diff options
Diffstat (limited to 'nixos/kanata')
-rw-r--r-- | nixos/kanata/configuration.nix | 83 | ||||
-rw-r--r-- | nixos/kanata/secrets/secrets.yaml | 6 |
2 files changed, 46 insertions, 43 deletions
diff --git a/nixos/kanata/configuration.nix b/nixos/kanata/configuration.nix index a5ed1be..32e4cee 100644 --- a/nixos/kanata/configuration.nix +++ b/nixos/kanata/configuration.nix @@ -62,7 +62,7 @@ in modules.tailscale-initrd = { enable = true; - # XXX: This has to be manually generatd during NixOS install. + # XXX: This has to be manually generated during NixOS install. # The files are then copied to initrd secrets during activation. tailscaleStatePath = "/persist/initrd/tailscale-initrd.state"; }; @@ -70,22 +70,6 @@ in services.openssh.enable = true; users.users.root.openssh.authorizedKeys.keys = maintainerKeys; - # NOTE: managed by modules.persistence - # TODO: remove? - # fileSystems."/persist".neededForBoot = true; - # - # services.openssh.hostKeys = [ - # { - # path = "/persist/ssh/ssh_host_ed25519_key"; - # type = "ed25519"; - # } - # { - # path = "/persist/ssh/ssh_host_rsa_key"; - # type = "rsa"; - # bits = 4096; - # } - # ]; - sops.defaultSopsFile = ./secrets/secrets.yaml; powerManagement.cpuFreqGovernor = "ondemand"; @@ -118,6 +102,46 @@ in enableIPv6 = true; }; + services.nscd = { + enable = true; + config = '' + # We basically use nscd as a proxy for forwarding nss requests to appropriate + # nss modules, as we run nscd with LD_LIBRARY_PATH set to the directory + # containing all such modules + # Note that we can not use `enable-cache no` As this will actually cause nscd + # to just reject the nss requests it receives, which then causes glibc to + # fallback to trying to handle the request by itself. Which won't work as glibc + # is not aware of the path in which the nss modules live. As a workaround, we + # have `enable-cache yes` with an explicit ttl of 0 + server-user nscd + + enable-cache passwd yes + positive-time-to-live passwd 0 + negative-time-to-live passwd 0 + shared passwd yes + + enable-cache group yes + positive-time-to-live group 0 + negative-time-to-live group 0 + shared group yes + + enable-cache netgroup yes + positive-time-to-live netgroup 0 + negative-time-to-live netgroup 0 + shared netgroup yes + + enable-cache hosts yes + positive-time-to-live hosts 3600 # Invidious spams DNS queries to PubSubHubBub + negative-time-to-live hosts 0 + shared hosts yes + + enable-cache services yes + positive-time-to-live services 0 + negative-time-to-live services 0 + shared services yes + ''; + }; + services.tailscale = { enable = true; useRoutingFeatures = "both"; @@ -136,6 +160,7 @@ in networking.firewall.allowedTCPPorts = [ 80 443 ]; modules = { persistence.directories = [ + "/var/lib/nixos" "/var/lib/tailscale" "/var/lib/nixos-containers" ]; @@ -143,6 +168,7 @@ in persistence = { enable = true; storagePath = "/persist"; + setupSshHostKeys = true; }; # NOTE: This module only populates route entries, @@ -285,29 +311,6 @@ in }; }; - services.changedetection-io = { - enable = true; - - listenAddress = "localhost"; - port = 4901; - - baseURL = "https://change.labs.kusanari.network"; - behindProxy = true; - webDriverSupport = true; - }; - - services.nginx.virtualHosts."change.labs.kusanari.network".locations."/" = { - proxyWebsockets = true; - extraConfig = '' - proxy_redirect off; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Referer "https://change.labs.kusanari.network"; - ''; - }; - containers.v-interlink = { autoStart = true; enableTun = true; diff --git a/nixos/kanata/secrets/secrets.yaml b/nixos/kanata/secrets/secrets.yaml index a32a80f..daaa60e 100644 --- a/nixos/kanata/secrets/secrets.yaml +++ b/nixos/kanata/secrets/secrets.yaml @@ -9,7 +9,7 @@ nitter-account-jsonl: ENC[AES256_GCM,data:a7nSbFcG+E5xXnY4moLAu1ULujjZ8czGGLQNqa acme-credentials: ENC[AES256_GCM,data:6SIuFH3sRcz/Z855br7VgFKEEA1crztKmhVd3chK7ERJpfG9pTxxX0mAxG3aK5OhXwZpDMp0YkxtEphdkb5m0ZU=,iv:bUMtK0SvtrNwlhuY1k0dNVIOcJgM1OLjmbl+X+Zj01E=,tag:x6kdGrSsImZlpHrPnEAmXA==,type:str] invidious-hmac: ENC[AES256_GCM,data:uIw4aQm6oYd5heSxrJnt6Nvc+fTPLMSEDtDyZ/ayogl6qx/gPg==,iv:8AVzwO9peE0UC70nLxBxHKzTcitrzvBvy120fdQD1+c=,tag:rr7MOqgOFFxXN8W+9MKvLg==,type:str] #ENC[AES256_GCM,data:c0B2RqGRFmyxyz93TCWL5wMTYiFmnvWU9aQwZszQ137fhL7bQdENPLWQkoiWyW6o3GXTyuL2bni1VnO4eD5idWzt7dw=,iv:147La8vNPRLMnK992cQD1NmQgbDrDBLwSPEX4haeIS4=,tag:hmGGslH4O9dlTSoDTWIdIg==,type:comment] -interlink-wg-config: ENC[AES256_GCM,data:zT0yr7O4JhpmnI5++cK7aJEKkLM9rxcWGyvwJ7Q4ZR6wWLe0LnNIzEpjjMAvh/If4NYOU8qpVOUgxaREij3hIhJ1QzyAb/nF80msZWDmmMvtVLZmC1wNw+p88UKrPwRBbLIwVbwCyWJtIdnZTHzscktfSY+mC/mB8fESh8XpRXH7YW/W1+nyrSQCmJ3LGopHBukqJstLunu7qW34xZ5k37/TKToyqW4JLUxamrPsBycR1ZnfTvIHluOvXhQLOleBEJN+GyduRqPV7tAajbMZAlyZa5Y6mGVA0kcba3GpuiV4uQjFJcSiYLa2JztWSbsWFJBl1YPXdsWzWOrQ,iv:iiye6Zb2OlctZFFuRbJ7RiXW0k400/DmWDlh5SXgp+Q=,tag:qa3BedClEOaSyst+xjPe4Q==,type:str] +interlink-wg-config: ENC[AES256_GCM,data:vao5c0rUCjjd+c2bqqpk7VQZ28yWmAEpBp9sXyh1IRE2MeoWNj0m+e4EbqmEFVKfRbOFgkj5Ek5dAKs7UEb2NMxNYh+s/3cDj8i0cls7fRyb02ctMEVQN2hgArOwG4MdFHPn8BDhyChnAo+FkSS7q8p3AOLehB2jrQg+tzY31l3d01Cfcqswh1wJ8p4eSevvmx5PwNeH7fh35HOh5qzcJFrHkr+eUnKWXyF3zKiKAf/KM5cfz/3WVg4omRjrQCWRHjXrCHh53a7QGlYy1V4KFjzJGriywicGsbvLrnR5Fr2AZCK781NWO/Vxf2PiFzsLHpJ4wTmfkUKNrWDu,iv:iJNc+HrCKs6fUtMkSZ8HZJQE0+GXzxZBIAWFO13DseY=,tag:wUww5nKO+h21HAor+UUIAg==,type:str] proton-private-key: ENC[AES256_GCM,data:OnZGYf/203XOLXyDRIqrRKwLe0cN2c0RF+CkwwNtttP+ACD3AJCY0rNgKoc=,iv:IWFF95Z3r+OuSu+GfJWJjwRv5b9KZSKGMuxSnkRGqlg=,tag:QvDBvSzzGxwawhaio47MEQ==,type:str] attic-credentials: ENC[AES256_GCM,data:S25D1E4kTp2Nre1uu1WWVV1jrEpQtPz5+5XQ/W0pr0CF5pFm0UEyGn2XdJKQzyM5CYSCo581JeJNMtTKIwEKm8lYY9X5e8Jgwe2o5f5YRwmHSfvK1UAJoUdM7Q0FaAcVTU3bNis1dClqDvB0QbNjF1xsYCKCgZRe8TSenmJgPjA=,iv:m+UzkoVsEfUtKIYaGZIej4efhVuWN4EKCqMamlQwWaI=,tag:vBPq0JkRDbKmyw9qLbh1gg==,type:str] transmission-extra-config: ENC[AES256_GCM,data:lyZ8Nkjp0Mjm4HFDqRN1G6iyBksHT6dKKQDSO8Br1DpXxKLDBclQ4L2F1FqQJ3OB/7o4EqWFX8J1ZjVYDCQkQnhr6v13glvFciICQ99hPsypUS349936vDCgEF/WP0RAHOsaRq81JnMDegZvEg==,iv:bfN2oEfQ3uk4i6hwHp2ZdYCf3l7Kb0EoXSEGyOSB8CM=,tag:fZkMayEJiXzifTCiVLJq6w==,type:str] @@ -38,8 +38,8 @@ sops: YkRGS2ZBbm1keWpUQUFOWDRtTWZVa0EKc+lKEP0L/yoFLx6p1zbWfifPWc7Y9Qqh qccODSyHqzwdriHLxXuw9SCnF+SeA721te6+pDVhJj8vqv2UqHiATw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-04-05T15:01:25Z" - mac: ENC[AES256_GCM,data:ndnsAuHSyQSGx0G2YzECaZhGDvVbbXDbSWLdh1r2Vy6beVeX/e6JP7AxnIRfhipKfJLlhOA1rtbCOiwpq4FubozXDJOviI0oLZWU4ZDSCgWHKsUVoMdC3gqw87Qhts77PfDqdYVgglAr2/n6AzhY8NVkjuMWu4iDiD9yfb+bJ5o=,iv:J32wZYk6yiEgJBWrs6QTjM/EY6XqRfu/BkhiP9PxAWQ=,tag:eL3mcerITq55qYlxF5JhEw==,type:str] + lastmodified: "2024-06-24T14:39:04Z" + mac: ENC[AES256_GCM,data:Gnx4wfiDqSvuYt2eOzAJhvL/t5lItsPajTykw1mONpCbdv03j/7bccyayvDajXQiD110fDN+gDDkux7IVWC1Zv/Gj2M3+qRq6OHCeDxtHwLW2KVdCoine2BxKN0RuIwkyJ9xNE6GQ1P7CaIjYrT2ilztjfZvIzydAZPsxCRV3Sg=,iv:w/XrddHvz1mi+SuyWavryk9duZMQay5ICd33ZTZynIg=,tag:TV7ekS5S01MoIpr8WGczrA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 |