diff --git a/README.md b/README.md
index d11785b..8d5da60 100644
--- a/README.md
+++ b/README.md
@@ -17,11 +17,11 @@ Collection of my personal Nix configurations and opinionated NixOS, nix-darwin,
- hosts - per-machine configurations
- kazuki - my linux arm server
- - legion - my linux x86 server
- hijiri - my macbook
- hijiri-vm - linux vm running on my macbook
- ude - another linux arm server
- kogata - my m1 mac mini doubling as a server
+ - youko - my linux x86 server
- modules - options which in principle should be reusable by others
- system - my opinionated nixos/nix-darwin modules
- home - my opinionated home-manager modules
diff --git a/assets/forgejo/apple-touch-icon.png b/assets/forgejo/apple-touch-icon.png
new file mode 100644
index 0000000..78da40f
Binary files /dev/null and b/assets/forgejo/apple-touch-icon.png differ
diff --git a/assets/forgejo/avatar_default.png b/assets/forgejo/avatar_default.png
new file mode 100644
index 0000000..ce6f772
Binary files /dev/null and b/assets/forgejo/avatar_default.png differ
diff --git a/assets/forgejo/favicon.png b/assets/forgejo/favicon.png
new file mode 100644
index 0000000..f6e48b9
Binary files /dev/null and b/assets/forgejo/favicon.png differ
diff --git a/assets/forgejo/favicon.svg b/assets/forgejo/favicon.svg
new file mode 100644
index 0000000..7cf10f5
--- /dev/null
+++ b/assets/forgejo/favicon.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/assets/forgejo/logo.png b/assets/forgejo/logo.png
new file mode 100644
index 0000000..ca1d390
Binary files /dev/null and b/assets/forgejo/logo.png differ
diff --git a/assets/forgejo/logo.svg b/assets/forgejo/logo.svg
new file mode 100644
index 0000000..7cf10f5
--- /dev/null
+++ b/assets/forgejo/logo.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/assets/ssh.nix b/assets/ssh.nix
index afdc92c..c699be9 100644
--- a/assets/ssh.nix
+++ b/assets/ssh.nix
@@ -9,7 +9,6 @@
hijiri-vm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP6tfXLB6xhcl3rtI5x9NXSs12U4LVy06RRlyZxiORa0 nikodem@rabulinski.com";
kazuki = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIImsFb9qRxX0n2Bmy00T8iPam+Fc3mgKkm7dfM7AQRHN nikodem@rabulinski.com";
- legion = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILHX2MNGZGSTedYAepZHgcx+KK0A6ASulwSrpf9ytb5h nikodem@rabulinski.com";
miyagi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEIf4Ypws+1v9WL9MibW1dELpa/7YixElaBE7S71jsTy nrabulinski@antmicro.com";
ude = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEDm3M/i/4wP2BM4+9hHAOMospwvlBZ+FT+pJtVgaaMq nikodem@rabulinski.com";
kogata = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGK7H4Z29d72HJlI69Vt0YLOyuPcn9XxYjvMZfql80z0 nikodem@rabulinski.com";
@@ -20,7 +19,6 @@
system = {
kazuki = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEyYhYWDNmKSrpcslD3NzWW+lQmDcLJdjLh7CSkL4hW5 root@kazuki";
- legion = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0Ktyj0FSn8KLRwRGd0Tp/qNUPXV7+XyxAsWGWdMYp8 root@legion";
miyagi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILbUcsZrZgGHojG+1yVyNEW5Fgr7/7qNaWxOt+lFrJaD root@miyagi";
ude = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDZW15ObZ6XG776pdEvs9yqSuIiWlbGveEVA774Ri9/o root@ude";
kogata = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICPN/SXBcIB1WN8GIhYrQrqzFGuVkEP4o0E+x0uQ4f2l";
diff --git a/flake.lock b/flake.lock
index 5d68e57..3cd382a 100644
--- a/flake.lock
+++ b/flake.lock
@@ -190,22 +190,6 @@
"type": "github"
}
},
- "fl-config": {
- "locked": {
- "lastModified": 1653159448,
- "narHash": "sha256-PvB9ha0r4w6p412MBPP71kS/ZTBnOjxL0brlmyucPBA=",
- "owner": "flakelib",
- "repo": "fl",
- "rev": "fcefb9738d5995308a24cda018a083ccb6b0f460",
- "type": "github"
- },
- "original": {
- "owner": "flakelib",
- "ref": "config",
- "repo": "fl",
- "type": "github"
- }
- },
"flake-compat": {
"flake": false,
"locked": {
@@ -351,25 +335,6 @@
"type": "github"
}
},
- "flakelib": {
- "inputs": {
- "fl-config": "fl-config",
- "std": "std"
- },
- "locked": {
- "lastModified": 1701802971,
- "narHash": "sha256-Zo5fJpXbe+xXOTiDT4JG2rExobMJTmFZ72+3XTMMHrQ=",
- "owner": "flakelib",
- "repo": "fl",
- "rev": "b71a91517f6b16aa5faefe8ec491d9f3062d7a20",
- "type": "github"
- },
- "original": {
- "owner": "flakelib",
- "repo": "fl",
- "type": "github"
- }
- },
"flakey-profile": {
"locked": {
"lastModified": 1712898590,
@@ -531,21 +496,6 @@
"type": "github"
}
},
- "nix-std": {
- "locked": {
- "lastModified": 1701658249,
- "narHash": "sha256-KIt1TUuBvldhaVRta010MI5FeQlB8WadjqljybjesN0=",
- "owner": "chessai",
- "repo": "nix-std",
- "rev": "715db541ffff4194620e48d210b76f73a74b5b5d",
- "type": "github"
- },
- "original": {
- "owner": "chessai",
- "repo": "nix-std",
- "type": "github"
- }
- },
"nixpkgs": {
"locked": {
"lastModified": 1723603349,
@@ -621,44 +571,6 @@
"type": "github"
}
},
- "nvidia-patch": {
- "inputs": {
- "flakelib": "flakelib",
- "nixpkgs": [
- "nixpkgs"
- ],
- "nvidia-patch-src": "nvidia-patch-src"
- },
- "locked": {
- "lastModified": 1742460640,
- "narHash": "sha256-Qks0TRMOiuVKjcSPkg251Q2/wdU5ooMt4b2f2numPzg=",
- "owner": "arcnmx",
- "repo": "nvidia-patch.nix",
- "rev": "c85990250376300fe11413e22458911f408f64d0",
- "type": "github"
- },
- "original": {
- "owner": "arcnmx",
- "repo": "nvidia-patch.nix",
- "type": "github"
- }
- },
- "nvidia-patch-src": {
- "flake": false,
- "locked": {
- "lastModified": 1742384429,
- "narHash": "sha256-5O0TXVrLsFrULXli2vB2iJ7TECUckMHKvJZYmdkcnGE=",
- "owner": "keylase",
- "repo": "nvidia-patch",
- "rev": "07080317245ac30c38001d2149810b2dee3cce1f",
- "type": "github"
- },
- "original": {
- "owner": "keylase",
- "repo": "nvidia-patch",
- "type": "github"
- }
- },
"racket": {
"inputs": {
"nixpkgs": [
@@ -697,7 +609,6 @@
"mailserver": "mailserver",
"niko-nur": "niko-nur",
"nixpkgs": "nixpkgs_2",
- "nvidia-patch": "nvidia-patch",
"racket": "racket",
"treefmt": "treefmt",
"wrapper-manager": "wrapper-manager",
@@ -764,24 +675,6 @@
"type": "github"
}
},
- "std": {
- "inputs": {
- "nix-std": "nix-std"
- },
- "locked": {
- "lastModified": 1701802337,
- "narHash": "sha256-JCVCyjDZ6LA0xyVoDZzRXjy0OgWOZo3OpeZEVm/U97w=",
- "owner": "flakelib",
- "repo": "std",
- "rev": "443d1c8246b3d96a4822b02af907ca0d833e8b63",
- "type": "github"
- },
- "original": {
- "owner": "flakelib",
- "repo": "std",
- "type": "github"
- }
- },
"systems": {
"locked": {
"lastModified": 1681028828,
diff --git a/flake.nix b/flake.nix
index 217b7cc..821117f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -65,6 +65,10 @@
# racket
"*.rkt"
"**/rashrc"
+
+ # custom assets
+ "*.png"
+ "*.svg"
];
settings.on-unmatched = "fatal";
};
@@ -121,10 +125,6 @@
url = "gitlab:famedly/conduit?ref=next";
flake = false;
};
- nvidia-patch = {
- url = "github:arcnmx/nvidia-patch.nix";
- inputs.nixpkgs.follows = "nixpkgs";
- };
fenix = {
url = "github:nix-community/fenix";
inputs.nixpkgs.follows = "nixpkgs";
diff --git a/hosts/default.nix b/hosts/default.nix
index 03d464d..d8ed8b3 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -9,7 +9,6 @@
./kazuki
./hijiri-vm
./hijiri
- ./legion
# TODO: Custom installer ISO
# ./installer
./ude
diff --git a/hosts/kazuki/default.nix b/hosts/kazuki/default.nix
index df92f1c..8464cb5 100644
--- a/hosts/kazuki/default.nix
+++ b/hosts/kazuki/default.nix
@@ -15,7 +15,6 @@
./storage.nix
./ntfy.nix
./zitadel.nix
- ./forgejo.nix
./prometheus.nix
];
diff --git a/hosts/kazuki/forgejo.nix b/hosts/kazuki/forgejo.nix
deleted file mode 100644
index 9f200e2..0000000
--- a/hosts/kazuki/forgejo.nix
+++ /dev/null
@@ -1,62 +0,0 @@
-{ config, ... }:
-{
- age.secrets.rab-lol-cf = {
- file = ../../secrets/rab-lol-cf.age;
- owner = config.services.nginx.user;
- };
-
- services.forgejo = {
- enable = true;
- settings = {
- server = {
- DOMAIN = "git.rab.lol";
- ROOT_URL = "https://git.rab.lol/";
- };
- oauth2_client = {
- REGISTER_EMAIL_CONFIRM = false;
- ENABLE_AUTO_REGISTRATION = true;
- ACCOUNT_LINKING = "auto";
- UPDATE_AVATAR = true;
- };
- service = {
- DISABLE_REGISTRATION = false;
- ALLOW_ONLY_INTERNAL_REGISTRATION = false;
- ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
- };
- federation.ENABLED = true;
- };
- repositoryRoot = "/storage-box/forgejo/repos";
- lfs = {
- enable = true;
- contentDir = "/storage-box/forgejo/lfs";
- };
- };
-
- services.nginx = {
- enable = true;
- recommendedProxySettings = true;
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedTlsSettings = true;
- virtualHosts."git.rab.lol" = {
- forceSSL = true;
- enableACME = true;
- acmeRoot = null;
- locations."/" = {
- proxyPass = "http://127.0.0.1:3000";
- extraConfig = ''
- proxy_set_header Connection $http_connection;
- proxy_set_header Upgrade $http_upgrade;
- '';
- };
- };
- };
-
- users.users.nginx.extraGroups = [ "acme" ];
- security.acme.acceptTerms = true;
- security.acme.certs."git.rab.lol" = {
- dnsProvider = "cloudflare";
- credentialsFile = config.age.secrets.rab-lol-cf.path;
- email = "nikodem@rabulinski.com";
- };
-}
diff --git a/hosts/legion/default.nix b/hosts/legion/default.nix
deleted file mode 100644
index 92c95be..0000000
--- a/hosts/legion/default.nix
+++ /dev/null
@@ -1,47 +0,0 @@
-{
- configurations.nixos.legion =
- {
- config,
- username,
- ...
- }:
- {
- imports = [
- ./hardware.nix
- # ./disks.nix
- ./msmtp.nix
- ./desktop.nix
- ];
-
- nixpkgs.hostPlatform = "x86_64-linux";
-
- specialisation = {
- nas.configuration = ./nas;
- };
-
- boot = {
- loader.systemd-boot.enable = true;
- loader.efi.canTouchEfiVariables = true;
- };
-
- settei.tailscale = {
- ipv4 = "100.84.112.35";
- ipv6 = "fd7a:115c:a1e0:ab12:4843:cd96:6254:7023";
- };
-
- networking = {
- hostName = "legion";
- hostId = builtins.substring 0 8 "524209a432724c7abaf04398cdd6eecd";
- networkmanager.enable = true;
- };
- systemd.services.NetworkManager-wait-online.enable = false;
-
- powerManagement.cpuFreqGovernor = "performance";
-
- age.secrets.niko-pass.file = ../../secrets/legion-niko-pass.age;
- users.users.${username}.hashedPasswordFile = config.age.secrets.niko-pass.path;
-
- settei.incus.enable = true;
- virtualisation.podman.enable = true;
- };
-}
diff --git a/hosts/legion/desktop.nix b/hosts/legion/desktop.nix
deleted file mode 100644
index 7d80cd9..0000000
--- a/hosts/legion/desktop.nix
+++ /dev/null
@@ -1,112 +0,0 @@
-# TODO: Proper desktop module
-{
- config,
- pkgs,
- lib,
- username,
- ...
-}:
-{
- # Needed for nvidia and steam
- nixpkgs.config.allowUnfree = true;
-
- settei.user.config = {
- settei.desktop.enable = true;
- home.packages = with pkgs; [
- brightnessctl
- dmenu
- ];
-
- xsession.windowManager.i3 = {
- enable = true;
- config = {
- terminal = "wezterm";
- modifier = "Mod4";
- };
- };
-
- home.file.".xinitrc".source = pkgs.writeShellScript "xinitrc" ''
- xrandr --setprovideroutputsource modesetting NVIDIA-0
- xrandr --auto
- exec dbus-run-session i3
- '';
- };
-
- programs.steam = {
- enable = true;
- remotePlay.openFirewall = true;
- dedicatedServer.openFirewall = true;
- gamescopeSession = { };
- };
-
- hardware.steam-hardware.enable = true;
-
- services.logind = lib.genAttrs [
- "lidSwitch"
- "lidSwitchDocked"
- "lidSwitchExternalPower"
- ] (_: "ignore");
-
- services.pipewire = {
- enable = true;
- alsa.enable = true;
- pulse.enable = true;
- };
-
- programs.dconf.enable = true;
- services.dbus.enable = true;
-
- users.users.${username}.extraGroups = [
- "video"
- "input"
- ];
-
- # NVIDIA stuff
- services.xserver = {
- enable = true;
- excludePackages = [ pkgs.xterm ];
- videoDrivers = [ "nvidia" ];
- xkb.layout = "pl";
- displayManager.startx.enable = true;
- config = lib.mkForce ''
- Section "OutputClass"
- Identifier "intel"
- MatchDriver "i915"
- Driver "modesetting"
- EndSection
-
- Section "OutputClass"
- Identifier "nvidia"
- MatchDriver "nvidia-drm"
- Driver "nvidia"
- Option "AllowEmptyInitialConfiguration"
- Option "PrimaryGPU" "yes"
- ModulePath "${config.hardware.nvidia.package.bin}/lib/xorg/modules"
- ModulePath "${pkgs.xorg.xorgserver}/lib/xorg/modules"
- EndSection
-
- Section "InputClass"
- Identifier "touchpad"
- Driver "libinput"
- MatchIsTouchpad "on"
- Option "Tapping" "on"
- Option "TappingButtonMap" "lrm"
- Option "NaturalScrolling" "true"
- EndSection
- '';
- exportConfiguration = true;
- };
- services.libinput.enable = true;
-
- hardware.nvidia = {
- patch.enable = true;
- patch.nvidiaPackage = config.boot.kernelPackages.nvidia_x11_production;
- open = false;
- modesetting.enable = true;
- };
-
- hardware.graphics = {
- enable = true;
- enable32Bit = true;
- };
-}
diff --git a/hosts/legion/disks.nix b/hosts/legion/disks.nix
deleted file mode 100644
index 74ecef9..0000000
--- a/hosts/legion/disks.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-_args:
-/*
- let
- bootDevice = args.bootDevice or "/dev/nvme0n1";
- in
-*/
-{
- assertions = [
- {
- assertion = false;
- message = "Disko config TODO";
- }
- ];
-}
diff --git a/hosts/legion/hardware.nix b/hosts/legion/hardware.nix
deleted file mode 100644
index f1b8f71..0000000
--- a/hosts/legion/hardware.nix
+++ /dev/null
@@ -1,90 +0,0 @@
-{ config, ... }:
-{
- boot.initrd.availableKernelModules = [
- "xhci_pci"
- "ahci"
- "nvme"
- "usbhid"
- "usb_storage"
- "uas"
- ];
- boot.extraModulePackages = with config.boot.kernelPackages; [ acpi_call ];
- boot.kernelModules = [
- "kvm-intel"
- "i2c-dev"
- "acpi_call"
- ];
- boot.blacklistedKernelModules = [ "nouveau" ];
-
- # Needed for enableAllFirmware
- nixpkgs.config.allowUnfree = true;
- hardware = {
- enableAllFirmware = true;
- cpu.intel.updateMicrocode = true;
- };
-
- services.smartd.enable = true;
-
- # TODO: Move to disko only
- # TODO: Actually set up impermanence
- boot.supportedFilesystems = [ "btrfs" ];
- boot.initrd.luks.devices."enc".device = "/dev/disk/by-label/LUKS";
-
- fileSystems."/" = {
- device = "/dev/disk/by-label/LINUX";
- fsType = "btrfs";
- options = [
- "subvol=root"
- "compress=zstd"
- "noatime"
- ];
- };
-
- fileSystems."/home" = {
- device = "/dev/disk/by-label/LINUX";
- fsType = "btrfs";
- options = [
- "subvol=home"
- "compress=zstd"
- "noatime"
- ];
- };
-
- fileSystems."/nix" = {
- device = "/dev/disk/by-label/LINUX";
- fsType = "btrfs";
- options = [
- "subvol=nix"
- "compress=zstd"
- "noatime"
- ];
- };
-
- fileSystems."/persist" = {
- device = "/dev/disk/by-label/LINUX";
- fsType = "btrfs";
- options = [
- "subvol=persist"
- "compress=zstd"
- "noatime"
- ];
- };
-
- fileSystems."/var/log" = {
- device = "/dev/disk/by-label/LINUX";
- fsType = "btrfs";
- options = [
- "subvol=log"
- "compress=zstd"
- "noatime"
- ];
- neededForBoot = true;
- };
-
- fileSystems."/boot" = {
- device = "/dev/disk/by-label/BOOT";
- fsType = "vfat";
- };
-
- swapDevices = [ { device = "/dev/disk/by-label/SWAP"; } ];
-}
diff --git a/hosts/legion/msmtp.nix b/hosts/legion/msmtp.nix
deleted file mode 100644
index dc51c15..0000000
--- a/hosts/legion/msmtp.nix
+++ /dev/null
@@ -1,36 +0,0 @@
-# TODO: Potentially make this a common module?
-{
- pkgs,
- config,
- username,
- ...
-}:
-let
- mail = "alert@nrab.lol";
- aliases = pkgs.writeText "mail-aliases" ''
- ${username}: nikodem@rabulinski.com
- root: ${mail}
- '';
-in
-{
- age.secrets.alert-plaintext.file = ../../secrets/alert-plain-pass.age;
-
- programs.msmtp = {
- enable = true;
- setSendmail = true;
- defaults = {
- inherit aliases;
- tls = "on";
- auth = "login";
- tls_starttls = "off";
- };
- accounts = {
- default = {
- host = "mail.nrab.lol";
- passwordeval = "cat ${config.age.secrets.alert-plaintext.path}";
- user = mail;
- from = mail;
- };
- };
- };
-}
diff --git a/hosts/legion/nas/default.nix b/hosts/legion/nas/default.nix
deleted file mode 100644
index f01145a..0000000
--- a/hosts/legion/nas/default.nix
+++ /dev/null
@@ -1,59 +0,0 @@
-{
- pkgs,
- lib,
- username,
- ...
-}:
-{
- imports = [ ./media.nix ];
-
- boot.supportedFilesystems = [
- "ext4"
- "zfs"
- ];
-
- boot.zfs.extraPools = [ "yottapool" ];
- services.zfs = {
- autoScrub.enable = true;
- zed.settings = {
- ZED_DEBUG_LOG = "/tmp/zed.debug.log";
- ZED_EMAIL_ADDR = [ username ];
- ZED_EMAIL_PROG = lib.getExe pkgs.msmtp;
- ZED_EMAIL_OPTS = "@ADDRESS@";
-
- ZED_NOTIFY_INTERVAL_SECS = 3600;
- ZED_NOTIFY_VERBOSE = true;
-
- ZED_USE_ENCLOSURE_LEDS = true;
- ZED_SCRUB_AFTER_RESILVER = true;
- };
- };
-
- fileSystems."/bulk" = {
- device = "/dev/disk/by-label/BULK";
- fsType = "ext4";
- };
-
- systemd.mounts = [
- {
- type = "none";
- options = "bind";
- what = "/media/data";
- where = "/export/yotta-data";
- requires = [ "zfs-mount.service" ];
- after = [ "zfs-mount.service" ];
- wantedBy = [ "multi-user.target" ];
- before = [ "nfs-server.service" ];
- requiredBy = [ "nfs-server.service" ];
- }
- ];
-
- services.nfs.server = {
- enable = true;
- hostName = "100.84.112.35";
- exports = ''
- /export *(insecure,rw,crossmnt,fsid=0)
- /export/yotta-data *(insecure,rw,nohide)
- '';
- };
-}
diff --git a/hosts/legion/nas/media.nix b/hosts/legion/nas/media.nix
deleted file mode 100644
index 501e811..0000000
--- a/hosts/legion/nas/media.nix
+++ /dev/null
@@ -1,132 +0,0 @@
-{
- config,
- username,
- lib,
- ...
-}:
-{
- age.secrets.rab-lol-cf = {
- file = ../../../secrets/rab-lol-cf.age;
- owner = config.services.nginx.user;
- };
-
- services.jellyfin = {
- enable = true;
- openFirewall = true;
- };
- services.radarr.enable = true;
- # TODO: Remove once https://github.com/Sonarr/Sonarr/pull/7443 is merged
- nixpkgs.config.permittedInsecurePackages = [
- "dotnet-sdk-6.0.428"
- "aspnetcore-runtime-6.0.36"
- ];
- services.sonarr.enable = true;
- services.prowlarr.enable = true;
- services.jellyseerr.enable = true;
- services.deluge = {
- enable = true;
- web.enable = true;
- config.download_location = "/media/deluge";
- };
-
- services.restic.server = {
- enable = true;
- dataDir = "/media/restic";
- extraFlags = [ "--no-auth" ];
- };
-
- users.users = {
- jellyfin.extraGroups = [
- "radarr"
- "sonarr"
- ];
- radarr.extraGroups = [ "deluge" ];
- sonarr.extraGroups = [ "deluge" ];
- ${username}.extraGroups = [ "deluge" ];
- };
-
- systemd.services = lib.mkMerge [
- (lib.genAttrs
- [
- "jellyfin"
- "radarr"
- "sonarr"
- "prowlarr"
- "deluged"
- "restic-rest-server"
- ]
- (_: {
- requires = [ "zfs-mount.service" ];
- after = [ "zfs-mount.service" ];
- })
- )
- {
- jellyseerr.requires = [
- "jellyfin.service"
- "radarr.service"
- "sonarr.service"
- ];
-
- radarr.requires = [ "deluged.service" ];
- sonarr.requires = [ "deluged.service" ];
- }
- ];
-
- services.nginx = {
- enable = true;
- recommendedProxySettings = true;
- virtualHosts =
- let
- services = [
- "jellyfin"
- "jellyseerr"
- "deluge"
- "prowlarr"
- "sonarr"
- "radarr"
- ];
- mkService = name: {
- forceSSL = true;
- useACMEHost = "_wildcard.legion.rab.lol";
- listen = lib.flatten (
- map
- (port: [
- (port // { addr = config.settei.tailscale.ipv4; })
- (port // { addr = "[${config.settei.tailscale.ipv6}]"; })
- ])
- [
- { port = 80; }
- {
- port = 443;
- ssl = true;
- }
- ]
- );
-
- locations."/".proxyPass = "http://${name}";
- };
- services' = map (service: {
- name = "${service}.legion.rab.lol";
- value = mkService service;
- }) services;
- in
- lib.listToAttrs services';
- upstreams = {
- jellyfin.servers."localhost:8096" = { };
- jellyseerr.servers."localhost:5055" = { };
- deluge.servers."localhost:8112" = { };
- prowlarr.servers."localhost:9696" = { };
- radarr.servers."localhost:7878" = { };
- sonarr.servers."localhost:8989" = { };
- };
- };
-
- users.users.nginx.extraGroups = [ "acme" ];
- security.acme.acceptTerms = true;
- security.acme.certs."_wildcard.legion.rab.lol" = {
- domain = "*.legion.rab.lol";
- dnsProvider = "cloudflare";
- credentialsFile = config.age.secrets.rab-lol-cf.path;
- email = "nikodem@rabulinski.com";
- };
-}
diff --git a/modules/default.nix b/modules/default.nix
index 32f8e5f..24a8f46 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -33,7 +33,6 @@ in
inputs.disko.nixosModules.disko
inputs.mailserver.nixosModules.default
inputs.home-manager.nixosModules.home-manager
- inputs.nvidia-patch.nixosModules.nvidia-patch
inputs.attic.nixosModules.atticd
inputs.lix-module.nixosModules.default
{
diff --git a/modules/system/containers.nix b/modules/system/containers.nix
index a0942f9..26e7e7e 100644
--- a/modules/system/containers.nix
+++ b/modules/system/containers.nix
@@ -85,6 +85,12 @@ let
services.openssh.hostKeys = [ ];
system.stateVersion = lib.mkDefault config.system.stateVersion;
+
+ networking.useHostResolvConf = false;
+ networking.nameservers = [
+ "1.1.1.1"
+ "1.0.0.1"
+ ];
};
bindMounts = {
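Review bot: The added `networking.nameservers` pins every container to a fixed external resolver with no override point, which diverges from the `lib.mkDefault` used for `system.stateVersion` on the line just above it. Because the same hunk also sets `networking.useHostResolvConf = false`, a host that runs a local caching resolver, DNS-over-TLS, or a Tailscale MagicDNS setup will find its containers bypassing it and sending plain-text DNS to a third party instead; that may be intended, but it is a policy decision worth stating. The least intrusive fix is `networking.nameservers = lib.mkDefault [ "1.1.1.1" "1.0.0.1" ];` so a per-container `config` can replace it, or lifting the list into a `settei.containers` option. A one-line comment such as `# containers have private networking, so the host's resolv.conf is not usable here` would also record why the host resolver is turned off. The enclosing `let` binding this container config belongs to begins outside the hunk.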
@@ -95,6 +101,11 @@ let
privateNetwork = lib.mkForce true;
}
) config.settei.containers;
+
+ networking.nat = lib.mkIf (config.settei.containers != { }) {
+ enable = true;
+ internalInterfaces = [ "ve-+" ];
+ };
};
darwinConfig = lib.optionalAttrs (!isLinux) {
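Review bot: `networking.nat` is enabled here with only `internalInterfaces` set, and nothing in this hunk names an `externalInterface`; if it is not set elsewhere in the module, masquerading is not tied to a single uplink, so container traffic may also be NATed out over whichever interfaces the host has (including a tailnet interface on hosts that run one) — please confirm that is the intended exposure. The `ve-+` pattern also matches the veth of every nspawn container on the host, not only those declared in `settei.containers`, which is fine but worth a comment, e.g. `# ve-+ matches the host side of every nspawn veth, not just settei containers`. Exposing the uplink as an option next to the existing `settei.containers` would keep this explicit: `networking.nat.externalInterface = config.settei.containers.externalInterface;` (name constructed — pick whatever fits the option set). The surrounding attribute set continues outside the hunk.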
diff --git a/secrets/alert-nrab-lol-pass.age b/secrets/alert-nrab-lol-pass.age
index 85d17ab..a5e31ca 100644
--- a/secrets/alert-nrab-lol-pass.age
+++ b/secrets/alert-nrab-lol-pass.age
@@ -1,7 +1,8 @@
age-encryption.org/v1
--> ssh-ed25519 84j9mw XYwseCo1fgFTMZ4IL13orBFdnWo0is7fujpJ5vDEIXo
-5L2q/5umRSXrK1YGUXeUS3rpUlaGGwCKqzvUpQ5nk8s
--> ssh-ed25519 GKhvwg 2fSKj5gtCn8oj35oOgL3o8TxkkZNBlp+xy/W4mYghm8
-fNse8uiLWps7zSIY8826MRAY1PyO++G3+7tT6TDQeag
---- /1Qqdeo1Tvw3EQDGKc5D85eXTnJ/vmdtwfHf/WuvGwQ
-ZQr.KG;1W9>GjE(~]3"i
)1[m;ܺWqn)vsEY,0X3I1P`
\ No newline at end of file
+-> ssh-ed25519 84j9mw Uex/8V7Wq/9Bz9nvJRwfl5F6/QexinaDIhe14gAqWng
+/lvX7cziXcohWI8FS8eybbdAaWDgN2Nvv2/3/DDaCFg
+-> ssh-ed25519 GKhvwg JmC8WUB4SkpEy9nYGo9sfoNPx1pOAqvq0YDqd4l4vWw
+F7KRZaLxCs7eYlPvv+yLovyFAxkahr/p5apcL+Bilfk
+--- k5tZFrWFA+pUvgN2TYuIXzHBII2bLhB308qm5LFGJVg
+g0ZTJJ)]>p
+?LM>wПuYx"/"$L
Y1Tm֑s~
\ No newline at end of file
diff --git a/secrets/alert-plain-pass.age b/secrets/alert-plain-pass.age
index 032dbb2..4c3882d 100644
--- a/secrets/alert-plain-pass.age
+++ b/secrets/alert-plain-pass.age
@@ -1,19 +1,20 @@
age-encryption.org/v1
--> ssh-ed25519 GKhvwg 5euhetVuCUsVmzsFBVQr0U709Ogv6j1m+rhaS1ZXQhw
-p9dTjCsqwXRFgY1qvZOmlpJGYIz+hj286sP/oaX15H4
--> ssh-ed25519 H0Rg/A MrlNR2XgW04Csdhpd1s2Tfr3gsD8l1YWj5l/5EJEtGI
-+3RiO5GHLJOstxEKvNvAlZ1ycWHLUun0K7raJ/86a/M
--> ssh-ed25519 84j9mw 2wIXF94Zbo3fB7fRzQWGv5mCwdiomYVoFU8p25olt1k
-S2A2AP8clxTkJBtqRTTSeHeKCkcveEYaaU41di0v9kM
--> ssh-ed25519 5A7peQ G+MxkpWskys34yRKVC9CEXdfqujMUG/v4Vp9WvPYRw0
-BA+l5LIAIX0/KeSRcxLRybQ42OZV/ZX9pLCHhvkI1gc
--> ssh-ed25519 ioPMHA EXnV+gYXCwuE9kL8HJDxwGTWRqfJQt4gO4IxDXNXCDM
-s2Ji8kJ+hl+3vy/kIIHyngIw6BGouXjLTbIK/AQYfNI
--> ssh-ed25519 g2vRWw Ir+r+/jelVmGjtahgKwTkiwZUWSxkCHJrYFkm+GqTDQ
-GsDZu3gaQArHOEFQH4qoJSQw1mflKWvWNYpI+RZgI/0
--> ssh-ed25519 IFuY+w tWgf0Nelr0ji9Kr9fBt+2rdr0alagGG960uzW8RL9yE
-FW5Wt5OMD887sClsLF/q4AlTDocImI72az465K/qZPs
--> ssh-ed25519 rA7dkQ 9apitDrmj/hY9bCHadtYFZmjGUwqXtFZiUypjt9Z1BQ
-l+4ZTzw1rAYQV9dWn2sAr6Q1UtwunbelGr+UqMwetsE
---- dmVol02/2xV9zEOzA8+n5fyyjEk5Tsq/3W1yZa07ntg
-P`nHmXD`7{3P}vTb
\ No newline at end of file
+-> ssh-ed25519 GKhvwg ZvzKWT14nrdbiVRJf4hK3Gmb7pkLA1YrzIAXi7GqUm0
+OqGUgm/4oefj+J6JrIM42FPq/2tH/evQfKYQGCSMIc4
+-> ssh-ed25519 H0Rg/A ucyXgt869tI6HWLjrsg5o65HBBHnjiAyJ2T7aCps7iQ
+h58tIKkuHEFM+7VRl6u+3vvV3XQ0r+XqvUo7OdLuKEg
+-> ssh-ed25519 84j9mw 2a5d7xIwqwF9MuAKv490mGUMYiDvZWK8+sLDjShpnmk
+7CH1AzJQD7nrq7aKZJy54+74awO2MHO6RySq29/MH18
+-> ssh-ed25519 5A7peQ 8h1pfClbTdBZuSZyw1LcntL6QIDXukYkJ+SBmcZMYAE
+d8gix1GBYjqe8nYc/gdOxEvsYNo7+W+vhQZq/RFPeRw
+-> ssh-ed25519 g2vRWw E4b+U5rVKsurdddkOSeDKmhIQW5iK4hdoRePQjohM2w
++WlMZ6Yd9iCqcm/WIrzRSRU9fmqdtc2Lb79wgB945Kg
+-> ssh-ed25519 B2veVw 4APxbmXkGw6O319hX1rPpgCz2BNXs1fa71eopRvgsFI
+AQ3FsW+H7qYg90JG8904/N0FjxjH4S70S1Gyer1BiXI
+-> ssh-ed25519 IFuY+w +W4IMgBS9ihPCEGWQw8DrsTkF8Ih5H1+ZjhmGdPimQE
+qlMFMVpw6uvH/OqGx/fIBFcP41RlXxyXKJ3//1N7mcQ
+-> ssh-ed25519 rA7dkQ 1XI21LILuaiYGHbdgCllU+H8N+/YPq9FyrOUTp0AXCI
+vklhN/5KOmbB0MaQ4F/iIuj5ReLiBrmFQunPtJu0o7w
+--- 5T2/adM9me57EcbMcLPba1MIisFzJnXLC+inc57bJdk
+Ji'6&&o
+k4-hu}2|1DIl9ܦY
\ No newline at end of file
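Review bot: The re-encryption drops the `ssh-ed25519 ioPMHA` recipient (and adds `B2veVw`), but removing a recipient only affects this revision of the ciphertext; the previous blob stays in git history and remains decryptable by the key that was removed, so unless the underlying password was rotated as part of this change (the ciphertext alone cannot show that) the secret should be rotated rather than merely rekeyed. The same applies to secrets/hercules-secrets.age, which also loses the `ioPMHA` recipient in this commit, and to the `keys.system.legion` removals in secrets/secrets.nix that drive it. If the legion host key is confirmed destroyed this is moot, but a note in the commit message saying so would save the next reader from asking.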
diff --git a/secrets/attic-creds.age b/secrets/attic-creds.age
index 6d72b95..e901eb7 100644
Binary files a/secrets/attic-creds.age and b/secrets/attic-creds.age differ
diff --git a/secrets/forgejo-token.age b/secrets/forgejo-token.age
index 13f30a6..f16f8e1 100644
Binary files a/secrets/forgejo-token.age and b/secrets/forgejo-token.age differ
diff --git a/secrets/github-token.age b/secrets/github-token.age
index 03ad19e..58d43ca 100644
Binary files a/secrets/github-token.age and b/secrets/github-token.age differ
diff --git a/secrets/hercules-cache.age b/secrets/hercules-cache.age
index 783c7f3..48de2e9 100644
Binary files a/secrets/hercules-cache.age and b/secrets/hercules-cache.age differ
diff --git a/secrets/hercules-secrets.age b/secrets/hercules-secrets.age
index 8b55761..b192321 100644
--- a/secrets/hercules-secrets.age
+++ b/secrets/hercules-secrets.age
@@ -1,16 +1,12 @@
age-encryption.org/v1
--> ssh-ed25519 84j9mw qVTbaORT1Ouwq1uA0cWQ3Q85tLYcq6xuZ9UhcMOTTSk
-PE0VZp1P9K4IAnm/BIDusGsp4dtLvaN0/m9q9gNnfx4
--> ssh-ed25519 ioPMHA +m127XNN1vH6Tg6XGuHDbND0giQgGsMLE7YUKagZbXk
-tKyYRNLt1UgnQR//64yAunpHjE7JyB/Mkdmc4gkMTWw
--> ssh-ed25519 IFuY+w x4WynTbStig1Ay9gyaplDcNlLQT0kMOFOJwVvcco1i0
-i8M7n2tfBJoFNmQHs5jEaZdfKc1UmjL5y6oBCos1mDk
--> ssh-ed25519 5A7peQ +XJDHQntGS+FcrFgy9X/9RDOrBMNCI8rHsicV4Z5sBo
-i6xfceBN4DE9EYF8Q4PaJjX7qbELJaJ5dxMGoAIE8xU
--> ssh-ed25519 GKhvwg fzJcotOtNhVeNwOdMQIwPT9GmgbE13HYmCkwbFlCCkQ
-mNtYtoX8IUDgHKAQRA5e7HLZgYVI9wCF8QMm530eFEo
---- EIWU+anFU1NSYiu3O+xncDnVvJVrwHzwaAX1YhsaOj4
-%DJ#0AD
-qz,3sHVbTުˇ8[ ?VgNVd
-ĝȗL=̵g%ι[md6oqE4ŏF3@P\(MDM;%^ܫpxp):O9,iBT
-sǚ-JWE\0£y>0;yL{t.g%W,X} JJdg3\#)0h=lhBBXb$^
BM[~u? hlc;zk
\ No newline at end of file
+-> ssh-ed25519 84j9mw bwa+uUxySjFDjOaCzRiZyYVKl4po1YDaOoDQLqqObSI
+ayXv7BKF5lkzM3ai3rHL8irPetF2Nlwoji2VHpRsD5c
+-> ssh-ed25519 IFuY+w k98+p1XfAR7f7kbahEwTzZVA45ulV4t3INkOQMsU3D8
+1QbRrGvE5cMMKzSNXK5LfBndDBJITd6gTBg9dJWir9E
+-> ssh-ed25519 5A7peQ NyqKUm+8hfHcJ760y3EttpxygXxQXKFXURU8pHg1bAw
+Rh7EqnDagUFvmIEsFkjkE2tVzlhWrGgANKy9UQM0D7M
+-> ssh-ed25519 GKhvwg J3b+gGMaemGwSb7jfeCug9bcjXUJbU8BBGRoTXw2lw4
+tmMZY+0SSYVxZSMDQEBWCYzKUHTVbFH1iuybHyBvor8
+--- Uh1N32VLTQ2mxhsxu40FbIv0dQkqPdfBk+q3nJ/xPZ4
+;tضl̙RyhٖQBXzi%JN@֧FDv8.D,_J(<p-<Afl)FQf+6mHݲſ~yN5؊Ñb#]y{MSx9XO3`R<|O4(K@wdMq s%XdGrWm61NQGJ~݃xkgRCv뚑&vNSf6,`K ъk1Z!T%[,a6X־NL5k^V
+g}C>m5rd7Mn=
\ No newline at end of file
diff --git a/secrets/hercules-token.age b/secrets/hercules-token.age
index 54dd108..a7a66a7 100644
Binary files a/secrets/hercules-token.age and b/secrets/hercules-token.age differ
diff --git a/secrets/kanidm-admin-pass.age b/secrets/kanidm-admin-pass.age
new file mode 100644
index 0000000..2b229b2
--- /dev/null
+++ b/secrets/kanidm-admin-pass.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 84j9mw W4+Z4WjOyUl4mWPqVykNWRhf2/8qfVOSM7QCFPNMZTA
+0ndQjslMwjQqguN25nBQtCchpCLhoD/vrxh1yNVeTNw
+-> ssh-ed25519 GKhvwg H8XcFJDZTA3IzxmK6wbB+PVM2gCZ4ysAPjL5j0LgeE0
+kehTMRIVOZ5ubtO7w8WF+gU3sjYXMQtd5hH+wcv3uSE
+--- 72ntrRbWq8pdkk/GrsVupTttfY9t+w3l+2KQbQyNn/I
+iyd$vVl TK$4G[MI[#tz:r9~ESA6}
\ No newline at end of file
diff --git a/secrets/kanidm-idm-admin-pass.age b/secrets/kanidm-idm-admin-pass.age
new file mode 100644
index 0000000..0eac321
--- /dev/null
+++ b/secrets/kanidm-idm-admin-pass.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 84j9mw 8zYeVXx36dpC8TxMdoM1GdERoNNj902KwTF4h/r4inM
+n3mYra0BeM4gWsZ7Roilu14o/GajX1iWw0fcy0q31yc
+-> ssh-ed25519 GKhvwg cqd7YmVpbxqZxaVluHDZ8Yw0gNfJCKMmoWa4mEoXym8
+Gbcj+PJaqyPRRGX4olr7mmJ5IoEGlQaogYbj7i9E/98
+--- LoQPWI+m8s3NjalUh0+xdW54c8lgddBmhPoIiPbmR8I
+Җ܉Y
+9!42DVP9N]G;?ЉS '
\ No newline at end of file
diff --git a/secrets/leet-nrab-lol-pass.age b/secrets/leet-nrab-lol-pass.age
index fbf07ad..4145d0d 100644
--- a/secrets/leet-nrab-lol-pass.age
+++ b/secrets/leet-nrab-lol-pass.age
@@ -1,7 +1,7 @@
age-encryption.org/v1
--> ssh-ed25519 84j9mw qRlII1WyhanH2pNwSnl01iMlPWQ7tsyiNNOHPLNMflo
-ZMtYsPCDsgcbN1qoAYWTBQtfBWGHzi4WKbGtpJSzKRA
--> ssh-ed25519 GKhvwg Fck+71BDUxko70r43pDKCYaa5OKZipR4iNveNrJaiC0
-uZZhlsckmE+mi7Oq8+gtisDFmLEoy0Pm/9BKgRi9VHo
---- i/jgJHw3pEnMDGSjdK47mOkt87oI8szIHiIqimXVyXY
-ߵSAѶBzwg@"PY^+E[',K[X~Xg{2c4
\ No newline at end of file
+-> ssh-ed25519 84j9mw 9ygN4fWQWX889zSTchiwqVwxTzHzl+3PSelEpeGx6yA
+v1GTvSMdbwC6U0QZtaD7/b5QbJ9j4J3F10eCUaT5COY
+-> ssh-ed25519 GKhvwg 9I2sycYPtBMPZenbWLueANm46TTPzbgCa//4oKojGEQ
+aEX3TQpWRAcrtJaiTMxB08L8OY/O/4JR+/zoNPl7Kxc
+--- 6EB80pdWxmL1yVM+klouel5E59m2C88Dz0SH2DiT6nE
+hkdJw|g~v^jq\ 'yIcdWYF?N/0+h=85#
\bm~1y"qAT
\ No newline at end of file
diff --git a/secrets/legion-niko-pass.age b/secrets/legion-niko-pass.age
deleted file mode 100644
index 455628d..0000000
Binary files a/secrets/legion-niko-pass.age and /dev/null differ
diff --git a/secrets/miyagi-niko-pass.age b/secrets/miyagi-niko-pass.age
index 460e357..e150327 100644
--- a/secrets/miyagi-niko-pass.age
+++ b/secrets/miyagi-niko-pass.age
@@ -1,8 +1,8 @@
age-encryption.org/v1
--> ssh-ed25519 g2vRWw Pdv9mU1heeteeLbLFVUAIyZxmCWHNmhnw0TphSVMczg
-xks6yrF0BziJFp1QHSJdv5Svo1bCu9DF6s3wa2h0Xmg
--> ssh-ed25519 GKhvwg H2DeS0HP/vWKRrBszwCffNgIZo8nVymGSkWEH26Y/2k
-2y9DCIwpFsFXpgOwOrrD9+HpRzEuno1fW2upd2FLbZc
---- LNHsLxE4XBziNhnXmARcxB7UWhcKNvon1sDdX6mfZaw
--1dm
-fR,[#[-;M}vi4x~=)oN^n"XB}W583惍fv:uZɶ
\ No newline at end of file
+-> ssh-ed25519 g2vRWw 8FCO/eYVK3KfOvdyk5Va3R9jXaSNzV+ArFVhJwJPDDk
+zRBpyAtdJxg4TSsgUep66Yv2CMUUAI8IF3pL5+MI/88
+-> ssh-ed25519 GKhvwg eMLyDK82QCKJrVjtfuy5DKTNFOc39zdJxJNFEXCO1Ac
+6AamgzEBeT1018cy7N5GcvgjypGPLqF+2P14h//jTtA
+--- jhq8ZEIoUjMq5PH7tktWMKQuCLMKifY/UfjjM1Qn7UE
+Q8cV2
ƈ4$h+ey
+0#aJ`ng{@.sIgϞc*Q'&k,CuIwɘ
+rENշ@FPI?ђ
\ No newline at end of file
diff --git a/secrets/nrab-lol-cf.age b/secrets/nrab-lol-cf.age
index d3b9015..bf3032b 100644
Binary files a/secrets/nrab-lol-cf.age and b/secrets/nrab-lol-cf.age differ
diff --git a/secrets/ntfy-alert-pass.age b/secrets/ntfy-alert-pass.age
index 27558ca..4e997b6 100644
Binary files a/secrets/ntfy-alert-pass.age and b/secrets/ntfy-alert-pass.age differ
diff --git a/secrets/ntfy-niko-pass.age b/secrets/ntfy-niko-pass.age
index 276c72f..c42dcd5 100644
--- a/secrets/ntfy-niko-pass.age
+++ b/secrets/ntfy-niko-pass.age
@@ -1,7 +1,7 @@
age-encryption.org/v1
--> ssh-ed25519 84j9mw VodL+EHOjoXj8R/F0vMQzEcnnCFzzes0QByGCDCgVQw
-tZLaDA1FLFwbK0AGo8lpTJjMUnPhJh1czYVLIYjkcEc
--> ssh-ed25519 GKhvwg gHaR4I4l0I+/XrbjTMp/mevEzxPJXNLB1eHs33WKwGw
-GTAzrhyyDylZgExteDGpGbcS/TFX1q+NhF1FWHzNV0s
---- QS1dAgdS96KwIprDjzz6OD4qSIZs4/m9JEIsi3+kgPk
-zPCSxf -ic7_2~jA
\ No newline at end of file
+-> ssh-ed25519 84j9mw 5fEqoBEGZ6AZRfWuU6mej6XNl6hDrxMIMMlccp9CVzg
+QvontdV2/amh/i1Ldmzup8TB+lN4b0+YuoT+UFWiPw8
+-> ssh-ed25519 GKhvwg 5Qm1FPvbv0ZsJiJ0Rjm0CPm6eWKvfQ4XHAOmEUWWCiA
+eu1MXEWfo425lbnq5tAOnGqpLgRVIOCkZKegTQQjw/I
+--- s1g2UCKwlew0wCJSxGosBzn1K0TEbPlrIl09iZ58bMg
+P$N{LrxS:=Wxc(J|48S
\ No newline at end of file
diff --git a/secrets/rab-lol-cf.age b/secrets/rab-lol-cf.age
index 4b5734a..3ed93fe 100644
--- a/secrets/rab-lol-cf.age
+++ b/secrets/rab-lol-cf.age
@@ -1,9 +1,8 @@
age-encryption.org/v1
--> ssh-ed25519 ioPMHA ftS+6CMGsySkp/KbDBLPKeWNDK83bZ2VB8ZKMRijkkY
-U+2wopG3G2AvI4KUD9tZGIrHZSM3UdyDdYmbbkllWPo
--> ssh-ed25519 84j9mw xek41MX1ETVgRZa24I7n5U/XkJOqItQWK3Qz1FfkDCc
-40CWzCUmxsjgmiObbqKuSieifZ2vNo965jOeTrZ8hT8
--> ssh-ed25519 GKhvwg X2YSREIPjoaWaku9qrVu04hOlZjUF3LFEUZaIMgg02s
-jbjT6qoIFGXRv2wrkzf2GHx3tcku/tgWfK6Sns3uFVc
---- B/FIIz8dDg9YXbtDxfAQFZj9PCLHwI/mboBJQBuFmJg
-4L7H3F
̈́"fU(L~%sbԀ~Z}Z>2KO'Q\W[όe1^I
\ No newline at end of file
+-> ssh-ed25519 84j9mw qUAkkpjjETyLa0IZfbm8yJ2opDBBsngbrrNjwu02G0s
+kpEKDzWIfskgnZYR+0lgtCKqv0KwfpxRTq9crCsjvto
+-> ssh-ed25519 GKhvwg FKrEGsx5mPhWnq5vNgFgxM816v6ZAG16pmdukuBWDDU
+qmPRvA2bd0W3QlR6h8BLC/O+XjTp00vYXnp+tXakXDY
+--- 7FE7FzsRmCKPvjr3yOlot32FV0lod38Hec/JRaxP+8g
+xA}~ H]TLزոl]0>C}J:0nCEaVb
"dV!Rvz9jO
+
\ No newline at end of file
diff --git a/secrets/rabulinski-com-cf.age b/secrets/rabulinski-com-cf.age
index 6e80a30..ad35e32 100644
--- a/secrets/rabulinski-com-cf.age
+++ b/secrets/rabulinski-com-cf.age
@@ -1,7 +1,7 @@
age-encryption.org/v1
--> ssh-ed25519 84j9mw d9KZV9S1hRXBvVcFe40S0NqWKlQ/AdRgAqdYXKicXR8
-SgTn9MXrft+sRr4I96fqQHzAdm0b21Bd0eSoYFfq7/4
--> ssh-ed25519 GKhvwg B9qTfegTwDH/X0nQMGvTKCsK2GyzJ7yWgFIo+nKhsGc
-Is4Hi8B2/9s0pz/quvNER2hTkabPbr7qeILL4PhQO1c
---- 1BhfbNEwYq0ra5slik651qbC8jffR2FmnDHV3FDtom0
--oSԐ-?{r]5;+0
GoE9tHXjqj2@3@ mmkyQ;_W϶Q~
\ No newline at end of file
+-> ssh-ed25519 84j9mw O57uksGzyC2Obzy7AYk86DnEFQNXt43g5CqM4Vp69jU
+1fW8YTn28ju1O3tX62A6AtvfzsmKzmhe79c3DmGUPrY
+-> ssh-ed25519 GKhvwg s3WZPik8t204g4BlxpHeSpnL4/IgM+JdekXJYx7EFVo
+N0Pyre1DwiLFo4HUE8SFDmNnkE4XJtcyHfn63cMlQJo
+--- WPllwfNX5iXFmVC0pGCNrH4T9EGRhmRwGayE3bY/YC0
+dp/ݩ3+dvv&R
xdSy8ESe}Nb#6w.wE0Q%?
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 57943fa..b5ee4f6 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -13,21 +13,18 @@ in
# "bitwarden-env-file.age".publicKeys = [keys.system.kazuki keys.other.bootstrap];
"hercules-token.age".publicKeys = [
keys.system.kazuki
- keys.system.legion
keys.system.ude
keys.system.kogata
keys.other.bootstrap
];
"hercules-cache.age".publicKeys = [
keys.system.kazuki
- keys.system.legion
keys.system.ude
keys.system.kogata
keys.other.bootstrap
];
"hercules-secrets.age".publicKeys = [
keys.system.kazuki
- keys.system.legion
keys.system.ude
keys.system.kogata
keys.other.bootstrap
@@ -35,10 +32,6 @@ in
"alert-plain-pass.age".publicKeys = [
keys.other.bootstrap
] ++ builtins.attrValues keys.system;
- "legion-niko-pass.age".publicKeys = [
- keys.system.legion
- keys.other.bootstrap
- ];
"storage-box-creds.age".publicKeys = [
keys.system.kazuki
keys.other.bootstrap
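Review bot: Dropping `keys.system.legion` from the explicit recipient lists retires that key only partially, because `alert-plain-pass.age` (L1205) still takes `builtins.attrValues keys.system` and so is encrypted to whatever that set contains. Whether legion disappears from it depends on the matching change in assets/ssh.nix, which is outside this hunk, so it is worth confirming the key is gone from `keys.system` and that alert-plain-pass.age was rekeyed along with the other `.age` files in this commit. The same check applies to any other entry in this file that is derived from `keys.system` rather than listed by hand.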
@@ -54,7 +47,6 @@ in
"github-token.age".publicKeys = [
keys.system.ude
keys.system.kazuki
- keys.system.legion
keys.system.kogata
keys.other.bootstrap
];
@@ -72,7 +64,6 @@ in
keys.other.bootstrap
];
"rab-lol-cf.age".publicKeys = [
- keys.system.legion
keys.system.kazuki
keys.other.bootstrap
];
@@ -97,4 +88,12 @@ in
keys.system.ude
keys.other.bootstrap
];
+ "kanidm-admin-pass.age".publicKeys = [
+ keys.system.kazuki
+ keys.other.bootstrap
+ ];
+ "kanidm-idm-admin-pass.age".publicKeys = [
+ keys.system.kazuki
+ keys.other.bootstrap
+ ];
}
diff --git a/secrets/storage-box-creds.age b/secrets/storage-box-creds.age
index 8b0a272..31a18e7 100644
--- a/secrets/storage-box-creds.age
+++ b/secrets/storage-box-creds.age
@@ -1,7 +1,7 @@
age-encryption.org/v1
--> ssh-ed25519 84j9mw auP2WgwsaWjyocQkSzoYShO2kSLjn2UArvAVEhKgDiY
-4Uh423ZjS7/Xo6TxLJzWqXgHZAu0xouH0UvFZuJuEz4
--> ssh-ed25519 GKhvwg JHtyTS12OXspSKP9r/a61cfp+ubYbsAXFmEijMTex3Q
-wZYrJ8yIZ3v5cdBzpiI9ocaTpHbtmebEpbr59Bz3rhc
---- koWJ57H+ErMJDxW6JDNL2ImmZb6o9v2BJtaFi2OL+dc
-Io5q&CU*[T.HɊʺkkpOYs,g49ʼn$^l-A/QX
\ No newline at end of file
+-> ssh-ed25519 84j9mw tKQQB/cd6JHCLQLrix2WGW5hHBUNC+pqDZXvTmOlOkw
+lnx4olU3W8dgMwigYga/NYcjJ/C59J/uVdYNOfWmN2I
+-> ssh-ed25519 GKhvwg iWTl/jvU1aBd78yAZUsOgcG6JaK+vO8Dpx61dYMjmhc
+2Iu6OHlLlhJLy/cxI/zSuqRhBnoeGLXINbDyMIvDZD8
+--- eOl0sze0EOvfcAarBav7mb4B3jdBvOE+fF166oukbrk
+!lxq*T,.Xk6^ ssh-ed25519 84j9mw 8RHYGSsbQG4F+mKMbXJu9aFv6xN3ZyxRBBhFJ3H8EFY
-sRQonxjyqPLnL3AbfugdmraHzVK7RE3LjhuzLirImGM
--> ssh-ed25519 GKhvwg aEEIBlvZ//KmEqkX1pkZrT7QK9sopwKKiD6YUa9lA3k
-srUtd+v0kDfbCsZ7OwPvzRVIualWm8CA4mhgdNAJm+A
---- yWhOlkbF9GUT7OsMu3R0/Dc+nP7DrUetuPLZJFySPpE
-70P`TsT=*=sp>mtY{-;M0zCm}gOTGjˇN
\ No newline at end of file
+-> ssh-ed25519 84j9mw C3TpEZsxJIYJ3d5vsQkCcCTity80nLsyxm5zCBZOMzk
+56z54taf+KUJjDugfCGKlcbeRZfDzi3+eeanKPINS6E
+-> ssh-ed25519 GKhvwg uUXJkGw54Q7dCnYobwV1zihOPa4R1FydJZehlFc5MA4
+6Zbym9jLykqsYjmb6rKIa6GExAKVVvEkvCQrzl6HB/M
+--- QICnyH0PORBpoNgT3pjuhP1p8AHn9gD2OIae/9G23x8
+(}{Ԝ2˓i]UmiLmv>ke'6A̯Xi<:fU)~&Aˡj#
+D?_E-H
\ No newline at end of file
diff --git a/secrets/ude-deluge.age b/secrets/ude-deluge.age
index f9cdd04..f398be0 100644
--- a/secrets/ude-deluge.age
+++ b/secrets/ude-deluge.age
@@ -1,7 +1,7 @@
age-encryption.org/v1
--> ssh-ed25519 IFuY+w EOJQpXxn+NL/BJjpdo8mIGfOYxcMElkVIiGx7KftrQ4
-OcglvGhSgb1mxH8M19ZMf3m6lSF0clzH7Mjikf7cilM
--> ssh-ed25519 GKhvwg cr+0J59wCjYBONBcDulN8lpvZiCvULHqnwDu+eKQRAo
-9q87PSfr4kq8lCDrw5Od3D1xJjSSmVv2/TXBWEBtBpU
---- FmVR9tb8wjYFb/FBTrblXMCUAMw5KQ7sX8WojcxCrbk
-C<\}Jf|6G@WXc-"ϐAGZ'x_Ԡz,@n"3[?
Lb@e
\ No newline at end of file
+-> ssh-ed25519 IFuY+w ZigoLhwVERGG/r7uYI3DKX7jijKt+4tsiTWpbIdUTXE
+k4jmQIJXr7yJOY3pkc1VnoqDgWkNr84k1AgYF7jNjRs
+-> ssh-ed25519 GKhvwg FMZOLDeE2Yw1Kd8V7NTL2oQtWo4IKDUoHu/Z8Su2hHI
+QF+L/Qf35wkOcgGWWRGANMJCG5Vz80epjQuwa4IdYQM
+--- ZUTRNDrgxdsZsNSP1Z3BLxw4EYexr873aJrbUvIgE2I
+yZͪ
MXd塸*5j"*ZUф|ݕ]a8 "Zb][9SU.
\ No newline at end of file
diff --git a/secrets/youko-niko-pass.age b/secrets/youko-niko-pass.age
index 4c85947..6e910ff 100644
--- a/secrets/youko-niko-pass.age
+++ b/secrets/youko-niko-pass.age
@@ -1,7 +1,7 @@
age-encryption.org/v1
--> ssh-ed25519 rA7dkQ etmPKjKz102knTx/qQAihC9bFvRENB0Q1DtnaQyjfm4
-GPt9OCIwT+/Q/UUDtkHB8d7T6znHy1y1NEUeI+SCeMg
--> ssh-ed25519 GKhvwg qdCxGyXrdD+WQa/il8fIlV7OKdREqd40Qk0PKITHxlk
-OBJ9gg+KBHi2s1HYLazy3K+yh8tvnUvmuH+riWU7K8c
---- V3FRy0/TcUdUaBDUK+93r5rH26Is/KVuNJC+1vFMsOI
-wO.➌aA&ޝz [oXĂu,ajxGƜu/eL̛/6S[SU
\ No newline at end of file
+-> ssh-ed25519 rA7dkQ ucrMqUlwttyHHFkJ/c5tYpHohefNYe6aJnxHMUjkUxU
+RgsGaMLmtziGu/n6MiDJmkTZORTh2yYWoSS0eu9i6PA
+-> ssh-ed25519 GKhvwg u7Fjda07e17aJGV0ZFK/Mt2ZbF/3b38MLydE8WKs2gY
+gO2rNP64Nkhr5GShWP8zhxeT2YUKEkqN1Oc6/3l6PKU
+--- H9oqwkU/uI5fZAdy+qkCW5vw1PBaahe28FTUxhEFsds
+xSmL69ʎG3<4[Z t}<OdcY}>XQ^]Ki|BwDmqHX]FeRt%`Ҥ0IV
\ No newline at end of file
diff --git a/secrets/zitadel-master.age b/secrets/zitadel-master.age
index 6dbbbf4..9740ab2 100644
Binary files a/secrets/zitadel-master.age and b/secrets/zitadel-master.age differ
diff --git a/services/default.nix b/services/default.nix
index 1837462..6da3b28 100644
--- a/services/default.nix
+++ b/services/default.nix
@@ -2,5 +2,7 @@
imports = [
./attic.nix
./forgejo-runner.nix
+ ./kanidm.nix
+ ./forgejo.nix
];
}
diff --git a/services/forgejo.nix b/services/forgejo.nix
new file mode 100644
index 0000000..e887ea4
--- /dev/null
+++ b/services/forgejo.nix
@@ -0,0 +1,89 @@
+{
+ services.forgejo = {
+ host = "kazuki";
+ ports = [ 3000 ];
+ config =
+ { config, pkgs, ... }:
+ {
+ age.secrets.rab-lol-cf = {
+ file = ../secrets/rab-lol-cf.age;
+ owner = config.services.nginx.user;
+ };
+
+ services.forgejo = {
+ enable = true;
+ package = pkgs.forgejo;
+ settings = {
+ server = {
+ DOMAIN = "git.rab.lol";
+ ROOT_URL = "https://git.rab.lol/";
+ };
+ security = {
+ DISABLE_GIT_HOOKS = false;
+ };
+ oauth2_client = {
+ REGISTER_EMAIL_CONFIRM = false;
+ ENABLE_AUTO_REGISTRATION = true;
+ ACCOUNT_LINKING = "auto";
+ UPDATE_AVATAR = true;
+ };
+ service = {
+ DISABLE_REGISTRATION = false;
+ ALLOW_ONLY_INTERNAL_REGISTRATION = false;
+ ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+ };
+ session = {
+ SESSION_LIFE_TIME = 86400 * 30;
+ };
+ federation.ENABLED = true;
+ };
+ repositoryRoot = "/forgejo/repos";
+ lfs = {
+ enable = true;
+ contentDir = "/forgejo/lfs";
+ };
+ };
+
+ systemd.tmpfiles.rules =
+ let
+ cfg = config.services.forgejo;
+ imgDir = pkgs.runCommand "forgejo-img-dir" { } ''
+ cp -R ${../assets/forgejo} "$out"
+ '';
+ in
+ [
+ "d '${cfg.customDir}/public' 0750 ${cfg.user} ${cfg.group} - -"
+ "d '${cfg.customDir}/public/assets' 0750 ${cfg.user} ${cfg.group} - -"
+ "L+ '${cfg.customDir}/public/assets/img' - - - - ${imgDir}"
+ ];
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ virtualHosts."git.rab.lol" = {
+ forceSSL = true;
+ enableACME = true;
+ acmeRoot = null;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:3000";
+ extraConfig = ''
+ proxy_set_header Connection $http_connection;
+ proxy_set_header Upgrade $http_upgrade;
+ '';
+ };
+ };
+ };
+
+ users.users.nginx.extraGroups = [ "acme" ];
+ security.acme.acceptTerms = true;
+ security.acme.certs."git.rab.lol" = {
+ dnsProvider = "cloudflare";
+ credentialsFile = config.age.secrets.rab-lol-cf.path;
+ email = "nikodem@rabulinski.com";
+ };
+ };
+ };
+}
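Review bot: `DISABLE_GIT_HOOKS = false;` (L1359) turns custom git hooks back on, and Forgejo runs those hooks as its own service user, so any account that is later granted the git-hook permission (or any site admin) can execute commands on kazuki; with `ENABLE_AUTO_REGISTRATION = true` and `ALLOW_ONLY_EXTERNAL_REGISTRATION = true` that permission should stay tightly held, or the setting flipped to `DISABLE_GIT_HOOKS = true;` unless server-side hooks are actually needed. Separately, nginx proxies to `127.0.0.1:3000` (L1408) but nothing in this file pins Forgejo's own listener to loopback; adding `HTTP_ADDR = "127.0.0.1";` under `settings.server` would mirror what kanidm.nix does with `bindaddress` and keeps the plaintext port off the network regardless of what the wrapping module does with `ports = [ 3000 ]`. Note also that no firewall rule for 80/443 is declared here, so git.rab.lol is reachable only because kanidm.nix opens those ports on the same host.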
diff --git a/services/kanidm.nix b/services/kanidm.nix
new file mode 100644
index 0000000..b288e14
--- /dev/null
+++ b/services/kanidm.nix
@@ -0,0 +1,85 @@
+{
+ services.kanidm =
+ let
+ port = 8443;
+ domain = "auth.rabulinski.com";
+ in
+ {
+ host = "kazuki";
+ ports = [ port ];
+ config =
+ { config, pkgs, ... }:
+ let
+ cert = config.security.acme.certs.${domain};
+ in
+ {
+ age.secrets.rabulinski-com-cf = {
+ file = ../secrets/rabulinski-com-cf.age;
+ owner = config.services.nginx.user;
+ };
+ age.secrets.kanidm-admin-pass = {
+ file = ../secrets/kanidm-admin-pass.age;
+ owner = "kanidm";
+ };
+ age.secrets.kanidm-idm-admin-pass = {
+ file = ../secrets/kanidm-idm-admin-pass.age;
+ owner = "kanidm";
+ };
+
+ services.kanidm = {
+ enableServer = true;
+ package = pkgs.kanidmWithSecretProvisioning;
+ serverSettings = {
+ bindaddress = "127.0.0.1:${toString port}";
+ inherit domain;
+ origin = "https://${domain}";
+ trust_x_forward_for = true;
+ tls_chain = "${cert.directory}/fullchain.pem";
+ tls_key = "${cert.directory}/key.pem";
+ };
+ provision = {
+ enable = true;
+ idmAdminPasswordFile = config.age.secrets.kanidm-idm-admin-pass.path;
+ adminPasswordFile = config.age.secrets.kanidm-admin-pass.path;
+ };
+ };
+
+ systemd.services.kanidm.serviceConfig = {
+ SupplementaryGroups = [ cert.group ];
+ };
+
+ users.users.nginx.extraGroups = [ "acme" ];
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ virtualHosts."auth.rabulinski.com" = {
+ forceSSL = true;
+ enableACME = true;
+ acmeRoot = null;
+ locations."/" = {
+ proxyPass = "https://localhost:${toString port}";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_ssl_verify off;
+ proxy_ssl_name ${domain};
+ '';
+ };
+ };
+ };
+
+ security.acme.certs.${domain} = {
+ dnsProvider = "cloudflare";
+ credentialsFile = config.age.secrets.rabulinski-com-cf.path;
+ reloadServices = [ "kanidm" ];
+ };
+ };
+ };
+}
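Review bot: `proxy_ssl_verify off;` (L1503) makes nginx accept any certificate from the kanidm backend, even though the backend presents the same ACME certificate for `auth.rabulinski.com` that `tls_chain` (L1469) points at, so verification against the system bundle would succeed: `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;` alongside the existing `proxy_ssl_name ${domain};`. The hop is loopback, so the practical exposure is limited to something already running on the host, but verifying costs nothing here and `reloadServices = [ "kanidm" ]` (L1513) already keeps the backend's certificate current after renewal. `networking.firewall.allowedTCPPorts = [ 80 443 ]` (L1484) is host-wide and is also what makes the forgejo vhost reachable; a shared nginx module would be a clearer home for it than this service file.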