Move more services to defiant. Remove sarek.

.sops.yaml

@@ -2,7 +2,6 @@ keys:
   - &user_felixalb_old age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw
   - &user_felixalb age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf
   - &host_voyager age14jzavfeg47pgnrstea6yzvh3s3a578nj8hkk8g79vxyzpn86gslscp23qu
-  - &host_sarek age1yjc08ykd5d687p9tmn6mpsna3azryreuuz6akj2p0dtft9xqq5lsuamljk
   - &host_defiant age128md9emufxu35kgww3a90sw40vvc60f5xul9n9ndvw4lfnj3ndaqq44u64
 
 creation_rules:
@@ -26,10 +25,3 @@ creation_rules:
     - age:
       - *host_defiant
       - *user_felixalb
-
-  - path_regex: secrets/sarek/[^/]+\.yaml$
-    key_groups:
-    - age:
-      - *host_sarek
-      - *user_felixalb_old
-      - *user_felixalb

flake.nix

@@ -92,24 +92,6 @@
             }
           ];
         };
-        sarek = nixpkgs.lib.nixosSystem {
-          system = "x86_64-linux";
-          specialArgs = {
-            inherit inputs;
-          };
-          modules = [
-            # Overlays-module makes "pkgs.unstable" available in configuration.nix
-            ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
-
-            ./hosts/sarek/configuration.nix
-            sops-nix.nixosModules.sops
-            home-manager.nixosModules.home-manager {
-              home-manager.useGlobalPkgs = true;
-              home-manager.useUserPackages = true;
-              home-manager.users."felixalb" = import ./hosts/sarek/home.nix;
-            }
-          ];
-        };
         redshirt = nixpkgs.lib.nixosSystem {
           system = "x86_64-linux";
           specialArgs = {

hosts/defiant/configuration.nix

@@ -10,6 +10,9 @@
       ./services/postgresql.nix
       ./services/nginx.nix
       ./services/matrix-synapse.nix
+      ./services/flame.nix
+      ./services/hedgedoc.nix
+      ./services/pihole.nix
   ];
 
   networking = {

hosts/defiant/hardware-configuration.nix

@@ -4,26 +4,29 @@
 { config, lib, pkgs, modulesPath, ... }:
 
 {
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
 
   boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-amd" ];
   boot.extraModulePackages = [ ];
 
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/45ceae6b-cf6d-42d6-9694-d14c1d42b49f";
-      fsType = "ext4";
-    };
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/45ceae6b-cf6d-42d6-9694-d14c1d42b49f";
+    fsType = "ext4";
+  };
 
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/DDDC-5C0C";
-      fsType = "vfat";
-    };
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/DDDC-5C0C";
+    fsType = "vfat";
+  };
 
-  swapDevices = [ ];
+  swapDevices = [ {
+      device = "/swapfile";
+      size = 8*1024;
+  } ];
 
   networking.useDHCP = lib.mkDefault false;
   # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;

hosts/defiant/services/flame.nix

@@ -0,0 +1,22 @@
+{ config, pkgs, lib, ... }:
+let
+  domain = "flame.home.feal.no";
+  host = "127.0.1.2";
+  port = "5005";
+in {
+  # Flame - Homelab dashboard/linktree
+  virtualisation.oci-containers.containers = {
+    flame = {
+      image = "pawelmalak/flame";
+      ports = [ "${host}:${port}:5005" ];
+      volumes = [
+        "/var/lib/flame/data:/app/data/"
+      ];
+    };
+  };
+
+  services.nginx.virtualHosts."${domain}" = {
+    locations."/".proxyPass = "http://${host}:${port}";
+  };
+}
+

hosts/defiant/services/hedgedoc.nix

@@ -0,0 +1,117 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.hedgedoc.settings;
+  domain = "md.feal.no";
+  port = 3300;
+  host = "127.0.1.2";
+  authServerUrl = "https://auth.feal.no";
+in {
+  # Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
+  sops.secrets."hedgedoc/env" = {
+    restartUnits = [ "hedgedoc.service" ];
+  };
+
+  services.hedgedoc = {
+    enable = true;
+    environmentFile = config.sops.secrets."hedgedoc/env".path;
+    settings = {
+      inherit domain port host;
+      protocolUseSSL = true;
+      sessionSecret = "$CMD_SESSION_SECRET";
+
+      allowFreeURL = true;
+      allowAnonymous = false;
+      allowAnonymousEdits = true; # Allow anonymous edits with the "freely" permission
+
+      # dbURL = "postgres://hedgedoc@localhost/hedgedoc";
+      db = {
+        username = "hedgedoc";
+        database = "hedgedoc";
+        host = "/run/postgresql";
+        dialect = "postgresql";
+      };
+
+      email = false;
+      oauth2 = {
+        baseURL = "${authServerUrl}/oauth2";
+        tokenURL = "${authServerUrl}/oauth2/token";
+        authorizationURL = "${authServerUrl}/ui/oauth2";
+        userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo";
+
+        clientID = "hedgedoc";
+        clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
+        scope = "openid email profile";
+        userProfileUsernameAttr = "name";
+        userProfileEmailAttr = "email";
+        userProfileDisplayNameAttr = "displayname";
+
+        providerName = "KaniDM";
+      };
+    };
+  };
+
+  systemd.services.hedgedoc = {
+    requires = [
+      "postgresql.service"
+      # "kanidm.service"
+    ];
+    serviceConfig = let
+      workDir = "/var/lib/hedgedoc";
+    in {
+      WorkingDirectory = lib.mkForce workDir;
+      StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ];
+
+      # Better safe than sorry :)
+      CapabilityBoundingSet = "";
+      LockPersonality = true;
+      NoNewPrivileges = true;
+      PrivateDevices = true;
+      PrivateMounts = true;
+      PrivateTmp = true;
+      PrivateUsers = true;
+      ProtectClock = true;
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      ProtectSystem = "strict";
+      ReadWritePaths = [ workDir ];
+      RemoveIPC = true;
+      RestrictSUIDSGID = true;
+      UMask = "0007";
+      RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
+      SystemCallArchitectures = "native";
+      # SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
+    };
+  };
+
+  services.postgresql = {
+    ensureDatabases = [ "hedgedoc" ];
+    ensureUsers = [{
+      name = "hedgedoc";
+      ensureDBOwnership = true;
+    }];
+  };
+
+  services.nginx.virtualHosts."${domain}" = {
+    listen = [
+      { addr = "192.168.10.175"; port = 43443; ssl = true; }
+      { addr = "192.168.10.175"; port = 43080; ssl = false; }
+    ];
+
+    enableACME = true;
+    forceSSL = true;
+
+    locations = {
+      "/" = {
+        proxyPass = "http://${host}:${toString port}";
+      };
+      "/socket.io" = {
+        proxyPass = "http://${host}:${toString port}";
+        proxyWebsockets = true;
+      };
+    };
+  };
+}

hosts/defiant/services/nginx.nix

@@ -12,7 +12,7 @@
     defaultListen = [
       {
         addr = "192.168.10.175";
-        port = "80";
+        port = 80;
         ssl = false;
       }
     ];
@@ -27,4 +27,22 @@
     acceptTerms = true;
     defaults.email = "felix@albrigtsen.it";
   };
+
+  # Publicly exposed services:
+
+  services.nginx.virtualHosts = let
+    publicProxy = upstream: {
+      listen = [
+        { addr = "192.168.10.175"; port = 43443; ssl = true; }
+        { addr = "192.168.10.175"; port = 43080; ssl = false; }
+      ];
+      enableACME = true;
+      forceSSL = true;
+
+      locations."/".proxyPass = "${upstream}";
+    };
+  in {
+    "jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/";
+    # "wiki.wackattack.eu" = publicProxy "http://pascal.wackattack.home.feal.no/";
+  };
 }

hosts/defiant/services/pihole.nix

@@ -0,0 +1,30 @@
+{ config, pkgs, lib, ... }:
+let
+  domain = "pihole.home.feal.no";
+  dnsHost = "192.168.10.175";
+  webuiListen = "127.0.1.2:5053";
+in {
+  # Flame - Homelab dashboard/linktree
+  virtualisation.oci-containers.containers = {
+    pihole = {
+      image = "pihole/pihole";
+      ports = [
+        "${dnsHost}:53:53/tcp"
+        "${dnsHost}:53:53/udp"
+        "${webuiListen}:80"
+      ];
+
+      environment.TZ = "Europe/Oslo";
+
+      volumes = [
+        "/var/lib/pihole/etc:/etc/pihole"
+        "/var/lib/pihole/dnsmasq:/etc/dnsmasq.d"
+      ];
+    };
+  };
+
+  services.nginx.virtualHosts."${domain}" = {
+    locations."/".proxyPass = "http://${webuiListen}";
+  };
+}
+

hosts/defiant/services/postgresql.nix

@@ -6,12 +6,11 @@
   };
 
   services.postgresqlBackup = {
-    enable = true;
+    # enable = true;
     location = "/data/backup/postgresql/";
     startAt = "*-*-* 03:15:00";
     backupAll = true;
   };
 
-
   environment.systemPackages = [ config.services.postgresql.package ];
 }

hosts/sarek/configuration.nix

@@ -1,54 +0,0 @@
-{ config, pkgs, lib, modulesPath, ... }:
-
-{
-  imports =
-    [
-      (modulesPath + "/virtualisation/proxmox-lxc.nix")
-      ../../base.nix
-      ../../common/metrics-exporters.nix
-
-      ./services/flame.nix
-      ./services/hedgedoc.nix
-      ./services/nginx.nix
-      ./services/postgresql.nix
-  ];
-
-  # Boot and console is handled by proxmoxLXC.
-  boot.loader.systemd-boot.enable = lib.mkForce false; # Enabled in base.nix, forced off here.
-
-  # Override proxmox networking
-  proxmoxLXC.manageNetwork = true;
-  networking = {
-    hostName = "sarek";
-    defaultGateway = "192.168.10.1";
-    interfaces."eth0".ipv4 = {
-      addresses = [
-        { address = "192.168.10.181"; prefixLength = 24; }
-      ];
-    };
-    hostId = "15dd36bc";
-  };
-
-  sops.defaultSopsFile = ../../secrets/sarek/sarek.yaml;
-  virtualisation.docker.enable = true;
-  virtualisation.oci-containers.backend = "docker";
-
-  # Undo https://github.com/NixOS/nixpkgs/commit/59e37267556eb917146ca3110ab7c96905b9ffbd to work on unprivileged LXC containers
-  system.activationScripts.var = lib.mkForce ''
-    # Various log/runtime directories.
-    mkdir -p /var/tmp
-    chmod 1777 /var/tmp
-    # Empty, immutable home directory of many system accounts.
-    mkdir -p /var/empty
-    # Make sure it's really empty
-    ${pkgs.e2fsprogs}/bin/chattr -f -i /var/empty || true
-    find /var/empty -mindepth 1 -delete
-    chmod 0555 /var/empty
-    chown root:root /var/empty
-    ${pkgs.e2fsprogs}/bin/chattr -f +i /var/empty || true
-  '';
-  systemd.tmpfiles.rules = lib.mkForce [];
-
-  system.stateVersion = "23.05";
-}
-

hosts/sarek/home.nix

@@ -1,20 +0,0 @@
-{ pkgs, lib, ... }:
-{
-  home.packages = with pkgs; [
-    bat
-    bottom
-    ncdu
-    neofetch
-    nix-index
-  ];
-
-  imports = [
-    ./../../home/base.nix
-  ];
-
-  programs = {
-    zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
-  };
-
-  home.stateVersion = "23.05";
-}

hosts/sarek/services/flame.nix

@@ -1,24 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
-  domain = "flame.home.feal.no";
-  host = "127.0.1.2";
-  port = "5005";
-in {
-   # Flame - Homelab dashboard/linktree
-   virtualisation.oci-containers.containers = {
-     flame = {
-       image = "pawelmalak/flame";
-       ports = [ "${host}:${port}:5005" ];
-       volumes = [
-         "/var/lib/flame/data:/app/data/"
-       ];
-     };
-   };
-
-   services.nginx.virtualHosts."${domain}" = {
-     locations."/" = {
-       proxyPass = "http://${host}:${port}";
-     };
-   };
- }
-

hosts/sarek/services/hedgedoc.nix

@@ -1,94 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
-    cfg = config.services.hedgedoc.settings;
-    domain = "md.feal.no";
-    port = 3300;
-    host = "0.0.0.0";
-    authServerUrl = "https://auth.feal.no";
-in {
-    # Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
-    sops.secrets."hedgedoc/env" = {
-      restartUnits = [ "hedgedoc.service" ];
-    };
-
-    services.hedgedoc = {
-        enable = true;
-        environmentFile = config.sops.secrets."hedgedoc/env".path;
-        settings = {
-            inherit domain port host;
-            protocolUseSSL = true;
-            sessionSecret = "$CMD_SESSION_SECRET";
-
-            allowFreeURL = true;
-            allowAnonymous = false;
-            allowAnonymousEdits = true; # Allow anonymous edits with the "freely" permission
-
-            dbURL = "postgres://hedgedoc:@localhost/hedgedoc";
-
-            email = false;
-            oauth2 = {
-              baseURL = "${authServerUrl}/oauth2";
-              tokenURL = "${authServerUrl}/oauth2/token";
-              authorizationURL = "${authServerUrl}/ui/oauth2";
-              userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo";
-
-              clientID = "hedgedoc";
-              clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
-              scope = "openid email profile";
-              userProfileUsernameAttr = "name";
-              userProfileEmailAttr = "email";
-              userProfileDisplayNameAttr = "displayname";
-
-              providerName = "KaniDM";
-            };
-
-        };
-    };
-
-    systemd.services.hedgedoc = {
-      requires = [
-        "postgresql.service"
-        # "kanidm.service"
-      ];
-      serviceConfig = let
-        workDir = "/var/lib/hedgedoc";
-      in {
-        WorkingDirectory = lib.mkForce workDir;
-        StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ];
-
-        # Better safe than sorry :)
-        CapabilityBoundingSet = "";
-        LockPersonality = true;
-        NoNewPrivileges = true;
-        PrivateDevices = true;
-        PrivateMounts = true;
-        PrivateTmp = true;
-        PrivateUsers = true;
-        ProtectClock = true;
-        ProtectHome = true;
-        ProtectHostname = true;
-        ProtectKernelLogs = true;
-        ProtectKernelModules = true;
-        ProtectKernelTunables = true;
-        ProtectProc = "invisible";
-        ProtectSystem = "strict";
-        ReadWritePaths = [ workDir ];
-        RemoveIPC = true;
-        RestrictSUIDSGID = true;
-        UMask = "0007";
-        RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
-        SystemCallArchitectures = "native";
-        # SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
-      };
-    };
-
-    networking.firewall.allowedTCPPorts = [ port ];
-
-    services.postgresql = {
-      ensureDatabases = [ "hedgedoc" ];
-      ensureUsers = [{
-        name = "hedgedoc";
-        ensureDBOwnership = true;
-      }];
-    };
-}

hosts/sarek/services/nginx.nix

@@ -1,19 +0,0 @@
-{ config, values, ... }:
-{
-  services.nginx = {
-    enable = true;
-    enableReload = true;
-
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-  };
-
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
-
-  /* security.acme = { */
-  /*   acceptTerms = true; */
-  /*   email = "felix@albrigtsen.it"; */
-  /* }; */
-}

hosts/sarek/services/postgresql.nix

@@ -1,22 +0,0 @@
-{ config, pkgs, lib, ... }:
-{
-  services.postgresql = {
-    enable = true;
-    enableTCPIP = true; # Expose on the network
-    authentication = pkgs.lib.mkOverride 10 ''
-     local all all trust
-     host all all 127.0.0.1/32 trust
-     host all all ::1/128 trust
-    '';
-  };
-
-  services.postgresqlBackup = {
-    enable = true;
-    location = "/backup/postgresql/";
-    startAt = "*-*-* 03:15:00";
-    backupAll = true;
-  };
-
-
-  environment.systemPackages = [ config.services.postgresql.package ];
-}

hosts/worf/configuration.nix

@@ -34,7 +34,7 @@
         sshKey = "/var/root/.ssh/nix-builder";
       }
       {
-        hostName = "sarek.home.feal.no";
+        hostName = "defiant.home.feal.no";
         system = "x86_64-linux";
 
         maxJobs = 6;

secrets/defiant/defiant.yaml

@@ -1,6 +1,8 @@
 matrix:
     synapse:
         registrationsecret: ENC[AES256_GCM,data:6gRW6t080VSyNRAmIrMqXL/oj7dj0JbcQekG3lac7zcdvJbgkUaqEGoWdrym2XiEOSLBOVMthnpLdalC2wcyJdmxB7xMNsYS4RfjR3PMKIo1Ap7JSmuKBl3eeaOalHk=,iv:dZl4/qFMoqEbSwL4JF/sjG21e6DuKVxbXwrGHkxfW4U=,tag:LWdCcmUUeTO4YAHkHOSJuw==,type:str]
+hedgedoc:
+    env: ENC[AES256_GCM,data:7UU8MNo3AEpG1L0lpbfow4mGsIj7qMgtldCxv2T8rimintl1PN+avb2yxXz2P+1MqxNhacYYfBn5AkVqUJvAvo/HaQmsu+M1iFuMG6vEQuMGZZ1bjcslKxjVFWe9Rxzb9O33jqielsBiUmkP7f0MoGzfdyncpRuGjge+ADL7YXdRdH2zyDLW0txM3P593MQYiGo9wzwb7ZpycX4NsuE=,iv:4QE4RwD6c7KQS/w15YP/P2u7iOTWd36/YhpA2Jtdu0U=,tag:QBvO3q5C9TK0oSeso367/Q==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -25,8 +27,8 @@ sops:
             RXcvQU1JYnl0bUtocTZuNkRxcGQwR2MKnyAYtF2y7XBmNuIYi6RzqEJEPPg7B22A
             fQVeDfIhiNSVva784KTU+y4TU1UPxumriRrLRFPF3h42ZEq2zQAgrQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-12-24T17:26:56Z"
-    mac: ENC[AES256_GCM,data:lj6GLwoKmDyZ7Gs7X4LOl531jHXn/yiollTFtKNTRfXKoayg40edWuyZR4eQBUWyjmznWeWSB7DT4L82S5DX6NNEqzBFMBlPFrz6DLDfWW/nMdmHW3l7tPxydm8BbmVi1kvp6W7JnHeA3dTaHyMaq5mwwPxhui64joN7964ABWA=,iv:TeESIqgS4ml7cYERq8+NItIjU+HLuxhXdzGMErcSrjg=,tag:fCIHhf77O6SjY9KjHVdrYw==,type:str]
+    lastmodified: "2023-12-24T23:15:29Z"
+    mac: ENC[AES256_GCM,data:h+omoqeN7ssm7lfF/kdUCX7umQwWtTeph2C9tJQEAP7naL+Sm5WgXl/6PYHjjDSJ8X56tQgNdA2F5P5xIwTEfi6ip0Xbqy9vL+TfqjRhaT897O9W3Gka0zKTIkLFH2klgv3FXRd1CybxfyZpuz8Gpyy/tHZMcdIbEt+snlAII/A=,iv:+MgU7SfErnTMc63liEr8SmJLAthlbG8kU/xY6fUC7jU=,tag:I56xwXpVOF38QelGqW0XPg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1