vps-private: Switch completely to nebula

2026-01-21 12:51:34 +01:00 · 2026-01-10 23:25:13 +01:00 · 2026-01-10 23:25:13 +01:00 · b7a2598ebe
commit b7a2598ebe
parent 116b4437fe
5 changed files with 17 additions and 18 deletions
--- a/hosts/vps-private/default.nix
+++ b/hosts/vps-private/default.nix
@ -15,7 +15,7 @@

  custom =
    let
-      tailscaleDomain = config.custom.services.tailscale.domain;
+      privateDomain = config.custom.services.nebula.network.domain;
    in
    {
      persistence.enable = true;
@ -30,11 +30,6 @@
          onlyCleanRoots = true;
        };

-        tailscale = {
-          enable = true;
-          exitNode.enable = true;
-        };
-
        nebula.node = {
          enable = true;
          address = "10.254.250.2";
@ -49,44 +44,44 @@
          isServer = true;
          doBackups = true;
          deviceId = "5R2MH7T-Q2ZZS2P-ZMSQ2UJ-B6VBHES-XYLNMZ6-7FYC27L-4P7MGJ2-FY4ITQD";
-          gui.domain = "syncthing.${tailscaleDomain}";
+          gui.domain = "syncthing.${privateDomain}";
        };
      };

      web-services = {
        filebrowser = {
          enable = true;
-          domain = "files.${tailscaleDomain}";
+          domain = "files.${privateDomain}";
          doBackups = true;
        };

        radicale = {
          enable = true;
-          domain = "calendar.${tailscaleDomain}";
+          domain = "calendar.${privateDomain}";
          doBackups = true;
        };

        memos = {
          enable = true;
-          domain = "memos.${tailscaleDomain}";
+          domain = "memos.${privateDomain}";
          doBackups = true;
        };

        actualbudget = {
          enable = true;
-          domain = "budget.${tailscaleDomain}";
+          domain = "budget.${privateDomain}";
          doBackups = true;
        };

        freshrss = {
          enable = true;
-          domain = "rss.${tailscaleDomain}";
+          domain = "rss.${privateDomain}";
          doBackups = true;
        };

        alloy = {
          enable = true;
-          domain = "alloy-${config.networking.hostName}.${tailscaleDomain}";
+          domain = "alloy.${config.networking.hostName}.${privateDomain}";
        };
      };
    };
--- a/hosts/vps-private/secrets.json
+++ b/hosts/vps-private/secrets.json
@ -24,6 +24,10 @@
  "nebula": {
    "host-key": "ENC[AES256_GCM,data:dS3tXWUK+POzTZ98wLETaWz4ief/yFULCfI5Y3EbK26KQpwxzw6cpLXUNOSZeUwz9brN/4JcwUgewJR08Uq3HZhKZKoMPZfPRtZMDe51I4RYg4hZd1mMWXQn82KmSytZCiDIL/9qCwYvObVRiNCpAOKRj6JBpgpoQ1u5hgn1EA==,iv:G25EpAnvoLfYXAdPyJVqS3ocUPg5LQlUoi7fA+XFOZ8=,tag:/BNhuxJCunM85H9DnPF5Kg==,type:str]"
  },
+  "porkbun": {
+    "api-key": "ENC[AES256_GCM,data:RV/+aEQRcfQ9LMjZjxGNvCeiso51VqvqrOBRRrR/dXhmBvyoGuh2LaAjyoDoWEjWy5kIStStR+jXZEFWZ8KXvnmEnoU=,iv:j3sYW85Vf88EfeOfezlspDxEms6YqZYnzy5JAiES3+U=,tag:0M9vDvsirc6ze3Ut+yMSoA==,type:str]",
+    "secret-api-key": "ENC[AES256_GCM,data:SUngZ65fBmC9WlPkmJMjyBb6sHREKhqyRj9fsBGkj5IyjtGDfQ1b7Iv0VNeSY//bWv0VZruwT48a320BUlg1xiNCKU8=,iv:glUaArlHJsxCP5z3y7JnWvmtsdRzszXhYydpd1YaX5U=,tag:185iAkQ/J9CfKkTsgPP6lA==,type:str]"
+  },
  "sops": {
    "age": [
      {
@ -35,8 +39,8 @@
        "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqU01heng3NHdrYnZFZmZn\nZlJtUUIyd1ExTmhzeU5iZFZadFcwR25GOEVZCmxHOXNWQVh1ZlJSRHJtaDVHNVUv\nbTY0TlNmZ2hESDkzS2M3WHdlamxwclkKLS0tIEEvOFd3TDFkQmQwbjBodHhpb1BD\nZ2NvTnNqQmtrLy9aVDdGRGxZbVgrZG8KdnnjJWcjZFu3R8fVKToj6THHHRCFou9k\njQoedCZAML2A2FZIhHugH9wnDUPQQjG86WbcCBuFWcOTGiTF2gN+Qg==\n-----END AGE ENCRYPTED FILE-----\n"
      }
    ],
-    "lastmodified": "2025-12-21T22:05:56Z",
-    "mac": "ENC[AES256_GCM,data:i6N/BeTtqkiYz5igk7mHxa69Z8MEe2cRF9541P93utNBddrTGev4VQ5VoqEQEkcOpKWvH5DbQcfsa8k60/zaGXJZ9tWbmbBiBTrbjdslpPJTbVkIwMXWYVhbS87WhfAsyQbRzXu73/jArGKVfDPzcdl2FuRmzXZKQkVjRc7x+Rc=,iv:HxjT6ppxY6jkrSPrcP9m84dd2gy2rGCGKV8MdjGy7FA=,tag:KPWQ2nhsGFuhX8ddFhEZow==,type:str]",
+    "lastmodified": "2026-01-10T17:15:33Z",
+    "mac": "ENC[AES256_GCM,data:laYkgmwyEQTqUPAI3VBKmhzewfcFAm4duM/s8wcrG1Vdlf+PR/LvSfstCJSEyNrfnPhZNYkDy3SX5qBJGbxjguJkYbeUDWXat78+qZElHtguitAsjclSCZMmizmICEyaFJYkNvad960Mm/CDTzyMQNG6whHdJTXQ309ve/OnKSQ=,iv:PtCxMjO0he3wTbP32sNZx82sik/JIZDIwuwivgGsDRw=,tag:U51Dwv1BmeQUiWoqcj+6SQ==,type:str]",
    "unencrypted_suffix": "_unencrypted",
    "version": "3.11.0"
  }
--- a/modules/system/services/syncthing.nix
+++ b/modules/system/services/syncthing.nix
@ -59,7 +59,7 @@ in
        message = "Running syncthing on a server requires `gui.domain` to be set";
      }
      {
-        assertion = (cfg.gui.domain != null) -> (lib'.isTailscaleDomain cfg.gui.domain);
+        assertion = (cfg.gui.domain != null) -> (lib'.isPrivateDomain cfg.gui.domain);
        message = lib'.mkUnprotectedMessage "Syncthing-GUI";
      }
    ];
--- a/modules/system/web-services/filebrowser.nix
+++ b/modules/system/web-services/filebrowser.nix
@ -27,7 +27,7 @@ in

  config = lib.mkIf cfg.enable {
    assertions = lib.singleton {
-      assertion = lib'.isTailscaleDomain cfg.domain;
+      assertion = lib'.isPrivateDomain cfg.domain;
      message = lib'.mkUnprotectedMessage "Filebrowser";
    };

--- a/modules/system/web-services/freshrss.nix
+++ b/modules/system/web-services/freshrss.nix
@ -25,7 +25,7 @@ in

  config = lib.mkIf cfg.enable {
    assertions = lib.singleton {
-      assertion = lib'.isTailscaleDomain cfg.domain;
+      assertion = lib'.isPrivateDomain cfg.domain;
      message = lib'.mkUnprotectedMessage "FreshRSS";
    };