-rw-r--r-- | flake.lock | 56 | ||||
-rw-r--r-- | system/linde.nix | 152 |
2 files changed, 38 insertions, 170 deletions
diff --git a/flake.lock b/flake.lock
index 1800e1b2..b2e8667c 100644
--- a/flake.lock
+++ b/flake.lock
@@ -52,11 +52,11 @@
 ]
 },
 "locked": {
- "lastModified": 1735478292,
- "narHash": "sha256-Ys9pSP9ch0SthhpbjnkCSJ9ZLfaNKnt/dcy7swjmS1A=",
+ "lastModified": 1736085891,
+ "narHash": "sha256-bTl9fcUo767VaSx4Q5kFhwiDpFQhBKna7lNbGsqCQiA=",
 "owner": "lnl7",
 "repo": "nix-darwin",
- "rev": "71a3a075e3229a7518d76636bb762aef2bcb73ac",
+ "rev": "ba9b3173b0f642ada42b78fb9dfc37ca82266f6c",
 "type": "github"
 },
 "original": {
@@ -113,11 +113,11 @@
 "nixpkgs-stable": "nixpkgs-stable"
 },
 "locked": {
- "lastModified": 1735550039,
- "narHash": "sha256-hIyQM5hqBpOfvb6lMHl+707pg7iwBJKfbsANEZFhV+0=",
+ "lastModified": 1736097113,
+ "narHash": "sha256-iYgqw2jUGT8XRL2CjDb5HbFUXnX6ARnZNGAT5sUPEn4=",
 "owner": "nix-community",
 "repo": "emacs-overlay",
- "rev": "bc19dc80cd2987406a19b5c644e0400c4cf67e33",
+ "rev": "d7e0c9362bd6030e79712036b22404f585fa2919",
 "type": "github"
 },
 "original": {
@@ -311,11 +311,11 @@
 ]
 },
 "locked": {
- "lastModified": 1735381016,
- "narHash": "sha256-CyCZFhMUkuYbSD6bxB/r43EdmDE7hYeZZPTCv0GudO4=",
+ "lastModified": 1736066484,
+ "narHash": "sha256-uTstP36WaFrw+TEHb8nLF14hFPzQBOhmIxzioHCDaL8=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "10e99c43cdf4a0713b4e81d90691d22c6a58bdf2",
+ "rev": "5ad12b6ea06b84e48f6b677957c74f32d47bdee0",
 "type": "github"
 },
 "original": {
@@ -351,11 +351,11 @@
 ]
 },
 "locked": {
- "lastModified": 1735443188,
- "narHash": "sha256-AydPpRBh8+NOkrLylG7vTsHrGO2b5L7XkMEL5HlzcA8=",
+ "lastModified": 1736047960,
+ "narHash": "sha256-hutd85FA1jUJhhqBRRJ+u7UHO9oFGD/RVm2x5w8WjVQ=",
 "owner": "Mic92",
 "repo": "nix-index-database",
- "rev": "55ab1e1df5daf2476e6b826b69a82862dcbd7544",
+ "rev": "816a6ae88774ba7e74314830546c29e134e0dffb",
 "type": "github"
 },
 "original": {
@@ -397,11 +397,11 @@
 },
 "nixpkgs-small": {
 "locked": {
- "lastModified": 1735530358,
- "narHash": "sha256-4ZbiXBWFK0gHsl5VT9dih7RVaEV3rRh0XUV0jW0ibOM=",
+ "lastModified": 1736077418,
+ "narHash": "sha256-2LwAcQXlLkqWyibkYGiS1SfXsewxRuhpYtzrMQSYElc=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "5000219208d860bafd1ee26eadb403449f3d9ab9",
+ "rev": "e554bf17658bd1bfe393dcaca8b8eee6014ddfa1",
 "type": "github"
 },
 "original": {
@@ -413,11 +413,11 @@
 },
 "nixpkgs-stable": {
 "locked": {
- "lastModified": 1735412871,
- "narHash": "sha256-Qoz0ow6jDGUIBHxduc7Y1cjYFS71tvEGJV5Src/mj98=",
+ "lastModified": 1735922141,
+ "narHash": "sha256-vk0xwGZSlvZ/596yxOtsk4gxsIx2VemzdjiU8zhjgWw=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "9f94733f93e4fe6e82f516efae007096e4ab5a21",
+ "rev": "d29ab98cd4a70a387b8ceea3e930b3340d41ac5a",
 "type": "github"
 },
 "original": {
@@ -445,11 +445,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1735471104,
- "narHash": "sha256-0q9NGQySwDQc7RhAV2ukfnu7Gxa5/ybJ2ANT8DQrQrs=",
+ "lastModified": 1735834308,
+ "narHash": "sha256-dklw3AXr3OGO4/XT1Tu3Xz9n/we8GctZZ75ZWVqAVhk=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "88195a94f390381c6afcdaa933c2f6ff93959cb4",
+ "rev": "6df24922a1400241dae323af55f30e4318a6ca65",
 "type": "github"
 },
 "original": {
@@ -477,11 +477,11 @@
 },
 "nixpkgs_4": {
 "locked": {
- "lastModified": 1735471104,
- "narHash": "sha256-0q9NGQySwDQc7RhAV2ukfnu7Gxa5/ybJ2ANT8DQrQrs=",
+ "lastModified": 1735834308,
+ "narHash": "sha256-dklw3AXr3OGO4/XT1Tu3Xz9n/we8GctZZ75ZWVqAVhk=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "88195a94f390381c6afcdaa933c2f6ff93959cb4",
+ "rev": "6df24922a1400241dae323af55f30e4318a6ca65",
 "type": "github"
 },
 "original": {
@@ -570,11 +570,11 @@
 "simple-css": "simple-css"
 },
 "locked": {
- "lastModified": 1735827328,
- "narHash": "sha256-yMByBWKBRjM5O16mKRKl8Pht8ywlQj6/yUPJHsFGuO4=",
+ "lastModified": 1736106757,
+ "narHash": "sha256-O+VDUgePY6Dx1RImnqtglE9zUpRSGmYPE3cGgK6Hr2M=",
 "ref": "refs/heads/main",
- "rev": "3d9e6998177f7fc8e971df4913c3a880ff911c99",
- "revCount": 297,
+ "rev": "88b3b8158207e8f3ef6be4bc6d44cd450464eecc",
+ "revCount": 301,
 "type": "git",
 "url": "https://git.alanpearce.eu/searchix"
 },
diff --git a/system/linde.nix b/system/linde.nix
index da353bde..29260c21 100644
--- a/system/linde.nix
+++ b/system/linde.nix
@@ -12,7 +12,6 @@ let
 net-mask4 = "32";
 net-gw = "172.31.1.1";
 net-ip6 = "2a01:4f8:c012:23a4::1";
- net-rdnsip = "2a01:4f8:c012:23a4::53";
 net-redisip = "2a01:4f8:c012:23a4::6379";
 net-mask6 = "64";
 net-gw6 = "fe80::1";
@@ -157,7 +156,6 @@ in
 hosts = lib.mkForce {
 ${net-ip4} = [ "${hostname}.${domain}" hostname ];
 ${net-ip6} = [ "${hostname}.${domain}" hostname ];
- ${net-rdnsip} = [ "dns" ];
 ${net-redisip} = [ "redis" ];
 };
 firewall = {
@@ -216,7 +214,6 @@ in
 ];
 address = [
 "${net-ip6}/${net-mask6}"
- "${net-rdnsip}/${net-mask6}"
 "${net-redisip}/${net-mask6}"
 ];
 addresses = [{
@@ -402,59 +399,6 @@ in
 '';
 };
- systemd.services.hagezi-blocklist-update = {
- enable = true;
- startAt = "daily";
- serviceConfig = {
- CacheDirectory = "blocklist";
- UMask = "0077";
- DynamicUser = "yes";
- ProtectSystem = "strict";
- ProtectHome = true;
- PrivateTmp = true;
- PrivateDevices = true;
- PrivateUsers = true;
- ProtectClock = true;
- ProtectKernelTunables = true;
- ProtectKernelModules = true;
- ProtectKernelLogs = true;
- ProtectControlGroups = true;
- ProtectProc = "invisible";
- RestrictAddressFamilies = "AF_INET AF_INET6";
- RestrictNamespaces = true;
- RestrictRealtime = true;
- LockPersonality = true;
- MemoryDenyWriteExecute = "true";
- SystemCallFilter = [
- "~@clock"
- "~@cpu-emulation"
- "~@debug"
- "~@module"
- "~@mount"
- "~@obsolete"
- "~@privileged"
- "~@raw-io"
- "~@reboot"
- "~@resources"
- "~@swap"
- ];
- SystemCallArchitectures = "native";
- CapabilityBoundingSet = "";
- DevicePolicy = "closed";
- ProcSubset = "pid";
- NoNewPrivileges = true;
- ExecStart = "${pkgs.curl}/bin/curl --no-progress-meter --output %C/blocklist/hagezi.rpz https://raw.githubusercontent.com/hagezi/dns-blocklists/main/rpz/pro.plus.txt";
- # https://raw.githubusercontent.com/hagezi/dns-blocklists/main/rpz/pro.plus.txt"
- ExecStartPost = [
- "+/bin/sh -c 'exec install --compare --mode=644 %C/blocklist/hagezi.rpz /etc/knot-resolver/blocklist.rpz'"
- "-/bin/sh -c 'exec rm -f %C/blocklist/hagezi.rpz'"
- ];
- Environment = [
- "HOME=%C/blocklist"
- ];
- };
- };
-
 services.postfix = let
 localUser = "alan";
@@ -473,75 +417,6 @@ in
 };
 };
- services.kresd = {
- enable = true;
- # package = pkgs.knot-resolver.override { extraFeatures = true; };
- listenPlain = [
- "[${net-rdnsip}]:53"
- ];
- listenTLS = [
- "127.0.0.1:853"
- "[::1]:853"
- "${net-ip4}:853"
- "[${net-ip6}]:853"
- ];
- listenDoH = [
- "[::1]:443"
- "127.0.0.1:443"
- ];
- instances = 2;
- extraConfig = ''
- modules = {
- 'rebinding < iterate',
- 'hints > iterate',
- 'serve_stale < cache',
- 'stats',
- predict = {
- window = 30,
- period = 24 * (60/30),
- },
- 'nsid',
- }
- local systemd_instance = os.getenv("SYSTEMD_INSTANCE")
- nsid.name(systemd_instance)
- log_groups({ 'policy' })
- cache.size = 500 * MB
- net.tls(
- '/var/lib/acme/dns.alanpearce.eu/cert.pem',
- '/var/lib/acme/dns.alanpearce.eu/key.pem'
- )
- -- override blocklist
- policy.add(policy.suffix(policy.PASS, policy.todnames({
- })))
- policy.add(policy.rpz(
- policy.DENY_MSG('domain blocked by hagezi'),
- '/etc/knot-resolver/blocklist.rpz',
- false -- needs wrapped kresd
- -- true -- will watch the file for updates
- ))
- policy.add(policy.domains(policy.REFUSE, policy.todnames({
- 'use-application-dns.net',
- 'telemetry.astro.build',
- })))
- -- disable DNSSEC when using Quad9 since they do it
- -- trust_anchors.remove('.')
- -- policy.add(policy.all(policy.TLS_FORWARD({
- -- {'2620:fe::fe', hostname='dns.quad9.net'},
- -- {'2620:fe::9', hostname='dns.quad9.net'},
- -- {'9.9.9.9', hostname='dns.quad9.net'},
- -- {'149.112.122.122', hostname='dns.quad9.net'},
- -- })))
- '';
- };
-
 users.groups.ntfy = { };
 users.users.ntfy = {
 isSystemUser = true;
@@ -580,31 +455,28 @@ in
 systemd.services.backup-gitolite = {
 startAt = "daily";
 path = with pkgs; [
- rdiff-backup
 openssh
 ];
- script = ''
- rdiff-backup --api-version 201 backup ${config.services.gitolite.dataDir} ${hostname}@nano.${ts-domain}::gitolite
- rdiff-backup --api-version 201 remove increments --older-than 3M ${hostname}@nano.${ts-domain}::gitolite
- '';
- serviceConfig.Type = "oneshot";
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = "${lib.getExe pkgs.rdiff-backup} --api-version 201 backup ${config.services.gitolite.dataDir} ${hostname}@nano.${ts-domain}::gitolite";
+ ExecStartPost = "-${lib.getExe pkgs.rdiff-backup} --api-version 201 remove increments --older-than 3M ${hostname}@nano.${ts-domain}::gitolite";
+ };
 };
 systemd.services.backup-paperless = {
 startAt = "daily";
 path = with pkgs; [
- sudo
- rdiff-backup
 openssh
 ];
- script = ''
- systemd-run --machine=papers sudo -u paperless ./paperless-manage document_exporter --delete --use-filename-format --no-archive --no-thumbnail --no-progress-bar ./export
- rdiff-backup --api-version 201 backup /srv/paperless/export ${hostname}@nano.${ts-domain}::paperless
- rdiff-backup --api-version 201 remove increments --older-than 3M ${hostname}@nano.${ts-domain}::paperless
- '';
 serviceConfig = {
 Type = "oneshot";
 WorkingDirectory = config.services.paperless.dataDir;
+ ExecStart = [
+ "systemd-run --machine=papers sudo -u paperless ./paperless-manage document_exporter --delete --use-filename-format --no-archive --no-thumbnail --no-progress-bar ./export "
+ "${lib.getExe pkgs.rdiff-backup} --api-version 201 backup /srv/paperless/export ${hostname}@nano.${ts-domain}::paperless"
+ ];
+ ExecStartPost = "-${lib.getExe pkgs.rdiff-backup} --api-version 201 remove increments --older-than 3M ${hostname}@nano.${ts-domain}::paperless";
 };
 };
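Review bot: The first `ExecStart` entry of `backup-paperless` invokes `systemd-run` by bare name, but unlike the removed `script` (a shell that used the unit's `path`) an `ExecStart=` command name is resolved by systemd only against its fixed compile-time search path, so unless the NixOS systemd build puts `/run/current-system/sw/bin` in that path the unit fails before the export runs. Spell it absolutely, e.g. `"${config.systemd.package}/bin/systemd-run --machine=papers sudo -u paperless ./paperless-manage document_exporter --delete --use-filename-format --no-archive --no-thumbnail --no-progress-bar ./export"`, which also drops the stray trailing space inside the quotes. Dropping `sudo` from `path` is consistent, since it now runs inside the `papers` machine rather than on the host. Also note that the `-` prefix on both `ExecStartPost` lines (gitolite and paperless) means a failing `remove increments` prune no longer fails the unit as it did under `script`, so a backup set growing without bound would go unnoticed unless that is intended.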
@@ -621,10 +493,6 @@ in
 certs."alanpearce.eu" = {
 extraDomainNames = [ "*.alanpearce.eu" "*.linde.alanpearce.eu" ];
 };
- certs."dns.alanpearce.eu" = {
- reloadServices = map (x: "kresd@${toString x}") (range 1 config.services.kresd.instances);
- group = "knot-resolver";
- };
 certs."stats.alanpearce.eu" = {
 extraDomainNames = [ "*.stats.alanpearce.eu" ];
 };
|