networking: refactor routing #10
13 changed files with 249 additions and 132 deletions
|
@ -8,4 +8,4 @@ jobs:
|
|||
uses: https://github.com/DeterminateSystems/nix-installer-action@v5
|
||||
with:
|
||||
github-token: ${{ secrets.GH_TOKEN }}
|
||||
- run: nix run nixpkgs#alejandra -- -c .
|
||||
- run: nix run nixpkgs#alejandra -- -c .
|
||||
|
|
110
flake.lock
110
flake.lock
|
@ -11,11 +11,11 @@
|
|||
"rust-overlay": "rust-overlay"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1693439040,
|
||||
"narHash": "sha256-t2nOxBcP0Q/XJt6Ild4v0hJ49OSl9F3nE1cdIT4xsDg=",
|
||||
"lastModified": 1695511445,
|
||||
"narHash": "sha256-mnE14re43v3/Jc50Jv0BKPMtEk7FEtDSligP6B5HwlI=",
|
||||
"owner": "ipetkov",
|
||||
"repo": "crane",
|
||||
"rev": "174604795d316b75777e28185c3a4918bc69b399",
|
||||
"rev": "3de322e06fc88ada5e3589dc8a375b73e749f512",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -83,11 +83,11 @@
|
|||
"nixpkgs-lib": "nixpkgs-lib"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1690933134,
|
||||
"narHash": "sha256-ab989mN63fQZBFrkk4Q8bYxQCktuHmBIBqUG1jl6/FQ=",
|
||||
"lastModified": 1693611461,
|
||||
"narHash": "sha256-aPODl8vAgGQ0ZYFIRisxYG5MOGSkIczvu2Cd8Gb9+1Y=",
|
||||
"owner": "hercules-ci",
|
||||
"repo": "flake-parts",
|
||||
"rev": "59cf3f1447cfc75087e7273b04b31e689a8599fb",
|
||||
"rev": "7f53fdb7bdc5bb237da7fefef12d099e4fd611ca",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -101,11 +101,11 @@
|
|||
"systems": "systems_2"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1689068808,
|
||||
"narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
|
||||
"lastModified": 1694529238,
|
||||
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
|
||||
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -139,11 +139,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1695984718,
|
||||
"narHash": "sha256-LQwKgaaaFOkIcxarf0xQXeDJFwZ5BZWcgmPeo3xp2CM=",
|
||||
"lastModified": 1696371324,
|
||||
"narHash": "sha256-0ycIheYRxzPOL9XBWiAm/af9cqRmsiy701OpjsRsKiw=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "4f02e35f9d150573e1a710afa338846c2f6d850c",
|
||||
"rev": "e63c30fe9792b57dea1eab98be6871a0e42a33c9",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -163,11 +163,11 @@
|
|||
"xdph": "xdph"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1696034465,
|
||||
"narHash": "sha256-4/jscEYXk8x1wkjpP6EFnsMpp9h9ITQXaZsg+iVxen4=",
|
||||
"lastModified": 1696367817,
|
||||
"narHash": "sha256-r16HUij8M3c0JMLLPaLdRJLHlSBhtVBWsR2+JZSW1B8=",
|
||||
"owner": "hyprwm",
|
||||
"repo": "Hyprland",
|
||||
"rev": "c298439433f9b6861c7c62ea587289ac2e4ef2f8",
|
||||
"rev": "d61e4f9ad75d51f15eac6bced13439899d66a950",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -211,11 +211,11 @@
|
|||
"rust-overlay": "rust-overlay_2"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1695668783,
|
||||
"narHash": "sha256-pXVei5KZMxALQ8ibx0oqbfh5N/FI3VzJHodDNAh41xE=",
|
||||
"lastModified": 1696275091,
|
||||
"narHash": "sha256-6/bnExKrZJ9GvveJwTdjIWHuJY0n8Y1pyqnsq5/4xP0=",
|
||||
"owner": "JakeStanger",
|
||||
"repo": "ironbar",
|
||||
"rev": "0c0163cfa1a8c0286edf231507026dd6f5798644",
|
||||
"rev": "abbd3ab62339a3ac9665dbaf7b66c23f0ae7bc64",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -249,11 +249,11 @@
|
|||
"nixpkgs": "nixpkgs"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1692351612,
|
||||
"narHash": "sha256-KTGonidcdaLadRnv9KFgwSMh1ZbXoR/OBmPjeNMhFwU=",
|
||||
"lastModified": 1694081375,
|
||||
"narHash": "sha256-vzJXOUnmkMCm3xw8yfPP5m8kypQ3BhAIRe4RRCWpzy8=",
|
||||
"owner": "nix-community",
|
||||
"repo": "naersk",
|
||||
"rev": "78789c30d64dea2396c9da516bbcc8db3a475207",
|
||||
"rev": "3f976d822b7b37fc6fb8e6f157c2dd05e7e94e89",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -271,11 +271,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1694971480,
|
||||
"narHash": "sha256-5UKSMDiboMIs15WN6jbctJgYfnGPfkHhvWWaboB2rGk=",
|
||||
"lastModified": 1696149398,
|
||||
"narHash": "sha256-RwlAyww4bzeu2ndeQoScelYtlYiSxPdCn70R+xGdZBc=",
|
||||
"owner": "viperML",
|
||||
"repo": "nh",
|
||||
"rev": "4b88da6fc89bf06d6598ce9a881590a7cc0dcafd",
|
||||
"rev": "2985f5a45d6f3e1a9d8d3ca5c777ef1bc9c7fbd1",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -286,11 +286,11 @@
|
|||
},
|
||||
"nix-filter": {
|
||||
"locked": {
|
||||
"lastModified": 1687178632,
|
||||
"narHash": "sha256-HS7YR5erss0JCaUijPeyg2XrisEb959FIct3n2TMGbE=",
|
||||
"lastModified": 1694857738,
|
||||
"narHash": "sha256-bxxNyLHjhu0N8T3REINXQ2ZkJco0ABFPn6PIe2QUfqo=",
|
||||
"owner": "numtide",
|
||||
"repo": "nix-filter",
|
||||
"rev": "d90c75e8319d0dd9be67d933d8eb9d0894ec9174",
|
||||
"rev": "41fd48e00c22b4ced525af521ead8792402de0ea",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -306,11 +306,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1695526222,
|
||||
"narHash": "sha256-/NwZz3QcVplrfiDKk1thYg1EIHLSNucVHNUi2uwO3RI=",
|
||||
"lastModified": 1696131323,
|
||||
"narHash": "sha256-Y47r8Jo+9rs+XUWHcDPZtkQs6wFeZ24L4CQTfVwE+vY=",
|
||||
"owner": "Mic92",
|
||||
"repo": "nix-index-database",
|
||||
"rev": "25d6369c232bbea1ec1f90226fd17982e7a0a647",
|
||||
"rev": "031d4b22505fdea47bd53bfafad517cd03c26a4f",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -321,11 +321,11 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1693355128,
|
||||
"narHash": "sha256-+ZoAny3ZxLcfMaUoLVgL9Ywb/57wP+EtsdNGuXUJrwg=",
|
||||
"lastModified": 1695978539,
|
||||
"narHash": "sha256-lta5HToBZMWZ2hl5CautNSUgIZViR41QxN7JKbMAjgQ=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "a63a64b593dcf2fe05f7c5d666eb395950f36bc9",
|
||||
"rev": "bd9b686c0168041aea600222be0805a0de6e6ab8",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -336,11 +336,11 @@
|
|||
"nixpkgs-lib": {
|
||||
"locked": {
|
||||
"dir": "lib",
|
||||
"lastModified": 1690881714,
|
||||
"narHash": "sha256-h/nXluEqdiQHs1oSgkOOWF+j8gcJMWhwnZ9PFabN6q0=",
|
||||
"lastModified": 1693471703,
|
||||
"narHash": "sha256-0l03ZBL8P1P6z8MaSDS/MvuU8E75rVxe5eE1N6gxeTo=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "9e1960bc196baf6881340d53dccb203a951745a2",
|
||||
"rev": "3e52e76b70d5508f3cec70b882a29199f4d1ee85",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -353,11 +353,11 @@
|
|||
},
|
||||
"nixpkgs-stable": {
|
||||
"locked": {
|
||||
"lastModified": 1694908564,
|
||||
"narHash": "sha256-ducA98AuWWJu5oUElIzN24Q22WlO8bOfixGzBgzYdVc=",
|
||||
"lastModified": 1696123266,
|
||||
"narHash": "sha256-S6MZEneQeE4M/E/C8SMnr7B7oBnjH/hbm96Kak5hAAI=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "596611941a74be176b98aeba9328aa9d01b8b322",
|
||||
"rev": "dbe90e63a36762f1fbde546e26a84af774a32455",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -369,11 +369,11 @@
|
|||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1695830400,
|
||||
"narHash": "sha256-gToZXQVr0G/1WriO83olnqrLSHF2Jb8BPcmCt497ro0=",
|
||||
"lastModified": 1696193975,
|
||||
"narHash": "sha256-mnQjUcYgp9Guu3RNVAB2Srr1TqKcPpRXmJf4LJk6KRY=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "8a86b98f0ba1c405358f1b71ff8b5e1d317f5db2",
|
||||
"rev": "fdd898f8f79e8d2f99ed2ab6b3751811ef683242",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -410,11 +410,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1691374719,
|
||||
"narHash": "sha256-HCodqnx1Mi2vN4f3hjRPc7+lSQy18vRn8xWW68GeQOg=",
|
||||
"lastModified": 1695003086,
|
||||
"narHash": "sha256-d1/ZKuBRpxifmUf7FaedCqhy0lyVbqj44Oc2s+P5bdA=",
|
||||
"owner": "oxalica",
|
||||
"repo": "rust-overlay",
|
||||
"rev": "b520a3889b24aaf909e287d19d406862ced9ffc9",
|
||||
"rev": "b87a14abea512d956f0b89d0d8a1e9b41f3e20ff",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -432,11 +432,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1693447852,
|
||||
"narHash": "sha256-K9npbs4S6+r51vpiElJi+0vwbAeftCAcOGbot/PCBnQ=",
|
||||
"lastModified": 1696039808,
|
||||
"narHash": "sha256-7TbAr9LskWG6ISPhUdyp6zHboT7FsFrME5QsWKybPTA=",
|
||||
"owner": "oxalica",
|
||||
"repo": "rust-overlay",
|
||||
"rev": "40e851593ef4f9f8cd0b69c8cae7b722b9953a23",
|
||||
"rev": "a4c3c904ab29e04a20d3a6da6626d66030385773",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -453,11 +453,11 @@
|
|||
"nixpkgs-stable": "nixpkgs-stable"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1695284550,
|
||||
"narHash": "sha256-z9fz/wz9qo9XePEvdduf+sBNeoI9QG8NJKl5ssA8Xl4=",
|
||||
"lastModified": 1696320910,
|
||||
"narHash": "sha256-fbuEc6wylH+0VxG48lhPBK+SQJHfo2lusUwWHZNipIM=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "2f375ed8702b0d8ee2430885059d5e7975e38f78",
|
||||
"rev": "746c7fa1a64c1671a4bf287737c27fdc7101c4c2",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -530,18 +530,18 @@
|
|||
"flake": false,
|
||||
"locked": {
|
||||
"host": "gitlab.freedesktop.org",
|
||||
"lastModified": 1695919988,
|
||||
"narHash": "sha256-4RBgIZHaVqH0m1POnfzYRzwCWxifIKH4xQ0kCn2LGkA=",
|
||||
"lastModified": 1696255886,
|
||||
"narHash": "sha256-0KZfiqqREousitBgG1mkzKmmNX4tjOIWdbBm6MvRCjQ=",
|
||||
"owner": "wlroots",
|
||||
"repo": "wlroots",
|
||||
"rev": "c2aa7fd965cb7ee8bed24f4122b720aca8f0fc1e",
|
||||
"rev": "5ef42e8e8adece098848fac53c721b6eb3818fc2",
|
||||
"type": "gitlab"
|
||||
},
|
||||
"original": {
|
||||
"host": "gitlab.freedesktop.org",
|
||||
"owner": "wlroots",
|
||||
"repo": "wlroots",
|
||||
"rev": "c2aa7fd965cb7ee8bed24f4122b720aca8f0fc1e",
|
||||
"rev": "5ef42e8e8adece098848fac53c721b6eb3818fc2",
|
||||
"type": "gitlab"
|
||||
}
|
||||
},
|
||||
|
|
|
@ -10,5 +10,6 @@
|
|||
./vaultwarden.nix
|
||||
./conduit.nix
|
||||
./cloudflareddns.nix
|
||||
./tailscale.nix
|
||||
];
|
||||
}
|
||||
|
|
|
@ -4,7 +4,6 @@
|
|||
config,
|
||||
...
|
||||
}: {
|
||||
sops.secrets.forgejo-runner-token = {owner = "forgejo";};
|
||||
services.forgejo = {
|
||||
enable = true;
|
||||
stateDir = "/var/lib/forgejo";
|
||||
|
@ -20,9 +19,14 @@
|
|||
};
|
||||
server = {
|
||||
HTTP_PORT = 3200;
|
||||
DOMAIN = "git.notohh.dev";
|
||||
DOMAIN = "git.flake.sh";
|
||||
ROOT_URL = "https://git.flake.sh";
|
||||
LANDING_PAGE = "/explore/repos";
|
||||
START_SSH_SERVER = true;
|
||||
SSH_DOMAIN = "git.flake.sh";
|
||||
SSH_PORT = 2222;
|
||||
SSH_LISTEN_PORT = 2222;
|
||||
SSH_LISTEN_HOST = "100.121.201.47";
|
||||
};
|
||||
database = {
|
||||
DB_TYPE = lib.mkForce "postgres";
|
||||
|
@ -38,25 +42,4 @@
|
|||
};
|
||||
};
|
||||
};
|
||||
services.gitea-actions-runner = {
|
||||
package = pkgs.forgejo-actions-runner;
|
||||
instances.main = {
|
||||
enable = true;
|
||||
name = config.networking.hostName;
|
||||
url = "https://git.flake.sh";
|
||||
token = config.sops.secrets.forgejo-runner-token.path;
|
||||
labels = [
|
||||
"debian-latest:docker://node:18-bullseye"
|
||||
"ubuntu-latest:docker://node:18-bullseye"
|
||||
#"native:host"
|
||||
];
|
||||
hostPackages = with pkgs; [
|
||||
bash
|
||||
curl
|
||||
coreutils
|
||||
wget
|
||||
gitMinimal
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -4,6 +4,7 @@ _: {
|
|||
settings = {
|
||||
port = 3300;
|
||||
domain = "scratch.flake.sh";
|
||||
host = "100.121.201.47";
|
||||
allowOrigin = ["scratch.flake.sh"];
|
||||
allowAnonymous = true;
|
||||
allowFreeURL = true;
|
||||
|
|
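--- /dev/null
+++ b/hosts/sakura/services/tailscale.nix
@@ -0,0 +1,41 @@
+{
+config,
+lib,
+pkgs,
+...
+}: {
+sops.secrets.tsauth-sakura = {};
+environment.systemPackages = [pkgs.jq pkgs.tailscale];
+services.tailscale = {
+useRoutingFeatures = lib.mkDefault "client";
+};
+networking.firewall.allowedUDPPorts = [config.services.tailscale.port];
+networking.firewall.trustedInterfaces = [config.services.tailscale.interfaceName];
+
+systemd.services.tailscale-autoconnect = {
+description = "Automatic connection to Tailscale";
+
+# make sure tailscale is running before trying to connect to tailscale
+after = ["network-pre.target" "tailscale.service"];
+wants = ["network-pre.target" "tailscale.service"];
+wantedBy = ["multi-user.target"];
+
+# set this service as a oneshot job
+serviceConfig.Type = "oneshot";
+
+# have the job run this shell script
+script = with pkgs; ''
+# wait for tailscaled to settle
+sleep 2
+
+# check if we are already authenticated to tailscale
+status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+if [ $status = "Running" ]; then # if so, then do nothing
+exit 0
+fi
+
+# otherwise authenticate with tailscale
+${tailscale}/bin/tailscale up -authkey file:${config.sops.secrets.tsauth-sakura.path} --exit-node=100.87.54.48 --exit-node-allow-lan-access=true --accept-dns=false
+'';
+};
+}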
|
@ -1,6 +1,5 @@
|
|||
{config, ...}: {
|
||||
sops.secrets.cloudflare-api-key = {};
|
||||
networking.firewall.allowedTCPPorts = [80 443];
|
||||
systemd.services.traefik = {
|
||||
environment = {
|
||||
CLOUDFLARE_EMAIL = "jch0tm2e@notohh.dev";
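Review bot: The single removed line in this hunk appears to be `networking.firewall.allowedTCPPorts = [80 443];` (the sora counterpart keeps and extends that line), which leaves the surviving `dashdot` router on the `web` entrypoint reachable only over the tailnet through `trustedInterfaces`; if that is the intent, record it, e.g. `# no public ports: sora's traefik proxies to this host over the tailnet`. With every `websecure` router removed in the second hunk, the `sops.secrets.cloudflare-api-key` declaration and the `CLOUDFLARE_EMAIL` environment look unused on this host and could be dropped, unless a certresolver outside the hunk still references them. The enclosing `systemd.services.traefik` block continues past the hunk.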
|
||||
|
@ -30,57 +29,9 @@
|
|||
entrypoints = ["web"];
|
||||
service = "dashdot";
|
||||
};
|
||||
foundryvtt = {
|
||||
rule = "Host(`foundry.flake.sh`)";
|
||||
entrypoints = ["websecure"];
|
||||
service = "foundryvtt";
|
||||
tls.domains = [{main = "*.flake.sh";}];
|
||||
tls.certresolver = "production";
|
||||
};
|
||||
forgejo = {
|
||||
rule = "Host(`git.flake.sh`)";
|
||||
entrypoints = ["websecure"];
|
||||
service = "forgejo";
|
||||
tls.domains = [{main = "*.flake.sh";}];
|
||||
tls.certresolver = "production";
|
||||
};
|
||||
rustypaste = {
|
||||
rule = "Host(`i.flake.sh`)";
|
||||
entrypoints = ["websecure"];
|
||||
service = "rustypaste";
|
||||
tls.domains = [{main = "*.flake.sh";}];
|
||||
tls.certresolver = "production";
|
||||
};
|
||||
grafana = {
|
||||
rule = "Host(`metrics.flake.sh`)";
|
||||
entrypoints = ["websecure"];
|
||||
service = "grafana";
|
||||
tls.domains = [{main = "*.flake.sh";}];
|
||||
tls.certresolver = "production";
|
||||
};
|
||||
hedgedoc = {
|
||||
rule = "Host(`scratch.flake.sh`)";
|
||||
entrypoints = ["websecure"];
|
||||
service = "hedgedoc";
|
||||
tls.domains = [{main = "*.flake.sh";}];
|
||||
tls.certresolver = "production";
|
||||
};
|
||||
vaultwarden = {
|
||||
rule = "Host(`vault.flake.sh`)";
|
||||
entrypoints = ["websecure"];
|
||||
service = "vaultwarden";
|
||||
tls.domains = [{main = "*.flake.sh";}];
|
||||
tls.certresolver = "production";
|
||||
};
|
||||
};
|
||||
services = {
|
||||
dashdot.loadBalancer.servers = [{url = "http://localhost:4000";}];
|
||||
foundryvtt.loadBalancer.servers = [{url = "http://localhost:30000";}];
|
||||
forgejo.loadBalancer.servers = [{url = "http://localhost:3200";}];
|
||||
rustypaste.loadBalancer.servers = [{url = "http://localhost:8000";}];
|
||||
grafana.loadBalancer.servers = [{url = "http://localhost:3100";}];
|
||||
hedgedoc.loadBalancer.servers = [{url = "http://localhost:3300";}];
|
||||
vaultwarden.loadBalancer.servers = [{url = "http://localhost:8222";}];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
@ -3,5 +3,6 @@
|
|||
./traefik.nix
|
||||
./uptimekuma.nix
|
||||
./gotify.nix
|
||||
./tailscale.nix
|
||||
];
|
||||
}
|
||||
|
|
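--- /dev/null
+++ b/hosts/sora/services/tailscale.nix
@@ -0,0 +1,41 @@
+{
+config,
+lib,
+pkgs,
+...
+}: {
+sops.secrets.tsauth-sora = {};
+environment.systemPackages = [pkgs.jq pkgs.tailscale];
+services.tailscale = {
+useRoutingFeatures = lib.mkDefault "server"; # important to make it a server, it sets sysctl for ip forwarding without intervention and reboot
+};
+networking.firewall.allowedUDPPorts = [config.services.tailscale.port];
+networking.firewall.trustedInterfaces = [config.services.tailscale.interfaceName];
+
+systemd.services.tailscale-autoconnect = {
+description = "Automatic connection to Tailscale";
+
+# make sure tailscale is running before trying to connect to tailscale
+after = ["network-pre.target" "tailscale.service"];
+wants = ["network-pre.target" "tailscale.service"];
+wantedBy = ["multi-user.target"];
+
+# set this service as a oneshot job
+serviceConfig.Type = "oneshot";
+
+# have the job run this shell script
+script = with pkgs; ''
+# wait for tailscaled to settle
+sleep 2
+
+# check if we are already authenticated to tailscale
+status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+if [ $status = "Running" ]; then # if so, then do nothing
+exit 0
+fi
+
+# otherwise authenticate with tailscale
+${tailscale}/bin/tailscale up --authkey file:${config.sops.secrets.tsauth-sora.path} --advertise-exit-node=true --accept-dns=false
+'';
+};
+}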
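Review bot: hosts/sora/services/tailscale.nix is a line-for-line copy of hosts/sakura/services/tailscale.nix apart from the secret name, the `useRoutingFeatures` value and the `tailscale up` flags, so every future fix to the autoconnect script has to be applied twice. Consider moving the shared part (packages, firewall rules, the `tailscale-autoconnect` unit) into one common module that takes the auth-key secret path and the extra `tailscale up` arguments as options, leaving only those per-host values here. The `# important to make it a server …` comment is the one piece of rationale in the file and should travel with the `useRoutingFeatures` setting wherever it ends up.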
|
|
@ -1,6 +1,6 @@
|
|||
{config, ...}: {
|
||||
sops.secrets.cloudflare-api-key = {};
|
||||
networking.firewall.allowedTCPPorts = [80 443];
|
||||
networking.firewall.allowedTCPPorts = [80 443 2222];
|
||||
systemd.services.traefik = {
|
||||
environment = {
|
||||
CLOUDFLARE_EMAIL = "jch0tm2e@notohh.dev";
|
||||
|
@ -12,6 +12,16 @@
|
|||
services.traefik = {
|
||||
enable = true;
|
||||
dynamicConfigOptions = {
|
||||
tcp = {
|
||||
routers = {
|
||||
gitssh = {
|
||||
rule = "HostSNI(`*`)";
|
||||
entrypoints = ["gitssh"];
|
||||
service = "gitssh";
|
||||
tls.passthrough = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
http = {
|
||||
middlewares.authelia = {
|
||||
forwardauth = {
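Review bot: The new `gitssh` TCP router sets `tls.passthrough = true;` although SSH is not TLS; per Traefik's TCP-router documentation a router with a `tls` section is dedicated to TLS connections and ignores non-TLS ones, so git-over-SSH arriving on the `gitssh` entrypoint (opened on the public firewall as port 2222 in the first hunk of this file) would not be matched. Drop the `tls.passthrough = true;` line and keep `rule = "HostSNI(`*`)";`, which is the required catch-all for plain TCP. Once Traefik forwards raw TCP, the only gate on that public port is the Forgejo SSH server behind `tcp://100.121.201.47:2222`, and it will see sora's address rather than the real client's unless PROXY protocol is enabled at both ends, which matters for any IP-based rate limiting or banning on sakura. The enclosing `services.traefik` attribute set continues outside the hunk.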
|
||||
|
@ -53,12 +63,61 @@
|
|||
tls.domains = [{main = "*.notohh.dev";}];
|
||||
tls.certresolver = "production";
|
||||
};
|
||||
foundryvtt = {
|
||||
rule = "Host(`foundry.flake.sh`)";
|
||||
entrypoints = ["websecure"];
|
||||
service = "foundryvtt";
|
||||
tls.domains = [{main = "*.flake.sh";}];
|
||||
tls.certresolver = "production";
|
||||
};
|
||||
forgejo = {
|
||||
rule = "Host(`git.flake.sh`)";
|
||||
entrypoints = ["websecure"];
|
||||
service = "forgejo";
|
||||
tls.domains = [{main = "*.flake.sh";}];
|
||||
tls.certresolver = "production";
|
||||
};
|
||||
rustypaste = {
|
||||
rule = "Host(`i.flake.sh`)";
|
||||
entrypoints = ["websecure"];
|
||||
service = "rustypaste";
|
||||
tls.domains = [{main = "*.flake.sh";}];
|
||||
tls.certresolver = "production";
|
||||
};
|
||||
grafana = {
|
||||
rule = "Host(`metrics.flake.sh`)";
|
||||
entrypoints = ["websecure"];
|
||||
service = "grafana";
|
||||
tls.domains = [{main = "*.flake.sh";}];
|
||||
tls.certresolver = "production";
|
||||
};
|
||||
hedgedoc = {
|
||||
rule = "Host(`scratch.flake.sh`)";
|
||||
entrypoints = ["websecure"];
|
||||
service = "hedgedoc";
|
||||
tls.domains = [{main = "*.flake.sh";}];
|
||||
tls.certresolver = "production";
|
||||
};
|
||||
vaultwarden = {
|
||||
rule = "Host(`vault.flake.sh`)";
|
||||
entrypoints = ["websecure"];
|
||||
service = "vaultwarden";
|
||||
tls.domains = [{main = "*.flake.sh";}];
|
||||
tls.certresolver = "production";
|
||||
};
|
||||
};
|
||||
services = {
|
||||
uptime-kuma.loadBalancer.servers = [{url = "http://100.87.54.48:4000";}];
|
||||
gotify.loadBalancer.servers = [{url = "http://100.87.54.48:3000";}];
|
||||
conduit.loadBalancer.servers = [{url = "http://100.121.201.47:6167";}];
|
||||
authelia.loadBalancer.servers = [{url = "http://100.121.201.47:9091";}];
|
||||
foundryvtt.loadBalancer.servers = [{url = "http://100.121.201.47:30000";}];
|
||||
forgejo.loadBalancer.servers = [{url = "http://100.121.201.47:3200";}];
|
||||
rustypaste.loadBalancer.servers = [{url = "http://100.121.201.47:8000";}];
|
||||
grafana.loadBalancer.servers = [{url = "http://100.121.201.47:3100";}];
|
||||
hedgedoc.loadBalancer.servers = [{url = "http://100.121.201.47:3300";}];
|
||||
vaultwarden.loadBalancer.servers = [{url = "http://100.121.201.47:8222";}];
|
||||
gitssh.loadBalancer.servers = [{url = "tcp://100.121.201.47:2222";}];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -77,6 +136,9 @@
|
|||
web = {
|
||||
address = ":80";
|
||||
};
|
||||
gitssh = {
|
||||
address = ":2222";
|
||||
};
|
||||
};
|
||||
metrics = {
|
||||
prometheus = {
|
||||
|
|
|
@ -8,5 +8,6 @@
|
|||
./dashdot.nix
|
||||
./jellyfin.nix
|
||||
./neko.nix
|
||||
./forgejo-runners.nix
|
||||
];
|
||||
}
|
||||
|
|
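--- /dev/null
+++ b/hosts/yuki/services/forgejo-runners.nix
@@ -0,0 +1,33 @@
+{
+pkgs,
+config,
+...
+}: {
+sops.secrets.forgejo-runner-token = {};
+services.gitea-actions-runner = {
+package = pkgs.forgejo-actions-runner;
+instances.main = {
+settings = {
+container = {
+network = "host";
+};
+};
+enable = true;
+name = config.networking.hostName;
+url = "https://git.flake.sh";
+token = "gdeEbeUTifa1nK7EfRgBmvm6XRdQE1zZzAatBRSC";
+labels = [
+"debian-latest:docker://node:18-bullseye"
+"ubuntu-latest:docker://node:18-bullseye"
+#"native:host"
+];
+hostPackages = with pkgs; [
+bash
+curl
+coreutils
+wget
+gitMinimal
+];
+};
+};
+}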
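Review bot: The `token = "…"` line in the new `instances.main` commits a plaintext Forgejo runner registration token to the repository and bakes it into the world-readable Nix store, while the same file declares `sops.secrets.forgejo-runner-token = {};` and the `secrets.yaml` hunk re-encrypts exactly that secret. Point the module at the secret instead, `tokenFile = config.sops.secrets.forgejo-runner-token.path;`, with the decrypted file in the `TOKEN=<value>` environment-file form the nixpkgs module documents for that option, and delete the literal `token` line. The literal is already in git history, so it should be revoked in Forgejo and a fresh token registered regardless of the fix. `container.network = "host";` additionally gives every job container the host's network namespace, including any tailnet the host is joined to; confirm that is acceptable if this runner executes workflows from contributors you do not fully trust.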
|
|
@ -8,7 +8,9 @@ gluetun: ENC[AES256_GCM,data:yL+LOPpwU+CAtbjc7YWbNUOTpDhq4mH3aJOl3hPYxgbFUba6NVJ
|
|||
authelia-jwt: ENC[AES256_GCM,data:cAn2uZeSGjG2FqTFgZkupcSutCZLvZXCNBsxuUQvGX4=,iv:1OTDQzQwaPTmnTEB4TfnxU6l8CdBAlHfqFThE8QZa6A=,tag:KJ6aYDczHFajhLJHemfIQw==,type:str]
|
||||
authelia-sek: ENC[AES256_GCM,data:yWhAvl1AuEcrUCFAv2vcz6A8BLEIMIz9sqbFRAriHpw=,iv:i887EZgqGtRfFs6mHHAJry0XfQzvrTaDliz8PRh7oLs=,tag:dmn2GSG8gZk9CVXMNmH1Dw==,type:str]
|
||||
cloudflareddns: ENC[AES256_GCM,data:xow7oaqa3QbMPwggx2zmGvLcKmov7isvLLZKuC6jW/SNjst8kicSQmNhrZw8M/eq8TuqxOT4BqMILQ+I7As2ZCOjSbEBxi1DwU/z47qI,iv:W8UH4kWlh9JyxcGkeuOjRZKqjOHDg9vpzXezHYs1kEg=,tag:YgGk7svEQr9sqLJtKWcHqA==,type:str]
|
||||
forgejo-runner-token: ENC[AES256_GCM,data:cmE70bA22B1YMr/iD32f+TRhk/X1f4aA8N4z1NGj4GxLgYMXkS1FpA==,iv:8XQ00VnQTyOh3wgb3ipO8P0QTo3qPSAJXvf7rRGi+Tc=,tag:QZpyUa+MDL8Hsjj3mdpOnA==,type:str]
|
||||
forgejo-runner-token: ENC[AES256_GCM,data:vv/zMR3qkmSNxA+wnwAzqdc8yNfR+aLMnmncm5lGmq7PhzryNwxDXQ==,iv:HOJMCTAy0C0VMHUAgLJLAZddsTqbM+Alsgo/+BfBNY4=,tag:pIH8SaIdSxvw70rOtbb9yw==,type:str]
|
||||
tsauth-sora: ENC[AES256_GCM,data:3jzPB0whb9xHudVl/MhNeCUgjDfzzQpxGJGqfMf2GqEtfEkiynVTLO/TFDt1PorBuUQOjVfxn8c=,iv:5vLHbhY2ZlnsVQbLlu6Hxo32azpfcj6ORAMn3oSdcHY=,tag:zN8qPOSaSMMdJn+zsTXPaA==,type:str]
|
||||
tsauth-sakura: ENC[AES256_GCM,data:iN77ArKDnltxrWGCz8bMqMHBAp45oGUk+n5ilAE0tY2rz01PGaCmIgPFSDfNaMphH6gX+AbEd5Y=,iv:k/lBIZW7aKT3u+dgcFnQORah2yHZXAmY+PBv53tM1ao=,tag:9/pebj3D9LURTedqkduoaw==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
|
@ -24,8 +26,8 @@ sops:
|
|||
YWNQcURKMSs2U0pOa3E0cTdCZ3RnalkKGayA7DBUQS+kn+6OYVBc6oTunF0qeZdt
|
||||
5b9DLHgh0HRWFm09XGSOog8K315d93Wzblw1My1/dXeEQX/ryinqUQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-10-05T20:42:39Z"
|
||||
mac: ENC[AES256_GCM,data:bniacC304lHRxyxpVPopWtKu2508fIpp+TmVt+2EJjsPiqV2x6tA377DTiczh+7tjjcEKJQ7UclkRs+8BH095WyYuX7LC6F8HzQY2its1BoMUvBoHo9x0gVTK0lgg01kLTrLFrWP3uv5xcGgj1/huBLfr6tOwvymmyEgORlf/+M=,iv:VJIYUqzflBQ+vXEWinBCPBjnQXH36nYdRehjPnErSBo=,tag:6nBssjqsd0oIpakpw+mFsw==,type:str]
|
||||
lastmodified: "2023-10-07T19:39:53Z"
|
||||
mac: ENC[AES256_GCM,data:a6G3BdrDCsipNgkG3SNijKM2QCPsQEh9TztF3VlrcUX+jdC5UDpDmh9VCnLHh1MsOTgpRCn4ZXc0QVPSZKxsCra3ipDqLuXATHWzfJFmGDiLnderrRzSmy5MuDJKiVO2wKruYhIfj6VHM92mIvay4JwmqTptmD9DP4g/+5kYkrc=,iv:34XFn2sH3bJjO2O/0oIa23rmiyL4hP+FUYlDqVGiOGA=,tag:A3Qv9uzJ6HXlKoVPHZVjwA==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.0
|
||||
|
|