xyno/nix-configs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

meow

Browse source
This commit is contained in:
Lucy Hochkamp 2025-11-21 13:32:44 +01:00
parent 2614910b6f
commit 4667974392
13 changed files with 313 additions and 415 deletions
Download patch file Download diff file Expand all files Collapse all files

308
flake.lock generated
View file

@ -16,56 +16,10 @@
"type": "github"
}
},
"authentik": {
"inputs": {
"authentik-src": "authentik-src",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils",
"napalm": "napalm",
"nixpkgs": [
"nixpkgs"
],
"pyproject-build-systems": "pyproject-build-systems",
"pyproject-nix": "pyproject-nix",
"systems": "systems",
"uv2nix": "uv2nix"
},
"locked": {
"lastModified": 1761726959,
"narHash": "sha256-SGndrZx7I0z4vITH1Arf60OTSfkQVMZRTcRgtPIBVtg=",
"owner": "nix-community",
"repo": "authentik-nix",
"rev": "ea1e06f9fe7cbf59c61b2ec4f2979801ff395d8e",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "authentik-nix",
"type": "github"
}
},
"authentik-src": {
"flake": false,
"locked": {
"lastModified": 1759190535,
"narHash": "sha256-pIzDaoDWc58cY/XhsyweCwc4dfRvkaT/zqsV1gDSnCI=",
"owner": "goauthentik",
"repo": "authentik",
"rev": "8d3a289d12c7de2f244c76493af7880f70d08af2",
"type": "github"
},
"original": {
"owner": "goauthentik",
"ref": "version/2025.8.4",
"repo": "authentik",
"type": "github"
}
},
"colmena": {
"inputs": {
"flake-compat": "flake-compat_2",
"flake-utils": "flake-utils_2",
"flake-compat": "flake-compat",
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
],
@ -102,22 +56,6 @@
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1747046372,
"narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1650374568,
@ -133,7 +71,7 @@
"type": "github"
}
},
"flake-compat_3": {
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
@ -150,24 +88,6 @@
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1760948891,
"narHash": "sha256-TmWcdiUUaWk8J4lpjzu4gCGxWY6/Ok7mOK4fIFfBuU4=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "864599284fc7c0ba6357ed89ed5e2cd5040f0c04",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_2": {
"inputs": {
"nixpkgs-lib": [
"lanzaboote",
@ -188,49 +108,7 @@
"type": "github"
}
},
"flake-parts_3": {
"inputs": {
"nixpkgs-lib": [
"terranix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1736143030,
"narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": [
"authentik",
"systems"
]
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"locked": {
"lastModified": 1659877975,
"narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
@ -245,9 +123,9 @@
"type": "github"
}
},
"flake-utils_3": {
"flake-utils_2": {
"inputs": {
"systems": "systems_3"
"systems": "systems"
},
"locked": {
"lastModified": 1731533236,
@ -388,8 +266,8 @@
"lanzaboote": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat_3",
"flake-parts": "flake-parts_2",
"flake-compat": "flake-compat_2",
"flake-parts": "flake-parts",
"nixpkgs": [
"nixpkgs"
],
@ -445,32 +323,6 @@
"type": "github"
}
},
"napalm": {
"inputs": {
"flake-utils": [
"authentik",
"flake-utils"
],
"nixpkgs": [
"authentik",
"nixpkgs"
]
},
"locked": {
"lastModified": 1725806412,
"narHash": "sha256-lGZjkjds0p924QEhm/r0BhAxbHBJE1xMOldB/HmQH04=",
"owner": "willibutz",
"repo": "napalm",
"rev": "b492440d9e64ae20736d3bec5c7715ffcbde83f5",
"type": "github"
},
"original": {
"owner": "willibutz",
"ref": "avoid-foldl-stack-overflow",
"repo": "napalm",
"type": "github"
}
},
"nheko": {
"flake": false,
"locked": {
@ -581,21 +433,6 @@
"type": "github"
}
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1754788789,
"narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "a73b9c743612e4244d865a2fdee11865283c04e6",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixpkgs-master": {
"locked": {
"lastModified": 1762178406,
@ -655,60 +492,9 @@
"type": "github"
}
},
"pyproject-build-systems": {
"inputs": {
"nixpkgs": [
"authentik",
"nixpkgs"
],
"pyproject-nix": [
"authentik",
"pyproject-nix"
],
"uv2nix": [
"authentik",
"uv2nix"
]
},
"locked": {
"lastModified": 1759113590,
"narHash": "sha256-fgxP2RCN4cg0jYiMYoETYc7TZ2JjgyvJa2y9l8oSUFE=",
"owner": "pyproject-nix",
"repo": "build-system-pkgs",
"rev": "dbfc0483b5952c6b86e36f8b3afeb9dde30ea4b5",
"type": "github"
},
"original": {
"owner": "pyproject-nix",
"repo": "build-system-pkgs",
"type": "github"
}
},
"pyproject-nix": {
"inputs": {
"nixpkgs": [
"authentik",
"nixpkgs"
]
},
"locked": {
"lastModified": 1760402624,
"narHash": "sha256-jF6UKLs2uGc2rtved8Vrt58oTWjTQoAssuYs/0578Z4=",
"owner": "pyproject-nix",
"repo": "pyproject.nix",
"rev": "84c4ea102127c77058ea1ed7be7300261fafc7d2",
"type": "github"
},
"original": {
"owner": "pyproject-nix",
"repo": "pyproject.nix",
"type": "github"
}
},
"root": {
"inputs": {
"adw-colors": "adw-colors",
"authentik": "authentik",
"colmena": "colmena",
"helix": "helix",
"home-manager": "home-manager",
@ -726,7 +512,6 @@
"nixpkgs-master": "nixpkgs-master",
"rust-overlay": "rust-overlay_4",
"sops-nix": "sops-nix",
"terranix": "terranix",
"xwayland-satellite": "xwayland-satellite",
"zen-browser": "zen-browser"
}
@ -872,21 +657,6 @@
}
},
"systems": {
"locked": {
"lastModified": 1689347949,
"narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
"owner": "nix-systems",
"repo": "default-linux",
"rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default-linux",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
@ -901,71 +671,9 @@
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"terranix": {
"inputs": {
"flake-parts": "flake-parts_3",
"nixpkgs": [
"nixpkgs"
],
"systems": "systems_2"
},
"locked": {
"lastModified": 1762161791,
"narHash": "sha256-J1L1yP29NVBJO04LA/JGM6kwhnjeNhEsX0tLFnuN3FI=",
"owner": "terranix",
"repo": "terranix",
"rev": "a79a47b4617dfb92184e2e5b8f5aa6fc06c659c8",
"type": "github"
},
"original": {
"owner": "terranix",
"repo": "terranix",
"type": "github"
}
},
"uv2nix": {
"inputs": {
"nixpkgs": [
"authentik",
"nixpkgs"
],
"pyproject-nix": [
"authentik",
"pyproject-nix"
]
},
"locked": {
"lastModified": 1761101082,
"narHash": "sha256-4Kt3RsfJgg6HzmDCc44ZN//xB8n7KGEGxxt9dNjqPQc=",
"owner": "pyproject-nix",
"repo": "uv2nix",
"rev": "e6e728d9719e989c93e65145fe3f9e0c65a021a2",
"type": "github"
},
"original": {
"owner": "pyproject-nix",
"repo": "uv2nix",
"type": "github"
}
},
"xwayland-satellite": {
"inputs": {
"flake-utils": "flake-utils_3",
"flake-utils": "flake-utils_2",
"nixpkgs": [
"nixpkgs-master"
],

18
flake.nix
View file

@ -15,6 +15,10 @@
colmena.url = "github:zhaofengli/colmena/release-0.4.x";
colmena.inputs.nixpkgs.follows = "nixpkgs";
old-conf.url = "./old-conf";
# software
rust-overlay = { # https://github.com/nix-community/lanzaboote/issues/485#issuecomment-3466684727
url = "github:oxalica/rust-overlay";
@ -50,13 +54,14 @@
helix.inputs.nixpkgs.follows = "nixpkgs-master";
# csharp-language-server.url = "github:sofusa/csharp-language-server";
# csharp-language-server.inputs.nixpkgs.follows = "nixpkgs-master";
# authentik
# # authentik
authentik.url = "github:nix-community/authentik-nix";
authentik.inputs.nixpkgs.follows = "nixpkgs";
terranix.url = "github:terranix/terranix";
terranix.inputs.nixpkgs.follows = "nixpkgs";
# authentik.url = "github:nix-community/authentik-nix";
# authentik.inputs.nixpkgs.follows = "nixpkgs";
# terranix.url = "github:terranix/terranix";
# terranix.inputs.nixpkgs.follows = "nixpkgs";
# non flake inputs, maybe use npins in the future?
adw-colors.url = "github:lassekongo83/adw-colors";
@ -66,6 +71,7 @@
mtxclient.url = "github:Nheko-Reborn/mtxclient";
mtxclient.flake = false;
};
outputs =
@ -110,7 +116,7 @@
inputs.lanzaboote.nixosModules.lanzaboote
inputs.sops-nix.nixosModules.sops
inputs.impermanence.nixosModules.impermanence
inputs.authentik.nixosModules.default
# inputs.authentik.nixosModules.default
inputs.nix-index-database.nixosModules.nix-index
]
++ (import ./modules/module-list.nix);

67
instances/ds9/configuration.nix
View file

@ -2,35 +2,76 @@
config,
pkgs,
lib,
inputs,
...
}:
{
nixpkgs.system = "x86_64-linux";
imports = [
./hardware-configuration.nix
./services/attic.nix
./services/immich.nix
./services/jellyfin.nix
./services/paperless.nix
./services/ytdl-sub.nix
# ./services/attic.nix
# ./services/immich.nix
# ./services/jellyfin.nix
# ./services/paperless.nix
# ./services/ytdl-sub.nix
];
time.timeZone = "Europe/Berlin";
networking.hostId = "7b4c2337";
containers.ds9 = {
autoStart = true;
privateNetwork = true;
enableTun = true;
additionalCapabilities = [
"CAP_NET_ADMIN"
"CAP_MKNOD"
"CAP_BPF"
"CAP_DAC_READ_SEARCH"
"CAP_SYS_RESOURCE"
"CAP_SYS_ADMIN"
];
hostAddress = "192.168.100.10";
localAddress = "192.168.100.11";
config = inputs.old-conf.nixosConfigurations.ds9.config;
bindMounts = {
"/data" = {
hostPath = "/data";
isReadOnly = false;
};
"/backup" = {
hostPath = "/backup";
isReadOnly = false;
};
"/persistent" = {
hostPath = "/persistent";
isReadOnly = false;
};
};
};
networking.nat.enable = true;
networking.nat.internalInterfaces = [ "ve-+" ];
networking.nat.externalInterface = "eth0"; # TODO: changeme
xyno.services.traefik = {
enable = true;
simpleProxy.oldds9 = {
host = "*.hailsatan.eu";
internal = "https://192.168.100.11:443";
};
};
networking.hostId = "7b4c2932";
xyno.presets.cli.enable = true;
xyno.presets.server.enable = true;
xyno.services.wireguard.enable = true;
xyno.services.caddy.enable = true;
xyno.services.monitoring.enable = true;
xyno.services.authentik.enable = true;
# xyno.services.wireguard.enable = true;
# xyno.services.caddy.enable = true;
# xyno.services.monitoring.enable = true;
# xyno.services.authentik.enable = true;
xyno.presets.home-manager.enable = true;
xyno.system.user.enable = true;
xyno.networking.networkd = {
enable = true;
};
system.stateVersion = "24.11";
system.stateVersion = "25.11";
}

6
instances/ds9/default.nix
View file

@ -1,11 +1,11 @@
{
imports = [ ./configuration.nix ];
xyno.services.monitoring.prometheusServer = true;
# xyno.services.monitoring.prometheusServer = true;
xyno.meta = {
sopsKey = "fada7e7be28e186e463ad745a38d17f36849d8a7";
};
xyno.services.wireguard.pubKey = "aZvSeAhKG3B5I2My5IqQoSlntMzbCHM6OU92WEScohc=";
# xyno.services.wireguard.pubKey = "aZvSeAhKG3B5I2My5IqQoSlntMzbCHM6OU92WEScohc=";
deployment = {
targetHost = "ds9.hailsatan.eu";
targetHost = "ds9.xyno.systems";
};
}

29
instances/theseus/configuration.nix
View file

@ -12,6 +12,35 @@ let
'';
in
{
# containers.podmantest = {
# privateNetwork = true;
# enableTun = true;
# additionalCapabilities = [
# "CAP_NET_ADMIN"
# "CAP_MKNOD"
# "CAP_BPF"
# "CAP_DAC_READ_SEARCH"
# "CAP_SYS_RESOURCE"
# "CAP_SYS_ADMIN"
# ];
# hostAddress = "192.168.100.10";
# localAddress = "192.168.100.11";
# config =
# { ... }:
# {
# virtualisation.oci-containers.containers.test = {
# image = "docker.io/library/nginx";
# ports = [
# "80:80"
# "443:443"
# ];
# };
# };
# };
# networking.nat.enable = true;
# networking.nat.internalInterfaces = [ "ve-+" ];
# networking.nat.externalInterface = "enp195s0f4u1u3";
nixpkgs.system = "x86_64-linux";
imports = [ ./hardware-configuration.nix ];
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];

3
modules/desktop/waybar/cal.nix
View file

@ -24,13 +24,14 @@ let
UNTIL="1d"
EVENT="$(
khal list "$SINCE" "$UNTIL" \
(khal list "$SINCE" "$UNTIL" \
--day-format 'SKIPME' \
--format "{start-end-time-style} {title:.31}{repeat-symbol}" |
grep -v SKIPME | # filter out headers
grep -v -P '| |' | # filter out continuing all day events
grep -v '^ ' | # exclude full-day events
head -n 1 # show just the first
) || echo ""
)"
if [ -z "$EVENT" ]; then

5
modules/module-list.nix
View file

@ -23,8 +23,9 @@
./presets/gui.nix
./presets/home-manager.nix
./presets/server.nix
./services/authentik
./services/caddy
# ./services/authentik
# ./services/caddy
./services/traefik.nix
./services/monitoring.nix
./services/wireguard.nix
./system/impermanence.nix

7
modules/presets/cli.nix
View file

@ -1,5 +1,6 @@
{
config,
inputs,
lib,
pkgs,
...
@ -44,6 +45,11 @@ in
LC_COLLATE = "de_DE.UTF-8";
};
nix.channel.enable = false;
nix.nixPath = [
"nixpkgs=${inputs.nixpkgs}"
"nixpkgs-master=${inputs.nixpkgs-master}"
];
nix.settings = {
substituters = [
# "https://cache.lix.systems"
@ -55,6 +61,7 @@ in
# "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o="
# "helix.cachix.org-1:ejp9KQpR1FBI2onstMQ34yogDm4OgU2ru6lIwPvuCVs="
];
trusted-users = lib.mkDefault [
"root"
"@wheel"

107
modules/services/caddy/default.nix
View file

@ -7,71 +7,16 @@
with lib;
let
cfg = config.xyno.services.caddy;
wildcardMatcherStr = wildcard: hostName: content: ''
@${hostName} host ${hostName}.${wildcard}
handle @${hostName} {
${content.extraConfig}
}
'';
genOneWildcard = wildcard: host: {
extraConfig = ''
# extra pre
${host.extraConfigPre}
# block bots
${optionalString host.blockBots "import blockBots"}
# hosts handler
${concatStrings (mapAttrsToList (n: v: wildcardMatcherStr wildcard n v) host.hosts)}
# extra post
${host.extraConfigPost}
abort
'';
schema = import ./json-schema.nix {
inherit pkgs lib;
schema = builtins.fromJSON (builtins.readFile ./caddy_schema.json);
};
genVHostsFromWildcard = mapAttrs' (
n: v: nameValuePair "*.${n}" (genOneWildcard n v)
) cfg.wildcardHosts;
schema = import ./json-schema.nix { inherit pkgs lib; schema = builtins.fromJSON (builtins.readFile ./caddy_schema.json); };
in
{
options.xyno.services.caddy.enable = mkEnableOption "enables caddy with the desec plugin";
options.xyno.services.caddy.config = mkOption {
default = {};
type = schema.type;
};
options.xyno.services.caddy.wildcardHosts = mkOption {
example = {
"hailsatan.eu" = {
blockBots = true;
hosts.md.extraConfig = ''reverse_proxy ...'';
};
};
default = { };
type =
with types;
attrsOf (submodule {
options = {
blockBots = mkOption {
type = bool;
default = false;
};
extraConfigPre = mkOption {
type = str;
default = "";
};
extraConfigPost = mkOption {
type = str;
default = "";
};
hosts = mkOption {
default = {};
type = attrsOf (submodule {
options = {
extraConfig = mkOption { type = lines; };
};
});
};
};
});
type = schema.type;
};
config = lib.mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [
@ -79,34 +24,32 @@ in
443
];
networking.firewall.allowedUDPPorts = [ 443 ];
xyno.services.caddy.config = {
apps = {
http.metrics.per_host = true;
tls.automation.policies = [
{
issuers = [
{
ca = "https://acme-v02.api.letsencrypt.org/directory";
challenges.dns.provider = {
name = "desec";
token.path = ""; # TODO
};
}
];
module = "acme";
}
];
};
};
services.caddy = {
enable = true;
package = pkgs.caddy-desec;
adapter = "json";
configFile = json.generate "caddy-config.json" cfg.config;
# virtualHosts = genVHostsFromWildcard;
# email = mkDefault "ssl@xyno.systems";
# acmeCA = mkDefault "https://acme-v02.api.letsencrypt.org/directory";
# globalConfig = ''
# metrics {
# per_host
# }
# '';
# extraConfig = ''
# (blockBots) {
# @botForbidden header_regexp User-Agent "(?i)AdsBot-Google|Amazonbot|anthropic-ai|Applebot|Applebot-Extended|AwarioRssBot|AwarioSmartBot|Bytespider|CCBot|ChatGPT|ChatGPT-User|Claude-Web|ClaudeBot|cohere-ai|DataForSeoBot|Diffbot|FacebookBot|Google-Extended|GPTBot|ImagesiftBot|magpie-crawler|omgili|Omgilibot|peer39_crawler|PerplexityBot|YouBot"
# handle @botForbidden {
# redir https://hil-speed.hetzner.com/10GB.bin
# }
# handle /robots.txt {
# respond <<TXT
# User-Agent: *
# Disallow: /
# TXT 200
# }
# }
# '';
};
xyno.services.monitoring.exporters.caddy = 2019;

8
modules/services/caddy/json-schema.nix
View file

@ -36,6 +36,11 @@ let
in
result;
deref = x: if x ? "$ref" then getRef x."$ref" else x;
fileSubmod = types.submodule {
options.path = mkOption {
type = types.pathWith { inStore = false; absolute = true; };
};
};
buildOptionType =
{
spec,
@ -43,7 +48,8 @@ let
...
}:
let
strType = if spec ? enum then types.enum spec.enum else types.str;
strType = if spec ? enum then types.enum spec.enum else (types.either types.str fileSubmod);
objType = types.submodule {
freeformType = json.type;
options = submoduleOptions { inherit spec depth; };

14
modules/services/monitoring.nix
View file

@ -9,9 +9,13 @@ with lib;
let
cfg = config.xyno.services.monitoring;
firstInstanceWithPromServer = if cfg.prometheusServer then config.networking.hostName else (builtins.head (
attrValues (filterAttrs (n: v: v.config.xyno.services.monitoring.prometheusServer) (otherNodes))
)).config.networking.hostName;
firstInstanceWithPromServer =
if cfg.prometheusServer then
config.networking.hostName
else
(builtins.head (
attrValues (filterAttrs (n: v: v.config.xyno.services.monitoring.prometheusServer) (otherNodes))
)).config.networking.hostName;
vmBasicAuthUsername = "xyno-monitoring";
in
{
@ -84,7 +88,9 @@ in
];
};
services.grafana.declarativePlugins = with pkgs.grafanaPlugins; [ victoriametrics-metrics-datasource ];
services.grafana.declarativePlugins = with pkgs.grafanaPlugins; [
victoriametrics-metrics-datasource
];
})
];

149
modules/services/traefik.nix Normal file
View file

@ -0,0 +1,149 @@
{
pkgs,
lib,
config,
...
}:
let
cfg = config.xyno.services.traefik;
simpleProxyOpts = lib.mapAttrsToList (
n: v:
let
router = "simpleproxy-${n}-router";
service = "simpleproxy-${n}-service";
spl = lib.splitString "." v.host;
certDomain = if (builtins.length spl) > 2 then lib.concatStringsSep "." (builtins.tail spl) else spl;
in
{
routers.${router} = {
inherit service;
rule = "Host(`${v.host}`)";
tls.domains = [
{
main = certDomain;
sans = [ "*.${certDomain}" ];
}
];
};
services.${service} = {
loadBalancer.servers = [
{ url = v.internal; }
];
};
}
) cfg.simpleProxy;
in
{
options.xyno.services.traefik.enable = lib.mkEnableOption "enables traefik";
options.xyno.services.traefik.simpleProxy = lib.mkOption {
example = {
"example" = {
host = "example.org";
middlewares = [ "meow" ];
internal = "http://127.0.0.1:8080";
};
};
default = { };
type = lib.types.attrsOf (
lib.types.submodule {
options = {
middlewares = lib.mkOption {
type = lib.types.nullOr (lib.types.listOf lib.types.str);
};
internal = lib.mkOption {
type = lib.types.str;
};
host = lib.mkOption {
type = lib.types.str;
};
};
}
);
};
config = lib.mkIf cfg.enable {
services.traefik = {
enable = true;
environmentFiles = [
config.sops.templates."traefik.env".path
];
staticConfigOptions = {
metrics = lib.mkIf config.xyno.services.monitoring.enable {
otlp.http.endpoint = "http://localhost:8429/v1/metrics";
};
entryponts.web = {
address = ":80";
redirections.entryPoint = {
to = "websecure";
scheme = "https";
permanent = true;
};
};
entryponts.websecure = {
address = ":443";
tls.certResolver = "letsencrypt";
http3 = { };
};
log.level = "INFO";
certificatesResolvers.letsencrypt.acme = {
email = "ssl@xyno.systems";
caServer = "https://acme-v02.api.letsencrypt.org/directory";
dnsChallenge = {
provider = "desec";
};
};
};
dynamicConfigOptions = {
http = simpleProxyOpts;
tls.options.default = {
# mozilla modern
minVersion = "VersionTLS13";
curvePreferences = [
"X25519"
"CurveP256"
"CurveP384"
];
};
tls.options.old = {
# mozilla intermediate
minVersion = "VersionTLS12";
curvePreferences = [
"X25519"
"CurveP256"
"CurveP384"
];
cipherSuites = [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
];
};
};
};
networking.firewall.allowedTCPPorts = [
80
443
];
networking.firewall.allowedUDPPorts = [ 443 ];
xyno.impermanence.directories = [ config.services.traefik.dataDir ];
sops.secrets."desec_token" = {
};
sops.templates."traefik.env".content = ''
DESEC_TOKEN=${config.sops.placeholder.desec_token}
DESEC_PROPAGATION_TIMEOUT=1200
'';
sops.templates."traefik.env".reloadUnits = [ "traefik.service" ];
# services.borgmatic.settings.traefikql_databases = [
# {
# name = "all"; # gets run as root anyways so can log in
# }
# ];
};
}

7
secrets/common.yaml
View file

@ -1,5 +1,6 @@
victoriametrics:
basicAuthPassword: ENC[AES256_GCM,data:5QuhkQ344qDYzhGZBJimaX94C6oxgYBRZw4MSlycdgs6zRAudMIu/HF1gpjythQpait81jMpFhIn57w433s7QQ==,iv:gytJ63cBaJseCis7gEPmOX6LeddNloQsTjc1SnS56jo=,tag:Jn6TevGsBEeHxYmVHy896w==,type:str]
desec_token: ENC[AES256_GCM,data:3aqlfpAEMyOSNGdLXm4lc0VZajduPkTYkYd+WA==,iv:sktNkKWaD/hjsQpSJzAZeCvwYXfvkhQ2A44BKedCZRg=,tag:XbxIr09c60V0PMDitSOD/w==,type:str]
wg:
psk: ENC[AES256_GCM,data:Anpe6IxtzsqZyvas+ddV3yjJozdZgZOl2KG/Z4YtWUB5gAVLtxsQKc/WA/M=,iv:j/A5k2VXbdqUDXEd1WRfJYdb3DsUZ1B9gPHCpDpRjmw=,tag:KQGi1O5iP2+nQccgBzytSQ==,type:str]
msmtp:
@ -10,8 +11,8 @@ msmtp:
password: ENC[AES256_GCM,data:mAgsvDPzt8f/RB/2T8nrd+KUcuxUGIdCBDs5sFla5x0=,iv:qndiiKTuSpbf/gtNXPaZ6AnHHwzZ7IPJrDFriM7bKwE=,tag:5j+gjpaxIu03x1lBkRMLhQ==,type:str]
aliases: ENC[AES256_GCM,data:fOZRYZ8rVs3IXhiS+VaP54gF4bir66oIZvb7ZfKV,iv:bsmh1ZCwERZuHrvORP68hj5Gz7j3+K6ZW8BR3/IQVQg=,tag:jWozmXpjk3JHCINSgP4KGg==,type:str]
sops:
lastmodified: "2025-09-06T16:50:17Z"
mac: ENC[AES256_GCM,data:QdWLok9IBqTaO3StKRiAXcMIZSV5YJQoYY+3cZZ7xARbmvn5cDqnapv3HIJju7v5V48tNG3aXy1nJHG4kKVuDIMd7s7PPjLL1k0dEsnTs4YwE8XugZX86nXuSUZeUuQNfnR9sFOKho/o/I9W5hCp0IcEgo+Bs1dD3IvYxuv6Nzk=,iv:IHEDtI6lo76qPgBvBETg/SiT/tfFivN8r8J7tt93IbQ=,tag:ifW8UVaf5r8Y9HUUtCkAQQ==,type:str]
lastmodified: "2025-11-19T16:17:02Z"
mac: ENC[AES256_GCM,data:dt2iRLTxfPWpYlxsZnOQgtUAvU/MWoXp6eLOJgP/uWLe5ooeU5K868I7PQNVGEnqkJGZTiiENpY7mkmt0niKn2nw7nD5KzRPMvFZ0/JXrLkzCScBfJDlbcuTtKFVqlDkPpz7kgF+fQy1cg5KiDyc9bsJAi/9qHhQHF3wFbeG5rI=,iv:E6YtLKZdnqgVZKx/goxdvn41p+hfMpkSbc7FJ/3yXQA=,tag:6iW9vkEsEuXOhptGdDwpdw==,type:str]
pgp:
- created_at: "2025-09-06T16:37:33Z"
enc: |-
@ -63,4 +64,4 @@ sops:
-----END PGP MESSAGE-----
fp: b730b2bf54eb792a14bfd3e68c14c08894376c5f
unencrypted_suffix: _unencrypted
version: 3.10.2
version: 3.11.0