diff --git a/agenix/hosts/argon/adguardhome-sync/environment.age b/agenix/hosts/argon/adguardhome-sync/environment.age new file mode 100644 index 0000000..e19a623 Binary files /dev/null and b/agenix/hosts/argon/adguardhome-sync/environment.age differ diff --git a/agenix/hosts/argon/config.nix b/agenix/hosts/argon/config.nix index cd72e45..35b5ef2 100644 --- a/agenix/hosts/argon/config.nix +++ b/agenix/hosts/argon/config.nix @@ -14,6 +14,10 @@ file = ./tailscale/authkey.age; }; + adguardhome-sync-environment = { + file = ./adguardhome-sync/environment.age; + }; + weewx-proxy-environment = { file = ./weewx-proxy/environment.age; }; diff --git a/flake.lock b/flake.lock index 07fda0f..caade03 100644 --- a/flake.lock +++ b/flake.lock @@ -110,11 +110,11 @@ ] }, "locked": { - "lastModified": 1685559570, - "narHash": "sha256-MNIQvLRoq92isMLR/ordKNCl+aXNiuwBM4QyqmS8d00=", + "lastModified": 1686307493, + "narHash": "sha256-R4VEFnDn7nRmNxAu1LwNbjns5DPM8IBsvnrWmZ8ymPs=", "owner": "lnl7", "repo": "nix-darwin", - "rev": "4338bc869e9874d54a4c89539af72f16666b2abe", + "rev": "7c16d31383a90e0e72ace0c35d2d66a18f90fb4f", "type": "github" }, "original": { @@ -253,11 +253,11 @@ ] }, "locked": { - "lastModified": 1686142265, - "narHash": "sha256-IP0xPa0VYqxCzpqZsg3iYGXarUF+4r2zpkhwdHy9WsM=", + "lastModified": 1686391840, + "narHash": "sha256-5S0APl6Mfm6a37taHwvuf11UHnAX0+PnoWQbsYbMUnc=", "owner": "nix-community", "repo": "home-manager", - "rev": "39c7d0a97a77d3f31953941767a0822c94dc01f5", + "rev": "0144ac418ef633bfc9dbd89b8c199ad3a617c59f", "type": "github" }, "original": { 
@@ -276,11 +276,11 @@ }, "locked": { "dir": "contrib", - "lastModified": 1686106284, - "narHash": "sha256-UsJTmzpM6gtQDo4QnMNjCNSQSlqlRoUWwH8JL4ZLRxw=", + "lastModified": 1686365071, + "narHash": "sha256-6yybShpkWPJv8byx7lF1q55uzsnKX1/z0A2Xb74y3I4=", "owner": "neovim", "repo": "neovim", - "rev": "a217675a67233ca2032cd668e919858d2aed92e7", + "rev": "b6d2f49b4536f89cf2428d1f214468aa5fb21788", "type": "github" }, "original": { @@ -301,11 +301,11 @@ "weewx-proxy-flake": "weewx-proxy-flake" }, "locked": { - "lastModified": 1686126028, - "narHash": "sha256-qZcjDerxaAejZWOKIZ/BRzlO6Dk3kSAcGScImAjHKuo=", + "lastModified": 1686385112, + "narHash": "sha256-6hH97tMLpMmiv5+5I3fsNDYsbElqgjQ0mJ8K2N7Q4VA=", "owner": "nifoc", "repo": "nix-overlay", - "rev": "34792fe066ac58e2441ffc6c854ef6c809c3d91d", + "rev": "6964b80444fb9574596a90cc5444f87acad037af", "type": "github" }, "original": { @@ -316,11 +316,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1684899633, - "narHash": "sha256-NtwerXX8UFsoNy6k+DukJMriWtEjQtMU/Urbff2O2Dg=", + "lastModified": 1686396027, + "narHash": "sha256-gE+csxJoXuNn5ZnlgNj0GnMQ2y4heBtDqkB1af8vfjU=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "4cc688ee711159b9bcb5a367be44007934e1a49d", + "rev": "70d5f55faee9c1e141e32e6be1e77d13e5a570db", "type": "github" }, "original": { diff --git a/hardware/hosts/argon.nix b/hardware/hosts/argon.nix index 6e86b41..c84320c 100644 --- a/hardware/hosts/argon.nix +++ b/hardware/hosts/argon.nix @@ -12,6 +12,7 @@ "net.ipv4.tcp_syncookies" = 0; "net.ipv4.tcp_timestamps" = 1; "net.ipv4.tcp_window_scaling" = 1; + "net.core.rmem_max" = 2500000; }; }; diff --git a/home/hosts/Styx.nix b/home/hosts/Styx.nix index 763c643..3cf92f6 100644 --- a/home/hosts/Styx.nix +++ b/home/hosts/Styx.nix @@ -49,6 +49,7 @@ args@{ pkgs, config, lib, ... }: curlHTTP3 dasel deploy-rs + dig exa exiftool fd diff --git a/home/programs/nvim/plugins.nix b/home/programs/nvim/plugins.nix index 806f248..d23fe27 100644 
--- a/home/programs/nvim/plugins.nix +++ b/home/programs/nvim/plugins.nix @@ -19,12 +19,12 @@ in }; plenary-nvim = buildVimPluginFrom2Nix { pname = "plenary.nvim"; - version = "2023-05-31"; + version = "2023-06-10"; src = fetchFromGitHub { owner = "nvim-lua"; repo = "plenary.nvim"; - rev = "499e0743cf5e8075cd32af68baa3946a1c76adf1"; - sha256 = "0r9aw3a53vzq0rdyvq7pi99pqbmnww0dm146pbj2kd33rb34daz6"; + rev = "36aaceb6e93addd20b1b18f94d86aecc552f30c4"; + sha256 = "0r0z27kwpgd8ladjj86h9gmyq2mxcwbiaj3a6mi1bz2dwxqiddxb"; fetchSubmodules = false; }; }; @@ -107,12 +107,12 @@ in }; nvim-treesitter = buildVimPluginFrom2Nix { pname = "nvim-treesitter"; - version = "2023-06-07"; + version = "2023-06-10"; src = fetchFromGitHub { owner = "nvim-treesitter"; repo = "nvim-treesitter"; - rev = "46ddea9deccb0608df416822228786d1a5a2b7d1"; - sha256 = "17rlv3gqh9glskr3ncnvwa6pgk6iansdl6b2fjyrk3zw5kj99gak"; + rev = "f9d701176cb9a3e206a4c690920a8993630c3ec8"; + sha256 = "08zc1irs12clw8fy140j4lk9m4wfjmmmm64dw915gyl0l6r9g0rb"; fetchSubmodules = false; }; }; @@ -140,12 +140,12 @@ in }; telescope-nvim = buildVimPluginFrom2Nix { pname = "telescope.nvim"; - version = "2023-06-07"; + version = "2023-06-10"; src = fetchFromGitHub { owner = "nvim-telescope"; repo = "telescope.nvim"; - rev = "be49680937e821e4d8522329727e50734fdb9b97"; - sha256 = "15bq92f9vvqhzhr6djm8r0vybsm0z030xp5wpf904kir1svpwdgb"; + rev = "116dbea5800c908de4afa6e793f28f782621c65d"; + sha256 = "1scp1pr8innnpk35wz9rq9npkha5j3hacpggrbafy0madvs92x60"; fetchSubmodules = false; }; }; 
@@ -220,23 +220,23 @@ in }; nvim-lspconfig = buildVimPluginFrom2Nix { pname = "nvim-lspconfig"; - version = "2023-06-07"; + version = "2023-06-10"; src = fetchFromGitHub { owner = "neovim"; repo = "nvim-lspconfig"; - rev = "1028360e0f2f724d93e876df3d22f63c1acd6ff9"; - sha256 = "17n18dkhd39vkbqx0hxgg6zf1yq1052rlnxpqj0x5p7s0zxwqhmr"; + rev = "08f1f347c718e945c3b1712ebb68c6834182cf3a"; + sha256 = "0kqxbyb5hg6r4rv79bxjj8dvm3440137xxppp2a5idxi8sisdqad"; fetchSubmodules = false; }; }; nvim-jdtls = buildVimPluginFrom2Nix { pname = "nvim-jdtls"; - version = "2023-06-02"; + version = "2023-06-10"; src = fetchFromGitHub { owner = "mfussenegger"; repo = "nvim-jdtls"; - rev = "8597d57fb40d4ad503cf3acb2fdcfe1b0d8a193d"; - sha256 = "1s7xnl8rsav4237mzh37q4qflhbfb2sq7vasdfgzx4mgad2x6kx5"; + rev = "dbb8a403e90302bd5611da91975d37a0a26e1473"; + sha256 = "11pfy4w67170fc32fhcyjr8lnw1g9yxrvsp9y676rfbp8imh1sf4"; fetchSubmodules = false; }; }; @@ -308,23 +308,23 @@ in }; friendly-snippets = buildVimPluginFrom2Nix { pname = "friendly-snippets"; - version = "2023-06-06"; + version = "2023-06-10"; src = fetchFromGitHub { owner = "rafamadriz"; repo = "friendly-snippets"; - rev = "b471f5419155ce832eff71ad8920ea8cfbd54840"; - sha256 = "14yjacmzryd8mkbi7dkacq0zqc8r52dipdsjyzak45pqacc4wzvs"; + rev = "b71d1ddc30a10ce0474156f7ee93bc9006d0cd74"; + sha256 = "0jxj57996c4ab54p0zd4h5ldkz9yad1jy0ylzikfq8ylvw7z4p31"; fetchSubmodules = false; }; }; nvim-cmp = buildVimPluginFrom2Nix { pname = "nvim-cmp"; - version = "2023-05-30"; + version = "2023-06-10"; src = fetchFromGitHub { owner = "hrsh7th"; repo = "nvim-cmp"; - rev = "fc0f694af1a742ada77e5b1c91ff405c746f4a26"; - sha256 = "1vmsa4vrx7nsrq2kzh8pyjfssfhb9b7xy7qqcyja4g0xp9z9z077"; + rev = "69e7d280cbe17e318b549a10ae3cae5810946be6"; + sha256 = "119cfn70bb5bbfaq9rfc51dms64qfzzkn6aknj4lnd2dx1r56k00"; fetchSubmodules = false; }; }; 
@@ -396,12 +396,12 @@ in }; cmp-cmdline = buildVimPluginFrom2Nix { pname = "cmp-cmdline"; - version = "2023-04-24"; + version = "2023-06-08"; src = fetchFromGitHub { owner = "hrsh7th"; repo = "cmp-cmdline"; - rev = "5af1bb7d722ef8a96658f01d6eb219c4cf746b32"; - sha256 = "02xpxdbjvic4l2s4fmhiy38igvvg0mdpi6hr49kvnibx1dyzhx5k"; + rev = "8ee981b4a91f536f52add291594e89fb6645e451"; + sha256 = "03j79ncxnnpilx17x70my7s8vvc4w81kipraq29g4vp32dggzjsv"; fetchSubmodules = false; }; }; @@ -462,12 +462,12 @@ in }; nvim-treesitter-textobjects = buildVimPluginFrom2Nix { pname = "nvim-treesitter-textobjects"; - version = "2023-06-02"; + version = "2023-06-08"; src = fetchFromGitHub { owner = "nvim-treesitter"; repo = "nvim-treesitter-textobjects"; - rev = "23e883b99228f8d438254e5ef8c897e5e60e75d1"; - sha256 = "1xjwah0g96mjv01lhd7yfml2gd15syhj2axbvid9xk4yn4m6hks8"; + rev = "2d6d3c7e49a24f6ffbbf7898241fefe9784f61bd"; + sha256 = "1mlx0hkx42al578ilwsj4547rqny85x089is189hdic287yw59gp"; fetchSubmodules = false; }; }; @@ -550,12 +550,12 @@ in }; nui-nvim = buildVimPluginFrom2Nix { pname = "nui.nvim"; - version = "2023-06-04"; + version = "2023-06-10"; src = fetchFromGitHub { owner = "MunifTanjim"; repo = "nui.nvim"; - rev = "d5a82aae64426a805e19d8ef5a379292f9dc55d3"; - sha256 = "14mnskwvzsva5pxh909xgrzg1cy7r4459f0g85dkqr8z4c9yajic"; + rev = "64bdc579873fa5bd303f6951ead2b419493c88e8"; + sha256 = "1hffqk9vz6lw6jrixqy9sxj1wv2z7cbj08ykccyfym2zpij40gx6"; fetchSubmodules = false; }; }; @@ -572,12 +572,12 @@ in }; noice-nvim = buildVimPluginFrom2Nix { pname = "noice.nvim"; - version = "2023-06-06"; + version = "2023-06-10"; src = fetchFromGitHub { owner = "folke"; repo = "noice.nvim"; - rev = "acf47e2b863eb20f177aa1bd5398041513e731e1"; - sha256 = "1w4vzkashi7yqkzgb9cdq7nv27ibkw94ih041jf36k9axmlffqbr"; + rev = "a070cb87a180fd7e2c4387accff0be90268fb736"; + sha256 = "0838s3vqp2f6g8q7dwd4ga0m4qr8kj02snbrxd6xz4zzzaz1hlbq"; fetchSubmodules = false; }; }; 
diff --git a/home/programs/ssh/Styx.nix b/home/programs/ssh/Styx.nix index ce64c8f..1b2b907 100644 --- a/home/programs/ssh/Styx.nix +++ b/home/programs/ssh/Styx.nix @@ -26,7 +26,7 @@ in extraConfig = '' IdentityAgent "${auth-socket}" UpdateHostKeys ask - VerifyHostKeyDNS yes + # VerifyHostKeyDNS yes ''; matchBlocks = shared-private.matchBlocks // shared-builder.matchBlocks // shared-work.matchBlocks; diff --git a/secret/hosts/argon.nix b/secret/hosts/argon.nix index 786124e..a58a4c1 100644 Binary files a/secret/hosts/argon.nix and b/secret/hosts/argon.nix differ diff --git a/secret/hosts/attic.nix b/secret/hosts/attic.nix index 65eafbe..2a75e72 100644 Binary files a/secret/hosts/attic.nix and b/secret/hosts/attic.nix differ diff --git a/secret/hosts/mediaserver.nix b/secret/hosts/mediaserver.nix index 05ae022..ec150ea 100644 Binary files a/secret/hosts/mediaserver.nix and b/secret/hosts/mediaserver.nix differ diff --git a/secrets.nix b/secrets.nix index 3f23e28..95c17a8 100644 --- a/secrets.nix +++ b/secrets.nix @@ -81,5 +81,7 @@ in "agenix/hosts/argon/tailscale/authkey.age".publicKeys = argon; + "agenix/hosts/argon/adguardhome-sync/environment.age".publicKeys = argon; + "agenix/hosts/argon/weewx-proxy/environment.age".publicKeys = argon; } diff --git a/system/hosts/argon.nix b/system/hosts/argon.nix index 82c1957..5162b89 100644 --- a/system/hosts/argon.nix +++ b/system/hosts/argon.nix @@ -24,6 +24,9 @@ in ../nixos/tailscale.nix ../nixos/weewx-proxy.nix + + ../nixos/container.nix + ../nixos/adguardhome-sync.nix ]; system.stateVersion = "22.11"; @@ -77,6 +80,17 @@ in useNetworkd = true; }; + environment.etc."resolv.conf".text = lib.mkForce '' + nameserver 127.0.0.1 + nameserver 10.0.0.110 + options edns0 trust-ad + search . + ''; + + services.resolved.extraConfig = '' + DNSStubListener=no + ''; + systemd.network = { enable = true; diff --git a/system/hosts/mediaserver.nix b/system/hosts/mediaserver.nix index 47b2ded..2702c53 100644 
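Review bot: In home/programs/ssh/Styx.nix the option is disabled by turning it into `# VerifyHostKeyDNS yes` inside the `extraConfig` string, so the generated ssh config carries a dead line and nothing records why SSHFP checking was switched off. With the option unset, ssh falls back to its default and host keys are checked against known_hosts only, while `UpdateHostKeys ask` stays as it was. If this is temporary, put the reason in a Nix comment above the string, for example `# SSHFP lookups disabled until <reason>; restore VerifyHostKeyDNS afterwards`, and otherwise delete the line. The enclosing attribute set starts outside the hunk.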
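Review bot: In the second hunk of system/hosts/argon.nix, `options edns0 trust-ad` in the forced `resolv.conf` applies to every listed nameserver, so the AD bit is trusted from `10.0.0.110` as well as from `127.0.0.1`. A reply from the LAN resolver arrives over an unauthenticated path, so any client that relies on AD would accept a forged "validated" answer from that fallback. Either drop `trust-ad`, or keep it and list only the loopback resolver; if the fallback must stay, add a comment such as `# trust-ad: path to 10.0.0.110 is treated as trusted` so the assumption is explicit. `DNSStubListener=no` implies another service answers on 127.0.0.1:53 on this host, which is not visible in this diff.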
--- a/system/hosts/mediaserver.nix +++ b/system/hosts/mediaserver.nix @@ -16,6 +16,8 @@ in ../nixos/acme-mediaserver.nix ../nixos/nginx.nix + (import ../nixos/adguardhome.nix (args // { inherit secret; })) + ../nixos/attic.nix ../nixos/bdfr-browser.nix diff --git a/system/nixos/adguardhome-sync.nix b/system/nixos/adguardhome-sync.nix new file mode 100644 index 0000000..2dc3602 --- /dev/null +++ b/system/nixos/adguardhome-sync.nix @@ -0,0 +1,18 @@ +{ config, ... }: + +{ + virtualisation.oci-containers.containers.adguardhome-sync = { + image = "ghcr.io/bakito/adguardhome-sync"; + cmd = [ "run" ]; + environmentFiles = [ config.age.secrets.adguardhome-sync-environment.path ]; + extraOptions = [ + "--label=com.centurylinklabs.watchtower.enable=true" + "--label=io.containers.autoupdate=registry" + ]; + }; + + networking.firewall.interfaces."podman+" = { + allowedUDPPorts = [ 443 ]; + allowedTCPPorts = [ 443 ]; + }; +} diff --git a/system/nixos/adguardhome.nix b/system/nixos/adguardhome.nix index 18d73db..eb2e0b7 100644 --- a/system/nixos/adguardhome.nix +++ b/system/nixos/adguardhome.nix @@ -18,7 +18,7 @@ debug_pprof = false; dns = { - bind_hosts = [ "127.0.0.1" "10.0.0.5" ]; + bind_hosts = secret.adguardhome.bind_hosts; port = 53; bootstrap_dns = [ @@ -54,7 +54,9 @@ }) (builtins.filter builtins.isString interfaces)); - services.nginx.virtualHosts."agh.internal.kempkens.network" = { + virtualisation.podman.defaultNetwork.settings.dns_enabled = lib.mkForce secret.adguardhome.podmanDNS; + + services.nginx.virtualHosts."${secret.adguardhome.domain_prefix}.internal.kempkens.network" = { serverAliases = [ "dns.internal.kempkens.network" ]; listen = [ diff --git a/system/nixos/home-proxy.nix b/system/nixos/home-proxy.nix index d5e605e..17e85f9 100644 --- a/system/nixos/home-proxy.nix +++ b/system/nixos/home-proxy.nix 
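Review bot: In the new system/nixos/adguardhome-sync.nix, `image = "ghcr.io/bakito/adguardhome-sync";` carries no tag or digest, and the two auto-update labels mean the host runs whatever the registry serves next. The container is given `environmentFiles` from the agenix secret (presumably the AdGuard Home credentials), so a replaced upstream image would run with those values without any change in this repository. Pin the image, for example `image = "ghcr.io/bakito/adguardhome-sync:<TAG>@sha256:<DIGEST>";` (placeholders), and bump it through a commit like the other inputs. The `podman+` firewall rule opens 443 on TCP and UDP for every podman interface; a one-line comment naming the service the container needs to reach on 443 would make the rule reviewable.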
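Review bot: In system/nixos/adguardhome.nix, `bind_hosts = secret.adguardhome.bind_hosts;` moves the DNS listen addresses into the encrypted `secret/hosts/*.nix` files, so a review can no longer see which interfaces port 53 is bound to. A wildcard address there would turn the host into an open resolver without showing up in any diff. Consider a guard in the module such as `assertions = [{ assertion = !(builtins.elem "0.0.0.0" secret.adguardhome.bind_hosts); message = "adguardhome must not bind to all interfaces"; }];`. The second hunk uses `lib.mkForce`, and the module's argument list is outside both hunks, so confirm that `lib` is taken there alongside `secret`.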
@@ -22,8 +22,18 @@ upstreams.dns = { servers = { - "${secret.nginx.upstream.dns.primary.hostname}:${builtins.toString secret.nginx.upstream.dns.primary.upstreamPort}" = { }; + "${secret.nginx.upstream.dns.primary.hostname}:${builtins.toString secret.nginx.upstream.dns.primary.upstreamPort}" = { + fail_timeout = "5s"; + }; + + "${secret.nginx.upstream.dns.secondary.hostname}:${builtins.toString secret.nginx.upstream.dns.secondary.upstreamPort}" = { + backup = true; + }; }; + + extraConfig = '' + keepalive 8; + ''; }; virtualHosts."${secret.nginx.upstream.dns.fqdn}" = {
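Review bot: `keepalive 8;` on the `dns` upstream only has an effect for proxied HTTP when the proxying location also sets `proxy_http_version 1.1;` and `proxy_set_header Connection "";`, and neither is visible in this hunk. Without them nginx closes the upstream connection after each request and the directive is silently inert. If the `virtualHosts` block that continues outside the hunk does not already set them, add both to the location that proxies to this upstream. A short comment on the `backup = true;` server saying that it only receives traffic once the primary is marked failed would also help, since `fail_timeout = "5s"` is set on the primary alone.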