From 44f2ab69ba444a3dd89f89c54f6809db76ef7a82 Mon Sep 17 00:00:00 2001
From: xunuwu
Date: Mon, 21 Apr 2025 21:31:29 +0200
Subject: [PATCH] change domain

---
 flake.lock | 24 ++++--------------
 flake.nix | 6 +++--
 sys/machines/hopper/lab/acme.nix | 21 ++++++++++-----
 sys/machines/hopper/lab/caddy.nix | 14 ++++++++--
 sys/machines/hopper/lab/homepage.nix | 14 +++++++---
 sys/machines/hopper/lab/navidrome.nix | 1 -
 sys/machines/hopper/lab/prometheus.nix | 6 +++++
 sys/machines/hopper/lab/vpn-namespace.nix | 1 +
 sys/profiles/secrets/hopper/default.nix | 2 ++
 sys/profiles/secrets/hopper/porkbun.yaml | 31 +++++++++++++++++++++++
 vars/common.nix | 3 +++
 11 files changed, 89 insertions(+), 34 deletions(-)
 create mode 100644 sys/profiles/secrets/hopper/porkbun.yaml
 create mode 100644 vars/common.nix

diff --git a/flake.lock b/flake.lock
index da56a2e..40384c4 100644
--- a/flake.lock
+++ b/flake.lock
@@ -679,7 +679,7 @@
 "git-hooks": "git-hooks",
 "hercules-ci-effects": "hercules-ci-effects",
 "neovim-src": "neovim-src",
- "nixpkgs": "nixpkgs_4",
+ "nixpkgs": "nixpkgs_3",
 "treefmt-nix": "treefmt-nix_2"
 },
 "locked": {
@@ -758,7 +758,9 @@
 "inputs": {
 "flake-compat": "flake-compat_2",
 "flake-utils": "flake-utils_3",
- "nixpkgs": "nixpkgs_2"
+ "nixpkgs": [
+ "nixpkgs"
+ ]
 },
 "locked": {
 "lastModified": 1745114634,
@@ -819,22 +821,6 @@
 }
 },
 "nixpkgs_3": {
- "locked": {
- "lastModified": 1742889210,
- "narHash": "sha256-hw63HnwnqU3ZQfsMclLhMvOezpM7RSB0dMAtD5/sOiw=",
- "owner": "nixos",
- "repo": "nixpkgs",
- "rev": "698214a32beb4f4c8e3942372c694f40848b360d",
- "type": "github"
- },
- "original": {
- "owner": "nixos",
- "ref": "nixos-unstable",
- "repo": "nixpkgs",
- "type": "github"
- }
- },
- "nixpkgs_4": {
 "locked": {
 "lastModified": 1740547748,
 "narHash": "sha256-Ly2fBL1LscV+KyCqPRufUBuiw+zmWrlJzpWOWbahplg=",
@@ -934,7 +920,7 @@
 "home-manager": "home-manager",
 "nix-index-database": "nix-index-database",
 "nix-minecraft": "nix-minecraft",
- "nixpkgs": "nixpkgs_3",
+ "nixpkgs": "nixpkgs_2",
 "nvim-config": "nvim-config",
 "sobercookie": "sobercookie",
 "sops-nix": "sops-nix",
diff --git a/flake.nix b/flake.nix
index a74b20e..5b81d09 100644
--- a/flake.nix
+++ b/flake.nix
@@ -9,13 +9,15 @@
 systemProfiles = mylib.loadTree2 ./sys/profiles;
 homeProfiles = mylib.loadTreeInf ./home/profiles;
 homeSuites = mylib.loadBranch ./home/suites;
+ vars = builtins.mapAttrs (_: v: import v) (mylib.loadBranch ./vars);
 in
 flake-parts.lib.mkFlake {inherit inputs;} {
 systems = ["x86_64-linux"];
 
 flake._mylib = mylib; # for debugging :3
+ flake._vars = vars; # for debugging :3
 flake.nixosConfigurations = mylib.loadConfigurations ./sys/machines {
- inherit inputs self systemProfiles homeProfiles homeSuites;
+ inherit inputs self systemProfiles homeProfiles homeSuites vars;
 };
 
 perSystem = {pkgs, ...}: {
@@ -62,7 +64,7 @@
 vpn-confinement.url = "github:Maroka-chan/VPN-Confinement";
 
 nix-minecraft.url = "github:Infinidoge/nix-minecraft";
- # nix-minecraft.inputs.nixpkgs.follows = "nixpkgs";
+ nix-minecraft.inputs.nixpkgs.follows = "nixpkgs";
 
 sobercookie.url = "github:xunuwu/sobercookie";
 sobercookie.inputs.nixpkgs.follows = "nixpkgs";
diff --git a/sys/machines/hopper/lab/acme.nix b/sys/machines/hopper/lab/acme.nix
index c91c16a..ed5095d 100644
--- a/sys/machines/hopper/lab/acme.nix
+++ b/sys/machines/hopper/lab/acme.nix
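Review bot: The new `vars = builtins.mapAttrs (_: v: import v) (mylib.loadBranch ./vars);` binding in the `@@ -9,13 +9,15 @@` hunk imports every file found under `./vars` as plain Nix and `flake._vars = vars;` re-exports all of it as a flake output, so whatever lands in that directory is as visible as any other source file in the evaluated flake. That is fine for the `domain` value in vars/common.nix, but nothing states the rule that this directory is for non-secret values only while credentials keep going through the sops-managed files under sys/profiles/secrets; a comment such as `# non-secret values shared across machines; secrets stay under sys/profiles/secrets (sops)` above the binding would make that explicit. The leading underscore on `_vars` is a naming convention and not access control, so if the debugging export is not needed it is simplest to leave it off.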
@@ -1,14 +1,23 @@
-{config, ...}: {
+{
+ config,
+ vars,
+ ...
+}: let
+ inherit (vars.common) domain;
+in {
 security.acme = {
 acceptTerms = true;
 defaults.email = "xunuwu@gmail.com";
 certs = {
- "xunuwu.xyz" = {
- domain = "*.xunuwu.xyz";
- dnsProvider = "cloudflare";
+ "${domain}" = {
+ domain = "${domain}";
+ extraDomainNames = ["*.${domain}"];
+ dnsProvider = "porkbun";
 reloadServices = ["caddy.service"];
- credentialFiles.CF_DNS_API_TOKEN_FILE = config.sops.secrets.cloudflare.path;
- extraDomainNames = ["xunuwu.xyz"];
+ credentialFiles = {
+ PORKBUN_API_KEY_FILE = config.sops.secrets.porkbun_api_key.path;
+ PORKBUN_SECRET_API_KEY_FILE = config.sops.secrets.porkbun_secret_key.path;
+ };
 };
 };
 };
diff --git a/sys/machines/hopper/lab/caddy.nix b/sys/machines/hopper/lab/caddy.nix
index 7694562..1560b92 100644
--- a/sys/machines/hopper/lab/caddy.nix
+++ b/sys/machines/hopper/lab/caddy.nix
@@ -1,5 +1,9 @@
-{config, ...}: let
- domain = "xunuwu.xyz";
+{
+ config,
+ vars,
+ ...
+}: let
+ inherit (vars.common) domain;
 caddyPort = 8336;
 in {
 systemd.services.caddy.vpnConfinement = {
@@ -7,8 +11,14 @@ in {
 vpnNamespace = "wg";
 };
 
+ systemd.services.caddy = {
+ environment.CADDY_ADMIN = "0.0.0.0:2019";
+ serviceConfig.RuntimeDirectory = "caddy";
+ };
+
 services.caddy = {
 enable = true;
+ globalConfig = "metrics";
 virtualHosts = {
 jellyfin = {
 useACMEHost = domain;
diff --git a/sys/machines/hopper/lab/homepage.nix b/sys/machines/hopper/lab/homepage.nix
index babf4c5..32a6c22 100644
--- a/sys/machines/hopper/lab/homepage.nix
+++ b/sys/machines/hopper/lab/homepage.nix
@@ -1,4 +1,10 @@
-{config, ...}: {
+{
+ config,
+ vars,
+ ...
+}: let
+ inherit (vars.common) domain;
+in {
 systemd.services.homepage-dashboard.vpnConfinement = {
 enable = true;
 vpnNamespace = "wg";
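Review bot: The acme.nix hunk drops the only consumer of `config.sops.secrets.cloudflare`, but nothing in this patch removes the `cloudflare` secret itself (the sys/profiles/secrets/hopper/default.nix hunk only adds the two porkbun entries), so if it is still declared there the now-unused Cloudflare token keeps being decrypted onto the host on every activation. The declaration and its sops file should go in the same change, and the token should be revoked on the provider side rather than left valid. As a point of style, `domain = "${domain}";` inside the cert is redundant because a cert's `domain` defaults to its attribute name, and if it is kept `inherit domain;` says the same thing without the interpolated string.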
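Review bot: `environment.CADDY_ADMIN = "0.0.0.0:2019";` in the `@@ -7,8 +11,14 @@` hunk binds Caddy's admin API on every interface of the namespace, and that API is unauthenticated and accepts configuration changes, not only the `/metrics` read that the new Prometheus job needs; together with the `2019` entry in the vpn-namespace.nix hunk and the `192.168.15.1:2019` target in the prometheus.nix hunk, anything that can reach that address can reconfigure the proxy fronting vaultwarden and the other services. The narrowest fix is to bind it to the one address being scraped, `environment.CADDY_ADMIN = "192.168.15.1:2019";` (assuming that is the namespace side of the veth, which the scrape target suggests), and to keep the port out of any forwarding that faces the VPN or WAN side. A cleaner separation is to leave the admin endpoint on localhost and expose metrics through a dedicated site block using Caddy's `metrics` handler directive, so the scraped port carries read-only data only. Whichever is chosen, a comment next to the binding such as `# admin API: unauthenticated and can change config, not just /metrics` would keep the next reader from treating it as a metrics port.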
@@ -42,13 +48,13 @@
 "Services" = [
 {
 "jellyfin" = {
- href = "https://jellyfin.xunuwu.xyz";
+ href = "https://jellyfin.${domain}";
 icon = "jellyfin";
 };
 }
 {
 "navidrome" = {
- href = "https://navidrome.xunuwu.xyz";
+ href = "https://navidrome.${domain}";
 icon = "navidrome";
 };
 }
@@ -66,7 +72,7 @@
 }
 {
 "vaultwarden" = {
- href = "https://vw.xunuwu.xyz";
+ href = "https://vw.${domain}";
 icon = "vaultwarden";
 };
 }
diff --git a/sys/machines/hopper/lab/navidrome.nix b/sys/machines/hopper/lab/navidrome.nix
index cbd6037..27fc481 100644
--- a/sys/machines/hopper/lab/navidrome.nix
+++ b/sys/machines/hopper/lab/navidrome.nix
@@ -8,7 +8,6 @@
 EnableSharing = true;
 };
 };
- systemd.services.navidrome.unitConfig.After = ["caddy.service"];
 systemd.services.navidrome.serviceConfig.EnvironmentFile = config.sops.secrets.navidrome.path;
 
 services.restic.backups.hopper = {
diff --git a/sys/machines/hopper/lab/prometheus.nix b/sys/machines/hopper/lab/prometheus.nix
index e0bdc6b..04a2f66 100644
--- a/sys/machines/hopper/lab/prometheus.nix
+++ b/sys/machines/hopper/lab/prometheus.nix
@@ -20,6 +20,12 @@
 targets = ["100.100.100.100"];
 };
 }
+ {
+ job_name = "caddy";
+ static_configs = lib.singleton {
+ targets = ["192.168.15.1:2019"];
+ };
+ }
 ];
 };
 
diff --git a/sys/machines/hopper/lab/vpn-namespace.nix b/sys/machines/hopper/lab/vpn-namespace.nix
index e51ab5b..db5bcc7 100644
--- a/sys/machines/hopper/lab/vpn-namespace.nix
+++ b/sys/machines/hopper/lab/vpn-namespace.nix
@@ -37,6 +37,7 @@
 8336 # caddy
 80 # caddy
 443 # caddy
+ 2019 # caddy admin, for prometheus metrics
 1900 # jellyfin discovery
 7359 # jellyfin discovery
 ];
diff --git a/sys/profiles/secrets/hopper/default.nix b/sys/profiles/secrets/hopper/default.nix
index 022b849..8f4a0f2 100644
--- a/sys/profiles/secrets/hopper/default.nix
+++ b/sys/profiles/secrets/hopper/default.nix
@@ -5,6 +5,8 @@
 format = "binary";
 sopsFile = ./wireguard;
 };
+ porkbun_api_key.sopsFile = ./porkbun.yaml;
+ porkbun_secret_key.sopsFile = ./porkbun.yaml;
 slskd = {
 format = "binary";
 sopsFile = ./slskd;
diff --git a/sys/profiles/secrets/hopper/porkbun.yaml b/sys/profiles/secrets/hopper/porkbun.yaml
new file mode 100644
index 0000000..c53bf4f
--- /dev/null
+++ b/sys/profiles/secrets/hopper/porkbun.yaml
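Review bot: The two new `porkbun_*` entries inherit sops-nix's defaults for owner and mode (root, read-only), which is the right posture for DNS API keys, but it only works for the acme consumer if the NixOS acme module reads `credentialFiles` with root privileges (as systemd credentials) rather than as the unprivileged acme user; that cannot be confirmed from this patch. It is worth checking the first certificate issuance after deploying, and if it fails with a permission error the fix is `owner = "acme";` on these two secrets, not a wider `mode`. A one-line comment, `# consumed by security.acme via credentialFiles in sys/machines/hopper/lab/acme.nix`, would also record where these keys are used.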
@@ -0,0 +1,31 @@
+porkbun_api_key: ENC[AES256_GCM,data:XJPpQmR/Qif4SHkOgGCPmcWr0RQ3BDLcpmb0PMRjH052WFXoAdXglNjs0I6vMpunQo86WTrS1O2pE8FTuHb/28eDFoU=,iv:+6cqvjSSt8Yioco6AaZnYXBDCbDUyzY755E4Z9v+188=,tag:j1i88gG3dtE0aPojeH1Mjg==,type:str]
+porkbun_secret_key: ENC[AES256_GCM,data:UPEfnyl0cjBjCR1/Goljx0jLRH6FUQFrqeYQ5CmoXopp2n/9QYesPg2Zaue1p5HiUm+YUwR1XRxdrupUZhhcDEKYsPY=,iv:Jx1L3hO90DYfhnCdICIDHhT9xMdOZCkOUoOI/cmtbtM=,tag:ADTqd9PNrv5NS/XuUBT9yw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age17pdqkpfh6kc6wm7gxzdnwf6vphlwddv9yfpdu3j76e24y3amd9tq3avfc8
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYYkhHSDE1Rk10WUVETkYz
+ QnRkMTZRaW42dUFqYy93VzZMUTNsWkhBejJnClVpL0UzY0V6aHhtaS9hK3JwR3pX
+ TmZnZis0MXgyMHFtQXVPYTFpc092amMKLS0tIGM2VCtBQy9BcHkrbkVuU1JnNHlX
+ b2Q2Vm9JaXovSG01VjBXc0JHVlg4OUEKLu2dgxebe7TcHl8XD9uRWbB6bjToPfdz
+ Q33TWttTDYnBThM9FCzr3CXk+tpYIwQ75ZDRJsX5K7eo1XhdvKr7KA==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age15mgf89h220puhz48rjpwxwu4n2h4edur60w6cd8gku2hh4e5kqpsghvnyw
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQeEJJNVU4dEM3MjdOU0hZ
+ WlFPZlorSnlDOHNscnhRN3pNMWN1dGRyMlVnClVEeGI4L0RYZzAxcEFmLzYxbWdR
+ M0lnSE9sTDgwSStvY0J5Wk9ob1hnRjgKLS0tIHpFSHdVYmxCWFRZVk42bTVWaHB2
+ Yi9kNU5nNTVTbEdSQWxpYzY3OUFhQk0Kh4rW5YIyUo77/q3e+mpOua9LviOodSDo
+ BFq+GJ55vmTnnsWnNdZ75fA8D3NAGkt90J0vdHTY+S4O3kXK6deGyQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-04-21T17:52:04Z"
+ mac: ENC[AES256_GCM,data:FFDYoULGiuxvYbKPshbNAMVQxuSxC9y+UsEh27iXg77tkPm3h9nFD6kkGPn/WhSq22K3e4CPKcdh9OyloNmnj87zQ4U2yMC54L6ecDFv7s/wXx9QIfdjTptwMVHVmj/eWhiT/GNPXmIBQvQdO1WNgt/Phe7avbwMd2v3Z5QjKjM=,iv:T88XSRb1izA2xBidsgZaPkUWyxWeteZ1Lk837ah2dEU=,tag:r0OcLmwQ7SK3FQBpXrVJrA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.4
diff --git a/vars/common.nix b/vars/common.nix
new file mode 100644
index 0000000..73a3424
--- /dev/null
+++ b/vars/common.nix
@@ -0,0 +1,3 @@
+{
+ domain = "242114.xyz";
+}