Bump versions, disable some stuff for vps reverse-proxy setup

flake.nix

@@ -2,12 +2,13 @@
   description = "NixOS configurations for my machines";
 
   inputs = {
-    nixpkgs.url = github:nixos/nixpkgs;
+    nixpkgs.url = "nixpkgs/23.11";
     nixos-hardware = {
       url = github:nixos/nixos-hardware;
     };
     home-manager = {
-      url = github:nix-community/home-manager;
+      # url = github:nix-community/home-manager;
+      url = github:nix-community/home-manager/6a8444467c83c961e2f5ff64fb4f422e303c98d3;
       inputs.nixpkgs.follows = "nixpkgs";
     };
     sops-nix = {

machines/cj/configuration.nix

@@ -57,9 +57,9 @@
     # Aliases subdomains we serve here. Since we bypass pihole locally to avoid
     # circular lookups, we can set local addresses here instead of using local
     # dns in pihole (or global dns which would resolve to our WAN ips).
-    extraHosts = ''
-      127.0.0.1 git.jhink.org vault.jhink.org home.jhink.org
-      '';
+    #extraHosts = ''
+    #  127.0.0.1 git.jhink.org home.jhink.org
+    #  '';
 
 
     # The global useDHCP flag is deprecated, therefore explicitly set to false here. Per-interface useDHCP will be mandatory in the future, so this generated config replicates the default behaviour.
@@ -86,7 +86,7 @@
     timeServers = [ "192.168.88.1" ] ++ options.networking.timeServers.default;
   };
 
-  hardware.video.hidpi.enable = false;
+  #hardware.video.hidpi.enable = false;
   hardware.enableRedistributableFirmware = true;
   #hardware.pulseaudio = {
   #enable = true;
@@ -118,6 +118,8 @@
   #   enable = true; enableSSHSupport = true;
   # };
 
+  programs.zsh.enable = true;
+
   security.rtkit.enable = true; # recommended for pipewire
 
   # enable acme for certbot
@@ -190,9 +192,10 @@
     };
 
     vaultwarden = {
-      enable = true;
+      # We use a docker container for vaultwarden now
+      enable = false;
       config = {  # https://github.com/dani-garcia/vaultwarden/blob/1.25.2/.env.template
-        DOMAIN = "http://100.64.0.2:8081";
+        DOMAIN = "https://vault.jhink.org";
         ROCKET_ADDRESS = "0.0.0.0";
         ROCKET_PORT = 8222;
         SIGNUPS_ALLOWED = false;

machines/cj/firewall.nix

@@ -6,7 +6,7 @@
     53 # pihole
     8123  # home-assistant
     3000  # gitea
-    8081  # vaultwarden
+    8022  # vaultwarden
     80 443  # reverse proxy
   ];
   allowedUDPPorts = [

machines/cj/gitea.nix

@@ -1,9 +1,5 @@
 {
   enable = true;
-  domain = "git.jhink.org";
-  rootUrl = "https://git.jhink.org";
-  httpPort = 3000;
-  httpAddress = "127.0.0.1";
   lfs = {
     enable = true;
     contentDir = "/serverdata/gitea/lfs_content";
@@ -13,5 +9,11 @@
     repository = {
       DEFAULT_BRANCH = "main";
     };
+    server = {
+      DOMAIN = "git.jhink.org";
+      ROOT_URL = "https://git.jhink.org";
+      HTTP_PORT = 3000;
+      HTTP_ADDR = "127.0.0.1";
+    };
   };
 }

machines/cj/hardware-configuration-zfs.nix

@@ -20,7 +20,7 @@
   powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
   # high-resolution display
-  hardware.video.hidpi.enable = lib.mkDefault true;
+  #hardware.video.hidpi.enable = lib.mkDefault true;
 
   fileSystems."/" = {
     device = "none";
@@ -90,6 +90,11 @@
       fsType = "zfs";
       neededForBoot = true;
     };
+  fileSystems."/serverdata/vaultwarden" =
+    { device = "rpool/serverdata/vaultwarden";
+      fsType = "zfs";
+      neededForBoot = true;
+    };
 
   fileSystems."/home" =
     { device = "rpool/userdata/home";

machines/cj/pihole.nix

@@ -1,5 +1,5 @@
 { serverIP, serverIP6 } : {
-  image = "pihole/pihole:2023.05.2";
+  image = "pihole/pihole:2024.01.0";
   ports = [
     "53:53/tcp"
     "53:53/udp"