+1 -1

hosts/wolumonde/modules/forgejo.nix hosts/wolumonde/modules/forgejo.nix/default.nix

··· 46 46 makeCopyCommand = dir: '' 47 47 mkdir -p ${customDir} 48 48 rm -rf ${getCustomDir dir} 49 49 - cp -r --no-preserve=mode,ownership ${./forgejo/${dir}} ${getCustomDir dir} 49 49 + cp -r --no-preserve=mode,ownership ${./${dir}} ${getCustomDir dir} 50 50 ''; 51 51 in 52 52 lib.concatMapStrings makeCopyCommand [

hosts/wolumonde/modules/forgejo/public/assets/css/theme-edge-dark.css hosts/wolumonde/modules/forgejo.nix/public/assets/css/theme-edge-dark.css

hosts/wolumonde/modules/forgejo/public/assets/fonts/comic.woff2 hosts/wolumonde/modules/forgejo.nix/public/assets/fonts/comic.woff2

hosts/wolumonde/modules/forgejo/public/assets/fonts/comicbd.woff2 hosts/wolumonde/modules/forgejo.nix/public/assets/fonts/comicbd.woff2

hosts/wolumonde/modules/forgejo/public/assets/fonts/comici.woff2 hosts/wolumonde/modules/forgejo.nix/public/assets/fonts/comici.woff2

hosts/wolumonde/modules/forgejo/public/assets/img/favicon.png hosts/wolumonde/modules/forgejo.nix/public/assets/img/favicon.png

hosts/wolumonde/modules/forgejo/public/assets/img/grrr.webp hosts/wolumonde/modules/forgejo.nix/public/assets/img/grrr.webp

hosts/wolumonde/modules/forgejo/public/assets/img/logo.png hosts/wolumonde/modules/forgejo.nix/public/assets/img/logo.png

hosts/wolumonde/modules/forgejo/public/assets/img/wecode.gif hosts/wolumonde/modules/forgejo.nix/public/assets/img/wecode.gif

hosts/wolumonde/modules/forgejo/templates/base/head.tmpl hosts/wolumonde/modules/forgejo.nix/templates/base/head.tmpl

hosts/wolumonde/modules/forgejo/templates/base/head_navbar.tmpl hosts/wolumonde/modules/forgejo.nix/templates/base/head_navbar.tmpl

hosts/wolumonde/modules/forgejo/templates/home.tmpl hosts/wolumonde/modules/forgejo.nix/templates/home.tmpl

+5 -2

hosts/wolumonde/modules/headscale.nix hosts/wolumonde/modules/headscale.nix/default.nix

··· 3 3 domain = "vpn.${rootDomain}"; 4 4 in { 5 5 age.secrets.headscaleOidcSecret = { 6 6 - file = ../../../secrets/headscaleOidcSecret.age; 6 6 + file = ../../../../secrets/headscaleOidcSecret.age; 7 7 mode = "600"; 8 8 owner = config.services.headscale.user; 9 9 group = config.services.headscale.group; ··· 15 15 port = 1111; 16 16 settings = { 17 17 server_url = "https://${domain}"; 18 18 - policy.mode = "database"; 18 18 + policy = { 19 19 + mode = "file"; 20 20 + file = ./acl.hujson; 21 21 + }; 19 22 dns = { 20 23 base_domain = "lan.${rootDomain}"; 21 24 nameservers.global = ["1.1.1.1" "1.0.0.1" "9.9.9.9" "149.112.112.112"];

+53

hosts/wolumonde/modules/headscale.nix/acl.hujson

··· 1 1 + { 2 2 + // Headscale ACL Configuration 3 3 + // Defines groups, tags, and access control rules 4 4 + 5 5 + // Groups define collections of users 6 6 + "groups": { 7 7 + "group:admin": ["90008@"], 8 8 + }, 9 9 + 10 10 + // Tags are used to label devices/nodes for access control 11 11 + "tagOwners": { 12 12 + "tag:private-infra": ["group:admin"], 13 13 + "tag:other-infra": ["group:admin"], 14 14 + }, 15 15 + 16 16 + // Access Control Lists - define what can access what 17 17 + "acls": [ 18 18 + // Admin group (user 90008) can access their own devices 19 19 + { 20 20 + "action": "accept", 21 21 + "src": ["group:admin"], 22 22 + "dst": ["group:admin:*"], 23 23 + }, 24 24 + 25 25 + // Private infrastructure can access other infrastructure 26 26 + { 27 27 + "action": "accept", 28 28 + "src": ["tag:private-infra"], 29 29 + "dst": ["tag:other-infra:*"], 30 30 + }, 31 31 + 32 32 + // Private infrastructure can access itself 33 33 + { 34 34 + "action": "accept", 35 35 + "src": ["tag:private-infra"], 36 36 + "dst": ["tag:private-infra:*"], 37 37 + }, 38 38 + 39 39 + // Other infrastructure can access itself 40 40 + { 41 41 + "action": "accept", 42 42 + "src": ["tag:other-infra"], 43 43 + "dst": ["tag:other-infra:*"], 44 44 + }, 45 45 + 46 46 + // Admin group can access both infrastructure tags 47 47 + { 48 48 + "action": "accept", 49 49 + "src": ["group:admin"], 50 50 + "dst": ["tag:private-infra:*", "tag:other-infra:*"], 51 51 + }, 52 52 + ], 53 53 + }

+3 -3

hosts/wolumonde/modules/perses.nix hosts/wolumonde/modules/perses.nix/default.nix

··· 78 78 }; 79 79 80 80 age.secrets.persesSecret = { 81 81 - file = ../../../secrets/persesSecret.age; 81 81 + file = ../../../../secrets/persesSecret.age; 82 82 owner = user; 83 83 group = user; 84 84 }; 85 85 age.secrets.persesAdminUser = { 86 86 - file = ../../../secrets/persesAdminUser.age; 86 86 + file = ../../../../secrets/persesAdminUser.age; 87 87 owner = user; 88 88 group = user; 89 89 }; ··· 95 95 '' 96 96 rm -rf ${provisioningFolder} && mkdir -p ${provisioningFolder} 97 97 cp -f ${secrets.persesAdminUser.path} ${provisioningFolder}/1-admin-user.json 98 98 - cp -f ${./perses/provision}/* ${provisioningFolder} 98 98 + cp -f ${./provision}/* ${provisioningFolder} 99 99 ''; 100 100 101 101 virtualisation.oci-containers.containers.perses = {

hosts/wolumonde/modules/perses/dashboards/.gitignore hosts/wolumonde/modules/perses.nix/dashboards/.gitignore

hosts/wolumonde/modules/perses/dashboards/go.mod hosts/wolumonde/modules/perses.nix/dashboards/go.mod

hosts/wolumonde/modules/perses/dashboards/go.sum hosts/wolumonde/modules/perses.nix/dashboards/go.sum

hosts/wolumonde/modules/perses/dashboards/wolumonde.go hosts/wolumonde/modules/perses.nix/dashboards/wolumonde.go

hosts/wolumonde/modules/perses/provision/1-private-infra.yaml hosts/wolumonde/modules/perses.nix/provision/1-private-infra.yaml

hosts/wolumonde/modules/perses/provision/2-admin-role.yaml hosts/wolumonde/modules/perses.nix/provision/2-admin-role.yaml

hosts/wolumonde/modules/perses/provision/3-admin-bind-role.yaml hosts/wolumonde/modules/perses.nix/provision/3-admin-bind-role.yaml

hosts/wolumonde/modules/perses/provision/4-victoria.yaml hosts/wolumonde/modules/perses.nix/provision/4-victoria.yaml

hosts/wolumonde/modules/perses/provision/5-funny.yaml hosts/wolumonde/modules/perses.nix/provision/5-funny.yaml

hosts/wolumonde/modules/perses/provision/6-guest-role.yaml hosts/wolumonde/modules/perses.nix/provision/6-guest-role.yaml

hosts/wolumonde/modules/perses/provision/7-funny-bind-role.yaml hosts/wolumonde/modules/perses.nix/provision/7-funny-bind-role.yaml

hosts/wolumonde/modules/perses/provision/90-wolumonde.yaml hosts/wolumonde/modules/perses.nix/provision/90-wolumonde.yaml

+1

hosts/wolumonde/modules/tailscale.nix

··· 5 5 enable = true; 6 6 port = 41641; 7 7 extraSetFlags = [ "--advertise-exit-node" ]; 8 8 + extraUpFlags = [ "--ssh" ]; 8 9 extraDaemonFlags = [ "--no-logs-no-support" ]; 9 10 useRoutingFeatures = "both"; 10 11 authKeyFile = config.age.secrets.tailscaleAuthKey.path;

+2 -2

hosts/wolumonde/modules/webhook.nix hosts/wolumonde/modules/webhook.nix/default.nix

··· 1 1 { config, tlib, ... }: 2 2 { 3 3 - imports = tlib.importFolder ./webhooks; 3 3 + imports = tlib.importFolder ./.; 4 4 5 5 services.webhook = { 6 6 enable = true; ··· 8 8 }; 9 9 10 10 age.secrets.webhookAuth = { 11 11 - file = ../../../secrets/webhookAuth.age; 11 11 + file = ../../../../secrets/webhookAuth.age; 12 12 mode = "600"; 13 13 owner = "nginx"; 14 14 group = "nginx";

hosts/wolumonde/modules/webhooks/deploy-wolumonde.nix hosts/wolumonde/modules/webhook.nix/deploy-wolumonde.nix

+1 -1

lib/default.nix

··· 19 19 files = b.readDir modules; 20 20 fileNames = b.attrNames files; 21 21 filesToImport = b.map (name: "${modules}/${name}") ( 22 22 - b.filter (name: b.match ".*\.nix" name != null) fileNames 22 22 + b.filter (name: (b.match ".*\.nix" name != null) && (name != "default.nix")) fileNames 23 23 ); 24 24 in 25 25 filesToImport;

secrets/develMobiNetbirdClientKey.age

This is a binary file and will not be displayed.

secrets/develMobiTailscaleAuthKey.age

This is a binary file and will not be displayed.

+15 -16

secrets/tailscaleAuthKey.age

··· 1 1 age-encryption.org/v1 2 2 -> ssh-rsa Abmvag 3 3 - NKeTQ1taN613x+apPY0ZIeL5kisXNZ/BQkFaOUeGz1J6esoiTtHQb2c426iH/1Xr 4 4 - doQnrpveP1g3xAhmcwPSrTFM1ZGmaTXw7OmWJJruPoaUgvJ+mzeYpHlCFcP/jZLZ 5 5 - /DSZklljD1kaefNsZVFrL44P/N9us65RclC9LtWsBy9uHKDR9vpAg+a/BchY1pfd 6 6 - laukKd3V+aZGBucBvXlzYz1vhmV8gAmiTzV8az/QEnXTUSY+9IF3rMFT0ZpppJAA 7 7 - KJ4Rk+iDK/0lIkHUrOdoZneeENt55nvc22eBKAzyF1GrifuBt5/yk9kPS7sv1svV 8 8 - ruNAnJyvBIT7Vnwasv9ZTy7+U/VeFjWaTiSs1DewBPOiLpHw9mmxbmF28oIP6dLz 9 9 - oRo1ZoZHyjF0+kgsMco6d9VgOCqIRLj3ObXvvda8iJQThMZsPjEKmvHt64usxwjT 10 10 - cVaE240zswtjnHfdtC7nxDG2aUHr5oeH6QXH7sAwKwx31zoJX9J7N0nc/ctD40nQ 11 11 - z0oevXgzN0MD5L/X2cjwJ0L2qajJjyJBrAlb5XiaOK38MTwf32cQZnaIej8cDzfE 12 12 - ReXXOmFiXq/Dl8nEKoHDQI3p+4ZOLztXu/5i/TL1HuvF5Riod5hA1oW2ubwHeHxR 13 13 - ApZ7ry5dtbBUxnuTI5zRLQY78BnrqsuJ9ghp2fDzSsc 14 14 - -> ssh-ed25519 KjIL7g SFusm9HUDdCCjjjKwOji+X66SpI2TzEf7p7AthPAWQU 15 15 - 11ovCJnXkMlOz/6570chlP62LkBoKx64EkFkcTXKELg 16 16 - --- mufkRbwTo+mBT3hXsyh5Mv7O30CtTtqXtR6EaJ2tZY8 17 17 - BS>���;Q6/<���KGM��m!����*��,Ƥ����KlM"s[Z��>�Nv 18 18 - WQ�kD��$Q> za)2*'�Y_���< 3 3 + cdEH6fTtZbBDJzNHCRdD6/xjHl/CG//VQqF5qIdJ+CVBTYZ8cyaY13fkJG7hKPAR 4 4 + WaMcRKyPwgAA1Dbhc3/K2VwGAZBSibIHhkj+iBOfu46WIRjEGPcz9HrMVMI6MmRf 5 5 + cCOw4VdTWYrUbcOclC9mGy/dimw+hHaTFIuepuDulVsSjC56kYDrhBSg+nmBBY1n 6 6 + 7nHiHOznHhjXfao65AuB++1kxqf7RifEq6bDcfgkvaXhUDJrc2kDY78o9qctvfFR 7 7 + 6sX77+vt8xxRgTZvWkix14WQRfOvWfXsroFfoSnno0A3KYlkko0JKxwkd/G56efi 8 8 + BA41j5OES3K+NxwdNvHlA73uXs/jumgtI76JXg7KHh2zWDbG6qtA290piKb6hSG8 9 9 + VnWoFJ37SKFNZTOuMjgpwurzzyCscRf4RHGy3/anUd/1yAK8RS35nlOS3QDKECyu 10 10 + Q6FIwcBItvZkzBmoFJKj6seUENZ46Wb6h1AOhaTCljkQyGTqti16Es0CGcyw+iTe 11 11 + OFWj7C6JXIlr/D8PTFK0pR9bVWc+NcJ0EF12kCC7jeqkBZ1BCa/SI3y3RxEGxVBQ 12 12 + qnJpeci/jEi6vUczx669+JU/WT015Ad73CwrILpY6GdvM5B5dLhKoiRTcrmZErLW 13 13 + N3qR1s0e+GDMOD6j6KQ9p5ob4/Iwb4KyFT1ua3pvVeo 14 14 + -> ssh-ed25519 KjIL7g BiO1JiyYp3Ekc5pPeMi8tMNcY+jaUcuDMrLl1r31FTk 15 15 + 6ynf4SG+Bg+vaTwiNssmwXUM7L8hIrkhK4OEPBCiyaY 16 16 + --- Didicg7j8DbrYwg+DCCiLrfp92LLa4nim3oPnRESZSw 17 17 + ւ���22�6Y[�"�u<s{�
?��ʲ.�� 5�t0!ul5�Q�y�.dܰEz�
�%7&��CA��Ko�^ YvD�P�