nixos/networking: fix extraHosts generation

npins: update website
nixos/hosts: declare fileSystems for testing hosts
2026-05-04 01:26:28 -04:00 · 2026-05-04 01:26:28 -04:00 · 2026-05-04 01:26:28 -04:00 · 2026-05-04 01:26:28 -04:00 · 2026-05-04 01:26:28 -04:00 · 2026-05-04 01:26:28 -04:00
19 changed files with 156 additions and 102 deletions
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 Wl2fDA 3CWPYLgoTMGb9gBbDzZIQxYJ9Gfm49g6lqQyqlegUDQ
+ryhsPP5+Byus2e5GSXDJlKYX1o3HfQ87CLRv2htU4n4
+-> ssh-ed25519 EiAAKw B2uGdkeC3OZISN2iH2DR1J7L3/mbuFvebzqaTdAURCw
+ze0X/MmHP78rRqAn0O3VBtnMJsiOXPk8RIe82tdQMeg
+--- kLBxPuJdbPmJ1Lz3iBu8EPItdZtpNHIyV6pz1QzhcUY
+ä3ÛÿÉèŸP>gòh@ö•AZ’üz-í6R€¸zèÚ¢[ÇÝÍPÂòã†¿y?•ÉŽU�SNÝ©&ú#}ÝR+o?.B¶&´5]ÇW€OÎ‰Puh‹½ŽÞ=t¶5|¿×“s×€ú&!‰Î-�æTÝSÆfÕ™-j"#žiÂwzºš›ãjö¯“HŒí�
@@ -1,17 +1,25 @@
 let
-  users = import ../lib/ssh/keys.nix;
+  inherit (import ../lib)
+    users
+    adminSSHKeys
+    attrsToList
+    getSSHKeys
+    ;

  tuxcord-ca = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPxiko5Csyq9UODglYzLBvRfxkhQu9GXP7SH2BpC8G/7";
 in
 {
-  "ntfy.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users;
+  "ntfy.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;

  # tsig-keygen etc.sub.domain.tld.
-  "dns/tuxcord.net/tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ [ users.error users.javalsai ];
-  # "dns/tuxcord.net/XXX.tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ [ users.XXX ];
-
-  "dns/tuxcord.test/tuxcord.test.key.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users;
-  "dns/tuxcord.test/sub.tuxcord.test.key.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users;
-
-  "dns/nix.tuxcord.net/nix.tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users;
+  "dns/tuxcord.net/tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
+  "dns/nix.tuxcord.net/nix.tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
+  "dns/tuxcord.test/tuxcord.test.key.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
+  "dns/tuxcord.test/sub.tuxcord.test.key.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
 }
+// builtins.listToAttrs (
+  map (user: {
+    name = "dns/tuxcord.net/${user.name}.tuxcord.net.key.age";
+    value.publicKeys = [ tuxcord-ca ] ++ getSSHKeys user.name;
+  }) (builtins.filter (user: user.value.ddns or false) (attrsToList users))
+)
@@ -53,6 +53,7 @@
        };

      flake = {
+        lib = import ./lib;
        pins = import ./npins;
      };

@@ -0,0 +1,24 @@
+rec {
+  attrsToList = mapAttrsToList nameValuePair;
+
+  mapAttrsToList = f: attrs: builtins.attrValues (builtins.mapAttrs f attrs);
+
+  nameValuePair = name: value: { inherit name value; };
+
+  toList = x: if builtins.isList x then x else [ x ];
+
+  getSSHKeys =
+    username:
+    if (builtins.hasAttr "ssh" users.${username}) then
+      toList users.${username}.ssh
+    else
+      builtins.warn "user ${username} declared without ssh keys" [ ];
+
+  users = import ./users.nix;
+
+  adminSSHKeys = builtins.concatLists (
+    map (user: getSSHKeys user.name) (
+      builtins.filter (user: user.value.admin or false) (attrsToList users)
+    )
+  );
+}
@@ -1,8 +0,0 @@
-{
-  error = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDzdpxex2GlFVf5G2qsh3Ixa/XCMjnbq4JSTmAev7WYJ error.nointernet@gmail.com";
-  javalsai = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDFjavnLqxIzFLIUpUWDOwhlYeoII4Qk1/9e0yWWxD/P";
-  max = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDxVfJhzPDZ108UjB3Vj/akzlzYn27kyAw29AuYAr7gvG5vrqhLUYYmK8t+ZVWVpc1g6cK7OF1oUn2E5Qfmy6wqyZQXftAZ4OcRS0MB71W1bAcRq3rGe6KQDm8RSEeygX+zO+2Z6zQmVWgPr/I+JFQZ8wiWdP8X8djqTRdhqUD+SR3ZgTcnY3aLmeB/I56rcZQ3lKIeg/pEsyQ8weptlV0rTWamna6Z7Nw48VwWNSI+6EqfW2/4/edm0Ue8jMNqNZ0yx+kHJbudPgZgSR1SiR2rqlEEUaiQJQQV3VdY4DhGm7143ZSKUxyKlfTuQ7qR1zSIg6f5V71A37ik9YiSbBlOZO86swR4qHESoMNf608IuqRt2NdALHwozFPUCu16qnhu5JTk8twSAzrAhOk5zWQj1LYMoQEBhcFSmwir/1gE71NSjYtqXGVAdfkVmZ4uqG5+a1D7H3VXWOqu/j839M045O1ZBY6X3lKDsEJ1Z1+LCl/NojWnvPtJUHYI6+SdQ6k=";
-
-  vectorum = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwfPaylCSN7ZqB6Trz8CmQlyzf0NUIy06uschdIOkdzjUNe/dPGbyEFZy/4SDBhg585x8hwfhfYjLGrneYq+O42DBDTDKxduWnIdl5zgPRqt7jB59jkukf9WUdpUdZsKCM5K97HCnizNEKGRnYllVPVQSapPhOm5dZlUD9YVv1UqbDuxtWOLvArkL52e9T+yL6FagRg6NPqA70MXPMk+S2H7lotFVxP2Eg//BCaQ0/H1vhNy6P4N6LLq3sVK1DSJyd2v8zHkdb2Zo0/Ygukol10KizSsEcihm8+bXp699uSgWIsaIQgDZlE1yx2iabmzQST1kL9+USnZZBZ+KxwtLCCI8mpCv6sxlhq2Zzim5HvsyMYM+zdHWIn1s2c6mEl4ntBAB4s5wAggS5Gjh/BfJLSvGsTFMC/XYX4gWFXynY5NlcopeENL2Afg4gbQvKkxYkWB/TMZWuqj5c5kCy+7F0881DpYxapq6kQ6IE4gkGiEQdhVFGWEFoV/k9iHrl6aanqvFtvuBHHgkXAGPpHAZDVZdp9lU0tqNQIM/eGINq4Or6wd9XDYyj5ezDEBxx1pPgweUDZrNe9+vKR+3AwbzB/XQPxTCcjd4d7Yx58jPLflFP1dDYT+3bvp+vA7UpHcJnISbVNu0SiSaIqLYhwDj1od5l6JDfRCqnMF1T59nRCQ==";
-  pickzelle = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPUYQUWoL8iGc+PSrRrHyNwcOcmgGwPvJAM9HRJkPqcW pixel@DOOM-Machine";
-}
@@ -0,0 +1,26 @@
+{
+  error = {
+    ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDzdpxex2GlFVf5G2qsh3Ixa/XCMjnbq4JSTmAev7WYJ error.nointernet@gmail.com";
+    admin = true;
+    ddns = true;
+  };
+
+  javalsai = {
+    ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDFjavnLqxIzFLIUpUWDOwhlYeoII4Qk1/9e0yWWxD/P";
+    admin = true;
+    ddns = true;
+  };
+
+  max = {
+    ssh = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDxVfJhzPDZ108UjB3Vj/akzlzYn27kyAw29AuYAr7gvG5vrqhLUYYmK8t+ZVWVpc1g6cK7OF1oUn2E5Qfmy6wqyZQXftAZ4OcRS0MB71W1bAcRq3rGe6KQDm8RSEeygX+zO+2Z6zQmVWgPr/I+JFQZ8wiWdP8X8djqTRdhqUD+SR3ZgTcnY3aLmeB/I56rcZQ3lKIeg/pEsyQ8weptlV0rTWamna6Z7Nw48VwWNSI+6EqfW2/4/edm0Ue8jMNqNZ0yx+kHJbudPgZgSR1SiR2rqlEEUaiQJQQV3VdY4DhGm7143ZSKUxyKlfTuQ7qR1zSIg6f5V71A37ik9YiSbBlOZO86swR4qHESoMNf608IuqRt2NdALHwozFPUCu16qnhu5JTk8twSAzrAhOk5zWQj1LYMoQEBhcFSmwir/1gE71NSjYtqXGVAdfkVmZ4uqG5+a1D7H3VXWOqu/j839M045O1ZBY6X3lKDsEJ1Z1+LCl/NojWnvPtJUHYI6+SdQ6k=";
+    admin = true;
+  };
+
+  vectorum = {
+    ssh = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwfPaylCSN7ZqB6Trz8CmQlyzf0NUIy06uschdIOkdzjUNe/dPGbyEFZy/4SDBhg585x8hwfhfYjLGrneYq+O42DBDTDKxduWnIdl5zgPRqt7jB59jkukf9WUdpUdZsKCM5K97HCnizNEKGRnYllVPVQSapPhOm5dZlUD9YVv1UqbDuxtWOLvArkL52e9T+yL6FagRg6NPqA70MXPMk+S2H7lotFVxP2Eg//BCaQ0/H1vhNy6P4N6LLq3sVK1DSJyd2v8zHkdb2Zo0/Ygukol10KizSsEcihm8+bXp699uSgWIsaIQgDZlE1yx2iabmzQST1kL9+USnZZBZ+KxwtLCCI8mpCv6sxlhq2Zzim5HvsyMYM+zdHWIn1s2c6mEl4ntBAB4s5wAggS5Gjh/BfJLSvGsTFMC/XYX4gWFXynY5NlcopeENL2Afg4gbQvKkxYkWB/TMZWuqj5c5kCy+7F0881DpYxapq6kQ6IE4gkGiEQdhVFGWEFoV/k9iHrl6aanqvFtvuBHHgkXAGPpHAZDVZdp9lU0tqNQIM/eGINq4Or6wd9XDYyj5ezDEBxx1pPgweUDZrNe9+vKR+3AwbzB/XQPxTCcjd4d7Yx58jPLflFP1dDYT+3bvp+vA7UpHcJnISbVNu0SiSaIqLYhwDj1od5l6JDfRCqnMF1T59nRCQ==";
+  };
+
+  pickzelle = {
+    ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPUYQUWoL8iGc+PSrRrHyNwcOcmgGwPvJAM9HRJkPqcW pixel@DOOM-Machine";
+  };
+}
@@ -99,22 +99,15 @@ in

    extraHosts =
      let
-        subdomains = [
-          ""
-          ".git"
-        ];
+        subdomains = [ "git" ];
+
+        inherit (config.networking) fqdn;
+        hosts = [ fqdn ] ++ map (sub: "${sub}.${fqdn}") subdomains;
      in
-      builtins.foldl' (
-        hosts-acc: domain-prefix:
-        let
-          host = "${domain-prefix}${config.networking.fqdn}";
-        in
-        hosts-acc
-        + ''
+      lib.concatMapStrings (host: ''
        127.0.0.1 ${host}
        ::1 ${host}
-        ''
-      ) "" subdomains;
+      '') hosts;
  };

  virtualisation.podman.enable = true;
@@ -1,11 +1,14 @@
 {
-  acme = {
-    enable = true;
-    rfc2136.nameserver = "tuxcord.net";
-  };
+  imports = [
+    ./storage.nix
+  ];

-  dns.enable = true;
  networking.fqdn = "nix.tuxcord.net";

+  acme.rfc2136.nameserver = "tuxcord.net";
+  dns.enable = true;
+
+  services.getty.autologinUser = "root";
+
  time.timeZone = "Europe/Madrid";
 }
@@ -0,0 +1,6 @@
+{
+  fileSystems."/" = {
+    device = "/dev/vda";
+    fsType = "ext4";
+  };
+}
@@ -32,6 +32,7 @@
        device = "/dev/xvda2";
        fsType = "btrfs";
        options = [ "subvol=@persist" ] ++ defaultOptions;
+        neededForBoot = true;
      };
    };
 }
@@ -1,6 +1,12 @@
 {
+  imports = [
+    ./storage.nix
+  ];
+
+  networking.fqdn = "tuxcord.test";
+
  acme.enable = false;
  dns.enable = true;

-  networking.fqdn = "tuxcord.test";
+  services.getty.autologinUser = "root";
 }
@@ -0,0 +1,6 @@
+{
+  fileSystems."/" = {
+    device = "/dev/vda";
+    fsType = "ext4";
+  };
+}
@@ -55,8 +55,6 @@
    };
  };

-  fileSystems."/persist".neededForBoot = true;
-
  environment.persistence."/persist" = {
    enable = true;
    hideMounts = true;
@@ -72,10 +70,6 @@
    ];
    files = [
      "/etc/machine-id"
-      "/etc/ssh/ssh_host_ed25519_key"
-      "/etc/ssh/ssh_host_ed25519_key.pub"
-      "/etc/ssh/ssh_host_rsa_key"
-      "/etc/ssh/ssh_host_rsa_key.pub"
    ];
  };

@@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, self, ... }:
 let
  inherit (config.networking) fqdn;

@@ -15,6 +15,11 @@ let

  mkProxy = port: {
    proxyPass = "http://127.0.0.1:${toString port}/";
+
+    extraConfig = ''
+      proxy_buffering off;
+      proxy_request_buffering off;
+    '';
  };
 in
 {
@@ -27,11 +32,17 @@ in
    recommendedGzipSettings = true;
    recommendedOptimisation = true;

-    # services.nginx.virtualHosts."${fqdn}" = {
-    #   addSSL = true;
-    #   root = "/var/www/myhost.org";
-    #   default = true;
-    # };
+    virtualHosts."${fqdn}" = mkVhost {
+      default = true;
+
+      locations."/" = {
+        root = "${self.pins.website}/web-root";
+
+        extraConfig = ''
+          ssi on;
+        '';
+      };
+    };

    virtualHosts."git.${fqdn}" = mkVhost {
      locations."/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;
@@ -4,6 +4,7 @@

    settings = {
      ClientAliveInterval = 300;
+      X11Forwarding = true;

      KbdInteractiveAuthentication = false;
      PasswordAuthentication = false;
@@ -1,25 +1,6 @@
 { lib, self, ... }:
 let
-  users = [
-    {
-      name = "error";
-      options.admin = true;
-    }
-    {
-      name = "javalsai";
-      options.admin = true;
-    }
-    {
-      name = "max";
-      options.admin = true;
-    }
-    {
-      name = "vectorum";
-    }
-    {
-      name = "pickzelle";
-    }
-  ];
+  inherit (self.lib) users;

  adminGroups = [
    "adm"
@@ -30,29 +11,12 @@ let
    "wheel"
  ];

-  getSSHKeys =
-    username:
-    let
-      sshKeys = import "${self}/lib/ssh/keys.nix";
-    in
-    if (builtins.hasAttr username sshKeys) then
-      lib.lists.toList sshKeys.${username}
-    else
-      lib.warn "user ${username} declared without ssh key" [ ];
-
-  mkUser =
-    name: uid: options:
-    let
-      admin = options.admin or false;
-
-    in
-    {
+  mkUser = name: uid: admin: {
    users.users.${name} = {
+      inherit uid;
      isNormalUser = true;
      extraGroups = lib.optionals admin adminGroups;
-        inherit uid;
-
-        openssh.authorizedKeys.keys = getSSHKeys name;
+      openssh.authorizedKeys.keys = self.lib.getSSHKeys name;
    };

    systemd.slices."user-${builtins.toString uid}".sliceConfig = {
@@ -69,21 +33,20 @@ in
 lib.recursiveUpdate
  (builtins.foldl'
    (attrs: user: {
-      options = lib.recursiveUpdate attrs.options (mkUser user.name attrs.uid (user.options or { }));
+      options = lib.recursiveUpdate attrs.options (
+        mkUser user.name attrs.uid (user.value.admin or false)
+      );
      uid = attrs.uid + 1;
    })
    {
      options = { };
      uid = 1000;
    }
-    users
+    (lib.attrsToList users)
  ).options
  {
    users.users.root = {
      initialPassword = "tuxcord";
-
-      openssh.authorizedKeys.keys = lib.lists.concatLists (
-        map (user: getSSHKeys user.name) (builtins.filter (user: user.options.admin or false) users)
-      );
+      openssh.authorizedKeys.keys = self.lib.adminSSHKeys;
    };
  }
@@ -1,4 +1,17 @@
 {
-  "pins": {},
+  "pins": {
+    "website": {
+      "type": "Git",
+      "repository": {
+        "type": "Git",
+        "url": "https://git.javalsai.tuxcord.net/tuxcord/website.git"
+      },
+      "branch": "main",
+      "submodules": false,
+      "revision": "b18dd7b863644debb0a843a5b21bb490bfe7d048",
+      "url": null,
+      "hash": "18czfxaldy0zhjprdsqzxnzj3p9qlc4canwigr13iw2wisi4ww5y"
+    }
+  },
  "version": 5
 }
@@ -31,7 +31,6 @@
          git
          inputs.agenix.packages.${stdenv.hostPlatform.system}.default
          jujutsu
-          neovim
          nix-output-monitor
          nixfmt
          npins
Author	SHA1	Message	Date
ErrorNoInternet	0dd5e51f41	nixos/networking: fix extraHosts generation Check / Nix flake (push) Failing after 9s Details Lint / Nix expressions (push) Failing after 10s Details	2026-05-04 01:26:28 -04:00
ErrorNoInternet	06e685d0b1	npins: update website	2026-05-04 01:26:28 -04:00
ErrorNoInternet	20219d60d4	nixos/hosts: declare fileSystems for testing hosts	2026-05-04 01:26:28 -04:00
ErrorNoInternet	ee82325b6e	nixos/services/openssh: enable X11 forwarding	2026-05-04 01:26:28 -04:00
javalsai	b8bc3edbff	nixos/hosts: add autologin for testing hosts	2026-05-04 01:26:28 -04:00
javalsai	427a905799	nixos/services: add default website on nginx	2026-05-04 01:26:28 -04:00
javalsai	b597977b8a	nixos/services: disable nginx proxy buffering	2026-05-04 01:26:28 -04:00
ErrorNoInternet	16bcec48f8	nixos/impermanence: remove ssh host key persistence The SSH host key files are already defined in the OpenSSH module, so there is no need to persist them with impermanence.nix.	2026-05-04 01:26:28 -04:00
ErrorNoInternet	9c2bee177c	shells: remove neovim Some users may be using self-contained Neovim executables.	2026-05-04 01:26:27 -04:00
ErrorNoInternet	84199dd8eb	agenix: import initial user dns keys	2026-05-04 01:26:27 -04:00
ErrorNoInternet	1c502afbcd	treewide: create global user list	2026-05-04 01:26:27 -04:00