added sops

disabled quic
6 changed files with 157 additions and 190 deletions
--- a/config/files/builders
+++ b/config/files/builders
--- a/config/hosts/web-dus/configuration.nix
+++ b/config/hosts/web-dus/configuration.nix
@ -1,14 +1,4 @@
-{ config, inputs, pkgs, ... }: 
-let 
-  bmpPort = 11019;
-  kyouma-www = inputs.kyouma-www.packages.${config.nixpkgs.hostPlatform.system};
-  autoIndex = ''
-    autoindex on;
-    autoindex_exact_size off;
-    autoindex_format html;
-    autoindex_localtime on;
-  '';
-in { 
+{ config, inputs, pkgs, ... }: { 
  imports = [
    inputs.fernglas.nixosModules.default
    inputs.kyouma-www.nixosModules.default
@ -20,9 +10,8 @@ in {
  ];
  networking = {
    hostName = "web-dus";
-    # docker
    nftables.enable = mkForce false;
-    firewall.allowedTCPPorts = [ 80 443 bmpPort ];
+    firewall.allowedTCPPorts = [ 80 443 11019 ];
    firewall.allowedUDPPorts = [ 443 ];
  };
  systemd.network.networks."98-eth-default" = {
@ -48,7 +37,7 @@ in {
      collectors = {
        bmp_collector = {
          collector_type = "Bmp";
-          bind = "[::]:${toString bmpPort}";
+          bind = "[::]:11019";
          peers = {
            "45.150.123.0" = {};
          };
@ -56,56 +45,62 @@ in {
      }; 
    };
  };
-  services.nginx = {
-    createHost = {
-      "miau.zip" = { root = kyouma-www.default; };
-      "www.miau.zip" = { redirectTo = "miau.zip"; };
-      "www.kyouma.net" = { redirectTo = "kyouma.net"; };
-      "emily.cat" = { root = "/var/www/emily.cat/_site"; };
-      "www.emily.cat" = { redirectTo = "kyouma.net"; };
-      "www.cocaine.trade" = { redirectTo = "cocaine.trade"; };
+  kyouma.nginx.virtualHosts = let
+    kyouma-www = inputs.kyouma-www.packages.${config.nixpkgs.hostPlatform.system};
+    autoIndex = ''
+      autoindex on;
+      autoindex_exact_size off;
+      autoindex_format html;
+      autoindex_localtime on;
+    '';
+  in {
+    "miau.zip" = { root = kyouma-www.default; };
+    "www.miau.zip" = { redirectTo = "miau.zip"; };
+    "www.kyouma.net" = { redirectTo = "kyouma.net"; };
+    "emily.cat" = { root = "/var/www/emily.cat/_site"; };
+    "www.emily.cat" = { redirectTo = "kyouma.net"; };
+    "www.cocaine.trade" = { redirectTo = "cocaine.trade"; };

-      "redirect" = {
-        default = true;
-        reuseport = true;
-        useACMEHost = "kyouma.net";
-        extraConfig = ''
-          return 403;
-        '';
+    "redirect" = {
+      default = true;
+      reuseport = true;
+      useACMEHost = "kyouma.net";
+      extraConfig = ''
+        return 403;
+      '';
+    };
+    "cocaine.trade" = {
+      root = "/var/www/basti/cocaine.trade";
+      extraConfig = ''error_page 404 /404.html;'';
+      locations."/" = {
+        index = "index.html";
+        tryFiles = "$uri $uri.html =404";
      };
-      "cocaine.trade" = {
-        root = "/var/www/basti/cocaine.trade";
-        extraConfig = ''error_page 404 /404.html;'';
-        locations."/" = {
-          index = "index.html";
-          tryFiles = "$uri $uri.html =404";
+      locations."= /".extraConfig = ''rewrite ^ /index.html last;'';
+    };
+    "files.cocaine.trade" = {
+      useACMEHost = "cocaine.trade";
+      root = "/var/www/basti/files.cocaine.trade";
+      locations."/".extraConfig = autoIndex;
+    };
+    "kyouma.net" = {
+      root = kyouma-www.default; 
+      locations = {
+        "/assets/media/".root = kyouma-www.vid;
+        "/vyos/" = {
+          root = config.services.vyosBld.output;
+          extraConfig = autoIndex;
        };
-        locations."= /".extraConfig = ''rewrite ^ /index.html last;'';
-      };
-      "files.cocaine.trade" = {
-        useACMEHost = "cocaine.trade";
-        root = "/var/www/basti/files.cocaine.trade";
-        locations."/".extraConfig = autoIndex;
-      };
-      "kyouma.net" = {
-        root = kyouma-www.default; 
-        locations = {
-          "/assets/media/".root = kyouma-www.vid;
-          "/vyos/" = {
-            root = config.services.vyosBld.output;
-            extraConfig = autoIndex;
-          };
-          "/ihk/" = {
-            root = "/var/www/kyouma.net/ihk";
-            extraConfig = autoIndex;
-          };
+        "/ihk/" = {
+          root = "/var/www/kyouma.net/ihk";
+          extraConfig = autoIndex;
        };
      };
-      "lg.kyouma.net" = {
-        useACMEHost = "kyouma.net";
-        locations."/".root = inputs.fernglas.packages.${config.nixpkgs.hostPlatform.system}.fernglas-frontend;
-        locations."/api/".proxyPass = "http://${config.services.fernglas.settings.api.bind}";
-      };
+    };
+    "lg.kyouma.net" = {
+      useACMEHost = "kyouma.net";
+      locations."/".root = inputs.fernglas.packages.${config.nixpkgs.hostPlatform.system}.fernglas-frontend;
+      locations."/api/".proxyPass = "http://${config.services.fernglas.settings.api.bind}";
    };
  };
  security.acme.certs = {
--- a/config/services/nginx.nix
+++ b/config/services/nginx.nix
@ -11,7 +11,7 @@
  };
  services.nginx = {
    enable = true;
-    package = pkgs.nginxQuic;
+    #package = pkgs.nginxQuic;
    
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
--- a/flake.lock
+++ b/flake.lock
@ -165,7 +165,7 @@
    },
    "devshell": {
      "inputs": {
-        "flake-utils": "flake-utils_4",
+        "flake-utils": "flake-utils_2",
        "nixpkgs": [
          "nixvim",
          "nixpkgs"
@ -205,11 +205,38 @@
        "type": "github"
      }
    },
+    "dns": {
+      "inputs": {
+        "flake-utils": [
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1635273082,
+        "narHash": "sha256-EHiDP2jEa7Ai5ZwIf5uld9RVFcV77+2SUxjQXwJsJa0=",
+        "owner": "kirelagin",
+        "repo": "dns.nix",
+        "rev": "c7b9645da9c0ddce4f9de4ef27ec01bb8108039a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "kirelagin",
+        "repo": "dns.nix",
+        "type": "github"
+      }
+    },
    "fernglas": {
      "inputs": {
        "communities": "communities",
-        "flake-utils": "flake-utils",
-        "nixpkgs": "nixpkgs"
+        "flake-utils": [
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ]
      },
      "locked": {
        "lastModified": 1707317562,
@ -296,24 +323,6 @@
      "inputs": {
        "systems": "systems"
      },
-      "locked": {
-        "lastModified": 1705309234,
-        "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "flake-utils_2": {
-      "inputs": {
-        "systems": "systems_2"
-      },
      "locked": {
        "lastModified": 1710146030,
        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
@ -328,27 +337,9 @@
        "type": "github"
      }
    },
-    "flake-utils_3": {
-      "inputs": {
-        "systems": "systems_3"
-      },
-      "locked": {
-        "lastModified": 1705309234,
-        "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "flake-utils_4": {
+    "flake-utils_2": {
      "inputs": {
-        "systems": "systems_4"
+        "systems": "systems_2"
      },
      "locked": {
        "lastModified": 1701680307,
@ -364,9 +355,9 @@
        "type": "github"
      }
    },
-    "flake-utils_5": {
+    "flake-utils_3": {
      "inputs": {
-        "systems": "systems_5"
+        "systems": "systems_3"
      },
      "locked": {
        "lastModified": 1710146030,
@ -457,30 +448,11 @@
        "type": "github"
      }
    },
-    "home-manager_2": {
-      "inputs": {
-        "nixpkgs": [
-          "stylix",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1706001011,
-        "narHash": "sha256-J7Bs9LHdZubgNHZ6+eE/7C18lZ1P6S5/zdJSdXFItI4=",
-        "owner": "nix-community",
-        "repo": "home-manager",
-        "rev": "3df2a80f3f85f91ea06e5e91071fa74ba92e5084",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "home-manager",
-        "type": "github"
-      }
-    },
    "kyouma-www": {
      "inputs": {
-        "flake-utils": "flake-utils_3",
+        "flake-utils": [
+          "flake-utils"
+        ],
        "nixpkgs": [
          "nixpkgs"
        ]
@ -536,22 +508,6 @@
      }
    },
    "nixpkgs": {
-      "locked": {
-        "lastModified": 1707092692,
-        "narHash": "sha256-ZbHsm+mGk/izkWtT4xwwqz38fdlwu7nUUKXTOmm4SyE=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "faf912b086576fd1a15fca610166c98d47bc667e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_2": {
      "locked": {
        "lastModified": 1711163522,
        "narHash": "sha256-YN/Ciidm+A0fmJPWlHBGvVkcarYWSC+s3NTPk/P+q3c=",
@ -567,18 +523,18 @@
        "type": "github"
      }
    },
-    "nixpkgs_3": {
+    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1700856099,
-        "narHash": "sha256-RnEA7iJ36Ay9jI0WwP+/y4zjEhmeN6Cjs9VOFBH7eVQ=",
+        "lastModified": 1711819797,
+        "narHash": "sha256-tNeB6emxj74Y6ctwmsjtMlzUMn458sBmwnD35U5KIM4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "0bd59c54ef06bc34eca01e37d689f5e46b3fe2f1",
+        "rev": "2b4e3ca0091049c6fbb4908c66b05b77eaef9f0c",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixpkgs-unstable",
+        "ref": "release-23.11",
        "repo": "nixpkgs",
        "type": "github"
      }
@ -614,7 +570,7 @@
    "pre-commit-hooks": {
      "inputs": {
        "flake-compat": "flake-compat_2",
-        "flake-utils": "flake-utils_5",
+        "flake-utils": "flake-utils_3",
        "gitignore": "gitignore",
        "nixpkgs": [
          "nixvim",
@ -642,16 +598,39 @@
    "root": {
      "inputs": {
        "disko": "disko",
+        "dns": "dns",
        "fernglas": "fernglas",
-        "flake-utils": "flake-utils_2",
+        "flake-utils": "flake-utils",
        "home-manager": "home-manager",
        "kyouma-www": "kyouma-www",
        "nixos-hardware": "nixos-hardware",
-        "nixpkgs": "nixpkgs_2",
+        "nixpkgs": "nixpkgs",
        "nixvim": "nixvim",
+        "sops-nix": "sops-nix",
        "stylix": "stylix"
      }
    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1711855048,
+        "narHash": "sha256-HxegAPnQJSC4cbEbF4Iq3YTlFHZKLiNTk8147EbLdGg=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "99b1e37f9fc0960d064a7862eb7adfb92e64fa10",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
    "stylix": {
      "inputs": {
        "base16": "base16",
@ -665,8 +644,12 @@
        "base16-vim": "base16-vim",
        "flake-compat": "flake-compat_3",
        "gnome-shell": "gnome-shell",
-        "home-manager": "home-manager_2",
-        "nixpkgs": "nixpkgs_3"
+        "home-manager": [
+          "home-manager"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ]
      },
      "locked": {
        "lastModified": 1711224130,
@ -726,36 +709,6 @@
        "repo": "default",
        "type": "github"
      }
-    },
-    "systems_4": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
-    "systems_5": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@ -3,13 +3,21 @@
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
    nixos-hardware.url = "github:nixos/nixos-hardware";
-    fernglas.url = "github:wobcom/fernglas";
    flake-utils.url = "github:numtide/flake-utils";
-    stylix.url = "github:danth/stylix";
    disko = {
      url = "github:nix-community/disko";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+    dns = {
+      url = "github:kirelagin/dns.nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.flake-utils.follows = "flake-utils";
+    };
+    fernglas = {
+      url = "github:wobcom/fernglas";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.flake-utils.follows = "flake-utils";
+    };
    home-manager = {
      url = "github:nix-community/home-manager";
      inputs.nixpkgs.follows = "nixpkgs";
@ -17,15 +25,25 @@
    kyouma-www = {
      url = "git+https://git.bsd.gay/snaki/kyouma-net.git";
      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.flake-utils.follows = "flake-utils";
    };
    nixvim = {
      url = "github:nix-community/nixvim";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.home-manager.follows = "home-manager";
    };
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    stylix = {
+      url = "github:danth/stylix";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.home-manager.follows = "home-manager";
+    };
  };

-  nixConfig = {
+  nixConfig = rec {
    builders-use-substitutes = true;
    builders = "ssh://nixremote@seras.kyouma.net x86_64-linux,aarch64-linux - 40 5 nixos-test,benchmark,big-parallel,kvm";
  };
@ -39,7 +57,7 @@
    in {
      meta = {
        allowApplyAll = false;
-        machinesFile = ./builders;
+        machinesFile = ./config/files/builders;
        nixpkgs = nixpkgs.legacyPackages.x86_64-linux;
        nodeNixpkgs = {
          lain = nixpkgs.legacyPackages.aarch64-linux;
@ -79,7 +97,7 @@
 #      default = newhost;
 #    };
    devShells.default = pkgs.mkShell {
-      packages = [ pkgs.colmena ];
+      packages = [ pkgs.colmena pkgs.sops ];
    };
  });
 }
--- a/modules/vhost/default.nix
+++ b/modules/vhost/default.nix
@ -1,7 +1,7 @@
 { config, lib, ... }:

 with lib; let
-  cfg = config.services.nginx.createHost;
+  cfg = config.kyouma.nginx.virtualHosts;
  extraConfig = ''
    add_header Strict-Transport-Security 	$hsts_header;
    #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
@ -12,8 +12,9 @@ with lib; let
  '';
  virtHostCfg = {
    forceSSL = true;
-    http3 = true;
-    quic = true; 
+    #kTLS = true;
+    #http3 = true;
+    #quic = true; 
  };
  createHostFunc = builtins.mapAttrs (vhostName: vhostCfg:
    with lib; let
@ -34,7 +35,7 @@ with lib; let
  );
 in {
  options = {
-    services.nginx.createHost = mkOption {
+    kyouma.nginx.virtualHosts = mkOption {
      type = with types; nullOr anything;
      default = null;
    };
Author	SHA1	Message	Date
emily	08cb22582f	added sops	1 month ago
emily	5b102f2be1	disabled quic	1 month ago