+8 -10

deploy.nu

reviewed

··· 104 104 webhook $hooktitle $"=== deploy for ($hostname): finished ===" 0 true 105 105 } 106 106 107 107 - def update-input [input: string] { 107 107 + def update-inputs [inputs: list<string>] { 108 108 + let inputsText = $inputs | str join ", " 108 109 let stashed = try { 109 110 let stash_result = git stash | complete 110 111 $stash_result.stdout | str contains "Saved working directory" 111 112 } catch { 112 113 false 113 114 } 114 114 - log info $"trying to update input ($input)" 115 115 - let result = nix flake update $input | complete 115 115 + log info $"trying to update inputs ($inputsText)" 116 116 + let result = nix run .#nvfetcher -- -f $"\(($inputs | str join '|')\)" | complete 116 117 let is_ok = ($result.stderr | str contains "Updated input") 117 118 let is_err = ($result.exit_code != 0) 118 119 if $is_ok or $is_err { 119 119 - webhook $"/inputs/($input)" $"=== updated input ($input) ===\n\n($result.stderr)" $result.exit_code 120 120 + webhook $"/inputs" $"=== updated inputs ===\n\n($result.stderr)" $result.exit_code 120 121 } 121 122 if $is_ok { 122 123 # try committing flake updates 123 124 try { 124 124 - git add flake.lock 125 125 - let commit_msg = $"chore\(nix\): update input ($input) [skip ci]" 126 126 - git commit -m $commit_msg 125 125 + git add _sources 126 126 + git commit -m "chore(nix): update inputs [skip ci]" 127 127 git push 128 128 } 129 129 } else { ··· 142 142 webhook "deploy" "=== started deploying all ===" 143 143 144 144 if $only_deploy == false { 145 145 - ["blog" "limbusart" "nsid-tracker"] 146 146 - | each {|input| update-input $input} 147 147 - 145 145 + update-inputs ["blog" "limbusart" "nsid-tracker"] 148 146 try { 149 147 log info "trying to update dns records" 150 148 nix run ".#dns" -- push

+1 -1

dns/dnsconfig.js

reviewed

··· 21 21 A("spindle", WOLUMONDE_IP, CF_PROXY_OFF), 22 22 A("skeetdeck", WOLUMONDE_IP, CF_PROXY_OFF), 23 23 A("likes", WOLUMONDE_IP, CF_PROXY_OFF), 24 24 - A("bird", WOLUMONDE_IP, CF_PROXY_OFF), 24 24 + A("vpn", WOLUMONDE_IP, CF_PROXY_OFF), 25 25 A("id", WOLUMONDE_IP, CF_PROXY_OFF), 26 26 // thing 27 27 // TXT("id", "a data endpoint for entity with serial id /90008/."),

+1

hosts/wolumonde/default.nix

reviewed

··· 6 6 }: 7 7 { 8 8 imports = [ 9 9 + ../../users/root 9 10 "${inputs.agenix}/modules/age.nix" 10 11 "${inputs.ncr}/firewall" 11 12 "${inputs.ncr}/firewall/hetzner"

+42

hosts/wolumonde/modules/headscale.nix

reviewed

··· 1 1 + {config, ...}: let 2 2 + rootDomain = "gaze.systems"; 3 3 + domain = "vpn.${rootDomain}"; 4 4 + in { 5 5 + age.secrets.headscaleOidcSecret = { 6 6 + file = ../../../secrets/headscaleOidcSecret.age; 7 7 + mode = "600"; 8 8 + owner = config.services.headscale.user; 9 9 + group = config.services.headscale.group; 10 10 + }; 11 11 + 12 12 + services.headscale = { 13 13 + enable = true; 14 14 + address = "0.0.0.0"; 15 15 + port = 1111; 16 16 + settings = { 17 17 + server_url = "https://${domain}"; 18 18 + dns = { 19 19 + base_domain = "lan.${rootDomain}"; 20 20 + nameservers.global = ["1.1.1.1" "1.0.0.1" "9.9.9.9" "149.112.112.112"]; 21 21 + }; 22 22 + oidc = { 23 23 + issuer = config.services.pocket-id.settings.APP_URL; 24 24 + client_id = "ba2c2024-f75f-49a2-a156-8593becfba28"; 25 25 + client_secret_path = config.age.secrets.headscaleOidcSecret.path; 26 26 + pkce.enabled = true; 27 27 + only_start_if_oidc_is_available = true; 28 28 + }; 29 29 + }; 30 30 + }; 31 31 + 32 32 + services.nginx.virtualHosts.${domain} = { 33 33 + useACMEHost = rootDomain; 34 34 + forceSSL = true; 35 35 + quic = true; 36 36 + kTLS = true; 37 37 + locations."/" = { 38 38 + proxyPass = "http://localhost:${toString config.services.headscale.port}"; 39 39 + proxyWebsockets = true; 40 40 + }; 41 41 + }; 42 42 + }

hosts/wolumonde/modules/netbird-client.nix hosts/wolumonde/modules/netbird-client.disabled

reviewed

hosts/wolumonde/modules/netbird.nix hosts/wolumonde/modules/netbird.disabled

reviewed

+3 -2

hosts/wolumonde/modules/nginx.nix

reviewed

··· 16 16 statusPage = true; 17 17 }; 18 18 19 19 - networking.firewall.public."http(s)".allowedTCPPorts = [80 443]; 19 19 + networking.firewall.public."http".allowedTCPPorts = [80]; 20 20 + networking.firewall.public."https".allowedTCPPorts = [443]; 20 21 21 22 # output json logs so we can consume them more easily 22 23 services.nginx.appendHttpConfig = '' ··· 63 64 "spindle.gaze.systems" 64 65 "skeetdeck.gaze.systems" 65 66 "likes.gaze.systems" 66 66 - "bird.gaze.systems" 67 67 "id.gaze.systems" 68 68 + "vpn.gaze.systems" 68 69 ]; 69 70 }; 70 71 };

hosts/wolumonde/modules/nsid-tracker.nix hosts/wolumonde/modules/nsid-tracker.disabled

reviewed

-4

hosts/wolumonde/modules/tailscale.disabled

reviewed

··· 1 1 - { 2 2 - services.tailscale.enable = true; 3 3 - services.tailscale.extraSetFlags = [ "--advertise-exit-node" ]; 4 4 - }

+17

hosts/wolumonde/modules/tailscale.nix

reviewed

··· 1 1 + {config, ...}: { 2 2 + age.secrets.tailscaleAuthKey.file = ../../../secrets/tailscaleAuthKey.age; 3 3 + 4 4 + services.tailscale = { 5 5 + enable = true; 6 6 + port = 41641; 7 7 + extraSetFlags = [ "--advertise-exit-node" ]; 8 8 + extraDaemonFlags = [ "--no-logs-no-support" ]; 9 9 + useRoutingFeatures = "both"; 10 10 + authKeyFile = config.age.secrets.tailscaleAuthKey.path; 11 11 + openFirewall = true; 12 12 + }; 13 13 + 14 14 + networking.firewall.public.tailscale.allowedUDPPorts = [ 15 15 + config.services.tailscale.port 16 16 + ]; 17 17 + }

-2

hosts/wolumonde/modules/victoria.nix

reviewed

··· 16 16 # extraOptions = ["-syslog.listenAddr.udp=:${toString syslogUdp}" "-journald.maxRequestSize=1024000000"]; 17 17 }; 18 18 19 19 - networking.firewall.allowedTCPPorts = [metricsPort logsPort]; 20 20 - 21 19 services.vmalert.instances."" = { 22 20 enable = true; 23 21 settings =

+18

secrets/headscaleOidcSecret.age

reviewed

··· 1 1 + age-encryption.org/v1 2 2 + -> ssh-rsa Abmvag 3 3 + Qh13LIT59dB6mn0FyXVA8+7+kwn0kw9kmQ0MgKG4o6ABTD99SsyTezCZEPfSUg3a 4 4 + U/pH+UTezBGFAVkYhvB+WP9rJT4zRWMng585JObbGUzCgau6+ImSZOnsjRB0CipK 5 5 + kYgpLcw+3OVZT2Kj1RAwee3rPbImfm2ubn8U/zEn3fmbxHXBXB9KO+TDWPf78cFT 6 6 + 3rpxkgVl1fxtOb3R+tSupj9J+RsGlrjPzDV4I/4DEuh9amEHTLphLZ/Cn4kwF/1u 7 7 + UySknhamanR5Aqg1pkx47SCcMSbEfJUjp0VfEMg19Sfdi2FWMhZQ80KvnMr/9okg 8 8 + sNZw14WeZYixd48cia5ky8P9HOgeLoglJButTjedP8GuPSWx9I4kx5O/TXDj2ZKc 9 9 + tC2GzhuFYfNloOsx9lNhweDjC6jnBuPyK93MnUrMoeaLgT80X7kdkCdh3NFZccsB 10 10 + Bz+2ewTIFBER9j80FPubMJc3EhfgKh/rSY6adDtXn7eAiwgt6hyuT3s/6A0qW1ns 11 11 + LU9SBO0e/Bi0/s17GomsIMldI0sN1qKC6R1Ub4W6V+1EsZfq1YTKvVasI7e8pHBg 12 12 + dez/ihtiYF6RIhisdZib0wAqVjhYH1mml5MBKacyUY7VaHcl6vfSFe3WeysNor07 13 13 + jlC1IPTngRsxItMV0wDb9/x9Uf1r+8fC19o3qPMBx8I 14 14 + -> ssh-ed25519 KjIL7g X9TumeXjPPf+9e3ouaqHowAagQE6tOrDb5pWp8uzyGE 15 15 + p8Z6ooZw8PZ0UgDbfw2RhfPT4iAnamialMN5Yimtbb8 16 16 + --- RLloYQEWGgr1lT/H1WwKTYaKTJs+pgCA79oOmZRbNWk 17 17 + )��@*�Q��fa����,� 18 18 + [��0�}1�G�X�rT:��t�?�S#��ɻ��

secrets/netbirdClientKey.age

reviewed

This is a binary file and will not be displayed.

-17

secrets/netbirdCoturnPass.age

reviewed

··· 1 1 - age-encryption.org/v1 2 2 - -> ssh-rsa Abmvag 3 3 - c5bol6A1rO09nb/JL0cnGAiurTVHodcd1ORtb8HRpNfyy7pmq6KgzjrKZBUy+ziV 4 4 - 6IoTHHGBJUthFvEO7/iMU7dm/ssH76nJl/mMdm8sxwX3dv/3VNVGenj6cHTsC+k6 5 5 - UymfIhgSTK4Yqqelt6UHCtuud/UB1bIgzh5Ino4YXiT8DyACSLyVa9LlSEzc1qLN 6 6 - CKHCUy+vPJQ5DiyrLei+J87kIAwxOs6lyJVkbXos+YhsWvhkR+rrkGDJzC3KFzQZ 7 7 - uStNQGXWQR61i8B6ck4O0yV1bbd3JlecevZti/6TxfW3+nyagDfZReli189dTzSn 8 8 - Gs86IPgELt06bdagzzPGf7gO1s8wXFvVUS3rX5lE6j5A3ma2Mt7YyouJn5x862c3 9 9 - N8Kbpx7pJCmgJUz+hiX6DCO1eeIuXIu+KoPGsP82VK3CNpBl2dNyFz40pciLLcY4 10 10 - ZZSFG2U0hhYA0G78oxNTESh2ouCrNID+X4B4SVQBVa8Ez/7WixZds67VdFry0gRi 11 11 - vbuXHYYx+HTHGrHmtQfTrNmsxojVqHDUVH8MtK203UbZSNW4tzuQAUNht02lK2Xi 12 12 - xt+w35rlJoYfYtpd9TPD3lE+azBv9VeRm4wuXbqChESa/QEmI81mf12ZrkAmuuIu 13 13 - LqgJ/Q1av+OBhL2d+U6ujtQXbo3e/bLkHfmFVQCGDzw 14 14 - -> ssh-ed25519 KjIL7g BDNhP7CqqoNcPKK9PJfVwcVXEvo/Yfej1g4rz7qeoG0 15 15 - uIyTLwcTil1yPqZFLCmLgISzWx3fOeRGfTN3RsjS5cw 16 16 - --- E2EOsQlt8Ge2E06+UCRAGVecikifIWHla+ATMnKYp6g 17 17 - �Z3�"�ɸ�Z��)9������o�h�;Re]�F�ε�@��t<00�B� �!�G�ý�\

secrets/netbirdDataStoreEncKey.age

reviewed

This is a binary file and will not be displayed.

-17

secrets/netbirdTurnSecret.age

reviewed

··· 1 1 - age-encryption.org/v1 2 2 - -> ssh-rsa Abmvag 3 3 - q1vTZZmWKxT76A80s0OVsZnIUMAVM5Bds6h8zI9ClVGOY4VsdtJiajzeXrC0aQ7S 4 4 - 1Mjsmu8Gn9f8T6EjdZhg5V6c5w+DZidJCj3CuQb5Nj+7/tUJf36tbG1dpcZmvx7r 5 5 - G2DQg1kk7t6gywW9zjsbdOdB1Pt6NwM8IyexUTjWbJ+dQcOJeOrB1iv9WDVt3Kil 6 6 - +zp/loYwiH05/lex6e20P8iSpEGCI22utGtG6kG1JbHmOBhIGU0C9EZwZ74Cebt6 7 7 - /y6NhM5PWQU3roBN2Mz3sYxsuewDSaMeop6LyFbh6ud5sLuX+rI3ISDczgBerxV8 8 8 - gvBiNQadFEFSgLhSEC6pYfStgQwJOCmI5nBju7aYwg1YwPZ1JtRkP3njg03GLc9+ 9 9 - 8Xxc6cRzDEX8MahLtlq5KPlinQjHiJ/H7K+KzXZMe63NnK6QbsNPqT0iZXTfzXxj 10 10 - NXui4xiybLwqdf00YI6MySD/0HcXgpRfBBP/aQbzYhxI1Vi1r1lSEqWjn5UzwqDn 11 11 - HfIVk37bCkQGmfI8rkzmhmtEOlKKfcKF3sMx9KH1PBsi4odEEbjmWwikDnHp2ml6 12 12 - lritjzfSZJLwJt4O8gxwHSNCVBEOhJ3+XxUo8agZz2dRcBhcmgESvSs5Pe8Y7G5k 13 13 - GMWylL40BW1Xd/hg6SPtd6XVZs1uHabrTPhtpSE7SbA 14 14 - -> ssh-ed25519 KjIL7g Nk2p0y0gT/8BvZUnv1O/E/oeqbNm1ZrxC0BLUbEdmGs 15 15 - AGui3gIBK27w6BapWS/aamWb/+J6rgS50+tubatJTQg 16 16 - --- FS0j9rSESVWuYHpBj/Gixu7bi9pj99DD8kUlc10xrTs 17 17 - ��{����g�B��*�Q5����=� �5�����`�����kp倏<g��}�;",<�.(�b =9��Z���/sa�h^�Ѭ;�i�{ԛ5�˂�������sK4��t�Zn�~A%�w�gVk�.w#�;l��Êco�y��

+2 -14

secrets/secrets.nix

reviewed

··· 54 54 yusdacra 55 55 wolumonde 56 56 ]; 57 57 - "netbirdCoturnPass.age".publicKeys = [ 58 58 - yusdacra 59 59 - wolumonde 60 60 - ]; 61 61 - "netbirdDataStoreEncKey.age".publicKeys = [ 62 62 - yusdacra 63 63 - wolumonde 64 64 - ]; 65 65 - "netbirdTurnSecret.age".publicKeys = [ 57 57 + "headscaleOidcSecret.age".publicKeys = [ 66 58 yusdacra 67 59 wolumonde 68 60 ]; 69 69 - "netbirdClientKey.age".publicKeys = [ 61 61 + "tailscaleAuthKey.age".publicKeys = [ 70 62 yusdacra 71 63 wolumonde 72 72 - ]; 73 73 - "develMobiNetbirdClientKey.age".publicKeys = [ 74 74 - yusdacra 75 75 - develMobi 76 64 ]; 77 65 }

+18

secrets/tailscaleAuthKey.age

reviewed

··· 1 1 + age-encryption.org/v1 2 2 + -> ssh-rsa Abmvag 3 3 + NKeTQ1taN613x+apPY0ZIeL5kisXNZ/BQkFaOUeGz1J6esoiTtHQb2c426iH/1Xr 4 4 + doQnrpveP1g3xAhmcwPSrTFM1ZGmaTXw7OmWJJruPoaUgvJ+mzeYpHlCFcP/jZLZ 5 5 + /DSZklljD1kaefNsZVFrL44P/N9us65RclC9LtWsBy9uHKDR9vpAg+a/BchY1pfd 6 6 + laukKd3V+aZGBucBvXlzYz1vhmV8gAmiTzV8az/QEnXTUSY+9IF3rMFT0ZpppJAA 7 7 + KJ4Rk+iDK/0lIkHUrOdoZneeENt55nvc22eBKAzyF1GrifuBt5/yk9kPS7sv1svV 8 8 + ruNAnJyvBIT7Vnwasv9ZTy7+U/VeFjWaTiSs1DewBPOiLpHw9mmxbmF28oIP6dLz 9 9 + oRo1ZoZHyjF0+kgsMco6d9VgOCqIRLj3ObXvvda8iJQThMZsPjEKmvHt64usxwjT 10 10 + cVaE240zswtjnHfdtC7nxDG2aUHr5oeH6QXH7sAwKwx31zoJX9J7N0nc/ctD40nQ 11 11 + z0oevXgzN0MD5L/X2cjwJ0L2qajJjyJBrAlb5XiaOK38MTwf32cQZnaIej8cDzfE 12 12 + ReXXOmFiXq/Dl8nEKoHDQI3p+4ZOLztXu/5i/TL1HuvF5Riod5hA1oW2ubwHeHxR 13 13 + ApZ7ry5dtbBUxnuTI5zRLQY78BnrqsuJ9ghp2fDzSsc 14 14 + -> ssh-ed25519 KjIL7g SFusm9HUDdCCjjjKwOji+X66SpI2TzEf7p7AthPAWQU 15 15 + 11ovCJnXkMlOz/6570chlP62LkBoKx64EkFkcTXKELg 16 16 + --- mufkRbwTo+mBT3hXsyh5Mv7O30CtTtqXtR6EaJ2tZY8 17 17 + BS>���;Q6/<���KGM��m!����*��,Ƥ����KlM"s[Z��>�Nv 18 18 + WQ�kD��$Q> za)2*'�Y_���<