.justfile

@@ -19,8 +19,8 @@ update-input input:
     nix flake lock --update-input {{input}}
 
 @edit-secrets:
-    git clone ssh://forgejo@git.everest.tailscale:4222/Toast/nix-secrets.git /tmp/secrets
+    git clone ssh://forgejo@git.everest.sable-pancake.ts.net:4222/Toast/nix-secrets.git /tmp/secrets
-    sed -i 's\git+ssh://forgejo@git.everest.tailscale:4222/Toast/nix-secrets\/tmp/secrets\g' flake.nix
+    sed -i 's\git+ssh://forgejo@git.everest.sable-pancake.ts.net:4222/Toast/nix-secrets\/tmp/secrets\g' flake.nix
     just -q update-input secrets
     echo "{{bold}}All done!"
     echo "{{normal}}Remember to restore flake.nix"

flake.lock

@@ -527,11 +527,11 @@
         "rev": "08944755d22a7499b0b3fd39d48fdf1dabf4c83f",
         "revCount": 19,
         "type": "git",
-        "url": "ssh://forgejo@git.everest.tailscale:4222/Toast/nix-secrets"
+        "url": "ssh://forgejo@git.everest.sable-pancake.ts.net:4222/Toast/nix-secrets"
       },
       "original": {
         "type": "git",
-        "url": "ssh://forgejo@git.everest.tailscale:4222/Toast/nix-secrets"
+        "url": "ssh://forgejo@git.everest.sable-pancake.ts.net:4222/Toast/nix-secrets"
       }
     },
     "systems": {

flake.nix

@@ -3,7 +3,7 @@
 
   inputs = {
     secrets = {
-      url = "git+ssh://forgejo@git.everest.tailscale:4222/Toast/nix-secrets";
+      url = "git+ssh://forgejo@git.everest.sable-pancake.ts.net:4222/Toast/nix-secrets";
       flake = false;
     };
     nixpkgs-raw.url = "nixpkgs/nixos-24.05";

roles/common/programs/git.nix

@@ -1,6 +1,6 @@
 {...}: {
   programs.ssh.knownHosts = {
-    "[git.everest.tailscale]:4222".publicKey = ''
+    "[git.everest.sable-pancake.ts.net]:4222".publicKey = ''
       ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKoUcWx56NZ3kqydN3d0gLNz6SlBm1ArkHhqR9Fwd8qs
     '';
   };

roles/desktop/programs/ssh.nix

@@ -2,7 +2,7 @@
   programs.ssh.knownHosts = {
     everest = {
       hostNames = [
-        "everest.tailscale"
+        "everest.sable-pancake.ts.net"
         "toast003.xyz"
       ];
       publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqfABZKnF5YYGZTOKuT7m+sOnUqBQSvLke9c3JDsF5s";
@@ -15,7 +15,7 @@
       matchBlocks = {
         "everest" = {
           host = "everest";
-          hostname = "everest.tailscale";
+          hostname = "everest.sable-pancake.ts.net";
           forwardAgent = true;
           sendEnv = ["COLORTERM"];
         };

roles/server/caddy.nix

@@ -1,22 +0,0 @@
-{config, ...}: let
-  manualHostname = "manual.everest.tailscale";
-in {
-  services.caddy = {
-    enable = true;
-    extraConfig = ''
-      (tailscale) {
-        tls internal
-        bind 100.73.96.48
-      }
-    '';
-    virtualHosts.nixos-manual = {
-      hostName = manualHostname;
-      extraConfig = ''
-        import tailscale
-        file_server
-        root * ${config.system.build.manual.manualHTML}/share/doc/nixos
-      '';
-    };
-  };
-  services.dnsmasq.settings.cname = ["${manualHostname},everest"];
-}

roles/server/default.nix

@@ -11,7 +11,7 @@
     ./ddclient.nix
     ./beep.nix
     ./tailscale.nix
-    ./caddy.nix
+    ./traefik.nix
     ./dns.nix
     ./rust_motd.nix
   ];

roles/server/dns.nix

@@ -16,18 +16,18 @@
       dns-loop-detect = true;
 
       host-record = [
-        "winmax2,winmax2.tailscale,100.106.73.20"
+        "winmax2,winmax2.sable-pancake.ts.net,100.106.73.20"
-        "everest,everest.tailscale,100.73.96.48"
+        "everest,everest.sable-pancake.ts.net,100.73.96.48"
-        "archie,archie.tailscale,100.113.139.93"
+        "archie,archie.sable-pancake.ts.net,100.113.139.93"
-        "steamdeck,steamdeck.tailscale,100.85.48.85"
+        "steamdeck,steamdeck.sable-pancake.ts.net,100.85.48.85"
-        "surfacego,surfacego.tailscale,100.96.92.13"
+        "surfacego,surfacego.sable-pancake.ts.net,100.96.92.13"
       ];
 
       # If this isn't set a cname that targets a host might return the wrong ip
       localise-queries = true;
       ## IPv6 is not a thing in Spain so I'm guaranteed to not use it
       filter-AAAA = true;
-      domain = "tailscale";
+      domain = "sable-pancake.ts.net";
       domain-needed = true;
     };
   };

roles/server/forgejo.nix

@@ -30,7 +30,7 @@ in {
       };
       server = {
         OFFLINE_MODE = false;
-        ROOT_URL = "http://git.everest.tailscale";
+        ROOT_URL = "http://git.everest.sable-pancake.ts.net";
         START_SSH_SERVER = true;
         SSH_PORT = 4222;
         SSH_SERVER_HOST_KEYS = config.age.secrets.forgejo-host-key.path;
@@ -45,14 +45,22 @@ in {
   };
 
   # Add a cname for forgejo
-  services.dnsmasq.settings.cname = ["git.everest.tailscale,everest"];
+  services.dnsmasq.settings.cname = ["git.everest.sable-pancake.ts.net,everest"];
 
-  # Set up caddy as the reverse proxy for Forgejo
+  # Set up traefik as the reverse proxy for Forgejo
-  services.caddy.virtualHosts.forgejo = {
+  services.traefik = {
-    hostName = "git.everest.tailscale";
+    dynamicConfigOptions = {
-    extraConfig = ''
+      http = {
-      import tailscale
+        routers = {
-      reverse_proxy localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}
+          forgejo-subpath = {
-    '';
+            rule = "Host(`git.everest.sable-pancake.ts.net`)";
+            service = "forgejo";
+          };
+        };
+        services.forgejo.loadBalancer.servers = [
+          {url = "http://localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}";}
+        ];
+      };
+    };
   };
 }

roles/server/nfs.nix

@@ -2,7 +2,7 @@
   services = {
     nfs.server = {
       enable = true;
-      exports = "/srv/nfs *.tailscale(ro,fsid=root)";
+      exports = "/srv/nfs *.sable-pancake.ts.net(ro,fsid=root)";
       # NFSv3 uses random ports, so you need to make them static to be able to pass though the firewall
       statdPort = 4000;
       lockdPort = 4001;

roles/server/syncthing.nix

@@ -34,14 +34,22 @@
   };
 
   # Add a cname for syncthing
-  services.dnsmasq.settings.cname = ["sync.everest.tailscale,everest"];
+  services.dnsmasq.settings.cname = ["sync.everest.sable-pancake.ts.net,everest"];
 
-  # Set up caddy as the reverse proxy for syncthing
+  # Set up traefik as the reverse proxy for syncthing
-  services.caddy.virtualHosts.syncthing = {
+  services.traefik = {
-    hostName = "sync.everest.tailscale";
+    dynamicConfigOptions = {
-    extraConfig = ''
+      http = {
-      import tailscale
+        routers = {
-      reverse_proxy localhost:8384
+          syncthing-subdomain = {
-    '';
+            rule = "Host(`sync.everest.sable-pancake.ts.net`)";
+            service = "syncthing";
+          };
+        };
+        services.syncthing.loadBalancer.servers = [
+          {url = "http://localhost:8384";}
+        ];
+      };
+    };
   };
 }

roles/server/traefik.nix

@@ -0,0 +1,31 @@
+{...}: {
+  specialisation.traefikEnableWebUI.configuration.services.traefik = {
+    staticConfigOptions = {
+      api = {
+        # Enable the web ui
+        insecure = true;
+        dashboard = true;
+      };
+    };
+  };
+
+  services.traefik = {
+    enable = true;
+    staticConfigOptions = {
+      entryPoints = {
+        http = {address = "100.73.96.48:80";};
+      };
+    };
+  };
+
+  systemd = {
+    units.tailscaled.requiredBy = ["traefik.service"];
+    # We have somewhat frequent power outages, and our ISP router takes
+    # ages to boot up. If I don't add a delay, traefik tries to bind to
+    # the tailscale interface before it's ready, making it crash too much
+    # in too little time
+    services.traefik.serviceConfig.RestartSec = 120;
+  };
+
+  networking.firewall.allowedTCPPorts = [80 8080];
+}

roles/server/transmission.nix

@@ -9,7 +9,7 @@ in {
     settings = {
       incomplete-dir-enabled = false;
       rpc-bind-address = "0.0.0.0";
-      rpc-host-whitelist = "transmission.everest.tailscale";
+      rpc-host-whitelist = "transmission.everest.sable-pancake.ts.net";
       rpc-whitelist = "127.0.0.1";
     };
   };
@@ -20,7 +20,7 @@ in {
     mountPoint = "/srv/nfs/transmission";
     options = ["bind"];
   };
-  services.nfs.server.exports = "${mountPoint} *.tailscale(ro,all_squash,anonuid=${transmissionUid},anongid=${transmissionGid})";
+  services.nfs.server.exports = "${mountPoint} *.sable-pancake.ts.net(ro,all_squash,anonuid=${transmissionUid},anongid=${transmissionGid})";
 
   services.avahi.extraServiceFiles = {
     Transmission-downloads-nfs = ''
@@ -38,14 +38,22 @@ in {
   };
 
   # Add a cname for transmission
-  services.dnsmasq.settings.cname = ["transmission.everest.tailscale,everest"];
+  services.dnsmasq.settings.cname = ["transmission.everest.sable-pancake.ts.net,everest"];
 
-  # Set up caddy as the reverse proxy for transmission
+  # Set up traefik as the reverse proxy for transmission
-  services.caddy.virtualHosts.transmission = {
+  services.traefik = {
-    hostName = "transmission.everest.tailscale";
+    dynamicConfigOptions = {
-    extraConfig = ''
+      http = {
-      import tailscale
+        routers = {
-      reverse_proxy localhost:${toString config.services.transmission.settings.rpc-port}
+          transmission-subdomain = {
-    '';
+            rule = "Host(`transmission.everest.sable-pancake.ts.net`)";
+            service = "transmission";
+          };
+        };
+        services.transmission.loadBalancer.servers = [
+          {url = "http://localhost:${toString config.services.transmission.settings.rpc-port}";}
+        ];
+      };
+    };
   };
 }