Diffstat (limited to 'nixos')
-rw-r--r--nixos/kanata/configuration.nix138
-rw-r--r--nixos/kanata/secrets/secrets.yaml8
2 files changed, 122 insertions, 24 deletions
diff --git a/nixos/kanata/configuration.nix b/nixos/kanata/configuration.nix
index e19ee25..357c0bd 100644
--- a/nixos/kanata/configuration.nix
+++ b/nixos/kanata/configuration.nix
@@ -3,6 +3,8 @@
 let
   sefidelKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILN14b5Fu+StHeMXq4ClyLG4G+/vCAfS7adxceEFria/ openpgp:0x1D5BCD11" ];
   maintainerKeys = [ ] ++ sefidelKeys;
+
+  poorObfuscation = y: x: "${x}@${y}";
 in
 {
   imports = [ ];
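Review bot: `poorObfuscation` only keeps the literal address out of the repository text; at evaluation it is a plain string concatenation, so the full address is written verbatim into the world-readable Nix store and, presumably, sent as-is in the ACME account registration. That is acceptable if the goal is just to defeat grep-style scrapers of the git history, but the helper should say so, otherwise a later reader may assume it provides protection on the host: `# eval-time concat: hides the address from repo scrapers only; the plain value still lands in /nix/store`. The `let` block this sits in closes at L21, so no other definitions are affected.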
@@ -68,27 +70,21 @@ in
   services.openssh.enable = true;
   users.users.root.openssh.authorizedKeys.keys = maintainerKeys;
 
-  fileSystems."/persist".neededForBoot = true;
-
-  services.openssh.hostKeys = [
-    {
-      path = "/persist/ssh/ssh_host_ed25519_key";
-      type = "ed25519";
-    }
-    {
-      path = "/persist/ssh/ssh_host_rsa_key";
-      type = "rsa";
-      bits = 4096;
-    }
-  ];
-
-  services.tailscale = {
-    enable = true;
-    useRoutingFeatures = "both";
-    openFirewall = true;
-  };
-
-  environment.persistence."/persist".directories = [ "/var/lib/tailscale" ];
+  # NOTE: managed by modules.persistence
+  # TODO: remove?
+  # fileSystems."/persist".neededForBoot = true;
+  #
+  # services.openssh.hostKeys = [
+  #   {
+  #     path = "/persist/ssh/ssh_host_ed25519_key";
+  #     type = "ed25519";
+  #   }
+  #   {
+  #     path = "/persist/ssh/ssh_host_rsa_key";
+  #     type = "rsa";
+  #     bits = 4096;
+  #   }
+  # ];
 
   sops.defaultSopsFile = ./secrets/secrets.yaml;
 
@@ -96,6 +92,10 @@ in
 
   sops.secrets.zfs-smol-key = { };
   sops.secrets.nextcloud-admin-pass = { owner = "nextcloud"; };
+  sops.secrets.acme-credentials = { owner = "acme"; };
+  sops.secrets.grafana-admin-pass = { owner = "grafana"; };
+  sops.secrets.cf-kusanari-kanata-credentials = { owner = "cloudflared"; };
+  sops.secrets.nitter-account-jsonl = { };
 
   boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
   boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
@@ -110,13 +110,107 @@ in
     enableIPv6 = true;
   };
 
+  services.tailscale = {
+    enable = true;
+    useRoutingFeatures = "both";
+    openFirewall = true;
+  };
+
+  services.nginx.enable = true;
+  services.cloudflared = {
+    enable = true;
+
+    tunnels."bf6dcc14-d315-41c7-b798-3fe0e0e968eb" = {
+      default = "http_status:404";
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
   modules = {
+    persistence.directories = [ "/var/lib/tailscale" ];
+
+    persistence = {
+      enable = true;
+      storagePath = "/persist";
+    };
+
+    # NOTE: This module only populates route entries,
+    # each service needs to be enabled individually.
+    expose = {
+      enable = true;
+
+      routes = {
+        "dns.kusanari.network" = "http://localhost:4000";
+        "metrics.kusanari.network" = "http://localhost:4001";
+        "nitter.kusanari.network" = "http://localhost:4002";
+
+        # Nginx pre-configured routes
+        # NOTE: Routes with port 80 or 443 will NOT create corresponding nginx virtualHosts.
+        "nextcloud.kusanari.network" = "http://localhost:80";
+      };
+
+      ssl = {
+        enable = true;
+        acmeHost = "kusanari.network";
+      };
+
+      tailscaleIp = "100.93.1.1";
+      # kusanari-kanata @ core
+      cloudflareUUID = "bf6dcc14-d315-41c7-b798-3fe0e0e968eb";
+      secrets.cloudflare-credentials = config.sops.secrets.cf-kusanari-kanata-credentials.path;
+    };
+
+    services.nginx.enable = true;
+
+    services.acme = {
+      enable = true;
+      email = poorObfuscation "sefidel.net" "postmaster";
+
+      certs = {
+        "kusanari.network" = {
+          subDomains = [
+            "nitter"
+            "nextcloud"
+            "jellyfin"
+            "dns"
+            "metrics"
+          ];
+        };
+      };
+
+      secrets.acme-credentials = config.sops.secrets.acme-credentials.path;
+    };
+
+    services.metrics = {
+      enable = true;
+      realHost = "metrics.kusanari.network";
+      secrets.adminPassword = config.sops.secrets.grafana-admin-pass.path;
+    };
+
     services.blocky.enable = true;
 
-    services.nextcloud = {
+    services.nextcloud = rec {
       enable = true;
+
+      ssl = {
+        enable = true;
+        acmeHost = domain;
+      };
+
+      domain = "kusanari.network";
+      realHost = "nextcloud.kusanari.network";
       secrets.admin-pass = config.sops.secrets.nextcloud-admin-pass.path;
     };
+
+    services.nitter = {
+      enable = true;
+
+      title = "Kusanari Nitter";
+
+      domain = "kusanari.network";
+      realHost = "nitter.kusanari.network";
+      secrets.nitter-guest-accounts = config.sops.secrets.nitter-account-jsonl.path;
+    };
   };
 
   # This option defines the first version of NixOS you have installed on this particular machine,
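Review bot: `networking.firewall.allowedTCPPorts = [ 80 443 ];` opens nginx on every interface, while the rest of the hunk routes ingress through the cloudflared tunnel (`default = "http_status:404"`, `modules.expose.cloudflareUUID`) and Tailscale (`tailscaleIp = "100.93.1.1"`). With the WAN ports open, the tunnel's 404 catch-all and any Cloudflare-side access rules are bypassed by connecting to the host's public address directly, and the `dns`, `metrics` and `nitter` vhosts become reachable without Cloudflare in front. If the open ports are only there for HTTP-01 validation, note that the `acme-credentials` secret suggests a DNS-01 provider, so they are likely not needed at all; otherwise scope them to the overlay: `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 80 443 ];`. The `modules.*` options are a local module whose semantics are not visible here, so confirm `expose` does not already bind the nginx listeners to loopback or the Tailscale address only.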
diff --git a/nixos/kanata/secrets/secrets.yaml b/nixos/kanata/secrets/secrets.yaml
index 91a3595..c24ab8f 100644
--- a/nixos/kanata/secrets/secrets.yaml
+++ b/nixos/kanata/secrets/secrets.yaml
@@ -3,6 +3,10 @@ initrd-ssh-host-ed25519-key: ENC[AES256_GCM,data:eD8UZZ6FnqT5tP+y1xDrtjKjl/DQLXE
 initrd-ts-state: ENC[AES256_GCM,data:8xftKiXfuaWB4XxvP9LBAmFTbX1VbGJix6SqkIbDliUzaiJwO9lrhYMTs2J4tGi4r56skPH1u8GUcUPZx90akXJbvZK+FMwNDxOBFr5nvXDTkkw2G/raBskwGFEpQbcQ6j+pCeh2pUq7EHw8JDSvj27uCrpau6MkjrO2ni/Eefce7EKBxwrFUc4x/Y2VymF48ovcBQsiYeeG7mbHLV1kBHvyqLkPVDX/Y+vkKACADi5QC5/Kg0ZVjXNqCHNDdjv0beOsq6hL7V7msfAfiNPceK8Yc6iyp1hlqyDPWZav5X8sYgD5mV7/G6304Am2435tyI/KQq6XHsd+JGUj/s8hHDfDZ6uz2iNgbDKxxWaOdvODrnqNQ+nNne5TIc1flZvXjEFNBkrMWAgos3J1Tx7jZmJfej51P0k9wQK3QMl9ADQnmn6GvvYrFCboaHO9SYeP+R09K0Tg29BEqvvJcc4MIrEzDyg28mxWAzVp96QfU2Qe4tRpC4yTJlFuXGeY1EWQB9qmGzzYZ2Jn1p+UXPJsrdiIsKkpeFS5fXQF5++UTC24XheXE6OZjYY94u2UpTM2lhLk3CWUe1KdHWYtpxRv6PEcl2QA1KhdvK/0ZvzQ9ercqjkjmOCKkThnI2pJDvU0FA5rjlRc1146AbI2LBklgqsPsesEoKSGaBEITGiHa2uwUlPNu/lesyl9+jPWEo62oT7na/WaYUJZPmAk5XL4BtZDHHfyssy7USoC7nKjc5ij9Y7ZMrmiHXQZiAS9XxvF1jmxhCIEYLBu3+tOaJW3BMDAWDmvQcAl4lQvTwprr7mO3+D3wyXFo7bYkALptA76LfUuzIrO5G8y4ijdcJYEYHw6wmGdvrmMZkzd5Wdu9I9CjSBodxbGQaxKBShfO1uwvCiKqqVPvn9hz59awUVuuPbo2Ev8xN27F5ntemZ1kdfStUVecLskVfm7lpWxLMqU9FWVGhZXTh5TRINNjKiRZin8lTZiIuZK2GwDnTO+XDhdCrcTVBrOl/oCpw7Ym+p4LYjeFhjNeroAm0j8PiYh471LOF6MrYtxb5YRdbp+z5VNWaWf6Lg7ZtDmZtBniyFHaa8iVLFjUUDRa3OhX+hNJ0P+mU1YPmAKjjqWBd0FSPLrnv0P3sizoC8ba0qqREzpcCMRAWHvK3VRfwRNklXxGzP8Az66ZayT4u5XPXLxCYZTa9xMsn72Kypz2HV7jAgvG9rN31pUHGCU8YurRWnK8sqQ5yNoNaWBsL2ypM/f9HfisacLMUazitgfFgP9agAdssSBdtp8BB6MMISq42RjPNCpeMth78egUbHOfqXkYjDs0FwjaIctKvq9myjHfqklZyiV6dh0gJKwoSRIXn+aGgr2/H2ltejT87Zj7IXOk7VD0N8rMcLJgiwFmjj3X1ecI8gJGwNLYRczH82NGWdYGAmCYiJ87kv7PBK++iRM22vK8diIjCepjj+FQgTHLy6Ig5UQ92PPsdLp8EQVtsVKBSHhVtX0sOsnIEnHUARsmLbkNQqA2nWNQB6XvwBPUOR+EhkL1sgeGf1Jq9ncDKbs7ZmbpQ0I5QH1C87m/KltOkinnIoktBQQdTvtoUL7EIdue+SeCwcAIuTdSHRvcUfn1AJtt6jdM0/B3PS23NXHRBe/3J2ejiXn5r2udQ1uE/u2eAfQjegJtx2ynxMOSyILeX8xqjtbhotO7f8R9A8pVaGKmFaMmz0vZtvKNaEKyWPM5YoQPGHq8v1e1WGsr4QmTD9tbnbxclq8CN82VPhPtwZFfhikwbuvdYIAd5tSIR40qW/3Zw3QmyE2Wp9sWwfauTr0K4qz1yj7W6/SiQFRO7RYCsOoTMQ3qTN/Uww2rY0xs9cTK/8h7Q590F65HEsE4V9DdrQ9hU127O3anWNhPXrJM7LTMYOwjW1x/jJSeU8y/SFOCrCz7zv3myIABJulGa1HYQn9y0sho6EFBECD5t
6eYeCqWNgqREQaJs4PpyCCv49DThjim4DmkI+nf1CyZnJ1BED6555tFCEg3Rfzq86Z7PPtJ91bFpnYUWtPWOlKZbvun+TdqCFmWELRyVU7GA09mqefWqZYGtWoKX0HeHzj5np3q3G8ij7e159LU9uh3hvahth5yV8Xk3N7/hvefVUxQLkW2GbhOsNJX76q+2Fw8HicBN+z587ZhZzOx8kmqk1ZQqFnjG9wYpkxjz7gRk+gCyj+DNYZpBhUsUmz0f9JCfGJACyKYe/SaXHtE2Det2SQ/b3f4txe/DlHzsLmiSCU4GHrORw9jQFVrBPOISDKJyAh3VA7P50R+0m1bD6XVU048s7pjFg/rMsOy7JW3yyJVFQqGRyPC/yfNLeON7wX2wxYzk0RV/U+65Y5YnmxvIPP8i41cO2bJ3sZYgCVTK+uNfIL5+LWx9jvzN5EW9lHT4So5ny5ylpgW0CQBneYmFIIwuNY+539XgDhGEPIMk3yx4b/pCF532+q40EOtzCdsahAf8u7y5YAnfLYnlrdcXjnVbVFxh/r91BcbEN5ulOHGey1KYAXozh+8FFsD2LjNGWatb+b62HGgh6UcdmrIPHVu0jM+TDAC7rgaUHmRMpTUz5YgITKNA/sCtikpIEuSAKgpcUvhoHujBwe92LFE/0MI3vGLD7YhrEAF01lxwn5dbbuDkgq+WTBeYmrX784m5FiOD4FJiN6fc4oH9x6MWW/TTHmRW22WnMqirX5l/Pr6o6eEHmTYVoWP0wBiXCqjzYgMSvkym83J+6WZKPhbg4YqIj6xTsiXJIsTDW7tF2wEkgdGSK3YzryQb1CR98nyGYQr+01yArmhNPPxRY0Ozc50sBBvkjZAcc1Jr9Coj/xwPDa/onr/vg5seT4DzIQCDRm2dAWOGiugzYMpWn2AW08CsfNCYSaNrsMKbAVGB2syBdMHAxyEQUeOWkmttYJBvj+YDGYWZIZ6lXXidPPM6GI4rvKZ9I3fnFjxUkAgg5BrIYS7PYjzyFcAOGQ7Kc4a7nopi3LXLlkKMe6ubzgDcZt59YtFcUuZQ+67g3wDG32KCX97aapc7V1kkj5gplPFFzl9L7ONLyPzbJMkGYa6rfceeVjb6yPDQ4vGspJMY/oeEOfUhKeV9aoJvq8yU6Zu8K1hDcmcZ3sKswMB9DdTA00clq4Ay1HEQSNY8qjl2hHRzRMABCxWSPmDSv0vsx2pOZOBJoXuOF7Mxl4tGODhnckgP1phBebSwLbpOGoyY397t1NFNhVYXKgP7gx+B7iOgXlsEQsUnfs8XsFiOtiZyBGReGZzk7D4vg9EHRB7v1VlrX8SqUcBSYcPhBHWvqi5DUt+RBOJTdMnJiTWMQRO4AcxjTuiJF9gcg9oxVrg/ic7Vni4mu/xafGY9r5A+02P7B7tD3x,iv:sGA4zACuGYJ3P/auaHXOttP8TGyVgf++Ppk6jiekUbw=,tag:/+XtiRJIjTA7MM5sYdPlSg==,type:str]
 zfs-smol-key: ENC[AES256_GCM,data:M6JUsFoAvt2nqI/9bVq0slhrcQE8sGgC3s0x,iv:hZK99Veh+oMhxxA9BbBe7OBisjhF00baAb1JQ7yfMaA=,tag:30GjpPzIpgw5htoK1BcmUg==,type:str]
 nextcloud-admin-pass: ENC[AES256_GCM,data:Lvk/j/3fissx6Kyccp9q2gi7ahbd+pR7jFXnx5OL0JRG,iv:Y0GI/z4pFW98Ll6xpuENr+fTrm7JoE9KadDKx2O4WLI=,tag:ofln+SgrhJm8BpKnVSngoQ==,type:str]
+grafana-admin-pass: ENC[AES256_GCM,data:waHiV4NyatwQrvRkws8FQut49/ryh9srNSshUbvm,iv:XvU06AqljDsUk9smAak/4OCursX6U/SckPc92AkSTWk=,tag:xBcELmTUUs0mzOY+oiqidA==,type:str]
+cf-kusanari-kanata-credentials: ENC[AES256_GCM,data:whwnxMT9JS3iDHbGTk2FoeDBiug26JoRWlyA3sOij861PVJZBEvQJubXD2E5hSwJhyoMIUpb8wgnvB/6GhznouwWfsNh7I39wcaxvHArTNkW+LXrAu8m7ra5dtSUHhPUQifLNYB/TsKHsB+TMhc5IMD6hAHs4uraZHmF1cej8PufTDKDLHjwVwDDJSP1ujQaUrRUvp4NUc8ImVCwnG0PYCVv,iv:umi4Yj11E6+BriksGLzvm+YW7NuARmRtvHz2cixILQA=,tag:+LQs2veOW0CmSKCUNtd9KA==,type:str]
+nitter-account-jsonl: ENC[AES256_GCM,data:a7nSbFcG+E5xXnY4moLAu1ULujjZ8czGGLQNqaLZtFISG5Fc/0mMwRxKdArp9pwdUrteSUWzoKlkeTfsHsoS4TmPMuna/nLKSjBV1bvPdOuBEIi6IP9o6zb9izUvcwTAcMiWPjeRYNyLy5p9tvdIQ0MmRmd5UW9WUILLs7r5dmIK/ssNgYf89jJsdhBRpzOmjOtBbzn2uTA6+3s7ldswSWhAP94654Hrbg1IKxvefAgAqm+/2aNvY1Jxh71bNlWH+/WNBtH7pC24NeNWjiNHKzGhix2UecmcQ5/CEo8DBa6mg4gpe9i+VxzHhl3NJoFrfuicFT2ebTEjv8p7ZXLF3ZRgscXXb9YJ5CjmVILiUh/yYqM2jzSLbGHKIetlNFlmNkAYXN3j+A4w4Jiu4lVA3jwFPVxk92pSHi7hhib5gP3P20Zfbr89zk9tGIBQVDWo4p1LrwumH6aCq+XaIPAHOspFheIteZUJ1q0V2vylrBfkrj+ISDQ94aWgSKC74dynGL4joH4DJ2g6xSh26FMNlvBR7Mwg1PpfmJKx0I3iROoEc3RCPdxaoPiJNL7gpRlHV2a5H+ZCgpuWxcQ=,iv:joZcbUidniBqGu9Lkg6wd+mBdmgU/inbPEOlXewU5U4=,tag:y8Uv4zxuTAsTKB+OB4S6Xw==,type:str]
+acme-credentials: ENC[AES256_GCM,data:6SIuFH3sRcz/Z855br7VgFKEEA1crztKmhVd3chK7ERJpfG9pTxxX0mAxG3aK5OhXwZpDMp0YkxtEphdkb5m0ZU=,iv:bUMtK0SvtrNwlhuY1k0dNVIOcJgM1OLjmbl+X+Zj01E=,tag:x6kdGrSsImZlpHrPnEAmXA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -27,8 +31,8 @@ sops:
             YkRGS2ZBbm1keWpUQUFOWDRtTWZVa0EKc+lKEP0L/yoFLx6p1zbWfifPWc7Y9Qqh
             qccODSyHqzwdriHLxXuw9SCnF+SeA721te6+pDVhJj8vqv2UqHiATw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-01-24T12:28:05Z"
-    mac: ENC[AES256_GCM,data:1rW3YkvwbHiupjT62XxQwLEEGo1dMJkSbFUOaLqMXaVxmCebMWkQLWh72xr+VPF4MVU8vgz9GVmZap2uQ3/y+xkkrshaUIvDM2iznTrAIKyK8I5jSvZYqz9zxRBd8SGrPvZXzwCziDAEgfiAO7Yz5N5Z7KopEREN0XmtjDb4uMk=,iv:EVRCIeyQI8Lz+wkB42nz++Z2AkONs6pd9gylCdogUOc=,tag:YhCLF0/mYKxuO6SoQlmoGw==,type:str]
+    lastmodified: "2024-02-02T18:48:14Z"
+    mac: ENC[AES256_GCM,data:YOxc3pObGAcGy4tenuxsOTLr8uKMud/z/MarbTTZFv2VKT0DQPOdMVMWL52Ho4B2JcmAPzDjKhtOyLQi9VTA3NAEJyuroqsQri9G2atd8KluCv6puKO+ZjYyDvYlgErCfpAdhUs3xU53HEKKqicqMGc/qg2h+LEdYE4ECW+1/Mk=,iv:B0PcNaedmI+AoQu6nR5TpHi7BjLV3XP5ZLpEERMqw3k=,tag:Dpr7fbK7w6sbMCb8uK9LWA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1