diff --git a/hosts/companion/companion.nix b/hosts/companion/companion.nix
new file mode 100644
index 00000000..ca873721
--- /dev/null
+++ b/hosts/companion/companion.nix
@@ -0,0 +1,16 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in
+{
+  imports = [
+    ./configuration.nix
+  ];
+
+  config = {
+    boot.plymouth.enable = lib.mkForce false;
+    pub-solar.nextcloud.enable = lib.mkForce false;
+  };
+}
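Review bot: The `xdg` binding in the `let` block is never used, and `psCfg` exists only to feed it, so the whole `let … in` can go; `with lib;` is also redundant because the body spells out `lib.mkForce`. hosts/cox/cox.nix is the same blob (`ca873721`), and hosts/cube/cube.nix carries `with lib; with pkgs;` plus a `psCfg` binding that nothing visible uses. A one-line comment on why `boot.plymouth` and `pub-solar.nextcloud` are forced off on these hosts would help the next reader.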
diff --git a/hosts/companion/configuration.nix b/hosts/companion/configuration.nix
new file mode 100644
index 00000000..89a5710e
--- /dev/null
+++ b/hosts/companion/configuration.nix
@@ -0,0 +1,63 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      ./hardware-configuration.nix
+      ./home-controller.nix
+    ];
+
+  boot.loader.timeout = 0;
+
+  boot.loader.generic-extlinux-compatible.enable = lib.mkForce false;
+
+  boot.loader.grub = {
+    enable = true;
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+    device = "nodev";
+  };
+
+  # Set your time zone.
+  time.timeZone = "Europe/Berlin";
+
+  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+  # Per-interface useDHCP will be mandatory in the future, so this generated config
+  # replicates the default behaviour.
+  networking.useDHCP = false;
+  networking.interfaces.eth0.useDHCP = true;
+  networking.interfaces.wlan0.useDHCP = false;
+  networking.networkmanager.enable = lib.mkForce false;
+
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+
+  nix = {
+    extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes";
+  };
+
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+  ];
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "22.11"; # Did you read the comment?
+}
+
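Review bot: This file is repeated almost line for line in hosts/cox/configuration.nix and in the new state of hosts/giggles/configuration.nix; a shared profile imported by the three hosts would keep the boot loader, DHCP and `nix.extraOptions` settings from drifting apart. `networking.useDHCP = false;` and the `eth0` DHCP setting are declared a second time in hardware-configuration.nix. With `boot.loader.timeout = 0;` the default entry boots without a menu being shown, so choosing an older generation after a bad switch needs console access; a comment such as `# headless: boot straight into the default generation` would record that this is intended.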
diff --git a/hosts/companion/default.nix b/hosts/companion/default.nix
new file mode 100644
index 00000000..8cac5356
--- /dev/null
+++ b/hosts/companion/default.nix
@@ -0,0 +1,6 @@
+{ suites, ... }:
+{
+  imports = [
+    ./companion.nix
+  ] ++ suites.companion;
+}
diff --git a/hosts/companion/hardware-configuration.nix b/hosts/companion/hardware-configuration.nix
new file mode 100644
index 00000000..1b59fa36
--- /dev/null
+++ b/hosts/companion/hardware-configuration.nix
@@ -0,0 +1,61 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+  boot.initrd.supportedFilesystems = [ "zfs" ];
+  boot.supportedFilesystems = [ "zfs" ];
+
+  boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18;
+
+  boot.initrd.luks.devices = {
+    cryptroot = {
+      device = "/dev/disk/by-uuid/3bbde916-e12a-46a7-9eea-4f5e2aef7883";
+      keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04017028021722045451-0:0-part1";
+      bypassWorkqueues = true;
+      fallbackToPassword = true;
+    };
+  };
+
+  fileSystems."/" =
+    {
+      device = "zroot/root";
+      fsType = "zfs";
+    };
+
+  fileSystems."/boot" =
+    {
+      device = "/dev/disk/by-uuid/5552-1B21";
+      fsType = "vfat";
+    };
+
+  fileSystems."/var/lib/rancher/k3s/storage" =
+    {
+      device = "zroot/kubernetes-localstorage";
+      fsType = "zfs";
+    };
+
+  swapDevices =
+    [{ device = "/dev/disk/by-uuid/0545db4a-0494-44d7-927a-4c78351c4303"; }];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = false;
+  networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
+  networking.hostId = "71f2d82a";
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+}
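Review bot: `networking.hostId = "71f2d82a";` has the same value in hosts/cox/hardware-configuration.nix and hosts/giggles/hardware-configuration.nix, but ZFS uses the host id to tell which machine last imported a pool, so it should differ per host. Give each machine its own value, `networking.hostId = "<8 hex digits unique to this host>";`. Separately, `keyFile` points at a partition of a USB stick: if that stick stays plugged in so the box can boot unattended, LUKS no longer protects the data when the whole machine is taken, which deserves a comment next to `fallbackToPassword = true;`. The `lib.mkForce pkgs.linuxPackages_5_18` pin also wants a comment saying why it is forced and when it can be lifted, since a pinned kernel series stops receiving fixes once upstream drops it.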
diff --git a/hosts/companion/home-controller.nix b/hosts/companion/home-controller.nix
new file mode 100644
index 00000000..ff7ab606
--- /dev/null
+++ b/hosts/companion/home-controller.nix
@@ -0,0 +1,55 @@
+{ self, config, pkgs, ... }:
+
+{
+  config = {
+    age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
+    age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_companion_wireguard_key.age";
+
+    pub-solar.home-controller = {
+      enable = true;
+      role = "server";
+      ownIp = "10.0.1.13";
+
+      k3s = {
+        serverAddr = "https://api.kube:6443";
+        tokenFile = "/run/agenix/home_controller_k3s_token";
+        enableLocalStorage = true;
+        enableZfs = true;
+      };
+
+      wireguard = {
+        privateKeyFile = "/run/agenix/home_controller_wireguard";
+        peers = [
+          {
+            # cube
+            publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk=";
+            allowedIPs = [ "10.0.1.5/32" ];
+            endpoint = "data.gssws.de:51899";
+            persistentKeepalive = 25;
+          }
+          {
+            # giggles
+            publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
+            allowedIPs = [ "10.0.1.11/32" ];
+            endpoint = "giggles.local:51899";
+            persistentKeepalive = 25;
+          }
+          {
+            # cox
+            publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
+            allowedIPs = [ "10.0.1.12/32" ];
+            endpoint = "cox.local:51899";
+            persistentKeepalive = 25;
+          }
+          {
+            # ringo
+            publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw=";
+            allowedIPs = [ "10.0.1.21/32" ];
+            endpoint = "ringo.local:51899";
+            persistentKeepalive = 25;
+          }
+        ];
+      };
+    };
+  };
+}
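Review bot: `tokenFile` and `privateKeyFile` repeat the agenix mount path as string literals, so renaming a secret or changing the agenix secrets directory breaks them without any evaluation error. Refer to the declared secrets instead: `tokenFile = config.age.secrets.home_controller_k3s_token.path;` and `privateKeyFile = config.age.secrets.home_controller_wireguard.path;`. The same literals appear in the home-controller.nix of cox, cube and giggles, and hosts/cube/nextcloud.nix does it for `dbpassFile` and `adminpassFile`. The peer list is also copied into every host with only the own entry left out; a single shared peer table filtered by `ownIp` would keep each public key in one place.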
diff --git a/hosts/cox/configuration.nix b/hosts/cox/configuration.nix
new file mode 100644
index 00000000..8ab92744
--- /dev/null
+++ b/hosts/cox/configuration.nix
@@ -0,0 +1,64 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      ./hardware-configuration.nix
+      ./home-controller.nix
+    ];
+
+  boot.loader.timeout = 0;
+
+  boot.loader.generic-extlinux-compatible.enable = lib.mkForce false;
+
+  boot.loader.grub = {
+    enable = true;
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+    device = "nodev";
+  };
+
+  # Set your time zone.
+  time.timeZone = "Europe/Berlin";
+
+  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+  # Per-interface useDHCP will be mandatory in the future, so this generated config
+  # replicates the default behaviour.
+  networking.useDHCP = false;
+  networking.interfaces.eth0.useDHCP = true;
+  networking.interfaces.wlan0.useDHCP = false;
+  networking.networkmanager.enable = lib.mkForce false;
+
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+
+  nix = {
+    #package = pkgs.nixFlakes;
+    extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes";
+  };
+
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+  ];
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "22.11"; # Did you read the comment?
+}
+
diff --git a/hosts/cox/cox.nix b/hosts/cox/cox.nix
new file mode 100644
index 00000000..ca873721
--- /dev/null
+++ b/hosts/cox/cox.nix
@@ -0,0 +1,16 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in
+{
+  imports = [
+    ./configuration.nix
+  ];
+
+  config = {
+    boot.plymouth.enable = lib.mkForce false;
+    pub-solar.nextcloud.enable = lib.mkForce false;
+  };
+}
diff --git a/hosts/cox/default.nix b/hosts/cox/default.nix
new file mode 100644
index 00000000..aa29e195
--- /dev/null
+++ b/hosts/cox/default.nix
@@ -0,0 +1,6 @@
+{ suites, ... }:
+{
+  imports = [
+    ./cox.nix
+  ] ++ suites.cox;
+}
diff --git a/hosts/cox/hardware-configuration.nix b/hosts/cox/hardware-configuration.nix
new file mode 100644
index 00000000..3b52c24b
--- /dev/null
+++ b/hosts/cox/hardware-configuration.nix
@@ -0,0 +1,61 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+  boot.initrd.supportedFilesystems = [ "zfs" ];
+  boot.supportedFilesystems = [ "zfs" ];
+
+  boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18;
+
+  boot.initrd.luks.devices = {
+    cryptroot = {
+      device = "/dev/disk/by-uuid/bf333b74-875f-4187-922e-4b433fb53aa2";
+      keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_03024516121421043657-0:0-part1";
+      bypassWorkqueues = true;
+      fallbackToPassword = true;
+    };
+  };
+
+  fileSystems."/" =
+    {
+      device = "zroot/root";
+      fsType = "zfs";
+    };
+
+  fileSystems."/boot" =
+    {
+      device = "/dev/disk/by-uuid/6CB3-6DB8";
+      fsType = "vfat";
+    };
+
+  fileSystems."/var/lib/rancher/k3s/storage" =
+    {
+      device = "zroot/kubernetes-localstorage";
+      fsType = "zfs";
+    };
+
+  swapDevices =
+    [{ device = "/dev/disk/by-uuid/7ef4a3f8-f4a6-42f5-a57d-21f502ed3dba"; }];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = false;
+  networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
+  networking.hostId = "71f2d82a";
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+}
diff --git a/hosts/cox/home-controller.nix b/hosts/cox/home-controller.nix
new file mode 100644
index 00000000..d017c570
--- /dev/null
+++ b/hosts/cox/home-controller.nix
@@ -0,0 +1,55 @@
+{ self, config, pkgs, ... }:
+
+{
+  config = {
+    age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
+    age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cox_wireguard_key.age";
+
+    pub-solar.home-controller = {
+      enable = true;
+      role = "server";
+      ownIp = "10.0.1.12";
+
+      k3s = {
+        serverAddr = "https://api.kube:6443";
+        tokenFile = "/run/agenix/home_controller_k3s_token";
+        enableLocalStorage = true;
+        enableZfs = true;
+      };
+
+      wireguard = {
+        privateKeyFile = "/run/agenix/home_controller_wireguard";
+        peers = [
+          {
+            # cube
+            publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk=";
+            allowedIPs = [ "10.0.1.5/32" ];
+            endpoint = "data.gssws.de:51899";
+            persistentKeepalive = 25;
+          }
+          {
+            # giggles
+            publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
+            allowedIPs = [ "10.0.1.11/32" ];
+            endpoint = "giggles.local:51899";
+            persistentKeepalive = 25;
+          }
+          {
+            # companion
+            publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
+            allowedIPs = [ "10.0.1.13/32" ];
+            endpoint = "companion.local:51899";
+            persistentKeepalive = 25;
+          }
+          {
+            # ringo
+            publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw=";
+            allowedIPs = [ "10.0.1.21/32" ];
+            endpoint = "ringo.local:51899";
+            persistentKeepalive = 25;
+          }
+        ];
+      };
+    };
+  };
+}
diff --git a/hosts/cube/acme.nix b/hosts/cube/acme.nix
new file mode 100644
index 00000000..6ed057b3
--- /dev/null
+++ b/hosts/cube/acme.nix
@@ -0,0 +1,8 @@
+{ pkgs, config, ... }:
+
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "hensoko@gssws.de";
+  };
+}
diff --git a/hosts/cube/configuration.nix b/hosts/cube/configuration.nix
new file mode 100644
index 00000000..73bc446f
--- /dev/null
+++ b/hosts/cube/configuration.nix
@@ -0,0 +1,42 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [
+      # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      ./home-controller.nix
+      ./acme.nix
+      ./home-assistant.nix
+      ./nextcloud.nix
+    ];
+
+  # Use the GRUB 2 boot loader.
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  boot.loader.grub.device = "/dev/disk/by-id/usb-HP_iLO_Internal_SD-CARD_000002660A01-0:0";
+
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+
+  time.timeZone = "Europe/Berlin";
+
+  networking = {
+    useDHCP = false;
+
+    interfaces.eno1.ipv4.addresses = [{
+      address = "80.244.242.2";
+      prefixLength = 29;
+    }];
+
+    defaultGateway = "80.244.242.1";
+    nameservers = [ "95.129.51.51" "80.244.244.244" ];
+  };
+
+  services.openssh.ports = [ 2222 ];
+
+  networking.firewall.allowedTCPPorts = [ 2222 ];
+  networking.firewall.allowedUDPPorts = [ 51899 ];
+  networking.firewall.enable = lib.mkForce true;
+
+  system.stateVersion = "21.05"; # Did you read the comment?
+}
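Review bot: `networking.firewall.allowedTCPPorts = [ 2222 ];` opens only SSH, while home-assistant.nix and nextcloud.nix imported above define nginx virtual hosts with `enableACME` and `forceSSL`; unless another module adds them, ports 80 and 443 stay closed and both the sites and the ACME HTTP challenge are unreachable. If that is not handled elsewhere, make it `networking.firewall.allowedTCPPorts = [ 80 443 2222 ];`. The interface carries a publicly routable address and moving sshd to 2222 only reduces log noise, so it is worth stating here, or confirming in the shared suite, that password logins are off, e.g. `services.openssh.passwordAuthentication = false;`.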
diff --git a/hosts/cube/cube.nix b/hosts/cube/cube.nix
new file mode 100644
index 00000000..894cab9c
--- /dev/null
+++ b/hosts/cube/cube.nix
@@ -0,0 +1,13 @@
+{ config, pkgs, lib, ... }:
+with lib;
+with pkgs;
+let
+  psCfg = config.pub-solar;
+in
+{
+  imports = [
+    ./configuration.nix
+  ];
+
+
+}
diff --git a/hosts/cube/default.nix b/hosts/cube/default.nix
new file mode 100644
index 00000000..7834ef54
--- /dev/null
+++ b/hosts/cube/default.nix
@@ -0,0 +1,6 @@
+{ suites, ... }:
+{
+  imports = [
+    ./cube.nix
+  ] ++ suites.cube;
+}
diff --git a/hosts/cube/hardware-configuration.nix b/hosts/cube/hardware-configuration.nix
new file mode 100644
index 00000000..617f0c94
--- /dev/null
+++ b/hosts/cube/hardware-configuration.nix
@@ -0,0 +1,37 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "uhci_hcd" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    {
+      device = "/dev/disk/by-uuid/715ef65c-6cb3-4455-99ed-fe7408935d00";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    {
+      device = "/dev/disk/by-uuid/e76a2e82-bf17-4287-967c-bd0f16d16875";
+      fsType = "ext2";
+    };
+
+  fileSystems."/mnt/internal" =
+    {
+      device = "/dev/disk/by-uuid/3563f624-f8ed-4664-95d0-ca8b9db1c60a";
+      fsType = "ext4";
+    };
+
+  swapDevices =
+    [{ device = "/dev/disk/by-uuid/4b0b445b-ae72-439a-8aeb-cbd6a3ed73b9"; }];
+}
diff --git a/hosts/cube/home-assistant.nix b/hosts/cube/home-assistant.nix
new file mode 100644
index 00000000..e9b1d714
--- /dev/null
+++ b/hosts/cube/home-assistant.nix
@@ -0,0 +1,19 @@
+{ self, pkgs, config, ... }:
+
+{
+  # HTTP
+  services.nginx = {
+    virtualHosts."ha.gssws.de" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://10.0.1.254:8123";
+        proxyWebsockets = true;
+        extraConfig =
+          "proxy_ssl_server_name on;" +
+          "proxy_pass_header Authorization;"
+        ;
+      };
+    };
+  };
+}
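Review bot: Neither directive in `extraConfig` has an effect on this location. `proxy_ssl_server_name` only applies to TLS connections to the upstream and `proxyPass` is plain `http://`, while `proxy_pass_header` controls which upstream response headers reach the client; the request's `Authorization` header is forwarded to the upstream by default. Dropping `extraConfig` should leave behaviour unchanged, and if anything is kept it reads better as one `''` multi-line string than as `+`-joined literals. A comment that `10.0.1.254` is the `hsha` WireGuard peer would explain why an unencrypted upstream is acceptable here.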
diff --git a/hosts/cube/home-controller.nix b/hosts/cube/home-controller.nix
new file mode 100644
index 00000000..c472b12d
--- /dev/null
+++ b/hosts/cube/home-controller.nix
@@ -0,0 +1,48 @@
+{ self, config, pkgs, ... }:
+
+{
+  config = {
+    age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
+    age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cube_wireguard_key.age";
+
+    pub-solar.home-controller = {
+      enable = true;
+      role = "agent";
+      ownIp = "10.0.1.5";
+
+      k3s = {
+        enableLocalStorage = false;
+        enableZfs = false;
+        serverAddr = "https://api.kube:6443";
+        tokenFile = "/run/agenix/home_controller_k3s_token";
+      };
+
+      wireguard = {
+        privateKeyFile = "/run/agenix/home_controller_wireguard";
+        peers = [
+          {
+            # giggles
+            publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
+            allowedIPs = [ "10.0.1.11/32" ];
+          }
+          {
+            # cox
+            publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
+            allowedIPs = [ "10.0.1.12/32" ];
+          }
+          {
+            # companion
+            publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
+            allowedIPs = [ "10.0.1.13/32" ];
+          }
+
+          {
+            # hsha
+            publicKey = "sC0wWHE/tvNaVYX3QQTHQUmSTTjZMOjkQ5x/qy6qjTc=";
+            allowedIPs = [ "10.0.1.254/32" ];
+          }
+        ];
+      };
+    };
+  };
+}
diff --git a/hosts/cube/nextcloud.nix b/hosts/cube/nextcloud.nix
new file mode 100644
index 00000000..fe389722
--- /dev/null
+++ b/hosts/cube/nextcloud.nix
@@ -0,0 +1,72 @@
+{ self, pkgs, config, ... }:
+
+{
+  age.secrets.nextcloud_db_pass = {
+    owner = "nextcloud";
+    group = "nextcloud";
+    file = "${self}/secrets/cube_nextcloud_db_pass.age";
+  };
+
+  age.secrets.nextcloud_admin_pass = {
+    owner = "nextcloud";
+    group = "nextcloud";
+    file = "${self}/secrets/cube_nextcloud_admin_pass.age";
+  };
+
+  # HTTP
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+    virtualHosts."data.gssws.de" = {
+      enableACME = true;
+      forceSSL = true;
+    };
+  };
+
+  # DATABASES
+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_11;
+
+    ensureDatabases = [ "nextcloud" ];
+    ensureUsers = [
+      {
+        name = "nextcloud";
+        ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+      }
+    ];
+  };
+  systemd.services."nextcloud-setup" = {
+    requires = [ "postgresql.service" ];
+    after = [ "postgresql.service" ];
+  };
+
+
+  # NEXTCLOUD
+  services.nextcloud = {
+    enable = true;
+    package = pkgs.nextcloud24;
+    hostName = "data.gssws.de";
+    https = true;
+    #datadir = "/mnt/internal/nextcloud";
+    autoUpdateApps.enable = true;
+    autoUpdateApps.startAt = "05:00:00";
+
+    config = {
+      # Further forces Nextcloud to use HTTPS
+      overwriteProtocol = "https";
+
+      dbtype = "pgsql";
+      dbuser = "nextcloud";
+      dbhost = "/run/postgresql";
+      dbname = "nextcloud";
+      dbpassFile = "/run/agenix/nextcloud_db_pass";
+      adminpassFile = "/run/agenix/nextcloud_admin_pass";
+      adminuser = "admin";
+    };
+  };
+}
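Review bot: `sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";` replaces the nginx option's default list with one that also matches the CBC-mode AES256 suites and finite-field DHE under TLS 1.2, and because it is set on `services.nginx` it applies to every virtual host, `ha.gssws.de` included. Unless a legacy client needs it, delete the line so the option default applies alongside `recommendedTlsSettings`. `dbhost = "/run/postgresql"` connects over the local socket, where the NixOS PostgreSQL default is peer authentication, so `dbpassFile` is probably not what authenticates the connection; say so in a comment or drop the secret. `pkgs.postgresql_11` and `pkgs.nextcloud24` are explicit pins and would benefit from a comment naming the planned upgrade path.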
diff --git a/hosts/giggles/configuration.nix b/hosts/giggles/configuration.nix
index 9f5e3ee2..d6e8e3f2 100644
--- a/hosts/giggles/configuration.nix
+++ b/hosts/giggles/configuration.nix
@@ -9,9 +9,19 @@
     [
       # Include the results of the hardware scan.
       ./hardware-configuration.nix
+      ./home-controller.nix
     ];
 
-  networking.hostName = "giggles"; # Define your hostname.
+  boot.loader.timeout = 0;
+
+  boot.loader.generic-extlinux-compatible.enable = lib.mkForce false;
+
+  boot.loader.grub = {
+    enable = true;
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+    device = "nodev";
+  };
 
   # Set your time zone.
   time.timeZone = "Europe/Berlin";
@@ -20,55 +30,17 @@
   # Per-interface useDHCP will be mandatory in the future, so this generated config
   # replicates the default behaviour.
   networking.useDHCP = false;
-  networking.interfaces.wlan0.useDHCP = true;
+  networking.interfaces.eth0.useDHCP = true;
+  networking.interfaces.wlan0.useDHCP = false;
   networking.networkmanager.enable = lib.mkForce false;
 
-  #networking.wireless = {
-  #  enable = true;
-  #  networks.DinoLan.psk = "Gelbe Enten schwimmen auf dem Wasser.";
-  #  interfaces = [ wlan0 ];
-  #};
-
-  # Configure network proxy if necessary
-  # networking.proxy.default = "http://user:password@proxy:port/";
-  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+  boot.loader.systemd-boot.enable = lib.mkForce false;
 
   nix = {
     #package = pkgs.nixFlakes;
     extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes";
   };
 
-  # Select internationalisation properties.
-  # i18n.defaultLocale = "en_US.UTF-8";
-  # console = {
-  #   font = "Lat2-Terminus16";
-  #   keyMap = "us";
-  # };
-
-  # Enable the X11 windowing system.
-  # services.xserver.enable = true;
-
-
-  # Configure keymap in X11
-  # services.xserver.layout = "us";
-  # services.xserver.xkbOptions = "eurosign:e";
-
-  # Enable CUPS to print documents.
-  # services.printing.enable = true;
-
-  # Enable sound.
-  # sound.enable = true;
-  # hardware.pulseaudio.enable = true;
-
-  # Enable touchpad support (enabled default in most desktopManager).
-  # services.xserver.libinput.enable = true;
-
-  # Define a user account. Don't forget to set a password with ‘passwd’.
-  # users.users.jane = {
-  #   isNormalUser = true;
-  #   extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
-  # };
-
   # List packages installed in system profile. To search, run:
   # $ nix search wget
   environment.systemPackages = with pkgs; [
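Review bot: The commented-out `networking.wireless` block removed in this hunk held the Wi-Fi passphrase in clear text, and deleting the lines does not remove it from the repository history. Treat that passphrase as disclosed and change it on the access point. If Wi-Fi is configured declaratively again, keep the PSK in an agenix secret like the other credentials in this commit rather than in a Nix string, which would also end up readable in the Nix store.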
@@ -76,18 +48,8 @@
     wget
   ];
 
-  # Some programs need SUID wrappers, can be configured further or are
-  # started in user sessions.
-  # programs.mtr.enable = true;
-  # programs.gnupg.agent = {
-  #   enable = true;
-  #   enableSSHSupport = true;
-  # };
-
-  # List services that you want to enable:
-
   # Open ports in the firewall.
-  networking.firewall.allowedTCPPorts = [ 22 ];
+  # networking.firewall.allowedTCPPorts = [ ... ];
   # networking.firewall.allowedUDPPorts = [ ... ];
   # Or disable the firewall altogether.
   # networking.firewall.enable = false;
@@ -98,6 +60,6 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "21.05"; # Did you read the comment?
+  system.stateVersion = "22.11"; # Did you read the comment?
 }
 
diff --git a/hosts/giggles/giggles.nix b/hosts/giggles/giggles.nix
index 1431a53a..ca873721 100644
--- a/hosts/giggles/giggles.nix
+++ b/hosts/giggles/giggles.nix
@@ -9,5 +9,8 @@ in
     ./configuration.nix
   ];
 
-  pub-solar.nextcloud.enable = lib.mkForce false;
+  config = {
+    boot.plymouth.enable = lib.mkForce false;
+    pub-solar.nextcloud.enable = lib.mkForce false;
+  };
 }
diff --git a/hosts/giggles/hardware-configuration.nix b/hosts/giggles/hardware-configuration.nix
index 3f33b6ee..cfc5cf70 100644
--- a/hosts/giggles/hardware-configuration.nix
+++ b/hosts/giggles/hardware-configuration.nix
@@ -4,22 +4,58 @@
 { config, lib, pkgs, modulesPath, ... }:
 
 {
-  imports = [
-    "${fetchTarball {
-      url = "https://github.com/NixOS/nixos-hardware/archive/8f1bf828d8606fe38a02df312cf14546ae200a72.tar.gz";
-      sha256 = "11milap153g3f63fcrcv4777vd64f7wlfkk9p3kpxi6dqd2sxvh4";
-      }
-    }/raspberry-pi/4"
-  ];
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
+    ];
 
-  fileSystems = {
-    "/" = {
-      device = "/dev/disk/by-label/NIXOS_SD";
-      fsType = "ext4";
-      options = [ "noatime" ];
+  boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+  boot.initrd.supportedFilesystems = [ "zfs" ];
+  boot.supportedFilesystems = [ "zfs" ];
+
+  boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18;
+
+  boot.initrd.luks.devices = {
+    cryptroot = {
+      device = "/dev/disk/by-uuid/ef5804e2-2b07-4434-8144-6ae7d9f615e2";
+      keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04020116120721075123-0:0-part1";
+      bypassWorkqueues = true;
+      fallbackToPassword = true;
     };
   };
 
-  # Enable GPU acceleration
-  #hardware.raspberry-pi."4".fkms-3d.enable = true;
+  fileSystems."/" =
+    {
+      device = "zroot/root";
+      fsType = "zfs";
+    };
+
+  fileSystems."/boot" =
+    {
+      device = "/dev/disk/by-uuid/2F05-9B4A";
+      fsType = "vfat";
+    };
+
+  fileSystems."/var/lib/rancher/k3s/storage" =
+    {
+      device = "zroot/kubernetes-localstorage";
+      fsType = "zfs";
+    };
+
+  swapDevices =
+    [{ device = "/dev/disk/by-uuid/ddad2310-57b5-4851-a7bd-280d7182bcec"; }];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = false;
+  networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
+  networking.hostId = "71f2d82a";
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
 }
diff --git a/hosts/giggles/home-controller.nix b/hosts/giggles/home-controller.nix
new file mode 100644
index 00000000..ac7cfc01
--- /dev/null
+++ b/hosts/giggles/home-controller.nix
@@ -0,0 +1,53 @@
+{ self, config, pkgs, ... }:
+
+{
+  config = {
+    age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
+    age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_giggles_wireguard_key.age";
+
+    pub-solar.home-controller = {
+      enable = true;
+      role = "server";
+      ownIp = "10.0.1.11";
+
+      k3s = {
+        enableLocalStorage = true;
+        enableZfs = true;
+      };
+
+      wireguard = {
+        privateKeyFile = "/run/agenix/home_controller_wireguard";
+        peers = [
+          {
+            # cube
+            publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk=";
+            allowedIPs = [ "10.0.1.5/32" ];
+            endpoint = "data.gssws.de:51899";
+            persistentKeepalive = 25;
+          }
+          {
+            # cox
+            publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
+            allowedIPs = [ "10.0.1.12/32" ];
+            endpoint = "cox.local:51899";
+            persistentKeepalive = 25;
+          }
+          {
+            # companion
+            publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
+            allowedIPs = [ "10.0.1.13/32" ];
+            endpoint = "companion.local:51899";
+            persistentKeepalive = 25;
+          }
+          {
+            # ringo
+            publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw=";
+            allowedIPs = [ "10.0.1.21/32" ];
+            endpoint = "ringo.local:51899";
+            persistentKeepalive = 25;
+          }
+        ];
+      };
+    };
+  };
+}
diff --git a/hosts/harrison/configuration.nix b/hosts/harrison/configuration.nix
index 11300270..caadafed 100644
--- a/hosts/harrison/configuration.nix
+++ b/hosts/harrison/configuration.nix
@@ -13,6 +13,7 @@
 
   # Set your time zone.
   time.timeZone = "Europe/Berlin";
+  time.hardwareClockInLocalTime = true; # easiest quirk for windows time offset feature
 
   # The global useDHCP flag is deprecated, therefore explicitly set to false here.
   # Per-interface useDHCP will be mandatory in the future, so this generated config
@@ -26,6 +27,8 @@
   };
   networking.networkmanager.enable = lib.mkForce false;
 
+  nixpkgs.config.allowUnsupportedSystem = true;
+
   # List services that you want to enable:
 
   # Open ports in the firewall.
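Review bot: `nixpkgs.config.allowUnsupportedSystem = true;` is added without a comment and applies to every package evaluated for this host, so a package that does not declare support for this platform is no longer rejected at evaluation and fails, if at all, only at build or run time. Name the reason next to it, e.g. `# needed for <package>: not marked as supported on this platform`. If only one package needs the exception, scoping it to that package is safer than the global switch. The surrounding attribute set starts and ends outside the hunk.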
diff --git a/hosts/harrison/hardware-configuration.nix b/hosts/harrison/hardware-configuration.nix
index 9dd07ad4..03acc91d 100644
--- a/hosts/harrison/hardware-configuration.nix
+++ b/hosts/harrison/hardware-configuration.nix
@@ -21,16 +21,27 @@
     bypassWorkqueues = true;
   };
 
-  boot.loader.grub.mirroredBoots = [
-    {
-      devices = [ "/dev/disk/by-uuid/4B4A-B1B4" ];
-      path = "/boot";
-    }
-    {
-      devices = [ "/dev/disk/by-uuid/4B2C-385A" ];
-      path = "/boot2";
-    }
-  ];
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+  boot.loader.efi = {
+    canTouchEfiVariables = true;
+    efiSysMountPoint = "/boot";
+  };
+  boot.loader.grub = {
+    efiSupport = true;
+    enable = true;
+    extraEntries = ''
+      menuentry "Windows" {
+        insmod part_gpt
+        insmod fat
+        insmod search_fs_uuid
+        insmod chain
+        search --fs-uuid --set=root 02DB-F12C
+        chainloader /efi/Microsoft/Boot/bootmgfw.efi
+      }
+    '';
+    devices = [ "nodev" ];
+  };
+
 
   fileSystems = {
     "/" =
@@ -41,8 +52,8 @@
 
     "/boot" =
       {
-         device = "/dev/disk/by-uuid/4B4A-B1B4";
-         fsType = "vfat";
+        device = "/dev/disk/by-uuid/4B4A-B1B4";
+        fsType = "vfat";
       };
 
     "/boot2" =
diff --git a/hosts/harrison/harrison.nix b/hosts/harrison/harrison.nix
index 6e2839b7..2fea3d5a 100644
--- a/hosts/harrison/harrison.nix
+++ b/hosts/harrison/harrison.nix
@@ -1,5 +1,6 @@
 { config, pkgs, lib, ... }:
 with lib;
+with pkgs;
 let
   psCfg = config.pub-solar;
 in
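Review bot: `with pkgs;` stacked on `with lib;` at the top of the module makes it hard to tell where a bare name comes from, and for a name present in both sets the inner `with pkgs` wins. Nothing in the visible hunks uses a bare package name, so the line looks unnecessary; if a package is needed further down, `pkgs.<name>` at the use site is clearer. The module body continues outside the hunk, so a use I can't see may exist.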
@@ -9,8 +10,12 @@ in
   ];
 
   config = {
+    boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+
     home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable {
       "sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf;
     };
+
+    services.teamviewer.enable = true;
   };
 }
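Review bot: `services.teamviewer.enable = true;` turns on a third-party remote-access service for this host unconditionally and without a comment. A remote-control daemon is extra attack surface on a workstation, so record why it is needed and consider starting it on demand rather than enabling it permanently. A comment such as `# remote support for <purpose>; remove when no longer needed` would be a minimum. `boot.binfmt.emulatedSystems` on the first added line would also benefit from a short note on its purpose (presumably building for an aarch64 machine).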
diff --git a/hosts/redpanda/configuration.nix b/hosts/redpanda/configuration.nix
index a2c29a4a..c2b2b653 100644
--- a/hosts/redpanda/configuration.nix
+++ b/hosts/redpanda/configuration.nix
@@ -11,6 +11,8 @@
       ./hardware-configuration.nix
     ];
 
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+
   # Use the GRUB 2 boot loader.
   boot.loader.grub.enable = true;
   boot.loader.grub.version = 2;
diff --git a/hosts/ringo/configuration.nix b/hosts/ringo/configuration.nix
index b2c934fb..5a57fe2d 100644
--- a/hosts/ringo/configuration.nix
+++ b/hosts/ringo/configuration.nix
@@ -7,21 +7,14 @@
 {
   imports =
     [
-      # Include the results of the hardware scan.
       ./hardware-configuration.nix
+      ./home-controller.nix
     ];
 
   # Use the systemd-boot EFI boot loader.
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
 
-  boot.initrd.luks.devices."cryptroot" = {
-    device = "/dev/disk/by-uuid/bd1ebf98-adc1-4868-842f-3d2c6ee04e13";
-    keyFile = "/dev/disk/by-partuuid/9ff6ebf7-01";
-  };
-
-  networking.hostName = "ringo"; # Define your hostname.
-
   # Set your time zone.
   time.timeZone = "Europe/Berlin";
 
@@ -29,16 +22,7 @@
   # Per-interface useDHCP will be mandatory in the future, so this generated config
   # replicates the default behaviour.
   networking.useDHCP = false;
-  networking.interfaces.enp0s25 = {
-    ipv4.addresses = [{
-      address = "10.9.0.2";
-      prefixLength = 24;
-    }];
-    wakeOnLan = {
-      enable = true;
-    };
-  };
-  networking.interfaces.wlp3s0.useDHCP = true;
+  networking.interfaces.enp0s25.useDHCP = true;
 
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
diff --git a/hosts/ringo/hardware-configuration.nix b/hosts/ringo/hardware-configuration.nix
index 408dcf02..d16bc928 100644
--- a/hosts/ringo/hardware-configuration.nix
+++ b/hosts/ringo/hardware-configuration.nix
@@ -26,7 +26,7 @@
 
   fileSystems."/boot" =
     {
-      device = "/dev/disk/by-uuid/9D1D-EE08";
+      device = "/dev/disk/by-uuid/47ED-2F0B";
       fsType = "vfat";
     };
 
diff --git a/hosts/ringo/home-controller.nix b/hosts/ringo/home-controller.nix
new file mode 100644
index 00000000..3f679ba4
--- /dev/null
+++ b/hosts/ringo/home-controller.nix
@@ -0,0 +1,43 @@
+{ self, config, pkgs, ... }:
+
+{
+  config = {
+    age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
+    age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_ringo_wireguard_key.age";
+
+    pub-solar.home-controller = {
+      enable = true;
+      role = "agent";
+      ownIp = "10.0.1.21";
+
+      k3s = {
+        serverAddr = "https://api.kube:6443";
+        tokenFile = "/run/agenix/home_controller_k3s_token";
+      };
+
+      wireguard = {
+        privateKeyFile = "/run/agenix/home_controller_wireguard";
+        peers = [
+          {
+            # giggles
+            publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
+            allowedIPs = [ "10.0.1.11/32" ];
+            endpoint = "giggles.local:51899";
+          }
+          {
+            # cox
+            publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
+            allowedIPs = [ "10.0.1.12/32" ];
+            endpoint = "cox.local:51899";
+          }
+          {
+            # companion
+            publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
+            allowedIPs = [ "10.0.1.13/32" ];
+            endpoint = "companion.local:51899";
+          }
+        ];
+      };
+    };
+  };
+}
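Review bot: `tokenFile` and `privateKeyFile` hard-code `/run/agenix/...`, which duplicates the names declared in the two `age.secrets` lines and breaks silently if the secrets directory or a secret's path ever changes. Referencing the declared secrets keeps them in sync: `tokenFile = config.age.secrets.home_controller_k3s_token.path;` and `privateKeyFile = config.age.secrets.home_controller_wireguard.path;`. The peers here set no `persistentKeepalive`, while the ringo peer entry in the preceding host file sets 25; if that difference is deliberate, a comment would help. `pkgs` in the argument list is unused in this file.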
diff --git a/secrets/cube_nextcloud_admin_pass.age b/secrets/cube_nextcloud_admin_pass.age
new file mode 100644
index 00000000..5b1ebf69
--- /dev/null
+++ b/secrets/cube_nextcloud_admin_pass.age
@@ -0,0 +1,20 @@
+age-encryption.org/v1
+-> ssh-ed25519 hPyiJw wG1VH/Rd8D9VhI2nUdKN8ev8GmDTmByYojrAGXiVQ0c
+Ce5LdJLYhXZxozhrFZOCCcG6DvDlzcwHUp7rsAAYMb4
+-> ssh-ed25519 YFSOsg KWrIirfADk9OlVVF/SvnyE4P4JWorWhcShIWMLaYezg
+kjNaCLQRKwrLKWT6H6mygsawWXas1alwf/rPbpgnIbE
+-> ssh-rsa 42S2Dw
+GlF0Iwkmi2IukEP4aghJLQP4QUv8Lt2qPBsysz/NIfPxtxuVgnphqmbtZ3ylKURL
+iWQbDwvNG3DBQMgbFUTtLpp48yZ++ZWfVCLJxylifoo8Fk1/edOieiQxmKySFIiS
+RBDjal+JFIAMQVa4i9zTJ2HolgFGioq7fsQgimjhhcTpbPWF0YgbeFlD/Bx3Uc3D
+QXHkPGTWWJr8nmsBLW0erQKuT+2pTy3Yo00BmYYfaHhRSWPxaRiUvlQzqwfEJGZy
+N8CWyU8JqacMQfFfMVYYNR8qHGv5p5nu9FtJPQFWz79TB0j0OaowW8VuhP70UVI1
+QvZLDCv1JN4fd9TqDqgcnA
+-> ssh-ed25519 iHV63A b0w5AmQtO1FWnySOYDh3JIWkiFM05WNz9M4H67GVZEM
+suTrfziEta0t9iGJxx+tcvi6BzQS1NJxPmCnPBx5ViU
+-> ssh-ed25519 uTVbSg rMwuqUqpr40KdbuOZnhi9Bya/Ql2F8HfZdAQvcw3JUY
+vVF6J8lzQNXnHgzEMzwkcrOGSExKJmPBmuxDklQ7TGA
+-> ?<GZ,~j-grease
+jdlD7DImSTrtgtmVJVA+M0g9TNqUI7SSRIlpfGB8KL78WuSIvQWv2z0lpzot
+--- 4h3KwWAMcJYCF/K/JGPS3cNpCbSDTC8mTerADBFy2to
+��Ӥ���L��(7�Ʉp�OsT�I�pJ�2�kS[��/���@�py��-�{�F�0������Ѳ�%��}�^���
\ No newline at end of file
diff --git a/secrets/cube_nextcloud_db_pass.age b/secrets/cube_nextcloud_db_pass.age
new file mode 100644
index 00000000..850b5d86
--- /dev/null
+++ b/secrets/cube_nextcloud_db_pass.age
@@ -0,0 +1,21 @@
+age-encryption.org/v1
+-> ssh-ed25519 hPyiJw 4cMG8rywMIHkCJO0vbcnD46xPHZKTbUFi/bKKPLJW0c
+aOmQ7lws7MIDNE7xejtcomQAtRuXjHd+VSGGy805cUk
+-> ssh-ed25519 YFSOsg UnTniCyloz+bfIlKsgGvQflAOCIwdNBuKIM64ZZ7fSI
+/Q6KAn80cNs38LgOxZhg9tXmAtJJKw5VpN9lfPqNuhc
+-> ssh-rsa 42S2Dw
+FoosAbMAGlculUJOkL+9U2Wajf80dgUY+Acd2MQDbeSR/A/hE+NOv3JtH2Sx9weD
+ww2n/K5uKQhFKrTVIRn5Bp1qYnay2FIn6lz0zu1I2tqmGFCMiR+RhTnrcxFztNjQ
+dYbs4F9mvCDmyn9tShTzqAxnClWCdOHkrXBuCMAg08tp5cjAPqaSMdE0wFn5Jvhg
+DY5nHJWlxbZcGEhJSW2mxKb+HP4ecZ5FY0Uf4qYn/FTcKm7K80Pojg/e72XV7sq9
+04dPKpa162G53BKQXCmv55L6D81YepydA0wAoeTXXfC1E+DxeWfHrsmF80qdEnBg
+ZpPIRWdSBs61zqp4XavsSw
+-> ssh-ed25519 iHV63A mumH3Brpcqa3t8Q495yyV9vn8AKalaf2WchgmsirN2Q
+fk5iQUYBlUiq+8Nblb5H9mhJarPONiyuOG3ioknlbzk
+-> ssh-ed25519 uTVbSg O5xBbchEqAsFJtU4kCZo4gqpByHNAnZO0Ik7p5fwFAM
+e+adn+gDYIF2BW0N1zoHZj+/mciN60rVcCPs9OplLsE
+-> ,-grease M6FrPQz + B{
+QAdvJryfCY0NJ0XU5sC9D5J2KnHIxCcjBi7iFlehcB56qrdQbSPsL+ysZVqTzfQx
+QjDs0lXBKqL2f0g0cWiM9Q
+--- Vl5VtidJZtEk19VojwdWLaGJGsIRkvwRTjW0mdnTqiM
+��T_����%��2�y͌W�K���hc��eThڝ��X���$�����TR9;�$
\ No newline at end of file
diff --git a/secrets/home_controller_companion_wireguard_key.age b/secrets/home_controller_companion_wireguard_key.age
new file mode 100644
index 00000000..25d9ab44
--- /dev/null
+++ b/secrets/home_controller_companion_wireguard_key.age
@@ -0,0 +1,20 @@
+age-encryption.org/v1
+-> ssh-ed25519 hPyiJw tQeQac/fLw4UXYx/SXj46HPeG6oPKY4U8IJJI89Fv3c
+rB6bWP8ba0kAA9qwcq81rTDgmerGORN4jAE5Usrz1tY
+-> ssh-ed25519 YFSOsg W1SJl0W8oRo5ApD+40puyRae+MDhsxd6Miv6vHaeXn4
+Z1xqbXD5r0Lo9XvouS967LxnxEX9arLhylZJnFLG0aM
+-> ssh-rsa 42S2Dw
+t48CWYrVFfH1x59IYXJtfkeONo1QPnqN6VMwVzMh0c0Vm5U2OFfAml+/6Kit4QWI
+u7PASBpg+GRsQmoWC9hFJsCDiikg5NIhyBO4feSS+4Cus+8Xr9cSPjYg5EKsgoOd
++HpTrPhiNG1Wy2pE4kkxSsS5pKOcdIezU+DfqookoXALLneUIUEsaHYCmdOLwE21
+yRzWxiXavQKnvabxnqISYeBK+aHNGtd8hczhnoM8oR7qTaNQwfuQoVa8te0MLTIK
+EXIuev6vESPFtdo3gGJUSbmlXY9hH0tumFFgug185oJwkp745rWKM4QlFEB5fNGR
+LE54GOkv9sF3+Wij/ELHAA
+-> ssh-ed25519 iHV63A OOf5Cx0vckL1ve6WOzL0IAhIKasXAjodubuyKbWKv1Q
+1av0Vqos3YsycBFpncCvP69RunBwCQ4oSextLvR9P+Y
+-> ssh-ed25519 t1M4HQ j2B7jugQZy124AM5f0JK+id4W2TN6n4C0c/HUNFfLU8
+BJr18XJI/XzFgH32nXKZb5SdBbU8raRCKL6PWgad5cs
+-> QwO-grease *8]/h/ 7|S
+LM23rOF57rKeWQ
+--- 7xz9ru8cIHt3zksF696olmLR+vEkwDfVv0tl2stfNhM
+��e
T|,7kZ5:Ad�N�<IU���o�
�v���N��+w�Ho������#N�g�(du)̱-S�4�?`�z
\ No newline at end of file
diff --git a/secrets/home_controller_cox_wireguard_key.age b/secrets/home_controller_cox_wireguard_key.age
new file mode 100644
index 00000000..4181dd35
--- /dev/null
+++ b/secrets/home_controller_cox_wireguard_key.age
@@ -0,0 +1,20 @@
+age-encryption.org/v1
+-> ssh-ed25519 hPyiJw ZGGRZr/HOQSZ1zREl5pqPE0sftSc0CLVHiKBrJ3X938
+cO/aAeVwrQp5OSAl6JTnIPfhEJmG/1rnbJAtoplTESE
+-> ssh-ed25519 YFSOsg G/XSLzhX7SSsOZNWnpdLJ+m6NXyL6F/itN76CfJZzkk
+sNfdi78MFpBcoAh1xPpcvWYkTWQQ2fIL6i1myHdun/U
+-> ssh-rsa 42S2Dw
+RuHlOwIJJhJffpJEcIpUEOX8czKVY8c+bvae1XrCSNplNV1f3CHl/WSdKfhOCC//
+u1qOEiidsDxWphJu3IHjiLgTCmlnwwaISZ2bnEOkTSDNPphARrEA7JfrSyQOlZJB
+Mu1qhSi5u4uGVi4Mk7TuLxCHRnjDUjDLVh96kbjiwrnAAtI/0fK64ci8rx9P1GzD
+aZR1to8+uWFx3sTtr3JUA5I+azQdYb37p5ehlCrvVybcze/16oCkreSDuW88HdoD
+yIXrX3tlnjJJou7LGR/s8o74ookFMT89rlkf8DXMhkPpmiUWYxCyJZ1oS6twtee2
+Gwo4twB5KIHTCmryJsZ5mA
+-> ssh-ed25519 iHV63A Jun3KRgZaEfE0RmefSaa8WLdMoVLhQGH0kwK9IORaSk
+IlMxqMUjdhKOciC3/KTQWIBctjyW3dVHKJpWLfVT+NI
+-> ssh-ed25519 w1vtTQ 0iNKMsnq32OTGYhQNz75FszXV8ePAWTPXTSra0s/WAw
+4eecaT/DX9CowOod+NRva3PiSbrgmjPerTGceN+u3mg
+-> @I^"ao-grease L#%xN`Bb 6l.LN ,
+h77R6GmXSVnEblcP1Kxuf7kCy8DnMtAF
+--- RvWj6AeYYIavoCseUazZH1lw0LFUm0mB9Ww9HeyVRio
+9A��7oM�q�#^͎3@"��s����(/Տ��-{����Ӻ���[/1AY�:���LZ0���u�E'��k�V�/�
\ No newline at end of file
diff --git a/secrets/home_controller_cube_wireguard_key.age b/secrets/home_controller_cube_wireguard_key.age
new file mode 100644
index 00000000..fcf891ab
--- /dev/null
+++ b/secrets/home_controller_cube_wireguard_key.age
@@ -0,0 +1,20 @@
+age-encryption.org/v1
+-> ssh-ed25519 hPyiJw V5crsXjhEfj2BKe5uEjccio8m1hzjvZ1u3DU16SdmVs
+gxC6r8tzwj3l7SW6kn4TXinZV2ZNgKpWsiKGn56CZgE
+-> ssh-ed25519 YFSOsg Q1tpXI8ilmFt3JGx5ad8SCtZRbrbR8DgGNiu7vXQ7x4
+geB/YeAwQqJuLG0pf27W2FhuXm9SS2RRoqe2UaV2U4o
+-> ssh-rsa 42S2Dw
+KWliiGsVgLgkkY1DkKNsNtBUzfKSX820nJfLLOMBgFcil78IJz+Sw5Ns6NFLR7Xe
++o+HsUxcnLOXhDYMImR9SALYL6TwLdqp1C+LAQ8HXri35IyERU2uqMXdkzYREn4f
+4c4JlCbtCy6F+8nFy0OkK/VtV/yoBpnDMtjDk9wdHYBouSGX91/8QwNUu1L0m0V1
+dvYVjk/tCPDsk3TYGFAR7lG328jt3khqVAV+rcvwwTPzD+jBCkbyGCFQ5N3xZBGI
+Wa3xMB+P9ojv4XAfde0eK+6N0uPvoMvnmPGguJTXiaCEgw8K/ILV6PuhkSyo4Wea
+EytCf4k42l7wjwG4LWFWZA
+-> ssh-ed25519 iHV63A o/IPrEtX8l4ZWCcC/yJWGRUAPDPX7vMJKBvm7ngWRjE
+YoXHRtVmNXlxJ4uJqs7jNW/2pBnjMroj1AlLiERLQGk
+-> ssh-ed25519 uTVbSg WF+8m47L2GWewOEK36k3g+Ozv1JC20cfswQ0ksbhhzs
+w5qbtYBfnrKOB4/ZTiD8Qsd42NibKcgbL9AYQKx9bnM
+-> y-grease y>]"'a W "
+w265AhhbaGNvdOMRX4xs+w
+--- /proerdf6QHIKGNWA0vTE+ZPNuvbJBGhpMEt0DscFgQ
+�m��d�]�و��G��(n����h���łLARR����jM�UVȏ%�M�^��oЋJ��Q��D���n��
\ No newline at end of file
diff --git a/secrets/home_controller_giggles_wireguard_key.age b/secrets/home_controller_giggles_wireguard_key.age
new file mode 100644
index 00000000..3f013f1e
--- /dev/null
+++ b/secrets/home_controller_giggles_wireguard_key.age
@@ -0,0 +1,20 @@
+age-encryption.org/v1
+-> ssh-ed25519 hPyiJw gEHEUHodm0u6YauWsDFycNYfBlNEncGz6cGiFVbMSQw
+eb/YlV8CeU2GZaoREi8n4CB6O+bltLjwARBh1SvPHuU
+-> ssh-ed25519 YFSOsg oObR84uRNYEhcbdILnSni61pMzaNQcbMSV8CMdUFCVs
+hZeKavP58fmaxjpZwHDSNf2QnUqn5GqeSx/MVbWM8w0
+-> ssh-rsa 42S2Dw
+W/0mcDisoN/RoEshQ0gDmmYZTfSG3BRAq/PsXT9Xt0mahAqZumfdysT9T2Wkso5O
+2SKVvJvP2YAGNs+d/+lnn5/I8f7qlx6K0oQ1e72Y9ZNmoxgZmL3h2jBR3x+GfgG8
+Qp57nfvoF4js2JyC2MSUm3CjOppxDN/BM2v5qOTuPB5/K3bPOP1iBdENH71f9d64
+PK/7HZA1BTtn4jOWYQ52BZIcOjiA9JoVO6HFvB7d5UobasbbXDhO6ZgZ3aWdsDE4
+/0S099FWbvzTk8aITl5qSphQy0Pgp+yeTobx1Hn/b6vokoNIwaMZniOVd1mS0CuU
+DL8SGpuQUeOl+27sstHfUw
+-> ssh-ed25519 iHV63A 34vhrBbCb4J5xzjoa9o4hWokszJER12Pfd/s8RGxfg4
+2p8SUyhXdks06NJPZMkbKcdsn+YB3+/Ksaipc72mBvg
+-> ssh-ed25519 AsPNJg bAYRIQICTPeVri4/qkBBedxmm08TNoBMseEauYtTkX8
+ZeNmjU+oG4qYSMREtv7QdbRLf3SAmdHnX63eiHjvcOU
+-> J._|'iH-grease VaQ1S' W7^S -r HJ'
+KbnGq5EUW0HcQ4v7n8Gh/4R/Y55bXYOuSPNt2jXTbog
+--- Bk+tEcikn4Gd90ou6llBA1nYq+mRGdfB1TaJvIOYEaw
+����ML��7|�2��F'Z�o��Z�{��?�J,������m���\G���R�aa��\t���<����5���
\ No newline at end of file
diff --git a/secrets/home_controller_k3s_server_token.age b/secrets/home_controller_k3s_server_token.age
new file mode 100644
index 00000000..c1a4c1d2
--- /dev/null
+++ b/secrets/home_controller_k3s_server_token.age
@@ -0,0 +1,31 @@
+age-encryption.org/v1
+-> ssh-ed25519 hPyiJw B7i7cir4NIqIxeuwN7lBZiHLaLDNwSD5ZJLs0iYidDo
+fmj7NzNi4DT805TlhjtyMXa1dcu7rGVIllQG4ALtJdo
+-> ssh-ed25519 YFSOsg SpldcBYdyAYW4W+U4JrgkcA8Y5+YnPjW78OISjviDz8
+Czi1SkmtvFmko+fP2hdCanpWJKpo/KndE/MI8BcJVxQ
+-> ssh-rsa 42S2Dw
+EvIS2maHrEa4Qyhrp3TJ/LULJkdCixIEcvI2HS9SUhVRIJS6jpY/Z+pW+XZqxEgk
+P7sp1CjRsjRZ4RZsgBUsgdO4mRnUtSkrTTLzrS84d3QG1QfjQphtF/BSt2+8t1nw
+S/XVZWu/LyFb8Z3TbhVkf3vx7ujIBwjdFj+LiUmEYwB4o57MWKH9aCcvyMLZF4Ne
+AltRXfkGkEVt7Yn0iKwb8yHaqMPa5CjfjDP9ybLp/my08/pZEQTVduKe/Q6p09DM
+8gEF1uVM+3BxXf7yAvt8fW80Hgm21VnYUq0h6exDZaaf0wLPOh0kRnN1MDqK2tjO
+uxre1sro1ZQx5CPCXD4ICQ
+-> ssh-ed25519 iHV63A Toc315/VlOneCwbLzcp2fDqHZSMDNtSprquR3BOVfAg
+ZeEZEdla/o/sAa7Tbh4NY5qqrNkWfHqpbvUokSofC5A
+-> ssh-ed25519 AsPNJg ui5FmbBKlKQ69R38yqlFURrMBTX1n7ysQP7mBo9SSRQ
+c7dp6ewRp/5rHThk/oGcaaCxNwmBWTcfVSK4IrHJh2M
+-> ssh-ed25519 w1vtTQ 7ToJvl/p9DzxX0v/b7nNOIfdgyb85Ja6862Tw2HLLyo
+PkEaeBdx60i9mX6t5Ue5PeabY4COffefCSt65H5hRxU
+-> ssh-ed25519 t1M4HQ 14NmP2HdhTouv66lkTKPEKh7HANgEUIek8FA8wAntSU
+ZZ+Mc8m/Pb16Vbxc9bOZtXJ+0ZXv/YiV30LiKra55cM
+-> ssh-ed25519 uTVbSg 1151u2eVy3izoghgXS1zPukpbSiZo6Mc+JTtCNqrqxE
+5NGufz7+RjYTy4gUfAHjV/g8VdF5FxPcB3GUzafotn8
+-> ssh-ed25519 4eCLig NAsWZu3MFuCEgi/Fm+2kB04A8ZckvTP5ueLjB2NKZDg
+5DKhLww7UKvOxPveJTtuc7jGk/9cypM9UadP1A8C6Ko
+-> t-grease > 8z4 `,R~f.lb
+K0DjBt5R459zTRkIA58mcIYl+Na5m+1SIXbezHjWZy2q1cIX8L331Du4SE6/UCCR
+e3Q
+--- ZjP/FefBuH6f+bEQpgqeiL3Uj+f9AbSCVRQni7pYyjQ
+6{��{;�5%�n@~�N��n!EϷA&â��`v��-��5��{���P
+�8'�m7p��1	b�n��#�0"��=~���"���}�@�89eB���
+/�*��Uo<���.��E�)t2fX�o9F�QG)���
\ No newline at end of file
diff --git a/secrets/home_controller_ringo_wireguard_key.age b/secrets/home_controller_ringo_wireguard_key.age
new file mode 100644
index 00000000..5a41c0e3
--- /dev/null
+++ b/secrets/home_controller_ringo_wireguard_key.age
@@ -0,0 +1,21 @@
+age-encryption.org/v1
+-> ssh-ed25519 hPyiJw zHWVBLJi1r1M3C/3Xf1rCOOXhjihjYuF4f0ZsRo4dWI
+sB14DJ0gjz2Z9+oJG/RBAl5GJ31NOjUJmpSvKwmkEVU
+-> ssh-ed25519 YFSOsg RHtbqm+jWVTkXqyTWRblggdgfbp2OOJmCqieDhI4+HI
+0lc7kKOQL3Abo8UyjXfRHvDcq+dOvPe0q7izfycZkj8
+-> ssh-rsa 42S2Dw
+QnOc7ZIigTURoIjglNY64KzZh8QbhE2TbioIP88F9OztV/1umy5hniBNYrE3grd2
++nQSdBEHsHKgyElC3VvdKQ9RvzrbrDHnNt4oBgmH70KfAQzH1wehOvofcNMlu0+B
+0ddUjo9BEf5VtxKY4fdUFLoROBv/rIMCuCR69NE4KfS/Cl7I+saWUOzoRVcZKsBc
+XmYYCTDezlVOT0dtoRDJT0PBimXQZ+3D9Fj7VKUOobggUiQBOH7irvpKy/JFG6+0
+C5CRDZKPp4XOKfz/XAqIxbkyzxF6ZRpmXz+QJhHXTCJfWdRMfUl45YO5r/fX6ybV
+vqZnYo4ytlZtIaoe0ipFJQ
+-> ssh-ed25519 iHV63A WkP5FVc9iS9OEQMr2E+ewVvBS1ppHnuCWqGTvdvBY38
+kxdQm6sXkGlFId0KEoMqcbyXII5G1En0g9I6WObwNpk
+-> ssh-ed25519 4eCLig /lrGyo78vdS92cFFs3aS8R/BcM+QDLspab0ftIZU9WE
++rvfUcml+WEDzZ9B6WbSvfwh+ceHygGIvHsw4UME94k
+-> u\-grease JD#pg \__| M\j|M
+9RN98je/hB0
+--- JoemHAPRRKWcsEMIOEU1Cq8AyPFTtz3qYqCgyeonyrs
+
+"��S��nq�R�vKR�UsF+��E���}�ݻ^)�x�x\_�S'�� �/��2���bx��]Sr����؄�������
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index bac30e03..9a649db0 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -1,9 +1,33 @@
 let
   # set ssh public keys here for your system and user
-  system = "";
-  user = "";
-  allKeys = [ system user ];
+  user_hensoko_nitrokey_1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/58A18EtxnLYHu63c/+AyTSkJQSso/VVdHUFGp1CTk cardno:FFFE34353135";
+
+  user_hensoko_harrison = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb hensoko@harrison";
+  user_hensoko_norman_1 = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+euxPp6bHXw61UeUqTGHH8Ub2L+Sy1iteupv/AGudgoVNp2GebqJy1cxQ74mgnL8eWMlaA9jZlKQ1xFFhgtolCsoAKTE9AE8X0egvmEM18fEUR3EWWchmX4MXUhUiOtwitkl4+EpSsp5rh/kIxcpQFz1dpBibroq6jDLKlrVou+2LppR8nMfFT2sqg3694Ltxz4CWMdAfitLax05ckKMAnzz+TgpXK5OyfQSBvl18Qu1SWITYa6AVNXQ7/ovWBDIUfg25GWouzWqkSUpLdCVIcXPe2X7g6X1QsHXnnhaMAhvYH54GZ4wU2kBwIJ6KvplfZdbJ09KAltPVt08evafb hendriksokolowski@hsokolowski-pc";
+  user_hensoko_norman_2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work";
+
+  users = [ user_hensoko_nitrokey_1 user_hensoko_harrison user_hensoko_norman_1 user_hensoko_norman_2 ];
+
+  system_giggles = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKOLyNmSzxVpVQtTWhkH48e03nFDdskE08N4L81MZcLZ root@nixos";
+  system_cox = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNr7q7eAkROtdvTmw96Q5tZu9W4jt31OCjc6L8uM5Uv root@nixos";
+  system_companion = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINjIyVeAPsIpUTsB5bPEjmJeRFN8Xp3PD9a/41yPp3HM root@nixos";
+
+  system_cube = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5ok5tIuDKYpIw3KVmUnqBSDJ1QriWQJ04IVLF1Kaig root@nixos";
+  system_ringo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5g8CfSiMxboEJT2U92JoYdnv0nsArBPW/vfTEsUWZO root@nixos";
+
+  systems_home_controller = [ system_giggles system_cox system_companion system_cube system_ringo ];
+  allKeys = users ++ systems_home_controller;
 in
 {
-  "secret.age".publicKeys = allKeys;
+  "home_controller_giggles_wireguard_key.age".publicKeys = users ++ [ system_giggles ];
+  "home_controller_cox_wireguard_key.age".publicKeys = users ++ [ system_cox ];
+  "home_controller_companion_wireguard_key.age".publicKeys = users ++ [ system_companion ];
+
+  "home_controller_cube_wireguard_key.age".publicKeys = users ++ [ system_cube ];
+  "cube_nextcloud_admin_pass.age".publicKeys = users ++ [ system_cube ];
+  "cube_nextcloud_db_pass.age".publicKeys = users ++ [ system_cube ];
+
+  "home_controller_ringo_wireguard_key.age".publicKeys = users ++ [ system_ringo ];
+
+  "home_controller_k3s_server_token.age".publicKeys = users ++ systems_home_controller;
 }
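Review bot: Every secret is encrypted to all four keys in `users`, including an `ssh-rsa` key and two keys whose comments appear to name work machines, so compromise of any one of those private keys exposes every WireGuard key, both Nextcloud passwords and the k3s token. Consider restricting `users` to the hardware-backed `user_hensoko_nitrokey_1` key plus one documented backup, and add a comment above `users` stating which keys are meant to be able to re-key. `allKeys` is still defined but no rule uses it any more, so it can be removed. The system keys all carry the comment `root@nixos`; a per-host comment would make a mix-up between them easier to spot.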