From e1e7b401fcbec6ae9d7610b614fd9bb814f5b63c Mon Sep 17 00:00:00 2001
From: Gabriel Simmer
Date: Sat, 5 Aug 2023 12:05:53 +0100
Subject: [PATCH] CoreDNS, dedicated git.gmem.ca route for NAS
---
 krops/nas/configuration.nix | 100 ++++++++++++++++++++++++++----------
 1 file changed, 73 insertions(+), 27 deletions(-)
diff --git a/krops/nas/configuration.nix b/krops/nas/configuration.nix
index 5815148..f772d91 100644
--- a/krops/nas/configuration.nix
+++ b/krops/nas/configuration.nix
@@ -27,6 +27,30 @@
 };
 services = {
+ coredns = {
+ enable = true;
+ config =
+ ''
+ .:53 {
+ cache
+ bind tailscale0
+ }
+ git.gmem.ca {
+ cache
+ bind tailscale0
+ template IN A {
+ answer "{{ .Name }} 0 IN A 100.116.48.47"
+ }
+ }
+ '';
+ };
+ pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ jack.enable = true;
+ };
 zfs.autoScrub.enable = true;
 tailscale.enable = true;
 openssh.enable = true;
@@ -104,28 +128,24 @@
 recommendedBrotliSettings = true;
 recommendedZstdSettings = true;
 recommendedOptimisation = true;
- 
+ recommendedTlsSettings = true;
 # We can only proxy one port with Tailscale Funnel so we abuse locations instead.
 virtualHosts."vancouver.gmem.ca" = {
 default = true;
- enableACME = false;
- forceSSL = false;
+ enableACME = true;
+ addSSL = true;
+ acmeRoot = null;
 locations."/" = {
 root = "/var/www/";
 extraConfig = ''
 error_page 404 /404.html;
 '';
 };
- locations."/git/" = {
- proxyWebsockets = false; # needed if you need to use WebSocket
+ locations."/git" = {
 extraConfig = ''
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
+ return 301 $scheme://git.gmem.ca;
 '';
- proxyPass = "http://127.0.0.1:8973/";
 };
 locations."/n8n/" = {
 proxyPass = "http://127.0.0.1:5678/";
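Review bot: The `.:53` server block in the new `services.coredns.config` has only `cache` and `bind tailscale0` and no `forward` (or any other answering plugin), so every query that is not for git.gmem.ca reaches the end of the plugin chain and CoreDNS returns SERVFAIL. If this resolver is meant to serve the tailnet's general DNS, the block needs an upstream such as `forward . <upstream-resolver>` (placeholder); if only the split-horizon git.gmem.ca answer is wanted, the catch-all block can be dropped so nothing listens for other names. The `template IN A` stanza also covers only A records, so AAAA lookups for git.gmem.ca presumably get no answer — worth confirming with a dual-stack client. Binding to `tailscale0` is the right scope for a private answer; the attribute set enclosing `services` begins before the hunk.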
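Review bot: `return 301 $scheme://git.gmem.ca;` under `locations."/git"` drops the request path and echoes the client's scheme, so existing links of the form `/git/<owner>/<repo>` land on the Forgejo front page and an http:// visitor is sent to http://git.gmem.ca rather than the TLS host; `rewrite ^/git/?(.*)$ https://git.gmem.ca/$1 permanent;` keeps the path and pins HTTPS. Replacing `forceSSL = false` with `addSSL = true` also leaves vancouver.gmem.ca serving plaintext on :80 alongside the new certificate; unless the Tailscale Funnel setup mentioned in the comment needs the plain listener, `forceSSL = true` is the safer choice. The enclosing block (presumably `services.nginx`) and its `virtualHosts` set start before the hunk.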
@@ -136,6 +156,21 @@
 '';
 };
 };
+ virtualHosts."git.gmem.ca" = {
+ enableACME = true;
+ addSSL = true;
+ acmeRoot = null;
+ locations."/" = {
+ extraConfig =
+ ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ '';
+ proxyPass = "http://127.0.0.1:8973/";
+ };
+ };
 };
 gitea = {
 enable = true;
@@ -143,7 +178,7 @@
 package = pkgs.forgejo;
 settings = {
 server = {
- ROOT_URL = "https://vancouver.scorpion-ghost.ts.net/git/";
+ ROOT_URL = "https://git.gmem.ca/";
 HTTP_PORT = 8973;
 };
 service = {
@@ -159,6 +194,7 @@
 };
 };
 gitea-actions-runner = {
+ package = pkgs.forgejo-actions-runner;
 instances = {
 vancouver = {
 name = "vancouver";
@@ -167,8 +203,7 @@
 "debian-latest:docker://node:18-bullseye"
 "nix:docker://nixos/nix"
 ];
- url = "https://vancouver.scorpion-ghost.ts.net/git";
- token = "";
+ url = "https://git.gmem.ca/";
 };
 };
 };
@@ -182,7 +217,9 @@
 firewall = {
 trustedInterfaces = ["tailscale0"];
 checkReversePath = "loose";
- enable = false;
+ enable = true;
+ allowedTCPPorts = [ 22 53 80 443 ];
+ allowedUDPPorts = [ 53 ];
 };
 nftables.enable = true;
 };
@@ -197,6 +234,8 @@
 screen
 nix-output-monitor
 cifs-utils
+ cloudflared
+ bat
 # atuin
 ];
@@ -233,9 +272,13 @@
 isNormalUser = true;
 home = "/Primary/becki";
 };
- root.openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIztwQxt+jqroFONSgq+xzPMuE2I5Dq/zWPQ8RcTYJr"
- ];
+ root.openssh.authorizedKeys.keys = let
+ authorizedKeys = pkgs.fetchurl {
+ url = "https://gmem.ca/ssh";
+ sha256 = "0iwrm80hsadr0midy0h3da4x0sbci76a92g8f9wnz5pj38gimdi9";
+ };
+ in pkgs.lib.splitString "\n" (builtins.readFile
+ authorizedKeys);
 };
 home-manager.users.gsimmer = { pkgs, ... }: {
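Review bot: The new `virtualHosts."git.gmem.ca"` uses `addSSL = true`, so the Forgejo proxy is reachable over plaintext HTTP on port 80 (opened in the firewall hunk further down) as well as over TLS, and login forms and session cookies can then travel unencrypted. `forceSSL = true;` in place of `addSSL = true;` redirects HTTP to HTTPS and matches the `https://` value given to `ROOT_URL` in the next hunk. If the plain listener is deliberately kept for the Funnel path, a one-line comment above the vhost saying so would stop the next reader from "fixing" it.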
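Review bot: `allowedTCPPorts = [ 22 53 80 443 ];` and `allowedUDPPorts = [ 53 ];` open DNS on every interface, but the CoreDNS server added at `@@ -27` only `bind`s `tailscale0`, which is already listed in `trustedInterfaces`; the two 53 entries therefore add no reachable listener today and would expose the resolver to the LAN the moment that `bind` line is ever removed. Dropping them, `allowedTCPPorts = [ 22 80 443 ];` and no `allowedUDPPorts`, keeps the rule set equal to what is actually served. Switching `enable = true` on is the important part of this hunk; 22 stays open on all interfaces because `openssh` is enabled, which is fine if SSH from outside the tailnet is intended and could otherwise go the same way.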
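Review bot: `pkgs.lib.splitString "\n"` on the fetched file yields an empty trailing element when the file ends with a newline (and one per blank line inside it), so root's `authorized_keys` gets blank entries; filter them before handing the list to `keys`, e.g. `in builtins.filter (k: k != "") (pkgs.lib.splitString "\n" (builtins.readFile authorizedKeys));`. Root's login keys are now read from `https://gmem.ca/ssh` during evaluation, and the `sha256` pin is the only thing preventing a changed or replaced remote file from silently altering who can log in as root; keep the pin and treat every hash update as a deliberate key-rotation review. A short comment above the `let` stating that intent would help the next maintainer, since the old inline key list made the trust boundary obvious.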
@@ -251,22 +294,25 @@
 virtualisation = {
 docker = {
 enable = true;
- rootless = {
- enable = true;
- setSocketVariable = true;
- };
 };
 libvirtd.enable = true;
 };
 sound.enable = true;
 security.rtkit.enable = true;
- services.pipewire = {
- enable = true;
- alsa.enable = true;
- alsa.support32Bit = true;
- pulse.enable = true;
- jack.enable = true;
+
+ security.acme.acceptTerms = true;
+ security.acme.defaults.email = "acme@gmem.ca";
+ security.acme.certs."git.gmem.ca" = {
+ domain = "git.gmem.ca";
+ dnsProvider = "route53";
+ credentialsFile = "/var/lib/secrets/credentials";
 };
+ security.acme.certs."vancouver.gmem.ca" = {
+ domain = "vancouver.gmem.ca";
+ dnsProvider = "route53";
+ credentialsFile = "/var/lib/secrets/credentials";
+ };
+
 system.stateVersion = "23.05";
 }
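Review bot: Removing `rootless = { enable = true; setSocketVariable = true; }` moves Docker to the root-owned daemon, and the `gitea-actions-runner` labels in the `@@ -167` hunk use `docker://` images, so if the runner talks to that daemon, workflow jobs from anyone allowed to push to the Forgejo instance now run in containers started by a root-owned daemon, a much larger blast radius than before; if rootless was dropped for a reason (the runner not finding the socket, for instance), a comment recording it and a dedicated restricted runner user would be worth adding. The two `security.acme.certs` blocks repeat `dnsProvider` and `credentialsFile`; both can sit next to `email` under `security.acme.defaults`, leaving only `domain` per cert. `/var/lib/secrets/credentials` holds Route53 API credentials, so the IAM identity behind it should be limited to record changes in that zone and the file kept root-only, as the acme service presumably loads it as an environment file.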