Diffstat (limited to 'system/linde.nix')
-rw-r--r--system/linde.nix83
1 files changed, 51 insertions, 32 deletions
diff --git a/system/linde.nix b/system/linde.nix
index e5880491..7ac72e5c 100644
--- a/system/linde.nix
+++ b/system/linde.nix
@@ -13,7 +13,7 @@ let
   net-gw = "172.31.1.1";
   net-ip6 = "2a01:4f8:c012:23a4::1";
   net-rdnsip = "2a01:4f8:c012:23a4::53";
-  net-acmeip = "2a01:4f8:c012:23a4::715";
+  net-redisip = "2a01:4f8:c012:23a4::6379";
   net-mask6 = "64";
   net-gw6 = "fe80::1";
   domain = "alanpearce.eu";
@@ -43,6 +43,7 @@ in
     binarycache.file = ../secrets/binarycache.age;
     dex.file = ../secrets/dex.age;
     powerdns.file = ../secrets/powerdns.age;
+    redis-website.file = ../secrets/redis-website.age;
     golink = let golink = config.services.golink; in {
       # hope this doesn't collide...
       path = "${golink.dataDir}/.config/tsnet-golink/auth.key";
@@ -163,7 +164,7 @@ in
       ${net-ip4} = [ "${hostname}.alanpearce.eu" hostname ];
       ${net-ip6} = [ "${hostname}.alanpearce.eu" hostname ];
       ${net-rdnsip} = [ "dns" ];
-      ${net-acmeip} = [ "acme" ];
+      ${net-redisip} = [ "redis" ];
     };
     firewall = {
       enable = true;
@@ -176,6 +177,7 @@ in
         443
         53
         853
+        6379
         9418
         6922
       ];
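Review bot: Adding `6379` to `allowedTCPPorts` opens the port on every interface and for every local address, while the Redis instance it is meant for (configured further down in this diff) binds only to the single `net-redisip` address, so IPv4 and the other IPv6 addresses get an open port with nothing behind them, and any future listener on 6379 becomes reachable without a conscious decision. With the nftables firewall backend a destination-scoped rule is tighter, e.g. `networking.firewall.extraInputRules = "ip6 daddr ${net-redisip} tcp dport 6379 accept";` in place of the list entry; with the iptables backend `extraCommands` can express the same. If the Redis clients are known, filtering by source address as well is the cheapest hardening available. The `allowedTCPPorts` list begins outside this hunk.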
@@ -221,7 +223,7 @@ in
         address = [
           "${net-ip6}/${net-mask6}"
           "${net-rdnsip}/${net-mask6}"
-          "${net-acmeip}/${net-mask6}"
+          "${net-redisip}/${net-mask6}"
         ];
         addresses = [{
           Address = "${net-ip4}/${net-mask4}";
@@ -610,37 +612,11 @@ in
     };
   };
 
-  services.acme-dns = {
-    enable = true;
-    settings =
-      let
-        me = "acme.${domain}";
-      in
-      {
-        general = {
-          listen = "[${net-acmeip}]:53";
-          protocol = "both6";
-          domain = me;
-          nsname = me;
-          nsadmin = builtins.replaceStrings [ "@" ] [ "." ] config.security.acme.defaults.email;
-          records = [
-            "${me}. AAAA ${net-acmeip}"
-            "${me}. NS ${me}."
-          ];
-        };
-        api = {
-          ip = "[${net-acmeip}]";
-          tls = "letsencrypt";
-          port = 443;
-          notification-email = config.security.acme.defaults.email;
-        };
-      };
-  };
-
   security.acme = {
     defaults = {
       email = "alan@alanpearce.eu";
-      dnsProvider = "acme-dns";
+      dnsProvider = "pdns";
+      dnsResolver = "1.1.1.1:53";
       credentialsFile = config.age.secrets.acme.path;
       reloadServices = [ "caddy" ];
       validMinDays = 32;
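Review bot: `credentialsFile` still points at the same `acme` secret although the provider switches from `acme-dns` to `pdns`, and lego's pdns provider reads different variables (`PDNS_API_KEY`, `PDNS_API_URL`) from that file, so the secret's contents presumably changed in a commit not visible here; a comment such as `# holds PDNS_API_KEY / PDNS_API_URL for lego's pdns provider` would make that dependency explicit. The security-relevant difference is scope: an acme-dns token could only update the `_acme-challenge` names of its own registration, whereas a PowerDNS API key can edit every zone the authoritative server hosts, so the key now living in the acme credentials file deserves the same care as the `powerdns` secret itself (API bound to loopback, key not shared with other consumers). `dnsResolver = "1.1.1.1:53"` makes propagation checks go through a public resolver rather than the local authoritative server, which is correct but means issuance waits on external caching; a one-line comment saying so would help. If the parent zone still carries the NS delegation for `acme.alanpearce.eu` that the removed acme-dns server answered, it is now dangling and should be removed.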
@@ -656,6 +632,9 @@ in
     certs."stats.alanpearce.eu" = {
       extraDomainNames = [ "*.stats.alanpearce.eu" ];
     };
+    certs."redis.alanpearce.eu" = {
+      group = "redis-website";
+    };
   };
   users.groups.acme.members = [
     "caddy"
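Review bot: The new `redis.alanpearce.eu` certificate inherits `reloadServices = [ "caddy" ]` from `defaults`, so on renewal only Caddy is notified; the Redis server that loads `cert.pem`/`key.pem` from this directory (configured further down in this diff) keeps serving the old certificate until something restarts it, since Redis does not re-read the files on its own. A per-cert override next to `group`, `reloadServices = [ "redis-website.service" ];`, lets the ACME post-renewal hook `try-reload-or-restart` the unit. `group = "redis-website"` has to match the user/group the `services.redis.servers.website` instance runs as — that is the NixOS default naming, but a short comment is worthwhile because a mismatch only surfaces as a permission error at Redis startup.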
@@ -874,6 +853,10 @@ in
           permitCertUid = "caddy";
           port = tsPort;
         };
+        services.tailscaleAuth = {
+          enable = true;
+          group = "caddy";
+        };
         services.caddy = {
           enable = true;
           email = "caddy@alanpearce.eu";
@@ -895,6 +878,19 @@ in
                   root * ${config.services.paperless.package}/lib/paperless-ngx/static
                   file_server
                 }
+                forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock {
+                  uri /auth
+                  header_up Remote-Addr {remote_host}
+                  header_up Remote-Port {remote_port}
+                  header_up Original-URI {uri}
+                  copy_headers {
+                    Tailscale-User>X-Webauth-User
+                    Tailscale-Name>X-Webauth-Name
+                    Tailscale-Login>X-Webauth-Login
+                    Tailscale-Tailnet>X-Webauth-Tailnet
+                    Tailscale-Profile-Picture>X-Webauth-Profile-Picture
+                  }
+                }
                 reverse_proxy [::1]:${toString config.services.paperless.port}
               '';
             };
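Review bot: `forward_auth` is placed after the static-asset handler whose opening line is outside this hunk, so requests matching that handler are served by `file_server` without ever reaching the Tailscale auth socket and only what falls through to `reverse_proxy` is authenticated; that looks deliberate, but a comment like `# static assets are public; everything that reaches paperless itself must carry a tailnet identity` would stop a later edit from widening the file_server match. The `copy_headers` mapping is what makes the `X-Webauth-*` headers trustworthy: the expanded `request_header` overwrites (or clears) any client-supplied value with what the auth response returned, so a client cannot smuggle its own `X-Webauth-Login` past this block — provided nothing else can reach the proxied port. `header_up Remote-Addr {remote_host}` must carry the tailnet peer address for the backend's `whois` lookup to succeed; if the container's only listener is the Tailscale one (the `permitCertUid`/`tsPort` settings in the previous hunk suggest so) that holds, otherwise the backend answers 403 for everyone. The enclosing site block starts and ends outside this hunk.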
@@ -914,6 +910,9 @@ in
             PAPERLESS_PROXY_SSL_HEADER = [ "HTTP_X_FORWARDED_PROTO" "https" ];
             PAPERLESS_ENABLE_COMPRESSION = false; # let caddy do it
 
+            PAPERLESS_ENABLE_HTTP_REMOTE_USER = true;
+            PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME = "HTTP_X_WEBAUTH_LOGIN";
+
             PAPERLESS_OCR_SKIP_ARCHIVE_FILE = "with_text";
             PAPERLESS_OCR_LANGUAGE = "deu+eng";
             PAPERLESS_IGNORE_DATES = "09.08.90";
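Review bot: `PAPERLESS_ENABLE_HTTP_REMOTE_USER` makes paperless log in whoever appears in `X-Webauth-Login` without a password, so this is only as safe as the guarantee that every request reaching paperless went through the Caddy `forward_auth` block earlier in this diff; that guarantee rests on the `[::1]` bind of the reverse-proxy target rather than on anything here and deserves a comment: `# trusts X-Webauth-Login set by caddy's forward_auth; paperless must stay reachable only through that caddy instance`. Django's remote-user backend also creates an account for any unknown login by default, so every identity the Tailscale auth socket accepts presumably becomes a paperless user — if the tailnet has shared or guest nodes, a Tailscale ACL or an allow-list of expected logins is the place to bound that. The header name must stay in step with the `Tailscale-Login>X-Webauth-Login` mapping in the Caddyfile; renaming one side silently breaks login rather than failing loudly. The enclosing `environment` attribute set begins outside this hunk.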
@@ -988,11 +987,31 @@ in
     Requires = [ "etcd.service" ];
   };
 
+  services.redis = {
+    servers = {
+      website = {
+        enable = true;
+        port = 0;
+        bind = net-redisip;
+        databases = 1;
+        maxclients = 6;
+        requirePassFile = config.age.secrets.redis-website.path;
+        settings = {
+          tls-port = 6379;
+          tls-cert-file = "/var/lib/acme/redis.alanpearce.eu/cert.pem";
+          tls-key-file = "/var/lib/acme/redis.alanpearce.eu/key.pem";
+          tls-ca-cert-file = "/etc/ssl/certs/ca-certificates.crt";
+          tls-auth-clients = false;
+        };
+      };
+    };
+  };
 
   services.syncthing = {
     enable = true;
     dataDir = "/srv/syncthing";
     configDir = "/var/lib/syncthing";
+    guiAddress = "[::]:8384";
     openDefaultPorts = true;
     overrideDevices = false;
     overrideFolders = false;
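Review bot: The Redis instance is Internet-reachable (public `net-redisip`, and 6379 is opened in the firewall hunk above) with `tls-auth-clients = false`, so TLS here only encrypts the channel and the single `requirepass` from `redis-website.age` is the whole of authentication: anyone can open a TLS session and try passwords, and a leaked password gives full command access. If the clients are known, mutual TLS is the natural fix — `tls-auth-clients = true;` with `tls-ca-cert-file` pointing at a private CA that issued the client certificates, not the system bundle, because with `/etc/ssl/certs/ca-certificates.crt` a certificate from any public CA would satisfy client auth (Redis insists on some CA setting, which is presumably why the bundle is here). Failing that, a source-address filter in the firewall rule and a Redis ACL that limits the default user to what the website needs (no `CONFIG`, `DEBUG`, `MODULE`, `SAVE`) would bound the blast radius, and a comment on why `maxclients = 6` was chosen would help the next reader. Separately, `guiAddress = "[::]:8384"` moves the Syncthing GUI from loopback to every interface; whether the firewall blocks it depends on rules and `trustedInterfaces` not visible here, so binding to one tailnet or host address instead of `[::]` is safer if that is the intent.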
@@ -1080,7 +1099,7 @@ in
   };
 
   systemd.services.laminar.environment = {
-    NIX_PATH = "nixpkgs=${<nixpkgs>}";
+    NIX_PATH = "nixpkgs=flake:nixpkgs";
   };
   services.laminar = {
     enable = true;
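Review bot: `NIX_PATH = "nixpkgs=flake:nixpkgs"` is resolved through the Nix flake registry each time a laminar job runs, so CI builds follow whatever `nixpkgs` the registry names at that moment (the global registry's moving branch unless the host pins `nix.registry.nixpkgs`, which is not visible here), whereas the replaced `${<nixpkgs>}` was interpolated at evaluation into a fixed store path. If the jobs should build against the same nixpkgs as the deployed system, pin it, for instance `nix.registry.nixpkgs.flake = inputs.nixpkgs;` if the module has `inputs` in scope, and say so in a comment such as `# resolved via the flake registry; pinned by nix.registry.nixpkgs`. `services.laminar` continues past the end of this hunk.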