diff --git a/machines/lasting-integrity/default.nix b/machines/lasting-integrity/default.nix
index 6c17d8e1..84abd8aa 100644
--- a/machines/lasting-integrity/default.nix
+++ b/machines/lasting-integrity/default.nix
@@ -8,13 +8,27 @@
   time.timeZone = "Europe/Berlin";
-  networking.hostId = "b352adfe";
+  networking = {
+    hostId = "b352adfe";
+    firewall.allowedTCPPorts = [ 25 143 465 587 993 4190 ];
+  };
   # Machine-specific module settings
   chvp = {
     stateVersion = "20.09";
     base = {
-      network.ovh.enable = true;
+      network.ovh = {
+        enable = true;
+        publicIPV4 = {
+          ip = "54.38.222.69";
+          gateway = "54.38.222.254";
+        };
+        publicIPV6 = {
+          ip = "2001:41d0:0700:1445::";
+          gateway = "2001:41d0:0700:14ff:ff:ff:ff:ff";
+        };
+        internalIPV4 = "192.168.0.2";
+      };
       nix.enableDirenv = false;
       zfs = {
         backups = [{
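Review bot: `firewall.allowedTCPPorts = [ 25 143 465 587 993 4190 ];` opens the standard mail ports (SMTP, IMAP, SMTPS, submission, IMAPS, ManageSieve) but nothing in this file says which service owns them; mailcow is only named in the nginx hook further down. A comment on that line, e.g. `# mailcow: SMTP/IMAP/SMTPS/submission/IMAPS/ManageSieve`, would tie the exposure to the service that justifies it. Separately, `publicIPV6.ip` is given without a prefix length here and in the matching urithiru hunk (`@@ -18,7 +18,18 @@`), so the prefix must be supplied by the `network.ovh` module, which is outside this diff; a short comment naming that assumption would save the next reader a lookup.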
@@ -33,6 +47,55 @@
       games.tetris.server = true;
     services = {
       matrix.enable = true;
+      nginx = {
+        extraPostACMEScripts = [
+          ''
+            cp fullchain.pem /data/root/mailcow/data/assets/ssl/cert.pem
+            cp key.pem /data/root/mailcow/data/assets/ssl/key.pem
+            pushd /data/root/mailcow
+            ${pkgs.bash}/bin/bash -c "source mailcow.conf && ${pkgs.docker-compose}/bin/docker-compose restart"
+            popd
+          ''
+        ];
+        hosts = [
+          {
+            fqdn = "vanpetegem.me";
+            options = {
+              locations = let matrixRedirect = {
+                proxyPass = "http://127.0.0.1:8448";
+                extraConfig = ''
+                  proxy_read_timeout 600;
+                  client_max_body_size 10M;
+                  proxy_set_header X-Forwarded-Ssl on;
+                '';
+              }; in {
+                "/_matrix" = matrixRedirect;
+                "/.well-known/matrix" = matrixRedirect;
+                "/".return = "307 https://www.vanpetegem.me$request_uri";
+              };
+            };
+          }
+          { fqdn = "www.vanpetegem.me"; }
+          {
+            fqdn = "cvpetegem.be";
+            options = {
+              locations."/".return = "307 https://www.cvpetegem.be$request_uri";
+            };
+          }
+          { fqdn = "www.cvpetegem.be"; }
+          {
+            fqdn = "chvp.be";
+            options = {
+              locations."/".return = "307 https://www.chvp.be$request_uri";
+            };
+          }
+          { fqdn = "www.chvp.be"; }
+          {
+            fqdn = "mail.vanpetegem.me";
+            basicProxy = "http://127.0.0.1:8080";
+          }
+        ];
+      };
       nextcloud.enable = true;
       syncthing.enable = true;
     };
diff --git a/machines/lasting-integrity/secret.nix b/machines/lasting-integrity/secret.nix
deleted file mode 100644
index c82d8268..00000000
Binary files a/machines/lasting-integrity/secret.nix and /dev/null differ
diff --git a/machines/urithiru/default.nix b/machines/urithiru/default.nix
index 463267bb..5e1307da 100644
--- a/machines/urithiru/default.nix
+++ b/machines/urithiru/default.nix
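Review bot: The post-ACME hook copies the new private key with a plain `cp` and then restarts mailcow unconditionally, so if either copy fails (missing `/data/root/mailcow/data/assets/ssl`, full disk) the restart still runs against the stale certificate and nothing surfaces the failure. Chaining the steps with `&&` makes the restart depend on both copies, and running the `cd` in a subshell leaves the working directory of whatever script this fragment is spliced into untouched; `pushd`/`popd` are bash builtins and the shell that executes `extraPostACMEScripts` is not visible in this diff, so a subshell is also the more portable form. The key's resulting mode is whatever `cp` leaves (the existing destination mode when overwriting, otherwise the umask); if the mailcow containers read it as root, `install -m 0600` would pin it, but confirm that against what the containers expect before tightening it.
```nix
          ''
            cp fullchain.pem /data/root/mailcow/data/assets/ssl/cert.pem \
              && cp key.pem /data/root/mailcow/data/assets/ssl/key.pem \
              && ( cd /data/root/mailcow \
                   && ${pkgs.bash}/bin/bash -c "source mailcow.conf && ${pkgs.docker-compose}/bin/docker-compose restart" )
          ''
```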
@@ -18,7 +18,18 @@
     stateVersion = "20.09";
     base = {
       nix.enableDirenv = false;
-      network.ovh.enable = true;
+      network.ovh = {
+        enable = true;
+        publicIPV4 = {
+          ip = "193.70.44.178";
+          gateway = "193.70.44.254";
+        };
+        publicIPV6 = {
+          ip = "2001:41d0:0303:0ab2::";
+          gateway = "2001:41d0:0303:0aff:ff:ff:ff:ff";
+        };
+        internalIPV4 = "192.168.0.1";
+      };
       zfs = {
         backups = [
           {
@@ -43,7 +54,12 @@
     };
     services = {
       accentor.enable = true;
+      containers.externalInterface = "eno3";
       data-access.enable = true;
+      deluge = {
+        enable = true;
+        count = 6;
+      };
     };
   };
 }
diff --git a/machines/urithiru/secret.nix b/machines/urithiru/secret.nix
deleted file mode 100644
index 421828d6..00000000
Binary files a/machines/urithiru/secret.nix and /dev/null differ
diff --git a/modules/base/ssh/default.nix b/modules/base/ssh/default.nix
index 3226a200..5d06fcbe 100644
--- a/modules/base/ssh/default.nix
+++ b/modules/base/ssh/default.nix
@@ -22,10 +22,10 @@ let
       userKnownHostsFile = "${config.chvp.cachePrefix}${home}/.ssh/known_hosts";
       serverAliveInterval = 10;
       extraOptionOverrides = {
+        Include = config.age.secrets."files/programs/ssh/host_configuration".path;
         IdentityFile = "${config.chvp.dataPrefix}${home}/.ssh/id_ed25519";
         HostKeyAlgorithms = "ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa";
       };
-      matchBlocks = import ./hosts.secret.nix;
     };
     home.packages = lib.mkIf config.chvp.graphical.enable [ ssh pkgs.sshfs ];
   };
@@ -33,4 +33,8 @@ in
 {
   home-manager.users.root = { ... }: (base "/root");
   home-manager.users.charlotte = { ... }: (base "/home/charlotte");
+  age.secrets."files/programs/ssh/host_configuration" = {
+    file = ../../../secrets/files/programs/ssh/host_configuration.age;
+    owner = "charlotte";
+  };
 }
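Review bot: `Include = config.age.secrets."files/programs/ssh/host_configuration".path;` ends up in the ssh config of both users, because the second ssh hunk (`@@ -33,4 +33,8 @@`) still applies `base` to `home-manager.users.root`, yet that same hunk decrypts the secret with `owner = "charlotte"`. OpenSSH applies the owner/permission check it performs on `~/.ssh/config` to Include'd files as well (owned by the invoking user or root, not group/world-writable), so as I read readconf.c root's ssh will abort with "Bad owner or permissions" on the decrypted file; confirm with `ssh -G <some host>` run as root after switching. One fix is a root-owned secret with a mode charlotte can read (agenix `group`/`mode`), another is one `age.secrets` entry per user with the matching owner and the right path handed into `base`. The `base` function starts before the first ssh hunk, so the rest of the generated config is not visible here.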
diff --git a/modules/base/ssh/hosts.secret.nix b/modules/base/ssh/hosts.secret.nix
deleted file mode 100644
index 76622f36..00000000
Binary files a/modules/base/ssh/hosts.secret.nix and /dev/null differ
diff --git a/secrets.nix b/secrets.nix
index 4a3b2330..19e700e5 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -46,6 +46,8 @@ in
   "secrets/passwords/services/data-basic-auth.age".publicKeys = [ urithiru ] ++ users;
+  "secrets/files/programs/ssh/host_configuration.age".publicKeys = hosts ++ users;
+
   "secrets/files/services/matrix-appservice-slack/config.yml.age".publicKeys = [ lasting-integrity ] ++ users;
   "secrets/files/services/matrix-appservice-slack/registration.yml.age".publicKeys = [ lasting-integrity ] ++ users;
   "secrets/files/services/matrix-synapse/config.yml.age".publicKeys = [ lasting-integrity ] ++ users;
diff --git a/secrets/files/programs/ssh/host_configuration.age b/secrets/files/programs/ssh/host_configuration.age
new file mode 100644
index 00000000..552fcbd1
Binary files /dev/null and b/secrets/files/programs/ssh/host_configuration.age differ
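Review bot: `"secrets/files/programs/ssh/host_configuration.age".publicKeys = hosts ++ users;` encrypts the SSH host configuration to every host key, while the neighbouring entries are each scoped to a single machine, so every host in `hosts` can decrypt it. That is presumably deliberate because `modules/base/ssh` consumes it and base modules land on every machine, but the file does not say so; a comment such as `# consumed by modules/base/ssh on every host, hence hosts rather than a single machine` next to the entry would record why this one is wider than its neighbours.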