diff --git a/checks/default.nix b/checks/default.nix
index f82204c..ae2c491 100644
--- a/checks/default.nix
+++ b/checks/default.nix
@@ -11,7 +11,7 @@
       ];
       perSystem =
-        { config, pkgs, ... }:
+        { config, ... }:
         {
           treefmt.config = {
             projectRootFile = ".git/config";
@@ -42,18 +42,6 @@
               package = config.treefmt.build.wrapper;
             };
           };
-          packages.push-to-cache =
-            let
-              allChecks = with self.checks; x86_64-linux // aarch64-linux;
-              checks = builtins.removeAttrs allChecks [ "push-to-cache" ];
-            in
-            pkgs.writeShellScriptBin "push-to-cache.sh" ''
-              attic push $1 --stdin --jobs 64 << EOF
-              ${lib.concatStringsSep "\n" (
-                builtins.map (builtins.unsafeDiscardStringContext) (builtins.attrValues checks)
-              )}
-              EOF
-            '';
         };
 
       flake.checks =
@@ -61,7 +49,7 @@
           build = _: nc: nc.config.system.build.toplevel;
         in
         {
-          x86_64-linux = (lib.mapAttrs build { inherit (self.nixosConfigurations) picard pike kirk; });
+          x86_64-linux = lib.mapAttrs build { inherit (self.nixosConfigurations) picard pike kirk; };
           aarch64-linux = lib.mapAttrs build {
             inherit (self.nixosConfigurations) sisko; # pbp;
           };
diff --git a/flake.lock b/flake.lock
index 3a7c64e..c3bbb09 100644
--- a/flake.lock
+++ b/flake.lock
@@ -83,11 +83,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1748832438,
-        "narHash": "sha256-/CtyLVfNaFP7PrOPrTEuGOJBIhcBKVQ91KiEbtXJi0A=",
+        "lastModified": 1748225455,
+        "narHash": "sha256-AzlJCKaM4wbEyEpV3I/PUq5mHnib2ryEy32c+qfj6xk=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "58d6e5a83fff9982d57e0a0a994d4e5c0af441e4",
+        "rev": "a894f2811e1ee8d10c50560551e50d6ab3c392ba",
         "type": "github"
       },
       "original": {
@@ -103,11 +103,11 @@
         "pyproject-nix": "pyproject-nix"
       },
       "locked": {
-        "lastModified": 1748838242,
-        "narHash": "sha256-wORL3vLIJdBF8hz73yuD7DVsrbOvFgtH96hQIetXhfg=",
+        "lastModified": 1747658429,
+        "narHash": "sha256-qZWuEdxmPx818qR61t3mMozJOvZSmTRUDPU4L3JeGgE=",
         "owner": "nix-community",
         "repo": "dream2nix",
-        "rev": "e92dacdc57acaa6b2ae79592c1a62c2340931410",
+        "rev": "6fd6d9188f32efd1e1656b3c3e63a67f9df7b636",
         "type": "github"
       },
       "original": {
@@ -122,11 +122,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1748941793,
-        "narHash": "sha256-HncwK05hos0Z5SSjVF5CtZjwMTn56xjWq08fRIdKBms=",
+        "lastModified": 1748248657,
+        "narHash": "sha256-zqhc7qyoRmgZpkvjocYEui9xYlzL90nqPf40zADGruM=",
         "owner": "nix-community",
         "repo": "emacs-overlay",
-        "rev": "78278b770d2c83657657da569544cf20eccee0ef",
+        "rev": "e048433838750a5fd9036e56dd8f59affa6d676b",
         "type": "github"
       },
       "original": {
@@ -245,11 +245,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1748821116,
-        "narHash": "sha256-F82+gS044J1APL0n4hH50GYdPRv/5JWm34oCJYmVKdE=",
+        "lastModified": 1743550720,
+        "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "49f0870db23e8c1ca0b5259734a02cd9e1e371a1",
+        "rev": "c621e8422220273271f52058f618c94e405bb0f5",
         "type": "github"
       },
       "original": {
@@ -387,11 +387,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1748925027,
-        "narHash": "sha256-BJ0qRIdvt5aeqm3zg/5if7b5rruG05zrSX3UpLqjDRk=",
+        "lastModified": 1748227609,
+        "narHash": "sha256-SaSdslyo6UGDpPUlmrPA4dWOEuxCy2ihRN9K6BnqYsA=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "cb809ec1ff15cf3237c6592af9bbc7e4d983e98c",
+        "rev": "d23d20f55d49d8818ac1f1b2783671e8a6725022",
         "type": "github"
       },
       "original": {
@@ -464,11 +464,11 @@
     "lix": {
       "flake": false,
       "locked": {
-        "lastModified": 1748893954,
-        "narHash": "sha256-Vj1GHarIzlJI3We5KnYcAQlSjn++fx7/lKRaiIVz3tg=",
+        "lastModified": 1748182888,
+        "narHash": "sha256-tm3yi3KL+KjMnLZFXKR1ioI/Rk8DIa2n1NNE6I99BpU=",
         "ref": "refs/heads/main",
-        "rev": "019b17f4e93c098f99a9bc691be1f1c4df026c7d",
-        "revCount": 17982,
+        "rev": "dbff52bfbc48ead789888bf24422d0ef6f7ba9a8",
+        "revCount": 17946,
         "type": "git",
         "url": "https://git@git.lix.systems/lix-project/lix"
       },
@@ -569,11 +569,11 @@
     },
     "nixosHardware": {
       "locked": {
-        "lastModified": 1748942041,
-        "narHash": "sha256-HEu2gTct7nY0tAPRgBtqYepallryBKR1U8B4v2zEEqA=",
+        "lastModified": 1747900541,
+        "narHash": "sha256-dn64Pg9xLETjblwZs9Euu/SsjW80pd6lr5qSiyLY1pg=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "fc7c4714125cfaa19b048e8aaf86b9c53e04d853",
+        "rev": "11f2d9ea49c3e964315215d6baa73a8d42672f06",
         "type": "github"
       },
       "original": {
@@ -632,11 +632,11 @@
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1748740939,
-        "narHash": "sha256-rQaysilft1aVMwF14xIdGS3sj1yHlI6oKQNBRTF40cc=",
+        "lastModified": 1743296961,
+        "narHash": "sha256-b1EdN3cULCqtorQ4QeWgLMrd5ZGOjLSLemfa00heasc=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "656a64127e9d791a334452c6b6606d17539476e2",
+        "rev": "e4822aea2a6d1cdd36653c134cacfd64c97ff4fa",
         "type": "github"
       },
       "original": {
@@ -647,11 +647,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1748810746,
-        "narHash": "sha256-1na8blYvU1F6HLwx/aFjrhUqpqZ0SCsnqqW9n2vXvok=",
+        "lastModified": 1748037224,
+        "narHash": "sha256-92vihpZr6dwEMV6g98M5kHZIttrWahb9iRPBm1atcPk=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "78d9f40fd6941a1543ffc3ed358e19c69961d3c1",
+        "rev": "f09dede81861f3a83f7f06641ead34f02f37597f",
         "type": "github"
       },
       "original": {
@@ -711,11 +711,11 @@
     },
     "nixpkgs_4": {
       "locked": {
-        "lastModified": 1748693115,
-        "narHash": "sha256-StSrWhklmDuXT93yc3GrTlb0cKSS0agTAxMGjLKAsY8=",
+        "lastModified": 1748026106,
+        "narHash": "sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "910796cabe436259a29a72e8d3f5e180fc6dfacc",
+        "rev": "063f43f2dbdef86376cc29ad646c45c46e93234c",
         "type": "github"
       },
       "original": {
@@ -742,11 +742,11 @@
     },
     "nixpkgs_6": {
       "locked": {
-        "lastModified": 1748693115,
-        "narHash": "sha256-StSrWhklmDuXT93yc3GrTlb0cKSS0agTAxMGjLKAsY8=",
+        "lastModified": 1748026106,
+        "narHash": "sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "910796cabe436259a29a72e8d3f5e180fc6dfacc",
+        "rev": "063f43f2dbdef86376cc29ad646c45c46e93234c",
         "type": "github"
       },
       "original": {
diff --git a/hmModules/emacs/default.nix b/hmModules/emacs/default.nix
index ffd5c5a..ccaccea 100644
--- a/hmModules/emacs/default.nix
+++ b/hmModules/emacs/default.nix
@@ -49,7 +49,6 @@ in
             copilot-language-server.fhs
             math-preview
             emacs-lsp-booster
-            texlive.combined.scheme-full
           ]
           ++ (with hunspellDicts; [
             en_US-large
diff --git a/hosts/default.nix b/hosts/default.nix
index 170cd88..efdd865 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -89,7 +89,6 @@
           "forgejo-runners-token".owner = "nixuser";
           "forgejo-nix-access-tokens".owner = "nixuser";
           "nix-netrc" = { };
-          "wireguard-mlabs-private-key" = { };
         };
       };
 
diff --git a/hosts/picard/default.nix b/hosts/picard/default.nix
index bf4c0c7..02271ff 100644
--- a/hosts/picard/default.nix
+++ b/hosts/picard/default.nix
@@ -41,7 +41,6 @@
         "prometheus-exporters"
         "zerotier"
         "alloy"
-        "wireguard-mlabs"
       ]
       ++ [ ./disko.nix ];
 
diff --git a/hosts/pike/default.nix b/hosts/pike/default.nix
index bd39cf3..c1c2579 100644
--- a/hosts/pike/default.nix
+++ b/hosts/pike/default.nix
@@ -89,7 +89,6 @@
         "pantalaimon"
         "gimp"
         "jellyfin"
-        "unison"
       ];
       extraGroups = [ "plugdev" ];
       backupPaths = [ ];
diff --git a/modules/home-assistant/default.nix b/modules/home-assistant/default.nix
index 3801ed8..086e8e7 100644
--- a/modules/home-assistant/default.nix
+++ b/modules/home-assistant/default.nix
@@ -163,19 +163,6 @@ in
     config.services.home-assistant.configDir
   ];
 
-  services.nginx.virtualHosts."home.aciceri.dev" = {
-    forceSSL = true;
-    enableACME = true;
-    locations."/" = {
-      proxyPass = "http://localhost:${builtins.toString config.services.home-assistant.config.http.server_port}";
-      proxyWebsockets = true;
-    };
-    extraConfig = ''
-      proxy_set_header Upgrade $http_upgrade;
-      proxy_set_header Connection $connection_upgrade;
-    '';
-  };
-
   # virtualisation.oci-containers = {
   #   backend = "podman";
   #   containers.homeassistant = {
diff --git a/modules/immich/default.nix b/modules/immich/default.nix
index 505d325..bf93484 100644
--- a/modules/immich/default.nix
+++ b/modules/immich/default.nix
@@ -22,16 +22,4 @@
     fsType = "ext4";
     options = [ "bind" ];
   };
-
-  services.nginx.virtualHosts."photos.aciceri.dev" = {
-    forceSSL = true;
-    enableACME = true;
-    locations."/" = {
-      proxyPass = "http://localhost:${builtins.toString config.services.immich.port}";
-      proxyWebsockets = true;
-    };
-    extraConfig = ''
-      client_max_body_size 50000M;
-    '';
-  };
 }
diff --git a/modules/nix/default.nix b/modules/nix/default.nix
index e8dedc8..ef46e63 100644
--- a/modules/nix/default.nix
+++ b/modules/nix/default.nix
@@ -25,23 +25,23 @@
         "https://cache.iog.io"
         "https://cache.lix.systems"
         "https://nix-community.cachix.org"
-        "https://mlabs.cachix.org"
+        # "https://mlabs.cachix.org"
         "http://sisko.wg.aciceri.dev:8081/nixfleet"
       ];
       trusted-public-keys = [
         "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ="
         "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o="
         "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-        "mlabs.cachix.org-1:gStKdEqNKcrlSQw5iMW6wFCj3+b+1ASpBVY2SYuNV2M="
+        # "mlabs.cachix.org-1:gStKdEqNKcrlSQw5iMW6wFCj3+b+1ASpBVY2SYuNV2M="
         "nixfleet:Bud23440n6mMTmgq/7U+mk91zlLjnx2X3lQQrCBCCU4="
       ];
-      deprecated-features = [ "url-literals" ]; # despite a warning saying that this option doesn't exist it seems to work
+      deprecated-features = [ "url-literals" ];
     };
     nixPath = [ "nixpkgs=${fleetFlake.inputs.nixpkgs}" ];
     extraOptions = ''
-      experimental-features = nix-command flakes
+      experimental-features = nix-command flakes impure-derivations
       builders-use-substitutes = true
     '';
diff --git a/modules/paperless/default.nix b/modules/paperless/default.nix
index f0ad8f3..eea062d 100644
--- a/modules/paperless/default.nix
+++ b/modules/paperless/default.nix
@@ -16,7 +16,6 @@
         pdfa_image_compression = "lossless";
         invalidate_digital_signatures = true;
       };
-      PAPERLESS_URL = "https://paper.sisko.wg.aciceri.dev";
     };
   };
 
@@ -34,12 +33,6 @@
     };
     extraConfig = ''
       client_max_body_size 50000M;
-      proxy_redirect off;
-      proxy_set_header Host $host:$server_port;
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-      proxy_set_header X-Forwarded-Host $server_name;
-      proxy_set_header X-Forwarded-Proto $scheme;
     '';
     serverAliases = [ "paper.sisko.zt.aciceri.dev" ];
   };
diff --git a/modules/sisko-proxy/default.nix b/modules/sisko-proxy/default.nix
index 2a79fec..19b32b5 100644
--- a/modules/sisko-proxy/default.nix
+++ b/modules/sisko-proxy/default.nix
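Review bot: `impure-derivations` is added to the `experimental-features` line for every host that imports this module, and as I understand the feature it lets any derivation that sets `__impure = true` build with network access and an unfixed output, so the sandbox stops guaranteeing reproducibility for those builds fleet-wide rather than for the one package that presumably needs it. A comment naming the consumer on that line, e.g. `experimental-features = nix-command flakes impure-derivations # impure-derivations: needed by <pkg>`, would keep the widened scope reviewable and make it easy to retire. Commenting out the `mlabs.cachix.org` substituter together with its `trusted-public-keys` entry is the correct pairing; if the cache is gone for good, deleting both lines is cleaner than leaving a dormant trust anchor in a comment that someone may later re-enable on its own. The comment dropped from `deprecated-features` recorded that the option warns as unknown yet still takes effect, which the next reader will rediscover the hard way, so a shortened `# warns as unknown but is honoured` is worth keeping.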
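Review bot: The second hunk removes `proxy_set_header X-Forwarded-Proto $scheme` and `X-Forwarded-For` from the `paper.*` vhost while the first hunk removes `PAPERLESS_URL`, so unless the imported nginx-base enables `recommendedProxySettings` (not visible here) Paperless no longer learns the original scheme or client address; as far as I recall Paperless-ngx derives `CSRF_TRUSTED_ORIGINS` from `PAPERLESS_URL`, so POSTs and uploads through the TLS-terminating proxy are likely to start failing CSRF origin checks, and access logs would show the proxy as every client. If the forwarded headers now come from nginx-base, a one-line comment above `extraConfig`, `# X-Forwarded-* and Host headers are set by nginx-base (recommendedProxySettings)`, would document that dependency; otherwise keep `PAPERLESS_URL` or set `PAPERLESS_CSRF_TRUSTED_ORIGINS` explicitly. The virtualHost attrset these lines belong to starts outside the hunk.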
@@ -1,5 +1,105 @@
+{ config, ... }:
 {
   imports = [ ../nginx-base ];
-  # TODO this file can be probably deleted now
-  # each module defining a virtualHost should import nginx-base
+  services.nginx.virtualHosts = {
+    localhost.listen = [ { addr = "127.0.0.1"; } ];
+    "home.aciceri.dev" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass = "http://localhost:${builtins.toString config.services.home-assistant.config.http.server_port}";
+        proxyWebsockets = true;
+      };
+      extraConfig = ''
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+      '';
+    };
+    "home.sisko.aciceri.dev" = {
+      forceSSL = true;
+      useACMEHost = "aciceri.dev";
+      locations."/" = {
+        proxyPass = "http://localhost:${builtins.toString config.services.home-assistant.config.http.server_port}";
+        proxyWebsockets = true;
+      };
+      extraConfig = ''
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+      '';
+    };
+    "photos.aciceri.dev" = {
+      extraConfig = ''
+        client_max_body_size 50000M;
+      '';
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass = "http://localhost:${builtins.toString config.services.immich.port}";
+        proxyWebsockets = true;
+      };
+    };
+    # "${config.services.nextcloud.hostName}" = {
+    #   forceSSL = true;
+    #   enableACME = true;
+    # };
+    # "sevenofnix.aciceri.dev" = {
+    #   forceSSL = true;
+    #   enableACME = true;
+    #   locations."/" = {
+    #     proxyPass = "http://10.1.1.2:${builtins.toString config.services.buildbot-master.port}";
+    #     proxyWebsockets = true;
+    #   };
+    # };
+  };
+
+  # services.oauth2_proxy = {
+  #   enable = true;
+  #   provider = "oidc";
+  #   reverseProxy = true;
+  #   # replaces following options with .keyFile
+
+  #   clientID = "shouldThisBePrivate?";
+  #   clientSecret = "thisShouldBePrivate";
+  #   cookie.secret = "thisShouldBePrivate00000";
+
+  #   email.domains = [ "*" ];
+  #   extraConfig = {
+  #     # custom-sign-in-logo = "${../../lib/mlabs-logo.svg}";
+  #     # scope = "user:email";
+  #     # banner = "MLabs Status";
+  #     # whitelist-domain = ".status.staging.mlabs.city";
+  #     oidc-issuer-url = "http://127.0.0.1:5556/dex";
+  #   };
+  #   # redirectURL = "https://status.staging.mlabs.city/oauth2/callback";
+  #   # keyFile = config.age.secrets.status-oauth2-secrets.path;
+  #   # cookie.domain = ".status.staging.mlabs.city";
+  #   nginx = {
+  #     virtualHosts = [
+  #       "search.aciceri.dev"
+  #     ];
+  #   };
+  # };
+
+  # services.dex = {
+  #   enable = true;
+  #   settings = {
+  #     issuer = "http://127.0.0.1:5556/dex";
+  #     storage = {
+  #       type = "postgres";
+  #       config.host = "/var/run/postgresql";
+  #     };
+  #     web = {
+  #       http = "127.0.0.1:5556";
+  #     };
+  #     enablePasswordDB = true;
+  #     staticClients = [
+  #       {
+  #         # id = "oidcclient";
+  #         # name = "client";
+  #         # redirecturis = [ "https://login.aciceri.dev/callback" ];
+  #         # secretfile = "/etc/dex/oidcclient"; # the content of `secretfile` will be written into to the config as `secret`.
+  #       }
+  #     ];
+  #   };
+  # };
 }
diff --git a/modules/wireguard-client/default.nix b/modules/wireguard-client/default.nix
index 28bc943..352aa40 100644
--- a/modules/wireguard-client/default.nix
+++ b/modules/wireguard-client/default.nix
@@ -13,7 +13,6 @@
       {
         publicKey = vpn.sisko.publicKey;
         allowedIPs = [ "10.100.0.0/24" ];
-        # allowedIPs = [ "0.0.0.0/24" ]; # Uncomment for full tunnel
         endpoint = "vpn.aciceri.dev:51820";
         persistentKeepalive = 25;
       }
diff --git a/modules/wireguard-mlabs/default.nix b/modules/wireguard-mlabs/default.nix
deleted file mode 100644
index 2d583f7..0000000
--- a/modules/wireguard-mlabs/default.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{ config, ... }:
-{
-  networking.wireguard.interfaces.wg1 = {
-    ips = [ "10.10.1.1/32" ];
-    peers = [
-      {
-        publicKey = "A4u2Rt5WEMHOAc6YpDABkqAy2dzzFLH9Gn8xWcKaPQQ=";
-        allowedIPs = [ "10.10.0.0/16" ];
-        endpoint = "vpn.staging.mlabs.city:51820";
-        persistentKeepalive = 25;
-      }
-    ];
-    privateKeyFile = config.age.secrets.wireguard-mlabs-private-key.path;
-  };
-}
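Review bot: None of the new `services.nginx.virtualHosts` entries is marked `default = true`, and the `localhost` vhost only listens on 127.0.0.1, so unless the imported `nginx-base` supplies a catch-all (not visible here) nginx will answer any 443 request whose SNI/Host matches nothing with the alphabetically first server block, `home.aciceri.dev` — i.e. whoever probes the bare IP lands on the Home Assistant proxy instead of a rejection. A sink entry such as `"_" = { default = true; rejectSSL = true; locations."/".return = "444"; };` would make unmatched names fail at the TLS handshake. The `proxy_set_header Upgrade`/`Connection` lines in `extraConfig` of both `home.*` hosts duplicate what `proxyWebsockets = true` already emits inside the location block and can be dropped, while `home.sisko.aciceri.dev` depends on a `security.acme.certs."aciceri.dev"` entry covering that name (wildcard or SAN) that is defined elsewhere, which deserves a comment on the `useACMEHost` line. In the commented-out `oauth2_proxy` block, `clientSecret` and `cookie.secret` are inline string literals that would end up in the world-readable Nix store the moment the block is uncommented, so please replace them with `keyFile` before this is ever enabled rather than leaving secret-shaped placeholders in the module.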
diff --git a/modules/wireguard-server/default.nix b/modules/wireguard-server/default.nix index efb9b41..a02ccad 100644 --- a/modules/wireguard-server/default.nix +++ b/modules/wireguard-server/default.nix @@ -2,7 +2,6 @@ config, lib, vpn, - pkgs, ... }: { @@ -18,13 +17,5 @@ publicKey = vpnConfig.publicKey; allowedIPs = [ "${vpnConfig.ip}/32" ]; }) vpn; - - postSetup = '' - ${lib.getExe' pkgs.iptables "iptables"} -t nat -A POSTROUTING -s 10.100.0.0/24 -o enP4p65s0 -j MASQUERADE - ''; - - postShutdown = '' - ${lib.getExe' pkgs.iptables "iptables"} -t nat -D POSTROUTING -s 10.100.0.0/24 -o enP4p65s0 -j MASQUERADE - ''; }; } diff --git a/secrets/nix-netrc.age b/secrets/nix-netrc.age index f2dd53c..7b0438f 100644 Binary files a/secrets/nix-netrc.age and b/secrets/nix-netrc.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 8646ff3..fd1bca9 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -164,12 +164,6 @@ with keys.users; picard kirk ]; - "wireguard-mlabs-private-key.age".publicKeys = [ - ccr-ssh - picard - pike - kirk - ]; # WireGuard "picard-wireguard-private-key.age".publicKeys = [ diff --git a/secrets/wireguard-mlabs-private-key.age b/secrets/wireguard-mlabs-private-key.age deleted file mode 100644 index 363e217..0000000 --- a/secrets/wireguard-mlabs-private-key.age +++ /dev/null @@ -1,12 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 Zh7Kmw 1pcva3l9KyvXlzWJVeul63s1xnL2yEMzuB1R73IdKlA -TDDa9yQYXrqFS+MCEeqCcQ/27zu3WytSmU5MBNyQTIk --> ssh-ed25519 /WmILg z9/JeIxSpzndNP+1fwfdRfKYTaNp7wVITCkF7wwayEs -8PlFDHZbA0Z/3svhPWGE/sHfsMNmuXrdP6Qf0FhLMmc --> ssh-ed25519 OYRzvQ Tk0mN20c8199ZvTY6jXY6ExSXGR3kb4qtnj8HkPj1xY -5SGMhFzIE98NgNw7bnnivVTvuKtBtJdf/2jAjJUSKl8 --> ssh-ed25519 /yLdGQ 8J4LLlxtMFW8fALPGUk/NaHIJ59bo9tKe5TGiGAvYhk -sgE0SQi169mEtltDWIb4ZZaXKUXORyiKhmOZsNOiqKU ---- sWbCYolqfqwIsja6nNdyPBcOeM/Qq5GninMokUvK4xE -ʼngz{4 X? -A e"v\Ho,m}bq$h:fGkF=#0q \ No newline at end of file