introduce arrow host and deployment

modules/nixos/hardware/iso.nix

@@ -0,0 +1,19 @@
+{ config, lib, modulesPath, ... }:
+{
+
+  # options.iso.enable = lib.mkEnableOption "Enable creating as an ISO.";
+  #
+  # imports = [ "${toString modulesPath}/installer/cd-dvd/iso-image.nix" ];
+
+  # config = lib.mkIf config.iso.enable {
+  #
+  #   # EFI booting
+  #   isoImage.makeEfiBootable = true;
+  #
+  #   # USB booting
+  #   isoImage.makeUsbBootable = true;
+  #
+  # };
+
+}
+

modules/nixos/services/cloudflare.nix

@@ -69,18 +69,40 @@ in {
     }];
     # Allow Caddy to read Cloudflare API key for DNS validation
     systemd.services.caddy.serviceConfig.EnvironmentFile =
-      config.secrets.cloudflareApi.dest;
+      config.secrets.cloudflare-api.dest;
 
     # API key must have access to modify Cloudflare DNS records
-    secrets.cloudflareApi = {
+    secrets.cloudflare-api = {
       source = ../../../private/cloudflare-api.age;
       dest = "${config.secretsDirectory}/cloudflare-api";
       owner = "caddy";
       group = "caddy";
     };
 
+    # Wait for secret to exist
+    systemd.services.caddy = {
+      after = [ "cloudflare-api-secret.service" ];
+      requires = [ "cloudflare-api-secret.service" ];
+    };
+
     # Allows Nextcloud to trust Cloudflare IPs
     services.nextcloud.settings.trusted_proxies = cloudflareIpRanges;
 
+    # Allows Transmission to trust Cloudflare IPs
+    services.transmission.settings.rpc-whitelist =
+      builtins.concatStringsSep "," ([ "127.0.0.1" ] ++ cloudflareIpRanges);
+
+    services.cloudflare-dyndns = {
+      enable = true;
+      proxied = true;
+      apiTokenFile = config.secrets.cloudflare-api.dest;
+    };
+
+    # Wait for secret to exist
+    systemd.services.cloudflare-dyndns = {
+      after = [ "cloudflare-api-secret.service" ];
+      requires = [ "cloudflare-api-secret.service" ];
+    };
+
   };
 }

modules/nixos/services/default.nix

@@ -11,6 +11,7 @@
     ./calibre.nix
     ./cloudflare-tunnel.nix
     ./cloudflare.nix
+    ./identity.nix
     ./irc.nix
     ./gitea-runner.nix
     ./gitea.nix

modules/nixos/services/identity.nix

@@ -0,0 +1,19 @@
+{ config, ... }: {
+
+  # Wait for secret to be placed on the machine
+  systemd.services.wait-for-identity = {
+    description = "Wait until identity file exists on the machine";
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = { Type = "oneshot"; };
+    script = ''
+      while true; do
+          if [ -f ${config.identityFile} ]; then
+              echo "Identity file found."
+              exit 0
+          fi
+          sleep 5
+      done
+    '';
+  };
+
+}

modules/nixos/services/secrets.nix

@@ -68,6 +68,7 @@
 
         description = "Decrypt secret for ${name}";
         wantedBy = [ "multi-user.target" ];
+        requires = [ "wait-for-identity.service" ];
         serviceConfig.Type = "oneshot";
         script = ''
           echo "${attrs.prefix}$(

modules/nixos/services/sshd.nix

@@ -3,8 +3,8 @@
 { config, pkgs, lib, ... }: {
 
   options = {
-    publicKey = lib.mkOption {
-      type = lib.types.nullOr lib.types.str;
+    publicKeys = lib.mkOption {
+      type = lib.types.nullOr (lib.types.listOf lib.types.str);
       description = "Public SSH key authorized for this system.";
       default = null;
     };
@@ -28,7 +28,7 @@
     };
 
     users.users.${config.user}.openssh.authorizedKeys.keys =
-      lib.mkIf (config.publicKey != null) [ config.publicKey ];
+      lib.mkIf (config.publicKeys != null) config.publicKeys;
 
     # Implement a simple fail2ban service for sshd
     services.sshguard.enable = true;

modules/nixos/services/transmission.nix

@@ -3,37 +3,33 @@
 
 { config, pkgs, lib, ... }: {
 
-  options = {
-    transmissionServer = lib.mkOption {
-      type = lib.types.nullOr lib.types.str;
-      description = "Hostname for Transmission";
-      default = null;
-    };
-  };
-
   config = let
     namespace = config.networking.wireguard.interfaces.wg0.interfaceNamespace;
     vpnIp = lib.strings.removeSuffix "/32"
       (builtins.head config.networking.wireguard.interfaces.wg0.ips);
-  in lib.mkIf (config.transmissionServer != null) {
+  in lib.mkIf config.services.transmission.enable {
 
     # Setup transmission
     services.transmission = {
-      enable = true;
       settings = {
         port-forwarding-enabled = false;
         rpc-authentication-required = true;
         rpc-port = 9091;
         rpc-bind-address = "0.0.0.0";
         rpc-username = config.user;
-        rpc-host-whitelist = config.transmissionServer;
+        # This is a salted hash of the real password
+        # https://github.com/tomwijnroks/transmission-pwgen
+        rpc-password = "{c4c5145f6e18bcd3c7429214a832440a45285ce26jDOBGVW";
+        rpc-host-whitelist = config.hostnames.transmission;
         rpc-host-whitelist-enabled = true;
-        rpc-whitelist = "127.0.0.1,${vpnIp}";
-        rpc-whitelist-enabled = config.wireguard.enable;
+        rpc-whitelist = lib.mkDefault "127.0.0.1"; # Overwritten by Cloudflare
+        rpc-whitelist-enabled = true;
       };
-      credentialsFile = config.secrets.transmission.dest;
     };
 
+    # Configure Cloudflare DNS to point to this machine
+    services.cloudflare-dyndns.domains = [ config.hostnames.transmission ];
+
     # Bind transmission to wireguard namespace
     systemd.services.transmission = lib.mkIf config.wireguard.enable {
       bindsTo = [ "netns@${namespace}.service" ];
@@ -45,17 +41,22 @@
 
     # Create reverse proxy for web UI
     caddy.routes = lib.mkAfter [{
-      group = if (config.hostnames.download == config.transmissionServer) then
-        "download"
-      else
-        "transmission";
+      group =
+        if (config.hostnames.download == config.hostnames.transmission) then
+          "download"
+        else
+          "transmission";
       match = [{
-        host = [ config.transmissionServer ];
+        host = [ config.hostnames.transmission ];
         path = [ "/transmission*" ];
       }];
       handle = [{
         handler = "reverse_proxy";
-        upstreams = [{ dial = "localhost:9091"; }];
+        upstreams = [{
+          dial = "localhost:${
+              builtins.toString config.services.transmission.settings.rpc-port
+            }";
+        }];
       }];
     }];
 
@@ -79,14 +80,6 @@
       '';
     };
 
-    # Create credentials file for transmission
-    secrets.transmission = {
-      source = ../../../private/transmission.json.age;
-      dest = "${config.secretsDirectory}/transmission.json";
-      owner = "transmission";
-      group = "transmission";
-    };
-
   };
 
 }

modules/nixos/system/auto-upgrade.nix

@@ -1,19 +1,19 @@
 { config, pkgs, lib, ... }: {
 
   # This setting only applies to NixOS, different on Darwin
-  nix.gc.dates = "03:03"; # Run every morning (but before upgrade)
+  nix.gc.dates = "09:03"; # Run every morning (but before upgrade)
 
   # Update the system daily by pointing it at the flake repository
   system.autoUpgrade = {
     enable = config.server; # Only auto upgrade servers
-    dates = "03:33";
+    dates = "09:33";
     flake = "git+${config.dotfilesRepo}";
     randomizedDelaySec = "25min";
     operation = "switch";
     allowReboot = true;
     rebootWindow = {
-      lower = "00:01";
-      upper = "06:00";
+      lower = "09:01";
+      upper = "11:00";
     };
   };