Services: add tailscale, kuma, vw and forgejo to Theia

modules/nixos/networking/default.nix

@@ -6,6 +6,7 @@
   inherit (lib.modules) mkDefault mkForce;
 in {
   imports = [
+    ./tailscale.nix
   ];
 
   networking = {
@@ -15,5 +16,13 @@ in {
     useNetworkd = mkForce true;
 
     usePredictableInterfaceNames = mkDefault true;
+
+    nameservers = [
+      "1.1.1.1"
+      "1.0.0.1"
+      "9.9.9.9"
+    ];
+
+    enableIPv6 = true;
   };
 }

modules/nixos/networking/tailscale.nix

@@ -0,0 +1,33 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}: let
+  inherit (lib.modules) mkIf mkDefault;
+  inherit (lib.options) mkEnableOption;
+  inherit (config.services) tailscale;
+
+  sys = config.olympus.system.networking;
+  cfg = sys.tailscale;
+in {
+  options.olympus.system.networking.tailscale = {
+    enable = mkEnableOption "Tailscale";
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = [pkgs.tailscale];
+
+    networking.firewall = {
+      # always allow traffic from your Tailscale network
+      trustedInterfaces = ["${tailscale.interfaceName}"];
+      checkReversePath = "loose";
+    };
+
+    services.tailscale = {
+      enable = true;
+      openFirewall = true;
+      useRoutingFeatures = mkDefault "server";
+    };
+  };
+}

modules/nixos/services/hosted/forgejo.nix

@@ -121,7 +121,7 @@ in {
 
       caddy.virtualHosts.${cfg.domain} = {
         extraConfig = ''
-          reverse_proxy localhost:3000
+          reverse_proxy localhost:${toString cfg.port}
         '';
       };
     };

modules/nixos/services/hosted/uptime-kuma.nix

@@ -24,7 +24,7 @@ in {
 
     services.caddy.virtualHosts.${cfg.domain} = {
       extraConfig = ''
-        reverse_proxy localhost:${cfg.port}
+        reverse_proxy localhost:${toString cfg.port}
       '';
     };
   };

modules/nixos/services/hosted/vaultwarden.nix

@@ -1 +1,54 @@
-{}
+{
+  lib,
+  config,
+  ...
+}: let
+  inherit (lib) template;
+  inherit (lib.modules) mkIf;
+  inherit (lib.services) mkServiceOption;
+  inherit (lib.secrets) mkSecret;
+
+  rdomain = config.networking.domain;
+  cfg = config.olympus.services.vaultwarden;
+in {
+  options.olympus.services.vaultwarden = mkServiceOption "vaultwarden" {
+    port = 8222;
+    domain = "vault.${rdomain}";
+  };
+
+  config = mkIf cfg.enable {
+    age.secrets.vaultwarden-env = mkSecret {
+      file = "vaultwarden-env";
+      owner = "vaultwarden";
+      group = "vaultwarden";
+    };
+
+    services = {
+      vaultwarden = {
+        enable = true;
+        environmentFile = config.age.secrets.vaultwarden-env.path;
+
+        config = {
+          DOMAIN = "https://${cfg.domain}";
+          ROCKET_ADDRESS = cfg.host;
+          ROCKET_PORT = cfg.port;
+          extendedLogging = true;
+          invitationsAllowed = true;
+          useSyslog = true;
+          logLevel = "warn";
+          showPasswordHint = false;
+          SIGNUPS_ALLOWED = false;
+          signupsAllowed = false;
+          signupsDomainsWhitelist = "${rdomain}";
+          dataDir = "/var/lib/vaultwarden";
+        };
+      };
+
+      caddy.virtualHosts.${cfg.domain} = {
+        extraConfig = ''
+          reverse_proxy localhost:${toString cfg.port}
+        '';
+      };
+    };
+  };
+}

secrets/default.nix

@@ -4,4 +4,5 @@ let
   users = [pingu elissa];
 in {
   "forgejo-runner-token.age".publicKeys = [pingu];
+  "vaultwarden-env.age".publicKeys = [pingu];
 }

systems/theia/default.nix

@@ -20,6 +20,11 @@
         initrd.enableTweaks = true;
         plymouth.enable = false;
       };
+      networking = {
+        tailscale = {
+          enable = true;
+        };
+      };
     };
   };
 }

systems/theia/overrides.nix

@@ -1,10 +1,11 @@
 {
   lib,
   pkgs,
+  config,
   modulesPath,
   ...
 }: let
-  inherit (lib.modules) mkForce;
+  inherit (lib.modules) mkForce mkIf;
 in {
   imports = [(modulesPath + "/profiles/qemu-guest.nix")];
 
@@ -12,6 +13,18 @@ in {
     services = {
       smartd.enable = mkForce false; # Unavailable - device lacks SMART capability.
       qemuGuest.enable = true;
+
+      networkd-dispatcher = mkIf config.olympus.system.networking.tailscale.enable {
+        enable = true;
+        rules."50-tailscale" = {
+          onState = ["routable"];
+          script = ''
+            ${
+              lib.getExe pkgs.ethtool
+            } -K ens3 rx-udp-gro-forwarding on rx-gro-list off
+          '';
+        };
+      };
     };
     systemd.services.qemu-guest-agent.path = [pkgs.shadow];
 

systems/theia/services.nix

@@ -2,5 +2,7 @@
   olympus.services = {
     caddy.enable = true;
     forgejo.enable = true;
+    uptime-kuma.enable = true;
+    vaultwarden.enable = true;
   };
 }

systems/theia/users.nix

@@ -1,5 +1,52 @@
-{
+{pkgs, ...}: {
   olympus.system = {
     mainUser = "pingu";
   };
+
+  users = {
+    users.root = {
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILPbmiNqoyeKXk/VopFm2cFfEnV4cKCFBhbhyYB69Fuu"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILLqPq70t6RbnI8UejEshYcfBP66I4OrLFjvGLLfIEXD"
+      ];
+    };
+
+    users.pingu = {
+      isNormalUser = true;
+      extraGroups = ["wheel"];
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILPbmiNqoyeKXk/VopFm2cFfEnV4cKCFBhbhyYB69Fuu"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILLqPq70t6RbnI8UejEshYcfBP66I4OrLFjvGLLfIEXD"
+      ];
+    };
+
+    users.minecraft = {
+      isNormalUser = true;
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILPbmiNqoyeKXk/VopFm2cFfEnV4cKCFBhbhyYB69Fuu" # nyx
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILLqPq70t6RbnI8UejEshYcfBP66I4OrLFjvGLLfIEXD" # laptop
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDbAlKwToOiUT6zA6qdgETTuJVRFeSjkBJWLzUWLLAtQZnPJ4gWZMxcHbkoPryY6L5DnibmqliLnAw2cjaREJw3BJ8Di0W1UdSZqZZejipjkfBBDLadckkv6WTskShyCtN/Mum8hkBMbGFrWXSM+8MPEj6pS8WgRnrHjDR27tIyUkP+f6n2B7g8z34o26jmKkIC+cLV5D3IhRhVpi49oPqrI59aWWw6ikOSITdLfdIuNxmlgD9cVhWnVohPp2hfoYF5VwIpWYUwL1zkQdiBvCXKT35DqQLy/jKcHegVHk5ZLeaZlaZ7dyiu5xnQUuTgg6m9r1VW+E3XHuRNp33SMhkGs/LVJWtx0fAEzlQDfQQl9SE2k6XXffZYSeOgFO8hYatGrfZ2Dx4yeacFnckitJglyq8SjIn5lUB4UN/48iD6v1thf0LyOy279LKsbmL90nNrRHP7ByFOTwAb1IsGMARAGeMLZfyvaOOSSfRfm0NqCpi1CV9vX5qwG3w34ifirDs=" # slogo laptop
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDAu9nk21JNaOTGBeUw3AOF0uA0ErcMf/2hvjUASXuPcBf9gI7huy0RXPvWO7JiOUorYdqMo9zB792tso4+o0RMYoAKC1A+AP0L1w8uKs4KdhbWsduEZhT3Nmp4OSFhi+Ycv2ZK6MQ52k9OVAbjT2xzyE7GSZHTPFVszr03bpeFkgDE/9K7px6r/KPKrXOn7DMRbgXkyjkOOhB8cCGW8VbJDVwz1/M3p1gfIQDZIcGvt5b6CjcuOyfYPORlcVUdRNVLxdHio4YLjKu6w2M74tVaEvRBb5fl+OTztDyENyEiGo2Pr5xYew5oIuVG4+pZZUpjxOPB+uWr8tPct/kuq/hxqJ5byrsv+bW4CNWlRxKiHC0SLtIlkEXKbCIs0IvEjbFv3tS+wSCU9qdb39yZUXknc09GUmd8ZNfsmPNAg4+1irTfSy7R24Wi76B/dEMyb6TUKm1zUfRRnTCTngr7WZAn/UcPDvwUduJu64h99TRWOtU9T2ih33xkfk3zCJpME5s=" # slogo desktop
+      ];
+      packages = with pkgs; [
+        openjdk21
+        openjdk17
+        screen
+      ];
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    git
+    curl
+    bat
+    neovim
+    btop
+    zip
+    jq
+    busybox
+    fish
+    ethtool
+    networkd-dispatcher
+  ];
 }