9 files changed, 155 insertions, 4 deletions
diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix
index 815cf41a..48ec08c3 100644
--- a/hosts/surtr/default.nix
+++ b/hosts/surtr/default.nix
@@ -8,7 +8,7 @@ with lib;
    ./zfs.nix ./dns ./tls ./http ./bifrost ./matrix ./postgresql
    ./prometheus ./email ./vpn ./borg.nix ./etebase ./immich.nix
    ./paperless.nix ./hledger.nix ./audiobookshelf.nix ./kimai.nix
-    ./changedetection-io.nix
+    ./changedetection-io.nix ./vikunja.nix
  ];
  config = {
diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix
index 96599901..14d6efd6 100644
--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -157,7 +157,7 @@ in {
        ${concatMapStringsSep "\n" mkZone [
          { domain = "yggdrasil.li";
            addACLs = { "yggdrasil.li" = ["ymir_acme_acl"]; };
-            acmeDomains = ["surtr.yggdrasil.li" "yggdrasil.li" "etesync.yggdrasil.li" "immich.yggdrasil.li" "app.etesync.yggdrasil.li" "paperless.yggdrasil.li" "hledger.yggdrasil.li" "audiobookshelf.yggdrasil.li" "kimai.yggdrasil.li" "changedetection.yggdrasil.li"];
+            acmeDomains = ["surtr.yggdrasil.li" "yggdrasil.li" "etesync.yggdrasil.li" "immich.yggdrasil.li" "app.etesync.yggdrasil.li" "paperless.yggdrasil.li" "hledger.yggdrasil.li" "audiobookshelf.yggdrasil.li" "kimai.yggdrasil.li" "changedetection.yggdrasil.li" "vikunja.yggdrasil.li"];
          }
          { domain = "nights.email";
            addACLs = { "nights.email" = ["ymir_acme_acl"]; };
diff --git a/hosts/surtr/dns/keys/vikunja.yggdrasil.li_acme b/hosts/surtr/dns/keys/vikunja.yggdrasil.li_acme
new file mode 100644
index 00000000..69956047
--- /dev/null
+++ b/hosts/surtr/dns/keys/vikunja.yggdrasil.li_acme
@@ -0,0 +1,18 @@
+{
+        "data": "ENC[AES256_GCM,data:dchG/V5uJVuj1P35Zj9YHwAEqwHeiqGS9zPt+M9V9E3uelugJN2rTe/pnnUzw6piIsdfwmJA4qaNddGbw6Tx9bQbuJxm9wbAm+M+lYokQ1fonQIlm+tZ1dEeBQO00lXidIxbdMcAaKDyGvceexoYOMwg1UYCBl+osu5bCFjxrekYARITec2mPAU2wjjkJ91rsFvp5dvngGfwSu1Yks3ZhdbIUeJx85FjRsi0Wn5m91R8MYE8GFf5OdAbTolsW9TpHbjpVCzuLVXVqaX3Y5PR+OkSND+gta8B,iv:QjRPkiQ1vGNumjBS9r9KIxUWzapsDG8qU7RzUnd9msI=,tag:8y26IM2TJfFl6Nh4mIqLtQ==,type:str]",
+        "sops": {
+                "age": [
+                        {
+                                "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQbmp1MmRtemNNQmtZSGN0\nZXhURWNYbkg0QS9iL1B5cndQdGthdVJPTFhzCjZ6M2JQWWhFNFFWYkIvOUY4WmUx\nblo5QkF5SldlWGhnTnQxdzBpM1Nad1UKLS0tIEE4Q3dEV081UlA4N3RMZ0szUHcv\nUm1qN09wYndHNCtFR2NWUVZWUnNRTlUKM8wfNY8Vq6Jn3Yc9n5qpYOqrHyATF0F3\nq2ZpnuDJpyUamfCTeJX2jBmTlYAw90ykmhY1IRqyW52sEY+D376pKw==\n-----END AGE ENCRYPTED FILE-----\n"
+                        },
+                        {
+                                "recipient": "age19a7j77w267z04zls7m28a8hj4a0g5af6ltye2d5wypg33c3l89csd4r9zq",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhY3hDZEZ2OTg5SkxoeTVk\nbjU1amlTZndxeStxZnVnTWxHOXpqUUhpREE4CitZdVNYcGIyMFo2RTVSUzVobmZX\ncmJDSzRSTWxaME1Qb05WZWM4eHV4Z0kKLS0tIGtMM3FhdkxqTzdFYUVkNHZ3cERt\nV21pcndweHZ5cnNkako5NkJiQ3dFZWMKY3LgLjExrq+nrirJ9PRjkPVJ1YyUjB4y\nfsz/1TPciefIWoqeCsRp+iWWwyb88Dpuv4qTqgrzncHOpw2gEmNurw==\n-----END AGE ENCRYPTED FILE-----\n"
+                        }
+                ],
+                "lastmodified": "2026-01-01T14:25:23Z",
+                "mac": "ENC[AES256_GCM,data:4ohI9Bb16Si871wcBYfINkKDhpQs6AOE8KWlmCoKsGK1pawyKNdeXTfeB/171eT/6XRklLY3e9lTobuh2sYvVDhSzrzqlDfo4Rhq/M3/fsgvyRJItKeTrfnD4LxSX4D+H7N5t9gP1Tjt1cdEDL6GgzbIksMnpdL9K1f6vgludcI=,iv:a3v5bWHhXD5XV2Hwe3AJB5YG/8mznn/ukZOHbJO5AW8=,tag:7vYNT9omLnnyxwVUYVBfSA==,type:str]",
+                "version": "3.11.0"
+        }
+}
diff --git a/hosts/surtr/dns/zones/li.yggdrasil.soa b/hosts/surtr/dns/zones/li.yggdrasil.soa
index 5234576f..69479895 100644
--- a/hosts/surtr/dns/zones/li.yggdrasil.soa
+++ b/hosts/surtr/dns/zones/li.yggdrasil.soa
@@ -1,7 +1,7 @@
 $ORIGIN yggdrasil.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-  2025120800 ; serial
+  2026010100 ; serial
  10800      ; refresh
  3600       ; retry
  604800     ; expire
@@ -117,6 +117,14 @@ _acme-challenge.changedetection	IN	NS	ns.yggdrasil.li.
 changedetection                 IN      HTTPS   1 . alpn="h2,h3" ipv4hint="202.61.241.61" ipv6hint="2a03:4000:52:ada::"
+vikunja                 IN      A       202.61.241.61
+vikunja                 IN      AAAA    2a03:4000:52:ada::
+vikunja                 IN      MX      0 surtr.yggdrasil.li
+vikunja                 IN      TXT     "v=spf1 redirect=surtr.yggdrasil.li"
+_acme-challenge.vikunja IN      NS      ns.yggdrasil.li.
+vikunja                 IN      HTTPS   1 . alpn="h2,h3" ipv4hint="202.61.241.61" ipv6hint="2a03:4000:52:ada::"
 vidhar                  IN      AAAA    2a03:4000:52:ada:4:1::
 vidhar                  IN      MX      0 ymir.yggdrasil.li
 vidhar                  IN      TXT     "v=spf1 redirect=yggdrasil.li"
diff --git a/hosts/surtr/tls/tsig_keys/vikunja.yggdrasil.li b/hosts/surtr/tls/tsig_keys/vikunja.yggdrasil.li
new file mode 100644
index 00000000..d5c19c2d
--- /dev/null
+++ b/hosts/surtr/tls/tsig_keys/vikunja.yggdrasil.li
@@ -0,0 +1,18 @@
+{
+        "data": "ENC[AES256_GCM,data:XfGp8x7wPhGf/Imo3m7/38mo5GD8zUODXEt1YZCVwWYDb6usiPMpGlNDTLzH,iv:mD0j48MKuU30h7llO575vKROOrojJzoA4Md9I6MR4Gg=,tag:h9EAJfViKUg3YQvU1I/ICQ==,type:str]",
+        "sops": {
+                "age": [
+                        {
+                                "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZbHU3bDlwSS9VcnJNTzd6\ndFZyaC9CS2hQeWVSYVlDTzJLSlEvcEdJQlRFCmNoRzJpcUdycmx4T3dpREoxZTRL\neisxSGhlOXpUd0V2ZWgxdHc4empoRHcKLS0tIHhPNFFBUjNiaUMxWUx4NXNWeVNl\neHVib1Qwb2wyTWk3ZEtJQlNweHVhOUkK2kT2nmv9vwWGsMjW1RfLywGF/0yjLaNt\nb5M/v9jzYtV6S0PB1jegc4QxkGEKH4AxGsc/mqt6cXTG0em6hIIVDA==\n-----END AGE ENCRYPTED FILE-----\n"
+                        },
+                        {
+                                "recipient": "age19a7j77w267z04zls7m28a8hj4a0g5af6ltye2d5wypg33c3l89csd4r9zq",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSejM4cDZHTEtMdW5keUtk\naVV6Um4yOGd2anp0djduZ1pPMHg4bmNWTTBRCjZ2VE52Ym1YcDVNSEdPRUw5TFA3\nQnIwVjNwMzdUQWtjVUxndWozV2lnWUkKLS0tIGJSTTlEeE1sUysxUmVHVnNSaWRT\nRjJpOXFoUDgvMGxpaGNlV1ZVV0QvK3cKGDVfAudB5v201FOWFaTfCdT+io85Q14P\natzYgCAHbrpkicYL54gAdsgTPKfbnRU62DQlz7b2y69fU+kam4W0cw==\n-----END AGE ENCRYPTED FILE-----\n"
+                        }
+                ],
+                "lastmodified": "2026-01-01T14:25:24Z",
+                "mac": "ENC[AES256_GCM,data:A/1ZIUhKxSZBiivvbuDykcZ5DaUzq7FBD74mkP0ZECev0oBrziYtTgqA4MBgukV/hSQohDl8rzxReiQ7vxUotr6UocnF4x43guhABBayWh9Sp9n5T4yMIYYAemEQ67jYbTdRbgm4xQ+jSofSDRNFILBpdxDbCITRWBbIXh92iIo=,iv:Y4wZAd0+rc3c4eTnNz1QMJGQN1c0FQEx4/CB3t5sEeY=,tag:ha91ZLhWBDDHSubXXDos3A==,type:str]",
+                "version": "3.11.0"
+        }
+}
diff --git a/hosts/surtr/vikunja.nix b/hosts/surtr/vikunja.nix
new file mode 100644
index 00000000..50d8c00e
--- /dev/null
+++ b/hosts/surtr/vikunja.nix
@@ -0,0 +1,66 @@
+{ config, ... }:
+{
+  config = {
+    security.acme.rfc2136Domains = {
+      "vikunja.yggdrasil.li" = {
+        restartUnits = ["nginx.service"];
+      };
+    };
+    services.nginx = {
+      upstreams."vikunja" = {
+        servers = {
+          "[2a03:4000:52:ada:4:1::]:3456" = {};
+        };
+        extraConfig = ''
+          keepalive 8;
+        '';
+      };
+      virtualHosts = {
+        "vikunja.yggdrasil.li" = {
+          kTLS = true;
+          http3 = true;
+          forceSSL = true;
+          sslCertificate = "/run/credentials/nginx.service/vikunja.yggdrasil.li.pem";
+          sslCertificateKey = "/run/credentials/nginx.service/vikunja.yggdrasil.li.key.pem";
+          sslTrustedCertificate = "/run/credentials/nginx.service/vikunja.yggdrasil.li.chain.pem";
+          extraConfig = ''
+            charset utf-8;
+          '';
+          locations = {
+            "/".extraConfig = ''
+              proxy_pass http://vikunja;
+              proxy_http_version 1.1;
+              proxy_set_header Upgrade $http_upgrade;
+              proxy_set_header Connection "upgrade";
+              proxy_redirect off;
+              proxy_set_header Host $host;
+              proxy_set_header X-Real-IP $remote_addr;
+              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+              proxy_set_header X-Forwarded-Host $server_name;
+              proxy_set_header X-Forwarded-Proto $scheme;
+              client_max_body_size 0;
+              proxy_request_buffering off;
+              proxy_buffering off;
+            '';
+          };
+        };
+      };
+    };
+    systemd.services.nginx = {
+      serviceConfig = {
+        LoadCredential = [
+          "vikunja.yggdrasil.li.key.pem:${config.security.acme.certs."vikunja.yggdrasil.li".directory}/key.pem"
+          "vikunja.yggdrasil.li.pem:${config.security.acme.certs."vikunja.yggdrasil.li".directory}/fullchain.pem"
+          "vikunja.yggdrasil.li.chain.pem:${config.security.acme.certs."vikunja.yggdrasil.li".directory}/chain.pem"
+        ];
+      };
+    };
+  };
+}
diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix
index c54d57cd..b799ee5f 100644
--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -4,7 +4,7 @@ with lib;
 {
  imports = with flake.nixosModules.systemProfiles; [
-    ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest ./postgresql.nix ./immich.nix ./paperless ./hledger ./audiobookshelf ./kimai ./changedetection-io
+    ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest ./postgresql.nix ./immich.nix ./paperless ./hledger ./audiobookshelf ./kimai ./changedetection-io ./vikunja
    tmpfs-root zfs
    initrd-all-crypto-modules default-locale openssh rebuild-machines
    build-server
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 44b6b7a9..5df73e2f 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -99,6 +99,7 @@ table inet filter {
  counter audiobookshelf-rx {}
  counter kimai-rx {}
  counter changedetection-rx {}
+  counter vikunja-rx {}
  counter established-rx {}
@@ -133,6 +134,7 @@ table inet filter {
  counter audiobookshelf-tx {}
  counter kimai-tx {}
  counter changedetection-tx {}
+  counter vikunja-tx {}
  counter tx {}
@@ -220,6 +222,7 @@ table inet filter {
    iifname bifrost tcp dport 5000 ip6 saddr $bifrost_surtr counter name hledger-rx accept
    iifname bifrost tcp dport 28982 ip6 saddr $bifrost_surtr counter name audiobookshelf-rx accept
    iifname bifrost tcp dport 5001 ip6 saddr $bifrost_surtr counter name changedetection-rx accept
+    iifname bifrost tcp dport 3456 ip6 saddr $bifrost_surtr counter name vikunja-rx accept
    ct state { established, related } counter name established-rx accept
@@ -273,6 +276,7 @@ table inet filter {
    iifname bifrost tcp sport 5000 ip6 daddr $bifrost_surtr counter name hledger-tx accept
    iifname bifrost tcp sport 28982 ip6 daddr $bifrost_surtr counter name audiobookshelf-tx accept
    iifname bifrost tcp sport 5001 ip6 daddr $bifrost_surtr counter name changedetection-tx accept
+    iifname bifrost tcp sport 3456 ip6 daddr $bifrost_surtr counter name vikunja-tx accept
    counter name tx
diff --git a/hosts/vidhar/vikunja/default.nix b/hosts/vidhar/vikunja/default.nix
new file mode 100644
index 00000000..a53f7f18
--- /dev/null
+++ b/hosts/vidhar/vikunja/default.nix
@@ -0,0 +1,37 @@
+{ lib, ... }:
+{
+  config = {
+    services.vikunja = {
+      enable = true;
+      frontendScheme = "https";
+      frontendHostname = "vikunja.yggdrasil.li";
+      settings = {
+        service.interface = lib.mkForce "[2a03:4000:52:ada:4:1::]:3456";
+        service.enableregistration = false;
+      };
+      database = {
+        host = "/run/postgresql";
+        type = "postgres";
+      };
+    };
+    services.postgresql = {
+      ensureDatabases = [ "vikunja" ];
+      ensureUsers = [
+        {
+          name = "vikunja";
+          ensureDBOwnership = true;
+          ensureClauses.login = true;
+        }
+      ];
+    };
+    systemd.services.vikunja = {
+      serviceConfig = {
+        User = "vikunja";
+        Group = "vikunja";
+      };
+    };
+  };
+}

diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix index 815cf41a..48ec08c3 100644 --- a/hosts/surtr/default.nix +++ b/hosts/surtr/default.nix
@@ -8,7 +8,7 @@ with lib;
8	./zfs.nix ./dns ./tls ./http ./bifrost ./matrix ./postgresql	8	./zfs.nix ./dns ./tls ./http ./bifrost ./matrix ./postgresql
9	./prometheus ./email ./vpn ./borg.nix ./etebase ./immich.nix	9	./prometheus ./email ./vpn ./borg.nix ./etebase ./immich.nix
10	./paperless.nix ./hledger.nix ./audiobookshelf.nix ./kimai.nix	10	./paperless.nix ./hledger.nix ./audiobookshelf.nix ./kimai.nix
11	./changedetection-io.nix	11	./changedetection-io.nix ./vikunja.nix
12	];	12	];
13		13
14	config = {	14	config = {


diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix index 96599901..14d6efd6 100644 --- a/hosts/surtr/dns/default.nix +++ b/hosts/surtr/dns/default.nix
@@ -157,7 +157,7 @@ in {
157	${concatMapStringsSep "\n" mkZone [	157	${concatMapStringsSep "\n" mkZone [
158	{ domain = "yggdrasil.li";	158	{ domain = "yggdrasil.li";
159	addACLs = { "yggdrasil.li" = ["ymir_acme_acl"]; };	159	addACLs = { "yggdrasil.li" = ["ymir_acme_acl"]; };
160	acmeDomains = ["surtr.yggdrasil.li" "yggdrasil.li" "etesync.yggdrasil.li" "immich.yggdrasil.li" "app.etesync.yggdrasil.li" "paperless.yggdrasil.li" "hledger.yggdrasil.li" "audiobookshelf.yggdrasil.li" "kimai.yggdrasil.li" "changedetection.yggdrasil.li"];	160	acmeDomains = ["surtr.yggdrasil.li" "yggdrasil.li" "etesync.yggdrasil.li" "immich.yggdrasil.li" "app.etesync.yggdrasil.li" "paperless.yggdrasil.li" "hledger.yggdrasil.li" "audiobookshelf.yggdrasil.li" "kimai.yggdrasil.li" "changedetection.yggdrasil.li" "vikunja.yggdrasil.li"];
161	}	161	}
162	{ domain = "nights.email";	162	{ domain = "nights.email";
163	addACLs = { "nights.email" = ["ymir_acme_acl"]; };	163	addACLs = { "nights.email" = ["ymir_acme_acl"]; };


diff --git a/hosts/surtr/dns/keys/vikunja.yggdrasil.li_acme b/hosts/surtr/dns/keys/vikunja.yggdrasil.li_acme new file mode 100644 index 00000000..69956047 --- /dev/null +++ b/hosts/surtr/dns/keys/vikunja.yggdrasil.li_acme
@@ -0,0 +1,18 @@
		1	{
		2	"data": "ENC[AES256_GCM,data:dchG/V5uJVuj1P35Zj9YHwAEqwHeiqGS9zPt+M9V9E3uelugJN2rTe/pnnUzw6piIsdfwmJA4qaNddGbw6Tx9bQbuJxm9wbAm+M+lYokQ1fonQIlm+tZ1dEeBQO00lXidIxbdMcAaKDyGvceexoYOMwg1UYCBl+osu5bCFjxrekYARITec2mPAU2wjjkJ91rsFvp5dvngGfwSu1Yks3ZhdbIUeJx85FjRsi0Wn5m91R8MYE8GFf5OdAbTolsW9TpHbjpVCzuLVXVqaX3Y5PR+OkSND+gta8B,iv:QjRPkiQ1vGNumjBS9r9KIxUWzapsDG8qU7RzUnd9msI=,tag:8y26IM2TJfFl6Nh4mIqLtQ==,type:str]",
		3	"sops": {
		4	"age": [
		5	{
		6	"recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
		7	"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQbmp1MmRtemNNQmtZSGN0\nZXhURWNYbkg0QS9iL1B5cndQdGthdVJPTFhzCjZ6M2JQWWhFNFFWYkIvOUY4WmUx\nblo5QkF5SldlWGhnTnQxdzBpM1Nad1UKLS0tIEE4Q3dEV081UlA4N3RMZ0szUHcv\nUm1qN09wYndHNCtFR2NWUVZWUnNRTlUKM8wfNY8Vq6Jn3Yc9n5qpYOqrHyATF0F3\nq2ZpnuDJpyUamfCTeJX2jBmTlYAw90ykmhY1IRqyW52sEY+D376pKw==\n-----END AGE ENCRYPTED FILE-----\n"
		8	},
		9	{
		10	"recipient": "age19a7j77w267z04zls7m28a8hj4a0g5af6ltye2d5wypg33c3l89csd4r9zq",
		11	"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhY3hDZEZ2OTg5SkxoeTVk\nbjU1amlTZndxeStxZnVnTWxHOXpqUUhpREE4CitZdVNYcGIyMFo2RTVSUzVobmZX\ncmJDSzRSTWxaME1Qb05WZWM4eHV4Z0kKLS0tIGtMM3FhdkxqTzdFYUVkNHZ3cERt\nV21pcndweHZ5cnNkako5NkJiQ3dFZWMKY3LgLjExrq+nrirJ9PRjkPVJ1YyUjB4y\nfsz/1TPciefIWoqeCsRp+iWWwyb88Dpuv4qTqgrzncHOpw2gEmNurw==\n-----END AGE ENCRYPTED FILE-----\n"
		12	}
		13	],
		14	"lastmodified": "2026-01-01T14:25:23Z",
		15	"mac": "ENC[AES256_GCM,data:4ohI9Bb16Si871wcBYfINkKDhpQs6AOE8KWlmCoKsGK1pawyKNdeXTfeB/171eT/6XRklLY3e9lTobuh2sYvVDhSzrzqlDfo4Rhq/M3/fsgvyRJItKeTrfnD4LxSX4D+H7N5t9gP1Tjt1cdEDL6GgzbIksMnpdL9K1f6vgludcI=,iv:a3v5bWHhXD5XV2Hwe3AJB5YG/8mznn/ukZOHbJO5AW8=,tag:7vYNT9omLnnyxwVUYVBfSA==,type:str]",
		16	"version": "3.11.0"
		17	}
		18	}


diff --git a/hosts/surtr/dns/zones/li.yggdrasil.soa b/hosts/surtr/dns/zones/li.yggdrasil.soa index 5234576f..69479895 100644 --- a/hosts/surtr/dns/zones/li.yggdrasil.soa +++ b/hosts/surtr/dns/zones/li.yggdrasil.soa
@@ -1,7 +1,7 @@
1	$ORIGIN yggdrasil.li.	1	$ORIGIN yggdrasil.li.
2	$TTL 3600	2	$TTL 3600
3	@ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (	3	@ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
4	2025120800 ; serial	4	2026010100 ; serial
5	10800 ; refresh	5	10800 ; refresh
6	3600 ; retry	6	3600 ; retry
7	604800 ; expire	7	604800 ; expire
@@ -117,6 +117,14 @@ _acme-challenge.changedetection IN NS ns.yggdrasil.li.
117		117
118	changedetection IN HTTPS 1 . alpn="h2,h3" ipv4hint="202.61.241.61" ipv6hint="2a03:4000:52:ada::"	118	changedetection IN HTTPS 1 . alpn="h2,h3" ipv4hint="202.61.241.61" ipv6hint="2a03:4000:52:ada::"
119		119
		120	vikunja IN A 202.61.241.61
		121	vikunja IN AAAA 2a03:4000:52:ada::
		122	vikunja IN MX 0 surtr.yggdrasil.li
		123	vikunja IN TXT "v=spf1 redirect=surtr.yggdrasil.li"
		124	_acme-challenge.vikunja IN NS ns.yggdrasil.li.
		125
		126	vikunja IN HTTPS 1 . alpn="h2,h3" ipv4hint="202.61.241.61" ipv6hint="2a03:4000:52:ada::"
		127
120	vidhar IN AAAA 2a03:4000:52:ada:4:1::	128	vidhar IN AAAA 2a03:4000:52:ada:4:1::
121	vidhar IN MX 0 ymir.yggdrasil.li	129	vidhar IN MX 0 ymir.yggdrasil.li
122	vidhar IN TXT "v=spf1 redirect=yggdrasil.li"	130	vidhar IN TXT "v=spf1 redirect=yggdrasil.li"


diff --git a/hosts/surtr/tls/tsig_keys/vikunja.yggdrasil.li b/hosts/surtr/tls/tsig_keys/vikunja.yggdrasil.li new file mode 100644 index 00000000..d5c19c2d --- /dev/null +++ b/hosts/surtr/tls/tsig_keys/vikunja.yggdrasil.li
@@ -0,0 +1,18 @@
		1	{
		2	"data": "ENC[AES256_GCM,data:XfGp8x7wPhGf/Imo3m7/38mo5GD8zUODXEt1YZCVwWYDb6usiPMpGlNDTLzH,iv:mD0j48MKuU30h7llO575vKROOrojJzoA4Md9I6MR4Gg=,tag:h9EAJfViKUg3YQvU1I/ICQ==,type:str]",
		3	"sops": {
		4	"age": [
		5	{
		6	"recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
		7	"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZbHU3bDlwSS9VcnJNTzd6\ndFZyaC9CS2hQeWVSYVlDTzJLSlEvcEdJQlRFCmNoRzJpcUdycmx4T3dpREoxZTRL\neisxSGhlOXpUd0V2ZWgxdHc4empoRHcKLS0tIHhPNFFBUjNiaUMxWUx4NXNWeVNl\neHVib1Qwb2wyTWk3ZEtJQlNweHVhOUkK2kT2nmv9vwWGsMjW1RfLywGF/0yjLaNt\nb5M/v9jzYtV6S0PB1jegc4QxkGEKH4AxGsc/mqt6cXTG0em6hIIVDA==\n-----END AGE ENCRYPTED FILE-----\n"
		8	},
		9	{
		10	"recipient": "age19a7j77w267z04zls7m28a8hj4a0g5af6ltye2d5wypg33c3l89csd4r9zq",
		11	"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSejM4cDZHTEtMdW5keUtk\naVV6Um4yOGd2anp0djduZ1pPMHg4bmNWTTBRCjZ2VE52Ym1YcDVNSEdPRUw5TFA3\nQnIwVjNwMzdUQWtjVUxndWozV2lnWUkKLS0tIGJSTTlEeE1sUysxUmVHVnNSaWRT\nRjJpOXFoUDgvMGxpaGNlV1ZVV0QvK3cKGDVfAudB5v201FOWFaTfCdT+io85Q14P\natzYgCAHbrpkicYL54gAdsgTPKfbnRU62DQlz7b2y69fU+kam4W0cw==\n-----END AGE ENCRYPTED FILE-----\n"
		12	}
		13	],
		14	"lastmodified": "2026-01-01T14:25:24Z",
		15	"mac": "ENC[AES256_GCM,data:A/1ZIUhKxSZBiivvbuDykcZ5DaUzq7FBD74mkP0ZECev0oBrziYtTgqA4MBgukV/hSQohDl8rzxReiQ7vxUotr6UocnF4x43guhABBayWh9Sp9n5T4yMIYYAemEQ67jYbTdRbgm4xQ+jSofSDRNFILBpdxDbCITRWBbIXh92iIo=,iv:Y4wZAd0+rc3c4eTnNz1QMJGQN1c0FQEx4/CB3t5sEeY=,tag:ha91ZLhWBDDHSubXXDos3A==,type:str]",
		16	"version": "3.11.0"
		17	}
		18	}


diff --git a/hosts/surtr/vikunja.nix b/hosts/surtr/vikunja.nix new file mode 100644 index 00000000..50d8c00e --- /dev/null +++ b/hosts/surtr/vikunja.nix
@@ -0,0 +1,66 @@
		1	{ config, ... }:
		2
		3	{
		4	config = {
		5	security.acme.rfc2136Domains = {
		6	"vikunja.yggdrasil.li" = {
		7	restartUnits = ["nginx.service"];
		8	};
		9	};
		10
		11	services.nginx = {
		12	upstreams."vikunja" = {
		13	servers = {
		14	"[2a03:4000:52:ada:4:1::]:3456" = {};
		15	};
		16	extraConfig = ''
		17	keepalive 8;
		18	'';
		19	};
		20	virtualHosts = {
		21	"vikunja.yggdrasil.li" = {
		22	kTLS = true;
		23	http3 = true;
		24	forceSSL = true;
		25	sslCertificate = "/run/credentials/nginx.service/vikunja.yggdrasil.li.pem";
		26	sslCertificateKey = "/run/credentials/nginx.service/vikunja.yggdrasil.li.key.pem";
		27	sslTrustedCertificate = "/run/credentials/nginx.service/vikunja.yggdrasil.li.chain.pem";
		28	extraConfig = ''
		29	charset utf-8;
		30	'';
		31
		32	locations = {
		33	"/".extraConfig = ''
		34	proxy_pass http://vikunja;
		35
		36	proxy_http_version 1.1;
		37	proxy_set_header Upgrade $http_upgrade;
		38	proxy_set_header Connection "upgrade";
		39
		40	proxy_redirect off;
		41	proxy_set_header Host $host;
		42	proxy_set_header X-Real-IP $remote_addr;
		43	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		44	proxy_set_header X-Forwarded-Host $server_name;
		45	proxy_set_header X-Forwarded-Proto $scheme;
		46
		47	client_max_body_size 0;
		48	proxy_request_buffering off;
		49	proxy_buffering off;
		50	'';
		51	};
		52	};
		53	};
		54	};
		55
		56	systemd.services.nginx = {
		57	serviceConfig = {
		58	LoadCredential = [
		59	"vikunja.yggdrasil.li.key.pem:${config.security.acme.certs."vikunja.yggdrasil.li".directory}/key.pem"
		60	"vikunja.yggdrasil.li.pem:${config.security.acme.certs."vikunja.yggdrasil.li".directory}/fullchain.pem"
		61	"vikunja.yggdrasil.li.chain.pem:${config.security.acme.certs."vikunja.yggdrasil.li".directory}/chain.pem"
		62	];
		63	};
		64	};
		65	};
		66	}


diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix index c54d57cd..b799ee5f 100644 --- a/hosts/vidhar/default.nix +++ b/hosts/vidhar/default.nix
@@ -4,7 +4,7 @@ with lib;
4		4
5	{	5	{
6	imports = with flake.nixosModules.systemProfiles; [	6	imports = with flake.nixosModules.systemProfiles; [
7	./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest ./postgresql.nix ./immich.nix ./paperless ./hledger ./audiobookshelf ./kimai ./changedetection-io	7	./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest ./postgresql.nix ./immich.nix ./paperless ./hledger ./audiobookshelf ./kimai ./changedetection-io ./vikunja
8	tmpfs-root zfs	8	tmpfs-root zfs
9	initrd-all-crypto-modules default-locale openssh rebuild-machines	9	initrd-all-crypto-modules default-locale openssh rebuild-machines
10	build-server	10	build-server


diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft index 44b6b7a9..5df73e2f 100644 --- a/hosts/vidhar/network/ruleset.nft +++ b/hosts/vidhar/network/ruleset.nft
@@ -99,6 +99,7 @@ table inet filter {
99	counter audiobookshelf-rx {}	99	counter audiobookshelf-rx {}
100	counter kimai-rx {}	100	counter kimai-rx {}
101	counter changedetection-rx {}	101	counter changedetection-rx {}
		102	counter vikunja-rx {}
102		103
103	counter established-rx {}	104	counter established-rx {}
104		105
@@ -133,6 +134,7 @@ table inet filter {
133	counter audiobookshelf-tx {}	134	counter audiobookshelf-tx {}
134	counter kimai-tx {}	135	counter kimai-tx {}
135	counter changedetection-tx {}	136	counter changedetection-tx {}
		137	counter vikunja-tx {}
136		138
137	counter tx {}	139	counter tx {}
138		140
@@ -220,6 +222,7 @@ table inet filter {
220	iifname bifrost tcp dport 5000 ip6 saddr $bifrost_surtr counter name hledger-rx accept	222	iifname bifrost tcp dport 5000 ip6 saddr $bifrost_surtr counter name hledger-rx accept
221	iifname bifrost tcp dport 28982 ip6 saddr $bifrost_surtr counter name audiobookshelf-rx accept	223	iifname bifrost tcp dport 28982 ip6 saddr $bifrost_surtr counter name audiobookshelf-rx accept
222	iifname bifrost tcp dport 5001 ip6 saddr $bifrost_surtr counter name changedetection-rx accept	224	iifname bifrost tcp dport 5001 ip6 saddr $bifrost_surtr counter name changedetection-rx accept
		225	iifname bifrost tcp dport 3456 ip6 saddr $bifrost_surtr counter name vikunja-rx accept
223		226
224	ct state { established, related } counter name established-rx accept	227	ct state { established, related } counter name established-rx accept
225		228
@@ -273,6 +276,7 @@ table inet filter {
273	iifname bifrost tcp sport 5000 ip6 daddr $bifrost_surtr counter name hledger-tx accept	276	iifname bifrost tcp sport 5000 ip6 daddr $bifrost_surtr counter name hledger-tx accept
274	iifname bifrost tcp sport 28982 ip6 daddr $bifrost_surtr counter name audiobookshelf-tx accept	277	iifname bifrost tcp sport 28982 ip6 daddr $bifrost_surtr counter name audiobookshelf-tx accept
275	iifname bifrost tcp sport 5001 ip6 daddr $bifrost_surtr counter name changedetection-tx accept	278	iifname bifrost tcp sport 5001 ip6 daddr $bifrost_surtr counter name changedetection-tx accept
		279	iifname bifrost tcp sport 3456 ip6 daddr $bifrost_surtr counter name vikunja-tx accept
276		280
277		281
278	counter name tx	282	counter name tx


diff --git a/hosts/vidhar/vikunja/default.nix b/hosts/vidhar/vikunja/default.nix new file mode 100644 index 00000000..a53f7f18 --- /dev/null +++ b/hosts/vidhar/vikunja/default.nix
@@ -0,0 +1,37 @@
		1	{ lib, ... }:
		2
		3	{
		4	config = {
		5	services.vikunja = {
		6	enable = true;
		7	frontendScheme = "https";
		8	frontendHostname = "vikunja.yggdrasil.li";
		9	settings = {
		10	service.interface = lib.mkForce "[2a03:4000:52:ada:4:1::]:3456";
		11	service.enableregistration = false;
		12	};
		13	database = {
		14	host = "/run/postgresql";
		15	type = "postgres";
		16	};
		17	};
		18
		19	services.postgresql = {
		20	ensureDatabases = [ "vikunja" ];
		21	ensureUsers = [
		22	{
		23	name = "vikunja";
		24	ensureDBOwnership = true;
		25	ensureClauses.login = true;
		26	}
		27	];
		28	};
		29
		30	systemd.services.vikunja = {
		31	serviceConfig = {
		32	User = "vikunja";
		33	Group = "vikunja";
		34	};
		35	};
		36	};
		37	}