From 9786bc9cd6ad4789c535c49410e2eecf45454b53 Mon Sep 17 00:00:00 2001 
From: Truxnell <19149206+truxnell@users.noreply.github.com> Date: Sat, 6 Apr 2024 17:24:47 +1100 Subject: [PATCH] feat: add split-dns (#59) * chore: tweak favourites * chore: hacking * feat: add nix-serve * hax * re-encrypt * haxing bind * hacing sonarr/traef * hack * hack * feat: add bind for local dns (manual) * fix * hacked up dns --------- Co-authored-by: Truxnell <9149206+truxnell@users.noreply.github.com> --- .sops.yaml | 1 - flake.lock | 21 +++ flake.nix | 8 + .../modules/programs/de/gnome/default.nix | 2 +- nixos/home/truxnell/workstation.nix | 43 ++--- nixos/hosts/citadel/default.nix | 2 + .../hosts/citadel/hardware-configuration.nix | 41 ----- nixos/hosts/dns01/default.nix | 2 + nixos/hosts/dns02/default.nix | 1 + nixos/hosts/rickenbacker/default.nix | 2 - nixos/hosts/shodan/default.nix | 4 + nixos/modules/default.nix | 2 + nixos/modules/nixos/containers/default.nix | 49 ------ .../nixos/containers/traefik/default.nix | 84 ---------- nixos/modules/nixos/default.nix | 10 +- nixos/modules/nixos/services/arr/default.nix | 5 + .../nixos/services/arr/sonarr/default.nix | 50 ++++++ nixos/modules/nixos/services/bind/default.nix | 99 +++++++++++ .../nixos/services/bind/secrets.sops.yaml | 60 +++++++ nixos/modules/nixos/services/bind/zone | 0 .../cloudflare-dyndns.sops.yaml | 58 +++---- .../services/cloudflare-dyndns/default.nix | 2 +- nixos/modules/nixos/services/default.nix | 4 + .../services/dnscrypt-proxy2/default.nix | 2 +- .../dnscrypt-proxy2/dnscrypt-proxy2.sops.yaml | 56 +++---- .../nixos/services/homepage/default.nix | 49 ++++++ .../modules/nixos/services/maddy/default.nix | 2 +- .../nixos/services/maddy/maddy.sops.yaml | 56 +++---- .../nixos/services/nix-serve/default.nix | 24 +++ .../modules/nixos/services/podman/default.nix | 3 + .../nixos/services/traefik/default.nix | 154 +++++++++++++++++- .../nixos/services/traefik/secrets.sops.yaml | 61 +++++++ nixos/profiles/global.nix | 11 +- nixos/profiles/global/nix.nix | 5 +- nixos/profiles/hw-rpi4.nix | 1 - 
nixos/profiles/role-worstation.nix | 26 +++ 36 files changed, 701 insertions(+), 299 deletions(-) delete mode 100644 nixos/hosts/citadel/hardware-configuration.nix delete mode 100644 nixos/modules/nixos/containers/default.nix delete mode 100644 nixos/modules/nixos/containers/traefik/default.nix create mode 100644 nixos/modules/nixos/services/arr/default.nix create mode 100644 nixos/modules/nixos/services/arr/sonarr/default.nix create mode 100644 nixos/modules/nixos/services/bind/default.nix create mode 100644 nixos/modules/nixos/services/bind/secrets.sops.yaml create mode 100644 nixos/modules/nixos/services/bind/zone create mode 100644 nixos/modules/nixos/services/homepage/default.nix create mode 100644 nixos/modules/nixos/services/nix-serve/default.nix create mode 100644 nixos/modules/nixos/services/traefik/secrets.sops.yaml diff --git a/.sops.yaml b/.sops.yaml index 7d68808..51cfa16 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -19,7 +19,6 @@ creation_rules: - path_regex: .*\.sops\.yaml$ key_groups: - age: - - *dns01 - *dns02 - *citadel diff --git a/flake.lock b/flake.lock index bee04c2..5c3716d 100644 --- a/flake.lock +++ b/flake.lock @@ -93,6 +93,26 @@ "type": "github" } }, + "nix-index-database": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1711854532, + "narHash": "sha256-JPStavwlT7TfxxiXHk6Q7sbNxtnXAIjXQJMLO0KB6M0=", + "owner": "nix-community", + "repo": "nix-index-database", + "rev": "2844b5f3ad3b478468151bd101370b9d8ef8a3a7", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-index-database", + "type": "github" + } + }, "nix-vscode-extensions": { "inputs": { "flake-compat": "flake-compat_2", @@ -198,6 +218,7 @@ "inputs": { "deploy-rs": "deploy-rs", "home-manager": "home-manager", + "nix-index-database": "nix-index-database", "nix-vscode-extensions": "nix-vscode-extensions", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", 
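Review bot: Removing `- *dns01` from the key group for `.*\.sops\.yaml$` means any secret created or re-keyed under this rule is no longer encrypted to dns01's age key, yet the same commit sets `bind.enable = true` on dns01, whose module loads its zone from a sops secret, and dns01 keeps dnscrypt-proxy and cfDdns, which also read sops secrets. Unless the `dns01` anchor duplicated a recipient that is still listed, dns01 will fail to decrypt those files at activation. If the removal is intentional (for example the host was re-keyed under another anchor), a one-line comment above the group stating which hosts it covers, e.g. `# recipients: all hosts that evaluate *.sops.yaml secrets (dns01 via <anchor>)`, would let the next reader confirm it.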
diff --git a/flake.nix b/flake.nix index 55b6be9..db33108 100644 --- a/flake.nix +++ b/flake.nix @@ -39,6 +39,13 @@ url = "github:nix-community/nix-vscode-extensions"; inputs.nixpkgs.follows = "nixpkgs"; }; + + # nix-index database + # https://github.com/nix-community/nix-index-database + nix-index-database = { + url = "github:nix-community/nix-index-database"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = { self @@ -93,6 +100,7 @@ extraSpecialArgs = { inherit inputs hostname system; }; + }; } ] diff --git a/nixos/home/modules/programs/de/gnome/default.nix b/nixos/home/modules/programs/de/gnome/default.nix index 868912a..490026e 100644 --- a/nixos/home/modules/programs/de/gnome/default.nix +++ b/nixos/home/modules/programs/de/gnome/default.nix @@ -27,7 +27,7 @@ with lib.hm.gvariant; { "org/gnome/shell" = { disabled-extensions = [ "apps-menu@gnome-shell-extensions.gcampax.github.com" "light-style@gnome-shell-extensions.gcampax.github.com" "places-menu@gnome-shell-extensions.gcampax.github.com" "drive-menu@gnome-shell-extensions.gcampax.github.com" "window-list@gnome-shell-extensions.gcampax.github.com" "workspace-indicator@gnome-shell-extensions.gcampax.github.com" ]; enabled-extensions = [ "appindicatorsupport@rgcjonas.gmail.com" "caffeine@patapon.info" "dash-to-dock@micxgx.gmail.com" "gsconnect@andyholmes.github.io" "Vitals@CoreCoding.com" "sp-tray@sp-tray.esenliyim.github.com" ]; - favorite-apps = [ "org.gnome.Nautilus.desktop" "firefox.desktop" "org.wezfurlong.wezterm.desktop" "PrusaGcodeviewer.desktop" "spotify.desktop" "org.gnome.Console.desktop" "codium.desktop" ]; + favorite-apps = [ "org.gnome.Nautilus.desktop" "firefox.desktop" "org.wezfurlong.wezterm.desktop" "PrusaGcodeviewer.desktop" "spotify.desktop" "org.gnome.Console.desktop" "codium.desktop" "discord.desktop" ]; }; "org/gnome/nautilus/preferences" = { default-folder-viewer = "icon-view"; 
diff --git a/nixos/home/truxnell/workstation.nix b/nixos/home/truxnell/workstation.nix index fe537ef..71e4577 100644 --- a/nixos/home/truxnell/workstation.nix +++ b/nixos/home/truxnell/workstation.nix @@ -1,4 +1,4 @@ -{ lib, pkgs, self, config, ... }: +{ lib, pkgs, self, config, inputs, ... }: with config; { imports = [ @@ -51,29 +51,32 @@ with config; }; }; + + home = { # Install these packages for my user - packages = with pkgs; [ - discord - steam - spotify - brightnessctl - prusa-slicer - bitwarden - yubioath-flutter - yubikey-manager-qt + packages = with pkgs; + [ + discord + steam + spotify + brightnessctl + prusa-slicer + bitwarden + yubioath-flutter + yubikey-manager-qt - bat - dbus - direnv - git - nix-index - python3 - fzf - ripgrep - flyctl # fly.io control line + bat + dbus + direnv + git + nix-index + python3 + fzf + ripgrep + flyctl # fly.io control line - ]; + ]; }; } diff --git a/nixos/hosts/citadel/default.nix b/nixos/hosts/citadel/default.nix index eb5a2b9..ab75080 100644 --- a/nixos/hosts/citadel/default.nix +++ b/nixos/hosts/citadel/default.nix @@ -12,6 +12,8 @@ mySystem = { services.openssh.enable = true; security.wheelNeedsSudoPassword = false; + + time.hwClockLocalTime = true; # due to windows dualboot }; boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; diff --git a/nixos/hosts/citadel/hardware-configuration.nix b/nixos/hosts/citadel/hardware-configuration.nix deleted file mode 100644 index 5a06546..0000000 --- a/nixos/hosts/citadel/hardware-configuration.nix +++ /dev/null 
@@ -1,41 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - -{ - imports = - [ - (modulesPath + "/installer/scan/not-detected.nix") - ]; - - boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-amd" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = - { - device = "/dev/disk/by-uuid/701fc943-ede7-41ed-8a53-3cc38fc68fe5"; - fsType = "ext4"; - }; - - fileSystems."/boot" = - { - device = "/dev/disk/by-uuid/C634-F571"; - fsType = "vfat"; - }; - - swapDevices = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp12s0.useDHCP = lib.mkDefault true; - # networking.interfaces.wlp13s0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; -} diff --git a/nixos/hosts/dns01/default.nix b/nixos/hosts/dns01/default.nix index 44d698f..78911d4 100644 --- a/nixos/hosts/dns01/default.nix +++ b/nixos/hosts/dns01/default.nix @@ -17,6 +17,8 @@ maddy.enable = true; dnscrypt-proxy.enable = true; cfDdns.enable = true; + bind.enable = true; + }; networking.hostName = "dns01"; # Define your hostname. diff --git a/nixos/hosts/dns02/default.nix b/nixos/hosts/dns02/default.nix index 8bd8199..3abb963 100644 --- a/nixos/hosts/dns02/default.nix +++ b/nixos/hosts/dns02/default.nix 
@@ -16,6 +16,7 @@ openssh.enable = true; dnscrypt-proxy.enable = true; cfDdns.enable = true; + bind.enable = true; }; networking.hostName = "dns02"; # Define your hostname. diff --git a/nixos/hosts/rickenbacker/default.nix b/nixos/hosts/rickenbacker/default.nix index c6db737..1b5e588 100644 --- a/nixos/hosts/rickenbacker/default.nix +++ b/nixos/hosts/rickenbacker/default.nix @@ -11,13 +11,11 @@ services.openssh.enable = true; security.wheelNeedsSudoPassword = false; }; - mySystem.services.traefik.enable = true; # TODO build this in from flake host names networking.hostName = "rickenbacker"; - fileSystems."/" = { device = "/dev/disk/by-label/nixos"; diff --git a/nixos/hosts/shodan/default.nix b/nixos/hosts/shodan/default.nix index cf526d9..c515f86 100644 --- a/nixos/hosts/shodan/default.nix +++ b/nixos/hosts/shodan/default.nix @@ -15,7 +15,11 @@ openssh.enable = true; cockpit.enable = true; podman.enable = true; + traefik.enable = true; + sonarr.enable = true; + homepage.enable = true; }; + mySystem.nfs.nas.enable = true; boot = { diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix index 8d1b7d9..6e9f76b 100644 --- a/nixos/modules/default.nix +++ b/nixos/modules/default.nix @@ -2,4 +2,6 @@ mySystem = import ./nixos; + + } diff --git a/nixos/modules/nixos/containers/default.nix b/nixos/modules/nixos/containers/default.nix deleted file mode 100644 index bd2fdff..0000000 --- a/nixos/modules/nixos/containers/default.nix +++ /dev/null 
@@ -1,49 +0,0 @@ -{ lib -, config -, pkgs -, ... -}: - -with lib; -# let -# cfg = config.mySystem.xx.yy; -# in -{ - - imports = [ - ./traefik - ]; - - options.myLab.containers.fileRoot = mkOption { - type = lib.types.str; - description = "root file path for containers"; - default = "/persistence/containers/"; - }; - - # Email - options.myLab.email.adminFromAddr = mkOption { - type = lib.types.str; - description = "From address for admin emails"; - default = ""; - }; - options.myLab.email.adminToAddr = mkOption { - type = lib.types.str; - description = "Address for admin emails to be sent to"; - default = "admin@trux.dev"; - }; - options.myLab.email.smtpServer = mkOption { - type = lib.types.str; - description = "SMTP server address"; - default = ""; - }; - - config = mkIf cfg.enable { - - # CONFIG HERE - myLab.email.adminFromAddr = "admin@trux.dev"; - myLab.email.smtpServer = "dns02"; # forwards to maddy relay - - }; - - -} diff --git a/nixos/modules/nixos/containers/traefik/default.nix b/nixos/modules/nixos/containers/traefik/default.nix deleted file mode 100644 index 5092d67..0000000 --- a/nixos/modules/nixos/containers/traefik/default.nix +++ /dev/null 
@@ -1,84 +0,0 @@ -{ config, lib, vars, networksLocal, ... }: -let - internalIP = "0.0.0.0"; # TODO fix - directories = [ - "${config.myLab.containers.fileRoot}/traefik" - ]; - files = [ - "${config.myLab.containers.fileRoot}/traefik/acme.json" - ]; - cfg = config.myLab.containers.traefik; -in -{ - - options.myLab.containers.traefik.enable = lib.mkEnableOption "Traefik container"; - - config = lib.mkIf cfg.enable { - - networking.firewall.allowedTCPPorts = [ 9091 ]; - - sops.secrets.authelia-jwt = { owner = config.systemd.services.authelia-default.serviceConfig.User; }; - sops.secrets.authelia-sek = { owner = config.systemd.services.authelia-default.serviceConfig.User; }; - - services.authelia.instances.default = { - enable = true; - secrets = { - jwtSecretFile = config.sops.secrets.authelia-jwt.path; - storageEncryptionKeyFile = config.sops.secrets.authelia-sek.path; - }; - settings = { - log.level = "debug"; - theme = "dark"; - default_2fa_method = "totp"; - default_redirection_url = "https://passport.notohh.dev/"; - authentication_backend = { - file.path = "/var/lib/authelia-default/user.yml"; - }; - session = { - domain = "notohh.dev"; - expiration = 3600; - inactivity = 300; - }; - totp = { - issuer = "authelia.com"; - disable = false; - algorithm = "sha1"; - digits = 6; - period = 30; - skew = 1; - secret_size = 32; - }; - server = { - host = "0.0.0.0"; - port = 9091; - }; - access_control = { - default_policy = "deny"; - rules = [ - { - domain = "notohh.dev"; - policy = "bypass"; - } - ]; - }; - regulation = { - max_retries = 3; - find_time = 120; - ban_time = 300; - }; - notifier.filesystem = { - filename = "/var/lib/authelia-default/notif.txt"; - }; - storage.postgres = { - host = "192.168.1.211"; - port = 5432; - database = "authelia"; - schema = "public"; - username = "authelia"; - password = "authelia"; - }; - }; - }; - - }; -} diff --git a/nixos/modules/nixos/default.nix b/nixos/modules/nixos/default.nix index 5c3ca35..a67b19e 100644 
--- a/nixos/modules/nixos/default.nix +++ b/nixos/modules/nixos/default.nix @@ -1,3 +1,4 @@ +{ lib, ... }: { imports = [ ./system @@ -6,7 +7,14 @@ ./browser ./de ./editor - ./containers ./hardware ]; + + options.mySystem.persistentFolder = lib.mkOption { + type = lib.types.str; + description = "persistent folter for mutable files"; + default = "/persistent/nixos/"; + }; + + } diff --git a/nixos/modules/nixos/services/arr/default.nix b/nixos/modules/nixos/services/arr/default.nix new file mode 100644 index 0000000..6955140 --- /dev/null +++ b/nixos/modules/nixos/services/arr/default.nix @@ -0,0 +1,5 @@ +{ + imports = [ + ./sonarr + ]; +} diff --git a/nixos/modules/nixos/services/arr/sonarr/default.nix b/nixos/modules/nixos/services/arr/sonarr/default.nix new file mode 100644 index 0000000..d9484fc --- /dev/null +++ b/nixos/modules/nixos/services/arr/sonarr/default.nix 
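Review bot: The user-visible option description `description = "persistent folter for mutable files";` has a typo and should read `"persistent folder for mutable files"`. The default `"/persistent/nixos/"` also ends in a slash while the first consumer added in this commit (the sonarr module) builds `"${config.mySystem.persistentFolder}/sonarr"`, which yields `/persistent/nixos//sonarr` in the tmpfiles rule and the volume mount; dropping the trailing slash, `default = "/persistent/nixos";`, keeps the two sides consistent. The option's doc could also state the convention explicitly, e.g. `# absolute path, no trailing slash; consumers append "/<service>"`.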
@@ -0,0 +1,50 @@ +{ lib +, config +, pkgs +, ... +}: +with lib; +let + image = "ghcr.io/onedr0p/sonarr@sha256:04d8e198752b67df3f95c46144b507f437e7669f0088e7d2bbedf0e762606655"; + port = 8989; + cfg = config.mySystem.services.sonarr; + persistentFolder = "${config.mySystem.persistentFolder}/sonarr"; +in +{ + options.mySystem.services.sonarr.enable = mkEnableOption "Sonarr"; + + config = mkIf cfg.enable { + # ensure folder exist and has correct owner/group + systemd.tmpfiles.rules = [ + "d ${persistentFolder} 0755 568 568 -" #The - disables automatic cleanup, so the file wont be removed after a period + ]; + + virtualisation.oci-containers.containers.sonarr = { + image = "${image}"; + user = "568:568"; + environment = { + UMASK = "002"; + }; + volumes = [ + "${persistentFolder}:/config:rw" + "/mnt/nas/natflix/series:/media:rw" + "/etc/localtime:/etc/localtime:ro" + ]; + labels = { + "traefik.enable" = "true"; + "traefik.http.routers.sonarr.entrypoints" = "websecure"; + "traefik.http.routers.sonarr.middlewares" = "local-only@file"; + "traefik.http.services.sonarr.loadbalancer.server.port" = "${toString port}"; + + "homepage.group" = "Media"; + "homepage.name" = "Sonarr"; + "homepage.icon" = "sonarr.png"; + "homepage.href" = "https://sonarr.${config.networking.domain}"; + "homepage.description" = "Series manager"; + # "homepage.weight" = -70000; + "homepage.widget.type" = "sonarr"; + "homepage.widget.url" = "https://sonarr.${config.networking.domain}"; + }; + }; + }; +} diff --git a/nixos/modules/nixos/services/bind/default.nix b/nixos/modules/nixos/services/bind/default.nix new file mode 100644 index 0000000..ea3e005 --- /dev/null +++ b/nixos/modules/nixos/services/bind/default.nix 
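Review bot: `image = "${image}";` and `"${toString port}"` wrap values that are already strings in an interpolation; `inherit image;` and `toString port` express the same thing without the extra quoting. The router also depends on a `local-only` middleware supplied by Traefik's file provider (`local-only@file`), which is defined outside this hunk; if that name is absent Traefik drops the router, so Sonarr would become unreachable rather than exposed, and a comment naming the module that defines it, e.g. `# local-only@file: restricts to LAN ranges, defined in the traefik module`, would make the coupling visible. The tmpfiles comment `#The - disables automatic cleanup, so the file wont be removed after a period` could be tightened to `# "-" disables age-based cleanup of this directory`.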
@@ -0,0 +1,99 @@ +{ lib +, config +, ... +}: + +with lib; +let + cfg = config.mySystem.services.bind; + inherit (config.networking) domain; +in +{ + options.mySystem.services.bind.enable = mkEnableOption "bind"; + + config = mkIf cfg.enable { + + sops.secrets = { + + # configure secret for forwarding rules + "system/networking/bind/trux.dev".sopsFile = ./secrets.sops.yaml; + "system/networking/bind/trux.dev".mode = "0444"; # This is world-readable but theres nothing security related in the file + + # Restart dnscrypt when secret changes + "system/networking/bind/trux.dev".restartUnits = [ "bind.service" ]; + }; + + networking.resolvconf.useLocalResolver = mkForce false; + + services.bind = { + + enable = true; + + # Ended up having to do the cfg manually + # to bind the port 5353 + configFile = builtins.toFile "bind.cfg" '' + include "/etc/bind/rndc.key"; + controls { + inet 127.0.0.1 allow {localhost;} keys {"rndc-key";}; + }; + + acl cachenetworks { 10.8.10.0/24; 10.8.20.0/24; 10.8.30.0/24; 10.8.40.0/24; }; + acl badnetworks { }; + + options { + listen-on port 5353 { any; }; + allow-query { cachenetworks; }; + blackhole { badnetworks; }; + forward first; + forwarders { 10.8.10.1; }; + directory "/run/named"; + pid-file "/run/named/named.pid"; + listen-on port 5353 { any; }; + recursion yes; + dnssec-validation auto; + + }; + + logging { + channel stdout { + stderr; + severity info; + print-category yes; + print-severity yes; + print-time yes; + }; + category security { stdout; }; + category dnssec { stdout; }; + category default { stdout; }; + }; + acl "trusted" { + 10.8.10.0/24; # LAN + 10.8.12.0/24; # TRUSTED + 10.8.20.0/24; # SERVERS + 10.8.30.0/24; # IOT + 10.8.40.0/24; # KIDS + 10.8.50.0/24; # VIDEO + 10.8.60.0/24; # VIDEO + 10.8.11.0/24; # WIREGUARD + 10.5.0.0/24; # CONTAINERS + }; + + + zone "trux.dev." 
{ + type master; + file "${config.sops.secrets."system/networking/bind/trux.dev".path}"; + allow-transfer { + + }; + + allow-query { any; }; + + }; + + ''; + + }; + + }; +} + diff --git a/nixos/modules/nixos/services/bind/secrets.sops.yaml b/nixos/modules/nixos/services/bind/secrets.sops.yaml new file mode 100644 index 0000000..207cbe4 --- /dev/null +++ b/nixos/modules/nixos/services/bind/secrets.sops.yaml 
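Review bot: The zone block's `allow-query { any; };` overrides the options-level `allow-query { cachenetworks; };` for trux.dev, so combined with `listen-on port 5353 { any; };` every host that can reach the socket can query the internal zone, while the `acl "trusted"` defined just above is never referenced. If `any` is there because the local dnscrypt-proxy forwarder reaches 127.0.0.1:5353 (which `cachenetworks` does not cover), `allow-query { localhost; cachenetworks; };` keeps that path working without the wider exposure, and if the zone is only consumed locally, `listen-on port 5353 { 127.0.0.1; };` is tighter still (no firewall rule is added here, which fits that reading). Within the same block, `allow-transfer { }` relies on an empty match list meaning deny and is clearer as `allow-transfer { none; };`, `listen-on port 5353 { any; };` appears twice under `options`, the `domain` binding in `let` is unused, and the comment `# Restart dnscrypt when secret changes` should read `# Restart bind when secret changes`. The empty `nixos/modules/nixos/services/bind/zone` file added by this commit does not appear to be referenced by the module.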
@@ -0,0 +1,60 @@ +system: + networking: + bind: + trux.dev: ENC[AES256_GCM,data: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,iv:OzXHST/zSMD0lD2qroK92wTPFnt4o9GO5KGp4AgDHvw=,tag:+i/7/aFsqW2GafFmt70GIQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpNENody9xYlF1aEgzbWxH + NE5GM1JXNldrMUh2UFk3aWR5akJ6ZW5TNVJJCjFQRFNITEVtZ21FNG51V2xqdWRD + aTdUQ2sxTjNqOFdmUmduM081UVlJSVUKLS0tIEE5QXdmcWxtL2hrazZIQU1idWww + YjFlNTVCZnlQUzRvWDRWdmpnTTV1TncKNVl5mho/SaNCJroRUNGWLJWekOineIP1 + I4OsWaMoICMFFFYmNzK0hJW9De6YEHJUT9lQKN2Zjemx3g8lUOTxEQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBVFpCYnBQR0luVVlYM2Rt + dFdBMzhLVTJrRmNvYkFKdFAvVUg2SjRRbndrCkVZbVVwMG9aTWJ6bkkzbDdhU1lo + eE1uN2lwRFRTREFIYWFlTm1KVCtPblEKLS0tIGpvdDZUYjY3RzFoaGthVzRJMDE5 + dnZtWkZmVzJSV0hKTXRFdEttOFVaQ0EK+stoUbxm5lfUZwe2ffSdVOZ1ChkUfgDd + pnNCxN+wRT09yo3CsZ/cqV870ZPBHsdA2BKHsS7rFzrZXPszvrDN8Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwZUNmSTQ0NytJcXRxSVFv + aWF5eHc3UnNCUklHSjJpbWxRcUk5QitTb3pvClZIZ2tRL3dQT0xSOWoxVGFPVDUx + QXZGeDhqUXRqdzlqUkd4WUtDbHpVRTAKLS0tIGF5MTVoMkZ6RDg0dEp3Z3hqUWxw + R244RzJyNFFGRXZEVzI0Mk5QMytGTTAKTnrkumPqwdldpAqX9OUInJJhjsdV4ggh + 9FJPNdDlA7KZycfBvqEoo/j43rFjOQg36/FzWTjOtzmbX1NsylZZMg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpQ1ppWjRVQTE3R2NZQ2lB + 
L3pFbzhiMXZpaVArb3JOWWhuVkFDazFJUFY4CjI1OHZGN3dvbkdMN2tsTmNSMFlY + dm9kY2wvb0FzRi83eTlhdnNWVWpHWGMKLS0tIEI5WVlEOHAreEd5UzVDYWdQZGtR + dFZLZlMvUFVqSVVqYUIxQjYrNktsMGcKQrTtLyUKlSXZLntmB5COm1jG9sZqNuH+ + j5DJ9yTKyrl5Gosb8FcrX4sOcOj5aJKGihL+p7wLgFgr+EYW1ely2g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5dFpRcGVHK0RMVFN1cWpl + WWxFTEs0MTZndEtHKzJpWHMxeXZwYzFSbFZvCjRvdWVBcFZxd1RiaW5xb0hhZzFs + dENYSU1NOGxsdEhER1VyWWRiZGlaQjgKLS0tIHpnd2dQTHV6RllVMSs4Smt2d3g3 + Y094Y3dnRFEveFphV3J0LzUvK1dTMmsKHjpR7GViKdsR/Qx4/JKoVSWBi4DyujHj + nLMa1eEND32OwLg1VAK4m10toVl+wU5TAO0yZXx3tA132WNNtVRbUA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-06T06:13:02Z" + mac: ENC[AES256_GCM,data:g5mOOzAO8X009EzCY8dn1Ao+XXcEBwmjrlQyEp0KXapEnP+mntCokjxt3tJZ7U1T7SKkaVDweWbGWBwPqxm2WHDmJrFF7SHLaZ1GcIZ1TjBPGwOG5dQeDxspdU1eK2gS3E/JtMbIOKoDxD12dpH6jLJ3dlq+6Lcm8XoC8elNkWM=,iv:Wsby2DQXUnE9+7Bjk3Vp6/93uF5HoxKrzgcGKHTuW0A=,tag:F1z942D0nf8cBnMBeUEiSQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/nixos/modules/nixos/services/bind/zone b/nixos/modules/nixos/services/bind/zone new file mode 100644 index 0000000..e69de29 diff --git a/nixos/modules/nixos/services/cloudflare-dyndns/cloudflare-dyndns.sops.yaml b/nixos/modules/nixos/services/cloudflare-dyndns/cloudflare-dyndns.sops.yaml index 146fa65..12a2089 100644 --- a/nixos/modules/nixos/services/cloudflare-dyndns/cloudflare-dyndns.sops.yaml +++ b/nixos/modules/nixos/services/cloudflare-dyndns/cloudflare-dyndns.sops.yaml 
@@ -1,8 +1,8 @@ system: networking: - #ENC[AES256_GCM,data:UGDccdo5xL48r9VxuaY9QR2jfIdVZ0EZ84SKRO8dyZe7SIhvFUpX2tCEzVUMNPuDgXqoBSvWOP9WTEveunH56GknlOQdhZOYMb7T9Q==,iv:PLaSHpZRCu5xNsmWtz5UY+nTGGPow1YLppKZiZJz/9c=,tag:cePl/udz3BNSjVPqGVpmLg==,type:comment] + #ENC[AES256_GCM,data:B4f24DoMFOdKQrn9G/XVtZb+mT/9kXJnFZY8ND+pd/fLJkXxhrFAFbGKHPWxJXabIv1eehKe9a6F1752/HsNK05xo6fzPLZv9WJ6xQ==,iv:xFIa58J4DhIG8vHSZVXj6EXGmzoKU9DSHAlnrjx3dZ4=,tag:yYITOfuPBAOnymwl+8DziQ==,type:comment] cloudflare-dyndns: - apiTokenFile: ENC[AES256_GCM,data:6CggP0liJTWfD9HnpD6ALf7a9smRNEbuOYsyU6HnFqDtZj4U/mYzG+9fAv/SM+DYl7eSCdF2xzINyAbAVl6j8g2utEkRiitGEVv29vaQSpIBUFrjl4vJgw/AyXdB9r5fR6XXpc6baeO3ctsjaUmlgRxGmQ==,iv:YYh5sZVwJVKKnuTEbNujm3yL16gfL98pEnwU9ZX8618=,tag:162cpSSAdAZoOiAwPbFlTg==,type:str] + apiTokenFile: ENC[AES256_GCM,data:G342sbp0A6oXl5IycaBdb8LV0cdFlZFDNV6JKZJPIBH13VRviGvygyFX3RoGfJif5qLQGHcHpZk2jFKcOWcFHaORHnLvQdwGSFMk4dPZ8Vwzm7hy4oQZg5gEmPA6U1ctyk4utaUOMD9QLwVMEhgE1+UlUw==,iv:KqV5yd03zt7yjUlCz9c0dba8BSnvkYahemezLWyf2Vg=,tag:FPHnsHHaSLs5wl8Sj6ChAg==,type:str] sops: kms: [] gcp_kms: [] 
@@ -12,50 +12,50 @@ sops: - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBORnZQZEI2VU9tdEQ1VkZw - aFFxaThqS2VWVVljejNxNVovMHlNc2ZUdUNvCktyT1pTRGpSK1N3MXpMNFZuVVhL - UCtINGo3SDhSNmwyRkEzVGNTVVFlTE0KLS0tIDhvaFk0SVdHNFlhRkxEb0hLdkdu - QTFCVUg5VzJzOUlRcFBlR0puNGVGNlUKpdSYWZZPKq1Vw0pR8suOqqgzxDzKWaMx - Aft/TpSuS8m6603HlTw3LUyBOnIYJCFFsGJqVBF6Q1z6U4FPAfNnlA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxNkY1RU14VW1ycStweStL + Vm1sN28xblNhRmI1WXRYcnRuQVBMczJnQVhZCittbFc5djZsN3dKaklWY1V2ZHBl + R0RpVW1OSWQrVlFuNjNWOTNzMUdEVDAKLS0tIG1FZEdMZ1FlR0FEcWFXV2hlYnhv + SG9abFJVb3pnQ1hleG8vc3E3TmhZTzAK9Qk1Kb4nesOa+OFdf0YfXEMAlvronAfs + reC3efYY5u1fWCqaYqJScXdDOhFDcBQD77CXZqo3N5EIlwJESHmpSA== -----END AGE ENCRYPTED FILE----- - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzUzNqQ1U2aWV3WUVUZDdD - eXNhQUlBdGRndVJ1NXdXZlBNb0VvNzlFYnd3CjlRRm1FWTljL0VMbTB4M21HVDY3 - Y2oyTG50SUtIT29OZjhiZi83OCtpNm8KLS0tIFNYMkErVDFhTHhOVndQdUFHWUxZ - bG0xMG9heitnUGFNdk5ITWhKNERZbDgKX23jlQyLus3FzDQ55hIyUqqwlLbPeKxV - LJHaDfO4IOzIGrWFCwQZpCa8ZgQzUmnpqKZqvdTZuXibZEoyjV6GUA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZTVJueFpVWXkrc25vcU9R + YzVwT243UnM4RVJzVFNWZGdCNUFzZUgwaEcwCnVMMDJ4NHdkUGNOQ2kzdXAwV2l3 + dEFvdUc4STZ5bFNSNmQ1L2x4UUZDQUEKLS0tIER6dEZRcENFaFRRUTZNaWErTHN2 + b3VuYmhmdnduN215YitkTzZvVzFYTlUKG3SZTp7lJ9JoQhN+CobDui5z/9f60OL+ + 4mhi6bl4TNDCpJNgG0yy56iAwbs281es22QGerXv2Y8u2fofllHCtg== -----END AGE ENCRYPTED FILE----- - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxUFRMZHIyY3lFeVNnenky - bG1hdXoxSXo2akR1bGlHSHNZbzFOMGE3cW1FCjdzZUYzRFZrcXZvcTNSc3V5TE5n - T01Tem9oVDdYRlBST2tNNUpZTENOTkkKLS0tIENUdmxBajZpbFRoNXZzRVlvOVpJ - 
MnlaMHpGUGo1WmVMb2FsZ0o2Q3NuKzQK7n+HqB+7K6drnkNyc863wTfoohk90uWx - ehuz7kmZcdnwxpMX6hV2ynUumcVEqfR+jiUuF/eBpuPRQy/eejVm4Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrK0tvZXdhMjJSMzNwUURG + SEtVdU1IdExIcXh1RWdYUzUwaWV5U2hmcmlFCkNEYkxLWWhTeTBLNC9DL0FIMy9s + SzhoR1FJeGl3Znc0YnFCdW5OTnViRGcKLS0tIEUrZmxlMHFkazZWMm5QWmFJalhW + V2JLSTJlc2RIK0VFTENsUThJQ1ZtcVUK3fG8sPMGg2OdHS44H1kg9DaUnWrDcB+y + WtvxjeW0esEcZffZlzJmgeswwUVKamoN4A7lTMf8llq4ZBm+z8u8Zw== -----END AGE ENCRYPTED FILE----- - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlSExpSE1hUldqSnJoRDBj - L2xROXd3U2EvZ0xoek8ra1RqdVdaK2s5Q2dZCmdVWmJrZTc3Nis2L0NkSlJQK1pq - RmZ3aHU4YVlNcUVEemJsWGNjbEVIdUkKLS0tIEJDcmFmRUtjL3ltUjZKRmMyWW1O - VHZzVVZycld5alhKaC9BQ2dweVIweHMKF/qVYH7yvmFBVDyHb1PwJrHyP9Iq1HEg - EfiDfZK2acYkW3GsUmH0qS5v55RswYnEg+iiSMNn+Ii6mfI65bVVYw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3VnNuSURxQ0V5ZC9XVEdC + OXNwZHVsamJRR0ZxdFZodk51Slpqc2pjbHhvCnBHZ2plT0dxUzVDQUVtSnlYUVdj + VWZjaUdIVWRmQkRwZ2VVemZvOXgrUFUKLS0tIGdvTW1sK2VlNWRESE9Hc0ZBcHQx + SjNnWXhBMnNqZEhUMHdUbmJrdUFUTGMK43zbm2VyKcRpSRkhaf4BrWKiyyQbiKgY + fYAo9DwMjf/EQgeMv8n6c8zn2HLKWcs2+Oz/XrWOzypinrSl9TOZOw== -----END AGE ENCRYPTED FILE----- - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaaTNSWHM1eU92T2VMOXZD - b0R5Z2x3WloxOFhyMmkwQXp4U3lNM2xiZHhrCm9mcURMSmtUZ3VHd3lDbnp5dVVR - dHJyMkFBODMvbkpzUVl4ZUtxWmIrS1kKLS0tIHJTZ1FaYmlzUEhHWHVaWTVIRC9o - MGJLdkJpTkFGclRSZlBOOTVKd3BOa2sKbRf0BdD35bZpr8ESX1+NZ6rWxdI+x7fo - A6cIx6j8fVXvsKEipO3r4wSTqWhnY+DMzH9ZPGE5J74sx98DYVm6ig== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0UUx2ZWpCYVRlQUx6QUVG + WVl1NllRTXRnSDNTeTNXUWo2VFNuN0J1TW00CnFjTTlhUUJuMHczN21LaG9mZUlH + REJnU0k5R25hNU5mTkxiSzBKNW95d00KLS0tIFBFS1g1MDU1dDVwWXhtTjRJenVH + 
T0YySjh5dFAwcXo0QlhaRzB5S21yS0UKl0Cn8UMqk/TPkbVMp9ngj/gcpueQ3l4Y + 83m99p7uw+1kFbmI3lcxlflFcZXgVBreFM2wF+Ogb7T2zikg0q8FTQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-04-01T00:26:19Z" - mac: ENC[AES256_GCM,data:U21XeE4vqc96mBq1qmjpMfDZVJZQEXwpHTEjVd4lmbam8XTv5kxK8zYWlDN8WTMqKeYHnInvEdmKnXL+NDt6lDjoDl/97/dUoWJ2xNTBOlJb6C2n11GE+ppzgZBQMj9oWr5IuQ8jiSfTYOF3/zT/sh8SSWmooQ2CrS/B3PyjmwA=,iv:9+Na88c3woPLZcawxH+mFg03Hf8oCaILdRya1CwRMEQ=,tag:eDuSLJtkLzvk+N1ncc/jwQ==,type:str] + lastmodified: "2024-04-05T05:23:21Z" + mac: ENC[AES256_GCM,data:UbhMGGRrG1MBJUEoEX+22y3C3A2dLBhfnxod8+wH1FQgDfZYwIAiCHGfLVbIzkC7ANS6453FeXRNBBH5TW2ELsDDo4W8S13lSwA/1MUUK7st42nNXvOVIMeLHtCrRU++LwYWhEfOR9OIb6au9pk+hwCo1Z0V6nlcAv1bf0uDQNU=,iv:a2GZw4HMp4DCOe8BfA3HgqZIJ9iUmXbttmGoXAMnQZE=,tag:w8VUc2K+f3/Vg7eBu3VREA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/nixos/modules/nixos/services/cloudflare-dyndns/default.nix b/nixos/modules/nixos/services/cloudflare-dyndns/default.nix index e146c5f..174ec89 100644 --- a/nixos/modules/nixos/services/cloudflare-dyndns/default.nix +++ b/nixos/modules/nixos/services/cloudflare-dyndns/default.nix @@ -25,7 +25,7 @@ in sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".sopsFile = ./cloudflare-dyndns.sops.yaml; # Restart when secret changes - sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".restartUnits = [ "cloudflare-dyndns" ]; + sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".restartUnits = [ "cloudflare-dyndns.service" ]; networking.firewall = { allowedUDPPorts = [ 53 ]; diff --git a/nixos/modules/nixos/services/default.nix b/nixos/modules/nixos/services/default.nix index ebc2007..2d6efc9 100644 --- a/nixos/modules/nixos/services/default.nix +++ b/nixos/modules/nixos/services/default.nix @@ -9,5 +9,9 @@ ./podman ./traefik ./nfs + ./nix-serve + ./bind + ./arr + ./homepage ]; } 
diff --git a/nixos/modules/nixos/services/dnscrypt-proxy2/default.nix b/nixos/modules/nixos/services/dnscrypt-proxy2/default.nix index ac017be..0d0dc91 100644 --- a/nixos/modules/nixos/services/dnscrypt-proxy2/default.nix +++ b/nixos/modules/nixos/services/dnscrypt-proxy2/default.nix @@ -30,7 +30,7 @@ in "system/networking/dnscrypt-proxy2/forwarding-rules".mode = "0444"; # This is world-readable but theres nothing security related in the file # Restart dnscrypt when secret changes - "system/networking/dnscrypt-proxy2/forwarding-rules".restartUnits = [ "dnscrypt-proxy2" ]; + "system/networking/dnscrypt-proxy2/forwarding-rules".restartUnits = [ "dnscrypt-proxy2.service" ]; }; services.dnscrypt-proxy2 = { diff --git a/nixos/modules/nixos/services/dnscrypt-proxy2/dnscrypt-proxy2.sops.yaml b/nixos/modules/nixos/services/dnscrypt-proxy2/dnscrypt-proxy2.sops.yaml index 50ea825..2dbb8d5 100644 --- a/nixos/modules/nixos/services/dnscrypt-proxy2/dnscrypt-proxy2.sops.yaml +++ b/nixos/modules/nixos/services/dnscrypt-proxy2/dnscrypt-proxy2.sops.yaml @@ -1,7 +1,7 @@ system: networking: dnscrypt-proxy2: - forwarding-rules: ENC[AES256_GCM,data:I2MOqXfru2V2NDcrMfy8rwjIHKjt8ujk0GpGZRZgPRJv76P0jONja4Ft2b5j53CaM0A0dYHKc4A8ZbZgNzesVEvb5TK+wtQXziST7phRpJOpVPZjgHw3H8HD0l6mX7UmnIbv69e85UELG8Mv3DW7cRHCReelmec27+JNjhjhGUuyiNLdRxCS59D8P3p5Tdci1gMclbeXv+qv2VlWq8eIGMc5w6+0F4vVA9lhGUmWQLORtFOPLSmBn9xtx1R2Bm/itAzG+qJngAaF6o1Zm+lHvCydaddF/YJnsxk+EzwLS2RCb3+noE8cyS3S+eVCpSFmrtYB1MNREEZpBA+fXdkqSKVsNwCUgo2WJY78bPocNwQB9D/kuTnvILba8bC1pVdUH+xo0Ww7LS7j5+bp7xs9qwC9FRKgYKNReSoQn993R8n6VlqtJyqFLXtL55yIp+HSlu16jFiDP4rGjZtkxLQ21Y4=,iv:Jk4JLRzBYEIhoxgsRMXjvDNHVinuR0xjxTVTvED6lFo=,tag:4ILaKfjKM1r6MhYrOyU+Jg==,type:str] + forwarding-rules: ENC[AES256_GCM,data:P5GAwlcuUI2hXcJBzAPSQBviqi8z0ccz29sv1bsSx7lkD9isTaurylD07v3tlXFN,iv:lPIbdMpUMzyhnkakw4FSxvHolyNXMVuciwKK7jz9MMY=,tag:0pKhfclkbWbPBJ6/vs5a3w==,type:str] sops: kms: [] gcp_kms: [] 
@@ -11,50 +11,50 @@ sops: - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvbkZmSGlyMTJ6RjlGWENX - SUc3SU1MbGZMVmRuUWJIb2xQQlA5UFdGeDBZCmp3Y2o1Lzc4TnR4RXJTa1Rxdk5w - LzFFbUx2Q25QZUk3bklDVEVOajdPYk0KLS0tIHlBalM2RlFKQ1NKNFZHVXFUQWtV - VDNnQkp6ZTkwSW1peXJJTVN6TGtxYVkKDCpef2RICaAf1mSkW9V8i7siPP+gXa5r - SNOlY5EDDU9wQ54GEWJHMz7kzaAAPQH4hXz1JdoO+Z2P2yr7pLdjAg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiU2V4cmpHZ0hhRUlDNTU4 + c0FGTGxCTzNTTUJxN2lkZmZQUVlCRFVxZld3ClU2TmpxcHFvR0lZeVUxZ0x1YmFC + bFZ4QlQvajNxYTByenlDVXNJb0dGNEEKLS0tIFQvaUhCYnE4MWc1bFZtSlB6cDFq + aTJyS2RGWFJTNEd3Rlo3dVN6UjhlUVEKZvaWNTcKkSzLDsQ99S3/d9eQ350QM+e0 + R19K1QHuljx3vKV+LhnJ+fCUL5bnIhvDCFVnWBWGirVzJNp4iwfuWw== -----END AGE ENCRYPTED FILE----- - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVk5jeklpdEhLTERqWnhO - ZkZsRytWNk1MUlBrSW8xTlpOOW5xWUZlbnpZClhKNDRRTE0yWXNnRHljckIzM2tY - OVlWWlYxVGNFcitORFdmbnlUTkJkZ2sKLS0tIEFETndzSktuYlpmK3NmL2Q1L3A5 - NzJLa2ZuUHppOExxZGhnandMRHR0N0kK/zHkmxJIFH5D88z92QkKrDrGApj2QGoU - LkvIOSgGjEy2juzsGsjVJdu/61g7iaGO6IpHktuniyEgwnLwn+ApOw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnbnR4T1d4M3pKdExGYUZZ + Y0R4WVNLZnZJTmhqVW4vSzJwZjkxdk92N3lNCk9iWmJNZHVZVDFINEErRi9JZjBZ + MDEyM1Q3cGZDWkUyZEZhaVo3K2FpUjgKLS0tIEhHR0dTak43T3pDcUtvYk02aFZZ + M2w2RDV4UmY1Zll5WjdxSWIxZVhVMUUKAvOmavnidng3QxxHaVqQKwq9TMgbusOE + SnBx1ShiX0m7ZBLHPzcHuwzEOxYRvpKuV1tVDVbROPfaOYusgIMa+A== -----END AGE ENCRYPTED FILE----- - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVSDNpQ0ZBS3FqZlFKelVr - NGRYdW9QNVA0THVLdGdQZElRVndmcmFoMzE4CmVUcVlLdGZuYi9XU0YydFNWLzBD - M3pLWmlDV0Vld3k2SXoyRkJ6a1hIWVEKLS0tIHJQamFiZklzby9UQlROVTFPT0tt - 
dnhReTcxeDE0NE1RNWRMN3JCOXVMTFkK8koum0Wlxgo52yDTRYCRFToQw16+iXFu - +bzDHf9DjqvZzkZH2gEeS33meexZxyUcD/nWUQvyNcbhVO49tIb90w== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRaWV0VGZFc0toUXJURURF + eDRKMGV6UktYWVRUcFJKVTdiQ3h6LzhlV2tRCjVMZkFqWGZCV1Q5OFBkOW1lWnFj + NGFMVXBNbVF4azlUV3dLZFB3aHdnZk0KLS0tIEFObC9ING4wRUtwZXhOS2VRcnR3 + NnkrVjdGcFE0cGtEY0Vub3Z5R09zVWcKEjgqoO+4n02mwa8idy1FdASqoCkB4Ooe + j04tUVa0xufui6gITvO9DBgXbSdni5wbtabZNJ13S3dgWVY4CiDuYw== -----END AGE ENCRYPTED FILE----- - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSR3M5VG9GaDkyK21wOVda - WnluaERvelJ6bS9raS9DLzBCMXc1S1g1djBRCmhWYVdFeEY0bmpKSnN2bjBOKzQ4 - ckpoNGNmY0hLSTRBT2txQnEyY0hBTGsKLS0tIHY3NWN4RjRJVkdlN3JrS2krZXdn - UVNSN29uQlh4WEVRVWd0a1FBNGY4VjQKMG2zUS+jehQGNo1OI2gQF0InKDzd15PM - wyyitNB3Lh5JViREQHbYe2DrDA15W6iV5bTIzzf9zToR6+ouRBgzFA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6aC9hTTB1enJYcUpiUHZS + eENnaEhPL3JIeGp5QmczQ1pSMTRmejZ1L0FNCldzM2FFSm9NaTNGTHVmNTJwVW9F + YXIrSGFsWG05U0NXdWg2VUQ1NDVyYWsKLS0tIFQxd2hpMXJRWXhJclFzQjVzZWFI + VHdoVHJnNit3OE5mU2YvTjYxSmxkcXcKBips96WiE/NI7GWZVUOzdJSTIyoG4U4R + haVYaHJJ1xW/E7WqJKn/E+wiMHFNcQJFOi6/JkWGLCkEE5tDLSDibw== -----END AGE ENCRYPTED FILE----- - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjcnd3d2JoWWtldXVQc0sr - bEkrYXN3OXVGZWFLNHlPenQ0eW1ISjNKK1ZRCjdxUWI0bUttRzlUOHRrZFhpd2Fq - TjFmWTNBWFJFOWluam9vOEQwNEVHQ2sKLS0tIFJlTFp0Z2VVRm02OGp2R0IwTUdT - dkEybVp1OEhZR0JURFJqRW5nSURxME0KZcZj9YFuSvqM5bXbZQy44t4630p2aaAw - H/yhO37jNToYUpmsbpCEYcZPfjkHkc/gKPyTcKSsUFusQAds1q6/Cg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVY0pEaVR5NWMzR29YQUFY + R1p2ZFdEaVN1NXYzMW9oR3V2aXJxdDR2QlFvCmxsVDBCQUZnRllvY3NEMm1DQXpj + aDRCZjlnM0xZaVpTVlpXd08wU1VIR3cKLS0tIHo5TGNmMXZHSXpYQW5ITHpwTWJE + 
a1hDZXkxSG9FR0laYW9nZXFnN0NyUUUKa9dtMzPzZqWi1Z6gBxOh355Om8865AT5 + j0SjD1Zl00RvaC6mZQrhOB6Aq+eYHe3w29jkmkAGvIHXH8p1fNt8Hg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-04-01T00:26:19Z" - mac: ENC[AES256_GCM,data:+bAkGkkh+sPnZlG+E8+5/tZxX3W6yBTB/mSUeHKsEjv2ymo4HU5Vdef3iw4xnLBK/Kh94R0AQLd/jRJ8034Z07qBjCHttl9k5tRWyG1qZeEzZX8OOggig3PuiLv9hE0fJ+D0MX7rDy6XMyUDmaB46/TKiYPmlh8WOCB4yjjRr+Q=,iv:CsRGS8swKLEy0x3njmY+ExICDp97P9xdg0ERLonRKoQ=,tag:GYJIMpWXnOcktIL8GMUYfQ==,type:str] + lastmodified: "2024-04-06T05:12:13Z" + mac: ENC[AES256_GCM,data:JVJ58TeYh66P6PuhSeCAZpXS5tu4H33rG5GZcJYorhT8Bldn72CTo9AhyhNzVHhfK1fIPI6VLyQM5rBUxBQVHWufx8hnYDrhBQdR9d3po8KKnyfpNgYS0rhifYyon5GUl4BW89RaD45+ZbrE1kIsqCYwwim/bcVYqXuRh1CGYeA=,iv:lRU08rccGMH5ykhSE8bREkog4ftXUporCj+YMsOmUN8=,tag:tIekpP6QIp1Ce2s4a2qO8Q==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/nixos/modules/nixos/services/homepage/default.nix b/nixos/modules/nixos/services/homepage/default.nix new file mode 100644 index 0000000..c6b2e4a --- /dev/null +++ b/nixos/modules/nixos/services/homepage/default.nix 
@@ -0,0 +1,49 @@
+{ lib
+, config
+, pkgs
+, ...
+}:
+with lib;
+let
+ app = "homepage";
+ image = "ghcr.io/gethomepage/homepage:v0.8.10";
+ user = "568"; #string
+ group = "568"; #string
+ port = 3000; #int
+ persistentFolder = "${config.mySystem.persistentFolder}/${app}";
+
+ cfg = config.mySystem.services.homepage;
+in
+{
+ options.mySystem.services.homepage.enable = mkEnableOption "Homepage dashboard";
+
+ config = mkIf cfg.enable {
+
+ # ensure folder exist and has correct owner/group
+ systemd.tmpfiles.rules = [
+ "d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
+ ];
+
+ virtualisation.oci-containers.containers.${app} = {
+ image = "${image}";
+ user = "${user}:${group}";
+ environment = {
+ UMASK = "002";
+ PUID = "${user}";
+ PGID = "${group}";
+ };
+ labels = {
+ "traefik.enable" = "true";
+ "traefik.http.routers.${app}.entrypoints" = "websecure";
+ "traefik.http.routers.${app}.middlewares" = "local-only@file";
+ "traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
+ };
+ # mount socket for service discovery.
+ volumes = [
+ "${persistentFolder}:/app/config:rw"
+ "/var/run/podman/podman.sock:/var/run/docker.sock:ro" # TODO abstract out podman/docker socket
+ ];
+
+ };
+ };
+}
diff --git a/nixos/modules/nixos/services/maddy/default.nix b/nixos/modules/nixos/services/maddy/default.nix
index c0b081e..5ac4a51 100644
--- a/nixos/modules/nixos/services/maddy/default.nix
+++ b/nixos/modules/nixos/services/maddy/default.nix
@@ -18,7 +18,7 @@ in
 group = "maddy";
 };
- sops.secrets."system/mail/maddy/envFile".restartUnits = [ "maddy" ];
+ sops.secrets."system/mail/maddy/envFile".restartUnits = [ "maddy.service" ];
 services.maddy = {
 enable = true;
diff --git a/nixos/modules/nixos/services/maddy/maddy.sops.yaml b/nixos/modules/nixos/services/maddy/maddy.sops.yaml
index 805b337..2492489 100644
--- a/nixos/modules/nixos/services/maddy/maddy.sops.yaml
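Review bot: The bind of `/var/run/podman/podman.sock` in the `volumes` list hands the dashboard container full control of the container runtime, because anything that can talk to that socket can start containers and mount the host filesystem; the `:ro` flag only makes the socket node read-only on the mount and does not restrict the API calls sent over it. If Homepage only needs to list containers, front the socket with a proxy that exposes the read-only endpoints and mount that instead, and say so in place of `# mount socket for service discovery.`. The container runs as `568:568`, so unless that uid or gid is granted access to the socket the integration presumably fails closed rather than working; verify which. Pinning `image` by tag is good, pinning by digest would additionally guard against the tag being re-pointed.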
+++ b/nixos/modules/nixos/services/maddy/maddy.sops.yaml @@ -1,7 +1,7 @@ system: mail: maddy: - envFile: ENC[AES256_GCM,data:43LVInxptreur8lHPNz5494OrGhe2aKqy//bDd9n4Pb9bMYnmN2hru64TpOCeKb4b7KUDrp5kWXdy9Q0njpdbdBprgKFXygVw8JuB1aDYlv9+RN2JntIa3dAhsgL26d8VC67tjsMXZUcinR69I3SfIVp0o2T45WhG4IT1rnBWX0mGug=,iv:Uy6OaCzayAqMhvFCF4Ho5Om810Qxi2yFIqmz6NU3L8Q=,tag:WizECPn2ip3dQ0gidMaHyQ==,type:str] + envFile: ENC[AES256_GCM,data:dHk1pvPlQ46sKDKoZE3OCZ6OxL9gwRpPnu7Q8o9BNmLB8tkxbEudc03Tj956Tf2waghH395O4/Ab2/clyXBZA735+3s0R8ZZX9LDPr47i0MxEhlB9Am/Sa8dg9ivjK8gvlp6oipuvlDmdmfKdP1/DiRd4a+PO9APVPTvFvPTHd9Jy8Y=,iv:x6uZU4XRdtSellvLUTr8aydrLL6k5jhgLoG1n1Zo0P0=,tag:0y2FPDz6psEQglQvus+BuA==,type:str] sops: kms: [] gcp_kms: [] 
@@ -11,50 +11,50 @@ sops: - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtcUtQcU56aGhOU3hDRis2 - bGFkUFhnT3BUSFhOWFFydnI4SmdkKzlJRlR3Cjh1MkRyS0tFeEM3bWhhNnFmSWNC - UzhSRjJiN1VpTlNJUWkvcU54T0MyR0UKLS0tIHhNNHNBaXhvaGtIdE10YUo2MnZi - VEdEczl3b2UxZldBWkVzRWZ2RzZkZHMKofrWTXa5aedNl7uVVQF3TbysG2L6mtb/ - 5hYiKHsdgPyxQWL3V727GM7xhS5Jd/O/F3Nc8zGCgCCGmBe3Uf5+nA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRd3VjeUxzR3d1S0NFQ1dI + YVJHNjZKYnZneHJ4RG1NclJySThiVXBNd1JVCkVTc0tjWUpnQmxKS0hhalVzN1N0 + ZFNqZzFFbWYxU2ZrV2RnK01yTEk1eGsKLS0tIElRREpyM2F4L2cvNnhHMG9HcU8y + SGVyeWlUR2RrNElwKzlzdXVsMG5QRWsKnZQXvig6jOCam2Pzt/TxXn6KqbNicvyN + FXm6ObTz7FXj3AcSAWs+Pvsh/BQyk+87iHtgMIgaZnV1WQi7GybW8A== -----END AGE ENCRYPTED FILE----- - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6bUFTeE9sMHVBN1RmNWhj - czdaMjBjb2grTk1XWUp5emx4Q2ZsSHpIL0VjCnBVUnE2QjdTTUNON09qRkpnMEVs - SmRoUFpmMmlZSGpyVGZIV3Q0MDMvUTAKLS0tIEI1ck5ySVhWemdpdnE1NUxCZ0Zt - eWtodW5yeG9tR2xCSTNRcTFaNDRkMXMKmuIyJlHmU7gL/iqn0L55TfCZ32/LRnLz - aZ9vqWGNvXjF4UsmhC1ChI3wUaAgXGvWl0roym/d3BTDV/rrIG31Hw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZQ3l0a1VvcFhLTHBqTTVy + emhuK05yaXE4NlNIRmJvdklBZFczdlJtbnlNCmlXa0ttU1dFZGFJSE9TQittQjhv + S2h5NkZnQmQ3L0grUmNRY3lueDNKZVUKLS0tIFNDWlRUaTZxa1RRUUxIand6d3Na + dURrcTgvVVVnYWxYS2ZXNHI2dXB6RW8KQ2ApgWJ9bvpxwSV5ppwFT8pRyalqs5Wf + 4p28ICtASrX58mOkITr3otZUlvHUMCWApr/ued8PSL6k3UoNOnTp4Q== -----END AGE ENCRYPTED FILE----- - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwcUxpSFR2WGNEMHQ0QTcz - dTYzdWhRTEdwYW5sUTFMZkZPNTRnbmFnekJvCllTOFNMTk9MTGJRWFdGaGhBUlkx - WVZDVGNWZ1BPRFVwLzVFbklyVzYzTGsKLS0tIEprLy9IQ3ZycGJySWoxRG5QdFU4 - 
azRaYnNhNzlHWFlpTGloc1JyS3dOWEUKcGY320t9R7z7wM1ebUF3QQdQzB0FMZtX - W45AWV+CWVce9qBm9OFVwluiJQD+m1BxLVxM1EmaNBBsT7PUleserg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0UkRaVzJxaFYxWmY2SFNl + c1UyQ25tNmFuNFlRRDQvRHlrZitsak9GSVNnCnUvYzVOaUh3T0hTMitKd3ltdG9q + M0YrVTFEYk1SMDczODhiWVdZYTRqREkKLS0tIEEwWFhCOVJ6M3J2dEsvamx0empa + a01rRENJcGx1d2xHVWpubnJvaFNETTAKqVlKYvpowONBqJMPli43L/l6mklsj2eM + 9H9JLhg9QYvbMIYy7X4UsMZWAW9OqrSQGi/BvL1L72LSjfT7BWRuRg== -----END AGE ENCRYPTED FILE----- - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRMUROaDE2NDhzUTJYTThj - U0loNnpKUTJrWkVmeEI3Uk9tN2gzNm5ZYVVzCkhCNWcyL29SVTB5UjVnNHlrNy9Y - Z2wrd1RudnRoYjRhZUJoUzdzVm9KemcKLS0tIFQvbzUwQ0lDcko0VHRPVDRFckFk - T1RYa2J6V2FqRjUwb1ZpaHBBa2kvMncKwI9MAHNrZUD/3bEqYQ7bE65cZt9JAQ2p - s0nPt+izl384aYuEeOP2uGW7GyaSvG8sVytpyxOZ4DIAWdjzoWLxbQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtMEpQc3RVTDVOWlI5OFZE + RGZsU3RUUWxtY3Z1SGFkNU5GeGdsZmROcUNBCnc1MGZ5eFBobmUyMThCVmJUelp5 + UW1JZUZJaFlPelExeGNmWXlNTzVwZm8KLS0tIFljK2c4RzFDVlZHek1oM2c5SU5j + VE1OUXBHeHEvZzVpSDF5OE9GaWxhNjQKo+m+AThAjdBXjy266bIVRbpJ9STSAvkK + 6h1MRpK2CpFjNOJWL5Yv7wGIOqYyx++y2Sz3TOD842PEzNdpAmrf/A== -----END AGE ENCRYPTED FILE----- - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGTEZlUmlRSjRxNWdpSVY3 - TXl4SGZZYW1lVkRqa1VON3k5TWJCTjFacXhvCkxRR3RqbnBxemQzMUs1NW5EczVm - OWtTQm9zWkdiWmFGdHZKdU52aG5jQU0KLS0tIFEzellhYWFnSFJaZmRlVjlpeWNX - bTd2MExRU3Z5QzY5dEdEdzUvN2R4QzAKqOsV6f+NrCiOqELmJ5JJNnkxVKp3kQwy - MEkudjQ3tj+iw8C5tlIsixnT2Azbj3FcSAdTwPc1yRQ5WCyf6VTA5w== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5YzhHRXl6Yyt5QVFNZzlV + N1l6ZmRoMTl6WGZPQlduYTRyWVVweWtDL1NrCnIxejdvaFNDNHo5RnZUZ1NPako5 + QmxVd3IyUXFXNGZpWVRpMTNsaFFCa0UKLS0tIGR0V2tYUkw3NjZsd29tbTl0U2Y5 + 
UGZ5SUUvbEdOcm9ZZ2FPeEJNQTJmeVkK9e4K6Zz7oaLWo66pLDJu5fCtJlpjE+gz + dApChQV1+oPnTynpCQ4PCxC4X4L5sfxCqIR8uwRAkse6I/DUNWhiDA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-04-01T00:26:19Z" - mac: ENC[AES256_GCM,data:e2S19cJ1yA3J7UAOdMR0zqUx5KMzNg+JZ46Ux21Ph/8d9CXfRo1avHwl6EtWdSaMdLUHDqwzR+7fp1NVcP/fYBOhjHLhOgV1IWBfqA1Vche2MffQyi2dPYiDX7idHsh2eW3PhhXi821YtWEqv2Rmiani9gQJTjyXJkghy5JbbHw=,iv:FNveFjSPp1byfvuKy43DUjELoUu+axuElSa3RXAdV/Y=,tag:B03Hpaib8dVcFMD16vkYmA==,type:str] + lastmodified: "2024-04-05T05:23:21Z" + mac: ENC[AES256_GCM,data:2zzSM4qqG/8XSm5gxBE8V4b4eRF46SNuOrXbDzK8ovGRu+BzbhYg1f2duf+p1m3flNu6n9WoR5HltjVDpdetg8ut85j/4AEnDKIVgPJPcjcJaVk0TKUdIGp/DAJ9hs8U6gTmKavxByBfOzhQiX/U7ewzC9GeQbU/MfdNrmC2qVI=,iv:wbjpidsVF6p4rLlGHgSQISA0JjK6MfogFrjhVkl1Sw0=,tag:9CXy2SnEBY9xLjC2UfL2kg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/nixos/modules/nixos/services/nix-serve/default.nix b/nixos/modules/nixos/services/nix-serve/default.nix new file mode 100644 index 0000000..b449fa3 --- /dev/null +++ b/nixos/modules/nixos/services/nix-serve/default.nix @@ -0,0 +1,24 @@ +{ lib +, config +, pkgs +, ... +}: +with lib; +let + cfg = config.mySystem.services.nix-serve; +in +{ + options.mySystem.services.nix-serve.enable = mkEnableOption "nix-serve"; + + # enable nix serve binary cache + # you can test its working with `nix store ping --store http://10.8.20.33:5000` + config.services.nix-serve = mkIf cfg.enable { + + enable = true; + package = pkgs.nix-serve-ng; + openFirewall = true; + + }; + + +} diff --git a/nixos/modules/nixos/services/podman/default.nix b/nixos/modules/nixos/services/podman/default.nix index ecfc260..81716fc 100644 --- a/nixos/modules/nixos/services/podman/default.nix +++ b/nixos/modules/nixos/services/podman/default.nix @@ -15,6 +15,7 @@ in { virtualisation.podman = { enable = true; + dockerCompat = true; extraPackages = [ pkgs.zfs ]; defaultNetwork.settings = { 
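Review bot: `services.nix-serve` is enabled with `openFirewall = true` but without `secretKeyFile`, so the cache serves unsigned narinfos that clients with the default `require-sigs` setting will reject, while its port is opened on every interface. Generate a key pair with `nix-store --generate-binary-cache-key`, keep the private half in sops like the other modules in this commit, set `secretKeyFile` to the decrypted path, and add the public half to `trusted-public-keys` on the consumers as nix.nix already does for the cachix caches. The `nix store ping` comment hard-codes an address and port that this module never sets; noting that the port is nix-serve's default would save the next reader a lookup.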
@@ -25,6 +26,8 @@ in backend = "podman"; }; networking.firewall.interfaces.podman0.allowedUDPPorts = [ 53 ]; + + }; } diff --git a/nixos/modules/nixos/services/traefik/default.nix b/nixos/modules/nixos/services/traefik/default.nix index 9742677..cc74f75 100644 --- a/nixos/modules/nixos/services/traefik/default.nix +++ b/nixos/modules/nixos/services/traefik/default.nix @@ -3,6 +3,7 @@ , pkgs , ... }: +# ref: https://github.com/rishid/nix-config/blob/be0d5cbbe4df79ed2b2ba4714456f21777c72b38/modules/traefik/default.nix#L170 with lib; let cfg = config.mySystem.services.traefik; 
@@ -10,18 +11,159 @@ in { options.mySystem.services.traefik.enable = mkEnableOption "Traefik reverse proxy"; + # TODO add to homepage + # modules.homepage.infrastructure-services = [{ + # Traefik = { + # icon = "traefik.svg"; + # description = "Reverse proxy"; + # href = "https://traefik.dhupar.xyz:444"; + # }; + # }]; + config = mkIf cfg.enable { + networking.firewall.allowedTCPPorts = [ 80 443 ]; + + sops.secrets."system/services/traefik/apiTokenFile".sopsFile = ./secrets.sops.yaml; + + # Restart when secret changes + sops.secrets."system/services/traefik/apiTokenFile".restartUnits = [ "traefik.service" ]; + + systemd.services.traefik = { + serviceConfig.EnvironmentFile = [ + config.sops.secrets."system/services/traefik/apiTokenFile".path + ]; + }; + services.traefik = { enable = true; - staticConfigOptions = { - api.dashboard = true; - api.insecure = true; + group = "podman"; # podman backend, required to access socket - serversTransport = { - # Disable backend certificate verification. 
- insecureSkipVerify = true; + dataDir = "${config.mySystem.persistentFolder}/traefik/"; + # Required so traefik is permitted to watch docker events + # group = "docker"; + + staticConfigOptions = { + + global = { + checkNewVersion = false; + sendAnonymousUsage = false; }; + + api.dashboard = true; + log.level = "DEBUG"; + + # Allow backend services to have self-signed certs + serversTransport.insecureSkipVerify = true; + + providers.docker = { + endpoint = "unix:///var/run/podman/podman.sock"; + # endpoint = "tcp://127.0.0.1:2375"; + exposedByDefault = false; + defaultRule = "Host(`{{ normalize .Name }}.${config.networking.domain}`)"; + # network = "proxy"; + }; + + # Listen on port 80 and redirect to port 443 + entryPoints.web = { + address = ":80"; + http.redirections.entrypoint.to = "websecure"; + }; + + # Run everything SSL + entryPoints.websecure = { + address = ":443"; + http = { + tls = { + certresolver = "letsencrypt"; + domains.main = "${config.networking.domain}"; + domains.sans = "*.${config.networking.domain}"; + }; + }; + http3 = { }; + }; + + certificatesResolvers.letsencrypt.acme = { + dnsChallenge.provider = "cloudflare"; + keyType = "EC256"; + storage = "${config.services.traefik.dataDir}/acme.json"; + }; + # }; + }; + # Dynamic configuration + dynamicConfigOptions = { + + http.middlewares = { + # Whitelist local network and VPN addresses + local-only.ipWhiteList.sourceRange = [ + "127.0.0.1/32" # localhost + "192.168.0.0/16" # RFC1918 + "10.0.0.0/8" # RFC1918 + "172.16.0.0/12" # RFC1918 (docker network) + ]; + + # authelia = { + # # Forward requests w/ middlewares=authelia@file to authelia. 
+ # forwardAuth = { + # # address = cfg.autheliaUrl; + # address = "http://localhost:9092/api/verify?rd=https://auth.dhupar.xyz:444/"; + # trustForwardHeader = true; + # authResponseHeaders = [ + # "Remote-User" + # "Remote-Name" + # "Remote-Email" + # "Remote-Groups" + # ]; + # }; + # }; + # authelia-basic = { + # # Forward requests w/ middlewares=authelia-basic@file to authelia. + # forwardAuth = { + # address = "http://localhost:9092/api/verify?auth=basic"; + # trustForwardHeader = true; + # authResponseHeaders = [ + # "Remote-User" + # "Remote-Name" + # "Remote-Email" + # "Remote-Groups" + # ]; + # }; + # }; + # https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview/#forwardauth-with-static-upstreams-configuration + # auth-headers = { + # browserXssFilter = true; + # contentTypeNosniff = true; + # forceSTSHeader = true; + # frameDeny = true; + # sslHost = domain; + # sslRedirect = true; + # stsIncludeSubdomains = true; + # stsPreload = true; + # stsSeconds = 315360000; + # }; + }; + + tls.options.default = { + minVersion = "VersionTLS13"; + sniStrict = true; + }; + + # Set up wildcard domain certificates for both *.hostname.domain and *.local.domain + http.routers = { + traefik = { + entrypoints = "websecure"; + rule = "Host(`traefik.${config.networking.domain}`)"; + tls.certresolver = "letsencrypt"; + tls.domains = [{ + main = "${config.networking.domain}"; + sans = "*.${config.networking.domain}"; + }]; + middlewares = "local-only@file"; + service = "api@internal"; + }; + + }; + }; }; }; diff --git a/nixos/modules/nixos/services/traefik/secrets.sops.yaml b/nixos/modules/nixos/services/traefik/secrets.sops.yaml new file mode 100644 index 0000000..904b85c --- /dev/null +++ b/nixos/modules/nixos/services/traefik/secrets.sops.yaml 
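Review bot: `http3 = { }` on the `websecure` entrypoint is unreachable as configured, because `networking.firewall.allowedTCPPorts = [ 80 443 ]` opens TCP only and HTTP/3 runs over UDP; add `networking.firewall.allowedUDPPorts = [ 443 ];` (plus `experimental.http3 = true` in `staticConfigOptions` if the packaged Traefik is still a 2.x release) or drop the block so clients are not offered an Alt-Svc they cannot use. `group = "podman"` together with the `providers.docker` socket endpoint gives the traefik service root-equivalent control of the container runtime, and a socket proxy exposing only the read-only container and event endpoints keeps label discovery working with far less exposure. `log.level = "DEBUG"` records request details and `serversTransport.insecureSkipVerify = true` applies to every backend, so each deserves a comment stating it is deliberate rather than a leftover from debugging. The `local-only` list admits `172.16.0.0/12` with the comment `# RFC1918 (docker network)`, which means any container on the podman network passes the middleware guarding the `api@internal` dashboard router; worth a comment if that is intended, and `ipWhiteList` is the Traefik 2.x key name (3.x calls it `ipAllowList`), so confirm against the version nixpkgs provides. The module's closing brace lies outside the hunk.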
@@ -0,0 +1,61 @@ +system: + services: + #ENC[AES256_GCM,data:L5ZUZZoFkMaTErRqwkG03SVET5x6AVL+4OvX6ukQlvFX+P9ICYY6lDGDmJARUXDm2yW6hllqA2FxoteFXT5LEikraLywI5jGDgQMGw==,iv:fHYZ9LBvFVT24xeN7HSjlNhFse/MIhb6/3XCUbdCppA=,tag:tq+MbSt+jhvNJfdpuQ5ddg==,type:comment] + traefik: + apiTokenFile: ENC[AES256_GCM,data:hVIUCHU/AU6SOGt7JEVYuE55LlT7AhSuRpkCEWrsKxhy0K5jRZhYb4G30sXrOv80gb8T82ItYjpi5ytckGq325A4Uzn2dYQ4P9sv1uRxrcJrSOuMvpeWnijT33wbxn/fcg==,iv:5065MjT63rYvx/+ivfVha/+VxaTaHicfmshPI/9qfYw=,tag:S7t/Fr5R30lwO3KvuDjHWw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLbVBCZGdUU3dJR0VXMUQ2 + ZUhYcEZkYVBRZkxteGkzaXdDNUVzNjdFUWxrCkgwcXZYZlZ2Wk1KbDg2VGpmZXQ5 + K3ZxR21FZGpJWFpSakltdzN6MUh0b28KLS0tIHRDK2dKQ1Q0UGpBM2oyYzhuSGo2 + TWFTYnpYbDZPeUVtbTdXNm84RFJoaDQKFB0HX9yJ6D5jQRd8qUsLUy4ZcweYv1Qh + BJlQJOlMi+OliSiWOPsI8L8SJSTWJvy6ZX/LcebuQ0tlXeNd3HYAQQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBTXp6aExQTVh4OFVKV1Nz + UU0zbEJnR3Nvb256TllyYXg4OTVOektoSURnCllWZUpwc3ZObjlWT0YyLzRiQ0dM + Sy9GSCtsTkZyVkJ1dDJnbmh2ZHdrZG8KLS0tIDRPakxzRWt6ckRzZzVZQzN6RVlU + MEhwbFpIK3hTeGttS0x3Q0dHdHZhNG8KovgKj2k7N/lpGT2j+e1u+3uX3EAMwAwt + uHI2LqEtfaMJZQvsP409G4QkEy+o7GJ7N3LpAXFAPvnJbH5/n7WxiA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCZjFiSDIzMVVNMmk3ZlBn + SFFpbE10Q0ZZMlhGbElMTURjeDFhUmlnNmdrCk55ZHY0Y3o2SGtaM2ZOTE5QOFo1 + WVdEWGtzWTIxbWtXMmF5V3JvVjBpVFEKLS0tIEtVMldydlRvdHJLYzVnQy9kUnNZ + OHJUSlBlQ3Rhb1RYUVNQSWNLWU5NOGcKEHjjav+ACT+HQ9haoMfRei7cAOPugMDs + 
JsSRPWnVBYPx+9AxDY030Aw6vMw9+rFSuCp3PMH4mNbCcCucaIWWSA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzQWhCM2dpZDFkVVE4SVJq + SXY1ZVh2ZWlDRnN4d2hsREpwU0tYMmpKK0hzCmhkSllSM0NGdHZiV0o4dWVac2Ft + Y01nUlBKUHg4eE1YZWZlU29Vd2lEelEKLS0tIG9DdmdoaWVBMTJ2WnBnWXI5d1ZX + VGtCSTdPcDZHeVdUL1Z6S3hoUE9IR2sK8WyNXZDiJG3ox+nBcwTXdn3fmd4kS2z/ + aUV6ql3vLdsu3/BxLq3v00AXXYNOnWmVrUxTJ9Lv1j0FM5Gh5LupQw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVdU9TeFlSUWZISytBTnNn + RWlITURiQnY2Ni9LMWZ4R0pBWDJmaHpTZDJ3ClVackV1UHNYUXFmeUliT0h1aHNR + S0M4NWg0NkYrL2V4NXlIUDJ6RE8rODgKLS0tIGEwdGpxNVNtVDc0M0k1ejl1ZmFX + c2VQSk53WEFoTFdFUTM3eWNVamxwNTgKBYqQy+ILW9MdRPDgRBVw8sOyYF40rhYz + yP+Bu6EBAjJDOP/Ywx6I7u6AmlTRcOtk8PmJ8eo3raP07at+jrXsaw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-05T08:20:07Z" + mac: ENC[AES256_GCM,data:a/J87IQL0X7XQycpZXWg2otlBe7/W7Ebe0CAKunnyF8Gm9RRMWdECrFeBDtAyVAHl2F6gqlNTyEMsOVE+aR6+xu91rXr332k66SnSQcMOjQ987+r+t3b1hUZ9Cz+qNbtepXaGTuCNQ0JH+o3ezkA1D6BDIvf6S4IRWRT9psOiHI=,iv:2TXiGQDDK2nSTAb+n3baFfng9jDPoe7Ts9Au9dTRclA=,tag:MZFBEcpOmoX0TN33OMoApg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/nixos/profiles/global.nix b/nixos/profiles/global.nix index 03b51f5..83bd9d2 100644 --- a/nixos/profiles/global.nix +++ b/nixos/profiles/global.nix 
@@ -29,12 +29,17 @@ with lib;
 # But wont enable plugins globally, leave them for workstations
 };
- # required for yubico
- services.udev.packages = [ pkgs.yubikey-personalization ];
- services.pcscd.enable = true;
+ environment.systemPackages = with pkgs; [
+ curl
+ wget
+ dnsutils
+ ];
+ networking.useDHCP = lib.mkDefault true;
+ networking.domain = "trux.dev"; # TODO make variable
+
diff --git a/nixos/profiles/global/nix.nix b/nixos/profiles/global/nix.nix
index 3ae9b70..5646e0f 100644
--- a/nixos/profiles/global/nix.nix
+++ b/nixos/profiles/global/nix.nix
@@ -1,6 +1,5 @@
-{ lib, config, pkgs, nixpkgs, ... }:
+{ lib, config, pkgs, nixpkgs, self, ... }:
 {
- ## Below is to align shell/system to flake's nixpkgs
 ## ref: https://nixos-and-flakes.thiscute.world/best-practices/nix-path-and-flake-registry
@@ -31,12 +30,14 @@
 "https://cache.garnix.io"
 "https://nix-community.cachix.org"
 "https://numtide.cachix.org"
+ "https://deploy-rs.cachix.org"
 ];
 trusted-public-keys = [
 "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
 "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="
 "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
+ "deploy-rs.cachix.org-1:xfNobmiwF/vzvK1gpfediPwpdIP0rpDV2rYqx40zdSI="
 ];
 # Fallback quickly if substituters are not available.
diff --git a/nixos/profiles/hw-rpi4.nix b/nixos/profiles/hw-rpi4.nix
index 06c90e3..df86368 100644
--- a/nixos/profiles/hw-rpi4.nix
+++ b/nixos/profiles/hw-rpi4.nix
@@ -19,7 +19,6 @@ with lib;
 };
 nixpkgs.hostPlatform.system = "aarch64-linux";
- nixpkgs.buildPlatform.system = "x86_64-linux";
 console.enable = false;
diff --git a/nixos/profiles/role-worstation.nix b/nixos/profiles/role-worstation.nix
index a793560..4e17049 100644
--- a/nixos/profiles/role-worstation.nix
+++ b/nixos/profiles/role-worstation.nix
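Review bot: The new `trusted-public-keys` entry for deploy-rs.cachix.org makes every host using this profile accept store paths signed by that key, so the value should be checked against the key the deploy-rs project itself publishes rather than copied from another config, and a comment with the source URL next to the entry would keep that auditable. `self` is added to the argument set in the first nix.nix hunk but is not referenced in either visible hunk; if it is used further down the file that is fine, otherwise it is dead.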
@@ -23,6 +23,7 @@ with config; binfmt.emulatedSystems = [ "aarch64-linux" ]; # Enabled for raspi4 compilation plymouth.enable = true; # hide console with splash screen + }; nix.settings = { @@ -35,6 +36,24 @@ with config; # set xserver videodrivers if used services.xserver.enable = true; + services = { + fwupd.enable = config.boot.loader.systemd-boot.enable; # fwupd does not work in BIOS mode + thermald.enable = true; + smartd.enable = true; + + # required for yubikey + udev.packages = [ pkgs.yubikey-personalization ]; + pcscd.enable = true; + }; + + hardware = { + enableAllFirmware = true; + sensor.hddtemp = { + enable = true; + drives = [ "/dev/disk/by-id/*" ]; + }; + }; + environment.systemPackages = with pkgs; [ @@ -47,12 +66,19 @@ with config; dnsutils nix + # Sensors etc + lm_sensors + cpufrequtils + cpupower-gui + # TODO Move nil nixpkgs-fmt statix nvd gh + + bind # for dns utils like named-checkconf ]; i18n = {
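Review bot: `drives = [ "/dev/disk/by-id/*" ];` under `hardware.sensor.hddtemp` relies on the glob being expanded at runtime; if the NixOS module passes the list straight into a systemd `ExecStart` no shell is involved and hddtemp receives the literal string, so confirm the module wraps the call in a shell or list concrete device paths instead. A one-line comment such as `# glob is expanded by the hddtemp wrapper script` next to it would settle the question for the next reader.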