nixos/networking: fix extraHosts generation

The SSH host key files are already defined in the OpenSSH module, so
there is no need to persist them with impermanence.nix.

agenix/dns/tuxcord.net/javalsai.tuxcord.net.key.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 Wl2fDA 3CWPYLgoTMGb9gBbDzZIQxYJ9Gfm49g6lqQyqlegUDQ
+ryhsPP5+Byus2e5GSXDJlKYX1o3HfQ87CLRv2htU4n4
+-> ssh-ed25519 EiAAKw B2uGdkeC3OZISN2iH2DR1J7L3/mbuFvebzqaTdAURCw
+ze0X/MmHP78rRqAn0O3VBtnMJsiOXPk8RIe82tdQMeg
+--- kLBxPuJdbPmJ1Lz3iBu8EPItdZtpNHIyV6pz1QzhcUY
+ä3ÛÿÉèŸP>gòh@­ö•AZ’üz-í6R€¸zèÚ¢[ÇÝÍPÂòㆿy?•ÉŽU�SNÝ©&ú#}ÝR+o?.B¶&´5]ÇW€OΉPuh‹½ŽÞ=t¶5|¿×“s×€ú&!­‰Î-�æTÝSÆfÕ™-j"#žiÂwzºš›ãjö¯“HŒí�

agenix/secrets.nix

@@ -1,17 +1,25 @@
 let
-  users = import ../lib/ssh/keys.nix;
+  inherit (import ../lib)
+    users
+    adminSSHKeys
+    attrsToList
+    getSSHKeys
+    ;
 
   tuxcord-ca = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPxiko5Csyq9UODglYzLBvRfxkhQu9GXP7SH2BpC8G/7";
 in
 {
-  "ntfy.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users;
+  "ntfy.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
 
   # tsig-keygen etc.sub.domain.tld.
-  "dns/tuxcord.net/tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ [ users.error users.javalsai ];
+  "dns/tuxcord.net/tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
-  # "dns/tuxcord.net/XXX.tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ [ users.XXX ];
+  "dns/nix.tuxcord.net/nix.tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
-
+  "dns/tuxcord.test/tuxcord.test.key.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
-  "dns/tuxcord.test/tuxcord.test.key.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users;
+  "dns/tuxcord.test/sub.tuxcord.test.key.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
-  "dns/tuxcord.test/sub.tuxcord.test.key.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users;
-
-  "dns/nix.tuxcord.net/nix.tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users;
 }
+// builtins.listToAttrs (
+  map (user: {
+    name = "dns/tuxcord.net/${user.name}.tuxcord.net.key.age";
+    value.publicKeys = [ tuxcord-ca ] ++ getSSHKeys user.name;
+  }) (builtins.filter (user: user.value.ddns or false) (attrsToList users))
+)

flake.nix

@@ -53,6 +53,7 @@
         };
 
       flake = {
+        lib = import ./lib;
         pins = import ./npins;
       };
 

lib/default.nix

@@ -0,0 +1,21 @@
+rec {
+  users = import ./users.nix;
+
+  adminSSHKeys = builtins.concatLists (
+    map (user: getSSHKeys user.name) (
+      builtins.filter (user: user.value.admin or false) (attrsToList users)
+    )
+  );
+
+  attrsToList = mapAttrsToList nameValuePair;
+  mapAttrsToList = f: attrs: builtins.attrValues (builtins.mapAttrs f attrs);
+  nameValuePair = name: value: { inherit name value; };
+  toList = x: if builtins.isList x then x else [ x ];
+
+  getSSHKeys =
+    username:
+    if (builtins.hasAttr "ssh" users.${username}) then
+      toList users.${username}.ssh
+    else
+      builtins.warn "user ${username} declared without ssh key" [ ];
+}

lib/ssh/keys.nix

@@ -1,8 +0,0 @@
-{
-  error = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDzdpxex2GlFVf5G2qsh3Ixa/XCMjnbq4JSTmAev7WYJ error.nointernet@gmail.com";
-  javalsai = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDFjavnLqxIzFLIUpUWDOwhlYeoII4Qk1/9e0yWWxD/P";
-  max = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDxVfJhzPDZ108UjB3Vj/akzlzYn27kyAw29AuYAr7gvG5vrqhLUYYmK8t+ZVWVpc1g6cK7OF1oUn2E5Qfmy6wqyZQXftAZ4OcRS0MB71W1bAcRq3rGe6KQDm8RSEeygX+zO+2Z6zQmVWgPr/I+JFQZ8wiWdP8X8djqTRdhqUD+SR3ZgTcnY3aLmeB/I56rcZQ3lKIeg/pEsyQ8weptlV0rTWamna6Z7Nw48VwWNSI+6EqfW2/4/edm0Ue8jMNqNZ0yx+kHJbudPgZgSR1SiR2rqlEEUaiQJQQV3VdY4DhGm7143ZSKUxyKlfTuQ7qR1zSIg6f5V71A37ik9YiSbBlOZO86swR4qHESoMNf608IuqRt2NdALHwozFPUCu16qnhu5JTk8twSAzrAhOk5zWQj1LYMoQEBhcFSmwir/1gE71NSjYtqXGVAdfkVmZ4uqG5+a1D7H3VXWOqu/j839M045O1ZBY6X3lKDsEJ1Z1+LCl/NojWnvPtJUHYI6+SdQ6k=";
-
-  vectorum = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwfPaylCSN7ZqB6Trz8CmQlyzf0NUIy06uschdIOkdzjUNe/dPGbyEFZy/4SDBhg585x8hwfhfYjLGrneYq+O42DBDTDKxduWnIdl5zgPRqt7jB59jkukf9WUdpUdZsKCM5K97HCnizNEKGRnYllVPVQSapPhOm5dZlUD9YVv1UqbDuxtWOLvArkL52e9T+yL6FagRg6NPqA70MXPMk+S2H7lotFVxP2Eg//BCaQ0/H1vhNy6P4N6LLq3sVK1DSJyd2v8zHkdb2Zo0/Ygukol10KizSsEcihm8+bXp699uSgWIsaIQgDZlE1yx2iabmzQST1kL9+USnZZBZ+KxwtLCCI8mpCv6sxlhq2Zzim5HvsyMYM+zdHWIn1s2c6mEl4ntBAB4s5wAggS5Gjh/BfJLSvGsTFMC/XYX4gWFXynY5NlcopeENL2Afg4gbQvKkxYkWB/TMZWuqj5c5kCy+7F0881DpYxapq6kQ6IE4gkGiEQdhVFGWEFoV/k9iHrl6aanqvFtvuBHHgkXAGPpHAZDVZdp9lU0tqNQIM/eGINq4Or6wd9XDYyj5ezDEBxx1pPgweUDZrNe9+vKR+3AwbzB/XQPxTCcjd4d7Yx58jPLflFP1dDYT+3bvp+vA7UpHcJnISbVNu0SiSaIqLYhwDj1od5l6JDfRCqnMF1T59nRCQ==";
-  pickzelle = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPUYQUWoL8iGc+PSrRrHyNwcOcmgGwPvJAM9HRJkPqcW pixel@DOOM-Machine";
-}

lib/users.nix

@@ -0,0 +1,26 @@
+{
+  error = {
+    ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDzdpxex2GlFVf5G2qsh3Ixa/XCMjnbq4JSTmAev7WYJ error.nointernet@gmail.com";
+    admin = true;
+    ddns = true;
+  };
+
+  javalsai = {
+    ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDFjavnLqxIzFLIUpUWDOwhlYeoII4Qk1/9e0yWWxD/P";
+    admin = true;
+    ddns = true;
+  };
+
+  max = {
+    ssh = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDxVfJhzPDZ108UjB3Vj/akzlzYn27kyAw29AuYAr7gvG5vrqhLUYYmK8t+ZVWVpc1g6cK7OF1oUn2E5Qfmy6wqyZQXftAZ4OcRS0MB71W1bAcRq3rGe6KQDm8RSEeygX+zO+2Z6zQmVWgPr/I+JFQZ8wiWdP8X8djqTRdhqUD+SR3ZgTcnY3aLmeB/I56rcZQ3lKIeg/pEsyQ8weptlV0rTWamna6Z7Nw48VwWNSI+6EqfW2/4/edm0Ue8jMNqNZ0yx+kHJbudPgZgSR1SiR2rqlEEUaiQJQQV3VdY4DhGm7143ZSKUxyKlfTuQ7qR1zSIg6f5V71A37ik9YiSbBlOZO86swR4qHESoMNf608IuqRt2NdALHwozFPUCu16qnhu5JTk8twSAzrAhOk5zWQj1LYMoQEBhcFSmwir/1gE71NSjYtqXGVAdfkVmZ4uqG5+a1D7H3VXWOqu/j839M045O1ZBY6X3lKDsEJ1Z1+LCl/NojWnvPtJUHYI6+SdQ6k=";
+    admin = true;
+  };
+
+  vectorum = {
+    ssh = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwfPaylCSN7ZqB6Trz8CmQlyzf0NUIy06uschdIOkdzjUNe/dPGbyEFZy/4SDBhg585x8hwfhfYjLGrneYq+O42DBDTDKxduWnIdl5zgPRqt7jB59jkukf9WUdpUdZsKCM5K97HCnizNEKGRnYllVPVQSapPhOm5dZlUD9YVv1UqbDuxtWOLvArkL52e9T+yL6FagRg6NPqA70MXPMk+S2H7lotFVxP2Eg//BCaQ0/H1vhNy6P4N6LLq3sVK1DSJyd2v8zHkdb2Zo0/Ygukol10KizSsEcihm8+bXp699uSgWIsaIQgDZlE1yx2iabmzQST1kL9+USnZZBZ+KxwtLCCI8mpCv6sxlhq2Zzim5HvsyMYM+zdHWIn1s2c6mEl4ntBAB4s5wAggS5Gjh/BfJLSvGsTFMC/XYX4gWFXynY5NlcopeENL2Afg4gbQvKkxYkWB/TMZWuqj5c5kCy+7F0881DpYxapq6kQ6IE4gkGiEQdhVFGWEFoV/k9iHrl6aanqvFtvuBHHgkXAGPpHAZDVZdp9lU0tqNQIM/eGINq4Or6wd9XDYyj5ezDEBxx1pPgweUDZrNe9+vKR+3AwbzB/XQPxTCcjd4d7Yx58jPLflFP1dDYT+3bvp+vA7UpHcJnISbVNu0SiSaIqLYhwDj1od5l6JDfRCqnMF1T59nRCQ==";
+  };
+
+  pickzelle = {
+    ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPUYQUWoL8iGc+PSrRrHyNwcOcmgGwPvJAM9HRJkPqcW pixel@DOOM-Machine";
+  };
+}

nixos/common.nix

@@ -99,22 +99,15 @@ in
 
     extraHosts =
       let
-        subdomains = [
+        subdomains = [ "git" ];
-          ""
+
-          ".git"
+        inherit (config.networking) fqdn;
-        ];
+        hosts = [ fqdn ] ++ map (sub: "${sub}.${fqdn}") subdomains;
       in
-      builtins.foldl' (
+      lib.concatMapStrings (host: ''
-        hosts-acc: domain-prefix:
+        127.0.0.1 ${host}
-        let
+        ::1 ${host}
-          host = "${domain-prefix}${config.networking.fqdn}";
+      '') hosts;
-        in
-        hosts-acc
-        + ''
-          127.0.0.1 ${host}
-          ::1 ${host}
-        ''
-      ) "" subdomains;
   };
 
   virtualisation.podman.enable = true;

nixos/hosts/tuxcord-acmetest/default.nix

@@ -1,11 +1,14 @@
 {
-  acme = {
+  imports = [
-    enable = true;
+    ./storage.nix
-    rfc2136.nameserver = "tuxcord.net";
+  ];
-  };
 
-  dns.enable = true;
   networking.fqdn = "nix.tuxcord.net";
 
+  acme.rfc2136.nameserver = "tuxcord.net";
+  dns.enable = true;
+
+  services.getty.autologinUser = "root";
+
   time.timeZone = "Europe/Madrid";
 }

nixos/hosts/tuxcord-acmetest/storage.nix

@@ -0,0 +1,6 @@
+{
+  fileSystems."/" = {
+    device = "/dev/vda";
+    fsType = "ext4";
+  };
+}

nixos/hosts/tuxcord-ca/storage.nix

@@ -32,6 +32,7 @@
         device = "/dev/xvda2";
         fsType = "btrfs";
         options = [ "subvol=@persist" ] ++ defaultOptions;
+        neededForBoot = true;
       };
     };
 }

nixos/hosts/tuxcord-test/default.nix

@@ -1,6 +1,12 @@
 {
+  imports = [
+    ./storage.nix
+  ];
+
+  networking.fqdn = "tuxcord.test";
+
   acme.enable = false;
   dns.enable = true;
 
-  networking.fqdn = "tuxcord.test";
+  services.getty.autologinUser = "root";
 }

nixos/hosts/tuxcord-test/storage.nix

@@ -0,0 +1,6 @@
+{
+  fileSystems."/" = {
+    device = "/dev/vda";
+    fsType = "ext4";
+  };
+}

nixos/impermanence.nix

@@ -55,8 +55,6 @@
     };
   };
 
-  fileSystems."/persist".neededForBoot = true;
-
   environment.persistence."/persist" = {
     enable = true;
     hideMounts = true;
@@ -72,10 +70,6 @@
     ];
     files = [
       "/etc/machine-id"
-      "/etc/ssh/ssh_host_ed25519_key"
-      "/etc/ssh/ssh_host_ed25519_key.pub"
-      "/etc/ssh/ssh_host_rsa_key"
-      "/etc/ssh/ssh_host_rsa_key.pub"
     ];
   };
 

nixos/modules/nginx.nix

@@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, self, ... }:
 let
   inherit (config.networking) fqdn;
 
@@ -15,6 +15,11 @@ let
 
   mkProxy = port: {
     proxyPass = "http://127.0.0.1:${toString port}/";
+
+    extraConfig = ''
+      proxy_buffering off;
+      proxy_request_buffering off;
+    '';
   };
 in
 {
@@ -27,11 +32,17 @@ in
     recommendedGzipSettings = true;
     recommendedOptimisation = true;
 
-    # services.nginx.virtualHosts."${fqdn}" = {
+    virtualHosts."${fqdn}" = mkVhost {
-    #   addSSL = true;
+      default = true;
-    #   root = "/var/www/myhost.org";
+
-    #   default = true;
+      locations."/" = {
-    # };
+        root = "${self.pins.website}/web-root";
+
+        extraConfig = ''
+          ssi on;
+        '';
+      };
+    };
 
     virtualHosts."git.${fqdn}" = mkVhost {
       locations."/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;

nixos/openssh.nix

@@ -4,6 +4,7 @@
 
     settings = {
       ClientAliveInterval = 300;
+      X11Forwarding = true;
 
       KbdInteractiveAuthentication = false;
       PasswordAuthentication = false;

nixos/users.nix

@@ -1,25 +1,6 @@
 { lib, self, ... }:
 let
-  users = [
+  inherit (self.lib) users;
-    {
-      name = "error";
-      options.admin = true;
-    }
-    {
-      name = "javalsai";
-      options.admin = true;
-    }
-    {
-      name = "max";
-      options.admin = true;
-    }
-    {
-      name = "vectorum";
-    }
-    {
-      name = "pickzelle";
-    }
-  ];
 
   adminGroups = [
     "adm"
@@ -30,30 +11,13 @@ let
     "wheel"
   ];
 
-  getSSHKeys =
+  mkUser = name: uid: admin: {
-    username:
+    users.users.${name} = {
-    let
+      inherit uid;
-      sshKeys = import "${self}/lib/ssh/keys.nix";
+      isNormalUser = true;
-    in
+      extraGroups = lib.optionals admin adminGroups;
-    if (builtins.hasAttr username sshKeys) then
+      openssh.authorizedKeys.keys = self.lib.getSSHKeys name;
-      lib.lists.toList sshKeys.${username}
+    };
-    else
-      lib.warn "user ${username} declared without ssh key" [ ];
-
-  mkUser =
-    name: uid: options:
-    let
-      admin = options.admin or false;
-
-    in
-    {
-      users.users.${name} = {
-        isNormalUser = true;
-        extraGroups = lib.optionals admin adminGroups;
-        inherit uid;
-
-        openssh.authorizedKeys.keys = getSSHKeys name;
-      };
 
     systemd.slices."user-${builtins.toString uid}".sliceConfig = {
       CPUQuota = "50%";
@@ -69,21 +33,20 @@ in
 lib.recursiveUpdate
   (builtins.foldl'
     (attrs: user: {
-      options = lib.recursiveUpdate attrs.options (mkUser user.name attrs.uid (user.options or { }));
+      options = lib.recursiveUpdate attrs.options (
+        mkUser user.name attrs.uid (user.value.admin or false)
+      );
       uid = attrs.uid + 1;
     })
     {
       options = { };
       uid = 1000;
     }
-    users
+    (lib.attrsToList users)
   ).options
   {
     users.users.root = {
       initialPassword = "tuxcord";
-
+      openssh.authorizedKeys.keys = self.lib.adminSSHKeys;
-      openssh.authorizedKeys.keys = lib.lists.concatLists (
-        map (user: getSSHKeys user.name) (builtins.filter (user: user.options.admin or false) users)
-      );
     };
   }

npins/sources.json

@@ -1,4 +1,17 @@
 {
-  "pins": {},
+  "pins": {
+    "website": {
+      "type": "Git",
+      "repository": {
+        "type": "Git",
+        "url": "https://git.javalsai.tuxcord.net/tuxcord/website.git"
+      },
+      "branch": "main",
+      "submodules": false,
+      "revision": "b18dd7b863644debb0a843a5b21bb490bfe7d048",
+      "url": null,
+      "hash": "18czfxaldy0zhjprdsqzxnzj3p9qlc4canwigr13iw2wisi4ww5y"
+    }
+  },
   "version": 5
 }

shells/default.nix

@@ -31,7 +31,6 @@
           git
           inputs.agenix.packages.${stdenv.hostPlatform.system}.default
           jujutsu
-          neovim
           nix-output-monitor
           nixfmt
           npins