Diffstat (limited to 'nixos/kanata/configuration.nix')
-rw-r--r-- | nixos/kanata/configuration.nix | 138 |
1 files changed, 116 insertions, 22 deletions
diff --git a/nixos/kanata/configuration.nix b/nixos/kanata/configuration.nix
index e19ee25..357c0bd 100644
--- a/nixos/kanata/configuration.nix
+++ b/nixos/kanata/configuration.nix
@@ -3,6 +3,8 @@ let sefidelKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILN14b5Fu+StHeMXq4ClyLG4G+/vCAfS7adxceEFria/ openpgp:0x1D5BCD11" ]; maintainerKeys = [ ] ++ sefidelKeys; + + poorObfuscation = y: x: "${x}@${y}"; in { imports = [ ];
@@ -68,27 +70,21 @@ in services.openssh.enable = true; users.users.root.openssh.authorizedKeys.keys = maintainerKeys; - fileSystems."/persist".neededForBoot = true; - - services.openssh.hostKeys = [ - { - path = "/persist/ssh/ssh_host_ed25519_key"; - type = "ed25519"; - } - { - path = "/persist/ssh/ssh_host_rsa_key"; - type = "rsa"; - bits = 4096; - } - ]; - - services.tailscale = { - enable = true; - useRoutingFeatures = "both"; - openFirewall = true; - }; - - environment.persistence."/persist".directories = [ "/var/lib/tailscale" ]; + # NOTE: managed by modules.persistence + # TODO: remove? + # fileSystems."/persist".neededForBoot = true; + # + # services.openssh.hostKeys = [ + # { + # path = "/persist/ssh/ssh_host_ed25519_key"; + # type = "ed25519"; + # } + # { + # path = "/persist/ssh/ssh_host_rsa_key"; + # type = "rsa"; + # bits = 4096; + # } + # ]; sops.defaultSopsFile = ./secrets/secrets.yaml;
@@ -96,6 +92,10 @@ in sops.secrets.zfs-smol-key = { }; sops.secrets.nextcloud-admin-pass = { owner = "nextcloud"; }; + sops.secrets.acme-credentials = { owner = "acme"; }; + sops.secrets.grafana-admin-pass = { owner = "grafana"; }; + sops.secrets.cf-kusanari-kanata-credentials = { owner = "cloudflared"; }; + sops.secrets.nitter-account-jsonl = { }; boot.kernel.sysctl."net.ipv4.ip_forward" = 1; boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1; 
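Review bot: `poorObfuscation = y: x: "${x}@${y}";` only keeps the literal address out of a repository grep; the evaluated string is still written verbatim into the Nix store and sent to the ACME CA as the account contact, so it provides no confidentiality. A comment at the definition would stop a later reader from mistaking it for a secret-handling helper, e.g. `# Avoids a grep-able literal in the repo; the address is still plaintext in the store and in the ACME account.` If the address is actually sensitive it belongs in sops alongside the other credentials, not in a string helper.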
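Review bot: The removed `services.openssh.hostKeys` paths and `fileSystems."/persist".neededForBoot = true;` are replaced by fifteen commented-out lines and a `TODO: remove?` rather than a statement of where that responsibility now lives; `modules.persistence` is not visible in this hunk, so I cannot confirm it persists `/etc/ssh` and mounts `/persist` before sshd and sops-nix start. If it does not, the host keys are regenerated on every boot: clients get host-key-changed warnings that train them to accept a new key, and sops-nix, which by default derives its age key from the host ed25519 key, can no longer decrypt the secrets declared further down. Suggest dropping the dead block and keeping a single line naming the owner, `# SSH host keys and the /persist mount are handled by modules.persistence; keep that module enabled on this host.`, and making the dependency fail loudly with `assertions = [ { assertion = config.modules.persistence.enable; message = "kanata relies on modules.persistence for ssh host keys"; } ];`.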
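Review bot: `sops.secrets.nitter-account-jsonl = { };` is the only new secret without an `owner`, so sops-nix installs it with its defaults (root, mode 0400), whereas the three sibling entries each name the service user that reads them. If the nitter unit runs as a dedicated user, as `nextcloud`, `grafana` and `cloudflared` do here, it will fail to open the file at start-up; the exception is a module that hands the path to systemd `LoadCredential`, which is read as root, but the custom nitter module is not visible from this hunk. Either set `sops.secrets.nitter-account-jsonl = { owner = "nitter"; };` or add a comment stating that the default ownership is intentional because the file is read via LoadCredential. Consider `restartUnits` on these four secrets as well, so a rotated credential is picked up without a manual restart.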
@@ -110,13 +110,107 @@ in enableIPv6 = true; }; + services.tailscale = { + enable = true; + useRoutingFeatures = "both"; + openFirewall = true; + }; + + services.nginx.enable = true; + services.cloudflared = { + enable = true; + + tunnels."bf6dcc14-d315-41c7-b798-3fe0e0e968eb" = { + default = "http_status:404"; + }; + }; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; modules = { + persistence.directories = [ "/var/lib/tailscale" ]; + + persistence = { + enable = true; + storagePath = "/persist"; + }; + + # NOTE: This module only populates route entries, + # each service needs to be enabled individually. + expose = { + enable = true; + + routes = { + "dns.kusanari.network" = "http://localhost:4000"; + "metrics.kusanari.network" = "http://localhost:4001"; + "nitter.kusanari.network" = "http://localhost:4002"; + + # Nginx pre-configured routes + # NOTE: Routes with port 80 or 443 will NOT create corresponding nginx virtualHosts. + "nextcloud.kusanari.network" = "http://localhost:80"; + }; + + ssl = { + enable = true; + acmeHost = "kusanari.network"; + }; + + tailscaleIp = "100.93.1.1"; + # kusanari-kanata @ core + cloudflareUUID = "bf6dcc14-d315-41c7-b798-3fe0e0e968eb"; + secrets.cloudflare-credentials = config.sops.secrets.cf-kusanari-kanata-credentials.path; + }; + + services.nginx.enable = true; + + services.acme = { + enable = true; + email = poorObfuscation "sefidel.net" "postmaster"; + + certs = { + "kusanari.network" = { + subDomains = [ + "nitter" + "nextcloud" + "jellyfin" + "dns" + "metrics" + ]; + }; + }; + + secrets.acme-credentials = config.sops.secrets.acme-credentials.path; + }; + + services.metrics = { + enable = true; + realHost = "metrics.kusanari.network"; + secrets.adminPassword = config.sops.secrets.grafana-admin-pass.path; + }; + services.blocky.enable = true; - services.nextcloud = { + services.nextcloud = rec { enable = true; + + ssl = { + enable = true; + acmeHost = domain; + }; + + domain = "kusanari.network"; + realHost = 
"nextcloud.kusanari.network"; secrets.admin-pass = config.sops.secrets.nextcloud-admin-pass.path; }; + + services.nitter = { + enable = true; + + title = "Kusanari Nitter"; + + domain = "kusanari.network"; + realHost = "nitter.kusanari.network"; + secrets.nitter-guest-accounts = config.sops.secrets.nitter-account-jsonl.path; + }; }; # This option defines the first version of NixOS you have installed on this particular machine, |