diff --git a/containers/emerald/configuration.nix b/containers/emerald/configuration.nix index 421ddb0..f69a4c6 100644 --- a/containers/emerald/configuration.nix +++ b/containers/emerald/configuration.nix @@ -16,8 +16,7 @@ ShareURL = "https://${shareFqdn}"; EnableSharing = true; DataFolder = "/persist/navidrome"; - MusicFolder = "/binds/music/main"; + MusicFolder = "/binds/music"; }; }; - systemd.services.navidrome.serviceConfig.BindReadOnlyPaths = ["/binds/music"]; } diff --git a/containers/emerald/flake.nix b/containers/emerald/flake.nix index 5ee69e4..9c9acdc 100644 --- a/containers/emerald/flake.nix +++ b/containers/emerald/flake.nix @@ -9,11 +9,11 @@ shareFqdn = "muse.lava.moe"; subnetId = "5"; - subnet = x: "fd0d:2::${subnetId}:${toString x}"; + subnet = x: "fd0d:1::${subnetId}:${toString x}"; host = subnet 1; client = subnet 2; - subnet4 = x: "10.32.${subnetId}.${toString x}"; + subnet4 = x: "10.30.${subnetId}.${toString x}"; host4 = subnet4 1; client4 = subnet4 2; @@ -39,7 +39,13 @@ useACMEHost = "lava.moe"; forceSSL = true; locations."/".proxyPass = "http://[${client}]:4533"; - listenAddresses = [ "100.67.2.1" ]; + listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ]; + }; + services.nginx.virtualHosts."${shareFqdn}" = { + useACMEHost = "lava.moe"; + forceSSL = true; + locations."/".return = "404"; + locations."/share/".proxyPass = "http://[${client}]:4533"; }; systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ]; @@ -62,7 +68,7 @@ isReadOnly = false; }; bindMounts."music" = { - hostPath = "/flower/media/music"; + hostPath = "/persist/media/music"; mountPoint = "/binds/music"; isReadOnly = true; }; diff --git a/containers/fluorite/configuration.nix b/containers/fluorite/configuration.nix index 9fcb5f5..67dc279 100644 --- a/containers/fluorite/configuration.nix +++ b/containers/fluorite/configuration.nix 
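Review bot: Removing `systemd.services.navidrome.serviceConfig.BindReadOnlyPaths = ["/binds/music"]` drops the service-level read-only guarantee in the same change that widens `MusicFolder` from `/binds/music/main` to the whole `/binds/music` tree. The container's `bindMounts."music".isReadOnly = true` in flake.nix still makes that path read-only, so this is lost defence in depth rather than a hole, but the next reader will not know the guard was deliberately removed. A one-line comment on the `MusicFolder` line would settle it: `# /binds/music is a read-only bind mount from the host (flake.nix); no per-service BindReadOnlyPaths needed`.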
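Review bot: The new `services.nginx.virtualHosts."${shareFqdn}"` block sets no `listenAddresses`, so unlike the `fqdn` vhost directly above it (pinned to `10.0.0.1`, `[fd0d::1]`, `100.67.1.1`) it binds nginx's default of every address, including the public one. That is presumably what a public share link needs — the deleted hosts/dandelion/nginx.nix behaved the same way — but the asymmetry looks like an omission without a note. Suggest `# Intentionally public: only /share/ is proxied, everything else returns 404` above the vhost, so nobody "fixes" it by copying the restricted listenAddresses.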
@@ -1,22 +1,42 @@ { ... }: { system.stateVersion = "25.11"; systemd.tmpfiles.rules = [ - "d /persist/slskd/Downloads 755 slskd slskd" + "d /persist/slskd/downloads 755 slskd slskd" ]; fileSystems."/var/lib/slskd" = { device = "/persist/slskd"; fsType = "none"; options = [ "bind" ]; }; + fileSystems."/var/lib/tailscale" = { + device = "/persist/tailscale"; + fsType = "none"; + options = [ "bind" ]; + }; networking.firewall.allowedTCPPorts = [ 5030 50300 ]; networking.firewall.allowedUDPPorts = [ 5030 50300 ]; + services.tailscale = { + enable = true; + authKeyFile = "/binds/tailscale_auth"; + openFirewall = true; + # interfaceName = "userspace-networking"; + # extraDaemonFlags = [ "--socks5-server=localhost:1055" ]; + extraSetFlags = [ "--exit-node=100.67.1.1" ]; + useRoutingFeatures = "client"; + }; + services.slskd = { enable = true; domain = null; environmentFile = "/binds/slskd_env"; settings = { shares.directories = [ "/binds/music/" ]; + # soulseek.connection.proxy = { + # enabled = true; + # address = "localhost"; + # port = "1055"; + # }; }; }; } diff --git a/containers/fluorite/flake.nix b/containers/fluorite/flake.nix index 33fcdb1..5b9d4d1 100644 --- a/containers/fluorite/flake.nix +++ b/containers/fluorite/flake.nix @@ -16,18 +16,27 @@ host4 = subnet4 1; client4 = subnet4 2; + clientTun = "100.67.2.101"; + modules = [ ./configuration.nix { networking.useHostResolvConf = false; - networking.nameservers = [ host ]; + networking.nameservers = [ "8.8.8.8" ]; } ]; in { nixosConfigurations.container = nixpkgs.lib.nixosSystem { inherit modules; }; - nixosModule = { config, ... }: { + nixosModule = { config, ... }: let + hostfqdn = "${config.networking.hostName}.lava.moe"; + altfqdn = "fluorite.${hostfqdn}"; + # TODO: HACK + listenAddr = if (config.networking.hostName == "alyssum") + then [ "100.67.2.1" ] + else [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ]; + in { networking.nat = { enable = true; enableIPv6 = true; 
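Review bot: The `services.tailscale` exit-node setup fails open: whenever tailscaled is not up (first boot before `authKeyFile` is consumed, key expiry, a control-plane outage), the container's default route is still the veth to the host, and slskd will reach Soulseek peers directly through the host NAT with the host's real address. The commented-out `interfaceName = "userspace-networking"` / `--socks5-server` lines together with the commented `soulseek.connection.proxy` block are the fail-closed variant, because slskd can then only leave the container through tailscaled's SOCKS proxy. If the kernel-mode exit-node route is kept, add an egress filter in the container's `networking.firewall.extraCommands` that accepts OUTPUT only on `tailscale0` and `lo`, plus what tailscaled itself needs on the veth (presumably UDP 41641 and TCP 443 for DERP/control — confirm). Whichever way it goes, a comment explaining why the proxy lines are disabled belongs next to them.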
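Review bot: `networking.nameservers = [ "8.8.8.8" ]` sends the container's DNS to Google instead of the host resolver; with the exit node up those queries presumably ride the tunnel, but when it is down they leak straight out via the host NAT together with the slskd traffic. MagicDNS (`100.100.100.100`) would make name resolution fail closed with the tunnel, which matches the intent of routing everything through the exit node. `clientTun = "100.67.2.101"` is the same literal that modules/system/tailscale.nix hard-codes as the `forwardPorts` destination; hoist it into one shared constant so a node re-IP cannot update one and miss the other. The `# TODO: HACK` hostname switch for `listenAddr` would read better as a host-level option, but that is a style nit.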
@@ -38,8 +47,16 @@ services.nginx.virtualHosts."${fqdn}" = { useACMEHost = "lava.moe"; forceSSL = true; - locations."/".proxyPass = "http://[${client}]:5030"; - listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ]; + locations."/".proxyPass = "http://${clientTun}:5030"; + listenAddresses = listenAddr; + }; + + security.acme.certs.${hostfqdn} = { extraDomainNames = [ "*.${hostfqdn}" ]; }; + services.nginx.virtualHosts."${altfqdn}" = { + useACMEHost = hostfqdn; + forceSSL = true; + locations."/".proxyPass = "http://${clientTun}:5030"; + listenAddresses = listenAddr; }; systemd.tmpfiles.rules = [ @@ -49,6 +66,7 @@ containers.${name} = { autoStart = true; privateNetwork = true; + enableTun = true; hostAddress = host4; localAddress = client4; hostAddress6 = host; @@ -82,6 +100,11 @@ mountPoint = "/binds/slskd_env"; isReadOnly = true; }; + bindMounts."tailscale_auth" = { + hostPath = config.age.secrets.tailscale_auth.path; + mountPoint = "/binds/tailscale_auth"; + isReadOnly = true; + }; # flake = "path:" + ./.; }; }; diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix index 06c415f..9db08f5 100644 --- a/hosts/alyssum/default.nix +++ b/hosts/alyssum/default.nix @@ -5,8 +5,7 @@ age.secrets = { acme_dns.file = ../../secrets/acme_dns.age; - passwd.file = ../../secrets/passwd.age; - navidrome_env.file = ../../secrets/navidrome_env.age; + slskd_env.file = ../../secrets/slskd_env.age; wpa_conf = { file = ../../secrets/wpa_conf.age; path = "/etc/wpa_supplicant/imperative.conf"; @@ -26,16 +25,15 @@ tailscale modules.services.nginx + modules.services.soulbeet modules.services.syncthing - inputs.c-emerald.nixosModule + inputs.c-fluorite.nixosModule inputs.c-garnet.nixosModule ./filesystem.nix ./kernel.nix ./networking.nix - ./home.syncthing.nix - ./samba.nix ../../users/hana ]; diff --git a/hosts/alyssum/home.syncthing.nix b/hosts/alyssum/home.syncthing.nix deleted file mode 100644 index 8d5a1cc..0000000 --- a/hosts/alyssum/home.syncthing.nix +++ /dev/null 
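Review bot: `bindMounts."tailscale_auth"` hands the container the same `tailscale_auth` key that secrets.nix issues to alyssum, anemone, blossom and dandelion, and this container runs an internet-reachable Soulseek daemon whose TCP 50300 is DNAT'd from dandelion's public uplink. If slskd is compromised, a reusable key lets the attacker enrol arbitrary nodes on the tailnet. Use a dedicated key for this node — ideally single-use and tagged (e.g. `tag:fluorite`) so an ACL can limit what 100.67.2.101 may reach — and keep `isReadOnly = true` as it is. A short comment on `enableTun = true` (`# gives the container /dev/net/tun for tailscaled`) would also help, since nothing in the hunk says why it was added.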
@@ -1,39 +0,0 @@ -{ config, lib, ... }: -let - configOn = user: port: { - me.binds."/home/${user}/.config/syncthing" = "${user}/syncthing/config"; - me.binds."/home/${user}/.local/state/syncthing" = "${user}/syncthing/state"; - - systemd.tmpfiles.rules = [ "d /flower/syncthing/${user} 700 ${user} users" ]; - - users.users.${user} = { - hashedPasswordFile = config.age.secrets.passwd.path; - isNormalUser = true; - linger = true; - }; - home-manager.users.${user} = { ... }: { - home = { - username = "${user}"; - homeDirectory = "/home/${user}"; - stateVersion = "26.05"; - }; - services.syncthing = { - enable = true; - guiAddress = "[::]:${toString port}"; - overrideDevices = false; - overrideFolders = false; - settings = { - options.listenAddresses = [ - "tcp://0.0.0.0:2${toString port}" - "quic://0.0.0.0:2${toString port}" - "dynamic+https://relays.syncthing.net/endpoint" - ]; - defaults.folder.path = "/flower/syncthing/${user}"; - }; - }; - }; - }; -in lib.mkMerge [ - (configOn "kujira" 8385) - (configOn "cilly" 8386) -] diff --git a/hosts/alyssum/samba.nix b/hosts/alyssum/samba.nix deleted file mode 100644 index d876981..0000000 --- a/hosts/alyssum/samba.nix +++ /dev/null 
@@ -1,84 +0,0 @@ -{ config, lib, pkgs, ... }: -let - configOn = user: let - passwd_fname = "passwd_smb${user}"; - in { - age.secrets.${passwd_fname}.file = ../../secrets/${passwd_fname}.age; - me.binds."/flower/smb/${user}/music" = "/flower/media/music/${user}"; - me.binds."/flower/smb/${user}/syncthing" = "/flower/syncthing/${user}"; - - users.users.${user} = { - hashedPasswordFile = config.age.secrets.passwd.path; - isNormalUser = true; - }; - - system.activationScripts = { - init_smbpasswd.text = let - smbpasswd = "${config.services.samba.package}/bin/smbpasswd"; - in '' - printf "$(cat ${config.age.secrets.${passwd_fname}.path})\n$(cat ${config.age.secrets.${passwd_fname}.path})\n" | ${smbpasswd} -sa ${user} - ''; - }; - services.samba.settings."${user}" = { - "path" = "/flower/smb/${user}"; - "browseable" = "yes"; - "read only" = "no"; - "guest ok" = "no"; - "create mask" = "0644"; - "directory mask" = "0755"; - "force user" = user; - "force group" = "users"; - "valid users" = user; - }; - }; -in lib.mkMerge [ - (configOn "cilly") - (configOn "kujira") - { - me.binds."/flower/smb/kujira/opencloud" = "/flower/opencloud/data/storage/users/users/a8e29fc0-673c-4c67-be00-2442904acb43"; - - networking.firewall.allowPing = true; - - services.samba = { - enable = true; - package = pkgs.samba4Full; - openFirewall = true; - settings = { - global = { - "server smb encrypt" = "required"; - "workgroup" = "WORKGROUP"; - "server string" = "smbnix"; - "netbios name" = "smbnix"; - "security" = "user"; - "hosts allow" = "100.64.0.0/10 127.0.0.1 alyssum localhost"; - "hosts deny" = "0.0.0.0/0"; - "guest account" = "nobody"; - "map to guest" = "bad user"; - }; - "public" = { - "path" = "/flower/smb/public"; - "browseable" = "yes"; - "read only" = "no"; - "guest ok" = "yes"; - "create mask" = "0644"; - "directory mask" = "0755"; - "force user" = "hana"; - "force group" = "users"; - }; - }; - }; - - services.samba-wsdd = { - enable = true; - openFirewall = true; - }; - - 
services.avahi = { - enable = true; - openFirewall = true; - nssmdns4 = true; - publish.enable = true; - publish.userServices = true; - }; - } -] diff --git a/hosts/dandelion/default.nix b/hosts/dandelion/default.nix index f65dfd1..540008d 100644 --- a/hosts/dandelion/default.nix +++ b/hosts/dandelion/default.nix @@ -5,6 +5,7 @@ age.secrets = { acme_dns.file = ../../secrets/acme_dns.age; + navidrome_env.file = ../../secrets/navidrome_env.age; slskd_env.file = ../../secrets/slskd_env.age; wg_dandelion.file = ../../secrets/wg_dandelion.age; }; @@ -30,12 +31,11 @@ inputs.c-beryllium.nixosModule inputs.c-citrine.nixosModule inputs.c-diamond.nixosModule - inputs.c-fluorite.nixosModule + inputs.c-emerald.nixosModule ./filesystem.nix ./kernel.nix ./networking.nix - ./nginx.nix ../../users/hana ]; diff --git a/hosts/dandelion/nginx.nix b/hosts/dandelion/nginx.nix deleted file mode 100644 index c29de38..0000000 --- a/hosts/dandelion/nginx.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ ... }: { - services.nginx.virtualHosts."muse.lava.moe" = { - useACMEHost = "lava.moe"; - forceSSL = true; - locations."/".return = "404"; - locations."/share/".proxyPass = "http://[fd0d:2::5:2]:4533"; - }; -} diff --git a/modules/binds.nix b/modules/binds.nix index c9ffe18..9c7d4ad 100644 --- a/modules/binds.nix +++ b/modules/binds.nix @@ -1,12 +1,8 @@ { config, lib, ...}: { imports = [ ./options.nix ]; - fileSystems = lib.mapAttrs (dest: key: let - target = if (lib.strings.hasPrefix "/" key) - then key - else "/persist/binds/${key}"; - in { + fileSystems = lib.mapAttrs (dest: key: { depends = [ "/persist" ]; - device = target; + device = "/persist/binds/${key}"; fsType = "none"; options = [ "bind" ]; }) config.me.binds; diff --git a/modules/default.nix b/modules/default.nix index 6775c55..c52cde3 100644 --- a/modules/default.nix +++ b/modules/default.nix 
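Review bot: With the absolute-path branch removed, `device = "/persist/binds/${key}"` silently rewrites a leftover absolute key such as `/flower/x` into `/persist/binds//flower/x` instead of failing at evaluation, and a key containing `..` still escapes the `/persist/binds` prefix. Since the point of the change is to confine binds under `/persist/binds`, enforce it: `assert lib.assertMsg (!(lib.hasPrefix "/" key) && !(lib.hasInfix ".." key)) "me.binds.${dest}: key must be relative to /persist/binds";` before the attrset. The deleted hosts/alyssum/samba.nix was the only visible user of absolute keys, so nothing remaining in this commit should trip the assertion.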
@@ -22,6 +22,7 @@ in { ./services/nginx.nix ./services/postgres.nix ./services/sonarr.nix + ./services/soulbeet.nix ./services/synapse.nix ./services/syncthing.nix ./services/tmptsync.nix diff --git a/modules/services/soulbeet.nix b/modules/services/soulbeet.nix new file mode 100644 index 0000000..57b7cc0 --- /dev/null +++ b/modules/services/soulbeet.nix @@ -0,0 +1,32 @@ +{ ... }: +let + dir_data = "/persist/services/soulbeet/data"; + dir_downloads = "/persist/containers/fluorite/slskd/downloads"; + dir_music = "/persist/media/music"; +in { + systemd.tmpfiles.rules = [ + "d ${dir_data} 700 root root" + "d ${dir_downloads} 755 root users" + "d ${dir_music} 075 nobody users" + ]; + virtualisation.oci-containers.backend = "docker"; + virtualisation.oci-containers.containers = { + container-name = { + image = "docker.io/docccccc/soulbeet:latest"; + autoStart = true; + ports = [ "9765:9765" ]; + environment = { + DATABASE_URL = "sqlite:/data/soulbeet.db"; + DOWNLOAD_PATH = "/downloads"; + SECRET_KEY = "change-me-in-production"; + NAVIDROME_URL = "http://navidrome:4533"; + BEETS_CONFIG = "/config/config.yaml"; + }; + volumes = [ + "${dir_data}:/data" + "${dir_downloads}:/downloads" + "${dir_music}:/music" + ]; + }; + }; +} diff --git a/modules/system/nix.nix b/modules/system/nix.nix index eb14f73..6a6fd04 100644 --- a/modules/system/nix.nix +++ b/modules/system/nix.nix @@ -1,6 +1,5 @@ -{ config, inputs, pkgs, ... }: { +{ config, lib, pkgs, ... }: { nix = { - nixPath = [ "nixpkgs=${inputs.nixpkgs}" ]; package = pkgs.nixVersions.latest; settings = rec { diff --git a/modules/system/tailscale.nix b/modules/system/tailscale.nix index 5e3e044..fe0e8bb 100644 --- a/modules/system/tailscale.nix +++ b/modules/system/tailscale.nix 
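Review bot: `SECRET_KEY = "change-me-in-production"` ships the upstream placeholder as the application's signing secret, and because it is passed via `environment` it lands in the generated systemd unit in the world-readable Nix store; move it to an agenix-managed `environmentFiles` entry like `slskd_env`/`navidrome_env` elsewhere in this tree (the module then needs `config` in its argument set and a `soulbeet_env` secret declared). `ports = [ "9765:9765" ]` publishes on all interfaces, and with `backend = "docker"` Docker installs its own DNAT rules ahead of the NixOS firewall, so the UI is reachable on every host address with no nginx/ACME front — bind it to loopback (or the Tailscale address) and proxy it like the other vhosts. `image = "...:latest"` should be pinned to a digest, `container-name` looks like a leftover placeholder, and `"d ${dir_music} 075 nobody users"` gives the owner no permissions at all (presumably `0775` was meant). `NAVIDROME_URL = "http://navidrome:4533"` will not resolve from a plain container with no user-defined network, and Navidrome lives in the emerald nixos-container on another host, so this probably needs a tailnet address — confirm.
```nix
  systemd.tmpfiles.rules = [
    "d ${dir_data} 700 root root"
    "d ${dir_downloads} 755 root users"
    "d ${dir_music} 0775 nobody users"   # was 075: owner had no access
  ];
  # … unchanged: backend = "docker" …
  virtualisation.oci-containers.containers = {
    soulbeet = {
      # TODO: pin to an immutable digest (…@sha256:<digest>); :latest can change under us
      image = "docker.io/docccccc/soulbeet:latest";
      autoStart = true;
      # Docker publishes ports outside the NixOS firewall: keep it on loopback and front with nginx
      ports = [ "127.0.0.1:9765:9765" ];
      environment = {
        DATABASE_URL = "sqlite:/data/soulbeet.db";
        DOWNLOAD_PATH = "/downloads";
        NAVIDROME_URL = "http://navidrome:4533";  # TODO: tailnet address of the emerald container
        BEETS_CONFIG = "/config/config.yaml";
      };
      # SECRET_KEY comes from an agenix-managed env file, never from the Nix store
      environmentFiles = [ config.age.secrets.soulbeet_env.path ];
      # … unchanged: volumes …
    };
  };
```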
@@ -4,6 +4,19 @@ networking.firewall.trustedInterfaces = [ "tailscale0" ]; networking.firewall.allowedUDPPorts = lib.mkIf (config.me.environment == "headless") [ 123 ]; + networking.nat = lib.mkIf (config.networking.hostName == "dandelion") { + enable = true; + externalInterface = "enp0s6"; + internalInterfaces = [ "tailscale0" ]; + forwardPorts = [ + { + sourcePort = 50300; + proto = "tcp"; + destination = "100.67.2.101:50300"; + } + ]; + }; + networking.firewall.allowedTCPPorts = [ 50300 ]; services.tailscale = { enable = true; authKeyFile = config.age.secrets.tailscale_auth.path; diff --git a/modules/user/neovim.nix b/modules/user/neovim.nix index 2b8d4c1..d691c61 100644 --- a/modules/user/neovim.nix +++ b/modules/user/neovim.nix @@ -1,9 +1,9 @@ -{ config, lib, pkgs, sysConfig, ... }: +{ config, lib, pkgs, ... }: let luaconf = pkgs.writeText "config.lua" (lib.replaceStrings - ["{{OMNISHARP_PATH}}" "{{DART_PATH}}" "{{CATPPUCCIN_FLAVOUR}}" "{{USERNAME}}" "{{HOSTNAME}}"] - ["${pkgs.omnisharp-roslyn}/bin/OmniSharp" "${pkgs.dart}/bin/dart" config.catppuccin.nvim.flavor config.home.username sysConfig.networking.hostName] + ["{{OMNISHARP_PATH}}" "{{DART_PATH}}" "{{CATPPUCCIN_FLAVOUR}}"] + ["${pkgs.omnisharp-roslyn}/bin/OmniSharp" "${pkgs.dart}/bin/dart" config.catppuccin.nvim.flavor] (builtins.readFile ../../res/config.lua)); in { systemd.user.tmpfiles.rules = [ @@ -21,7 +21,6 @@ in { withRuby = false; extraPackages = with pkgs; [ - nixd rust-analyzer texlab astro-language-server diff --git a/res/config.lua b/res/config.lua index c0b5dad..3e91e28 100644 --- a/res/config.lua +++ b/res/config.lua 
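Review bot: `networking.firewall.allowedTCPPorts = [ 50300 ];` sits outside the `lib.mkIf (config.networking.hostName == "dandelion")` guard, so every host importing this module opens TCP 50300 to the world, not just the one doing the DNAT. Put it under the same condition: `networking.firewall.allowedTCPPorts = lib.mkIf (config.networking.hostName == "dandelion") [ 50300 ];` — and since DNAT'd traffic is handled in FORWARD rather than INPUT, verify on dandelion whether the rule is needed at all. `destination = "100.67.2.101:50300"` duplicates `clientTun` in containers/fluorite/flake.nix; one shared constant would keep the two from drifting. A comment that `externalInterface = "enp0s6"` is dandelion's public uplink, and that this `networking.nat` merges with the NAT the container modules already enable, would make the block self-explanatory.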
@@ -167,7 +167,7 @@ vim.diagnostic.config({ capabilities = require('cmp_nvim_lsp').default_capabilities(capabilities) -local servers = { 'astro', 'clangd', 'cssls', 'html', 'tailwindcss', 'texlab', 'ts_ls', 'yamlls' } +local servers = { 'astro', 'clangd', 'cssls', 'html', 'nil_ls', 'tailwindcss', 'texlab', 'ts_ls', 'yamlls' } for _, lsp in ipairs(servers) do vim.lsp.config(lsp, { capabilities = capabilities, @@ -292,32 +292,6 @@ vim.lsp.config("diagnosticls", { }) vim.lsp.enable("diagnosticls") --- LSP/nixd -vim.lsp.config("nixd", { - cmd = { "nixd" }, - filetypes = { "nix" }, - root_markers = { "flake.nix", ".git" }, - settings = { - nixd = { - nixpkgs = { - expr = "import { }", - }, - formatting = { - command = { "nixfmt" }, - }, - options = { - nixos = { - expr = '(builtins.getFlake (toString ./.)).nixosConfigurations.{{HOSTNAME}}.options', - }, - home_manager = { - expr = '(builtins.getFlake (builtins.toString ./.)).nixosConfigurations."{{USERNAME}}@{{HOSTNAME}}".options.home-manager.users.type.getSubOptions []', - }, - }, - }, - }, -}) -vim.lsp.enable("nixd") - -- LSP/Signatures require("lsp_signature").setup { hint_enable = false, diff --git a/secrets.nix b/secrets.nix index b1f55e5..0c9c9b2 100644 --- a/secrets.nix +++ b/secrets.nix 
@@ -7,14 +7,12 @@ let rin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPru5eTBvHJ4ZmrrzPRHCGM09wQP/ZHSaKYalDuBVO15"; in { - "secrets/passwd.age".publicKeys = [ alyssum anemone blossom rin ]; - "secrets/passwd_smbcilly.age".publicKeys = [ alyssum rin ]; - "secrets/passwd_smbkujira.age".publicKeys = [ alyssum rin ]; + "secrets/passwd.age".publicKeys = [ anemone blossom rin ]; "secrets/wpa_conf.age".publicKeys = [ alyssum blossom rin ]; "secrets/acme_dns.age".publicKeys = [ alyssum dandelion hazel rin ]; - "secrets/navidrome_env.age".publicKeys = [ alyssum dandelion rin ]; - "secrets/slskd_env.age".publicKeys = [ anemone dandelion rin ]; + "secrets/navidrome_env.age".publicKeys = [ anemone dandelion rin ]; + "secrets/slskd_env.age".publicKeys = [ alyssum anemone dandelion rin ]; "secrets/tailscale_auth.age".publicKeys = [ alyssum anemone blossom dandelion rin ]; "secrets/warden_admin.age".publicKeys = [ rin ]; "secrets/wg_anemone.age".publicKeys = [ anemone rin ]; diff --git a/secrets/navidrome_env.age b/secrets/navidrome_env.age index 7df364f..6cb705c 100644 Binary files a/secrets/navidrome_env.age and b/secrets/navidrome_env.age differ diff --git a/secrets/passwd.age b/secrets/passwd.age index 05ad906..64ec861 100644 Binary files a/secrets/passwd.age and b/secrets/passwd.age differ diff --git a/secrets/passwd_smbcilly.age b/secrets/passwd_smbcilly.age deleted file mode 100644 index 41ad172..0000000 --- a/secrets/passwd_smbcilly.age +++ /dev/null @@ -1,7 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 kOMSPw CQaXT9/nw3NGD2/H/ctSQGXIoacgjfKQ24wkpEieLSQ -i4xEXgWGQ7xgQyaDQQIeDuiCLjA6Le23qSnv8C1cbcI --> ssh-ed25519 U9FXlg GL4dCSCku/FA6ipb9XI1AxO4lhm2r/1lRAeqaGrB32o -+pPgqwnoPi3wJLobTimVMj0rng+XRapRG6jTYFXSsDM ---- eVgn3ON19pqq+L832bqlbkHUQXdaTI+LfSL4bYfEdew -Æ*Œl\ÈWç!J7E/´»îò"f@%\ìüÏ[¨òj8fÓ¶›ž \ No newline at end of file diff --git a/secrets/passwd_smbkujira.age b/secrets/passwd_smbkujira.age deleted file mode 100644 index 71b6bb8..0000000 
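Review bot: `"secrets/tailscale_auth.age"` stays keyed to five hosts while this same commit also bind-mounts it into the fluorite container (containers/fluorite/flake.nix), so one long-lived credential is now shared by every node and an internet-facing P2P daemon — the widest blast radius a tailnet key can have. Split it per consumer (`tailscale_auth_fluorite.age`, `tailscale_auth_alyssum.age`, …) so rotation after an incident touches only the affected node, and prefer single-use tagged keys where the node is stable. The re-keying of `passwd`, `navidrome_env` and `slskd_env` looks consistent with the host swap (emerald to dandelion, fluorite to alyssum), assuming the binary `.age` files were regenerated with `agenix -r` rather than hand-edited.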
--- a/secrets/passwd_smbkujira.age +++ /dev/null @@ -1,7 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 kOMSPw Kn+LPMoyOrVwI/nrGgnxgVA3D+tVY9Tccg/Yx/jL+E8 -IfWiSBh7KgNvgcHlcDzfdcB9nxm1zy12Ae7AGm39fdE --> ssh-ed25519 U9FXlg 6eIIGEIYDo02FBsgBnwbuOeR8t4xB6jSmLfIL73UCDg -QOc0ddunQQcVEVD20DKKpn3wZWUSveFJSUTBnv+xnNk ---- MjN2i0FNzbUpBGUDNgWGXrRsYl2gtsQX+JlzZV/fYdw -TÎ <ç‘R#d ĆÌŽlLkáN¦½º8´cÃ_N¬)±ŠT \ No newline at end of file diff --git a/secrets/slskd_env.age b/secrets/slskd_env.age index eded5d0..4e7e23f 100644 Binary files a/secrets/slskd_env.age and b/secrets/slskd_env.age differ diff --git a/users/rin/packages.nix b/users/rin/packages.nix index 3fe0129..afc711b 100644 --- a/users/rin/packages.nix +++ b/users/rin/packages.nix @@ -15,6 +15,7 @@ in { ffmpeg gnupg kitty + nil nodejs_latest pamixer pnpm