garnix.yaml

@@ -7,14 +7,6 @@ builds:
       - nixosConfigurations.agate
       - nixosConfigurations.baryte
     branch: deploy
-  - include:
-      - nixosConfigurations.*
-    exclude:
-      - nixosConfigurations.osmium
-      - nixosConfigurations.raspite
-      - nixosConfigurations.agate
-      - nixosConfigurations.baryte
-    branch: deploy-next
   - include:
       - nixosConfigurations.biotite
     branch: testing-biotite

machines/baryte/default.nix

@@ -10,7 +10,6 @@
     commonSettings = {
       auth.enable = true;
       network.localdns.enable = true;
-      serverComponents.enable = true;
     };
 
     services.openssh.enable = true;

machines/biotite/services/synapse.nix

@@ -120,4 +120,8 @@ in
       reverse_proxy /_synapse/client/* 127.0.0.1:${toString port-synapse}
     '';
   };
+
+  networking.firewall.allowedTCPPorts = [
+    443
+  ];
 }

machines/calcite/configuration.nix

@@ -316,6 +316,10 @@ in
     ];
   };
 
+  custom.prometheus = {
+    exporters.node.enable = true;
+  };
+
   services.ollama = {
     enable = true;
     acceleration = "cuda";

machines/dolomite/common.nix

@@ -36,7 +36,6 @@
     commonSettings = {
       auth.enable = true;
       comin.enable = true;
-      serverComponents.enable = true;
       proxyServer = {
         enable = true;
         users = [

machines/minimal/default.nix

@@ -0,0 +1,25 @@
+{
+  lib,
+  ...
+}:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+  ];
+
+  boot.initrd.availableKernelModules =
+    [
+    ];
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

machines/raspite/configuration.nix

@@ -23,8 +23,6 @@
     })
   ];
 
-  networking.firewall.allowedTCPPorts = [ 8443 ];
-
   environment.systemPackages = with pkgs; [
     git
     libraspberrypi

machines/raspite/services/hass.nix

@@ -223,7 +223,10 @@
     };
   };
 
+  networking.firewall.allowedTCPPorts = [ 8443 ];
+
   services.caddy = {
+    enable = true;
     virtualHosts = {
       "raspite.coho-tet.ts.net".extraConfig = ''
         reverse_proxy ${config.services.home-assistant.config.http.server_host}:${toString config.services.home-assistant.config.http.server_port}

machines/thorite/default.nix

@@ -26,10 +26,16 @@
       address = [ "23.165.200.99/24" ];
     };
 
+    networking.firewall.allowedTCPPorts = [
+      80
+      443
+    ];
+
+    services.caddy.enable = true;
+
     commonSettings = {
       auth.enable = true;
       comin.enable = true;
-      serverComponents.enable = true;
     };
 
     nixpkgs.system = "x86_64-linux";

machines/weilite/default.nix

@@ -32,7 +32,6 @@
       };
       comin.enable = true;
       network.localdns.enable = true;
-      serverComponents.enable = true;
     };
 
     boot = {

machines/weilite/services/caddy.nix

@@ -35,6 +35,13 @@
       }";
     in
     {
+      enable = true;
+      package = pkgs.caddy.withPlugins {
+        plugins = [
+          "github.com/caddy-dns/cloudflare@v0.2.1"
+        ];
+        hash = "sha256-saKJatiBZ4775IV2C5JLOmZ4BwHKFtRZan94aS5pO90=";
+      };
       virtualHosts."derper00.namely.icu:8443".extraConfig = ''
         ${acmeCF}
         reverse_proxy 127.0.0.1:${toString config.services.tailscale.derper.port}
@@ -45,7 +52,10 @@
       '';
     };
 
-  networking.firewall.allowedTCPPorts = [ 8443 ];
+  networking.firewall.allowedTCPPorts = [
+    8000
+    8443
+  ];
 
   systemd.services.caddy = {
     serviceConfig = {

machines/weilite/services/jellyfin.nix

@@ -19,7 +19,7 @@ in
   services.caddy.virtualHosts."https://weilite.coho-tet.ts.net:8920".extraConfig = ''
     reverse_proxy 127.0.0.1:8096
   '';
-
+  networking.firewall.allowedTCPPorts = [ 8920 ]; # allow on lan
   users.users.jellyfin.extraGroups = [ "render" ];
   users.groups.media.members = [ cfg.user ];
 }

machines/weilite/services/ocis.nix

@@ -27,6 +27,7 @@
     # environmentFile = config.sops.secrets."ocis/env".path;
   };
 
+  networking.firewall.allowedTCPPorts = [ 8443 ];
   services.caddy.virtualHosts."${config.services.ocis.url}".extraConfig = ''
     reverse_proxy ${config.services.ocis.address}:${toString config.services.ocis.port}
   '';

machines/weilite/services/restic.nix

@@ -38,6 +38,8 @@ in
     (mkPrune "xin" "thorite")
   ];
 
+  networking.firewall.allowedTCPPorts = [ 8443 ];
+
   services.caddy.virtualHosts."https://backup.xinyang.life:8443".extraConfig = ''
     tls {
       dns dnspod {env.DNSPOD_API_TOKEN}

machines/weilite/services/transmission.nix

@@ -73,8 +73,6 @@ in
       watch-dir-enabled = false;
     };
   };
-
-  networking.firewall.allowedTCPPorts = [ 9091 ];
   services.caddy.virtualHosts."https://weilite.coho-tet.ts.net:9091".extraConfig = ''
     reverse_proxy 127.0.0.1:${toString cfg.settings.rpc-port}
   '';
@@ -95,5 +93,6 @@ in
     };
   };
 
+  networking.firewall.allowedTCPPorts = [ 9091 ]; # allow on lan
   users.groups.media.members = [ cfg.user ];
 }

modules/nixos/common-settings/proxy-server.nix

@@ -176,8 +176,11 @@ in
         reverse_proxy 127.0.0.1:30310
       '';
 
-      networking.firewall.allowedTCPPorts = [ cfg.trojan.port ];
+      networking.firewall.allowedTCPPorts = [
-      networking.firewall.allowedUDPPorts = lib.range 6311 6314;
+        80
+        cfg.trojan.port
+      ];
+      networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314);
 
       services.sing-box = {
         enable = true;

modules/nixos/common-settings/server.nix

@@ -1,56 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
-let
-  cfg = config.commonSettings.serverComponents;
-in
-{
-  options = {
-    commonSettings.serverComponents = {
-      enable = lib.mkEnableOption "Common components on servers";
-    };
-  };
-  config = lib.mkIf cfg.enable {
-    networking.firewall.allowedTCPPorts = [
-      80
-      443
-    ];
-
-    services.caddy = {
-      enable = true;
-      package = pkgs.caddy.withPlugins {
-        plugins = [
-          "github.com/caddy-dns/cloudflare@v0.2.1"
-        ];
-        hash = "sha256-saKJatiBZ4775IV2C5JLOmZ4BwHKFtRZan94aS5pO90=";
-      };
-    };
-
-    services.caddy.globalConfig = ''
-      servers {
-        metrics
-      }
-
-      admin unix//var/run/caddy/admin.sock {
-        origins 127.0.0.1 ${config.networking.hostName}.coho-tet.ts.net:2019
-      }
-    '';
-
-    systemd.services.caddy.serviceConfig = {
-      RuntimeDirectory = "caddy";
-      RuntimeDirectoryMode = "0700";
-    };
-
-    custom.monitoring = {
-      promtail.enable = true;
-    };
-
-    custom.prometheus.exporters = {
-      enable = true;
-      node.enable = true;
-    };
-  };
-}

modules/nixos/default.nix

@@ -7,7 +7,6 @@
     ./common-settings/proxy-server.nix
     ./common-settings/mainland.nix
     ./common-settings/network.nix
-    ./common-settings/server.nix
     ./disk-partitions
     ./restic.nix
     ./monitor

modules/nixos/forgejo-actions-runner.nix

@@ -0,0 +1,45 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  cfg = config.custom.forgejo-actions-runner;
+  settingsFormat = pkgs.formats.yaml { };
+in
+{
+  options = {
+    custom.forgejo-actions-runner = {
+      enable = lib.mkEnableOption "TPM supported ssh agent in go";
+      tokenFile = lib.mkOption { type = lib.types.path; };
+      settings = lib.mkOption {
+        type = lib.types.submodule {
+          freeformType = settingsFormat.type;
+        };
+
+        default = { };
+      };
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    virtualisation.docker.enable = true;
+    services.gitea-actions-runner.package = pkgs.forgejo-actions-runner;
+    services.gitea-actions-runner.instances = {
+      "git.xinyang.life" = {
+        enable = true;
+        url = "https://git.xinyang.life";
+        tokenFile = cfg.tokenFile;
+        name = config.networking.hostName;
+        labels = [
+          "debian-latest:docker://node:18-bullseye"
+          "ubuntu-latest:docker://node:18-bullseye"
+          "nix:docker://xiny/nix-runner:2.21.0-pkgs-23.11"
+        ];
+        settings = {
+          container.network = "host";
+        } // cfg.settings;
+      };
+    };
+  };
+}

modules/nixos/kanidm-client.nix

@@ -0,0 +1,81 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+with lib;
+
+let
+  cfg = config.custom.kanidm-client;
+in
+{
+  options = {
+    custom.kanidm-client = {
+      enable = mkEnableOption "Kanidm client service";
+      asSSHAuth = mkOption {
+        type = types.submodule {
+          options = {
+            enable = mkEnableOption "Kanidm as system authentication source";
+            allowedGroups = mkOption {
+              type = types.listOf types.str;
+              example = [ "linux_users" ];
+            };
+            hardening = mkOption {
+              type = types.bool;
+              default = false;
+            };
+          };
+        };
+      };
+      sudoers = mkOption {
+        type = types.listOf types.str;
+        default = [ ];
+      };
+      uri = mkOption { type = types.str; };
+    };
+  };
+  config = mkIf cfg.enable {
+    services.kanidm = mkMerge [
+      (mkIf cfg.enable {
+        package = pkgs.kanidm_1_5;
+        enableClient = true;
+        clientSettings = {
+          uri = cfg.uri;
+        };
+      })
+      (mkIf cfg.asSSHAuth.enable {
+        enablePam = true;
+        unixSettings = {
+          pam_allowed_login_groups = cfg.asSSHAuth.allowedGroups;
+          default_shell = "/bin/sh";
+        };
+      })
+    ];
+    services.openssh = mkIf cfg.asSSHAuth.enable {
+      enable = true;
+      authorizedKeysCommand = "/etc/ssh/auth %u";
+      authorizedKeysCommandUser = "kanidm-ssh-runner";
+      settings = mkIf cfg.asSSHAuth.enable {
+        PasswordAuthentication = false;
+        KbdInteractiveAuthentication = false;
+        PermitRootLogin = lib.mkForce "no";
+      };
+    };
+
+    environment.etc."ssh/auth" = mkIf cfg.asSSHAuth.enable {
+      mode = "0555";
+      text = ''
+        #!${pkgs.stdenv.shell}
+        ${pkgs.kanidm}/bin/kanidm_ssh_authorizedkeys $1
+      '';
+    };
+    users.groups.wheel.members = cfg.sudoers;
+    users.groups.kanidm-ssh-runner = { };
+    users.users.kanidm-ssh-runner = {
+      isSystemUser = true;
+      group = "kanidm-ssh-runner";
+    };
+
+  };
+}

modules/nixos/vaultwarden.nix

@@ -0,0 +1,52 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+
+with lib;
+
+let
+  cfg = config.custom.vaultwarden;
+in
+{
+  options = {
+    custom.vaultwarden = {
+      enable = mkEnableOption "vaultwarden server";
+      domain = mkOption {
+        type = types.str;
+        default = "bitwarden.example.com";
+        description = "Domain name of the vaultwarden server";
+      };
+      caddy = mkOption {
+        type = types.bool;
+        default = true;
+        description = "Enable Caddy as reverse proxy";
+      };
+      # TODO: mailserver support
+    };
+  };
+  config = mkIf cfg.enable {
+    services.vaultwarden = {
+      enable = true;
+      dbBackend = "sqlite";
+      config = {
+        DOMAIN = "https://${cfg.domain}";
+        SIGNUPS_ALLOWED = false;
+
+        ROCKET_ADDRESS = "127.0.0.1";
+        ROCKET_PORT = 8222;
+
+        ROCKET_LOG = "critical";
+      };
+    };
+    services.caddy = mkIf cfg.caddy {
+      enable = true;
+
+      virtualHosts."https://${cfg.domain}".extraConfig = ''
+        reverse_proxy ${config.services.vaultwarden.config.ROCKET_ADDRESS}:${toString config.services.vaultwarden.config.ROCKET_PORT}
+      '';
+    };
+  };
+}