Use aciceri.dev domains for VPNs too

hmModules/niri/default.nix

@@ -14,8 +14,8 @@ let
           cols = "150";
         };
         floating-btop = {
-          rows = "60";
-          cols = "210";
+          rows = "210";
+          cols = "60";
         };
       };
       kirk = {
@@ -38,7 +38,7 @@ let
   run-floating-btop =
     with niriVars.floating-btop;
     pkgs.writeScriptBin "run-floating-btop" ''
-      foot --title='bTop' -W ${cols}x${rows} btop
+      foot --title='bTop' -W ${rows}x${cols} btop
     '';
 in
 {

hosts/default.nix

@@ -116,7 +116,6 @@
             owner = "grafana";
             group = "forgejo";
           };
-          "firefly-app-key".owner = "firefly-iii";
           "matrix-registration-shared-secret".owner = "matrix-synapse";
         };
       };

hosts/kirk/default.nix

@@ -35,6 +35,7 @@
       "prometheus-exporters"
       "promtail"
       "syncthing"
+      "zerotier"
     ]
     ++ [ ./disko.nix ];
 

hosts/picard/default.nix

@@ -41,6 +41,7 @@
       "adb"
       "prometheus-exporters"
       "promtail"
+      "zerotier"
     ]
     ++ [ ./disko.nix ];
 

hosts/sisko/default.nix

@@ -11,13 +11,10 @@
       "wireguard-server"
       "mediatomb"
       "transmission"
-      # "hercules-ci"
       "home-assistant"
       "adguard-home"
       "cloudflare-dyndns"
       "sisko-proxy"
-      "invidious"
-      "searx"
       "sisko-share"
       "forgejo"
       "prometheus"
@@ -32,9 +29,9 @@
       "syncthing"
       "atticd"
       "jellyfin"
-      "firefly"
       "matrix"
       "radarr"
+      "zerotier"
     ]
     ++ [
       ./disko.nix

modules/adguard-home/default.nix

@@ -1,3 +1,4 @@
+{ config, ... }:
 {
   services.adguardhome = {
     enable = true;
@@ -15,4 +16,13 @@
   environment.persistence."/persist".directories = [
     "/var/lib/AdGuardHome"
   ];
+
+  services.nginx.virtualHosts."adguard.sisko.wg.aciceri.dev" = {
+    forceSSL = true;
+    useACMEHost = "aciceri.dev";
+    locations."/" = {
+      proxyPass = "http://localhost:${builtins.toString config.services.adguardhome.port}";
+    };
+    serverAliases = [ "adguard.sisko.zt.aciceri.dev" ];
+  };
 }

modules/cloudflare-dyndns/default.nix

@@ -8,15 +8,8 @@
       "aciceri.dev"
       "git.aciceri.dev"
       "home.aciceri.dev"
-      "torrent.aciceri.dev"
-      "search.aciceri.dev"
-      "invidious.aciceri.dev"
-      "vpn.aciceri.dev"
       "photos.aciceri.dev"
-      "status.aciceri.dev"
       "jelly.aciceri.dev"
-      "firefly.aciceri.dev"
-      "import.firefly.aciceri.dev"
       "matrix.aciceri.dev"
     ];
     apiTokenFile = config.age.secrets.cloudflare-dyndns-api-token.path;

modules/grafana/default.nix

@@ -7,7 +7,7 @@ in
     enable = true;
     settings = {
       server = {
-        domain = "status.aciceri.dev";
+        domain = "status.sisko.aciceri.dev";
         http_addr = "127.0.0.1";
         http_port = 2342;
         root_url = "https://${config.services.grafana.settings.server.domain}:443/";
@@ -30,10 +30,11 @@ in
   ];
 
   services.nginx.virtualHosts = {
-    "status.aciceri.dev" = {
-      enableACME = true;
+    "status.sisko.wg.aciceri.dev" = {
+      useACMEHost = "aciceri.dev";
       forceSSL = true;
       locations."/".proxyPass = "http://127.0.0.1:${builtins.toString cfg.settings.server.http_port}";
+      serverAliases = [ "status.sisko.zt.aciceri.dev" ];
     };
   };
 }

modules/jellyfin/default.nix

@@ -15,7 +15,7 @@
     "jelly.aciceri.dev" = {
       enableACME = true;
       forceSSL = true;
-      locations."/".proxyPass = "http://127.0.0.1:8096";
+      locations."/".proxyPass = "http://127.0.0.1:8096"; # FIXME hardcoded port
     };
   };
 }

modules/matrix/default.nix

@@ -7,7 +7,6 @@
 let
   clientConfig = {
     "m.homeserver".base_url = "https://matrix.aciceri.dev";
-    # "org.matrix.msc3575.proxy".url = "https://syncv3.matrix.aciceri.dev";
   };
   serverConfig."m.server" = "matrix.aciceri.dev:443";
   mkWellKnown = data: ''
@@ -21,7 +20,7 @@ in
 
   services.nginx.virtualHosts = {
     "aciceri.dev" = {
-      enableACME = true;
+      useACMEHost = "aciceri.dev";
       forceSSL = true;
       locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
       locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
@@ -36,17 +35,6 @@ in
     };
   };
 
-  services.postgresql = {
-    enable = true;
-    # initialScript = pkgs.writeText "synapse-init.sql" ''
-    #   CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
-    #   CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
-    # TEMPLATE template0
-    # LC_COLLATE = "C"
-    # LC_CTYPE = "C";
-    # '';
-  };
-
   systemd.tmpfiles.rules = [
     "d ${config.services.matrix-synapse.dataDir} 770 matrix-synapse matrix-synapse"
   ];
@@ -79,28 +67,4 @@ in
     };
     extraConfigFiles = [ config.age.secrets.matrix-registration-shared-secret.path ];
   };
-
-  # backup.paths = [
-  #   config.services.matrix-synapse.dataDir
-  #   "/var/backup/postgresql/matrix-synapse.sql.gz"
-  # ];
-
-  # services.postgresqlBackup = {
-  #   enable = true;
-  # databases = [ "matrix-synapse" ];
-  # };
-
-  # services.matrix-sliding-sync = {
-  #   enable = true;
-  #   environmentFile = config.age.secrets.matrix-sliding-sync-secret.path;
-  #   settings = {
-  #     SYNCV3_SERVER = "http://localhost:8008";
-  #   };
-  # };
-
-  # services.nginx.virtualHosts."syncv3.matrix.aciceri.dev" = {
-  #   enableACME = true;
-  #   forceSSL = true;
-  #   locations."/".proxyPass = config.services.matrix-sliding-sync.settings.SYNCV3_SERVER;
-  # };
 }

modules/nginx-base/default.nix

@@ -1,7 +1,23 @@
+{ config, ... }:
 {
   security.acme = {
     acceptTerms = true;
     defaults.email = "andrea.ciceri@autistici.org";
+    certs = {
+      "aciceri.dev" = {
+        reloadServices = [ "nginx.service" ];
+        domain = "aciceri.dev";
+        extraDomainNames = [
+          "*.sisko.zt.aciceri.dev"
+          "*.sisko.wg.aciceri.dev"
+        ];
+        dnsProvider = "cloudflare";
+        # dnsResolver = "1.1.1.1:53";
+        dnsPropagationCheck = true;
+        group = config.services.nginx.group;
+        environmentFile = config.age.secrets.cloudflare-dyndns-api-token.path;
+      };
+    };
   };
 
   networking.firewall.allowedTCPPorts = [
@@ -11,6 +27,7 @@
 
   services.nginx = {
     enable = true;
+    statusPage = true;
     recommendedGzipSettings = true;
     recommendedOptimisation = true;
     recommendedProxySettings = true;

modules/paperless/default.nix

@@ -25,14 +25,15 @@
 
   imports = [ ../nginx-base ];
 
-  services.nginx.virtualHosts."paper.aciceri.dev" = {
+  services.nginx.virtualHosts."paper.sisko.wg.aciceri.dev" = {
     forceSSL = true;
-    enableACME = true;
+    useACMEHost = "aciceri.dev";
     locations."/" = {
       proxyPass = "http://localhost:${builtins.toString config.services.paperless.port}";
     };
     extraConfig = ''
       client_max_body_size 50000M;
     '';
+    serverAliases = [ "paper.sisko.zt.aciceri.dev" ];
   };
 }

modules/radarr/default.nix

@@ -2,4 +2,13 @@
   services.radarr = {
     enable = true;
   };
+
+  services.nginx.virtualHosts."radarr.sisko.wg.aciceri.dev" = {
+    forceSSL = true;
+    useACMEHost = "aciceri.dev";
+    locations."/" = {
+      proxyPass = "http://localhost:7878"; # FIXME hardcoded port
+    };
+    serverAliases = [ "radarr.sisko.zt.aciceri.dev" ];
+  };
 }

modules/sisko-proxy/default.nix

@@ -15,26 +15,17 @@
         proxy_set_header    Connection  $connection_upgrade;
       '';
     };
-    "torrent.aciceri.dev" = {
+    "home.sisko.aciceri.dev" = {
       forceSSL = true;
-      enableACME = true;
+      useACMEHost = "aciceri.dev";
       locations."/" = {
-        proxyPass = "http://localhost:${builtins.toString config.services.transmission.settings.rpc-port}";
-      };
-    };
-    "search.aciceri.dev" = {
-      forceSSL = true;
-      enableACME = true;
-      locations."/" = {
-        proxyPass = "http://localhost:8888";
-      };
-    };
-    "invidious.aciceri.dev" = {
-      forceSSL = true;
-      enableACME = true;
-      locations."/" = {
-        proxyPass = "http://localhost:${builtins.toString config.services.invidious.port}";
+        proxyPass = "http://localhost:${builtins.toString config.services.home-assistant.config.http.server_port}";
+        proxyWebsockets = true;
       };
+      extraConfig = ''
+        proxy_set_header    Upgrade     $http_upgrade;
+        proxy_set_header    Connection  $connection_upgrade;
+      '';
     };
     "photos.aciceri.dev" = {
       extraConfig = ''

modules/transmission/default.nix

@@ -48,4 +48,13 @@
   environment.persistence."/persist".directories = [
     config.services.transmission.home
   ];
+
+  services.nginx.virtualHosts."torrent.sisko.wg.aciceri.dev" = {
+    forceSSL = true;
+    useACMEHost = "aciceri.dev";
+    locations."/" = {
+      proxyPass = "http://localhost:${builtins.toString config.services.transmission.settings.rpc-port}";
+    };
+    serverAliases = [ "torrent.sisko.zt.aciceri.dev" ];
+  };
 }

modules/zerotier/default.nix

@@ -0,0 +1,6 @@
+{
+  services.zerotierone = {
+    enable = true;
+    joinNetworks = [ "632ea29085af0cb4" ];
+  };
+}

secrets/cloudflare-dyndns-api-token.age

@@ -1,30 +1,17 @@
 age-encryption.org/v1
 -> ssh-rsa /AagBw
-K5GB/dRGaRFYq0dxuUFPubpdceMq6jOGSWuFuKgtRbtvC+P7qd8g56AZYTyo97jZ
-oAsl8bF3wifrPN73SzCoGba1lCmpDZLCPllNd5RZL1bcAGBj9eDAA1zihYnnO7s+
-r8L8JSJ/P76AZ3JRhylU0KjgkX1TnVSIsJ/wCQGbdw+KrTuam/3zjzLXEptn2U26
-oQ4AuzWVGWtyrAKyJfRDWQQUGDwgXMB1h+7XZMm3G1eu6Wm7vuFEQLjaocFE9tO0
-8lnU3IEzXtn1NrutmiIJSoDyGk/PeRdvu2fZWY9oKRxkCA2q0fOca9ArcAP7Wr8a
-+/2usaZ/wsc2fzqDQU2XoFutIU0qwvX6DtDmfb8RhMNrkj2HiR2MluYo+NqQqMOJ
-7kMS22yE1Z6akvpeHo1GZ15HczQatIXXSr4DFGlF7CG0ASNbjR+2Qzws+EmZ2WGX
-Ad8D9aq5DYOr9xvUdZn66NwyFyyo7FRMoXRFNL01sxJUBpu1wVkKECa8DK0GTIzz
-u+qRWtD9WxJkAodW1NmE2F08HIy//exP0L/L6laAjIrDZTle12Nrk6n9ke1UUBIo
-zU0RdY9HT+DAqScViGdbitv4Z+GYNWWkZfpW8O56S+B/0rmZZ6UQ8VB8GopUecBt
-E14rynpvnd2A6+WlUWcft2Uwl1i7jL3IARO1F3LTsS4
--> ssh-rsa QHr3/A
-Kh/yF7CW7lKTsn6JK4vX2SNyiH66JdB+oVYTFdc2efJYTXVLuj7ITK8EMP3dV267
-+D4UM3jcn8wOTeTjXIo8P01IOspGxslfC4J+Yol8K+1JA2BjB0diwzhQbkOEyxJ6
-R0uymJYXjtl8Cjx2mlyNMybG8QZYypPhdKosBRn/KELxInGsWHm4MV3XQ+w2fr9Q
-xHIKvz/8QabgzodHwFbMjp29B4MJUSIkl+uxyTULQMcoOCJ5Ip5BqA+VZsFRD8zV
-4dePanMQHPXIMnm3POZy3hq/M4FcwWkdJLvz3zyVDuW6mWdiOgA0k1AGpGIFTXeM
-bKclRUlgL9n7C/dEh5pcKLbEeh5HSf+2izn7PAA90zAQl8++2+iYMHEIQL/Ft6LH
-XnAsNR4rwnVdWu8BlyEhIPev1GgSp3wOc9eQ6TA16RO4ND1ItnLVauAmvDN4rUWI
-0wc9Utgwxy4MNhypRLnRXKc555pNpsL1aoA+vcbHfxW1MiW7zviIz2z/RXBR77ut
-x9kekkP+LEgMHWD4XCGidM2sMrKfKDDblb+YGKxRcdFlELQa0jHH1mcvU5YC4oY2
-IhYhWeEvyQOr21cP885Psu8IvSpaZVA0tOEdrEXNTa5+S495IGplp8YuxdjW6dz1
-trDcKVSXNsjqLtpl0CrPY8pSPRIEvUJgBcHUxB3+E/U
--> ssh-ed25519 +vdRnA lCY+mIpl7nNGi4wD5Z2CJPlIpqTECUyOncW+FuKzqxs
-3g0+X5fVGjo+EnETlDlO1VQl83Loi4bEBHshRz1/q0A
---- iUTAy7LeDZTABLGEMw/Bkc/qbujLcdpHdQ/TuodhmaM
-Ó¤ºþµ½;{Ö?‡®Ã`t™Ö8<C396>+—­‡þtÿý0m0Áç¾Ü¼ùì”ÊAÓ£m¨x}ÁŒZ2žóÀ„¾N±Ö2
-xå<
‡IVüæ#­W„ôúŠLÅÚ¿
+qbtCO62bJ2e8tUAZHoGTjyrbvp/nkh4XUeLJDeuZNVsUWuvmAyrdb43V4x8cZprl
+90ac8YG6xCZ8Jjq8KYV/CtS08HSDLR09om673lrQ5huUYu1kWVUatmH2102mQYyi
+tlRNx8MtYWlrEgh2cw1E24DJhzUILvW13yHfLyYH052Xaj+uXFRj/c7AyYSoOgzQ
+IrfFU5yncmC6IMiO5/S9TGFLpq8zL983JzeZuYKdYXW+MiWaD15nxzsQQIgXI6YH
+K8GYXcugB8O1FisjKw8edYr3bRbHYNNSK1U+v7Wu0ge9f/FXLv2eDKQszcKPxUCJ
+XLHi1A6PyHmGlAvYfbj7Dns7KW4DoMmg+Low6VQ6yORbPlN1bbEcjq0qE6f+e6TJ
+QQT7617PkmL1KVw2EryIql5Cq7ConTNQaaj1118mjBpW91b64vOXOmWZfOzNo+M1
+Cbsb98Q0VyK2dXDMwPNXW1dKxDb1TGOrPCg9jIwGASco98MTeHFV3/G2F8n7aKYZ
+8erixoeKQjyZtNxW2Phq5Wmhjif22qmfJ/+wWvB43CSzLf/79Zcf6Y/qrdqwjzED
+fI3NhbAlZVsywBXQnTpuZlN1CE+lR5h0QtJVDy4CWhj/SbucCWL7hmtG3CW8Covq
+sa0CJMCtfX71m+h8F3v9oXxlg7Mh8j9c9dHGIbzAYFQ
+-> ssh-ed25519 +vdRnA 0FOXCOJg0HIZ2yeW3PKHHOQxtJN6d2L1z6qtW74vxXw
+6xthzPbBs09E4iTgki8bxSvp/WhnO6AqrfL8ZEfYrBI
+--- eH5jp9jn2nUTrUHVdGK6WF+cyms4icim/UjLByNsUOw
+2ÉØ>eæ†o\îþj¸ïr…ö<E280A6><C3B6>Y·¶3eŸù¯ê<>@qþ.s‹%>yz[9Å/á”„å²!Bµº.lÁKºç4â\ñ* ôN=OÖt˜W°]êÿ›é¾½Õ‰‰¸ˆš6cRö^|H+¹è¤ç~Ô<>‚ù< ¸ðîÓ¸µ§ƒO*ÁŒT€=uïM~šµ_Jæ‚PÞ[±°ªŠ