Split constants into separate lib file

Jack O'Sullivan 2023-11-02 13:41:50 +00:00
parent 0659809c22
commit 2dbc8b398b
30 changed files with 269 additions and 261 deletions

@ -15,7 +15,7 @@ in
experimental-features = nix-command flakes ca-derivations repl-flake experimental-features = nix-command flakes ca-derivations repl-flake
#substituters = https://nix-cache.nul.ie https://cache.nixos.org #substituters = https://nix-cache.nul.ie https://cache.nixos.org
substituters = https://cache.nixos.org substituters = https://cache.nixos.org
trusted-public-keys = ${concatStringsSep " " lib.my.nix.cacheKeys} trusted-public-keys = ${concatStringsSep " " lib.my.c.nix.cacheKeys}
''); '');
INSTALLER_SSH_OPTS = "-i .keys/deploy.key"; INSTALLER_SSH_OPTS = "-i .keys/deploy.key";

@ -240,13 +240,13 @@ in
#"https://nix-cache.nul.ie" #"https://nix-cache.nul.ie"
"https://cache.nixos.org" "https://cache.nixos.org"
]; ];
trusted-public-keys = lib.my.nix.cacheKeys; trusted-public-keys = lib.my.c.nix.cacheKeys;
}; };
}; };
}) })
(mkIf config.my.isStandalone { (mkIf config.my.isStandalone {
my = { my = {
ssh.authKeys.files = [ lib.my.sshKeyFiles.me ]; ssh.authKeys.files = [ lib.my.c.sshKeyFiles.me ];
}; };
nix.package = mkIf (versionAtLeast config.home.stateVersion "22.05") pkgs.nix; nix.package = mkIf (versionAtLeast config.home.stateVersion "22.05") pkgs.nix;

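--- /dev/null
+++ b/lib/constants.nix
@@ -0,0 +1,92 @@
+{ lib }: rec {
+nginx = {
+proxyHeaders = ''
+# Setting any proxy_header in a child (e.g. location) will nuke the parents...
+proxy_set_header X-Origin-URI $request_uri;
+proxy_set_header Host $host;
+proxy_set_header X-Host $http_host;
+proxy_set_header X-Forwarded-Host $http_host;
+proxy_set_header X-Forwarded-Server $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Protocol $scheme;
+proxy_set_header X-Scheme $scheme;
+'';
+};
+nix = {
+cacheKeys = [
+"nix-cache.nul.ie-1:XofkqdHQSGFoPjB6aRohQbCU2ILKFqhNjWfoOdQgF5Y="
+"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+];
+};
+pubDomain = "nul.ie";
+colony = {
+domain = "ams1.int.${pubDomain}";
+prefixes = with lib.my.net.cidr; rec {
+all = {
+v4 = "10.100.0.0/16";
+v6 = "2a0e:97c0:4d2:10::/60";
+};
+base = {
+v4 = subnet 8 0 all.v4;
+v6 = subnet 4 0 all.v6;
+};
+vms = {
+v4 = subnet 8 1 all.v4;
+v6 = subnet 4 1 all.v6;
+};
+ctrs = {
+v4 = subnet 8 2 all.v4;
+v6 = subnet 4 2 all.v6;
+};
+oci = {
+v4 = subnet 8 3 all.v4;
+v6 = subnet 4 3 all.v6;
+};
+cust = {
+v4 = subnet 8 100 all.v4; # single ip for routing only
+v6 = "2a0e:97c0:4d2:2000::/56";
+};
+mail = {
+v4 = "94.142.241.227/32";
+v6 = subnet 8 0 cust.v6;
+};
+vip1 = "94.142.241.224/30";
+vip2 = "94.142.242.254/31";
+};
+fstrimConfig = {
+enable = true;
+# backup happens at 05:00
+interval = "04:45";
+};
+};
+kelder = {
+groups = {
+storage = 2000;
+media = 2010;
+};
+domain = "hentai.engineer";
+vpn = {
+port = 51820;
+};
+prefixes = with lib.my.net.cidr; rec {
+all.v4 = "172.16.64.0/20";
+ctrs.v4 = subnet 4 0 all.v4;
+};
+};
+sshKeyFiles = {
+me = ../.keys/me.pub;
+deploy = ../.keys/deploy.pub;
+rsyncNet = ../.keys/zh2855.rsync.net.pub;
+mailcowAcme = ../.keys/mailcow-acme.pub;
+};
+sshHostKeys = {
+mail-vm = ../.keys/mail-vm-host.pub;
+};
+}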
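Review bot: lib/constants.nix carries no header comment, so a reader does not learn that it is now the single place where public domains, address plans, trusted binary-cache keys and SSH key file paths live, nor why the top-level set is `rec` (`colony.domain` interpolates `pubDomain`); a comment above the first line such as `# Site-wide constants: domains, address plans, trusted cache keys, SSH key files. rec: colony.domain refers to pubDomain.` would cover that. `nix.cacheKeys` bundles the `nix-cache.nul.ie-1` key with the `cache.nixos.org-1` key, yet both consumers visible in this commit (the flake hunk and the home-manager hunk at the top of the page) have the nix-cache.nul.ie substituter commented out, so that key stays in `trusted-public-keys` for a cache that is not in use; keeping one list per cache, or dropping the key until the substituter is re-enabled, keeps the trusted set aligned with what is actually configured. The `prefixes` blocks resolve `subnet` through `lib.my.net.cidr` rather than the sibling `net` the old lib/default.nix used, which presumably works because the flake extends `lib` with `my` before this file is evaluated — worth a one-line comment next to the `with`.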

@ -1,9 +1,9 @@
{ lib }: { lib }:
let let
inherit (builtins) length match replaceStrings elemAt mapAttrs head split filter; inherit (builtins) length match elemAt filter;
inherit (lib) inherit (lib)
genAttrs mapAttrs' mapAttrsToList filterAttrsRecursive nameValuePair types genAttrs mapAttrsToList filterAttrsRecursive nameValuePair types
mkOption mkOverride mkForce mkIf mergeEqualOption optional hasPrefix mkOption mkOverride mkForce mkIf mergeEqualOption optional
showWarnings concatStringsSep flatten unique; showWarnings concatStringsSep flatten unique;
inherit (lib.flake) defaultSystems; inherit (lib.flake) defaultSystems;
in in
@ -12,6 +12,7 @@ rec {
inherit (import ./net.nix { inherit lib; }) net; inherit (import ./net.nix { inherit lib; }) net;
dns = import ./dns.nix { inherit lib; }; dns = import ./dns.nix { inherit lib; };
c = import ./constants.nix { inherit lib; };
# Yoinked from nixpkgs/nixos/modules/services/networking/nat.nix # Yoinked from nixpkgs/nixos/modules/services/networking/nat.nix
isIPv6 = ip: length (lib.splitString ":" ip) > 2; isIPv6 = ip: length (lib.splitString ":" ip) > 2;
@ -128,6 +129,8 @@ rec {
UseDomains = true; UseDomains = true;
}; };
}; };
dockerNetAssignment =
assignments: name: with assignments."${name}".internal; "ip=${ipv4.address},ip=${ipv6.address}";
systemdAwaitPostgres = pkg: host: { systemdAwaitPostgres = pkg: host: {
after = [ "systemd-networkd-wait-online.service" ]; after = [ "systemd-networkd-wait-online.service" ];
@ -185,97 +188,4 @@ rec {
filterOpts = filterAttrsRecursive (_: v: v != null); filterOpts = filterAttrsRecursive (_: v: v != null);
}; };
nginx = {
proxyHeaders = ''
# Setting any proxy_header in a child (e.g. location) will nuke the parents...
proxy_set_header X-Origin-URI $request_uri;
proxy_set_header Host $host;
proxy_set_header X-Host $http_host;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Scheme $scheme;
'';
};
nix = {
cacheKeys = [
"nix-cache.nul.ie-1:XofkqdHQSGFoPjB6aRohQbCU2ILKFqhNjWfoOdQgF5Y="
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
];
};
pubDomain = "nul.ie";
dockerNetAssignment =
assignments: name: with assignments."${name}".internal; "ip=${ipv4.address},ip=${ipv6.address}";
colony = {
domain = "ams1.int.${pubDomain}";
prefixes = with net.cidr; rec {
all = {
v4 = "10.100.0.0/16";
v6 = "2a0e:97c0:4d2:10::/60";
};
base = {
v4 = subnet 8 0 all.v4;
v6 = subnet 4 0 all.v6;
};
vms = {
v4 = subnet 8 1 all.v4;
v6 = subnet 4 1 all.v6;
};
ctrs = {
v4 = subnet 8 2 all.v4;
v6 = subnet 4 2 all.v6;
};
oci = {
v4 = subnet 8 3 all.v4;
v6 = subnet 4 3 all.v6;
};
cust = {
v4 = subnet 8 100 all.v4; # single ip for routing only
v6 = "2a0e:97c0:4d2:2000::/56";
};
mail = {
v4 = "94.142.241.227/32";
v6 = subnet 8 0 cust.v6;
};
vip1 = "94.142.241.224/30";
vip2 = "94.142.242.254/31";
};
fstrimConfig = {
enable = true;
# backup happens at 05:00
interval = "04:45";
};
};
kelder = {
groups = {
storage = 2000;
media = 2010;
};
domain = "hentai.engineer";
vpn = {
port = 51820;
};
prefixes = with net.cidr; rec {
all.v4 = "172.16.64.0/20";
ctrs.v4 = subnet 4 0 all.v4;
};
};
sshKeyFiles = {
me = ../.keys/me.pub;
deploy = ../.keys/deploy.pub;
rsyncNet = ../.keys/zh2855.rsync.net.pub;
mailcowAcme = ../.keys/mailcow-acme.pub;
};
sshHostKeys = {
mail-vm = ../.keys/mail-vm-host.pub;
};
} }
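Review bot: `c = import ./constants.nix { inherit lib; };` passes only `lib`, and the moved constants now reach `subnet` via `lib.my.net.cidr` instead of the sibling `net` the removed block used (`with net.cidr;`), so the new file depends on the `lib` argument already carrying `my` — something these hunks do not show. Passing the sibling explicitly, `c = import ./constants.nix { inherit lib net; };`, and using `with net.cidr;` in constants.nix removes that dependence and keeps the two lib files evaluable in isolation. The enclosing `rec { … }` of lib/default.nix starts outside the hunk.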

@ -84,7 +84,7 @@
}; };
networking = { networking = {
domain = "h.${lib.my.pubDomain}"; domain = "h.${lib.my.c.pubDomain}";
firewall.enable = false; firewall.enable = false;
}; };

@ -1,7 +1,7 @@
{ lib, ... }: { lib, ... }:
let let
inherit (lib.my) net; inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes; inherit (lib.my.c.colony) domain prefixes;
in in
{ {
imports = [ ./vms ]; imports = [ ./vms ];
@ -93,11 +93,11 @@ in
}; };
programs.ssh.knownHostsFiles = [ programs.ssh.knownHostsFiles = [
lib.my.sshKeyFiles.rsyncNet lib.my.c.sshKeyFiles.rsyncNet
]; ];
services = { services = {
fstrim = lib.my.colony.fstrimConfig; fstrim = lib.my.c.colony.fstrimConfig;
lvm = { lvm = {
boot.thin.enable = true; boot.thin.enable = true;
dmeventd.enable = true; dmeventd.enable = true;
@ -214,16 +214,16 @@ in
}; };
ipv6Prefixes = [ ipv6Prefixes = [
{ {
ipv6PrefixConfig.Prefix = lib.my.colony.prefixes.vms.v6; ipv6PrefixConfig.Prefix = prefixes.vms.v6;
} }
]; ];
routes = map (r: { routeConfig = r; }) [ routes = map (r: { routeConfig = r; }) [
{ {
Destination = lib.my.colony.prefixes.ctrs.v4; Destination = prefixes.ctrs.v4;
Gateway = allAssignments.shill.routing.ipv4.address; Gateway = allAssignments.shill.routing.ipv4.address;
} }
{ {
Destination = lib.my.colony.prefixes.ctrs.v6; Destination = prefixes.ctrs.v6;
Gateway = allAssignments.shill.internal.ipv6.address; Gateway = allAssignments.shill.internal.ipv6.address;
} }
{ {
@ -232,11 +232,11 @@ in
} }
{ {
Destination = lib.my.colony.prefixes.oci.v4; Destination = prefixes.oci.v4;
Gateway = allAssignments.whale2.routing.ipv4.address; Gateway = allAssignments.whale2.routing.ipv4.address;
} }
{ {
Destination = lib.my.colony.prefixes.oci.v6; Destination = prefixes.oci.v6;
Gateway = allAssignments.whale2.internal.ipv6.address; Gateway = allAssignments.whale2.internal.ipv6.address;
} }
{ {

@ -14,12 +14,12 @@ in
config = '' config = ''
define OWNAS = 211024; define OWNAS = 211024;
define CCVIP1 = ${lib.my.colony.prefixes.vip1}; define CCVIP1 = ${lib.my.c.colony.prefixes.vip1};
define CCVIP2 = ${lib.my.colony.prefixes.vip2}; define CCVIP2 = ${lib.my.c.colony.prefixes.vip2};
define OWNIP4 = ${assignments.internal.ipv4.address}; define OWNIP4 = ${assignments.internal.ipv4.address};
define OWNNETSET4 = [ ${assignments.internal.ipv4.address}/32 ]; define OWNNETSET4 = [ ${assignments.internal.ipv4.address}/32 ];
define CCNETSET4 = [ ${lib.my.colony.prefixes.vip1}, ${lib.my.colony.prefixes.vip2} ]; define CCNETSET4 = [ ${lib.my.c.colony.prefixes.vip1}, ${lib.my.c.colony.prefixes.vip2} ];
define INTNET6 = ${intnet6}; define INTNET6 = ${intnet6};
define AMSNET6 = ${amsnet6}; define AMSNET6 = ${amsnet6};

@ -1,7 +1,7 @@
{ lib, ... }: { lib, ... }:
let let
inherit (lib.my) net; inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes; inherit (lib.my.c.colony) domain prefixes;
pubV4 = "94.142.240.44"; pubV4 = "94.142.240.44";
in in
@ -95,7 +95,7 @@ in
}; };
services = { services = {
fstrim = lib.my.colony.fstrimConfig; fstrim = lib.my.c.colony.fstrimConfig;
lvm = { lvm = {
dmeventd.enable = true; dmeventd.enable = true;
}; };
@ -182,7 +182,7 @@ in
}; };
wireguardConfig = { wireguardConfig = {
PrivateKeyFile = config.age.secrets."estuary/kelder-wg.key".path; PrivateKeyFile = config.age.secrets."estuary/kelder-wg.key".path;
ListenPort = lib.my.kelder.vpn.port; ListenPort = lib.my.c.kelder.vpn.port;
}; };
wireguardPeers = [ wireguardPeers = [
{ {
@ -306,27 +306,27 @@ in
}; };
ipv6Prefixes = [ ipv6Prefixes = [
{ {
ipv6PrefixConfig.Prefix = lib.my.colony.prefixes.base.v6; ipv6PrefixConfig.Prefix = prefixes.base.v6;
} }
]; ];
routes = map (r: { routeConfig = r; }) (flatten routes = map (r: { routeConfig = r; }) (flatten
([ ([
{ {
Destination = lib.my.colony.prefixes.vip1; Destination = prefixes.vip1;
Gateway = allAssignments.colony.routing.ipv4.address; Gateway = allAssignments.colony.routing.ipv4.address;
} }
{ {
Destination = lib.my.colony.prefixes.cust.v6; Destination = prefixes.cust.v6;
Gateway = allAssignments.colony.internal.ipv6.address; Gateway = allAssignments.colony.internal.ipv6.address;
} }
] ++ ] ++
(map (pName: [ (map (pName: [
{ {
Gateway = allAssignments.colony.routing.ipv4.address; Gateway = allAssignments.colony.routing.ipv4.address;
Destination = lib.my.colony.prefixes."${pName}".v4; Destination = prefixes."${pName}".v4;
} }
{ {
Destination = lib.my.colony.prefixes."${pName}".v6; Destination = prefixes."${pName}".v6;
Gateway = allAssignments.colony.internal.ipv6.address; Gateway = allAssignments.colony.internal.ipv6.address;
} }
]) [ "vms" "ctrs" "oci" ]))); ]) [ "vms" "ctrs" "oci" ])));
@ -356,7 +356,6 @@ in
}; };
my = { my = {
#deploy.generate.system.mode = "boot";
secrets = { secrets = {
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9up7pXu6M/OWCKufTOfSiGcxMUk4VqUe7fLuatNFFA"; key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9up7pXu6M/OWCKufTOfSiGcxMUk4VqUe7fLuatNFFA";
files = { files = {
@ -369,7 +368,7 @@ in
firewall = { firewall = {
trustedInterfaces = [ "as211024" ]; trustedInterfaces = [ "as211024" ];
udp.allowed = [ 5353 lib.my.kelder.vpn.port ]; udp.allowed = [ 5353 lib.my.c.kelder.vpn.port ];
tcp.allowed = [ 5353 "bgp" ]; tcp.allowed = [ 5353 "bgp" ];
nat = { nat = {
enable = true; enable = true;
@ -458,7 +457,7 @@ in
${matchInet "meta l4proto { udp, tcp } th dport domain redirect to :5353" "estuary"} ${matchInet "meta l4proto { udp, tcp } th dport domain redirect to :5353" "estuary"}
} }
chain postrouting { chain postrouting {
ip saddr ${lib.my.colony.prefixes.all.v4} snat to ${assignments.internal.ipv4.address} ip saddr ${prefixes.all.v4} snat to ${assignments.internal.ipv4.address}
} }
} }
''; '';

@ -1,6 +1,8 @@
{ lib, pkgs, config, assignments, allAssignments, ... }: { lib, pkgs, config, assignments, allAssignments, ... }:
let let
inherit (builtins) attrNames; inherit (builtins) attrNames;
inherit (lib.my) net;
inherit (lib.my.c.colony) prefixes;
authZones = attrNames config.my.pdns.auth.bind.zones; authZones = attrNames config.my.pdns.auth.bind.zones;
in in
@ -49,7 +51,7 @@ in
]; ];
allowFrom = [ allowFrom = [
"127.0.0.0/8" "::1/128" "127.0.0.0/8" "::1/128"
lib.my.colony.prefixes.all.v4 lib.my.colony.prefixes.all.v6 prefixes.all.v4 prefixes.all.v6
]; ];
}; };
@ -147,8 +149,8 @@ in
valheim IN A ${assignments.internal.ipv4.address} valheim IN A ${assignments.internal.ipv4.address}
valheim IN AAAA ${allAssignments.valheim-oci.internal.ipv6.address} valheim IN AAAA ${allAssignments.valheim-oci.internal.ipv6.address}
mail-vm IN A ${lib.my.net.cidr.host 0 lib.my.colony.prefixes.mail.v4} mail-vm IN A ${net.cidr.host 0 prefixes.mail.v4}
mail-vm IN AAAA ${lib.my.net.cidr.host 1 lib.my.colony.prefixes.mail.v6} mail-vm IN AAAA ${net.cidr.host 1 prefixes.mail.v6}
andrey-cust IN A ${allAssignments.kelder.estuary.ipv4.address} andrey-cust IN A ${allAssignments.kelder.estuary.ipv4.address}

@ -1,7 +1,7 @@
{ lib, ... }: { lib, ... }:
let let
inherit (lib.my) net; inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes; inherit (lib.my.c.colony) domain prefixes;
in in
{ {
nixos.systems.chatterbox = { nixos.systems.chatterbox = {
@ -128,7 +128,7 @@ in
"2001:db8::/32" "2001:db8::/32"
"ff00::/8" "ff00::/8"
"fec0::/10" "fec0::/10"
] ++ (with lib.my.colony.prefixes; [ all.v4 all.v6 ]); ] ++ (with lib.my.c.colony.prefixes; [ all.v4 all.v6 ]);
url_preview_ip_range_whitelist = url_preview_ip_range_whitelist =
with allAssignments.middleman.internal; with allAssignments.middleman.internal;
[ ipv4.address ipv6.address ]; [ ipv4.address ipv6.address ];

@ -1,7 +1,7 @@
{ lib, ... }: { lib, ... }:
let let
inherit (lib.my) net; inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes; inherit (lib.my.c.colony) domain prefixes;
in in
{ {
nixos.systems.colony-psql = { nixos.systems.colony-psql = {
@ -66,7 +66,7 @@ in
enable = true; enable = true;
enableTCPIP = true; enableTCPIP = true;
authentication = with lib.my.colony.prefixes; '' authentication = with lib.my.c.colony.prefixes; ''
local all postgres peer map=local local all postgres peer map=local
host all all ${all.v4} md5 host all all ${all.v4} md5

@ -1,7 +1,7 @@
{ lib, ... }: { lib, ... }:
let let
inherit (lib.my) net; inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes; inherit (lib.my.c.colony) domain prefixes;
in in
{ {
nixos.systems.jackflix = { nixos.systems.jackflix = {

@ -2,6 +2,7 @@
let let
inherit (lib) mkMerge mkIf; inherit (lib) mkMerge mkIf;
inherit (lib.my) networkdAssignment; inherit (lib.my) networkdAssignment;
inherit (lib.my.c.colony) prefixes;
wg = { wg = {
keyFile = "jackflix/airvpn-privkey"; keyFile = "jackflix/airvpn-privkey";
@ -102,23 +103,23 @@ in
} }
{ {
From = lib.my.colony.prefixes.all.v4; From = prefixes.all.v4;
Table = "main"; Table = "main";
Priority = 100; Priority = 100;
} }
{ {
To = lib.my.colony.prefixes.all.v4; To = prefixes.all.v4;
Table = "main"; Table = "main";
Priority = 100; Priority = 100;
} }
{ {
From = lib.my.colony.prefixes.all.v6; From = prefixes.all.v6;
Table = "main"; Table = "main";
Priority = 100; Priority = 100;
} }
{ {
To = lib.my.colony.prefixes.all.v6; To = prefixes.all.v6;
Table = "main"; Table = "main";
Priority = 100; Priority = 100;
} }

@ -1,7 +1,8 @@
{ lib, ... }: { lib, ... }:
let let
inherit (lib.my) net; inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes; inherit (lib.my.c) pubDomain;
inherit (lib.my.c.colony) domain prefixes;
in in
{ {
nixos.systems.middleman = { nixos.systems.middleman = {
@ -79,8 +80,8 @@ in
port = 8082; port = 8082;
}; };
login = { login = {
title = "${lib.my.pubDomain} login"; title = "${pubDomain} login";
default_redirect = "https://${lib.my.pubDomain}"; default_redirect = "https://${pubDomain}";
default_method = "google_oauth"; default_method = "google_oauth";
names = { names = {
google_oauth = "Google account"; google_oauth = "Google account";
@ -88,7 +89,7 @@ in
}; };
}; };
cookie = { cookie = {
domain = ".${lib.my.pubDomain}"; domain = ".${pubDomain}";
secure = true; secure = true;
}; };
audit_log = { audit_log = {
@ -109,14 +110,14 @@ in
}; };
google_oauth = { google_oauth = {
client_id = "545475967061-cag4g1qf0pk33g3pdbom4v69562vboc8.apps.googleusercontent.com"; client_id = "545475967061-cag4g1qf0pk33g3pdbom4v69562vboc8.apps.googleusercontent.com";
redirect_url = "https://sso.${lib.my.pubDomain}/login"; redirect_url = "https://sso.${pubDomain}/login";
user_id_method = "user-id"; user_id_method = "user-id";
}; };
}; };
}; };
includes = { includes = {
endpoint = "http://localhost:8082"; endpoint = "http://localhost:8082";
baseURL = "https://sso.${lib.my.pubDomain}"; baseURL = "https://sso.${pubDomain}";
}; };
}; };
}; };
@ -173,10 +174,10 @@ in
EXEC_PATH=${script} EXEC_PATH=${script}
''; '';
}; };
"${lib.my.pubDomain}" = { "${pubDomain}" = {
extraDomainNames = [ extraDomainNames = [
"*.${lib.my.pubDomain}" "*.${pubDomain}"
"*.s3.${lib.my.pubDomain}" "*.s3.${pubDomain}"
]; ];
dnsProvider = "cloudflare"; dnsProvider = "cloudflare";
credentialsFile = config.age.secrets."middleman/cloudflare-credentials.conf".path; credentialsFile = config.age.secrets."middleman/cloudflare-credentials.conf".path;
@ -194,7 +195,7 @@ in
}; };
programs = { programs = {
ssh.knownHostsFiles = [ lib.my.sshHostKeys.mail-vm ]; ssh.knownHostsFiles = [ lib.my.c.sshHostKeys.mail-vm ];
}; };
services = { services = {
@ -265,7 +266,7 @@ in
proxy_send_timeout 60s; proxy_send_timeout 60s;
proxy_http_version 1.1; proxy_http_version 1.1;
${lib.my.nginx.proxyHeaders} ${lib.my.c.nginx.proxyHeaders}
# caching # caching
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=4g; proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=4g;

@ -2,6 +2,8 @@
let let
inherit (builtins) mapAttrs toJSON; inherit (builtins) mapAttrs toJSON;
inherit (lib) mkMerge mkDefault genAttrs flatten concatStringsSep; inherit (lib) mkMerge mkDefault genAttrs flatten concatStringsSep;
inherit (lib.my.c) pubDomain;
inherit (lib.my.c.nginx) proxyHeaders;
dualStackListen' = l: map (addr: l // { inherit addr; }) [ "0.0.0.0" "[::]" ]; dualStackListen' = l: map (addr: l // { inherit addr; }) [ "0.0.0.0" "[::]" ];
dualStackListen = ll: flatten (map dualStackListen' ll); dualStackListen = ll: flatten (map dualStackListen' ll);
@ -80,7 +82,7 @@ in
} }
wellKnown wellKnown
]; ];
useACMEHost = lib.my.pubDomain; useACMEHost = pubDomain;
}; };
"localhost" = { "localhost" = {
forceSSL = false; forceSSL = false;
@ -98,12 +100,12 @@ in
}; };
}; };
"sso.${lib.my.pubDomain}" = { "sso.${pubDomain}" = {
locations."/".proxyPass = config.my.nginx-sso.includes.endpoint; locations."/".proxyPass = config.my.nginx-sso.includes.endpoint;
useACMEHost = lib.my.pubDomain; useACMEHost = pubDomain;
}; };
"netdata-colony.${lib.my.pubDomain}" = "netdata-colony.${pubDomain}" =
let let
hosts = [ hosts = [
"vm" "vm"
@ -119,10 +121,10 @@ in
"~ /(?<behost>${matchHosts})$".return = "301 https://$host/$behost/"; "~ /(?<behost>${matchHosts})$".return = "301 https://$host/$behost/";
"~ /(?<behost>${matchHosts})/(?<ndpath>.*)" = mkMerge [ "~ /(?<behost>${matchHosts})/(?<ndpath>.*)" = mkMerge [
{ {
proxyPass = "http://$behost.${config.networking.domain}:19999/$ndpath$is_args$args"; proxyPass = "http://$behost.${config.networking.pubDomain}:19999/$ndpath$is_args$args";
extraConfig = '' extraConfig = ''
proxy_pass_request_headers on; proxy_pass_request_headers on;
${lib.my.nginx.proxyHeaders} ${proxyHeaders}
proxy_set_header Connection "keep-alive"; proxy_set_header Connection "keep-alive";
proxy_store off; proxy_store off;
@ -134,14 +136,14 @@ in
(ssoLoc "generic") (ssoLoc "generic")
]; ];
}; };
useACMEHost = lib.my.pubDomain; useACMEHost = pubDomain;
} }
(ssoServer "generic") (ssoServer "generic")
]; ];
"pass.${lib.my.pubDomain}" = "pass.${pubDomain}" =
let let
upstream = "http://vaultwarden-ctr.${config.networking.domain}"; upstream = "http://vaultwarden-ctr.${config.networking.pubDomain}";
in in
{ {
locations = { locations = {
@ -149,11 +151,11 @@ in
"/notifications/hub" = { "/notifications/hub" = {
proxyPass = upstream; proxyPass = upstream;
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders; extraConfig = proxyHeaders;
}; };
"/notifications/hub/negotiate".proxyPass = upstream; "/notifications/hub/negotiate".proxyPass = upstream;
}; };
useACMEHost = lib.my.pubDomain; useACMEHost = pubDomain;
}; };
"matrix.nul.ie" = { "matrix.nul.ie" = {
@ -171,15 +173,15 @@ in
]; ];
locations = mkMerge [ locations = mkMerge [
{ {
"/".proxyPass = "http://chatterbox-ctr.${config.networking.domain}:8008"; "/".proxyPass = "http://chatterbox-ctr.${config.networking.pubDomain}:8008";
"= /".return = "301 https://element.${lib.my.pubDomain}"; "= /".return = "301 https://element.${pubDomain}";
} }
wellKnown wellKnown
]; ];
useACMEHost = lib.my.pubDomain; useACMEHost = pubDomain;
}; };
"element.${lib.my.pubDomain}" = "element.${pubDomain}" =
let let
headers = '' headers = ''
# TODO: why are these here? # TODO: why are these here?
@ -224,66 +226,66 @@ in
''; '';
})) }))
]; ];
useACMEHost = lib.my.pubDomain; useACMEHost = pubDomain;
}; };
"torrents.${lib.my.pubDomain}" = mkMerge [ "torrents.${pubDomain}" = mkMerge [
{ {
locations."/" = mkMerge [ locations."/" = mkMerge [
{ {
proxyPass = "http://jackflix-ctr.${config.networking.domain}:9091"; proxyPass = "http://jackflix-ctr.${config.networking.pubDomain}:9091";
} }
(ssoLoc "generic") (ssoLoc "generic")
]; ];
useACMEHost = lib.my.pubDomain; useACMEHost = pubDomain;
} }
(ssoServer "generic") (ssoServer "generic")
]; ];
"jackett.${lib.my.pubDomain}" = mkMerge [ "jackett.${pubDomain}" = mkMerge [
{ {
locations."/" = mkMerge [ locations."/" = mkMerge [
{ {
proxyPass = "http://jackflix-ctr.${config.networking.domain}:9117"; proxyPass = "http://jackflix-ctr.${config.networking.pubDomain}:9117";
} }
(ssoLoc "generic") (ssoLoc "generic")
]; ];
useACMEHost = lib.my.pubDomain; useACMEHost = pubDomain;
} }
(ssoServer "generic") (ssoServer "generic")
]; ];
"radarr.${lib.my.pubDomain}" = mkMerge [ "radarr.${pubDomain}" = mkMerge [
{ {
locations."/" = mkMerge [ locations."/" = mkMerge [
{ {
proxyPass = "http://jackflix-ctr.${config.networking.domain}:7878"; proxyPass = "http://jackflix-ctr.${config.networking.pubDomain}:7878";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders; extraConfig = proxyHeaders;
} }
(ssoLoc "generic") (ssoLoc "generic")
]; ];
useACMEHost = lib.my.pubDomain; useACMEHost = pubDomain;
} }
(ssoServer "generic") (ssoServer "generic")
]; ];
"sonarr.${lib.my.pubDomain}" = mkMerge [ "sonarr.${pubDomain}" = mkMerge [
{ {
locations."/" = mkMerge [ locations."/" = mkMerge [
{ {
proxyPass = "http://jackflix-ctr.${config.networking.domain}:8989"; proxyPass = "http://jackflix-ctr.${config.networking.pubDomain}:8989";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders; extraConfig = proxyHeaders;
} }
(ssoLoc "generic") (ssoLoc "generic")
]; ];
useACMEHost = lib.my.pubDomain; useACMEHost = pubDomain;
} }
(ssoServer "generic") (ssoServer "generic")
]; ];
"jackflix.${lib.my.pubDomain}" = "jackflix.${pubDomain}" =
let let
upstream = "http://jackflix-ctr.${config.networking.domain}:8096"; upstream = "http://jackflix-ctr.${config.networking.pubDomain}:8096";
in in
{ {
extraConfig = '' extraConfig = ''
@ -300,10 +302,10 @@ in
"/socket" = { "/socket" = {
proxyPass = upstream; proxyPass = upstream;
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders; extraConfig = proxyHeaders;
}; };
}; };
useACMEHost = lib.my.pubDomain; useACMEHost = pubDomain;
}; };
"toot.nul.ie" = "toot.nul.ie" =
@ -312,7 +314,7 @@ in
tryFiles = "$uri =404"; tryFiles = "$uri =404";
extraConfig = '' extraConfig = ''
add_header Cache-Control "public, max-age=2419200, must-revalidate"; add_header Cache-Control "public, max-age=2419200, must-revalidate";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; add_header Strict-Transport-Security "max-age=63072000; includeSubpubDomains";
''; '';
}; };
in in
@ -333,20 +335,20 @@ in
"/".tryFiles = "$uri @proxy"; "/".tryFiles = "$uri @proxy";
"^~ /api/v1/streaming" = { "^~ /api/v1/streaming" = {
proxyPass = "http://toot-ctr.${config.networking.domain}:55000"; proxyPass = "http://toot-ctr.${config.networking.pubDomain}:55000";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = '' extraConfig = ''
${lib.my.nginx.proxyHeaders} ${proxyHeaders}
proxy_set_header Proxy ""; proxy_set_header Proxy "";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; add_header Strict-Transport-Security "max-age=63072000; includeSubpubDomains";
''; '';
}; };
"@proxy" = { "@proxy" = {
proxyPass = "http://toot-ctr.${config.networking.domain}:55001"; proxyPass = "http://toot-ctr.${config.networking.pubDomain}:55001";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = '' extraConfig = ''
${lib.my.nginx.proxyHeaders} ${proxyHeaders}
proxy_set_header Proxy ""; proxy_set_header Proxy "";
proxy_pass_header Server; proxy_pass_header Server;
@ -359,19 +361,19 @@ in
}; };
} }
]; ];
useACMEHost = lib.my.pubDomain; useACMEHost = pubDomain;
}; };
"share.${lib.my.pubDomain}" = { "share.${pubDomain}" = {
locations."/" = { locations."/" = {
proxyPass = "http://object-ctr.${config.networking.domain}:9090"; proxyPass = "http://object-ctr.${config.networking.pubDomain}:9090";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders; extraConfig = proxyHeaders;
}; };
useACMEHost = lib.my.pubDomain; useACMEHost = pubDomain;
}; };
"stuff.${lib.my.pubDomain}" = { "stuff.${pubDomain}" = {
locations."/" = { locations."/" = {
basicAuthFile = config.age.secrets."middleman/htpasswd".path; basicAuthFile = config.age.secrets."middleman/htpasswd".path;
root = "/mnt/media/stuff"; root = "/mnt/media/stuff";
@ -380,13 +382,13 @@ in
fancyindex_show_dotfiles on; fancyindex_show_dotfiles on;
''; '';
}; };
useACMEHost = lib.my.pubDomain; useACMEHost = pubDomain;
}; };
}; };
minio = minio =
let let
host = "object-ctr.${config.networking.domain}"; host = "object-ctr.${config.networking.pubDomain}";
s3Upstream = "http://${host}:9000"; s3Upstream = "http://${host}:9000";
extraConfig = '' extraConfig = ''
chunked_transfer_encoding off; chunked_transfer_encoding off;
@ -401,7 +403,7 @@ in
''; '';
in in
{ {
"minio.${lib.my.pubDomain}" = { "minio.${pubDomain}" = {
inherit extraConfig; inherit extraConfig;
locations = { locations = {
"/" = { "/" = {
@ -410,19 +412,19 @@ in
"/ws" = { "/ws" = {
proxyPass = "http://${host}:9001"; proxyPass = "http://${host}:9001";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders; extraConfig = proxyHeaders;
}; };
}; };
useACMEHost = lib.my.pubDomain; useACMEHost = pubDomain;
}; };
"s3.${lib.my.pubDomain}" = { "s3.${pubDomain}" = {
serverAliases = [ "*.s3.${lib.my.pubDomain}" ]; serverAliases = [ "*.s3.${pubDomain}" ];
inherit extraConfig; inherit extraConfig;
locations."/".proxyPass = s3Upstream; locations."/".proxyPass = s3Upstream;
useACMEHost = lib.my.pubDomain; useACMEHost = pubDomain;
}; };
"nix-cache.${lib.my.pubDomain}" = { "nix-cache.${pubDomain}" = {
extraConfig = '' extraConfig = ''
${extraConfig} ${extraConfig}
proxy_set_header Host "nix-cache.s3.nul.ie"; proxy_set_header Host "nix-cache.s3.nul.ie";
@ -434,14 +436,14 @@ in
extraConfig = nixCacheHeaders; extraConfig = nixCacheHeaders;
}; };
}; };
useACMEHost = lib.my.pubDomain; useACMEHost = pubDomain;
onlySSL = false; onlySSL = false;
}; };
}; };
defaultsFor = mapAttrs (n: _: { defaultsFor = mapAttrs (n: _: {
onlySSL = mkDefault true; onlySSL = mkDefault true;
useACMEHost = mkDefault "${config.networking.domain}"; useACMEHost = mkDefault "${config.networking.pubDomain}";
kTLS = mkDefault true; kTLS = mkDefault true;
http2 = mkDefault true; http2 = mkDefault true;
}); });
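Review bot: The Strict-Transport-Security header on the new side of the toot.nul.ie hunks (lines 690 and 702) now reads `add_header Strict-Transport-Security "max-age=63072000; includeSubpubDomains";` — `includeSubpubDomains` is not an HSTS directive, browsers ignore unknown tokens, so subdomains silently lose HSTS coverage; restore `includeSubDomains`. The same search-and-replace turned `config.networking.domain` into `config.networking.pubDomain` in every proxyPass, upstream and `useACMEHost` string of this file (lines 566, 582, 601, 622, 634, 646, 660, 672, 697, 706, 720, 739 and the `defaultsFor` line 780); `networking.pubDomain` is not a NixOS option, so unless this repository defines it (nothing in the commit does) the middleman nginx config will fail to evaluate, and if it did exist the reverse proxies and default ACME host would point at the public domain rather than the internal one. Only the `lib.my.pubDomain` → `pubDomain` and `lib.my.nginx.proxyHeaders` → `proxyHeaders` substitutions appear intended here; the other two patterns should be reverted before merging.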

@ -1,7 +1,7 @@
{ lib, ... }: { lib, ... }:
let let
inherit (lib.my) net; inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes; inherit (lib.my.c.colony) domain prefixes;
in in
{ {
nixos.systems.object = { nixos.systems.object = {
@ -92,7 +92,7 @@ in
configOverridesFile = config.age.secrets."object/sharry.conf".path; configOverridesFile = config.age.secrets."object/sharry.conf".path;
config = { config = {
base-url = "https://share.${lib.my.pubDomain}"; base-url = "https://share.${lib.my.c.pubDomain}";
bind.address = "::"; bind.address = "::";
alias-member-enabled = true; alias-member-enabled = true;
webapp = { webapp = {

@ -1,7 +1,7 @@
{ lib, ... }: { lib, ... }:
let let
inherit (lib.my) net; inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes; inherit (lib.my.c.colony) domain prefixes;
in in
{ {
nixos.systems.toot = { nixos.systems.toot = {

@ -1,7 +1,7 @@
{ lib, ... }: { lib, ... }:
let let
inherit (lib.my) net; inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes; inherit (lib.my.c.colony) domain prefixes;
in in
{ {
nixos.systems.vaultwarden = { nixos.systems.vaultwarden = {
@ -62,7 +62,7 @@ in
}; };
programs.ssh.knownHostsFiles = [ programs.ssh.knownHostsFiles = [
lib.my.sshKeyFiles.rsyncNet lib.my.c.sshKeyFiles.rsyncNet
]; ];
services = { services = {
@ -79,7 +79,7 @@ in
SIGNUPS_ALLOWED = false; SIGNUPS_ALLOWED = false;
DOMAIN = "https://pass.${lib.my.pubDomain}"; DOMAIN = "https://pass.${lib.my.c.pubDomain}";
ROCKET_ADDRESS = "::"; ROCKET_ADDRESS = "::";
ROCKET_PORT = 80; ROCKET_PORT = 80;

@ -1,7 +1,7 @@
{ lib, ... }: { lib, ... }:
let let
inherit (lib.my) net; inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes; inherit (lib.my.c.colony) domain prefixes;
in in
{ {
imports = [ ./containers ]; imports = [ ./containers ];
@ -97,7 +97,7 @@ in
}; };
services = { services = {
fstrim = lib.my.colony.fstrimConfig; fstrim = lib.my.c.colony.fstrimConfig;
netdata.enable = true; netdata.enable = true;
}; };
@ -131,7 +131,7 @@ in
}; };
ipv6Prefixes = [ ipv6Prefixes = [
{ {
ipv6PrefixConfig.Prefix = lib.my.colony.prefixes.ctrs.v6; ipv6PrefixConfig.Prefix = prefixes.ctrs.v6;
} }
]; ];
} }

@ -2,7 +2,7 @@
let let
inherit (builtins) mapAttrs; inherit (builtins) mapAttrs;
inherit (lib.my) net; inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes; inherit (lib.my.c.colony) domain prefixes;
in in
{ {
nixos.systems.whale2 = { nixos.systems.whale2 = {
@ -94,7 +94,7 @@ in
}; };
services = { services = {
fstrim = lib.my.colony.fstrimConfig; fstrim = lib.my.c.colony.fstrimConfig;
netdata.enable = true; netdata.enable = true;
}; };

@ -1,7 +1,7 @@
{ lib, ... }: { lib, ... }:
let let
inherit (lib.my) net; inherit (lib.my) net;
inherit (lib.my.kelder) domain prefixes; inherit (lib.my.c.kelder) domain prefixes;
in in
{ {
nixos.systems.kelder-acquisition = { nixos.systems.kelder-acquisition = {
@ -44,7 +44,7 @@ in
}; };
users = { users = {
groups.media.gid = lib.my.kelder.groups.media; groups.media.gid = lib.my.c.kelder.groups.media;
users = { users = {
"${config.my.user.config.name}".extraGroups = [ "media" ]; "${config.my.user.config.name}".extraGroups = [ "media" ];

@ -104,12 +104,12 @@ in
} }
{ {
From = lib.my.kelder.prefixes.all.v4; From = lib.my.c.kelder.prefixes.all.v4;
Table = "main"; Table = "main";
Priority = 100; Priority = 100;
} }
{ {
To = lib.my.kelder.prefixes.all.v4; To = lib.my.c.kelder.prefixes.all.v4;
Table = "main"; Table = "main";
Priority = 100; Priority = 100;
} }

@ -2,7 +2,7 @@
let let
inherit (lib) mkForce mkMerge; inherit (lib) mkForce mkMerge;
inherit (lib.my) net; inherit (lib.my) net;
inherit (lib.my.kelder) domain prefixes; inherit (lib.my.c.kelder) domain prefixes;
in in
{ {
nixos.systems.kelder-spoder = { nixos.systems.kelder-spoder = {
@ -54,9 +54,9 @@ in
dnsResolver = "8.8.8.8"; dnsResolver = "8.8.8.8";
}; };
certs = { certs = {
"${lib.my.kelder.domain}" = { "${domain}" = {
extraDomainNames = [ extraDomainNames = [
"*.${lib.my.kelder.domain}" "*.${domain}"
]; ];
dnsProvider = "cloudflare"; dnsProvider = "cloudflare";
credentialsFile = config.age.secrets."kelder/cloudflare-credentials.conf".path; credentialsFile = config.age.secrets."kelder/cloudflare-credentials.conf".path;
@ -65,7 +65,7 @@ in
}; };
users = { users = {
groups.storage.gid = lib.my.kelder.groups.storage; groups.storage.gid = lib.my.c.kelder.groups.storage;
users = { users = {
nginx.extraGroups = [ "acme" ]; nginx.extraGroups = [ "acme" ];
@ -93,11 +93,11 @@ in
enable = true; enable = true;
package = pkgs.nextcloud27; package = pkgs.nextcloud27;
datadir = "/mnt/storage/nextcloud"; datadir = "/mnt/storage/nextcloud";
hostName = "cloud.${lib.my.kelder.domain}"; hostName = "cloud.${domain}";
https = true; https = true;
enableBrokenCiphersForSSE = false; enableBrokenCiphersForSSE = false;
config = { config = {
extraTrustedDomains = [ "cloud-local.${lib.my.kelder.domain}" ]; extraTrustedDomains = [ "cloud-local.${domain}" ];
adminpassFile = config.age.secrets."kelder/nextcloud-root.txt".path; adminpassFile = config.age.secrets."kelder/nextcloud-root.txt".path;
defaultPhoneRegion = "IE"; defaultPhoneRegion = "IE";
}; };

@ -2,6 +2,8 @@
let let
inherit (builtins) mapAttrs; inherit (builtins) mapAttrs;
inherit (lib) mkMerge mkIf mkDefault; inherit (lib) mkMerge mkIf mkDefault;
inherit (lib.my.c.nginx) proxyHeaders;
inherit (lib.my.c.kelder) domain;
in in
{ {
config = { config = {
@ -73,7 +75,7 @@ in
proxy_send_timeout 60s; proxy_send_timeout 60s;
proxy_http_version 1.1; proxy_http_version 1.1;
${lib.my.nginx.proxyHeaders} ${proxyHeaders}
# caching # caching
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=4g; proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=4g;
@ -135,15 +137,15 @@ in
}; };
}; };
"monitor.${lib.my.kelder.domain}" = withAuth { "monitor.${domain}" = withAuth {
serverAliases = [ "monitor-local.${lib.my.kelder.domain}" ]; serverAliases = [ "monitor-local.${domain}" ];
extraConfig = localRedirect "monitor-local.${lib.my.kelder.domain}"; extraConfig = localRedirect "monitor-local.${domain}";
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://${allAssignments.kelder.ctrs.ipv4.address}:19999"; proxyPass = "http://${allAssignments.kelder.ctrs.ipv4.address}:19999";
extraConfig = '' extraConfig = ''
proxy_pass_request_headers on; proxy_pass_request_headers on;
${lib.my.nginx.proxyHeaders} ${proxyHeaders}
proxy_set_header Connection "keep-alive"; proxy_set_header Connection "keep-alive";
proxy_store off; proxy_store off;
@ -155,8 +157,8 @@ in
}; };
}; };
"kontent.${lib.my.kelder.domain}" = { "kontent.${domain}" = {
serverAliases = [ "kontent-local.${lib.my.kelder.domain}" ]; serverAliases = [ "kontent-local.${domain}" ];
locations = { locations = {
"/".proxyPass = "${acquisition}:8096"; "/".proxyPass = "${acquisition}:8096";
"= /".return = "302 $scheme://$host/web/"; "= /".return = "302 $scheme://$host/web/";
@ -164,47 +166,47 @@ in
"/socket" = { "/socket" = {
proxyPass = "${acquisition}:8096/socket"; proxyPass = "${acquisition}:8096/socket";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders; extraConfig = proxyHeaders;
}; };
}; };
}; };
"torrents.${lib.my.kelder.domain}" = withAuth { "torrents.${domain}" = withAuth {
serverAliases = [ "torrents-local.${lib.my.kelder.domain}" ]; serverAliases = [ "torrents-local.${domain}" ];
extraConfig = localRedirect "torrents-local.${lib.my.kelder.domain}"; extraConfig = localRedirect "torrents-local.${domain}";
locations."/".proxyPass = "${acquisition}:9091"; locations."/".proxyPass = "${acquisition}:9091";
}; };
"jackett.${lib.my.kelder.domain}" = withAuth { "jackett.${domain}" = withAuth {
serverAliases = [ "jackett-local.${lib.my.kelder.domain}" ]; serverAliases = [ "jackett-local.${domain}" ];
extraConfig = localRedirect "jackett-local.${lib.my.kelder.domain}"; extraConfig = localRedirect "jackett-local.${domain}";
locations."/".proxyPass = "${acquisition}:9117"; locations."/".proxyPass = "${acquisition}:9117";
}; };
"radarr.${lib.my.kelder.domain}" = withAuth { "radarr.${domain}" = withAuth {
serverAliases = [ "radarr-local.${lib.my.kelder.domain}" ]; serverAliases = [ "radarr-local.${domain}" ];
extraConfig = localRedirect "radarr-local.${lib.my.kelder.domain}"; extraConfig = localRedirect "radarr-local.${domain}";
locations."/" = { locations."/" = {
proxyPass = "${acquisition}:7878"; proxyPass = "${acquisition}:7878";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders; extraConfig = proxyHeaders;
}; };
}; };
"sonarr.${lib.my.kelder.domain}" = withAuth { "sonarr.${domain}" = withAuth {
serverAliases = [ "sonarr-local.${lib.my.kelder.domain}" ]; serverAliases = [ "sonarr-local.${domain}" ];
extraConfig = localRedirect "sonarr-local.${lib.my.kelder.domain}"; extraConfig = localRedirect "sonarr-local.${domain}";
locations."/" = { locations."/" = {
proxyPass = "${acquisition}:8989"; proxyPass = "${acquisition}:8989";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders; extraConfig = proxyHeaders;
}; };
}; };
"cloud.${lib.my.kelder.domain}" = { "cloud.${domain}" = {
serverAliases = [ "cloud-local.${lib.my.kelder.domain}" ]; serverAliases = [ "cloud-local.${domain}" ];
}; };
}; };
defaultsFor = mapAttrs (n: _: { defaultsFor = mapAttrs (n: _: {
onlySSL = mkDefault true; onlySSL = mkDefault true;
useACMEHost = mkDefault lib.my.kelder.domain; useACMEHost = mkDefault domain;
kTLS = mkDefault true; kTLS = mkDefault true;
http2 = mkDefault true; http2 = mkDefault true;
}); });

@ -1,7 +1,7 @@
{ lib, ... }: { lib, ... }:
let let
inherit (lib.my) net; inherit (lib.my) net;
inherit (lib.my.kelder) domain prefixes; inherit (lib.my.c.kelder) domain prefixes;
in in
{ {
imports = [ ./containers ]; imports = [ ./containers ];
@ -14,7 +14,7 @@ in
assignments = { assignments = {
estuary = { estuary = {
ipv4 ={ ipv4 ={
address = net.cidr.host 0 lib.my.colony.prefixes.vip2; address = net.cidr.host 0 lib.my.c.colony.prefixes.vip2;
mask = 32; mask = 32;
gateway = null; gateway = null;
}; };
@ -85,7 +85,7 @@ in
}; };
users = { users = {
groups = with lib.my.kelder.groups; { groups = with lib.my.c.kelder.groups; {
storage.gid = storage; storage.gid = storage;
media.gid = media; media.gid = media;
}; };
@ -150,7 +150,7 @@ in
}; };
networking = { networking = {
domain = lib.my.kelder.domain; inherit domain;
}; };
system.nixos.distroName = "KelderOS"; system.nixos.distroName = "KelderOS";
@ -180,7 +180,7 @@ in
{ {
wireguardPeerConfig = { wireguardPeerConfig = {
PublicKey = "bP1XUNxp9i8NLOXhgPaIaRzRwi5APbam44/xjvYcyjU="; PublicKey = "bP1XUNxp9i8NLOXhgPaIaRzRwi5APbam44/xjvYcyjU=";
Endpoint = "estuary-vm.${lib.my.colony.domain}:${toString lib.my.kelder.vpn.port}"; Endpoint = "estuary-vm.${lib.my.c.colony.domain}:${toString lib.my.c.kelder.vpn.port}";
AllowedIPs = [ "0.0.0.0/0" ]; AllowedIPs = [ "0.0.0.0/0" ];
PersistentKeepalive = 25; PersistentKeepalive = 25;
}; };
@ -270,7 +270,6 @@ in
config.name = "kontent"; config.name = "kontent";
}; };
#deploy.generate.system.mode = "boot";
#deploy.node.hostname = "10.16.9.21"; #deploy.node.hostname = "10.16.9.21";
secrets = { secrets = {
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFvUdJshXkqmchEgkZDn5rgtZ1NO9vbd6Px+S6YioWi"; key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFvUdJshXkqmchEgkZDn5rgtZ1NO9vbd6Px+S6YioWi";
@ -311,7 +310,7 @@ in
chain prerouting { chain prerouting {
type filter hook prerouting priority mangle; policy accept; type filter hook prerouting priority mangle; policy accept;
ip daddr ${assignments.estuary.ipv4.address} ct state new ct mark set ${toString dnatMark} ip daddr ${assignments.estuary.ipv4.address} ct state new ct mark set ${toString dnatMark}
ip saddr ${lib.my.kelder.prefixes.all.v4} ct mark != 0 meta mark set ct mark ip saddr ${lib.my.c.kelder.prefixes.all.v4} ct mark != 0 meta mark set ct mark
} }
chain output { chain output {
type filter hook output priority mangle; policy accept; type filter hook output priority mangle; policy accept;
@ -320,7 +319,7 @@ in
} }
table inet nat { table inet nat {
chain postrouting { chain postrouting {
ip saddr ${lib.my.kelder.prefixes.all.v4} oifname et1g0 masquerade ip saddr ${lib.my.c.kelder.prefixes.all.v4} oifname et1g0 masquerade
} }
} }
''; '';
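Review bot: The two nftables rules in the last hunks (`ip saddr ${lib.my.c.kelder.prefixes.all.v4} ct mark != 0 …` and `ip saddr ${lib.my.c.kelder.prefixes.all.v4} oifname et1g0 masquerade`) still spell out the full path even though this file's `let` block now does `inherit (lib.my.c.kelder) domain prefixes;`, so they could read `ip saddr ${prefixes.all.v4} …`, matching what the commit already did for the colony file's `prefixes.ctrs.v6` line. The `networking.domain` line and `From`/`To` policy rules elsewhere in this change use the inherited names, so the long form here looks like an oversight rather than intent; if it is intentional, a short comment saying why would help the next reader. Separately, the `@ -270,7 +270,6 @@` hunk deletes the commented-out `#deploy.generate.system.mode = "boot";` line, which has nothing to do with splitting constants into lib/constants.nix and would be easier to audit as its own commit.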

@ -39,7 +39,7 @@
environment.sessionVariables = { environment.sessionVariables = {
INSTALL_ROOT = installRoot; INSTALL_ROOT = installRoot;
}; };
users.users.root.openssh.authorizedKeys.keyFiles = [ lib.my.sshKeyFiles.deploy ]; users.users.root.openssh.authorizedKeys.keyFiles = [ lib.my.c.sshKeyFiles.deploy ];
home-manager.users.root = { home-manager.users.root = {
programs = { programs = {
starship.settings = { starship.settings = {

@ -47,7 +47,7 @@ in
#"https://nix-cache.nul.ie" #"https://nix-cache.nul.ie"
"https://cache.nixos.org" "https://cache.nixos.org"
]; ];
trusted-public-keys = lib.my.nix.cacheKeys; trusted-public-keys = lib.my.c.nix.cacheKeys;
}; };
registry = { registry = {
pkgs = { pkgs = {

@ -86,7 +86,7 @@ in
options.my.deploy = with lib.types; { options.my.deploy = with lib.types; {
authorizedKeys = { authorizedKeys = {
keys = mkOpt' (listOf singleLineStr) [ ] "SSH public keys to add to the default deployment user."; keys = mkOpt' (listOf singleLineStr) [ ] "SSH public keys to add to the default deployment user.";
keyFiles = mkOpt' (listOf path) [ lib.my.sshKeyFiles.deploy ] "SSH public key files to add to the default deployment user."; keyFiles = mkOpt' (listOf path) [ lib.my.c.sshKeyFiles.deploy ] "SSH public key files to add to the default deployment user.";
}; };
enable = mkBoolOpt' true "Whether to expose deploy-rs configuration for this system."; enable = mkBoolOpt' true "Whether to expose deploy-rs configuration for this system.";

@ -6,7 +6,7 @@ in
config = mkMerge [ config = mkMerge [
{ {
networking = { networking = {
domain = mkDefault "int.${lib.my.pubDomain}"; domain = mkDefault "int.${lib.my.c.pubDomain}";
useDHCP = false; useDHCP = false;
enableIPv6 = mkDefault true; enableIPv6 = mkDefault true;
useNetworkd = mkDefault true; useNetworkd = mkDefault true;

@ -41,7 +41,7 @@ in
shell = shell =
let shell = cfg.homeConfig.my.shell; let shell = cfg.homeConfig.my.shell;
in mkIf (shell != null) (mkDefault' shell); in mkIf (shell != null) (mkDefault' shell);
openssh.authorizedKeys.keyFiles = [ lib.my.sshKeyFiles.me ]; openssh.authorizedKeys.keyFiles = [ lib.my.c.sshKeyFiles.me ];
}; };
homeConfig = { homeConfig = {
# In order for this option to evaluate on its own, home-manager expects the `name` (which is derived from the # In order for this option to evaluate on its own, home-manager expects the `name` (which is derived from the