dev/nixfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Compare commits

base: dev:0659809c22ea9bf633641bea7f1a5208f8cf126d
Branches Tags
dev:master dev:fastback-ssh
dev:installer
...
compare: dev:f8c7183594440dcafdc1a61b14fde6e59e3ed003
Branches Tags
dev:master dev:fastback-ssh
dev:installer

10 Commits
0659809c22 ... f8c7183594

Author SHA1 Message Date
Jack O'Sullivan
f8c7183594 nixos/gitea: Set up Gitea Actions 2023-11-13 14:24:08 +01:00
Jack O'Sullivan
17324455de nixos/shill: Add Gitea incoming mail support 2023-11-13 13:19:44 +01:00
Jack O'Sullivan
a94c778e10 nixos/shill: Add Gitea 2023-11-13 08:14:16 +00:00
Jack O'Sullivan
4f8bdc1219 nixos/tmproot: Persist rasdaemon DB 2023-11-12 19:35:41 +01:00
Jack O'Sullivan
02eb96fe46 nixos/colony: Backup LVM metadata 2023-11-12 19:30:06 +01:00
Jack O'Sullivan
14f1f5b575 nixos/colony: Add darts VM 2023-11-11 15:56:27 +00:00
Jack O'Sullivan
9df8a450e8 nixos/colony: Enable rasdaemon 2023-11-11 14:09:45 +00:00
Jack O'Sullivan
7b9045586f nixos/chatterbox: Add Matrix sliding sync proxy 
Also fix nginx upstream definitions
 2023-11-07 19:20:27 +00:00
Jack O'Sullivan
3f01baae38 nixos/jackflix: Fix transmission not starting 2023-11-03 12:58:55 +00:00
Jack O'Sullivan
2dbc8b398b Split constants into separate lib file 2023-11-02 13:41:50 +00:00
38 changed files with 676 additions and 267 deletions
Expand all files Collapse all files

2
devshell/default.nix
View File

@@ -15,7 +15,7 @@ in
experimental-features = nix-command flakes ca-derivations repl-flake experimental-features = nix-command flakes ca-derivations repl-flake
#substituters = https://nix-cache.nul.ie https://cache.nixos.org #substituters = https://nix-cache.nul.ie https://cache.nixos.org
substituters = https://cache.nixos.org substituters = https://cache.nixos.org
trusted-public-keys = ${concatStringsSep " " lib.my.nix.cacheKeys} trusted-public-keys = ${concatStringsSep " " lib.my.c.nix.cacheKeys}
''); '');
INSTALLER_SSH_OPTS = "-i .keys/deploy.key"; INSTALLER_SSH_OPTS = "-i .keys/deploy.key";

4
home-manager/modules/common.nix
View File

@@ -240,13 +240,13 @@ in
#"https://nix-cache.nul.ie" #"https://nix-cache.nul.ie"
"https://cache.nixos.org" "https://cache.nixos.org"
]; ];
trusted-public-keys = lib.my.nix.cacheKeys; trusted-public-keys = lib.my.c.nix.cacheKeys;
}; };
}; };
}) })
(mkIf config.my.isStandalone { (mkIf config.my.isStandalone {
my = { my = {
ssh.authKeys.files = [ lib.my.sshKeyFiles.me ]; ssh.authKeys.files = [ lib.my.c.sshKeyFiles.me ];
}; };
nix.package = mkIf (versionAtLeast config.home.stateVersion "22.05") pkgs.nix; nix.package = mkIf (versionAtLeast config.home.stateVersion "22.05") pkgs.nix;

108
lib/constants.nix Normal file
View File

@@ -0,0 +1,108 @@
{ lib }: rec {
# See https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/ids.nix
ids = {
uids = {
matrix-syncv3 = 400;
gitea-runner = 401;
};
gids = {
matrix-syncv3 = 400;
gitea-runner = 401;
};
};
nginx = {
proxyHeaders = ''
# Setting any proxy_header in a child (e.g. location) will nuke the parents...
proxy_set_header X-Origin-URI $request_uri;
proxy_set_header Host $host;
proxy_set_header X-Host $http_host;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Scheme $scheme;
'';
};
nix = {
cacheKeys = [
"nix-cache.nul.ie-1:XofkqdHQSGFoPjB6aRohQbCU2ILKFqhNjWfoOdQgF5Y="
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
];
};
pubDomain = "nul.ie";
colony = {
domain = "ams1.int.${pubDomain}";
prefixes = with lib.my.net.cidr; rec {
all = {
v4 = "10.100.0.0/16";
v6 = "2a0e:97c0:4d2:10::/60";
};
base = {
v4 = subnet 8 0 all.v4;
v6 = subnet 4 0 all.v6;
};
vms = {
v4 = subnet 8 1 all.v4;
v6 = subnet 4 1 all.v6;
};
ctrs = {
v4 = subnet 8 2 all.v4;
v6 = subnet 4 2 all.v6;
};
oci = {
v4 = subnet 8 3 all.v4;
v6 = subnet 4 3 all.v6;
};
cust = {
v4 = subnet 8 100 all.v4; # single ip for routing only
v6 = "2a0e:97c0:4d2:2000::/56";
};
mail = {
v4 = "94.142.241.227/32";
v6 = subnet 8 0 cust.v6;
};
darts = {
v4 = "94.142.242.255/32";
v6 = subnet 8 1 cust.v6;
};
vip1 = "94.142.241.224/30";
vip2 = "94.142.242.254/31";
};
fstrimConfig = {
enable = true;
# backup happens at 05:00
interval = "04:45";
};
};
kelder = {
groups = {
storage = 2000;
media = 2010;
};
domain = "hentai.engineer";
vpn = {
port = 51820;
};
prefixes = with lib.my.net.cidr; rec {
all.v4 = "172.16.64.0/20";
ctrs.v4 = subnet 4 0 all.v4;
};
};
sshKeyFiles = {
me = ../.keys/me.pub;
deploy = ../.keys/deploy.pub;
rsyncNet = ../.keys/zh2855.rsync.net.pub;
mailcowAcme = ../.keys/mailcow-acme.pub;
};
sshHostKeys = {
mail-vm = ../.keys/mail-vm-host.pub;
};
}

102
lib/default.nix
View File

@@ -1,9 +1,9 @@
{ lib }: { lib }:
let let
inherit (builtins) length match replaceStrings elemAt mapAttrs head split filter; inherit (builtins) length match elemAt filter;
inherit (lib) inherit (lib)
genAttrs mapAttrs' mapAttrsToList filterAttrsRecursive nameValuePair types genAttrs mapAttrsToList filterAttrsRecursive nameValuePair types
mkOption mkOverride mkForce mkIf mergeEqualOption optional hasPrefix mkOption mkOverride mkForce mkIf mergeEqualOption optional
showWarnings concatStringsSep flatten unique; showWarnings concatStringsSep flatten unique;
inherit (lib.flake) defaultSystems; inherit (lib.flake) defaultSystems;
in in
@@ -12,6 +12,7 @@ rec {
inherit (import ./net.nix { inherit lib; }) net; inherit (import ./net.nix { inherit lib; }) net;
dns = import ./dns.nix { inherit lib; }; dns = import ./dns.nix { inherit lib; };
c = import ./constants.nix { inherit lib; };
# Yoinked from nixpkgs/nixos/modules/services/networking/nat.nix # Yoinked from nixpkgs/nixos/modules/services/networking/nat.nix
isIPv6 = ip: length (lib.splitString ":" ip) > 2; isIPv6 = ip: length (lib.splitString ":" ip) > 2;
@@ -128,6 +129,8 @@ rec {
UseDomains = true; UseDomains = true;
}; };
}; };
dockerNetAssignment =
assignments: name: with assignments."${name}".internal; "ip=${ipv4.address},ip=${ipv6.address}";
systemdAwaitPostgres = pkg: host: { systemdAwaitPostgres = pkg: host: {
after = [ "systemd-networkd-wait-online.service" ]; after = [ "systemd-networkd-wait-online.service" ];
@@ -185,97 +188,4 @@ rec {
filterOpts = filterAttrsRecursive (_: v: v != null); filterOpts = filterAttrsRecursive (_: v: v != null);
}; };
nginx = {
proxyHeaders = ''
# Setting any proxy_header in a child (e.g. location) will nuke the parents...
proxy_set_header X-Origin-URI $request_uri;
proxy_set_header Host $host;
proxy_set_header X-Host $http_host;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Scheme $scheme;
'';
};
nix = {
cacheKeys = [
"nix-cache.nul.ie-1:XofkqdHQSGFoPjB6aRohQbCU2ILKFqhNjWfoOdQgF5Y="
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
];
};
pubDomain = "nul.ie";
dockerNetAssignment =
assignments: name: with assignments."${name}".internal; "ip=${ipv4.address},ip=${ipv6.address}";
colony = {
domain = "ams1.int.${pubDomain}";
prefixes = with net.cidr; rec {
all = {
v4 = "10.100.0.0/16";
v6 = "2a0e:97c0:4d2:10::/60";
};
base = {
v4 = subnet 8 0 all.v4;
v6 = subnet 4 0 all.v6;
};
vms = {
v4 = subnet 8 1 all.v4;
v6 = subnet 4 1 all.v6;
};
ctrs = {
v4 = subnet 8 2 all.v4;
v6 = subnet 4 2 all.v6;
};
oci = {
v4 = subnet 8 3 all.v4;
v6 = subnet 4 3 all.v6;
};
cust = {
v4 = subnet 8 100 all.v4; # single ip for routing only
v6 = "2a0e:97c0:4d2:2000::/56";
};
mail = {
v4 = "94.142.241.227/32";
v6 = subnet 8 0 cust.v6;
};
vip1 = "94.142.241.224/30";
vip2 = "94.142.242.254/31";
};
fstrimConfig = {
enable = true;
# backup happens at 05:00
interval = "04:45";
};
};
kelder = {
groups = {
storage = 2000;
media = 2010;
};
domain = "hentai.engineer";
vpn = {
port = 51820;
};
prefixes = with net.cidr; rec {
all.v4 = "172.16.64.0/20";
ctrs.v4 = subnet 4 0 all.v4;
};
};
sshKeyFiles = {
me = ../.keys/me.pub;
deploy = ../.keys/deploy.pub;
rsyncNet = ../.keys/zh2855.rsync.net.pub;
mailcowAcme = ../.keys/mailcow-acme.pub;
};
sshHostKeys = {
mail-vm = ../.keys/mail-vm-host.pub;
};
} }

2
nixos/boxes/castle/default.nix
View File

@@ -84,7 +84,7 @@
}; };
networking = { networking = {
domain = "h.${lib.my.pubDomain}"; domain = "h.${lib.my.c.pubDomain}";
firewall.enable = false; firewall.enable = false;
}; };

59
nixos/boxes/colony/default.nix
View File

@@ -1,7 +1,7 @@
{ lib, ... }: { lib, ... }:
let let
inherit (lib.my) net; inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes; inherit (lib.my.c.colony) domain prefixes;
in in
{ {
imports = [ ./vms ]; imports = [ ./vms ];
@@ -53,6 +53,7 @@ in
cpu = { cpu = {
amd.updateMicrocode = true; amd.updateMicrocode = true;
}; };
rasdaemon.enable = true;
}; };
boot = { boot = {
@@ -93,11 +94,11 @@ in
}; };
programs.ssh.knownHostsFiles = [ programs.ssh.knownHostsFiles = [
lib.my.sshKeyFiles.rsyncNet lib.my.c.sshKeyFiles.rsyncNet
]; ];
services = { services = {
fstrim = lib.my.colony.fstrimConfig; fstrim = lib.my.c.colony.fstrimConfig;
lvm = { lvm = {
boot.thin.enable = true; boot.thin.enable = true;
dmeventd.enable = true; dmeventd.enable = true;
@@ -137,6 +138,23 @@ in
"serial-getty@ttyS0".enable = true; "serial-getty@ttyS0".enable = true;
"serial-getty@ttyS1".enable = true; "serial-getty@ttyS1".enable = true;
rsync-lvm-meta = {
description = "rsync lvm metadata backups / archives to rsync.net";
serviceConfig = {
Type = "oneshot";
# Only run when no other process is using CPU or disk
CPUSchedulingPolicy = "idle";
IOSchedulingClass = "idle";
};
script = ''
${pkgs.rsync}/bin/rsync -av --delete --delete-after \
-e "${pkgs.openssh}/bin/ssh -i ${config.age.secrets."colony/rsync.key".path}" \
/etc/lvm/{archive,backup} zh2855@zh2855.rsync.net:colony/lvm/
'';
wantedBy = [ "borgthin-job-main.service" ];
after = [ "borgthin-job-main.service" ];
};
borgthin-rsync = { borgthin-rsync = {
description = "rsync borgthin backups to rsync.net"; description = "rsync borgthin backups to rsync.net";
serviceConfig = { serviceConfig = {
@@ -214,16 +232,16 @@ in
}; };
ipv6Prefixes = [ ipv6Prefixes = [
{ {
ipv6PrefixConfig.Prefix = lib.my.colony.prefixes.vms.v6; ipv6PrefixConfig.Prefix = prefixes.vms.v6;
} }
]; ];
routes = map (r: { routeConfig = r; }) [ routes = map (r: { routeConfig = r; }) [
{ {
Destination = lib.my.colony.prefixes.ctrs.v4; Destination = prefixes.ctrs.v4;
Gateway = allAssignments.shill.routing.ipv4.address; Gateway = allAssignments.shill.routing.ipv4.address;
} }
{ {
Destination = lib.my.colony.prefixes.ctrs.v6; Destination = prefixes.ctrs.v6;
Gateway = allAssignments.shill.internal.ipv6.address; Gateway = allAssignments.shill.internal.ipv6.address;
} }
{ {
@@ -232,11 +250,11 @@ in
} }
{ {
Destination = lib.my.colony.prefixes.oci.v4; Destination = prefixes.oci.v4;
Gateway = allAssignments.whale2.routing.ipv4.address; Gateway = allAssignments.whale2.routing.ipv4.address;
} }
{ {
Destination = lib.my.colony.prefixes.oci.v6; Destination = prefixes.oci.v6;
Gateway = allAssignments.whale2.internal.ipv6.address; Gateway = allAssignments.whale2.internal.ipv6.address;
} }
{ {
@@ -275,6 +293,29 @@ in
} }
]; ];
}; };
"90-vm-darts" = {
matchConfig.Name = "vm-darts";
address = [
(net.cidr.subnet 8 2 prefixes.cust.v4)
prefixes.darts.v6
];
networkConfig = {
IPv6AcceptRA = false;
IPv6SendRA = true;
};
ipv6Prefixes = [
{
ipv6PrefixConfig.Prefix = prefixes.darts.v6;
}
];
routes = map (r: { routeConfig = r; }) [
{
Destination = prefixes.darts.v4;
Scope = "link";
}
];
};
}; };
}; };
}; };
@@ -306,7 +347,7 @@ in
firewall = { firewall = {
trustedInterfaces = [ "vms" ]; trustedInterfaces = [ "vms" ];
extraRules = '' extraRules = ''
define cust = { vm-mail } define cust = { vm-mail, vm-darts }
table inet filter { table inet filter {
chain forward { chain forward {
# Trust that the outer firewall has done the filtering! # Trust that the outer firewall has done the filtering!

34
nixos/boxes/colony/vms/default.nix
View File

@@ -31,7 +31,8 @@
driver = "file"; driver = "file";
#filename = "${systems.installer.configuration.config.my.buildAs.iso}/iso/nixos-installer-devplayer0.iso"; #filename = "${systems.installer.configuration.config.my.buildAs.iso}/iso/nixos-installer-devplayer0.iso";
#filename = "/persist/home/dev/nixos-installer-devplayer0.iso"; #filename = "/persist/home/dev/nixos-installer-devplayer0.iso";
filename = "/persist/home/dev/debian-12.1.0-amd64-netinst.iso"; #filename = "/persist/home/dev/debian-12.1.0-amd64-netinst.iso";
filename = "/persist/home/dev/ubuntu-22.04.3-live-server-amd64.iso";
read-only = "on"; read-only = "on";
}; };
format.driver = "raw"; format.driver = "raw";
@@ -166,6 +167,19 @@
}; };
frontend = "virtio-blk"; frontend = "virtio-blk";
} }
{
name = "git";
backend = {
driver = "host_device";
filename = "/dev/main/git";
discard = "unmap";
};
format = {
driver = "raw";
discard = "unmap";
};
frontend = "virtio-blk";
}
]); ]);
}; };
@@ -217,6 +231,24 @@
(vmLVM "mail" "data") (vmLVM "mail" "data")
]; ];
}; };
darts = {
uuid = "ee3882a9-5616-4fcb-83d7-89eb41a84d28";
cpu = "host,topoext";
smp = {
cpus = 4;
threads = 2;
};
memory = 16384;
networks.public = {
bridge = null;
mac = "52:54:00:a8:29:cd";
};
cleanShutdown.timeout = 120;
drives = [
(mkMerge [ (vmLVM "darts" "root") { frontendOpts.bootindex = 0; } ])
];
};
}; };
}; };
}; };

6
nixos/boxes/colony/vms/estuary/bgp.nix
View File

@@ -14,12 +14,12 @@ in
config = '' config = ''
define OWNAS = 211024; define OWNAS = 211024;
define CCVIP1 = ${lib.my.colony.prefixes.vip1}; define CCVIP1 = ${lib.my.c.colony.prefixes.vip1};
define CCVIP2 = ${lib.my.colony.prefixes.vip2}; define CCVIP2 = ${lib.my.c.colony.prefixes.vip2};
define OWNIP4 = ${assignments.internal.ipv4.address}; define OWNIP4 = ${assignments.internal.ipv4.address};
define OWNNETSET4 = [ ${assignments.internal.ipv4.address}/32 ]; define OWNNETSET4 = [ ${assignments.internal.ipv4.address}/32 ];
define CCNETSET4 = [ ${lib.my.colony.prefixes.vip1}, ${lib.my.colony.prefixes.vip2} ]; define CCNETSET4 = [ ${lib.my.c.colony.prefixes.vip1}, ${lib.my.c.colony.prefixes.vip2} ];
define INTNET6 = ${intnet6}; define INTNET6 = ${intnet6};
define AMSNET6 = ${amsnet6}; define AMSNET6 = ${amsnet6};

29
nixos/boxes/colony/vms/estuary/default.nix
View File

@@ -1,7 +1,7 @@
{ lib, ... }: { lib, ... }:
let let
inherit (lib.my) net; inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes; inherit (lib.my.c.colony) domain prefixes;
pubV4 = "94.142.240.44"; pubV4 = "94.142.240.44";
in in
@@ -95,7 +95,7 @@ in
}; };
services = { services = {
fstrim = lib.my.colony.fstrimConfig; fstrim = lib.my.c.colony.fstrimConfig;
lvm = { lvm = {
dmeventd.enable = true; dmeventd.enable = true;
}; };
@@ -182,7 +182,7 @@ in
}; };
wireguardConfig = { wireguardConfig = {
PrivateKeyFile = config.age.secrets."estuary/kelder-wg.key".path; PrivateKeyFile = config.age.secrets."estuary/kelder-wg.key".path;
ListenPort = lib.my.kelder.vpn.port; ListenPort = lib.my.c.kelder.vpn.port;
}; };
wireguardPeers = [ wireguardPeers = [
{ {
@@ -306,27 +306,31 @@ in
}; };
ipv6Prefixes = [ ipv6Prefixes = [
{ {
ipv6PrefixConfig.Prefix = lib.my.colony.prefixes.base.v6; ipv6PrefixConfig.Prefix = prefixes.base.v6;
} }
]; ];
routes = map (r: { routeConfig = r; }) (flatten routes = map (r: { routeConfig = r; }) (flatten
([ ([
{ {
Destination = lib.my.colony.prefixes.vip1; Destination = prefixes.vip1;
Gateway = allAssignments.colony.routing.ipv4.address; Gateway = allAssignments.colony.routing.ipv4.address;
} }
{ {
Destination = lib.my.colony.prefixes.cust.v6; Destination = prefixes.darts.v4;
Gateway = allAssignments.colony.routing.ipv4.address;
}
{
Destination = prefixes.cust.v6;
Gateway = allAssignments.colony.internal.ipv6.address; Gateway = allAssignments.colony.internal.ipv6.address;
} }
] ++ ] ++
(map (pName: [ (map (pName: [
{ {
Gateway = allAssignments.colony.routing.ipv4.address; Gateway = allAssignments.colony.routing.ipv4.address;
Destination = lib.my.colony.prefixes."${pName}".v4; Destination = prefixes."${pName}".v4;
} }
{ {
Destination = lib.my.colony.prefixes."${pName}".v6; Destination = prefixes."${pName}".v6;
Gateway = allAssignments.colony.internal.ipv6.address; Gateway = allAssignments.colony.internal.ipv6.address;
} }
]) [ "vms" "ctrs" "oci" ]))); ]) [ "vms" "ctrs" "oci" ])));
@@ -356,7 +360,6 @@ in
}; };
my = { my = {
#deploy.generate.system.mode = "boot";
secrets = { secrets = {
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9up7pXu6M/OWCKufTOfSiGcxMUk4VqUe7fLuatNFFA"; key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9up7pXu6M/OWCKufTOfSiGcxMUk4VqUe7fLuatNFFA";
files = { files = {
@@ -369,7 +372,7 @@ in
firewall = { firewall = {
trustedInterfaces = [ "as211024" ]; trustedInterfaces = [ "as211024" ];
udp.allowed = [ 5353 lib.my.kelder.vpn.port ]; udp.allowed = [ 5353 lib.my.c.kelder.vpn.port ];
tcp.allowed = [ 5353 "bgp" ]; tcp.allowed = [ 5353 "bgp" ];
nat = { nat = {
enable = true; enable = true;
@@ -430,7 +433,7 @@ in
return return
} }
chain filter-routing { chain filter-routing {
ip daddr ${prefixes.mail.v4} accept ip daddr { ${prefixes.mail.v4}, ${prefixes.darts.v4} } accept
ip6 daddr ${prefixes.cust.v6} accept ip6 daddr ${prefixes.cust.v6} accept
tcp flags & (fin|syn|rst|ack) == syn ct state new jump routing-tcp tcp flags & (fin|syn|rst|ack) == syn ct state new jump routing-tcp
@@ -456,9 +459,11 @@ in
table inet nat { table inet nat {
chain prerouting { chain prerouting {
${matchInet "meta l4proto { udp, tcp } th dport domain redirect to :5353" "estuary"} ${matchInet "meta l4proto { udp, tcp } th dport domain redirect to :5353" "estuary"}
ip daddr ${allAssignments.shill.internal.ipv4.address} tcp dport { http, https } dnat to ${allAssignments.middleman.internal.ipv4.address}
ip6 daddr ${allAssignments.shill.internal.ipv6.address} tcp dport { http, https } dnat to ${allAssignments.middleman.internal.ipv6.address}
} }
chain postrouting { chain postrouting {
ip saddr ${lib.my.colony.prefixes.all.v4} snat to ${assignments.internal.ipv4.address} ip saddr ${prefixes.all.v4} snat to ${assignments.internal.ipv4.address}
} }
} }
''; '';

13
nixos/boxes/colony/vms/estuary/dns.nix
View File

@@ -1,6 +1,8 @@
{ lib, pkgs, config, assignments, allAssignments, ... }: { lib, pkgs, config, assignments, allAssignments, ... }:
let let
inherit (builtins) attrNames; inherit (builtins) attrNames;
inherit (lib.my) net;
inherit (lib.my.c.colony) prefixes;
authZones = attrNames config.my.pdns.auth.bind.zones; authZones = attrNames config.my.pdns.auth.bind.zones;
in in
@@ -49,7 +51,7 @@ in
]; ];
allowFrom = [ allowFrom = [
"127.0.0.0/8" "::1/128" "127.0.0.0/8" "::1/128"
lib.my.colony.prefixes.all.v4 lib.my.colony.prefixes.all.v6 prefixes.all.v4 prefixes.all.v6
]; ];
}; };
@@ -147,8 +149,11 @@ in
valheim IN A ${assignments.internal.ipv4.address} valheim IN A ${assignments.internal.ipv4.address}
valheim IN AAAA ${allAssignments.valheim-oci.internal.ipv6.address} valheim IN AAAA ${allAssignments.valheim-oci.internal.ipv6.address}
mail-vm IN A ${lib.my.net.cidr.host 0 lib.my.colony.prefixes.mail.v4} mail-vm IN A ${net.cidr.host 0 prefixes.mail.v4}
mail-vm IN AAAA ${lib.my.net.cidr.host 1 lib.my.colony.prefixes.mail.v6} mail-vm IN AAAA ${net.cidr.host 1 prefixes.mail.v6}
darts-cust IN A ${net.cidr.host 0 prefixes.darts.v4}
darts-cust IN AAAA ${net.cidr.host 1 prefixes.darts.v6}
andrey-cust IN A ${allAssignments.kelder.estuary.ipv4.address} andrey-cust IN A ${allAssignments.kelder.estuary.ipv4.address}
@@ -200,6 +205,8 @@ in
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2 IN PTR mail.nul.ie. 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2 IN PTR mail.nul.ie.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.2 IN PTR darts-cust.${config.networking.domain}.
${lib.my.dns.ptr6Records { ${lib.my.dns.ptr6Records {
inherit allAssignments names; inherit allAssignments names;
domain = config.networking.domain; domain = config.networking.domain;

43
nixos/boxes/colony/vms/shill/containers/chatterbox.nix
View File

@@ -1,7 +1,7 @@
{ lib, ... }: { lib, ... }:
let let
inherit (lib.my) net; inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes; inherit (lib.my.c.colony) domain prefixes;
in in
{ {
nixos.systems.chatterbox = { nixos.systems.chatterbox = {
@@ -22,7 +22,7 @@ in
configuration = { lib, pkgs, config, assignments, allAssignments, ... }: configuration = { lib, pkgs, config, assignments, allAssignments, ... }:
let let
inherit (lib) mkMerge mkIf; inherit (lib) mkMerge mkIf mkForce;
inherit (lib.my) networkdAssignment; inherit (lib.my) networkdAssignment;
in in
{ {
@@ -43,16 +43,41 @@ in
owner = "matrix-synapse"; owner = "matrix-synapse";
group = "matrix-synapse"; group = "matrix-synapse";
}; };
"chatterbox/syncv3.env" = {
owner = "matrix-syncv3";
group = "matrix-syncv3";
};
}; };
}; };
firewall = { firewall = {
tcp.allowed = [ 19999 8008 ]; tcp.allowed = [ 19999 8008 8009 ];
};
};
users = with lib.my.c.ids; {
users = {
matrix-syncv3 = {
isSystemUser = true;
uid = uids.matrix-syncv3;
group = "matrix-syncv3";
};
};
groups = {
matrix-syncv3.gid = gids.matrix-syncv3;
}; };
}; };
systemd = { systemd = {
network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal; network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal;
services = {
matrix-sliding-sync.serviceConfig = {
# Needs to be able to read its secrets
DynamicUser = mkForce false;
User = "matrix-syncv3";
Group = "matrix-syncv3";
};
};
}; };
services = { services = {
@@ -128,7 +153,7 @@ in
"2001:db8::/32" "2001:db8::/32"
"ff00::/8" "ff00::/8"
"fec0::/10" "fec0::/10"
] ++ (with lib.my.colony.prefixes; [ all.v4 all.v6 ]); ] ++ (with lib.my.c.colony.prefixes; [ all.v4 all.v6 ]);
url_preview_ip_range_whitelist = url_preview_ip_range_whitelist =
with allAssignments.middleman.internal; with allAssignments.middleman.internal;
[ ipv4.address ipv6.address ]; [ ipv4.address ipv6.address ];
@@ -142,6 +167,16 @@ in
"/var/lib/heisenbridge/registration.yml" "/var/lib/heisenbridge/registration.yml"
]; ];
}; };
sliding-sync = {
enable = true;
createDatabase = false;
environmentFile = config.age.secrets."chatterbox/syncv3.env".path;
settings = {
SYNCV3_BINDADDR = "[::]:8009";
SYNCV3_SERVER = "http://localhost:8008";
};
};
}; };
heisenbridge = { heisenbridge = {

4
nixos/boxes/colony/vms/shill/containers/colony-psql.nix
View File

@@ -1,7 +1,7 @@
{ lib, ... }: { lib, ... }:
let let
inherit (lib.my) net; inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes; inherit (lib.my.c.colony) domain prefixes;
in in
{ {
nixos.systems.colony-psql = { nixos.systems.colony-psql = {
@@ -66,7 +66,7 @@ in
enable = true; enable = true;
enableTCPIP = true; enableTCPIP = true;
authentication = with lib.my.colony.prefixes; '' authentication = with lib.my.c.colony.prefixes; ''
local all postgres peer map=local local all postgres peer map=local
host all all ${all.v4} md5 host all all ${all.v4} md5

8
nixos/boxes/colony/vms/shill/containers/jackflix/default.nix
View File

@@ -1,7 +1,7 @@
{ lib, ... }: { lib, ... }:
let let
inherit (lib.my) net; inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes; inherit (lib.my.c.colony) domain prefixes;
in in
{ {
nixos.systems.jackflix = { nixos.systems.jackflix = {
@@ -55,6 +55,12 @@ in
radarr.serviceConfig.UMask = "0002"; radarr.serviceConfig.UMask = "0002";
sonarr.serviceConfig.UMask = "0002"; sonarr.serviceConfig.UMask = "0002";
# https://github.com/NixOS/nixpkgs/issues/258793#issuecomment-1748168206
transmission.serviceConfig = {
RootDirectoryStartOnly = lib.mkForce false;
RootDirectory = lib.mkForce "";
};
}; };
}; };

9
nixos/boxes/colony/vms/shill/containers/jackflix/networking.nix
View File

@@ -2,6 +2,7 @@
let let
inherit (lib) mkMerge mkIf; inherit (lib) mkMerge mkIf;
inherit (lib.my) networkdAssignment; inherit (lib.my) networkdAssignment;
inherit (lib.my.c.colony) prefixes;
wg = { wg = {
keyFile = "jackflix/airvpn-privkey"; keyFile = "jackflix/airvpn-privkey";
@@ -102,23 +103,23 @@ in
} }
{ {
From = lib.my.colony.prefixes.all.v4; From = prefixes.all.v4;
Table = "main"; Table = "main";
Priority = 100; Priority = 100;
} }
{ {
To = lib.my.colony.prefixes.all.v4; To = prefixes.all.v4;
Table = "main"; Table = "main";
Priority = 100; Priority = 100;
} }
{ {
From = lib.my.colony.prefixes.all.v6; From = prefixes.all.v6;
Table = "main"; Table = "main";
Priority = 100; Priority = 100;
} }
{ {
To = lib.my.colony.prefixes.all.v6; To = prefixes.all.v6;
Table = "main"; Table = "main";
Priority = 100; Priority = 100;
} }

23
nixos/boxes/colony/vms/shill/containers/middleman/default.nix
View File

@@ -1,7 +1,8 @@
{ lib, ... }: { lib, ... }:
let let
inherit (lib.my) net; inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes; inherit (lib.my.c) pubDomain;
inherit (lib.my.c.colony) domain prefixes;
in in
{ {
nixos.systems.middleman = { nixos.systems.middleman = {
@@ -79,8 +80,8 @@ in
port = 8082; port = 8082;
}; };
login = { login = {
title = "${lib.my.pubDomain} login"; title = "${pubDomain} login";
default_redirect = "https://${lib.my.pubDomain}"; default_redirect = "https://${pubDomain}";
default_method = "google_oauth"; default_method = "google_oauth";
names = { names = {
google_oauth = "Google account"; google_oauth = "Google account";
@@ -88,7 +89,7 @@ in
}; };
}; };
cookie = { cookie = {
domain = ".${lib.my.pubDomain}"; domain = ".${pubDomain}";
secure = true; secure = true;
}; };
audit_log = { audit_log = {
@@ -109,14 +110,14 @@ in
}; };
google_oauth = { google_oauth = {
client_id = "545475967061-cag4g1qf0pk33g3pdbom4v69562vboc8.apps.googleusercontent.com"; client_id = "545475967061-cag4g1qf0pk33g3pdbom4v69562vboc8.apps.googleusercontent.com";
redirect_url = "https://sso.${lib.my.pubDomain}/login"; redirect_url = "https://sso.${pubDomain}/login";
user_id_method = "user-id"; user_id_method = "user-id";
}; };
}; };
}; };
includes = { includes = {
endpoint = "http://localhost:8082"; endpoint = "http://localhost:8082";
baseURL = "https://sso.${lib.my.pubDomain}"; baseURL = "https://sso.${pubDomain}";
}; };
}; };
}; };
@@ -173,10 +174,10 @@ in
EXEC_PATH=${script} EXEC_PATH=${script}
''; '';
}; };
"${lib.my.pubDomain}" = { "${pubDomain}" = {
extraDomainNames = [ extraDomainNames = [
"*.${lib.my.pubDomain}" "*.${pubDomain}"
"*.s3.${lib.my.pubDomain}" "*.s3.${pubDomain}"
]; ];
dnsProvider = "cloudflare"; dnsProvider = "cloudflare";
credentialsFile = config.age.secrets."middleman/cloudflare-credentials.conf".path; credentialsFile = config.age.secrets."middleman/cloudflare-credentials.conf".path;
@@ -194,7 +195,7 @@ in
}; };
programs = { programs = {
ssh.knownHostsFiles = [ lib.my.sshHostKeys.mail-vm ]; ssh.knownHostsFiles = [ lib.my.c.sshHostKeys.mail-vm ];
}; };
services = { services = {
@@ -265,7 +266,7 @@ in
proxy_send_timeout 60s; proxy_send_timeout 60s;
proxy_http_version 1.1; proxy_http_version 1.1;
${lib.my.nginx.proxyHeaders} ${lib.my.c.nginx.proxyHeaders}
# caching # caching
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=4g; proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=4g;

127
nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
View File

@@ -2,6 +2,9 @@
let let
inherit (builtins) mapAttrs toJSON; inherit (builtins) mapAttrs toJSON;
inherit (lib) mkMerge mkDefault genAttrs flatten concatStringsSep; inherit (lib) mkMerge mkDefault genAttrs flatten concatStringsSep;
inherit (lib.my.c) pubDomain;
inherit (lib.my.c.nginx) proxyHeaders;
inherit (config.networking) domain;
dualStackListen' = l: map (addr: l // { inherit addr; }) [ "0.0.0.0" "[::]" ]; dualStackListen' = l: map (addr: l // { inherit addr; }) [ "0.0.0.0" "[::]" ];
dualStackListen = ll: flatten (map dualStackListen' ll); dualStackListen = ll: flatten (map dualStackListen' ll);
@@ -32,6 +35,7 @@ let
# For clients # For clients
(mkWellKnown "matrix/client" (toJSON { (mkWellKnown "matrix/client" (toJSON {
"m.homeserver".base_url = "https://matrix.nul.ie"; "m.homeserver".base_url = "https://matrix.nul.ie";
"org.matrix.msc3575.proxy".url = "https://matrix-syncv3.nul.ie";
})) }))
]; ];
}; };
@@ -80,7 +84,7 @@ in
} }
wellKnown wellKnown
]; ];
useACMEHost = lib.my.pubDomain; useACMEHost = pubDomain;
}; };
"localhost" = { "localhost" = {
forceSSL = false; forceSSL = false;
@@ -98,12 +102,12 @@ in
}; };
}; };
"sso.${lib.my.pubDomain}" = { "sso.${pubDomain}" = {
locations."/".proxyPass = config.my.nginx-sso.includes.endpoint; locations."/".proxyPass = config.my.nginx-sso.includes.endpoint;
useACMEHost = lib.my.pubDomain; useACMEHost = pubDomain;
}; };
"netdata-colony.${lib.my.pubDomain}" = "netdata-colony.${pubDomain}" =
let let
hosts = [ hosts = [
"vm" "vm"
@@ -119,10 +123,10 @@ in
"~ /(?<behost>${matchHosts})$".return = "301 https://$host/$behost/"; "~ /(?<behost>${matchHosts})$".return = "301 https://$host/$behost/";
"~ /(?<behost>${matchHosts})/(?<ndpath>.*)" = mkMerge [ "~ /(?<behost>${matchHosts})/(?<ndpath>.*)" = mkMerge [
{ {
proxyPass = "http://$behost.${config.networking.domain}:19999/$ndpath$is_args$args"; proxyPass = "http://$behost.${domain}:19999/$ndpath$is_args$args";
extraConfig = '' extraConfig = ''
proxy_pass_request_headers on; proxy_pass_request_headers on;
${lib.my.nginx.proxyHeaders} ${proxyHeaders}
proxy_set_header Connection "keep-alive"; proxy_set_header Connection "keep-alive";
proxy_store off; proxy_store off;
@@ -134,14 +138,14 @@ in
(ssoLoc "generic") (ssoLoc "generic")
]; ];
}; };
useACMEHost = lib.my.pubDomain; useACMEHost = pubDomain;
} }
(ssoServer "generic") (ssoServer "generic")
]; ];
"pass.${lib.my.pubDomain}" = "pass.${pubDomain}" =
let let
upstream = "http://vaultwarden-ctr.${config.networking.domain}"; upstream = "http://vaultwarden-ctr.${domain}";
in in
{ {
locations = { locations = {
@@ -149,11 +153,11 @@ in
"/notifications/hub" = { "/notifications/hub" = {
proxyPass = upstream; proxyPass = upstream;
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders; extraConfig = proxyHeaders;
}; };
"/notifications/hub/negotiate".proxyPass = upstream; "/notifications/hub/negotiate".proxyPass = upstream;
}; };
useACMEHost = lib.my.pubDomain; useACMEHost = pubDomain;
}; };
"matrix.nul.ie" = { "matrix.nul.ie" = {
@@ -171,15 +175,19 @@ in
]; ];
locations = mkMerge [ locations = mkMerge [
{ {
"/".proxyPass = "http://chatterbox-ctr.${config.networking.domain}:8008"; "/".proxyPass = "http://chatterbox-ctr.${domain}:8008";
"= /".return = "301 https://element.${lib.my.pubDomain}"; "= /".return = "301 https://element.${pubDomain}";
} }
wellKnown wellKnown
]; ];
useACMEHost = lib.my.pubDomain; useACMEHost = pubDomain;
};
"matrix-syncv3.${pubDomain}" = {
locations."/".proxyPass = "http://chatterbox-ctr.${domain}:8009";
useACMEHost = pubDomain;
}; };
"element.${lib.my.pubDomain}" = "element.${pubDomain}" =
let let
headers = '' headers = ''
# TODO: why are these here? # TODO: why are these here?
@@ -224,66 +232,66 @@ in
''; '';
})) }))
]; ];
useACMEHost = lib.my.pubDomain; useACMEHost = pubDomain;
}; };
"torrents.${lib.my.pubDomain}" = mkMerge [ "torrents.${pubDomain}" = mkMerge [
{ {
locations."/" = mkMerge [ locations."/" = mkMerge [
{ {
proxyPass = "http://jackflix-ctr.${config.networking.domain}:9091"; proxyPass = "http://jackflix-ctr.${domain}:9091";
} }
(ssoLoc "generic") (ssoLoc "generic")
]; ];
useACMEHost = lib.my.pubDomain; useACMEHost = pubDomain;
} }
(ssoServer "generic") (ssoServer "generic")
]; ];
"jackett.${lib.my.pubDomain}" = mkMerge [ "jackett.${pubDomain}" = mkMerge [
{ {
locations."/" = mkMerge [ locations."/" = mkMerge [
{ {
proxyPass = "http://jackflix-ctr.${config.networking.domain}:9117"; proxyPass = "http://jackflix-ctr.${domain}:9117";
} }
(ssoLoc "generic") (ssoLoc "generic")
]; ];
useACMEHost = lib.my.pubDomain; useACMEHost = pubDomain;
} }
(ssoServer "generic") (ssoServer "generic")
]; ];
"radarr.${lib.my.pubDomain}" = mkMerge [ "radarr.${pubDomain}" = mkMerge [
{ {
locations."/" = mkMerge [ locations."/" = mkMerge [
{ {
proxyPass = "http://jackflix-ctr.${config.networking.domain}:7878"; proxyPass = "http://jackflix-ctr.${domain}:7878";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders; extraConfig = proxyHeaders;
} }
(ssoLoc "generic") (ssoLoc "generic")
]; ];
useACMEHost = lib.my.pubDomain; useACMEHost = pubDomain;
} }
(ssoServer "generic") (ssoServer "generic")
]; ];
"sonarr.${lib.my.pubDomain}" = mkMerge [ "sonarr.${pubDomain}" = mkMerge [
{ {
locations."/" = mkMerge [ locations."/" = mkMerge [
{ {
proxyPass = "http://jackflix-ctr.${config.networking.domain}:8989"; proxyPass = "http://jackflix-ctr.${domain}:8989";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders; extraConfig = proxyHeaders;
} }
(ssoLoc "generic") (ssoLoc "generic")
]; ];
useACMEHost = lib.my.pubDomain; useACMEHost = pubDomain;
} }
(ssoServer "generic") (ssoServer "generic")
]; ];
"jackflix.${lib.my.pubDomain}" = "jackflix.${pubDomain}" =
let let
upstream = "http://jackflix-ctr.${config.networking.domain}:8096"; upstream = "http://jackflix-ctr.${domain}:8096";
in in
{ {
extraConfig = '' extraConfig = ''
@@ -300,10 +308,10 @@ in
"/socket" = { "/socket" = {
proxyPass = upstream; proxyPass = upstream;
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders; extraConfig = proxyHeaders;
}; };
}; };
useACMEHost = lib.my.pubDomain; useACMEHost = pubDomain;
}; };
"toot.nul.ie" = "toot.nul.ie" =
@@ -312,7 +320,7 @@ in
tryFiles = "$uri =404"; tryFiles = "$uri =404";
extraConfig = '' extraConfig = ''
add_header Cache-Control "public, max-age=2419200, must-revalidate"; add_header Cache-Control "public, max-age=2419200, must-revalidate";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; add_header Strict-Transport-Security "max-age=63072000; includeSubpubDomains";
''; '';
}; };
in in
@@ -333,20 +341,20 @@ in
"/".tryFiles = "$uri @proxy"; "/".tryFiles = "$uri @proxy";
"^~ /api/v1/streaming" = { "^~ /api/v1/streaming" = {
proxyPass = "http://toot-ctr.${config.networking.domain}:55000"; proxyPass = "http://toot-ctr.${domain}:55000";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = '' extraConfig = ''
${lib.my.nginx.proxyHeaders} ${proxyHeaders}
proxy_set_header Proxy ""; proxy_set_header Proxy "";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
''; '';
}; };
"@proxy" = { "@proxy" = {
proxyPass = "http://toot-ctr.${config.networking.domain}:55001"; proxyPass = "http://toot-ctr.${domain}:55001";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = '' extraConfig = ''
${lib.my.nginx.proxyHeaders} ${proxyHeaders}
proxy_set_header Proxy ""; proxy_set_header Proxy "";
proxy_pass_header Server; proxy_pass_header Server;
@@ -359,19 +367,19 @@ in
}; };
} }
]; ];
useACMEHost = lib.my.pubDomain; useACMEHost = pubDomain;
}; };
"share.${lib.my.pubDomain}" = { "share.${pubDomain}" = {
locations."/" = { locations."/" = {
proxyPass = "http://object-ctr.${config.networking.domain}:9090"; proxyPass = "http://object-ctr.${domain}:9090";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders; extraConfig = proxyHeaders;
}; };
useACMEHost = lib.my.pubDomain; useACMEHost = pubDomain;
}; };
"stuff.${lib.my.pubDomain}" = { "stuff.${pubDomain}" = {
locations."/" = { locations."/" = {
basicAuthFile = config.age.secrets."middleman/htpasswd".path; basicAuthFile = config.age.secrets."middleman/htpasswd".path;
root = "/mnt/media/stuff"; root = "/mnt/media/stuff";
@@ -380,13 +388,18 @@ in
fancyindex_show_dotfiles on; fancyindex_show_dotfiles on;
''; '';
}; };
useACMEHost = lib.my.pubDomain; useACMEHost = pubDomain;
};
"git.${pubDomain}" = {
locations."/".proxyPass = "http://shill-vm.${domain}:3000";
useACMEHost = pubDomain;
}; };
}; };
minio = minio =
let let
host = "object-ctr.${config.networking.domain}"; host = "object-ctr.${domain}";
s3Upstream = "http://${host}:9000"; s3Upstream = "http://${host}:9000";
extraConfig = '' extraConfig = ''
chunked_transfer_encoding off; chunked_transfer_encoding off;
@@ -401,7 +414,7 @@ in
''; '';
in in
{ {
"minio.${lib.my.pubDomain}" = { "minio.${pubDomain}" = {
inherit extraConfig; inherit extraConfig;
locations = { locations = {
"/" = { "/" = {
@@ -410,19 +423,19 @@ in
"/ws" = { "/ws" = {
proxyPass = "http://${host}:9001"; proxyPass = "http://${host}:9001";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders; extraConfig = proxyHeaders;
}; };
}; };
useACMEHost = lib.my.pubDomain; useACMEHost = pubDomain;
}; };
"s3.${lib.my.pubDomain}" = { "s3.${pubDomain}" = {
serverAliases = [ "*.s3.${lib.my.pubDomain}" ]; serverAliases = [ "*.s3.${pubDomain}" ];
inherit extraConfig; inherit extraConfig;
locations."/".proxyPass = s3Upstream; locations."/".proxyPass = s3Upstream;
useACMEHost = lib.my.pubDomain; useACMEHost = pubDomain;
}; };
"nix-cache.${lib.my.pubDomain}" = { "nix-cache.${pubDomain}" = {
extraConfig = '' extraConfig = ''
${extraConfig} ${extraConfig}
proxy_set_header Host "nix-cache.s3.nul.ie"; proxy_set_header Host "nix-cache.s3.nul.ie";
@@ -434,14 +447,14 @@ in
extraConfig = nixCacheHeaders; extraConfig = nixCacheHeaders;
}; };
}; };
useACMEHost = lib.my.pubDomain; useACMEHost = pubDomain;
onlySSL = false; onlySSL = false;
}; };
}; };
defaultsFor = mapAttrs (n: _: { defaultsFor = mapAttrs (n: _: {
onlySSL = mkDefault true; onlySSL = mkDefault true;
useACMEHost = mkDefault "${config.networking.domain}"; useACMEHost = mkDefault "${domain}";
kTLS = mkDefault true; kTLS = mkDefault true;
http2 = mkDefault true; http2 = mkDefault true;
}); });

4
nixos/boxes/colony/vms/shill/containers/object.nix
View File

@@ -1,7 +1,7 @@
{ lib, ... }: { lib, ... }:
let let
inherit (lib.my) net; inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes; inherit (lib.my.c.colony) domain prefixes;
in in
{ {
nixos.systems.object = { nixos.systems.object = {
@@ -92,7 +92,7 @@ in
configOverridesFile = config.age.secrets."object/sharry.conf".path; configOverridesFile = config.age.secrets."object/sharry.conf".path;
config = { config = {
base-url = "https://share.${lib.my.pubDomain}"; base-url = "https://share.${lib.my.c.pubDomain}";
bind.address = "::"; bind.address = "::";
alias-member-enabled = true; alias-member-enabled = true;
webapp = { webapp = {

2
nixos/boxes/colony/vms/shill/containers/toot.nix
View File

@@ -1,7 +1,7 @@
{ lib, ... }: { lib, ... }:
let let
inherit (lib.my) net; inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes; inherit (lib.my.c.colony) domain prefixes;
in in
{ {
nixos.systems.toot = { nixos.systems.toot = {

6
nixos/boxes/colony/vms/shill/containers/vaultwarden.nix
View File

@@ -1,7 +1,7 @@
{ lib, ... }: { lib, ... }:
let let
inherit (lib.my) net; inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes; inherit (lib.my.c.colony) domain prefixes;
in in
{ {
nixos.systems.vaultwarden = { nixos.systems.vaultwarden = {
@@ -62,7 +62,7 @@ in
}; };
programs.ssh.knownHostsFiles = [ programs.ssh.knownHostsFiles = [
lib.my.sshKeyFiles.rsyncNet lib.my.c.sshKeyFiles.rsyncNet
]; ];
services = { services = {
@@ -79,7 +79,7 @@ in
SIGNUPS_ALLOWED = false; SIGNUPS_ALLOWED = false;
DOMAIN = "https://pass.${lib.my.pubDomain}"; DOMAIN = "https://pass.${lib.my.c.pubDomain}";
ROCKET_ADDRESS = "::"; ROCKET_ADDRESS = "::";
ROCKET_PORT = 80; ROCKET_PORT = 80;

8
nixos/boxes/colony/vms/shill/default.nix
View File

@@ -1,7 +1,7 @@
{ lib, ... }: { lib, ... }:
let let
inherit (lib.my) net; inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes; inherit (lib.my.c.colony) domain prefixes;
in in
{ {
imports = [ ./containers ]; imports = [ ./containers ];
@@ -49,7 +49,7 @@ in
inherit (lib.my) networkdAssignment; inherit (lib.my) networkdAssignment;
in in
{ {
imports = [ "${modulesPath}/profiles/qemu-guest.nix" ./hercules.nix ]; imports = [ "${modulesPath}/profiles/qemu-guest.nix" ./hercules.nix ./gitea.nix ];
config = mkMerge [ config = mkMerge [
{ {
@@ -97,7 +97,7 @@ in
}; };
services = { services = {
fstrim = lib.my.colony.fstrimConfig; fstrim = lib.my.c.colony.fstrimConfig;
netdata.enable = true; netdata.enable = true;
}; };
@@ -131,7 +131,7 @@ in
}; };
ipv6Prefixes = [ ipv6Prefixes = [
{ {
ipv6PrefixConfig.Prefix = lib.my.colony.prefixes.ctrs.v6; ipv6PrefixConfig.Prefix = prefixes.ctrs.v6;
} }
]; ];
} }

113
nixos/boxes/colony/vms/shill/gitea.nix Normal file
View File

@@ -0,0 +1,113 @@
{ lib, pkgs, config, assignments, allAssignments, ... }:
let
inherit (lib.my.c) pubDomain;
inherit (lib.my.c.colony) prefixes;
in
{
config = {
fileSystems = {
"/var/lib/gitea" = {
device = "/dev/disk/by-label/git";
fsType = "ext4";
};
};
users = {
users.git = {
description = "Gitea Service";
home = config.services.gitea.stateDir;
useDefaultShell = true;
group = config.services.gitea.group;
isSystemUser = true;
};
groups.git = {};
};
services = {
gitea = {
enable = true;
user = "git";
group = "git";
appName = "/dev/player0 git";
stateDir = "/var/lib/gitea";
lfs.enable = true;
database = {
type = "postgres";
createDatabase = false;
host = "colony-psql";
user = "gitea";
passwordFile = config.age.secrets."gitea/db.txt".path;
};
mailerPasswordFile = config.age.secrets."gitea/mail.txt".path;
settings = {
server = {
DOMAIN = "git.${pubDomain}";
HTTP_ADDR = "::";
ROOT_URL = "https://git.${pubDomain}";
};
service = {
DISABLE_REGISTRATION = true;
ENABLE_NOTIFY_MAIL = true;
};
session = {
COOKIE_SECURE = true;
};
repository = {
DEFAULT_BRANCH = "master";
};
mailer = {
ENABLED = true;
PROTOCOL = "smtp+starttls";
SMTP_ADDR = "mail.nul.ie";
SMTP_PORT = 587;
USER = "git@nul.ie";
FROM = "Gitea <git@nul.ie>";
};
"email.incoming" = {
ENABLED = true;
HOST = "mail.nul.ie";
PORT = 993;
USE_TLS = true;
USERNAME = "git@nul.ie";
PASSWORD = "#mailerpass#";
REPLY_TO_ADDRESS = "git+%{token}@nul.ie";
};
actions = {
ENABLED = true;
};
};
};
};
my = {
secrets = {
files =
let
ownedByGit = {
owner = "git";
group = "git";
};
in
{
"gitea/db.txt" = ownedByGit;
"gitea/mail.txt" = ownedByGit;
};
};
firewall.extraRules = ''
table inet filter {
chain input {
ip saddr ${prefixes.all.v4} tcp dport 3000 accept
ip6 saddr ${prefixes.all.v6} tcp dport 3000 accept
}
}
table inet nat {
chain prerouting {
ip daddr ${assignments.internal.ipv4.address} tcp dport { http, https } dnat to ${allAssignments.middleman.internal.ipv4.address}
ip6 daddr ${assignments.internal.ipv6.address} tcp dport { http, https } dnat to ${allAssignments.middleman.internal.ipv6.address}
}
}
'';
};
};
}

5
nixos/boxes/colony/vms/whale2/default.nix
View File

@@ -2,7 +2,7 @@
let let
inherit (builtins) mapAttrs; inherit (builtins) mapAttrs;
inherit (lib.my) net; inherit (lib.my) net;
inherit (lib.my.colony) domain prefixes; inherit (lib.my.c.colony) domain prefixes;
in in
{ {
nixos.systems.whale2 = { nixos.systems.whale2 = {
@@ -63,6 +63,7 @@ in
"${modulesPath}/profiles/qemu-guest.nix" "${modulesPath}/profiles/qemu-guest.nix"
./valheim.nix ./valheim.nix
./gitea-actions.nix
]; ];
config = mkMerge [ config = mkMerge [
@@ -94,7 +95,7 @@ in
}; };
services = { services = {
fstrim = lib.my.colony.fstrimConfig; fstrim = lib.my.c.colony.fstrimConfig;
netdata.enable = true; netdata.enable = true;
}; };

62
nixos/boxes/colony/vms/whale2/gitea-actions.nix Normal file
View File

@@ -0,0 +1,62 @@
{ lib, pkgs, config, ... }:
let
inherit (builtins) toJSON;
inherit (lib) mkForce;
inherit (lib.my.c) pubDomain;
cfgFile = pkgs.writeText "gitea-actions-runner.yaml" (toJSON {
container = {
network = "colony";
};
});
in
{
config = {
services = {
gitea-actions-runner.instances = {
main = {
enable = true;
name = "main-docker";
labels = [ ];
url = "https://git.${pubDomain}";
tokenFile = config.age.secrets."gitea/actions-runner.env".path;
};
};
};
users = with lib.my.c.ids; {
users = {
gitea-runner = {
isSystemUser = true;
uid = uids.gitea-runner;
group = "gitea-runner";
home = "/var/lib/gitea-runner";
};
};
groups = {
gitea-runner.gid = gids.gitea-runner;
};
};
systemd = {
services = {
gitea-runner-main.serviceConfig = {
# Needs to be able to read its secrets
DynamicUser = mkForce false;
User = "gitea-runner";
Group = "gitea-runner";
ExecStart = mkForce "${config.services.gitea-actions-runner.package}/bin/act_runner -c ${cfgFile} daemon";
};
};
};
my = {
secrets.files = {
"gitea/actions-runner.env" = {
owner = "gitea-runner";
group = "gitea-runner";
};
};
};
};
}

4
nixos/boxes/kelder/containers/acquisition/default.nix
View File

@@ -1,7 +1,7 @@
{ lib, ... }: { lib, ... }:
let let
inherit (lib.my) net; inherit (lib.my) net;
inherit (lib.my.kelder) domain prefixes; inherit (lib.my.c.kelder) domain prefixes;
in in
{ {
nixos.systems.kelder-acquisition = { nixos.systems.kelder-acquisition = {
@@ -44,7 +44,7 @@ in
}; };
users = { users = {
groups.media.gid = lib.my.kelder.groups.media; groups.media.gid = lib.my.c.kelder.groups.media;
users = { users = {
"${config.my.user.config.name}".extraGroups = [ "media" ]; "${config.my.user.config.name}".extraGroups = [ "media" ];

4
nixos/boxes/kelder/containers/acquisition/networking.nix
View File

@@ -104,12 +104,12 @@ in
} }
{ {
From = lib.my.kelder.prefixes.all.v4; From = lib.my.c.kelder.prefixes.all.v4;
Table = "main"; Table = "main";
Priority = 100; Priority = 100;
} }
{ {
To = lib.my.kelder.prefixes.all.v4; To = lib.my.c.kelder.prefixes.all.v4;
Table = "main"; Table = "main";
Priority = 100; Priority = 100;
} }

12
nixos/boxes/kelder/containers/spoder/default.nix
View File

@@ -2,7 +2,7 @@
let let
inherit (lib) mkForce mkMerge; inherit (lib) mkForce mkMerge;
inherit (lib.my) net; inherit (lib.my) net;
inherit (lib.my.kelder) domain prefixes; inherit (lib.my.c.kelder) domain prefixes;
in in
{ {
nixos.systems.kelder-spoder = { nixos.systems.kelder-spoder = {
@@ -54,9 +54,9 @@ in
dnsResolver = "8.8.8.8"; dnsResolver = "8.8.8.8";
}; };
certs = { certs = {
"${lib.my.kelder.domain}" = { "${domain}" = {
extraDomainNames = [ extraDomainNames = [
"*.${lib.my.kelder.domain}" "*.${domain}"
]; ];
dnsProvider = "cloudflare"; dnsProvider = "cloudflare";
credentialsFile = config.age.secrets."kelder/cloudflare-credentials.conf".path; credentialsFile = config.age.secrets."kelder/cloudflare-credentials.conf".path;
@@ -65,7 +65,7 @@ in
}; };
users = { users = {
groups.storage.gid = lib.my.kelder.groups.storage; groups.storage.gid = lib.my.c.kelder.groups.storage;
users = { users = {
nginx.extraGroups = [ "acme" ]; nginx.extraGroups = [ "acme" ];
@@ -93,11 +93,11 @@ in
enable = true; enable = true;
package = pkgs.nextcloud27; package = pkgs.nextcloud27;
datadir = "/mnt/storage/nextcloud"; datadir = "/mnt/storage/nextcloud";
hostName = "cloud.${lib.my.kelder.domain}"; hostName = "cloud.${domain}";
https = true; https = true;
enableBrokenCiphersForSSE = false; enableBrokenCiphersForSSE = false;
config = { config = {
extraTrustedDomains = [ "cloud-local.${lib.my.kelder.domain}" ]; extraTrustedDomains = [ "cloud-local.${domain}" ];
adminpassFile = config.age.secrets."kelder/nextcloud-root.txt".path; adminpassFile = config.age.secrets."kelder/nextcloud-root.txt".path;
defaultPhoneRegion = "IE"; defaultPhoneRegion = "IE";
}; };

52
nixos/boxes/kelder/containers/spoder/nginx.nix
View File

@@ -2,6 +2,8 @@
let let
inherit (builtins) mapAttrs; inherit (builtins) mapAttrs;
inherit (lib) mkMerge mkIf mkDefault; inherit (lib) mkMerge mkIf mkDefault;
inherit (lib.my.c.nginx) proxyHeaders;
inherit (lib.my.c.kelder) domain;
in in
{ {
config = { config = {
@@ -73,7 +75,7 @@ in
proxy_send_timeout 60s; proxy_send_timeout 60s;
proxy_http_version 1.1; proxy_http_version 1.1;
${lib.my.nginx.proxyHeaders} ${proxyHeaders}
# caching # caching
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=4g; proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=4g;
@@ -135,15 +137,15 @@ in
}; };
}; };
"monitor.${lib.my.kelder.domain}" = withAuth { "monitor.${domain}" = withAuth {
serverAliases = [ "monitor-local.${lib.my.kelder.domain}" ]; serverAliases = [ "monitor-local.${domain}" ];
extraConfig = localRedirect "monitor-local.${lib.my.kelder.domain}"; extraConfig = localRedirect "monitor-local.${domain}";
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://${allAssignments.kelder.ctrs.ipv4.address}:19999"; proxyPass = "http://${allAssignments.kelder.ctrs.ipv4.address}:19999";
extraConfig = '' extraConfig = ''
proxy_pass_request_headers on; proxy_pass_request_headers on;
${lib.my.nginx.proxyHeaders} ${proxyHeaders}
proxy_set_header Connection "keep-alive"; proxy_set_header Connection "keep-alive";
proxy_store off; proxy_store off;
@@ -155,8 +157,8 @@ in
}; };
}; };
"kontent.${lib.my.kelder.domain}" = { "kontent.${domain}" = {
serverAliases = [ "kontent-local.${lib.my.kelder.domain}" ]; serverAliases = [ "kontent-local.${domain}" ];
locations = { locations = {
"/".proxyPass = "${acquisition}:8096"; "/".proxyPass = "${acquisition}:8096";
"= /".return = "302 $scheme://$host/web/"; "= /".return = "302 $scheme://$host/web/";
@@ -164,47 +166,47 @@ in
"/socket" = { "/socket" = {
proxyPass = "${acquisition}:8096/socket"; proxyPass = "${acquisition}:8096/socket";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders; extraConfig = proxyHeaders;
}; };
}; };
}; };
"torrents.${lib.my.kelder.domain}" = withAuth { "torrents.${domain}" = withAuth {
serverAliases = [ "torrents-local.${lib.my.kelder.domain}" ]; serverAliases = [ "torrents-local.${domain}" ];
extraConfig = localRedirect "torrents-local.${lib.my.kelder.domain}"; extraConfig = localRedirect "torrents-local.${domain}";
locations."/".proxyPass = "${acquisition}:9091"; locations."/".proxyPass = "${acquisition}:9091";
}; };
"jackett.${lib.my.kelder.domain}" = withAuth { "jackett.${domain}" = withAuth {
serverAliases = [ "jackett-local.${lib.my.kelder.domain}" ]; serverAliases = [ "jackett-local.${domain}" ];
extraConfig = localRedirect "jackett-local.${lib.my.kelder.domain}"; extraConfig = localRedirect "jackett-local.${domain}";
locations."/".proxyPass = "${acquisition}:9117"; locations."/".proxyPass = "${acquisition}:9117";
}; };
"radarr.${lib.my.kelder.domain}" = withAuth { "radarr.${domain}" = withAuth {
serverAliases = [ "radarr-local.${lib.my.kelder.domain}" ]; serverAliases = [ "radarr-local.${domain}" ];
extraConfig = localRedirect "radarr-local.${lib.my.kelder.domain}"; extraConfig = localRedirect "radarr-local.${domain}";
locations."/" = { locations."/" = {
proxyPass = "${acquisition}:7878"; proxyPass = "${acquisition}:7878";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders; extraConfig = proxyHeaders;
}; };
}; };
"sonarr.${lib.my.kelder.domain}" = withAuth { "sonarr.${domain}" = withAuth {
serverAliases = [ "sonarr-local.${lib.my.kelder.domain}" ]; serverAliases = [ "sonarr-local.${domain}" ];
extraConfig = localRedirect "sonarr-local.${lib.my.kelder.domain}"; extraConfig = localRedirect "sonarr-local.${domain}";
locations."/" = { locations."/" = {
proxyPass = "${acquisition}:8989"; proxyPass = "${acquisition}:8989";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = lib.my.nginx.proxyHeaders; extraConfig = proxyHeaders;
}; };
}; };
"cloud.${lib.my.kelder.domain}" = { "cloud.${domain}" = {
serverAliases = [ "cloud-local.${lib.my.kelder.domain}" ]; serverAliases = [ "cloud-local.${domain}" ];
}; };
}; };
defaultsFor = mapAttrs (n: _: { defaultsFor = mapAttrs (n: _: {
onlySSL = mkDefault true; onlySSL = mkDefault true;
useACMEHost = mkDefault lib.my.kelder.domain; useACMEHost = mkDefault domain;
kTLS = mkDefault true; kTLS = mkDefault true;
http2 = mkDefault true; http2 = mkDefault true;
}); });

15
nixos/boxes/kelder/default.nix
View File

@@ -1,7 +1,7 @@
{ lib, ... }: { lib, ... }:
let let
inherit (lib.my) net; inherit (lib.my) net;
inherit (lib.my.kelder) domain prefixes; inherit (lib.my.c.kelder) domain prefixes;
in in
{ {
imports = [ ./containers ]; imports = [ ./containers ];
@@ -14,7 +14,7 @@ in
assignments = { assignments = {
estuary = { estuary = {
ipv4 ={ ipv4 ={
address = net.cidr.host 0 lib.my.colony.prefixes.vip2; address = net.cidr.host 0 lib.my.c.colony.prefixes.vip2;
mask = 32; mask = 32;
gateway = null; gateway = null;
}; };
@@ -85,7 +85,7 @@ in
}; };
users = { users = {
groups = with lib.my.kelder.groups; { groups = with lib.my.c.kelder.groups; {
storage.gid = storage; storage.gid = storage;
media.gid = media; media.gid = media;
}; };
@@ -150,7 +150,7 @@ in
}; };
networking = { networking = {
domain = lib.my.kelder.domain; inherit domain;
}; };
system.nixos.distroName = "KelderOS"; system.nixos.distroName = "KelderOS";
@@ -180,7 +180,7 @@ in
{ {
wireguardPeerConfig = { wireguardPeerConfig = {
PublicKey = "bP1XUNxp9i8NLOXhgPaIaRzRwi5APbam44/xjvYcyjU="; PublicKey = "bP1XUNxp9i8NLOXhgPaIaRzRwi5APbam44/xjvYcyjU=";
Endpoint = "estuary-vm.${lib.my.colony.domain}:${toString lib.my.kelder.vpn.port}"; Endpoint = "estuary-vm.${lib.my.c.colony.domain}:${toString lib.my.c.kelder.vpn.port}";
AllowedIPs = [ "0.0.0.0/0" ]; AllowedIPs = [ "0.0.0.0/0" ];
PersistentKeepalive = 25; PersistentKeepalive = 25;
}; };
@@ -270,7 +270,6 @@ in
config.name = "kontent"; config.name = "kontent";
}; };
#deploy.generate.system.mode = "boot";
#deploy.node.hostname = "10.16.9.21"; #deploy.node.hostname = "10.16.9.21";
secrets = { secrets = {
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFvUdJshXkqmchEgkZDn5rgtZ1NO9vbd6Px+S6YioWi"; key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFvUdJshXkqmchEgkZDn5rgtZ1NO9vbd6Px+S6YioWi";
@@ -311,7 +310,7 @@ in
chain prerouting { chain prerouting {
type filter hook prerouting priority mangle; policy accept; type filter hook prerouting priority mangle; policy accept;
ip daddr ${assignments.estuary.ipv4.address} ct state new ct mark set ${toString dnatMark} ip daddr ${assignments.estuary.ipv4.address} ct state new ct mark set ${toString dnatMark}
ip saddr ${lib.my.kelder.prefixes.all.v4} ct mark != 0 meta mark set ct mark ip saddr ${lib.my.c.kelder.prefixes.all.v4} ct mark != 0 meta mark set ct mark
} }
chain output { chain output {
type filter hook output priority mangle; policy accept; type filter hook output priority mangle; policy accept;
@@ -320,7 +319,7 @@ in
} }
table inet nat { table inet nat {
chain postrouting { chain postrouting {
ip saddr ${lib.my.kelder.prefixes.all.v4} oifname et1g0 masquerade ip saddr ${lib.my.c.kelder.prefixes.all.v4} oifname et1g0 masquerade
} }
} }
''; '';

2
nixos/installer.nix
View File

@@ -39,7 +39,7 @@
environment.sessionVariables = { environment.sessionVariables = {
INSTALL_ROOT = installRoot; INSTALL_ROOT = installRoot;
}; };
users.users.root.openssh.authorizedKeys.keyFiles = [ lib.my.sshKeyFiles.deploy ]; users.users.root.openssh.authorizedKeys.keyFiles = [ lib.my.c.sshKeyFiles.deploy ];
home-manager.users.root = { home-manager.users.root = {
programs = { programs = {
starship.settings = { starship.settings = {

2
nixos/modules/common.nix
View File

@@ -47,7 +47,7 @@ in
#"https://nix-cache.nul.ie" #"https://nix-cache.nul.ie"
"https://cache.nixos.org" "https://cache.nixos.org"
]; ];
trusted-public-keys = lib.my.nix.cacheKeys; trusted-public-keys = lib.my.c.nix.cacheKeys;
}; };
registry = { registry = {
pkgs = { pkgs = {

2
nixos/modules/deploy-rs.nix
View File

@@ -86,7 +86,7 @@ in
options.my.deploy = with lib.types; { options.my.deploy = with lib.types; {
authorizedKeys = { authorizedKeys = {
keys = mkOpt' (listOf singleLineStr) [ ] "SSH public keys to add to the default deployment user."; keys = mkOpt' (listOf singleLineStr) [ ] "SSH public keys to add to the default deployment user.";
keyFiles = mkOpt' (listOf path) [ lib.my.sshKeyFiles.deploy ] "SSH public key files to add to the default deployment user."; keyFiles = mkOpt' (listOf path) [ lib.my.c.sshKeyFiles.deploy ] "SSH public key files to add to the default deployment user.";
}; };
enable = mkBoolOpt' true "Whether to expose deploy-rs configuration for this system."; enable = mkBoolOpt' true "Whether to expose deploy-rs configuration for this system.";

2
nixos/modules/network.nix
View File

@@ -6,7 +6,7 @@ in
config = mkMerge [ config = mkMerge [
{ {
networking = { networking = {
domain = mkDefault "int.${lib.my.pubDomain}"; domain = mkDefault "int.${lib.my.c.pubDomain}";
useDHCP = false; useDHCP = false;
enableIPv6 = mkDefault true; enableIPv6 = mkDefault true;
useNetworkd = mkDefault true; useNetworkd = mkDefault true;

25
nixos/modules/tmproot.nix
View File

@@ -256,6 +256,18 @@ in
my.tmproot.persistence.config.files = my.tmproot.persistence.config.files =
concatMap (k: [ k.path "${k.path}.pub" ]) config.services.openssh.hostKeys; concatMap (k: [ k.path "${k.path}.pub" ]) config.services.openssh.hostKeys;
}) })
(mkIf config.services.lvm.enable {
my.tmproot.persistence.config.directories = [
{
directory = "/etc/lvm/archive";
mode = "0700";
}
{
directory = "/etc/lvm/backup";
mode = "0700";
}
];
})
(mkIf (config.security.acme.certs != { }) { (mkIf (config.security.acme.certs != { }) {
my.tmproot.persistence.config.directories = [ my.tmproot.persistence.config.directories = [
{ {
@@ -424,6 +436,19 @@ in
"/var/lib/samba" "/var/lib/samba"
]; ];
}) })
(mkIf config.hardware.rasdaemon.enable {
my.tmproot.persistence.config.directories = [ "/var/lib/rasdaemon" ];
})
(mkIf (config.services.gitea-actions-runner.instances != { }) {
my.tmproot.persistence.config.directories = [
{
directory = "/var/lib/gitea-runner";
mode = "0750";
user = "gitea-runner";
group = "gitea-runner";
}
];
})
])) ]))
]); ]);

2
nixos/modules/user.nix
View File

@@ -41,7 +41,7 @@ in
shell = shell =
let shell = cfg.homeConfig.my.shell; let shell = cfg.homeConfig.my.shell;
in mkIf (shell != null) (mkDefault' shell); in mkIf (shell != null) (mkDefault' shell);
openssh.authorizedKeys.keyFiles = [ lib.my.sshKeyFiles.me ]; openssh.authorizedKeys.keyFiles = [ lib.my.c.sshKeyFiles.me ];
}; };
homeConfig = { homeConfig = {
# In order for this option to evaluate on its own, home-manager expects the `name` (which is derived from the # In order for this option to evaluate on its own, home-manager expects the `name` (which is derived from the

16
secrets/chatterbox/syncv3.env.age Normal file
View File

@@ -0,0 +1,16 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFpCM2U2USBYUTlr
Mm1ubFFPTHhhb3NERHJPaXoxamt5bUtqQmRkUTFGZCsvaUtyZGdrCmVNUEtrSTVQ
MkdHWnd1OTNSN3lOaFdrdWsxUHM2S0VZVlNRWGt4R0FyZ0UKLT4gWDI1NTE5IFNZ
QUhpVU04WWpEZThEaE82WDJvT3NVVWxNRVFEZjluVW8rbGhOQ0Rua0kKOWlZYlFh
RjduNDAwS0NJa0lPNmx6dmIvdmFtcXJyaG5FQ2hVU01qby9sTQotPiBVJjEhLWdy
ZWFzZSBOYyllZE4KV0lYMmErd3RvUWp1UVRvdlpKTUZWWlJHK1laN2FoZGh2aVlM
dTdLbWZsVkozVTBwb2JyeGpFMy9FcjR0eDhxQQpUL05uT2ZSUytNV01wMjFYRWZL
NTRkSmlkcUl4LzJYTDQwMm43cVJVeTdkY0dxdkI1ZjA3Z2NoU3NBCi0tLSB4Y3lV
UVphTEtIWFhVQ1h4MUZzNDYzSEhDUFpMcE1ZdFNtd1A2Rk5lMUhRCp/F11nGICQA
L5uInKKk8jVGzpG93U4Kz3zut6jGF/is4cVuvkRHZLKiUVC4kILirdinnbxlJY2Y
Gkpef0zthmNhfFhsgjj5Tmxyiu1L+6GkY0z2GlKR8uRUG4bXsDQzDkZQm8Wcmrrt
9lG04SI0Dj7Gc2HJEwjl7ZPBi9qnFU49on+/Y5DIpzTllgE7luduFLjLM2Q+kNGK
cU8cF+gvrpyAFytiUZ3jhATtXsqC0dzsugjj8pmT1WQzZd6iqVJ84G2pMg+boVyn
aVLGrcn3qOnIIJLKrYEjyxSYMGs=
-----END AGE ENCRYPTED FILE-----

11
secrets/gitea/actions-runner.env.age Normal file
View File

@@ -0,0 +1,11 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IC9FSlh2ZyA0Ynpx
ZU84aTNsaCsrd0ZXRHQxZmt6dnpGNUViQlhJSEs2d0lVQWhWN3gwCi9KQmJPN092
Tjl5UjFNeWtsdXhtNjhFdlNrS0Ezb1lqT1NjNDY2ZXd1cFUKLT4gWDI1NTE5IFRT
Rld4NUNOaHB0b0l2eTQ5STB5V0dnZS9YUjF1RTZ5VndDaW5SYzg3aU0KcU9jbDlx
czZkVm5pUVlmdEw1MEVheU9QN3hpRzlUbFR1WTdNOEpKU3lNTQotPiBkXDItZ3Jl
YXNlCnQrY3FaendQNVF6RXNUWGZ4TE81QXJycC9kVTZjMDY4dnVLVkhIVWlMSlRS
NjRsL0o0YVlUUQotLS0gY0tlekNPbzdaa1EySlA2bkdqbmRMbUhUVm01NjJ1MEgv
K2dqcDhQL3BCdwpUfh9ODJOtZ0jkeOSdCj17XbuALje7tBa41o2nl6at+WIgiodJ
xZ+COxUZ4W1ehK2Nrjqe0zGL08JwHB3vt3Y5oitdlrjZcQRsBmM/GRKu
-----END AGE ENCRYPTED FILE-----

10
secrets/gitea/db.txt.age Normal file
View File

@@ -0,0 +1,10 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEJhUWxSZyBRK3Zp
OTVnQ2lZRzloWE1hYmxMYWZERDdXL0pTdFVGYUN3Vk0wbkhBWTFBCkg1YkVidmwy
ZVhDSWJOTXB6Qmw5OXNVU0RVUlFyQkE4MVE2eUp6ZXZBOHMKLT4gWDI1NTE5IG9u
YUMxZkhHc0RVZkQ3UEEvazArRnl5NGpvTkJPRWdFbm9qYzdjZjNZZ28KRU1FdmMz
cVlzbHRFWUZqbkw2Ry9QVXppTFdNRTIwWnJBYzc0NUxieUMvRQotPiAxbn4nYSxC
LWdyZWFzZSBNRyAxO0EgVDoKQklPUS93Ci0tLSBoTXhqZ2VjNTlOVzdBN25CeUdD
VFJtT2pDWi9taXh1SHpNTG9oeHJsbE9jCgGD+69tbzN5f1FlBBSMb/2GgJW2cmXI
97MXqA888ugf0vppdqy5yu+D4GdjoIvkKv0=
-----END AGE ENCRYPTED FILE-----

11
secrets/gitea/mail.txt.age Normal file
View File

@@ -0,0 +1,11 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEJhUWxSZyBGekxK
ZFVBQkpTeGtzcHJuektzS0hPUFBIelg5UzQvVzg3SXJmSE9NbG5nCjFMbDBMcmFw
dG9xaHpGV2RvZDg3WjRueTZtUGR3TnUyZE8yM1Rhdi83MGcKLT4gWDI1NTE5IGRu
Ry9ZNVIyWEYvcWhCOWx0eEVVcnFaYm5IK3Fhc1Z1Ykg0VDFEbE0wU28KcnFGN3Rs
bEtUazc3dkFCMEN2V2hTNFhlK2Z0OWQyNjNjaW5kbVU2OVozQQotPiAlfj84LWdy
ZWFzZSBNLzc9fUcgNi5nKCBdRk50dSB1ClJkdmx0VjVUK0o3cmxrY1JycktXVkFS
Yk10a3plZmsKLS0tIEVzUEhoUEE5TkZFK01BckxpZ0tKV2hZRERRbnFQUnlXRjQx
RExPb1B3dHMKUaxZI1wEt10kHnWMgn3Na0UVpn/bhGpwXpToyH0Gzdjy5mQiPvcl
X8RKm1wpkrLhXA==
-----END AGE ENCRYPTED FILE-----