feat[server]: add home proxy

2026-04-14 21:29:12 +02:00 · 2026-01-04 17:45:53 +01:00 · 2026-01-04 17:45:53 +01:00 · c1c7431891
commit c1c7431891
parent 75891c3103
84 changed files with 2961 additions and 1601 deletions
--- a/modules/nixos/common/impermanence.nix
+++ b/modules/nixos/common/impermanence.nix
@ -1,7 +1,7 @@
 { config, lib, ... }:
 let
  mapperTarget = lib.swarselsystems.mkIfElse config.swarselsystems.isCrypted "/dev/mapper/cryptroot" "/dev/disk/by-label/nixos";
-  inherit (config.swarselsystems) isImpermanence isCrypted;
+  inherit (config.swarselsystems) isImpermanence isCrypted isBtrfs;
 in
 {
  options.swarselmodules.impermanence = lib.mkEnableOption "impermanence config";
@ -17,7 +17,7 @@ in
    # So if it doesn't run, the btrfs system effectively acts like a normal system
    # Taken from https://github.com/NotAShelf/nyx/blob/2a8273ed3f11a4b4ca027a68405d9eb35eba567b/modules/core/common/system/impermanence/default.nix
    boot.tmp.useTmpfs = lib.mkIf (!isImpermanence) true;
-    boot.initrd.systemd = lib.mkIf isImpermanence {
+    boot.initrd.systemd = lib.mkIf (isImpermanence && isBtrfs) {
      enable = true;
      services.rollback = {
        description = "Rollback BTRFS root subvolume to a pristine state";
--- a/modules/nixos/common/nodes.nix
+++ b/modules/nixos/common/nodes.nix
@ -33,6 +33,7 @@ let
    (splitPath "services.kanidm.provision.systems.oauth2")
    (splitPath "sops.secrets")
    (splitPath "swarselsystems.server.dns")
+    (splitPath "topology.self.services")
  ]
  ++ expandOptions (splitPath "networking.nftables.firewall") [ "zones" "rules" ]
  ++ expandOptions (splitPath "services.firezone.gateway") [ "enable" "name" "apiUrl" "tokenFile" "package" "logLevel" ]