diff --git a/flake.lock b/flake.lock
index 646bb5e..6723954 100644
--- a/flake.lock
+++ b/flake.lock
@@ -5,11 +5,11 @@
 "nixpkgs": "nixpkgs"
 },
 "locked": {
- "lastModified": 1735644329,
- "narHash": "sha256-tO3HrHriyLvipc4xr+Ewtdlo7wM1OjXNjlWRgmM7peY=",
+ "lastModified": 1741473158,
+ "narHash": "sha256-kWNaq6wQUbUMlPgw8Y+9/9wP0F8SHkjy24/mN3UAppg=",
 "owner": "numtide",
 "repo": "devshell",
- "rev": "f7795ede5b02664b57035b3b757876703e2c3eac",
+ "rev": "7c9e793ebe66bcba8292989a68c0419b737a22a0",
 "type": "github"
 },
 "original": {
@@ -39,11 +39,11 @@
 "nixpkgs-lib": "nixpkgs-lib"
 },
 "locked": {
- "lastModified": 1740872218,
- "narHash": "sha256-ZaMw0pdoUKigLpv9HiNDH2Pjnosg7NBYMJlHTIsHEUo=",
+ "lastModified": 1741352980,
+ "narHash": "sha256-+u2UunDA4Cl5Fci3m7S643HzKmIDAe+fiXrLqYsR2fs=",
 "owner": "hercules-ci",
 "repo": "flake-parts",
- "rev": "3876f6b87db82f33775b1ef5ea343986105db764",
+ "rev": "f4330d22f1c5d2ba72d3d22df5597d123fdb60a9",
 "type": "github"
 },
 "original": {
@@ -92,11 +92,11 @@
 ]
 },
 "locked": {
- "lastModified": 1739757849,
- "narHash": "sha256-Gs076ot1YuAAsYVcyidLKUMIc4ooOaRGO0PqTY7sBzA=",
+ "lastModified": 1742655702,
+ "narHash": "sha256-jbqlw4sPArFtNtA1s3kLg7/A4fzP4GLk9bGbtUJg0JQ=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "9d3d080aec2a35e05a15cedd281c2384767c2cfe",
+ "rev": "0948aeedc296f964140d9429223c7e4a0702a1ff",
 "type": "github"
 },
 "original": {
@@ -143,11 +143,11 @@
 },
 "nixos-hardware": {
 "locked": {
- "lastModified": 1740646007,
- "narHash": "sha256-dMReDQobS3kqoiUCQIYI9c0imPXRZnBubX20yX/G5LE=",
+ "lastModified": 1742806253,
+ "narHash": "sha256-zvQ4GsCJT6MTOzPKLmlFyM+lxo0JGQ0cSFaZSACmWfY=",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "009b764ac98a3602d41fc68072eeec5d24fc0e49",
+ "rev": "ecaa2d911e77c265c2a5bac8b583c40b0f151726",
 "type": "github"
 },
 "original": {
@@ -163,11 +163,11 @@
 "nixpkgs": "nixpkgs_2"
 },
 "locked": {
- "lastModified": 1740567864,
- "narHash": "sha256-eTS2wrC1jKR6PKXC9jZqQy5PwqbIOBLSLF3dwLiFJ8M=",
+ "lastModified": 1742999260,
+ "narHash": "sha256-wgeb7kSod9MAGm39MsVLsy2zxSbtCtckCkgfbjg6TLM=",
 "owner": "nix-community",
 "repo": "NixOS-WSL",
- "rev": "1f40b43d01626ce994eb47150afa0d7215f396ca",
+ "rev": "64d679540fa4d7e2afdbbb53ea63e3e5019c1f52",
 "type": "github"
 },
 "original": {
@@ -195,23 +195,26 @@
 },
 "nixpkgs-lib": {
 "locked": {
- "lastModified": 1740872140,
- "narHash": "sha256-3wHafybyRfpUCLoE8M+uPVZinImg3xX+Nm6gEfN3G8I=",
- "type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs/archive/6d3702243441165a03f699f64416f635220f4f15.tar.gz"
+ "lastModified": 1740877520,
+ "narHash": "sha256-oiwv/ZK/2FhGxrCkQkB83i7GnWXPPLzoqFHpDD3uYpk=",
+ "owner": "nix-community",
+ "repo": "nixpkgs.lib",
+ "rev": "147dee35aab2193b174e4c0868bd80ead5ce755c",
+ "type": "github"
 },
 "original": {
- "type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs/archive/6d3702243441165a03f699f64416f635220f4f15.tar.gz"
+ "owner": "nix-community",
+ "repo": "nixpkgs.lib",
+ "type": "github"
 }
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1741010256,
- "narHash": "sha256-WZNlK/KX7Sni0RyqLSqLPbK8k08Kq7H7RijPJbq9KHM=",
+ "lastModified": 1742889210,
+ "narHash": "sha256-hw63HnwnqU3ZQfsMclLhMvOezpM7RSB0dMAtD5/sOiw=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "ba487dbc9d04e0634c64e3b1f0d25839a0a68246",
+ "rev": "698214a32beb4f4c8e3942372c694f40848b360d",
 "type": "github"
 },
 "original": {
@@ -223,11 +226,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1740463929,
- "narHash": "sha256-4Xhu/3aUdCKeLfdteEHMegx5ooKQvwPHNkOgNCXQrvc=",
+ "lastModified": 1740865531,
+ "narHash": "sha256-h00vGIh/jxcGl8aWdfnVRD74KuLpyY3mZgMFMy7iKIc=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "5d7db4668d7a0c6cc5fc8cf6ef33b008b2b1ed8b",
+ "rev": "5ef6c425980847c78a80d759abc476e941a9bf42",
 "type": "github"
 },
 "original": {
@@ -239,11 +242,11 @@
 },
 "nixpkgs_3": {
 "locked": {
- "lastModified": 1740932899,
- "narHash": "sha256-F0qDu2egq18M3edJwEOAE+D+VQ+yESK6YWPRQBfOqq8=",
+ "lastModified": 1742937945,
+ "narHash": "sha256-lWc+79eZRyvHp/SqMhHTMzZVhpxkRvthsP1Qx6UCq0E=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "1546c45c538633ae40b93e2d14e0bb6fd8f13347",
+ "rev": "d02d88f8de5b882ccdde0465d8fa2db3aa1169f7",
 "type": "github"
 },
 "original": {
diff --git a/home-manager/machines/crash/home.nix b/home-manager/machines/crash/home.nix
index b57d562..f16278b 100644
--- a/home-manager/machines/crash/home.nix
+++ b/home-manager/machines/crash/home.nix
@@ -32,6 +32,7 @@
 ../../modules/programs/core.nix
 ../../modules/programs/devel.nix
 ../../modules/programs/ssh.nix
+ ../../modules/programs/ssh-agent.nix
 (import ../../modules/programs/emacs.nix {})
 ../../modules/programs/fonts.nix
 ../../modules/programs/desktop.nix
diff --git a/home-manager/modules/programs/ssh-agent.nix b/home-manager/modules/programs/ssh-agent.nix
new file mode 100644
index 0000000..73d9324
--- /dev/null
+++ b/home-manager/modules/programs/ssh-agent.nix
@@ -0,0 +1,17 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: {
+ # Enable the agent
+ services.ssh-agent = {
+ enable = true;
+ };
+ # Setup fish init
+ programs.fish.shellInit =
+ ''
+ set -x SSH_AUTH_SOCK $XDG_RUNTIME_DIR/ssh-agent
+ ssh-add
+'';
+}
diff --git a/home-manager/modules/programs/ssh.nix b/home-manager/modules/programs/ssh.nix
index 386c110..65a00bc 100644
--- a/home-manager/modules/programs/ssh.nix
+++ b/home-manager/modules/programs/ssh.nix
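Review bot: `ssh-add` in `programs.fish.shellInit` runs for every fish process, non-interactive ones included, and loads every default key into the agent with no lifetime and no per-use confirmation, so scripts get a stray passphrase prompt or a failing `ssh-add`, and the loaded keys stay usable by anything that reaches the socket — including the hosts given `forwardAgent = true` in ssh.nix in this same change. Move it to `programs.fish.interactiveShellInit` and bound it, e.g. `ssh-add -t 8h` or `ssh-add -c` so each signature needs approval, or drop the explicit call and let keys load on first use via `programs.ssh.addKeysToAgent = "yes"` if the home-manager version in use has that option. The `set -x SSH_AUTH_SOCK` line may duplicate what the home-manager ssh-agent module already exports for the session; either remove it or keep it under a comment such as `# TODO confirm: services.ssh-agent may already export SSH_AUTH_SOCK via session variables`.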
@@ -18,9 +18,21 @@
 controlPersist = "10m";
 # Configure known hosts
 matchBlocks = {
+ # rsync.net
+ "de1955" = {
+ hostname = "de1955.rsync.net";
+ user = "de1955";
+ };
+ # my nixos machines
 "tides" = {
 hostname = "150.136.87.190";
+ forwardAgent = true;
 };
+ "driftwood" = {
+ hostname = "driftwood.stranger.systems";
+ forwardAgent = true;
+ };
+ # Other Machines
 "static.stranger.systems" = {
 hostname = "129.153.226.221";
 user = "ubuntu";
diff --git a/nixos/machines/driftwood/configuration.nix b/nixos/machines/driftwood/configuration.nix
index f04a9a0..9263ba9 100644
--- a/nixos/machines/driftwood/configuration.nix
+++ b/nixos/machines/driftwood/configuration.nix
@@ -1,10 +1,12 @@
 # Edit this configuration file to define what should be installed on
 # your system. Help is available in the configuration.nix(5) man page, on
 # https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
-
-{ config, lib, pkgs, ... }:
-
 {
+ config,
+ lib,
+ pkgs,
+ ...
+}: {
 # Use the systemd-boot EFI boot loader.
 boot.loader.systemd-boot.enable = true;
 boot.loader.efi.canTouchEfiVariables = true;
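Review bot: `forwardAgent = true` on `tides` and `driftwood` exposes the local agent socket to root on those hosts, and because the keys are loaded by the new ssh-agent module without `-c`, anyone with root there can sign with every loaded key for as long as the session is open. If the forwarding only exists to hop through these hosts, `proxyJump = "driftwood";` on the destination block keeps the keys local; if it is genuinely needed, say why in a comment above each `forwardAgent = true;` and pair it with confirmation-on-use (`ssh-add -c`) in the agent module. The `matchBlocks` set continues past the end of the hunk, so any other blocks carrying the same flag deserve the same treatment.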
@@ -15,6 +17,37 @@
 i18n.defaultLocale = "en_US.UTF-8";
 system.stateVersion = "24.11"; # Did you read the comment?
+ networking.nat = {
+ enable = true;
+ internalInterfaces = ["ve-+"];
+ externalInterface = "enp5s0f0";
+ # Lazy IPv6 connectivity for the container
+ enableIPv6 = true;
+ };
+ # Nginx configuration
+ # Configure automated TLS acquisition/renewal
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ email = "admin@stranger.systems";
+ };
+ };
+
+ # ACME data must be readable by the NGINX user
+ users.users.nginx.extraGroups = [
+ "acme"
+ ];
+
+ # Enable nginx
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ };
+
+ # Open firewall ports for HTTP, HTTPS, and Matrix federation
+ networking.firewall.allowedTCPPorts = [80 443 8448];
+ networking.firewall.allowedUDPPorts = [80 443 8448];
 }
-
diff --git a/nixos/machines/driftwood/containers/conduit.nix b/nixos/machines/driftwood/containers/conduit.nix
new file mode 100644
index 0000000..7d66cce
--- /dev/null
+++ b/nixos/machines/driftwood/containers/conduit.nix
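Review bot: `networking.firewall.allowedUDPPorts = [80 443 8448]` opens three UDP ports that nothing in this change listens on — the nginx vhost in conduit.nix has plain `ssl = true` listeners with no QUIC/HTTP/3, and conduwuit is reached over TCP through the nginx upstream — so the line should be removed, leaving `networking.firewall.allowedTCPPorts = [80 443 8448];` (80 still needed for ACME HTTP-01). If HTTP/3 is intended later, enable it on the vhost first and add the UDP rule alongside it with a comment naming that purpose. `externalInterface = "enp5s0f0"` also deserves a comment identifying the NIC, since NAT silently stops masquerading the container if the interface name changes.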
@@ -0,0 +1,110 @@
+{
+ config,
+ lib,
+ pkgs,
+ inputs,
+ ...
+}: {
+ containers.conduit-stranger-systems = {
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress = "192.168.100.10";
+ localAddress = "192.168.100.11";
+ hostAddress6 = "fc00::1";
+ localAddress6 = "fc00::2";
+ bindMounts = {
+ "/var/lib/" = {
+ hostPath = "/var/containers/conduit";
+ isReadOnly = false;
+ };
+ };
+ nixpkgs = inputs.nixpkgs-unstable.outPath;
+ config = {
+ config,
+ lib,
+ pkgs,
+ ...
+ }: {
+ # Conduit proper
+ services.conduwuit = {
+ enable = true;
+ settings.global = {
+ server_name = "stranger.systems";
+ rocksdb_optimize_for_spinning_disks = true;
+new_user_displayname_suffix = "";
+ allow_registration = true;
+ registration_token_file = "/var/lib/conduwuit/reg_token";
+ port = [6167];
+ address = ["0.0.0.0"];
+ };
+ };
+ # Open the port
+ networking.firewall.allowedTCPPorts = [6167];
+
+ system.stateVersion = "24.11";
+ };
+ };
+
+ services.nginx = {
+ virtualHosts = {
+ "matrix.stranger.systems" = {
+ forceSSL = true;
+ enableACME = true;
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 443;
+ ssl = true;
+ }
+ {
+ addr = "[::]";
+ port = 443;
+ ssl = true;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ ssl = false;
+ }
+ {
+ addr = "[::]";
+ port = 80;
+ ssl = false;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 8448;
+ ssl = true;
+ }
+ {
+ addr = "[::]";
+ port = 8448;
+ ssl = true;
+ }
+ ];
+
+ locations."/_matrix/" = {
+ proxyPass = "http://backend_conduit$request_uri";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_buffering off;
+ '';
+ };
+
+ extraConfig = ''
+ merge_slashes off;
+ '';
+ };
+ };
+
+ upstreams = {
+ "backend_conduit" = {
+ servers = {
+ "192.168.100.11:6167" = {};
+ };
+ };
+ };
+ };
+}
diff --git a/nixos/machines/driftwood/machine.nix b/nixos/machines/driftwood/machine.nix
index 6530412..759513b 100644
--- a/nixos/machines/driftwood/machine.nix
+++ b/nixos/machines/driftwood/machine.nix
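Review bot: `allow_registration = true` is gated only by `registration_token_file = "/var/lib/conduwuit/reg_token"`, a file this change never creates or permission-checks; through the bind mount it lives on the host at `/var/containers/conduit/conduwuit/reg_token`, so add a comment stating who provisions it and with what owner/mode, and confirm that conduwuit refuses to start (or keeps registration closed) when the file is missing rather than falling back to open sign-up. The `bindMounts."/var/lib/"` entry also hands the container's entire `/var/lib` to that host directory; narrowing it to conduwuit's state directory keeps unrelated container state out of it. Separately, the `/_matrix/` location inherits nginx's 1m `client_max_body_size` unless it is set elsewhere, so media uploads above that will get 413 — consider a `client_max_body_size` matching conduwuit's configured `max_request_size` in the location's `extraConfig`.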
@@ -38,6 +38,7 @@
 mutableUsers = false;
 })
 (import ../../modules/ssh.nix)
+ (import ./containers/conduit.nix)
 ];
 nix.settings.experimental-features = [