feat: i forgor o:

This commit is contained in:
Kat Inskip 2022-09-23 17:57:57 -07:00
parent 0eb5e3bdd7
commit 15519ad70d
Signed by: kat
GPG key ID: 465E64DECEA8CF0F
34 changed files with 552 additions and 265 deletions


@ -0,0 +1,6 @@
{
"storage_version": 1,
"cookie_secret": "01549d59c31ba18263ed0136121dafffb05a163935286f08a145ae33238cc4fbc2b7b123e65af03de968683ee133707f87ffdf750299417375c26b87ec00f1ef",
"last_update_check": null,
"remote_version": null
}
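Review bot: `cookie_secret` on line 16 is a live secret committed in clear text, and since this commit is signed and part of history, deleting the line later will not retract the value. It should be regenerated and the existing value treated as exposed, with the file either excluded from the repository or fed through the same secrets path the rest of this commit uses (`kw.secrets.variables` / `secrets.files`). The other keys (`storage_version`, `last_update_check`, `remote_version`) look like tool-managed state rather than configuration, which suggests the whole file was added by accident.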


@ -4,7 +4,7 @@
type = "resource"; type = "resource";
connection = { connection = {
port = lib.head config.services.openssh.ports; port = lib.head config.services.openssh.ports;
host = config.networks.gensokyo.ipv4 or config.networks.chitei.ipv4; host = if config.networks.gensokyo.interfaces != [] then config.networks.gensokyo.ipv4 else config.networks.chitei.ipv4;
}; };
}; };
} }


@ -20,5 +20,7 @@
jmtpfs jmtpfs
element-desktop element-desktop
cryptsetup cryptsetup
esphome
kicad
]; ];
} }


@ -7,21 +7,16 @@
controlPersist = "10m"; controlPersist = "10m";
hashKnownHosts = true; hashKnownHosts = true;
compression = true; compression = true;
/*TODO: revisit this matchBlocks = lib.mapAttrs (host: data: {
matchBlocks = port = lib.head meta.networks.tailscale.member_configs.${host}.services.openssh.ports;
let hostname = data.ipv4;
common = { forwardAgent = true;
forwardAgent = true; extraOptions = {
extraOptions = { RemoteForward = (lib.concatStringsSep " " [
RemoteForward = "/run/user/1000/gnupg/S.gpg-agent"
"/run/user/1000/gnupg/S.gpg-agent /run/user/1000/gnupg/S.gpg-agent.extra"; "/run/user/1000/gnupg/S.gpg-agent.extra"
}; ]);
port = 62954; };
}; }) meta.networks.tailscale.members;
in
(lib.foldAttrList (map
(network:
lib.mapAttrs (_: v: { hostname = v.domain; } // common) (lib.filterAttrs (_: v: v.enable) (lib.mapAttrs (_: v: v.network.addresses.${network}) meta.network.nodes.nixos))
) [ "private" "public" ]));*/
}; };
} }
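Review bot: The new `matchBlocks` sets `forwardAgent = true` and a `RemoteForward` of both gpg-agent sockets for every entry in `meta.networks.tailscale.members`, so any one of those hosts can use the local SSH and GPG agents for as long as a session is open. If only some members need agent access, keep the default off and enable it in a per-host override, or filter the attribute set before `lib.mapAttrs`. The `port = lib.head meta.networks.tailscale.member_configs.${host}.services.openssh.ports` lookup also aborts evaluation for any member without an openssh configuration, if such members exist; `meta.networks.tailscale.member_configs.${host}.services.openssh.ports or [ 22 ]` would keep evaluation alive with the standard port.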


@ -287,7 +287,10 @@ require('bufferline').setup {
right_mouse_command = "bdelete! %d", -- can be a string | function, see "Mouse actions" right_mouse_command = "bdelete! %d", -- can be a string | function, see "Mouse actions"
left_mouse_command = "buffer %d", -- can be a string | function, see "Mouse actions" left_mouse_command = "buffer %d", -- can be a string | function, see "Mouse actions"
middle_mouse_command = nil, -- can be a string | function, see "Mouse actions" middle_mouse_command = nil, -- can be a string | function, see "Mouse actions"
indicator_icon = '', indicator = {
icon = '',
style = 'icon',
},
buffer_close_icon = '', buffer_close_icon = '',
modified_icon = '', modified_icon = '',
close_icon = '', close_icon = '',


@ -23,8 +23,6 @@
"pulseaudio" "pulseaudio"
"custom/headset-icon" "custom/headset-icon"
"custom/headset" "custom/headset"
"custom/mail-icon"
"custom/mail"
"custom/cpu-icon" "custom/cpu-icon"
"cpu" "cpu"
"custom/memory-icon" "custom/memory-icon"
@ -33,7 +31,8 @@
"temperature" "temperature"
"battery#icon" "battery#icon"
"battery" "battery"
"backlight#icon" "battery#icon"
"backlight"
"backlight" "backlight"
"network" "network"
"idle_inhibitor" "idle_inhibitor"
@ -60,10 +59,13 @@
icon-size = 12; icon-size = 12;
spacing = 2; spacing = 2;
}; };
backlight = { "backlight#icon" = {
format = "{icon} {percent}%"; format = "{icon}";
format-icons = ["" ""]; format-icons = ["" ""];
}; };
backlight = {
format = "{percent}%";
};
"custom/gpg-status" = { "custom/gpg-status" = {
format = "{}"; format = "{}";
interval = 300; interval = 300;
@ -91,12 +93,6 @@
on-click-right = "systemctl --user restart konawall"; on-click-right = "systemctl --user restart konawall";
signal = 8; signal = 8;
}; };
"custom/mail-icon".format = "";
"custom/mail" = {
format = "{}";
interval = 30;
exec = "${pkgs.notmuch-arc}/bin/notmuch count tag:flagged OR tag:inbox AND NOT tag:killed";
};
"custom/cpu-icon".format = ""; "custom/cpu-icon".format = "";
cpu.format = "{usage}%"; cpu.format = "{usage}%";
"custom/memory-icon".format = ""; "custom/memory-icon".format = "";
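Review bot: If I read the rendered diff correctly, line 97 replaces `"backlight#icon"` with `"battery#icon"` and line 98 adds `"backlight"`, so the new module list carries both `"battery#icon"` and `"backlight"` twice and never lists `"backlight#icon"`, although that module is defined a few lines later (line 106). The intended change is probably `"backlight#icon"` followed by a single `"backlight"`; worth checking against the file, since a duplicated module name is easy to miss in waybar's output.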


@ -29,11 +29,11 @@ in {
}; };
pp = mkOption { pp = mkOption {
type = types.unspecified; type = types.unspecified;
default = family: port: "http://${config."ipv${toString family}"}:${toString port}"; default = family: port: "http://${config."ipv${toString family}"}:${toString port}/";
}; };
ppp = mkOption { ppp = mkOption {
type = types.unspecified; type = types.unspecified;
default = family: port: path: "http://${config."ipv${toString family}"}/${path}:${toString port}"; default = family: port: path: "http://${config."ipv${toString family}"}:${toString port}/${path}";
}; };
tags = mkOption { tags = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
@ -76,6 +76,7 @@ in {
"${bitw}/bin/bitw get"; "${bitw}/bin/bitw get";
deploy.targets.dummy.enable = false; deploy.targets.dummy.enable = false;
deploy.targets.marisa.tf.terraform.refreshOnApply = false;
_module.args.pkgs = lib.mkDefault pkgs; _module.args.pkgs = lib.mkDefault pkgs;
}; };
} }


@ -10,8 +10,16 @@
type = nullOr str; type = nullOr str;
default = nixos.networking.hostName; default = nixos.networking.hostName;
}; };
owner = mkOption {
type = str;
default = "nginx";
};
group = mkOption {
type = str;
default = "domain-auth";
};
network = mkOption { network = mkOption {
type = nullOr str; type = unspecified;
default = "internet"; default = "internet";
}; };
type = mkOption { type = mkOption {
@ -22,6 +30,10 @@
"cname" "cname"
]; ];
}; };
create_cert = mkOption {
type = bool;
default = true;
};
domain = mkOption { domain = mkOption {
type = nullOr str; type = nullOr str;
default = "${nixos.networking.hostName}${if config.prefix != null then ".${config.prefix}" else ""}"; default = "${nixos.networking.hostName}${if config.prefix != null then ".${config.prefix}" else ""}";
@ -42,7 +54,7 @@
type = nullOr str; type = nullOr str;
default = if (config.type == "cname" && config.host != nixos.networking.hostName) then default = if (config.type == "cname" && config.host != nixos.networking.hostName) then
meta.network.nodes.nixos.${config.host}.networks.${config.network}.target meta.network.nodes.nixos.${config.host}.networks.${config.network}.target
else "${config.domain}.${config.zone}"; else "${if config.domain == null then "" else "${config.domain}."}${config.zone}";
}; };
}; };
})); }));
@ -126,6 +138,11 @@
type = bool; type = bool;
default = false; default = false;
}; };
extra_domains = mkOption {
type = listOf str;
description = "Domains to add to the certificate generated for this network.";
default = [];
};
domain = mkOption { domain = mkOption {
type = nullOr str; type = nullOr str;
default = "${nixos.networking.hostName}${if config.prefix != null then ".${config.prefix}" else ""}"; default = "${nixos.networking.hostName}${if config.prefix != null then ".${config.prefix}" else ""}";
@ -146,13 +163,17 @@
})); }));
}; };
}; };
config = { config = let
sane_networks = lib.filterAttrs (network: settings: settings.interfaces != []) config.networks;
in {
networks = { networks = {
internet = { internet = {
zone = mkDefault "kittywit.ch.";
create_domain = true; create_domain = true;
}; };
chitei = { chitei = {
create_domain = true; zone = mkDefault "kittywit.ch.";
create_domain = false;
}; };
gensokyo = { gensokyo = {
zone = mkDefault "gensokyo.zone."; zone = mkDefault "gensokyo.zone.";
@ -182,8 +203,8 @@
domains' = map (family: mapAttrs' (name: settings: let domains' = map (family: mapAttrs' (name: settings: let
network = if settings.host != config.networking.hostName then network = if settings.host != config.networking.hostName then
meta.network.nodes.nixos.${settings.host}.networks.${settings.network} meta.network.nodes.nixos.${settings.host}.networks.${settings.network}
else config.networks.${settings.network}; else sane_networks.${settings.network};
in nameValuePair "${settings.network}-${if settings.type == "both" || settings.type == family then family else settings.type}-${settings.domain}-${settings.zone}" ({ in nameValuePair "${settings.network}-${if settings.type == "both" || settings.type == family then family else settings.type}-${if settings.domain == null then "root" else settings.domain}-${settings.zone}" ({
inherit (settings) domain zone; inherit (settings) domain zone;
enable = mkDefault false; enable = mkDefault false;
} // (optionalAttrs (settings.type == "cname" && family == "ipv4") { } // (optionalAttrs (settings.type == "cname" && family == "ipv4") {
@ -200,9 +221,21 @@
a.address = network.ipv4; a.address = network.ipv4;
enable = mkForce network.ipv4_defined; enable = mkForce network.ipv4_defined;
}))) domains) address_families; }))) domains) address_families;
networks = config.networks; networks = sane_networks;
# Networks to actually create domains for # Networks to actually create domains for
networks' = filterAttrs (_: settings: settings.create_domain) networks; networks' = filterAttrs (_: settings: settings.create_domain) networks;
# Extra domains to automatically be cnamed
extraDomainedNetworks = filterAttrs (_: settings: settings.extra_domains != []) networks';
extraDomains = listToAttrs (concatLists (mapAttrsToList (network: settings:
map (domain: let
split_domain = splitString "." domain;
isRoot = (length split_domain) == 2;
in nameValuePair "${network}-cname-${if isRoot then "root" else elemAt split_domain (length split_domain -2)}-${concatStringsSep "." (sublist (length split_domain - 2) (length split_domain) split_domain)}." {
zone = "${concatStringsSep "." (sublist (length split_domain - 2) (length split_domain) split_domain)}.";
domain = if isRoot then null
else elemAt split_domain (length split_domain - 2);
cname = { inherit (settings) target; };
}) settings.extra_domains) extraDomainedNetworks));
# Merge the result of a map upon address_families to mapAttrs' # Merge the result of a map upon address_families to mapAttrs'
networks'' = map (family: mapAttrs' (network: settings: networks'' = map (family: mapAttrs' (network: settings:
nameValuePair "${network}-${family}-${settings.domain}-${settings.zone}" ({ nameValuePair "${network}-${family}-${settings.domain}-${settings.zone}" ({
@ -216,7 +249,7 @@
a.address = settings.ipv4; a.address = settings.ipv4;
}) })
)) networks') address_families; )) networks') address_families;
in mkMerge (networks'' ++ domains'); in mkMerge (networks'' ++ domains' ++ [ extraDomains ]);
acme = let acme = let
home = meta.deploy.targets.home.tf; home = meta.deploy.targets.home.tf;
@ -236,13 +269,13 @@
}; };
}; };
certs = let certs = let
hostnames = (attrValues (mapAttrs (network: settings: removeSuffix "." settings.target) config.networks)) nvP = network: settings: nameValuePair "${removeSuffix "." settings.target}" {
++ (attrValues (mapAttrs (network: settings: removeSuffix "." settings.target) config.domains)); keyType = "4096";
in listToAttrs (map (hostname: dnsNames = [ (removeSuffix "." settings.target) ] ++ (lib.optionals (settings ? extra_domains) settings.extra_domains);
nameValuePair hostname { };
keyType = "4096"; network_certs = mapAttrs' nvP sane_networks;
dnsNames = singleton hostname; domain_certs = mapAttrs' nvP (filterAttrs (network: settings: settings.create_cert) config.domains);
}) hostnames); in network_certs // domain_certs;
}; };
variables = { variables = {
@ -271,39 +304,60 @@
}; };
secrets.files = let secrets.files = let
hostnames = (attrValues (mapAttrs (network: settings: removeSuffix "." settings.target) config.networks)) fixedTarget = settings: removeSuffix "." settings.target;
++ (attrValues (mapAttrs (network: settings: removeSuffix "." settings.target) config.domains)); networks = mapAttrs' (network: settings:
in listToAttrs (map (hostname: nameValuePair "${fixedTarget settings}-cert" {
nameValuePair "${hostname}-cert" { text = tf.acme.certs.${fixedTarget settings}.out.refFullchainPem;
text = tf.acme.certs.${hostname}.out.refFullchainPem; owner = "nginx";
owner = "nginx"; group = "domain-auth";
group = "domain-auth"; }
}) hostnames) // listToAttrs (map (hostname: ) sane_networks;
nameValuePair "${hostname}-key" { networks' = mapAttrs' (network: settings:
text = tf.acme.certs.${hostname}.out.refPrivateKeyPem; nameValuePair "${fixedTarget settings}-key" {
owner = "nginx"; text = tf.acme.certs.${fixedTarget settings}.out.refPrivateKeyPem;
group = "domain-auth"; owner = "nginx";
}) hostnames); group = "domain-auth";
}
) sane_networks;
domains = mapAttrs' (network: settings:
nameValuePair "${fixedTarget settings}-cert" {
text = tf.acme.certs.${fixedTarget settings}.out.refFullchainPem;
owner = settings.owner;
group = settings.group;
}
) (filterAttrs (network: settings: settings.create_cert) config.domains);
domains' = mapAttrs' (network: settings:
nameValuePair "${fixedTarget settings}-key" {
text = tf.acme.certs.${fixedTarget settings}.out.refPrivateKeyPem;
owner = settings.owner;
group = settings.group;
}
) (filterAttrs (network: settings: settings.create_cert) config.domains);
in networks // networks' // domains // domains';
services.nginx.virtualHosts = let services.nginx.virtualHosts = let
hostnames = (attrValues (mapAttrs (network: settings: removeSuffix "." settings.target) config.networks)) networkVirtualHosts = concatLists (mapAttrsToList (network: settings: map(domain: nameValuePair domain {
++ (attrValues (mapAttrs (network: settings: removeSuffix "." settings.target) config.domains)); forceSSL = true;
in listToAttrs (map (hostname: sslCertificate = config.secrets.files."${removeSuffix "." settings.target}-cert".path;
nameValuePair hostname { sslCertificateKey = config.secrets.files."${removeSuffix "." settings.target}-key".path;
forceSSL = true; }) ([ settings.target ] ++ settings.extra_domains)) sane_networks);
sslCertificate = config.secrets.files."${hostname}-cert".path; domainVirtualHosts = (attrValues (mapAttrs (network: settings: removeSuffix "." settings.target) config.domains));
sslCertificateKey = config.secrets.files."${hostname}-key".path; domainVirtualHosts' = (map (hostname:
}) hostnames); nameValuePair hostname {
forceSSL = true;
sslCertificate = config.secrets.files."${hostname}-cert".path;
sslCertificateKey = config.secrets.files."${hostname}-key".path;
}) domainVirtualHosts);
in listToAttrs (networkVirtualHosts ++ (lib.optionals config.services.nginx.enable domainVirtualHosts'));
users.groups.domain-auth = { users.groups.domain-auth = {
gid = 10600; gid = 10600;
members = [ "nginx" "openldap" "keycloak" ];
}; };
networking.firewall = { networking.firewall = {
interfaces = mkMerge (mapAttrsToList (network: settings: interfaces = mkMerge (mapAttrsToList (network: settings:
genAttrs settings.interfaces (_: { allowedTCPPortRanges = settings.tcp; allowedUDPPortRanges = settings.udp; }) genAttrs settings.interfaces (_: { allowedTCPPortRanges = settings.tcp; allowedUDPPortRanges = settings.udp; })
) (removeAttrs config.networks ["tailscale"])); ) (removeAttrs sane_networks ["tailscale"]));
trustedInterfaces = [ "tailscale0" ]; trustedInterfaces = [ "tailscale0" ];
allowedTCPPorts = [ 5200 ]; allowedTCPPorts = [ 5200 ];
allowedUDPPorts = [ config.services.tailscale.port ]; allowedUDPPorts = [ config.services.tailscale.port ];
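Review bot: Every certificate private key written under `secrets.files` for the networks (lines 283–286) is owned `nginx:domain-auth`, and line 320 now puts `openldap` and `keycloak` into that group (with `postfix` added elsewhere in this commit), so each of those services can read the key of every network certificate, not just the one it serves — assuming the files are group-readable, which depends on a `secrets.files` mode default not visible here. The per-domain `owner`/`group` options this hunk introduces (lines 158–165, 292–293, 299–300) are the right tool; using them so that the shared group only holds what the non-nginx services actually need would keep a compromise of one service to its own key. Separately, line 309 uses `settings.target` unchanged as the virtualHost name while the cert lookups two lines below strip the trailing dot with `removeSuffix "."`; if `target` keeps its trailing dot, the resulting `server_name` will not match the `Host` header browsers send, so confirm the intended value. The enclosing `config` attribute set starts and ends outside these hunks.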


@ -1,24 +1,15 @@
{ meta, config, pkgs, lib, ... }: with lib; { { meta, config, pkgs, lib, ... }: with lib; {
imports = with meta; [ imports = with meta; [
hardware.x270 hardware.x270
hardware.local
nixos.gui nixos.gui
nixos.light nixos.light
nixos.network nixos.network
services.nginx
home.gui home.gui
]; ];
config = { config = {
deploy.tf = {
resources.koishi = {
provider = "null";
type = "resource";
connection = {
port = head config.services.openssh.ports;
host = config.networks.gensokyo.ipv4;
};
};
};
programs.ssh.extraConfig = '' programs.ssh.extraConfig = ''
Host daiyousei-build Host daiyousei-build
HostName daiyousei.kittywit.ch HostName daiyousei.kittywit.ch
@ -102,6 +93,12 @@
gensokyo = { gensokyo = {
interfaces = [ "enp1s0" "wlp3s0" ]; interfaces = [ "enp1s0" "wlp3s0" ];
ipv4 = "10.1.1.65"; ipv4 = "10.1.1.65";
udp = [
# Chromecast
[ 32768 60999 ]
# MDNS
5353
];
}; };
}; };
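Review bot: `udp` on lines 361–366 mixes a two-element list (`[ 32768 60999 ]`) with a bare port (`5353`), yet the network module in this same commit passes `settings.udp` straight into `allowedUDPPortRanges` (line 324), which takes `{ from; to; }` attribute sets. Unless the `udp` option's type coerces both forms (its definition is outside this diff), evaluation will fail or the rule will be wrong; if coercion exists, a one-line comment at the option saying so would save the next reader the same question, otherwise `{ from = 32768; to = 60999; } { from = 5353; to = 5353; }` is the shape the firewall accepts.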


@ -49,6 +49,7 @@
networks = { networks = {
internet = { internet = {
zone = "kittywit.ch.";
ipv4 = "104.244.72.5"; ipv4 = "104.244.72.5";
ipv6 = "2605:6400:30:eed1:6cf7:bbfc:b4e:15c0"; ipv6 = "2605:6400:30:eed1:6cf7:bbfc:b4e:15c0";
interfaces = singleton "ens3"; interfaces = singleton "ens3";


@ -0,0 +1,25 @@
{ config, tf,... }: {
networks.gensokyo = {
tcp = [ 8080 636 ];
};
services.kanidm = {
enableServer = true;
enablePam = false;
enableClient = true;
clientSettings = {
uri = "https://id.gensokyo.zone";
verify_ca = true;
verify_hostnames = true;
};
serverSettings = {
domain = "gensokyo.zone";
origin = "https://id.gensokyo.zone";
role = "WriteReplica";
log_level = "default";
db_fs_type = "zfs";
bindaddress = "${config.networks.tailscale.ipv4}:8080";
ldapbindaddress = "${config.networks.tailscale.ipv4}:636";
};
};
}
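Review bot: `bindaddress` and `ldapbindaddress` (lines 402–403) bind to the tailscale address only, yet line 385 opens TCP 8080 and 636 on the `gensokyo` network's interfaces, where nothing in this file listens. Either the firewall entry is unnecessary or the bind addresses are wrong; if LAN clients are meant to reach kanidm (or its LDAPS port) directly, bind there explicitly, otherwise drop `networks.gensokyo.tcp` so the exposed ports match what actually listens. A short comment next to `bindaddress` stating that access is via the nginx `id.gensokyo.zone` vhost and tailscale would make the intent clear.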


@ -5,6 +5,8 @@
(modulesPath + "/installer/scan/not-detected.nix") (modulesPath + "/installer/scan/not-detected.nix")
hardware.local hardware.local
nixos.network nixos.network
./kanidm.nix
./vouch.nix
./home-assistant.nix ./home-assistant.nix
./zigbee2mqtt.nix ./zigbee2mqtt.nix
./mosquitto.nix ./mosquitto.nix


@ -0,0 +1,112 @@
{ config, pkgs, lib, tf, ... }: {
options = with lib; let
origin = "https://id.gensokyo.zone";
in {
services.vouch-proxy = {
settings = {
vouch = {
cookie = {
domain = mkOption {
type = types.nullOr types.str;
default = "gensokyo.zone";
};
};
port = mkOption {
type = lib.types.port;
default = 30746;
};
listen = mkOption {
type = types.nullOr types.str;
default = config.networks.tailscale.ipv4;
};
allowAllUsers = mkOption {
type = types.bool;
default = true;
};
};
oauth = {
auth_url = mkOption {
type = types.str;
default = "${origin}/ui/oauth2";
};
token_url = mkOption {
type = types.str;
default = "${origin}/oauth2/token";
};
user_info_url = mkOption {
type = types.str;
default = "${origin}/oauth2/openid/vouch/userinfo";
};
scopes = mkOption {
type = types.listOf types.str;
default = [ "openid" "email" "profile" ];
};
callback_url = mkOption {
type = types.str;
default = "https://login.gensokyo.zone/auth";
};
provider = mkOption {
type = types.nullOr types.str;
default = "oidc";
};
code_challenge_method = mkOption {
type = types.str;
default = "S256";
};
client_id = mkOption {
type = types.str;
default = "vouch";
};
};
};
};
};
config = {
kw.secrets.variables.gensokyo-id = {
path = "secrets/id.gensokyo.zone";
field = "client_secret";
};
kw.secrets.variables.gensokyo-jwt = {
path = "secrets/id.gensokyo.zone";
field = "jwt";
};
secrets.files.vouch-config = let
recursiveMergeAttrs = listOfAttrsets: lib.fold (attrset: acc: lib.recursiveUpdate attrset acc) {} listOfAttrsets;
in {
text = builtins.toJSON (recursiveMergeAttrs [
config.services.vouch-proxy.settings
{ oauth.client_secret = tf.variables.gensokyo-id.ref; vouch.jwt.secret = tf.variables.gensokyo-jwt.ref; }
]);
owner = "vouch-proxy";
group = "vouch-proxy";
};
systemd.services.vouch-proxy = {
description = "Vouch-proxy";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart =
''
${pkgs.vouch-proxy}/bin/vouch-proxy -config ${config.secrets.files.vouch-config.path}
'';
Restart = "on-failure";
RestartSec = 5;
WorkingDirectory = "/var/lib/vouch-proxy";
StateDirectory = "vouch-proxy";
RuntimeDirectory = "vouch-proxy";
User = "vouch-proxy";
Group = "vouch-proxy";
StartLimitBurst = 3;
};
};
users.users.vouch-proxy = {
isSystemUser = true;
group = "vouch-proxy";
};
users.groups.vouch-proxy = { };
};
}
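Review bot: `allowAllUsers` defaults to `true` (lines 444–447), so any account that can complete the OIDC login at the IdP is authorized for every `auth_request`-protected vhost; authentication becomes authorization. If that is deliberate for a single-tenant IdP, a comment at the option saying so would help the next reader, otherwise default it to `false` and carry an explicit allow-list in the settings. The `systemd.services.vouch-proxy` unit (lines 505–523) runs under a dedicated user but has no sandboxing; `NoNewPrivileges = true; ProtectSystem = "strict"; PrivateTmp = true;` are low-risk additions for a process that only needs its config file and `StateDirectory`.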


@ -1,6 +1,7 @@
{ meta, tf, config, pkgs, lib, ... }: with lib; { { meta, tf, config, pkgs, lib, ... }: with lib; {
imports = with meta; [ imports = with meta; [
hardware.rm-310 hardware.rm-310
hardware.local
nixos.network nixos.network
nixos.arc nixos.arc
services.ha services.ha
@ -15,17 +16,6 @@
services.plex services.plex
]; ];
deploy.tf = {
resources.yukari = {
provider = "null";
type = "resource";
connection = {
port = head config.services.openssh.ports;
host = config.network.addresses.private.nixos.ipv4.address;
};
};
};
boot.supportedFilesystems = singleton "zfs"; boot.supportedFilesystems = singleton "zfs";
fileSystems = { fileSystems = {


@ -4,7 +4,18 @@
bootstrapPkgs = import ./overlays { inherit inputs system; }; bootstrapPkgs = import ./overlays { inherit inputs system; };
inherit (pkgs) lib; inherit (pkgs) lib;
patchedInputs = inputs // { darwin = bootstrapPkgs.applyPatches { patchedInputs = inputs // {
nixpkgs = bootstrapPkgs.applyPatches {
name = "nixpkgs";
src = inputs.nixpkgs;
patches = [ (bootstrapPkgs.fetchpatch {
url = "https://patch-diff.githubusercontent.com/raw/NixOS/nixpkgs/pull/180469.patch";
sha256 = "sha256-uxgx5fLB5450EgqP7OxETD5SKDd4l5qhTFzU/6azPZA=";
})
];
};
} // { darwin = bootstrapPkgs.applyPatches {
name = "darwin"; name = "darwin";
src = inputs.darwin; src = inputs.darwin;
patches = [ (bootstrapPkgs.fetchpatch { patches = [ (bootstrapPkgs.fetchpatch {


@ -14,6 +14,9 @@ final: prev: {
wezterm = final.callPackage ./wezterm { wezterm = final.callPackage ./wezterm {
inherit (final.darwin.apple_sdk.frameworks) Cocoa CoreGraphics Foundation UserNotifications; inherit (final.darwin.apple_sdk.frameworks) Cocoa CoreGraphics Foundation UserNotifications;
}; };
writers = prev.writers.override { gixy = final.writeShellScriptBin "gixy" ''
true
''; };
terraform-providers = prev.terraform-providers // { terraform-providers = prev.terraform-providers // {
tailscale = final.terraform-providers.mkProvider rec { tailscale = final.terraform-providers.mkProvider rec {
owner = "tailscale"; owner = "tailscale";
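Review bot: Lines 584–586 replace `gixy` inside `writers` with a shell script that only runs `true`, which (assuming the nginx module still validates through `writers.writeNginxConfig`) turns the nginx configuration lint into a no-op for every host built from this overlay. That lint is the check that would flag patterns this same commit adds, such as `$http_host` inside a `return 302` and `proxy_set_header Host $http_host`, so disabling it globally hides exactly the findings that matter here. If the goal is to silence one false positive, suppress that specific check or at least leave a comment naming the finding being suppressed, rather than stubbing the tool out for the whole flake.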



@ -6,10 +6,58 @@ let
text = '' text = ''
<html> <html>
<head> <head>
<title>Gensokyo Zone</title> <title>Gensokyo</title>
<style>
html {
margin: 0;
width: 100%;
min-height: 100%;
padding: 0;
}
body {
margin: 2em auto;
width: 50%;
}
img {
max-height: 33vh;
min-height: 500px;
margin: 1em auto;
display: block;
}
h1 {
text-align: center;
}
nav ul {
list-style-type: none;
display: grid;
grid-template-columns: 1fr 1fr 1fr;
margin: 0;
padding: 0;
}
nav ul li {
text-align: center;
margin: 0;
padding: 0;
}
</style>
</head> </head>
<body> <body>
<img src="cute.png"> <h1>Gensokyo</h1>
<img src="cute.png"/>
<nav>
<ul>
<li>
<a href="https://home.gensokyo.zone">Home Assistant</a>
</li>
<li>
<a href="https://z2m.gensokyo.zone">Zigbee2MQTT</a>
</li>
<li>
<a href="https://id.gensokyo.zone">Kanidm</a>
</li>
</ul>
</nav>
</body> </body>
</html> </html>
''; '';


@ -3,7 +3,7 @@
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "kittywitch"; owner = "kittywitch";
repo = "inskip.me"; repo = "inskip.me";
rev = "696e282339dd5b958b45bc1597d31f53c2e6616b"; rev = "3789d9ae2b0135828a6d92e2e6846aec42a29d88";
sha256 = "sha256-EYtlGmfEjJ0n2F2OKgKD59SgvKHZC109jgRsyawqGNw="; sha256 = "sha256-EYtlGmfEjJ0n2F2OKgKD59SgvKHZC109jgRsyawqGNw=";
}; };
buildPhase = '' buildPhase = ''
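Review bot: Line 671 moves `rev` to `3789d9ae2b0135828a6d92e2e6846aec42a29d88` but line 672 leaves `sha256` unchanged, and two different source revisions cannot share a fixed-output hash. Because Nix resolves a fixed-output fetch by its hash first, a machine that already has the old revision in its store will silently keep building the old site, while a clean machine fails with a hash mismatch. Recompute the hash for the new revision (for example `nix-prefetch-github kittywitch inskip.me --rev 3789d9ae2b0135828a6d92e2e6846aec42a29d88`) and update line 672 alongside the `rev`.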


@ -1,4 +1,8 @@
{ config, lib, meta, pkgs, ... }: with lib; { { config, lib, meta, pkgs, ... }: with lib; {
networks.internet.extra_domains = [
"gensokyo.zone"
];
domains = { domains = {
kittywitch-plex = { kittywitch-plex = {
network = "internet"; network = "internet";
@ -15,17 +19,24 @@
type = "cname"; type = "cname";
domain = "cloud"; domain = "cloud";
}; };
gensokyo-root = {
network = "internet";
type = "both";
zone = "gensokyo.zone.";
};
gensokyo-home = { gensokyo-home = {
network = "internet"; network = "internet";
type = "cname"; type = "cname";
domain = "home"; domain = "home";
zone = "gensokyo.zone."; zone = "gensokyo.zone.";
}; };
gensokyo-kanidm = {
network = "internet";
type = "cname";
domain = "id";
zone = "gensokyo.zone.";
};
gensokyo-vouch = {
network = "internet";
type = "cname";
domain = "login";
zone = "gensokyo.zone.";
};
gensokyo-z2m = { gensokyo-z2m = {
network = "internet"; network = "internet";
type = "cname"; type = "cname";
@ -35,66 +46,128 @@
}; };
services.nginx.virtualHosts = mkMerge [ services.nginx.virtualHosts = mkMerge [
{ {
"gensokyo.zone" = { "gensokyo.zone" = {
locations."/" = { locations."/" = {
root = pkgs.gensokyoZone; root = pkgs.gensokyoZone;
};
};
"home.gensokyo.zone" = {
locations = {
"/" = {
proxyPass = meta.tailnet.tewi.pp 4 8123;
extraConfig = ''
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
'';
}; };
}; };
"home.gensokyo.zone" = { };
locations = { "z2m.gensokyo.zone" = {
"/" = { extraConfig = ''
proxyPass = meta.tailnet.tewi.pp 4 8123; auth_request /validate;
extraConfig = '' error_page 401 = @error401;
proxy_set_header Upgrade $http_upgrade; '';
proxy_set_header Connection "upgrade"; locations = {
proxy_http_version 1.1; "/" = {
''; proxyPass = meta.tailnet.tewi.pp 4 8072;
}; extraConfig = ''
add_header Access-Control-Allow-Origin https://login.gensokyo.zone;
add_header Access-Control-Allow-Origin https://id.gensokyo.zone;
proxy_set_header X-Vouch-User $auth_resp_x_vouch_user;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
'';
};
"@error401" = {
extraConfig = ''
return 302 https://login.gensokyo.zone/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
'';
};
"/validate" = {
recommendedProxySettings = false;
proxyPass = meta.tailnet.tewi.ppp 4 30746 "validate";
extraConfig = ''
proxy_set_header Host $http_host;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
'';
}; };
}; };
"home.${config.networking.domain}" = { };
locations = { "id.gensokyo.zone" = {
"/" = { locations = {
proxyPass = meta.tailnet.yukari.pp 4 8123; "/" = {
extraConfig = '' proxyPass = meta.tailnet.tewi.pp 4 8080;
proxy_set_header Upgrade $http_upgrade; extraConfig = ''
proxy_set_header Connection "upgrade"; proxy_set_header Host $host;
proxy_http_version 1.1; add_header Access-Control-Allow-Origin https://id.gensokyo.zone;
''; proxy_set_header Upgrade $http_upgrade;
}; proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
'';
}; };
}; };
"cloud.${config.networking.domain}" = { };
locations = { "login.gensokyo.zone" = {
"/".proxyPass = meta.tailnet.yukari.ppp 4 80 "nextcloud/"; locations = {
"/" = {
proxyPass = meta.tailnet.tewi.pp 4 30746;
recommendedProxySettings = false;
extraConfig = ''
proxy_set_header Host $http_host;
'';
}; };
}; };
"plex.${config.networking.domain}" = { };
locations = { "home.${config.networking.domain}" = {
"/" = { locations = {
proxyPass = meta.tailnet.yukari.pp 4 32400; "/" = {
extraConfig = '' proxyPass = meta.tailnet.yukari.pp 4 8123;
proxy_set_header Upgrade $http_upgrade; extraConfig = ''
proxy_set_header Connection "upgrade"; proxy_set_header Upgrade $http_upgrade;
proxy_redirect off; proxy_set_header Connection "upgrade";
proxy_buffering off; proxy_http_version 1.1;
proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier; '';
proxy_set_header X-Plex-Device $http_x_plex_device;
proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
proxy_set_header X-Plex-Platform $http_x_plex_platform;
proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
proxy_set_header X-Plex-Product $http_x_plex_product;
proxy_set_header X-Plex-Token $http_x_plex_token;
proxy_set_header X-Plex-Version $http_x_plex_version;
proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
proxy_set_header X-Plex-Provides $http_x_plex_provides;
proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
proxy_set_header X-Plex-Model $http_x_plex_model;
'';
};
};
}; };
} };
};
"cloud.kittywit.ch" = {
locations = {
"/".proxyPass = meta.tailnet.yukari.ppp 4 80 "nextcloud/";
};
};
"plex.kittywit.ch" = {
locations = {
"/" = {
proxyPass = meta.tailnet.yukari.pp 4 32400;
extraConfig = ''
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_redirect off;
proxy_buffering off;
proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
proxy_set_header X-Plex-Device $http_x_plex_device;
proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
proxy_set_header X-Plex-Platform $http_x_plex_platform;
proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
proxy_set_header X-Plex-Product $http_x_plex_product;
proxy_set_header X-Plex-Token $http_x_plex_token;
proxy_set_header X-Plex-Version $http_x_plex_version;
proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
proxy_set_header X-Plex-Provides $http_x_plex_provides;
proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
proxy_set_header X-Plex-Model $http_x_plex_model;
'';
};
};
};
}
]; ];
} }
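Review bot: Lines 746–747 emit two `Access-Control-Allow-Origin` headers on the z2m `/` location; browsers reject a response that carries more than one value for that header, so the allowance fails for both origins instead of working for either. If both origins must be permitted, pick one per request from `$http_origin` with a `map` and emit a single `add_header`. The `@error401` redirect on line 756 also builds its `url=` parameter from `$http_host`, the client-supplied `Host` header; vouch-proxy is expected to validate that parameter against its configured domains, but `$host` (server-side normalized, minus the port) is the safer choice unless a non-default port must survive the round trip. The enclosing `mkMerge [` list starts and ends outside these hunks.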


@ -83,7 +83,7 @@ return [
}; };
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"files.${config.network.dns.domain}" = { "files.kittywit.ch" = {
root = "/var/lib/xbackbone/www"; root = "/var/lib/xbackbone/www";
locations = { locations = {
"/" = { "/" = {
@ -139,8 +139,6 @@ location CHANGELOG.md {
return 403; return 403;
} }
''; '';
enableACME = true;
forceSSL = true;
}; };
}; };
@ -181,9 +179,9 @@ location CHANGELOG.md {
}; };
}; };
deploy.tf.dns.records.services_filehost = { domains.kittywitch-filehost = {
inherit (config.network.dns) zone;
domain = "files"; domain = "files";
cname = { inherit (config.network.addresses.public) target; }; type = "cname";
inherit (config.networks.internet) target;
}; };
} }


@ -10,7 +10,7 @@
secrets.files.hedgedoc-env = { secrets.files.hedgedoc-env = {
text = '' text = ''
CMD_OAUTH2_USER_PROFILE_URL=https://auth.${config.network.dns.domain}/auth/realms/kittywitch/protocol/openid-connect/userinfo CMD_OAUTH2_USER_PROFILE_URL=https://auth.kittywit.ch/auth/realms/kittywitch/protocol/openid-connect/userinfo
CMD_OAUTH2_CLIENT_SECRET=${tf.variables.hedgedoc-secret.ref} CMD_OAUTH2_CLIENT_SECRET=${tf.variables.hedgedoc-secret.ref}
CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username
CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name
@ -27,7 +27,7 @@
configuration = { configuration = {
debug = true; debug = true;
path = "/run/hedgedoc/hedgedoc.sock"; path = "/run/hedgedoc/hedgedoc.sock";
domain = "md.${config.network.dns.domain}"; domain = "md.kittywit.ch";
protocolUseSSL = true; protocolUseSSL = true;
allowFreeURL = true; allowFreeURL = true;
email = false; email = false;
@ -41,8 +41,8 @@
host = "/run/postgresql"; host = "/run/postgresql";
}; };
oauth2 = { oauth2 = {
tokenURL = "https://auth.${config.network.dns.domain}/auth/realms/kittywitch/protocol/openid-connect/token"; tokenURL = "https://auth.kittywit.ch/auth/realms/kittywitch/protocol/openid-connect/token";
authorizationURL = "https://auth.${config.network.dns.domain}/auth/realms/kittywitch/protocol/openid-connect/auth"; authorizationURL = "https://auth.kittywit.ch/auth/realms/kittywitch/protocol/openid-connect/auth";
clientID = "hedgedoc"; clientID = "hedgedoc";
clientSecret = ""; clientSecret = "";
}; };
@ -74,7 +74,7 @@
}; };
users.users.nginx.extraGroups = [ "hedgedoc" ]; users.users.nginx.extraGroups = [ "hedgedoc" ];
services.nginx.virtualHosts."md.${config.network.dns.domain}" = { services.nginx.virtualHosts."md.kittywit.ch" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {


@ -24,14 +24,19 @@ in {
}; };
/* security.acme.certs.domain-auth = { users.groups.domain-auth = {
gid = 10600;
members = [ "keycloak" ];
};
security.acme.certs."auth.kittywit.ch" = {
group = "domain-auth"; group = "domain-auth";
postRun = '' postRun = ''
${pkgs.adoptopenjdk-jre-bin}/bin/keytool -delete -alias auth.kittywit.ch -keypass ${keystore-pass} -storepass ${keystore-pass} -keystore ./trust-store.jks ${pkgs.adoptopenjdk-jre-bin}/bin/keytool -delete -alias auth.kittywit.ch -keypass ${keystore-pass} -storepass ${keystore-pass} -keystore ./trust-store.jks
${pkgs.adoptopenjdk-jre-bin}/bin/keytool -import -alias auth.${config.network.dns.domain} -noprompt -keystore trust-store.jks -keypass ${keystore-pass} -storepass ${keystore-pass} -file cert.pem ${pkgs.adoptopenjdk-jre-bin}/bin/keytool -import -alias auth.kittywit.ch -noprompt -keystore trust-store.jks -keypass ${keystore-pass} -storepass ${keystore-pass} -file cert.pem
chown acme:domain-auth ./trust-store.jks chown acme:domain-auth ./trust-store.jks
''; '';
}; */ };
users.groups.keycloak = { }; users.groups.keycloak = { };
users.users.keycloak = { users.users.keycloak = {
@ -50,7 +55,7 @@ in {
group = "keycloak"; group = "keycloak";
}; };
services.nginx.virtualHosts."auth.${config.network.dns.domain}" = { services.nginx.virtualHosts."auth.kittywit.ch" = {
useACMEHost = "domain-auth"; useACMEHost = "domain-auth";
forceSSL = true; forceSSL = true;
locations = { locations = {
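Review bot: The ACME certificate that this hunk un-comments is now keyed `security.acme.certs."auth.kittywit.ch"`, but the unchanged vhost below still says `useACMEHost = "domain-auth";`, so unless a cert named `domain-auth` is declared in another module nginx will be pointed at `/var/lib/acme/domain-auth`, which this file no longer produces; either key the cert as `domain-auth` again or change the vhost to `useACMEHost = "auth.kittywit.ch";`. The `postRun` script interpolates `${keystore-pass}` directly into `-keypass`/`-storepass`; if `keystore-pass` is a plain Nix string, the keystore password ends up in the world-readable store path of the generated script and in the process list while `keytool` runs, whereas `-storepass:file <path>` reading a root-only file avoids both. The `domain-auth` group (gid 10600) is joined by `keycloak` here and by `postfix`, `murmur`, `prosody` and `syncplay` in other sections, so every one of those services can read the same private key; a comment next to `users.groups.domain-auth` naming that as deliberate (`# shared cert group: every member can read the domain-auth private key`) would make the trust boundary explicit.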


@ -12,19 +12,10 @@
group = "sogo"; group = "sogo";
}; };
services.nginx.virtualHosts."mail.${config.network.dns.domain}" = {
useACMEHost = "dovecot_domains";
enableACME = mkForce false;
forceSSL = true;
};
users.groups.domain-auth.members = [ "postfix" ];
users.users.nginx.extraGroups = singleton "postfix"; users.users.nginx.extraGroups = singleton "postfix";
networks.internet.extra_domains = [ "mail.kittywit.ch" ];
deploy.tf.dns.records.services_sogo = {
inherit (config.network.dns) zone;
domain = "mail";
cname = { inherit (config.network.addresses.public) target; };
};
services.postgresql = { services.postgresql = {
enable = true; enable = true;
@ -42,7 +33,7 @@
services.sogo = { services.sogo = {
enable = true; enable = true;
timezone = "Europe/London"; timezone = "Europe/London";
vhostName = "mail.${config.network.dns.domain}"; vhostName = "mail.kittywit.ch";
extraConfig = '' extraConfig = ''
SOGoMailDomain = "kittywit.ch"; SOGoMailDomain = "kittywit.ch";
SOGoPageTitle = "kittywitch"; SOGoPageTitle = "kittywitch";
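Review bot: Removing the explicit `services.nginx.virtualHosts."mail.kittywit.ch"` block takes away the only `forceSSL`/`useACMEHost` settings for the webmail host; the sogo module still creates that vhost from `vhostName = "mail.kittywit.ch";`, so unless a per-vhost default is applied elsewhere in the commit, SOGo logins become reachable over plain HTTP. The same shape — a vhost left with neither `forceSSL` nor `enableACME`/`useACMEHost` — appears in the prosody `upload`/`conference` vhosts, the `matrix.kittywit.ch` vhost, the `vault.kittywit.ch` vhost and the `irc.kittywit.ch` vhost. If the intent is that all of these now rely on a shared certificate configured at the nginx level, a one-line comment near `users.groups.domain-auth.members = [ "postfix" ];`, e.g. `# TLS for mail.kittywit.ch is expected from the shared domain-auth cert (configured outside this module)`, records the dependency; adding `postfix` to that group from the sogo module rather than the postfix one also deserves a word of explanation.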


@ -104,6 +104,14 @@ in
}; };
}; };
networks.internet = {
extra_domains = [
"kittywit.ch"
"sync.kittywit.ch"
"voice.kittywit.ch"
];
};
users.groups."domain-auth".members = [ "murmur" ];
# Certs # Certs
/* /*
network.extraCerts.services_murmur = "voice.${config.net"; network.extraCerts.services_murmur = "voice.${config.net";
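Review bot: `networks.internet.extra_domains` in the murmur module now lists `kittywit.ch` and `sync.kittywit.ch` alongside `voice.kittywit.ch`, although those two hosts belong to the web and syncplay modules on this page. If `extra_domains` is a list option that merges across modules (the sogo and prosody sections each set their own), moving each name next to the service it serves keeps this file self-contained; if it does not merge, a comment saying the list is deliberately centralised here would prevent someone re-adding the names elsewhere. The commented-out `network.extraCerts` block below is unchanged by the commit.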


@ -25,6 +25,8 @@ with lib;
recommendedProxySettings = true; recommendedProxySettings = true;
recommendedTlsSettings = true; recommendedTlsSettings = true;
commonHttpConfig = mkIf (config.networking.hostName != "yukari") '' commonHttpConfig = mkIf (config.networking.hostName != "yukari") ''
large_client_header_buffers 4 16k;
proxy_buffers 8 8k;
map $scheme $hsts_header { map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload"; https "max-age=31536000; includeSubdomains; preload";
} }
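Review bot: The two added directives `large_client_header_buffers 4 16k;` and `proxy_buffers 8 8k;` carry no comment saying which upstream needed them, so the next person tuning nginx cannot tell whether they are safe to lower. A why-comment above them, for example `# <service>: default header buffer is too small for its request headers (nginx returns 400)` with the service filled in, would ground the numbers. Note that they are inside the `commonHttpConfig` string that is skipped on `yukari`, so that host keeps nginx's defaults; if that is not intended, the `mkIf` condition rather than the directives is the thing to revisit.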


@ -3,16 +3,23 @@
with lib; with lib;
{ {
networks.internet.tcp = [ networks.internet = {
5000 extra_domains = [
5222 "xmpp.kittywit.ch"
5223 "conference.kittywit.ch"
5269 "upload.kittywit.ch"
5280 ];
5281 tcp = [
5347 5000
5582 5222
]; 5223
5269
5280
5281
5347
5582
];
};
services.postgresql = { services.postgresql = {
ensureDatabases = [ "prosody" ]; ensureDatabases = [ "prosody" ];
@ -44,46 +51,18 @@ with lib;
} }
''; '';
virtualHosts = { virtualHosts = {
"xmpp.${config.network.dns.domain}" = { "xmpp.kittywit.ch" = {
domain = config.network.dns.domain; domain = config.network.dns.domain;
enabled = true; enabled = true;
ssl.cert = "/var/lib/acme/prosody/fullchain.pem"; ssl.cert = "/var/lib/acme/prosody/fullchain.pem";
ssl.key = "/var/lib/acme/prosody/key.pem"; ssl.key = "/var/lib/acme/prosody/key.pem";
}; };
}; };
muc = [{ domain = "conference.${config.network.dns.domain}"; }]; muc = [{ domain = "conference.kittywit.ch"; }];
uploadHttp = { domain = "upload.${config.network.dns.domain}"; }; uploadHttp = { domain = "upload.kittywit.ch"; };
}; };
security.acme.certs.prosody = { users.groups.domain-auth.members = [ "prosody" ];
domain = "xmpp.${config.network.dns.domain}";
group = "prosody";
dnsProvider = "rfc2136";
credentialsFile = config.secrets.files.dns_creds.path;
postRun = "systemctl restart prosody";
extraDomainNames =
[ config.network.dns.domain "upload.${config.network.dns.domain}" "conference.${config.network.dns.domain}" ];
};
domains = rec {
kittywitch-prosody = {
network = "internet";
type = "both";
domain = "xmpp";
};
kittywitch-prosody-upload = {
network = "internet";
type = "cname";
domain = "upload";
cname.target = kittywitch-prosody.target;
};
kittywitch-prosody-conference = {
network = "internet";
type = "cname";
domain = "conference";
cname.target = kittywitch-prosody.target;
};
};
deploy.tf.dns.records = { deploy.tf.dns.records = {
services_prosody_muc = { services_prosody_muc = {
@ -140,14 +119,10 @@ domains = rec {
}; };
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"upload.${config.network.dns.domain}" = { "upload.kittywit.ch" = {
useACMEHost = "prosody";
forceSSL = true;
}; };
"conference.${config.network.dns.domain}" = { "conference.kittywit.ch" = {
useACMEHost = "prosody";
forceSSL = true;
}; };
}; };
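Review bot: The `security.acme.certs.prosody` definition is deleted in the second hunk, but the unchanged `virtualHosts."xmpp.kittywit.ch"` block still reads `ssl.cert = "/var/lib/acme/prosody/fullchain.pem";` and `ssl.key = "/var/lib/acme/prosody/key.pem";`, and the removed definition was also the home of the `postRun = "systemctl restart prosody";` renewal hook. Unless another module still declares a cert named `prosody`, those paths will not be created, and even where an old directory survives nothing will reload prosody when a certificate rotates. The new `users.groups.domain-auth.members = [ "prosody" ];` suggests the shared cert is intended, in which case the two paths should point at that cert's directory and its definition needs a prosody reload in `postRun`. Separately, `domain = config.network.dns.domain;` is kept on the new side while the surrounding attribute names are now the literal `kittywit.ch`, so this module depends on both spellings at once.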


@ -180,7 +180,7 @@ CONFIG = {
level: WARNING level: WARNING
handlers: [console] handlers: [console]
''; '';
server_name = config.network.dns.domain; server_name = "kittywit.ch";
app_service_config_files = [ app_service_config_files = [
"/var/lib/matrix-synapse/telegram-registration.yaml" "/var/lib/matrix-synapse/telegram-registration.yaml"
"/var/lib/matrix-synapse/discord-registration.yaml" "/var/lib/matrix-synapse/discord-registration.yaml"
@ -189,7 +189,7 @@ CONFIG = {
max_upload_size = "512M"; max_upload_size = "512M";
rc_messages_per_second = mkDefault 0.1; rc_messages_per_second = mkDefault 0.1;
rc_message_burst_count = mkDefault 25; rc_message_burst_count = mkDefault 25;
public_baseurl = "https://${config.network.dns.domain}"; public_baseurl = "https://kittywit.ch";
url_preview_enabled = mkDefault true; url_preview_enabled = mkDefault true;
enable_registration = mkDefault false; enable_registration = mkDefault false;
enable_metrics = mkDefault false; enable_metrics = mkDefault false;
@ -236,14 +236,14 @@ CONFIG = {
public = { public = {
enabled = false; enabled = false;
prefix = "/public"; prefix = "/public";
external = "https://${config.network.dns.domain}/public"; external = "https://kittywit.ch/public";
}; };
}; };
bridge = { bridge = {
relaybot.authless_portals = false; relaybot.authless_portals = false;
permissions = { permissions = {
"@kat:${config.network.dns.domain}" = "admin"; "@kat:kittywit.ch" = "admin";
"${config.network.dns.domain}" = "full"; "kittywit.ch" = "full";
}; };
}; };
}; };
@ -293,15 +293,13 @@ CONFIG = {
after = [ "network.target" ]; after = [ "network.target" ];
}; };
deploy.tf.dns.records.services_element = { domains.kittywitch-matrix = {
inherit (config.network.dns) zone; inherit (config.networks.internet) target;
type = "cname";
domain = "matrix"; domain = "matrix";
cname = { inherit (config.network.addresses.public) target; };
}; };
services.nginx.virtualHosts."matrix.${config.network.dns.domain}" = { services.nginx.virtualHosts."matrix.kittywit.ch" = {
forceSSL = true;
enableACME = true;
extraConfig = '' extraConfig = ''
keepalive_requests 100000; keepalive_requests 100000;
''; '';
@ -316,7 +314,7 @@ CONFIG = {
}; };
}; };
services.nginx.virtualHosts."${config.network.dns.domain}" = { services.nginx.virtualHosts."kittywit.ch" = {
# allegedly fixes https://github.com/poljar/weechat-matrix/issues/240 # allegedly fixes https://github.com/poljar/weechat-matrix/issues/240
extraConfig = '' extraConfig = ''
keepalive_requests 100000; keepalive_requests 100000;
@ -334,7 +332,7 @@ CONFIG = {
"= /.well-known/matrix/client".extraConfig = "= /.well-known/matrix/client".extraConfig =
let let
client = { client = {
"m.homeserver" = { "base_url" = "https://${config.network.dns.domain}"; }; "m.homeserver" = { "base_url" = "https://kittywit.ch"; };
"m.identity_server" = { "base_url" = "https://vector.im"; }; "m.identity_server" = { "base_url" = "https://vector.im"; };
}; };
in in
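Review bot: The new `domains.kittywitch-matrix` entry sets only `inherit (config.networks.internet) target;` and `domain = "matrix";`, whereas the other `domains.*` entry on this page (`domains.kittywitch-syncplay`) also carries `network = "internet";` and `type = "cname";`; unless the `domains` module defaults both, the matrix record is declared differently from its siblings and should get the same two lines. `server_name = "kittywit.ch";` must remain byte-identical to the value the homeserver was created with, because existing user IDs and federation identity are bound to it; a guard comment such as `# never change: Synapse's server_name is permanent once accounts exist` next to it would protect it from a later clean-up. The `CONFIG = {` block these hunks belong to starts and ends outside the section.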


@ -17,10 +17,10 @@ with lib;
users.users.syncplay = { isSystemUser = true; group = "sync-cert"; }; users.users.syncplay = { isSystemUser = true; group = "sync-cert"; };
users.groups."sync-cert".members = [ "nginx" "syncplay" ]; users.groups."domain-auth".members = [ "syncplay" ];
security.acme = { security.acme = {
certs."sync.${config.network.dns.domain}" = { certs."kittywit.ch" = {
group = "sync-cert";
postRun = '' postRun = ''
cp key.pem privkey.pem cp key.pem privkey.pem
chown acme:voice-cert privkey.pem chown acme:voice-cert privkey.pem
@ -30,11 +30,6 @@ with lib;
networks.internet.tcp = [ 8999 ]; networks.internet.tcp = [ 8999 ];
services.nginx.virtualHosts."sync.${config.network.dns.domain}" = {
enableACME = true;
forceSSL = true;
};
domains.kittywitch-syncplay = { domains.kittywitch-syncplay = {
network = "internet"; network = "internet";
type = "cname"; type = "cname";
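Review bot: `users.groups."sync-cert"` is no longer declared on the new side, yet the unchanged line above still sets `users.users.syncplay = { isSystemUser = true; group = "sync-cert"; };` and the cert's `postRun` still runs `chown acme:voice-cert privkey.pem`; unless `sync-cert` is declared in another module, evaluation fails on the undefined primary group, and either way the copied key is owned by `voice-cert` rather than the `domain-auth` group syncplay has just joined. The cert is also re-keyed as `certs."kittywit.ch"`, the same name the `kittywit.ch` nginx vhost creates through `enableACME = true;` in the web section, so the two definitions merge and this `postRun` now runs against the site's main certificate; if that is intended, a comment stating it (`# shares the kittywit.ch cert created by the nginx vhost; postRun copies the key for syncplay`) belongs here. The remainder of the `postRun` script and of the cert attrset lie outside the hunk.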


@ -45,14 +45,12 @@
rocketPort = 4000; rocketPort = 4000;
websocketEnabled = true; websocketEnabled = true;
signupsAllowed = false; signupsAllowed = false;
domain = "https://vault.${config.network.dns.domain}"; domain = "https://vault.kittywit.ch}";
databaseUrl = "postgresql://bitwarden_rs@/bitwarden_rs"; databaseUrl = "postgresql://bitwarden_rs@/bitwarden_rs";
}; };
}; };
services.nginx.virtualHosts."vault.${config.network.dns.domain}" = { services.nginx.virtualHosts."vault.kittywit.ch" = {
enableACME = true;
forceSSL = true;
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://localhost:4000"; proxyPass = "http://localhost:4000";
@ -69,9 +67,9 @@
}; };
}; };
deploy.tf.dns.records.services_vaultwarden = { domains.kittywitch-vault = {
inherit (config.network.dns) zone; inherit (config.networks.internet) target;
type = "cname";
domain = "vault"; domain = "vault";
cname = { inherit (config.network.addresses.public) target; };
}; };
} }
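Review bot: `domain = "https://vault.kittywit.ch}";` keeps a stray `}` from the removed `${...}` interpolation, so Vaultwarden is configured with the public origin `https://vault.kittywit.ch}`; it should read `domain = "https://vault.kittywit.ch";`. Vaultwarden derives generated links and browser-origin checks from this value, so flows such as invitations and WebAuthn are likely to break until it is fixed. The `domains.kittywitch-vault` entry has the same missing `network`/`type` shape noted for the synapse section.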


@ -2,7 +2,7 @@
{ {
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"${config.network.dns.domain}" = { "kittywit.ch" = {
root = pkgs.gensokyoZone; root = pkgs.gensokyoZone;
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;


@ -1,9 +1,7 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
services.nginx.virtualHosts."irc.${config.network.dns.domain}" = { services.nginx.virtualHosts."irc.kittywit.ch" = {
enableACME = true;
forceSSL = true;
locations = { locations = {
"/" = { root = pkgs.glowing-bear; }; "/" = { root = pkgs.glowing-bear; };
"^~ /weechat" = { "^~ /weechat" = {
@ -13,9 +11,9 @@
}; };
}; };
deploy.tf.dns.records.services_weechat = { domains.kittywitch_irc = {
inherit (config.network.dns) zone;
domain = "irc"; domain = "irc";
cname = { inherit (config.network.addresses.public) target; }; inherit (config.networks.internet) target;
}; };
} }
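Review bot: `domains.kittywitch_irc` uses an underscore while every other entry on this page (`kittywitch-vault`, `kittywitch-matrix`, `kittywitch-syncplay`) uses a hyphen; renaming it to `domains.kittywitch-irc = {` keeps the record names predictable. The entry also omits `network = "internet";` and `type = "cname";` that the syncplay entry carries, which is worth checking against the module's defaults.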


@ -121,7 +121,7 @@ in
group = "znc"; group = "znc";
}; };
services.nginx.virtualHosts."znc.${config.network.dns.domain}" = { services.nginx.virtualHosts."znc.kittywit.ch" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations = { "/".proxyPass = "http://127.0.0.1:5002"; }; locations = { "/".proxyPass = "http://127.0.0.1:5002"; };

2
tf

@ -1 +1 @@
Subproject commit 04fe3396694d5a10317c37f0376e2397f0323a30 Subproject commit c281c5cfbf4529748948974e8f85dd3db8e24995