7b02477486
servo: define /etc/persist via sane impermanence module
2023-01-04 02:15:43 +00:00
a9ee26388c
guest account: make home-dir writable by other users
2023-01-04 01:09:23 +00:00
933063115b
moby: fix home-dirs for newer impermanence module
2023-01-04 00:47:48 +00:00
2d7b3750cd
impermanence: split the /home/colin perms fix into more appropriate places
2023-01-03 08:25:43 +00:00
5a2bbcce3b
move plaintext home-dirs out of home-manager module into users module
2023-01-03 07:35:42 +00:00
327e6b536f
impermanence: large refactor, and experimental bind mounting of things from ~/private
2023-01-03 07:22:37 +00:00
9e32211c12
impermanence: cange "encryptedClearOnBoot" to a broader "store" argument
...
in the future it can support ~/private as a backing store
2023-01-03 03:04:19 +00:00
be222c1d70
trust-dns: allow shorthand assignment of record lists
2023-01-02 13:23:52 +00:00
875e923197
declare ~/private in fileSystems and reuse for pamMount
2023-01-02 11:34:02 +00:00
3c726f148b
remove some stale references to mobile-nixos
2023-01-02 10:00:20 +00:00
5a273213f6
sops: remove sops.age.sshKeyPaths override: sops gets this from openssh config already
2022-12-30 03:49:31 +00:00
0a6d88dfc1
impermanence: simplify /etc/ssh/host_keys setup
2022-12-30 03:34:59 +00:00
50dfd482cf
document plans for better handling of /etc/ssh
2022-12-29 19:19:51 +00:00
9743aee79d
ssh keys: document the issues i'm seeing
2022-12-29 18:42:59 +00:00
aa1c1f40cb
WIP: impermanence rework (gut 3rd-party lib)
2022-12-29 16:38:58 +00:00
760f2ac66d
move ~/.cache into encrypted private dir
2022-12-29 01:17:40 +00:00
8e5ca11259
cleanup gocryptfs mounting
...
there's possibly some latent issues. i think my changes to the gocryptfs
package *might* not be necessary: if you work via the fuse front-door,
it's a lot harder to get it into these weird places.
2022-12-29 01:17:40 +00:00
121936620a
impermanence: add support for encrypted clear-on-boot storage
...
this is useful for when we need to store files to disk purely due to
their size, but don't actually want them to be persisted.
2022-12-29 01:17:40 +00:00
f5b49e014c
net: add parent's wifi
2022-12-29 00:57:36 +00:00
4bdb34775d
consolidate filesystems./ across devices
2022-12-28 01:36:22 +00:00
a0ac7fa98d
snippets: add secret snippets
2022-12-26 09:29:04 +00:00
b03043e513
add sane-bt-search script to search jackett/torrents
2022-12-26 09:05:26 +00:00
0713e3bad1
secrets: move bluetooth/vpn secret defn to toplevel nix file
2022-12-26 08:28:44 +00:00
d3a3f39756
move universal secrets out of net.nix -> secrets.nix
2022-12-26 08:09:58 +00:00
9b75d8705b
ejabberd: enable push notifications (verified working on iOS/Modal IM)
2022-12-22 14:12:15 +00:00
217ecec250
ejabberd: enable xmpps-{client,server} SRV records
2022-12-22 13:13:09 +00:00
1f99d44288
/home/colin: fix perms to 0700
2022-12-22 11:33:13 +00:00
0c35e2b3c1
servo: enable nsncd
2022-12-22 10:34:47 +00:00
c745612cfd
Merge branch 'master' of git.uninsane.org:colin/nix-files
2022-12-21 08:51:12 +00:00
278cc98c6d
minor ejabberd config changes, simplify DNS %NATIVE% updating
2022-12-21 08:50:41 +00:00
09c524a5b1
Merge remote-tracking branch 'origin/staging/nixpkgs-2022-12-18'
2022-12-21 07:47:55 +00:00
0db7f0857a
moby: reduce the number of configurations we keep in /boot
2022-12-21 06:33:50 +00:00
55e09c2dbf
ejabberd: port to dns-dns; add experimental STUN/TURN support
...
during startup it says:
```
Ignoring TLS-enabled STUN/TURN listener
```
and later
```
Invalid certificate in /var/lib/acme/uninsane.org/fullchain.pem: at line 61: certificate is signed by unknown CA
```
the invalid cert thing has always been here. it's for the root cert. idk
if i need to tell ejabberd that one's self-signed, or what.
2022-12-20 03:26:08 +00:00
d60e5264f3
don't bind-mount /etc/ssh/host_keys: symlink them instead
2022-12-20 00:04:09 +00:00
97044bf70e
trust-dns: port to dyn-dns for determining WAN IP
...
although the systemd wantedBy directive is working,
`before` seems to be ignored when the unit fails. so on first run,
dyn-dns runs, fails (poor net connectivity), then trust-dns starts
(fails), then they both restart 10s later.
it's not great, but good enough. also, wan IP is persisted, so this
likely won't happen much in practice.
2022-12-19 13:12:23 +00:00
0b2faef989
/etc/ssh/host_keys: fix endlessly stacked mounts
...
i believe this was mounting a new /etc/ssh/host_keys on every
activation, resulting in literally thousands of mounts and slowing down
later activations
2022-12-19 11:18:08 +00:00
8acd6ca4f1
create sane.services.dyn-dns
to manage dynamic DNS stuff
...
not yet integrated into servo
2022-12-19 11:16:30 +00:00
8169f7c6b2
ddns-trust-dns: use ddns from router rather than ipinfo.io
2022-12-19 08:24:11 +00:00
567c08460a
add sane-ip-check-router-wan to query WAN with a more trustworthy source
2022-12-19 05:59:44 +00:00
9b66aecf1b
trust-dns: port the remaining records to a structured format
...
SRV and MX _could_ have more structure (priority, etc).
not sure the best path there (option submodule, i guess).
2022-12-19 04:38:43 +00:00
16cb3b83a2
trust-dns: more idiomatic way to define SOA records
2022-12-19 04:00:27 +00:00
970438be8a
trust-dns: rename records
option -> extraConfig
...
i'll be adding special options for records
2022-12-19 03:12:32 +00:00
8a745a9b8a
ejabberd: enable STUN (with partial discovery support)
...
discovery is probably not working:
```
Won't auto-announce STUN/TURN service on port 3478 (udp) without public IP address, please specify 'turn_ipv4_address' and optionally 'turn_ipv6_address'
Won't auto-announce STUN/TURN service on port 3478 (tcp) without public IP address, please specify 'turn_ipv4_address' and optionally 'turn_ipv6_address'
```
no messages for the TLS implementation, so maybe that's working?
2022-12-19 01:22:20 +00:00
3505f3b9f3
ejabberd: provision cert for conference.xmpp.uninsane.org
...
i guess the cert already had that because of legacy prosody setup (?),
but we weren't setup so that new requests would work, i expect.
either that or all of these nginx entries aren't necessary?
2022-12-19 01:22:20 +00:00
444595e847
disable HE and afraid DDNS
2022-12-19 01:22:20 +00:00
22e46d52c2
trust-dns: distribute records across service files
2022-12-17 01:29:12 +00:00
1e0c213adf
split webconfig into each service file
2022-12-17 00:52:48 +00:00
3e1340ed61
enable i2p in firefox
2022-12-16 22:15:19 +00:00
a8a4b8e739
kiwix: serve the full english Wikipedia
2022-12-16 05:58:51 +00:00
2550601179
serve w.uninsane.org through kiwix-serve
2022-12-16 02:25:57 +00:00
8fe304d6c1
trust-dns: split the service into a generic config interface
2022-12-15 11:17:50 +00:00
700fef7df3
servo: mediawiki: remove dead commented-out code
2022-12-15 11:17:50 +00:00
01db7e1f23
servo: install mediawiki
2022-12-15 11:17:50 +00:00
58ad87df8e
vpns: add us-mi[ami]
2022-12-13 04:26:00 +00:00
5fc894cda9
vpn: fix us-atlanta -> us-atl to match interface length limit
2022-12-13 04:13:01 +00:00
005a79e680
vpn: factor out more helpers
2022-12-13 03:55:18 +00:00
0f5279bbca
add us-atlanta VPN
2022-12-13 03:26:23 +00:00
e9b3b7ebab
simplify ovpn impl
2022-12-13 03:17:27 +00:00
46788fe565
servo: make uninsane.org NS records consistent with upstream
2022-12-13 01:00:16 +00:00
115f8d7054
servo: vpn services are part of 'wireguard-wg0'
...
this makes it so if we restart the wireguard connection, the services
themeselves _also_ restart. that should avoid leaving any of them in an
orphaned namespace
2022-12-12 11:53:34 +00:00
ac44b04d99
servo: trust-dns: note about maybe using dig
instead of diff'ing the config
2022-12-12 11:35:47 +00:00
afff0aff19
servo: trust-dns: fix up the timers/ddns reliability
2022-12-12 11:33:20 +00:00
f0086dc5bd
servo: trust-dns: implement some dynamic DNS shim
2022-12-12 10:30:08 +00:00
acabd34f28
servo: net: forward http requests from vpn -> host w/o NATing the source address
...
this ensures we have access to the source IP in our host-side logs
2022-12-12 05:21:29 +00:00
d0e6b82739
make it so wireguard-wg0 is restartable
2022-12-11 17:07:53 +00:00
38c5b82a08
servo: fold wg0 setup into one single service
...
it doesn't restart cleanly (maybe i can't kill a netns while stuff lives
inside it?). problem for another day.
2022-12-11 16:46:55 +00:00
89def1a073
servo: remove dead net code
2022-12-11 16:15:43 +00:00
ad2ed370d9
servo: split the firewall rules across services
2022-12-11 16:12:23 +00:00
3e8f7a9ba2
servo: use ISP-provided DNS resolvers by default
...
this is really hacky and i hate it, but there's not a lot of good
options.
2022-12-11 16:03:41 +00:00
c5ac792c13
servo: connect wg0 via IP addr instead of hostname
...
i think this fixes the connectivity issues i've seen.
2022-12-11 12:48:50 +00:00
bd1624bef9
servo: un-firewall tcp port 53 to fix trust-dns over TCP
2022-12-11 12:48:11 +00:00
3ae53d7f32
services: add RestartSec
to anything which auto-restarts
...
this is to prevent rapid restart failures from killing the service
permanently.
2022-12-10 13:28:46 +00:00
e7f2d41b1f
servo: forward DNS to root ns without NAT'ing the source address
2022-12-10 13:28:19 +00:00
3394a79e2b
trust-dns: restart on failure
...
if the network isn't up, won't be able to bind to eth, and fails.
2022-12-10 13:02:17 +00:00
b01501663d
trust-dns: listen on each address explicitly
2022-12-10 12:29:10 +00:00
cbd5ccd1c8
desko: disable wifi
2022-12-10 12:27:02 +00:00
3a7eb294c7
servo: fix jackett DNS entry
2022-12-10 09:47:28 +00:00
2014d5ce77
servo: bridge port 80/53 from ovpns to native using iptables instead of socat
...
i should probably narrow the rules to match specifically things destined
for the ovpns address, but for now this should work.
2022-12-09 14:16:48 +00:00
a979521a98
servo: enable ddns against freedns.afraid.org
2022-12-08 14:30:17 +00:00
77881be955
trust-dns: document SOA parameters
2022-12-08 14:23:35 +00:00
0450b4d9a6
trust-dns: fix SOA
2022-12-08 00:46:32 +00:00
edea64a41c
trust-dns: move nameserver to subdomain ns1,ns2
2022-12-08 00:39:22 +00:00
90e479592f
trust-dns: enable port 53 forward
2022-12-08 00:06:20 +00:00
52bbe4e9f4
trust-dns: don't restart on failure
...
for in case anything goes wrong
2022-12-07 12:17:03 +00:00
ab176b8d4b
servo: enable trust-dns (experimental)
2022-12-07 12:15:35 +00:00
b4314bd919
mess with XMPP stuff. ejabberd: enable mam, some other acl's that probably aren't used
...
prosody is still broken
2022-12-07 01:31:17 +00:00
c3957d81c2
ejabberd: enable MUC
2022-12-07 00:08:08 +00:00
c2db9fe28e
periodically archive my torrents so i don't lose them again
2022-12-06 07:17:19 +00:00
7f285a8254
ejabberd: enable some more modules which don't conflict
2022-12-06 07:05:59 +00:00
b0664d81ab
ejabberd: enable mod_pubsub, mod_avatar
...
i'm able to do this without breaking federation now,
but it doesn't seem to fullly work.
2022-12-05 02:37:35 +00:00
8ba52bb9cd
ejabberd: enable mod_{carboncopy,last,offline,private,stream_mgmt}
2022-12-05 02:16:28 +00:00
20f0a19e25
ejabberd: fix federation: disable mod_pubsub and mod_avatar
...
now i can send messages FROM uninsane.org again
2022-12-05 00:47:48 +00:00
9dc17a3874
ejabberd: enable avatar support
...
haven't tested that it federates properly -- only that Dino is able to
set it.
2022-12-04 12:38:47 +00:00
2992644901
bluetooth: persist bluetooth earbuds connection
2022-12-04 11:33:03 +00:00
d5d89a10b9
bluetooth: add key for connecting to my car
2022-12-04 10:56:50 +00:00
7c36a0d522
bluetooth: share connections across machines
2022-12-03 11:05:09 +00:00
63c92a44ed
servo: ejabberd: enable file uploads
2022-12-03 08:57:10 +00:00
992efc1093
moby: persist pulseaudio volume status
2022-12-03 07:30:09 +00:00
a1911f3001
ejabberd: fix TLS config (now successfully federating!)
...
TODO: verify file uploading
TODO: wire up admin panel
2022-12-03 02:16:29 +00:00
24967c53a7
servo: disable ipfs
2022-12-02 08:33:50 +00:00
3f33b2cb76
nginx: supply x509 certs for assorted websites under /var/www/sites
2022-11-30 11:37:37 +00:00
f8a1df790f
servo: allow hosting arbitrary websites by stashing them in /var/www
2022-11-30 05:33:04 +00:00
82d11a7ae1
nginx: note that OCSP stapling isn't actually working
2022-11-30 02:09:35 +00:00
5d1e8f5f60
servo: store media on external storage
2022-11-29 21:54:33 +00:00
ff9c26b03d
servo: port to Ryzen/x86 machine
2022-11-29 02:20:18 +00:00
16327fd323
nix patches: fix hashes
2022-11-29 02:18:05 +00:00
a56f2008d3
fix 'nixserv' -> 'nixserve' typo
2022-11-23 04:09:58 +00:00
c2a2b27002
servo: disable duplicity
2022-11-22 12:01:55 +00:00
b566910da0
home-manager: hide behind an enable flag
2022-11-22 05:28:41 +00:00
ca43811c16
remove sane.home-manager.extraPackages
...
replaced by sane.packages.extraUserPkgs
2022-11-22 05:11:02 +00:00
7284452aa5
re-enable some environment stuff that got lost during refactors
2022-11-22 04:51:03 +00:00
f772300d88
move system-packages into the main packages.nix file
2022-11-22 04:40:24 +00:00
eccb5ff3d6
rename home-packages
-> packages
2022-11-22 04:31:55 +00:00
0c6b949a72
lift some more files out of modules -> hosts
2022-11-22 04:29:17 +00:00
9a6c83776d
vpn: move out of modules/
2022-11-22 03:46:25 +00:00
e408e77026
move secrets.nix out of modules
2022-11-22 03:37:57 +00:00
a0e85ff31b
nixserve: remove the default sops path
...
it might make more sense to make this a runtime path (/run/secrets/...)
2022-11-22 03:20:50 +00:00
1d448a4114
migrate common settings from hosts/{instantiate -> common/default}.nix
2022-11-22 03:10:19 +00:00
ed52b5f251
nixcache: modularize
2022-11-22 03:07:11 +00:00
84a17f4599
move hardware
out of modules
into hosts/common
...
i want for `modules/` to behave like a more typical `modules` directory,
where functionality is opt-in.
2022-11-22 02:52:07 +00:00
43fa7fdd9f
rename machines
-> hosts
...
- shorter.
- congruent with `nixos-rebuild .` choosing what to build based on `hostname`.
- more widely used within other nix repos i've seen.
- more accurate in the case that i migrate a host to a different
machine (which i plan to do with servo).
2022-11-22 02:33:47 +00:00