From f637236c51b03c91d77997b898b0fa5e605020d2 Mon Sep 17 00:00:00 2001 From: sefidel Date: Sat, 3 Feb 2024 04:19:48 +0900 Subject: feat(nixos/kanata): switch to new modules --- modules/services/blocky/default.nix | 26 +------ nixos/kanata/configuration.nix | 138 ++++++++++++++++++++++++++++++------ nixos/kanata/secrets/secrets.yaml | 8 ++- 3 files changed, 123 insertions(+), 49 deletions(-) diff --git a/modules/services/blocky/default.nix b/modules/services/blocky/default.nix index 5afa4a8..81c517e 100644 --- a/modules/services/blocky/default.nix +++ b/modules/services/blocky/default.nix @@ -32,11 +32,6 @@ in ips = [ "9.9.9.9" "149.112.112.112" ]; }; - customDNS.mapping = { - "metrics.internal" = "100.93.1.1"; # kanata - "nextcloud.internal" = "100.93.1.1"; # kanata - }; - caching = { minTime = "0m"; maxTime = "12h"; @@ -68,8 +63,6 @@ in services.prometheus = { enable = true; - listenAddress = "127.0.0.1"; - port = 9000; globalConfig.scrape_interval = "15s"; globalConfig.evaluation_interval = "15s"; scrapeConfigs = [{ @@ -79,14 +72,7 @@ in }; services.grafana = { - enable = true; settings = { - analytics.reporting_enabled = false; - server = { - domain = "127.0.0.1:3000"; - http_addr = "127.0.0.1"; - enable_gzip = true; - }; # Required for blocky panel panels.disable_sanitize_html = true; }; @@ -99,7 +85,7 @@ in access = "proxy"; orgId = 1; uid = "5Z0Y8D3GXAMDODSF"; - url = "http://127.0.0.1:9000"; + url = "http://127.0.0.1:${toString config.services.prometheus.port}"; isDefault = true; jsonData = { graphiteVersion = "1.1"; @@ -116,16 +102,6 @@ in }; }; - services.nginx.virtualHosts."metrics.internal" = { - locations."/" = { - proxyPass = "http://localhost:3000"; - proxyWebsockets = true; - extraConfig = '' - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - ''; - }; - }; - environment.etc."grafana-dashboards/blocky_rev3.json" = { source = ./grafana_blocky_rev3.json; group = "grafana"; diff --git a/nixos/kanata/configuration.nix b/nixos/kanata/configuration.nix index e19ee25..357c0bd 100644 --- a/nixos/kanata/configuration.nix +++ b/nixos/kanata/configuration.nix @@ -3,6 +3,8 @@ let sefidelKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILN14b5Fu+StHeMXq4ClyLG4G+/vCAfS7adxceEFria/ openpgp:0x1D5BCD11" ]; maintainerKeys = [ ] ++ sefidelKeys; + + poorObfuscation = y: x: "${x}@${y}"; in { imports = [ ]; @@ -68,27 +70,21 @@ in services.openssh.enable = true; users.users.root.openssh.authorizedKeys.keys = maintainerKeys; - fileSystems."/persist".neededForBoot = true; - - services.openssh.hostKeys = [ - { - path = "/persist/ssh/ssh_host_ed25519_key"; - type = "ed25519"; - } - { - path = "/persist/ssh/ssh_host_rsa_key"; - type = "rsa"; - bits = 4096; - } - ]; - - services.tailscale = { - enable = true; - useRoutingFeatures = "both"; - openFirewall = true; - }; - - environment.persistence."/persist".directories = [ "/var/lib/tailscale" ]; + # NOTE: managed by modules.persistence + # TODO: remove? + # fileSystems."/persist".neededForBoot = true; + # + # services.openssh.hostKeys = [ + # { + # path = "/persist/ssh/ssh_host_ed25519_key"; + # type = "ed25519"; + # } + # { + # path = "/persist/ssh/ssh_host_rsa_key"; + # type = "rsa"; + # bits = 4096; + # } + # ]; sops.defaultSopsFile = ./secrets/secrets.yaml; @@ -96,6 +92,10 @@ in sops.secrets.zfs-smol-key = { }; sops.secrets.nextcloud-admin-pass = { owner = "nextcloud"; }; + sops.secrets.acme-credentials = { owner = "acme"; }; + sops.secrets.grafana-admin-pass = { owner = "grafana"; }; + sops.secrets.cf-kusanari-kanata-credentials = { owner = "cloudflared"; }; + sops.secrets.nitter-account-jsonl = { }; boot.kernel.sysctl."net.ipv4.ip_forward" = 1; boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1; @@ -110,13 +110,107 @@ in enableIPv6 = true; }; + services.tailscale = { + enable = true; + useRoutingFeatures = "both"; + openFirewall = true; + }; + + services.nginx.enable = true; + services.cloudflared = { + enable = true; + + tunnels."bf6dcc14-d315-41c7-b798-3fe0e0e968eb" = { + default = "http_status:404"; + }; + }; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; modules = { + persistence.directories = [ "/var/lib/tailscale" ]; + + persistence = { + enable = true; + storagePath = "/persist"; + }; + + # NOTE: This module only populates route entries, + # each service needs to be enabled individually. + expose = { + enable = true; + + routes = { + "dns.kusanari.network" = "http://localhost:4000"; + "metrics.kusanari.network" = "http://localhost:4001"; + "nitter.kusanari.network" = "http://localhost:4002"; + + # Nginx pre-configured routes + # NOTE: Routes with port 80 or 443 will NOT create corresponding nginx virtualHosts. + "nextcloud.kusanari.network" = "http://localhost:80"; + }; + + ssl = { + enable = true; + acmeHost = "kusanari.network"; + }; + + tailscaleIp = "100.93.1.1"; + # kusanari-kanata @ core + cloudflareUUID = "bf6dcc14-d315-41c7-b798-3fe0e0e968eb"; + secrets.cloudflare-credentials = config.sops.secrets.cf-kusanari-kanata-credentials.path; + }; + + services.nginx.enable = true; + + services.acme = { + enable = true; + email = poorObfuscation "sefidel.net" "postmaster"; + + certs = { + "kusanari.network" = { + subDomains = [ + "nitter" + "nextcloud" + "jellyfin" + "dns" + "metrics" + ]; + }; + }; + + secrets.acme-credentials = config.sops.secrets.acme-credentials.path; + }; + + services.metrics = { + enable = true; + realHost = "metrics.kusanari.network"; + secrets.adminPassword = config.sops.secrets.grafana-admin-pass.path; + }; + services.blocky.enable = true; - services.nextcloud = { + services.nextcloud = rec { enable = true; + + ssl = { + enable = true; + acmeHost = domain; + }; + + domain = "kusanari.network"; + realHost = "nextcloud.kusanari.network"; secrets.admin-pass = config.sops.secrets.nextcloud-admin-pass.path; }; + + services.nitter = { + enable = true; + + title = "Kusanari Nitter"; + + domain = "kusanari.network"; + realHost = "nitter.kusanari.network"; + secrets.nitter-guest-accounts = config.sops.secrets.nitter-account-jsonl.path; + }; }; # This option defines the first version of NixOS you have installed on this particular machine, diff --git a/nixos/kanata/secrets/secrets.yaml b/nixos/kanata/secrets/secrets.yaml index 91a3595..c24ab8f 100644 --- a/nixos/kanata/secrets/secrets.yaml +++ b/nixos/kanata/secrets/secrets.yaml @@ -3,6 +3,10 @@ initrd-ssh-host-ed25519-key: ENC[AES256_GCM,data:eD8UZZ6FnqT5tP+y1xDrtjKjl/DQLXE initrd-ts-state: ENC[AES256_GCM,data:8xftKiXfuaWB4XxvP9LBAmFTbX1VbGJix6SqkIbDliUzaiJwO9lrhYMTs2J4tGi4r56skPH1u8GUcUPZx90akXJbvZK+FMwNDxOBFr5nvXDTkkw2G/raBskwGFEpQbcQ6j+pCeh2pUq7EHw8JDSvj27uCrpau6MkjrO2ni/Eefce7EKBxwrFUc4x/Y2VymF48ovcBQsiYeeG7mbHLV1kBHvyqLkPVDX/Y+vkKACADi5QC5/Kg0ZVjXNqCHNDdjv0beOsq6hL7V7msfAfiNPceK8Yc6iyp1hlqyDPWZav5X8sYgD5mV7/G6304Am2435tyI/KQq6XHsd+JGUj/s8hHDfDZ6uz2iNgbDKxxWaOdvODrnqNQ+nNne5TIc1flZvXjEFNBkrMWAgos3J1Tx7jZmJfej51P0k9wQK3QMl9ADQnmn6GvvYrFCboaHO9SYeP+R09K0Tg29BEqvvJcc4MIrEzDyg28mxWAzVp96QfU2Qe4tRpC4yTJlFuXGeY1EWQB9qmGzzYZ2Jn1p+UXPJsrdiIsKkpeFS5fXQF5++UTC24XheXE6OZjYY94u2UpTM2lhLk3CWUe1KdHWYtpxRv6PEcl2QA1KhdvK/0ZvzQ9ercqjkjmOCKkThnI2pJDvU0FA5rjlRc1146AbI2LBklgqsPsesEoKSGaBEITGiHa2uwUlPNu/lesyl9+jPWEo62oT7na/WaYUJZPmAk5XL4BtZDHHfyssy7USoC7nKjc5ij9Y7ZMrmiHXQZiAS9XxvF1jmxhCIEYLBu3+tOaJW3BMDAWDmvQcAl4lQvTwprr7mO3+D3wyXFo7bYkALptA76LfUuzIrO5G8y4ijdcJYEYHw6wmGdvrmMZkzd5Wdu9I9CjSBodxbGQaxKBShfO1uwvCiKqqVPvn9hz59awUVuuPbo2Ev8xN27F5ntemZ1kdfStUVecLskVfm7lpWxLMqU9FWVGhZXTh5TRINNjKiRZin8lTZiIuZK2GwDnTO+XDhdCrcTVBrOl/oCpw7Ym+p4LYjeFhjNeroAm0j8PiYh471LOF6MrYtxb5YRdbp+z5VNWaWf6Lg7ZtDmZtBniyFHaa8iVLFjUUDRa3OhX+hNJ0P+mU1YPmAKjjqWBd0FSPLrnv0P3sizoC8ba0qqREzpcCMRAWHvK3VRfwRNklXxGzP8Az66ZayT4u5XPXLxCYZTa9xMsn72Kypz2HV7jAgvG9rN31pUHGCU8YurRWnK8sqQ5yNoNaWBsL2ypM/f9HfisacLMUazitgfFgP9agAdssSBdtp8BB6MMISq42RjPNCpeMth78egUbHOfqXkYjDs0FwjaIctKvq9myjHfqklZyiV6dh0gJKwoSRIXn+aGgr2/H2ltejT87Zj7IXOk7VD0N8rMcLJgiwFmjj3X1ecI8gJGwNLYRczH82NGWdYGAmCYiJ87kv7PBK++iRM22vK8diIjCepjj+FQgTHLy6Ig5UQ92PPsdLp8EQVtsVKBSHhVtX0sOsnIEnHUARsmLbkNQqA2nWNQB6XvwBPUOR+EhkL1sgeGf1Jq9ncDKbs7ZmbpQ0I5QH1C87m/KltOkinnIoktBQQdTvtoUL7EIdue+SeCwcAIuTdSHRvcUfn1AJtt6jdM0/B3PS23NXHRBe/3J2ejiXn5r2udQ1uE/u2eAfQjegJtx2ynxMOSyILeX8xqjtbhotO7f8R9A8pVaGKmFaMmz0vZtvKNaEKyWPM5YoQPGHq8v1e1WGsr4QmTD9tbnbxclq8CN82VPhPtwZFfhikwbuvdYIAd5tSIR40qW/3Zw3QmyE2Wp9sWwfauTr0K4qz1yj7W6/SiQFRO7RYCsOoTMQ3qTN/Uww2rY0xs9cTK/8h7Q590F65HEsE4V9DdrQ9hU127O3anWNhPXrJM7LTMYOwjW1x/jJSeU8y/SFOCrCz7zv3myIABJulGa1HYQn9y0sho6EFBECD5t6eYeCqWNgqREQaJs4PpyCCv49DThjim4DmkI+nf1CyZnJ1BED6555tFCEg3Rfzq86Z7PPtJ91bFpnYUWtPWOlKZbvun+TdqCFmWELRyVU7GA09mqefWqZYGtWoKX0HeHzj5np3q3G8ij7e159LU9uh3hvahth5yV8Xk3N7/hvefVUxQLkW2GbhOsNJX76q+2Fw8HicBN+z587ZhZzOx8kmqk1ZQqFnjG9wYpkxjz7gRk+gCyj+DNYZpBhUsUmz0f9JCfGJACyKYe/SaXHtE2Det2SQ/b3f4txe/DlHzsLmiSCU4GHrORw9jQFVrBPOISDKJyAh3VA7P50R+0m1bD6XVU048s7pjFg/rMsOy7JW3yyJVFQqGRyPC/yfNLeON7wX2wxYzk0RV/U+65Y5YnmxvIPP8i41cO2bJ3sZYgCVTK+uNfIL5+LWx9jvzN5EW9lHT4So5ny5ylpgW0CQBneYmFIIwuNY+539XgDhGEPIMk3yx4b/pCF532+q40EOtzCdsahAf8u7y5YAnfLYnlrdcXjnVbVFxh/r91BcbEN5ulOHGey1KYAXozh+8FFsD2LjNGWatb+b62HGgh6UcdmrIPHVu0jM+TDAC7rgaUHmRMpTUz5YgITKNA/sCtikpIEuSAKgpcUvhoHujBwe92LFE/0MI3vGLD7YhrEAF01lxwn5dbbuDkgq+WTBeYmrX784m5FiOD4FJiN6fc4oH9x6MWW/TTHmRW22WnMqirX5l/Pr6o6eEHmTYVoWP0wBiXCqjzYgMSvkym83J+6WZKPhbg4YqIj6xTsiXJIsTDW7tF2wEkgdGSK3YzryQb1CR98nyGYQr+01yArmhNPPxRY0Ozc50sBBvkjZAcc1Jr9Coj/xwPDa/onr/vg5seT4DzIQCDRm2dAWOGiugzYMpWn2AW08CsfNCYSaNrsMKbAVGB2syBdMHAxyEQUeOWkmttYJBvj+YDGYWZIZ6lXXidPPM6GI4rvKZ9I3fnFjxUkAgg5BrIYS7PYjzyFcAOGQ7Kc4a7nopi3LXLlkKMe6ubzgDcZt59YtFcUuZQ+67g3wDG32KCX97aapc7V1kkj5gplPFFzl9L7ONLyPzbJMkGYa6rfceeVjb6yPDQ4vGspJMY/oeEOfUhKeV9aoJvq8yU6Zu8K1hDcmcZ3sKswMB9DdTA00clq4Ay1HEQSNY8qjl2hHRzRMABCxWSPmDSv0vsx2pOZOBJoXuOF7Mxl4tGODhnckgP1phBebSwLbpOGoyY397t1NFNhVYXKgP7gx+B7iOgXlsEQsUnfs8XsFiOtiZyBGReGZzk7D4vg9EHRB7v1VlrX8SqUcBSYcPhBHWvqi5DUt+RBOJTdMnJiTWMQRO4AcxjTuiJF9gcg9oxVrg/ic7Vni4mu/xafGY9r5A+02P7B7tD3x,iv:sGA4zACuGYJ3P/auaHXOttP8TGyVgf++Ppk6jiekUbw=,tag:/+XtiRJIjTA7MM5sYdPlSg==,type:str] zfs-smol-key: ENC[AES256_GCM,data:M6JUsFoAvt2nqI/9bVq0slhrcQE8sGgC3s0x,iv:hZK99Veh+oMhxxA9BbBe7OBisjhF00baAb1JQ7yfMaA=,tag:30GjpPzIpgw5htoK1BcmUg==,type:str] nextcloud-admin-pass: ENC[AES256_GCM,data:Lvk/j/3fissx6Kyccp9q2gi7ahbd+pR7jFXnx5OL0JRG,iv:Y0GI/z4pFW98Ll6xpuENr+fTrm7JoE9KadDKx2O4WLI=,tag:ofln+SgrhJm8BpKnVSngoQ==,type:str] +grafana-admin-pass: ENC[AES256_GCM,data:waHiV4NyatwQrvRkws8FQut49/ryh9srNSshUbvm,iv:XvU06AqljDsUk9smAak/4OCursX6U/SckPc92AkSTWk=,tag:xBcELmTUUs0mzOY+oiqidA==,type:str] +cf-kusanari-kanata-credentials: ENC[AES256_GCM,data:whwnxMT9JS3iDHbGTk2FoeDBiug26JoRWlyA3sOij861PVJZBEvQJubXD2E5hSwJhyoMIUpb8wgnvB/6GhznouwWfsNh7I39wcaxvHArTNkW+LXrAu8m7ra5dtSUHhPUQifLNYB/TsKHsB+TMhc5IMD6hAHs4uraZHmF1cej8PufTDKDLHjwVwDDJSP1ujQaUrRUvp4NUc8ImVCwnG0PYCVv,iv:umi4Yj11E6+BriksGLzvm+YW7NuARmRtvHz2cixILQA=,tag:+LQs2veOW0CmSKCUNtd9KA==,type:str] +nitter-account-jsonl: ENC[AES256_GCM,data:a7nSbFcG+E5xXnY4moLAu1ULujjZ8czGGLQNqaLZtFISG5Fc/0mMwRxKdArp9pwdUrteSUWzoKlkeTfsHsoS4TmPMuna/nLKSjBV1bvPdOuBEIi6IP9o6zb9izUvcwTAcMiWPjeRYNyLy5p9tvdIQ0MmRmd5UW9WUILLs7r5dmIK/ssNgYf89jJsdhBRpzOmjOtBbzn2uTA6+3s7ldswSWhAP94654Hrbg1IKxvefAgAqm+/2aNvY1Jxh71bNlWH+/WNBtH7pC24NeNWjiNHKzGhix2UecmcQ5/CEo8DBa6mg4gpe9i+VxzHhl3NJoFrfuicFT2ebTEjv8p7ZXLF3ZRgscXXb9YJ5CjmVILiUh/yYqM2jzSLbGHKIetlNFlmNkAYXN3j+A4w4Jiu4lVA3jwFPVxk92pSHi7hhib5gP3P20Zfbr89zk9tGIBQVDWo4p1LrwumH6aCq+XaIPAHOspFheIteZUJ1q0V2vylrBfkrj+ISDQ94aWgSKC74dynGL4joH4DJ2g6xSh26FMNlvBR7Mwg1PpfmJKx0I3iROoEc3RCPdxaoPiJNL7gpRlHV2a5H+ZCgpuWxcQ=,iv:joZcbUidniBqGu9Lkg6wd+mBdmgU/inbPEOlXewU5U4=,tag:y8Uv4zxuTAsTKB+OB4S6Xw==,type:str] +acme-credentials: ENC[AES256_GCM,data:6SIuFH3sRcz/Z855br7VgFKEEA1crztKmhVd3chK7ERJpfG9pTxxX0mAxG3aK5OhXwZpDMp0YkxtEphdkb5m0ZU=,iv:bUMtK0SvtrNwlhuY1k0dNVIOcJgM1OLjmbl+X+Zj01E=,tag:x6kdGrSsImZlpHrPnEAmXA==,type:str] sops: kms: [] gcp_kms: [] @@ -27,8 +31,8 @@ sops: YkRGS2ZBbm1keWpUQUFOWDRtTWZVa0EKc+lKEP0L/yoFLx6p1zbWfifPWc7Y9Qqh qccODSyHqzwdriHLxXuw9SCnF+SeA721te6+pDVhJj8vqv2UqHiATw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-01-24T12:28:05Z" - mac: ENC[AES256_GCM,data:1rW3YkvwbHiupjT62XxQwLEEGo1dMJkSbFUOaLqMXaVxmCebMWkQLWh72xr+VPF4MVU8vgz9GVmZap2uQ3/y+xkkrshaUIvDM2iznTrAIKyK8I5jSvZYqz9zxRBd8SGrPvZXzwCziDAEgfiAO7Yz5N5Z7KopEREN0XmtjDb4uMk=,iv:EVRCIeyQI8Lz+wkB42nz++Z2AkONs6pd9gylCdogUOc=,tag:YhCLF0/mYKxuO6SoQlmoGw==,type:str] + lastmodified: "2024-02-02T18:48:14Z" + mac: ENC[AES256_GCM,data:YOxc3pObGAcGy4tenuxsOTLr8uKMud/z/MarbTTZFv2VKT0DQPOdMVMWL52Ho4B2JcmAPzDjKhtOyLQi9VTA3NAEJyuroqsQri9G2atd8KluCv6puKO+ZjYyDvYlgErCfpAdhUs3xU53HEKKqicqMGc/qg2h+LEdYE4ECW+1/Mk=,iv:B0PcNaedmI+AoQu6nR5TpHi7BjLV3XP5ZLpEERMqw3k=,tag:Dpr7fbK7w6sbMCb8uK9LWA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 -- cgit 1.4.1