diff --git a/modules/nixos/networking/default.nix b/modules/nixos/networking/default.nix
index 05c4e92..a758050 100644
--- a/modules/nixos/networking/default.nix
+++ b/modules/nixos/networking/default.nix
@@ -6,6 +6,7 @@ inherit (lib.modules) mkDefault mkForce; in { imports = [
+ ./tailscale.nix
 ]; networking = {
@@ -15,5 +16,13 @@ in { useNetworkd = mkForce true; usePredictableInterfaceNames = mkDefault true;
+
+ nameservers = [
+ "1.1.1.1"
+ "1.0.0.1"
+ "9.9.9.9"
+ ];
+
+ enableIPv6 = true;
 }; }
diff --git a/modules/nixos/networking/tailscale.nix b/modules/nixos/networking/tailscale.nix
new file mode 100644
index 0000000..d4c4927
--- /dev/null
+++ b/modules/nixos/networking/tailscale.nix
@@ -0,0 +1,33 @@
+{
+ lib,
+ pkgs,
+ config,
+ ...
+}: let
+ inherit (lib.modules) mkIf mkDefault;
+ inherit (lib.options) mkEnableOption;
+ inherit (config.services) tailscale;
+
+ sys = config.olympus.system.networking;
+ cfg = sys.tailscale;
+in {
+ options.olympus.system.networking.tailscale = {
+ enable = mkEnableOption "Tailscale";
+ };
+
+ config = mkIf cfg.enable {
+ environment.systemPackages = [pkgs.tailscale];
+
+ networking.firewall = {
+ # always allow traffic from your Tailscale network
+ trustedInterfaces = ["${tailscale.interfaceName}"];
+ checkReversePath = "loose";
+ };
+
+ services.tailscale = {
+ enable = true;
+ openFirewall = true;
+ useRoutingFeatures = mkDefault "server";
+ };
+ };
+}
diff --git a/modules/nixos/services/hosted/forgejo.nix b/modules/nixos/services/hosted/forgejo.nix
index becd2a3..8a84f69 100644
--- a/modules/nixos/services/hosted/forgejo.nix
+++ b/modules/nixos/services/hosted/forgejo.nix
@@ -121,7 +121,7 @@ in { caddy.virtualHosts.${cfg.domain} = { extraConfig = ''
- reverse_proxy localhost:3000
+ reverse_proxy localhost:${toString cfg.port}
 ''; }; };
diff --git a/modules/nixos/services/hosted/uptime-kuma.nix b/modules/nixos/services/hosted/uptime-kuma.nix
index 50642b0..e6abc56 100644
--- a/modules/nixos/services/hosted/uptime-kuma.nix
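Review bot: In the second hunk, `nameservers` and `enableIPv6` are assigned plain values while the neighbouring `usePredictableInterfaceNames = mkDefault true;` leaves room for per-host overrides, so a host that needs a different resolver list has to reach for `mkForce`; `nameservers = mkDefault [ … ];` and `enableIPv6 = mkDefault true;` keep the module's convention. The three resolvers are queried over plain UDP/53, and with `useNetworkd` forced on here the usual way to encrypt upstream lookups is systemd-resolved with `services.resolved.dnsovertls` set — I believe that option exists in current NixOS, confirm before relying on it. A one-line comment naming why these three are pinned for every host importing this module would also help, e.g. `# public resolvers pinned for all hosts importing this module`. The enclosing `networking` set begins before the hunk.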
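Review bot: `trustedInterfaces = ["${tailscale.interfaceName}"]` turns the host firewall off for the tailscale interface, so every listener bound to a non-loopback address is reachable from any tailnet peer, and the comment above it understates that; I would reword it to `# tailnet peers bypass the host firewall entirely on this interface; narrow to interfaces.<name>.allowedTCPPorts if only some services should be reachable`. `checkReversePath = "loose"` is host-wide rather than per-interface, and as far as I recall the upstream tailscale module only needs it for `useRoutingFeatures = "client"`/`"both"`, so with the `"server"` default here it looks like an unneeded relaxation — verify against the module before dropping it. `useRoutingFeatures = mkDefault "server"` also (as I recall) enables IP forwarding on every host that enables this option, which deserves a one-line comment saying it is intended. Style: `["${tailscale.interfaceName}"]` can simply be `[tailscale.interfaceName]`.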
+++ b/modules/nixos/services/hosted/uptime-kuma.nix
@@ -24,7 +24,7 @@ in { services.caddy.virtualHosts.${cfg.domain} = { extraConfig = ''
- reverse_proxy localhost:${cfg.port}
+ reverse_proxy localhost:${toString cfg.port}
 ''; }; };
diff --git a/modules/nixos/services/hosted/vaultwarden.nix b/modules/nixos/services/hosted/vaultwarden.nix
index 0967ef4..a9239f7 100644
--- a/modules/nixos/services/hosted/vaultwarden.nix
+++ b/modules/nixos/services/hosted/vaultwarden.nix
@@ -1 +1,54 @@
-{}
+{
+ lib,
+ config,
+ ...
+}: let
+ inherit (lib) template;
+ inherit (lib.modules) mkIf;
+ inherit (lib.services) mkServiceOption;
+ inherit (lib.secrets) mkSecret;
+
+ rdomain = config.networking.domain;
+ cfg = config.olympus.services.vaultwarden;
+in {
+ options.olympus.services.vaultwarden = mkServiceOption "vaultwarden" {
+ port = 8222;
+ domain = "vault.${rdomain}";
+ };
+
+ config = mkIf cfg.enable {
+ age.secrets.vaultwarden-env = mkSecret {
+ file = "vaultwarden-env";
+ owner = "vaultwarden";
+ group = "vaultwarden";
+ };
+
+ services = {
+ vaultwarden = {
+ enable = true;
+ environmentFile = config.age.secrets.vaultwarden-env.path;
+
+ config = {
+ DOMAIN = "https://${cfg.domain}";
+ ROCKET_ADDRESS = cfg.host;
+ ROCKET_PORT = cfg.port;
+ extendedLogging = true;
+ invitationsAllowed = true;
+ useSyslog = true;
+ logLevel = "warn";
+ showPasswordHint = false;
+ SIGNUPS_ALLOWED = false;
+ signupsAllowed = false;
+ signupsDomainsWhitelist = "${rdomain}";
+ dataDir = "/var/lib/vaultwarden";
+ };
+ };
+
+ caddy.virtualHosts.${cfg.domain} = {
+ extraConfig = ''
+ reverse_proxy localhost:${toString cfg.port}
+ '';
+ };
+ };
+ };
+}
diff --git a/secrets/default.nix b/secrets/default.nix
index e4af4b4..b49380b 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -4,4 +4,5 @@ let users = [pingu elissa]; in { "forgejo-runner-token.age".publicKeys = [pingu];
+ "vaultwarden-env.age".publicKeys = [pingu];
 }
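Review bot: `ROCKET_ADDRESS = cfg.host` makes Vaultwarden listen on whatever `mkServiceOption` provides as `host` (not visible here) while Caddy proxies to `localhost:${toString cfg.port}`; if that value is not a loopback address the Rocket port is reachable directly, bypassing Caddy and TLS, and if it is loopback the proxy target only happens to agree — `reverse_proxy ${cfg.host}:${toString cfg.port}` or an explicit `ROCKET_ADDRESS = "127.0.0.1";` would make the intent visible. `signupsDomainsWhitelist = "${rdomain}"` lets anyone with an address under the host domain self-register even though `signupsAllowed` is `false` (that is how Vaultwarden treats the whitelist), and nothing here configures SMTP or `SIGNUPS_VERIFY`, so the address is never verified; drop the whitelist if the instance is meant to be invitation-only. `SIGNUPS_ALLOWED` and `signupsAllowed` should collapse to the same variable under the module's camelCase conversion, so one of them is redundant — keep the camelCase form used by the rest of the set. `inherit (lib) template;` is unused, and `dataDir` converts to `DATA_DIR`, which I believe Vaultwarden ignores (its setting is `DATA_FOLDER`) — confirm against the module, which already manages the state directory.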
diff --git a/systems/theia/default.nix b/systems/theia/default.nix
index 21c8583..13cc6f1 100644
--- a/systems/theia/default.nix
+++ b/systems/theia/default.nix
@@ -20,6 +20,11 @@ initrd.enableTweaks = true; plymouth.enable = false; };
+ networking = {
+ tailscale = {
+ enable = true;
+ };
+ };
 }; }; }
diff --git a/systems/theia/overrides.nix b/systems/theia/overrides.nix
index 5a9ee99..23b96aa 100644
--- a/systems/theia/overrides.nix
+++ b/systems/theia/overrides.nix
@@ -1,10 +1,11 @@ { lib, pkgs,
+ config,
 modulesPath, ... }: let
- inherit (lib.modules) mkForce;
+ inherit (lib.modules) mkForce mkIf;
 in { imports = [(modulesPath + "/profiles/qemu-guest.nix")];
@@ -12,6 +13,18 @@ in { services = { smartd.enable = mkForce false; # Unavailable - device lacks SMART capability. qemuGuest.enable = true;
+
+ networkd-dispatcher = mkIf config.olympus.system.networking.tailscale.enable {
+ enable = true;
+ rules."50-tailscale" = {
+ onState = ["routable"];
+ script = ''
+ ${
+ lib.getExe pkgs.ethtool
+ } -K ens3 rx-udp-gro-forwarding on rx-gro-list off
+ '';
+ };
+ };
 }; systemd.services.qemu-guest-agent.path = [pkgs.shadow];
diff --git a/systems/theia/services.nix b/systems/theia/services.nix
index bbc1c81..17e4dda 100644
--- a/systems/theia/services.nix
+++ b/systems/theia/services.nix
@@ -2,5 +2,7 @@ olympus.services = { caddy.enable = true; forgejo.enable = true;
+ uptime-kuma.enable = true;
+ vaultwarden.enable = true;
 }; }
diff --git a/systems/theia/users.nix b/systems/theia/users.nix
index cf908bc..dff3158 100644
--- a/systems/theia/users.nix
+++ b/systems/theia/users.nix
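Review bot: The `50-tailscale` rule hard-codes `ens3` but `onState = ["routable"]` fires for every interface that becomes routable (including the tailscale interface itself), so ethtool runs on each such event and fails outright on any host where the uplink is not `ens3`. networkd-dispatcher passes the triggering interface in the `IFACE` environment variable, so guarding the script with `[ "$IFACE" = ens3 ] || exit 0` scopes it to the uplink — confirm the variable name against the dispatcher's docs — and binding the interface name once in a `let` makes the assumption visible. Style: the `${ lib.getExe pkgs.ethtool }` interpolation split across three lines is hard to read; `${lib.getExe pkgs.ethtool} -K ens3 rx-udp-gro-forwarding on rx-gro-list off` fits on one. The `services` set ends inside the hunk, but the module continues past it.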
@@ -1,5 +1,52 @@
-{
+{pkgs, ...}: {
 olympus.system = { mainUser = "pingu"; };
+
+ users = {
+ users.root = {
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILPbmiNqoyeKXk/VopFm2cFfEnV4cKCFBhbhyYB69Fuu"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILLqPq70t6RbnI8UejEshYcfBP66I4OrLFjvGLLfIEXD"
+ ];
+ };
+
+ users.pingu = {
+ isNormalUser = true;
+ extraGroups = ["wheel"];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILPbmiNqoyeKXk/VopFm2cFfEnV4cKCFBhbhyYB69Fuu"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILLqPq70t6RbnI8UejEshYcfBP66I4OrLFjvGLLfIEXD"
+ ];
+ };
+
+ users.minecraft = {
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILPbmiNqoyeKXk/VopFm2cFfEnV4cKCFBhbhyYB69Fuu" # nyx
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILLqPq70t6RbnI8UejEshYcfBP66I4OrLFjvGLLfIEXD" # laptop
+ "ssh-rsa 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" # slogo laptop
+ "ssh-rsa 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" # slogo desktop
+ ];
+ packages = with pkgs; [
+ openjdk21
+ openjdk17
+ screen
+ ];
+ };
+ };
+
+ environment.systemPackages = with pkgs; [
+ git
+ curl
+ bat
+ neovim
+ btop
+ zip
+ jq
+ busybox
+ fish
+ ethtool
+ networkd-dispatcher
+ ];
 }
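Review bot: `users.root.openssh.authorizedKeys.keys` enables direct key-based root login with the same two keys that `pingu` (a `wheel` member) already holds, so it adds no capability and removes the per-user audit trail; I would drop the root entry and state the policy explicitly with `services.openssh.settings.PermitRootLogin = "prohibit-password";` (or `"no"`). The `minecraft` account is `isNormalUser = true` with four keys, two of them from a third party (`slogo`), which gives those keys an interactive shell on the host; if the account only runs a game server, a restricted `shell` or a forced command on those keys would bound what they can do. `busybox` in `environment.systemPackages` puts its applets on every user's PATH next to coreutils, which is a known source of subtly different tool behaviour depending on package priority — worth a comment if intended. The duplicated key strings could be bound once in a `let`, and `ethtool`/`networkd-dispatcher` belong beside the dispatcher rule in `overrides.nix` rather than in users.nix.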