style: format · ptr.pet/ark@dac65b9

ptr.pet / ark

fork

Configure Feed

Issues Pull Requests Commits Tags

Feed URL

Select the types of activity you want to include in your feed.

this repo has no description

fork

Configure Feed

Issues Pull Requests Commits Tags

Feed URL

Select the types of activity you want to include in your feed.

style: format

dusk 6 months ago dac65b94 5751a039

+285 -211

27 changed files

expand all collapse all

hosts

dzwonek

default.nix

disk-config.nix

modules

hardware-configuration.nix

headscale.nix

acl.nix

default.nix

nginx.nix

tailscale.nix

volsinii

disk-config.nix

modules

hardware-configuration.nix

tailscale.nix

wolumonde

modules

atproto.nix

clickee-proxy.nix

email.nix

forgejo.nix

default.nix

hedgedoc.nix

openbao.disabled

default.nix

spindle-proxy

default.nix

perses.nix

default.nix

pocket-id.nix

tailscale.nix

tangled.nix

default.nix

knot.nix

spindle.nix

webhook.disabled

default.nix

deploy-wolumonde.nix

users

dusk@devel.mobi

default.nix

modules

ssh

default.nix

-1

hosts/dzwonek/default.nix

reviewed

··· 16 16 ] 17 17 ++ (tlib.importFolder (toString ./modules)); 18 18 19 19 - 20 19 environment.systemPackages = [ 21 20 pkgs.curl 22 21 pkgs.gitMinimal

+1 -1

hosts/dzwonek/disk-config.nix

reviewed

··· 51 51 }; 52 52 }; 53 53 }; 54 54 - } 54 54 + }

+17 -5

hosts/dzwonek/modules/hardware-configuration.nix

reviewed

··· 1 1 # Do not modify this file! It was generated by ‘nixos-generate-config’ 2 2 # and may be overwritten by future invocations. Please make changes 3 3 # to /etc/nixos/configuration.nix instead. 4 4 - { config, lib, pkgs, modulesPath, ... }: 4 4 + { 5 5 + config, 6 6 + lib, 7 7 + pkgs, 8 8 + modulesPath, 9 9 + ... 10 10 + }: 5 11 6 12 { 7 7 - imports = 8 8 - [ (modulesPath + "/profiles/qemu-guest.nix") 9 9 - ]; 13 13 + imports = [ 14 14 + (modulesPath + "/profiles/qemu-guest.nix") 15 15 + ]; 10 16 11 11 - boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ]; 17 17 + boot.initrd.availableKernelModules = [ 18 18 + "ata_piix" 19 19 + "uhci_hcd" 20 20 + "virtio_pci" 21 21 + "sr_mod" 22 22 + "virtio_blk" 23 23 + ]; 12 24 boot.initrd.kernelModules = [ ]; 13 25 boot.kernelModules = [ ]; 14 26 boot.extraModulePackages = [ ];

+30 -25

hosts/dzwonek/modules/headscale.nix/acl.nix

reviewed

··· 1 1 - {config, lib, ...}: let 1 1 + { config, lib, ... }: 2 2 + let 2 3 l = lib // builtins; 3 4 t = l.types; 4 5 ··· 10 11 default = "accept"; 11 12 }; 12 13 proto = l.mkOption { 13 13 - type = t.nullOr (t.enum ["tcp" "udp"]); 14 14 + type = t.nullOr ( 15 15 + t.enum [ 16 16 + "tcp" 17 17 + "udp" 18 18 + ] 19 19 + ); 14 20 default = null; 15 21 }; 16 22 src = l.mkOption { ··· 21 27 }; 22 28 }; 23 29 }; 24 24 - in { 30 30 + in 31 31 + { 25 32 options = { 26 33 services.headscale.acl = { 27 34 groups = l.mkOption { 28 35 type = t.attrsOf (t.listOf t.str); 29 29 - default = []; 36 36 + default = [ ]; 30 37 }; 31 38 tagOwners = l.mkOption { 32 39 type = t.attrsOf (t.listOf t.str); 33 33 - default = []; 40 40 + default = [ ]; 34 41 }; 35 42 hosts = l.mkOption { 36 43 type = t.attrsOf t.str; 37 37 - default = []; 44 44 + default = [ ]; 38 45 }; 39 46 rules = l.mkOption { 40 47 type = t.listOf ruleType; 41 41 - default = []; 48 48 + default = [ ]; 42 49 }; 43 50 }; 44 51 }; 45 52 46 46 - config = let 47 47 - generated = l.toFile "policy.hujson" (l.toJSON { 48 48 - groups = l.mapAttrs' (k: v: l.nameValuePair "group:${k}" v) cfg.groups; 49 49 - tagOwners = l.mapAttrs' (k: v: l.nameValuePair "tag:${k}" v) cfg.tagOwners; 50 50 - hosts = cfg.hosts; 51 51 - acls = l.map 52 52 - (rule: 53 53 - if rule.proto == null 54 54 - then l.removeAttrs rule ["proto"] 55 55 - else rule 56 56 - ) 57 57 - cfg.rules; 58 58 - }); 59 59 - in { 60 60 - services.headscale.settings.policy = { 61 61 - mode = "file"; 62 62 - path = generated; 53 53 + config = 54 54 + let 55 55 + generated = l.toFile "policy.hujson" ( 56 56 + l.toJSON { 57 57 + groups = l.mapAttrs' (k: v: l.nameValuePair "group:${k}" v) cfg.groups; 58 58 + tagOwners = l.mapAttrs' (k: v: l.nameValuePair "tag:${k}" v) cfg.tagOwners; 59 59 + hosts = cfg.hosts; 60 60 + acls = l.map (rule: if rule.proto == null then l.removeAttrs rule [ "proto" ] else rule) cfg.rules; 61 61 + } 62 62 + ); 63 63 + in 64 64 + { 65 65 + services.headscale.settings.policy = { 66 66 + mode = "file"; 67 67 + path = generated; 68 68 + }; 63 69 }; 64 64 - }; 65 70 }

+22 -17

hosts/dzwonek/modules/headscale.nix/default.nix

reviewed

··· 4 4 domain = "vpn.${rootDomain}"; 5 5 in 6 6 { 7 7 - imports = [./acl.nix]; 7 7 + imports = [ ./acl.nix ]; 8 8 9 9 age.secrets.headscaleOidcSecret = { 10 10 file = ../../../../secrets/headscaleOidcSecret.age; ··· 18 18 address = "0.0.0.0"; 19 19 port = 1111; 20 20 acl = { 21 21 - groups.admin = ["90008@gaze.systems"]; 21 21 + groups.admin = [ "90008@gaze.systems" ]; 22 22 tagOwners = { 23 23 - private-infra = ["group:admin"]; 24 24 - other-infra = ["group:admin"]; 23 23 + private-infra = [ "group:admin" ]; 24 24 + other-infra = [ "group:admin" ]; 25 25 }; 26 26 hosts = { 27 27 chernobog = "100.64.0.9"; ··· 30 30 }; 31 31 rules = lib.mkBefore [ 32 32 { 33 33 - src = ["group:admin"]; 34 34 - dst = ["tag:private-infra:*" "tag:other-infra:*"]; 33 33 + src = [ "group:admin" ]; 34 34 + dst = [ 35 35 + "tag:private-infra:*" 36 36 + "tag:other-infra:*" 37 37 + ]; 35 38 } 36 39 { 37 37 - src = ["tag:private-infra"]; 38 38 - dst = ["tag:other-infra:*"]; 40 40 + src = [ "tag:private-infra" ]; 41 41 + dst = [ "tag:other-infra:*" ]; 39 42 } 40 43 { 41 41 - src = ["wolumonde"]; 42 42 - dst = ["chernobog:*"]; 44 44 + src = [ "wolumonde" ]; 45 45 + dst = [ "chernobog:*" ]; 43 46 } 44 47 { 45 45 - src = ["90008@gaze.systems"]; 46 46 - dst = ["90008@gaze.systems:*"]; 48 48 + src = [ "90008@gaze.systems" ]; 49 49 + dst = [ "90008@gaze.systems:*" ]; 47 50 } 48 51 { 49 49 - src = ["90008@gaze.systems" "tag:private-infra"]; 50 50 - dst = ["autogroup:internet:*"]; 52 52 + src = [ 53 53 + "90008@gaze.systems" 54 54 + "tag:private-infra" 55 55 + ]; 56 56 + dst = [ "autogroup:internet:*" ]; 51 57 } 52 58 { 53 53 - src = ["ellite@ellite.dev"]; 54 54 - dst = ["chernobog:8463"]; 59 59 + src = [ "ellite@ellite.dev" ]; 60 60 + dst = [ "chernobog:8463" ]; 55 61 } 56 62 ]; 57 63 }; ··· 76 82 }; 77 83 }; 78 84 79 79 - 80 85 # security.acme.certs.${rootDomain}.extraDomainNames = [domain]; 81 86 services.nginx.virtualHosts.${domain} = { 82 87 useACMEHost = domain;

+4 -1

hosts/dzwonek/modules/nginx.nix

reviewed

··· 16 16 statusPage = true; 17 17 }; 18 18 19 19 - networking.firewall.allowedTCPPorts = [ 80 443 ]; 19 19 + networking.firewall.allowedTCPPorts = [ 20 20 + 80 21 21 + 443 22 22 + ]; 20 23 21 24 # output json logs so we can consume them more easily 22 25 services.nginx.appendHttpConfig = ''

+4 -3

hosts/dzwonek/modules/tailscale.nix

reviewed

··· 1 1 - {config, ...}: { 2 2 - imports = [../../../modules/network/tailscale.nix]; 3 3 - 1 1 + { config, ... }: 2 2 + { 3 3 + imports = [ ../../../modules/network/tailscale.nix ]; 4 4 + 4 5 # age.secrets.tailscaleAuthKey.file = ../../../secrets/tailscaleAuthKey.age; 5 6 # services.tailscale.authKeyFile = config.age.secrets.tailscaleAuthKey.path; 6 7 }

+1 -1

hosts/volsinii/disk-config.nix

reviewed

··· 51 51 }; 52 52 }; 53 53 }; 54 54 - } 54 54 + }

+17 -6

hosts/volsinii/modules/hardware-configuration.nix

reviewed

··· 1 1 # Do not modify this file! It was generated by ‘nixos-generate-config’ 2 2 # and may be overwritten by future invocations. Please make changes 3 3 # to /etc/nixos/configuration.nix instead. 4 4 - { config, lib, pkgs, modulesPath, ... }: 4 4 + { 5 5 + config, 6 6 + lib, 7 7 + pkgs, 8 8 + modulesPath, 9 9 + ... 10 10 + }: 5 11 6 12 { 7 13 imports = [ ]; 8 14 9 9 - boot.initrd.availableKernelModules = [ "ata_piix" "sr_mod" "xen_blkfront" ]; 15 15 + boot.initrd.availableKernelModules = [ 16 16 + "ata_piix" 17 17 + "sr_mod" 18 18 + "xen_blkfront" 19 19 + ]; 10 20 boot.initrd.kernelModules = [ ]; 11 21 boot.kernelModules = [ ]; 12 22 boot.extraModulePackages = [ ]; ··· 16 26 systemd.network.enable = true; 17 27 systemd.network.wait-online.enable = false; 18 28 systemd.network.networks."enX0" = { 19 19 - matchConfig = { Name = "enX0"; }; 20 20 - address = ["199.71.188.53/29"]; 21 21 - gateway = ["199.71.188.49"]; 29 29 + matchConfig = { 30 30 + Name = "enX0"; 31 31 + }; 32 32 + address = [ "199.71.188.53/29" ]; 33 33 + gateway = [ "199.71.188.49" ]; 22 34 }; 23 23 - 24 35 25 36 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; 26 37 }

+4 -3

hosts/volsinii/modules/tailscale.nix

reviewed

+15 -10

hosts/wolumonde/modules/atproto.nix

reviewed

··· 17 17 }) files 18 18 ); 19 19 }; 20 20 - mkHandleCfg = rootDomain: did: (mkWellKnownCfg { 21 21 - "atproto-did" = pkgs.writeText "server" did; 22 22 - }) 23 23 - // { 24 24 - useACMEHost = rootDomain; 25 25 - forceSSL = true; 26 26 - quic = true; 27 27 - kTLS = true; 28 28 - }; 20 20 + mkHandleCfg = 21 21 + rootDomain: did: 22 22 + (mkWellKnownCfg { 23 23 + "atproto-did" = pkgs.writeText "server" did; 24 24 + }) 25 25 + // { 26 26 + useACMEHost = rootDomain; 27 27 + forceSSL = true; 28 28 + quic = true; 29 29 + kTLS = true; 30 30 + }; 29 31 mkDidWebCfg = domain: { 30 32 "${domain}" = 31 33 (mkWellKnownCfg { ··· 44 46 in 45 47 { 46 48 security.acme.certs."gaze.systems".extraDomainNames = [ 47 47 - dawnDid guestbookDid "drew.gaze.systems" "test.gaze.systems" 49 49 + dawnDid 50 50 + guestbookDid 51 51 + "drew.gaze.systems" 52 52 + "test.gaze.systems" 48 53 ]; 49 54 services.nginx.virtualHosts = { 50 55 "test.gaze.systems" = mkHandleCfg "gaze.systems" "did:web:dawn.gaze.systems";

+4 -2

hosts/wolumonde/modules/clickee-proxy.nix

reviewed

··· 1 1 - {config, terra, ...}: let 1 1 + { config, terra, ... }: 2 2 + let 2 3 port = 7145; 3 3 - in { 4 4 + in 5 5 + { 4 6 age.secrets.clickeeProxyConfig = { 5 7 file = ../../../secrets/clickeeProxyConfig.age; 6 8 };

+59 -56

hosts/wolumonde/modules/email.nix

reviewed

··· 1 1 - {pkgs, ...}: { 2 2 - security.acme.certs."ptr.pet".extraDomainNames = [ 3 3 - "mta-sts.ptr.pet" 4 4 - "autoconfig.ptr.pet" 5 5 - "autodiscover.ptr.pet" 6 6 - "test.ptr.pet" 7 7 - ]; 8 8 - services.nginx.virtualHosts."test.ptr.pet" = { 9 9 - useACMEHost = "ptr.pet"; 10 10 - quic = true; 11 11 - kTLS = true; 12 12 - forceSSL = true; 1 1 + { pkgs, ... }: 2 2 + { 3 3 + security.acme.certs."ptr.pet".extraDomainNames = [ 4 4 + "mta-sts.ptr.pet" 5 5 + "autoconfig.ptr.pet" 6 6 + "autodiscover.ptr.pet" 7 7 + "test.ptr.pet" 8 8 + ]; 9 9 + services.nginx.virtualHosts."test.ptr.pet" = { 10 10 + useACMEHost = "ptr.pet"; 11 11 + quic = true; 12 12 + kTLS = true; 13 13 + forceSSL = true; 14 14 + }; 15 15 + services.nginx.virtualHosts."ptr.pet" = { 16 16 + useACMEHost = "ptr.pet"; 17 17 + quic = true; 18 18 + kTLS = true; 19 19 + forceSSL = true; 20 20 + locations."/mail/config-v1.1.xml" = { 21 21 + return = "301 https://autoconfig.migadu.com/mail/config-v1.1.xml"; 13 22 }; 14 14 - services.nginx.virtualHosts."ptr.pet" = { 15 15 - useACMEHost = "ptr.pet"; 16 16 - quic = true; 17 17 - kTLS = true; 18 18 - forceSSL = true; 19 19 - locations."/mail/config-v1.1.xml" = { 20 20 - return = "301 https://autoconfig.migadu.com/mail/config-v1.1.xml"; 21 21 - }; 22 22 - locations."/Autodiscover/Autodiscover.xml" = { 23 23 - return = "301 https://autodiscover.migadu.com/Autodiscover/Autodiscover.xml"; 24 24 - }; 23 23 + locations."/Autodiscover/Autodiscover.xml" = { 24 24 + return = "301 https://autodiscover.migadu.com/Autodiscover/Autodiscover.xml"; 25 25 }; 26 26 - services.nginx.virtualHosts."mta-sts.ptr.pet" = let 27 27 - file = pkgs.writeText "mta-sts.txt" '' 28 28 - version: STSv1 29 29 - mode: enforce 30 30 - mx: aspmx1.migadu.com 31 31 - mx: aspmx2.migadu.com 32 32 - max_age: 31557600 33 33 - ''; 34 34 - in { 35 35 - useACMEHost = "ptr.pet"; 36 36 - quic = true; 37 37 - kTLS = true; 38 38 - forceSSL = true; 39 39 - locations."=/.well-known/mta-sts.txt".extraConfig = '' 40 40 - alias ${file}; 41 41 - default_type text/plain; 42 42 - ''; 26 26 + }; 27 27 + services.nginx.virtualHosts."mta-sts.ptr.pet" = 28 28 + let 29 29 + file = pkgs.writeText "mta-sts.txt" '' 30 30 + version: STSv1 31 31 + mode: enforce 32 32 + mx: aspmx1.migadu.com 33 33 + mx: aspmx2.migadu.com 34 34 + max_age: 31557600 35 35 + ''; 36 36 + in 37 37 + { 38 38 + useACMEHost = "ptr.pet"; 39 39 + quic = true; 40 40 + kTLS = true; 41 41 + forceSSL = true; 42 42 + locations."=/.well-known/mta-sts.txt".extraConfig = '' 43 43 + alias ${file}; 44 44 + default_type text/plain; 45 45 + ''; 43 46 }; 44 44 - services.nginx.virtualHosts."autoconfig.ptr.pet" = { 45 45 - useACMEHost = "ptr.pet"; 46 46 - quic = true; 47 47 - kTLS = true; 48 48 - forceSSL = true; 49 49 - locations."/" = { 50 50 - return = "301 https://autoconfig.migadu.com$request_uri"; 51 51 - }; 47 47 + services.nginx.virtualHosts."autoconfig.ptr.pet" = { 48 48 + useACMEHost = "ptr.pet"; 49 49 + quic = true; 50 50 + kTLS = true; 51 51 + forceSSL = true; 52 52 + locations."/" = { 53 53 + return = "301 https://autoconfig.migadu.com$request_uri"; 52 54 }; 53 53 - services.nginx.virtualHosts."autodiscover.ptr.pet" = { 54 54 - useACMEHost = "ptr.pet"; 55 55 - quic = true; 56 56 - kTLS = true; 57 57 - forceSSL = true; 58 58 - locations."/" = { 59 59 - return = "301 https://autodiscover.migadu.com$request_uri"; 60 60 - }; 55 55 + }; 56 56 + services.nginx.virtualHosts."autodiscover.ptr.pet" = { 57 57 + useACMEHost = "ptr.pet"; 58 58 + quic = true; 59 59 + kTLS = true; 60 60 + forceSSL = true; 61 61 + locations."/" = { 62 62 + return = "301 https://autodiscover.migadu.com$request_uri"; 61 63 }; 64 64 + }; 62 65 }

+1 -1

hosts/wolumonde/modules/forgejo.nix/default.nix

reviewed

··· 54 54 "public" 55 55 ]; 56 56 57 57 - security.acme.certs."gaze.systems".extraDomainNames = [forgejoCfg.server.DOMAIN]; 57 57 + security.acme.certs."gaze.systems".extraDomainNames = [ forgejoCfg.server.DOMAIN ]; 58 58 services.nginx.virtualHosts.${forgejoCfg.server.DOMAIN} = { 59 59 useACMEHost = "gaze.systems"; 60 60 forceSSL = true;

+4 -4

hosts/wolumonde/modules/hedgedoc.nix

reviewed

··· 1 1 - { config, ... }: let 1 1 + { config, ... }: 2 2 + let 2 3 cfg = config.services.hedgedoc.settings; 3 4 in 4 5 { ··· 16 17 }; 17 18 }; 18 19 19 19 - security.acme.certs."gaze.systems".extraDomainNames = [cfg.domain]; 20 20 + security.acme.certs."gaze.systems".extraDomainNames = [ cfg.domain ]; 20 21 services.nginx.virtualHosts.${cfg.domain} = { 21 22 useACMEHost = "gaze.systems"; 22 23 forceSSL = true; 23 24 quic = true; 24 25 kTLS = true; 25 25 - locations."/".proxyPass = 26 26 - "http://${cfg.host}:${toString cfg.port}"; 26 26 + locations."/".proxyPass = "http://${cfg.host}:${toString cfg.port}"; 27 27 }; 28 28 }

+5 -3

hosts/wolumonde/modules/openbao.disabled/default.nix

reviewed

··· 1 1 - {lib, config, ...}: let 1 1 + { lib, config, ... }: 2 2 + let 2 3 port = 5394; 3 4 domain = "bao.${config.services.headscale.settings.dns.base_domain}"; 4 5 cfg = config.services.openbao.settings; 5 6 apiAddress = "127.0.0.1:${toString port}"; 6 6 - in { 7 7 - imports = [./spindle-proxy]; 7 7 + in 8 8 + { 9 9 + imports = [ ./spindle-proxy ]; 8 10 9 11 services.openbao = { 10 12 enable = true;

+48 -35

hosts/wolumonde/modules/openbao.disabled/spindle-proxy/default.nix

reviewed

··· 1 1 - { config, lib, pkgs, ... }: 1 1 + { 2 2 + config, 3 3 + lib, 4 4 + pkgs, 5 5 + ... 6 6 + }: 2 7 let 3 8 port = 8945; 4 9 secrets = config.age.secrets; 5 10 cfgFile = pkgs.writeText "openbao-proxy-spindle-config.hcl" ( 6 11 lib.replaceStrings 7 7 - [ 8 8 - "%role_id%" 9 9 - "%secret_id%" 10 10 - "%vault_address%" 11 11 - "%listener_port%" 12 12 - "%name%" 13 13 - ] 14 14 - [ 15 15 - secrets.spindleOpenbaoRoleId.path 16 16 - secrets.spindleOpenbaoSecretId.path 17 17 - config.services.openbao.settings.api_addr 18 18 - (toString port) 19 19 - name 20 20 - ] 21 21 - (lib.fileContents ./config.hcl) 12 12 + [ 13 13 + "%role_id%" 14 14 + "%secret_id%" 15 15 + "%vault_address%" 16 16 + "%listener_port%" 17 17 + "%name%" 18 18 + ] 19 19 + [ 20 20 + secrets.spindleOpenbaoRoleId.path 21 21 + secrets.spindleOpenbaoSecretId.path 22 22 + config.services.openbao.settings.api_addr 23 23 + (toString port) 24 24 + name 25 25 + ] 26 26 + (lib.fileContents ./config.hcl) 22 27 ); 23 28 domain = "spindle.bao.lan.gaze.systems"; 24 29 name = "openbao-proxy-spindle"; ··· 42 47 group = name; 43 48 }; 44 49 users.groups.${name} = { 45 45 - members = [name]; 50 50 + members = [ name ]; 46 51 }; 47 52 48 53 systemd.services.${name} = { ··· 58 63 LimitNOFILE = "65536"; 59 64 User = name; 60 65 Group = name; 61 61 - RuntimeDirectory=name; 62 62 - RuntimeDirectoryMode=0700; 63 63 - StateDirectory=name; 64 64 - StateDirectoryMode=0700; 65 65 - ProcSubset="pid"; 66 66 - ProtectClock=true; 67 67 - ProtectControlGroups=true; 68 68 - ProtectHome=true; 69 69 - ProtectHostname=true; 70 70 - ProtectKernelLogs=true; 71 71 - ProtectKernelModules=true; 72 72 - ProtectKernelTunables=true; 73 73 - ProtectProc="invisible"; 74 74 - RestrictNamespaces=true; 75 75 - RestrictRealtime=true; 76 76 - RestrictAddressFamilies=["AF_INET" "AF_INET6" "AF_UNIX"]; 77 77 - SystemCallArchitectures="native"; 78 78 - SystemCallFilter=["@system-service" "@resources" "~@privileged"]; 66 66 + RuntimeDirectory = name; 67 67 + RuntimeDirectoryMode = 0700; 68 68 + StateDirectory = name; 69 69 + StateDirectoryMode = 0700; 70 70 + ProcSubset = "pid"; 71 71 + ProtectClock = true; 72 72 + ProtectControlGroups = true; 73 73 + ProtectHome = true; 74 74 + ProtectHostname = true; 75 75 + ProtectKernelLogs = true; 76 76 + ProtectKernelModules = true; 77 77 + ProtectKernelTunables = true; 78 78 + ProtectProc = "invisible"; 79 79 + RestrictNamespaces = true; 80 80 + RestrictRealtime = true; 81 81 + RestrictAddressFamilies = [ 82 82 + "AF_INET" 83 83 + "AF_INET6" 84 84 + "AF_UNIX" 85 85 + ]; 86 86 + SystemCallArchitectures = "native"; 87 87 + SystemCallFilter = [ 88 88 + "@system-service" 89 89 + "@resources" 90 90 + "~@privileged" 91 91 + ]; 79 92 }; 80 93 }; 81 94

+6 -3

hosts/wolumonde/modules/perses.nix/default.nix

reviewed

··· 66 66 67 67 systemd.services.perses = { 68 68 description = "perses"; 69 69 - after = ["network.target" "pocket-id.service"]; 70 70 - requires = ["pocket-id.service"]; 69 69 + after = [ 70 70 + "network.target" 71 71 + "pocket-id.service" 72 72 + ]; 73 73 + requires = [ "pocket-id.service" ]; 71 74 serviceConfig = { 72 75 ExecStart = "${pkgs.perses}/bin/perses --config=${persesConfigYaml} --web.listen-address=:${toString port} --log.level=info"; 73 76 EnvironmentFile = secrets.persesSecret.path; ··· 79 82 cp -f ${./provision}/* ${provisioningFolder} 80 83 ''; 81 84 82 82 - security.acme.certs."gaze.systems".extraDomainNames = [domain]; 85 85 + security.acme.certs."gaze.systems".extraDomainNames = [ domain ]; 83 86 services.nginx.virtualHosts.${domain} = { 84 87 useACMEHost = "gaze.systems"; # TODO: write a module to define vhosts for subdomains 85 88 quic = true;

+1 -1

hosts/wolumonde/modules/pocket-id.nix

reviewed

··· 13 13 }; 14 14 }; 15 15 16 16 - security.acme.certs."gaze.systems".extraDomainNames = [domain]; 16 16 + security.acme.certs."gaze.systems".extraDomainNames = [ domain ]; 17 17 18 18 services.nginx.virtualHosts.${domain} = { 19 19 useACMEHost = "gaze.systems";

+2 -2

hosts/wolumonde/modules/tailscale.nix

reviewed

··· 1 1 { config, ... }: 2 2 { 3 3 - imports = [../../../modules/network/tailscale.nix]; 4 4 - 3 3 + imports = [ ../../../modules/network/tailscale.nix ]; 4 4 + 5 5 # age.secrets.tailscaleAuthKey.file = ../../../secrets/tailscaleAuthKey.age; 6 6 # services.tailscale.authKeyFile = config.age.secrets.tailscaleAuthKey.path; 7 7

+4 -1

hosts/wolumonde/modules/tangled.nix/default.nix

reviewed

··· 1 1 { 2 2 - imports = [./knot.nix ./spindle.nix]; 2 2 + imports = [ 3 3 + ./knot.nix 4 4 + ./spindle.nix 5 5 + ]; 3 6 }

+1 -1

hosts/wolumonde/modules/tangled.nix/knot.nix

reviewed

··· 24 24 }; 25 25 }; 26 26 27 27 - security.acme.certs."gaze.systems".extraDomainNames = [knotCfg.server.hostname]; 27 27 + security.acme.certs."gaze.systems".extraDomainNames = [ knotCfg.server.hostname ]; 28 28 29 29 services.nginx.virtualHosts.${knotCfg.server.hostname} = { 30 30 useACMEHost = "gaze.systems";

+1 -1

hosts/wolumonde/modules/tangled.nix/spindle.nix

reviewed

··· 41 41 }; 42 42 }; 43 43 44 44 - security.acme.certs."gaze.systems".extraDomainNames = [spindleCfg.server.hostname]; 44 44 + security.acme.certs."gaze.systems".extraDomainNames = [ spindleCfg.server.hostname ]; 45 45 46 46 services.nginx.virtualHosts.${spindleCfg.server.hostname} = { 47 47 useACMEHost = "gaze.systems";

+5 -3

hosts/wolumonde/modules/webhook.disabled/default.nix

reviewed

··· 1 1 - { config, tlib, ... }: let 1 1 + { config, tlib, ... }: 2 2 + let 2 3 domain = "webhook.gaze.systems"; 3 3 - in { 4 4 + in 5 5 + { 4 6 imports = tlib.importFolder ./.; 5 7 6 8 services.webhook = { ··· 15 17 group = "nginx"; 16 18 }; 17 19 18 18 - security.acme.certs."gaze.systems".extraDomainNames = [domain]; 20 20 + security.acme.certs."gaze.systems".extraDomainNames = [ domain ]; 19 21 services.nginx.virtualHosts.${domain} = { 20 22 useACMEHost = "gaze.systems"; 21 23 forceSSL = true;

+15 -14

hosts/wolumonde/modules/webhook.disabled/deploy-wolumonde.nix

reviewed

··· 1 1 - { pkgs, ... }: let 1 1 + { pkgs, ... }: 2 2 + let 2 3 port = toString 9000; 3 3 - in { 4 4 + in 5 5 + { 4 6 services.webhook.hooks."deploy-wolumonde" = { 5 7 execute-command = "${pkgs.curl}/bin/curl"; 6 6 - pass-arguments-to-command = 7 7 - builtins.map 8 8 - (n: { 9 9 - source = "string"; 10 10 - name = n; 11 11 - }) 12 12 - [ "http://higashi:${port}/hooks/deploy-wolumonde" ]; 8 8 + pass-arguments-to-command = builtins.map (n: { 9 9 + source = "string"; 10 10 + name = n; 11 11 + }) [ "http://higashi:${port}/hooks/deploy-wolumonde" ]; 13 12 }; 14 13 15 15 - services.headscale.acl.rules = [{ 16 16 - proto = "tcp"; 17 17 - src = ["wolumonde"]; 18 18 - dst = ["higashi:${port}"]; 19 19 - }]; 14 14 + services.headscale.acl.rules = [ 15 15 + { 16 16 + proto = "tcp"; 17 17 + src = [ "wolumonde" ]; 18 18 + dst = [ "higashi:${port}" ]; 19 19 + } 20 20 + ]; 20 21 }

+4 -1

users/dusk@devel.mobi/default.nix

reviewed

··· 70 70 enable = true; 71 71 controlServer = "https://vpn.gaze.systems"; 72 72 authKeyFile = config.age.secrets.tailscaleAuthKey.path; 73 73 - extraUpFlags = [ "--advertise-exit-node=true" "--hostname=dusk-devel-mobi" ]; 73 73 + extraUpFlags = [ 74 74 + "--advertise-exit-node=true" 75 75 + "--hostname=dusk-devel-mobi" 76 76 + ]; 74 77 }; 75 78 76 79 programs = {

+10 -10

users/modules/ssh/default.nix

reviewed

··· 3 3 enable = true; 4 4 enableDefaultConfig = false; 5 5 matchBlocks."*" = { 6 6 - forwardAgent = false; 7 7 - serverAliveInterval = 0; 8 8 - serverAliveCountMax = 3; 9 9 - compression = true; 10 10 - hashKnownHosts = true; 11 11 - addKeysToAgent = "yes"; 12 12 - userKnownHostsFile = "~/.ssh/known_hosts"; 13 13 - controlMaster = "no"; 14 14 - controlPath = "~/.ssh/master-%r@%n:%p"; 15 15 - controlPersist = "no"; 6 6 + forwardAgent = false; 7 7 + serverAliveInterval = 0; 8 8 + serverAliveCountMax = 3; 9 9 + compression = true; 10 10 + hashKnownHosts = true; 11 11 + addKeysToAgent = "yes"; 12 12 + userKnownHostsFile = "~/.ssh/known_hosts"; 13 13 + controlMaster = "no"; 14 14 + controlPath = "~/.ssh/master-%r@%n:%p"; 15 15 + controlPersist = "no"; 16 16 }; 17 17 # Only needed for darcs hub 18 18 # extraConfig = ''