Diffstat (limited to 'nixos/kanata')
-rw-r--r--nixos/kanata/configuration.nix83
-rw-r--r--nixos/kanata/secrets/secrets.yaml6
2 files changed, 46 insertions, 43 deletions
diff --git a/nixos/kanata/configuration.nix b/nixos/kanata/configuration.nix
index a5ed1be..32e4cee 100644
--- a/nixos/kanata/configuration.nix
+++ b/nixos/kanata/configuration.nix
@@ -62,7 +62,7 @@ in
 
   modules.tailscale-initrd = {
     enable = true;
-    # XXX: This has to be manually generatd during NixOS install.
+    # XXX: This has to be manually generated during NixOS install.
     # The files are then copied to initrd secrets during activation.
     tailscaleStatePath = "/persist/initrd/tailscale-initrd.state";
   };
@@ -70,22 +70,6 @@ in
   services.openssh.enable = true;
   users.users.root.openssh.authorizedKeys.keys = maintainerKeys;
 
-  # NOTE: managed by modules.persistence
-  # TODO: remove?
-  # fileSystems."/persist".neededForBoot = true;
-  #
-  # services.openssh.hostKeys = [
-  #   {
-  #     path = "/persist/ssh/ssh_host_ed25519_key";
-  #     type = "ed25519";
-  #   }
-  #   {
-  #     path = "/persist/ssh/ssh_host_rsa_key";
-  #     type = "rsa";
-  #     bits = 4096;
-  #   }
-  # ];
-
   sops.defaultSopsFile = ./secrets/secrets.yaml;
 
   powerManagement.cpuFreqGovernor = "ondemand";
@@ -118,6 +102,46 @@ in
     enableIPv6 = true;
   };
 
+  services.nscd = {
+    enable = true;
+    config = ''
+      # We basically use nscd as a proxy for forwarding nss requests to appropriate
+      # nss modules, as we run nscd with LD_LIBRARY_PATH set to the directory
+      # containing all such modules
+      # Note that we can not use `enable-cache no` As this will actually cause nscd
+      # to just reject the nss requests it receives, which then causes glibc to
+      # fallback to trying to handle the request by itself. Which won't work as glibc
+      # is not aware of the path in which the nss modules live.  As a workaround, we
+      # have `enable-cache yes` with an explicit ttl of 0
+      server-user             nscd
+
+      enable-cache            passwd          yes
+      positive-time-to-live   passwd          0
+      negative-time-to-live   passwd          0
+      shared                  passwd          yes
+
+      enable-cache            group           yes
+      positive-time-to-live   group           0
+      negative-time-to-live   group           0
+      shared                  group           yes
+
+      enable-cache            netgroup        yes
+      positive-time-to-live   netgroup        0
+      negative-time-to-live   netgroup        0
+      shared                  netgroup        yes
+
+      enable-cache            hosts           yes
+      positive-time-to-live   hosts           3600 # Invidious spams DNS queries to PubSubHubBub
+      negative-time-to-live   hosts           0
+      shared                  hosts           yes
+
+      enable-cache            services        yes
+      positive-time-to-live   services        0
+      negative-time-to-live   services        0
+      shared                  services        yes
+    '';
+  };
+
   services.tailscale = {
     enable = true;
     useRoutingFeatures = "both";
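Review bot: The `positive-time-to-live hosts 3600` line makes nscd serve a cached host answer for an hour regardless of the upstream record's own TTL, so a DNS change (failover, re-pointing a service, a rotated endpoint) is not seen by anything on this host for up to an hour; only the negative cache is set to 0, and the cache is `shared`, so the stale answer is handed to every process. If the goal is just to damp Invidious' lookups, a local resolver that honours upstream TTLs (systemd-resolved, unbound) is the safer tool, or at least a TTL much shorter than 3600. As far as I recall `services.nscd.config` is only consulted when `services.nscd.enableNsncd` is off (it has defaulted to nsncd, which does no caching, in recent NixOS), so this block may be inert — worth confirming on the deployed system with `nscd -g` or by checking which binary the unit runs. Since every line except the TTL appears to be the nixpkgs default nscd.conf, a one-line comment at the top of `config` such as `# copy of the nixpkgs default nscd.conf; only the hosts positive TTL differs` would make the actual change reviewable.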
@@ -136,6 +160,7 @@ in
   networking.firewall.allowedTCPPorts = [ 80 443 ];
   modules = {
     persistence.directories = [
+      "/var/lib/nixos"
       "/var/lib/tailscale"
       "/var/lib/nixos-containers"
     ];
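Review bot: The new `"/var/lib/nixos"` entry carries no explanation, and it is the one directory in this list whose loss has a security effect: it holds the uid/gid maps NixOS uses for dynamically allocated users and groups, so on an ephemeral root without it those IDs can be reassigned on reboot and files in the other persisted directories end up owned by a different service. Suggest `# uid/gid allocation maps; keeps ownership of the persisted state below stable across reboots` above the line. Whether the persistence module mounts this before user creation runs is presumably handled by the module itself, which is outside this hunk — verify rather than assume.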
@@ -143,6 +168,7 @@ in
     persistence = {
       enable = true;
       storagePath = "/persist";
+      setupSshHostKeys = true;
     };
 
     # NOTE: This module only populates route entries,
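Review bot: `setupSshHostKeys = true;` replaces the commented-out `services.openssh.hostKeys` list that the earlier hunk removes, but unlike that block it says nothing about which key types are persisted, where under `storagePath` they live, or that they must be in place before sshd starts so the host identity does not change on reboot (a changed host key is exactly what a client cannot distinguish from an impersonation). A short comment pointing to the module, e.g. `# persists the sshd host keys under storagePath so the host identity survives reboots`, would preserve what the deleted comment documented. The `modules = {` attribute set starts and ends outside this hunk.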
@@ -285,29 +311,6 @@ in
     };
   };
 
-  services.changedetection-io = {
-    enable = true;
-
-    listenAddress = "localhost";
-    port = 4901;
-
-    baseURL = "https://change.labs.kusanari.network";
-    behindProxy = true;
-    webDriverSupport = true;
-  };
-
-  services.nginx.virtualHosts."change.labs.kusanari.network".locations."/" = {
-    proxyWebsockets = true;
-    extraConfig = ''
-      proxy_redirect off;
-      proxy_set_header Host $host;
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-      proxy_set_header X-Forwarded-Proto $scheme;
-      proxy_set_header Referer "https://change.labs.kusanari.network";
-    '';
-  };
-
   containers.v-interlink = {
     autoStart = true;
     enableTun = true;
diff --git a/nixos/kanata/secrets/secrets.yaml b/nixos/kanata/secrets/secrets.yaml
index a32a80f..daaa60e 100644
--- a/nixos/kanata/secrets/secrets.yaml
+++ b/nixos/kanata/secrets/secrets.yaml
@@ -9,7 +9,7 @@ nitter-account-jsonl: ENC[AES256_GCM,data:a7nSbFcG+E5xXnY4moLAu1ULujjZ8czGGLQNqa
 acme-credentials: ENC[AES256_GCM,data:6SIuFH3sRcz/Z855br7VgFKEEA1crztKmhVd3chK7ERJpfG9pTxxX0mAxG3aK5OhXwZpDMp0YkxtEphdkb5m0ZU=,iv:bUMtK0SvtrNwlhuY1k0dNVIOcJgM1OLjmbl+X+Zj01E=,tag:x6kdGrSsImZlpHrPnEAmXA==,type:str]
 invidious-hmac: ENC[AES256_GCM,data:uIw4aQm6oYd5heSxrJnt6Nvc+fTPLMSEDtDyZ/ayogl6qx/gPg==,iv:8AVzwO9peE0UC70nLxBxHKzTcitrzvBvy120fdQD1+c=,tag:rr7MOqgOFFxXN8W+9MKvLg==,type:str]
 #ENC[AES256_GCM,data:c0B2RqGRFmyxyz93TCWL5wMTYiFmnvWU9aQwZszQ137fhL7bQdENPLWQkoiWyW6o3GXTyuL2bni1VnO4eD5idWzt7dw=,iv:147La8vNPRLMnK992cQD1NmQgbDrDBLwSPEX4haeIS4=,tag:hmGGslH4O9dlTSoDTWIdIg==,type:comment]
-interlink-wg-config: ENC[AES256_GCM,data:zT0yr7O4JhpmnI5++cK7aJEKkLM9rxcWGyvwJ7Q4ZR6wWLe0LnNIzEpjjMAvh/If4NYOU8qpVOUgxaREij3hIhJ1QzyAb/nF80msZWDmmMvtVLZmC1wNw+p88UKrPwRBbLIwVbwCyWJtIdnZTHzscktfSY+mC/mB8fESh8XpRXH7YW/W1+nyrSQCmJ3LGopHBukqJstLunu7qW34xZ5k37/TKToyqW4JLUxamrPsBycR1ZnfTvIHluOvXhQLOleBEJN+GyduRqPV7tAajbMZAlyZa5Y6mGVA0kcba3GpuiV4uQjFJcSiYLa2JztWSbsWFJBl1YPXdsWzWOrQ,iv:iiye6Zb2OlctZFFuRbJ7RiXW0k400/DmWDlh5SXgp+Q=,tag:qa3BedClEOaSyst+xjPe4Q==,type:str]
+interlink-wg-config: ENC[AES256_GCM,data:vao5c0rUCjjd+c2bqqpk7VQZ28yWmAEpBp9sXyh1IRE2MeoWNj0m+e4EbqmEFVKfRbOFgkj5Ek5dAKs7UEb2NMxNYh+s/3cDj8i0cls7fRyb02ctMEVQN2hgArOwG4MdFHPn8BDhyChnAo+FkSS7q8p3AOLehB2jrQg+tzY31l3d01Cfcqswh1wJ8p4eSevvmx5PwNeH7fh35HOh5qzcJFrHkr+eUnKWXyF3zKiKAf/KM5cfz/3WVg4omRjrQCWRHjXrCHh53a7QGlYy1V4KFjzJGriywicGsbvLrnR5Fr2AZCK781NWO/Vxf2PiFzsLHpJ4wTmfkUKNrWDu,iv:iJNc+HrCKs6fUtMkSZ8HZJQE0+GXzxZBIAWFO13DseY=,tag:wUww5nKO+h21HAor+UUIAg==,type:str]
 proton-private-key: ENC[AES256_GCM,data:OnZGYf/203XOLXyDRIqrRKwLe0cN2c0RF+CkwwNtttP+ACD3AJCY0rNgKoc=,iv:IWFF95Z3r+OuSu+GfJWJjwRv5b9KZSKGMuxSnkRGqlg=,tag:QvDBvSzzGxwawhaio47MEQ==,type:str]
 attic-credentials: ENC[AES256_GCM,data:S25D1E4kTp2Nre1uu1WWVV1jrEpQtPz5+5XQ/W0pr0CF5pFm0UEyGn2XdJKQzyM5CYSCo581JeJNMtTKIwEKm8lYY9X5e8Jgwe2o5f5YRwmHSfvK1UAJoUdM7Q0FaAcVTU3bNis1dClqDvB0QbNjF1xsYCKCgZRe8TSenmJgPjA=,iv:m+UzkoVsEfUtKIYaGZIej4efhVuWN4EKCqMamlQwWaI=,tag:vBPq0JkRDbKmyw9qLbh1gg==,type:str]
 transmission-extra-config: ENC[AES256_GCM,data:lyZ8Nkjp0Mjm4HFDqRN1G6iyBksHT6dKKQDSO8Br1DpXxKLDBclQ4L2F1FqQJ3OB/7o4EqWFX8J1ZjVYDCQkQnhr6v13glvFciICQ99hPsypUS349936vDCgEF/WP0RAHOsaRq81JnMDegZvEg==,iv:bfN2oEfQ3uk4i6hwHp2ZdYCf3l7Kb0EoXSEGyOSB8CM=,tag:fZkMayEJiXzifTCiVLJq6w==,type:str]
@@ -38,8 +38,8 @@ sops:
             YkRGS2ZBbm1keWpUQUFOWDRtTWZVa0EKc+lKEP0L/yoFLx6p1zbWfifPWc7Y9Qqh
             qccODSyHqzwdriHLxXuw9SCnF+SeA721te6+pDVhJj8vqv2UqHiATw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-04-05T15:01:25Z"
-    mac: ENC[AES256_GCM,data:ndnsAuHSyQSGx0G2YzECaZhGDvVbbXDbSWLdh1r2Vy6beVeX/e6JP7AxnIRfhipKfJLlhOA1rtbCOiwpq4FubozXDJOviI0oLZWU4ZDSCgWHKsUVoMdC3gqw87Qhts77PfDqdYVgglAr2/n6AzhY8NVkjuMWu4iDiD9yfb+bJ5o=,iv:J32wZYk6yiEgJBWrs6QTjM/EY6XqRfu/BkhiP9PxAWQ=,tag:eL3mcerITq55qYlxF5JhEw==,type:str]
+    lastmodified: "2024-06-24T14:39:04Z"
+    mac: ENC[AES256_GCM,data:Gnx4wfiDqSvuYt2eOzAJhvL/t5lItsPajTykw1mONpCbdv03j/7bccyayvDajXQiD110fDN+gDDkux7IVWC1Zv/Gj2M3+qRq6OHCeDxtHwLW2KVdCoine2BxKN0RuIwkyJ9xNE6GQ1P7CaIjYrT2ilztjfZvIzydAZPsxCRV3Sg=,iv:w/XrddHvz1mi+SuyWavryk9duZMQay5ICd33ZTZynIg=,tag:TV7ekS5S01MoIpr8WGczrA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1