From 2f166efc51466defb91bf6a9df3b3207d44e2ef9 Mon Sep 17 00:00:00 2001
From: Jade
Date: Sun, 21 May 2023 12:52:04 +0200
Subject: [PATCH] regret not doing this more granularly but oh well
---
 flake.lock | 6 ++--
 flake.nix | 4 ++-
 modules/base-stuff.nix | 62 ++++++++++++++++++++++++++++++++++-------
 modules/hetzner/wan.nix | 38 +++++++++++++++++++++++++
 modules/keycloak.nix | 6 ++--
 modules/prosody.nix | 24 ++++++++++++++++
 modules/proxy.nix | 6 +++-
 7 files changed, 128 insertions(+), 18 deletions(-)
 create mode 100644 modules/hetzner/wan.nix
 create mode 100644 modules/prosody.nix
diff --git a/flake.lock b/flake.lock
index 7d1707d..25ae579 100644
--- a/flake.lock
+++ b/flake.lock
@@ -343,11 +343,11 @@
 },
 "nixpkgs_5": {
 "locked": {
- "lastModified": 1683478192,
- "narHash": "sha256-7f7RR71w0jRABDgBwjq3vE1yY3nrVJyXk8hDzu5kl1E=",
+ "lastModified": 1683627095,
+ "narHash": "sha256-8u9SejRpL2TrMuHBdhYh4FKc1OGPDLyWTpIbNTtoHsA=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "c568239bcc990050b7aedadb7387832440ad8fb1",
+ "rev": "a08e061a4ee8329747d54ddf1566d34c55c895eb",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 4aecbcb..63fe185 100644
--- a/flake.nix
+++ b/flake.nix
@@ -35,7 +35,8 @@
 katzencafe = { name, nodes, pkgs, pkgsUnstable, inputs, ... }: {
 deployment = {
 targetHost = "katzen.cafe";
- # buildOnTarget = true;
+ #targetHost = "2a01:4f8:c17:c51f::";
+ buildOnTarget = true;
 };
 imports = [
 ./modules/base-stuff.nix
@@ -48,6 +49,7 @@ ./modules/forgejo.nix ./modules/mumble.nix ./modules/modded-mc.nix + #./modules/prosody.nix ]; system.stateVersion = "22.11";
diff --git a/modules/base-stuff.nix b/modules/base-stuff.nix
index 38a76ad..48f8125 100644
--- a/modules/base-stuff.nix
+++ b/modules/base-stuff.nix
@@ -1,17 +1,59 @@ -{ pkgs, ... }: +{ pkgs, modulesPath, lib, ... }: { - networking.hostName = "katzen-cafe"; + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; - networking.networkmanager.enable = true; - networking.firewall = { - allowedTCPPorts = [ 22 80 443 ]; + #modules.hetzner.wan = { + #enable = true; + #macAddress = "96:00:02:1f:45:20"; # changeme + #ipAddresses = [ + #"91.107.221.11/32" + #"2a01:4f8:c17:c51f::1/64" + #]; + #}; + #networking.useDHCP = lib.mkDefault true; + networking = { + nameservers = [ "9.9.9.9" "149.112.112.112" ]; + hostName = "katzen-cafe"; + networkmanager.enable = true; + firewall.allowedTCPPorts = [ 22 80 443 ]; + + interfaces."enp1s0" = { + ipv6.addresses = [{ + address = "2a01:4f8:c17:c51f::"; + prefixLength = 64; + }]; + ipv4.addresses = [{ + address = "91.107.221.11"; + prefixLength = 32; + }]; + }; + defaultGateway6 = { + address = "fe80::1"; + interface = "enp1s0"; + }; + defaultGateway = { + address = "172.31.1.1"; + interface = "enp1s0"; + }; }; - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - boot.kernelPackages = pkgs.linuxPackages_latest; - boot.kernelParams = [ "console=tty" ]; - boot.initrd.kernelModules = [ "virtio_gpu" ]; + boot = { + kernelPackages = pkgs.linuxPackages_latest; + kernelParams = [ "console=tty" ]; + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; + initrd = { + availableKernelModules = [ "xhci_pci" "virtio_pci" "usbhid" "sr_mod" ]; + kernelModules = [ "virtio_gpu" ]; + }; + }; + + #networking.interfaces.enp1s0.ipv6.addresses = [ { address = "2a01:4f8:c17:c51f::1/64"; prefixLength = 64; } ]; + #networking.defaultGateway6 = { address = "fe80::1"; interface = "enp1s0"; }; #users.users.april = { #isNormalUser = true; diff --git a/modules/hetzner/wan.nix b/modules/hetzner/wan.nix new file mode 100644 index 0000000..52f7f99 --- /dev/null +++ b/modules/hetzner/wan.nix 
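Review bot: The IPv6 address assigned to enp1s0 in the new `interfaces."enp1s0"` block is `2a01:4f8:c17:c51f::` with prefixLength 64, while the commented-out `ipAddresses` list above it and the commented `networking.interfaces.enp1s0` line at the bottom of the hunk both use `2a01:4f8:c17:c51f::1/64`; one of the two is wrong, and since the all-zeros interface identifier is the subnet-router anycast address of that /64, the host address is the more likely intent, i.e. `address = "2a01:4f8:c17:c51f::1";`. The same hunk keeps `networkmanager.enable = true` next to a static `interfaces` definition and static `defaultGateway`/`defaultGateway6`; whether NetworkManager leaves enp1s0 to the static configuration depends on module behaviour not visible here, so it is worth confirming on the host that only one of the two manages the interface. The enclosing attribute set continues past the end of the hunk.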
@@ -0,0 +1,38 @@
+{ lib, config, ... }:
+with lib;
+let
+ cfg = config.modules.hetzner.wan;
+in
+{
+ options.modules.hetzner.wan = {
+ enable = mkEnableOption "Enable Hetzner Cloud WAN interface configuration";
+
+ macAddress = mkOption {
+ type = types.str;
+ description = "MAC Address of the WAN interface";
+ };
+
+ ipAddresses = mkOption {
+ type = types.listOf types.str;
+ description = "List of IP Addresses on the WAN interface";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.network.networks."20-wan" = {
+ matchConfig = {
+ MACAddress = cfg.macAddress;
+ };
+ address = cfg.ipAddresses;
+ routes = [
+ { routeConfig.Gateway = "fe80::1"; }
+ { routeConfig = { Destination = "172.31.1.1"; }; }
+ { routeConfig = { Gateway = "172.31.1.1"; GatewayOnLink = true; }; }
+ { routeConfig = { Destination = "172.16.0.0/12"; Type = "unreachable"; }; }
+ { routeConfig = { Destination = "192.168.0.0/16"; Type = "unreachable"; }; }
+ { routeConfig = { Destination = "10.0.0.0/8"; Type = "unreachable"; }; }
+ { routeConfig = { Destination = "fc00::/7"; Type = "unreachable"; }; }
+ ];
+ };
+ };
+}
diff --git a/modules/keycloak.nix b/modules/keycloak.nix
index 278b8aa..bcce38f 100644
--- a/modules/keycloak.nix
+++ b/modules/keycloak.nix
@@ -20,14 +20,14 @@ database = { type = "postgresql"; - createLocally = true; + createLocally = false; username = "keycloak"; - passwordFile = "/run/keys/keycloakDbPw"; + passwordFile = "/var/lib/secrets/keycloakDbPw"; }; }; deployment.keys."keycloakDbPw" = { keyCommand = [ "cat" "/home/jade/keys-tmp/keycloak-db" ]; - destDir = "/run/keys/"; + destDir = "/var/lib/secrets"; }; }
diff --git a/modules/prosody.nix b/modules/prosody.nix
new file mode 100644
index 0000000..f356b18
--- /dev/null
+++ b/modules/prosody.nix
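Review bot: `config = mkIf cfg.enable` defines `systemd.network.networks."20-wan"` but never enables systemd-networkd, so as far as this hunk shows the network definition is inert on its own, and with modules/base-stuff.nix in the same commit enabling NetworkManager it would be competing for the interface even if it were applied; add `systemd.network.enable = true;` next to the network definition and document that enabling this module means networkd owns the WAN interface. `mkEnableOption` already prefixes its argument with "Whether to enable", so the option description currently reads "Whether to enable Enable Hetzner Cloud WAN interface configuration"; `enable = mkEnableOption "Hetzner Cloud WAN interface configuration";` reads correctly. The unreachable routes for the RFC 1918 ranges and fc00::/7 are a sensible egress hardening default but carry no explanation; a comment such as `# blackhole private ranges so they never leave via the default route` would record the intent.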
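Review bot: Changing `destDir` to `/var/lib/secrets` moves the database password from the tmpfs under `/run/keys` onto persistent disk, so it now survives reboots and is included in any disk image or backup of the host; if that is deliberate it deserves a comment at the `deployment.keys."keycloakDbPw"` definition, otherwise `/run/keys` with the service ordered after the key unit is the smaller exposure. The key still sets no `user`, `group` or `permissions`, so the deployer's defaults apply (root-owned, mode 0600 if this is colmena, which the `deployment.buildOnTarget` option in flake.nix suggests); whether Keycloak reads `passwordFile` as root in its pre-start step or as its own service user is outside this hunk and decides whether `user = "keycloak";` is required. With `createLocally = false` the `keycloak` role and database must be provisioned out of band, and nothing in this commit does that, so document where they come from. The `services.keycloak` attribute set this hunk edits opens outside it.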
@@ -0,0 +1,24 @@
+{ pkgs, ... }:
+{
+ services.prosody = {
+ enable = true;
+ admins = [ "root@prosody.katzen.cafe" ];
+ virtualHosts."prosody.katzen.cafe" = {
+ domain = "prosody.katzen.cafe";
+ enabled = true;
+ };
+ ssl = {
+ key = "/var/lib/acme/prosody.katzen.cafe/key.pem";
+ cert = "/var/lib/acme/prosody.katzen.cafe/fullchain.pem";
+ };
+ uploadHttp = {
+ domain = "uploads.prosody.katzen.cafe";
+ };
+ muc = [ {
+ domain = "conference.prosody.katzen.cafe";
+ } ];
+ };
+ networking.firewall = {
+ allowedTCPPorts = [ 5280 5281 ];
+ };
+}
diff --git a/modules/proxy.nix b/modules/proxy.nix
index efa9175..87f71ca 100644
--- a/modules/proxy.nix
+++ b/modules/proxy.nix
@@ -37,7 +37,11 @@
 };
 "prosody.katzen.cafe" = {
 group = "prosody";
- keytrype = "rsa4096";
+ keyType = "rsa4096";
+ extraDomainNames = [
+ "uploads.prosody.katzen.cafe"
+ "conference.prosody.katzen.cafe"
+ ];
 };
 };
 };
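Review bot: `allowedTCPPorts = [ 5280 5281 ]` opens Prosody's plain-HTTP port 5280 to the network alongside the HTTPS port 5281; since modules/proxy.nix in this commit provisions an ACME certificate for prosody.katzen.cafe and its uploads/conference names, the HTTP services are presumably meant to be reached over TLS, so 5280 should stay closed (`allowedTCPPorts = [ 5281 ];`) unless BOSH and uploads are intentionally served unencrypted. Conversely the XMPP client and server ports 5222 and 5269 are not opened here, so only the HTTP-facing services would be reachable from outside; if that is intentional a comment saying so would stop the next reader from "fixing" it. `uploadHttp` is enabled with only `domain` set, so the module defaults for `uploadFileSizeLimit`, `uploadExpireAfter` and `userQuota` decide how much disk authenticated users can fill; setting them explicitly, or a comment recording the chosen ceiling, would make the resource bound visible.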
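Review bot: Adding `extraDomainNames` makes this a single SAN certificate for three names, so the ACME challenge must succeed for `uploads.prosody.katzen.cafe` and `conference.prosody.katzen.cafe` as well or the whole certificate, including the main name, fails to issue or renew; the challenge setup (webroot or DNS provider) sits outside this hunk, so confirm it covers the new names. flake.nix in the same commit still keeps `./modules/prosody.nix` commented out, so the certificate would be requested before anything serves those hostnames. The `keytrype` → `keyType` fix suggests the previous configuration defined an option the ACME submodule does not know and presumably never evaluated; a short comment on why `rsa4096` is preferred over the module default would help whoever next touches this. The `security.acme.certs` attribute set opens outside the hunk.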