Compare commits
3 commits
020cec94a1
...
e1f4b528c6
| Author | SHA1 | Date | |
|---|---|---|---|
| e1f4b528c6 | |||
| 863840b2b1 | |||
| 5001e70c14 |
13 changed files with 65 additions and 98 deletions
|
|
@ -19,8 +19,8 @@ update-input input:
|
|||
nix flake lock --update-input {{input}}
|
||||
|
||||
@edit-secrets:
|
||||
git clone ssh://forgejo@git.everest.sable-pancake.ts.net:4222/Toast/nix-secrets.git /tmp/secrets
|
||||
sed -i 's\git+ssh://forgejo@git.everest.sable-pancake.ts.net:4222/Toast/nix-secrets\/tmp/secrets\g' flake.nix
|
||||
git clone ssh://forgejo@git.everest.tailscale:4222/Toast/nix-secrets.git /tmp/secrets
|
||||
sed -i 's\git+ssh://forgejo@git.everest.tailscale:4222/Toast/nix-secrets\/tmp/secrets\g' flake.nix
|
||||
just -q update-input secrets
|
||||
echo "{{bold}}All done!"
|
||||
echo "{{normal}}Remember to restore flake.nix"
|
||||
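Review bot: The rewritten `git clone ssh://forgejo@git.everest.tailscale:4222/Toast/nix-secrets.git /tmp/secrets` still checks the secrets repository out into a fixed, predictable path in a world-writable directory, so a stale or pre-created `/tmp/secrets` makes the clone fail or lets another local user decide what the later `sed` points flake.nix at, and the checkout is left behind once the recipe finishes. A per-run directory from `mktemp -d`, used in both the clone and the `sed` replacement, avoids the fixed path; since each recipe line normally runs in its own shell, that needs a shebang recipe or a single `&&`-joined line, and the replacement must not contain a backslash because `\` is the `sed` delimiter here. The recipe edits flake.nix in place and only reminds the user afterwards, so a leading comment such as `# rewrites flake.nix to the local checkout; revert with git checkout flake.nix` would make the side effect visible before it runs.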
|
|
|
|||
4
flake.lock
generated
4
flake.lock
generated
|
|
@ -527,11 +527,11 @@
|
|||
"rev": "08944755d22a7499b0b3fd39d48fdf1dabf4c83f",
|
||||
"revCount": 19,
|
||||
"type": "git",
|
||||
"url": "ssh://forgejo@git.everest.sable-pancake.ts.net:4222/Toast/nix-secrets"
|
||||
"url": "ssh://forgejo@git.everest.tailscale:4222/Toast/nix-secrets"
|
||||
},
|
||||
"original": {
|
||||
"type": "git",
|
||||
"url": "ssh://forgejo@git.everest.sable-pancake.ts.net:4222/Toast/nix-secrets"
|
||||
"url": "ssh://forgejo@git.everest.tailscale:4222/Toast/nix-secrets"
|
||||
}
|
||||
},
|
||||
"systems": {
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@
|
|||
|
||||
inputs = {
|
||||
secrets = {
|
||||
url = "git+ssh://forgejo@git.everest.sable-pancake.ts.net:4222/Toast/nix-secrets";
|
||||
url = "git+ssh://forgejo@git.everest.tailscale:4222/Toast/nix-secrets";
|
||||
flake = false;
|
||||
};
|
||||
nixpkgs-raw.url = "nixpkgs/nixos-24.05";
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
{...}: {
|
||||
programs.ssh.knownHosts = {
|
||||
"[git.everest.sable-pancake.ts.net]:4222".publicKey = ''
|
||||
"[git.everest.tailscale]:4222".publicKey = ''
|
||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKoUcWx56NZ3kqydN3d0gLNz6SlBm1ArkHhqR9Fwd8qs
|
||||
'';
|
||||
};
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
programs.ssh.knownHosts = {
|
||||
everest = {
|
||||
hostNames = [
|
||||
"everest.sable-pancake.ts.net"
|
||||
"everest.tailscale"
|
||||
"toast003.xyz"
|
||||
];
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqfABZKnF5YYGZTOKuT7m+sOnUqBQSvLke9c3JDsF5s";
|
||||
|
|
@ -15,7 +15,7 @@
|
|||
matchBlocks = {
|
||||
"everest" = {
|
||||
host = "everest";
|
||||
hostname = "everest.sable-pancake.ts.net";
|
||||
hostname = "everest.tailscale";
|
||||
forwardAgent = true;
|
||||
sendEnv = ["COLORTERM"];
|
||||
};
|
||||
|
|
|
|||
22
roles/server/caddy.nix
Normal file
22
roles/server/caddy.nix
Normal file
|
|
@ -0,0 +1,22 @@
|
|||
{config, ...}: let
|
||||
manualHostname = "manual.everest.tailscale";
|
||||
in {
|
||||
services.caddy = {
|
||||
enable = true;
|
||||
extraConfig = ''
|
||||
(tailscale) {
|
||||
tls internal
|
||||
bind 100.73.96.48
|
||||
}
|
||||
'';
|
||||
virtualHosts.nixos-manual = {
|
||||
hostName = manualHostname;
|
||||
extraConfig = ''
|
||||
import tailscale
|
||||
file_server
|
||||
root * ${config.system.build.manual.manualHTML}/share/doc/nixos
|
||||
'';
|
||||
};
|
||||
};
|
||||
services.dnsmasq.settings.cname = ["${manualHostname},everest"];
|
||||
}
|
||||
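Review bot: `bind 100.73.96.48` recreates the boot-time race that the deleted traefik.nix worked around with `units.tailscaled.requiredBy` and `RestartSec = 120` (the interface is not up yet when the proxy binds), and nothing in this new file carries either safeguard over to Caddy. The equivalent would be `systemd.services.caddy = { after = ["tailscaled.service"]; requires = ["tailscaled.service"]; serviceConfig.RestartSec = 120; };`. The removed file also opened TCP 80 and 8080 in `networking.firewall.allowedTCPPorts` while this one opens nothing, so unless 443 (and 80 for Caddy's default redirect) is allowed in a file outside this diff the `tls internal` hosts are unreachable from other tailnet nodes. `tls internal` also means every client has to trust Caddy's local CA, otherwise users are trained to click through certificate warnings, which is worth a comment next to the `(tailscale)` snippet. The same literal `100.73.96.48` appears in the dns.nix `host-record` for everest, so a single shared binding would keep the two from drifting.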
|
|
@ -11,7 +11,7 @@
|
|||
./ddclient.nix
|
||||
./beep.nix
|
||||
./tailscale.nix
|
||||
./traefik.nix
|
||||
./caddy.nix
|
||||
./dns.nix
|
||||
./rust_motd.nix
|
||||
];
|
||||
|
|
|
|||
|
|
@ -16,18 +16,18 @@
|
|||
dns-loop-detect = true;
|
||||
|
||||
host-record = [
|
||||
"winmax2,winmax2.sable-pancake.ts.net,100.106.73.20"
|
||||
"everest,everest.sable-pancake.ts.net,100.73.96.48"
|
||||
"archie,archie.sable-pancake.ts.net,100.113.139.93"
|
||||
"steamdeck,steamdeck.sable-pancake.ts.net,100.85.48.85"
|
||||
"surfacego,surfacego.sable-pancake.ts.net,100.96.92.13"
|
||||
"winmax2,winmax2.tailscale,100.106.73.20"
|
||||
"everest,everest.tailscale,100.73.96.48"
|
||||
"archie,archie.tailscale,100.113.139.93"
|
||||
"steamdeck,steamdeck.tailscale,100.85.48.85"
|
||||
"surfacego,surfacego.tailscale,100.96.92.13"
|
||||
];
|
||||
|
||||
# If this isn't set a cname that targets a host might return the wrong ip
|
||||
localise-queries = true;
|
||||
## IPv6 is not a thing in Spain so I'm guaranteed to not use it
|
||||
filter-AAAA = true;
|
||||
domain = "sable-pancake.ts.net";
|
||||
domain = "tailscale";
|
||||
domain-needed = true;
|
||||
};
|
||||
};
|
||||
|
|
|
|||
|
|
@ -30,7 +30,7 @@ in {
|
|||
};
|
||||
server = {
|
||||
OFFLINE_MODE = false;
|
||||
ROOT_URL = "http://git.everest.sable-pancake.ts.net";
|
||||
ROOT_URL = "http://git.everest.tailscale";
|
||||
START_SSH_SERVER = true;
|
||||
SSH_PORT = 4222;
|
||||
SSH_SERVER_HOST_KEYS = config.age.secrets.forgejo-host-key.path;
|
||||
|
|
@ -45,22 +45,14 @@ in {
|
|||
};
|
||||
|
||||
# Add a cname for forgejo
|
||||
services.dnsmasq.settings.cname = ["git.everest.sable-pancake.ts.net,everest"];
|
||||
services.dnsmasq.settings.cname = ["git.everest.tailscale,everest"];
|
||||
|
||||
# Set up traefik as the reverse proxy for Forgejo
|
||||
services.traefik = {
|
||||
dynamicConfigOptions = {
|
||||
http = {
|
||||
routers = {
|
||||
forgejo-subpath = {
|
||||
rule = "Host(`git.everest.sable-pancake.ts.net`)";
|
||||
service = "forgejo";
|
||||
};
|
||||
};
|
||||
services.forgejo.loadBalancer.servers = [
|
||||
{url = "http://localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}";}
|
||||
];
|
||||
};
|
||||
};
|
||||
# Set up caddy as the reverse proxy for Forgejo
|
||||
services.caddy.virtualHosts.forgejo = {
|
||||
hostName = "git.everest.tailscale";
|
||||
extraConfig = ''
|
||||
import tailscale
|
||||
reverse_proxy localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}
|
||||
'';
|
||||
};
|
||||
}
|
||||
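Review bot: `ROOT_URL = "http://git.everest.tailscale";` keeps a plain-http origin while the new `services.caddy.virtualHosts.forgejo` block below serves the site with `tls internal` and, by Caddy's default, redirects HTTP to HTTPS, so Forgejo will generate http:// links, clone URLs and redirects that all bounce through that redirect and will likely issue its session cookie without the Secure attribute. `ROOT_URL = "https://git.everest.tailscale";` matches what the proxy now exposes; the old Traefik setup had only an http entrypoint, which is why the http scheme was right before. Caddy's `reverse_proxy` from localhost sends the forwarded headers Forgejo needs and falls inside its default trusted-proxy range, so nothing else looks necessary, but it is worth confirming on the running instance that redirects and clone URLs come out as https.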
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
services = {
|
||||
nfs.server = {
|
||||
enable = true;
|
||||
exports = "/srv/nfs *.sable-pancake.ts.net(ro,fsid=root)";
|
||||
exports = "/srv/nfs *.tailscale(ro,fsid=root)";
|
||||
# NFSv3 uses random ports, so you need to make them static to be able to pass though the firewall
|
||||
statdPort = 4000;
|
||||
lockdPort = 4001;
|
||||
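Review bot: `exports = "/srv/nfs *.tailscale(ro,fsid=root)";` grants access by hostname wildcard, and the NFS server decides membership by reverse-resolving each client's address, so after this change only clients whose IP has a PTR record under `tailscale` are admitted. With the old MagicDNS domain Tailscale answered those PTRs itself; with the local domain the only reverse records appear to be the five `host-record` entries in dns.nix, so any other tailnet node, or one whose entry drifts, is silently denied, and the check is only as trustworthy as the resolver everest uses. If the intent is "any tailnet peer", matching the CGNAT range directly, `"/srv/nfs 100.64.0.0/10(ro,fsid=root)"`, does not depend on DNS at all. The same applies to the transmission.nix export `*.tailscale(ro,all_squash,...)`.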
|
|
|
|||
|
|
@ -34,22 +34,14 @@
|
|||
};
|
||||
|
||||
# Add a cname for syncthing
|
||||
services.dnsmasq.settings.cname = ["sync.everest.sable-pancake.ts.net,everest"];
|
||||
services.dnsmasq.settings.cname = ["sync.everest.tailscale,everest"];
|
||||
|
||||
# Set up traefik as the reverse proxy for syncthing
|
||||
services.traefik = {
|
||||
dynamicConfigOptions = {
|
||||
http = {
|
||||
routers = {
|
||||
syncthing-subdomain = {
|
||||
rule = "Host(`sync.everest.sable-pancake.ts.net`)";
|
||||
service = "syncthing";
|
||||
};
|
||||
};
|
||||
services.syncthing.loadBalancer.servers = [
|
||||
{url = "http://localhost:8384";}
|
||||
];
|
||||
};
|
||||
};
|
||||
# Set up caddy as the reverse proxy for syncthing
|
||||
services.caddy.virtualHosts.syncthing = {
|
||||
hostName = "sync.everest.tailscale";
|
||||
extraConfig = ''
|
||||
import tailscale
|
||||
reverse_proxy localhost:8384
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,31 +0,0 @@
|
|||
{...}: {
|
||||
specialisation.traefikEnableWebUI.configuration.services.traefik = {
|
||||
staticConfigOptions = {
|
||||
api = {
|
||||
# Enable the web ui
|
||||
insecure = true;
|
||||
dashboard = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.traefik = {
|
||||
enable = true;
|
||||
staticConfigOptions = {
|
||||
entryPoints = {
|
||||
http = {address = "100.73.96.48:80";};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
systemd = {
|
||||
units.tailscaled.requiredBy = ["traefik.service"];
|
||||
# We have somewhat frequent power outages, and our ISP router takes
|
||||
# ages to boot up. If I don't add a delay, traefik tries to bind to
|
||||
# the tailscale interface before it's ready, making it crash too much
|
||||
# in too little time
|
||||
services.traefik.serviceConfig.RestartSec = 120;
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [80 8080];
|
||||
}
|
||||
|
|
@ -9,7 +9,7 @@ in {
|
|||
settings = {
|
||||
incomplete-dir-enabled = false;
|
||||
rpc-bind-address = "0.0.0.0";
|
||||
rpc-host-whitelist = "transmission.everest.sable-pancake.ts.net";
|
||||
rpc-host-whitelist = "transmission.everest.tailscale";
|
||||
rpc-whitelist = "127.0.0.1";
|
||||
};
|
||||
};
|
||||
|
|
@ -20,7 +20,7 @@ in {
|
|||
mountPoint = "/srv/nfs/transmission";
|
||||
options = ["bind"];
|
||||
};
|
||||
services.nfs.server.exports = "${mountPoint} *.sable-pancake.ts.net(ro,all_squash,anonuid=${transmissionUid},anongid=${transmissionGid})";
|
||||
services.nfs.server.exports = "${mountPoint} *.tailscale(ro,all_squash,anonuid=${transmissionUid},anongid=${transmissionGid})";
|
||||
|
||||
services.avahi.extraServiceFiles = {
|
||||
Transmission-downloads-nfs = ''
|
||||
|
|
@ -38,22 +38,14 @@ in {
|
|||
};
|
||||
|
||||
# Add a cname for transmission
|
||||
services.dnsmasq.settings.cname = ["transmission.everest.sable-pancake.ts.net,everest"];
|
||||
services.dnsmasq.settings.cname = ["transmission.everest.tailscale,everest"];
|
||||
|
||||
# Set up traefik as the reverse proxy for transmission
|
||||
services.traefik = {
|
||||
dynamicConfigOptions = {
|
||||
http = {
|
||||
routers = {
|
||||
transmission-subdomain = {
|
||||
rule = "Host(`transmission.everest.sable-pancake.ts.net`)";
|
||||
service = "transmission";
|
||||
};
|
||||
};
|
||||
services.transmission.loadBalancer.servers = [
|
||||
{url = "http://localhost:${toString config.services.transmission.settings.rpc-port}";}
|
||||
];
|
||||
};
|
||||
};
|
||||
# Set up caddy as the reverse proxy for transmission
|
||||
services.caddy.virtualHosts.transmission = {
|
||||
hostName = "transmission.everest.tailscale";
|
||||
extraConfig = ''
|
||||
import tailscale
|
||||
reverse_proxy localhost:${toString config.services.transmission.settings.rpc-port}
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
|
|
|||