yep, more dotfiles

weird-row-server: configure agnos

wiro.world 75b73a99 1d5f04f9

+74 -11
+64
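--- a/hosts/weird-row-server/agnos.nix
+++ b/hosts/weird-row-server/agnos.nix
@@ -0,0 +1,64 @@
+{
+  config,
+  ...
+}:
+
+{
+  config = {
+    local.ports.agnos = {
+      number = 53;
+      public = true;
+      tcp = false; # let agnos manage the firewall
+    };
+
+    # disable dns stub listener or agnos cannot bind
+    services.resolved.extraConfig = ''
+      DNSStubListener=no
+    '';
+
+    age.secrets.agnos-account-key = {
+      file = secrets/agnos-account-key.age;
+      owner = config.security.agnos.user;
+    };
+    security.agnos = {
+      enable = true;
+      temporarilyOpenFirewall = true;
+      settings = {
+        dns_listen_addr = "0.0.0.0:53";
+
+        accounts = [
+          {
+            email = "admin@wiro.world";
+            private_key_path = config.age.secrets.agnos-account-key.path;
+            certificates = [
+              {
+                domains = [
+                  "wiro.world"
+                  "*.wiro.world"
+                ];
+                fullchain_output_file = "wiro.world_fullchain.pem";
+                key_output_file = "wiro.world_privkey.pem";
+              }
+              {
+                domains = [
+                  "pds.wiro.world"
+                  "*.pds.wiro.world"
+                ];
+                fullchain_output_file = "pds.wiro.world_fullchain.pem";
+                key_output_file = "pds.wiro.world_privkey.pem";
+              }
+              {
+                domains = [
+                  "net.wiro.world"
+                  "*.net.wiro.world"
+                ];
+                fullchain_output_file = "net.wiro.world_fullchain.pem";
+                key_output_file = "net.wiro.world_privkey.pem";
+              }
+            ];
+          }
+        ];
+      };
+    };
+  };
+}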
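Review bot: `local.ports.agnos.public = true` and `security.agnos.temporarilyOpenFirewall = true` both appear to govern the same UDP/53 opening, so one of them is probably redundant and the `# let agnos manage the firewall` comment on the `tcp = false` line does not say which one wins. If `local.ports.*.public` opens the port in the host firewall (as it presumably does for the other services), UDP/53 stays reachable from the internet between renewals and the agnos option is moot; if it only registers the port for bookkeeping, say so, e.g. `# public = true only records the port; the firewall is opened by agnos for the duration of a challenge (temporarilyOpenFirewall)`. The `DNSStubListener=no` line also deserves a comment beyond "agnos cannot bind": disabling the stub changes how the host itself resolves names if /etc/resolv.conf still points at 127.0.0.53, so confirm local resolution after deploy and note the expectation, e.g. `# host resolution must not depend on the 127.0.0.53 stub after this`.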
+2
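--- a/hosts/weird-row-server/default.nix
+++ b/hosts/weird-row-server/default.nix
@@ -23,6 +23,7 @@
       srvos.nixosModules.hardware-hetzner-cloud
       srvos.nixosModules.mixins-terminfo
 
+      ./agnos.nix
       ./authelia.nix
       ./goatcounter.nix
       ./grafana.nix
@@ -137,6 +138,7 @@
   };
 
   age.secrets.caddy-env.file = secrets/caddy-env.age;
+  users.users.caddy.extraGroups = [ "agnos" ];
   services.caddy = {
     enable = true;
     package = pkgs.caddy.withPlugins {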
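Review bot: `users.users.caddy.extraGroups = [ "agnos" ];` in the second hunk grants caddy read access to every private key agnos writes, not only the three it serves, and it silently relies on agnos writing its key files group-readable; if agnos writes them 0600 the `tls <cert> <key>` directives added in lldap.nix, pds.nix, thelounge.nix and warrior.nix fail at start-up, so confirm the file mode before relying on this. A short comment would make the dependency explicit: `# caddy reads the agnos-issued certificates and keys from /var/lib/agnos; requires the files to be group-readable`. Both hunks sit inside attribute sets whose start and end lie outside the hunk.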
+2 -1
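--- a/hosts/weird-row-server/lldap.nix
+++ b/hosts/weird-row-server/lldap.nix
@@ -37,8 +37,9 @@
   };
 
   services.caddy = {
-    virtualHosts."http://${globals.domains.lldap}".extraConfig = ''
+    virtualHosts.${globals.domains.lldap}.extraConfig = ''
       bind tailscale/ldap
+      tls /var/lib/agnos/net.wiro.world_fullchain.pem /var/lib/agnos/net.wiro.world_privkey.pem
       reverse_proxy http://localhost:${toString config.services.lldap.settings.http_port}
     '';
   };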
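Review bot: The added `tls` line hard-codes `/var/lib/agnos/net.wiro.world_fullchain.pem` and `/var/lib/agnos/net.wiro.world_privkey.pem`, and the identical pair is repeated in thelounge.nix and warrior.nix (pds.nix repeats the pattern with the pds files), so a change to the agnos state directory or to the `*_output_file` names in agnos.nix has to be tracked down in four modules. Define the pair once — a `let` binding or an entry next to `globals.domains` — and reference it from each virtual host; the `fullchain_output_file`/`key_output_file` values in agnos.nix are the single source these paths should derive from. Dropping the `http://` scheme moves these tailnet-bound hosts from plain HTTP to TLS, which is the point of the change, but it is worth one line in the commit message that existing plain-HTTP clients now presumably meet Caddy's default redirect rather than the old listener. The enclosing module begins and ends outside the hunk.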
+1 -8
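--- a/hosts/weird-row-server/pds.nix
+++ b/hosts/weird-row-server/pds.nix
@@ -25,17 +25,10 @@
   };
 
   services.caddy = {
-    globalConfig = ''
-      on_demand_tls {
-        ask http://localhost:${config.local.ports.pds.string}/tls-check
-      }
-    '';
-
     virtualHosts.${globals.domains.pds} = {
-      # TODO: use wildcard certificate
       serverAliases = [ "*.${globals.domains.pds}" ];
       extraConfig = ''
-        tls { on_demand }
+        tls /var/lib/agnos/pds.wiro.world_fullchain.pem /var/lib/agnos/pds.wiro.world_privkey.pem
         reverse_proxy http://localhost:${toString config.services.bluesky-pds.settings.PDS_PORT}
       '';
     };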
hosts/weird-row-server/secrets/agnos-account-key.age

This is a binary file and will not be displayed.

+1
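--- a/hosts/weird-row-server/secrets/default.nix
+++ b/hosts/weird-row-server/secrets/default.nix
@@ -4,6 +4,7 @@
   deploy = servers ++ users;
 in
 {
+  "agnos-account-key.age".publicKeys = deploy;
   # Defines `TS_AUTHKEY`, `HETZNER_API_TOKEN`
   "caddy-env.age".publicKeys = deploy;
   "authelia-issuer-private-key.age".publicKeys = deploy;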
+2 -1
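--- a/hosts/weird-row-server/thelounge.nix
+++ b/hosts/weird-row-server/thelounge.nix
@@ -22,8 +22,9 @@
   };
 
   services.caddy = {
-    virtualHosts."http://${globals.domains.thelounge}".extraConfig = ''
+    virtualHosts.${globals.domains.thelounge}.extraConfig = ''
       bind tailscale/irc-lounge
+      tls /var/lib/agnos/net.wiro.world_fullchain.pem /var/lib/agnos/net.wiro.world_privkey.pem
       reverse_proxy http://localhost:${toString config.services.thelounge.port}
     '';
   };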
+2 -1
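--- a/hosts/weird-row-server/warrior.nix
+++ b/hosts/weird-row-server/warrior.nix
@@ -21,8 +21,9 @@
   };
 
   services.caddy = {
-    virtualHosts."http://${globals.domains.warrior}".extraConfig = ''
+    virtualHosts.${globals.domains.warrior}.extraConfig = ''
       bind tailscale/warrior
+      tls /var/lib/agnos/net.wiro.world_fullchain.pem /var/lib/agnos/net.wiro.world_privkey.pem
       reverse_proxy http://localhost:${config.local.ports.warrior.string}
     '';
   };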