commit e4870a2a24ec4bb5997e855a79523b9d828b3bb6 (tree)
parent 50c8a718db83217a40957ed6af2fa7f84476b132
Author: Motiejus Jakštys <motiejus@jakstys.lt>
Date: Wed, 17 Jan 2024 13:17:19 +0200
e11sync
Diffstat:
5 files changed, 110 insertions(+), 15 deletions(-)
diff --git a/flake.lock b/flake.lock
@@ -51,6 +51,39 @@
"type": "github"
}
},
+ "e11sync": {
+ "inputs": {
+ "flake-compat": [
+ "flake-compat"
+ ],
+ "flake-utils": [
+ "flake-utils"
+ ],
+ "geoip2-tarball": "geoip2-tarball",
+ "gitignore": [
+ "gitignore"
+ ],
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "pre-commit-hooks": [
+ "pre-commit-hooks"
+ ]
+ },
+ "locked": {
+ "lastModified": 1705498237,
+ "narHash": "sha256-FFKNlobtEjtdR+PpbarW3D2xWLTXS0jipSOPWCBh2ug=",
+ "ref": "refs/heads/main",
+ "rev": "bf0d2452ce39c2665214cd2e869dec4117eafc25",
+ "revCount": 113,
+ "type": "git",
+ "url": "https://git.jakstys.lt/motiejus/e11sync"
+ },
+ "original": {
+ "type": "git",
+ "url": "https://git.jakstys.lt/motiejus/e11sync"
+ }
+ },
"flake-compat": {
"locked": {
"lastModified": 1688025799,
@@ -84,6 +117,19 @@
"type": "github"
}
},
+ "geoip2-tarball": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1705308463,
+ "narHash": "sha256-Q+t6LnGy8R6QLugw25iC0WdVPU2C3eqZPlbvVQ9EpwE=",
+ "type": "tarball",
+ "url": "https://dl.jakstys.lt/_/2024.01.13.tar.zst"
+ },
+ "original": {
+ "type": "tarball",
+ "url": "https://dl.jakstys.lt/_/2024.01.13.tar.zst"
+ }
+ },
"gitignore": {
"inputs": {
"nixpkgs": [
@@ -202,11 +248,11 @@
},
"nur": {
"locked": {
- "lastModified": 1705490880,
- "narHash": "sha256-JfC6ZMF/BWWIzzqYNswF/WTtIbjaF8MKkpdhl1YPyN8=",
+ "lastModified": 1705498134,
+ "narHash": "sha256-JWz7O2RDOAiWvndH/Gd84XvZgsFuvHhDnr4MFbCjLLA=",
"owner": "nix-community",
"repo": "NUR",
- "rev": "8d1c62baf47e465e0732ebf7336d2443add7e3ec",
+ "rev": "2afd51ec110a41d646272a548fe5a2913f33a918",
"type": "github"
},
"original": {
@@ -251,6 +297,7 @@
"inputs": {
"agenix": "agenix",
"deploy-rs": "deploy-rs",
+ "e11sync": "e11sync",
"flake-compat": "flake-compat",
"flake-utils": "flake-utils",
"gitignore": "gitignore",
diff --git a/flake.nix b/flake.nix
@@ -53,6 +53,17 @@
gitignore.follows = "gitignore";
};
};
+
+ e11sync = {
+ url = "git+https://git.jakstys.lt/motiejus/e11sync";
+ inputs = {
+ nixpkgs.follows = "nixpkgs";
+ flake-utils.follows = "flake-utils";
+ flake-compat.follows = "flake-compat";
+ gitignore.follows = "gitignore";
+ pre-commit-hooks.follows = "pre-commit-hooks";
+ };
+ };
};
nixConfig = {
@@ -73,6 +84,7 @@
pre-commit-hooks,
nur,
nixgl,
+ e11sync,
...
} @ inputs: let
myData = import ./data.nix;
@@ -201,16 +213,18 @@
system = "aarch64-linux";
modules = [
{nixpkgs.overlays = mkOverlays system;}
- ./hosts/fra1-a/configuration.nix
-
- ./modules
-
+ # TODO: remove `${system}` from here
+ e11sync.nixosModules.${system}.e11sync
agenix.nixosModules.default
home-manager.nixosModules.home-manager
+ ./hosts/fra1-a/configuration.nix
+ ./modules
+
{
age.secrets = {
zfs-passphrase-vno1-oh2.file = ./secrets/vno1-oh2/zfs-passphrase.age;
+ e11sync-secret-key.file = ./secrets/e11sync/secret-key.age;
motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
root-passwd-hash.file = ./secrets/root_passwd_hash.age;
sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
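Review bot: `e11sync-secret-key.file` is declared with only a `.file`, so agenix decrypts it with its defaults (root-owned, mode 0400). Whether the e11sync service can read `secretKeyPath` then depends on how the module loads the key, which is not visible in this hunk. If the service runs as its own user and opens the path directly, set the owner explicitly, e.g. `e11sync-secret-key = { file = ./secrets/e11sync/secret-key.age; owner = "<service-user>"; };` (the user name is a placeholder), rather than loosening the mode. The `modules` list and the `age.secrets` set both continue outside the hunk.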
diff --git a/hosts/fra1-a/configuration.nix b/hosts/fra1-a/configuration.nix
@@ -75,12 +75,31 @@
};
};
- services.nsd = {
+ e11sync = {
enable = true;
- interfaces = ["0.0.0.0" "::"];
- zones = {
- "jakstys.lt.".data = myData.jakstysLTZone;
- "11sync.net.".data = myData.e11syncZone;
+ migrateOnStart = true;
+ secretKeyPath = config.age.secrets.e11sync-secret-key.path;
+ vhost = "11sync.net";
+ };
+
+ services = {
+ caddy = {
+ enable = true;
+ email = "motiejus+acme@jakstys.lt";
+ globalConfig = ''
+ servers {
+ metrics
+ }
+ '';
+ };
+
+ nsd = {
+ enable = true;
+ interfaces = ["0.0.0.0" "::"];
+ zones = {
+ "jakstys.lt.".data = myData.jakstysLTZone;
+ "11sync.net.".data = myData.e11syncZone;
+ };
};
};
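Review bot: The `servers { metrics }` block in `globalConfig` turns on Caddy's per-request metrics, but nothing here says where they are meant to be scraped. Caddy serves them from its admin endpoint, which listens on localhost by default, so they stay private only while that endpoint is left local. I would document that next to the option, e.g. `# metrics are served from Caddy's admin endpoint (/metrics); keep it bound to localhost`. Separately, `migrateOnStart = true` makes every service start a schema migration, so a one-line comment on the expected behaviour when a migration fails would help whoever deploys this host.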
@@ -90,8 +109,8 @@
domain = "servers.jakst";
useDHCP = true;
firewall = {
- allowedUDPPorts = [53];
- allowedTCPPorts = [22 53];
+ allowedUDPPorts = [53 443];
+ allowedTCPPorts = [22 53 80 443];
};
};
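Review bot: The two `allowed*Ports` lists now cover three services without saying which port belongs to which, and UDP 443 in particular is easy to misread as a mistake. It is only needed for HTTP/3 (QUIC), which Caddy enables by default; if HTTP/3 is not wanted on this host, leave UDP 443 closed. Otherwise a comment above the lists would do, e.g. `# 22: ssh; 53 tcp/udp: nsd; 80/443 tcp: caddy (ACME + HTTPS); 443 udp: caddy HTTP/3`. The `networking` block starts outside the hunk.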
diff --git a/secrets.nix b/secrets.nix
@@ -35,9 +35,9 @@ in
"secrets/synapse/registration_shared_secret.age"
"secrets/synapse/macaroon_secret_key.age"
]
- # TODO make sure secrets don't repeat here.
// mk ([fra1-a] ++ motiejus) [
"secrets/vno1-oh2/zfs-passphrase.age"
+ "secrets/e11sync/secret-key.age"
]
// mk ([vno3-rp3b] ++ motiejus) [
"secrets/vno3-rp3b/datapool-passphrase.age"
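Review bot: The `//` merges joining these `mk` groups are right-biased, so a path listed in two groups silently keeps only the later group's recipient list. The TODO that tracked this is removed without a visible check replacing it. Presumably `mk` returns an attribute set keyed by secret path; if so, a duplicate entry would change who can decrypt a secret with no evaluation error. Either keep the comment `# TODO make sure secrets don't repeat here.` or enforce it with an assertion that the combined path lists contain no duplicates. The surrounding expression starts and ends outside the hunk.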
diff --git a/secrets/e11sync/secret-key.age b/secrets/e11sync/secret-key.age
@@ -0,0 +1,14 @@
+age-encryption.org/v1
+-> ssh-ed25519 qDkIVA EcrOFGh2er0Hl7xxWct2cUX4heduWCqm2+JqSH81iTY
+7oeP2PFS5nDo1QY8hVA7JtqhXg9tVoUaJmuf/ZRjs/Q
+-> X25519 ljxQYvPkqvKEYOxDlBf8gj6U8Nd6b93STFg7VvX7kTk
+bQluMiLgv37c0lK7Qcywuk76EvM6aWQ1e5jMu+b/wyQ
+-> X25519 mVpBCxyKGYxQjUIbx7saDTn5G23ytVA/cbKu09f0bmU
+ZJWx4ynxcjH+b2I/t65YcBeSWc42bbLj0GPOEmQRthY
+-> piv-p256 +y2G/w A4MZ+jL9BvSPTXcqnhumP19jMLpGHiReoMKKF18Y8c0l
+34dg3Nf0M5seK9dUHH+6mCBuRNbrCcO3Nn3133q9L8c
+-> piv-p256 jNqd3A As9f0NzBBLhHw+raFyA1MXpudE0t4g5X621nlBKyOL7g
+Ttf8gKYskH00eVYSca+el8Q7eL2SUmxAIfeUTiRYTS4
+--- OeIgN68dHKyT9/DFyr90D56ioNKYxAmartgfrDUoDG4
+AS4ɛX2ɹcna{M
+`^wcE.?k@lOЊ0YާNkN
+\ No newline at end of file