commit 02dc7f961d137191028d68bf3c8f0c580c4bd6da
parent ada416174ba4b6c26e324fbaecc21444790b6e3c
Author: Katja Ramona Sophie Kwast (zaphyra) <git@zaphyra.eu>
Date: Thu, 19 Jun 2025 19:17:32 +0200
parent ada416174ba4b6c26e324fbaecc21444790b6e3c
Author: Katja Ramona Sophie Kwast (zaphyra) <git@zaphyra.eu>
Date: Thu, 19 Jun 2025 19:17:32 +0200
config/nixos/modules/presets/zaphyra: move dn42-stuff to own module
2 files changed, 194 insertions(+), 138 deletions(-)
M
|
285
+++++++++++++++++++++++++++++++++++++++++--------------------------------------
diff --git a/config/nixos/modules/presets/zaphyra/dn42.nix b/config/nixos/modules/presets/zaphyra/dn42.nix
@@ -0,0 +1,47 @@
+{
+ inputs,
+ povSelf,
+ pkgs,
+ lib,
+ config,
+ hostConfig,
+ ...
+}:
+let
+ inherit (lib) types;
+ cfg = lib.getAttrFromPath povSelf config;
+
+in
+{
+
+ options.enable = {
+ type = types.bool;
+ default = false;
+ };
+
+ config = lib.mkIf cfg.enable {
+ dns.zones."zaphyra.dn42".subdomains."${lib.removeSuffix ".zaphyra.eu" config.networking.fqdn}" = {
+ AAAA = [ hostConfig.networking.dn42Address ];
+ };
+
+ security.acme.certs."${lib.removeSuffix ".zaphyra.eu" config.networking.fqdn}.zaphyra.dn42" = {
+ server = "https://acme.burble.dn42/v1/dn42/acme/directory";
+ validMinDays = 20;
+ keyType = "ec384";
+ dnsProvider = null;
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts."${lib.removeSuffix ".zaphyra.eu" config.networking.fqdn}.zaphyra.dn42" = {
+ enableACME = true;
+ forceSSL = true;
+ kTLS = true;
+ };
+ };
+
+ modules.services.prometheusExporters.domain = "${lib.removeSuffix ".zaphyra.eu" config.networking.fqdn}.zaphyra.dn42";
+
+ };
+
+}
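Review bot: `${lib.removeSuffix ".zaphyra.eu" config.networking.fqdn}` is spelled out four times in the new module (DNS subdomain, ACME cert name, nginx vhost, prometheus exporter domain), so a single binding next to `cfg` such as `dn42Fqdn = "${lib.removeSuffix ".zaphyra.eu" config.networking.fqdn}.zaphyra.dn42";` would keep the four names from drifting apart. `hostConfig.networking.dn42Address` is dereferenced unconditionally once `cfg.enable` holds, so enabling this module on a host whose config lacks that attribute fails evaluation with a bare missing-attribute error; an `assertions` entry with condition `hostConfig ? networking && hostConfig.networking ? dn42Address` would instead name the option and the host. The ACME entry sets `dnsProvider = null` without a comment, and since enable.nix defaults it to `"rfc2136"` the reason for the override is not recorded; a comment along the lines of `# overrides the rfc2136 default from enable.nix — presumably so the nginx enableACME webroot is used for the dn42 CA; confirm` would capture the intent the hunk leaves implicit.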
diff --git a/config/nixos/modules/presets/zaphyra/enable.nix b/config/nixos/modules/presets/zaphyra/enable.nix 
@@ -18,149 +18,158 @@ in default = false; }; - config = lib.mkIf cfg { - sops.secrets.acmeTSIGKey = { }; - - users.users.root = { - extraGroups = [ "ssh" ]; - openssh.authorizedKeys.keys = [ - (builtins.readFile "${pkgs.zaphyra-website}/ssh_pubkey.asc") - ]; - }; - - dns.zones."zaphyra.eu".subdomains."${lib.removeSuffix ".zaphyra.eu" config.networking.fqdn}" = - lib.mkIf (hostConfig ? networking) - ( - let - networkCfg = hostConfig.networking; - in - { - AAAA = lib.mkIf ((networkCfg ? ip6Address) && !networkCfg.ip6IsPrivate) [ networkCfg.ip6Address ]; - A = lib.mkIf ((networkCfg ? ip4Address) && !networkCfg.ip4IsPrivate) [ networkCfg.ip4Address ]; - } - ); - - modules = { - homeManager.enable = true; - - hardware.smartcard.enable = lib.mkDefault config.modules.presets.graphical.enable; - - presets.zaphyra = { - syncthing.enable = lib.mkDefault true; - }; - - services = { - keyd.enable = lib.mkDefault config.modules.presets.graphical.enable; - openssh = { - enable = lib.mkDefault true; - enableRSASupport = lib.mkDefault true; + config = lib.mkIf cfg ( + lib.mkMerge [ + (lib.mkIf (hostConfig ? networking) ( + lib.mkIf (hostConfig.networking ? 
dn42Address) { + modules.presets.zaphyra.dn42.enable = true; + } + )) + { + sops.secrets.acmeTSIGKey = { }; + + users.users.root = { + extraGroups = [ "ssh" ]; + openssh.authorizedKeys.keys = [ + (builtins.readFile "${pkgs.zaphyra-website}/ssh_pubkey.asc") + ]; }; - prometheusExporters.enable = lib.mkDefault true; - vnstat.enable = true; - vnstat.vnstati.enable = true; - }; - }; - - modules.filesystem.impermanence.system.dirs = [ "/var/lib/acme" ]; - security = { - acme = { - acceptTerms = true; - defaults = { - email = "letsencrypt@zaphyra.eu"; - keyType = "ec384"; - dnsProvider = "rfc2136"; - environmentFile = pkgs.writeText "acme-dns-env" '' - RFC2136_NAMESERVER=morio.infra.zaphyra.eu - RFC2136_TSIG_KEY=acme-nix-${config.networking.hostName} - RFC2136_TSIG_ALGORITHM=hmac-sha384 - ''; - credentialFiles = { - RFC2136_TSIG_SECRET_FILE = config.sops.secrets.acmeTSIGKey.path; + + dns.zones."zaphyra.eu".subdomains."${lib.removeSuffix ".zaphyra.eu" config.networking.fqdn}" = + lib.mkIf (hostConfig ? networking) + ( + let + networkCfg = hostConfig.networking; + in + { + AAAA = lib.mkIf ((networkCfg ? ip6Address) && !networkCfg.ip6IsPrivate) [ networkCfg.ip6Address ]; + A = lib.mkIf ((networkCfg ? ip4Address) && !networkCfg.ip4IsPrivate) [ networkCfg.ip4Address ]; + } + ); + + modules = { + homeManager.enable = true; + + hardware.smartcard.enable = lib.mkDefault config.modules.presets.graphical.enable; + + presets.zaphyra = { + syncthing.enable = lib.mkDefault true; + }; + + services = { + keyd.enable = lib.mkDefault config.modules.presets.graphical.enable; + openssh = { + enable = lib.mkDefault true; + enableRSASupport = lib.mkDefault true; + }; + prometheusExporters.enable = lib.mkDefault true; + vnstat.enable = true; + vnstat.vnstati.enable = true; }; }; - certs."${config.networking.fqdn}" = { - group = lib.mkIf config.services.nginx.enable "nginx"; - extraDomainNames = ( - config.services.nginx.virtualHosts - |> lib.mapAttrsToList ( - key: config: [ - (if config ? 
serverAliases then config.serverAliases else [ ]) - key - ] - ) - |> lib.flatten - |> lib.filter (domain: !(lib.hasSuffix "dn42" domain)) - ); - }; - }; - pki.certificates = [ - '' - -----BEGIN CERTIFICATE----- - MIID8DCCAtigAwIBAgIFIBYBAAAwDQYJKoZIhvcNAQELBQAwYjELMAkGA1UEBhMC - WEQxDTALBgNVBAoMBGRuNDIxIzAhBgNVBAsMGmRuNDIgQ2VydGlmaWNhdGUgQXV0 - aG9yaXR5MR8wHQYDVQQDDBZkbjQyIFJvb3QgQXV0aG9yaXR5IENBMCAXDTE2MDEx - NjAwMTIwNFoYDzIwMzAxMjMxMjM1OTU5WjBiMQswCQYDVQQGEwJYRDENMAsGA1UE - CgwEZG40MjEjMCEGA1UECwwaZG40MiBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAd - BgNVBAMMFmRuNDIgUm9vdCBBdXRob3JpdHkgQ0EwggEiMA0GCSqGSIb3DQEBAQUA - A4IBDwAwggEKAoIBAQDBGRDeAYYR8YIMsNTl/5rI46r0AAiCwM9/BXohl8G1i6PR - VO76BA931VyYS9mIGMEXEJLlJPrvYetdexHlvrqJ8mDJO4IFOnRUYCNmGtjNKHvx - 6lUlmowEoP+dSFRMnbwtoN9xrmRHDed1BfTFAirSDL6jY1RiK60p62oIpF6o6/FS - FE7RXUEv0xm65II2etGj8oT2B7L2DDDb23bu6RQFx491tz/V1TVW0JJE3yYeAPqu - y3rJUGddafj5/SWnHdtAsUK8RVfhyRxCummAHuolmRKfbyOj0i5KzRXkfEn50cDw - GQwVUM6mUbuqFrKC7PRhRIwc3WVgBHewTZlnF/sJAgMBAAGjgaowgacwDgYDVR0P - AQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFFR2iLLAtTDQ/E/J - bTv5jFURrBUVMB8GA1UdIwQYMBaAFFR2iLLAtTDQ/E/JbTv5jFURrBUVMEQGA1Ud - HgQ9MDugOTAHggUuZG40MjAKhwisFAAA//wAADAihyD9QgAAAAAAAAAAAAAAAAAA - //8AAAAAAAAAAAAAAAAAADANBgkqhkiG9w0BAQsFAAOCAQEAXKQ7QaCBaeJxmU11 - S1ogDSrZ7Oq8jU+wbPMuQRqgdfPefjrgp7nbzfUW5GrL58wqj+5/FAqltflmSIHl - aB4MpqM8pyvjlc/jYxUNFglj2WYxO0IufBrlKI5ePZ4omUjpR4YR4gQpYCuWlZmu - P6v/P0WrfgdFTk0LGEA9OwKcTqkPpcI/SjB3rmZcs42yQWvimAF94GtScE09uKlI - 9QLS2UBmtl5EJRFVrDEC12dyamq8dDRfddyaT4MoQOAq3D9BQ1pHByu3pz/QFaJC - 1zAi8vbktPY7OMprTOc8pHDL3q8KFP8jJcoEzZ5Jw0vkCrULhLXvtFtjB0djzVxQ - C0IKqQ== - -----END CERTIFICATE----- - '' - ]; - }; - - services = { - timesyncd.enable = lib.mkDefault true; - fstrim.enable = lib.mkDefault true; - - journald.extraConfig = "SystemMaxUse=2.5G"; - - logind.killUserProcesses = lib.mkDefault true; - - nginx = { - enable = lib.mkDefault true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - 
recommendedProxySettings = true; - recommendedTlsSettings = true; - commonHttpConfig = '' - server_names_hash_bucket_size 64; - charset utf-8; - - access_log off; - ''; - - virtualHosts."${config.networking.fqdn}" = { - useACMEHost = "${config.networking.fqdn}"; - forceSSL = true; - kTLS = true; - default = true; + + modules.filesystem.impermanence.system.dirs = [ "/var/lib/acme" ]; + security = { + acme = { + acceptTerms = true; + defaults = { + email = "letsencrypt@zaphyra.eu"; + keyType = "ec384"; + dnsProvider = "rfc2136"; + environmentFile = pkgs.writeText "acme-dns-env" '' + RFC2136_NAMESERVER=morio.infra.zaphyra.eu + RFC2136_TSIG_KEY=acme-nix-${config.networking.hostName} + RFC2136_TSIG_ALGORITHM=hmac-sha384 + ''; + credentialFiles = { + RFC2136_TSIG_SECRET_FILE = config.sops.secrets.acmeTSIGKey.path; + }; + }; + certs."${config.networking.fqdn}" = { + group = lib.mkIf config.services.nginx.enable "nginx"; + extraDomainNames = ( + config.services.nginx.virtualHosts + |> lib.mapAttrsToList ( + key: config: [ + (if config ? 
serverAliases then config.serverAliases else [ ]) + key + ] + ) + |> lib.flatten + |> lib.filter (domain: !(lib.hasSuffix "dn42" domain)) + ); + }; + }; + pki.certificates = [ + '' + -----BEGIN CERTIFICATE----- + MIID8DCCAtigAwIBAgIFIBYBAAAwDQYJKoZIhvcNAQELBQAwYjELMAkGA1UEBhMC + WEQxDTALBgNVBAoMBGRuNDIxIzAhBgNVBAsMGmRuNDIgQ2VydGlmaWNhdGUgQXV0 + aG9yaXR5MR8wHQYDVQQDDBZkbjQyIFJvb3QgQXV0aG9yaXR5IENBMCAXDTE2MDEx + NjAwMTIwNFoYDzIwMzAxMjMxMjM1OTU5WjBiMQswCQYDVQQGEwJYRDENMAsGA1UE + CgwEZG40MjEjMCEGA1UECwwaZG40MiBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAd + BgNVBAMMFmRuNDIgUm9vdCBBdXRob3JpdHkgQ0EwggEiMA0GCSqGSIb3DQEBAQUA + A4IBDwAwggEKAoIBAQDBGRDeAYYR8YIMsNTl/5rI46r0AAiCwM9/BXohl8G1i6PR + VO76BA931VyYS9mIGMEXEJLlJPrvYetdexHlvrqJ8mDJO4IFOnRUYCNmGtjNKHvx + 6lUlmowEoP+dSFRMnbwtoN9xrmRHDed1BfTFAirSDL6jY1RiK60p62oIpF6o6/FS + FE7RXUEv0xm65II2etGj8oT2B7L2DDDb23bu6RQFx491tz/V1TVW0JJE3yYeAPqu + y3rJUGddafj5/SWnHdtAsUK8RVfhyRxCummAHuolmRKfbyOj0i5KzRXkfEn50cDw + GQwVUM6mUbuqFrKC7PRhRIwc3WVgBHewTZlnF/sJAgMBAAGjgaowgacwDgYDVR0P + AQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFFR2iLLAtTDQ/E/J + bTv5jFURrBUVMB8GA1UdIwQYMBaAFFR2iLLAtTDQ/E/JbTv5jFURrBUVMEQGA1Ud + HgQ9MDugOTAHggUuZG40MjAKhwisFAAA//wAADAihyD9QgAAAAAAAAAAAAAAAAAA + //8AAAAAAAAAAAAAAAAAADANBgkqhkiG9w0BAQsFAAOCAQEAXKQ7QaCBaeJxmU11 + S1ogDSrZ7Oq8jU+wbPMuQRqgdfPefjrgp7nbzfUW5GrL58wqj+5/FAqltflmSIHl + aB4MpqM8pyvjlc/jYxUNFglj2WYxO0IufBrlKI5ePZ4omUjpR4YR4gQpYCuWlZmu + P6v/P0WrfgdFTk0LGEA9OwKcTqkPpcI/SjB3rmZcs42yQWvimAF94GtScE09uKlI + 9QLS2UBmtl5EJRFVrDEC12dyamq8dDRfddyaT4MoQOAq3D9BQ1pHByu3pz/QFaJC + 1zAi8vbktPY7OMprTOc8pHDL3q8KFP8jJcoEzZ5Jw0vkCrULhLXvtFtjB0djzVxQ + C0IKqQ== + -----END CERTIFICATE----- + '' + ]; }; - }; - }; - networking.firewall.allowedTCPPorts = [ - 80 - 443 - ]; + services = { + timesyncd.enable = lib.mkDefault true; + fstrim.enable = lib.mkDefault true; + + journald.extraConfig = "SystemMaxUse=2.5G"; + + logind.killUserProcesses = lib.mkDefault true; + + nginx = { + enable = lib.mkDefault true; + 
recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + commonHttpConfig = '' + server_names_hash_bucket_size 64; + charset utf-8; + + access_log off; + ''; + + virtualHosts."${config.networking.fqdn}" = { + useACMEHost = "${config.networking.fqdn}"; + forceSSL = true; + kTLS = true; + default = true; + }; + }; + }; - environment.systemPackages = with pkgs; [ - ghostty.terminfo - ]; - }; + networking.firewall.allowedTCPPorts = [ + 80 + 443 + ]; + + environment.systemPackages = with pkgs; [ + ghostty.terminfo + ]; + } + ] + ); }
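Review bot: The new dn42 gate at the top of the hunk nests two `lib.mkIf` calls where one condition suffices, since `&&` in Nix does not evaluate its right operand when the left one is false: `(lib.mkIf (hostConfig ? networking && hostConfig.networking ? dn42Address) {` followed by `modules.presets.zaphyra.dn42.enable = true;` and `})` drops one level of parentheses. Further down, the `extraDomainNames` filter carried into the merged block rejects any vhost name for which `lib.hasSuffix "dn42"` holds, which would also drop a clearnet name whose last label merely ends in `dn42`; `lib.hasSuffix ".dn42"` limits the exclusion to that TLD, which appears to be the intent now that the dn42 vhost comes from the separate module. Neither point changes what the hosts currently build.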