nixos/networking: fix extraHosts generation

npins: update website
nixos/hosts: declare fileSystems for testing hosts
2026-05-04 01:26:28 -04:00 · 2026-05-04 01:26:28 -04:00 · 2026-05-04 01:26:28 -04:00 · 2026-05-04 01:26:28 -04:00 · 2026-05-04 01:26:28 -04:00 · 2026-05-04 01:26:28 -04:00
11 changed files with 33 additions and 378 deletions
@@ -1,20 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 Wl2fDA 7PqbYWjorqzuPIDZgOZGIMzZa/P89aGzvORfMAeePRU
-J+gesdnj8VwqJSfD1ohDTSp7nBXdM4nEEB5/7aA1PMc
-> ssh-ed25519 zNC8SA z47u0fUlGVYiQr4/S0lLh6WEj7gyedjWsq4fUk5Z1CY
-6qR4zdA1gQqpAcm5Q5AZJgn3ZnafXL4OeHfU4WJae40
-> ssh-ed25519 EiAAKw 8mPi6HaHW+oFZHZ0Y2fJ2XISgarW3i/yLKD2QJleFGs
-Mch7D28T9eiJm8hmSuI7Wm/rjjT+EzzER9vQ7T6rA3k
-> ssh-rsa eFi+Zw
-d3mwAM+p4yz/UK5g4+0WyeOPyEVHQEyzGSB+pPDf6IIXxGbh613h1WD5j3AQQXdH
-178Es9PhkiZcy0Y0IsQt4dyqDzuqMMwzLLvLKgsfliFsPBcdo93V5r9rWtFi3+9S
-jAfhsFzVUj3KhuBY+xsgBtHpLe5CVV52NnEzXkoJw1wbdunNi62QZvyyC+0NixFV
-HW1lxan6g6XXPrXWWrLbZWvpuqvPV6DoLsofzkMm0nd1DhkeHRU1WU8ucnPaETrJ
-E5G3YrlfhftwRzp/QzeoSFREmdAJca7ycIJaJuG8QIszTZLOOQBUAxg7sonATGUc
-Zutg1lJEfaQSe8oG1iMrJlshGspuSmBc1Ki4iQJjhQnYzvkV+Th9trG3QGq5ur9O
-RYCxqjMMzbp6kR2GdJorSM7P5fpzt0sSv2mxd+nQpMoyvOVfbBjmEbiuWrKSlIl0
-tXYrI6723mRNsbtmodUdDttaDFnr2r0MWbpHPn/K6y422GEoAiKE96Z7Pcxo2+Ml
-
--- ILGiZiEBKY+7nych4vWMVWgiFNhF3eP7mtCvJ/JImxM
-jFÍ%aë;¸8Œõl�Ë�Ô é‚YÊ×ö…›�´töÐ:Â÷ì®û¦#í õÞ(¹ðÂV°;ê[Ç`üØë:tžS#ˆ
-@²ãÒk7²àFž¿ÓEn®†!ÉlÈ¥ÛšŽÃ�7°!•Òï‡êY3:+mzÕÒÈö
@@ -10,7 +10,6 @@ let
 in
 {
  "ntfy.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
-  "authentik.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;

  # tsig-keygen etc.sub.domain.tld.
  "dns/tuxcord.net/tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
@@ -23,67 +23,6 @@
        "type": "github"
      }
    },
-    "authentik-go": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1771856219,
-        "narHash": "sha256-zTEmvxe+BpfWYvAl675PnhXCH4jV4GUTFb1MrQ1Eyno=",
-        "owner": "goauthentik",
-        "repo": "client-go",
-        "rev": "4c1444ee54d945fbcc5ae107b4f191ca0352023d",
-        "type": "github"
-      },
-      "original": {
-        "owner": "goauthentik",
-        "repo": "client-go",
-        "type": "github"
-      }
-    },
-    "authentik-nix": {
-      "inputs": {
-        "authentik-go": "authentik-go",
-        "authentik-src": "authentik-src",
-        "flake-compat": "flake-compat",
-        "flake-parts": "flake-parts",
-        "flake-utils": "flake-utils",
-        "napalm": "napalm",
-        "nixpkgs": "nixpkgs",
-        "pyproject-build-systems": "pyproject-build-systems",
-        "pyproject-nix": "pyproject-nix",
-        "systems": "systems_2",
-        "uv2nix": "uv2nix"
-      },
-      "locked": {
-        "lastModified": 1776085803,
-        "narHash": "sha256-JvvWVbXJYSY8qOReMbAOD4lxcN2cjKV6lg/jLz8CEuY=",
-        "owner": "nix-community",
-        "repo": "authentik-nix",
-        "rev": "4370b561c8bafb59773ce3a518506bcf1161dbdb",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "authentik-nix",
-        "type": "github"
-      }
-    },
-    "authentik-src": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1775573258,
-        "narHash": "sha256-Xq7JGI/8ppIydIuWd9KRJKUrh7UpeniwvZ4NAtXbYJ4=",
-        "owner": "goauthentik",
-        "repo": "authentik",
-        "rev": "5249546862986202b901c2afd860992ec48c6ef6",
-        "type": "github"
-      },
-      "original": {
-        "owner": "goauthentik",
-        "ref": "version/2026.2.2",
-        "repo": "authentik",
-        "type": "github"
-      }
-    },
    "darwin": {
      "inputs": {
        "nixpkgs": [
@@ -107,7 +46,6 @@
      }
    },
    "flake-compat": {
-      "flake": false,
      "locked": {
        "lastModified": 1767039857,
        "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
@@ -123,21 +61,6 @@
      }
    },
    "flake-compat_2": {
-      "locked": {
-        "lastModified": 1767039857,
-        "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
-    "flake-compat_3": {
      "flake": false,
      "locked": {
        "lastModified": 1767039857,
@@ -157,24 +80,6 @@
      "inputs": {
        "nixpkgs-lib": "nixpkgs-lib"
      },
-      "locked": {
-        "lastModified": 1769996383,
-        "narHash": "sha256-AnYjnFWgS49RlqX7LrC4uA+sCCDBj0Ry/WOJ5XWAsa0=",
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "rev": "57928607ea566b5db3ad13af0e57e921e6b12381",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "type": "github"
-      }
-    },
-    "flake-parts_2": {
-      "inputs": {
-        "nixpkgs-lib": "nixpkgs-lib_2"
-      },
      "locked": {
        "lastModified": 1777678872,
        "narHash": "sha256-EPIFsulyon7Z1vLQq5Fk64GR8L7cQsT+IPhcsukVbgk=",
@@ -189,27 +94,6 @@
        "type": "github"
      }
    },
-    "flake-utils": {
-      "inputs": {
-        "systems": [
-          "authentik-nix",
-          "systems"
-        ]
-      },
-      "locked": {
-        "lastModified": 1731533236,
-        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
    "git-hooks-nix": {
      "inputs": {
        "flake-compat": [
@@ -304,35 +188,9 @@
        "type": "github"
      }
    },
-    "napalm": {
-      "inputs": {
-        "flake-utils": [
-          "authentik-nix",
-          "flake-utils"
-        ],
-        "nixpkgs": [
-          "authentik-nix",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1725806412,
-        "narHash": "sha256-lGZjkjds0p924QEhm/r0BhAxbHBJE1xMOldB/HmQH04=",
-        "owner": "willibutz",
-        "repo": "napalm",
-        "rev": "b492440d9e64ae20736d3bec5c7715ffcbde83f5",
-        "type": "github"
-      },
-      "original": {
-        "owner": "willibutz",
-        "ref": "avoid-foldl-stack-overflow",
-        "repo": "napalm",
-        "type": "github"
-      }
-    },
    "nix-alien": {
      "inputs": {
-        "flake-compat": "flake-compat_2",
+        "flake-compat": "flake-compat",
        "nix-index-database": [
          "nix-index-database"
        ],
@@ -376,12 +234,12 @@
    },
    "nix-super": {
      "inputs": {
-        "flake-compat": "flake-compat_3",
+        "flake-compat": "flake-compat_2",
        "flake-parts": [
          "flake-parts"
        ],
        "git-hooks-nix": "git-hooks-nix",
-        "nixpkgs": "nixpkgs_2",
+        "nixpkgs": "nixpkgs",
        "nixpkgs-23-11": "nixpkgs-23-11",
        "nixpkgs-regression": "nixpkgs-regression"
      },
@@ -401,18 +259,15 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1771848320,
-        "narHash": "sha256-0MAd+0mun3K/Ns8JATeHT1sX28faLII5hVLq0L3BdZU=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "2fc6539b481e1d2569f25f8799236694180c0993",
-        "type": "github"
+        "lastModified": 1771903837,
+        "narHash": "sha256-jEA8WggGKtMFeNeCKq3NK8cLEjJmG6/RLUElYYbBZ0E=",
+        "rev": "e764fc9a405871f1f6ca3d1394fb422e0a0c3951",
+        "type": "tarball",
+        "url": "https://releases.nixos.org/nixos/25.11/nixos-25.11.6495.e764fc9a4058/nixexprs.tar.xz"
      },
      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
+        "type": "tarball",
+        "url": "https://channels.nixos.org/nixos-25.11/nixexprs.tar.xz"
      }
    },
    "nixpkgs-23-11": {
@@ -432,21 +287,6 @@
      }
    },
    "nixpkgs-lib": {
-      "locked": {
-        "lastModified": 1769909678,
-        "narHash": "sha256-cBEymOf4/o3FD5AZnzC3J9hLbiZ+QDT/KDuyHXVJOpM=",
-        "owner": "nix-community",
-        "repo": "nixpkgs.lib",
-        "rev": "72716169fe93074c333e8d0173151350670b824c",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "nixpkgs.lib",
-        "type": "github"
-      }
-    },
-    "nixpkgs-lib_2": {
      "locked": {
        "lastModified": 1777168982,
        "narHash": "sha256-GOkGPcboWE9BmGCRMLX3worL4EMnsnG8MyKmXNeYuhQ=",
@@ -478,19 +318,6 @@
      }
    },
    "nixpkgs_2": {
-      "locked": {
-        "lastModified": 1771903837,
-        "narHash": "sha256-jEA8WggGKtMFeNeCKq3NK8cLEjJmG6/RLUElYYbBZ0E=",
-        "rev": "e764fc9a405871f1f6ca3d1394fb422e0a0c3951",
-        "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/25.11/nixos-25.11.6495.e764fc9a4058/nixexprs.tar.xz"
-      },
-      "original": {
-        "type": "tarball",
-        "url": "https://channels.nixos.org/nixos-25.11/nixexprs.tar.xz"
-      }
-    },
-    "nixpkgs_3": {
      "locked": {
        "lastModified": 1777428379,
        "narHash": "sha256-ypxFOeDz+CqADEQNL72haqGjvZQdBR5Vc7pyx2JDttI=",
@@ -506,66 +333,15 @@
        "type": "github"
      }
    },
-    "pyproject-build-systems": {
-      "inputs": {
-        "nixpkgs": [
-          "authentik-nix",
-          "nixpkgs"
-        ],
-        "pyproject-nix": [
-          "authentik-nix",
-          "pyproject-nix"
-        ],
-        "uv2nix": [
-          "authentik-nix",
-          "uv2nix"
-        ]
-      },
-      "locked": {
-        "lastModified": 1771423342,
-        "narHash": "sha256-7uXPiWB0YQ4HNaAqRvVndYL34FEp1ZTwVQHgZmyMtC8=",
-        "owner": "pyproject-nix",
-        "repo": "build-system-pkgs",
-        "rev": "04e9c186e01f0830dad3739088070e4c551191a4",
-        "type": "github"
-      },
-      "original": {
-        "owner": "pyproject-nix",
-        "repo": "build-system-pkgs",
-        "type": "github"
-      }
-    },
-    "pyproject-nix": {
-      "inputs": {
-        "nixpkgs": [
-          "authentik-nix",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1771518446,
-        "narHash": "sha256-nFJSfD89vWTu92KyuJWDoTQJuoDuddkJV3TlOl1cOic=",
-        "owner": "pyproject-nix",
-        "repo": "pyproject.nix",
-        "rev": "eb204c6b3335698dec6c7fc1da0ebc3c6df05937",
-        "type": "github"
-      },
-      "original": {
-        "owner": "pyproject-nix",
-        "repo": "pyproject.nix",
-        "type": "github"
-      }
-    },
    "root": {
      "inputs": {
        "agenix": "agenix",
-        "authentik-nix": "authentik-nix",
-        "flake-parts": "flake-parts_2",
+        "flake-parts": "flake-parts",
        "impermanence": "impermanence",
        "nix-alien": "nix-alien",
        "nix-index-database": "nix-index-database",
        "nix-super": "nix-super",
-        "nixpkgs": "nixpkgs_3"
+        "nixpkgs": "nixpkgs_2"
      }
    },
    "systems": {
@@ -582,46 +358,6 @@
        "repo": "default",
        "type": "github"
      }
-    },
-    "systems_2": {
-      "locked": {
-        "lastModified": 1689347949,
-        "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
-        "owner": "nix-systems",
-        "repo": "default-linux",
-        "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default-linux",
-        "type": "github"
-      }
-    },
-    "uv2nix": {
-      "inputs": {
-        "nixpkgs": [
-          "authentik-nix",
-          "nixpkgs"
-        ],
-        "pyproject-nix": [
-          "authentik-nix",
-          "pyproject-nix"
-        ]
-      },
-      "locked": {
-        "lastModified": 1772187362,
-        "narHash": "sha256-gCojeIlQ/rfWMe3adif3akyHsT95wiMkLURpxTeqmPc=",
-        "owner": "pyproject-nix",
-        "repo": "uv2nix",
-        "rev": "abe65de114300de41614002fe9dce2152ac2ac23",
-        "type": "github"
-      },
-      "original": {
-        "owner": "pyproject-nix",
-        "repo": "uv2nix",
-        "type": "github"
-      }
    }
  },
  "root": "root",
@@ -31,13 +31,6 @@
      url = "github:privatevoid-net/nix-super";
      inputs.flake-parts.follows = "flake-parts";
    };
-
-    authentik-nix = {
-      url = "github:nix-community/authentik-nix";
-
-      # inputs.nixpkgs.follows = "nixpkgs"
-      # inputs.flake-parts.follows = "flake-parts"
-    };
  };

  outputs =
@@ -1,11 +1,11 @@
 rec {
-  toList = x: if builtins.isList x then x else [ x ];
-
-  nameValuePair = name: value: { inherit name value; };
+  attrsToList = mapAttrsToList nameValuePair;

  mapAttrsToList = f: attrs: builtins.attrValues (builtins.mapAttrs f attrs);

-  attrsToList = mapAttrsToList nameValuePair;
+  nameValuePair = name: value: { inherit name value; };
+
+  toList = x: if builtins.isList x then x else [ x ];

  getSSHKeys =
    username:
@@ -18,7 +18,6 @@ in
    agenix.nixosModules.default
    impermanence.nixosModules.default
    nix-index-database.nixosModules.nix-index
-    authentik-nix.nixosModules.default

    ./hardware.nix
    ./impermanence.nix
@@ -100,7 +99,7 @@ in

    extraHosts =
      let
-        subdomains = [ "git" "auth" ];
+        subdomains = [ "git" ];

        inherit (config.networking) fqdn;
        hosts = [ fqdn ] ++ map (sub: "${sub}.${fqdn}") subdomains;
@@ -15,10 +15,7 @@
      "xhci_pci"
    ];

-    kernelModules = [
-      "kvm-amd"
-      "kvm-intel"
-    ];
+    kernelModules = [ "kvm-intel" ];
  };

  hardware = {
@@ -1,17 +0,0 @@
-{ config, self, ... }:
-let
-  inherit (config.networking) fqdn;
-in
-{
-  age.secrets.authentik.file = "${self}/agenix/authentik.age";
-
-  services.authentik = {
-    enable = true;
-    environmentFile = config.age.secrets.authentik.path; # just trust, this specifies port 3001
-    # nginx = {
-    #   enable = true;
-    #   enableACME = true;
-    #   host = "auth.${fqdn}";
-    # };
-  };
-}
@@ -1,7 +1,6 @@
 {
  imports = [
    ./acme.nix
-    ./authentik.nix
    ./dns.nix
    ./fail2ban.nix
    ./gitea.nix
@@ -3,20 +3,13 @@ let
  inherit (config.networking) fqdn;

  mkVhost =
-    attrs: locations:
+    attrs:
    let
      acmeEnabled = config.acme.enable;
    in
    {
      forceSSL = acmeEnabled;
      useACMEHost = if acmeEnabled then fqdn else null;
-
-      locations = {
-        "= /robots.txt" = {
-          alias = disallowedRobotsTxt;
-        };
-      }
-      // locations;
    }
    // attrs;

@@ -28,19 +21,6 @@ let
      proxy_request_buffering off;
    '';
  };
-
-  mkSsi = webRoot: {
-    root = webRoot;
-
-    extraConfig = ''
-      ssi on;
-    '';
-  };
-
-  disallowedRobotsTxt = builtins.toFile "robots.txt" ''
-    User-agent: *
-    Disallow: /
-  '';
 in
 {
  services.nginx = {
@@ -52,19 +32,21 @@ in
    recommendedGzipSettings = true;
    recommendedOptimisation = true;

-    virtualHosts = {
-      "${fqdn}" = mkVhost { default = true; } {
-        "/" = mkSsi "${self.pins.website}/web-root";
-      };
+    virtualHosts."${fqdn}" = mkVhost {
+      default = true;

-      "git.${fqdn}" = mkVhost { } {
-        "/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;
-      };
+      locations."/" = {
+        root = "${self.pins.website}/web-root";

-      "auth.${fqdn}" = mkVhost { } {
-        "/" = mkProxy 3001;
+        extraConfig = ''
+          ssi on;
+        '';
      };
    };
+
+    virtualHosts."git.${fqdn}" = mkVhost {
+      locations."/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;
+    };
  };

  networking.firewall.allowedTCPPorts = [
@@ -45,21 +45,8 @@ lib.recursiveUpdate
    (lib.attrsToList users)
  ).options
  {
-    users = {
-      motd = ''
-                  __                                          __                      __
-        ---------/\ \__                                      /\ \                    /\ \__
-        ---------\ \ ,_\  __  __  __  _   ___    ___   _ __  \_\ \        ___      __\ \ ,_\
-        ----------\ \ \/ /\ \/\ \/\ \/'\ /'___\ / __`\/\`'__\/'_` \      /'_ `\  /'__`\ \ \/
-        -----------\ \ \_\ \ \_\ \/>  <//\ \__//\ \L\ \ \ \//\ \L\ \  __/\ \/\ \/\  __/\ \ \_
-        ------------\ \__\\ \____//\_/\_\ \____\ \____/\ \_\\ \___,_\/\_\ \_\ \_\ \____\\ \__\
-        -------------\/__/ \/___/ \//\/_/\/____/\/___/  \/_/ \/__,_ /\/_/\/_/\/_/\/____/ \/__/
-                                                    A friendly Linux community - est. July 2023
-      '';
-
-      users.root = {
-        initialPassword = "tuxcord";
-        openssh.authorizedKeys.keys = self.lib.adminSSHKeys;
-      };
+    users.users.root = {
+      initialPassword = "tuxcord";
+      openssh.authorizedKeys.keys = self.lib.adminSSHKeys;
    };
  }
Author	SHA1	Message	Date
ErrorNoInternet	0dd5e51f41	nixos/networking: fix extraHosts generation Check / Nix flake (push) Failing after 9s Details Lint / Nix expressions (push) Failing after 10s Details	2026-05-04 01:26:28 -04:00
ErrorNoInternet	06e685d0b1	npins: update website	2026-05-04 01:26:28 -04:00
ErrorNoInternet	20219d60d4	nixos/hosts: declare fileSystems for testing hosts	2026-05-04 01:26:28 -04:00
ErrorNoInternet	ee82325b6e	nixos/services/openssh: enable X11 forwarding	2026-05-04 01:26:28 -04:00
javalsai	b8bc3edbff	nixos/hosts: add autologin for testing hosts	2026-05-04 01:26:28 -04:00
javalsai	427a905799	nixos/services: add default website on nginx	2026-05-04 01:26:28 -04:00
javalsai	b597977b8a	nixos/services: disable nginx proxy buffering	2026-05-04 01:26:28 -04:00
ErrorNoInternet	16bcec48f8	nixos/impermanence: remove ssh host key persistence The SSH host key files are already defined in the OpenSSH module, so there is no need to persist them with impermanence.nix.	2026-05-04 01:26:28 -04:00
ErrorNoInternet	9c2bee177c	shells: remove neovim Some users may be using self-contained Neovim executables.	2026-05-04 01:26:27 -04:00
ErrorNoInternet	84199dd8eb	agenix: import initial user dns keys	2026-05-04 01:26:27 -04:00
ErrorNoInternet	1c502afbcd	treewide: create global user list	2026-05-04 01:26:27 -04:00