diff --git a/flake.lock b/flake.lock index 33acc36e..df2b2ba6 100644 --- a/flake.lock +++ b/flake.lock @@ -2,16 +2,19 @@ "nodes": { "agenix": { "inputs": { + "darwin": [ + "darwin" + ], "nixpkgs": [ "nixos" ] }, "locked": { - "lastModified": 1673301561, - "narHash": "sha256-gRUWHbBAtMuPDJQXotoI8u6+3DGBIUZHkyQWpIv7WpM=", + "lastModified": 1677247280, + "narHash": "sha256-sa+8MtoAOSLsWP9vf0qiJUyMovIEYgDzHE8TkoK04Hk=", "owner": "ryantm", "repo": "agenix", - "rev": "42d371d861a227149dc9a7e03350c9ab8b8ddd68", + "rev": "833f87c8ff574a29aea3e091045cbaed3cf86bc1", "type": "github" }, "original": { @@ -73,11 +76,11 @@ ] }, "locked": { - "lastModified": 1655976588, - "narHash": "sha256-VreHyH6ITkf/1EX/8h15UqhddJnUleb0HgbC3gMkAEQ=", + "lastModified": 1671489820, + "narHash": "sha256-qoei5HDJ8psd1YUPD7DhbHdhLIT9L2nadscp4Qk37uk=", "owner": "numtide", "repo": "devshell", - "rev": "899ca4629020592a13a46783587f6e674179d1db", + "rev": "5aa3a8039c68b4bf869327446590f4cdf90bb634", "type": "github" }, "original": { @@ -126,6 +129,22 @@ "type": "github" } }, + "factorio-pr": { + "locked": { + "lastModified": 1676729025, + "narHash": "sha256-342GXq1CGPbztLGJcSlbdRbglXlCWMYykeYg/d5Nvyk=", + "owner": "werner291", + "repo": "nixpkgs", + "rev": "e37b8db403154b3c421c6bc21afd725a5ad2df3e", + "type": "github" + }, + "original": { + "owner": "werner291", + "ref": "master", + "repo": "nixpkgs", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { @@ -202,11 +221,11 @@ "utils": "utils_2" }, "locked": { - "lastModified": 1674440933, - "narHash": "sha256-CASRcD/rK3fn5vUCti3jzry7zi0GsqRsBohNq9wPgLs=", + "lastModified": 1676257154, + "narHash": "sha256-eW3jymNLpdxS5fkp9NWKyNtgL0Gqtgg1vCTofKXDF1g=", "owner": "nix-community", "repo": "home-manager", - "rev": "65c47ced082e3353113614f77b1bc18822dc731f", + "rev": "2cb27c79117a2a75ff3416c3199a2dc57af6a527", "type": "github" }, "original": { 
@@ -218,11 +237,11 @@ }, "latest": { "locked": { - "lastModified": 1674641431, - "narHash": "sha256-qfo19qVZBP4qn5M5gXc/h1MDgAtPA5VxJm9s8RUAkVk=", + "lastModified": 1677063315, + "narHash": "sha256-qiB4ajTeAOVnVSAwCNEEkoybrAlA+cpeiBxLobHndE8=", "owner": "nixos", "repo": "nixpkgs", - "rev": "9b97ad7b4330aacda9b2343396eb3df8a853b4fc", + "rev": "988cc958c57ce4350ec248d2d53087777f9e1949", "type": "github" }, "original": { @@ -239,11 +258,11 @@ ] }, "locked": { - "lastModified": 1673395322, - "narHash": "sha256-Xwaoz3+/+kCu8Przi1W3MWdQcOQ9wLVrr8nfBN6L6wA=", + "lastModified": 1676707513, + "narHash": "sha256-Cr8f0zUpjb9T+aiClDFpJKVqfKKa6S/fbxPcSTX8UHI=", "owner": "musnix", "repo": "musnix", - "rev": "46d6e6435edcfa2a4adcfdd95d576979b710f4cb", + "rev": "2289b7c353e56ee18270fb6b43965036942b2d0f", "type": "github" }, "original": { @@ -269,11 +288,11 @@ }, "nixos": { "locked": { - "lastModified": 1674781052, - "narHash": "sha256-nseKFXRvmZ+BDAeWQtsiad+5MnvI/M2Ak9iAWzooWBw=", + "lastModified": 1677075010, + "narHash": "sha256-X+UmR1AkdR//lPVcShmLy8p1n857IGf7y+cyCArp8bU=", "owner": "nixos", "repo": "nixpkgs", - "rev": "cc4bb87f5457ba06af9ae57ee4328a49ce674b1b", + "rev": "c95bf18beba4290af25c60cbaaceea1110d0f727", "type": "github" }, "original": { @@ -289,11 +308,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1674666581, - "narHash": "sha256-KNI2s/xrL7WOYaPJAWKBtb7cCH3335rLfsL+B+ssuGY=", + "lastModified": 1676297861, + "narHash": "sha256-YECUmK34xzg0IERpnbCnaO6z6YgfecJlstMWX7dqOZ8=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "6a5dc1d3d557ea7b5c19b15ff91955124d0400fa", + "rev": "1e0a05219f2a557d4622bc38f542abb360518795", "type": "github" }, "original": { 
@@ -304,11 +323,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1674550793, - "narHash": "sha256-ljJlIFQZwtBbzWqWTmmw2O5BFmQf1A/DspwMOQtGXHk=", + "lastModified": 1677232326, + "narHash": "sha256-rAk2/80kLvA3yIMmSV86T1B4kNvwCFMSQ1FxXndaUB0=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "b7ac0a56029e4f9e6743b9993037a5aaafd57103", + "rev": "2d44015779cced4eec9df5b8dab238b9f6312cb2", "type": "github" }, "original": { @@ -340,7 +359,7 @@ "locked": { "lastModified": 1666884246, "narHash": "sha256-nSiYCIlMiYodY7GPCFPMF6YHVS2RM/XQZwn2Zrhu2eU=", - "ref": "master", + "ref": "refs/heads/master", "rev": "f1863fb8e3866c1559ca885e1b319ea82baecdbb", "revCount": 23, "type": "git", @@ -353,11 +372,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1674641431, - "narHash": "sha256-qfo19qVZBP4qn5M5gXc/h1MDgAtPA5VxJm9s8RUAkVk=", + "lastModified": 1672791794, + "narHash": "sha256-mqGPpGmwap0Wfsf3o2b6qHJW1w2kk/I6cGCGIU+3t6o=", "owner": "nixos", "repo": "nixpkgs", - "rev": "9b97ad7b4330aacda9b2343396eb3df8a853b4fc", + "rev": "9813adc7f7c0edd738c6bdd8431439688bb0cb3d", "type": "github" }, "original": { @@ -401,6 +420,7 @@ "darwin": "darwin", "deploy": "deploy", "digga": "digga", + "factorio-pr": "factorio-pr", "flake-compat": "flake-compat", "home": "home", "latest": "latest", diff --git a/flake.nix b/flake.nix index 227dafc9..59abcbe7 100644 --- a/flake.nix +++ b/flake.nix @@ -42,6 +42,8 @@ musnix.inputs.nixpkgs.follows = "nixos"; nixpkgs-hensoko.url = "git+https://git.b12f.io/hensoko/nixpkgs"; + + factorio-pr.url = "github:werner291/nixpkgs/master"; }; outputs = { @@ -78,6 +80,7 @@ ]; }; latest = {}; + factorio-pr = {}; fork = {}; }; 
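Review bot: The new `factorio-pr` input tracks `github:werner291/nixpkgs/master`, a moving branch of a personal nixpkgs fork, so any later `nix flake update` re-resolves it to whatever that branch holds rather than the revision that was reviewed. flake.lock pins it to rev e37b8db403154b3c421c6bc21afd725a5ad2df3e today, but the input itself should carry the pin, `factorio-pr.url = "github:werner291/nixpkgs/e37b8db403154b3c421c6bc21afd725a5ad2df3e";`, plus a comment naming the upstream PR it is waiting on so it is obvious when the input can be dropped. The `inputs` and channel attribute sets these two flake.nix hunks touch start outside the hunks.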
@@ -131,28 +134,32 @@ companion = { system = "aarch64-linux"; - }; - cox = { - system = "aarch64-linux"; - }; - falcone = { - system = "aarch64-linux"; - }; - giggles = { - system = "aarch64-linux"; - }; + modules = [nixos-hardware.nixosModules.raspberry-pi-4]; + }; + cox = { + system = "aarch64-linux"; + modules = [nixos-hardware.nixosModules.raspberry-pi-4]; + }; + falcone = { + system = "aarch64-linux"; + modules = [nixos-hardware.nixosModules.raspberry-pi-4]; + }; + giggles = { + system = "aarch64-linux"; + modules = [nixos-hardware.nixosModules.raspberry-pi-4]; + }; - norman = { }; + norman = {}; - harrison = { - modules = [ - musnix.nixosModules.musnix - ]; - }; + harrison = { + modules = [ + musnix.nixosModules.musnix + ]; + }; - surfplace = { - modules = [ nixos-hardware.nixosModules.microsoft-surface-pro-intel ]; - }; + surfplace = { + modules = [nixos-hardware.nixosModules.microsoft-surface-pro-intel]; + }; }; importables = rec { profiles = @@ -161,12 +168,12 @@ users = digga.lib.rakeLeaves ./users; }; suites = with profiles; rec { - base = [ users.pub-solar users.root ]; - iso = base ++ [ base-user graphical pub-solar-iso ]; - pubsolaros = [ base-user users.root ]; - anonymous = [ pubsolaros users.pub-solar ]; - hensoko = pubsolaros ++ [ users.hensoko ]; - hensoko-iot = [ server base-user users.root users.iot ]; + base = [users.pub-solar users.root]; + iso = base ++ [base-user graphical pub-solar-iso]; + pubsolaros = [base-user users.root]; + anonymous = [pubsolaros users.pub-solar]; + hensoko = pubsolaros ++ [users.hensoko]; + hensoko-iot = [server base-user users.root users.iot]; # server cube = hensoko-iot; 
@@ -183,63 +190,45 @@ redpanda = hensoko; # home pc - harrison = hensoko ++ [ daw gaming graphical non-free social work ]; + harrison = hensoko ++ [daw gaming graphical non-free social work]; # work laptop - norman = hensoko ++ [ graphical non-free social virtualisation work ]; + norman = hensoko ++ [graphical non-free social virtualisation work gaming]; # cm4 falcone = hensoko-iot; # surface - surfplace = hensoko ++ [ graphical non-free social ]; + surfplace = hensoko ++ [graphical non-free social]; + + # chonk + chonk = hensoko-iot; }; }; + }; - home = { - imports = [ (digga.lib.importExportableModules ./users/modules) ]; - modules = [ ]; - importables = rec { - profiles = digga.lib.rakeLeaves ./users/profiles; - suites = with profiles; rec { - base = [ direnv git ]; - }; - }; - users = { - pub-solar = { suites, ... }: { imports = suites.base; }; - hensoko = { suites, ... }: { imports = suites.base; }; - iot = { suites, ... }: { imports = suites.base; }; - }; # digga.lib.importers.rakeLeaves ./users/hm; - }; - - devshell = ./shell; - - homeConfigurations = digga.lib.mkHomeConfigurations self.nixosConfigurations; - - deploy.nodes = digga.lib.mkDeployNodes self.nixosConfigurations { - redpanda = { - hostname = "192.168.42.71:22"; - sshUser = "hensoko"; - fastConnect = true; - profilesOrder = [ "system" "direnv" ]; - profiles.direnv = { - user = "hensoko"; - path = deploy.lib.x86_64-linux.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.hensoko; - }; - }; - - companion = { sshUser = "iot"; }; - cox = { sshUser = "iot"; }; - giggles = { sshUser = "iot"; }; - ringo = { }; - cube = { - sshUser = "iot"; + home = { + imports = [(digga.lib.importExportableModules ./users/modules)]; + modules = []; + importables = rec { + profiles = digga.lib.rakeLeaves ./users/profiles; + suites = with profiles; rec { + base = [direnv git]; }; }; users = { - pub-solar = {suites, ...}: { imports = suites.base; home.stateVersion = "21.03"; }; - hensoko = {suites, ...}: { 
imports = suites.base; home.stateVersion = "21.03"; }; - iot = {suites, ...}: { imports = suites.base; home.stateVersion = "21.03"; }; + pub-solar = {suites, ...}: { + imports = suites.base; + home.stateVersion = "22.05"; + }; + hensoko = {suites, ...}: { + imports = suites.base; + home.stateVersion = "22.05"; + }; + iot = {suites, ...}: { + imports = suites.base; + home.stateVersion = "22.05"; + }; }; # digga.lib.importers.rakeLeaves ./users/hm; }; @@ -262,12 +251,33 @@ hostname = "192.168.42.71:22"; sshUser = "hensoko"; fastConnect = true; - profilesOrder = [ "system" "direnv" ]; + profilesOrder = ["system" "direnv"]; profiles.direnv = { user = "hensoko"; path = deploy.lib.x86_64-linux.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.hensoko; }; }; + + companion = {sshUser = "iot";}; + cox = {sshUser = "iot";}; + giggles = {sshUser = "iot";}; + ringo = {}; + cube = {sshUser = "iot";}; + chonk = {sshUser = "iot";}; }; + users = { + pub-solar = {suites, ...}: { + imports = suites.base; + home.stateVersion = "21.03"; + }; + hensoko = {suites, ...}: { + imports = suites.base; + home.stateVersion = "21.03"; + }; + iot = {suites, ...}: { + imports = suites.base; + home.stateVersion = "21.03"; + }; + }; # digga.lib.importers.rakeLeaves ./users/hm; }; } diff --git a/hosts/chonk/acme.nix b/hosts/chonk/acme.nix new file mode 100644 index 00000000..ce9fd60e --- /dev/null +++ b/hosts/chonk/acme.nix @@ -0,0 +1,10 @@ +{ + pkgs, + config, + ... +}: { + security.acme = { + acceptTerms = true; + defaults.email = "hensoko@gssws.de"; + }; +} diff --git a/hosts/chonk/backup.nix b/hosts/chonk/backup.nix new file mode 100644 index 00000000..4eab175a --- /dev/null +++ b/hosts/chonk/backup.nix 
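Review bot: After this reorder the new side appears to contain two `users` blocks with different `home.stateVersion` values: the one inside `home` now says "22.05", while the block appended after the deploy nodes at the end of the file still says "21.03" and carries the same `# digga.lib.importers.rakeLeaves ./users/hm;` comment. Which of the two the `home` attribute actually consumes is not visible from the hunk; if the trailing block is a leftover of the move it should be deleted, and if it is the one in effect the version bump is silently ineffective, so confirm against the full file. The `norman` suite also gains `gaming` (`norman = hensoko ++ [graphical non-free social virtualisation work gaming];`), a functional change hidden in an otherwise formatting-only hunk that deserves a mention in the commit message. The `outputs` attribute set these hunks modify starts outside the hunk.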
@@ -0,0 +1,37 @@ +{ + config, + lib, + self, + ... +}: { + age.secrets.restic_repository_password.file = "${self}/secrets/chonk_restic_repository_password.age"; + age.secrets.restic_nextcloud_password.file = "${self}/secrets/chonk_restic_nextcloud_password.age"; + + programs.ssh.extraConfig = '' + Host backup + HostName 10.0.1.12 + Port 32222 + User backup + IdentityFile /run/agenix/restic_ssh_private_key + ''; + + services.postgresqlBackup = { + enable = true; + backupAll = true; + compression = "zstd"; + }; + + services.restic.backups = { + cox = { + passwordFile = "/run/agenix/restic_repository_password"; + paths = [ + "/mnt/internal/nextcloud" + "/var/backup/postgresql" + ]; + repositoryFile = "/run/agenix/restic_nextcloud_password"; + timerConfig = { + OnCalendar = "02:00"; + }; + }; + }; +} diff --git a/hosts/chonk/builder.nix b/hosts/chonk/builder.nix new file mode 100644 index 00000000..af13d8c6 --- /dev/null +++ b/hosts/chonk/builder.nix @@ -0,0 +1,31 @@ +{ + self, + config, + pkgs, + ... +}: let + psCfg = config.pub-solar; +in { + age.secrets.nix-builder-private-key = { + owner = "builder"; + group = "builder"; + file = "${self}/secrets/chonk_nix_builder_private_key.age"; + }; + + programs.ssh.package = pkgs.openssh_hpn; + + nix.settings.trusted-users = ["builder"]; + + boot.binfmt.emulatedSystems = ["aarch64-linux"]; + + users.groups."builder" = {}; + + users.users."builder" = { + isNormalUser = true; + group = "builder"; + shell = pkgs.bashInteractive; + openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN8hTdDTA+LVlHkOm5IBjT32PvAdCxYfUfFFRx+JGeS6 root@norman"]; + }; + + nix.settings.secret-key-files = "/run/agenix/nix-builder-private-key"; +} diff --git a/hosts/chonk/chonk.nix b/hosts/chonk/chonk.nix new file mode 100644 index 00000000..0ee8ffba --- /dev/null +++ b/hosts/chonk/chonk.nix 
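Review bot: The `Host backup` entry points at 10.0.1.12:32222, which is the OpenSSH container that hosts/cox/backup.nix comments out in this same commit in favour of a restic REST server on port 18000, so unless the repository URL stored in the agenix file uses a `rest:` scheme this backup target no longer exists. The option names also look crossed: `repositoryFile` is fed from a secret called `restic_nextcloud_password` while `passwordFile` gets `restic_repository_password`; either rename the secrets to say what they contain or swap the assignments. `IdentityFile /run/agenix/restic_ssh_private_key` has no matching `age.secrets` declaration in this file (it may live elsewhere), and for an unattended job the backup server's host key should be pinned with `programs.ssh.knownHosts` rather than trusted on first use.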
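Review bot: `nix.settings.trusted-users = ["builder"]` makes the `builder` account effectively root on this host (the Nix manual warns that trusted users are equivalent to root), and the account is a normal user with `bashInteractive` reachable from the key labelled `root@norman`, so a compromise of norman's root key is a compromise of chonk. If this account only needs to serve remote builds, prefix the authorized key with `restrict` and a `command=` for the build handler and drop `isNormalUser`/the interactive shell, or document in a comment why an interactive login is required. `psCfg` is declared and never used, and `programs.ssh.package = pkgs.openssh_hpn` swaps the system-wide ssh client for the HPN fork without a comment saying why.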
@@ -0,0 +1,16 @@ +{ + config, + pkgs, + lib, + ... +}: +with lib; +with pkgs; let + psCfg = config.pub-solar; +in { + imports = [ + ./configuration.nix + ]; + + networking.networkmanager.enable = lib.mkForce false; +} diff --git a/hosts/chonk/configuration.nix b/hosts/chonk/configuration.nix new file mode 100644 index 00000000..708a0c5d --- /dev/null +++ b/hosts/chonk/configuration.nix @@ -0,0 +1,41 @@ +{ + config, + lib, + pkgs, + ... +}: { + imports = [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ./acme.nix + ./backup.nix + ./drone.nix + ./home-assistant.nix + ./nextcloud.nix + ./wireguard.nix + ./builder.nix + ./invidious.nix + ./factorio.nix + + ./invoiceplane.nix + #./tang.nix + #./whiteboard.nix + ]; + + boot.loader.systemd-boot.enable = lib.mkForce false; + + time.timeZone = "Europe/Berlin"; + + services.openssh.ports = [2222]; + + networking.nat.enable = true; + networking.nat.internalIPs = ["10.10.42.0/24"]; + networking.nat.externalInterface = "eno1"; + + networking.firewall.allowedTCPPorts = [80 443 2222]; + networking.firewall.allowedUDPPorts = [51899]; + + networking.firewall.enable = lib.mkForce true; + + system.stateVersion = "21.05"; # Did you read the comment? +} diff --git a/hosts/chonk/default.nix b/hosts/chonk/default.nix new file mode 100644 index 00000000..bf9899fb --- /dev/null +++ b/hosts/chonk/default.nix @@ -0,0 +1,7 @@ +{suites, ...}: { + imports = + [ + ./chonk.nix + ] + ++ suites.chonk; +} diff --git a/hosts/chonk/drone.nix b/hosts/chonk/drone.nix new file mode 100644 index 00000000..d2239123 --- /dev/null +++ b/hosts/chonk/drone.nix 
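Review bot: `networking.nat.externalInterface = "eno1"` names a NIC that hosts/chonk/hardware-configuration.nix enslaves into `bond0` (`interfaces = ["eno1" "eno2"]`), and the public address 80.244.242.2 is assigned to `bond0`, so masquerading for 10.10.42.0/24 (the container network used by invoiceplane.nix) should reference `bond0`; as written the NAT rule will likely never match and container traffic leaves unmasqueraded. The firewall opens 2222 to match `services.openssh.ports`, but the stage-1 sshd in hardware-configuration.nix listens on port 22 on the same public interface with no firewall in the initrd; a short comment here pointing at that second listener would help whoever next audits the exposed ports. `services.factorio.openFirewall = true` in factorio.nix also adds its port outside this list, so `allowedTCPPorts`/`allowedUDPPorts` here are not the complete inventory.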
@@ -0,0 +1,24 @@ +{ + self, + config, + pkgs, + ... +}: { + age.secrets.drone_exec_runner_config = { + file = "${self}/secrets/chonk_drone_exec_runner_config.age"; + owner = "999"; + }; + + pub-solar.docker-ci-runner = { + enable = true; + enableKvm = true; + nixCacheLocation = "/srv/drone-nix-cache/nix"; + + runnerEnvironment = { + DRONE_RUNNER_CAPACITY = "10"; + DRONE_RUNNER_LABELS = "hosttype:baremetal"; + }; + + runnerVarsFile = "/run/agenix/drone_exec_runner_config"; + }; +} diff --git a/hosts/chonk/factorio.nix b/hosts/chonk/factorio.nix new file mode 100644 index 00000000..535275d4 --- /dev/null +++ b/hosts/chonk/factorio.nix @@ -0,0 +1,24 @@ +{ + self, + config, + pkgs, + fetchurl, + ... +}: let + #far-reach = pkgs.factorio-utils.modDrv rec { + # src = fetchurl { + # urls = [ "https://dl-mod.factorio.com/download/c48a8fbbe6941453173ae4e8a353976f3d757773/far-reach_1.1.2.zip?secure=0rFEz6-kw9j2JtrOUv3yEw,1677274141" ]; + # sha256 = ""; + # }; + #}; +in { + services.factorio = { + enable = true; + package = pkgs.factorio-headless-experimental; + openFirewall = true; + game-name = "pub.solar Factorio"; + game-password = "pub.solar"; + admins = ["hensoko"]; + #mods = [ far-reach ]; + }; +} diff --git a/hosts/chonk/hardware-configuration.nix b/hosts/chonk/hardware-configuration.nix new file mode 100644 index 00000000..fd8bfe57 --- /dev/null +++ b/hosts/chonk/hardware-configuration.nix 
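Review bot: `owner = "999"` ties the decrypted runner config to a bare numeric uid with nothing saying which account that is; a comment such as `# uid of the drone user inside the runner image — TODO confirm` would keep the next person from changing it blindly, and if the uid is dictated by the runner image it belongs next to the module that pins that image. `DRONE_RUNNER_LABELS = "hosttype:baremetal"` together with `enableKvm = true` advertises this runner for privileged workloads; which repositories may schedule onto it is decided elsewhere and should be cross-checked. `config` and `pkgs` are declared and unused.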
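Review bot: `game-password = "pub.solar"` commits the server password in plaintext and, being a module option, lands it in the world-readable Nix store of every machine that evaluates this config; move it into a file deployed via agenix like the other secrets on this host and reference it through `services.factorio.extraSettingsFile` if the pinned nixpkgs provides that option, leaving only a comment here. The commented-out `far-reach` block also preserves a signed download URL (`?secure=…`) and an empty `sha256 = ""`, which should be dropped rather than kept as a template, and `fetchurl` is not a NixOS module argument, so the unused `fetchurl` parameter will likely error the moment that block is uncommented. `config` and `self` are unused as well.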
@@ -0,0 +1,103 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = ["ehci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"]; + boot.initrd.kernelModules = ["raid1"]; + boot.kernelModules = ["kvm-intel"]; + boot.extraModulePackages = []; + boot.extraModprobeConfig = "options kvm_intel nested=1"; + + boot.initrd.luks.forceLuksSupportInInitrd = true; + + boot.kernelPackages = pkgs.linuxPackages_latest; + + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + boot.loader.grub.device = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_03025429121421051300-0:0"; + + boot.initrd.luks.devices."cryptroot" = { + device = "/dev/disk/by-uuid/9e13c8ea-96d3-45b1-85f4-d1a61233da6f"; + #keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04020116120721075123-0:0-part1"; + #fallbackToPassword = true; + #bypassWorkqueues = true; + }; + + boot.initrd.network = { + enable = true; + ssh = { + enable = true; + port = 22; + authorizedKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work"]; + hostKeys = [/etc/secrets/initrd/ssh_host_ed25519_key]; + }; + postCommands = '' + echo 'cryptsetup-askpass' >> /root/.profile + ''; + }; + + boot.initrd.systemd.enable = true; + + boot.initrd.services.swraid = { + enable = true; + mdadmConf = '' + ARRAY /dev/md/0 metadata=1.2 name=data:0 UUID=1156202f:835af09b:2e05e02a:a1869d1c + ''; + }; + + fileSystems."/" = { + device = "/dev/disk/by-label/root"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-label/boot"; + fsType = "ext4"; + }; + + fileSystems."/mnt/internal" = { + device = "/dev/disk/by-uuid/3563f624-f8ed-4664-95d0-ca8b9db1c60a"; + fsType = "ext4"; + 
}; + + swapDevices = [ + {device = "/dev/disk/by-label/swap";} + ]; + + networking.bonds."bond0" = { + interfaces = ["eno1" "eno2"]; + driverOptions = { + miimon = "100"; + mode = "balance-xor"; + xmit_hash_policy = "layer3+4"; + }; + }; + + networking = { + defaultGateway = "80.244.242.1"; + + nameservers = ["95.129.51.51" "80.244.244.244"]; + + interfaces."bond0" = { + ipv4.addresses = [ + { + address = "80.244.242.2"; + prefixLength = 29; + } + ]; + }; + }; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/chonk/home-assistant.nix b/hosts/chonk/home-assistant.nix new file mode 100644 index 00000000..56b2b655 --- /dev/null +++ b/hosts/chonk/home-assistant.nix @@ -0,0 +1,21 @@ +{ + self, + pkgs, + config, + ... +}: { + # HTTP + services.nginx = { + virtualHosts."ha.gssws.de" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://10.0.1.254:8123"; + proxyWebsockets = true; + extraConfig = + "proxy_ssl_server_name on;" + + "proxy_pass_header Authorization;"; + }; + }; + }; +} diff --git a/hosts/chonk/invidious.nix b/hosts/chonk/invidious.nix new file mode 100644 index 00000000..0335c140 --- /dev/null +++ b/hosts/chonk/invidious.nix @@ -0,0 +1,23 @@ +{ + self, + config, + pkgs, + ... +}: let + domain = "yt.gssws.de"; +in { + age.secrets.invidious_db_password.file = "${self}/secrets/chonk_invidious_db_password.age"; + + services.invidious = { + inherit domain; + enable = true; + nginx.enable = true; + database = { + createLocally = true; + passwordFile = "/run/agenix/invidious_db_password"; + }; + settings = { + https_only = true; + }; + }; +} diff --git a/hosts/chonk/invoiceplane.nix b/hosts/chonk/invoiceplane.nix new file mode 100644 index 00000000..ff705a40 --- /dev/null +++ b/hosts/chonk/invoiceplane.nix 
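Review bot: `boot.initrd.network.ssh.hostKeys = [/etc/secrets/initrd/ssh_host_ed25519_key]` copies the private key into the initrd, and the initrd lives on `/boot` on the unencrypted USB stick named in `boot.loader.grub.device`, so anyone holding the stick can impersonate the stage-1 sshd and capture the LUKS passphrase typed through it; the NixOS option documentation calls this out and it should be stated in a comment next to `hostKeys`, together with the fact that this sshd listens on port 22 on the public 80.244.242.2 address with no firewall in stage 1 (only the authorized key protects it). `boot.initrd.systemd.enable = true` is combined with `boot.initrd.network.postCommands`, which I believe the systemd stage 1 does not honour (the `cryptsetup-askpass` hook is replaced by systemd's password agent) — confirm that remote unlocking still prompts as intended. The header `# Do not modify this file! It was generated by ‘nixos-generate-config’` is no longer true for a file with hand-written LUKS, mdadm, bonding and networking sections; replace it with a line saying which parts were generated and which were added.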
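Review bot: `proxy_ssl_server_name on;` only affects `https://` upstreams, and `proxyPass` here is plain `http://10.0.1.254:8123`, so the directive is dead; either drop it or, if end-to-end TLS to the peer was intended, switch the upstream to https. The Authorization header is forwarded to an upstream reached in cleartext, which is fine only as long as 10.0.1.254 is reachable solely through the tunnel — a one-line comment (`# 10.0.1.254 is the hsha peer on wg1, see wireguard.nix`) would make that dependency visible. `self` is unused.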
@@ -0,0 +1,65 @@ +{ + self, + config, + pkgs, + ... +}: let + hostAddress = "10.10.42.1"; + serviceAddress = "10.10.42.11"; + + domain = "inv.gssws.de"; + hostStateDir = "/mnt/internal/invoiceplane"; + containerStateDir = "/var/lib/invoiceplane"; +in { + # nginx + services.nginx.virtualHosts."${domain}" = { + forceSSL = true; + enableACME = true; + locations = { + "/" = { + proxyPass = "http://${serviceAddress}:80"; + }; + }; + }; + + # invoiceplane + containers."invoiceplane" = { + privateNetwork = true; + hostAddress = "10.10.42.1"; + localAddress = serviceAddress; + + bindMounts."${containerStateDir}" = { + hostPath = hostStateDir; + isReadOnly = false; + }; + + config = { + config, + pkgs, + ... + }: { + networking.firewall.allowedTCPPorts = [80]; + + services.rsyslogd.enable = true; + + services.phpfpm.pools."invoiceplane-${domain}".phpOptions = '' + date.timezone = Europe/Berlin + ''; + services.caddy.virtualHosts."http://${domain}".listenAddresses = ["0.0.0.0"]; + + services.invoiceplane.sites."${domain}" = { + enable = true; + stateDir = containerStateDir; + + extraConfig = '' + ENABLE_DEBUG=true + ''; + + database = { + user = "invoiceplane"; + name = "invoiceplane"; + }; + }; + }; + }; +} diff --git a/hosts/chonk/nextcloud-apps.nix b/hosts/chonk/nextcloud-apps.nix new file mode 100644 index 00000000..93cb0788 --- /dev/null +++ b/hosts/chonk/nextcloud-apps.nix 
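Review bot: `ENABLE_DEBUG=true` in `services.invoiceplane.sites.extraConfig` turns on application debug output for a site served publicly at inv.gssws.de, which typically surfaces stack traces and configuration details to visitors; it should read `ENABLE_DEBUG=false` outside a troubleshooting window. `hostAddress = "10.10.42.1"` repeats the literal instead of using the binding declared in the `let` (`inherit hostAddress;`), so the two can drift. Unlike the tang and backup containers in this commit, this container sets neither `autoStart` nor `ephemeral` while bind-mounting `/mnt/internal/invoiceplane` read-write — worth aligning or explaining in a comment.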
@@ -0,0 +1,87 @@ +{ + self, + pkgs, + config, + lib, + ... +}: let + notify_push = pkgs.fetchzip { + sha256 = "7q1I4V2xUkRUK8qfEwxPNW/srkrGPPXiS1Y1Ew22zls="; + url = "https://github.com/nextcloud-releases/notify_push/releases/download/v0.5.2/notify_push-v0.5.2.tar.gz"; + }; +in { + systemd.services.nextcloud-notify-push = { + enable = true; + wantedBy = ["multi-user.target"]; + serviceConfig = { + Environment = [ + "PORT=7867" + "NEXTCLOUD_URL=https://data.gssws.de" + ]; + ExecStart = "${notify_push}/bin/x86_64/notify_push /mnt/internal/nextcloud/config/config.php"; + User = "nextcloud"; + }; + }; + + services.nextcloud.extraApps = with pkgs.nextcloud25Packages.apps; { + inherit bookmarks calendar contacts deck keeweb news tasks; + inherit notify_push; + + "bruteforcesettings" = pkgs.fetchzip { + sha256 = "8Sev4B7AOzLGPX6a4in0BEXJ5oL6m2EYGuBExSCnfok="; + url = "https://github.com/nextcloud-releases/bruteforcesettings/releases/download/v2.4.0/bruteforcesettings-v2.4.0.tar.gz"; + }; + "cookbook" = pkgs.fetchzip { + sha256 = "j7nAprAIY4NMPD6kXfmXVW+PgpRiyx5SRPSe6IEB/vY="; + url = "https://github.com/nextcloud/cookbook/releases/download/v0.10.1/Cookbook-0.10.1.tar.gz"; + }; + "cospend" = pkgs.fetchzip { + sha256 = "vGjK9Sy+q4ycS5MWeTTrwDGPTOp6t4leH+rF/Y54d0c="; + url = "https://github.com/eneiluj/cospend-nc/releases/download/v1.5.5/cospend-1.5.5.tar.gz"; + }; + "files_accesscontrol" = pkgs.fetchzip { + sha256 = "34goKXWLUym5p7alby3WEyFzr346psHUeJ/+OZtfGmc="; + url = "https://github.com/nextcloud-releases/files_accesscontrol/releases/download/v1.15.1/files_accesscontrol-v1.15.1.tar.gz"; + }; + "files_automatedtagging" = pkgs.fetchzip { + sha256 = "PmcqHojtfww3wNIFoLM+hVXAjoo4zqzK6sUMeveHYa0="; + url = "https://github.com/nextcloud-releases/files_automatedtagging/releases/download/v1.15.0/files_automatedtagging-v1.15.0.tar.gz"; + }; + "files_fulltextsearch" = pkgs.fetchzip { + sha256 = "DEl/CbCvwiWvkNQOuKtHWzifq3AMrhL5wLHmSMuL4TU="; + url = 
"https://github.com/nextcloud-releases/files_fulltextsearch/releases/download/25.0.0/files_fulltextsearch-25.0.0.tar.gz"; + }; + "files_mindmap" = pkgs.fetchzip { + sha256 = "/u1H2QvyKfdGjelFAkLc3rRGQlm3T+OajAbpUF0+cdY="; + url = "https://github.com/ACTom/files_mindmap/releases/download/v0.0.27/files_mindmap-0.0.27.tar.gz"; + }; + "fulltextsearch" = pkgs.fetchzip { + sha256 = "1LVo5Cv6Gf4M/laVlHfm5wAQ8I8EsdLIThVm/jUj6uA="; + url = "https://github.com/nextcloud-releases/fulltextsearch/releases/download/25.0.0/fulltextsearch-25.0.0.tar.gz"; + }; + "groupfolders" = pkgs.fetchzip { + sha256 = "CGGt5QEzdJqOJywZQTQYeKIy/2JhHYGACHrfAmH9LD0="; + url = "https://github.com/nextcloud-releases/groupfolders/releases/download/v13.1.0/groupfolders-v13.1.0.tar.gz"; + }; + "maps" = pkgs.fetchzip { + sha256 = "8HNew2sIlMd+wt2a6jXa1tZpub56AnB5gfBs/cYlkcI="; + url = "https://github.com/nextcloud/maps/releases/download/v0.2.4/maps-0.2.4.tar.gz"; + }; + #"notify_push" = pkgs.fetchzip { + # sha256 = "7q1I4V2xUkRUK8qfEwxPNW/srkrGPPXiS1Y1Ew22zls="; + # url = "https://github.com/nextcloud-releases/notify_push/releases/download/v0.5.2/notify_push-v0.5.2.tar.gz"; + #}; + "quota_warning" = pkgs.fetchzip { + sha256 = "If4tW4yJbJ1xgfOyN0wxcgHLxXUrtKPdphRhbQOM6b4="; + url = "https://github.com/nextcloud-releases/quota_warning/releases/download/v1.15.0/quota_warning-v1.15.0.tar.gz"; + }; + "richdocuments" = pkgs.fetchzip { + sha256 = "I6Y3lyZADiUCpmnkRS7Muc54uOOvKpWdlQ189EKzesA="; + url = "https://github.com/nextcloud-releases/richdocuments/releases/download/v7.0.2/richdocuments-v7.0.2.tar.gz"; + }; + #"twofactor_totp" = pkgs.fetchzip { + # sha256 = "p3Ft3sQ/2HPXCFE03dm8pBL39b7bWCi2iAxHkbOK2V4="; + # url = "https://github.com/nextcloud-releases/twofactor_totp/releases/download/v6.4.1/twofactor_totp-v6.4.1.tar.gz"; + #}; + }; +} diff --git a/hosts/chonk/nextcloud.nix b/hosts/chonk/nextcloud.nix new file mode 100644 index 00000000..acdad4e1 --- /dev/null +++ b/hosts/chonk/nextcloud.nix 
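Review bot: The notify_push service hard-codes `PORT=7867` while hosts/chonk/nextcloud.nix derives the nginx `/push/` proxy target from `notifyPushPort = 7867`; the two agree only by coincidence, so the port should come from one place (move the service definition into nextcloud.nix next to the binding, or thread the value through). The service runs a release binary downloaded from GitHub as the `nextcloud` user with no `ProtectSystem`/`PrivateTmp`-style hardening; the hash is pinned, which is good, and a comment on `notify_push` saying the version in the URL and the sha256 must be bumped together would help. `twofactor_totp` is left commented out — if second-factor enforcement was intended for this deployment this is where it went missing; otherwise the two commented blocks (`notify_push`, `twofactor_totp`) are dead and should be removed.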
@@ -0,0 +1,164 @@ +{ + self, + pkgs, + config, + lib, + ... +}: let + notifyPushPort = 7867; +in { + imports = [ + ./nextcloud-apps.nix + ]; + + age.secrets.nextcloud_db_pass = { + owner = "nextcloud"; + group = "nextcloud"; + file = "${self}/secrets/chonk_nextcloud_db_pass.age"; + }; + + age.secrets.nextcloud_admin_pass = { + owner = "nextcloud"; + group = "nextcloud"; + file = "${self}/secrets/chonk_nextcloud_admin_pass.age"; + }; + + # HTTP + services.nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; + virtualHosts."data.gssws.de" = { + enableACME = true; + forceSSL = true; + + locations."^~ /push/" = { + proxyPass = "http://127.0.0.1:${toString notifyPushPort}"; + proxyWebsockets = true; + }; + }; + }; + + # DATABASES + services.postgresql = { + enable = true; + package = pkgs.postgresql_11; + + settings = { + max_connections = "200"; + }; + + ensureDatabases = ["nextcloud"]; + ensureUsers = [ + { + name = "nextcloud"; + ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES"; + } + ]; + }; + + # REDIS + services.redis.servers = { + "nextcloud".enable = true; + }; + + users.groups."redis-nextcloud".members = ["nextcloud"]; + + # Collabora Code server + virtualisation.oci-containers.containers."nextcloud-collabora-code" = { + image = "collabora/code"; + autoStart = true; + ports = ["127.0.0.1:9980:9980"]; + environment.domain = "data\\.gssws\\.de"; + extraOptions = ["--cap-add" "MKNOD"]; + }; + + services.nginx.virtualHosts."office.gssws.de" = let + proxyPass = "https://127.0.0.1:9980"; + extraConfig = "proxy_ssl_verify off;"; + in { + enableACME = true; + forceSSL = true; + + locations."^~ /browser" = { + inherit proxyPass extraConfig; + }; + locations."^~ /hosting/discovery" = { + inherit proxyPass extraConfig; + }; + locations."^~ /hosting/capabilities" = { + inherit proxyPass extraConfig; + }; + 
locations."~ ^/cool/(.*)/ws''$" = { + inherit proxyPass extraConfig; + proxyWebsockets = true; + }; + locations."~ ^/(c|l)ool" = { + inherit proxyPass extraConfig; + }; + locations."^~ /cool/adminws" = { + inherit proxyPass extraConfig; + proxyWebsockets = true; + }; + }; + + # NEXTCLOUD + systemd.services."nextcloud-setup" = { + requires = ["postgresql.service"]; + after = ["postgresql.service"]; + }; + services.nextcloud = { + enable = true; + package = pkgs.nextcloud25; + hostName = "data.gssws.de"; + https = true; + datadir = "/mnt/internal/nextcloud"; + + caching.apcu = true; + caching.redis = true; + + phpPackage = lib.mkForce pkgs.php81; + + poolSettings = { + "pm" = "dynamic"; + "pm.max_children" = "128"; + "pm.start_servers" = "64"; + "pm.min_spare_servers" = "32"; + "pm.max_spare_servers" = "76"; + "pm.max_requests" = "500"; + }; + + phpOptions = { + short_open_tag = "Off"; + expose_php = "Off"; + error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT"; + display_errors = "stderr"; + "opcache.enable_cli" = "1"; + "opcache.interned_strings_buffer" = "32"; + "opcache.max_accelerated_files" = "100000"; + "opcache.memory_consumption" = "256"; + "opcache.revalidate_freq" = "1"; + "opcache.fast_shutdown" = "1"; + "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt"; + catch_workers_output = "yes"; + }; + + config = { + overwriteProtocol = "https"; + + dbtype = "pgsql"; + dbuser = "nextcloud"; + dbhost = "/run/postgresql"; + dbname = "nextcloud"; + dbpassFile = "/run/agenix/nextcloud_db_pass"; + adminpassFile = "/run/agenix/nextcloud_admin_pass"; + adminuser = "admin"; + + trustedProxies = ["80.244.242.2"]; + defaultPhoneRegion = "DE"; + }; + }; +} diff --git a/hosts/chonk/tang-container.nix b/hosts/chonk/tang-container.nix new file mode 100644 index 00000000..385f8755 --- /dev/null +++ b/hosts/chonk/tang-container.nix 
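Review bot: `catch_workers_output = "yes"` is placed under `phpOptions`, but it is a PHP-FPM pool directive rather than a php.ini setting, so it is written into the ini file where it has no effect; it belongs in `poolSettings` next to `"pm.max_requests"`. The Collabora container pulls `image = "collabora/code"` with no tag or digest while being granted `--cap-add MKNOD`, so every restart may run a different, unreviewed image with an extra capability — pin a tag (ideally a digest) and keep `proxy_ssl_verify off;` limited to that loopback upstream as it is now. `trustedProxies = ["80.244.242.2"]` lists the host's own public address; nginx talks to php-fpm locally, so presumably `127.0.0.1` is the proxy Nextcloud actually sees — confirm, since a wrong entry here undermines the brute-force protection configured via nextcloud-apps.nix. `sslCiphers` overrides the set chosen by `recommendedTlsSettings` and deserves a comment on why an AES-256-only list was wanted.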
@@ -0,0 +1,68 @@ +{ + pkgs, + config, + ... +}: let + containerStateDir = "/data"; + hostStateDir = "/opt/tangd"; + domain = ""; + serviceAddress = "10.10.42.12"; +in { + services.nginx.virtualHosts."${domain}" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://${serviceAddress}:${toString servicePort}"; + }; + }; + + containers."tang" = { + autoStart = true; + ephemeral = true; + bindMounts."${containerStateDir}" = { + hostPath = hostStateDir; + isReadOnly = false; + }; + + config = { + config, + pkgs, + ... + }: { + networking.firewall.enable = false; + + users.groups."_tang" = {}; + + users.users."_tang" = { + group = "_tang"; + isSystemUser = true; + }; + + environment.systemPackages = ["${pkgs.jose}"]; + + systemd.services."tangd@" = { + enable = true; + serviceConfig = { + ExecStartPre = "${pkgs.bash}/bin/bash -c \"mkdir -p ${containerStateDir}/tang-db\""; + ExecStart = "${pkgs.tang}/libexec/tangd ${containerStateDir}/tang-db"; + StandardInput = "socket"; + StandardOutput = "socket"; + StandardError = "journal"; + User = "_tang"; + Group = "_tang"; + }; + }; + + systemd.sockets."tangd" = { + enable = true; + listenStreams = ["${toString servicePort}"]; + wantedBy = ["sockets.target"]; + socketConfig = { + Accept = true; + }; + }; + + system.stateVersion = "22.11"; + }; + }; +} diff --git a/hosts/chonk/tang.nix b/hosts/chonk/tang.nix new file mode 100644 index 00000000..b0ace79c --- /dev/null +++ b/hosts/chonk/tang.nix @@ -0,0 +1,25 @@ +{ + self, + config, + pkgs, + ... +}: let + domain = "t.gssws.de"; + servicePort = 63080; +in { + services.nginx.virtualHosts."${domain}" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://127.0.0.1:${builtins.toString servicePort}"; + }; + }; + + virtualisation.oci-containers.containers."tang" = { + image = "cloggo/tangd"; + ports = ["127.0.0.1:${builtins.toString servicePort}:8080"]; + environment = { + IP_WHITELIST = "172.17.0.1"; + }; + }; +} 
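Review bot: This file references `servicePort` in both the nginx `proxyPass` and `listenStreams` but never binds it, `domain` is the empty string, and `environment.systemPackages = ["${pkgs.jose}"]` lists a store-path string instead of a package, so the module cannot evaluate; since configuration.nix does not import it, it is dead code and should either be finished or left out of the commit. If it is meant to go live, note that it exposes a Tang server through a public ACME vhost with the container firewall disabled: Tang's protection for the volumes it unlocks rests entirely on who can reach it, so the vhost needs an allow-list or should stay wireguard-only, and that reasoning belongs in a comment at the top of the file. `containerStateDir = "/data"` holds the Tang key database on a read-write bind mount from `/opt/tangd`, which should be documented as key material to back up and protect.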
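Review bot: `IP_WHITELIST = "172.17.0.1"` permits only the Docker bridge gateway, which is very likely the source address that nginx's loopback `proxyPass` arrives from, so the allow-list admits every client that reaches the public `t.gssws.de` vhost and restricts nothing; enforce the restriction in the nginx location with an `allow`/`deny` block for the wireguard range, or keep the module disabled as configuration.nix currently does with `#./tang.nix`. `image = "cloggo/tangd"` is an untagged third-party image for a service that hands out LUKS unlock material; pin a tag/digest or build from `pkgs.tang` as tang-container.nix does. `self`, `config` and `pkgs` are unused.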
diff --git a/hosts/chonk/wireguard.nix b/hosts/chonk/wireguard.nix new file mode 100644 index 00000000..fbe00363 --- /dev/null +++ b/hosts/chonk/wireguard.nix @@ -0,0 +1,65 @@ +{ + self, + config, + pkgs, + ... +}: { + age.secrets.home_controller_wireguard.file = "${self}/secrets/chonk_wireguard_key.age"; + + systemd.services.wireguard-wg0.serviceConfig.Restart = "on-failure"; + systemd.services.wireguard-wg0.serviceConfig.RestartSec = "5s"; + + # Enable WireGuard + networking.wireguard.interfaces = { + wg1 = { + # Determines the IP address and subnet of the client's end of the tunnel interface. + ips = ["10.0.1.6"]; + listenPort = 51899; # to match firewall allowedUDPPorts (without this wg uses random port numbers) + + # Path to the private key file. + # + # Note: The private key can also be included inline via the privateKey option, + # but this makes the private key world-readable; thus, using privateKeyFile is + # recommended. + privateKeyFile = "/run/agenix/home_controller_wireguard"; + + peers = [ + # For a client configuration, one peer entry for the server will suffice. + + { + # giggles + publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg="; + allowedIPs = ["10.0.1.11/32"]; + + # Send keepalives every 25 seconds. Important to keep NAT tables alive. + persistentKeepalive = 25; + } + { + # cox + publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k="; + allowedIPs = ["10.0.1.12/32"]; + + # Send keepalives every 25 seconds. Important to keep NAT tables alive. + persistentKeepalive = 25; + } + { + # companion + publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0="; + allowedIPs = ["10.0.1.13/32"]; + + # Send keepalives every 25 seconds. Important to keep NAT tables alive. + persistentKeepalive = 25; + } + + { + # hsha + publicKey = "sC0wWHE/tvNaVYX3QQTHQUmSTTjZMOjkQ5x/qy6qjTc="; + allowedIPs = ["10.0.1.254/32"]; + + # Send keepalives every 25 seconds. Important to keep NAT tables alive. + persistentKeepalive = 25; + } + ]; + }; + }; +} 
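Review bot: The restart policy is attached to `systemd.services.wireguard-wg0`, but the interface declared below is `wg1`, whose unit is `wireguard-wg1`, so the `Restart = "on-failure"` / `RestartSec = "5s"` settings apply to a unit that does not exist; change both lines to `systemd.services.wireguard-wg1.serviceConfig.Restart = "on-failure";` and `systemd.services.wireguard-wg1.serviceConfig.RestartSec = "5s";`. The comments are copied from a client example ("the client's end of the tunnel", "one peer entry for the server will suffice") while this configuration is the server side — it sets `listenPort` and lists four peers without endpoints — so rewrite them to say this host is the hub at 10.0.1.6 and the peers are the Raspberry Pis and hsha. The secret is declared as `home_controller_wireguard` but stored in `chonk_wireguard_key.age`, unlike the `chonk_*` naming used for every other secret in this commit; consistent naming would help.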
diff --git a/hosts/companion/configuration.nix b/hosts/companion/configuration.nix index 1b16a50a..f7c336ba 100644 --- a/hosts/companion/configuration.nix +++ b/hosts/companion/configuration.nix @@ -1,16 +1,18 @@ # Edit this configuration file to define what should be installed on # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). - -{ inputs, pkgs, builtins, config, lib, ... }: - { - imports = - [ - ./hardware-configuration.nix - ./home-controller.nix - ./paperless.nix - ]; + inputs, + pkgs, + builtins, + config, + lib, + ... +}: { + imports = [ + ./hardware-configuration.nix + ./home-controller.nix + ]; boot.loader.timeout = lib.mkForce 0; @@ -40,7 +42,7 @@ boot.loader.systemd-boot.enable = lib.mkForce false; # Open ports in the firewall. - networking.firewall.allowedTCPPorts = [ 2380 6443 ]; + networking.firewall.allowedTCPPorts = [2380 6443]; # networking.firewall.allowedUDPPorts = [ ... ]; # Or disable the firewall altogether. # networking.firewall.enable = false; @@ -53,4 +55,3 @@ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). system.stateVersion = "22.11"; # Did you read the comment? } - diff --git a/hosts/cox/backup.nix b/hosts/cox/backup.nix index 28612b3d..57f7c1a7 100644 --- a/hosts/cox/backup.nix +++ b/hosts/cox/backup.nix 
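Review bot: Besides the reformat, this hunk drops `./paperless.nix` from companion's imports, which removes the service and whatever firewall and state handling it configured on the next deploy; the change is not explained in the diff, so confirm the data has been migrated (hosts/cox/configuration.nix still imports its own `./paperless.nix` in this commit) and call the removal out in the commit message. `builtins` is also declared as a module argument, which is unusual and unused in the visible lines. The remaining two hunks in this file are formatting only.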
@@ -1,23 +1,87 @@ -{ self, config, pkgs, ... }: - { - virtualisation.oci-containers = { - backend = "docker"; - containers = { - backup-ssh = { - image = "linuxserver/openssh-server:arm64v8-latest"; - ports = [ "32222:2222" ]; + self, + config, + pkgs, + ... +}: { + age.secrets.backup_restic_htpasswd = { + file = "${self}/secrets/cox_backup_restic_htpasswd.age"; + owner = "${toString config.ids.uids.restic}"; + }; - environment = { - PUBLIC_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTpA7OHfZhl1wsbvydLNMtMx4q64fz+ojIAZpVUJEMI root@cube"; - USER_NAME = "backup"; - TZ = "Europe/Berlin"; - PUID = "911"; - PGID = "911"; - }; - - volumes = [ "/opt/backup/hdd/restic:/data/hdd/restic" ]; + services.nginx = { + enable = true; + clientMaxBodySize = "1G"; + virtualHosts."backup.local" = { + locations."/" = { + proxyPass = "http://127.0.0.1:18000"; + extraConfig = '' + proxy_connect_timeout 600; + proxy_send_timeout 600; + proxy_read_timeout 600; + send_timeout 600; + proxy_set_header Host ''$host; + proxy_set_header X-Forwarded-For ''$remote_addr; + ''; }; }; }; + containers."backup" = { + autoStart = true; + ephemeral = true; + bindMounts = { + "/var/lib/restic" = { + hostPath = "/opt/backup/hdd/restic"; + isReadOnly = false; + }; + "/var/lib/restic/.htpasswd" = { + hostPath = "/run/agenix/backup_restic_htpasswd"; + isReadOnly = false; + }; + }; + + config = { + config, + pkgs, + ... 
+ }: { + networking.firewall.enable = false; + + services.restic.server = { + enable = true; + listenAddress = "0.0.0.0:18000"; + privateRepos = true; + extraFlags = [ + "--append-only" + "--prometheus" + "--prometheus-no-auth" + ]; + }; + + time.timeZone = "Europe/Berlin"; + system.stateVersion = "22.11"; + }; + }; + + #virtualisation.oci-containers = { + # backend = "docker"; + # containers = { + # backup-ssh = { + # image = "linuxserver/openssh-server:arm64v8-latest"; + # ports = [ "32222:2222" ]; + # + # environment = { + # PUBLIC_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTpA7OHfZhl1wsbvydLNMtMx4q64fz+ojIAZpVUJEMI root@cube"; + # USER_NAME = "backup"; + # TZ = "Europe/Berlin"; + # PUID = "911"; + # PGID = "911"; + # }; + # + # volumes = [ + # "/opt/backup/hdd/restic:/data/hdd/restic" + # ]; + # }; + # }; + #}; } diff --git a/hosts/cox/configuration.nix b/hosts/cox/configuration.nix index 14ac5211..fe367b82 100644 --- a/hosts/cox/configuration.nix +++ b/hosts/cox/configuration.nix @@ -1,19 +1,18 @@ # Edit this configuration file to define what should be installed on # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). - -{ config, pkgs, lib, ... }: - { - imports = - [ - ./backup.nix - ./hardware-configuration.nix - ./home-controller.nix - ./paperless.nix - ]; - - boot.loader.timeout = 0; + config, + pkgs, + lib, + ... +}: { + imports = [ + ./backup.nix + ./hardware-configuration.nix + ./home-controller.nix + ./paperless.nix + ]; boot.loader.generic-extlinux-compatible.enable = lib.mkForce false; @@ -50,7 +49,7 @@ ]; # Open ports in the firewall. - networking.firewall.allowedTCPPorts = [ 2380 6443 ]; + networking.firewall.allowedTCPPorts = [2380 6443]; # networking.firewall.allowedUDPPorts = [ ... ]; # Or disable the firewall altogether. # networking.firewall.enable = false; 
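Review bot: The bind mount of the htpasswd file (`"/var/lib/restic/.htpasswd"` from `/run/agenix/backup_restic_htpasswd`) is declared `isReadOnly = false;` although the rest-server only reads it; make it `isReadOnly = true;` so a compromised container cannot alter the credential file on the host. `--prometheus-no-auth` serves the metrics endpoint without the htpasswd check, and because the container sets no `privateNetwork`, `listenAddress = "0.0.0.0:18000"` with the container firewall disabled appears to bind in the host's network namespace, so whether port 18000 is reachable other than via the nginx vhost depends on the host firewall, which is outside this hunk. If nothing scrapes metrics, drop the two prometheus flags; otherwise consider `listenAddress = "127.0.0.1:18000";` so only the `backup.local` proxy reaches the server. The nginx vhost is plain HTTP, so the basic-auth credentials travel in cleartext unless `backup.local` is only reached inside the WireGuard tunnel; a comment stating that assumption would help.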
@@ -63,4 +62,3 @@ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). system.stateVersion = "22.11"; # Did you read the comment? } - diff --git a/hosts/cox/hardware-configuration.nix b/hosts/cox/hardware-configuration.nix index dff6b612..ab2ea7af 100644 --- a/hosts/cox/hardware-configuration.nix +++ b/hosts/cox/hardware-configuration.nix @@ -1,20 +1,26 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" "uas" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; + boot.initrd.availableKernelModules = ["xhci_pci" "usbhid" "usb_storage" "uas"]; + boot.initrd.kernelModules = []; + boot.kernelModules = []; + boot.extraModulePackages = []; boot.kernelPackages = pkgs.linuxPackages_6_1; - boot.supportedFilesystems = [ ]; + boot.supportedFilesystems = []; + + boot.kernelParams = ["usb-storage.quirks=2109:0716:ouw,174c:55aa:u,2109:2813:ouw,2109:0813:ouw"]; boot.loader.grub = { enable = true; @@ -27,6 +33,7 @@ boot.loader.systemd-boot.enable = false; boot.loader.generic-extlinux-compatible.enable = false; + boot.loader.timeout = 0; boot.initrd.luks.devices."cryptroot" = { 
@@ -36,19 +43,19 @@ bypassWorkqueues = true; }; - fileSystems."/" = - { device = "/dev/disk/by-uuid/6a419f58-bef1-4dd9-9b4f-389e35ba686a"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-label/root"; + fsType = "ext4"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/6CB3-6DB8"; - fsType = "vfat"; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-label/boot"; + fsType = "vfat"; + }; - swapDevices = - [ { device = "/dev/disk/by-uuid/ea401985-e25f-4d13-8d72-5a5660c4384f"; } - ]; + swapDevices = [ + {device = "/dev/disk/by-label/swap";} + ]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's diff --git a/hosts/cox/home-controller.nix b/hosts/cox/home-controller.nix index ce06d8bb..d8deced2 100644 --- a/hosts/cox/home-controller.nix +++ b/hosts/cox/home-controller.nix @@ -1,6 +1,9 @@ -{ self, config, pkgs, ... }: - { + self, + config, + pkgs, + ... +}: { config = { #age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age"; age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cox_wireguard_key.age"; 
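Review bot: Switching `/`, `/boot` and swap from `by-uuid` to `by-label` in the `fileSystems`/`swapDevices` hunk trades a unique identifier for one that any attached block device can carry; with `usb_storage`/`uas` in the initrd, a stick labelled `root` or `swap` plugged into this board could be picked up instead of the intended device, and for swap that means a foreign device gets written to. If the labels exist for reinstall convenience, prefer keeping `by-uuid` at least for the root and swap entries, or document why labels are required, e.g. `# labels chosen so the image can be re-flashed without editing UUIDs`. The file header still states it is generated by nixos-generate-config and may be overwritten, which would silently revert these hand edits.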
@@ -21,30 +24,30 @@ privateKeyFile = "/run/agenix/home_controller_wireguard"; peers = [ { - # cube - publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk="; - allowedIPs = [ "10.0.1.5/32" ]; + # chonk + publicKey = "t1DS0y6eVzyGwomKAEWTWVsHK3xB7M/fNQ3wLgE3+B8="; + allowedIPs = ["10.0.1.6/32"]; endpoint = "data.gssws.de:51899"; persistentKeepalive = 25; } { # giggles publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg="; - allowedIPs = [ "10.0.1.11/32" ]; + allowedIPs = ["10.0.1.11/32"]; endpoint = "giggles.local:51899"; persistentKeepalive = 25; } { # companion publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0="; - allowedIPs = [ "10.0.1.13/32" ]; + allowedIPs = ["10.0.1.13/32"]; endpoint = "companion.local:51899"; persistentKeepalive = 25; } { # ringo publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw="; - allowedIPs = [ "10.0.1.21/32" ]; + allowedIPs = ["10.0.1.21/32"]; endpoint = "ringo.local:51899"; persistentKeepalive = 25; } diff --git a/hosts/cox/paperless.nix b/hosts/cox/paperless.nix index eb03e8bf..41fa5572 100644 --- a/hosts/cox/paperless.nix +++ b/hosts/cox/paperless.nix @@ -1,6 +1,8 @@ -{ pkgs, config, ... }: - -let +{ + pkgs, + config, + ... +}: let containerStateDir = "/data"; hostStateDir = "/opt/documents/paperless"; httpPort = 80; 
@@ -8,105 +10,111 @@ let ftpListenPort = 20021; ftpPasvMinPort = 22021; ftpPasvMaxPort = 24021; - domain = "cox.local"; -in - { + domain = "paperless.local"; +in { + networking.firewall = { + allowedTCPPorts = [ + httpPort + ftpListenPort + ]; - networking.firewall = { - allowedTCPPorts = [ - httpPort - ftpListenPort - ]; + allowedTCPPortRanges = [ + { + from = ftpPasvMinPort; + to = ftpPasvMaxPort; + } + ]; + }; - allowedTCPPortRanges = [ { from = ftpPasvMinPort; to = ftpPasvMaxPort; } ]; - }; - - services.nginx = { - enable = true; - virtualHosts."${domain}" = { - locations."/" = { - proxyPass = "http://127.0.0.1:${toString paperlessPort}"; - proxyWebsockets = true; - extraConfig = '' - proxy_read_timeout 300s; - proxy_set_header Host ''$host; - proxy_set_header X-Forwarded-For ''$remote_addr; - ''; - }; + services.nginx = { + enable = true; + virtualHosts."${domain}" = { + locations."/" = { + proxyPass = "http://127.0.0.1:${toString paperlessPort}"; + proxyWebsockets = true; + extraConfig = '' + proxy_read_timeout 300s; + proxy_set_header Host ''$host; + proxy_set_header X-Forwarded-For ''$remote_addr; + ''; }; }; + }; - containers."paperless" = { - autoStart = true; - ephemeral = true; + containers."paperless" = { + autoStart = true; + ephemeral = true; - tmpfs = [ "/tmp:size=2G" ]; + tmpfs = ["/tmp:size=2G"]; - bindMounts."${containerStateDir}" = { - hostPath = hostStateDir; - isReadOnly = false; + bindMounts."${containerStateDir}" = { + hostPath = hostStateDir; + isReadOnly = false; + }; + + config = { + config, + pkgs, + ... 
+ }: { + networking.firewall.enable = false; + + users.users."paperless".extraGroups = ["ftp"]; + + services.paperless = { + enable = true; + dataDir = "/data"; + consumptionDir = "/data/ftp/consume"; + consumptionDirIsPublic = true; + port = paperlessPort; + extraConfig = { + PAPERLESS_OCR_LANGUAGE = "deu+eng"; + PAPERLESS_ALLOWED_HOSTS = "${domain}"; + PAPERLESS_CSRF_TRUSTED_ORIGINS = "http://${domain}"; + PAPERLESS_CORS_ALLOWED_HOSTS = "http://${domain}"; + }; }; - config = { config, pkgs, ... }: { - networking.firewall.enable = false; + services.vsftpd = { + enable = true; + anonymousUser = true; + anonymousUserNoPassword = true; + anonymousUserHome = "/data/ftp"; + anonymousUploadEnable = true; + anonymousUmask = "007"; + writeEnable = true; + extraConfig = '' + listen=YES + listen_ipv6=NO + listen_port=${toString ftpListenPort} + chown_uploads=YES + chown_username=paperless + download_enable=NO + pasv_min_port=${toString ftpPasvMinPort} + pasv_max_port=${toString ftpPasvMaxPort} + ''; + }; - users.users."paperless".extraGroups = [ "ftp" ]; - - services.paperless = { - enable = true; - dataDir = "/data"; - consumptionDir = "/data/ftp/consume"; - consumptionDirIsPublic = true; - port = paperlessPort; - extraConfig = { - PAPERLESS_OCR_LANGUAGE = "deu+eng"; - PAPERLESS_ALLOWED_HOSTS = "${domain}"; - PAPERLESS_CSRF_TRUSTED_ORIGINS = "http://${domain}"; - PAPERLESS_CORS_ALLOWED_HOSTS = "http://${domain}"; - - }; + systemd.services.nextcloud-autosync = { + unitConfig = { + Description = "Auto sync Nextcloud"; + After = "network-online.target"; }; - - services.vsftpd = { - enable = true; - anonymousUser = true; - anonymousUserNoPassword = true; - anonymousUserHome = "/data/ftp"; - anonymousUploadEnable = true; - anonymousUmask = "007"; - writeEnable = true; - extraConfig = '' - listen=YES - listen_ipv6=NO - listen_port=${toString ftpListenPort} - chown_uploads=YES - chown_username=paperless - download_enable=NO - pasv_min_port=${toString ftpPasvMinPort} - 
pasv_max_port=${toString ftpPasvMaxPort} - ''; - }; - - systemd.services.nextcloud-autosync = { - unitConfig = { - Description = "Auto sync Nextcloud"; - After = "network-online.target"; - }; - serviceConfig = { - User = "paperless"; - Type = "simple"; - ExecStart= "${pkgs.nextcloud-client}/bin/nextcloudcmd -h -n --path Documents/_paperless /data/media/documents https://data.gssws.de"; - TimeoutStopSec = "180"; - KillMode = "process"; - KillSignal = "SIGINT"; - }; - wantedBy = ["multi-user.target"]; - }; - systemd.timers.nextcloud-autosync = { - unitConfig.Description = "Automatic sync files with Nextcloud when booted up after 5 minutes then rerun every 60 minutes"; - timerConfig.OnUnitActiveSec = "60min"; - wantedBy = ["multi-user.target" "timers.target"]; + serviceConfig = { + User = "paperless"; + Type = "simple"; + ExecStart = "${pkgs.nextcloud-client}/bin/nextcloudcmd -h -n --path Documents/_paperless /data/media/documents https://data.gssws.de"; + TimeoutStopSec = "180"; + KillMode = "process"; + KillSignal = "SIGINT"; }; + wantedBy = ["multi-user.target"]; + }; + systemd.timers.nextcloud-autosync = { + unitConfig.Description = "Automatic sync files with Nextcloud when booted up after 5 minutes then rerun every 60 minutes"; + timerConfig.OnUnitActiveSec = "60min"; + wantedBy = ["multi-user.target" "timers.target"]; }; }; - } + }; +} diff --git a/hosts/cube/backup.nix b/hosts/cube/backup.nix index a2c0ca19..d6a18ba7 100644 --- a/hosts/cube/backup.nix +++ b/hosts/cube/backup.nix @@ -1,8 +1,11 @@ -{ config, lib, self, ... }: - { + config, + lib, + self, + ... +}: { age.secrets.restic_repository_password.file = "${self}/secrets/cube_restic_repository_password.age"; - age.secrets.restic_ssh_private_key.file = "${self}/secrets/cube_restic_ssh_private_key.age"; + age.secrets.restic_nextcloud_password.file = "${self}/secrets/cube_restic_nextcloud_password.age"; programs.ssh.extraConfig = '' Host backup 
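Review bot: The `services.vsftpd` block on the new side combines `anonymousUser`, `anonymousUserNoPassword`, `anonymousUploadEnable` and `chown_username=paperless`, so anyone who can reach tcp/20021 (opened on all interfaces by `allowedTCPPorts = [ httpPort ftpListenPort ]` at the top of the hunk) can drop files that Paperless will consume and OCR as the `paperless` user with no authentication. If the intent is that only LAN or WireGuard peers reach it, scope the rule with `networking.firewall.interfaces.<iface>.allowedTCPPorts` and say so in a comment; otherwise add a comment acknowledging the anonymous write path as deliberate. The `nextcloud-autosync` timer description promises a run 5 minutes after boot, but `timerConfig` only sets `OnUnitActiveSec = "60min"` (the service itself is pulled in by `multi-user.target`); either add `OnBootSec = "5min"` or correct the description. The CSRF/CORS origins are now bound to `paperless.local`, so clients still using `cox.local` will be rejected by Paperless; that rename deserves a mention in the commit message.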
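Review bot: The hunk drops `age.secrets.restic_ssh_private_key` but keeps the `programs.ssh.extraConfig` stanza for `Host backup` as context; if that stanza's `IdentityFile` (outside the hunk) still points at `/run/agenix/restic_ssh_private_key`, it now references a path agenix no longer creates. Either remove the `Host backup` stanza together with the sftp repository it served, or keep the secret until the stanza is gone. The new `restic_nextcloud_password` secret is consumed as `repositoryFile` further down this file, so it holds a full repository URL rather than a bare password; a comment such as `# full REST repository URL incl. credentials, see hosts/cox/backup.nix` next to the `age.secrets` line would make that clear.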
@@ -25,7 +28,9 @@ "/mnt/internal/nextcloud" "/var/backup/postgresql" ]; - repository = "sftp:backup:/data/hdd/restic"; + repositoryFile = "/run/agenix/restic_nextcloud_password"; + #repository = "rest:http://nextcloud:md1TYoRcOqdr7sBRH9ZH0iGos0yv2pLhrnZc3Xhk@10.0.1.12"; + #repository = "sftp:backup:/data/hdd/restic"; timerConfig = { OnCalendar = "02:00"; }; diff --git a/hosts/giggles/home-controller.nix b/hosts/giggles/home-controller.nix index bb82e219..be3447f5 100644 --- a/hosts/giggles/home-controller.nix +++ b/hosts/giggles/home-controller.nix @@ -1,6 +1,9 @@ -{ self, config, pkgs, ... }: - { + self, + config, + pkgs, + ... +}: { config = { age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_giggles_wireguard_key.age"; @@ -18,30 +21,30 @@ privateKeyFile = "/run/agenix/home_controller_wireguard"; peers = [ { - # cube - publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk="; - allowedIPs = [ "10.0.1.5/32" ]; + # chonk + publicKey = "t1DS0y6eVzyGwomKAEWTWVsHK3xB7M/fNQ3wLgE3+B8="; + allowedIPs = ["10.0.1.6/32"]; endpoint = "data.gssws.de:51899"; persistentKeepalive = 25; } { # cox publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k="; - allowedIPs = [ "10.0.1.12/32" ]; + allowedIPs = ["10.0.1.12/32"]; endpoint = "cox.local:51899"; persistentKeepalive = 25; } { # companion publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0="; - allowedIPs = [ "10.0.1.13/32" ]; + allowedIPs = ["10.0.1.13/32"]; endpoint = "companion.local:51899"; persistentKeepalive = 25; } { # ringo publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw="; - allowedIPs = [ "10.0.1.21/32" ]; + allowedIPs = ["10.0.1.21/32"]; endpoint = "ringo.local:51899"; persistentKeepalive = 25; } diff --git a/hosts/norman/builder.nix b/hosts/norman/builder.nix new file mode 100644 index 00000000..2a71694a --- /dev/null +++ b/hosts/norman/builder.nix 
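Review bot: The commented-out line `#repository = "rest:http://nextcloud:md1TYoRcOqdr7sBRH9ZH0iGos0yv2pLhrnZc3Xhk@10.0.1.12";` commits a live REST-server credential in plaintext, which defeats moving the URL into the `restic_nextcloud_password` age secret on the line above. Delete the comment and treat that password as compromised: regenerate the `nextcloud` entry in `cox_backup_restic_htpasswd` and re-encrypt the age secret, because the value remains in git history after the line is gone. `rest:http://` also sends the basic-auth credentials unencrypted; that is acceptable only if `10.0.1.12` is reached exclusively over the WireGuard tunnel, which the `allowedIPs` in the peer configs suggest but nothing here enforces, so a comment stating that assumption would help. The second commented-out `sftp:backup:` line is dead config and can go as well.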
@@ -0,0 +1,28 @@ +{self, ...}: { + programs.ssh.extraConfig = '' + Host builder + Hostname data.gssws.de + Port 2222 + User builder + IdentitiesOnly yes + IdentityFile /root/.ssh/id_ed25519-builder + ''; + + nix.buildMachines = [ + { + hostName = "builder"; + systems = ["x86_64-linux" "aarch64-linux"]; + maxJobs = 20; + speedFactor = 2; + supportedFeatures = ["nixos-test" "benchmark" "big-parallel" "kvm"]; + mandatoryFeatures = []; + } + ]; + + nix.distributedBuilds = true; + nix.settings = { + substituters = ["ssh-ng://builder"]; + trusted-public-keys = ["chonk:1b/yLBRW2ZeL9jErW1ogMRUTq/hidJnZOxopx363JSo="]; + builders-use-substitutes = true; + }; +} diff --git a/hosts/norman/configuration.nix b/hosts/norman/configuration.nix index 099cc583..915ac9ec 100644 --- a/hosts/norman/configuration.nix +++ b/hosts/norman/configuration.nix @@ -1,16 +1,17 @@ # Edit this configuration file to define what should be installed on # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). - -{ config, pkgs, ... }: - { - imports = - [ - # Include the results of the hardware scan. - ./hardware-configuration.nix - ./wireguard.nix - ]; + config, + pkgs, + ... +}: { + imports = [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ./wireguard.nix + ./builder.nix + ]; # Set your time zone. time.timeZone = "Europe/Berlin"; @@ -60,4 +61,3 @@ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). system.stateVersion = "21.11"; # Did you read the comment? } - diff --git a/hosts/norman/hardware-configuration.nix b/hosts/norman/hardware-configuration.nix index 158f6cb9..2b6778e7 100644 --- a/hosts/norman/hardware-configuration.nix +++ b/hosts/norman/hardware-configuration.nix 
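Review bot: `nix.buildMachines` hands derivations to `builder` over SSH and the results come back into the local store without any further signature check, yet the `Host builder` stanza pins neither a host key nor `StrictHostKeyChecking`, and root's `known_hosts` is not managed here; the first connection to `data.gssws.de:2222` is therefore either a prompt the non-interactive daemon cannot answer or a silent trust-on-first-use. Pin it with `programs.ssh.knownHosts."[data.gssws.de]:2222".publicKey = "ssh-ed25519 AAAA…";` (the builder's host key, not a user key) so a MITM on that port cannot hand back substituted outputs. `IdentityFile /root/.ssh/id_ed25519-builder` is delivered outside agenix, unlike every other secret in this tree, which makes the builder non-reproducible on a fresh install — unless the `chonk_nix_builder_private_key.age` added in this commit is meant for this path, in which case wire it in via `age.secrets.<name>.path`. A one-line comment on `trusted-public-keys` noting that `chonk:…` is the builder's signing key, and that any path it signs is accepted from `ssh-ng://builder`, would document the trust decision.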
@@ -1,16 +1,21 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - { - imports = [ ]; + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = []; - boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usbhid" "uas" "sdhci_pci" ]; - boot.initrd.kernelModules = [ "dm-snapshot" ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; + boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "usbhid" "uas" "sdhci_pci"]; + boot.initrd.kernelModules = ["dm-snapshot"]; + boot.kernelModules = ["kvm-intel"]; + boot.extraModulePackages = []; + boot.kernelPackages = pkgs.linuxPackages_latest; boot.loader.grub.trustedBoot = { enable = true; systemHasTPM = "YES_TPM_is_activated"; @@ -21,20 +26,17 @@ bypassWorkqueues = true; }; - fileSystems."/" = - { - device = "/dev/disk/by-uuid/5b441f8f-d7eb-44f8-8df2-7354b3314a61"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/5b441f8f-d7eb-44f8-8df2-7354b3314a61"; + fsType = "ext4"; + }; - fileSystems."/boot" = - { - device = "/dev/disk/by-uuid/84CD-91B6"; - fsType = "vfat"; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/84CD-91B6"; + fsType = "vfat"; + }; - swapDevices = - [{ device = "/dev/disk/by-uuid/54162798-9017-4b59-afd7-ab9578da4bb9"; }]; + swapDevices = [{device = "/dev/disk/by-uuid/54162798-9017-4b59-afd7-ab9578da4bb9";}]; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; @@ -42,5 +44,7 @@ enable = true; device = "TPPS/2 ALPS TrackPoint"; emulateWheel = true; + sensitivity = 100; # default 128 + speed = 64; # default 97 }; } diff --git a/hosts/norman/norman.nix b/hosts/norman/norman.nix index b85d4c6e..55d307b5 100644 --- a/hosts/norman/norman.nix +++ b/hosts/norman/norman.nix 
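Review bot: `boot.kernelPackages = pkgs.linuxPackages_latest;` is added to a file whose header says it is generated by `nixos-generate-config` and may be overwritten; the TrackPoint tuning in the last hunk has the same problem, and both belong in `configuration.nix`/`norman.nix`, or the header should be dropped so nobody regenerates the file and loses them. Since `boot.loader.grub.trustedBoot` with a TPM is enabled a few lines below, tracking `linuxPackages_latest` means a different kernel image on most updates; if anything on this laptop is sealed to measured PCR values (not visible here), those seals break on every kernel bump, which a comment like `# latest kernel: TPM measurements change on each update` would make explicit.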
@@ -1,16 +1,21 @@ -{ config, pkgs, lib, ... }: -with lib; -let +{ + config, + pkgs, + lib, + ... +}: +with lib; let psCfg = config.pub-solar; xdg = config.home-manager.users."${psCfg.user.name}".xdg; -in -{ +in { imports = [ ./configuration.nix ]; config = { - boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; + boot.binfmt.emulatedSystems = ["aarch64-linux"]; + + environment.systemPackages = [pkgs.factorio-experimental]; pub-solar.audio.bluetooth.enable = false; diff --git a/hosts/norman/wireguard.nix b/hosts/norman/wireguard.nix index 0460b1f5..55538a98 100644 --- a/hosts/norman/wireguard.nix +++ b/hosts/norman/wireguard.nix @@ -1,6 +1,8 @@ -{ config, pkgs, ... }: - { + config, + pkgs, + ... +}: { systemd.services.wireguard-wg0.serviceConfig.Restart = "on-failure"; systemd.services.wireguard-wg0.serviceConfig.RestartSec = "5s"; systemd.services.wireguard-wg1.serviceConfig.Restart = "on-failure"; @@ -73,7 +75,7 @@ { # Public key of the server (not a file path). - publicKey = "RwMocdha7fyx+MGTtQpZhZQGJY4WU79YgpspYBclK3c="; + publicKey = "t1DS0y6eVzyGwomKAEWTWVsHK3xB7M/fNQ3wLgE3+B8="; # Forward all the traffic via VPN. allowedIPs = [ @@ -87,8 +89,6 @@ persistentKeepalive = 25; } ]; - }; }; } - diff --git a/modules/social/default.nix b/modules/social/default.nix index dc1f0469..0da02cb9 100644 --- a/modules/social/default.nix +++ b/modules/social/default.nix @@ -18,12 +18,9 @@ in { home.packages = [ signal-desktop tdesktop - discord element-desktop - tdesktop mattermost-desktop - whatsapp-for-linux ]; - }; + }; }; } diff --git a/modules/terminal-life/default.nix b/modules/terminal-life/default.nix index 3531be4e..9161cb7e 100644 --- a/modules/terminal-life/default.nix +++ b/modules/terminal-life/default.nix 
@@ -24,17 +24,17 @@ in { config = mkIf cfg.enable { programs.command-not-found.enable = false; + # Needed to get zsh completion for system packages (e.g. systemd). + environment.pathsToLink = ["/share/zsh"]; + + environment.shells = with pkgs; [ + zsh + ]; + environment.systemPackages = with pkgs; [ screen ]; - # Starship is a fast and featureful shell prompt - # starship.toml has sane defaults that can be changed there - programs.starship = { - enable = true; - settings = import ./starship.toml.nix; - }; - home-manager = with pkgs; pkgs.lib.setAttrByPath ["users" psCfg.user.name] { home.packages = [ @@ -61,20 +61,21 @@ in { watson ]; - programs.bash = import ./bash { - inherit config; - inherit pkgs; - inherit self; - }; - programs.fzf = import ./fzf { - inherit config; - inherit pkgs; - }; programs.neovim = import ./nvim { inherit config; inherit pkgs; inherit lib; }; - }; + programs.fzf = import ./fzf { + inherit config; + inherit pkgs; + }; + programs.zsh = import ./zsh { + inherit config; + inherit pkgs; + inherit self; + inherit lib; + }; + }; }; } diff --git a/modules/terminal-life/zsh/default.nix b/modules/terminal-life/zsh/default.nix new file mode 100644 index 00000000..e216b704 --- /dev/null +++ b/modules/terminal-life/zsh/default.nix 
@@ -0,0 +1,124 @@ +{ + config, + pkgs, + self, + lib, + ... +}: let + psCfg = config.pub-solar; + xdg = config.home-manager.users."${psCfg.user.name}".xdg; +in { + enable = true; + enableAutosuggestions = true; + enableCompletion = true; + dotDir = ".config/zsh"; + + history = { + ignoreDups = true; + expireDuplicatesFirst = true; + ignoreSpace = true; + path = "$HOME/.local/share/zsh/zsh_history"; + save = 10000; + size = 10000; + }; + + loginExtra = lib.mkIf psCfg.sway.enable '' + [ "$(tty)" = "/dev/tty1" ] && exec ${pkgs.sway-service}/bin/sway-service + ''; + + shellAliases = { + nano = "nvim"; + vi = "nvim"; + vim = "nvim"; + mutt = "neomutt"; + ls = "exa"; + la = "exa --group-directories-first -lag"; + fm = "vifm ."; + vifm = "vifm ."; + wget = "wget --hsts-file=$XDG_CACHE_HOME/wget-hsts"; + irssi = "irssi --config=$XDG_CONFIG_HOME/irssi/config --home=$XDG_DATA_HOME/irssi"; + drone = "DRONE_TOKEN=$(secret-tool lookup drone token) drone"; + no = "manix \"\" | grep '^# ' | sed 's/^# \(.*\) (.*/\1/;s/ (.*//;s/^# //' | fzf --preview=\"manix '{}'\" | xargs manix"; + # fix nixos-option + nixos-option = "nixos-option -I nixpkgs=${self}/lib/compat"; + myip = "dig +short myip.opendns.com @208.67.222.222 2>&1"; + }; + plugins = [ + # src gets fetched by nvfetcher, see: ./pkgs/sources.toml + { + # will source ohmyzsh/plugins/z/ + name = "zsh-plugins-z"; + file = "plugins/z/z.plugin.zsh"; + src = pkgs.sources.ohmyzsh.src; + } + { + name = "zsh-powerlevel10k"; + file = "powerlevel10k.zsh-theme"; + src = pkgs.sources.powerlevel10k.src; + } + { + name = "zsh-fast-syntax-highlighting"; + file = "F-Sy-H.plugin.zsh"; + src = pkgs.sources.F-Sy-H.src; + } + { + name = "zsh-nix-shell"; + file = "nix-shell.plugin.zsh"; + src = pkgs.sources.zsh-nix-shell.src; + } + ]; + + initExtra = + '' + bindkey -v + bindkey -v 'jj' vi-cmd-mode + bindkey -a 'i' up-line + bindkey -a 'k' down-line + bindkey -a 'j' backward-char + bindkey -a 'h' vi-insert + bindkey '^[[H' beginning-of-line + bindkey 
'^[[F' end-of-line + bindkey '^R' history-incremental-pattern-search-backward + bindkey '^ ' autosuggest-accept + bindkey '^q' push-line-or-edit + + bindkey '^R' fzf-history-widget + + # ArrowUp/Down start searching history with current input + autoload -U up-line-or-beginning-search + autoload -U down-line-or-beginning-search + zle -N up-line-or-beginning-search + zle -N down-line-or-beginning-search + bindkey "^[[A" up-line-or-beginning-search + bindkey "^[[B" down-line-or-beginning-search + bindkey "^P" up-line-or-beginning-search + bindkey "^N" down-line-or-beginning-search + + # MAKE CTRL+S WORK IN VIM + stty -ixon + stty erase '^?' + + precmd () { + DIR_NAME=$(pwd | sed "s|^$HOME|~|g") + echo -e -n "\e]2;$DIR_NAME\e\\" + + if [ $(date +%d%m) = '0104' ]; then + if [ $? -eq 0 ]; then + echo "Success! That was a great command! I can't wait to see what amazing stuff you'll be up to next." + fi + fi + } + + # If a command is not found, show me where it is + source ${pkgs.nix-index}/etc/profile.d/command-not-found.sh + '' + + builtins.readFile ./base16.zsh + + builtins.readFile ./p10k.zsh + + '' + source ${pkgs.fzf}/share/fzf/key-bindings.zsh + source ${pkgs.fzf}/share/fzf/completion.zsh + source ${pkgs.git-bug}/share/zsh/site-functions/git-bug + eval "$(direnv hook zsh)" + '' + + builtins.readFile ./fzf.zsh; +} diff --git a/overlays/invidious.nix b/overlays/invidious.nix new file mode 100644 index 00000000..2194206f --- /dev/null +++ b/overlays/invidious.nix @@ -0,0 +1,12 @@ +final: prev: { + invidious = prev.invidious.overrideAttrs (oldAttrs: rec { + version = "unstable-2023-02-22"; + src = prev.fetchFromGitHub { + owner = "iv-org"; + repo = "invidious"; + rev = "0995e0447c2b54d80b55231830b847d41c19b404"; + hash = "sha256-hXF836jxMriMJ/qcBJIF5cRvQG719PStKqTZQcIRqlw="; + fetchSubmodules = true; + }; + }); +} diff --git a/overlays/overrides.nix b/overlays/overrides.nix index 40fe2f70..a2c1addf 100644 --- a/overlays/overrides.nix +++ b/overlays/overrides.nix 
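Review bot: In `precmd` the inner test `if [ $? -eq 0 ]` never sees the user's last command: by then `$?` is the status of the `[ $(date +%d%m) = '0104' ]` test that just succeeded, so the April-1 message prints after every command on that day regardless of outcome. Capture the status first, `precmd () { local last_status=$?`, and test `if [ $last_status -eq 0 ]; then`. `bindkey '^R'` is bound twice in the same `initExtra` (first to `history-incremental-pattern-search-backward`, then to `fzf-history-widget`); the first binding is dead and should be removed. The `let` binding `xdg` is unused in this file and can go.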
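Review bot: The overlay overrides only `src` and `version` of `prev.invidious`; if the nixpkgs derivation pins Crystal shard dependencies and other fetched assets separately from `src` (as Crystal packages in nixpkgs commonly do), moving `src` to an unstable 2023-02-22 commit alone may build against stale or mismatched dependencies, so the build should be verified or the override widened accordingly. Stylistically, `rec` and the `oldAttrs` argument are unused; `prev.invidious.overrideAttrs (_: { version = ...; src = ...; })` says the same thing. Add a one-line reason for the pin, e.g. `# pinned ahead of nixpkgs for <fix/feature>; drop once nixpkgs catches up`.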
@@ -12,6 +12,11 @@ channels: final: prev: { nvfetcher ; + inherit + (channels.factorio-pr) + factorio + ; + haskellPackages = prev.haskellPackages.override (old: { diff --git a/secrets/chonk_drone_exec_runner_config.age b/secrets/chonk_drone_exec_runner_config.age new file mode 100644 index 00000000..505b2654 Binary files /dev/null and b/secrets/chonk_drone_exec_runner_config.age differ diff --git a/secrets/chonk_invidious_db_password.age b/secrets/chonk_invidious_db_password.age new file mode 100644 index 00000000..773d04de --- /dev/null +++ b/secrets/chonk_invidious_db_password.age @@ -0,0 +1,13 @@ +age-encryption.org/v1 +-> ssh-ed25519 hPyiJw BzbEPs8LDz17/aVKQoDoRaTdQmKw8MKb4oqKvBFGuAM +/zMIU+KoMrQ6ouI4vK/YyvEtzZ7ut8c9BJH8YTYldac +-> ssh-ed25519 YFSOsg CUwGu/W2wYrVNLHlGETFtsVhchDZUXfEi9JYZ88VkBU +ZD3lYlRTgk2g/L5Hy+Fcs1fLh3gKDdhRhWn0Gc4JP/A +-> ssh-ed25519 iHV63A mZ2DkCasSr/s3S6RXjf8QLi5P4UXOzQqqPNkLUkh4VU +E/eXCLd9cZt+i9Bg7iEh8LbWFn0rsTtzqDB9kaFtVUg +-> ssh-ed25519 Oya/Zw kD7aVVY0BrrNbDyoHa/7/8bUF8W74mYFPgHe/CVMpxg +jytr3knsUz9aaGf421m6mN9QgU4Tt3UykTEt8T8mNVg +-> p'c-grease J +vWgF1GduUf9hstTzuVdrUC6ytMofGgYE8nglE/mUTa+a69SDKrn/ +--- kKHfCTImeN1RY9HxI2fWeJTec47FBwwr2gQB13sYdrw +J) : ӽбW"~cgR _@wD+j'D3aSj2U&-5 \ No newline at end of file diff --git a/secrets/chonk_invoiceplane_db_password.age b/secrets/chonk_invoiceplane_db_password.age new file mode 100644 index 00000000..ba4fa800 --- /dev/null +++ b/secrets/chonk_invoiceplane_db_password.age 
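Review bot: `inherit (channels.factorio-pr) factorio;` pulls the `factorio` package from a separate `factorio-pr` channel, which by its name is a nixpkgs tree carrying an unmerged pull request; that makes a second, unreviewed copy of nixpkgs part of the supply chain, with only the flake lock fixing its revision. Pin that flake input to the PR's commit rather than a moving branch and annotate the inherit with `# temporary: factorio from nixpkgs PR (flake input factorio-pr); remove once merged` so it is not forgotten. Note the override replaces `factorio` while the host installs `factorio-experimental` (norman.nix hunk); whether that attribute also resolves through the PR channel depends on how the fork defines it, which this hunk does not show.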
@@ -0,0 +1,23 @@ +age-encryption.org/v1 +-> ssh-ed25519 hPyiJw yDJ66eI1Mp9+UoFYkd4ur3aaUBAALqveNM5FK1cpSx0 +r7eXodJ94kzvLq2oRIk7aPZtArJ1xm37FShQwr1BBSA +-> ssh-ed25519 YFSOsg Sef4VkHt4bMmPsUPJLXOB7nOgPO0pDcV+6MHvBItOG8 +MDyOFqyzDJ6MMxkgFqkxYQl25a7cXOn9iCu2sbONhBs +-> ssh-rsa 42S2Dw +Y3yN6FJOz5eDG7gRDLZJiujOaGJ/fm5lPNHvSVl7T5DYmiHedJ5F7on6CztMDuvv +LNrWXTO7Jy/LBPLZ516SG+o752sTfby1xpDAgo0pKejSs/o7XmccMDvwzdVAsPkt +Dk7ou4Fba0D9MnIeIwnhZolKxVPyFeUBfoPNkvDLtQeb48lqJ2N+bgVzjHQEKpL5 +1Hx/v4x9jUKTj/cK7eds5j3tzitLNpaxkm20LcVpWlLLGZkAmYijwXPphaY0EXJY +qw0Z1OSJd6WnLUo0ozGtoYGiqxnP42duL31ajI7HiNfMMJqWER7WJaB2h4pA9eTO +1HCHP/C+rNCeWHtjXr8b0Q +-> ssh-ed25519 iHV63A cpEqVauWzNmXoGgNcdV438BLDyWh+pQBCXVOEg98x1o +fFmcIWj3kv3ZdhFTMjaxxYIw0/9rO+HKTnTq3pbSz58 +-> ssh-ed25519 uTVbSg NODGHdge8Dp8fz1wvBRXJF+syIdZmvX/AL3I2u+tkwE +foU59bLRz6NOvaZZA/bYU/eQ97/z+ONINGVB30yk6vI +-> ssh-ed25519 Oya/Zw huI2DM77Xa7yPaUg0hnLZmsXOLvgOJALO+ixfmpfwF0 +vOcIEA+mfsferBNqnM/XdaoDDtDS+fJu4gPHMHuIenc +-> l-grease T= 30lLW1F G +dHaeEO9LZVIC+26ZVLfGP0thkSDKwwqzM9OdH4Yj2ixuSxdGHKg8eYUmkc4aUmr4 +Qa3y5GzKf8nQkfSJceG8/FsQrcm1OvjhePi99yE +--- DugQPlVCIYj1uGYP1Bta+9P7HdN9Ej4di5AjQWK0CKg + 4QWYϹ.^氟(t3w="пy4/3xQϕQ "X:R- U ) \ No newline at end of file diff --git a/secrets/chonk_nextcloud_admin_pass.age b/secrets/chonk_nextcloud_admin_pass.age new file mode 100644 index 00000000..4099594f --- /dev/null +++ b/secrets/chonk_nextcloud_admin_pass.age 
@@ -0,0 +1,23 @@ +age-encryption.org/v1 +-> ssh-ed25519 hPyiJw Zv5YkeU/1DPR0tuZ+dkI76xF473aFaLltqfO5ZfvFy0 +xoWSTmpQSc84tskFAv2XfKkD2gzunCH6XSttO5dVCQM +-> ssh-ed25519 YFSOsg datPvOnMKeP6zH7ThhAeK9k0uyKIulbgY5CAoAsu+w0 +0YjqwWWpkYHqT7XEAfPKynQFgjRHfdg1eNVECEJeXMA +-> ssh-rsa 42S2Dw +Waw5Z5JSx5ZpSrqptOjFDlXPiZIFY+YeT5vZBwvSY4eRNIOsvALR+53zKuDkIHEl +TZ1CsgOU1DLuONSS0mP0Oa+eQImVR4NuDaxvfLNqTiLKwYEeBs6DwSL77xwMLtw/ +wQL1MWMIcFTtExA/ul3rX3Y4B1TS7t50nvhgohFu5WTeNtXkIdgmbJ3CyflhqamN +L/Kxxn+/92scpIItKu5kgPJEO2MpX2GiwjokD6uY+3kxbS1HGXUJAc3COOwWMgEs +1BwQk/SKt8URcxGiugoagQ6M0zFqZRgGNkqh2uCsjaaT5we0lUuhYlL1gIMbe/FG +CR85WlwoEhzKvnnfgdYLFA +-> ssh-ed25519 iHV63A OqkSBucVJtboalsYV3/heEz1ZkSIADNDLEarRPWgklc +76HOz0Vi1oGwSZCBA3bOSNn7auAnmPE7uHVedVjxGTM +-> ssh-ed25519 uTVbSg +X8ylXfSx+Yg14KORdcPSTr1FvDaTMeb62MjQ/gqA2k +r7M9BL070ijThnFLczko29G5P0ikwRW+6VJ8JYhHevs +-> ssh-ed25519 Oya/Zw wXPvHIhPEqbKPme+OLfrJdxIVAghA0LGTGWwOr2yoys +FsriMbp2jb40ZyxapHratwoA/C7dk8nNhvaFU0YAfpM +-> =HAZ-grease 6e?x*"~ +y4DPqeGgLo+PJv/Nja0AMPZ2g31nIqbXwKt3g1I8xHu4rwkM9G/c +--- O3v2CaEy4phy18h9152SkVV6qQhdz/aWJQ9bVI9YHHY +$f @ #}c&rǮy3Y馑jU_sf[NQT#h +buuiRЪfe!z \ No newline at end of file diff --git a/secrets/chonk_nextcloud_db_pass.age b/secrets/chonk_nextcloud_db_pass.age new file mode 100644 index 00000000..a432e5f8 --- /dev/null +++ b/secrets/chonk_nextcloud_db_pass.age 
@@ -0,0 +1,22 @@ +age-encryption.org/v1 +-> ssh-ed25519 hPyiJw 7kU8OQWy/jGDRUq1hkGl9cNldEgWvk4oG3O2DMw0qGI +XlIzPLT0Gh2/bse6ch4TemO+uzIK4oqyFwDDa7ylXuA +-> ssh-ed25519 YFSOsg dWvGDRO+/3dT7qN04Ykuh4u4aVZSkNAZQl2bbCE0jkg +5QxL1xUjv1OHCJR/+rxw055lIKngtDvarTg7wOaiqu4 +-> ssh-rsa 42S2Dw +V9Zo+91MGptezt9ZGX7aGd4sGsoFmBV9k4gbImTXz2CGOXuHUbzFv73j/ikpvXU6 +NpCU8nYgBuM8E3GTxrorCFIlBgGpjQI28PrbD7Y8b7nqn585Zqn7S+E5DFln0Zd5 +phKfY4NdWypRW4xjuHVjDO8I2uiVd8qD7rhYbE6c611hySudPmrY7k2m41Qz7D2O +j97ATtt2FNFk5MpsNjSKk0w5QeKIVqDTIXTlewRi4eFf3TdLI5vzpBwIELStf/XU +sBmEzqX3EEBvrB41brSPPwQJ7mJ7MaRzjNXmtgytEwirgnI9TA2dv4/xc5zksJgF +zg1F+rlyRC2TOWDNi8Om5g +-> ssh-ed25519 iHV63A IVXUYIxX37FZw+Vn7ZmLc14du4M6120vS+XAY+amx3Q +G9J8NhNx3bwLF1vCWuq1fWQq9//r1IxoXPdJfjg5oQQ +-> ssh-ed25519 uTVbSg v7e3YZQJqK0SZ/F/YSrMPOX8hwAt1+UNf+1YDlzkMSI +1kqIoiR7Oojue2JFHYJB7+piw1j/9U86Thy+eYqphPQ +-> ssh-ed25519 Oya/Zw /EUf0yv0UBi0wPFEl48IK7dJ7m2Z+Y+6EpYqoP75Kx8 +dDDQ+dZhrujnyo2Z40cwisFMpwC+4TsaBTGH7ofn8qU +-> Gg'26s6y-grease 8c +X06Ld3joZpAZby/RIFlRb9gqVT4grrQXQInV/g +--- FVcdFxUlZ7vydcDrU7jzFjipxKygYL8t/aDHNC/TN7w ++ gOAinWxTU3"xo`?f:iMr̓m \ No newline at end of file diff --git a/secrets/chonk_nix_builder_private_key.age b/secrets/chonk_nix_builder_private_key.age new file mode 100644 index 00000000..8e31b70d Binary files /dev/null and b/secrets/chonk_nix_builder_private_key.age differ diff --git a/secrets/chonk_restic_nextcloud_password.age b/secrets/chonk_restic_nextcloud_password.age new file mode 100644 index 00000000..a2e6e63e Binary files /dev/null and b/secrets/chonk_restic_nextcloud_password.age differ diff --git a/secrets/chonk_restic_repository_password.age b/secrets/chonk_restic_repository_password.age new file mode 100644 index 00000000..6a97c8fe --- /dev/null +++ b/secrets/chonk_restic_repository_password.age 
@@ -0,0 +1,23 @@ +age-encryption.org/v1 +-> ssh-ed25519 hPyiJw x2nB3+kHq5bhYL4Gmu7mcLx8jW8ywUEEkInvVkmH5m8 +cMDnbfUtv4AUTlsBh39xeVFyn8jndfd/XxPU01Re1FU +-> ssh-ed25519 YFSOsg rSr6F981RuhKipasm4xcFTqORbkyCxiId/UvtBy8SW0 +763z8aYG61IYtSfaKBUuQfe7s6SsfujvQF8qx+ALqVY +-> ssh-rsa 42S2Dw +M78y3Q2hLhSGwWe+sVixdgdkL/NPRp3yVdmsLSJ7dkU/JlIikTJ1Idzp2WR9VbZ9 +PyIrBLSVmYlx5SI9ksLfeQZyFoocP7/yKOAdHh7HMvXjpkakN6ZBa4dHELPxLMy0 +x7DQX09Q1h6xTfyghYoIyk29sOHHpT66WaTAPz/cHciJst2TAojJU1qfdJ/ZPU0T +9tq/iOaAhGSdFkFVjhETDwS1lYxKnzxYaMKQeoRBcCdWTVGrbSJLVUMH4pFT1iIv +I8auITrGbSZdm1tJAc8aiBIDI1r5lHz1ozrkamazI9dn+5iF5qWIj+9MVtg0l06X +In7knX1skVcG2x2USjdZgw +-> ssh-ed25519 iHV63A SP+EEU7gJi6o2xnzlsJO2RBplyNWjIMrOYOWweBtKQU +Q/9+4yyRRndmPKjx8up5lijZhICDamxrBAUZtbzteB0 +-> ssh-ed25519 uTVbSg v4RUldxeE2I7Sw1ASpkfcBLiv9b8yJMUOmeydaqa4hk +OreiiziBBpTCKM/D/4eI181AvRD9mwjTUULGeatKUgo +-> ssh-ed25519 Oya/Zw 51sjyVTCtYbG4e4pROOjg7Cr4lX8LGXdGtf+8drR9y8 +Hc6H9PPDJGAmwgO/qOjbt2W2KNXEGlqlbcExmsZQNAE +-> 9.QޢzD6ȑAf-zSSftc\n.hN[`` \ No newline at end of file diff --git a/secrets/chonk_restic_ssh_private_key.age b/secrets/chonk_restic_ssh_private_key.age new file mode 100644 index 00000000..e11eebf8 Binary files /dev/null and b/secrets/chonk_restic_ssh_private_key.age differ diff --git a/secrets/chonk_wireguard_key.age b/secrets/chonk_wireguard_key.age new file mode 100644 index 00000000..f9304fc1 --- /dev/null +++ b/secrets/chonk_wireguard_key.age 
@@ -0,0 +1,21 @@ +age-encryption.org/v1 +-> ssh-ed25519 hPyiJw YN25mqloDpfTK9BHraZeaX4wlMNyGmuaB9ikhc1qPx0 +MBblsaQ14v/aUrt9BT7Sdef5t7zLXujlNBbKOoKRNvQ +-> ssh-ed25519 YFSOsg GPhY1N8XFr0vxYcho63L/tF1QFuE6vlxGpf+fEUaDn0 +jCVovM/dwU839i3Ry7hjvdJcAKcjAshZE00zfxmSc/c +-> ssh-rsa 42S2Dw +khLfcbecRWa0gNw1vCfP8FIbYll+uNrGEysaPHzEtk6hYzOrPw5BOct9PGG32M63 +USRC5onMkkZXH3RJjAze+JOaNIQML3l5Wx6LNfAiKE7MBtrbEFw9WpPb3yA3vBtF +/h/ngNIjMTryltOq4ovXTDif6bC2CBcBi4zfThqGaBmIk+hqZHAPZIEaQAH5i6JM +Sic+Y0VTUbNDsz9qvE6RFfs4plGAoRG1RDFBTwdYhReXf/7/ISSQE1sm0r8rY7wk +rFp3AGyQQaAJqa2RlA4LeI9z+0okmXrA9e4Q0VezQPN65Ru2qGFKUGg6dgA0czmM +3rIX9HbzV9vlgmjtXhf6Aw +-> ssh-ed25519 iHV63A CJ6pAaBDuZtsVnBHYvlbhwkTSQmHLVNksADDRW1j/A4 +/Vww88tZwVUWwWg8gqdXhKI5vVggGUxgbgeMUkqQagI +-> ssh-ed25519 Oya/Zw ExTtW9P8FWD9s0o3GBycwN16McaP0LVbJuD9cLUejgs +G2BJ8FGHPSqB8/ks5hrGKVDQ0GcaEcS3CK3b7AzB7mI +-> C-grease \T$\ Fn4_2KJ E 2Ju.&t' +jBuy2c0fpq3ibHy3LJOj6xmga+6C9z2WwvSTBTs/lyEXDNgFG9sgEDmjPayMJhAN +JTHQmBJyJ9ae2dMZqhfEPXrcZynNR/F8gd8TyWodXWZhvw +--- FH53Gij4AICM76S4DTZkI1BwEVohhnw/Qnanc4BphE4 +ňߌB7 #pBpXO7_c^͍6IƹEoϸ/ޝMڏJ(;U6 \ No newline at end of file diff --git a/secrets/cox_backup_restic_htpasswd.age b/secrets/cox_backup_restic_htpasswd.age new file mode 100644 index 00000000..41ea2eb7 Binary files /dev/null and b/secrets/cox_backup_restic_htpasswd.age differ diff --git a/secrets/cube_restic_nextcloud_password.age b/secrets/cube_restic_nextcloud_password.age new file mode 100644 index 00000000..cbe9f91b --- /dev/null +++ b/secrets/cube_restic_nextcloud_password.age 
@@ -0,0 +1,22 @@ +age-encryption.org/v1 +-> ssh-ed25519 hPyiJw zqUMfOd04sohMIlfrNdHj9XJPh+1AiZDSG82rALFEn0 +AjULNhyeKzMJYzas/Ck5te047CGGkoTGWrl4Zf+fK/g +-> ssh-ed25519 YFSOsg Wf12fsV6ddeCYGrJG/IEc/pm3qltWroW9+xgUvBNhBg +FB6dw6npV16JNMcmhLOh2CrV+Ytxym1Q3X6fi8mXPh4 +-> ssh-rsa 42S2Dw +QSORqDFOuGhFBNjCjF1u43tfgAp9okVheVWdY851j4b3JAtX8nsygwEpx0ntNZIk +pYIH7/QreainFDB0WM+sj8too/96YOmrjqf6k1strpP12pI75ArCcQq27XJWk0oD +cIaiAgtzmO8jk1YQTKUDUxvaEv6tX1Lb3r+j3MfHuR6nX4Zx0C6YdmUBFT4t9/9C +DLh990iFG6/wHO+1HSiknGf5V4eUChMfpyh9FgXkOVAQC7JprKgfePbyh2TY9usj +ViRmP6kT8jV7EvqpnsXRuMB3MC0yzrX92OGC1QKArTdj9sNgPduawamposGYiwNm +HAYgbfRbzgcRl/tN8MNSfg +-> ssh-ed25519 iHV63A w9EB0URrVNcTMDhUA+D3z6eDPvaLZihSVpzT8Vr9jHo +ofmrgw+5Jaf1wWXTzBDeijQwY59I/tHfU1fmrZCUTyo +-> ssh-ed25519 uTVbSg qH1A4EHjDjauEa0ideqeWvSwP6ADmziNZOnXnEnrYyg +y7MfmMtWlIGWl/HLyUQVQgJUxzvDKez0WXD6VGq4TfM +-> w>S%-grease nxLQF J+B{F F+"3V +wAF9N9WZyJAygP6EoouxvH9CG0EIIgXBNcnToP73VNNTaPxWOWRyL4rP7yZ9jSyR +JRaZzh9xwASjiqG2GAStcHormaz1JMVy +--- 8QzYdkT1uITqWc6bhvOvDxygLgaiVwWZrgWKOTF0pKc + LGAxIi+Jg-pDfy[1x 禍Bqn'DkO<*n?u[ol.&$9|e ++E :8Zg׉E(]~ \ No newline at end of file diff --git a/secrets/email_gssws_password.age b/secrets/email_gssws_password.age index 05de8c82..09192264 100644 Binary files a/secrets/email_gssws_password.age and b/secrets/email_gssws_password.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index d5006bc9..1a02fdba 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -3,14 +3,14 @@ let
 user_hensoko_nitrokey_1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/58A18EtxnLYHu63c/+AyTSkJQSso/VVdHUFGp1CTk cardno:FFFE34353135";
 user_hensoko_harrison = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb hensoko@harrison";
- user_hensoko_norman_1 = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+euxPp6bHXw61UeUqTGHH8Ub2L+Sy1iteupv/AGudgoVNp2GebqJy1cxQ74mgnL8eWMlaA9jZlKQ1xFFhgtolCsoAKTE9AE8X0egvmEM18fEUR3EWWchmX4MXUhUiOtwitkl4+EpSsp5rh/kIxcpQFz1dpBibroq6jDLKlrVou+2LppR8nMfFT2sqg3694Ltxz4CWMdAfitLax05ckKMAnzz+TgpXK5OyfQSBvl18Qu1SWITYa6AVNXQ7/ovWBDIUfg25GWouzWqkSUpLdCVIcXPe2X7g6X1QsHXnnhaMAhvYH54GZ4wU2kBwIJ6KvplfZdbJ09KAltPVt08evafb hendriksokolowski@hsokolowski-pc";
- user_hensoko_norman_2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work";
+ user_hensoko_norman = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work";
 system_giggles = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILwogNjatRZlft4qUFDFKg73kiYB1HNZZ0xGUwfyfTzP root@nixos";
 system_cox = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMINORCNhrxSdo2z70GkKrV8vcge2elgNPYzdRve+hI5 root@nixos";
 system_companion = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJu4u9Q36B8acRdBJi2RYU5pYpIMeCh+HKmtInR+IKQs root@nixos";
 system_cube = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5ok5tIuDKYpIw3KVmUnqBSDJ1QriWQJ04IVLF1Kaig root@nixos";
+ system_chonk = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICt8I4z42DXGL3d6eju3WzSEnJMeaWPn3y+f/82oYBzy root@nixos";
 system_ringo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5g8CfSiMxboEJT2U92JoYdnv0nsArBPW/vfTEsUWZO root@nixos";
 system_harrison = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMGsY9APkK11hlcqKXER+iqaJZ/x5HNacQ8FXfLe2SA4 root@nixos";
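Review bot: Dropping `user_hensoko_norman_1` (the only ssh-rsa entry) from the recipient list changes nothing for secrets that are already encrypted; every .age file that listed it stays decryptable by that key until it is re-encrypted with `agenix -r`. The .age hunks earlier in this diff, including files that are new in this commit, still carry an `-> ssh-rsa 42S2Dw` stanza while no ssh-rsa key is visible among the remaining recipients, which suggests they were encrypted against the old recipient set and still need rekeying. If the key was removed because it is no longer trusted rather than merely superseded, the secrets it could decrypt should also be rotated, not just rekeyed. The `let` block this hunk belongs to continues past the hunk (`system_norman` is referenced later but defined outside the visible lines).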
@@ -18,29 +18,40 @@ let
 system_surfplace = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOAmim1CFeTPPDz/34sDYhF773NquhbqIS6v4mWM4qSd root@nixos";
- users = [ user_hensoko_nitrokey_1 user_hensoko_harrison user_hensoko_norman_1 user_hensoko_norman_2 ];
- systems_email_accounts = [ system_harrison system_norman system_surfplace ];
- systems_home_controller = [ system_giggles system_cox system_companion system_cube system_ringo ];
+ users = [user_hensoko_nitrokey_1 user_hensoko_harrison user_hensoko_norman];
+ systems_email_accounts = [system_harrison system_norman system_surfplace];
+ systems_home_controller = [system_giggles system_cox system_companion system_cube system_ringo];
 allKeys = users ++ systems_home_controller;
-in
-{
+in {
 "email_gssws_password.age".publicKeys = users ++ systems_email_accounts;
- "home_controller_giggles_wireguard_key.age".publicKeys = users ++ [ system_giggles ];
- "home_controller_cox_wireguard_key.age".publicKeys = users ++ [ system_cox ];
- "home_controller_companion_wireguard_key.age".publicKeys = users ++ [ system_companion ];
+ "home_controller_giggles_wireguard_key.age".publicKeys = users ++ [system_giggles];
+ "home_controller_cox_wireguard_key.age".publicKeys = users ++ [system_cox];
+ "home_controller_companion_wireguard_key.age".publicKeys = users ++ [system_companion];
- "home_controller_cube_wireguard_key.age".publicKeys = users ++ [ system_cube ];
- "cube_nextcloud_admin_pass.age".publicKeys = users ++ [ system_cube ];
- "cube_nextcloud_db_pass.age".publicKeys = users ++ [ system_cube ];
- "cube_restic_ssh_private_key.age".publicKeys = users ++ [ system_cube ];
- "cube_restic_repository_password.age".publicKeys = users ++ [ system_cube ];
+ "cox_backup_restic_htpasswd.age".publicKeys = users ++ [system_cox];
- "cube_drone_exec_runner_config.age".publicKeys = users ++ [ system_cube ];
+ "home_controller_cube_wireguard_key.age".publicKeys = users ++ [system_cube];
+ "cube_nextcloud_admin_pass.age".publicKeys = users ++ [system_cube];
+ "cube_nextcloud_db_pass.age".publicKeys = users ++ [system_cube];
+ "cube_restic_ssh_private_key.age".publicKeys = users ++ [system_cube];
+ "cube_restic_repository_password.age".publicKeys = users ++ [system_cube];
+ "cube_drone_exec_runner_config.age".publicKeys = users ++ [system_cube];
+ "cube_invoiceplane_db_password.age".publicKeys = users ++ [system_cube];
+ "cube_restic_nextcloud_password.age".publicKeys = users ++ [system_cube];
- "cube_invoiceplane_db_password.age".publicKeys = users ++ [ system_cube ];
+ "chonk_wireguard_key.age".publicKeys = users ++ [system_chonk];
+ "chonk_nextcloud_admin_pass.age".publicKeys = users ++ [system_chonk];
+ "chonk_nextcloud_db_pass.age".publicKeys = users ++ [system_chonk];
+ "chonk_restic_ssh_private_key.age".publicKeys = users ++ [system_chonk];
+ "chonk_restic_repository_password.age".publicKeys = users ++ [system_chonk];
+ "chonk_drone_exec_runner_config.age".publicKeys = users ++ [system_chonk];
+ "chonk_invoiceplane_db_password.age".publicKeys = users ++ [system_chonk];
+ "chonk_restic_nextcloud_password.age".publicKeys = users ++ [system_chonk];
+ "chonk_nix_builder_private_key.age".publicKeys = users ++ [system_chonk];
+ "chonk_invidious_db_password.age".publicKeys = users ++ [system_chonk];
- "home_controller_ringo_wireguard_key.age".publicKeys = users ++ [ system_ringo ];
+ "home_controller_ringo_wireguard_key.age".publicKeys = users ++ [system_ringo];
 "home_controller_k3s_server_token.age".publicKeys = users ++ systems_home_controller;
 }
diff --git a/users/hensoko/ssh.nix b/users/hensoko/ssh.nix
index 2edcf2bd..82b07010 100644
--- a/users/hensoko/ssh.nix
+++ b/users/hensoko/ssh.nix
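Review bot: `system_chonk` receives a per-host secret set that mirrors `cube`'s one-for-one, yet it is not added to `systems_home_controller`, so unlike the other hosts it is neither a recipient of `home_controller_k3s_server_token.age` nor part of `allKeys`. The ssh.nix hunk later in this diff renames the `cube` match block to `chonk` while keeping the same address and port, which reads as chonk replacing cube; if so, confirm whether the `cube_*` entries should stay and whether chonk belongs in `systems_home_controller` (`systems_home_controller = [system_giggles system_cox system_companion system_cube system_chonk system_ringo];` if it does). A one-line comment above the chonk group stating the relationship between the two hosts would make the intent explicit.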
@@ -1,13 +1,22 @@
-{ config, pkgs, lib, self, ... }:
-with lib;
-let
- psCfg = config.pub-solar;
-in {
- home-manager = pkgs.lib.setAttrByPath [ "users" psCfg.user.name ] {
+ config,
+ pkgs,
+ lib,
+ self,
+ ...
+}:
+with lib; let
+ psCfg = config.pub-solar;
+in {
+ home-manager = pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
 programs.ssh = {
 enable = true;
 matchBlocks = {
+ "builder" = {
+ hostname = "data.gssws.de";
+ user = "builder";
+ port = 2222;
+ };
 "hsha" = {
 hostname = "192.168.42.5";
 user = "root";
@@ -30,7 +39,7 @@ in
 "companion" = {
 user = "iot";
 };
- "cube" = {
+ "chonk" = {
 hostname = "80.244.242.2";
 user = "iot";
 port = 2222;
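Review bot: The new `builder` match block connects to a remote Nix builder at `data.gssws.de:2222` without pinning its host key anywhere in this block, so trust in the host that returns build outputs rests on whatever known_hosts state the user already has at first connection. For a builder this is the connection worth pinning: add the builder's host key to the user's known_hosts and set `extraOptions = { StrictHostKeyChecking = "yes"; };` on the block so a changed or unknown key fails instead of prompting. No `identityFile` is set either, so which key authenticates as `builder` is presumably configured on the nix side (likely the `chonk_nix_builder_private_key.age` secret added in this commit); a comment naming that link would help the next reader. The `home-manager` attribute set this hunk edits continues past the hunk.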