All my system configs and packages in one repo

focaccia: cleanup, add secret for hysteria #3

merged opened by pluie.me targeting main from pluie/jj-srylpntywpzk
AT URI
at://did:plc:e4f33w5yt2m54tq6vsagpwiu/sh.tangled.repo.pull/3mcl5nsbsk622
+113 -66
Diff #0
+11 -61
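--- a/systems/focaccia/configuration.nix
+++ b/systems/focaccia/configuration.nix
@@ -7,17 +7,23 @@
     ../common.nix
     ./hardware-configuration.nix
     ./networking.nix
-    ../../modules/nixos/hysteria.nix
-    inputs.tangled.nixosModules.knot
+    ../../modules/nixos/hysteria.nix # TODO: move out
     inputs.sops-nix.nixosModules.sops
-    ./pds.nix
+
+    ./services/hysteria.nix
+    ./services/knot.nix
+    ./services/pds.nix
   ];
 
+  sops = {
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    defaultSopsFile = ./secrets/global.yaml;
+  };
+
   networking = {
     hostName = "focaccia";
     domain = "pluie.me";
     firewall = {
-      allowedUDPPorts = [ 53 ];
       allowedTCPPorts = [
         80
         443
@@ -45,69 +51,13 @@
     settings.PermitRootLogin = "prohibit-password";
   };
 
-  programs.mosh = {
-    enable = true;
-    openFirewall = true;
-  };
-
   users.users.root.openssh.authorizedKeys.keys = [
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbsavGX9rGRx5R+7ovLn+r7D/w3zkbqCik4bS31moSz"
   ];
 
-  boot.kernel.sysctl = {
-    "net.core.rmem_max" = 16777216;
-    "net.core.wmem_max" = 16777216;
-  };
-
-  services.hysteria = {
-    enable = true;
-    settings = {
-      listen = ":53";
-      acme = {
-        domains = [ "focaccia.pluie.me" ];
-        email = "srv@acc.pluie.me";
-      };
-      auth = {
-        type = "password";
-        password._secret = "/var/lib/hysteria/passwd";
-      };
-      masquerade = {
-        type = "proxy";
-        proxy = {
-          url = "https://news.ycombinator.com/";
-          rewriteHost = true;
-        };
-      };
-    };
-  };
-
   # Reverse proxy
   services.caddy = {
     enable = true;
     email = "srv@acc.pluie.me";
-    virtualHosts."pds.pluie.me" = {
-      extraConfig = ''
-        reverse_proxy :11037
-      '';
-    };
-    virtualHosts."knot.pluie.me" = {
-      extraConfig = ''
-        reverse_proxy :8964
-      '';
-    };
-  };
-
-  services.tangled.knot = {
-    enable = true;
-    openFirewall = false;
-
-    stateDir = "/var/lib/tangled-knot";
-    server = {
-      listenAddr = "0.0.0.0:8964";
-      internalListenAddr = "127.0.0.1:4698";
-      owner = "did:plc:e4f33w5yt2m54tq6vsagpwiu";
-      hostname = "knot.pluie.me";
-    };
   };
-
-}
+}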
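Review bot: The `# TODO: move out` left on the `../../modules/nixos/hysteria.nix` import in the first hunk can be closed in this same change the way the new knot.nix already does for its module: services/hysteria.nix would carry `imports = [ ../../../modules/nixos/hysteria.nix ];` and the line here is dropped, so the module and the host config that depends on it move together. Keeping the module import here while the service settings moved to services/hysteria.nix means the two files must be edited in lockstep. The new `sops` block is host-wide (it sets `defaultSopsFile = ./secrets/global.yaml` for every per-service `sops.secrets.*`), so a one-line comment such as `# Secrets are decrypted with the host SSH key; per-service entries live in ./secrets/` would tell a reader where the key material and the encrypted files come from.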
+25
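--- /dev/null
+++ b/systems/focaccia/secrets/global.yaml
@@ -0,0 +1,25 @@
+hysteria: ENC[AES256_GCM,data:W3s2hkKW+E91K44rKE3NNmok1LY=,iv:Ndr0HTC6XdxiXw/Lpd9hhhlpIpbISYv5k9btRJJi3ok=,tag:7sy5nmhShX0Ev3PznNe49A==,type:str]
+sops:
+  age:
+    - recipient: age1lh4sn2s9gxj2s3naqdl4wpmz3uhpd3p8l0jfy6k5hu6cu34uyygsdwadd5
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiaS9Ib2VTTjFxUXVxUkRo
+        YlR2QWl4Zk1RZzhLNlFleUpBanVaTDNNaWxnCjFBL3lZY2xBbnZPUTI0TmNqV1JK
+        WmJIZnVLcHk4a3N5UnFWeUtzOGsyVVEKLS0tIEFSZ3dXd0lXNnBJU2Z0VTlwVkpB
+        aEhwN0N1ZEVZeGJMYnU5L3pnMERtN0UK5/rGNBh0usXZ0Sdp6yu7eBiM2Vh4OZJc
+        h09+sPAFNX4kIWif+2nJk1xHbHngEHlN9OxsOuIWfNpULVqmwdtyCg==
+        -----END AGE ENCRYPTED FILE-----
+    - recipient: age1wtr58sze4sxjjzq9jmsq7ztkvkjakvnfzuqzn025p92htz7zsdesjpc2c8
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXZkRrWVdZM29FTmNXZ2lk
+        Wm16RUI0M1VNVndaN25QUk44cHN4RGpjSFEwCllJZkJjeWVLNDRBd3BnY0l3ejlS
+        TW4rVjFDOWwxZFBUZDcrUHlIREFLeUEKLS0tIFZXdnVod2ZrT0RtNFpITStJSUdo
+        WXN3LzdwZ2tXeEE0bUg1eXVkZk02ODAKOn6FoE48qmR+C1ALGzIjWMMWKOEh9WEW
+        iJ6Rdd7spZB1hRW/QJQ1+7K8hmPWDcxgZov+Nt7UoSz/p3G7DZjfjw==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2026-01-16T22:27:23Z"
+  mac: ENC[AES256_GCM,data:e1WezcXk68avrvH6n3QJUPE90Ge6W6h9BFTyXfdad8WCwzNU3RLZ1x/3nSE6chDU4uhDrs1YgyBV9yNpI+nLxLSEy1wBsxrScbLPsndn/SuAZzSdWAXGcw2Qj2pL9EGpBpXQWY3G+L6sGu2T7gySVGciqfXQT/bjOgokP1z9lsE=,iv:4EuiJoRPNebRtetzAoLbEYQGdwPrRi+ncS7ePTvuFII=,tag:LJNXOXc1whLnPXI4wJnJBQ==,type:str]
+  unencrypted_suffix: _unencrypted
+  version: 3.11.0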
+37
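--- /dev/null
+++ b/systems/focaccia/services/hysteria.nix
@@ -0,0 +1,37 @@
+{
+  config,
+  ...
+}:
+{
+  sops.secrets.hysteria = { };
+
+  networking.firewall.allowedUDPPorts = [ 53 ];
+
+  services.hysteria = {
+    enable = true;
+    settings = {
+      listen = ":53";
+      acme = {
+        domains = [ "focaccia.pluie.me" ];
+        email = "srv@acc.pluie.me";
+      };
+      auth = {
+        type = "password";
+        password._secret = config.sops.secrets.hysteria.path;
+      };
+      masquerade = {
+        type = "proxy";
+        proxy = {
+          url = "https://news.ycombinator.com/";
+          rewriteHost = true;
+        };
+      };
+    };
+  };
+
+  # CPU scheduling optimization for faster speeds :rocket:
+  boot.kernel.sysctl = {
+    "net.core.rmem_max" = 16777216;
+    "net.core.wmem_max" = 16777216;
+  };
+}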
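Review bot: `sops.secrets.hysteria = { };` on line 6 takes sops-nix's defaults, so the decrypted file is owned by root with mode 0400; unless the hysteria unit defined in the imported module runs as root, the service cannot read the path it is handed on line 20, so the entry should set `owner` (and `group`/`mode`) to the account the service runs under — the module is not part of this diff, so confirm which user it uses before relying on the default. The comment on line 32 misdescribes the sysctls it introduces: `net.core.rmem_max`/`net.core.wmem_max` raise the maximum socket receive/send buffer sizes and have nothing to do with CPU scheduling; `# Raise the max socket receive/send buffer sizes for the UDP listener` would be accurate. Opening UDP 53 (line 8) next to the `listen = ":53"` it serves (line 13) is good colocation; a comment tying them together, `# Must match the port in services.hysteria.settings.listen below`, keeps the two from drifting apart.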
+31
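--- /dev/null
+++ b/systems/focaccia/services/knot.nix
@@ -0,0 +1,31 @@
+{
+  inputs,
+  config,
+  ...
+}:
+let
+  cfg = config.services.tangled.knot.server;
+in
+{
+  imports = [
+
+
+    inputs.tangled.nixosModules.knot
+  ];
+
+  services.tangled.knot = {
+    enable = true;
+    openFirewall = false;
+
+    stateDir = "/var/lib/tangled-knot";
+    server = {
+      listenAddr = "0.0.0.0:8964";
+      internalListenAddr = "127.0.0.1:4698";
+      owner = "did:plc:e4f33w5yt2m54tq6vsagpwiu";
+      hostname = "knot.pluie.me";
+    };
+  };
+  services.caddy.virtualHosts.${cfg.hostname}.extraConfig = ''
+    reverse_proxy :8964
+  '';
+}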
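Review bot: `listenAddr = "0.0.0.0:8964"` on line 22 binds the knot's listener on every interface even though `openFirewall = false` and the only intended path to it is the Caddy `reverse_proxy :8964` on lines 28-30; binding it to loopback like the internal listener already is, `listenAddr = "127.0.0.1:8964";`, stops reachability of the port from depending solely on the firewall being up, unless something off-host must reach it directly. The two empty lines inside `imports` (lines 11-12) look like leftovers from the move and should be dropped. The upstream port in the Caddy block repeats the `8964` from `listenAddr`; a short comment such as `# Must match the port in services.tangled.knot.server.listenAddr` keeps the two in sync when one changes.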
+9 -5
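--- a/systems/focaccia/pds.nix
+++ b/systems/focaccia/services/pds.nix
@@ -1,14 +1,14 @@
 {
-  # inputs,
   config,
-  # lib,
-  # pkgs,
   ...
 }:
+let
+  cfg = config.services.bluesky-pds.settings;
+in
 {
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
   sops.secrets.bluesky-pds = {
-    sopsFile = ./secrets/bluesky-pds.env;
+    # Has to be a separate file since it's a .env file
+    sopsFile = ../secrets/bluesky-pds.env;
     format = "dotenv";
   };
 
@@ -22,6 +22,10 @@
     };
   };
 
+  services.caddy.virtualHosts.${cfg.PDS_HOSTNAME}.extraConfig = ''
+    reverse_proxy :${toString cfg.PDS_PORT}
+  '';
+
   # services.postgresql = {
   # enable = true;
   # authentication = ''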

History

1 round 0 comments
pluie.me submitted #0
1 commit
focaccia: cleanup, add secret for hysteria
1/1 success
pull request successfully merged