screen

ip range fix
Merge branch 'master' of ssh://git.nx2.site:20022/nx2/dotfiles
2024-08-26 23:24:57 +02:00 · 2024-08-26 23:24:45 +02:00 · 2024-08-26 21:38:01 +02:00 · 2024-08-26 21:37:36 +02:00 · 2024-07-28 17:19:29 +02:00 · 2024-07-28 17:19:25 +02:00
8 changed files with 277 additions and 35 deletions
--- a/git-crypt/secrets.nix
+++ b/git-crypt/secrets.nix
--- a/home.nix
+++ b/home.nix
@@ -71,6 +71,7 @@
    piper-tts
    sssnake pipes
    dig
    screen
    gnumake
    cmake
--- a/sops-secrets.yaml
+++ b/sops-secrets.yaml
--- a/system-modules/hsmw.nix
+++ b/system-modules/hsmw.nix
@@ -1,5 +1,4 @@
 { pkgs, lib, host, secrets, ... }: 
 lib.mkIf (host != "NxACE") 
 {
  environment.systemPackages = with pkgs; [
    strongswanNM
@@ -38,19 +37,19 @@ lib.mkIf (host != "NxACE")
    };
    connections = {
      hsmw = {
-          keyexchange = "ikev2";
+        keyexchange = "ikev2";
-          left = "%defaultroute";
+        left = "%defaultroute";
-          leftid = "%any";
+        leftid = "%any";
-          leftauth = "eap";
+        leftauth = "eap";
-          eap_identity = "${secrets.email.hsmw.un}@hs-mittweida.de";
+        eap_identity = "${secrets.email.hsmw.un}@hs-mittweida.de";
-          leftsourceip = "%config";
+        leftsourceip = "%config";
-          leftdns = "%config4";
+        leftdns = "%config4";  # Ensure that DNS resolution works as expected
-          leftfirewall = "no";
+        leftfirewall = "no";  # Keep firewall disabled, but manually check rules
-          right = "141.55.128.84";
+        right = "141.55.128.84";
-          rightid = "@vpn4.hs-mittweida.de";
+        rightid = "@vpn4.hs-mittweida.de";
-          rightsubnet = "0.0.0.0/0";
+        rightsubnet = "141.55.128.0/16";  # Split tunneling: Only route traffic for the VPN subnet
-          rightauth = "pubkey";
+        rightauth = "pubkey";
-          auto = "add";
+        auto = "add";
      };
    };
    managePlugins = true;
--- a/system-modules/networking.nix
+++ b/system-modules/networking.nix
@@ -3,12 +3,16 @@
 let
 in
 {
-
+  networking.nameservers = [
    "1.1.1.1"
    "8.8.8.8"
  ];
  networking.hostName = host;
  networking.networkmanager = {
    enable = true;
  };
-  networking.enableIPv6 = true;
+  networking.enableIPv6 = false;
 }
--- a/system-modules/nx2site.nix
+++ b/system-modules/nx2site.nix
@@ -1,5 +1,8 @@
 { config, pkgs, lib, user, host, ... }:
 # lib.mkIf false
 lib.mkIf (host == "NxACE")
 # ((import ./nx2site/proxy.nix { inherit config pkgs lib user; }) // 
 (
 {
  sops.secrets = {
    "nx2site/namecheap.pw" = { };
@@ -14,18 +17,15 @@ lib.mkIf (host == "NxACE")
        Unit = "namecheap-dynamic-dns.service";
      };
    };
-    services."namecheap-dynamic-dns" = 
+    services."namecheap-dynamic-dns" = let 
    let 
      u = let
        domain = "nx2.site";
        passord-file-path = config.sops.secrets."nx2site/namecheap.pw".path;
        # passord-file-path = config.sops.secrets."nx2site/namecheap.pw".path;
        log-file-path = "/var/log/update_namecheap.log";
        count-file-path = "/var/log/update_namecheap-count.txt";
-      in
+      in pkgs.writers.writePython3Bin "update_namecheap" {
-      pkgs.writers.writePython3Bin "update_namecheap" {
+        libraries = with pkgs.python311Packages; [ requests ];
        libraries = with pkgs.python311Packages; [ 
          requests
        ];
        flakeIgnore = [ "E501" "E305" "E701" "E704" "E302" "E114" "F841" ];
      } ''
        import requests
@@ -58,7 +58,7 @@ lib.mkIf (host == "NxACE")
                # Perform DNS updates
                resp_base = requests.get(f"https://dynamicdns.park-your-domain.com/update?host=@&domain=${domain}&password={pw}&ip={my_ip}")
                resp_subd = requests.get(f"https://dynamicdns.park-your-domain.com/update?host=*&domain=${domain}&password={pw}&ip={my_ip}")
-    
+  
                # Reset the count file
                with open("${count-file-path}", 'w') as f: f.write('0')
@@ -71,19 +71,51 @@ lib.mkIf (host == "NxACE")
            parser = argparse.ArgumentParser()
            parser.add_argument('-f', '--force', action='store_true', help='Force update')
            args = parser.parse_args()
-  
+
            main(args.force)
      '';
-    in
+    in {
    {
      script = ''
        set -eu
        ${u}/bin/update_namecheap
      '';
      serviceConfig = {
        Type = "oneshot";
        # User = "nx2";
      };
    };
  };
-}
+  # I can't use this becasue API Access for Namecheap needs a static whitelisted IP, which I don't have
  # security.acme = {
  #   acceptTerms = true;
  #   certs."nx2site" = { };
  # };
  environment.systemPackages = with pkgs; [
    certbot
    (writeShellApplication {
      name = "refresh_ssl_certificate";
      runtimeInputs = [ certbot ];
      # https://forum.endeavouros.com/t/tutorial-add-a-systemd-boot-loader-menu-entry-for-a-windows-installation-using-a-separate-esp-partition/37431
      text = let
        webroot = /home/nx2/nx2site/staticweb/content;
      in /*bash*/ ''
        cartbot 
        ls ${webroot}
      '';
    })
  ];
  networking.hosts = { # docker network inspect nx2site_default | grep -E "Name|IPv4" | tr "\n" " " | sed -r 's- +- -g;s-\n?"Name": -\n-g' | sed -r '1d;2d;s-"(.+?)", "IPv4Address": "(.+)/16",-  "\2" = [ "\1.docker" ];-g'
    "172.1.2.1" = [ "staticweb.docker" ]; 
    "172.1.3.1" = [ "matrix.docker" ]; 
    # "172.1.0.9" = [ "matrixdb.docker" ]; 
    "172.1.4.1" = [ "matrix-ss.docker" ]; 
    # "172.1.0.7" = [ "matrix-ssdb.docker" ]; 
    "172.1.5.1" = [ "pw.docker" ]; 
    "172.1.6.1" = [ "git.docker" ]; 
    # "172.1.0.10" = [ "gitdb.docker" ];
    "172.1.7.1" = [ "nn.docker" ]; 
    "172.1.8.1" = [ "llm.docker" ]; 
    # "172.1.9.1" = [ "proxy.docker" ]; 
    "172.1.10.1" = [ "share.docker" ]; 
    "172.1.11.1" = [ "odq.docker" ]; 
  };
 })
--- a/system-modules/nx2site/proxy.nix
+++ b/system-modules/nx2site/proxy.nix
@@ -0,0 +1,180 @@
 { config, pkgs, lib, user }:
 lib.mkIf false
 {
  sops.secrets = {
    "nx2site/sslCertificate.pem" = { owner = config.services.nginx.user; };
    "nx2site/sslCertificateKey.pem" = { owner = config.services.nginx.user; };
    "nx2site/dhparams.pem" = { owner = config.services.nginx.user; };
  };
 	services.nginx = {
    enable = true;
    additionalModules = [];
    # appendConfig = '''';
    clientMaxBodySize = "20m";
    defaultHTTPListenPort = 80;
    defaultListenAddresses = [ "0.0.0.0" ] ++ lib.optional config.networking.enableIPv6 "[::0]";
    defaultListen = [ {
      addr = "0.0.0.0";
      ssl = true;
      port = 443;
      proxyProtocol = true;
    }];
    defaultMimeTypes = "${pkgs.mailcap}/etc/nginx/mime.types";
    defaultSSLListenPort = 443;
    enableQuicBPF = true;
    enableReload = true;
    # eventsConfig = '''';
    # logError = ;
    # mapHashBucketSize = ;
    # mapHashMaxSize = ;
    package = pkgs.nginxQuic;
    # preStart = true;
    proxyResolveWhileRunning = false;
    proxyTimeout = "20s";
    recommendedBrotliSettings = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    recommendedZstdSettings = true;
    serverTokens = false;
    # sslCiphers = true;
    sslDhparam = config.sops.secrets."nx2site/dhparams.pem".path;
    sslProtocols = "TLSv1.2 TLSv1.3";
    statusPage = false;
    streamConfig = ""; # udp config
    validateConfigFile = true;
    upstreams = {
      "staticweb".servers = { "staticweb.docker:80" = {}; };
      "matrix".servers    = { "matrix.docker:80"    = {}; };
      "matrix-ss".servers = { "matrix-ss.docker:80" = {}; };
      "pw".servers        = { "pw.docker:80"        = {}; };
      "git".servers       = { "git.docker:80"       = {}; };
      "nn".servers        = { "nn.docker:80"        = {}; };
      "llm".servers       = { "llm.docker:80"       = {}; };
      "share".servers     = { "share.docker:80"     = {}; };
      "sync".servers      = { "localhost:8384"      = {}; };
    };
    virtualHosts = let
      sslCertificate = config.sops.secrets."nx2site/sslCertificate.pem".path;
      sslCertificateKey = config.sops.secrets."nx2site/sslCertificateKey.pem".path;
      kTLS = true; http2 = true; http3 = true; http3_hq = true; quic = true;
    in
    {
      "nx2.site" = {
        inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
        listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
        locations = {
          "/" = {
            proxyPass = "http://staticweb";
      #       extraConfig = [  ''add_header Alt-Svc 'h3=":443"; ma=86400';'' ''add_header Cache-Control "public";'' ] ++ common-location-conf;
          };
          "/.well-known/matrix/client" = {
            return = ''200 '{"m.homeserver": {"base_url": "https://matrix.nx2.site"}, "org.matrix.msc3575.proxy": {"url": "https://matrix-ss.nx2.site"}}'  '';
            extraConfig = [ "default_type application/json;" "add_header Access-Control-Allow-Origin *;" ];
          };
          "/.well-known/matrix/server" = {
            return = ''200 '{"m.server":"matrix.nx2.site:443"}' '';
            extraConfig = [ "default_type application/json;" "add_header Access-Control-Allow-Origin *;" ];
          };
          "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
            proxyPass = "http://matrix-ss";
            # extraConfig = [ ''proxy_set_header X-Forwarded-For $remote_addr;'' ''proxy_set_header X-Forwarded-Proto $scheme;'' ''proxy_set_header Host $host;'' ];
          };
          "~ ^(\/_matrix|\/_synapse\/client)" = {
            return = ''200 '{"m.server":"matrix.nx2.site:443"}' '';
      #       extraConfig = [];
          };
        }; 
      };
      "matrix.nx2.site" = {
        inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
        listen = [ 
          { addr = "0.0.0.0"; port = 443;  ssl = true; }
          { addr = "0.0.0.0"; port = 8448; ssl = true; }
        ];
        locations = {
          "/" = {
            proxyPass = "http://matrix";
            # extraConfig = [ ''add_header Alt-Svc 'h3=":443"; ma=86400';'' ''add_header Cache-Control "public";'' ] ++ common-location-conf;
          };
        }; 
      };
      "matrix-ss.nx2.site" = {
        inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
        # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
        #   "resolver 1.1.1.1;"
        #   "client_max_body_size 500M;"
        # ];
        locations = {
          "/" = { proxyPass = "http://pw"; };
        }; 
      };
      # "dev.nx2.site" = {
      #   inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
      #   listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
      #   locations = {
      #     "/" = {
      #       proxyPass = "http://dev";
      #     };
      #   }; 
      # };
      "pw.nx2.site" = {
        inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
        # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
        locations = {
          "/" = { proxyPass = "http://pw"; };
          "/admin" = { proxyPass = "http://pw"; };
          "/notifications/hub" = { proxyPass = "http://pw"; };
          "/notifications/hub/negotiate" = { proxyPass = "http://pw"; };
        }; 
      };
      "share.nx2.site" = {
        inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
        # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
        locations = {
          "/" = { proxyPass = "http://share"; # ''proxy_hide_header Content-Disposition;''
              # ''proxy_set_header Content-Disposition $upstream_http_content_disposition;''
              # ''proxy_set_header X-Real-IP $remote_addr;''
              # ''proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;''
              # ''proxy_set_header Host $http_host;''
            # ];
          };
          "/socket.io" = {
            proxyPass = "http://share/socket.io";
            proxyWebsockets = true;
            # extraConfig = [
            #  ''proxy_http_version 1.1;''
            #  ''proxy_set_header Upgrade $http_upgrade;''
            #  ''proxy_set_header Connection "upgrade";''
            # ];
          };
        }; 
      };
      "sync.nx2.site" = {
        inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
        # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
        locations = {
          "/" = { proxyPass = "http://sync"; };
        }; 
      };
      "git.nx2.site" = {
        inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
        # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
        locations = {
          "/" = { proxyPass = "http://git"; };
        }; 
      };
      "~^(.*)\.nx2\.site$" = {
        inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
        # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
        root = "/home/nx2/nx2site/staticweb/xcontent/";
        locations = {
          "~.*" = { return = "502 /502.html"; };
        };
      };
    };
  };
 }
--- a/system-modules/syncthing.nix
+++ b/system-modules/syncthing.nix
@@ -17,7 +17,12 @@ let
  };
  dirs = {
-    default = { name = "sync"; path = "/home/${user}/sync"; };
+    default =      { name = "sync";         path = "/home/${user}/sync";       };
    s21u-dcim =    { name = "s21u-dcim";    path = "/vault/Pictures/Lennart";  };
    diane-dcim =   { name = "diane-dcim";   path = "/vault/Pictures/Diane";    };
    dianesd-dcim = { name = "dianesd-dcim"; path = "/vault/Pictures/Diane-SD"; };
    daniel-dcim =  { name = "daniel-dcim";  path = "/vault/Pictures/Daniel";   };
    tessa-dcim =   { name = "tessa-dcim";   path = "/vault/Pictures/Tessa";    };
  };
 in 
 lib.mkIf (user != "tv")
@@ -45,8 +50,7 @@ lib.mkIf (user != "tv")
      ) else if (host == "NxNORTH") then (        
        xps // ace // s21u
      ) else (
-        # north // xps // s21u // diane // daniel // tessa // georg 
+        north // xps // s21u // diane // daniel // tessa // georg 
        north // xps // s21u
      );
      folders = with dirs; if (host == "NxXPS") then {
        "${default.name}" = {        
@@ -58,11 +62,31 @@ lib.mkIf (user != "tv")
          path = default.path;
          devices = with devices; (justname [ xps ace s21u ]);
        };
-      } else {
+      } else { # NxACE
        "${default.name}" = {        
          path = default.path;
          devices = with devices; (justname [ xps north s21u ]);
        };
        "${s21u-dcim.name}" = {        
          path = s21u-dcim.path;
          devices = with devices; (justname [ s21u ]);
        };
        "${diane-dcim.name}" = {        
          path = diane-dcim.path;
          devices = with devices; (justname [ diane ]);
        };
        "${dianesd-dcim.name}" = {        
          path = dianesd-dcim.path;
          devices = with devices; (justname [ diane ]);
        };
        "${daniel-dcim.name}" = {        
          path = daniel-dcim.path;
          devices = with devices; (justname [ daniel ]);
        };
        "${tessa-dcim.name}" = {        
          path = tessa-dcim.path;
          devices = with devices; (justname [ tessa ]);
        };
      };
      gui = {
        theme = "black";
Author	SHA1	Message	Date
Lennart J. Kurzweg (Nx2)	20f8ea51c6	screen	2024-08-26 23:24:57 +02:00
Lennart J. Kurzweg (Nx2)	52d81b9175	ip range fix	2024-08-26 23:24:45 +02:00
Lennart J. Kurzweg (Nx2)	befa7fe91e	Merge branch 'master' of ssh://git.nx2.site:20022/nx2/dotfiles	2024-08-26 21:38:01 +02:00
Lennart J. Kurzweg (Nx2)	4eead91953	syncthing+nx2site(trying)	2024-08-26 21:37:36 +02:00
Lennart J. Kurzweg (Nx2)	5d1d2c49e5	Merge branch 'master' of ssh://git.nx2.site:20022/nx2/dotfiles	2024-07-28 17:19:29 +02:00
Lennart J. Kurzweg (Nx2)	73b0e338fc	nx2site save (unused)	2024-07-28 17:19:25 +02:00