This commit is contained in:
Hendrik Sokolowski 2023-02-25 14:45:21 +01:00
parent f4b49fdcde
commit 4a6a9f11e4
52 changed files with 1631 additions and 358 deletions


@ -2,16 +2,19 @@
"nodes": {
"agenix": {
"inputs": {
"darwin": [
"darwin"
],
"nixpkgs": [
"nixos"
]
},
"locked": {
"lastModified": 1673301561,
"narHash": "sha256-gRUWHbBAtMuPDJQXotoI8u6+3DGBIUZHkyQWpIv7WpM=",
"lastModified": 1677247280,
"narHash": "sha256-sa+8MtoAOSLsWP9vf0qiJUyMovIEYgDzHE8TkoK04Hk=",
"owner": "ryantm",
"repo": "agenix",
"rev": "42d371d861a227149dc9a7e03350c9ab8b8ddd68",
"rev": "833f87c8ff574a29aea3e091045cbaed3cf86bc1",
"type": "github"
},
"original": {
@ -73,11 +76,11 @@
]
},
"locked": {
"lastModified": 1655976588,
"narHash": "sha256-VreHyH6ITkf/1EX/8h15UqhddJnUleb0HgbC3gMkAEQ=",
"lastModified": 1671489820,
"narHash": "sha256-qoei5HDJ8psd1YUPD7DhbHdhLIT9L2nadscp4Qk37uk=",
"owner": "numtide",
"repo": "devshell",
"rev": "899ca4629020592a13a46783587f6e674179d1db",
"rev": "5aa3a8039c68b4bf869327446590f4cdf90bb634",
"type": "github"
},
"original": {
@ -126,6 +129,22 @@
"type": "github"
}
},
"factorio-pr": {
"locked": {
"lastModified": 1676729025,
"narHash": "sha256-342GXq1CGPbztLGJcSlbdRbglXlCWMYykeYg/d5Nvyk=",
"owner": "werner291",
"repo": "nixpkgs",
"rev": "e37b8db403154b3c421c6bc21afd725a5ad2df3e",
"type": "github"
},
"original": {
"owner": "werner291",
"ref": "master",
"repo": "nixpkgs",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
@ -202,11 +221,11 @@
"utils": "utils_2"
},
"locked": {
"lastModified": 1674440933,
"narHash": "sha256-CASRcD/rK3fn5vUCti3jzry7zi0GsqRsBohNq9wPgLs=",
"lastModified": 1676257154,
"narHash": "sha256-eW3jymNLpdxS5fkp9NWKyNtgL0Gqtgg1vCTofKXDF1g=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "65c47ced082e3353113614f77b1bc18822dc731f",
"rev": "2cb27c79117a2a75ff3416c3199a2dc57af6a527",
"type": "github"
},
"original": {
@ -218,11 +237,11 @@
},
"latest": {
"locked": {
"lastModified": 1674641431,
"narHash": "sha256-qfo19qVZBP4qn5M5gXc/h1MDgAtPA5VxJm9s8RUAkVk=",
"lastModified": 1677063315,
"narHash": "sha256-qiB4ajTeAOVnVSAwCNEEkoybrAlA+cpeiBxLobHndE8=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "9b97ad7b4330aacda9b2343396eb3df8a853b4fc",
"rev": "988cc958c57ce4350ec248d2d53087777f9e1949",
"type": "github"
},
"original": {
@ -239,11 +258,11 @@
]
},
"locked": {
"lastModified": 1673395322,
"narHash": "sha256-Xwaoz3+/+kCu8Przi1W3MWdQcOQ9wLVrr8nfBN6L6wA=",
"lastModified": 1676707513,
"narHash": "sha256-Cr8f0zUpjb9T+aiClDFpJKVqfKKa6S/fbxPcSTX8UHI=",
"owner": "musnix",
"repo": "musnix",
"rev": "46d6e6435edcfa2a4adcfdd95d576979b710f4cb",
"rev": "2289b7c353e56ee18270fb6b43965036942b2d0f",
"type": "github"
},
"original": {
@ -269,11 +288,11 @@
},
"nixos": {
"locked": {
"lastModified": 1674781052,
"narHash": "sha256-nseKFXRvmZ+BDAeWQtsiad+5MnvI/M2Ak9iAWzooWBw=",
"lastModified": 1677075010,
"narHash": "sha256-X+UmR1AkdR//lPVcShmLy8p1n857IGf7y+cyCArp8bU=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "cc4bb87f5457ba06af9ae57ee4328a49ce674b1b",
"rev": "c95bf18beba4290af25c60cbaaceea1110d0f727",
"type": "github"
},
"original": {
@ -289,11 +308,11 @@
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1674666581,
"narHash": "sha256-KNI2s/xrL7WOYaPJAWKBtb7cCH3335rLfsL+B+ssuGY=",
"lastModified": 1676297861,
"narHash": "sha256-YECUmK34xzg0IERpnbCnaO6z6YgfecJlstMWX7dqOZ8=",
"owner": "nix-community",
"repo": "nixos-generators",
"rev": "6a5dc1d3d557ea7b5c19b15ff91955124d0400fa",
"rev": "1e0a05219f2a557d4622bc38f542abb360518795",
"type": "github"
},
"original": {
@ -304,11 +323,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1674550793,
"narHash": "sha256-ljJlIFQZwtBbzWqWTmmw2O5BFmQf1A/DspwMOQtGXHk=",
"lastModified": 1677232326,
"narHash": "sha256-rAk2/80kLvA3yIMmSV86T1B4kNvwCFMSQ1FxXndaUB0=",
"owner": "nixos",
"repo": "nixos-hardware",
"rev": "b7ac0a56029e4f9e6743b9993037a5aaafd57103",
"rev": "2d44015779cced4eec9df5b8dab238b9f6312cb2",
"type": "github"
},
"original": {
@ -340,7 +359,7 @@
"locked": {
"lastModified": 1666884246,
"narHash": "sha256-nSiYCIlMiYodY7GPCFPMF6YHVS2RM/XQZwn2Zrhu2eU=",
"ref": "master",
"ref": "refs/heads/master",
"rev": "f1863fb8e3866c1559ca885e1b319ea82baecdbb",
"revCount": 23,
"type": "git",
@ -353,11 +372,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1674641431,
"narHash": "sha256-qfo19qVZBP4qn5M5gXc/h1MDgAtPA5VxJm9s8RUAkVk=",
"lastModified": 1672791794,
"narHash": "sha256-mqGPpGmwap0Wfsf3o2b6qHJW1w2kk/I6cGCGIU+3t6o=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "9b97ad7b4330aacda9b2343396eb3df8a853b4fc",
"rev": "9813adc7f7c0edd738c6bdd8431439688bb0cb3d",
"type": "github"
},
"original": {
@ -401,6 +420,7 @@
"darwin": "darwin",
"deploy": "deploy",
"digga": "digga",
"factorio-pr": "factorio-pr",
"flake-compat": "flake-compat",
"home": "home",
"latest": "latest",

flake.nix

@ -42,6 +42,8 @@
musnix.inputs.nixpkgs.follows = "nixos";
nixpkgs-hensoko.url = "git+https://git.b12f.io/hensoko/nixpkgs";
factorio-pr.url = "github:werner291/nixpkgs/master";
};
outputs = {
@ -78,6 +80,7 @@
];
};
latest = {};
factorio-pr = {};
fork = {};
};
@ -131,28 +134,32 @@
companion = {
system = "aarch64-linux";
};
cox = {
system = "aarch64-linux";
};
falcone = {
system = "aarch64-linux";
};
giggles = {
system = "aarch64-linux";
};
modules = [nixos-hardware.nixosModules.raspberry-pi-4];
};
cox = {
system = "aarch64-linux";
modules = [nixos-hardware.nixosModules.raspberry-pi-4];
};
falcone = {
system = "aarch64-linux";
modules = [nixos-hardware.nixosModules.raspberry-pi-4];
};
giggles = {
system = "aarch64-linux";
modules = [nixos-hardware.nixosModules.raspberry-pi-4];
};
norman = { };
norman = {};
harrison = {
modules = [
musnix.nixosModules.musnix
];
};
harrison = {
modules = [
musnix.nixosModules.musnix
];
};
surfplace = {
modules = [ nixos-hardware.nixosModules.microsoft-surface-pro-intel ];
};
surfplace = {
modules = [nixos-hardware.nixosModules.microsoft-surface-pro-intel];
};
};
importables = rec {
profiles =
@ -161,12 +168,12 @@
users = digga.lib.rakeLeaves ./users;
};
suites = with profiles; rec {
base = [ users.pub-solar users.root ];
iso = base ++ [ base-user graphical pub-solar-iso ];
pubsolaros = [ base-user users.root ];
anonymous = [ pubsolaros users.pub-solar ];
hensoko = pubsolaros ++ [ users.hensoko ];
hensoko-iot = [ server base-user users.root users.iot ];
base = [users.pub-solar users.root];
iso = base ++ [base-user graphical pub-solar-iso];
pubsolaros = [base-user users.root];
anonymous = [pubsolaros users.pub-solar];
hensoko = pubsolaros ++ [users.hensoko];
hensoko-iot = [server base-user users.root users.iot];
# server
cube = hensoko-iot;
@ -183,63 +190,45 @@
redpanda = hensoko;
# home pc
harrison = hensoko ++ [ daw gaming graphical non-free social work ];
harrison = hensoko ++ [daw gaming graphical non-free social work];
# work laptop
norman = hensoko ++ [ graphical non-free social virtualisation work ];
norman = hensoko ++ [graphical non-free social virtualisation work gaming];
# cm4
falcone = hensoko-iot;
# surface
surfplace = hensoko ++ [ graphical non-free social ];
surfplace = hensoko ++ [graphical non-free social];
# chonk
chonk = hensoko-iot;
};
};
};
home = {
imports = [ (digga.lib.importExportableModules ./users/modules) ];
modules = [ ];
importables = rec {
profiles = digga.lib.rakeLeaves ./users/profiles;
suites = with profiles; rec {
base = [ direnv git ];
};
};
users = {
pub-solar = { suites, ... }: { imports = suites.base; };
hensoko = { suites, ... }: { imports = suites.base; };
iot = { suites, ... }: { imports = suites.base; };
}; # digga.lib.importers.rakeLeaves ./users/hm;
};
devshell = ./shell;
homeConfigurations = digga.lib.mkHomeConfigurations self.nixosConfigurations;
deploy.nodes = digga.lib.mkDeployNodes self.nixosConfigurations {
redpanda = {
hostname = "192.168.42.71:22";
sshUser = "hensoko";
fastConnect = true;
profilesOrder = [ "system" "direnv" ];
profiles.direnv = {
user = "hensoko";
path = deploy.lib.x86_64-linux.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.hensoko;
};
};
companion = { sshUser = "iot"; };
cox = { sshUser = "iot"; };
giggles = { sshUser = "iot"; };
ringo = { };
cube = {
sshUser = "iot";
home = {
imports = [(digga.lib.importExportableModules ./users/modules)];
modules = [];
importables = rec {
profiles = digga.lib.rakeLeaves ./users/profiles;
suites = with profiles; rec {
base = [direnv git];
};
};
users = {
pub-solar = {suites, ...}: { imports = suites.base; home.stateVersion = "21.03"; };
hensoko = {suites, ...}: { imports = suites.base; home.stateVersion = "21.03"; };
iot = {suites, ...}: { imports = suites.base; home.stateVersion = "21.03"; };
pub-solar = {suites, ...}: {
imports = suites.base;
home.stateVersion = "22.05";
};
hensoko = {suites, ...}: {
imports = suites.base;
home.stateVersion = "22.05";
};
iot = {suites, ...}: {
imports = suites.base;
home.stateVersion = "22.05";
};
}; # digga.lib.importers.rakeLeaves ./users/hm;
};
@ -262,12 +251,33 @@
hostname = "192.168.42.71:22";
sshUser = "hensoko";
fastConnect = true;
profilesOrder = [ "system" "direnv" ];
profilesOrder = ["system" "direnv"];
profiles.direnv = {
user = "hensoko";
path = deploy.lib.x86_64-linux.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.hensoko;
};
};
companion = {sshUser = "iot";};
cox = {sshUser = "iot";};
giggles = {sshUser = "iot";};
ringo = {};
cube = {sshUser = "iot";};
chonk = {sshUser = "iot";};
};
users = {
pub-solar = {suites, ...}: {
imports = suites.base;
home.stateVersion = "21.03";
};
hensoko = {suites, ...}: {
imports = suites.base;
home.stateVersion = "21.03";
};
iot = {suites, ...}: {
imports = suites.base;
home.stateVersion = "21.03";
};
}; # digga.lib.importers.rakeLeaves ./users/hm;
};
}
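Review bot: `factorio-pr.url = "github:werner291/nixpkgs/master"` in the first hunk tracks a moving branch of a personal nixpkgs fork, so every `nix flake update` pulls whatever that branch contains into the build of the new `chonk` host. The lock pins a revision today, but the input carries no note of which upstream PR it stands in for or when it can be dropped. Consider pinning the ref to the exact commit the PR needs, e.g. `factorio-pr.url = "github:werner291/nixpkgs/<rev>";` (placeholder) with a comment naming the PR, and removing the input once it lands in `nixos`. The two `users` blocks for the home-manager users in the later hunks show `home.stateVersion` as both "22.05" and "21.03"; which of them is the new side cannot be told from this rendering, so confirm only one value ends up in the file.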

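--- a/hosts/chonk/acme.nix
+++ b/hosts/chonk/acme.nix
@@ -0,0 +1,10 @@
+{
+pkgs,
+config,
+...
+}: {
+security.acme = {
+acceptTerms = true;
+defaults.email = "hensoko@gssws.de";
+};
+}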

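--- a/hosts/chonk/backup.nix
+++ b/hosts/chonk/backup.nix
@@ -0,0 +1,37 @@
+{
+config,
+lib,
+self,
+...
+}: {
+age.secrets.restic_repository_password.file = "${self}/secrets/chonk_restic_repository_password.age";
+age.secrets.restic_nextcloud_password.file = "${self}/secrets/chonk_restic_nextcloud_password.age";
+programs.ssh.extraConfig = ''
+Host backup
+HostName 10.0.1.12
+Port 32222
+User backup
+IdentityFile /run/agenix/restic_ssh_private_key
+'';
+services.postgresqlBackup = {
+enable = true;
+backupAll = true;
+compression = "zstd";
+};
+services.restic.backups = {
+cox = {
+passwordFile = "/run/agenix/restic_repository_password";
+paths = [
+"/mnt/internal/nextcloud"
+"/var/backup/postgresql"
+];
+repositoryFile = "/run/agenix/restic_nextcloud_password";
+timerConfig = {
+OnCalendar = "02:00";
+};
+};
+};
+}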
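Review bot: `repositoryFile = "/run/agenix/restic_nextcloud_password"` at the bottom of the hunk points restic's repository location at a secret that is declared and named as a password (`age.secrets.restic_nextcloud_password`), which is at best confusing and at worst the wrong file. If that secret really holds the repository URL, rename it (e.g. `restic_nextcloud_repository`) so the two `/run/agenix/*` files cannot be mixed up; if it does not, `repositoryFile` needs its own secret. The ssh stanza references `/run/agenix/restic_ssh_private_key`, but no `age.secrets.restic_ssh_private_key` is declared in this file; presumably it lives in another module, which is worth confirming before the timer first fires. Since the backup host is only reached through the `backup` alias, pinning its host key with `programs.ssh.knownHosts` would keep the first connection from blindly trusting whatever answers at 10.0.1.12:32222.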

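--- a/hosts/chonk/builder.nix
+++ b/hosts/chonk/builder.nix
@@ -0,0 +1,31 @@
+{
+self,
+config,
+pkgs,
+...
+}: let
+psCfg = config.pub-solar;
+in {
+age.secrets.nix-builder-private-key = {
+owner = "builder";
+group = "builder";
+file = "${self}/secrets/chonk_nix_builder_private_key.age";
+};
+programs.ssh.package = pkgs.openssh_hpn;
+nix.settings.trusted-users = ["builder"];
+boot.binfmt.emulatedSystems = ["aarch64-linux"];
+users.groups."builder" = {};
+users.users."builder" = {
+isNormalUser = true;
+group = "builder";
+shell = pkgs.bashInteractive;
+openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN8hTdDTA+LVlHkOm5IBjT32PvAdCxYfUfFFRx+JGeS6 root@norman"];
+};
+nix.settings.secret-key-files = "/run/agenix/nix-builder-private-key";
+}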
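Review bot: `nix.settings.trusted-users = ["builder"]` lets the `builder` account, reachable with the `root@norman` key declared just above it, import unsigned store paths and override daemon settings, which is root-equivalent on this host; a comment stating that this is required for remote builds from norman and that the account is therefore privileged would save the next reader the question. `nix.settings.secret-key-files` is given as a plain string while the other `nix.settings` entries in this file are lists; if the option is list-typed in the pinned nixpkgs, evaluation fails, so `nix.settings.secret-key-files = ["/run/agenix/nix-builder-private-key"];` is the safer spelling either way. `psCfg` is bound in the `let` but never used, and `pkgs.openssh_hpn` swaps the system ssh client for a patched variant without saying why.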

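--- a/hosts/chonk/chonk.nix
+++ b/hosts/chonk/chonk.nix
@@ -0,0 +1,16 @@
+{
+config,
+pkgs,
+lib,
+...
+}:
+with lib;
+with pkgs; let
+psCfg = config.pub-solar;
+in {
+imports = [
+./configuration.nix
+];
+networking.networkmanager.enable = lib.mkForce false;
+}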
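Review bot: `with lib; with pkgs;` at the top of the module brings both attribute sets into scope for a body that uses neither unqualified (`lib.mkForce` is still written out), and `psCfg` in the `let` is unused; dropping both leaves `{lib, ...}: { imports = [ ./configuration.nix ]; networking.networkmanager.enable = lib.mkForce false; }`. A file-wide `with pkgs;` also shadows same-named bindings silently, which is the usual reason to keep it out of module files.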


@ -0,0 +1,41 @@
{
config,
lib,
pkgs,
...
}: {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
./acme.nix
./backup.nix
./drone.nix
./home-assistant.nix
./nextcloud.nix
./wireguard.nix
./builder.nix
./invidious.nix
./factorio.nix
./invoiceplane.nix
#./tang.nix
#./whiteboard.nix
];
boot.loader.systemd-boot.enable = lib.mkForce false;
time.timeZone = "Europe/Berlin";
services.openssh.ports = [2222];
networking.nat.enable = true;
networking.nat.internalIPs = ["10.10.42.0/24"];
networking.nat.externalInterface = "eno1";
networking.firewall.allowedTCPPorts = [80 443 2222];
networking.firewall.allowedUDPPorts = [51899];
networking.firewall.enable = lib.mkForce true;
system.stateVersion = "21.05"; # Did you read the comment?
}
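Review bot: `networking.nat.externalInterface = "eno1"` masquerades the 10.10.42.0/24 container network out of `eno1`, but the hardware configuration added in this commit enslaves `eno1` and `eno2` into `bond0` and places the public address 80.244.242.2 on the bond, so a NAT rule keyed on a bond member will not match the traffic that actually egresses via `bond0`. It should read `networking.nat.externalInterface = "bond0";`. The firewall list exposes 80, 443, the moved sshd port 2222 and UDP 51899 for WireGuard, which agrees with the other modules; note that `services.factorio.openFirewall = true` in factorio.nix opens the game port as well, which is not visible from this list.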

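--- a/hosts/chonk/default.nix
+++ b/hosts/chonk/default.nix
@@ -0,0 +1,7 @@
+{suites, ...}: {
+imports =
+[
+./chonk.nix
+]
+++ suites.chonk;
+}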

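--- a/hosts/chonk/drone.nix
+++ b/hosts/chonk/drone.nix
@@ -0,0 +1,24 @@
+{
+self,
+config,
+pkgs,
+...
+}: {
+age.secrets.drone_exec_runner_config = {
+file = "${self}/secrets/chonk_drone_exec_runner_config.age";
+owner = "999";
+};
+pub-solar.docker-ci-runner = {
+enable = true;
+enableKvm = true;
+nixCacheLocation = "/srv/drone-nix-cache/nix";
+runnerEnvironment = {
+DRONE_RUNNER_CAPACITY = "10";
+DRONE_RUNNER_LABELS = "hosttype:baremetal";
+};
+runnerVarsFile = "/run/agenix/drone_exec_runner_config";
+};
+}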
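Review bot: `owner = "999"` on `age.secrets.drone_exec_runner_config` is a bare numeric UID with nothing saying which user it is (presumably the UID the runner runs as inside the container); a comment such as `# UID of the drone runner inside the container; must match the runner image` would make the choice reviewable and keep someone from "fixing" it to a named host user. If `pub-solar.docker-ci-runner` exposes that UID as an option, referencing it instead of the literal keeps the two from drifting apart.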

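--- a/hosts/chonk/factorio.nix
+++ b/hosts/chonk/factorio.nix
@@ -0,0 +1,24 @@
+{
+self,
+config,
+pkgs,
+fetchurl,
+...
+}: let
+#far-reach = pkgs.factorio-utils.modDrv rec {
+# src = fetchurl {
+# urls = [ "https://dl-mod.factorio.com/download/c48a8fbbe6941453173ae4e8a353976f3d757773/far-reach_1.1.2.zip?secure=0rFEz6-kw9j2JtrOUv3yEw,1677274141" ];
+# sha256 = "";
+# };
+#};
+in {
+services.factorio = {
+enable = true;
+package = pkgs.factorio-headless-experimental;
+openFirewall = true;
+game-name = "pub.solar Factorio";
+game-password = "pub.solar";
+admins = ["hensoko"];
+#mods = [ far-reach ];
+};
+}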
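Review bot: `game-password = "pub.solar"` hands the server password to the NixOS module as a plain option, so it ends up in the world-readable Nix store and in this repository, whereas every other credential in this commit goes through agenix. If the factorio module in the pinned nixpkgs offers a file-based settings option, move the password there; otherwise a comment stating that the password is deliberately public would at least record the decision. The commented-out `far-reach` block carries a signed download URL (`?secure=...`); even expired, tokens of that kind should not be committed, and `sha256 = ""` would not build anyway. `fetchurl` in the module's argument set is not a module argument; it appears unused now, but will fail evaluation the moment the block is uncommented, so use `pkgs.fetchurl` there instead.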


@ -0,0 +1,103 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = ["ehci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"];
boot.initrd.kernelModules = ["raid1"];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
boot.extraModprobeConfig = "options kvm_intel nested=1";
boot.initrd.luks.forceLuksSupportInInitrd = true;
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_03025429121421051300-0:0";
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-uuid/9e13c8ea-96d3-45b1-85f4-d1a61233da6f";
#keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04020116120721075123-0:0-part1";
#fallbackToPassword = true;
#bypassWorkqueues = true;
};
boot.initrd.network = {
enable = true;
ssh = {
enable = true;
port = 22;
authorizedKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work"];
hostKeys = [/etc/secrets/initrd/ssh_host_ed25519_key];
};
postCommands = ''
echo 'cryptsetup-askpass' >> /root/.profile
'';
};
boot.initrd.systemd.enable = true;
boot.initrd.services.swraid = {
enable = true;
mdadmConf = ''
ARRAY /dev/md/0 metadata=1.2 name=data:0 UUID=1156202f:835af09b:2e05e02a:a1869d1c
'';
};
fileSystems."/" = {
device = "/dev/disk/by-label/root";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-label/boot";
fsType = "ext4";
};
fileSystems."/mnt/internal" = {
device = "/dev/disk/by-uuid/3563f624-f8ed-4664-95d0-ca8b9db1c60a";
fsType = "ext4";
};
swapDevices = [
{device = "/dev/disk/by-label/swap";}
];
networking.bonds."bond0" = {
interfaces = ["eno1" "eno2"];
driverOptions = {
miimon = "100";
mode = "balance-xor";
xmit_hash_policy = "layer3+4";
};
};
networking = {
defaultGateway = "80.244.242.1";
nameservers = ["95.129.51.51" "80.244.244.244"];
interfaces."bond0" = {
ipv4.addresses = [
{
address = "80.244.242.2";
prefixLength = 29;
}
];
};
};
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}
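Review bot: `boot.initrd.systemd.enable = true` is combined with `boot.initrd.network.postCommands` echoing `cryptsetup-askpass` into `/root/.profile`; that hook and `cryptsetup-askpass` belong to the scripted initrd, and with the systemd initrd the LUKS prompt is answered through systemd's password agent instead, so the remote-unlock path as written may not work — confirm on a test boot before relying on it to unlock `cryptroot` on 80.244.242.2. The initrd sshd listens on port 22 with its own host key while the installed system uses 2222, which is a sound way to keep the two host keys apart; a comment saying so would stop a later cleanup from "aligning" the ports. The generated-file header says not to modify this file, yet it now carries hand-written initrd, RAID and bonding sections; either drop the header or move those sections into a separate module so the next `nixos-generate-config` run cannot overwrite them.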


@ -0,0 +1,21 @@
{
self,
pkgs,
config,
...
}: {
# HTTP
services.nginx = {
virtualHosts."ha.gssws.de" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://10.0.1.254:8123";
proxyWebsockets = true;
extraConfig =
"proxy_ssl_server_name on;"
+ "proxy_pass_header Authorization;";
};
};
};
}
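Review bot: the two directives in `extraConfig` do not do what their names suggest for this location: `proxy_ssl_server_name on` only affects upstreams reached over https, and the upstream here is `http://10.0.1.254:8123`, while `proxy_pass_header` controls response headers nginx hides by default (Date, Server, X-Accel-*), so `proxy_pass_header Authorization` is a no-op — request `Authorization` headers are forwarded by `proxy_pass` anyway. Dropping `extraConfig` entirely leaves behaviour unchanged. Home Assistant behind a reverse proxy also needs `trusted_proxies` configured on the HA side for the forwarded address to be honoured; that lives on 10.0.1.254 and is outside this repo, so just noting it here.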

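--- a/hosts/chonk/invidious.nix
+++ b/hosts/chonk/invidious.nix
@@ -0,0 +1,23 @@
+{
+self,
+config,
+pkgs,
+...
+}: let
+domain = "yt.gssws.de";
+in {
+age.secrets.invidious_db_password.file = "${self}/secrets/chonk_invidious_db_password.age";
+services.invidious = {
+inherit domain;
+enable = true;
+nginx.enable = true;
+database = {
+createLocally = true;
+passwordFile = "/run/agenix/invidious_db_password";
+};
+settings = {
+https_only = true;
+};
+};
+}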
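Review bot: `age.secrets.invidious_db_password` is declared without `owner`/`group`, so the decrypted file is root-owned with a restrictive mode, unlike the other secrets in this commit which name the consuming user; whether the invidious service can read `/run/agenix/invidious_db_password` depends on how the module consumes `database.passwordFile` (as root in a pre-start step, via a systemd credential, or as its own unprivileged user), and I cannot confirm that from here. If it reads the file as an unprivileged or dynamic user, the same pattern as nextcloud.nix (`owner`/`group` on the secret) is needed. A one-line comment recording the answer would keep the next reader from chasing it again.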


@ -0,0 +1,65 @@
{
self,
config,
pkgs,
...
}: let
hostAddress = "10.10.42.1";
serviceAddress = "10.10.42.11";
domain = "inv.gssws.de";
hostStateDir = "/mnt/internal/invoiceplane";
containerStateDir = "/var/lib/invoiceplane";
in {
# nginx
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://${serviceAddress}:80";
};
};
};
# invoiceplane
containers."invoiceplane" = {
privateNetwork = true;
hostAddress = "10.10.42.1";
localAddress = serviceAddress;
bindMounts."${containerStateDir}" = {
hostPath = hostStateDir;
isReadOnly = false;
};
config = {
config,
pkgs,
...
}: {
networking.firewall.allowedTCPPorts = [80];
services.rsyslogd.enable = true;
services.phpfpm.pools."invoiceplane-${domain}".phpOptions = ''
date.timezone = Europe/Berlin
'';
services.caddy.virtualHosts."http://${domain}".listenAddresses = ["0.0.0.0"];
services.invoiceplane.sites."${domain}" = {
enable = true;
stateDir = containerStateDir;
extraConfig = ''
ENABLE_DEBUG=true
'';
database = {
user = "invoiceplane";
name = "invoiceplane";
};
};
};
};
}
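Review bot: `ENABLE_DEBUG=true` in `services.invoiceplane.sites."${domain}".extraConfig` turns on the application's debug output for a site published through nginx on `inv.gssws.de`; debug modes typically expose stack traces and configuration details, so it should be `ENABLE_DEBUG=false` (or removed) before this host is deployed, with a comment if it is needed temporarily. `hostAddress` is bound to "10.10.42.1" in the `let`, but the container then repeats the literal instead of using it; `inherit hostAddress;` keeps the two from drifting. The other containers in this commit set `autoStart = true`; this one does not, which may be intentional but is worth a comment.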


@ -0,0 +1,87 @@
{
self,
pkgs,
config,
lib,
...
}: let
notify_push = pkgs.fetchzip {
sha256 = "7q1I4V2xUkRUK8qfEwxPNW/srkrGPPXiS1Y1Ew22zls=";
url = "https://github.com/nextcloud-releases/notify_push/releases/download/v0.5.2/notify_push-v0.5.2.tar.gz";
};
in {
systemd.services.nextcloud-notify-push = {
enable = true;
wantedBy = ["multi-user.target"];
serviceConfig = {
Environment = [
"PORT=7867"
"NEXTCLOUD_URL=https://data.gssws.de"
];
ExecStart = "${notify_push}/bin/x86_64/notify_push /mnt/internal/nextcloud/config/config.php";
User = "nextcloud";
};
};
services.nextcloud.extraApps = with pkgs.nextcloud25Packages.apps; {
inherit bookmarks calendar contacts deck keeweb news tasks;
inherit notify_push;
"bruteforcesettings" = pkgs.fetchzip {
sha256 = "8Sev4B7AOzLGPX6a4in0BEXJ5oL6m2EYGuBExSCnfok=";
url = "https://github.com/nextcloud-releases/bruteforcesettings/releases/download/v2.4.0/bruteforcesettings-v2.4.0.tar.gz";
};
"cookbook" = pkgs.fetchzip {
sha256 = "j7nAprAIY4NMPD6kXfmXVW+PgpRiyx5SRPSe6IEB/vY=";
url = "https://github.com/nextcloud/cookbook/releases/download/v0.10.1/Cookbook-0.10.1.tar.gz";
};
"cospend" = pkgs.fetchzip {
sha256 = "vGjK9Sy+q4ycS5MWeTTrwDGPTOp6t4leH+rF/Y54d0c=";
url = "https://github.com/eneiluj/cospend-nc/releases/download/v1.5.5/cospend-1.5.5.tar.gz";
};
"files_accesscontrol" = pkgs.fetchzip {
sha256 = "34goKXWLUym5p7alby3WEyFzr346psHUeJ/+OZtfGmc=";
url = "https://github.com/nextcloud-releases/files_accesscontrol/releases/download/v1.15.1/files_accesscontrol-v1.15.1.tar.gz";
};
"files_automatedtagging" = pkgs.fetchzip {
sha256 = "PmcqHojtfww3wNIFoLM+hVXAjoo4zqzK6sUMeveHYa0=";
url = "https://github.com/nextcloud-releases/files_automatedtagging/releases/download/v1.15.0/files_automatedtagging-v1.15.0.tar.gz";
};
"files_fulltextsearch" = pkgs.fetchzip {
sha256 = "DEl/CbCvwiWvkNQOuKtHWzifq3AMrhL5wLHmSMuL4TU=";
url = "https://github.com/nextcloud-releases/files_fulltextsearch/releases/download/25.0.0/files_fulltextsearch-25.0.0.tar.gz";
};
"files_mindmap" = pkgs.fetchzip {
sha256 = "/u1H2QvyKfdGjelFAkLc3rRGQlm3T+OajAbpUF0+cdY=";
url = "https://github.com/ACTom/files_mindmap/releases/download/v0.0.27/files_mindmap-0.0.27.tar.gz";
};
"fulltextsearch" = pkgs.fetchzip {
sha256 = "1LVo5Cv6Gf4M/laVlHfm5wAQ8I8EsdLIThVm/jUj6uA=";
url = "https://github.com/nextcloud-releases/fulltextsearch/releases/download/25.0.0/fulltextsearch-25.0.0.tar.gz";
};
"groupfolders" = pkgs.fetchzip {
sha256 = "CGGt5QEzdJqOJywZQTQYeKIy/2JhHYGACHrfAmH9LD0=";
url = "https://github.com/nextcloud-releases/groupfolders/releases/download/v13.1.0/groupfolders-v13.1.0.tar.gz";
};
"maps" = pkgs.fetchzip {
sha256 = "8HNew2sIlMd+wt2a6jXa1tZpub56AnB5gfBs/cYlkcI=";
url = "https://github.com/nextcloud/maps/releases/download/v0.2.4/maps-0.2.4.tar.gz";
};
#"notify_push" = pkgs.fetchzip {
# sha256 = "7q1I4V2xUkRUK8qfEwxPNW/srkrGPPXiS1Y1Ew22zls=";
# url = "https://github.com/nextcloud-releases/notify_push/releases/download/v0.5.2/notify_push-v0.5.2.tar.gz";
#};
"quota_warning" = pkgs.fetchzip {
sha256 = "If4tW4yJbJ1xgfOyN0wxcgHLxXUrtKPdphRhbQOM6b4=";
url = "https://github.com/nextcloud-releases/quota_warning/releases/download/v1.15.0/quota_warning-v1.15.0.tar.gz";
};
"richdocuments" = pkgs.fetchzip {
sha256 = "I6Y3lyZADiUCpmnkRS7Muc54uOOvKpWdlQ189EKzesA=";
url = "https://github.com/nextcloud-releases/richdocuments/releases/download/v7.0.2/richdocuments-v7.0.2.tar.gz";
};
#"twofactor_totp" = pkgs.fetchzip {
# sha256 = "p3Ft3sQ/2HPXCFE03dm8pBL39b7bWCi2iAxHkbOK2V4=";
# url = "https://github.com/nextcloud-releases/twofactor_totp/releases/download/v6.4.1/twofactor_totp-v6.4.1.tar.gz";
#};
};
}
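Review bot: `systemd.services.nextcloud-notify-push` reads `/mnt/internal/nextcloud/config/config.php` at start but declares only `wantedBy`, with no `after`/`requires` on `nextcloud-setup.service` (or `phpfpm-nextcloud.service`), so on a fresh boot it can start before Nextcloud has written its config and exit; adding `after = ["nextcloud-setup.service" "phpfpm-nextcloud.service"]; requires = ["nextcloud-setup.service"];` together with `serviceConfig.Restart = "on-failure";` closes that window. Every app here is pinned by `sha256`, which is the right supply-chain stance for release tarballs pulled from GitHub; the `notify_push` binary is the one piece executed on the host (as `nextcloud`), so keeping its hash next to its version as done here is worth preserving when bumping.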

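--- a/hosts/chonk/nextcloud.nix
+++ b/hosts/chonk/nextcloud.nix
@@ -0,0 +1,164 @@
+{
+self,
+pkgs,
+config,
+lib,
+...
+}: let
+notifyPushPort = 7867;
+in {
+imports = [
+./nextcloud-apps.nix
+];
+age.secrets.nextcloud_db_pass = {
+owner = "nextcloud";
+group = "nextcloud";
+file = "${self}/secrets/chonk_nextcloud_db_pass.age";
+};
+age.secrets.nextcloud_admin_pass = {
+owner = "nextcloud";
+group = "nextcloud";
+file = "${self}/secrets/chonk_nextcloud_admin_pass.age";
+};
+# HTTP
+services.nginx = {
+enable = true;
+recommendedGzipSettings = true;
+recommendedOptimisation = true;
+recommendedProxySettings = true;
+recommendedTlsSettings = true;
+sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+virtualHosts."data.gssws.de" = {
+enableACME = true;
+forceSSL = true;
+locations."^~ /push/" = {
+proxyPass = "http://127.0.0.1:${toString notifyPushPort}";
+proxyWebsockets = true;
+};
+};
+};
+# DATABASES
+services.postgresql = {
+enable = true;
+package = pkgs.postgresql_11;
+settings = {
+max_connections = "200";
+};
+ensureDatabases = ["nextcloud"];
+ensureUsers = [
+{
+name = "nextcloud";
+ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+}
+];
+};
+# REDIS
+services.redis.servers = {
+"nextcloud".enable = true;
+};
+users.groups."redis-nextcloud".members = ["nextcloud"];
+# Collabora Code server
+virtualisation.oci-containers.containers."nextcloud-collabora-code" = {
+image = "collabora/code";
+autoStart = true;
+ports = ["127.0.0.1:9980:9980"];
+environment.domain = "data\\.gssws\\.de";
+extraOptions = ["--cap-add" "MKNOD"];
+};
+services.nginx.virtualHosts."office.gssws.de" = let
+proxyPass = "https://127.0.0.1:9980";
+extraConfig = "proxy_ssl_verify off;";
+in {
+enableACME = true;
+forceSSL = true;
+locations."^~ /browser" = {
+inherit proxyPass extraConfig;
+};
+locations."^~ /hosting/discovery" = {
+inherit proxyPass extraConfig;
+};
+locations."^~ /hosting/capabilities" = {
+inherit proxyPass extraConfig;
+};
+locations."~ ^/cool/(.*)/ws''$" = {
+inherit proxyPass extraConfig;
+proxyWebsockets = true;
+};
+locations."~ ^/(c|l)ool" = {
+inherit proxyPass extraConfig;
+};
+locations."^~ /cool/adminws" = {
+inherit proxyPass extraConfig;
+proxyWebsockets = true;
+};
+};
+# NEXTCLOUD
+systemd.services."nextcloud-setup" = {
+requires = ["postgresql.service"];
+after = ["postgresql.service"];
+};
+services.nextcloud = {
+enable = true;
+package = pkgs.nextcloud25;
+hostName = "data.gssws.de";
+https = true;
+datadir = "/mnt/internal/nextcloud";
+caching.apcu = true;
+caching.redis = true;
+phpPackage = lib.mkForce pkgs.php81;
+poolSettings = {
+"pm" = "dynamic";
+"pm.max_children" = "128";
+"pm.start_servers" = "64";
+"pm.min_spare_servers" = "32";
+"pm.max_spare_servers" = "76";
+"pm.max_requests" = "500";
+};
+phpOptions = {
+short_open_tag = "Off";
+expose_php = "Off";
+error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
+display_errors = "stderr";
+"opcache.enable_cli" = "1";
+"opcache.interned_strings_buffer" = "32";
+"opcache.max_accelerated_files" = "100000";
+"opcache.memory_consumption" = "256";
+"opcache.revalidate_freq" = "1";
+"opcache.fast_shutdown" = "1";
+"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
+catch_workers_output = "yes";
+};
+config = {
+overwriteProtocol = "https";
+dbtype = "pgsql";
+dbuser = "nextcloud";
+dbhost = "/run/postgresql";
+dbname = "nextcloud";
+dbpassFile = "/run/agenix/nextcloud_db_pass";
+adminpassFile = "/run/agenix/nextcloud_admin_pass";
+adminuser = "admin";
+trustedProxies = ["80.244.242.2"];
+defaultPhoneRegion = "DE";
+};
+};
+}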
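Review bot: the Collabora websocket location is written as `locations."~ ^/cool/(.*)/ws''$"` inside a double-quoted Nix string, where `''$` is not an escape (that only applies in `''…''` indented strings), so nginx receives the regex `^/cool/(.*)/ws''$`, which matches nothing; websocket requests then fall through to `~ ^/(c|l)ool`, which has no `proxyWebsockets`. It should be `locations."~ ^/cool/(.*)/ws$" = {`. `sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"` replaces the cipher list that `recommendedTlsSettings` would install with one that still admits CBC/SHA1 suites while dropping ChaCha20 and AES-128-GCM; unless there is a reason for it, removing the line is the stronger configuration. `trustedProxies = ["80.244.242.2"]` lists the host's own public address, whereas nginx on this box proxies from loopback, so the entry presumably targets another hop — a comment naming it would help.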


@ -0,0 +1,68 @@
{
pkgs,
config,
...
}: let
containerStateDir = "/data";
hostStateDir = "/opt/tangd";
domain = "";
serviceAddress = "10.10.42.12";
in {
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://${serviceAddress}:${toString servicePort}";
};
};
containers."tang" = {
autoStart = true;
ephemeral = true;
bindMounts."${containerStateDir}" = {
hostPath = hostStateDir;
isReadOnly = false;
};
config = {
config,
pkgs,
...
}: {
networking.firewall.enable = false;
users.groups."_tang" = {};
users.users."_tang" = {
group = "_tang";
isSystemUser = true;
};
environment.systemPackages = ["${pkgs.jose}"];
systemd.services."tangd@" = {
enable = true;
serviceConfig = {
ExecStartPre = "${pkgs.bash}/bin/bash -c \"mkdir -p ${containerStateDir}/tang-db\"";
ExecStart = "${pkgs.tang}/libexec/tangd ${containerStateDir}/tang-db";
StandardInput = "socket";
StandardOutput = "socket";
StandardError = "journal";
User = "_tang";
Group = "_tang";
};
};
systemd.sockets."tangd" = {
enable = true;
listenStreams = ["${toString servicePort}"];
wantedBy = ["sockets.target"];
socketConfig = {
Accept = true;
};
};
system.stateVersion = "22.11";
};
};
}
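Review bot: `servicePort` is referenced in `proxyPass` and in `listenStreams` but never bound in this module's `let` (which has only `containerStateDir`, `hostStateDir`, `domain` and `serviceAddress`), so the file fails to evaluate as soon as it is imported; `domain = ""` likewise yields an nginx virtualHost with an empty name. Presumably this is a work-in-progress alternative to `hosts/chonk/tang.nix`; neither appears active, since `./tang.nix` is commented out in configuration.nix's import list and this file is not listed there, so a header comment saying it is not wired up, or deleting it, would avoid someone enabling it blind. The keys under `${containerStateDir}/tang-db` are the root of trust for whatever is unlocked against this tang, and the directory is created by `ExecStartPre` running as `_tang`, which requires `/opt/tangd` on the host to be writable by that user — nothing here ensures it.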

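--- a/hosts/chonk/tang.nix
+++ b/hosts/chonk/tang.nix
@@ -0,0 +1,25 @@
+{
+self,
+config,
+pkgs,
+...
+}: let
+domain = "t.gssws.de";
+servicePort = 63080;
+in {
+services.nginx.virtualHosts."${domain}" = {
+forceSSL = true;
+enableACME = true;
+locations."/" = {
+proxyPass = "http://127.0.0.1:${builtins.toString servicePort}";
+};
+};
+virtualisation.oci-containers.containers."tang" = {
+image = "cloggo/tangd";
+ports = ["127.0.0.1:${builtins.toString servicePort}:8080"];
+environment = {
+IP_WHITELIST = "172.17.0.1";
+};
+};
+}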
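Review bot: `image = "cloggo/tangd"` pulls an unpinned third-party image for a service whose keys unlock other hosts' disks; pin it by digest, `image = "cloggo/tangd@sha256:<digest>"` (placeholder, take the digest from the registry), so a rebuild cannot silently pick up a different image. `IP_WHITELIST = "172.17.0.1"` only holds if the container backend is docker with the default bridge; on podman the gateway address differs, so that dependency deserves a comment next to the value. Note that `./tang.nix` is commented out in configuration.nix, so nothing in this file is active yet.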

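--- a/hosts/chonk/wireguard.nix
+++ b/hosts/chonk/wireguard.nix
@@ -0,0 +1,65 @@
+{
+self,
+config,
+pkgs,
+...
+}: {
+age.secrets.home_controller_wireguard.file = "${self}/secrets/chonk_wireguard_key.age";
+systemd.services.wireguard-wg0.serviceConfig.Restart = "on-failure";
+systemd.services.wireguard-wg0.serviceConfig.RestartSec = "5s";
+# Enable WireGuard
+networking.wireguard.interfaces = {
+wg1 = {
+# Determines the IP address and subnet of the client's end of the tunnel interface.
+ips = ["10.0.1.6"];
+listenPort = 51899; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+# Path to the private key file.
+#
+# Note: The private key can also be included inline via the privateKey option,
+# but this makes the private key world-readable; thus, using privateKeyFile is
+# recommended.
+privateKeyFile = "/run/agenix/home_controller_wireguard";
+peers = [
+# For a client configuration, one peer entry for the server will suffice.
+{
+# giggles
+publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
+allowedIPs = ["10.0.1.11/32"];
+# Send keepalives every 25 seconds. Important to keep NAT tables alive.
+persistentKeepalive = 25;
+}
+{
+# cox
+publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
+allowedIPs = ["10.0.1.12/32"];
+# Send keepalives every 25 seconds. Important to keep NAT tables alive.
+persistentKeepalive = 25;
+}
+{
+# companion
+publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
+allowedIPs = ["10.0.1.13/32"];
+# Send keepalives every 25 seconds. Important to keep NAT tables alive.
+persistentKeepalive = 25;
+}
+{
+# hsha
+publicKey = "sC0wWHE/tvNaVYX3QQTHQUmSTTjZMOjkQ5x/qy6qjTc=";
+allowedIPs = ["10.0.1.254/32"];
+# Send keepalives every 25 seconds. Important to keep NAT tables alive.
+persistentKeepalive = 25;
+}
+];
+};
+};
+}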
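Review bot: the `Restart`/`RestartSec` overrides are set on `systemd.services.wireguard-wg0`, but the interface declared below is `wg1`, so the unit that actually exists (`wireguard-wg1.service`) gets no restart policy and the override targets a unit that is never generated. Change both lines to `systemd.services.wireguard-wg1.serviceConfig.Restart = "on-failure";` and `systemd.services.wireguard-wg1.serviceConfig.RestartSec = "5s";`, or derive both the interface and the unit name from one `let` binding so they cannot diverge again. No peer carries an `endpoint`, so this side only answers incoming handshakes on 51899, which matches the UDP firewall entry in configuration.nix; each peer's `allowedIPs` is a single /32, which is the right least-privilege shape for a hub.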


@ -1,16 +1,18 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ inputs, pkgs, builtins, config, lib, ... }:
{
imports =
[
./hardware-configuration.nix
./home-controller.nix
./paperless.nix
];
inputs,
pkgs,
builtins,
config,
lib,
...
}: {
imports = [
./hardware-configuration.nix
./home-controller.nix
];
boot.loader.timeout = lib.mkForce 0;
@ -40,7 +42,7 @@
boot.loader.systemd-boot.enable = lib.mkForce false;
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [ 2380 6443 ];
networking.firewall.allowedTCPPorts = [2380 6443];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
@ -53,4 +55,3 @@
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
}


@ -1,23 +1,87 @@
{ self, config, pkgs, ... }:
{
virtualisation.oci-containers = {
backend = "docker";
containers = {
backup-ssh = {
image = "linuxserver/openssh-server:arm64v8-latest";
ports = [ "32222:2222" ];
self,
config,
pkgs,
...
}: {
age.secrets.backup_restic_htpasswd = {
file = "${self}/secrets/cox_backup_restic_htpasswd.age";
owner = "${toString config.ids.uids.restic}";
};
environment = {
PUBLIC_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTpA7OHfZhl1wsbvydLNMtMx4q64fz+ojIAZpVUJEMI root@cube";
USER_NAME = "backup";
TZ = "Europe/Berlin";
PUID = "911";
PGID = "911";
};
volumes = [ "/opt/backup/hdd/restic:/data/hdd/restic" ];
services.nginx = {
enable = true;
clientMaxBodySize = "1G";
virtualHosts."backup.local" = {
locations."/" = {
proxyPass = "http://127.0.0.1:18000";
extraConfig = ''
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
send_timeout 600;
proxy_set_header Host ''$host;
proxy_set_header X-Forwarded-For ''$remote_addr;
'';
};
};
};
containers."backup" = {
autoStart = true;
ephemeral = true;
bindMounts = {
"/var/lib/restic" = {
hostPath = "/opt/backup/hdd/restic";
isReadOnly = false;
};
"/var/lib/restic/.htpasswd" = {
hostPath = "/run/agenix/backup_restic_htpasswd";
isReadOnly = false;
};
};
config = {
config,
pkgs,
...
}: {
networking.firewall.enable = false;
services.restic.server = {
enable = true;
listenAddress = "0.0.0.0:18000";
privateRepos = true;
extraFlags = [
"--append-only"
"--prometheus"
"--prometheus-no-auth"
];
};
time.timeZone = "Europe/Berlin";
system.stateVersion = "22.11";
};
};
#virtualisation.oci-containers = {
# backend = "docker";
# containers = {
# backup-ssh = {
# image = "linuxserver/openssh-server:arm64v8-latest";
# ports = [ "32222:2222" ];
#
# environment = {
# PUBLIC_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTpA7OHfZhl1wsbvydLNMtMx4q64fz+ojIAZpVUJEMI root@cube";
# USER_NAME = "backup";
# TZ = "Europe/Berlin";
# PUID = "911";
# PGID = "911";
# };
#
# volumes = [
# "/opt/backup/hdd/restic:/data/hdd/restic"
# ];
# };
# };
#};
}
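Review bot: the `/var/lib/restic/.htpasswd` bind mount is `isReadOnly = false` although rest-server only reads it; make it `isReadOnly = true;` so a compromised container cannot rewrite the credential file. `--prometheus-no-auth` exposes the metrics endpoint without credentials, and because the container has no `privateNetwork`, `listenAddress = "0.0.0.0:18000"` is bound on every host interface rather than only behind the nginx proxy on `backup.local`; `listenAddress = "127.0.0.1:18000"` keeps the proxy as the single entry point, and since that proxy is plain HTTP the basic-auth credentials rely on the WireGuard path for confidentiality. The docker `backup-ssh` container this replaces is commented out rather than deleted, yet `hosts/chonk/backup.nix` in the same commit still configures `Host backup` at 10.0.1.12 port 32222 for restic over ssh; confirm chonk's `repositoryFile` now carries a `rest:` URL, otherwise the first backup after deploy fails.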


@ -1,19 +1,18 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }:
{
imports =
[
./backup.nix
./hardware-configuration.nix
./home-controller.nix
./paperless.nix
];
boot.loader.timeout = 0;
config,
pkgs,
lib,
...
}: {
imports = [
./backup.nix
./hardware-configuration.nix
./home-controller.nix
./paperless.nix
];
boot.loader.generic-extlinux-compatible.enable = lib.mkForce false;
@ -50,7 +49,7 @@
];
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [ 2380 6443 ];
networking.firewall.allowedTCPPorts = [2380 6443];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
@ -63,4 +62,3 @@
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
}


@ -1,20 +1,26 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" "uas" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.initrd.availableKernelModules = ["xhci_pci" "usbhid" "usb_storage" "uas"];
boot.initrd.kernelModules = [];
boot.kernelModules = [];
boot.extraModulePackages = [];
boot.kernelPackages = pkgs.linuxPackages_6_1;
boot.supportedFilesystems = [ ];
boot.supportedFilesystems = [];
boot.kernelParams = ["usb-storage.quirks=2109:0716:ouw,174c:55aa:u,2109:2813:ouw,2109:0813:ouw"];
boot.loader.grub = {
enable = true;
@ -27,6 +33,7 @@
boot.loader.systemd-boot.enable = false;
boot.loader.generic-extlinux-compatible.enable = false;
boot.loader.timeout = 0;
boot.initrd.luks.devices."cryptroot" = {
@ -36,19 +43,19 @@
bypassWorkqueues = true;
};
fileSystems."/" =
{ device = "/dev/disk/by-uuid/6a419f58-bef1-4dd9-9b4f-389e35ba686a";
fsType = "ext4";
};
fileSystems."/" = {
device = "/dev/disk/by-label/root";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/6CB3-6DB8";
fsType = "vfat";
};
fileSystems."/boot" = {
device = "/dev/disk/by-label/boot";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/ea401985-e25f-4d13-8d72-5a5660c4384f"; }
];
swapDevices = [
{device = "/dev/disk/by-label/swap";}
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
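Review bot: Switching `fileSystems."/"`, `fileSystems."/boot"` and `swapDevices` from `/dev/disk/by-uuid/...` to `/dev/disk/by-label/{root,boot,swap}` makes device selection depend on a non-unique identifier: any attached disk or USB stick carrying the same label can be chosen instead of the intended one, and udev ordering decides which wins. For `/` this is partly covered because `boot.initrd.luks.devices."cryptroot"` is opened first (presumably the `root` label lives inside that mapping — I cannot confirm from the hunk), but `/boot` is an unencrypted vfat volume and swap has no such protection. If labels are needed because the image is built with fixed labels and UUIDs differ per flash, a comment above the block such as `# by-label on purpose: image is provisioned with fixed labels, UUIDs change per flash` would record that; otherwise keeping by-uuid is the safer default.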


@ -1,6 +1,9 @@
{ self, config, pkgs, ... }:
{
self,
config,
pkgs,
...
}: {
config = {
#age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cox_wireguard_key.age";
@ -21,30 +24,30 @@
privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [
{
# cube
publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk=";
allowedIPs = [ "10.0.1.5/32" ];
# chonk
publicKey = "t1DS0y6eVzyGwomKAEWTWVsHK3xB7M/fNQ3wLgE3+B8=";
allowedIPs = ["10.0.1.6/32"];
endpoint = "data.gssws.de:51899";
persistentKeepalive = 25;
}
{
# giggles
publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
allowedIPs = [ "10.0.1.11/32" ];
allowedIPs = ["10.0.1.11/32"];
endpoint = "giggles.local:51899";
persistentKeepalive = 25;
}
{
# companion
publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
allowedIPs = [ "10.0.1.13/32" ];
allowedIPs = ["10.0.1.13/32"];
endpoint = "companion.local:51899";
persistentKeepalive = 25;
}
{
# ringo
publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw=";
allowedIPs = [ "10.0.1.21/32" ];
allowedIPs = ["10.0.1.21/32"];
endpoint = "ringo.local:51899";
persistentKeepalive = 25;
}
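Review bot: The `cube` peer (`10.0.1.5/32`) is dropped from this peer list and from the giggles list further down (the hunk at `@ -18,30 +21,30 @@`), replaced by `chonk` at `data.gssws.de:51899`, yet `home_controller_cube_wireguard_key.age` is still declared in secrets.nix in this commit. If cube still runs its WireGuard interface with these hosts as peers, its handshakes are now silently rejected on this side; if it was decommissioned, that secret and cube's own peer config are dead. Either way a short comment on the `chonk` entry, e.g. `# chonk replaces cube (10.0.1.5) as the hub since <date>`, would make the mesh change traceable, and the norman `wireguard.nix` hunk that swaps the server public key to the same chonk key should be read together with this one.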


@ -1,6 +1,8 @@
{ pkgs, config, ... }:
let
{
pkgs,
config,
...
}: let
containerStateDir = "/data";
hostStateDir = "/opt/documents/paperless";
httpPort = 80;
@ -8,105 +10,111 @@ let
ftpListenPort = 20021;
ftpPasvMinPort = 22021;
ftpPasvMaxPort = 24021;
domain = "cox.local";
in
{
domain = "paperless.local";
in {
networking.firewall = {
allowedTCPPorts = [
httpPort
ftpListenPort
];
networking.firewall = {
allowedTCPPorts = [
httpPort
ftpListenPort
];
allowedTCPPortRanges = [
{
from = ftpPasvMinPort;
to = ftpPasvMaxPort;
}
];
};
allowedTCPPortRanges = [ { from = ftpPasvMinPort; to = ftpPasvMaxPort; } ];
};
services.nginx = {
enable = true;
virtualHosts."${domain}" = {
locations."/" = {
proxyPass = "http://127.0.0.1:${toString paperlessPort}";
proxyWebsockets = true;
extraConfig = ''
proxy_read_timeout 300s;
proxy_set_header Host ''$host;
proxy_set_header X-Forwarded-For ''$remote_addr;
'';
};
services.nginx = {
enable = true;
virtualHosts."${domain}" = {
locations."/" = {
proxyPass = "http://127.0.0.1:${toString paperlessPort}";
proxyWebsockets = true;
extraConfig = ''
proxy_read_timeout 300s;
proxy_set_header Host ''$host;
proxy_set_header X-Forwarded-For ''$remote_addr;
'';
};
};
};
containers."paperless" = {
autoStart = true;
ephemeral = true;
containers."paperless" = {
autoStart = true;
ephemeral = true;
tmpfs = [ "/tmp:size=2G" ];
tmpfs = ["/tmp:size=2G"];
bindMounts."${containerStateDir}" = {
hostPath = hostStateDir;
isReadOnly = false;
bindMounts."${containerStateDir}" = {
hostPath = hostStateDir;
isReadOnly = false;
};
config = {
config,
pkgs,
...
}: {
networking.firewall.enable = false;
users.users."paperless".extraGroups = ["ftp"];
services.paperless = {
enable = true;
dataDir = "/data";
consumptionDir = "/data/ftp/consume";
consumptionDirIsPublic = true;
port = paperlessPort;
extraConfig = {
PAPERLESS_OCR_LANGUAGE = "deu+eng";
PAPERLESS_ALLOWED_HOSTS = "${domain}";
PAPERLESS_CSRF_TRUSTED_ORIGINS = "http://${domain}";
PAPERLESS_CORS_ALLOWED_HOSTS = "http://${domain}";
};
};
config = { config, pkgs, ... }: {
networking.firewall.enable = false;
services.vsftpd = {
enable = true;
anonymousUser = true;
anonymousUserNoPassword = true;
anonymousUserHome = "/data/ftp";
anonymousUploadEnable = true;
anonymousUmask = "007";
writeEnable = true;
extraConfig = ''
listen=YES
listen_ipv6=NO
listen_port=${toString ftpListenPort}
chown_uploads=YES
chown_username=paperless
download_enable=NO
pasv_min_port=${toString ftpPasvMinPort}
pasv_max_port=${toString ftpPasvMaxPort}
'';
};
users.users."paperless".extraGroups = [ "ftp" ];
services.paperless = {
enable = true;
dataDir = "/data";
consumptionDir = "/data/ftp/consume";
consumptionDirIsPublic = true;
port = paperlessPort;
extraConfig = {
PAPERLESS_OCR_LANGUAGE = "deu+eng";
PAPERLESS_ALLOWED_HOSTS = "${domain}";
PAPERLESS_CSRF_TRUSTED_ORIGINS = "http://${domain}";
PAPERLESS_CORS_ALLOWED_HOSTS = "http://${domain}";
};
systemd.services.nextcloud-autosync = {
unitConfig = {
Description = "Auto sync Nextcloud";
After = "network-online.target";
};
services.vsftpd = {
enable = true;
anonymousUser = true;
anonymousUserNoPassword = true;
anonymousUserHome = "/data/ftp";
anonymousUploadEnable = true;
anonymousUmask = "007";
writeEnable = true;
extraConfig = ''
listen=YES
listen_ipv6=NO
listen_port=${toString ftpListenPort}
chown_uploads=YES
chown_username=paperless
download_enable=NO
pasv_min_port=${toString ftpPasvMinPort}
pasv_max_port=${toString ftpPasvMaxPort}
'';
};
systemd.services.nextcloud-autosync = {
unitConfig = {
Description = "Auto sync Nextcloud";
After = "network-online.target";
};
serviceConfig = {
User = "paperless";
Type = "simple";
ExecStart= "${pkgs.nextcloud-client}/bin/nextcloudcmd -h -n --path Documents/_paperless /data/media/documents https://data.gssws.de";
TimeoutStopSec = "180";
KillMode = "process";
KillSignal = "SIGINT";
};
wantedBy = ["multi-user.target"];
};
systemd.timers.nextcloud-autosync = {
unitConfig.Description = "Automatic sync files with Nextcloud when booted up after 5 minutes then rerun every 60 minutes";
timerConfig.OnUnitActiveSec = "60min";
wantedBy = ["multi-user.target" "timers.target"];
serviceConfig = {
User = "paperless";
Type = "simple";
ExecStart = "${pkgs.nextcloud-client}/bin/nextcloudcmd -h -n --path Documents/_paperless /data/media/documents https://data.gssws.de";
TimeoutStopSec = "180";
KillMode = "process";
KillSignal = "SIGINT";
};
wantedBy = ["multi-user.target"];
};
systemd.timers.nextcloud-autosync = {
unitConfig.Description = "Automatic sync files with Nextcloud when booted up after 5 minutes then rerun every 60 minutes";
timerConfig.OnUnitActiveSec = "60min";
wantedBy = ["multi-user.target" "timers.target"];
};
};
}
};
}
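Review bot: The renamed `domain = "paperless.local"` feeds the nginx vhost, `PAPERLESS_ALLOWED_HOSTS`, `PAPERLESS_CSRF_TRUSTED_ORIGINS` and `PAPERLESS_CORS_ALLOWED_HOSTS`, so those stay consistent, but all of them are plain `http://`, which means the paperless session cookie and CSRF token cross the LAN unencrypted. Separately, the vsftpd block (`anonymousUser = true`, `anonymousUploadEnable = true`, `writeEnable = true`) listens on `ftpListenPort`, which is opened in `networking.firewall.allowedTCPPorts` on every interface, so any host that can reach this machine can drop files into the consumption directory without credentials; `download_enable=NO` limits reads but not writes. If that is the intended trust boundary, a comment above the firewall block such as `# anonymous FTP upload: the consume dir is writable by any LAN host by design` records it; otherwise `networking.firewall.interfaces.<iface>.allowedTCPPorts` narrows who can submit documents.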


@ -1,8 +1,11 @@
{ config, lib, self, ... }:
{
config,
lib,
self,
...
}: {
age.secrets.restic_repository_password.file = "${self}/secrets/cube_restic_repository_password.age";
age.secrets.restic_ssh_private_key.file = "${self}/secrets/cube_restic_ssh_private_key.age";
age.secrets.restic_nextcloud_password.file = "${self}/secrets/cube_restic_nextcloud_password.age";
programs.ssh.extraConfig = ''
Host backup
@ -25,7 +28,9 @@
"/mnt/internal/nextcloud"
"/var/backup/postgresql"
];
repository = "sftp:backup:/data/hdd/restic";
repositoryFile = "/run/agenix/restic_nextcloud_password";
#repository = "rest:http://nextcloud:md1TYoRcOqdr7sBRH9ZH0iGos0yv2pLhrnZc3Xhk@10.0.1.12";
#repository = "sftp:backup:/data/hdd/restic";
timerConfig = {
OnCalendar = "02:00";
};
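Review bot: The commented-out `#repository = "rest:http://nextcloud:...@10.0.1.12"` line embeds the REST-server password for the `nextcloud` user in plain text, so it is now part of git history even though the live value moves into the `restic_nextcloud_password` secret; delete the comment and rotate that htpasswd entry (`cox_backup_restic_htpasswd.age`) rather than relying on the secret file alone. The secret's name is also misleading: `repositoryFile` is read as the whole repository string, so the agenix file must contain the full `rest:http://user:pass@host` URL, not just a password — a comment such as `# repositoryFile holds the complete rest: URL including credentials` would save the next reader a detour. The URL is plain `http://` to `10.0.1.12`; that address matches the WireGuard range used elsewhere in this commit, so the traffic is presumably tunnelled, but nothing here guarantees it. With the sftp repository commented out, `restic_ssh_private_key` and the `Host backup` ssh config above may be dead; the `services.restic.backups` block starts outside the hunk, so I cannot tell whether anything else still uses them.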


@ -1,6 +1,9 @@
{ self, config, pkgs, ... }:
{
self,
config,
pkgs,
...
}: {
config = {
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_giggles_wireguard_key.age";
@ -18,30 +21,30 @@
privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [
{
# cube
publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk=";
allowedIPs = [ "10.0.1.5/32" ];
# chonk
publicKey = "t1DS0y6eVzyGwomKAEWTWVsHK3xB7M/fNQ3wLgE3+B8=";
allowedIPs = ["10.0.1.6/32"];
endpoint = "data.gssws.de:51899";
persistentKeepalive = 25;
}
{
# cox
publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
allowedIPs = [ "10.0.1.12/32" ];
allowedIPs = ["10.0.1.12/32"];
endpoint = "cox.local:51899";
persistentKeepalive = 25;
}
{
# companion
publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
allowedIPs = [ "10.0.1.13/32" ];
allowedIPs = ["10.0.1.13/32"];
endpoint = "companion.local:51899";
persistentKeepalive = 25;
}
{
# ringo
publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw=";
allowedIPs = [ "10.0.1.21/32" ];
allowedIPs = ["10.0.1.21/32"];
endpoint = "ringo.local:51899";
persistentKeepalive = 25;
}

hosts/norman/builder.nix Normal file

@ -0,0 +1,28 @@
{self, ...}: {
programs.ssh.extraConfig = ''
Host builder
Hostname data.gssws.de
Port 2222
User builder
IdentitiesOnly yes
IdentityFile /root/.ssh/id_ed25519-builder
'';
nix.buildMachines = [
{
hostName = "builder";
systems = ["x86_64-linux" "aarch64-linux"];
maxJobs = 20;
speedFactor = 2;
supportedFeatures = ["nixos-test" "benchmark" "big-parallel" "kvm"];
mandatoryFeatures = [];
}
];
nix.distributedBuilds = true;
nix.settings = {
substituters = ["ssh-ng://builder"];
trusted-public-keys = ["chonk:1b/yLBRW2ZeL9jErW1ogMRUTq/hidJnZOxopx363JSo="];
builders-use-substitutes = true;
};
}
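Review bot: The `Host builder` block pins user, port and identity but not the host key, and `nix.distributedBuilds` plus the `ssh-ng://builder` substituter will push derivations to and pull store paths from whatever answers at `data.gssws.de:2222`; the nix daemon cannot answer a first-connection or changed-key prompt, so the connection should fail closed instead. Add the builder's host key via `programs.ssh.knownHosts.builder = { hostNames = ["data.gssws.de"]; publicKey = "<builder host key>"; };` (placeholder for the real key). The `trusted-public-keys` entry for `chonk:` makes that signing key a full root of trust for substituted paths on this machine, which is reasonable for a self-operated builder but deserves a one-line comment saying so. `/root/.ssh/id_ed25519-builder` is referenced but not provisioned here — presumably delivered out of band or by another module; a comment either way would help.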


@ -1,16 +1,17 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
./wireguard.nix
];
config,
pkgs,
...
}: {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
./wireguard.nix
./builder.nix
];
# Set your time zone.
time.timeZone = "Europe/Berlin";
@ -60,4 +61,3 @@
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.11"; # Did you read the comment?
}


@ -1,16 +1,21 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ ];
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [];
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usbhid" "uas" "sdhci_pci" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "usbhid" "uas" "sdhci_pci"];
boot.initrd.kernelModules = ["dm-snapshot"];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.loader.grub.trustedBoot = {
enable = true;
systemHasTPM = "YES_TPM_is_activated";
@ -21,20 +26,17 @@
bypassWorkqueues = true;
};
fileSystems."/" =
{
device = "/dev/disk/by-uuid/5b441f8f-d7eb-44f8-8df2-7354b3314a61";
fsType = "ext4";
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/5b441f8f-d7eb-44f8-8df2-7354b3314a61";
fsType = "ext4";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/84CD-91B6";
fsType = "vfat";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/84CD-91B6";
fsType = "vfat";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/54162798-9017-4b59-afd7-ab9578da4bb9"; }];
swapDevices = [{device = "/dev/disk/by-uuid/54162798-9017-4b59-afd7-ab9578da4bb9";}];
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
@ -42,5 +44,7 @@
enable = true;
device = "TPPS/2 ALPS TrackPoint";
emulateWheel = true;
sensitivity = 100; # default 128
speed = 64; # default 97
};
}


@ -1,16 +1,21 @@
{ config, pkgs, lib, ... }:
with lib;
let
{
config,
pkgs,
lib,
...
}:
with lib; let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
in {
imports = [
./configuration.nix
];
config = {
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
boot.binfmt.emulatedSystems = ["aarch64-linux"];
environment.systemPackages = [pkgs.factorio-experimental];
pub-solar.audio.bluetooth.enable = false;


@ -1,6 +1,8 @@
{ config, pkgs, ... }:
{
config,
pkgs,
...
}: {
systemd.services.wireguard-wg0.serviceConfig.Restart = "on-failure";
systemd.services.wireguard-wg0.serviceConfig.RestartSec = "5s";
systemd.services.wireguard-wg1.serviceConfig.Restart = "on-failure";
@ -73,7 +75,7 @@
{
# Public key of the server (not a file path).
publicKey = "RwMocdha7fyx+MGTtQpZhZQGJY4WU79YgpspYBclK3c=";
publicKey = "t1DS0y6eVzyGwomKAEWTWVsHK3xB7M/fNQ3wLgE3+B8=";
# Forward all the traffic via VPN.
allowedIPs = [
@ -87,8 +89,6 @@
persistentKeepalive = 25;
}
];
};
};
}


@ -18,12 +18,9 @@ in {
home.packages = [
signal-desktop
tdesktop
discord
element-desktop
tdesktop
mattermost-desktop
whatsapp-for-linux
];
};
};
};
}


@ -24,17 +24,17 @@ in {
config = mkIf cfg.enable {
programs.command-not-found.enable = false;
# Needed to get zsh completion for system packages (e.g. systemd).
environment.pathsToLink = ["/share/zsh"];
environment.shells = with pkgs; [
zsh
];
environment.systemPackages = with pkgs; [
screen
];
# Starship is a fast and featureful shell prompt
# starship.toml has sane defaults that can be changed there
programs.starship = {
enable = true;
settings = import ./starship.toml.nix;
};
home-manager = with pkgs;
pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
home.packages = [
@ -61,20 +61,21 @@ in {
watson
];
programs.bash = import ./bash {
inherit config;
inherit pkgs;
inherit self;
};
programs.fzf = import ./fzf {
inherit config;
inherit pkgs;
};
programs.neovim = import ./nvim {
inherit config;
inherit pkgs;
inherit lib;
};
};
programs.fzf = import ./fzf {
inherit config;
inherit pkgs;
};
programs.zsh = import ./zsh {
inherit config;
inherit pkgs;
inherit self;
inherit lib;
};
};
};
}


@ -0,0 +1,124 @@
{
config,
pkgs,
self,
lib,
...
}: let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in {
enable = true;
enableAutosuggestions = true;
enableCompletion = true;
dotDir = ".config/zsh";
history = {
ignoreDups = true;
expireDuplicatesFirst = true;
ignoreSpace = true;
path = "$HOME/.local/share/zsh/zsh_history";
save = 10000;
size = 10000;
};
loginExtra = lib.mkIf psCfg.sway.enable ''
[ "$(tty)" = "/dev/tty1" ] && exec ${pkgs.sway-service}/bin/sway-service
'';
shellAliases = {
nano = "nvim";
vi = "nvim";
vim = "nvim";
mutt = "neomutt";
ls = "exa";
la = "exa --group-directories-first -lag";
fm = "vifm .";
vifm = "vifm .";
wget = "wget --hsts-file=$XDG_CACHE_HOME/wget-hsts";
irssi = "irssi --config=$XDG_CONFIG_HOME/irssi/config --home=$XDG_DATA_HOME/irssi";
drone = "DRONE_TOKEN=$(secret-tool lookup drone token) drone";
no = "manix \"\" | grep '^# ' | sed 's/^# \(.*\) (.*/\1/;s/ (.*//;s/^# //' | fzf --preview=\"manix '{}'\" | xargs manix";
# fix nixos-option
nixos-option = "nixos-option -I nixpkgs=${self}/lib/compat";
myip = "dig +short myip.opendns.com @208.67.222.222 2>&1";
};
plugins = [
# src gets fetched by nvfetcher, see: ./pkgs/sources.toml
{
# will source ohmyzsh/plugins/z/
name = "zsh-plugins-z";
file = "plugins/z/z.plugin.zsh";
src = pkgs.sources.ohmyzsh.src;
}
{
name = "zsh-powerlevel10k";
file = "powerlevel10k.zsh-theme";
src = pkgs.sources.powerlevel10k.src;
}
{
name = "zsh-fast-syntax-highlighting";
file = "F-Sy-H.plugin.zsh";
src = pkgs.sources.F-Sy-H.src;
}
{
name = "zsh-nix-shell";
file = "nix-shell.plugin.zsh";
src = pkgs.sources.zsh-nix-shell.src;
}
];
initExtra =
''
bindkey -v
bindkey -v 'jj' vi-cmd-mode
bindkey -a 'i' up-line
bindkey -a 'k' down-line
bindkey -a 'j' backward-char
bindkey -a 'h' vi-insert
bindkey '^[[H' beginning-of-line
bindkey '^[[F' end-of-line
bindkey '^R' history-incremental-pattern-search-backward
bindkey '^ ' autosuggest-accept
bindkey '^q' push-line-or-edit
bindkey '^R' fzf-history-widget
# ArrowUp/Down start searching history with current input
autoload -U up-line-or-beginning-search
autoload -U down-line-or-beginning-search
zle -N up-line-or-beginning-search
zle -N down-line-or-beginning-search
bindkey "^[[A" up-line-or-beginning-search
bindkey "^[[B" down-line-or-beginning-search
bindkey "^P" up-line-or-beginning-search
bindkey "^N" down-line-or-beginning-search
# MAKE CTRL+S WORK IN VIM
stty -ixon
stty erase '^?'
precmd () {
DIR_NAME=$(pwd | sed "s|^$HOME|~|g")
echo -e -n "\e]2;$DIR_NAME\e\\"
if [ $(date +%d%m) = '0104' ]; then
if [ $? -eq 0 ]; then
echo "Success! That was a great command! I can't wait to see what amazing stuff you'll be up to next."
fi
fi
}
# If a command is not found, show me where it is
source ${pkgs.nix-index}/etc/profile.d/command-not-found.sh
''
+ builtins.readFile ./base16.zsh
+ builtins.readFile ./p10k.zsh
+ ''
source ${pkgs.fzf}/share/fzf/key-bindings.zsh
source ${pkgs.fzf}/share/fzf/completion.zsh
source ${pkgs.git-bug}/share/zsh/site-functions/git-bug
eval "$(direnv hook zsh)"
''
+ builtins.readFile ./fzf.zsh;
}
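Review bot: In `precmd` the inner `if [ $? -eq 0 ]` tests the exit status of the `[ $(date +%d%m) = '0104' ]` test that just succeeded, not the last user command, so the message prints on every prompt that day; capture the status first with `local last=$?` as the first line of `precmd` and test `$last`. `bindkey '^R'` is bound twice in `initExtra` — the later `fzf-history-widget` binding silently replaces `history-incremental-pattern-search-backward`; drop one of them. Everything else sourced in `initExtra` is a pinned store path, but `eval "$(direnv hook zsh)"` resolves `direnv` from `$PATH` at shell start, so whichever `direnv` appears first wins; `eval "$(${pkgs.direnv}/bin/direnv hook zsh)"` keeps it consistent with the `fzf`, `nix-index` and `git-bug` lines.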

overlays/invidious.nix Normal file

@ -0,0 +1,12 @@
final: prev: {
invidious = prev.invidious.overrideAttrs (oldAttrs: rec {
version = "unstable-2023-02-22";
src = prev.fetchFromGitHub {
owner = "iv-org";
repo = "invidious";
rev = "0995e0447c2b54d80b55231830b847d41c19b404";
hash = "sha256-hXF836jxMriMJ/qcBJIF5cRvQG719PStKqTZQcIRqlw=";
fetchSubmodules = true;
};
});
}
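Review bot: `rec` on the attribute set is unnecessary because `src` never refers to `version`, and `oldAttrs` is unused; `prev.invidious.overrideAttrs (_: { ... })` expresses the same thing. More importantly, bumping only `src` keeps whatever dependency lock data the nixpkgs `invidious` derivation carries (Crystal shards are resolved from the package's own lock file rather than the new source tree, if I remember the package correctly), so confirm the shard set at the new rev matches, or the build silently links older dependencies. A comment naming why this specific unstable revision is needed, e.g. `# unstable rev: needed for <fix> until it lands in nixpkgs`, would tell the next maintainer when the override can be dropped.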


@ -12,6 +12,11 @@ channels: final: prev: {
nvfetcher
;
inherit
(channels.factorio-pr)
factorio
;
haskellPackages =
prev.haskellPackages.override
(old: {
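Review bot: `factorio` is now taken from the `factorio-pr` channel instead of the tracked nixpkgs, so a separate nixpkgs tree (by its name presumably a pull-request branch) becomes part of the supply chain for that package and everything it pulls in; the lockfile pins a revision, but nothing here records what the branch provides or when it can go away. A comment such as `# factorio from nixpkgs PR branch <PR id>: drop once merged into the tracked channel` would keep that decision auditable. The host config hunk earlier in this commit adds `pkgs.factorio-experimental`, which is not in this `inherit` list — confirm it resolves to the same source as `factorio`, otherwise the two may build different game versions.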

Binary file not shown.


@ -0,0 +1,13 @@
age-encryption.org/v1
-> ssh-ed25519 hPyiJw BzbEPs8LDz17/aVKQoDoRaTdQmKw8MKb4oqKvBFGuAM
/zMIU+KoMrQ6ouI4vK/YyvEtzZ7ut8c9BJH8YTYldac
-> ssh-ed25519 YFSOsg CUwGu/W2wYrVNLHlGETFtsVhchDZUXfEi9JYZ88VkBU
ZD3lYlRTgk2g/L5Hy+Fcs1fLh3gKDdhRhWn0Gc4JP/A
-> ssh-ed25519 iHV63A mZ2DkCasSr/s3S6RXjf8QLi5P4UXOzQqqPNkLUkh4VU
E/eXCLd9cZt+i9Bg7iEh8LbWFn0rsTtzqDB9kaFtVUg
-> ssh-ed25519 Oya/Zw kD7aVVY0BrrNbDyoHa/7/8bUF8W74mYFPgHe/CVMpxg
jytr3knsUz9aaGf421m6mN9QgU4Tt3UykTEt8T8mNVg
-> p'c-grease J
vWgF1GduUf9hstTzuVdrUC6ytMofGgYE8nglE/mUTa+a69SDKrn/
--- kKHfCTImeN1RY9HxI2fWeJTec47FBwwr2gQB13sYdrw
Jýéø) Ù: †Ó½бèW—¡"~»cgRÔ _ù¥@­wD‰Ì+ûjÁ'D¤Í3ÐýaSj2U¶&-5ÁÐÑ


@ -0,0 +1,23 @@
age-encryption.org/v1
-> ssh-ed25519 hPyiJw yDJ66eI1Mp9+UoFYkd4ur3aaUBAALqveNM5FK1cpSx0
r7eXodJ94kzvLq2oRIk7aPZtArJ1xm37FShQwr1BBSA
-> ssh-ed25519 YFSOsg Sef4VkHt4bMmPsUPJLXOB7nOgPO0pDcV+6MHvBItOG8
MDyOFqyzDJ6MMxkgFqkxYQl25a7cXOn9iCu2sbONhBs
-> ssh-rsa 42S2Dw
Y3yN6FJOz5eDG7gRDLZJiujOaGJ/fm5lPNHvSVl7T5DYmiHedJ5F7on6CztMDuvv
LNrWXTO7Jy/LBPLZ516SG+o752sTfby1xpDAgo0pKejSs/o7XmccMDvwzdVAsPkt
Dk7ou4Fba0D9MnIeIwnhZolKxVPyFeUBfoPNkvDLtQeb48lqJ2N+bgVzjHQEKpL5
1Hx/v4x9jUKTj/cK7eds5j3tzitLNpaxkm20LcVpWlLLGZkAmYijwXPphaY0EXJY
qw0Z1OSJd6WnLUo0ozGtoYGiqxnP42duL31ajI7HiNfMMJqWER7WJaB2h4pA9eTO
1HCHP/C+rNCeWHtjXr8b0Q
-> ssh-ed25519 iHV63A cpEqVauWzNmXoGgNcdV438BLDyWh+pQBCXVOEg98x1o
fFmcIWj3kv3ZdhFTMjaxxYIw0/9rO+HKTnTq3pbSz58
-> ssh-ed25519 uTVbSg NODGHdge8Dp8fz1wvBRXJF+syIdZmvX/AL3I2u+tkwE
foU59bLRz6NOvaZZA/bYU/eQ97/z+ONINGVB30yk6vI
-> ssh-ed25519 Oya/Zw huI2DM77Xa7yPaUg0hnLZmsXOLvgOJALO+ixfmpfwF0
vOcIEA+mfsferBNqnM/XdaoDDtDS+fJu4gPHMHuIenc
-> l-grease T= 30lLW1F G
dHaeEO9LZVIC+26ZVLfGP0thkSDKwwqzM9OdH4Yj2ixuSxdGHKg8eYUmkc4aUmr4
Qa3y5GzKf8nQkfSJceG8/FsQrcm1OvjhePi99yE
--- DugQPlVCIYj1uGYP1Bta+9P7HdN9Ej4di5AjQWK0CKg
éÿ õÑ4QW„ó <59>í­œµóϹ.^æ°Ÿ(tÆÒ3w="пy4/3xÙàÀŠQáŒÆÏ•Q …"X:R-å U­˜å £)«œ


@ -0,0 +1,23 @@
age-encryption.org/v1
-> ssh-ed25519 hPyiJw Zv5YkeU/1DPR0tuZ+dkI76xF473aFaLltqfO5ZfvFy0
xoWSTmpQSc84tskFAv2XfKkD2gzunCH6XSttO5dVCQM
-> ssh-ed25519 YFSOsg datPvOnMKeP6zH7ThhAeK9k0uyKIulbgY5CAoAsu+w0
0YjqwWWpkYHqT7XEAfPKynQFgjRHfdg1eNVECEJeXMA
-> ssh-rsa 42S2Dw
Waw5Z5JSx5ZpSrqptOjFDlXPiZIFY+YeT5vZBwvSY4eRNIOsvALR+53zKuDkIHEl
TZ1CsgOU1DLuONSS0mP0Oa+eQImVR4NuDaxvfLNqTiLKwYEeBs6DwSL77xwMLtw/
wQL1MWMIcFTtExA/ul3rX3Y4B1TS7t50nvhgohFu5WTeNtXkIdgmbJ3CyflhqamN
L/Kxxn+/92scpIItKu5kgPJEO2MpX2GiwjokD6uY+3kxbS1HGXUJAc3COOwWMgEs
1BwQk/SKt8URcxGiugoagQ6M0zFqZRgGNkqh2uCsjaaT5we0lUuhYlL1gIMbe/FG
CR85WlwoEhzKvnnfgdYLFA
-> ssh-ed25519 iHV63A OqkSBucVJtboalsYV3/heEz1ZkSIADNDLEarRPWgklc
76HOz0Vi1oGwSZCBA3bOSNn7auAnmPE7uHVedVjxGTM
-> ssh-ed25519 uTVbSg +X8ylXfSx+Yg14KORdcPSTr1FvDaTMeb62MjQ/gqA2k
r7M9BL070ijThnFLczko29G5P0ikwRW+6VJ8JYhHevs
-> ssh-ed25519 Oya/Zw wXPvHIhPEqbKPme+OLfrJdxIVAghA0LGTGWwOr2yoys
FsriMbp2jb40ZyxapHratwoA/C7dk8nNhvaFU0YAfpM
-> =HAZ-grease 6e?x*"~
y4DPqeGgLo+PJv/Nja0AMPZ2g31nIqbXwKt3g1I8xHu4rwkM9G/c
--- O3v2CaEy4phy18h9152SkVV6qQhdz/aWJQ9bVI9YHHY
<EFBFBD>$邀孻f @ #}▂&rゲy砲𡟻3癦ロ<E799A6>鏴U蒀𧡰s唚<73>f鱣[缸N利紊T#h
b<EFBFBD>鵜攤𪊓iR<>犟e!z<>


@ -0,0 +1,22 @@
age-encryption.org/v1
-> ssh-ed25519 hPyiJw 7kU8OQWy/jGDRUq1hkGl9cNldEgWvk4oG3O2DMw0qGI
XlIzPLT0Gh2/bse6ch4TemO+uzIK4oqyFwDDa7ylXuA
-> ssh-ed25519 YFSOsg dWvGDRO+/3dT7qN04Ykuh4u4aVZSkNAZQl2bbCE0jkg
5QxL1xUjv1OHCJR/+rxw055lIKngtDvarTg7wOaiqu4
-> ssh-rsa 42S2Dw
V9Zo+91MGptezt9ZGX7aGd4sGsoFmBV9k4gbImTXz2CGOXuHUbzFv73j/ikpvXU6
NpCU8nYgBuM8E3GTxrorCFIlBgGpjQI28PrbD7Y8b7nqn585Zqn7S+E5DFln0Zd5
phKfY4NdWypRW4xjuHVjDO8I2uiVd8qD7rhYbE6c611hySudPmrY7k2m41Qz7D2O
j97ATtt2FNFk5MpsNjSKk0w5QeKIVqDTIXTlewRi4eFf3TdLI5vzpBwIELStf/XU
sBmEzqX3EEBvrB41brSPPwQJ7mJ7MaRzjNXmtgytEwirgnI9TA2dv4/xc5zksJgF
zg1F+rlyRC2TOWDNi8Om5g
-> ssh-ed25519 iHV63A IVXUYIxX37FZw+Vn7ZmLc14du4M6120vS+XAY+amx3Q
G9J8NhNx3bwLF1vCWuq1fWQq9//r1IxoXPdJfjg5oQQ
-> ssh-ed25519 uTVbSg v7e3YZQJqK0SZ/F/YSrMPOX8hwAt1+UNf+1YDlzkMSI
1kqIoiR7Oojue2JFHYJB7+piw1j/9U86Thy+eYqphPQ
-> ssh-ed25519 Oya/Zw /EUf0yv0UBi0wPFEl48IK7dJ7m2Z+Y+6EpYqoP75Kx8
dDDQ+dZhrujnyo2Z40cwisFMpwC+4TsaBTGH7ofn8qU
-> Gg'26s6y-grease 8c
X06Ld3joZpAZby/RIFlRb9gqVT4grrQXQInV/g
--- FVcdFxUlZ7vydcDrU7jzFjipxKygYL8t/aDHNC/TN7w
gOAóìiœ§nùûW<C3BB>¹÷¿xŠT“¾UÍ3ü¯"Âxo<78>`“?Õáf<C3A1>:¡iÚMrúÒ̓¦m™

Binary file not shown.

Binary file not shown.


@ -0,0 +1,23 @@
age-encryption.org/v1
-> ssh-ed25519 hPyiJw x2nB3+kHq5bhYL4Gmu7mcLx8jW8ywUEEkInvVkmH5m8
cMDnbfUtv4AUTlsBh39xeVFyn8jndfd/XxPU01Re1FU
-> ssh-ed25519 YFSOsg rSr6F981RuhKipasm4xcFTqORbkyCxiId/UvtBy8SW0
763z8aYG61IYtSfaKBUuQfe7s6SsfujvQF8qx+ALqVY
-> ssh-rsa 42S2Dw
M78y3Q2hLhSGwWe+sVixdgdkL/NPRp3yVdmsLSJ7dkU/JlIikTJ1Idzp2WR9VbZ9
PyIrBLSVmYlx5SI9ksLfeQZyFoocP7/yKOAdHh7HMvXjpkakN6ZBa4dHELPxLMy0
x7DQX09Q1h6xTfyghYoIyk29sOHHpT66WaTAPz/cHciJst2TAojJU1qfdJ/ZPU0T
9tq/iOaAhGSdFkFVjhETDwS1lYxKnzxYaMKQeoRBcCdWTVGrbSJLVUMH4pFT1iIv
I8auITrGbSZdm1tJAc8aiBIDI1r5lHz1ozrkamazI9dn+5iF5qWIj+9MVtg0l06X
In7knX1skVcG2x2USjdZgw
-> ssh-ed25519 iHV63A SP+EEU7gJi6o2xnzlsJO2RBplyNWjIMrOYOWweBtKQU
Q/9+4yyRRndmPKjx8up5lijZhICDamxrBAUZtbzteB0
-> ssh-ed25519 uTVbSg v4RUldxeE2I7Sw1ASpkfcBLiv9b8yJMUOmeydaqa4hk
OreiiziBBpTCKM/D/4eI181AvRD9mwjTUULGeatKUgo
-> ssh-ed25519 Oya/Zw 51sjyVTCtYbG4e4pROOjg7Cr4lX8LGXdGtf+8drR9y8
Hc6H9PPDJGAmwgO/qOjbt2W2KNXEGlqlbcExmsZQNAE
-> <O-grease lr/]6 OsFzy7 E@<zV R
LhERj36DtC7MwfGTT1Z85I42SCUnJMdl6oToreQSERKbBa5SpTuUo5baqRqM7MdW
JQjLt5MZ0dna
--- SUtdBUH80GU2DjGWmvigOpbRWYkki1VdZi8NkMXFTcE
ê|9µ¼µ÷´a<C2B4>ÒÒUÒšÀˆšÄã>õ–÷9<C3B7>.Q¨ÈßÑÞ¢©¨zD6ÈAf„-Ååz“SSÝf¥t<C2A5>“Íc\Ón.ÿhÿN[``çõ

Binary file not shown.


@ -0,0 +1,21 @@
age-encryption.org/v1
-> ssh-ed25519 hPyiJw YN25mqloDpfTK9BHraZeaX4wlMNyGmuaB9ikhc1qPx0
MBblsaQ14v/aUrt9BT7Sdef5t7zLXujlNBbKOoKRNvQ
-> ssh-ed25519 YFSOsg GPhY1N8XFr0vxYcho63L/tF1QFuE6vlxGpf+fEUaDn0
jCVovM/dwU839i3Ry7hjvdJcAKcjAshZE00zfxmSc/c
-> ssh-rsa 42S2Dw
khLfcbecRWa0gNw1vCfP8FIbYll+uNrGEysaPHzEtk6hYzOrPw5BOct9PGG32M63
USRC5onMkkZXH3RJjAze+JOaNIQML3l5Wx6LNfAiKE7MBtrbEFw9WpPb3yA3vBtF
/h/ngNIjMTryltOq4ovXTDif6bC2CBcBi4zfThqGaBmIk+hqZHAPZIEaQAH5i6JM
Sic+Y0VTUbNDsz9qvE6RFfs4plGAoRG1RDFBTwdYhReXf/7/ISSQE1sm0r8rY7wk
rFp3AGyQQaAJqa2RlA4LeI9z+0okmXrA9e4Q0VezQPN65Ru2qGFKUGg6dgA0czmM
3rIX9HbzV9vlgmjtXhf6Aw
-> ssh-ed25519 iHV63A CJ6pAaBDuZtsVnBHYvlbhwkTSQmHLVNksADDRW1j/A4
/Vww88tZwVUWwWg8gqdXhKI5vVggGUxgbgeMUkqQagI
-> ssh-ed25519 Oya/Zw ExTtW9P8FWD9s0o3GBycwN16McaP0LVbJuD9cLUejgs
G2BJ8FGHPSqB8/ks5hrGKVDQ0GcaEcS3CK3b7AzB7mI
-> C-grease \T$\ Fn4_2KJ E 2Ju.&t'
jBuy2c0fpq3ibHy3LJOj6xmga+6C9z2WwvSTBTs/lyEXDNgFG9sgEDmjPayMJhAN
JTHQmBJyJ9ae2dMZqhfEPXrcZynNR/F8gd8TyWodXWZhvw
--- FH53Gij4AICM76S4DTZkI1BwEVohhnw/Qnanc4BphE4
ňŠÐߌÜB7 #pB†pþ¡§¡X˜O7ê_c<>6Àû<C380>IÜÞͪƹEìoâ·Ï¸¤/Þ<>ÛM˜µÚ<>JÉ(;ÖÅìU‡ä 6

Binary file not shown.


@ -0,0 +1,22 @@
age-encryption.org/v1
-> ssh-ed25519 hPyiJw zqUMfOd04sohMIlfrNdHj9XJPh+1AiZDSG82rALFEn0
AjULNhyeKzMJYzas/Ck5te047CGGkoTGWrl4Zf+fK/g
-> ssh-ed25519 YFSOsg Wf12fsV6ddeCYGrJG/IEc/pm3qltWroW9+xgUvBNhBg
FB6dw6npV16JNMcmhLOh2CrV+Ytxym1Q3X6fi8mXPh4
-> ssh-rsa 42S2Dw
QSORqDFOuGhFBNjCjF1u43tfgAp9okVheVWdY851j4b3JAtX8nsygwEpx0ntNZIk
pYIH7/QreainFDB0WM+sj8too/96YOmrjqf6k1strpP12pI75ArCcQq27XJWk0oD
cIaiAgtzmO8jk1YQTKUDUxvaEv6tX1Lb3r+j3MfHuR6nX4Zx0C6YdmUBFT4t9/9C
DLh990iFG6/wHO+1HSiknGf5V4eUChMfpyh9FgXkOVAQC7JprKgfePbyh2TY9usj
ViRmP6kT8jV7EvqpnsXRuMB3MC0yzrX92OGC1QKArTdj9sNgPduawamposGYiwNm
HAYgbfRbzgcRl/tN8MNSfg
-> ssh-ed25519 iHV63A w9EB0URrVNcTMDhUA+D3z6eDPvaLZihSVpzT8Vr9jHo
ofmrgw+5Jaf1wWXTzBDeijQwY59I/tHfU1fmrZCUTyo
-> ssh-ed25519 uTVbSg qH1A4EHjDjauEa0ideqeWvSwP6ADmziNZOnXnEnrYyg
y7MfmMtWlIGWl/HLyUQVQgJUxzvDKez0WXD6VGq4TfM
-> w>S%-grease nxLQF J+B{F F+"3V
wAF9N9WZyJAygP6EoouxvH9CG0EIIgXBNcnToP73VNNTaPxWOWRyL4rP7yZ9jSyR
JRaZzh9xwASjiqG2GAStcHormaz1JMVy
--- 8QzYdkT1uITqWc6bhvOvDxygLgaiVwWZrgWKOTF0pKc
LæÉGAÖxIó³i¾Š˜¢ŠêÌ+Jg-“p±Dfy¾ü­<C3BC>ø[÷1xÅä ùï©<C2A9>Bqn'¾DkèO<´*n£ØÉ?u[o•Ð.µ&$”9|Øe
â‘+õEíŠ :ô8ÃZg­Ø׉E(]ˆõ~å»

Binary file not shown.


@ -3,14 +3,14 @@ let
user_hensoko_nitrokey_1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/58A18EtxnLYHu63c/+AyTSkJQSso/VVdHUFGp1CTk cardno:FFFE34353135";
user_hensoko_harrison = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb hensoko@harrison";
user_hensoko_norman_1 = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+euxPp6bHXw61UeUqTGHH8Ub2L+Sy1iteupv/AGudgoVNp2GebqJy1cxQ74mgnL8eWMlaA9jZlKQ1xFFhgtolCsoAKTE9AE8X0egvmEM18fEUR3EWWchmX4MXUhUiOtwitkl4+EpSsp5rh/kIxcpQFz1dpBibroq6jDLKlrVou+2LppR8nMfFT2sqg3694Ltxz4CWMdAfitLax05ckKMAnzz+TgpXK5OyfQSBvl18Qu1SWITYa6AVNXQ7/ovWBDIUfg25GWouzWqkSUpLdCVIcXPe2X7g6X1QsHXnnhaMAhvYH54GZ4wU2kBwIJ6KvplfZdbJ09KAltPVt08evafb hendriksokolowski@hsokolowski-pc";
user_hensoko_norman_2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work";
user_hensoko_norman = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work";
system_giggles = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILwogNjatRZlft4qUFDFKg73kiYB1HNZZ0xGUwfyfTzP root@nixos";
system_cox = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMINORCNhrxSdo2z70GkKrV8vcge2elgNPYzdRve+hI5 root@nixos";
system_companion = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJu4u9Q36B8acRdBJi2RYU5pYpIMeCh+HKmtInR+IKQs root@nixos";
system_cube = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5ok5tIuDKYpIw3KVmUnqBSDJ1QriWQJ04IVLF1Kaig root@nixos";
system_chonk = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICt8I4z42DXGL3d6eju3WzSEnJMeaWPn3y+f/82oYBzy root@nixos";
system_ringo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5g8CfSiMxboEJT2U92JoYdnv0nsArBPW/vfTEsUWZO root@nixos";
system_harrison = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMGsY9APkK11hlcqKXER+iqaJZ/x5HNacQ8FXfLe2SA4 root@nixos";
@ -18,29 +18,40 @@ let
system_surfplace = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOAmim1CFeTPPDz/34sDYhF773NquhbqIS6v4mWM4qSd root@nixos";
users = [ user_hensoko_nitrokey_1 user_hensoko_harrison user_hensoko_norman_1 user_hensoko_norman_2 ];
systems_email_accounts = [ system_harrison system_norman system_surfplace ];
systems_home_controller = [ system_giggles system_cox system_companion system_cube system_ringo ];
users = [user_hensoko_nitrokey_1 user_hensoko_harrison user_hensoko_norman];
systems_email_accounts = [system_harrison system_norman system_surfplace];
systems_home_controller = [system_giggles system_cox system_companion system_cube system_ringo];
allKeys = users ++ systems_home_controller;
in
{
in {
"email_gssws_password.age".publicKeys = users ++ systems_email_accounts;
"home_controller_giggles_wireguard_key.age".publicKeys = users ++ [ system_giggles ];
"home_controller_cox_wireguard_key.age".publicKeys = users ++ [ system_cox ];
"home_controller_companion_wireguard_key.age".publicKeys = users ++ [ system_companion ];
"home_controller_giggles_wireguard_key.age".publicKeys = users ++ [system_giggles];
"home_controller_cox_wireguard_key.age".publicKeys = users ++ [system_cox];
"home_controller_companion_wireguard_key.age".publicKeys = users ++ [system_companion];
"home_controller_cube_wireguard_key.age".publicKeys = users ++ [ system_cube ];
"cube_nextcloud_admin_pass.age".publicKeys = users ++ [ system_cube ];
"cube_nextcloud_db_pass.age".publicKeys = users ++ [ system_cube ];
"cube_restic_ssh_private_key.age".publicKeys = users ++ [ system_cube ];
"cube_restic_repository_password.age".publicKeys = users ++ [ system_cube ];
"cox_backup_restic_htpasswd.age".publicKeys = users ++ [system_cox];
"cube_drone_exec_runner_config.age".publicKeys = users ++ [ system_cube ];
"home_controller_cube_wireguard_key.age".publicKeys = users ++ [system_cube];
"cube_nextcloud_admin_pass.age".publicKeys = users ++ [system_cube];
"cube_nextcloud_db_pass.age".publicKeys = users ++ [system_cube];
"cube_restic_ssh_private_key.age".publicKeys = users ++ [system_cube];
"cube_restic_repository_password.age".publicKeys = users ++ [system_cube];
"cube_drone_exec_runner_config.age".publicKeys = users ++ [system_cube];
"cube_invoiceplane_db_password.age".publicKeys = users ++ [system_cube];
"cube_restic_nextcloud_password.age".publicKeys = users ++ [system_cube];
"cube_invoiceplane_db_password.age".publicKeys = users ++ [ system_cube ];
"chonk_wireguard_key.age".publicKeys = users ++ [system_chonk];
"chonk_nextcloud_admin_pass.age".publicKeys = users ++ [system_chonk];
"chonk_nextcloud_db_pass.age".publicKeys = users ++ [system_chonk];
"chonk_restic_ssh_private_key.age".publicKeys = users ++ [system_chonk];
"chonk_restic_repository_password.age".publicKeys = users ++ [system_chonk];
"chonk_drone_exec_runner_config.age".publicKeys = users ++ [system_chonk];
"chonk_invoiceplane_db_password.age".publicKeys = users ++ [system_chonk];
"chonk_restic_nextcloud_password.age".publicKeys = users ++ [system_chonk];
"chonk_nix_builder_private_key.age".publicKeys = users ++ [system_chonk];
"chonk_invidious_db_password.age".publicKeys = users ++ [system_chonk];
"home_controller_ringo_wireguard_key.age".publicKeys = users ++ [ system_ringo ];
"home_controller_ringo_wireguard_key.age".publicKeys = users ++ [system_ringo];
"home_controller_k3s_server_token.age".publicKeys = users ++ systems_home_controller;
}
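Review bot: Dropping `user_hensoko_norman_1` (the ssh-rsa key) from `users` only changes who future encryptions target; every existing `.age` file keeps its old recipient stanzas until it is re-keyed (`agenix -r`), so the removed key can still decrypt anything not re-encrypted in this commit. Several of the `.age` files added here still carry an `ssh-rsa` recipient stanza — if that is the removed key rather than a system key outside this hunk (`system_norman` is not visible), they were encrypted against the old list and should be re-keyed. A comment next to the `users` list, e.g. `# key rotation: run agenix -r after editing this list`, would make that step hard to forget. `allKeys = users ++ systems_home_controller` is not used by any visible rule; if nothing outside the hunk references it, it is dead.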


@ -1,13 +1,22 @@
{ config, pkgs, lib, self, ... }:
with lib;
let
psCfg = config.pub-solar;
in
{
home-manager = pkgs.lib.setAttrByPath [ "users" psCfg.user.name ] {
config,
pkgs,
lib,
self,
...
}:
with lib; let
psCfg = config.pub-solar;
in {
home-manager = pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
programs.ssh = {
enable = true;
matchBlocks = {
"builder" = {
hostname = "data.gssws.de";
user = "builder";
port = 2222;
};
"hsha" = {
hostname = "192.168.42.5";
user = "root";
@ -30,7 +39,7 @@ in
"companion" = {
user = "iot";
};
"cube" = {
"chonk" = {
hostname = "80.244.242.2";
user = "iot";
port = 2222;