diff --git a/flake.lock b/flake.lock index 8e524d96..cb74c5bc 100644 --- a/flake.lock +++ b/flake.lock @@ -16,56 +16,10 @@ "type": "github" } }, - "authentik": { - "inputs": { - "authentik-src": "authentik-src", - "flake-compat": "flake-compat", - "flake-parts": "flake-parts", - "flake-utils": "flake-utils", - "napalm": "napalm", - "nixpkgs": [ - "nixpkgs" - ], - "pyproject-build-systems": "pyproject-build-systems", - "pyproject-nix": "pyproject-nix", - "systems": "systems", - "uv2nix": "uv2nix" - }, - "locked": { - "lastModified": 1761726959, - "narHash": "sha256-SGndrZx7I0z4vITH1Arf60OTSfkQVMZRTcRgtPIBVtg=", - "owner": "nix-community", - "repo": "authentik-nix", - "rev": "ea1e06f9fe7cbf59c61b2ec4f2979801ff395d8e", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "authentik-nix", - "type": "github" - } - }, - "authentik-src": { - "flake": false, - "locked": { - "lastModified": 1759190535, - "narHash": "sha256-pIzDaoDWc58cY/XhsyweCwc4dfRvkaT/zqsV1gDSnCI=", - "owner": "goauthentik", - "repo": "authentik", - "rev": "8d3a289d12c7de2f244c76493af7880f70d08af2", - "type": "github" - }, - "original": { - "owner": "goauthentik", - "ref": "version/2025.8.4", - "repo": "authentik", - "type": "github" - } - }, "colmena": { "inputs": { - "flake-compat": "flake-compat_2", - "flake-utils": "flake-utils_2", + "flake-compat": "flake-compat", + "flake-utils": "flake-utils", "nixpkgs": [ "nixpkgs" ], @@ -102,22 +56,6 @@ } }, "flake-compat": { - "flake": false, - "locked": { - "lastModified": 1747046372, - "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_2": { "flake": false, "locked": { "lastModified": 1650374568, 
@@ -133,7 +71,7 @@ "type": "github" } }, - "flake-compat_3": { + "flake-compat_2": { "flake": false, "locked": { "lastModified": 1696426674, @@ -150,24 +88,6 @@ } }, "flake-parts": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib" - }, - "locked": { - "lastModified": 1760948891, - "narHash": "sha256-TmWcdiUUaWk8J4lpjzu4gCGxWY6/Ok7mOK4fIFfBuU4=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "864599284fc7c0ba6357ed89ed5e2cd5040f0c04", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_2": { "inputs": { "nixpkgs-lib": [ "lanzaboote", @@ -188,49 +108,7 @@ "type": "github" } }, - "flake-parts_3": { - "inputs": { - "nixpkgs-lib": [ - "terranix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1736143030, - "narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, "flake-utils": { - "inputs": { - "systems": [ - "authentik", - "systems" - ] - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_2": { "locked": { "lastModified": 1659877975, "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", @@ -245,9 +123,9 @@ "type": "github" } }, - "flake-utils_3": { + "flake-utils_2": { "inputs": { - "systems": "systems_3" + "systems": "systems" }, "locked": { "lastModified": 1731533236, 
@@ -388,8 +266,8 @@ "lanzaboote": { "inputs": { "crane": "crane", - "flake-compat": "flake-compat_3", - "flake-parts": "flake-parts_2", + "flake-compat": "flake-compat_2", + "flake-parts": "flake-parts", "nixpkgs": [ "nixpkgs" ], @@ -445,32 +323,6 @@ "type": "github" } }, - "napalm": { - "inputs": { - "flake-utils": [ - "authentik", - "flake-utils" - ], - "nixpkgs": [ - "authentik", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1725806412, - "narHash": "sha256-lGZjkjds0p924QEhm/r0BhAxbHBJE1xMOldB/HmQH04=", - "owner": "willibutz", - "repo": "napalm", - "rev": "b492440d9e64ae20736d3bec5c7715ffcbde83f5", - "type": "github" - }, - "original": { - "owner": "willibutz", - "ref": "avoid-foldl-stack-overflow", - "repo": "napalm", - "type": "github" - } - }, "nheko": { "flake": false, "locked": { @@ -581,21 +433,6 @@ "type": "github" } }, - "nixpkgs-lib": { - "locked": { - "lastModified": 1754788789, - "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "a73b9c743612e4244d865a2fdee11865283c04e6", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, "nixpkgs-master": { "locked": { "lastModified": 1762178406, 
@@ -655,60 +492,9 @@ "type": "github" } }, - "pyproject-build-systems": { - "inputs": { - "nixpkgs": [ - "authentik", - "nixpkgs" - ], - "pyproject-nix": [ - "authentik", - "pyproject-nix" - ], - "uv2nix": [ - "authentik", - "uv2nix" - ] - }, - "locked": { - "lastModified": 1759113590, - "narHash": "sha256-fgxP2RCN4cg0jYiMYoETYc7TZ2JjgyvJa2y9l8oSUFE=", - "owner": "pyproject-nix", - "repo": "build-system-pkgs", - "rev": "dbfc0483b5952c6b86e36f8b3afeb9dde30ea4b5", - "type": "github" - }, - "original": { - "owner": "pyproject-nix", - "repo": "build-system-pkgs", - "type": "github" - } - }, - "pyproject-nix": { - "inputs": { - "nixpkgs": [ - "authentik", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1760402624, - "narHash": "sha256-jF6UKLs2uGc2rtved8Vrt58oTWjTQoAssuYs/0578Z4=", - "owner": "pyproject-nix", - "repo": "pyproject.nix", - "rev": "84c4ea102127c77058ea1ed7be7300261fafc7d2", - "type": "github" - }, - "original": { - "owner": "pyproject-nix", - "repo": "pyproject.nix", - "type": "github" - } - }, "root": { "inputs": { "adw-colors": "adw-colors", - "authentik": "authentik", "colmena": "colmena", "helix": "helix", "home-manager": "home-manager", @@ -726,7 +512,6 @@ "nixpkgs-master": "nixpkgs-master", "rust-overlay": "rust-overlay_4", "sops-nix": "sops-nix", - "terranix": "terranix", "xwayland-satellite": "xwayland-satellite", "zen-browser": "zen-browser" } @@ -872,21 +657,6 @@ } }, "systems": { - "locked": { - "lastModified": 1689347949, - "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", - "owner": "nix-systems", - "repo": "default-linux", - "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default-linux", - "type": "github" - } - }, - "systems_2": { "locked": { "lastModified": 1681028828, "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", 
@@ -901,71 +671,9 @@ "type": "github" } }, - "systems_3": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "terranix": { - "inputs": { - "flake-parts": "flake-parts_3", - "nixpkgs": [ - "nixpkgs" - ], - "systems": "systems_2" - }, - "locked": { - "lastModified": 1762161791, - "narHash": "sha256-J1L1yP29NVBJO04LA/JGM6kwhnjeNhEsX0tLFnuN3FI=", - "owner": "terranix", - "repo": "terranix", - "rev": "a79a47b4617dfb92184e2e5b8f5aa6fc06c659c8", - "type": "github" - }, - "original": { - "owner": "terranix", - "repo": "terranix", - "type": "github" - } - }, - "uv2nix": { - "inputs": { - "nixpkgs": [ - "authentik", - "nixpkgs" - ], - "pyproject-nix": [ - "authentik", - "pyproject-nix" - ] - }, - "locked": { - "lastModified": 1761101082, - "narHash": "sha256-4Kt3RsfJgg6HzmDCc44ZN//xB8n7KGEGxxt9dNjqPQc=", - "owner": "pyproject-nix", - "repo": "uv2nix", - "rev": "e6e728d9719e989c93e65145fe3f9e0c65a021a2", - "type": "github" - }, - "original": { - "owner": "pyproject-nix", - "repo": "uv2nix", - "type": "github" - } - }, "xwayland-satellite": { "inputs": { - "flake-utils": "flake-utils_3", + "flake-utils": "flake-utils_2", "nixpkgs": [ "nixpkgs-master" ], diff --git a/flake.nix b/flake.nix index 71a78f0a..a4b12100 100644 --- a/flake.nix +++ b/flake.nix @@ -15,6 +15,10 @@ colmena.url = "github:zhaofengli/colmena/release-0.4.x"; colmena.inputs.nixpkgs.follows = "nixpkgs"; + + old-conf.url = "./old-conf"; + + # software rust-overlay = { # https://github.com/nix-community/lanzaboote/issues/485#issuecomment-3466684727 url = "github:oxalica/rust-overlay"; 
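Review bot: The new `old-conf.url = "./old-conf";` input has no matching node in the flake.lock hunks of this same commit (the `root.inputs` hunk only removes `authentik` and `terranix`), so the lock appears stale relative to flake.nix and `nix`/colmena will want to rewrite it at evaluation time, which also means the ds9 container's inputs are not actually pinned by what is committed here. Whatever nixpkgs the old configuration locks is what the `containers.ds9` guest keeps running, so it stops receiving updates when the root `nixpkgs` moves; consider `old-conf.inputs.nixpkgs.follows = "nixpkgs";` if the old tree still builds against it, or record the freeze explicitly, e.g. `# old-conf pins its own nixpkgs; the ds9 container does not track root nixpkgs`. The `# software` comment and the extra blank line added here look like leftovers from reordering.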
@@ -50,13 +54,14 @@ helix.inputs.nixpkgs.follows = "nixpkgs-master"; # csharp-language-server.url = "github:sofusa/csharp-language-server"; # csharp-language-server.inputs.nixpkgs.follows = "nixpkgs-master"; + - # authentik + # # authentik - authentik.url = "github:nix-community/authentik-nix"; - authentik.inputs.nixpkgs.follows = "nixpkgs"; - terranix.url = "github:terranix/terranix"; - terranix.inputs.nixpkgs.follows = "nixpkgs"; + # authentik.url = "github:nix-community/authentik-nix"; + # authentik.inputs.nixpkgs.follows = "nixpkgs"; + # terranix.url = "github:terranix/terranix"; + # terranix.inputs.nixpkgs.follows = "nixpkgs"; # non flake inputs, maybe use npins in the future? adw-colors.url = "github:lassekongo83/adw-colors"; @@ -66,6 +71,7 @@ mtxclient.url = "github:Nheko-Reborn/mtxclient"; mtxclient.flake = false; + }; outputs = @@ -110,7 +116,7 @@ inputs.lanzaboote.nixosModules.lanzaboote inputs.sops-nix.nixosModules.sops inputs.impermanence.nixosModules.impermanence - inputs.authentik.nixosModules.default + # inputs.authentik.nixosModules.default inputs.nix-index-database.nixosModules.nix-index ] ++ (import ./modules/module-list.nix); diff --git a/instances/ds9/configuration.nix b/instances/ds9/configuration.nix index 8f640680..f50cfd9d 100644 --- a/instances/ds9/configuration.nix +++ b/instances/ds9/configuration.nix 
@@ -2,35 +2,76 @@ config, pkgs, lib, + inputs, ... }: { nixpkgs.system = "x86_64-linux"; imports = [ ./hardware-configuration.nix - ./services/attic.nix - ./services/immich.nix - ./services/jellyfin.nix - ./services/paperless.nix - ./services/ytdl-sub.nix + # ./services/attic.nix + # ./services/immich.nix + # ./services/jellyfin.nix + # ./services/paperless.nix + # ./services/ytdl-sub.nix ]; time.timeZone = "Europe/Berlin"; + networking.hostId = "7b4c2337"; + + containers.ds9 = { + autoStart = true; + privateNetwork = true; + enableTun = true; + additionalCapabilities = [ + "CAP_NET_ADMIN" + "CAP_MKNOD" + "CAP_BPF" + "CAP_DAC_READ_SEARCH" + "CAP_SYS_RESOURCE" + "CAP_SYS_ADMIN" + ]; + hostAddress = "192.168.100.10"; + localAddress = "192.168.100.11"; + config = inputs.old-conf.nixosConfigurations.ds9.config; + bindMounts = { + "/data" = { + hostPath = "/data"; + isReadOnly = false; + }; + "/backup" = { + hostPath = "/backup"; + isReadOnly = false; + }; + "/persistent" = { + hostPath = "/persistent"; + isReadOnly = false; + }; + }; + }; + networking.nat.enable = true; + networking.nat.internalInterfaces = [ "ve-+" ]; + networking.nat.externalInterface = "eth0"; # TODO: changeme + + xyno.services.traefik = { + enable = true; + simpleProxy.oldds9 = { + host = "*.hailsatan.eu"; + internal = "https://192.168.100.11:443"; + }; + }; - networking.hostId = "7b4c2932"; - xyno.presets.cli.enable = true; xyno.presets.server.enable = true; - xyno.services.wireguard.enable = true; - xyno.services.caddy.enable = true; - xyno.services.monitoring.enable = true; - xyno.services.authentik.enable = true; + # xyno.services.wireguard.enable = true; + # xyno.services.caddy.enable = true; + # xyno.services.monitoring.enable = true; + # xyno.services.authentik.enable = true; xyno.presets.home-manager.enable = true; xyno.system.user.enable = true; xyno.networking.networkd = { enable = true; }; - - system.stateVersion = "24.11"; + system.stateVersion = "25.11"; } 
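Review bot: `additionalCapabilities` grants the `ds9` container `CAP_SYS_ADMIN` together with `CAP_MKNOD`, `CAP_BPF` and `CAP_DAC_READ_SEARCH`, and the guest gets `/data`, `/backup` and `/persistent` bind-mounted read-write, so a compromise of the old service stack inside the container is effectively a compromise of the host and the nspawn boundary buys little. Unless the old configuration demonstrably needs them (the commented-out podman experiment on theseus suggests nested OCI containers are the motivation), drop `CAP_SYS_ADMIN` and `CAP_DAC_READ_SEARCH`, and document the rest, e.g. `# CAP_NET_ADMIN/CAP_BPF: needed by <service>; CAP_SYS_ADMIN deliberately not granted`. `simpleProxy.oldds9.host = "*.hailsatan.eu"` is rendered as a `Host()` rule in traefik.nix, and Traefik's `Host` matcher is literal, so that router will never match; the wildcard needs a `HostRegexp` rule instead. `networking.nat.externalInterface = "eth0"; # TODO: changeme` is unlikely to be the uplink name under the networkd preset, so the guest has no masqueraded outbound path until the real interface is filled in. Also confirm that Traefik accepts the guest's certificate for the `https://192.168.100.11:443` backend — it verifies upstream TLS by default — or pin it through a `serversTransport` rather than disabling verification.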
diff --git a/instances/ds9/default.nix b/instances/ds9/default.nix index a324215e..b3553b11 100644 --- a/instances/ds9/default.nix +++ b/instances/ds9/default.nix @@ -1,11 +1,11 @@ { imports = [ ./configuration.nix ]; - xyno.services.monitoring.prometheusServer = true; + # xyno.services.monitoring.prometheusServer = true; xyno.meta = { sopsKey = "fada7e7be28e186e463ad745a38d17f36849d8a7"; }; - xyno.services.wireguard.pubKey = "aZvSeAhKG3B5I2My5IqQoSlntMzbCHM6OU92WEScohc="; + # xyno.services.wireguard.pubKey = "aZvSeAhKG3B5I2My5IqQoSlntMzbCHM6OU92WEScohc="; deployment = { - targetHost = "ds9.hailsatan.eu"; + targetHost = "ds9.xyno.systems"; }; } diff --git a/instances/theseus/configuration.nix b/instances/theseus/configuration.nix index 2401fbab..cc235155 100644 --- a/instances/theseus/configuration.nix +++ b/instances/theseus/configuration.nix @@ -12,6 +12,35 @@ let ''; in { + # containers.podmantest = { + # privateNetwork = true; + # enableTun = true; + # additionalCapabilities = [ + # "CAP_NET_ADMIN" + # "CAP_MKNOD" + # "CAP_BPF" + # "CAP_DAC_READ_SEARCH" + # "CAP_SYS_RESOURCE" + # "CAP_SYS_ADMIN" + # ]; + # hostAddress = "192.168.100.10"; + # localAddress = "192.168.100.11"; + # config = + # { ... }: + # { + # virtualisation.oci-containers.containers.test = { + # image = "docker.io/library/nginx"; + # ports = [ + # "80:80" + # "443:443" + # ]; + # }; + # }; + # }; + # networking.nat.enable = true; + # networking.nat.internalInterfaces = [ "ve-+" ]; + # networking.nat.externalInterface = "enp195s0f4u1u3"; + nixpkgs.system = "x86_64-linux"; imports = [ ./hardware-configuration.nix ]; boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; diff --git a/modules/desktop/waybar/cal.nix b/modules/desktop/waybar/cal.nix index 0cc35d99..8664509b 100644 --- a/modules/desktop/waybar/cal.nix +++ b/modules/desktop/waybar/cal.nix 
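Review bot: The `containers.podmantest` block added to the theseus configuration is entirely commented out, capability list (including `CAP_SYS_ADMIN`) and NAT setup included; committing an experiment as dead code in a production host file invites someone to uncomment it wholesale later. Either delete it (git history keeps it) or move it to a scratch module outside the import path, leaving at most a pointer such as `# podman-in-nspawn experiment: see experiments/podmantest.nix`. If it must stay, the capability list deserves a `# TODO: justify each capability before enabling` so it is not copied blindly into the next host.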
@@ -24,13 +24,14 @@ let UNTIL="1d" EVENT="$( - khal list "$SINCE" "$UNTIL" \ + (khal list "$SINCE" "$UNTIL" \ --day-format 'SKIPME' \ --format "{start-end-time-style} {title:.31}{repeat-symbol}" | grep -v SKIPME | # filter out headers grep -v -P '↦|↔ |⇥' | # filter out continuing all day events grep -v '^ ' | # exclude full-day events head -n 1 # show just the first + ) || echo "" )" if [ -z "$EVENT" ]; then diff --git a/modules/module-list.nix b/modules/module-list.nix index 3351eefb..8b2f5bac 100644 --- a/modules/module-list.nix +++ b/modules/module-list.nix @@ -23,8 +23,9 @@ ./presets/gui.nix ./presets/home-manager.nix ./presets/server.nix - ./services/authentik - ./services/caddy + # ./services/authentik + # ./services/caddy + ./services/traefik.nix ./services/monitoring.nix ./services/wireguard.nix ./system/impermanence.nix diff --git a/modules/presets/cli.nix b/modules/presets/cli.nix index 2b51fd1a..53ddffaf 100644 --- a/modules/presets/cli.nix +++ b/modules/presets/cli.nix @@ -1,5 +1,6 @@ { config, + inputs, lib, pkgs, ... @@ -44,6 +45,11 @@ in LC_COLLATE = "de_DE.UTF-8"; }; + nix.channel.enable = false; + nix.nixPath = [ + "nixpkgs=${inputs.nixpkgs}" + "nixpkgs-master=${inputs.nixpkgs-master}" + ]; nix.settings = { substituters = [ # "https://cache.lix.systems" @@ -55,6 +61,7 @@ in # "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o=" # "helix.cachix.org-1:ejp9KQpR1FBI2onstMQ34yogDm4OgU2ru6lIwPvuCVs=" ]; + trusted-users = lib.mkDefault [ "root" "@wheel" diff --git a/modules/services/caddy/default.nix b/modules/services/caddy/default.nix index bfdc9ea9..3986e1b0 100644 --- a/modules/services/caddy/default.nix +++ b/modules/services/caddy/default.nix 
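Review bot: Wrapping the khal pipeline in `( … ) || echo ""` makes every failure — khal missing, a broken calendar config, a locale error — indistinguishable from "no upcoming event", so the widget silently goes blank instead of surfacing the problem. Since `$EVENT` is already empty when the subshell fails, `|| true` expresses the intent more honestly; if the goal is only to survive `grep -v` exiting 1 when it filters everything out (which aborts the pipeline if the script runs under `set -o pipefail`, not visible here), say so with `# grep exits 1 when nothing passes the filters; don't treat that as an error`. Consider redirecting khal's stderr to a log rather than dropping it. The enclosing script starts before this hunk.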
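Review bot: This import puts `./services/traefik.nix` on the module path, but the traefik module it wires in (visible later in this diff) spells the static-config key `entryponts` twice; Traefik expects `entryPoints`, and its config parser rejects unknown fields, so the service would presumably refuse to start — and if it did start, the `web`/`websecure` listeners, the HTTPS redirect and the `letsencrypt` certResolver binding would not exist. Fix the key before this module goes live on ds9: `entryPoints.web = { … }; entryPoints.websecure = { … };`. `./services/caddy` and `./services/authentik` are commented out rather than removed; if they are meant to return, a short `# disabled during the ds9 container migration` explains why they linger.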
@@ -7,71 +7,16 @@ with lib; let cfg = config.xyno.services.caddy; - wildcardMatcherStr = wildcard: hostName: content: '' - @${hostName} host ${hostName}.${wildcard} - handle @${hostName} { - ${content.extraConfig} - } - - ''; - genOneWildcard = wildcard: host: { - extraConfig = '' - # extra pre - ${host.extraConfigPre} - # block bots - ${optionalString host.blockBots "import blockBots"} - # hosts handler - ${concatStrings (mapAttrsToList (n: v: wildcardMatcherStr wildcard n v) host.hosts)} - # extra post - ${host.extraConfigPost} - abort - ''; + schema = import ./json-schema.nix { + inherit pkgs lib; + schema = builtins.fromJSON (builtins.readFile ./caddy_schema.json); }; - genVHostsFromWildcard = mapAttrs' ( - n: v: nameValuePair "*.${n}" (genOneWildcard n v) - ) cfg.wildcardHosts; - schema = import ./json-schema.nix { inherit pkgs lib; schema = builtins.fromJSON (builtins.readFile ./caddy_schema.json); }; in { options.xyno.services.caddy.enable = mkEnableOption "enables caddy with the desec plugin"; options.xyno.services.caddy.config = mkOption { - default = {}; - type = schema.type; - }; - options.xyno.services.caddy.wildcardHosts = mkOption { - example = { - "hailsatan.eu" = { - blockBots = true; - hosts.md.extraConfig = ''reverse_proxy ...''; - }; - }; default = { }; - type = - with types; - attrsOf (submodule { - options = { - blockBots = mkOption { - type = bool; - default = false; - }; - extraConfigPre = mkOption { - type = str; - default = ""; - }; - extraConfigPost = mkOption { - type = str; - default = ""; - }; - hosts = mkOption { - default = {}; - type = attrsOf (submodule { - options = { - extraConfig = mkOption { type = lines; }; - }; - }); - }; - }; - }); + type = schema.type; }; config = lib.mkIf cfg.enable { networking.firewall.allowedTCPPorts = [ 
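Review bot: This hunk reworks the caddy module's options (dropping `wildcardHosts`, keeping the schema-typed `config`), yet the same commit comments `./services/caddy` out of `modules/module-list.nix`, so nothing here is evaluated anymore and the file becomes a half-finished migration left as dead code — the following hunk even leaves `token.path = ""; # TODO` for the DNS credential. Either finish it or remove the file; if it is kept for reference, a header such as `# NOTE: not imported (see module-list.nix); superseded by services/traefik.nix` stops the next reader from assuming it is live. The `enable` option's description still advertises "caddy with the desec plugin" while the deSEC token wiring now lives in the traefik module.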
@@ -79,34 +24,32 @@ in 443 ]; networking.firewall.allowedUDPPorts = [ 443 ]; + xyno.services.caddy.config = { + apps = { + http.metrics.per_host = true; + tls.automation.policies = [ + { + issuers = [ + { + ca = "https://acme-v02.api.letsencrypt.org/directory"; + challenges.dns.provider = { + name = "desec"; + token.path = ""; # TODO + + }; + } + ]; + module = "acme"; + } + ]; + }; + }; + services.caddy = { enable = true; package = pkgs.caddy-desec; adapter = "json"; configFile = json.generate "caddy-config.json" cfg.config; - # virtualHosts = genVHostsFromWildcard; - # email = mkDefault "ssl@xyno.systems"; - # acmeCA = mkDefault "https://acme-v02.api.letsencrypt.org/directory"; - # globalConfig = '' - # metrics { - # per_host - # } - # ''; - # extraConfig = '' - # (blockBots) { - # @botForbidden header_regexp User-Agent "(?i)AdsBot-Google|Amazonbot|anthropic-ai|Applebot|Applebot-Extended|AwarioRssBot|AwarioSmartBot|Bytespider|CCBot|ChatGPT|ChatGPT-User|Claude-Web|ClaudeBot|cohere-ai|DataForSeoBot|Diffbot|FacebookBot|Google-Extended|GPTBot|ImagesiftBot|magpie-crawler|omgili|Omgilibot|peer39_crawler|PerplexityBot|YouBot" - - # handle @botForbidden { - # redir https://hil-speed.hetzner.com/10GB.bin - # } - # handle /robots.txt { - # respond < 2 then lib.concatStringsSep "." 
(builtins.tail spl) else spl; + in + { + routers.${router} = { + inherit service; + rule = "Host(`${v.host}`)"; + tls.domains = [ + { + main = certDomain; + sans = [ "*.${certDomain}" ]; + } + ]; + }; + services.${service} = { + loadBalancer.servers = [ + { url = v.internal; } + ]; + + }; + } + ) cfg.simpleProxy; +in +{ + options.xyno.services.traefik.enable = lib.mkEnableOption "enables traefik"; + options.xyno.services.traefik.simpleProxy = lib.mkOption { + example = { + "example" = { + host = "example.org"; + middlewares = [ "meow" ]; + internal = "http://127.0.0.1:8080"; + }; + }; + default = { }; + type = lib.types.attrsOf ( + lib.types.submodule { + options = { + middlewares = lib.mkOption { + type = lib.types.nullOr (lib.types.listOf lib.types.str); + }; + internal = lib.mkOption { + type = lib.types.str; + }; + host = lib.mkOption { + type = lib.types.str; + }; + }; + } + ); + + }; + config = lib.mkIf cfg.enable { + services.traefik = { + enable = true; + environmentFiles = [ + config.sops.templates."traefik.env".path + ]; + staticConfigOptions = { + metrics = lib.mkIf config.xyno.services.monitoring.enable { + otlp.http.endpoint = "http://localhost:8429/v1/metrics"; + }; + entryponts.web = { + address = ":80"; + redirections.entryPoint = { + to = "websecure"; + scheme = "https"; + permanent = true; + }; + }; + entryponts.websecure = { + address = ":443"; + tls.certResolver = "letsencrypt"; + http3 = { }; + + }; + log.level = "INFO"; + certificatesResolvers.letsencrypt.acme = { + email = "ssl@xyno.systems"; + caServer = "https://acme-v02.api.letsencrypt.org/directory"; + dnsChallenge = { + provider = "desec"; + }; + }; + }; + dynamicConfigOptions = { + http = simpleProxyOpts; + tls.options.default = { + # mozilla modern + minVersion = "VersionTLS13"; + curvePreferences = [ + "X25519" + "CurveP256" + "CurveP384" + ]; + }; + tls.options.old = { + # mozilla intermediate + minVersion = "VersionTLS12"; + curvePreferences = [ + "X25519" + "CurveP256" + 
"CurveP384" + ]; + cipherSuites = [ + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" + "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305" + "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305" + ]; + + }; + }; + }; + networking.firewall.allowedTCPPorts = [ + 80 + 443 + ]; + networking.firewall.allowedUDPPorts = [ 443 ]; + xyno.impermanence.directories = [ config.services.traefik.dataDir ]; + sops.secrets."desec_token" = { + }; + sops.templates."traefik.env".content = '' + DESEC_TOKEN=${config.sops.placeholder.desec_token} + DESEC_PROPAGATION_TIMEOUT=1200 + ''; + sops.templates."traefik.env".reloadUnits = [ "traefik.service" ]; + # services.borgmatic.settings.traefikql_databases = [ + # { + # name = "all"; # gets run as root anyways so can log in + # } + # ]; + + }; +} diff --git a/secrets/common.yaml b/secrets/common.yaml index 0c72d97d..2b1fbc70 100644 --- a/secrets/common.yaml +++ b/secrets/common.yaml @@ -1,5 +1,6 @@ victoriametrics: basicAuthPassword: ENC[AES256_GCM,data:5QuhkQ344qDYzhGZBJimaX94C6oxgYBRZw4MSlycdgs6zRAudMIu/HF1gpjythQpait81jMpFhIn57w433s7QQ==,iv:gytJ63cBaJseCis7gEPmOX6LeddNloQsTjc1SnS56jo=,tag:Jn6TevGsBEeHxYmVHy896w==,type:str] +desec_token: ENC[AES256_GCM,data:3aqlfpAEMyOSNGdLXm4lc0VZajduPkTYkYd+WA==,iv:sktNkKWaD/hjsQpSJzAZeCvwYXfvkhQ2A44BKedCZRg=,tag:XbxIr09c60V0PMDitSOD/w==,type:str] wg: psk: ENC[AES256_GCM,data:Anpe6IxtzsqZyvas+ddV3yjJozdZgZOl2KG/Z4YtWUB5gAVLtxsQKc/WA/M=,iv:j/A5k2VXbdqUDXEd1WRfJYdb3DsUZ1B9gPHCpDpRjmw=,tag:KQGi1O5iP2+nQccgBzytSQ==,type:str] msmtp: 
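Review bot: `desec_token` lands in `secrets/common.yaml`, which — judging by its name and the fleet-wide secrets already in it (`wg.psk`, `msmtp`) — is presumably decryptable by every host's key, so a DNS API token that can satisfy ACME challenges for the whole zone becomes readable from any compromised machine, not only ds9 where traefik consumes it. Move it to a per-host secrets file keyed to ds9's `sopsKey`, and on the deSEC side restrict the token to writing `_acme-challenge` TXT records (deSEC token policies, optionally with `allowed_subnets`) so a leak cannot rewrite A or MX records and take over the domain. The sops `mac`/`lastmodified`/`version` changes below are routine.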
@@ -10,8 +11,8 @@ msmtp: password: ENC[AES256_GCM,data:mAgsvDPzt8f/RB/2T8nrd+KUcuxUGIdCBDs5sFla5x0=,iv:qndiiKTuSpbf/gtNXPaZ6AnHHwzZ7IPJrDFriM7bKwE=,tag:5j+gjpaxIu03x1lBkRMLhQ==,type:str] aliases: ENC[AES256_GCM,data:fOZRYZ8rVs3IXhiS+VaP54gF4bir66oIZvb7ZfKV,iv:bsmh1ZCwERZuHrvORP68hj5Gz7j3+K6ZW8BR3/IQVQg=,tag:jWozmXpjk3JHCINSgP4KGg==,type:str] sops: - lastmodified: "2025-09-06T16:50:17Z" - mac: ENC[AES256_GCM,data:QdWLok9IBqTaO3StKRiAXcMIZSV5YJQoYY+3cZZ7xARbmvn5cDqnapv3HIJju7v5V48tNG3aXy1nJHG4kKVuDIMd7s7PPjLL1k0dEsnTs4YwE8XugZX86nXuSUZeUuQNfnR9sFOKho/o/I9W5hCp0IcEgo+Bs1dD3IvYxuv6Nzk=,iv:IHEDtI6lo76qPgBvBETg/SiT/tfFivN8r8J7tt93IbQ=,tag:ifW8UVaf5r8Y9HUUtCkAQQ==,type:str] + lastmodified: "2025-11-19T16:17:02Z" + mac: ENC[AES256_GCM,data:dt2iRLTxfPWpYlxsZnOQgtUAvU/MWoXp6eLOJgP/uWLe5ooeU5K868I7PQNVGEnqkJGZTiiENpY7mkmt0niKn2nw7nD5KzRPMvFZ0/JXrLkzCScBfJDlbcuTtKFVqlDkPpz7kgF+fQy1cg5KiDyc9bsJAi/9qHhQHF3wFbeG5rI=,iv:E6YtLKZdnqgVZKx/goxdvn41p+hfMpkSbc7FJ/3yXQA=,tag:6iW9vkEsEuXOhptGdDwpdw==,type:str] pgp: - created_at: "2025-09-06T16:37:33Z" enc: |- @@ -63,4 +64,4 @@ sops: -----END PGP MESSAGE----- fp: b730b2bf54eb792a14bfd3e68c14c08894376c5f unencrypted_suffix: _unencrypted - version: 3.10.2 + version: 3.11.0