Custom octodns setup!

2024-07-08 03:06:27 +02:00 · 2024-07-08 03:06:27 +02:00 · fd36e012f9
commit fd36e012f9
parent 9e853e9684
27 changed files with 434 additions and 59 deletions
--- a/hosts/nixos/common/global/default.nix
+++ b/hosts/nixos/common/global/default.nix
@ -54,4 +54,7 @@ in

    config.allowUnfree = true;
  };
+
+  # Root domain used throughout my config
+  satellite.dns.domain = "moonythm.dev";
 }
--- a/hosts/nixos/common/global/ports.nix
+++ b/hosts/nixos/common/global/ports.nix
@ -23,5 +23,6 @@
    forgejo = 8419;
    jupyterhub = 8420;
    guacamole = 8421;
+    syncthing = 8422;
  };
 }
--- a/hosts/nixos/common/optional/services/nginx.nix
+++ b/hosts/nixos/common/optional/services/nginx.nix
@ -1,6 +1,5 @@
 {
  imports = [ ./acme.nix ];
-  satellite.nginx.domain = "moonythm.dev"; # Root domain used throughout my config
  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
--- a/hosts/nixos/common/optional/services/syncthing.nix
+++ b/hosts/nixos/common/optional/services/syncthing.nix
@ -28,8 +28,15 @@ in

      extraOptions.options.crashReportingEnabled = false;
    };
+
+    guiAddress = "127.0.0.1:${toString config.satellite.ports.syncthing}";
+    settings.gui.insecureSkipHostcheck = true;
  };

+  # Expose gui interface via nginx
+  satellite.nginx.at."syncthing.${config.networking.hostName}".port =
+    config.satellite.ports.syncthing;
+
  # Syncthing seems to leak memory, so we want to restart it daily.
  systemd.services.syncthing.serviceConfig.RuntimeMaxSec = "1d";

--- a/hosts/nixos/common/secrets.yaml
+++ b/hosts/nixos/common/secrets.yaml
@ -1,6 +1,6 @@
 wireless: ENC[AES256_GCM,data:Ib0PdBd2r/DPyE6Ah9NffT8Tw8c2y+seGFrE0e9GkyRaStdYMiiIlWCiaBO0u1HHaVV+2MQ33MnMdqyCGRlqGk45kl0GIwVR5iAiSYnobj/6wcse+kx/+5mzNOHXD1kJRGJBm5+SN9ntiGABNkQXJdn/Qoc/ukY1uaGe2nBeFKmGdD9JL7KfgdI5jYjQYyDbCL9JUszxkXNcplIRBAAy8JDaBVeo9HgI0QDIZToPKwuEeQoA9XzdimrjbCazlZy3ZvjAuoQXmrc1nIRHF5GabSRGTFTnTfcBeW2fGpUxmIhLyucn2DIQBXLm+RDdMLWoqcGbKiLVqKyUXck3ZZyoHMf2b9N52xMUwcS7,iv:ozkDwWmurWTD8TZHGvWL9Yh8cOrP1PzSBkz+1bBZybo=,tag:iGPjRaOoGRcOWJMweTL2yA==,type:str]
 pilot_password: ENC[AES256_GCM,data:PiKJCv5x68O9HFM4UvqLnsSPtqFslBLeAg67OkvFAbw7WaqbXh/p5SQblhPHcJ7jQDc4kI3XesOxruZrfJ0aZNDV1g7MWecgKg==,iv:EVs/m83Zfx2NRQMO52cF6pCe1ETpYfaR6lmXg2Na/DI=,tag:dl2x1aTsaTgtHEZYdW2lmg==,type:str]
-cloudflare_dns_api_token: ENC[AES256_GCM,data:SAIMCvKOpGb5g9s03Xapc08KpOgLI+qlT5oiH/uNGxV+9JFSX3nvmQ==,iv:HFKcmHRG4EEOuJ8gRD0ZWsE18SLaZjewMSLznboLUeI=,tag:z21GURSxvNmZ4qkbri9mDQ==,type:str]
+cloudflare_dns_api_token: ENC[AES256_GCM,data:QlLxQ/4AQsdqdWJC//FRgbMRqR0Ni51JgCDlyXfNe4pfPtiPs+Gb6Q==,iv:7SS+EzeHk0J1DzVvKxd40AuZUidV2asoQbSr5vyxl+U=,tag:T1KGXOsZ26sICYbrcmU8+w==,type:str]
 backup_password: ENC[AES256_GCM,data:Tu7ODTALfQLX7Mbo/BqiM6gaErGv07urwN1iHwGgurKWDuuE1h5NMV5J0cJqW6orTIloVtoZTJgSJ2lZlMcfUQ==,iv:78ha833ZzgEDChIuGjCMVA89U4qY9lWqUmfPCiiQeQM=,tag:u8KWw/060UVP+OOoPhbjRA==,type:str]
 sops:
    kms: []
@ -35,8 +35,8 @@ sops:
            WFd4ZFNHWG5Cakw5cU9MRE9HWHQ4THMKr/S7v1Oj3zQziMtI/NuFVm6AaJF5JV5U
            sEr2nEptYFz4G6YL5psQGXHaKzQKBg+crgKRbYL4akhqT7pfYPC0bQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-29T22:07:18Z"
-    mac: ENC[AES256_GCM,data:HQJU1hZs8S4b8LAPdAg1/IuIX3VETXHrE/lKzODjCb/ndWV8Qh5v8OKg4X8xFw13PJpEeQqIznh6qplxMHJYGcYnUK/TSTP+399BZ3M0NLGWyF0vfFn1JIKu7zg8iHpi491/T+I6TDy5hp9+Y6V0sjpZ4pEzhZTwPW9t+NieSbQ=,iv:lNu0aLUO2P+2Mq7kVDGt6llshu5wgb++3VMX91w1a+8=,tag:WSoUh4XnRenvhb+vwLUpRg==,type:str]
+    lastmodified: "2024-07-08T00:25:56Z"
+    mac: ENC[AES256_GCM,data:v+p223kf9JLRMJ6moIpA5wZOemJY0+BSnX30MY8g28RBGaR+I7AbUHOrd+GUPAXLqwfqtrFdPt8pULT+fzuxL4wnlB9NPZxCYFMhSGGj8HysmDuytYXfSD1LZWD9fymE4KuyTZHv7I/coEM/iobbvutu9cmTKN05i1atjeh4B30=,iv:hPiQkvbeFjLyzTNoHMqqPikMPuDvT2X2iAo7JBlEpHY=,tag:fdHvvH+qPrv8UhwIA6aZSA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/hosts/nixos/lapetus/default.nix
+++ b/hosts/nixos/lapetus/default.nix
@ -1,4 +1,4 @@
-{
+{ config, ... }: {
  imports = [
    ../common/global
    ../common/users/pilot.nix
@ -7,6 +7,7 @@
    ../common/optional/services/kanata.nix
    ../common/optional/services/nginx.nix
    ../common/optional/services/postgres.nix
+    ../common/optional/services/syncthing.nix
    ../common/optional/services/restic

    # ./services/commafeed.nix
@ -30,7 +31,6 @@
    ./services/radicale.nix
    ./services/redlib.nix
    ./services/smos.nix
-    ./services/syncthing.nix
    ./services/vaultwarden.nix
    ./services/whoogle.nix
    ./services/zfs.nix
@ -49,4 +49,18 @@

  # Bootloader
  boot.loader.systemd-boot.enable = true;
+
+  # Tailscale internal IP DNS records
+  satellite.dns.records = [
+    {
+      at = config.networking.hostName;
+      type = "A";
+      value = "100.93.136.59";
+    }
+    {
+      at = config.networking.hostName;
+      type = "AAAA";
+      value = "fd7a:115c:a1e0::e75d:883b";
+    }
+  ];
 }
--- a/hosts/nixos/lapetus/services/forgejo.nix
+++ b/hosts/nixos/lapetus/services/forgejo.nix
@ -1,17 +1,12 @@
 { lib, config, ... }:
-let
-  port = config.satellite.ports.forgejo;
-  host = "git.moonythm.dev";
-  cfg = config.services.forgejo;
-in
 {
  sops.secrets.forgejo_mail_password = {
    sopsFile = ../secrets.yaml;
-    owner = cfg.user;
-    group = cfg.group;
+    owner = config.services.forgejo.user;
+    group = config.services.forgejo.group;
  };

-  satellite.cloudflared.at.${host}.port = port;
+  satellite.cloudflared.at.git.port = config.satellite.ports.forgejo;

  services.forgejo = {
    enable = true;
@ -30,9 +25,9 @@ in
      default.APP_NAME = "moonforge";

      server = {
-        DOMAIN = host;
-        HTTP_PORT = port;
-        ROOT_URL = "https://${host}";
+        DOMAIN = config.satellite.cloudflared.at.git.host;
+        HTTP_PORT = config.satellite.cloudflared.at.git.port;
+        ROOT_URL = config.satellite.cloudflared.at.git.host.url;
        LANDING_PAGE = "prescientmoon"; # Make my profile the landing page
      };

--- a/hosts/nixos/lapetus/services/homer.nix
+++ b/hosts/nixos/lapetus/services/homer.nix
@ -55,7 +55,7 @@ in
              name = "Syncthing";
              subtitle = "File synchronization";
              logo = icon "syncthing.png";
-              url = "https://lapetus.syncthing.moonythm.dev";
+              url = "https://syncthing.lapetus.moonythm.dev";
            }
            {
              name = "Guacamole";
--- a/hosts/nixos/lapetus/services/jupyter.nix
+++ b/hosts/nixos/lapetus/services/jupyter.nix
@ -18,7 +18,7 @@ in

  services.jupyterhub = {
    enable = true;
-    port = config.satellite.ports.jupyterhub;
+    port = config.satellite.cloudflared.at.jupyter.port;

    jupyterhubEnv = appEnv;
    jupyterlabEnv = appEnv;
@ -71,7 +71,7 @@ in
  };
  # }}}
  # {{{ Networking & storage
-  satellite.cloudflared.at."jupyter.moonythm.dev".port = config.services.jupyterhub.port;
+  satellite.cloudflared.at.jupyter.port = config.services.jupyterhub.port;

  environment.persistence."/persist/state".directories = [
    "/var/lib/${config.services.jupyterhub.stateDirectory}"
--- a/hosts/nixos/lapetus/services/microbin.nix
+++ b/hosts/nixos/lapetus/services/microbin.nix
@ -1,11 +1,7 @@
 { config, lib, ... }:
-let
-  port = config.satellite.ports.microbin;
-  host = "bin.moonythm.dev";
-in
 {
  sops.secrets.microbin_env.sopsFile = ../secrets.yaml;
-  satellite.cloudflared.at.${host}.port = port;
+  satellite.cloudflared.at.bin.port = config.satellite.ports.microbin;

  services.microbin = {
    enable = true;
@ -16,8 +12,8 @@ in
    settings = {
      # High level settings
      MICROBIN_ADMIN_USERNAME = "prescientmoon";
-      MICROBIN_PORT = toString port;
-      MICROBIN_PUBLIC_PATH = "https://bin.moonythm.dev/";
+      MICROBIN_PORT = toString config.satellite.cloudflared.at.bin.port;
+      MICROBIN_PUBLIC_PATH = config.satellite.cloudflared.at.bin.url;
      MICROBIN_DEFAULT_EXPIRY = "1week";

      # Disable online features
--- a/hosts/nixos/lapetus/services/pounce.nix
+++ b/hosts/nixos/lapetus/services/pounce.nix
@ -28,9 +28,22 @@ in
  # Configure pounce
  services.pounce = {
    enable = true;
-    externalHost = "irc.moonythm.dev";
-    bindHost = "irc.moonythm.dev";
+    externalHost = "irc.${config.satellite.dns.domain}";
+    bindHost = "irc.${config.satellite.dns.domain}";
    certDir = "/var/lib/acme/wildcard-irc.moonythm.dev";
    networks.tilde.config = config.sops.templates."pounce-tilde.cfg".path;
  };
+
+  satellite.dns.records = [
+    {
+      type = "CNAME";
+      at = "*.irc";
+      to = "irc";
+    }
+    {
+      type = "CNAME";
+      at = "irc";
+      to = config.networking.hostName;
+    }
+  ];
 }
--- a/hosts/nixos/lapetus/services/syncthing.nix
+++ b/hosts/nixos/lapetus/services/syncthing.nix
@ -1,12 +0,0 @@
-{ config, ... }:
-let port = 8384;
-in
-{
-  services.syncthing = {
-    settings.folders = { };
-    guiAddress = "127.0.0.1:${toString port}";
-    settings.gui.insecureSkipHostcheck = true;
-  };
-
-  satellite.nginx.at."lapetus.syncthing".port = port;
-}
--- a/hosts/nixos/tethys/default.nix
+++ b/hosts/nixos/tethys/default.nix
@ -1,4 +1,4 @@
-{ lib, pkgs, ... }: {
+{ config, lib, pkgs, ... }: {
  # {{{ Imports
  imports = [
    ../common/global
@ -72,4 +72,18 @@
  programs.dconf.enable = true;
  services.gnome.evolution-data-server.enable = true;
  services.gnome.gnome-online-accounts.enable = true;
+
+  # Tailscale internal IP DNS records
+  satellite.dns.records = [
+    # {
+    #   at = config.networking.hostName;
+    #   type = "A";
+    #   value = "100.93.136.59";
+    # }
+    # {
+    #   at = config.networking.hostName;
+    #   type = "AAAA";
+    #   value = "fd7a:115c:a1e0::e75d:883b";
+    # }
+  ];
 }