diff --git a/flake.lock b/flake.lock index 1f5aafb..1644dfc 100644 --- a/flake.lock +++ b/flake.lock @@ -51,6 +51,39 @@ "type": "github" } }, + "e11sync": { + "inputs": { + "flake-compat": [ + "flake-compat" + ], + "flake-utils": [ + "flake-utils" + ], + "geoip2-tarball": "geoip2-tarball", + "gitignore": [ + "gitignore" + ], + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit-hooks": [ + "pre-commit-hooks" + ] + }, + "locked": { + "lastModified": 1705498237, + "narHash": "sha256-FFKNlobtEjtdR+PpbarW3D2xWLTXS0jipSOPWCBh2ug=", + "ref": "refs/heads/main", + "rev": "bf0d2452ce39c2665214cd2e869dec4117eafc25", + "revCount": 113, + "type": "git", + "url": "https://git.jakstys.lt/motiejus/e11sync" + }, + "original": { + "type": "git", + "url": "https://git.jakstys.lt/motiejus/e11sync" + } + }, "flake-compat": { "locked": { "lastModified": 1688025799, @@ -84,6 +117,19 @@ "type": "github" } }, + "geoip2-tarball": { + "flake": false, + "locked": { + "lastModified": 1705308463, + "narHash": "sha256-Q+t6LnGy8R6QLugw25iC0WdVPU2C3eqZPlbvVQ9EpwE=", + "type": "tarball", + "url": "https://dl.jakstys.lt/_/2024.01.13.tar.zst" + }, + "original": { + "type": "tarball", + "url": "https://dl.jakstys.lt/_/2024.01.13.tar.zst" + } + }, "gitignore": { "inputs": { "nixpkgs": [ @@ -202,11 +248,11 @@ }, "nur": { "locked": { - "lastModified": 1705490880, - "narHash": "sha256-JfC6ZMF/BWWIzzqYNswF/WTtIbjaF8MKkpdhl1YPyN8=", + "lastModified": 1705498134, + "narHash": "sha256-JWz7O2RDOAiWvndH/Gd84XvZgsFuvHhDnr4MFbCjLLA=", "owner": "nix-community", "repo": "NUR", - "rev": "8d1c62baf47e465e0732ebf7336d2443add7e3ec", + "rev": "2afd51ec110a41d646272a548fe5a2913f33a918", "type": "github" }, "original": { @@ -251,6 +297,7 @@ "inputs": { "agenix": "agenix", "deploy-rs": "deploy-rs", + "e11sync": "e11sync", "flake-compat": "flake-compat", "flake-utils": "flake-utils", "gitignore": "gitignore", diff --git a/flake.nix b/flake.nix index 3de3675..57fcee9 100644 --- a/flake.nix +++ b/flake.nix 
@@ -53,6 +53,17 @@ gitignore.follows = "gitignore"; }; }; + + e11sync = { + url = "git+https://git.jakstys.lt/motiejus/e11sync"; + inputs = { + nixpkgs.follows = "nixpkgs"; + flake-utils.follows = "flake-utils"; + flake-compat.follows = "flake-compat"; + gitignore.follows = "gitignore"; + pre-commit-hooks.follows = "pre-commit-hooks"; + }; + }; }; nixConfig = { @@ -73,6 +84,7 @@ pre-commit-hooks, nur, nixgl, + e11sync, ... } @ inputs: let myData = import ./data.nix; @@ -201,16 +213,18 @@ system = "aarch64-linux"; modules = [ {nixpkgs.overlays = mkOverlays system;} - ./hosts/fra1-a/configuration.nix - - ./modules - + # TODO: remove `${system}` from here + e11sync.nixosModules.${system}.e11sync agenix.nixosModules.default home-manager.nixosModules.home-manager + ./hosts/fra1-a/configuration.nix + ./modules + { age.secrets = { zfs-passphrase-vno1-oh2.file = ./secrets/vno1-oh2/zfs-passphrase.age; + e11sync-secret-key.file = ./secrets/e11sync/secret-key.age; motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age; root-passwd-hash.file = ./secrets/root_passwd_hash.age; sasl-passwd.file = ./secrets/postfix_sasl_passwd.age; diff --git a/hosts/fra1-a/configuration.nix b/hosts/fra1-a/configuration.nix index 4732c6b..d9b843a 100644 --- a/hosts/fra1-a/configuration.nix +++ b/hosts/fra1-a/configuration.nix @@ -75,12 +75,31 @@ }; }; - services.nsd = { + e11sync = { enable = true; - interfaces = ["0.0.0.0" "::"]; - zones = { - "jakstys.lt.".data = myData.jakstysLTZone; - "11sync.net.".data = myData.e11syncZone; + migrateOnStart = true; + secretKeyPath = config.age.secrets.e11sync-secret-key.path; + vhost = "11sync.net"; + }; + + services = { + caddy = { + enable = true; + email = "motiejus+acme@jakstys.lt"; + globalConfig = '' + servers { + metrics + } + ''; + }; + + nsd = { + enable = true; + interfaces = ["0.0.0.0" "::"]; + zones = { + "jakstys.lt.".data = myData.jakstysLTZone; + "11sync.net.".data = myData.e11syncZone; + }; }; }; 
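Review bot: The new `e11sync` input at `url = "git+https://git.jakstys.lt/motiejus/e11sync";` carries no `ref` or `rev`, so every `nix flake update` will move to whatever the remote's default branch points at; the only integrity anchor is the `rev`/`narHash` pair recorded in flake.lock. That is reproducible, but an update silently pulls any new commit (and, through its `geoip2-tarball` input listed in the lock, a fresh tarball from dl.jakstys.lt) into a host build that is also handed the service's secret key. If the intent is that fra1-a only ever builds a reviewed revision, pin it explicitly, e.g. `url = "git+https://git.jakstys.lt/motiejus/e11sync?ref=main&rev=bf0d2452ce39c2665214cd2e869dec4117eafc25";`, or make reviewing the lock diff part of each update. The `inputs` attribute set this hunk sits in starts and ends outside the hunk.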
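Review bot: `e11sync-secret-key.file = ./secrets/e11sync/secret-key.age;` sets only `file`, so the decrypted secret gets agenix's defaults, which as far as I recall are owner root, group root, mode 0400; unless the e11sync service runs as root or its module loads the file through a systemd credential, the service will not be able to open the path it is given as `secretKeyPath`. If it runs as a dedicated user, declare the owner here, e.g. `e11sync-secret-key = { file = ./secrets/e11sync/secret-key.age; owner = "e11sync"; };` (substituting the module's actual service user). I cannot see the e11sync module from this diff, so this needs confirming against it. The `age.secrets` attribute set continues past the end of the hunk.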
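Review bot: `globalConfig = '' servers { metrics } '';` turns on Caddy's per-server Prometheus metrics, which Caddy serves from its admin endpoint (`localhost:2019/metrics` by default, as far as I recall); that endpoint has no authentication, so this is only safe while it stays bound to loopback, and nothing in the hunk records that assumption. A one-line comment would stop a later `admin` tweak from exposing it, e.g. `# metrics are served by the unauthenticated admin API; keep it on loopback only`. `migrateOnStart = true;` is likewise worth a note on whether migrations are expected to run on every restart of a host that also serves `11sync.net` DNS. The enclosing attribute set, and the e11sync option definitions this relies on, are outside the hunk.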
@@ -90,8 +109,8 @@ domain = "servers.jakst"; useDHCP = true; firewall = { - allowedUDPPorts = [53]; - allowedTCPPorts = [22 53]; + allowedUDPPorts = [53 443]; + allowedTCPPorts = [22 53 80 443]; }; }; diff --git a/secrets.nix b/secrets.nix index 7fc1b5e..6cc0d71 100644 --- a/secrets.nix +++ b/secrets.nix @@ -35,9 +35,9 @@ in "secrets/synapse/registration_shared_secret.age" "secrets/synapse/macaroon_secret_key.age" ] - # TODO make sure secrets don't repeat here. // mk ([fra1-a] ++ motiejus) [ "secrets/vno1-oh2/zfs-passphrase.age" + "secrets/e11sync/secret-key.age" ] // mk ([vno3-rp3b] ++ motiejus) [ "secrets/vno3-rp3b/datapool-passphrase.age" diff --git a/secrets/e11sync/secret-key.age b/secrets/e11sync/secret-key.age new file mode 100644 index 0000000..140fe71 --- /dev/null +++ b/secrets/e11sync/secret-key.age @@ -0,0 +1,14 @@ +age-encryption.org/v1 +-> ssh-ed25519 qDkIVA EcrOFGh2er0Hl7xxWct2cUX4heduWCqm2+JqSH81iTY +7oeP2PFS5nDo1QY8hVA7JtqhXg9tVoUaJmuf/ZRjs/Q +-> X25519 ljxQYvPkqvKEYOxDlBf8gj6U8Nd6b93STFg7VvX7kTk +bQluMiLgv37c0lK7Qcywuk76EvM6aWQ1e5jMu+b/wyQ +-> X25519 mVpBCxyKGYxQjUIbx7saDTn5G23ytVA/cbKu09f0bmU +ZJWx4ynxcjH+b2I/t65YcBeSWc42bbLj0GPOEmQRthY +-> piv-p256 +y2G/w A4MZ+jL9BvSPTXcqnhumP19jMLpGHiReoMKKF18Y8c0l +34dg3Nf0M5seK9dUHH+6mCBuRNbrCcO3Nn3133q9L8c +-> piv-p256 jNqd3A As9f0NzBBLhHw+raFyA1MXpudE0t4g5X621nlBKyOL7g +Ttf8gKYskH00eVYSca+el8Q7eL2SUmxAIfeUTiRYTS4 +--- OeIgN68dHKyT9/DFyr90D56ioNKYxAmartgfrDUoDG4 +AS4ɛX2ɹcna{M +`^wcE.? k@lOЊ0YާNkN \ No newline at end of file
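Review bot: The `# TODO make sure secrets don't repeat here.` comment is dropped while no check that replaces it is visible in this diff; the `//` merges between the surrounding `mk` calls are silent last-writer-wins, so a secret path listed in two groups would presumably end up encrypted only to the later group's recipients. Unless a dedup check now lives elsewhere, keep the reminder next to the new `"secrets/e11sync/secret-key.age"` entry, e.g. `# TODO: assert no path is listed in more than one mk group (later // silently overrides earlier)`. The `mk` helper and the expression it is merged into start and end outside the hunk.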