Diffstat (limited to 'nixos/kanata/configuration.nix')
-rw-r--r--nixos/kanata/configuration.nix142
1 files changed, 76 insertions, 66 deletions
diff --git a/nixos/kanata/configuration.nix b/nixos/kanata/configuration.nix
index a5ed1be..c0120bb 100644
--- a/nixos/kanata/configuration.nix
+++ b/nixos/kanata/configuration.nix
@@ -62,7 +62,7 @@ in
modules.tailscale-initrd = {
enable = true;
- # XXX: This has to be manually generatd during NixOS install.
+ # XXX: This has to be manually generated during NixOS install.
# The files are then copied to initrd secrets during activation.
tailscaleStatePath = "/persist/initrd/tailscale-initrd.state";
};
@@ -70,22 +70,6 @@ in
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = maintainerKeys;
- # NOTE: managed by modules.persistence
- # TODO: remove?
- # fileSystems."/persist".neededForBoot = true;
- #
- # services.openssh.hostKeys = [
- # {
- # path = "/persist/ssh/ssh_host_ed25519_key";
- # type = "ed25519";
- # }
- # {
- # path = "/persist/ssh/ssh_host_rsa_key";
- # type = "rsa";
- # bits = 4096;
- # }
- # ];
-
sops.defaultSopsFile = ./secrets/secrets.yaml;
powerManagement.cpuFreqGovernor = "ondemand";
@@ -94,7 +78,7 @@ in
sops.secrets.nextcloud-admin-pass = { owner = "nextcloud"; };
sops.secrets.acme-credentials = { owner = "acme"; };
sops.secrets.grafana-admin-pass = { owner = "grafana"; };
- sops.secrets.cf-kusanari-kanata-credentials = { owner = "cloudflared"; };
+ sops.secrets.cf-kanata-credentials = { owner = "cloudflared"; };
sops.secrets.nitter-account-jsonl = { };
# sops.secrets.interlink-private-key = { };
sops.secrets.interlink-wg-config = { };
@@ -118,6 +102,46 @@ in
enableIPv6 = true;
};
+ services.nscd = {
+ enable = true;
+ config = ''
+ # We basically use nscd as a proxy for forwarding nss requests to appropriate
+ # nss modules, as we run nscd with LD_LIBRARY_PATH set to the directory
+ # containing all such modules
+ # Note that we can not use `enable-cache no` As this will actually cause nscd
+ # to just reject the nss requests it receives, which then causes glibc to
+ # fallback to trying to handle the request by itself. Which won't work as glibc
+ # is not aware of the path in which the nss modules live. As a workaround, we
+ # have `enable-cache yes` with an explicit ttl of 0
+ server-user nscd
+
+ enable-cache passwd yes
+ positive-time-to-live passwd 0
+ negative-time-to-live passwd 0
+ shared passwd yes
+
+ enable-cache group yes
+ positive-time-to-live group 0
+ negative-time-to-live group 0
+ shared group yes
+
+ enable-cache netgroup yes
+ positive-time-to-live netgroup 0
+ negative-time-to-live netgroup 0
+ shared netgroup yes
+
+ enable-cache hosts yes
+ positive-time-to-live hosts 3600 # Invidious spams DNS queries to PubSubHubBub
+ negative-time-to-live hosts 0
+ shared hosts yes
+
+ enable-cache services yes
+ positive-time-to-live services 0
+ negative-time-to-live services 0
+ shared services yes
+ '';
+ };
+
services.tailscale = {
enable = true;
useRoutingFeatures = "both";
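Review bot: `positive-time-to-live hosts 3600` makes nscd serve every successful host lookup on this machine from its cache for an hour, regardless of the record's own TTL, and that applies to all NSS clients, not just the Invidious process the inline comment names. Any DNS change — including the kusanari→kanata move this same commit performs, or a blocky list change — can therefore go unseen by local services for up to an hour until `nscd -i hosts` (or an nscd restart) flushes the table. The line's comment should say so, e.g. `positive-time-to-live hosts 3600 # Invidious spams DNS queries to PubSubHubBub; caches positive lookups host-wide for 1h (flush: nscd -i hosts)`. The rest of the block appears to reproduce the NixOS default nscd.conf verbatim; a one-line comment at the top stating that only the hosts TTL deviates from the default would make the intent reviewable. The `services.tailscale` block at the end of the hunk continues outside it.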
@@ -136,6 +160,7 @@ in
networking.firewall.allowedTCPPorts = [ 80 443 ];
modules = {
persistence.directories = [
+ "/var/lib/nixos"
"/var/lib/tailscale"
"/var/lib/nixos-containers"
];
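Review bot: The new `"/var/lib/nixos"` entry carries no comment saying why it is persisted; on an impermanent root this directory holds NixOS's uid-map/gid-map for dynamically allocated users and groups, so without it numeric ids can be reassigned on reboot and files in the other persisted state directories end up owned by the wrong id. A short comment keeps that reasoning with the line: `"/var/lib/nixos" # uid/gid maps: keeps dynamically allocated ids stable across reboots`. This is presumably also what keeps the new `media` group (added in the last hunk of this diff, where its gid is not pinned) stable between boots — worth stating if so. The enclosing `modules` attrset continues past the hunk.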
@@ -143,6 +168,7 @@ in
persistence = {
enable = true;
storagePath = "/persist";
+ setupSshHostKeys = true;
};
# NOTE: This module only populates route entries,
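Review bot: `setupSshHostKeys = true;` takes over from the commented-out `services.openssh.hostKeys` block removed earlier in this diff, but the key paths and types that block recorded (`/persist/ssh/ssh_host_ed25519_key`, `ssh_host_rsa_key` at 4096 bits) are now implicit in the persistence module and nothing here points a reader there; a comment such as `# host keys are persisted under /persist/ssh by modules.persistence` keeps it discoverable. Whether the module provisions both key types or only persists whatever sshd generates on first boot is not visible from this file; if it is the latter, the explicit RSA/4096 choice from the old comment is silently dropped. The enclosing `modules` attrset continues past the hunk.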
@@ -151,18 +177,18 @@ in
enable = true;
routes = {
- "dns.kusanari.network".to = "http://localhost:4000";
- "metrics.kusanari.network".to = "http://localhost:4001";
- "nitter.kusanari.network".to = "http://localhost:4002";
- "invidious.kusanari.network".to = "http://localhost:4003";
- "hydra.kusanari.network".to = "http://localhost:4004";
- "cache.kusanari.network".to = "http://localhost:4005";
- "torrent.kusanari.network".to = "http://localhost:4006";
- "paperless.kusanari.network".to = "http://localhost:4007";
- "change.labs.kusanari.network".to = "http://localhost:4901";
+ "dns.kanata.network".to = "http://localhost:4000";
+ "metrics.kanata.network".to = "http://localhost:4001";
+ "nitter.kanata.network".to = "http://localhost:4002";
+ "invidious.kanata.network".to = "http://localhost:4003";
+ "hydra.kanata.network".to = "http://localhost:4004";
+ "cache.kanata.network".to = "http://localhost:4005";
+ "torrent.kanata.network".to = "http://localhost:4006";
+ "paperless.kanata.network".to = "http://localhost:4007";
+ "jellyfin.kanata.network".to = "http://localhost:8096";
# Nginx pre-configured routes
- "nextcloud.kusanari.network" = {
+ "nextcloud.kanata.network" = {
to = "http://localhost:80";
configureNginx = false;
};
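Review bot: Removing the `change.labs.kusanari.network` route leaves no `labs` host in the route table, yet the ACME cert block in a later hunk still lists the `"*.labs"` wildcard subdomain as unchanged context; unless other labs hosts are defined outside this file, dropping that entry keeps the certificate's SAN list to names that are actually served. The new `jellyfin.kanata.network` route is added with the module's defaults only — if the Jellyfin web UI needs websocket proxying the way the removed changedetection vhost did (`proxyWebsockets = true`), it should get the same treatment here; the module's defaults are not visible from this file. The enclosing `routes` attrset continues past the hunk.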
@@ -170,13 +196,13 @@ in
ssl = {
enable = true;
- acmeHost = "kusanari.network";
+ acmeHost = "kanata.network";
};
tailscaleIp = "100.93.1.1";
- # kusanari-kanata @ core
+ # kanata @ core
cloudflareUUID = "bf6dcc14-d315-41c7-b798-3fe0e0e968eb";
- secrets.cloudflare-credentials = config.sops.secrets.cf-kusanari-kanata-credentials.path;
+ secrets.cloudflare-credentials = config.sops.secrets.cf-kanata-credentials.path;
};
services.nginx.enable = true;
@@ -186,7 +212,7 @@ in
email = poorObfuscation "sefidel.net" "postmaster";
certs = {
- "kusanari.network" = {
+ "kanata.network" = {
subDomains = [
"*.labs"
"cache"
@@ -208,7 +234,7 @@ in
services.metrics = {
enable = true;
- realHost = "metrics.kusanari.network";
+ realHost = "metrics.kanata.network";
secrets.adminPassword = config.sops.secrets.grafana-admin-pass.path;
};
@@ -217,7 +243,7 @@ in
services.blocky = {
enable = true;
- realHost = "dns.kusanari.network";
+ realHost = "dns.kanata.network";
};
services.nextcloud = rec {
@@ -228,40 +254,40 @@ in
acmeHost = domain;
};
- domain = "kusanari.network";
- realHost = "nextcloud.kusanari.network";
+ domain = "kanata.network";
+ realHost = "nextcloud.kanata.network";
secrets.admin-pass = config.sops.secrets.nextcloud-admin-pass.path;
};
services.nitter = {
enable = true;
- title = "Kusanari Nitter";
+ title = "Kanata Nitter";
- domain = "kusanari.network";
- realHost = "nitter.kusanari.network";
+ domain = "kanata.network";
+ realHost = "nitter.kanata.network";
secrets.nitter-guest-accounts = config.sops.secrets.nitter-account-jsonl.path;
};
services.invidious = {
enable = true;
- domain = "kusanari.network";
- realHost = "invidious.kusanari.network";
+ domain = "kanata.network";
+ realHost = "invidious.kanata.network";
secrets.invidious-hmac-key = config.sops.secrets.invidious-hmac.path;
};
services.hydra = {
enable = true;
- baseURL = "https://hydra.kusanari.network";
+ baseURL = "https://hydra.kanata.network";
};
services.atticd = {
enable = true;
- hosts = [ "cache.kusanari.network" ];
- baseURL = "https://cache.kusanari.network/";
+ hosts = [ "cache.kanata.network" ];
+ baseURL = "https://cache.kanata.network/";
storagePath = "/smol/archive/attic";
@@ -280,33 +306,17 @@ in
services.paperless = {
enable = true;
- realHost = "paperless.kusanari.network";
+ realHost = "paperless.kanata.network";
secrets.paperless-superuser-password = config.sops.secrets.paperless-superuser-password.path;
};
- };
-
- services.changedetection-io = {
- enable = true;
-
- listenAddress = "localhost";
- port = 4901;
+ services.jellyfin = {
+ enable = true;
- baseURL = "https://change.labs.kusanari.network";
- behindProxy = true;
- webDriverSupport = true;
+ dataDir = "/smol/moon/jellyfin";
+ };
};
- services.nginx.virtualHosts."change.labs.kusanari.network".locations."/" = {
- proxyWebsockets = true;
- extraConfig = ''
- proxy_redirect off;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header Referer "https://change.labs.kusanari.network";
- '';
- };
+ users.groups.media.members = [ "jellyfin" "nextcloud" ];
containers.v-interlink = {
autoStart = true;