[hosts,flake] Fix DNS/Nginx, remove old services

flake.nix

@@ -79,7 +79,7 @@
   };
 
   nixConfig = {
-    extra-substituters = ["http://elysia-clarki:5000"];
+    extra-substituters = ["https://cache.home"];
   };
 
   outputs = {

hosts/cornu-aspersum.nix

@@ -60,7 +60,24 @@
     forwarders = ["100.100.100.100"];
     listenOn = ["any"];
     listenOnIpv6 = ["any"];
-    zones."home" = {
+    zones."home" = let
+      cornu-aspersum = {
+        v4 = "100.86.42.110";
+        v6 = "fd7a:115c:a1e0:ab12:4843:cd96:6256:2a6e";
+      };
+      elysia-clarki = {
+        v4 = "100.104.138.12";
+        v6 = "fd7a:115c:a1e0:ab12:4843:cd96:6268:8a0c";
+      };
+      faunus-ater = {
+        v4 = "100.108.135.4";
+        v6 = "fd7a:115c:a1e0:ab12:4843:cd96:626c:8704";
+      };
+      point = domain: host: ''
+        ${domain} AAAA ${host.v6}
+        ${domain} A    ${host.v4}
+      '';
+    in {
       master = true;
       # TODO: Fix TTLs
       file = pkgs.writeText "home-zone" ''
@@ -72,17 +89,16 @@
                           1  ; Expire
                           1) ; Negative Cache TTL
         @            NS    home.
-        home.        AAAA  fd7a:115c:a1e0:ab12:4843:cd96:6256:2a6e
-        home.        A     100.86.42.110
-        foto         CNAME elysia-clarki.maltet.github.beta.tailscale.net.
-        mc           CNAME cornu-aspersum.maltet.github.beta.tailscale.net.
-        doc          CNAME faunus-ater.maltet.github.beta.tailscale.net.
-        sheet        CNAME faunus-ater.maltet.github.beta.tailscale.net.
-        media        CNAME faunus-ater.maltet.github.beta.tailscale.net.
-        file         CNAME faunus-ater.maltet.github.beta.tailscale.net.
-        stats        CNAME faunus-ater.maltet.github.beta.tailscale.net.
-        cache        CNAME faunus-ater.maltet.github.beta.tailscale.net.
-        hydra        CNAME faunus-ater.maltet.github.beta.tailscale.net.
+        ${point "home." cornu-aspersum}
+        ${point "foto" elysia-clarki}
+        ${point "mc" cornu-aspersum}
+        ${point "doc" faunus-ater}
+        ${point "sheet" faunus-ater}
+        ${point "media" faunus-ater}
+        ${point "file" faunus-ater}
+        ${point "stats" faunus-ater}
+        ${point "cache" faunus-ater}
+        ${point "hydra" faunus-ater}
       '';
     };
   };

hosts/elysia-clarki.nix

@@ -77,86 +77,6 @@ in {
     };
   };
 
-  # === Everything related to the binary cache and hydra ===
-  services.nix-serve = {
-    enable = true;
-    secretKeyFile = config.sops.secrets."nix-store-signing-key".path;
-  };
-  networking.firewall.interfaces.${config.services.tailscale.interfaceName}.allowedTCPPorts = [
-    config.services.nix-serve.port
-  ];
-
-  services.hydra = {
-    enable = true;
-    package = pkgs.hydra;
-    notificationSender = "hydra@home";
-    hydraURL = "hydra.home";
-    minimumDiskFree = 10;
-    useSubstitutes = true;
-  };
-  nix.buildMachines = [
-    {
-      hostName = "helix-texta";
-      maxJobs = 6;
-      speedFactor = 16;
-      sshKey = "/run/secrets/hydra-overseer-key";
-      sshUser = "hydra-minion";
-      supportedFeatures = ["kvm" "big-parallel"];
-      systems = ["x86_64-linux" "i686-linux"];
-    }
-    {
-      hostName = "murex-pecten";
-      maxJobs = 6;
-      speedFactor = 32;
-      sshKey = "/run/secrets/hydra-overseer-key";
-      sshUser = "hydra-minion";
-      supportedFeatures = ["kvm" "big-parallel"];
-      systems = ["x86_64-linux" "i686-linux"];
-    }
-  ];
-  # TODO: This doesn't seem to work
-  programs.ssh.extraConfig = ''
-    Host *
-      StrictHostKeyChecking accept-new
-  '';
-  nix.extraOptions = ''
-    allowed-uris = http:// https://
-  '';
-  # TODO: Move to hash based passwords!
-  systemd.services."hydra-initial-setup" = {
-    description = "Setup hydra admin password once";
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = true;
-      LoadCredential = "USER_PW:${config.sops.secrets."hydra-admin-password".path}";
-    };
-    wantedBy = lib.singleton "multi-user.target";
-    requires = lib.singleton "hydra-init.service";
-    after = lib.singleton "hydra-init.service";
-    environment = {
-      inherit (config.systemd.services.hydra-init.environment) HYDRA_DBI;
-    };
-    script = let
-      hydra-create-user = "${pkgs.hydra}/bin/hydra-create-user";
-    in ''
-      if [ ! -e ~hydra/.setup-is-complete ]; then
-        # create admin user
-        ${hydra-create-user} admin --full-name 'Admin Mc. Admining' --email-address 'admin@elysia-clarki' --password "$USER_PW" --role admin || exit 1
-        # done
-        touch ~hydra/.setup-is-complete
-      fi
-    '';
-  };
-  services.nginx.virtualHosts."hydra.home" = {
-    forceSSL = true;
-    sslTrustedCertificate = pkgs.writeText "ca.crt" (builtins.readFile ../secrets/ca.crt);
-    sslCertificateKey = sopsPath "nginx-cert-key";
-    sslCertificate = sopsPath "nginx-cert-crt";
-    locations."/" = {
-      proxyPass = "http://localhost:${builtins.toString config.services.hydra.port}";
-    };
-  };
-
   services.fwupd.enable = true;
 
   #### RUNTIME SECRETS ####
@@ -172,13 +92,6 @@ in {
     taskserver-ca-cert = taskserverSecretConfig;
     taskserver-server-key = taskserverSecretConfig;
     taskserver-server-crl = taskserverSecretConfig;
-    hydra-admin-password = {
-      owner = config.users.users.hydra.name;
-      mode = "0400";
-    };
-    nix-store-signing-key = {
-      mode = "0400";
-    };
     taskserver-server-cert = taskserverSecretConfig;
     photoprism-env = {};
     nginx-cert-key = {
@@ -189,10 +102,6 @@ in {
       owner = config.users.users.nginx.name;
       mode = "0400";
     };
-    hydra-overseer-key = {
-      owner = config.users.users.hydra-queue-runner.name;
-      mode = "0400";
-    };
   };
 
   # This value determines the NixOS release from which the default

hosts/faunus-ater.nix

@@ -17,6 +17,7 @@
 
   mkVirtHost = lib.attrsets.recursiveUpdate {
     addSSL = true;
+    listenAddresses = [vpnIPv4 "[${vpnIPv6}]"];
     sslTrustedCertificate = pkgs.writeText "ca.crt" (builtins.readFile ../secrets/ca.crt);
     sslCertificateKey = sopsPath "nginx-cert-key";
     sslCertificate = sopsPath "nginx-cert-crt";
@@ -230,10 +231,7 @@ in {
       PAPERLESS_CONSUMER_SUBDIRS_AS_TAGS = true;
     };
   };
-  services.nginx.virtualHosts."doc.home" = {
-    sslTrustedCertificate = pkgs.writeText "ca.crt" (builtins.readFile ../secrets/ca.crt);
-    sslCertificateKey = sopsPath "nginx-cert-key";
-    sslCertificate = sopsPath "nginx-cert-crt";
+  services.nginx.virtualHosts."doc.home" = mkVirtHost {
     locations."/" = {
       proxyPass = "http://[::1]:${builtins.toString config.services.paperless.port}";
       proxyWebsockets = true;

modules/grafana.nix

@@ -42,6 +42,7 @@ in {
       security.adminPasswordFile = cfg.grafana.adminPasswordFile;
       enable = true;
       domain = "stats.home";
+      port = 9387;
       addr = "[::1]";
       auth.anonymous.enable = true;
       extraOptions = {