James/eve-psr-nix0
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: James:f795bf54b3e3499b1ca2507b5adf9e583a48ffad
Branches Tags
James:main
...
compare: James:b27d748e3083cc787aecc167da3cadec60bfe8ca
Branches Tags
James:main

4 Commits
f795bf54b3 ... b27d748e30

Author SHA1 Message Date
James Eversole
b27d748e30 Lock down services to LAN 2025-04-22 13:41:00 -05:00
James Eversole
2034274ee0 Migrate from WG to TS/HS 2025-04-22 13:41:00 -05:00
James Eversole
041bba5aeb nix flake update; gitea runner 2025-04-22 13:41:00 -05:00
James Eversole
cff684720f Enable gitea, remove softserve 2025-04-22 13:41:00 -05:00
11 changed files with 117 additions and 116 deletions
Show Stats Expand all files Collapse all files

33
flake.lock generated
View File

@ -10,11 +10,11 @@
"systems": "systems"
},
"locked": {
"lastModified": 1723293904,
"narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
"lastModified": 1736955230,
"narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=",
"owner": "ryantm",
"repo": "agenix",
"rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
"rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c",
"type": "github"
},
"original": {
@ -63,11 +63,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1734991663,
"narHash": "sha256-8T660guvdaOD+2/Cj970bWlQwAyZLKrrbkhYOFcY1YE=",
"lastModified": 1741332913,
"narHash": "sha256-ri1e8ZliWS3Jnp9yqpKApHaOo7KBN33W8ECAKA4teAQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6c90912761c43e22b6fb000025ab96dd31c971ff",
"rev": "20755fa05115c84be00b04690630cb38f0a203ad",
"type": "github"
},
"original": {
@ -78,14 +78,17 @@
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1733096140,
"narHash": "sha256-1qRH7uAUsyQI7R1Uwl4T+XvdNv778H0Nb5njNrqvylY=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz"
"lastModified": 1740877520,
"narHash": "sha256-oiwv/ZK/2FhGxrCkQkB83i7GnWXPPLzoqFHpDD3uYpk=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "147dee35aab2193b174e4c0868bd80ead5ce755c",
"type": "github"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz"
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"parts": {
@ -93,11 +96,11 @@
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1733312601,
"narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
"lastModified": 1741352980,
"narHash": "sha256-+u2UunDA4Cl5Fci3m7S643HzKmIDAe+fiXrLqYsR2fs=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
"rev": "f4330d22f1c5d2ba72d3d22df5597d123fdb60a9",
"type": "github"
},
"original": {

2
flake.nix
View File

@ -50,6 +50,7 @@
nix-serve-ng.nixosModules.default
./nix/application/containers.nix
./nix/application/headscale.nix
./nix/application/miniflux.nix
./nix/application/nginx.nix
./nix/application/postgresql.nix
@ -68,7 +69,6 @@
./nix/system/security.nix
./nix/system/system.nix
./nix/system/virtualisation.nix
./nix/system/wireguard.nix
./nix/user/users.nix
];

55
nix/application/containers.nix
View File

@ -22,6 +22,44 @@
[ config.age.secrets.atuin-env.path ];
};
gitea = {
image = "docker.io/gitea/gitea:1.23.0-rc0-rootless";
volumes = [ "/home/sezycei/srv/containerdata/gitea/data:/var/lib/gitea"
"/home/sezycei/srv/containerdata/gitea/config:/etc/gitea"
];
ports = [ "8027:3000" "23231:2222"];
environment =
{
GITEA_APP_INI = "/etc/gitea/app.ini";
GITEA_CUSTOM = "/var/lib/gitea/custom";
GITEA_TEMP = "/tmp/gitea";
GITEA_WORK_DIR = "/var/lib/gitea";
HOME = "/var/lib/gitea/git";
TMPDIR = "/tmp/gitea";
USER_GID = "1000";
USER_UID = "1000";
};
};
gitea-runner = {
image = "docker.io/gitea/act_runner:latest";
volumes = [ "/home/sezycei/srv/containerdata/gitea/runner/config.yaml:/config.yaml"
"/home/sezycei/srv/containerdata/gitea/runner/data:/data"
"/run/podman/podman.sock:/var/run/docker.sock"
];
environment =
{
CONFIG_FILE = "/config.yaml";
GITEA_INSTANCE_URL = "https://git.eversole.co";
GITEA_RUNNER_REGISTRATION_TOKEN = "Rxl7OYPb4ysOmDZB3jnmzm7hJtQQYeaKHdn4jrbR";
GITEA_RUNNER_NAME = "nix0-primary";
};
};
jellyfin = {
image = "linuxserver/jellyfin:latest";
ports = [ "8096:8096" "8920:8920" ];
@ -93,23 +131,6 @@
};
};
softserve = {
image = "charmcli/soft-serve:v0.8.1";
ports = [
"23231:23231"
"23232:23232"
"23233:23233"
"9418:9418"
];
volumes = [ "/home/sezycei/srv/containerdata/soft-serve/data:/soft-serve" ];
environment = {
SOFT_SERVE_NAME = "git.eversole.co";
SOFT_SERVE_HTTP_PUBLIC_URL = "git.eversole.co";
SOFT_SERVE_GIT_MAX_CONNECTIONS = "10";
SOFT_SERVE_INITIAL_ADMIN_KEYS = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCzsewMuoEbC0DwwNK23ZJb/ncpNtUuEgZNI2EdAsc7RnhIOhQBxj237qNMhh2mF/8hkASJZ2e4wrmNkjBM7aaz8mrcDY9rG23JMfnGiP4cU6dBC/NqHOuJypt6X28FI5I+dgw2T40sdIbkWAXOr5u5EAJcO6ROdas4zYSPHwl95s3txoGtQrQtgLHgddWMCr53n5KMwFUmqwM1ovVPZplZGaGG5m6VwBkjA0GZQPVFC+RIg6kIp9vUlsAlzPrlDqhTR32jazvaONNBsyUTuE+CJjitU4xoBs67jIFTcesMiFdThKt2HTq1AhXqiUgIfKaDvHfjzWLT8GihxDLpTBxS8G1qWlvkSja09nB/Pn1Y6XqgczM/y51OloowbvuskDZleFoapSYmJdq+rqSCoJ3JCykNGOcpdSBCucnDgR6CHEUPkJJoR0iCrK0ACEIxWhFuSterh/P8gxcH3e2PdcgxO8SfSBagdizOnDsWOw1SR8w6wVOLRrczMyx3hDXoabs= james@eversole.co";
};
};
transmission = {
image = "haugene/transmission-openvpn:5.3.1";
ports = [ "9091:9091" ];

23
nix/application/headscale.nix Normal file
View File

@ -0,0 +1,23 @@
{ pkgs, config, ...}: {
services.headscale = {
enable = true;
address = "0.0.0.0";
port = 35893;
settings = {
dns = {
base_domain = "vpn.matri.cx";
nameservers.global = ["192.168.0.130" "1.1.1.1"];
};
logtail.enabled = false;
noise.private_key_path = "/var/lib/headscale/noise_private.key";
server_url = "https://vpn.matri.cx:443";
};
};
services.tailscale = {
enable = true;
extraUpFlags = [
"--accept-routes" "--advertise-exit-node" "--advertise-routes=192.168.0.0/24" "--login-server=https://vpn.matri.cx"
];
useRoutingFeatures = "both";
};
}

45
nix/application/nginx.nix
View File

@ -33,24 +33,27 @@
};
};
proxiedLAN = { target }: base {
proxiedLAN = { target, extra ? ""}: base {
"/" = {
proxyPass = target;
extraConfig = ''
allow 192.168.0.0/24;
deny all;
'';
extraConfig = allowedLANAddrs + extra;
};
};
allowedLANAddrs = ''
allow 127.0.0.1;
allow 192.168.0.0/24;
allow 100.64.0.0/24;
deny all;
'';
in
{
"default.host" = { default = true; root = "/var/www/default";};
"atuin.matri.cx" = proxied { target = "http://127.0.0.1:8888"; };
"brohan.lol" = static { dir = "/var/www/brohan.lol"; };
"cache.matri.cx" = proxiedLAN {
target = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
};
"caitlynncox.com" = static { dir = "/var/www/caitlynncox.com"; };
"dallasmed65.com" = static { dir = "/var/www/dallasmed65.com"; };
"docker.matri.cx" = proxiedAuth {
auth = config.age.secrets.htpasswd-dock.path;
target = "http://127.0.0.1:3001";
@ -59,15 +62,13 @@
'';
};
"eversole.co" = proxied { target = "http://127.0.0.1:5196"; };
"flux.matri.cx" = proxied { target = "http://127.0.0.1:26343"; };
"git.eversole.co" = {
enableACME = true;
forceSSL = true;
locations."/" = { root = "/var/www/git.eversole.co"; tryFiles = "$uri $uri/ @git"; };
locations."@git" = { proxyPass = "http://127.0.0.1:23232"; priority = 600; };
"flux.matri.cx" = proxiedLAN { target = "http://127.0.0.1:26343"; };
"git.eversole.co" = proxied { target = "http://127.0.0.1:8027"; };
"graf.matri.cx" = { # refer to /monitoring/nginx.nix
root = "/var/www/graf.matri.cx";
extraConfig = allowedLANAddrs;
};
"graf.matri.cx" = { root = "/var/www/graf.matri.cx"; }; # refer to /monitoring/nginx.nix
"hydra.matri.cx" = proxied {
"hydra.matri.cx" = proxiedLAN {
target = "http://127.0.0.1:3034";
extra = ''
proxy_set_header X-Request-Base "https://hydra.matri.cx";
@ -75,12 +76,20 @@
};
"jame.su" = static { dir = "/var/www/jame.su"; };
"matri.cx" = static { dir = "/var/www/matri.cx"; };
"media.matri.cx" = proxied { target = "http://127.0.0.1:8096"; };
"pw.eversole.co" = proxied { target = "http://127.0.0.1:40080"; };
"media.matri.cx" = proxiedLAN { target = "http://127.0.0.1:8096"; };
"purr.eversole.co" = proxied { target = "http://127.0.0.1:5195"; };
"pw.eversole.co" = proxiedLAN { target = "http://127.0.0.1:40080"; };
"sezycei.com" = static { dir = "/var/www/sezycei.com"; };
"snakebelmont.com" = static { dir = "/var/www/snakebelmont.com"; };
"transmission.matri.cx" = proxiedLAN { target = "http://127.0.0.1:9091"; };
"purr.eversole.co" = proxied { target = "http://127.0.0.1:5195"; };
"vpn.matri.cx" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:${toString config.services.headscale.port}";
proxyWebsockets = true;
};
};
};
};
}

2
nix/system/age.nix
View File

@ -3,7 +3,6 @@
secrets = {
atuin-env.file = ../../secrets/atuin-env.age;
cache-key.file = ../../secrets/cache-key.age;
gitlab-runner.file = ../../secrets/gitlab-runner.age;
graf-email = {
file = ../../secrets/graf-email.age;
mode = "770";
@ -23,7 +22,6 @@
"restic/env".file = ../../secrets/restic/env.age;
"restic/password".file = ../../secrets/restic/env.age;
"restic/repo".file = ../../secrets/restic/env.age;
"wireguard/server-private".file = ../../secrets/wireguard/server-private.age;
};
identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
};

19
nix/system/network.nix
View File

@ -1,15 +1,16 @@
{ ... }: {
{ config, ... }: {
networking = {
hostName = "eve-psr-nix0";
firewall = {
allowedTCPPorts = [ 22 80 443 23231 23232 23233 ];
allowedUDPPorts = [ 53 51820 ];
trustedInterfaces = [ "tun0" ];
};
nat = {
enable = true;
externalInterface = "enp1s0";
internalInterfaces = [ "tun0" "wg0" ];
allowedTCPPorts = [ 22 80 443 5000 23231 23232 23233 ];
allowedUDPPorts = [ 53 51820 config.services.tailscale.port ];
extraCommands = ''
iptables -t nat -A POSTROUTING -s 100.64.0.0/10 -o enp1s0 -j MASQUERADE
'';
extraStopCommands = ''
iptables -t nat -D POSTROUTING -s 100.64.0.0/10 -o enp1s0 -j MASQUERADE
'';
};
nat.enable = true;
};
}

33
nix/system/wireguard.nix
View File

@ -1,33 +0,0 @@
{ pkgs, config, lib, ...}: {
networking.wireguard.interfaces = {
wg0 = {
ips = [ "192.168.3.1/24" ];
listenPort = 51820;
privateKeyFile = "/run/agenix/wireguard/server-private";
peers = [
#
# James
#
{ # Primary Cell
publicKey = "jko+bd/y1+3X40/AGX9OpV2H/Wlb9C2Jwkfs4Knjljg=";
allowedIPs = [ "192.168.3.2/32" ];
}
#
# Caitlynn
#
{ # Primary Cell
publicKey = "Xbp3+huOWE0sTcWtk5BA2Qc4gk5vjFVgE6+qYJBpgkY=";
allowedIPs = [ "192.168.3.3/32" ];
}
];
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -o eth0 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 192.168.3.0/24 -o eth0 -j MASQUERADE
'';
};
};
}

2
secrets.nix
View File

@ -8,7 +8,6 @@ in
{
"secrets/atuin-env.age" = { publicKeys = all; };
"secrets/cache-key.age" = { publicKeys = all; };
"secrets/gitlab-runner.age" = { publicKeys = all; };
"secrets/graf-email.age" = { publicKeys = all; };
"secrets/htpasswd-dock.age" = { publicKeys = all; };
"secrets/keys.age" = { publicKeys = all; };
@ -18,5 +17,4 @@ in
"secrets/restic/env.age" = { publicKeys = all; };
"secrets/restic/repo.age" = { publicKeys = all; };
"secrets/restic/password.age" = { publicKeys = all; };
"secrets/wireguard/server-private.age" = { publicKeys = all; };
}

11
secrets/gitlab-runner.age
View File

@ -1,11 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 dQ70Fw 1Y4XyvfewFemjm/3N6v2HKdO+kf3l9zWjR4gm+OL/Wo
7G5Ipgr3ZjRBpQrKWQoqLhAGYk1lwyGZBLsbiGi5eNo
-> ssh-ed25519 ZIoeGg pxNvqGCNvjT+6DrKIfZW0O28lKY7OKRtV5uvurhFWSk
fGcCiYWChBAuHJ4764adKj+btYt410oaKtfDlJzfHR4
-> A"-uU"q-grease p] \?3MHe D,
xpBFoA2Gd3mh877T3WnAvfM6eaB4QF+PXltWXWb4vD28xAZCstZX7yFJ31W/ZUW1
PcEj2vP/t4OpIRkjgBcrwi/iaaAOO4d1AH252iN9YlNVO0JJMWLcOxAB
--- ewj86Tn8VoLJ44f8q8eKrtFvDLpLVmJfhPydTDsm5VY
iräù<EFBFBD>RÔÂ>·v<ÓÉgÁxhñ>ÁØþjÓjgä
ÂYÛ £˜1—)R©ìx•C¨ë2¬'<02>î¾,d﯈s(0¶ö¸ 'ä’öd©õLIÛflÉ`g&šå—ô3ˆhÆgñAêSˆ(<28>

8
secrets/wireguard/server-private.age
View File

@ -1,8 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 dQ70Fw ZqaqvUw6odr77kBeC+N9p8bFMYzD7MLCSAVi302J2VQ
BUJX5uq5cd3jOFNOUnDHdcxV8OPkcY+W/aJnY3XaLCI
-> ssh-ed25519 ZIoeGg y4LMGxFwIpd96YK7HjOQoHumpYqTklh1i3utAUTrMgg
37dz1lwZoHwCwrTsaCnX9mrQzGrEoP5RHjNV0Kasid4
--- 4tniCsqDuqZYGNn98GmgV8BS18E+0ANnjKWQU4wWHOs
¹Â?;HŠª ˜&{û Ńt•c«y8<#É༄ªm¾±äk8
šPèKH¬ÆÁ±Ow˜Ôéf¶}¿Pº`¯¾+…ßÝ5wÉot