authorsefidel <contact@sefidel.net>2024-02-03 04:19:48 +0900
committersefidel <contact@sefidel.net>2024-02-03 04:19:48 +0900
commitf637236c51b03c91d77997b898b0fa5e605020d2 (patch)
treec2480a029d8c6b0e270e6c391bf7c97f5447f68d /nixos/kanata/configuration.nix
parent18a770ba6cdbfdfe7c1508b0af68243c606ea51c (diff)
feat(nixos/kanata): switch to new modules
Diffstat (limited to 'nixos/kanata/configuration.nix')
-rw-r--r--nixos/kanata/configuration.nix138
1 files changed, 116 insertions, 22 deletions
diff --git a/nixos/kanata/configuration.nix b/nixos/kanata/configuration.nix
index e19ee25..357c0bd 100644
--- a/nixos/kanata/configuration.nix
+++ b/nixos/kanata/configuration.nix
@@ -3,6 +3,8 @@
let
sefidelKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILN14b5Fu+StHeMXq4ClyLG4G+/vCAfS7adxceEFria/ openpgp:0x1D5BCD11" ];
maintainerKeys = [ ] ++ sefidelKeys;
+
+ poorObfuscation = y: x: "${x}@${y}";
in
{
imports = [ ];
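Review bot: `poorObfuscation` is undocumented and its argument order (domain first, local part second) is easy to get backwards when it is reused; a one-line comment would save the next reader a trip to the call site. Something like `# Builds "local@domain" so the literal address is not greppable in the repo; the evaluated value still lands in plaintext in the Nix store, so this is not a secret.` makes the scope of the "obfuscation" explicit. The surrounding `let` block starts before this hunk.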
@@ -68,27 +70,21 @@ in
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = maintainerKeys;
- fileSystems."/persist".neededForBoot = true;
-
- services.openssh.hostKeys = [
- {
- path = "/persist/ssh/ssh_host_ed25519_key";
- type = "ed25519";
- }
- {
- path = "/persist/ssh/ssh_host_rsa_key";
- type = "rsa";
- bits = 4096;
- }
- ];
-
- services.tailscale = {
- enable = true;
- useRoutingFeatures = "both";
- openFirewall = true;
- };
-
- environment.persistence."/persist".directories = [ "/var/lib/tailscale" ];
+ # NOTE: managed by modules.persistence
+ # TODO: remove?
+ # fileSystems."/persist".neededForBoot = true;
+ #
+ # services.openssh.hostKeys = [
+ # {
+ # path = "/persist/ssh/ssh_host_ed25519_key";
+ # type = "ed25519";
+ # }
+ # {
+ # path = "/persist/ssh/ssh_host_rsa_key";
+ # type = "rsa";
+ # bits = 4096;
+ # }
+ # ];
sops.defaultSopsFile = ./secrets/secrets.yaml;
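Review bot: The commented-out `services.openssh.hostKeys` block is the only place in this file that ever pointed sshd at host keys under `/persist`, and nothing visible in this commit persists `/etc/ssh` in its place (the only directory handed to `modules.persistence` elsewhere in the diff is `/var/lib/tailscale`). If `modules.persistence` does not persist the host keys itself, every boot of a wiped root would generate fresh keys — maintainers listed in `maintainerKeys` would hit known_hosts mismatches, and if sops-nix is left on its default of deriving its age key from `/etc/ssh/ssh_host_ed25519_key`, the `sops.secrets.*` declared below would stop decrypting after the first reboot. I would confirm that the module covers this and, if it does not, add `persistence.files = [ "/etc/ssh/ssh_host_ed25519_key" "/etc/ssh/ssh_host_ed25519_key.pub" ];` or restore the explicit `hostKeys` list rather than leaving it as a `TODO: remove?`. Dead config should be deleted rather than commented out once the behaviour is confirmed.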
@@ -96,6 +92,10 @@ in
sops.secrets.zfs-smol-key = { };
sops.secrets.nextcloud-admin-pass = { owner = "nextcloud"; };
+ sops.secrets.acme-credentials = { owner = "acme"; };
+ sops.secrets.grafana-admin-pass = { owner = "grafana"; };
+ sops.secrets.cf-kusanari-kanata-credentials = { owner = "cloudflared"; };
+ sops.secrets.nitter-account-jsonl = { };
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
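Review bot: `sops.secrets.nitter-account-jsonl = { };` is the one new secret without an `owner`, so it is materialised root-owned and mode 0400, while the other three new entries are explicitly chowned to the consuming service user. Unless the `services.nitter` module that consumes it (later in this commit) hands the file to the unit via systemd `LoadCredential` or runs as root, the service will not be able to read it; I would set `owner = "nitter";` (or whatever user that module runs as) to match the pattern used for `acme`, `grafana` and `cloudflared`, or add a comment stating why root ownership is intended. Worth verifying against the module rather than assuming.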
@@ -110,13 +110,107 @@ in
enableIPv6 = true;
};
+ services.tailscale = {
+ enable = true;
+ useRoutingFeatures = "both";
+ openFirewall = true;
+ };
+
+ services.nginx.enable = true;
+ services.cloudflared = {
+ enable = true;
+
+ tunnels."bf6dcc14-d315-41c7-b798-3fe0e0e968eb" = {
+ default = "http_status:404";
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
modules = {
+ persistence.directories = [ "/var/lib/tailscale" ];
+
+ persistence = {
+ enable = true;
+ storagePath = "/persist";
+ };
+
+ # NOTE: This module only populates route entries,
+ # each service needs to be enabled individually.
+ expose = {
+ enable = true;
+
+ routes = {
+ "dns.kusanari.network" = "http://localhost:4000";
+ "metrics.kusanari.network" = "http://localhost:4001";
+ "nitter.kusanari.network" = "http://localhost:4002";
+
+ # Nginx pre-configured routes
+ # NOTE: Routes with port 80 or 443 will NOT create corresponding nginx virtualHosts.
+ "nextcloud.kusanari.network" = "http://localhost:80";
+ };
+
+ ssl = {
+ enable = true;
+ acmeHost = "kusanari.network";
+ };
+
+ tailscaleIp = "100.93.1.1";
+ # kusanari-kanata @ core
+ cloudflareUUID = "bf6dcc14-d315-41c7-b798-3fe0e0e968eb";
+ secrets.cloudflare-credentials = config.sops.secrets.cf-kusanari-kanata-credentials.path;
+ };
+
+ services.nginx.enable = true;
+
+ services.acme = {
+ enable = true;
+ email = poorObfuscation "sefidel.net" "postmaster";
+
+ certs = {
+ "kusanari.network" = {
+ subDomains = [
+ "nitter"
+ "nextcloud"
+ "jellyfin"
+ "dns"
+ "metrics"
+ ];
+ };
+ };
+
+ secrets.acme-credentials = config.sops.secrets.acme-credentials.path;
+ };
+
+ services.metrics = {
+ enable = true;
+ realHost = "metrics.kusanari.network";
+ secrets.adminPassword = config.sops.secrets.grafana-admin-pass.path;
+ };
+
services.blocky.enable = true;
- services.nextcloud = {
+ services.nextcloud = rec {
enable = true;
+
+ ssl = {
+ enable = true;
+ acmeHost = domain;
+ };
+
+ domain = "kusanari.network";
+ realHost = "nextcloud.kusanari.network";
secrets.admin-pass = config.sops.secrets.nextcloud-admin-pass.path;
};
+
+ services.nitter = {
+ enable = true;
+
+ title = "Kusanari Nitter";
+
+ domain = "kusanari.network";
+ realHost = "nitter.kusanari.network";
+ secrets.nitter-guest-accounts = config.sops.secrets.nitter-account-jsonl.path;
+ };
};
# This option defines the first version of NixOS you have installed on this particular machine,
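Review bot: `networking.firewall.allowedTCPPorts = [ 80 443 ];` opens nginx to every interface, yet the rest of this hunk routes all public hostnames through the `cloudflared` tunnel (default `http_status:404`) and `modules.expose` with a `cloudflareUUID`, and the ACME setup uses `secrets.acme-credentials`, which points to a DNS-based challenge rather than HTTP-01. If this host has a public address, those two ports let clients reach the origin directly and bypass whatever Cloudflare-side access controls the tunnel was meant to enforce; if the intent is only Tailscale/LAN access, `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 80 443 ];` scopes it to that interface without exposing the origin. As a style point, `services.nginx.enable = true;` is set twice in this hunk (once before `modules`, once inside it); Nix merges identical booleans, but one of them should go. The trailing context suggests the enclosing attribute set closes within the hunk, but I cannot see the start of the `modules` block's parent scope.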