diff --git a/checks/default.nix b/checks/default.nix index ae2c491..f82204c 100644 --- a/checks/default.nix +++ b/checks/default.nix @@ -11,7 +11,7 @@ ]; perSystem = - { config, ... }: + { config, pkgs, ... }: { treefmt.config = { projectRootFile = ".git/config"; @@ -42,6 +42,18 @@ package = config.treefmt.build.wrapper; }; }; + packages.push-to-cache = + let + allChecks = with self.checks; x86_64-linux // aarch64-linux; + checks = builtins.removeAttrs allChecks [ "push-to-cache" ]; + in + pkgs.writeShellScriptBin "push-to-cache.sh" '' + attic push $1 --stdin --jobs 64 << EOF + ${lib.concatStringsSep "\n" ( + builtins.map (builtins.unsafeDiscardStringContext) (builtins.attrValues checks) + )} + EOF + ''; }; flake.checks = @@ -49,7 +61,7 @@ build = _: nc: nc.config.system.build.toplevel; in { - x86_64-linux = lib.mapAttrs build { inherit (self.nixosConfigurations) picard pike kirk; }; + x86_64-linux = (lib.mapAttrs build { inherit (self.nixosConfigurations) picard pike kirk; }); aarch64-linux = lib.mapAttrs build { inherit (self.nixosConfigurations) sisko; # pbp; }; diff --git a/flake.lock b/flake.lock index c3bbb09..3a7c64e 100644 --- a/flake.lock +++ b/flake.lock @@ -83,11 +83,11 @@ ] }, "locked": { - "lastModified": 1748225455, - "narHash": "sha256-AzlJCKaM4wbEyEpV3I/PUq5mHnib2ryEy32c+qfj6xk=", + "lastModified": 1748832438, + "narHash": "sha256-/CtyLVfNaFP7PrOPrTEuGOJBIhcBKVQ91KiEbtXJi0A=", "owner": "nix-community", "repo": "disko", - "rev": "a894f2811e1ee8d10c50560551e50d6ab3c392ba", + "rev": "58d6e5a83fff9982d57e0a0a994d4e5c0af441e4", "type": "github" }, "original": { 
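Review bot: The shell body in the new `packages.push-to-cache` hunk expands `$1` unquoted and never checks that a cache name was supplied, and `writeShellScriptBin` adds no `set -u`/`set -e` for you, so a missing or space-containing argument produces a confusing `attic` error rather than a clear one. Quoting and requiring the argument keeps the failure explicit: `attic push "${1:?usage: push-to-cache.sh <cache>}" --stdin --jobs 64 << EOF`. Because `builtins.unsafeDiscardStringContext` deliberately drops the dependency on the check outputs, the script does not guarantee those paths exist locally when it runs; presumably that is the point (keep the script cheap to build), so a one-line comment above the `let`, e.g. `# string context is discarded on purpose: run nix flake check first, then push`, would stop the next reader from "fixing" it.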
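Review bot: The parentheses added around `lib.mapAttrs build { ... }` on the `x86_64-linux` line are redundant in an attribute binding and make it differ from the `aarch64-linux` line directly below for no visible reason. I would keep the line as it was: `x86_64-linux = lib.mapAttrs build { inherit (self.nixosConfigurations) picard pike kirk; };`.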
@@ -103,11 +103,11 @@
 "pyproject-nix": "pyproject-nix"
 },
 "locked": {
- "lastModified": 1747658429,
- "narHash": "sha256-qZWuEdxmPx818qR61t3mMozJOvZSmTRUDPU4L3JeGgE=",
+ "lastModified": 1748838242,
+ "narHash": "sha256-wORL3vLIJdBF8hz73yuD7DVsrbOvFgtH96hQIetXhfg=",
 "owner": "nix-community",
 "repo": "dream2nix",
- "rev": "6fd6d9188f32efd1e1656b3c3e63a67f9df7b636",
+ "rev": "e92dacdc57acaa6b2ae79592c1a62c2340931410",
 "type": "github"
 },
 "original": {
@@ -122,11 +122,11 @@
 "nixpkgs-stable": "nixpkgs-stable"
 },
 "locked": {
- "lastModified": 1748248657,
- "narHash": "sha256-zqhc7qyoRmgZpkvjocYEui9xYlzL90nqPf40zADGruM=",
+ "lastModified": 1748941793,
+ "narHash": "sha256-HncwK05hos0Z5SSjVF5CtZjwMTn56xjWq08fRIdKBms=",
 "owner": "nix-community",
 "repo": "emacs-overlay",
- "rev": "e048433838750a5fd9036e56dd8f59affa6d676b",
+ "rev": "78278b770d2c83657657da569544cf20eccee0ef",
 "type": "github"
 },
 "original": {
@@ -245,11 +245,11 @@
 "nixpkgs-lib": "nixpkgs-lib"
 },
 "locked": {
- "lastModified": 1743550720,
- "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
+ "lastModified": 1748821116,
+ "narHash": "sha256-F82+gS044J1APL0n4hH50GYdPRv/5JWm34oCJYmVKdE=",
 "owner": "hercules-ci",
 "repo": "flake-parts",
- "rev": "c621e8422220273271f52058f618c94e405bb0f5",
+ "rev": "49f0870db23e8c1ca0b5259734a02cd9e1e371a1",
 "type": "github"
 },
 "original": {
@@ -387,11 +387,11 @@
 ]
 },
 "locked": {
- "lastModified": 1748227609,
- "narHash": "sha256-SaSdslyo6UGDpPUlmrPA4dWOEuxCy2ihRN9K6BnqYsA=",
+ "lastModified": 1748925027,
+ "narHash": "sha256-BJ0qRIdvt5aeqm3zg/5if7b5rruG05zrSX3UpLqjDRk=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "d23d20f55d49d8818ac1f1b2783671e8a6725022",
+ "rev": "cb809ec1ff15cf3237c6592af9bbc7e4d983e98c",
 "type": "github"
 },
 "original": {
@@ -464,11 +464,11 @@
 "lix": {
 "flake": false,
 "locked": {
- "lastModified": 1748182888,
- "narHash": "sha256-tm3yi3KL+KjMnLZFXKR1ioI/Rk8DIa2n1NNE6I99BpU=",
+ "lastModified": 1748893954,
+ "narHash": "sha256-Vj1GHarIzlJI3We5KnYcAQlSjn++fx7/lKRaiIVz3tg=",
 "ref": "refs/heads/main",
- "rev": "dbff52bfbc48ead789888bf24422d0ef6f7ba9a8",
- "revCount": 17946,
+ "rev": "019b17f4e93c098f99a9bc691be1f1c4df026c7d",
+ "revCount": 17982,
 "type": "git",
 "url": "https://git@git.lix.systems/lix-project/lix"
 },
@@ -569,11 +569,11 @@
 },
 "nixosHardware": {
 "locked": {
- "lastModified": 1747900541,
- "narHash": "sha256-dn64Pg9xLETjblwZs9Euu/SsjW80pd6lr5qSiyLY1pg=",
+ "lastModified": 1748942041,
+ "narHash": "sha256-HEu2gTct7nY0tAPRgBtqYepallryBKR1U8B4v2zEEqA=",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "11f2d9ea49c3e964315215d6baa73a8d42672f06",
+ "rev": "fc7c4714125cfaa19b048e8aaf86b9c53e04d853",
 "type": "github"
 },
 "original": {
@@ -632,11 +632,11 @@
 },
 "nixpkgs-lib": {
 "locked": {
- "lastModified": 1743296961,
- "narHash": "sha256-b1EdN3cULCqtorQ4QeWgLMrd5ZGOjLSLemfa00heasc=",
+ "lastModified": 1748740939,
+ "narHash": "sha256-rQaysilft1aVMwF14xIdGS3sj1yHlI6oKQNBRTF40cc=",
 "owner": "nix-community",
 "repo": "nixpkgs.lib",
- "rev": "e4822aea2a6d1cdd36653c134cacfd64c97ff4fa",
+ "rev": "656a64127e9d791a334452c6b6606d17539476e2",
 "type": "github"
 },
 "original": {
@@ -647,11 +647,11 @@
 },
 "nixpkgs-stable": {
 "locked": {
- "lastModified": 1748037224,
- "narHash": "sha256-92vihpZr6dwEMV6g98M5kHZIttrWahb9iRPBm1atcPk=",
+ "lastModified": 1748810746,
+ "narHash": "sha256-1na8blYvU1F6HLwx/aFjrhUqpqZ0SCsnqqW9n2vXvok=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "f09dede81861f3a83f7f06641ead34f02f37597f",
+ "rev": "78d9f40fd6941a1543ffc3ed358e19c69961d3c1",
 "type": "github"
 },
 "original": {
@@ -711,11 +711,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1748026106, - "narHash": "sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o=", + "lastModified": 1748693115, + "narHash": "sha256-StSrWhklmDuXT93yc3GrTlb0cKSS0agTAxMGjLKAsY8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "063f43f2dbdef86376cc29ad646c45c46e93234c", + "rev": "910796cabe436259a29a72e8d3f5e180fc6dfacc", "type": "github" }, "original": { @@ -742,11 +742,11 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1748026106, - "narHash": "sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o=", + "lastModified": 1748693115, + "narHash": "sha256-StSrWhklmDuXT93yc3GrTlb0cKSS0agTAxMGjLKAsY8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "063f43f2dbdef86376cc29ad646c45c46e93234c", + "rev": "910796cabe436259a29a72e8d3f5e180fc6dfacc", "type": "github" }, "original": { diff --git a/hmModules/emacs/default.nix b/hmModules/emacs/default.nix index ccaccea..ffd5c5a 100644 --- a/hmModules/emacs/default.nix +++ b/hmModules/emacs/default.nix @@ -49,6 +49,7 @@ in copilot-language-server.fhs math-preview emacs-lsp-booster + texlive.combined.scheme-full ] ++ (with hunspellDicts; [ en_US-large diff --git a/hosts/default.nix b/hosts/default.nix index efdd865..170cd88 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -89,6 +89,7 @@ "forgejo-runners-token".owner = "nixuser"; "forgejo-nix-access-tokens".owner = "nixuser"; "nix-netrc" = { }; + "wireguard-mlabs-private-key" = { }; }; }; diff --git a/hosts/picard/default.nix b/hosts/picard/default.nix index 02271ff..bf4c0c7 100644 --- a/hosts/picard/default.nix +++ b/hosts/picard/default.nix @@ -41,6 +41,7 @@ "prometheus-exporters" "zerotier" "alloy" + "wireguard-mlabs" ] ++ [ ./disko.nix ]; diff --git a/hosts/pike/default.nix b/hosts/pike/default.nix index c1c2579..bd39cf3 100644 --- a/hosts/pike/default.nix +++ b/hosts/pike/default.nix @@ -89,6 +89,7 @@ "pantalaimon" "gimp" "jellyfin" + "unison" ]; extraGroups = [ "plugdev" ]; backupPaths = [ ]; 
diff --git a/modules/home-assistant/default.nix b/modules/home-assistant/default.nix index 086e8e7..3801ed8 100644 --- a/modules/home-assistant/default.nix +++ b/modules/home-assistant/default.nix @@ -163,6 +163,19 @@ in config.services.home-assistant.configDir ]; + services.nginx.virtualHosts."home.aciceri.dev" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:${builtins.toString config.services.home-assistant.config.http.server_port}"; + proxyWebsockets = true; + }; + extraConfig = '' + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + ''; + }; + # virtualisation.oci-containers = { # backend = "podman"; # containers.homeassistant = { diff --git a/modules/immich/default.nix b/modules/immich/default.nix index bf93484..505d325 100644 --- a/modules/immich/default.nix +++ b/modules/immich/default.nix @@ -22,4 +22,16 @@ fsType = "ext4"; options = [ "bind" ]; }; + + services.nginx.virtualHosts."photos.aciceri.dev" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:${builtins.toString config.services.immich.port}"; + proxyWebsockets = true; + }; + extraConfig = '' + client_max_body_size 50000M; + ''; + }; } diff --git a/modules/nix/default.nix b/modules/nix/default.nix index ef46e63..e8dedc8 100644 --- a/modules/nix/default.nix +++ b/modules/nix/default.nix 
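Review bot: In the new `home.aciceri.dev` virtual host, the `extraConfig` block repeats the `Upgrade`/`Connection` headers that `proxyWebsockets = true` already emits for the `/` location, so it can be dropped (the removed sisko-proxy copy had the same duplication). Both this vhost and the `photos.aciceri.dev` one added to modules/immich in the same commit only take effect if nginx is enabled through `../nginx-base`; the hunks do not show whether either module imports it, and `services.nginx.virtualHosts` entries on a host where nginx is not enabled are silently ignored, so please confirm the import now that sisko-proxy no longer carries these hosts. A short comment such as `# nginx itself comes from ../nginx-base, imported by this module` next to the vhost would make the dependency visible.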
@@ -25,23 +25,23 @@ "https://cache.iog.io" "https://cache.lix.systems" "https://nix-community.cachix.org" - # "https://mlabs.cachix.org" + "https://mlabs.cachix.org" "http://sisko.wg.aciceri.dev:8081/nixfleet" ]; trusted-public-keys = [ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" - # "mlabs.cachix.org-1:gStKdEqNKcrlSQw5iMW6wFCj3+b+1ASpBVY2SYuNV2M=" + "mlabs.cachix.org-1:gStKdEqNKcrlSQw5iMW6wFCj3+b+1ASpBVY2SYuNV2M=" "nixfleet:Bud23440n6mMTmgq/7U+mk91zlLjnx2X3lQQrCBCCU4=" ]; - deprecated-features = [ "url-literals" ]; + deprecated-features = [ "url-literals" ]; # despite a warning saying that this option doesn't exist it seems to work }; nixPath = [ "nixpkgs=${fleetFlake.inputs.nixpkgs}" ]; extraOptions = '' - experimental-features = nix-command flakes impure-derivations + experimental-features = nix-command flakes builders-use-substitutes = true ''; diff --git a/modules/paperless/default.nix b/modules/paperless/default.nix index eea062d..f0ad8f3 100644 --- a/modules/paperless/default.nix +++ b/modules/paperless/default.nix @@ -16,6 +16,7 @@ pdfa_image_compression = "lossless"; invalidate_digital_signatures = true; }; + PAPERLESS_URL = "https://paper.sisko.wg.aciceri.dev"; }; }; @@ -33,6 +34,12 @@ }; extraConfig = '' client_max_body_size 50000M; + proxy_redirect off; + proxy_set_header Host $host:$server_port; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $server_name; + proxy_set_header X-Forwarded-Proto $scheme; ''; serverAliases = [ "paper.sisko.zt.aciceri.dev" ]; }; diff --git a/modules/sisko-proxy/default.nix b/modules/sisko-proxy/default.nix index 19b32b5..2a79fec 100644 --- a/modules/sisko-proxy/default.nix +++ b/modules/sisko-proxy/default.nix 
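Review bot: Re-enabling `https://mlabs.cachix.org` together with its `trusted-public-keys` entry makes every host that imports this module accept any store path signed by that key, since `nix.settings` here applies fleet-wide rather than per host; from the other hunks only picard gains MLabs-related configuration, so consider whether this substituter belongs in a host-specific module or is really wanted everywhere. The trailing comment on `deprecated-features` records that Nix warns the option does not exist, which normally means the setting is ignored rather than applied; if it is needed, check the daemon's effective configuration on one host and replace "it seems to work" with what was observed, e.g. `# verified on <host>: setting is honoured by lix <version>`.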
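Review bot: `PAPERLESS_URL` (set in this file's earlier hunk at @@ -16) names only `https://paper.sisko.wg.aciceri.dev`, while this hunk's vhost still serves `paper.sisko.zt.aciceri.dev` via `serverAliases`; paperless derives its CSRF trusted origins from `PAPERLESS_URL`, so form submissions through the zt alias may be rejected unless `PAPERLESS_CSRF_TRUSTED_ORIGINS` lists it as well. The new `proxy_set_header Host $host:$server_port;` sends `Host: …:443` to the backend for TLS clients; whether paperless expects the port there is not visible from the hunk, so a login and upload test over both names is worth doing before merging. A one-line comment above the header block explaining why `$server_port` is appended would save the next reader the same question.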
@@ -1,105 +1,5 @@ -{ config, ... }: { imports = [ ../nginx-base ]; - services.nginx.virtualHosts = { - localhost.listen = [ { addr = "127.0.0.1"; } ]; - "home.aciceri.dev" = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://localhost:${builtins.toString config.services.home-assistant.config.http.server_port}"; - proxyWebsockets = true; - }; - extraConfig = '' - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - ''; - }; - "home.sisko.aciceri.dev" = { - forceSSL = true; - useACMEHost = "aciceri.dev"; - locations."/" = { - proxyPass = "http://localhost:${builtins.toString config.services.home-assistant.config.http.server_port}"; - proxyWebsockets = true; - }; - extraConfig = '' - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - ''; - }; - "photos.aciceri.dev" = { - extraConfig = '' - client_max_body_size 50000M; - ''; - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://localhost:${builtins.toString config.services.immich.port}"; - proxyWebsockets = true; - }; - }; - # "${config.services.nextcloud.hostName}" = { - # forceSSL = true; - # enableACME = true; - # }; - # "sevenofnix.aciceri.dev" = { - # forceSSL = true; - # enableACME = true; - # locations."/" = { - # proxyPass = "http://10.1.1.2:${builtins.toString config.services.buildbot-master.port}"; - # proxyWebsockets = true; - # }; - # }; - }; - - # services.oauth2_proxy = { - # enable = true; - # provider = "oidc"; - # reverseProxy = true; - # # replaces following options with .keyFile - - # clientID = "shouldThisBePrivate?"; - # clientSecret = "thisShouldBePrivate"; - # cookie.secret = "thisShouldBePrivate00000"; - - # email.domains = [ "*" ]; - # extraConfig = { - # # custom-sign-in-logo = "${../../lib/mlabs-logo.svg}"; - # # scope = "user:email"; - # # banner = "MLabs Status"; - # # whitelist-domain = ".status.staging.mlabs.city"; - # oidc-issuer-url = 
"http://127.0.0.1:5556/dex"; - # }; - # # redirectURL = "https://status.staging.mlabs.city/oauth2/callback"; - # # keyFile = config.age.secrets.status-oauth2-secrets.path; - # # cookie.domain = ".status.staging.mlabs.city"; - # nginx = { - # virtualHosts = [ - # "search.aciceri.dev" - # ]; - # }; - # }; - - # services.dex = { - # enable = true; - # settings = { - # issuer = "http://127.0.0.1:5556/dex"; - # storage = { - # type = "postgres"; - # config.host = "/var/run/postgresql"; - # }; - # web = { - # http = "127.0.0.1:5556"; - # }; - # enablePasswordDB = true; - # staticClients = [ - # { - # # id = "oidcclient"; - # # name = "client"; - # # redirecturis = [ "https://login.aciceri.dev/callback" ]; - # # secretfile = "/etc/dex/oidcclient"; # the content of `secretfile` will be written into to the config as `secret`. - # } - # ]; - # }; - # }; + # TODO this file can be probably deleted now + # each module defining a virtualHost should import nginx-base } diff --git a/modules/wireguard-client/default.nix b/modules/wireguard-client/default.nix index 352aa40..28bc943 100644 --- a/modules/wireguard-client/default.nix +++ b/modules/wireguard-client/default.nix @@ -13,6 +13,7 @@ { publicKey = vpn.sisko.publicKey; allowedIPs = [ "10.100.0.0/24" ]; + # allowedIPs = [ "0.0.0.0/24" ]; # Uncomment for full tunnel endpoint = "vpn.aciceri.dev:51820"; persistentKeepalive = 25; } diff --git a/modules/wireguard-mlabs/default.nix b/modules/wireguard-mlabs/default.nix new file mode 100644 index 0000000..2d583f7 --- /dev/null +++ b/modules/wireguard-mlabs/default.nix @@ -0,0 +1,15 @@ +{ config, ... }: +{ + networking.wireguard.interfaces.wg1 = { + ips = [ "10.10.1.1/32" ]; + peers = [ + { + publicKey = "A4u2Rt5WEMHOAc6YpDABkqAy2dzzFLH9Gn8xWcKaPQQ="; + allowedIPs = [ "10.10.0.0/16" ]; + endpoint = "vpn.staging.mlabs.city:51820"; + persistentKeepalive = 25; + } + ]; + privateKeyFile = config.age.secrets.wireguard-mlabs-private-key.path; + }; +} 
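Review bot: Besides moving `home.aciceri.dev` and `photos.aciceri.dev` into their service modules, the deletion also drops the `localhost` listener on 127.0.0.1 and the `home.sisko.aciceri.dev` vhost that used `useACMEHost = "aciceri.dev"`, and neither is re-created anywhere in this commit. If dropping them is intended, say so in the new TODO comment, e.g. `# home.sisko.aciceri.dev and the 127.0.0.1 listener were removed on purpose`; otherwise they need a new home before this file goes. The removed commented-out oauth2_proxy block still carried placeholder secret values, so deleting it rather than keeping it around is the right call.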
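Review bot: The new comment recommends `0.0.0.0/24` for a full tunnel, but that prefix covers only 256 addresses; routing all IPv4 traffic through the peer needs `0.0.0.0/0` (and `::/0` if IPv6 should go through the tunnel too). Suggested line: `# allowedIPs = [ "0.0.0.0/0" ]; # Uncomment for full tunnel (IPv4; add "::/0" for IPv6)`. A full tunnel also depends on the server-side NAT this commit adds in modules/wireguard-server, so a cross-reference in the comment would help whoever enables it.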
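Review bot: The peer's `publicKey` and `endpoint` are hard-coded literals in this new module, while modules/wireguard-client takes the same kind of data from the shared `vpn` attrset; keeping third-party peer identity in one place, or at least a comment naming whose key this is and how it was verified, makes a later key rotation or endpoint change auditable. `wg1` is a fixed interface name too, and if the importing host already defines another `networking.wireguard.interfaces` entry the names must not collide, which this hunk cannot show. A header comment such as `# Client side of the MLabs staging VPN; private key via agenix, peer key verified out of band on <date>` would cover both points.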
diff --git a/modules/wireguard-server/default.nix b/modules/wireguard-server/default.nix index a02ccad..efb9b41 100644 --- a/modules/wireguard-server/default.nix +++ b/modules/wireguard-server/default.nix @@ -2,6 +2,7 @@ config, lib, vpn, + pkgs, ... }: { @@ -17,5 +18,13 @@ publicKey = vpnConfig.publicKey; allowedIPs = [ "${vpnConfig.ip}/32" ]; }) vpn; + + postSetup = '' + ${lib.getExe' pkgs.iptables "iptables"} -t nat -A POSTROUTING -s 10.100.0.0/24 -o enP4p65s0 -j MASQUERADE + ''; + + postShutdown = '' + ${lib.getExe' pkgs.iptables "iptables"} -t nat -D POSTROUTING -s 10.100.0.0/24 -o enP4p65s0 -j MASQUERADE + ''; }; } diff --git a/secrets/nix-netrc.age b/secrets/nix-netrc.age index 7b0438f..f2dd53c 100644 Binary files a/secrets/nix-netrc.age and b/secrets/nix-netrc.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index fd1bca9..8646ff3 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -164,6 +164,12 @@ with keys.users; picard kirk ]; + "wireguard-mlabs-private-key.age".publicKeys = [ + ccr-ssh + picard + pike + kirk + ]; # WireGuard "picard-wireguard-private-key.age".publicKeys = [ diff --git a/secrets/wireguard-mlabs-private-key.age b/secrets/wireguard-mlabs-private-key.age new file mode 100644 index 0000000..363e217 --- /dev/null +++ b/secrets/wireguard-mlabs-private-key.age @@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 Zh7Kmw 1pcva3l9KyvXlzWJVeul63s1xnL2yEMzuB1R73IdKlA +TDDa9yQYXrqFS+MCEeqCcQ/27zu3WytSmU5MBNyQTIk +-> ssh-ed25519 /WmILg z9/JeIxSpzndNP+1fwfdRfKYTaNp7wVITCkF7wwayEs +8PlFDHZbA0Z/3svhPWGE/sHfsMNmuXrdP6Qf0FhLMmc +-> ssh-ed25519 OYRzvQ Tk0mN20c8199ZvTY6jXY6ExSXGR3kb4qtnj8HkPj1xY +5SGMhFzIE98NgNw7bnnivVTvuKtBtJdf/2jAjJUSKl8 +-> ssh-ed25519 /yLdGQ 8J4LLlxtMFW8fALPGUk/NaHIJ59bo9tKe5TGiGAvYhk +sgE0SQi169mEtltDWIb4ZZaXKUXORyiKhmOZsNOiqKU +--- sWbCYolqfqwIsja6nNdyPBcOeM/Qq5GninMokUvK4xE +ʼngz{4 X? +A e"v\Ho,m}bq$h:fGkF=#0q \ No newline at end of file
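Review bot: The `postSetup` MASQUERADE rule only does anything if `net.ipv4.ip_forward` is enabled and the kernel is allowed to forward between the WireGuard interface and `enP4p65s0`; neither appears in this hunk, so presumably it is configured elsewhere — if not, the `networking.nat` options (`networking.nat.enable`, `internalIPs = [ "10.100.0.0/24" ]`, `externalInterface = "enP4p65s0"`) set up forwarding, the NAT rule and its teardown in one place and would replace both hooks. With forwarding on, every VPN client can reach whatever the server can reach upstream, not just the server itself, so either a FORWARD-chain restriction or a comment stating that this exposure is intended belongs next to the rule. The enclosing `networking.wireguard.interfaces` attrset starts before this hunk.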
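Review bot: `wireguard-mlabs-private-key.age` is encrypted to `picard`, `pike` and `kirk`, but from the hunks in this commit only hosts/picard imports the `wireguard-mlabs` module, so pike and kirk receive a VPN credential they never use. Limiting the recipient list to the admin key and the host that actually runs the tunnel follows least privilege and keeps a compromise of pike or kirk from exposing the MLabs peer key; re-encrypt with `ccr-ssh` and `picard` only unless those hosts are meant to join the tunnel too.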