pub-solar/os
5
0
Fork 2
Code Issues 4 Pull requests Packages Projects 1 Releases Wiki Activity

bla

Browse source
This commit is contained in:
Hendrik Sokolowski 2023-02-25 14:45:21 +01:00
parent f4b49fdcde
commit 4a6a9f11e4
52 changed files with 1631 additions and 358 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

76
flake.lock
View file

@ -2,16 +2,19 @@
"nodes": {
"agenix": {
"inputs": {
"darwin": [
"darwin"
],
"nixpkgs": [
"nixos"
]
},
"locked": {
"lastModified": 1673301561,
"narHash": "sha256-gRUWHbBAtMuPDJQXotoI8u6+3DGBIUZHkyQWpIv7WpM=",
"lastModified": 1677247280,
"narHash": "sha256-sa+8MtoAOSLsWP9vf0qiJUyMovIEYgDzHE8TkoK04Hk=",
"owner": "ryantm",
"repo": "agenix",
"rev": "42d371d861a227149dc9a7e03350c9ab8b8ddd68",
"rev": "833f87c8ff574a29aea3e091045cbaed3cf86bc1",
"type": "github"
},
"original": {
@ -73,11 +76,11 @@
]
},
"locked": {
"lastModified": 1655976588,
"narHash": "sha256-VreHyH6ITkf/1EX/8h15UqhddJnUleb0HgbC3gMkAEQ=",
"lastModified": 1671489820,
"narHash": "sha256-qoei5HDJ8psd1YUPD7DhbHdhLIT9L2nadscp4Qk37uk=",
"owner": "numtide",
"repo": "devshell",
"rev": "899ca4629020592a13a46783587f6e674179d1db",
"rev": "5aa3a8039c68b4bf869327446590f4cdf90bb634",
"type": "github"
},
"original": {
@ -126,6 +129,22 @@
"type": "github"
}
},
"factorio-pr": {
"locked": {
"lastModified": 1676729025,
"narHash": "sha256-342GXq1CGPbztLGJcSlbdRbglXlCWMYykeYg/d5Nvyk=",
"owner": "werner291",
"repo": "nixpkgs",
"rev": "e37b8db403154b3c421c6bc21afd725a5ad2df3e",
"type": "github"
},
"original": {
"owner": "werner291",
"ref": "master",
"repo": "nixpkgs",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
@ -202,11 +221,11 @@
"utils": "utils_2"
},
"locked": {
"lastModified": 1674440933,
"narHash": "sha256-CASRcD/rK3fn5vUCti3jzry7zi0GsqRsBohNq9wPgLs=",
"lastModified": 1676257154,
"narHash": "sha256-eW3jymNLpdxS5fkp9NWKyNtgL0Gqtgg1vCTofKXDF1g=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "65c47ced082e3353113614f77b1bc18822dc731f",
"rev": "2cb27c79117a2a75ff3416c3199a2dc57af6a527",
"type": "github"
},
"original": {
@ -218,11 +237,11 @@
},
"latest": {
"locked": {
"lastModified": 1674641431,
"narHash": "sha256-qfo19qVZBP4qn5M5gXc/h1MDgAtPA5VxJm9s8RUAkVk=",
"lastModified": 1677063315,
"narHash": "sha256-qiB4ajTeAOVnVSAwCNEEkoybrAlA+cpeiBxLobHndE8=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "9b97ad7b4330aacda9b2343396eb3df8a853b4fc",
"rev": "988cc958c57ce4350ec248d2d53087777f9e1949",
"type": "github"
},
"original": {
@ -239,11 +258,11 @@
]
},
"locked": {
"lastModified": 1673395322,
"narHash": "sha256-Xwaoz3+/+kCu8Przi1W3MWdQcOQ9wLVrr8nfBN6L6wA=",
"lastModified": 1676707513,
"narHash": "sha256-Cr8f0zUpjb9T+aiClDFpJKVqfKKa6S/fbxPcSTX8UHI=",
"owner": "musnix",
"repo": "musnix",
"rev": "46d6e6435edcfa2a4adcfdd95d576979b710f4cb",
"rev": "2289b7c353e56ee18270fb6b43965036942b2d0f",
"type": "github"
},
"original": {
@ -269,11 +288,11 @@
},
"nixos": {
"locked": {
"lastModified": 1674781052,
"narHash": "sha256-nseKFXRvmZ+BDAeWQtsiad+5MnvI/M2Ak9iAWzooWBw=",
"lastModified": 1677075010,
"narHash": "sha256-X+UmR1AkdR//lPVcShmLy8p1n857IGf7y+cyCArp8bU=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "cc4bb87f5457ba06af9ae57ee4328a49ce674b1b",
"rev": "c95bf18beba4290af25c60cbaaceea1110d0f727",
"type": "github"
},
"original": {
@ -289,11 +308,11 @@
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1674666581,
"narHash": "sha256-KNI2s/xrL7WOYaPJAWKBtb7cCH3335rLfsL+B+ssuGY=",
"lastModified": 1676297861,
"narHash": "sha256-YECUmK34xzg0IERpnbCnaO6z6YgfecJlstMWX7dqOZ8=",
"owner": "nix-community",
"repo": "nixos-generators",
"rev": "6a5dc1d3d557ea7b5c19b15ff91955124d0400fa",
"rev": "1e0a05219f2a557d4622bc38f542abb360518795",
"type": "github"
},
"original": {
@ -304,11 +323,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1674550793,
"narHash": "sha256-ljJlIFQZwtBbzWqWTmmw2O5BFmQf1A/DspwMOQtGXHk=",
"lastModified": 1677232326,
"narHash": "sha256-rAk2/80kLvA3yIMmSV86T1B4kNvwCFMSQ1FxXndaUB0=",
"owner": "nixos",
"repo": "nixos-hardware",
"rev": "b7ac0a56029e4f9e6743b9993037a5aaafd57103",
"rev": "2d44015779cced4eec9df5b8dab238b9f6312cb2",
"type": "github"
},
"original": {
@ -340,7 +359,7 @@
"locked": {
"lastModified": 1666884246,
"narHash": "sha256-nSiYCIlMiYodY7GPCFPMF6YHVS2RM/XQZwn2Zrhu2eU=",
"ref": "master",
"ref": "refs/heads/master",
"rev": "f1863fb8e3866c1559ca885e1b319ea82baecdbb",
"revCount": 23,
"type": "git",
@ -353,11 +372,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1674641431,
"narHash": "sha256-qfo19qVZBP4qn5M5gXc/h1MDgAtPA5VxJm9s8RUAkVk=",
"lastModified": 1672791794,
"narHash": "sha256-mqGPpGmwap0Wfsf3o2b6qHJW1w2kk/I6cGCGIU+3t6o=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "9b97ad7b4330aacda9b2343396eb3df8a853b4fc",
"rev": "9813adc7f7c0edd738c6bdd8431439688bb0cb3d",
"type": "github"
},
"original": {
@ -401,6 +420,7 @@
"darwin": "darwin",
"deploy": "deploy",
"digga": "digga",
"factorio-pr": "factorio-pr",
"flake-compat": "flake-compat",
"home": "home",
"latest": "latest",

74
flake.nix
View file

@ -42,6 +42,8 @@
musnix.inputs.nixpkgs.follows = "nixos";
nixpkgs-hensoko.url = "git+https://git.b12f.io/hensoko/nixpkgs";
factorio-pr.url = "github:werner291/nixpkgs/master";
};
outputs = {
@ -78,6 +80,7 @@
];
};
latest = {};
factorio-pr = {};
fork = {};
};
@ -131,15 +134,19 @@
companion = {
system = "aarch64-linux";
modules = [nixos-hardware.nixosModules.raspberry-pi-4];
};
cox = {
system = "aarch64-linux";
modules = [nixos-hardware.nixosModules.raspberry-pi-4];
};
falcone = {
system = "aarch64-linux";
modules = [nixos-hardware.nixosModules.raspberry-pi-4];
};
giggles = {
system = "aarch64-linux";
modules = [nixos-hardware.nixosModules.raspberry-pi-4];
};
norman = {};
@ -186,13 +193,17 @@
harrison = hensoko ++ [daw gaming graphical non-free social work];
# work laptop
norman = hensoko ++ [ graphical non-free social virtualisation work ];
norman = hensoko ++ [graphical non-free social virtualisation work gaming];
# cm4
falcone = hensoko-iot;
# surface
surfplace = hensoko ++ [graphical non-free social];
# chonk
chonk = hensoko-iot;
};
};
};
@ -206,40 +217,18 @@
};
};
users = {
pub-solar = { suites, ... }: { imports = suites.base; };
hensoko = { suites, ... }: { imports = suites.base; };
iot = { suites, ... }: { imports = suites.base; };
}; # digga.lib.importers.rakeLeaves ./users/hm;
pub-solar = {suites, ...}: {
imports = suites.base;
home.stateVersion = "22.05";
};
devshell = ./shell;
homeConfigurations = digga.lib.mkHomeConfigurations self.nixosConfigurations;
deploy.nodes = digga.lib.mkDeployNodes self.nixosConfigurations {
redpanda = {
hostname = "192.168.42.71:22";
sshUser = "hensoko";
fastConnect = true;
profilesOrder = [ "system" "direnv" ];
profiles.direnv = {
user = "hensoko";
path = deploy.lib.x86_64-linux.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.hensoko;
hensoko = {suites, ...}: {
imports = suites.base;
home.stateVersion = "22.05";
};
iot = {suites, ...}: {
imports = suites.base;
home.stateVersion = "22.05";
};
companion = { sshUser = "iot"; };
cox = { sshUser = "iot"; };
giggles = { sshUser = "iot"; };
ringo = { };
cube = {
sshUser = "iot";
};
};
users = {
pub-solar = {suites, ...}: { imports = suites.base; home.stateVersion = "21.03"; };
hensoko = {suites, ...}: { imports = suites.base; home.stateVersion = "21.03"; };
iot = {suites, ...}: { imports = suites.base; home.stateVersion = "21.03"; };
}; # digga.lib.importers.rakeLeaves ./users/hm;
};
@ -268,6 +257,27 @@
path = deploy.lib.x86_64-linux.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.hensoko;
};
};
companion = {sshUser = "iot";};
cox = {sshUser = "iot";};
giggles = {sshUser = "iot";};
ringo = {};
cube = {sshUser = "iot";};
chonk = {sshUser = "iot";};
};
users = {
pub-solar = {suites, ...}: {
imports = suites.base;
home.stateVersion = "21.03";
};
hensoko = {suites, ...}: {
imports = suites.base;
home.stateVersion = "21.03";
};
iot = {suites, ...}: {
imports = suites.base;
home.stateVersion = "21.03";
};
}; # digga.lib.importers.rakeLeaves ./users/hm;
};
}

10
hosts/chonk/acme.nix Normal file
View file

@ -0,0 +1,10 @@
{
pkgs,
config,
...
}: {
security.acme = {
acceptTerms = true;
defaults.email = "hensoko@gssws.de";
};
}

37
hosts/chonk/backup.nix Normal file
View file

@ -0,0 +1,37 @@
{
config,
lib,
self,
...
}: {
age.secrets.restic_repository_password.file = "${self}/secrets/chonk_restic_repository_password.age";
age.secrets.restic_nextcloud_password.file = "${self}/secrets/chonk_restic_nextcloud_password.age";
programs.ssh.extraConfig = ''
Host backup
HostName 10.0.1.12
Port 32222
User backup
IdentityFile /run/agenix/restic_ssh_private_key
'';
services.postgresqlBackup = {
enable = true;
backupAll = true;
compression = "zstd";
};
services.restic.backups = {
cox = {
passwordFile = "/run/agenix/restic_repository_password";
paths = [
"/mnt/internal/nextcloud"
"/var/backup/postgresql"
];
repositoryFile = "/run/agenix/restic_nextcloud_password";
timerConfig = {
OnCalendar = "02:00";
};
};
};
}

31
hosts/chonk/builder.nix Normal file
View file

@ -0,0 +1,31 @@
{
self,
config,
pkgs,
...
}: let
psCfg = config.pub-solar;
in {
age.secrets.nix-builder-private-key = {
owner = "builder";
group = "builder";
file = "${self}/secrets/chonk_nix_builder_private_key.age";
};
programs.ssh.package = pkgs.openssh_hpn;
nix.settings.trusted-users = ["builder"];
boot.binfmt.emulatedSystems = ["aarch64-linux"];
users.groups."builder" = {};
users.users."builder" = {
isNormalUser = true;
group = "builder";
shell = pkgs.bashInteractive;
openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN8hTdDTA+LVlHkOm5IBjT32PvAdCxYfUfFFRx+JGeS6 root@norman"];
};
nix.settings.secret-key-files = "/run/agenix/nix-builder-private-key";
}

16
hosts/chonk/chonk.nix Normal file
View file

@ -0,0 +1,16 @@
{
config,
pkgs,
lib,
...
}:
with lib;
with pkgs; let
psCfg = config.pub-solar;
in {
imports = [
./configuration.nix
];
networking.networkmanager.enable = lib.mkForce false;
}

41
hosts/chonk/configuration.nix Normal file
View file

@ -0,0 +1,41 @@
{
config,
lib,
pkgs,
...
}: {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
./acme.nix
./backup.nix
./drone.nix
./home-assistant.nix
./nextcloud.nix
./wireguard.nix
./builder.nix
./invidious.nix
./factorio.nix
./invoiceplane.nix
#./tang.nix
#./whiteboard.nix
];
boot.loader.systemd-boot.enable = lib.mkForce false;
time.timeZone = "Europe/Berlin";
services.openssh.ports = [2222];
networking.nat.enable = true;
networking.nat.internalIPs = ["10.10.42.0/24"];
networking.nat.externalInterface = "eno1";
networking.firewall.allowedTCPPorts = [80 443 2222];
networking.firewall.allowedUDPPorts = [51899];
networking.firewall.enable = lib.mkForce true;
system.stateVersion = "21.05"; # Did you read the comment?
}

7
hosts/chonk/default.nix Normal file
View file

@ -0,0 +1,7 @@
{suites, ...}: {
imports =
[
./chonk.nix
]
++ suites.chonk;
}

24
hosts/chonk/drone.nix Normal file
View file

@ -0,0 +1,24 @@
{
self,
config,
pkgs,
...
}: {
age.secrets.drone_exec_runner_config = {
file = "${self}/secrets/chonk_drone_exec_runner_config.age";
owner = "999";
};
pub-solar.docker-ci-runner = {
enable = true;
enableKvm = true;
nixCacheLocation = "/srv/drone-nix-cache/nix";
runnerEnvironment = {
DRONE_RUNNER_CAPACITY = "10";
DRONE_RUNNER_LABELS = "hosttype:baremetal";
};
runnerVarsFile = "/run/agenix/drone_exec_runner_config";
};
}

24
hosts/chonk/factorio.nix Normal file
View file

@ -0,0 +1,24 @@
{
self,
config,
pkgs,
fetchurl,
...
}: let
#far-reach = pkgs.factorio-utils.modDrv rec {
# src = fetchurl {
# urls = [ "https://dl-mod.factorio.com/download/c48a8fbbe6941453173ae4e8a353976f3d757773/far-reach_1.1.2.zip?secure=0rFEz6-kw9j2JtrOUv3yEw,1677274141" ];
# sha256 = "";
# };
#};
in {
services.factorio = {
enable = true;
package = pkgs.factorio-headless-experimental;
openFirewall = true;
game-name = "pub.solar Factorio";
game-password = "pub.solar";
admins = ["hensoko"];
#mods = [ far-reach ];
};
}

103
hosts/chonk/hardware-configuration.nix Normal file
View file

@ -0,0 +1,103 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = ["ehci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"];
boot.initrd.kernelModules = ["raid1"];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
boot.extraModprobeConfig = "options kvm_intel nested=1";
boot.initrd.luks.forceLuksSupportInInitrd = true;
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_03025429121421051300-0:0";
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-uuid/9e13c8ea-96d3-45b1-85f4-d1a61233da6f";
#keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04020116120721075123-0:0-part1";
#fallbackToPassword = true;
#bypassWorkqueues = true;
};
boot.initrd.network = {
enable = true;
ssh = {
enable = true;
port = 22;
authorizedKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work"];
hostKeys = [/etc/secrets/initrd/ssh_host_ed25519_key];
};
postCommands = ''
echo 'cryptsetup-askpass' >> /root/.profile
'';
};
boot.initrd.systemd.enable = true;
boot.initrd.services.swraid = {
enable = true;
mdadmConf = ''
ARRAY /dev/md/0 metadata=1.2 name=data:0 UUID=1156202f:835af09b:2e05e02a:a1869d1c
'';
};
fileSystems."/" = {
device = "/dev/disk/by-label/root";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-label/boot";
fsType = "ext4";
};
fileSystems."/mnt/internal" = {
device = "/dev/disk/by-uuid/3563f624-f8ed-4664-95d0-ca8b9db1c60a";
fsType = "ext4";
};
swapDevices = [
{device = "/dev/disk/by-label/swap";}
];
networking.bonds."bond0" = {
interfaces = ["eno1" "eno2"];
driverOptions = {
miimon = "100";
mode = "balance-xor";
xmit_hash_policy = "layer3+4";
};
};
networking = {
defaultGateway = "80.244.242.1";
nameservers = ["95.129.51.51" "80.244.244.244"];
interfaces."bond0" = {
ipv4.addresses = [
{
address = "80.244.242.2";
prefixLength = 29;
}
];
};
};
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

21
hosts/chonk/home-assistant.nix Normal file
View file

@ -0,0 +1,21 @@
{
self,
pkgs,
config,
...
}: {
# HTTP
services.nginx = {
virtualHosts."ha.gssws.de" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://10.0.1.254:8123";
proxyWebsockets = true;
extraConfig =
"proxy_ssl_server_name on;"
+ "proxy_pass_header Authorization;";
};
};
};
}

23
hosts/chonk/invidious.nix Normal file
View file

@ -0,0 +1,23 @@
{
self,
config,
pkgs,
...
}: let
domain = "yt.gssws.de";
in {
age.secrets.invidious_db_password.file = "${self}/secrets/chonk_invidious_db_password.age";
services.invidious = {
inherit domain;
enable = true;
nginx.enable = true;
database = {
createLocally = true;
passwordFile = "/run/agenix/invidious_db_password";
};
settings = {
https_only = true;
};
};
}

65
hosts/chonk/invoiceplane.nix Normal file
View file

@ -0,0 +1,65 @@
{
self,
config,
pkgs,
...
}: let
hostAddress = "10.10.42.1";
serviceAddress = "10.10.42.11";
domain = "inv.gssws.de";
hostStateDir = "/mnt/internal/invoiceplane";
containerStateDir = "/var/lib/invoiceplane";
in {
# nginx
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://${serviceAddress}:80";
};
};
};
# invoiceplane
containers."invoiceplane" = {
privateNetwork = true;
hostAddress = "10.10.42.1";
localAddress = serviceAddress;
bindMounts."${containerStateDir}" = {
hostPath = hostStateDir;
isReadOnly = false;
};
config = {
config,
pkgs,
...
}: {
networking.firewall.allowedTCPPorts = [80];
services.rsyslogd.enable = true;
services.phpfpm.pools."invoiceplane-${domain}".phpOptions = ''
date.timezone = Europe/Berlin
'';
services.caddy.virtualHosts."http://${domain}".listenAddresses = ["0.0.0.0"];
services.invoiceplane.sites."${domain}" = {
enable = true;
stateDir = containerStateDir;
extraConfig = ''
ENABLE_DEBUG=true
'';
database = {
user = "invoiceplane";
name = "invoiceplane";
};
};
};
};
}

87
hosts/chonk/nextcloud-apps.nix Normal file
View file

@ -0,0 +1,87 @@
{
self,
pkgs,
config,
lib,
...
}: let
notify_push = pkgs.fetchzip {
sha256 = "7q1I4V2xUkRUK8qfEwxPNW/srkrGPPXiS1Y1Ew22zls=";
url = "https://github.com/nextcloud-releases/notify_push/releases/download/v0.5.2/notify_push-v0.5.2.tar.gz";
};
in {
systemd.services.nextcloud-notify-push = {
enable = true;
wantedBy = ["multi-user.target"];
serviceConfig = {
Environment = [
"PORT=7867"
"NEXTCLOUD_URL=https://data.gssws.de"
];
ExecStart = "${notify_push}/bin/x86_64/notify_push /mnt/internal/nextcloud/config/config.php";
User = "nextcloud";
};
};
services.nextcloud.extraApps = with pkgs.nextcloud25Packages.apps; {
inherit bookmarks calendar contacts deck keeweb news tasks;
inherit notify_push;
"bruteforcesettings" = pkgs.fetchzip {
sha256 = "8Sev4B7AOzLGPX6a4in0BEXJ5oL6m2EYGuBExSCnfok=";
url = "https://github.com/nextcloud-releases/bruteforcesettings/releases/download/v2.4.0/bruteforcesettings-v2.4.0.tar.gz";
};
"cookbook" = pkgs.fetchzip {
sha256 = "j7nAprAIY4NMPD6kXfmXVW+PgpRiyx5SRPSe6IEB/vY=";
url = "https://github.com/nextcloud/cookbook/releases/download/v0.10.1/Cookbook-0.10.1.tar.gz";
};
"cospend" = pkgs.fetchzip {
sha256 = "vGjK9Sy+q4ycS5MWeTTrwDGPTOp6t4leH+rF/Y54d0c=";
url = "https://github.com/eneiluj/cospend-nc/releases/download/v1.5.5/cospend-1.5.5.tar.gz";
};
"files_accesscontrol" = pkgs.fetchzip {
sha256 = "34goKXWLUym5p7alby3WEyFzr346psHUeJ/+OZtfGmc=";
url = "https://github.com/nextcloud-releases/files_accesscontrol/releases/download/v1.15.1/files_accesscontrol-v1.15.1.tar.gz";
};
"files_automatedtagging" = pkgs.fetchzip {
sha256 = "PmcqHojtfww3wNIFoLM+hVXAjoo4zqzK6sUMeveHYa0=";
url = "https://github.com/nextcloud-releases/files_automatedtagging/releases/download/v1.15.0/files_automatedtagging-v1.15.0.tar.gz";
};
"files_fulltextsearch" = pkgs.fetchzip {
sha256 = "DEl/CbCvwiWvkNQOuKtHWzifq3AMrhL5wLHmSMuL4TU=";
url = "https://github.com/nextcloud-releases/files_fulltextsearch/releases/download/25.0.0/files_fulltextsearch-25.0.0.tar.gz";
};
"files_mindmap" = pkgs.fetchzip {
sha256 = "/u1H2QvyKfdGjelFAkLc3rRGQlm3T+OajAbpUF0+cdY=";
url = "https://github.com/ACTom/files_mindmap/releases/download/v0.0.27/files_mindmap-0.0.27.tar.gz";
};
"fulltextsearch" = pkgs.fetchzip {
sha256 = "1LVo5Cv6Gf4M/laVlHfm5wAQ8I8EsdLIThVm/jUj6uA=";
url = "https://github.com/nextcloud-releases/fulltextsearch/releases/download/25.0.0/fulltextsearch-25.0.0.tar.gz";
};
"groupfolders" = pkgs.fetchzip {
sha256 = "CGGt5QEzdJqOJywZQTQYeKIy/2JhHYGACHrfAmH9LD0=";
url = "https://github.com/nextcloud-releases/groupfolders/releases/download/v13.1.0/groupfolders-v13.1.0.tar.gz";
};
"maps" = pkgs.fetchzip {
sha256 = "8HNew2sIlMd+wt2a6jXa1tZpub56AnB5gfBs/cYlkcI=";
url = "https://github.com/nextcloud/maps/releases/download/v0.2.4/maps-0.2.4.tar.gz";
};
#"notify_push" = pkgs.fetchzip {
# sha256 = "7q1I4V2xUkRUK8qfEwxPNW/srkrGPPXiS1Y1Ew22zls=";
# url = "https://github.com/nextcloud-releases/notify_push/releases/download/v0.5.2/notify_push-v0.5.2.tar.gz";
#};
"quota_warning" = pkgs.fetchzip {
sha256 = "If4tW4yJbJ1xgfOyN0wxcgHLxXUrtKPdphRhbQOM6b4=";
url = "https://github.com/nextcloud-releases/quota_warning/releases/download/v1.15.0/quota_warning-v1.15.0.tar.gz";
};
"richdocuments" = pkgs.fetchzip {
sha256 = "I6Y3lyZADiUCpmnkRS7Muc54uOOvKpWdlQ189EKzesA=";
url = "https://github.com/nextcloud-releases/richdocuments/releases/download/v7.0.2/richdocuments-v7.0.2.tar.gz";
};
#"twofactor_totp" = pkgs.fetchzip {
# sha256 = "p3Ft3sQ/2HPXCFE03dm8pBL39b7bWCi2iAxHkbOK2V4=";
# url = "https://github.com/nextcloud-releases/twofactor_totp/releases/download/v6.4.1/twofactor_totp-v6.4.1.tar.gz";
#};
};
}

164
hosts/chonk/nextcloud.nix Normal file
View file

@ -0,0 +1,164 @@
{
self,
pkgs,
config,
lib,
...
}: let
notifyPushPort = 7867;
in {
imports = [
./nextcloud-apps.nix
];
age.secrets.nextcloud_db_pass = {
owner = "nextcloud";
group = "nextcloud";
file = "${self}/secrets/chonk_nextcloud_db_pass.age";
};
age.secrets.nextcloud_admin_pass = {
owner = "nextcloud";
group = "nextcloud";
file = "${self}/secrets/chonk_nextcloud_admin_pass.age";
};
# HTTP
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
virtualHosts."data.gssws.de" = {
enableACME = true;
forceSSL = true;
locations."^~ /push/" = {
proxyPass = "http://127.0.0.1:${toString notifyPushPort}";
proxyWebsockets = true;
};
};
};
# DATABASES
services.postgresql = {
enable = true;
package = pkgs.postgresql_11;
settings = {
max_connections = "200";
};
ensureDatabases = ["nextcloud"];
ensureUsers = [
{
name = "nextcloud";
ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
}
];
};
# REDIS
services.redis.servers = {
"nextcloud".enable = true;
};
users.groups."redis-nextcloud".members = ["nextcloud"];
# Collabora Code server
virtualisation.oci-containers.containers."nextcloud-collabora-code" = {
image = "collabora/code";
autoStart = true;
ports = ["127.0.0.1:9980:9980"];
environment.domain = "data\\.gssws\\.de";
extraOptions = ["--cap-add" "MKNOD"];
};
services.nginx.virtualHosts."office.gssws.de" = let
proxyPass = "https://127.0.0.1:9980";
extraConfig = "proxy_ssl_verify off;";
in {
enableACME = true;
forceSSL = true;
locations."^~ /browser" = {
inherit proxyPass extraConfig;
};
locations."^~ /hosting/discovery" = {
inherit proxyPass extraConfig;
};
locations."^~ /hosting/capabilities" = {
inherit proxyPass extraConfig;
};
locations."~ ^/cool/(.*)/ws''$" = {
inherit proxyPass extraConfig;
proxyWebsockets = true;
};
locations."~ ^/(c|l)ool" = {
inherit proxyPass extraConfig;
};
locations."^~ /cool/adminws" = {
inherit proxyPass extraConfig;
proxyWebsockets = true;
};
};
# NEXTCLOUD
systemd.services."nextcloud-setup" = {
requires = ["postgresql.service"];
after = ["postgresql.service"];
};
services.nextcloud = {
enable = true;
package = pkgs.nextcloud25;
hostName = "data.gssws.de";
https = true;
datadir = "/mnt/internal/nextcloud";
caching.apcu = true;
caching.redis = true;
phpPackage = lib.mkForce pkgs.php81;
poolSettings = {
"pm" = "dynamic";
"pm.max_children" = "128";
"pm.start_servers" = "64";
"pm.min_spare_servers" = "32";
"pm.max_spare_servers" = "76";
"pm.max_requests" = "500";
};
phpOptions = {
short_open_tag = "Off";
expose_php = "Off";
error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
display_errors = "stderr";
"opcache.enable_cli" = "1";
"opcache.interned_strings_buffer" = "32";
"opcache.max_accelerated_files" = "100000";
"opcache.memory_consumption" = "256";
"opcache.revalidate_freq" = "1";
"opcache.fast_shutdown" = "1";
"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
catch_workers_output = "yes";
};
config = {
overwriteProtocol = "https";
dbtype = "pgsql";
dbuser = "nextcloud";
dbhost = "/run/postgresql";
dbname = "nextcloud";
dbpassFile = "/run/agenix/nextcloud_db_pass";
adminpassFile = "/run/agenix/nextcloud_admin_pass";
adminuser = "admin";
trustedProxies = ["80.244.242.2"];
defaultPhoneRegion = "DE";
};
};
}

68
hosts/chonk/tang-container.nix Normal file
View file

@ -0,0 +1,68 @@
{
pkgs,
config,
...
}: let
containerStateDir = "/data";
hostStateDir = "/opt/tangd";
domain = "";
serviceAddress = "10.10.42.12";
in {
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://${serviceAddress}:${toString servicePort}";
};
};
containers."tang" = {
autoStart = true;
ephemeral = true;
bindMounts."${containerStateDir}" = {
hostPath = hostStateDir;
isReadOnly = false;
};
config = {
config,
pkgs,
...
}: {
networking.firewall.enable = false;
users.groups."_tang" = {};
users.users."_tang" = {
group = "_tang";
isSystemUser = true;
};
environment.systemPackages = ["${pkgs.jose}"];
systemd.services."tangd@" = {
enable = true;
serviceConfig = {
ExecStartPre = "${pkgs.bash}/bin/bash -c \"mkdir -p ${containerStateDir}/tang-db\"";
ExecStart = "${pkgs.tang}/libexec/tangd ${containerStateDir}/tang-db";
StandardInput = "socket";
StandardOutput = "socket";
StandardError = "journal";
User = "_tang";
Group = "_tang";
};
};
systemd.sockets."tangd" = {
enable = true;
listenStreams = ["${toString servicePort}"];
wantedBy = ["sockets.target"];
socketConfig = {
Accept = true;
};
};
system.stateVersion = "22.11";
};
};
}

25
hosts/chonk/tang.nix Normal file
View file

@ -0,0 +1,25 @@
{
self,
config,
pkgs,
...
}: let
domain = "t.gssws.de";
servicePort = 63080;
in {
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString servicePort}";
};
};
virtualisation.oci-containers.containers."tang" = {
image = "cloggo/tangd";
ports = ["127.0.0.1:${builtins.toString servicePort}:8080"];
environment = {
IP_WHITELIST = "172.17.0.1";
};
};
}

65
hosts/chonk/wireguard.nix Normal file
View file

@ -0,0 +1,65 @@
{
self,
config,
pkgs,
...
}: {
age.secrets.home_controller_wireguard.file = "${self}/secrets/chonk_wireguard_key.age";
systemd.services.wireguard-wg0.serviceConfig.Restart = "on-failure";
systemd.services.wireguard-wg0.serviceConfig.RestartSec = "5s";
# Enable WireGuard
networking.wireguard.interfaces = {
wg1 = {
# Determines the IP address and subnet of the client's end of the tunnel interface.
ips = ["10.0.1.6"];
listenPort = 51899; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
# Path to the private key file.
#
# Note: The private key can also be included inline via the privateKey option,
# but this makes the private key world-readable; thus, using privateKeyFile is
# recommended.
privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [
# For a client configuration, one peer entry for the server will suffice.
{
# giggles
publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
allowedIPs = ["10.0.1.11/32"];
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
{
# cox
publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
allowedIPs = ["10.0.1.12/32"];
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
{
# companion
publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
allowedIPs = ["10.0.1.13/32"];
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
{
# hsha
publicKey = "sC0wWHE/tvNaVYX3QQTHQUmSTTjZMOjkQ5x/qy6qjTc=";
allowedIPs = ["10.0.1.254/32"];
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
];
};
};
}

15
hosts/companion/configuration.nix
View file

@ -1,15 +1,17 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ inputs, pkgs, builtins, config, lib, ... }:
{
imports =
[
inputs,
pkgs,
builtins,
config,
lib,
...
}: {
imports = [
./hardware-configuration.nix
./home-controller.nix
./paperless.nix
];
boot.loader.timeout = lib.mkForce 0;
@ -53,4 +55,3 @@
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
}

96
hosts/cox/backup.nix
View file

@ -1,23 +1,87 @@
{ self, config, pkgs, ... }:
{
virtualisation.oci-containers = {
backend = "docker";
containers = {
backup-ssh = {
image = "linuxserver/openssh-server:arm64v8-latest";
ports = [ "32222:2222" ];
environment = {
PUBLIC_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTpA7OHfZhl1wsbvydLNMtMx4q64fz+ojIAZpVUJEMI root@cube";
USER_NAME = "backup";
TZ = "Europe/Berlin";
PUID = "911";
PGID = "911";
self,
config,
pkgs,
...
}: {
age.secrets.backup_restic_htpasswd = {
file = "${self}/secrets/cox_backup_restic_htpasswd.age";
owner = "${toString config.ids.uids.restic}";
};
volumes = [ "/opt/backup/hdd/restic:/data/hdd/restic" ];
services.nginx = {
enable = true;
clientMaxBodySize = "1G";
virtualHosts."backup.local" = {
locations."/" = {
proxyPass = "http://127.0.0.1:18000";
extraConfig = ''
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
send_timeout 600;
proxy_set_header Host ''$host;
proxy_set_header X-Forwarded-For ''$remote_addr;
'';
};
};
};
containers."backup" = {
autoStart = true;
ephemeral = true;
bindMounts = {
"/var/lib/restic" = {
hostPath = "/opt/backup/hdd/restic";
isReadOnly = false;
};
"/var/lib/restic/.htpasswd" = {
hostPath = "/run/agenix/backup_restic_htpasswd";
isReadOnly = false;
};
};
config = {
config,
pkgs,
...
}: {
networking.firewall.enable = false;
services.restic.server = {
enable = true;
listenAddress = "0.0.0.0:18000";
privateRepos = true;
extraFlags = [
"--append-only"
"--prometheus"
"--prometheus-no-auth"
];
};
time.timeZone = "Europe/Berlin";
system.stateVersion = "22.11";
};
};
#virtualisation.oci-containers = {
# backend = "docker";
# containers = {
# backup-ssh = {
# image = "linuxserver/openssh-server:arm64v8-latest";
# ports = [ "32222:2222" ];
#
# environment = {
# PUBLIC_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTpA7OHfZhl1wsbvydLNMtMx4q64fz+ojIAZpVUJEMI root@cube";
# USER_NAME = "backup";
# TZ = "Europe/Berlin";
# PUID = "911";
# PGID = "911";
# };
#
# volumes = [
# "/opt/backup/hdd/restic:/data/hdd/restic"
# ];
# };
# };
#};
}

14
hosts/cox/configuration.nix
View file

@ -1,20 +1,19 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }:
{
imports =
[
config,
pkgs,
lib,
...
}: {
imports = [
./backup.nix
./hardware-configuration.nix
./home-controller.nix
./paperless.nix
];
boot.loader.timeout = 0;
boot.loader.generic-extlinux-compatible.enable = lib.mkForce false;
boot.loader.grub = {
@ -63,4 +62,3 @@
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
}

27
hosts/cox/hardware-configuration.nix
View file

@ -1,11 +1,15 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = ["xhci_pci" "usbhid" "usb_storage" "uas"];
@ -16,6 +20,8 @@
boot.kernelPackages = pkgs.linuxPackages_6_1;
boot.supportedFilesystems = [];
boot.kernelParams = ["usb-storage.quirks=2109:0716:ouw,174c:55aa:u,2109:2813:ouw,2109:0813:ouw"];
boot.loader.grub = {
enable = true;
efiSupport = true;
@ -27,6 +33,7 @@
boot.loader.systemd-boot.enable = false;
boot.loader.generic-extlinux-compatible.enable = false;
boot.loader.timeout = 0;
boot.initrd.luks.devices."cryptroot" = {
@ -36,18 +43,18 @@
bypassWorkqueues = true;
};
fileSystems."/" =
{ device = "/dev/disk/by-uuid/6a419f58-bef1-4dd9-9b4f-389e35ba686a";
fileSystems."/" = {
device = "/dev/disk/by-label/root";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/6CB3-6DB8";
fileSystems."/boot" = {
device = "/dev/disk/by-label/boot";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/ea401985-e25f-4d13-8d72-5a5660c4384f"; }
swapDevices = [
{device = "/dev/disk/by-label/swap";}
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking

13
hosts/cox/home-controller.nix
View file

@ -1,6 +1,9 @@
{ self, config, pkgs, ... }:
{
self,
config,
pkgs,
...
}: {
config = {
#age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cox_wireguard_key.age";
@ -21,9 +24,9 @@
privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [
{
# cube
publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk=";
allowedIPs = [ "10.0.1.5/32" ];
# chonk
publicKey = "t1DS0y6eVzyGwomKAEWTWVsHK3xB7M/fNQ3wLgE3+B8=";
allowedIPs = ["10.0.1.6/32"];
endpoint = "data.gssws.de:51899";
persistentKeepalive = 25;
}

28
hosts/cox/paperless.nix
View file

@ -1,6 +1,8 @@
{ pkgs, config, ... }:
let
{
pkgs,
config,
...
}: let
containerStateDir = "/data";
hostStateDir = "/opt/documents/paperless";
httpPort = 80;
@ -8,17 +10,20 @@ let
ftpListenPort = 20021;
ftpPasvMinPort = 22021;
ftpPasvMaxPort = 24021;
domain = "cox.local";
in
{
domain = "paperless.local";
in {
networking.firewall = {
allowedTCPPorts = [
httpPort
ftpListenPort
];
allowedTCPPortRanges = [ { from = ftpPasvMinPort; to = ftpPasvMaxPort; } ];
allowedTCPPortRanges = [
{
from = ftpPasvMinPort;
to = ftpPasvMaxPort;
}
];
};
services.nginx = {
@ -47,7 +52,11 @@ in
isReadOnly = false;
};
config = { config, pkgs, ... }: {
config = {
config,
pkgs,
...
}: {
networking.firewall.enable = false;
users.users."paperless".extraGroups = ["ftp"];
@ -63,7 +72,6 @@ in
PAPERLESS_ALLOWED_HOSTS = "${domain}";
PAPERLESS_CSRF_TRUSTED_ORIGINS = "http://${domain}";
PAPERLESS_CORS_ALLOWED_HOSTS = "http://${domain}";
};
};

13
hosts/cube/backup.nix
View file

@ -1,8 +1,11 @@
{ config, lib, self, ... }:
{
config,
lib,
self,
...
}: {
age.secrets.restic_repository_password.file = "${self}/secrets/cube_restic_repository_password.age";
age.secrets.restic_ssh_private_key.file = "${self}/secrets/cube_restic_ssh_private_key.age";
age.secrets.restic_nextcloud_password.file = "${self}/secrets/cube_restic_nextcloud_password.age";
programs.ssh.extraConfig = ''
Host backup
@ -25,7 +28,9 @@
"/mnt/internal/nextcloud"
"/var/backup/postgresql"
];
repository = "sftp:backup:/data/hdd/restic";
repositoryFile = "/run/agenix/restic_nextcloud_password";
#repository = "rest:http://nextcloud:md1TYoRcOqdr7sBRH9ZH0iGos0yv2pLhrnZc3Xhk@10.0.1.12";
#repository = "sftp:backup:/data/hdd/restic";
timerConfig = {
OnCalendar = "02:00";
};

13
hosts/giggles/home-controller.nix
View file

@ -1,6 +1,9 @@
{ self, config, pkgs, ... }:
{
self,
config,
pkgs,
...
}: {
config = {
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_giggles_wireguard_key.age";
@ -18,9 +21,9 @@
privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [
{
# cube
publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk=";
allowedIPs = [ "10.0.1.5/32" ];
# chonk
publicKey = "t1DS0y6eVzyGwomKAEWTWVsHK3xB7M/fNQ3wLgE3+B8=";
allowedIPs = ["10.0.1.6/32"];
endpoint = "data.gssws.de:51899";
persistentKeepalive = 25;
}

28
hosts/norman/builder.nix Normal file
View file

@ -0,0 +1,28 @@
{self, ...}: {
programs.ssh.extraConfig = ''
Host builder
Hostname data.gssws.de
Port 2222
User builder
IdentitiesOnly yes
IdentityFile /root/.ssh/id_ed25519-builder
'';
nix.buildMachines = [
{
hostName = "builder";
systems = ["x86_64-linux" "aarch64-linux"];
maxJobs = 20;
speedFactor = 2;
supportedFeatures = ["nixos-test" "benchmark" "big-parallel" "kvm"];
mandatoryFeatures = [];
}
];
nix.distributedBuilds = true;
nix.settings = {
substituters = ["ssh-ng://builder"];
trusted-public-keys = ["chonk:1b/yLBRW2ZeL9jErW1ogMRUTq/hidJnZOxopx363JSo="];
builders-use-substitutes = true;
};
}

12
hosts/norman/configuration.nix
View file

@ -1,15 +1,16 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports =
[
config,
pkgs,
...
}: {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
./wireguard.nix
./builder.nix
];
# Set your time zone.
@ -60,4 +61,3 @@
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.11"; # Did you read the comment?
}

20
hosts/norman/hardware-configuration.nix
View file

@ -1,9 +1,13 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [];
boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "usbhid" "uas" "sdhci_pci"];
@ -11,6 +15,7 @@
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.loader.grub.trustedBoot = {
enable = true;
systemHasTPM = "YES_TPM_is_activated";
@ -21,20 +26,17 @@
bypassWorkqueues = true;
};
fileSystems."/" =
{
fileSystems."/" = {
device = "/dev/disk/by-uuid/5b441f8f-d7eb-44f8-8df2-7354b3314a61";
fsType = "ext4";
};
fileSystems."/boot" =
{
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/84CD-91B6";
fsType = "vfat";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/54162798-9017-4b59-afd7-ab9578da4bb9"; }];
swapDevices = [{device = "/dev/disk/by-uuid/54162798-9017-4b59-afd7-ab9578da4bb9";}];
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
@ -42,5 +44,7 @@
enable = true;
device = "TPPS/2 ALPS TrackPoint";
emulateWheel = true;
sensitivity = 100; # default 128
speed = 64; # default 97
};
}

15
hosts/norman/norman.nix
View file

@ -1,10 +1,13 @@
{ config, pkgs, lib, ... }:
with lib;
let
{
config,
pkgs,
lib,
...
}:
with lib; let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
in {
imports = [
./configuration.nix
];
@ -12,6 +15,8 @@ in
config = {
boot.binfmt.emulatedSystems = ["aarch64-linux"];
environment.systemPackages = [pkgs.factorio-experimental];
pub-solar.audio.bluetooth.enable = false;
home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable {

10
hosts/norman/wireguard.nix
View file

@ -1,6 +1,8 @@
{ config, pkgs, ... }:
{
config,
pkgs,
...
}: {
systemd.services.wireguard-wg0.serviceConfig.Restart = "on-failure";
systemd.services.wireguard-wg0.serviceConfig.RestartSec = "5s";
systemd.services.wireguard-wg1.serviceConfig.Restart = "on-failure";
@ -73,7 +75,7 @@
{
# Public key of the server (not a file path).
publicKey = "RwMocdha7fyx+MGTtQpZhZQGJY4WU79YgpspYBclK3c=";
publicKey = "t1DS0y6eVzyGwomKAEWTWVsHK3xB7M/fNQ3wLgE3+B8=";
# Forward all the traffic via VPN.
allowedIPs = [
@ -87,8 +89,6 @@
persistentKeepalive = 25;
}
];
};
};
}

3
modules/social/default.nix
View file

@ -18,11 +18,8 @@ in {
home.packages = [
signal-desktop
tdesktop
discord
element-desktop
tdesktop
mattermost-desktop
whatsapp-for-linux
];
};
};

33
modules/terminal-life/default.nix
View file

@ -24,17 +24,17 @@ in {
config = mkIf cfg.enable {
programs.command-not-found.enable = false;
# Needed to get zsh completion for system packages (e.g. systemd).
environment.pathsToLink = ["/share/zsh"];
environment.shells = with pkgs; [
zsh
];
environment.systemPackages = with pkgs; [
screen
];
# Starship is a fast and featureful shell prompt
# starship.toml has sane defaults that can be changed there
programs.starship = {
enable = true;
settings = import ./starship.toml.nix;
};
home-manager = with pkgs;
pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
home.packages = [
@ -61,20 +61,21 @@ in {
watson
];
programs.bash = import ./bash {
inherit config;
inherit pkgs;
inherit self;
};
programs.fzf = import ./fzf {
inherit config;
inherit pkgs;
};
programs.neovim = import ./nvim {
inherit config;
inherit pkgs;
inherit lib;
};
programs.fzf = import ./fzf {
inherit config;
inherit pkgs;
};
programs.zsh = import ./zsh {
inherit config;
inherit pkgs;
inherit self;
inherit lib;
};
};
};
}

124
modules/terminal-life/zsh/default.nix Normal file
View file

@ -0,0 +1,124 @@
{
config,
pkgs,
self,
lib,
...
}: let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in {
enable = true;
enableAutosuggestions = true;
enableCompletion = true;
dotDir = ".config/zsh";
history = {
ignoreDups = true;
expireDuplicatesFirst = true;
ignoreSpace = true;
path = "$HOME/.local/share/zsh/zsh_history";
save = 10000;
size = 10000;
};
loginExtra = lib.mkIf psCfg.sway.enable ''
[ "$(tty)" = "/dev/tty1" ] && exec ${pkgs.sway-service}/bin/sway-service
'';
shellAliases = {
nano = "nvim";
vi = "nvim";
vim = "nvim";
mutt = "neomutt";
ls = "exa";
la = "exa --group-directories-first -lag";
fm = "vifm .";
vifm = "vifm .";
wget = "wget --hsts-file=$XDG_CACHE_HOME/wget-hsts";
irssi = "irssi --config=$XDG_CONFIG_HOME/irssi/config --home=$XDG_DATA_HOME/irssi";
drone = "DRONE_TOKEN=$(secret-tool lookup drone token) drone";
no = "manix \"\" | grep '^# ' | sed 's/^# \(.*\) (.*/\1/;s/ (.*//;s/^# //' | fzf --preview=\"manix '{}'\" | xargs manix";
# fix nixos-option
nixos-option = "nixos-option -I nixpkgs=${self}/lib/compat";
myip = "dig +short myip.opendns.com @208.67.222.222 2>&1";
};
plugins = [
# src gets fetched by nvfetcher, see: ./pkgs/sources.toml
{
# will source ohmyzsh/plugins/z/
name = "zsh-plugins-z";
file = "plugins/z/z.plugin.zsh";
src = pkgs.sources.ohmyzsh.src;
}
{
name = "zsh-powerlevel10k";
file = "powerlevel10k.zsh-theme";
src = pkgs.sources.powerlevel10k.src;
}
{
name = "zsh-fast-syntax-highlighting";
file = "F-Sy-H.plugin.zsh";
src = pkgs.sources.F-Sy-H.src;
}
{
name = "zsh-nix-shell";
file = "nix-shell.plugin.zsh";
src = pkgs.sources.zsh-nix-shell.src;
}
];
initExtra =
''
bindkey -v
bindkey -v 'jj' vi-cmd-mode
bindkey -a 'i' up-line
bindkey -a 'k' down-line
bindkey -a 'j' backward-char
bindkey -a 'h' vi-insert
bindkey '^[[H' beginning-of-line
bindkey '^[[F' end-of-line
bindkey '^R' history-incremental-pattern-search-backward
bindkey '^ ' autosuggest-accept
bindkey '^q' push-line-or-edit
bindkey '^R' fzf-history-widget
# ArrowUp/Down start searching history with current input
autoload -U up-line-or-beginning-search
autoload -U down-line-or-beginning-search
zle -N up-line-or-beginning-search
zle -N down-line-or-beginning-search
bindkey "^[[A" up-line-or-beginning-search
bindkey "^[[B" down-line-or-beginning-search
bindkey "^P" up-line-or-beginning-search
bindkey "^N" down-line-or-beginning-search
# MAKE CTRL+S WORK IN VIM
stty -ixon
stty erase '^?'
precmd () {
DIR_NAME=$(pwd | sed "s|^$HOME|~|g")
echo -e -n "\e]2;$DIR_NAME\e\\"
if [ $(date +%d%m) = '0104' ]; then
if [ $? -eq 0 ]; then
echo "Success! That was a great command! I can't wait to see what amazing stuff you'll be up to next."
fi
fi
}
# If a command is not found, show me where it is
source ${pkgs.nix-index}/etc/profile.d/command-not-found.sh
''
+ builtins.readFile ./base16.zsh
+ builtins.readFile ./p10k.zsh
+ ''
source ${pkgs.fzf}/share/fzf/key-bindings.zsh
source ${pkgs.fzf}/share/fzf/completion.zsh
source ${pkgs.git-bug}/share/zsh/site-functions/git-bug
eval "$(direnv hook zsh)"
''
+ builtins.readFile ./fzf.zsh;
}

12
overlays/invidious.nix Normal file
View file

@ -0,0 +1,12 @@
final: prev: {
invidious = prev.invidious.overrideAttrs (oldAttrs: rec {
version = "unstable-2023-02-22";
src = prev.fetchFromGitHub {
owner = "iv-org";
repo = "invidious";
rev = "0995e0447c2b54d80b55231830b847d41c19b404";
hash = "sha256-hXF836jxMriMJ/qcBJIF5cRvQG719PStKqTZQcIRqlw=";
fetchSubmodules = true;
};
});
}

5
overlays/overrides.nix
View file

@ -12,6 +12,11 @@ channels: final: prev: {
nvfetcher
;
inherit
(channels.factorio-pr)
factorio
;
haskellPackages =
prev.haskellPackages.override
(old: {

BIN
secrets/chonk_drone_exec_runner_config.age Normal file
View file

Binary file not shown.

13
secrets/chonk_invidious_db_password.age Normal file
View file

@ -0,0 +1,13 @@
age-encryption.org/v1
-> ssh-ed25519 hPyiJw BzbEPs8LDz17/aVKQoDoRaTdQmKw8MKb4oqKvBFGuAM
/zMIU+KoMrQ6ouI4vK/YyvEtzZ7ut8c9BJH8YTYldac
-> ssh-ed25519 YFSOsg CUwGu/W2wYrVNLHlGETFtsVhchDZUXfEi9JYZ88VkBU
ZD3lYlRTgk2g/L5Hy+Fcs1fLh3gKDdhRhWn0Gc4JP/A
-> ssh-ed25519 iHV63A mZ2DkCasSr/s3S6RXjf8QLi5P4UXOzQqqPNkLUkh4VU
E/eXCLd9cZt+i9Bg7iEh8LbWFn0rsTtzqDB9kaFtVUg
-> ssh-ed25519 Oya/Zw kD7aVVY0BrrNbDyoHa/7/8bUF8W74mYFPgHe/CVMpxg
jytr3knsUz9aaGf421m6mN9QgU4Tt3UykTEt8T8mNVg
-> p'c-grease J
vWgF1GduUf9hstTzuVdrUC6ytMofGgYE8nglE/mUTa+a69SDKrn/
--- kKHfCTImeN1RY9HxI2fWeJTec47FBwwr2gQB13sYdrw
Jýéø) Ù: †Ó½бèW—¡"~»cgRÔ _ù¥@­wD‰Ì+ûjÁ'D¤Í3ÐýaSj2U¶&-5ÁÐÑ

23
secrets/chonk_invoiceplane_db_password.age Normal file
View file

@ -0,0 +1,23 @@
age-encryption.org/v1
-> ssh-ed25519 hPyiJw yDJ66eI1Mp9+UoFYkd4ur3aaUBAALqveNM5FK1cpSx0
r7eXodJ94kzvLq2oRIk7aPZtArJ1xm37FShQwr1BBSA
-> ssh-ed25519 YFSOsg Sef4VkHt4bMmPsUPJLXOB7nOgPO0pDcV+6MHvBItOG8
MDyOFqyzDJ6MMxkgFqkxYQl25a7cXOn9iCu2sbONhBs
-> ssh-rsa 42S2Dw
Y3yN6FJOz5eDG7gRDLZJiujOaGJ/fm5lPNHvSVl7T5DYmiHedJ5F7on6CztMDuvv
LNrWXTO7Jy/LBPLZ516SG+o752sTfby1xpDAgo0pKejSs/o7XmccMDvwzdVAsPkt
Dk7ou4Fba0D9MnIeIwnhZolKxVPyFeUBfoPNkvDLtQeb48lqJ2N+bgVzjHQEKpL5
1Hx/v4x9jUKTj/cK7eds5j3tzitLNpaxkm20LcVpWlLLGZkAmYijwXPphaY0EXJY
qw0Z1OSJd6WnLUo0ozGtoYGiqxnP42duL31ajI7HiNfMMJqWER7WJaB2h4pA9eTO
1HCHP/C+rNCeWHtjXr8b0Q
-> ssh-ed25519 iHV63A cpEqVauWzNmXoGgNcdV438BLDyWh+pQBCXVOEg98x1o
fFmcIWj3kv3ZdhFTMjaxxYIw0/9rO+HKTnTq3pbSz58
-> ssh-ed25519 uTVbSg NODGHdge8Dp8fz1wvBRXJF+syIdZmvX/AL3I2u+tkwE
foU59bLRz6NOvaZZA/bYU/eQ97/z+ONINGVB30yk6vI
-> ssh-ed25519 Oya/Zw huI2DM77Xa7yPaUg0hnLZmsXOLvgOJALO+ixfmpfwF0
vOcIEA+mfsferBNqnM/XdaoDDtDS+fJu4gPHMHuIenc
-> l-grease T= 30lLW1F G
dHaeEO9LZVIC+26ZVLfGP0thkSDKwwqzM9OdH4Yj2ixuSxdGHKg8eYUmkc4aUmr4
Qa3y5GzKf8nQkfSJceG8/FsQrcm1OvjhePi99yE
--- DugQPlVCIYj1uGYP1Bta+9P7HdN9Ej4di5AjQWK0CKg
éÿ õÑ4QW„ó <59>í­œµóϹ.^æ°Ÿ(tÆÒ3w="пy4/3xÙàÀŠQáŒÆÏ•Q …"X:R-å U­˜å £)«œ

23
secrets/chonk_nextcloud_admin_pass.age Normal file
View file

@ -0,0 +1,23 @@
age-encryption.org/v1
-> ssh-ed25519 hPyiJw Zv5YkeU/1DPR0tuZ+dkI76xF473aFaLltqfO5ZfvFy0
xoWSTmpQSc84tskFAv2XfKkD2gzunCH6XSttO5dVCQM
-> ssh-ed25519 YFSOsg datPvOnMKeP6zH7ThhAeK9k0uyKIulbgY5CAoAsu+w0
0YjqwWWpkYHqT7XEAfPKynQFgjRHfdg1eNVECEJeXMA
-> ssh-rsa 42S2Dw
Waw5Z5JSx5ZpSrqptOjFDlXPiZIFY+YeT5vZBwvSY4eRNIOsvALR+53zKuDkIHEl
TZ1CsgOU1DLuONSS0mP0Oa+eQImVR4NuDaxvfLNqTiLKwYEeBs6DwSL77xwMLtw/
wQL1MWMIcFTtExA/ul3rX3Y4B1TS7t50nvhgohFu5WTeNtXkIdgmbJ3CyflhqamN
L/Kxxn+/92scpIItKu5kgPJEO2MpX2GiwjokD6uY+3kxbS1HGXUJAc3COOwWMgEs
1BwQk/SKt8URcxGiugoagQ6M0zFqZRgGNkqh2uCsjaaT5we0lUuhYlL1gIMbe/FG
CR85WlwoEhzKvnnfgdYLFA
-> ssh-ed25519 iHV63A OqkSBucVJtboalsYV3/heEz1ZkSIADNDLEarRPWgklc
76HOz0Vi1oGwSZCBA3bOSNn7auAnmPE7uHVedVjxGTM
-> ssh-ed25519 uTVbSg +X8ylXfSx+Yg14KORdcPSTr1FvDaTMeb62MjQ/gqA2k
r7M9BL070ijThnFLczko29G5P0ikwRW+6VJ8JYhHevs
-> ssh-ed25519 Oya/Zw wXPvHIhPEqbKPme+OLfrJdxIVAghA0LGTGWwOr2yoys
FsriMbp2jb40ZyxapHratwoA/C7dk8nNhvaFU0YAfpM
-> =HAZ-grease 6e?x*"~
y4DPqeGgLo+PJv/Nja0AMPZ2g31nIqbXwKt3g1I8xHu4rwkM9G/c
--- O3v2CaEy4phy18h9152SkVV6qQhdz/aWJQ9bVI9YHHY
<EFBFBD>$邀孻f @ #}▂&rゲy砲𡟻3癦ロ<E799A6>鏴U蒀𧡰s唚<73>f鱣[缸N利紊T#h
b<EFBFBD>鵜攤𪊓iR<>犟e!z<>

22
secrets/chonk_nextcloud_db_pass.age Normal file
View file

@ -0,0 +1,22 @@
age-encryption.org/v1
-> ssh-ed25519 hPyiJw 7kU8OQWy/jGDRUq1hkGl9cNldEgWvk4oG3O2DMw0qGI
XlIzPLT0Gh2/bse6ch4TemO+uzIK4oqyFwDDa7ylXuA
-> ssh-ed25519 YFSOsg dWvGDRO+/3dT7qN04Ykuh4u4aVZSkNAZQl2bbCE0jkg
5QxL1xUjv1OHCJR/+rxw055lIKngtDvarTg7wOaiqu4
-> ssh-rsa 42S2Dw
V9Zo+91MGptezt9ZGX7aGd4sGsoFmBV9k4gbImTXz2CGOXuHUbzFv73j/ikpvXU6
NpCU8nYgBuM8E3GTxrorCFIlBgGpjQI28PrbD7Y8b7nqn585Zqn7S+E5DFln0Zd5
phKfY4NdWypRW4xjuHVjDO8I2uiVd8qD7rhYbE6c611hySudPmrY7k2m41Qz7D2O
j97ATtt2FNFk5MpsNjSKk0w5QeKIVqDTIXTlewRi4eFf3TdLI5vzpBwIELStf/XU
sBmEzqX3EEBvrB41brSPPwQJ7mJ7MaRzjNXmtgytEwirgnI9TA2dv4/xc5zksJgF
zg1F+rlyRC2TOWDNi8Om5g
-> ssh-ed25519 iHV63A IVXUYIxX37FZw+Vn7ZmLc14du4M6120vS+XAY+amx3Q
G9J8NhNx3bwLF1vCWuq1fWQq9//r1IxoXPdJfjg5oQQ
-> ssh-ed25519 uTVbSg v7e3YZQJqK0SZ/F/YSrMPOX8hwAt1+UNf+1YDlzkMSI
1kqIoiR7Oojue2JFHYJB7+piw1j/9U86Thy+eYqphPQ
-> ssh-ed25519 Oya/Zw /EUf0yv0UBi0wPFEl48IK7dJ7m2Z+Y+6EpYqoP75Kx8
dDDQ+dZhrujnyo2Z40cwisFMpwC+4TsaBTGH7ofn8qU
-> Gg'26s6y-grease 8c
X06Ld3joZpAZby/RIFlRb9gqVT4grrQXQInV/g
--- FVcdFxUlZ7vydcDrU7jzFjipxKygYL8t/aDHNC/TN7w
gOAóìiœ§nùûW<C3BB>¹÷¿xŠT“¾UÍ3ü¯"Âxo<78>`“?Õáf<C3A1>:¡iÚMrúÒ̓¦m™

BIN
secrets/chonk_nix_builder_private_key.age Normal file
View file

Binary file not shown.

BIN
secrets/chonk_restic_nextcloud_password.age Normal file
View file

Binary file not shown.

23
secrets/chonk_restic_repository_password.age Normal file
View file

@ -0,0 +1,23 @@
age-encryption.org/v1
-> ssh-ed25519 hPyiJw x2nB3+kHq5bhYL4Gmu7mcLx8jW8ywUEEkInvVkmH5m8
cMDnbfUtv4AUTlsBh39xeVFyn8jndfd/XxPU01Re1FU
-> ssh-ed25519 YFSOsg rSr6F981RuhKipasm4xcFTqORbkyCxiId/UvtBy8SW0
763z8aYG61IYtSfaKBUuQfe7s6SsfujvQF8qx+ALqVY
-> ssh-rsa 42S2Dw
M78y3Q2hLhSGwWe+sVixdgdkL/NPRp3yVdmsLSJ7dkU/JlIikTJ1Idzp2WR9VbZ9
PyIrBLSVmYlx5SI9ksLfeQZyFoocP7/yKOAdHh7HMvXjpkakN6ZBa4dHELPxLMy0
x7DQX09Q1h6xTfyghYoIyk29sOHHpT66WaTAPz/cHciJst2TAojJU1qfdJ/ZPU0T
9tq/iOaAhGSdFkFVjhETDwS1lYxKnzxYaMKQeoRBcCdWTVGrbSJLVUMH4pFT1iIv
I8auITrGbSZdm1tJAc8aiBIDI1r5lHz1ozrkamazI9dn+5iF5qWIj+9MVtg0l06X
In7knX1skVcG2x2USjdZgw
-> ssh-ed25519 iHV63A SP+EEU7gJi6o2xnzlsJO2RBplyNWjIMrOYOWweBtKQU
Q/9+4yyRRndmPKjx8up5lijZhICDamxrBAUZtbzteB0
-> ssh-ed25519 uTVbSg v4RUldxeE2I7Sw1ASpkfcBLiv9b8yJMUOmeydaqa4hk
OreiiziBBpTCKM/D/4eI181AvRD9mwjTUULGeatKUgo
-> ssh-ed25519 Oya/Zw 51sjyVTCtYbG4e4pROOjg7Cr4lX8LGXdGtf+8drR9y8
Hc6H9PPDJGAmwgO/qOjbt2W2KNXEGlqlbcExmsZQNAE
-> <O-grease lr/]6 OsFzy7 E@<zV R
LhERj36DtC7MwfGTT1Z85I42SCUnJMdl6oToreQSERKbBa5SpTuUo5baqRqM7MdW
JQjLt5MZ0dna
--- SUtdBUH80GU2DjGWmvigOpbRWYkki1VdZi8NkMXFTcE
ê|9µ¼µ÷´a<C2B4>ÒÒUÒšÀˆšÄã>õ–÷9<C3B7>.Q¨ÈßÑÞ¢©¨zD6ÈAf„-Ååz“SSÝf¥t<C2A5>“Íc\Ón.ÿhÿN[``çõ

BIN
secrets/chonk_restic_ssh_private_key.age Normal file
View file

Binary file not shown.

21
secrets/chonk_wireguard_key.age Normal file
View file

@ -0,0 +1,21 @@
age-encryption.org/v1
-> ssh-ed25519 hPyiJw YN25mqloDpfTK9BHraZeaX4wlMNyGmuaB9ikhc1qPx0
MBblsaQ14v/aUrt9BT7Sdef5t7zLXujlNBbKOoKRNvQ
-> ssh-ed25519 YFSOsg GPhY1N8XFr0vxYcho63L/tF1QFuE6vlxGpf+fEUaDn0
jCVovM/dwU839i3Ry7hjvdJcAKcjAshZE00zfxmSc/c
-> ssh-rsa 42S2Dw
khLfcbecRWa0gNw1vCfP8FIbYll+uNrGEysaPHzEtk6hYzOrPw5BOct9PGG32M63
USRC5onMkkZXH3RJjAze+JOaNIQML3l5Wx6LNfAiKE7MBtrbEFw9WpPb3yA3vBtF
/h/ngNIjMTryltOq4ovXTDif6bC2CBcBi4zfThqGaBmIk+hqZHAPZIEaQAH5i6JM
Sic+Y0VTUbNDsz9qvE6RFfs4plGAoRG1RDFBTwdYhReXf/7/ISSQE1sm0r8rY7wk
rFp3AGyQQaAJqa2RlA4LeI9z+0okmXrA9e4Q0VezQPN65Ru2qGFKUGg6dgA0czmM
3rIX9HbzV9vlgmjtXhf6Aw
-> ssh-ed25519 iHV63A CJ6pAaBDuZtsVnBHYvlbhwkTSQmHLVNksADDRW1j/A4
/Vww88tZwVUWwWg8gqdXhKI5vVggGUxgbgeMUkqQagI
-> ssh-ed25519 Oya/Zw ExTtW9P8FWD9s0o3GBycwN16McaP0LVbJuD9cLUejgs
G2BJ8FGHPSqB8/ks5hrGKVDQ0GcaEcS3CK3b7AzB7mI
-> C-grease \T$\ Fn4_2KJ E 2Ju.&t'
jBuy2c0fpq3ibHy3LJOj6xmga+6C9z2WwvSTBTs/lyEXDNgFG9sgEDmjPayMJhAN
JTHQmBJyJ9ae2dMZqhfEPXrcZynNR/F8gd8TyWodXWZhvw
--- FH53Gij4AICM76S4DTZkI1BwEVohhnw/Qnanc4BphE4
ňŠÐߌÜB7 #pB†pþ¡§¡X˜O7ê_c<>6Àû<C380>IÜÞͪƹEìoâ·Ï¸¤/Þ<>ÛM˜µÚ<>JÉ(;ÖÅìU‡ä 6

BIN
secrets/cox_backup_restic_htpasswd.age Normal file
View file

Binary file not shown.

22
secrets/cube_restic_nextcloud_password.age Normal file
View file

@ -0,0 +1,22 @@
age-encryption.org/v1
-> ssh-ed25519 hPyiJw zqUMfOd04sohMIlfrNdHj9XJPh+1AiZDSG82rALFEn0
AjULNhyeKzMJYzas/Ck5te047CGGkoTGWrl4Zf+fK/g
-> ssh-ed25519 YFSOsg Wf12fsV6ddeCYGrJG/IEc/pm3qltWroW9+xgUvBNhBg
FB6dw6npV16JNMcmhLOh2CrV+Ytxym1Q3X6fi8mXPh4
-> ssh-rsa 42S2Dw
QSORqDFOuGhFBNjCjF1u43tfgAp9okVheVWdY851j4b3JAtX8nsygwEpx0ntNZIk
pYIH7/QreainFDB0WM+sj8too/96YOmrjqf6k1strpP12pI75ArCcQq27XJWk0oD
cIaiAgtzmO8jk1YQTKUDUxvaEv6tX1Lb3r+j3MfHuR6nX4Zx0C6YdmUBFT4t9/9C
DLh990iFG6/wHO+1HSiknGf5V4eUChMfpyh9FgXkOVAQC7JprKgfePbyh2TY9usj
ViRmP6kT8jV7EvqpnsXRuMB3MC0yzrX92OGC1QKArTdj9sNgPduawamposGYiwNm
HAYgbfRbzgcRl/tN8MNSfg
-> ssh-ed25519 iHV63A w9EB0URrVNcTMDhUA+D3z6eDPvaLZihSVpzT8Vr9jHo
ofmrgw+5Jaf1wWXTzBDeijQwY59I/tHfU1fmrZCUTyo
-> ssh-ed25519 uTVbSg qH1A4EHjDjauEa0ideqeWvSwP6ADmziNZOnXnEnrYyg
y7MfmMtWlIGWl/HLyUQVQgJUxzvDKez0WXD6VGq4TfM
-> w>S%-grease nxLQF J+B{F F+"3V
wAF9N9WZyJAygP6EoouxvH9CG0EIIgXBNcnToP73VNNTaPxWOWRyL4rP7yZ9jSyR
JRaZzh9xwASjiqG2GAStcHormaz1JMVy
--- 8QzYdkT1uITqWc6bhvOvDxygLgaiVwWZrgWKOTF0pKc
LæÉGAÖxIó³i¾Š˜¢ŠêÌ+Jg-“p±Dfy¾ü­<C3BC>ø[÷1xÅä ùï©<C2A9>Bqn'¾DkèO<´*n£ØÉ?u[o•Ð.µ&$”9|Øe
â‘+õEíŠ :ô8ÃZg­Ø׉E(]ˆõ~å»

BIN
secrets/email_gssws_password.age
View file

Binary file not shown.

25
secrets/secrets.nix
View file

@ -3,14 +3,14 @@ let
user_hensoko_nitrokey_1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/58A18EtxnLYHu63c/+AyTSkJQSso/VVdHUFGp1CTk cardno:FFFE34353135";
user_hensoko_harrison = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb hensoko@harrison";
user_hensoko_norman_1 = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+euxPp6bHXw61UeUqTGHH8Ub2L+Sy1iteupv/AGudgoVNp2GebqJy1cxQ74mgnL8eWMlaA9jZlKQ1xFFhgtolCsoAKTE9AE8X0egvmEM18fEUR3EWWchmX4MXUhUiOtwitkl4+EpSsp5rh/kIxcpQFz1dpBibroq6jDLKlrVou+2LppR8nMfFT2sqg3694Ltxz4CWMdAfitLax05ckKMAnzz+TgpXK5OyfQSBvl18Qu1SWITYa6AVNXQ7/ovWBDIUfg25GWouzWqkSUpLdCVIcXPe2X7g6X1QsHXnnhaMAhvYH54GZ4wU2kBwIJ6KvplfZdbJ09KAltPVt08evafb hendriksokolowski@hsokolowski-pc";
user_hensoko_norman_2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work";
user_hensoko_norman = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work";
system_giggles = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILwogNjatRZlft4qUFDFKg73kiYB1HNZZ0xGUwfyfTzP root@nixos";
system_cox = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMINORCNhrxSdo2z70GkKrV8vcge2elgNPYzdRve+hI5 root@nixos";
system_companion = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJu4u9Q36B8acRdBJi2RYU5pYpIMeCh+HKmtInR+IKQs root@nixos";
system_cube = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5ok5tIuDKYpIw3KVmUnqBSDJ1QriWQJ04IVLF1Kaig root@nixos";
system_chonk = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICt8I4z42DXGL3d6eju3WzSEnJMeaWPn3y+f/82oYBzy root@nixos";
system_ringo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5g8CfSiMxboEJT2U92JoYdnv0nsArBPW/vfTEsUWZO root@nixos";
system_harrison = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMGsY9APkK11hlcqKXER+iqaJZ/x5HNacQ8FXfLe2SA4 root@nixos";
@ -18,27 +18,38 @@ let
system_surfplace = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOAmim1CFeTPPDz/34sDYhF773NquhbqIS6v4mWM4qSd root@nixos";
users = [ user_hensoko_nitrokey_1 user_hensoko_harrison user_hensoko_norman_1 user_hensoko_norman_2 ];
users = [user_hensoko_nitrokey_1 user_hensoko_harrison user_hensoko_norman];
systems_email_accounts = [system_harrison system_norman system_surfplace];
systems_home_controller = [system_giggles system_cox system_companion system_cube system_ringo];
allKeys = users ++ systems_home_controller;
in
{
in {
"email_gssws_password.age".publicKeys = users ++ systems_email_accounts;
"home_controller_giggles_wireguard_key.age".publicKeys = users ++ [system_giggles];
"home_controller_cox_wireguard_key.age".publicKeys = users ++ [system_cox];
"home_controller_companion_wireguard_key.age".publicKeys = users ++ [system_companion];
"cox_backup_restic_htpasswd.age".publicKeys = users ++ [system_cox];
"home_controller_cube_wireguard_key.age".publicKeys = users ++ [system_cube];
"cube_nextcloud_admin_pass.age".publicKeys = users ++ [system_cube];
"cube_nextcloud_db_pass.age".publicKeys = users ++ [system_cube];
"cube_restic_ssh_private_key.age".publicKeys = users ++ [system_cube];
"cube_restic_repository_password.age".publicKeys = users ++ [system_cube];
"cube_drone_exec_runner_config.age".publicKeys = users ++ [system_cube];
"cube_invoiceplane_db_password.age".publicKeys = users ++ [system_cube];
"cube_restic_nextcloud_password.age".publicKeys = users ++ [system_cube];
"chonk_wireguard_key.age".publicKeys = users ++ [system_chonk];
"chonk_nextcloud_admin_pass.age".publicKeys = users ++ [system_chonk];
"chonk_nextcloud_db_pass.age".publicKeys = users ++ [system_chonk];
"chonk_restic_ssh_private_key.age".publicKeys = users ++ [system_chonk];
"chonk_restic_repository_password.age".publicKeys = users ++ [system_chonk];
"chonk_drone_exec_runner_config.age".publicKeys = users ++ [system_chonk];
"chonk_invoiceplane_db_password.age".publicKeys = users ++ [system_chonk];
"chonk_restic_nextcloud_password.age".publicKeys = users ++ [system_chonk];
"chonk_nix_builder_private_key.age".publicKeys = users ++ [system_chonk];
"chonk_invidious_db_password.age".publicKeys = users ++ [system_chonk];
"home_controller_ringo_wireguard_key.age".publicKeys = users ++ [system_ringo];

21
users/hensoko/ssh.nix
View file

@ -1,13 +1,22 @@
{ config, pkgs, lib, self, ... }:
with lib;
let
psCfg = config.pub-solar;
in
{
config,
pkgs,
lib,
self,
...
}:
with lib; let
psCfg = config.pub-solar;
in {
home-manager = pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
programs.ssh = {
enable = true;
matchBlocks = {
"builder" = {
hostname = "data.gssws.de";
user = "builder";
port = 2222;
};
"hsha" = {
hostname = "192.168.42.5";
user = "root";
@ -30,7 +39,7 @@ in
"companion" = {
user = "iot";
};
"cube" = {
"chonk" = {
hostname = "80.244.242.2";
user = "iot";
port = 2222;