diff --git a/hosts/brontes/configuration.nix b/hosts/brontes/configuration.nix index 460f105..4a083e0 100644 --- a/hosts/brontes/configuration.nix +++ b/hosts/brontes/configuration.nix @@ -1,15 +1,8 @@ # vim:fileencoding=utf-8:foldmethod=marker -{ - pkgs, - inputs, - username, - ... -}: +{ pkgs, username, ... }: { imports = [ - # Include the results of the hardware scan. ./hardware-configuration.nix - ../../modules ./home.nix ]; @@ -20,7 +13,10 @@ age.secrets.rustypaste = { file = ../../secrets/rustypaste.age; + mode = "440"; + group = "wheel"; }; + #: Power Consumption {{{ services.logind = { powerKey = "hibernate"; diff --git a/hosts/default.nix b/hosts/default.nix index 31871a1..b7db1d6 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -1,41 +1,49 @@ { inputs, withSystem, ... }: let inherit (inputs.self.lib.my) mkSystem; + inherit (inputs.self.lib) listToAttrs; + + mkSystem' = sys: { + name = sys.hostname; + value = mkSystem ({ inherit withSystem; } // sys); + }; in { - flake.nixosConfigurations = { - marr = mkSystem { - inherit withSystem; + flake.nixosConfigurations = listToAttrs [ + (mkSystem' { hostname = "marr"; system = "x86_64-linux"; extraModules = [ inputs.agenix.nixosModules.default ]; - }; + }) - brontes = mkSystem { - inherit withSystem; + (mkSystem' { hostname = "brontes"; system = "x86_64-linux"; extraModules = [ inputs.agenix.nixosModules.default ]; - }; + }) - shan = mkSystem { - inherit withSystem; + (mkSystem' { hostname = "shan"; system = "x86_64-linux"; extraModules = [ inputs.disko.nixosModules.disko inputs.agenix.nixosModules.default ]; - }; + }) - raptus = mkSystem { - inherit withSystem; + (mkSystem' { hostname = "raptus"; system = "x86_64-linux"; extraModules = [ inputs.disko.nixosModules.disko inputs.agenix.nixosModules.default ]; - }; - }; + }) + + (mkSystem' { + hostname = "nihilus"; + system = "aarch64-linux"; + extraModules = [ ]; + }) + ]; } 
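Review bot: `group = "wheel";` on age.secrets.rustypaste, combined with `mode = "440";`, makes the decrypted secret readable by every member of the administrative group rather than only the process that consumes it; a dedicated group for that consumer keeps the grant at least privilege. Nothing in the hunk shows which user or service actually reads the file, so the choice should at least be recorded next to it, e.g. `# 440/wheel: readable by <consumer> — TODO confirm who needs this`. The enclosing attribute set continues outside the hunk.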
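Review bot: The new `nihilus` entry passes `extraModules = [ ];`, so unlike the four existing hosts it does not import `inputs.agenix.nixosModules.default`; if hosts/nihilus/configuration.nix declares any `age.secrets`, evaluation will fail on an undefined option. If that host is meant to carry no secrets, a comment on the entry saying so stops the next reader from adding one, e.g. `# no agenix module: nihilus holds no secrets`. `listToAttrs` is taken from `inputs.self.lib`, which presumably re-exports the nixpkgs function — that lib is not in this diff, so I cannot confirm it.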
diff --git a/hosts/marr/configuration.nix b/hosts/marr/configuration.nix index 4d161e3..06d9243 100644 --- a/hosts/marr/configuration.nix +++ b/hosts/marr/configuration.nix @@ -9,7 +9,6 @@ { imports = [ ./hardware-configuration.nix - ../../modules ./home.nix ]; diff --git a/hosts/raptus/configuration.nix b/hosts/raptus/configuration.nix index 42042ae..cc1619e 100644 --- a/hosts/raptus/configuration.nix +++ b/hosts/raptus/configuration.nix @@ -17,7 +17,6 @@ in ./rustypaste ./forgejo ./headscale.nix - ../../modules ]; age.secrets = { @@ -29,15 +28,21 @@ in efiSupport = true; efiInstallAsRemovable = true; }; + + modules.services.tailscale = { + enable = true; + tags = [ "server" ]; + extraFlags = [ "--accept-dns=false" ]; # Want to disable that since *server* can't access the private dns... for now + }; + services.headscale.enable = true; + networking.firewall = lib.mkForce { enable = true; allowedTCPPorts = [ 80 # for acme challenges 443 - 3000 # forgejo - 8000 # rustypaste - ] ++ config.services.openssh.ports ++ [ config.services.endlessh.port ]; + ] ++ [ config.services.endlessh.port ]; }; age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; @@ -56,11 +61,6 @@ in ]; }; - services.openssh = { - enable = true; - ports = [ 56528 ]; - }; - services.endlessh = { enable = true; port = 22; @@ -71,10 +71,5 @@ in pkgs.gitMinimal ]; - users.users = { - root.openssh.authorizedKeys.keys = [ pubkeys.ny ]; - ny.openssh.authorizedKeys.keys = [ pubkeys.ny ]; - }; - system.stateVersion = "24.11"; } diff --git a/hosts/raptus/headscale.nix b/hosts/raptus/headscale.nix index f95b2ea..0fc20a3 100644 --- a/hosts/raptus/headscale.nix +++ b/hosts/raptus/headscale.nix 
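Review bot: With `services.openssh` removed later in this file and its port no longer in the firewall, the only remaining administrative path into raptus is Tailscale SSH (the module's default `--ssh` flag) brokered by the headscale instance that `services.headscale.enable = true;` runs on this same host; an outage of headscale or tailscaled here therefore locks the operator out, and the hunk documents no recovery path. Stating the intended fallback (console, provider rescue mode, or a deliberately kept break-glass sshd) in a comment next to `modules.services.tailscale` would make that dependency explicit. Dropping 3000 and 8000 from `allowedTCPPorts`, presumably so forgejo and rustypaste are reachable only through the proxy or tailnet, is a welcome tightening if that is the intent. The enclosing `networking.firewall` set continues outside the hunk.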
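Review bot: Removing `services.openssh` also removes the sshd unit whose pre-start generates the host keys in `services.openssh.hostKeys`, while `age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` earlier in this file still expects that file; the running host keeps its existing key, but a fresh install (this host uses disko) would have no identity and every age secret would fail to decrypt. Either keep the key generation explicit or point agenix at an identity that is provisioned independently, and say which in a comment on `age.identityPaths`. The raptus recipient in secrets/secrets.nix is presumably that same public key, so a regenerated key would also require a rekey of every secret.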
@@ -49,6 +49,35 @@ mkIf config.services.headscale.enable { nameservers = [ "100.64.0.4" ]; + extra_records = + let + mkRecords = map (sub: { + name = "${sub}.ccnlc.eu"; + type = "A"; + value = "100.64.0.4"; + }); + in + [ + { + name = "ccnlc.eu"; + type = "A"; + value = "100.64.0.4"; + } + ] + # Tailscale doesn't seem to support wildcard A/AAAA records + # - https://github.com/juanfont/headscale/issues/2159#issuecomment-2393406444 + ++ mkRecords [ + "immich" + "adguard" + "nextcloud" + "kitchenowl" + "navidrome" + "subsonic" + "nextcloud" + "paperless" + "truenas" + "fritz" + ]; }; }; }; diff --git a/hosts/shan/configuration.nix b/hosts/shan/configuration.nix index e504ba0..10740a0 100644 --- a/hosts/shan/configuration.nix +++ b/hosts/shan/configuration.nix @@ -9,7 +9,6 @@ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ./disk-config.nix - ../../modules ./adguard.nix ]; @@ -27,10 +26,15 @@ }; modules = { - container.kitchenowl = { - enable = true; - openFirewall = true; - version = "v0.5.2"; + container = { + kitchenowl = { + enable = true; + openFirewall = true; + version = "v0.5.2"; + }; + nginxproxymanager = { + enable = true; + }; }; server = { diff --git a/modules/default.nix b/modules/default.nix index c8d308d..bf6155d 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -24,5 +24,6 @@ ./nix ./themes + ./commons ]; } diff --git a/options/container/default.nix b/options/container/default.nix index 79c3ae1..e96acb7 100644 --- a/options/container/default.nix +++ b/options/container/default.nix @@ -4,7 +4,10 @@ let inherit (lib) mkIf mkEnableOption; in { - imports = [ ./kitchenowl ]; + imports = [ + ./kitchenowl + ./nginxproxymanager.nix + ]; options.modules.container = { enable = mkEnableOption "container support"; diff --git a/options/container/kitchenowl/default.nix b/options/container/kitchenowl/default.nix index 9512505..e515f7a 100644 --- a/options/container/kitchenowl/default.nix +++ b/options/container/kitchenowl/default.nix 
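Review bot: `"nextcloud"` appears twice in the list passed to `mkRecords`, so `extra_records` will contain two identical A records for nextcloud.ccnlc.eu; drop the second occurrence (or apply `lib.unique` before mapping) so a duplicate-record conflict in headscale cannot surface later. The address `100.64.0.4` is repeated three times in the hunk (nameservers, apex record, `mkRecords`); binding it once in the `let`, e.g. `target = "100.64.0.4";`, keeps the apex and subdomain records from drifting apart. The enclosing attribute set opens outside the hunk.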
@@ -11,7 +11,7 @@ let in { options.modules.container.kitchenowl = { - enable = mkEnableOption "Whether to enable the kitchenowl container"; + enable = mkEnableOption "kitchenowl container"; port = mkOption { type = port; default = 82; diff --git a/options/container/nginxproxymanager.nix b/options/container/nginxproxymanager.nix new file mode 100644 index 0000000..3ee37cf --- /dev/null +++ b/options/container/nginxproxymanager.nix 
@@ -0,0 +1,129 @@ +{ + lib, + config, + pkgs, + ... +}: +let + inherit (lib) mkIf mkEnableOption mkOption; + inherit (lib.types) port; + + cfg = config.modules.container.nginxproxymanager; + mkPortOption = + portNr: desc: + mkOption { + type = port; + default = portNr; + description = desc; + }; +in +{ + options.modules.container.nginxproxymanager = { + enable = mkEnableOption "Nginx Proxy Manager container"; + + ports = { + http = mkPortOption 80 "Port for http access"; + https = mkPortOption 443 "Port for https access"; + web = mkPortOption 81 "Port for the webpage"; + }; + }; + + config = mkIf cfg.enable { + modules.container.enable = true; + + # Containers + virtualisation.oci-containers.containers."nginxproxymanager" = { + image = "jc21/nginx-proxy-manager:latest"; + volumes = [ + "nginx_letsencrypt:/etc/letsencrypt:rw" + "nginx_nginx:/data:rw" + ]; + ports = [ + "${toString cfg.ports.http}:80/tcp" + "${toString cfg.ports.web}:81/tcp" + "${toString cfg.ports.https}:443/tcp" + ]; + log-driver = "journald"; + extraOptions = [ + "--network-alias=nginxproxymanager" + "--network=nginx_default" + ]; + }; + + #: Systemd services {{{ + systemd = { + services = { + "podman-nginxproxymanager" = { + serviceConfig = { + Restart = lib.mkOverride 500 "always"; + }; + after = [ + "podman-network-nginx_default.service" + "podman-volume-nginx_letsencrypt.service" + "podman-volume-nginx_nginx.service" + ]; + requires = [ + "podman-network-nginx_default.service" + "podman-volume-nginx_letsencrypt.service" + "podman-volume-nginx_nginx.service" + ]; + partOf = [ + "podman-compose-nginx-root.target" + ]; + wantedBy = [ + "podman-compose-nginx-root.target" + ]; + }; + + # Networks + "podman-network-nginx_default" = { + path = [ pkgs.podman ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStop = "podman network rm -f nginx_default"; + }; + script = '' + podman network inspect nginx_default || podman network create nginx_default + ''; + partOf = [ 
"podman-compose-nginx-root.target" ]; + wantedBy = [ "podman-compose-nginx-root.target" ]; + }; + + # Volumes + "podman-volume-nginx_letsencrypt" = { + path = [ pkgs.podman ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + script = '' + podman volume inspect nginx_letsencrypt || podman volume create nginx_letsencrypt + ''; + partOf = [ "podman-compose-nginx-root.target" ]; + wantedBy = [ "podman-compose-nginx-root.target" ]; + }; + "podman-volume-nginx_nginx" = { + path = [ pkgs.podman ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + script = '' + podman volume inspect nginx_nginx || podman volume create nginx_nginx + ''; + partOf = [ "podman-compose-nginx-root.target" ]; + wantedBy = [ "podman-compose-nginx-root.target" ]; + }; + }; + targets."podman-compose-nginx-root" = { + unitConfig = { + Description = "Root target generated by compose2nix."; + }; + wantedBy = [ "multi-user.target" ]; + }; + }; + #: }}} + }; + +} diff --git a/options/services/tailscale.nix b/options/services/tailscale.nix index 8dd3089..239f72b 100644 --- a/options/services/tailscale.nix +++ b/options/services/tailscale.nix @@ -43,6 +43,11 @@ in type = listOf str; default = [ "--ssh" ]; }; + + extraFlags = mkOption { + type = listOf str; + default = [ ]; + }; }; config = mkIf cfg.enable { @@ -50,6 +55,7 @@ in enable = true; extraUpFlags = concatLists [ cfg.defaultFlags + cfg.extraFlags ( mkIf cfg.tags != [ ] [ "--advertise-tags" diff --git a/parts/lib/functions.nix b/parts/lib/functions.nix index 4475ef0..b0b767a 100644 --- a/parts/lib/functions.nix +++ b/parts/lib/functions.nix @@ -32,7 +32,7 @@ in modules = [ "${self}/hosts/${hostname}/configuration.nix" "${self}/options" - "${self}/modules/commons" + "${self}/modules" { networking.hostName = hostname; } ] ++ extraModules; specialArgs = { 
diff --git a/secrets/adguard-dns-list.age b/secrets/adguard-dns-list.age index 90d3d30..6649fa4 100644 Binary files a/secrets/adguard-dns-list.age and b/secrets/adguard-dns-list.age differ diff --git a/secrets/couchdb.age b/secrets/couchdb.age index 698b1c5..4168bc2 100644 --- a/secrets/couchdb.age +++ b/secrets/couchdb.age @@ -1,10 +1,11 @@ age-encryption.org/v1 --> ssh-ed25519 biwZXw Adz1IbWLQ7LnJlNGRlIhTQq0jJ0frIR+L0aGcE0d5nk -xUGt5Us/cAU9JVeLv0Ia8peWZLct8YW9i+77IgiU2cI --> ssh-ed25519 b3HlPA iVld+xe6mvJMzAvmjPOTahcUSqOE0uGS/2GdQc0dSTQ -EG+h6L5v/KW3miD4Hy4goco2e507GOZKsHCE2kT5ERQ --> ssh-ed25519 cdUqUg FNFD1htaxYDyhn/xBg1l/WnAytplKlzPWWI5zu7ntVc -1IsEr/7H5fdtJII39pkktikJ/qwUn2eZ+/BowOVwkDo ---- tcg5/OhNjGKdd4nIYE1o5z6tY4W/eoA4OjgNvdFi4gM -z<K4 '`> 2TOuj*B2.pTt\ -X@׼}MU3^{B4j=]Af8ιSQ}$0; \ No newline at end of file +-> ssh-ed25519 biwZXw M19MPetxrj5viO9n3YQ80hEObhyJg5IZnNycR3Wzqk4 +YBOWqQzb+zU8tSwEcrsr/ocPj6kzSly2wbJq0WK+gDM +-> ssh-ed25519 b3HlPA Z01OXca+e/XNFR0V9hPlCMZaQUdmbDfIqhQvLSfF5is +bjPwLeKSzatDDIjAaKh1q4ZdgEvHB82EyC4hSzS4qXE +-> ssh-ed25519 cdUqUg 97W5cmHE/PS0MAlel2MDdzYJVinRVxBkigbV+c/xLRk +UyMUJYb+782FZEbuCcn4xj62bCLaYSBLD5714xpQN4c +-> ssh-ed25519 a1hgwg +kQW6lvFa/sTuU91My1NepIasAFnscjluc3z3zyHWws +rx/jQxCiC6sjGeXYeZcW0+UxkQr8uHNJKCGPxvH9GqQ +--- VGD7NEIKcPMDhDKCGXKP+kXXf1YIPIK/y64k5e4YFTs +bwXm ws hF1ɭ+Zܠ}LY Zݍfgq]̃txۯ`w)Y%u^_v8QZfqu:g1 V!’A[e{Tn -f \ No newline at end of file diff --git a/secrets/navidrome.age b/secrets/navidrome.age index eedc7ef..5e4c32b 100644 Binary files a/secrets/navidrome.age and b/secrets/navidrome.age differ diff --git a/secrets/rustypaste.age b/secrets/rustypaste.age index 6ac8426..8dba28c 100644 Binary files a/secrets/rustypaste.age and b/secrets/rustypaste.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 0c7b49e..327e512 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -3,6 +3,7 @@ let marr = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILMh2nUUKt3xsKiwZUuo6HgvR3lr7rRAl0SOH/502sFP"; brontes = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICgknH3OPazZNhH5xkYfXBcYpI3TXj/eRp0/zzjtVJBf"; shan = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPnASO1+h9tUYsNrsePcmxFLpKBkyCXbcZB9W7f5Yt5U"; + ny = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMvPqWPXEUOSMGMIRmirQfbrzq//NkPlEI2TmFpIkSfw"; devices = [ marr raptus @@ -12,7 +13,7 @@ let in { "couchdb.age".publicKeys = devices; - "rustypaste.age".publicKeys = devices; + "rustypaste.age".publicKeys = devices ++ [ ny ]; "navidrome.age".publicKeys = devices; "adguard-dns-list.age".publicKeys = devices; }
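Review bot: `"rustypaste.age".publicKeys = devices ++ [ ny ];` adds a personal key (the same `ny` whose authorized key the raptus hunk removes) as a recipient alongside the host keys, so this one secret can now be decrypted outside the fleet; that is a reasonable editing convenience, but it is the only asymmetric entry, and a comment stating why, e.g. `# ny: personal key so the file can be edited without a host identity`, would keep the next rekey from dropping or generalising it by accident. Separately, the couchdb.age re-encryption earlier in this diff shows four recipients while its publicKeys line here is unchanged; if `devices` did not gain a fourth host outside this hunk, that extra recipient is worth confirming.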