From fdc031ea4d27370c7ced25fa18f3e8a4d5548e3c Mon Sep 17 00:00:00 2001 From: Ahwx Date: Wed, 30 Jul 2025 13:24:21 +0200 Subject: [PATCH 01/12] feat: write cursed function so that secrets are host-based --- modules/core/sops.nix | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/modules/core/sops.nix b/modules/core/sops.nix index d57f4d9..ddb6ee7 100644 --- a/modules/core/sops.nix +++ b/modules/core/sops.nix @@ -2,18 +2,29 @@ pkgs, inputs, username, + host, ... }: { imports = [ inputs.sops-nix.nixosModules.sops ]; sops = { - defaultSopsFile = ../../secrets/secrets.yaml; + defaultSopsFile = ../../secrets/${host}/secrets.yaml; defaultSopsFormat = "yaml"; age.keyFile = "/home/${username}/.config/sops/age/keys.txt"; - secrets = { - "systemMailerPassword" = { }; - }; + secrets = + if (host == "violet") then + { + "systemMailerPassword" = { }; + "forgejoWorkerSecret" = { }; + "matrixRegistrationSecret" = { }; + } + else if (host == "sakura") then + { + "systemMailerPassword" = { }; + } + else + { }; }; environment.systemPackages = with pkgs; [ From d1c0a81809285e9f750068e599d151d3763ee4d2 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Wed, 30 Jul 2025 13:24:40 +0200 Subject: [PATCH 02/12] feat: adds key group for `violet` --- .sops.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.sops.yaml b/.sops.yaml index 69afeda..071f3c5 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -3,6 +3,10 @@ keys: - &violet age1zegau3chyn53tqvkwud6tuyggpkazc88pdkqv8cknavaudu49enqm2f0h3 creation_rules: - path_regex: secrets/secrets.yaml + key_groups: + - age: + - *sakura + - path_regex: secrets/violet/secrets.yaml key_groups: - age: - *sakura From 783b52e6812a874f697a0c406e27ebd266b39f8f Mon Sep 17 00:00:00 2001 From: Ahwx Date: Wed, 30 Jul 2025 13:37:50 +0200 Subject: [PATCH 03/12] feat: enable some services for `violet` --- modules/services/violet.nix | 3 +++ 1 file changed, 3 insertions(+) 
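Review bot: The per-host secret set still depends on the age key read from `/home/${username}/.config/sops/age/keys.txt` (the `age.keyFile` context line in this hunk), which means the unprivileged user account can decrypt every secret declared for `violet`, including the runner token and the Matrix registration secret, and the key has to be readable when sops-nix runs during activation, before any user session exists. Consider decrypting with the host key instead, `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];`, or at least a root-only path such as `/var/lib/sops-nix/key.txt`. As a style point, the `if host == …` chain duplicates `systemMailerPassword` and silently yields no secrets on an unknown host; a lookup like `secrets = { violet = { … }; sakura = { … }; }.${host} or { };` keeps one declaration per host and is easier to extend. The module's argument set and closing brace lie outside the hunk.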
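Review bot: The new `secrets/violet/secrets.yaml` rule keeps `*sakura` in its key group (the context lines right after the added `path_regex`), so violet's secrets are also decryptable by whichever machine holds the sakura key; the file committed in patch 08 shows two age recipients, consistent with that. If sakura is the workstation that edits the secrets this is a deliberate choice, but it undoes part of the per-host split this series introduces and deserves a comment such as `# sakura stays a recipient so secrets can be edited there`. The `path_regex` values are also unanchored regexes, so `secrets/secrets.yaml` matches any path ending that way; anchoring them, `path_regex: ^secrets/violet/secrets\.yaml$`, avoids surprises as more hosts are added.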
diff --git a/modules/services/violet.nix b/modules/services/violet.nix index d036137..dc09fbd 100644 --- a/modules/services/violet.nix +++ b/modules/services/violet.nix @@ -19,9 +19,12 @@ ++ [ (import ./monitoring.nix) ] ++ [ (import ./ntfy.nix) ] ++ [ (import ./nginx.nix) ] + ++ [ (import ./nix-serve.nix) ] ++ [ (import ./radicale.nix) ] + ++ [ (import ./remote-build.nix) ] ++ [ (import ./readarr.nix) ] ++ [ (import ./sharkey-proxy.nix) ] + ++ [ (import ./smokeping.nix) ] # ++ [ (import ./komga.nix) ] # ++ [ (import ./xmpp.nix) ] ++ [ (import ./tailscale.nix) ] From d8d6bc67d8e492c5c7f16d5466d19c35d9bbe8f1 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Wed, 30 Jul 2025 13:38:07 +0200 Subject: [PATCH 04/12] feat: adds `vaultwarden` configuration --- modules/services/vaultwarden.nix | 34 ++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 modules/services/vaultwarden.nix diff --git a/modules/services/vaultwarden.nix b/modules/services/vaultwarden.nix new file mode 100644 index 0000000..38a2192 --- /dev/null +++ b/modules/services/vaultwarden.nix @@ -0,0 +1,34 @@ +{ config, ... }: +{ + services.vaultwarden = { + enable = true; + dbBackend = "sqlite"; + config = { + SIGNUPS_ALLOWED = false; + ENABLE_WEBSOCKET = true; + SENDS_ALLOWED = true; + INVITATIONS_ENABLED = true; + EMERGENCY_ACCESS_ALLOWED = true; + EMAIL_ACCESS_ALLOWED = true; + DOMAIN = "https://passwords.liv.town"; + ROCKET_ADDRESS = "0.0.0.0"; + ROCKET_PORT = 8003; + }; + }; + services.nginx = { + enable = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + virtualHosts = { + "passwords.liv.town" = { + forceSSL = true; + sslCertificate = "/var/lib/acme/liv.town/cert.pem"; + sslCertificateKey = "/var/lib/acme/liv.town/key.pem"; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}/"; + proxyWebsockets = true; + }; + }; + }; + }; +} From b663614fa5448ac604fa16b5f82b655a2ce6621b Mon Sep 17 00:00:00 2001 
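Review bot: The `nix-serve.nix` and `remote-build.nix` modules imported here are not in this diff, so I can only flag what to verify: nix-serve needs a cache signing key that should come from the new per-host sops secrets rather than a path in the store, and a remote-build user listed in `nix.settings.trusted-users` is effectively root on the builder, so it is worth confirming that account is restricted to a forced command. The `smokeping.nix` import added here is removed again in patch 06 of this series; squashing the two would keep the history clean. The imports list this hunk extends starts and ends outside the hunk.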
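Review bot: `ROCKET_ADDRESS = "0.0.0.0"` makes vaultwarden listen on every interface on port 8003 over plain HTTP, while nginx only proxies to `127.0.0.1`, so the TLS front-end can be bypassed by anything that can reach the host unless the firewall blocks that port. Since the proxy target is loopback, `ROCKET_ADDRESS = "127.0.0.1";` is the drop-in fix and removes the exposure entirely. It is also worth a comment that `ADMIN_TOKEN` is intentionally unset, leaving the `/admin` panel disabled; if it is enabled later the token should come from `environmentFile` backed by the new sops secrets, not from `config`, since the module presumably renders `config` into a store-visible environment file.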
From: Ahwx Date: Wed, 30 Jul 2025 13:54:14 +0200 Subject: [PATCH 05/12] feat: update `forgejo` settings to include `mailer` and `gitea-actions-runner` configuration now that we have `sops-nix` --- modules/services/forgejo.nix | 97 +++++++++++++++++++----------------- 1 file changed, 52 insertions(+), 45 deletions(-) diff --git a/modules/services/forgejo.nix b/modules/services/forgejo.nix index 52e94bc..8291bcc 100644 --- a/modules/services/forgejo.nix +++ b/modules/services/forgejo.nix 
@@ -9,57 +9,64 @@ let srv = cfg.settings.server; in { - services.forgejo = { - enable = true; - # database.type = "postgres"; - # Enable support for Git Large File Storage - lfs.enable = true; - settings = { - server = { - DOMAIN = "code.liv.town"; - # You need to specify this to remove the port from URLs in the web UI. - ROOT_URL = "https://${srv.DOMAIN}/"; - HTTP_PORT = 3050; - }; - # You can temporarily allow registration to create an admin user. - service.DISABLE_REGISTRATION = true; - # Add support for actions, based on act: https://github.com/nektos/act - actions = { - ENABLED = true; - DEFAULT_ACTIONS_URL = "github"; - }; - # Sending emails is completely optional - # You can send a test email from the web UI at: - # Profile Picture > Site Administration > Configuration > Mailer Configuration - # mailer = { - # ENABLED = true; - # SMTP_ADDR = "mail.example.com"; - # FROM = "noreply@${srv.DOMAIN}"; - # USER = "noreply@${srv.DOMAIN}"; - # }; - }; - # mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path; - }; - # gitea-actions-runner = { - # package = pkgs.forgejo-runner; - # instances.my-forgejo-instance = { - # enable = true; - # name = "forgejo-01"; - # token = ""; # TODO: fill in tokens etc - # url = "https://code.liv.town"; - # labels = [ - # "node-22:docker://node:22-bookworm" - # "nixos-latest:docker://nixos/nix" - # ]; - # }; - # }; services = { + forgejo = { + enable = true; + # database.type = "postgres"; + # Enable support for Git Large File Storage + lfs.enable = true; + settings = { + server = { + DOMAIN = "code.liv.town"; + # You need to specify this to remove the port from URLs in the web UI. + ROOT_URL = "https://${srv.DOMAIN}/"; + HTTP_PORT = 3050; + }; + # You can temporarily allow registration to create an admin user. 
+ service.DISABLE_REGISTRATION = true; + # Add support for actions, based on act: https://github.com/nektos/act + actions = { + ENABLED = true; + DEFAULT_ACTIONS_URL = "github"; + }; + # TODO: run own email server that sends users emails! + # You can send a test email from the web UI at: + # Profile Picture > Site Administration > Configuration > Mailer Configuration + mailer = { + ENABLED = true; + SMTP_ADDR = "smtp.migadu.com"; + FROM = config.liv.variables.senderEmail; + USER = config.liv.variables.senderEmail; + }; + }; + mailerPasswordFile = config.sops.secrets.systemMailerPassword.path; + }; + gitea-actions-runner = { + package = pkgs.forgejo-runner; + instances.code-liv-town = { + enable = true; + name = "forgejo-01"; + tokenFile = "${config.sops.secrets.forgejoWorkerSecret.path}"; + url = "https://code.liv.town"; + labels = [ + "node-22:docker://node:22-bookworm" + "nixos-latest:docker://nixos/nix" + ]; + }; + }; + anubis.instances.forgejo = { + settings = { + TARGET = "http://localhost:3050"; + BIND = ":3051"; + BIND_NETWORK = "tcp"; + }; + }; nginx.virtualHosts."code.liv.town" = { forceSSL = true; sslCertificate = "/var/lib/acme/liv.town/cert.pem"; sslCertificateKey = "/var/lib/acme/liv.town/key.pem"; locations."/" = { - proxyPass = "http://localhost:3050"; + proxyPass = "http://localhost${toString config.services.anubis.instances.forgejo.settings.BIND}"; proxyWebsockets = true; }; }; From 3aa990e2036c370931ea7ff9e7fc399e26168033 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Wed, 30 Jul 2025 14:17:17 +0200 Subject: [PATCH 06/12] chore: remove `smokeping` from `violet` as it is now a `prometheus` module --- modules/services/violet.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/services/violet.nix b/modules/services/violet.nix index dc09fbd..122aa03 100644 --- a/modules/services/violet.nix +++ b/modules/services/violet.nix 
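Review bot: Putting Anubis in front of Forgejo only helps if Forgejo cannot be reached directly, but the new `anubis.instances.forgejo` binds `:3051` on all interfaces and Forgejo's `HTTP_ADDR` is left at its default, which as far as I recall is `0.0.0.0`, so both `:3050` and `:3051` stay reachable around nginx unless the firewall blocks them; set `server.HTTP_ADDR = "127.0.0.1";`, `BIND = "127.0.0.1:3051";` and `TARGET = "http://127.0.0.1:3050";`. The runner labels `node:22-bookworm` and `nixos/nix` are floating tags pulled onto the forge host itself; pinning them by digest keeps CI jobs from silently picking up a replaced image. For `tokenFile`, check the NixOS module's expected file format, since I recall it being loaded as an environment file with a `TOKEN=` line rather than a bare token, and the `"${…}"` interpolation around the path is redundant. The enclosing `services = { … }` set continues past the hunk.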
@@ -24,7 +24,6 @@ ++ [ (import ./remote-build.nix) ] ++ [ (import ./readarr.nix) ] ++ [ (import ./sharkey-proxy.nix) ] - ++ [ (import ./smokeping.nix) ] # ++ [ (import ./komga.nix) ] # ++ [ (import ./xmpp.nix) ] ++ [ (import ./tailscale.nix) ] From 550fa87fbc3dc3c88f9da9e9d3be927a1aa4c3ff Mon Sep 17 00:00:00 2001 From: Ahwx Date: Wed, 30 Jul 2025 14:20:03 +0200 Subject: [PATCH 07/12] feat: adds `prometheus` exporter for `smokeping` to see latency --- modules/services/monitoring.nix | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/modules/services/monitoring.nix b/modules/services/monitoring.nix index 43b5319..b24e67b 100644 --- a/modules/services/monitoring.nix +++ b/modules/services/monitoring.nix @@ -1,4 +1,4 @@ -{ config, ... }: +{ config, host, ... }: { services = { prometheus = { @@ -10,6 +10,15 @@ enabledCollectors = [ "systemd" ]; port = 9002; }; + smokeping = { + enable = true; + hosts = [ + "172.16.10.1" + "172.16.10.2" + "9.9.9.9" + "149.112.112.112" + ]; + }; }; scrapeConfigs = [ { @@ -20,6 +29,14 @@ } ]; } + { + job_name = "${host} - smokeping"; + static_configs = [ + { + targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.smokeping.port}" ]; + } + ]; + } ]; }; }; From a042d3790d0cdfb3eee694c46400a1aaee95b213 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Wed, 30 Jul 2025 14:23:14 +0200 Subject: [PATCH 08/12] sops: update --- secrets/violet/secrets.yaml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 secrets/violet/secrets.yaml diff --git a/secrets/violet/secrets.yaml b/secrets/violet/secrets.yaml new file mode 100644 index 0000000..1cfdb0b --- /dev/null +++ b/secrets/violet/secrets.yaml 
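Review bot: The new smokeping exporter sets no `listenAddress`, and the NixOS Prometheus exporter modules default that to `0.0.0.0` as far as I recall, so the metrics endpoint naming the internal targets `172.16.10.1` and `172.16.10.2` is reachable from every interface even though Prometheus only scrapes `127.0.0.1`; add `listenAddress = "127.0.0.1";` to the `smokeping` block (the node exporter in the context lines has the same gap). The exporter also needs raw-socket or ping capability to probe those hosts, which the module presumably grants; once confirmed, a comment such as `# sends ICMP probes; capability granted by the exporter module` saves the next reader a trip to nixpkgs. The `scrapeConfigs` list begins outside the hunk.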
@@ -0,0 +1,27 @@ +systemMailerPassword: ENC[AES256_GCM,data:b1fvCLZMiA9xDu/9BKQGnCTbwj46uixlo37qer66DK09U7CEB8ZBqe+Y+DqjcOJUHHHSo8Qk1XGvGQWypkGICxmxNP8KWvmY42Woh3677APvotUdjW5fVKTgB+Y1m/6/cvXKicJFjbw5LOzZ2/JcXP01KPSkRxWb/X4xzvawSMY=,iv:vbchTqHaH2PB9Mll/s8q4zLhN6ThAsCVvhoggOhj7H4=,tag:6b+TiV1YYHWOn0P9qJZ/bQ==,type:str] +forgejoWorkerSecret: ENC[AES256_GCM,data:kmUjukTJ9SP6nJvfhIMFVTu5vAc9TIfZidUgejC7FSNBDJiP/lVlHw==,iv:jF9LpWLxtBi5i5NCC5nkLeLqJQzOAIY7H1z2NfHqUQI=,tag:3mtTcn+LQEbCESlt34nf9g==,type:str] +matrixRegistrationSecret: ENC[AES256_GCM,data:xDFYVpBJa+FHWjmLlZspJAzJcoav53nWPoctQ5+gAnDYMurtSCkmoQn8r5j6fOmiy56KQyk8AD2/kT1HeFFNKA==,iv:82eIoh1ePc0VxfTbBPxpwGhYrcdRMI6WjFhlUJhxuHk=,tag:FAYUXUy0lEQU56ni2dxvbg==,type:str] +sops: + age: + - recipient: age1yzapmznelujajfyrpw5mxmy86ckg377494w5ap4yej39jatewursfxls9w + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXeG8vNWltdmJGcHhpMFVv + L2loTVRWeUVQMjdFbXlLdDZ4NWd2czlMa1JVClErdlhXdlJKSDFrakhqVjRQMlBx + RStBKzI3bHkzWlZrdkFTZFZvRjN0eFUKLS0tIGJFaTRkVGhSbmZSbEdYZEFWV2Fz + bytGVUhvL1dKNk41cytPajJMUFdXQmMKbJZ7RDB5MXqotaLrWABIKFs2wEZtIAVm + +k+ykISzj/XhhCt2J4IWbhPqRDlivsOLvQF1srNgk02/laE+0Nz5Pg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1zegau3chyn53tqvkwud6tuyggpkazc88pdkqv8cknavaudu49enqm2f0h3 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxMWV2NkVGSWR3UzBPWmFQ + S2lQRm9zZENGc29mN1VxT3hsb2c5d3k3ZGw4Ck5JWlpXQUU0WnhXT2ZocFZFSlkr + WjhZM214YVBDR3UzcU9SQ09ucWJDSUUKLS0tIE00aXVkeTQ5eG1TTTA2UnBuVnVB + S3pjSjlhZjZiSDBNakhLVzNKMjd3bWsKC2geLVXFp190lkjxtmZKq8aLN0XMNeAI + VqbwIY3a30iuWAaxqf8h1ZuCGJvbAZZBevFZraj9yktRHc54JV3Aww== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-30T11:20:39Z" + mac: 
ENC[AES256_GCM,data:BLP2Op9c2N9KuP6wAWT6TZZeHfUKF+J0FOtnoxfmG9yTViM21Jf39xxMvV4ZOtmp0pVFnV3NxT4So/dBpTObDe6Qv+X8Jsyt6voIQEXmah1FSol9ybUobYero1+5YmDwyGjQ6xTny+MRuG5hC7OAshVAtlFm+LH7/3hDgl6S6W8=,iv:D7FRlxPpy59jQYd5/sBT/DaFZo997GjlBKhJQldN6VY=,tag:dYsKOSjh14ZMbAOq6Vx6nQ==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2 From 525b24ac25668834048a61347d4fa12245b28083 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Wed, 30 Jul 2025 14:37:35 +0200 Subject: [PATCH 09/12] feat: set correct owner for `matrix-synapse` key --- modules/core/sops.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/modules/core/sops.nix b/modules/core/sops.nix index ddb6ee7..1e4847a 100644 --- a/modules/core/sops.nix +++ b/modules/core/sops.nix @@ -3,6 +3,7 @@ inputs, username, host, + config, ... }: { @@ -17,7 +18,9 @@ { "systemMailerPassword" = { }; "forgejoWorkerSecret" = { }; - "matrixRegistrationSecret" = { }; + "matrixRegistrationSecret" = { + owner = "matrix-synapse"; + }; } else if (host == "sakura") then { From 11992d9506d3781a4f6bda61a4588fd9fb982111 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Wed, 30 Jul 2025 14:37:59 +0200 Subject: [PATCH 10/12] sops: update --- secrets/violet/secrets.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/secrets/violet/secrets.yaml b/secrets/violet/secrets.yaml index 1cfdb0b..2d64eda 100644 --- a/secrets/violet/secrets.yaml +++ b/secrets/violet/secrets.yaml 
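Review bot: Only `matrixRegistrationSecret` gets an `owner`, while `systemMailerPassword` and `forgejoWorkerSecret` keep sops-nix's default of root-owned mode 0400; the Forgejo module's pre-start step substitutes `mailerPasswordFile` into `app.ini` as the `forgejo` user as far as I recall, so on violet it would be unable to read the mailer secret. If that is the case, mirror this change with `"systemMailerPassword" = { owner = "forgejo"; };` (or a `group` plus `mode = "0440"` if another service on the host also needs it), and leave `forgejoWorkerSecret` root-owned since systemd reads it before dropping privileges. The `if` branch this hunk edits and the `secrets =` expression around it start and end outside the hunk.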
@@ -21,7 +21,7 @@ sops: S3pjSjlhZjZiSDBNakhLVzNKMjd3bWsKC2geLVXFp190lkjxtmZKq8aLN0XMNeAI VqbwIY3a30iuWAaxqf8h1ZuCGJvbAZZBevFZraj9yktRHc54JV3Aww== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-07-30T11:20:39Z" - mac: ENC[AES256_GCM,data:BLP2Op9c2N9KuP6wAWT6TZZeHfUKF+J0FOtnoxfmG9yTViM21Jf39xxMvV4ZOtmp0pVFnV3NxT4So/dBpTObDe6Qv+X8Jsyt6voIQEXmah1FSol9ybUobYero1+5YmDwyGjQ6xTny+MRuG5hC7OAshVAtlFm+LH7/3hDgl6S6W8=,iv:D7FRlxPpy59jQYd5/sBT/DaFZo997GjlBKhJQldN6VY=,tag:dYsKOSjh14ZMbAOq6Vx6nQ==,type:str] + lastmodified: "2025-07-30T12:37:11Z" + mac: ENC[AES256_GCM,data:pGnJaFRqa3sjouALSjy8+ClhqE+RNR4b5SMLKB356WtnHtALrGnd/RzPTMyLLTOht1td1Fk5jY8WoUy225qqfI1yy0Mne+qtnFqd9++XTmiY1b7ARBeNvvM/mMuZyp34Mz8WLx+imrLcX6TAlpRZ/SWtv5BE9nleHCwpNvFpqfc=,iv:q8bKIFQd6dRSDBk3qhipOK0E/4NZgIcVCo4Mwu9Ddf8=,tag:JjL3sFxSMx4dp1Swt2lbvg==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2 From 146176af45b3eadc8c2d6baedc581ee00f483798 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Wed, 30 Jul 2025 14:49:19 +0200 Subject: [PATCH 11/12] chore: remove unused files --- modules/services/matrix/secrets.yaml | 3 --- 1 file changed, 3 deletions(-) delete mode 100644 modules/services/matrix/secrets.yaml diff --git a/modules/services/matrix/secrets.yaml b/modules/services/matrix/secrets.yaml deleted file mode 100644 index 357c281..0000000 --- a/modules/services/matrix/secrets.yaml +++ /dev/null @@ -1,3 +0,0 @@ -registration_shared_secret: "" - -report_stats: false From 4358dd95b9c5d1c42f7520a8acf1f6804c4cedfa Mon Sep 17 00:00:00 2001 From: Ahwx Date: Wed, 30 Jul 2025 14:49:53 +0200 Subject: [PATCH 12/12] chore: remove things from gitignore --- .gitignore | 1 - 1 file changed, 1 deletion(-) diff --git a/.gitignore b/.gitignore index 7ab9c97..b2be92b 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1 @@ -modules/services/matrix/default.nix result