🏡 my personal home lab
add tangled knot
+45
+6
flake.nix
+6
flake.nix
···
21
21
url = "git+https://tangled.org/tranquil.farm/tranquil-pds";
22
22
inputs.nixpkgs.follows = "nixpkgs";
23
23
};
24
+
tangled = {
25
+
url = "git+https://tangled.org/@tangled.org/core";
26
+
inputs.nixpkgs.follows = "nixpkgs";
27
+
};
24
28
};
25
29
26
30
outputs =
···
33
37
turing-rk1,
34
38
sops-nix,
35
39
tranquil-pds,
40
+
tangled,
36
41
...
37
42
}@inputs:
38
43
let
···
103
108
host.hardware
104
109
sops-nix.nixosModules.sops
105
110
tranquil-pds.nixosModules.default
111
+
tangled.nixosModules.knot
106
112
./hosts/${name}.nix
107
113
];
108
114
};
+1
hosts/rk1-node-1.nix
+1
hosts/rk1-node-1.nix
+3
modules/caddy.nix
+3
modules/caddy.nix
···
136
136
"home.goo.garden".extraConfig = ''
137
137
reverse_proxy rk1-node-2:8123
138
138
'';
139
+
"knot.goo.garden".extraConfig = ''
140
+
reverse_proxy rk1-node-1:5555
141
+
'';
139
142
"probe.outerwilds.space".extraConfig = ''
140
143
reverse_proxy localhost:${config.services.uptime-kuma.settings.PORT}
141
144
'';
+35
modules/tangled-knot.nix
+35
modules/tangled-knot.nix
···
1
+
{ ... }:
2
+
{
3
+
services.tangled.knot = {
4
+
enable = true;
5
+
stateDir = "/var/lib/tangled-knot";
6
+
openFirewall = true;
7
+
server = {
8
+
hostname = "knot.goo.garden";
9
+
owner = "did:plc:jwgnraovgs3eeenh23tlllyk";
10
+
listenAddr = "0.0.0.0:5555";
11
+
};
12
+
};
13
+
14
+
# Only allow the git user from external IPs. root is LAN-only
15
+
services.openssh.extraConfig = ''
16
+
Match User root Address !10.0.0.0/24,*
17
+
DenyUsers root
18
+
'';
19
+
20
+
services.fail2ban = {
21
+
enable = true;
22
+
maxretry = 3;
23
+
ignoreIP = [
24
+
"10.0.0.0/24"
25
+
];
26
+
bantime = "24h";
27
+
bantime-increment = {
28
+
enable = true;
29
+
maxtime = "168h";
30
+
overalljails = true;
31
+
};
32
+
};
33
+
34
+
networking.firewall.allowedTCPPorts = [ 5555 ];
35
+
}