parent
2dc89616a8
commit
eb0042cd81
4 changed files with 89 additions and 7 deletions
|
@ -8,6 +8,7 @@
|
|||
./desktop.nix
|
||||
./services/tpm2.nix
|
||||
./services/hydra.nix
|
||||
./server.nix
|
||||
];
|
||||
hardware.cpu.amd.updateMicrocode = true;
|
||||
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "sr_mod" "k10temp" ];
|
||||
|
|
|
@ -1,4 +1,11 @@
|
|||
{ ... }: {
|
||||
{ lib, config, ... }:
|
||||
let
|
||||
listenIPs = (import ../../utils/getInternalIP.nix config).listenIPs;
|
||||
listenStatements = lib.concatStringsSep "\n" (builtins.map (ip: "listen ${ip}:443 http3;") listenIPs) + ''
|
||||
add_header Alt-Svc 'h3=":443"';
|
||||
'';
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
./postgres.nix
|
||||
../../modules/hydra.nix
|
||||
|
@ -6,7 +13,7 @@
|
|||
];
|
||||
services.hydra = {
|
||||
enable = true;
|
||||
hydraURL = "http://localhost:3000";
|
||||
hydraURL = "https://hydra.int.chir.rs/";
|
||||
notificationSender = "hydra@chir.rs";
|
||||
useSubstitutes = true;
|
||||
extraConfig = ''
|
||||
|
@ -28,4 +35,14 @@
|
|||
];
|
||||
nix.settings.allowed-uris = [ "https://github.com/" "https://git.chir.rs/" "https://minio.int.chir.rs/" ];
|
||||
sops.secrets."services/hydra/gitea_token" = { };
|
||||
services.nginx.virtualHosts."hydra.int.chir.rs" = {
|
||||
listenAddresses = listenIPs;
|
||||
sslCertificate = "/var/lib/acme/int.chir.rs/cert.pem";
|
||||
sslCertificateKey = "/var/lib/acme/int.chir.rs/key.pem";
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:3000";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
extraConfig = listenStatements;
|
||||
};
|
||||
}
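Review bot: The `hydra.int.chir.rs` vhost added at the end of the hunk sets `sslCertificate`/`sslCertificateKey` but no `forceSSL`/`onlySSL`/`addSSL`, so unless one of those is set outside the hunk the NixOS nginx module will emit a plain port-80 `listen` on every address in `listenIPs` and, as far as I recall that module, will not emit `ssl_certificate` at all — leaving the hand-written `listen ${ip}:443 http3;` without a certificate while `hydraURL` now advertises https. I would add `forceSSL = true;` next to `listenAddresses` so the TLS listener and the http→https redirect are generated by the module and the QUIC listener in `extraConfig` only adds HTTP/3 on top. Note also that the `http3` listen parameter is the nginx-quic spelling; nginx mainline from 1.25 expects `listen ... quic reuseport;` plus `http3 on;`, so whether this config even passes `nginx -t` depends on which nginx package the host builds. Since Hydra behind the proxy only sees `http://127.0.0.1:3000`, it needs `X-Forwarded-Proto`/`Host` from nginx (`recommendedProxySettings = true;` or explicit `proxy_set_header` lines) to generate links consistent with the https `hydraURL` — worth confirming against the imported `../../modules/hydra.nix`, which is outside this hunk.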
|
||||
|
|
|
@ -7,6 +7,9 @@ services:
|
|||
security:
|
||||
restic:
|
||||
password: ENC[AES256_GCM,data:HLaaeITkzp+7LkD0EggKHpVJmzI=,iv:YsgJ8RiuVlZ0etnjD+un1H8qDI00jyctM5aBW6b/mow=,tag:H6+iOvbYRKtTrmuh7zmTWw==,type:str]
|
||||
acme:
|
||||
dns: ENC[AES256_GCM,data:08qtPbnPmc8BYg8UoXCbNGRwLEc3uRq4kDgCaX2DgEaYpMInwAY/KQiQBpNfyeKhIU+5IlWp1nD5Nil27Ell7Gz8Gn7YjJoIU9QR55aLvH7kHA6H5ojfAk2bBzqr/BU6byti7jWvSsSz66GPzJU9YK+RfR6fxPTgB46wKmFBxJKG1Nvep4TXkeweTYkTLWvcLw1qE4E5UNtv36KbWsRXil0ZrLwQKdiAiLJltdRRRGASNXgBVKqBWUUM5+I0tTznfFvlOZh7a5m5sEyJYyD/OTpr4uRPzVHl4g==,iv:FjC4mjo+aK5gbPDWEWBkil6lnFHPCsn+5RnjqAF8NBU=,tag:/WdAnX8pP1HwwNyTN622qA==,type:str]
|
||||
cloudflare: ENC[AES256_GCM,data:4msfkxlL3QDvdroYQJdZv5BHukp/TRM7EFBszOdVkVA0T1V6gqQCibdIM794nSTAABKPODjYcKg71p2a9Q3aBg2n4JbN8ez1jPhlGEuWUN0aapIJ+F8yN9Dt4E1sb26c6BSAArYmd/WKBaEVF4OxMzYEbCcnjJJZ9zHoi02/EMyDjUosy4XyHxEqOa6ikKuJJF0ewUhL9zHWZ84xHE5JU4vKhegWWMQIH7k1W1tUAuNXb8uJHhWuQ6Q=,iv:2ksR8uPpHOMTagd1b/vuWAgstN0Badrta3cJFk60gTQ=,tag:uD7IA2hBKIX1wR6O2DL02g==,type:str]
|
||||
email:
|
||||
lotte@chir.rs: ENC[AES256_GCM,data:7XsLQMZex88Pdh25FI3GwUmjHA==,iv:e/YhtFBnLZBVfngnR3n2WS1c1FNlSN8grLzEpcRFW38=,tag:TQNx+tgtMyUcJZ3/bQOXtw==,type:str]
|
||||
mdelenk@hs-mittweida.de: ENC[AES256_GCM,data:6+yoCDtAqlXX4fZLR73TyNKqXz6kKTwqK1JnKwTnoRJvjXjpCJ3zC8bHgIXfQFNPxaWQN85N21qSGp9ahbljKw==,iv:XtysXD6fL4XNVC7JNhH8eU3J8/x4uL8pSBQV5jQN4yE=,tag:VKZeLMnFNst69OWS97fjYg==,type:str]
|
||||
|
@ -25,8 +28,8 @@ sops:
|
|||
VW5LZnh5QnNwTHdVTEM4L0FRS2cwNUkKKCs+yd3J6hSRCjv9OwefPhSLS48vPAla
|
||||
DbzaS7ec6uAgW1tvw/AucDv+w38EqpBHPD/FxwbxJPadRw5JtxCx8w==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2022-03-06T15:15:16Z"
|
||||
mac: ENC[AES256_GCM,data:dKStSnugA6RbXnv5tGvSOA+8LdjEIgv2GGhOc9L+bWgtV2xOZ0hsr4m5VA7ArMTbw1Ns1YiaJyUtxJSrufwlL5TmPYEw6U2JxSyy1d/NPbev5/Y4k3wqqVy6w++6j3iwp19wnvKKxhYk+w5YYimageNzpGa5QEWDG7TwrnI9jVQ=,iv:kjuiTvbWuoAltcRO/9sfW7htZW7f92ciOImXzsA9CK0=,tag:zBAGiaUXwm/ZIjec/7vItw==,type:str]
|
||||
lastmodified: "2022-03-12T09:45:06Z"
|
||||
mac: ENC[AES256_GCM,data:fg94tQFQTvJVldXUDTrO3e4uzUfrVA7mKHYUZp90CiJKrvDUWsuEh47pRH4g4I2M+ZW/SMTrFjGCX3uLx8TixxbZxmtINx0VT+brh30FUPs7bI66QFpkPTXv5/tI9iwesbexW/Ez1jcm2/sjKL6gLp9kM2cdFYWHO3ZoyPvopbQ=,iv:8sV+nKOfVGFinBQNlorDlfctcALom5RNdKcUcNsEYE8=,tag:LfDZVN+PGW20Hc9OyOxlaA==,type:str]
|
||||
pgp:
|
||||
- created_at: "2022-02-02T17:49:32Z"
|
||||
enc: |
|
||||
|
|
|
@ -8,7 +8,7 @@ in
|
|||
SOA = {
|
||||
nameServer = "ns2.darkkirb.de.";
|
||||
adminEmail = "lotte@chir.rs";
|
||||
serial = 1;
|
||||
serial = 2;
|
||||
};
|
||||
NS = [
|
||||
"ns2.darkkirb.de."
|
||||
|
@ -100,8 +100,68 @@ in
|
|||
svcPriority = 1;
|
||||
targetName = ".";
|
||||
alpn = [ "http/1.1" "h2" "h3" ];
|
||||
ipv4hint = [ "138.201.155.128" ];
|
||||
ipv6hint = [ "2a01:4f8:1c17:d953:b4e1:8ff:e658:6f49" ];
|
||||
ipv6hint = [ "fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49" ];
|
||||
ttl = zoneTTL;
|
||||
}
|
||||
];
|
||||
CAA = [
|
||||
{
|
||||
issuerCritical = false;
|
||||
tag = "issue";
|
||||
value = "letsencrypt.org";
|
||||
ttl = zoneTTL;
|
||||
}
|
||||
{
|
||||
issuerCritical = false;
|
||||
tag = "issuewild";
|
||||
value = "letsencrypt.org";
|
||||
ttl = zoneTTL;
|
||||
}
|
||||
{
|
||||
issuerCritical = false;
|
||||
tag = "iodef";
|
||||
value = "mailto:lotte@chir.rs";
|
||||
ttl = zoneTTL;
|
||||
}
|
||||
];
|
||||
};
|
||||
nutty-noon = {
|
||||
AAAA = [
|
||||
(ttl zoneTTL (aaaa "fd0d:a262:1fa6:e621:47e6:24d4:2acb:9437"))
|
||||
];
|
||||
SSHFP = [
|
||||
{
|
||||
algorithm = "rsa";
|
||||
mode = "sha1";
|
||||
fingerprint = "02e148adb73781d6c60202de7f17a164d3a8e1a4";
|
||||
ttl = zoneTTL;
|
||||
}
|
||||
{
|
||||
algorithm = "rsa";
|
||||
mode = "sha256";
|
||||
fingerprint = "9d7f38a6c8bed75a9bacb253aa172dd4b4a1291ba77c1f07e5b9a0c38a353040";
|
||||
ttl = zoneTTL;
|
||||
}
|
||||
{
|
||||
algorithm = "ed25519";
|
||||
mode = "sha1";
|
||||
fingerprint = "932070039e800bf2ae259b8dbf253342e7ee0da6";
|
||||
ttl = zoneTTL;
|
||||
}
|
||||
{
|
||||
algorithm = "ed25519";
|
||||
mode = "sha256";
|
||||
fingerprint = "78c585ece995f82bd0c23890c7fd59e0fa7d2c1741f303dc9e301b0161e9e2c3";
|
||||
ttl = zoneTTL;
|
||||
}
|
||||
];
|
||||
# TODO: add TLSA
|
||||
HTTPS = [
|
||||
{
|
||||
svcPriority = 1;
|
||||
targetName = ".";
|
||||
alpn = [ "http/1.1" "h2" "h3" ];
|
||||
ipv4hint = [ "fd0d:a262:1fa6:e621:47e6:24d4:2acb:9437" ];
|
||||
ttl = zoneTTL;
|
||||
}
|
||||
];
|
||||
|
@ -132,5 +192,6 @@ in
|
|||
minio-console.CNAME = [ "nixos-8gb-fsn1-1" ];
|
||||
backup.CNAME = [ "nas" ];
|
||||
cache.CNAME = [ "nixos-8gb-fsn1-1" ];
|
||||
hydra.CNAME = [ "nutty-noon" ];
|
||||
};
|
||||
}
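Review bot: The `HTTPS` record for `nutty-noon` near the end of the hunk puts an IPv6 address in `ipv4hint`: `ipv4hint = [ "fd0d:a262:1fa6:e621:47e6:24d4:2acb:9437" ];` should be `ipv6hint = [ "fd0d:a262:1fa6:e621:47e6:24d4:2acb:9437" ];`, matching the host's only `AAAA` record and the sibling record earlier in the hunk; as written it is either a build error in the zone generator or a hint clients cannot use. Both hosts' hints now carry `fd0d::/8` ULA addresses (the earlier record was switched from the public `2a01:4f8:...` address), so if this zone is served publicly, external clients receive unroutable hints — these belong in an internal view, or the public address should stay in the public zone. The new `SSHFP` records only protect against host-key spoofing when the zone is DNSSEC-signed (OpenSSH's `VerifyHostKeyDNS` accepts an unsigned answer only as an unverified hint and still prompts), and nothing in the hunk shows signing, so I would either confirm DNSSEC is enabled for this zone or add `# SSHFP is only authoritative for clients if this zone is DNSSEC-signed` above the list. The `rsa`/`sha1` entry can be dropped if no legacy clients need it, since the SHA-256 variants are published alongside it.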
|
||||
|
|