feat: add split-dns (#59)
* chore: tweak favourites * chore: hacking * feat: add nix-serve * hax * re-encrypt * haxing bind * hacing sonarr/traef * hack * hack * feat: add bind for local dns (manual) * fix * hacked up dns --------- Co-authored-by: Truxnell <9149206+truxnell@users.noreply.github.com>
This commit is contained in:
parent
ad8a1c3a73
commit
9786bc9cd6
36 changed files with 701 additions and 299 deletions
|
@ -19,7 +19,6 @@ creation_rules:
|
||||||
- path_regex: .*\.sops\.yaml$
|
- path_regex: .*\.sops\.yaml$
|
||||||
key_groups:
|
key_groups:
|
||||||
- age:
|
- age:
|
||||||
|
|
||||||
- *dns01
|
- *dns01
|
||||||
- *dns02
|
- *dns02
|
||||||
- *citadel
|
- *citadel
|
||||||
|
|
21
flake.lock
21
flake.lock
|
@ -93,6 +93,26 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"nix-index-database": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1711854532,
|
||||||
|
"narHash": "sha256-JPStavwlT7TfxxiXHk6Q7sbNxtnXAIjXQJMLO0KB6M0=",
|
||||||
|
"owner": "nix-community",
|
||||||
|
"repo": "nix-index-database",
|
||||||
|
"rev": "2844b5f3ad3b478468151bd101370b9d8ef8a3a7",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "nix-community",
|
||||||
|
"repo": "nix-index-database",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"nix-vscode-extensions": {
|
"nix-vscode-extensions": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"flake-compat": "flake-compat_2",
|
"flake-compat": "flake-compat_2",
|
||||||
|
@ -198,6 +218,7 @@
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"deploy-rs": "deploy-rs",
|
"deploy-rs": "deploy-rs",
|
||||||
"home-manager": "home-manager",
|
"home-manager": "home-manager",
|
||||||
|
"nix-index-database": "nix-index-database",
|
||||||
"nix-vscode-extensions": "nix-vscode-extensions",
|
"nix-vscode-extensions": "nix-vscode-extensions",
|
||||||
"nixos-hardware": "nixos-hardware",
|
"nixos-hardware": "nixos-hardware",
|
||||||
"nixpkgs": "nixpkgs",
|
"nixpkgs": "nixpkgs",
|
||||||
|
|
|
@ -39,6 +39,13 @@
|
||||||
url = "github:nix-community/nix-vscode-extensions";
|
url = "github:nix-community/nix-vscode-extensions";
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# nix-index database
|
||||||
|
# https://github.com/nix-community/nix-index-database
|
||||||
|
nix-index-database = {
|
||||||
|
url = "github:nix-community/nix-index-database";
|
||||||
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
outputs =
|
outputs =
|
||||||
{ self
|
{ self
|
||||||
|
@ -93,6 +100,7 @@
|
||||||
extraSpecialArgs = {
|
extraSpecialArgs = {
|
||||||
inherit inputs hostname system;
|
inherit inputs hostname system;
|
||||||
};
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
|
|
|
@ -27,7 +27,7 @@ with lib.hm.gvariant; {
|
||||||
"org/gnome/shell" = {
|
"org/gnome/shell" = {
|
||||||
disabled-extensions = [ "apps-menu@gnome-shell-extensions.gcampax.github.com" "light-style@gnome-shell-extensions.gcampax.github.com" "places-menu@gnome-shell-extensions.gcampax.github.com" "drive-menu@gnome-shell-extensions.gcampax.github.com" "window-list@gnome-shell-extensions.gcampax.github.com" "workspace-indicator@gnome-shell-extensions.gcampax.github.com" ];
|
disabled-extensions = [ "apps-menu@gnome-shell-extensions.gcampax.github.com" "light-style@gnome-shell-extensions.gcampax.github.com" "places-menu@gnome-shell-extensions.gcampax.github.com" "drive-menu@gnome-shell-extensions.gcampax.github.com" "window-list@gnome-shell-extensions.gcampax.github.com" "workspace-indicator@gnome-shell-extensions.gcampax.github.com" ];
|
||||||
enabled-extensions = [ "appindicatorsupport@rgcjonas.gmail.com" "caffeine@patapon.info" "dash-to-dock@micxgx.gmail.com" "gsconnect@andyholmes.github.io" "Vitals@CoreCoding.com" "sp-tray@sp-tray.esenliyim.github.com" ];
|
enabled-extensions = [ "appindicatorsupport@rgcjonas.gmail.com" "caffeine@patapon.info" "dash-to-dock@micxgx.gmail.com" "gsconnect@andyholmes.github.io" "Vitals@CoreCoding.com" "sp-tray@sp-tray.esenliyim.github.com" ];
|
||||||
favorite-apps = [ "org.gnome.Nautilus.desktop" "firefox.desktop" "org.wezfurlong.wezterm.desktop" "PrusaGcodeviewer.desktop" "spotify.desktop" "org.gnome.Console.desktop" "codium.desktop" ];
|
favorite-apps = [ "org.gnome.Nautilus.desktop" "firefox.desktop" "org.wezfurlong.wezterm.desktop" "PrusaGcodeviewer.desktop" "spotify.desktop" "org.gnome.Console.desktop" "codium.desktop" "discord.desktop" ];
|
||||||
};
|
};
|
||||||
"org/gnome/nautilus/preferences" = {
|
"org/gnome/nautilus/preferences" = {
|
||||||
default-folder-viewer = "icon-view";
|
default-folder-viewer = "icon-view";
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ lib, pkgs, self, config, ... }:
|
{ lib, pkgs, self, config, inputs, ... }:
|
||||||
with config;
|
with config;
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
|
@ -51,29 +51,32 @@ with config;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
home = {
|
home = {
|
||||||
# Install these packages for my user
|
# Install these packages for my user
|
||||||
packages = with pkgs; [
|
packages = with pkgs;
|
||||||
discord
|
[
|
||||||
steam
|
discord
|
||||||
spotify
|
steam
|
||||||
brightnessctl
|
spotify
|
||||||
prusa-slicer
|
brightnessctl
|
||||||
bitwarden
|
prusa-slicer
|
||||||
yubioath-flutter
|
bitwarden
|
||||||
yubikey-manager-qt
|
yubioath-flutter
|
||||||
|
yubikey-manager-qt
|
||||||
|
|
||||||
bat
|
bat
|
||||||
dbus
|
dbus
|
||||||
direnv
|
direnv
|
||||||
git
|
git
|
||||||
nix-index
|
nix-index
|
||||||
python3
|
python3
|
||||||
fzf
|
fzf
|
||||||
ripgrep
|
ripgrep
|
||||||
flyctl # fly.io control line
|
flyctl # fly.io control line
|
||||||
|
|
||||||
];
|
];
|
||||||
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -12,6 +12,8 @@
|
||||||
mySystem = {
|
mySystem = {
|
||||||
services.openssh.enable = true;
|
services.openssh.enable = true;
|
||||||
security.wheelNeedsSudoPassword = false;
|
security.wheelNeedsSudoPassword = false;
|
||||||
|
|
||||||
|
time.hwClockLocalTime = true; # due to windows dualboot
|
||||||
};
|
};
|
||||||
|
|
||||||
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
|
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
|
||||||
|
|
|
@ -1,41 +0,0 @@
|
||||||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
|
||||||
# and may be overwritten by future invocations. Please make changes
|
|
||||||
# to /etc/nixos/configuration.nix instead.
|
|
||||||
{ config, lib, pkgs, modulesPath, ... }:
|
|
||||||
|
|
||||||
{
|
|
||||||
imports =
|
|
||||||
[
|
|
||||||
(modulesPath + "/installer/scan/not-detected.nix")
|
|
||||||
];
|
|
||||||
|
|
||||||
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
|
|
||||||
boot.initrd.kernelModules = [ ];
|
|
||||||
boot.kernelModules = [ "kvm-amd" ];
|
|
||||||
boot.extraModulePackages = [ ];
|
|
||||||
|
|
||||||
fileSystems."/" =
|
|
||||||
{
|
|
||||||
device = "/dev/disk/by-uuid/701fc943-ede7-41ed-8a53-3cc38fc68fe5";
|
|
||||||
fsType = "ext4";
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/boot" =
|
|
||||||
{
|
|
||||||
device = "/dev/disk/by-uuid/C634-F571";
|
|
||||||
fsType = "vfat";
|
|
||||||
};
|
|
||||||
|
|
||||||
swapDevices = [ ];
|
|
||||||
|
|
||||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
|
||||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
|
||||||
# still possible to use this option, but it's recommended to use it in conjunction
|
|
||||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
|
||||||
networking.useDHCP = lib.mkDefault true;
|
|
||||||
# networking.interfaces.enp12s0.useDHCP = lib.mkDefault true;
|
|
||||||
# networking.interfaces.wlp13s0.useDHCP = lib.mkDefault true;
|
|
||||||
|
|
||||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
|
||||||
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
|
||||||
}
|
|
|
@ -17,6 +17,8 @@
|
||||||
maddy.enable = true;
|
maddy.enable = true;
|
||||||
dnscrypt-proxy.enable = true;
|
dnscrypt-proxy.enable = true;
|
||||||
cfDdns.enable = true;
|
cfDdns.enable = true;
|
||||||
|
bind.enable = true;
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.hostName = "dns01"; # Define your hostname.
|
networking.hostName = "dns01"; # Define your hostname.
|
||||||
|
|
|
@ -16,6 +16,7 @@
|
||||||
openssh.enable = true;
|
openssh.enable = true;
|
||||||
dnscrypt-proxy.enable = true;
|
dnscrypt-proxy.enable = true;
|
||||||
cfDdns.enable = true;
|
cfDdns.enable = true;
|
||||||
|
bind.enable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.hostName = "dns02"; # Define your hostname.
|
networking.hostName = "dns02"; # Define your hostname.
|
||||||
|
|
|
@ -11,13 +11,11 @@
|
||||||
services.openssh.enable = true;
|
services.openssh.enable = true;
|
||||||
security.wheelNeedsSudoPassword = false;
|
security.wheelNeedsSudoPassword = false;
|
||||||
};
|
};
|
||||||
mySystem.services.traefik.enable = true;
|
|
||||||
|
|
||||||
# TODO build this in from flake host names
|
# TODO build this in from flake host names
|
||||||
networking.hostName = "rickenbacker";
|
networking.hostName = "rickenbacker";
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
fileSystems."/" =
|
fileSystems."/" =
|
||||||
{
|
{
|
||||||
device = "/dev/disk/by-label/nixos";
|
device = "/dev/disk/by-label/nixos";
|
||||||
|
|
|
@ -15,7 +15,11 @@
|
||||||
openssh.enable = true;
|
openssh.enable = true;
|
||||||
cockpit.enable = true;
|
cockpit.enable = true;
|
||||||
podman.enable = true;
|
podman.enable = true;
|
||||||
|
traefik.enable = true;
|
||||||
|
sonarr.enable = true;
|
||||||
|
homepage.enable = true;
|
||||||
};
|
};
|
||||||
|
mySystem.nfs.nas.enable = true;
|
||||||
|
|
||||||
boot = {
|
boot = {
|
||||||
|
|
||||||
|
|
|
@ -2,4 +2,6 @@
|
||||||
|
|
||||||
mySystem = import ./nixos;
|
mySystem = import ./nixos;
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,49 +0,0 @@
|
||||||
{ lib
|
|
||||||
, config
|
|
||||||
, pkgs
|
|
||||||
, ...
|
|
||||||
}:
|
|
||||||
|
|
||||||
with lib;
|
|
||||||
# let
|
|
||||||
# cfg = config.mySystem.xx.yy;
|
|
||||||
# in
|
|
||||||
{
|
|
||||||
|
|
||||||
imports = [
|
|
||||||
./traefik
|
|
||||||
];
|
|
||||||
|
|
||||||
options.myLab.containers.fileRoot = mkOption {
|
|
||||||
type = lib.types.str;
|
|
||||||
description = "root file path for containers";
|
|
||||||
default = "/persistence/containers/";
|
|
||||||
};
|
|
||||||
|
|
||||||
# Email
|
|
||||||
options.myLab.email.adminFromAddr = mkOption {
|
|
||||||
type = lib.types.str;
|
|
||||||
description = "From address for admin emails";
|
|
||||||
default = "";
|
|
||||||
};
|
|
||||||
options.myLab.email.adminToAddr = mkOption {
|
|
||||||
type = lib.types.str;
|
|
||||||
description = "Address for admin emails to be sent to";
|
|
||||||
default = "admin@trux.dev";
|
|
||||||
};
|
|
||||||
options.myLab.email.smtpServer = mkOption {
|
|
||||||
type = lib.types.str;
|
|
||||||
description = "SMTP server address";
|
|
||||||
default = "";
|
|
||||||
};
|
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
|
||||||
|
|
||||||
# CONFIG HERE
|
|
||||||
myLab.email.adminFromAddr = "admin@trux.dev";
|
|
||||||
myLab.email.smtpServer = "dns02"; # forwards to maddy relay
|
|
||||||
|
|
||||||
};
|
|
||||||
|
|
||||||
|
|
||||||
}
|
|
|
@ -1,84 +0,0 @@
|
||||||
{ config, lib, vars, networksLocal, ... }:
|
|
||||||
let
|
|
||||||
internalIP = "0.0.0.0"; # TODO fix
|
|
||||||
directories = [
|
|
||||||
"${config.myLab.containers.fileRoot}/traefik"
|
|
||||||
];
|
|
||||||
files = [
|
|
||||||
"${config.myLab.containers.fileRoot}/traefik/acme.json"
|
|
||||||
];
|
|
||||||
cfg = config.myLab.containers.traefik;
|
|
||||||
in
|
|
||||||
{
|
|
||||||
|
|
||||||
options.myLab.containers.traefik.enable = lib.mkEnableOption "Traefik container";
|
|
||||||
|
|
||||||
config = lib.mkIf cfg.enable {
|
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 9091 ];
|
|
||||||
|
|
||||||
sops.secrets.authelia-jwt = { owner = config.systemd.services.authelia-default.serviceConfig.User; };
|
|
||||||
sops.secrets.authelia-sek = { owner = config.systemd.services.authelia-default.serviceConfig.User; };
|
|
||||||
|
|
||||||
services.authelia.instances.default = {
|
|
||||||
enable = true;
|
|
||||||
secrets = {
|
|
||||||
jwtSecretFile = config.sops.secrets.authelia-jwt.path;
|
|
||||||
storageEncryptionKeyFile = config.sops.secrets.authelia-sek.path;
|
|
||||||
};
|
|
||||||
settings = {
|
|
||||||
log.level = "debug";
|
|
||||||
theme = "dark";
|
|
||||||
default_2fa_method = "totp";
|
|
||||||
default_redirection_url = "https://passport.notohh.dev/";
|
|
||||||
authentication_backend = {
|
|
||||||
file.path = "/var/lib/authelia-default/user.yml";
|
|
||||||
};
|
|
||||||
session = {
|
|
||||||
domain = "notohh.dev";
|
|
||||||
expiration = 3600;
|
|
||||||
inactivity = 300;
|
|
||||||
};
|
|
||||||
totp = {
|
|
||||||
issuer = "authelia.com";
|
|
||||||
disable = false;
|
|
||||||
algorithm = "sha1";
|
|
||||||
digits = 6;
|
|
||||||
period = 30;
|
|
||||||
skew = 1;
|
|
||||||
secret_size = 32;
|
|
||||||
};
|
|
||||||
server = {
|
|
||||||
host = "0.0.0.0";
|
|
||||||
port = 9091;
|
|
||||||
};
|
|
||||||
access_control = {
|
|
||||||
default_policy = "deny";
|
|
||||||
rules = [
|
|
||||||
{
|
|
||||||
domain = "notohh.dev";
|
|
||||||
policy = "bypass";
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
|
||||||
regulation = {
|
|
||||||
max_retries = 3;
|
|
||||||
find_time = 120;
|
|
||||||
ban_time = 300;
|
|
||||||
};
|
|
||||||
notifier.filesystem = {
|
|
||||||
filename = "/var/lib/authelia-default/notif.txt";
|
|
||||||
};
|
|
||||||
storage.postgres = {
|
|
||||||
host = "192.168.1.211";
|
|
||||||
port = 5432;
|
|
||||||
database = "authelia";
|
|
||||||
schema = "public";
|
|
||||||
username = "authelia";
|
|
||||||
password = "authelia";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
{ lib, ... }:
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
./system
|
./system
|
||||||
|
@ -6,7 +7,14 @@
|
||||||
./browser
|
./browser
|
||||||
./de
|
./de
|
||||||
./editor
|
./editor
|
||||||
./containers
|
|
||||||
./hardware
|
./hardware
|
||||||
];
|
];
|
||||||
|
|
||||||
|
options.mySystem.persistentFolder = lib.mkOption {
|
||||||
|
type = lib.types.str;
|
||||||
|
description = "persistent folter for mutable files";
|
||||||
|
default = "/persistent/nixos/";
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
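Review bot: The option description added in the second hunk has a typo, `description = "persistent folter for mutable files";` should read `description = "persistent folder for mutable files";`, since it surfaces in generated option docs. Dropping `./containers` from the imports also removes the `myLab.containers.fileRoot` and `myLab.email.*` options that the deleted module declared; if any module outside this commit still reads `config.myLab.*`, evaluation will now fail on an undefined attribute, so a grep for `myLab.` before merging is worth the minute. The option block is placed after the imports list, which matches the rest of the file; a one-line comment such as `# base directory for state that must survive rebuilds` above `options.mySystem.persistentFolder` would tell readers why a string path is an option rather than a constant.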
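--- a/nixos/modules/nixos/services/arr/default.nix
+++ b/nixos/modules/nixos/services/arr/default.nix
@@ -0,0 +1,5 @@
+{
+imports = [
+./sonarr
+];
+}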
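--- a/nixos/modules/nixos/services/arr/sonarr/default.nix
+++ b/nixos/modules/nixos/services/arr/sonarr/default.nix
@@ -0,0 +1,50 @@
+{ lib
+, config
+, pkgs
+, ...
+}:
+with lib;
+let
+image = "ghcr.io/onedr0p/sonarr@sha256:04d8e198752b67df3f95c46144b507f437e7669f0088e7d2bbedf0e762606655";
+port = 8989;
+cfg = config.mySystem.services.sonarr;
+persistentFolder = "${config.mySystem.persistentFolder}/sonarr";
+in
+{
+options.mySystem.services.sonarr.enable = mkEnableOption "Sonarr";
+
+config = mkIf cfg.enable {
+# ensure folder exist and has correct owner/group
+systemd.tmpfiles.rules = [
+"d ${persistentFolder} 0755 568 568 -" #The - disables automatic cleanup, so the file wont be removed after a period
+];
+
+virtualisation.oci-containers.containers.sonarr = {
+image = "${image}";
+user = "568:568";
+environment = {
+UMASK = "002";
+};
+volumes = [
+"${persistentFolder}:/config:rw"
+"/mnt/nas/natflix/series:/media:rw"
+"/etc/localtime:/etc/localtime:ro"
+];
+labels = {
+"traefik.enable" = "true";
+"traefik.http.routers.sonarr.entrypoints" = "websecure";
+"traefik.http.routers.sonarr.middlewares" = "local-only@file";
+"traefik.http.services.sonarr.loadbalancer.server.port" = "${toString port}";
+
+"homepage.group" = "Media";
+"homepage.name" = "Sonarr";
+"homepage.icon" = "sonarr.png";
+"homepage.href" = "https://sonarr.${config.networking.domain}";
+"homepage.description" = "Series manager";
+# "homepage.weight" = -70000;
+"homepage.widget.type" = "sonarr";
+"homepage.widget.url" = "https://sonarr.${config.networking.domain}";
+};
+};
+};
+}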
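Review bot: The sonarr router gets entrypoints and the `local-only@file` middleware but no `rule` label, so which host name Traefik routes to this container depends on a defaultRule configured elsewhere (not visible here; Traefik's stock default matches only the bare container name). Since the homepage labels already commit to `sonarr.${config.networking.domain}`, pinning the router to the same name keeps the two in agreement: `"traefik.http.routers.sonarr.rule" = "Host(\`sonarr.${config.networking.domain}\`)";`. The digest pin on `image` is good practice but leaves no human-readable version in the file; a trailing comment such as `# sonarr <VERSION-PLACEHOLDER>, pinned by digest` next to the `image =` line saves the next reader a registry lookup when bumping it.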
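--- a/nixos/modules/nixos/services/bind/default.nix
+++ b/nixos/modules/nixos/services/bind/default.nix
@@ -0,0 +1,99 @@
+{ lib
+, config
+, ...
+}:
+
+with lib;
+let
+cfg = config.mySystem.services.bind;
+inherit (config.networking) domain;
+in
+{
+options.mySystem.services.bind.enable = mkEnableOption "bind";
+
+config = mkIf cfg.enable {
+
+sops.secrets = {
+
+# configure secret for forwarding rules
+"system/networking/bind/trux.dev".sopsFile = ./secrets.sops.yaml;
+"system/networking/bind/trux.dev".mode = "0444"; # This is world-readable but theres nothing security related in the file
+
+# Restart dnscrypt when secret changes
+"system/networking/bind/trux.dev".restartUnits = [ "bind.service" ];
+};
+
+networking.resolvconf.useLocalResolver = mkForce false;
+
+services.bind = {
+
+enable = true;
+
+# Ended up having to do the cfg manually
+# to bind the port 5353
+configFile = builtins.toFile "bind.cfg" ''
+include "/etc/bind/rndc.key";
+controls {
+inet 127.0.0.1 allow {localhost;} keys {"rndc-key";};
+};
+
+acl cachenetworks { 10.8.10.0/24; 10.8.20.0/24; 10.8.30.0/24; 10.8.40.0/24; };
+acl badnetworks { };
+
+options {
+listen-on port 5353 { any; };
+allow-query { cachenetworks; };
+blackhole { badnetworks; };
+forward first;
+forwarders { 10.8.10.1; };
+directory "/run/named";
+pid-file "/run/named/named.pid";
+listen-on port 5353 { any; };
+recursion yes;
+dnssec-validation auto;
+
+};
+
+logging {
+channel stdout {
+stderr;
+severity info;
+print-category yes;
+print-severity yes;
+print-time yes;
+};
+category security { stdout; };
+category dnssec { stdout; };
+category default { stdout; };
+};
+acl "trusted" {
+10.8.10.0/24; # LAN
+10.8.12.0/24; # TRUSTED
+10.8.20.0/24; # SERVERS
+10.8.30.0/24; # IOT
+10.8.40.0/24; # KIDS
+10.8.50.0/24; # VIDEO
+10.8.60.0/24; # VIDEO
+10.8.11.0/24; # WIREGUARD
+10.5.0.0/24; # CONTAINERS
+};
+
+
+zone "trux.dev." {
+type master;
+file "${config.sops.secrets."system/networking/bind/trux.dev".path}";
+allow-transfer {
+
+};
+
+allow-query { any; };
+
+};
+
+'';
+
+};
+
+};
+}
+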
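Review bot: `listen-on port 5353 { any; };` in the options block binds named to every interface, and the zone's own `allow-query { any; };` then overrides the `cachenetworks` restriction for any host that can reach that port; if the only intended client is the local dnscrypt-proxy forwarding trux.dev to this port (what the split-dns title suggests, but nothing in the hunk shows it), `listen-on port 5353 { 127.0.0.1; };` keeps the authoritative zone reachable from the host alone and makes the global `allow-query` the effective policy for everything else. The same `listen-on` line appears twice in the options block, `acl "trusted"` is declared but never referenced, and `cachenetworks` omits the 10.8.12, 10.8.11, 10.8.50, 10.8.60 and 10.5.0 ranges that `trusted` lists, so one of the two ACLs should be dropped or they should agree; `domain` from the let-binding is likewise unused. The comments above the sops entries were carried over from the dnscrypt module: `# configure secret for forwarding rules` should read `# zone file for trux.dev, stored in sops`, and `# Restart dnscrypt when secret changes` should read `# Restart bind when the zone file changes`. The `mode = "0444"` comment says the file holds nothing security-related, yet the same file is sops-encrypted; either the encryption is unnecessary or the mode should be limited to the user bind runs as, and the comment should say which.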
60
nixos/modules/nixos/services/bind/secrets.sops.yaml
60
nixos/modules/nixos/services/bind/secrets.sops.yaml
|
@ -0,0 +1,60 @@
|
||||||
|
system:
|
||||||
|
networking:
|
||||||
|
bind:
|
||||||
|
trux.dev: ENC[AES256_GCM,data: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,iv:OzXHST/zSMD0lD2qroK92wTPFnt4o9GO5KGp4AgDHvw=,tag:+i/7/aFsqW2GafFmt70GIQ==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpNENody9xYlF1aEgzbWxH
|
||||||
|
NE5GM1JXNldrMUh2UFk3aWR5akJ6ZW5TNVJJCjFQRFNITEVtZ21FNG51V2xqdWRD
|
||||||
|
aTdUQ2sxTjNqOFdmUmduM081UVlJSVUKLS0tIEE5QXdmcWxtL2hrazZIQU1idWww
|
||||||
|
YjFlNTVCZnlQUzRvWDRWdmpnTTV1TncKNVl5mho/SaNCJroRUNGWLJWekOineIP1
|
||||||
|
I4OsWaMoICMFFFYmNzK0hJW9De6YEHJUT9lQKN2Zjemx3g8lUOTxEQ==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBVFpCYnBQR0luVVlYM2Rt
|
||||||
|
dFdBMzhLVTJrRmNvYkFKdFAvVUg2SjRRbndrCkVZbVVwMG9aTWJ6bkkzbDdhU1lo
|
||||||
|
eE1uN2lwRFRTREFIYWFlTm1KVCtPblEKLS0tIGpvdDZUYjY3RzFoaGthVzRJMDE5
|
||||||
|
dnZtWkZmVzJSV0hKTXRFdEttOFVaQ0EK+stoUbxm5lfUZwe2ffSdVOZ1ChkUfgDd
|
||||||
|
pnNCxN+wRT09yo3CsZ/cqV870ZPBHsdA2BKHsS7rFzrZXPszvrDN8Q==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwZUNmSTQ0NytJcXRxSVFv
|
||||||
|
aWF5eHc3UnNCUklHSjJpbWxRcUk5QitTb3pvClZIZ2tRL3dQT0xSOWoxVGFPVDUx
|
||||||
|
QXZGeDhqUXRqdzlqUkd4WUtDbHpVRTAKLS0tIGF5MTVoMkZ6RDg0dEp3Z3hqUWxw
|
||||||
|
R244RzJyNFFGRXZEVzI0Mk5QMytGTTAKTnrkumPqwdldpAqX9OUInJJhjsdV4ggh
|
||||||
|
9FJPNdDlA7KZycfBvqEoo/j43rFjOQg36/FzWTjOtzmbX1NsylZZMg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpQ1ppWjRVQTE3R2NZQ2lB
|
||||||
|
L3pFbzhiMXZpaVArb3JOWWhuVkFDazFJUFY4CjI1OHZGN3dvbkdMN2tsTmNSMFlY
|
||||||
|
dm9kY2wvb0FzRi83eTlhdnNWVWpHWGMKLS0tIEI5WVlEOHAreEd5UzVDYWdQZGtR
|
||||||
|
dFZLZlMvUFVqSVVqYUIxQjYrNktsMGcKQrTtLyUKlSXZLntmB5COm1jG9sZqNuH+
|
||||||
|
j5DJ9yTKyrl5Gosb8FcrX4sOcOj5aJKGihL+p7wLgFgr+EYW1ely2g==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5dFpRcGVHK0RMVFN1cWpl
|
||||||
|
WWxFTEs0MTZndEtHKzJpWHMxeXZwYzFSbFZvCjRvdWVBcFZxd1RiaW5xb0hhZzFs
|
||||||
|
dENYSU1NOGxsdEhER1VyWWRiZGlaQjgKLS0tIHpnd2dQTHV6RllVMSs4Smt2d3g3
|
||||||
|
Y094Y3dnRFEveFphV3J0LzUvK1dTMmsKHjpR7GViKdsR/Qx4/JKoVSWBi4DyujHj
|
||||||
|
nLMa1eEND32OwLg1VAK4m10toVl+wU5TAO0yZXx3tA132WNNtVRbUA==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-04-06T06:13:02Z"
|
||||||
|
mac: ENC[AES256_GCM,data:g5mOOzAO8X009EzCY8dn1Ao+XXcEBwmjrlQyEp0KXapEnP+mntCokjxt3tJZ7U1T7SKkaVDweWbGWBwPqxm2WHDmJrFF7SHLaZ1GcIZ1TjBPGwOG5dQeDxspdU1eK2gS3E/JtMbIOKoDxD12dpH6jLJ3dlq+6Lcm8XoC8elNkWM=,iv:Wsby2DQXUnE9+7Bjk3Vp6/93uF5HoxKrzgcGKHTuW0A=,tag:F1z942D0nf8cBnMBeUEiSQ==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.8.1
|
0
nixos/modules/nixos/services/bind/zone
0
nixos/modules/nixos/services/bind/zone
|
@ -1,8 +1,8 @@
|
||||||
system:
|
system:
|
||||||
networking:
|
networking:
|
||||||
#ENC[AES256_GCM,data:UGDccdo5xL48r9VxuaY9QR2jfIdVZ0EZ84SKRO8dyZe7SIhvFUpX2tCEzVUMNPuDgXqoBSvWOP9WTEveunH56GknlOQdhZOYMb7T9Q==,iv:PLaSHpZRCu5xNsmWtz5UY+nTGGPow1YLppKZiZJz/9c=,tag:cePl/udz3BNSjVPqGVpmLg==,type:comment]
|
#ENC[AES256_GCM,data:B4f24DoMFOdKQrn9G/XVtZb+mT/9kXJnFZY8ND+pd/fLJkXxhrFAFbGKHPWxJXabIv1eehKe9a6F1752/HsNK05xo6fzPLZv9WJ6xQ==,iv:xFIa58J4DhIG8vHSZVXj6EXGmzoKU9DSHAlnrjx3dZ4=,tag:yYITOfuPBAOnymwl+8DziQ==,type:comment]
|
||||||
cloudflare-dyndns:
|
cloudflare-dyndns:
|
||||||
apiTokenFile: ENC[AES256_GCM,data:6CggP0liJTWfD9HnpD6ALf7a9smRNEbuOYsyU6HnFqDtZj4U/mYzG+9fAv/SM+DYl7eSCdF2xzINyAbAVl6j8g2utEkRiitGEVv29vaQSpIBUFrjl4vJgw/AyXdB9r5fR6XXpc6baeO3ctsjaUmlgRxGmQ==,iv:YYh5sZVwJVKKnuTEbNujm3yL16gfL98pEnwU9ZX8618=,tag:162cpSSAdAZoOiAwPbFlTg==,type:str]
|
apiTokenFile: ENC[AES256_GCM,data:G342sbp0A6oXl5IycaBdb8LV0cdFlZFDNV6JKZJPIBH13VRviGvygyFX3RoGfJif5qLQGHcHpZk2jFKcOWcFHaORHnLvQdwGSFMk4dPZ8Vwzm7hy4oQZg5gEmPA6U1ctyk4utaUOMD9QLwVMEhgE1+UlUw==,iv:KqV5yd03zt7yjUlCz9c0dba8BSnvkYahemezLWyf2Vg=,tag:FPHnsHHaSLs5wl8Sj6ChAg==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
|
@ -12,50 +12,50 @@ sops:
|
||||||
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
|
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBORnZQZEI2VU9tdEQ1VkZw
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxNkY1RU14VW1ycStweStL
|
||||||
aFFxaThqS2VWVVljejNxNVovMHlNc2ZUdUNvCktyT1pTRGpSK1N3MXpMNFZuVVhL
|
Vm1sN28xblNhRmI1WXRYcnRuQVBMczJnQVhZCittbFc5djZsN3dKaklWY1V2ZHBl
|
||||||
UCtINGo3SDhSNmwyRkEzVGNTVVFlTE0KLS0tIDhvaFk0SVdHNFlhRkxEb0hLdkdu
|
R0RpVW1OSWQrVlFuNjNWOTNzMUdEVDAKLS0tIG1FZEdMZ1FlR0FEcWFXV2hlYnhv
|
||||||
QTFCVUg5VzJzOUlRcFBlR0puNGVGNlUKpdSYWZZPKq1Vw0pR8suOqqgzxDzKWaMx
|
SG9abFJVb3pnQ1hleG8vc3E3TmhZTzAK9Qk1Kb4nesOa+OFdf0YfXEMAlvronAfs
|
||||||
Aft/TpSuS8m6603HlTw3LUyBOnIYJCFFsGJqVBF6Q1z6U4FPAfNnlA==
|
reC3efYY5u1fWCqaYqJScXdDOhFDcBQD77CXZqo3N5EIlwJESHmpSA==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
|
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzUzNqQ1U2aWV3WUVUZDdD
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZTVJueFpVWXkrc25vcU9R
|
||||||
eXNhQUlBdGRndVJ1NXdXZlBNb0VvNzlFYnd3CjlRRm1FWTljL0VMbTB4M21HVDY3
|
YzVwT243UnM4RVJzVFNWZGdCNUFzZUgwaEcwCnVMMDJ4NHdkUGNOQ2kzdXAwV2l3
|
||||||
Y2oyTG50SUtIT29OZjhiZi83OCtpNm8KLS0tIFNYMkErVDFhTHhOVndQdUFHWUxZ
|
dEFvdUc4STZ5bFNSNmQ1L2x4UUZDQUEKLS0tIER6dEZRcENFaFRRUTZNaWErTHN2
|
||||||
bG0xMG9heitnUGFNdk5ITWhKNERZbDgKX23jlQyLus3FzDQ55hIyUqqwlLbPeKxV
|
b3VuYmhmdnduN215YitkTzZvVzFYTlUKG3SZTp7lJ9JoQhN+CobDui5z/9f60OL+
|
||||||
LJHaDfO4IOzIGrWFCwQZpCa8ZgQzUmnpqKZqvdTZuXibZEoyjV6GUA==
|
4mhi6bl4TNDCpJNgG0yy56iAwbs281es22QGerXv2Y8u2fofllHCtg==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
|
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxUFRMZHIyY3lFeVNnenky
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrK0tvZXdhMjJSMzNwUURG
|
||||||
bG1hdXoxSXo2akR1bGlHSHNZbzFOMGE3cW1FCjdzZUYzRFZrcXZvcTNSc3V5TE5n
|
SEtVdU1IdExIcXh1RWdYUzUwaWV5U2hmcmlFCkNEYkxLWWhTeTBLNC9DL0FIMy9s
|
||||||
T01Tem9oVDdYRlBST2tNNUpZTENOTkkKLS0tIENUdmxBajZpbFRoNXZzRVlvOVpJ
|
SzhoR1FJeGl3Znc0YnFCdW5OTnViRGcKLS0tIEUrZmxlMHFkazZWMm5QWmFJalhW
|
||||||
MnlaMHpGUGo1WmVMb2FsZ0o2Q3NuKzQK7n+HqB+7K6drnkNyc863wTfoohk90uWx
|
V2JLSTJlc2RIK0VFTENsUThJQ1ZtcVUK3fG8sPMGg2OdHS44H1kg9DaUnWrDcB+y
|
||||||
ehuz7kmZcdnwxpMX6hV2ynUumcVEqfR+jiUuF/eBpuPRQy/eejVm4Q==
|
WtvxjeW0esEcZffZlzJmgeswwUVKamoN4A7lTMf8llq4ZBm+z8u8Zw==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
|
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlSExpSE1hUldqSnJoRDBj
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3VnNuSURxQ0V5ZC9XVEdC
|
||||||
L2xROXd3U2EvZ0xoek8ra1RqdVdaK2s5Q2dZCmdVWmJrZTc3Nis2L0NkSlJQK1pq
|
OXNwZHVsamJRR0ZxdFZodk51Slpqc2pjbHhvCnBHZ2plT0dxUzVDQUVtSnlYUVdj
|
||||||
RmZ3aHU4YVlNcUVEemJsWGNjbEVIdUkKLS0tIEJDcmFmRUtjL3ltUjZKRmMyWW1O
|
VWZjaUdIVWRmQkRwZ2VVemZvOXgrUFUKLS0tIGdvTW1sK2VlNWRESE9Hc0ZBcHQx
|
||||||
VHZzVVZycld5alhKaC9BQ2dweVIweHMKF/qVYH7yvmFBVDyHb1PwJrHyP9Iq1HEg
|
SjNnWXhBMnNqZEhUMHdUbmJrdUFUTGMK43zbm2VyKcRpSRkhaf4BrWKiyyQbiKgY
|
||||||
EfiDfZK2acYkW3GsUmH0qS5v55RswYnEg+iiSMNn+Ii6mfI65bVVYw==
|
fYAo9DwMjf/EQgeMv8n6c8zn2HLKWcs2+Oz/XrWOzypinrSl9TOZOw==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
|
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaaTNSWHM1eU92T2VMOXZD
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0UUx2ZWpCYVRlQUx6QUVG
|
||||||
b0R5Z2x3WloxOFhyMmkwQXp4U3lNM2xiZHhrCm9mcURMSmtUZ3VHd3lDbnp5dVVR
|
WVl1NllRTXRnSDNTeTNXUWo2VFNuN0J1TW00CnFjTTlhUUJuMHczN21LaG9mZUlH
|
||||||
dHJyMkFBODMvbkpzUVl4ZUtxWmIrS1kKLS0tIHJTZ1FaYmlzUEhHWHVaWTVIRC9o
|
REJnU0k5R25hNU5mTkxiSzBKNW95d00KLS0tIFBFS1g1MDU1dDVwWXhtTjRJenVH
|
||||||
MGJLdkJpTkFGclRSZlBOOTVKd3BOa2sKbRf0BdD35bZpr8ESX1+NZ6rWxdI+x7fo
|
T0YySjh5dFAwcXo0QlhaRzB5S21yS0UKl0Cn8UMqk/TPkbVMp9ngj/gcpueQ3l4Y
|
||||||
A6cIx6j8fVXvsKEipO3r4wSTqWhnY+DMzH9ZPGE5J74sx98DYVm6ig==
|
83m99p7uw+1kFbmI3lcxlflFcZXgVBreFM2wF+Ogb7T2zikg0q8FTQ==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2024-04-01T00:26:19Z"
|
lastmodified: "2024-04-05T05:23:21Z"
|
||||||
mac: ENC[AES256_GCM,data:U21XeE4vqc96mBq1qmjpMfDZVJZQEXwpHTEjVd4lmbam8XTv5kxK8zYWlDN8WTMqKeYHnInvEdmKnXL+NDt6lDjoDl/97/dUoWJ2xNTBOlJb6C2n11GE+ppzgZBQMj9oWr5IuQ8jiSfTYOF3/zT/sh8SSWmooQ2CrS/B3PyjmwA=,iv:9+Na88c3woPLZcawxH+mFg03Hf8oCaILdRya1CwRMEQ=,tag:eDuSLJtkLzvk+N1ncc/jwQ==,type:str]
|
mac: ENC[AES256_GCM,data:UbhMGGRrG1MBJUEoEX+22y3C3A2dLBhfnxod8+wH1FQgDfZYwIAiCHGfLVbIzkC7ANS6453FeXRNBBH5TW2ELsDDo4W8S13lSwA/1MUUK7st42nNXvOVIMeLHtCrRU++LwYWhEfOR9OIb6au9pk+hwCo1Z0V6nlcAv1bf0uDQNU=,iv:a2GZw4HMp4DCOe8BfA3HgqZIJ9iUmXbttmGoXAMnQZE=,tag:w8VUc2K+f3/Vg7eBu3VREA==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.8.1
|
version: 3.8.1
|
||||||
|
|
|
@ -25,7 +25,7 @@ in
|
||||||
sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".sopsFile = ./cloudflare-dyndns.sops.yaml;
|
sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".sopsFile = ./cloudflare-dyndns.sops.yaml;
|
||||||
|
|
||||||
# Restart when secret changes
|
# Restart when secret changes
|
||||||
sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".restartUnits = [ "cloudflare-dyndns" ];
|
sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".restartUnits = [ "cloudflare-dyndns.service" ];
|
||||||
|
|
||||||
networking.firewall = {
|
networking.firewall = {
|
||||||
allowedUDPPorts = [ 53 ];
|
allowedUDPPorts = [ 53 ];
|
||||||
|
|
|
@ -9,5 +9,9 @@
|
||||||
./podman
|
./podman
|
||||||
./traefik
|
./traefik
|
||||||
./nfs
|
./nfs
|
||||||
|
./nix-serve
|
||||||
|
./bind
|
||||||
|
./arr
|
||||||
|
./homepage
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
|
@ -30,7 +30,7 @@ in
|
||||||
"system/networking/dnscrypt-proxy2/forwarding-rules".mode = "0444"; # This is world-readable but theres nothing security related in the file
|
"system/networking/dnscrypt-proxy2/forwarding-rules".mode = "0444"; # This is world-readable but theres nothing security related in the file
|
||||||
|
|
||||||
# Restart dnscrypt when secret changes
|
# Restart dnscrypt when secret changes
|
||||||
"system/networking/dnscrypt-proxy2/forwarding-rules".restartUnits = [ "dnscrypt-proxy2" ];
|
"system/networking/dnscrypt-proxy2/forwarding-rules".restartUnits = [ "dnscrypt-proxy2.service" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
services.dnscrypt-proxy2 = {
|
services.dnscrypt-proxy2 = {
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
system:
|
system:
|
||||||
networking:
|
networking:
|
||||||
dnscrypt-proxy2:
|
dnscrypt-proxy2:
|
||||||
forwarding-rules: ENC[AES256_GCM,data:I2MOqXfru2V2NDcrMfy8rwjIHKjt8ujk0GpGZRZgPRJv76P0jONja4Ft2b5j53CaM0A0dYHKc4A8ZbZgNzesVEvb5TK+wtQXziST7phRpJOpVPZjgHw3H8HD0l6mX7UmnIbv69e85UELG8Mv3DW7cRHCReelmec27+JNjhjhGUuyiNLdRxCS59D8P3p5Tdci1gMclbeXv+qv2VlWq8eIGMc5w6+0F4vVA9lhGUmWQLORtFOPLSmBn9xtx1R2Bm/itAzG+qJngAaF6o1Zm+lHvCydaddF/YJnsxk+EzwLS2RCb3+noE8cyS3S+eVCpSFmrtYB1MNREEZpBA+fXdkqSKVsNwCUgo2WJY78bPocNwQB9D/kuTnvILba8bC1pVdUH+xo0Ww7LS7j5+bp7xs9qwC9FRKgYKNReSoQn993R8n6VlqtJyqFLXtL55yIp+HSlu16jFiDP4rGjZtkxLQ21Y4=,iv:Jk4JLRzBYEIhoxgsRMXjvDNHVinuR0xjxTVTvED6lFo=,tag:4ILaKfjKM1r6MhYrOyU+Jg==,type:str]
|
forwarding-rules: ENC[AES256_GCM,data:P5GAwlcuUI2hXcJBzAPSQBviqi8z0ccz29sv1bsSx7lkD9isTaurylD07v3tlXFN,iv:lPIbdMpUMzyhnkakw4FSxvHolyNXMVuciwKK7jz9MMY=,tag:0pKhfclkbWbPBJ6/vs5a3w==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
|
@ -11,50 +11,50 @@ sops:
|
||||||
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
|
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvbkZmSGlyMTJ6RjlGWENX
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiU2V4cmpHZ0hhRUlDNTU4
|
||||||
SUc3SU1MbGZMVmRuUWJIb2xQQlA5UFdGeDBZCmp3Y2o1Lzc4TnR4RXJTa1Rxdk5w
|
c0FGTGxCTzNTTUJxN2lkZmZQUVlCRFVxZld3ClU2TmpxcHFvR0lZeVUxZ0x1YmFC
|
||||||
LzFFbUx2Q25QZUk3bklDVEVOajdPYk0KLS0tIHlBalM2RlFKQ1NKNFZHVXFUQWtV
|
bFZ4QlQvajNxYTByenlDVXNJb0dGNEEKLS0tIFQvaUhCYnE4MWc1bFZtSlB6cDFq
|
||||||
VDNnQkp6ZTkwSW1peXJJTVN6TGtxYVkKDCpef2RICaAf1mSkW9V8i7siPP+gXa5r
|
aTJyS2RGWFJTNEd3Rlo3dVN6UjhlUVEKZvaWNTcKkSzLDsQ99S3/d9eQ350QM+e0
|
||||||
SNOlY5EDDU9wQ54GEWJHMz7kzaAAPQH4hXz1JdoO+Z2P2yr7pLdjAg==
|
R19K1QHuljx3vKV+LhnJ+fCUL5bnIhvDCFVnWBWGirVzJNp4iwfuWw==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
|
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVk5jeklpdEhLTERqWnhO
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnbnR4T1d4M3pKdExGYUZZ
|
||||||
ZkZsRytWNk1MUlBrSW8xTlpOOW5xWUZlbnpZClhKNDRRTE0yWXNnRHljckIzM2tY
|
Y0R4WVNLZnZJTmhqVW4vSzJwZjkxdk92N3lNCk9iWmJNZHVZVDFINEErRi9JZjBZ
|
||||||
OVlWWlYxVGNFcitORFdmbnlUTkJkZ2sKLS0tIEFETndzSktuYlpmK3NmL2Q1L3A5
|
MDEyM1Q3cGZDWkUyZEZhaVo3K2FpUjgKLS0tIEhHR0dTak43T3pDcUtvYk02aFZZ
|
||||||
NzJLa2ZuUHppOExxZGhnandMRHR0N0kK/zHkmxJIFH5D88z92QkKrDrGApj2QGoU
|
M2w2RDV4UmY1Zll5WjdxSWIxZVhVMUUKAvOmavnidng3QxxHaVqQKwq9TMgbusOE
|
||||||
LkvIOSgGjEy2juzsGsjVJdu/61g7iaGO6IpHktuniyEgwnLwn+ApOw==
|
SnBx1ShiX0m7ZBLHPzcHuwzEOxYRvpKuV1tVDVbROPfaOYusgIMa+A==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
|
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVSDNpQ0ZBS3FqZlFKelVr
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRaWV0VGZFc0toUXJURURF
|
||||||
NGRYdW9QNVA0THVLdGdQZElRVndmcmFoMzE4CmVUcVlLdGZuYi9XU0YydFNWLzBD
|
eDRKMGV6UktYWVRUcFJKVTdiQ3h6LzhlV2tRCjVMZkFqWGZCV1Q5OFBkOW1lWnFj
|
||||||
M3pLWmlDV0Vld3k2SXoyRkJ6a1hIWVEKLS0tIHJQamFiZklzby9UQlROVTFPT0tt
|
NGFMVXBNbVF4azlUV3dLZFB3aHdnZk0KLS0tIEFObC9ING4wRUtwZXhOS2VRcnR3
|
||||||
dnhReTcxeDE0NE1RNWRMN3JCOXVMTFkK8koum0Wlxgo52yDTRYCRFToQw16+iXFu
|
NnkrVjdGcFE0cGtEY0Vub3Z5R09zVWcKEjgqoO+4n02mwa8idy1FdASqoCkB4Ooe
|
||||||
+bzDHf9DjqvZzkZH2gEeS33meexZxyUcD/nWUQvyNcbhVO49tIb90w==
|
j04tUVa0xufui6gITvO9DBgXbSdni5wbtabZNJ13S3dgWVY4CiDuYw==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
|
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSR3M5VG9GaDkyK21wOVda
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6aC9hTTB1enJYcUpiUHZS
|
||||||
WnluaERvelJ6bS9raS9DLzBCMXc1S1g1djBRCmhWYVdFeEY0bmpKSnN2bjBOKzQ4
|
eENnaEhPL3JIeGp5QmczQ1pSMTRmejZ1L0FNCldzM2FFSm9NaTNGTHVmNTJwVW9F
|
||||||
ckpoNGNmY0hLSTRBT2txQnEyY0hBTGsKLS0tIHY3NWN4RjRJVkdlN3JrS2krZXdn
|
YXIrSGFsWG05U0NXdWg2VUQ1NDVyYWsKLS0tIFQxd2hpMXJRWXhJclFzQjVzZWFI
|
||||||
UVNSN29uQlh4WEVRVWd0a1FBNGY4VjQKMG2zUS+jehQGNo1OI2gQF0InKDzd15PM
|
VHdoVHJnNit3OE5mU2YvTjYxSmxkcXcKBips96WiE/NI7GWZVUOzdJSTIyoG4U4R
|
||||||
wyyitNB3Lh5JViREQHbYe2DrDA15W6iV5bTIzzf9zToR6+ouRBgzFA==
|
haVYaHJJ1xW/E7WqJKn/E+wiMHFNcQJFOi6/JkWGLCkEE5tDLSDibw==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
|
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjcnd3d2JoWWtldXVQc0sr
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVY0pEaVR5NWMzR29YQUFY
|
||||||
bEkrYXN3OXVGZWFLNHlPenQ0eW1ISjNKK1ZRCjdxUWI0bUttRzlUOHRrZFhpd2Fq
|
R1p2ZFdEaVN1NXYzMW9oR3V2aXJxdDR2QlFvCmxsVDBCQUZnRllvY3NEMm1DQXpj
|
||||||
TjFmWTNBWFJFOWluam9vOEQwNEVHQ2sKLS0tIFJlTFp0Z2VVRm02OGp2R0IwTUdT
|
aDRCZjlnM0xZaVpTVlpXd08wU1VIR3cKLS0tIHo5TGNmMXZHSXpYQW5ITHpwTWJE
|
||||||
dkEybVp1OEhZR0JURFJqRW5nSURxME0KZcZj9YFuSvqM5bXbZQy44t4630p2aaAw
|
a1hDZXkxSG9FR0laYW9nZXFnN0NyUUUKa9dtMzPzZqWi1Z6gBxOh355Om8865AT5
|
||||||
H/yhO37jNToYUpmsbpCEYcZPfjkHkc/gKPyTcKSsUFusQAds1q6/Cg==
|
j0SjD1Zl00RvaC6mZQrhOB6Aq+eYHe3w29jkmkAGvIHXH8p1fNt8Hg==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2024-04-01T00:26:19Z"
|
lastmodified: "2024-04-06T05:12:13Z"
|
||||||
mac: ENC[AES256_GCM,data:+bAkGkkh+sPnZlG+E8+5/tZxX3W6yBTB/mSUeHKsEjv2ymo4HU5Vdef3iw4xnLBK/Kh94R0AQLd/jRJ8034Z07qBjCHttl9k5tRWyG1qZeEzZX8OOggig3PuiLv9hE0fJ+D0MX7rDy6XMyUDmaB46/TKiYPmlh8WOCB4yjjRr+Q=,iv:CsRGS8swKLEy0x3njmY+ExICDp97P9xdg0ERLonRKoQ=,tag:GYJIMpWXnOcktIL8GMUYfQ==,type:str]
|
mac: ENC[AES256_GCM,data:JVJ58TeYh66P6PuhSeCAZpXS5tu4H33rG5GZcJYorhT8Bldn72CTo9AhyhNzVHhfK1fIPI6VLyQM5rBUxBQVHWufx8hnYDrhBQdR9d3po8KKnyfpNgYS0rhifYyon5GUl4BW89RaD45+ZbrE1kIsqCYwwim/bcVYqXuRh1CGYeA=,iv:lRU08rccGMH5ykhSE8bREkog4ftXUporCj+YMsOmUN8=,tag:tIekpP6QIp1Ce2s4a2qO8Q==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.8.1
|
version: 3.8.1
|
||||||
|
|
49
nixos/modules/nixos/services/homepage/default.nix
Normal file
49
nixos/modules/nixos/services/homepage/default.nix
Normal file
|
@ -0,0 +1,49 @@
|
||||||
|
{ lib
|
||||||
|
, config
|
||||||
|
, pkgs
|
||||||
|
, ...
|
||||||
|
}:
|
||||||
|
with lib;
|
||||||
|
let
|
||||||
|
app = "homepage";
|
||||||
|
image = "ghcr.io/gethomepage/homepage:v0.8.10";
|
||||||
|
user = "568"; #string
|
||||||
|
group = "568"; #string
|
||||||
|
port = 3000; #int
|
||||||
|
persistentFolder = "${config.mySystem.persistentFolder}/${app}";
|
||||||
|
|
||||||
|
cfg = config.mySystem.services.homepage;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options.mySystem.services.homepage.enable = mkEnableOption "Homepage dashboard";
|
||||||
|
|
||||||
|
config = mkIf cfg.enable {
|
||||||
|
|
||||||
|
# ensure folder exist and has correct owner/group
|
||||||
|
systemd.tmpfiles.rules = [
|
||||||
|
"d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
|
||||||
|
];
|
||||||
|
|
||||||
|
virtualisation.oci-containers.containers.${app} = {
|
||||||
|
image = "${image}";
|
||||||
|
user = "${user}:${group}";
|
||||||
|
environment = {
|
||||||
|
UMASK = "002";
|
||||||
|
PUID = "${user}";
|
||||||
|
PGID = "${group}";
|
||||||
|
};
|
||||||
|
labels = {
|
||||||
|
"traefik.enable" = "true";
|
||||||
|
"traefik.http.routers.${app}.entrypoints" = "websecure";
|
||||||
|
"traefik.http.routers.${app}.middlewares" = "local-only@file";
|
||||||
|
"traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
|
||||||
|
};
|
||||||
|
# mount socket for service discovery.
|
||||||
|
volumes = [
|
||||||
|
"${persistentFolder}:/app/config:rw"
|
||||||
|
"/var/run/podman/podman.sock:/var/run/docker.sock:ro" # TODO abstract out podman/docker socket
|
||||||
|
];
|
||||||
|
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
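Review bot: The `volumes` entry that bind-mounts `/var/run/podman/podman.sock` into the container hands the dashboard the full Podman API; `:ro` only affects the mount itself, not what can be requested over the socket, so a compromised homepage (assuming uid 568 can read the socket at all) can create privileged containers on the host. Since the dashboard only needs read access for discovery, front the socket with a filtering proxy container that permits only `GET /containers` and point homepage at that, or at minimum record the trust implication beside the mount: `# NOTE: full podman API access - equivalent to root on the host`. The tmpfiles rule creates the config directory `0755` and the container runs with `UMASK = "002"`, so whatever the app writes there (widget configs commonly hold service API keys) ends up readable by every host user; `0750` on the directory would close that. The image is pinned by tag rather than digest; a `@sha256:` pin would make the pull reproducible.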
|
|
@ -18,7 +18,7 @@ in
|
||||||
group = "maddy";
|
group = "maddy";
|
||||||
};
|
};
|
||||||
|
|
||||||
sops.secrets."system/mail/maddy/envFile".restartUnits = [ "maddy" ];
|
sops.secrets."system/mail/maddy/envFile".restartUnits = [ "maddy.service" ];
|
||||||
|
|
||||||
services.maddy = {
|
services.maddy = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
system:
|
system:
|
||||||
mail:
|
mail:
|
||||||
maddy:
|
maddy:
|
||||||
envFile: ENC[AES256_GCM,data:43LVInxptreur8lHPNz5494OrGhe2aKqy//bDd9n4Pb9bMYnmN2hru64TpOCeKb4b7KUDrp5kWXdy9Q0njpdbdBprgKFXygVw8JuB1aDYlv9+RN2JntIa3dAhsgL26d8VC67tjsMXZUcinR69I3SfIVp0o2T45WhG4IT1rnBWX0mGug=,iv:Uy6OaCzayAqMhvFCF4Ho5Om810Qxi2yFIqmz6NU3L8Q=,tag:WizECPn2ip3dQ0gidMaHyQ==,type:str]
|
envFile: ENC[AES256_GCM,data:dHk1pvPlQ46sKDKoZE3OCZ6OxL9gwRpPnu7Q8o9BNmLB8tkxbEudc03Tj956Tf2waghH395O4/Ab2/clyXBZA735+3s0R8ZZX9LDPr47i0MxEhlB9Am/Sa8dg9ivjK8gvlp6oipuvlDmdmfKdP1/DiRd4a+PO9APVPTvFvPTHd9Jy8Y=,iv:x6uZU4XRdtSellvLUTr8aydrLL6k5jhgLoG1n1Zo0P0=,tag:0y2FPDz6psEQglQvus+BuA==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
|
@ -11,50 +11,50 @@ sops:
|
||||||
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
|
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtcUtQcU56aGhOU3hDRis2
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRd3VjeUxzR3d1S0NFQ1dI
|
||||||
bGFkUFhnT3BUSFhOWFFydnI4SmdkKzlJRlR3Cjh1MkRyS0tFeEM3bWhhNnFmSWNC
|
YVJHNjZKYnZneHJ4RG1NclJySThiVXBNd1JVCkVTc0tjWUpnQmxKS0hhalVzN1N0
|
||||||
UzhSRjJiN1VpTlNJUWkvcU54T0MyR0UKLS0tIHhNNHNBaXhvaGtIdE10YUo2MnZi
|
ZFNqZzFFbWYxU2ZrV2RnK01yTEk1eGsKLS0tIElRREpyM2F4L2cvNnhHMG9HcU8y
|
||||||
VEdEczl3b2UxZldBWkVzRWZ2RzZkZHMKofrWTXa5aedNl7uVVQF3TbysG2L6mtb/
|
SGVyeWlUR2RrNElwKzlzdXVsMG5QRWsKnZQXvig6jOCam2Pzt/TxXn6KqbNicvyN
|
||||||
5hYiKHsdgPyxQWL3V727GM7xhS5Jd/O/F3Nc8zGCgCCGmBe3Uf5+nA==
|
FXm6ObTz7FXj3AcSAWs+Pvsh/BQyk+87iHtgMIgaZnV1WQi7GybW8A==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
|
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6bUFTeE9sMHVBN1RmNWhj
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZQ3l0a1VvcFhLTHBqTTVy
|
||||||
czdaMjBjb2grTk1XWUp5emx4Q2ZsSHpIL0VjCnBVUnE2QjdTTUNON09qRkpnMEVs
|
emhuK05yaXE4NlNIRmJvdklBZFczdlJtbnlNCmlXa0ttU1dFZGFJSE9TQittQjhv
|
||||||
SmRoUFpmMmlZSGpyVGZIV3Q0MDMvUTAKLS0tIEI1ck5ySVhWemdpdnE1NUxCZ0Zt
|
S2h5NkZnQmQ3L0grUmNRY3lueDNKZVUKLS0tIFNDWlRUaTZxa1RRUUxIand6d3Na
|
||||||
eWtodW5yeG9tR2xCSTNRcTFaNDRkMXMKmuIyJlHmU7gL/iqn0L55TfCZ32/LRnLz
|
dURrcTgvVVVnYWxYS2ZXNHI2dXB6RW8KQ2ApgWJ9bvpxwSV5ppwFT8pRyalqs5Wf
|
||||||
aZ9vqWGNvXjF4UsmhC1ChI3wUaAgXGvWl0roym/d3BTDV/rrIG31Hw==
|
4p28ICtASrX58mOkITr3otZUlvHUMCWApr/ued8PSL6k3UoNOnTp4Q==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
|
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwcUxpSFR2WGNEMHQ0QTcz
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0UkRaVzJxaFYxWmY2SFNl
|
||||||
dTYzdWhRTEdwYW5sUTFMZkZPNTRnbmFnekJvCllTOFNMTk9MTGJRWFdGaGhBUlkx
|
c1UyQ25tNmFuNFlRRDQvRHlrZitsak9GSVNnCnUvYzVOaUh3T0hTMitKd3ltdG9q
|
||||||
WVZDVGNWZ1BPRFVwLzVFbklyVzYzTGsKLS0tIEprLy9IQ3ZycGJySWoxRG5QdFU4
|
M0YrVTFEYk1SMDczODhiWVdZYTRqREkKLS0tIEEwWFhCOVJ6M3J2dEsvamx0empa
|
||||||
azRaYnNhNzlHWFlpTGloc1JyS3dOWEUKcGY320t9R7z7wM1ebUF3QQdQzB0FMZtX
|
a01rRENJcGx1d2xHVWpubnJvaFNETTAKqVlKYvpowONBqJMPli43L/l6mklsj2eM
|
||||||
W45AWV+CWVce9qBm9OFVwluiJQD+m1BxLVxM1EmaNBBsT7PUleserg==
|
9H9JLhg9QYvbMIYy7X4UsMZWAW9OqrSQGi/BvL1L72LSjfT7BWRuRg==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
|
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRMUROaDE2NDhzUTJYTThj
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtMEpQc3RVTDVOWlI5OFZE
|
||||||
U0loNnpKUTJrWkVmeEI3Uk9tN2gzNm5ZYVVzCkhCNWcyL29SVTB5UjVnNHlrNy9Y
|
RGZsU3RUUWxtY3Z1SGFkNU5GeGdsZmROcUNBCnc1MGZ5eFBobmUyMThCVmJUelp5
|
||||||
Z2wrd1RudnRoYjRhZUJoUzdzVm9KemcKLS0tIFQvbzUwQ0lDcko0VHRPVDRFckFk
|
UW1JZUZJaFlPelExeGNmWXlNTzVwZm8KLS0tIFljK2c4RzFDVlZHek1oM2c5SU5j
|
||||||
T1RYa2J6V2FqRjUwb1ZpaHBBa2kvMncKwI9MAHNrZUD/3bEqYQ7bE65cZt9JAQ2p
|
VE1OUXBHeHEvZzVpSDF5OE9GaWxhNjQKo+m+AThAjdBXjy266bIVRbpJ9STSAvkK
|
||||||
s0nPt+izl384aYuEeOP2uGW7GyaSvG8sVytpyxOZ4DIAWdjzoWLxbQ==
|
6h1MRpK2CpFjNOJWL5Yv7wGIOqYyx++y2Sz3TOD842PEzNdpAmrf/A==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
|
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGTEZlUmlRSjRxNWdpSVY3
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5YzhHRXl6Yyt5QVFNZzlV
|
||||||
TXl4SGZZYW1lVkRqa1VON3k5TWJCTjFacXhvCkxRR3RqbnBxemQzMUs1NW5EczVm
|
N1l6ZmRoMTl6WGZPQlduYTRyWVVweWtDL1NrCnIxejdvaFNDNHo5RnZUZ1NPako5
|
||||||
OWtTQm9zWkdiWmFGdHZKdU52aG5jQU0KLS0tIFEzellhYWFnSFJaZmRlVjlpeWNX
|
QmxVd3IyUXFXNGZpWVRpMTNsaFFCa0UKLS0tIGR0V2tYUkw3NjZsd29tbTl0U2Y5
|
||||||
bTd2MExRU3Z5QzY5dEdEdzUvN2R4QzAKqOsV6f+NrCiOqELmJ5JJNnkxVKp3kQwy
|
UGZ5SUUvbEdOcm9ZZ2FPeEJNQTJmeVkK9e4K6Zz7oaLWo66pLDJu5fCtJlpjE+gz
|
||||||
MEkudjQ3tj+iw8C5tlIsixnT2Azbj3FcSAdTwPc1yRQ5WCyf6VTA5w==
|
dApChQV1+oPnTynpCQ4PCxC4X4L5sfxCqIR8uwRAkse6I/DUNWhiDA==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2024-04-01T00:26:19Z"
|
lastmodified: "2024-04-05T05:23:21Z"
|
||||||
mac: ENC[AES256_GCM,data:e2S19cJ1yA3J7UAOdMR0zqUx5KMzNg+JZ46Ux21Ph/8d9CXfRo1avHwl6EtWdSaMdLUHDqwzR+7fp1NVcP/fYBOhjHLhOgV1IWBfqA1Vche2MffQyi2dPYiDX7idHsh2eW3PhhXi821YtWEqv2Rmiani9gQJTjyXJkghy5JbbHw=,iv:FNveFjSPp1byfvuKy43DUjELoUu+axuElSa3RXAdV/Y=,tag:B03Hpaib8dVcFMD16vkYmA==,type:str]
|
mac: ENC[AES256_GCM,data:2zzSM4qqG/8XSm5gxBE8V4b4eRF46SNuOrXbDzK8ovGRu+BzbhYg1f2duf+p1m3flNu6n9WoR5HltjVDpdetg8ut85j/4AEnDKIVgPJPcjcJaVk0TKUdIGp/DAJ9hs8U6gTmKavxByBfOzhQiX/U7ewzC9GeQbU/MfdNrmC2qVI=,iv:wbjpidsVF6p4rLlGHgSQISA0JjK6MfogFrjhVkl1Sw0=,tag:9CXy2SnEBY9xLjC2UfL2kg==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.8.1
|
version: 3.8.1
|
||||||
|
|
24
nixos/modules/nixos/services/nix-serve/default.nix
Normal file
24
nixos/modules/nixos/services/nix-serve/default.nix
Normal file
|
@ -0,0 +1,24 @@
|
||||||
|
{ lib
|
||||||
|
, config
|
||||||
|
, pkgs
|
||||||
|
, ...
|
||||||
|
}:
|
||||||
|
with lib;
|
||||||
|
let
|
||||||
|
cfg = config.mySystem.services.nix-serve;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options.mySystem.services.nix-serve.enable = mkEnableOption "nix-serve";
|
||||||
|
|
||||||
|
# enable nix serve binary cache
|
||||||
|
# you can test its working with `nix store ping --store http://10.8.20.33:5000`
|
||||||
|
config.services.nix-serve = mkIf cfg.enable {
|
||||||
|
|
||||||
|
enable = true;
|
||||||
|
package = pkgs.nix-serve-ng;
|
||||||
|
openFirewall = true;
|
||||||
|
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
|
}
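Review bot: No `secretKeyFile` is set on the new `services.nix-serve` block, so as far as the visible config goes the cache serves unsigned narinfos and consumers must either disable signature checks or trust this store unconditionally; generate a key pair with `nix-store --generate-binary-cache-key` and set `secretKeyFile = config.sops.secrets."system/services/nix-serve/secretKey".path;`, publishing the `.pub` value via `nix.settings.trusted-public-keys` on the clients. `openFirewall = true` opens port 5000 on every interface; `networking.firewall.interfaces.<lan>.allowedTCPPorts = [ 5000 ];` in place of it keeps the unauthenticated HTTP endpoint off any WAN- or VPN-facing link. The header comment could also state that the cache is unauthenticated and LAN-only by design, so the next reader does not expose it further.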
|
|
@ -15,6 +15,7 @@ in
|
||||||
{
|
{
|
||||||
virtualisation.podman = {
|
virtualisation.podman = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
||||||
dockerCompat = true;
|
dockerCompat = true;
|
||||||
extraPackages = [ pkgs.zfs ];
|
extraPackages = [ pkgs.zfs ];
|
||||||
defaultNetwork.settings = {
|
defaultNetwork.settings = {
|
||||||
|
@ -25,6 +26,8 @@ in
|
||||||
backend = "podman";
|
backend = "podman";
|
||||||
};
|
};
|
||||||
networking.firewall.interfaces.podman0.allowedUDPPorts = [ 53 ];
|
networking.firewall.interfaces.podman0.allowedUDPPorts = [ 53 ];
|
||||||
|
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -3,6 +3,7 @@
|
||||||
, pkgs
|
, pkgs
|
||||||
, ...
|
, ...
|
||||||
}:
|
}:
|
||||||
|
# ref: https://github.com/rishid/nix-config/blob/be0d5cbbe4df79ed2b2ba4714456f21777c72b38/modules/traefik/default.nix#L170
|
||||||
with lib;
|
with lib;
|
||||||
let
|
let
|
||||||
cfg = config.mySystem.services.traefik;
|
cfg = config.mySystem.services.traefik;
|
||||||
|
@ -10,18 +11,159 @@ in
|
||||||
{
|
{
|
||||||
options.mySystem.services.traefik.enable = mkEnableOption "Traefik reverse proxy";
|
options.mySystem.services.traefik.enable = mkEnableOption "Traefik reverse proxy";
|
||||||
|
|
||||||
|
# TODO add to homepage
|
||||||
|
# modules.homepage.infrastructure-services = [{
|
||||||
|
# Traefik = {
|
||||||
|
# icon = "traefik.svg";
|
||||||
|
# description = "Reverse proxy";
|
||||||
|
# href = "https://traefik.dhupar.xyz:444";
|
||||||
|
# };
|
||||||
|
# }];
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
|
|
||||||
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||||
|
|
||||||
|
sops.secrets."system/services/traefik/apiTokenFile".sopsFile = ./secrets.sops.yaml;
|
||||||
|
|
||||||
|
# Restart when secret changes
|
||||||
|
sops.secrets."system/services/traefik/apiTokenFile".restartUnits = [ "traefik.service" ];
|
||||||
|
|
||||||
|
systemd.services.traefik = {
|
||||||
|
serviceConfig.EnvironmentFile = [
|
||||||
|
config.sops.secrets."system/services/traefik/apiTokenFile".path
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
services.traefik = {
|
services.traefik = {
|
||||||
enable = true;
|
enable = true;
|
||||||
staticConfigOptions = {
|
group = "podman"; # podman backend, required to access socket
|
||||||
api.dashboard = true;
|
|
||||||
api.insecure = true;
|
|
||||||
|
|
||||||
serversTransport = {
|
dataDir = "${config.mySystem.persistentFolder}/traefik/";
|
||||||
# Disable backend certificate verification.
|
# Required so traefik is permitted to watch docker events
|
||||||
insecureSkipVerify = true;
|
# group = "docker";
|
||||||
|
|
||||||
|
staticConfigOptions = {
|
||||||
|
|
||||||
|
global = {
|
||||||
|
checkNewVersion = false;
|
||||||
|
sendAnonymousUsage = false;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
api.dashboard = true;
|
||||||
|
log.level = "DEBUG";
|
||||||
|
|
||||||
|
# Allow backend services to have self-signed certs
|
||||||
|
serversTransport.insecureSkipVerify = true;
|
||||||
|
|
||||||
|
providers.docker = {
|
||||||
|
endpoint = "unix:///var/run/podman/podman.sock";
|
||||||
|
# endpoint = "tcp://127.0.0.1:2375";
|
||||||
|
exposedByDefault = false;
|
||||||
|
defaultRule = "Host(`{{ normalize .Name }}.${config.networking.domain}`)";
|
||||||
|
# network = "proxy";
|
||||||
|
};
|
||||||
|
|
||||||
|
# Listen on port 80 and redirect to port 443
|
||||||
|
entryPoints.web = {
|
||||||
|
address = ":80";
|
||||||
|
http.redirections.entrypoint.to = "websecure";
|
||||||
|
};
|
||||||
|
|
||||||
|
# Run everything SSL
|
||||||
|
entryPoints.websecure = {
|
||||||
|
address = ":443";
|
||||||
|
http = {
|
||||||
|
tls = {
|
||||||
|
certresolver = "letsencrypt";
|
||||||
|
domains.main = "${config.networking.domain}";
|
||||||
|
domains.sans = "*.${config.networking.domain}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
http3 = { };
|
||||||
|
};
|
||||||
|
|
||||||
|
certificatesResolvers.letsencrypt.acme = {
|
||||||
|
dnsChallenge.provider = "cloudflare";
|
||||||
|
keyType = "EC256";
|
||||||
|
storage = "${config.services.traefik.dataDir}/acme.json";
|
||||||
|
};
|
||||||
|
# };
|
||||||
|
};
|
||||||
|
# Dynamic configuration
|
||||||
|
dynamicConfigOptions = {
|
||||||
|
|
||||||
|
http.middlewares = {
|
||||||
|
# Whitelist local network and VPN addresses
|
||||||
|
local-only.ipWhiteList.sourceRange = [
|
||||||
|
"127.0.0.1/32" # localhost
|
||||||
|
"192.168.0.0/16" # RFC1918
|
||||||
|
"10.0.0.0/8" # RFC1918
|
||||||
|
"172.16.0.0/12" # RFC1918 (docker network)
|
||||||
|
];
|
||||||
|
|
||||||
|
# authelia = {
|
||||||
|
# # Forward requests w/ middlewares=authelia@file to authelia.
|
||||||
|
# forwardAuth = {
|
||||||
|
# # address = cfg.autheliaUrl;
|
||||||
|
# address = "http://localhost:9092/api/verify?rd=https://auth.dhupar.xyz:444/";
|
||||||
|
# trustForwardHeader = true;
|
||||||
|
# authResponseHeaders = [
|
||||||
|
# "Remote-User"
|
||||||
|
# "Remote-Name"
|
||||||
|
# "Remote-Email"
|
||||||
|
# "Remote-Groups"
|
||||||
|
# ];
|
||||||
|
# };
|
||||||
|
# };
|
||||||
|
# authelia-basic = {
|
||||||
|
# # Forward requests w/ middlewares=authelia-basic@file to authelia.
|
||||||
|
# forwardAuth = {
|
||||||
|
# address = "http://localhost:9092/api/verify?auth=basic";
|
||||||
|
# trustForwardHeader = true;
|
||||||
|
# authResponseHeaders = [
|
||||||
|
# "Remote-User"
|
||||||
|
# "Remote-Name"
|
||||||
|
# "Remote-Email"
|
||||||
|
# "Remote-Groups"
|
||||||
|
# ];
|
||||||
|
# };
|
||||||
|
# };
|
||||||
|
# https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview/#forwardauth-with-static-upstreams-configuration
|
||||||
|
# auth-headers = {
|
||||||
|
# browserXssFilter = true;
|
||||||
|
# contentTypeNosniff = true;
|
||||||
|
# forceSTSHeader = true;
|
||||||
|
# frameDeny = true;
|
||||||
|
# sslHost = domain;
|
||||||
|
# sslRedirect = true;
|
||||||
|
# stsIncludeSubdomains = true;
|
||||||
|
# stsPreload = true;
|
||||||
|
# stsSeconds = 315360000;
|
||||||
|
# };
|
||||||
|
};
|
||||||
|
|
||||||
|
tls.options.default = {
|
||||||
|
minVersion = "VersionTLS13";
|
||||||
|
sniStrict = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
# Set up wildcard domain certificates for both *.hostname.domain and *.local.domain
|
||||||
|
http.routers = {
|
||||||
|
traefik = {
|
||||||
|
entrypoints = "websecure";
|
||||||
|
rule = "Host(`traefik.${config.networking.domain}`)";
|
||||||
|
tls.certresolver = "letsencrypt";
|
||||||
|
tls.domains = [{
|
||||||
|
main = "${config.networking.domain}";
|
||||||
|
sans = "*.${config.networking.domain}";
|
||||||
|
}];
|
||||||
|
middlewares = "local-only@file";
|
||||||
|
service = "api@internal";
|
||||||
|
};
|
||||||
|
|
||||||
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
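Review bot: `http3 = { }` on the `websecure` entrypoint advertises HTTP/3, but the new `networking.firewall.allowedTCPPorts = [ 80 443 ];` opens TCP only, so clients that upgrade via Alt-Svc hit a closed UDP/443 and fall back after a timeout; add `networking.firewall.allowedUDPPorts = [ 443 ];` or drop the `http3` block. The `local-only` allow-list also includes `172.16.0.0/12` (commented "docker network"), which makes every container on the podman bridge, including the *arr services added in this commit, a trusted client of the `api@internal` dashboard router; if that is not intended, limit the list to the LAN/VPN ranges. `serversTransport.insecureSkipVerify = true` is carried over from the old config and disables backend certificate checking globally; a named serversTransport applied only to the self-signed backends would keep verification for the rest. `log.level = "DEBUG"` is worth noting as a temporary setting, since it is unusually verbose for a long-running proxy.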
|
||||||
|
|
61
nixos/modules/nixos/services/traefik/secrets.sops.yaml
Normal file
61
nixos/modules/nixos/services/traefik/secrets.sops.yaml
Normal file
|
@ -0,0 +1,61 @@
|
||||||
|
system:
|
||||||
|
services:
|
||||||
|
#ENC[AES256_GCM,data:L5ZUZZoFkMaTErRqwkG03SVET5x6AVL+4OvX6ukQlvFX+P9ICYY6lDGDmJARUXDm2yW6hllqA2FxoteFXT5LEikraLywI5jGDgQMGw==,iv:fHYZ9LBvFVT24xeN7HSjlNhFse/MIhb6/3XCUbdCppA=,tag:tq+MbSt+jhvNJfdpuQ5ddg==,type:comment]
|
||||||
|
traefik:
|
||||||
|
apiTokenFile: ENC[AES256_GCM,data:hVIUCHU/AU6SOGt7JEVYuE55LlT7AhSuRpkCEWrsKxhy0K5jRZhYb4G30sXrOv80gb8T82ItYjpi5ytckGq325A4Uzn2dYQ4P9sv1uRxrcJrSOuMvpeWnijT33wbxn/fcg==,iv:5065MjT63rYvx/+ivfVha/+VxaTaHicfmshPI/9qfYw=,tag:S7t/Fr5R30lwO3KvuDjHWw==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLbVBCZGdUU3dJR0VXMUQ2
|
||||||
|
ZUhYcEZkYVBRZkxteGkzaXdDNUVzNjdFUWxrCkgwcXZYZlZ2Wk1KbDg2VGpmZXQ5
|
||||||
|
K3ZxR21FZGpJWFpSakltdzN6MUh0b28KLS0tIHRDK2dKQ1Q0UGpBM2oyYzhuSGo2
|
||||||
|
TWFTYnpYbDZPeUVtbTdXNm84RFJoaDQKFB0HX9yJ6D5jQRd8qUsLUy4ZcweYv1Qh
|
||||||
|
BJlQJOlMi+OliSiWOPsI8L8SJSTWJvy6ZX/LcebuQ0tlXeNd3HYAQQ==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBTXp6aExQTVh4OFVKV1Nz
|
||||||
|
UU0zbEJnR3Nvb256TllyYXg4OTVOektoSURnCllWZUpwc3ZObjlWT0YyLzRiQ0dM
|
||||||
|
Sy9GSCtsTkZyVkJ1dDJnbmh2ZHdrZG8KLS0tIDRPakxzRWt6ckRzZzVZQzN6RVlU
|
||||||
|
MEhwbFpIK3hTeGttS0x3Q0dHdHZhNG8KovgKj2k7N/lpGT2j+e1u+3uX3EAMwAwt
|
||||||
|
uHI2LqEtfaMJZQvsP409G4QkEy+o7GJ7N3LpAXFAPvnJbH5/n7WxiA==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCZjFiSDIzMVVNMmk3ZlBn
|
||||||
|
SFFpbE10Q0ZZMlhGbElMTURjeDFhUmlnNmdrCk55ZHY0Y3o2SGtaM2ZOTE5QOFo1
|
||||||
|
WVdEWGtzWTIxbWtXMmF5V3JvVjBpVFEKLS0tIEtVMldydlRvdHJLYzVnQy9kUnNZ
|
||||||
|
OHJUSlBlQ3Rhb1RYUVNQSWNLWU5NOGcKEHjjav+ACT+HQ9haoMfRei7cAOPugMDs
|
||||||
|
JsSRPWnVBYPx+9AxDY030Aw6vMw9+rFSuCp3PMH4mNbCcCucaIWWSA==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzQWhCM2dpZDFkVVE4SVJq
|
||||||
|
SXY1ZVh2ZWlDRnN4d2hsREpwU0tYMmpKK0hzCmhkSllSM0NGdHZiV0o4dWVac2Ft
|
||||||
|
Y01nUlBKUHg4eE1YZWZlU29Vd2lEelEKLS0tIG9DdmdoaWVBMTJ2WnBnWXI5d1ZX
|
||||||
|
VGtCSTdPcDZHeVdUL1Z6S3hoUE9IR2sK8WyNXZDiJG3ox+nBcwTXdn3fmd4kS2z/
|
||||||
|
aUV6ql3vLdsu3/BxLq3v00AXXYNOnWmVrUxTJ9Lv1j0FM5Gh5LupQw==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVdU9TeFlSUWZISytBTnNn
|
||||||
|
RWlITURiQnY2Ni9LMWZ4R0pBWDJmaHpTZDJ3ClVackV1UHNYUXFmeUliT0h1aHNR
|
||||||
|
S0M4NWg0NkYrL2V4NXlIUDJ6RE8rODgKLS0tIGEwdGpxNVNtVDc0M0k1ejl1ZmFX
|
||||||
|
c2VQSk53WEFoTFdFUTM3eWNVamxwNTgKBYqQy+ILW9MdRPDgRBVw8sOyYF40rhYz
|
||||||
|
yP+Bu6EBAjJDOP/Ywx6I7u6AmlTRcOtk8PmJ8eo3raP07at+jrXsaw==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-04-05T08:20:07Z"
|
||||||
|
mac: ENC[AES256_GCM,data:a/J87IQL0X7XQycpZXWg2otlBe7/W7Ebe0CAKunnyF8Gm9RRMWdECrFeBDtAyVAHl2F6gqlNTyEMsOVE+aR6+xu91rXr332k66SnSQcMOjQ987+r+t3b1hUZ9Cz+qNbtepXaGTuCNQ0JH+o3ezkA1D6BDIvf6S4IRWRT9psOiHI=,iv:2TXiGQDDK2nSTAb+n3baFfng9jDPoe7Ts9Au9dTRclA=,tag:MZFBEcpOmoX0TN33OMoApg==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.8.1
|
|
@ -29,12 +29,17 @@ with lib;
|
||||||
# But wont enable plugins globally, leave them for workstations
|
# But wont enable plugins globally, leave them for workstations
|
||||||
};
|
};
|
||||||
|
|
||||||
# required for yubico
|
environment.systemPackages = with pkgs; [
|
||||||
services.udev.packages = [ pkgs.yubikey-personalization ];
|
curl
|
||||||
services.pcscd.enable = true;
|
wget
|
||||||
|
dnsutils
|
||||||
|
];
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
networking.useDHCP = lib.mkDefault true;
|
networking.useDHCP = lib.mkDefault true;
|
||||||
|
networking.domain = "trux.dev"; # TODO make variable
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -1,6 +1,5 @@
|
||||||
{ lib, config, pkgs, nixpkgs, ... }:
|
{ lib, config, pkgs, nixpkgs, self, ... }:
|
||||||
{
|
{
|
||||||
|
|
||||||
## Below is to align shell/system to flake's nixpkgs
|
## Below is to align shell/system to flake's nixpkgs
|
||||||
## ref: https://nixos-and-flakes.thiscute.world/best-practices/nix-path-and-flake-registry
|
## ref: https://nixos-and-flakes.thiscute.world/best-practices/nix-path-and-flake-registry
|
||||||
|
|
||||||
|
@ -31,12 +30,14 @@
|
||||||
"https://cache.garnix.io"
|
"https://cache.garnix.io"
|
||||||
"https://nix-community.cachix.org"
|
"https://nix-community.cachix.org"
|
||||||
"https://numtide.cachix.org"
|
"https://numtide.cachix.org"
|
||||||
|
"https://deploy-rs.cachix.org"
|
||||||
];
|
];
|
||||||
|
|
||||||
trusted-public-keys = [
|
trusted-public-keys = [
|
||||||
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
|
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
|
||||||
"numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="
|
"numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="
|
||||||
"cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
|
"cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
|
||||||
|
"deploy-rs.cachix.org-1:xfNobmiwF/vzvK1gpfediPwpdIP0rpDV2rYqx40zdSI="
|
||||||
];
|
];
|
||||||
|
|
||||||
# Fallback quickly if substituters are not available.
|
# Fallback quickly if substituters are not available.
|
||||||
|
|
|
@ -19,7 +19,6 @@ with lib;
|
||||||
};
|
};
|
||||||
|
|
||||||
nixpkgs.hostPlatform.system = "aarch64-linux";
|
nixpkgs.hostPlatform.system = "aarch64-linux";
|
||||||
nixpkgs.buildPlatform.system = "x86_64-linux";
|
|
||||||
|
|
||||||
console.enable = false;
|
console.enable = false;
|
||||||
|
|
||||||
|
|
|
@ -23,6 +23,7 @@ with config;
|
||||||
|
|
||||||
binfmt.emulatedSystems = [ "aarch64-linux" ]; # Enabled for raspi4 compilation
|
binfmt.emulatedSystems = [ "aarch64-linux" ]; # Enabled for raspi4 compilation
|
||||||
plymouth.enable = true; # hide console with splash screen
|
plymouth.enable = true; # hide console with splash screen
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
nix.settings = {
|
nix.settings = {
|
||||||
|
@ -35,6 +36,24 @@ with config;
|
||||||
# set xserver videodrivers if used
|
# set xserver videodrivers if used
|
||||||
services.xserver.enable = true;
|
services.xserver.enable = true;
|
||||||
|
|
||||||
|
services = {
|
||||||
|
fwupd.enable = config.boot.loader.systemd-boot.enable; # fwupd does not work in BIOS mode
|
||||||
|
thermald.enable = true;
|
||||||
|
smartd.enable = true;
|
||||||
|
|
||||||
|
# required for yubikey
|
||||||
|
udev.packages = [ pkgs.yubikey-personalization ];
|
||||||
|
pcscd.enable = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
hardware = {
|
||||||
|
enableAllFirmware = true;
|
||||||
|
sensor.hddtemp = {
|
||||||
|
enable = true;
|
||||||
|
drives = [ "/dev/disk/by-id/*" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
|
@ -47,12 +66,19 @@ with config;
|
||||||
dnsutils
|
dnsutils
|
||||||
nix
|
nix
|
||||||
|
|
||||||
|
# Sensors etc
|
||||||
|
lm_sensors
|
||||||
|
cpufrequtils
|
||||||
|
cpupower-gui
|
||||||
|
|
||||||
# TODO Move
|
# TODO Move
|
||||||
nil
|
nil
|
||||||
nixpkgs-fmt
|
nixpkgs-fmt
|
||||||
statix
|
statix
|
||||||
nvd
|
nvd
|
||||||
gh
|
gh
|
||||||
|
|
||||||
|
bind # for dns utils like named-checkconf
|
||||||
];
|
];
|
||||||
|
|
||||||
i18n = {
|
i18n = {
|
||||||
|
|