diff --git a/.justfile b/.justfile index 09e5f48..c03f8d8 100644 --- a/.justfile +++ b/.justfile @@ -19,8 +19,8 @@ update-input input: nix flake lock --update-input {{input}} @edit-secrets: - git clone ssh://forgejo@git.everest.tailscale:4222/Toast/nix-secrets.git /tmp/secrets - sed -i 's\git+ssh://forgejo@git.everest.tailscale:4222/Toast/nix-secrets\/tmp/secrets\g' flake.nix + git clone ssh://forgejo@git.everest.sable-pancake.ts.net:4222/Toast/nix-secrets.git /tmp/secrets + sed -i 's\git+ssh://forgejo@git.everest.sable-pancake.ts.net:4222/Toast/nix-secrets\/tmp/secrets\g' flake.nix just -q update-input secrets echo "{{bold}}All done!" echo "{{normal}}Remember to restore flake.nix" diff --git a/flake.lock b/flake.lock index bcc1ee7..ff3b031 100644 --- a/flake.lock +++ b/flake.lock @@ -527,11 +527,11 @@ "rev": "08944755d22a7499b0b3fd39d48fdf1dabf4c83f", "revCount": 19, "type": "git", - "url": "ssh://forgejo@git.everest.tailscale:4222/Toast/nix-secrets" + "url": "ssh://forgejo@git.everest.sable-pancake.ts.net:4222/Toast/nix-secrets" }, "original": { "type": "git", - "url": "ssh://forgejo@git.everest.tailscale:4222/Toast/nix-secrets" + "url": "ssh://forgejo@git.everest.sable-pancake.ts.net:4222/Toast/nix-secrets" } }, "systems": { diff --git a/flake.nix b/flake.nix index c2385d3..c7d95cc 100644 --- a/flake.nix +++ b/flake.nix @@ -3,7 +3,7 @@ inputs = { secrets = { - url = "git+ssh://forgejo@git.everest.tailscale:4222/Toast/nix-secrets"; + url = "git+ssh://forgejo@git.everest.sable-pancake.ts.net:4222/Toast/nix-secrets"; flake = false; }; nixpkgs-raw.url = "nixpkgs/nixos-24.05"; diff --git a/roles/common/programs/git.nix b/roles/common/programs/git.nix index 037bc6d..02dc612 100644 --- a/roles/common/programs/git.nix +++ b/roles/common/programs/git.nix 
@@ -1,6 +1,6 @@
 {...}: {
 programs.ssh.knownHosts = {
- "[git.everest.tailscale]:4222".publicKey = ''
+ "[git.everest.sable-pancake.ts.net]:4222".publicKey = ''
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKoUcWx56NZ3kqydN3d0gLNz6SlBm1ArkHhqR9Fwd8qs
 '';
 };
diff --git a/roles/desktop/programs/ssh.nix b/roles/desktop/programs/ssh.nix
index 8449fe4..4e1bd2f 100644
--- a/roles/desktop/programs/ssh.nix
+++ b/roles/desktop/programs/ssh.nix
@@ -2,7 +2,7 @@
 programs.ssh.knownHosts = {
 everest = {
 hostNames = [
- "everest.tailscale"
+ "everest.sable-pancake.ts.net"
 "toast003.xyz"
 ];
 publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqfABZKnF5YYGZTOKuT7m+sOnUqBQSvLke9c3JDsF5s";
@@ -15,7 +15,7 @@
 matchBlocks = {
 "everest" = {
 host = "everest";
- hostname = "everest.tailscale";
+ hostname = "everest.sable-pancake.ts.net";
 forwardAgent = true;
 sendEnv = ["COLORTERM"];
 };
diff --git a/roles/server/caddy.nix b/roles/server/caddy.nix
deleted file mode 100644
index f643527..0000000
--- a/roles/server/caddy.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{config, ...}: let
- manualHostname = "manual.everest.tailscale";
-in {
- services.caddy = {
- enable = true;
- extraConfig = ''
- (tailscale) {
- tls internal
- bind 100.73.96.48
- }
- '';
- virtualHosts.nixos-manual = {
- hostName = manualHostname;
- extraConfig = ''
- import tailscale
- file_server
- root * ${config.system.build.manual.manualHTML}/share/doc/nixos
- '';
- };
- };
- services.dnsmasq.settings.cname = ["${manualHostname},everest"];
-}
diff --git a/roles/server/default.nix b/roles/server/default.nix
index 5e32379..7468b3c 100755
--- a/roles/server/default.nix
+++ b/roles/server/default.nix
@@ -11,7 +11,7 @@
 ./ddclient.nix
 ./beep.nix
 ./tailscale.nix
- ./caddy.nix
+ ./traefik.nix
 ./dns.nix
 ./rust_motd.nix
 ];
diff --git a/roles/server/dns.nix b/roles/server/dns.nix
index 88402e1..e1c92c7 100644
--- a/roles/server/dns.nix
+++ b/roles/server/dns.nix
@@ -16,18 +16,18 @@ dns-loop-detect = true; host-record = [ - "winmax2,winmax2.tailscale,100.106.73.20" - "everest,everest.tailscale,100.73.96.48" - "archie,archie.tailscale,100.113.139.93" - "steamdeck,steamdeck.tailscale,100.85.48.85" - "surfacego,surfacego.tailscale,100.96.92.13" + "winmax2,winmax2.sable-pancake.ts.net,100.106.73.20" + "everest,everest.sable-pancake.ts.net,100.73.96.48" + "archie,archie.sable-pancake.ts.net,100.113.139.93" + "steamdeck,steamdeck.sable-pancake.ts.net,100.85.48.85" + "surfacego,surfacego.sable-pancake.ts.net,100.96.92.13" ]; # If this isn't set a cname that targets a host might return the wrong ip localise-queries = true; ## IPv6 is not a thing in Spain so I'm guaranteed to not use it filter-AAAA = true; - domain = "tailscale"; + domain = "sable-pancake.ts.net"; domain-needed = true; }; }; diff --git a/roles/server/forgejo.nix b/roles/server/forgejo.nix index 65fbf83..af99060 100644 --- a/roles/server/forgejo.nix +++ b/roles/server/forgejo.nix @@ -30,7 +30,7 @@ in { }; server = { OFFLINE_MODE = false; - ROOT_URL = "http://git.everest.tailscale"; + ROOT_URL = "http://git.everest.sable-pancake.ts.net"; START_SSH_SERVER = true; SSH_PORT = 4222; SSH_SERVER_HOST_KEYS = config.age.secrets.forgejo-host-key.path; 
@@ -45,14 +45,22 @@ in { }; # Add a cname for forgejo - services.dnsmasq.settings.cname = ["git.everest.tailscale,everest"]; + services.dnsmasq.settings.cname = ["git.everest.sable-pancake.ts.net,everest"]; - # Set up caddy as the reverse proxy for Forgejo - services.caddy.virtualHosts.forgejo = { - hostName = "git.everest.tailscale"; - extraConfig = '' - import tailscale - reverse_proxy localhost:${toString config.services.forgejo.settings.server.HTTP_PORT} - ''; + # Set up traefik as the reverse proxy for Forgejo + services.traefik = { + dynamicConfigOptions = { + http = { + routers = { + forgejo-subpath = { + rule = "Host(`git.everest.sable-pancake.ts.net`)"; + service = "forgejo"; + }; + }; + services.forgejo.loadBalancer.servers = [ + {url = "http://localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}";} + ]; + }; + }; }; } diff --git a/roles/server/nfs.nix b/roles/server/nfs.nix index 37e472d..22dbe91 100755 --- a/roles/server/nfs.nix +++ b/roles/server/nfs.nix @@ -2,7 +2,7 @@ services = { nfs.server = { enable = true; - exports = "/srv/nfs *.tailscale(ro,fsid=root)"; + exports = "/srv/nfs *.sable-pancake.ts.net(ro,fsid=root)"; # NFSv3 uses random ports, so you need to make them static to be able to pass though the firewall statdPort = 4000; lockdPort = 4001; diff --git a/roles/server/syncthing.nix b/roles/server/syncthing.nix index f684129..137c32b 100755 --- a/roles/server/syncthing.nix +++ b/roles/server/syncthing.nix 
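Review bot: The new router is named `forgejo-subpath`, while the parallel routers added in syncthing.nix and transmission.nix in this same commit are `syncthing-subdomain` and `transmission-subdomain`; the rule here is a `Host()` match on a subdomain, not a path prefix, so `forgejo-subdomain = {` would keep the three modules consistent and make the name describe what the router actually matches. Router names are also the keys Traefik reports in its logs and dashboard, so an accurate name helps when debugging. The rest of the forgejo module, including the `ROOT_URL` this router serves, is outside the hunk.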
@@ -34,14 +34,22 @@ }; # Add a cname for syncthing - services.dnsmasq.settings.cname = ["sync.everest.tailscale,everest"]; + services.dnsmasq.settings.cname = ["sync.everest.sable-pancake.ts.net,everest"]; - # Set up caddy as the reverse proxy for syncthing - services.caddy.virtualHosts.syncthing = { - hostName = "sync.everest.tailscale"; - extraConfig = '' - import tailscale - reverse_proxy localhost:8384 - ''; + # Set up traefik as the reverse proxy for syncthing + services.traefik = { + dynamicConfigOptions = { + http = { + routers = { + syncthing-subdomain = { + rule = "Host(`sync.everest.sable-pancake.ts.net`)"; + service = "syncthing"; + }; + }; + services.syncthing.loadBalancer.servers = [ + {url = "http://localhost:8384";} + ]; + }; + }; }; } diff --git a/roles/server/traefik.nix b/roles/server/traefik.nix new file mode 100644 index 0000000..171f64d --- /dev/null +++ b/roles/server/traefik.nix @@ -0,0 +1,31 @@ +{...}: { + specialisation.traefikEnableWebUI.configuration.services.traefik = { + staticConfigOptions = { + api = { + # Enable the web ui + insecure = true; + dashboard = true; + }; + }; + }; + + services.traefik = { + enable = true; + staticConfigOptions = { + entryPoints = { + http = {address = "100.73.96.48:80";}; + }; + }; + }; + + systemd = { + units.tailscaled.requiredBy = ["traefik.service"]; + # We have somewhat frequent power outages, and our ISP router takes + # ages to boot up. If I don't add a delay, traefik tries to bind to + # the tailscale interface before it's ready, making it crash too much + # in too little time + services.traefik.serviceConfig.RestartSec = 120; + }; + + networking.firewall.allowedTCPPorts = [80 8080]; +} diff --git a/roles/server/transmission.nix b/roles/server/transmission.nix index e52f286..9b90f1b 100755 --- a/roles/server/transmission.nix +++ b/roles/server/transmission.nix 
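Review bot: The only entrypoint defined under `staticConfigOptions.entryPoints` is plain HTTP on `100.73.96.48:80` and none of the routers added in forgejo.nix, syncthing.nix and transmission.nix set `tls`, whereas the deleted caddy.nix served the same hosts with `tls internal`, so Forgejo logins and the Syncthing and Transmission admin UIs now cross the tailnet in cleartext; if that is intended it deserves a comment, otherwise add an HTTPS entrypoint on the same address and mark the routers `tls = {};` (with Traefik's default certificate, or an internal CA, standing in for Caddy's `tls internal`). `networking.firewall.allowedTCPPorts = [80 8080]` opens the dashboard port unconditionally even though `api.insecure = true` lives only in the `traefikEnableWebUI` specialisation, and Traefik's insecure API listens on all interfaces rather than on the tailscale address the `http` entrypoint binds to, which matters on a host that also has a public name (`toast003.xyz` in ssh.nix). I would keep the base config at `networking.firewall.allowedTCPPorts = [80];` and move the dashboard port next to the option that needs it, `specialisation.traefikEnableWebUI.configuration.networking.firewall.allowedTCPPorts = [8080];`, or scope it with `networking.firewall.interfaces.<tailscale interface>.allowedTCPPorts`. `systemd.units.tailscaled.requiredBy` adds a Requires= dependency but no After= ordering, which is presumably why the 120-second `RestartSec` workaround is needed at all; `systemd.services.traefik.after = ["tailscaled.service"];` alongside `systemd.services.traefik.requires = ["tailscaled.service"];` states the intent directly, and I would also confirm whether `systemd.units` expects the full `tailscaled.service` unit name rather than the bare `tailscaled`.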
@@ -9,7 +9,7 @@ in { settings = { incomplete-dir-enabled = false; rpc-bind-address = "0.0.0.0"; - rpc-host-whitelist = "transmission.everest.tailscale"; + rpc-host-whitelist = "transmission.everest.sable-pancake.ts.net"; rpc-whitelist = "127.0.0.1"; }; }; @@ -20,7 +20,7 @@ in { mountPoint = "/srv/nfs/transmission"; options = ["bind"]; }; - services.nfs.server.exports = "${mountPoint} *.tailscale(ro,all_squash,anonuid=${transmissionUid},anongid=${transmissionGid})"; + services.nfs.server.exports = "${mountPoint} *.sable-pancake.ts.net(ro,all_squash,anonuid=${transmissionUid},anongid=${transmissionGid})"; services.avahi.extraServiceFiles = { Transmission-downloads-nfs = '' @@ -38,14 +38,22 @@ in { }; # Add a cname for transmission - services.dnsmasq.settings.cname = ["transmission.everest.tailscale,everest"]; + services.dnsmasq.settings.cname = ["transmission.everest.sable-pancake.ts.net,everest"]; - # Set up caddy as the reverse proxy for transmission - services.caddy.virtualHosts.transmission = { - hostName = "transmission.everest.tailscale"; - extraConfig = '' - import tailscale - reverse_proxy localhost:${toString config.services.transmission.settings.rpc-port} - ''; + # Set up traefik as the reverse proxy for transmission + services.traefik = { + dynamicConfigOptions = { + http = { + routers = { + transmission-subdomain = { + rule = "Host(`transmission.everest.sable-pancake.ts.net`)"; + service = "transmission"; + }; + }; + services.transmission.loadBalancer.servers = [ + {url = "http://localhost:${toString config.services.transmission.settings.rpc-port}";} + ]; + }; + }; }; }