diff --git a/hosts/vps-private/default.nix b/hosts/vps-private/default.nix index c0065f2..0850461 100644 --- a/hosts/vps-private/default.nix +++ b/hosts/vps-private/default.nix @@ -15,7 +15,7 @@ custom = let - tailscaleDomain = config.custom.services.tailscale.domain; + privateDomain = config.custom.services.nebula.network.domain; in { persistence.enable = true; @@ -30,11 +30,6 @@ onlyCleanRoots = true; }; - tailscale = { - enable = true; - exitNode.enable = true; - }; - nebula.node = { enable = true; address = "10.254.250.2"; @@ -49,44 +44,44 @@ isServer = true; doBackups = true; deviceId = "5R2MH7T-Q2ZZS2P-ZMSQ2UJ-B6VBHES-XYLNMZ6-7FYC27L-4P7MGJ2-FY4ITQD"; - gui.domain = "syncthing.${tailscaleDomain}"; + gui.domain = "syncthing.${privateDomain}"; }; }; web-services = { filebrowser = { enable = true; - domain = "files.${tailscaleDomain}"; + domain = "files.${privateDomain}"; doBackups = true; }; radicale = { enable = true; - domain = "calendar.${tailscaleDomain}"; + domain = "calendar.${privateDomain}"; doBackups = true; }; memos = { enable = true; - domain = "memos.${tailscaleDomain}"; + domain = "memos.${privateDomain}"; doBackups = true; }; actualbudget = { enable = true; - domain = "budget.${tailscaleDomain}"; + domain = "budget.${privateDomain}"; doBackups = true; }; freshrss = { enable = true; - domain = "rss.${tailscaleDomain}"; + domain = "rss.${privateDomain}"; doBackups = true; }; alloy = { enable = true; - domain = "alloy-${config.networking.hostName}.${tailscaleDomain}"; + domain = "alloy.${config.networking.hostName}.${privateDomain}"; }; }; }; diff --git a/hosts/vps-private/secrets.json b/hosts/vps-private/secrets.json index 46b3167..53c462f 100644 --- a/hosts/vps-private/secrets.json +++ b/hosts/vps-private/secrets.json 
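Review bot: In the last hunk of hosts/vps-private/default.nix the alloy entry is not a plain domain swap like the other services: `alloy-${config.networking.hostName}.${tailscaleDomain}` becomes `alloy.${config.networking.hostName}.${privateDomain}`, which places the name one label deeper than every other vhost. If certificates for `privateDomain` are issued as a single-level wildcard (not visible in this diff), that name would not be covered, and a fallback to a default or untrusted certificate on the Alloy UI is easy to miss. Either keep the flat form, `domain = "alloy-${config.networking.hostName}.${privateDomain}";`, or add a comment above the line stating that the extra label is intentional and how it obtains a certificate.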
@@ -24,6 +24,10 @@ "nebula": { "host-key": "ENC[AES256_GCM,data:dS3tXWUK+POzTZ98wLETaWz4ief/yFULCfI5Y3EbK26KQpwxzw6cpLXUNOSZeUwz9brN/4JcwUgewJR08Uq3HZhKZKoMPZfPRtZMDe51I4RYg4hZd1mMWXQn82KmSytZCiDIL/9qCwYvObVRiNCpAOKRj6JBpgpoQ1u5hgn1EA==,iv:G25EpAnvoLfYXAdPyJVqS3ocUPg5LQlUoi7fA+XFOZ8=,tag:/BNhuxJCunM85H9DnPF5Kg==,type:str]" }, + "porkbun": { + "api-key": "ENC[AES256_GCM,data:RV/+aEQRcfQ9LMjZjxGNvCeiso51VqvqrOBRRrR/dXhmBvyoGuh2LaAjyoDoWEjWy5kIStStR+jXZEFWZ8KXvnmEnoU=,iv:j3sYW85Vf88EfeOfezlspDxEms6YqZYnzy5JAiES3+U=,tag:0M9vDvsirc6ze3Ut+yMSoA==,type:str]", + "secret-api-key": "ENC[AES256_GCM,data:SUngZ65fBmC9WlPkmJMjyBb6sHREKhqyRj9fsBGkj5IyjtGDfQ1b7Iv0VNeSY//bWv0VZruwT48a320BUlg1xiNCKU8=,iv:glUaArlHJsxCP5z3y7JnWvmtsdRzszXhYydpd1YaX5U=,tag:185iAkQ/J9CfKkTsgPP6lA==,type:str]" + }, "sops": { "age": [ { @@ -35,8 +39,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqU01heng3NHdrYnZFZmZn\nZlJtUUIyd1ExTmhzeU5iZFZadFcwR25GOEVZCmxHOXNWQVh1ZlJSRHJtaDVHNVUv\nbTY0TlNmZ2hESDkzS2M3WHdlamxwclkKLS0tIEEvOFd3TDFkQmQwbjBodHhpb1BD\nZ2NvTnNqQmtrLy9aVDdGRGxZbVgrZG8KdnnjJWcjZFu3R8fVKToj6THHHRCFou9k\njQoedCZAML2A2FZIhHugH9wnDUPQQjG86WbcCBuFWcOTGiTF2gN+Qg==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-12-21T22:05:56Z", - "mac": "ENC[AES256_GCM,data:i6N/BeTtqkiYz5igk7mHxa69Z8MEe2cRF9541P93utNBddrTGev4VQ5VoqEQEkcOpKWvH5DbQcfsa8k60/zaGXJZ9tWbmbBiBTrbjdslpPJTbVkIwMXWYVhbS87WhfAsyQbRzXu73/jArGKVfDPzcdl2FuRmzXZKQkVjRc7x+Rc=,iv:HxjT6ppxY6jkrSPrcP9m84dd2gy2rGCGKV8MdjGy7FA=,tag:KPWQ2nhsGFuhX8ddFhEZow==,type:str]", + "lastmodified": "2026-01-10T17:15:33Z", + "mac": "ENC[AES256_GCM,data:laYkgmwyEQTqUPAI3VBKmhzewfcFAm4duM/s8wcrG1Vdlf+PR/LvSfstCJSEyNrfnPhZNYkDy3SX5qBJGbxjguJkYbeUDWXat78+qZElHtguitAsjclSCZMmizmICEyaFJYkNvad960Mm/CDTzyMQNG6whHdJTXQ309ve/OnKSQ=,iv:PtCxMjO0he3wTbP32sNZx82sik/JIZDIwuwivgGsDRw=,tag:U51Dwv1BmeQUiWoqcj+6SQ==,type:str]", "unencrypted_suffix": "_unencrypted", "version": "3.11.0" } 
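Review bot: The new `porkbun.api-key` and `porkbun.secret-api-key` entries place DNS-provider credentials on this host, and nothing in this commit shows which unit reads them or with what file ownership and mode. Whoever holds these keys can change DNS records, which is enough to satisfy DNS-based certificate validation or to repoint the private names. The decrypted files should therefore be readable only by the one service that needs them, and the key should be scoped at the provider to the single domain if that is possible. The consuming module is outside this diff, so this is a check to confirm rather than a demonstrated defect; a sentence in the commit description saying what the keys are used for would help the next reader.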
diff --git a/modules/system/services/syncthing.nix b/modules/system/services/syncthing.nix index b4e9605..abfd81b 100644 --- a/modules/system/services/syncthing.nix +++ b/modules/system/services/syncthing.nix @@ -59,7 +59,7 @@ in message = "Running syncthing on a server requires `gui.domain` to be set"; } { - assertion = (cfg.gui.domain != null) -> (lib'.isTailscaleDomain cfg.gui.domain); + assertion = (cfg.gui.domain != null) -> (lib'.isPrivateDomain cfg.gui.domain); message = lib'.mkUnprotectedMessage "Syncthing-GUI"; } ]; diff --git a/modules/system/web-services/filebrowser.nix b/modules/system/web-services/filebrowser.nix index 09423ce..eabd86a 100644 --- a/modules/system/web-services/filebrowser.nix +++ b/modules/system/web-services/filebrowser.nix @@ -27,7 +27,7 @@ in config = lib.mkIf cfg.enable { assertions = lib.singleton { - assertion = lib'.isTailscaleDomain cfg.domain; + assertion = lib'.isPrivateDomain cfg.domain; message = lib'.mkUnprotectedMessage "Filebrowser"; }; diff --git a/modules/system/web-services/freshrss.nix b/modules/system/web-services/freshrss.nix index d47f1be..a9736d4 100644 --- a/modules/system/web-services/freshrss.nix +++ b/modules/system/web-services/freshrss.nix @@ -25,7 +25,7 @@ in config = lib.mkIf cfg.enable { assertions = lib.singleton { - assertion = lib'.isTailscaleDomain cfg.domain; + assertion = lib'.isPrivateDomain cfg.domain; message = lib'.mkUnprotectedMessage "FreshRSS"; };
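Review bot: The guard in the syncthing hunk, `(cfg.gui.domain != null) -> (lib'.isPrivateDomain cfg.gui.domain)`, now carries the whole "not publicly exposed" guarantee, yet `lib'.isPrivateDomain` is not part of this diff and a name check alone does not restrict who can connect. Please confirm that the helper matches on a label boundary (the value ends with `"." + domain`, not merely contains or ends with the bare string) and that the reverse proxy for these vhosts listens only on the nebula address rather than on every interface of the VPS. The filebrowser and freshrss hunks rely on the same helper and the same assumption. A one-line comment above each assertion, such as `# domain must be under the nebula network domain; the listener is bound to the overlay address`, would make the assumption explicit.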