fix: get networking on pie working properly
parent
fe8ebd083f
commit
747481c4ea
48
flake.lock
48
flake.lock
|
@ -40,9 +40,7 @@
|
|||
},
|
||||
"agenix": {
|
||||
"inputs": {
|
||||
"darwin": [
|
||||
"nix-darwin"
|
||||
],
|
||||
"darwin": "darwin",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
]
|
||||
|
@ -61,6 +59,28 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"darwin": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"agenix",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1696360011,
|
||||
"narHash": "sha256-HpPv27qMuPou4acXcZ8Klm7Zt0Elv9dgDvSJaomWb9Y=",
|
||||
"owner": "lnl7",
|
||||
"repo": "nix-darwin",
|
||||
"rev": "8b6ea26d5d2e8359d06278364f41fbc4b903b28a",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "lnl7",
|
||||
"ref": "master",
|
||||
"repo": "nix-darwin",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"deno2nix": {
|
||||
"inputs": {
|
||||
"devshell": "devshell",
|
||||
|
@ -322,27 +342,6 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nix-darwin": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1695686713,
|
||||
"narHash": "sha256-rJATx5B/nwlBpt7CJUf85LV27qWPbul5UVV8fu6ABPg=",
|
||||
"owner": "lnl7",
|
||||
"repo": "nix-darwin",
|
||||
"rev": "e236a1e598a9a59265897948ac9874c364b9555f",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "lnl7",
|
||||
"ref": "master",
|
||||
"repo": "nix-darwin",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixos-flake": {
|
||||
"locked": {
|
||||
"lastModified": 1692742948,
|
||||
|
@ -498,7 +497,6 @@
|
|||
"home-manager": "home-manager",
|
||||
"mobile-nixos": "mobile-nixos",
|
||||
"musnix": "musnix",
|
||||
"nix-darwin": "nix-darwin",
|
||||
"nixos-flake": "nixos-flake",
|
||||
"nixos-hardware": "nixos-hardware",
|
||||
"nixpkgs": "nixpkgs_2",
|
||||
|
|
|
@ -12,9 +12,6 @@
|
|||
flake-compat.url = "github:edolstra/flake-compat";
|
||||
flake-compat.flake = false;
|
||||
|
||||
nix-darwin.url = "github:lnl7/nix-darwin/master";
|
||||
nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
||||
home-manager.url = "github:nix-community/home-manager/release-23.05";
|
||||
home-manager.inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
||||
|
@ -27,7 +24,6 @@
|
|||
|
||||
agenix.url = "github:ryantm/agenix";
|
||||
agenix.inputs.nixpkgs.follows = "nixpkgs";
|
||||
agenix.inputs.darwin.follows = "nix-darwin";
|
||||
|
||||
nixos-hardware.url = "github:nixos/nixos-hardware";
|
||||
|
||||
|
@ -49,8 +45,6 @@
|
|||
systems = [
|
||||
"x86_64-linux"
|
||||
"aarch64-linux"
|
||||
"x86_64-darwin"
|
||||
"aarch64-darwin"
|
||||
];
|
||||
|
||||
imports = [
|
||||
|
@ -100,7 +94,7 @@
|
|||
};
|
||||
|
||||
droppie = {
|
||||
hostname = "backup.b12f.io";
|
||||
hostname = "droppie.b12f.io";
|
||||
sshUser = "yule";
|
||||
};
|
||||
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
flake,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
|
|
|
@ -57,7 +57,8 @@
|
|||
./pie
|
||||
self.nixosModules.yule
|
||||
self.nixosModules.printing
|
||||
self.nixosModules.paperless
|
||||
# self.nixosModules.paperless
|
||||
# self.nixosModules.docker
|
||||
];
|
||||
};
|
||||
|
||||
|
@ -80,6 +81,17 @@
|
|||
];
|
||||
};
|
||||
|
||||
iso-arm = self.nixos-flake.lib.mkLinuxSystem {
|
||||
nixpkgs.hostPlatform = "aarch64-linux";
|
||||
nixpkgs.buildPlatform = "x86_64-linux";
|
||||
imports = [
|
||||
"${inputs.nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix"
|
||||
self.nixosModules.base
|
||||
./iso
|
||||
self.nixosModules.nixos
|
||||
];
|
||||
};
|
||||
|
||||
iso-graphical = self.nixos-flake.lib.mkLinuxSystem {
|
||||
nixpkgs.hostPlatform = "x86_64-linux";
|
||||
imports = [
|
||||
|
|
|
@ -23,34 +23,6 @@ in {
|
|||
|
||||
networking.hostName = "droppie";
|
||||
|
||||
security.sudo.extraRules = [
|
||||
{
|
||||
users = ["${psCfg.user.name}"];
|
||||
commands = [
|
||||
{
|
||||
command = "ALL";
|
||||
options = ["NOPASSWD"];
|
||||
}
|
||||
];
|
||||
}
|
||||
];
|
||||
|
||||
services.ddclient = {
|
||||
enable = false;
|
||||
ipv6 = true;
|
||||
domains = ["backup.b12f.io"];
|
||||
server = "ddns.hosting.de";
|
||||
username = "b12f";
|
||||
use = "web, web=https://ipcheck-ds.wieistmeineip.de/callback/, web-skip='ip\":\"'";
|
||||
passwordFile = "/run/agenix/dyndns-droppie.key";
|
||||
};
|
||||
|
||||
age.secrets."dyndns-droppie.key" = {
|
||||
file = "${flake.self}/secrets/dyndns-droppie.key";
|
||||
mode = "400";
|
||||
owner = "root";
|
||||
};
|
||||
|
||||
# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQSephFJU0NMbVbhwvVJ2/m6jcPYo1IsWCsoarqKin root@droppie
|
||||
age.secrets."droppie-ssh-root.key" = {
|
||||
file = "${flake.self}/secrets/droppie-ssh-root.key";
|
||||
|
|
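--- a/hosts/pie/.env.firefly
+++ b/hosts/pie/.env.firefly
@@ -0,0 +1,239 @@
+# You can leave this on "local". If you change it to production most console commands will ask for extra confirmation.
+# Never set it to "testing".
+APP_ENV=local
+
+# Set to true if you want to see debug information in error screens.
+APP_DEBUG=false
+
+# This should be your email address.
+# If you use Docker or similar, you can set this variable from a file by using SITE_OWNER_FILE
+# The variable is used in some errors shown to users who aren't admin.
+SITE_OWNER=firefly-admin@benjaminbaedorf.eu
+
+# Firefly III will launch using this language (for new users and unauthenticated visitors)
+# For a list of available languages: https://github.com/firefly-iii/firefly-iii/tree/main/resources/lang
+#
+# If text is still in English, remember that not everything may have been translated.
+DEFAULT_LANGUAGE=en_US
+
+# The locale defines how numbers are formatted.
+# by default this value is the same as whatever the language is.
+DEFAULT_LOCALE=equal
+
+# Change this value to your preferred time zone.
+# Example: Europe/Amsterdam
+# For a list of supported time zones, see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
+TZ=Europe/Berlin
+
+# TRUSTED_PROXIES is a useful variable when using Docker and/or a reverse proxy.
+# Set it to ** and reverse proxies work just fine.
+TRUSTED_PROXIES=**
+
+# The log channel defines where your log entries go to.
+# Several other options exist. You can use 'single' for one big fat error log (not recommended).
+# Also available are 'syslog', 'errorlog' and 'stdout' which will log to the system itself.
+# A rotating log option is 'daily', creates 5 files that (surprise) rotate.
+# A cool option is 'papertrail' for cloud logging
+# Default setting 'stack' will log to 'daily' and to 'stdout' at the same time.
+LOG_CHANNEL=stack
+
+# Log level. You can set this from least severe to most severe:
+# debug, info, notice, warning, error, critical, alert, emergency
+# If you set it to debug your logs will grow large, and fast. If you set it to emergency probably
+# nothing will get logged, ever.
+APP_LOG_LEVEL=notice
+
+# Audit log level.
+# The audit log is used to log notable Firefly III events on a separate channel.
+# These log entries may contain sensitive financial information.
+# The audit log is disabled by default.
+#
+# To enable it, set AUDIT_LOG_LEVEL to "info"
+# To disable it, set AUDIT_LOG_LEVEL to "emergency"
+AUDIT_LOG_LEVEL=emergency
+
+#
+# If you want, you can redirect the audit logs to another channel.
+# Set 'audit_stdout', 'audit_syslog', 'audit_errorlog' to log to the system itself.
+# Use audit_daily to log to a rotating file.
+# Use audit_papertrail to log to papertrail.
+#
+# If you do this, the audit logs may be mixed with normal logs because the settings for these channels
+# are often the same as the settings for the normal logs.
+AUDIT_LOG_CHANNEL=
+
+#
+# Used when logging to papertrail:
+# Also used when audit logs log to papertrail:
+#
+PAPERTRAIL_HOST=
+PAPERTRAIL_PORT=
+
+# PostgreSQL supports SSL. You can configure it here.
+# If you use Docker or similar, you can set these variables from a file by appending them with _FILE
+PGSQL_SSL_MODE=prefer
+PGSQL_SSL_ROOT_CERT=null
+PGSQL_SSL_CERT=null
+PGSQL_SSL_KEY=null
+PGSQL_SSL_CRL_FILE=null
+
+# more PostgreSQL settings
+PGSQL_SCHEMA=public
+
+# If you're looking for performance improvements, you could install memcached or redis
+CACHE_DRIVER=file
+SESSION_DRIVER=file
+
+# If you set either of the options above to 'redis', you might want to update these settings too
+# If you use Docker or similar, you can set REDIS_HOST_FILE, REDIS_PASSWORD_FILE or
+# REDIS_PORT_FILE to set the value from a file instead of from an environment variable
+
+# can be tcp, unix or http
+REDIS_SCHEME=tcp
+
+# use only when using 'unix' for REDIS_SCHEME. Leave empty otherwise.
+REDIS_PATH=
+
+# use only when using 'tcp' or 'http' for REDIS_SCHEME. Leave empty otherwise.
+REDIS_HOST=127.0.0.1
+REDIS_PORT=6379
+
+# Use only with Redis 6+ with proper ACL set. Leave empty otherwise.
+REDIS_USERNAME=
+REDIS_PASSWORD=
+
+# always use quotes and make sure redis db "0" and "1" exists. Otherwise change accordingly.
+REDIS_DB="0"
+REDIS_CACHE_DB="1"
+
+# Cookie settings. Should not be necessary to change these.
+# If you use Docker or similar, you can set COOKIE_DOMAIN_FILE to set
+# the value from a file instead of from an environment variable
+# Setting samesite to "strict" may give you trouble logging in.
+COOKIE_PATH="/"
+COOKIE_DOMAIN=
+COOKIE_SECURE=false
+COOKIE_SAMESITE=lax
+
+# Firefly III can send you the following messages.
+SEND_ERROR_MESSAGE=true
+
+# These messages contain (sensitive) transaction information:
+SEND_REPORT_JOURNALS=true
+
+# Set this value to true if you want to set the location of certain things, like transactions.
+# Since this involves an external service, it's optional and disabled by default.
+ENABLE_EXTERNAL_MAP=false
+
+# Set this value to true if you want Firefly III to download currency exchange rates
+# from the internet. These rates are hosted by the creator of Firefly III inside
+# an Azure Storage Container.
+# Not all currencies may be available. Rates may be wrong.
+ENABLE_EXTERNAL_RATES=true
+
+# The map will default to this location:
+MAP_DEFAULT_LAT=51.983333
+MAP_DEFAULT_LONG=5.916667
+MAP_DEFAULT_ZOOM=6
+
+#
+# Firefly III authentication settings
+#
+
+#
+# Firefly III supports a few authentication methods:
+# - 'web' (default, uses built in DB)
+# - 'remote_user_guard' for Authelia etc
+# Read more about these settings in the documentation.
+# https://docs.firefly-iii.org/firefly-iii/advanced-installation/authentication
+#
+# LDAP is no longer supported :(
+#
+AUTHENTICATION_GUARD=web
+
+#
+# Remote user guard settings
+#
+AUTHENTICATION_GUARD_HEADER=REMOTE_USER
+AUTHENTICATION_GUARD_EMAIL=
+
+#
+# Firefly III supports webhooks. These are security sensitive and must be enabled manually first.
+#
+ALLOW_WEBHOOKS=false
+
+#
+# The static cron job token can be useful when you use Docker and wish to manage cron jobs.
+# 1. Set this token to any 32-character value (this is important!).
+# 2. Use this token in the cron URL instead of a user's command line token that you can find in /profile
+#
+# For more info: https://docs.firefly-iii.org/firefly-iii/advanced-installation/cron/
+#
+# You can set this variable from a file by appending it with _FILE
+#
+STATIC_CRON_TOKEN=
+
+# You can fine tune the start-up of a Docker container by editing these environment variables.
+# Use this at your own risk. Disabling certain checks and features may result in lots of inconsistent data.
+# However if you know what you're doing you can significantly speed up container start times.
+# Set each value to true to enable, or false to disable.
+
+# Set this to true to build all locales supported by Firefly III.
+# This may take quite some time (several minutes) and is generally not recommended.
+# If you wish to change or alter the list of locales, start your Docker container with
+# `docker run -v locale.gen:/etc/locale.gen -e DKR_BUILD_LOCALE=true`
+# and make sure your preferred locales are in your own locale.gen.
+DKR_BUILD_LOCALE=false
+
+# Check if the SQLite database exists. Can be skipped if you're not using SQLite.
+# Won't significantly speed up things.
+DKR_CHECK_SQLITE=true
+
+# Run database creation and migration commands. Disable this only if you're 100% sure the DB exists
+# and is up to date.
+DKR_RUN_MIGRATION=true
+
+# Run database upgrade commands. Disable this only when you're 100% sure your DB is up-to-date
+# with the latest fixes (outside of migrations!)
+DKR_RUN_UPGRADE=true
+
+# Verify database integrity. Includes all data checks and verifications.
+# Disabling this makes Firefly III assume your DB is intact.
+DKR_RUN_VERIFY=true
+
+# Run database reporting commands. When disabled, Firefly III won't go over your data to report current state.
+# Disabling this should have no impact on data integrity or safety but it won't warn you of possible issues.
+DKR_RUN_REPORT=true
+
+# Generate OAuth2 keys.
+# When disabled, Firefly III won't attempt to generate OAuth2 Passport keys. This won't be an issue, IFF (if and only if)
+# you had previously generated keys already and they're stored in your database for restoration.
+DKR_RUN_PASSPORT_INSTALL=true
+
+# Leave the following configuration vars as is.
+# Unless you like to tinker and know what you're doing.
+APP_NAME=FireflyIII
+BROADCAST_DRIVER=log
+QUEUE_DRIVER=sync
+CACHE_PREFIX=firefly
+PUSHER_KEY=
+IPINFO_TOKEN=
+PUSHER_SECRET=
+PUSHER_ID=
+DEMO_USERNAME=
+DEMO_PASSWORD=
+FIREFLY_III_LAYOUT=v1
+
+#
+# If you have trouble configuring your Firefly III installation, DON'T BOTHER setting this variable.
+# It won't work. It doesn't do ANYTHING. Don't believe the lies you read online. I'm not joking.
+# This configuration value WILL NOT HELP.
+#
+# Notable exception to this rule is Synology, which, according to some users, will use APP_URL to rewrite stuff.
+#
+# This variable is ONLY used in some of the emails Firefly III sends around. Nowhere else.
+# So when configuring anything WEB related this variable doesn't do anything. Nothing
+#
+# If you're stuck I understand you get desperate but look SOMEWHERE ELSE.
+#
+APP_URL=http://localhost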
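Review bot: `COOKIE_SECURE=false` leaves the Firefly session cookie without the Secure flag although firefly.b12f.io is fronted by Caddy (which, by default, terminates TLS for the site) and the same name gets a global IPv6 AAAA record in the unbound hunk, so the cookie will also travel over any plain-HTTP path that reaches the container; set `COOKIE_SECURE=true`. `TRUSTED_PROXIES=**` accepts forwarded headers from every peer, which is only safe while the container port is reachable solely from Caddy — with the `ports = [ "8080:8080" ]` publication in firefly.nix any LAN client can talk to port 8080 directly and supply its own X-Forwarded-For/Proto, so either narrow it to the proxy's address or bind the published port to loopback. `APP_URL=http://localhost` will put localhost links into the e-mails Firefly sends (the only place the value is used, per the comment above it); `APP_URL=https://firefly.b12f.io` matches the Caddy site.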
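--- a/hosts/pie/.env.firefly-importer
+++ b/hosts/pie/.env.firefly-importer
@@ -0,0 +1,126 @@
+# Firefly Data Importer (FIDI) configuration file
+
+# Where is Firefly III?
+#
+# 1) Make sure you ADD http:// or https://
+# 2) Make sure you REMOVE any trailing slash from the end of the URL.
+# 3) In case of Docker, refer to the internal IP of your Firefly III installation.
+#
+# Setting this value is not mandatory. But it is very useful.
+#
+# This variable can be set from a file if you append it with _FILE
+#
+FIREFLY_III_URL=https://firefly.b12f.io
+
+#
+# Imagine Firefly III can be reached at "http://172.16.0.2:8082" (internal Docker network or something).
+# But you have a fancy URL: "https://personal-finances.bill.microsoft.com/"
+#
+# In those cases, you can overrule the URL so when the data importer links back to Firefly III, it uses the correct URL.
+#
+# 1) Make sure you ADD http:// or https://
+# 2) Make sure you REMOVE any trailing slash from the end of the URL.
+#
+# IF YOU SET THIS VALUE, YOU MUST ALSO SET THE FIREFLY_III_URL
+#
+# This variable can be set from a file if you append it with _FILE
+#
+VANITY_URL=https://firefly.b12f.io
+
+#
+# If set to true, the data import will not complain about running into duplicates.
+# This will give you cleaner import mails if you run regular imports.
+#
+# This means that the data importer will not import duplicates, but it will not complain about them either.
+#
+# This setting has no influence on the settings in your configuration(.json).
+#
+# Of course, if something goes wrong *because* the transaction is a duplicate you will
+# NEVER know unless you start digging in your log files. So be careful with this.
+#
+IGNORE_DUPLICATE_ERRORS=false
+
+#
+# Is the /autoimport even endpoint enabled?
+# By default it's disabled, and the secret alone will not enable it.
+#
+CAN_POST_AUTOIMPORT=false
+
+#
+# Is the /autoupload endpoint enabled?
+# By default it's disabled, and the secret alone will not enable it.
+#
+CAN_POST_FILES=false
+
+#
+# Import directory white list. You need to set this before the auto importer will accept a directory to import from.
+#
+# This variable can be set from a file if you append it with _FILE
+#
+IMPORT_DIR_ALLOWLIST=
+
+#
+# When you're running Firefly III under a (self-signed) certificate,
+# the data importer may have trouble verifying the TLS connection.
+#
+# You have a few options to make sure the data importer can connect
+# to Firefly III:
+# - 'true': will verify all certificates. The most secure option and the default.
+# - 'file.pem': refer to a file (you must provide it) to your custom root or intermediate certificates.
+# - 'false': will verify NO certificates. Not very secure.
+VERIFY_TLS_SECURITY=true
+
+#
+# If you want, you can set a directory here where the data importer will look for import configurations.
+# This is a separate setting from the /import directory that the auto-import uses.
+# Setting this variable isn't necessary. The default value is "storage/configurations".
+#
+# This variable can be set from a file if you append it with _FILE
+#
+JSON_CONFIGURATION_DIR=
+
+#
+# Time out when connecting with Firefly III.
+# π*10 seconds is usually fine.
+#
+CONNECTION_TIMEOUT=31.41
+
+# The following variables can be useful when debugging the application
+APP_ENV=local
+APP_DEBUG=false
+LOG_CHANNEL=stack
+
+# Log level. You can set this from least severe to most severe:
+# debug, info, notice, warning, error, critical, alert, emergency
+# If you set it to debug your logs will grow large, and fast. If you set it to emergency probably
+# nothing will get logged, ever.
+LOG_LEVEL=debug
+
+# TRUSTED_PROXIES is a useful variable when using Docker and/or a reverse proxy.
+# Set it to ** and reverse proxies work just fine.
+TRUSTED_PROXIES=
+
+#
+# Time zone
+#
+TZ=Europe/Amsterdam
+
+#
+# Use ASSET_URL when you're running the data importer in a sub-directory.
+#
+ASSET_URL=
+
+#
+# Email settings.
+# The data importer can send you a message with all errors, warnings and messages
+# after a successful import. This is disabled by default
+#
+ENABLE_MAIL_REPORT=false
+
+#
+# Force Firefly III URL to be secure?
+#
+#
+EXPECT_SECURE_URL=true
+
+APP_NAME=DataImporter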
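Review bot: `LOG_LEVEL=debug` in a committed, permanent config contradicts the comment directly above it ("logs will grow large, and fast") and, for a tool that processes bank transaction exports, is likely to put transaction details into the container log; `LOG_LEVEL=notice` matches the core's `APP_LOG_LEVEL=notice` in `.env.firefly`. `TZ=Europe/Amsterdam` differs from the core's `TZ=Europe/Berlin`, so the two services can disagree about the date of an imported transaction; use one zone in both files. `TRUSTED_PROXIES=` is left empty although the importer is also proxied by Caddy (`firefly-importer.b12f.io`), so it will presumably log the proxy's address instead of the client's and may build http:// links — once the core's `**` is narrowed to the proxy address, use the same value here.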
@ -1,6 +1,3 @@
|
|||
# Edit this configuration file to define what should be installed on
|
||||
# your system. Help is available in the configuration.nix(5) man page
|
||||
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
|
@ -22,12 +19,24 @@ in {
|
|||
boot.loader.generic-extlinux-compatible.enable = false;
|
||||
|
||||
boot.supportedFilesystems = [ "zfs" ];
|
||||
networking.hostId = "34234773";
|
||||
|
||||
boot.kernelPackages = pkgs.linuxPackages_6_1;
|
||||
|
||||
boot.kernelParams = [
|
||||
"boot.shell_on_fail=1"
|
||||
"ip=192.168.178.2::192.168.178.1:255.255.255.0:pie.b12f.io::auto6"
|
||||
];
|
||||
|
||||
boot.initrd.network.enable = true;
|
||||
boot.initrd.network.ssh = {
|
||||
enable = true;
|
||||
port = 22;
|
||||
authorizedKeys = psCfg.user.publicKeys;
|
||||
hostKeys = ["/etc/secrets/initrd/ssh_host_ed25519_key"];
|
||||
};
|
||||
|
||||
pub-solar.core.disk-encryption-active = false;
|
||||
|
||||
networking.hostId = "34234773";
|
||||
networking.hostName = "pie";
|
||||
networking.defaultGateway = {
|
||||
address = "192.168.178.1";
|
||||
|
@ -41,6 +50,13 @@ in {
|
|||
}
|
||||
];
|
||||
|
||||
networking.interfaces.enabcm6e4ei0.ipv6.addresses = [
|
||||
{
|
||||
address = "fe80::dea6:32ff:fe5c:3164";
|
||||
prefixLength = 64;
|
||||
}
|
||||
];
|
||||
|
||||
security.sudo.extraRules = [
|
||||
{
|
||||
users = ["${psCfg.user.name}"];
|
||||
|
|
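Review bot: The initrd SSH server uses `port = 22;`, the same port as the stage-2 sshd, while its host key (`/etc/secrets/initrd/ssh_host_ed25519_key`, copied into the initrd on the unencrypted `/boot`) is necessarily a different identity from the main system's host key; every client that connects during boot will therefore see a host-key-changed warning for `pie.b12f.io:22`, which trains operators to override exactly the warning that would reveal a tampered initrd. Use a dedicated port such as `port = 2222;` so the two identities are recorded as separate known_hosts entries. `pub-solar.core.disk-encryption-active = false;` sits next to an initrd network/SSH setup that is normally only needed for remote unlocking; if the `cryptroot` LUKS device in the hardware-configuration hunk is the new state, that flag looks stale. The enclosing module continues outside the hunk.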
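--- a/hosts/pie/ddclient.nix
+++ b/hosts/pie/ddclient.nix
@@ -0,0 +1,44 @@
+{
+flake,
+config,
+pkgs,
+lib,
+...
+}:
+with lib; let
+psCfg = config.pub-solar;
+xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+
+getIP4 = with pkgs; writeShellScriptBin "getIP" ''
+${curl}/bin/curl -4 https://ipcheck-ds.wieistmeineip.de/callback/ | ${coreutils}/bin/tail -c +2 | ${coreutils}/bin/head -c -1 | ${jq}/bin/jq '.ip' -r
+'';
+getIP6 = with pkgs; writeShellScriptBin "getIP" ''
+${curl}/bin/curl -6 https://ipcheck-ds.wieistmeineip.de/callback/ | ${coreutils}/bin/tail -c +2 | ${coreutils}/bin/head -c -1 | ${jq}/bin/jq '.ip' -r
+'';
+in {
+imports = [
+flake.self.nixosModules.ddclient
+];
+
+services.ddclient = {
+enable = true;
+protocol = "dyndns1";
+domains = [
+"pie.b12f.io"
+"droppie.b12f.io"
+];
+server = "ddns.hosting.de";
+username = "b12f";
+usev4 = "cmdv4, cmdv4=${getIP4}/bin/getIP";
+usev6 = "cmdv6, cmdv6=${getIP6}/bin/getIP";
+verbose = true;
+passwordFile = "/run/agenix/dyndns.key";
+interval = "1min";
+};
+
+age.secrets."dyndns.key" = {
+file = "${flake.self}/secrets/dyndns.key";
+mode = "400";
+owner = "root";
+};
+}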
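Review bot: The `getIP4`/`getIP6` pipelines have no failure handling: `curl` runs without `-f`, `--silent` or `--max-time`, the script has no `set -o pipefail`, and `tail`/`head`/`jq` turn an HTTP error page or an empty body into `null` or an empty string, which ddclient then receives as the result of `cmdv4`/`cmdv6` every minute (`interval = "1min"`). Tighten both lines to `${curl}/bin/curl -4 -fsS --max-time 15 https://ipcheck-ds.wieistmeineip.de/callback/ | ${coreutils}/bin/tail -c +2 | ${coreutils}/bin/head -c -1 | ${jq}/bin/jq '.ip' -r` (with `-6` in the second) so a failed lookup produces no output instead of a bogus address. `xdg` is bound in the `let` but never used; drop it rather than keep a dangling reference into the home-manager configuration. `passwordFile = "/run/agenix/dyndns.key"` duplicates the path agenix derives from the secret declared below; `passwordFile = config.age.secrets."dyndns.key".path;` keeps the two from drifting.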
@ -6,5 +6,7 @@
|
|||
./unbound.nix
|
||||
./dhcpd.nix
|
||||
./wake-droppie.nix
|
||||
./ddclient.nix
|
||||
# ./firefly.nix
|
||||
];
|
||||
}
|
||||
|
|
|
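Review bot: `./firefly.nix` is added in this commit (with three agenix secrets, two Caddy sites and three containers) but is wired in only as the commented-out `# ./firefly.nix`, while the unbound hunk appears to add `firefly.b12f.io` A/AAAA records pointing at this host; either import the module or leave a comment on why it is parked, since the DNS names currently resolve to a host with no listener. The same applies to `self.nixosModules.paperless`, which the hosts hunk comments out while `paperless.b12f.io` records are added.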
@ -4,6 +4,7 @@
|
|||
|
||||
services.kea.dhcp4 = {
|
||||
enable = true;
|
||||
|
||||
settings = {
|
||||
interfaces-config = {
|
||||
dhcp-socket-type = "raw";
|
||||
|
@ -76,6 +77,44 @@
|
|||
persist = true;
|
||||
type = "memfile";
|
||||
};
|
||||
|
||||
subnet6 = [
|
||||
{
|
||||
subnet = "2a02:908:500:b::/64";
|
||||
|
||||
pools = [
|
||||
{ pool = "2a02:908:500:b::/64"; }
|
||||
];
|
||||
|
||||
option-data = [
|
||||
{
|
||||
name = "dns-servers";
|
||||
code = 23;
|
||||
space = "dhcp6";
|
||||
csv-format = true;
|
||||
data = "2a02:908:500:b:3077:4e39:7763:b5b7";
|
||||
}
|
||||
];
|
||||
|
||||
reservations = [
|
||||
{
|
||||
hostname = "droppie.local";
|
||||
hw-address = "08:f1:ea:97:0f:0c";
|
||||
ip-addresses = [
|
||||
"2a02:908:500:b:3077:4e39:7763:b5b8"
|
||||
];
|
||||
}
|
||||
{
|
||||
hostname = "pie.local";
|
||||
hw-address = "dc:a6:32:5c:31:64";
|
||||
ip-addresses = [
|
||||
"2a02:908:500:b:3077:4e39:7763:b5b7"
|
||||
];
|
||||
}
|
||||
];
|
||||
}
|
||||
];
|
||||
|
||||
rebind-timer = 2000;
|
||||
renew-timer = 1000;
|
||||
};
|
||||
|
|
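Review bot: The new `subnet6` block (with `space = "dhcp6"` and option code 23) is DHCPv6 configuration, but the only server this file is seen configuring is `services.kea.dhcp4` in the first hunk; if line 77 is still inside `services.kea.dhcp4.settings` (the enclosing attribute set starts before the hunk), kea-dhcp4 will reject the unknown `subnet6` key or ignore it, and no v6 leases will be handed out — it belongs under `services.kea.dhcp6.settings` with its own `interfaces-config`. If the file does define a `dhcp6` block further up, a comment naming it at the top of this section would save the next reader the same check.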
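--- a/hosts/pie/firefly.nix
+++ b/hosts/pie/firefly.nix
@@ -0,0 +1,99 @@
+{
+flake,
+config,
+pkgs,
+lib,
+...
+}: {
+age.secrets."firefly-secrets.env" = {
+file = "${flake.self}/secrets/firefly-secrets.env";
+mode = "600";
+};
+
+age.secrets."firefly-db-secrets.env" = {
+file = "${flake.self}/secrets/firefly-db-secrets.env";
+mode = "600";
+};
+
+age.secrets."firefly-importer-secrets.env" = {
+file = "${flake.self}/secrets/firefly-importer-secrets.env";
+mode = "600";
+};
+
+services.caddy = {
+enable = true;
+extraConfig = ''
+firefly.b12f.io {
+reverse_proxy localhost:8080
+}
+firefly-importer.b12f.io {
+reverse_proxy localhost:8081
+}
+'';
+};
+
+systemd.services."docker-network-firefly" = let
+docker = config.virtualisation.oci-containers.backend;
+dockerBin = "${pkgs.${docker}}/bin/${docker}";
+in {
+serviceConfig.Type = "oneshot";
+before = ["docker-firefly.service"];
+script = ''
+${dockerBin} network inspect firefly >/dev/null 2>&1 || ${dockerBin} network create firefly --subnet 172.20.0.0/24
+'';
+};
+
+virtualisation = {
+oci-containers = {
+backend = "docker";
+
+containers."firefly" = {
+image = "fireflyiii/core:latest";
+autoStart = true;
+volumes = [
+"/var/lib/firefly/upload:/var/www/html/storage/upload"
+];
+extraOptions = [ "--network=firefly" ];
+environmentFiles = [
+./.env.firefly
+config.age.secrets."firefly-secrets.env".path
+];
+ports = [ "8080:8080" ];
+dependsOn = [ "firefly-db" ];
+};
+
+containers."firefly-db" = {
+image = "postgres:16";
+autoStart = true;
+volumes = [
+"/var/lib/firefly/db:/var/lib/postgresql/data"
+];
+extraOptions = [ "--network=firefly" ];
+environmentFiles = [
+config.age.secrets."firefly-db-secrets.env".path
+];
+};
+
+containers."firefly-importer" = {
+image = "fireflyiii/data-importer:latest";
+autoStart = true;
+volumes = [
+"/var/lib/firefly/db:/var/lib/postgresql/data"
+];
+extraOptions = [ "--network=firefly" ];
+ports = [ "8081:8080" ];
+environmentFiles = [
+config.age.secrets."firefly-importer-secrets.env".path
+];
+dependsOn = [ "firefly" ];
+};
+
+# containers."cron" = {
+# image = "alpine";
+# autoStart = true;
+# command = ''sh -c "echo \"0 3 * * * wget -qO- http://firefly:8080/api/v1/cron/REPLACEME\" | crontab - && crond -f -L /dev/stdout"'';
+# extraOptions = [ "--network=firefly" ];
+# };
+};
+};
+}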
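Review bot: The `firefly-importer` container mounts `/var/lib/firefly/db:/var/lib/postgresql/data`, which looks copy-pasted from `firefly-db`: the importer only talks to Firefly III over HTTP and has no use for the raw Postgres data directory, so that `volumes` entry should be removed — as written, a compromised importer has read/write access to the whole database on disk. Both web containers publish on every interface (`ports = [ "8080:8080" ]` and `"8081:8080"`) although Caddy is the intended front door; bind them to loopback with `ports = [ "127.0.0.1:8080:8080" ];` and `ports = [ "127.0.0.1:8081:8080" ];` so the TLS-less container ports are not reachable from the LAN. `docker-network-firefly` has only `before = ["docker-firefly.service"]` and no `wantedBy`/`requiredBy`, so nothing pulls the unit in, and `firefly-db`/`firefly-importer` also use `--network=firefly`; `requiredBy = [ "docker-firefly.service" "docker-firefly-db.service" "docker-firefly-importer.service" ];` together with the same list in `before` covers all three. The `:latest` tags on both Firefly images mean an unplanned upgrade on every pull; pinning a version tag keeps the deployment reproducible.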
@ -12,20 +12,29 @@
|
|||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ ];
|
||||
boot.extraModulePackages = [ ];
|
||||
boot.supportedFilesystems = [ "zfs" ];
|
||||
|
||||
fileSystems."/" = {
|
||||
device = "zroot/root";
|
||||
fsType = "zfs";
|
||||
boot.initrd.luks.devices = {
|
||||
cryptroot = {
|
||||
device = "/dev/disk/by-uuid/742f819f-98e5-457d-b21e-30443455fde3";
|
||||
bypassWorkqueues = true; # optimization for ssds
|
||||
};
|
||||
};
|
||||
|
||||
fileSystems."/boot" = {
|
||||
device = "/dev/disk/by-uuid/DA7C-BE8B";
|
||||
fsType = "vfat";
|
||||
};
|
||||
fileSystems."/" =
|
||||
{ device = "zroot/root";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{ device = "/dev/disk/by-uuid/0D5D-B809";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
swapDevices =
|
||||
[ { device = "/dev/disk/by-uuid/af71e930-42ce-4174-a098-4ea5753b1ea9"; }
|
||||
];
|
||||
|
||||
swapDevices = [
|
||||
{ device = "/dev/disk/by-uuid/8ce4ae9c-2db0-41b0-8468-91bb184707d1"; }
|
||||
];
|
||||
|
||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||
|
|
|
@ -17,9 +17,24 @@
|
|||
"\"box\" static"
|
||||
];
|
||||
local-data = [
|
||||
"\"droppie.local. 10800 IN A 192.168.178.3\""
|
||||
"\"droppie.local. 10800 IN AAAA 2a02:908:500:b:3077:4e39:7763:b5b8\""
|
||||
"\"droppie.b12f.io. 10800 IN A 192.168.178.3\""
|
||||
"\"droppie.b12f.io. 10800 IN AAAA 2a02:908:500:b:3077:4e39:7763:b5b8\""
|
||||
"\"backup.b12f.io. 10800 IN A 192.168.178.3\""
|
||||
"\"backup.b12f.io. 10800 IN AAAA 2a02:908:500:b:3077:4e39:7763:b5b8\""
|
||||
|
||||
"\"pie.local. 10800 IN A 192.168.178.2\""
|
||||
"\"pie.local. 10800 IN AAAA 2a02:908:500:b:3077:4e39:7763:b5b7\""
|
||||
"\"pie.b12f.io. 10800 IN A 192.168.178.2\""
|
||||
"\"pie.b12f.io. 10800 IN AAAA 2a02:908:500:b:3077:4e39:7763:b5b7\""
|
||||
"\"firefly.b12f.io. 10800 IN A 192.168.178.2\""
|
||||
"\"firefly.b12f.io. 10800 IN AAAA 2a02:908:500:b:3077:4e39:7763:b5b7\""
|
||||
"\"paperless.b12f.io. 10800 IN A 192.168.178.2\""
|
||||
"\"paperless.b12f.io. 10800 IN AAAA 2a02:908:500:b:3077:4e39:7763:b5b7\""
|
||||
|
||||
"\"fritz.box. 10800 IN A 192.168.178.1\""
|
||||
"\"fritz.box. 10800 IN AAAA fd00::3ea6:2fff:fe57:30b0\""
|
||||
];
|
||||
};
|
||||
forward-zone = [
|
||||
|
|
|
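Review bot: The provider-assigned prefix `2a02:908:500:b::` and the two host suffixes (`…:b5b7`, `…:b5b8`) are now hard-coded in three places — these AAAA records, the kea `subnet6` pool/`dns-servers` option, and the kea reservations — so a prefix change by the ISP or a typo in one copy silently desynchronises DNS from DHCP. Pull the prefix and the two suffixes into one `let` binding (or a shared attribute the host modules import) and build every address from it; the records and the kea values happen to agree today, but nothing enforces that.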
@ -20,6 +20,6 @@ in {
|
|||
findutils
|
||||
exfat
|
||||
|
||||
gitFull
|
||||
gitMinimal
|
||||
];
|
||||
}
|
||||
|
|
245
modules/ddclient/default.nix
Normal file
245
modules/ddclient/default.nix
Normal file
|
@ -0,0 +1,245 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
let
|
||||
cfg = config.services.ddclient;
|
||||
boolToStr = bool: if bool then "yes" else "no";
|
||||
dataDir = "/var/lib/ddclient";
|
||||
StateDirectory = builtins.baseNameOf dataDir;
|
||||
RuntimeDirectory = StateDirectory;
|
||||
|
||||
usev4 = if cfg.usev4 != "" then "usev4=${cfg.usev4}" else "";
|
||||
usev6 = if cfg.usev6 != "" then "usev6=${cfg.usev6}" else "";
|
||||
|
||||
configFile' = pkgs.writeText "ddclient.conf" ''
|
||||
# This file can be used as a template for configFile or is automatically generated by Nix options.
|
||||
use=no
|
||||
${usev4}
|
||||
${usev6}
|
||||
cache=${dataDir}/ddclient.cache
|
||||
foreground=yes
|
||||
login=${cfg.username}
|
||||
password=${if cfg.protocol == "nsupdate" then "/run/${RuntimeDirectory}/ddclient.key" else "@password_placeholder@"}
|
||||
protocol=${cfg.protocol}
|
||||
${lib.optionalString (cfg.script != "") "script=${cfg.script}"}
|
||||
${lib.optionalString (cfg.server != "") "server=${cfg.server}"}
|
||||
${lib.optionalString (cfg.zone != "") "zone=${cfg.zone}"}
|
||||
ssl=${boolToStr cfg.ssl}
|
||||
wildcard=yes
|
||||
quiet=${boolToStr cfg.quiet}
|
||||
verbose=${boolToStr cfg.verbose}
|
||||
${cfg.extraConfig}
|
||||
${lib.concatStringsSep "," cfg.domains}
|
||||
'';
|
||||
configFile = if (cfg.configFile != null) then cfg.configFile else configFile';
|
||||
|
||||
preStart = ''
|
||||
install --mode=600 --owner=$USER ${configFile} /run/${RuntimeDirectory}/ddclient.conf
|
||||
${lib.optionalString (cfg.configFile == null) (if (cfg.protocol == "nsupdate") then ''
|
||||
install --mode=600 --owner=$USER ${cfg.passwordFile} /run/${RuntimeDirectory}/ddclient.key
|
||||
'' else if (cfg.passwordFile != null) then ''
|
||||
"${pkgs.replace-secret}/bin/replace-secret" "@password_placeholder@" "${cfg.passwordFile}" "/run/${RuntimeDirectory}/ddclient.conf"
|
||||
'' else ''
|
||||
sed -i '/^password=@password_placeholder@$/d' /run/${RuntimeDirectory}/ddclient.conf
|
||||
'')}
|
||||
'';
|
||||
in with lib; {
|
||||
disabledModules = [
|
||||
"services/networking/ddclient.nix"
|
||||
];
|
||||
|
||||
imports = [
|
||||
(mkChangedOptionModule [ "services" "ddclient" "domain" ] [ "services" "ddclient" "domains" ]
|
||||
(config:
|
||||
let value = getAttrFromPath [ "services" "ddclient" "domain" ] config;
|
||||
in if value != "" then [ value ] else []))
|
||||
(mkRemovedOptionModule [ "services" "ddclient" "homeDir" ] "")
|
||||
(mkRemovedOptionModule [ "services" "ddclient" "password" ] "Use services.ddclient.passwordFile instead.")
|
||||
];
|
||||
|
||||
###### interface
|
||||
|
||||
options = {
|
||||
services.ddclient = with lib.types; {
|
||||
enable = mkOption {
|
||||
default = false;
|
||||
type = bool;
|
||||
description = lib.mdDoc ''
|
||||
Whether to synchronise your machine's IP address with a dynamic DNS provider (e.g. dyndns.org).
|
||||
'';
|
||||
};
|
||||
|
||||
package = mkOption {
|
||||
type = package;
|
||||
default = pkgs.ddclient;
|
||||
defaultText = lib.literalExpression "pkgs.ddclient";
|
||||
description = lib.mdDoc ''
|
||||
The ddclient executable package run by the service.
|
||||
'';
|
||||
};
|
||||
|
||||
domains = mkOption {
|
||||
default = [ "" ];
|
||||
type = listOf str;
|
||||
description = lib.mdDoc ''
|
||||
Domain name(s) to synchronize.
|
||||
'';
|
||||
};
|
||||
|
||||
username = mkOption {
|
||||
# For `nsupdate` username contains the path to the nsupdate executable
|
||||
default = lib.optionalString (config.services.ddclient.protocol == "nsupdate") "${pkgs.bind.dnsutils}/bin/nsupdate";
|
||||
defaultText = "";
|
||||
type = str;
|
||||
description = lib.mdDoc ''
|
||||
User name.
|
||||
'';
|
||||
};
|
||||
|
||||
passwordFile = mkOption {
|
||||
default = null;
|
||||
type = nullOr str;
|
||||
description = lib.mdDoc ''
|
||||
A file containing the password or a TSIG key in named format when using the nsupdate protocol.
|
||||
'';
|
||||
};
|
||||
|
||||
interval = mkOption {
|
||||
default = "10min";
|
||||
type = str;
|
||||
description = lib.mdDoc ''
|
||||
The interval at which to run the check and update.
|
||||
See {command}`man 7 systemd.time` for the format.
|
||||
'';
|
||||
};
|
||||
|
||||
configFile = mkOption {
|
||||
default = null;
|
||||
type = nullOr path;
|
||||
description = lib.mdDoc ''
|
||||
Path to configuration file.
|
||||
When set this overrides the generated configuration from module options.
|
||||
'';
|
||||
example = "/root/nixos/secrets/ddclient.conf";
|
||||
};
|
||||
|
||||
protocol = mkOption {
|
||||
default = "dyndns2";
|
||||
type = str;
|
||||
description = lib.mdDoc ''
|
||||
Protocol to use with dynamic DNS provider (see https://sourceforge.net/p/ddclient/wiki/protocols).
|
||||
'';
|
||||
};
|
||||
|
||||
server = mkOption {
|
||||
default = "";
|
||||
type = str;
|
||||
description = lib.mdDoc ''
|
||||
Server address.
|
||||
'';
|
||||
};
|
||||
|
||||
ssl = mkOption {
|
||||
default = true;
|
||||
type = bool;
|
||||
description = lib.mdDoc ''
|
||||
Whether to use SSL/TLS to connect to dynamic DNS provider.
|
||||
'';
|
||||
};
|
||||
|
||||
quiet = mkOption {
|
||||
default = false;
|
||||
type = bool;
|
||||
description = lib.mdDoc ''
|
||||
Print no messages for unnecessary updates.
|
||||
'';
|
||||
};
|
||||
|
||||
script = mkOption {
|
||||
default = "";
|
||||
type = str;
|
||||
description = lib.mdDoc ''
|
||||
script as required by some providers.
|
||||
'';
|
||||
};
|
||||
|
||||
usev4 = mkOption {
|
||||
default = "webv4, webv4=checkip.dyndns.com/, webv4-skip='Current IP Address: '";
|
||||
type = str;
|
||||
description = lib.mdDoc ''
|
||||
Method to determine the IP address to send to the dynamic DNS provider.
|
||||
'';
|
||||
};
|
||||
|
||||
usev6 = mkOption {
|
||||
default = "";
|
||||
type = str;
|
||||
description = lib.mdDoc ''
|
||||
Method to determine the IP address to send to the dynamic DNS provider.
|
||||
'';
|
||||
};
|
||||
|
||||
verbose = mkOption {
|
||||
default = false;
|
||||
type = bool;
|
||||
description = lib.mdDoc ''
|
||||
Print verbose information.
|
||||
'';
|
||||
};
|
||||
|
||||
zone = mkOption {
|
||||
default = "";
|
||||
type = str;
|
||||
description = lib.mdDoc ''
|
||||
zone as required by some providers.
|
||||
'';
|
||||
};
|
||||
|
||||
extraConfig = mkOption {
|
||||
default = "";
|
||||
type = lines;
|
||||
description = lib.mdDoc ''
|
||||
Extra configuration. Contents will be added verbatim to the configuration file.
|
||||
|
||||
::: {.note}
|
||||
`daemon` should not be added here because it does not work great with the systemd-timer approach the service uses.
|
||||
:::
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
###### implementation
|
||||
|
||||
config = mkIf config.services.ddclient.enable {
|
||||
systemd.services.ddclient = {
|
||||
description = "Dynamic DNS Client";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
restartTriggers = optional (cfg.configFile != null) cfg.configFile;
|
||||
|
||||
serviceConfig = {
|
||||
DynamicUser = true;
|
||||
RuntimeDirectoryMode = "0700";
|
||||
inherit RuntimeDirectory;
|
||||
inherit StateDirectory;
|
||||
Type = "oneshot";
|
||||
ExecStartPre = "!${pkgs.writeShellScript "ddclient-prestart" preStart}";
|
||||
ExecStart = "${lib.getBin cfg.package}/bin/ddclient -file /run/${RuntimeDirectory}/ddclient.conf";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.timers.ddclient = {
|
||||
description = "Run ddclient";
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig = {
|
||||
OnBootSec = cfg.interval;
|
||||
OnUnitInactiveSec = cfg.interval;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -10,6 +10,7 @@
|
|||
bluetooth = import ./bluetooth;
|
||||
core = import ./core;
|
||||
crypto = import ./crypto;
|
||||
ddclient = import ./ddclient;
|
||||
desktop-extended = import ./desktop-extended;
|
||||
docker = import ./docker;
|
||||
email = import ./email;
|
||||
|
|
|
@ -12,9 +12,9 @@ in {
|
|||
|
||||
users.users."${psCfg.user.name}".packages = with pkgs; [
|
||||
ungoogled-chromium
|
||||
gimp
|
||||
wine
|
||||
|
||||
gimp
|
||||
present-md
|
||||
inkscape
|
||||
gpxsee
|
||||
|
|
|
@ -19,7 +19,7 @@
|
|||
set $up i
|
||||
set $right l
|
||||
# Your preferred terminal emulator
|
||||
set $term ${pkgs.alacritty}
|
||||
set $term ${pkgs.alacritty}/bin/alacritty
|
||||
# Your preferred application launcher
|
||||
# Note: pass the final command to swaymsg so that the resulting window can be opened
|
||||
# on the original workspace that the command was run on.
|
||||
|
|
|
@ -32,12 +32,6 @@
|
|||
(import ./neovim-plugins.nix)
|
||||
(import ./signal-desktop.nix)
|
||||
];
|
||||
|
||||
nix.nixPath = [
|
||||
"nixpkgs=${inputs.nixpkgs}"
|
||||
"nixos-config=${../lib/compat/nixos}"
|
||||
"home-manager=${inputs.home-manager}"
|
||||
];
|
||||
});
|
||||
};
|
||||
};
|
||||
|
|
|
@ -1,41 +0,0 @@
|
|||
channels: final: prev: {
|
||||
__dontExport = true; # overrides clutter up actual creations
|
||||
|
||||
inherit
|
||||
(channels.latest)
|
||||
|
||||
nixd
|
||||
;
|
||||
|
||||
inherit
|
||||
(channels.fix-yubikey-agent)
|
||||
|
||||
yubikey-agent
|
||||
;
|
||||
|
||||
inherit
|
||||
(channels.master)
|
||||
|
||||
factorio-headless
|
||||
paperless-ngx
|
||||
waybar
|
||||
element-desktop
|
||||
signal-desktop
|
||||
;
|
||||
|
||||
haskellPackages =
|
||||
prev.haskellPackages.override
|
||||
(old: {
|
||||
overrides = prev.lib.composeExtensions (old.overrides or (_: _: {})) (hfinal: hprev: let
|
||||
version = prev.lib.replaceChars ["."] [""] prev.ghc.version;
|
||||
in {
|
||||
# same for haskell packages, matching ghc versions
|
||||
inherit
|
||||
(channels.latest.haskell.packages."ghc${version}")
|
||||
haskell-language-server
|
||||
;
|
||||
});
|
||||
});
|
||||
|
||||
vimPlugins = prev.vimPlugins // {inherit (channels.latest.vimPlugins) nvim-lspconfig;};
|
||||
}
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -1,27 +0,0 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-rsa kFDS0A
|
||||
lbrJzpCXpf3BJYL80d2vD/b4raoPnUKV0D9Ka9yKb72W3ATfA/Cqq7vpisHRnwyj
|
||||
3pt1TfrPzti/8ZKDqY/Zw171jQbOF6zW45z4m8yJu4J1LYXh8yYrTR3YPwhPoGYm
|
||||
eZJWWj2YghqCFC7vdL/wZFjkStxwBGgrJfNOxJBcXOpUX2TOzfdNAgJ/pEkvdd/L
|
||||
jktiU5ITt7KXruwSEXRzHVfmntl4SaqDqYfeb0Y0q2a1oMpxTnBKcYXj6dYcZIHv
|
||||
Lm8HX0JsIiThz/DXB4sP2O5GlGeYyibj2iMSCsCqadwDpUndVtJnzFgjSQD5A0gd
|
||||
enNTYly3GSmC9TWt/r2VHHyneAnJ3HQKB5hUEqxPz9peemnvfTA89SIGHddmkXfY
|
||||
XSeN5WJnSG0+WAOwrpJjzl9CgUg9xJS7dDqVob3CwL9oVEQP8FcuuyqCg72ppd4J
|
||||
fdseq5/R+HuVnh6sEUHoaHEDidHtTrpE2Rd49Tesj/BT+YrJyQ/kQqHmy9RiLU2f
|
||||
DSRwLO4/qHF6W8UfuF2N08aMxRpxqXPWTjI/vHxoSJRcSqaofF42x50OQU8lY96c
|
||||
8bPlDPB7HOBg+7bVvOQCaR3+KRuOx+HYpeMwEokQTwCke+frPfXorilNbAcaFUp4
|
||||
QiU1sUZia/FOZ+j47+6pkfC2DfLpiNL2TLWYcNtIzUc
|
||||
-> ssh-ed25519 7Wns0A aKiZ8iw+Ub5rByBef0apOn6lG5Bv6tzFCiBu3DN6sSg
|
||||
58+9kySg3ajO7E5V87b/qRu9axpu2hQUuY/cVTt2YdI
|
||||
-> ssh-rsa wVtlwQ
|
||||
RbrfuwS5zQzL9yMWFDSnWj9cQFLirTH37Xf79Dis2CJIDd83vmlmGNY5x1aPpZoZ
|
||||
J6XDhibGTJc02DYuNVIE1IXm0x9tc6Z9PTT+WiAFt1JuKHguXTWLRMM9HmyvWWDg
|
||||
bFsRDAcYup+SK5d+ME+XooDGueC822rAjkGIRHNSCimGwuLpDRKqyyVfYA+dcfiP
|
||||
EoYH7x4S09jYRr1C5EkbraLbm1vijc5ikJw3b42KKbyo3wDwKga+Vk2nl2AtgjZp
|
||||
KipZlyjs+IjMRXX5IBpgoRtXcvHuidsOSc+guRo0ihF9MbzRc/Tt2g0V7t3KjeT0
|
||||
SJDLmHOos2RKTmx06aidDg
|
||||
-> Dz(k-grease ~FF p m)E{J3E
|
||||
7Igp3pclCAzAmeky5cPqlIzcITT+0jvieQe7ruSxRYRYqpYU7tMQFmHuNUahp+BP
|
||||
MzOYiM+PIQmn
|
||||
--- IC9SI76EjaFZxQ5odEeIv49n/O8uOdpM6LE1Z7dtHg4
|
||||
l%Àu¯¯ÃE„\ÎüÔ?2\&ÚwG&@¡W£~9"úŠ^ÊƆý¼Á<>oån^šë<C5A1>㻳xšèOI‡¢uOíò‡21c*ãm¸%ô)ý#”جeõIÙ6îA/i
|
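--- /dev/null
+++ b/secrets/dyndns.key
@@ -0,0 +1,20 @@
+age-encryption.org/v1
+-> ssh-ed25519 8bHz7g GloMoc3qIJq8coOIqGLIWtAwSZMu/tJdLDLt155o+RA
+XKt0Hw50VXh3YYYbKEqpVAAo4aj6X+24mX8saH6nu1w
+-> ssh-rsa kFDS0A
+dG8ZmFNRKsg0sihla32+amA5mlD/tzPgauOtsH64wAvQjPz+aBr7xL8l5usR+nMV
+BldXVlaYfipevHmWGE48vvNheAbBLNZ/0iIfJpV8EDdcUZd7v8Ijgp5f4zns2nRS
+CGHQRGtcxD1OtPl0Rg5/zF/0vBnmsIUyig/NHmrRaWF08WZBZhMgIcnoRXpUlcnj
+AlrW9ElfSTKRsOT2F4AbVcKBrbagSjzJ9ZrIJ/D4gxW8bE6pYkHd5sflXbL4TsRY
+4G3kBKC41Co5Z6byv4gaT+y0AfX7/Q6f1lvaqOOAbBzt18TaEZYDoe270L53Wfzy
+VPlnM41vo+EsGsKhzTaWLTmBaawSWRhxZScHygZhu+SgIFLEDpU2kOY8XlKp6yuv
+82jyEW+ts9069hGvmzrt5yr+HLMzlhEOPfGYqrDgbmuJsq0E4PQPkQOLeGROxaUs
+zceCwfg4HUFDRHVa8KBy1HjovjkLzl/auvJaUUre5RTGLp7QWYX5rqiME7AndgfV
+joxVMJY0tkrvollNI3xXmfU2xeuK4Jm7Jw54lJ13KaYk1QqC1sMNCo7cuEUIw8Ic
+N3aAU6KRX1ltZ3IIo+vJYVQO34UWNa9Xf6uGFTzX9HzpUYEkHbv90Gx4ck+2sYvi
+3dBfz1koiFyTfOT094zqDuecH0MsmWExtefBDvU7gcU
+-> |0I<)A4-grease
+g/FEYilOi+UwM+E98Rvpav2jqeLUlVeDAo4PVWHNhjIbas8iJV6eKwwJMNfuEJ5D
+wdh+HTDijoUzaYTPgYqcKg
+--- N46xNnGnaWTUqGo6Q7R0VNqgPpUEu0D2VDgOnPZhgiw
+zÁæ¤p¸ŠÕÕaf&èù€H~pÊÊrn·OŸk„÷øàü͵CÉÝ`ÿÞlùæºe¸ÎÆӑۨǾ"†Æ¦˜æî……&L41š‡ã)‹y%†Åü:;35ÎÀ‘樋ܛ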
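--- /dev/null
+++ b/secrets/firefly-db-secrets.env
@@ -0,0 +1,21 @@
+age-encryption.org/v1
+-> ssh-ed25519 8bHz7g vV/SfIESf7TVyAJLgMTm0Tbkd4jLRpcNH/L3ZAIgqyY
+KIm/ih9nmdCVkh/c6ol5DwJARivS5s3v6LXXIOuIh9c
+-> ssh-rsa kFDS0A
+IYso7nT1ccztAARLNc5UsbTM1OE6fYuCrPyWnv4b0FFyYGeiP94baH2zPUKbnCVB
+t2VdtU/B+ywqfdD92LnA0t9huzlSVLIA/If6lg4xZ8dZH3rTJ/lhlCmHhMOXNcJ9
+ytLCz1DSatQfmfPQ2NqBthh68IR/vMStop78l/9p2WWY7v6INIhq5lqNgBHsbRxH
+P+qQcLKFCNEMib/8h/3aNghfRFe/JL+3/B3M+e1+Ee+ASv1EuheJLbZCEhdUo1Z7
+/nJOCH418bbUWRrRx8fwgmqTS+0ViD1jFWdNgf5akD9HU3WMEAStTS0NDi0yWSxC
+5ZsAzrYSplZeXZ+U3G/sNqMsDqHzffWr9OW5o3h1R7/F5P9VBwq2yN1kGaliSK3f
+ePbD4QG/qVMsHCXKUfL8BbytljP8BtLdpsp72ZDwtnujw/NuB8SS1jiWzYmZEeoy
+1zRBY21KbE4Vrm7vqSPPEnlvEsIyTUfeZrk5JDTqb/TbvFsunXc6g6m6QbOdcExE
+SjRPBG0OzYgSNxIt6eM3lnXlp/1UGIZIuu0SaDbmMpZ+KevFg9qQhLRvcwRHi80W
+elOxVY7jU2u5AFF5hdD3J4ANijOz/JFDcPYD0RBrjyrbWXFuL6HvBdUmOo7HZpZb
+cQeQKBfQX+czuVEwdH5zRipxo65/Tt8nN2vCI0Nyx7o
+-> JWdGKAh8-grease >
+RgQ2hCi5bBfRsqGIvrwmrWE
+--- e4oH/zzH6rnwTpoQI5T+etz/BlQD9Kry7lYsAw8BK14
+¬¸¹êŒÀb†ÄsžŽ^®¢*"ûò—¨ýM°càä¾"Ê*GsXq¦‘UhôU<C3B4>…øŽsEi<45>Û/ˆ3I÷6^ämp¬Y9
+s^y<>XX~ØQ!ˆ«w¾eÄŒp×reiÔ‘E| Úʱýçÿ¢Õe3$§Äÿl™ï<>Çåèì
+<EFBFBD>¯ì%×øýCŠ—›ê¡žÃ{3EÂV+4ú<34>AùÒ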
BIN
secrets/firefly-importer-secrets.env
Normal file
BIN
secrets/firefly-importer-secrets.env
Normal file
Binary file not shown.
BIN
secrets/firefly-secrets.env
Normal file
BIN
secrets/firefly-secrets.env
Normal file
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -11,7 +11,7 @@ let
|
|||
droppie-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBDuXuPPDXTyJgy4JRwbKcPbawvVB1Il2neyRWb4O5sJ root@nixos";
|
||||
droppie-user = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnYTlTmHCl6LOkexqRR9LqjOoFgt9TQ4VzHQGRHJMzF/AGcDRoqC+pBLFSTzRb5/ikAOsb32XHyKVg4nNdJeQshO11QtDmkCB02D/XcIXxnNQ5A8CztT2az5xJtbbWSdamMnHBLcqLiwoLmXbERpdlt8jNqMHrz+bjCUGYVAFSfc/WdIs6EATJ1eF0VFxv7nUh4qhgStABSwhNsnoYOC/DOBSA9aBP1f5Fz9QHUioPTGi2hRwbTbtFUvTrymPpWVFRApa1zvGXcr4YUCm7ia1ZlZKzRpsPkwLxb8Omm4bGmR0cAVwVhVRySnhpCTwbIBLyw+H8PvKWBBba1NAKyMij root@droppie";
|
||||
|
||||
nougat-2-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINELr5Bvr15GqCHevg9QP8oYFgmaRUUHcPFf4MZho9gI root@nougat-2";
|
||||
pie-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINcTORdlVno0B9R6Yh9qmlOZKA/ZQ8RBzXK7/1rBbE02 root@pie.local";
|
||||
|
||||
baseKeys = [
|
||||
bbcom
|
||||
|
@ -32,8 +32,8 @@ let
|
|||
droppie-user
|
||||
];
|
||||
|
||||
nougat-2Keys = [
|
||||
nougat-2-host
|
||||
pieKeys = [
|
||||
pie-host
|
||||
];
|
||||
in {
|
||||
"keyfile-biolimo.bin".publicKeys = biolimoKeys ++ baseKeys;
|
||||
|
@ -45,7 +45,7 @@ in {
|
|||
"vnc-cert-chocolatebar.pem".publicKeys = chocolatebarKeys ++ baseKeys;
|
||||
"vnc-key-chocolatebar.pem".publicKeys = chocolatebarKeys ++ baseKeys;
|
||||
|
||||
"dyndns-droppie.key".publicKeys = droppieKeys ++ baseKeys;
|
||||
"dyndns.key".publicKeys = pieKeys ++ baseKeys;
|
||||
|
||||
"droppie-ssh-root.key".publicKeys = droppieKeys ++ baseKeys;
|
||||
|
||||
|
@ -57,15 +57,11 @@ in {
|
|||
|
||||
"cat-test.ovpn".publicKeys = biolimoKeys ++ chocolatebarKeys ++ baseKeys;
|
||||
|
||||
"hosting.de-api.key".publicKeys = nougat-2Keys ++ baseKeys;
|
||||
"hosting.de-api.key".publicKeys = baseKeys;
|
||||
|
||||
"concourse-secrets.age".publicKeys = nougat-2Keys ++ baseKeys;
|
||||
"concourse-db-secrets.age".publicKeys = nougat-2Keys ++ baseKeys;
|
||||
"concourse-worker-key.age".publicKeys = nougat-2Keys ++ baseKeys;
|
||||
"concourse-tsa-host-key.age".publicKeys = nougat-2Keys ++ baseKeys;
|
||||
"concourse-session-signing-key.age".publicKeys = nougat-2Keys ++ baseKeys;
|
||||
"firefly-secrets.env".publicKeys = pieKeys ++ baseKeys;
|
||||
|
||||
"keycloak-database-password.age".publicKeys = nougat-2Keys ++ baseKeys;
|
||||
"firefly-db-secrets.env".publicKeys = pieKeys ++ baseKeys;
|
||||
|
||||
"gitea-database-password.age".publicKeys = nougat-2Keys ++ baseKeys;
|
||||
"firefly-importer-secrets.env".publicKeys = pieKeys ++ baseKeys;
|
||||
}
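Review bot: In the `@ -57,15 +57,11 @@` hunk of secrets.nix, `"hosting.de-api.key".publicKeys` is narrowed to `baseKeys` and the `nougat-2Keys` recipient disappears from the remaining entries, but editing `publicKeys` only changes what future encryptions target; the `.age` ciphertexts already in the repository stay decryptable by the removed `nougat-2-host` key until each affected file is re-encrypted (`agenix -r`). Some of the "Binary file not shown." sections in this commit may be that rekey, but nothing on the page confirms it, so it is worth checking that `hosting.de-api.key` and every other secret whose recipient set shrank was rewritten here. The same consideration applies to the `dyndns-droppie.key` → `dyndns.key` rename in the `@ -45,7 +45,7 @@` hunk, where the newly added `secrets/dyndns.key` lists `ssh-ed25519 8bHz7g` and `ssh-rsa kFDS0A` as recipients, presumably `pieKeys ++ baseKeys`. A comment above the `pieKeys = [` line such as `# hosts allowed to decrypt pie's secrets; run agenix -r after changing any publicKeys list` would make the rekey requirement visible to the next editor.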
|
||||
|
|
Binary file not shown.
Binary file not shown.
|
@ -34,7 +34,6 @@ in {
|
|||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDDoYNvXWunQYFORRjcYH1F98+zr20U79ROh+gmaC7AY/x3yf4y8uyMayF56VgQLVNwgEchT5t4dNb9qo2+1oUnjiKrKAVfQMN6WMMMEr4F4WT784uvBx5Uo6vmhgAa+xoo62c4TV2Uf49ZiPd+zAApBHW1F/whPtunPF28Wfr9g+ozSidhnAr+3nkfJh331tz9s+wgQ39AFzFWftQ60Guulpfj8SaVyxyv/yZZAuFpXNzN0Cz4fWBIWFOsib6Z8y+SlUCzSzOguZ7FygHjwlvOxoISsASAuf0OfUKHxVshiL5F5AX1ddmUgXbUKUTp/3Iunr74pfOQC8TXzZHqhrlFzYDmK5J9E6eADSpgx++bCCaHycl73BWeertCBZSHBXeb3Db9HX+mxwpfP3alVAt4ZqQb3YD/VB7XGDvHbmLn+wSfecO2qA9PxiA0yX7e2BZLN9r3G3bRNSk0GpnYM0i84FE9IipiKKnWVjj7J0UPQmz7rzAn2Lki1CnX9PDdxZneqTxgpBomHJt4H+vXMw13scA4xxEDBvfS5KkjbEJqWLbfklCoER6nV3NPLZ6CBl0Xe/VQBSkqEuUEIXih/oa8emDOGUODNF75ck5NJmKiGg6AFZoeiDa7PZMIxhhOq4vsR2Ty43rztUJ0CMX7iSIk3Eql7kqNdvrJaJ7z0GBsiw== b12f@biolimo"
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmiF8ndGhnx2YAWbPDq14fftAwcJ0xnjJIVTotI12OO4SPX/SwH5Yp8C8Kf002qN9FbFmaONzq3s8TYpej13JubhfsQywNuFKZuZvJeHzmOwxsANW86RVrWT0WZmYx9a/a1TF9rPQpibDVt60wX8yLdExaJc5F1SvIIuyz1kxYpz36wItfR6hcwoLGh1emFCmfCpebJmp3hsrMDTTtTW/YNhyeSZW74ckyvZyjCYtRCJ8uF0ZmOSKRdillv4Ztg8MsUubGn+vaMl6V6x/QuDuehEPoM/3wBx9o22nf+QVbk7S1PC8EdT/K5vskn4/pfR7mDCyQOq1hB4w4Oyn0dsfX pi@ssrtc"
|
||||
"ssh-rsa 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 b12f@chocolatebar"
|
||||
|
||||
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHx4A8rLYmFgTOp1fDGbbONN8SOT0l5wWrUSYFUcVzMPTyfdT23ZVIdVD5yZCySgi/7PSh5mVmyLIZVIXlNrZJg= @b12f Yubi Main"
|
||||
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEST9eyAY3nzGYNnqDYfWHu+89LZsOjyKHMqCFvtP7vrgB7F7JbbECjdjAXEOfPDSCVwtMMpq8JJXeRMjpsD0rw= @b12f Yubi Backup"
|
||||
];
|
||||
|
|
|
@ -14,7 +14,7 @@ in {
|
|||
inherit DRONE_RPC_PROTO;
|
||||
DRONE_SERVER = DRONE_RPC_PROTO + "://" + DRONE_RPC_HOST;
|
||||
|
||||
RESTIC_REPOSITORY = "sftp:root@backup.b12f.io:/media/internal/backups";
|
||||
RESTIC_REPOSITORY = "sftp:root@droppie.b12f.io:/media/internal/backups";
|
||||
RESTIC_PASSWORD_COMMAND = "secret-tool lookup restic repository-password";
|
||||
};
|
||||
};
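Review bot: The rewritten `RESTIC_REPOSITORY` line moves the sftp backend to `root@droppie.b12f.io`, and restic's sftp backend goes through the system `ssh` client, so the host key for `droppie.b12f.io` has to be present in the `known_hosts` used by this environment before the first run; otherwise the backup either stalls on an interactive host-key prompt or, under a permissive `StrictHostKeyChecking` setting, trusts whichever key answers first. Whether that entry is provisioned elsewhere is not visible in this commit, so it is worth confirming alongside this change. A comment such as `# backups go over SSH as root; pin droppie.b12f.io's host key in known_hosts before first use` above the line would document the dependency. The enclosing attribute set starts outside the hunk.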
|
||||
|
|