diff --git a/base.nix b/base.nix index 91787b6..8a73bca 100644 --- a/base.nix +++ b/base.nix @@ -31,4 +31,32 @@ environment.variables.EDITOR = "nvim"; + + security.pki.certificates = [ +''-----BEGIN CERTIFICATE----- +MIIByzCCAXKgAwIBAgIQAcJCOR+99m5v3dHWQw5m9jAKBggqhkjOPQQDAjAwMRIw +EAYDVQQKEwlTYXVtb25OZXQxGjAYBgNVBAMTEVNhdW1vbk5ldCBSb290IENBMB4X +DTIyMDQyNDIwMDE1MFoXDTMyMDQyMTIwMDE1MFowODESMBAGA1UEChMJU2F1bW9u +TmV0MSIwIAYDVQQDExlTYXVtb25OZXQgSW50ZXJtZWRpYXRlIENBMFkwEwYHKoZI +zj0CAQYIKoZIzj0DAQcDQgAE5Sk6vYJcYlh4aW0vAN84MWr84TTVTTdsM2s8skH6 +7fDsqNMb7FMwUMEAFwQRiADjYy3saU2Dogh2ESuB1dDFFqNmMGQwDgYDVR0PAQH/ +BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFO5iTfZiutpsM7ja +mP3yuMIy6iNTMB8GA1UdIwQYMBaAFBWOQHe4eAeothQTmTNKiG/pAowGMAoGCCqG +SM49BAMCA0cAMEQCICu8u19I7RMfnQ7t3QXHP5fdUm/fX/puqF+jYSf9SZEoAiBc +oVcd0OfuAExWHhOMUZ0OV4bws9WCax333I+Pg4nDNw== +-----END CERTIFICATE-----'' +''-----BEGIN CERTIFICATE----- +MIIBpTCCAUqgAwIBAgIRALevKnnElllot/cRNGjnUqUwCgYIKoZIzj0EAwIwMDES +MBAGA1UEChMJU2F1bW9uTmV0MRowGAYDVQQDExFTYXVtb25OZXQgUm9vdCBDQTAe +Fw0yMjA0MjQyMDAxNDlaFw0zMjA0MjEyMDAxNDlaMDAxEjAQBgNVBAoTCVNhdW1v +bk5ldDEaMBgGA1UEAxMRU2F1bW9uTmV0IFJvb3QgQ0EwWTATBgcqhkjOPQIBBggq +hkjOPQMBBwNCAAQG356Ui437dBTSOiJILKjVkwrJMsXN3eba/T1N+IJeqRBfigo7 +BW9YZfs1xIbMZ5wL0Zc/DsSEo5xCC7j4YaXro0UwQzAOBgNVHQ8BAf8EBAMCAQYw +EgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUFY5Ad7h4B6i2FBOZM0qIb+kC +jAYwCgYIKoZIzj0EAwIDSQAwRgIhALdsEqiRa4ak5Cnin6Tjnel5uOiHSjoC6LKf +VfXtULncAiEA2gmqdr+ugFz5tvPdKwanroTiMTUMhhCRYVlQlyTApyQ= +-----END CERTIFICATE-----'']; + + + } diff --git a/flake.lock b/flake.lock index f6cb534..d67deef 100644 --- a/flake.lock +++ b/flake.lock @@ -19,11 +19,11 @@ "flake-compat": { "flake": false, "locked": { - "lastModified": 1648199409, - "narHash": "sha256-JwPKdC2PoVBkG6E+eWw3j6BMR6sL3COpYWfif7RVb8Y=", + "lastModified": 1650374568, + "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", "owner": "edolstra", "repo": "flake-compat", - "rev": "64a525ee38886ab9028e6f61790de0832aa3ef03", + "rev": "b4a34015c698c7793d592d66adbab377907a2be8", "type": "github" }, "original": { @@ -54,11 +54,11 @@ ] }, "locked": { - "lastModified": 1648917498, - "narHash": "sha256-fdyVHsP6XeyCk9FRyjV6Wv+7qiOzWxykGXdNixadvyg=", + "lastModified": 1651886851, + "narHash": "sha256-kbXOJSf1uho0/7P54nZkJdJY3oAelIjyc6tfiRhaXJI=", "owner": "nix-community", "repo": "home-manager", - "rev": "cfab869fcebc56710be6ec3aca76036b25c04a0d", + "rev": "882bd8118bdbff3a6e53e5ced393932b351ce2f6", "type": "github" }, "original": { @@ -93,11 +93,11 @@ }, "locked": { "dir": "contrib", - "lastModified": 1648949219, - "narHash": "sha256-gJrYhdeC7wuNMWJtILUqm+FjzaBock+RHhgMCHL6IwQ=", + "lastModified": 1652071951, + "narHash": "sha256-jg/O2yBPJ/xR6hKZI4zPJlz8mKjdgKQcqQmBeY9n2js=", "owner": "neovim", "repo": "neovim", - "rev": "6786b6afade97771027fda3c1438969def320cc5", + "rev": "dbdd58e548fcf55848359b696275fd848756db7b", "type": "github" }, "original": { @@ -116,11 +116,11 @@ ] }, "locked": { - "lastModified": 1648973670, - "narHash": "sha256-MJNofHXSKFMGwHe4P4zE+u/4wijTOEABg2dQ82Uj4xI=", + "lastModified": 1652084226, + "narHash": "sha256-WH2x3RJ0s3d48jA0GeIEhhhyG9e4rEmtxh0JIONCVVU=", "owner": "nix-community", "repo": "neovim-nightly-overlay", - "rev": "89d60799d43d847d7a88a8485e96731d1fe2d685", + "rev": "6ad5194b7229f5d3b6db529844fa194e9e8b61f7", "type": "github" }, "original": { @@ -131,11 +131,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1648965846, - "narHash": "sha256-xaO0KS+sgZLYrhaQNjVe6eRcOUIM1mEkAjT+dRbPblU=", + "lastModified": 1652020977, + "narHash": "sha256-9hDlNbrxzD/pLlXmoQ6gzxbYiSAKrj7uHYUWNByLFlI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "0aac710801aec4ba545527cf41a5706028fe6271", + "rev": "3c5ae9be1f18c790ea890ef8decbd0946c0b4c04", "type": "github" }, "original": { @@ -177,11 +177,11 @@ }, "nur": { "locked": { - "lastModified": 1649009781, - "narHash": "sha256-dmv0fFFdpVxuviWqeb2X2/Tvx/ItUZNFKeaMakHppdM=", + "lastModified": 1652113343, + "narHash": "sha256-/oWymhWXVJvctnaplziyZP9DlNIdn6K6TX/PjosO1ZE=", "owner": "nix-community", "repo": "NUR", - "rev": "42e253bf9ae7d494c1fe6fb346dbb19b324d4dd3", + "rev": "405e40de38a8f2c6929fec436c01450b373912fe", "type": "github" }, "original": { @@ -233,11 +233,11 @@ ] }, "locked": { - "lastModified": 1647279403, - "narHash": "sha256-ZsHfMah9+TElcjaENsaOIFHBNNtSbXmyLFVbiJiAECs=", + "lastModified": 1649756291, + "narHash": "sha256-KTll8bCINAzIUGaaMrbn9wb5nfhkXRLgmFrWGR/Dku0=", "owner": "Mic92", "repo": "sops-nix", - "rev": "c01f48b055ac776f9831c9d4a0fff83e3b74dbe3", + "rev": "c2614c4fe61943b3d280ac1892fcebe6e8eaf8c8", "type": "github" }, "original": { @@ -248,11 +248,11 @@ }, "unstable": { "locked": { - "lastModified": 1648632716, - "narHash": "sha256-kCmnDeiaMsdhfnNKjxdOzwRh2H6eQb8yWAL+nNabC/Y=", + "lastModified": 1651726670, + "narHash": "sha256-dSGdzB49SEvdOJvrQWfQYkAefewXraHIV08Vz6iDXWQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "710fed5a2483f945b14f4a58af2cd3676b42d8c8", + "rev": "c777cdf5c564015d5f63b09cc93bef4178b19b01", "type": "github" }, "original": { diff --git a/lib/default.nix b/lib/default.nix index 28bbfc7..0764b5a 100644 --- a/lib/default.nix +++ b/lib/default.nix @@ -35,6 +35,7 @@ in htpdate = prev.pkgs.callPackage ../packages/htpdate { }; authelia = prev.pkgs.callPackage ../packages/authelia { }; paperless-ng = prev.pkgs.callPackage ../packages/paperless-ng { }; + tailscale = prev.unstable.tailscale; }) inputs.neovim-nightly-overlay.overlay ]; @@ -57,14 +58,14 @@ in mkVPNSubdomain = name: port: { luj.nginx.enable = true; + security.acme.certs."${name}.luj".server = "https://ca.luj:8443/acme/acme/directory"; services.nginx.virtualHosts."${name}.luj" = { - sslCertificate = "/etc/nginx/certs/${name}.luj/cert.pem"; - sslCertificateKey = "/etc/nginx/certs/${name}.luj/key.pem"; forceSSL = true; + enableACME = true; locations."/" = { proxyPass = "http://localhost:${toString port}"; extraConfig = '' - allow 10.100.0.0/24; + allow 100.10.10.0/8; deny all; ''; }; diff --git a/lib/luj.nix b/lib/luj.nix index a8716ba..62c459f 100644 --- a/lib/luj.nix +++ b/lib/luj.nix @@ -21,6 +21,7 @@ lib: with lib; let _module.freeformType = with types; attrs; domain = "julienmalka.me"; + internalDomain = "luj"; machines = { lisa = { diff --git a/machines/lisa/default.nix b/machines/lisa/default.nix index f92f4ab..0b4c4fd 100644 --- a/machines/lisa/default.nix +++ b/machines/lisa/default.nix @@ -51,6 +51,14 @@ }; + + # make the tailscale command usable to users + environment.systemPackages = [ pkgs.tailscale ]; + + # enable the tailscale service + services.tailscale.enable = true; + + nix.maxJobs = lib.mkDefault 4; boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; @@ -69,7 +77,14 @@ prefixLength = 120; }]; - networking.nameservers = [ "10.100.0.2" ]; + networking.nameservers = [ "100.127.245.71" "9.9.9.9" ]; + environment.etc."resolv.conf" = with lib; with pkgs; { + source = writeText "resolv.conf" '' + ${concatStringsSep "\n" (map (ns: "nameserver ${ns}") config.networking.nameservers)} + options edns0 + ''; + }; + networking.hostId = "fbb334ae"; services.zfs.autoSnapshot.enable = true; services.zfs.autoScrub.enable = true; @@ -77,77 +92,13 @@ system.stateVersion = "21.11"; - networking.firewall = { - allowedUDPPorts = [ 51820 ]; - }; - networking.nat.enable = true; - networking.nat.externalInterface = "ens20"; - networking.nat.internalInterfaces = [ "wg0" ]; - networking.wireguard.interfaces = { - wg0 = { - ips = [ "10.100.0.1/24" ]; - listenPort = 51820; - postSetup = '' - ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens20 -j MASQUERADE - ''; - - # This undoes the above command - postShutdown = '' - ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens20 -j MASQUERADE - ''; - - privateKeyFile = "/root/wg-private"; - peers = [ - { - allowedIPs = [ "10.100.0.2/32" ]; - publicKey = "WQoOWKT6VFn9p8vyLdI1n8tg8IRX1t7tCWXOa1zcHRU="; - } - { - allowedIPs = [ "10.100.0.3/32" ]; - publicKey = "Pp4dQhhdokqYD1JBh+HLoqBbC+FEs64qzXHWfXyu2VE="; - } - { - allowedIPs = [ "10.100.0.4/32" ]; - publicKey = "1d10sX645HAbXeXbvAs2zgjsoYgfg7d2UCQV1xKoY3s="; - } - { - allowedIPs = [ "10.100.0.5/32" ]; - publicKey = "3BlHbLcL05UObnlIWrC/TMjZKdxrH8HTm8h0xxzAWA8="; - } - { - allowedIPs = [ "10.100.0.6/32" ]; - publicKey = "ifMWTkMWpjibnthrRNPtfp2xcgqGQGng3XieVO7Lvzg="; - } - { - allowedIPs = [ "10.100.0.7/32" ]; - publicKey = "TAIP4faPBx6gk1cifC6fdfIP6slo1ir+HMVKxQXBejo="; - } - { - allowedIPs = [ "10.100.0.8/32" ]; - publicKey = "EmWRWnZfr60ekm4ZLdwa6gXU6V3p39p6tWOZ03dL+DA="; - } - { - allowedIPs = [ "10.100.0.9/32" ]; - publicKey = "z85y4nc+7O7t2I4VqP0SAKJOD46PlkXoEPiuGOBS+SI="; - } - { - allowedIPs = [ "10.100.0.10/32" ]; - publicKey = "SJ9tflQps1kssFsgVGLhqSSVKNPDspd+5xVMSu/aqk4="; - } - ]; - - }; - }; - - - services.nginx.virtualHosts."jellyfin.mondon.me" = { enableACME = true; forceSSL = true; locations."/" = { proxyWebsockets = true; - proxyPass = "http://10.100.0.4"; + proxyPass = "http://100.74.49.77"; }; }; diff --git a/modules/homer/default.nix b/modules/homer/default.nix index 4bfe373..24ebc06 100644 --- a/modules/homer/default.nix +++ b/modules/homer/default.nix @@ -12,9 +12,10 @@ in { luj.nginx.enable = true; + security.acme.certs."home.luj".server = "https://ca.luj:8443/acme/acme/directory"; + services.nginx.virtualHosts."home.luj" = { - sslCertificate = "/etc/nginx/certs/home.luj/cert.pem"; - sslCertificateKey = "/etc/nginx/certs/home.luj/key.pem"; + enableACME = true; forceSSL = true; root = "/srv/homer/"; }; diff --git a/users/julien.nix b/users/julien.nix index edc4d08..061e37c 100644 --- a/users/julien.nix +++ b/users/julien.nix @@ -11,7 +11,7 @@ openssh.authorizedKeys.keyFiles = [ (pkgs.fetchurl { url = "https://github.com/JulienMalka.keys"; - sha256 = "sha256-/i6WOEWBfXnRln9r6GCznoc47UzN+jInkWjTSqNafHI="; + sha256 = "sha256-ZTQpJO5/z/RIzvNpLBHv2GyCn8cvWsN5Hx3pd6s7RYY="; }) ]; }; diff --git a/users/status.nix b/users/status.nix index 2013565..21b2317 100644 --- a/users/status.nix +++ b/users/status.nix @@ -8,7 +8,7 @@ openssh.authorizedKeys.keyFiles = [ (pkgs.fetchurl { url = "https://github.com/JulienMalka.keys"; - sha256 = "sha256-/i6WOEWBfXnRln9r6GCznoc47UzN+jInkWjTSqNafHI="; + sha256 = "sha256-ZTQpJO5/z/RIzvNpLBHv2GyCn8cvWsN5Hx3pd6s7RYY="; }) ]; };