CoreDNS, dedicated git.gmem.ca route for NAS

2023-08-05 12:05:53 +01:00 · 2023-08-05 12:05:53 +01:00 · e1e7b401fc
parent 89e425c201
commit e1e7b401fc
1 changed files with 73 additions and 27 deletions
--- a/krops/nas/configuration.nix
+++ b/krops/nas/configuration.nix
@ -27,6 +27,30 @@
  };

  services = {
+    coredns = {
+      enable = true;
+      config =
+        ''
+        .:53 {
+          cache
+          bind tailscale0
+        }
+        git.gmem.ca {
+         cache
+         bind tailscale0
+         template IN A  {
+          answer "{{ .Name }} 0 IN A 100.116.48.47"
+         }
+        }
+    '';
+    };
+    pipewire = {
+      enable = true;
+      alsa.enable = true;
+      alsa.support32Bit = true;
+      pulse.enable = true;
+      jack.enable = true;
+    };
    zfs.autoScrub.enable = true;
    tailscale.enable = true;
    openssh.enable = true;
@ -104,28 +128,24 @@
      recommendedBrotliSettings = true;
      recommendedZstdSettings = true;
      recommendedOptimisation = true;
-
+      recommendedTlsSettings = true;
      # We can only proxy one port with Tailscale Funnel so we abuse locations instead.
      virtualHosts."vancouver.gmem.ca" =  {
        default = true;
-        enableACME = false;
-        forceSSL = false;
+        enableACME = true;
+        addSSL = true;
+        acmeRoot = null;
        locations."/" = {
          root = "/var/www/";
          extraConfig = ''
            error_page 404 /404.html;
          '';
        };
-        locations."/git/" = {
-          proxyWebsockets = false; # needed if you need to use WebSocket
+        locations."/git" = {
          extraConfig =
            ''
-            proxy_set_header Host $host;
-            proxy_set_header X-Real-IP $remote_addr;
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto $scheme;
+            return 301 $scheme://git.gmem.ca;
            '';
-          proxyPass = "http://127.0.0.1:8973/";
        };
        locations."/n8n/" = {
          proxyPass = "http://127.0.0.1:5678/";
@ -136,6 +156,21 @@
            '';
        };
      };
+      virtualHosts."git.gmem.ca" =  {
+        enableACME = true;
+        addSSL = true;
+        acmeRoot = null;
+        locations."/" = {
+          extraConfig =
+            ''
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            '';
+          proxyPass = "http://127.0.0.1:8973/";
+        };
+      };
    };
    gitea = {
      enable = true;
@ -143,7 +178,7 @@
      package = pkgs.forgejo;
      settings = {
        server = {
-          ROOT_URL = "https://vancouver.scorpion-ghost.ts.net/git/";
+          ROOT_URL = "https://git.gmem.ca/";
          HTTP_PORT = 8973;
        };
        service = {
@ -159,6 +194,7 @@
      };
    };
    gitea-actions-runner = {
+      package = pkgs.forgejo-actions-runner;
      instances = {
        vancouver = {
          name = "vancouver";
@ -167,8 +203,7 @@
            "debian-latest:docker://node:18-bullseye"
            "nix:docker://nixos/nix"
          ];
-          url = "https://vancouver.scorpion-ghost.ts.net/git";
-          token = "";
+          url = "https://git.gmem.ca/";
        };
      };
    };
@ -182,7 +217,9 @@
    firewall = {
      trustedInterfaces = ["tailscale0"];
      checkReversePath = "loose";
-      enable = false;
+      enable = true;
+      allowedTCPPorts = [ 22 53 80 443 ];
+      allowedUDPPorts = [ 53 ];
    };
    nftables.enable = true;
  };
@ -197,6 +234,8 @@
    screen
    nix-output-monitor
    cifs-utils
+    cloudflared
+    bat
    # atuin
  ];

@ -233,9 +272,13 @@
      isNormalUser = true;
      home = "/Primary/becki";
    };
-    root.openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIztwQxt+jqroFONSgq+xzPMuE2I5Dq/zWPQ8RcTYJr" 
-    ];
+    root.openssh.authorizedKeys.keys = let
+        authorizedKeys = pkgs.fetchurl {
+          url = "https://gmem.ca/ssh";
+          sha256 = "0iwrm80hsadr0midy0h3da4x0sbci76a92g8f9wnz5pj38gimdi9";
+        };
+      in pkgs.lib.splitString "\n" (builtins.readFile
+        authorizedKeys);
  };

  home-manager.users.gsimmer = { pkgs, ... }: {
@ -251,22 +294,25 @@
  virtualisation = {
    docker = {
      enable = true;
-      rootless = {
-        enable = true;
-        setSocketVariable = true;
-      };
    };
    libvirtd.enable = true;
  };

  sound.enable = true;
  security.rtkit.enable = true;
-  services.pipewire = {
-    enable = true;
-    alsa.enable = true;
-    alsa.support32Bit = true;
-    pulse.enable = true;
-    jack.enable = true;
+
+  security.acme.acceptTerms = true;
+  security.acme.defaults.email = "acme@gmem.ca";
+  security.acme.certs."git.gmem.ca" = {
+    domain = "git.gmem.ca";
+    dnsProvider = "route53";
+    credentialsFile = "/var/lib/secrets/credentials";
  };
+  security.acme.certs."vancouver.gmem.ca" = {
+    domain = "vancouver.gmem.ca";
+    dnsProvider = "route53";
+    credentialsFile = "/var/lib/secrets/credentials";
+  };
+
  system.stateVersion = "23.05";
 }