Refactor setup

common/constants.nix

@@ -14,6 +14,13 @@
         The home directory for the default user.
       '';
     };
+    tsMask = mkOption {
+      type = types.str;
+      default = "100.64.0.0/10";
+      description = ''
+        The localhost address.
+      '';
+    };
     localhost = mkOption {
       type = types.str;
       default = "127.0.0.1";
@@ -24,9 +31,14 @@
     port = mkOption {
       type = types.attrsOf types.port;
       default = {
+        conduit = 29800;
+        forgejo = 47674;
+        headscale = 27327;
         http = 80;
         https = 443;
         jellyfin = 8096;
+        vault-rkt = 25487;
+        vault-ws = 40513;
       };
       description = ''
         The mapping from service to ports.

common/secrets.yaml

@@ -1,5 +1,3 @@
-cloudflare:
-    nebula: ENC[AES256_GCM,data:uK5RBgh8WfwpbIbTQSd9XGomc9GyvU1pWId7xqULwxOUPraXKWACG7GSSER/RPoDp0GQbd/Usc/HzXQPvQ==,iv:R8/jU6jYHfmBQ5KnV0lkDCVyj4rZmd0ZInIa7vrh79U=,tag:kjbZjvMYZMJOv/K1mYHPow==,type:str]
 users:
     macronova:
         password: ENC[AES256_GCM,data:o3WtsW7x9wy+gtl8UiT/s5q7F7Ym4q/CGvTy5Hl6FfvaEhbC/GPHQKVbz0MmRF3WV7Oq3jNxdryxWgXcd+WSCHoThNRIh/B4ZpLePD9Yi7Bf6trEYGWMdQM1Qx9pET7FaEBVOJC8eg+Ca4b/cASo53iuim6wzw==,iv:dbypWZHIXhl1kSnyiqW6R/O4NZb7u0R9X+tYpCKEMw4=,tag:bgCiGaH7EVfu7Sox0vulug==,type:str]
@@ -36,8 +34,8 @@ sops:
             TG5mYWd3MnI5TlZiNXBjb0JJY3BvN0EKUd0ldQPe0/zdHjsmKEUhH7xkpO4nLfd5
             fnTk1jGonJg+t+TqLLg/YYKlcNkgExWaIZ7wrd0RVKXOeC2BtM/wzQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-11-28T05:25:16Z"
+    lastmodified: "2023-12-07T05:17:46Z"
-    mac: ENC[AES256_GCM,data:B+ubIgddt+6DKFw70eHI9tVqUtSO6+BOwLyn7CfzpibCGCKgvWd4K05v7Wy4iZXfwMQ4eS5aNn58yPGrCXKU+LSCKKk4167woQ3CR0ALKj3vQfDMJn02SDrYyu+C8VNN0cOUkw9MwyyTZQgkypz/dTgYv/s1cmHHldvcgiqPchk=,iv:1iKgkaTxMZUvwpmUXRl/xk7p5rIG0gH2nCjmARkV4Dk=,tag:+Zers+yBe6T4Ss6sZRweMw==,type:str]
+    mac: ENC[AES256_GCM,data:yToqS0DMtXj92+012wkWItDGegJT+3MAIhMfiDkqn2G8AGsNadv6YXpR21Un5ZSZNyw3RGuRTvu5o0OT4ocV6IdJxAtxmZpteC6n4BMbm/NMDWw9LwXlNUrftJ3an4BLLtmPrY8nCa5ZTnMeWs0NI2CwPQmVBLEgHsbIJaK5Ly0=,iv:3xhueBREYHMW6vJWoYrRVcQIXn8yBt5eW4VT5wFEzvo=,tag:9yV3ncwTsa8J8yBv98VxbA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1

darwin/quasar/default.nix

@@ -1,54 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  # List packages installed in system profile. To search by name, run:
-  # $ nix-env -qaP | grep wget
-
-  # Add trusted users
-  nix.settings.trusted-users = [ "root" "@admin" ];
-
-  # Configure nixpkgs
-  nixpkgs.config.allowUnfree = true;
-
-  # Use common system packages
-  environment = {
-    systemPackages = with pkgs; [
-      bat
-      bottom
-      direnv
-      dua
-      exa
-      fd
-      fzf
-      helix
-      nil
-      nixpkgs-fmt
-      rclone
-      ripgrep
-      tealdeer
-      zoxide
-    ];
-    shells = [ pkgs.fish ];
-  };
-
-  # Enable fish
-  programs.fish = {
-    enable = true;
-    interactiveShellInit = ''
-      alias ls=exa
-      zoxide init --cmd cd fish | source
-    '';
-  };
-  users.users.macronova = {
-    home = "/Users/macronova";
-    shell = "${pkgs.fish}/bin/fish";
-  };
-
-  # Auto upgrade nix package and the daemon service.
-  services.nix-daemon.enable = true;
-  # nix.package = pkgs.nix;
-
-  # Used for backwards compatibility, please read the changelog before changing.
-  # $ darwin-rebuild changelog
-  system.stateVersion = 4;
-}

flake.lock

@@ -39,11 +39,11 @@
         "nixpkgs": "nixpkgs_2"
       },
       "locked": {
-        "lastModified": 1700927249,
+        "lastModified": 1701905325,
-        "narHash": "sha256-iqmIWiEng890/ru7ZBf4nUezFPyRm2fjRTvuwwxqk2o=",
+        "narHash": "sha256-lda63LmEIlDMeCgWfjr3/wb487XPllBByfrGRieyEk4=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "3cb78c93e6a02f494aaf6aeb37481c27a2e2ee22",
+        "rev": "1144887c6f4d2dcbb2316a24364ef53e25b0fcfe",
         "type": "github"
       },
       "original": {
@@ -88,11 +88,11 @@
     },
     "hardware": {
       "locked": {
-        "lastModified": 1701250978,
+        "lastModified": 1701656485,
-        "narHash": "sha256-ohu3cz4edjpGxs2qUTgbs0WrnewOX4crnUJNEB6Jox4=",
+        "narHash": "sha256-xDFormrGCKKGqngHa2Bz1GTeKlFMMjLnHhTDRdMJ1hs=",
         "owner": "nixos",
         "repo": "nixos-hardware",
-        "rev": "8772491ed75f150f02552c60694e1beff9f46013",
+        "rev": "fa194fc484fd7270ab324bb985593f71102e84d1",
         "type": "github"
       },
       "original": {
@@ -106,11 +106,11 @@
         "nixpkgs": "nixpkgs_3"
       },
       "locked": {
-        "lastModified": 1701433070,
+        "lastModified": 1701728041,
-        "narHash": "sha256-Gf9JStfENaUQ7YWFz3V7x/srIwr4nlnVteqaAxtwpgM=",
+        "narHash": "sha256-x0pyrI1vC8evVDxCxyO6olOyr4wlFg9+VS3C3p4xFYQ=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "4a8545f5e737a6338814a4676dc8e18c7f43fc57",
+        "rev": "ac7216918cd65f3824ba7817dea8f22e61221eaf",
         "type": "github"
       },
       "original": {
@@ -147,11 +147,11 @@
         "nixpkgs": "nixpkgs_5"
       },
       "locked": {
-        "lastModified": 1701344951,
+        "lastModified": 1701522423,
-        "narHash": "sha256-F0jd1tbSFreIpxNGtqVCxzUHKdSxjKLl2XFZPiz83zY=",
+        "narHash": "sha256-V5TQ/1loQnegDjfLh61DxBWEQZivYEBq2kQpT0fn2cQ=",
         "owner": "viperML",
         "repo": "nh",
-        "rev": "c192a4a937ed3ab974e14c09b90092b226188281",
+        "rev": "375c6cf57de3a839b7937358659bea526da27eae",
         "type": "github"
       },
       "original": {
@@ -227,11 +227,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1700905716,
+        "lastModified": 1701568804,
-        "narHash": "sha256-w1vHn2MbGfdC+CrP3xLZ3scsI06N0iQLU7eTHIVEFGw=",
+        "narHash": "sha256-iwr1fjOCvlirVL/xNvOTwY9kg3L/F3TC/7yh/QszaPI=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "dfb95385d21475da10b63da74ae96d89ab352431",
+        "rev": "dc01248a9c946953ad4d438b0a626f5c987a93e4",
         "type": "github"
       },
       "original": {
@@ -259,11 +259,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1700794826,
+        "lastModified": 1701253981,
-        "narHash": "sha256-RyJTnTNKhO0yqRpDISk03I/4A67/dp96YRxc86YOPgU=",
+        "narHash": "sha256-ztaDIyZ7HrTAfEEUt9AtTDNoCYxUdSd6NrRHaYOIxtk=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "5a09cb4b393d58f9ed0d9ca1555016a8543c2ac8",
+        "rev": "e92039b55bcd58469325ded85d4f58dd5a4eaf58",
         "type": "github"
       },
       "original": {
@@ -290,11 +290,11 @@
     },
     "nixpkgs_5": {
       "locked": {
-        "lastModified": 1701156937,
+        "lastModified": 1701263465,
-        "narHash": "sha256-jpMJOFvOTejx211D8z/gz0ErRtQPy6RXxgD2ZB86mso=",
+        "narHash": "sha256-lNXUIlkfyDyp9Ox21hr+wsEf/IBklLvb6bYcyeXbdRc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "7c4c20509c4363195841faa6c911777a134acdf3",
+        "rev": "50aa30a13c4ab5e7ba282da460a3e3d44e9d0eb3",
         "type": "github"
       },
       "original": {
@@ -322,11 +322,11 @@
     },
     "nixpkgs_7": {
       "locked": {
-        "lastModified": 1701253981,
+        "lastModified": 1701718080,
-        "narHash": "sha256-ztaDIyZ7HrTAfEEUt9AtTDNoCYxUdSd6NrRHaYOIxtk=",
+        "narHash": "sha256-6ovz0pG76dE0P170pmmZex1wWcQoeiomUZGggfH9XPs=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "e92039b55bcd58469325ded85d4f58dd5a4eaf58",
+        "rev": "2c7f3c0fb7c08a0814627611d9d7d45ab6d75335",
         "type": "github"
       },
       "original": {
@@ -338,11 +338,11 @@
     },
     "nixpkgs_8": {
       "locked": {
-        "lastModified": 1700856099,
+        "lastModified": 1701336116,
-        "narHash": "sha256-RnEA7iJ36Ay9jI0WwP+/y4zjEhmeN6Cjs9VOFBH7eVQ=",
+        "narHash": "sha256-kEmpezCR/FpITc6yMbAh4WrOCiT2zg5pSjnKrq51h5Y=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "0bd59c54ef06bc34eca01e37d689f5e46b3fe2f1",
+        "rev": "f5c27c6136db4d76c30e533c20517df6864c46ee",
         "type": "github"
       },
       "original": {
@@ -371,11 +371,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1701127353,
+        "lastModified": 1701728052,
-        "narHash": "sha256-qVNX0wOl0b7+I35aRu78xUphOyELh+mtUp1KBx89K1Q=",
+        "narHash": "sha256-7lOMc3PtW5a55vFReBJLLLOnopsoi1W7MkjJ93jPV4E=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "b1edbf5c0464b4cced90a3ba6f999e671f0af631",
+        "rev": "e91ece6d2cf5a0ae729796b8f0dedceab5107c3d",
         "type": "github"
       },
       "original": {

flake.nix

@@ -15,46 +15,38 @@
 
   outputs = inputs@{ self, darwin, nixpkgs, nix-custom, ... }:
     let
-      darwinConfigDir = ./darwin;
+      linuxCfgDir = ./linux;
-      linuxConfigDir = ./linux;
       templateDir = ./template;
-      systemArgs = archPath: instance: {
-        modules = [
-          # Import config from folder
-          (archPath + "/${instance}")
-          # Setup Nix
-          ({ pkgs, ... }: {
-            networking.hostName = instance;
-            nix = {
-              gc = {
-                automatic = true;
-                options = "--delete-older-than 30d";
-              };
-              settings = {
-                experimental-features = [ "nix-command" "flakes" ];
-                auto-optimise-store = true;
-              };
-            };
-            nixpkgs = {
-              config.allowUnfree = true;
-              overlays = [ nix-custom.overlay ];
-            };
-          })
-        ];
-        specialArgs = { inherit inputs; inherit instance; };
-      };
     in
     {
-      darwinConfigurations = builtins.mapAttrs
-        (instance: _:
-          darwin.lib.darwinSystem (systemArgs darwinConfigDir instance // {
-            system = "aarch64-darwin";
-          }))
-        (builtins.readDir darwinConfigDir);
       nixosConfigurations = builtins.mapAttrs
         (instance: _:
-          nixpkgs.lib.nixosSystem (systemArgs linuxConfigDir instance))
+          nixpkgs.lib.nixosSystem ({
-        (builtins.readDir linuxConfigDir);
+            modules = [
+              # Import config from folder
+              (linuxCfgDir + "/${instance}")
+              # Setup Nix
+              ({ pkgs, ... }: {
+                networking.hostName = instance;
+                nix = {
+                  gc = {
+                    automatic = true;
+                    options = "--delete-older-than 30d";
+                  };
+                  settings = {
+                    experimental-features = [ "nix-command" "flakes" ];
+                    auto-optimise-store = true;
+                  };
+                };
+                nixpkgs = {
+                  config.allowUnfree = true;
+                  overlays = [ nix-custom.overlay ];
+                };
+              })
+            ];
+            specialArgs = { inherit inputs; };
+          }))
+        (builtins.readDir linuxCfgDir);
       templates = builtins.mapAttrs
         (template: _: {
           path = templateDir + "/${template}";

linux/blitzar/gui.nix

@@ -1,4 +1,5 @@
-{ config, pkgs, ... }: let usr = config.constants.userName; in {
+{ config, pkgs, ... }:
+let usr = config.constants.userName; in {
   home-manager.users.${usr} = {
     home.packages = with pkgs; [
       exactaudiocopy

linux/nebula/caddy.nix

@@ -1,29 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  services.caddy =
-    {
-      enable = true;
-      virtualHosts =
-        let
-          conduitCfg = config.services.matrix-conduit.settings.global;
-          forgejoCfg = config.services.gitea.settings.server;
-          dn = config.constants.domain;
-          lh = config.constants.localhost;
-        in
-        {
-          "forgejo.${dn}".extraConfig = ''
-            reverse_proxy ${forgejoCfg.HTTP_ADDR}:${toString forgejoCfg.HTTP_PORT}
-          '';
-          "jellyfin.${dn}".extraConfig = ''
-            reverse_proxy ${lh}:${toString config.constants.port.jellyfin}
-          '';
-          "matrix.${dn}".extraConfig = ''
-            reverse_proxy /_matrix/* ${conduitCfg.address}:${toString conduitCfg.port}
-            file_server {
-              root ${pkgs.cinny}
-            }
-          '';
-        };
-    };
-}

linux/nebula/conduit.nix

@@ -3,9 +3,9 @@
 {
   services.matrix-conduit = {
     enable = true;
-    settings.global = {
+    settings.global = let const = config.constants; in {
-      address = config.constants.localhost;
+      address = const.tsMask;
-      port = 29800;
+      port = const.port.conduit;
       server_name = config.constants.domain;
     };
   };

linux/nebula/default.nix

@@ -6,7 +6,6 @@
     hardware.nixosModules.common-cpu-amd
     hardware.nixosModules.common-cpu-amd-pstate
   ] ++ [
-    ./caddy.nix
     ./conduit.nix
     ./configuration.nix
     ./disko.nix

linux/nebula/forgejo.nix

@@ -6,11 +6,11 @@
     appName = "Forgejo";
     package = pkgs.forgejo;
     settings = {
-      server = let dn = config.constants.domain; in {
+      server = let const = config.constants; in {
-        DOMAIN = dn;
+        DOMAIN = const.domain;
-        HTTP_ADDR = config.constants.localhost;
+        HTTP_ADDR = const.tsMask;
-        HTTP_PORT = 47674;
+        HTTP_PORT = const.port.forgejo;
-        ROOT_URL = "https://forgejo.${dn}";
+        ROOT_URL = "https://forgejo.${const.domain}";
       };
       service.DISABLE_REGISTRATION = true;
       session.COOKIE_SECURE = true;

linux/nebula/network.nix

@@ -1,9 +1,9 @@
 { config, ... }:
 
-let const = config.constants; hn = config.networking.hostName; in {
+let hn = config.networking.hostName; in {
   networking = {
     domain = config.constants.domain;
-    firewall.allowedTCPPorts = with const.port; [ http https ];
+    firewall.trustedInterfaces = [ config.services.tailscale.interfaceName ];
     hostId = "e6449321";
     networkmanager = {
       enable = true;
@@ -15,13 +15,6 @@ let const = config.constants; hn = config.networking.hostName; in {
   };
 
   services = {
-    cloudflare-dyndns = {
-      enable = true;
-      apiTokenFile = config.sops.secrets."cloudflare/${hn}".path;
-      domains = builtins.attrNames config.services.caddy.virtualHosts;
-      ipv4 = false;
-      ipv6 = true;
-    };
     openssh = {
       enable = true;
       hostKeys = [{
@@ -37,6 +30,4 @@ let const = config.constants; hn = config.networking.hostName; in {
     };
     resolved.enable = true;
   };
-
-  sops.secrets."cloudflare/${hn}" = { };
 }

linux/nebula/tailscale.nix

@@ -1,7 +1,6 @@
 { ... }: {
   services.tailscale = {
     enable = true;
-    extraUpFlags = [ "--advertise-exit-node" ];
     port = 25555;
     useRoutingFeatures = "both";
   };

linux/singularity/caddy.nix

@@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, pkgs, ... }:
 
 {
   services.caddy = {
@@ -7,24 +7,31 @@
     virtualHosts =
       let
         dn = config.constants.domain;
-        hsCfg = config.services.headscale;
+        home = "100.64.0.3";
+        local = config.constants.localhost;
         msfqdn = config.mailserver.fqdn;
         mtfqdn = "matrix.${dn}";
-        vaultCfg = config.services.vaultwarden.config;
+        portStr = builtins.mapAttrs (n: v: toString v) config.constants.port;
         wn = s: "/.well-known/${s}";
       in
       {
         "${dn}".extraConfig = let wnm = wn "matrix"; in ''
           header ${wnm}/* Content-Type application/json
           header ${wnm}/* Access-Control-Allow-Origin *
-          respond ${wnm}/server `{ "m.server": "${mtfqdn}:${toString config.constants.port.https}" }`
+          respond ${wnm}/server `{ "m.server": "${mtfqdn}:${portStr.https}" }`
           respond ${wnm}/client `{
             "m.homeserver": { "base_url": "https://${mtfqdn}" },
             "m.identity_server": { "base_url": "https://${mtfqdn}" }
           }`
         '';
+        "forgejo.${dn}".extraConfig = ''
+          reverse_proxy ${home}:${portStr.forgejo}
+        '';
         "headscale.${dn}".extraConfig = ''
-          reverse_proxy ${hsCfg.address}:${toString hsCfg.port}
+          reverse_proxy ${local}:${portStr.headscale}
+        '';
+        "jellyfin.${dn}".extraConfig = ''
+          reverse_proxy ${home}:${portStr.jellyfin}
         '';
         ${msfqdn} = {
           extraConfig = ''
@@ -34,17 +41,17 @@
           '';
           useACMEHost = msfqdn;
         };
+        "matrix.${dn}".extraConfig = ''
+          reverse_proxy /_matrix/* ${home}:${portStr.conduit}
+          file_server {
+            root ${pkgs.cinny}
+          }
+        '';
         "vault.${dn}".extraConfig =
           ''
-            reverse_proxy /notifications/hub/negotiate ${vaultCfg.ROCKET_ADDRESS}:${
+            reverse_proxy /notifications/hub/negotiate ${local}:${portStr.vault-rkt}
-              toString vaultCfg.ROCKET_PORT
+            reverse_proxy /notifications/hub ${local}:${portStr.vault-ws}
-            }
+            reverse_proxy ${local}:${portStr.vault-rkt} {
-            reverse_proxy /notifications/hub ${vaultCfg.WEBSOCKET_ADDRESS}:${
-              toString vaultCfg.WEBSOCKET_PORT
-            }
-            reverse_proxy ${vaultCfg.ROCKET_ADDRESS}:${
-              toString vaultCfg.ROCKET_PORT
-            } {
               header_up X-Real-IP {remote_host}
             }
           '';

linux/singularity/headscale.nix

@@ -1,16 +1,15 @@
 { config, ... }:
 
 {
-  services = let const = config.constants; in {
+  services = {
-    headscale = {
+    headscale = let const = config.constants; in {
       enable = true;
       address = const.localhost;
-      port = 27327;
+      port = const.port.headscale;
       settings.server_url = "https://headscale.${const.domain}";
     };
     tailscale = {
       enable = true;
-      extraUpFlags = [ "--advertise-exit-node" ];
       port = 27919;
       useRoutingFeatures = "both";
     };

linux/singularity/mailserver.nix

@@ -6,20 +6,19 @@ let
   mailSecret = "mail/${usr}/password";
 in
 {
-  mailserver =
+  mailserver = {
-    {
+    enable = true;
-      enable = true;
+    fqdn = "mail.${dn}";
-      fqdn = "mail.${dn}";
+    domains = [ dn ];
-      domains = [ dn ];
 
-      loginAccounts = {
+    loginAccounts = {
-        "${usr}@${dn}" = {
+      "${usr}@${dn}" = {
-          aliases = [ config.constants.postMaster ];
+        aliases = [ config.constants.postMaster ];
-          hashedPasswordFile = config.sops.secrets.${mailSecret}.path;
+        hashedPasswordFile = config.sops.secrets.${mailSecret}.path;
-        };
       };
-
-      certificateScheme = "acme";
     };
+
+    certificateScheme = "acme";
+  };
   sops.secrets.${mailSecret} = { };
 }

linux/singularity/vaultwarden.nix

@@ -1,18 +1,18 @@
 { config, ... }:
 
 {
-  services.vaultwarden = let lh = config.constants.localhost; in {
+  services.vaultwarden = {
     enable = true;
-    config = {
+    config = let const = config.constants; in {
       # Disable signup
       SIGNUPS_ALLOWED = false;
       # Specify service port
-      ROCKET_ADDRESS = lh;
+      ROCKET_ADDRESS = const.localhost;
-      ROCKET_PORT = 25487;
+      ROCKET_PORT = const.port.vault-rkt;
       # Specify notification port
       WEBSOCKET_ENABLED = true;
-      WEBSOCKET_ADDRESS = lh;
+      WEBSOCKET_ADDRESS = const.localhost;
-      WEBSOCKET_PORT = 40513;
+      WEBSOCKET_PORT = const.port.vault-ws;
     };
   };
 }