.domain}:9091";
proxyPass = "http://jackflix-ctr.${config.networking.pubDomain}:9091";
}
(ssoLoc "generic")
];
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
}
(ssoServer "generic")
];
"jackett.${lib.my.pubDomain}" = mkMerge [
"jackett.${pubDomain}" = mkMerge [
{
locations."/" = mkMerge [
{
proxyPass = "http://jackflix-ctr.${config.networking.domain}:9117";
proxyPass = "http://jackflix-ctr.${config.networking.pubDomain}:9117";
}
(ssoLoc "generic")
];
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
}
(ssoServer "generic")
];
"radarr.${lib.my.pubDomain}" = mkMerge [
"radarr.${pubDomain}" = mkMerge [
{
locations."/" = mkMerge [
{
proxyPass = "http://jackflix-ctr.${config.networking.domain}:7878";
proxyPass = "http://jackflix-ctr.${config.networking.pubDomain}:7878";
proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders;
extraConfig = proxyHeaders;
}
(ssoLoc "generic")
];
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
}
(ssoServer "generic")
];
"sonarr.${lib.my.pubDomain}" = mkMerge [
"sonarr.${pubDomain}" = mkMerge [
{
locations."/" = mkMerge [
{
proxyPass = "http://jackflix-ctr.${config.networking.domain}:8989";
proxyPass = "http://jackflix-ctr.${config.networking.pubDomain}:8989";
proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders;
extraConfig = proxyHeaders;
}
(ssoLoc "generic")
];
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
}
(ssoServer "generic")
];
"jackflix.${lib.my.pubDomain}" =
"jackflix.${pubDomain}" =
let
upstream = "http://jackflix-ctr.${config.networking.domain}:8096";
upstream = "http://jackflix-ctr.${config.networking.pubDomain}:8096";
in
{
extraConfig = ''
@@ -300,10 +302,10 @@ in
"/socket" = {
proxyPass = upstream;
proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders;
extraConfig = proxyHeaders;
};
};
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
};
"toot.nul.ie" =
@@ -312,7 +314,7 @@ in
tryFiles = "$uri =404";
extraConfig = ''
add_header Cache-Control "public, max-age=2419200, must-revalidate";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
add_header Strict-Transport-Security "max-age=63072000; includeSubpubDomains";
'';
};
in
@@ -333,20 +335,20 @@ in
"/".tryFiles = "$uri @proxy";
"^~ /api/v1/streaming" = {
proxyPass = "http://toot-ctr.${config.networking.domain}:55000";
proxyPass = "http://toot-ctr.${config.networking.pubDomain}:55000";
proxyWebsockets = true;
extraConfig = ''
${lib.my.nginx.proxyHeaders}
${proxyHeaders}
proxy_set_header Proxy "";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
add_header Strict-Transport-Security "max-age=63072000; includeSubpubDomains";
'';
};
"@proxy" = {
proxyPass = "http://toot-ctr.${config.networking.domain}:55001";
proxyPass = "http://toot-ctr.${config.networking.pubDomain}:55001";
proxyWebsockets = true;
extraConfig = ''
${lib.my.nginx.proxyHeaders}
${proxyHeaders}
proxy_set_header Proxy "";
proxy_pass_header Server;
@@ -359,19 +361,19 @@ in
};
}
];
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
};
"share.${lib.my.pubDomain}" = {
"share.${pubDomain}" = {
locations."/" = {
proxyPass = "http://object-ctr.${config.networking.domain}:9090";
proxyPass = "http://object-ctr.${config.networking.pubDomain}:9090";
proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders;
extraConfig = proxyHeaders;
};
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
};
"stuff.${lib.my.pubDomain}" = {
"stuff.${pubDomain}" = {
locations."/" = {
basicAuthFile = config.age.secrets."middleman/htpasswd".path;
root = "/mnt/media/stuff";
@@ -380,13 +382,13 @@ in
fancyindex_show_dotfiles on;
'';
};
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
};
};
minio =
let
host = "object-ctr.${config.networking.domain}";
host = "object-ctr.${config.networking.pubDomain}";
s3Upstream = "http://${host}:9000";
extraConfig = ''
chunked_transfer_encoding off;
@@ -401,7 +403,7 @@ in
'';
in
{
"minio.${lib.my.pubDomain}" = {
"minio.${pubDomain}" = {
inherit extraConfig;
locations = {
"/" = {
@@ -410,19 +412,19 @@ in
"/ws" = {
proxyPass = "http://${host}:9001";
proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders;
extraConfig = proxyHeaders;
};
};
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
};
"s3.${lib.my.pubDomain}" = {
serverAliases = [ "*.s3.${lib.my.pubDomain}" ];
"s3.${pubDomain}" = {
serverAliases = [ "*.s3.${pubDomain}" ];
inherit extraConfig;
locations."/".proxyPass = s3Upstream;
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
};
"nix-cache.${lib.my.pubDomain}" = {
"nix-cache.${pubDomain}" = {
extraConfig = ''
${extraConfig}
proxy_set_header Host "nix-cache.s3.nul.ie";
@@ -434,14 +436,14 @@ in
extraConfig = nixCacheHeaders;
};
};
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
onlySSL = false;
};
};
defaultsFor = mapAttrs (n: _: {
onlySSL = mkDefault true;
useACMEHost = mkDefault "${config.networking.domain}";
useACMEHost = mkDefault "${config.networking.pubDomain}";
kTLS = mkDefault true;
http2 = mkDefault true;
});
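Review bot: The `lib.my.pubDomain` → `pubDomain` rename in this file over-matched and rewrote unrelated text: every `config.networking.domain` in the proxyPass/upstream/host strings (netdata, vaultwarden, chatterbox, jackflix, toot, object, minio) and in the `defaultsFor` `useACMEHost` default became `config.networking.pubDomain`, which is not a NixOS option and is not defined anywhere in this commit, so unless the project declares it elsewhere these hosts will fail to evaluate; the original `config.networking.domain` should be restored on each of those lines, e.g. `proxyPass = "http://toot-ctr.${config.networking.domain}:55000";`. The same replacement also turned the HSTS header in the toot static-asset and streaming locations into `includeSubpubDomains`; browsers ignore an unrecognised Strict-Transport-Security directive, so subdomains would silently drop out of HSTS and the two lines should read `add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";`. The kelder nginx file in this commit does the equivalent rename via `domain` and appears unaffected, so only this file needs the revert.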


@@ -1,7 +1,7 @@
{ lib, ... }:
let
inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes;
inherit (lib.my.c.colony) domain prefixes;
in
{
nixos.systems.object = {
@@ -92,7 +92,7 @@ in
configOverridesFile = config.age.secrets."object/sharry.conf".path;
config = {
base-url = "https://share.${lib.my.pubDomain}";
base-url = "https://share.${lib.my.c.pubDomain}";
bind.address = "::";
alias-member-enabled = true;
webapp = {


@@ -1,7 +1,7 @@
{ lib, ... }:
let
inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes;
inherit (lib.my.c.colony) domain prefixes;
in
{
nixos.systems.toot = {


@@ -1,7 +1,7 @@
{ lib, ... }:
let
inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes;
inherit (lib.my.c.colony) domain prefixes;
in
{
nixos.systems.vaultwarden = {
@@ -62,7 +62,7 @@ in
};
programs.ssh.knownHostsFiles = [
lib.my.sshKeyFiles.rsyncNet
lib.my.c.sshKeyFiles.rsyncNet
];
services = {
@@ -79,7 +79,7 @@ in
SIGNUPS_ALLOWED = false;
DOMAIN = "https://pass.${lib.my.pubDomain}";
DOMAIN = "https://pass.${lib.my.c.pubDomain}";
ROCKET_ADDRESS = "::";
ROCKET_PORT = 80;


@@ -1,7 +1,7 @@
{ lib, ... }:
let
inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes;
inherit (lib.my.c.colony) domain prefixes;
in
{
imports = [ ./containers ];
@@ -97,7 +97,7 @@ in
};
services = {
fstrim = lib.my.colony.fstrimConfig;
fstrim = lib.my.c.colony.fstrimConfig;
netdata.enable = true;
};
@@ -131,7 +131,7 @@ in
};
ipv6Prefixes = [
{
ipv6PrefixConfig.Prefix = lib.my.colony.prefixes.ctrs.v6;
ipv6PrefixConfig.Prefix = prefixes.ctrs.v6;
}
];
}


@@ -2,7 +2,7 @@
let
inherit (builtins) mapAttrs;
inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes;
inherit (lib.my.c.colony) domain prefixes;
in
{
nixos.systems.whale2 = {
@@ -94,7 +94,7 @@ in
};
services = {
fstrim = lib.my.colony.fstrimConfig;
fstrim = lib.my.c.colony.fstrimConfig;
netdata.enable = true;
};


@@ -1,7 +1,7 @@
{ lib, ... }:
let
inherit (lib.my) net;
inherit (lib.my.kelder) domain prefixes;
inherit (lib.my.c.kelder) domain prefixes;
in
{
nixos.systems.kelder-acquisition = {
@@ -44,7 +44,7 @@ in
};
users = {
groups.media.gid = lib.my.kelder.groups.media;
groups.media.gid = lib.my.c.kelder.groups.media;
users = {
"${config.my.user.config.name}".extraGroups = [ "media" ];


@@ -104,12 +104,12 @@ in
}
{
From = lib.my.kelder.prefixes.all.v4;
From = lib.my.c.kelder.prefixes.all.v4;
Table = "main";
Priority = 100;
}
{
To = lib.my.kelder.prefixes.all.v4;
To = lib.my.c.kelder.prefixes.all.v4;
Table = "main";
Priority = 100;
}


@@ -2,7 +2,7 @@
let
inherit (lib) mkForce mkMerge;
inherit (lib.my) net;
inherit (lib.my.kelder) domain prefixes;
inherit (lib.my.c.kelder) domain prefixes;
in
{
nixos.systems.kelder-spoder = {
@@ -54,9 +54,9 @@ in
dnsResolver = "8.8.8.8";
};
certs = {
"${lib.my.kelder.domain}" = {
"${domain}" = {
extraDomainNames = [
"*.${lib.my.kelder.domain}"
"*.${domain}"
];
dnsProvider = "cloudflare";
credentialsFile = config.age.secrets."kelder/cloudflare-credentials.conf".path;
@@ -65,7 +65,7 @@ in
};
users = {
groups.storage.gid = lib.my.kelder.groups.storage;
groups.storage.gid = lib.my.c.kelder.groups.storage;
users = {
nginx.extraGroups = [ "acme" ];
@@ -93,11 +93,11 @@ in
enable = true;
package = pkgs.nextcloud27;
datadir = "/mnt/storage/nextcloud";
hostName = "cloud.${lib.my.kelder.domain}";
hostName = "cloud.${domain}";
https = true;
enableBrokenCiphersForSSE = false;
config = {
extraTrustedDomains = [ "cloud-local.${lib.my.kelder.domain}" ];
extraTrustedDomains = [ "cloud-local.${domain}" ];
adminpassFile = config.age.secrets."kelder/nextcloud-root.txt".path;
defaultPhoneRegion = "IE";
};


@@ -2,6 +2,8 @@
let
inherit (builtins) mapAttrs;
inherit (lib) mkMerge mkIf mkDefault;
inherit (lib.my.c.nginx) proxyHeaders;
inherit (lib.my.c.kelder) domain;
in
{
config = {
@@ -73,7 +75,7 @@ in
proxy_send_timeout 60s;
proxy_http_version 1.1;
${lib.my.nginx.proxyHeaders}
${proxyHeaders}
# caching
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=4g;
@@ -135,15 +137,15 @@ in
};
};
"monitor.${lib.my.kelder.domain}" = withAuth {
serverAliases = [ "monitor-local.${lib.my.kelder.domain}" ];
extraConfig = localRedirect "monitor-local.${lib.my.kelder.domain}";
"monitor.${domain}" = withAuth {
serverAliases = [ "monitor-local.${domain}" ];
extraConfig = localRedirect "monitor-local.${domain}";
locations = {
"/" = {
proxyPass = "http://${allAssignments.kelder.ctrs.ipv4.address}:19999";
extraConfig = ''
proxy_pass_request_headers on;
${lib.my.nginx.proxyHeaders}
${proxyHeaders}
proxy_set_header Connection "keep-alive";
proxy_store off;
@@ -155,8 +157,8 @@ in
};
};
"kontent.${lib.my.kelder.domain}" = {
serverAliases = [ "kontent-local.${lib.my.kelder.domain}" ];
"kontent.${domain}" = {
serverAliases = [ "kontent-local.${domain}" ];
locations = {
"/".proxyPass = "${acquisition}:8096";
"= /".return = "302 $scheme://$host/web/";
@@ -164,47 +166,47 @@ in
"/socket" = {
proxyPass = "${acquisition}:8096/socket";
proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders;
extraConfig = proxyHeaders;
};
};
};
"torrents.${lib.my.kelder.domain}" = withAuth {
serverAliases = [ "torrents-local.${lib.my.kelder.domain}" ];
extraConfig = localRedirect "torrents-local.${lib.my.kelder.domain}";
"torrents.${domain}" = withAuth {
serverAliases = [ "torrents-local.${domain}" ];
extraConfig = localRedirect "torrents-local.${domain}";
locations."/".proxyPass = "${acquisition}:9091";
};
"jackett.${lib.my.kelder.domain}" = withAuth {
serverAliases = [ "jackett-local.${lib.my.kelder.domain}" ];
extraConfig = localRedirect "jackett-local.${lib.my.kelder.domain}";
"jackett.${domain}" = withAuth {
serverAliases = [ "jackett-local.${domain}" ];
extraConfig = localRedirect "jackett-local.${domain}";
locations."/".proxyPass = "${acquisition}:9117";
};
"radarr.${lib.my.kelder.domain}" = withAuth {
serverAliases = [ "radarr-local.${lib.my.kelder.domain}" ];
extraConfig = localRedirect "radarr-local.${lib.my.kelder.domain}";
"radarr.${domain}" = withAuth {
serverAliases = [ "radarr-local.${domain}" ];
extraConfig = localRedirect "radarr-local.${domain}";
locations."/" = {
proxyPass = "${acquisition}:7878";
proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders;
extraConfig = proxyHeaders;
};
};
"sonarr.${lib.my.kelder.domain}" = withAuth {
serverAliases = [ "sonarr-local.${lib.my.kelder.domain}" ];
extraConfig = localRedirect "sonarr-local.${lib.my.kelder.domain}";
"sonarr.${domain}" = withAuth {
serverAliases = [ "sonarr-local.${domain}" ];
extraConfig = localRedirect "sonarr-local.${domain}";
locations."/" = {
proxyPass = "${acquisition}:8989";
proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders;
extraConfig = proxyHeaders;
};
};
"cloud.${lib.my.kelder.domain}" = {
serverAliases = [ "cloud-local.${lib.my.kelder.domain}" ];
"cloud.${domain}" = {
serverAliases = [ "cloud-local.${domain}" ];
};
};
defaultsFor = mapAttrs (n: _: {
onlySSL = mkDefault true;
useACMEHost = mkDefault lib.my.kelder.domain;
useACMEHost = mkDefault domain;
kTLS = mkDefault true;
http2 = mkDefault true;
});


@@ -1,7 +1,7 @@
{ lib, ... }:
let
inherit (lib.my) net;
inherit (lib.my.kelder) domain prefixes;
inherit (lib.my.c.kelder) domain prefixes;
in
{
imports = [ ./containers ];
@@ -14,7 +14,7 @@ in
assignments = {
estuary = {
ipv4 ={
address = net.cidr.host 0 lib.my.colony.prefixes.vip2;
address = net.cidr.host 0 lib.my.c.colony.prefixes.vip2;
mask = 32;
gateway = null;
};
@@ -85,7 +85,7 @@ in
};
users = {
groups = with lib.my.kelder.groups; {
groups = with lib.my.c.kelder.groups; {
storage.gid = storage;
media.gid = media;
};
@@ -150,7 +150,7 @@ in
};
networking = {
domain = lib.my.kelder.domain;
inherit domain;
};
system.nixos.distroName = "KelderOS";
@@ -180,7 +180,7 @@ in
{
wireguardPeerConfig = {
PublicKey = "bP1XUNxp9i8NLOXhgPaIaRzRwi5APbam44/xjvYcyjU=";
Endpoint = "estuary-vm.${lib.my.colony.domain}:${toString lib.my.kelder.vpn.port}";
Endpoint = "estuary-vm.${lib.my.c.colony.domain}:${toString lib.my.c.kelder.vpn.port}";
AllowedIPs = [ "0.0.0.0/0" ];
PersistentKeepalive = 25;
};
@@ -270,7 +270,6 @@ in
config.name = "kontent";
};
#deploy.generate.system.mode = "boot";
#deploy.node.hostname = "10.16.9.21";
secrets = {
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFvUdJshXkqmchEgkZDn5rgtZ1NO9vbd6Px+S6YioWi";
@@ -311,7 +310,7 @@ in
chain prerouting {
type filter hook prerouting priority mangle; policy accept;
ip daddr ${assignments.estuary.ipv4.address} ct state new ct mark set ${toString dnatMark}
ip saddr ${lib.my.kelder.prefixes.all.v4} ct mark != 0 meta mark set ct mark
ip saddr ${lib.my.c.kelder.prefixes.all.v4} ct mark != 0 meta mark set ct mark
}
chain output {
type filter hook output priority mangle; policy accept;
@@ -320,7 +319,7 @@ in
}
table inet nat {
chain postrouting {
ip saddr ${lib.my.kelder.prefixes.all.v4} oifname et1g0 masquerade
ip saddr ${lib.my.c.kelder.prefixes.all.v4} oifname et1g0 masquerade
}
}
'';


@@ -39,7 +39,7 @@
environment.sessionVariables = {
INSTALL_ROOT = installRoot;
};
users.users.root.openssh.authorizedKeys.keyFiles = [ lib.my.sshKeyFiles.deploy ];
users.users.root.openssh.authorizedKeys.keyFiles = [ lib.my.c.sshKeyFiles.deploy ];
home-manager.users.root = {
programs = {
starship.settings = {


@@ -47,7 +47,7 @@ in
#"https://nix-cache.nul.ie"
"https://cache.nixos.org"
];
trusted-public-keys = lib.my.nix.cacheKeys;
trusted-public-keys = lib.my.c.nix.cacheKeys;
};
registry = {
pkgs = {


@@ -86,7 +86,7 @@ in
options.my.deploy = with lib.types; {
authorizedKeys = {
keys = mkOpt' (listOf singleLineStr) [ ] "SSH public keys to add to the default deployment user.";
keyFiles = mkOpt' (listOf path) [ lib.my.sshKeyFiles.deploy ] "SSH public key files to add to the default deployment user.";
keyFiles = mkOpt' (listOf path) [ lib.my.c.sshKeyFiles.deploy ] "SSH public key files to add to the default deployment user.";
};
enable = mkBoolOpt' true "Whether to expose deploy-rs configuration for this system.";


@@ -6,7 +6,7 @@ in
config = mkMerge [
{
networking = {
domain = mkDefault "int.${lib.my.pubDomain}";
domain = mkDefault "int.${lib.my.c.pubDomain}";
useDHCP = false;
enableIPv6 = mkDefault true;
useNetworkd = mkDefault true;


@@ -41,7 +41,7 @@ in
shell =
let shell = cfg.homeConfig.my.shell;
in mkIf (shell != null) (mkDefault' shell);
openssh.authorizedKeys.keyFiles = [ lib.my.sshKeyFiles.me ];
openssh.authorizedKeys.keyFiles = [ lib.my.c.sshKeyFiles.me ];
};
homeConfig = {
# In order for this option to evaluate on its own, home-manager expects the `name` (which is derived from the