feat(nginxproxymanager): add container, raptus to tailnet and remove ssh from raptus

hosts/brontes/configuration.nix

@@ -1,15 +1,8 @@
 # vim:fileencoding=utf-8:foldmethod=marker
-{
-  pkgs,
-  inputs,
-  username,
-  ...
-}:
+{ pkgs, username, ... }:
 {
   imports = [
-    # Include the results of the hardware scan.
     ./hardware-configuration.nix
-    ../../modules
     ./home.nix
   ];
 
@@ -20,7 +13,10 @@
 
   age.secrets.rustypaste = {
     file = ../../secrets/rustypaste.age;
+    mode = "440";
+    group = "wheel";
   };
+
   #: Power Consumption {{{
   services.logind = {
     powerKey = "hibernate";

hosts/default.nix

@@ -1,41 +1,49 @@
 { inputs, withSystem, ... }:
 let
   inherit (inputs.self.lib.my) mkSystem;
+  inherit (inputs.self.lib) listToAttrs;
+
+  mkSystem' = sys: {
+    name = sys.hostname;
+    value = mkSystem ({ inherit withSystem; } // sys);
+  };
 in
 {
-  flake.nixosConfigurations = {
-    marr = mkSystem {
-      inherit withSystem;
+  flake.nixosConfigurations = listToAttrs [
+    (mkSystem' {
       hostname = "marr";
       system = "x86_64-linux";
       extraModules = [ inputs.agenix.nixosModules.default ];
-    };
+    })
 
-    brontes = mkSystem {
-      inherit withSystem;
+    (mkSystem' {
       hostname = "brontes";
       system = "x86_64-linux";
       extraModules = [ inputs.agenix.nixosModules.default ];
-    };
+    })
 
-    shan = mkSystem {
-      inherit withSystem;
+    (mkSystem' {
       hostname = "shan";
       system = "x86_64-linux";
       extraModules = [
         inputs.disko.nixosModules.disko
         inputs.agenix.nixosModules.default
       ];
-    };
+    })
 
-    raptus = mkSystem {
-      inherit withSystem;
+    (mkSystem' {
       hostname = "raptus";
       system = "x86_64-linux";
       extraModules = [
         inputs.disko.nixosModules.disko
         inputs.agenix.nixosModules.default
       ];
-    };
-  };
+    })
+
+    (mkSystem' {
+      hostname = "nihilus";
+      system = "aarch64-linux";
+      extraModules = [ ];
+    })
+  ];
 }

hosts/marr/configuration.nix

@@ -9,7 +9,6 @@
 {
   imports = [
     ./hardware-configuration.nix
-    ../../modules
     ./home.nix
   ];
 

hosts/raptus/configuration.nix

@@ -17,7 +17,6 @@ in
     ./rustypaste
     ./forgejo
     ./headscale.nix
-    ../../modules
   ];
 
   age.secrets = {
@@ -29,15 +28,21 @@ in
     efiSupport = true;
     efiInstallAsRemovable = true;
   };
+
+  modules.services.tailscale = {
+    enable = true;
+    tags = [ "server" ];
+    extraFlags = [ "--accept-dns=false" ]; # Want to disable that since *server* can't access the private dns... for now
+  };
+
   services.headscale.enable = true;
+
   networking.firewall = lib.mkForce {
     enable = true;
     allowedTCPPorts = [
       80 # for acme challenges
       443
-      3000 # forgejo
-      8000 # rustypaste
-    ] ++ config.services.openssh.ports ++ [ config.services.endlessh.port ];
+    ] ++ [ config.services.endlessh.port ];
   };
 
   age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
@@ -56,11 +61,6 @@ in
     ];
   };
 
-  services.openssh = {
-    enable = true;
-    ports = [ 56528 ];
-  };
-
   services.endlessh = {
     enable = true;
     port = 22;
@@ -71,10 +71,5 @@ in
     pkgs.gitMinimal
   ];
 
-  users.users = {
-    root.openssh.authorizedKeys.keys = [ pubkeys.ny ];
-    ny.openssh.authorizedKeys.keys = [ pubkeys.ny ];
-  };
-
   system.stateVersion = "24.11";
 }

hosts/raptus/headscale.nix

@@ -49,6 +49,35 @@ mkIf config.services.headscale.enable {
           nameservers = [
             "100.64.0.4"
           ];
+          extra_records =
+            let
+              mkRecords = map (sub: {
+                name = "${sub}.ccnlc.eu";
+                type = "A";
+                value = "100.64.0.4";
+              });
+            in
+            [
+              {
+                name = "ccnlc.eu";
+                type = "A";
+                value = "100.64.0.4";
+              }
+            ]
+            # Tailscale doesn't seem to support wildcard A/AAAA records
+            # - https://github.com/juanfont/headscale/issues/2159#issuecomment-2393406444
+            ++ mkRecords [
+              "immich"
+              "adguard"
+              "nextcloud"
+              "kitchenowl"
+              "navidrome"
+              "subsonic"
+              "nextcloud"
+              "paperless"
+              "truenas"
+              "fritz"
+            ];
         };
       };
     };

hosts/shan/configuration.nix

@@ -9,7 +9,6 @@
   imports = [
     (modulesPath + "/profiles/qemu-guest.nix")
     ./disk-config.nix
-    ../../modules
     ./adguard.nix
   ];
 
@@ -27,11 +26,16 @@
   };
 
   modules = {
-    container.kitchenowl = {
+    container = {
+      kitchenowl = {
         enable = true;
         openFirewall = true;
         version = "v0.5.2";
       };
+      nginxproxymanager = {
+        enable = true;
+      };
+    };
 
     server = {
       paperless = {

modules/default.nix

@@ -24,5 +24,6 @@
 
     ./nix
     ./themes
+    ./commons
   ];
 }

options/container/default.nix

@@ -4,7 +4,10 @@ let
   inherit (lib) mkIf mkEnableOption;
 in
 {
-  imports = [ ./kitchenowl ];
+  imports = [
+    ./kitchenowl
+    ./nginxproxymanager.nix
+  ];
 
   options.modules.container = {
     enable = mkEnableOption "container support";

options/container/kitchenowl/default.nix

@@ -11,7 +11,7 @@ let
 in
 {
   options.modules.container.kitchenowl = {
-    enable = mkEnableOption "Whether to enable the kitchenowl container";
+    enable = mkEnableOption "kitchenowl container";
     port = mkOption {
       type = port;
       default = 82;

options/container/nginxproxymanager.nix

@@ -0,0 +1,129 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+let
+  inherit (lib) mkIf mkEnableOption mkOption;
+  inherit (lib.types) port;
+
+  cfg = config.modules.container.nginxproxymanager;
+  mkPortOption =
+    portNr: desc:
+    mkOption {
+      type = port;
+      default = portNr;
+      description = desc;
+    };
+in
+{
+  options.modules.container.nginxproxymanager = {
+    enable = mkEnableOption "Nginx Proxy Manager container";
+
+    ports = {
+      http = mkPortOption 80 "Port for http access";
+      https = mkPortOption 443 "Port for https access";
+      web = mkPortOption 81 "Port for the webpage";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    modules.container.enable = true;
+
+    # Containers
+    virtualisation.oci-containers.containers."nginxproxymanager" = {
+      image = "jc21/nginx-proxy-manager:latest";
+      volumes = [
+        "nginx_letsencrypt:/etc/letsencrypt:rw"
+        "nginx_nginx:/data:rw"
+      ];
+      ports = [
+        "${toString cfg.ports.http}:80/tcp"
+        "${toString cfg.ports.web}:81/tcp"
+        "${toString cfg.ports.https}:443/tcp"
+      ];
+      log-driver = "journald";
+      extraOptions = [
+        "--network-alias=nginxproxymanager"
+        "--network=nginx_default"
+      ];
+    };
+
+    #: Systemd services {{{
+    systemd = {
+      services = {
+        "podman-nginxproxymanager" = {
+          serviceConfig = {
+            Restart = lib.mkOverride 500 "always";
+          };
+          after = [
+            "podman-network-nginx_default.service"
+            "podman-volume-nginx_letsencrypt.service"
+            "podman-volume-nginx_nginx.service"
+          ];
+          requires = [
+            "podman-network-nginx_default.service"
+            "podman-volume-nginx_letsencrypt.service"
+            "podman-volume-nginx_nginx.service"
+          ];
+          partOf = [
+            "podman-compose-nginx-root.target"
+          ];
+          wantedBy = [
+            "podman-compose-nginx-root.target"
+          ];
+        };
+
+        # Networks
+        "podman-network-nginx_default" = {
+          path = [ pkgs.podman ];
+          serviceConfig = {
+            Type = "oneshot";
+            RemainAfterExit = true;
+            ExecStop = "podman network rm -f nginx_default";
+          };
+          script = ''
+            podman network inspect nginx_default || podman network create nginx_default
+          '';
+          partOf = [ "podman-compose-nginx-root.target" ];
+          wantedBy = [ "podman-compose-nginx-root.target" ];
+        };
+
+        # Volumes
+        "podman-volume-nginx_letsencrypt" = {
+          path = [ pkgs.podman ];
+          serviceConfig = {
+            Type = "oneshot";
+            RemainAfterExit = true;
+          };
+          script = ''
+            podman volume inspect nginx_letsencrypt || podman volume create nginx_letsencrypt
+          '';
+          partOf = [ "podman-compose-nginx-root.target" ];
+          wantedBy = [ "podman-compose-nginx-root.target" ];
+        };
+        "podman-volume-nginx_nginx" = {
+          path = [ pkgs.podman ];
+          serviceConfig = {
+            Type = "oneshot";
+            RemainAfterExit = true;
+          };
+          script = ''
+            podman volume inspect nginx_nginx || podman volume create nginx_nginx
+          '';
+          partOf = [ "podman-compose-nginx-root.target" ];
+          wantedBy = [ "podman-compose-nginx-root.target" ];
+        };
+      };
+      targets."podman-compose-nginx-root" = {
+        unitConfig = {
+          Description = "Root target generated by compose2nix.";
+        };
+        wantedBy = [ "multi-user.target" ];
+      };
+    };
+    #: }}}
+  };
+
+}

options/services/tailscale.nix

@@ -43,6 +43,11 @@ in
       type = listOf str;
       default = [ "--ssh" ];
     };
+
+    extraFlags = mkOption {
+      type = listOf str;
+      default = [ ];
+    };
   };
 
   config = mkIf cfg.enable {
@@ -50,6 +55,7 @@ in
       enable = true;
       extraUpFlags = concatLists [
         cfg.defaultFlags
+        cfg.extraFlags
         (
           mkIf cfg.tags != [ ] [
             "--advertise-tags"

parts/lib/functions.nix

@@ -32,7 +32,7 @@ in
         modules = [
           "${self}/hosts/${hostname}/configuration.nix"
           "${self}/options"
-          "${self}/modules/commons"
+          "${self}/modules"
           { networking.hostName = hostname; }
         ] ++ extraModules;
         specialArgs = {

secrets/couchdb.age

@@ -1,10 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 biwZXw Adz1IbWLQ7LnJlNGRlIhTQq0jJ0frIR+L0aGcE0d5nk
-xUGt5Us/cAU9JVeLv0Ia8peWZLct8YW9i+77IgiU2cI
--> ssh-ed25519 b3HlPA iVld+xe6mvJMzAvmjPOTahcUSqOE0uGS/2GdQc0dSTQ
-EG+h6L5v/KW3miD4Hy4goco2e507GOZKsHCE2kT5ERQ
--> ssh-ed25519 cdUqUg FNFD1htaxYDyhn/xBg1l/WnAytplKlzPWWI5zu7ntVc
-1IsEr/7H5fdtJII39pkktikJ/qwUn2eZ+/BowOVwkDo
---- tcg5/OhNjGKdd4nIYE1o5z6tY4W/eoA4OjgNvdFi4gM
-ßz<걶îK4µÑåó	ÖõšÏ'`®®¡ÉÁ>ý	2T®—àOuðÎjç*B°2•.pTt\
-¿´¿ XÃìÀ@©ê×¼}MU3÷^ú{ªB¸4—ÛÁj=éð©]ýAf˜È
Üì«8ιSQ}$0Š<30>°€;¤ ±â
+-> ssh-ed25519 biwZXw M19MPetxrj5viO9n3YQ80hEObhyJg5IZnNycR3Wzqk4
+YBOWqQzb+zU8tSwEcrsr/ocPj6kzSly2wbJq0WK+gDM
+-> ssh-ed25519 b3HlPA Z01OXca+e/XNFR0V9hPlCMZaQUdmbDfIqhQvLSfF5is
+bjPwLeKSzatDDIjAaKh1q4ZdgEvHB82EyC4hSzS4qXE
+-> ssh-ed25519 cdUqUg 97W5cmHE/PS0MAlel2MDdzYJVinRVxBkigbV+c/xLRk
+UyMUJYb+782FZEbuCcn4xj62bCLaYSBLD5714xpQN4c
+-> ssh-ed25519 a1hgwg +kQW6lvFa/sTuU91My1NepIasAFnscjluc3z3zyHWws
+rx/jQxCiC6sjGeXYeZcW0+UxkQr8uHNJKCGPxvH9GqQ
+--- VGD7NEIKcPMDhDKCGXKP+kXXf1YIPIK/y64k5e4YFTs
+bw¾XÁm
Ÿ‚ws	hF1É­+‡ZÜ }LY	ZÝ<5A>¯fg³°¹q]̃tüxÊÛ¯¹õ`„¶Üw)—Y%u––ÚãåÅ^_v8QZfìq­u<C2AD>:¹¶g1 VÛþ!í–Â’»A[€€Çöe{TnÕ	-f×

secrets/secrets.nix

@@ -3,6 +3,7 @@ let
   marr = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILMh2nUUKt3xsKiwZUuo6HgvR3lr7rRAl0SOH/502sFP";
   brontes = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICgknH3OPazZNhH5xkYfXBcYpI3TXj/eRp0/zzjtVJBf";
   shan = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPnASO1+h9tUYsNrsePcmxFLpKBkyCXbcZB9W7f5Yt5U";
+  ny = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMvPqWPXEUOSMGMIRmirQfbrzq//NkPlEI2TmFpIkSfw";
   devices = [
     marr
     raptus
@@ -12,7 +13,7 @@ let
 in
 {
   "couchdb.age".publicKeys = devices;
-  "rustypaste.age".publicKeys = devices;
+  "rustypaste.age".publicKeys = devices ++ [ ny ];
   "navidrome.age".publicKeys = devices;
   "adguard-dns-list.age".publicKeys = devices;
 }