commit 106b1b56be19b8496031260daf73108878e5e767
parent 1534f9c1fb250ba9d09c424fc25561d689cce169
Author: Katja (ctucx) <git@ctu.cx>
Date: Wed, 23 Apr 2025 19:51:49 +0200
parent 1534f9c1fb250ba9d09c424fc25561d689cce169
Author: Katja (ctucx) <git@ctu.cx>
Date: Wed, 23 Apr 2025 19:51:49 +0200
move stuff from `$stuff.ctu.cx` to `$stuff.infra.katja.wtf`
15 files changed, 49 insertions(+), 48 deletions(-)
diff --git a/configurations/common/syncthing.nix b/configurations/common/syncthing.nix
@@ -10,11 +10,11 @@ let
 iphone.id = "3SM3LJV-XMHYW2D-MU5WQ3T-KGYUJOI-LXOL6YI-BSVZ2B5-QJ6GVXN-MPWMKQ7"; #servers
- hector.name = "hector.ctu.cx";
+ hector.name = "hector.infra.katja.wtf";
 hector.id = "MVGBPSX-YSZNBDO-E7HZFGJ-WULYWQ5-XDHVMJO-BKA4R37-GPPRLLS-Z5DQMQJ";
- wanderduene.name = "wanderduene.ctu.cx";
+ wanderduene.name = "wanderduene.infra.katja.wtf";
 wanderduene.id = "WEFYARN-GY3WZXB-TIXBI56-ZZ77AHS-GFH5SH2-Q35NTBI-VPT3OEM-EQNAMQH";
- briefkasten.name = "briefkasten.home.ctu.cx";
+ briefkasten.name = "briefkasten.infra.katja.wtf";
 briefkasten.id = "QI2EPUE-4VMZ3XV-LXX3GXP-RHCWTRY-AACLSGL-YG7MIYV-THST74N-KJGIBQ6";
 };
diff --git a/configurations/nixos/configure/smarthome/influxdb2.nix b/configurations/nixos/configure/smarthome/influxdb2.nix
@@ -2,7 +2,7 @@
 {
- dns.zones."ctu.cx".subdomains."influx.home".AAAA = [ node.ip6Address ];
+ dns.zones."katja.wtf".subdomains."influx.home.infra".AAAA = [ node.ip6Address ];
 age.secrets.resticInfluxDB.file = secrets."${config.networking.hostName}".restic.influxdb;
 age.secrets.influxBackupEnv.file = secrets."${config.networking.hostName}".influx.backupEnv;
diff --git a/configurations/nixos/configure/smarthome/mqtt-webui/default.nix b/configurations/nixos/configure/smarthome/mqtt-webui/default.nix
@@ -2,7 +2,7 @@
 {
- dns.zones."ctu.cx".subdomains."smart.home".AAAA = [ node.ip6Address ];
+ dns.zones."katja.wtf".subdomains."smart.home.infra".AAAA = [ node.ip6Address ];
 services.nginx = {
 enable = true;
diff --git a/configurations/nixos/configure/smarthome/zigbee2mqtt.nix b/configurations/nixos/configure/smarthome/zigbee2mqtt.nix
@@ -2,7 +2,7 @@
 {
- dns.zones."ctu.cx".subdomains."zigbee2mqtt.home".AAAA = [ node.ip6Address ];
+ dns.zones."katja.wtf".subdomains."zigbee2mqtt.home.infra".AAAA = [ node.ip6Address ];
 age.secrets."zigbee2mqttSecrets.yaml" = {
 file = secrets."${config.networking.hostName}".zigbee2mqtt.secrets;
diff --git a/configurations/nixos/default.nix b/configurations/nixos/default.nix
@@ -54,7 +54,7 @@ in {
 useDHCP = lib.mkDefault false;
 hostName = lib.mkDefault nodeName;
- domain = lib.mkDefault "ctu.cx";
+ domain = lib.mkDefault "infra.katja.wtf";
 nftables.enable = lib.mkDefault true;
 firewall.enable = lib.mkDefault true;
@@ -210,9 +210,9 @@ in {
 keyType = "ec384";
 dnsProvider = "rfc2136";
 environmentFile = pkgs.writeText "acme-dns-env" ''
- RFC2136_NAMESERVER=ns1.ctu.cx
+ RFC2136_NAMESERVER=rabbit.infra.katja.wtf
 RFC2136_TSIG_KEY=acme-nix-${config.networking.hostName}
- RFC2136_TSIG_ALGORITHM=hmac-sha384.
+ RFC2136_TSIG_ALGORITHM=hmac-sha384
 '';
 credentialFiles = {
 RFC2136_TSIG_SECRET_FILE = config.age.secrets.acmeTSIGKey.path;
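Review bot: `RFC2136_TSIG_ALGORITHM=hmac-sha384` drops the trailing dot the removed line carried; the TSIG algorithm identifiers in miekg/dns are FQDN-style (`hmac-sha384.`), and whether lego's rfc2136 provider normalizes a dotless value depends on the lego version shipped, so run one renewal against `rabbit.infra.katja.wtf` before `ns1.ctu.cx` stops answering updates. `RFC2136_NAMESERVER` is given without a port; lego falls back to 53 in that case, which a comment such as `# port 53 is assumed when none is given` next to the environment file would make explicit. The `security.acme` block these lines belong to starts and ends outside the hunk.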
diff --git a/configurations/nixos/services/ca/templates/client-auth.tpl b/configurations/nixos/services/ca/templates/client-auth.tpl
@@ -7,5 +7,5 @@
 "keyUsage": ["digitalSignature"],
 {{- end }}
 "extKeyUsage": ["clientAuth"],
- "crlDistributionPoints": ["http://ca.ctu.cx/1.0/crl"]
+ "crlDistributionPoints": ["http://ca.infra.katja.wtf/1.0/crl"]
 }
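Review bot: Certificates this CA has already issued embed the old distribution point `http://ca.ctu.cx/1.0/crl` in their CRLDP extension, and changing the template does not touch them; if the old name stops serving the CRL, relying parties that hard-fail on an unreachable CRL will reject those certificates until they are reissued. Keep `ca.ctu.cx` answering (or redirecting) for the CRL path until the longest-lived existing certificate has expired; the same applies to the identical change in server-auth.tpl in the next hunk. Plain `http://` is the right scheme for a distribution point — the CRL is signed, and fetching it over TLS would make revocation checking depend on itself.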
diff --git a/configurations/nixos/services/ca/templates/server-auth.tpl b/configurations/nixos/services/ca/templates/server-auth.tpl
@@ -7,5 +7,5 @@
 "keyUsage": ["digitalSignature"],
 {{- end }}
 "extKeyUsage": ["clientAuth", "serverAuth"],
- "crlDistributionPoints": ["http://ca.ctu.cx/1.0/crl"]
+ "crlDistributionPoints": ["http://ca.infra.katja.wtf/1.0/crl"]
 }
diff --git a/configurations/nixos/services/dns-server.nix b/configurations/nixos/services/dns-server.nix @@ -1,7 +1,7 @@ { inputs, node, secrets, config, dnsNix, ctucxLib, lib, pkgs, ...}: let - acmeZone = "acme.ctu.cx"; + acmeZone = "acme.infra.katja.wtf"; generateACMERecord = recordName: ( (builtins.hashString "sha1" recordName) + ".${acmeZone}." @@ -65,9 +65,9 @@ in { age = "-"; argument = ctucxLib.toBase64 ( dnsNix.toString acmeZone (with dnsNix.combinators; { - NS = [ "ns1.ctu.cx." "ns2.ctu.cx." ]; + NS = [ "rabbit.infra.katja.wtf." "wanderduene.infra.katja.wtf." ]; SOA = { - nameServer = "ns1.ctu.cx."; + nameServer = "rabbit.infra.katja.wtf."; adminEmail = "dns@ctu.cx"; # Email address with a real `@`! serial = 0; }; @@ -75,16 +75,16 @@ in { ); }; - "${config.dns.dataDir}/extraZones/ddns.ctu.cx.zone"."f~" = { + "${config.dns.dataDir}/extraZones/ddns.infra.katja.wtf.zone"."f~" = { group = "knot"; user = "knot"; mode = "770"; age = "-"; argument = ctucxLib.toBase64 ( - dnsNix.toString "ddns.ctu.cx" (with dnsNix.combinators; { - NS = [ "ns1.ctu.cx." "ns2.ctu.cx." ]; + dnsNix.toString "ddns.infra.katja.wtf" (with dnsNix.combinators; { + NS = [ "rabbit.infra.katja.wtf." "wanderduene.infra.katja.wtf." ]; SOA = { - nameServer = "ns1.ctu.cx."; + nameServer = "rabbit.infra.katja.wtf."; adminEmail = "dns@ctu.cx"; # Email address with a real `@`! serial = 0; }; @@ -112,9 +112,9 @@ in { |> lib.mapAttrsToList (hostName: _: "acme-nix-${hostName}") ); }; - "ddns.ctu.cx" = { + "ddns.infra.katja.wtf" = { storage = "${config.dns.dataDir}/extraZones"; - file = "ddns.ctu.cx.zone"; + file = "ddns.infra.katja.wtf.zone"; zonefile-sync = 0; zonefile-load = "difference-no-serial"; 
@@ -143,15 +143,15 @@ in { action = "update"; update-owner = "name"; update-owner-match = "equal"; - update-owner-name = [ "seifenkiste.ddns.ctu.cx." ]; + update-owner-name = [ "seifenkiste.ddns.infra.katja.wtf." ]; }; }); allZones = with dnsNix.combinators; let CAA = [ { issuerCritical = false; tag = "issue"; value = "letsencrypt.org"; } ]; - NS = [ "ns1.ctu.cx." "ns2.ctu.cx." ]; + NS = [ "rabbit.infra.katja.wtf." "wanderduene.infra.katja.wtf." ]; SOA = { - nameServer = "ns1.ctu.cx."; + nameServer = "rabbit.infra.katja.wtf."; adminEmail = "dns@ctu.cx"; # Email address with a real `@`! serial = 0; }; @@ -170,8 +170,6 @@ in { inputs.self.nodes.wanderduene.ip6Address ); - "acme".NS = [ "ns1" "ns2" ]; - "ddns".NS = [ "ns1" "ns2" ]; _atproto.TXT = [ "did=did:plc:zaeuok3fmh2pcp4cjiicku4i" ]; } // (generateACMERecordsPerZone "ctu.cx"); @@ -192,7 +190,10 @@ in { "katja.wtf" = { inherit SOA NS CAA; - subdomains = generateACMERecordsPerZone "katja.wtf"; + subdomains = { + "acme.infra".NS = [ "rabbit.infra.katja.wtf." "wanderduene.infra.katja.wtf." ]; + "ddns.infra".NS = [ "rabbit.infra.katja.wtf." "wanderduene.infra.katja.wtf." ]; + }// generateACMERecordsPerZone "katja.wtf"; }; "ctucx.de" = {
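Review bot: The two new delegation entries `"acme.infra".NS` and `"ddns.infra".NS` spell out the `[ "rabbit.infra.katja.wtf." "wanderduene.infra.katja.wtf." ]` list that the `let` in the preceding hunk already binds as `NS` (the zone itself takes it via `inherit SOA NS CAA`); `"acme.infra" = { inherit NS; };` and `"ddns.infra" = { inherit NS; };` would keep the nameserver set single-sourced, and the four literal copies in the acme and ddns zone blocks of the earlier hunks in this file could reuse the same binding. Separately, `ddns.infra.katja.wtf` starts from a fresh zone file with `serial = 0`, so records that dynamic updates previously wrote into `ddns.ctu.cx.zone` are not carried over and that old file remains in `extraZones` — presumably the ddns client re-registers on its next update and the old file can be removed, but confirm. `}// generateACMERecordsPerZone` wants a space before `//` to match the surrounding style.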
diff --git a/configurations/nixos/services/restic-server.nix b/configurations/nixos/services/restic-server.nix
@@ -7,7 +7,7 @@
 owner = "nginx";
 };
- dns.zones."ctu.cx".subdomains."restic.${config.networking.hostName}".CNAME = [ "${config.networking.fqdn}." ];
+ dns.zones."katja.wtf".subdomains."restic.${config.networking.hostName}.infra".CNAME = [ "${config.networking.fqdn}." ];
 systemd.services.restic-rest-server.onFailure = [ "ntfysh-notify-failure@%i.service" ];
diff --git a/configurations/nixos/websites/grafana.ctu.cx/default.nix b/configurations/nixos/websites/grafana.ctu.cx/default.nix
@@ -2,20 +2,20 @@
 {
+ dns.zones."katja.wtf".subdomains."grafana.infra".CNAME = [ "${config.networking.fqdn}." ];
+
 age.secrets.grafanaInfluxTokenMqttData = {
 file = secrets.briefkasten.influx.grafanaTokenMqttData;
 owner = "grafana";
 };
- dns.zones."ctu.cx".subdomains.grafana.CNAME = [ "${config.networking.fqdn}." ];
-
 systemd.services.grafana.onFailure = [ "ntfysh-notify-failure@%i.service" ];
 services.grafana = {
 enable = true;
 settings = {
 server = {
- domain = "grafana.ctu.cx";
+ domain = "grafana.infra.katja.wtf";
 root_url = "https://${config.services.grafana.settings.server.domain}/";
 http_addr = "::1";
 http_port = 3001;
@@ -47,7 +47,7 @@
 { name = "InfluxDB (mqttData)";
 type = "influxdb";
- url = "https://influx.home.ctu.cx";
+ url = "https://influx.home.infra.katja.wtf";
 orgId = 1;
 database = "mqttData";
 editable = false;
diff --git a/configurations/nixos/websites/ip.ctu.cx.nix b/configurations/nixos/websites/ip.ctu.cx.nix @@ -6,7 +6,7 @@ dns.zones."ctu.cx".subdomains."ip4".A = [ node.ip4Address ]; dns.zones."ctu.cx".subdomains."ip6".AAAA = [ node.ip6Address ]; - services.nginx.virtualHosts."ip.${config.networking.domain}" = { + services.nginx.virtualHosts."ip.ctu.cx" = { useACMEHost = "${config.networking.fqdn}"; forceSSL = true; kTLS = true; @@ -16,22 +16,22 @@ <!DOCTYPE html> <html> <head> - <title>ip.${config.networking.domain}</title> + <title>ip.ctu.cx</title> </head> <body> - <h1>ip.${config.networking.domain}</h1> + <h1>ip.ctu.cx</h1> <ul> <li><span style="user-select: none;"><b>IPv6:</b> </span><span id="ip6">Loading...</span></li> <li><span style="user-select: none;"><b>IPv4:</b> </span><span id="ip4">Loading...</span></li> </ul> - <p>Use bash and curl: <code>curl ip{4,6}.${config.networking.domain}</code></p> + <p>Use bash and curl: <code>curl ip{4,6}.ctu.cx</code></p> <p><small>Because any other "Whats my IP?"-tool sucks. <a href="https://git.clerie.de/clerie/ip.clerie.de">Host yourself :3</a></small></p> <script> window.addEventListener("DOMContentLoaded", (event) => { [ "ip6", "ip4" ].forEach(async (ipVersion) => { try { - const url = "https://" + ipVersion + ".${config.networking.domain}/"; + const url = "https://" + ipVersion + ".ctu.cx/"; const response = await fetch(url + ((/\?/).test(url) ? "&" : "?") + (new Date()).getTime()); if(response.status != 200) { document.getElementById(ipVersion).innerText = "Error!"; @@ -50,7 +50,7 @@ }; }; - services.nginx.virtualHosts."ip4.${config.networking.domain}" = { + services.nginx.virtualHosts."ip4.ctu.cx" = { useACMEHost = "${config.networking.fqdn}"; forceSSL = true; kTLS = true; @@ -63,7 +63,7 @@ }; }; - services.nginx.virtualHosts."ip6.${config.networking.domain}" = { + services.nginx.virtualHosts."ip6.ctu.cx" = { useACMEHost = "${config.networking.fqdn}"; forceSSL = true; kTLS = true;
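Review bot: The three virtual host names, the `<title>`, the `<h1>`, the `curl` hint and the fetch URL now carry `ctu.cx` as separate literals where a single `config.networking.domain` reference stood before; a `let domain = "ctu.cx"; in` at the top of the file with `"ip.${domain}"`, `"ip4.${domain}"` and so on keeps the site pinned to its public name while leaving one place to change it. All three hosts keep `useACMEHost = "${config.networking.fqdn}"`, and with the default domain moving to `infra.katja.wtf` in configurations/nixos/default.nix that certificate has to list `ip.ctu.cx`, `ip4.ctu.cx` and `ip6.ctu.cx` as extra names — that is configured outside this file, so confirm it before the old names stop being covered. The enclosing `virtualHosts` attribute sets begin and end outside the individual hunks.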
diff --git a/modules/nixos/dns.nix b/modules/nixos/dns.nix
@@ -116,6 +116,7 @@ in {
 primaryAddresses = dnsServerAddresses true;
 secondaryAddresses = dnsServerAddresses false;
 secondaries = dnsServerSecondaries;
+
 in {
 enable = true;
 keyFiles = lib.mkIf (cfg.keyFiles != []) cfg.keyFiles;
@@ -125,6 +126,7 @@ in {
 server.listen = [
 (lib.mkIf (node.ip6Address != "") "${node.ip6Address}@53")
 (lib.mkIf (node.ip4Address != "") "${node.ip4Address}@53")
+ "::1@53"
 ];
 mod-rrl.default.rate-limit = 200;
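Review bot: `"::1@53"` is appended unconditionally while the two address listeners beside it are `lib.mkIf`-guarded; knot will fail to bind on any node where something else (a local stub resolver, for instance) already owns `[::1]:53`, so confirm no node in this repository runs one. The commit message does not say why the loopback listener is needed, so a one-line comment such as `# loopback listener for clients on this host` above the new entry would record the intent for the next reader. The first hunk in this file adds only a blank line and needs nothing.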
diff --git a/modules/nixos/restic-backups.nix b/modules/nixos/restic-backups.nix
@@ -44,7 +44,7 @@ let
 targets = mkOption {
 type = with types; listOf str;
- default = [ "wanderduene.ctu.cx" "briefkasten.ctu.cx" ];
+ default = [ "wanderduene.infra.katja.wtf" "briefkasten.infra.katja.wtf" ];
 };
 timerConfig = mkOption {
@@ -99,12 +99,12 @@ in {
 cp ${backup.passwordFile} /tmp/passwordFile;
- ${if builtins.elem "briefkasten.ctu.cx" backup.targets then ''
- cp /run/agenix/resticServerBriefkasten /tmp/briefkasten.ctu.cx;
+ ${if builtins.elem "briefkasten.infra.katja.wtf" backup.targets then ''
+ cp /run/agenix/resticServerBriefkasten /tmp/briefkasten.infra.katja.wtf;
 '' else "" }
- ${if builtins.elem "wanderduene.ctu.cx" backup.targets then ''
- cp /run/agenix/resticServerWanderduene /tmp/wanderduene.ctu.cx;
+ ${if builtins.elem "wanderduene.infra.katja.wtf" backup.targets then ''
+ cp /run/agenix/resticServerWanderduene /tmp/wanderduene.infra.katja.wtf;
 '' else "" }
 chown -R ${backup.user} /tmp
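Review bot: The rewritten `cp` lines still copy the restic server credentials into `/tmp/<target>` and the block ends with `chown -R ${backup.user} /tmp`; that is only safe if the unit runs with `PrivateTmp=true`, which is set outside this hunk — confirm it, and a comment on the `cp` lines stating the assumption (`# relies on PrivateTmp: /tmp is this unit's private mount`) would stop the next reader from having to check. Separately, the two target hostnames now appear three times as literals (the `default` in the first hunk and the two `builtins.elem` checks); a single attribute set mapping target to agenix secret, e.g. `targetSecrets = { "briefkasten.infra.katja.wtf" = "resticServerBriefkasten"; "wanderduene.infra.katja.wtf" = "resticServerWanderduene"; }`, iterated with `lib.concatMapStrings` over `backup.targets`, would confine the next rename to one place. The shell string and the enclosing module start and end outside the hunk.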
diff --git a/nodes/briefkasten/default.nix b/nodes/briefkasten/default.nix
@@ -48,10 +48,8 @@
 age.secrets.resticServerBriefkasten.file = secrets.allNodes.resticServer.briefkasten;
 age.secrets.resticServerWanderduene.file = secrets.allNodes.resticServer.wanderduene;
- dns.zones."ctu.cx".subdomains = {
- briefkasten.AAAA = [ node.ip6Address ];
- home.AAAA = [ node.ip6Address ];
- "briefkasten.home".AAAA = [ node.ip6Address ];
+ dns.zones."katja.wtf".subdomains = {
+ "home.infra".AAAA = [ node.ip6Address ];
 };
 boot = {
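Review bot: `briefkasten.infra.katja.wtf`, which syncthing.nix and restic-backups.nix in this same commit start using as the host's address, gets no AAAA record here: the old `briefkasten` and `briefkasten.home` entries are dropped and only `home.infra` is added under `katja.wtf`. Unless a per-node `<hostName>.infra.katja.wtf` record is generated elsewhere (not visible in this diff), both peers lose their target; if it is generated elsewhere, a comment on this block such as `# the host record for briefkasten.infra.katja.wtf is generated in <location>` (location filled in) would spare the next reader the search.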
diff --git a/nodes/wanderduene/rclone-restic-server.nix b/nodes/wanderduene/rclone-restic-server.nix
@@ -2,7 +2,7 @@
 {
- dns.zones."ctu.cx".subdomains."restic.${config.networking.hostName}".CNAME = [ "${config.networking.hostName}.ctu.cx." ];
+ dns.zones."katja.wtf".subdomains."restic.${config.networking.hostName}.infra".CNAME = [ "${config.networking.hostName}.infra.katja.wtf." ];
 users.groups.rclone-restic-server = {};
 users.users.rclone-restic-server = {
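Review bot: The CNAME target `"${config.networking.hostName}.infra.katja.wtf."` hard-codes the domain, whereas the sibling record in configurations/nixos/services/restic-server.nix earlier in this commit uses `"${config.networking.fqdn}."`, which follows `networking.domain` (now defaulting to `infra.katja.wtf` in configurations/nixos/default.nix); writing `CNAME = [ "${config.networking.fqdn}." ];` here too keeps the two in step and survives the next domain move without an edit.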