networking: refactor routing #10

Merged
notohh merged 11 commits from refactor-routing into master 2023-10-07 17:11:00 -04:00
13 changed files with 249 additions and 132 deletions


@ -8,4 +8,4 @@ jobs:
uses: https://github.com/DeterminateSystems/nix-installer-action@v5 uses: https://github.com/DeterminateSystems/nix-installer-action@v5
with: with:
github-token: ${{ secrets.GH_TOKEN }} github-token: ${{ secrets.GH_TOKEN }}
- run: nix run nixpkgs#alejandra -- -c . - run: nix run nixpkgs#alejandra -- -c .


@ -11,11 +11,11 @@
"rust-overlay": "rust-overlay" "rust-overlay": "rust-overlay"
}, },
"locked": { "locked": {
"lastModified": 1693439040, "lastModified": 1695511445,
"narHash": "sha256-t2nOxBcP0Q/XJt6Ild4v0hJ49OSl9F3nE1cdIT4xsDg=", "narHash": "sha256-mnE14re43v3/Jc50Jv0BKPMtEk7FEtDSligP6B5HwlI=",
"owner": "ipetkov", "owner": "ipetkov",
"repo": "crane", "repo": "crane",
"rev": "174604795d316b75777e28185c3a4918bc69b399", "rev": "3de322e06fc88ada5e3589dc8a375b73e749f512",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -83,11 +83,11 @@
"nixpkgs-lib": "nixpkgs-lib" "nixpkgs-lib": "nixpkgs-lib"
}, },
"locked": { "locked": {
"lastModified": 1690933134, "lastModified": 1693611461,
"narHash": "sha256-ab989mN63fQZBFrkk4Q8bYxQCktuHmBIBqUG1jl6/FQ=", "narHash": "sha256-aPODl8vAgGQ0ZYFIRisxYG5MOGSkIczvu2Cd8Gb9+1Y=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "59cf3f1447cfc75087e7273b04b31e689a8599fb", "rev": "7f53fdb7bdc5bb237da7fefef12d099e4fd611ca",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -101,11 +101,11 @@
"systems": "systems_2" "systems": "systems_2"
}, },
"locked": { "locked": {
"lastModified": 1689068808, "lastModified": 1694529238,
"narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=", "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4", "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -139,11 +139,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1695984718, "lastModified": 1696371324,
"narHash": "sha256-LQwKgaaaFOkIcxarf0xQXeDJFwZ5BZWcgmPeo3xp2CM=", "narHash": "sha256-0ycIheYRxzPOL9XBWiAm/af9cqRmsiy701OpjsRsKiw=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "4f02e35f9d150573e1a710afa338846c2f6d850c", "rev": "e63c30fe9792b57dea1eab98be6871a0e42a33c9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -163,11 +163,11 @@
"xdph": "xdph" "xdph": "xdph"
}, },
"locked": { "locked": {
"lastModified": 1696034465, "lastModified": 1696367817,
"narHash": "sha256-4/jscEYXk8x1wkjpP6EFnsMpp9h9ITQXaZsg+iVxen4=", "narHash": "sha256-r16HUij8M3c0JMLLPaLdRJLHlSBhtVBWsR2+JZSW1B8=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "Hyprland", "repo": "Hyprland",
"rev": "c298439433f9b6861c7c62ea587289ac2e4ef2f8", "rev": "d61e4f9ad75d51f15eac6bced13439899d66a950",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -211,11 +211,11 @@
"rust-overlay": "rust-overlay_2" "rust-overlay": "rust-overlay_2"
}, },
"locked": { "locked": {
"lastModified": 1695668783, "lastModified": 1696275091,
"narHash": "sha256-pXVei5KZMxALQ8ibx0oqbfh5N/FI3VzJHodDNAh41xE=", "narHash": "sha256-6/bnExKrZJ9GvveJwTdjIWHuJY0n8Y1pyqnsq5/4xP0=",
"owner": "JakeStanger", "owner": "JakeStanger",
"repo": "ironbar", "repo": "ironbar",
"rev": "0c0163cfa1a8c0286edf231507026dd6f5798644", "rev": "abbd3ab62339a3ac9665dbaf7b66c23f0ae7bc64",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -249,11 +249,11 @@
"nixpkgs": "nixpkgs" "nixpkgs": "nixpkgs"
}, },
"locked": { "locked": {
"lastModified": 1692351612, "lastModified": 1694081375,
"narHash": "sha256-KTGonidcdaLadRnv9KFgwSMh1ZbXoR/OBmPjeNMhFwU=", "narHash": "sha256-vzJXOUnmkMCm3xw8yfPP5m8kypQ3BhAIRe4RRCWpzy8=",
"owner": "nix-community", "owner": "nix-community",
"repo": "naersk", "repo": "naersk",
"rev": "78789c30d64dea2396c9da516bbcc8db3a475207", "rev": "3f976d822b7b37fc6fb8e6f157c2dd05e7e94e89",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -271,11 +271,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1694971480, "lastModified": 1696149398,
"narHash": "sha256-5UKSMDiboMIs15WN6jbctJgYfnGPfkHhvWWaboB2rGk=", "narHash": "sha256-RwlAyww4bzeu2ndeQoScelYtlYiSxPdCn70R+xGdZBc=",
"owner": "viperML", "owner": "viperML",
"repo": "nh", "repo": "nh",
"rev": "4b88da6fc89bf06d6598ce9a881590a7cc0dcafd", "rev": "2985f5a45d6f3e1a9d8d3ca5c777ef1bc9c7fbd1",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -286,11 +286,11 @@
}, },
"nix-filter": { "nix-filter": {
"locked": { "locked": {
"lastModified": 1687178632, "lastModified": 1694857738,
"narHash": "sha256-HS7YR5erss0JCaUijPeyg2XrisEb959FIct3n2TMGbE=", "narHash": "sha256-bxxNyLHjhu0N8T3REINXQ2ZkJco0ABFPn6PIe2QUfqo=",
"owner": "numtide", "owner": "numtide",
"repo": "nix-filter", "repo": "nix-filter",
"rev": "d90c75e8319d0dd9be67d933d8eb9d0894ec9174", "rev": "41fd48e00c22b4ced525af521ead8792402de0ea",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -306,11 +306,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1695526222, "lastModified": 1696131323,
"narHash": "sha256-/NwZz3QcVplrfiDKk1thYg1EIHLSNucVHNUi2uwO3RI=", "narHash": "sha256-Y47r8Jo+9rs+XUWHcDPZtkQs6wFeZ24L4CQTfVwE+vY=",
"owner": "Mic92", "owner": "Mic92",
"repo": "nix-index-database", "repo": "nix-index-database",
"rev": "25d6369c232bbea1ec1f90226fd17982e7a0a647", "rev": "031d4b22505fdea47bd53bfafad517cd03c26a4f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -321,11 +321,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1693355128, "lastModified": 1695978539,
"narHash": "sha256-+ZoAny3ZxLcfMaUoLVgL9Ywb/57wP+EtsdNGuXUJrwg=", "narHash": "sha256-lta5HToBZMWZ2hl5CautNSUgIZViR41QxN7JKbMAjgQ=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "a63a64b593dcf2fe05f7c5d666eb395950f36bc9", "rev": "bd9b686c0168041aea600222be0805a0de6e6ab8",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -336,11 +336,11 @@
"nixpkgs-lib": { "nixpkgs-lib": {
"locked": { "locked": {
"dir": "lib", "dir": "lib",
"lastModified": 1690881714, "lastModified": 1693471703,
"narHash": "sha256-h/nXluEqdiQHs1oSgkOOWF+j8gcJMWhwnZ9PFabN6q0=", "narHash": "sha256-0l03ZBL8P1P6z8MaSDS/MvuU8E75rVxe5eE1N6gxeTo=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "9e1960bc196baf6881340d53dccb203a951745a2", "rev": "3e52e76b70d5508f3cec70b882a29199f4d1ee85",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -353,11 +353,11 @@
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1694908564, "lastModified": 1696123266,
"narHash": "sha256-ducA98AuWWJu5oUElIzN24Q22WlO8bOfixGzBgzYdVc=", "narHash": "sha256-S6MZEneQeE4M/E/C8SMnr7B7oBnjH/hbm96Kak5hAAI=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "596611941a74be176b98aeba9328aa9d01b8b322", "rev": "dbe90e63a36762f1fbde546e26a84af774a32455",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -369,11 +369,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1695830400, "lastModified": 1696193975,
"narHash": "sha256-gToZXQVr0G/1WriO83olnqrLSHF2Jb8BPcmCt497ro0=", "narHash": "sha256-mnQjUcYgp9Guu3RNVAB2Srr1TqKcPpRXmJf4LJk6KRY=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "8a86b98f0ba1c405358f1b71ff8b5e1d317f5db2", "rev": "fdd898f8f79e8d2f99ed2ab6b3751811ef683242",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -410,11 +410,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1691374719, "lastModified": 1695003086,
"narHash": "sha256-HCodqnx1Mi2vN4f3hjRPc7+lSQy18vRn8xWW68GeQOg=", "narHash": "sha256-d1/ZKuBRpxifmUf7FaedCqhy0lyVbqj44Oc2s+P5bdA=",
"owner": "oxalica", "owner": "oxalica",
"repo": "rust-overlay", "repo": "rust-overlay",
"rev": "b520a3889b24aaf909e287d19d406862ced9ffc9", "rev": "b87a14abea512d956f0b89d0d8a1e9b41f3e20ff",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -432,11 +432,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1693447852, "lastModified": 1696039808,
"narHash": "sha256-K9npbs4S6+r51vpiElJi+0vwbAeftCAcOGbot/PCBnQ=", "narHash": "sha256-7TbAr9LskWG6ISPhUdyp6zHboT7FsFrME5QsWKybPTA=",
"owner": "oxalica", "owner": "oxalica",
"repo": "rust-overlay", "repo": "rust-overlay",
"rev": "40e851593ef4f9f8cd0b69c8cae7b722b9953a23", "rev": "a4c3c904ab29e04a20d3a6da6626d66030385773",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -453,11 +453,11 @@
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1695284550, "lastModified": 1696320910,
"narHash": "sha256-z9fz/wz9qo9XePEvdduf+sBNeoI9QG8NJKl5ssA8Xl4=", "narHash": "sha256-fbuEc6wylH+0VxG48lhPBK+SQJHfo2lusUwWHZNipIM=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "2f375ed8702b0d8ee2430885059d5e7975e38f78", "rev": "746c7fa1a64c1671a4bf287737c27fdc7101c4c2",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -530,18 +530,18 @@
"flake": false, "flake": false,
"locked": { "locked": {
"host": "gitlab.freedesktop.org", "host": "gitlab.freedesktop.org",
"lastModified": 1695919988, "lastModified": 1696255886,
"narHash": "sha256-4RBgIZHaVqH0m1POnfzYRzwCWxifIKH4xQ0kCn2LGkA=", "narHash": "sha256-0KZfiqqREousitBgG1mkzKmmNX4tjOIWdbBm6MvRCjQ=",
"owner": "wlroots", "owner": "wlroots",
"repo": "wlroots", "repo": "wlroots",
"rev": "c2aa7fd965cb7ee8bed24f4122b720aca8f0fc1e", "rev": "5ef42e8e8adece098848fac53c721b6eb3818fc2",
"type": "gitlab" "type": "gitlab"
}, },
"original": { "original": {
"host": "gitlab.freedesktop.org", "host": "gitlab.freedesktop.org",
"owner": "wlroots", "owner": "wlroots",
"repo": "wlroots", "repo": "wlroots",
"rev": "c2aa7fd965cb7ee8bed24f4122b720aca8f0fc1e", "rev": "5ef42e8e8adece098848fac53c721b6eb3818fc2",
"type": "gitlab" "type": "gitlab"
} }
}, },


@ -10,5 +10,6 @@
./vaultwarden.nix ./vaultwarden.nix
./conduit.nix ./conduit.nix
./cloudflareddns.nix ./cloudflareddns.nix
./tailscale.nix
]; ];
} }


@ -4,7 +4,6 @@
config, config,
... ...
}: { }: {
sops.secrets.forgejo-runner-token = {owner = "forgejo";};
services.forgejo = { services.forgejo = {
enable = true; enable = true;
stateDir = "/var/lib/forgejo"; stateDir = "/var/lib/forgejo";
@ -20,9 +19,14 @@
}; };
server = { server = {
HTTP_PORT = 3200; HTTP_PORT = 3200;
DOMAIN = "git.notohh.dev"; DOMAIN = "git.flake.sh";
ROOT_URL = "https://git.flake.sh"; ROOT_URL = "https://git.flake.sh";
LANDING_PAGE = "/explore/repos"; LANDING_PAGE = "/explore/repos";
START_SSH_SERVER = true;
SSH_DOMAIN = "git.flake.sh";
SSH_PORT = 2222;
SSH_LISTEN_PORT = 2222;
SSH_LISTEN_HOST = "100.121.201.47";
}; };
database = { database = {
DB_TYPE = lib.mkForce "postgres"; DB_TYPE = lib.mkForce "postgres";
@ -38,25 +42,4 @@
}; };
}; };
}; };
services.gitea-actions-runner = {
package = pkgs.forgejo-actions-runner;
instances.main = {
enable = true;
name = config.networking.hostName;
url = "https://git.flake.sh";
token = config.sops.secrets.forgejo-runner-token.path;
labels = [
"debian-latest:docker://node:18-bullseye"
"ubuntu-latest:docker://node:18-bullseye"
#"native:host"
];
hostPackages = with pkgs; [
bash
curl
coreutils
wget
gitMinimal
];
};
};
} }
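Review bot: `SSH_LISTEN_HOST = "100.121.201.47"` makes Forgejo's built-in SSH server bind to a Tailscale address that only exists once `tailscale-autoconnect` has brought the interface up, so at boot the bind can race tailscaled and fail with an address-not-available error unless forgejo.service is ordered after that unit or `net.ipv4.ip_nonlocal_bind` is set; I cannot see the service ordering from this hunk, so please verify on a cold boot. The same literal address is repeated in the HedgeDoc and Traefik files of this PR; lifting it into one shared option would mean a re-keyed node does not require editing every file. `START_SSH_SERVER = true` also switches git-over-SSH from the host's sshd (presumably what served it before) to Forgejo's embedded Go SSH server, which deserves a comment next to the bind address such as `# built-in SSH server, tailnet-only here; published externally via the edge host's gitssh TCP router`.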


@ -4,6 +4,7 @@ _: {
settings = { settings = {
port = 3300; port = 3300;
domain = "scratch.flake.sh"; domain = "scratch.flake.sh";
host = "100.121.201.47";
allowOrigin = ["scratch.flake.sh"]; allowOrigin = ["scratch.flake.sh"];
allowAnonymous = true; allowAnonymous = true;
allowFreeURL = true; allowFreeURL = true;
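Review bot: `host = "100.121.201.47"` binds HedgeDoc to the Tailscale address, so the service is tailnet-only, which is good, but the address does not exist until `tailscale-autoconnect` has run and a bind at boot may fail unless the unit is ordered after it; a comment such as `# tailnet-only listener; reverse-proxied from the edge host` would also document why the literal IP is here rather than localhost.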


@ -0,0 +1,41 @@
{
config,
lib,
pkgs,
...
}: {
sops.secrets.tsauth-sakura = {};
environment.systemPackages = [pkgs.jq pkgs.tailscale];
services.tailscale = {
useRoutingFeatures = lib.mkDefault "client";
};
networking.firewall.allowedUDPPorts = [config.services.tailscale.port];
networking.firewall.trustedInterfaces = [config.services.tailscale.interfaceName];
systemd.services.tailscale-autoconnect = {
description = "Automatic connection to Tailscale";
# make sure tailscale is running before trying to connect to tailscale
after = ["network-pre.target" "tailscale.service"];
wants = ["network-pre.target" "tailscale.service"];
wantedBy = ["multi-user.target"];
# set this service as a oneshot job
serviceConfig.Type = "oneshot";
# have the job run this shell script
script = with pkgs; ''
# wait for tailscaled to settle
sleep 2
# check if we are already authenticated to tailscale
status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
if [ $status = "Running" ]; then # if so, then do nothing
exit 0
fi
# otherwise authenticate with tailscale
${tailscale}/bin/tailscale up -authkey file:${config.sops.secrets.tsauth-sakura.path} --exit-node=100.87.54.48 --exit-node-allow-lan-access=true --accept-dns=false
'';
};
}
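Review bot: `if [ $status = "Running" ]` is unquoted, so when `tailscale status -json` fails or prints nothing (tailscaled not settled after the fixed `sleep 2`) the test becomes `[ = "Running" ]`, a syntax error that aborts the oneshot under the script's `-e` before it ever reaches `tailscale up`; write `if [ "$status" = "Running" ]; then` and prefer polling the status in a short loop over a fixed sleep. `networking.firewall.trustedInterfaces = [tailscale0]` disables host filtering for every peer on the tailnet, not just the exit node, so any listener bound to 0.0.0.0 on this host is reachable from any enrolled device; if that is intended, a one-line comment saying so would help the next reader. The auth key is read from the sops path rather than inlined, which is right — just confirm it is a reusable or ephemeral key with the scope you expect, since it is now long-lived in the repo in encrypted form.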


@ -1,6 +1,5 @@
{config, ...}: { {config, ...}: {
sops.secrets.cloudflare-api-key = {}; sops.secrets.cloudflare-api-key = {};
networking.firewall.allowedTCPPorts = [80 443];
systemd.services.traefik = { systemd.services.traefik = {
environment = { environment = {
CLOUDFLARE_EMAIL = "jch0tm2e@notohh.dev"; CLOUDFLARE_EMAIL = "jch0tm2e@notohh.dev";
@ -30,57 +29,9 @@
entrypoints = ["web"]; entrypoints = ["web"];
service = "dashdot"; service = "dashdot";
}; };
foundryvtt = {
rule = "Host(`foundry.flake.sh`)";
entrypoints = ["websecure"];
service = "foundryvtt";
tls.domains = [{main = "*.flake.sh";}];
tls.certresolver = "production";
};
forgejo = {
rule = "Host(`git.flake.sh`)";
entrypoints = ["websecure"];
service = "forgejo";
tls.domains = [{main = "*.flake.sh";}];
tls.certresolver = "production";
};
rustypaste = {
rule = "Host(`i.flake.sh`)";
entrypoints = ["websecure"];
service = "rustypaste";
tls.domains = [{main = "*.flake.sh";}];
tls.certresolver = "production";
};
grafana = {
rule = "Host(`metrics.flake.sh`)";
entrypoints = ["websecure"];
service = "grafana";
tls.domains = [{main = "*.flake.sh";}];
tls.certresolver = "production";
};
hedgedoc = {
rule = "Host(`scratch.flake.sh`)";
entrypoints = ["websecure"];
service = "hedgedoc";
tls.domains = [{main = "*.flake.sh";}];
tls.certresolver = "production";
};
vaultwarden = {
rule = "Host(`vault.flake.sh`)";
entrypoints = ["websecure"];
service = "vaultwarden";
tls.domains = [{main = "*.flake.sh";}];
tls.certresolver = "production";
};
}; };
services = { services = {
dashdot.loadBalancer.servers = [{url = "http://localhost:4000";}]; dashdot.loadBalancer.servers = [{url = "http://localhost:4000";}];
foundryvtt.loadBalancer.servers = [{url = "http://localhost:30000";}];
forgejo.loadBalancer.servers = [{url = "http://localhost:3200";}];
rustypaste.loadBalancer.servers = [{url = "http://localhost:8000";}];
grafana.loadBalancer.servers = [{url = "http://localhost:3100";}];
hedgedoc.loadBalancer.servers = [{url = "http://localhost:3300";}];
vaultwarden.loadBalancer.servers = [{url = "http://localhost:8222";}];
}; };
}; };
}; };
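Review bot: After this hunk the only router left on this host is `dashdot` on the plain `web` entrypoint, yet the Traefik unit still receives `CLOUDFLARE_EMAIL` and the `cloudflare-api-key` sops secret in the lines kept above; if nothing on this host still needs ACME DNS-01 (lines 1–29 of the file are outside the hunk, so I cannot confirm) drop the secret and the environment block here so a compromise of this box no longer yields a Cloudflare API token. Removing `networking.firewall.allowedTCPPorts = [80 443]` is consistent with the services moving behind the edge host, but the `web` entrypoint is still reachable through the trusted `tailscale0` interface, which is worth stating in a comment: `# port 80 is intentionally tailnet-only; public traffic enters via the edge host`.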


@ -3,5 +3,6 @@
./traefik.nix ./traefik.nix
./uptimekuma.nix ./uptimekuma.nix
./gotify.nix ./gotify.nix
./tailscale.nix
]; ];
} }


@ -0,0 +1,41 @@
{
config,
lib,
pkgs,
...
}: {
sops.secrets.tsauth-sora = {};
environment.systemPackages = [pkgs.jq pkgs.tailscale];
services.tailscale = {
useRoutingFeatures = lib.mkDefault "server"; # important to make it a server, it sets sysctl for ip forwarding without intervention and reboot
};
networking.firewall.allowedUDPPorts = [config.services.tailscale.port];
networking.firewall.trustedInterfaces = [config.services.tailscale.interfaceName];
systemd.services.tailscale-autoconnect = {
description = "Automatic connection to Tailscale";
# make sure tailscale is running before trying to connect to tailscale
after = ["network-pre.target" "tailscale.service"];
wants = ["network-pre.target" "tailscale.service"];
wantedBy = ["multi-user.target"];
# set this service as a oneshot job
serviceConfig.Type = "oneshot";
# have the job run this shell script
script = with pkgs; ''
# wait for tailscaled to settle
sleep 2
# check if we are already authenticated to tailscale
status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
if [ $status = "Running" ]; then # if so, then do nothing
exit 0
fi
# otherwise authenticate with tailscale
${tailscale}/bin/tailscale up --authkey file:${config.sops.secrets.tsauth-sora.path} --advertise-exit-node=true --accept-dns=false
'';
};
}
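Review bot: `after = ["network-pre.target" "tailscale.service"]` does not order this unit after the network is up — `network-pre.target` is the passive target that is reached *before* network configuration — so `tailscale up` with the auth key can fire before the host has a route to the control plane, and the `sleep 2` only papers over that; use `after = ["network-online.target" "tailscale.service"]` with the matching `wants`, and make sure whichever wait-online unit the host uses is enabled. The status test should also quote the variable, `if [ "$status" = "Running" ]; then`, otherwise an empty result from a not-yet-ready tailscaled is a syntax error under `-e` and the unit exits without authenticating. Since this node advertises itself as the exit node the other host hard-codes by IP, a comment noting that the route still has to be approved in the admin console (`# exit node must be approved in the Tailscale admin console before sakura can use it`) would save a confusing redeploy.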


@ -1,6 +1,6 @@
{config, ...}: { {config, ...}: {
sops.secrets.cloudflare-api-key = {}; sops.secrets.cloudflare-api-key = {};
networking.firewall.allowedTCPPorts = [80 443]; networking.firewall.allowedTCPPorts = [80 443 2222];
systemd.services.traefik = { systemd.services.traefik = {
environment = { environment = {
CLOUDFLARE_EMAIL = "jch0tm2e@notohh.dev"; CLOUDFLARE_EMAIL = "jch0tm2e@notohh.dev";
@ -12,6 +12,16 @@
services.traefik = { services.traefik = {
enable = true; enable = true;
dynamicConfigOptions = { dynamicConfigOptions = {
tcp = {
routers = {
gitssh = {
rule = "HostSNI(`*`)";
entrypoints = ["gitssh"];
service = "gitssh";
tls.passthrough = true;
};
};
};
http = { http = {
middlewares.authelia = { middlewares.authelia = {
forwardauth = { forwardauth = {
@ -53,12 +63,61 @@
tls.domains = [{main = "*.notohh.dev";}]; tls.domains = [{main = "*.notohh.dev";}];
tls.certresolver = "production"; tls.certresolver = "production";
}; };
foundryvtt = {
rule = "Host(`foundry.flake.sh`)";
entrypoints = ["websecure"];
service = "foundryvtt";
tls.domains = [{main = "*.flake.sh";}];
tls.certresolver = "production";
};
forgejo = {
rule = "Host(`git.flake.sh`)";
entrypoints = ["websecure"];
service = "forgejo";
tls.domains = [{main = "*.flake.sh";}];
tls.certresolver = "production";
};
rustypaste = {
rule = "Host(`i.flake.sh`)";
entrypoints = ["websecure"];
service = "rustypaste";
tls.domains = [{main = "*.flake.sh";}];
tls.certresolver = "production";
};
grafana = {
rule = "Host(`metrics.flake.sh`)";
entrypoints = ["websecure"];
service = "grafana";
tls.domains = [{main = "*.flake.sh";}];
tls.certresolver = "production";
};
hedgedoc = {
rule = "Host(`scratch.flake.sh`)";
entrypoints = ["websecure"];
service = "hedgedoc";
tls.domains = [{main = "*.flake.sh";}];
tls.certresolver = "production";
};
vaultwarden = {
rule = "Host(`vault.flake.sh`)";
entrypoints = ["websecure"];
service = "vaultwarden";
tls.domains = [{main = "*.flake.sh";}];
tls.certresolver = "production";
};
}; };
services = { services = {
uptime-kuma.loadBalancer.servers = [{url = "http://100.87.54.48:4000";}]; uptime-kuma.loadBalancer.servers = [{url = "http://100.87.54.48:4000";}];
gotify.loadBalancer.servers = [{url = "http://100.87.54.48:3000";}]; gotify.loadBalancer.servers = [{url = "http://100.87.54.48:3000";}];
conduit.loadBalancer.servers = [{url = "http://100.121.201.47:6167";}]; conduit.loadBalancer.servers = [{url = "http://100.121.201.47:6167";}];
authelia.loadBalancer.servers = [{url = "http://100.121.201.47:9091";}]; authelia.loadBalancer.servers = [{url = "http://100.121.201.47:9091";}];
foundryvtt.loadBalancer.servers = [{url = "http://100.121.201.47:30000";}];
forgejo.loadBalancer.servers = [{url = "http://100.121.201.47:3200";}];
rustypaste.loadBalancer.servers = [{url = "http://100.121.201.47:8000";}];
grafana.loadBalancer.servers = [{url = "http://100.121.201.47:3100";}];
hedgedoc.loadBalancer.servers = [{url = "http://100.121.201.47:3300";}];
vaultwarden.loadBalancer.servers = [{url = "http://100.121.201.47:8222";}];
gitssh.loadBalancer.servers = [{url = "tcp://100.121.201.47:2222";}];
}; };
}; };
}; };
@ -77,6 +136,9 @@
web = { web = {
address = ":80"; address = ":80";
}; };
gitssh = {
address = ":2222";
};
}; };
metrics = { metrics = {
prometheus = { prometheus = {
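Review bot: `tls.passthrough = true` on the `gitssh` TCP router makes it a TLS router — Traefik will wait for and parse a TLS ClientHello to evaluate `HostSNI` — but SSH is not TLS, so the client's `SSH-2.0-…` banner fails the handshake parse and the connection is dropped instead of being forwarded to `tcp://100.121.201.47:2222`; for raw TCP forwarding omit the `tls` block entirely and keep `rule = "HostSNI(`*`)"`, which is the rule form that matches non-TLS connections. I am inferring Traefik's behaviour rather than seeing it here, so verify with `ssh -p 2222 git@git.flake.sh` after deploy. Opening 2222 publicly on this edge also means Forgejo's built-in SSH server sees every client as this host's Tailscale address, so per-IP rate limiting or fail2ban on the Forgejo side is blind unless PROXY protocol is enabled on both ends — a comment on the `gitssh` entrypoint noting that trade-off would be useful.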


@ -8,5 +8,6 @@
./dashdot.nix ./dashdot.nix
./jellyfin.nix ./jellyfin.nix
./neko.nix ./neko.nix
./forgejo-runners.nix
]; ];
} }


@ -0,0 +1,33 @@
{
pkgs,
config,
...
}: {
sops.secrets.forgejo-runner-token = {};
services.gitea-actions-runner = {
package = pkgs.forgejo-actions-runner;
instances.main = {
settings = {
container = {
network = "host";
};
};
enable = true;
name = config.networking.hostName;
url = "https://git.flake.sh";
token = "gdeEbeUTifa1nK7EfRgBmvm6XRdQE1zZzAatBRSC";
labels = [
"debian-latest:docker://node:18-bullseye"
"ubuntu-latest:docker://node:18-bullseye"
#"native:host"
];
hostPackages = with pkgs; [
bash
curl
coreutils
wget
gitMinimal
];
};
};
}
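Review bot: `token = "gdeEbeUTifa1nK7EfRgBmvm6XRdQE1zZzAatBRSC"` commits a live runner registration token in plaintext while `sops.secrets.forgejo-runner-token = {}` on the first line is declared and never used; the module exposes `tokenFile` for exactly this, so replace the line with `tokenFile = config.sops.secrets.forgejo-runner-token.path;` and store the secret in the environment-file form the option describes (`TOKEN=…` — confirm against the module version you are on). The previous form, `token = config.sops.secrets.forgejo-runner-token.path`, passed the file path as the literal token, which is presumably why it was swapped for a hard-coded value. Because the string is now in git history and on this merged PR page, revoke and re-issue the token in Forgejo regardless of the fix. `container.network = "host"` also puts every job container on the host network namespace, giving CI jobs from any repository direct reach to the tailnet and any local listeners; if host networking is needed for a specific job, restrict it to a dedicated label or document the decision with a comment such as `# host networking: jobs can reach the tailnet — only run trusted repos on this runner`.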


@ -8,7 +8,9 @@ gluetun: ENC[AES256_GCM,data:yL+LOPpwU+CAtbjc7YWbNUOTpDhq4mH3aJOl3hPYxgbFUba6NVJ
authelia-jwt: ENC[AES256_GCM,data:cAn2uZeSGjG2FqTFgZkupcSutCZLvZXCNBsxuUQvGX4=,iv:1OTDQzQwaPTmnTEB4TfnxU6l8CdBAlHfqFThE8QZa6A=,tag:KJ6aYDczHFajhLJHemfIQw==,type:str] authelia-jwt: ENC[AES256_GCM,data:cAn2uZeSGjG2FqTFgZkupcSutCZLvZXCNBsxuUQvGX4=,iv:1OTDQzQwaPTmnTEB4TfnxU6l8CdBAlHfqFThE8QZa6A=,tag:KJ6aYDczHFajhLJHemfIQw==,type:str]
authelia-sek: ENC[AES256_GCM,data:yWhAvl1AuEcrUCFAv2vcz6A8BLEIMIz9sqbFRAriHpw=,iv:i887EZgqGtRfFs6mHHAJry0XfQzvrTaDliz8PRh7oLs=,tag:dmn2GSG8gZk9CVXMNmH1Dw==,type:str] authelia-sek: ENC[AES256_GCM,data:yWhAvl1AuEcrUCFAv2vcz6A8BLEIMIz9sqbFRAriHpw=,iv:i887EZgqGtRfFs6mHHAJry0XfQzvrTaDliz8PRh7oLs=,tag:dmn2GSG8gZk9CVXMNmH1Dw==,type:str]
cloudflareddns: ENC[AES256_GCM,data:xow7oaqa3QbMPwggx2zmGvLcKmov7isvLLZKuC6jW/SNjst8kicSQmNhrZw8M/eq8TuqxOT4BqMILQ+I7As2ZCOjSbEBxi1DwU/z47qI,iv:W8UH4kWlh9JyxcGkeuOjRZKqjOHDg9vpzXezHYs1kEg=,tag:YgGk7svEQr9sqLJtKWcHqA==,type:str] cloudflareddns: ENC[AES256_GCM,data:xow7oaqa3QbMPwggx2zmGvLcKmov7isvLLZKuC6jW/SNjst8kicSQmNhrZw8M/eq8TuqxOT4BqMILQ+I7As2ZCOjSbEBxi1DwU/z47qI,iv:W8UH4kWlh9JyxcGkeuOjRZKqjOHDg9vpzXezHYs1kEg=,tag:YgGk7svEQr9sqLJtKWcHqA==,type:str]
forgejo-runner-token: ENC[AES256_GCM,data:cmE70bA22B1YMr/iD32f+TRhk/X1f4aA8N4z1NGj4GxLgYMXkS1FpA==,iv:8XQ00VnQTyOh3wgb3ipO8P0QTo3qPSAJXvf7rRGi+Tc=,tag:QZpyUa+MDL8Hsjj3mdpOnA==,type:str] forgejo-runner-token: ENC[AES256_GCM,data:vv/zMR3qkmSNxA+wnwAzqdc8yNfR+aLMnmncm5lGmq7PhzryNwxDXQ==,iv:HOJMCTAy0C0VMHUAgLJLAZddsTqbM+Alsgo/+BfBNY4=,tag:pIH8SaIdSxvw70rOtbb9yw==,type:str]
tsauth-sora: ENC[AES256_GCM,data:3jzPB0whb9xHudVl/MhNeCUgjDfzzQpxGJGqfMf2GqEtfEkiynVTLO/TFDt1PorBuUQOjVfxn8c=,iv:5vLHbhY2ZlnsVQbLlu6Hxo32azpfcj6ORAMn3oSdcHY=,tag:zN8qPOSaSMMdJn+zsTXPaA==,type:str]
tsauth-sakura: ENC[AES256_GCM,data:iN77ArKDnltxrWGCz8bMqMHBAp45oGUk+n5ilAE0tY2rz01PGaCmIgPFSDfNaMphH6gX+AbEd5Y=,iv:k/lBIZW7aKT3u+dgcFnQORah2yHZXAmY+PBv53tM1ao=,tag:9/pebj3D9LURTedqkduoaw==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -24,8 +26,8 @@ sops:
YWNQcURKMSs2U0pOa3E0cTdCZ3RnalkKGayA7DBUQS+kn+6OYVBc6oTunF0qeZdt YWNQcURKMSs2U0pOa3E0cTdCZ3RnalkKGayA7DBUQS+kn+6OYVBc6oTunF0qeZdt
5b9DLHgh0HRWFm09XGSOog8K315d93Wzblw1My1/dXeEQX/ryinqUQ== 5b9DLHgh0HRWFm09XGSOog8K315d93Wzblw1My1/dXeEQX/ryinqUQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-10-05T20:42:39Z" lastmodified: "2023-10-07T19:39:53Z"
mac: ENC[AES256_GCM,data:bniacC304lHRxyxpVPopWtKu2508fIpp+TmVt+2EJjsPiqV2x6tA377DTiczh+7tjjcEKJQ7UclkRs+8BH095WyYuX7LC6F8HzQY2its1BoMUvBoHo9x0gVTK0lgg01kLTrLFrWP3uv5xcGgj1/huBLfr6tOwvymmyEgORlf/+M=,iv:VJIYUqzflBQ+vXEWinBCPBjnQXH36nYdRehjPnErSBo=,tag:6nBssjqsd0oIpakpw+mFsw==,type:str] mac: ENC[AES256_GCM,data:a6G3BdrDCsipNgkG3SNijKM2QCPsQEh9TztF3VlrcUX+jdC5UDpDmh9VCnLHh1MsOTgpRCn4ZXc0QVPSZKxsCra3ipDqLuXATHWzfJFmGDiLnderrRzSmy5MuDJKiVO2wKruYhIfj6VHM92mIvay4JwmqTptmD9DP4g/+5kYkrc=,iv:34XFn2sH3bJjO2O/0oIa23rmiyL4hP+FUYlDqVGiOGA=,tag:A3Qv9uzJ6HXlKoVPHZVjwA==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.0 version: 3.8.0