From 04f202688acef570e8a81db77dd546f65960808b Mon Sep 17 00:00:00 2001 From: Gene Liverman Date: Sat, 15 Jun 2024 16:42:44 -0400 Subject: [PATCH 01/12] Add post-install bits --- .sops.yaml | 2 +- modules/hosts/nixos/hetznix01/default.nix | 4 ++++ .../hetznix01/hardware-configuration.nix | 11 +++++----- modules/hosts/nixos/hetznix01/secrets.yaml | 21 +++++++++---------- modules/system/common/secrets.yaml | 4 ++-- 5 files changed, 22 insertions(+), 20 deletions(-) diff --git a/.sops.yaml b/.sops.yaml index d930bf4..bce9d68 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,6 +1,6 @@ --- keys: - - &system_hetznix01 age1a652ev7gekx4aj589s8fd27ul9j5ugpdwg7pxhmqcwdjwwq9gf2qv38um9 + - &system_hetznix01 age1rd55wsu0hhvxk25tm69d9h57z0z0u6556x4ypg09muj3vh4yqs5qaw23nu - &system_nixnuc age1g24zhwvgenpc4wqejt63thvgd4rn5x9n7nnwwme7dm83nfqpp93se2vmq4 - &system_rainbow_planet age15xlw5vnnjdx2ypz6rq0mqcywuaj3yx8y6lrgf95satafqf7y4qus6rv6ck - &user_airpuppet age1awdf9h0avajf57cudx0rjfmxu2wlxw8wf3sa7yvfk8rp4j6taecsu74x77 diff --git a/modules/hosts/nixos/hetznix01/default.nix b/modules/hosts/nixos/hetznix01/default.nix index 825f697..ab489c6 100644 --- a/modules/hosts/nixos/hetznix01/default.nix +++ b/modules/hosts/nixos/hetznix01/default.nix @@ -2,6 +2,10 @@ imports = [ ./hardware-configuration.nix ./disk-config.nix + # Added post-install + ./sops.nix + ./nginx.nix + ./tailscale.nix ]; system.stateVersion = "24.05"; diff --git a/modules/hosts/nixos/hetznix01/hardware-configuration.nix b/modules/hosts/nixos/hetznix01/hardware-configuration.nix index f8f026a..f3eff9f 100644 --- a/modules/hosts/nixos/hetznix01/hardware-configuration.nix +++ b/modules/hosts/nixos/hetznix01/hardware-configuration.nix 
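Review bot: The `&system_hetznix01` recipient is swapped from `age1a652…` to `age1rd55…` without recording why, and nothing in the series says whether the old host identity was destroyed with the reinstall; every ciphertext in git history remains decryptable by that old key. A short comment on the anchor line, e.g. `# hetznix01 reinstalled 2024-06-15; previous identity age1a652… retired, not reusable`, would document the rotation for the next re-key, and if the old key could still exist anywhere the secrets it covered should be rotated rather than just re-encrypted.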
@@ -4,16 +4,15 @@ { config, lib, pkgs, modulesPath, ... }: { - imports = [ - (modulesPath + "/installer/scan/not-detected.nix") - (modulesPath + "/profiles/qemu-guest.nix") - ]; + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod" ]; + boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; } + diff --git a/modules/hosts/nixos/hetznix01/secrets.yaml b/modules/hosts/nixos/hetznix01/secrets.yaml index 543ee2e..84f41a5 100644 --- a/modules/hosts/nixos/hetznix01/secrets.yaml +++ b/modules/hosts/nixos/hetznix01/secrets.yaml 
@@ -1,23 +1,22 @@ -local_git_config: ENC[AES256_GCM,data:/1FaGgxRJT01Xg3NYvcGfTaqxklv3PtoBdVN/H7+Mhlxwed5O++leUA=,iv:VKjkzqH8ayRE9hgNrqwSSx4RKCBYVkUkPtA1dvnkfvA=,tag:lfgezmDGQ/yVfLypLBanYA==,type:str] -local_private_env: "" -tailscale_key: ENC[AES256_GCM,data:yiAug7VEfZ5jROEg3NVmZcfdbfUxBZk2duM6mG/BVXKuAYj4u0SB1HtMCmvX6nr7P3y3YyuqiLw6,iv:bN5xbBOPWJfH+DxcHp2ODLm95jyzUwjSkKynPmvQvnY=,tag:8b/0hnNH7T64xBFMkXRjeQ==,type:str] +local_git_config: ENC[AES256_GCM,data:BulcGoJ85+BA3maqbMewUdaNOl3feaJMq/4yZL8Y8SLOHqzmA/DUO7k=,iv:V7wpSiEQpt7AhKd+MUyGqTsO6YZovpkj+AaqpLnfRM0=,tag:7f3fFzQX3bpjokVPnUKDPQ==,type:str] +local_private_env: ENC[AES256_GCM,data:OFcCaE9/hpd6JIoUTTxg0pEFL3rkUE3G+JzP/wjFXpa/AJa2Rr0Kv42Pu+iwgPMWgcpp50ChjVxGvbceNQ==,iv:I2LyWwvdMdE4wKLb3udLVMu3jFsvYR1ruZvaVt9GG7c=,tag:tBPmlNr0iNdLRU1GIRV2mg==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: - - recipient: age1a652ev7gekx4aj589s8fd27ul9j5ugpdwg7pxhmqcwdjwwq9gf2qv38um9 + - recipient: age1rd55wsu0hhvxk25tm69d9h57z0z0u6556x4ypg09muj3vh4yqs5qaw23nu enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2NFBqRFNnSmJCK0ZPYUR5 - SXRXRDhaMmVCbGFVUWxoYkhPbUczdHBJdkZvClcxcE5IUnMvN0tHbllNU3hwMTY1 - SXlhUHFJd3JCYU5MVDB2UnJPaW5xYncKLS0tIENqd3N1dnZ1NFltQ1pOSjA2dU5N - VUIzR0FqbFNvOXAzREZtdDJNTWhjYUEKYfA5s8PRVbefoOefKLs7NiHUd6fYZ62I - ZwUi9YZt+zHxBxxFFMpduSSd5q50Qz+CMBNQHv2CPOBcGeFjToiDxg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5ejVRcmRBR3p6N2V1anZp + RkEwVTBWR09TazdNTnZ3YWlUUU9IOUordDNjClJmdU9sUkttaktTOTR4WldFWXFs + WkQ4a1dWaGJmVE40YmovQWJSRS8rTjQKLS0tIERBQ2wxNGc0Um9IQ2FPOU1jTDhZ + WkI4ejBaODI0d0tjWHpTT3VWTXNyaXcKMDtvHN4gcZqBNslyC+NwYW05zgs8QuPV + W6EktAz+xu6kx5BJbli5GkUFmj52AtEGIqZ1Sr4a0pKQACC87XcTQA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-02-06T02:07:39Z" - mac: 
ENC[AES256_GCM,data:JWLLdojUJlI0SDdT8Yg0pj03Jmc7eCJL8GHPtXOfw28vcqlK2tnR/yWLI+MClFVu+o4vrV9HZv+41VItqAkeMjBlgAYib9JgTwtkiECZz8o6i8FXEk09Qkml9WKyKrAU1Og/+gt3y1MUSzrmGgg8YkM3YVv7nyGr8lZ0nf/rWb8=,iv:rYtawgUgxsXCY4OHbLW6l2X/x1f+C7X22MoYVlfHIaw=,tag:pdACJHoe56N1lllrFoyHow==,type:str] + lastmodified: "2024-06-15T20:39:04Z" + mac: ENC[AES256_GCM,data:S24sEsBGp/NXShp6XzNSiLMgN5NbX1EbHuxpcOhtye6e0ZzIj9vTzh2VQ61ALaAI1O/CD5MawDy0NfDjk9Rzo5yk0zf3VTaP0QydIOlph7eTAMNPbC7jGXZS1DF1cGaQnKyNTx8iMJZeqvF4Ymfi5j8G+5aAWiMa8qfYWQeo2KU=,iv:JXccbPWqKh/CRUwb+BSQrPZc8LaHguOj/5qFNowKT6E=,tag:rd+sSPKlkJyrp0zqK1mb5Q==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/modules/system/common/secrets.yaml b/modules/system/common/secrets.yaml index c5749fb..37c75ad 100644 --- a/modules/system/common/secrets.yaml +++ b/modules/system/common/secrets.yaml @@ -72,8 +72,8 @@ sops: ZlBVMUJmWml3dkQ3OTN1ZmF1N0hXNHcKnLOSViooQmhU5yE754VHIBYNRVikgptc 3bXDiOlkjBbxGru3bnn+vUUJ3n+QdZoAnCgdL7D2/Me3HVrAW5M5LA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-04-07T00:55:24Z" - mac: ENC[AES256_GCM,data:5GaItFbHP8Qj8Dev5a0kkI7VFovvW5STaI7MPaZibHWCB2Xvcw50ZjKPRVVx6yqsnjz6zf3H2h/siowq/eAvvKJ5gltbof4NAxcCqjcOrqpUaeFT1ykG2SMznX8OezUyH6K7KmFgSFgYv3F/5JhoQOIClJs4NmQIBxUf7afY9KQ=,iv:oJhBRcyyL5zBc324tyyTYF2i1a0Q+CkOxwg4HbyUXkA=,tag:kK9/bQIO/VioSpmxC7P+XA==,type:str] + lastmodified: "2024-06-15T20:40:25Z" + mac: ENC[AES256_GCM,data:ErxmmCLDQM0CvUR5xvUt9OxORC9/1seWIdCNk1ZVbC7VouxuDmSgqmsb+W7Y69wqwJrRhg4JTwcUs/uo9A1IIpSoSpfHyz4NWI41kusRJmimR6UznEFRfaLDSUDkYB5YXValRiQTXDvHjRoeJyvyjArsE3DSUws3wx3KqqpFT7g=,iv:Evh58pQ1l9YZAQo1USoCSWyM9EFGm0POxMOKVxuw44g=,tag:mVY0GUtVJ8Ur8SubJ3jlvg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 From 68d83d08f260fb85338b19157c131df592c0b6fe Mon Sep 17 00:00:00 2001 
From: Gene Liverman Date: Sat, 15 Jun 2024 17:03:47 -0400 Subject: [PATCH 02/12] Update hetznix01's key in common secrets --- modules/system/common/secrets.yaml | 76 +++++++++++++++--------------- 1 file changed, 38 insertions(+), 38 deletions(-) diff --git a/modules/system/common/secrets.yaml b/modules/system/common/secrets.yaml index 37c75ad..200ba37 100644 --- a/modules/system/common/secrets.yaml +++ b/modules/system/common/secrets.yaml 
@@ -9,71 +9,71 @@ sops: azure_kv: [] hc_vault: [] age: - - recipient: age1a652ev7gekx4aj589s8fd27ul9j5ugpdwg7pxhmqcwdjwwq9gf2qv38um9 + - recipient: age1rd55wsu0hhvxk25tm69d9h57z0z0u6556x4ypg09muj3vh4yqs5qaw23nu enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBseHFTeDZoMElxVUZpWFVa - dmxvWEFkS0p6aTFraUNyNmtITTQ4bFdLNFVZCnlsTlE3TUVvMWdXS0psb0FOQVdP - UGtTVVQ3ZExQVUdvekFEa0lYZmRxdEkKLS0tIEEyMXdkZ0JyV0orSnVwL3hMWVpy - TTAvb09FUE1JaXpNSm80Mmx3Z292eVUKjJ8Q9y2PhU9NpgCjKYne7zY+I+fXvIhs - BB/lskZG/AVuGdBDHRf0yIVFd/j6inTWbP1u3wJ+Mf+dBnPAlS9rXg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2WHN1S29tU21PRmRpcGQ4 + cm9hTW5wWVRNWlBDWGtOaUlzNWZndDgzd1NZCkVJZExBUkNFOFBNTUJKTDJBR2Vs + UmVCcWoxRzdGeHAraFZoZitZL21nTzAKLS0tIDNsY0VGVW5nUkY4enoxMWFLZTYr + ay84cjcrZFNyc0d0N3o1RkV6UTdGQ0EKcCzKdxFpXpuVCP/H3vxKsj/nU5MjxUuw + kW6psp5pA+0HHozeZoN+nv4dTaaz6GQLZdY+b/tfOem81/Bl1YXnnQ== -----END AGE ENCRYPTED FILE----- - recipient: age1g24zhwvgenpc4wqejt63thvgd4rn5x9n7nnwwme7dm83nfqpp93se2vmq4 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYWWVCd0ZjMzkxZVdIR1JC - Q1plamZveGg1Z1FaK2VPb29CUVVia0Q4aFZ3CkNKUjl0S090SUMwU1dJenRONEpJ - WnZ6aEFwV2lrelBZV0p0UUQvaWdmS0kKLS0tIGh2OE5iTTRObFEraUpxN0YyTVpx - Mk5Sb0VCN1VjMnNNdzBBZWY3Q2FsUFkK7d9MAUNRL7GSF6diz/5X21BmMsyE5Cu3 - 18ycNiMLtUwGHsfxh+aLliFDBO32LwMI64/tKHDtx4sHQSBGoppsfQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtd1hvWU8yOUhzKy9WU2NU + SnVra1hHVjNTY05YSmhkL0JpcWo2Z0tPSmhVCnAyWWg4c2NUazA4RTZoazRMUHJz + OCtsYmVicmphMmJyVUIwbWlzaHNwSTgKLS0tIHNzMFlsMEw0eVBjdmdVWERnZzZZ + WEU0NkNvbjd4NkE0KzdhRXIxT0dla0UKxMxIMNdkh5LFm9+A9lAQNO4qWm+URRBu + dDPLuF+Jw1wkd2aZjAolOcMfdCgTS2WUeY1615bT6GoAUl96v0fQHw== -----END AGE ENCRYPTED FILE----- - recipient: age15xlw5vnnjdx2ypz6rq0mqcywuaj3yx8y6lrgf95satafqf7y4qus6rv6ck enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4UEc1M2UwTkduWnEyMG8x - TGVYaUpsSlNVcnBxdHZRWU8ydUJvMnZXTTNZCmtIenlWeDdvM0xQemI3Y1dXNlox - 
SUhNcG5iZE44WGhWL0NwUTZjSzhPNFkKLS0tIHIyaU1DOUxSV0VWVTRaQmhBbXVP - dGVWRnhIek1mV2FJemF1dzVwMjZqWUUKNvkzOwi6OR369S5e5y6TSfGA4/EH09WK - MWlH3fzABkCN+IeRmOmtU/L3MdHIiWanDWp6KdWCJJ3OnBO8cjMEig== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjQ3NXNU82djJnNkI0aUF3 + WHFpTTQxUnB0Ynlmb1pOUmhYQk1lc1dRS1hRCnhzbnZ5d3NIWHI3c2VtbHIrMm44 + QnZMY3FXT25sV1N3YWNGNnFpYkxUQncKLS0tIHlEb2UyMFp6UWhiam5zL0Vqa2px + eUVjdzlFdkJKQTBxRitjQ2M3TTVpcHcKs6qM7CfLvcEbpKFjfbmUJjSBLcVZ5SEt + 8MG5VefhVJiVGAX8q6SVZn15FpjLm8PtiuAWoBhi2kboLb6/faK2Cw== -----END AGE ENCRYPTED FILE----- - recipient: age1awdf9h0avajf57cudx0rjfmxu2wlxw8wf3sa7yvfk8rp4j6taecsu74x77 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLOE5pYXFDdXQzblI1N01i - eFROYzVvK3cxN1pJMHlScW0rZjBScG9SMzBnCko4VDllS0pQMU5NdU5NbndWQWpq - NmhWK1RJSHpITktFWTZIN2JHRklqS2cKLS0tIFFjRE9Ia3Z0TzIyd2MrS2RRWU9k - d3FIL3dqTHRtQVJiS255aVVWZ1p3UjQKb+65IgxbWXtkidmlb5w5Cu11izXh5QgR - I1YAckCX6RlR3Mlcs/5cTyLakpc3ibm/g4+N9+EhlIQz4wIxmxAtHQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4QlRIRGNwaEsrWGxoQnpp + dThhRUxBYXJ1ZlBsMmhweHpmd1hjb3RnMmhrCmg4dTZBY0kyUkxnZHZCdXFnOThS + UkJsWnBUeEc1ZG1lTkFrYnlxWnFmS00KLS0tIG5pUTJKaXJydFB5YkxVMHdPanBH + TjZGWjZqbXVhV3kvZ3dHMmJndVRwS28KE1+lw8BZLTv7zeSBw/fd2dqPS/hiq37x + VfOHwiTw9TDbbCm1pCtBl44/qB5vKlqAOtWBjM7hiv06QcZrDgfxZg== -----END AGE ENCRYPTED FILE----- - recipient: age1rt72txg22w8y3cdvq9w7zff0cas6xtkplpj36kxnevfnrtn82f6ss7yw7d enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNb2hxZElESWd4eTFycFI1 - YWpKS1ZpWmtYcy9JK2ZPQ1QzSXFjWXM5VzFjCk1CcmJmdE5yL0J1Q2RBN3Npa2hn - WWxZTHkwTnhZaXBYanpZTkRTRUdTcWcKLS0tIFA3SkVuVFFVT2NsbVBlNUdFRlUx - UE9sMXVVOW1ib3JBYUR5LzVFRFp3ZWcK2hwlxaEUexjqHcg86dSpJU37b8bkWO6r - mSygDEjU71u20G6sdMeoSyxepPtWJsVhnAMukFsnKZf6LyfiiCseAQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLZkVWMGFmZU9OSXhQWFF4 + Q3pjelptQzhHK3pnZGFSS2dCUUkvVGF1eVM4CityNVRFUyswMUxEN0RSakd0Ymp0 + 
ZXdnVXJtVDhycVRRSmR3RWhoMk15RFkKLS0tIGR6bVljY1Rnc2JRU05FaXlXQW1H + S0YxZWZ5Q2taQks5VmxGY21CZ01IVUUKU593ro9pDrKkUGAV226dbo0dK7QnI49I + VyGJGcQ/bXEBVJazcwWGhIwA6WACY/HldrUU45WsowlVQgIwtPVkfw== -----END AGE ENCRYPTED FILE----- - recipient: age1zz34qx3n3dj63sva24kaymetv3apn58lafjq4dl6zw7xxachuyts00mhck enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoZndiK3FMOUptbDRGOVQ0 - QnNSSEtlVHZtaUlRQlRySzJNUmdqbzRQRFZFCnNyOHRtNFhsWGEvTFRkNTRUbit6 - OWh6cVRRTXhlQmxpY3JpNVFRdStuWkkKLS0tIElYZGRVVWVSTlBhRHhVYWRFSFhC - NERwYVhzTjRZUDBmbTM2QzEyay9vT2MK9QIINuuaagTz2wyF9NiNzE0aiwoAHquH - GK203V5jVnLXftOV09NIg3027m8KCRc7yEWOtcbH5UkGZxZCqESv9Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRYkhuWllyTDk4NEpOdVFV + K1JVWUM4THNGSVpkS1V6VTZzNFF3b0xydW44CkpEYlFya0MyTWZLby9zb1dzTGNk + WElCYnpEQStKOUFWWXdVM1dWOEpMSWcKLS0tIDB5aDY3T25MSmtUUmw4YVREeU5l + WnBoZzdHb3NzSVd2NDhiUDY4YUhUS2MKZg09GBkZrL4kqpA7y/dQNVpStLjZTrYz + 8jlhf06x0L/oLrSfP4Ct0apnjHRoPJlpTRLZKEVNfE3t0E8JgW3JDg== -----END AGE ENCRYPTED FILE----- - recipient: age1rpy8edlpgxuf6w75cvlqexuq2xe4c49h9t2ge6jhc3fzczp8vfasnjelwq enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNY2xrM1BFRDdtckRGZkIz - Mkc5VzNHQzV5aC9xTzU4US80czFMcHNpbXpzCnlqUWliUjlra1U0Y0dJTDByMGFQ - MlRTd2FaT1QzMXFWZ3piVjZsZ1ZDemsKLS0tIENRdlVvNE5VT3VOc2hqM2ZnVUVY - ZlBVMUJmWml3dkQ3OTN1ZmF1N0hXNHcKnLOSViooQmhU5yE754VHIBYNRVikgptc - 3bXDiOlkjBbxGru3bnn+vUUJ3n+QdZoAnCgdL7D2/Me3HVrAW5M5LA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQM1ZrZHplbVRhR3Rtd2dN + N0RXazhNR1hqQzAxb0lpdCttQW9EUzYwZldzCjlFVjV0RG9oQnM4UHJNTjdnNjlo + Y3ZRQ0J0VGxUQ1NYWitWVnFIZHdSRDgKLS0tIG9GdThMKzdQaGZCcy92L3N1TWJZ + OEtqTWJvU2ptTmJEQmhRZDFDTW0zemsKol6EX/Ap98DQXDoMaY8cR9x2N02SiqYg + /6ufAo+0qxF+BS5dWdxAQJOZnTa9+xRePrlp/8bnnpJ4aalRqZj65w== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-06-15T20:40:25Z" - mac: 
ENC[AES256_GCM,data:ErxmmCLDQM0CvUR5xvUt9OxORC9/1seWIdCNk1ZVbC7VouxuDmSgqmsb+W7Y69wqwJrRhg4JTwcUs/uo9A1IIpSoSpfHyz4NWI41kusRJmimR6UznEFRfaLDSUDkYB5YXValRiQTXDvHjRoeJyvyjArsE3DSUws3wx3KqqpFT7g=,iv:Evh58pQ1l9YZAQo1USoCSWyM9EFGm0POxMOKVxuw44g=,tag:mVY0GUtVJ8Ur8SubJ3jlvg==,type:str] + lastmodified: "2024-06-15T21:02:47Z" + mac: ENC[AES256_GCM,data:vZie4+27bytMtLHLO3cR5X6XsvVjoLWXbZ9gSyeJAg//TYDdojfCKtLatBb22oVyjjeoFKKqcHwVPv888Kpc8SwFIY7C0YxgmFbHXZMkUk4EWsolGPJ4V3p2GdWSRJkn/B9fM0TjvWiHASvtDNUNw03Rs6PT8fP0YTSzomKGR+U=,iv:5UY3+wj8h/uW/l3gkBPub+bWWt2kKabH5jErjmNp4sM=,tag:2DrAzNOS+dd3bNCs42PPbw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 From df725f8610a2e0137894d94491a9e14735944d4f Mon Sep 17 00:00:00 2001 From: Gene Liverman Date: Sat, 15 Jun 2024 17:16:05 -0400 Subject: [PATCH 03/12] More post-install bits --- modules/hosts/nixos/hetznix01/nginx.nix | 2 +- modules/hosts/nixos/hetznix01/secrets.yaml | 5 +++-- modules/hosts/nixos/hetznix01/tailscale.nix | 2 +- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/modules/hosts/nixos/hetznix01/nginx.nix b/modules/hosts/nixos/hetznix01/nginx.nix index ceece66..72167cf 100644 --- a/modules/hosts/nixos/hetznix01/nginx.nix +++ b/modules/hosts/nixos/hetznix01/nginx.nix @@ -37,7 +37,7 @@ in { ''; }; }; - "utk-eu.technicalissues.us" = { + "utk-v2.technicalissues.us" = { listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }]; enableACME = true; acmeRoot = null; diff --git a/modules/hosts/nixos/hetznix01/secrets.yaml b/modules/hosts/nixos/hetznix01/secrets.yaml index 84f41a5..8f55189 100644 --- a/modules/hosts/nixos/hetznix01/secrets.yaml +++ b/modules/hosts/nixos/hetznix01/secrets.yaml 
@@ -1,5 +1,6 @@ local_git_config: ENC[AES256_GCM,data:BulcGoJ85+BA3maqbMewUdaNOl3feaJMq/4yZL8Y8SLOHqzmA/DUO7k=,iv:V7wpSiEQpt7AhKd+MUyGqTsO6YZovpkj+AaqpLnfRM0=,tag:7f3fFzQX3bpjokVPnUKDPQ==,type:str] local_private_env: ENC[AES256_GCM,data:OFcCaE9/hpd6JIoUTTxg0pEFL3rkUE3G+JzP/wjFXpa/AJa2Rr0Kv42Pu+iwgPMWgcpp50ChjVxGvbceNQ==,iv:I2LyWwvdMdE4wKLb3udLVMu3jFsvYR1ruZvaVt9GG7c=,tag:tBPmlNr0iNdLRU1GIRV2mg==,type:str] +tailscale_key: ENC[AES256_GCM,data:Bl00WuIrLvxmt7aNsoXC6G7XFls7waZMzdfo/MsEOZl/i3wHwrjrmgwd3V4GkaJ42UjrC1OLobrkuLves4w=,iv:tlCu0EWgvhvs1ANdtQr7KWHJ2RjpHniUm/rFC4L/MHs=,tag:+8eov9w+SPGZPnjMdrN8gA==,type:str] sops: kms: [] gcp_kms: [] @@ -15,8 +16,8 @@ sops: WkI4ejBaODI0d0tjWHpTT3VWTXNyaXcKMDtvHN4gcZqBNslyC+NwYW05zgs8QuPV W6EktAz+xu6kx5BJbli5GkUFmj52AtEGIqZ1Sr4a0pKQACC87XcTQA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-06-15T20:39:04Z" - mac: ENC[AES256_GCM,data:S24sEsBGp/NXShp6XzNSiLMgN5NbX1EbHuxpcOhtye6e0ZzIj9vTzh2VQ61ALaAI1O/CD5MawDy0NfDjk9Rzo5yk0zf3VTaP0QydIOlph7eTAMNPbC7jGXZS1DF1cGaQnKyNTx8iMJZeqvF4Ymfi5j8G+5aAWiMa8qfYWQeo2KU=,iv:JXccbPWqKh/CRUwb+BSQrPZc8LaHguOj/5qFNowKT6E=,tag:rd+sSPKlkJyrp0zqK1mb5Q==,type:str] + lastmodified: "2024-06-15T20:49:45Z" + mac: ENC[AES256_GCM,data:TPY25QfdBEoQbOMoF0kDIv9P3uwqY5pq2HyFIckhidaKvUNog5OVHmXsycpEZ+JC6NOPHWpd0wrYB8XYJI4R3ND/w3Gjl/NGEnDjX7FihkhQZOlTUap+/7UBL3gTQKR/jd0enWn1FIQuOrXmNsJ3RhPStQNpHRmgSPR5FVecJFI=,iv:dIQmQjKK7VFnxOYxkDSRDZNFpsv1+6YU9tpOr8XsTtw=,tag:FDlGiuJR2mwuci+z2Pa5rg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/modules/hosts/nixos/hetznix01/tailscale.nix b/modules/hosts/nixos/hetznix01/tailscale.nix index 0b95751..d6f3278 100644 --- a/modules/hosts/nixos/hetznix01/tailscale.nix +++ b/modules/hosts/nixos/hetznix01/tailscale.nix @@ -1,5 +1,5 @@ { config, username, ... }: { - tailscale = { + services.tailscale = { enable = true; authKeyFile = config.sops.secrets.tailscale_key.path; extraUpFlags = [ 
From dcce63ecc60908b69c2a5a9b32156356bc83140a Mon Sep 17 00:00:00 2001 From: Gene Liverman Date: Sat, 15 Jun 2024 17:53:02 -0400 Subject: [PATCH 04/12] Migrated DNS for utk --- modules/hosts/nixos/hetznix01/nginx.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/hosts/nixos/hetznix01/nginx.nix b/modules/hosts/nixos/hetznix01/nginx.nix index 72167cf..641f63d 100644 --- a/modules/hosts/nixos/hetznix01/nginx.nix +++ b/modules/hosts/nixos/hetznix01/nginx.nix @@ -37,7 +37,7 @@ in { ''; }; }; - "utk-v2.technicalissues.us" = { + "utk.technicalissues.us" = { listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }]; enableACME = true; acmeRoot = null; From eb53309c33975103a24905608e7ec121cee3bf62 Mon Sep 17 00:00:00 2001 From: Gene Liverman Date: Sat, 15 Jun 2024 17:59:34 -0400 Subject: [PATCH 05/12] Add backups via restic to hetznix01 --- modules/hosts/nixos/hetznix01/default.nix | 3 ++- modules/hosts/nixos/hetznix01/restic.nix | 10 ++++++++++ 2 files changed, 12 insertions(+), 1 deletion(-) create mode 100644 modules/hosts/nixos/hetznix01/restic.nix diff --git a/modules/hosts/nixos/hetznix01/default.nix b/modules/hosts/nixos/hetznix01/default.nix index ab489c6..787d56d 100644 --- a/modules/hosts/nixos/hetznix01/default.nix +++ b/modules/hosts/nixos/hetznix01/default.nix @@ -1,10 +1,11 @@ -{ config, username, ... }: { +{ username, ... }: { imports = [ ./hardware-configuration.nix ./disk-config.nix # Added post-install ./sops.nix ./nginx.nix + ./restic.nix ./tailscale.nix ]; diff --git a/modules/hosts/nixos/hetznix01/restic.nix b/modules/hosts/nixos/hetznix01/restic.nix new file mode 100644 index 0000000..5acd1b2 --- /dev/null +++ b/modules/hosts/nixos/hetznix01/restic.nix @@ -0,0 +1,10 @@ +{ ... }: { + imports = [ + ../../../system/common/linux/restic.nix + ]; + + services.restic.backups.daily.paths = [ + "/var/lib/uptime-kuma" + ]; +} + From c68680eff44d79c216445570803e00a7928ae51a Mon Sep 17 00:00:00 2001 
From: Gene Liverman Date: Sat, 15 Jun 2024 20:42:25 -0400 Subject: [PATCH 06/12] Organize bits better, add OwnTracks --- modules/hosts/nixos/hetznix01/default.nix | 8 +- modules/hosts/nixos/hetznix01/nginx.nix | 50 ---------- modules/hosts/nixos/hetznix01/owntracks.nix | 20 ++++ .../{sops.nix => post-install-general.nix} | 26 +++++- .../nixos/hetznix01/post-install-nginx.nix | 93 +++++++++++++++++++ modules/hosts/nixos/hetznix01/restic.nix | 10 -- modules/hosts/nixos/hetznix01/tailscale.nix | 14 --- 7 files changed, 139 insertions(+), 82 deletions(-) delete mode 100644 modules/hosts/nixos/hetznix01/nginx.nix create mode 100644 modules/hosts/nixos/hetznix01/owntracks.nix rename modules/hosts/nixos/hetznix01/{sops.nix => post-install-general.nix} (51%) create mode 100644 modules/hosts/nixos/hetznix01/post-install-nginx.nix delete mode 100644 modules/hosts/nixos/hetznix01/restic.nix delete mode 100644 modules/hosts/nixos/hetznix01/tailscale.nix diff --git a/modules/hosts/nixos/hetznix01/default.nix b/modules/hosts/nixos/hetznix01/default.nix index 787d56d..35946b0 100644 --- a/modules/hosts/nixos/hetznix01/default.nix +++ b/modules/hosts/nixos/hetznix01/default.nix @@ -2,11 +2,9 @@ imports = [ ./hardware-configuration.nix ./disk-config.nix - # Added post-install - ./sops.nix - ./nginx.nix - ./restic.nix - ./tailscale.nix + ./owntracks.nix + ./post-install-general.nix + ./post-install-nginx.nix ]; system.stateVersion = "24.05"; diff --git a/modules/hosts/nixos/hetznix01/nginx.nix b/modules/hosts/nixos/hetznix01/nginx.nix deleted file mode 100644 index 641f63d..0000000 --- a/modules/hosts/nixos/hetznix01/nginx.nix +++ /dev/null 
@@ -1,50 +0,0 @@ -{ ... }: let - http_port = 80; - https_port = 443; -in { - imports = [ - ../../../system/common/linux/lets-encrypt.nix - ]; - services.nginx = { - enable = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - appendHttpConfig = '' - # Add HSTS header with preloading to HTTPS requests. - # Adding this header to HTTP requests is discouraged - map $scheme $hsts_header { - https "max-age=31536000 always;"; - } - add_header Strict-Transport-Security $hsts_header; - ''; - virtualHosts = { - "hetznix01.technicalissues.us" = { - default = true; - listen = [ - { port = http_port; addr = "0.0.0.0"; } - { port = https_port; addr = "0.0.0.0"; ssl = true; } - ]; - enableACME = true; - acmeRoot = null; - addSSL = true; - forceSSL = false; - locations."/" = { - return = "200 '

Hello world ;)

'"; - extraConfig = '' - add_header Content-Type text/html; - ''; - }; - }; - "utk.technicalissues.us" = { - listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }]; - enableACME = true; - acmeRoot = null; - forceSSL = true; - locations."/".proxyWebsockets = true; - locations."/".proxyPass = "http://127.0.0.1:3001"; - }; - }; # end virtualHosts - }; # end nginx -} diff --git a/modules/hosts/nixos/hetznix01/owntracks.nix b/modules/hosts/nixos/hetznix01/owntracks.nix new file mode 100644 index 0000000..3c6fd49 --- /dev/null +++ b/modules/hosts/nixos/hetznix01/owntracks.nix @@ -0,0 +1,20 @@ +{ config, pkgs, ... }: let + frontend_port = "8082"; +in { + environment.systemPackages = with pkgs; [ + owntracks-recorder + ]; + + virtualisation.oci-containers.containers = { + "owntracks-frontend" = { + autoStart = true; + image = "docker.io/owntracks/frontend:2.15.3"; + environment = { + LISTEN = frontend_port; + SERVER_HOST = config.networking.hostName; + SERVER_PORT = "8083"; + }; + ports = [ "${frontend_port}:${frontend_port}" ]; + }; + }; +} diff --git a/modules/hosts/nixos/hetznix01/sops.nix b/modules/hosts/nixos/hetznix01/post-install-general.nix similarity index 51% rename from modules/hosts/nixos/hetznix01/sops.nix rename to modules/hosts/nixos/hetznix01/post-install-general.nix index abd4db0..a40721f 100644 --- a/modules/hosts/nixos/hetznix01/sops.nix +++ b/modules/hosts/nixos/hetznix01/post-install-general.nix @@ -1,4 +1,25 @@ -{ username, ... }: { +{ config, username, ... }: { + imports = [ + ../../../system/common/linux/restic.nix + ]; + + services = { + restic.backups.daily.paths = [ + "/var/lib/uptime-kuma" + ]; + tailscale = { + enable = true; + authKeyFile = config.sops.secrets.tailscale_key.path; + extraUpFlags = [ + "--advertise-exit-node" + "--operator" + "${username}" + "--ssh" + ]; + useRoutingFeatures = "both"; + }; + }; + sops = { age.keyFile = /home/${username}/.config/sops/age/keys.txt; defaultSopsFile = ./secrets.yaml; 
@@ -16,5 +37,4 @@ }; }; }; -} - +} \ No newline at end of file diff --git a/modules/hosts/nixos/hetznix01/post-install-nginx.nix b/modules/hosts/nixos/hetznix01/post-install-nginx.nix new file mode 100644 index 0000000..b155366 --- /dev/null +++ b/modules/hosts/nixos/hetznix01/post-install-nginx.nix @@ -0,0 +1,93 @@ +{ config, ... }: let + domain = "technicalissues.us"; + http_port = 80; + https_port = 443; +in { + imports = [ + ../../../system/common/linux/lets-encrypt.nix + ]; + services.nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + appendHttpConfig = '' + # Add HSTS header with preloading to HTTPS requests. + # Adding this header to HTTP requests is discouraged + map $scheme $hsts_header { + https "max-age=31536000 always;"; + } + add_header Strict-Transport-Security $hsts_header; + ''; + virtualHosts = { + "hetznix01.${domain}" = { + default = true; + listen = [ + { port = http_port; addr = "0.0.0.0"; } + { port = https_port; addr = "0.0.0.0"; ssl = true; } + ]; + enableACME = true; + acmeRoot = null; + addSSL = true; + forceSSL = false; + locations."/" = { + return = "200 '

Hello world ;)

'"; + extraConfig = '' + add_header Content-Type text/html; + ''; + }; + }; + "ot.${domain}}" = { + listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }]; + enableACME = true; + acmeRoot = null; + forceSSL = true; + basicAuthFile = config.sops.secrets.owntracks_basic_auth.path; + locations = { + # OwnTracks Frontend container + "/" = { + proxypass = "http://127.0.0.1:8082"; + recommendedproxysettings = true; + }; + # OwnTracks Recorder + "/owntracks/" = { + proxypass = "http://127.0.0.1:8083"; + recommendedproxysettings = true; + }; + "/owntracks/pub" = { # Client apps need to point to this path + extraConfig = "proxy_set_header X-Limit-U $remote_user;"; + proxypass = "http://127.0.0.1:8083/pub"; + recommendedproxysettings = true; + }; + "/owntracks/static/" = { + proxypass = "http://127.0.0.1:8083/static/"; + recommendedproxysettings = true; + }; + "/owntracks/utils/" = { + proxypass = "http://127.0.0.1:8083/utils/"; + recommendedproxysettings = true; + }; + "/owntracks/view/" = { + extraConfig = "proxy_buffering off;"; + proxypass = "http://127.0.0.1:8083/view/"; + recommendedproxysettings = true; + }; + "/owntracks/ws" = { + extraConfig = "rewrite ^/owntracks/(.*) /$1 break;"; + proxyPass = "http://127.0.0.1:8083"; + recommendedProxySettings = true; + }; + }; + }; + "utk.${domain}" = { + listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }]; + enableACME = true; + acmeRoot = null; + forceSSL = true; + locations."/".proxyWebsockets = true; + locations."/".proxyPass = "http://127.0.0.1:3001"; + }; + }; # end virtualHosts + }; # end nginx +} diff --git a/modules/hosts/nixos/hetznix01/restic.nix b/modules/hosts/nixos/hetznix01/restic.nix deleted file mode 100644 index 5acd1b2..0000000 --- a/modules/hosts/nixos/hetznix01/restic.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ ... }: { - imports = [ - ../../../system/common/linux/restic.nix - ]; - - services.restic.backups.daily.paths = [ - "/var/lib/uptime-kuma" - ]; -} - 
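Review bot: The `$hsts_header` map value `"max-age=31536000 always;"` places the literal text ` always;` inside the header value, so clients receive `Strict-Transport-Security: max-age=31536000 always;`, which is not a valid `max-age` directive under RFC 6797 and is likely to be ignored; the `always` flag belongs on the directive, i.e. `https "max-age=31536000; includeSubDomains";` in the map and `add_header Strict-Transport-Security $hsts_header always;` below it. The comment says "with preloading" but no `preload` token is emitted; either add it once every subdomain of `technicalissues.us` is known to serve HTTPS, or drop the word. Note also that the `hetznix01.${domain}` `/` location sets its own `add_header Content-Type text/html`, and nginx does not inherit parent `add_header` directives into a block that defines one, so that location sends no HSTS header unless the HSTS `add_header` is repeated there.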
diff --git a/modules/hosts/nixos/hetznix01/tailscale.nix b/modules/hosts/nixos/hetznix01/tailscale.nix deleted file mode 100644 index d6f3278..0000000 --- a/modules/hosts/nixos/hetznix01/tailscale.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ config, username, ... }: { - services.tailscale = { - enable = true; - authKeyFile = config.sops.secrets.tailscale_key.path; - extraUpFlags = [ - "--advertise-exit-node" - "--operator" - "${username}" - "--ssh" - ]; - useRoutingFeatures = "both"; - }; -} - From 158397df0c3f7bb86e7755c4fa4b546d4beb1ba1 Mon Sep 17 00:00:00 2001 From: Gene Liverman Date: Sun, 16 Jun 2024 07:31:27 -0400 Subject: [PATCH 07/12] OwnTracks works now --- modules/hosts/nixos/hetznix01/default.nix | 9 +++- modules/hosts/nixos/hetznix01/owntracks.nix | 53 ++++++++++++++++--- .../nixos/hetznix01/post-install-general.nix | 21 +++++++- .../nixos/hetznix01/post-install-nginx.nix | 50 ++++++++++------- modules/hosts/nixos/hetznix01/secrets.yaml | 6 ++- 5 files changed, 108 insertions(+), 31 deletions(-) diff --git a/modules/hosts/nixos/hetznix01/default.nix b/modules/hosts/nixos/hetznix01/default.nix index 35946b0..fd7a562 100644 --- a/modules/hosts/nixos/hetznix01/default.nix +++ b/modules/hosts/nixos/hetznix01/default.nix @@ -1,8 +1,7 @@ -{ username, ... }: { +{ pkgs, username, ... }: { imports = [ ./hardware-configuration.nix ./disk-config.nix - ./owntracks.nix ./post-install-general.nix ./post-install-nginx.nix ]; @@ -17,6 +16,11 @@ efiInstallAsRemovable = true; }; + environment.systemPackages = with pkgs; [ + podman-tui # status of containers in the terminal + podman-compose + ]; + networking = { # Open ports in the firewall. firewall.allowedTCPPorts = [ @@ -74,6 +78,7 @@ isNormalUser = true; description = "Gene Liverman"; extraGroups = [ "networkmanager" "wheel" ]; + linger = true; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBjigwV0KnnaTnFmKjjvnULa5X+hvsy2FAlu+lUUY59f gene@rainbow-planet" ]; 
diff --git a/modules/hosts/nixos/hetznix01/owntracks.nix b/modules/hosts/nixos/hetznix01/owntracks.nix
index 3c6fd49..0765bf4 100644
--- a/modules/hosts/nixos/hetznix01/owntracks.nix
+++ b/modules/hosts/nixos/hetznix01/owntracks.nix
@@ -1,9 +1,42 @@
 { config, pkgs, ... }: let
 frontend_port = "8082";
 in {
- environment.systemPackages = with pkgs; [
- owntracks-recorder
- ];
+ environment = {
+ etc = {
+ "default/ot-recorder".text = ''
+ OTR_USER="recorder"
+ OTR_PASS="toenail-madmen-nazareth-fum"
+ OTR_GEOKEY="opencage:b85db97221cc4239b34e0ca07e71471e"
+ OTR_TOPICS="owntracks/#"
+ OTR_HTTPHOST="127.0.0.1"
+ OTR_HTTPPREFIX="owntracks"
+ '';
+ };
+ };
+
+ services.mosquitto = {
+ enable = true;
+ persistence = true;
+ listeners = [
+ {
+ address = "127.0.0.1";
+ port = 1883;
+ users = {
+ recorder.passwordFile = config.sops.secrets.mqtt_recorder_pass.path;
+ };
+ }
+ ];
+ };
+
+ users = {
+ groups.owntracks.gid = config.users.users.owntracks.uid;
+ users.owntracks = {
+ isSystemUser = true;
+ description = "OwnTracks";
+ group = "owntracks";
+ home = "/home/owntracks";
+ };
+ };
 
 virtualisation.oci-containers.containers = {
 "owntracks-frontend" = {
@@ -11,10 +44,18 @@ in {
 image = "docker.io/owntracks/frontend:2.15.3";
 environment = {
 LISTEN = frontend_port;
- SERVER_HOST = config.networking.hostName;
- SERVER_PORT = "8083";
+ SERVER_HOST = "ot-recorder";
 };
- ports = [ "${frontend_port}:${frontend_port}" ];
+ ports = [ "127.0.0.1:${frontend_port}:80" ];
+ };
+ "ot-recorder" = {
+ autoStart = true;
+ image = "docker.io/owntracks/frontend:2.15.3";
+ ports = [ "127.0.0.1:8083:8083" ];
+ volumes = [
+ "/etc/default/config:/config"
+ "/var/spool/owntracks/recorder/store:/store"
+ ];
 };
 };
 }
diff --git a/modules/hosts/nixos/hetznix01/post-install-general.nix b/modules/hosts/nixos/hetznix01/post-install-general.nix
index a40721f..8304433 100644
--- a/modules/hosts/nixos/hetznix01/post-install-general.nix
+++ b/modules/hosts/nixos/hetznix01/post-install-general.nix
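Review bot: `environment.etc."default/ot-recorder".text` hard-codes the recorder's MQTT password (`OTR_PASS`) and an OpenCage API key (`OTR_GEOKEY`) in the Nix expression, so both now live in git history and in the world-readable Nix store, and `/etc/default/ot-recorder` is readable by every local account. The same commit already puts this password behind sops as `mqtt_recorder_pass` for mosquitto, so the recorder side should come from sops too — e.g. an `ot_recorder_env` secret with `path = "/etc/default/ot-recorder";` (or a `sops.templates` entry interpolating `mqtt_recorder_pass`) — and the committed password and geokey should be treated as leaked and rotated. Two things in the `ot-recorder` container also look off: its `image` is `docker.io/owntracks/frontend:2.15.3` rather than a recorder image, and it mounts `/etc/default/config`, which does not match the file written at `/etc/default/ot-recorder`, so presumably the container is not reading this config at all. Since the recorder runs in a container while mosquitto listens on `127.0.0.1:1883` on the host, confirm the container can actually reach the broker; that is not visible here.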
@@ -32,9 +32,28 @@ owner = "${username}"; path = "/home/${username}/.private-env"; }; + mqtt_recorder_pass.restartUnits = ["mosquitto.service"]; + owntracks_basic_auth = { + owner = config.users.users.nginx.name; + restartUnits = ["nginx.service"]; + }; tailscale_key = { restartUnits = [ "tailscaled-autoconnect.service" ]; }; }; }; -} \ No newline at end of file + + # Enable common container config files in /etc/containers + virtualisation.containers.enable = true; + virtualisation = { + podman = { + enable = true; + + # Create a `docker` alias for podman, to use it as a drop-in replacement + dockerCompat = true; + + # Required for containers under podman-compose to be able to talk to each other. + defaultNetwork.settings.dns_enabled = true; + }; + }; +} diff --git a/modules/hosts/nixos/hetznix01/post-install-nginx.nix b/modules/hosts/nixos/hetznix01/post-install-nginx.nix index b155366..f089d1e 100644 --- a/modules/hosts/nixos/hetznix01/post-install-nginx.nix +++ b/modules/hosts/nixos/hetznix01/post-install-nginx.nix @@ -3,6 +3,7 @@ http_port = 80; https_port = 443; in { + imports = [ ../../../system/common/linux/lets-encrypt.nix ]; @@ -38,7 +39,7 @@ in { ''; }; }; - "ot.${domain}}" = { + "ot.${domain}" = { listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }]; enableACME = true; acmeRoot = null; 
@@ -47,34 +48,43 @@ in { locations = { # OwnTracks Frontend container "/" = { - proxypass = "http://127.0.0.1:8082"; - recommendedproxysettings = true; + proxyPass = "http://127.0.0.1:8082"; + recommendedProxySettings = true; }; + }; + }; + "recorder.${domain}" = { + listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }]; + enableACME = true; + acmeRoot = null; + forceSSL = true; + basicAuthFile = config.sops.secrets.owntracks_basic_auth.path; + locations = { # OwnTracks Recorder - "/owntracks/" = { - proxypass = "http://127.0.0.1:8083"; - recommendedproxysettings = true; + "/" = { + proxyPass = "http://127.0.0.1:8083"; + recommendedProxySettings = true; }; - "/owntracks/pub" = { # Client apps need to point to this path + "/pub" = { # Client apps need to point to this path extraConfig = "proxy_set_header X-Limit-U $remote_user;"; - proxypass = "http://127.0.0.1:8083/pub"; - recommendedproxysettings = true; + proxyPass = "http://127.0.0.1:8083/pub"; + recommendedProxySettings = true; }; - "/owntracks/static/" = { - proxypass = "http://127.0.0.1:8083/static/"; - recommendedproxysettings = true; + "/static/" = { + proxyPass = "http://127.0.0.1:8083/static/"; + recommendedProxySettings = true; }; - "/owntracks/utils/" = { - proxypass = "http://127.0.0.1:8083/utils/"; - recommendedproxysettings = true; + "/utils/" = { + proxyPass = "http://127.0.0.1:8083/utils/"; + recommendedProxySettings = true; }; - "/owntracks/view/" = { + "/view/" = { extraConfig = "proxy_buffering off;"; - proxypass = "http://127.0.0.1:8083/view/"; - recommendedproxysettings = true; + proxyPass = "http://127.0.0.1:8083/view/"; + recommendedProxySettings = true; }; - "/owntracks/ws" = { - extraConfig = "rewrite ^/owntracks/(.*) /$1 break;"; + "/ws" = { + extraConfig = "rewrite ^/(.*) /$1 break;"; proxyPass = "http://127.0.0.1:8083"; recommendedProxySettings = true; }; 
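Review bot: With the `/owntracks` prefix gone, the `rewrite ^/(.*) /$1 break;` kept on the `/ws` location rewrites every URI to itself and can simply be dropped; `proxyPass = "http://127.0.0.1:8083";` together with the module's `recommendedProxySettings` (which already sends the `Upgrade`/`Connection` headers) is all the WebSocket location needs. Also note that `"/pub"` and `"/ws"` are prefix locations, so `/public…` or `/wsx` would be proxied too and would carry the `X-Limit-U $remote_user` header; `"= /pub"` (or `"/pub/"` if the recorder accepts it) confines the user-scoping header to the intended endpoint. The `virtualHosts` attrset these locations belong to starts and ends outside the hunk.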
diff --git a/modules/hosts/nixos/hetznix01/secrets.yaml b/modules/hosts/nixos/hetznix01/secrets.yaml index 8f55189..9f799a8 100644 --- a/modules/hosts/nixos/hetznix01/secrets.yaml +++ b/modules/hosts/nixos/hetznix01/secrets.yaml @@ -1,5 +1,7 @@ local_git_config: ENC[AES256_GCM,data:BulcGoJ85+BA3maqbMewUdaNOl3feaJMq/4yZL8Y8SLOHqzmA/DUO7k=,iv:V7wpSiEQpt7AhKd+MUyGqTsO6YZovpkj+AaqpLnfRM0=,tag:7f3fFzQX3bpjokVPnUKDPQ==,type:str] local_private_env: ENC[AES256_GCM,data:OFcCaE9/hpd6JIoUTTxg0pEFL3rkUE3G+JzP/wjFXpa/AJa2Rr0Kv42Pu+iwgPMWgcpp50ChjVxGvbceNQ==,iv:I2LyWwvdMdE4wKLb3udLVMu3jFsvYR1ruZvaVt9GG7c=,tag:tBPmlNr0iNdLRU1GIRV2mg==,type:str] +mqtt_recorder_pass: ENC[AES256_GCM,data:N44nv2mk5zguWXNHdKsxhoKUjiduD1hzsAb6,iv:aLudKuUBTPXgtAF33exELH/PESD0CqoDaydeqdhcmbA=,tag:3lhrqO8jxJiRHWZjWSRa0g==,type:str] +owntracks_basic_auth: ENC[AES256_GCM,data:GX1U1uf7+erE+g9GzhXK5ED2QicfcbpRCwpJDw6Zr9X2FtdMYleH5mhLxw==,iv:PflRq+P50+oFf4wv5wwlY6V9bApGuJ3tlYTvJZ5mg0E=,tag:VHBY5qv7rX74DGURsYaWpw==,type:str] tailscale_key: ENC[AES256_GCM,data:Bl00WuIrLvxmt7aNsoXC6G7XFls7waZMzdfo/MsEOZl/i3wHwrjrmgwd3V4GkaJ42UjrC1OLobrkuLves4w=,iv:tlCu0EWgvhvs1ANdtQr7KWHJ2RjpHniUm/rFC4L/MHs=,tag:+8eov9w+SPGZPnjMdrN8gA==,type:str] sops: kms: [] 
@@ -16,8 +18,8 @@ sops: WkI4ejBaODI0d0tjWHpTT3VWTXNyaXcKMDtvHN4gcZqBNslyC+NwYW05zgs8QuPV W6EktAz+xu6kx5BJbli5GkUFmj52AtEGIqZ1Sr4a0pKQACC87XcTQA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-06-15T20:49:45Z" - mac: ENC[AES256_GCM,data:TPY25QfdBEoQbOMoF0kDIv9P3uwqY5pq2HyFIckhidaKvUNog5OVHmXsycpEZ+JC6NOPHWpd0wrYB8XYJI4R3ND/w3Gjl/NGEnDjX7FihkhQZOlTUap+/7UBL3gTQKR/jd0enWn1FIQuOrXmNsJ3RhPStQNpHRmgSPR5FVecJFI=,iv:dIQmQjKK7VFnxOYxkDSRDZNFpsv1+6YU9tpOr8XsTtw=,tag:FDlGiuJR2mwuci+z2Pa5rg==,type:str] + lastmodified: "2024-06-16T03:36:06Z" + mac: ENC[AES256_GCM,data:KkJ7awR2HwH8MBHrDzOifwD6ePACWsGFaNg8/eixKvb+/V4k2NkOxZPzdemcqMaCPCzhX9bGlE76MGy9y6JWvln+yKkBx7uilSdfGu5bVnMQY0JT8r2nW4tCfJ1VpLOxdvcw8pUjeK/oizvUolk7DJ1PecrPQuSmhGkOAL6h6dA=,iv:nd0F7sU9hYOu3qb0kXSstRt8M3QDmciSs5ArtiXI6XQ=,tag:gGG8NnO690UrTq6y4NnK9w==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 From d285d449325547e142d370a8b20f3c9db1038886 Mon Sep 17 00:00:00 2001 From: Gene Liverman Date: Mon, 17 Jun 2024 08:16:54 -0400 Subject: [PATCH 08/12] Temporarily add a different owntracks file --- .../hosts/nixos/hetznix01/owntracks.nix-back | 75 +++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 modules/hosts/nixos/hetznix01/owntracks.nix-back diff --git a/modules/hosts/nixos/hetznix01/owntracks.nix-back b/modules/hosts/nixos/hetznix01/owntracks.nix-back new file mode 100644 index 0000000..71e595b --- /dev/null +++ b/modules/hosts/nixos/hetznix01/owntracks.nix-back 
@@ -0,0 +1,75 @@
+{ config, pkgs, ... }: let
+ frontend_port = "8082";
+in {
+ environment = {
+ etc = {
+ "default/ot-recorder".text = ''
+ OTR_USER="recorder"
+ OTR_PASS="toenail-madmen-nazareth-fum"
+ OTR_GEOKEY="opencage:b85db97221cc4239b34e0ca07e71471e"
+ OTR_TOPICS="owntracks/#"
+ OTR_HTTPHOST="127.0.0.1"
+ OTR_HTTPPREFIX="owntracks"
+ '';
+ };
+ systemPackages = with pkgs; [
+ owntracks-recorder
+ ];
+ };
+
+ services.mosquitto = {
+ enable = true;
+ persistence = true;
+ listeners = [
+ {
+ address = "127.0.0.1";
+ port = 1883;
+ users = {
+ recorder.passwordFile = config.sops.secrets.mqtt_recorder_pass.path;
+ };
+ }
+ ];
+ };
+
+ systemd.services.ot-recorder = {
+ name = "ot-recorder.service";
+ unitConfig = {
+ Description = "OwnTracks Recorder";
+ Wants = "network-online.target";
+ After = "network-online.target";
+ };
+ serviceConfig = {
+ Type = "simple";
+ User = "owntracks";
+ WorkingDirectory = "/";
+ ExecStartPre = "${pkgs.coreutils-full.out}/bin/sleep 15";
+ ExecStart = "${pkgs.owntracks-recorder.out}/bin/ot-recorder --debug";
+ };
+ wantedBy = [ "multi-user.target" ];
+ restartTriggers = [
+ config.environment.etc."default/ot-recorder".source
+ ];
+ };
+
+ users = {
+ groups.owntracks.gid = config.users.users.owntracks.uid;
+ users.owntracks = {
+ isSystemUser = true;
+ description = "OwnTracks";
+ group = "owntracks";
+ home = "/home/owntracks";
+ };
+ };
+
+ virtualisation.oci-containers.containers = {
+ "owntracks-frontend" = {
+ autoStart = true;
+ image = "docker.io/owntracks/frontend:2.15.3";
+ environment = {
+ LISTEN = frontend_port;
+ SERVER_HOST = "host.containers.internal";
+ };
+ ports = [ "127.0.0.1:${frontend_port}:80" ];
+ };
+ };
+}
From 972cb8bc82f75a7dad7dcc393455bad711947cb6 Mon Sep 17 00:00:00 2001
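Review bot: This backup file commits a second copy of the clear-text `OTR_PASS` and `OTR_GEOKEY` values, and since nothing imports a `.nix-back` file under `modules/` it adds exposure without adding function; it belongs outside the repo (a `*.nix-back` entry next to the `*.kate-swp` one in `.gitignore`, or a scratch branch) and the credentials should be rotated. If the native `systemd.services.ot-recorder` variant is the one to keep, feed it the `OTR_*` settings (which the recorder reads from its environment, as far as I know) through `serviceConfig.EnvironmentFile` pointing at a new sops secret rather than through `environment.etc`, put `restartUnits = [ "ot-recorder.service" ]` on that secret in place of the `restartTriggers` entry, and replace `ExecStartPre = "…/sleep 15"` with `after`/`requires` on `mosquitto.service` so the recorder starts when the broker is up rather than on a timer. Because the unit already runs as the dedicated `owntracks` user with `WorkingDirectory = "/"`, a few hardening directives are cheap to add; the write path below assumes the recorder's store is the `/var/spool/owntracks` tree mounted in owntracks.nix, which should be confirmed. The rewritten unit would look roughly like this:

```nix
  systemd.services.ot-recorder = {
    # … unchanged: name, unitConfig, wantedBy …
    after = [ "mosquitto.service" ];
    requires = [ "mosquitto.service" ];
    serviceConfig = {
      Type = "simple";
      User = "owntracks";
      WorkingDirectory = "/";
      # OTR_* settings come from a sops-managed env file, not from /etc/default
      EnvironmentFile = config.sops.secrets.ot_recorder_env.path;
      ExecStart = "${pkgs.owntracks-recorder.out}/bin/ot-recorder --debug";
      NoNewPrivileges = true;
      ProtectSystem = "strict";
      ProtectHome = true;
      ReadWritePaths = [ "/var/spool/owntracks" ];
    };
  };
```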
From: Gene Liverman Date: Mon, 17 Jun 2024 21:40:01 -0400 Subject: [PATCH 09/12] Working on setting up matrix --- .gitignore | 1 + modules/hosts/nixos/hetznix01/default.nix | 7 ++- .../default.nix} | 6 ++- .../hetznix01/post-install/matrix-synapse.nix | 46 +++++++++++++++++++ .../nginx.nix} | 2 +- 5 files changed, 57 insertions(+), 5 deletions(-) rename modules/hosts/nixos/hetznix01/{post-install-general.nix => post-install/default.nix} (91%) create mode 100644 modules/hosts/nixos/hetznix01/post-install/matrix-synapse.nix rename modules/hosts/nixos/hetznix01/{post-install-nginx.nix => post-install/nginx.nix} (98%) diff --git a/.gitignore b/.gitignore index 72f8bf7..df14d79 100644 --- a/.gitignore +++ b/.gitignore @@ -6,6 +6,7 @@ .dccache *.swp +*.kate-swp # Config files that are not suitable to add to version control: link/nix/config/.mono/ diff --git a/modules/hosts/nixos/hetznix01/default.nix b/modules/hosts/nixos/hetznix01/default.nix index fd7a562..20e31b3 100644 --- a/modules/hosts/nixos/hetznix01/default.nix +++ b/modules/hosts/nixos/hetznix01/default.nix @@ -2,8 +2,7 @@ imports = [ ./hardware-configuration.nix ./disk-config.nix - ./post-install-general.nix - ./post-install-nginx.nix + ./post-install ]; system.stateVersion = "24.05"; @@ -41,6 +40,10 @@ services = { fail2ban.enable = true; + postgresql = { + enable = true; + package = pkgs.postresql_16; + }; uptime-kuma = { enable = true; settings = { diff --git a/modules/hosts/nixos/hetznix01/post-install-general.nix b/modules/hosts/nixos/hetznix01/post-install/default.nix similarity index 91% rename from modules/hosts/nixos/hetznix01/post-install-general.nix rename to modules/hosts/nixos/hetznix01/post-install/default.nix index 8304433..30200b0 100644 --- a/modules/hosts/nixos/hetznix01/post-install-general.nix +++ b/modules/hosts/nixos/hetznix01/post-install/default.nix 
@@ -1,6 +1,8 @@ { config, username, ... }: { imports = [ - ../../../system/common/linux/restic.nix + ../../../../system/common/linux/restic.nix + ./matrix-synapse.nix + ./nginx.nix ]; services = { @@ -22,7 +24,7 @@ sops = { age.keyFile = /home/${username}/.config/sops/age/keys.txt; - defaultSopsFile = ./secrets.yaml; + defaultSopsFile = ../secrets.yaml; secrets = { local_git_config = { owner = "${username}"; diff --git a/modules/hosts/nixos/hetznix01/post-install/matrix-synapse.nix b/modules/hosts/nixos/hetznix01/post-install/matrix-synapse.nix new file mode 100644 index 0000000..c5dd2fd --- /dev/null +++ b/modules/hosts/nixos/hetznix01/post-install/matrix-synapse.nix @@ -0,0 +1,46 @@ +{ config, pkgs, ... }: let + # +in { + services.matrix-synapse = { + enable = true; + configureRedisLocally = true; + settings = { + public_baseurl = "https://matrix.technicalissues.us"; + listeners = [ + { + port = 8008; + tls = false; + type = "http"; + x_forwarded = true; + bind_addresses = [ + "::1" + "127.0.0.1" + ]; + resources = [ + { + names = [ + "client" + "federation" + ]; + compress = false; + } + ]; + } + ]; + database = { + name = "psycopg2"; + args = { + user = "synapse_user"; + database = "synapse"; + }; + }; + url_preview_enabled = true; + enable_registration = false; + registration_shared_secret = config.sops.secrets.matrix-registration_shared_secret; + macaroon_secret_key = config.sops.secrets.matrix-macaroon_secret_key; + trusted_key_servers = [{ server_name = "matrix.org"; }]; + + }; + + }; +} diff --git a/modules/hosts/nixos/hetznix01/post-install-nginx.nix b/modules/hosts/nixos/hetznix01/post-install/nginx.nix similarity index 98% rename from modules/hosts/nixos/hetznix01/post-install-nginx.nix rename to modules/hosts/nixos/hetznix01/post-install/nginx.nix index f089d1e..ef0b7bb 100644 --- a/modules/hosts/nixos/hetznix01/post-install-nginx.nix +++ b/modules/hosts/nixos/hetznix01/post-install/nginx.nix 
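Review bot: `url_preview_enabled = true` turns Synapse into an HTTP client that fetches whatever URL a user pastes, so the new matrix-synapse.nix should set `url_preview_ip_range_blacklist` explicitly next to that flag — the NixOS module supplies a private-range default as far as I recall, but an explicit list that also covers this host's own public addresses and any provider metadata endpoint is the check a reviewer wants to see, and the default should be confirmed before being relied on. `trusted_key_servers = [{ server_name = "matrix.org"; }]` without `verify_keys` makes Synapse emit a key-server warning on every start unless `suppress_key_server_warning = true;` is set; either pin matrix.org's key or set that option so genuine warnings are not drowned out. The listener bound to `127.0.0.1`/`::1` with `x_forwarded = true` is only safe while nginx is the sole route to port 8008, which is configured in a separate file.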
@@ -5,7 +5,7 @@ in { imports = [ - ../../../system/common/linux/lets-encrypt.nix + ../../../../system/common/linux/lets-encrypt.nix ]; services.nginx = { enable = true; From 37187d29f99629f8d68d4cf91839aab10b7f7b5b Mon Sep 17 00:00:00 2001 From: Gene Liverman Date: Mon, 17 Jun 2024 21:55:06 -0400 Subject: [PATCH 10/12] update path to secrets for matrix --- .../hosts/nixos/hetznix01/post-install/matrix-synapse.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/modules/hosts/nixos/hetznix01/post-install/matrix-synapse.nix b/modules/hosts/nixos/hetznix01/post-install/matrix-synapse.nix index c5dd2fd..6770ab8 100644 --- a/modules/hosts/nixos/hetznix01/post-install/matrix-synapse.nix +++ b/modules/hosts/nixos/hetznix01/post-install/matrix-synapse.nix @@ -4,6 +4,10 @@ in { services.matrix-synapse = { enable = true; configureRedisLocally = true; + enableRegistrationScript = true; + extraConfigFiles = [ + config.sops.secrets.matrix_secrets_yaml; + ]; settings = { public_baseurl = "https://matrix.technicalissues.us"; listeners = [ @@ -36,8 +40,6 @@ in { }; url_preview_enabled = true; enable_registration = false; - registration_shared_secret = config.sops.secrets.matrix-registration_shared_secret; - macaroon_secret_key = config.sops.secrets.matrix-macaroon_secret_key; trusted_key_servers = [{ server_name = "matrix.org"; }]; }; From fac12b855e1640bd847986bbc036a3c5c40b4ec3 Mon Sep 17 00:00:00 2001 From: Gene Liverman Date: Mon, 17 Jun 2024 22:18:21 -0400 Subject: [PATCH 11/12] Working through errors --- modules/hosts/nixos/hetznix01/default.nix | 2 +- modules/hosts/nixos/hetznix01/post-install/default.nix | 4 ++++ .../hosts/nixos/hetznix01/post-install/matrix-synapse.nix | 4 ++-- modules/hosts/nixos/hetznix01/secrets.yaml | 5 +++-- 4 files changed, 10 insertions(+), 5 deletions(-) diff --git a/modules/hosts/nixos/hetznix01/default.nix b/modules/hosts/nixos/hetznix01/default.nix index 20e31b3..fd63a63 100644 
--- a/modules/hosts/nixos/hetznix01/default.nix +++ b/modules/hosts/nixos/hetznix01/default.nix @@ -42,7 +42,7 @@ fail2ban.enable = true; postgresql = { enable = true; - package = pkgs.postresql_16; + package = pkgs.postgresql_16; }; uptime-kuma = { enable = true; diff --git a/modules/hosts/nixos/hetznix01/post-install/default.nix b/modules/hosts/nixos/hetznix01/post-install/default.nix index 30200b0..a0c9b3a 100644 --- a/modules/hosts/nixos/hetznix01/post-install/default.nix +++ b/modules/hosts/nixos/hetznix01/post-install/default.nix @@ -34,6 +34,10 @@ owner = "${username}"; path = "/home/${username}/.private-env"; }; + matrix_secrets_yaml = { + owner = config.users.users.matrix-synapse.name; + restartUnits = ["matrix-synapse.service"]; + }; mqtt_recorder_pass.restartUnits = ["mosquitto.service"]; owntracks_basic_auth = { owner = config.users.users.nginx.name; diff --git a/modules/hosts/nixos/hetznix01/post-install/matrix-synapse.nix b/modules/hosts/nixos/hetznix01/post-install/matrix-synapse.nix index 6770ab8..74ac820 100644 --- a/modules/hosts/nixos/hetznix01/post-install/matrix-synapse.nix +++ b/modules/hosts/nixos/hetznix01/post-install/matrix-synapse.nix @@ -6,10 +6,10 @@ in { configureRedisLocally = true; enableRegistrationScript = true; extraConfigFiles = [ - config.sops.secrets.matrix_secrets_yaml; + config.sops.secrets.matrix_secrets_yaml.path ]; settings = { - public_baseurl = "https://matrix.technicalissues.us"; + public_baseurl = "https://matrix-test.technicalissues.us"; listeners = [ { port = 8008; diff --git a/modules/hosts/nixos/hetznix01/secrets.yaml b/modules/hosts/nixos/hetznix01/secrets.yaml index 9f799a8..4abb301 100644 --- a/modules/hosts/nixos/hetznix01/secrets.yaml +++ b/modules/hosts/nixos/hetznix01/secrets.yaml 
@@ -1,5 +1,6 @@ local_git_config: ENC[AES256_GCM,data:BulcGoJ85+BA3maqbMewUdaNOl3feaJMq/4yZL8Y8SLOHqzmA/DUO7k=,iv:V7wpSiEQpt7AhKd+MUyGqTsO6YZovpkj+AaqpLnfRM0=,tag:7f3fFzQX3bpjokVPnUKDPQ==,type:str] local_private_env: ENC[AES256_GCM,data:OFcCaE9/hpd6JIoUTTxg0pEFL3rkUE3G+JzP/wjFXpa/AJa2Rr0Kv42Pu+iwgPMWgcpp50ChjVxGvbceNQ==,iv:I2LyWwvdMdE4wKLb3udLVMu3jFsvYR1ruZvaVt9GG7c=,tag:tBPmlNr0iNdLRU1GIRV2mg==,type:str] +matrix_secrets_yaml: ENC[AES256_GCM,data:El9razifgbJEaJd9NccOZX1RuZQHRyw6Yg7TY4G8vDtD2w7KxnHUG7bcpIQodh3I1GDjj3gQcHXP6HNs0zS7UjaoGltDt3mHnrhqkvvDW/RgAGrJ9nUsQitB3yhF51PG3IOK1SSbIBk+Pr/wQWbs11ic8i+fGJ6yPcv8k/X5Az8rKmDqDuZh9KUvSB3SQ9J/roOZ+HDb8fv1VmMgZZNGmkOUGZupZkKd+kc2rWrBl5zHTd9XUH6oLk2EwRDufR7T,iv:xCG8xJ7A1bFwK9v1+XJ+vSp/GXCTwdKCL4H/uQ6h4fQ=,tag:Z72quTZvJUMLJ+VJVsTKrw==,type:str] mqtt_recorder_pass: ENC[AES256_GCM,data:N44nv2mk5zguWXNHdKsxhoKUjiduD1hzsAb6,iv:aLudKuUBTPXgtAF33exELH/PESD0CqoDaydeqdhcmbA=,tag:3lhrqO8jxJiRHWZjWSRa0g==,type:str] owntracks_basic_auth: ENC[AES256_GCM,data:GX1U1uf7+erE+g9GzhXK5ED2QicfcbpRCwpJDw6Zr9X2FtdMYleH5mhLxw==,iv:PflRq+P50+oFf4wv5wwlY6V9bApGuJ3tlYTvJZ5mg0E=,tag:VHBY5qv7rX74DGURsYaWpw==,type:str] tailscale_key: ENC[AES256_GCM,data:Bl00WuIrLvxmt7aNsoXC6G7XFls7waZMzdfo/MsEOZl/i3wHwrjrmgwd3V4GkaJ42UjrC1OLobrkuLves4w=,iv:tlCu0EWgvhvs1ANdtQr7KWHJ2RjpHniUm/rFC4L/MHs=,tag:+8eov9w+SPGZPnjMdrN8gA==,type:str] 
@@ -18,8 +19,8 @@ sops: WkI4ejBaODI0d0tjWHpTT3VWTXNyaXcKMDtvHN4gcZqBNslyC+NwYW05zgs8QuPV W6EktAz+xu6kx5BJbli5GkUFmj52AtEGIqZ1Sr4a0pKQACC87XcTQA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-06-16T03:36:06Z" - mac: ENC[AES256_GCM,data:KkJ7awR2HwH8MBHrDzOifwD6ePACWsGFaNg8/eixKvb+/V4k2NkOxZPzdemcqMaCPCzhX9bGlE76MGy9y6JWvln+yKkBx7uilSdfGu5bVnMQY0JT8r2nW4tCfJ1VpLOxdvcw8pUjeK/oizvUolk7DJ1PecrPQuSmhGkOAL6h6dA=,iv:nd0F7sU9hYOu3qb0kXSstRt8M3QDmciSs5ArtiXI6XQ=,tag:gGG8NnO690UrTq6y4NnK9w==,type:str] + lastmodified: "2024-06-18T01:49:28Z" + mac: ENC[AES256_GCM,data:ckwiYte2TP4ufiFkmX2cTuNNae+VizjQ/CM1b1m3Lz3Vo5utd1g82loChQS95s9lr1dmKljuUbklHzg74JbNCeFky4f6od5CEydq/R9dXFTZKBen9cLcdvTVQ0i6E9rZS0t6ohy3wMFyJxw0ss6Zyykd0cqQOPuFBpyHmKFZTVs=,iv:85G4CxlLPD0Ac6KxRYaZ+4H9uj8Co6nmh1bbL6s3MVI=,tag:oyRhgR2Uf7lWFIlH5FKAvw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 From f3e75455b3dcceab50f466b9eb4b4a8a0b3f4e96 Mon Sep 17 00:00:00 2001 From: Gene Liverman Date: Wed, 19 Jun 2024 00:08:01 -0400 Subject: [PATCH 12/12] Matrix works, Nginx is carrying the load --- modules/hosts/nixos/hetznix01/default.nix | 1 + .../nixos/hetznix01/post-install/default.nix | 1 + .../hetznix01/post-install/matrix-synapse.nix | 12 +-- .../nixos/hetznix01/post-install/nginx.nix | 81 +++++++++++++------ modules/hosts/nixos/hetznix01/secrets.yaml | 7 +- 5 files changed, 66 insertions(+), 36 deletions(-) diff --git a/modules/hosts/nixos/hetznix01/default.nix b/modules/hosts/nixos/hetznix01/default.nix index fd63a63..0a6161f 100644 --- a/modules/hosts/nixos/hetznix01/default.nix +++ b/modules/hosts/nixos/hetznix01/default.nix @@ -40,6 +40,7 @@ services = { fail2ban.enable = true; + logrotate.enable = true; postgresql = { enable = true; package = pkgs.postgresql_16; diff --git a/modules/hosts/nixos/hetznix01/post-install/default.nix b/modules/hosts/nixos/hetznix01/post-install/default.nix index a0c9b3a..8bbc04e 100644 --- a/modules/hosts/nixos/hetznix01/post-install/default.nix 
+++ b/modules/hosts/nixos/hetznix01/post-install/default.nix @@ -38,6 +38,7 @@ owner = config.users.users.matrix-synapse.name; restartUnits = ["matrix-synapse.service"]; }; + matrix_homeserver_signing_key.owner = config.users.users.matrix-synapse.name; mqtt_recorder_pass.restartUnits = ["mosquitto.service"]; owntracks_basic_auth = { owner = config.users.users.nginx.name; diff --git a/modules/hosts/nixos/hetznix01/post-install/matrix-synapse.nix b/modules/hosts/nixos/hetznix01/post-install/matrix-synapse.nix index 74ac820..d320b2a 100644 --- a/modules/hosts/nixos/hetznix01/post-install/matrix-synapse.nix +++ b/modules/hosts/nixos/hetznix01/post-install/matrix-synapse.nix @@ -9,7 +9,9 @@ in { config.sops.secrets.matrix_secrets_yaml.path ]; settings = { - public_baseurl = "https://matrix-test.technicalissues.us"; + server_name = "technicalissues.us"; + public_baseurl = "https://matrix.technicalissues.us"; + signing_key_path = config.sops.secrets.matrix_homeserver_signing_key.path; listeners = [ { port = 8008; @@ -31,17 +33,9 @@ in { ]; } ]; - database = { - name = "psycopg2"; - args = { - user = "synapse_user"; - database = "synapse"; - }; - }; url_preview_enabled = true; enable_registration = false; trusted_key_servers = [{ server_name = "matrix.org"; }]; - }; }; diff --git a/modules/hosts/nixos/hetznix01/post-install/nginx.nix b/modules/hosts/nixos/hetznix01/post-install/nginx.nix index ef0b7bb..d7e0a55 100644 --- a/modules/hosts/nixos/hetznix01/post-install/nginx.nix +++ b/modules/hosts/nixos/hetznix01/post-install/nginx.nix @@ -9,6 +9,7 @@ in { ]; services.nginx = { enable = true; + recommendedBrotliSettings = true; recommendedGzipSettings = true; recommendedOptimisation = true; recommendedProxySettings = true; 
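Review bot: `matrix_homeserver_signing_key` gets an owner but, unlike `matrix_secrets_yaml` directly above it, no `restartUnits`, so a deploy that changes the key leaves the running Synapse signing with the old one until something else restarts it; `matrix_homeserver_signing_key = { owner = config.users.users.matrix-synapse.name; restartUnits = [ "matrix-synapse.service" ]; };` keeps the two secrets consistent. With `signing_key_path` now pointing at the sops-managed file, any key Synapse generated under its state directory on an earlier start is no longer used, so the sops value needs to be that same key (one `ed25519 <id> <base64>` line) or federation peers that cached the old key will reject signatures — and a later rotation should go through `old_signing_keys` rather than a silent swap. The `sops.secrets` attrset this hunk edits starts and ends outside the hunk.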
@@ -21,40 +22,79 @@ in { } add_header Strict-Transport-Security $hsts_header; ''; + defaultListen = [ + { port = https_port; addr = "0.0.0.0"; ssl = true; } + { port = https_port; addr = "[::]"; ssl = true; } + ]; virtualHosts = { "hetznix01.${domain}" = { + serverAliases = [ + "technicalissues.us" + ]; default = true; + enableACME = true; + acmeRoot = null; + forceSSL = true; + locations = { + "/" = { + return = "301 https://beanbag.technicalissues.us"; + }; + "/.well-known/matrix/client" = { + return = '' + 200 '{"m.homeserver": {"base_url": "https://matrix.technicalissues.us"}}' + ''; + extraConfig = '' + default_type application/json; + add_header Access-Control-Allow-Origin *; + ''; + }; + "/.well-known/matrix/server" = { + return = '' + 200 '{"m.server": "matrix.technicalissues.us"}' + ''; + extraConfig = '' + default_type application/json; + add_header Access-Control-Allow-Origin *; + ''; + }; + }; + }; + "matrix.${domain}" = { listen = [ - { port = http_port; addr = "0.0.0.0"; } { port = https_port; addr = "0.0.0.0"; ssl = true; } + { port = https_port; addr = "[::]"; ssl = true; } + { port = 8448; addr = "0.0.0.0"; ssl = true; } + { port = 8448; addr = "[::]"; ssl = true; } ]; enableACME = true; acmeRoot = null; - addSSL = true; - forceSSL = false; - locations."/" = { - return = "200 '

Hello world ;)

'"; - extraConfig = '' - add_header Content-Type text/html; - ''; + forceSSL = true; + extraConfig = '' + client_max_body_size 0; + ''; + locations = { + "/" = { + return = "200 '

Hi.

'"; + extraConfig = '' + add_header Content-Type text/html; + ''; + }; + # Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash + # *must not* be used here. + "/_matrix".proxyPass = "http://[::1]:8008"; + # Forward requests for e.g. SSO and password-resets. + "/_synapse/client".proxyPass = "http://[::1]:8008"; }; }; "ot.${domain}" = { - listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }]; enableACME = true; acmeRoot = null; forceSSL = true; basicAuthFile = config.sops.secrets.owntracks_basic_auth.path; - locations = { - # OwnTracks Frontend container - "/" = { - proxyPass = "http://127.0.0.1:8082"; - recommendedProxySettings = true; - }; - }; + # OwnTracks Frontend container + locations."/".proxyPass = "http://127.0.0.1:8082"; }; "recorder.${domain}" = { - listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }]; enableACME = true; acmeRoot = null; forceSSL = true; @@ -63,35 +103,28 @@ in { # OwnTracks Recorder "/" = { proxyPass = "http://127.0.0.1:8083"; - recommendedProxySettings = true; }; "/pub" = { # Client apps need to point to this path extraConfig = "proxy_set_header X-Limit-U $remote_user;"; proxyPass = "http://127.0.0.1:8083/pub"; - recommendedProxySettings = true; }; "/static/" = { proxyPass = "http://127.0.0.1:8083/static/"; - recommendedProxySettings = true; }; "/utils/" = { proxyPass = "http://127.0.0.1:8083/utils/"; - recommendedProxySettings = true; }; "/view/" = { extraConfig = "proxy_buffering off;"; proxyPass = "http://127.0.0.1:8083/view/"; - recommendedProxySettings = true; }; "/ws" = { extraConfig = "rewrite ^/(.*) /$1 break;"; proxyPass = "http://127.0.0.1:8083"; - recommendedProxySettings = true; }; }; }; "utk.${domain}" = { - listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }]; enableACME = true; acmeRoot = null; forceSSL = true; diff --git a/modules/hosts/nixos/hetznix01/secrets.yaml b/modules/hosts/nixos/hetznix01/secrets.yaml index 4abb301..10532b2 100644 
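Review bot: The `add_header Access-Control-Allow-Origin *;` lines in the two `/.well-known/matrix/*` locations, and `add_header Content-Type text/html;` in the `matrix.${domain}` `/` location, silently drop `Strict-Transport-Security` from those responses, because nginx stops inheriting `add_header` from the outer level as soon as a location defines its own; repeat `add_header Strict-Transport-Security $hsts_header;` in each of those `extraConfig` blocks (or move the HSTS header into a shared snippet) so the header set in `commonHttpConfig` at the top of the hunk still reaches clients. `default_type application/json;` is the right way to type a `return` body, so the `matrix.${domain}` landing page should likewise use `default_type text/html;` instead of an `add_header Content-Type`, which yields a second Content-Type header next to nginx's default. `client_max_body_size 0;` removes nginx's request-body limit for the whole Matrix vhost, including `/` and `/_synapse/client`; a value matching Synapse's `max_upload_size` would bound what an unauthenticated client can make nginx buffer. Every `defaultListen` entry is `ssl = true`, so as far as I can tell no plain-HTTP listener is left for the `forceSSL` redirect servers — worth checking that port 80 still answers with a 301 after this change.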
--- a/modules/hosts/nixos/hetznix01/secrets.yaml +++ b/modules/hosts/nixos/hetznix01/secrets.yaml 
@@ -1,6 +1,7 @@ local_git_config: ENC[AES256_GCM,data:BulcGoJ85+BA3maqbMewUdaNOl3feaJMq/4yZL8Y8SLOHqzmA/DUO7k=,iv:V7wpSiEQpt7AhKd+MUyGqTsO6YZovpkj+AaqpLnfRM0=,tag:7f3fFzQX3bpjokVPnUKDPQ==,type:str] local_private_env: ENC[AES256_GCM,data:OFcCaE9/hpd6JIoUTTxg0pEFL3rkUE3G+JzP/wjFXpa/AJa2Rr0Kv42Pu+iwgPMWgcpp50ChjVxGvbceNQ==,iv:I2LyWwvdMdE4wKLb3udLVMu3jFsvYR1ruZvaVt9GG7c=,tag:tBPmlNr0iNdLRU1GIRV2mg==,type:str] -matrix_secrets_yaml: ENC[AES256_GCM,data:El9razifgbJEaJd9NccOZX1RuZQHRyw6Yg7TY4G8vDtD2w7KxnHUG7bcpIQodh3I1GDjj3gQcHXP6HNs0zS7UjaoGltDt3mHnrhqkvvDW/RgAGrJ9nUsQitB3yhF51PG3IOK1SSbIBk+Pr/wQWbs11ic8i+fGJ6yPcv8k/X5Az8rKmDqDuZh9KUvSB3SQ9J/roOZ+HDb8fv1VmMgZZNGmkOUGZupZkKd+kc2rWrBl5zHTd9XUH6oLk2EwRDufR7T,iv:xCG8xJ7A1bFwK9v1+XJ+vSp/GXCTwdKCL4H/uQ6h4fQ=,tag:Z72quTZvJUMLJ+VJVsTKrw==,type:str] +matrix_secrets_yaml: ENC[AES256_GCM,data:6DLtAZIYBlL7iQVS/FBeUEhHyAOFZ5JRNqFBqi59GVh7cP0Hp8RBWxKpWAH2eUPYqUqUGCKrSSH3sJqzV+vasSR62tcltV7+13+q+rZVCZNCEf21EwQ5aaxgR3yG4n3YUPqLsCQB6UnWn0tF5HO0ofjYkya0pQ/nX9TBiiqIcPcd4NovbTtf+S0G0VptqyXAuRvJoKCx42ft9IBfV9tF1QsXLemKYlI10hN5l/MgJHwVbwH5xXR2kLKvnlpAyIoST/uJhswQV9DyK9cnl09ZM9ztcXhveBzv6uDW+pme8lFL99SMtMJcbSzxYW/pt+GJgYd1NiaoPbayWM72jdpH0hf2zWchxnIJIyL3H6EzIjD8BE9GnMP7ujQwBZGNZITRSg==,iv:cDtuOhv2v6CZcwiMM3oqjmajIl7D8Im+LkfarcjTM/w=,tag:e7zRQBYslJqESOGN3c4/aw==,type:str] +matrix_homeserver_signing_key: ENC[AES256_GCM,data:+RflNxFfS2w9LbavT7YnCQIhJWI49kN7pOa9/dH0BpDWxKQaLE4ZYBYq0ikAgcHaF3+rBL3f6KxUacw=,iv:6+nZzuxBUwjM74XHCD89YWfyuMRcoIwQlHLiNN4NWdc=,tag:91yigynRz6QdEd4rF7d/9g==,type:str] mqtt_recorder_pass: ENC[AES256_GCM,data:N44nv2mk5zguWXNHdKsxhoKUjiduD1hzsAb6,iv:aLudKuUBTPXgtAF33exELH/PESD0CqoDaydeqdhcmbA=,tag:3lhrqO8jxJiRHWZjWSRa0g==,type:str] owntracks_basic_auth: ENC[AES256_GCM,data:GX1U1uf7+erE+g9GzhXK5ED2QicfcbpRCwpJDw6Zr9X2FtdMYleH5mhLxw==,iv:PflRq+P50+oFf4wv5wwlY6V9bApGuJ3tlYTvJZ5mg0E=,tag:VHBY5qv7rX74DGURsYaWpw==,type:str] tailscale_key: 
ENC[AES256_GCM,data:Bl00WuIrLvxmt7aNsoXC6G7XFls7waZMzdfo/MsEOZl/i3wHwrjrmgwd3V4GkaJ42UjrC1OLobrkuLves4w=,iv:tlCu0EWgvhvs1ANdtQr7KWHJ2RjpHniUm/rFC4L/MHs=,tag:+8eov9w+SPGZPnjMdrN8gA==,type:str] @@ -19,8 +20,8 @@ sops: WkI4ejBaODI0d0tjWHpTT3VWTXNyaXcKMDtvHN4gcZqBNslyC+NwYW05zgs8QuPV W6EktAz+xu6kx5BJbli5GkUFmj52AtEGIqZ1Sr4a0pKQACC87XcTQA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-06-18T01:49:28Z" - mac: ENC[AES256_GCM,data:ckwiYte2TP4ufiFkmX2cTuNNae+VizjQ/CM1b1m3Lz3Vo5utd1g82loChQS95s9lr1dmKljuUbklHzg74JbNCeFky4f6od5CEydq/R9dXFTZKBen9cLcdvTVQ0i6E9rZS0t6ohy3wMFyJxw0ss6Zyykd0cqQOPuFBpyHmKFZTVs=,iv:85G4CxlLPD0Ac6KxRYaZ+4H9uj8Co6nmh1bbL6s3MVI=,tag:oyRhgR2Uf7lWFIlH5FKAvw==,type:str] + lastmodified: "2024-06-19T01:44:04Z" + mac: ENC[AES256_GCM,data:PU4r7DhcG6OgqTCeKBtxyAHDErGH6Eh33sOd+KuImQ74ajgahFNfd4zO27OldZbSERkOYLuFqw7w9+zblV3eaaXRQx97Ek3z4oMtJFv2t9lnNfG0lm45c1eECKV742mzTDi6/bcnQMdn/CaGli8DL45IGGctW+beXRJza0S3wEY=,iv:51WymgQc4OWcannaD4g+fjp4vc75WonWsOMS3Jyz7Xo=,tag:dmNFFgkuKQxy2Snb/HjX/A==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1