diff --git a/flake.lock b/flake.lock index 2570c21..3744570 100644 --- a/flake.lock +++ b/flake.lock @@ -116,11 +116,11 @@ }, "catppuccin": { "locked": { - "lastModified": 1724156255, - "narHash": "sha256-rpUCeS/QZwQdJmDrvCm0hRi8bFvQNQKAnIMK5ZDBfpM=", + "lastModified": 1725509983, + "narHash": "sha256-NHCgHVqumPraFJnLrkanoLDuhOoUHUvRhvp/RIHJR+A=", "owner": "catppuccin", "repo": "nix", - "rev": "8886a68edadb1d93c7101337f995ffce4b410ff2", + "rev": "45745fe5960acaefef2b60f3455bcac6a0ca6bc9", "type": "github" }, "original": { @@ -433,11 +433,11 @@ ] }, "locked": { - "lastModified": 1723986931, - "narHash": "sha256-Fy+KEvDQ+Hc8lJAV3t6leXhZJ2ncU5/esxkgt3b8DEY=", + "lastModified": 1725694918, + "narHash": "sha256-+HsjshXpqNiJHLaJaK0JnIicJ/a1NquKcfn4YZ3ILgg=", "owner": "nix-community", "repo": "home-manager", - "rev": "2598861031b78aadb4da7269df7ca9ddfc3e1671", + "rev": "aaebdea769a5c10f1c6e50ebdf5924c1a13f0cda", "type": "github" }, "original": { @@ -476,11 +476,11 @@ ] }, "locked": { - "lastModified": 1715930644, - "narHash": "sha256-W9pyM3/vePxrffHtzlJI6lDS3seANQ+Nqp+i58O46LI=", + "lastModified": 1726036828, + "narHash": "sha256-ZQHbpyti0jcAKnwQY1lwmooecLmSG6wX1JakQ/eZNeM=", "owner": "nix-community", "repo": "home-manager", - "rev": "e3ad5108f54177e6520535768ddbf1e6af54b59d", + "rev": "8a1671642826633586d12ac3158e463c7a50a112", "type": "github" }, "original": { @@ -498,11 +498,11 @@ "nixvim": "nixvim" }, "locked": { - "lastModified": 1724306750, - "narHash": "sha256-mT8DXzj0zHfGJ+zuxFAnqnk+0bDEFgEk7TvEk59WbWQ=", + "lastModified": 1725247757, + "narHash": "sha256-M++z1VvmSo18FRVI02mdF2210bCYn+t25Zgflrdn9Tc=", "ref": "refs/heads/master", - "rev": "81990813485a580d69853d8429e3b8aece7f66a6", - "revCount": 11, + "rev": "7e0140a6a9eff2ab3292d8269bc99efeb3581835", + "revCount": 14, "type": "git", "url": "https://git.xinyang.life/xin/nixvim" }, @@ -540,11 +540,11 @@ ] }, "locked": { - "lastModified": 1723950649, - "narHash": "sha256-dHMkGjwwCGj0c2MKyCjRXVBXq2Sz3TWbbM23AS7/5Hc=", + "lastModified": 1725161148, + "narHash": "sha256-WfAHq3Ag3vLNFfWxKHjFBFdPI6JIideWFJod9mx1eoo=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "392828aafbed62a6ea6ccab13728df2e67481805", + "rev": "32058e9138248874773630c846563b1a78ee7a5b", "type": "github" }, "original": { @@ -564,11 +564,11 @@ ] }, "locked": { - "lastModified": 1724117347, - "narHash": "sha256-/nfm6P0owPtCRjT8ktq/8OChtg2HpkrvNaDJGm9N1Lk=", + "lastModified": 1725672853, + "narHash": "sha256-z1O6dzCJ27OZpF680tZL0mQphQETdg4DTryvhFOpZyA=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "2ef60116ef361d988317cbe52a09acfeda7d3416", + "rev": "efd33fc8e5a149dd48d86ca6003b51ab3ce4ae21", "type": "github" }, "original": { @@ -579,11 +579,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1724067415, - "narHash": "sha256-WJBAEFXAtA41RMpK8mvw0cQ62CJkNMBtzcEeNIJV7b0=", + "lastModified": 1725477728, + "narHash": "sha256-ahej1VRqKmWbG7gewty+GlrSBEeGY/J2Zy8Nt8+3fdg=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "b09c46430ffcf18d575acf5c339b38ac4e1db5d2", + "rev": "880be1ab837e1e9fe0449dae41ac4d034694d4ce", "type": "github" }, "original": { @@ -623,11 +623,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1723938990, - "narHash": "sha256-9tUadhnZQbWIiYVXH8ncfGXGvkNq3Hag4RCBEMUk7MI=", + "lastModified": 1725407940, + "narHash": "sha256-tiN5Rlg/jiY0tyky+soJZoRzLKbPyIdlQ77xVgREDNM=", "owner": "nixos", "repo": "nixpkgs", - "rev": "c42fcfbdfeae23e68fc520f9182dde9f38ad1890", + "rev": "6f6c45b5134a8ee2e465164811e451dcb5ad86e3", "type": "github" }, "original": { @@ -655,11 +655,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1724160083, - "narHash": "sha256-ROiCJNYSbjO45ajyTfRxp+aqvX+R1M3xwlWOLtfD0iw=", + "lastModified": 1726296585, + "narHash": "sha256-inm7AIEqfgF4wXkhWB2M5IfmdITSF90xpeDDSU3DfNc=", "owner": "xinyangli", "repo": "nixpkgs", - "rev": "885d5117645517b70eb3922acfbb83226fc77dbb", + "rev": "8539edfb09c674994303141378df4ab33cd765ad", "type": "github" }, "original": { @@ -671,11 +671,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1714912032, - "narHash": "sha256-clkcOIkg8G4xuJh+1onLG4HPMpbtzdLv4rHxFzgsH9c=", + "lastModified": 1726042813, + "narHash": "sha256-LnNKCCxnwgF+575y0pxUdlGZBO/ru1CtGHIqQVfvjlA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ee4a6e0f566fe5ec79968c57a9c2c3c25f2cf41d", + "rev": "159be5db480d1df880a0135ca0bfed84c2f88353", "type": "github" }, "original": { @@ -713,11 +713,11 @@ }, "nur": { "locked": { - "lastModified": 1724159175, - "narHash": "sha256-3z9wRL+h+gTVFtecCUGrRaW6nvPPAtBCIDE9KAmZj7c=", + "lastModified": 1725687722, + "narHash": "sha256-LPv282y5okYk8ebiBsEbDXy2WykwdBPpAthjKSmTfNI=", "owner": "nix-community", "repo": "NUR", - "rev": "0b86d5643d99e3982471f0d79e553871c6f35396", + "rev": "ff7f8143f33751c4f37caec678ed1eb63006c0d3", "type": "github" }, "original": { @@ -774,11 +774,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1723501126, - "narHash": "sha256-N9IcHgj/p1+2Pvk8P4Zc1bfrMwld5PcosVA0nL6IGdE=", + "lastModified": 1725540166, + "narHash": "sha256-htc9rsTMSAY5ek+DB3tpntdD/es0eam2hJgO92bWSys=", "owner": "Mic92", "repo": "sops-nix", - "rev": "be0eec2d27563590194a9206f551a6f73d52fa34", + "rev": "d9d781523a1463965cd1e1333a306e70d9feff07", "type": "github" }, "original": { @@ -804,15 +804,15 @@ "systems": "systems_3" }, "locked": { - "lastModified": 1724444244, - "narHash": "sha256-fH1lyJvJjUhZ8xMlmiI18EZNzodDSe74rFuwlZDL0aQ=", - "owner": "danth", + "lastModified": 1725416430, + "narHash": "sha256-DkF49DlcaZHV9v3m5ctQnC9qNqsEdfNhwjQArx5Q+Zw=", + "owner": "xinyangli", "repo": "stylix", - "rev": "d042af478ce87e188139480922a3085218194106", + "rev": "7aad490478518af03367dabfb5811b3f87ea93a1", "type": "github" }, "original": { - "owner": "danth", + "owner": "xinyangli", "repo": "stylix", "type": "github" } diff --git a/flake.nix b/flake.nix index 27e4293..9a9ffc3 100644 --- a/flake.nix +++ b/flake.nix @@ -49,8 +49,15 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - catppuccin.url = "github:catppuccin/nix"; - stylix.url = "github:danth/stylix"; + catppuccin = { + url = "github:catppuccin/nix"; + }; + + stylix = { + url = "github:xinyangli/stylix"; + # inputs.nixpkgs.follows = "nixpkgs"; + # inputs.home-manager.follows = "home-manager"; + }; }; outputs = @@ -76,7 +83,7 @@ ]; }; deploymentModule = { - deployment.targetUser = "xin"; + deployment.targetUser = "root"; }; sharedColmenaModules = [ self.nixosModules.default @@ -107,14 +114,29 @@ } ]; }; + mkHomeConfiguration = user: host: { + name = user; + value = home-manager.lib.homeManagerConfiguration { + pkgs = import nixpkgs { system = "x86_64-linux"; }; + modules = [ + (import ./home).${user}.${host} + overlayModule + ] ++ sharedHmModules; + extraSpecialArgs = { + inherit inputs; + }; + }; + }; mkNixos = { + system, modules, specialArgs ? { }, }: nixpkgs.lib.nixosSystem { + inherit system; specialArgs = specialArgs // { - inherit inputs; + inherit inputs system; }; modules = [ self.nixosModules.default @@ -132,9 +154,11 @@ }; homeManagerModules = import ./modules/home-manager; + homeConfigurations = builtins.listToAttrs [ (mkHomeConfiguration "xin" "calcite") ]; + colmenaHive = inputs.colmena.lib.makeHive { meta = { - nixpkgs = import nixpkgs { localSystem = "x86_64-linux"; }; + nixpkgs = import nixpkgs { system = "x86_64-linux"; }; specialArgs = { inherit inputs; }; @@ -146,13 +170,17 @@ deployment.targetHost = "49.13.13.122"; deployment.buildOnTarget = true; - imports = [ machines/massicot ] ++ sharedColmenaModules; + imports = [ + { nixpkgs.system = "aarch64-linux"; } + machines/massicot + ] ++ sharedColmenaModules; }; tok-00 = { ... }: { imports = [ machines/dolomite ] ++ sharedColmenaModules; + nixpkgs.system = "x86_64-linux"; networking.hostName = "tok-00"; system.stateVersion = "23.11"; deployment = { @@ -166,6 +194,7 @@ { ... }: { imports = [ machines/dolomite ] ++ sharedColmenaModules; + nixpkgs.system = "x86_64-linux"; networking.hostName = "la-00"; system.stateVersion = "21.05"; deployment = { @@ -182,6 +211,7 @@ targetHost = "raspite.local"; buildOnTarget = false; }; + nixpkgs.system = "aarch64-linux"; imports = [ "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" nixos-hardware.nixosModules.raspberry-pi-4 @@ -198,28 +228,26 @@ targetPort = 22; buildOnTarget = false; }; + nixpkgs.system = "x86_64-linux"; }; }; + nixosConfigurations = { + calcite = mkNixos { + system = "x86_64-linux"; + modules = [ + nixos-hardware.nixosModules.asus-zephyrus-ga401 + machines/calcite/configuration.nix + (mkHome "xin" "calcite") + ]; + }; + } // self.colmenaHive.nodes; + } // flake-utils.lib.eachDefaultSystem ( system: let - pkgs = import nixpkgs { localSystem = system; }; - - mkHomeConfiguration = user: host: { - name = user; - value = home-manager.lib.homeManagerConfiguration { - inherit pkgs; - modules = [ - (import ./home).${user}.${host} - overlayModule - ] ++ sharedHmModules; - extraSpecialArgs = { - inherit inputs; - }; - }; - }; + pkgs = nixpkgs.legacyPackages.${system}; in { devShells = { @@ -238,18 +266,7 @@ packages = { nixvim = my-nixvim.packages.${system}.default; - nixosConfigurations = { - calcite = mkNixos { - modules = [ - nixos-hardware.nixosModules.asus-zephyrus-ga401 - machines/calcite/configuration.nix - (mkHome "xin" "calcite") - ]; - }; - } // self.colmenaHive.nodes; }; - - homeConfigurations = builtins.listToAttrs [ (mkHomeConfiguration "xin" "calcite") ]; } ); } diff --git a/garnix.yaml b/garnix.yaml deleted file mode 100644 index dd4f0ed..0000000 --- a/garnix.yaml +++ /dev/null @@ -1,11 +0,0 @@ -builds: - exclude: [] - include: - - '*.x86_64-linux.*' - - defaultPackage.x86_64-linux - - devShell.x86_64-linux - - homeConfigurations.* - - darwinConfigurations.* - - nixosConfigurations.* - - nixosConfigurations.aarch64-linux.calcite - - homeConfigurations.aarch64-linux.xin diff --git a/home/xin/calcite.nix b/home/xin/calcite.nix index 11307f9..71ffff6 100644 --- a/home/xin/calcite.nix +++ b/home/xin/calcite.nix @@ -27,7 +27,7 @@ }; home.packages = with pkgs; [ - thunderbird + # betterbird remmina ]; diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index f89165c..a0efe28 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -215,7 +215,7 @@ gnomeExtensions.pano gnome-tweaks gnome-themes-extra - gnome.gnome-remote-desktop + gnome-remote-desktop bibata-cursors gthumb oculante @@ -357,4 +357,12 @@ }; services.nixseparatedebuginfod.enable = true; + services.bloop = { + install = true; + extraOptions = [ + "-J-Xmx2G" + "-J-XX:MaxInlineLevel=20" + "-J-XX:+UseParallelGC" + ]; + }; } diff --git a/machines/calcite/hardware-configuration.nix b/machines/calcite/hardware-configuration.nix index 0bfa83f..c80871a 100644 --- a/machines/calcite/hardware-configuration.nix +++ b/machines/calcite/hardware-configuration.nix @@ -19,8 +19,16 @@ "usbhid" ]; boot.initrd.kernelModules = [ ]; - boot.initrd.luks.devices.cryptroot = { - device = "/dev/disk/by-uuid/5a51f623-6fbd-4843-9f83-c895067e8e7d"; + + boot.initrd = { + systemd.enable = true; # initrd uses systemd + luks = { + fido2Support = false; # because systemd + devices.cryptroot = { + device = "/dev/disk/by-uuid/5a51f623-6fbd-4843-9f83-c895067e8e7d"; + crypttabExtraOpts = [ "fido2-device=auto" ]; # cryptenroll + }; + }; }; boot.kernelModules = [ "kvm-amd" ]; boot.extraModulePackages = [ ]; @@ -69,5 +77,6 @@ hardware.nvidia = { powerManagement.enable = true; dynamicBoost.enable = lib.mkForce false; + open = true; }; } diff --git a/machines/dolomite/bandwagon.nix b/machines/dolomite/bandwagon.nix index d6db704..1284da3 100644 --- a/machines/dolomite/bandwagon.nix +++ b/machines/dolomite/bandwagon.nix @@ -16,7 +16,6 @@ in }; config = lib.mkIf cfg { - nixpkgs.hostPlatform = "x86_64-linux"; boot.initrd.availableKernelModules = [ "ata_piix" "xhci_pci" @@ -46,5 +45,7 @@ in networking.useDHCP = false; networking.interfaces.ens18.useDHCP = true; networking.interfaces.ens19.useDHCP = true; + + services.sing-box.settings.dns.strategy = "ipv4_only"; }; } diff --git a/machines/dolomite/lightsail.nix b/machines/dolomite/lightsail.nix index b1cba45..18afeda 100644 --- a/machines/dolomite/lightsail.nix +++ b/machines/dolomite/lightsail.nix @@ -25,8 +25,6 @@ in }; config = mkIf config.isLightsail { - nixpkgs.hostPlatform = "x86_64-linux"; - boot.loader.grub.device = "/dev/nvme0n1"; # from nixpkgs amazon-image.nix diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix index ef09ea5..f74f265 100644 --- a/machines/massicot/default.nix +++ b/machines/massicot/default.nix @@ -11,6 +11,7 @@ inputs.sops-nix.nixosModules.sops ./hardware-configuration.nix ./networking.nix + ./services.nix ./services ]; @@ -50,13 +51,13 @@ efiSupport = true; configurationLimit = 5; }; - - fileSystems."/mnt/storage" = { - device = "//u380335-sub1.your-storagebox.de/u380335-sub1"; - fsType = "cifs"; - options = [ "credentials=${config.sops.secrets.storage_box_mount.path}" ]; - }; - + # + # fileSystems."/mnt/storage" = { + # device = "//u380335-sub1.your-storagebox.de/u380335-sub1"; + # fsType = "cifs"; + # options = [ "credentials=${config.sops.secrets.storage_box_mount.path}" ]; + # }; + # environment.systemPackages = with pkgs; [ cifs-utils git diff --git a/machines/massicot/hardware-configuration.nix b/machines/massicot/hardware-configuration.nix index 560ac23..36e673c 100644 --- a/machines/massicot/hardware-configuration.nix +++ b/machines/massicot/hardware-configuration.nix @@ -16,8 +16,17 @@ ]; boot.initrd.kernelModules = [ "nvme" ]; fileSystems."/" = { - device = "/dev/sda1"; + device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_35068215-part1"; fsType = "ext4"; }; - nixpkgs.hostPlatform = "aarch64-linux"; + + fileSystems."/mnt/storage" = { + device = "/dev/disk/by-id/scsi-0HC_Volume_101302395"; + fsType = "btrfs"; + options = [ + "subvol=storage" + "compress=zstd" + "noatime" + ]; + }; } diff --git a/machines/massicot/kanidm-provision.nix b/machines/massicot/kanidm-provision.nix new file mode 100644 index 0000000..2439be6 --- /dev/null +++ b/machines/massicot/kanidm-provision.nix @@ -0,0 +1,217 @@ +{ config, lib, ... }: +{ + sops.secrets = { + "kanidm/ocis_android_secret" = { + owner = "kanidm"; + }; + }; + systemd.services.kanidm.serviceConfig = { + BindReadOnlyPaths = [ + config.sops.secrets."kanidm/ocis_android_secret".path + ]; + }; + services.kanidm.provision = { + enable = true; + autoRemove = true; + groups = { + forgejo-access = { + members = [ "xin" ]; + }; + forgejo-admin = { + members = [ "xin" ]; + }; + gts-users = { + members = [ "xin" ]; + }; + ocis-users = { + members = [ "xin" ]; + }; + linux_users = { + members = [ "xin" ]; + }; + hedgedoc-users = { + members = [ "xin" ]; + }; + immich-users = { + members = [ + "xin" + "zhuo" + "ycm" + ]; + }; + grafana-superadmins = { + members = [ "xin" ]; + }; + grafana-admins = { + members = [ "xin" ]; + }; + grafana-editors = { + members = [ "xin" ]; + }; + grafana-users = { + members = [ "xin" ]; + }; + miniflux-users = { + members = [ "xin" ]; + }; + idm_people_self_mail_write = { + members = [ ]; + }; + }; + persons = { + xin = { + displayName = "Xinyang Li"; + mailAddresses = [ "lixinyang411@gmail.com" ]; + }; + + zhuo = { + displayName = "Zhuo"; + mailAddresses = [ "13681104320@163.com" ]; + }; + + ycm = { + displayName = "Chunming"; + mailAddresses = [ "chunmingyou@gmail.com" ]; + }; + }; + systems.oauth2 = { + forgejo = { + displayName = "ForgeJo"; + originUrl = "https://git.xinyang.life/"; + originLanding = "https://git.xinyang.life/user/oauth2/kandim"; + allowInsecureClientDisablePkce = true; + scopeMaps = { + forgejo-access = [ + "openid" + "email" + "profile" + "groups" + ]; + }; + claimMaps = { + forgejo_role = { + joinType = "array"; + valuesByGroup = { + forgejo-access = [ "Access" ]; + forgejo-admin = [ "Admin" ]; + }; + }; + }; + }; + gts = { + displayName = "GoToSocial"; + originUrl = "https://xinyang.life/"; + originLanding = "https://xinyang.life/"; + allowInsecureClientDisablePkce = true; + scopeMaps = { + gts-users = [ + "openid" + "email" + "profile" + "groups" + ]; + }; + }; + owncloud = { + displayName = "ownCloud"; + originUrl = "https://drive.xinyang.life:8443/"; + originLanding = "https://drive.xinyang.life:8443/"; + public = true; + preferShortUsername = true; + scopeMaps = { + ocis-users = [ + "openid" + "email" + "profile" + ]; + }; + }; + + owncloud-android = { + displayName = "ownCloud Apps"; + originLanding = "https://drive.xinyang.life:8443/"; + originUrl = [ + "http://localhost/" + "http://127.0.0.1/" + "oc://android.owncloud.com" + ]; + basicSecretFile = config.sops.secrets."kanidm/ocis_android_secret".path; + preferShortUsername = true; + scopeMaps = { + ocis-users = [ + "openid" + "email" + "profile" + "offline_access" + ]; + }; + }; + + hedgedoc = { + displayName = "HedgeDoc"; + originUrl = "https://docs.xinyang.life/"; + originLanding = "https://docs.xinyang.life/auth/oauth2"; + allowInsecureClientDisablePkce = true; + scopeMaps = { + hedgedoc-users = [ + "openid" + "email" + "profile" + ]; + }; + }; + immich = { + displayName = "Immich"; + originUrl = [ + "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/" + "https://immich.xinyang.life:8000/auth/login/" + "https://immich.xinyang.life:8000/user-settings/" + ]; + originLanding = "https://immich.xinyang.life:8000/auth/login?autoLaunch=0"; + allowInsecureClientDisablePkce = true; + scopeMaps = { + immich-users = [ + "openid" + "email" + "profile" + ]; + }; + }; + miniflux = { + displayName = "Miniflux"; + originUrl = "https://rss.xinyang.life/"; + originLanding = "https://rss.xinyang.life/"; + scopeMaps = { + miniflux-users = [ + "openid" + "email" + "profile" + ]; + }; + }; + grafana = { + displayName = "Grafana"; + originUrl = "https://grafana.xinyang.life/"; + originLanding = "https://grafana.xinyang.life/"; + scopeMaps = { + grafana-users = [ + "openid" + "email" + "profile" + "groups" + ]; + }; + claimMaps = { + grafana_role = { + joinType = "array"; + valuesByGroup = { + grafana-superadmins = [ "GrafanaAdmin" ]; + grafana-admins = [ "Admin" ]; + grafana-editors = [ "Editor" ]; + }; + }; + }; + }; + }; + }; +} diff --git a/machines/massicot/networking.nix b/machines/massicot/networking.nix index 94be559..7859b2e 100644 --- a/machines/massicot/networking.nix +++ b/machines/massicot/networking.nix @@ -1,19 +1,12 @@ { pkgs, ... }: { - networking = { - interfaces = { - eth0.useDHCP = true; - eth0.ipv6.addresses = [ - { - address = "2a01:4f8:c17:345f::1"; - prefixLength = 64; - } - ]; - }; - defaultGateway6 = { - address = "fe80::1"; - interface = "eth0"; - }; - nameservers = [ ]; + networking.useNetworkd = true; + systemd.network.networks."10-wan" = { + matchConfig.MACAddress = "96:00:02:68:7d:2d"; + networkConfig.DHCP = "ipv4"; + networkConfig.Gateway = "fe80::1"; + address = [ + "2a01:4f8:c17:345f::3/64" + ]; }; } diff --git a/machines/massicot/secrets.yaml b/machines/massicot/secrets.yaml index cc3fd7f..302df3b 100644 --- a/machines/massicot/secrets.yaml +++ b/machines/massicot/secrets.yaml @@ -1,11 +1,17 @@ storage_box_mount: ENC[AES256_GCM,data:9lOAL3tkfB0pN4/cuM4SX0xoMrW0UUEzTN8spw3MQ3BWrfsRc3Stsce3puXz1sRf,iv:7Q9wzpBgQ3tqcfy0n/c6Ya84Kg60nhR/e2H0pVntWsY=,tag:9a0xvNBGQpCvhxgmV3hrww==,type:str] gts_env: ENC[AES256_GCM,data:StggMdJPevrDbrVDrBDETdQYnSOaTESkgSqpGKrSHXhS21nyCE5ya7/X4l0GVTXoGCyfWG7vK+PDW22mJxpYcj2CBaVUYDu/,iv:2fqWDaWAWxTXdG7w5HU6jBcappFEByNtYs0Jd6PaYnA=,tag:KGhrMemao6g4FkEAZmmacg==,type:str] -hedgedoc_env: ENC[AES256_GCM,data:zwAA+zKSJT0tZyYArCaa1lfL0y8DNHDp/thS11DrVxNvjmk38o0ydsKArfZKzFYye+qNBzz1B4sPCdW4cFgQUNgbM+n9AvoMB8CssdmQ+sALKmozA5aEV23q+khZSGlHocP6WA==,iv:SgZruOS1nanK64Ex1dvgoD1HzbGbNa4DFSBuVoaNgEc=,tag:R+I8m1AloDCXs5PdpEpS0w==,type:str] +hedgedoc_env: ENC[AES256_GCM,data:+rjEctM6IJUpn7WcAnBS9TkQi2lCq4wKPxbaOApffH0tFyu56SpECrLpmM749I7th3N+UGb0pLM7+Ywr7fbuuMfUuIWom6Y+CKYw4yMlgjzTaaNqBmstvMxLaPnmA01G9ie1rQ==,iv:YBIyQQ6xiUyxSnR5epE5hV9OqETLKC5CFTEaRJdErGU=,tag:77kHYQ2i2APVyadhMhmvWA==,type:str] grafana_oauth_secret: ENC[AES256_GCM,data:43+EBnN912eK/08MdJokWPxi2Lxn/D4hSHPhNmHOk9awWQ7ut/el0vaAa+Epqnui3le2p4VuotQT6XlIuDLrixIomrc6Qw5HERAEdZmbrGvDlrrNhw==,iv:Pfn8rL0LtG3hym9EdSZRjaPLMlWlut/nt2FEtRWnULo=,tag:moDWqF3aBbnO4aG0Cysfcw==,type:str] miniflux: oauth2_secret: ENC[AES256_GCM,data:jcZR9E9jXNKfkAoGgBI19qQeaz26R6qiAWjP4XrftHSCQV974tjJl+fiU8Xgi0bViA==,iv:/aY0bL/oAAHBhohy3FHB/UEDYryw7A7JOKvEbLtDHJg=,tag:Fn/6NurNkRphXySR+y9S9Q==,type:str] forgejo: env: ENC[AES256_GCM,data:TMeguXfanISeyvsay9SBqm3SSGKpp5nCkqhHblf0QHNzHWGQKwpORmWfOtVfgOh9qdDqq8wYBpXznmbvixjV,iv:IR/rMoAIvZCw9FURmau4+g8c3pvI9BRs7v1NJ5ia4jI=,tag:kjwf6RN5HN8I2sUhDcr4UQ==,type:str] +restic: + repo: ENC[AES256_GCM,data:/vybkTU7LMWSlco9W2pJouU9wm4okXClSHXQMCA6SGIHWp4Ppl6C+jS4sNJALc6ntKzcEHyWO/R3JPjQKjZNH4YtrnNQp/ZY9g==,iv:gAvp6blg5JuBKzLw6YSgM1Uc24Aesov3ttCRXZXBvJw=,tag:pvH1y6BFOl7jIn/qQejUbQ==,type:str] + password: ENC[AES256_GCM,data:5eIIBtGtBFwcAQ+ZwTYOtg==,iv:3GEM8Imu0i1aTwwSspvz2EzwJOXUC/b15hzkFFuZ+YY=,tag:wscba+nMtshldgUtcEKnOw==,type:str] +kanidm: + ocis_android_secret: ENC[AES256_GCM,data:vuEIvBEhIME+C/s3xoskddtf5nogC9nPq+HUyyAl3u9nvH3bTzUkfE/1wolaCLeeupnD3pDokdRyKzjEmoZACQ==,iv:cmx/0i23p1uEI0oAiWdcvGRq4+075+VuAMkFSfXzfso=,tag:yVnqz16L5kyW9vAVng53pA==,type:str] + ocis_desktop_secret: ENC[AES256_GCM,data:WTfUQzTB9An9p9xof2nuIkD5mYzMaisS62Cv86zX05rkB/wXmTnZiY7ztUoN9OmhGoPgeZg0+d+Jo6bV1hoqlw==,iv:V4iqtYIOcyDXIijcD0IXqpaSs2rxyWiOSZGer/BFSe4=,tag:1nCU1KmWQcY5ZXjlzhxaQQ==,type:str] sops: kms: [] gcp_kms: [] @@ -30,8 +36,8 @@ sops: dnFBa0lDWWZtS1BHdzBoVzNTaGNkSEEKi/W1n7RT8NpTp00SBMwxsUJAPDhumJ/i V2VnaSNwouD3SswTcoBzqQpBP9XrqzjIYGke90ZODFQbMY9WDQ+O0g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-08-21T05:54:31Z" - mac: ENC[AES256_GCM,data:oNBabsDRuHjMBXynr8ytCLmv5NPyA0mRUcPJfFZjjAb9ZbGP+pquwJT3S0l2yo4Nsd0YQP8X1pGS3PEv9v+N538bxmMJJCERR7iZ5U5G4h0AvKi+UkjkveDdhPWBXhC1O+Up7reT/LLzOiZ1WUHCYRQfcb9R1RL3G2NpeYuOShk=,iv:FLmtKyZjZuGDnMjOgJdoIU9EXLQSZavs8f4q2C+Sxbk=,tag:sGoJNppCTYxZ2u2l0eMHgg==,type:str] + lastmodified: "2024-09-14T05:48:04Z" + mac: ENC[AES256_GCM,data:zdGdvk2pMaZYUsTI9XsSUpgtWrNmZNPg7KoV0zAt19h7Qccu3OGTSfXD+rhhhxhhWgBohGIhDVAVQcORnAw1Y/ykgqxERCANuzoBvvR1eKfPcRNiCEr2dmUAybDF7B2MWKlJ5Fsnpk/caK717Fe8XdAJDuplFwmMWi2c1c61/NQ=,iv:KPQTGzFQH+CQmLeXBzMSbU4lVH0/Wc6CeTp6w/pMMOY=,tag:UVA+sQwQa2bpy2/woBgAkQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.0 diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix new file mode 100644 index 0000000..4be75c5 --- /dev/null +++ b/machines/massicot/services.nix @@ -0,0 +1,303 @@ +{ + config, + pkgs, + lib, + ... +}: +let + kanidm_listen_port = 5324; +in +{ + imports = [ + ./kanidm-provision.nix + ]; + networking.firewall.allowedTCPPorts = [ + 80 + 443 + 2222 + 8448 + ]; + networking.firewall.allowedUDPPorts = [ + 80 + 443 + 8448 + ]; + + custom.vaultwarden = { + enable = true; + domain = "vaultwarden.xinyang.life"; + }; + + custom.hedgedoc = { + enable = true; + caddy = true; + domain = "docs.xinyang.life"; + mediaPath = "/mnt/storage/hedgedoc"; + oidc = { + enable = true; + baseURL = "https://auth.xinyang.life/oauth2/openid/hedgedoc"; + authorizationURL = "https://auth.xinyang.life/ui/oauth2"; + tokenURL = "https://auth.xinyang.life/oauth2/token"; + userProfileURL = "https://auth.xinyang.life/oauth2/openid/hedgedoc/userinfo"; + }; + environmentFile = config.sops.secrets.hedgedoc_env.path; + }; + + custom.prometheus = { + enable = true; + exporters.blackbox.enable = true; + exporters.miniflux.enable = true; + }; + + security.acme = { + acceptTerms = true; + certs."auth.xinyang.life" = { + email = "lixinyang411@gmail.com"; + listenHTTP = "127.0.0.1:1360"; + group = "kanidm"; + }; + }; + + services.ntfy-sh = { + enable = true; + group = "caddy"; + settings = { + listen-unix = "/var/run/ntfy-sh/ntfy.sock"; + listen-unix-mode = 432; # octal 0660 + base-url = "https://ntfy.xinyang.life"; + }; + }; + + systemd.services.ntfy-sh.serviceConfig.RuntimeDirectory = "ntfy-sh"; + + services.kanidm = { + package = pkgs.kanidm.withSecretProvisioning; + enableServer = true; + serverSettings = { + domain = "auth.xinyang.life"; + origin = "https://auth.xinyang.life"; + bindaddress = "[::]:${toString kanidm_listen_port}"; + tls_key = ''${config.security.acme.certs."auth.xinyang.life".directory}/key.pem''; + tls_chain = ''${config.security.acme.certs."auth.xinyang.life".directory}/fullchain.pem''; + online_backup.versions = 7; + # db_path = "/var/lib/kanidm/kanidm.db"; + }; + }; + + custom.miniflux = { + enable = true; + environment = { + LOG_LEVEL = "debug"; + LISTEN_ADDR = "127.0.0.1:58173"; + BASE_URL = "https://rss.xinyang.life/"; + OAUTH2_PROVIDER = "oidc"; + OAUTH2_CLIENT_ID = "miniflux"; + OAUTH2_REDIRECT_URL = "https://rss.xinyang.life/oauth2/oidc/callback"; + OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://auth.xinyang.life/oauth2/openid/miniflux"; + OAUTH2_USER_CREATION = 1; + }; + oauth2SecretFile = config.sops.secrets."miniflux/oauth2_secret".path; + }; + + services.matrix-conduit = { + enable = true; + # package = inputs.conduit.packages.${pkgs.system}.default; + package = pkgs.matrix-conduit; + settings.global = { + server_name = "xinyang.life"; + port = 6167; + # database_path = "/var/lib/matrix-conduit/"; + max_concurrent_requests = 100; + log = "info"; + database_backend = "rocksdb"; + allow_registration = false; + + well_known = { + client = "https://msg.xinyang.life"; + server = "msg.xinyang.life:443"; + }; + }; + }; + + users.users.conduit = { + isSystemUser = true; + group = "conduit"; + }; + users.groups.conduit = { }; + + services.gotosocial = { + enable = true; + settings = { + log-level = "debug"; + host = "xinyang.life"; + letsencrypt-enabled = false; + bind-address = "localhost"; + instance-expose-public-timeline = true; + oidc-enabled = true; + oidc-idp-name = "Kanidm"; + oidc-issuer = "https://auth.xinyang.life/oauth2/openid/gts"; + oidc-client-id = "gts"; + oidc-link-existing = true; + storage-local-base-path = "/mnt/storage/gotosocial/storage"; + }; + environmentFile = config.sops.secrets.gts_env.path; + }; + + services.forgejo = { + enable = true; + # Use cutting edge instead of lts + package = pkgs.forgejo; + repositoryRoot = "/mnt/storage/forgejo/repositories"; + lfs = { + enable = true; + contentDir = "/mnt/storage/forgejo/lfs"; + }; + settings = { + service.DISABLE_REGISTRATION = true; + server = { + ROOT_URL = "https://git.xinyang.life/"; + START_SSH_SERVER = false; + SSH_USER = config.services.forgejo.user; + SSH_DOMAIN = "ssh.xinyang.life"; + SSH_PORT = 22; + LFS_MAX_FILE_SIZE = 10737418240; + LANDING_PAGE = "/explore/repos"; + }; + repository = { + ENABLE_PUSH_CREATE_USER = true; + }; + service = { + ENABLE_BASIC_AUTHENTICATION = false; + }; + oauth2 = { + ENABLED = false; # Disable forgejo as oauth2 provider + }; + oauth2_client = { + ACCOUNT_LINKING = "auto"; + USERNAME = "email"; + ENABLE_AUTO_REGISTRATION = true; + UPDATE_AVATAR = false; + OPENID_CONNECT_SCOPES = "openid profile email groups"; + }; + other = { + SHOW_FOOTER_VERSION = false; + }; + }; + }; + + systemd.services.forgejo = { + serviceConfig = { + EnvironmentFile = config.sops.secrets."forgejo/env".path; + ExecStartPost = '' + ${lib.getExe config.services.forgejo.package} admin auth update-oauth \ + --id 1 \ + --name kanidm \ + --provider openidConnect \ + --key forgejo \ + --secret $CLIENT_SECRET \ + --icon-url https://auth.xinyang.life/pkg/img/favicon.png \ + --group-claim-name forgejo_role --admin-group Admin + ''; + }; + }; + + services.grafana = { + enable = true; + settings = { + server = { + http_addr = "127.0.0.1"; + http_port = 3003; + root_url = "https://grafana.xinyang.life"; + domain = "grafana.xinyang.life"; + }; + "auth.generic_oauth" = { + enabled = true; + name = "Kanidm"; + client_id = "grafana"; + scopes = "openid,profile,email,groups"; + auth_url = "https://auth.xinyang.life/ui/oauth2"; + token_url = "https://auth.xinyang.life/oauth2/token"; + api_url = "https://auth.xinyang.life/oauth2/openid/grafana/userinfo"; + use_pkce = true; + use_refresh_token = true; + allow_sign_up = true; + login_attribute_path = "preferred_username"; + groups_attribute_path = "groups"; + role_attribute_path = "contains(grafana_role[*], 'GrafanaAdmin') && 'GrafanaAdmin' || contains(grafana_role[*], 'Admin') && 'Admin' || contains(grafana_role[*], 'Editor') && 'Editor' || 'Viewer'"; + allow_assign_grafana_admin = true; + auto_login = true; + }; + "auth" = { + disable_login_form = true; + }; + }; + }; + + systemd.services.grafana.serviceConfig.EnvironmentFile = + config.sops.secrets.grafana_oauth_secret.path; + + users.users.git = { + isSystemUser = true; + useDefaultShell = true; + group = "git"; + extraGroups = [ "forgejo" ]; + }; + users.groups.git = { }; + + users.users = { + ${config.services.caddy.user}.extraGroups = [ config.services.ntfy-sh.group ]; + }; + + services.caddy = { + enable = true; + virtualHosts."xinyang.life:443".extraConfig = '' + tls internal + encode zstd gzip + reverse_proxy /.well-known/matrix/* localhost:6167 + reverse_proxy * http://localhost:8080 { + flush_interval -1 + } + ''; + virtualHosts."https://msg.xinyang.life:443".extraConfig = '' + reverse_proxy /_matrix/* localhost:6167 + ''; + virtualHosts."https://git.xinyang.life:443".extraConfig = '' + reverse_proxy http://${config.services.gitea.settings.server.DOMAIN}:${toString config.services.gitea.settings.server.HTTP_PORT} + ''; + + virtualHosts."http://auth.xinyang.life:80".extraConfig = '' + reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP} + ''; + virtualHosts."https://auth.xinyang.life".extraConfig = '' + reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} { + header_up Host {upstream_hostport} + header_down Access-Control-Allow-Origin "*" + transport http { + tls_server_name ${config.services.kanidm.serverSettings.domain} + } + } + ''; + + virtualHosts."https://rss.xinyang.life".extraConfig = '' + reverse_proxy ${config.custom.miniflux.environment.LISTEN_ADDR} + ''; + + virtualHosts."https://ntfy.xinyang.life".extraConfig = '' + reverse_proxy unix/${config.services.ntfy-sh.settings.listen-unix} + @httpget { + protocol http + method GET + path_regexp ^/([-_a-z0-9]{0,64}$|docs/|static/) + } + redir @httpget https://{host}{uri} + ''; + + virtualHosts."https://grafana.xinyang.life".extraConfig = + let + grafanaSettings = config.services.grafana.settings.server; + in + '' + reverse_proxy http://${grafanaSettings.http_addr}:${toString grafanaSettings.http_port} + ''; + }; +} diff --git a/machines/massicot/services/conduit.nix b/machines/massicot/services/conduit.nix deleted file mode 100644 index 505c699..0000000 --- a/machines/massicot/services/conduit.nix +++ /dev/null @@ -1,46 +0,0 @@ -{ pkgs, lib, ... }: -let - inherit (lib) mkForce; -in -{ - config = { - custom.cifs-mounts = [ "conduit" ]; - - services.matrix-conduit = { - enable = true; - # package = inputs.conduit.packages.${pkgs.system}.default; - package = pkgs.matrix-conduit; - settings.global = { - server_name = "xinyang.life"; - port = 6167; - # database_path = "/var/lib/matrix-conduit/"; - max_concurrent_requests = 100; - log = "info"; - database_backend = "rocksdb"; - allow_registration = false; - - well_known = { - client = "https://msg.xinyang.life"; - server = "msg.xinyang.life:443"; - }; - }; - }; - - systemd.services.conduit = { - serviceConfig = { - DynamicUser = mkForce false; - }; - }; - - users.users.conduit = { - group = "conduit"; - isSystemUser = true; - }; - users.groups.conduit = { }; - - services.caddy.enable = true; - services.caddy.virtualHosts."https://msg.xinyang.life:443".extraConfig = '' - reverse_proxy /_matrix/* localhost:6167 - ''; - }; -} diff --git a/machines/massicot/services/default.nix b/machines/massicot/services/default.nix index cb4ebc1..fdf054b 100644 --- a/machines/massicot/services/default.nix +++ b/machines/massicot/services/default.nix @@ -1,22 +1,5 @@ { imports = [ - ./conduit.nix - ./forgejo.nix - ./gotosocial.nix - ./grafana.nix - ./hedgedoc.nix - ./kanidm - ./miniflux.nix - ./ntfy.nix - ./storagebox.nix - ./vaultwarden.nix + ./restic.nix ]; - config = { - - custom.prometheus = { - enable = true; - exporters.blackbox.enable = true; - exporters.miniflux.enable = true; - }; - }; } diff --git a/machines/massicot/services/forgejo.nix b/machines/massicot/services/forgejo.nix deleted file mode 100644 index f2dd9b6..0000000 --- a/machines/massicot/services/forgejo.nix +++ /dev/null @@ -1,84 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: -let - inherit (lib) getExe; -in -{ - config = { - custom.cifs-mounts = [ "forgejo" ]; - services.forgejo = { - enable = true; - # Use cutting edge instead of lts - package = pkgs.forgejo; - repositoryRoot = "/mnt/storage/forgejo/repositories"; - lfs = { - enable = true; - contentDir = "/mnt/storage/forgejo/lfs"; - }; - settings = { - service.DISABLE_REGISTRATION = true; - server = { - ROOT_URL = "https://git.xinyang.life/"; - START_SSH_SERVER = false; - SSH_USER = config.services.forgejo.user; - SSH_DOMAIN = "ssh.xinyang.life"; - SSH_PORT = 22; - LFS_MAX_FILE_SIZE = 10737418240; - LANDING_PAGE = "/explore/repos"; - }; - repository = { - ENABLE_PUSH_CREATE_USER = true; - }; - service = { - ENABLE_BASIC_AUTHENTICATION = false; - }; - oauth2 = { - ENABLED = false; # Disable forgejo as oauth2 provider - }; - oauth2_client = { - ACCOUNT_LINKING = "auto"; - USERNAME = "email"; - ENABLE_AUTO_REGISTRATION = true; - UPDATE_AVATAR = false; - OPENID_CONNECT_SCOPES = "openid profile email groups"; - }; - other = { - SHOW_FOOTER_VERSION = false; - }; - }; - }; - - systemd.services.forgejo = { - serviceConfig = { - EnvironmentFile = config.sops.secrets."forgejo/env".path; - ExecStartPost = '' - ${getExe config.services.forgejo.package} admin auth update-oauth \ - --id 1 \ - --name kanidm \ - --provider openidConnect \ - --key forgejo \ - --secret $CLIENT_SECRET \ - --icon-url https://auth.xinyang.life/pkg/img/favicon.png \ - --group-claim-name forgejo_role --admin-group Admin - ''; - }; - }; - - users.users.git = { - isSystemUser = true; - useDefaultShell = true; - group = "git"; - extraGroups = [ "forgejo" ]; - }; - users.groups.git = { }; - - services.caddy.enable = true; - services.caddy.virtualHosts."https://git.xinyang.life:443".extraConfig = '' - reverse_proxy http://${config.services.gitea.settings.server.DOMAIN}:${toString config.services.gitea.settings.server.HTTP_PORT} - ''; - }; -} diff --git a/machines/massicot/services/gotosocial.nix b/machines/massicot/services/gotosocial.nix deleted file mode 100644 index d6fe1d3..0000000 --- a/machines/massicot/services/gotosocial.nix +++ /dev/null @@ -1,33 +0,0 @@ -{ config, ... }: -{ - config = { - custom.cifs-mounts = [ "gotosocial" ]; - services.gotosocial = { - enable = true; - settings = { - log-level = "debug"; - host = "xinyang.life"; - letsencrypt-enabled = false; - bind-address = "localhost"; - instance-expose-public-timeline = true; - oidc-enabled = true; - oidc-idp-name = "Kanidm"; - oidc-issuer = "https://auth.xinyang.life/oauth2/openid/gts"; - oidc-client-id = "gts"; - oidc-link-existing = true; - storage-local-base-path = "/mnt/storage/gotosocial/storage"; - }; - environmentFile = config.sops.secrets.gts_env.path; - }; - - services.caddy.enable = true; - services.caddy.virtualHosts."xinyang.life:443".extraConfig = '' - tls internal - encode zstd gzip - reverse_proxy /.well-known/matrix/* localhost:6167 - reverse_proxy * http://localhost:8080 { - flush_interval -1 - } - ''; - }; -} diff --git a/machines/massicot/services/grafana.nix b/machines/massicot/services/grafana.nix deleted file mode 100644 index a8e2cea..0000000 --- a/machines/massicot/services/grafana.nix +++ /dev/null @@ -1,47 +0,0 @@ -{ config, ... }: -{ - config = { - services.grafana = { - enable = true; - settings = { - server = { - http_addr = "127.0.0.1"; - http_port = 3003; - root_url = "https://grafana.xinyang.life"; - domain = "grafana.xinyang.life"; - }; - "auth.generic_oauth" = { - enabled = true; - name = "Kanidm"; - client_id = "grafana"; - scopes = "openid,profile,email,groups"; - auth_url = "https://auth.xinyang.life/ui/oauth2"; - token_url = "https://auth.xinyang.life/oauth2/token"; - api_url = "https://auth.xinyang.life/oauth2/openid/grafana/userinfo"; - use_pkce = true; - use_refresh_token = true; - allow_sign_up = true; - login_attribute_path = "preferred_username"; - groups_attribute_path = "groups"; - role_attribute_path = "contains(grafana_role[*], 'GrafanaAdmin') && 'GrafanaAdmin' || contains(grafana_role[*], 'Admin') && 'Admin' || contains(grafana_role[*], 'Editor') && 'Editor' || 'Viewer'"; - allow_assign_grafana_admin = true; - auto_login = true; - }; - "auth" = { - disable_login_form = true; - }; - }; - }; - - systemd.services.grafana.serviceConfig.EnvironmentFile = - config.sops.secrets.grafana_oauth_secret.path; - - services.caddy.virtualHosts."https://grafana.xinyang.life".extraConfig = - let - grafanaSettings = config.services.grafana.settings.server; - in - '' - reverse_proxy http://${grafanaSettings.http_addr}:${toString grafanaSettings.http_port} - ''; - }; -} diff --git a/machines/massicot/services/hedgedoc.nix b/machines/massicot/services/hedgedoc.nix deleted file mode 100644 index 5aa2d2e..0000000 --- a/machines/massicot/services/hedgedoc.nix +++ /dev/null @@ -1,20 +0,0 @@ -{ config, ... }: -{ - config = { - custom.cifs-mounts = [ "hedgedoc" ]; - custom.hedgedoc = { - enable = true; - caddy = true; - domain = "docs.xinyang.life"; - mediaPath = "/mnt/storage/hedgedoc"; - oidc = { - enable = true; - baseURL = "https://auth.xinyang.life/oauth2/openid/hedgedoc"; - authorizationURL = "https://auth.xinyang.life/ui/oauth2"; - tokenURL = "https://auth.xinyang.life/oauth2/token"; - userProfileURL = "https://auth.xinyang.life/oauth2/openid/hedgedoc/userinfo"; - }; - environmentFile = config.sops.secrets.hedgedoc_env.path; - }; - }; -} diff --git a/machines/massicot/services/kanidm/default.nix b/machines/massicot/services/kanidm/default.nix deleted file mode 100644 index 381644d..0000000 --- a/machines/massicot/services/kanidm/default.nix +++ /dev/null @@ -1,52 +0,0 @@ -{ config, pkgs, ... }: -let - kanidm_listen_port = 5324; -in -{ - config = { - services.caddy = { - virtualHosts."http://auth.xinyang.life:80".extraConfig = '' - reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP} - ''; - virtualHosts."https://auth.xinyang.life".extraConfig = '' - reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} { - header_up Host {upstream_hostport} - header_down Access-Control-Allow-Origin "*" - transport http { - tls_server_name ${config.services.kanidm.serverSettings.domain} - } - } - ''; - }; - - services.kanidm = { - package = pkgs.kanidm.withSecretProvisioning; - enableServer = true; - serverSettings = { - domain = "auth.xinyang.life"; - origin = "https://auth.xinyang.life"; - bindaddress = "[::]:${toString kanidm_listen_port}"; - tls_key = ''${config.security.acme.certs."auth.xinyang.life".directory}/key.pem''; - tls_chain = ''${config.security.acme.certs."auth.xinyang.life".directory}/fullchain.pem''; - online_backup.versions = 7; - # db_path = "/var/lib/kanidm/kanidm.db"; - }; - provision = import ./kanidm-provision.nix; - }; - - networking.firewall.allowedTCPPorts = [ - 80 - 443 - ]; - - security.acme = { - acceptTerms = true; - certs."auth.xinyang.life" = { - email = "lixinyang411@gmail.com"; - listenHTTP = "127.0.0.1:1360"; - group = "kanidm"; - }; - }; - - }; -} diff --git a/machines/massicot/services/kanidm/kanidm-provision.nix b/machines/massicot/services/kanidm/kanidm-provision.nix deleted file mode 100644 index 95c75df..0000000 --- a/machines/massicot/services/kanidm/kanidm-provision.nix +++ /dev/null @@ -1,178 +0,0 @@ -{ - enable = true; - autoRemove = true; - groups = { - forgejo-access = { - members = [ "xin" ]; - }; - forgejo-admin = { - members = [ "xin" ]; - }; - gts-users = { - members = [ "xin" ]; - }; - ocis-users = { - members = [ "xin" ]; - }; - linux_users = { - members = [ "xin" ]; - }; - hedgedoc-users = { - members = [ "xin" ]; - }; - immich-users = { - members = [ - "xin" - "zhuo" - "ycm" - ]; - }; - grafana-superadmins = { - members = [ "xin" ]; - }; - grafana-admins = { - members = [ "xin" ]; - }; - grafana-editors = { - members = [ "xin" ]; - }; - grafana-users = { - members = [ "xin" ]; - }; - miniflux-users = { - members = [ "xin" ]; - }; - idm_people_self_mail_write = { - members = [ ]; - }; - }; - persons = { - xin = { - displayName = "Xinyang Li"; - mailAddresses = [ "lixinyang411@gmail.com" ]; - }; - - zhuo = { - displayName = "Zhuo"; - mailAddresses = [ "13681104320@163.com" ]; - }; - - ycm = { - displayName = "Chunming"; - mailAddresses = [ "chunmingyou@gmail.com" ]; - }; - }; - systems.oauth2 = { - forgejo = { - displayName = "ForgeJo"; - originUrl = "https://git.xinyang.life/"; - originLanding = "https://git.xinyang.life/user/oauth2/kandim"; - allowInsecureClientDisablePkce = true; - scopeMaps = { - forgejo-access = [ - "openid" - "email" - "profile" - "groups" - ]; - }; - claimMaps = { - forgejo_role = { - joinType = "array"; - valuesByGroup = { - forgejo-access = [ "Access" ]; - forgejo-admin = [ "Admin" ]; - }; - }; - }; - }; - gts = { - displayName = "GoToSocial"; - originUrl = "https://xinyang.life/"; - originLanding = "https://xinyang.life/"; - allowInsecureClientDisablePkce = true; - scopeMaps = { - gts-users = [ - "openid" - "email" - "profile" - "groups" - ]; - }; - }; - owncloud = { - displayName = "ownCloud"; - originUrl = "https://home.xinyang.life:9201/"; - originLanding = "https://home.xinyang.life:9201/"; - public = true; - scopeMaps = { - ocis-users = [ - "openid" - "email" - "profile" - ]; - }; - }; - hedgedoc = { - displayName = "HedgeDoc"; - originUrl = "https://docs.xinyang.life/"; - originLanding = "https://docs.xinyang.life/auth/oauth2"; - allowInsecureClientDisablePkce = true; - scopeMaps = { - hedgedoc-users = [ - "openid" - "email" - "profile" - ]; - }; - }; - immich-mobile = { - displayName = "Immich"; - originUrl = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/"; - originLanding = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/"; - allowInsecureClientDisablePkce = true; - scopeMaps = { - immich-users = [ - "openid" - "email" - "profile" - ]; - }; - }; - miniflux = { - displayName = "Miniflux"; - originUrl = "https://rss.xinyang.life/"; - originLanding = "https://rss.xinyang.life/"; - scopeMaps = { - miniflux-users = [ - "openid" - "email" - "profile" - ]; - }; - }; - grafana = { - displayName = "Grafana"; - originUrl = "https://grafana.xinyang.life/"; - originLanding = "https://grafana.xinyang.life/"; - scopeMaps = { - grafana-users = [ - "openid" - "email" - "profile" - "groups" - ]; - }; - claimMaps = { - grafana_role = { - joinType = "array"; - valuesByGroup = { - grafana-superadmins = [ "GrafanaAdmin" ]; - grafana-admins = [ "Admin" ]; - grafana-editors = [ "Editor" ]; - }; - }; - }; - }; - }; -} diff --git a/machines/massicot/services/miniflux.nix b/machines/massicot/services/miniflux.nix deleted file mode 100644 index 703aac4..0000000 --- a/machines/massicot/services/miniflux.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ config, ... }: -{ - config = { - custom.miniflux = { - enable = true; - environment = { - LOG_LEVEL = "debug"; - LISTEN_ADDR = "127.0.0.1:58173"; - BASE_URL = "https://rss.xinyang.life/"; - OAUTH2_PROVIDER = "oidc"; - OAUTH2_CLIENT_ID = "miniflux"; - OAUTH2_REDIRECT_URL = "https://rss.xinyang.life/oauth2/oidc/callback"; - OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://auth.xinyang.life/oauth2/openid/miniflux"; - OAUTH2_USER_CREATION = 1; - }; - oauth2SecretFile = config.sops.secrets."miniflux/oauth2_secret".path; - }; - - services.caddy = { - enable = true; - virtualHosts."https://rss.xinyang.life".extraConfig = '' - reverse_proxy ${config.custom.miniflux.environment.LISTEN_ADDR} - ''; - }; - }; -} diff --git a/machines/massicot/services/ntfy.nix b/machines/massicot/services/ntfy.nix deleted file mode 100644 index 02ff488..0000000 --- a/machines/massicot/services/ntfy.nix +++ /dev/null @@ -1,29 +0,0 @@ -{ config, ... }: -{ - config = { - services.ntfy-sh = { - enable = true; - group = "caddy"; - settings = { - listen-unix = "/var/run/ntfy-sh/ntfy.sock"; - listen-unix-mode = 432; # octal 0660 - base-url = "https://ntfy.xinyang.life"; - }; - }; - systemd.services.ntfy-sh.serviceConfig.RuntimeDirectory = "ntfy-sh"; - - users.users = { - ${config.services.caddy.user}.extraGroups = [ config.services.ntfy-sh.group ]; - }; - - services.caddy.virtualHosts."https://ntfy.xinyang.life".extraConfig = '' - reverse_proxy unix/${config.services.ntfy-sh.settings.listen-unix} - @httpget { - protocol http - method GET - path_regexp ^/([-_a-z0-9]{0,64}$|docs/|static/) - } - redir @httpget https://{host}{uri} - ''; - }; -} diff --git a/machines/massicot/services/restic.nix b/machines/massicot/services/restic.nix new file mode 100644 index 0000000..9a319bb --- /dev/null +++ b/machines/massicot/services/restic.nix @@ -0,0 +1,51 @@ +{ + config, + lib, + pkgs, + ... +}: +let + sqliteBackup = path: '' + mkdir -p /backup${path} + ${lib.getExe pkgs.sqlite} ${path} "vacuum into '/var/backup${path}'" + ''; +in +{ + sops.secrets = { + "restic/repo" = { + sopsFile = ../secrets.yaml; + }; + "restic/password" = { + sopsFile = ../secrets.yaml; + }; + }; + + custom.restic = { + enable = true; + repositoryFile = config.sops.secrets."restic/repo".path; + passwordFile = config.sops.secrets."restic/password".path; + paths = [ + "/var/backup" + "/mnt/storage" + ]; + }; + + services.postgresqlBackup = { + enable = true; + compression = "zstd"; + compressionLevel = 9; + location = "/var/backup/postgresql"; + }; + + services.restic.backups.${config.networking.hostName} = { + backupPrepareCommand = builtins.concatStringsSep "\n" [ + (sqliteBackup "/var/lib/hedgedoc/db.sqlite") + (sqliteBackup "/var/lib/bitwarden_rs/db.sqlite3") + (sqliteBackup "/var/lib/gotosocial/database.sqlite") + (sqliteBackup "/var/lib/kanidm/kanidm.db") + ]; + extraBackupArgs = [ + "--limit-upload=1024" + ]; + }; +} diff --git a/machines/massicot/services/storagebox.nix b/machines/massicot/services/storagebox.nix deleted file mode 100644 index 9cbd8f3..0000000 --- a/machines/massicot/services/storagebox.nix +++ /dev/null @@ -1,25 +0,0 @@ -{ config, lib, ... }: -let - inherit (lib) mkDefault mkOption types; - - cfg = config.custom; -in -{ - options = { - custom.cifs-mounts = mkOption { type = with types; (listOf str); }; - }; - - config = { - services.cachefilesd.enable = true; - - systemd.mounts = map (share: { - what = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}"; - where = "/mnt/storage/${share}"; - type = "cifs"; - options = mkDefault "rw,uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path},_netdev,fsc"; - before = [ "${share}.service" ]; - after = [ "cachefilesd.service" ]; - wantedBy = [ "${share}.service" ]; - }) cfg.cifs-mounts; - }; -} diff --git a/machines/massicot/services/vaultwarden.nix b/machines/massicot/services/vaultwarden.nix deleted file mode 100644 index 7d754c0..0000000 --- a/machines/massicot/services/vaultwarden.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ - config = { - custom.vaultwarden = { - enable = true; - domain = "vaultwarden.xinyang.life"; - }; - }; -} diff --git a/machines/raspite/configuration.nix b/machines/raspite/configuration.nix index 8eaa463..049e67e 100644 --- a/machines/raspite/configuration.nix +++ b/machines/raspite/configuration.nix @@ -17,8 +17,6 @@ }) ]; - nixpkgs.hostPlatform = "aarch64-linux"; - environment.systemPackages = with pkgs; [ git libraspberrypi diff --git a/machines/weilite/default.nix b/machines/weilite/default.nix index 5718b56..ce39730 100644 --- a/machines/weilite/default.nix +++ b/machines/weilite/default.nix @@ -2,17 +2,15 @@ inputs, config, pkgs, - lib, modulesPath, ... }: -with lib; - { imports = [ inputs.sops-nix.nixosModules.sops (modulesPath + "/profiles/qemu-guest.nix") + ./services ]; config = { @@ -50,6 +48,10 @@ with lib; owner = "caddy"; mode = "400"; }; + "immich/oauth_client_secret" = { + owner = "immich"; + mode = "400"; + }; }; }; @@ -89,6 +91,31 @@ with lib; environment = { IMMICH_MACHINE_LEARNING_ENABLED = "false"; }; + database.enable = true; + }; + + custom.immich.jsonSettings = { + oauth = { + enabled = true; + issuerUrl = "https://auth.xinyang.life/oauth2/openid/immich/"; + clientId = "immich"; + clientSecret = { + _secret = config.sops.secrets."immich/oauth_client_secret".path; + }; + scope = "openid email profile"; + signingAlgorithm = "ES256"; + storageLabelClaim = "email"; + buttonText = "Login with Kanidm"; + autoLaunch = true; + mobileOverrideEnabled = true; + mobileRedirectUri = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/"; + }; + passwordLogin = { + enabled = false; + }; + newVersionCheck = { + enabled = false; + }; }; services.dae = { diff --git a/machines/weilite/secrets.yaml b/machines/weilite/secrets.yaml index 02f78d6..bb631bb 100644 --- a/machines/weilite/secrets.yaml +++ b/machines/weilite/secrets.yaml @@ -1,4 +1,6 @@ cloudflare_dns_token: ENC[AES256_GCM,data:m4euSkxxJmiMk9UPyeni/hwpl1W9A4MM0ssg71eOBsX4fFyG39NJeKbNTddW7omBx3gKJtnrRuDdOj5wpg==,iv:eRVzsGwz8hWC42jM+VeSUWCS9Gi8VGSY8Fyh+En0jEI=,tag:NNE8VeNQ8kp9KyziVokyuQ==,type:str] +immich: + oauth_client_secret: ENC[AES256_GCM,data:EFs2hPjGMj0idwY3oQVIDTOIWkdwoAoAVjDQE9Z2eAKzUDH3grmYpYE+33V8d/Ux,iv:A9cjwFr/ZqltG62/N8MQ1LhdDbSIVVAqIPVB492zYJw=,tag:VTTtE697BZTVsI32UF53/w==,type:str] sops: kms: [] gcp_kms: [] @@ -23,8 +25,8 @@ sops: V0thRjU4WGpQRGFpcnoxSjZTZHhTTkUKzNMHh9p7GUY3hL5XZ9S4x20CwaItsXFV RKujsFVVBd8Kuq/jyOCBTRCscuHI4LW/wYeZYHFEZFSTK2liAqspgw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-07-29T09:05:41Z" - mac: ENC[AES256_GCM,data:4RX5WtJnI4R2OAKNljo8IhBNTR+PSSFsT4rE0mjS4pEdWyJilAgLwcVU0DEDp7thHeT+YyjDQ9d3z1aeGALlJ3sV57azu4F9/KXixvZMKJtmFRsC74OTSBzFfnA4W9MjOTn95L+RQOJ/3UH1FAZ7UHAe3Os98kNW98D/Nv4S9us=,iv:En7RNovlF1yRURu9fGHRgWvsr3FzpeLtrKELtqkJUb8=,tag:4eVlLsraN17rBbAL7xOHnQ==,type:str] + lastmodified: "2024-09-07T14:56:37Z" + mac: ENC[AES256_GCM,data:PvMTvWumdW8W3Qj8WG4VBug8TzM+g9vQBdJNMr2rHxhFLgBp9lNOsVJkyDASnse+RVx9EKesRYni6t43XB2F7Y6nsv6PA7m9GYm08ELFXxYOLUjjrUSPzI6PhEk2eUbJ/MO/ojcntVRcbw1pmLUhq2Dj4mpl4Po6w4OyutKNNOg=,iv:eX/IiUn44Ecv5uTEQ5urUpWuuq+dr7ElVpZF24QpRxQ=,tag:3WcjZ/SP/Jd4JVkORBvkWg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.0 diff --git a/machines/weilite/services/default.nix b/machines/weilite/services/default.nix new file mode 100644 index 0000000..031018b --- /dev/null +++ b/machines/weilite/services/default.nix @@ -0,0 +1,6 @@ +{ + imports = [ + ./ocis.nix + ./restic.nix + ]; +} diff --git a/machines/weilite/services/ocis.nix b/machines/weilite/services/ocis.nix new file mode 100644 index 0000000..26a6769 --- /dev/null +++ b/machines/weilite/services/ocis.nix @@ -0,0 +1,36 @@ +{ config, pkgs, ... }: +{ + sops = { + secrets = { + "ocis/env" = { + sopsFile = ../secrets.yaml; + }; + }; + }; + + services.ocis = { + enable = true; + package = pkgs.ocis-bin; + stateDir = "/var/lib/ocis"; + url = "https://drive.xinyang.life:8443"; + address = "127.0.0.1"; + port = 9200; + environment = { + OCIS_INSECURE = "false"; + OCIS_LOG_LEVEL = "trace"; + OCIS_LOG_PRETTY = "true"; + # For reverse proxy. Disable tls. + OCIS_PROXY_TLS = "false"; + WEB_OIDC_CLIENT_ID = "owncloud"; + WEB_OIDC_ISSUER = "https://auth.xinyang.life/oauth2/openid/owncloud"; + OCIS_EXCLUDE_RUN_SERVICES = "idp"; + PROXY_OIDC_REWRITE_WELLKNOWN = "true"; + }; + }; + + networking.allowedTCPPorts = [ 8443 ]; + + services.caddy.virtualHosts."${config.services.ocis.url}".extraConfig = '' + reverse_proxy ${config.services.ocis.address}:${config.services.ocis.address} + ''; +} diff --git a/machines/weilite/services/restic.nix b/machines/weilite/services/restic.nix new file mode 100644 index 0000000..e1fb489 --- /dev/null +++ b/machines/weilite/services/restic.nix @@ -0,0 +1,18 @@ +{ config, ... }: +{ + services.restic.server = { + enable = true; + dataDir = "/var/lib/restic"; + listenAddress = "127.0.0.1:19573"; + privateRepos = "true"; + extraFlags = [ + "--append-only" + ]; + }; + + networking.allowedTCPPorts = [ 8443 ]; + + services.caddy.virtualHosts."https://backup.xinyang.life:8443".extraConfig = '' + reverse_proxy ${config.services.restic.server.listenAddress} + ''; +} diff --git a/modules/home-manager/git.nix b/modules/home-manager/git.nix index 66f1ceb..1777d60 100644 --- a/modules/home-manager/git.nix +++ b/modules/home-manager/git.nix @@ -19,7 +19,7 @@ in enable = mkEnableOption "Git ssh signing"; keyFile = mkOption { type = types.str; - default = "~/.ssh/id_ecdsa.pub"; + default = "~/.ssh/id_ed25519_sk.pub"; }; }; }; diff --git a/modules/home-manager/vscode.nix b/modules/home-manager/vscode.nix index 5c801fc..9af7fdd 100644 --- a/modules/home-manager/vscode.nix +++ b/modules/home-manager/vscode.nix @@ -36,8 +36,7 @@ let sourceRoot = "extension"; })) twxs.cmake - ms-vscode.cpptools - ]; + ] ++ (with pkgs.vscode-extensions; [ ms-vscode.cpptools ]); settings = { "cmake.configureOnEdit" = false; "cmake.showOptionsMovedNotification" = false; diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index a08c54e..36bf773 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -13,5 +13,6 @@ ./forgejo-actions-runner.nix ./oidc-agent.nix ./miniflux.nix + ./immich.nix ]; } diff --git a/modules/nixos/immich.nix b/modules/nixos/immich.nix new file mode 100644 index 0000000..d79afc1 --- /dev/null +++ b/modules/nixos/immich.nix @@ -0,0 +1,60 @@ +{ + config, + lib, + pkgs, + utils, + ... +}: +let + cfg = config.custom.immich; + upstreamCfg = config.services.immich; + settingsFormat = pkgs.formats.json { }; + user = config.systemd.services.immich-server.serviceConfig.User; + group = config.systemd.services.immich-server.serviceConfig.Group; +in +{ + options = { + custom.immich.jsonSettings = lib.mkOption { + type = lib.types.submodule { + freeformType = settingsFormat.type; + }; + default = { }; + }; + }; + config = { + /* + LoadCredential happens before preStart. We need to ensure the + configuration file exist, otherwise LoadCredential will fail. + */ + systemd.tmpfiles.settings = lib.mkIf upstreamCfg.enable { + "10-etc-immich" = { + "/etc/immich" = { + d = { + inherit user group; + mode = "0700"; + }; + }; + "/etc/immich/config.json" = { + "f+" = { + inherit user group; + mode = "0600"; + }; + }; + }; + }; + + systemd.services.immich-server = { + preStart = '' + umask 0077 + ${utils.genJqSecretsReplacementSnippet cfg.jsonSettings "/etc/immich/config.json"} + ''; + serviceConfig = { + LoadCredential = "config:/etc/immich/config.json"; + Environment = "IMMICH_CONFIG_FILE=%d/config"; + }; + }; + + # https://github.com/NixOS/nixpkgs/pull/324127/files#r1723763510 + services.immich.redis.host = "/run/redis-immich/redis.sock"; + }; +} diff --git a/modules/nixos/restic.nix b/modules/nixos/restic.nix index 1d6685c..7410a53 100644 --- a/modules/nixos/restic.nix +++ b/modules/nixos/restic.nix @@ -1,6 +1,6 @@ +# TODO: https://github.com/lilyinstarlight/foosteros/blob/dfe1ab3eb68bfebfaa709482d52fa04ebdde81c8/config/restic.nix#L23 <- this is better { config, - pkgs, lib, ... }: @@ -11,6 +11,14 @@ in options = { custom.restic = { enable = lib.mkEnableOption "restic"; + paths = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ + "/home" + "/var/lib" + ]; + }; + prune = lib.mkEnableOption "auto prune remote restic repo"; repositoryFile = lib.mkOption { type = lib.types.str; default = ""; @@ -22,14 +30,10 @@ in }; }; config = lib.mkIf cfg.enable { - services.restic.backups = { - remotebackup = { + services.restic.backups.${config.networking.hostName} = lib.mkMerge [ + { repositoryFile = cfg.repositoryFile; passwordFile = cfg.passwordFile; - paths = [ - "/home" - "/var/lib" - ]; exclude = [ "/home/*/.cache" "/home/*/.cargo" @@ -40,13 +44,24 @@ in OnCalendar = "00:05"; RandomizedDelaySec = "5h"; }; - pruneOpts = [ + pruneOpts = lib.mkIf cfg.prune [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ]; - }; - }; + paths = lib.mkDefault cfg.paths; + initialize = true; + } + (lib.mkIf (config.fileSystems."/".fsType == "btrfs") { + backupPrepareCommand = '' + btrfs subvolume snapshot -r / backup + ''; + backupCleanupCommand = '' + btrfs subvolume delete /backup + ''; + paths = map (p: "/backup" + p) cfg.paths; + }) + ]; }; } diff --git a/modules/nixos/stylix.nix b/modules/nixos/stylix.nix index c2ab1a9..c5e546b 100644 --- a/modules/nixos/stylix.nix +++ b/modules/nixos/stylix.nix @@ -30,24 +30,11 @@ in stylix.autoEnable = false; stylix.homeManagerIntegration.autoImport = true; stylix.homeManagerIntegration.followSystem = true; - stylix.fonts = { - monospace = { - name = "JetBrainsMono Nerd Font"; - package = pkgs.nerdfonts.override { fonts = [ "JetBrainsMono" ]; }; - }; - serif = { - name = "Noto Serif CJK SC"; - package = pkgs.noto-fonts; - }; - sansSerif = { - name = "Noto Sans CJK SC"; - package = pkgs.noto-fonts; - }; - }; stylix.targets = { console.enable = true; - gnome.enable = if config.services.xserver.desktopManager.gnome.enable then true else false; + # gnome.enable = if config.services.xserver.desktopManager.gnome.enable then true else false; + gnome.enable = false; gtk.enable = true; }; }; diff --git a/modules/nixos/vaultwarden.nix b/modules/nixos/vaultwarden.nix index 82c0e41..2f5de11 100644 --- a/modules/nixos/vaultwarden.nix +++ b/modules/nixos/vaultwarden.nix @@ -43,6 +43,7 @@ in }; services.caddy = mkIf cfg.caddy { enable = true; + virtualHosts."https://${cfg.domain}".extraConfig = '' reverse_proxy ${config.services.vaultwarden.config.ROCKET_ADDRESS}:${toString config.services.vaultwarden.config.ROCKET_PORT} '';