From aa9481ba733f532350f064a58ec89398937afd2a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vili=20Sinerv=C3=A4?=
Date: Tue, 14 Jan 2025 19:46:07 +0200
Subject: [PATCH 01/10] Revert "Disable NAT64 for debugging"

This reverts commit 53b6772ea685e41c39f7d86a98b31d1fabdbc2d9.
---
 machine-confs/nat64.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/machine-confs/nat64.nix b/machine-confs/nat64.nix
index 3e8f81f..b68b8e8 100644
--- a/machine-confs/nat64.nix
+++ b/machine-confs/nat64.nix
@@ -4,7 +4,7 @@
 imports = [
 ../base.nix
- # ../services/nat64.nix
+ ../services/nat64.nix
 ];
 # HARDWARE SPECIFIC
From ed237f2458f6e69474341ae943d4c649b52d53fe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vili=20Sinerv=C3=A4?=
Date: Tue, 14 Jan 2025 20:23:56 +0200
Subject: [PATCH 02/10] Remove Jool port forwarding for now, to diagnose nat64 issue

---
 services/nat64.nix | 36 ------------------------------------
 1 file changed, 36 deletions(-)

diff --git a/services/nat64.nix b/services/nat64.nix
index 0662315..bf6f298 100644
--- a/services/nat64.nix
+++ b/services/nat64.nix
@@ -5,42 +5,6 @@
 enable = true;
 nat64.default = {
 global.pool6 = "64:ff9b::/96"; # Default value made explicit for clarity
-
- # Port forwarding
- bib = [
- {
- # ExoPlaSim WireGuard
- "protocol" = "UDP";
- "ipv4 address" = "192.168.1.2#51821";
- "ipv6 address" = "fd08:d473:bcca:1:210:3292:4922:b9aa#51821";
- }
- ];
-
- pool4 = [
- # Ports for static BIB entries
- {
- protocol = "UDP";
- prefix = "192.168.1.2/32";
- "port range" = "51821";
- }
-
- # Port ranges for dynamic translation
- {
- protocol = "TCP";
- prefix = "192.168.1.2/32";
- "port range" = "30001-50000";
- }
- {
- protocol = "UDP";
- prefix = "192.168.1.2/32";
- "port range" = "30001-50000";
- }
- {
- protocol = "ICMP";
- prefix = "192.168.1.2/32";
- "port range" = "30001-50000";
- }
- ];
 };
 };
 };
From ad8b7f036e441b77f51eef21b5d088762489c967 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vili=20Sinerv=C3=A4?=
Date: Tue, 14 Jan 2025 20:48:57 +0200
Subject: [PATCH 03/10] Revert "Add back IPv6 privacy addresses"

This reverts commit 71803b14ecfd4f2b4c991aaaf73cc67ff63f2a63.
---
 base.nix | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/base.nix b/base.nix
index 5d75e24..a6df078 100644
--- a/base.nix
+++ b/base.nix
@@ -162,8 +162,11 @@
 ######################################## Misc. ##################################################
 nixpkgs.config.allowUnfree = true;
- # Easiest to use and most distros use this by default.
- networking.networkmanager.enable = true;
+ networking = {
+ # Easiest to use and most distros use this by default.
+ networkmanager.enable = true;
+ tempAddresses = "disabled";
+ };
 users.mutableUsers = false; # Force all user management to happen throught nix-files
From b7c9439744dff0b22af82571120bc0b9831b80aa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vili=20Sinerv=C3=A4?=
Date: Tue, 14 Jan 2025 20:49:19 +0200
Subject: [PATCH 04/10] Revert "Disable IPv6 privacy for two machines"

This reverts commit c357f0f9c5755827d2f6804f1da289e7eb9cbd25.
---
 machine-confs/helium.nix | 1 -
 machine-confs/lithium.nix | 1 -
 2 files changed, 2 deletions(-)

diff --git a/machine-confs/helium.nix b/machine-confs/helium.nix
index 18c14b0..9dfcd7e 100644
--- a/machine-confs/helium.nix
+++ b/machine-confs/helium.nix
@@ -2,7 +2,6 @@
 {
 networking = {
 hostName = "helium";
- tempAddresses = "disabled"; # For IP-based filtering to work better
 wg-quick.interfaces = {
 wg0 = {
diff --git a/machine-confs/lithium.nix b/machine-confs/lithium.nix
index 4257108..3c095ae 100644
--- a/machine-confs/lithium.nix
+++ b/machine-confs/lithium.nix
@@ -2,7 +2,6 @@
 {
 networking = {
 hostName = "lithium";
- tempAddresses = "disabled"; # For IP-based filtering to work better
 wg-quick.interfaces = {
 wg0 = {
From 1522891a49026d6356198d6b52b7ff0d3a84f5b8 Mon Sep 17 00:00:00 2001
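Review bot: The new `tempAddresses = "disabled";` in the base.nix hunk now applies to every host that imports base.nix, yet it carries no comment saying why, whereas the per-machine version being removed in PATCH 04/10 at least said `# For IP-based filtering to work better`. Turning off IPv6 privacy extensions fleet-wide trades address unlinkability for a stable address, so the reason belongs next to the line, e.g. `tempAddresses = "disabled"; # Stable IPv6 addresses so IP-based filtering on peers works; disables RFC 4941 privacy addresses on all hosts`. That also tells the next reader whether a per-host override is still wanted for laptops that leave the home network.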
From: =?UTF-8?q?Vili=20Sinerv=C3=A4?=
Date: Tue, 14 Jan 2025 21:10:29 +0200
Subject: [PATCH 05/10] Add dyndns to exoplasim

---
 machine-confs/exoplasim.nix | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/machine-confs/exoplasim.nix b/machine-confs/exoplasim.nix
index 2fe83cb..b4c2754 100644
--- a/machine-confs/exoplasim.nix
+++ b/machine-confs/exoplasim.nix
@@ -29,6 +29,16 @@
 };
 };
+ services.ddclient = {
+ enable = true;
+ usev4 = "";
+ usev6 = "ifv6, ifv6=enp6s18";
+ username = "vsinerva.fi-dynexo";
+ domains = [ "exovpn.vsinerva.fi" ];
+ passwordFile = "/var/lib/ddclient/password";
+ server = "www.ovh.com";
+ };
+
 # User worker
 users.users.worker = {
 isNormalUser = true;
From 98192942be047c7a6ab9f05ec38b8eec64bc2ccd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vili=20Sinerv=C3=A4?=
Date: Wed, 15 Jan 2025 00:29:25 +0200
Subject: [PATCH 06/10] Adjust nginx settings

---
 services/nextcloud.nix | 3 +++
 services/vaultwarden.nix | 5 ++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/services/nextcloud.nix b/services/nextcloud.nix
index 58706ad..5d9041c 100644
--- a/services/nextcloud.nix
+++ b/services/nextcloud.nix
@@ -28,6 +28,9 @@
 nginx = {
 recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ recommendedProxySettings = true;
 virtualHosts.${config.services.nextcloud.hostName} = {
 forceSSL = true;
diff --git a/services/vaultwarden.nix b/services/vaultwarden.nix
index 189cddc..7e05a7d 100644
--- a/services/vaultwarden.nix
+++ b/services/vaultwarden.nix
@@ -36,6 +36,9 @@
 nginx = {
 enable = true;
 recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ recommendedProxySettings = true;
 virtualHosts."vaultwarden.vsinerva.fi" = {
 forceSSL = true;
@@ -43,7 +46,7 @@
 enableACME = true;
 acmeRoot = null;
 locations."/" = {
- proxyPass = "http://127.0.0.1:8000";
+ proxyPass = "http://localhost:8000";
 };
 };
 };
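Review bot: `passwordFile = "/var/lib/ddclient/password";` in the exoplasim hunk references a secret that nothing in this patch provisions, and neither the hunk nor the commit message says how the file gets onto the host or with what owner and mode; `usev4 = "";` is likewise unexplained. A comment on those two lines would save the next rebuild from a silently non-updating dyndns record, e.g. `# Created by hand on the host, 0400, owned by the user ddclient runs as; IPv4 lookup deliberately off, this record is IPv6-only`, adjusted to whatever is actually true. Whether the NixOS ddclient module hands the file to the service as a credential or the service user must read it directly depends on the module version, so the file's ownership should be checked against that rather than assumed.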
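Review bot: Changing `proxyPass` from `http://127.0.0.1:8000` to `http://localhost:8000` in the second vaultwarden.nix hunk makes the upstream depend on how nginx resolves `localhost` when it loads its config: where the name maps to both `::1` and `127.0.0.1`, nginx may pick the IPv6 loopback first, and if Vaultwarden binds only 127.0.0.1 those requests fail. The hunk does not show Vaultwarden's bind address, so whether this breaks cannot be told from here; if the change was made to reach an IPv6-only listener, `proxyPass = "http://[::1]:8000";` is deterministic, and otherwise the literal `127.0.0.1` was the safer form. The same `http://localhost:8000` target is introduced in the new services/gitea.nix in PATCH 07/10.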
From c1f7c5b93ac4a12b6cd4d2374f4b4de7bad4c073 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vili=20Sinerv=C3=A4?=
Date: Wed, 15 Jan 2025 00:33:35 +0200
Subject: [PATCH 07/10] Initial Gitea conf

---
 services/gitea.nix | 66 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 66 insertions(+)
 create mode 100644 services/gitea.nix

diff --git a/services/gitea.nix b/services/gitea.nix
new file mode 100644
index 0000000..095ce87
--- /dev/null
+++ b/services/gitea.nix
@@ -0,0 +1,66 @@
+{ config, ... }:
+{
+ imports = [ ./acme-dns.nix ];
+
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+ networking.firewall.allowedUDPPorts = [ 443 ];
+
+ services = {
+ gitea = {
+ enable = true;
+ lfs.enable = true;
+ appName = "Gitea for Vili Sinervä";
+ mailerPasswordFile = "${config.services.gitea.stateDir}/smtp_pass"; # TODO
+
+ settings = {
+ repository = {
+ ENABLE_PUSH_CREATE_USER = true;
+ };
+ ui = {
+ DEFAULT_SHOW_FULL_NAME = true;
+ meta.AUTHOR = "Gitea, hosted by Vili Sinervä";
+ };
+ server = {
+ DOMAIN = "gitea.vsinerva.fi";
+ HTTP_PORT = 8000;
+ ROOT_URL = "https://${config.services.gitea.settings.server.DOMAIN}";
+ };
+ # service.DISABLE_REGISTRATION = true; # Disable for initial setup
+ session.COOKIE_SECURE = true;
+ mailer = {
+ ENABLED = true;
+ SMTP_ADDR = "smtp.gmail.com";
+ SMTP_PORT = 587;
+ USER = "vmsskv12@gmail.com"; # Password set in file
+ FROM = "gitea@vsinerva.fi";
+ };
+ cron = {
+ ENABLED = true;
+ RUN_AT_START = true;
+ };
+ time.DEFAULT_UI_LOCATION = "Europe/Helsinki";
+ };
+ };
+
+ nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ recommendedProxySettings = true;
+
+ virtualHosts.${config.services.gitea.settings.server.DOMAIN} = {
+ forceSSL = true;
+ kTLS = true;
+ enableACME = true;
+ acmeRoot = null;
+ locations."/" = {
+ proxyPass = "http://localhost:8000";
+ };
+ };
+ };
+ };
+}
From e25f9e4868255e296c751b21d94e8d9edf0d8e88 Mon Sep 17 00:00:00 2001
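Review bot: `networking.firewall.allowedUDPPorts = [ 443 ];` opens UDP/443 on the gitea host, but the nginx virtualHost in the same file only sets up TLS over TCP (`forceSSL`, `kTLS`) and does not enable QUIC/HTTP/3, so no service listens on that port; either drop the line or enable `quic`/`http3` on the vhost on purpose and say so in a comment. The Gitea listener is configured with `HTTP_PORT = 8000;` and no `HTTP_ADDR`; if the module's default binds all interfaces, port 8000 is only protected by the firewall (which opens just 80/443), whereas `HTTP_ADDR = "127.0.0.1";` (or `::1`, matching whatever `proxyPass` resolves to) keeps the application reachable through nginx alone. The `# TODO` on `mailerPasswordFile` should name what is outstanding, e.g. `# TODO: smtp_pass is not provisioned by this config yet; create it under stateDir before enabling the mailer`.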
From: =?UTF-8?q?Vili=20Sinerv=C3=A4?=
Date: Wed, 15 Jan 2025 00:40:42 +0200
Subject: [PATCH 08/10] Add gitea machine conf

---
 machine-confs/gitea.nix | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 machine-confs/gitea.nix

diff --git a/machine-confs/gitea.nix b/machine-confs/gitea.nix
new file mode 100644
index 0000000..9356f1f
--- /dev/null
+++ b/machine-confs/gitea.nix
@@ -0,0 +1,12 @@
+{ ... }:
+{
+ networking.hostName = "gitea";
+
+ imports = [
+ ../base.nix
+ ../services/gitea.nix
+ ];
+
+ # HARDWARE SPECIFIC
+ services.qemuGuest.enable = true;
+}
From 38a6af903e95d655b5a7fe19be8468280881a87d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vili=20Sinerv=C3=A4?=
Date: Wed, 15 Jan 2025 00:44:10 +0200
Subject: [PATCH 09/10] Attempt gitea fix

---
 services/gitea.nix | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/services/gitea.nix b/services/gitea.nix
index 095ce87..99bb743 100644
--- a/services/gitea.nix
+++ b/services/gitea.nix
@@ -19,10 +19,8 @@
 repository = {
 ENABLE_PUSH_CREATE_USER = true;
 };
- ui = {
- DEFAULT_SHOW_FULL_NAME = true;
- meta.AUTHOR = "Gitea, hosted by Vili Sinervä";
- };
+ ui.DEFAULT_SHOW_FULL_NAME = true;
+ "ui.meta".AUTHOR = "Gitea, hosted by Vili Sinervä";
 server = {
 DOMAIN = "gitea.vsinerva.fi";
 HTTP_PORT = 8000;
From 9131e285a8eed830ee1917b8291c1f4fd60a5f14 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vili=20Sinerv=C3=A4?=
Date: Wed, 15 Jan 2025 01:19:30 +0200
Subject: [PATCH 10/10] Disable gitea registration

---
 services/gitea.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/services/gitea.nix b/services/gitea.nix
index 99bb743..1f7708d 100644
--- a/services/gitea.nix
+++ b/services/gitea.nix
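Review bot: The PATCH 09/10 hunk in services/gitea.nix replaces the nested `meta.AUTHOR` with a quoted top-level key, but neither the new line nor the commit message ("Attempt gitea fix") records what was failing or why `"ui.meta".AUTHOR` is the correct shape. Gitea reads this value from its own `[ui.meta]` INI section, so the NixOS `settings` attribute has to be named literally `"ui.meta"` rather than nested under `ui`; a one-line comment would spare the next reader the same debugging, e.g. `"ui.meta".AUTHOR = "…"; # Gitea's section is literally [ui.meta]; nesting it under ui does not produce it`. The enclosing `settings` attribute set starts and ends outside the hunk.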
@@ -26,7 +26,7 @@
 HTTP_PORT = 8000;
 ROOT_URL = "https://${config.services.gitea.settings.server.DOMAIN}";
 };
- # service.DISABLE_REGISTRATION = true; # Disable for initial setup
+ service.DISABLE_REGISTRATION = true; # Disable for initial setup
 session.COOKIE_SECURE = true;
 mailer = {
 ENABLED = true;
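Review bot: Now that `service.DISABLE_REGISTRATION = true;` is active, the trailing `# Disable for initial setup` no longer describes the line: it explained why the option was commented out, and read on its own it now suggests registration is disabled only during setup. Suggest `service.DISABLE_REGISTRATION = true; # Self-registration off; comment out only while creating the first admin account, then restore`. Since the registration endpoint is closed, `service.SHOW_REGISTRATION_BUTTON = false;` would also stop the UI advertising a link that only returns an error.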