diff --git a/modules/config/devices/config/deimos.nix b/modules/config/devices/config/deimos.nix
index f7c7f9e..dfb252c 100755
--- a/modules/config/devices/config/deimos.nix
+++ b/modules/config/devices/config/deimos.nix
@@ -14,9 +14,6 @@ in
 ip = {
 address0 = deimosIP;
 };
- wireguard = {
- ip0 = "10.100.0.3";
- };
 boot = {
 options = ownerWriteOthersReadMask;
 };
diff --git a/modules/config/instances/config/podgrab.nix b/modules/config/instances/config/podgrab.nix
new file mode 100755
index 0000000..3635de6
--- /dev/null
+++ b/modules/config/instances/config/podgrab.nix
@@ -0,0 +1,35 @@
+{ moduleFunctions }:
+let
+ inherit (moduleFunctions.instancesFunctions)
+ domain0
+ servicePath
+ sslPath
+ sopsPath
+ ;
+
+ label = "Podgrab";
+ name = "podgrab";
+ subdomain = "podcasts";
+ domain = "${subdomain}.${domain0}";
+in
+{
+ label = label;
+ name = name;
+ sops = {
+ path0 = "${sopsPath}/${name}";
+ };
+ domains = {
+ url0 = domain;
+ };
+ subdomain = name;
+ paths = {
+ path0 = "${servicePath}/${label}";
+ };
+ ports = {
+ port0 = 4242;
+ };
+ ssl = {
+ cert = "${sslPath}/${name}.${domain0}/fullchain.pem";
+ key = "${sslPath}/${name}.${domain0}/key.pem";
+ };
+}
diff --git a/modules/home/cli/utilities/dig/default.nix b/modules/home/cli/utilities/dig/default.nix
old mode 100755
new mode 100644
diff --git a/modules/home/cli/utilities/ipTables/default.nix b/modules/home/cli/utilities/ipTables/default.nix
old mode 100755
new mode 100644
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 2eb4236..9f10bcb 100755
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -10,6 +10,7 @@ in
 mullvad
 syncthing
 ollama
+ glance
 plasma
 sddm
 hypr
@@ -31,6 +32,7 @@ in
 sddm
 flatpak
 espanso
+ glance
 ;
 };
 };
@@ -50,18 +52,17 @@ in
 acme
 audiobookshelf
 caddy
- forgejo
- glance
 jellyfin
 logrotate
 mastodon
 minecraft
 ollama
+ website
 postgresql
 samba
 searx
 vaultwarden
- website
+ forgejo
 ;
 };
 };
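Review bot: In the new podgrab.nix the `let` binds `subdomain = "podcasts"` and derives `domain` (and so `domains.url0`) from it, while the returned attrset sets `subdomain = name` and builds the `ssl.cert`/`ssl.key` paths from `${name}.${domain0}`, so the vhost name is `podcasts.${domain0}` but the certificate paths and the `"podgrab"` entry added to the acme/default.nix list use `podgrab.${domain0}`. If the cert directory is keyed by the issued name, as the acme list suggests, Caddy will serve a certificate that does not match the host it answers for. Pick one name: either drop the `"podcasts"` binding so `domain = "${name}.${domain0}"`, or derive the paths from the domain with `cert = "${sslPath}/${domain}/fullchain.pem";` and `key = "${sslPath}/${domain}/key.pem";` and register that name with acme.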
diff --git a/modules/nixos/services/acme/default.nix b/modules/nixos/services/acme/default.nix
index 06fd49c..659eff6 100755
--- a/modules/nixos/services/acme/default.nix
+++ b/modules/nixos/services/acme/default.nix
@@ -32,15 +32,15 @@ in
 value = dnsConfig;
 })
 [
- "audiobookshelf"
- "glance"
 "jellyfin"
 "minecraft"
- "nextcloud"
 "ollama"
- "searx"
+ "nextcloud"
 "syncthing"
+ "searx"
+ "podgrab"
 "vaultwarden"
+ "audiobookshelf"
 ]
 )
 ++ (map
@@ -49,9 +49,9 @@ in
 value = dnsConfig;
 })
 [
+ "peertube"
 "forgejo"
 "mastodon"
- "peertube"
 ]
 )
 ++ (map
diff --git a/modules/nixos/services/glance/config/server.nix b/modules/nixos/services/glance/config/server.nix
index 12cf8ec..cefc788 100755
--- a/modules/nixos/services/glance/config/server.nix
+++ b/modules/nixos/services/glance/config/server.nix
@@ -1,14 +1,10 @@
-{ flake, configHelpers, ... }:
+{ flake, service, ... }:
 let
 inherit (flake.config.people) user0;
- inherit (flake.config.machines.devices) ceres;
 in
 {
 assets-path = "/home/${user0}/Files/Projects/dotfiles/modules/nixos/services/glance/assets";
- # host = configHelpers.host;
- # host = configHelpers.localhost;
- host = ceres.wireguard.ip0;
- port = configHelpers.service.ports.port0;
+ port = service.ports.port0;
 # auth = {
 # secret-key = config.sops.secrets."${service.name}-key".path;
 # users.${user0}.password = config.sops.secrets."${service.name}-${user0}-pass".path;
diff --git a/modules/nixos/services/glance/default.nix b/modules/nixos/services/glance/default.nix
index 1afdc33..c600215 100755
--- a/modules/nixos/services/glance/default.nix
+++ b/modules/nixos/services/glance/default.nix
@@ -1,20 +1,10 @@
 { config, flake, ... }:
 let
- inherit (flake.config.services.instances)
- glance
- jellyfin
- web
- ;
- inherit (flake.config.machines.devices) ceres mars deimos;
- configHelpers = {
- service = glance;
- hostname = config.networking.hostName;
- localhost = web.localhost.address1;
- host = configHelpers.service.domains.url0;
- };
+ inherit (flake.config.services.instances) glance jellyfin;
+ service = glance;
 configPath = ./config;
 configImports = {
- server = import (configPath + /server.nix) { inherit flake configHelpers; };
+ server = import (configPath + /server.nix) { inherit flake service; };
 branding = import (configPath + /branding.nix);
 theme = import (configPath + /theme.nix);
 pages = import (configPath + /pages.nix) { inherit config flake; };
@@ -26,32 +16,11 @@ in
 enable = true;
 settings = configImports;
 };
- caddy = {
- virtualHosts = {
- "${configHelpers.host}" = {
- extraConfig = ''
- @allowed_ips {
- remote_ip ${mars.wireguard.ip0} ${deimos.wireguard.ip0}
- }
-
- handle @allowed_ips {
- redir /.well-known/carddav /remote.php/dav/ 301
- redir /.well-known/caldav /remote.php/dav/ 301
- reverse_proxy ${ceres.wireguard.ip0}:${toString configHelpers.service.ports.port0}
- }
- handle {
- respond "Access Denied" 403
- }
- tls ${configHelpers.service.ssl.cert} ${configHelpers.service.ssl.key}
- '';
- };
- };
- };
 };
 sops =
 let
 sopsPath = secret: {
- path = "/run/secrets/${configHelpers.service.name}-${secret}";
+ path = "/run/secrets/${service.name}-${secret}";
 owner = "root";
 group = "root";
 mode = "644";
@@ -61,7 +30,7 @@ in
 secrets = builtins.listToAttrs (
 map
 (secret: {
- name = "${configHelpers.service.name}-${secret}";
+ name = "${service.name}-${secret}";
 value = sopsPath secret;
 })
 [
@@ -72,10 +41,15 @@ in
 );
 };
+ systemd.tmpfiles.rules = [
+ # "Z ${service.paths.path0} 755 ${service.name} ${service.name} -"
+ # "Z ${service.sops.path0} 755 root root -"
+ ];
+
 networking = {
 firewall = {
- interfaces.wg0.allowedTCPPorts = [
- configHelpers.service.ports.port0
+ allowedTCPPorts = [
+ service.ports.port0
 ];
 };
 };
diff --git a/modules/nixos/services/podgrab/default.nix b/modules/nixos/services/podgrab/default.nix
new file mode 100755
index 0000000..82a5b95
--- /dev/null
+++ b/modules/nixos/services/podgrab/default.nix
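Review bot: `allowedTCPPorts = [ service.ports.port0 ]` opens the Glance port on every interface, where the removed `interfaces.wg0.allowedTCPPorts` limited it to the WireGuard link; at the same time config/server.nix drops the `host = ceres.wireguard.ip0` bind and the caddy vhost with its `@allowed_ips` gate is deleted in the `@@ -26,32` hunk of this file, while the `auth` block in server.nix stays commented out. Unless Glance's default bind address is loopback, which the diff does not show, the dashboard becomes reachable without authentication from any network the host is on. If it is meant to stay VPN-only, keep `interfaces.wg0.allowedTCPPorts = [ service.ports.port0 ];` or restore the `host` bind; otherwise enable the auth block before widening the firewall. The two commented-out `systemd.tmpfiles.rules` entries are dead configuration and would read better removed, or enabled with a comment saying why.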
@@ -0,0 +1,77 @@
+{ config, flake, ... }:
+let
+ inherit (flake.config.services.instances) podgrab web;
+ inherit (flake.config.machines.devices) ceres;
+ service = podgrab;
+ localhost = web.localhost.address0;
+ host = service.domains.url0;
+in
+{
+ services = {
+ podgrab = {
+ enable = true;
+ port = service.ports.port0;
+ passwordFile = config.sops.secrets."${service.name}-pass".path;
+ dataDirectory = service.paths.path0;
+ };
+ caddy = {
+ virtualHosts = {
+ "${host}" = {
+ extraConfig = ''
+ redir /.well-known/carddav /remote.php/dav/ 301
+ redir /.well-known/caldav /remote.php/dav/ 301
+
+ reverse_proxy ${localhost}:${toString service.ports.port0}
+
+ tls ${service.ssl.cert} ${service.ssl.key}
+ '';
+ };
+ };
+ };
+ };
+
+ sops =
+ let
+ sopsPath = secret: {
+ path = "${service.sops.path0}/password.env";
+ owner = service.name;
+ mode = "600";
+ };
+ in
+ {
+ secrets = builtins.listToAttrs (
+ map
+ (secret: {
+ name = "${service.name}-${secret}";
+ value = sopsPath secret;
+ })
+ [
+ "pass"
+ ]
+ );
+ };
+
+ fileSystems."/var/lib/${service.name}" = {
+ device = service.paths.path0;
+ fsType = "none";
+ options = [
+ "bind"
+ ];
+ depends = [
+ ceres.storage0.mount
+ ];
+ };
+
+ systemd.tmpfiles.rules = [
+ "Z ${service.paths.path0} 0755 ${service.name} ${service.name} -"
+ "Z ${service.sops.path0} 0755 ${service.name} ${service.name} -"
+ ];
+
+ networking = {
+ firewall = {
+ allowedTCPPorts = [
+ service.ports.port0
+ ];
+ };
+ };
+}
diff --git a/modules/nixos/services/searx/default.nix b/modules/nixos/services/searx/default.nix
index 6c7e949..2f2cbeb 100755
--- a/modules/nixos/services/searx/default.nix
+++ b/modules/nixos/services/searx/default.nix
@@ -5,7 +5,7 @@
 ...
 }:
 let
- inherit (flake.config.machines.devices) ceres mars deimos;
+ inherit (flake.config.machines.devices) ceres mars;
 inherit (flake.config.services.instances) searx web;
 configHelpers = {
 service = searx;
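Review bot: The `Z` tmpfiles rule on `${service.sops.path0}` applies `0755` recursively, so it also reaches the `password.env` that the `sops` block above declares with `mode = "600"`; if that file is a regular file there rather than a symlink sops-nix manages elsewhere, and tmpfiles runs after the secret is installed, the password ends up world-readable. Use the non-recursive form for the directory, `"z ${service.sops.path0} 0750 ${service.name} ${service.name} -"`, and let sops keep the file mode. Separately, `sopsPath` ignores its `secret` argument and always returns `${service.sops.path0}/password.env`, so any second entry in the list would map to the same file; `passwordFile` only lines up because "pass" is currently the sole secret. The global `allowedTCPPorts` also exposes port0 directly, which bypasses the Caddy vhost that proxies to `${localhost}` with TLS, so if only the proxied path is intended and podgrab binds beyond loopback the firewall entry should go. The `/.well-known/carddav` and `caldav` redirects look copied from a Nextcloud vhost and have no meaning for this service.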
@@ -47,7 +47,7 @@ in "${configHelpers.host}" = { extraConfig = '' @allowed_ips { - remote_ip ${mars.wireguard.ip0} ${deimos.wireguard.ip0} + remote_ip ${mars.wireguard.ip0} } handle @allowed_ips { diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index a682cf8..34a8a1c 100755 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml @@ -40,8 +40,6 @@ wireguard-phone-private: ENC[AES256_GCM,data:hm6KoNseaalt+/SYCkCW0w4sRzzpNNMjhda wireguard-phone-public: ENC[AES256_GCM,data:gGMAIg3T6dOmo1z2c6oZ8Sgnylp0wjpADRWRyBCAEhmlJp1PVj+d478TO08=,iv:A4DV7zPKXwVF2nyFySyrmfdExoo3LrbiYt6PYa4/WcQ=,tag:wY4fYv1wXE0tYonrLoHpGQ==,type:str] wireguard-mars-private: ENC[AES256_GCM,data:pUkR29PgGhHeR3d6fFJDs0bwASaC/RqUTsJe+vYs+P2skIGivkRzhi3LRBE=,iv:JK7O28r73V3NiVGikMIZunJtrdtp4jOGPi2quLYSkWY=,tag:nSHqfnZhiLrm7JuZuJtc7Q==,type:str] wireguard-mars-public: ENC[AES256_GCM,data:fA37Ev7WL2vsgG/PE4YMFHclbhjHqCgNCOiF5J9L5UD8YuGCHUbpTV7A+w4=,iv:K9W/IZatUL+HZ5k9FGjmA4+He4xTO3IAswqpbelfhPw=,tag:FC5kiMD/pdtNjQxklDvfrA==,type:str] -wireguard-deimos-private: ENC[AES256_GCM,data:A/LbG/kTjT0xa93Y31RXfM6D9ibHHjuaZ0TIFr8/zn2l7AD7NfmpgZXuPII=,iv:tK9Iyll/GXPXNsMXJKpNKSxMqeHLqSgCfQTSM8+NOVU=,tag:yfJP9hjR/6DXgKtFKqR5Zw==,type:str] -wireguard-deimos-public: ENC[AES256_GCM,data:ZhcnUafVzrPtEP19TgnsEl6Edwjxbkeb2N+Rg7V1O7zArhcc+Owk/l6iHU4=,iv:UcKBnz/4sGyLM/lQJo7e3G0qWAWlTtRNl5K1e3oT1sw=,tag:BbjZcjl98X9aoCTD+hfhgg==,type:str] glance-jellyfin: ENC[AES256_GCM,data:ozdDKgAWkA88J2j8RtiOP/aQPAt/neUOSlAZF20g510=,iv:x+VhYlnA9F/VPrzVcma4/oPelCc8kjWoTZvOs4L9Uqo=,tag:crdSDjr8Y5GH/JAF6t8Yeg==,type:str] kanboard-smtp: ENC[AES256_GCM,data:eOIEGwJZlvbJaTfDRU3IFQ==,iv:Jex01WlHG3uxqUnTSF+v1BgnNcIu4cS9OwHBCFl1m28=,tag:3Eld1FkI6AftlCyC3419BA==,type:str] podgrab-pass: ENC[AES256_GCM,data:DVmJDb4VqcZDKNcedSaRA5dqKOzx1tSzDiK3i23+a6v3nK+4Kh7n8EA=,iv:SiiUjJLHkCOO1VKCmubftKx06laFqNv79tIPnkVYrJU=,tag:kdkT+03DemlNAsuzps8fnw==,type:str] 
@@ -58,7 +56,7 @@ sops: bXBOa1VSakoyaWxpODJEOU11QUZCaUEK8Ch9Ten3DdrPHF1DTH2qei85AlHUOaLD aNfzakake7ej+MxJYdKEU0bcWofNMKzIlZa2uM10KZSENDP8d8qlig== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-07-04T00:40:18Z" - mac: ENC[AES256_GCM,data:N2BwAzga2/Ig96p49rqNhhZ2udYWt7mQ9JD8DFXuxa3HOh3gtx7FWeWpGjvLnLWCgGcT4R61RKmgZQZRADNxYPE3vtdpPOFz0XvgcYSDlwslzBdSsVc08sh77P0LDgZsCzE1MxYynQ6nzFcc6gW5sorInLarsHoCCBC+Z5YpOVg=,iv:H6d3VrERM02/1zI5boFemEpMYD3greYZRqlSpBqROzM=,tag:TEakUvOlKoZYo/XPS6HVnA==,type:str] + lastmodified: "2025-07-01T08:55:49Z" + mac: ENC[AES256_GCM,data:2m5iKDV7yIkYIL2bq9+7sFD2Nf8K1Z7mB6EKE3U+nFurOTxgUE0W10kV3BJoPoD78t5xjdbbmIt+NpmH9D41oE4lSPlOdTZujEpT0EcuNBVwz4MDBR/N7GRk74Etq1kJQ2f/NInhh8eH4xZDCQHR8BKxSX1RCd/0yWqrEbpfWrk=,iv:7gI48Urn0xFJwx3l3IzBT7KLTf4FlIf5p5Y/6Pms3ZA=,tag:QdA9cuKvFbXfT7kMbth5hQ==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2 diff --git a/systems/ceres/config/wireguard.nix b/systems/ceres/config/wireguard.nix index 3a178f0..466ebf5 100755 --- a/systems/ceres/config/wireguard.nix +++ b/systems/ceres/config/wireguard.nix @@ -1,8 +1,8 @@ { config, flake, ... }: let - inherit (flake.config.services) instances; - inherit (flake.config.machines.devices) mars deimos ceres; - service = instances.wireGuard; + inherit (flake.config.services.instances) wireGuard searx; + inherit (flake.config.machines.devices) mars ceres; + service = wireGuard; in { networking = { @@ -14,6 +14,9 @@ in service.ports.port0 service.ports.port1 ]; + interfaces.wg0.allowedTCPPorts = [ + searx.ports.port0 + ]; }; nat = { 
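Review bot: The new `lastmodified: "2025-07-01T08:55:49Z"` is earlier than the `"2025-07-04T00:40:18Z"` it replaces, which suggests this secrets.yaml was edited from an older working copy rather than from the previously committed version. sops recomputes the `mac` over the whole file, so a stale base can silently drop any secret changed between those two dates without the diff showing it; worth redoing the edit against the current file and confirming the result still only removes the two `wireguard-deimos-*` entries.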
@@ -29,17 +32,10 @@ in
 listenPort = service.ports.port1;
 privateKeyFile = config.sops.secrets."${service.name}-private".path;
 peers = [
- # if you need to create a new key pair
- # wg genkey | save --raw --force privatekey
- # open privatekey | wg pubkey | save --raw --force publickey
 {
 publicKey = "9zfRPxkxTLHM9tABC8lIaDMrzdjcF2l1mtG82uqGKUQ=";
 allowedIPs = [ "${mars.wireguard.ip0}/32" ];
 }
- {
- publicKey = "hKbvOlvKdWAlq45rfV3ggwOI8xqiqVWweXV+2GQx/0I=";
- allowedIPs = [ "${deimos.wireguard.ip0}/32" ];
- }
 ];
 };
 };
diff --git a/systems/deimos/config/wireguard.nix b/systems/deimos/config/wireguard.nix
deleted file mode 100755
index 72fb149..0000000
--- a/systems/deimos/config/wireguard.nix
+++ /dev/null
@@ -1,56 +0,0 @@
-{ config, flake, ... }:
-let
- inherit (flake.config.services.instances) wireGuard web;
- inherit (flake.config.services) instances;
- inherit (flake.config.machines.devices) ceres deimos;
- service = wireGuard;
-in
-{
- networking = {
- hosts = {
- ${ceres.wireguard.ip0} = [
- instances.searx.domains.url0
- instances.glance.domains.url0
- ];
- };
- wireguard.interfaces = {
- wg0 = {
- ips = [ "${deimos.wireguard.ip0}/32" ];
- privateKeyFile = config.sops.secrets."${service.name}-deimos-private".path;
- peers = [
- {
- publicKey = "fs58+Kz+eG9qAXvvMB2NkW+wa88yP61uam4HHWaBJVw=";
- allowedIPs = [
- "${ceres.wireguard.ip0}/32"
- "${web.localhost.address4}/24"
- ];
- endpoint = "${web.remotehost.address0}:${builtins.toString service.ports.port1}";
- persistentKeepalive = 25;
- }
- ];
- };
- };
- };
-
- sops =
- let
- sopsPath = secret: {
- path = "${service.sops.path0}/${service.name}-${secret}-pass";
- owner = "root";
- mode = "600";
- };
- in
- {
- secrets = builtins.listToAttrs (
- map
- (secret: {
- name = "${service.name}-${secret}";
- value = sopsPath secret;
- })
- [
- "deimos-private"
- "deimos-public"
- ]
- );
- };
-}
diff --git a/systems/mars/config/wireguard.nix b/systems/mars/config/wireguard.nix
index bc07a81..74df4bc 100755
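Review bot: The three-line comment above the `peers` list describing how to generate a new key pair (`# wg genkey | save --raw --force privatekey` and its companion line) is removed together with the deimos peer, but it documented provisioning for any future peer rather than deimos specifically, so consider keeping it. Dropping the `hKbv…` peer itself is consistent with the deleted deimos wireguard.nix and the `wireguard.ip0` removed from deimos.nix; nothing else in this hunk still references deimos.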
--- a/systems/mars/config/wireguard.nix
+++ b/systems/mars/config/wireguard.nix
@@ -8,10 +8,7 @@ in
 {
 networking = {
 hosts = {
- ${ceres.wireguard.ip0} = [
- instances.searx.domains.url0
- instances.glance.domains.url0
- ];
+ ${ceres.wireguard.ip0} = [ instances.searx.domains.url0 ];
 };
 wireguard.interfaces = {
 wg0 = {