diff --git a/flake.lock b/flake.lock index c9ae64e..5c81ed7 100644 --- a/flake.lock +++ b/flake.lock @@ -40,9 +40,7 @@ }, "agenix": { "inputs": { - "darwin": [ - "nix-darwin" - ], + "darwin": "darwin", "nixpkgs": [ "nixpkgs" ] @@ -61,6 +59,28 @@ "type": "github" } }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1696360011, + "narHash": "sha256-HpPv27qMuPou4acXcZ8Klm7Zt0Elv9dgDvSJaomWb9Y=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "8b6ea26d5d2e8359d06278364f41fbc4b903b28a", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "deno2nix": { "inputs": { "devshell": "devshell", @@ -322,27 +342,6 @@ "type": "github" } }, - "nix-darwin": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1695686713, - "narHash": "sha256-rJATx5B/nwlBpt7CJUf85LV27qWPbul5UVV8fu6ABPg=", - "owner": "lnl7", - "repo": "nix-darwin", - "rev": "e236a1e598a9a59265897948ac9874c364b9555f", - "type": "github" - }, - "original": { - "owner": "lnl7", - "ref": "master", - "repo": "nix-darwin", - "type": "github" - } - }, "nixos-flake": { "locked": { "lastModified": 1692742948, @@ -498,7 +497,6 @@ "home-manager": "home-manager", "mobile-nixos": "mobile-nixos", "musnix": "musnix", - "nix-darwin": "nix-darwin", "nixos-flake": "nixos-flake", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs_2", diff --git a/flake.nix b/flake.nix index 906457a..7c05160 100644 --- a/flake.nix +++ b/flake.nix @@ -12,9 +12,6 @@ flake-compat.url = "github:edolstra/flake-compat"; flake-compat.flake = false; - nix-darwin.url = "github:lnl7/nix-darwin/master"; - nix-darwin.inputs.nixpkgs.follows = "nixpkgs"; - home-manager.url = "github:nix-community/home-manager/release-23.05"; home-manager.inputs.nixpkgs.follows = "nixpkgs"; 
@@ -27,7 +24,6 @@ agenix.url = "github:ryantm/agenix"; agenix.inputs.nixpkgs.follows = "nixpkgs"; - agenix.inputs.darwin.follows = "nix-darwin"; nixos-hardware.url = "github:nixos/nixos-hardware"; @@ -49,8 +45,6 @@ systems = [ "x86_64-linux" "aarch64-linux" - "x86_64-darwin" - "aarch64-darwin" ]; imports = [ @@ -100,7 +94,7 @@ }; droppie = { - hostname = "backup.b12f.io"; + hostname = "droppie.b12f.io"; sshUser = "yule"; }; diff --git a/hosts/chocolatebar/configuration.nix b/hosts/chocolatebar/configuration.nix index c746c28..395932d 100644 --- a/hosts/chocolatebar/configuration.nix +++ b/hosts/chocolatebar/configuration.nix @@ -1,7 +1,6 @@ { config, pkgs, - flake, lib, ... }: diff --git a/hosts/default.nix b/hosts/default.nix index 248ff40..b961d9f 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -57,7 +57,8 @@ ./pie self.nixosModules.yule self.nixosModules.printing - self.nixosModules.paperless + # self.nixosModules.paperless + # self.nixosModules.docker ]; }; @@ -80,6 +81,17 @@ ]; }; + iso-arm = self.nixos-flake.lib.mkLinuxSystem { + nixpkgs.hostPlatform = "aarch64-linux"; + nixpkgs.buildPlatform = "x86_64-linux"; + imports = [ + "${inputs.nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix" + self.nixosModules.base + ./iso + self.nixosModules.nixos + ]; + }; + iso-graphical = self.nixos-flake.lib.mkLinuxSystem { nixpkgs.hostPlatform = "x86_64-linux"; imports = [ diff --git a/hosts/droppie/configuration.nix b/hosts/droppie/configuration.nix index 984306e..e54c97b 100644 --- a/hosts/droppie/configuration.nix +++ b/hosts/droppie/configuration.nix 
@@ -23,34 +23,6 @@ in { networking.hostName = "droppie"; - security.sudo.extraRules = [ - { - users = ["${psCfg.user.name}"]; - commands = [ - { - command = "ALL"; - options = ["NOPASSWD"]; - } - ]; - } - ]; - - services.ddclient = { - enable = false; - ipv6 = true; - domains = ["backup.b12f.io"]; - server = "ddns.hosting.de"; - username = "b12f"; - use = "web, web=https://ipcheck-ds.wieistmeineip.de/callback/, web-skip='ip\":\"'"; - passwordFile = "/run/agenix/dyndns-droppie.key"; - }; - - age.secrets."dyndns-droppie.key" = { - file = "${flake.self}/secrets/dyndns-droppie.key"; - mode = "400"; - owner = "root"; - }; - # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQSephFJU0NMbVbhwvVJ2/m6jcPYo1IsWCsoarqKin root@droppie age.secrets."droppie-ssh-root.key" = { file = "${flake.self}/secrets/droppie-ssh-root.key"; diff --git a/hosts/pie/.env.firefly b/hosts/pie/.env.firefly new file mode 100644 index 0000000..be16ce7 --- /dev/null +++ b/hosts/pie/.env.firefly 
@@ -0,0 +1,239 @@ +# You can leave this on "local". If you change it to production most console commands will ask for extra confirmation. +# Never set it to "testing". +APP_ENV=local + +# Set to true if you want to see debug information in error screens. +APP_DEBUG=false + +# This should be your email address. +# If you use Docker or similar, you can set this variable from a file by using SITE_OWNER_FILE +# The variable is used in some errors shown to users who aren't admin. +SITE_OWNER=firefly-admin@benjaminbaedorf.eu + +# Firefly III will launch using this language (for new users and unauthenticated visitors) +# For a list of available languages: https://github.com/firefly-iii/firefly-iii/tree/main/resources/lang +# +# If text is still in English, remember that not everything may have been translated. +DEFAULT_LANGUAGE=en_US + +# The locale defines how numbers are formatted. +# by default this value is the same as whatever the language is. +DEFAULT_LOCALE=equal + +# Change this value to your preferred time zone. +# Example: Europe/Amsterdam +# For a list of supported time zones, see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones +TZ=Europe/Berlin + +# TRUSTED_PROXIES is a useful variable when using Docker and/or a reverse proxy. +# Set it to ** and reverse proxies work just fine. +TRUSTED_PROXIES=** + +# The log channel defines where your log entries go to. +# Several other options exist. You can use 'single' for one big fat error log (not recommended). +# Also available are 'syslog', 'errorlog' and 'stdout' which will log to the system itself. +# A rotating log option is 'daily', creates 5 files that (surprise) rotate. +# A cool option is 'papertrail' for cloud logging +# Default setting 'stack' will log to 'daily' and to 'stdout' at the same time. +LOG_CHANNEL=stack + +# Log level. 
You can set this from least severe to most severe: +# debug, info, notice, warning, error, critical, alert, emergency +# If you set it to debug your logs will grow large, and fast. If you set it to emergency probably +# nothing will get logged, ever. +APP_LOG_LEVEL=notice + +# Audit log level. +# The audit log is used to log notable Firefly III events on a separate channel. +# These log entries may contain sensitive financial information. +# The audit log is disabled by default. +# +# To enable it, set AUDIT_LOG_LEVEL to "info" +# To disable it, set AUDIT_LOG_LEVEL to "emergency" +AUDIT_LOG_LEVEL=emergency + +# +# If you want, you can redirect the audit logs to another channel. +# Set 'audit_stdout', 'audit_syslog', 'audit_errorlog' to log to the system itself. +# Use audit_daily to log to a rotating file. +# Use audit_papertrail to log to papertrail. +# +# If you do this, the audit logs may be mixed with normal logs because the settings for these channels +# are often the same as the settings for the normal logs. +AUDIT_LOG_CHANNEL= + +# +# Used when logging to papertrail: +# Also used when audit logs log to papertrail: +# +PAPERTRAIL_HOST= +PAPERTRAIL_PORT= + +# PostgreSQL supports SSL. You can configure it here. 
+# If you use Docker or similar, you can set these variables from a file by appending them with _FILE +PGSQL_SSL_MODE=prefer +PGSQL_SSL_ROOT_CERT=null +PGSQL_SSL_CERT=null +PGSQL_SSL_KEY=null +PGSQL_SSL_CRL_FILE=null + +# more PostgreSQL settings +PGSQL_SCHEMA=public + +# If you're looking for performance improvements, you could install memcached or redis +CACHE_DRIVER=file +SESSION_DRIVER=file + +# If you set either of the options above to 'redis', you might want to update these settings too +# If you use Docker or similar, you can set REDIS_HOST_FILE, REDIS_PASSWORD_FILE or +# REDIS_PORT_FILE to set the value from a file instead of from an environment variable + +# can be tcp, unix or http +REDIS_SCHEME=tcp + +# use only when using 'unix' for REDIS_SCHEME. Leave empty otherwise. +REDIS_PATH= + +# use only when using 'tcp' or 'http' for REDIS_SCHEME. Leave empty otherwise. +REDIS_HOST=127.0.0.1 +REDIS_PORT=6379 + +# Use only with Redis 6+ with proper ACL set. Leave empty otherwise. +REDIS_USERNAME= +REDIS_PASSWORD= + +# always use quotes and make sure redis db "0" and "1" exists. Otherwise change accordingly. +REDIS_DB="0" +REDIS_CACHE_DB="1" + +# Cookie settings. Should not be necessary to change these. +# If you use Docker or similar, you can set COOKIE_DOMAIN_FILE to set +# the value from a file instead of from an environment variable +# Setting samesite to "strict" may give you trouble logging in. +COOKIE_PATH="/" +COOKIE_DOMAIN= +COOKIE_SECURE=false +COOKIE_SAMESITE=lax + +# Firefly III can send you the following messages. +SEND_ERROR_MESSAGE=true + +# These messages contain (sensitive) transaction information: +SEND_REPORT_JOURNALS=true + +# Set this value to true if you want to set the location of certain things, like transactions. +# Since this involves an external service, it's optional and disabled by default. +ENABLE_EXTERNAL_MAP=false + +# Set this value to true if you want Firefly III to download currency exchange rates +# from the internet. 
These rates are hosted by the creator of Firefly III inside +# an Azure Storage Container. +# Not all currencies may be available. Rates may be wrong. +ENABLE_EXTERNAL_RATES=true + +# The map will default to this location: +MAP_DEFAULT_LAT=51.983333 +MAP_DEFAULT_LONG=5.916667 +MAP_DEFAULT_ZOOM=6 + +# +# Firefly III authentication settings +# + +# +# Firefly III supports a few authentication methods: +# - 'web' (default, uses built in DB) +# - 'remote_user_guard' for Authelia etc +# Read more about these settings in the documentation. +# https://docs.firefly-iii.org/firefly-iii/advanced-installation/authentication +# +# LDAP is no longer supported :( +# +AUTHENTICATION_GUARD=web + +# +# Remote user guard settings +# +AUTHENTICATION_GUARD_HEADER=REMOTE_USER +AUTHENTICATION_GUARD_EMAIL= + +# +# Firefly III supports webhooks. These are security sensitive and must be enabled manually first. +# +ALLOW_WEBHOOKS=false + +# +# The static cron job token can be useful when you use Docker and wish to manage cron jobs. +# 1. Set this token to any 32-character value (this is important!). +# 2. Use this token in the cron URL instead of a user's command line token that you can find in /profile +# +# For more info: https://docs.firefly-iii.org/firefly-iii/advanced-installation/cron/ +# +# You can set this variable from a file by appending it with _FILE +# +STATIC_CRON_TOKEN= + +# You can fine tune the start-up of a Docker container by editing these environment variables. +# Use this at your own risk. Disabling certain checks and features may result in lots of inconsistent data. +# However if you know what you're doing you can significantly speed up container start times. +# Set each value to true to enable, or false to disable. + +# Set this to true to build all locales supported by Firefly III. +# This may take quite some time (several minutes) and is generally not recommended. 
+# If you wish to change or alter the list of locales, start your Docker container with +# `docker run -v locale.gen:/etc/locale.gen -e DKR_BUILD_LOCALE=true` +# and make sure your preferred locales are in your own locale.gen. +DKR_BUILD_LOCALE=false + +# Check if the SQLite database exists. Can be skipped if you're not using SQLite. +# Won't significantly speed up things. +DKR_CHECK_SQLITE=true + +# Run database creation and migration commands. Disable this only if you're 100% sure the DB exists +# and is up to date. +DKR_RUN_MIGRATION=true + +# Run database upgrade commands. Disable this only when you're 100% sure your DB is up-to-date +# with the latest fixes (outside of migrations!) +DKR_RUN_UPGRADE=true + +# Verify database integrity. Includes all data checks and verifications. +# Disabling this makes Firefly III assume your DB is intact. +DKR_RUN_VERIFY=true + +# Run database reporting commands. When disabled, Firefly III won't go over your data to report current state. +# Disabling this should have no impact on data integrity or safety but it won't warn you of possible issues. +DKR_RUN_REPORT=true + +# Generate OAuth2 keys. +# When disabled, Firefly III won't attempt to generate OAuth2 Passport keys. This won't be an issue, IFF (if and only if) +# you had previously generated keys already and they're stored in your database for restoration. +DKR_RUN_PASSPORT_INSTALL=true + +# Leave the following configuration vars as is. +# Unless you like to tinker and know what you're doing. +APP_NAME=FireflyIII +BROADCAST_DRIVER=log +QUEUE_DRIVER=sync +CACHE_PREFIX=firefly +PUSHER_KEY= +IPINFO_TOKEN= +PUSHER_SECRET= +PUSHER_ID= +DEMO_USERNAME= +DEMO_PASSWORD= +FIREFLY_III_LAYOUT=v1 + +# +# If you have trouble configuring your Firefly III installation, DON'T BOTHER setting this variable. +# It won't work. It doesn't do ANYTHING. Don't believe the lies you read online. I'm not joking. +# This configuration value WILL NOT HELP. 
+# +# Notable exception to this rule is Synology, which, according to some users, will use APP_URL to rewrite stuff. +# +# This variable is ONLY used in some of the emails Firefly III sends around. Nowhere else. +# So when configuring anything WEB related this variable doesn't do anything. Nothing +# +# If you're stuck I understand you get desperate but look SOMEWHERE ELSE. +# +APP_URL=http://localhost diff --git a/hosts/pie/.env.firefly-importer b/hosts/pie/.env.firefly-importer new file mode 100644 index 0000000..f1fe1bb --- /dev/null +++ b/hosts/pie/.env.firefly-importer 
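Review bot: `TRUSTED_PROXIES=**` makes the application honour X-Forwarded-* headers from whatever connects to it, which is only safe while port 8080 is reachable solely from the reverse proxy; hosts/pie/firefly.nix in this same diff publishes the container as `8080:8080` on every host interface, so a LAN client can reach it directly and present a forged client address or scheme. `COOKIE_SECURE=false` is also set although the Caddy vhost for firefly.b12f.io will serve HTTPS by default, so the session cookie is not marked Secure. I would set `COOKIE_SECURE=true` and narrow TRUSTED_PROXIES to the proxy's address, or keep `**` only once the published port is bound to loopback. `SEND_REPORT_JOURNALS=true` mails transaction details, as the file's own comment warns; worth a conscious decision given the mail settings live in the agenix secret file and are not reviewable here.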
@@ -0,0 +1,126 @@ +# Firefly Data Importer (FIDI) configuration file + +# Where is Firefly III? +# +# 1) Make sure you ADD http:// or https:// +# 2) Make sure you REMOVE any trailing slash from the end of the URL. +# 3) In case of Docker, refer to the internal IP of your Firefly III installation. +# +# Setting this value is not mandatory. But it is very useful. +# +# This variable can be set from a file if you append it with _FILE +# +FIREFLY_III_URL=https://firefly.b12f.io + +# +# Imagine Firefly III can be reached at "http://172.16.0.2:8082" (internal Docker network or something). +# But you have a fancy URL: "https://personal-finances.bill.microsoft.com/" +# +# In those cases, you can overrule the URL so when the data importer links back to Firefly III, it uses the correct URL. +# +# 1) Make sure you ADD http:// or https:// +# 2) Make sure you REMOVE any trailing slash from the end of the URL. +# +# IF YOU SET THIS VALUE, YOU MUST ALSO SET THE FIREFLY_III_URL +# +# This variable can be set from a file if you append it with _FILE +# +VANITY_URL=https://firefly.b12f.io + +# +# If set to true, the data import will not complain about running into duplicates. +# This will give you cleaner import mails if you run regular imports. +# +# This means that the data importer will not import duplicates, but it will not complain about them either. +# +# This setting has no influence on the settings in your configuration(.json). +# +# Of course, if something goes wrong *because* the transaction is a duplicate you will +# NEVER know unless you start digging in your log files. So be careful with this. +# +IGNORE_DUPLICATE_ERRORS=false + +# +# Is the /autoimport even endpoint enabled? +# By default it's disabled, and the secret alone will not enable it. +# +CAN_POST_AUTOIMPORT=false + +# +# Is the /autoupload endpoint enabled? +# By default it's disabled, and the secret alone will not enable it. +# +CAN_POST_FILES=false + +# +# Import directory white list. 
You need to set this before the auto importer will accept a directory to import from. +# +# This variable can be set from a file if you append it with _FILE +# +IMPORT_DIR_ALLOWLIST= + +# +# When you're running Firefly III under a (self-signed) certificate, +# the data importer may have trouble verifying the TLS connection. +# +# You have a few options to make sure the data importer can connect +# to Firefly III: +# - 'true': will verify all certificates. The most secure option and the default. +# - 'file.pem': refer to a file (you must provide it) to your custom root or intermediate certificates. +# - 'false': will verify NO certificates. Not very secure. +VERIFY_TLS_SECURITY=true + +# +# If you want, you can set a directory here where the data importer will look for import configurations. +# This is a separate setting from the /import directory that the auto-import uses. +# Setting this variable isn't necessary. The default value is "storage/configurations". +# +# This variable can be set from a file if you append it with _FILE +# +JSON_CONFIGURATION_DIR= + +# +# Time out when connecting with Firefly III. +# π*10 seconds is usually fine. +# +CONNECTION_TIMEOUT=31.41 + +# The following variables can be useful when debugging the application +APP_ENV=local +APP_DEBUG=false +LOG_CHANNEL=stack + +# Log level. You can set this from least severe to most severe: +# debug, info, notice, warning, error, critical, alert, emergency +# If you set it to debug your logs will grow large, and fast. If you set it to emergency probably +# nothing will get logged, ever. +LOG_LEVEL=debug + +# TRUSTED_PROXIES is a useful variable when using Docker and/or a reverse proxy. +# Set it to ** and reverse proxies work just fine. +TRUSTED_PROXIES= + +# +# Time zone +# +TZ=Europe/Amsterdam + +# +# Use ASSET_URL when you're running the data importer in a sub-directory. +# +ASSET_URL= + +# +# Email settings. 
+# The data importer can send you a message with all errors, warnings and messages +# after a successful import. This is disabled by default +# +ENABLE_MAIL_REPORT=false + +# +# Force Firefly III URL to be secure? +# +# +EXPECT_SECURE_URL=true + +APP_NAME=DataImporter diff --git a/hosts/pie/configuration.nix b/hosts/pie/configuration.nix index f6fb708..d9e8b6b 100644 --- a/hosts/pie/configuration.nix +++ b/hosts/pie/configuration.nix @@ -1,6 +1,3 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). { config, pkgs, @@ -22,12 +19,24 @@ in { boot.loader.generic-extlinux-compatible.enable = false; boot.supportedFilesystems = [ "zfs" ]; - networking.hostId = "34234773"; - boot.kernelPackages = pkgs.linuxPackages_6_1; + boot.kernelParams = [ + "boot.shell_on_fail=1" + "ip=192.168.178.2::192.168.178.1:255.255.255.0:pie.b12f.io::auto6" + ]; + + boot.initrd.network.enable = true; + boot.initrd.network.ssh = { + enable = true; + port = 22; + authorizedKeys = psCfg.user.publicKeys; + hostKeys = ["/etc/secrets/initrd/ssh_host_ed25519_key"]; + }; + pub-solar.core.disk-encryption-active = false; + networking.hostId = "34234773"; networking.hostName = "pie"; networking.defaultGateway = { address = "192.168.178.1"; @@ -41,6 +50,13 @@ in { } ]; + networking.interfaces.enabcm6e4ei0.ipv6.addresses = [ + { + address = "fe80::dea6:32ff:fe5c:3164"; + prefixLength = 64; + } + ]; + security.sudo.extraRules = [ { users = ["${psCfg.user.name}"]; diff --git a/hosts/pie/ddclient.nix b/hosts/pie/ddclient.nix new file mode 100644 index 0000000..9a9af07 --- /dev/null +++ b/hosts/pie/ddclient.nix 
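Review bot: `LOG_LEVEL=debug` ships debug logging in a committed production config while the companion .env.firefly uses `APP_LOG_LEVEL=notice`; the file's own comment says debug logs grow large and fast, and for an importer that handles bank exports debug output may well include request details (not verifiable from here). `TRUSTED_PROXIES=` is left empty although the importer is reached through the Caddy vhost `firefly-importer.b12f.io`, so with `EXPECT_SECURE_URL=true` the app may not recognise the proxied request as HTTPS — this is inferred, confirm against the importer's documentation. I would set `LOG_LEVEL=notice` to match the core config and put the proxy's address in TRUSTED_PROXIES rather than leaving it blank.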
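Review bot: `boot.shell_on_fail=1` in `boot.kernelParams` gives anyone at the console an unauthenticated root shell in stage 1 whenever boot fails; the encrypted root stays locked, but the recovery environment is open, and the initrd SSH server added right below already provides an authenticated recovery path, so I would drop that parameter. The initrd SSH listens on `port = 22;` with its own host key (`/etc/secrets/initrd/ssh_host_ed25519_key`), so clients will see a host-key mismatch against the real sshd on the same port unless they keep a separate known_hosts entry; a distinct port such as `port = 2222;` avoids training users to accept key changes. `pub-solar.core.disk-encryption-active = false;` is kept while hosts/pie/hardware-configuration.nix in this same diff adds a LUKS `cryptroot`, which looks inconsistent — I cannot see that option's semantics here, so please confirm. The enclosing attribute set starts and ends outside the hunk.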
@@ -0,0 +1,44 @@
+{
+ flake,
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+with lib; let
+ psCfg = config.pub-solar;
+ xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+
+ getIP4 = with pkgs; writeShellScriptBin "getIP" ''
+ ${curl}/bin/curl -4 https://ipcheck-ds.wieistmeineip.de/callback/ | ${coreutils}/bin/tail -c +2 | ${coreutils}/bin/head -c -1 | ${jq}/bin/jq '.ip' -r
+ '';
+ getIP6 = with pkgs; writeShellScriptBin "getIP" ''
+ ${curl}/bin/curl -6 https://ipcheck-ds.wieistmeineip.de/callback/ | ${coreutils}/bin/tail -c +2 | ${coreutils}/bin/head -c -1 | ${jq}/bin/jq '.ip' -r
+ '';
+in {
+ imports = [
+ flake.self.nixosModules.ddclient
+ ];
+
+ services.ddclient = {
+ enable = true;
+ protocol = "dyndns1";
+ domains = [
+ "pie.b12f.io"
+ "droppie.b12f.io"
+ ];
+ server = "ddns.hosting.de";
+ username = "b12f";
+ usev4 = "cmdv4, cmdv4=${getIP4}/bin/getIP";
+ usev6 = "cmdv6, cmdv6=${getIP6}/bin/getIP";
+ verbose = true;
+ passwordFile = "/run/agenix/dyndns.key";
+ interval = "1min";
+ };
+
+ age.secrets."dyndns.key" = {
+ file = "${flake.self}/secrets/dyndns.key";
+ mode = "400";
+ owner = "root";
+ };
+}
diff --git a/hosts/pie/default.nix b/hosts/pie/default.nix
index 541edac..869abf0 100644
--- a/hosts/pie/default.nix
+++ b/hosts/pie/default.nix
@@ -6,5 +6,7 @@
 ./unbound.nix
 ./dhcpd.nix
 ./wake-droppie.nix
+ ./ddclient.nix
+ # ./firefly.nix
 ];
 }
diff --git a/hosts/pie/dhcpd.nix b/hosts/pie/dhcpd.nix
index 2c55cf5..ebdb4f3 100644
--- a/hosts/pie/dhcpd.nix
+++ b/hosts/pie/dhcpd.nix
@@ -4,6 +4,7 @@
 services.kea.dhcp4 = {
 enable = true;
+
 settings = {
 interfaces-config = {
 dhcp-socket-type = "raw";
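Review bot: The `getIP4`/`getIP6` scripts have no failure handling: `curl` runs without `-f`/`-sS`, the pipeline has no `pipefail`, and `tail -c +2 | head -c -1` assumes the exact JSONP wrapper the service returns today, so an outage or an error page yields an empty or `null` address that is handed to ddclient through `cmdv4`/`cmdv6` — what ddclient then pushes to hosting.de I cannot tell from here. I would start both scripts with `set -o pipefail` and use `${curl}/bin/curl -4 -fsS --max-time 10 https://ipcheck-ds.wieistmeineip.de/callback/` (and `-6` in the second) so a failed lookup exits non-zero instead of emitting garbage; writeShellScriptBin runs under runtimeShell, which is bash on NixOS, so pipefail should be available — confirm. Both derivations share the name `"getIP"`, which is harmless but makes store paths hard to tell apart in logs; `getIP4`/`getIP6` would read better. `verbose = true;` together with `interval = "1min";` will also make the ddclient journal chatty and hits the external IP service every minute.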
@@ -76,6 +77,44 @@
 persist = true;
 type = "memfile";
 };
+
+ subnet6 = [
+ {
+ subnet = "2a02:908:500:b::/64";
+
+ pools = [
+ { pool = "2a02:908:500:b::/64"; }
+ ];
+
+ option-data = [
+ {
+ name = "dns-servers";
+ code = 23;
+ space = "dhcp6";
+ csv-format = true;
+ data = "2a02:908:500:b:3077:4e39:7763:b5b7";
+ }
+ ];
+
+ reservations = [
+ {
+ hostname = "droppie.local";
+ hw-address = "08:f1:ea:97:0f:0c";
+ ip-addresses = [
+ "2a02:908:500:b:3077:4e39:7763:b5b8"
+ ];
+ }
+ {
+ hostname = "pie.local";
+ hw-address = "dc:a6:32:5c:31:64";
+ ip-addresses = [
+ "2a02:908:500:b:3077:4e39:7763:b5b7"
+ ];
+ }
+ ];
+ }
+ ];
+
 rebind-timer = 2000;
 renew-timer = 1000;
 };
diff --git a/hosts/pie/firefly.nix b/hosts/pie/firefly.nix
new file mode 100644
index 0000000..1e0bbe3
--- /dev/null
+++ b/hosts/pie/firefly.nix
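Review bot: The `subnet6` reservations match on `hw-address`, but as far as I recall Kea can only apply a MAC reservation in DHCPv6 when it can derive the MAC from the client's DUID (DUID-LL/LLT) or from relay-supplied options; clients that use DUID-EN or DUID-UUID would silently get a dynamic address instead. Adding a `duid` to each reservation, or verifying the match in Kea's lease log, avoids the two hosts drifting from the addresses that hosts/pie/unbound.nix hard-codes for them in this same diff. The `pools` entry covers the whole `2a02:908:500:b::/64`, including both reserved addresses and the DNS server address in `option-data`; Kea keeps in-subnet reservations out of dynamic allocation by default, so this works, but a narrower pool makes the intent explicit. The enclosing `services.kea` attribute set starts and ends outside the hunk.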
@@ -0,0 +1,99 @@
+{
+ flake,
+ config,
+ pkgs,
+ lib,
+ ...
+}: {
+ age.secrets."firefly-secrets.env" = {
+ file = "${flake.self}/secrets/firefly-secrets.env";
+ mode = "600";
+ };
+
+ age.secrets."firefly-db-secrets.env" = {
+ file = "${flake.self}/secrets/firefly-db-secrets.env";
+ mode = "600";
+ };
+
+ age.secrets."firefly-importer-secrets.env" = {
+ file = "${flake.self}/secrets/firefly-importer-secrets.env";
+ mode = "600";
+ };
+
+ services.caddy = {
+ enable = true;
+ extraConfig = ''
+ firefly.b12f.io {
+ reverse_proxy localhost:8080
+ }
+ firefly-importer.b12f.io {
+ reverse_proxy localhost:8081
+ }
+ '';
+ };
+
+ systemd.services."docker-network-firefly" = let
+ docker = config.virtualisation.oci-containers.backend;
+ dockerBin = "${pkgs.${docker}}/bin/${docker}";
+ in {
+ serviceConfig.Type = "oneshot";
+ before = ["docker-firefly.service"];
+ script = ''
+ ${dockerBin} network inspect firefly >/dev/null 2>&1 || ${dockerBin} network create firefly --subnet 172.20.0.0/24
+ '';
+ };
+
+ virtualisation = {
+ oci-containers = {
+ backend = "docker";
+
+ containers."firefly" = {
+ image = "fireflyiii/core:latest";
+ autoStart = true;
+ volumes = [
+ "/var/lib/firefly/upload:/var/www/html/storage/upload"
+ ];
+ extraOptions = [ "--network=firefly" ];
+ environmentFiles = [
+ ./.env.firefly
+ config.age.secrets."firefly-secrets.env".path
+ ];
+ ports = [ "8080:8080" ];
+ dependsOn = [ "firefly-db" ];
+ };
+
+ containers."firefly-db" = {
+ image = "postgres:16";
+ autoStart = true;
+ volumes = [
+ "/var/lib/firefly/db:/var/lib/postgresql/data"
+ ];
+ extraOptions = [ "--network=firefly" ];
+ environmentFiles = [
+ config.age.secrets."firefly-db-secrets.env".path
+ ];
+ };
+
+ containers."firefly-importer" = {
+ image = "fireflyiii/data-importer:latest";
+ autoStart = true;
+ volumes = [
+ "/var/lib/firefly/db:/var/lib/postgresql/data"
+ ];
+ extraOptions = [ "--network=firefly" ];
+ ports = [ "8081:8080" ];
+ environmentFiles = [
+
config.age.secrets."firefly-importer-secrets.env".path
+ ];
+ dependsOn = [ "firefly" ];
+ };
+
+ # containers."cron" = {
+ # image = "alpine";
+ # autoStart = true;
+ # command = ''sh -c "echo \"0 3 * * * wget -qO- http://firefly:8080/api/v1/cron/REPLACEME\" | crontab - && crond -f -L /dev/stdout"'';
+ # extraOptions = [ "--network=firefly" ];
+ # };
+ };
+ };
+}
diff --git a/hosts/pie/hardware-configuration.nix b/hosts/pie/hardware-configuration.nix
index 2274708..1460bff 100644
--- a/hosts/pie/hardware-configuration.nix
+++ b/hosts/pie/hardware-configuration.nix
@@ -12,20 +12,29 @@
 boot.initrd.kernelModules = [ ];
 boot.kernelModules = [ ];
 boot.extraModulePackages = [ ];
+ boot.supportedFilesystems = [ "zfs" ];
- fileSystems."/" = {
- device = "zroot/root";
- fsType = "zfs";
+ boot.initrd.luks.devices = {
+ cryptroot = {
+ device = "/dev/disk/by-uuid/742f819f-98e5-457d-b21e-30443455fde3";
+ bypassWorkqueues = true; # optimization for ssds
+ };
 };
- fileSystems."/boot" = {
- device = "/dev/disk/by-uuid/DA7C-BE8B";
- fsType = "vfat";
- };
+ fileSystems."/" =
+ { device = "zroot/root";
+ fsType = "zfs";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/0D5D-B809";
+ fsType = "vfat";
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-uuid/af71e930-42ce-4174-a098-4ea5753b1ea9"; }
+ ];
- swapDevices = [
- { device = "/dev/disk/by-uuid/8ce4ae9c-2db0-41b0-8468-91bb184707d1"; }
- ];
 # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
 # (the default) this is the recommended approach. When using systemd-networkd it's
diff --git a/hosts/pie/unbound.nix b/hosts/pie/unbound.nix
index 3636edd..80f8670 100644
--- a/hosts/pie/unbound.nix
+++ b/hosts/pie/unbound.nix
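Review bot: `ports = [ "8080:8080" ];` and `ports = [ "8081:8080" ];` publish both containers on every host interface, so Firefly III and the importer are reachable from the LAN without passing through the Caddy vhosts (and their TLS), and since .env.firefly sets `TRUSTED_PROXIES=**` any such direct client can forge forwarded headers; bind them to loopback with `ports = [ "127.0.0.1:8080:8080" ];` and `ports = [ "127.0.0.1:8081:8080" ];`. The `firefly-importer` container also mounts `/var/lib/firefly/db:/var/lib/postgresql/data`, the live Postgres data directory of `firefly-db` — this looks copied from the db container, the importer has no use for it, and sharing a running PostgreSQL data directory with a second container both exposes the database files to that image and risks corruption; drop that `volumes` entry. All three images are pulled by floating tag (`fireflyiii/core:latest`, `postgres:16`, `fireflyiii/data-importer:latest`), so each restart may silently pick up a different build; pin a version, ideally a digest. Note that hosts/pie/default.nix in this same diff imports this file only as a comment (`# ./firefly.nix`), so none of this is active yet.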
@@ -17,9 +17,24 @@
 "\"box\" static"
 ];
 local-data = [
+ "\"droppie.local. 10800 IN A 192.168.178.3\""
+ "\"droppie.local. 10800 IN AAAA 2a02:908:500:b:3077:4e39:7763:b5b8\""
+ "\"droppie.b12f.io. 10800 IN A 192.168.178.3\""
+ "\"droppie.b12f.io. 10800 IN AAAA 2a02:908:500:b:3077:4e39:7763:b5b8\""
 "\"backup.b12f.io. 10800 IN A 192.168.178.3\""
+ "\"backup.b12f.io. 10800 IN AAAA 2a02:908:500:b:3077:4e39:7763:b5b8\""
+ "\"pie.local. 10800 IN A 192.168.178.2\""
+ "\"pie.local. 10800 IN AAAA 2a02:908:500:b:3077:4e39:7763:b5b7\""
+ "\"pie.b12f.io. 10800 IN A 192.168.178.2\""
+ "\"pie.b12f.io. 10800 IN AAAA 2a02:908:500:b:3077:4e39:7763:b5b7\""
+ "\"firefly.b12f.io. 10800 IN A 192.168.178.2\""
+ "\"firefly.b12f.io. 10800 IN AAAA 2a02:908:500:b:3077:4e39:7763:b5b7\""
+ "\"paperless.b12f.io. 10800 IN A 192.168.178.2\""
+ "\"paperless.b12f.io. 10800 IN AAAA 2a02:908:500:b:3077:4e39:7763:b5b7\""
+ "\"fritz.box. 10800 IN A 192.168.178.1\""
+ "\"fritz.box. 10800 IN AAAA fd00::3ea6:2fff:fe57:30b0\""
 ];
 };
 forward-zone = [
diff --git a/modules/core/packages.nix b/modules/core/packages.nix
index 51faea2..fbbc6d0 100644
--- a/modules/core/packages.nix
+++ b/modules/core/packages.nix
@@ -20,6 +20,6 @@ in {
 findutils
 exfat
- gitFull
+ gitMinimal
 ];
 }
diff --git a/modules/ddclient/default.nix b/modules/ddclient/default.nix
new file mode 100644
index 0000000..e3ee366
--- /dev/null
+++ b/modules/ddclient/default.nix
@@ -0,0 +1,245 @@ +{ + config, + pkgs, + lib, + ... +}: +let + cfg = config.services.ddclient; + boolToStr = bool: if bool then "yes" else "no"; + dataDir = "/var/lib/ddclient"; + StateDirectory = builtins.baseNameOf dataDir; + RuntimeDirectory = StateDirectory; + + usev4 = if cfg.usev4 != "" then "usev4=${cfg.usev4}" else ""; + usev6 = if cfg.usev6 != "" then "usev6=${cfg.usev6}" else ""; + + configFile' = pkgs.writeText "ddclient.conf" '' + # This file can be used as a template for configFile or is automatically generated by Nix options. + use=no + ${usev4} + ${usev6} + cache=${dataDir}/ddclient.cache + foreground=yes + login=${cfg.username} + password=${if cfg.protocol == "nsupdate" then "/run/${RuntimeDirectory}/ddclient.key" else "@password_placeholder@"} + protocol=${cfg.protocol} + ${lib.optionalString (cfg.script != "") "script=${cfg.script}"} + ${lib.optionalString (cfg.server != "") "server=${cfg.server}"} + ${lib.optionalString (cfg.zone != "") "zone=${cfg.zone}"} + ssl=${boolToStr cfg.ssl} + wildcard=yes + quiet=${boolToStr cfg.quiet} + verbose=${boolToStr cfg.verbose} + ${cfg.extraConfig} + ${lib.concatStringsSep "," cfg.domains} + ''; + configFile = if (cfg.configFile != null) then cfg.configFile else configFile'; + + preStart = '' + install --mode=600 --owner=$USER ${configFile} /run/${RuntimeDirectory}/ddclient.conf + ${lib.optionalString (cfg.configFile == null) (if (cfg.protocol == "nsupdate") then '' + install --mode=600 --owner=$USER ${cfg.passwordFile} /run/${RuntimeDirectory}/ddclient.key + '' else if (cfg.passwordFile != null) then '' + "${pkgs.replace-secret}/bin/replace-secret" "@password_placeholder@" "${cfg.passwordFile}" "/run/${RuntimeDirectory}/ddclient.conf" + '' else '' + sed -i '/^password=@password_placeholder@$/d' /run/${RuntimeDirectory}/ddclient.conf + '')} + ''; +in with lib; { + disabledModules = [ + "services/networking/ddclient.nix" + ]; + + imports = [ + (mkChangedOptionModule [ "services" "ddclient" "domain" ] [ "services" 
"ddclient" "domains" ] + (config: + let value = getAttrFromPath [ "services" "ddclient" "domain" ] config; + in if value != "" then [ value ] else [])) + (mkRemovedOptionModule [ "services" "ddclient" "homeDir" ] "") + (mkRemovedOptionModule [ "services" "ddclient" "password" ] "Use services.ddclient.passwordFile instead.") + ]; + + ###### interface + + options = { + services.ddclient = with lib.types; { + enable = mkOption { + default = false; + type = bool; + description = lib.mdDoc '' + Whether to synchronise your machine's IP address with a dynamic DNS provider (e.g. dyndns.org). + ''; + }; + + package = mkOption { + type = package; + default = pkgs.ddclient; + defaultText = lib.literalExpression "pkgs.ddclient"; + description = lib.mdDoc '' + The ddclient executable package run by the service. + ''; + }; + + domains = mkOption { + default = [ "" ]; + type = listOf str; + description = lib.mdDoc '' + Domain name(s) to synchronize. + ''; + }; + + username = mkOption { + # For `nsupdate` username contains the path to the nsupdate executable + default = lib.optionalString (config.services.ddclient.protocol == "nsupdate") "${pkgs.bind.dnsutils}/bin/nsupdate"; + defaultText = ""; + type = str; + description = lib.mdDoc '' + User name. + ''; + }; + + passwordFile = mkOption { + default = null; + type = nullOr str; + description = lib.mdDoc '' + A file containing the password or a TSIG key in named format when using the nsupdate protocol. + ''; + }; + + interval = mkOption { + default = "10min"; + type = str; + description = lib.mdDoc '' + The interval at which to run the check and update. + See {command}`man 7 systemd.time` for the format. + ''; + }; + + configFile = mkOption { + default = null; + type = nullOr path; + description = lib.mdDoc '' + Path to configuration file. + When set this overrides the generated configuration from module options. 
+ ''; + example = "/root/nixos/secrets/ddclient.conf"; + }; + + protocol = mkOption { + default = "dyndns2"; + type = str; + description = lib.mdDoc '' + Protocol to use with dynamic DNS provider (see https://sourceforge.net/p/ddclient/wiki/protocols). + ''; + }; + + server = mkOption { + default = ""; + type = str; + description = lib.mdDoc '' + Server address. + ''; + }; + + ssl = mkOption { + default = true; + type = bool; + description = lib.mdDoc '' + Whether to use SSL/TLS to connect to dynamic DNS provider. + ''; + }; + + quiet = mkOption { + default = false; + type = bool; + description = lib.mdDoc '' + Print no messages for unnecessary updates. + ''; + }; + + script = mkOption { + default = ""; + type = str; + description = lib.mdDoc '' + script as required by some providers. + ''; + }; + + usev4 = mkOption { + default = "webv4, webv4=checkip.dyndns.com/, webv4-skip='Current IP Address: '"; + type = str; + description = lib.mdDoc '' + Method to determine the IP address to send to the dynamic DNS provider. + ''; + }; + + usev6 = mkOption { + default = ""; + type = str; + description = lib.mdDoc '' + Method to determine the IP address to send to the dynamic DNS provider. + ''; + }; + + verbose = mkOption { + default = false; + type = bool; + description = lib.mdDoc '' + Print verbose information. + ''; + }; + + zone = mkOption { + default = ""; + type = str; + description = lib.mdDoc '' + zone as required by some providers. + ''; + }; + + extraConfig = mkOption { + default = ""; + type = lines; + description = lib.mdDoc '' + Extra configuration. Contents will be added verbatim to the configuration file. + + ::: {.note} + `daemon` should not be added here because it does not work great with the systemd-timer approach the service uses. 
+ ::: + ''; + }; + }; + }; + + + ###### implementation + + config = mkIf config.services.ddclient.enable { + systemd.services.ddclient = { + description = "Dynamic DNS Client"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + restartTriggers = optional (cfg.configFile != null) cfg.configFile; + + serviceConfig = { + DynamicUser = true; + RuntimeDirectoryMode = "0700"; + inherit RuntimeDirectory; + inherit StateDirectory; + Type = "oneshot"; + ExecStartPre = "!${pkgs.writeShellScript "ddclient-prestart" preStart}"; + ExecStart = "${lib.getBin cfg.package}/bin/ddclient -file /run/${RuntimeDirectory}/ddclient.conf"; + }; + }; + + systemd.timers.ddclient = { + description = "Run ddclient"; + wantedBy = [ "timers.target" ]; + timerConfig = { + OnBootSec = cfg.interval; + OnUnitInactiveSec = cfg.interval; + }; + }; + }; +} diff --git a/modules/default.nix b/modules/default.nix index a8e008a..2ce614c 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -10,6 +10,7 @@ bluetooth = import ./bluetooth; core = import ./core; crypto = import ./crypto; + ddclient = import ./ddclient; desktop-extended = import ./desktop-extended; docker = import ./docker; email = import ./email; diff --git a/modules/desktop-extended/default.nix b/modules/desktop-extended/default.nix index ed0334d..45b3f84 100644 --- a/modules/desktop-extended/default.nix +++ b/modules/desktop-extended/default.nix @@ -12,9 +12,9 @@ in { users.users."${psCfg.user.name}".packages = with pkgs; [ ungoogled-chromium - gimp wine + gimp present-md inkscape gpxsee diff --git a/modules/graphical/sway/config/config.nix b/modules/graphical/sway/config/config.nix index 629fe5a..b811c30 100644 --- a/modules/graphical/sway/config/config.nix +++ b/modules/graphical/sway/config/config.nix 
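Review bot: The generated `ddclient.conf` is built with `pkgs.writeText`, so `login=${cfg.username}`, `${cfg.extraConfig}` and the domain list land in the world-readable Nix store — only the password goes through `replace-secret` at service start. The `extraConfig` description should say so, e.g. `Extra configuration. Contents will be added verbatim to the configuration file, which is stored in the world-readable Nix store; keep credentials in passwordFile.`, and the same caveat fits `username`, since for some providers that value is itself a secret token. Because this file disables the upstream module via `disabledModules` to add `usev4`/`usev6`, the host will no longer pick up upstream fixes to the service's hardening or password handling; a header comment naming the nixpkgs revision it was copied from and why (if I recall correctly newer nixpkgs ddclient modules provide these options themselves) would make it easier to drop this copy later.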
@@ -19,7 +19,7 @@
 set $up i
 set $right l
 # Your preferred terminal emulator
- set $term ${pkgs.alacritty}
+ set $term ${pkgs.alacritty}/bin/alacritty
 # Your preferred application launcher
 # Note: pass the final command to swaymsg so that the resulting window can be opened
 # on the original workspace that the command was run on.
diff --git a/overlays/default.nix b/overlays/default.nix
index 27401c6..6f3e7f3 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -32,12 +32,6 @@
 (import ./neovim-plugins.nix)
 (import ./signal-desktop.nix)
 ];
-
- nix.nixPath = [
- "nixpkgs=${inputs.nixpkgs}"
- "nixos-config=${../lib/compat/nixos}"
- "home-manager=${inputs.home-manager}"
- ];
 });
 };
 };
diff --git a/overlays/overrides.nix b/overlays/overrides.nix
deleted file mode 100644
index 80be2f3..0000000
--- a/overlays/overrides.nix
+++ /dev/null
@@ -1,41 +0,0 @@
-channels: final: prev: {
- __dontExport = true; # overrides clutter up actual creations
-
- inherit
- (channels.latest)
-
- nixd
- ;
-
- inherit
- (channels.fix-yubikey-agent)
-
- yubikey-agent
- ;
-
- inherit
- (channels.master)
-
- factorio-headless
- paperless-ngx
- waybar
- element-desktop
- signal-desktop
- ;
-
- haskellPackages =
- prev.haskellPackages.override
- (old: {
- overrides = prev.lib.composeExtensions (old.overrides or (_: _: {})) (hfinal: hprev: let
- version = prev.lib.replaceChars ["."] [""] prev.ghc.version;
- in {
- # same for haskell packages, matching ghc versions
- inherit
- (channels.latest.haskell.packages."ghc${version}")
- haskell-language-server
- ;
- });
- });
-
- vimPlugins = prev.vimPlugins // {inherit (channels.latest.vimPlugins) nvim-lspconfig;};
-}
diff --git a/secrets/.fwknoprc b/secrets/.fwknoprc
index 6bf3691..fefd74d 100644
Binary files a/secrets/.fwknoprc and b/secrets/.fwknoprc differ
diff --git a/secrets/b12f-env-secrets b/secrets/b12f-env-secrets
index a70de4c..2999b55 100644
Binary files a/secrets/b12f-env-secrets and b/secrets/b12f-env-secrets differ
diff --git a/secrets/cat-test.ovpn b/secrets/cat-test.ovpn
index a7ffd69..0aa1e4d 100644
Binary files a/secrets/cat-test.ovpn and b/secrets/cat-test.ovpn differ
diff --git a/secrets/crypto_keyfile-chocolatebar.bin b/secrets/crypto_keyfile-chocolatebar.bin
index 98fb3f9..40edd6d 100644
Binary files a/secrets/crypto_keyfile-chocolatebar.bin and b/secrets/crypto_keyfile-chocolatebar.bin differ
diff --git a/secrets/droppie-ssh-root.key b/secrets/droppie-ssh-root.key
index fa6fde6..8a43c1c 100644
Binary files a/secrets/droppie-ssh-root.key and b/secrets/droppie-ssh-root.key differ
diff --git a/secrets/dyndns-droppie.key b/secrets/dyndns-droppie.key
deleted file mode 100644
index d4f7e99..0000000
--- a/secrets/dyndns-droppie.key
+++ /dev/null
@@ -1,27 +0,0 @@ -age-encryption.org/v1 --> ssh-rsa kFDS0A -lbrJzpCXpf3BJYL80d2vD/b4raoPnUKV0D9Ka9yKb72W3ATfA/Cqq7vpisHRnwyj -3pt1TfrPzti/8ZKDqY/Zw171jQbOF6zW45z4m8yJu4J1LYXh8yYrTR3YPwhPoGYm -eZJWWj2YghqCFC7vdL/wZFjkStxwBGgrJfNOxJBcXOpUX2TOzfdNAgJ/pEkvdd/L -jktiU5ITt7KXruwSEXRzHVfmntl4SaqDqYfeb0Y0q2a1oMpxTnBKcYXj6dYcZIHv -Lm8HX0JsIiThz/DXB4sP2O5GlGeYyibj2iMSCsCqadwDpUndVtJnzFgjSQD5A0gd -enNTYly3GSmC9TWt/r2VHHyneAnJ3HQKB5hUEqxPz9peemnvfTA89SIGHddmkXfY -XSeN5WJnSG0+WAOwrpJjzl9CgUg9xJS7dDqVob3CwL9oVEQP8FcuuyqCg72ppd4J -fdseq5/R+HuVnh6sEUHoaHEDidHtTrpE2Rd49Tesj/BT+YrJyQ/kQqHmy9RiLU2f -DSRwLO4/qHF6W8UfuF2N08aMxRpxqXPWTjI/vHxoSJRcSqaofF42x50OQU8lY96c -8bPlDPB7HOBg+7bVvOQCaR3+KRuOx+HYpeMwEokQTwCke+frPfXorilNbAcaFUp4 -QiU1sUZia/FOZ+j47+6pkfC2DfLpiNL2TLWYcNtIzUc --> ssh-ed25519 7Wns0A aKiZ8iw+Ub5rByBef0apOn6lG5Bv6tzFCiBu3DN6sSg -58+9kySg3ajO7E5V87b/qRu9axpu2hQUuY/cVTt2YdI --> ssh-rsa wVtlwQ -RbrfuwS5zQzL9yMWFDSnWj9cQFLirTH37Xf79Dis2CJIDd83vmlmGNY5x1aPpZoZ -J6XDhibGTJc02DYuNVIE1IXm0x9tc6Z9PTT+WiAFt1JuKHguXTWLRMM9HmyvWWDg -bFsRDAcYup+SK5d+ME+XooDGueC822rAjkGIRHNSCimGwuLpDRKqyyVfYA+dcfiP -EoYH7x4S09jYRr1C5EkbraLbm1vijc5ikJw3b42KKbyo3wDwKga+Vk2nl2AtgjZp -KipZlyjs+IjMRXX5IBpgoRtXcvHuidsOSc+guRo0ihF9MbzRc/Tt2g0V7t3KjeT0 -SJDLmHOos2RKTmx06aidDg --> Dz(k-grease ~FF p m)E{J3E -7Igp3pclCAzAmeky5cPqlIzcITT+0jvieQe7ruSxRYRYqpYU7tMQFmHuNUahp+BP -MzOYiM+PIQmn ---- IC9SI76EjaFZxQ5odEeIv49n/O8uOdpM6LE1Z7dtHg4 -l%uE\ ?2\&wG&@W~9"^Ɔon^xOIuO21c*m%)#جeI6A/i \ No newline at end of file diff --git a/secrets/dyndns.key b/secrets/dyndns.key new file mode 100644 index 0000000..2642b29 --- /dev/null +++ b/secrets/dyndns.key 
@@ -0,0 +1,20 @@ +age-encryption.org/v1 +-> ssh-ed25519 8bHz7g GloMoc3qIJq8coOIqGLIWtAwSZMu/tJdLDLt155o+RA +XKt0Hw50VXh3YYYbKEqpVAAo4aj6X+24mX8saH6nu1w +-> ssh-rsa kFDS0A +dG8ZmFNRKsg0sihla32+amA5mlD/tzPgauOtsH64wAvQjPz+aBr7xL8l5usR+nMV +BldXVlaYfipevHmWGE48vvNheAbBLNZ/0iIfJpV8EDdcUZd7v8Ijgp5f4zns2nRS +CGHQRGtcxD1OtPl0Rg5/zF/0vBnmsIUyig/NHmrRaWF08WZBZhMgIcnoRXpUlcnj +AlrW9ElfSTKRsOT2F4AbVcKBrbagSjzJ9ZrIJ/D4gxW8bE6pYkHd5sflXbL4TsRY +4G3kBKC41Co5Z6byv4gaT+y0AfX7/Q6f1lvaqOOAbBzt18TaEZYDoe270L53Wfzy +VPlnM41vo+EsGsKhzTaWLTmBaawSWRhxZScHygZhu+SgIFLEDpU2kOY8XlKp6yuv +82jyEW+ts9069hGvmzrt5yr+HLMzlhEOPfGYqrDgbmuJsq0E4PQPkQOLeGROxaUs +zceCwfg4HUFDRHVa8KBy1HjovjkLzl/auvJaUUre5RTGLp7QWYX5rqiME7AndgfV +joxVMJY0tkrvollNI3xXmfU2xeuK4Jm7Jw54lJ13KaYk1QqC1sMNCo7cuEUIw8Ic +N3aAU6KRX1ltZ3IIo+vJYVQO34UWNa9Xf6uGFTzX9HzpUYEkHbv90Gx4ck+2sYvi +3dBfz1koiFyTfOT094zqDuecH0MsmWExtefBDvU7gcU +-> |0I<)A4-grease +g/FEYilOi+UwM+E98Rvpav2jqeLUlVeDAo4PVWHNhjIbas8iJV6eKwwJMNfuEJ5D +wdh+HTDijoUzaYTPgYqcKg +--- N46xNnGnaWTUqGo6Q7R0VNqgPpUEu0D2VDgOnPZhgiw +zpaf&H~prnOk͵C`leۨǾ"Ʀ&L41)y%:;35樋ܛ \ No newline at end of file diff --git a/secrets/firefly-db-secrets.env b/secrets/firefly-db-secrets.env new file mode 100644 index 0000000..4f673bc --- /dev/null +++ b/secrets/firefly-db-secrets.env 
@@ -0,0 +1,21 @@ +age-encryption.org/v1 +-> ssh-ed25519 8bHz7g vV/SfIESf7TVyAJLgMTm0Tbkd4jLRpcNH/L3ZAIgqyY +KIm/ih9nmdCVkh/c6ol5DwJARivS5s3v6LXXIOuIh9c +-> ssh-rsa kFDS0A +IYso7nT1ccztAARLNc5UsbTM1OE6fYuCrPyWnv4b0FFyYGeiP94baH2zPUKbnCVB +t2VdtU/B+ywqfdD92LnA0t9huzlSVLIA/If6lg4xZ8dZH3rTJ/lhlCmHhMOXNcJ9 +ytLCz1DSatQfmfPQ2NqBthh68IR/vMStop78l/9p2WWY7v6INIhq5lqNgBHsbRxH +P+qQcLKFCNEMib/8h/3aNghfRFe/JL+3/B3M+e1+Ee+ASv1EuheJLbZCEhdUo1Z7 +/nJOCH418bbUWRrRx8fwgmqTS+0ViD1jFWdNgf5akD9HU3WMEAStTS0NDi0yWSxC +5ZsAzrYSplZeXZ+U3G/sNqMsDqHzffWr9OW5o3h1R7/F5P9VBwq2yN1kGaliSK3f +ePbD4QG/qVMsHCXKUfL8BbytljP8BtLdpsp72ZDwtnujw/NuB8SS1jiWzYmZEeoy +1zRBY21KbE4Vrm7vqSPPEnlvEsIyTUfeZrk5JDTqb/TbvFsunXc6g6m6QbOdcExE +SjRPBG0OzYgSNxIt6eM3lnXlp/1UGIZIuu0SaDbmMpZ+KevFg9qQhLRvcwRHi80W +elOxVY7jU2u5AFF5hdD3J4ANijOz/JFDcPYD0RBrjyrbWXFuL6HvBdUmOo7HZpZb +cQeQKBfQX+czuVEwdH5zRipxo65/Tt8nN2vCI0Nyx7o +-> JWdGKAh8-grease > +RgQ2hCi5bBfRsqGIvrwmrWE +--- e4oH/zzH6rnwTpoQI5T+etz/BlQD9Kry7lYsAw8BK14 +b s^*"Mc"*GsXqUhUsEi/3I6^mpY9 +s^yXX~Q!weČpreiE| ʱe3$l +%Cꡞ{3EV+4A \ No newline at end of file diff --git a/secrets/firefly-importer-secrets.env b/secrets/firefly-importer-secrets.env new file mode 100644 index 0000000..a3e9c3b Binary files /dev/null and b/secrets/firefly-importer-secrets.env differ diff --git a/secrets/firefly-secrets.env b/secrets/firefly-secrets.env new file mode 100644 index 0000000..6a78902 Binary files /dev/null and b/secrets/firefly-secrets.env differ diff --git a/secrets/hdd_keyfile-chocolatebar.bin b/secrets/hdd_keyfile-chocolatebar.bin index f48b953..3f7bcbc 100644 Binary files a/secrets/hdd_keyfile-chocolatebar.bin and b/secrets/hdd_keyfile-chocolatebar.bin differ diff --git a/secrets/hosting.de-api.key b/secrets/hosting.de-api.key index 32c936b..fa629c7 100644 Binary files a/secrets/hosting.de-api.key and b/secrets/hosting.de-api.key differ 
diff --git a/secrets/keyfile-biolimo.bin b/secrets/keyfile-biolimo.bin
index 4fb6972..a548fe9 100644
Binary files a/secrets/keyfile-biolimo.bin and b/secrets/keyfile-biolimo.bin differ
diff --git a/secrets/keyfile-chocolatebar.bin b/secrets/keyfile-chocolatebar.bin
index dec7a83..550f4d3 100644
Binary files a/secrets/keyfile-chocolatebar.bin and b/secrets/keyfile-chocolatebar.bin differ
diff --git a/secrets/mopidy.conf b/secrets/mopidy.conf
index 2edbacf..ddb1628 100644
Binary files a/secrets/mopidy.conf and b/secrets/mopidy.conf differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index ed5b0d3..db808d8 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -11,7 +11,7 @@ let
 droppie-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBDuXuPPDXTyJgy4JRwbKcPbawvVB1Il2neyRWb4O5sJ root@nixos";
 droppie-user = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnYTlTmHCl6LOkexqRR9LqjOoFgt9TQ4VzHQGRHJMzF/AGcDRoqC+pBLFSTzRb5/ikAOsb32XHyKVg4nNdJeQshO11QtDmkCB02D/XcIXxnNQ5A8CztT2az5xJtbbWSdamMnHBLcqLiwoLmXbERpdlt8jNqMHrz+bjCUGYVAFSfc/WdIs6EATJ1eF0VFxv7nUh4qhgStABSwhNsnoYOC/DOBSA9aBP1f5Fz9QHUioPTGi2hRwbTbtFUvTrymPpWVFRApa1zvGXcr4YUCm7ia1ZlZKzRpsPkwLxb8Omm4bGmR0cAVwVhVRySnhpCTwbIBLyw+H8PvKWBBba1NAKyMij root@droppie";
- nougat-2-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINELr5Bvr15GqCHevg9QP8oYFgmaRUUHcPFf4MZho9gI root@nougat-2";
+ pie-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINcTORdlVno0B9R6Yh9qmlOZKA/ZQ8RBzXK7/1rBbE02 root@pie.local";
 baseKeys = [
 bbcom
@@ -32,8 +32,8 @@ let
 droppie-user
 ];
- nougat-2Keys = [
- nougat-2-host
+ pieKeys = [
+ pie-host
 ];
 in {
 "keyfile-biolimo.bin".publicKeys = biolimoKeys ++ baseKeys;
@@ -45,7 +45,7 @@ in {
 "vnc-cert-chocolatebar.pem".publicKeys = chocolatebarKeys ++ baseKeys;
 "vnc-key-chocolatebar.pem".publicKeys = chocolatebarKeys ++ baseKeys;
- "dyndns-droppie.key".publicKeys = droppieKeys ++ baseKeys;
+ "dyndns.key".publicKeys = pieKeys ++ baseKeys;
 "droppie-ssh-root.key".publicKeys = droppieKeys ++ baseKeys;
@@ -57,15 +57,11 @@ in {
 "cat-test.ovpn".publicKeys = biolimoKeys ++ chocolatebarKeys ++ baseKeys;
- "hosting.de-api.key".publicKeys = nougat-2Keys ++ baseKeys;
+ "hosting.de-api.key".publicKeys = baseKeys;
- "concourse-secrets.age".publicKeys = nougat-2Keys ++ baseKeys;
- "concourse-db-secrets.age".publicKeys = nougat-2Keys ++ baseKeys;
- "concourse-worker-key.age".publicKeys = nougat-2Keys ++ baseKeys;
- "concourse-tsa-host-key.age".publicKeys = nougat-2Keys ++ baseKeys;
- "concourse-session-signing-key.age".publicKeys = nougat-2Keys ++ baseKeys;
+ "firefly-secrets.env".publicKeys = pieKeys ++ baseKeys;
- "keycloak-database-password.age".publicKeys = nougat-2Keys ++ baseKeys;
+ "firefly-db-secrets.env".publicKeys = pieKeys ++ baseKeys;
- "gitea-database-password.age".publicKeys = nougat-2Keys ++ baseKeys;
+ "firefly-importer-secrets.env".publicKeys = pieKeys ++ baseKeys;
 }
diff --git a/secrets/vnc-cert-chocolatebar.pem b/secrets/vnc-cert-chocolatebar.pem
index d700399..7765f52 100644
Binary files a/secrets/vnc-cert-chocolatebar.pem and b/secrets/vnc-cert-chocolatebar.pem differ
diff --git a/secrets/vnc-key-chocolatebar.pem b/secrets/vnc-key-chocolatebar.pem
index d2853d1..154c5ec 100644
Binary files a/secrets/vnc-key-chocolatebar.pem and b/secrets/vnc-key-chocolatebar.pem differ
diff --git a/users/b12f/default.nix b/users/b12f/default.nix
index 0c42827..b870c74 100644
--- a/users/b12f/default.nix
+++ b/users/b12f/default.nix
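Review bot: `"hosting.de-api.key".publicKeys = baseKeys;` removes every host key from that secret's recipient list, so unless baseKeys itself contains a host key (its members are outside this diff) no machine can decrypt hosting.de-api.key at activation and whatever service reads it will fail; if a host still consumes it, that host's key list belongs back in the expression, e.g. `"hosting.de-api.key".publicKeys = pieKeys ++ baseKeys;`. The removed concourse-*.age, keycloak-database-password.age and gitea-database-password.age entries have no matching file deletions anywhere in this diff, so if those ciphertexts are still under secrets/ they are now unreferenced by secrets.nix while remaining encrypted to the retired nougat-2 host key; deleting them in the same commit keeps the directory limited to secrets agenix actually manages. The `in { ... }` attribute set this hunk edits begins outside the hunk.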
@@ -34,7 +34,6 @@ in {
 "ssh-rsa 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 b12f@biolimo"
 "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmiF8ndGhnx2YAWbPDq14fftAwcJ0xnjJIVTotI12OO4SPX/SwH5Yp8C8Kf002qN9FbFmaONzq3s8TYpej13JubhfsQywNuFKZuZvJeHzmOwxsANW86RVrWT0WZmYx9a/a1TF9rPQpibDVt60wX8yLdExaJc5F1SvIIuyz1kxYpz36wItfR6hcwoLGh1emFCmfCpebJmp3hsrMDTTtTW/YNhyeSZW74ckyvZyjCYtRCJ8uF0ZmOSKRdillv4Ztg8MsUubGn+vaMl6V6x/QuDuehEPoM/3wBx9o22nf+QVbk7S1PC8EdT/K5vskn4/pfR7mDCyQOq1hB4w4Oyn0dsfX pi@ssrtc"
 "ssh-rsa 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 b12f@chocolatebar"
- "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHx4A8rLYmFgTOp1fDGbbONN8SOT0l5wWrUSYFUcVzMPTyfdT23ZVIdVD5yZCySgi/7PSh5mVmyLIZVIXlNrZJg= @b12f Yubi Main"
 "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEST9eyAY3nzGYNnqDYfWHu+89LZsOjyKHMqCFvtP7vrgB7F7JbbECjdjAXEOfPDSCVwtMMpq8JJXeRMjpsD0rw= @b12f Yubi Backup"
 ];
diff --git a/users/b12f/session-variables.nix b/users/b12f/session-variables.nix
index 70facc5..96598e1 100644
--- a/users/b12f/session-variables.nix
+++ b/users/b12f/session-variables.nix
@@ -14,7 +14,7 @@ in {
 inherit DRONE_RPC_PROTO;
 DRONE_SERVER = DRONE_RPC_PROTO + "://" + DRONE_RPC_HOST;
- RESTIC_REPOSITORY = "sftp:root@backup.b12f.io:/media/internal/backups";
+ RESTIC_REPOSITORY = "sftp:root@droppie.b12f.io:/media/internal/backups";
 RESTIC_PASSWORD_COMMAND = "secret-tool lookup restic repository-password";
 };
 };
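Review bot: Dropping the `@b12f Yubi Main` ecdsa key from this authorized-keys list is only half of retiring a credential: nothing else in the commit revokes it, so if that key is also a recipient in secrets/secrets.nix (the members of baseKeys are not visible here) or appears in another host's authorized keys, it keeps that access until those places are updated and the affected secrets are rekeyed. A short comment recording why it was removed would help later audits, e.g. `# Yubi Main retired on <DATE-PLACEHOLDER>; rekey any secret that still lists it`. The list's opening line and the surrounding `in {` set start outside the hunk.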