Diffstat (limited to 'system')
-rw-r--r-- | system/linde.nix | 50 | ||||
-rw-r--r-- | system/marvin.nix | 8 | ||||
-rwxr-xr-x | system/nanopi.nix | 44 | ||||
-rw-r--r-- | system/settings/configuration/nix.nix | 4 | ||||
-rw-r--r-- | system/settings/user-interface.nix | 2 |
5 files changed, 80 insertions, 28 deletions
diff --git a/system/linde.nix b/system/linde.nix
index 6e5e54ed..573eb78e 100644
--- a/system/linde.nix
+++ b/system/linde.nix
@@ -13,7 +13,7 @@ let
net-gw = "172.31.1.1";
net-ip6 = "2a01:4f8:c012:23a4::1";
net-rdnsip = "2a01:4f8:c012:23a4::53";
- net-acmeip = "2a01:4f8:c012:23a4::715";
+ net-redisip = "2a01:4f8:c012:23a4::6379";
net-mask6 = "64";
net-gw6 = "fe80::1";
domain = "alanpearce.eu";
@@ -43,6 +43,7 @@ in
binarycache.file = ../secrets/binarycache.age;
dex.file = ../secrets/dex.age;
powerdns.file = ../secrets/powerdns.age;
+ redis-website.file = ../secrets/redis-website.age;
golink = let golink = config.services.golink; in {
# hope this doesn't collide...
path = "${golink.dataDir}/.config/tsnet-golink/auth.key";
@@ -163,7 +164,7 @@ in
${net-ip4} = [ "${hostname}.alanpearce.eu" hostname ];
${net-ip6} = [ "${hostname}.alanpearce.eu" hostname ];
${net-rdnsip} = [ "dns" ];
- ${net-acmeip} = [ "acme" ];
+ ${net-redisip} = [ "redis" ];
};
firewall = {
enable = true;
@@ -176,6 +177,7 @@ in
443
53
853
+ 6379
9418
6922
];
@@ -221,7 +223,7 @@ in
address = [
"${net-ip6}/${net-mask6}"
"${net-rdnsip}/${net-mask6}"
- "${net-acmeip}/${net-mask6}"
+ "${net-redisip}/${net-mask6}"
];
addresses = [{
Address = "${net-ip4}/${net-mask4}";
@@ -630,6 +632,9 @@ in
certs."stats.alanpearce.eu" = {
extraDomainNames = [ "*.stats.alanpearce.eu" ];
};
+ certs."redis.alanpearce.eu" = {
+ group = "redis-website";
+ };
};
users.groups.acme.members = [
"caddy"
@@ -848,6 +853,10 @@ in
permitCertUid = "caddy";
port = tsPort;
};
+ services.tailscaleAuth = {
+ enable = true;
+ group = "caddy";
+ };
services.caddy = {
enable = true;
email = "caddy@alanpearce.eu";
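Review bot: The new `redis-website` secret in the @@ -43 hunk is declared with only `.file`, while the Redis server that reads it through `requirePassFile` (the `services.redis` hunk on the following line) presumably runs as its own service user, so the secret's owner, group and mode have to grant that user read access; the ACME cert in the @@ -630 hunk is apparently given `group = "redis-website"` for that reason, but nothing equivalent is set on the secret. Unless the agenix defaults already cover this, consider `redis-website = { file = ../secrets/redis-website.age; group = "redis-website"; mode = "0440"; };`. The `age.secrets` block continues outside the hunk.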
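Review bot: Adding 6379 to `allowedTCPPorts` in the @@ -176 hunk opens the Redis TLS listener (bound to the public `net-redisip` address in the `services.redis` hunk on the next line) to every source address, and that hunk sets `tls-auth-clients = false`, so the only barrier is the password from `requirePassFile`; with `maxclients = 6`, a handful of unauthenticated connections is also enough to lock out the real client. If the consumer is one website host or a tailnet peer, restrict the source rather than opening the port globally (for example `networking.firewall.interfaces.<iface>.allowedTCPPorts` on the interface that should carry it), or set `tls-auth-clients = true` and issue the client a certificate. Note that `tls-ca-cert-file` points at the system CA bundle, which as I read the Redis docs is the set used to validate client certificates once client auth is enabled, so enabling it with that bundle would accept any publicly issued client certificate; a private CA or the client's own certificate belongs there instead. The firewall block continues outside the hunk.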
@@ -869,6 +878,19 @@ in root * ${config.services.paperless.package}/lib/paperless-ngx/static file_server } + forward_auth unix//run/tailscale-nginx-auth/tailscale-nginx-auth.sock { + uri /auth + header_up Remote-Addr {remote_host} + header_up Remote-Port {remote_port} + header_up Original-URI {uri} + copy_headers { + Tailscale-User>X-Webauth-User + Tailscale-Name>X-Webauth-Name + Tailscale-Login>X-Webauth-Login + Tailscale-Tailnet>X-Webauth-Tailnet + Tailscale-Profile-Picture>X-Webauth-Profile-Picture + } + } reverse_proxy [::1]:${toString config.services.paperless.port} ''; }; @@ -888,6 +910,9 @@ in PAPERLESS_PROXY_SSL_HEADER = [ "HTTP_X_FORWARDED_PROTO" "https" ]; PAPERLESS_ENABLE_COMPRESSION = false; # let caddy do it + PAPERLESS_ENABLE_HTTP_REMOTE_USER = true; + PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME = "HTTP_X_WEBAUTH_USER"; + PAPERLESS_OCR_SKIP_ARCHIVE_FILE = "with_text"; PAPERLESS_OCR_LANGUAGE = "deu+eng"; PAPERLESS_IGNORE_DATES = "09.08.90"; @@ -962,6 +987,25 @@ in Requires = [ "etcd.service" ]; }; + services.redis = { + servers = { + website = { + enable = true; + port = 0; + bind = net-redisip; + databases = 1; + maxclients = 6; + requirePassFile = config.age.secrets.redis-website.path; + settings = { + tls-port = 6379; + tls-cert-file = "/var/lib/acme/redis.alanpearce.eu/cert.pem"; + tls-key-file = "/var/lib/acme/redis.alanpearce.eu/key.pem"; + tls-ca-cert-file = "/etc/ssl/certs/ca-certificates.crt"; + tls-auth-clients = false; + }; + }; + }; + }; services.syncthing = { enable = true; diff --git a/system/marvin.nix b/system/marvin.nix index 1907aa39..0e022fb7 100644 --- a/system/marvin.nix +++ b/system/marvin.nix @@ -11,6 +11,14 @@ group = "wheel"; }; + services.redis = { + enable = true; + bind = "127.0.0.1 ::1"; + extraConfig = '' + save "" + ''; + }; + programs.fish.enable = true; environment.shells = with pkgs; [ fish diff --git a/system/nanopi.nix b/system/nanopi.nix index 3a95ebfc..3a0b55e3 100755 --- a/system/nanopi.nix +++ b/system/nanopi.nix 
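Review bot: With `PAPERLESS_ENABLE_HTTP_REMOTE_USER = true` in the @@ -888 hunk, paperless signs in whoever the `X-Webauth-User` header names, so the identity chain rests on two things the hunks do not spell out: that every request reaching paperless has passed this `forward_auth` block (its `copy_headers` should overwrite any client-supplied `X-Webauth-User`, which is worth confirming against the Caddy version in use), and that paperless itself listens only on loopback (the proxy target is `[::1]`, but paperless's own `address` setting is outside the hunk). A comment above the `forward_auth` line such as `# identity header is only trustworthy because caddy overwrites it here; paperless must stay loopback-only` would keep the next editor from moving or bypassing it. Also, `header_up Remote-Addr {remote_host}` is correct only while Caddy terminates the client connection directly; behind another proxy the auth service would be handed the proxy's address. The enclosing site block starts outside the hunk.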
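Review bot: The marvin hunk uses the top-level `services.redis.enable`/`bind`/`extraConfig` form while linde in the same commit uses `services.redis.servers.<name>` with `settings`; on current NixOS the top-level options are, as far as I recall, aliases for the `""` server and `extraConfig` has been replaced by `settings`, so this may not evaluate on the same channel. For consistency and to avoid relying on the aliases, `services.redis.servers."" = { enable = true; bind = "127.0.0.1 ::1"; save = [ ]; };` expresses the same intent, with `save = [ ]` standing in for `save ""`. The instance has no password, which is acceptable on loopback only as long as every local account on the machine is trusted.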
@@ -11,9 +11,6 @@ in { imports = [ ./nanopi-hardware.nix - <agenix/modules/age.nix> - <nixos-hardware/friendlyarm/nanopi-r5s> - <home-manager/nixos> ]; age.secrets = { @@ -616,7 +613,6 @@ in "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMvcW4Z9VxOQgEJjsRC1uSMwEJ4vru9BwjT+Z50nawp4 lan" ]; }; - home-manager.users.alan = import ../user/nanopi.nix; users.groups = { linde.members = [ ]; @@ -765,34 +761,34 @@ in services.samba = { enable = true; - enableNmbd = false; - extraConfig = '' - log level = 1 + nmbd.enable = false; + settings = { + global = { + "log level" = 1; - interfaces = bridge0 + "interfaces" = "bridge0"; - min protocol = SMB2 - disable netbios = yes - smb ports = 445 + "min protocol" = "SMB2"; + "disable netbios" = true; + "smb ports" = 445; - socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE SO_RCVBUF=65536 SO_SNDBUF=65536 - max xmit = 131072 - min receivefile size = 131072 + "socket options" = "IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE SO_RCVBUF=65536 SO_SNDBUF=65536"; + "max xmit" = 131072; + "min receivefile size" = 131072; - aio read size = 1 - aio write size = 1 + "aio read size" = 1; + "aio write size" = 1; - load printers = no - disable spoolss = yes + "load printers" = false; + "disable spoolss" = true; - mdns name = mdns + "mdns name" = "mdns"; - follow symlinks = yes + "follow symlinks" = true; - veto files = /Thumbs.db/.DS_Store/._.DS_Store/.apdisk/ - delete veto files = yes - ''; - shares = { + "veto files" = "/Thumbs.db/.DS_Store/._.DS_Store/.apdisk/"; + "delete veto files" = true; + }; public = { path = "/srv/public"; browseable = "yes"; diff --git a/system/settings/configuration/nix.nix b/system/settings/configuration/nix.nix index 105efaae..28da18c0 100644 --- a/system/settings/configuration/nix.nix +++ b/system/settings/configuration/nix.nix 
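Review bot: `"interfaces" = "bridge0"` in the samba `global` block carries over the old `interfaces = bridge0` line without `bind interfaces only`, and without that setting smbd still listens on every address and only uses the list for browsing, so if the intent is to keep SMB off the other networks add `"bind interfaces only" = true;` next to it. The new block also mixes value styles with the unchanged share below it (`"disable netbios" = true` here versus `browseable = "yes"` in `public`); if the module renders `true` as `yes` (worth a glance at the generated smb.conf), picking one form throughout would read more consistently. `services.samba` continues outside the hunk.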
@@ -13,11 +13,15 @@ warn-dirty = false; substituters = [ "https://nix-community.cachix.org" + "https://deploy-rs.cachix.org" "https://binarycache.alanpearce.eu" + "https://deploy-rs.cachix.org" ]; trusted-public-keys = [ + "deploy-rs.cachix.org-1:xfNobmiwF/vzvK1gpfediPwpdIP0rpDV2rYqx40zdSI=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" + "deploy-rs.cachix.org-1:xfNobmiwF/vzvK1gpfediPwpdIP0rpDV2rYqx40zdSI=" "binarycache.alanpearce.eu:ZwqO3XMuajPictjwih8OY2+RXnOKpjZEZFHJjGSxAI4=" ]; }; diff --git a/system/settings/user-interface.nix b/system/settings/user-interface.nix index 27f1d9aa..a1d31c3b 100644 --- a/system/settings/user-interface.nix +++ b/system/settings/user-interface.nix @@ -6,7 +6,7 @@ documentation.info.enable = true; environment.systemPackages = with pkgs; [ - epdfview + qpdfview lxappearance lxrandr |
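Review bot: `"https://deploy-rs.cachix.org"` is added twice to `substituters` and its key `"deploy-rs.cachix.org-1:xfNobmiwF/vzvK1gpfediPwpdIP0rpDV2rYqx40zdSI="` twice to `trusted-public-keys`; drop the second copy of each. Keep in mind that `trusted-public-keys` is not scoped to a substituter: any path signed with this key is accepted from every cache listed, so adding it extends trust in the deploy-rs signers to all store paths, which is fine if intended but deserves a one-line comment saying so. The `nix.settings` block continues outside the hunk.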