dev/nixfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Split constants into separate lib file

Browse Source
This commit is contained in:
Jack O'Sullivan
2023-11-02 13:41:50 +00:00
parent 0659809c22
commit 2dbc8b398b
30 changed files with 269 additions and 261 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
nixos/boxes/colony/vms/estuary/bgp.nix
View File

@@ -14,12 +14,12 @@ in
config = ''
define OWNAS = 211024;
define CCVIP1 = ${lib.my.colony.prefixes.vip1};
define CCVIP2 = ${lib.my.colony.prefixes.vip2};
define CCVIP1 = ${lib.my.c.colony.prefixes.vip1};
define CCVIP2 = ${lib.my.c.colony.prefixes.vip2};
define OWNIP4 = ${assignments.internal.ipv4.address};
define OWNNETSET4 = [ ${assignments.internal.ipv4.address}/32 ];
define CCNETSET4 = [ ${lib.my.colony.prefixes.vip1}, ${lib.my.colony.prefixes.vip2} ];
define CCNETSET4 = [ ${lib.my.c.colony.prefixes.vip1}, ${lib.my.c.colony.prefixes.vip2} ];
define INTNET6 = ${intnet6};
define AMSNET6 = ${amsnet6};

21
nixos/boxes/colony/vms/estuary/default.nix
View File

@@ -1,7 +1,7 @@
{ lib, ... }:
let
inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes;
inherit (lib.my.c.colony) domain prefixes;
pubV4 = "94.142.240.44";
in
@@ -95,7 +95,7 @@ in
};
services = {
fstrim = lib.my.colony.fstrimConfig;
fstrim = lib.my.c.colony.fstrimConfig;
lvm = {
dmeventd.enable = true;
};
@@ -182,7 +182,7 @@ in
};
wireguardConfig = {
PrivateKeyFile = config.age.secrets."estuary/kelder-wg.key".path;
ListenPort = lib.my.kelder.vpn.port;
ListenPort = lib.my.c.kelder.vpn.port;
};
wireguardPeers = [
{
@@ -306,27 +306,27 @@ in
};
ipv6Prefixes = [
{
ipv6PrefixConfig.Prefix = lib.my.colony.prefixes.base.v6;
ipv6PrefixConfig.Prefix = prefixes.base.v6;
}
];
routes = map (r: { routeConfig = r; }) (flatten
([
{
Destination = lib.my.colony.prefixes.vip1;
Destination = prefixes.vip1;
Gateway = allAssignments.colony.routing.ipv4.address;
}
{
Destination = lib.my.colony.prefixes.cust.v6;
Destination = prefixes.cust.v6;
Gateway = allAssignments.colony.internal.ipv6.address;
}
] ++
(map (pName: [
{
Gateway = allAssignments.colony.routing.ipv4.address;
Destination = lib.my.colony.prefixes."${pName}".v4;
Destination = prefixes."${pName}".v4;
}
{
Destination = lib.my.colony.prefixes."${pName}".v6;
Destination = prefixes."${pName}".v6;
Gateway = allAssignments.colony.internal.ipv6.address;
}
]) [ "vms" "ctrs" "oci" ])));
@@ -356,7 +356,6 @@ in
};
my = {
#deploy.generate.system.mode = "boot";
secrets = {
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9up7pXu6M/OWCKufTOfSiGcxMUk4VqUe7fLuatNFFA";
files = {
@@ -369,7 +368,7 @@ in
firewall = {
trustedInterfaces = [ "as211024" ];
udp.allowed = [ 5353 lib.my.kelder.vpn.port ];
udp.allowed = [ 5353 lib.my.c.kelder.vpn.port ];
tcp.allowed = [ 5353 "bgp" ];
nat = {
enable = true;
@@ -458,7 +457,7 @@ in
${matchInet "meta l4proto { udp, tcp } th dport domain redirect to :5353" "estuary"}
}
chain postrouting {
ip saddr ${lib.my.colony.prefixes.all.v4} snat to ${assignments.internal.ipv4.address}
ip saddr ${prefixes.all.v4} snat to ${assignments.internal.ipv4.address}
}
}
'';

8
nixos/boxes/colony/vms/estuary/dns.nix
View File

@@ -1,6 +1,8 @@
{ lib, pkgs, config, assignments, allAssignments, ... }:
let
inherit (builtins) attrNames;
inherit (lib.my) net;
inherit (lib.my.c.colony) prefixes;
authZones = attrNames config.my.pdns.auth.bind.zones;
in
@@ -49,7 +51,7 @@ in
];
allowFrom = [
"127.0.0.0/8" "::1/128"
lib.my.colony.prefixes.all.v4 lib.my.colony.prefixes.all.v6
prefixes.all.v4 prefixes.all.v6
];
};
@@ -147,8 +149,8 @@ in
valheim IN A ${assignments.internal.ipv4.address}
valheim IN AAAA ${allAssignments.valheim-oci.internal.ipv6.address}
mail-vm IN A ${lib.my.net.cidr.host 0 lib.my.colony.prefixes.mail.v4}
mail-vm IN AAAA ${lib.my.net.cidr.host 1 lib.my.colony.prefixes.mail.v6}
mail-vm IN A ${net.cidr.host 0 prefixes.mail.v4}
mail-vm IN AAAA ${net.cidr.host 1 prefixes.mail.v6}
andrey-cust IN A ${allAssignments.kelder.estuary.ipv4.address}

4
nixos/boxes/colony/vms/shill/containers/chatterbox.nix
View File

@@ -1,7 +1,7 @@
{ lib, ... }:
let
inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes;
inherit (lib.my.c.colony) domain prefixes;
in
{
nixos.systems.chatterbox = {
@@ -128,7 +128,7 @@ in
"2001:db8::/32"
"ff00::/8"
"fec0::/10"
] ++ (with lib.my.colony.prefixes; [ all.v4 all.v6 ]);
] ++ (with lib.my.c.colony.prefixes; [ all.v4 all.v6 ]);
url_preview_ip_range_whitelist =
with allAssignments.middleman.internal;
[ ipv4.address ipv6.address ];

4
nixos/boxes/colony/vms/shill/containers/colony-psql.nix
View File

@@ -1,7 +1,7 @@
{ lib, ... }:
let
inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes;
inherit (lib.my.c.colony) domain prefixes;
in
{
nixos.systems.colony-psql = {
@@ -66,7 +66,7 @@ in
enable = true;
enableTCPIP = true;
authentication = with lib.my.colony.prefixes; ''
authentication = with lib.my.c.colony.prefixes; ''
local all postgres peer map=local
host all all ${all.v4} md5

2
nixos/boxes/colony/vms/shill/containers/jackflix/default.nix
View File

@@ -1,7 +1,7 @@
{ lib, ... }:
let
inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes;
inherit (lib.my.c.colony) domain prefixes;
in
{
nixos.systems.jackflix = {

9
nixos/boxes/colony/vms/shill/containers/jackflix/networking.nix
View File

@@ -2,6 +2,7 @@
let
inherit (lib) mkMerge mkIf;
inherit (lib.my) networkdAssignment;
inherit (lib.my.c.colony) prefixes;
wg = {
keyFile = "jackflix/airvpn-privkey";
@@ -102,23 +103,23 @@ in
}
{
From = lib.my.colony.prefixes.all.v4;
From = prefixes.all.v4;
Table = "main";
Priority = 100;
}
{
To = lib.my.colony.prefixes.all.v4;
To = prefixes.all.v4;
Table = "main";
Priority = 100;
}
{
From = lib.my.colony.prefixes.all.v6;
From = prefixes.all.v6;
Table = "main";
Priority = 100;
}
{
To = lib.my.colony.prefixes.all.v6;
To = prefixes.all.v6;
Table = "main";
Priority = 100;
}

23
nixos/boxes/colony/vms/shill/containers/middleman/default.nix
View File

@@ -1,7 +1,8 @@
{ lib, ... }:
let
inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes;
inherit (lib.my.c) pubDomain;
inherit (lib.my.c.colony) domain prefixes;
in
{
nixos.systems.middleman = {
@@ -79,8 +80,8 @@ in
port = 8082;
};
login = {
title = "${lib.my.pubDomain} login";
default_redirect = "https://${lib.my.pubDomain}";
title = "${pubDomain} login";
default_redirect = "https://${pubDomain}";
default_method = "google_oauth";
names = {
google_oauth = "Google account";
@@ -88,7 +89,7 @@ in
};
};
cookie = {
domain = ".${lib.my.pubDomain}";
domain = ".${pubDomain}";
secure = true;
};
audit_log = {
@@ -109,14 +110,14 @@ in
};
google_oauth = {
client_id = "545475967061-cag4g1qf0pk33g3pdbom4v69562vboc8.apps.googleusercontent.com";
redirect_url = "https://sso.${lib.my.pubDomain}/login";
redirect_url = "https://sso.${pubDomain}/login";
user_id_method = "user-id";
};
};
};
includes = {
endpoint = "http://localhost:8082";
baseURL = "https://sso.${lib.my.pubDomain}";
baseURL = "https://sso.${pubDomain}";
};
};
};
@@ -173,10 +174,10 @@ in
EXEC_PATH=${script}
'';
};
"${lib.my.pubDomain}" = {
"${pubDomain}" = {
extraDomainNames = [
"*.${lib.my.pubDomain}"
"*.s3.${lib.my.pubDomain}"
"*.${pubDomain}"
"*.s3.${pubDomain}"
];
dnsProvider = "cloudflare";
credentialsFile = config.age.secrets."middleman/cloudflare-credentials.conf".path;
@@ -194,7 +195,7 @@ in
};
programs = {
ssh.knownHostsFiles = [ lib.my.sshHostKeys.mail-vm ];
ssh.knownHostsFiles = [ lib.my.c.sshHostKeys.mail-vm ];
};
services = {
@@ -265,7 +266,7 @@ in
proxy_send_timeout 60s;
proxy_http_version 1.1;
${lib.my.nginx.proxyHeaders}
${lib.my.c.nginx.proxyHeaders}
# caching
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=4g;

116
nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
View File

@@ -2,6 +2,8 @@
let
inherit (builtins) mapAttrs toJSON;
inherit (lib) mkMerge mkDefault genAttrs flatten concatStringsSep;
inherit (lib.my.c) pubDomain;
inherit (lib.my.c.nginx) proxyHeaders;
dualStackListen' = l: map (addr: l // { inherit addr; }) [ "0.0.0.0" "[::]" ];
dualStackListen = ll: flatten (map dualStackListen' ll);
@@ -80,7 +82,7 @@ in
}
wellKnown
];
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
};
"localhost" = {
forceSSL = false;
@@ -98,12 +100,12 @@ in
};
};
"sso.${lib.my.pubDomain}" = {
"sso.${pubDomain}" = {
locations."/".proxyPass = config.my.nginx-sso.includes.endpoint;
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
};
"netdata-colony.${lib.my.pubDomain}" =
"netdata-colony.${pubDomain}" =
let
hosts = [
"vm"
@@ -119,10 +121,10 @@ in
"~ /(?<behost>${matchHosts})$".return = "301 https://$host/$behost/";
"~ /(?<behost>${matchHosts})/(?<ndpath>.*)" = mkMerge [
{
proxyPass = "http://$behost.${config.networking.domain}:19999/$ndpath$is_args$args";
proxyPass = "http://$behost.${config.networking.pubDomain}:19999/$ndpath$is_args$args";
extraConfig = ''
proxy_pass_request_headers on;
${lib.my.nginx.proxyHeaders}
${proxyHeaders}
proxy_set_header Connection "keep-alive";
proxy_store off;
@@ -134,14 +136,14 @@ in
(ssoLoc "generic")
];
};
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
}
(ssoServer "generic")
];
"pass.${lib.my.pubDomain}" =
"pass.${pubDomain}" =
let
upstream = "http://vaultwarden-ctr.${config.networking.domain}";
upstream = "http://vaultwarden-ctr.${config.networking.pubDomain}";
in
{
locations = {
@@ -149,11 +151,11 @@ in
"/notifications/hub" = {
proxyPass = upstream;
proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders;
extraConfig = proxyHeaders;
};
"/notifications/hub/negotiate".proxyPass = upstream;
};
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
};
"matrix.nul.ie" = {
@@ -171,15 +173,15 @@ in
];
locations = mkMerge [
{
"/".proxyPass = "http://chatterbox-ctr.${config.networking.domain}:8008";
"= /".return = "301 https://element.${lib.my.pubDomain}";
"/".proxyPass = "http://chatterbox-ctr.${config.networking.pubDomain}:8008";
"= /".return = "301 https://element.${pubDomain}";
}
wellKnown
];
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
};
"element.${lib.my.pubDomain}" =
"element.${pubDomain}" =
let
headers = ''
# TODO: why are these here?
@@ -224,66 +226,66 @@ in
'';
}))
];
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
};
"torrents.${lib.my.pubDomain}" = mkMerge [
"torrents.${pubDomain}" = mkMerge [
{
locations."/" = mkMerge [
{
proxyPass = "http://jackflix-ctr.${config.networking.domain}:9091";
proxyPass = "http://jackflix-ctr.${config.networking.pubDomain}:9091";
}
(ssoLoc "generic")
];
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
}
(ssoServer "generic")
];
"jackett.${lib.my.pubDomain}" = mkMerge [
"jackett.${pubDomain}" = mkMerge [
{
locations."/" = mkMerge [
{
proxyPass = "http://jackflix-ctr.${config.networking.domain}:9117";
proxyPass = "http://jackflix-ctr.${config.networking.pubDomain}:9117";
}
(ssoLoc "generic")
];
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
}
(ssoServer "generic")
];
"radarr.${lib.my.pubDomain}" = mkMerge [
"radarr.${pubDomain}" = mkMerge [
{
locations."/" = mkMerge [
{
proxyPass = "http://jackflix-ctr.${config.networking.domain}:7878";
proxyPass = "http://jackflix-ctr.${config.networking.pubDomain}:7878";
proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders;
extraConfig = proxyHeaders;
}
(ssoLoc "generic")
];
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
}
(ssoServer "generic")
];
"sonarr.${lib.my.pubDomain}" = mkMerge [
"sonarr.${pubDomain}" = mkMerge [
{
locations."/" = mkMerge [
{
proxyPass = "http://jackflix-ctr.${config.networking.domain}:8989";
proxyPass = "http://jackflix-ctr.${config.networking.pubDomain}:8989";
proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders;
extraConfig = proxyHeaders;
}
(ssoLoc "generic")
];
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
}
(ssoServer "generic")
];
"jackflix.${lib.my.pubDomain}" =
"jackflix.${pubDomain}" =
let
upstream = "http://jackflix-ctr.${config.networking.domain}:8096";
upstream = "http://jackflix-ctr.${config.networking.pubDomain}:8096";
in
{
extraConfig = ''
@@ -300,10 +302,10 @@ in
"/socket" = {
proxyPass = upstream;
proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders;
extraConfig = proxyHeaders;
};
};
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
};
"toot.nul.ie" =
@@ -312,7 +314,7 @@ in
tryFiles = "$uri =404";
extraConfig = ''
add_header Cache-Control "public, max-age=2419200, must-revalidate";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
add_header Strict-Transport-Security "max-age=63072000; includeSubpubDomains";
'';
};
in
@@ -333,20 +335,20 @@ in
"/".tryFiles = "$uri @proxy";
"^~ /api/v1/streaming" = {
proxyPass = "http://toot-ctr.${config.networking.domain}:55000";
proxyPass = "http://toot-ctr.${config.networking.pubDomain}:55000";
proxyWebsockets = true;
extraConfig = ''
${lib.my.nginx.proxyHeaders}
${proxyHeaders}
proxy_set_header Proxy "";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
add_header Strict-Transport-Security "max-age=63072000; includeSubpubDomains";
'';
};
"@proxy" = {
proxyPass = "http://toot-ctr.${config.networking.domain}:55001";
proxyPass = "http://toot-ctr.${config.networking.pubDomain}:55001";
proxyWebsockets = true;
extraConfig = ''
${lib.my.nginx.proxyHeaders}
${proxyHeaders}
proxy_set_header Proxy "";
proxy_pass_header Server;
@@ -359,19 +361,19 @@ in
};
}
];
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
};
"share.${lib.my.pubDomain}" = {
"share.${pubDomain}" = {
locations."/" = {
proxyPass = "http://object-ctr.${config.networking.domain}:9090";
proxyPass = "http://object-ctr.${config.networking.pubDomain}:9090";
proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders;
extraConfig = proxyHeaders;
};
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
};
"stuff.${lib.my.pubDomain}" = {
"stuff.${pubDomain}" = {
locations."/" = {
basicAuthFile = config.age.secrets."middleman/htpasswd".path;
root = "/mnt/media/stuff";
@@ -380,13 +382,13 @@ in
fancyindex_show_dotfiles on;
'';
};
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
};
};
minio =
let
host = "object-ctr.${config.networking.domain}";
host = "object-ctr.${config.networking.pubDomain}";
s3Upstream = "http://${host}:9000";
extraConfig = ''
chunked_transfer_encoding off;
@@ -401,7 +403,7 @@ in
'';
in
{
"minio.${lib.my.pubDomain}" = {
"minio.${pubDomain}" = {
inherit extraConfig;
locations = {
"/" = {
@@ -410,19 +412,19 @@ in
"/ws" = {
proxyPass = "http://${host}:9001";
proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders;
extraConfig = proxyHeaders;
};
};
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
};
"s3.${lib.my.pubDomain}" = {
serverAliases = [ "*.s3.${lib.my.pubDomain}" ];
"s3.${pubDomain}" = {
serverAliases = [ "*.s3.${pubDomain}" ];
inherit extraConfig;
locations."/".proxyPass = s3Upstream;
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
};
"nix-cache.${lib.my.pubDomain}" = {
"nix-cache.${pubDomain}" = {
extraConfig = ''
${extraConfig}
proxy_set_header Host "nix-cache.s3.nul.ie";
@@ -434,14 +436,14 @@ in
extraConfig = nixCacheHeaders;
};
};
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
onlySSL = false;
};
};
defaultsFor = mapAttrs (n: _: {
onlySSL = mkDefault true;
useACMEHost = mkDefault "${config.networking.domain}";
useACMEHost = mkDefault "${config.networking.pubDomain}";
kTLS = mkDefault true;
http2 = mkDefault true;
});

4
nixos/boxes/colony/vms/shill/containers/object.nix
View File

@@ -1,7 +1,7 @@
{ lib, ... }:
let
inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes;
inherit (lib.my.c.colony) domain prefixes;
in
{
nixos.systems.object = {
@@ -92,7 +92,7 @@ in
configOverridesFile = config.age.secrets."object/sharry.conf".path;
config = {
base-url = "https://share.${lib.my.pubDomain}";
base-url = "https://share.${lib.my.c.pubDomain}";
bind.address = "::";
alias-member-enabled = true;
webapp = {

2
nixos/boxes/colony/vms/shill/containers/toot.nix
View File

@@ -1,7 +1,7 @@
{ lib, ... }:
let
inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes;
inherit (lib.my.c.colony) domain prefixes;
in
{
nixos.systems.toot = {

6
nixos/boxes/colony/vms/shill/containers/vaultwarden.nix
View File

@@ -1,7 +1,7 @@
{ lib, ... }:
let
inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes;
inherit (lib.my.c.colony) domain prefixes;
in
{
nixos.systems.vaultwarden = {
@@ -62,7 +62,7 @@ in
};
programs.ssh.knownHostsFiles = [
lib.my.sshKeyFiles.rsyncNet
lib.my.c.sshKeyFiles.rsyncNet
];
services = {
@@ -79,7 +79,7 @@ in
SIGNUPS_ALLOWED = false;
DOMAIN = "https://pass.${lib.my.pubDomain}";
DOMAIN = "https://pass.${lib.my.c.pubDomain}";
ROCKET_ADDRESS = "::";
ROCKET_PORT = 80;

6
nixos/boxes/colony/vms/shill/default.nix
View File

@@ -1,7 +1,7 @@
{ lib, ... }:
let
inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes;
inherit (lib.my.c.colony) domain prefixes;
in
{
imports = [ ./containers ];
@@ -97,7 +97,7 @@ in
};
services = {
fstrim = lib.my.colony.fstrimConfig;
fstrim = lib.my.c.colony.fstrimConfig;
netdata.enable = true;
};
@@ -131,7 +131,7 @@ in
};
ipv6Prefixes = [
{
ipv6PrefixConfig.Prefix = lib.my.colony.prefixes.ctrs.v6;
ipv6PrefixConfig.Prefix = prefixes.ctrs.v6;
}
];
}

4
nixos/boxes/colony/vms/whale2/default.nix
View File

@@ -2,7 +2,7 @@
let
inherit (builtins) mapAttrs;
inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes;
inherit (lib.my.c.colony) domain prefixes;
in
{
nixos.systems.whale2 = {
@@ -94,7 +94,7 @@ in
};
services = {
fstrim = lib.my.colony.fstrimConfig;
fstrim = lib.my.c.colony.fstrimConfig;
netdata.enable = true;
};