From 61b1399131045afb98f4f5f397b9461fd5b29772 Mon Sep 17 00:00:00 2001 From: cy Date: Mon, 27 Jan 2025 02:28:39 -0500 Subject: [PATCH 1/6] enable ssh agent Signed-off-by: cy --- hosts/chunk/default.nix | 7 +++++-- hosts/chunk/tailscale.nix | 3 ++- hosts/ytnix/default.nix | 6 ++++++ hosts/ytnix/tailscale.nix | 3 ++- 4 files changed, 15 insertions(+), 4 deletions(-) diff --git a/hosts/chunk/default.nix b/hosts/chunk/default.nix index 0343084..6021b41 100644 --- a/hosts/chunk/default.nix +++ b/hosts/chunk/default.nix @@ -75,8 +75,11 @@ }; }; - boot.loader.grub.enable = true; - boot.loader.grub.device = "/dev/vda"; + boot = { + loader.grub.enable = true; + loader.grub.device = "/dev/vda"; + kernelPackages = pkgs.linuxPackages_latest; + }; system.stateVersion = "24.05"; diff --git a/hosts/chunk/tailscale.nix b/hosts/chunk/tailscale.nix index fefc8e5..e170e6b 100644 --- a/hosts/chunk/tailscale.nix +++ b/hosts/chunk/tailscale.nix @@ -1,4 +1,5 @@ -{ config, ... }: { +{ config, ... }: +{ services.tailscale = { enable = true; authKeyFile = config.sops.secrets."tailscale/auth".path; diff --git a/hosts/ytnix/default.nix b/hosts/ytnix/default.nix index 54f13da..6192e43 100644 --- a/hosts/ytnix/default.nix +++ b/hosts/ytnix/default.nix @@ -324,4 +324,10 @@ services.udev.extraHwdb = '' SUBSYSTEM=="usb", SYSFS{idVendor}=="090c", SYSFS{idProduct}=="1000", ACTION=="add", GROUP="users", MODE="0664" ''; + + programs.ssh = { + askPassword = "${pkgs.seahorse}/libexec/seahorse/ssh-askpass"; + startAgent = true; + enableAskPassword = true; + }; } diff --git a/hosts/ytnix/tailscale.nix b/hosts/ytnix/tailscale.nix index 91d67bf..63489ae 100644 --- a/hosts/ytnix/tailscale.nix +++ b/hosts/ytnix/tailscale.nix @@ -1,4 +1,5 @@ -{ config, ... }: { +{ config, ... }: +{ services.tailscale = { enable = true; authKeyFile = config.sops.secrets."tailscale/auth".path; From a9a3ee84139e743431fc87f94c5fb2ae803feb5f Mon Sep 17 00:00:00 2001 
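Review bot: `kernelPackages = pkgs.linuxPackages_latest;` in the hosts/chunk/default.nix hunk moves this host onto the newest kernel package set, which the subject "enable ssh agent" does not mention. A kernel-track change on a server is easier to audit and revert as its own commit; at minimum, add a comment such as `# deliberately tracking the latest kernel on this host`. While the block is being restructured, the two grub options read more consistently as `loader.grub = { enable = true; device = "/dev/vda"; };`.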
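Review bot: The new `programs.ssh` block in hosts/ytnix/default.nix starts the agent without a key lifetime, so keys added to it stay unlocked in memory until the session ends. Consider adding `agentTimeout = "1h";` (or a value that suits the workflow) next to `startAgent = true;`. NixOS also refuses to evaluate `startAgent` together with `programs.gnupg.agent.enableSSHSupport`; that option is not visible in this hunk, so confirm it is not set for this host. The enclosing attribute set starts outside the hunk.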
From: cy
Date: Mon, 27 Jan 2025 04:02:11 -0500
Subject: [PATCH 2/6] init
Signed-off-by: cy
---
 modules/caddy.nix | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 modules/caddy.nix
diff --git a/modules/caddy.nix b/modules/caddy.nix
new file mode 100644
index 0000000..9ee9913
--- /dev/null
+++ b/modules/caddy.nix
@@ -0,0 +1,29 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ cfg = config.my.caddy;
+ commonExtraConfig = ''
+ encode zstd gzip
+ header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
+ '';
+in
+{
+ options.my.caddy = {
+ enable = lib.mkEnableOption "caddy reverse proxy";
+ acmeCa = lib.mkOption {
+ type = lib.types.str;
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.caddy = {
+ enable = true;
+ logFormat = lib.mkForce "level INFO";
+ acmeCa = "https://acme-v02.api.letsencrypt.org/directory";
+ };
+ };
+}
From cad577b1931eabc568f7eef6659e5405f20a1eec Mon Sep 17 00:00:00 2001
From: cy
Date: Mon, 27 Jan 2025 05:49:00 -0500
Subject: [PATCH 3/6] migrate chunk to caddy module
Signed-off-by: cy
---
 hosts/chunk/Caddyfile | 89 -------------------------------------
 hosts/chunk/adguard.nix | 5 +++
 hosts/chunk/attic.nix | 5 +++
 hosts/chunk/conduwuit.nix | 5 +++
 hosts/chunk/default.nix | 12 ++---
 hosts/chunk/deluge.nix | 5 +++
 hosts/chunk/element.nix | 5 +++
 hosts/chunk/forgejo.nix | 16 +++++++
 hosts/chunk/garage.nix | 5 +++
 hosts/chunk/grafana.nix | 5 +++
 hosts/chunk/hedgedoc.nix | 5 +++
 hosts/chunk/immich.nix | 5 +++
 hosts/chunk/miniflux.nix | 5 +++
 hosts/chunk/redlib.nix | 5 +++
 hosts/chunk/vaultwarden.nix | 5 +++
 modules/caddy.nix | 16 +++----
 modules/default.nix | 1 +
 17 files changed, 91 insertions(+), 103 deletions(-)
 delete mode 100644 hosts/chunk/Caddyfile
diff --git a/hosts/chunk/Caddyfile b/hosts/chunk/Caddyfile
deleted file mode 100644
index 5e56278..0000000
--- a/hosts/chunk/Caddyfile
+++ /dev/null
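Review bot: `acmeCa = "https://acme-v02.api.letsencrypt.org/directory";` under `services.caddy` does not match the NixOS option name, which is spelled `services.caddy.acmeCA`, so enabling `my.caddy` at this commit would fail evaluation. `options.my.caddy.acmeCa` is also declared without a default and never read, and `commonExtraConfig` is bound in the `let` but never used, so the HSTS header it carries is applied to nothing. Either wire them up, e.g. `acmeCA = cfg.acmeCa;` with a `default` on the option, or drop them until they are needed; the `pkgs` argument is likewise unused.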
@@ -1,89 +0,0 @@
-{
- acme_ca https://acme.zerossl.com/v2/DV90
- acme_eab {
- key_id {$EAB_KEY_ID}
- mac_key {$EAB_MAC_KEY}
- }
-}
-
-(common) {
- encode zstd gzip
- header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
-}
-
-git.cything.io {
- import common
-
- # wrap in route so things are evaluated in the order written
- route {
- # rewrite gitlab URIs to make it work with forgejo
- uri path_regexp /-/ /
- uri replace /blob/ /src/
- redir https://git.cy7.sh{uri} permanent
- }
-}
-
-git.cy7.sh {
- import common
- reverse_proxy localhost:3000
-}
-
-rss.cy7.sh {
- import common
- reverse_proxy localhost:8080
-}
-
-photos.cy7.sh {
- import common
- reverse_proxy localhost:2283
-}
-
-chat.cything.io {
- import common
- reverse_proxy localhost:8448
-}
-
-pass.cy7.sh {
- import common
- reverse_proxy localhost:8081
-}
-
-dns.cything.io {
- import common
- reverse_proxy localhost:8082
-}
-
-pad.cything.io {
- import common
- reverse_proxy localhost:8085
-}
-
-red.cything.io {
- import common
- reverse_proxy localhost:8087
-}
-
-grafana.cything.io {
- import common
- reverse_proxy localhost:8088
-}
-
-element.cything.io {
- import common
- reverse_proxy localhost:8089
-}
-
-cache.cything.io {
- import common
- reverse_proxy localhost:8090
-}
-
-s3.cy7.sh {
- import common
- reverse_proxy localhost:3900
-}
-
-admin.s3.cy7.sh {
- import common
- reverse_proxy localhost:3903
-}
diff --git a/hosts/chunk/adguard.nix b/hosts/chunk/adguard.nix
index fe4b9bb..74207fc 100644
--- a/hosts/chunk/adguard.nix
+++ b/hosts/chunk/adguard.nix
@@ -21,4 +21,9 @@
 ];
 };
 };
+
+ services.caddy.virtualHosts."dns.cything.io".extraConfig = ''
+ import common
+ reverse_proxy localhost:8082
+ '';
 }
diff --git a/hosts/chunk/attic.nix b/hosts/chunk/attic.nix
index 2f84394..c41e985 100644
--- a/hosts/chunk/attic.nix
+++ b/hosts/chunk/attic.nix
@@ -31,4 +31,9 @@ }; }; }; + + services.caddy.virtualHosts."cache.cything.io".extraConfig = '' + import common + reverse_proxy localhost:8090 + ''; } diff --git a/hosts/chunk/conduwuit.nix b/hosts/chunk/conduwuit.nix index 25c85ab..8aa8998 100644 --- a/hosts/chunk/conduwuit.nix +++ b/hosts/chunk/conduwuit.nix @@ -10,4 +10,9 @@ allow_check_for_updates = true; }; }; + + services.caddy.virtualHosts."chat.cything.io".extraConfig = '' + import common + reverse_proxy localhost:8448 + ''; } diff --git a/hosts/chunk/default.nix b/hosts/chunk/default.nix index 6021b41..577e9b5 100644 --- a/hosts/chunk/default.nix +++ b/hosts/chunk/default.nix @@ -183,11 +183,13 @@ programs.gnupg.agent.enable = true; programs.git.enable = true; - services.caddy = { - enable = true; - configFile = ./Caddyfile; - environmentFile = config.sops.secrets."caddy/env".path; - logFormat = lib.mkForce "level INFO"; + my.caddy.enable = true; + services.caddy.virtualHosts."cy7.sh" = { + serverAliases = [ "www.cy7.sh" ]; + extraConfig = '' + import common + redir https://cything.io temporary + ''; }; # container stuff diff --git a/hosts/chunk/deluge.nix b/hosts/chunk/deluge.nix index 638c728..5dd3fd4 100644 --- a/hosts/chunk/deluge.nix +++ b/hosts/chunk/deluge.nix @@ -7,4 +7,9 @@ port = 8112; }; }; + + services.caddy.virtualHosts."t.cy7.sh".extraConfig = '' + import common + reverse_proxy localhost:8112 + ''; } diff --git a/hosts/chunk/element.nix b/hosts/chunk/element.nix index 81ab246..5a12e1e 100644 --- a/hosts/chunk/element.nix +++ b/hosts/chunk/element.nix @@ -25,4 +25,9 @@ ${pkgs.podman}/bin/podman network create element-net ''; }; + + services.caddy.virtualHosts."element.cy7.sh".extraConfig = '' + import common + reverse_proxy localhost:8089 + ''; } diff --git a/hosts/chunk/forgejo.nix b/hosts/chunk/forgejo.nix index fd842ce..26fb541 100644 --- a/hosts/chunk/forgejo.nix +++ b/hosts/chunk/forgejo.nix 
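Review bot: Removing `environmentFile = config.sops.secrets."caddy/env".path;` in hosts/chunk/default.nix leaves the `caddy/env` secret with no consumer in this hunk. If its `sops.secrets` declaration and encrypted value still exist elsewhere in the repository, remove them in the same change and revoke the ZeroSSL EAB credentials the deleted Caddyfile read from that file, since the ACME CA is now Let's Encrypt. The new `cy7.sh` virtual host depends on a `(common)` snippet that is not defined in this file; a comment such as `# (common) is defined in modules/caddy.nix` would make that dependency visible.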
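Review bot: The `t.cy7.sh` virtual host added in hosts/chunk/deluge.nix publishes the Deluge web UI under a public name, and the Caddyfile this commit deletes had no entry for port 8112, so this is new exposure rather than a migration. Behind the proxy the only barrier is the web UI's own password; confirm it has been changed from the default. Consider limiting the site to trusted source addresses by adding `@outside not remote_ip <TRUSTED_CIDR>` and `abort @outside` before `reverse_proxy localhost:8112` (the CIDR is a placeholder).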
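Review bot: The proxy name for Element changes from `element.cything.io` in the deleted Caddyfile to `element.cy7.sh` here, and the same unannounced rename appears in grafana.nix (`grafana.cy7.sh`), hedgedoc.nix (`pad.cy7.sh`) and redlib.nix (`red.cy7.sh`), although the commit is described as a migration. The applications' own settings are outside these hunks; if Grafana's root URL or HedgeDoc's domain setting still carry the old names, logins, cookies and origin checks may break. Either keep the old names reachable through `serverAliases` or a redirect, or state the rename in the commit message and update the service settings in the same commit.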
@@ -30,4 +30,20 @@
 name = "git";
 };
 };
+
+ services.caddy.virtualHosts."git.cy7.sh".extraConfig = ''
+ import common
+ reverse_proxy localhost:3000
+ '';
+ services.caddy.virtualHosts."git.cything.io".extraConfig = ''
+ import common
+
+ # wrap in route so things are evaluated in the order written
+ route {
+ # rewrite gitlab URIs to make it work with forgejo
+ uri path_regexp /-/ /
+ uri replace /blob/ /src/
+ redir https://git.cy7.sh{uri} permanent
+ }
+ '';
 }
diff --git a/hosts/chunk/garage.nix b/hosts/chunk/garage.nix
index fe3ef46..75730a1 100644
--- a/hosts/chunk/garage.nix
+++ b/hosts/chunk/garage.nix
@@ -16,4 +16,9 @@
 };
 environmentFile = config.sops.secrets."garage/env".path;
 };
+
+ services.caddy.virtualHosts."s3.cy7.sh".extraConfig = ''
+ import common
+ reverse_proxy localhost:3900
+ '';
 }
diff --git a/hosts/chunk/grafana.nix b/hosts/chunk/grafana.nix
index 0575f51..007bcf1 100644
--- a/hosts/chunk/grafana.nix
+++ b/hosts/chunk/grafana.nix
@@ -31,4 +31,9 @@
 }
 ];
 };
+
+ services.caddy.virtualHosts."grafana.cy7.sh".extraConfig = ''
+ import common
+ reverse_proxy localhost:8088
+ '';
 }
diff --git a/hosts/chunk/hedgedoc.nix b/hosts/chunk/hedgedoc.nix
index 1988520..62505f9 100644
--- a/hosts/chunk/hedgedoc.nix
+++ b/hosts/chunk/hedgedoc.nix
@@ -16,4 +16,9 @@
 protocolUseSSL = true;
 };
 };
+
+ services.caddy.virtualHosts."pad.cy7.sh".extraConfig = ''
+ import common
+ reverse_proxy localhost:8085
+ '';
 }
diff --git a/hosts/chunk/immich.nix b/hosts/chunk/immich.nix
index 2062330..9661e8c 100644
--- a/hosts/chunk/immich.nix
+++ b/hosts/chunk/immich.nix
@@ -95,4 +95,9 @@ in
 ${pkgs.podman}/bin/podman network create immich-net
 '';
 };
+
+ services.caddy.virtualHosts."photos.cy7.sh".extraConfig = ''
+ import common
+ reverse_proxy localhost:2283
+ '';
 }
diff --git a/hosts/chunk/miniflux.nix b/hosts/chunk/miniflux.nix
index f40b2b6..84783f6 100644
--- a/hosts/chunk/miniflux.nix
+++ b/hosts/chunk/miniflux.nix
@@ -9,4 +9,9 @@ FORCE_REFRESH_INTERVAL = 0; # don't rate limit me }; }; + + services.caddy.virtualHosts."rss.cy7.sh".extraConfig = '' + import common + reverse_proxy localhost:8080 + ''; } diff --git a/hosts/chunk/redlib.nix b/hosts/chunk/redlib.nix index 39585f1..d095da5 100644 --- a/hosts/chunk/redlib.nix +++ b/hosts/chunk/redlib.nix @@ -10,4 +10,9 @@ REDLIB_ROBOTS_DISABLE_INDEXING = "on"; }; }; + + services.caddy.virtualHosts."red.cy7.sh".extraConfig = '' + import common + reverse_proxy localhost:8087 + ''; } diff --git a/hosts/chunk/vaultwarden.nix b/hosts/chunk/vaultwarden.nix index b97835e..7529610 100644 --- a/hosts/chunk/vaultwarden.nix +++ b/hosts/chunk/vaultwarden.nix @@ -10,4 +10,9 @@ DATABASE_URL = "postgresql://vaultwarden:vaultwarden@127.0.0.1:5432/vaultwarden"; }; }; + + services.caddy.virtualHosts."pass.cy7.sh".extraConfig = '' + import common + reverse_proxy localhost:8081 + ''; } diff --git a/modules/caddy.nix b/modules/caddy.nix index 9ee9913..6d38b01 100644 --- a/modules/caddy.nix +++ b/modules/caddy.nix @@ -1,29 +1,27 @@ { config, lib, - pkgs, ... }: let cfg = config.my.caddy; - commonExtraConfig = '' - encode zstd gzip - header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" - ''; in { options.my.caddy = { enable = lib.mkEnableOption "caddy reverse proxy"; - acmeCa = lib.mkOption { - type = lib.types.str; - }; }; config = lib.mkIf cfg.enable { services.caddy = { enable = true; logFormat = lib.mkForce "level INFO"; - acmeCa = "https://acme-v02.api.letsencrypt.org/directory"; + acmeCA = "https://acme-v02.api.letsencrypt.org/directory"; + extraConfig = '' + (common) { + encode zstd gzip + header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" + } + ''; }; }; } diff --git a/modules/default.nix b/modules/default.nix index 2155137..070a96e 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -2,5 +2,6 @@ { imports = [ ./backup.nix + ./caddy.nix ]; } 
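Review bot: In hosts/chunk/vaultwarden.nix the context line `DATABASE_URL = "postgresql://vaultwarden:vaultwarden@127.0.0.1:5432/vaultwarden";` now sits directly above the public `pass.cy7.sh` virtual host. It writes the database password into the Nix configuration, so it ends up readable in the Nix store. The repository already uses sops for other services (garage.nix passes `environmentFile = config.sops.secrets."garage/env".path;`), so moving `DATABASE_URL` into a sops-managed file referenced by `services.vaultwarden.environmentFile` would keep it out of the store. The enclosing attribute set starts outside the hunk.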
From da557a7b7e16f82f9f3cac33d3aa02ea937b54f4 Mon Sep 17 00:00:00 2001 From: cy Date: Mon, 27 Jan 2025 20:07:41 -0500 Subject: [PATCH 4/6] titan: redirect to new website Signed-off-by: cy --- hosts/titan/Caddyfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/titan/Caddyfile b/hosts/titan/Caddyfile index 70cc99f..5969134 100644 --- a/hosts/titan/Caddyfile +++ b/hosts/titan/Caddyfile @@ -13,7 +13,7 @@ cything.io { import common - reverse_proxy localhost:8084 + redir https://cy7.sh/posts{uri} permanent header /.well-known/matrix/* Content-Type application/json header /.well-known/matrix/* Access-Control-Allow-Origin * From f26bbc3b4fe9ee64e1254a1d7014804726b81d48 Mon Sep 17 00:00:00 2001 From: cy Date: Mon, 27 Jan 2025 20:23:15 -0500 Subject: [PATCH 5/6] make justfile better and cleanup zsh Signed-off-by: cy --- home/zsh/default.nix | 5 ----- justfile | 3 ++- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/home/zsh/default.nix b/home/zsh/default.nix index 363efd6..eb920d5 100644 --- a/home/zsh/default.nix +++ b/home/zsh/default.nix @@ -39,11 +39,6 @@ initExtra = '' # disable control+s to pause terminal unsetopt FLOW_CONTROL - # manually integrate fzf cause we need to make sure zsh-vi-mode - # won't override C-r - function zvm_after_init() { - eval "$(${pkgs.fzf}/bin/fzf --zsh)" - } # useful emacs mode bindings bindkey -M viins "^E" end-of-line diff --git a/justfile b/justfile index 95b1fda..6414c0a 100644 --- a/justfile +++ b/justfile @@ -1,9 +1,10 @@ update: + git branch -D update git switch -c update nix flake update git add flake.lock git commit -s -m "flake update" - git push + git push -f git switch main upgrade: From 8d68a5a65dfb73b5c714faec17cdfe8803dddddf Mon Sep 17 00:00:00 2001 From: cy Date: Mon, 27 Jan 2025 20:26:02 -0500 Subject: [PATCH 6/6] flake update Signed-off-by: cy --- flake.lock | 50 +++++++++++++++++++++++++------------------------- 1 file changed, 25 insertions(+), 25 deletions(-) 
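Review bot: The new `redir https://cy7.sh/posts{uri} permanent` in hosts/titan/Caddyfile has no matcher, so it also answers `/.well-known/matrix/*`. Caddy orders `redir` ahead of `respond` and `reverse_proxy`, so whatever serves those paths further down the site block (outside this hunk) would no longer be reached and Matrix delegation for cything.io could break. Patch 3 of this series makes `cy7.sh` on chunk redirect to `https://cything.io`, so if both sites are live the two redirects bounce between each other. Scope the redirect, e.g. `@site not path /.well-known/matrix/*` followed by `redir @site https://cy7.sh/posts{uri} permanent`, and prefer a temporary redirect until the target is settled, because browsers cache a permanent one.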
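Review bot: `git push -f` in the `update` recipe names neither remote nor branch and overwrites the upstream unconditionally. `git push --force-with-lease origin update` limits the force to the intended branch and refuses if the remote moved unexpectedly (the remote name `origin` is assumed). The added `git branch -D update` exits non-zero when the branch does not exist yet, which stops the recipe on a fresh clone; writing it as `-git branch -D update` tells just to ignore that failure. A freshly created branch has no upstream, so `-u` may also be needed unless `push.autoSetupRemote` is configured.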
diff --git a/flake.lock b/flake.lock index ee29dc4..3ef44bc 100644 --- a/flake.lock +++ b/flake.lock @@ -562,11 +562,11 @@ ] }, "locked": { - "lastModified": 1737762889, - "narHash": "sha256-5HGG09bh/Yx0JA8wtBMAzt0HMCL1bYZ93x4IqzVExio=", + "lastModified": 1737968762, + "narHash": "sha256-xiPARGKwocaMtv+U/rgi+h2g56CZZEmrcl7ldRaslq8=", "owner": "nix-community", "repo": "home-manager", - "rev": "daf04c5950b676f47a794300657f1d3d14c1a120", + "rev": "e1ae908bcc30af792b0bb0a52e53b03d2577255e", "type": "github" }, "original": { @@ -710,11 +710,11 @@ ] }, "locked": { - "lastModified": 1737675503, - "narHash": "sha256-FUWpqPOsEJwK8oomffat+lgKnoxJHArRlWo2j17EhxQ=", + "lastModified": 1738009885, + "narHash": "sha256-zPch36LSTs8dZJZlIiufXuY7wut06xp4CMdf/oqXoq0=", "ref": "refs/heads/main", - "rev": "3e18a1ceec7df4514f5a045441e5f98dd003db09", - "revCount": 131, + "rev": "cf43eeb6b376cc36f70b0632bc39dc949b9f3b59", + "revCount": 132, "type": "git", "url": "https://git.lix.systems/lix-project/nixos-module" }, @@ -737,11 +737,11 @@ "xwayland-satellite-unstable": "xwayland-satellite-unstable" }, "locked": { - "lastModified": 1737924584, - "narHash": "sha256-8XAz2IFUdSN7IblSWgQQVjivlZ0uWn3Y5jN3G6+/jss=", + "lastModified": 1737961005, + "narHash": "sha256-b4hqJNgyx8lnngz7NFcJ1W+59xQnMQYF0EK5g0IOy7c=", "owner": "sodiboo", "repo": "niri-flake", - "rev": "d3682c753abbbc8d41578aa12e6f10508d801f4b", + "rev": "e98ae62893568dd31e7a7e4e75e1dbbf23f759a0", "type": "github" }, "original": { @@ -770,11 +770,11 @@ "niri-unstable": { "flake": false, "locked": { - "lastModified": 1737918541, - "narHash": "sha256-NKartmApYTAjteTg78OAIAYGvtl9QCDcKp8tPk3KCuI=", + "lastModified": 1737956052, + "narHash": "sha256-Gr+tkCSuhQ5NT04hv/PoHExCgbuqRA/GZQv+le40LNY=", "owner": "YaLTeR", "repo": "niri", - "rev": "baa051891237054f2d4db86d7bcfe0f17440c35f", + "rev": "9b4d73f13a6906537faf01b5c5e5e2fee9dd602e", "type": "github" }, "original": { 
@@ -832,11 +832,11 @@ ] }, "locked": { - "lastModified": 1737504076, - "narHash": "sha256-/B4XJnzYU/6K1ZZOBIgsa3K4pqDJrnC2579c44c+4rI=", + "lastModified": 1737926801, + "narHash": "sha256-un7IETRNjUm83jM5Gd/7BO4rCzzkom46O0FDMo5toaI=", "owner": "lnl7", "repo": "nix-darwin", - "rev": "65cc1fa8e36ceff067daf6cfb142331f02f524d3", + "rev": "62ba0a22426721c94e08f0779ed8235d5672869b", "type": "github" }, "original": { @@ -1045,11 +1045,11 @@ }, "nixpkgs_5": { "locked": { - "lastModified": 1737917096, - "narHash": "sha256-wOo5jWu88VRbm0TTNl9KxE4nIkfnXVKxLvZwpTn75wk=", + "lastModified": 1738003704, + "narHash": "sha256-9VC5icfSf0tI8HSRjzsvOjrJZcLvNy/LKkQYsd14tSY=", "owner": "nixos", "repo": "nixpkgs", - "rev": "a47cb26bbe26d63321cbb96de6d1981d790d9748", + "rev": "24cc55b1d2d585dd57ce24f26ad96dd7fd73af39", "type": "github" }, "original": { @@ -1082,11 +1082,11 @@ ] }, "locked": { - "lastModified": 1737914312, - "narHash": "sha256-PBF4R+yQt5Sls7CsA9Miwx28XtOP/yqaqejZ3RKSes0=", + "lastModified": 1737995534, + "narHash": "sha256-in2EtlH84FJ5+7l2vBWhUiknmDFAHTuHIPSBiMhICyw=", "owner": "nix-community", "repo": "nixvim", - "rev": "8e5422bf3e76f410b97d2da640d0829e87657de9", + "rev": "af4483c025ecf02ba36b2013eed0062ccd629809", "type": "github" }, "original": { @@ -1105,11 +1105,11 @@ ] }, "locked": { - "lastModified": 1737823349, - "narHash": "sha256-LAppb+sftyvJbPdrBG1uN9GYWHz6q7bUpkpDjljcSRo=", + "lastModified": 1737924095, + "narHash": "sha256-9RO/IlxiE7bpY7GYsdDMNB533PnDOBo9UvYyXXqlN4c=", "owner": "NuschtOS", "repo": "search", - "rev": "f91a0ac0f4ecf0ad1d1d88140f66520dae6ce4bd", + "rev": "5efc9c966bb9bdad07a3c28667eac38b758c6f18", "type": "github" }, "original": {