gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 12:29:19 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: new networking abstractions full adoption

Browse source
This commit is contained in:
Kat Inskip 2022-09-25 17:42:17 -07:00
parent e6e4d4e37b
commit 595a0983cb
Signed by: kat
GPG key ID: 465E64DECEA8CF0F
21 changed files with 146 additions and 262 deletions
Download patch file Download diff file Expand all files Collapse all files

51
nixos/network.nix
View file

@ -38,9 +38,9 @@
type = nullOr str;
default = "${nixos.networking.hostName}${if config.prefix != null then ".${config.prefix}" else ""}";
};
dn = mkOption {
cname = mkOption {
type = nullOr str;
default = lib.removeSuffix "." config.domain;
default = "${config.domain}.${config.zone}";
};
prefix = mkOption {
type = nullOr str;
@ -50,6 +50,14 @@
type = nullOr str;
default = "kittywit.ch.";
};
key_path = mkOption {
type = nullOr str;
default = if config.create_cert then nixos.secrets.files."${lib.removeSuffix "." config.cname}-key".path else null;
};
cert_path = mkOption {
type = nullOr str;
default = if config.create_cert then nixos.secrets.files."${lib.removeSuffix "." config.cname}-cert".path else null;
};
target = mkOption {
type = nullOr str;
default = if (config.type == "cname" && config.host != nixos.networking.hostName) then
@ -136,13 +144,25 @@
};
create_domain = mkOption {
type = bool;
default = false;
default = config.extra_domains != [];
};
create_cert = mkOption {
type = bool;
default = config.extra_domains != [];
};
extra_domains = mkOption {
type = listOf str;
description = "Domains to add to the certificate generated for this network.";
default = [];
};
key_path = mkOption {
type = nullOr str;
default = if config.create_cert && config.interfaces != [] then nixos.secrets.files."${lib.removeSuffix "." config.target}-key".path else null;
};
cert_path = mkOption {
type = nullOr str;
default = if config.create_cert && config.interfaces != [] then nixos.secrets.files."${lib.removeSuffix "." config.target}-cert".path else null;
};
domain = mkOption {
type = nullOr str;
default = "${nixos.networking.hostName}${if config.prefix != null then ".${config.prefix}" else ""}";
@ -155,6 +175,10 @@
type = nullOr str;
default = "kittywit.ch.";
};
domain_dotless = mkOption {
type = nullOr str;
default = lib.removeSuffix "." config.target;
};
target = mkOption {
type = nullOr str;
default = "${config.domain}.${config.zone}";
@ -190,6 +214,7 @@
interfaces = singleton "tailscale0";
zone = "inskip.me.";
create_domain = true;
create_cert = true;
}
];
};
@ -230,11 +255,12 @@
extraDomainedNetworks = filterAttrs (_: settings: settings.extra_domains != []) networks';
extraDomains = listToAttrs (concatLists (mapAttrsToList (network: settings:
map (domain: let
split_domain = splitString "." domain;
isRoot = (length split_domain) == 2;
in nameValuePair "${network}-cname-${if isRoot then "root" else elemAt split_domain (length split_domain -2)}-${concatStringsSep "." (sublist (length split_domain - 2) (length split_domain) split_domain)}." {
zone = "${concatStringsSep "." (sublist (length split_domain - 2) (length split_domain) split_domain)}.";
domain = if isRoot then null
split_domain = splitString "." domain;
isRoot = (length split_domain) <= 2;
in nameValuePair "${network}-cname-${if isRoot then "root" else elemAt split_domain ((length split_domain) - 2)}-${concatStringsSep "." (sublist (length split_domain - 2) (length split_domain) split_domain)}." {
zone = if isRoot then "${domain}." else "${concatStringsSep "." (sublist ((length split_domain) - 2) (length split_domain) split_domain)}.";
enable = true;
domain = if isRoot then "@"
else elemAt split_domain (length split_domain - 2);
cname = { inherit (settings) target; };
}) settings.extra_domains) extraDomainedNetworks));
@ -247,7 +273,6 @@
enable = mkForce settings.ipv6_defined;
} else {
enable = mkForce settings.ipv4_defined;
#a.address = if settings.ipv4_defined then settings.ipv4 else "127.0.0.1";
a.address = settings.ipv4;
})
)) networks') address_families;
@ -275,9 +300,9 @@
keyType = "4096";
dnsNames = [ (removeSuffix "." settings.target) ] ++ (lib.optionals (settings ? extra_domains) settings.extra_domains);
};
network_certs = mapAttrs' nvP sane_networks;
network_certs = mapAttrs' nvP (filterAttrs (network: settings: settings.create_cert) sane_networks);
domain_certs = mapAttrs' nvP (filterAttrs (network: settings: settings.create_cert) config.domains);
in network_certs // domain_certs;
in domain_certs // network_certs;
};
variables = {
@ -312,6 +337,7 @@
text = tf.acme.certs.${fixedTarget settings}.out.refFullchainPem;
owner = "nginx";
group = "domain-auth";
mode = "0440";
}
) sane_networks;
networks' = mapAttrs' (network: settings:
@ -319,6 +345,7 @@
text = tf.acme.certs.${fixedTarget settings}.out.refPrivateKeyPem;
owner = "nginx";
group = "domain-auth";
mode = "0440";
}
) sane_networks;
domains = mapAttrs' (network: settings:
@ -326,6 +353,7 @@
text = tf.acme.certs.${fixedTarget settings}.out.refFullchainPem;
owner = settings.owner;
group = settings.group;
mode = "0440";
}
) (filterAttrs (network: settings: settings.create_cert) config.domains);
domains' = mapAttrs' (network: settings:
@ -333,6 +361,7 @@
text = tf.acme.certs.${fixedTarget settings}.out.refPrivateKeyPem;
owner = settings.owner;
group = settings.group;
mode = "0440";
}
) (filterAttrs (network: settings: settings.create_cert) config.domains);
in networks // networks' // domains // domains';

6
nixos/systems/daiyousei.nix
View file

@ -37,5 +37,11 @@
};
};
networks.internet = {
extra_domains = [
"kittywit.ch"
];
};
system.stateVersion = "21.11";
}

2
services/filehost.nix
View file

@ -180,8 +180,8 @@ location CHANGELOG.md {
};
domains.kittywitch-filehost = {
network = "internet";
domain = "files";
type = "cname";
inherit (config.networks.internet) target;
};
}

53
services/fusionpbx.nix
View file

@ -1,53 +0,0 @@
{ config, pkgs, tf, lib, ... }: with lib;
{
deploy.tf.dns.records.services_fusionpbx = {
inherit (config.network.dns) zone;
domain = "pbx";
cname = { inherit (config.network.addresses.private) target; };
};
kw.secrets.variables = mapListToAttrs
(field:
nameValuePair "fusionpbx-${field}" {
path = "services/fusionpbx";
inherit field;
}) [ "username" "password" ];
secrets.files.fusionpbx_env = {
text = ''
USER_NAME=${tf.variables.fusionpbx-username.ref}
USER_PASSWORD=${tf.variables.fusionpbx-password.ref}
'';
owner = "fusionpbx";
group = "fusionpbx";
};
security.acme.certs.services_fusionpbx = {
domain = "pbx.${config.network.dns.domain}";
group = "fusionpbx";
dnsProvider = "rfc2136";
credentialsFile = config.secrets.files.dns_creds.path;
postRun = "systemctl restart nginx";
};
services.fusionpbx = {
enable = true;
openFirewall = true;
useLocalPostgreSQL = true;
environmentFile = config.secrets.files.fusionpbx_env.path;
hardphones = true;
useACMEHost = "services_fusionpbx";
domain = "pbx.${config.network.dns.domain}";
package = with pkgs; fusionpbxWithApps [ fusionpbx-apps.sms ];
freeSwitchPackage = with pkgs; freeswitch;
};
services.nginx.virtualHosts."altar.kittywit.ch" = {
locations = {
"app/sms/hook/" = {
proxyPass = "http://pbx.kittywit.ch/app/sms/hook";
};
};
};
}

83
services/glauth.nix
View file

@ -1,83 +0,0 @@
{ config, tf, lib, ... }: with lib; {
network.firewall.public.tcp.ports = [ 636 ];
network.extraCerts.domain-auth = "auth.${config.network.dns.domain}";
users.groups.domain-auth.members = [ "nginx" "glauth" "keycloak" ];
security.acme.certs.domain-auth.group = "domain-auth";
services.glauth = {
enable = true;
configFile = config.secrets.files.glauth-config-file.path;
database = {
enable = true;
local = true;
type = "postgres";
passwordFile = config.secrets.files.glauth-postgres-file.path;
};
settings = {
syslog = true;
ldap = {
enabled = false;
listen = "0.0.0.0:3893";
};
ldaps = {
enabled = true;
listen = "0.0.0.0:636";
cert = "/var/lib/acme/domain-auth/fullchain.pem";
key = "/var/lib/acme/domain-auth/key.pem";
};
backend = {
baseDN = "dc=kittywitc,dc=ch";
};
users = [
{
name = "kat";
mail = "kat@kittywit.ch";
loginshell="/usr/bin/env zsh";
homedirectory="/home/kat";
passsha256 = tf.variables.glauth-password-hash.ref;
uidnumber = 1000;
primarygroup = 1500;
givenname = "kat";
sn = "witch";
}
{
name = "kc";
passsha256 = tf.variables.glauth-kc-password-hash.ref;
uidnumber = 999;
primarygroup = 1499;
}
];
groups = [
{
name = "admins";
gidnumber = 1499;
}
{
name = "users";
gidnumber = 1500;
}
];
};
};
kw.secrets.variables = mapListToAttrs
(field:
nameValuePair "glauth-${field}" {
path = "services/glauth";
inherit field;
}) [ "password-hash" "kc-password-hash" "postgres" ];
secrets.files = {
glauth-postgres-file = {
text = tf.variables.glauth-postgres.ref;
owner = "postgres";
group = "glauth";
};
glauth-config-file = {
text = toTOML config.services.glauth.settings;
owner = "glauth";
group = "glauth";
};
};
}

10
services/hedgedoc.nix
View file

@ -24,7 +24,7 @@
services.hedgedoc = {
enable = true;
configuration = {
settings = {
debug = true;
path = "/run/hedgedoc/hedgedoc.sock";
domain = "md.kittywit.ch";
@ -50,10 +50,10 @@
environmentFile = config.secrets.files.hedgedoc-env.path;
};
deploy.tf.dns.records.services_hedgedoc = {
inherit (config.network.dns) zone;
domains.kittywitch_hedgedoc = {
network = "internet";
type = "cname";
domain = "md";
cname = { inherit (config.network.addresses.public) target; };
};
systemd.services.hedgedoc = {
@ -75,8 +75,6 @@
users.users.nginx.extraGroups = [ "hedgedoc" ];
services.nginx.virtualHosts."md.kittywit.ch" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://unix:/run/hedgedoc/hedgedoc.sock";
proxyWebsockets = true;

35
services/keycloak.nix
View file

@ -1,12 +1,11 @@
{ config, pkgs, lib, tf, ... }: with lib; let
keystore-pass = "zZX3eS";
id = tf.acme.certs."auth.kittywit.ch".out.resource.getAttr "id";
in {
services.keycloak = {
enable = builtins.getEnv "CI_PLATFORM" == "impure";
package = (pkgs.keycloak.override {
jre = pkgs.openjdk11;
});
initialAdminPassword = "mewpymewlymewlies";
database.passwordFile = config.secrets.files.keycloak-postgres-file.path;
settings = {
http-enabled = true;
@ -18,27 +17,31 @@ in {
hostname-strict = false;
http-relative-path = "/auth";
hostname-strict-backchannel = true;
https-key-store-file = "/var/lib/acme/auth.kittywit.ch/trust-store.jks";
https-key-store-password = keystore-pass;
https-key-store-file = "/run/keycloak/${id}.jks";
https-key-store-password = id;
};
};
domains.kittywitch-keycloak = {
network = "internet";
type = "cname";
domain = "auth";
};
users.groups.domain-auth = {
gid = 10600;
members = [ "keycloak" ];
};
/*
security.acme.certs."auth.kittywit.ch" = {
group = "domain-auth";
postRun = ''
${pkgs.adoptopenjdk-jre-bin}/bin/keytool -delete -alias auth.kittywit.ch -keypass ${keystore-pass} -storepass ${keystore-pass} -keystore ./trust-store.jks
${pkgs.adoptopenjdk-jre-bin}/bin/keytool -import -alias auth.kittywit.ch -noprompt -keystore trust-store.jks -keypass ${keystore-pass} -storepass ${keystore-pass} -file cert.pem
chown acme:domain-auth ./trust-store.jks
'';
};*/
systemd.services.keycloak.script = lib.mkBefore ''
mkdir -p /run/keycloak
if [[ ! -e /run/keycloak/${id}.jks ]]; then
${pkgs.adoptopenjdk-jre-bin}/bin/keytool -import -alias auth.kittywit.ch -noprompt -keystore /run/keycloak/${id}.jks -keypass ${id} -storepass ${id} -file ${config.domains.kittywitch-keycloak.cert_path}
fi
'';
users.groups.keycloak = { };
users.users.keycloak = {
isSystemUser = true;
group = "keycloak";
@ -64,10 +67,4 @@ in {
"/auth".proxyPass = "http://127.0.0.1:8089/auth";
};
};
domains.kittywitch-keycloak = {
network = "internet";
type = "cname";
domain = "auth";
};
}

8
services/mail/dns.nix
View file

@ -13,26 +13,26 @@ in {
deploy.tf.dns.records = mkMerge (map
(domain:
let
zoneGet = domain: if domain == "dork" then "dork.dev." else config.network.dns.zone;
zoneGet = domain: if domain == "dork" then "dork.dev." else config.networks.internet.zone;
in
{
"services_mail_${domain}_autoconfig_cname" = {
zone = zoneGet domain;
domain = "autoconfig";
cname = { inherit (config.network.addresses.public) target; };
cname = { inherit (config.networks.internet) target; };
};
"services_mail_${domain}_mx" = {
zone = zoneGet domain;
mx = {
priority = 10;
inherit (config.network.addresses.public) target;
inherit (config.networks.internet) target;
};
};
"services_mail_${domain}_spf" = {
zone = zoneGet domain;
txt.value = "v=spf1 ip4:${config.network.addresses.public.tf.ipv4.address} ip6:${config.network.addresses.public.tf.ipv6.address} -all";
txt.value = "v=spf1 ip4:${config.networks.internet.ipv4} ip6:${config.networks.internet.ipv6} -all";
};
"services_mail_${domain}_dmarc" = {

28
services/mail/dovecot.nix
View file

@ -40,23 +40,19 @@ let
'';
in
{
security.acme.certs.dovecot_domains = {
inherit (config.network.dns) domain;
group = "postfix";
dnsProvider = "rfc2136";
credentialsFile = config.secrets.files.dns_creds.path;
postRun = "systemctl restart dovecot2";
extraDomainNames =
[
config.network.dns.domain
"mail.${config.network.dns.domain}"
config.network.addresses.public.domain
"dork.dev"
];
};
networks.internet.extra_domains = [
"mail.kittywit.ch"
"dork.dev"
];
users.groups.domain_auth.members = [
"postfix"
"dovecot2"
];
services.dovecot2 = {
enable = true;
group = "domain_auth";
enableImap = true;
enableLmtp = true;
enablePAM = false;
@ -99,7 +95,7 @@ in
}
protocol lmtp {
postmaster_address=postmaster@kittywit.ch
hostname=${config.network.addresses.public.domain}
hostname=${config.networks.internet.domain_dotless}
mail_plugins = $mail_plugins sieve
}
service auth {
@ -198,7 +194,7 @@ in
sed -e "s!@ldap-password@!$(<${config.secrets.files.dovecot-ldap-password.path})!" ${ldapConfig-services} > /run/dovecot2/ldap-services.conf
'';
networking.firewall.allowedTCPPorts = [
networks.internet.tcp = [
143 # imap
993 # imaps
4190 # sieve

28
services/mail/postfix.nix
View file

@ -1,9 +1,9 @@
{ pkgs, lib, config, tf, ... }:
let
publicCert = "public_${config.networking.hostName}";
publicCert = "daiyousei.kittywit.ch";
ldaps = "ldaps://auth.${config.network.dns.domain}:636";
ldaps = "ldaps://auth.${config.networks.internet.domain_dotless}:636";
virtualRegex = pkgs.writeText "virtual-regex" ''
/^kat\.[^@.]+@kittywit\.ch$/ kat@kittywit.ch
@ -13,8 +13,8 @@ let
'';
helo_access = pkgs.writeText "helo_access" ''
${if tf.state.enable then config.network.addresses.public.nixos.ipv4.selfaddress else ""} REJECT Get lost - you're lying about who you are
${if tf.state.enable then config.network.addresses.public.nixos.ipv6.selfaddress else ""} REJECT Get lost - you're lying about who you are
${if tf.state.enable then config.networks.internet.ipv4 else ""} REJECT Get lost - you're lying about who you are
${if tf.state.enable then config.networks.internet.ipv6 else ""} REJECT Get lost - you're lying about who you are
kittywit.ch REJECT Get lost - you're lying about who you are
dork.dev REJECT Get lost - you're lying about who you are
'';
@ -24,8 +24,6 @@ in {
field = "password";
};
services.redis.enable = true;
secrets.files = {
domains-ldap = {
text = ''
@ -92,8 +90,8 @@ in {
services.postfix = {
enable = true;
enableSubmission = true;
hostname = config.network.addresses.public.domain;
domain = config.network.dns.domain;
hostname = config.networks.internet.domain_dotless;
domain = "kittywit.ch";
masterConfig."465" = {
type = "inet";
@ -117,7 +115,7 @@ in {
extraConfig = ''
smtp_bind_address = ${if tf.state.enable then tf.resources.${config.networking.hostName}.getAttr "private_ip" else ""}
smtp_bind_address6 = ${if tf.state.enable then config.network.addresses.public.nixos.ipv6.selfaddress else ""}
smtp_bind_address6 = ${if tf.state.enable then config.networks.internet.ipv6 else ""}
mailbox_transport = lmtp:unix:private/dovecot-lmtp
masquerade_domains = ldap:${config.secrets.files.domains-ldap.path}
virtual_mailbox_domains = ldap:${config.secrets.files.domains-ldap.path}
@ -146,9 +144,9 @@ in {
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /var/lib/acme/${publicCert}/full.pem
smtpd_tls_key_file = /var/lib/acme/${publicCert}/key.pem
smtpd_tls_CAfile = /var/lib/acme/${publicCert}/fullchain.pem
smtpd_tls_cert_file = ${config.secrets.files."${config.networking.hostName}.kittywit.ch-cert".path}
smtpd_tls_key_file = ${config.secrets.files."${config.networking.hostName}.kittywit.ch-key".path}
smtpd_tls_CAfile = ${config.secrets.files."${config.networking.hostName}.kittywit.ch-cert".path}
smtpd_tls_dh512_param_file = ${config.security.dhparams.params.postfix512.path}
smtpd_tls_dh1024_param_file = ${config.security.dhparams.params.postfix2048.path}
@ -205,8 +203,8 @@ in {
'';
};
systemd.services.postfix.wants = [ "openldap.service" "acme-${publicCert}.service" ];
systemd.services.postfix.after = [ "openldap.service" "acme-${publicCert}.service" "network.target" ];
systemd.services.postfix.wants = [ "openldap.service" ];
systemd.services.postfix.after = [ "openldap.service" "network.target" ];
security.dhparams = {
enable = true;
@ -214,7 +212,7 @@ in {
params.postfix2048.bits = 1024;
};
networking.firewall.allowedTCPPorts = [
networks.internet.tcp = [
25 # smtp
465 # stmps
587 # submission

4
services/mail/sogo.nix
View file

@ -46,8 +46,8 @@
SOGoMailingMechanism = "smtp";
SOGoForceExternalLoginWithEmail = YES;
SOGoSMTPAuthenticationType = PLAIN;
SOGoSMTPServer = "smtps://${config.network.addresses.public.domain}:465";
SOGoIMAPServer = "imaps://${config.network.addresses.public.domain}:993";
SOGoSMTPServer = "smtps://${config.networks.internet.domain_dotless}:465";
SOGoIMAPServer = "imaps://${config.networks.internet.domain_dotless}:993";
SOGoUserSources = (
{
type = ldap;

17
services/murmur.nix
View file

@ -65,8 +65,8 @@ in
package = pkgs.murmur.override (old: { iceSupport = true; });
password = tf.variables.murmur-password.ref;
extraConfig = ''
sslCert=/var/lib/acme/services_murmur/fullchain.pem
sslKey=/var/lib/acme/services_murmur/key.pem
sslCert=${config.networks.internet.cert_path}
sslKey=${config.networks.internet.key_path}
ice="tcp -h 127.0.0.1 -p 6502"
icesecretread=${tf.variables.murmur-ice.ref}
icesecretwrite=${tf.variables.murmur-ice.ref}
@ -106,11 +106,10 @@ in
networks.internet = {
extra_domains = [
"kittywit.ch"
"sync.kittywit.ch"
"voice.kittywit.ch"
];
};
users.groups."domain-auth".members = [ "murmur" ];
# Certs
/*
@ -122,12 +121,6 @@ in
extraDomainNames = [ config.networks.internet.dn ];
};*/
domains.kittywitch-murmur = {
network = "internet";
type = "cname";
domain = "voice";
};
deploy.tf.dns.records = {
services_murmur_tcp_srv = {
inherit (config.networks.internet) zone;
@ -138,7 +131,7 @@ in
priority = 0;
weight = 5;
port = 64738;
target = kittywitch-murmur.target;
inherit (config.networks.internet) target;
};
};
@ -151,7 +144,7 @@ in
priority = 0;
weight = 5;
port = 64738;
target = kittywitch-murmur.target;
inherit (config.networks.internet) target;
};
};
};

9
services/openldap/default.nix
View file

@ -1,6 +1,7 @@
{ config, pkgs, tf, lib, ... }: with lib; {
networks.internet.tcp = [ 636 ];
users.groups.domain-auth.members = [ "openldap" ];
services.openldap = {
enable = true;
urlList = [ "ldap:///" "ldaps:///" ];
@ -9,9 +10,9 @@
objectClass = "olcGlobal";
cn = "config";
olcPidFile = "/run/slapd/slapd.pid";
olcTLSCACertificateFile = "/var/lib/acme/domain-auth/fullchain.pem";
olcTLSCertificateFile = "/var/lib/acme/domain-auth/cert.pem";
olcTLSCertificateKeyFile = "/var/lib/acme/domain-auth/key.pem";
olcTLSCACertificateFile = config.domains.kittywitch-keycloak.cert_path;
olcTLSCertificateFile = config.domains.kittywitch-keycloak.cert_path;
olcTLSCertificateKeyFile = config.domains.kittywitch-keycloak.key_path;
};
children = {
"cn=module" = {
@ -72,7 +73,7 @@
attrs = {
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
olcDatabase = "{1}mdb";
olcDbDirectory = "/var/db/ldap";
olcDbDirectory = "/var/lib/openldap/db";
olcSuffix = "dc=kittywit,dc=ch";
olcRootDN = "cn=root,dc=kittywit,dc=ch";
olcRootPW.path = config.secrets.files.openldap-root-password-file.path;

22
services/prosody.nix
View file

@ -52,10 +52,10 @@ with lib;
'';
virtualHosts = {
"xmpp.kittywit.ch" = {
domain = config.network.dns.domain;
domain = "kittywit.ch";
enabled = true;
ssl.cert = "/var/lib/acme/prosody/fullchain.pem";
ssl.key = "/var/lib/acme/prosody/key.pem";
ssl.cert = config.networks.internet.cert_path;
ssl.key = config.networks.internet.key_path;
};
};
muc = [{ domain = "conference.kittywit.ch"; }];
@ -66,7 +66,7 @@ with lib;
deploy.tf.dns.records = {
services_prosody_muc = {
inherit (config.domains.kittywitch-prosody) zone;
inherit (config.networks.internet) zone;
domain = "conference";
srv = {
service = "xmpp-server";
@ -74,12 +74,12 @@ with lib;
priority = 0;
weight = 5;
port = 5269;
target = config.domains.kittywitch-prosody.target;
target = config.networks.internet.target;
};
};
services_prosody_client_srv = {
inherit (config.domains.kittywitch-prosody) zone;
inherit (config.networks.internet) zone;
domain = "@";
srv = {
service = "xmpp-client";
@ -87,12 +87,12 @@ with lib;
priority = 0;
weight = 5;
port = 5222;
target = config.domains.kittywitch-prosody.target;
target = config.networks.internet.target;
};
};
services_prosody_secure_client_srv = {
inherit (config.domains.kittywitch-prosody) zone;
inherit (config.networks.internet) zone;
domain = "@";
srv = {
service = "xmpps-client";
@ -100,12 +100,12 @@ with lib;
priority = 0;
weight = 5;
port = 5223;
target = config.domains.kittywitch-prosody.target;
target = config.networks.internet.target;
};
};
services_prosody_server_srv = {
inherit (config.domains.kittywitch-prosody) zone;
inherit (config.networks.internet) zone;
domain = "@";
srv = {
service = "xmpp-server";
@ -113,7 +113,7 @@ with lib;
priority = 0;
weight = 5;
port = 5269;
target = config.domains.kittywitch-prosody.target;
target = config.networks.internet.target;
};
};
};

6
services/synapse.nix
View file

@ -228,7 +228,7 @@ CONFIG = {
settings = {
homeserver = {
address = "https://kittywit.ch";
domain = config.network.dns.domain;
domain = "kittywit.ch";
};
appservice = {
provisioning.enabled = false;
@ -294,7 +294,7 @@ CONFIG = {
};
domains.kittywitch-matrix = {
inherit (config.networks.internet) target;
network = "internet";
type = "cname";
domain = "matrix";
};
@ -323,7 +323,7 @@ CONFIG = {
locations = {
"/_matrix" = { proxyPass = "http://[::1]:8008"; };
"= /.well-known/matrix/server".extraConfig =
let server = { "m.server" = "${config.network.dns.domain}:443"; };
let server = { "m.server" = "kittywit.ch:443"; };
in
''
add_header Content-Type application/json;

32
services/syncplay.nix
View file

@ -15,19 +15,10 @@ with lib;
field = fieldAdapt field;
}) [ "pass" "salt" ];
users.users.syncplay = { isSystemUser = true; group = "sync-cert"; };
users.users.syncplay = { isSystemUser = true; group = "domain-auth"; };
users.groups."domain-auth".members = [ "syncplay" ];
security.acme = {
certs."kittywit.ch" = {
postRun = ''
cp key.pem privkey.pem
chown acme:voice-cert privkey.pem
'';
};
};
networks.internet.tcp = [ 8999 ];
domains.kittywitch-syncplay = {
@ -42,20 +33,33 @@ with lib;
SYNCPLAY_SALT=${tf.variables.syncplay-salt.ref}
'';
owner = "syncplay";
group = "sync-cert";
group = "domain-auth";
};
systemd.tmpfiles.rules = [
"d /var/lib/syncplay 0711 syncplay domain-auth 90"
];
networks.internet = {
extra_domains = [
"sync.kittywit.ch"
];
};
systemd.services.syncplay = {
description = "Syncplay Service";
wantedBy = singleton "multi-user.target";
after = singleton "network-online.target";
preStart = ''
cp ${config.networks.internet.cert_path} /var/lib/syncplay/fullchain.pem
cp ${config.networks.internet.key_path} /var/lib/syncplay/privkey.pem
'';
serviceConfig = {
EnvironmentFile = config.secrets.files.syncplay-env.path;
ExecStart =
"${pkgs.syncplay}/bin/syncplay-server --port 8999 --tls /var/lib/acme/sync.${config.network.dns.domain}/ --disable-ready";
"${pkgs.syncplay}/bin/syncplay-server --port 8999 --tls /var/lib/syncplay --disable-ready";
User = "syncplay";
Group = "sync-cert";
Group = "domain-auth";
};
};
}

2
services/vaultwarden.nix
View file

@ -68,7 +68,7 @@
};
domains.kittywitch-vault = {
inherit (config.networks.internet) target;
network = "internet";
type = "cname";
domain = "vault";
};

2
services/website.nix
View file

@ -4,8 +4,6 @@
services.nginx.virtualHosts = {
"kittywit.ch" = {
root = pkgs.gensokyoZone;
enableACME = true;
forceSSL = true;
};
};
}

2
services/weechat.nix
View file

@ -12,9 +12,9 @@
};
domains.kittywitch_irc = {
network = "internet";
domain = "irc";
type = "cname";
inherit (config.networks.internet) target;
};
}

6
services/znc.nix
View file

@ -127,10 +127,10 @@ in
locations = { "/".proxyPass = "http://127.0.0.1:5002"; };
};
deploy.tf.dns.records.services_znc = {
inherit (config.network.dns) zone;
domains.kittywitch_znc = {
network = "internet";
type = "cname";
domain = "znc";
cname = { inherit (config.network.addresses.public) target; };
};
services.znc = {

2
tf

@ -1 +1 @@
Subproject commit c281c5cfbf4529748948974e8f85dd3db8e24995
Subproject commit 6a4d5a1c8ff9ba3a89be70f4a45131c495999038