Bump versions, disable some stuff for vps reverse-proxy setup

2024-03-27 07:16:44 -04:00 · 2024-03-27 07:16:44 -04:00 · 88975f0003
commit 88975f0003
parent 9080b1bd8d
6 changed files with 26 additions and 15 deletions
--- a/flake.nix
+++ b/flake.nix
@ -2,12 +2,13 @@
  description = "NixOS configurations for my machines";
  inputs = {
-    nixpkgs.url = github:nixos/nixpkgs;
+    nixpkgs.url = "nixpkgs/23.11";
    nixos-hardware = {
      url = github:nixos/nixos-hardware;
    };
    home-manager = {
-      url = github:nix-community/home-manager;
+      # url = github:nix-community/home-manager;
      url = github:nix-community/home-manager/6a8444467c83c961e2f5ff64fb4f422e303c98d3;
      inputs.nixpkgs.follows = "nixpkgs";
    };
    sops-nix = {
--- a/machines/cj/configuration.nix
+++ b/machines/cj/configuration.nix
@ -57,9 +57,9 @@
    # Aliases subdomains we serve here. Since we bypass pihole locally to avoid
    # circular lookups, we can set local addresses here instead of using local
    # dns in pihole (or global dns which would resolve to our WAN ips).
-    extraHosts = ''
+    #extraHosts = ''
-      127.0.0.1 git.jhink.org vault.jhink.org home.jhink.org
+    #  127.0.0.1 git.jhink.org home.jhink.org
-      '';
+    #  '';
    # The global useDHCP flag is deprecated, therefore explicitly set to false here. Per-interface useDHCP will be mandatory in the future, so this generated config replicates the default behaviour.
@ -86,7 +86,7 @@
    timeServers = [ "192.168.88.1" ] ++ options.networking.timeServers.default;
  };
-  hardware.video.hidpi.enable = false;
+  #hardware.video.hidpi.enable = false;
  hardware.enableRedistributableFirmware = true;
  #hardware.pulseaudio = {
  #enable = true;
@ -118,6 +118,8 @@
  #   enable = true; enableSSHSupport = true;
  # };
  programs.zsh.enable = true;
  security.rtkit.enable = true; # recommended for pipewire
  # enable acme for certbot
@ -190,9 +192,10 @@
    };
    vaultwarden = {
-      enable = true;
+      # We use a docker container for vaultwarden now
      enable = false;
      config = {  # https://github.com/dani-garcia/vaultwarden/blob/1.25.2/.env.template
-        DOMAIN = "http://100.64.0.2:8081";
+        DOMAIN = "https://vault.jhink.org";
        ROCKET_ADDRESS = "0.0.0.0";
        ROCKET_PORT = 8222;
        SIGNUPS_ALLOWED = false;
--- a/machines/cj/firewall.nix
+++ b/machines/cj/firewall.nix
@ -6,7 +6,7 @@
    53 # pihole
    8123  # home-assistant
    3000  # gitea
-    8081  # vaultwarden
+    8022  # vaultwarden
    80 443  # reverse proxy
  ];
  allowedUDPPorts = [
--- a/machines/cj/gitea.nix
+++ b/machines/cj/gitea.nix
@ -1,9 +1,5 @@
 {
  enable = true;
  domain = "git.jhink.org";
  rootUrl = "https://git.jhink.org";
  httpPort = 3000;
  httpAddress = "127.0.0.1";
  lfs = {
    enable = true;
    contentDir = "/serverdata/gitea/lfs_content";
@ -13,5 +9,11 @@
    repository = {
      DEFAULT_BRANCH = "main";
    };
    server = {
      DOMAIN = "git.jhink.org";
      ROOT_URL = "https://git.jhink.org";
      HTTP_PORT = 3000;
      HTTP_ADDR = "127.0.0.1";
    };
  };
 }
--- a/machines/cj/hardware-configuration-zfs.nix
+++ b/machines/cj/hardware-configuration-zfs.nix
@ -20,7 +20,7 @@
  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
  # high-resolution display
-  hardware.video.hidpi.enable = lib.mkDefault true;
+  #hardware.video.hidpi.enable = lib.mkDefault true;
  fileSystems."/" = {
    device = "none";
@ -90,6 +90,11 @@
      fsType = "zfs";
      neededForBoot = true;
    };
  fileSystems."/serverdata/vaultwarden" =
    { device = "rpool/serverdata/vaultwarden";
      fsType = "zfs";
      neededForBoot = true;
    };
  fileSystems."/home" =
    { device = "rpool/userdata/home";
--- a/machines/cj/pihole.nix
+++ b/machines/cj/pihole.nix
@ -1,5 +1,5 @@
 { serverIP, serverIP6 } : {
-  image = "pihole/pihole:2023.05.2";
+  image = "pihole/pihole:2024.01.0";
  ports = [
    "53:53/tcp"
    "53:53/udp"