From b416affd1f83d550b028c84994cdd5e07a83565d Mon Sep 17 00:00:00 2001 From: Julia Lange Date: Tue, 16 Sep 2025 18:45:24 -0700 Subject: [PATCH 1/2] Caddy, DNS Challenges; Headscale, Magic_dns Changed to using Porkbun DNS Challenges for Caddy. This enables wildcard certificates. Documentation - https://caddyserver.com/docs/caddyfile/patterns#wildcard-certificates - https://caddyserver.com/docs/automatic-https#dns-challenge Changed headscale to use a domain I own instead of the beautiful madoka OP. --- hosts/juri/host.nix | 8 ++++++++ hosts/juri/secrets.yaml | 12 ++++-------- nixosModules/services/caddy/service.nix | 14 ++++++++++++++ nixosModules/services/headscale/service.nix | 2 +- 4 files changed, 27 insertions(+), 9 deletions(-) diff --git a/hosts/juri/host.nix b/hosts/juri/host.nix index 57c9a47..9f908bf 100644 --- a/hosts/juri/host.nix +++ b/hosts/juri/host.nix @@ -17,12 +17,14 @@ in { forgejoPassword = { owner = "forgejo"; }; + caddyApi = {}; }; }; caddy = { enable = true; adminEmail = email; + environmentFile = config.sops.secrets.caddyApi.path; vhosts = { "juri.woach.me" = { extraConfig = '' @@ -39,6 +41,12 @@ in { extraConfig = '' reverse_proxy :${builtins.toString config.headscale.server.port} ''; + serverAliases = [ "*.dns.ginko.woach.me" ]; + }; + "juri.${config.services.headscale.settings.dns.base_domain}" = { + extraConfig = '' + reverse_proxy :${builtins.toString config.fava.port} + ''; }; }; }; diff --git a/hosts/juri/secrets.yaml b/hosts/juri/secrets.yaml index 6800ced..145fe69 100644 --- a/hosts/juri/secrets.yaml +++ b/hosts/juri/secrets.yaml 
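Review bot: The new `"juri.${config.services.headscale.settings.dns.base_domain}"` site in the second hunk proxies fava on the same public :443 listener as the other vhosts, and Caddy selects the site from the SNI/Host name the client presents rather than from how that name was resolved, so the MagicDNS name being resolvable only inside the tailnet does not keep the site private; whether fava enforces its own authentication is not visible here. If fava is meant to be tailnet-only, consider restricting that site to the tailnet address (for example a `bind` directive in its `extraConfig`, or a `remote_ip` matcher that aborts other clients) instead of relying on name resolution. The `serverAliases = [ "*.dns.ginko.woach.me" ]` on the headscale vhost also routes every other MagicDNS name to headscale's `reverse_proxy`; if the alias exists only to obtain the wildcard certificate, a comment such as `# wildcard alias only so Caddy requests the *.dns cert; MagicDNS names get their own site blocks` would stop it reading as an accidental catch-all. That literal string presumably duplicates `dns.${config.headscale.server.domain}` from the headscale module and could be derived from `config.services.headscale.settings.dns.base_domain` as the fava vhost already does, so the two cannot drift apart.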
@@ -1,10 +1,7 @@ pdsEnv: ENC[AES256_GCM,data:W1kKvcntrBOSgo7gLxwO8A9ZkWjkRWfUDZUMy5YNvhzqYS5xBPGL4QEcknWtQaVfaZklnO/+Gr5JEq/qgU2nIEY3xazfjYl4MNkZBhuwI20RwZB9voVubzHbPwjLtZbNTXRMa7BzO6a3ieSudKWAMP0dumG3/+wHtTYOM6lxUBfpw51+lNikc7kLqI+lzys0jC37ajP0/cm/U644BD0ozSSF289CLtXSkLt8sgHvA1ci8M+wEEq4aJ0JTVs98m0E7Udaride4tjLelESx3hPdoVzBIEa,iv:sQiYE//UGGA2qPfbM9//FcKEued6t8ORiKW8kfzLtz0=,tag:Fj+CzBgL8MH/6FLnUadIPQ==,type:str] forgejoPassword: ENC[AES256_GCM,data:cQJJbf07v4HngeSYE2TwTcAx8WY=,iv:533TO2MfJVop93U4T7yIIiu6i4swDtduFuu79ZzFYFU=,tag:Pz5u/NqOSTKz2zFNzNLY5w==,type:str] +caddyApi: ENC[AES256_GCM,data:mWb/pMr1cxbz6K2ZQkV3AF93/GtIPZyYrJfDDbisK3GhMlWOVZNWDzw7cC/e+1w5aSxeGmOAE13eETVpV9q8W2Bjg8IADn/4j8Su90LxAr+U77pVoF0gUvv1CagEXM8myx+GgaAG80xIeSUNUMOMsgUhJTBoaMrVpHDEPREsa9XyRzEB4X3uQnKx4tUNcUqGSUu5wvMfXDF7rNzJhkVEfE6i,iv:h5QLei1PcZUc4djaqbId9VFv8Rr2dTa7CNowxZVlRUA=,tag:nBfyFVU/fBboswcVsGKL4A==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age1ey3wr2wnkgny3dfgvnyrf0cptwzr7s5x464p2y9ya58lpay8lfrsds3y68 enc: | @@ -33,8 +30,7 @@ sops: N3NhMHp3V1ppclQvWTIxNkM5RjhRV0EKl8goB9tCl0BGi4jN7Fzuh0Ajm146x2Hu vesj+ENu2E9II3OeYuBndD+Y4x2zugIpzNOPg1V8zkarJOf7R/sXEw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-03-24T19:31:53Z" - mac: ENC[AES256_GCM,data:5FVSw5wMXRl4qZQmD4yS7g/9qztaveDiU7mgifiOhOBqQrtvv5I/V7rkb5nKew+N3vKmg4vpWBL4kFxsQvWekAPT+ToNED4XhB5H5wZ/RyXga0CU0PMKWtGdEKdyjs4cIZjfScclW0ONgaSkv6XtCLj1V+ukPY3WBI3/2jnf6dA=,iv:7p1qEG1+E7SNLv64/aqjm1ppF4jQ/5h+Z5iHzd8sGDA=,tag:hG59vDcqha1MQf+kN1jguw==,type:str] - pgp: [] + lastmodified: "2025-09-17T01:49:06Z" + mac: ENC[AES256_GCM,data:THEyH3KP9VVFiP7NAPn693dolWIWByb3wSjwC9QLSTe3cgdJbFqa5GvVzFa6xM1ue/GYStMwYIZt0+3LP5Wz5B2KWNy2ljvgFXjzlDHxSOzkWi3/yP9fnuRyf0vujW2Q0ltkXMleyKSisZCD87FjuUz1J9LBYQP64e0mhyB5jL4=,iv:WUDt4AusjrQVhDFk/XSohBlmxjp6Dp6EoMe08yQ0RYg=,tag:LC2j1Bvgo7h29O9mmgIFCw==,type:str] unencrypted_suffix: _unencrypted - version: 3.9.4 + version: 3.10.2 
diff --git a/nixosModules/services/caddy/service.nix b/nixosModules/services/caddy/service.nix index b07fa3c..e24f701 100644 --- a/nixosModules/services/caddy/service.nix +++ b/nixosModules/services/caddy/service.nix @@ -5,14 +5,28 @@ enable = lib.mkEnableOption "Enables caddy webserver"; vhosts = lib.mkOption {}; adminEmail = lib.mkOption { type = lib.types.str; }; + environmentFile = lib.mkOption {}; }; config = lib.mkIf config.caddy.enable { networking.firewall.allowedTCPPorts = [ 80 443 ]; services.caddy = { enable = true; + globalConfig = '' + acme_dns porkbun { + api_key {$APIKEY} + api_secret_key {$APISECRETKEY} + } + ''; + package = pkgs.caddy.withPlugins { + plugins = [ "github.com/caddy-dns/porkbun@v0.3.1" ]; + hash = "sha256-g/Nmi4X/qlqqjY/zoG90iyP5Y5fse6Akr8exG5Spf08="; + }; virtualHosts = config.caddy.vhosts; email = config.caddy.adminEmail; }; + systemd.services.caddy.serviceConfig.EnvironmentFile = [ + config.caddy.environmentFile + ]; }; } diff --git a/nixosModules/services/headscale/service.nix b/nixosModules/services/headscale/service.nix index 12fbad7..4f692f1 100644 --- a/nixosModules/services/headscale/service.nix +++ b/nixosModules/services/headscale/service.nix @@ -17,7 +17,7 @@ settings = { server_url = "https://${config.headscale.server.domain}"; dns = { - base_domain = "connect.claris"; + base_domain = "dns.${config.headscale.server.domain}"; override_local_dns = false; }; }; From 823c6d0738a7961b63c9a22f813284f5880a0de3 Mon Sep 17 00:00:00 2001 
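Review bot: `environmentFile = lib.mkOption {};` has no type and no default, so any host that sets `caddy.enable = true` without also setting `caddy.environmentFile` now fails evaluation when `systemd.services.caddy.serviceConfig.EnvironmentFile` reads it, and nothing documents that the file must supply `APIKEY` and `APISECRETKEY` for the `acme_dns porkbun` block. Giving the option a `nullOr path` type, a `null` default and a description, and emitting `EnvironmentFile` only when it is set, keeps hosts that do not use the DNS challenge working; the secret can stay root-owned, since systemd reads `EnvironmentFile` before switching to the service user. Because `acme_dns` sits in `globalConfig`, every vhost on every host importing this module now uses the Porkbun DNS challenge, which the option descriptions do not say. Newer nixpkgs revisions also provide a `services.caddy.environmentFile` option that does this wiring; worth checking whether the pinned nixpkgs has it before keeping a custom option.
```nix
    environmentFile = lib.mkOption {
      type = lib.types.nullOr lib.types.path;
      default = null;
      description = "KEY=value file providing APIKEY and APISECRETKEY for the Porkbun acme_dns plugin; read by systemd as root before dropping privileges.";
    };
    # … unchanged: config = lib.mkIf … services.caddy = { … }; …
    systemd.services.caddy.serviceConfig.EnvironmentFile = lib.mkIf (config.caddy.environmentFile != null) [
      config.caddy.environmentFile
    ];
```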
From: Julia Lange Date: Mon, 17 Nov 2025 09:05:48 -0800 Subject: [PATCH 2/2] Convert to flake-parts & easy-hosts. Users broke convert to using flake-parts and easy-hosts for the flake system. This allows me to remove my poor file-system based code and replace it with the code done in easy-hosts. Which also has good knock-on effects. This change factors users out of hosts, which is probably a good change since users aren't a nixos-module, but aren't completely untangled either. I'm going to leave users broken for a minute as I decide exactly how I want to handle them. --- .gitignore | 1 + flake.nix | 149 ++++++++---------- hosts/jibril/{host.nix => default.nix} | 0 hosts/juri/{host.nix => default.nix} | 0 hosts/onizuka/{host.nix => default.nix} | 0 .../users/badtz => users/badtz@juri}/user.nix | 0 .../users/pan => users/pan@jibril}/user.nix | 0 .../users/pan => users/pan@juri}/user.nix | 0 .../users/pan => users/pan@onizuka}/user.nix | 0 9 files changed, 68 insertions(+), 82 deletions(-) rename hosts/jibril/{host.nix => default.nix} (100%) rename hosts/juri/{host.nix => default.nix} (100%) rename hosts/onizuka/{host.nix => default.nix} (100%) rename {hosts/juri/users/badtz => users/badtz@juri}/user.nix (100%) rename {hosts/jibril/users/pan => users/pan@jibril}/user.nix (100%) rename {hosts/juri/users/pan => users/pan@juri}/user.nix (100%) rename {hosts/onizuka/users/pan => users/pan@onizuka}/user.nix (100%) diff --git a/.gitignore b/.gitignore index e69de29..b2be92b 100644 --- a/.gitignore +++ b/.gitignore @@ -0,0 +1 @@ +result diff --git a/flake.nix b/flake.nix index eeb4bd0..568e458 100644 --- a/flake.nix +++ b/flake.nix 
@@ -1,94 +1,79 @@ { - inputs = { - nixpkgs.url = "nixpkgs/nixos-unstable"; + outputs = inputs: inputs.flake-parts.lib.mkFlake { inherit inputs; } { + imports = with inputs; [ + easy-hosts.flakeModule + # home-manager.flakeModules.home-manager + ]; - home-manager.url = "github:nix-community/home-manager"; + systems = [ "x86-64-linux" ]; + easy-hosts = { + autoConstruct = true; + path = ./hosts; + easy-hosts.onlySystem = "x86-64-linux"; - lix-module.url = "https://git.lix.systems/lix-project/nixos-module/archive/2.91.1-2.tar.gz"; + shared = { + modules = [ + inputs.lix-module.nixosModules.default + ./nixModules + ]; + }; + }; - hyprland.url = "git+https://github.com/hyprwm/Hyprland"; - hyprland-contrib.url = "github:hyprwm/contrib"; - - niri.url = "github:sodiboo/niri-flake"; - - sops-nix.url = "github:Mic92/sops-nix"; - ags.url = "github:Aylur/ags"; - aagl.url = "github:ezKEa/aagl-gtk-on-nix"; + # flake = { + # homeConfigurations = {}; + # homeModules = { my-modules = ./hmModules; }; + # }; }; - outputs = { self, home-manager, nixpkgs, lix-module, ... }@inputs: let - system = "x86_64-linux"; - pkgs = nixpkgs.legacyPackages.${system}; - fs = pkgs.lib.fileset; - st = pkgs.lib.strings; - as = pkgs.lib.attrsets; + inputs = { + # Save data with this url. 
Source: + # at://did:plc:mojgntlezho4qt7uvcfkdndg/app.bsky.feed.post/3loogwsoqok2w + # cid: bafyreidhuuxs3cuabneygtxir65hnd7hvy4hwj5rwrylpwmp7jhxciasve + nixpkgs.url = "https://channels.nixos.org/nixpkgs-unstable/nixexprs.tar.xz"; - hosts = let - hostFilter = { name, ...}: name == "host.nix"; - hostPaths = fs.toList (fs.fileFilter hostFilter ./hosts); - # Assumes dir structure is start_of_path/hosts/hostname/host.nix - extractHostName = path: builtins.unsafeDiscardStringContext ( - st.removeSuffix "/host.nix" ( - builtins.elemAt (st.splitString "/hosts/" path) 1 - ) - ); - in builtins.listToAttrs (map (path: { - value = path; - name = extractHostName path; - }) hostPaths); - - users = let - userFilter = { name, ...}: name == "user.nix"; - userPaths = fs.toList (fs.fileFilter userFilter ./hosts); - in builtins.listToAttrs (map (path: let - dirsAndFiles = st.splitString "/" path; - dAFLength = builtins.length dirsAndFiles; - # Assumes dir structure is start_of_path/hosts/hostname/users/username/user.nix - hostname = builtins.unsafeDiscardStringContext ( - builtins.elemAt dirsAndFiles (dAFLength - 4)); - username = builtins.unsafeDiscardStringContext ( - builtins.elemAt dirsAndFiles (dAFLength - 2)); - in { - name = username + "@" + hostname; - value = path; - } - ) userPaths); - - userConfig = usernameAtHostname: userpath: home-manager.lib.homeManagerConfiguration { - inherit pkgs; - extraSpecialArgs = { - inherit inputs; - inherit usernameAtHostname; - }; - modules = [ - ./hmModules - userpath - ]; + home-manager = { + type = "github"; + owner = "nix-community"; + repo = "home-manager"; + inputs.nixpkgs.follows = "nixpkgs"; }; - hostConfig = hostname: hostpath: nixpkgs.lib.nixosSystem { - specialArgs = let - hostFilteredUsers = as.filterAttrs ( - name: value: let - userHostname = builtins.elemAt (st.splitString "@" name) 1; - in userHostname == hostname - ) users; - - hostUsers = as.mapAttrsToList ( - name: value: builtins.elemAt (st.splitString "@" name) 0 - ) 
hostFilteredUsers; - in { - inherit inputs; - inherit hostname; - "usernameList" = hostUsers; - }; - modules = [ - ./nixosModules - hostpath - ]; + flake-parts = { + type = "github"; + owner = "hercules-ci"; + repo = "flake-parts"; + inputs.nixpkgs-lib.follows = "nixpkgs"; + }; + + easy-hosts = { + type = "github"; + owner = "tgirlcloud"; + repo = "easy-hosts"; + }; + + lix = { + url = "https://git.lix.systems/lix-project/lix/archive/main.tar.gz"; + flake = false; + }; + + lix-module = { + url = "https://git.lix.systems/lix-project/nixos-module/archive/main.tar.gz"; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.lix.follows = "lix"; + }; + + niri = { + type = "github"; + owner = "sodiboo"; + repo = "niri-flake"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + sops-nix = { + type = "github"; + owner = "Mic92"; + repo = "sops-nix"; + inputs.nixpkgs.follows = "nixpkgs"; }; - in { - nixosConfigurations = builtins.mapAttrs (name: path: hostConfig name path) hosts; - homeConfigurations = builtins.mapAttrs (name: path: userConfig name path) users; }; } diff --git a/hosts/jibril/host.nix b/hosts/jibril/default.nix similarity index 100% rename from hosts/jibril/host.nix rename to hosts/jibril/default.nix diff --git a/hosts/juri/host.nix b/hosts/juri/default.nix similarity index 100% rename from hosts/juri/host.nix rename to hosts/juri/default.nix diff --git a/hosts/onizuka/host.nix b/hosts/onizuka/default.nix similarity index 100% rename from hosts/onizuka/host.nix rename to hosts/onizuka/default.nix diff --git a/hosts/juri/users/badtz/user.nix b/users/badtz@juri/user.nix similarity index 100% rename from hosts/juri/users/badtz/user.nix rename to users/badtz@juri/user.nix diff --git a/hosts/jibril/users/pan/user.nix b/users/pan@jibril/user.nix similarity index 100% rename from hosts/jibril/users/pan/user.nix rename to users/pan@jibril/user.nix 
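Review bot: `systems = [ "x86-64-linux" ];` and `easy-hosts.onlySystem = "x86-64-linux";` use a hyphen where Nix system strings use an underscore (the removed code had `system = "x86_64-linux";`), so no host will match; both should read `"x86_64-linux"`. The `onlySystem` line is additionally nested inside the `easy-hosts = { … }` attrset, which yields `easy-hosts.easy-hosts.onlySystem`; presumably `onlySystem = "x86_64-linux";` at the same level as `path` was intended. The shared module list imports `./nixModules`, while the modules added in the previous patch live under `nixosModules/` and the removed code imported `./nixosModules`, so this looks like a typo that silently drops every service module. From a supply-chain angle, `lix` and `lix-module` now fetch `archive/main.tar.gz` instead of the previous pinned `2.91.1-2` release; the lock file pins a hash, but each `nix flake update` will pull whatever `main` holds at that moment, so a tagged release or commit archive is the safer choice for the Nix implementation itself.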
diff --git a/hosts/juri/users/pan/user.nix b/users/pan@juri/user.nix
similarity index 100%
rename from hosts/juri/users/pan/user.nix
rename to users/pan@juri/user.nix
diff --git a/hosts/onizuka/users/pan/user.nix b/users/pan@onizuka/user.nix
similarity index 100%
rename from hosts/onizuka/users/pan/user.nix
rename to users/pan@onizuka/user.nix