multiple(teal): Update teal
feat: Add a.starrysky.blog
feat: re-key keys with shorthairNanoResident age key
chore: update packages
fix: redo headscale options
Change-Id: I27cab9abc4622f0a69811e35d4e0eb87af29b42b
Reviewed-on: https://git.clicks.codes/c/Infra/NixFiles/+/981
Reviewed-by: Skyler Grey <minion@clicks.codes>
Tested-by: Skyler Grey <minion@clicks.codes>
diff --git a/flake.lock b/flake.lock
index a07abef..cfcddbb 100644
--- a/flake.lock
+++ b/flake.lock
@@ -24,18 +24,19 @@
"agenix-rekey": {
"inputs": {
"devshell": "devshell",
- "flake-utils": "flake-utils",
+ "flake-parts": "flake-parts",
"nixpkgs": [
"nixpkgs"
],
- "pre-commit-hooks": "pre-commit-hooks"
+ "pre-commit-hooks": "pre-commit-hooks",
+ "treefmt-nix": "treefmt-nix"
},
"locked": {
- "lastModified": 1727102360,
- "narHash": "sha256-ZDqf33OAsr46TlP7TXbxmEf48xenYA3iSLs9441fYbQ=",
+ "lastModified": 1734208773,
+ "narHash": "sha256-K2ugS2XJSyF3lYCrT5SCJtSAqndn/c5OwPkC5Nl18BU=",
"owner": "oddlama",
"repo": "agenix-rekey",
- "rev": "62da71e7eadf6b9b52e831d2e516937c30a5f712",
+ "rev": "1472730015a2b3da0de09d9f1538bab3a816f618",
"type": "github"
},
"original": {
@@ -46,7 +47,7 @@
},
"aux--docs-site": {
"inputs": {
- "flake-utils": "flake-utils_2",
+ "flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
],
@@ -136,15 +137,14 @@
"nixpkgs": [
"agenix-rekey",
"nixpkgs"
- ],
- "systems": "systems_2"
+ ]
},
"locked": {
- "lastModified": 1695195896,
- "narHash": "sha256-pq9q7YsGXnQzJFkR5284TmxrLNFc0wo4NQ/a5E93CQU=",
+ "lastModified": 1728330715,
+ "narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=",
"owner": "numtide",
"repo": "devshell",
- "rev": "05d40d17bf3459606316e3e9ec683b784ff28f16",
+ "rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef",
"type": "github"
},
"original": {
@@ -153,14 +153,37 @@
"type": "github"
}
},
+ "fenix": {
+ "inputs": {
+ "nixpkgs": [
+ "whisk",
+ "nixpkgs"
+ ],
+ "rust-analyzer-src": "rust-analyzer-src"
+ },
+ "locked": {
+ "lastModified": 1732689334,
+ "narHash": "sha256-yKI1KiZ0+bvDvfPTQ1ZT3oP/nIu3jPYm4dnbRd6hYg4=",
+ "owner": "nix-community",
+ "repo": "fenix",
+ "rev": "a8a983027ca02b363dfc82fbe3f7d9548a8d3dce",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "ref": "monthly",
+ "repo": "fenix",
+ "type": "github"
+ }
+ },
"flake-compat": {
"flake": false,
"locked": {
- "lastModified": 1673956053,
- "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+ "lastModified": 1696426674,
+ "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
- "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+ "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
@@ -201,16 +224,34 @@
"type": "github"
}
},
- "flake-utils": {
+ "flake-parts": {
"inputs": {
- "systems": "systems_3"
+ "nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
- "lastModified": 1694529238,
- "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
+ "lastModified": 1730504689,
+ "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "rev": "506278e768c2a08bec68eb62932193e341f55c90",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "type": "github"
+ }
+ },
+ "flake-utils": {
+ "inputs": {
+ "systems": "systems_2"
+ },
+ "locked": {
+ "lastModified": 1710146030,
+ "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
- "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
+ "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
@@ -243,11 +284,11 @@
"systems": "systems_4"
},
"locked": {
- "lastModified": 1710146030,
- "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+ "lastModified": 1731533236,
+ "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
- "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+ "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
@@ -258,7 +299,7 @@
},
"flake-utils_3": {
"inputs": {
- "systems": "systems_6"
+ "systems": "systems_5"
},
"locked": {
"lastModified": 1726560853,
@@ -276,7 +317,7 @@
},
"flake-utils_4": {
"inputs": {
- "systems": "systems_7"
+ "systems": "systems_6"
},
"locked": {
"lastModified": 1694529238,
@@ -292,6 +333,39 @@
"type": "github"
}
},
+ "flake-utils_5": {
+ "inputs": {
+ "systems": "systems_7"
+ },
+ "locked": {
+ "lastModified": 1731533236,
+ "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
+ "flakey-profile": {
+ "locked": {
+ "lastModified": 1712898590,
+ "narHash": "sha256-FhGIEU93VHAChKEXx905TSiPZKga69bWl1VB37FK//I=",
+ "owner": "lf-",
+ "repo": "flakey-profile",
+ "rev": "243c903fd8eadc0f63d205665a92d4df91d42d9d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "lf-",
+ "repo": "flakey-profile",
+ "type": "github"
+ }
+ },
"gitignore": {
"inputs": {
"nixpkgs": [
@@ -301,11 +375,11 @@
]
},
"locked": {
- "lastModified": 1660459072,
- "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
+ "lastModified": 1709087332,
+ "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
- "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
+ "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
@@ -314,6 +388,30 @@
"type": "github"
}
},
+ "headscale": {
+ "inputs": {
+ "flake-utils": [
+ "flake-utils"
+ ],
+ "nixpkgs": [
+ "unstable"
+ ]
+ },
+ "locked": {
+ "lastModified": 1734610210,
+ "narHash": "sha256-3z56ciF39X8K/TxpwQyAcu5Pzq3PYRjScEp6d47Q0tE=",
+ "owner": "juanfont",
+ "repo": "headscale",
+ "rev": "770f3dcb9334adac650276dcec90cd980af53c6e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "juanfont",
+ "ref": "refs/tags/v0.24.0-beta.2",
+ "repo": "headscale",
+ "type": "github"
+ }
+ },
"home-manager": {
"inputs": {
"nixpkgs": [
@@ -342,11 +440,11 @@
]
},
"locked": {
- "lastModified": 1728337164,
- "narHash": "sha256-VdRTjJFyq4Q9U7Z/UoC2Q5jK8vSo6E86lHc2OanXtvc=",
+ "lastModified": 1735381016,
+ "narHash": "sha256-CyCZFhMUkuYbSD6bxB/r43EdmDE7hYeZZPTCv0GudO4=",
"owner": "nix-community",
"repo": "home-manager",
- "rev": "038630363e7de57c36c417fd2f5d7c14773403e4",
+ "rev": "10e99c43cdf4a0713b4e81d90691d22c6a58bdf2",
"type": "github"
},
"original": {
@@ -357,11 +455,11 @@
},
"impermanence": {
"locked": {
- "lastModified": 1727649413,
- "narHash": "sha256-FA53of86DjFdeQzRDVtvgWF9o52rWK70VHGx0Y8fElQ=",
+ "lastModified": 1734945620,
+ "narHash": "sha256-olIfsfJK4/GFmPH8mXMmBDAkzVQ1TWJmeGT3wBGfQPY=",
"owner": "nix-community",
"repo": "impermanence",
- "rev": "d0b38e550039a72aff896ee65b0918e975e6d48e",
+ "rev": "d000479f4f41390ff7cf9204979660ad5dd16176",
"type": "github"
},
"original": {
@@ -370,6 +468,44 @@
"type": "github"
}
},
+ "lix": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1729298361,
+ "narHash": "sha256-hiGtfzxFkDc9TSYsb96Whg0vnqBVV7CUxyscZNhed0U=",
+ "rev": "ad9d06f7838a25beec425ff406fe68721fef73be",
+ "type": "tarball",
+ "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/ad9d06f7838a25beec425ff406fe68721fef73be.tar.gz?rev=ad9d06f7838a25beec425ff406fe68721fef73be"
+ },
+ "original": {
+ "type": "tarball",
+ "url": "https://git.lix.systems/lix-project/lix/archive/2.91.1.tar.gz"
+ }
+ },
+ "lix-module": {
+ "inputs": {
+ "flake-utils": "flake-utils_3",
+ "flakey-profile": "flakey-profile",
+ "lix": "lix",
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1732605668,
+ "narHash": "sha256-DN5/166jhiiAW0Uw6nueXaGTueVxhfZISAkoxasmz/g=",
+ "ref": "refs/tags/2.91.1-2",
+ "rev": "f19bd752910bbe3a861c9cad269bd078689d50fe",
+ "revCount": 113,
+ "type": "git",
+ "url": "https://git.lix.systems/lix-project/nixos-module"
+ },
+ "original": {
+ "ref": "refs/tags/2.91.1-2",
+ "type": "git",
+ "url": "https://git.lix.systems/lix-project/nixos-module"
+ }
+ },
"nixpkgs": {
"locked": {
"lastModified": 1703013332,
@@ -386,34 +522,62 @@
"type": "github"
}
},
+ "nixpkgs-lib": {
+ "locked": {
+ "lastModified": 1730504152,
+ "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=",
+ "type": "tarball",
+ "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
+ },
+ "original": {
+ "type": "tarball",
+ "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
+ }
+ },
"nixpkgs-stable": {
"locked": {
- "lastModified": 1685801374,
- "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=",
+ "lastModified": 1730741070,
+ "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "c37ca420157f4abc31e26f436c1145f8951ff373",
+ "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
"type": "github"
},
"original": {
"owner": "NixOS",
- "ref": "nixos-23.05",
+ "ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
- "lastModified": 1728193676,
- "narHash": "sha256-PbDWAIjKJdlVg+qQRhzdSor04bAPApDqIv2DofTyynk=",
+ "lastModified": 1735531152,
+ "narHash": "sha256-As8I+ebItDKtboWgDXYZSIjGlKeqiLBvjxsQHUmAf1Q=",
"owner": "nixos",
"repo": "nixpkgs",
- "rev": "ecbc1ca8ffd6aea8372ad16be9ebbb39889e55b6",
+ "rev": "3ffbbdbac0566a0977da3d2657b89cbcfe9a173b",
"type": "github"
},
"original": {
"owner": "nixos",
- "ref": "nixos-24.05",
+ "ref": "nixos-24.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_3": {
+ "locked": {
+ "lastModified": 1734875076,
+ "narHash": "sha256-Pzyb+YNG5u3zP79zoi8HXYMs15Q5dfjDgwCdUI5B0nY=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "1807c2b91223227ad5599d7067a61665c52d1295",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-24.11",
"repo": "nixpkgs",
"type": "github"
}
@@ -421,10 +585,6 @@
"pre-commit-hooks": {
"inputs": {
"flake-compat": "flake-compat",
- "flake-utils": [
- "agenix-rekey",
- "flake-utils"
- ],
"gitignore": "gitignore",
"nixpkgs": [
"agenix-rekey",
@@ -433,11 +593,11 @@
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
- "lastModified": 1694364351,
- "narHash": "sha256-oadhSCqopYXxURwIA6/Anpe5IAG11q2LhvTJNP5zE6o=",
+ "lastModified": 1732021966,
+ "narHash": "sha256-mnTbjpdqF0luOkou8ZFi2asa1N3AA2CchR/RqCNmsGE=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
- "rev": "4f883a76282bc28eb952570afc3d8a1bf6f481d7",
+ "rev": "3308484d1a443fc5bc92012435d79e80458fe43c",
"type": "github"
},
"original": {
@@ -453,12 +613,32 @@
"aux--docs-site": "aux--docs-site",
"aux--wiki": "aux--wiki",
"deploy-rs": "deploy-rs",
- "flake-utils": "flake-utils_3",
+ "flake-utils": "flake-utils_2",
+ "headscale": "headscale",
"home-manager": "home-manager_2",
"impermanence": "impermanence",
+ "lix-module": "lix-module",
"nixpkgs": "nixpkgs_2",
"snowfall-lib": "snowfall-lib",
- "unstable": "unstable"
+ "unstable": "unstable",
+ "whisk": "whisk"
+ }
+ },
+ "rust-analyzer-src": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1732633904,
+ "narHash": "sha256-7VKcoLug9nbAN2txqVksWHHJplqK9Ou8dXjIZAIYSGc=",
+ "owner": "rust-lang",
+ "repo": "rust-analyzer",
+ "rev": "8d5e91c94f80c257ce6dbdfba7bd63a5e8a03fa6",
+ "type": "github"
+ },
+ "original": {
+ "owner": "rust-lang",
+ "ref": "nightly",
+ "repo": "rust-analyzer",
+ "type": "github"
}
},
"snowfall-lib": {
@@ -470,11 +650,11 @@
]
},
"locked": {
- "lastModified": 1719005984,
- "narHash": "sha256-mpFl3Jv4fKnn+5znYXG6SsBjfXHJdRG5FEqNSPx0GLA=",
+ "lastModified": 1732544274,
+ "narHash": "sha256-qvzLIxuqukl0nxpXHEh5+iw1BLeLxYOwRC0+7cFUbPo=",
"owner": "snowfallorg",
"repo": "lib",
- "rev": "c6238c83de101729c5de3a29586ba166a9a65622",
+ "rev": "cfeacd055545ab5de0ecfd41e09324dcd8fb2bbb",
"type": "github"
},
"original": {
@@ -588,13 +768,34 @@
"type": "github"
}
},
+ "treefmt-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "agenix-rekey",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1732292307,
+ "narHash": "sha256-5WSng844vXt8uytT5djmqBCkopyle6ciFgteuA9bJpw=",
+ "owner": "numtide",
+ "repo": "treefmt-nix",
+ "rev": "705df92694af7093dfbb27109ce16d828a79155f",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "treefmt-nix",
+ "type": "github"
+ }
+ },
"unstable": {
"locked": {
- "lastModified": 1728241625,
- "narHash": "sha256-yumd4fBc/hi8a9QgA9IT8vlQuLZ2oqhkJXHPKxH/tRw=",
+ "lastModified": 1735471104,
+ "narHash": "sha256-0q9NGQySwDQc7RhAV2ukfnu7Gxa5/ybJ2ANT8DQrQrs=",
"owner": "nixos",
"repo": "nixpkgs",
- "rev": "c31898adf5a8ed202ce5bea9f347b1c6871f32d1",
+ "rev": "88195a94f390381c6afcdaa933c2f6ff93959cb4",
"type": "github"
},
"original": {
@@ -606,7 +807,7 @@
},
"utils": {
"inputs": {
- "systems": "systems_5"
+ "systems": "systems_3"
},
"locked": {
"lastModified": 1701680307,
@@ -621,6 +822,26 @@
"repo": "flake-utils",
"type": "github"
}
+ },
+ "whisk": {
+ "inputs": {
+ "fenix": "fenix",
+ "flake-utils": "flake-utils_5",
+ "nixpkgs": "nixpkgs_3"
+ },
+ "locked": {
+ "lastModified": 1735627103,
+ "narHash": "sha256-kTH5wmd8thpeCmeHOd2MrsO38vG87LsHL9oHz4fDuVM=",
+ "owner": "freshlybakedcake",
+ "repo": "whisk",
+ "rev": "3e94046a7d0c696df4a3ce44ad3743580c3113f2",
+ "type": "github"
+ },
+ "original": {
+ "owner": "freshlybakedcake",
+ "repo": "whisk",
+ "type": "github"
+ }
}
},
"root": "root",
diff --git a/flake.nix b/flake.nix
index 336b360..26d1cc9 100644
--- a/flake.nix
+++ b/flake.nix
@@ -19,16 +19,27 @@
inputs.nixpkgs.follows = "nixpkgs";
};
+ flake-utils.url = "github:numtide/flake-utils";
+
+ headscale = {
+ url = "github:juanfont/headscale?ref=refs/tags/v0.24.0-beta.2";
+ inputs.nixpkgs.follows = "unstable";
+ inputs.flake-utils.follows = "flake-utils";
+ };
+
home-manager = {
url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nixpkgs";
};
- flake-utils.url = "github:numtide/flake-utils";
-
impermanence.url = "github:nix-community/impermanence";
- nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
+ lix-module = {
+ url = "git+https://git.lix.systems/lix-project/nixos-module?ref=refs/tags/2.91.1-2";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
snowfall-lib = {
url = "github:snowfallorg/lib";
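Review bot: The new `headscale` input is pinned to a pre-release tag (`v0.24.0-beta.2`), and the headscale module change in this commit makes that beta build the VPN control plane package, so the pin is a deliberate risk decision that deserves a comment next to the `url` line, e.g. `# TODO(review): pinned to a beta tag; revisit when v0.24.0 is released`. It also follows `unstable` for nixpkgs while every other input here follows `nixpkgs` (24.11); that is presumably intentional, but stating the reason in the same comment would stop the next reader from "fixing" it. The `inputs` attribute set continues past the end of this hunk.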
@@ -37,12 +48,16 @@
unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+ whisk.url = "github:freshlybakedcake/whisk";
+
+
aux--docs-site = {
url = "git+https://git.auxolotl.org/auxolotl/docs-site";
inputs.nixpkgs.follows = "nixpkgs";
inputs.snowfall-lib.follows = "snowfall-lib";
inputs.wiki.follows = "aux--wiki";
};
+
aux--wiki = {
url = "git+https://git.auxolotl.org/auxolotl/wiki";
flake = false;
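Review bot: `whisk.url = "github:freshlybakedcake/whisk";` sets no `inputs.nixpkgs.follows`, so the lock file in this commit gains a separate `nixpkgs_3` plus `fenix`/`rust-analyzer-src` on the `nightly` ref, i.e. a second nixpkgs evaluation and a moving nightly input that the rest of the flake does not otherwise depend on. If whisk's packages build against 24.11, `whisk = { url = "github:freshlybakedcake/whisk"; inputs.nixpkgs.follows = "nixpkgs"; };` keeps the dependency graph to one nixpkgs — worth verifying before changing it. The double blank line after the whisk entry is also a small style inconsistency with the rest of the block.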
@@ -64,7 +79,7 @@
in
lib.mkFlake {
overlays = [
- inputs.agenix-rekey.overlays.default
+ inputs.agenix-rekey.overlays.default
];
systems.modules.nixos = [
@@ -76,6 +91,7 @@
# set defaults that are clicks-specific, such as our backups module
# being enabled...
}
+ inputs.lix-module.nixosModules.default
];
deploy = lib.clicks.deploy.mkDeploy {
diff --git a/modules/nixos/clicks/networking/tailscale/default.nix b/modules/nixos/clicks/networking/tailscale/default.nix
index 827a3f0..118cae4 100644
--- a/modules/nixos/clicks/networking/tailscale/default.nix
+++ b/modules/nixos/clicks/networking/tailscale/default.nix
@@ -21,7 +21,7 @@
};
server = lib.mkOption {
description = "Set where your control plane server is";
- default = "clicks.domains";
+ default = "vpn.clicks.codes";
example = "controlplane.tailscale.com";
};
authKeyFile = lib.mkOption {
diff --git a/modules/nixos/clicks/nix/default.nix b/modules/nixos/clicks/nix/default.nix
index 5403d54..766462c 100644
--- a/modules/nixos/clicks/nix/default.nix
+++ b/modules/nixos/clicks/nix/default.nix
@@ -30,12 +30,6 @@
{
options.clicks.nix = {
enable = lib.mkEnableOption "Nix configuration";
- package = lib.mkOption {
- type = lib.types.package;
- default = pkgs.nix;
- defaultText = "pkgs.nix";
- description = "Which Nix package to use.";
- };
default-substituter = {
url = lib.mkOption {
@@ -68,8 +62,6 @@
users = [ "root" ];
in
({
- package = cfg.package;
-
settings = {
experimental-features = "nix-command flakes";
http-connections = 50;
diff --git a/modules/nixos/clicks/security/secrets/default.nix b/modules/nixos/clicks/security/secrets/default.nix
index 8a120f9..b165d7b 100644
--- a/modules/nixos/clicks/security/secrets/default.nix
+++ b/modules/nixos/clicks/security/secrets/default.nix
@@ -16,10 +16,14 @@
config.age = lib.optionalAttrs cfg.enable {
rekey = {
- masterIdentities = [
- "${inputs.self}/secrets/keys/minion/collabora-yubikey.pub"
- "${inputs.self}/secrets/keys/minion/tiny-yubikey.pub"
- "${inputs.self}/secrets/keys/minion/iyubikey.pub"
+ masterIdentities =
+ let
+ keyPath = "${inputs.self}/secrets/keys";
+ in [
+ "${keyPath}/minion/collabora-yubikey.pub"
+ "${keyPath}/minion/tiny-yubikey.pub"
+ "${keyPath}/minion/iyubikey.pub"
+ "${keyPath}/coded/ShorthairNano.pub"
];
storageMode = "local";
generatedSecretsDir = lib.snowfall.fs.get-snowfall-file "secrets/generated/${config.networking.hostName}";
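Review bot: Adding `coded/ShorthairNano.pub` to `masterIdentities` widens the set of hardware keys that can decrypt every host secret, but only teal's files under `systems/x86_64-linux/teal/` are re-encrypted in this commit; any secret for another host that exists outside this diff would still be encrypted to the previous three identities only and not be decryptable with the new key until it is re-encrypted — please confirm. A short comment above the list would make that coupling explicit, e.g. `# Every *.age secret under systems/ must be re-encrypted whenever this list changes`. The new key sits under `coded/` while the existing three are under `minion/`; if the directory names the key holder that is fine, otherwise it reads as an inconsistency.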
diff --git a/modules/nixos/clicks/services/headscale/default.nix b/modules/nixos/clicks/services/headscale/default.nix
index 2d104bd..69c4c39 100644
--- a/modules/nixos/clicks/services/headscale/default.nix
+++ b/modules/nixos/clicks/services/headscale/default.nix
@@ -6,6 +6,8 @@
lib,
config,
pkgs,
+ system,
+ inputs,
...
}:
let
@@ -18,6 +20,10 @@
type = lib.types.str;
description = "The domain of the url users should connect to to register a new device";
};
+ server_url = lib.mkOption {
+ type = lib.types.str;
+ description = "The domain of the url users should connect to to register a new device";
+ };
addr = lib.mkOption {
type = lib.types.str;
description = "Where to host headscale";
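Review bot: The description of the new `server_url` option is a verbatim copy of the one on `domain` ("The domain of the url users should connect to to register a new device", including the doubled "to"), so a reader cannot tell the two apart even though the config hunks below use `server_url` for the nginx vhost and `settings.server_url`, and `domain` only for `settings.dns.base_domain`. Suggest `description = "Hostname the control plane is served on; used for the nginx vhost and settings.server_url (not a URL despite the name).";` and tightening `domain`'s text to say it is the DNS base domain. The enclosing `options.clicks.services.headscale` set continues outside the hunk.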
@@ -48,10 +54,6 @@
description = "Client secret file path";
};
};
- database_password_path = lib.mkOption {
- type = lib.types.str;
- description = "Database password file path";
- };
noise_private_key_path = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "Noise private key file path";
@@ -71,16 +73,15 @@
config = lib.mkIf cfg.enable {
clicks = {
- services.postgres.enable = true;
- services.postgres.databases.headscale = cfg.database_password_path;
- services.postgres.secretRequiredGroups = [ "headscale" ];
services.nginx.enable = true;
- services.nginx.hosts.${cfg.domain} = {
+ services.nginx.hosts.${cfg.server_url} = {
service = lib.clicks.nginx.http.reverseProxy cfg.addr cfg.port;
www = false;
# TODO: disable http when we have changed a1d2's reverse proxy config to allow us to terminate HTTPS
enableHttp = true;
};
+
+ storage.impermanence.persist.directories = [ "/var/lib/headscale" ];
};
services.headscale = {
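Review bot: Dropping the three `services.postgres.*` lines moves headscale onto its built-in database under `/var/lib/headscale` (which the new impermanence persist entry covers), but nothing in the commit migrates the existing PostgreSQL data, so registered nodes, users and API keys would have to be re-created unless they were exported separately — hedged, since the deployment state is not visible here. A comment on the persist line such as `# headscale now uses its built-in sqlite DB here; postgres data was not migrated` would record that decision for the next operator. The `config = lib.mkIf cfg.enable` block continues beyond this hunk.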
@@ -89,34 +90,27 @@
address = cfg.addr;
port = cfg.port;
- settings.db_type = "postgres";
- settings.db_port = config.services.postgresql.settings.port;
- settings.db_user = "headscale";
- settings.db_password_file = cfg.database_password_path;
- settings.db_name = "headscale";
- settings.db_host = lib.clicks.constants.hosts.standard;
+ package = lib.recursiveUpdate inputs.headscale.packages.${system}.headscale ({ meta.mainProgram = "headscale"; });
- settings.server_url = "https://${cfg.domain}";
-
- settings.ip_prefixes = "100.64.0.0/10";
+ settings.server_url = "https://${cfg.server_url}";
settings.noise.private_key_path = lib.mkIf (
cfg.noise_private_key_path != null
) cfg.noise_private_key_path;
- settings.private_key_path = lib.mkIf (cfg.private_key_path != null) cfg.private_key_path;
- settings.dns_config = {
- nameservers = [
+ settings.dns = {
+ nameservers.global = [
"1.1.1.1"
"1.0.0.1"
+ "2606:4700:4700::1111"
+ "2606:4700:4700::1001"
];
- domains = [ cfg.domain ];
- override_local_dns = true;
base_domain = cfg.domain;
};
settings.oidc = lib.mkIf cfg.oidc.enable {
only_start_if_oidc_is_available = true;
+ strip_email_domain = true;
issuer = cfg.oidc.issuer;
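Review bot: `settings.ip_prefixes = "100.64.0.0/10"` is removed with no replacement, so headscale's built-in default prefixes now apply; if those differ from the previous explicit value for the pinned beta (and an IPv6 prefix is now included by default), existing node addresses could change on the next start, so this is worth checking against the pinned headscale version before deploying. A one-line comment near `settings.dns`, e.g. `# ip_prefixes deliberately left at headscale's defaults`, would save the next reader the same check. On the `package =` line, `lib.recursiveUpdate` over a derivation works, but `inputs.headscale.packages.${system}.headscale.overrideAttrs (o: { meta = o.meta // { mainProgram = "headscale"; }; })` is the conventional way to patch `meta`.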
@@ -124,17 +118,12 @@
client_secret_path = cfg.oidc.client_secret_path;
allowed_groups = lib.mkIf (cfg.oidc.allowed_groups != null) cfg.oidc.allowed_groups;
- strip_email_domain = true;
};
- settings.acl_policy_path = lib.mkIf (cfg.acl != null) (
- pkgs.writers.writeJSON "tailscale-acls.json" cfg.acl
- );
+ settings.policy = lib.mkIf (cfg.acl != null) {
+ mode = "file";
+ path = (pkgs.writers.writeJSON "tailscale-acls.json" cfg.acl);
+ };
};
-
- systemd.services.headscale.requires = [ "postgresql.service" ] ++
- (if config.clicks.services.nginx.enable then [ "nginx.service" ] else []);
- systemd.services.headscale.after = [ "postgresql.service" ] ++
- (if config.clicks.services.nginx.enable then [ "nginx.service" ] else []);
};
}
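Review bot: The parentheses on the `path =` line are redundant for an attribute value; `path = pkgs.writers.writeJSON "tailscale-acls.json" cfg.acl;` matches how the rest of the file is written. Removing the `systemd.services.headscale` ordering on `nginx.service` is harmless for inbound traffic, but it was also the only ordering between headscale and the reverse proxy, so if the OIDC issuer is served through the same nginx, `only_start_if_oidc_is_available = true` can now race it at boot — worth confirming, since the issuer host is not visible here.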
diff --git a/modules/nixos/clicks/services/postgres/default.nix b/modules/nixos/clicks/services/postgres/default.nix
index 0f6b71f..836bf71 100644
--- a/modules/nixos/clicks/services/postgres/default.nix
+++ b/modules/nixos/clicks/services/postgres/default.nix
@@ -2,13 +2,14 @@
#
# SPDX-License-Identifier: GPL-3.0-only
-{ lib, config, ... }:
+{ lib, config, pkgs, ... }:
let
cfg = config.clicks.services.postgres;
in
{
options.clicks.services.postgres = {
enable = lib.mkEnableOption "Postgresql DB";
+ latest = lib.mkEnableOption "Use pinned PG version, otherwise default to 15.10";
databases = lib.mkOption {
type = lib.types.attrsOf lib.types.str;
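Review bot: The `latest` option's description reads backwards relative to its implementation on the `package =` line in the next hunk: enabling it selects `pkgs.postgresql` (nixpkgs' current default), and leaving it off pins `pkgs.postgresql_15`, while the text says enabling it uses the pinned version and names a minor release (15.10) that will drift as nixpkgs updates. Suggest `latest = lib.mkEnableOption "nixpkgs' default PostgreSQL instead of the pinned postgresql_15";` (mkEnableOption prefixes its own "Whether to enable"). Since flipping this on an existing host changes the major version, and PostgreSQL will not start on a data directory initialised by a different major, a `# changing the major version requires a manual pg_upgrade of the data directory` comment beside `package =` would be worth adding.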
@@ -34,6 +35,7 @@
lib.mkIf cfg.enable {
services.postgresql = {
enable = true;
+ package = if cfg.latest then pkgs.postgresql else pkgs.postgresql_15;
settings = {
listen_addresses = lib.mkForce lib.clicks.constants.hosts.standard;
diff --git a/modules/nixos/clicks/sites/a.starrysky.blog/default.nix b/modules/nixos/clicks/sites/a.starrysky.blog/default.nix
new file mode 100644
index 0000000..51058fc
--- /dev/null
+++ b/modules/nixos/clicks/sites/a.starrysky.blog/default.nix
@@ -0,0 +1,57 @@
+# SPDX-FileCopyrightText: 2024 Clicks Codes
+#
+# SPDX-License-Identifier: GPL-3.0-only
+
+{ config, inputs, lib, system, pkgs, ... }:
+let
+ siteUrl = "a.starrysky.blog";
+ blogTitle = "A Starry Blog";
+ publicTitleRegex = ''(M36\.31\+[0-9]+ )?(?<title>.*)'';
+ blogPath = "/persist/data/var/lib/silverbullet/Skyler Grey/M36 Personal/30-39 Creativity/31 Blog";
+in
+{
+ options.clicks.sites."${siteUrl}".enable = lib.options.mkEnableOption "Enable hosting https://${siteUrl}";
+
+ config = lib.modules.mkIf config.clicks.sites."${siteUrl}".enable {
+ clicks.services.nginx = {
+ enable = true;
+
+ hosts.${siteUrl} = {
+ service = lib.clicks.nginx.http.directory "/var/lib/whisk/${siteUrl}";
+ www = false;
+ enableHttp = true;
+ };
+ };
+
+ environment.systemPackages = [ pkgs.nodejs-slim_23 ];
+
+ systemd.services."${siteUrl}-setup" = {
+ script = ''
+ export PATH=${pkgs.nodejs-slim_23}/bin:${pkgs.pnpm}/bin::$PATH
+ WORKDIR=$(mktemp -d)
+ cp -r ${inputs.whisk}/frontend/* $WORKDIR
+ cd $WORKDIR
+ pnpm i --reporter=append-only
+
+ mkdir -p /var/lib/whisk
+ rm -rf /var/lib/whisk/${siteUrl}
+
+ export BLOG_PATH='${blogPath}'
+ export PUBLIC_TITLE_REGEX='${publicTitleRegex}'
+ export SITE_URL='${siteUrl}'
+ export BLOG_TITLE='${blogTitle}'
+
+ echo $BLOG_PATH
+
+ pnpm run build --outDir /var/lib/whisk/${siteUrl}
+ '';
+
+ serviceConfig.Type = "oneshot";
+
+ path = [ pkgs.nodejs-slim_23 pkgs.pnpm ];
+
+ wantedBy = [ "nginx.service" ];
+ before = [ "nginx.service" ];
+ };
+ };
+}
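Review bot: The build script deletes the live site (`rm -rf /var/lib/whisk/${siteUrl}`) before `pnpm run build` has succeeded, so a failed build or a lost registry connection during `pnpm i` leaves nginx serving nothing until the next successful run; building into a staging directory and moving it into place only on success avoids that. The `::` in the PATH export inserts an empty entry, which POSIX shells treat as the current directory, so an executable name in the freshly copied and pnpm-populated work tree would shadow system commands — drop the duplicated colon. The `mktemp -d` directory is never removed and `echo $BLOG_PATH` looks like leftover debugging. Note also that `pnpm i` resolves and downloads the dependency tree at service start rather than from `flake.lock`, so the published site's supply chain is only as pinned as whisk's own lockfile, if it ships one; a comment such as `# NOTE: JS dependencies are fetched at activation time, not pinned by flake.lock` would make that visible.
```nix
    script = ''
      export PATH=${pkgs.nodejs-slim_23}/bin:${pkgs.pnpm}/bin:$PATH
      WORKDIR=$(mktemp -d)
      trap 'rm -rf "$WORKDIR"' EXIT
      cp -r ${inputs.whisk}/frontend/* "$WORKDIR"
      cd "$WORKDIR"
      pnpm i --reporter=append-only

      # … unchanged: BLOG_PATH / PUBLIC_TITLE_REGEX / SITE_URL / BLOG_TITLE exports …

      # Build into a staging dir and swap it in only on success, so a failed
      # build leaves the previously published site in place.
      mkdir -p /var/lib/whisk
      pnpm run build --outDir "$WORKDIR/out"
      rm -rf /var/lib/whisk/${siteUrl}
      mv "$WORKDIR/out" /var/lib/whisk/${siteUrl}
    '';
```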
diff --git a/secrets/keys/coded/ShorthairNano.pub b/secrets/keys/coded/ShorthairNano.pub
new file mode 100644
index 0000000..e15b20d
--- /dev/null
+++ b/secrets/keys/coded/ShorthairNano.pub
@@ -0,0 +1,7 @@
+# Serial: 27450950, Slot: 1
+# Name: SHORTHAIR
+# Created: Tue, 20 Aug 2024 22:10:38 +0000
+# PIN policy: Once (A PIN is required once per session, if set)
+# Touch policy: Always (A physical touch is required for every decryption)
+# Recipient: age1yubikey1qvyj2mxs3lwhqu8a27udpzc87wfhjr2gx2mv62z7xcsszq32kg6evgs0sls
+AGE-PLUGIN-YUBIKEY-1GM02YQVZ4STPZMGDZMVQ7
diff --git a/secrets/rekeyed/teal/035988d5aa30b83dbdb77a1c7546d45b-6b95b5ae6fcbe0d6537636bd20523d28b45b28d36aa27c34a096c1e99c47435b.age b/secrets/rekeyed/teal/035988d5aa30b83dbdb77a1c7546d45b-6b95b5ae6fcbe0d6537636bd20523d28b45b28d36aa27c34a096c1e99c47435b.age
deleted file mode 100644
index 8c9461e..0000000
--- a/secrets/rekeyed/teal/035988d5aa30b83dbdb77a1c7546d45b-6b95b5ae6fcbe0d6537636bd20523d28b45b28d36aa27c34a096c1e99c47435b.age
+++ /dev/null
@@ -1,9 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 BfRbTA Aq01AXbt1t5l/cnM8VDRsozTVyyIyKp/mLNOJDrTaQQ
-mxDu9M7SEBetniRq9FFYq00I83uQTw2/X+p3M8TskGE
--> g"jn$G-grease ~2v Kg1NIk7H ^&7[ *1]
-E4yMjCQVGFb/t6ZgZ76eGAHh9giOF6S1Dhv2lp129wAMtAvWai5l6qmLh7YonyAj
-3TFSv5ccM0KHTL8eJhaLwhPQBIxWXV/0wjcM9d/xM14wqb0I8Q
---- dZWO3BAyJvPnqUt8uWixM8iomMKhRNHfyXW5zqjlHqs
-±7,ïÜ!NþhÒoë§ßP4]^Rg(ôNë·
-ÊÙéÞïÀT
f
å)8ä1¼Öh*ÃMòJóqNªUnzª¶Öy,\ºÓÕê§~«|ýhXôjϤ¶9`-ÇÝç(o
\ No newline at end of file
diff --git a/secrets/rekeyed/teal/0bfc36ca599f766eea3f0c2d0c9055b1-eac5e3f373792c0bc738b5f664f04ba6763f93f3d44677f48fdfa96d4c2b67c8.age b/secrets/rekeyed/teal/0bfc36ca599f766eea3f0c2d0c9055b1-eac5e3f373792c0bc738b5f664f04ba6763f93f3d44677f48fdfa96d4c2b67c8.age
new file mode 100644
index 0000000..df3023e
--- /dev/null
+++ b/secrets/rekeyed/teal/0bfc36ca599f766eea3f0c2d0c9055b1-eac5e3f373792c0bc738b5f664f04ba6763f93f3d44677f48fdfa96d4c2b67c8.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 BfRbTA E/uDVcK3ncFehF6BYJthMKYS01JnHiOpexBkCInXFm4
+EYnR1/g2kcukEEdT1Y5ByrU8Q+tjW1Dp5z8Kiy2a5Yg
+-> ${r-[&#-grease
+2UTcpfrDdaeb5vRy94N+8HfaDofKknqkdCts3uiNkVWz8bAD36LObWIACvDDvw6A
+YKc
+--- rRw6SZ3qmtulo3zyS2q6VnNZI8oIheH/LiUumzvRIIc
+ÛX§BøÁ[bÁr;z^¥gØË1¡«ð5ºoÁlnXæ$rXäúíÜjnö<ávÚr¨O¤Ü¸/÷½¹ âð« îOÇy^Ø
\ No newline at end of file
diff --git a/secrets/rekeyed/teal/11d9d957b13608f13fb57001f76bcf3c-c4c037e34cf36b8bffb9edf5f5d8bfe94d77328dfb336a430afb03348327de81.age b/secrets/rekeyed/teal/11d9d957b13608f13fb57001f76bcf3c-c4c037e34cf36b8bffb9edf5f5d8bfe94d77328dfb336a430afb03348327de81.age
deleted file mode 100644
index 116f01f..0000000
--- a/secrets/rekeyed/teal/11d9d957b13608f13fb57001f76bcf3c-c4c037e34cf36b8bffb9edf5f5d8bfe94d77328dfb336a430afb03348327de81.age
+++ /dev/null
@@ -1,8 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 BfRbTA 4fv3HkHjLrAzbwUxBI6t9eulii/6ntjEOXyKYDs9Jjc
-bIO+liIXt3rA/bA7kZudmtsu2pa5iTwx7ecpGNqnqx4
--> .|rp@~-grease c^R4&_n d ?<deuW Uyk%dh
-5qJZTbzAG9OUsEunIA3inP6/y1rtw2UjkBv/OY4BjyGTR6a6LwRa0V/JAmhyA0rQ
-jWoOPWQE4BmSnJ3stUrTDZkBHk+S5YEvEJ7Alq3EojYHKI2ph4hdyTa+kQ
---- YNFzHWhM/Z8oiJ1KcZrCAAiiBMco/TDdUiXS199+l/0
-c¸d¸_%¬ôáʸ¾ñÄùÅdù0gk
Câ]Fg\¿[¢FÎÏë·©ÉÎãZðbÄøèêH¶¡Ö· XW¬Q
\ No newline at end of file
diff --git a/secrets/rekeyed/teal/25168036ffa14e9d60c809ab19491686-9cc6921ad2cabe03ed9e9eaeeb5f86eb7fad88ce337dd175cf9a6dab0a1e6916.age b/secrets/rekeyed/teal/25168036ffa14e9d60c809ab19491686-9cc6921ad2cabe03ed9e9eaeeb5f86eb7fad88ce337dd175cf9a6dab0a1e6916.age
deleted file mode 100644
index 022c2b2..0000000
--- a/secrets/rekeyed/teal/25168036ffa14e9d60c809ab19491686-9cc6921ad2cabe03ed9e9eaeeb5f86eb7fad88ce337dd175cf9a6dab0a1e6916.age
+++ /dev/null
Binary files differ
diff --git a/secrets/rekeyed/teal/46041cde522a863d67318a4f79e6edb2-4ff0a9f10b1f785426a18a32610b8eb23fb537695c6352a673d296cbba9f8d91.age b/secrets/rekeyed/teal/46041cde522a863d67318a4f79e6edb2-4ff0a9f10b1f785426a18a32610b8eb23fb537695c6352a673d296cbba9f8d91.age
deleted file mode 100644
index cce464d..0000000
--- a/secrets/rekeyed/teal/46041cde522a863d67318a4f79e6edb2-4ff0a9f10b1f785426a18a32610b8eb23fb537695c6352a673d296cbba9f8d91.age
+++ /dev/null
@@ -1,8 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 BfRbTA klHQV5K9PWGr2HHUhE2pMB5ZFUUnyFoRVkTUDvTZGTU
-tDCvQFbIrAZldWvWtYXsQanS7xLgt3MT7QBRFY7s1UU
--> q<ppk{F;-grease g>&;l1b
-rtYJff1tEUkj6Yd9MhDruZuzlGsuH4mtWeMIVJBE2gdk1SvQWL4QFu9XkMB9P6yU
-Pq1ZxwDxMSAD/Q
---- YU+P2lOIdgX9EKiAD7qBFyg7No1XhcZQJIl4T/DWFhE
-0K²¶Ôòq¤©ëâ¾õ?Ô¶Üf`#jnþâÖnz=! v ÑDÓ+c¦íÊû
\ No newline at end of file
diff --git a/secrets/rekeyed/teal/5c86f7948493658772736f66fc1af757-44d6ff782215ac9e5abbd10aee750e9940ac7042dd3ba1dfbfd1d5afc650226f.age b/secrets/rekeyed/teal/5c86f7948493658772736f66fc1af757-44d6ff782215ac9e5abbd10aee750e9940ac7042dd3ba1dfbfd1d5afc650226f.age
new file mode 100644
index 0000000..bcfb4f2
--- /dev/null
+++ b/secrets/rekeyed/teal/5c86f7948493658772736f66fc1af757-44d6ff782215ac9e5abbd10aee750e9940ac7042dd3ba1dfbfd1d5afc650226f.age
Binary files differ
diff --git a/secrets/rekeyed/teal/6af45862331f8b280a01e768b1736fc4-fcc3a6ac8c8c9ee5a975be1170eab009f5fbf92b6839d90efd0b916196929a9d.age b/secrets/rekeyed/teal/6af45862331f8b280a01e768b1736fc4-fcc3a6ac8c8c9ee5a975be1170eab009f5fbf92b6839d90efd0b916196929a9d.age
deleted file mode 100644
index 7e83cd6..0000000
--- a/secrets/rekeyed/teal/6af45862331f8b280a01e768b1736fc4-fcc3a6ac8c8c9ee5a975be1170eab009f5fbf92b6839d90efd0b916196929a9d.age
+++ /dev/null
Binary files differ
diff --git a/secrets/rekeyed/teal/77463521eace182e324bbe5a15d2e4ca-77bf5477059992e7f7b8734aa3711993f10216b7e5c1f358a8d5e86a4947fd4a.age b/secrets/rekeyed/teal/77463521eace182e324bbe5a15d2e4ca-77bf5477059992e7f7b8734aa3711993f10216b7e5c1f358a8d5e86a4947fd4a.age
deleted file mode 100644
index f14672d..0000000
--- a/secrets/rekeyed/teal/77463521eace182e324bbe5a15d2e4ca-77bf5477059992e7f7b8734aa3711993f10216b7e5c1f358a8d5e86a4947fd4a.age
+++ /dev/null
Binary files differ
diff --git a/secrets/rekeyed/teal/86966bd336d1cbac315b909759eb9039-0af0da187c81ba156aac3a5de7223501ba4606961e0b1f5e4f9e970d35d8c6bd.age b/secrets/rekeyed/teal/86966bd336d1cbac315b909759eb9039-0af0da187c81ba156aac3a5de7223501ba4606961e0b1f5e4f9e970d35d8c6bd.age
deleted file mode 100644
index df7a368..0000000
--- a/secrets/rekeyed/teal/86966bd336d1cbac315b909759eb9039-0af0da187c81ba156aac3a5de7223501ba4606961e0b1f5e4f9e970d35d8c6bd.age
+++ /dev/null
Binary files differ
diff --git a/secrets/rekeyed/teal/8a4d916e926478d6d00f23f0b1f63bbe-54a99c4b062c78215b4afa51c39f8306e78127206f4d52c183e8ce9ab6bb6093.age b/secrets/rekeyed/teal/8a4d916e926478d6d00f23f0b1f63bbe-54a99c4b062c78215b4afa51c39f8306e78127206f4d52c183e8ce9ab6bb6093.age
new file mode 100644
index 0000000..4205255
--- /dev/null
+++ b/secrets/rekeyed/teal/8a4d916e926478d6d00f23f0b1f63bbe-54a99c4b062c78215b4afa51c39f8306e78127206f4d52c183e8ce9ab6bb6093.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 BfRbTA FHes4cqup1bAuWAa/jRdhU2crZm7+UGv8gXf6rVH5n8
+7kSv3yS9JDpQob3BaOqA+rhVT0w6D02hV2MhHKYU4mw
+-> '>/r#B-grease w5@R HXA ptS
+qrPeywHTQIuiUm+v+gMNxgj628wl
+--- wGf5fvQpBysF7K50zOD8hufe7TLhvqaWAxQPU1icC9c
+Z´¸ÁÎòÜé³)Ü1w%a%ÆXû,é~Pÿ÷8ŵËP¢¯¬¤&F'l«kmp]g8òÄô.ȯz¥ØãÊÉïØX#ëê´SåºXé\>6MÑVÛOB×Ñ
\ No newline at end of file
diff --git a/secrets/rekeyed/teal/9c301f9d5e0583e3da05df29e1a1a3e7-469559e64d5d0af639fa27bcc9214e0d0185cf72b663b512f3c0ceb66e973859.age b/secrets/rekeyed/teal/9c301f9d5e0583e3da05df29e1a1a3e7-469559e64d5d0af639fa27bcc9214e0d0185cf72b663b512f3c0ceb66e973859.age
new file mode 100644
index 0000000..05a3bec
--- /dev/null
+++ b/secrets/rekeyed/teal/9c301f9d5e0583e3da05df29e1a1a3e7-469559e64d5d0af639fa27bcc9214e0d0185cf72b663b512f3c0ceb66e973859.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 BfRbTA MfKKCMASHvlkX2Eu0Q57oby5JhPKV4R+thDBoNEaQyA
+xWywwuK79uHNM5wNqaDX/neie4zFW5bLn4PepbHFBS4
+-> 6h-Z7Va-grease +-O HRj;
+x3hRs+xsy+D1js3NgNDuWnh3L22AFaYJhrbvooYlZQL7qdFy6LkWbg3USTg1kU4Q
+rHvivLMMjrObLFw2nalENX9K
+--- qq8HdapWzG9bkcfPmocY2dQYFyG1BlV9I+5CBmlhEw0
+Ï
+Ú9êϦ©ÏúâLÖXµbùyÕd.à¨cõphGÁeLîÖØCÞ¢mKnÙÚ$íÀÄÖ"7cÆ8¤Y-Äx-¥Y?+£&»Åç¸Mò
\ No newline at end of file
diff --git a/secrets/rekeyed/teal/f1cbc09d7ceaa63e60b72eabaad9a58d-14e8123eb769c15645519ae8cd51a5ecd99224820f8ea4fd06922c948310054e.age b/secrets/rekeyed/teal/f1cbc09d7ceaa63e60b72eabaad9a58d-14e8123eb769c15645519ae8cd51a5ecd99224820f8ea4fd06922c948310054e.age
new file mode 100644
index 0000000..45d7b3a
--- /dev/null
+++ b/secrets/rekeyed/teal/f1cbc09d7ceaa63e60b72eabaad9a58d-14e8123eb769c15645519ae8cd51a5ecd99224820f8ea4fd06922c948310054e.age
Binary files differ
diff --git a/systems/x86_64-linux/teal/clicks.networking.tailscale.authKeyFile.age b/systems/x86_64-linux/teal/clicks.networking.tailscale.authKeyFile.age
index 3cd5dd9..89df9d8 100644
--- a/systems/x86_64-linux/teal/clicks.networking.tailscale.authKeyFile.age
+++ b/systems/x86_64-linux/teal/clicks.networking.tailscale.authKeyFile.age
Binary files differ
diff --git a/systems/x86_64-linux/teal/clicks.security.acme.defaults.environmentFile.age b/systems/x86_64-linux/teal/clicks.security.acme.defaults.environmentFile.age
index 875b683..499d80a 100644
--- a/systems/x86_64-linux/teal/clicks.security.acme.defaults.environmentFile.age
+++ b/systems/x86_64-linux/teal/clicks.security.acme.defaults.environmentFile.age
Binary files differ
diff --git a/systems/x86_64-linux/teal/clicks.services.fava.credentials.truelayer_client_secret.age b/systems/x86_64-linux/teal/clicks.services.fava.credentials.truelayer_client_secret.age
index aba1823..1d4d3b1 100644
--- a/systems/x86_64-linux/teal/clicks.services.fava.credentials.truelayer_client_secret.age
+++ b/systems/x86_64-linux/teal/clicks.services.fava.credentials.truelayer_client_secret.age
Binary files differ
diff --git a/systems/x86_64-linux/teal/clicks.services.headscale.database_password_path.age b/systems/x86_64-linux/teal/clicks.services.headscale.database_password_path.age
deleted file mode 100644
index 6d683e5..0000000
--- a/systems/x86_64-linux/teal/clicks.services.headscale.database_password_path.age
+++ /dev/null
@@ -1,11 +0,0 @@
-age-encryption.org/v1
--> piv-p256 xE4ypg AiABIeb7nQsaUe7jxXow8KBHhq0BfXnPiuI29aSu/gWU
-GAyoIEnVyHY8Hnp/O1gbsgjhaKkmB4FzTGf+iwOSXwo
--> piv-p256 Hpt/+Q AihPD+1l2PMwawMH0Yu0wYgjBNUcXgOWu7H4/JtcFjc8
-+rRoRScmxnC3srf0V7CNKkwQ3mx26CSZ5RUkL5Ndk3s
--> piv-p256 zfskmQ AnzTX8xfBDy2c6BhRSKFA95DNP8oGv6eLJK1e4AEWBOO
-ikE059yKB8ZkCjSoFbnk+CiLpYWRnDq0S5Hui8/vfYg
--> Ta_1;0D-grease 3U~ esRL y)1 5D7@!
-ftM
---- KV4ev4Q0XGspO1OMu9InZsNG1r34+3ttmkbGA8EOeag
-x\Õ&ݵV*\_þ<6q+m'VÂjìÊÕ1SÊh£FqÓæÒCýoJ¬
\ No newline at end of file
diff --git a/systems/x86_64-linux/teal/clicks.services.headscale.noise_private_key_path.age b/systems/x86_64-linux/teal/clicks.services.headscale.noise_private_key_path.age
index 0a80da7..38db4e8 100644
--- a/systems/x86_64-linux/teal/clicks.services.headscale.noise_private_key_path.age
+++ b/systems/x86_64-linux/teal/clicks.services.headscale.noise_private_key_path.age
Binary files differ
diff --git a/systems/x86_64-linux/teal/clicks.services.headscale.oidc.client_secret_path.age b/systems/x86_64-linux/teal/clicks.services.headscale.oidc.client_secret_path.age
index dbe7f40..1b16ae6 100644
--- a/systems/x86_64-linux/teal/clicks.services.headscale.oidc.client_secret_path.age
+++ b/systems/x86_64-linux/teal/clicks.services.headscale.oidc.client_secret_path.age
Binary files differ
diff --git a/systems/x86_64-linux/teal/clicks.services.headscale.private_key_path.age b/systems/x86_64-linux/teal/clicks.services.headscale.private_key_path.age
deleted file mode 100644
index ff84916..0000000
--- a/systems/x86_64-linux/teal/clicks.services.headscale.private_key_path.age
+++ /dev/null
@@ -1,12 +0,0 @@
-age-encryption.org/v1
--> piv-p256 xE4ypg A/1AkQXyQfF7aTIhUDAw6OJ6JO6Ro9iSN5ZGIhFiSAqL
-MLsUkgt4+JeJTB4g4XRAv/K4+BZnc1mlAXJUTilZgqE
--> piv-p256 Hpt/+Q AyReEFiNuDH9r4fchqNmAPsT1mSSoHm3Zw6jAFdraS7U
-6/mlABCjhArVnPTOR6bYtRcQ5JnHMovpdg7s/8yxhu4
--> piv-p256 zfskmQ A1p28F/oDFbDEFz+HdvTVEe+wYDAA2NipMJIPrGgkBL/
-LTldK7n4lNRCh2V1BzTlMsCQIgptJJlNdtLXnHAgPC8
--> 2M%-grease W5eYe~ .~*`-F
-VRvJBX8ur65GXtjI29c0Bef463yz3mRp9g8df6K7HKZ24LrQ/Ioi/RDJe7I94MFW
-sWkryndEdA
---- JEiQ8CXqT6FikePa0ZUfE5gnOsCwubPTJwzp8QmGjwg
-
õûþ÷t^§d+*O¢»¨J»ÇNLnÀº¦¶M:Hñm»=9ãe4.Ãõ¹Í5ø¸Ca44s}êC§S¥/l((S+'Òóþ%Ôxg5ò)ŦG1åäµOjbÍ
\ No newline at end of file
diff --git a/systems/x86_64-linux/teal/default.nix b/systems/x86_64-linux/teal/default.nix
index 8123543..8ccb077 100644
--- a/systems/x86_64-linux/teal/default.nix
+++ b/systems/x86_64-linux/teal/default.nix
@@ -39,12 +39,15 @@
};
sites."docs.auxolotl.org".enable = true;
+ sites."a.starrysky.blog".enable = true;
+ # sites."blog.thecoded.prof".enable = true;
services = {
ssh.enable = true;
headscale = {
enable = true;
domain = "clicks.domains";
+ server_url = "vpn.clicks.codes";
addr = lib.clicks.constants.hosts.generic;
oidc = {
enable = true;
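Review bot: `server_url = "vpn.clicks.codes";` at L1101 carries no scheme, while headscale's own `server_url` setting expects a full URL such as `https://vpn.clicks.codes` and derives the OIDC callback address from it; this is only correct if the `clicks.services.headscale` module prepends the scheme before passing the value through, which this hunk does not show, so that should be confirmed. The commented-out `sites."blog.thecoded.prof"` line at L1095 is dead configuration; either drop it or say why it is parked, e.g. `# sites."blog.thecoded.prof".enable = true; # disabled: <reason>`. The enclosing `services` attribute set continues outside this hunk.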
@@ -53,101 +56,63 @@
client_secret_path =
config.age.secrets."clicks.services.headscale.oidc.client_secret_path".path;
};
- database_password_path =
- config.age.secrets."clicks.services.headscale.database_password_path".path;
noise_private_key_path =
config.age.secrets."clicks.services.headscale.noise_private_key_path".path;
- private_key_path =
- config.age.secrets."clicks.services.headscale.private_key_path".path;
- acl =
- let
- internet = [
- "0.0.0.0/5"
- "8.0.0.0/7"
- "11.0.0.0/8"
- "12.0.0.0/6"
- "16.0.0.0/4"
- "32.0.0.0/3"
- "64.0.0.0/3"
- "96.0.0.0/6"
- "100.0.0.0/10"
- "100.128.0.0/9"
- "101.0.0.0/8"
- "102.0.0.0/7"
- "104.0.0.0/5"
- "112.0.0.0/4"
- "128.0.0.0/3"
- "160.0.0.0/5"
- "168.0.0.0/8"
- "169.0.0.0/9"
- "169.128.0.0/10"
- "169.192.0.0/11"
- "169.224.0.0/12"
- "169.240.0.0/13"
- "169.248.0.0/14"
- "169.252.0.0/15"
- "169.255.0.0/16"
- "170.0.0.0/7"
- "172.0.0.0/12"
- "172.32.0.0/11"
- "172.64.0.0/10"
- "172.128.0.0/9"
- "173.0.0.0/8"
- "174.0.0.0/7"
- "176.0.0.0/4"
- "192.0.0.0/9"
- "192.128.0.0/11"
- "192.160.0.0/13"
- "192.169.0.0/16"
- "192.170.0.0/15"
- "192.172.0.0/14"
- "192.176.0.0/12"
- "192.192.0.0/10"
- "193.0.0.0/8"
- "194.0.0.0/7"
- "196.0.0.0/6"
- "200.0.0.0/5"
- "208.0.0.0/4"
- "224.0.0.0/3"
- "ipv6-internet"
- # A nasty hack used because ipv6 colons were messing with dst
- # ports
- ]; # Should be replaceable with autogroup:internet in next release
- in
+ acl = let
+ permitted_area_names = [
+ # Some phonetic alphabet names are excluded here to avoid confusing
+ # them with given names
+ "alpha"
+ "bravo"
+ "delta"
+ "echo"
+ "foxtrot"
+ "golf"
+ "hotel"
+ "india"
+ "kilo"
+ "lima"
+ "november"
+ "papa"
+ "quebec"
+ "sierra"
+ "tango"
+ "uniform"
+ "whiskey"
+ "xray"
+ "yankee"
+ "zulu"
+ ];
+
+ assigned_areas = {
+ "alpha" = "coded";
+ "bravo" = "minion";
+ "echo" = "maddie";
+ "sierra" = "pineafan";
+ "tango" = "mostlyturquoise";
+ "zulu" = "zanderp25";
+ };
+
+ users = [
+ "coded"
+ "maddie"
+ "minion"
+ "pineafan"
+ "zanderp25"
+ "mostlyturquoise"
+ ];
+
+ friends = [
+ "sirdigalot"
+ ];
+ in
{
- groups."group:users" = [
+ groups."group:maintainer" = [
"coded"
- "maddie"
"minion"
- "pineafan"
- "zanderp25"
- "mostlyturquoise"
];
- groups."group:friends" = [
- "sirdigalot"
- ];
- groups."group:areas" = [
- # Some phonetic alphabet names are excluded here to avoid confusing
- # them with given names
- "alpha"
- "bravo"
- "echo"
- "foxtrot"
- "hotel"
- "india"
- "kilo"
- "lima"
- "november"
- "papa"
- "sierra"
- "tango"
- "uniform"
- "whiskey"
- "xray"
- "yankee"
- "zulu"
- ];
- hosts.ipv6-internet = "2000::/3";
+ groups."group:users" = users;
+ groups."group:friends" = friends;
acls = [
{
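Review bot: `assigned_areas` at L1196 is keyed by area name, but nothing ties those keys to `permitted_area_names`; an area added to the map but not to the list would still get an SSH rule and a `tagOwners` entry while the matching `acls` entries built from the list would be missing. A one-line evaluation-time guard before the body prevents that drift: `in assert lib.all (a: lib.elem a permitted_area_names) (lib.attrNames assigned_areas);` followed by the existing `{`. Separately, the list now contains `"delta"` and `"golf"`, which the old `group:areas` list left out, while the comment about excluding confusable phonetic-alphabet names was carried over unchanged — worth confirming that is intentional rather than a copy slip. The `acl` body continues past the end of this hunk.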
@@ -156,8 +121,8 @@
dst = [
"group:users:*"
"group:friends:*"
- "group:areas:*"
- ] ++ (lib.forEach internet (host: "${host}:*"));
+ "autogroup:internet:*"
+ ] ++ (map (tag: "tag:${tag}:*") permitted_area_names);
}
{
action = "accept";
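Review bot: The parentheses wrapping `map` in `] ++ (map (tag: "tag:${tag}:*") permitted_area_names);` are redundant, since function application binds tighter than `++` in Nix; the same wrapping recurs at L1274–L1275 and L1288, where `(map ...)` is the entire right-hand side of an assignment and reads more plainly as `src = map (tag: "tag:${tag}") permitted_area_names;`. This is a style point only; the expressions evaluate identically either way. The enclosing acl entry starts outside this hunk.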
@@ -169,8 +134,8 @@
}
{
action = "accept";
- src = [ "group:areas" ];
- dst = [ "group:areas:*" ];
+ src = (map (tag: "tag:${tag}") permitted_area_names);
+ dst = (map (tag: "tag:${tag}:*") permitted_area_names);
}
{
action = "accept";
@@ -178,6 +143,49 @@
dst = [ "zanderp25:3000" ];
}
];
+
+ ssh = [
+ {
+ action = "check";
+ src = ["group:users"];
+ dst = (map (tag: "tag:${tag}") permitted_area_names);
+ checkPeriod = "8h";
+ acceptEnv = [
+ "BAT_THEME"
+ "COLORTERM"
+ "JQ_COLORS"
+ "LANG"
+ "LS_COLORS"
+ "LSCOLORS"
+ "TERM"
+ ];
+ }
+ ] ++ (lib.attrsets.mapAttrsToList (area: user: {
+ action = "check";
+ src = [ user ];
+ dst = [ "tag:${area}" ];
+ checkPeriod = "2h";
+ users = [ "root" "autogroup:nonroot" ];
+ acceptEnv = [ "*" ];
+ }) assigned_areas) ++ (map (user: {
+ action = "check";
+ src = [ user ];
+ dst = [ user ];
+ checkPeriod = "2h";
+ users = [ "root" "autogroup:nonroot" ];
+ acceptEnv = [ "*" ];
+ }) (users ++ friends));
+
+ tagOwners = (lib.pipe permitted_area_names [
+ (map (area: {
+ name = "tag:${area}";
+ value = [ "group:maintainer" ];
+ }))
+ lib.listToAttrs
+ ]) // (lib.attrsets.mapAttrs' (area: user: {
+ name = "tag:${area}";
+ value = [ "group:maintainer" user ];
+ }) assigned_areas);
};
};
fava = {
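Review bot: `acceptEnv = [ "*" ];` at L1306 and L1313 lets an SSH client forward any environment variable it chooses into the session on the tagged hosts and on each user's own devices, a much wider surface than the explicit allow-list the first rule uses, and it applies to `root` logins too; unless a variable beyond that list is actually needed, reuse the same list, e.g. `acceptEnv = [ "BAT_THEME" "COLORTERM" "JQ_COLORS" "LANG" "LS_COLORS" "LSCOLORS" "TERM" ];`, or hoist it into the `let` as a shared value. The first rule at L1285 omits `users` while the two generated rule sets specify `[ "root" "autogroup:nonroot" ]`; if headscale treats a missing `users` as an empty set that rule matches no login user, so the intended default should be confirmed. The `//` in `tagOwners` relies on the `assigned_areas` side being on the right so that the per-user owner entries override the maintainer-only ones; a short comment stating that ordering dependency, such as `# right-hand side wins: assigned areas add the user to the maintainer owners`, would keep a future reorder from silently dropping the user owners. The enclosing `acl` attribute set starts outside this hunk.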
@@ -325,16 +333,8 @@
rekeyFile = ./clicks.services.headscale.oidc.client_secret_path.age;
group = "headscale";
};
- age.secrets."clicks.services.headscale.database_password_path" = {
- rekeyFile = ./clicks.services.headscale.database_password_path.age;
- group = "headscale";
- };
age.secrets."clicks.services.headscale.noise_private_key_path" = {
rekeyFile = ./clicks.services.headscale.noise_private_key_path.age;
group = "headscale";
};
- age.secrets."clicks.services.headscale.private_key_path" = {
- rekeyFile = ./clicks.services.headscale.private_key_path.age;
- group = "headscale";
- };
}