Add garden and updates.

2024-12-23 11:20:27 -06:00 · 2024-12-23 11:20:27 -06:00 · dab0af910b
commit dab0af910b
parent 67823cbed6
14 changed files with 216 additions and 24 deletions
--- a/flake.lock
+++ b/flake.lock
@ -103,11 +103,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1733951536,
-        "narHash": "sha256-Zb5ZCa7Xj+0gy5XVXINTSr71fCfAv+IKtmIXNrykT54=",
+        "lastModified": 1734366194,
+        "narHash": "sha256-vykpJ1xsdkv0j8WOVXrRFHUAdp9NXHpxdnn1F4pYgSw=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "1318c3f3b068cdcea922fa7c1a0a1f0c96c22f5f",
+        "rev": "80b0fdf483c5d1cb75aaad909bd390d48673857f",
        "type": "github"
      },
      "original": {
@ -119,11 +119,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1733861262,
-        "narHash": "sha256-+jjPup/ByS0LEVIrBbt7FnGugJgLeG9oc+ivFASYn2U=",
+        "lastModified": 1734352517,
+        "narHash": "sha256-mfv+J/vO4nqmIOlq8Y1rRW8hVsGH3M+I2ESMjhuebDs=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "cf737e2eba82b603f54f71b10cb8fd09d22ce3f5",
+        "rev": "b12e314726a4226298fe82776b4baeaa7bcf3dcd",
        "type": "github"
      },
      "original": {
@ -166,11 +166,11 @@
    },
    "nixpkgsUnstable": {
      "locked": {
-        "lastModified": 1733759999,
-        "narHash": "sha256-463SNPWmz46iLzJKRzO3Q2b0Aurff3U1n0nYItxq7jU=",
+        "lastModified": 1734424634,
+        "narHash": "sha256-cHar1vqHOOyC7f1+tVycPoWTfKIaqkoe1Q6TnKzuti4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "a73246e2eef4c6ed172979932bc80e1404ba2d56",
+        "rev": "d3c42f187194c26d9f0309a8ecc469d6c878ce33",
        "type": "github"
      },
      "original": {
@ -182,11 +182,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1733808091,
-        "narHash": "sha256-KWwINTQelKOoQgrXftxoqxmKFZb9pLVfnRvK270nkVk=",
+        "lastModified": 1734600368,
+        "narHash": "sha256-nbG9TijTMcfr+au7ZVbKpAhMJzzE2nQBYmRvSdXUD8g=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "a0f3e10d94359665dba45b71b4227b0aeb851f8e",
+        "rev": "b47fd6fa00c6afca88b8ee46cfdb00e104f50bca",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -97,6 +97,22 @@
            ./hosts/hub
          ];
        };
+        garden = nixpkgs.lib.nixosSystem {
+          inherit system;
+          modules = [
+            agenix.nixosModules.default
+            {
+              environment.systemPackages = [ agenix.packages.${system}.default ];
+            }
+            (
+              { config, pkgs, ... }:
+              {
+                nixpkgs.overlays = [ overlayUnstable ];
+              }
+            )
+            ./hosts/garden
+          ];
+        };
      };
    };
 }
--- a/hosts/garden/default.nix
+++ b/hosts/garden/default.nix
@ -0,0 +1,17 @@
+{ ... }:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../../base.nix
+    ../../users/root.nix
+    ../../roles/tailscale.nix
+    ../../roles/caddy.nix
+    ../../roles/vscode-remote.nix
+    ../../roles/syncthing.nix
+  ];
+
+  boot.tmp.cleanOnBoot = true;
+  zramSwap.enable = true;
+  networking.hostName = "GARDEN";
+  system.stateVersion = "23.11";
+}
--- a/hosts/garden/hardware-configuration.nix
+++ b/hosts/garden/hardware-configuration.nix
@ -0,0 +1,14 @@
+{ modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  boot.loader.grub = {
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+    device = "nodev";
+  };
+  fileSystems."/boot" = { device = "/dev/disk/by-uuid/FAAB-A09E"; fsType = "vfat"; };
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+  boot.initrd.kernelModules = [ "nvme" ];
+  fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+  
+}
--- a/hosts/hub/apps/dev.nix
+++ b/hosts/hub/apps/dev.nix
@ -66,10 +66,14 @@
          useHostResolvConf = lib.mkForce false;
        };
        services.resolved.enable = true;
+        environment.sessionVariables = {
+          PATH = [ "${pkgs.gitea}/bin" ];
+          GITEA_WORK_DIR = "/var/lib/gitea";
+        };
      };
    bindMounts = {
-      "/run/postgresql/.s.PGSQL.5432" = {
-        hostPath = "/run/postgresql/.s.PGSQL.5432";
+      "/run/postgresql" = {
+        hostPath = "/run/postgresql";
      };
    };
  };
--- a/hosts/hub/apps/nextcloud.nix
+++ b/hosts/hub/apps/nextcloud.nix
@ -31,7 +31,7 @@
            package = pkgs.nextcloud30;
            configureRedis = true;
            maxUploadSize = "16G";
-            autoUpdateApps.enable = true;
+            # autoUpdateApps.enable = true;
            notify_push.enable = true;
            webfinger = true;
            settings = {
@ -44,6 +44,7 @@
              dbhost = "/run/postgresql";
              adminpassFile = "/etc/nextcloud-admin-pass";
            };
+            phpOptions."opcache.interned_strings_buffer" = "23";
          };
          onlyoffice = {
            enable = true;
@ -51,6 +52,7 @@
          };
          resolved.enable = true;
        };
+        programs.nix-ld.enable = true;
        networking = {
          firewall.allowedTCPPorts = [ 80 ];
          useHostResolvConf = lib.mkForce false;
@ -62,11 +64,14 @@
        };
      };
    bindMounts = {
-      "/run/postgresql/.s.PGSQL.5432" = {
-        hostPath = "/run/postgresql/.s.PGSQL.5432";
+      "/run/postgresql" = {
+        hostPath = "/run/postgresql";
      };
    };
  };

-  services.caddy.virtualHosts."nextcloud.thewordnerd.info".extraConfig = ''reverse_proxy nextcloud'';
+  services.caddy.virtualHosts."nextcloud.thewordnerd.info".extraConfig = ''
+    reverse_proxy nextcloud
+    header Strict-Transport-Security max-age=31536000;
+  '';
 }
--- a/hosts/hub/default.nix
+++ b/hosts/hub/default.nix
@ -10,6 +10,7 @@
    ../../roles/zfs.nix
    ../../base.nix
    ../../users/root.nix
+    ../../roles/fail2ban.nix
    ../../roles/tailscale.nix
    ../../roles/lldap.nix
    ../../roles/authelia.nix
@ -18,6 +19,7 @@
    ../../roles/caddy.nix
    ../../roles/vscode-remote.nix
    ../../roles/postgres.nix
+    ../../roles/syncthing.nix
    ./apps/dev.nix
    ./apps/nextcloud.nix
  ];
@ -64,11 +66,6 @@
    acceptTerms = true;
    defaults.email = "nolan@thewordnerd.info";
    certs."thewordnerd.info" = {
-      domain = "*.thewordnerd.info";
-      dnsProvider = "cloudflare";
-      environmentFile = config.age.secrets.cloudflareApi.path;
-    };
-    certs."hub.thewordnerd.info" = {
      dnsProvider = "cloudflare";
      environmentFile = config.age.secrets.cloudflareApi.path;
    };
@ -103,6 +100,15 @@
    };
  };

+  services.fail2ban.jails = {
+    dovecot.settings = {
+      filter = "dovecot[mode=aggressive]";
+    };
+    postfix.settings = {
+      filter = "postfix[mode=aggressive]";
+    };
+  };
+
  services.caddy.virtualHosts."users.thewordnerd.info".extraConfig =
    ''reverse_proxy localhost:17170'';

@ -110,6 +116,22 @@
    reverse_proxy localhost:9091
  '';

+  services.authelia.instances.main.settings.access_control.rules = [
+    {
+      domain = "syncthing.thewordnerd.info";
+      policy = "one_factor";
+    }
+  ];
+
+  services.caddy.virtualHosts."syncthing.thewordnerd.info".extraConfig = ''
+    forward_auth localhost:9091 {
+      uri /api/authz/forward-auth
+    }
+    reverse_proxy localhost:8384 {
+      header_up Host {upstream_hostport}
+    }
+  '';
+
  services.caddy.virtualHosts."www.thewordnerd.info".extraConfig = ''
    file_server
    root * /var/www/thewordnerd.info
--- a/pkgs/caddy.nix
+++ b/pkgs/caddy.nix
@ -0,0 +1,86 @@
+{
+  lib,
+  buildGoModule,
+  fetchFromGitHub,
+  nixosTests,
+  caddy,
+  testers,
+  installShellFiles,
+  stdenv,
+}:
+let
+  version = "2.8.4";
+  dist = fetchFromGitHub {
+    owner = "caddyserver";
+    rev = "f21c01b660c896bdd6bacc37178dc00d9af282b4";
+    repo = "dist";
+    hash = "sha256-O4s7PhSUTXoNEIi+zYASx8AgClMC5rs7se863G6w+l0=";
+  };
+in
+buildGoModule {
+  pname = "caddy";
+  version = "0-unstable-2024-12-22";
+  src = fetchFromGitHub {
+    owner = "tailscale";
+    repo = "caddy-tailscale";
+    rev = "f21c01b660c896bdd6bacc37178dc00d9af282b4";
+    hash = "sha256-CBfyqtWp3gYsYwaIxbfXO3AYaBiM7LutLC7uZgYXfkQ=";
+  };
+
+  vendorHash = "sha256-1Api8bBZJ1/oYk4ZGIiwWCSraLzK9L+hsKXkFtk6iVM=";
+
+  subPackages = [ "cmd/caddy" ];
+
+  ldflags = [
+    "-s"
+    "-w"
+    "-X github.com/caddyserver/caddy/v2.CustomVersion=${version}"
+  ];
+
+  # matches upstream since v2.8.0
+  tags = [ "nobadger" ];
+
+  nativeBuildInputs = [ installShellFiles ];
+
+  postInstall =
+    ''
+      install -Dm644 ${dist}/init/caddy.service ${dist}/init/caddy-api.service -t $out/lib/systemd/system
+
+      substituteInPlace $out/lib/systemd/system/caddy.service \
+        --replace-fail "/usr/bin/caddy" "$out/bin/caddy"
+      substituteInPlace $out/lib/systemd/system/caddy-api.service \
+        --replace-fail "/usr/bin/caddy" "$out/bin/caddy"
+    ''
+    + lib.optionalString (stdenv.buildPlatform.canExecute stdenv.hostPlatform) ''
+      # Generating man pages and completions fail on cross-compilation
+      # https://github.com/NixOS/nixpkgs/issues/308283
+
+      $out/bin/caddy manpage --directory manpages
+      installManPage manpages/*
+
+      installShellCompletion --cmd caddy \
+        --bash <($out/bin/caddy completion bash) \
+        --fish <($out/bin/caddy completion fish) \
+        --zsh <($out/bin/caddy completion zsh)
+    '';
+
+  passthru.tests = {
+    inherit (nixosTests) caddy;
+    version = testers.testVersion {
+      command = "${caddy}/bin/caddy version";
+      package = caddy;
+    };
+  };
+
+  meta = with lib; {
+    homepage = "https://caddyserver.com";
+    description = "Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS";
+    license = licenses.asl20;
+    mainProgram = "caddy";
+    maintainers = with maintainers; [
+      Br1ght0ne
+      emilylange
+      techknowlogick
+    ];
+  };
+}
--- a/roles/caddy.nix
+++ b/roles/caddy.nix
@ -1,10 +1,20 @@
+{ config, pkgs, ... }:
+
 {
  services.caddy = {
    enable = true;
+    package = pkgs.callPackage ../pkgs/caddy.nix { };
    email = "nolan@thewordnerd.info";
  };
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];
+  age.secrets.tsAuthKey = {
+    file = ../secrets/ts_auth_key.age;
+    owner = config.services.caddy.user;
+    group = config.services.caddy.group;
+    mode = "600";
+  };
+  systemd.services.caddy.serviceConfig.EnvironmentFile = config.age.secrets.tsAuthKey.path;
 }
--- a/roles/fail2ban.nix
+++ b/roles/fail2ban.nix
@ -0,0 +1,6 @@
+{
+  services.fail2ban = {
+    enable = true;
+    ignoreIP = [ "192.168.0.0/16" ];
+  };
+}
--- a/roles/syncthing.nix
+++ b/roles/syncthing.nix
@ -0,0 +1,6 @@
+{
+  services.syncthing = {
+    enable = true;
+    openDefaultPorts = true;
+  };
+}
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -13,4 +13,5 @@ in
  "authelia_session.age".publicKeys = [ hub ];
  "authelia_storage.age".publicKeys = [ hub ];
  "cloudflare_api.age".publicKeys = [ hub ];
+  "ts_auth_key.age".publicKeys = [ hub ];
 }
--- a/secrets/ts_auth_key.age
+++ b/secrets/ts_auth_key.age
--- a/users/nolan/desktop-minimal.nix
+++ b/users/nolan/desktop-minimal.nix
@ -14,7 +14,12 @@
    programs = {
      firefox = {
        enable = true;
-        package = pkgs.firefox.override { nativeMessagingHosts = [ pkgs.gnome-browser-connector ]; };
+        package = pkgs.firefox.override {
+          nativeMessagingHosts = with pkgs; [
+            firefoxpwa
+            gnome-browser-connector
+          ];
+        };
      };
    };
  };