networking: refactor routing #10
13 changed files with 249 additions and 132 deletions
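--- a/flake.lock
+++ b/flake.lock
@@ -11,11 +11,11 @@
 "rust-overlay": "rust-overlay"
 },
 "locked": {
-"lastModified": 1693439040,
-"narHash": "sha256-t2nOxBcP0Q/XJt6Ild4v0hJ49OSl9F3nE1cdIT4xsDg=",
+"lastModified": 1695511445,
+"narHash": "sha256-mnE14re43v3/Jc50Jv0BKPMtEk7FEtDSligP6B5HwlI=",
 "owner": "ipetkov",
 "repo": "crane",
-"rev": "174604795d316b75777e28185c3a4918bc69b399",
+"rev": "3de322e06fc88ada5e3589dc8a375b73e749f512",
 "type": "github"
 },
 "original": {
@@ -83,11 +83,11 @@
 "nixpkgs-lib": "nixpkgs-lib"
 },
 "locked": {
-"lastModified": 1690933134,
-"narHash": "sha256-ab989mN63fQZBFrkk4Q8bYxQCktuHmBIBqUG1jl6/FQ=",
+"lastModified": 1693611461,
+"narHash": "sha256-aPODl8vAgGQ0ZYFIRisxYG5MOGSkIczvu2Cd8Gb9+1Y=",
 "owner": "hercules-ci",
 "repo": "flake-parts",
-"rev": "59cf3f1447cfc75087e7273b04b31e689a8599fb",
+"rev": "7f53fdb7bdc5bb237da7fefef12d099e4fd611ca",
 "type": "github"
 },
 "original": {
@@ -101,11 +101,11 @@
 "systems": "systems_2"
 },
 "locked": {
-"lastModified": 1689068808,
-"narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
+"lastModified": 1694529238,
+"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
 "owner": "numtide",
 "repo": "flake-utils",
-"rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
+"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
 "type": "github"
 },
 "original": {
@@ -139,11 +139,11 @@
 ]
 },
 "locked": {
-"lastModified": 1695984718,
-"narHash": "sha256-LQwKgaaaFOkIcxarf0xQXeDJFwZ5BZWcgmPeo3xp2CM=",
+"lastModified": 1696371324,
+"narHash": "sha256-0ycIheYRxzPOL9XBWiAm/af9cqRmsiy701OpjsRsKiw=",
 "owner": "nix-community",
 "repo": "home-manager",
-"rev": "4f02e35f9d150573e1a710afa338846c2f6d850c",
+"rev": "e63c30fe9792b57dea1eab98be6871a0e42a33c9",
 "type": "github"
 },
 "original": {
@@ -163,11 +163,11 @@
 "xdph": "xdph"
 },
 "locked": {
-"lastModified": 1696034465,
-"narHash": "sha256-4/jscEYXk8x1wkjpP6EFnsMpp9h9ITQXaZsg+iVxen4=",
+"lastModified": 1696367817,
+"narHash": "sha256-r16HUij8M3c0JMLLPaLdRJLHlSBhtVBWsR2+JZSW1B8=",
 "owner": "hyprwm",
 "repo": "Hyprland",
-"rev": "c298439433f9b6861c7c62ea587289ac2e4ef2f8",
+"rev": "d61e4f9ad75d51f15eac6bced13439899d66a950",
 "type": "github"
 },
 "original": {
@@ -211,11 +211,11 @@
 "rust-overlay": "rust-overlay_2"
 },
 "locked": {
-"lastModified": 1695668783,
-"narHash": "sha256-pXVei5KZMxALQ8ibx0oqbfh5N/FI3VzJHodDNAh41xE=",
+"lastModified": 1696275091,
+"narHash": "sha256-6/bnExKrZJ9GvveJwTdjIWHuJY0n8Y1pyqnsq5/4xP0=",
 "owner": "JakeStanger",
 "repo": "ironbar",
-"rev": "0c0163cfa1a8c0286edf231507026dd6f5798644",
+"rev": "abbd3ab62339a3ac9665dbaf7b66c23f0ae7bc64",
 "type": "github"
 },
 "original": {
@@ -249,11 +249,11 @@
 "nixpkgs": "nixpkgs"
 },
 "locked": {
-"lastModified": 1692351612,
-"narHash": "sha256-KTGonidcdaLadRnv9KFgwSMh1ZbXoR/OBmPjeNMhFwU=",
+"lastModified": 1694081375,
+"narHash": "sha256-vzJXOUnmkMCm3xw8yfPP5m8kypQ3BhAIRe4RRCWpzy8=",
 "owner": "nix-community",
 "repo": "naersk",
-"rev": "78789c30d64dea2396c9da516bbcc8db3a475207",
+"rev": "3f976d822b7b37fc6fb8e6f157c2dd05e7e94e89",
 "type": "github"
 },
 "original": {
@@ -271,11 +271,11 @@
 ]
 },
 "locked": {
-"lastModified": 1694971480,
-"narHash": "sha256-5UKSMDiboMIs15WN6jbctJgYfnGPfkHhvWWaboB2rGk=",
+"lastModified": 1696149398,
+"narHash": "sha256-RwlAyww4bzeu2ndeQoScelYtlYiSxPdCn70R+xGdZBc=",
 "owner": "viperML",
 "repo": "nh",
-"rev": "4b88da6fc89bf06d6598ce9a881590a7cc0dcafd",
+"rev": "2985f5a45d6f3e1a9d8d3ca5c777ef1bc9c7fbd1",
 "type": "github"
 },
 "original": {
@@ -286,11 +286,11 @@
 },
 "nix-filter": {
 "locked": {
-"lastModified": 1687178632,
-"narHash": "sha256-HS7YR5erss0JCaUijPeyg2XrisEb959FIct3n2TMGbE=",
+"lastModified": 1694857738,
+"narHash": "sha256-bxxNyLHjhu0N8T3REINXQ2ZkJco0ABFPn6PIe2QUfqo=",
 "owner": "numtide",
 "repo": "nix-filter",
-"rev": "d90c75e8319d0dd9be67d933d8eb9d0894ec9174",
+"rev": "41fd48e00c22b4ced525af521ead8792402de0ea",
 "type": "github"
 },
 "original": {
@@ -306,11 +306,11 @@
 ]
 },
 "locked": {
-"lastModified": 1695526222,
-"narHash": "sha256-/NwZz3QcVplrfiDKk1thYg1EIHLSNucVHNUi2uwO3RI=",
+"lastModified": 1696131323,
+"narHash": "sha256-Y47r8Jo+9rs+XUWHcDPZtkQs6wFeZ24L4CQTfVwE+vY=",
 "owner": "Mic92",
 "repo": "nix-index-database",
-"rev": "25d6369c232bbea1ec1f90226fd17982e7a0a647",
+"rev": "031d4b22505fdea47bd53bfafad517cd03c26a4f",
 "type": "github"
 },
 "original": {
@@ -321,11 +321,11 @@
 },
 "nixpkgs": {
 "locked": {
-"lastModified": 1693355128,
-"narHash": "sha256-+ZoAny3ZxLcfMaUoLVgL9Ywb/57wP+EtsdNGuXUJrwg=",
+"lastModified": 1695978539,
+"narHash": "sha256-lta5HToBZMWZ2hl5CautNSUgIZViR41QxN7JKbMAjgQ=",
 "owner": "NixOS",
 "repo": "nixpkgs",
-"rev": "a63a64b593dcf2fe05f7c5d666eb395950f36bc9",
+"rev": "bd9b686c0168041aea600222be0805a0de6e6ab8",
 "type": "github"
 },
 "original": {
@@ -336,11 +336,11 @@
 "nixpkgs-lib": {
 "locked": {
 "dir": "lib",
-"lastModified": 1690881714,
-"narHash": "sha256-h/nXluEqdiQHs1oSgkOOWF+j8gcJMWhwnZ9PFabN6q0=",
+"lastModified": 1693471703,
+"narHash": "sha256-0l03ZBL8P1P6z8MaSDS/MvuU8E75rVxe5eE1N6gxeTo=",
 "owner": "NixOS",
 "repo": "nixpkgs",
-"rev": "9e1960bc196baf6881340d53dccb203a951745a2",
+"rev": "3e52e76b70d5508f3cec70b882a29199f4d1ee85",
 "type": "github"
 },
 "original": {
@@ -353,11 +353,11 @@
 },
 "nixpkgs-stable": {
 "locked": {
-"lastModified": 1694908564,
-"narHash": "sha256-ducA98AuWWJu5oUElIzN24Q22WlO8bOfixGzBgzYdVc=",
+"lastModified": 1696123266,
+"narHash": "sha256-S6MZEneQeE4M/E/C8SMnr7B7oBnjH/hbm96Kak5hAAI=",
 "owner": "NixOS",
 "repo": "nixpkgs",
-"rev": "596611941a74be176b98aeba9328aa9d01b8b322",
+"rev": "dbe90e63a36762f1fbde546e26a84af774a32455",
 "type": "github"
 },
 "original": {
@@ -369,11 +369,11 @@
 },
 "nixpkgs_2": {
 "locked": {
-"lastModified": 1695830400,
-"narHash": "sha256-gToZXQVr0G/1WriO83olnqrLSHF2Jb8BPcmCt497ro0=",
+"lastModified": 1696193975,
+"narHash": "sha256-mnQjUcYgp9Guu3RNVAB2Srr1TqKcPpRXmJf4LJk6KRY=",
 "owner": "nixos",
 "repo": "nixpkgs",
-"rev": "8a86b98f0ba1c405358f1b71ff8b5e1d317f5db2",
+"rev": "fdd898f8f79e8d2f99ed2ab6b3751811ef683242",
 "type": "github"
 },
 "original": {
@@ -410,11 +410,11 @@
 ]
 },
 "locked": {
-"lastModified": 1691374719,
-"narHash": "sha256-HCodqnx1Mi2vN4f3hjRPc7+lSQy18vRn8xWW68GeQOg=",
+"lastModified": 1695003086,
+"narHash": "sha256-d1/ZKuBRpxifmUf7FaedCqhy0lyVbqj44Oc2s+P5bdA=",
 "owner": "oxalica",
 "repo": "rust-overlay",
-"rev": "b520a3889b24aaf909e287d19d406862ced9ffc9",
+"rev": "b87a14abea512d956f0b89d0d8a1e9b41f3e20ff",
 "type": "github"
 },
 "original": {
@@ -432,11 +432,11 @@
 ]
 },
 "locked": {
-"lastModified": 1693447852,
-"narHash": "sha256-K9npbs4S6+r51vpiElJi+0vwbAeftCAcOGbot/PCBnQ=",
+"lastModified": 1696039808,
+"narHash": "sha256-7TbAr9LskWG6ISPhUdyp6zHboT7FsFrME5QsWKybPTA=",
 "owner": "oxalica",
 "repo": "rust-overlay",
-"rev": "40e851593ef4f9f8cd0b69c8cae7b722b9953a23",
+"rev": "a4c3c904ab29e04a20d3a6da6626d66030385773",
 "type": "github"
 },
 "original": {
@@ -453,11 +453,11 @@
 "nixpkgs-stable": "nixpkgs-stable"
 },
 "locked": {
-"lastModified": 1695284550,
-"narHash": "sha256-z9fz/wz9qo9XePEvdduf+sBNeoI9QG8NJKl5ssA8Xl4=",
+"lastModified": 1696320910,
+"narHash": "sha256-fbuEc6wylH+0VxG48lhPBK+SQJHfo2lusUwWHZNipIM=",
 "owner": "Mic92",
 "repo": "sops-nix",
-"rev": "2f375ed8702b0d8ee2430885059d5e7975e38f78",
+"rev": "746c7fa1a64c1671a4bf287737c27fdc7101c4c2",
 "type": "github"
 },
 "original": {
@@ -530,18 +530,18 @@
 "flake": false,
 "locked": {
 "host": "gitlab.freedesktop.org",
-"lastModified": 1695919988,
-"narHash": "sha256-4RBgIZHaVqH0m1POnfzYRzwCWxifIKH4xQ0kCn2LGkA=",
+"lastModified": 1696255886,
+"narHash": "sha256-0KZfiqqREousitBgG1mkzKmmNX4tjOIWdbBm6MvRCjQ=",
 "owner": "wlroots",
 "repo": "wlroots",
-"rev": "c2aa7fd965cb7ee8bed24f4122b720aca8f0fc1e",
+"rev": "5ef42e8e8adece098848fac53c721b6eb3818fc2",
 "type": "gitlab"
 },
 "original": {
 "host": "gitlab.freedesktop.org",
 "owner": "wlroots",
 "repo": "wlroots",
-"rev": "c2aa7fd965cb7ee8bed24f4122b720aca8f0fc1e",
+"rev": "5ef42e8e8adece098848fac53c721b6eb3818fc2",
 "type": "gitlab"
 }
 },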
@ -10,5 +10,6 @@
|
||||||
./vaultwarden.nix
|
./vaultwarden.nix
|
||||||
./conduit.nix
|
./conduit.nix
|
||||||
./cloudflareddns.nix
|
./cloudflareddns.nix
|
||||||
|
./tailscale.nix
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
|
@ -4,7 +4,6 @@
|
||||||
config,
|
config,
|
||||||
...
|
...
|
||||||
}: {
|
}: {
|
||||||
sops.secrets.forgejo-runner-token = {owner = "forgejo";};
|
|
||||||
services.forgejo = {
|
services.forgejo = {
|
||||||
enable = true;
|
enable = true;
|
||||||
stateDir = "/var/lib/forgejo";
|
stateDir = "/var/lib/forgejo";
|
||||||
|
@ -20,9 +19,14 @@
|
||||||
};
|
};
|
||||||
server = {
|
server = {
|
||||||
HTTP_PORT = 3200;
|
HTTP_PORT = 3200;
|
||||||
DOMAIN = "git.notohh.dev";
|
DOMAIN = "git.flake.sh";
|
||||||
ROOT_URL = "https://git.flake.sh";
|
ROOT_URL = "https://git.flake.sh";
|
||||||
LANDING_PAGE = "/explore/repos";
|
LANDING_PAGE = "/explore/repos";
|
||||||
|
START_SSH_SERVER = true;
|
||||||
|
SSH_DOMAIN = "git.flake.sh";
|
||||||
|
SSH_PORT = 2222;
|
||||||
|
SSH_LISTEN_PORT = 2222;
|
||||||
|
SSH_LISTEN_HOST = "100.121.201.47";
|
||||||
};
|
};
|
||||||
database = {
|
database = {
|
||||||
DB_TYPE = lib.mkForce "postgres";
|
DB_TYPE = lib.mkForce "postgres";
|
||||||
|
@ -38,25 +42,4 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
services.gitea-actions-runner = {
|
|
||||||
package = pkgs.forgejo-actions-runner;
|
|
||||||
instances.main = {
|
|
||||||
enable = true;
|
|
||||||
name = config.networking.hostName;
|
|
||||||
url = "https://git.flake.sh";
|
|
||||||
token = config.sops.secrets.forgejo-runner-token.path;
|
|
||||||
labels = [
|
|
||||||
"debian-latest:docker://node:18-bullseye"
|
|
||||||
"ubuntu-latest:docker://node:18-bullseye"
|
|
||||||
#"native:host"
|
|
||||||
];
|
|
||||||
hostPackages = with pkgs; [
|
|
||||||
bash
|
|
||||||
curl
|
|
||||||
coreutils
|
|
||||||
wget
|
|
||||||
gitMinimal
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
|
|
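Review bot: `SSH_LISTEN_HOST = "100.121.201.47"` hard-codes this host's Tailscale address into the Forgejo server block, and the same literal is repeated in the hedgedoc `host` added in the next section and in every new `loadBalancer.servers` entry of sora's traefik.nix, so a renumbered tailnet address breaks three files at once. Move it to one shared value (a `let` binding in a module both hosts import, or a host option) and reference that from each place. A one-line comment on `START_SSH_SERVER = true`, e.g. `# Forgejo's built-in SSH server; bound to the tailnet address only and reached through sora's traefik gitssh entrypoint`, would explain why the listener sits on a Tailscale address rather than the host's public one. The `services.forgejo` attribute set starts before and ends after this hunk.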
@ -4,6 +4,7 @@ _: {
|
||||||
settings = {
|
settings = {
|
||||||
port = 3300;
|
port = 3300;
|
||||||
domain = "scratch.flake.sh";
|
domain = "scratch.flake.sh";
|
||||||
|
host = "100.121.201.47";
|
||||||
allowOrigin = ["scratch.flake.sh"];
|
allowOrigin = ["scratch.flake.sh"];
|
||||||
allowAnonymous = true;
|
allowAnonymous = true;
|
||||||
allowFreeURL = true;
|
allowFreeURL = true;
|
||||||
|
|
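--- /dev/null
+++ b/hosts/sakura/services/tailscale.nix
@@ -0,0 +1,41 @@
+{
+config,
+lib,
+pkgs,
+...
+}: {
+sops.secrets.tsauth-sakura = {};
+environment.systemPackages = [pkgs.jq pkgs.tailscale];
+services.tailscale = {
+useRoutingFeatures = lib.mkDefault "client";
+};
+networking.firewall.allowedUDPPorts = [config.services.tailscale.port];
+networking.firewall.trustedInterfaces = [config.services.tailscale.interfaceName];
+
+systemd.services.tailscale-autoconnect = {
+description = "Automatic connection to Tailscale";
+
+# make sure tailscale is running before trying to connect to tailscale
+after = ["network-pre.target" "tailscale.service"];
+wants = ["network-pre.target" "tailscale.service"];
+wantedBy = ["multi-user.target"];
+
+# set this service as a oneshot job
+serviceConfig.Type = "oneshot";
+
+# have the job run this shell script
+script = with pkgs; ''
+# wait for tailscaled to settle
+sleep 2
+
+# check if we are already authenticated to tailscale
+status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+if [ $status = "Running" ]; then # if so, then do nothing
+exit 0
+fi
+
+# otherwise authenticate with tailscale
+${tailscale}/bin/tailscale up -authkey file:${config.sops.secrets.tsauth-sakura.path} --exit-node=100.87.54.48 --exit-node-allow-lan-access=true --accept-dns=false
+'';
+};
+}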
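Review bot: `if [ $status = "Running" ]` tests the variable unquoted, so when `tailscale status -json` yields nothing (tailscaled not answering yet after the fixed `sleep 2`) the test degenerates to `[ = "Running" ]`, prints a unary-operator error and falls through to `tailscale up` by accident rather than by design; quote it as `if [ "$status" = "Running" ]; then` — the same line is in hosts/sora/services/tailscale.nix. Separately, `networking.firewall.trustedInterfaces` waives the firewall for every tailnet peer, which on this host appears to include Forgejo's SSH listener and hedgedoc (both bound to 100.121.201.47 elsewhere in this commit), so any device on the tailnet, not only sora's traefik, reaches them directly. If only the proxy host is meant to, a `networking.firewall.interfaces.<name>.allowedTCPPorts` list for the Tailscale interface instead of `trustedInterfaces` expresses that; either way a comment stating the intended reach would help the next reader.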
@ -1,6 +1,5 @@
|
||||||
{config, ...}: {
|
{config, ...}: {
|
||||||
sops.secrets.cloudflare-api-key = {};
|
sops.secrets.cloudflare-api-key = {};
|
||||||
networking.firewall.allowedTCPPorts = [80 443];
|
|
||||||
systemd.services.traefik = {
|
systemd.services.traefik = {
|
||||||
environment = {
|
environment = {
|
||||||
CLOUDFLARE_EMAIL = "jch0tm2e@notohh.dev";
|
CLOUDFLARE_EMAIL = "jch0tm2e@notohh.dev";
|
||||||
|
@ -30,57 +29,9 @@
|
||||||
entrypoints = ["web"];
|
entrypoints = ["web"];
|
||||||
service = "dashdot";
|
service = "dashdot";
|
||||||
};
|
};
|
||||||
foundryvtt = {
|
|
||||||
rule = "Host(`foundry.flake.sh`)";
|
|
||||||
entrypoints = ["websecure"];
|
|
||||||
service = "foundryvtt";
|
|
||||||
tls.domains = [{main = "*.flake.sh";}];
|
|
||||||
tls.certresolver = "production";
|
|
||||||
};
|
|
||||||
forgejo = {
|
|
||||||
rule = "Host(`git.flake.sh`)";
|
|
||||||
entrypoints = ["websecure"];
|
|
||||||
service = "forgejo";
|
|
||||||
tls.domains = [{main = "*.flake.sh";}];
|
|
||||||
tls.certresolver = "production";
|
|
||||||
};
|
|
||||||
rustypaste = {
|
|
||||||
rule = "Host(`i.flake.sh`)";
|
|
||||||
entrypoints = ["websecure"];
|
|
||||||
service = "rustypaste";
|
|
||||||
tls.domains = [{main = "*.flake.sh";}];
|
|
||||||
tls.certresolver = "production";
|
|
||||||
};
|
|
||||||
grafana = {
|
|
||||||
rule = "Host(`metrics.flake.sh`)";
|
|
||||||
entrypoints = ["websecure"];
|
|
||||||
service = "grafana";
|
|
||||||
tls.domains = [{main = "*.flake.sh";}];
|
|
||||||
tls.certresolver = "production";
|
|
||||||
};
|
|
||||||
hedgedoc = {
|
|
||||||
rule = "Host(`scratch.flake.sh`)";
|
|
||||||
entrypoints = ["websecure"];
|
|
||||||
service = "hedgedoc";
|
|
||||||
tls.domains = [{main = "*.flake.sh";}];
|
|
||||||
tls.certresolver = "production";
|
|
||||||
};
|
|
||||||
vaultwarden = {
|
|
||||||
rule = "Host(`vault.flake.sh`)";
|
|
||||||
entrypoints = ["websecure"];
|
|
||||||
service = "vaultwarden";
|
|
||||||
tls.domains = [{main = "*.flake.sh";}];
|
|
||||||
tls.certresolver = "production";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
services = {
|
services = {
|
||||||
dashdot.loadBalancer.servers = [{url = "http://localhost:4000";}];
|
dashdot.loadBalancer.servers = [{url = "http://localhost:4000";}];
|
||||||
foundryvtt.loadBalancer.servers = [{url = "http://localhost:30000";}];
|
|
||||||
forgejo.loadBalancer.servers = [{url = "http://localhost:3200";}];
|
|
||||||
rustypaste.loadBalancer.servers = [{url = "http://localhost:8000";}];
|
|
||||||
grafana.loadBalancer.servers = [{url = "http://localhost:3100";}];
|
|
||||||
hedgedoc.loadBalancer.servers = [{url = "http://localhost:3300";}];
|
|
||||||
vaultwarden.loadBalancer.servers = [{url = "http://localhost:8222";}];
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -3,5 +3,6 @@
|
||||||
./traefik.nix
|
./traefik.nix
|
||||||
./uptimekuma.nix
|
./uptimekuma.nix
|
||||||
./gotify.nix
|
./gotify.nix
|
||||||
|
./tailscale.nix
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
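--- /dev/null
+++ b/hosts/sora/services/tailscale.nix
@@ -0,0 +1,41 @@
+{
+config,
+lib,
+pkgs,
+...
+}: {
+sops.secrets.tsauth-sora = {};
+environment.systemPackages = [pkgs.jq pkgs.tailscale];
+services.tailscale = {
+useRoutingFeatures = lib.mkDefault "server"; # important to make it a server, it sets sysctl for ip forwarding without intervention and reboot
+};
+networking.firewall.allowedUDPPorts = [config.services.tailscale.port];
+networking.firewall.trustedInterfaces = [config.services.tailscale.interfaceName];
+
+systemd.services.tailscale-autoconnect = {
+description = "Automatic connection to Tailscale";
+
+# make sure tailscale is running before trying to connect to tailscale
+after = ["network-pre.target" "tailscale.service"];
+wants = ["network-pre.target" "tailscale.service"];
+wantedBy = ["multi-user.target"];
+
+# set this service as a oneshot job
+serviceConfig.Type = "oneshot";
+
+# have the job run this shell script
+script = with pkgs; ''
+# wait for tailscaled to settle
+sleep 2
+
+# check if we are already authenticated to tailscale
+status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+if [ $status = "Running" ]; then # if so, then do nothing
+exit 0
+fi
+
+# otherwise authenticate with tailscale
+${tailscale}/bin/tailscale up --authkey file:${config.sops.secrets.tsauth-sora.path} --advertise-exit-node=true --accept-dns=false
+'';
+};
+}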
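Review bot: This file is a line-for-line copy of hosts/sakura/services/tailscale.nix except for the secret name, `useRoutingFeatures` and the `tailscale up` arguments, and the copies have already drifted in spelling (`--authkey` here, `-authkey` there); a single shared module taking the secret and the `up` flags as options and imported by both hosts would stop that. `--advertise-exit-node=true` only takes effect once the exit node is approved in the Tailscale admin console, and nothing here records that step, so a comment on that line, e.g. `# exit node must be approved in the admin console before sakura's --exit-node=… will route`, would save a debugging round. The firewall exposure point raised on the sakura copy applies here as well, and on this host the trusted interface sits next to the public-facing traefik listeners.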
@ -1,6 +1,6 @@
|
||||||
{config, ...}: {
|
{config, ...}: {
|
||||||
sops.secrets.cloudflare-api-key = {};
|
sops.secrets.cloudflare-api-key = {};
|
||||||
networking.firewall.allowedTCPPorts = [80 443];
|
networking.firewall.allowedTCPPorts = [80 443 2222];
|
||||||
systemd.services.traefik = {
|
systemd.services.traefik = {
|
||||||
environment = {
|
environment = {
|
||||||
CLOUDFLARE_EMAIL = "jch0tm2e@notohh.dev";
|
CLOUDFLARE_EMAIL = "jch0tm2e@notohh.dev";
|
||||||
|
@ -12,6 +12,16 @@
|
||||||
services.traefik = {
|
services.traefik = {
|
||||||
enable = true;
|
enable = true;
|
||||||
dynamicConfigOptions = {
|
dynamicConfigOptions = {
|
||||||
|
tcp = {
|
||||||
|
routers = {
|
||||||
|
gitssh = {
|
||||||
|
rule = "HostSNI(`*`)";
|
||||||
|
entrypoints = ["gitssh"];
|
||||||
|
service = "gitssh";
|
||||||
|
tls.passthrough = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
http = {
|
http = {
|
||||||
middlewares.authelia = {
|
middlewares.authelia = {
|
||||||
forwardauth = {
|
forwardauth = {
|
||||||
|
@ -53,12 +63,61 @@
|
||||||
tls.domains = [{main = "*.notohh.dev";}];
|
tls.domains = [{main = "*.notohh.dev";}];
|
||||||
tls.certresolver = "production";
|
tls.certresolver = "production";
|
||||||
};
|
};
|
||||||
|
foundryvtt = {
|
||||||
|
rule = "Host(`foundry.flake.sh`)";
|
||||||
|
entrypoints = ["websecure"];
|
||||||
|
service = "foundryvtt";
|
||||||
|
tls.domains = [{main = "*.flake.sh";}];
|
||||||
|
tls.certresolver = "production";
|
||||||
|
};
|
||||||
|
forgejo = {
|
||||||
|
rule = "Host(`git.flake.sh`)";
|
||||||
|
entrypoints = ["websecure"];
|
||||||
|
service = "forgejo";
|
||||||
|
tls.domains = [{main = "*.flake.sh";}];
|
||||||
|
tls.certresolver = "production";
|
||||||
|
};
|
||||||
|
rustypaste = {
|
||||||
|
rule = "Host(`i.flake.sh`)";
|
||||||
|
entrypoints = ["websecure"];
|
||||||
|
service = "rustypaste";
|
||||||
|
tls.domains = [{main = "*.flake.sh";}];
|
||||||
|
tls.certresolver = "production";
|
||||||
|
};
|
||||||
|
grafana = {
|
||||||
|
rule = "Host(`metrics.flake.sh`)";
|
||||||
|
entrypoints = ["websecure"];
|
||||||
|
service = "grafana";
|
||||||
|
tls.domains = [{main = "*.flake.sh";}];
|
||||||
|
tls.certresolver = "production";
|
||||||
|
};
|
||||||
|
hedgedoc = {
|
||||||
|
rule = "Host(`scratch.flake.sh`)";
|
||||||
|
entrypoints = ["websecure"];
|
||||||
|
service = "hedgedoc";
|
||||||
|
tls.domains = [{main = "*.flake.sh";}];
|
||||||
|
tls.certresolver = "production";
|
||||||
|
};
|
||||||
|
vaultwarden = {
|
||||||
|
rule = "Host(`vault.flake.sh`)";
|
||||||
|
entrypoints = ["websecure"];
|
||||||
|
service = "vaultwarden";
|
||||||
|
tls.domains = [{main = "*.flake.sh";}];
|
||||||
|
tls.certresolver = "production";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
services = {
|
services = {
|
||||||
uptime-kuma.loadBalancer.servers = [{url = "http://100.87.54.48:4000";}];
|
uptime-kuma.loadBalancer.servers = [{url = "http://100.87.54.48:4000";}];
|
||||||
gotify.loadBalancer.servers = [{url = "http://100.87.54.48:3000";}];
|
gotify.loadBalancer.servers = [{url = "http://100.87.54.48:3000";}];
|
||||||
conduit.loadBalancer.servers = [{url = "http://100.121.201.47:6167";}];
|
conduit.loadBalancer.servers = [{url = "http://100.121.201.47:6167";}];
|
||||||
authelia.loadBalancer.servers = [{url = "http://100.121.201.47:9091";}];
|
authelia.loadBalancer.servers = [{url = "http://100.121.201.47:9091";}];
|
||||||
|
foundryvtt.loadBalancer.servers = [{url = "http://100.121.201.47:30000";}];
|
||||||
|
forgejo.loadBalancer.servers = [{url = "http://100.121.201.47:3200";}];
|
||||||
|
rustypaste.loadBalancer.servers = [{url = "http://100.121.201.47:8000";}];
|
||||||
|
grafana.loadBalancer.servers = [{url = "http://100.121.201.47:3100";}];
|
||||||
|
hedgedoc.loadBalancer.servers = [{url = "http://100.121.201.47:3300";}];
|
||||||
|
vaultwarden.loadBalancer.servers = [{url = "http://100.121.201.47:8222";}];
|
||||||
|
gitssh.loadBalancer.servers = [{url = "tcp://100.121.201.47:2222";}];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -77,6 +136,9 @@
|
||||||
web = {
|
web = {
|
||||||
address = ":80";
|
address = ":80";
|
||||||
};
|
};
|
||||||
|
gitssh = {
|
||||||
|
address = ":2222";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
metrics = {
|
metrics = {
|
||||||
prometheus = {
|
prometheus = {
|
||||||
|
|
|
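Review bot: The new `gitssh` TCP router sets `tls.passthrough = true`, but the backend it forwards to (`tcp://100.121.201.47:2222`, Forgejo's built-in SSH server) speaks SSH, not TLS; as far as I know a Traefik TCP router that carries a `tls` section only matches connections that begin with a TLS ClientHello, so plain SSH clients arriving on :2222 would find no matching router. Remove the `tls.passthrough = true;` line and keep the existing `rule`, whose `HostSNI` wildcard is the only rule form valid for non-TLS TCP. Opening `2222` in `allowedTCPPorts` makes that listener reachable from the internet, so authentication now rests entirely on Forgejo's SSH key handling; a comment next to the port list, e.g. `# 2222: public git-over-SSH, forwarded unchanged to Forgejo on sakura`, would make the exposure deliberate rather than incidental. The `dynamicConfigOptions` set starts before and ends after these hunks.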
@ -8,5 +8,6 @@
|
||||||
./dashdot.nix
|
./dashdot.nix
|
||||||
./jellyfin.nix
|
./jellyfin.nix
|
||||||
./neko.nix
|
./neko.nix
|
||||||
|
./forgejo-runners.nix
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
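--- /dev/null
+++ b/hosts/yuki/services/forgejo-runners.nix
@@ -0,0 +1,33 @@
+{
+pkgs,
+config,
+...
+}: {
+sops.secrets.forgejo-runner-token = {};
+services.gitea-actions-runner = {
+package = pkgs.forgejo-actions-runner;
+instances.main = {
+settings = {
+container = {
+network = "host";
+};
+};
+enable = true;
+name = config.networking.hostName;
+url = "https://git.flake.sh";
+token = "gdeEbeUTifa1nK7EfRgBmvm6XRdQE1zZzAatBRSC";
+labels = [
+"debian-latest:docker://node:18-bullseye"
+"ubuntu-latest:docker://node:18-bullseye"
+#"native:host"
+];
+hostPackages = with pkgs; [
+bash
+curl
+coreutils
+wget
+gitMinimal
+];
+};
+};
+}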
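Review bot: The `token = "…"` line in `instances.main` commits a live Forgejo runner registration token in plaintext, while `sops.secrets.forgejo-runner-token = {}` declared above (and re-encrypted in secrets.yaml in this same commit) is never referenced. Because the value is now in git history it should be revoked and re-issued in Forgejo whatever the config does next. Wire the secret through the file option instead, `tokenFile = config.sops.secrets.forgejo-runner-token.path;` with the decrypted file in the `TOKEN=<value>` environment-file form that option reads if I remember the module correctly, and drop the `token` line; the `token = …path` form removed from forgejo.nix in this commit would have handed the file name to the runner as the token, which is plausibly what led to the paste. `settings.container.network = "host"` also puts every job container in the runner host's network namespace, tailnet interface included, so a comment on why host networking is required, or a dedicated bridge network, would keep the CI blast radius explicit.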
@ -8,7 +8,9 @@ gluetun: ENC[AES256_GCM,data:yL+LOPpwU+CAtbjc7YWbNUOTpDhq4mH3aJOl3hPYxgbFUba6NVJ
|
||||||
authelia-jwt: ENC[AES256_GCM,data:cAn2uZeSGjG2FqTFgZkupcSutCZLvZXCNBsxuUQvGX4=,iv:1OTDQzQwaPTmnTEB4TfnxU6l8CdBAlHfqFThE8QZa6A=,tag:KJ6aYDczHFajhLJHemfIQw==,type:str]
|
authelia-jwt: ENC[AES256_GCM,data:cAn2uZeSGjG2FqTFgZkupcSutCZLvZXCNBsxuUQvGX4=,iv:1OTDQzQwaPTmnTEB4TfnxU6l8CdBAlHfqFThE8QZa6A=,tag:KJ6aYDczHFajhLJHemfIQw==,type:str]
|
||||||
authelia-sek: ENC[AES256_GCM,data:yWhAvl1AuEcrUCFAv2vcz6A8BLEIMIz9sqbFRAriHpw=,iv:i887EZgqGtRfFs6mHHAJry0XfQzvrTaDliz8PRh7oLs=,tag:dmn2GSG8gZk9CVXMNmH1Dw==,type:str]
|
authelia-sek: ENC[AES256_GCM,data:yWhAvl1AuEcrUCFAv2vcz6A8BLEIMIz9sqbFRAriHpw=,iv:i887EZgqGtRfFs6mHHAJry0XfQzvrTaDliz8PRh7oLs=,tag:dmn2GSG8gZk9CVXMNmH1Dw==,type:str]
|
||||||
cloudflareddns: ENC[AES256_GCM,data:xow7oaqa3QbMPwggx2zmGvLcKmov7isvLLZKuC6jW/SNjst8kicSQmNhrZw8M/eq8TuqxOT4BqMILQ+I7As2ZCOjSbEBxi1DwU/z47qI,iv:W8UH4kWlh9JyxcGkeuOjRZKqjOHDg9vpzXezHYs1kEg=,tag:YgGk7svEQr9sqLJtKWcHqA==,type:str]
|
cloudflareddns: ENC[AES256_GCM,data:xow7oaqa3QbMPwggx2zmGvLcKmov7isvLLZKuC6jW/SNjst8kicSQmNhrZw8M/eq8TuqxOT4BqMILQ+I7As2ZCOjSbEBxi1DwU/z47qI,iv:W8UH4kWlh9JyxcGkeuOjRZKqjOHDg9vpzXezHYs1kEg=,tag:YgGk7svEQr9sqLJtKWcHqA==,type:str]
|
||||||
forgejo-runner-token: ENC[AES256_GCM,data:cmE70bA22B1YMr/iD32f+TRhk/X1f4aA8N4z1NGj4GxLgYMXkS1FpA==,iv:8XQ00VnQTyOh3wgb3ipO8P0QTo3qPSAJXvf7rRGi+Tc=,tag:QZpyUa+MDL8Hsjj3mdpOnA==,type:str]
|
forgejo-runner-token: ENC[AES256_GCM,data:vv/zMR3qkmSNxA+wnwAzqdc8yNfR+aLMnmncm5lGmq7PhzryNwxDXQ==,iv:HOJMCTAy0C0VMHUAgLJLAZddsTqbM+Alsgo/+BfBNY4=,tag:pIH8SaIdSxvw70rOtbb9yw==,type:str]
|
||||||
|
tsauth-sora: ENC[AES256_GCM,data:3jzPB0whb9xHudVl/MhNeCUgjDfzzQpxGJGqfMf2GqEtfEkiynVTLO/TFDt1PorBuUQOjVfxn8c=,iv:5vLHbhY2ZlnsVQbLlu6Hxo32azpfcj6ORAMn3oSdcHY=,tag:zN8qPOSaSMMdJn+zsTXPaA==,type:str]
|
||||||
|
tsauth-sakura: ENC[AES256_GCM,data:iN77ArKDnltxrWGCz8bMqMHBAp45oGUk+n5ilAE0tY2rz01PGaCmIgPFSDfNaMphH6gX+AbEd5Y=,iv:k/lBIZW7aKT3u+dgcFnQORah2yHZXAmY+PBv53tM1ao=,tag:9/pebj3D9LURTedqkduoaw==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
|
@ -24,8 +26,8 @@ sops:
|
||||||
YWNQcURKMSs2U0pOa3E0cTdCZ3RnalkKGayA7DBUQS+kn+6OYVBc6oTunF0qeZdt
|
YWNQcURKMSs2U0pOa3E0cTdCZ3RnalkKGayA7DBUQS+kn+6OYVBc6oTunF0qeZdt
|
||||||
5b9DLHgh0HRWFm09XGSOog8K315d93Wzblw1My1/dXeEQX/ryinqUQ==
|
5b9DLHgh0HRWFm09XGSOog8K315d93Wzblw1My1/dXeEQX/ryinqUQ==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2023-10-05T20:42:39Z"
|
lastmodified: "2023-10-07T19:39:53Z"
|
||||||
mac: ENC[AES256_GCM,data:bniacC304lHRxyxpVPopWtKu2508fIpp+TmVt+2EJjsPiqV2x6tA377DTiczh+7tjjcEKJQ7UclkRs+8BH095WyYuX7LC6F8HzQY2its1BoMUvBoHo9x0gVTK0lgg01kLTrLFrWP3uv5xcGgj1/huBLfr6tOwvymmyEgORlf/+M=,iv:VJIYUqzflBQ+vXEWinBCPBjnQXH36nYdRehjPnErSBo=,tag:6nBssjqsd0oIpakpw+mFsw==,type:str]
|
mac: ENC[AES256_GCM,data:a6G3BdrDCsipNgkG3SNijKM2QCPsQEh9TztF3VlrcUX+jdC5UDpDmh9VCnLHh1MsOTgpRCn4ZXc0QVPSZKxsCra3ipDqLuXATHWzfJFmGDiLnderrRzSmy5MuDJKiVO2wKruYhIfj6VHM92mIvay4JwmqTptmD9DP4g/+5kYkrc=,iv:34XFn2sH3bJjO2O/0oIa23rmiyL4hP+FUYlDqVGiOGA=,tag:A3Qv9uzJ6HXlKoVPHZVjwA==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.8.0
|
version: 3.8.0
|
||||||
|
|