From b438a36f3bd8f345671f73311a2972031c155eff Mon Sep 17 00:00:00 2001 From: Daniel Kempkens Date: Thu, 21 Sep 2023 21:38:44 +0200 Subject: [PATCH] all: switch from tailscale to headscale --- agenix/hosts/argon/tailscale/authkey.age | Bin 413 -> 510 bytes .../hosts/mediaserver/tailscale/authkey.age | 18 ++--- agenix/hosts/tanker/config.nix | 12 +++ agenix/hosts/tanker/headscale/acls.age | Bin 0 -> 1249 bytes agenix/hosts/tanker/headscale/dbPassword.age | 11 +++ agenix/hosts/tanker/tailscale/authkey.age | 17 ++-- container/proxitok/default.nix | 2 +- flake.lock | 73 +++++++++++------- flake.nix | 4 +- home/programs/nvim/plugins.nix | 66 ++++++++-------- secret/hosts/tanker.nix | Bin 991 -> 988 bytes secrets.nix | 3 + system/flakes/tanker.nix | 6 +- system/hosts/Styx.nix | 3 - system/hosts/tanker.nix | 2 + system/nixos/acme-tanker.nix | 4 + system/nixos/adguardhome.nix | 4 +- system/nixos/anonymous-overflow.nix | 2 +- system/nixos/atuin-sync.nix | 2 +- system/nixos/headscale.nix | 65 ++++++++++++++++ system/nixos/invidious.nix | 2 +- system/nixos/jellyfin.nix | 4 +- system/nixos/libreddit.nix | 6 +- system/nixos/mastodon.nix | 2 +- system/nixos/nitter.nix | 2 +- system/nixos/rimgo.nix | 2 +- system/nixos/tailscale.nix | 34 +++----- system/nixos/voyager.nix | 2 +- 28 files changed, 222 insertions(+), 126 deletions(-) create mode 100644 agenix/hosts/tanker/headscale/acls.age create mode 100644 agenix/hosts/tanker/headscale/dbPassword.age create mode 100644 system/nixos/headscale.nix 
diff --git a/agenix/hosts/argon/tailscale/authkey.age b/agenix/hosts/argon/tailscale/authkey.age index c9201fda00b5ea545b439207b0d11bd793ee825c..22c4d1a191e0a2f375cee7069714f1d20144870c 100644 GIT binary patch delta 476 zcmWm7J&%)M007|AyW}Fq!O6iyyIwe?Ae7?ieP!Mg}gqv^YH@xeSH5>2p=2P&EnDz`q}Xodgt=Rj_~Kj zJN{($>0117i{E;>d2;>m%g^f7`Po$~w-Tw!L CaigXH delta 378 zcmeyzJePTbPJOadg|AVSu|=`DYk)}XOL@Arha0nONeiPVX~=l zHkZC%Np5jbSU`HBesNS}uyL`Ev#VENPC{X?V5L`RF_*5LLUD11 zZfc5=si~o*f?-;+PiUY*j;FIrczAe4j=NJuq<(H{dcB`TzJ64mp-ZJnS)gM@RC!2L zNlu!(OMpir>?QO@-qEEUw7A>jC`Yz z%!p#+B!lwYB1^xr?3_$(BQx#DL}OE*#AH{loVkK*Pr8GC2xfQ5*Ti_nol<8$C952) z9Jy_FQtAnbWXH&64OREt6VhgvFSOKE2}BCK=MM_2XSiVIHRWGrvFk}@yV4g^efLI` VII`+qJnG)S{pdjNnNN%X3jv8ag4+N9 diff --git a/agenix/hosts/mediaserver/tailscale/authkey.age b/agenix/hosts/mediaserver/tailscale/authkey.age index 3c365f3..48b2b30 100644 --- a/agenix/hosts/mediaserver/tailscale/authkey.age +++ b/agenix/hosts/mediaserver/tailscale/authkey.age @@ -1,10 +1,10 @@ age-encryption.org/v1 --> ssh-ed25519 MtGp6g WF7NACS4+2IWcLmDTjbiXQsI93ZUDUeofMg6eYwXyRM -xy71RLaW5MwZU69EP4A4x9SSTLsv2vINzdjPZbHUJ+8 --> ssh-ed25519 Y94Yig nCe73IOsZbRmWpGBAg26zTkTP3GC3FnpmS7UujJkTyU -kY6qLgHIH+5bUTKDTqcak2r2l15XNJR2Hm7uCk1OxGM --> F>J-grease @@cdP -NHDpMlW3kAJD9b/YgQkciZs7IILSWIFi0LY5L6j3IaQp1QTU1xQRzGs0QpH2jYCs -6UIr2dIfw/qc9Q8IGeOYJvHXfjtw ---- l+vCsTsawEm3J0DqduySW+9k3YMqa0iSHMoo/7Kk9xo -i(A]b ͓gn: #|=Kc4 RX:#D.~<=sKb>.] "V$C廊(͹ \ No newline at end of file +-> ssh-ed25519 MtGp6g f+HNEy02C/zWGNsrPpPzJiZc2JvRDH6L5vNqd3Hh2Tk +U2BMb3YczFvYe2EXsRpg+L4GRJ8cwYNPXmEqwHZj2Us +-> ssh-ed25519 Y94Yig HXut7W1n8I/PjISX8+wCAddIg3509V3Z4pw0KcBilGo +LW4jo71cZ6oHu0UnnikI0iEM17HlhUHFz02eO/ZAAnU +-> $vz-grease +uKSVRbtXjOS6mUAzvk9xa3JWgWmktEmNHO6NPalag3C8OULWzDWPsGNaTpY/OCV+ +Re5Uq458B62NwvLlLbw +--- /wV5Bm3A43iFaxc6VAq8YJAei/PDFLCAzMz/TpXmRKA +ί ųIXxJ|Ex=n0J{Nնh'0}qfh;y0DJmQ(''Eܹ3 \ No newline at end of file 
diff --git a/agenix/hosts/tanker/config.nix b/agenix/hosts/tanker/config.nix index 60888bf..ac56297 100644 --- a/agenix/hosts/tanker/config.nix +++ b/agenix/hosts/tanker/config.nix @@ -31,6 +31,18 @@ file = ./forgejo-actions/token.age; }; + headscale-database-password = { + file = ./headscale/dbPassword.age; + owner = "headscale"; + group = "headscale"; + }; + + headscale-acls = { + file = ./headscale/acls.age; + owner = "headscale"; + group = "headscale"; + }; + linkding-environment = { file = ./linkding/environment.age; }; diff --git a/agenix/hosts/tanker/headscale/acls.age b/agenix/hosts/tanker/headscale/acls.age new file mode 100644 index 0000000000000000000000000000000000000000..ca8526229c721097e8b643e50cea22f0a317f044 GIT binary patch literal 1249 zcmV<71RncgXJsvAZewzJaCB*JZZ2{?aHfJC* zT3U2sX?QVsZdY%2FLEzOQEGB}VR%YXXHP3DWi?7ec13Apc4shgQAr9fSSw*rR!w3x zR7y&0PGMM0ZaFV*OL$H=W>s!fdNpcjOKxykT2@(XdTR+IdyPhR90#^V+x*kAK;Gp+~w;poD}6kGiNs7Buagf#-RF}D%{9{YGV*D zCl2MAiCS z+?i+S%zb{(Y+3PL5Gnuet`hRv}hL$AjCdt1v zym%-&UY8nx)~elAM_oi1DYd$w<;-Q{M?QNsvINYs3?im7H^ghcX)bYTqIs=eTn$ti3u*&m?4+GW(9~fSLlgmGr5RCv zOk)2+uDMLQK`&42zt!kH4X7s7fg}#Q*xLs?*?FYC#+CMYkKneZRu5O=1~fK@-5b_C zC%{(NP%&lRpl(ZmWDR7>01|&e-3Q}ZT!{yuikfWMj9%h*#R!w}nLCsE=IvK5X>(;%PGMwp^7ir> LcO~rqR2o&Zl36e% literal 0 HcmV?d00001 diff --git a/agenix/hosts/tanker/headscale/dbPassword.age b/agenix/hosts/tanker/headscale/dbPassword.age new file mode 100644 index 0000000..f9cf138 --- /dev/null +++ b/agenix/hosts/tanker/headscale/dbPassword.age 
@@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 MtGp6g Ksx8IgaAlR47n4KH6gqrFa0/LTbJdng+Y4LyaIyUoHM +Us/MXus/dEo5z3q9Un44jGgAPOQmQABhSvEEFbSNZaY +-> ssh-ed25519 iO8/4g bb5CMC4W+/8LqXV4wo5lL/pEPiDv8aTB2JTP4WAU8RI +zUDaW+pIBLWzNpeoRnSVTrs0FzCzGp88xOJQCJ23Abg +-> 9Avzmsce-grease *| wURxw +N/PIH4VmQp68zcOwFozdd/46yiXa7YT3kughflU+PnxACswnu0r56YYEoU40lPqV +kIdUiACfIFkXByDvS4Xt/WlT4X9Ncu0LCEzMZhnT4HQtL8lVMMAWqm6BdDDn4yBs +VuA +--- EN7FwLG8kh/pxDa8gJyFwccM3ew8LqhmJDN7TTVMiSE ++l1cc:cnG=+޴ `'>A0q z*e0DD \ No newline at end of file diff --git a/agenix/hosts/tanker/tailscale/authkey.age b/agenix/hosts/tanker/tailscale/authkey.age index f2042a5..c19e48c 100644 --- a/agenix/hosts/tanker/tailscale/authkey.age +++ b/agenix/hosts/tanker/tailscale/authkey.age @@ -1,10 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 MtGp6g 8/VvalpTjMjXQYaGZiNTJ/UyXXcgaaKXT46+sn2IuC0 -eH+i//7AQiJ9KSD8NUkAd6CL6G6wuPeWBYLaUVUkH1s --> ssh-ed25519 iO8/4g B9Tzo0djfjhV5wDj3i6JZseYJth+zIxkfbbMDuK8y3s -Wgokb9VVhd49riNZZ1JxuCGX1MgwzGr1Yqju475U0YA --> 4S?&lGG-grease ? {z[+;U.< l8P&' !'eh+ -mEhY97w5jF9ubheu6mx4puGrqsUyPxwGLhiwMjr5YLLwR5Hnj9xRY40UHGdng1H1 -ssoX94PaJQN2YwwMSa8WudBhe2hAP7cWpH8tFMH6u/exmGO4UA ---- x1cfStmTuQb1xfYJ5DazYeAhjA1JcHZJF7Z4dhy2V58 -XKet0M(QiB-7 xgGNBXɒ\V=GfMK.$+'؟;ӀdMÇrǯH \ No newline at end of file +-> ssh-ed25519 MtGp6g 4pT/Mw3rQ4Fce6O8VQUg0iiwm5a2uTkBLtGuyhWrtHE +uc2ECQhpzARnywarhHF7yQa6SY7DYg7q6f4GaWxIJsA +-> ssh-ed25519 iO8/4g ZuFmCVHKMjwtchVw/MXr3OEOIuXMmB3OJcVjeXf6kQg +g8JMv21lAtoogNITlpSfa4yfQP0ouqD961OcoYXbWBA +-> 'D~T-grease L<0z6X|I ~0ki Z,Vsm !LvoC'* + +--- k/qNUN24AQe4kouuHkT1wbnUkJnXIPOBH9suI/ZX4ow +ܼjY>=qMu-Bi+=/!KaDjkB0'sa{cŇW )ou \ No newline at end of file diff --git a/container/proxitok/default.nix b/container/proxitok/default.nix index 11347fa..d93a7ed 100644 --- a/container/proxitok/default.nix +++ b/container/proxitok/default.nix 
@@ -52,7 +52,7 @@ networking.firewall.interfaces."podman+".allowedTCPPorts = [ 6381 ]; services.nginx.virtualHosts."tictac.daniel.sx" = { - listenAddresses = [ "100.108.165.26" "[fd7a:115c:a1e0:ab12:4843:cd96:626c:a51a]" ]; + listenAddresses = [ "100.64.10.2" "[fd7a:115c:a1e0:1010::2]" ]; quic = true; http3 = true; diff --git a/flake.lock b/flake.lock index fc1ef89..f05eca5 100644 --- a/flake.lock +++ b/flake.lock @@ -109,11 +109,11 @@ ] }, "locked": { - "lastModified": 1695039393, - "narHash": "sha256-HXvRPTSfQ/fCqxYGvWOc1duSBdXcQlrYvyno8YZbyHI=", + "lastModified": 1695204792, + "narHash": "sha256-8hsi2L8e5EiWZBcbjmKTDWXXLsi4BOC2FEjaZFPdjWo=", "owner": "nix-community", "repo": "disko", - "rev": "9f29cedac79d0acf07b6341f9112f46dec3abb8f", + "rev": "f43f106e91fe4f6591cf80cc5c8179e841c6e922", "type": "github" }, "original": { @@ -300,11 +300,11 @@ ] }, "locked": { - "lastModified": 1695069742, - "narHash": "sha256-wKL5C+TqmqkPeDZ9E6dGEGUln3LJ0EmiVkG8MDLo6vE=", + "lastModified": 1695224363, + "narHash": "sha256-+hfjJLUMck5G92RVFDZA7LWkR3kOxs5zQ7RPW9t3eM8=", "owner": "nix-community", "repo": "home-manager", - "rev": "f092a9220220e390c76605b6c4e2238774050f8b", + "rev": "408ba13188ff9ce309fa2bdd2f81287d79773b00", "type": "github" }, "original": { @@ -323,11 +323,11 @@ }, "locked": { "dir": "contrib", - "lastModified": 1695010592, - "narHash": "sha256-TbYvLxmx2O6d/oVCG+yHpSg1ZJZRsq4PRVZFV0AOhrg=", + "lastModified": 1695293905, + "narHash": "sha256-vwuytAB/nKLQQ1itTN/Bh1bsRjf31fP/MHNbQkn01DQ=", "owner": "neovim", "repo": "neovim", - "rev": "9cadbf1d36b63f53f0de48c8c5ff6c752ff05d70", + "rev": "5e43a4ce4d973677172519a50e4f6f49e6dd4a2b", "type": "github" }, "original": { 
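Review bot: The new tailnet addresses `100.64.10.2` and `[fd7a:115c:a1e0:1010::2]` are written as literals in `listenAddresses` here, and the same pair is repeated in the anonymous-overflow, atuin-sync, invidious, libreddit, nitter, rimgo and voyager hunks and in the `set_real_ip_from` lines of the adguardhome and jellyfin hunks. Headscale hands these addresses out from the `ip_prefixes` range declared in headscale.nix, and whether a node keeps its address across a re-registration depends on headscale settings this commit does not show, so every copy has to be found by hand if they ever change — and the `set_real_ip_from` copies are the ones that decide which peer is trusted to set the client IP. Hoisting the pair into one binding (the `secret` attrset the libreddit and nitter hosts already read, or a small shared module) and referencing it from each vhost would keep the nginx binds and the real-IP trust lines in step; at minimum a comment at this first use such as `# tanker's headscale-assigned node addresses (see ip_prefixes in headscale.nix)` records where they come from. The enclosing `services.nginx.virtualHosts` attrset runs past the hunk.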
@@ -346,11 +346,11 @@ ] }, "locked": { - "lastModified": 1695020316, - "narHash": "sha256-DTVi6jrCNcR1xWzZVru5FecLK3Az0+eTR8IoJRLteUI=", + "lastModified": 1695306705, + "narHash": "sha256-20Li8SnO/ByNkYWmfrx7KDUQftz/2tnRSYGAXACzVMo=", "ref": "refs/heads/master", - "rev": "d5ed014c12239f9b76cf5aeb80002ae9f74b227a", - "revCount": 494, + "rev": "1845949793f5a16d5ab6c7c1bc4c9c7eed229b71", + "revCount": 496, "type": "git", "url": "https://git.kempkens.io/daniel/nix-overlay" }, @@ -366,11 +366,11 @@ ] }, "locked": { - "lastModified": 1694810318, - "narHash": "sha256-LuvrVj2oj9TzdnnwtQUClqcXjpgwCP01FFVBM7azGV8=", + "lastModified": 1695114819, + "narHash": "sha256-/aIfbZxP39QZ8m7qX2RzQTy5PWzz2e22cCcZ+AOO7lA=", "owner": "lnl7", "repo": "nix-darwin", - "rev": "80bb201f4925cdda5a7a3c7b1900fb26bb2af2e8", + "rev": "afeddc412b3a3b0e7c9ef7ea5fbdf2186781d102", "type": "github" }, "original": { @@ -381,11 +381,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1695033975, - "narHash": "sha256-GIUxbgLBhVyaKRxQw/NWYFLx7/jbKW3+U0HoSsMLPAs=", + "lastModified": 1695109627, + "narHash": "sha256-4rpyoVzmunIG6xWA/EonnSSqC69bDBzciFi6SjBze/0=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "161b027169b19d3a0ad6bd0a8948edf0c0fb0f64", + "rev": "cb4dc98f776ddb6af165e6f06b2902efe31ca67a", "type": "github" }, "original": { @@ -397,11 +397,11 @@ }, "nixos-unstable": { "locked": { - "lastModified": 1694767346, - "narHash": "sha256-5uH27SiVFUwsTsqC5rs3kS7pBoNhtoy9QfTP9BmknGk=", + "lastModified": 1695145219, + "narHash": "sha256-Eoe9IHbvmo5wEDeJXKFOpKUwxYJIOxKUesounVccNYk=", "owner": "nixos", "repo": "nixpkgs", - "rev": "ace5093e36ab1e95cb9463863491bee90d5a4183", + "rev": "5ba549eafcf3e33405e5f66decd1a72356632b96", "type": "github" }, "original": { 
@@ -413,11 +413,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1694948089, - "narHash": "sha256-d2B282GmQ9o8klc22/Rbbbj6r99EnELQpOQjWMyv0rU=", + "lastModified": 1695132891, + "narHash": "sha256-cJR9AFHmt816cW/C9necLJyOg/gsnkvEeFAfxgeM1hc=", "owner": "nixos", "repo": "nixpkgs", - "rev": "5148520bfab61f99fd25fb9ff7bfbb50dad3c9db", + "rev": "8b5ab8341e33322e5b66fb46ce23d724050f6606", "type": "github" }, "original": { @@ -463,6 +463,22 @@ "type": "github" } }, + "nixpkgs-master": { + "locked": { + "lastModified": 1695306240, + "narHash": "sha256-MsVESu3+HK9cZZ7755uT26n1REpNRgC3Ry7keQ0dIcU=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "d9c6fcb483ae66621c1dd382cdd939493b8712d0", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "master", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-stable": { "locked": { "lastModified": 1685004253, @@ -533,6 +549,7 @@ "nixos-hardware": "nixos-hardware", "nixos-unstable": "nixos-unstable", "nixpkgs": "nixpkgs", + "nixpkgs-master": "nixpkgs-master", "pre-commit-hooks-nix": "pre-commit-hooks-nix", "treefmt-nix": "treefmt-nix" } @@ -601,11 +618,11 @@ ] }, "locked": { - "lastModified": 1694528738, - "narHash": "sha256-aWMEjib5oTqEzF9f3WXffC1cwICo6v/4dYKjwNktV8k=", + "lastModified": 1695290086, + "narHash": "sha256-ol6licpIAzc9oMsEai/9YZhgSMcrnlnD/3ulMLGNKL0=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "7a49c388d7a6b63bb551b1ddedfa4efab8f400d8", + "rev": "e951529be2e7c669487de78f5aef8597bbae5fca", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 9e0adea..885d472 100644 --- a/flake.nix +++ b/flake.nix @@ -2,7 +2,7 @@ inputs = { nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable"; nixos-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; - # nixpkgs-master.url = "github:nixos/nixpkgs/master"; + nixpkgs-master.url = "github:nixos/nixpkgs/master"; # Tools 
@@ -76,7 +76,7 @@ tanker = import ./system/flakes/tanker.nix { nixpkgs = inputs.nixos-unstable; - inherit (inputs) disko deploy-rs home-manager agenix attic; + inherit (inputs) nixpkgs-master disko deploy-rs home-manager agenix attic; inherit inputs; }; diff --git a/home/programs/nvim/plugins.nix b/home/programs/nvim/plugins.nix index 0361f15..fab9c65 100644 --- a/home/programs/nvim/plugins.nix +++ b/home/programs/nvim/plugins.nix @@ -63,12 +63,12 @@ in }; yanky-nvim = buildVimPluginFrom2Nix { pname = "yanky.nvim"; - version = "2023-09-11"; + version = "2023-09-19"; src = fetchFromGitHub { owner = "gbprod"; repo = "yanky.nvim"; - rev = "4c85d8d6808d9859e72f8bd6c25302199e6a5eac"; - sha256 = "0ph1mc7nlfsx0aaybnvg6wwpx7hv2ks621qkjcrl3hf8dbc173xs"; + rev = "4f5f15829fbad15ed703e7cb072cdf2a488cf5e7"; + sha256 = "0gqzaifbvaj7l9x3l5m2wwn52r2a3giysdbzvmnkyjkj53jn3ya6"; fetchSubmodules = false; }; }; @@ -118,12 +118,12 @@ in }; nvim-treesitter = buildVimPluginFrom2Nix { pname = "nvim-treesitter"; - version = "2023-09-18"; + version = "2023-09-21"; src = fetchFromGitHub { owner = "nvim-treesitter"; repo = "nvim-treesitter"; - rev = "b4f6dd72980607a9821d24502b0ca7ee826376af"; - sha256 = "0x7zzly5syr8ssih0d9y9farji2lxk4mlwimv6sh1w99jacwxj8l"; + rev = "b7f2dd5dfbd24a1239844e15637b637b990df164"; + sha256 = "199hp19b8wp9fxzcb7pakcs4djbsnghbkv5914llc57w6ybhdqdb"; fetchSubmodules = false; }; }; @@ -162,12 +162,12 @@ in }; telescope-nvim = buildVimPluginFrom2Nix { pname = "telescope.nvim"; - version = "2023-09-16"; + version = "2023-09-20"; src = fetchFromGitHub { owner = "nvim-telescope"; repo = "telescope.nvim"; - rev = "b543aaa2c9cf8123ed2fe7dbb6c211a9cd415124"; - sha256 = "0k0jymfkp9n65pb5iak7kf89pl41zr7iwg19ww31j3b814am4pjd"; + rev = "40c8d2fc2b729dd442eda093cf8c9496d6e23732"; + sha256 = "08nxnnglli2j07k70xxfjnd02iysr3zbac26xqjv0b1rdn24w9gx"; fetchSubmodules = false; }; }; 
@@ -242,23 +242,23 @@ in }; nvim-lspconfig = buildVimPluginFrom2Nix { pname = "nvim-lspconfig"; - version = "2023-09-18"; + version = "2023-09-20"; src = fetchFromGitHub { owner = "neovim"; repo = "nvim-lspconfig"; - rev = "f3195835c0447ee2c80152b893ab51ca162b04a9"; - sha256 = "0mm4s73qcswhjmhq8ija9jg0p1k2jk51g4h9ij36sww76330jnkg"; + rev = "4266f9bb36b4fb09edd19b67d95043cf7ff88ddf"; + sha256 = "1fj81152cpcmbbc9vkbv7cr94i0y9hz4gi0bzsar632wrdsni5q0"; fetchSubmodules = false; }; }; nvim-jdtls = buildVimPluginFrom2Nix { pname = "nvim-jdtls"; - version = "2023-09-14"; + version = "2023-09-19"; src = fetchFromGitHub { owner = "mfussenegger"; repo = "nvim-jdtls"; - rev = "697b39e3db0e0d0ce9ee4c2df506a4e0386af6c2"; - sha256 = "0iaccv986r4z1lmfih24dk2ls501bfqw3n7z4h0mwbf7xqm9jml3"; + rev = "3ca419c52a7c20a2565237db2c110ed68fc7e6f1"; + sha256 = "1jy5yklfc3fvajy5mqwfi4h6p5bxb71ar1hnck8k8hciggrijhrq"; fetchSubmodules = false; }; }; @@ -286,23 +286,23 @@ in }; vim-illuminate = buildVimPluginFrom2Nix { pname = "vim-illuminate"; - version = "2023-09-12"; + version = "2023-09-20"; src = fetchFromGitHub { owner = "RRethy"; repo = "vim-illuminate"; - rev = "8c910b2f84ae6acd9b4b17330bb94dd783c0c11a"; - sha256 = "0v6w5lm8f39yg9s3lfh15a2sbw8sr6pfiz6p83fmigrxncvb49cp"; + rev = "6acf7d4a18255a3ddc43770866c8e148fe85af7b"; + sha256 = "1vgr5cjvkv7jxiwap7fzlhmpmhs8xmlswbzvi747zsbsgwvrk5yf"; fetchSubmodules = false; }; }; nvim-lint = buildVimPluginFrom2Nix { pname = "nvim-lint"; - version = "2023-09-17"; + version = "2023-09-21"; src = fetchFromGitHub { owner = "mfussenegger"; repo = "nvim-lint"; - rev = "3c936d9d28aa5c5d4c90780e1c3430171bdcb3c2"; - sha256 = "12db99jb2wwbf6j8y1d7q5dgrnr5x11j5x83f72sbl800axlkdvf"; + rev = "75a837ce983c0fb94c1abd81a11371dc62c404a8"; + sha256 = "1wq18qamr5a3khyx52jgaz597cbizpc007cv45cffn11q0sy15s4"; fetchSubmodules = false; }; }; 
@@ -319,12 +319,12 @@ in }; LuaSnip = buildVimPluginFrom2Nix { pname = "LuaSnip"; - version = "2023-09-17"; + version = "2023-09-21"; src = fetchFromGitHub { owner = "L3MON4D3"; repo = "LuaSnip"; - rev = "3657c3f3cb2214a681fc7e95b6ffb509d076ebfb"; - sha256 = "1w7jzcwkyikl4v5irb5yc0v5vs0k758mdwvgnscc9zzwsg6vs642"; + rev = "c5fb16a934892086d4ba01bac48b77c65435025e"; + sha256 = "08gqbwpsqnlvrn11g51h44npfhh1gbxkw55sl7qpa5q3bvh8q5q1"; fetchSubmodules = false; }; }; @@ -462,12 +462,12 @@ in }; nvim-autopairs = buildVimPluginFrom2Nix { pname = "nvim-autopairs"; - version = "2023-09-08"; + version = "2023-09-19"; src = fetchFromGitHub { owner = "windwp"; repo = "nvim-autopairs"; - rev = "defad64afbf19381fe31488a7582bbac421d6e38"; - sha256 = "05ihrriym44g01rryaah2h2xnl183dpwcsf8q8rxzr29z0jpxxip"; + rev = "7b3eb9b5813a22188c4dbb248475fcbaf9f4d195"; + sha256 = "1ml9r1n4yc4xzalphm33m66m46q8g0c54krd29rabi67ymcc7vr3"; fetchSubmodules = false; }; }; @@ -539,12 +539,12 @@ in }; virt-column-nvim = buildVimPluginFrom2Nix { pname = "virt-column.nvim"; - version = "2023-07-24"; + version = "2023-09-19"; src = fetchFromGitHub { owner = "lukas-reineke"; repo = "virt-column.nvim"; - rev = "1917bfb519729dea7b4f5d13aa9c810c9579b0ea"; - sha256 = "08brm8by7fzwqzgzcgcrzk7vq1dmknh5r4wxisc725rwkxjzmfkl"; + rev = "5fc72873dc3175eddbdbbedea8071919c99ad755"; + sha256 = "071cpga3fapqqpifd04hc5fwsq5v27p32vhli5zy8b8awg1qw9sm"; fetchSubmodules = false; }; }; @@ -561,12 +561,12 @@ in }; urlview-nvim = buildVimPluginFrom2Nix { pname = "urlview.nvim"; - version = "2023-05-23"; + version = "2023-09-19"; src = fetchFromGitHub { owner = "axieax"; repo = "urlview.nvim"; - rev = "b183133fd25caa6dd98b415e0f62e51e061cd522"; - sha256 = "0ychlw7lnnpmjflb5f5xyspv63kyrdzbxx88aw9ifaqiiyz3i4aq"; + rev = "bdbdf1e020e283551f003e71b0004096c746ef57"; + sha256 = "1bf226s400vyjffr6zqx9kr52qznzcgx1jnh356vfx3fjxsq81nl"; fetchSubmodules = false; }; }; 
diff --git a/secret/hosts/tanker.nix b/secret/hosts/tanker.nix index 95f46f9451c16a9803903b405c4fdaf512aff7c8..02de2bb8ae2040e15c76de7bbd6fcd5fe3a329bf 100644 GIT binary patch literal 988 zcmV<210(zZM@dveQdv+`04bD&90)frBNz%eT2_~W*X?XChOYU>xw|=5=qYe=;1t1I zrf}aq_?2R0HC1&!=p2RmEpsipxQ+DyAvZ>EVH*u(2mRaM@mnOW)WaUgjEx3$LbvovJxPfSmo5r7)?ZlN zPdIYE`{2mK(4~ugW>JN*aE=otks)QZInxG@!ONGsehtMXrQ8m$Z0YlHCYJoXtyz~f zZz~9Li2{qOV=jY`!y{ASQ(iGf=KPngT#xVJ#JTDU*k>l@ebqPGV0cI_b!Rm!6S?{; zsdg0wIskCO&~=I-tAa#&J~h?RuV`eaHp2Z)#+^8U|6SQT3R*>;`nvl3J&A)YKbyG7 zy9i~=7gzusw^qq?;#j(BfoUDSJEXSW$ZSY^m&`+IRBd^!c(W&)(55ynz>sV!vFu@n z13CH#yEab&ofE%auM<=1URR??f2uMmrspYdE-$k7_oy^i6#8=DQ}(M5B0mJ zueH->VIY?!qrCi}+5`UnJpq(?r%$-Ij9E?rN=BKi8iIF9o|>e-sWEeY^vU7QYwrE3 zu(s6^re?*Yf(7s=V*hzV#b&OcYF3Udd{Xodlq@)Qd=V|k?v63A#~0d$YqWn)=3*g1IfRk}(v#Fe`bh7pE~T`~ zJBN_NKKa*49dO*1={Fyg$PAJ*;IlcM+X`4p7j%+}^)3<9yDVnSyC4oov|7qR2!v*K zyB8fGU1NRmVN+EvM-)8$^(4CVv7-N^fl!NaN4rr2K|}I)h6u54ui%L zcr?x3jNNl3jqy}$lZ=Qg_qQ*)Y6KfiG!;zeen04R7IedogDi3LSayhPD9}V1d0i^S z3pZpL%As8^&|xK&4x%e?v$T&`D$(wnbl}YvGueMLzN$j&CirSyLwchf7&;(uNKSkp zRRlK$oSe23z2PUO9BWNM-uhGcMH^g7_ZdVK%R)ttB=Q&9SMDtbCV^?*>5*{#2E#6x z@qU5$5S@M6d#~UqV#%R)rx?7oCrxclU{Y1ZF@3BIekn2h5*YTpQP$Wbq3eLxLU*`( zr4XB@*<~T!T9Fey{BNz$q54jkD3E61=Z*x#CgGKZ=f2lD92vVI&a6?QG!4UWBd!tq zpMm6a2Kc^jZ!QNt=W(PLrCn(iM*b#Za+ag*h%gFN64@xT=VHAZ_wER?4({>6uoHH} zc4QE_i5|k|QVnh)FE)OP-#*7k7>I$!@@2e_mIVQrYj>`_yOZhJ*GXpM zIY$Zz)c3U<1g5f1Ls7%lDaX2+K%X@y`Zeb=Gy}H*dMGIZ%53eTYhrz%#zua=e4hz) zgBQw)=&}%Ud(6ulN^%c{yCD|koiQA)b}x=%JeYrY zyAwzmw~GJi9kj^`o4zt?tYXIMsb0m9YrW`PBE+LtSeJs1CoUJ?yO zGrnKNVxSoEH!jEhqpHQ!ZVZ}a&)!S2<>bnhF+}nO%)n)aOKx-pX6+io;^aUN!|dV8 zdP_O1uxZNts$@?w5{~+uR_>ee1lDwIu)^eS$pv(Z3Nkr<9cC3|mLACgXtES#8$jje NMNHmsv3J}1quJ=w;*|gZ diff --git a/secrets.nix b/secrets.nix index 032b02e..0c229d9 100644 --- a/secrets.nix +++ b/secrets.nix 
@@ -27,6 +27,9 @@ in "agenix/hosts/tanker/forgejo-actions/token.age".publicKeys = tanker; + "agenix/hosts/tanker/headscale/dbPassword.age".publicKeys = tanker; + "agenix/hosts/tanker/headscale/acls.age".publicKeys = tanker; + "agenix/hosts/tanker/mastodon/databasePassword.age".publicKeys = tanker; "agenix/hosts/tanker/mastodon/smtpPassword.age".publicKeys = tanker; "agenix/hosts/tanker/mastodon/otpSecret.age".publicKeys = tanker; diff --git a/system/flakes/tanker.nix b/system/flakes/tanker.nix index 9014f4e..5d0ffa6 100644 --- a/system/flakes/tanker.nix +++ b/system/flakes/tanker.nix @@ -1,15 +1,15 @@ -{ nixpkgs, disko, deploy-rs, home-manager, agenix, attic, inputs, ... }: +{ nixpkgs, nixpkgs-master, disko, deploy-rs, home-manager, agenix, attic, inputs, ... }: let default-system = "x86_64-linux"; - # overlay-master = _: _: { pkgs-master = import inputs.nixpkgs-master { system = default-system; }; }; + overlay-master = _: _: { pkgs-master = import inputs.nixpkgs-master { system = default-system; }; }; overlay-deploy-rs = _: _: { inherit (inputs.deploy-rs.packages.${default-system}) deploy-rs; }; overlay-nifoc = inputs.nifoc-overlay.overlay; nixpkgsConfig = { overlays = [ - # overlay-master + overlay-master overlay-deploy-rs overlay-nifoc ]; diff --git a/system/hosts/Styx.nix b/system/hosts/Styx.nix index 0d624d3..fb6c255 100644 --- a/system/hosts/Styx.nix +++ b/system/hosts/Styx.nix @@ -7,9 +7,6 @@ ../darwin/fish.nix ../darwin/attic.nix - - ../darwin/skhd.nix - ../darwin/yabai.nix ]; nix = { diff --git a/system/hosts/tanker.nix b/system/hosts/tanker.nix index b9079bd..8e4365d 100644 --- a/system/hosts/tanker.nix +++ b/system/hosts/tanker.nix @@ -35,6 +35,8 @@ in ../nixos/forgejo.nix (import ../nixos/forgejo-runner.nix (args // { name = "tanker"; tag = "ubuntu-latest-amd64"; })) + ../nixos/headscale.nix + (import ../nixos/home-proxy.nix (args // { inherit secret; })) ../nixos/invidious.nix 
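Review bot: In the system/flakes/tanker.nix hunk, `overlay-master` imports `inputs.nixpkgs-master` with only `system = default-system;`, so nothing from `nixpkgsConfig` (its `overlays`, and any `config` it sets outside the hunk) applies to the `pkgs-master` set; `pkgs-master.mastodon`, which mastodon.nix now selects, is therefore evaluated with nixpkgs defaults rather than the host's settings. If that is intended, a comment on the overlay line such as `# pkgs-master is a plain nixpkgs import: host overlays/config do not apply` would save the next reader a surprise; otherwise pass the same `config` attribute into the import. The surrounding `let` block and the `nixpkgsConfig` attrset continue past the hunk.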
diff --git a/system/nixos/acme-tanker.nix b/system/nixos/acme-tanker.nix index 6de2764..dc987ed 100644 --- a/system/nixos/acme-tanker.nix +++ b/system/nixos/acme-tanker.nix @@ -27,6 +27,10 @@ "nifoc.pw" = { domain = "*.nifoc.pw"; }; + + "headscale.kempkens.network" = { + domain = "*.headscale.kempkens.network"; + }; }; }; } diff --git a/system/nixos/adguardhome.nix b/system/nixos/adguardhome.nix index afbfb9e..c144f0e 100644 --- a/system/nixos/adguardhome.nix +++ b/system/nixos/adguardhome.nix @@ -105,8 +105,8 @@ useACMEHost = "internal.kempkens.network"; extraConfig = '' - set_real_ip_from 100.108.165.26/32; - set_real_ip_from fd7a:115c:a1e0:ab12:4843:cd96:626c:a51a/128; + set_real_ip_from 100.64.10.2/32; + set_real_ip_from fd7a:115c:a1e0:1010::2/128; real_ip_header X-Forwarded-For; ''; diff --git a/system/nixos/anonymous-overflow.nix b/system/nixos/anonymous-overflow.nix index 6b08ce4..b364512 100644 --- a/system/nixos/anonymous-overflow.nix +++ b/system/nixos/anonymous-overflow.nix @@ -39,7 +39,7 @@ in }; services.nginx.virtualHosts."overflow.daniel.sx" = { - listenAddresses = [ "100.108.165.26" "[fd7a:115c:a1e0:ab12:4843:cd96:626c:a51a]" ]; + listenAddresses = [ "100.64.10.2" "[fd7a:115c:a1e0:1010::2]" ]; quic = true; http3 = true; diff --git a/system/nixos/atuin-sync.nix b/system/nixos/atuin-sync.nix index 1793305..adb53f8 100644 --- a/system/nixos/atuin-sync.nix +++ b/system/nixos/atuin-sync.nix @@ -9,7 +9,7 @@ }; services.nginx.virtualHosts."atuin-sync.kempkens.io" = { - listenAddresses = [ "100.108.165.26" "[fd7a:115c:a1e0:ab12:4843:cd96:626c:a51a]" ]; + listenAddresses = [ "100.64.10.2" "[fd7a:115c:a1e0:1010::2]" ]; quic = true; http3 = true; diff --git a/system/nixos/headscale.nix b/system/nixos/headscale.nix new file mode 100644 index 0000000..bdbd66f --- /dev/null +++ b/system/nixos/headscale.nix 
@@ -0,0 +1,65 @@
+{ pkgs, config, ... }:
+let
+ fqdn = "ctrl.headscale.kempkens.network";
+in
+{
+ environment.systemPackages = [ pkgs.headscale ];
+
+ services.headscale = {
+ enable = true;
+
+ address = "127.0.0.1";
+ port = 8017;
+
+ settings = {
+ ip_prefixes = [
+ "fd7a:115c:a1e0:1010::/64"
+ "100.64.10.0/24"
+ ];
+
+ db_type = "postgres";
+ db_host = "/run/postgresql";
+ db_name = "headscale";
+ db_user = "headscale";
+ db_password_file = config.age.secrets.headscale-database-password.path;
+
+ server_url = "https://${fqdn}";
+ acl_policy_path = config.age.secrets.headscale-acls.path;
+ };
+ };
+
+ services.postgresql = {
+ ensureDatabases = [ "headscale" ];
+
+ ensureUsers = [
+ {
+ name = "headscale";
+ ensurePermissions = {
+ "DATABASE headscale" = "ALL PRIVILEGES";
+ };
+ }
+ ];
+ };
+
+ services.nginx.virtualHosts."${fqdn}" = {
+ quic = true;
+ http3 = true;
+
+ onlySSL = true;
+ useACMEHost = "headscale.kempkens.network";
+
+ extraConfig = ''
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+ '';
+
+ locations."/" = {
+ recommendedProxySettings = true;
+ proxyPass = "http://127.0.0.1:8017";
+ proxyWebsockets = true;
+ };
+
+ locations."/web" = {
+ root = "${pkgs.headscale-ui}/share";
+ };
+ };
+}
diff --git a/system/nixos/invidious.nix b/system/nixos/invidious.nix
index 5230766..c99ed2c 100644
--- a/system/nixos/invidious.nix
+++ b/system/nixos/invidious.nix
@@ -43,7 +43,7 @@ in
 };
 services.nginx.virtualHosts."${fqdn}" = {
- listenAddresses = [ "100.108.165.26" "[fd7a:115c:a1e0:ab12:4843:cd96:626c:a51a]" ];
+ listenAddresses = [ "100.64.10.2" "[fd7a:115c:a1e0:1010::2]" ];
 quic = true;
 http3 = true;
diff --git a/system/nixos/jellyfin.nix b/system/nixos/jellyfin.nix
index a159e67..4516643 100644
--- a/system/nixos/jellyfin.nix
+++ b/system/nixos/jellyfin.nix
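Review bot: `locations."/web"` serves headscale-ui on the public control vhost with no access restriction, while every other vhost in this commit is bound to the tailnet addresses via `listenAddresses`. The UI is a static page that drives the headscale API with an operator-supplied API key, so the page itself grants nothing, but exposing it (and the API routes behind `locations."/"`) to everyone enlarges the surface on the one host that must be public; an `allow`/`deny` block in that location's `extraConfig`, or moving `/web` to a vhost bound to the tailnet addresses like the other services, would keep it reachable only from inside. Separately, `proxyPass` repeats the listen address and port as a literal; `proxyPass = "http://${config.services.headscale.address}:${toString config.services.headscale.port}";` keeps the two in step if `port = 8017` is ever changed. A header comment stating that the control server has to be reachable from the internet for nodes to register (presumably why this vhost, unlike the others, has no `listenAddresses`) would document the exception.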
@@ -78,8 +78,8 @@ useACMEHost = "internal.kempkens.network"; extraConfig = '' - set_real_ip_from 100.108.165.26/32; - set_real_ip_from fd7a:115c:a1e0:ab12:4843:cd96:626c:a51a/128; + set_real_ip_from 100.64.10.2/32; + set_real_ip_from fd7a:115c:a1e0:1010::2/128; real_ip_header proxy_protocol; ''; diff --git a/system/nixos/libreddit.nix b/system/nixos/libreddit.nix index 16fb0b9..bf2b078 100644 --- a/system/nixos/libreddit.nix +++ b/system/nixos/libreddit.nix @@ -11,7 +11,7 @@ services.nginx.virtualHosts."${secret.nginx.hostnames.libreddit}" = { # listen = [ # { - # addr = "100.108.165.26"; + # addr = "100.64.10.2"; # port = 443; # ssl = true; # extraParameters = [ @@ -22,7 +22,7 @@ # } # # { - # addr = "[fd7a:115c:a1e0:ab12:4843:cd96:626c:a51a]"; + # addr = "[fd7a:115c:a1e0:1010::2]"; # port = 443; # ssl = true; # extraParameters = [ @@ -32,7 +32,7 @@ # } # ]; - listenAddresses = [ "100.108.165.26" "[fd7a:115c:a1e0:ab12:4843:cd96:626c:a51a]" ]; + listenAddresses = [ "100.64.10.2" "[fd7a:115c:a1e0:1010::2]" ]; quic = true; http3 = true; diff --git a/system/nixos/mastodon.nix b/system/nixos/mastodon.nix index e65f47c..61efe0a 100644 --- a/system/nixos/mastodon.nix +++ b/system/nixos/mastodon.nix @@ -7,7 +7,7 @@ in services.mastodon = { enable = true; - # package = pkgs.pkgs-master.mastodon; + package = pkgs.pkgs-master.mastodon; configureNginx = false; diff --git a/system/nixos/nitter.nix b/system/nixos/nitter.nix index ebf69c6..a18884f 100644 --- a/system/nixos/nitter.nix +++ b/system/nixos/nitter.nix @@ -62,7 +62,7 @@ in }; services.nginx.virtualHosts."${secret.nginx.hostnames.nitter}" = { - listenAddresses = [ "100.108.165.26" "[fd7a:115c:a1e0:ab12:4843:cd96:626c:a51a]" ]; + listenAddresses = [ "100.64.10.2" "[fd7a:115c:a1e0:1010::2]" ]; quic = true; http3 = true; diff --git a/system/nixos/rimgo.nix b/system/nixos/rimgo.nix index 2568893..6093a0f 100644 --- a/system/nixos/rimgo.nix +++ b/system/nixos/rimgo.nix 
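Review bot: In the mastodon.nix hunk, `package = pkgs.pkgs-master.mastodon;` pins Mastodon to whatever nixpkgs `master` held at lock time, a branch that does not go through the channel CI gating the rest of the system, and the hunk gives no reason for it. A comment such as `# from nixpkgs master until the release we need reaches nixos-unstable — revert once it does` (naming the version, if known) would record why and when to drop it; the same applies to the `nixpkgs-master` and `overlay-master` lines in flake.nix and system/flakes/tanker.nix that exist only to support this. The `services.mastodon` attrset continues past the hunk.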
@@ -41,7 +41,7 @@ in }; services.nginx.virtualHosts."ringo.daniel.sx" = { - listenAddresses = [ "100.108.165.26" "[fd7a:115c:a1e0:ab12:4843:cd96:626c:a51a]" ]; + listenAddresses = [ "100.64.10.2" "[fd7a:115c:a1e0:1010::2]" ]; quic = true; http3 = true; diff --git a/system/nixos/tailscale.nix b/system/nixos/tailscale.nix index a698d59..78b9266 100644 --- a/system/nixos/tailscale.nix +++ b/system/nixos/tailscale.nix @@ -1,32 +1,18 @@ { pkgs, config, ... }: +let + headscale = "https://ctrl.headscale.kempkens.network"; +in { environment.systemPackages = [ pkgs.tailscale ]; - services.tailscale.enable = true; + services.tailscale = { + enable = true; + authKeyFile = config.age.secrets.tailscale-authkey.path; - systemd.services.tailscale-autoconnect = { - description = "Automatic connection to Tailscale"; - - after = [ "network-pre.target" "tailscale.service" ]; - wants = [ "network-pre.target" "tailscale.service" ]; - wantedBy = [ "multi-user.target" ]; - - serviceConfig.Type = "oneshot"; - - script = '' - # wait for tailscaled to settle - sleep 2 - - # check if we are already authenticated to tailscale - status="$(${pkgs.tailscale}/bin/tailscale status -json | ${pkgs.jq}/bin/jq -r .BackendState)" - if [ $status = "Running" ]; then # if so, then do nothing - exit 0 - fi - - # otherwise authenticate with tailscale - authkey="$(cat ${config.age.secrets.tailscale-authkey.path})" - ${pkgs.tailscale}/bin/tailscale up -authkey "$authkey" - ''; + extraUpFlags = [ + "--login-server" + headscale + ]; }; } diff --git a/system/nixos/voyager.nix b/system/nixos/voyager.nix index f2ddc25..8544f54 100644 --- a/system/nixos/voyager.nix +++ b/system/nixos/voyager.nix @@ -9,7 +9,7 @@ }; services.nginx.virtualHosts."voyager.daniel.sx" = { - listenAddresses = [ "100.108.165.26" "[fd7a:115c:a1e0:ab12:4843:cd96:626c:a51a]" ]; + listenAddresses = [ "100.64.10.2" "[fd7a:115c:a1e0:1010::2]" ]; quic = true; http3 = true;
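Review bot: In the tailscale.nix hunk, `headscale = "https://ctrl.headscale.kempkens.network"` duplicates the `fqdn` that headscale.nix declares as `server_url`, with nothing tying the two literals together. This module is shared by hosts that do not import headscale.nix (the argon and mediaserver authkeys are rotated in the same commit), so it cannot read `config.services.headscale` directly; a comment on the binding such as `# must match fqdn / server_url in system/nixos/headscale.nix` or hoisting the URL into a shared constant both modules import would keep them in step. The removed script explicitly skipped `tailscale up` when the backend was already `Running`; if the NixOS module's autoconnect behind `authKeyFile` does the same, a host already enrolled with the old control server may never act on `--login-server`, so it is worth confirming on one such host that the switch actually re-points it rather than silently no-op'ing.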