diff --git a/README.md b/README.md
index 0cf3286..eabc71a 100644
--- a/README.md
+++ b/README.md
@@ -12,3 +12,14 @@ This is my cobbled together NixOS configuration. There are many like it, but thi
 - [ ] game rom sync insomniac
 - [ ] insomniac backups
 - [ ] nginx websites
+
+## port allocation
+
+* 80X0: public HTTP services that are proxied through nginx
+* 40X0: private HTTP services that are accessible via tailscale
+* 20XX: Administrative stuff, like prometheus etc.
+
+* 8000: vaultwarden
+* 8010: headscale
+
+* 4000: syncthing
diff --git a/classes/headful/cosmic.nix b/classes/headful/cosmic.nix
index 3c3caf6..29a20ad 100644
--- a/classes/headful/cosmic.nix
+++ b/classes/headful/cosmic.nix
@@ -4,7 +4,7 @@
 ];
 nix.settings = {
- substituters = ["https://cosmic.cachix.org/"];
+ substituters = ["https://cosmic.cachix.org"];
 trusted-public-keys = ["cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE="];
 };
@@ -12,4 +12,6 @@
 desktopManager.cosmic.enable = true;
 displayManager.cosmic-greeter.enable = true;
 };
+
+ environment.sessionVariables.COSMIC_DATA_CONTROL_ENABLED = 1;
 }
diff --git a/classes/headful/syncthing.nix b/common/syncthing.nix
similarity index 82%
rename from classes/headful/syncthing.nix
rename to common/syncthing.nix
index 89853f7..0b38cbd 100644
--- a/classes/headful/syncthing.nix
+++ b/common/syncthing.nix
@@ -3,6 +3,7 @@
 enable = true;
 systemService = true;
 openDefaultPorts = true;
+ guiAddress = "localhost:4000";
 overrideDevices = false;
 overrideFolders = false;
 };
diff --git a/flake.lock b/flake.lock
index 1454ba4..283627f 100644
--- a/flake.lock
+++ b/flake.lock
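Review bot: The added `environment.sessionVariables.COSMIC_DATA_CONTROL_ENABLED = 1;` carries no comment saying why it is set, and the name suggests it opts the compositor into a data-control (clipboard) protocol that any Wayland client can use to read or write the clipboard, which is a deliberate trade-off worth recording next to the line. Suggest `# opt-in: exposes the clipboard data-control protocol to every Wayland client (needed for clipboard managers); confirm it is still required`. I believe sessionVariables values are stringified so `1` and `"1"` behave the same, but if the option type rejects integers, `"1"` is the safe spelling and matches the other string-valued settings in this file.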
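Review bot: `guiAddress = "localhost:4000";` binds the Syncthing GUI to loopback only, which contradicts the README line added in the same commit describing the 40X0 range as private HTTP services "accessible via tailscale"; over tailscale nothing will answer on 4000 unless the GUI is bound to the tailnet address or fronted by a proxy. Loopback is the safer default (the deleted vessel file exposed 0.0.0.0:8384 and opened the firewall for it), so either correct the README or document the intended access path here, e.g. `# GUI is loopback-only; reach it through a tailscale-bound proxy or a port forward`. Since the file now lives under common/, the same loopback GUI presumably applies to every host, including the headless ones whose per-host syncthing files and nginx vhost are removed in this commit. The enclosing `services.syncthing` attribute set starts outside the hunk.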
@@ -95,11 +95,11 @@ "nixpkgs": "nixpkgs_4" }, "locked": { - "lastModified": 1742659231, - "narHash": "sha256-7bvafmxXeRfoAtWSJeTFmHlCHMte0cZecGE/BvvgyqE=", + "lastModified": 1743292849, + "narHash": "sha256-rybjlr2xNmSHrlRVliYvI9bOPRnROecFqz+tO0V2woI=", "owner": "cachix", "repo": "devenv", - "rev": "c651cb04013be972767aaecb3e9a98fc930d080e", + "rev": "fa5cbf91fb1f1614936997badbb6018a2fdef320", "type": "github" }, "original": { @@ -332,11 +332,11 @@ }, "hardware": { "locked": { - "lastModified": 1742806253, - "narHash": "sha256-zvQ4GsCJT6MTOzPKLmlFyM+lxo0JGQ0cSFaZSACmWfY=", + "lastModified": 1743167577, + "narHash": "sha256-I09SrXIO0UdyBFfh0fxDq5WnCDg8XKmZ1HQbaXzMA1k=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "ecaa2d911e77c265c2a5bac8b583c40b0f151726", + "rev": "0ed819e708af17bfc4bbc63ee080ef308a24aa42", "type": "github" }, "original": { @@ -446,11 +446,11 @@ ] }, "locked": { - "lastModified": 1742701275, - "narHash": "sha256-AulwPVrS9859t+eJ61v24wH/nfBEIDSXYxlRo3fL/SA=", + "lastModified": 1743306489, + "narHash": "sha256-LROaIjSLo347cwcHRfSpqzEOa2FoLSeJwU4dOrGm55E=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "36dc43cb50d5d20f90a28d53abb33a32b0a2aae6", + "rev": "b3696bfb6c24aa61428839a99e8b40c53ac3a82d", "type": "github" }, "original": { @@ -467,11 +467,11 @@ "rust-overlay": "rust-overlay_2" }, "locked": { - "lastModified": 1742863891, - "narHash": "sha256-/mGCIxO7zlWCHOZLaOMRoJgSLpIav0PBKWG3BQddElw=", + "lastModified": 1743332965, + "narHash": "sha256-PCzC/PqUi7sj2SeELx/eXNOoKbd/HJbQY0DIyzwcK1M=", "owner": "lilyinstarlight", "repo": "nixos-cosmic", - "rev": "366999efebcad2165f472ef93e9c996693bda75d", + "rev": "5a00e93576d3ae9c6ad21d139542c236337dc840", "type": "github" }, "original": { 
@@ -529,11 +529,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1742512142, - "narHash": "sha256-8XfURTDxOm6+33swQJu/hx6xw1Tznl8vJJN5HwVqckg=", + "lastModified": 1743231893, + "narHash": "sha256-tpJsHMUPEhEnzySoQxx7+kA+KUtgWqvlcUBqROYNNt0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7105ae3957700a9646cc4b766f5815b23ed0c682", + "rev": "c570c1f5304493cafe133b8d843c7c1c4a10d3a6", "type": "github" }, "original": { @@ -609,11 +609,11 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1742422364, - "narHash": "sha256-mNqIplmEohk5jRkqYqG19GA8MbQ/D4gQSK0Mu4LvfRQ=", + "lastModified": 1743095683, + "narHash": "sha256-gWd4urRoLRe8GLVC/3rYRae1h+xfQzt09xOfb0PaHSk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a84ebe20c6bc2ecbcfb000a50776219f48d134cc", + "rev": "5e5402ecbcb27af32284d4a62553c019a3a49ea6", "type": "github" }, "original": { @@ -625,11 +625,11 @@ }, "nixpkgs_7": { "locked": { - "lastModified": 1742578646, - "narHash": "sha256-GiQ40ndXRnmmbDZvuv762vS+gew1uDpFwOfgJ8tLiEs=", + "lastModified": 1743076231, + "narHash": "sha256-yQugdVfi316qUfqzN8JMaA2vixl+45GxNm4oUfXlbgw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "94c4dbe77c0740ebba36c173672ca15a7926c993", + "rev": "6c5963357f3c1c840201eda129a99d455074db04", "type": "github" }, "original": { @@ -646,11 +646,11 @@ "utils": "utils" }, "locked": { - "lastModified": 1742730186, - "narHash": "sha256-LSAS036RA4iXtJNBzdiOayHQ3ZUrLlgi//jqwsuqqv4=", + "lastModified": 1743328785, + "narHash": "sha256-bIpp6q4/mW0cB6UWz85j5+v9jzUxJBG1m8o/e7zLJPg=", "owner": "fossar", "repo": "nix-phps", - "rev": "032d917f90ac19899915bfc528ebf9ae7a58e53f", + "rev": "db64ff505e1b0026627ddb3f3666eb1911aca9c7", "type": "github" }, "original": { 
@@ -733,11 +733,11 @@
 ]
 },
 "locked": {
- "lastModified": 1742437918,
- "narHash": "sha256-Vflb6KJVDikFcM9E231mRN88uk4+jo7BWtaaQMifthI=",
+ "lastModified": 1743302122,
+ "narHash": "sha256-VWyaUfBY49kjN29N140INa9LEW0YIgAr+OEJRdbKfnQ=",
 "owner": "oxalica",
 "repo": "rust-overlay",
- "rev": "f03085549609e49c7bcbbee86a1949057d087199",
+ "rev": "15c2a7930e04efc87be3ebf1b5d06232e635e24b",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index fc35944..f527322 100644
--- a/flake.nix
+++ b/flake.nix
@@ -22,6 +22,11 @@
 };
 };
+ nixConfig = {
+ extra-substituters = "https://cosmic.cachix.org";
+ extra-trusted-public-keys = "cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE=";
+ };
+
 outputs = {
 self,
 nixpkgs,
diff --git a/hosts/headless/abacus/headscale.nix b/hosts/headless/abacus/headscale.nix
index 19b0a00..09c764b 100644
--- a/hosts/headless/abacus/headscale.nix
+++ b/hosts/headless/abacus/headscale.nix
@@ -1,23 +1,22 @@
-# {config, ...}: let
-# virtualHostName = "";
-# in {
-# services.headscale = {
-# enable = true;
-# address = "127.0.0.1";
-# port = 8070;
-# server_url = "https://${virtualHostName}";
-# settings = {
-# logtail.enabled = false;
-# };
-# };
-#
-# services.nginx.virtualHosts.${virtualHostName} = {
-# forceSSL = true;
-# enableACME = true;
-# locations."/" = {
-# proxyPass = "http://localhost:${toString config.services.headscale.port}";
-# proxyWebsockets = true;
-# };
-# };
-# }
-{}
+{config, ...}: let
+ virtualHostName = "headscale.helveticanonstandard.net";
+in {
+ services.headscale = {
+ enable = true;
+ address = "127.0.0.1";
+ port = 8010;
+ server_url = "https://${virtualHostName}";
+ settings = {
+ logtail.enabled = false;
+ };
+ };
+
+ services.nginx.virtualHosts.${virtualHostName} = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://localhost:${builtins.toString config.services.headscale.port}";
+ proxyWebsockets = true;
+ };
+ };
+}
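Review bot: The new `nixConfig` block repeats the substituter and trusted public key already declared in classes/headful/cosmic.nix under `nix.settings`, so the same key now has to be kept in sync in two places; a pointer comment would help, e.g. `# keep in sync with nix.settings in classes/headful/cosmic.nix`. Trusting a binary-cache key means any store path signed with it is accepted without a local rebuild, so the comment should also say what the key is for (`# cosmic cachix key, only needed for the nixos-cosmic input`). As far as I know a flake's `nixConfig` only applies after the user accepts it (accept-flake-config), so this copy presumably serves evaluation on the developing machine while the cosmic.nix copy serves the deployed hosts; stating that intent would make the duplication look deliberate.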
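Review bot: `server_url = "https://${virtualHostName}";` is placed directly under `services.headscale` rather than under `settings`; I believe the NixOS module exposes this as `services.headscale.settings.server_url`, in which case evaluation should fail on an unknown option or, at worst, the value is silently ignored, so verify against the module and move the line to `settings.server_url = "https://${virtualHostName}";` next to `logtail.enabled`. The nginx vhost forwarding to loopback port 8010 with `proxyWebsockets = true` and `forceSSL` is the right shape for headscale; a short header comment would help the next reader, e.g. `# headscale control server: loopback-only, TLS terminated by nginx, port 8010 per the README allocation`.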
diff --git a/hosts/headless/abacus/microbin.nix b/hosts/headless/abacus/microbin.nix
deleted file mode 100644
index d6274ff..0000000
--- a/hosts/headless/abacus/microbin.nix
+++ /dev/null
@@ -1,50 +0,0 @@
-# TODO: use another service for this
-{
- config,
- lib,
- ...
-}: let
- inherit (config.networking) domain;
- virtualHostName = "bin.${domain}";
-in {
- age.secrets = lib.mkSecrets {microbin = {};};
-
- services.microbin = {
- enable = true;
- passwordFile = config.age.secrets.microbin.path;
- settings = {
- MICROBIN_BIND = "127.0.0.1";
- MICROBIN_PORT = 8020;
-
- MICROBIN_PUBLIC_PATH = "https://${virtualHostName}/";
-
- MICROBIN_READONLY = true;
-
- MICROBIN_EDITABLE = true;
- MICROBIN_ETERNAL_PASTA = true;
- MICROBIN_HIGHLIGHTSYNTAX = true;
- MICROBIN_PRIVATE = true;
- MICROBIN_ENABLE_BURN_AFTER = true;
- MICROBIN_QR = true;
- MICROBIN_NO_FILE_UPLOAD = false;
- MICROBIN_ENCRYPTION_CLIENT_SIDE = true;
-
- MICROBIN_MAX_FILE_SIZE_ENCRYPTED_MB = 1024;
- MICROBIN_MAX_FILE_SIZE_UNENCRYPTED_MB = 4096;
-
- MICROBIN_DISABLE_UPDATE_CHECKING = true;
- MICROBIN_DISABLE_TELEMETRY = true;
- MICROBIN_LIST_SERVER = false;
- };
- };
-
- services.nginx.virtualHosts.${virtualHostName} = {
- enableACME = true;
- forceSSL = true;
-
- locations."/".proxyPass = let
- host = config.services.microbin.settings.MICROBIN_BIND;
- port = builtins.toString config.services.microbin.settings.MICROBIN_PORT;
- in "http://${host}:${port}";
-}
diff --git a/hosts/headless/abacus/syncthing.nix b/hosts/headless/abacus/syncthing.nix
deleted file mode 100644
index e70bc62..0000000
--- a/hosts/headless/abacus/syncthing.nix
+++ /dev/null
@@ -1,18 +0,0 @@ -{config, ...}: let - inherit (config.networking) domain; - virtualHostName = "sync.${domain}"; -in { - services.syncthing = { - enable = true; - systemService = true; - openDefaultPorts = true; - guiAddress = "localhost:8040"; - }; - - services.nginx.virtualHosts.${virtualHostName} = { - enableACME = true; - forceSSL = true; - - locations."/".proxyPass = "http://${config.services.syncthing.guiAddress}"; - }; -} diff --git a/hosts/headless/vessel/syncthing.nix b/hosts/headless/vessel/syncthing.nix deleted file mode 100644 index b184a4b..0000000 --- a/hosts/headless/vessel/syncthing.nix +++ /dev/null @@ -1,16 +0,0 @@ -# TODO: unify syncthing.nix files -let - guiPort = 8384; -in { - services.syncthing = { - enable = true; - systemService = true; - openDefaultPorts = true; - guiAddress = let - host = "0.0.0.0"; - port = builtins.toString guiPort; - in "${host}:${port}"; - }; - - networking.firewall.allowedTCPPorts = [guiPort]; -} diff --git a/secrets/microbin.age b/secrets/microbin.age deleted file mode 100644 index 56c801e..0000000 --- a/secrets/microbin.age +++ /dev/null @@ -1,11 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 SFHVrw zQc/Ff2ZDIDRIAF+iJOH9d1dlK2CJImVGG0HkPpeEgc -uMvcMchUjU8MBgnQSSxi0q1IDW2/kvQnRn2CgTaK5CE --> ssh-ed25519 S+dwQQ hD4n7yXZ2SlC56zkN1DOU5uMCMk9u+3flIDu0V0TZyA -7TIxfNJvt2p247DwP2A7ngk0Yr2juzEAlYxVEp58rIk --> ssh-ed25519 bPbvlw 89fmWI4eUFpstBBBtf+giqlNkvZcdTgd2pU2zwnrvjc -3oACdvrPGC02HFYpGpJ9EBHyWHuHFO0mao02o1J4G5A --> ssh-ed25519 ffmsLw 7gJFX9Fu4mfZjjtExyX7CBWimIhG76vSzniqDzzSogY -FhDV1voL0ClZz59FMVL7zQBfmjYPHVQmeXAdS1GZjYk ---- PFWx9UzONDClbbTfmHO/fZ5u8TZy+RqzdyPqHFNYTI4 -7[ii׺ZsGaHjʄ!l?YZ'rE7*0>g[[lY{&tSd"1 0zC\A1ȇg69uoo 5{,k,=487պ|bHRǴ:X~CWK \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 0f2d182..a50f702 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -1,9 +1,10 @@
-with import ../pubkeys.nix; {
+let
+ pubkeys = import ../pubkeys.nix;
+ inherit (pubkeys) users hosts;
+in {
 "user-lukas.age".publicKeys = (builtins.attrValues users) ++ (builtins.attrValues (builtins.removeAttrs hosts ["insomniac"]));
 "user-insomniac.age".publicKeys = (builtins.attrValues users) ++ [hosts.insomniac];
- "microbin.age".publicKeys = (builtins.attrValues users) ++ [hosts.abacus];
- "miniflux.age".publicKeys = (builtins.attrValues users) ++ [hosts.abacus];
 "vaultwarden.age".publicKeys = (builtins.attrValues users) ++ [hosts.abacus];