From 41ce9b892b6e81dfaaaa0a717b3890df50d02cb4 Mon Sep 17 00:00:00 2001
From: sid
Date: Sun, 17 May 2026 22:44:00 +0200
Subject: [PATCH 1/2] rm coredns and step-ca. use hs extra dns records. resolve vaultwarden

---
 constants.nix | 2 +-
 hosts/rx4/secrets/secrets.yaml | 5 +--
 hosts/rx4/services/vaultwarden.nix | 47 ++++++++++++++++++++++++++++-
 hosts/sid/services/coredns.nix | 5 ---
 hosts/sid/services/default.nix | 5 +--
 hosts/sid/services/headscale.nix | 13 ++++++++
 hosts/sid/services/mailserver.nix | 8 +++--
 hosts/sid/services/nginx.nix | 18 -----------
 hosts/sid/services/step-ca.nix | 4 +--
 modules/nixos/tailscale/default.nix | 2 +-
 10 files changed, 73 insertions(+), 36 deletions(-)

diff --git a/constants.nix b/constants.nix
index d49999c..7a2a16e 100644
--- a/constants.nix
+++ b/constants.nix
@@ -46,7 +46,7 @@ rec {
 port = 1200;
 };
 vaultwarden = {
- fqdn = "pw." + intranet;
+ fqdn = "pw." + domain;
 port = 8222;
 };
 };
diff --git a/hosts/rx4/secrets/secrets.yaml b/hosts/rx4/secrets/secrets.yaml
index a591f81..eaa951b 100644
--- a/hosts/rx4/secrets/secrets.yaml
+++ b/hosts/rx4/secrets/secrets.yaml
@@ -16,6 +16,7 @@ forgejo-runner:
 vaultwarden:
 admin-token: ENC[AES256_GCM,data:HhD0xNZ/Ep7pCOX1j6p/M/ZZ3gs=,iv:7QT71KlYz+HQYBhiRavpiXS9sNS2PoJiM/WkxM3Hk/g=,tag:SYTRWpyA2+WMSMiRM8mvew==,type:str]
 smtp-password: ENC[AES256_GCM,data:eQo7op5+74EID6689hL0/J1pq2s=,iv:JqrEqxabWGydRuJJ/27e1q+4YnQhTQ1bKRSsOvjQ+bE=,tag:weqnrhqK+LGEfAacBcuPUA==,type:str]
+hetzner-api-key: ENC[AES256_GCM,data:casjNOXzuQDWgnSFftbBMygA8kGpGiZDqup08faWO9kfjvgOyWOXeqPd2VA1ND8yfM2LvoLYvPs6gUWtni2ldQ==,iv:p2W24uhJgBvpi3g4+cHw0/XbbTM5oYCPHreMBUR4CNs=,tag:lpwjZGoJe/91+CHX/hAkKA==,type:str]
 sops:
 age:
 - recipient: age19yeqvv28fgrtk6jsh3xyaf0lch86kna6rcz4dwe962yyyyevu30sx474xy
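Review bot: The `hetzner-api-key` added here is the credential lego will read for DNS-01 on rx4 (`HETZNER_API_TOKEN_FILE` in the vaultwarden.nix hunk), and a DNS API token can write any record in the zone, not only the `_acme-challenge` TXT for `pw.`; rx4 therefore now holds a key that can validate certificates for every name under the domain. Worth confirming this is a dedicated token, so it can be revoked without touching other automation, and documenting that blast radius where the secret is consumed, e.g. `# zone-wide Hetzner DNS token, used only for ACME DNS-01; revoke and reissue if rx4 is compromised`. The `sops` metadata that follows is regenerated by sops and needs no review.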
@@ -36,7 +37,7 @@ sops:
 NE5yK3ZaOG5PdXNSUnlIUmFSSmRFancKk57hCmo79HvI3hzzgQvgOK7oK5/dcQR8
 f3R4OGF5+212VXEHR/hAEbKzV7CY4y6HhFyrGZ9bUKm1RrxtnVqUyA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2026-05-17T16:35:00Z"
- mac: ENC[AES256_GCM,data:U2WT4ENx8I9sr3byj7fQjv3H+mQTlhTI1HL9tufryKcUGjvb35ChwkIBcvEiYLa8udOR631sWwN4dCqZ4qwtCQ3MNjR8s1P6HqhzXeAPwyxfMLPZG1mbKXvYpamkxAOq8RxVHnVsPbrvFsxc57J11SI5IUfWT5T5GPQyJ+U8gMs=,iv:/xDaNV0fgKf9z+sql4BwwyIO/LQhRm3TrMhgaYZsPuE=,tag:Y0bfT1ZuiJ05F/+EwyzbSg==,type:str]
+ lastmodified: "2026-05-17T20:34:39Z"
+ mac: ENC[AES256_GCM,data:lSSotIfDcS6oJpSDSe2hLx1M9L8a+bjkPstcPv1h2ohSiOu8WGAwTy4lsKD1n9rnhTzFmMqi2Xgh4K0n3WiqWFBeNcA6UeM7+a6PcDtUeCC3JKsP/XZvCoPq5uBwUWcovRSm4UElaL5MteZkV3e+qZWeUpZCTWWWEjYBYnHPLpQ=,iv:t4Up4DuTuQyQQNa7lmZK6kt5O0/aShXSF2XBj9Y6/z8=,tag:oNmP8e7jEZ3ttPkwXkWSZw==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.12.1
diff --git a/hosts/rx4/services/vaultwarden.nix b/hosts/rx4/services/vaultwarden.nix
index 6f00505..eed5712 100644
--- a/hosts/rx4/services/vaultwarden.nix
+++ b/hosts/rx4/services/vaultwarden.nix
@@ -6,6 +6,7 @@ let
 inherit (constants) domain;
+ inherit (constants.hosts.rx4) ip;
 inherit (constants.services.vaultwarden) fqdn port;
 in {
@@ -21,6 +22,7 @@ in
 environmentFile = [ config.sops.templates."vaultwarden/env-file".path ];
 config = {
+ ENABLE_WEBSOCKET = true;
 SIGNUPS_ALLOWED = false;
 SMTP_FROM = "vaultwarden@${domain}";
@@ -30,12 +32,50 @@ in
 SMTP_SECURITY = "starttls";
 SMTP_USERNAME = "vaultwarden@${domain}";
- ROCKET_ADDRESS = "0.0.0.0";
+ ROCKET_ADDRESS = "127.0.0.1";
 ROCKET_PORT = port;
 ROCKET_LOG = "critical";
 };
 };
+ services.nginx.virtualHosts."${fqdn}" = {
+ useACMEHost = "pw-custom";
+ forceSSL = true;
+ listen = [
+ {
+ addr = "${ip}:443";
+ ssl = true;
+ }
+ ];
+ locations = {
+ "/" = {
+ proxyPass = "http://127.0.0.1:${toString port}";
+ };
+ "= /notifications/alerts" = {
+ proxyPass = "http://127.0.0.1:${toString port}";
+ proxyWebsockets = true;
+ };
+ "= /notifications/hub" = {
+ proxyPass = "http://127.0.0.1:${toString port}";
+ proxyWebsockets = true;
+ };
+ };
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "admin@${domain}";
+ certs."pw-custom" = {
+ domain = fqdn;
+ dnsProvider = "hetzner";
+ dnsResolver = "1.1.1.1:53";
+ credentialFiles = {
+ HETZNER_API_TOKEN_FILE = config.sops.secrets.hetzner-api-key.path;
+ };
+ group = "nginx";
+ };
+ };
+
 sops =
 let
 owner = config.users.users.vaultwarden.name;
@@ -50,6 +90,11 @@ in
 "vaultwarden/smtp-password" = {
 inherit owner group mode;
 };
+ hetzner-api-key = {
+ inherit mode;
+ owner = "acme";
+ group = "acme";
+ };
 };
 templates = {
 "vaultwarden/env-file" = {
diff --git a/hosts/sid/services/coredns.nix b/hosts/sid/services/coredns.nix
index 13c3096..b7e2f37 100644
--- a/hosts/sid/services/coredns.nix
+++ b/hosts/sid/services/coredns.nix
@@ -14,12 +14,7 @@ hosts {
 ${hosts.sid.ip} ${ca-fqdn}
- ${hosts.rx4.ip} rx4.tail
- ${hosts.sid.ip} sid.tail
- ${hosts.vde.ip} vde.tail
- ${hosts.sid.ip} ${services.netdata.fqdn}
- ${hosts.sid.ip} ${services.vaultwarden.fqdn}
 fallthrough
 }
diff --git a/hosts/sid/services/default.nix b/hosts/sid/services/default.nix
index c1079d8..9baf6fb 100644
--- a/hosts/sid/services/default.nix
+++ b/hosts/sid/services/default.nix
@@ -10,7 +10,6 @@
 outputs.nixosModules.tailscale
- ./coredns.nix
 ./headscale.nix
 ./mailserver.nix
 ./matrix-synapse.nix
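Review bot: The three `proxyPass` locations forward to Vaultwarden without an `X-Real-IP`/`X-Forwarded-For` header, and nothing in the hunk enables `services.nginx.recommendedProxySettings` on rx4; unless that is set elsewhere, Vaultwarden sees every client as 127.0.0.1. Its login rate limiting and admin-panel rate limiting are keyed on the client address it reads from `IP_HEADER` (default `X-Real-IP`), so one client can exhaust the limit for all users, and failed-login entries in its log lose the real source address. If the global setting is not in use, add `extraConfig = "proxy_set_header X-Real-IP $remote_addr;";` to each of the three locations, or turn on `recommendedProxySettings` for the host. Binding `ROCKET_ADDRESS` to loopback and terminating TLS only on `${ip}:443` is the right direction; the `sops` attribute at the end of the hunk continues outside it.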
@@ -18,6 +17,8 @@
 ./nginx.nix
 ./radicale.nix
 ./rss-bridge.nix
- ./step-ca.nix
+
+ # ./coredns.nix
+ # ./step-ca.nix
 ];
 }
diff --git a/hosts/sid/services/headscale.nix b/hosts/sid/services/headscale.nix
index 6c7148f..b9492db 100644
--- a/hosts/sid/services/headscale.nix
+++ b/hosts/sid/services/headscale.nix
@@ -1,5 +1,6 @@
 {
 inputs,
+ constants,
 ...
 }:
@@ -24,5 +25,17 @@
 enable = true;
 subdomain = "hs";
 };
+ settings.dns.extra_records = [
+ {
+ name = constants.services.vaultwarden.fqdn;
+ type = "A";
+ value = constants.hosts.rx4.ip;
+ }
+ {
+ name = constants.services.netdata.fqdn;
+ type = "A";
+ value = constants.hosts.sid.ip;
+ }
+ ];
 };
 }
diff --git a/hosts/sid/services/mailserver.nix b/hosts/sid/services/mailserver.nix
index f3af274..024665c 100644
--- a/hosts/sid/services/mailserver.nix
+++ b/hosts/sid/services/mailserver.nix
@@ -1,4 +1,4 @@
-{ inputs, config, ... }:
+{ inputs, ... }:
 {
 imports = [ inputs.synix.nixosModules.mailserver ];
@@ -6,10 +6,12 @@
 mailserver = {
 enable = true;
 stateVersion = 3;
- localDnsResolver = !config.services.coredns.enable;
 accounts = {
 sid = {
- aliases = [ "postmaster" ];
+ aliases = [
+ "admin"
+ "postmaster"
+ ];
 };
 vaultwarden = { };
 };
diff --git a/hosts/sid/services/nginx.nix b/hosts/sid/services/nginx.nix
index 81eace3..0844781 100644
--- a/hosts/sid/services/nginx.nix
+++ b/hosts/sid/services/nginx.nix
@@ -56,15 +56,6 @@ in
 address = constants.hosts.rx4.ip;
 port = constants.services.miniflux.port;
 };
- virtualHosts."${constants.services.netdata.fqdn}" = {
- useACMEHost = "sid-internal";
- forceSSL = ssl;
- locations."/" = {
- # proxyPass = "http://${constants.hosts.sid.ip}:${toString constants.services.netdata.port}";
- proxyPass = "http://127.0.0.1:${toString constants.services.netdata.port}";
- proxyWebsockets = true;
- };
- };
 virtualHosts."${constants.services.open-webui-oci.fqdn}" = mkVirtualHost {
 inherit ssl;
 address = constants.hosts.rx4.ip;
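Review bot: The `extra_records` entry for `constants.services.netdata.fqdn` points at sid, but the same patch removes sid's nginx `virtualHosts` for that name (nginx.nix hunk) and stops importing step-ca.nix, which provided its `sid-internal` certificate — as far as the diff shows, nothing on sid serves the netdata name any more, so tailnet clients get a record for a host that answers with whatever nginx's default server is. Either give it a vhost backed by the new ACME setup, as vaultwarden gets on rx4, or drop the record until one exists. These records also only reach nodes that accept headscale's DNS, which the tailscale module hunk turns on; a comment here should state that coupling, e.g. `# Split-horizon A records for tailnet clients only; every node needs acceptDNS = true (modules/nixos/tailscale).`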
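Review bot: `localDnsResolver = !config.services.coredns.enable;` is deleted rather than replaced: with coredns gone the expression would now evaluate to `true`, but the option instead falls back to whatever the synix mailserver module defaults to, which this hunk cannot show. If the intent is the local resolver (what the old expression would yield, and what DNSBL lookups from the spam filter typically need, since the blocklist operators rate-limit queries arriving via public resolvers), write `localDnsResolver = true;` explicitly with a one-line comment on why. The new `admin` alias is what makes the `admin@${domain}` ACME contact in vaultwarden.nix deliverable; a comment saying so would stop it being pruned later.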
@@ -82,15 +73,6 @@ in
 address = constants.hosts.rx4.ip;
 port = constants.services.rsshub-oci.port;
 };
- virtualHosts."${constants.services.vaultwarden.fqdn}" = {
- useACMEHost = "sid-internal";
- forceSSL = ssl;
- locations = {
- "/" = {
- proxyPass = "http://${constants.hosts.rx4.ip}:${toString constants.services.vaultwarden.port}";
- };
- };
- };
 # FIXME
 # virtualHosts."print.sid.ovh" = {
 # enableACME = true;
diff --git a/hosts/sid/services/step-ca.nix b/hosts/sid/services/step-ca.nix
index 21d04d4..e2570c9 100644
--- a/hosts/sid/services/step-ca.nix
+++ b/hosts/sid/services/step-ca.nix
@@ -78,10 +78,8 @@ in
 security.acme = {
 certs."sid-internal" = {
 # domain = constants.intranet;
- domain = constants.services.vaultwarden.fqdn;
+ domain = constants.services.netdata.fqdn;
 extraDomainNames = [
- constants.services.netdata.fqdn
- # constants.services.vaultwarden.fqdn
 ];
 server = "https://${constants.ca-fqdn}:${toString cfg.port}/acme/acme/directory";
 group = "nginx";
diff --git a/modules/nixos/tailscale/default.nix b/modules/nixos/tailscale/default.nix
index 884847a..f42bb85 100644
--- a/modules/nixos/tailscale/default.nix
+++ b/modules/nixos/tailscale/default.nix
@@ -11,7 +11,7 @@
 loginServer = "https://hs.sid.ovh";
 authKeyFile = config.sops.secrets."tailscale/personal-key".path;
 enableSSH = true;
- acceptDNS = false; # use coredns
+ acceptDNS = true;
 };
 };
 };
--
2.51.2

From 5c8d94d03d01de896b984b653dd8ec07ab69cf85 Mon Sep 17 00:00:00 2001
From: sid
Date: Sun, 17 May 2026 22:45:37 +0200
Subject: [PATCH 2/2] change netdata fqdn

---
 constants.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/constants.nix b/constants.nix
index 7a2a16e..91b8456 100644
--- a/constants.nix
+++ b/constants.nix
@@ -30,7 +30,7 @@ rec {
 port = 8085;
 };
 netdata = {
- fqdn = "netdata." + intranet;
+ fqdn = "mon." + domain;
 port = 19999;
 };
 open-webui-oci = {
--
2.51.2
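Review bot: hosts/sid/services/step-ca.nix is no longer imported after this patch (default.nix now carries `# ./step-ca.nix`), so the `domain` swap in `certs."sid-internal"` is never evaluated; the same holds for the coredns.nix hunk. Either delete both files together with their imports, or leave them untouched so the series does not appear to change live configuration. If they are kept for a later return, say so next to the commented imports in default.nix, e.g. `# coredns/step-ca kept for reference; names now come from headscale extra_records and public ACME`. The `certs` block continues outside the hunk.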
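Review bot: `acceptDNS = true;` drops the rationale the removed `# use coredns` comment carried, and the new split-horizon scheme (headscale `extra_records` for the vaultwarden and netdata names) silently depends on this flag being on for every node that uses this module. Restore a comment stating that, e.g. `acceptDNS = true; # headscale extra_records resolve the tailnet-only service names; keep on for every node`. Accepting DNS from the coordination server also means headscale can steer resolution of any name for all nodes, which is trust already placed in it as `loginServer` but worth stating next to the flag.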