dev/nixfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Split constants into separate lib file

Browse Source
This commit is contained in:
Jack O'Sullivan 2023-11-02 13:41:50 +00:00
parent 0659809c22
commit 2dbc8b398b
30 changed files with 269 additions and 261 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
devshell/default.nix
View File

@ -15,7 +15,7 @@ in
experimental-features = nix-command flakes ca-derivations repl-flake
#substituters = https://nix-cache.nul.ie https://cache.nixos.org
substituters = https://cache.nixos.org
trusted-public-keys = ${concatStringsSep " " lib.my.nix.cacheKeys}
trusted-public-keys = ${concatStringsSep " " lib.my.c.nix.cacheKeys}
'');
INSTALLER_SSH_OPTS = "-i .keys/deploy.key";

4
home-manager/modules/common.nix
View File

@ -240,13 +240,13 @@ in
#"https://nix-cache.nul.ie"
"https://cache.nixos.org"
];
trusted-public-keys = lib.my.nix.cacheKeys;
trusted-public-keys = lib.my.c.nix.cacheKeys;
};
};
})
(mkIf config.my.isStandalone {
my = {
ssh.authKeys.files = [ lib.my.sshKeyFiles.me ];
ssh.authKeys.files = [ lib.my.c.sshKeyFiles.me ];
};
nix.package = mkIf (versionAtLeast config.home.stateVersion "22.05") pkgs.nix;

92
lib/constants.nix Normal file
View File

@ -0,0 +1,92 @@
{ lib }: rec {
nginx = {
proxyHeaders = ''
# Setting any proxy_header in a child (e.g. location) will nuke the parents...
proxy_set_header X-Origin-URI $request_uri;
proxy_set_header Host $host;
proxy_set_header X-Host $http_host;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Scheme $scheme;
'';
};
nix = {
cacheKeys = [
"nix-cache.nul.ie-1:XofkqdHQSGFoPjB6aRohQbCU2ILKFqhNjWfoOdQgF5Y="
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
];
};
pubDomain = "nul.ie";
colony = {
domain = "ams1.int.${pubDomain}";
prefixes = with lib.my.net.cidr; rec {
all = {
v4 = "10.100.0.0/16";
v6 = "2a0e:97c0:4d2:10::/60";
};
base = {
v4 = subnet 8 0 all.v4;
v6 = subnet 4 0 all.v6;
};
vms = {
v4 = subnet 8 1 all.v4;
v6 = subnet 4 1 all.v6;
};
ctrs = {
v4 = subnet 8 2 all.v4;
v6 = subnet 4 2 all.v6;
};
oci = {
v4 = subnet 8 3 all.v4;
v6 = subnet 4 3 all.v6;
};
cust = {
v4 = subnet 8 100 all.v4; # single ip for routing only
v6 = "2a0e:97c0:4d2:2000::/56";
};
mail = {
v4 = "94.142.241.227/32";
v6 = subnet 8 0 cust.v6;
};
vip1 = "94.142.241.224/30";
vip2 = "94.142.242.254/31";
};
fstrimConfig = {
enable = true;
# backup happens at 05:00
interval = "04:45";
};
};
kelder = {
groups = {
storage = 2000;
media = 2010;
};
domain = "hentai.engineer";
vpn = {
port = 51820;
};
prefixes = with lib.my.net.cidr; rec {
all.v4 = "172.16.64.0/20";
ctrs.v4 = subnet 4 0 all.v4;
};
};
sshKeyFiles = {
me = ../.keys/me.pub;
deploy = ../.keys/deploy.pub;
rsyncNet = ../.keys/zh2855.rsync.net.pub;
mailcowAcme = ../.keys/mailcow-acme.pub;
};
sshHostKeys = {
mail-vm = ../.keys/mail-vm-host.pub;
};
}

102
lib/default.nix
View File

@ -1,9 +1,9 @@
{ lib }:
let
inherit (builtins) length match replaceStrings elemAt mapAttrs head split filter;
inherit (builtins) length match elemAt filter;
inherit (lib)
genAttrs mapAttrs' mapAttrsToList filterAttrsRecursive nameValuePair types
mkOption mkOverride mkForce mkIf mergeEqualOption optional hasPrefix
genAttrs mapAttrsToList filterAttrsRecursive nameValuePair types
mkOption mkOverride mkForce mkIf mergeEqualOption optional
showWarnings concatStringsSep flatten unique;
inherit (lib.flake) defaultSystems;
in
@ -12,6 +12,7 @@ rec {
inherit (import ./net.nix { inherit lib; }) net;
dns = import ./dns.nix { inherit lib; };
c = import ./constants.nix { inherit lib; };
# Yoinked from nixpkgs/nixos/modules/services/networking/nat.nix
isIPv6 = ip: length (lib.splitString ":" ip) > 2;
@ -128,6 +129,8 @@ rec {
UseDomains = true;
};
};
dockerNetAssignment =
assignments: name: with assignments."${name}".internal; "ip=${ipv4.address},ip=${ipv6.address}";
systemdAwaitPostgres = pkg: host: {
after = [ "systemd-networkd-wait-online.service" ];
@ -185,97 +188,4 @@ rec {
filterOpts = filterAttrsRecursive (_: v: v != null);
};
nginx = {
proxyHeaders = ''
# Setting any proxy_header in a child (e.g. location) will nuke the parents...
proxy_set_header X-Origin-URI $request_uri;
proxy_set_header Host $host;
proxy_set_header X-Host $http_host;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Scheme $scheme;
'';
};
nix = {
cacheKeys = [
"nix-cache.nul.ie-1:XofkqdHQSGFoPjB6aRohQbCU2ILKFqhNjWfoOdQgF5Y="
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
];
};
pubDomain = "nul.ie";
dockerNetAssignment =
assignments: name: with assignments."${name}".internal; "ip=${ipv4.address},ip=${ipv6.address}";
colony = {
domain = "ams1.int.${pubDomain}";
prefixes = with net.cidr; rec {
all = {
v4 = "10.100.0.0/16";
v6 = "2a0e:97c0:4d2:10::/60";
};
base = {
v4 = subnet 8 0 all.v4;
v6 = subnet 4 0 all.v6;
};
vms = {
v4 = subnet 8 1 all.v4;
v6 = subnet 4 1 all.v6;
};
ctrs = {
v4 = subnet 8 2 all.v4;
v6 = subnet 4 2 all.v6;
};
oci = {
v4 = subnet 8 3 all.v4;
v6 = subnet 4 3 all.v6;
};
cust = {
v4 = subnet 8 100 all.v4; # single ip for routing only
v6 = "2a0e:97c0:4d2:2000::/56";
};
mail = {
v4 = "94.142.241.227/32";
v6 = subnet 8 0 cust.v6;
};
vip1 = "94.142.241.224/30";
vip2 = "94.142.242.254/31";
};
fstrimConfig = {
enable = true;
# backup happens at 05:00
interval = "04:45";
};
};
kelder = {
groups = {
storage = 2000;
media = 2010;
};
domain = "hentai.engineer";
vpn = {
port = 51820;
};
prefixes = with net.cidr; rec {
all.v4 = "172.16.64.0/20";
ctrs.v4 = subnet 4 0 all.v4;
};
};
sshKeyFiles = {
me = ../.keys/me.pub;
deploy = ../.keys/deploy.pub;
rsyncNet = ../.keys/zh2855.rsync.net.pub;
mailcowAcme = ../.keys/mailcow-acme.pub;
};
sshHostKeys = {
mail-vm = ../.keys/mail-vm-host.pub;
};
}

2
nixos/boxes/castle/default.nix
View File

@ -84,7 +84,7 @@
};
networking = {
domain = "h.${lib.my.pubDomain}";
domain = "h.${lib.my.c.pubDomain}";
firewall.enable = false;
};

16
nixos/boxes/colony/default.nix
View File

@ -1,7 +1,7 @@
{ lib, ... }:
let
inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes;
inherit (lib.my.c.colony) domain prefixes;
in
{
imports = [ ./vms ];
@ -93,11 +93,11 @@ in
};
programs.ssh.knownHostsFiles = [
lib.my.sshKeyFiles.rsyncNet
lib.my.c.sshKeyFiles.rsyncNet
];
services = {
fstrim = lib.my.colony.fstrimConfig;
fstrim = lib.my.c.colony.fstrimConfig;
lvm = {
boot.thin.enable = true;
dmeventd.enable = true;
@ -214,16 +214,16 @@ in
};
ipv6Prefixes = [
{
ipv6PrefixConfig.Prefix = lib.my.colony.prefixes.vms.v6;
ipv6PrefixConfig.Prefix = prefixes.vms.v6;
}
];
routes = map (r: { routeConfig = r; }) [
{
Destination = lib.my.colony.prefixes.ctrs.v4;
Destination = prefixes.ctrs.v4;
Gateway = allAssignments.shill.routing.ipv4.address;
}
{
Destination = lib.my.colony.prefixes.ctrs.v6;
Destination = prefixes.ctrs.v6;
Gateway = allAssignments.shill.internal.ipv6.address;
}
{
@ -232,11 +232,11 @@ in
}
{
Destination = lib.my.colony.prefixes.oci.v4;
Destination = prefixes.oci.v4;
Gateway = allAssignments.whale2.routing.ipv4.address;
}
{
Destination = lib.my.colony.prefixes.oci.v6;
Destination = prefixes.oci.v6;
Gateway = allAssignments.whale2.internal.ipv6.address;
}
{

6
nixos/boxes/colony/vms/estuary/bgp.nix
View File

@ -14,12 +14,12 @@ in
config = ''
define OWNAS = 211024;
define CCVIP1 = ${lib.my.colony.prefixes.vip1};
define CCVIP2 = ${lib.my.colony.prefixes.vip2};
define CCVIP1 = ${lib.my.c.colony.prefixes.vip1};
define CCVIP2 = ${lib.my.c.colony.prefixes.vip2};
define OWNIP4 = ${assignments.internal.ipv4.address};
define OWNNETSET4 = [ ${assignments.internal.ipv4.address}/32 ];
define CCNETSET4 = [ ${lib.my.colony.prefixes.vip1}, ${lib.my.colony.prefixes.vip2} ];
define CCNETSET4 = [ ${lib.my.c.colony.prefixes.vip1}, ${lib.my.c.colony.prefixes.vip2} ];
define INTNET6 = ${intnet6};
define AMSNET6 = ${amsnet6};

21
nixos/boxes/colony/vms/estuary/default.nix
View File

@ -1,7 +1,7 @@
{ lib, ... }:
let
inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes;
inherit (lib.my.c.colony) domain prefixes;
pubV4 = "94.142.240.44";
in
@ -95,7 +95,7 @@ in
};
services = {
fstrim = lib.my.colony.fstrimConfig;
fstrim = lib.my.c.colony.fstrimConfig;
lvm = {
dmeventd.enable = true;
};
@ -182,7 +182,7 @@ in
};
wireguardConfig = {
PrivateKeyFile = config.age.secrets."estuary/kelder-wg.key".path;
ListenPort = lib.my.kelder.vpn.port;
ListenPort = lib.my.c.kelder.vpn.port;
};
wireguardPeers = [
{
@ -306,27 +306,27 @@ in
};
ipv6Prefixes = [
{
ipv6PrefixConfig.Prefix = lib.my.colony.prefixes.base.v6;
ipv6PrefixConfig.Prefix = prefixes.base.v6;
}
];
routes = map (r: { routeConfig = r; }) (flatten
([
{
Destination = lib.my.colony.prefixes.vip1;
Destination = prefixes.vip1;
Gateway = allAssignments.colony.routing.ipv4.address;
}
{
Destination = lib.my.colony.prefixes.cust.v6;
Destination = prefixes.cust.v6;
Gateway = allAssignments.colony.internal.ipv6.address;
}
] ++
(map (pName: [
{
Gateway = allAssignments.colony.routing.ipv4.address;
Destination = lib.my.colony.prefixes."${pName}".v4;
Destination = prefixes."${pName}".v4;
}
{
Destination = lib.my.colony.prefixes."${pName}".v6;
Destination = prefixes."${pName}".v6;
Gateway = allAssignments.colony.internal.ipv6.address;
}
]) [ "vms" "ctrs" "oci" ])));
@ -356,7 +356,6 @@ in
};
my = {
#deploy.generate.system.mode = "boot";
secrets = {
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9up7pXu6M/OWCKufTOfSiGcxMUk4VqUe7fLuatNFFA";
files = {
@ -369,7 +368,7 @@ in
firewall = {
trustedInterfaces = [ "as211024" ];
udp.allowed = [ 5353 lib.my.kelder.vpn.port ];
udp.allowed = [ 5353 lib.my.c.kelder.vpn.port ];
tcp.allowed = [ 5353 "bgp" ];
nat = {
enable = true;
@ -458,7 +457,7 @@ in
${matchInet "meta l4proto { udp, tcp } th dport domain redirect to :5353" "estuary"}
}
chain postrouting {
ip saddr ${lib.my.colony.prefixes.all.v4} snat to ${assignments.internal.ipv4.address}
ip saddr ${prefixes.all.v4} snat to ${assignments.internal.ipv4.address}
}
}
'';

8
nixos/boxes/colony/vms/estuary/dns.nix
View File

@ -1,6 +1,8 @@
{ lib, pkgs, config, assignments, allAssignments, ... }:
let
inherit (builtins) attrNames;
inherit (lib.my) net;
inherit (lib.my.c.colony) prefixes;
authZones = attrNames config.my.pdns.auth.bind.zones;
in
@ -49,7 +51,7 @@ in
];
allowFrom = [
"127.0.0.0/8" "::1/128"
lib.my.colony.prefixes.all.v4 lib.my.colony.prefixes.all.v6
prefixes.all.v4 prefixes.all.v6
];
};
@ -147,8 +149,8 @@ in
valheim IN A ${assignments.internal.ipv4.address}
valheim IN AAAA ${allAssignments.valheim-oci.internal.ipv6.address}
mail-vm IN A ${lib.my.net.cidr.host 0 lib.my.colony.prefixes.mail.v4}
mail-vm IN AAAA ${lib.my.net.cidr.host 1 lib.my.colony.prefixes.mail.v6}
mail-vm IN A ${net.cidr.host 0 prefixes.mail.v4}
mail-vm IN AAAA ${net.cidr.host 1 prefixes.mail.v6}
andrey-cust IN A ${allAssignments.kelder.estuary.ipv4.address}

4
nixos/boxes/colony/vms/shill/containers/chatterbox.nix
View File

@ -1,7 +1,7 @@
{ lib, ... }:
let
inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes;
inherit (lib.my.c.colony) domain prefixes;
in
{
nixos.systems.chatterbox = {
@ -128,7 +128,7 @@ in
"2001:db8::/32"
"ff00::/8"
"fec0::/10"
] ++ (with lib.my.colony.prefixes; [ all.v4 all.v6 ]);
] ++ (with lib.my.c.colony.prefixes; [ all.v4 all.v6 ]);
url_preview_ip_range_whitelist =
with allAssignments.middleman.internal;
[ ipv4.address ipv6.address ];

4
nixos/boxes/colony/vms/shill/containers/colony-psql.nix
View File

@ -1,7 +1,7 @@
{ lib, ... }:
let
inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes;
inherit (lib.my.c.colony) domain prefixes;
in
{
nixos.systems.colony-psql = {
@ -66,7 +66,7 @@ in
enable = true;
enableTCPIP = true;
authentication = with lib.my.colony.prefixes; ''
authentication = with lib.my.c.colony.prefixes; ''
local all postgres peer map=local
host all all ${all.v4} md5

2
nixos/boxes/colony/vms/shill/containers/jackflix/default.nix
View File

@ -1,7 +1,7 @@
{ lib, ... }:
let
inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes;
inherit (lib.my.c.colony) domain prefixes;
in
{
nixos.systems.jackflix = {

9
nixos/boxes/colony/vms/shill/containers/jackflix/networking.nix
View File

@ -2,6 +2,7 @@
let
inherit (lib) mkMerge mkIf;
inherit (lib.my) networkdAssignment;
inherit (lib.my.c.colony) prefixes;
wg = {
keyFile = "jackflix/airvpn-privkey";
@ -102,23 +103,23 @@ in
}
{
From = lib.my.colony.prefixes.all.v4;
From = prefixes.all.v4;
Table = "main";
Priority = 100;
}
{
To = lib.my.colony.prefixes.all.v4;
To = prefixes.all.v4;
Table = "main";
Priority = 100;
}
{
From = lib.my.colony.prefixes.all.v6;
From = prefixes.all.v6;
Table = "main";
Priority = 100;
}
{
To = lib.my.colony.prefixes.all.v6;
To = prefixes.all.v6;
Table = "main";
Priority = 100;
}

23
nixos/boxes/colony/vms/shill/containers/middleman/default.nix
View File

@ -1,7 +1,8 @@
{ lib, ... }:
let
inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes;
inherit (lib.my.c) pubDomain;
inherit (lib.my.c.colony) domain prefixes;
in
{
nixos.systems.middleman = {
@ -79,8 +80,8 @@ in
port = 8082;
};
login = {
title = "${lib.my.pubDomain} login";
default_redirect = "https://${lib.my.pubDomain}";
title = "${pubDomain} login";
default_redirect = "https://${pubDomain}";
default_method = "google_oauth";
names = {
google_oauth = "Google account";
@ -88,7 +89,7 @@ in
};
};
cookie = {
domain = ".${lib.my.pubDomain}";
domain = ".${pubDomain}";
secure = true;
};
audit_log = {
@ -109,14 +110,14 @@ in
};
google_oauth = {
client_id = "545475967061-cag4g1qf0pk33g3pdbom4v69562vboc8.apps.googleusercontent.com";
redirect_url = "https://sso.${lib.my.pubDomain}/login";
redirect_url = "https://sso.${pubDomain}/login";
user_id_method = "user-id";
};
};
};
includes = {
endpoint = "http://localhost:8082";
baseURL = "https://sso.${lib.my.pubDomain}";
baseURL = "https://sso.${pubDomain}";
};
};
};
@ -173,10 +174,10 @@ in
EXEC_PATH=${script}
'';
};
"${lib.my.pubDomain}" = {
"${pubDomain}" = {
extraDomainNames = [
"*.${lib.my.pubDomain}"
"*.s3.${lib.my.pubDomain}"
"*.${pubDomain}"
"*.s3.${pubDomain}"
];
dnsProvider = "cloudflare";
credentialsFile = config.age.secrets."middleman/cloudflare-credentials.conf".path;
@ -194,7 +195,7 @@ in
};
programs = {
ssh.knownHostsFiles = [ lib.my.sshHostKeys.mail-vm ];
ssh.knownHostsFiles = [ lib.my.c.sshHostKeys.mail-vm ];
};
services = {
@ -265,7 +266,7 @@ in
proxy_send_timeout 60s;
proxy_http_version 1.1;
${lib.my.nginx.proxyHeaders}
${lib.my.c.nginx.proxyHeaders}
# caching
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=4g;

116
nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
View File

@ -2,6 +2,8 @@
let
inherit (builtins) mapAttrs toJSON;
inherit (lib) mkMerge mkDefault genAttrs flatten concatStringsSep;
inherit (lib.my.c) pubDomain;
inherit (lib.my.c.nginx) proxyHeaders;
dualStackListen' = l: map (addr: l // { inherit addr; }) [ "0.0.0.0" "[::]" ];
dualStackListen = ll: flatten (map dualStackListen' ll);
@ -80,7 +82,7 @@ in
}
wellKnown
];
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
};
"localhost" = {
forceSSL = false;
@ -98,12 +100,12 @@ in
};
};
"sso.${lib.my.pubDomain}" = {
"sso.${pubDomain}" = {
locations."/".proxyPass = config.my.nginx-sso.includes.endpoint;
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
};
"netdata-colony.${lib.my.pubDomain}" =
"netdata-colony.${pubDomain}" =
let
hosts = [
"vm"
@ -119,10 +121,10 @@ in
"~ /(?<behost>${matchHosts})$".return = "301 https://$host/$behost/";
"~ /(?<behost>${matchHosts})/(?<ndpath>.*)" = mkMerge [
{
proxyPass = "http://$behost.${config.networking.domain}:19999/$ndpath$is_args$args";
proxyPass = "http://$behost.${config.networking.pubDomain}:19999/$ndpath$is_args$args";
extraConfig = ''
proxy_pass_request_headers on;
${lib.my.nginx.proxyHeaders}
${proxyHeaders}
proxy_set_header Connection "keep-alive";
proxy_store off;
@ -134,14 +136,14 @@ in
(ssoLoc "generic")
];
};
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
}
(ssoServer "generic")
];
"pass.${lib.my.pubDomain}" =
"pass.${pubDomain}" =
let
upstream = "http://vaultwarden-ctr.${config.networking.domain}";
upstream = "http://vaultwarden-ctr.${config.networking.pubDomain}";
in
{
locations = {
@ -149,11 +151,11 @@ in
"/notifications/hub" = {
proxyPass = upstream;
proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders;
extraConfig = proxyHeaders;
};
"/notifications/hub/negotiate".proxyPass = upstream;
};
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
};
"matrix.nul.ie" = {
@ -171,15 +173,15 @@ in
];
locations = mkMerge [
{
"/".proxyPass = "http://chatterbox-ctr.${config.networking.domain}:8008";
"= /".return = "301 https://element.${lib.my.pubDomain}";
"/".proxyPass = "http://chatterbox-ctr.${config.networking.pubDomain}:8008";
"= /".return = "301 https://element.${pubDomain}";
}
wellKnown
];
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
};
"element.${lib.my.pubDomain}" =
"element.${pubDomain}" =
let
headers = ''
# TODO: why are these here?
@ -224,66 +226,66 @@ in
'';
}))
];
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
};
"torrents.${lib.my.pubDomain}" = mkMerge [
"torrents.${pubDomain}" = mkMerge [
{
locations."/" = mkMerge [
{
proxyPass = "http://jackflix-ctr.${config.networking.domain}:9091";
proxyPass = "http://jackflix-ctr.${config.networking.pubDomain}:9091";
}
(ssoLoc "generic")
];
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
}
(ssoServer "generic")
];
"jackett.${lib.my.pubDomain}" = mkMerge [
"jackett.${pubDomain}" = mkMerge [
{
locations."/" = mkMerge [
{
proxyPass = "http://jackflix-ctr.${config.networking.domain}:9117";
proxyPass = "http://jackflix-ctr.${config.networking.pubDomain}:9117";
}
(ssoLoc "generic")
];
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
}
(ssoServer "generic")
];
"radarr.${lib.my.pubDomain}" = mkMerge [
"radarr.${pubDomain}" = mkMerge [
{
locations."/" = mkMerge [
{
proxyPass = "http://jackflix-ctr.${config.networking.domain}:7878";
proxyPass = "http://jackflix-ctr.${config.networking.pubDomain}:7878";
proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders;
extraConfig = proxyHeaders;
}
(ssoLoc "generic")
];
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
}
(ssoServer "generic")
];
"sonarr.${lib.my.pubDomain}" = mkMerge [
"sonarr.${pubDomain}" = mkMerge [
{
locations."/" = mkMerge [
{
proxyPass = "http://jackflix-ctr.${config.networking.domain}:8989";
proxyPass = "http://jackflix-ctr.${config.networking.pubDomain}:8989";
proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders;
extraConfig = proxyHeaders;
}
(ssoLoc "generic")
];
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
}
(ssoServer "generic")
];
"jackflix.${lib.my.pubDomain}" =
"jackflix.${pubDomain}" =
let
upstream = "http://jackflix-ctr.${config.networking.domain}:8096";
upstream = "http://jackflix-ctr.${config.networking.pubDomain}:8096";
in
{
extraConfig = ''
@ -300,10 +302,10 @@ in
"/socket" = {
proxyPass = upstream;
proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders;
extraConfig = proxyHeaders;
};
};
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
};
"toot.nul.ie" =
@ -312,7 +314,7 @@ in
tryFiles = "$uri =404";
extraConfig = ''
add_header Cache-Control "public, max-age=2419200, must-revalidate";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
add_header Strict-Transport-Security "max-age=63072000; includeSubpubDomains";
'';
};
in
@ -333,20 +335,20 @@ in
"/".tryFiles = "$uri @proxy";
"^~ /api/v1/streaming" = {
proxyPass = "http://toot-ctr.${config.networking.domain}:55000";
proxyPass = "http://toot-ctr.${config.networking.pubDomain}:55000";
proxyWebsockets = true;
extraConfig = ''
${lib.my.nginx.proxyHeaders}
${proxyHeaders}
proxy_set_header Proxy "";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
add_header Strict-Transport-Security "max-age=63072000; includeSubpubDomains";
'';
};
"@proxy" = {
proxyPass = "http://toot-ctr.${config.networking.domain}:55001";
proxyPass = "http://toot-ctr.${config.networking.pubDomain}:55001";
proxyWebsockets = true;
extraConfig = ''
${lib.my.nginx.proxyHeaders}
${proxyHeaders}
proxy_set_header Proxy "";
proxy_pass_header Server;
@ -359,19 +361,19 @@ in
};
}
];
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
};
"share.${lib.my.pubDomain}" = {
"share.${pubDomain}" = {
locations."/" = {
proxyPass = "http://object-ctr.${config.networking.domain}:9090";
proxyPass = "http://object-ctr.${config.networking.pubDomain}:9090";
proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders;
extraConfig = proxyHeaders;
};
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
};
"stuff.${lib.my.pubDomain}" = {
"stuff.${pubDomain}" = {
locations."/" = {
basicAuthFile = config.age.secrets."middleman/htpasswd".path;
root = "/mnt/media/stuff";
@ -380,13 +382,13 @@ in
fancyindex_show_dotfiles on;
'';
};
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
};
};
minio =
let
host = "object-ctr.${config.networking.domain}";
host = "object-ctr.${config.networking.pubDomain}";
s3Upstream = "http://${host}:9000";
extraConfig = ''
chunked_transfer_encoding off;
@ -401,7 +403,7 @@ in
'';
in
{
"minio.${lib.my.pubDomain}" = {
"minio.${pubDomain}" = {
inherit extraConfig;
locations = {
"/" = {
@ -410,19 +412,19 @@ in
"/ws" = {
proxyPass = "http://${host}:9001";
proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders;
extraConfig = proxyHeaders;
};
};
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
};
"s3.${lib.my.pubDomain}" = {
serverAliases = [ "*.s3.${lib.my.pubDomain}" ];
"s3.${pubDomain}" = {
serverAliases = [ "*.s3.${pubDomain}" ];
inherit extraConfig;
locations."/".proxyPass = s3Upstream;
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
};
"nix-cache.${lib.my.pubDomain}" = {
"nix-cache.${pubDomain}" = {
extraConfig = ''
${extraConfig}
proxy_set_header Host "nix-cache.s3.nul.ie";
@ -434,14 +436,14 @@ in
extraConfig = nixCacheHeaders;
};
};
useACMEHost = lib.my.pubDomain;
useACMEHost = pubDomain;
onlySSL = false;
};
};
defaultsFor = mapAttrs (n: _: {
onlySSL = mkDefault true;
useACMEHost = mkDefault "${config.networking.domain}";
useACMEHost = mkDefault "${config.networking.pubDomain}";
kTLS = mkDefault true;
http2 = mkDefault true;
});

4
nixos/boxes/colony/vms/shill/containers/object.nix
View File

@ -1,7 +1,7 @@
{ lib, ... }:
let
inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes;
inherit (lib.my.c.colony) domain prefixes;
in
{
nixos.systems.object = {
@ -92,7 +92,7 @@ in
configOverridesFile = config.age.secrets."object/sharry.conf".path;
config = {
base-url = "https://share.${lib.my.pubDomain}";
base-url = "https://share.${lib.my.c.pubDomain}";
bind.address = "::";
alias-member-enabled = true;
webapp = {

2
nixos/boxes/colony/vms/shill/containers/toot.nix
View File

@ -1,7 +1,7 @@
{ lib, ... }:
let
inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes;
inherit (lib.my.c.colony) domain prefixes;
in
{
nixos.systems.toot = {

6
nixos/boxes/colony/vms/shill/containers/vaultwarden.nix
View File

@ -1,7 +1,7 @@
{ lib, ... }:
let
inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes;
inherit (lib.my.c.colony) domain prefixes;
in
{
nixos.systems.vaultwarden = {
@ -62,7 +62,7 @@ in
};
programs.ssh.knownHostsFiles = [
lib.my.sshKeyFiles.rsyncNet
lib.my.c.sshKeyFiles.rsyncNet
];
services = {
@ -79,7 +79,7 @@ in
SIGNUPS_ALLOWED = false;
DOMAIN = "https://pass.${lib.my.pubDomain}";
DOMAIN = "https://pass.${lib.my.c.pubDomain}";
ROCKET_ADDRESS = "::";
ROCKET_PORT = 80;

6
nixos/boxes/colony/vms/shill/default.nix
View File

@ -1,7 +1,7 @@
{ lib, ... }:
let
inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes;
inherit (lib.my.c.colony) domain prefixes;
in
{
imports = [ ./containers ];
@ -97,7 +97,7 @@ in
};
services = {
fstrim = lib.my.colony.fstrimConfig;
fstrim = lib.my.c.colony.fstrimConfig;
netdata.enable = true;
};
@ -131,7 +131,7 @@ in
};
ipv6Prefixes = [
{
ipv6PrefixConfig.Prefix = lib.my.colony.prefixes.ctrs.v6;
ipv6PrefixConfig.Prefix = prefixes.ctrs.v6;
}
];
}

4
nixos/boxes/colony/vms/whale2/default.nix
View File

@ -2,7 +2,7 @@
let
inherit (builtins) mapAttrs;
inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes;
inherit (lib.my.c.colony) domain prefixes;
in
{
nixos.systems.whale2 = {
@ -94,7 +94,7 @@ in
};
services = {
fstrim = lib.my.colony.fstrimConfig;
fstrim = lib.my.c.colony.fstrimConfig;
netdata.enable = true;
};

4
nixos/boxes/kelder/containers/acquisition/default.nix
View File

@ -1,7 +1,7 @@
{ lib, ... }:
let
inherit (lib.my) net;
inherit (lib.my.kelder) domain prefixes;
inherit (lib.my.c.kelder) domain prefixes;
in
{
nixos.systems.kelder-acquisition = {
@ -44,7 +44,7 @@ in
};
users = {
groups.media.gid = lib.my.kelder.groups.media;
groups.media.gid = lib.my.c.kelder.groups.media;
users = {
"${config.my.user.config.name}".extraGroups = [ "media" ];

4
nixos/boxes/kelder/containers/acquisition/networking.nix
View File

@ -104,12 +104,12 @@ in
}
{
From = lib.my.kelder.prefixes.all.v4;
From = lib.my.c.kelder.prefixes.all.v4;
Table = "main";
Priority = 100;
}
{
To = lib.my.kelder.prefixes.all.v4;
To = lib.my.c.kelder.prefixes.all.v4;
Table = "main";
Priority = 100;
}

12
nixos/boxes/kelder/containers/spoder/default.nix
View File

@ -2,7 +2,7 @@
let
inherit (lib) mkForce mkMerge;
inherit (lib.my) net;
inherit (lib.my.kelder) domain prefixes;
inherit (lib.my.c.kelder) domain prefixes;
in
{
nixos.systems.kelder-spoder = {
@ -54,9 +54,9 @@ in
dnsResolver = "8.8.8.8";
};
certs = {
"${lib.my.kelder.domain}" = {
"${domain}" = {
extraDomainNames = [
"*.${lib.my.kelder.domain}"
"*.${domain}"
];
dnsProvider = "cloudflare";
credentialsFile = config.age.secrets."kelder/cloudflare-credentials.conf".path;
@ -65,7 +65,7 @@ in
};
users = {
groups.storage.gid = lib.my.kelder.groups.storage;
groups.storage.gid = lib.my.c.kelder.groups.storage;
users = {
nginx.extraGroups = [ "acme" ];
@ -93,11 +93,11 @@ in
enable = true;
package = pkgs.nextcloud27;
datadir = "/mnt/storage/nextcloud";
hostName = "cloud.${lib.my.kelder.domain}";
hostName = "cloud.${domain}";
https = true;
enableBrokenCiphersForSSE = false;
config = {
extraTrustedDomains = [ "cloud-local.${lib.my.kelder.domain}" ];
extraTrustedDomains = [ "cloud-local.${domain}" ];
adminpassFile = config.age.secrets."kelder/nextcloud-root.txt".path;
defaultPhoneRegion = "IE";
};

52
nixos/boxes/kelder/containers/spoder/nginx.nix
View File

@ -2,6 +2,8 @@
let
inherit (builtins) mapAttrs;
inherit (lib) mkMerge mkIf mkDefault;
inherit (lib.my.c.nginx) proxyHeaders;
inherit (lib.my.c.kelder) domain;
in
{
config = {
@ -73,7 +75,7 @@ in
proxy_send_timeout 60s;
proxy_http_version 1.1;
${lib.my.nginx.proxyHeaders}
${proxyHeaders}
# caching
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=4g;
@ -135,15 +137,15 @@ in
};
};
"monitor.${lib.my.kelder.domain}" = withAuth {
serverAliases = [ "monitor-local.${lib.my.kelder.domain}" ];
extraConfig = localRedirect "monitor-local.${lib.my.kelder.domain}";
"monitor.${domain}" = withAuth {
serverAliases = [ "monitor-local.${domain}" ];
extraConfig = localRedirect "monitor-local.${domain}";
locations = {
"/" = {
proxyPass = "http://${allAssignments.kelder.ctrs.ipv4.address}:19999";
extraConfig = ''
proxy_pass_request_headers on;
${lib.my.nginx.proxyHeaders}
${proxyHeaders}
proxy_set_header Connection "keep-alive";
proxy_store off;
@ -155,8 +157,8 @@ in
};
};
"kontent.${lib.my.kelder.domain}" = {
serverAliases = [ "kontent-local.${lib.my.kelder.domain}" ];
"kontent.${domain}" = {
serverAliases = [ "kontent-local.${domain}" ];
locations = {
"/".proxyPass = "${acquisition}:8096";
"= /".return = "302 $scheme://$host/web/";
@ -164,47 +166,47 @@ in
"/socket" = {
proxyPass = "${acquisition}:8096/socket";
proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders;
extraConfig = proxyHeaders;
};
};
};
"torrents.${lib.my.kelder.domain}" = withAuth {
serverAliases = [ "torrents-local.${lib.my.kelder.domain}" ];
extraConfig = localRedirect "torrents-local.${lib.my.kelder.domain}";
"torrents.${domain}" = withAuth {
serverAliases = [ "torrents-local.${domain}" ];
extraConfig = localRedirect "torrents-local.${domain}";
locations."/".proxyPass = "${acquisition}:9091";
};
"jackett.${lib.my.kelder.domain}" = withAuth {
serverAliases = [ "jackett-local.${lib.my.kelder.domain}" ];
extraConfig = localRedirect "jackett-local.${lib.my.kelder.domain}";
"jackett.${domain}" = withAuth {
serverAliases = [ "jackett-local.${domain}" ];
extraConfig = localRedirect "jackett-local.${domain}";
locations."/".proxyPass = "${acquisition}:9117";
};
"radarr.${lib.my.kelder.domain}" = withAuth {
serverAliases = [ "radarr-local.${lib.my.kelder.domain}" ];
extraConfig = localRedirect "radarr-local.${lib.my.kelder.domain}";
"radarr.${domain}" = withAuth {
serverAliases = [ "radarr-local.${domain}" ];
extraConfig = localRedirect "radarr-local.${domain}";
locations."/" = {
proxyPass = "${acquisition}:7878";
proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders;
extraConfig = proxyHeaders;
};
};
"sonarr.${lib.my.kelder.domain}" = withAuth {
serverAliases = [ "sonarr-local.${lib.my.kelder.domain}" ];
extraConfig = localRedirect "sonarr-local.${lib.my.kelder.domain}";
"sonarr.${domain}" = withAuth {
serverAliases = [ "sonarr-local.${domain}" ];
extraConfig = localRedirect "sonarr-local.${domain}";
locations."/" = {
proxyPass = "${acquisition}:8989";
proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders;
extraConfig = proxyHeaders;
};
};
"cloud.${lib.my.kelder.domain}" = {
serverAliases = [ "cloud-local.${lib.my.kelder.domain}" ];
"cloud.${domain}" = {
serverAliases = [ "cloud-local.${domain}" ];
};
};
defaultsFor = mapAttrs (n: _: {
onlySSL = mkDefault true;
useACMEHost = mkDefault lib.my.kelder.domain;
useACMEHost = mkDefault domain;
kTLS = mkDefault true;
http2 = mkDefault true;
});

15
nixos/boxes/kelder/default.nix
View File

@ -1,7 +1,7 @@
{ lib, ... }:
let
inherit (lib.my) net;
inherit (lib.my.kelder) domain prefixes;
inherit (lib.my.c.kelder) domain prefixes;
in
{
imports = [ ./containers ];
@ -14,7 +14,7 @@ in
assignments = {
estuary = {
ipv4 ={
address = net.cidr.host 0 lib.my.colony.prefixes.vip2;
address = net.cidr.host 0 lib.my.c.colony.prefixes.vip2;
mask = 32;
gateway = null;
};
@ -85,7 +85,7 @@ in
};
users = {
groups = with lib.my.kelder.groups; {
groups = with lib.my.c.kelder.groups; {
storage.gid = storage;
media.gid = media;
};
@ -150,7 +150,7 @@ in
};
networking = {
domain = lib.my.kelder.domain;
inherit domain;
};
system.nixos.distroName = "KelderOS";
@ -180,7 +180,7 @@ in
{
wireguardPeerConfig = {
PublicKey = "bP1XUNxp9i8NLOXhgPaIaRzRwi5APbam44/xjvYcyjU=";
Endpoint = "estuary-vm.${lib.my.colony.domain}:${toString lib.my.kelder.vpn.port}";
Endpoint = "estuary-vm.${lib.my.c.colony.domain}:${toString lib.my.c.kelder.vpn.port}";
AllowedIPs = [ "0.0.0.0/0" ];
PersistentKeepalive = 25;
};
@ -270,7 +270,6 @@ in
config.name = "kontent";
};
#deploy.generate.system.mode = "boot";
#deploy.node.hostname = "10.16.9.21";
secrets = {
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFvUdJshXkqmchEgkZDn5rgtZ1NO9vbd6Px+S6YioWi";
@ -311,7 +310,7 @@ in
chain prerouting {
type filter hook prerouting priority mangle; policy accept;
ip daddr ${assignments.estuary.ipv4.address} ct state new ct mark set ${toString dnatMark}
ip saddr ${lib.my.kelder.prefixes.all.v4} ct mark != 0 meta mark set ct mark
ip saddr ${lib.my.c.kelder.prefixes.all.v4} ct mark != 0 meta mark set ct mark
}
chain output {
type filter hook output priority mangle; policy accept;
@ -320,7 +319,7 @@ in
}
table inet nat {
chain postrouting {
ip saddr ${lib.my.kelder.prefixes.all.v4} oifname et1g0 masquerade
ip saddr ${lib.my.c.kelder.prefixes.all.v4} oifname et1g0 masquerade
}
}
'';

2
nixos/installer.nix
View File

@ -39,7 +39,7 @@
environment.sessionVariables = {
INSTALL_ROOT = installRoot;
};
users.users.root.openssh.authorizedKeys.keyFiles = [ lib.my.sshKeyFiles.deploy ];
users.users.root.openssh.authorizedKeys.keyFiles = [ lib.my.c.sshKeyFiles.deploy ];
home-manager.users.root = {
programs = {
starship.settings = {

2
nixos/modules/common.nix
View File

@ -47,7 +47,7 @@ in
#"https://nix-cache.nul.ie"
"https://cache.nixos.org"
];
trusted-public-keys = lib.my.nix.cacheKeys;
trusted-public-keys = lib.my.c.nix.cacheKeys;
};
registry = {
pkgs = {

2
nixos/modules/deploy-rs.nix
View File

@ -86,7 +86,7 @@ in
options.my.deploy = with lib.types; {
authorizedKeys = {
keys = mkOpt' (listOf singleLineStr) [ ] "SSH public keys to add to the default deployment user.";
keyFiles = mkOpt' (listOf path) [ lib.my.sshKeyFiles.deploy ] "SSH public key files to add to the default deployment user.";
keyFiles = mkOpt' (listOf path) [ lib.my.c.sshKeyFiles.deploy ] "SSH public key files to add to the default deployment user.";
};
enable = mkBoolOpt' true "Whether to expose deploy-rs configuration for this system.";

2
nixos/modules/network.nix
View File

@ -6,7 +6,7 @@ in
config = mkMerge [
{
networking = {
domain = mkDefault "int.${lib.my.pubDomain}";
domain = mkDefault "int.${lib.my.c.pubDomain}";
useDHCP = false;
enableIPv6 = mkDefault true;
useNetworkd = mkDefault true;

2
nixos/modules/user.nix
View File

@ -41,7 +41,7 @@ in
shell =
let shell = cfg.homeConfig.my.shell;
in mkIf (shell != null) (mkDefault' shell);
openssh.authorizedKeys.keyFiles = [ lib.my.sshKeyFiles.me ];
openssh.authorizedKeys.keyFiles = [ lib.my.c.sshKeyFiles.me ];
};
homeConfig = {
# In order for this option to evaluate on its own, home-manager expects the `name` (which is derived from the