diff options
Diffstat (limited to 'nixos/kanata')
| -rw-r--r-- | nixos/kanata/configuration.nix | 142 | ||||
| -rw-r--r-- | nixos/kanata/secrets/secrets.yaml | 10 |
2 files changed, 81 insertions, 71 deletions
diff --git a/nixos/kanata/configuration.nix b/nixos/kanata/configuration.nix index a5ed1be..c0120bb 100644 --- a/nixos/kanata/configuration.nix +++ b/nixos/kanata/configuration.nix @@ -62,7 +62,7 @@ in modules.tailscale-initrd = { enable = true; - # XXX: This has to be manually generatd during NixOS install. + # XXX: This has to be manually generated during NixOS install. # The files are then copied to initrd secrets during activation. tailscaleStatePath = "/persist/initrd/tailscale-initrd.state"; }; @@ -70,22 +70,6 @@ in services.openssh.enable = true; users.users.root.openssh.authorizedKeys.keys = maintainerKeys; - # NOTE: managed by modules.persistence - # TODO: remove? - # fileSystems."/persist".neededForBoot = true; - # - # services.openssh.hostKeys = [ - # { - # path = "/persist/ssh/ssh_host_ed25519_key"; - # type = "ed25519"; - # } - # { - # path = "/persist/ssh/ssh_host_rsa_key"; - # type = "rsa"; - # bits = 4096; - # } - # ]; - sops.defaultSopsFile = ./secrets/secrets.yaml; powerManagement.cpuFreqGovernor = "ondemand"; @@ -94,7 +78,7 @@ in sops.secrets.nextcloud-admin-pass = { owner = "nextcloud"; }; sops.secrets.acme-credentials = { owner = "acme"; }; sops.secrets.grafana-admin-pass = { owner = "grafana"; }; - sops.secrets.cf-kusanari-kanata-credentials = { owner = "cloudflared"; }; + sops.secrets.cf-kanata-credentials = { owner = "cloudflared"; }; sops.secrets.nitter-account-jsonl = { }; # sops.secrets.interlink-private-key = { }; sops.secrets.interlink-wg-config = { }; @@ -118,6 +102,46 @@ in enableIPv6 = true; }; + services.nscd = { + enable = true; + config = '' + # We basically use nscd as a proxy for forwarding nss requests to appropriate + # nss modules, as we run nscd with LD_LIBRARY_PATH set to the directory + # containing all such modules + # Note that we can not use `enable-cache no` As this will actually cause nscd + # to just reject the nss requests it receives, which then causes glibc to + # fallback to trying to handle the request by itself. Which won't work as glibc + # is not aware of the path in which the nss modules live. As a workaround, we + # have `enable-cache yes` with an explicit ttl of 0 + server-user nscd + + enable-cache passwd yes + positive-time-to-live passwd 0 + negative-time-to-live passwd 0 + shared passwd yes + + enable-cache group yes + positive-time-to-live group 0 + negative-time-to-live group 0 + shared group yes + + enable-cache netgroup yes + positive-time-to-live netgroup 0 + negative-time-to-live netgroup 0 + shared netgroup yes + + enable-cache hosts yes + positive-time-to-live hosts 3600 # Invidious spams DNS queries to PubSubHubBub + negative-time-to-live hosts 0 + shared hosts yes + + enable-cache services yes + positive-time-to-live services 0 + negative-time-to-live services 0 + shared services yes + ''; + }; + services.tailscale = { enable = true; useRoutingFeatures = "both"; @@ -136,6 +160,7 @@ in networking.firewall.allowedTCPPorts = [ 80 443 ]; modules = { persistence.directories = [ + "/var/lib/nixos" "/var/lib/tailscale" "/var/lib/nixos-containers" ]; @@ -143,6 +168,7 @@ in persistence = { enable = true; storagePath = "/persist"; + setupSshHostKeys = true; }; # NOTE: This module only populates route entries, @@ -151,18 +177,18 @@ in enable = true; routes = { - "dns.kusanari.network".to = "http://localhost:4000"; - "metrics.kusanari.network".to = "http://localhost:4001"; - "nitter.kusanari.network".to = "http://localhost:4002"; - "invidious.kusanari.network".to = "http://localhost:4003"; - "hydra.kusanari.network".to = "http://localhost:4004"; - "cache.kusanari.network".to = "http://localhost:4005"; - "torrent.kusanari.network".to = "http://localhost:4006"; - "paperless.kusanari.network".to = "http://localhost:4007"; - "change.labs.kusanari.network".to = "http://localhost:4901"; + "dns.kanata.network".to = "http://localhost:4000"; + "metrics.kanata.network".to = "http://localhost:4001"; + "nitter.kanata.network".to = "http://localhost:4002"; + "invidious.kanata.network".to = "http://localhost:4003"; + "hydra.kanata.network".to = "http://localhost:4004"; + "cache.kanata.network".to = "http://localhost:4005"; + "torrent.kanata.network".to = "http://localhost:4006"; + "paperless.kanata.network".to = "http://localhost:4007"; + "jellyfin.kanata.network".to = "http://localhost:8096"; # Nginx pre-configured routes - "nextcloud.kusanari.network" = { + "nextcloud.kanata.network" = { to = "http://localhost:80"; configureNginx = false; }; @@ -170,13 +196,13 @@ in ssl = { enable = true; - acmeHost = "kusanari.network"; + acmeHost = "kanata.network"; }; tailscaleIp = "100.93.1.1"; - # kusanari-kanata @ core + # kanata @ core cloudflareUUID = "bf6dcc14-d315-41c7-b798-3fe0e0e968eb"; - secrets.cloudflare-credentials = config.sops.secrets.cf-kusanari-kanata-credentials.path; + secrets.cloudflare-credentials = config.sops.secrets.cf-kanata-credentials.path; }; services.nginx.enable = true; @@ -186,7 +212,7 @@ in email = poorObfuscation "sefidel.net" "postmaster"; certs = { - "kusanari.network" = { + "kanata.network" = { subDomains = [ "*.labs" "cache" @@ -208,7 +234,7 @@ in services.metrics = { enable = true; - realHost = "metrics.kusanari.network"; + realHost = "metrics.kanata.network"; secrets.adminPassword = config.sops.secrets.grafana-admin-pass.path; }; @@ -217,7 +243,7 @@ in services.blocky = { enable = true; - realHost = "dns.kusanari.network"; + realHost = "dns.kanata.network"; }; services.nextcloud = rec { @@ -228,40 +254,40 @@ in acmeHost = domain; }; - domain = "kusanari.network"; - realHost = "nextcloud.kusanari.network"; + domain = "kanata.network"; + realHost = "nextcloud.kanata.network"; secrets.admin-pass = config.sops.secrets.nextcloud-admin-pass.path; }; services.nitter = { enable = true; - title = "Kusanari Nitter"; + title = "Kanata Nitter"; - domain = "kusanari.network"; - realHost = "nitter.kusanari.network"; + domain = "kanata.network"; + realHost = "nitter.kanata.network"; secrets.nitter-guest-accounts = config.sops.secrets.nitter-account-jsonl.path; }; services.invidious = { enable = true; - domain = "kusanari.network"; - realHost = "invidious.kusanari.network"; + domain = "kanata.network"; + realHost = "invidious.kanata.network"; secrets.invidious-hmac-key = config.sops.secrets.invidious-hmac.path; }; services.hydra = { enable = true; - baseURL = "https://hydra.kusanari.network"; + baseURL = "https://hydra.kanata.network"; }; services.atticd = { enable = true; - hosts = [ "cache.kusanari.network" ]; - baseURL = "https://cache.kusanari.network/"; + hosts = [ "cache.kanata.network" ]; + baseURL = "https://cache.kanata.network/"; storagePath = "/smol/archive/attic"; @@ -280,33 +306,17 @@ in services.paperless = { enable = true; - realHost = "paperless.kusanari.network"; + realHost = "paperless.kanata.network"; secrets.paperless-superuser-password = config.sops.secrets.paperless-superuser-password.path; }; - }; - - services.changedetection-io = { - enable = true; - - listenAddress = "localhost"; - port = 4901; + services.jellyfin = { + enable = true; - baseURL = "https://change.labs.kusanari.network"; - behindProxy = true; - webDriverSupport = true; + dataDir = "/smol/moon/jellyfin"; + }; }; - services.nginx.virtualHosts."change.labs.kusanari.network".locations."/" = { - proxyWebsockets = true; - extraConfig = '' - proxy_redirect off; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Referer "https://change.labs.kusanari.network"; - ''; - }; + users.groups.media.members = [ "jellyfin" "nextcloud" ]; containers.v-interlink = { autoStart = true; diff --git a/nixos/kanata/secrets/secrets.yaml b/nixos/kanata/secrets/secrets.yaml index a32a80f..277ddd9 100644 --- a/nixos/kanata/secrets/secrets.yaml +++ b/nixos/kanata/secrets/secrets.yaml @@ -4,12 +4,12 @@ initrd-ts-state: ENC[AES256_GCM,data:8xftKiXfuaWB4XxvP9LBAmFTbX1VbGJix6SqkIbDliU zfs-smol-key: ENC[AES256_GCM,data:M6JUsFoAvt2nqI/9bVq0slhrcQE8sGgC3s0x,iv:hZK99Veh+oMhxxA9BbBe7OBisjhF00baAb1JQ7yfMaA=,tag:30GjpPzIpgw5htoK1BcmUg==,type:str] nextcloud-admin-pass: ENC[AES256_GCM,data:Lvk/j/3fissx6Kyccp9q2gi7ahbd+pR7jFXnx5OL0JRG,iv:Y0GI/z4pFW98Ll6xpuENr+fTrm7JoE9KadDKx2O4WLI=,tag:ofln+SgrhJm8BpKnVSngoQ==,type:str] grafana-admin-pass: ENC[AES256_GCM,data:waHiV4NyatwQrvRkws8FQut49/ryh9srNSshUbvm,iv:XvU06AqljDsUk9smAak/4OCursX6U/SckPc92AkSTWk=,tag:xBcELmTUUs0mzOY+oiqidA==,type:str] -cf-kusanari-kanata-credentials: ENC[AES256_GCM,data:whwnxMT9JS3iDHbGTk2FoeDBiug26JoRWlyA3sOij861PVJZBEvQJubXD2E5hSwJhyoMIUpb8wgnvB/6GhznouwWfsNh7I39wcaxvHArTNkW+LXrAu8m7ra5dtSUHhPUQifLNYB/TsKHsB+TMhc5IMD6hAHs4uraZHmF1cej8PufTDKDLHjwVwDDJSP1ujQaUrRUvp4NUc8ImVCwnG0PYCVv,iv:umi4Yj11E6+BriksGLzvm+YW7NuARmRtvHz2cixILQA=,tag:+LQs2veOW0CmSKCUNtd9KA==,type:str] +cf-kanata-credentials: ENC[AES256_GCM,data:zOKmtTXbmkFD8QOY2dO3pIhru3+2N5DqP+CQUPdiW5guXCzxBUI9ueosoT7qbmm9Ks1KlJ372Ah5riKHT4x2qUg642bnDrjbx4IvKZgenvLsf6XIEFKuV6XKfp6XI6cMoOGF6J/HGv0s/my9jBMAWMNgLC8ilQXH8L3BzjRANJpkzrak6oEMbarTIdwsZoBOD7xDnt4nDerAANsfaYEzt2YU,iv:imseTCuMGUSR9WkDHGlUmjdqOKGBigAEX3ClckIYa9U=,tag:0of2EZxi1QWejfK8s4x7mw==,type:str] nitter-account-jsonl: ENC[AES256_GCM,data:a7nSbFcG+E5xXnY4moLAu1ULujjZ8czGGLQNqaLZtFISG5Fc/0mMwRxKdArp9pwdUrteSUWzoKlkeTfsHsoS4TmPMuna/nLKSjBV1bvPdOuBEIi6IP9o6zb9izUvcwTAcMiWPjeRYNyLy5p9tvdIQ0MmRmd5UW9WUILLs7r5dmIK/ssNgYf89jJsdhBRpzOmjOtBbzn2uTA6+3s7ldswSWhAP94654Hrbg1IKxvefAgAqm+/2aNvY1Jxh71bNlWH+/WNBtH7pC24NeNWjiNHKzGhix2UecmcQ5/CEo8DBa6mg4gpe9i+VxzHhl3NJoFrfuicFT2ebTEjv8p7ZXLF3ZRgscXXb9YJ5CjmVILiUh/yYqM2jzSLbGHKIetlNFlmNkAYXN3j+A4w4Jiu4lVA3jwFPVxk92pSHi7hhib5gP3P20Zfbr89zk9tGIBQVDWo4p1LrwumH6aCq+XaIPAHOspFheIteZUJ1q0V2vylrBfkrj+ISDQ94aWgSKC74dynGL4joH4DJ2g6xSh26FMNlvBR7Mwg1PpfmJKx0I3iROoEc3RCPdxaoPiJNL7gpRlHV2a5H+ZCgpuWxcQ=,iv:joZcbUidniBqGu9Lkg6wd+mBdmgU/inbPEOlXewU5U4=,tag:y8Uv4zxuTAsTKB+OB4S6Xw==,type:str] acme-credentials: ENC[AES256_GCM,data:6SIuFH3sRcz/Z855br7VgFKEEA1crztKmhVd3chK7ERJpfG9pTxxX0mAxG3aK5OhXwZpDMp0YkxtEphdkb5m0ZU=,iv:bUMtK0SvtrNwlhuY1k0dNVIOcJgM1OLjmbl+X+Zj01E=,tag:x6kdGrSsImZlpHrPnEAmXA==,type:str] invidious-hmac: ENC[AES256_GCM,data:uIw4aQm6oYd5heSxrJnt6Nvc+fTPLMSEDtDyZ/ayogl6qx/gPg==,iv:8AVzwO9peE0UC70nLxBxHKzTcitrzvBvy120fdQD1+c=,tag:rr7MOqgOFFxXN8W+9MKvLg==,type:str] #ENC[AES256_GCM,data:c0B2RqGRFmyxyz93TCWL5wMTYiFmnvWU9aQwZszQ137fhL7bQdENPLWQkoiWyW6o3GXTyuL2bni1VnO4eD5idWzt7dw=,iv:147La8vNPRLMnK992cQD1NmQgbDrDBLwSPEX4haeIS4=,tag:hmGGslH4O9dlTSoDTWIdIg==,type:comment] -interlink-wg-config: ENC[AES256_GCM,data:zT0yr7O4JhpmnI5++cK7aJEKkLM9rxcWGyvwJ7Q4ZR6wWLe0LnNIzEpjjMAvh/If4NYOU8qpVOUgxaREij3hIhJ1QzyAb/nF80msZWDmmMvtVLZmC1wNw+p88UKrPwRBbLIwVbwCyWJtIdnZTHzscktfSY+mC/mB8fESh8XpRXH7YW/W1+nyrSQCmJ3LGopHBukqJstLunu7qW34xZ5k37/TKToyqW4JLUxamrPsBycR1ZnfTvIHluOvXhQLOleBEJN+GyduRqPV7tAajbMZAlyZa5Y6mGVA0kcba3GpuiV4uQjFJcSiYLa2JztWSbsWFJBl1YPXdsWzWOrQ,iv:iiye6Zb2OlctZFFuRbJ7RiXW0k400/DmWDlh5SXgp+Q=,tag:qa3BedClEOaSyst+xjPe4Q==,type:str] +interlink-wg-config: ENC[AES256_GCM,data:vao5c0rUCjjd+c2bqqpk7VQZ28yWmAEpBp9sXyh1IRE2MeoWNj0m+e4EbqmEFVKfRbOFgkj5Ek5dAKs7UEb2NMxNYh+s/3cDj8i0cls7fRyb02ctMEVQN2hgArOwG4MdFHPn8BDhyChnAo+FkSS7q8p3AOLehB2jrQg+tzY31l3d01Cfcqswh1wJ8p4eSevvmx5PwNeH7fh35HOh5qzcJFrHkr+eUnKWXyF3zKiKAf/KM5cfz/3WVg4omRjrQCWRHjXrCHh53a7QGlYy1V4KFjzJGriywicGsbvLrnR5Fr2AZCK781NWO/Vxf2PiFzsLHpJ4wTmfkUKNrWDu,iv:iJNc+HrCKs6fUtMkSZ8HZJQE0+GXzxZBIAWFO13DseY=,tag:wUww5nKO+h21HAor+UUIAg==,type:str] proton-private-key: ENC[AES256_GCM,data:OnZGYf/203XOLXyDRIqrRKwLe0cN2c0RF+CkwwNtttP+ACD3AJCY0rNgKoc=,iv:IWFF95Z3r+OuSu+GfJWJjwRv5b9KZSKGMuxSnkRGqlg=,tag:QvDBvSzzGxwawhaio47MEQ==,type:str] attic-credentials: ENC[AES256_GCM,data:S25D1E4kTp2Nre1uu1WWVV1jrEpQtPz5+5XQ/W0pr0CF5pFm0UEyGn2XdJKQzyM5CYSCo581JeJNMtTKIwEKm8lYY9X5e8Jgwe2o5f5YRwmHSfvK1UAJoUdM7Q0FaAcVTU3bNis1dClqDvB0QbNjF1xsYCKCgZRe8TSenmJgPjA=,iv:m+UzkoVsEfUtKIYaGZIej4efhVuWN4EKCqMamlQwWaI=,tag:vBPq0JkRDbKmyw9qLbh1gg==,type:str] transmission-extra-config: ENC[AES256_GCM,data:lyZ8Nkjp0Mjm4HFDqRN1G6iyBksHT6dKKQDSO8Br1DpXxKLDBclQ4L2F1FqQJ3OB/7o4EqWFX8J1ZjVYDCQkQnhr6v13glvFciICQ99hPsypUS349936vDCgEF/WP0RAHOsaRq81JnMDegZvEg==,iv:bfN2oEfQ3uk4i6hwHp2ZdYCf3l7Kb0EoXSEGyOSB8CM=,tag:fZkMayEJiXzifTCiVLJq6w==,type:str] @@ -38,8 +38,8 @@ sops: YkRGS2ZBbm1keWpUQUFOWDRtTWZVa0EKc+lKEP0L/yoFLx6p1zbWfifPWc7Y9Qqh qccODSyHqzwdriHLxXuw9SCnF+SeA721te6+pDVhJj8vqv2UqHiATw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-04-05T15:01:25Z" - mac: ENC[AES256_GCM,data:ndnsAuHSyQSGx0G2YzECaZhGDvVbbXDbSWLdh1r2Vy6beVeX/e6JP7AxnIRfhipKfJLlhOA1rtbCOiwpq4FubozXDJOviI0oLZWU4ZDSCgWHKsUVoMdC3gqw87Qhts77PfDqdYVgglAr2/n6AzhY8NVkjuMWu4iDiD9yfb+bJ5o=,iv:J32wZYk6yiEgJBWrs6QTjM/EY6XqRfu/BkhiP9PxAWQ=,tag:eL3mcerITq55qYlxF5JhEw==,type:str] + lastmodified: "2024-12-08T16:00:13Z" + mac: ENC[AES256_GCM,data:6SjNDZWaGYObqWM9UXlxPEwbSdu74Ih21sYcUnqVDttznMtCTbsJ154bhNQXSK4LhKnfocp0IpO9Ft5ZLS4cEXJ6XqWeZKqTl+b14Y0Pw6xEq7330DxbDxwMSwk+0IEn0Xo3vMy6MisSgcOsm9R5E61vjNfWFH6EKTjE0MefbbQ=,iv:KvYvDo9GM+qimRjmE6NcGAoGfp8w+I+1YCI4gwrq9eI=,tag:96oHidSwuJdC8+HVNtD+zA==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.8.1 + version: 3.9.1 |