diff --git a/.sops.yaml b/.sops.yaml index 8933c7c..65dd998 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -6,22 +6,22 @@ keys: - &hopper age15mgf89h220puhz48rjpwxwu4n2h4edur60w6cd8gku2hh4e5kqpsghvnyw creation_rules: - - path_regex: home/secrets + - path_regex: home/profiles/secrets key_groups: - age: - *xun - - path_regex: systemProfiles/secrets/global + - path_regex: sys/profiles/secrets/global key_groups: - age: - *xun - *nixdesk - *hopper - - path_regex: systemProfiles/secrets/nixdesk + - path_regex: sys/proofiles/secrets/nixdesk key_groups: - age: - *xun - *nixdesk - - path_regex: systemProfiles/secrets/hopper + - path_regex: sys/profiles/secrets/hopper key_groups: - age: - *xun diff --git a/flake.lock b/flake.lock index 87b2c61..4366ad2 100644 --- a/flake.lock +++ b/flake.lock @@ -144,22 +144,6 @@ } }, "flake-compat_2": { - "flake": false, - "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_3": { "locked": { "lastModified": 1696426674, "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", @@ -173,7 +157,7 @@ "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz" } }, - "flake-compat_4": { + "flake-compat_3": { "flake": false, "locked": { "lastModified": 1696426674, @@ -265,24 +249,6 @@ } }, "flake-utils_3": { - "inputs": { - "systems": "systems_2" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_4": { "inputs": { "systems": [ "stylix", 
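Review bot: The renamed rule for the desktop reads `path_regex: sys/proofiles/secrets/nixdesk` (extra `o`), so after this change no creation rule matches files under `sys/profiles/secrets/nixdesk`: new secrets there cannot be created with `sops`, and `sops updatekeys` on the existing ones will fail for lack of a matching rule rather than re-encrypt them to the `xun` and `nixdesk` keys, while the `global` and `hopper` rules still work. The fix is `- path_regex: sys/profiles/secrets/nixdesk`. Since `path_regex` is an unanchored regular expression matched against the repository-relative path, anchoring the four rules, e.g. `- path_regex: ^sys/profiles/secrets/global`, would also keep a future directory that merely contains the substring from quietly inheriting the wider key group. Whether a catch-all rule without `path_regex` follows these is outside the hunk.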
@@ -631,7 +597,7 @@ "nixvim": { "inputs": { "devshell": "devshell", - "flake-compat": "flake-compat_3", + "flake-compat": "flake-compat_2", "flake-parts": "flake-parts_2", "git-hooks": "git-hooks", "home-manager": "home-manager_2", @@ -659,7 +625,7 @@ }, "nuschtosSearch": { "inputs": { - "flake-utils": "flake-utils_3", + "flake-utils": "flake-utils_2", "ixx": "ixx", "nixpkgs": [ "nvim-nix", @@ -681,28 +647,6 @@ "type": "github" } }, - "nvfetcher": { - "inputs": { - "flake-compat": "flake-compat_2", - "flake-utils": "flake-utils_2", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1732501185, - "narHash": "sha256-Z0BpHelaGQsE5VD9hBsBHsvMU9h+Xt0kfkDJyFivZOU=", - "owner": "berberman", - "repo": "nvfetcher", - "rev": "bdb14eab6fe9cefc29efe01e60c3a3f616d6b62a", - "type": "github" - }, - "original": { - "owner": "berberman", - "repo": "nvfetcher", - "type": "github" - } - }, "nvim-nix": { "inputs": { "nixpkgs": [ @@ -733,7 +677,6 @@ "nix-index-database": "nix-index-database", "nixos-wsl": "nixos-wsl", "nixpkgs": "nixpkgs", - "nvfetcher": "nvfetcher", "nvim-nix": "nvim-nix", "sobercookie": "sobercookie", "sops-nix": "sops-nix", @@ -788,15 +731,15 @@ "base16-helix": "base16-helix", "base16-vim": "base16-vim", "firefox-gnome-theme": "firefox-gnome-theme", - "flake-compat": "flake-compat_4", - "flake-utils": "flake-utils_4", + "flake-compat": "flake-compat_3", + "flake-utils": "flake-utils_3", "git-hooks": "git-hooks_2", "gnome-shell": "gnome-shell", "home-manager": "home-manager_3", "nixpkgs": [ "nixpkgs" ], - "systems": "systems_3", + "systems": "systems_2", "tinted-foot": "tinted-foot", "tinted-kitty": "tinted-kitty", "tinted-tmux": "tinted-tmux", 
@@ -846,21 +789,6 @@ "type": "github" } }, - "systems_3": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "tinted-foot": { "flake": false, "locked": { diff --git a/flake.nix b/flake.nix index ed047ef..537d856 100644 --- a/flake.nix +++ b/flake.nix @@ -57,8 +57,8 @@ nixos-wsl.url = "github:nix-community/NixOS-WSL/main"; nixos-wsl.inputs.nixpkgs.follows = "nixpkgs"; - nvfetcher.url = "github:berberman/nvfetcher"; - nvfetcher.inputs.nixpkgs.follows = "nixpkgs"; + # nvfetcher.url = "github:berberman/nvfetcher"; + # nvfetcher.inputs.nixpkgs.follows = "nixpkgs"; vpn-confinement.url = "github:Maroka-chan/VPN-Confinement"; diff --git a/readme.txt b/readme.txt index 2433a14..9913a53 100644 --- a/readme.txt +++ b/readme.txt @@ -3,3 +3,7 @@ config files for my puters nixdesk - main desktop hopper - server kidney - wsl + +TODO + +firewall things within my tailnet with networking.firewall.interfaces.tailscale0 diff --git a/shells/default.nix b/shells/default.nix index 23341b8..24d997b 100644 --- a/shells/default.nix +++ b/shells/default.nix @@ -7,6 +7,7 @@ just home-manager sops + nvfetcher ]; }; } diff --git a/sys/machines/hopper/lab/default.nix b/sys/machines/hopper/lab/default.nix index d4ee1bd..f657bbc 100644 --- a/sys/machines/hopper/lab/default.nix +++ b/sys/machines/hopper/lab/default.nix @@ -13,6 +13,7 @@ slskdUiPort = 23488; caddyLocal = 8562; ncPort = 46523; + adguardWebPort = 23489; kanidmPort = 8300; in { imports = [ @@ -55,6 +56,7 @@ in { wireguardConfigFile = config.sops.secrets.wireguard.path; accessibleFrom = [ "192.168.0.0/24" + # "127.0.0.1" ]; # Forwarded to my vpn, for making things accessible from outside 
@@ -78,10 +80,10 @@ in { passthrough = [ caddyPort slskdUiPort + 80 # caddy 1900 # jellyfin discovery 7359 # jellyfin discovery - config.services.transmission.settings.rpc-port - 80 # homepage + # 9001 ]; in (l.map (x: { from = x; @@ -129,16 +131,31 @@ in { }; slskd = { useACMEHost = null; - hostName = ":${toString slskdUiPort}"; + hostName = "slskd.hopper.xun.host:80"; extraConfig = '' reverse_proxy localhost:${toString config.services.slskd.settings.web.port} ''; }; + + transmission = { + useACMEHost = null; + hostName = "transmission.hopper.xun.host:80"; + extraConfig = '' + reverse_proxy localhost:${toString config.services.transmission.settings.rpc-port} + ''; + }; dash = { useACMEHost = null; - hostName = ":80"; + hostName = "dash.hopper.xun.host:80"; extraConfig = "reverse_proxy localhost:${toString config.services.homepage-dashboard.listenPort}"; }; + # prometheus = { + # useACMEHost = null; + # hostName = "prometheus.hopper.xun.host:80"; + # extraConfig = '' + # reverse_proxy ${toString config.vpnNamespaces."wg".bridgeAddress}:9001 + # ''; + # }; other = { hostName = ":${toString caddyPort}"; extraConfig = '' @@ -147,6 +164,15 @@ in { } ''; }; + otherPriv = { + useACMEHost = null; + hostName = ":80"; + extraConfig = '' + respond 404 { + body "uhh that doesnt exist, i hope this isnt my fault.." + } + ''; + }; }; }; @@ -162,22 +188,26 @@ in { resources = { cpu = true; disk = "/"; + uptime = ""; + units = "metric"; + cputemp = true; memory = true; + network = true; }; } ]; services = [ { - "Obtaining" = [ + "Downloading" = [ { "transmission" = { - href = "http://${config.networking.hostName}:9091"; + href = "http://transmission.hopper.xun.host"; icon = "transmission"; }; } { "slskd" = { - href = "http://${config.networking.hostName}:23488"; + href = "http://slskd.hopper.xun.host"; icon = "slskd"; }; } 
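Review bot: Port 80 is now both listed in `passthrough` (`80 # caddy`) and the port on which the transmission, slskd and dashboard vhosts are served, so if `passthrough` is, as the comment at the end of the previous hunk says, the set of ports forwarded from the VPN endpoint to this host, anyone on the VPN side can reach the transmission RPC and slskd UI just by sending `Host: transmission.hopper.xun.host` — Caddy's name-based routing does not check the client address, and `useACMEHost = null` puts plain HTTP with no authentication in front of them. The AdGuard rewrites later in this file point these names at `100.115.105.144`, which suggests they are meant to be tailnet-only; if so, either drop `80` from `passthrough` and keep the externally forwarded vhosts on `caddyPort`, or gate each private vhost with a source matcher such as `@tailnet remote_ip 100.64.0.0/10`, `reverse_proxy @tailnet localhost:…` and `respond 403` for everything else. The `let` that defines `passthrough` starts before this hunk, and whether the removed `rpc-port` and `80 # homepage` entries were the only outside route before is not visible here.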
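Review bot: The new `transmission` vhost forwards the browser's `Host: transmission.hopper.xun.host` header to the daemon unchanged (Caddy's `reverse_proxy` preserves Host by default), and Transmission rejects RPC requests whose Host is not in `rpc-host-whitelist` with 421 unless `rpc-host-whitelist-enabled` is false; the transmission settings are not in this hunk, so either add the name to that whitelist or set `header_up Host {upstream_hostport}` inside the `reverse_proxy` block. These vhosts also depend entirely on whatever login Transmission and slskd themselves enforce, and with `useACMEHost = null` they are served over plain HTTP, so those credentials cross every hop outside the tailnet in the clear — worth a comment on the `slskd`/`transmission`/`dash` entries stating that they are only intended to be reachable via the tailnet address. The commented-out `prometheus` vhost would expose port 9001 inside the `wg` namespace the same way if it is ever uncommented.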
@@ -187,10 +217,28 @@ in { "Services" = [ { "jellyfin" = { - href = "https://jellyfin.xunuwu.xyz"; + href = "https://jellyfin.${domain}"; icon = "jellyfin"; }; } + { + "adguard home" = { + href = "http://${config.networking.hostName}:${toString config.services.adguardhome.port}"; + icon = "adguard-home"; + }; + } + { + "prometheus" = { + href = "http://${config.networking.hostName}:${toString config.services.prometheus.port}"; + icon = "prometheus"; + }; + } + { + "kanidm" = { + href = "https://kanidm.${domain}"; + icon = "kanidm"; + }; + } ]; } ]; @@ -201,9 +249,7 @@ in { vpnNamespace = "wg"; }; - services.jellyfin = { - enable = true; - }; + services.jellyfin.enable = true; services.prometheus = { enable = true; @@ -310,7 +356,7 @@ in { InaccessiblePaths = lib.mkForce []; }; }; - boot.kernel.sysctl."fs.inotify.max_user_watches" = 524288; + boot.kernel.sysctl."fs.inotify.max_user_watches" = 99999999; services.kanidm = { package = pkgs.kanidm_1_4.override {enableSecretProvisioning = true;}; enableServer = true; @@ -338,5 +384,38 @@ in { }; }; + services.adguardhome = { + enable = true; + mutableSettings = false; + port = adguardWebPort; + # host = "100.115.105.144"; + settings = { + dhcp.enabled = false; + dns = { + # port = adguardDnsPort; + upstream_dns = [ + "quic://dns.nextdns.io" + "https://cloudflare-dns.com/dns-query" + "tls://unfiltered.adguard-dns.com" + "https://dns10.quad9.net/dns-query" + ]; + bind_hosts = ["100.115.105.144"]; + bootstrap_dns = ["1.1.1.1" "8.8.8.8"]; + }; + filtering = { + rewrites = [ + { + domain = "*.hopper.xun.host"; + answer = "100.115.105.144"; + } + { + domain = "hopper.xun.host"; + answer = "100.115.105.144"; + } + ]; + }; + }; + }; + ## TODO: add forgejo } diff --git a/sys/profiles/secrets/hopper/default.nix b/sys/profiles/secrets/hopper/default.nix index 4913b8b..6a26f1f 100644 --- a/sys/profiles/secrets/hopper/default.nix +++ b/sys/profiles/secrets/hopper/default.nix 
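Review bot: `fs.inotify.max_user_watches = 99999999` is a per-user ceiling, and each inotify watch pins roughly 1 KiB of unswappable kernel memory on 64-bit, so this lets any single local account — including a compromised service user — reserve on the order of 100 GB of kernel memory before the limit bites, which is effectively no limit and turns the sysctl into a local DoS knob rather than a guard. The previous 524288 (≈512 MiB) is already generous for library scanning; if a specific service reports running out, raise it to what that service actually needs and say which one, e.g. `boot.kernel.sysctl."fs.inotify.max_user_watches" = 1048576; # jellyfin library watchers`.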
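Review bot: `services.adguardhome.host` is left commented out, so the admin UI on `adguardWebPort` binds to the module default (all interfaces) even though DNS is deliberately pinned to the Tailscale address via `bind_hosts = ["100.115.105.144"]`; and with `mutableSettings = false` and no `users` in `settings`, AdGuard Home serves that UI without a login unless accounts are declared somewhere not shown here, so whoever the host firewall admits on another interface could change upstreams and rewrites for every tailnet client. Set `host = "100.115.105.144";` (the dashboard link built from `config.networking.hostName` then only works if that name resolves to the tailnet address) and add an admin account, e.g. `settings.users = [ { name = "admin"; password = "<bcrypt hash>"; } ];`. A comment on the `rewrites` block noting that `*.hopper.xun.host` only resolves to the tailnet address for clients using this resolver, so the Caddy vhosts above must not treat the name as proof of a tailnet source, would also help.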
@@ -7,14 +7,14 @@ in { format = "binary"; sopsFile = ./wireguard; }; - grafana-pass = { - format = "binary"; - sopsFile = ./grafana-pass; - }; - wireguard-config = { - format = "binary"; - sopsFile = ./wireguard-config; - }; + # grafana-pass = { + # format = "binary"; + # sopsFile = ./grafana-pass; + # }; + # wireguard-config = { + # format = "binary"; + # sopsFile = ./wireguard-config; + # }; slskd = { format = "binary"; @@ -25,26 +25,26 @@ in { format = "binary"; sopsFile = ./cloudflare; }; - jackett = { - format = "binary"; - sopsFile = ./jackett; - restartUnits = ["podman-qbittorrent.service"]; - }; - betanin = { - format = "binary"; - sopsFile = ./betanin; - restartUnits = ["podman-betanin.service"]; - }; + # jackett = { + # format = "binary"; + # sopsFile = ./jackett; + # restartUnits = ["podman-qbittorrent.service"]; + # }; + # betanin = { + # format = "binary"; + # sopsFile = ./betanin; + # restartUnits = ["podman-betanin.service"]; + # }; transmission = { format = "binary"; sopsFile = ./transmission; }; - authentik = { - format = "binary"; - sopsFile = ./authentik; - }; + # authentik = { + # format = "binary"; + # sopsFile = ./authentik; + # }; "kanidm/admin_pass" = { sopsFile = ./kanidm.yaml; 
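Review bot: Commenting out `grafana-pass`, `wireguard-config`, `jackett`, `betanin` and `authentik` stops sops-nix from deploying them but leaves the encrypted files (`./grafana-pass`, `./wireguard-config`, `./jackett`, `./betanin`, `./authentik`) in the tree, still decryptable by every age recipient in the hopper rule of `.sops.yaml` and still re-encrypted on `sops updatekeys`. If those services are decommissioned, delete the files and rotate the credentials they held — a password or API key that lives on in git history should be treated as known to anyone who ever held the hopper or xun key; if they are coming back, a one-line `# disabled until grafana returns` beats dead blocks, which git history preserves anyway. The retained `restartUnits = ["podman-qbittorrent.service"]` and `podman-betanin.service` references point at units that do not appear anywhere in this diff, so re-enabling the blocks as-is would presumably restart nothing.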
@@ -71,45 +71,45 @@ in { # }; # authelia - authelia_lldap_password = { - format = "yaml"; - sopsFile = ./authelia.yaml; - key = "lldap_password"; - # owner = autheliaUser; - }; - authelia_jwt_secret = { - format = "yaml"; - sopsFile = ./authelia.yaml; - key = "jwt_secret"; - # owner = autheliaUser; - }; - authelia_session_secret = { - format = "yaml"; - sopsFile = ./authelia.yaml; - key = "session_secret"; - #owner = autheliaUser; - }; - authelia_encryption_key = { - format = "yaml"; - sopsFile = ./authelia.yaml; - key = "encryption_key"; - #owner = autheliaUser; - }; - authelia_storage_password = { - format = "yaml"; - sopsFile = ./authelia.yaml; - key = "storage_password"; - #owner = autheliaUser; - }; + # authelia_lldap_password = { + # format = "yaml"; + # sopsFile = ./authelia.yaml; + # key = "lldap_password"; + # # owner = autheliaUser; + # }; + # authelia_jwt_secret = { + # format = "yaml"; + # sopsFile = ./authelia.yaml; + # key = "jwt_secret"; + # # owner = autheliaUser; + # }; + # authelia_session_secret = { + # format = "yaml"; + # sopsFile = ./authelia.yaml; + # key = "session_secret"; + # #owner = autheliaUser; + # }; + # authelia_encryption_key = { + # format = "yaml"; + # sopsFile = ./authelia.yaml; + # key = "encryption_key"; + # #owner = autheliaUser; + # }; + # authelia_storage_password = { + # format = "yaml"; + # sopsFile = ./authelia.yaml; + # key = "storage_password"; + # #owner = autheliaUser; + # }; - brawlstars-api-key = { - format = "binary"; - sopsFile = ./brawlstars; - }; - wakapi = { - format = "binary"; - sopsFile = ./wakapi; - mode = "004"; - }; + # brawlstars-api-key = { + # format = "binary"; + # sopsFile = ./brawlstars; + # }; + # wakapi = { + # format = "binary"; + # sopsFile = ./wakapi; + # mode = "004"; + # }; }; }