From 566f22e61fa93868c3ec59c371d2eaaff4e5321f Mon Sep 17 00:00:00 2001 From: notohh Date: Fri, 6 Oct 2023 23:28:31 -0400 Subject: [PATCH 01/11] forgejo: enable ssh --- hosts/sakura/services/forgejo.nix | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/hosts/sakura/services/forgejo.nix b/hosts/sakura/services/forgejo.nix index ed785c8..401d1d2 100644 --- a/hosts/sakura/services/forgejo.nix +++ b/hosts/sakura/services/forgejo.nix @@ -20,9 +20,14 @@ }; server = { HTTP_PORT = 3200; - DOMAIN = "git.notohh.dev"; + DOMAIN = "git.flake.sh"; ROOT_URL = "https://git.flake.sh"; LANDING_PAGE = "/explore/repos"; + START_SSH_SERVER = true; + SSH_DOMAIN = "git.flake.sh"; + SSH_PORT = 2222; + SSH_LISTEN_PORT = 2222; + SSH_LISTEN_HOST = "100.121.201.47"; }; database = { DB_TYPE = lib.mkForce "postgres"; -- 2.47.0 From bbed561d34385ee93b273d6b9d7d9d2d9d5c0be4 Mon Sep 17 00:00:00 2001 From: notohh Date: Sat, 7 Oct 2023 10:29:47 -0400 Subject: [PATCH 02/11] hosts: route all traffic through tailscale --- flake.lock | 110 ++++++++++++++-------------- hosts/sakura/services/default.nix | 1 + hosts/sakura/services/tailscale.nix | 41 +++++++++++ hosts/sakura/services/traefik.nix | 49 ------------- hosts/sora/services/default.nix | 1 + hosts/sora/services/tailscale.nix | 41 +++++++++++ hosts/sora/services/traefik.nix | 50 ++++++++++++- secrets/secrets.yaml | 6 +- 8 files changed, 192 insertions(+), 107 deletions(-) create mode 100644 hosts/sakura/services/tailscale.nix create mode 100644 hosts/sora/services/tailscale.nix diff --git a/flake.lock b/flake.lock index fc161b8..6c63375 100644 --- a/flake.lock +++ b/flake.lock 
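Review bot: `SSH_LISTEN_HOST = "100.121.201.47"` binds Forgejo's built-in SSH server to a Tailscale address that only exists once tailscaled has configured its interface, so a bind failure at boot is possible if forgejo starts first, and nothing in this hunk orders it after tailscale. Either add `systemd.services.forgejo = { after = ["tailscale.service"]; wants = ["tailscale.service"]; };` (and a `Restart`/`RestartSec` to cover the remaining race), or listen on all interfaces and let the host firewall do the restriction, which the later patches in this series already narrow to the tailscale interface. A one-line comment that `SSH_PORT = 2222` is the port advertised in clone URLs and must stay in step with whatever fronts it externally would also help the next reader. The `server` attribute set continues outside the hunk.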
@@ -11,11 +11,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1693439040, - "narHash": "sha256-t2nOxBcP0Q/XJt6Ild4v0hJ49OSl9F3nE1cdIT4xsDg=", + "lastModified": 1695511445, + "narHash": "sha256-mnE14re43v3/Jc50Jv0BKPMtEk7FEtDSligP6B5HwlI=", "owner": "ipetkov", "repo": "crane", - "rev": "174604795d316b75777e28185c3a4918bc69b399", + "rev": "3de322e06fc88ada5e3589dc8a375b73e749f512", "type": "github" }, "original": { @@ -83,11 +83,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1690933134, - "narHash": "sha256-ab989mN63fQZBFrkk4Q8bYxQCktuHmBIBqUG1jl6/FQ=", + "lastModified": 1693611461, + "narHash": "sha256-aPODl8vAgGQ0ZYFIRisxYG5MOGSkIczvu2Cd8Gb9+1Y=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "59cf3f1447cfc75087e7273b04b31e689a8599fb", + "rev": "7f53fdb7bdc5bb237da7fefef12d099e4fd611ca", "type": "github" }, "original": { @@ -101,11 +101,11 @@ "systems": "systems_2" }, "locked": { - "lastModified": 1689068808, - "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=", + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", "owner": "numtide", "repo": "flake-utils", - "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", "type": "github" }, "original": { @@ -139,11 +139,11 @@ ] }, "locked": { - "lastModified": 1695984718, - "narHash": "sha256-LQwKgaaaFOkIcxarf0xQXeDJFwZ5BZWcgmPeo3xp2CM=", + "lastModified": 1696371324, + "narHash": "sha256-0ycIheYRxzPOL9XBWiAm/af9cqRmsiy701OpjsRsKiw=", "owner": "nix-community", "repo": "home-manager", - "rev": "4f02e35f9d150573e1a710afa338846c2f6d850c", + "rev": "e63c30fe9792b57dea1eab98be6871a0e42a33c9", "type": "github" }, "original": { 
@@ -163,11 +163,11 @@ "xdph": "xdph" }, "locked": { - "lastModified": 1696034465, - "narHash": "sha256-4/jscEYXk8x1wkjpP6EFnsMpp9h9ITQXaZsg+iVxen4=", + "lastModified": 1696367817, + "narHash": "sha256-r16HUij8M3c0JMLLPaLdRJLHlSBhtVBWsR2+JZSW1B8=", "owner": "hyprwm", "repo": "Hyprland", - "rev": "c298439433f9b6861c7c62ea587289ac2e4ef2f8", + "rev": "d61e4f9ad75d51f15eac6bced13439899d66a950", "type": "github" }, "original": { @@ -211,11 +211,11 @@ "rust-overlay": "rust-overlay_2" }, "locked": { - "lastModified": 1695668783, - "narHash": "sha256-pXVei5KZMxALQ8ibx0oqbfh5N/FI3VzJHodDNAh41xE=", + "lastModified": 1696275091, + "narHash": "sha256-6/bnExKrZJ9GvveJwTdjIWHuJY0n8Y1pyqnsq5/4xP0=", "owner": "JakeStanger", "repo": "ironbar", - "rev": "0c0163cfa1a8c0286edf231507026dd6f5798644", + "rev": "abbd3ab62339a3ac9665dbaf7b66c23f0ae7bc64", "type": "github" }, "original": { @@ -249,11 +249,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1692351612, - "narHash": "sha256-KTGonidcdaLadRnv9KFgwSMh1ZbXoR/OBmPjeNMhFwU=", + "lastModified": 1694081375, + "narHash": "sha256-vzJXOUnmkMCm3xw8yfPP5m8kypQ3BhAIRe4RRCWpzy8=", "owner": "nix-community", "repo": "naersk", - "rev": "78789c30d64dea2396c9da516bbcc8db3a475207", + "rev": "3f976d822b7b37fc6fb8e6f157c2dd05e7e94e89", "type": "github" }, "original": { @@ -271,11 +271,11 @@ ] }, "locked": { - "lastModified": 1694971480, - "narHash": "sha256-5UKSMDiboMIs15WN6jbctJgYfnGPfkHhvWWaboB2rGk=", + "lastModified": 1696149398, + "narHash": "sha256-RwlAyww4bzeu2ndeQoScelYtlYiSxPdCn70R+xGdZBc=", "owner": "viperML", "repo": "nh", - "rev": "4b88da6fc89bf06d6598ce9a881590a7cc0dcafd", + "rev": "2985f5a45d6f3e1a9d8d3ca5c777ef1bc9c7fbd1", "type": "github" }, "original": { 
@@ -286,11 +286,11 @@ }, "nix-filter": { "locked": { - "lastModified": 1687178632, - "narHash": "sha256-HS7YR5erss0JCaUijPeyg2XrisEb959FIct3n2TMGbE=", + "lastModified": 1694857738, + "narHash": "sha256-bxxNyLHjhu0N8T3REINXQ2ZkJco0ABFPn6PIe2QUfqo=", "owner": "numtide", "repo": "nix-filter", - "rev": "d90c75e8319d0dd9be67d933d8eb9d0894ec9174", + "rev": "41fd48e00c22b4ced525af521ead8792402de0ea", "type": "github" }, "original": { @@ -306,11 +306,11 @@ ] }, "locked": { - "lastModified": 1695526222, - "narHash": "sha256-/NwZz3QcVplrfiDKk1thYg1EIHLSNucVHNUi2uwO3RI=", + "lastModified": 1696131323, + "narHash": "sha256-Y47r8Jo+9rs+XUWHcDPZtkQs6wFeZ24L4CQTfVwE+vY=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "25d6369c232bbea1ec1f90226fd17982e7a0a647", + "rev": "031d4b22505fdea47bd53bfafad517cd03c26a4f", "type": "github" }, "original": { @@ -321,11 +321,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1693355128, - "narHash": "sha256-+ZoAny3ZxLcfMaUoLVgL9Ywb/57wP+EtsdNGuXUJrwg=", + "lastModified": 1695978539, + "narHash": "sha256-lta5HToBZMWZ2hl5CautNSUgIZViR41QxN7JKbMAjgQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a63a64b593dcf2fe05f7c5d666eb395950f36bc9", + "rev": "bd9b686c0168041aea600222be0805a0de6e6ab8", "type": "github" }, "original": { @@ -336,11 +336,11 @@ "nixpkgs-lib": { "locked": { "dir": "lib", - "lastModified": 1690881714, - "narHash": "sha256-h/nXluEqdiQHs1oSgkOOWF+j8gcJMWhwnZ9PFabN6q0=", + "lastModified": 1693471703, + "narHash": "sha256-0l03ZBL8P1P6z8MaSDS/MvuU8E75rVxe5eE1N6gxeTo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9e1960bc196baf6881340d53dccb203a951745a2", + "rev": "3e52e76b70d5508f3cec70b882a29199f4d1ee85", "type": "github" }, "original": { 
@@ -353,11 +353,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1694908564, - "narHash": "sha256-ducA98AuWWJu5oUElIzN24Q22WlO8bOfixGzBgzYdVc=", + "lastModified": 1696123266, + "narHash": "sha256-S6MZEneQeE4M/E/C8SMnr7B7oBnjH/hbm96Kak5hAAI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "596611941a74be176b98aeba9328aa9d01b8b322", + "rev": "dbe90e63a36762f1fbde546e26a84af774a32455", "type": "github" }, "original": { @@ -369,11 +369,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1695830400, - "narHash": "sha256-gToZXQVr0G/1WriO83olnqrLSHF2Jb8BPcmCt497ro0=", + "lastModified": 1696193975, + "narHash": "sha256-mnQjUcYgp9Guu3RNVAB2Srr1TqKcPpRXmJf4LJk6KRY=", "owner": "nixos", "repo": "nixpkgs", - "rev": "8a86b98f0ba1c405358f1b71ff8b5e1d317f5db2", + "rev": "fdd898f8f79e8d2f99ed2ab6b3751811ef683242", "type": "github" }, "original": { @@ -410,11 +410,11 @@ ] }, "locked": { - "lastModified": 1691374719, - "narHash": "sha256-HCodqnx1Mi2vN4f3hjRPc7+lSQy18vRn8xWW68GeQOg=", + "lastModified": 1695003086, + "narHash": "sha256-d1/ZKuBRpxifmUf7FaedCqhy0lyVbqj44Oc2s+P5bdA=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "b520a3889b24aaf909e287d19d406862ced9ffc9", + "rev": "b87a14abea512d956f0b89d0d8a1e9b41f3e20ff", "type": "github" }, "original": { @@ -432,11 +432,11 @@ ] }, "locked": { - "lastModified": 1693447852, - "narHash": "sha256-K9npbs4S6+r51vpiElJi+0vwbAeftCAcOGbot/PCBnQ=", + "lastModified": 1696039808, + "narHash": "sha256-7TbAr9LskWG6ISPhUdyp6zHboT7FsFrME5QsWKybPTA=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "40e851593ef4f9f8cd0b69c8cae7b722b9953a23", + "rev": "a4c3c904ab29e04a20d3a6da6626d66030385773", "type": "github" }, "original": { 
@@ -453,11 +453,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1695284550, - "narHash": "sha256-z9fz/wz9qo9XePEvdduf+sBNeoI9QG8NJKl5ssA8Xl4=", + "lastModified": 1696320910, + "narHash": "sha256-fbuEc6wylH+0VxG48lhPBK+SQJHfo2lusUwWHZNipIM=", "owner": "Mic92", "repo": "sops-nix", - "rev": "2f375ed8702b0d8ee2430885059d5e7975e38f78", + "rev": "746c7fa1a64c1671a4bf287737c27fdc7101c4c2", "type": "github" }, "original": { @@ -530,18 +530,18 @@ "flake": false, "locked": { "host": "gitlab.freedesktop.org", - "lastModified": 1695919988, - "narHash": "sha256-4RBgIZHaVqH0m1POnfzYRzwCWxifIKH4xQ0kCn2LGkA=", + "lastModified": 1696255886, + "narHash": "sha256-0KZfiqqREousitBgG1mkzKmmNX4tjOIWdbBm6MvRCjQ=", "owner": "wlroots", "repo": "wlroots", - "rev": "c2aa7fd965cb7ee8bed24f4122b720aca8f0fc1e", + "rev": "5ef42e8e8adece098848fac53c721b6eb3818fc2", "type": "gitlab" }, "original": { "host": "gitlab.freedesktop.org", "owner": "wlroots", "repo": "wlroots", - "rev": "c2aa7fd965cb7ee8bed24f4122b720aca8f0fc1e", + "rev": "5ef42e8e8adece098848fac53c721b6eb3818fc2", "type": "gitlab" } }, diff --git a/hosts/sakura/services/default.nix b/hosts/sakura/services/default.nix index 7b9d5e9..6be12bc 100644 --- a/hosts/sakura/services/default.nix +++ b/hosts/sakura/services/default.nix @@ -10,5 +10,6 @@ ./vaultwarden.nix ./conduit.nix ./cloudflareddns.nix + ./tailscale.nix ]; } diff --git a/hosts/sakura/services/tailscale.nix b/hosts/sakura/services/tailscale.nix new file mode 100644 index 0000000..24bf55e --- /dev/null +++ b/hosts/sakura/services/tailscale.nix 
@@ -0,0 +1,41 @@ +{ + config, + lib, + pkgs, + ... +}: { + sops.secrets.tsauth-sakura = {}; + environment.systemPackages = [pkgs.jq pkgs.tailscale]; + services.tailscale = { + useRoutingFeatures = lib.mkDefault "client"; + }; + networking.firewall.allowedUDPPorts = [config.services.tailscale.port]; + networking.firewall.trustedInterfaces = [config.services.tailscale.interfaceName]; + + systemd.services.tailscale-autoconnect = { + description = "Automatic connection to Tailscale"; + + # make sure tailscale is running before trying to connect to tailscale + after = ["network-pre.target" "tailscale.service"]; + wants = ["network-pre.target" "tailscale.service"]; + wantedBy = ["multi-user.target"]; + + # set this service as a oneshot job + serviceConfig.Type = "oneshot"; + + # have the job run this shell script + script = with pkgs; '' + # wait for tailscaled to settle + sleep 2 + + # check if we are already authenticated to tailscale + status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)" + if [ $status = "Running" ]; then # if so, then do nothing + exit 0 + fi + + # otherwise authenticate with tailscale + ${tailscale}/bin/tailscale up -authkey file:${config.sops.secrets.tsauth-sakura.path} --exit-node=100.87.54.48 --exit-node-allow-lan-access=true --accept-dns=false + ''; + }; +} diff --git a/hosts/sakura/services/traefik.nix b/hosts/sakura/services/traefik.nix index 293f259..7cd740f 100644 --- a/hosts/sakura/services/traefik.nix +++ b/hosts/sakura/services/traefik.nix @@ -1,6 +1,5 @@ {config, ...}: { sops.secrets.cloudflare-api-key = {}; - networking.firewall.allowedTCPPorts = [80 443]; systemd.services.traefik = { environment = { CLOUDFLARE_EMAIL = "jch0tm2e@notohh.dev"; 
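Review bot: In the autoconnect script `if [ $status = "Running" ]` leaves `$status` unquoted, so if `tailscale status -json` fails or prints nothing because tailscaled is not ready yet (the only guard is `sleep 2`), the test becomes `[ = "Running" ]`, a syntax error that aborts the unit instead of falling through to `tailscale up`; write `if [ "$status" = "Running" ]; then`. `networking.firewall.trustedInterfaces = [tailscale0]` disables the host firewall for every tailnet peer, so after this commit Tailscale ACLs are the only thing limiting who can reach the services this series pulls off sakura's public interface — a comment on that line recording the assumption would stop someone later loosening the ACL believing a host firewall still applies. `--exit-node=100.87.54.48` sends all of sakura's egress through another node; a comment naming which host that is (it appears elsewhere in this series as the backend address of sora's own services) would make the dependency explicit.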
@@ -30,57 +29,9 @@ entrypoints = ["web"]; service = "dashdot"; }; - foundryvtt = { - rule = "Host(`foundry.flake.sh`)"; - entrypoints = ["websecure"]; - service = "foundryvtt"; - tls.domains = [{main = "*.flake.sh";}]; - tls.certresolver = "production"; - }; - forgejo = { - rule = "Host(`git.flake.sh`)"; - entrypoints = ["websecure"]; - service = "forgejo"; - tls.domains = [{main = "*.flake.sh";}]; - tls.certresolver = "production"; - }; - rustypaste = { - rule = "Host(`i.flake.sh`)"; - entrypoints = ["websecure"]; - service = "rustypaste"; - tls.domains = [{main = "*.flake.sh";}]; - tls.certresolver = "production"; - }; - grafana = { - rule = "Host(`metrics.flake.sh`)"; - entrypoints = ["websecure"]; - service = "grafana"; - tls.domains = [{main = "*.flake.sh";}]; - tls.certresolver = "production"; - }; - hedgedoc = { - rule = "Host(`scratch.flake.sh`)"; - entrypoints = ["websecure"]; - service = "hedgedoc"; - tls.domains = [{main = "*.flake.sh";}]; - tls.certresolver = "production"; - }; - vaultwarden = { - rule = "Host(`vault.flake.sh`)"; - entrypoints = ["websecure"]; - service = "vaultwarden"; - tls.domains = [{main = "*.flake.sh";}]; - tls.certresolver = "production"; - }; }; services = { dashdot.loadBalancer.servers = [{url = "http://localhost:4000";}]; - foundryvtt.loadBalancer.servers = [{url = "http://localhost:30000";}]; - forgejo.loadBalancer.servers = [{url = "http://localhost:3200";}]; - rustypaste.loadBalancer.servers = [{url = "http://localhost:8000";}]; - grafana.loadBalancer.servers = [{url = "http://localhost:3100";}]; - hedgedoc.loadBalancer.servers = [{url = "http://localhost:3300";}]; - vaultwarden.loadBalancer.servers = [{url = "http://localhost:8222";}]; }; }; }; diff --git a/hosts/sora/services/default.nix b/hosts/sora/services/default.nix index 11fff5b..acf74f6 100644 --- a/hosts/sora/services/default.nix +++ b/hosts/sora/services/default.nix @@ -3,5 +3,6 @@ ./traefik.nix ./uptimekuma.nix ./gotify.nix + ./tailscale.nix ]; } 
diff --git a/hosts/sora/services/tailscale.nix b/hosts/sora/services/tailscale.nix new file mode 100644 index 0000000..a4cbe46 --- /dev/null +++ b/hosts/sora/services/tailscale.nix @@ -0,0 +1,41 @@ +{ + config, + lib, + pkgs, + ... +}: { + sops.secrets.tsauth-sora = {}; + environment.systemPackages = [pkgs.jq pkgs.tailscale]; + services.tailscale = { + useRoutingFeatures = lib.mkDefault "server"; # important to make it a server, it sets sysctl for ip forwarding without intervention and reboot + }; + networking.firewall.allowedUDPPorts = [config.services.tailscale.port]; + networking.firewall.trustedInterfaces = [config.services.tailscale.interfaceName]; + + systemd.services.tailscale-autoconnect = { + description = "Automatic connection to Tailscale"; + + # make sure tailscale is running before trying to connect to tailscale + after = ["network-pre.target" "tailscale.service"]; + wants = ["network-pre.target" "tailscale.service"]; + wantedBy = ["multi-user.target"]; + + # set this service as a oneshot job + serviceConfig.Type = "oneshot"; + + # have the job run this shell script + script = with pkgs; '' + # wait for tailscaled to settle + sleep 2 + + # check if we are already authenticated to tailscale + status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)" + if [ $status = "Running" ]; then # if so, then do nothing + exit 0 + fi + + # otherwise authenticate with tailscale + ${tailscale}/bin/tailscale up --authkey file:${config.sops.secrets.tsauth-sora.path} --advertise-exit-node=true --accept-dns=false + ''; + }; +} diff --git a/hosts/sora/services/traefik.nix b/hosts/sora/services/traefik.nix index 5f8ad44..dfc42f8 100644 --- a/hosts/sora/services/traefik.nix +++ b/hosts/sora/services/traefik.nix 
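Review bot: Same unquoted test as in the sakura unit — `if [ $status = "Running" ]` errors out when `$status` is empty, so use `if [ "$status" = "Running" ]; then`. Because sora also carries the public 80/443 entrypoints, `trustedInterfaces = [tailscale0]` combined with `--advertise-exit-node=true` means any tailnet peer, including a compromised one, reaches every listening socket on this host unfiltered; a comment on that line stating that tailnet ACLs are the intended control would document the trade-off. The exit-node advertisement presumably still requires approval in the Tailscale admin console before traffic flows, and the script does not check for that state, so a short comment noting it would save debugging on a fresh deploy. The two hosts also differ in flag spelling (`--authkey` here, `-authkey` on sakura); both are accepted, but one form across the repo is easier to grep.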
@@ -1,6 +1,6 @@ {config, ...}: { sops.secrets.cloudflare-api-key = {}; - networking.firewall.allowedTCPPorts = [80 443]; + networking.firewall.allowedTCPPorts = [80 443 2222]; systemd.services.traefik = { environment = { CLOUDFLARE_EMAIL = "jch0tm2e@notohh.dev"; 
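Review bot: `allowedTCPPorts = [80 443 2222]` opens 2222 on every interface of sora, but nothing in this commit listens on it; the `gitssh` entrypoint only arrives in PATCH 11 of this series, so at intermediate revisions the port is exposed with no service behind it. Consider moving the 2222 entry to the commit that adds the entrypoint, or pair the two visibly with a comment such as `# 2222: TCP passthrough to Forgejo SSH (gitssh entrypoint)`. The `systemd.services.traefik` block continues outside the hunk.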
@@ -53,12 +53,60 @@ tls.domains = [{main = "*.notohh.dev";}]; tls.certresolver = "production"; }; + foundryvtt = { + rule = "Host(`foundry.flake.sh`)"; + entrypoints = ["websecure"]; + service = "foundryvtt"; + tls.domains = [{main = "*.flake.sh";}]; + tls.certresolver = "production"; + }; + forgejo = { + rule = "Host(`git.flake.sh`)"; + entrypoints = ["websecure"]; + service = "forgejo"; + tls.domains = [{main = "*.flake.sh";}]; + tls.certresolver = "production"; + }; + rustypaste = { + rule = "Host(`i.flake.sh`)"; + entrypoints = ["websecure"]; + service = "rustypaste"; + tls.domains = [{main = "*.flake.sh";}]; + tls.certresolver = "production"; + }; + grafana = { + rule = "Host(`metrics.flake.sh`)"; + entrypoints = ["websecure"]; + service = "grafana"; + tls.domains = [{main = "*.flake.sh";}]; + tls.certresolver = "production"; + }; + hedgedoc = { + rule = "Host(`scratch.flake.sh`)"; + entrypoints = ["websecure"]; + service = "hedgedoc"; + tls.domains = [{main = "*.flake.sh";}]; + tls.certresolver = "production"; + }; + vaultwarden = { + rule = "Host(`vault.flake.sh`)"; + entrypoints = ["websecure"]; + service = "vaultwarden"; + tls.domains = [{main = "*.flake.sh";}]; + tls.certresolver = "production"; + }; }; services = { uptime-kuma.loadBalancer.servers = [{url = "http://100.87.54.48:4000";}]; gotify.loadBalancer.servers = [{url = "http://100.87.54.48:3000";}]; conduit.loadBalancer.servers = [{url = "http://100.121.201.47:6167";}]; authelia.loadBalancer.servers = [{url = "http://100.121.201.47:9091";}]; + foundryvtt.loadBalancer.servers = [{url = "http://100.121.201.47:30000";}]; + forgejo.loadBalancer.servers = [{url = "http://100.121.201.47:3200";}]; + rustypaste.loadBalancer.servers = [{url = "http://100.121.201.47:8000";}]; + grafana.loadBalancer.servers = [{url = "http://100.121.201.47:3100";}]; + hedgedoc.loadBalancer.servers = [{url = "http://100.121.201.47:3300";}]; + vaultwarden.loadBalancer.servers = [{url = "http://100.121.201.47:8222";}]; }; }; }; 
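Review bot: The backends are now reached from sora's tailnet address rather than from localhost, so each service will see `100.87.54.48` as the client unless it is told to trust that proxy; the visible Forgejo `server` config in PATCH 01 sets no `REVERSE_PROXY_TRUSTED_PROXIES`, so Forgejo's (and presumably Vaultwarden's) login-failure logs and rate limiting will key on the proxy IP instead of the real client. Add a comment on the `services` block noting that every backend must trust the proxy at `100.87.54.48`, and set the corresponding option per service. Separately, none of the six new routers attaches a middleware even though this file defines an `authelia` forwardauth middleware (visible as context in PATCH 11); `middlewares = ["authelia"];` is worth considering for browser-only dashboards such as `metrics.flake.sh`, while Forgejo and Vaultwarden must stay un-gated because their native clients cannot complete an SSO redirect. The `dynamicConfigOptions.http` set continues outside the hunk.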
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index 8627368..4728658 100644 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml @@ -9,6 +9,8 @@ authelia-jwt: ENC[AES256_GCM,data:cAn2uZeSGjG2FqTFgZkupcSutCZLvZXCNBsxuUQvGX4=,i authelia-sek: ENC[AES256_GCM,data:yWhAvl1AuEcrUCFAv2vcz6A8BLEIMIz9sqbFRAriHpw=,iv:i887EZgqGtRfFs6mHHAJry0XfQzvrTaDliz8PRh7oLs=,tag:dmn2GSG8gZk9CVXMNmH1Dw==,type:str] cloudflareddns: ENC[AES256_GCM,data:xow7oaqa3QbMPwggx2zmGvLcKmov7isvLLZKuC6jW/SNjst8kicSQmNhrZw8M/eq8TuqxOT4BqMILQ+I7As2ZCOjSbEBxi1DwU/z47qI,iv:W8UH4kWlh9JyxcGkeuOjRZKqjOHDg9vpzXezHYs1kEg=,tag:YgGk7svEQr9sqLJtKWcHqA==,type:str] forgejo-runner-token: ENC[AES256_GCM,data:cmE70bA22B1YMr/iD32f+TRhk/X1f4aA8N4z1NGj4GxLgYMXkS1FpA==,iv:8XQ00VnQTyOh3wgb3ipO8P0QTo3qPSAJXvf7rRGi+Tc=,tag:QZpyUa+MDL8Hsjj3mdpOnA==,type:str] +tsauth-sora: ENC[AES256_GCM,data:3jzPB0whb9xHudVl/MhNeCUgjDfzzQpxGJGqfMf2GqEtfEkiynVTLO/TFDt1PorBuUQOjVfxn8c=,iv:5vLHbhY2ZlnsVQbLlu6Hxo32azpfcj6ORAMn3oSdcHY=,tag:zN8qPOSaSMMdJn+zsTXPaA==,type:str] +tsauth-sakura: ENC[AES256_GCM,data:iN77ArKDnltxrWGCz8bMqMHBAp45oGUk+n5ilAE0tY2rz01PGaCmIgPFSDfNaMphH6gX+AbEd5Y=,iv:k/lBIZW7aKT3u+dgcFnQORah2yHZXAmY+PBv53tM1ao=,tag:9/pebj3D9LURTedqkduoaw==,type:str] sops: kms: [] gcp_kms: [] 
@@ -24,8 +26,8 @@ sops: YWNQcURKMSs2U0pOa3E0cTdCZ3RnalkKGayA7DBUQS+kn+6OYVBc6oTunF0qeZdt 5b9DLHgh0HRWFm09XGSOog8K315d93Wzblw1My1/dXeEQX/ryinqUQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-10-05T20:42:39Z" - mac: ENC[AES256_GCM,data:bniacC304lHRxyxpVPopWtKu2508fIpp+TmVt+2EJjsPiqV2x6tA377DTiczh+7tjjcEKJQ7UclkRs+8BH095WyYuX7LC6F8HzQY2its1BoMUvBoHo9x0gVTK0lgg01kLTrLFrWP3uv5xcGgj1/huBLfr6tOwvymmyEgORlf/+M=,iv:VJIYUqzflBQ+vXEWinBCPBjnQXH36nYdRehjPnErSBo=,tag:6nBssjqsd0oIpakpw+mFsw==,type:str] + lastmodified: "2023-10-07T14:08:11Z" + mac: ENC[AES256_GCM,data:uk8GkhA5j5w6Az/4uZmPR5eyZ1WOenyeqozSInRfkSZbYwC+bABmSx+DlkqTFKvppTjuWJmCii6OrYGbloiI48x46GzI2qgHfG/Q4a/+HDEmHEa8pnGGioazFzML4Wqwsvba9CaGJq62bSuh44qdH7lQbE3YqhTrEgZqJ3Zmkcg=,iv:foDwveVQ4K3ygA35lrARACwMv/YmDQB3V2fFLOZI2n8=,tag:pC40f60MdlQsYhgNT+7kTw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.0 -- 2.47.0 From 380048450996ee3258ac13320d0435537c5ab13c Mon Sep 17 00:00:00 2001 From: notohh Date: Sat, 7 Oct 2023 11:16:44 -0400 Subject: [PATCH 03/11] hedgedoc: bind host --- hosts/sakura/services/hedgedoc.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/sakura/services/hedgedoc.nix b/hosts/sakura/services/hedgedoc.nix index 341bff5..66f03ba 100644 --- a/hosts/sakura/services/hedgedoc.nix +++ b/hosts/sakura/services/hedgedoc.nix @@ -4,6 +4,7 @@ _: { settings = { port = 3300; domain = "scratch.flake.sh"; + host = "100.121.201.47"; allowOrigin = ["scratch.flake.sh"]; allowAnonymous = true; allowFreeURL = true; -- 2.47.0 From bb1f59d1143ebc1e86b3b1e69477e34665988043 Mon Sep 17 00:00:00 2001 From: notohh Date: Sat, 7 Oct 2023 16:14:47 -0400 Subject: [PATCH 04/11] sops: update runner token --- secrets/secrets.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index 4728658..f895f9c 100644 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml 
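Review bot: `host = "100.121.201.47"` binds HedgeDoc directly to the Tailscale address, so the service fails to bind if it starts before tailscaled has assigned that address, and the hunk adds no ordering or restart policy to cover that. A comment such as `# tailnet-only bind; reached via traefik on sora, not exposed locally` would record why it is neither `127.0.0.1` nor `0.0.0.0`, and `systemd.services.hedgedoc.after = ["tailscale.service"];` (or `Restart = "on-failure"`) would cover the race. The `settings` set continues outside the hunk.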
@@ -8,7 +8,7 @@ gluetun: ENC[AES256_GCM,data:yL+LOPpwU+CAtbjc7YWbNUOTpDhq4mH3aJOl3hPYxgbFUba6NVJ authelia-jwt: ENC[AES256_GCM,data:cAn2uZeSGjG2FqTFgZkupcSutCZLvZXCNBsxuUQvGX4=,iv:1OTDQzQwaPTmnTEB4TfnxU6l8CdBAlHfqFThE8QZa6A=,tag:KJ6aYDczHFajhLJHemfIQw==,type:str] authelia-sek: ENC[AES256_GCM,data:yWhAvl1AuEcrUCFAv2vcz6A8BLEIMIz9sqbFRAriHpw=,iv:i887EZgqGtRfFs6mHHAJry0XfQzvrTaDliz8PRh7oLs=,tag:dmn2GSG8gZk9CVXMNmH1Dw==,type:str] cloudflareddns: ENC[AES256_GCM,data:xow7oaqa3QbMPwggx2zmGvLcKmov7isvLLZKuC6jW/SNjst8kicSQmNhrZw8M/eq8TuqxOT4BqMILQ+I7As2ZCOjSbEBxi1DwU/z47qI,iv:W8UH4kWlh9JyxcGkeuOjRZKqjOHDg9vpzXezHYs1kEg=,tag:YgGk7svEQr9sqLJtKWcHqA==,type:str] -forgejo-runner-token: ENC[AES256_GCM,data:cmE70bA22B1YMr/iD32f+TRhk/X1f4aA8N4z1NGj4GxLgYMXkS1FpA==,iv:8XQ00VnQTyOh3wgb3ipO8P0QTo3qPSAJXvf7rRGi+Tc=,tag:QZpyUa+MDL8Hsjj3mdpOnA==,type:str] +forgejo-runner-token: ENC[AES256_GCM,data:vv/zMR3qkmSNxA+wnwAzqdc8yNfR+aLMnmncm5lGmq7PhzryNwxDXQ==,iv:HOJMCTAy0C0VMHUAgLJLAZddsTqbM+Alsgo/+BfBNY4=,tag:pIH8SaIdSxvw70rOtbb9yw==,type:str] tsauth-sora: ENC[AES256_GCM,data:3jzPB0whb9xHudVl/MhNeCUgjDfzzQpxGJGqfMf2GqEtfEkiynVTLO/TFDt1PorBuUQOjVfxn8c=,iv:5vLHbhY2ZlnsVQbLlu6Hxo32azpfcj6ORAMn3oSdcHY=,tag:zN8qPOSaSMMdJn+zsTXPaA==,type:str] tsauth-sakura: ENC[AES256_GCM,data:iN77ArKDnltxrWGCz8bMqMHBAp45oGUk+n5ilAE0tY2rz01PGaCmIgPFSDfNaMphH6gX+AbEd5Y=,iv:k/lBIZW7aKT3u+dgcFnQORah2yHZXAmY+PBv53tM1ao=,tag:9/pebj3D9LURTedqkduoaw==,type:str] sops: 
@@ -26,8 +26,8 @@ sops: YWNQcURKMSs2U0pOa3E0cTdCZ3RnalkKGayA7DBUQS+kn+6OYVBc6oTunF0qeZdt 5b9DLHgh0HRWFm09XGSOog8K315d93Wzblw1My1/dXeEQX/ryinqUQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-10-07T14:08:11Z" - mac: ENC[AES256_GCM,data:uk8GkhA5j5w6Az/4uZmPR5eyZ1WOenyeqozSInRfkSZbYwC+bABmSx+DlkqTFKvppTjuWJmCii6OrYGbloiI48x46GzI2qgHfG/Q4a/+HDEmHEa8pnGGioazFzML4Wqwsvba9CaGJq62bSuh44qdH7lQbE3YqhTrEgZqJ3Zmkcg=,iv:foDwveVQ4K3ygA35lrARACwMv/YmDQB3V2fFLOZI2n8=,tag:pC40f60MdlQsYhgNT+7kTw==,type:str] + lastmodified: "2023-10-07T19:39:53Z" + mac: ENC[AES256_GCM,data:a6G3BdrDCsipNgkG3SNijKM2QCPsQEh9TztF3VlrcUX+jdC5UDpDmh9VCnLHh1MsOTgpRCn4ZXc0QVPSZKxsCra3ipDqLuXATHWzfJFmGDiLnderrRzSmy5MuDJKiVO2wKruYhIfj6VHM92mIvay4JwmqTptmD9DP4g/+5kYkrc=,iv:34XFn2sH3bJjO2O/0oIa23rmiyL4hP+FUYlDqVGiOGA=,tag:A3Qv9uzJ6HXlKoVPHZVjwA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.0 -- 2.47.0 From bc6a3494163ca706e4b144c6d598e66cb0c939bb Mon Sep 17 00:00:00 2001 From: notohh Date: Sat, 7 Oct 2023 16:31:29 -0400 Subject: [PATCH 05/11] ci: update checkout actions --- .forgejo/workflows/check.yml | 2 +- .forgejo/workflows/fmt.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.forgejo/workflows/check.yml b/.forgejo/workflows/check.yml index 646fb33..295c907 100644 --- a/.forgejo/workflows/check.yml +++ b/.forgejo/workflows/check.yml @@ -3,7 +3,7 @@ jobs: check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: install nix action uses: https://github.com/DeterminateSystems/nix-installer-action@v5 with: diff --git a/.forgejo/workflows/fmt.yml b/.forgejo/workflows/fmt.yml index bd5f504..ee8beee 100644 --- a/.forgejo/workflows/fmt.yml +++ b/.forgejo/workflows/fmt.yml 
@@ -3,9 +3,9 @@ jobs: check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: install nix action uses: https://github.com/DeterminateSystems/nix-installer-action@v5 with: github-token: ${{ secrets.GH_TOKEN }} - - run: nix run nixpkgs#alejandra -- -c . \ No newline at end of file + - run: nix run nixpkgs#alejandra -- -c . -- 2.47.0 From 6669bc8a89c4d4e7c1da9cf7bebac4cb2200b1ac Mon Sep 17 00:00:00 2001 From: notohh Date: Sat, 7 Oct 2023 16:35:42 -0400 Subject: [PATCH 06/11] ci: try switching to docker? --- .forgejo/workflows/check.yml | 3 ++- .forgejo/workflows/fmt.yml | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/check.yml b/.forgejo/workflows/check.yml index 295c907..07e9156 100644 --- a/.forgejo/workflows/check.yml +++ b/.forgejo/workflows/check.yml @@ -1,9 +1,10 @@ on: [push] jobs: check: - runs-on: ubuntu-latest + runs-on: docker steps: - uses: actions/checkout@v4 + with: - name: install nix action uses: https://github.com/DeterminateSystems/nix-installer-action@v5 with: diff --git a/.forgejo/workflows/fmt.yml b/.forgejo/workflows/fmt.yml index ee8beee..dfef716 100644 --- a/.forgejo/workflows/fmt.yml +++ b/.forgejo/workflows/fmt.yml @@ -1,7 +1,7 @@ on: [push] jobs: check: - runs-on: ubuntu-latest + runs-on: docker steps: - uses: actions/checkout@v4 - name: install nix action -- 2.47.0 From 181c72a32d624caa90df383073768879fcafb24f Mon Sep 17 00:00:00 2001 From: notohh Date: Sat, 7 Oct 2023 16:47:37 -0400 Subject: [PATCH 07/11] ci: switch back to ubuntu --- .forgejo/workflows/check.yml | 3 +-- .forgejo/workflows/fmt.yml | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/.forgejo/workflows/check.yml b/.forgejo/workflows/check.yml index 07e9156..295c907 100644 --- a/.forgejo/workflows/check.yml +++ b/.forgejo/workflows/check.yml 
@@ -1,10 +1,9 @@ on: [push] jobs: check: - runs-on: docker + runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - with: - name: install nix action uses: https://github.com/DeterminateSystems/nix-installer-action@v5 with: diff --git a/.forgejo/workflows/fmt.yml b/.forgejo/workflows/fmt.yml index dfef716..ee8beee 100644 --- a/.forgejo/workflows/fmt.yml +++ b/.forgejo/workflows/fmt.yml @@ -1,7 +1,7 @@ on: [push] jobs: check: - runs-on: docker + runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: install nix action -- 2.47.0 From 0fb831b03d3405c448da81b8ab7ee30e9c4539eb Mon Sep 17 00:00:00 2001 From: notohh Date: Sat, 7 Oct 2023 16:53:40 -0400 Subject: [PATCH 08/11] ci: switch back to checkoutv3 --- .forgejo/workflows/check.yml | 2 +- .forgejo/workflows/fmt.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/check.yml b/.forgejo/workflows/check.yml index 295c907..646fb33 100644 --- a/.forgejo/workflows/check.yml +++ b/.forgejo/workflows/check.yml @@ -3,7 +3,7 @@ jobs: check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v3 - name: install nix action uses: https://github.com/DeterminateSystems/nix-installer-action@v5 with: diff --git a/.forgejo/workflows/fmt.yml b/.forgejo/workflows/fmt.yml index ee8beee..c854864 100644 --- a/.forgejo/workflows/fmt.yml +++ b/.forgejo/workflows/fmt.yml @@ -3,7 +3,7 @@ jobs: check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v3 - name: install nix action uses: https://github.com/DeterminateSystems/nix-installer-action@v5 with: -- 2.47.0 From ce570b6ed3ec26a9d476948c78511f1dc560c3e9 Mon Sep 17 00:00:00 2001 
From: notohh Date: Sat, 7 Oct 2023 17:03:11 -0400 Subject: [PATCH 09/11] yuki: init forgejo runner --- hosts/yuki/services/default.nix | 1 + hosts/yuki/services/forgejo-runners.nix | 33 +++++++++++++++++++++++++ 2 files changed, 34 insertions(+) create mode 100644 hosts/yuki/services/forgejo-runners.nix diff --git a/hosts/yuki/services/default.nix b/hosts/yuki/services/default.nix index feb1cd0..2f05bbd 100644 --- a/hosts/yuki/services/default.nix +++ b/hosts/yuki/services/default.nix @@ -8,5 +8,6 @@ ./dashdot.nix ./jellyfin.nix ./neko.nix + ./forgejo-runners.nix ]; } diff --git a/hosts/yuki/services/forgejo-runners.nix b/hosts/yuki/services/forgejo-runners.nix new file mode 100644 index 0000000..6b8c433 --- /dev/null +++ b/hosts/yuki/services/forgejo-runners.nix @@ -0,0 +1,33 @@ +{ + pkgs, + config, + ... +}: { + sops.secrets.forgejo-runner-token = {}; + services.gitea-actions-runner = { + package = pkgs.forgejo-actions-runner; + instances.main = { + settings = { + container = { + network = "host"; + }; + }; + enable = true; + name = config.networking.hostName; + url = "https://git.flake.sh"; + token = "gdeEbeUTifa1nK7EfRgBmvm6XRdQE1zZzAatBRSC"; + labels = [ + "debian-latest:docker://node:18-bullseye" + "ubuntu-latest:docker://node:18-bullseye" + #"native:host" + ]; + hostPackages = with pkgs; [ + bash + curl + coreutils + wget + gitMinimal + ]; + }; + }; +} -- 2.47.0 From 6e7fc979597cf749067ef7a9d3bafa1aa31d1a74 Mon Sep 17 00:00:00 2001 From: notohh Date: Sat, 7 Oct 2023 17:03:18 -0400 Subject: [PATCH 10/11] forgejo: move runner to yuki --- hosts/sakura/services/forgejo.nix | 22 ---------------------- 1 file changed, 22 deletions(-) diff --git a/hosts/sakura/services/forgejo.nix b/hosts/sakura/services/forgejo.nix index 401d1d2..a1cbe22 100644 --- a/hosts/sakura/services/forgejo.nix +++ b/hosts/sakura/services/forgejo.nix 
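Review bot: `token = "gdeEbeUTifa1nK7EfRgBmvm6XRdQE1zZzAatBRSC";` commits a Forgejo runner registration token in plaintext, directly after `sops.secrets.forgejo-runner-token = {};` declares the encrypted one that this commit never uses; the NixOS module's `token` option is documented as being written into the world-readable Nix store, whereas `tokenFile` is read at runtime. Replace the line with `tokenFile = config.sops.secrets.forgejo-runner-token.path;` and treat the committed value as leaked — regenerate it in Forgejo (PATCH 04 of this series already rotated the sops copy once, so check which value is current). `container.network = "host"` also hands every CI job the host's network namespace, meaning unfiltered reach to yuki's other services and, over the tailnet, to sakura's backends; a comment explaining why host networking is required would make that explicit, or drop it if jobs only need outbound access. `ubuntu-latest:docker://node:18-bullseye` pins the job image by a mutable tag; pin a digest if reproducible CI matters here.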
@@ -4,7 +4,6 @@ config, ... }: { - sops.secrets.forgejo-runner-token = {owner = "forgejo";}; services.forgejo = { enable = true; stateDir = "/var/lib/forgejo"; @@ -43,25 +42,4 @@ }; }; }; - services.gitea-actions-runner = { - package = pkgs.forgejo-actions-runner; - instances.main = { - enable = true; - name = config.networking.hostName; - url = "https://git.flake.sh"; - token = config.sops.secrets.forgejo-runner-token.path; - labels = [ - "debian-latest:docker://node:18-bullseye" - "ubuntu-latest:docker://node:18-bullseye" - #"native:host" - ]; - hostPackages = with pkgs; [ - bash - curl - coreutils - wget - gitMinimal - ]; - }; - }; } -- 2.47.0 From 9eea38d0006aca69c224368e21d09395eac2985f Mon Sep 17 00:00:00 2001 From: notohh Date: Sat, 7 Oct 2023 17:06:51 -0400 Subject: [PATCH 11/11] traefik: init gitssh --- hosts/sora/services/traefik.nix | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/hosts/sora/services/traefik.nix b/hosts/sora/services/traefik.nix index dfc42f8..f7691a0 100644 --- a/hosts/sora/services/traefik.nix +++ b/hosts/sora/services/traefik.nix @@ -12,6 +12,16 @@ services.traefik = { enable = true; dynamicConfigOptions = { + tcp = { + routers = { + gitssh = { + rule = "HostSNI(`*`)"; + entrypoints = ["gitssh"]; + service = "gitssh"; + tls.passthrough = true; + }; + }; + }; http = { middlewares.authelia = { forwardauth = { @@ -107,6 +117,7 @@ grafana.loadBalancer.servers = [{url = "http://100.121.201.47:3100";}]; hedgedoc.loadBalancer.servers = [{url = "http://100.121.201.47:3300";}]; vaultwarden.loadBalancer.servers = [{url = "http://100.121.201.47:8222";}]; + gitssh.loadBalancer.servers = [{url = "tcp://100.121.201.47:2222";}]; }; }; }; @@ -125,6 +136,9 @@ web = { address = ":80"; }; + gitssh = { + address = ":2222"; + }; }; metrics = { prometheus = { -- 2.47.0
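Review bot: The `gitssh` router sets `tls.passthrough = true` on a route that carries SSH, which is not TLS, so Traefik treats it as a TLS router and whether a plain SSH connection still matches the `HostSNI` wildcard under that setting should be verified before relying on it; the plain TCP form drops the `tls` block entirely, leaving `rule`, `entrypoints = ["gitssh"];` and `service = "gitssh";`. The wildcard rule is also a catch-all on :2222, which is fine while it is the only router on that entrypoint but deserves a comment so a second TCP router is not added there by accident. The `dynamicConfigOptions` set begins and ends outside the hunk.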
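Review bot: `gitssh.loadBalancer.servers = [{url = "tcp://100.121.201.47:2222";}]` forwards raw TCP, so Forgejo's built-in SSH server will log every connection as coming from sora's tailnet address and any auth-failure rate limiting or fail2ban-style blocking loses the real client IP. Traefik's TCP service can emit PROXY protocol via `proxyProtocol.version = 2;` on the loadBalancer, and Forgejo has a matching `USE_PROXY_PROTOCOL` setting under `[server]` (confirm against the deployed version) so the original source address reaches the SSH logs. Until that is wired up, a comment on this line noting that client IPs are not preserved would at least keep incident responders from trusting those logs.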