diff --git a/machines/hippocampus/backups/gitea.nix b/machines/hippocampus/backups/gitea.nix
index 4c36208..289d378 100644
--- a/machines/hippocampus/backups/gitea.nix
+++ b/machines/hippocampus/backups/gitea.nix
@@ -1,6 +1,24 @@
-{ ... }: {
+{ pkgs, config, ... }: {
 services.gitea.dump = {
 enable = true;
 interval = "2:45";
 };
+ systemd.timers."gitea-clear-dump" = {
+ wantedBy = [ "timers.target" ];
+ timerConfig = {
+ OnCalendar = "daily";
+ Persistent = true;
+ Unit = "gitea-clear-dump.service";
+ };
+ };
+
+ systemd.services."gitea-clear-dump" = {
+ script = ''
+ ${pkgs.findutils}/bin/find /var/lib/gitea/dump -type f -ctime +5 -exec rm -f {} \;
+ '';
+ serviceConfig = {
+ Type = "oneshot";
+ User = config.services.gitea.user;
+ };
+ };
 }
diff --git a/machines/hippocampus/modules/headscale.nix b/machines/hippocampus/modules/headscale.nix
index 58d809b..515d4da 100644
--- a/machines/hippocampus/modules/headscale.nix
+++ b/machines/hippocampus/modules/headscale.nix
@@ -91,7 +91,7 @@ let
 partOf = ["headscale.service"];
 script = ''
- ${cfg.package}/bin/headscale preauthkeys -u ${name} create \
+ ${cfg.package}/bin/headscale preauthkeys -u $(${cfg.package}/bin/headscale users -o json-line list | ${pkgs.jq}/bin/jq '.[] | select(.name=="${name}").id') create \
 ${lib.optionalString options.preAuthEphemeral "--ephemeral"} \
 ${lib.optionalString options.preAuthReusable "--reusable"} \
 --expiration ${options.preAuthExpiration} \
diff --git a/machines/hippocampus/oci/Wireguard.ContainerFile b/machines/hippocampus/oci/Wireguard.ContainerFile
new file mode 100644
index 0000000..7add9a4
--- /dev/null
+++ b/machines/hippocampus/oci/Wireguard.ContainerFile
@@ -0,0 +1,5 @@
+FROM alpine:3.16
+RUN apk add --no-cache bash wireguard-tools jq curl git ncurses
+RUN git clone https://github.com/pia-foss/manual-connections /manual-connections
+WORKDIR /manual-connections
+CMD bash -c "/manual-connections/run_setup.sh && watch -n 60 curl ip.me"
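Review bot: The prune in the `gitea-clear-dump` script keys on `-ctime +5`, but ctime is reset by any metadata change (a chmod/chown, a restore, a backup tool fixing ownership), so an old dump can silently survive pruning, and with no name filter the `find` also deletes any other file that ends up under /var/lib/gitea/dump. Prefer mtime and find's built-in delete, which also avoids spawning one rm per file: `${pkgs.findutils}/bin/find /var/lib/gitea/dump -type f -mtime +5 -delete`. If that directory can hold anything other than dumps, add a `-name` filter matching the file names `services.gitea.dump` actually produces (check the option's type setting before assuming a pattern).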
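Review bot: In the added `headscale preauthkeys` line the user id comes from an unquoted `$(...)` substitution, so when no user named `${name}` exists (or the jq filter yields nothing) the substitution expands to nothing and `-u` consumes `create` as its argument instead of failing with a clear error; `set -e` does not cover a substitution used as a command argument. Resolve the id first and fail fast: `uid=$(${cfg.package}/bin/headscale users -o json-line list | ${pkgs.jq}/bin/jq -r '.[] | select(.name=="${name}").id')` / `[ -n "$uid" ] || { echo "headscale user ${name} not found" >&2; exit 1; }` / `${cfg.package}/bin/headscale preauthkeys -u "$uid" create \`. The jq filter also assumes the list output is a single JSON array and embeds `${name}` unescaped inside a jq string literal, which breaks if a user name ever contains a double quote; passing it with `--arg n "${name}"` and `select(.name==$n)` avoids that. The script body continues past the end of the hunk.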
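Review bot: `RUN git clone https://github.com/pia-foss/manual-connections /manual-connections` pulls whatever the upstream default branch holds at build time, and the resulting image runs on the host with elevated network privileges (see jelly.nix in this commit), so every rebuild trusts an unpinned third-party tree with no integrity check. Pin it to a reviewed revision, e.g. `RUN git clone https://github.com/pia-foss/manual-connections /manual-connections && git -C /manual-connections checkout <reviewed-commit-sha>` (placeholder for the hash you audited). `FROM alpine:3.16` is also a release that is past its upstream support window, so the `apk add` packages no longer receive security fixes; move to a supported Alpine tag while pinning. The `watch -n 60 curl ip.me` in CMD polls a third-party service over plain HTTP every minute purely as a liveness aid; logging the WireGuard interface state locally would give the same signal without the external dependency.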
diff --git a/machines/hippocampus/oci/jelly.nix b/machines/hippocampus/oci/jelly.nix
index 12689ee..73447a5 100644
--- a/machines/hippocampus/oci/jelly.nix
+++ b/machines/hippocampus/oci/jelly.nix
@@ -18,10 +18,12 @@ in {
 containers = {
 wireguard = {
- image = "thrnz/docker-wireguard-pia";
+ # Derived from the pia-wg.tar.gz
+ # which was built from the containerfile
+ image = "localhost/pia-wg:latest";
 volumes = [
 # "${configDir}/wireguard:/config"
- "${configDir}/wireguard_pia:/pia"
+ # "${configDir}/wireguard_pia:/pia"
 ];
 ports = getPorts [
 "deluge"
@@ -34,13 +36,23 @@
 ];
 environment = {
 TZ = "America/Toronto";
- LOC = "ca";
+ LOC = "ca";
+ PIA_DNS = "false"; # - true/false
+ PIA_PF = "false"; # - true/false
+ PIA_CONNECT = "true"; # - true/false; connect to VPN after configuration has been created. Set to false to only create configuration file. Only effective for wireguard protocol. Default true.
+ MAX_LATENCY = "0.2"; # - numeric value, in seconds
+ AUTOCONNECT = "true"; # - true/false; this will test for and select the server with the lowest latency, it will override PREFERRED_REGION
+ # PREFERRED_REGION = ""; # - the region ID for a PIA server
+ DIP_TOKEN = "n";
+ VPN_PROTOCOL = "wireguard"; # - wireguard or openvpn; openvpn will default to openvpn_udp_standard, but can also specify openvpn_tcp/udp_standad/strong
+ DISABLE_IPV6 = "no"; # - yes/no
 };
 extraOptions = [
- "--cap-add=ALL"
- "--pull=newer"
- "--dns=1.1.1.1"
+ "--privileged" "--dns=1.1.1.1" "--env-file=${config.sops.secrets.jellyfin-pia.path}"
+ "--cap-add=NET_ADMIN,NET_RAW,SYS_MODULE"
+ "--cap-drop=MKNOD,AUDIT_WRITE"
+ "--sysctl=net.ipv4.ip_forward=1"
 "--sysctl=net.ipv4.conf.all.src_valid_mark=1"
 "--sysctl=net.ipv6.conf.lo.disable_ipv6=1"
 "--sysctl=net.ipv6.conf.all.disable_ipv6=1"
diff --git a/machines/hippocampus/oci/pia-wg.tar.gz b/machines/hippocampus/oci/pia-wg.tar.gz
new file mode 100644
index 0000000..edb45f9
Binary files /dev/null and b/machines/hippocampus/oci/pia-wg.tar.gz differ
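Review bot: `image = "localhost/pia-wg:latest"` names an image that only exists if someone has run `podman load` on the committed pia-wg.tar.gz by hand; nothing in this module loads it, so a fresh host or an image-store prune leaves the container unable to start, and the `:latest` tag is mutable so there is no record of which build is actually running. oci-containers can load the archive itself with `imageFile = ./pia-wg.tar.gz;` next to `image` (or a derivation wrapping it, depending on what the option type accepts), assuming the archive is in a format `podman load` understands. Building the image from the committed Wireguard.ContainerFile through Nix (e.g. `pkgs.dockerTools`) instead of checking in a binary would make the tag content reproducible. Commenting out the `/pia` volume also means whatever the container wrote there no longer persists across restarts, which may be intended but deserves a comment saying so.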
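Review bot: `"--privileged"` in extraOptions grants the container every capability, disables the default seccomp profile and exposes all host devices, so the `--cap-add=NET_ADMIN,NET_RAW,SYS_MODULE` and `--cap-drop=MKNOD,AUDIT_WRITE` lines below it are at best redundant and at worst document a restriction that is not enforced; the old `--cap-add=ALL` was already broad, and this hunk widens it further while also handing the container a credentials file via `--env-file`. A WireGuard client needs NET_ADMIN (and usually NET_RAW) plus the sysctls already listed; SYS_MODULE is only needed to load the kernel module from inside the container, which the host can do instead with `boot.kernelModules = [ "wireguard" ];` if its kernel builds WireGuard as a module. Drop `"--privileged"` and `SYS_MODULE`, keep the explicit `--cap-add`/`--cap-drop`, and confirm the PIA setup script still connects. Removing `--pull=newer` is fine now that the image is local.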
diff --git a/machines/hippocampus/secrets/pass.yaml b/machines/hippocampus/secrets/pass.yaml
index 6ee8598..c8b2d5c 100644
--- a/machines/hippocampus/secrets/pass.yaml
+++ b/machines/hippocampus/secrets/pass.yaml
@@ -1,7 +1,7 @@
 nextcloud:
 adminPass: ENC[AES256_GCM,data:D2SAD/Somvw8abIm0KX4fWRfuQ==,iv:Y7K14yZZFcu97KVBd0219hwnGY4LEX2DNxxulSegr/8=,tag:aRJAlz1xvQxWodcE2bZLdQ==,type:str]
 s3secret: ENC[AES256_GCM,data:lIVuiZMh376MSuu13UPCu49Q64bVbk+WM/CUEIGzV0Q=,iv:J2vHalppWEupWK07zXsMoiH6avmpsgg0Cqcc7EkZVV4=,tag:pxKwiaH5SZa8Vh71gLGQWw==,type:str]
-jellyfin-pia: ENC[AES256_GCM,data:rbqpmm2EtxcMeJfjlGaJOwPCn4UAZaKsH8Zeztk7A6QiSw==,iv:8A6NHVHgKIL6iwLKgRrT6T3k0pgDI5lL5rDMN5/Egrw=,tag:P6Kh9cOnrB23Z7S72xBK7g==,type:str]
+jellyfin-pia: ENC[AES256_GCM,data:hOgUAr47FMd2QgzgXBeqv41Paqy6zn6tyWVDbF1JtqcTog/zZC4=,iv:opnxrycFszAhuMARcP48gKF6eL1ERNgWS68wO+s4CIM=,tag:fqimxKdTAh55ANKD3bp46w==,type:str]
 ddclient: ENC[AES256_GCM,data:a31MKnoEZXrj/s8z3+MP9jhQ5/sBjljZphXBJsWj5GU=,iv:YHKCartadDQa59aUf9Fw/KgdgMgsqsVLDAIh/KeqehQ=,tag:hUaUqjcX75xw6eC9axtQmw==,type:str]
 anki: ENC[AES256_GCM,data:hUBKr/s1DDorlmbHDUvHtVSumw==,iv:Ekjt6dsncinHhM+dV/mxOjErBQpgKtPOVbmwGRy9XOE=,tag:zvfV9z3QROgsk4eznmxqDw==,type:str]
 tandoor-secret: ENC[AES256_GCM,data:/clEIU38M7lJ6+JbFSKWb5kKSUvxdGYPq2Hl9TjgijZtYIYFOleJQ9PiT+d/osmY/r0=,iv:Nulu93V+s9RBmEDRs2LXJXy7l0O/AeU0CwwtTNLGw2c=,tag:brRyVaWeUGLx1nt0MtcIEw==,type:str]
@@ -14,10 +14,6 @@ restic:
 passwd: ENC[AES256_GCM,data:vUsAP5+iZo7U55xnUP7Cnk1OxnrO+paHKmT2cuc=,iv:GF7fybEQZIxHPm1Z6Sj5dn/zOR5dRVgikH8LILsTMIs=,tag:Mh61boRPsfHeiSfXmrEx5Q==,type:str]
 backblaze: ENC[AES256_GCM,data:IfWzuIYUrCGYpP68CPFi2vLqq9NVmiVyCE+Z8yi+cnaQwgwNL40lJEPL/U3d0lgsmrsV4GheNJ0oQ9tnrrJeBgZgwMl/CwXMctuUHo+cvVot/cNRd1vCdjRr7WUnw8737uxyW45OaaYbkZRa3NWEGDll1iFDWB2w4n5DTsomyO03tFZB5gckwQYmpjYmK4DcIWyTaEiDrznmkyM+sxoWv9pcTHZIIN7TCHHkzmlMzXXqJnoRfCpdVm/QF9jbrAYs,iv:tOa1FFyggm0ScoRdFk6tACOnQVcZMYaDqeJyX5SMKXc=,tag:EY5jQhZnLP6IzqY9garoEQ==,type:str]
 sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
 age:
 - recipient: age1crymppz88etsdjpckmtdhr397x5xg5wv8jt6tcj23gt2snq73pzs04fuve
 enc: |
@@ -28,8 +24,7 @@ sops:
 RVUzMlFya3Z0amdTUTJ5YjFRck5kZzQKoWZzExqzPRpQPL4CdqBalc1/dYtjBH6J
 LGR0oImfOWlIJwcaJLv/fc470UvXHHwIji9v/pbV7xMkgMjlJthaYg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-11-26T02:45:21Z"
- mac: ENC[AES256_GCM,data:t5+2iRUJprwwW8GRiQx/h8IOYjjhsq+954GDL2ujXiZVM3oBhESdeBi6aMMwsqABCr+PjP4gb4qHHbduxWlGSZlAh4HSiVwwizI8XV8HZqUqPKBJEqRThzcwznCk4DOGpf1PMbktBX/r50pDeoDcgShKka1bMY8kD385SVklgNE=,iv:EXFXz12HNTMRoW0gIrTEZPHhdTG2cxaWf65uTgT7nZ4=,tag:5XweTiLnO9N8eZb4EPkh6g==,type:str]
- pgp: []
+ lastmodified: "2025-07-19T19:15:37Z"
+ mac: ENC[AES256_GCM,data:RPGKe5f+5GUnGK3zybRrTnd8N4TprLWBEWLI2HI68Acf1MlJ1AMOWOhpi5xa0Hkxpah8D/d0CEH2ymaO5EBSUamPdYThI4g/4cxNBXboKnALSf91ZUty86/1+14TbI6vFCZ5ghjB4THxszGf47ajIDa/TjHx0yHFWDi7rpApmcw=,iv:ep/NlJfkIkQe5RJ4U2YfZ7/0S4vWqxjg+xrLLnJwfwI=,tag:c01jey2juzoPKux7n/0rug==,type:str]
 unencrypted_suffix: _unencrypted
- version: 3.9.0
+ version: 3.10.2
diff --git a/machines/hippocampus/servers/public.nix b/machines/hippocampus/servers/public.nix
index 4b6185c..4c4538c 100644
--- a/machines/hippocampus/servers/public.nix
+++ b/machines/hippocampus/servers/public.nix
@@ -25,7 +25,7 @@
 ./public/nextcloud.nix
 # Rabb.it at home
- ./public/watchthingz.nix
+ # ./public/watchthingz.nix
 # Pterodactyl Game Server
 ./public/pterodactyl.nix
@@ -47,5 +47,8 @@
 # Random Usage, specific port
 ./public/random.nix
+
+ # Perfect Pitch Project
+ ./public/perfect_pitch.nix
 ];
 }
diff --git a/machines/hippocampus/servers/public/headscale.nix b/machines/hippocampus/servers/public/headscale.nix
index 5da725a..50c04b2 100644
--- a/machines/hippocampus/servers/public/headscale.nix
+++ b/machines/hippocampus/servers/public/headscale.nix
@@ -26,6 +26,9 @@
 dns = {
 base_domain = "tailnet";
 magic_dns = true;
+ nameservers.global = [
+ "1.1.1.1"
+ ];
 };
 };
 };
diff --git a/machines/hippocampus/servers/public/hydra.nix b/machines/hippocampus/servers/public/hydra.nix
index 5e1f03f..7837c3e 100644
--- a/machines/hippocampus/servers/public/hydra.nix
+++ b/machines/hippocampus/servers/public/hydra.nix
@@ -17,7 +17,7 @@ in {
 '';
 };
 nix.extraOptions = ''
- allowed-uris = https://github.com/ https://git.savannah.gnu.org/ https://git.syzygial.cc https://gitlab.com https://sr.ht github: gitlab:
+ allowed-uris = https://github.com/ https://git.savannah.gnu.org/ https://git.syzygial.cc https://gitlab.com https://sr.ht github: gitlab: https://git.lix.systems
 '';
 systemd.services.hydra = {
 serviceConfig = {
diff --git a/machines/hippocampus/servers/public/nextcloud.nix b/machines/hippocampus/servers/public/nextcloud.nix
index 7d3a6a3..5ee4663 100644
--- a/machines/hippocampus/servers/public/nextcloud.nix
+++ b/machines/hippocampus/servers/public/nextcloud.nix
@@ -13,7 +13,7 @@ in {
 services.nextcloud = {
 enable = true;
- package = pkgs.nextcloud30;
+ package = pkgs.nextcloud31;
 hostName = "localhost";
 settings = {
 trusted_domains = [
diff --git a/machines/hippocampus/servers/public/perfect_pitch.nix b/machines/hippocampus/servers/public/perfect_pitch.nix
new file mode 100644
index 0000000..88879e5
--- /dev/null
+++ b/machines/hippocampus/servers/public/perfect_pitch.nix
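Review bot: The `https://git.lix.systems` entry appended to `allowed-uris` has no trailing slash; Nix documents `allowed-uris` as a list of URI prefixes, so as written it also admits any host whose name merely starts with `git.lix.systems` (for instance `git.lix.systems.example`), and this option is what keeps restricted-mode Hydra evaluations from fetching arbitrary URLs. Use `https://git.lix.systems/` to bound it to that host, as the `https://github.com/` and `https://git.savannah.gnu.org/` entries on the same line already do; `https://git.syzygial.cc`, `https://gitlab.com` and `https://sr.ht` predate this change but share the weakness and could be fixed in the same edit. Newer Nix and Lix releases may already match on a path boundary, but the slash costs nothing and makes the intent explicit regardless of which evaluator Hydra runs.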
@@ -0,0 +1,52 @@
+{config, pkgs, ...}:
+
+ {
+ systemd.targets.machines.enable = true;
+ systemd.services."perfectpitch-container" = {
+ enable = true;
+ wantedBy = ["machines.target"];
+ environment = {
+ # SYSTEMD_NSPAWN_USE_CGNS = "0";
+ };
+ script = ''
+ exec ${config.systemd.package}/bin/systemd-nspawn --hostname perfectpitch \
+ --resolv-conf=off --system-call-filter="add_key keyctl bpf" --bind /dev/fuse \
+ -nbD /var/lib/machines/perfectpitch --machine perfectpitch
+ '';
+ postStart = ''
+ ${pkgs.iproute2}/bin/ip link set ve-perfectpitch up || true
+ ${pkgs.iproute2}/bin/ip addr add 10.2.0.0 dev ve-perfectpitch || true
+ ${pkgs.iproute2}/bin/ip route add 10.2.0.1 dev ve-perfectpitch || true
+ '';
+ serviceConfig = {
+ Type = "notify";
+ Slice = "machine.slice";
+ Delegate = true;
+ DeviceAllow = "/dev/fuse rwm";
+ };
+ };
+ networking.nat = {
+ enable = true;
+ # Check for hostBridge use vb instead of ve
+ internalInterfaces = ["ve-perfectpitch"];
+ externalInterface = "enp0s25";
+ enableIPv6 = true;
+ forwardPorts = [
+ { sourcePort = 8022;
+ destination = "10.2.0.1:22";
+ proto = "tcp";
+ }
+ { sourcePort = 8022;
+ destination = "10.2.0.1:22";
+ proto = "udp";
+ }
+ ];
+ };
+ services.caddy.virtualHosts = {
+ "pitch.crompton.cc" = {
+ extraConfig = ''
+ reverse_proxy 10.2.0.1:8080
+ '';
+ };
+ };
+}
diff --git a/machines/hippocampus/servers/public/pterodactyl.nix b/machines/hippocampus/servers/public/pterodactyl.nix
index f2deca9..1a82aab 100644
--- a/machines/hippocampus/servers/public/pterodactyl.nix
+++ b/machines/hippocampus/servers/public/pterodactyl.nix
@@ -32,11 +32,11 @@
 externalInterface = "enp0s25";
 enableIPv6 = true;
 forwardPorts = [
- { sourcePort = "25565:28000";
+ { sourcePort = "25565:26000";
 destination = "10.1.0.1:25565-25600";
 proto = "tcp";
 }
- { sourcePort = "25565:28000";
+ { sourcePort = "25565:26000";
 destination = "10.1.0.1:25565-25600";
 proto = "udp";
 }
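Review bot: The `networking.nat.forwardPorts` entries publish the guest's port 22 as 8022 on `enp0s25`, the external interface, so the nspawn container's SSH daemon becomes reachable from outside and its configuration now needs the same scrutiny as the host's; the second entry forwarding UDP 8022 to port 22 does nothing useful because SSH is TCP-only and can be dropped. The `systemd-nspawn` invocation boots the guest without `--private-users`, so uid 0 inside /var/lib/machines/perfectpitch is uid 0 on the host, and `--system-call-filter="add_key keyctl bpf"` re-enables syscalls nspawn blocks by default; unless the workload strictly needs them, remove that flag and add `--private-users=pick --private-users-ownership=auto` (confirm the host's systemd supports the ownership option). In `postStart` the `|| true` after each `ip` command hides real failures that would otherwise explain a dead reverse proxy; `ip addr replace 10.2.0.0 dev ve-perfectpitch` and `ip route replace 10.2.0.1 dev ve-perfectpitch` are idempotent across restarts, so the suppression can go and errors can surface in the journal.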
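Review bot: Both changed `sourcePort = "25565:26000"` ranges still do not line up with `destination = "10.1.0.1:25565-25600"`: the source range spans 436 ports while the destination range spans 36, so connections arriving on 25601-26000 at the external interface are accepted and then DNAT-ed onto some port within 25565-25600 chosen by netfilter rather than being rejected. Unless that overflow mapping is intended, make the ranges equal with `sourcePort = "25565:25600";` in both the tcp and udp entries, or widen the destination range to match if more game ports are needed. The closing of the `forwardPorts` list lies outside the hunk.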
diff --git a/machines/hippocampus/services/dyndns.nix b/machines/hippocampus/services/dyndns.nix
index 939be63..5219918 100644
--- a/machines/hippocampus/services/dyndns.nix
+++ b/machines/hippocampus/services/dyndns.nix
@@ -2,7 +2,7 @@
 sops.secrets.ddclient = {};
 services.ddclient = {
 enable = true;
- usev4 = "web, web=dynamicdns.park-your-domain.com/getip";
+ usev4 = "webv4, web=dynamicdns.park-your-domain.com/getip";
 protocol = "namecheap";
 server = "dynamicdns.park-your-domain.com";
 username = "crompton.cc";
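Review bot: `usev4 = "webv4, web=dynamicdns.park-your-domain.com/getip"` switches to the ddclient 3.10 lookup keyword but keeps the URL under the legacy `web=` key; in ddclient 3.10 and later the URL for `usev4=webv4` is set with `webv4=`, so the `web=` value is likely ignored and ddclient falls back to its built-in lookup service, silently changing where the public address is learned from (verify against the ddclient version nixpkgs ships). The URL also carries no scheme, so if ddclient does honour it the lookup may go over plain HTTP, which lets an on-path party influence the address written into DNS. If the endpoint serves TLS, the line should read `usev4 = "webv4, webv4=https://dynamicdns.park-your-domain.com/getip";`.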