M .sops.yaml => .sops.yaml +7 -0
@@ 2,6 2,7 @@ keys:
- &liljamo_gpg 848EEBCEE9F0D29D25C321A658577946A65EB712
- &arwen age15hcszwfk0d6cu9ua6g4udj9tdq63jm8lja66ktxu0fjfuczczcwsm5kcxn
- &alice age1pqjj62u9u3x658a5u47nf7uf0cfek2ht09ztqamjfl7j8s2xeduqx5cfnn
+ - &dns age1m5ktjargxxu04dn9c2uhvaw79z74mxsc4vdrkalxjn4aa8c86plqg0hyyw
creation_rules:
- path_regex: secrets/arwen/[^/]+\.yaml$
key_groups:
@@ 15,3 16,9 @@ creation_rules:
- *liljamo_gpg
age:
- *alice
+ - path_regex: secrets/dns/[^/]+\.yaml$
+ key_groups:
+ - pgp:
+ - *liljamo_gpg
+ age:
+ - *dns
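Review bot: The new `path_regex: secrets/dns/[^/]+\.yaml$` is anchored only at the end, and sops evaluates creation rules as an unanchored search on the file path, so a file such as `old/secrets/dns/x.yaml` anywhere in the tree would also be encrypted to the dns key; `path_regex: ^secrets/dns/[^/]+\.yaml$` pins the rule to the intended directory. The existing arwen/alice rules use the same unanchored form, so this is consistent with them rather than a regression, but the new rule is a reasonable place to start tightening.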
A hosts/dns/default.nix => hosts/dns/default.nix +17 -0
@@ 0,0 1,17 @@
+{config, ...}: {
+ sops.secrets.rootPwd.neededForUsers = true;
+ sops.secrets.liljamoPwd.neededForUsers = true;
+
+ roles.base = {
+ root.hashedPasswordFile = config.sops.secrets.rootPwd.path;
+ primaryUser = {
+ username = "liljamo";
+ hashedPasswordFile = config.sops.secrets.liljamoPwd.path;
+ };
+ };
+
+ roles.tailscale = {
+ enable = true;
+ enableSSH = true;
+ };
+}
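Review bot: Which of `hosts/dns/default.nix` and the new `systems/hosts/dns/default.nix` reaches the dns host's module set is not visible in this commit: `systems/hosts/default.nix` registers dns with `modules = [];`, so both files are presumably picked up by a path convention elsewhere, and a header comment such as `# Host secrets and roles; the blocky service config lives in systems/hosts/dns/default.nix` would make the split explicit. `sops.secrets.rootPwd.neededForUsers = true;` also assumes `sops.defaultSopsFile` resolves to a file that defines `rootPwd`, which with the lxc profile depends on `networking.hostName` being `dns`; a short comment on the `roles.base` block stating that dependency would help the next reader.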
M roles/prometheus.nix => roles/prometheus.nix +12 -0
@@ 20,6 20,7 @@ in {
enable = lib.mkEnableOption "node exporter";
port = lib.mkOption {
type = lib.types.port;
+ default = 9100;
};
extraFlags = lib.mkOption {
type = lib.types.listOf lib.types.str;
@@ 32,6 33,10 @@ in {
type = lib.types.submodule {
options = {
enable = lib.mkEnableOption "systemd exporter";
+ port = lib.mkOption {
+ type = lib.types.port;
+ default = 9558;
+ };
};
};
};
@@ 41,12 46,19 @@ in {
};
config = {
+ networking.firewall.allowedTCPPorts = lib.mkIf cfg.exporters.openFirewall [
+ cfg.exporters.node.port
+ cfg.exporters.systemd.port
+ ];
+
services.prometheus.exporters = {
node = lib.mkIf cfg.exporters.node.enable {
+ enable = true;
port = cfg.exporters.node.port;
extraFlags = cfg.exporters.node.extraFlags;
};
systemd = lib.mkIf cfg.exporters.systemd.enable {
+ enable = true;
port = cfg.exporters.systemd.port;
};
};
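Review bot: `networking.firewall.allowedTCPPorts = lib.mkIf cfg.exporters.openFirewall [ ... ]` opens both exporter ports whenever `openFirewall` is set, even for an exporter whose `enable` is false, so a host running only the systemd exporter still gets 9100 opened with nothing listening behind it. Gating each port on its exporter keeps the firewall in step with what is actually bound: `networking.firewall.allowedTCPPorts = lib.mkIf cfg.exporters.openFirewall (lib.optional cfg.exporters.node.enable cfg.exporters.node.port ++ lib.optional cfg.exporters.systemd.enable cfg.exporters.systemd.port);`. The upstream `services.prometheus.exporters.<name>.openFirewall` option does this per exporter and could simply be passed through instead. The `openFirewall` option read here is declared outside the hunk, so I am assuming it is a plain boolean option.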
A secrets/dns/secrets.yaml => secrets/dns/secrets.yaml +34 -0
@@ 0,0 1,34 @@
+rootPwd: ENC[AES256_GCM,data:cuZt7paSCrVK7rp88SXhrFmko7YLIWgNG3KNmcelCBJBvoCAlLwSdfXMKljMGWTBB5qs+GQTSYlbPlqjRfWEX/imABrivg8YMGNn4o8O0hkWvyc9IYCGFVaTJkrB5gNpkMLEHda05Wvf/w==,iv:n+tuhDnyYIe9xl9YYPkhMnh5W/g3Ceg7E5Nuy5pu97s=,tag:aq37MjrsizGuwIHgDGt2dw==,type:str]
+liljamoPwd: ENC[AES256_GCM,data:MMissiTedcpmM7cWGm3PL3/7mrRMLcHatf4BHTcrR1BjGkpEuSIwFxQGgbhulj2Taa4djdL7013tS6Jbb+Hz/o/yL1SrKDD5w0y1hwXcjfDYTsys9uly5UoCtQDLG0gFn4FLxv00ATufdw==,iv:psHrWXFAsUKcgDnDjAOdAOo6bF8h8yr/MLyJeC1+cRI=,tag:BC4EaIT3Rqw/2W1LXxxIvA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1m5ktjargxxu04dn9c2uhvaw79z74mxsc4vdrkalxjn4aa8c86plqg0hyyw
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzUjk1RFVHS0FEdEVBUlll
+ UHdFMkF0c2pHeU03d1BCdS95SnY1QTNZanhzCmlXaEU3SzZwSXNxSzN2VGdYVGxy
+ ekplWlU2WlpZVVd3VWpVejR4eDMvZ00KLS0tIHFPU3BSbGhKS1FPMWhZdXNmQnVH
+ ZVRRZ1hkRllRd1BGTmU0STVQNWVGT1UKE4PBQjAlb0NCI8vrAv9GpsmJFBkR6qRw
+ 4RYHGreTyTgE1NLyf4d+AMIrTmfIXixx4SeiInO4tmMct6ds1gwMAw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-08-18T09:49:50Z"
+ mac: ENC[AES256_GCM,data:No+EUPIds/phGQHY+Lw/8Ict+iLn+0509oXcx2sW2OjGnGU3mJ4uFPrtpoEJ/JWyHUwKhVkuNmqNT4zYe+qVnGUYxnTDFnjcC+nlcIxIkI9vxQhDYruS0FitxuG6BK+6YLmOszmMIEHf2MZUfK5MFvPqAn2gQbzPXzNj+fzW2xo=,iv:seFsJRgJbrHATjTuJ1y55WrrOait56oXSjvB41i29kY=,tag:Zi0N+niUxzqhKytwAZ5RpA==,type:str]
+ pgp:
+ - created_at: "2024-08-18T09:36:11Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4D8ab0ENzkR4wSAQdAVIcbSeZWtHEDhkfeggDV3LSknWNTM4RIdFEm2rHonAQw
+ U3K6g+u+bjBdef2CjIgLeTGrY9/+W3ZdfqhQjAGrEYfY553NKbkOFwKXQvOkkZxK
+ 1GgBCQIQicMZu47070ML7Em5DW9u+npjWc2Mv37B4sWDbrMr+4v2HzHdKhmdpAXS
+ AlAZYs+AOVWrMEWzuAvfuqQzRSVM0QLRg0n+9ITCL5dfcAAQe/oUo+AOpsrvDn33
+ fsHSuGxQWapf2w==
+ =GCrz
+ -----END PGP MESSAGE-----
+ fp: 848EEBCEE9F0D29D25C321A658577946A65EB712
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
M systems/hosts/default.nix => systems/hosts/default.nix +1 -1
@@ 19,6 19,6 @@
dns = {
system = "x86_64-linux";
profile = lxc;
- moduels = [];
+ modules = [];
};
}
A systems/hosts/dns/default.nix => systems/hosts/dns/default.nix +102 -0
@@ 0,0 1,102 @@
+{...}: let
+ proxyAlias = "proxy.home.arpa";
+ proxyIP = "10.1.2.10";
+
+ defaultDnsServers = ["https://dns.quad9.net/dns-query"];
+ bootstrapDnsServers = ["9.9.9.9"];
+
+ portDns = 53;
+ portDoT = 853;
+ portWebDoH = 80;
+
+ rlUrl = ".rustylily.home.arpa";
+ uwUrl = ".uwulpine.home.arpa";
+in {
+ networking.firewall.allowedTCPPorts = [
+ portDoT
+ portWebDoH
+ ];
+ networking.firewall.allowedUDPPorts = [portDns];
+
+ services.blocky = {
+ enable = true;
+ settings = {
+ upstreams = {
+ groups = {
+ default = defaultDnsServers;
+ };
+ timeout = "2s";
+ };
+ customDNS = {
+ customTTL = "1h";
+ mapping = {
+ "${proxyAlias}" = proxyIP;
+
+ "dns${rlUrl}" = proxyIP;
+
+ "multi.media${rlUrl}" = proxyIP;
+ "books.media${rlUrl}" = proxyIP;
+ "nextcloud${rlUrl}" = proxyIP;
+
+ "metrics${rlUrl}" = proxyIP;
+
+ "portainer${uwUrl}" = proxyIP;
+ "registry${uwUrl}" = proxyIP;
+ "registryui${uwUrl}" = proxyIP;
+ };
+ };
+ blocking = {
+ blackLists = {
+ ads = [
+ "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
+ ];
+ };
+ whiteLists = {};
+ clientGroupsBlock = {
+ default = ["ads"];
+ };
+ # 'zeroIp' is default, and returns 0.0.0.0
+ # 'nxDomain' would return a NXDOMAIN code
+ blockType = "zeroIp";
+ blockTTL = "6h";
+ # how often to refresh lists
+ loading = {
+ downloads = {
+ timeout = "5m";
+ attempts = 5;
+ cooldown = "30s";
+ };
+ refreshPeriod = "4h";
+ strategy = "blocking";
+ };
+ };
+ caching = {
+ minTime = "0m";
+ maxTime = "60m";
+ maxItemsCount = 10000;
+ prefetching = false;
+ # cache NXDOMAIN results for only a short time
+ cacheTimeNegative = "5m";
+ };
+ prometheus = {
+ enable = true;
+ path = "/metrics";
+ };
+ minTlsServeVersion = "1.3";
+ bootstrapDns = bootstrapDnsServers;
+ ports = {
+ dns = portDns;
+ tls = portDoT;
+ http = portWebDoH;
+ };
+ log = {
+ level = "info";
+ format = "text";
+ timestamp = true;
+ privacy = true;
+ };
+ };
+ };
+
+ system.stateVersion = "24.05";
+}
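Review bot: Opening `portWebDoH` (80) in `networking.firewall.allowedTCPPorts` exposes more than DoH: blocky's HTTP listener also serves the Prometheus endpoint enabled under `prometheus = { enable = true; ... }` and blocky's unauthenticated REST API, which can change blocking state, to every client that can reach the host. Unless LAN clients are genuinely meant to use plain-HTTP DoH (which browsers and OS resolvers will not), consider leaving 80 out of the firewall or scoping it with `networking.firewall.interfaces."<scrape-interface>".allowedTCPPorts = [ portWebDoH ];` so only the metrics scraper reaches it; the name `portWebDoH` would then read more honestly as `portHttp`. The DoT listener on 853 with `minTlsServeVersion = "1.3"` has no `certFile`/`keyFile` in this config, so it presumably relies on blocky's self-signed fallback; a comment noting that clients must pin or skip verification would save someone a debugging session. The hard-coded `proxyIP`/`customDNS` map is fine for a home lab but deserves a one-line comment naming the reverse proxy those entries point at.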
M systems/profiles/lxc/default.nix => systems/profiles/lxc/default.nix +7 -1
@@ 1,11 1,17 @@
-inputs @ {sops-nix, ...}: {
+inputs @ {
+ home-manager,
+ sops-nix,
+ ...
+}: {
modules = [
sops-nix.nixosModules.sops
+ home-manager.nixosModules.home-manager
../../../modules
../../../roles
./lxc.nix
+ ./roles.nix
];
specialArgs = {
inherit inputs;
M systems/profiles/lxc/lxc.nix => systems/profiles/lxc/lxc.nix +2 -0
@@ 4,6 4,8 @@
lib,
...
}: {
+ sops.defaultSopsFile = ../../../secrets/${config.networking.hostName}/secrets.yaml;
+
boot.isContainer = true;
# Install new init script
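Review bot: `sops.defaultSopsFile = ../../../secrets/${config.networking.hostName}/secrets.yaml;` makes every host on the lxc profile require a `secrets/<hostName>/secrets.yaml`, and a host without one fails evaluation on a missing path rather than with a message naming the convention. A comment above the line, `# Every lxc host must ship secrets/<hostName>/secrets.yaml, encrypted to that host's age key in .sops.yaml`, would document that; the enclosing attrset starts before the hunk. It also ties the secret file to `networking.hostName`, so that option now has to be set by the host module before sops-nix evaluates — presumably it is, but that is not visible here.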
A systems/profiles/lxc/roles.nix => systems/profiles/lxc/roles.nix +15 -0
@@ 0,0 1,15 @@
+{
+ roles.prometheus.exporters = {
+ openFirewall = true;
+ node = {
+ enable = true;
+ extraFlags = [
+ "--collector.disable-defaults"
+ "--collector.filesystem"
+ "--collector.stat"
+ "--collector.time"
+ ];
+ };
+ systemd.enable = true;
+ };
+}
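Review bot: `openFirewall = true;` in a profile shared by all lxc hosts opens the node and systemd exporter ports on every interface of every container, and the exporters serve their metrics without authentication. If scraping happens over Tailscale, as the dns host's `roles.tailscale` suggests, scoping the rule to that interface (for example `networking.firewall.interfaces."tailscale0".allowedTCPPorts`) or pointing the exporters' `listenAddress` at the tailnet address keeps host metrics off the LAN; the role in roles/prometheus.nix would need a knob for that. A one-line comment here stating which scraper is expected to reach these hosts would make the intent reviewable.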