From 2dbe01524dcbdaad5e32b3dc55d054049046e713 Mon Sep 17 00:00:00 2001 
From: kat witch Date: Thu, 12 Aug 2021 03:30:48 +0100 Subject: [PATCH] WIP networking overhaul --- depot/hosts/athame/nixos.nix | 33 +++--- depot/hosts/beltane/meta.nix | 1 + depot/hosts/beltane/nixos.nix | 28 +++-- depot/hosts/samhain/nixos.nix | 33 +++--- depot/modules/home/default.nix | 2 +- depot/modules/home/dns.nix | 40 ------- depot/modules/home/network.nix | 68 +++++++++++ depot/modules/nixos/default.nix | 3 +- depot/modules/nixos/dns.nix | 65 ----------- depot/modules/nixos/dyndns.nix | 4 +- depot/modules/nixos/network.nix | 148 ++++++++++++++++++++++++ depot/modules/nixos/yggdrasil.nix | 30 ----- depot/services/filehost/default.nix | 6 +- depot/services/gitea/default.nix | 12 +- depot/services/grafana/default.nix | 10 +- depot/services/jellyfin/default.nix | 19 +-- depot/services/kattv/default.nix | 49 +++++++- depot/services/mail/default.nix | 14 +-- depot/services/matrix/default.nix | 16 +-- depot/services/murmur/default.nix | 22 ++-- depot/services/netdata/default.nix | 11 +- depot/services/nfs/default.nix | 11 +- depot/services/nginx/default.nix | 2 +- depot/services/prometheus/default.nix | 8 +- depot/services/promtail/default.nix | 2 +- depot/services/radicale/default.nix | 6 +- depot/services/syncplay/default.nix | 10 +- depot/services/transmission/default.nix | 17 ++- depot/services/tvheadend/default.nix | 17 ++- depot/services/vaultwarden/default.nix | 8 +- depot/services/website/default.nix | 2 +- depot/services/weechat/default.nix | 6 +- depot/services/xmpp/default.nix | 48 ++++---- depot/trusted | 2 +- pkgs/lib/default.nix | 1 + pkgs/lib/virtual-host-gen.nix | 9 ++ 36 files changed, 446 insertions(+), 317 deletions(-) delete mode 100644 depot/modules/home/dns.nix create mode 100644 depot/modules/home/network.nix delete mode 100644 depot/modules/nixos/dns.nix create mode 100644 depot/modules/nixos/network.nix delete mode 100644 depot/modules/nixos/yggdrasil.nix create mode 100644 pkgs/lib/virtual-host-gen.nix 
diff --git a/depot/hosts/athame/nixos.nix b/depot/hosts/athame/nixos.nix index fee07c1c..5dea7df9 100644 --- a/depot/hosts/athame/nixos.nix +++ b/depot/hosts/athame/nixos.nix @@ -63,7 +63,7 @@ with lib; enp1s0 = { useDHCP = true; ipv6.addresses = [{ - address = "2a01:4f8:c2c:b7a8::1"; + address = config.network.addresses.public.ipv6.address; prefixLength = 64; }]; }; @@ -74,6 +74,22 @@ with lib; }; }; + network = { + addresses = { + public = { + enable = true; + ipv4.address = "168.119.126.111"; + ipv6.address = "2a01:4f8:c2c:b7a8::1"; + }; + }; + yggdrasil = { + enable = true; + pubkey = "55e3f29c252d16e73ac849a6039824f94df1dee670c030b9e29f90584f935575"; + listen.enable = true; + listen.endpoints = [ "tcp://${config.network.addresses.public.ipv4.address}:52969" "tcp://${config.network.addresses.public.ipv6.address}:52969" ]; + }; + }; + # Firewall kw.fw = { @@ -81,21 +97,6 @@ with lib; private.interfaces = singleton "yggdrasil"; }; - # Host-specific DNS Config - - kw.dns.ipv4 = "168.119.126.111"; - kw.dns.ipv6 = (lib.head config.networking.interfaces.enp1s0.ipv6.addresses).address; - kw.dns.isPublic = true; - - # Yggdrasil - - network.yggdrasil = { - enable = true; - pubkey = "55e3f29c252d16e73ac849a6039824f94df1dee670c030b9e29f90584f935575"; - listen.enable = true; - listen.endpoints = [ "tcp://${config.kw.dns.ipv4}:52969" ]; - }; - # State system.stateVersion = "20.09"; } diff --git a/depot/hosts/beltane/meta.nix b/depot/hosts/beltane/meta.nix index bc15391c..cc54d915 100644 --- a/depot/hosts/beltane/meta.nix +++ b/depot/hosts/beltane/meta.nix @@ -8,6 +8,7 @@ connection = { port = 62954; host = "192.168.1.223"; + #host = network.nodes.beltane.network.addresses.private.ipv4.address; }; }; }; diff --git a/depot/hosts/beltane/nixos.nix b/depot/hosts/beltane/nixos.nix index 4ba69fd7..c831d3dd 100644 --- a/depot/hosts/beltane/nixos.nix +++ b/depot/hosts/beltane/nixos.nix 
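Review bot: The second entry in the added `listen.endpoints` interpolates the IPv6 address without brackets, so it expands to `tcp://2a01:4f8:c2c:b7a8::1:52969`, which is not a parseable host:port pair; the block this replaces listed only the IPv4 endpoint. Wrap the literal: `"tcp://[${config.network.addresses.public.ipv6.address}]:52969"`. Since the address now comes from an option rather than a literal, a one-line comment above `listen.endpoints` noting that IPv6 literals in URIs need brackets would stop this from regressing when the next host copies the pattern.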
@@ -76,10 +76,27 @@ with lib; hostName = "beltane"; hostId = "3ef9a419"; useDHCP = false; - interfaces.eno1.useDHCP = true; + interfaces.eno1.ipv4.addresses = singleton { + inherit (config.network.addresses.private.ipv4) address; + prefixLength = 24; + }; + defaultGateway = config.network.privateGateway; }; - kw.dns.ipv4 = "192.168.1.223"; + network = { + addresses = { + private = { + ipv4.address = "10.1.2.2"; + # TODO ipv6.address + }; + }; + yggdrasil = { + enable = true; + pubkey = "d3e488574367056d3ae809b678f799c29ebfd5c7151bb1f4051775b3953e5f52"; + listen.enable = false; + listen.endpoints = [ "tcp://0.0.0.0:0" ]; + }; + }; # Firewall @@ -90,13 +107,6 @@ with lib; # Yggdrasil - network.yggdrasil = { - enable = true; - pubkey = "d3e488574367056d3ae809b678f799c29ebfd5c7151bb1f4051775b3953e5f52"; - # if server, enable this and set endpoint: - listen.enable = false; - listen.endpoints = [ "tcp://0.0.0.0:0" ]; - }; # State diff --git a/depot/hosts/samhain/nixos.nix b/depot/hosts/samhain/nixos.nix index 19000b6e..41240cc0 100644 --- a/depot/hosts/samhain/nixos.nix +++ b/depot/hosts/samhain/nixos.nix @@ -103,8 +103,8 @@ in { }; networks.br = { matchConfig.Name = "br"; - address = [ "192.168.1.135/24" ]; - gateway = [ "192.168.1.254" ]; + address = singleton "${config.network.addresses.private.ipv4.address}/24" ; + gateway = singleton config.network.privateGateway; }; netdevs.br = { netdevConfig = { @@ -117,6 +117,21 @@ in { services.avahi.enable = true; + network = { + addresses = { + private = { + ipv4.address = "10.1.2.3"; + }; + }; + dns.dynamic = true; + yggdrasil = { + enable = true; + pubkey = "a7110d0a1dc9ec963d6eb37bb6922838b8088b53932eae727a9136482ce45d47"; + listen.enable = false; + listen.endpoints = [ "tcp://0.0.0.0:0" ]; + }; + }; + # Firewall kw.fw = { 
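Review bot: `defaultGateway = config.network.privateGateway;` in the `networking` block duplicates what the new nixos network module in this patch sets (`networking.defaultGateway = cfg.privateGateway` under `mkIf cfg.addresses.private.enable`); `private.ipv4.address` is defined here, so that branch is active and this line can go. Replacing `interfaces.eno1.useDHCP = true` with a static address also drops the DHCP-supplied resolvers, and nothing in this hunk sets `networking.nameservers`, so confirm they come from elsewhere. The second beltane hunk removes the yggdrasil block but leaves the `# Yggdrasil` heading with nothing under it; either drop the comment or move the new `network.yggdrasil` settings beneath it.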
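Review bot: `address = singleton "${config.network.addresses.private.ipv4.address}/24" ;` carries a stray space before the semicolon; the neighbouring `gateway = singleton config.network.privateGateway;` line shows the intended form. The `/24` literal is the only place the private prefix length appears outside beltane's `prefixLength = 24`, so a short comment such as `# private network is 10.1.2.0/24; keep in sync with network.privateGateway` would tie the two together.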
@@ -126,20 +141,6 @@ in { }; }; - # Host-specific DNS Config - - kw.dns.dynamic = true; - - # Yggdrasil - - network.yggdrasil = { - enable = true; - pubkey = "a7110d0a1dc9ec963d6eb37bb6922838b8088b53932eae727a9136482ce45d47"; - # if server, enable this and set endpoint: - listen.enable = false; - listen.endpoints = [ "tcp://0.0.0.0:0" ]; - }; - # State system.stateVersion = "20.09"; diff --git a/depot/modules/home/default.nix b/depot/modules/home/default.nix index 20d83201..69a788b5 100644 --- a/depot/modules/home/default.nix +++ b/depot/modules/home/default.nix @@ -5,7 +5,7 @@ imports = with (import (sources.nixexprs + "/modules")).home-manager; [ base16 syncplay konawall i3gopher weechat shell ] ++ [ ./vim.nix ./fvwm.nix - ./dns.nix + ./network.nix ./deploy.nix ./theme.nix ./secrets.nix diff --git a/depot/modules/home/dns.nix b/depot/modules/home/dns.nix deleted file mode 100644 index 11a2cdb2..00000000 --- a/depot/modules/home/dns.nix +++ /dev/null @@ -1,40 +0,0 @@ -{ config, superConfig, lib, tf, ... }: - -/* -This module: -* Provides options for setting the domain/tld/... used by default in my service configs. -*/ - -with lib; - -{ - options.kw.dns = { - email = mkOption { - type = types.nullOr types.str; - default = ""; - }; - tld = mkOption { - type = types.nullOr types.str; - default = ""; - }; - domain = mkOption { - type = types.nullOr types.str; - default = ""; - }; - ygg_prefix = mkOption { - type = types.nullOr types.str; - default = ""; - }; - isPublic = mkEnableOption "Provide DNS for the public primary IP addresses of the host"; - ipv4 = mkOption { - type = types.str; - }; - ipv6 = mkOption { - type = types.str; - }; - dynamic = mkEnableOption "Enable Glauca Dynamic DNS Updater"; - }; - config = { - kw.dns = superConfig.kw.dns; - }; -} diff --git a/depot/modules/home/network.nix b/depot/modules/home/network.nix new file mode 100644 index 00000000..953767c1 --- /dev/null +++ b/depot/modules/home/network.nix 
@@ -0,0 +1,68 @@ +{ config, superConfig, lib, ... }: + +with lib; + +{ + options.network = { + addresses = mkOption { + type = with types; attrsOf (submodule ({ name, ... }: { + options = { + enable = mkEnableOption "Is the system a part of the ${name} network?"; + ipv4 = { + enable = mkOption { + type = types.bool; + }; + address = mkOption { + type = types.str; + }; + }; + ipv6 = { + enable = mkOption { + type = types.bool; + }; + address = mkOption { + type = types.str; + }; + }; + prefix = mkOption { + type = types.nullOr types.str; + }; + domain = mkOption { + type = types.nullOr types.str; + }; + }; + })); + }; + privateGateway = mkOption { + type = types.str; + }; + tf = { + enable = mkEnableOption "Was the system provisioned by terraform?"; + ipv4_attr = mkOption { + type = types.str; + }; + ipv6_attr = mkOption { + type = types.str; + }; + }; + dns = { + email = mkOption { + type = types.nullOr types.str; + }; + tld = mkOption { + type = types.nullOr types.str; + }; + domain = mkOption { + type = types.nullOr types.str; + }; + dynamic = mkEnableOption "Enable Glauca Dynamic DNS Updater"; + }; + }; + + config = { + network.addresses = superConfig.network.addresses; + network.privateGateway = superConfig.network.privateGateway; + network.tf = superConfig.network.tf; + network.dns = superConfig.network.dns; + }; +} diff --git a/depot/modules/nixos/default.nix b/depot/modules/nixos/default.nix index 64799cab..de373226 100644 --- a/depot/modules/nixos/default.nix +++ b/depot/modules/nixos/default.nix @@ -5,9 +5,8 @@ ./nftables.nix ./firewall.nix ./deploy.nix - ./dns.nix ./dyndns.nix - ./yggdrasil.nix + ./network.nix ./secrets.nix (sources.tf-nix + "/modules/nixos/secrets.nix") (sources.tf-nix + "/modules/nixos/secrets-users.nix") diff --git a/depot/modules/nixos/dns.nix b/depot/modules/nixos/dns.nix deleted file mode 100644 index d4f561e7..00000000 --- a/depot/modules/nixos/dns.nix +++ /dev/null 
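Review bot: `network.addresses = superConfig.network.addresses;` copies the evaluated NixOS-side attrset into a submodule that declares fewer options than its NixOS counterpart in this patch, which adds `subdomain` and `out.addressList` per network; unless superConfig is filtered beforehand, the home-manager submodule will reject `subdomain`/`out` as undeclared. Either mirror those options here or copy only the declared fields, e.g. `network.addresses = mapAttrs (_: v: { inherit (v) enable ipv4 ipv6 prefix domain; }) superConfig.network.addresses;` (`mapAttrs` is in scope via `with lib;`). A header comment stating that this module is a read-only mirror of the NixOS `network` options, and must be kept in step with depot/modules/nixos/network.nix, would make the coupling explicit.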
@@ -1,65 +0,0 @@ -{ config, lib, tf, ... }: - -/* -This module: -* Provides options for setting the domain/tld/... used by default in my service configs. -*/ - -with lib; - -{ - options.kw.dns = { - email = mkOption { - type = types.nullOr types.str; - default = ""; - }; - tld = mkOption { - type = types.nullOr types.str; - default = ""; - }; - domain = mkOption { - type = types.nullOr types.str; - default = ""; - }; - ygg_prefix = mkOption { - type = types.nullOr types.str; - default = ""; - }; - isPublic = mkEnableOption "Provide DNS for the public primary IP addresses of the host"; - ipv4 = mkOption { - type = types.nullOr types.str; - default = null; - }; - ipv6 = mkOption { - type = types.nullOr types.str; - default = null; - }; - }; - - config = { - # Set these. - kw.dns.email = mkDefault "kat@kittywit.ch"; - kw.dns.tld = mkDefault "kittywit.ch."; - kw.dns.ygg_prefix = mkDefault "net"; - - # This should be set in host config if it needs to be set for a host. Otherwise, they're retrieved from terraform. - kw.dns.ipv4 = mkDefault (mkIf (tf.resources ? config.networking.hostName) (mkOptionDefault (config.deploy.tf.resources."${config.networking.hostName}".refAttr "ipv4_address"))); - kw.dns.ipv6 = mkDefault (mkIf (tf.resources ? config.networking.hostName) (mkOptionDefault (config.deploy.tf.resources."${config.networking.hostName}".refAttr "ipv6_address"))); - - # These are derived. - kw.dns.domain = builtins.substring 0 ((builtins.stringLength config.kw.dns.tld) - 1) config.kw.dns.tld; - - deploy.tf.dns.records = lib.mkIf (config.kw.dns.isPublic) { - "node_${config.networking.hostName}_v4" = { - tld = config.kw.dns.tld; - domain = config.networking.hostName; - a.address = config.kw.dns.ipv4; - }; - "node_${config.networking.hostName}_v6" = { - tld = config.kw.dns.tld; - domain = config.networking.hostName; - aaaa.address = config.kw.dns.ipv6; - }; - }; - }; -} 
diff --git a/depot/modules/nixos/dyndns.nix b/depot/modules/nixos/dyndns.nix
index a2289b1b..d75d852e 100644
--- a/depot/modules/nixos/dyndns.nix
+++ b/depot/modules/nixos/dyndns.nix
@@ -4,10 +4,10 @@ with lib;
 {
   options = {
-    kw.dns.dynamic = mkEnableOption "Enable Glauca Dynamic DNS Updater";
+    network.dns.dynamic = mkEnableOption "Enable Glauca Dynamic DNS Updater";
   };
-  config = mkIf (config.kw.dns.dynamic) {
+  config = mkIf (config.network.dns.dynamic) {
     kw.secrets = [
       "hexdns-key"
       "hexdns-secret"
diff --git a/depot/modules/nixos/network.nix b/depot/modules/nixos/network.nix
new file mode 100644
index 00000000..c1856ced
--- /dev/null
+++ b/depot/modules/nixos/network.nix
@@ -0,0 +1,148 @@ +{ config, lib, tf, ... }: + +with lib; + +let + cfg = config.network; +in { + options.network = { + addresses = mkOption { + type = with types; attrsOf (submodule ({ name, options, config, ... }: { + options = { + enable = mkEnableOption "Is the system a part of the ${name} network?" // { + default = config.ipv4.enable || config.ipv6.enable; + }; + ipv4 = { + enable = mkOption { + type = types.bool; + default = options.ipv4.address.isDefined; + }; + address = mkOption { + type = types.str; + }; + }; + ipv6 = { + enable = mkOption { + type = types.bool; + default = options.ipv6.address.isDefined; + }; + address = mkOption { + type = types.str; + }; + }; + prefix = mkOption { + type = types.nullOr types.str; + }; + subdomain = mkOption { + type = types.nullOr types.str; + }; + domain = mkOption { + type = types.nullOr types.str; + default = "${config.subdomain}.${cfg.dns.domain}"; + }; + out.addressList = mkOption { + default = singleton config.domain ++ concatMap (i: optional i.enable i.address) [ config.ipv4 config.ipv6 ]; + }; + }; + })); + }; + privateGateway = mkOption { + type = types.str; + default = "10.1.2.1"; + }; + tf = { + enable = mkEnableOption "Was the system provisioned by terraform?"; + ipv4_attr = mkOption { + type = types.str; + default = "ipv4_address"; + }; + ipv6_attr = mkOption { + type = types.str; + default = "ipv6_address"; + }; + }; + dns = { + email = mkOption { + type = types.nullOr types.str; + }; + tld = mkOption { + type = types.nullOr types.str; + }; + domain = mkOption { + type = types.nullOr types.str; + }; + }; + }; + + config = let + networks = cfg.addresses; + networksWithDomains = filterAttrs (_: v: v.subdomain != null) networks; + in { + lib.kw.virtualHostGen = args: virtualHostGen ({ inherit config; } // args); + + network = { + dns = { + email = "kat@kittywit.ch"; + tld = "kittywit.ch."; + domain = builtins.substring 0 ((builtins.stringLength cfg.dns.tld) - 1) cfg.dns.tld; + }; + addresses = { + private = { 
+ prefix = "int"; + subdomain = "${config.networking.hostName}.${cfg.addresses.private.prefix}"; + }; + public = mkMerge [ + (mkIf cfg.tf.enable { + ipv4.address = mkIf (cfg.tf.ipv4_attr != null) (tf.resources."${config.networking.hostName}".refAttr config.network.tf.ipv4_attr); + ipv6.address = mkIf (cfg.tf.ipv6_attr != null) (tf.resources."${config.networking.hostName}".refAttr config.network.tf.ipv6_attr); + }) + ({ + subdomain = "${config.networking.hostName}"; + }) + ]; + yggdrasil = mkIf cfg.yggdrasil.enable { + ipv6.address = cfg.yggdrasil.address; + prefix = "ygg"; + subdomain = "${config.networking.hostName}.${cfg.addresses.yggdrasil.prefix}"; + }; + }; + }; + + networking = mkIf cfg.addresses.private.enable { + defaultGateway = cfg.privateGateway; + }; + + deploy.tf.dns.records = let + recordsV4 = mapAttrs' (n: v: + nameValuePair "node_${n}_${config.networking.hostName}_v4" { + enable = v.ipv4.enable; + tld = cfg.dns.tld; + domain = v.subdomain; + a.address = v.ipv4.address; + }) networksWithDomains; + recordsV6 = mapAttrs' (n: v: + nameValuePair "node_${n}_${config.networking.hostName}_v6" { + enable = v.ipv6.enable; + tld = cfg.dns.tld; + domain = v.subdomain; + aaaa.address = v.ipv6.address; + }) networksWithDomains; + in recordsV4 // recordsV6; + + security.acme.certs = mapAttrs' (n: v: + nameValuePair "cert_${n}_${config.networking.hostName}" { + inherit (v) domain; + dnsProvider = "rfc2136"; + credentialsFile = config.secrets.files.dns_creds.path; + group = "nginx"; + }) networksWithDomains; + + services.nginx.virtualHosts = mapAttrs' (n: v: + nameValuePair v.domain { + useACMEHost = "cert_${n}_${config.networking.hostName}"; + forceSSL = true; + }) networksWithDomains; + + _module.args = { inherit (config.lib) kw; }; + }; +} diff --git a/depot/modules/nixos/yggdrasil.nix b/depot/modules/nixos/yggdrasil.nix deleted file mode 100644 index b0c6b01b..00000000 --- a/depot/modules/nixos/yggdrasil.nix +++ /dev/null 
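Review bot: `security.acme.certs` and `services.nginx.virtualHosts` are defined for every entry in `networksWithDomains` on every host, without the `mkIf (config.services.nginx.enable)` guard the deleted yggdrasil.nix had, so a host that does not run nginx still requests ACME certificates owned by a `nginx` group that may not exist. That set includes the `private` network, so each host's 10.1.2.x address becomes a public A record (`node_private_<host>_v4`) and `<host>.int.<domain>` is requested from a public CA and lands in certificate-transparency logs — wrap both definitions in `mkIf config.services.nginx.enable` and, unless publishing internal names is intended, filter records and certs to the public and yggdrasil networks. Separately, the `domain` default `"${config.subdomain}.${cfg.dns.domain}"` throws when `subdomain` is null instead of yielding null; `if config.subdomain == null then null else "${config.subdomain}.${cfg.dns.domain}"` matches the declared `nullOr` type. The module reads `cfg.yggdrasil.enable` and `cfg.yggdrasil.address` but declares no `network.yggdrasil` option, so a comment naming where that option is declared would help the next reader.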
@@ -1,30 +0,0 @@ -{ config, lib, ... }: - -/* -This module: - * Provides AAAA records on a per-host basis for each yggdrasil enabled host. - * Provides certificates for those hosts if they run NGINX. -*/ - -with lib; - -{ - config = mkIf (config.network.yggdrasil.enable) { - deploy.tf.dns.records."ygg_${config.networking.hostName}" = { - tld = config.kw.dns.tld; - domain = "${config.networking.hostName}.${config.kw.dns.ygg_prefix}"; - aaaa.address = config.network.yggdrasil.address; - }; - security.acme.certs."${config.networking.hostName}.${config.kw.dns.ygg_prefix}.${config.kw.dns.domain}" = - mkIf (config.services.nginx.enable) { - domain = "${config.networking.hostName}.${config.kw.dns.ygg_prefix}.${config.kw.dns.domain}"; - dnsProvider = "rfc2136"; - credentialsFile = config.secrets.files.dns_creds.path; - group = "nginx"; - }; - services.nginx.virtualHosts."${config.networking.hostName}.${config.kw.dns.ygg_prefix}.${config.kw.dns.domain}" = mkIf (config.services.nginx.enable) { - useACMEHost = "${config.networking.hostName}.${config.kw.dns.ygg_prefix}.${config.kw.dns.domain}"; - forceSSL = true; - }; - }; -} diff --git a/depot/services/filehost/default.nix b/depot/services/filehost/default.nix index 4aac8232..b26d7719 100644 --- a/depot/services/filehost/default.nix +++ b/depot/services/filehost/default.nix @@ -2,7 +2,7 @@ { services.nginx.virtualHosts = { - "files.${config.kw.dns.domain}" = { + "files.${config.network.dns.domain}" = { root = "/var/www/files"; enableACME = true; forceSSL = true; @@ -10,8 +10,8 @@ }; deploy.tf.dns.records.services_filehost = { - tld = config.kw.dns.tld; + tld = config.network.dns.tld; domain = "files"; - cname.target = "${config.networking.hostName}.${config.kw.dns.tld}"; + cname.target = "${config.networking.hostName}.${config.network.dns.tld}"; }; } diff --git a/depot/services/gitea/default.nix b/depot/services/gitea/default.nix index be63bc59..d70199ca 100644 --- a/depot/services/gitea/default.nix 
+++ b/depot/services/gitea/default.nix @@ -25,8 +25,8 @@ services.gitea = { enable = true; disableRegistration = true; - domain = "git.${config.kw.dns.domain}"; - rootUrl = "https://git.${config.kw.dns.domain}"; + domain = "git.${config.network.dns.domain}"; + rootUrl = "https://git.${config.network.dns.domain}"; httpAddress = "127.0.0.1"; appName = "kittywitch git"; ssh = { clonePort = 62954; }; @@ -46,7 +46,7 @@ USER = "gitea@kittywit.ch"; #SEND_AS_PLAIN_TEXT = true; USE_SENDMAIL = false; - FROM = "\"kittywitch git\" "; + FROM = "\"kittywitch git\" "; }; service = { NO_REPLY_ADDRESS = "kittywit.ch"; @@ -66,15 +66,15 @@ ${pkgs.coreutils}/bin/ln -sfT ${./templates} /var/lib/gitea/custom/templates ''; - services.nginx.virtualHosts."git.${config.kw.dns.domain}" = { + services.nginx.virtualHosts."git.${config.network.dns.domain}" = { enableACME = true; forceSSL = true; locations = { "/".proxyPass = "http://127.0.0.1:3000"; }; }; deploy.tf.dns.records.services_gitea = { - tld = config.kw.dns.tld; + tld = config.network.dns.tld; domain = "git"; - cname.target = "${config.networking.hostName}.${config.kw.dns.tld}"; + cname.target = "${config.networking.hostName}.${config.network.dns.tld}"; }; } diff --git a/depot/services/grafana/default.nix b/depot/services/grafana/default.nix index d3a78089..4421a72d 100644 --- a/depot/services/grafana/default.nix +++ b/depot/services/grafana/default.nix @@ -12,8 +12,8 @@ services.grafana = { enable = true; port = 3001; - domain = "graph.${config.kw.dns.domain}"; - rootUrl = "https://graph.${config.kw.dns.domain}/"; + domain = "graph.${config.network.dns.domain}"; + rootUrl = "https://graph.${config.network.dns.domain}/"; database = { type = "postgres"; host = "/run/postgresql/"; 
@@ -22,15 +22,15 @@ }; }; - services.nginx.virtualHosts."graph.${config.kw.dns.domain}" = { + services.nginx.virtualHosts."graph.${config.network.dns.domain}" = { enableACME = true; forceSSL = true; locations = { "/".proxyPass = "http://127.0.0.1:3001"; }; }; deploy.tf.dns.records.services_grafana = { - tld = config.kw.dns.tld; + tld = config.network.dns.tld; domain = "graph"; - cname.target = "${config.networking.hostName}.${config.kw.dns.tld}"; + cname.target = "${config.networking.hostName}.${config.network.dns.tld}"; }; } diff --git a/depot/services/jellyfin/default.nix b/depot/services/jellyfin/default.nix index fdde9dac..acb1b18c 100644 --- a/depot/services/jellyfin/default.nix +++ b/depot/services/jellyfin/default.nix @@ -1,8 +1,9 @@ -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, kw, ... }: { - services.nginx.virtualHosts = { - "${config.networking.hostName}.${config.kw.dns.ygg_prefix}.${config.kw.dns.domain}".locations = { + services.nginx.virtualHosts = kw.virtualHostGen { + networkFilter = [ "private" "yggdrasil" ]; + block.locations = { "/jellyfin/".proxyPass = "http://127.0.0.1:8096/jellyfin/"; "/jellyfin/socket" = { proxyPass = "http://127.0.0.1:8096/jellyfin/"; @@ -10,17 +11,7 @@ proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; ''; - }; - }; - ${config.kw.dns.ipv4}.locations = { - "/jellyfin/".proxyPass = "http://127.0.0.1:8096/jellyfin/"; - "/jellyfin/socket" = { - proxyPass = "http://127.0.0.1:8096/jellyfin/"; - extraConfig = '' - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - ''; - }; + }; }; }; diff --git a/depot/services/kattv/default.nix b/depot/services/kattv/default.nix index 2d84d5ae..66e016d7 100644 --- a/depot/services/kattv/default.nix +++ b/depot/services/kattv/default.nix 
@@ -1,6 +1,47 @@ -{ config, pkgs, lib, ... }: +{ meta, config, pkgs, lib, ... }: -{ +let + env = { + FREI0R_PATH = "${pkgs.frei0r}/lib/frei0r-1"; + GST_PLUGIN_SYSTEM_PATH_1_0 = with pkgs.gst_all_1; lib.makeSearchPath "lib/gstreamer-1.0" [ + gstreamer + gst-plugins-base + gst-plugins-good + gst-plugins-bad + gst-plugins-ugly + pkgs.gst-jpegtrunc + ]; + }; + cameracapture = { + element."v4l2src" = { + device = "/dev/videomew"; + saturation = 100; + brightness = 100; + extra-controls = "c,exposure_auto=3"; + }; + }; + v4l2src = [ + cameracapture + { + caps."image/jpeg" = { + width = 1280; + height = 720; + framerate = "30/1"; # "10/1" + }; + } + ]; + pipeline = v4l2src ++ [ + "jpegtrunc" + { element.matroskamux.streamable = true; } + { + element.tcpclientsink = { + host = meta.network.nodes.beltane.network.private.ipv4.address; + port = "4953"; + sync = false; + }; + } + ]; +in { services.udev.extraRules = '' KERNEL=="video[0-9]*", SUBSYSTEM=="video4linux", SUBSYSTEMS=="usb", ATTR{index}=="0", ATTRS{idVendor}=="045e", ATTRS{idProduct}=="0779", SYMLINK+="videomew", TAG+="systemd" ''; @@ -10,8 +51,8 @@ after = [ "dev-videomew.device" "nginx.service" ]; description = "RTMP stream of kat cam"; bindsTo = [ "dev-videomew.device" ]; - environment = pkgs.kat-tv.env; - script = "exec ${pkgs.gst_all_1.gstreamer.dev}/bin/gst-launch-1.0 -e --no-position ${pkgs.lib.gst.pipelineShellString pkgs.kat-tv.pipeline}"; + environment = env; + script = "exec ${pkgs.gst_all_1.gstreamer.dev}/bin/gst-launch-1.0 -e --no-position ${pipeline}"; serviceConfig = { Restart = "on-failure"; RestartSec = "10s"; diff --git a/depot/services/mail/default.nix b/depot/services/mail/default.nix index 9e3a0867..5c8342e5 100644 --- a/depot/services/mail/default.nix +++ b/depot/services/mail/default.nix 
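Review bot: `script = "exec ... ${pipeline}"` interpolates a Nix list of strings and attrsets straight into a string, which fails to evaluate; the removed line serialised it with `pkgs.lib.gst.pipelineShellString`, so keep that call: `${pkgs.lib.gst.pipelineShellString pipeline}`. The sink host is read from `meta.network.nodes.beltane.network.private.ipv4.address`, but the option declared in this patch is `network.addresses.private.ipv4.address` (the commented line in beltane/meta.nix uses that path too), so the `.addresses.` segment looks missing unless `meta` exposes a different shape. Since `env` and `pipeline` moved inline from `pkgs.kat-tv`, a one-line comment on `pipeline` saying it is a structured description serialised at the `script` line would explain why it is not a plain string.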
@@ -10,35 +10,35 @@ with lib; ]; deploy.tf.dns.records.services_mail_mx = { - tld = config.kw.dns.tld; + tld = config.network.dns.tld; domain = "@"; mx = { priority = 10; - target = "${config.networking.hostName}.${config.kw.dns.tld}"; + target = config.network.addresses.public.domain; }; }; deploy.tf.dns.records.services_mail_spf = { - tld = config.kw.dns.tld; + tld = config.network.dns.tld; domain = "@"; - txt.value = "v=spf1 ip4:${config.kw.dns.ipv4} ip6:${config.kw.dns.ipv6} -all"; + txt.value = "v=spf1 ip4:${config.network.addresses.public.ipv4.address} ip6:${config.network.addresses.public.ipv6.address} -all"; }; deploy.tf.dns.records.services_mail_dmarc = { - tld = config.kw.dns.tld; + tld = config.network.dns.tld; domain = "_dmarc"; txt.value = "v=DMARC1; p=none"; }; deploy.tf.dns.records.services_mail_domainkey = { - tld = config.kw.dns.tld; + tld = config.network.dns.tld; domain = "mail._domainkey"; txt.value = tf.variables.mail-domainkey-kitty.ref; }; mailserver = { enable = true; - fqdn = "${config.networking.hostName}.${config.kw.dns.domain}"; + fqdn = config.network.addresses.public.domain; domains = [ "kittywit.ch" "dork.dev" ]; # Use Let's Encrypt certificates. Note that this needs to set up a stripped # down nginx and opens port 80. diff --git a/depot/services/matrix/default.nix b/depot/services/matrix/default.nix index 6e488968..b635b806 100644 --- a/depot/services/matrix/default.nix +++ b/depot/services/matrix/default.nix @@ -43,7 +43,7 @@ root: disable_existing_loggers: False ''; - server_name = config.kw.dns.domain; + server_name = config.network.dns.domain; app_service_config_files = [ "/var/lib/matrix-synapse/telegram-registration.yaml" "/var/lib/matrix-synapse/discord-registration.yaml" @@ -78,7 +78,7 @@ disable_existing_loggers: False settings = { homeserver = { address = "http://localhost:8008"; - domain = config.kw.dns.domain; + domain = config.network.dns.domain; }; appservice = { provisioning.enabled = false; 
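Review bot: `target = config.network.addresses.public.domain;` for the MX record changes the value from `<host>.kittywit.ch.` (built from `dns.tld`, which carries a trailing dot) to the relative `<host>.kittywit.ch`, while every CNAME in this patch still uses `"${config.networking.hostName}.${config.network.dns.tld}"`. Whether the terraform DNS provider appends the zone to relative names is not visible here; if it does, the MX would resolve to `<host>.kittywit.ch.kittywit.ch`. Either keep the tld-based form for the MX target or use `"${config.network.addresses.public.domain}."` and add a comment stating which convention the record targets follow; `mailserver.fqdn` should stay without the dot.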
@@ -86,14 +86,14 @@ disable_existing_loggers: False public = { enabled = false; prefix = "/public"; - external = "https://${config.kw.dns.domain}/public"; + external = "https://${config.network.dns.domain}/public"; }; }; bridge = { relaybot.authless_portals = false; permissions = { - "@kat:${config.kw.dns.domain}" = "admin"; - "${config.kw.dns.domain}" = "full"; + "@kat:${config.network.dns.domain}" = "admin"; + "${config.network.dns.domain}" = "full"; }; }; }; @@ -143,7 +143,7 @@ disable_existing_loggers: False after = [ "network.target" ]; }; - services.nginx.virtualHosts."${config.kw.dns.domain}" = { + services.nginx.virtualHosts."${config.network.dns.domain}" = { # allegedly fixes https://github.com/poljar/weechat-matrix/issues/240 extraConfig = '' keepalive_requests 100000; @@ -152,7 +152,7 @@ disable_existing_loggers: False locations = { "/_matrix" = { proxyPass = "http://[::1]:8008"; }; "= /.well-known/matrix/server".extraConfig = - let server = { "m.server" = "${config.kw.dns.domain}:443"; }; + let server = { "m.server" = "${config.network.dns.domain}:443"; }; in '' add_header Content-Type application/json; @@ -161,7 +161,7 @@ disable_existing_loggers: False "= /.well-known/matrix/client".extraConfig = let client = { - "m.homeserver" = { "base_url" = "https://${config.kw.dns.domain}"; }; + "m.homeserver" = { "base_url" = "https://${config.network.dns.domain}"; }; "m.identity_server" = { "base_url" = "https://vector.im"; }; }; in diff --git a/depot/services/murmur/default.nix b/depot/services/murmur/default.nix index b62c1052..aef83a6d 100644 --- a/depot/services/murmur/default.nix +++ b/depot/services/murmur/default.nix 
@@ -12,32 +12,32 @@ with lib; services.murmur = { enable = true; - hostName = "voice.${config.kw.dns.domain}"; + hostName = "voice.${config.network.dns.domain}"; bandwidth = 130000; welcometext = "mew!"; extraConfig = '' - sslCert=/var/lib/acme/voice.${config.kw.dns.domain}/fullchain.pem - sslKey=/var/lib/acme/voice.${config.kw.dns.domain}/key.pem + sslCert=/var/lib/acme/voice.${config.network.dns.domain}/fullchain.pem + sslKey=/var/lib/acme/voice.${config.network.dns.domain}/key.pem ''; }; - services.nginx.virtualHosts."voice.${config.kw.dns.domain}" = { + services.nginx.virtualHosts."voice.${config.network.dns.domain}" = { enableACME = true; forceSSL = true; }; users.groups."voice-cert".members = [ "nginx" "murmur" ]; - security.acme.certs = { "voice.${config.kw.dns.domain}" = { group = "voice-cert"; }; }; + security.acme.certs = { "voice.${config.network.dns.domain}" = { group = "voice-cert"; }; }; deploy.tf.dns.records.services_murmur = { - tld = config.kw.dns.tld; + tld = config.network.dns.tld; domain = "voice"; - cname.target = "${config.networking.hostName}.${config.kw.dns.tld}"; + cname.target = "${config.networking.hostName}.${config.network.dns.tld}"; }; deploy.tf.dns.records.services_murmur_tcp_srv = { - tld = config.kw.dns.tld; + tld = config.network.dns.tld; domain = "@"; srv = { service = "mumble"; @@ -45,12 +45,12 @@ with lib; priority = 0; weight = 5; port = 64738; - target = "voice.${config.kw.dns.tld}"; + target = "voice.${config.network.dns.tld}"; }; }; deploy.tf.dns.records.services_murmur_udp_srv = { - tld = config.kw.dns.tld; + tld = config.network.dns.tld; domain = "@"; srv = { service = "mumble"; @@ -58,7 +58,7 @@ with lib; priority = 0; weight = 5; port = 64738; - target = "voice.${config.kw.dns.tld}"; + target = "voice.${config.network.dns.tld}"; }; }; } diff --git a/depot/services/netdata/default.nix b/depot/services/netdata/default.nix index 3d404b3f..0375ba1f 100644 --- a/depot/services/netdata/default.nix 
+++ b/depot/services/netdata/default.nix @@ -1,15 +1,14 @@ -{ config, ... }: +{ config, kw, ... }: { kw.fw.private.tcp.ports = [ 19999 ]; services.netdata = { enable = true; }; - services.nginx = { - enable = true; - virtualHosts = { - "${config.networking.hostName}.${config.kw.dns.ygg_prefix}.${config.kw.dns.domain}" = { - locations = { "/netdata" = { proxyPass = "http://[::1]:19999/"; }; }; + services.nginx.virtualHosts = kw.virtualHostGen { + block = { + locations."/netdata" = { + proxyPass = "http://[::1]:19999/"; }; }; }; diff --git a/depot/services/nfs/default.nix b/depot/services/nfs/default.nix index 4c2931b1..80c0a693 100644 --- a/depot/services/nfs/default.nix +++ b/depot/services/nfs/default.nix @@ -1,4 +1,4 @@ -{ config, ... }: +{ config, lib, kw, ... }: { kw.fw = { @@ -9,12 +9,9 @@ services.nfs.server.enable = true; services.nfs.server.exports = "/mnt/zraw/media 192.168.1.0/24(rw) 200::/7(rw) 2a00:23c7:c597:7400::/56(rw)"; - services.nginx.virtualHosts = { - "${config.networking.hostName}.${config.kw.dns.ygg_prefix}.${config.kw.dns.domain}".locations."/" = { - alias = "/mnt/zraw/media/"; - extraConfig = "autoindex on;"; - }; - ${config.kw.dns.ipv4}.locations."/" = { + services.nginx.virtualHosts = kw.virtualHostGen { + networkFilter = [ "private" "yggdrasil" ]; + block.locations."/" = { alias = "/mnt/zraw/media/"; extraConfig = "autoindex on;"; }; diff --git a/depot/services/nginx/default.nix b/depot/services/nginx/default.nix index e3deaa2a..b1fd749c 100644 --- a/depot/services/nginx/default.nix +++ b/depot/services/nginx/default.nix @@ -39,7 +39,7 @@ with lib; }; security.acme = { - email = config.kw.dns.email; + email = config.network.dns.email; acceptTerms = true; }; } diff --git a/depot/services/prometheus/default.nix b/depot/services/prometheus/default.nix index 0b2b71e1..412c1d56 100644 --- a/depot/services/prometheus/default.nix +++ b/depot/services/prometheus/default.nix 
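Review bot: `kw.virtualHostGen { block = ... }` is called without a `networkFilter`, unlike the jellyfin and nfs hunks which pass `[ "private" "yggdrasil" ]`; if the generator defaults to every network with a domain (pkgs/lib/virtual-host-gen.nix is not in this view), the `/netdata` proxy is also served on the public `<host>.<domain>` vhost, which the removed ygg-only block never did. Pass `networkFilter = [ "private" "yggdrasil" ];` explicitly, or document the generator's default at the call site. The hunk also drops the `services.nginx.enable = true` the old block carried; confirm the shared nginx service enables it on every host importing this module.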
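Review bot: The unchanged context line `services.nfs.server.exports = "/mnt/zraw/media 192.168.1.0/24(rw) ..."` still grants access to 192.168.1.0/24, while this patch moves the private network to 10.1.2.0/24 (beltane 10.1.2.2, samhain 10.1.2.3, gateway 10.1.2.1), so the renumbered private clients no longer match the export ACL, and if the old LAN is being retired that range stays authorised. Derive the export from the new options, e.g. a `privateSubnet` string beside `privateGateway`, or at least update the literal and add a comment tying it to `network.addresses.private`. With `lib` now in the argument set, `lib.concatStringsSep " "` could assemble the export list from those networks.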
@@ -17,12 +17,12 @@ in scrapeConfigs = [ { job_name = "boline"; - static_configs = [{ targets = [ "boline.${config.kw.dns.ygg_prefix}.${config.kw.dns.domain}:8002" ]; }]; + static_configs = [{ targets = [ "boline.${config.network.dns.ygg_prefix}.${config.network.dns.domain}:8002" ]; }]; } { job_name = "samhain-vm"; metrics_path = "/metrics"; - static_configs = [{ targets = [ "samhain.${config.kw.dns.ygg_prefix}.${config.kw.dns.domain}:10445" ]; }]; + static_configs = [{ targets = [ "samhain.${config.network.dns.ygg_prefix}.${config.network.dns.domain}:10445" ]; }]; } ] ++ mapAttrsToList (hostName: prom: { @@ -30,13 +30,13 @@ in metrics_path = "/api/v1/allmetrics"; honor_labels = true; params = { format = [ "prometheus" ]; }; - static_configs = [{ targets = [ "${hostName}.${config.kw.dns.ygg_prefix}.${config.kw.dns.domain}:19999" ]; }]; + static_configs = [{ targets = [ "${hostName}.${config.network.dns.ygg_prefix}.${config.network.dns.domain}:19999" ]; }]; }) nd_configs ++ mapAttrsToList (hostName: prom: { job_name = hostName; static_configs = [{ - targets = [ "${hostName}.${config.kw.dns.ygg_prefix}.${config.kw.dns.domain}:${toString prom.port}" ]; + targets = [ "${hostName}.${config.network.dns.ygg_prefix}.${config.network.dns.domain}:${toString prom.port}" ]; }]; }) prom_configs; diff --git a/depot/services/promtail/default.nix b/depot/services/promtail/default.nix index c35d7809..0ae78f02 100644 --- a/depot/services/promtail/default.nix +++ b/depot/services/promtail/default.nix @@ -5,7 +5,7 @@ with lib; let promtail_config = pkgs.writeText "prom-config.json" (builtins.toJSON { clients = - [{ url = "http://${config.networking.hostName}.${config.kw.dns.ygg_prefix}.${config.kw.dns.domain}:3100/loki/api/v1/push"; }]; + [{ url = "http://${config.network.addresses.yggdrasil.domain}:3100/loki/api/v1/push"; }]; positions = { filename = "/tmp/positions.yaml"; }; scrape_configs = [{ job_name = "journal"; 
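Review bot: The scrape targets are rebuilt as `${hostName}.${config.network.dns.ygg_prefix}.${config.network.dns.domain}`, while the promtail hunk in the same commit switches to `config.network.addresses.yggdrasil.domain` and the diffstat deletes `depot/modules/nixos/dns.nix` in favour of `network.nix`; whether the new module still defines `network.dns.ygg_prefix` is not visible here, and if it does not, evaluation fails on the first static config. Either confirm the option exists or derive each target from the remote host's `network.addresses.yggdrasil.domain` so prometheus and promtail cannot drift apart on how a yggdrasil name is spelled. The `let` binding that defines `nd_configs` and `prom_configs` is outside the hunk.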
diff --git a/depot/services/radicale/default.nix b/depot/services/radicale/default.nix index 40fcbcfe..6addaf92 100644 --- a/depot/services/radicale/default.nix +++ b/depot/services/radicale/default.nix @@ -21,7 +21,7 @@ in }; services.nginx.virtualHosts = { - "cal.${config.kw.dns.domain}" = { + "cal.${config.network.dns.domain}" = { forceSSL = true; enableACME = true; locations."/" = { @@ -36,8 +36,8 @@ in }; deploy.tf.dns.records.services_radicale = { - tld = config.kw.dns.tld; + tld = config.network.dns.tld; domain = "cal"; - cname.target = "${config.networking.hostName}.${config.kw.dns.tld}"; + cname.target = "${config.networking.hostName}.${config.network.dns.tld}"; }; } diff --git a/depot/services/syncplay/default.nix b/depot/services/syncplay/default.nix index 7c1315e1..f0f4a689 100644 --- a/depot/services/syncplay/default.nix +++ b/depot/services/syncplay/default.nix @@ -12,7 +12,7 @@ with lib; users.groups."sync-cert".members = [ "nginx" "syncplay" ]; security.acme = { - certs."sync.${config.kw.dns.domain}" = { + certs."sync.${config.network.dns.domain}" = { group = "sync-cert"; postRun = '' cp key.pem privkey.pem @@ -23,15 +23,15 @@ with lib; kw.fw.public.tcp.ports = singleton 8999; - services.nginx.virtualHosts."sync.${config.kw.dns.domain}" = { + services.nginx.virtualHosts."sync.${config.network.dns.domain}" = { enableACME = true; forceSSL = true; }; deploy.tf.dns.records.services_syncplay = { - tld = config.kw.dns.tld; + tld = config.network.dns.tld; domain = "sync"; - cname.target = "${config.networking.hostName}.${config.kw.dns.tld}"; + cname.target = "${config.networking.hostName}.${config.network.dns.tld}"; }; secrets.files.syncplay-env = { 
@@ -51,7 +51,7 @@ with lib; serviceConfig = { EnvironmentFile = config.secrets.files.syncplay-env.path; ExecStart = - "${pkgs.syncplay}/bin/syncplay-server --port 8999 --tls /var/lib/acme/sync.${config.kw.dns.domain}/ --disable-ready"; + "${pkgs.syncplay}/bin/syncplay-server --port 8999 --tls /var/lib/acme/sync.${config.network.dns.domain}/ --disable-ready"; User = "syncplay"; Group = "sync-cert"; }; diff --git a/depot/services/transmission/default.nix b/depot/services/transmission/default.nix index ef39be6e..9c39c15e 100644 --- a/depot/services/transmission/default.nix +++ b/depot/services/transmission/default.nix @@ -1,14 +1,13 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, kw, ... }: { - services.nginx.virtualHosts = { - "${config.networking.hostName}.${config.kw.dns.ygg_prefix}.${config.kw.dns.domain}".locations."/transmission" = { - proxyPass = "http://[::1]:9091"; - extraConfig = "proxy_pass_header X-Transmission-Session-Id;"; - }; - ${config.kw.dns.ipv4}.locations."/transmission" = { - proxyPass = "http://[::1]:9091"; - extraConfig = "proxy_pass_header X-Transmission-Session-Id;"; + services.nginx.virtualHosts = kw.virtualHostGen { + networkFilter = [ "private" "yggdrasil" ]; + block = { + locations."/transmission" = { + proxyPass = "http://[::1]:9091"; + extraConfig = "proxy_pass_header X-Transmission-Session-Id;"; + }; }; }; diff --git a/depot/services/tvheadend/default.nix b/depot/services/tvheadend/default.nix index 63ae2144..3cda2d3f 100644 --- a/depot/services/tvheadend/default.nix +++ b/depot/services/tvheadend/default.nix @@ -1,4 +1,4 @@ -{ config, pkgs, lib, ... }: +{ config, pkgs, lib, kw, ... }: { hardware.firmware = [ pkgs.libreelec-dvb-firmware ]; 
@@ -9,14 +9,13 @@ tcp.ports = [ 9981 9982 ]; }; - services.nginx.virtualHosts = { - "${config.networking.hostName}.${config.kw.dns.ygg_prefix}.${config.kw.dns.domain}".locations."/tvheadend" = { - proxyPass = "http://127.0.0.1:9981"; - extraConfig = "proxy_pass_header X-Transmission-Session-Id;"; - }; - ${config.kw.dns.ipv4}.locations."/tvheadend" = { - proxyPass = "http://127.0.0.1:9981"; - extraConfig = "proxy_pass_header X-Transmission-Session-Id;"; + services.nginx.virtualHosts = kw.virtualHostGen { + networkFilter = [ "private" "yggdrasil" ]; + block = { + locations."/tvheadend" = { + proxyPass = "http://127.0.0.1:9981"; + extraConfig = "proxy_pass_header X-Transmission-Session-Id;"; + }; }; }; diff --git a/depot/services/vaultwarden/default.nix b/depot/services/vaultwarden/default.nix index 3ec0eb87..be7a4d5b 100644 --- a/depot/services/vaultwarden/default.nix +++ b/depot/services/vaultwarden/default.nix @@ -19,12 +19,12 @@ rocketPort = 4000; websocketEnabled = true; signupsAllowed = false; - domain = "https://vault.${config.kw.dns.domain}"; + domain = "https://vault.${config.network.dns.domain}"; databaseUrl = "postgresql://bitwarden_rs@/bitwarden_rs"; }; }; - services.nginx.virtualHosts."vault.${config.kw.dns.domain}" = { + services.nginx.virtualHosts."vault.${config.network.dns.domain}" = { enableACME = true; forceSSL = true; locations = { @@ -35,8 +35,8 @@ }; deploy.tf.dns.records.services_vaultwarden = { - tld = config.kw.dns.tld; + tld = config.network.dns.tld; domain = "vault"; - cname.target = "${config.networking.hostName}.${config.kw.dns.tld}"; + cname.target = "${config.networking.hostName}.${config.network.dns.tld}"; }; } diff --git a/depot/services/website/default.nix b/depot/services/website/default.nix index d25685bc..7a610745 100644 --- a/depot/services/website/default.nix +++ b/depot/services/website/default.nix 
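Review bot: The rewritten `/tvheadend` location keeps `extraConfig = "proxy_pass_header X-Transmission-Session-Id;"`, the Transmission RPC session header copied from the transmission service; tvheadend does not use it, so the directive is dead and misleading — drop it, or replace it with a comment stating what this proxy actually needs. Also `proxyPass = "http://127.0.0.1:9981"` has no trailing slash, so the `/tvheadend` prefix is forwarded to the backend; presumably tvheadend is started with a matching web root, otherwise the proxy 404s, and `"http://127.0.0.1:9981/"` would strip the prefix the way the netdata hunk does. Either way the choice is worth a one-line comment, since the two sibling services make opposite choices.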
@@ -2,7 +2,7 @@ { services.nginx.virtualHosts = { - "${config.kw.dns.domain}" = { + "${config.network.dns.domain}" = { root = pkgs.kat-website; enableACME = true; forceSSL = true; diff --git a/depot/services/weechat/default.nix b/depot/services/weechat/default.nix index 8cb6ca77..767d75cd 100644 --- a/depot/services/weechat/default.nix +++ b/depot/services/weechat/default.nix @@ -1,7 +1,7 @@ { config, pkgs, ... }: { - services.nginx.virtualHosts."irc.${config.kw.dns.domain}" = { + services.nginx.virtualHosts."irc.${config.network.dns.domain}" = { enableACME = true; forceSSL = true; locations = { @@ -14,8 +14,8 @@ }; deploy.tf.dns.records.services_weechat = { - tld = config.kw.dns.tld; + tld = config.network.dns.tld; domain = "irc"; - cname.target = "${config.networking.hostName}.${config.kw.dns.tld}"; + cname.target = "${config.networking.hostName}.${config.network.dns.tld}"; }; } diff --git a/depot/services/xmpp/default.nix b/depot/services/xmpp/default.nix index 8273e995..3cb07323 100644 --- a/depot/services/xmpp/default.nix +++ b/depot/services/xmpp/default.nix 
@@ -35,53 +35,53 @@ with lib; } ''; virtualHosts = { - "xmpp.${config.kw.dns.domain}" = { - domain = config.kw.dns.domain; + "xmpp.${config.network.dns.domain}" = { + domain = config.network.dns.domain; enabled = true; ssl.cert = "/var/lib/acme/prosody/fullchain.pem"; ssl.key = "/var/lib/acme/prosody/key.pem"; }; }; - muc = [{ domain = "conference.${config.kw.dns.domain}"; }]; - uploadHttp = { domain = "upload.${config.kw.dns.domain}"; }; + muc = [{ domain = "conference.${config.network.dns.domain}"; }]; + uploadHttp = { domain = "upload.${config.network.dns.domain}"; }; }; security.acme.certs.prosody = { - domain = "xmpp.${config.kw.dns.domain}"; + domain = "xmpp.${config.network.dns.domain}"; group = "prosody"; dnsProvider = "rfc2136"; credentialsFile = config.secrets.files.dns_creds.path; postRun = "systemctl restart prosody"; extraDomainNames = - [ config.kw.dns.domain "upload.${config.kw.dns.domain}" "conference.${config.kw.dns.domain}" ]; + [ config.network.dns.domain "upload.${config.network.dns.domain}" "conference.${config.network.dns.domain}" ]; }; deploy.tf.dns.records.services_prosody_xmpp = { - tld = config.kw.dns.tld; + tld = config.network.dns.tld; domain = "xmpp"; - a.address = config.kw.dns.ipv4; + a.address = config.network.addresses.public.ipv4.address; }; deploy.tf.dns.records.services_prosody_xmpp_v6 = { - tld = config.kw.dns.tld; + tld = config.network.dns.tld; domain = "xmpp"; - aaaa.address = config.kw.dns.ipv6; + aaaa.address = config.network.addresses.public.ipv6.address; }; deploy.tf.dns.records.services_prosody_upload = { - tld = config.kw.dns.tld; + tld = config.network.dns.tld; domain = "upload"; - cname.target = "xmpp.${config.kw.dns.tld}"; + cname.target = "xmpp.${config.network.dns.tld}"; }; deploy.tf.dns.records.services_prosody_conference = { - tld = config.kw.dns.tld; + tld = config.network.dns.tld; domain = "conference"; - cname.target = "xmpp.${config.kw.dns.tld}"; + cname.target = "xmpp.${config.network.dns.tld}"; }; 
deploy.tf.dns.records.services_prosody_muc = { - tld = config.kw.dns.tld; + tld = config.network.dns.tld; domain = "conference"; srv = { service = "xmpp-server"; @@ -89,12 +89,12 @@ with lib; priority = 0; weight = 5; port = 5269; - target = "xmpp.${config.kw.dns.tld}"; + target = "xmpp.${config.network.dns.tld}"; }; }; deploy.tf.dns.records.services_prosody_client_srv = { - tld = config.kw.dns.tld; + tld = config.network.dns.tld; domain = "@"; srv = { service = "xmpp-client"; @@ -102,12 +102,12 @@ with lib; priority = 0; weight = 5; port = 5222; - target = "xmpp.${config.kw.dns.tld}"; + target = "xmpp.${config.network.dns.tld}"; }; }; deploy.tf.dns.records.services_prosody_secure_client_srv = { - tld = config.kw.dns.tld; + tld = config.network.dns.tld; domain = "@"; srv = { service = "xmpps-client"; @@ -115,12 +115,12 @@ with lib; priority = 0; weight = 5; port = 5223; - target = "xmpp.${config.kw.dns.tld}"; + target = "xmpp.${config.network.dns.tld}"; }; }; deploy.tf.dns.records.services_prosody_server_srv = { - tld = config.kw.dns.tld; + tld = config.network.dns.tld; domain = "@"; srv = { service = "xmpp-server"; @@ -128,17 +128,17 @@ with lib; priority = 0; weight = 5; port = 5269; - target = "xmpp.${config.kw.dns.tld}"; + target = "xmpp.${config.network.dns.tld}"; }; }; services.nginx.virtualHosts = { - "upload.${config.kw.dns.domain}" = { + "upload.${config.network.dns.domain}" = { useACMEHost = "prosody"; forceSSL = true; }; - "conference.${config.kw.dns.domain}" = { + "conference.${config.network.dns.domain}" = { useACMEHost = "prosody"; forceSSL = true; }; diff --git a/depot/trusted b/depot/trusted index fc69a63a..67087730 160000 --- a/depot/trusted +++ b/depot/trusted @@ -1 +1 @@ -Subproject commit fc69a63a4941b1a3672a61d70989383854c98176 +Subproject commit 6708773084feede47c13793902f66b432b12ed19 diff --git a/pkgs/lib/default.nix b/pkgs/lib/default.nix index c05625f2..ef87d0e9 100644 --- a/pkgs/lib/default.nix +++ b/pkgs/lib/default.nix 
@@ -12,6 +12,7 @@ { inherit (colorHelpers) hextorgba; hostImport = import ./host-import.nix { inherit lib; }; + virtualHostGen = import ./virtual-host-gen.nix { inherit lib; }; domainMerge = import ./domain-merge.nix { inherit lib; }; modListMerge = import ./intersect-merge.nix { inherit lib; }; modList = import ./module-list.nix { inherit lib; }; diff --git a/pkgs/lib/virtual-host-gen.nix b/pkgs/lib/virtual-host-gen.nix new file mode 100644 index 00000000..fa216177 --- /dev/null +++ b/pkgs/lib/virtual-host-gen.nix @@ -0,0 +1,9 @@ +{ lib }: { config, networkFilter ? [ ], addresses ? [ ], block }: with lib; + +let + networks = config.network.addresses; + filteredNetworks = filterAttrs (n: v: elem n networkFilter && v.enable) networks; + networkValues = attrValues filteredNetworks; + addressList = concatMap (n: n.out.addressList) networkValues; + hostBlocks = map (host: nameValuePair host block) addressList; +in listToAttrs hostBlocks
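Review bot: `virtualHostGen` keys each generated server block by a name from `out.addressList` but sets no `listenAddresses`, so `networkFilter` only decides which `server_name`s exist — nginx still matches them by Host header on every socket it listens on, and a client reaching the public interface with `Host: <private or yggdrasil address>` lands in the same `block`, even though the nfs/transmission/tvheadend callers treat the filter as an access control. Unless the listen addresses are constrained elsewhere (not visible here), generate `listenAddresses = [ host ];` for entries that are literal IPs, or merge an `allow`/`deny` list into `extraConfig` from the selected networks' ranges, and say in a header comment that the filter is not an ACL. Separately, the `addresses ? [ ]` parameter is accepted but never read, and an empty `networkFilter` silently yields `{}`; an `assert networkFilter != [ ];` or a documented default would catch the netdata call in this commit.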