+2 -2

dns/dnsconfig.js

··· 55 55 DnsProvider(DSP_PRIMARY), 56 56 TRIMOUNTS( 57 57 [ 58 58 - "@", "pmart", "dash", "id", 58 58 + "@", "pmart", "dash", 59 59 "knot", "spindle", 60 60 "guestbook", 61 61 ], ··· 124 124 "ptr.pet", 125 125 REG_NONE, 126 126 DnsProvider(DSP_PRIMARY), 127 127 - TRIMOUNTS(["@", "tunes", "corpus", "x"], CF_PROXY_OFF), 127 127 + TRIMOUNTS(["@", "tunes", "corpus", "x", "id"], CF_PROXY_OFF), 128 128 DZWONEK(["nucleus", "trill", "dysnomia"], CF_PROXY_OFF), 129 129 TXT("_kicya", "3b11cb74243eea1fc84e62ffefd7e246279c2f203e1cae42e19d0454dc8d2172"), 130 130 // atproto

+5 -5

hosts/dzwonek/modules/headscale.nix/default.nix

··· 73 73 ]; 74 74 }; 75 75 oidc = { 76 76 - issuer = "https://id.gaze.systems"; 77 77 - client_id = "ba2c2024-f75f-49a2-a156-8593becfba28"; 78 78 - client_secret_path = config.age.secrets.headscaleOidcSecret.path; 79 79 - pkce.enabled = true; 80 80 - only_start_if_oidc_is_available = true; 76 76 + # issuer = "https://atlogin.net"; 77 77 + # client_id = "ptr-pet-at-atlogin-net-headscale-v1"; 78 78 + # client_secret_path = config.age.secrets.headscaleOidcSecret.path; 79 79 + # pkce.enabled = true; 80 80 + only_start_if_oidc_is_available = false; 81 81 }; 82 82 }; 83 83 };

+2 -2

hosts/dzwonek/modules/tailscale.nix

··· 1 1 - { config, ... }: 1 1 + { lib, config, ... }: 2 2 { 3 3 imports = [ ../../../modules/network/tailscale.nix ]; 4 4 ··· 7 7 8 8 services.tailscale = { 9 9 extraSetFlags = [ "--advertise-exit-node" ]; 10 10 - useRoutingFeatures = "both"; 10 10 + useRoutingFeatures = lib.mkForce "both"; 11 11 }; 12 12 }

+77

hosts/trimounts/modules/atlogin.disabled

··· 1 1 + { config, pkgs, terra, ... }: 2 2 + let 3 3 + rootDomain = "ptr.pet"; 4 4 + domain = "id.${rootDomain}"; 5 5 + 6 6 + cfg = { 7 7 + host = "127.0.0.1"; 8 8 + port = 9411; 9 9 + stateDir = "/var/lib/atlogin"; 10 10 + }; 11 11 + in { 12 12 + environment.systemPackages = [( 13 13 + pkgs.writeShellScriptBin "atlogin" ''${terra.atlogin}/bin/atlogin -state-dir=${cfg.stateDir} "$@"'' 14 14 + )]; 15 15 + 16 16 + # ensure state directory exists 17 17 + systemd.tmpfiles.rules = [ 18 18 + "d ${cfg.stateDir} 0700 atlogin atlogin -" 19 19 + ]; 20 20 + 21 21 + users.users.atlogin = { 22 22 + isSystemUser = true; 23 23 + group = "atlogin"; 24 24 + home = cfg.stateDir; 25 25 + }; 26 26 + users.groups.atlogin = {}; 27 27 + 28 28 + age.secrets.atloginCfg = { 29 29 + file = ../../../secrets/atloginCfg.age; 30 30 + owner = "atlogin"; 31 31 + mode = "0600"; 32 32 + }; 33 33 + 34 34 + # systemd service 35 35 + systemd.services.atlogin = { 36 36 + description = "atlogin oidc identity provider"; 37 37 + wantedBy = ["multi-user.target"]; 38 38 + after = ["network.target"]; 39 39 + 40 40 + preStart = '' 41 41 + ${pkgs.coreutils}/bin/cp -f ${config.age.secrets.atloginCfg.path} ${cfg.stateDir}/config.json 42 42 + ''; 43 43 + 44 44 + serviceConfig = { 45 45 + Type = "simple"; 46 46 + User = "atlogin"; 47 47 + Group = "atlogin"; 48 48 + ExecStart = "${terra.atlogin}/bin/atlogin -state-dir=${cfg.stateDir}"; 49 49 + Restart = "on-failure"; 50 50 + RestartSec = "5s"; 51 51 + # harden 52 52 + NoNewPrivileges = true; 53 53 + PrivateTmp = true; 54 54 + ProtectSystem = "strict"; 55 55 + ProtectHome = true; 56 56 + ReadWritePaths = [cfg.stateDir]; 57 57 + }; 58 58 + }; 59 59 + 60 60 + security.acme.certs.${rootDomain}.extraDomainNames = [domain]; 61 61 + services.nginx.virtualHosts.${domain} = { 62 62 + useACMEHost = rootDomain; 63 63 + forceSSL = true; 64 64 + quic = true; 65 65 + kTLS = true; 66 66 + 67 67 + locations."/" = { 68 68 + proxyPass = "http://${cfg.host}:${toString cfg.port}"; 69 69 + proxyWebsockets = true; 70 70 + }; 71 71 + 72 72 + # webfinger endpoint helper (as mentioned in the code comments) 73 73 + locations."/.well-known/webfinger" = { 74 74 + proxyPass = "http://${cfg.host}:${toString cfg.port}/helpers/webfinger"; 75 75 + }; 76 76 + }; 77 77 + }

+25

pkgs-set/pkgs/atlogin.nix

··· 1 1 + { 2 2 + buildGoModule, 3 3 + fetchFromGitHub, 4 4 + ... 5 5 + }: 6 6 + let 7 7 + rev = "943b11de2f5592a6680a826c67e763f292c664ff"; 8 8 + in 9 9 + buildGoModule { 10 10 + pname = "atlogin"; 11 11 + version = builtins.substring 0 8 rev; 12 12 + 13 13 + src = fetchFromGitHub { 14 14 + owner = "apenwarr"; 15 15 + repo = "atlogin"; 16 16 + inherit rev; 17 17 + hash = "sha256-E4B1zj3jYxVw9LKxLkJjNwa72UfrrkRJj4sxPnHhdsA="; 18 18 + }; 19 19 + 20 20 + vendorHash = "sha256-bmoNRyzxIKZmz7hzDKhMSulYZ67PmqpnDzYxtTQhI0o="; 21 21 + 22 22 + subPackages = ["cmd/atlogin"]; 23 23 + 24 24 + ldflags = ["-s" "-w"]; 25 25 + }

secrets/atloginCfg.age

This is a binary file and will not be displayed.

+15 -15

secrets/headscaleOidcSecret.age

··· 1 1 age-encryption.org/v1 2 2 -> ssh-rsa Abmvag 3 3 - iCAioy9OUeFw+o+gqWPf6lmUAt9XM5CfDYD343fGYdVSKi+8V8dJFVwaLEUd7hTl 4 4 - XunScV4IJzm4Ka2F0ILnOxdsnxmqy8nmWYyAX84hn8Y9+oJxjUL0tVhQ5tp7Mjwk 5 5 - VExB5OO3fi8ft7LDhAn8G0p9rzOMH+q2VsEq+yOcAREPcPJhbr8ggGiFtYMGOJHP 6 6 - DNtcwPDUmdagm0FEJYXpwNrx2Dt5VT1cTVBNUhwwFK54khFAAvBJgTDXl/4QEQJt 7 7 - 2gTNkYgVQbeijBgLNSZK506hKUKCLBn2DWUT7+njiLbho3No1lcFs0ywOcMRF8Ym 8 8 - qNmewkeWA0i2pIemeFUudhwBj2EoFAuS3fa2NP1fsGN03hQ2WyeSjsTnfu/9bb4Q 9 9 - VtsPKRBPlStsvKY3yYug/UvoTnGosgDcWYadUc8YA7250TbIQGT3A6AP/lJ7io64 10 10 - 26kQd7cPUIXxISUjqOwSlQYShqoEuUjTxad3rpa/G7W8ipFXQR7BdzVV1IZaYmWT 11 11 - OgVheJ5A9TfHbYG87+7TAZnKjYdYZ53AlZGfdTWb4hAHJVqByZ3LBcH74yuElFQS 12 12 - Og/3k2FPKrXHpFH09LhyM0ro3UPwHwpkMuKM/x+80HUZE0Ple+etSy1+umpDXlqN 13 13 - UftNwoLc1mvp+I5Nkc2M2+hwCRC81kl9lYq6f31xp+0 14 14 - -> ssh-ed25519 y5W/qA M8TkWQD89YNmflfSs86D1ago/yYM3B1ZG2/IHLkaYG4 15 15 - fb2gabcKsPzF8Njs7lz7P2S+7361CEoLGIJmRSNHJcM 16 16 - --- zAZubmMLjvK/7icW5btyg3KKOvjvSYmInXLuhhXpm6s 17 17 - ���9M*@$�0�/����gI�Y�0�m�����e�b\YK�Ǩ���P����*X�V����(�=q 3 3 + Z2CkWLzk0uI9J+Hy8orxxmVO+ZQ9HbmbNl69LbZ9rdZqbXUX5hBaFiu/HrIYCPu7 4 4 + 7SDTc1Q3qKSsKrNJ/zOLScBPmsvgg2It34nDRD+l171jSNezdOIN1EuWvQmOdFTw 5 5 + K6dNW6AUJUJCNZC4GZLT98mkA4R30h2ROdonZlZTtXYu05eiuobVD2kxKgBTtWNY 6 6 + VSa4UHO+8Y4+67foVebXMAXtF+2AYdmoxdQag2XRTDriFqxMSWWMEVDvH+54yxuZ 7 7 + 03bIaGrRWQgUWNUBR/teT7McQwgZkoBnUhcVl0jnGwyTz4YyPqPzRIZaF0lu+iC/ 8 8 + uwIl16483BDD3jX+HQNlZUlfMWEuv6nUhSHJgdk5LJvSAKuZ/tQcsVGfzJ6P2nhk 9 9 + A9SdFelIOU02Z4RzviFMu7gsxWROx8ftVIwm7UcDobUCpoeda8kmLZb2yp9bkAhc 10 10 + s8k7YUv6Fw9/IwrQHI2bLs/AdnC5TvN0h4V4WhmSJdG+x7uOcr0Bf8Egg0wlkNR5 11 11 + Z1R4pGQcZmn21hO48mdTXQIPgdyjMILONSthvL2F754gzUXR0ItuW2vTPsUiQjDj 12 12 + /pWxYn4J6fsLZulZO7hzrw+JpqQN/V6Ynn4Cai/XkNhoZnd6kOonRIvDMsL2UK62 13 13 + It8PtLVk2LiuMKki0rEjFhLpKsYC7cZA3g5RHiUuy2E 14 14 + -> ssh-ed25519 y5W/qA IKHTo5/MwhVyr55ap+NYQNgONiJ0mLl8eoHsWP7DliU 15 15 + BuqdJ4fPg7Jy7DtFR0pjLY9RE5sCtzAmFLESJj5dBig 16 16 + --- K24esprRHelD1k6vw11psKaNf9jUOEU0uMgK4dAkpYE 17 17 + gCR�N"����?��`�1q����<G�����e�N5��$B��>��uH������vu���1@-�v1���

+1

secrets/secrets.nix

··· 33 33 "atfileCfg.age".publicKeys = [yusdacra]; 34 34 "ziplineCfg.age".publicKeys = [yusdacra trimounts]; 35 35 "callieMusic.age".publicKeys = [yusdacra trimounts]; 36 36 + "atloginCfg.age".publicKeys = [yusdacra trimounts]; 36 37 }