feat: abstractions rework

Kat Inskip 2022-09-18 10:09:32 -07:00
parent ec7571171b
commit 0a6085cb49
Signed by: kat
GPG key ID: 465E64DECEA8CF0F
48 changed files with 798 additions and 1219 deletions


@ -1,53 +1,50 @@
{ config, lib, meta, pkgs, ... }: with lib; {
deploy.tf.dns.records.services_plex = {
inherit (config.network.dns) zone;
domain = "plex";
cname = { inherit (config.network.addresses.public) target; };
};
deploy.tf.dns.records.services_cloud = {
inherit (config.network.dns) zone;
domain = "cloud";
cname = { inherit (config.network.addresses.public) target; };
};
deploy.tf.dns.records.services_home = {
inherit (config.network.dns) zone;
domain = "home";
cname = { inherit (config.network.addresses.public) target; };
};
deploy.tf.dns.records.gensokyo_home = {
zone = "gensokyo.zone.";
domain = "home";
cname = { inherit (config.network.addresses.public) target; };
};
deploy.tf.dns.records.gensokyo_root_v4 = {
zone = "gensokyo.zone.";
a = { inherit (config.network.addresses.public.tf.ipv4) address; };
};
deploy.tf.dns.records.gensokyo_root_v6 = {
zone = "gensokyo.zone.";
aaaa = { inherit (config.network.addresses.public.tf.ipv6) address; };
domains = {
kittywitch-plex = {
network = "internet";
type = "cname";
domain = "plex";
};
kittywitch-home = {
network = "internet";
type = "cname";
domain = "home";
};
kittywitch-cloud = {
network = "internet";
type = "cname";
domain = "cloud";
};
gensokyo-root = {
network = "internet";
type = "both";
zone = "gensokyo.zone.";
};
gensokyo-home = {
network = "internet";
type = "cname";
domain = "home";
zone = "gensokyo.zone.";
};
gensokyo-z2m = {
network = "internet";
type = "cname";
domain = "z2m";
zone = "gensokyo.zone.";
};
};
services.nginx.virtualHosts = mkMerge [
{
"gensokyo.zone" = {
forceSSL = true;
enableACME = true;
locations."/" = {
root = pkgs.gensokyoZone;
};
};
"home.gensokyo.zone" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://${meta.tailnet.tewi.addresses.ipv4}:8123";
proxyPass = meta.tailnet.tewi.pp 4 8123;
extraConfig = ''
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
@ -56,52 +53,46 @@
};
};
};
"home.${config.network.dns.domain}" = {
forceSSL = true;
enableACME = true;
"home.${config.networking.domain}" = {
locations = {
"/" = {
proxyPass = "http://yukari.ygg.kittywit.ch:8123";
proxyPass = meta.tailnet.yukari.pp 4 8123;
extraConfig = ''
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
proxy_http_version 1.1;
'';
};
};
};
"cloud.${config.network.dns.domain}" = {
forceSSL = true;
enableACME = true;
"cloud.${config.networking.domain}" = {
locations = {
"/".proxyPass = "http://cloud.int.kittywit.ch/";
"/".proxyPass = meta.tailnet.yukari.ppp 4 80 "nextcloud/";
};
};
"plex.${config.network.dns.domain}" = {
forceSSL = true;
enableACME = true;
"plex.${config.networking.domain}" = {
locations = {
"/" = {
proxyPass = "http://[${meta.network.nodes.nixos.yukari.network.addresses.yggdrasil.nixos.ipv6.address}]";
extraConfig = ''
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_redirect off;
proxy_buffering off;
proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
proxy_set_header X-Plex-Device $http_x_plex_device;
proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
proxy_set_header X-Plex-Platform $http_x_plex_platform;
proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
proxy_set_header X-Plex-Product $http_x_plex_product;
proxy_set_header X-Plex-Token $http_x_plex_token;
proxy_set_header X-Plex-Version $http_x_plex_version;
proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
proxy_set_header X-Plex-Provides $http_x_plex_provides;
proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
proxy_set_header X-Plex-Model $http_x_plex_model;
'';
};
proxyPass = meta.tailnet.yukari.pp 4 32400;
extraConfig = ''
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_redirect off;
proxy_buffering off;
proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
proxy_set_header X-Plex-Device $http_x_plex_device;
proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
proxy_set_header X-Plex-Platform $http_x_plex_platform;
proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
proxy_set_header X-Plex-Product $http_x_plex_product;
proxy_set_header X-Plex-Token $http_x_plex_token;
proxy_set_header X-Plex-Version $http_x_plex_version;
proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
proxy_set_header X-Plex-Provides $http_x_plex_provides;
proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
proxy_set_header X-Plex-Model $http_x_plex_model;
'';
};
};
};
}
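Review bot: The rewritten `home.`, `cloud.` and `plex.${config.networking.domain}` hosts appear to have lost `forceSSL = true; enableACME = true;` — the removed lines carried them, while the `gensokyo.zone` hosts in the same hunk keep them. Unless the new `domains` abstraction injects those options into every vhost (not visible here), these three names now answer plain HTTP with no redirect, and the Plex location forwards `X-Plex-Token` taken from an unencrypted request. Adding `forceSSL = true; enableACME = true;` back to each of the three hosts, or asserting it through the shared helper, keeps the previous posture. A short comment on the `pp`/`ppp` proxy targets, e.g. `# upstream reached over the tailnet; TLS terminates here`, would also make the trust boundary explicit for the next reader.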


@ -77,6 +77,5 @@
cp --no-preserve=mode ${config.secrets.files.zigbee2mqtt-secret.path} "${cfg.dataDir}/secret.yaml"
'';
network.firewall.public.tcp.ports = [ 8123 8072 1883 ];
network.firewall.private.tcp.ports = [ 8123 ];
networks.chitei.tcp = [ 8123 8072 1883 ];
}
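Review bot: `networks.chitei.tcp = [ 8123 8072 1883 ];` is now the only firewall opening for Home Assistant on this host, yet the front proxy in this same commit reaches port 8123 over the tailnet (`meta.tailnet.tewi.pp 4 8123` and `meta.tailnet.yukari.pp 4 8123`). The nginx module lists `chitei` and `tailscale` as separate network names, so if this host is one of those proxy targets and `chitei` does not cover the Tailscale interface, the proxied requests will be refused. If 8123 is meant to be LAN-only, a one-line comment saying so would stop someone re-opening it; otherwise add `networks.tailscale.tcp = [ 8123 ];`. Keeping 1883 off the public set is the right move since MQTT on that port is plaintext. The enclosing module starts above the hunk.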


@ -1,8 +1,4 @@
{ config, tf, meta, lib, ... }: with lib; {
dns.zones."inskip.me." = {
provider = "dns.katdns";
};
resources.gmail-mx = let
zone = config.dns.zones."inskip.me.";
in with zone; {
@ -25,11 +21,11 @@
dns.records = {
services_inskip_a = {
zone = "inskip.me.";
a.address = meta.network.nodes.nixos.marisa.network.addresses.public.nixos.ipv4.address;
a.address = meta.networks.internet.members.marisa.ipv4;
};
services_inskip_aaaa = {
zone = "inskip.me.";
aaaa.address = meta.network.nodes.nixos.marisa.network.addresses.public.nixos.ipv6.address;
aaaa.address = meta.networks.internet.members.marisa.ipv6;
};
services_gmail_spf = {
zone = "inskip.me.";
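Review bot: `resources.gmail-mx` still reads `config.dns.zones."inskip.me."` in its `let zone = …` binding, but the only visible declaration of that zone, `dns.zones."inskip.me." = { provider = "dns.katdns"; };`, is removed in the first hunk. Unless the zone is now declared by the new abstraction elsewhere, `with zone;` will fail at evaluation with an attribute-missing error. If it has moved, a `# inskip.me. zone is declared in <module>` comment at the top of this file would save the next reader the search. The `dns.records.*` entries in the second hunk use the literal `zone = "inskip.me.";` and are unaffected either way.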


@ -74,7 +74,7 @@ let
{
element.tcpserversink = {
port = 8989;
host = config.network.addresses.yggdrasil.nixos.ipv6.address;
host = config.networks.tailscale.ipv4;
};
}
];


@ -74,7 +74,7 @@ let
{
element.tcpserversink = {
port = 8990;
host = config.network.addresses.yggdrasil.nixos.ipv6.address;
host = config.networks.tailscale.ipv4;
};
}
];


@ -24,16 +24,15 @@ in {
};
network.extraCerts.domain-auth = "auth.${config.network.dns.domain}";
users.groups.domain-auth.members = [ "nginx" "openldap" "keycloak" ];
security.acme.certs.domain-auth = {
/* security.acme.certs.domain-auth = {
group = "domain-auth";
postRun = ''
${pkgs.adoptopenjdk-jre-bin}/bin/keytool -delete -alias auth.kittywit.ch -keypass ${keystore-pass} -storepass ${keystore-pass} -keystore ./trust-store.jks
${pkgs.adoptopenjdk-jre-bin}/bin/keytool -import -alias auth.${config.network.dns.domain} -noprompt -keystore trust-store.jks -keypass ${keystore-pass} -storepass ${keystore-pass} -file cert.pem
chown acme:domain-auth ./trust-store.jks
'';
};
}; */
users.groups.keycloak = { };
users.users.keycloak = {
@ -63,9 +62,9 @@ in {
};
};
deploy.tf.dns.records.services_keycloak = {
inherit (config.network.dns) zone;
domains.kittywitch-keycloak = {
network = "internet";
type = "cname";
domain = "auth";
cname = { inherit (config.network.addresses.public) target; };
};
}
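Review bot: Commenting out `security.acme.certs.domain-auth` also disables the `postRun` that re-imported the renewed certificate into `trust-store.jks`, so if Keycloak still reads that keystore (not visible here) it will keep trusting the old `auth.*` certificate until someone refreshes it by hand — a silent failure at the next ACME renewal. Either delete the block outright (git history keeps it) or leave a comment stating what replaces it, e.g. `# trust-store refresh removed; auth.* cert now provisioned via network.extraCerts only`. The surviving `users.groups.domain-auth.members = [ "nginx" "openldap" "keycloak" ]` and `network.extraCerts.domain-auth` lines suggest the certificate is still expected, so the group's purpose is worth confirming. If the hook is ever revived, note that it passed `${keystore-pass}` on the `keytool` command line, where it is visible in the process list and in the store-path script; `-storepass:env`/`-storepass:file` avoids that.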


@ -1,8 +1,6 @@
{ config, lib, tf, pkgs, ... }:
{
network.dns.enable = false;
kw.secrets.variables = {
katdns-key-config = {
path = "secrets/katdns";
@ -10,9 +8,9 @@
};
};
network.firewall.public = {
tcp.ports = [ 53 ];
udp.ports = [ 53 ];
networks.internet = {
tcp = [ 53 ];
udp = [ 53 ];
};
/* environment.etc."katdns/zones/gensokyo.zone.zone".text = let


@ -5,8 +5,6 @@ remote:
- id: benjojo-1
address: [ 185.230.223.84, 2a0c:2f07:4896:666:216:3eff:fedb:c742 ]
- id: benjojo-2
address: 185.236.240.26
- id: benjojo-3
address: 185.230.223.7
acl:
@ -14,7 +12,7 @@ acl:
key: dnsupdate.kittywit.ch.
action: update
- id: benjojo
remote: [ benjojo-1, benjojo-2, benjojo-3 ]
remote: [ benjojo-1, benjojo-2 ]
action: transfer
zone:
@ -24,7 +22,7 @@ zone:
file: kittywit.ch.zone
dnssec-signing: on
module: mod-stats
notify: [ benjojo-1, benjojo-2, benjojo-3 ]
notify: [ benjojo-1, benjojo-2 ]
zonefile-load: difference
acl: [ benjojo, dnsupdate ]
- domain: dork.dev
@ -33,7 +31,7 @@ zone:
file: dork.dev.zone
dnssec-signing: on
module: mod-stats
notify: [ benjojo-1, benjojo-2, benjojo-3 ]
notify: [ benjojo-1, benjojo-2 ]
zonefile-load: difference
acl: [ benjojo, dnsupdate ]
- domain: inskip.me
@ -42,7 +40,7 @@ zone:
file: inskip.me.zone
dnssec-signing: on
module: mod-stats
notify: [ benjojo-1, benjojo-2, benjojo-3 ]
notify: [ benjojo-1, benjojo-2 ]
zonefile-load: difference
acl: [ benjojo, dnsupdate ]
- domain: gensokyo.zone
@ -51,7 +49,7 @@ zone:
file: gensokyo.zone.zone
dnssec-signing: on
module: mod-stats
notify: [ benjojo-1, benjojo-2, benjojo-3 ]
notify: [ benjojo-1, benjojo-2 ]
zonefile-load: difference
acl: [ benjojo, dnsupdate ]
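Review bot: The `benjojo` ACL (`remote: [ benjojo-1, benjojo-2 ]`, `action: transfer`) authorises zone transfers by source address only, whereas the `dnsupdate` ACL directly above it is bound to a TSIG key; after this trim the two remaining secondaries are the only addresses allowed, but nothing authenticates them. If the secondary operator supports TSIG, adding `key: <name>` to each `benjojo-*` remote and to the ACL closes that gap and also authenticates the NOTIFYs sent from the `notify:` lists. Dropping `benjojo-3` here does not remove it from the zones' NS records (the zone files are not in this diff), so if it is still listed it will keep answering with whatever stale copy it last received; check `kittywit.ch.zone`, `dork.dev.zone`, `inskip.me.zone` and `gensokyo.zone.zone` for the matching NS entry.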


@ -7,11 +7,9 @@ let
forking = (cfg.logFile != null);
in
{
network.firewall = {
public = {
tcp.ports = singleton 64738;
udp.ports = singleton 64738;
};
networks.internet = {
tcp = singleton 64738;
udp = singleton 64738;
};
kw.secrets.variables = {
@ -107,26 +105,24 @@ in
};
# Certs
network.extraCerts.services_murmur = "voice.${config.network.dns.domain}";
/*
network.extraCerts.services_murmur = "voice.${config.net";
users.groups."voice-cert".members = [ "nginx" "murmur" ];
security.acme.certs.services_murmur = {
group = "voice-cert";
postRun = "systemctl restart murmur";
extraDomainNames = [ config.network.dns.domain ];
extraDomainNames = [ config.networks.internet.dn ];
};*/
domains.kittywitch-murmur = {
network = "internet";
type = "cname";
domain = "voice";
};
# DNS
deploy.tf.dns.records = {
services_murmur = {
inherit (config.network.dns) zone;
domain = "voice";
cname = { inherit (config.network.addresses.public) target; };
};
services_murmur_tcp_srv = {
inherit (config.network.dns) zone;
inherit (config.networks.internet) zone;
domain = "@";
srv = {
service = "mumble";
@ -134,12 +130,12 @@ in
priority = 0;
weight = 5;
port = 64738;
target = "voice.${config.network.dns.zone}";
target = kittywitch-murmur.target;
};
};
services_murmur_udp_srv = {
inherit (config.network.dns) zone;
inherit (config.networks.internet) zone;
domain = "@";
srv = {
service = "mumble";
@ -147,7 +143,7 @@ in
priority = 0;
weight = 5;
port = 64738;
target = "voice.${config.network.dns.zone}";
target = kittywitch-murmur.target;
};
};
};
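Review bot: `target = kittywitch-murmur.target;` in both SRV records refers to `kittywitch-murmur` as a bare identifier, but it is only defined as the attribute `domains.kittywitch-murmur` in a non-`rec` set; unless a `let` binding above the hunk introduces that name, this is an undefined-variable error at evaluation. The prosody module in this same commit spells it `config.domains.kittywitch-prosody.target`, so `target = config.domains.kittywitch-murmur.target;` would be both valid and consistent. Separately, commenting out `security.acme.certs.services_murmur` drops the `postRun = "systemctl restart murmur"` hook and the `voice-cert` group, so murmur no longer receives a renewed `voice.*` certificate from ACME; if that is intentional, a comment where the block used to be should say what murmur now serves. The module's `let` begins above the first hunk.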


@ -1,12 +1,6 @@
{ config, pkgs, lib, tf, kw, ... }: with lib; let
cfg = config.services.nextcloud;
in {
deploy.tf.dns.records.services_internal_cloud = {
inherit (config.network.dns) zone;
domain = "cloud.int";
cname = { inherit (config.network.addresses.yggdrasil) target; };
};
kw.secrets.variables =
mapListToAttrs
(field:
@ -53,27 +47,27 @@ in {
};
};
services.nginx.virtualHosts."cloud.kittywit.ch".extraConfig = mkForce ''
index index.php index.html /index.php$request_uri;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Frame-Options sameorigin;
add_header Referrer-Policy no-referrer;
client_max_body_size ${cfg.maxUploadSize};
fastcgi_buffers 64 4K;
fastcgi_hide_header X-Powered-By;
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
${optionalString cfg.webfinger ''
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
''}
'';
services.nginx.virtualHosts."${config.networks.tailscale.ipv4}".locations."/nextcloud".extraConfig = mkForce ''
index index.php index.html /index.php$request_uri;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Frame-Options sameorigin;
add_header Referrer-Policy no-referrer;
client_max_body_size ${cfg.maxUploadSize};
fastcgi_buffers 64 4K;
fastcgi_hide_header X-Powered-By;
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
${optionalString cfg.webfinger ''
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
''}
'';
}
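Review bot: Moving this `extraConfig` under `locations."/nextcloud"` leaves the two webfinger rewrites anchored at `^/.well-known/host-meta`, which can never match a request inside `location /nextcloud` (every URI there begins with `/nextcloud/`), and their `/public.php?service=…` targets point at the vhost root rather than `/nextcloud/public.php`; the `index … /index.php$request_uri` fallback has the same mismatch. If Nextcloud is really served from the `/nextcloud` sub-path, the rewrites need `^/nextcloud/.well-known/host-meta` → `/nextcloud/public.php?service=host-meta` (and `-json`), and Nextcloud's `overwritewebroot` must agree. Because `add_header` directives in a location replace rather than extend the server-level set, any other location on the `${config.networks.tailscale.ipv4}` vhost will lack `X-Content-Type-Options`/`X-Frame-Options` unless the vhost sets them at server level; and since TLS now terminates at the front proxy, HSTS belongs there, not here. `X-XSS-Protection` is obsolete in current browsers and can be dropped.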


@ -3,9 +3,8 @@
with lib;
{
network.firewall = {
private.tcp.ports = [ 111 2049 ];
public.tcp.ports = [ 111 2049 ];
networks.chitei = {
tcp = [ 111 2049 ];
};
services.nfs.server.enable = true;
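Review bot: `networks.chitei = { tcp = [ 111 2049 ]; }` opens TCP only; the old `private`/`public` sets were TCP-only as well, but NFSv3 clients also need rpcbind on `udp/111` plus the mountd/statd/lockd ports, which are randomly assigned unless pinned (the NixOS module exposes `mountdPort`/`statdPort`/`lockdPort` for that — confirm against the module version in use). If every client mounts with `vers=4`, 2049 alone is enough and 111 can go; a comment such as `# NFSv4 only — 2049 is all clients need` would record the decision. Taking these ports off the `internet` set is the right call regardless: nothing here configures Kerberos, so the export trusts client-supplied UIDs.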


@ -12,10 +12,11 @@ with lib;
'';
};
network.firewall = {
public.tcp.ports = [ 443 80 ];
private.tcp.ports = [ 443 80 ];
};
networks = genAttrs [ "chitei" "gensokyo" "internet" "tailscale" ] (_: {
# NGINX
tcp = [ 80 443 ];
udp = [ 80 443 ];
});
services.nginx = {
enable = true;
@ -39,8 +40,7 @@ with lib;
};
security.acme = {
defaults.email = config.network.dns.email;
#email = config.network.dns.email;
defaults.email = "kat@inskip.me";
acceptTerms = true;
};
}
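Review bot: `udp = [ 80 443 ];` opens UDP on all four networks although nothing in this commit enables HTTP/3 (`listen … quic`); udp/80 has no HTTP use at all, and udp/443 only matters once QUIC is configured. Drop the `udp` line, or narrow it to `udp = [ 443 ]; # HTTP/3 (QUIC)` when that is actually turned on. The hard-coded `defaults.email = "kat@inskip.me";` with the old expression left commented above it should either become a reference to the new abstraction or lose the dead line.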


@ -1,5 +1,5 @@
{ config, pkgs, tf, lib, ... }: with lib; {
network.firewall.public.tcp.ports = [ 636 ];
networks.internet.tcp = [ 636 ];
services.openldap = {
enable = true;


@ -1,6 +1,6 @@
{ config, kw, pkgs, lib, ... }: {
network.firewall.public.tcp.ports = [ 32400 ];
services = {
networks.chitei.tcp = [ 32400 ];
services = {
plex = {
enable = true;
package = pkgs.plex.overrideAttrs (x: let
@ -16,28 +16,5 @@
}
);
};
nginx.virtualHosts."plex.kittywit.ch".locations."/" = {
proxyPass = "http://127.0.0.1:32400";
extraConfig = ''
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_redirect off;
proxy_buffering off;
proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
proxy_set_header X-Plex-Device $http_x_plex_device;
proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
proxy_set_header X-Plex-Platform $http_x_plex_platform;
proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
proxy_set_header X-Plex-Product $http_x_plex_product;
proxy_set_header X-Plex-Token $http_x_plex_token;
proxy_set_header X-Plex-Version $http_x_plex_version;
proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
proxy_set_header X-Plex-Provides $http_x_plex_provides;
proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
proxy_set_header X-Plex-Model $http_x_plex_model;
'';
};
};
}
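Review bot: `networks.chitei.tcp = [ 32400 ];` is now the only firewall opening for Plex on this host, but the front proxy in this same commit reaches Plex at `meta.tailnet.yukari.pp 4 32400`, i.e. over the Tailscale interface; the nginx module lists `chitei` and `tailscale` as distinct network names, so unless `chitei` includes the Tailscale interface the proxied `plex.${config.networking.domain}` requests will be refused. Add `networks.tailscale.tcp = [ 32400 ];` (or reuse the `genAttrs` pattern the nginx module uses) if that path is meant to work. With the local `plex.kittywit.ch` vhost gone, TLS for Plex now terminates on the proxy host and `X-Plex-Token` crosses the tailnet in clear HTTP — acceptable inside WireGuard, but worth a comment on the remaining `services.plex` block so nobody later re-adds a public listener for 32400.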


@ -3,7 +3,7 @@
with lib;
{
network.firewall.public.tcp.ports = [
networks.internet.tcp = [
5000
5222
5223
@ -65,33 +65,29 @@ with lib;
[ config.network.dns.domain "upload.${config.network.dns.domain}" "conference.${config.network.dns.domain}" ];
};
domains = rec {
kittywitch-prosody = {
network = "internet";
type = "both";
domain = "xmpp";
};
kittywitch-prosody-upload = {
network = "internet";
type = "cname";
domain = "upload";
cname.target = kittywitch-prosody.target;
};
kittywitch-prosody-conference = {
network = "internet";
type = "cname";
domain = "conference";
cname.target = kittywitch-prosody.target;
};
};
deploy.tf.dns.records = {
services_prosody_xmpp = {
inherit (config.network.dns) zone;
domain = "xmpp";
a.address = config.network.addresses.public.nixos.ipv4.selfaddress;
};
services_prosody_xmpp_v6 = {
inherit (config.network.dns) zone;
domain = "xmpp";
aaaa.address = config.network.addresses.public.nixos.ipv6.selfaddress;
};
services_prosody_upload = {
inherit (config.network.dns) zone;
domain = "upload";
cname.target = "xmpp.${config.network.dns.zone}";
};
services_prosody_conference = {
inherit (config.network.dns) zone;
domain = "conference";
cname.target = "xmpp.${config.network.dns.zone}";
};
services_prosody_muc = {
inherit (config.network.dns) zone;
inherit (config.domains.kittywitch-prosody) zone;
domain = "conference";
srv = {
service = "xmpp-server";
@ -99,12 +95,12 @@ with lib;
priority = 0;
weight = 5;
port = 5269;
target = "xmpp.${config.network.dns.zone}";
target = config.domains.kittywitch-prosody.target;
};
};
services_prosody_client_srv = {
inherit (config.network.dns) zone;
inherit (config.domains.kittywitch-prosody) zone;
domain = "@";
srv = {
service = "xmpp-client";
@ -112,12 +108,12 @@ with lib;
priority = 0;
weight = 5;
port = 5222;
target = "xmpp.${config.network.dns.zone}";
target = config.domains.kittywitch-prosody.target;
};
};
services_prosody_secure_client_srv = {
inherit (config.network.dns) zone;
inherit (config.domains.kittywitch-prosody) zone;
domain = "@";
srv = {
service = "xmpps-client";
@ -125,12 +121,12 @@ with lib;
priority = 0;
weight = 5;
port = 5223;
target = "xmpp.${config.network.dns.zone}";
target = config.domains.kittywitch-prosody.target;
};
};
services_prosody_server_srv = {
inherit (config.network.dns) zone;
inherit (config.domains.kittywitch-prosody) zone;
domain = "@";
srv = {
service = "xmpp-server";
@ -138,7 +134,7 @@ with lib;
priority = 0;
weight = 5;
port = 5269;
target = "xmpp.${config.network.dns.zone}";
target = config.domains.kittywitch-prosody.target;
};
};
};
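Review bot: The `rec { … }` for `domains` is the right shape (it lets `-upload` and `-conference` reuse `kittywitch-prosody.target`), but the first context line of the second hunk, `[ config.network.dns.domain "upload.${config.network.dns.domain}" "conference.${config.network.dns.domain}" ]`, still reads `config.network.dns.domain` while the rest of the commit migrates vhost names to `config.networking.domain` and DNS data to `config.networks.internet.*`. If `network.dns` is removed by this rework, that line fails to evaluate; if it is kept, a comment on it naming the canonical option (`# keep in sync with domains.kittywitch-prosody`) would stop the two spellings drifting so that the XMPP certificate names and the DNS records disagree. The prosody block extends beyond the hunk in both directions.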


@ -28,17 +28,17 @@ with lib;
};
};
network.firewall.public.tcp.ports = singleton 8999;
networks.internet.tcp = [ 8999 ];
services.nginx.virtualHosts."sync.${config.network.dns.domain}" = {
enableACME = true;
forceSSL = true;
};
deploy.tf.dns.records.services_syncplay = {
inherit (config.network.dns) zone;
domains.kittywitch-syncplay = {
network = "internet";
type = "cname";
domain = "sync";
cname = { inherit (config.network.addresses.public) target; };
};
secrets.files.syncplay-env = {
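Review bot: `services.nginx.virtualHosts."sync.${config.network.dns.domain}"` is left on the old `config.network.dns.domain` option while the new `domains.kittywitch-syncplay` entry and the other vhosts in this commit derive names from `config.networking.domain`; if the rework removes `network.dns` this vhost name fails to evaluate, and if not, the two spellings can drift so that the ACME certificate is issued for a name other than the one the CNAME points at. Using one source for both — `"sync.${config.networking.domain}"`, or the target computed by the `domains` entry — keeps the cert, the CNAME and the firewall entry in agreement. The vhost has `forceSSL`/`enableACME` but no locations, so presumably it exists only to obtain the certificate for the syncplay listener on 8999; a comment saying so would help.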


@ -7,14 +7,13 @@
users.users.tvheadend.group = "tvheadend";
users.groups.tvheadend = {};
network.firewall = {
private = {
tcp.ports = [ 9981 9982 ];
};
public = {
tcp.ports = [ 9981 9982 ];
};
};
networks.internet = {
tcp = [
9981
9982
5009
];
};
systemd.services.antennas = {
wantedBy = [ "plex.service" ];
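Review bot: `5009` is newly added to the `internet` set with no note of what listens there; 9981 and 9982 are Tvheadend's web UI and HTSP ports and were already public, but 5009 appears nowhere else in this diff. If it belongs to the `antennas` service defined just below — which, judging by `wantedBy = [ "plex.service" ]`, only Plex on the same network consumes — it should sit on `chitei` like Plex's own 32400 rather than on the internet; either way a comment per port (`9981 # tvheadend web`, `9982 # htsp`, `5009 # …`) would make the exposure reviewable. Exposing the Tvheadend UI on plaintext 9981 predates this commit, but this rework is the moment to move it behind the nginx proxy like the other services.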


@ -1,8 +1,6 @@
{ config, lib, pkgs, ... }:
{
network.dns.isRoot = true;
services.nginx.virtualHosts = {
"${config.network.dns.domain}" = {
root = pkgs.gensokyoZone;


@ -48,7 +48,8 @@ let
in
{
network.firewall.public.tcp.ports = singleton 5001;
# ZNC
networks.internet.tcp = singleton 5001;
kw.secrets.variables =
let