diff --git a/flake.lock b/flake.lock index 6081249..3744570 100644 --- a/flake.lock +++ b/flake.lock @@ -116,11 +116,11 @@ }, "catppuccin": { "locked": { - "lastModified": 1726952185, - "narHash": "sha256-l/HbsQjJMT6tlf8KCooFYi3J6wjIips3n6/aWAoLY4g=", + "lastModified": 1725509983, + "narHash": "sha256-NHCgHVqumPraFJnLrkanoLDuhOoUHUvRhvp/RIHJR+A=", "owner": "catppuccin", "repo": "nix", - "rev": "630b559cc1cb4c0bdd525af506935323e4ccd5d1", + "rev": "45745fe5960acaefef2b60f3455bcac6a0ca6bc9", "type": "github" }, "original": { @@ -285,11 +285,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1726560853, - "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", "owner": "numtide", "repo": "flake-utils", - "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", "type": "github" }, "original": { @@ -433,11 +433,11 @@ ] }, "locked": { - "lastModified": 1726985855, - "narHash": "sha256-NJPGK030Y3qETpWBhj9oobDQRbXdXOPxtu+YgGvZ84o=", + "lastModified": 1725694918, + "narHash": "sha256-+HsjshXpqNiJHLaJaK0JnIicJ/a1NquKcfn4YZ3ILgg=", "owner": "nix-community", "repo": "home-manager", - "rev": "04213d1ce4221f5d9b40bcee30706ce9a91d148d", + "rev": "aaebdea769a5c10f1c6e50ebdf5924c1a13f0cda", "type": "github" }, "original": { @@ -476,11 +476,11 @@ ] }, "locked": { - "lastModified": 1724435763, - "narHash": "sha256-UNky3lJNGQtUEXT2OY8gMxejakSWPTfWKvpFkpFlAfM=", + "lastModified": 1726036828, + "narHash": "sha256-ZQHbpyti0jcAKnwQY1lwmooecLmSG6wX1JakQ/eZNeM=", "owner": "nix-community", "repo": "home-manager", - "rev": "c2cd2a52e02f1dfa1c88f95abeb89298d46023be", + "rev": "8a1671642826633586d12ac3158e463c7a50a112", "type": "github" }, "original": { 
@@ -540,11 +540,11 @@ ] }, "locked": { - "lastModified": 1726975622, - "narHash": "sha256-bPDZosnom0+02ywmMZAvmj7zvsQ6mVv/5kmvSgbTkaY=", + "lastModified": 1725161148, + "narHash": "sha256-WfAHq3Ag3vLNFfWxKHjFBFdPI6JIideWFJod9mx1eoo=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "c7515c2fdaf2e1f3f49856cef6cec95bb2138417", + "rev": "32058e9138248874773630c846563b1a78ee7a5b", "type": "github" }, "original": { @@ -564,11 +564,11 @@ ] }, "locked": { - "lastModified": 1727055858, - "narHash": "sha256-JZldqP3uEzphER/63J8crL9O9uR7g+cNAkb+erRmN48=", + "lastModified": 1725672853, + "narHash": "sha256-z1O6dzCJ27OZpF680tZL0mQphQETdg4DTryvhFOpZyA=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "de538d220bccc69ad940a53e2b50fef7e05501f2", + "rev": "efd33fc8e5a149dd48d86ca6003b51ab3ce4ae21", "type": "github" }, "original": { @@ -579,11 +579,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1727040444, - "narHash": "sha256-19FNN5QT9Z11ZUMfftRplyNN+2PgcHKb3oq8KMW/hDA=", + "lastModified": 1725477728, + "narHash": "sha256-ahej1VRqKmWbG7gewty+GlrSBEeGY/J2Zy8Nt8+3fdg=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "d0cb432a9d28218df11cbd77d984a2a46caeb5ac", + "rev": "880be1ab837e1e9fe0449dae41ac4d034694d4ce", "type": "github" }, "original": { @@ -623,11 +623,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1726838390, - "narHash": "sha256-NmcVhGElxDbmEWzgXsyAjlRhUus/nEqPC5So7BOJLUM=", + "lastModified": 1725407940, + "narHash": "sha256-tiN5Rlg/jiY0tyky+soJZoRzLKbPyIdlQ77xVgREDNM=", "owner": "nixos", "repo": "nixpkgs", - "rev": "944b2aea7f0a2d7c79f72468106bc5510cbf5101", + "rev": "6f6c45b5134a8ee2e465164811e451dcb5ad86e3", "type": "github" }, "original": { 
@@ -639,11 +639,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1725762081, - "narHash": "sha256-vNv+aJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8=", + "lastModified": 1721524707, + "narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "dc454045f5b5d814e5862a6d057e7bb5c29edc05", + "rev": "556533a23879fc7e5f98dd2e0b31a6911a213171", "type": "github" }, "original": { @@ -655,11 +655,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1727093669, - "narHash": "sha256-VUBuY1qGk0FBMBydHWyp85f/pypH6nlSXnnIJh3Z4XA=", + "lastModified": 1726296585, + "narHash": "sha256-inm7AIEqfgF4wXkhWB2M5IfmdITSF90xpeDDSU3DfNc=", "owner": "xinyangli", "repo": "nixpkgs", - "rev": "67cce3820108e9ef3ecd69097089a13a2e3f5909", + "rev": "8539edfb09c674994303141378df4ab33cd765ad", "type": "github" }, "original": { @@ -671,11 +671,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1725194671, - "narHash": "sha256-tLGCFEFTB5TaOKkpfw3iYT9dnk4awTP/q4w+ROpMfuw=", + "lastModified": 1726042813, + "narHash": "sha256-LnNKCCxnwgF+575y0pxUdlGZBO/ru1CtGHIqQVfvjlA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b833ff01a0d694b910daca6e2ff4a3f26dee478c", + "rev": "159be5db480d1df880a0135ca0bfed84c2f88353", "type": "github" }, "original": { @@ -713,11 +713,11 @@ }, "nur": { "locked": { - "lastModified": 1727091899, - "narHash": "sha256-ztA+/sTDdsba2c4JrxUcKA+RH8mKy5RO1ikCrEmcsH4=", + "lastModified": 1725687722, + "narHash": "sha256-LPv282y5okYk8ebiBsEbDXy2WykwdBPpAthjKSmTfNI=", "owner": "nix-community", "repo": "NUR", - "rev": "9134c128b0a9610bdf6771a561e185e6dfbdd05b", + "rev": "ff7f8143f33751c4f37caec678ed1eb63006c0d3", "type": "github" }, "original": { 
@@ -774,11 +774,11 @@
 "nixpkgs-stable": "nixpkgs-stable_2"
 },
 "locked": {
- "lastModified": 1726524647,
- "narHash": "sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4=",
+ "lastModified": 1725540166,
+ "narHash": "sha256-htc9rsTMSAY5ek+DB3tpntdD/es0eam2hJgO92bWSys=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "e2d404a7ea599a013189aa42947f66cede0645c8",
+ "rev": "d9d781523a1463965cd1e1333a306e70d9feff07",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 4af8705..9a9ffc3 100644
--- a/flake.nix
+++ b/flake.nix
@@ -83,7 +83,7 @@
 ];
 };
 deploymentModule = {
- deployment.targetUser = "xin";
+ deployment.targetUser = "root";
 };
 sharedColmenaModules = [
 self.nixosModules.default
diff --git a/home/xin/calcite.nix b/home/xin/calcite.nix
index b850d52..71ffff6 100644
--- a/home/xin/calcite.nix
+++ b/home/xin/calcite.nix
@@ -27,7 +27,7 @@
 };
 home.packages = with pkgs; [
- betterbird
+ # betterbird
 remmina
 ];
diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix
index f397b7a..a0efe28 100644
--- a/machines/calcite/configuration.nix
+++ b/machines/calcite/configuration.nix
@@ -182,24 +182,12 @@
 environment.systemPackages = with pkgs; [
 oidc-agent
 # Filesystem
- (owncloud-client.overrideAttrs (
- finalAttrs: previousAttrs: {
- src = pkgs.fetchFromGitHub {
- owner = "xinyangli";
- repo = "client";
- rev = "e5ec2d68077361f1597b137a944884dda5574487";
- hash = "sha256-xs8g7DdL1VxArK3n1c/9k7nW2vwYRHRuz6zaeX7E3eM=";
- };
- }
- ))
+ owncloud-client
 nfs-utils
 # tesseract5 # ocr
 ocrmypdf # pdfocr
- gtkwave
- bubblewrap
-
 # ==== Development ==== #
 # Python
 # reference: https://nixos.wiki/wiki/Python
@@ -268,9 +256,6 @@
 system.stateVersion = "22.05";
- system.switch.enable = false;
- system.switch.enableNg = true;
-
 nix.extraOptions = ''
 !include "${config.sops.secrets.github_public_token.path}"
 '';
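Review bot: `deployment.targetUser = "root"` makes every colmena deploy authenticate as root on the targets, so the deploy host's SSH key becomes a direct root credential for the whole fleet. The least-privilege shape is a dedicated deploy user (the old `"xin"` value, or a purpose-made account) with a sudoers rule limited to the commands colmena needs, leaving sshd's `PermitRootLogin` at `prohibit-password` or `no`. If root is kept deliberately, record it beside the line: `# root deploys: deploy key must be hardware/agent-backed; audit root logins`.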
@@ -297,7 +282,7 @@
 custom.restic.repositoryFile = config.sops.secrets.restic_repo_calcite.path;
 custom.restic.passwordFile = config.sops.secrets.restic_repo_calcite_password.path;
- custom.forgejo-actions-runner.enable = false;
+ custom.forgejo-actions-runner.enable = true;
 custom.forgejo-actions-runner.tokenFile = config.sops.secrets."gitea/envfile".path;
 custom.prometheus = {
diff --git a/machines/calcite/secrets.yaml b/machines/calcite/secrets.yaml
index 33e4e52..d0e1b64 100644
--- a/machines/calcite/secrets.yaml
+++ b/machines/calcite/secrets.yaml
@@ -1,5 +1,5 @@
 restic_repo_calcite_password: ENC[AES256_GCM,data:9ALTQULAMyLY4FIxuVztf9r3,iv:fObBBeqpHAVYl8YUopz9fZd3YWB+0sc8l+sR12rmxb4=,tag:l3xDc2/cpQr38X/cd7qMXA==,type:str]
-restic_repo_calcite: ENC[AES256_GCM,data:ELvSvoBfulbsoMvRMt2bVo9KiNQAuHomblZcAwJ+g0tHELkq65kaaGwMsNy1AttBfiD7RrQsKifX/YTUGmuz1mDg0WqkV/Mv,iv:HKz96YgVahxh+t3AEqe09mTE01uT+VrUYt04H6zyS9g=,tag:llFeeN7ryTZI9gLlYIRhCg==,type:str]
+restic_repo_calcite: ENC[AES256_GCM,data:+m9cjMXrZoCPg/S+/wV4WFBmg6pbFpqJ7JOdwOX0Z37bgoQXh4wcVPKK3CLd7G/iQjpO8SXaqJ1/d8r4Ydk21Gp1WqkB8g==,iv:DweDUujXp6i5XwwxeFjUsLDOJQJlRIT6GKPPxABNWiY=,tag:hdBHIjAcDQ1Ky/8hIv3+Ow==,type:str]
 sing_box_url: ENC[AES256_GCM,data:2z2bDKdn51o1eaqhgE0pTg4FWcO8wcLNlnBZ69Q3Jm5GCxkXxsxN7DgqQvRVeakOHvaenQotF+nc6tlhKPsyzdQeG0yl3YYhGb9o3DkmpUjC6lalMSoiw1rSMVyBg4KYCWxmhR9iRurun62+5INGZwwHVqAjgWJhy/9+pdIFtgKyd/t0JhSU,iv:gIGbvRd88vZu3cVW7e4emZmmNO8QcubLrxS1sCwi4Co=,tag:AzLLtcA9jAbeuo6eWU6ilw==,type:str]
 gitea:
 envfile: ENC[AES256_GCM,data:bO1aMYm0kPTBbyPD5cweVRzNjiDK2WlWDsxz52L3faFg5HSVmBoi5DZC17XBXYw=,iv:lo9XEcwY4FPD/rRbnuiUviioMIiiphS26UgPro56DIU=,tag:0eKfsS0pYw+FPW+Y5dgisg==,type:str]
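Review bot: `custom.forgejo-actions-runner.enable = true` turns a CI runner on for calcite, the same host that this file configures as the holder of the restic repository and its password (`custom.restic.*` two lines above). Runner jobs execute whatever the triggering repository's workflow asks, so the runner process must not be able to read those secret paths or other sops-decrypted files; whether `custom.forgejo-actions-runner` sandboxes jobs (containers, separate user) is outside this hunk and should be confirmed before enabling. A one-line comment recording that assumption, e.g. `# runner executes untrusted workflow code; relies on the module's job sandbox`, would help the next reader.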
@@ -27,8 +27,8 @@ sops:
 WGlLdXVoZlp3bEFXZjlMdG1VOUZDNUkKQ2NNTE3OsNUr2pOI7qeNFSCVkUIVRS+g
 FG5FbJJcFihXqr+Qo0nZkq+xq07vIia7mKoqyoIfkKwweiVzDKyrkQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-09-12T16:48:39Z"
- mac: ENC[AES256_GCM,data:sYY8N0HZ05sUV7m/w5L1pFWJb2V8wZNukyUXHH0V9LMO1JlJMwCUH2XuseLGz5kz0yggAF+fty/x16PBvI5ARcpaZ23pLmNFYHtpx2tWhWcyYg/yMAqjUf19o17IZ50GpLVkmRHQbowwZF9dcHr8mEicrftZbeORzg2eKVkx8+w=,iv:0fyqOrs2XQ363uX5Dr8zuoUzkHdtsQ/v3SZidFBeSr4=,tag:1Kw1jrruxfn9lxgtL0XEMA==,type:str]
+ lastmodified: "2024-08-14T01:46:18Z"
+ mac: ENC[AES256_GCM,data:+RuyHG1wLykJX792bkHvRXEiW7vDYj7i2tbR0MnZZUuFcr3xQDIuCW0/XnzxeX643k4iq+h/YUer/v7tIbCh75UXTG7oxQpfJhI8zMfaxKcCZBntD+wDhEmpWhgonOR/RwOAPMPz7FntJVvt9BHnpSLVjZC7KqVPohob0DRJs2Q=,iv:p6Lov35M8SN9RIV9I3D+3cO+wi3Kd2pVe08xgWYi/tM=,tag:aOMQauv2FFEsdwaS7WOraQ==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.0
diff --git a/machines/dolomite/bandwagon.nix b/machines/dolomite/bandwagon.nix
index 91449c1..1284da3 100644
--- a/machines/dolomite/bandwagon.nix
+++ b/machines/dolomite/bandwagon.nix
@@ -42,19 +42,9 @@ in
 boot.loader.grub.enable = true;
 boot.loader.grub.device = "/dev/sda";
- networking.useNetworkd = true;
- systemd.network.networks."10-wan" = {
- matchConfig.MACAddress = "ens18";
- networkConfig.DHCP = "ipv4";
- dhcpV4Config = {
- UseDNS = false;
- };
- };
- systemd.network.networks."20-lan" = {
- matchConfig.MACAddress = "ens19";
- networkConfig.DHCP = "ipv4";
- };
- services.resolved.enable = true;
+ networking.useDHCP = false;
+ networking.interfaces.ens18.useDHCP = true;
+ networking.interfaces.ens19.useDHCP = true;
 services.sing-box.settings.dns.strategy = "ipv4_only";
 };
diff --git a/machines/dolomite/default.nix b/machines/dolomite/default.nix
index 0576114..019867c 100644
--- a/machines/dolomite/default.nix
+++ b/machines/dolomite/default.nix
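Review bot: The new `lastmodified: "2024-08-14T01:46:18Z"` is earlier than the `2024-09-12` value it replaces, so this hunk together with the `restic_repo_calcite` change in the previous hunk restores an older encrypted value rather than rotating to a new one. If the September value was introduced because the repository location or credential changed, the calcite restic backup will start failing against a stale repository, and any reason the older value was retired (exposure, reuse) would be reintroduced; confirm this is the intended state.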
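Review bot: Switching to `networking.interfaces.ens18.useDHCP = true` also drops the removed `UseDNS = false`, so the resolvers offered by the provider's DHCP server are now written into the system resolver configuration, which the old networkd config deliberately ignored. With `services.sing-box.settings.dns.strategy` configured on the line below, the intent appears to be that DNS goes through sing-box; if so the DHCP resolvers need suppressing again, for example `nohook resolv.conf` through `networking.dhcpcd.extraConfig` or an explicit `networking.nameservers`, otherwise queries leak to the provider's DNS in the clear. The enclosing attribute set continues outside the hunk.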
@@ -101,6 +101,29 @@ in {
 enable = true;
 settings = {
+ dns = {
+ servers = [
+ {
+ tag = "warp";
+ address = "1.1.1.1";
+ detour = "wg-out";
+ }
+ {
+ tag = "directdns";
+ address = "h3://8.8.8.8/dns-query";
+ }
+ ];
+ rules = [
+ {
+ outbound = "wg-out";
+ server = "warp";
+ }
+ {
+ outbound = "direct";
+ server = "directdns";
+ }
+ ];
+ };
 inbounds = [
 {
@@ -159,9 +182,17 @@ in
 type = "direct";
 tag = "direct";
 }
+ {
+ type = "dns";
+ tag = "dns-out";
+ }
 ];
 route = {
 rules = [
+ {
+ outbound = "dns-out";
+ protocol = "dns";
+ }
 {
 inbound = "sg0";
 outbound = "direct";
diff --git a/machines/dolomite/lightsail.nix b/machines/dolomite/lightsail.nix
index 230b23d..18afeda 100644
--- a/machines/dolomite/lightsail.nix
+++ b/machines/dolomite/lightsail.nix
@@ -103,8 +103,7 @@ in
 environment.systemPackages = [ pkgs.cryptsetup ];
 # EC2 has its own NTP server provided by the hypervisor
- services.timesyncd.enable = true;
- services.timesyncd.servers = [ "169.254.169.123" ];
+ networking.timeServers = [ "169.254.169.123" ];
 # udisks has become too bloated to have in a headless system
 # (e.g. it depends on GTK).
diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix
index ecbc6e2..f74f265 100644
--- a/machines/massicot/default.nix
+++ b/machines/massicot/default.nix
@@ -1,5 +1,7 @@
 {
 inputs,
+ config,
+ libs,
 pkgs,
 ...
 }:
@@ -49,6 +51,13 @@
 efiSupport = true;
 configurationLimit = 5;
 };
+ #
+ # fileSystems."/mnt/storage" = {
+ # device = "//u380335-sub1.your-storagebox.de/u380335-sub1";
+ # fsType = "cifs";
+ # options = [ "credentials=${config.sops.secrets.storage_box_mount.path}" ];
+ # };
+ #
 environment.systemPackages = with pkgs; [
 cifs-utils
 git
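Review bot: The `warp` server uses a bare `address = "1.1.1.1"`, which sing-box treats as plain UDP/TCP DNS, while `directdns` uses `h3://8.8.8.8/dns-query`; the plaintext choice is only acceptable because `detour = "wg-out"` carries those queries inside the tunnel, and nothing in the block records that dependency. A comment on the server entry, `# plain DNS is tolerable here only because it travels inside the wg-out tunnel`, would stop a later edit from dropping the detour or the tunnel. The second hunk of this file has the same kind of ordering dependency: the `protocol = "dns"` route rule only intercepts queries while it stays ahead of the other rules, which a comment such as `# must remain the first rule` should state.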
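Review bot: `libs,` in the module's argument set looks like a typo for `lib`; Nix requires every named argument to be supplied even when `...` is present, so unless the flake passes a `libs` special argument the module fails to evaluate with a missing-argument error. It is also unused in the visible hunks, as is the new `config` argument, whose only reference is inside the commented-out `fileSystems."/mnt/storage"` block in the next hunk. Drop `libs,`, or change it to `lib,` if the rest of the file needs it.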
@@ -60,11 +69,14 @@
 hostName = "massicot";
 };
- commonSettings = {
- auth.enable = true;
- nix = {
+ custom.kanidm-client = {
+ enable = true;
+ uri = "https://auth.xinyang.life/";
+ asSSHAuth = {
 enable = true;
+ allowedGroups = [ "linux_users" ];
 };
+ sudoers = [ "xin@auth.xinyang.life" ];
 };
 security.sudo = {
diff --git a/machines/massicot/kanidm-provision.nix b/machines/massicot/kanidm-provision.nix
index 91f86d2..2439be6 100644
--- a/machines/massicot/kanidm-provision.nix
+++ b/machines/massicot/kanidm-provision.nix
@@ -37,7 +37,6 @@
 "xin"
 "zhuo"
 "ycm"
- "yzl"
 ];
 };
 grafana-superadmins = {
@@ -74,11 +73,6 @@
 displayName = "Chunming";
 mailAddresses = [ "chunmingyou@gmail.com" ];
 };
-
- yzl = {
- displayName = "Zhengli Yang";
- mailAddresses = [ "13391935399@189.cn" ];
- };
 };
 systems.oauth2 = {
 forgejo = {
@@ -139,8 +133,7 @@
 originUrl = [
 "http://localhost/"
 "http://127.0.0.1/"
- # TODO: Should allow mobile redirect url not ending with /
- # "oc://android.owncloud.com"
+ "oc://android.owncloud.com"
 ];
 basicSecretFile = config.sops.secrets."kanidm/ocis_android_secret".path;
 preferShortUsername = true;
diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix
index dfdac4d..4be75c5 100644
--- a/machines/massicot/services.nix
+++ b/machines/massicot/services.nix
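Review bot: Replacing `commonSettings` removes `nix = { enable = true; }` together with `auth.enable`, but the new `custom.kanidm-client` block only covers authentication, so whatever the shared nix settings provided no longer applies to massicot unless it is set elsewhere; state that in the commit or restore it. On the access side, `asSSHAuth` plus `sudoers = [ "xin@auth.xinyang.life" ]` means control of that kanidm account, or of kanidm itself, is root on this host; `allowedGroups = [ "linux_users" ]` is the right kind of limit and deserves a comment such as `# sudo is tied to one IdP account; keep a local break-glass admin`. The `security.sudo` block continues outside the hunk.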
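Review bot: Adding `"oc://android.owncloud.com"` to `originUrl` registers a custom-scheme redirect for a native app on a client that keeps `basicSecretFile`, so one client now serves both a confidential flow and a mobile app that cannot protect that secret once it ships inside the app package. The usual split is a separate public client for the mobile redirect with PKCE required, leaving the secret-bearing client with only the `http://localhost/` and `http://127.0.0.1/` origins. If a single client is intentional, a comment beside the new line should say why the secret is treated as non-sensitive.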
@@ -268,33 +268,15 @@ in
 virtualHosts."http://auth.xinyang.life:80".extraConfig = ''
 reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP}
 '';
- virtualHosts."https://auth.xinyang.life".extraConfig =
- let
- reverseProxyKanidm = ''
- reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} {
- header_up Host {upstream_hostport}
- header_down Access-Control-Allow-Origin "*"
- transport http {
- tls_server_name ${config.services.kanidm.serverSettings.domain}
- }
+ virtualHosts."https://auth.xinyang.life".extraConfig = ''
+ reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} {
+ header_up Host {upstream_hostport}
+ header_down Access-Control-Allow-Origin "*"
+ transport http {
+ tls_server_name ${config.services.kanidm.serverSettings.domain}
 }
- '';
- in
- ''
- reverse_proxy /oauth2/openid/owncloud/userinfo https://127.0.0.1:${toString kanidm_listen_port} {
- header_up Host {upstream_hostport}
- header_down Access-Control-Allow-Origin "*"
- transport http {
- tls_server_name ${config.services.kanidm.serverSettings.domain}
- }
- @error status 400
- handle_response @error {
- rewrite /oauth2/openid/owncloud/userinfo /oauth2/openid/owncloud-android/userinfo
- ${reverseProxyKanidm}
- }
- }
- ${reverseProxyKanidm}
- '';
+ }
+ '';
 virtualHosts."https://rss.xinyang.life".extraConfig = ''
 reverse_proxy ${config.custom.miniflux.environment.LISTEN_ADDR}
diff --git a/machines/massicot/services/restic.nix b/machines/massicot/services/restic.nix
index c8c28be..9a319bb 100644
--- a/machines/massicot/services/restic.nix
+++ b/machines/massicot/services/restic.nix
@@ -5,9 +5,9 @@
 ...
 }:
 let
- sqliteBackup = fromPath: toPath: file: ''
- mkdir -p ${toPath}
- ${lib.getExe pkgs.sqlite} ${fromPath} ".backup '${toPath}/${file}'"
+ sqliteBackup = path: ''
+ mkdir -p /backup${path}
+ ${lib.getExe pkgs.sqlite} ${path} "vacuum into '/var/backup${path}'"
 '';
 in
 {
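Review bot: `header_down Access-Control-Allow-Origin "*"` is applied to every response proxied from kanidm at `https://auth.xinyang.life`, including the OAuth2 token and userinfo endpoints, so any web origin can read bearer-authenticated responses from the identity provider. Restrict it to the front ends that actually need cross-origin access, or remove it and let kanidm emit its own CORS policy; if the wildcard is kept, a comment should name which client requires it. The `tls_server_name` transport setting is correct and should stay.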
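Review bot: `sqliteBackup` now runs `mkdir -p /backup${path}` but writes to `/var/backup${path}`, and the mkdir creates a directory named after the database file rather than its parent, so the `vacuum into` target directory never exists and every backup fails; the `/var/backup` paths in the next hunk confirm which prefix is intended. `VACUUM INTO` also refuses to overwrite an existing file, so the second run would fail once the first succeeds. Replace the two body lines with `mkdir -p "$(dirname "/var/backup${path}")"`, `rm -f "/var/backup${path}"`, and then the existing `vacuum into` line.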
@@ -25,7 +25,7 @@ in
 repositoryFile = config.sops.secrets."restic/repo".path;
 passwordFile = config.sops.secrets."restic/password".path;
 paths = [
- "/backup"
+ "/var/backup"
 "/mnt/storage"
 ];
 };
@@ -34,15 +34,15 @@ in
 enable = true;
 compression = "zstd";
 compressionLevel = 9;
- location = "/backup/postgresql";
+ location = "/var/backup/postgresql";
 };
 services.restic.backups.${config.networking.hostName} = {
 backupPrepareCommand = builtins.concatStringsSep "\n" [
- (sqliteBackup "/var/lib/hedgedoc/db.sqlite" "/backup/hedgedoc" "db.sqlite")
- (sqliteBackup "/var/lib/bitwarden_rs/db.sqlite3" "/backup/bitwarden_rs" "db.sqlite3")
- (sqliteBackup "/var/lib/gotosocial/database.sqlite" "/backup/gotosocial" "database.sqlite")
- (sqliteBackup "/var/lib/kanidm/kanidm.db" "/backup/kanidm" "kanidm.db")
+ (sqliteBackup "/var/lib/hedgedoc/db.sqlite")
+ (sqliteBackup "/var/lib/bitwarden_rs/db.sqlite3")
+ (sqliteBackup "/var/lib/gotosocial/database.sqlite")
+ (sqliteBackup "/var/lib/kanidm/kanidm.db")
 ];
 extraBackupArgs = [
 "--limit-upload=1024"
diff --git a/machines/weilite/default.nix b/machines/weilite/default.nix
index 2d2ef8c..ce39730 100644
--- a/machines/weilite/default.nix
+++ b/machines/weilite/default.nix
@@ -38,8 +38,6 @@
 kernelModules = [ "kvm-intel" ];
 };
- nixpkgs.config.allowUnfree = true;
-
 environment.systemPackages = [ pkgs.virtiofsd ];
 sops = {
@@ -50,10 +48,6 @@
 owner = "caddy";
 mode = "400";
 };
- dnspod_dns_token = {
- owner = "caddy";
- mode = "400";
- };
 "immich/oauth_client_secret" = {
 owner = "immich";
 mode = "400";
@@ -70,30 +64,16 @@
 what = "immich";
 where = "/mnt/XinPhotos/immich";
 type = "virtiofs";
- options = "rw,nodev,nosuid";
+ options = "rw";
 wantedBy = [ "immich-server.service" ];
 }
 {
 what = "originals";
 where = "/mnt/XinPhotos/originals";
 type = "virtiofs";
- options = "rw,nodev,nosuid";
+ options = "ro,nodev,nosuid";
 wantedBy = [ "immich-server.service" ];
 }
- {
- what = "restic";
- where = "/var/lib/restic";
- type = "virtiofs";
- options = "rw,nodev,nosuid";
- wantedBy = [ "restic-rest-server.service" ];
- }
- {
- what = "ocis";
- where = "/var/lib/ocis";
- type = "virtiofs";
- options = "rw,nodev,nosuid";
- wantedBy = [ "ocis.service" ];
- }
 ];
 services.openssh.ports = [
@@ -157,30 +137,26 @@
 repo = "github.com/caddy-dns/cloudflare";
 version = "89f16b99c18ef49c8bb470a82f895bce01cbaece";
 }
-{
- repo = "github.com/caddy-dns/dnspod";
- version = "1fd4ce87e919f47db5fa029c31ae74b9737a58af";
- }
 ];
- vendorHash = "sha256-OhOeU2+JiJyIW9WdCYq98OKckXQZ9Fn5zULz0aLsXMI=";
+ vendorHash = "sha256-fTcMtg5GGEgclIwJCav0jjWpqT+nKw2OF1Ow0MEEitk=";
 };
 virtualHosts."weilite.coho-tet.ts.net:8080".extraConfig = ''
 reverse_proxy 127.0.0.1:${toString config.services.immich.port}
 '';
 # API Token must be added in systemd environment file
 virtualHosts."immich.xinyang.life:8000".extraConfig = ''
+ tls {
+ dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+ }
 reverse_proxy 127.0.0.1:${toString config.services.immich.port}
 '';
- globalConfig = ''
- acme_dns dnspod {env.DNSPOD_API_TOKEN}
- '';
 };
 networking.firewall.allowedTCPPorts = [ 8000 ];
 systemd.services.caddy = {
 serviceConfig = {
- EnvironmentFile = config.sops.secrets.dnspod_dns_token.path;
+ EnvironmentFile = config.sops.secrets.cloudflare_dns_token.path;
 };
 };
diff --git a/machines/weilite/secrets.yaml b/machines/weilite/secrets.yaml
index 8446f0a..bb631bb 100644
--- a/machines/weilite/secrets.yaml
+++ b/machines/weilite/secrets.yaml
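Review bot: `options = "rw"` for the immich virtiofs mount drops the `nodev,nosuid` that the old line and the `originals` mount below both keep, so a setuid binary or device node placed on the shared photo volume from the host side would be honoured inside the guest. Keep `options = "rw,nodev,nosuid";`, adding `noexec` as well unless something must execute from the media share. The `originals` mount correctly becomes read-only.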
@@ -1,5 +1,4 @@
 cloudflare_dns_token: ENC[AES256_GCM,data:m4euSkxxJmiMk9UPyeni/hwpl1W9A4MM0ssg71eOBsX4fFyG39NJeKbNTddW7omBx3gKJtnrRuDdOj5wpg==,iv:eRVzsGwz8hWC42jM+VeSUWCS9Gi8VGSY8Fyh+En0jEI=,tag:NNE8VeNQ8kp9KyziVokyuQ==,type:str]
-dnspod_dns_token: ENC[AES256_GCM,data:uZfr3g103amywxh3NMU+AkwuYb61svzyavvQ4rxJijIMIbfPvERrVNcyivoOrFWYXHpPWkhZFdU=,iv:mArVAcebW9i+u26GmQmfmJTsFkR4ZRMIisTqjpMYan8=,tag:Zsmv1Wzfi3+PHigjReToHQ==,type:str]
 immich:
 oauth_client_secret: ENC[AES256_GCM,data:EFs2hPjGMj0idwY3oQVIDTOIWkdwoAoAVjDQE9Z2eAKzUDH3grmYpYE+33V8d/Ux,iv:A9cjwFr/ZqltG62/N8MQ1LhdDbSIVVAqIPVB492zYJw=,tag:VTTtE697BZTVsI32UF53/w==,type:str]
 sops:
@@ -26,8 +25,8 @@ sops:
 V0thRjU4WGpQRGFpcnoxSjZTZHhTTkUKzNMHh9p7GUY3hL5XZ9S4x20CwaItsXFV
 RKujsFVVBd8Kuq/jyOCBTRCscuHI4LW/wYeZYHFEZFSTK2liAqspgw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-09-13T12:02:54Z"
- mac: ENC[AES256_GCM,data:c5p+B2mPCDyS/Q4QH4MkzCww6jFDhP8RfHqrKLf4e/8XuNEGfNmPKaeliZG26j1YQWRvFHiGQX3AMnQ3Q+fSRUQCVi5KV+KW7fADNIB3TiTT5hAFuynhiWWQSmIrWP0GGek3GDGi7OJ1PrFbxWP9bwaf+zBegiaUcWoTorJg7No=,iv:6MohNgPpq80eTUlf3RvPKsxdx69V0jl+/hrMxAPpPQE=,tag:BtWp1FChP2hdclbGl5W+vQ==,type:str]
+ lastmodified: "2024-09-07T14:56:37Z"
+ mac: ENC[AES256_GCM,data:PvMTvWumdW8W3Qj8WG4VBug8TzM+g9vQBdJNMr2rHxhFLgBp9lNOsVJkyDASnse+RVx9EKesRYni6t43XB2F7Y6nsv6PA7m9GYm08ELFXxYOLUjjrUSPzI6PhEk2eUbJ/MO/ojcntVRcbw1pmLUhq2Dj4mpl4Po6w4OyutKNNOg=,iv:eX/IiUn44Ecv5uTEQ5urUpWuuq+dr7ElVpZF24QpRxQ=,tag:3WcjZ/SP/Jd4JVkORBvkWg==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.0
diff --git a/machines/weilite/services/cloudflared.nix b/machines/weilite/services/cloudflared.nix
deleted file mode 100644
index 30b748d..0000000
--- a/machines/weilite/services/cloudflared.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-{ pkgs, ... }:
-{
- services.cloudflared = {
- enable = true;
- tunnels =
- {
- };
- };
-}
diff --git a/machines/weilite/services/ocis.nix b/machines/weilite/services/ocis.nix
index 7438591..26a6769 100644
--- a/machines/weilite/services/ocis.nix
+++ b/machines/weilite/services/ocis.nix
@@ -1,35 +1,36 @@
 { config, pkgs, ... }:
 {
+ sops = {
+ secrets = {
+ "ocis/env" = {
+ sopsFile = ../secrets.yaml;
+ };
+ };
+ };
+
 services.ocis = {
 enable = true;
- package = pkgs.ocis;
+ package = pkgs.ocis-bin;
 stateDir = "/var/lib/ocis";
 url = "https://drive.xinyang.life:8443";
 address = "127.0.0.1";
 port = 9200;
- configDir = "/var/lib/ocis/config";
 environment = {
 OCIS_INSECURE = "false";
- PROXY_TLS = "false";
- OCIS_LOG_LEVEL = "debug";
+ OCIS_LOG_LEVEL = "trace";
 OCIS_LOG_PRETTY = "true";
- PROXY_AUTOPROVISION_ACCOUNTS = "true";
- PROXY_USER_OIDC_CLAIM = "preferred_username";
- PROXY_OIDC_ISSUER = "https://auth.xinyang.life/oauth2/openid/owncloud";
- PROXY_OIDC_REWRITE_WELLKNOWN = "false";
- PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD = "none";
- OCIS_EXCLUDE_RUN_SERVICES = "idp";
- WEB_HTTP_ADDR = "127.0.0.1:12345";
- WEB_OIDC_METADATA_URL = "https://auth.xinyang.life/oauth2/openid/owncloud/.well-known/openid-configuration";
- WEB_OIDC_AUTHORITY = "https://auth.xinyang.life/oauth2/openid/owncloud";
+ # For reverse proxy. Disable tls.
+ OCIS_PROXY_TLS = "false";
 WEB_OIDC_CLIENT_ID = "owncloud";
+ WEB_OIDC_ISSUER = "https://auth.xinyang.life/oauth2/openid/owncloud";
+ OCIS_EXCLUDE_RUN_SERVICES = "idp";
+ PROXY_OIDC_REWRITE_WELLKNOWN = "true";
 };
- # environmentFile = config.sops.secrets."ocis/env".path;
 };
- networking.firewall.allowedTCPPorts = [ 8443 ];
+ networking.allowedTCPPorts = [ 8443 ];
+
 services.caddy.virtualHosts."${config.services.ocis.url}".extraConfig = ''
- redir /.well-known/openid-configuration https://auth.xinyang.life/oauth2/openid/owncloud-android/.well-known/openid-configuration permanent
- reverse_proxy ${config.services.ocis.address}:${toString config.services.ocis.port}
+ reverse_proxy ${config.services.ocis.address}:${config.services.ocis.address}
 '';
 }
diff --git a/machines/weilite/services/restic.nix b/machines/weilite/services/restic.nix
index 4858590..e1fb489 100644
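Review bot: `networking.allowedTCPPorts = [ 8443 ];` is not a NixOS option (the firewall list is `networking.firewall.allowedTCPPorts`, as the removed line had), so evaluation fails, and the new Caddy line repeats the address where the port belongs — it should read `reverse_proxy ${config.services.ocis.address}:${toString config.services.ocis.port}`. `OCIS_LOG_LEVEL = "trace"` on an internet-facing service is likely to write request detail, including tokens, into the journal and should drop back to `"info"` once debugging is over. The `sops.secrets."ocis/env"` declaration added at the top is consumed nowhere now that the `environmentFile` line is gone, and the old side used `PROXY_TLS`, so confirm `OCIS_PROXY_TLS` is a variable oCIS recognises before relying on it to disable the proxy's TLS.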
--- a/machines/weilite/services/restic.nix
+++ b/machines/weilite/services/restic.nix
@@ -1,43 +1,16 @@
 { config, ... }:
-let
- mkPrune = user: host: {
- name = "${user}-${host}-prune";
- value = {
- user = "restic";
- repository = "/var/lib/restic/${user}/${host}";
- passwordFile = "/var/lib/restic/localpass";
- timerConfig = {
- OnCalendar = "02:05";
- RandomizedDelaySec = "1h";
- };
- pruneOpts = [
- "--keep-daily 7"
- "--keep-weekly 5"
- "--keep-monthly 12"
- "--keep-yearly 75"
- ];
- };
-
- };
-in
 {
 services.restic.server = {
 enable = true;
 dataDir = "/var/lib/restic";
 listenAddress = "127.0.0.1:19573";
- privateRepos = true;
+ privateRepos = "true";
 extraFlags = [
 "--append-only"
- "--prometheus-no-auth"
 ];
 };
- services.restic.backups = builtins.listToAttrs [
- (mkPrune "xin" "calcite")
- (mkPrune "xin" "massicot")
- ];
-
- networking.firewall.allowedTCPPorts = [ 8443 ];
+ networking.allowedTCPPorts = [ 8443 ];
 services.caddy.virtualHosts."https://backup.xinyang.life:8443".extraConfig = ''
 reverse_proxy ${config.services.restic.server.listenAddress}
diff --git a/modules/nixos/common-settings/autoupgrade.nix b/modules/nixos/common-settings/autoupgrade.nix
deleted file mode 100644
index 6c2cc83..0000000
--- a/modules/nixos/common-settings/autoupgrade.nix
+++ /dev/null
@@ -1,32 +0,0 @@
-{
- config,
- lib,
- ...
-}:
-
-let
- inherit (lib)
- mkIf
- mkEnableOption
- mkOption
- types
- ;
-
- cfg = config.commonSettings.autoupgrade;
-in
-{
- options.commonSettings.autoupgrade = {
- enable = mkEnableOption "auto upgrade with nixos-rebuild";
- flake = mkOption {
- type = types.str;
- default = "github:xinyangli/nixos-config/deploy";
- };
- };
-
- config = mkIf cfg.enable {
- system.autoUpgrade = {
- enable = true;
- flake = cfg.flake;
- };
- };
-}
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index bfc36ce..36bf773 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
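Review bot: `privateRepos = "true"` passes a string where `services.restic.server.privateRepos` is a boolean option, so evaluation fails with a type error; the removed `privateRepos = true;` was correct, and this flag is what stops one client from reading another client's repository. `networking.allowedTCPPorts` on the new side has the same problem as in ocis.nix — the option is `networking.firewall.allowedTCPPorts`. Dropping `--prometheus-no-auth` is an improvement, since the metrics endpoint then sits behind the same authentication as the repositories.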
@@ -1,7 +1,6 @@
 {
 imports = [
 ./common-settings/auth.nix
- ./common-settings/autoupgrade.nix
 ./common-settings/nix-conf.nix
 ./restic.nix
 ./vaultwarden.nix
diff --git a/modules/nixos/restic.nix b/modules/nixos/restic.nix
index 0926fad..7410a53 100644
--- a/modules/nixos/restic.nix
+++ b/modules/nixos/restic.nix
@@ -1,7 +1,6 @@
 # TODO: https://github.com/lilyinstarlight/foosteros/blob/dfe1ab3eb68bfebfaa709482d52fa04ebdde81c8/config/restic.nix#L23 <- this is better
 {
 config,
- pkgs,
 lib,
 ...
 }:
@@ -56,10 +55,10 @@ in
 }
 (lib.mkIf (config.fileSystems."/".fsType == "btrfs") {
 backupPrepareCommand = ''
- ${pkgs.btrfs-progs}/bin/btrfs subvolume snapshot -r / backup
+ btrfs subvolume snapshot -r / backup
 '';
 backupCleanupCommand = ''
- ${pkgs.btrfs-progs}/bin/btrfs subvolume delete /backup
+ btrfs subvolume delete /backup
 '';
 paths = map (p: "/backup" + p) cfg.paths;
 })
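Review bot: The new `btrfs subvolume snapshot -r / backup` depends on `btrfs` being on the backup unit's PATH, which the NixOS restic service does not guarantee once the `pkgs.btrfs-progs` store path is gone; if `pkgs` is dropped on purpose, add btrfs-progs to the unit's `path` or the prepare step fails at runtime. Independently, the snapshot is created at the relative path `backup` while `backupCleanupCommand` deletes `/backup` and `paths` prefixes `/backup`, so the two only agree when the unit's working directory is `/`; `btrfs subvolume snapshot -r / /backup` removes that dependency. The enclosing `lib.mkIf` list begins outside the hunk.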