From 8cc79885d857c7fee7b4c59800083e1c53748bbb Mon Sep 17 00:00:00 2001 
From: Hendrik Sokolowski Date: Mon, 22 Aug 2022 00:53:04 +0200 Subject: [PATCH] add hosts --- flake.lock | 51 +++++- flake.nix | 100 +++++++++-- hosts/companion/companion.nix | 16 ++ hosts/companion/configuration.nix | 63 +++++++ hosts/companion/default.nix | 6 + hosts/companion/hardware-configuration.nix | 61 +++++++ hosts/companion/home-controller.nix | 55 +++++++ hosts/cox/backup.nix | 23 +++ hosts/cox/configuration.nix | 65 ++++++++ hosts/cox/cox.nix | 16 ++ hosts/cox/default.nix | 6 + hosts/cox/hardware-configuration.nix | 61 +++++++ hosts/cox/home-controller.nix | 55 +++++++ hosts/cube/acme.nix | 8 + hosts/cube/backup.nix | 34 ++++ hosts/cube/configuration.nix | 53 ++++++ hosts/cube/cube.nix | 15 ++ hosts/cube/default.nix | 6 + hosts/cube/drone.nix | 21 +++ hosts/cube/hardware-configuration.nix | 38 +++++ hosts/cube/home-assistant.nix | 19 +++ hosts/cube/invoiceplane.nix | 53 ++++++ hosts/cube/nextcloud-apps.nix | 98 +++++++++++ hosts/cube/nextcloud.nix | 155 ++++++++++++++++++ hosts/cube/wireguard.nix | 63 +++++++ hosts/falcone/configuration.nix | 57 +++++++ hosts/falcone/default.nix | 6 + hosts/falcone/falcone.nix | 16 ++ hosts/falcone/hardware-configuration.nix | 35 ++++ hosts/giggles/configuration.nix | 65 ++++++++ hosts/giggles/default.nix | 6 + hosts/giggles/giggles.nix | 16 ++ hosts/giggles/hardware-configuration.nix | 61 +++++++ hosts/giggles/home-controller.nix | 53 ++++++ .../.config/sway/config.d/screens.conf | 19 +++ hosts/harrison/configuration.nix | 49 ++++++ hosts/harrison/default.nix | 6 + hosts/harrison/hardware-configuration.nix | 70 ++++++++ hosts/harrison/harrison.nix | 28 ++++ .../sway/config.d/custom-keybindings.conf | 16 ++ .../norman/.config/sway/config.d/screens.conf | 18 ++ hosts/norman/configuration.nix | 63 +++++++ hosts/norman/default.nix | 6 + hosts/norman/hardware-configuration.nix | 46 ++++++ hosts/norman/norman.nix | 22 +++ hosts/norman/wireguard.nix | 94 +++++++++++ hosts/ringo/configuration.nix | 35 ++++ 
hosts/ringo/default.nix | 6 + hosts/ringo/hardware-configuration.nix | 43 +++++ hosts/ringo/home-controller.nix | 43 +++++ hosts/ringo/ringo.nix | 13 ++ hosts/surfplace/configuration.nix | 32 ++++ hosts/surfplace/default.nix | 6 + hosts/surfplace/hardware-configuration.nix | 44 +++++ hosts/surfplace/surfplace.nix | 11 ++ modules/core/bluetooth.nix | 0 secrets/cube_drone_exec_runner_config.age | Bin 0 -> 1126 bytes secrets/cube_invoiceplane_db_password.age | 20 +++ secrets/cube_restic_repository_password.age | 21 +++ secrets/cube_restic_ssh_private_key.age | 22 +++ secrets/email_gssws_password.age | 43 ++--- secrets/secrets.nix | 13 ++ 62 files changed, 2203 insertions(+), 42 deletions(-) create mode 100644 hosts/companion/companion.nix create mode 100644 hosts/companion/configuration.nix create mode 100644 hosts/companion/default.nix create mode 100644 hosts/companion/hardware-configuration.nix create mode 100644 hosts/companion/home-controller.nix create mode 100644 hosts/cox/backup.nix create mode 100644 hosts/cox/configuration.nix create mode 100644 hosts/cox/cox.nix create mode 100644 hosts/cox/default.nix create mode 100644 hosts/cox/hardware-configuration.nix create mode 100644 hosts/cox/home-controller.nix create mode 100644 hosts/cube/acme.nix create mode 100644 hosts/cube/backup.nix create mode 100644 hosts/cube/configuration.nix create mode 100644 hosts/cube/cube.nix create mode 100644 hosts/cube/default.nix create mode 100644 hosts/cube/drone.nix create mode 100644 hosts/cube/hardware-configuration.nix create mode 100644 hosts/cube/home-assistant.nix create mode 100644 hosts/cube/invoiceplane.nix create mode 100644 hosts/cube/nextcloud-apps.nix create mode 100644 hosts/cube/nextcloud.nix create mode 100644 hosts/cube/wireguard.nix create mode 100644 hosts/falcone/configuration.nix create mode 100644 hosts/falcone/default.nix create mode 100644 hosts/falcone/falcone.nix create mode 100644 hosts/falcone/hardware-configuration.nix create mode 100644 
hosts/giggles/configuration.nix create mode 100644 hosts/giggles/default.nix create mode 100644 hosts/giggles/giggles.nix create mode 100644 hosts/giggles/hardware-configuration.nix create mode 100644 hosts/giggles/home-controller.nix create mode 100644 hosts/harrison/.config/sway/config.d/screens.conf create mode 100644 hosts/harrison/configuration.nix create mode 100644 hosts/harrison/default.nix create mode 100644 hosts/harrison/hardware-configuration.nix create mode 100644 hosts/harrison/harrison.nix create mode 100644 hosts/norman/.config/sway/config.d/custom-keybindings.conf create mode 100644 hosts/norman/.config/sway/config.d/screens.conf create mode 100644 hosts/norman/configuration.nix create mode 100644 hosts/norman/default.nix create mode 100644 hosts/norman/hardware-configuration.nix create mode 100644 hosts/norman/norman.nix create mode 100644 hosts/norman/wireguard.nix create mode 100644 hosts/ringo/configuration.nix create mode 100644 hosts/ringo/default.nix create mode 100644 hosts/ringo/hardware-configuration.nix create mode 100644 hosts/ringo/home-controller.nix create mode 100644 hosts/ringo/ringo.nix create mode 100644 hosts/surfplace/configuration.nix create mode 100644 hosts/surfplace/default.nix create mode 100644 hosts/surfplace/hardware-configuration.nix create mode 100644 hosts/surfplace/surfplace.nix create mode 100644 modules/core/bluetooth.nix create mode 100644 secrets/cube_drone_exec_runner_config.age create mode 100644 secrets/cube_invoiceplane_db_password.age create mode 100644 secrets/cube_restic_repository_password.age create mode 100644 secrets/cube_restic_ssh_private_key.age diff --git a/flake.lock b/flake.lock index 609eb2a9..3a59667e 100644 --- a/flake.lock +++ b/flake.lock 
@@ -336,6 +336,24 @@ "type": "github" } }, + "nixpkgs-hensoko": { + "inputs": { + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1666884246, + "narHash": "sha256-nSiYCIlMiYodY7GPCFPMF6YHVS2RM/XQZwn2Zrhu2eU=", + "ref": "refs/heads/master", + "rev": "f1863fb8e3866c1559ca885e1b319ea82baecdbb", + "revCount": 23, + "type": "git", + "url": "https://git.b12f.io/hensoko/nixpkgs" + }, + "original": { + "type": "git", + "url": "https://git.b12f.io/hensoko/nixpkgs" + } + }, "nixpkgs-unstable": { "locked": { "lastModified": 1672791794, @@ -352,6 +370,34 @@ "type": "github" } }, + "nixpkgs_2": { + "locked": { + "lastModified": 1654994491, + "narHash": "sha256-HFu3HTFFFcZSKImuiki3q+MLvcc85hRgYvW+sXmH8LE=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "1f8d88087a3753e55a29b5207f7f0997f7c813fa", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-22.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nur": { + "locked": { + "lastModified": 0, + "narHash": "sha256-koC6DBYmLCrgXA+AMHVaODf1uHYPmvcFygHfy3eg6vI=", + "path": "/nix/store/6mfkswqi67m35qwv0vh7kpk8rypbl2rq-source", + "type": "path" + }, + "original": { + "id": "nur", + "type": "indirect" + } + }, "root": { "inputs": { "agenix": "agenix", @@ -363,13 +409,10 @@ "latest": "latest", "musnix": "musnix", "nixos": "nixos", -<<<<<<< HEAD - "nixos-hardware": "nixos-hardware" -======= "nixos-generators": "nixos-generators", "nixos-hardware": "nixos-hardware", + "nixpkgs-hensoko": "nixpkgs-hensoko", "nur": "nur" ->>>>>>> 5366306d (add profiles.daw) } }, "utils": { diff --git a/flake.nix b/flake.nix index 9442ebe8..ed58ce14 100644 --- a/flake.nix +++ b/flake.nix 
@@ -13,7 +13,7 @@ flake-compat.url = "github:edolstra/flake-compat"; flake-compat.flake = false; - #digga.url = "github:pub-solar/digga/fix/bootstrap-iso"; + digga.url = "github:pub-solar/digga/fix/bootstrap-iso"; digga.inputs.nixpkgs.follows = "nixos"; digga.inputs.nixlib.follows = "nixos"; digga.inputs.home-manager.follows = "home"; @@ -40,6 +40,8 @@ # hensoko additions musnix.url = "github:musnix/musnix"; musnix.inputs.nixpkgs.follows = "nixos"; + + nixpkgs-hensoko.url = "git+https://git.b12f.io/hensoko/nixpkgs"; }; outputs = { @@ -115,10 +117,6 @@ # Set host-specific properties here bootstrap = { modules = [ - { lib.our = self.lib; } - # FIXME: upstream module causes a huge number of unnecessary - # dependencies to be pulled in for all systems -- many of them are - # graphical. should only be imported as needed. digga.nixosModules.bootstrapIso ]; }; @@ -130,6 +128,31 @@ #}) ]; }; + + companion = { + system = "aarch64-linux"; + }; + cox = { + system = "aarch64-linux"; + }; + falcone = { + system = "aarch64-linux"; + }; + giggles = { + system = "aarch64-linux"; + }; + + norman = { }; + + harrison = { + modules = [ + musnix.nixosModules.musnix + ]; + }; + + surfplace = { + modules = [ nixos-hardware.nixosModules.microsoft-surface-pro-intel ]; + }; }; importables = rec { profiles = @@ -138,11 +161,10 @@ users = digga.lib.rakeLeaves ./users; }; suites = with profiles; rec { - base = [users.pub-solar users.root]; - iso = base ++ [base-user graphical pub-solar-iso]; - pubsolaros = [full-install base-user users.root]; - anonymous = [pubsolaros users.pub-solar]; - pubsolaros-light = [ core-light base-user users.root ]; + base = [ users.pub-solar users.root ]; + iso = base ++ [ base-user graphical pub-solar-iso ]; + pubsolaros = [ base-user users.root ]; + anonymous = [ pubsolaros users.pub-solar ]; hensoko = pubsolaros ++ [ users.hensoko ]; hensoko-iot = [ server base-user users.root users.iot ]; 
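Review bot: The new `nixpkgs-hensoko` input is a bare `git+https://` URL with no `ref` or `rev`, and the lock in this same commit shows it carrying its own `nixpkgs` (nixos-22.05) instead of following `nixos`, so the closure now contains a second nixpkgs and `nix flake update` will follow whatever the fork's default branch points at. Add `nixpkgs-hensoko.inputs.nixpkgs.follows = "nixos";` next to the URL, as the hunk already does for `musnix`, and either pin the URL with `?ref=…&rev=…` or leave a comment that the fork is only bumped after reviewing its diff against upstream. The `inputs` attrset continues outside the hunk.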
@@ -159,17 +181,59 @@ # vm redpanda = hensoko; + + # home pc + harrison = hensoko ++ [ daw graphical non-free social work ]; + + # work laptop + norman = hensoko ++ [ graphical non-free social virtualisation work ]; + + # cm4 + falcone = hensoko-iot; + + # surface + surfplace = hensoko ++ [ graphical non-free social work ]; }; }; - }; - home = { - imports = [ (digga.lib.importExportableModules ./users/modules) ]; - modules = [ ]; - importables = rec { - profiles = digga.lib.rakeLeaves ./users/profiles; - suites = with profiles; rec { - base = [ direnv git ]; + home = { + imports = [ (digga.lib.importExportableModules ./users/modules) ]; + modules = [ ]; + importables = rec { + profiles = digga.lib.rakeLeaves ./users/profiles; + suites = with profiles; rec { + base = [ direnv git ]; + }; + }; + users = { + pub-solar = { suites, ... }: { imports = suites.base; }; + hensoko = { suites, ... }: { imports = suites.base; }; + iot = { suites, ... }: { imports = suites.base; }; + }; # digga.lib.importers.rakeLeaves ./users/hm; + }; + + devshell = ./shell; + + homeConfigurations = digga.lib.mkHomeConfigurations self.nixosConfigurations; + + deploy.nodes = digga.lib.mkDeployNodes self.nixosConfigurations { + redpanda = { + hostname = "192.168.42.71:22"; + sshUser = "hensoko"; + fastConnect = true; + profilesOrder = [ "system" "direnv" ]; + profiles.direnv = { + user = "hensoko"; + path = deploy.lib.x86_64-linux.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.hensoko; + }; + }; + + companion = { sshUser = "iot"; }; + cox = { }; + giggles = { }; + ringo = { }; + cube = { + sshUser = "iot"; }; }; users = { diff --git a/hosts/companion/companion.nix b/hosts/companion/companion.nix new file mode 100644 index 00000000..ca873721 --- /dev/null +++ b/hosts/companion/companion.nix 
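Review bot: `hostname = "192.168.42.71:22"` puts the SSH port inside the hostname; if these nodes are consumed by deploy-rs as-is, the port belongs in `sshOpts = [ "-p" "22" ];` and the hostname should be the bare address, otherwise resolving `192.168.42.71:22` fails. `companion` and `cube` deploy with `sshUser = "iot"` while the activation user stays the default, which presumably requires passwordless sudo for `iot` on those hosts — a one-line comment stating that requirement (and that `iot` is therefore root-equivalent there) would save the next reader a guess. `cox`, `giggles` and `ringo` are left as `{ }` and so inherit the default user and hostname; a comment saying that is intentional would help. The enclosing `outputs` attrset continues outside the hunk.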
@@ -0,0 +1,16 @@ +{ config, pkgs, lib, ... }: +with lib; +let + psCfg = config.pub-solar; + xdg = config.home-manager.users."${psCfg.user.name}".xdg; +in +{ + imports = [ + ./configuration.nix + ]; + + config = { + boot.plymouth.enable = lib.mkForce false; + pub-solar.nextcloud.enable = lib.mkForce false; + }; +} diff --git a/hosts/companion/configuration.nix b/hosts/companion/configuration.nix new file mode 100644 index 00000000..1b8dc6c7 --- /dev/null +++ b/hosts/companion/configuration.nix 
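Review bot: The `with lib;` and the `psCfg`/`xdg` let-bindings are dead — nothing in the `config` attrset uses them — and `xdg` reaches into `config.home-manager.users."${psCfg.user.name}"`, which would fail to evaluate the moment it is used on a host without `pub-solar.user.name`. Drop `with lib;` and the `let … in` block so the file reduces to `{ lib, ... }: { imports = [ ./configuration.nix ]; config = { … }; }`. `hosts/cox/cox.nix` in this commit is byte-identical (same blob `ca873721`), so the same cleanup applies there.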
@@ -0,0 +1,63 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, lib, ... }: + +{ + imports = + [ + ./hardware-configuration.nix + ./home-controller.nix + ]; + + boot.loader.timeout = lib.mkForce 0; + + boot.loader.generic-extlinux-compatible.enable = lib.mkForce false; + + boot.loader.grub = { + enable = lib.mkForce true; + efiSupport = true; + efiInstallAsRemovable = true; + device = "nodev"; + }; + + # Set your time zone. + time.timeZone = "Europe/Berlin"; + + # The global useDHCP flag is deprecated, therefore explicitly set to false here. + # Per-interface useDHCP will be mandatory in the future, so this generated config + # replicates the default behaviour. + networking.useDHCP = false; + networking.interfaces.eth0.useDHCP = true; + networking.interfaces.wlan0.useDHCP = false; + networking.networkmanager.enable = lib.mkForce false; + + boot.loader.systemd-boot.enable = lib.mkForce false; + + nix = { + extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes"; + }; + + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + vim + wget + ]; + + # Open ports in the firewall. + networking.firewall.allowedTCPPorts = [ 2380 6443 ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. 
man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "22.11"; # Did you read the comment? +} + diff --git a/hosts/companion/default.nix b/hosts/companion/default.nix new file mode 100644 index 00000000..8cac5356 --- /dev/null +++ b/hosts/companion/default.nix @@ -0,0 +1,6 @@ +{ suites, ... }: +{ + imports = [ + ./companion.nix + ] ++ suites.companion; +} diff --git a/hosts/companion/hardware-configuration.nix b/hosts/companion/hardware-configuration.nix new file mode 100644 index 00000000..1b59fa36 --- /dev/null +++ b/hosts/companion/hardware-configuration.nix 
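Review bot: `networking.firewall.allowedTCPPorts = [ 2380 6443 ];` opens the etcd peer port and the Kubernetes API on every interface, including `eth0` on the LAN, while the home-controller config for this host gives it a `10.0.1.x` address that looks like the WireGuard overlay. If control-plane traffic is meant to stay on the tunnel, scope the rule with `networking.firewall.interfaces.<wg-interface>.allowedTCPPorts = [ 2380 6443 ];` (the interface name is not visible here) and leave the global list empty. This file is also a near copy of `hosts/cox/configuration.nix` from the same commit, differing only in the `mkForce` wrappers and the `backup.nix` import, so a shared module would keep the firewall decision in one place.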
@@ -0,0 +1,61 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + boot.initrd.supportedFilesystems = [ "zfs" ]; + boot.supportedFilesystems = [ "zfs" ]; + + boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18; + + boot.initrd.luks.devices = { + cryptroot = { + device = "/dev/disk/by-uuid/3bbde916-e12a-46a7-9eea-4f5e2aef7883"; + keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04017028021722045451-0:0-part1"; + bypassWorkqueues = true; + fallbackToPassword = true; + }; + }; + + fileSystems."/" = + { + device = "zroot/root"; + fsType = "zfs"; + }; + + fileSystems."/boot" = + { + device = "/dev/disk/by-uuid/5552-1B21"; + fsType = "vfat"; + }; + + fileSystems."/var/lib/rancher/k3s/storage" = + { + device = "zroot/kubernetes-localstorage"; + fsType = "zfs"; + }; + + swapDevices = + [{ device = "/dev/disk/by-uuid/0545db4a-0494-44d7-927a-4c78351c4303"; }]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = false; + networking.interfaces.eth0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlan0.useDHCP = lib.mkDefault true; + networking.hostId = "71f2d82a"; + + powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; +} 
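Review bot: The header says this file is generated and will be overwritten, yet it now carries hand-added settings — the LUKS `keyFile` on a USB partition, `fallbackToPassword`, `bypassWorkqueues` and the `mkForce` kernel pin — which a future `nixos-generate-config` run would silently drop; either move those into `configuration.nix` or replace the header. The key file is a whole partition with no `keyFileSize`, so every byte on that partition is part of the key material; if the key was written as a fixed-size blob, set `keyFileSize = <bytes>;` to make that explicit. `linuxPackages_5_18` is not an LTS series, so this pin stops receiving fixes once nixpkgs drops it; a comment recording why 5.18 is required (presumably hardware support) and when to revisit it would help.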
diff --git a/hosts/companion/home-controller.nix b/hosts/companion/home-controller.nix new file mode 100644 index 00000000..ff7ab606 --- /dev/null +++ b/hosts/companion/home-controller.nix @@ -0,0 +1,55 @@ +{ self, config, pkgs, ... }: + +{ + config = { + age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age"; + age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_companion_wireguard_key.age"; + + pub-solar.home-controller = { + enable = true; + role = "server"; + ownIp = "10.0.1.13"; + + k3s = { + serverAddr = "https://api.kube:6443"; + tokenFile = "/run/agenix/home_controller_k3s_token"; + enableLocalStorage = true; + enableZfs = true; + }; + + wireguard = { + privateKeyFile = "/run/agenix/home_controller_wireguard"; + peers = [ + { + # cube + publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk="; + allowedIPs = [ "10.0.1.5/32" ]; + endpoint = "data.gssws.de:51899"; + persistentKeepalive = 25; + } + { + # giggles + publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg="; + allowedIPs = [ "10.0.1.11/32" ]; + endpoint = "giggles.local:51899"; + persistentKeepalive = 25; + } + { + # cox + publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k="; + allowedIPs = [ "10.0.1.12/32" ]; + endpoint = "cox.local:51899"; + persistentKeepalive = 25; + } + { + # ringo + publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw="; + allowedIPs = [ "10.0.1.21/32" ]; + endpoint = "ringo.local:51899"; + persistentKeepalive = 25; + } + ]; + }; + }; + }; +} diff --git a/hosts/cox/backup.nix b/hosts/cox/backup.nix new file mode 100644 index 00000000..28612b3d --- /dev/null +++ b/hosts/cox/backup.nix 
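Review bot: The WireGuard peer table is hand-copied per host — this file and `hosts/cox/home-controller.nix` in the same commit list the same keys, endpoints and `10.0.1.x/32` allowed IPs with only the local host's own entry removed — so rotating one key or moving an endpoint means editing every host, and the copies can drift unnoticed. A shared attrset of all peers keyed by hostname, filtered with something like `lib.filter (p: p.name != config.networking.hostName)`, would give one source of truth. The `*.local` endpoints presumably rely on mDNS; a comment noting that `cube` is the only peer with a public endpoint would document the intended topology.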
@@ -0,0 +1,23 @@
+{ self, config, pkgs, ... }:
+
+{
+ virtualisation.oci-containers = {
+ backend = "docker";
+ containers = {
+ backup-ssh = {
+ image = "linuxserver/openssh-server:arm64v8-latest";
+ ports = [ "32222:2222" ];
+
+ environment = {
+ PUBLIC_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTpA7OHfZhl1wsbvydLNMtMx4q64fz+ojIAZpVUJEMI root@cube";
+ USER_NAME = "backup";
+ TZ = "Europe/Berlin";
+ PUID = "911";
+ PGID = "911";
+ };
+
+ volumes = [ "/opt/backup/hdd/restic:/data/hdd/restic" ];
+ };
+ };
+ };
+}
diff --git a/hosts/cox/configuration.nix b/hosts/cox/configuration.nix
new file mode 100644
index 00000000..bdb0f92d
--- /dev/null
+++ b/hosts/cox/configuration.nix
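Review bot: `ports = [ "32222:2222" ];` publishes the container port on all host interfaces, and with `backend = "docker"` that mapping is installed through Docker's own iptables chain, so it is not covered by this host's `networking.firewall.allowedTCPPorts`. The only intended client is `cube`, which reaches this box as `10.0.1.12` in `hosts/cube/backup.nix`, so bind to that address: `ports = [ "10.0.1.12:32222:2222" ];`. `image = "linuxserver/openssh-server:arm64v8-latest"` is a floating tag; pin a version or `@sha256:` digest so an image update cannot change the sshd guarding the backup repository without a commit. No `/config` volume is mounted, so the container's host keys are presumably regenerated on every recreate, which makes them impossible to pin on the client side — worth a comment or a persistent volume.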
@@ -0,0 +1,65 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, lib, ... }: + +{ + imports = + [ + ./backup.nix + ./hardware-configuration.nix + ./home-controller.nix + ]; + + boot.loader.timeout = 0; + + boot.loader.generic-extlinux-compatible.enable = lib.mkForce false; + + boot.loader.grub = { + enable = true; + efiSupport = true; + efiInstallAsRemovable = true; + device = "nodev"; + }; + + # Set your time zone. + time.timeZone = "Europe/Berlin"; + + # The global useDHCP flag is deprecated, therefore explicitly set to false here. + # Per-interface useDHCP will be mandatory in the future, so this generated config + # replicates the default behaviour. + networking.useDHCP = false; + networking.interfaces.eth0.useDHCP = true; + networking.interfaces.wlan0.useDHCP = false; + networking.networkmanager.enable = lib.mkForce false; + + boot.loader.systemd-boot.enable = lib.mkForce false; + + nix = { + #package = pkgs.nixFlakes; + extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes"; + }; + + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + vim + wget + ]; + + # Open ports in the firewall. + networking.firewall.allowedTCPPorts = [ 2380 6443 ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. 
man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "22.11"; # Did you read the comment? +} + diff --git a/hosts/cox/cox.nix b/hosts/cox/cox.nix new file mode 100644 index 00000000..ca873721 --- /dev/null +++ b/hosts/cox/cox.nix @@ -0,0 +1,16 @@ +{ config, pkgs, lib, ... }: +with lib; +let + psCfg = config.pub-solar; + xdg = config.home-manager.users."${psCfg.user.name}".xdg; +in +{ + imports = [ + ./configuration.nix + ]; + + config = { + boot.plymouth.enable = lib.mkForce false; + pub-solar.nextcloud.enable = lib.mkForce false; + }; +} diff --git a/hosts/cox/default.nix b/hosts/cox/default.nix new file mode 100644 index 00000000..aa29e195 --- /dev/null +++ b/hosts/cox/default.nix @@ -0,0 +1,6 @@ +{ suites, ... }: +{ + imports = [ + ./cox.nix + ] ++ suites.cox; +} diff --git a/hosts/cox/hardware-configuration.nix b/hosts/cox/hardware-configuration.nix new file mode 100644 index 00000000..3b52c24b --- /dev/null +++ b/hosts/cox/hardware-configuration.nix 
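Review bot: The `nix` block keeps `#package = pkgs.nixFlakes;` commented out while `extraOptions` is gated on `config.nix.package == pkgs.nixFlakes`, so within this file the flakes line can only take effect if some other module sets the package; either drop the commented line or enable it explicitly so the intent is visible. The firewall rule `allowedTCPPorts = [ 2380 6443 ]` has the same all-interfaces scope issue as `hosts/companion/configuration.nix`, and the two files are otherwise near-identical — a shared module for the k3s nodes would avoid fixing it twice.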
@@ -0,0 +1,61 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + boot.initrd.supportedFilesystems = [ "zfs" ]; + boot.supportedFilesystems = [ "zfs" ]; + + boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18; + + boot.initrd.luks.devices = { + cryptroot = { + device = "/dev/disk/by-uuid/bf333b74-875f-4187-922e-4b433fb53aa2"; + keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_03024516121421043657-0:0-part1"; + bypassWorkqueues = true; + fallbackToPassword = true; + }; + }; + + fileSystems."/" = + { + device = "zroot/root"; + fsType = "zfs"; + }; + + fileSystems."/boot" = + { + device = "/dev/disk/by-uuid/6CB3-6DB8"; + fsType = "vfat"; + }; + + fileSystems."/var/lib/rancher/k3s/storage" = + { + device = "zroot/kubernetes-localstorage"; + fsType = "zfs"; + }; + + swapDevices = + [{ device = "/dev/disk/by-uuid/7ef4a3f8-f4a6-42f5-a57d-21f502ed3dba"; }]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = false; + networking.interfaces.eth0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlan0.useDHCP = lib.mkDefault true; + networking.hostId = "71f2d82a"; + + powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; +} 
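Review bot: `networking.hostId = "71f2d82a"` is the same value as in `hosts/companion/hardware-configuration.nix` from this commit. ZFS records the hostid in the pool and refuses to import a pool last used by a different hostid unless forced; two hosts sharing the id lose that protection, so a `zroot` moved between the boards for recovery, or a stale disk left attached, can be imported by the wrong machine without warning. Give each host a unique 8-hex-digit value, e.g. from `head -c 8 /etc/machine-id`, and add `# must be unique per ZFS pool owner`. The generated-file header versus hand-added LUKS/kernel settings issue noted on companion applies here as well.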
diff --git a/hosts/cox/home-controller.nix b/hosts/cox/home-controller.nix new file mode 100644 index 00000000..d017c570 --- /dev/null +++ b/hosts/cox/home-controller.nix @@ -0,0 +1,55 @@ +{ self, config, pkgs, ... }: + +{ + config = { + age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age"; + age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cox_wireguard_key.age"; + + pub-solar.home-controller = { + enable = true; + role = "server"; + ownIp = "10.0.1.12"; + + k3s = { + serverAddr = "https://api.kube:6443"; + tokenFile = "/run/agenix/home_controller_k3s_token"; + enableLocalStorage = true; + enableZfs = true; + }; + + wireguard = { + privateKeyFile = "/run/agenix/home_controller_wireguard"; + peers = [ + { + # cube + publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk="; + allowedIPs = [ "10.0.1.5/32" ]; + endpoint = "data.gssws.de:51899"; + persistentKeepalive = 25; + } + { + # giggles + publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg="; + allowedIPs = [ "10.0.1.11/32" ]; + endpoint = "giggles.local:51899"; + persistentKeepalive = 25; + } + { + # companion + publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0="; + allowedIPs = [ "10.0.1.13/32" ]; + endpoint = "companion.local:51899"; + persistentKeepalive = 25; + } + { + # ringo + publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw="; + allowedIPs = [ "10.0.1.21/32" ]; + endpoint = "ringo.local:51899"; + persistentKeepalive = 25; + } + ]; + }; + }; + }; +} diff --git a/hosts/cube/acme.nix b/hosts/cube/acme.nix new file mode 100644 index 00000000..6ed057b3 --- /dev/null +++ b/hosts/cube/acme.nix @@ -0,0 +1,8 @@ +{ pkgs, config, ... }: + +{ + security.acme = { + acceptTerms = true; + defaults.email = "hensoko@gssws.de"; + }; +} diff --git a/hosts/cube/backup.nix b/hosts/cube/backup.nix new file mode 100644 index 00000000..a2c0ca19 --- /dev/null +++ b/hosts/cube/backup.nix 
@@ -0,0 +1,34 @@
+{ config, lib, self, ... }:
+
+{
+ age.secrets.restic_repository_password.file = "${self}/secrets/cube_restic_repository_password.age";
+ age.secrets.restic_ssh_private_key.file = "${self}/secrets/cube_restic_ssh_private_key.age";
+
+ programs.ssh.extraConfig = ''
+ Host backup
+ HostName 10.0.1.12
+ Port 32222
+ User backup
+ IdentityFile /run/agenix/restic_ssh_private_key
+ '';
+
+ services.postgresqlBackup = {
+ enable = true;
+ backupAll = true;
+ compression = "zstd";
+ };
+
+ services.restic.backups = {
+ cox = {
+ passwordFile = "/run/agenix/restic_repository_password";
+ paths = [
+ "/mnt/internal/nextcloud"
+ "/var/backup/postgresql"
+ ];
+ repository = "sftp:backup:/data/hdd/restic";
+ timerConfig = {
+ OnCalendar = "02:00";
+ };
+ };
+ };
+}
diff --git a/hosts/cube/configuration.nix b/hosts/cube/configuration.nix
new file mode 100644
index 00000000..60701de5
--- /dev/null
+++ b/hosts/cube/configuration.nix
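Review bot: The `Host backup` entry pins the identity file but not the server's host key, and the restic timer runs as root non-interactively, so on first run `ssh` either stalls on the host-key prompt or, if `StrictHostKeyChecking` is relaxed elsewhere in `ssh_config`, accepts whatever key `10.0.1.12:32222` presents — which on cox is a Docker `openssh-server` whose keys are generated inside the container. Add `programs.ssh.knownHosts."[10.0.1.12]:32222".publicKey = "ssh-ed25519 …";` with the key captured from the container after it first starts, and make sure the container persists its host keys. `initialize` and `pruneOpts` are absent; if the repository is created and pruned by hand, a comment saying so would help.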
@@ -0,0 +1,53 @@ +{ config, lib, pkgs, ... }: + +{ + imports = + [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ./acme.nix + ./backup.nix + ./drone.nix + ./home-assistant.nix + ./nextcloud.nix + ./wireguard.nix + + ./invoiceplane.nix + ./tang.nix + #./whiteboard.nix + ]; + + # Use the GRUB 2 boot loader. + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + boot.loader.grub.device = "/dev/disk/by-id/usb-HP_iLO_Internal_SD-CARD_000002660A01-0:0"; + + boot.loader.systemd-boot.enable = lib.mkForce false; + + time.timeZone = "Europe/Berlin"; + + networking = { + useDHCP = false; + + interfaces.eno1.ipv4.addresses = [{ + address = "80.244.242.2"; + prefixLength = 29; + }]; + + defaultGateway = "80.244.242.1"; + nameservers = [ "95.129.51.51" "80.244.244.244" ]; + }; + + services.openssh.ports = [ 2222 ]; + + networking.nat.enable = true; + networking.nat.internalIPs = [ "10.10.42.0/24" ]; + networking.nat.externalInterface = "eno1"; + + networking.firewall.allowedTCPPorts = [ 80 443 2222 ]; + networking.firewall.allowedUDPPorts = [ 51899 ]; + + networking.firewall.enable = lib.mkForce true; + + system.stateVersion = "21.05"; # Did you read the comment? +} diff --git a/hosts/cube/cube.nix b/hosts/cube/cube.nix new file mode 100644 index 00000000..2274383f --- /dev/null +++ b/hosts/cube/cube.nix @@ -0,0 +1,15 @@ +{ config, pkgs, lib, ... }: +with lib; +with pkgs; +let + psCfg = config.pub-solar; +in +{ + imports = [ + ./configuration.nix + ]; + + pub-solar.core.disk-encryption-active = false; + + networking.networkmanager.enable = lib.mkForce false; +} diff --git a/hosts/cube/default.nix b/hosts/cube/default.nix new file mode 100644 index 00000000..7834ef54 --- /dev/null +++ b/hosts/cube/default.nix @@ -0,0 +1,6 @@ +{ suites, ... }: +{ + imports = [ + ./cube.nix + ] ++ suites.cube; +} diff --git a/hosts/cube/drone.nix b/hosts/cube/drone.nix new file mode 100644 index 00000000..05a2ceb5 --- /dev/null 
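Review bot: `imports` lists `./tang.nix`, but no `hosts/cube/tang.nix` appears in this commit's file list, so evaluating the `cube` configuration at this commit fails unless that file already exists untracked; either add it or comment the line out the way `#./whiteboard.nix` is. `services.openssh.ports = [ 2222 ]` is reachable directly on the public `80.244.242.2` address alongside 80/443, so the sshd settings that matter (password authentication, root login) live in a profile not visible here — a one-line comment pointing at where they are set would help. `networking.nat.internalIPs = [ "10.10.42.0/24" ]` masquerades the container network through `eno1`, which gives the InvoicePlane container outbound internet access; a comment stating that is intended (or restricting it) would remove the ambiguity.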
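Review bot: `pub-solar.core.disk-encryption-active = false;` deserves a comment spelling out the consequence: agenix uses the host SSH key as its decryption identity by default, and on an unencrypted disk that key is plaintext, so every `cube_*.age` secret added in this commit (restic password, restic SSH key, drone runner config, InvoicePlane DB password) is recoverable from a disk image. If a Tang/Clevis unlock is planned, as the `./tang.nix` import in `configuration.nix` suggests, say so there, e.g. `# no passphrase possible on a remote box; see tang.nix — host key and all agenix secrets are at rest in clear until then`. The `with lib; with pkgs;` and the unused `psCfg` binding can be dropped.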
+++ b/hosts/cube/drone.nix @@ -0,0 +1,21 @@ +{ self, config, pkgs, ... }: + +{ + age.secrets.drone_exec_runner_config = { + file = "${self}/secrets/cube_drone_exec_runner_config.age"; + owner = "999"; + }; + + pub-solar.docker-ci-runner = { + enable = true; + enableKvm = true; + nixCacheLocation = "/mnt/internal/ci-cache-nix-store/nix"; + + runnerEnvironment = { + DRONE_RUNNER_CAPACITY = "1"; + DRONE_RUNNER_LABELS = "hosttype:baremetal"; + }; + + runnerVarsFile = "/run/agenix/drone_exec_runner_config"; + }; +} diff --git a/hosts/cube/hardware-configuration.nix b/hosts/cube/hardware-configuration.nix new file mode 100644 index 00000000..4cacc166 --- /dev/null +++ b/hosts/cube/hardware-configuration.nix @@ -0,0 +1,38 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "uhci_hcd" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + boot.extraModprobeConfig = "options kvm_intel nested=1"; + + fileSystems."/" = + { + device = "/dev/disk/by-uuid/715ef65c-6cb3-4455-99ed-fe7408935d00"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { + device = "/dev/disk/by-uuid/e76a2e82-bf17-4287-967c-bd0f16d16875"; + fsType = "ext2"; + }; + + fileSystems."/mnt/internal" = + { + device = "/dev/disk/by-uuid/3563f624-f8ed-4664-95d0-ca8b9db1c60a"; + fsType = "ext4"; + }; + + swapDevices = + [{ device = "/dev/disk/by-uuid/4b0b445b-ae72-439a-8aeb-cbd6a3ed73b9"; }]; +} diff --git a/hosts/cube/home-assistant.nix b/hosts/cube/home-assistant.nix new file mode 100644 index 00000000..e9b1d714 --- /dev/null +++ b/hosts/cube/home-assistant.nix 
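Review bot: `owner = "999"` is a bare numeric uid with no explanation; add a comment naming the account (presumably the uid the runner container runs as — confirm), since any host process or container running with uid 999 can read the runner config and its Drone secret. `DRONE_RUNNER_LABELS = "hosttype:baremetal"` together with `enableKvm = true` schedules CI jobs on the same box that hosts Nextcloud, InvoicePlane and the backup SSH key; a comment stating which Drone repositories may target this label, and whether `nixCacheLocation` on `/mnt/internal` is writable by those jobs, would document the trust boundary being accepted here.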
@@ -0,0 +1,19 @@ +{ self, pkgs, config, ... }: + +{ + # HTTP + services.nginx = { + virtualHosts."ha.gssws.de" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://10.0.1.254:8123"; + proxyWebsockets = true; + extraConfig = + "proxy_ssl_server_name on;" + + "proxy_pass_header Authorization;" + ; + }; + }; + }; +} diff --git a/hosts/cube/invoiceplane.nix b/hosts/cube/invoiceplane.nix new file mode 100644 index 00000000..e5a98e84 --- /dev/null +++ b/hosts/cube/invoiceplane.nix @@ -0,0 +1,53 @@ +{ self, config, pkgs, ... }: + +let + hostAddress = "10.10.42.1"; + serviceAddress = "10.10.42.11"; + + domain = "inv.gssws.de"; + hostStateDir = "/mnt/internal/invoiceplane"; + containerStateDir = "/var/lib/invoiceplane"; +in +{ + # nginx + services.nginx.virtualHosts."${domain}" = { + forceSSL = true; + enableACME = true; + locations = { + "/" = { + proxyPass = "http://${serviceAddress}:80"; + }; + }; + }; + + # invoiceplane + containers."invoiceplane" = { + privateNetwork = true; + hostAddress = "10.10.42.1"; + localAddress = serviceAddress; + + bindMounts."${containerStateDir}" = { + hostPath = hostStateDir; + isReadOnly = false; + }; + + config = { config, pkgs, ... }: { + networking.firewall.allowedTCPPorts = [ 80 ]; + + services.phpfpm.pools."invoiceplane-${domain}".phpOptions = '' + date.timezone = Europe/Berlin + ''; + services.caddy.virtualHosts."http://${domain}".listenAddresses = [ "0.0.0.0" ]; + + services.invoiceplane.sites."${domain}" = { + enable = true; + stateDir = containerStateDir; + + database = { + user = "invoiceplane"; + name = "invoiceplane"; + }; + }; + }; + }; +} diff --git a/hosts/cube/nextcloud-apps.nix b/hosts/cube/nextcloud-apps.nix new file mode 100644 index 00000000..ed23d7ac --- /dev/null +++ b/hosts/cube/nextcloud-apps.nix 
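Review bot: Both `extraConfig` directives are no-ops for this location: `proxy_ssl_server_name` only affects an `https://` upstream and `proxyPass` here is plain `http://`, and `proxy_pass_header Authorization` re-enables a header nginx never strips in the first place. Replace them with `recommendedProxySettings = true;`, which sets the `Host`/`X-Forwarded-*` headers Home Assistant needs behind a reverse proxy; the HA side presumably still needs `trusted_proxies` pointing at this host's `10.0.1.x` address — worth a comment. The upstream at `10.0.1.254:8123` is reached in clear text, which is fine only if that path is the WireGuard overlay; state that in a comment too.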
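Review bot: `containers."invoiceplane"` never sets `autoStart`, and NixOS containers default to `autoStart = false`, so after a reboot the container stays down and the `inv.gssws.de` vhost serves 502s until someone starts it by hand; add `autoStart = true;`. The let-binding `hostAddress = "10.10.42.1"` is defined but the attribute repeats the literal — use `inherit hostAddress;`. `secrets/cube_invoiceplane_db_password.age` is added in this commit but nothing here passes it to `services.invoiceplane.sites.<name>.database.passwordFile`; unless a file outside this view consumes it, either wire it in or drop the unused secret. Binding caddy to `0.0.0.0` is acceptable only because `privateNetwork = true`; a comment saying so would stop the line being copied to a non-container host.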
@@ -0,0 +1,98 @@ +{ self, pkgs, config, lib, ... }: + +{ + services.nextcloud.extraApps = { + "bookmarks" = pkgs.fetchzip { + sha256 = "sha256-sX/2cd0lw2/fHwFUG3WUJ6E0AUzPqELHWCcdOYIbFzA="; + url = "https://github.com/nextcloud/bookmarks/releases/download/v11.0.3/bookmarks-11.0.3.tar.gz"; + }; + "bruteforcesettings" = pkgs.fetchzip { + sha256 = "8Sev4B7AOzLGPX6a4in0BEXJ5oL6m2EYGuBExSCnfok="; + url = "https://github.com/nextcloud-releases/bruteforcesettings/releases/download/v2.4.0/bruteforcesettings-v2.4.0.tar.gz"; + }; + "calendar" = pkgs.fetchzip { + sha256 = "JBFujtDVRWn6ELl7fZU80go86/WLln5oRJTupTz9//s="; + url = "https://github.com/nextcloud-releases/calendar/releases/download/v3.5.0/calendar-v3.5.0.tar.gz"; + }; + "contacts" = pkgs.fetchzip { + sha256 = "eTc51pkg3OdHJB7X4/hD39Ce+9vKzw1nlJ7BhPOzdy0="; + url = "https://github.com/nextcloud-releases/contacts/releases/download/v4.2.2/contacts-v4.2.2.tar.gz"; + }; + "cookbook" = pkgs.fetchzip { + sha256 = "QBmzGtjH8vciUxiku1HGnWw0P0oCySilEWciLoslDAU="; + url = "https://github.com/nextcloud/cookbook/releases/download/v0.9.15/Cookbook-0.9.15.tar.gz"; + }; + "cospend" = pkgs.fetchzip { + sha256 = "Vtg7CVf8KxGbFk9ghTvy86xOh9PD7o/c2//2mqqHARA="; + url = "https://github.com/eneiluj/cospend-nc/releases/download/v1.4.10/cospend-1.4.10.tar.gz"; + }; + "deck" = pkgs.fetchzip { + sha256 = "hK+uI4Qolx37FYeY7m8BXheEIWp3I4cFooMUnpuVfOk="; + url = "https://github.com/nextcloud-releases/deck/releases/download/v1.7.1/deck-v1.7.1.tar.gz"; + }; + "files_accesscontrol" = pkgs.fetchzip { + sha256 = "D9hVQrOMPsyTBbr7B92aePzUOYpnNu5XnpqK4W86514="; + url = "https://github.com/nextcloud-releases/files_accesscontrol/releases/download/v1.14.1/files_accesscontrol-v1.14.1.tar.gz"; + }; + "files_automatedtagging" = pkgs.fetchzip { + sha256 = "MdS63VELoM7kGzjzbEKfcH1KqX98KyGvDEvLgwvVld0="; + url = "https://github.com/nextcloud-releases/files_automatedtagging/releases/download/v1.14.0/files_automatedtagging-v1.14.0.tar.gz"; + }; + 
"files_fulltextsearch" = pkgs.fetchzip { + sha256 = "+1asXhTn62fpUlIi+B9ALKdrXxaYYymfhxPTB+C5obM="; + url = "https://github.com/nextcloud-releases/files_fulltextsearch/releases/download/v24.0.1/files_fulltextsearch-v24.0.1.tar.gz"; + }; + "files_markdown" = pkgs.fetchzip { + sha256 = "vv/PVDlQOm7Rjhzv8KXxkGpEnyidrV2nsl+Z2fdAFLY="; + url = "https://github.com/icewind1991/files_markdown/releases/download/v2.3.6/files_markdown.tar.gz"; + }; + "files_mindmap" = pkgs.fetchzip { + sha256 = "gJK+XCWDc1jpHZBR0NL6UdHab9V/X/tRNmSw5tl751Q="; + url = "https://github.com/ACTom/files_mindmap/releases/download/v0.0.26/files_mindmap-0.0.26.tar.gz"; + }; + "fulltextsearch" = pkgs.fetchzip { + sha256 = "6uZhK4rItVqIJfEpOWxgmVXYsWMeHKxHQ8GY/g5Wj/s="; + url = "https://github.com/nextcloud-releases/fulltextsearch/releases/download/v24.0.0/fulltextsearch-v24.0.0.tar.gz"; + }; + "groupfolders" = pkgs.fetchzip { + sha256 = "99DqybcYR2tTSNFyZ6QtIQmd3XyHyFy2PL1fGsq48kQ="; + url = "https://github.com/nextcloud/groupfolders/releases/download/v12.0.2/groupfolders.tar.gz"; + }; + "impersonate" = pkgs.fetchzip { + sha256 = "XevbFa2Xyu0qAwtpvSd9CulsejrBj4AeIkV7GuWoOMw="; + url = "https://github.com/nextcloud-releases/impersonate/releases/download/v1.11.0/impersonate-v1.11.0.tar.gz"; + }; + "keeweb" = pkgs.fetchzip { + sha256 = "Fdx3+APQaJQ/uQH/gnkiPmsOqzX5GNJWjPfTyUobtfA="; + url = "https://github.com/jhass/nextcloud-keeweb/releases/download/v0.6.9/keeweb-0.6.9.tar.gz"; + }; + "maps" = pkgs.fetchzip { + sha256 = "2w7Mm+L9cHYq9BLpBpWhMv+V4h3OKCh68Cl6iHt65js="; + url = "https://github.com/nextcloud/maps/releases/download/v0.2.1/maps-0.2.1.tar.gz"; + }; + "news" = pkgs.fetchzip { + sha256 = "jbuqQJWLdE0olIaXLzjUEsPON4ZzMe9RKpH50HZZQsc="; + url = "https://github.com/nextcloud/news/releases/download/18.2.0/news.tar.gz"; + }; + "notes" = pkgs.fetchzip { + sha256 = "WdteA8pDSZ7ba+kngmveHC2KgzyLSB+PomFEZ7/uCC0="; + url = "https://github.com/nextcloud/notes/releases/download/v4.5.1/notes.tar.gz"; + }; + 
"quota_warning" = pkgs.fetchzip { + sha256 = "ugiz1/dhpRoL401h/u3fQykP5zBqVby3nhHfQwyIIIQ="; + url = "https://github.com/nextcloud-releases/quota_warning/releases/download/v1.14.0/quota_warning-v1.14.0.tar.gz"; + }; + "richdocuments" = pkgs.fetchzip { + sha256 = "4B0johygJOiC/nbXiW5KU+7hweCin//rUGfFprYzRQU="; + url = "https://github.com/nextcloud-releases/richdocuments/releases/download/v6.2.0/richdocuments-v6.2.0.tar.gz"; + }; + "tasks" = pkgs.fetchzip { + sha256 = "HMNd8U2KsSzT5xCKh/mA5GwIfYIcA6KTFVF3ca8xc2A="; + url = "https://github.com/nextcloud/tasks/releases/download/v0.14.4/tasks.tar.gz"; + }; + "twofactor_totp" = pkgs.fetchzip { + sha256 = "F7h2VytPLwkVZxJZd1o9pWuhndh02z3i0pOUw5kzBIU="; + url = "https://github.com/nextcloud-releases/twofactor_totp/releases/download/v6.4.0/twofactor_totp-v6.4.0.tar.gz"; + }; + }; +} diff --git a/hosts/cube/nextcloud.nix b/hosts/cube/nextcloud.nix new file mode 100644 index 00000000..025bf706 --- /dev/null +++ b/hosts/cube/nextcloud.nix 
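Review bot: The hash notation in `services.nextcloud.extraApps` is inconsistent — `bookmarks` uses the SRI form `sha256-…`, every other entry passes a bare base64 digest to `sha256`; both are accepted by `fetchzip`, but mixing them makes a bulk update or review harder, so normalise to one form (`hash = "sha256-…"`). Several entries (`files_markdown`, `groupfolders`, `news`, `notes`, `tasks`) download an unversioned asset name such as `notes.tar.gz`; the fixed-output hash still pins the content, so a re-tagged release fails the build instead of being picked up silently, and a header comment should say exactly that, e.g. `# Every app is pinned by content hash; a hash mismatch means upstream changed the asset, verify the release before updating the hash`, so nobody later "fixes" a mismatch by pasting the new hash unchecked.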
@@ -0,0 +1,155 @@ +{ self, pkgs, config, lib, ... }: + +{ + imports = [ + ./nextcloud-apps.nix + ]; + + age.secrets.nextcloud_db_pass = { + owner = "nextcloud"; + group = "nextcloud"; + file = "${self}/secrets/cube_nextcloud_db_pass.age"; + }; + + age.secrets.nextcloud_admin_pass = { + owner = "nextcloud"; + group = "nextcloud"; + file = "${self}/secrets/cube_nextcloud_admin_pass.age"; + }; + + # HTTP + services.nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; + virtualHosts."data.gssws.de" = { + enableACME = true; + forceSSL = true; + }; + }; + + # DATABASES + services.postgresql = { + enable = true; + package = pkgs.postgresql_11; + + settings = { + max_connections = "200"; + }; + + ensureDatabases = [ "nextcloud" ]; + ensureUsers = [ + { + name = "nextcloud"; + ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES"; + } + ]; + }; + + # REDIS + services.redis.servers = { + "nextcloud".enable = true; + }; + + users.groups."redis-nextcloud".members = [ "nextcloud" ]; + + # Collabora Code server + virtualisation.oci-containers.containers."nextcloud-collabora-code" = { + image = "collabora/code"; + autoStart = true; + ports = [ "127.0.0.1:9980:9980" ]; + environment.domain = "data\\.gssws\\.de"; + extraOptions = [ "--cap-add" "MKNOD" ]; + }; + + services.nginx.virtualHosts."office.gssws.de" = + let + proxyPass = "https://127.0.0.1:9980"; + extraConfig = "proxy_ssl_verify off;"; + in + { + enableACME = true; + forceSSL = true; + + locations."^~ /browser" = { + inherit proxyPass extraConfig; + }; + locations."^~ /hosting/discovery" = { + inherit proxyPass extraConfig; + }; + locations."^~ /hosting/capabilities" = { + inherit proxyPass extraConfig; + }; + locations."~ ^/cool/(.*)/ws''$" = { + inherit proxyPass extraConfig; + proxyWebsockets = true; + }; + locations."~ ^/(c|l)ool" = { + inherit proxyPass 
extraConfig; + }; + locations."^~ /cool/adminws" = { + inherit proxyPass extraConfig; + proxyWebsockets = true; + }; + }; + + # NEXTCLOUD + systemd.services."nextcloud-setup" = { + requires = [ "postgresql.service" ]; + after = [ "postgresql.service" ]; + }; + services.nextcloud = { + enable = true; + package = pkgs.nextcloud24; + hostName = "data.gssws.de"; + https = true; + datadir = "/mnt/internal/nextcloud"; + + caching.apcu = true; + caching.redis = true; + + phpPackage = lib.mkForce pkgs.php81; + + poolSettings = { + "pm" = "dynamic"; + "pm.max_children" = "128"; + "pm.start_servers" = "64"; + "pm.min_spare_servers" = "32"; + "pm.max_spare_servers" = "76"; + "pm.max_requests" = "500"; + }; + + phpOptions = { + short_open_tag = "Off"; + expose_php = "Off"; + error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT"; + display_errors = "stderr"; + "opcache.enable_cli" = "1"; + "opcache.interned_strings_buffer" = "32"; + "opcache.max_accelerated_files" = "100000"; + "opcache.memory_consumption" = "256"; + "opcache.revalidate_freq" = "1"; + "opcache.fast_shutdown" = "1"; + "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt"; + catch_workers_output = "yes"; + }; + + config = { + overwriteProtocol = "https"; + + dbtype = "pgsql"; + dbuser = "nextcloud"; + dbhost = "/run/postgresql"; + dbname = "nextcloud"; + dbpassFile = "/run/agenix/nextcloud_db_pass"; + adminpassFile = "/run/agenix/nextcloud_admin_pass"; + adminuser = "admin"; + + trustedProxies = [ "80.244.242.2" ]; + defaultPhoneRegion = "DE"; + }; + }; +} diff --git a/hosts/cube/wireguard.nix b/hosts/cube/wireguard.nix new file mode 100644 index 00000000..92b1ffd1 --- /dev/null +++ b/hosts/cube/wireguard.nix 
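Review bot: `sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"` replaces the nginx module's default AEAD-only cipher list with an OpenSSL group expression that also admits the CBC suites (e.g. ECDHE-RSA-AES256-SHA and the SHA-384 CBC variants), so `recommendedTlsSettings = true` no longer gives the hardened TLS 1.2 profile it suggests; unless a specific old client needs those suites, delete the override or pin an explicit AEAD list: `sslCiphers = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";`. The Collabora container `image = "collabora/code"` carries neither a tag nor a digest, so every pull can silently change the code that parses office documents for this Nextcloud; pin it as `image = "collabora/code:<version>@sha256:<digest>";`. `proxy_ssl_verify off;` toward 127.0.0.1:9980 is defensible for a loopback self-signed certificate but should say so in a comment, since the same snippet copied to a non-loopback upstream would be a real MITM hole.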
@@ -0,0 +1,63 @@
+{ self, config, pkgs, ... }:
+
+{
+ age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cube_wireguard_key.age";
+
+
+ systemd.services.wireguard-wg0.serviceConfig.Restart = "on-failure";
+ systemd.services.wireguard-wg0.serviceConfig.RestartSec = "5s";
+
+ # Enable WireGuard
+ networking.wireguard.interfaces = {
+ wg1 = {
+ # Determines the IP address and subnet of the client's end of the tunnel interface.
+ ips = [ "10.0.1.5" ];
+ listenPort = 51899; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+
+ # Path to the private key file.
+ #
+ # Note: The private key can also be included inline via the privateKey option,
+ # but this makes the private key world-readable; thus, using privateKeyFile is
+ # recommended.
+ privateKeyFile = "/run/agenix/home_controller_wireguard";
+
+ peers = [
+ # For a client configuration, one peer entry for the server will suffice.
+
+ {
+ # giggles
+ publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
+ allowedIPs = [ "10.0.1.11/32" ];
+
+ # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+ persistentKeepalive = 25;
+ }
+ {
+ # cox
+ publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
+ allowedIPs = [ "10.0.1.12/32" ];
+
+ # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+ persistentKeepalive = 25;
+ }
+ {
+ # companion
+ publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
+ allowedIPs = [ "10.0.1.13/32" ];
+
+ # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+ persistentKeepalive = 25;
+ }
+
+ {
+ # hsha
+ publicKey = "sC0wWHE/tvNaVYX3QQTHQUmSTTjZMOjkQ5x/qy6qjTc=";
+ allowedIPs = [ "10.0.1.254/32" ];
+
+ # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+}
diff --git a/hosts/falcone/configuration.nix b/hosts/falcone/configuration.nix
new file mode 100644
index 00000000..6383f78f
--- /dev/null
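Review bot: The restart overrides target `systemd.services.wireguard-wg0`, but the only interface declared in this file is `wg1`, so `wireguard-wg1.service` keeps the default of not restarting on failure and the override configures a unit that does not exist on this host; change both lines to `systemd.services.wireguard-wg1.serviceConfig.Restart = "on-failure";` and `systemd.services.wireguard-wg1.serviceConfig.RestartSec = "5s";`. The `listenPort` comment says 51899 is "to match firewall allowedUDPPorts", yet no `networking.firewall.allowedUDPPorts` appears in this file; hosts/giggles/home-controller.nix dials `data.gssws.de:51899`, so unless another module opens that port the peers cannot reach this server — add `networking.firewall.allowedUDPPorts = [ 51899 ];` here or a comment naming where it is opened.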
+++ b/hosts/falcone/configuration.nix 
@@ -0,0 +1,57 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ inputs, pkgs, builtins, config, lib, ... }: + +{ + imports = + [ + ./hardware-configuration.nix + ]; + + pub-solar.core.disk-encryption-active = false; + + boot.loader.timeout = lib.mkForce 0; + + boot.loader.generic-extlinux-compatible.enable = lib.mkForce false; + + boot.loader.grub = { + enable = lib.mkForce true; + efiSupport = true; + efiInstallAsRemovable = true; + device = "nodev"; + + extraInstallCommands = '' + cp -r ${inputs.nixpkgs-hensoko.packages.aarch64-linux.raspberrypi4_firmware_uefi}/share/raspberrypi4-firmware-uefi/* /boot/ + ''; + }; + + # Set your time zone. + time.timeZone = "Europe/Berlin"; + + # The global useDHCP flag is deprecated, therefore explicitly set to false here. + # Per-interface useDHCP will be mandatory in the future, so this generated config + # replicates the default behaviour. + networking.useDHCP = false; + networking.interfaces.eth0.useDHCP = true; + networking.interfaces.wlan0.useDHCP = false; + networking.networkmanager.enable = lib.mkForce false; + + boot.loader.systemd-boot.enable = lib.mkForce false; + + # Open ports in the firewall. + networking.firewall.allowedTCPPorts = [ 2380 6443 ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). 
+ system.stateVersion = "22.11"; # Did you read the comment? +} + diff --git a/hosts/falcone/default.nix b/hosts/falcone/default.nix new file mode 100644 index 00000000..86de5233 --- /dev/null +++ b/hosts/falcone/default.nix @@ -0,0 +1,6 @@ +{ suites, ... }: +{ + imports = [ + ./falcone.nix + ] ++ suites.falcone; +} diff --git a/hosts/falcone/falcone.nix b/hosts/falcone/falcone.nix new file mode 100644 index 00000000..ca873721 --- /dev/null +++ b/hosts/falcone/falcone.nix @@ -0,0 +1,16 @@ +{ config, pkgs, lib, ... }: +with lib; +let + psCfg = config.pub-solar; + xdg = config.home-manager.users."${psCfg.user.name}".xdg; +in +{ + imports = [ + ./configuration.nix + ]; + + config = { + boot.plymouth.enable = lib.mkForce false; + pub-solar.nextcloud.enable = lib.mkForce false; + }; +} diff --git a/hosts/falcone/hardware-configuration.nix b/hosts/falcone/hardware-configuration.nix new file mode 100644 index 00000000..8815265a --- /dev/null +++ b/hosts/falcone/hardware-configuration.nix 
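Review bot: `networking.firewall.allowedTCPPorts = [ 2380 6443 ]` opens the etcd peer port and the Kubernetes API on every interface, including `eth0`, on a host that also declares `pub-solar.core.disk-encryption-active = false` and shows no WireGuard configuration in this file; if these ports are for the k3s cluster that the other hosts reach over WireGuard (giggles is `role = "server"` on 10.0.1.11), restrict them to that interface with `networking.firewall.interfaces.<wg-interface>.allowedTCPPorts = [ 2380 6443 ];` instead of the global list. etcd peer traffic on 2380 in particular should not be reachable from the LAN. Nothing in this file starts a listener on either port, so a comment naming the component behind each (`# 2380 etcd peer, 6443 k3s API`) is needed to make the rule reviewable.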
@@ -0,0 +1,35 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + #boot.initrd.supportedFilesystems = [ "zfs" ]; + #boot.supportedFilesystems = [ "zfs" ]; + + #boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18; + + fileSystems."/" = + { device = "/dev/disk/by-label/NIXOS_SD"; + fsType = "ext4"; + }; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = false; + networking.interfaces.eth0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlan0.useDHCP = lib.mkDefault true; + + powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; +} diff --git a/hosts/giggles/configuration.nix b/hosts/giggles/configuration.nix new file mode 100644 index 00000000..5e8d9f36 --- /dev/null +++ b/hosts/giggles/configuration.nix 
@@ -0,0 +1,65 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, lib, ... }: + +{ + imports = + [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ./home-controller.nix + ]; + + boot.loader.timeout = 0; + + boot.loader.generic-extlinux-compatible.enable = lib.mkForce false; + + boot.loader.grub = { + enable = true; + efiSupport = true; + efiInstallAsRemovable = true; + device = "nodev"; + }; + + # Set your time zone. + time.timeZone = "Europe/Berlin"; + + # The global useDHCP flag is deprecated, therefore explicitly set to false here. + # Per-interface useDHCP will be mandatory in the future, so this generated config + # replicates the default behaviour. + networking.useDHCP = false; + networking.interfaces.eth0.useDHCP = true; + networking.interfaces.wlan0.useDHCP = false; + networking.networkmanager.enable = lib.mkForce false; + + boot.loader.systemd-boot.enable = lib.mkForce false; + + nix = { + #package = pkgs.nixFlakes; + extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes"; + }; + + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + vim + wget + ]; + + # Open ports in the firewall. + networking.firewall.allowedTCPPorts = [ 2380 6443 ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. 
+ # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "22.11"; # Did you read the comment? +} + diff --git a/hosts/giggles/default.nix b/hosts/giggles/default.nix new file mode 100644 index 00000000..ebce8516 --- /dev/null +++ b/hosts/giggles/default.nix @@ -0,0 +1,6 @@ +{ suites, ... }: +{ + imports = [ + ./giggles.nix + ] ++ suites.giggles; +} diff --git a/hosts/giggles/giggles.nix b/hosts/giggles/giggles.nix new file mode 100644 index 00000000..ca873721 --- /dev/null +++ b/hosts/giggles/giggles.nix @@ -0,0 +1,16 @@ +{ config, pkgs, lib, ... }: +with lib; +let + psCfg = config.pub-solar; + xdg = config.home-manager.users."${psCfg.user.name}".xdg; +in +{ + imports = [ + ./configuration.nix + ]; + + config = { + boot.plymouth.enable = lib.mkForce false; + pub-solar.nextcloud.enable = lib.mkForce false; + }; +} diff --git a/hosts/giggles/hardware-configuration.nix b/hosts/giggles/hardware-configuration.nix new file mode 100644 index 00000000..cfc5cf70 --- /dev/null +++ b/hosts/giggles/hardware-configuration.nix 
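Review bot: As on falcone, `networking.firewall.allowedTCPPorts = [ 2380 6443 ]` is global, so the etcd peer port and the k3s API are reachable on `eth0` and not only on the WireGuard address 10.0.1.11 that hosts/giggles/home-controller.nix assigns this `role = "server"` node; scope them to the tunnel interface via `networking.firewall.interfaces.<wg-interface>.allowedTCPPorts` and add a comment naming the listener, e.g. `# 2380 etcd peer, 6443 k3s API — only meant to be reached over WireGuard`. The `nix.extraOptions` line that enables flakes only when `config.nix.package == pkgs.nixFlakes` is fine but undocumented; one line on why the condition exists would save the next reader a detour.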
@@ -0,0 +1,61 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + boot.initrd.supportedFilesystems = [ "zfs" ]; + boot.supportedFilesystems = [ "zfs" ]; + + boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18; + + boot.initrd.luks.devices = { + cryptroot = { + device = "/dev/disk/by-uuid/ef5804e2-2b07-4434-8144-6ae7d9f615e2"; + keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04020116120721075123-0:0-part1"; + bypassWorkqueues = true; + fallbackToPassword = true; + }; + }; + + fileSystems."/" = + { + device = "zroot/root"; + fsType = "zfs"; + }; + + fileSystems."/boot" = + { + device = "/dev/disk/by-uuid/2F05-9B4A"; + fsType = "vfat"; + }; + + fileSystems."/var/lib/rancher/k3s/storage" = + { + device = "zroot/kubernetes-localstorage"; + fsType = "zfs"; + }; + + swapDevices = + [{ device = "/dev/disk/by-uuid/ddad2310-57b5-4851-a7bd-280d7182bcec"; }]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = false; + networking.interfaces.eth0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlan0.useDHCP = lib.mkDefault true; + networking.hostId = "71f2d82a"; + + powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; +} 
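Review bot: `boot.initrd.luks.devices.cryptroot.keyFile` points at a raw USB partition (`…Cruzer_Blade…-part1`) without `keyFileSize`/`keyFileOffset`, so cryptsetup is handed the whole partition as key material; NixOS documents `keyFileSize` for exactly this raw-device case, and without it the unlock depends on the partition staying byte-stable end to end and on cryptsetup's key-file size limit. Set `keyFileSize` to the length that was actually written when the key was generated and say so in a comment. Next to `fallbackToPassword = true` it is also worth stating that with the stick left in the box anyone who can power the device on gets an unattended unlock, so the encryption then only protects a disk that is removed on its own — the generated-file header says not to edit this file, so these hand-added settings should at least carry that note.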
diff --git a/hosts/giggles/home-controller.nix b/hosts/giggles/home-controller.nix
new file mode 100644
index 00000000..ac7cfc01
--- /dev/null
+++ b/hosts/giggles/home-controller.nix
@@ -0,0 +1,53 @@
+{ self, config, pkgs, ... }:
+
+{
+ config = {
+ age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
+ age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_giggles_wireguard_key.age";
+
+ pub-solar.home-controller = {
+ enable = true;
+ role = "server";
+ ownIp = "10.0.1.11";
+
+ k3s = {
+ enableLocalStorage = true;
+ enableZfs = true;
+ };
+
+ wireguard = {
+ privateKeyFile = "/run/agenix/home_controller_wireguard";
+ peers = [
+ {
+ # cube
+ publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk=";
+ allowedIPs = [ "10.0.1.5/32" ];
+ endpoint = "data.gssws.de:51899";
+ persistentKeepalive = 25;
+ }
+ {
+ # cox
+ publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
+ allowedIPs = [ "10.0.1.12/32" ];
+ endpoint = "cox.local:51899";
+ persistentKeepalive = 25;
+ }
+ {
+ # companion
+ publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
+ allowedIPs = [ "10.0.1.13/32" ];
+ endpoint = "companion.local:51899";
+ persistentKeepalive = 25;
+ }
+ {
+ # ringo
+ publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw=";
+ allowedIPs = [ "10.0.1.21/32" ];
+ endpoint = "ringo.local:51899";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+ };
+}
diff --git a/hosts/harrison/.config/sway/config.d/screens.conf b/hosts/harrison/.config/sway/config.d/screens.conf
new file mode 100644
index 00000000..e3d66c29
--- /dev/null
+++ b/hosts/harrison/.config/sway/config.d/screens.conf
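Review bot: The peer endpoints `cox.local`, `companion.local` and `ringo.local` are mDNS names, which the WireGuard unit presumably resolves once when the interface is brought up; if the resolver is not answering at that moment the whole interface unit fails rather than just that peer, so this is a boot-order dependency that should be written down. Since WireGuard authenticates each peer by `publicKey` and every `allowedIPs` here is a single /32, a spoofed `.local` answer can only block the handshake, not impersonate a node — that reasoning belongs in a comment so nobody later "hardens" it the wrong way: `# .local endpoints are mDNS; a forged answer only denies the handshake, peers are authenticated by publicKey`.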
@@ -0,0 +1,19 @@
+set $left 'Dell Inc. DELL S2721DS D0SVQ43'
+set $middle 'Samsung Electric Company SMBX2450L 0x00003231'
+set $right 'Eizo Nanao Corporation EV2316W 39117013'
+
+output $left {
+ scale 1
+ pos 0 0
+ transform 270
+}
+
+output $middle {
+ scale 1
+ pos 1440 1150
+}
+
+output $right {
+ scale 1
+ pos 3360 1150
+}
diff --git a/hosts/harrison/configuration.nix b/hosts/harrison/configuration.nix
new file mode 100644
index 00000000..c0d7e06c
--- /dev/null
+++ b/hosts/harrison/configuration.nix
@@ -0,0 +1,49 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, lib, ... }: + +{ + imports = + [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; + + # Set your time zone. + time.timeZone = "Europe/Berlin"; + time.hardwareClockInLocalTime = true; # easiest quirk for windows time offset feature + + # The global useDHCP flag is deprecated, therefore explicitly set to false here. + # Per-interface useDHCP will be mandatory in the future, so this generated config + # replicates the default behaviour. + networking.dhcpcd.wait = "background"; + networking.useDHCP = false; + networking.interfaces.eno1 = { + useDHCP = true; + wakeOnLan = { + enable = true; + }; + }; + networking.networkmanager.enable = lib.mkForce false; + + nixpkgs.config.allowUnsupportedSystem = true; + + # List services that you want to enable: + + # Open ports in the firewall. + networking.firewall.allowedTCPPorts = [ 22 ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "21.05"; # Did you read the comment? +} + diff --git a/hosts/harrison/default.nix b/hosts/harrison/default.nix new file mode 100644 index 00000000..a1d958f0 --- /dev/null +++ b/hosts/harrison/default.nix 
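Review bot: `wakeOnLan.enable = true` on `eno1` together with the global `networking.firewall.allowedTCPPorts = [ 22 ]` means any host on the LAN can power this workstation on with an unauthenticated magic packet and then reach SSH; hosts/harrison/hardware-configuration.nix additionally unlocks `cryptroot` from a USB key file with `fallbackToPassword`, so if the stick is left plugged in the disk is decrypted with nobody at the console. That may be the intended convenience, but it should be written down next to the WoL block: `# WoL + USB LUKS key: a magic packet from the LAN boots and unlocks this machine unattended`. Port 22 in the global list is also redundant if a suite enables `services.openssh` with `openFirewall`; if it does not, prefer opening the port there so it follows the service rather than living in a host file.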
@@ -0,0 +1,6 @@
+{ suites, ... }:
+{
+ imports = [
+ ./harrison.nix
+ ] ++ suites.harrison;
+}
diff --git a/hosts/harrison/hardware-configuration.nix b/hosts/harrison/hardware-configuration.nix
new file mode 100644
index 00000000..3863bc96
--- /dev/null
+++ b/hosts/harrison/hardware-configuration.nix
@@ -0,0 +1,70 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "usb_storage" "usbhid" "sd_mod" "raid1" ]; + boot.initrd.kernelModules = [ "dm-snapshot" ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + boot.initrd.luks.devices."cryptroot" = { + device = "/dev/disk/by-uuid/e3a0394d-8bb5-4049-bf65-90d7202163cd"; + keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04011806021722115743-0:0-part1"; + fallbackToPassword = true; + bypassWorkqueues = true; + }; + + boot.loader.systemd-boot.enable = lib.mkForce false; + boot.loader.efi = { + canTouchEfiVariables = true; + efiSysMountPoint = "/boot"; + }; + boot.loader.grub = { + efiSupport = true; + enable = lib.mkForce true; + extraEntries = '' + menuentry "Windows" { + insmod part_gpt + insmod fat + insmod search_fs_uuid + insmod chain + search --fs-uuid --set=root 02DB-F12C + chainloader /efi/Microsoft/Boot/bootmgfw.efi + } + ''; + devices = [ "nodev" ]; + }; + + + fileSystems = { + "/" = + { + device = "/dev/disk/by-uuid/4ad4db6d-543e-4cc5-a781-396e3b527a05"; + fsType = "ext4"; + }; + + "/boot" = + { + device = "/dev/disk/by-uuid/4B4A-B1B4"; + fsType = "vfat"; + }; + + "/boot2" = + { + device = "/dev/disk/by-uuid/4B2C-385A"; + fsType = "vfat"; + }; + }; + + swapDevices = + [{ device = "/dev/mapper/vg0-swap"; }]; + + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/harrison/harrison.nix b/hosts/harrison/harrison.nix new file mode 100644 index 00000000..e1caa704 --- /dev/null +++ b/hosts/harrison/harrison.nix 
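Review bot: The `cryptroot` `keyFile` is a raw USB partition without `keyFileSize`/`keyFileOffset`, so the entire partition is fed to cryptsetup as key material; set `keyFileSize` to the length that was actually written and document it, otherwise a partition that is later resized or rewritten stops unlocking and the only way back in is the fallback passphrase. `canTouchEfiVariables = true` without `efiInstallAsRemovable` means grub writes a boot entry into NVRAM here, while falcone and giggles use `efiInstallAsRemovable = true`; that is fine for a fixed desktop, but a one-line comment on why this host differs would keep the next `nixos-generate-config` run from "fixing" it.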
@@ -0,0 +1,28 @@
+{ config, pkgs, lib, ... }:
+with lib;
+with pkgs;
+let
+ psCfg = config.pub-solar;
+in
+{
+ imports = [
+ ./configuration.nix
+ ];
+
+ config = {
+ boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+
+ home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable {
+ "sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf;
+ };
+
+ pub-solar.paranoia.enable = true;
+ pub-solar.nextcloud.enable = true;
+
+ programs.ausweisapp.enable = true;
+ services.pcscd = {
+ enable = true;
+ plugins = [ pkgs.pcsc-cyberjack ];
+ };
+ };
+}
diff --git a/hosts/norman/.config/sway/config.d/custom-keybindings.conf b/hosts/norman/.config/sway/config.d/custom-keybindings.conf
new file mode 100644
index 00000000..a2938d77
--- /dev/null
+++ b/hosts/norman/.config/sway/config.d/custom-keybindings.conf
@@ -0,0 +1,16 @@ +# Screen brightness controls +bindsym XF86MonBrightnessUp exec "brightnessctl -d intel_backlight set +10%; notify-send $(brightnessctl -d intel_backlight i | awk '/Current/ {print $4}')" +bindsym XF86MonBrightnessDown exec "brightnessctl -d intel_backlight set 10%-; notify-send $(brightnessctl -d intel_backlight i | awk '/Current/ { print $4}')" + +# Keyboard backlight brightness controls +bindsym XF86KbdBrightnessDown exec "brightnessctl -d smc::kbd_backlight set 10%-; notify-send $(brightnessctl -d smc::kbd_backlight i | awk '/Current/ { print $4}')" +bindsym XF86KbdBrightnessUp exec "brightnessctl -d smc::kbd_backlight set +10%; notify-send $(brightnessctl -d smc::kbd_backlight i | awk '/Current/ { print $4}')" + +# Pulse Audio controls +bindsym XF86AudioRaiseVolume exec pactl set-sink-volume @DEFAULT_SINK@ +5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 && notify-send 'Vol. up' #increase sound volume +bindsym XF86AudioLowerVolume exec pactl set-sink-volume @DEFAULT_SINK@ -5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 && notify-send 'Vol. down' #decrease sound volume +bindsym XF86AudioMute exec pactl set-sink-mute @DEFAULT_SINK@ toggle && notify-send 'Mute sound' # mute sound +# Media player controls +bindsym XF86AudioPlay exec "playerctl play-pause; notify-send 'Play/Pause'" +bindsym XF86AudioNext exec "playerctl next; notify-send 'Next'" +bindsym XF86AudioPrev exec "playerctl previous; notify-send 'Prev.'" diff --git a/hosts/norman/.config/sway/config.d/screens.conf b/hosts/norman/.config/sway/config.d/screens.conf new file mode 100644 index 00000000..13b97991 --- /dev/null +++ b/hosts/norman/.config/sway/config.d/screens.conf @@ -0,0 +1,18 @@ +set $left 'Dell Inc. DELL S2721DS D0SVQ43' +set $middle 'Eizo Nanao Corporation EV2316W 39117013' +set $right 'Chimei Innolux Corporation 0x14D4' + +output $left { + scale 1 + pos 0 0 +} + +output $middle { + scale 1 + pos 2560 770 +} + +output $right { + scale 1 + pos 1000 1440 +} 
diff --git a/hosts/norman/configuration.nix b/hosts/norman/configuration.nix
new file mode 100644
index 00000000..099cc583
--- /dev/null
+++ b/hosts/norman/configuration.nix
@@ -0,0 +1,63 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, ... }: + +{ + imports = + [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ./wireguard.nix + ]; + + # Set your time zone. + time.timeZone = "Europe/Berlin"; + + # The global useDHCP flag is deprecated, therefore explicitly set to false here. + # Per-interface useDHCP will be mandatory in the future, so this generated config + # replicates the default behaviour. + networking.firewall = { + allowedUDPPorts = [ + 51820 + 51821 + ]; # Clients and peers can use the same port, see listenport + }; + + hardware.nitrokey.enable = true; + + programs.gnupg.agent = { + enable = true; + enableSSHSupport = true; + }; + + services.tlp = { + enable = true; + settings = { + CPU_SCALING_GOVERNOR_ON_BAT = "powersave"; + CPU_SCALING_GOVERNOR_ON_AC = "performance"; + + # The following prevents the battery from charging fully to + # preserve lifetime. Run `tlp fullcharge` to temporarily force + # full charge. + # https://linrunner.de/tlp/faq/battery.html#how-to-choose-good-battery-charge-thresholds + START_CHARGE_THRESH_BAT0 = 40; + STOP_CHARGE_THRESH_BAT0 = 80; + + # 100 being the maximum, limit the speed of my CPU to reduce + # heat and increase battery usage: + CPU_MAX_PERF_ON_AC = 100; + CPU_MAX_PERF_ON_BAT = 30; + }; + }; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). 
+ system.stateVersion = "21.11"; # Did you read the comment? +} + diff --git a/hosts/norman/default.nix b/hosts/norman/default.nix new file mode 100644 index 00000000..20216667 --- /dev/null +++ b/hosts/norman/default.nix @@ -0,0 +1,6 @@ +{ suites, ... }: +{ + imports = [ + ./norman.nix + ] ++ suites.norman; +} diff --git a/hosts/norman/hardware-configuration.nix b/hosts/norman/hardware-configuration.nix new file mode 100644 index 00000000..158f6cb9 --- /dev/null +++ b/hosts/norman/hardware-configuration.nix @@ -0,0 +1,46 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = [ ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usbhid" "uas" "sdhci_pci" ]; + boot.initrd.kernelModules = [ "dm-snapshot" ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + boot.loader.grub.trustedBoot = { + enable = true; + systemHasTPM = "YES_TPM_is_activated"; + }; + + boot.initrd.luks.devices."cryptroot" = { + device = "/dev/disk/by-uuid/cdc29f0f-5b18-4ee7-8d38-1f4bac80b1e6"; + bypassWorkqueues = true; + }; + + fileSystems."/" = + { + device = "/dev/disk/by-uuid/5b441f8f-d7eb-44f8-8df2-7354b3314a61"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { + device = "/dev/disk/by-uuid/84CD-91B6"; + fsType = "vfat"; + }; + + swapDevices = + [{ device = "/dev/disk/by-uuid/54162798-9017-4b59-afd7-ab9578da4bb9"; }]; + + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + + hardware.trackpoint = { + enable = true; + device = "TPPS/2 ALPS TrackPoint"; + emulateWheel = true; + }; +} diff --git a/hosts/norman/norman.nix b/hosts/norman/norman.nix new file mode 100644 index 00000000..b85d4c6e --- /dev/null +++ b/hosts/norman/norman.nix 
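Review bot: `boot.loader.grub.trustedBoot.enable = true` turns on TrustedGRUB2, which extends TPM PCRs with measurements of the boot chain, but nothing visible consumes those measurements — `cryptroot` has no `keyFile` and there is no sealing or attestation step — so as configured this is a boot-time measurement log, not a guarantee that a tampered kernel or initrd is refused. Either document that limitation next to the option, e.g. `# TrustedGRUB2 only measures into the TPM; the LUKS passphrase is still prompted and nothing verifies the PCRs yet`, or add the component that checks them. As far as I know TrustedGRUB2 is BIOS-only, so `systemHasTPM = "YES_TPM_is_activated"` must stay consistent with how grub is installed for this host, which is not visible in this file.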
@@ -0,0 +1,22 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+ psCfg = config.pub-solar;
+ xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in
+{
+ imports = [
+ ./configuration.nix
+ ];
+
+ config = {
+ boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+
+ pub-solar.audio.bluetooth.enable = false;
+
+ home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable {
+ "sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf;
+ "sway/config.d/10-custom-keybindings.conf".source = ./.config/sway/config.d/custom-keybindings.conf;
+ };
+ };
+}
diff --git a/hosts/norman/wireguard.nix b/hosts/norman/wireguard.nix
new file mode 100644
index 00000000..0460b1f5
--- /dev/null
+++ b/hosts/norman/wireguard.nix
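Review bot: The `xdg` binding in the `let` of hosts/norman/norman.nix is never used — the body only references `psCfg` — and `with lib;` pulls the whole library into scope for a single `mkIf`. Drop the dead binding and qualify the one call, i.e. `let psCfg = config.pub-solar; in` and `... .xdg.configFile = lib.mkIf psCfg.sway.enable {`. The same unused `xdg` binding (and an unused `with lib;`) appears in hosts/ringo/ringo.nix and hosts/surfplace/surfplace.nix.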
@@ -0,0 +1,94 @@
+{ config, pkgs, ... }:
+
+{
+ systemd.services.wireguard-wg0.serviceConfig.Restart = "on-failure";
+ systemd.services.wireguard-wg0.serviceConfig.RestartSec = "5s";
+ systemd.services.wireguard-wg1.serviceConfig.Restart = "on-failure";
+ systemd.services.wireguard-wg1.serviceConfig.RestartSec = "5s";
+
+ # Enable WireGuard
+ networking.wireguard.interfaces = {
+ # "wg0" is the network interface name. You can name the interface arbitrarily.
+ wg0 = {
+ # Determines the IP address and subnet of the client's end of the tunnel interface.
+ ips = [
+ "10.0.0.13/32"
+ "fc00:200::13/128"
+ ];
+ listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+
+ # Path to the private key file.
+ #
+ # Note: The private key can also be included inline via the privateKey option,
+ # but this makes the private key world-readable; thus, using privateKeyFile is
+ # recommended.
+ privateKeyFile = "/home/hensoko/.config/wireguard/hosting-de.private";
+
+ peers = [
+ # For a client configuration, one peer entry for the server will suffice.
+
+ {
+ # Public key of the server (not a file path).
+ publicKey = "02/MRPduMGx1as7yS4G7GpL4+pQjsjpyS/tD9iPu8X0=";
+
+ # Forward all the traffic via VPN.
+ allowedIPs = [
+ "10.0.0.0/24"
+ "192.168.50.0/24"
+ "192.168.200.0/24"
+ "10.20.30.0/24"
+ "10.20.50.0/24"
+ "fc00:200::/120"
+ "95.129.51.5"
+ "95.129.54.43"
+ "134.0.28.89"
+ "134.0.27.108"
+ "134.0.25.181"
+ ];
+
+ # Set this to the server IP and port.
+ endpoint = "134.0.30.154:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
+
+ # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ wg1 = {
+ # Determines the IP address and subnet of the client's end of the tunnel interface.
+ ips = [
+ "10.7.0.21"
+ ];
+ listenPort = 51821; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+
+ # Path to the private key file.
+ #
+ # Note: The private key can also be included inline via the privateKey option,
+ # but this makes the private key world-readable; thus, using privateKeyFile is
+ # recommended.
+ privateKeyFile = "/home/hensoko/.config/wireguard/data-gssws-de.private";
+
+ peers = [
+ # For a client configuration, one peer entry for the server will suffice.
+
+ {
+ # Public key of the server (not a file path).
+ publicKey = "RwMocdha7fyx+MGTtQpZhZQGJY4WU79YgpspYBclK3c=";
+
+ # Forward all the traffic via VPN.
+ allowedIPs = [
+ "10.7.0.0/24"
+ ];
+
+ # Set this to the server IP and port.
+ endpoint = "80.244.242.2:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
+
+ # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+ persistentKeepalive = 25;
+ }
+ ];
+
+ };
+ };
+}
+
diff --git a/hosts/ringo/configuration.nix b/hosts/ringo/configuration.nix
new file mode 100644
index 00000000..5a57fe2d
--- /dev/null
+++ b/hosts/ringo/configuration.nix
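Review bot: Both interfaces in hosts/norman/wireguard.nix read their private key from `/home/hensoko/.config/wireguard/*.private`, a path under an unprivileged user's home, while the wireguard-wg0/wg1 units run as root; any process running as that user can read the key and impersonate this host to both servers, and the file sits outside the agenix scheme the rest of this commit uses (`/run/agenix/...` in hosts/ringo/home-controller.nix). Provision the two keys through `age.secrets` and point `privateKeyFile` at `/run/agenix/<secret-name>` so they are root-only at runtime and encrypted in the repo. Separately, the `# Forward all the traffic via VPN.` comment above each `allowedIPs` list is wrong — the lists are specific prefixes and single hosts, not 0.0.0.0/0 — so reword it to `# Split tunnel: only these prefixes/hosts are routed through the interface.`. The `# ToDo: route to endpoint ...` comment on `endpoint` should state what is still unresolved instead of just carrying two links.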
@@ -0,0 +1,35 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+ imports =
+ [
+ ./hardware-configuration.nix
+ ./home-controller.nix
+ ];
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ # Set your time zone.
+ time.timeZone = "Europe/Berlin";
+
+ # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+ # Per-interface useDHCP will be mandatory in the future, so this generated config
+ # replicates the default behaviour.
+ networking.useDHCP = false;
+ networking.interfaces.enp0s25.useDHCP = true;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "21.11"; # Did you read the comment?
+}
+
diff --git a/hosts/ringo/default.nix b/hosts/ringo/default.nix
new file mode 100644
index 00000000..ff5a8251
--- /dev/null
+++ b/hosts/ringo/default.nix
@@ -0,0 +1,6 @@
+{ suites, ... }:
+{
+ imports = [
+ ./ringo.nix
+ ] ++ suites.ringo;
+}
diff --git a/hosts/ringo/hardware-configuration.nix b/hosts/ringo/hardware-configuration.nix
new file mode 100644
index 00000000..d16bc928
--- /dev/null
+++ b/hosts/ringo/hardware-configuration.nix
@@ -0,0 +1,43 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports = [ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "sdhci_pci" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ boot.initrd.luks.devices."cryptroot" = {
+ device = "/dev/disk/by-uuid/bd1ebf98-adc1-4868-842f-3d2c6ee04e13";
+ keyFile = "/dev/disk/by-partuuid/9ff6ebf7-01";
+ fallbackToPassword = true;
+ bypassWorkqueues = true;
+ };
+
+ fileSystems."/" =
+ {
+ device = "/dev/disk/by-uuid/1999ec2e-4564-4f5a-8333-6eb23ae03c8b";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ {
+ device = "/dev/disk/by-uuid/47ED-2F0B";
+ fsType = "vfat";
+ };
+
+ fileSystems."/home" =
+ {
+ device = "/dev/disk/by-uuid/69c89392-be11-4bd4-8f3b-6b7db20c716e";
+ fsType = "ext4";
+ };
+
+ swapDevices =
+ [{ device = "/dev/disk/by-uuid/4ef0cdbc-38f4-4dcb-8fe8-553bbdb06192"; }];
+
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/ringo/home-controller.nix b/hosts/ringo/home-controller.nix
new file mode 100644
index 00000000..3f679ba4
--- /dev/null
+++ b/hosts/ringo/home-controller.nix
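Review bot: The `cryptroot` entry in hosts/ringo/hardware-configuration.nix unlocks the root from a raw partition, `keyFile = "/dev/disk/by-partuuid/9ff6ebf7-01"`, with `fallbackToPassword = true`, and nothing says what that partition is or that holding it is equivalent to knowing the passphrase. Add a comment above `keyFile` such as `# Raw key partition (presumably a removable USB stick — confirm); whoever holds it can open cryptroot, so it must stay with the owner. fallbackToPassword keeps a passphrase prompt for boots without it.` If only a prefix of that partition is meant to be the key, `keyFileSize` should pin the byte count so later writes to the rest of the partition cannot change what is read as the key.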
@@ -0,0 +1,43 @@
+{ self, config, pkgs, ... }:
+
+{
+ config = {
+ age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
+ age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_ringo_wireguard_key.age";
+
+ pub-solar.home-controller = {
+ enable = true;
+ role = "agent";
+ ownIp = "10.0.1.21";
+
+ k3s = {
+ serverAddr = "https://api.kube:6443";
+ tokenFile = "/run/agenix/home_controller_k3s_token";
+ };
+
+ wireguard = {
+ privateKeyFile = "/run/agenix/home_controller_wireguard";
+ peers = [
+ {
+ # giggles
+ publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
+ allowedIPs = [ "10.0.1.11/32" ];
+ endpoint = "giggles.local:51899";
+ }
+ {
+ # cox
+ publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
+ allowedIPs = [ "10.0.1.12/32" ];
+ endpoint = "cox.local:51899";
+ }
+ {
+ # companion
+ publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
+ allowedIPs = [ "10.0.1.13/32" ];
+ endpoint = "companion.local:51899";
+ }
+ ];
+ };
+ };
+ };
+}
diff --git a/hosts/ringo/ringo.nix b/hosts/ringo/ringo.nix
new file mode 100644
index 00000000..00fea36d
--- /dev/null
+++ b/hosts/ringo/ringo.nix
@@ -0,0 +1,13 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+ psCfg = config.pub-solar;
+ xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in
+{
+ imports = [
+ ./configuration.nix
+ ];
+
+ config.pub-solar.core.lite = true;
+}
diff --git a/hosts/surfplace/configuration.nix b/hosts/surfplace/configuration.nix
new file mode 100644
index 00000000..a1557124
--- /dev/null
+++ b/hosts/surfplace/configuration.nix
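Review bot: The three peer `endpoint`s in hosts/ringo/home-controller.nix are mDNS names (`giggles.local:51899`, `cox.local:51899`, `companion.local:51899`), so the tunnel can only come up once this host resolves `.local` — nothing in this hunk enables that, and the k3s `serverAddr = "https://api.kube:6443"` has the same unstated resolver dependency. Presumably the pub-solar.home-controller module or a suite turns on mDNS resolution, but that is invisible here and a resolver failure at boot looks like a silent WireGuard outage. A comment on the `peers` list would save the next reader the hunt: `# endpoints are mDNS (.local) names; needs mDNS NSS resolution on this host (provided by <module — confirm>), handshakes fail until it is up.`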
@@ -0,0 +1,32 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ inputs, pkgs, builtins, config, lib, ... }:
+
+{
+ imports =
+ [
+ ./hardware-configuration.nix
+ ];
+
+ time.timeZone = "Europe/Berlin";
+
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.networkmanager.enable = true;
+
+ #boot.loader.systemd-boot.enable = lib.mkForce false;
+
+ # Enable the OpenSSH daemon.
+ services.openssh.enable = true;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "22.11"; # Did you read the comment?
+}
diff --git a/hosts/surfplace/default.nix b/hosts/surfplace/default.nix
new file mode 100644
index 00000000..9bb6c4af
--- /dev/null
+++ b/hosts/surfplace/default.nix
@@ -0,0 +1,6 @@
+{ suites, ... }:
+{
+ imports = [
+ ./surfplace.nix
+ ] ++ suites.surfplace;
+}
diff --git a/hosts/surfplace/hardware-configuration.nix b/hosts/surfplace/hardware-configuration.nix
new file mode 100644
index 00000000..f4dd05c7
--- /dev/null
+++ b/hosts/surfplace/hardware-configuration.nix
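Review bot: The module header `{ inputs, pkgs, builtins, config, lib, ... }:` in hosts/surfplace/configuration.nix asks for `builtins` as a module argument, which shadows the Nix global; it is harmless today only because the module system binds requested arguments lazily and nothing in the body uses it, but the first `builtins.x` written in this file will fail with a confusing missing-argument error. None of `inputs`, `builtins`, `config` or `lib` is used, so reduce the header to `{ pkgs, ... }:` (or `{ config, pkgs, ... }:` as the sibling hosts do) and delete the dead `#boot.loader.systemd-boot.enable = lib.mkForce false;` line. `services.openssh.enable = true;` is added with no visible hardening; if `passwordAuthentication`/`permitRootLogin` are set by a suite, a comment saying so would help, otherwise set them here.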
@@ -0,0 +1,44 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.extraModulePackages = [ config.boot.kernelPackages.rtl88x2bu ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-label/root";
+ fsType = "ext4";
+ encrypted = {
+ enable = true;
+ label = "cryptroot";
+ blkDev = "/dev/disk/by-uuid/77829967-0c52-4a52-a65c-cfc093d18776";
+ };
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/2697-F70A";
+ fsType = "vfat";
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-label/swap"; }
+ ];
+
+ powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+ hardware.video.hidpi.enable = lib.mkDefault true;
+
+ systemd.services."iptsd" = {
+ serviceConfig = {
+ RestartAfter = "5s";
+ };
+ };
+}
diff --git a/hosts/surfplace/surfplace.nix b/hosts/surfplace/surfplace.nix
new file mode 100644
index 00000000..517c4c9a
--- /dev/null
+++ b/hosts/surfplace/surfplace.nix
@@ -0,0 +1,11 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+ psCfg = config.pub-solar;
+ xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in
+{
+ imports = [
+ ./configuration.nix
+ ];
+}
diff --git a/modules/core/bluetooth.nix b/modules/core/bluetooth.nix
new file mode 100644
index 00000000..e69de29b
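Review bot: `RestartAfter = "5s"` in the `iptsd` unit of hosts/surfplace/hardware-configuration.nix is not a systemd [Service] directive; systemd logs an unknown-key warning and ignores it, and because `Restart=` is not set either the unit will never be restarted. The intended pair is the one hosts/norman/wireguard.nix already uses: `Restart = "on-failure";` and `RestartSec = "5s";`. A one-line comment on why iptsd needs a restart policy on this machine (presumably the touch daemon flapping at boot — confirm) would make the override self-explanatory.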
diff --git a/secrets/cube_drone_exec_runner_config.age b/secrets/cube_drone_exec_runner_config.age new file mode 100644 index 0000000000000000000000000000000000000000..0602c1a83d1846d28000582a45d9223e5aa1b6e6 GIT binary patch literal 1126 zcmZXS%ZuX#0LEo6Lcm3LS=SeCWfoVAHEG&BDx=Um+9qkzrfJfqf|4d}9&MB6*)+Se zi-L@Z-~;i&vg=_EyMm&4@gkxy2!cBbgSZ|9y(o&H;LJ$`>tQbX4}3qq@Av7}xH$HV zaJ7gX-+R;#EhsGk#U~0;WEaOKf}*8r!S1XaZdpKNkZP~$1B@|(<+PReRWX3HHkuPW zIECkgtqdZU3(bbg07)AhLsK2eg}7ykb5liVYI3*kMEYqW8gkJAL~cN>1os~Zl=gxwN9V1Z~2&1+t-AC^k2D|BX+ zY(;xY}&{1(2L}Yn@>#*jmGP@~b0@c(q$***QiQOWIbTpoY+H@|Zlgc3S{Y+#C*rU7p zfH#%C=2}VEs&cH5Nkbo(Mw2oRDnk$^^^OG$v;`c3^*$-YCe8_9lW6o?0bLPP3Dw}P z-mA)-Z|RQ9G(wy~5SLgN0$0;i{%==_t(>Fonc4IImgl&xQ#X`TLfEn znv*34z(L&;#4-ejQ6;iFyV^XWkU|se@~8yOeiV2fcCeyBc=!!yBKUyL$5E zwLf=0dhg@y4ef>Whxa#LC5q2l`2OBgpYHq`--;Z3|I(Fvk8MBs$c1BpvnpTz=J3j< zbmDN^d+sc}slWBd;XA ssh-ed25519 hPyiJw YnfnbbrYnmZj+Sp7IzNko2UN++D+5RPRKUO4s9BJYm0 +250etp+3Xk98f3p464gytQzuOUZtmb0wp2weOOr3TKs +-> ssh-ed25519 YFSOsg Ugqj12V4oVALYruVs2gAvdmX7FPj8bXhw6rADRIQCTA +HL2RU0FMjuVUnNr0NjFYya19D77biMTjY0NUNXw+X5k +-> ssh-rsa 42S2Dw +C0Kwv29evJTIMvtQJt7t3qBaFC6kKd2KXLiQt9PLdotVirMilNxTBAahgPPf5+Wh +vpykEhQdnPGRITlxRLHQARVtwr0sERTi3KSdU5w2FSoAbMx7MoMpct/OvT32UTI5 +atUpIbZRKiVaCNvgdMBYYuHzbndaZ1xiuUkm+TH+VPcvzGpIHew7V86T/R86O3Gy +UK0eeT7bgKCLzV9B/A0MMnzQ2+bw3ArXwwivxhWWDO9nIAyF6aOxdZr+X3rl2p/6 +IYf0AoEV/miqKm7yuxDExFkrJ1fRrZ1nq+lHPneURb/1rXJFfgZ2FQ+knDtokfp6 +fDBLGXXB7NSXkKAv7VLpXg +-> ssh-ed25519 iHV63A z0GdyHGN7aJwL9oYkcUY3Qw/BMJ5W5D8i+tU6W7Haw4 +nSCKSMvJDvkGQfxaAnskwKEk6a7XKjbaB/Bkyq1X/c8 +-> ssh-ed25519 uTVbSg 2Ho8KrV3xfNtwN+TepeS52aQZaqn8R9RpbZXTv7Tpjo +kUX//t2VYMPdGwSa3Xx/wgI2mcPvksBb85BE869K7V4 +-> mk!&q*4-grease PdOI 5~Z: NZD +ItuRMmjRrLT8EiY4zEmCW3uC9x3/5Ol4mzwmFXe0wT0 +--- /gVjl7gfaIAgikOCRKcz6BMaFTNFi8n2OM3DrWn1qkQ +*W^eY-2v"]0U3 vo@c@%{I('9(tQy>BY+II5D \ No newline at end of file 
diff --git a/secrets/cube_restic_repository_password.age b/secrets/cube_restic_repository_password.age new file mode 100644 index 00000000..00d16f5a --- /dev/null +++ b/secrets/cube_restic_repository_password.age @@ -0,0 +1,21 @@ +age-encryption.org/v1 +-> ssh-ed25519 hPyiJw +rkFPrQE8peUim4x6Ky9ZOq1th5ClCoBGZnHpyUpdhg +RUg+Iy9Tr/rYLac2QZXHgEIXVeUgzThkknHKXw0zcc8 +-> ssh-ed25519 YFSOsg f+9e0azb6BGCW2BAqzY0jeGX35SOg5H8esxKnslo1Bw +zTrfb7rz9rtlGL+RYF+k0bPTJrCCj3sIiRpjqkNwktY +-> ssh-rsa 42S2Dw +E0CKXcPmBbOGFjsKpzr6XD2wiK6X6bACpHxO6qdRfN1vntoRLRsrMlHhiB9nbn3V +wyVou0OtIXoEuW7X/AZDatB2zQp4gs/C6j7jX3MhtzC60qrGpqxZ+qSRwsybbMHl +23ceddRQfudIkojKolpuZj6LhmqHo7psg8HF+OMMMvq8AU2/FLULOoWy5pjtfZTf +FrhbjSHJPe8CDGhHVANd7nmhuNYLf/HoO3/VNCmF5g5FVdTl+oIbV/lG+h9XEkMV +Brmew59jOUNZQkKixA8Qs+Q9jmozVKUfdVNt5214NucExbPkgznOmtp5XyfIZUHP +fcOAonVVoSTsEP2YiPSOkg +-> ssh-ed25519 iHV63A RchzJvnl56NtfqNJ4BclwhEnxmxveeXmdKsk5anyoGY +838Yzcs0Y/d4aRGGpaIUe4HlncnHB/90KPl4Jc6M6gc +-> ssh-ed25519 uTVbSg yUxd7jAji+mUlayh3HAmtt15LT0qIijFdZfxm/QXJ1A +B03YY7feAxzquD55hkqdjfjp7F3UOgPws3CHz6vq5/E +-> s-grease +sVUB69ht3umxJ0/t3sgli+GG1jJYbRH3NAYRXxyjM7cD7kwimAwa0Cv8briHBncF +CXY +--- +656WjsF5wgufRPmpuHmh4BWdHsLLu2R0ZJ9Ryml35k + mbj%^S0ˠguZUz _Gv=6@㒳{0nj \ No newline at end of file diff --git a/secrets/cube_restic_ssh_private_key.age b/secrets/cube_restic_ssh_private_key.age new file mode 100644 index 00000000..dd6a8dcb --- /dev/null +++ b/secrets/cube_restic_ssh_private_key.age 
@@ -0,0 +1,22 @@ +age-encryption.org/v1 +-> ssh-ed25519 hPyiJw +A6/Q0jkgCU8oT8UwEOXm+ilWBZSkPheytu+qWJ8ow0 +kBztg+HTVR8tNJR9cws2wAfXf/p+SlDZ/HoXYyhSP5Q +-> ssh-ed25519 YFSOsg RlxOjmi/X/nXaN1pur/YkOeNMfaNjaeRlhuIy8Xg/C4 +rXLCp5cOgqg97NlsIhNOtReLro3ELEfcfEFmeh5QmXg +-> ssh-rsa 42S2Dw +ivPg0J88URraGg/P1pYwPbHAPcLRxOEEGhIve858Wv0TJxyeSLFMEgyal6fKnxQN +bE+SuV9ZAWRx4LCmaxq35exfXJAclcC4zg+WOui3uojeWf6Yo/Q0OXGYhS5uHMHm +SJnIKoIKsdrD7g+0hoTKKztrjliK/zw8ooBPP8c6KGKncIhWGWfvS+eBzYkQp0VE +mMplI6YGTGtKavR7w5X9NG9rb5Ot0jdTuM+Q1URhtXbER1ZJWnEQMfdGeHEYKTXA +cJR08iiMY3J/XeYnv+I8B8FBCfWZurMDeH72t7TjObaZEBz/gKl6sk1+FuEBLQR0 +r1Fqd9w06fgMcuVLLdFZQg +-> ssh-ed25519 iHV63A a27f4SrL8d4VTA/zf0ZFN+gRZEZYjfXxGRkK+0BvFBI +FPY1Vl6t1KMdmLMuhrF0NZptzrwGNyEgw+IHxvZkNT4 +-> ssh-ed25519 uTVbSg cNe3wLmtGYd8E/mVT4nnGc9uKwVfKeLkPOA4iWH/n00 +zUGfMmyqVA8+wH4U9e3aLCOyUn7JQbvd2hFViCGkAZs +-> ;y-K-grease 'D %/|`ff=t +EIllMsZQ7AqFv1F9F8SOleLU4Q1PKLJIdw7FL1fveIuPdnBPguvrcyw1kQeCzZ7M +F2LCYbb0cJUlJi1Mo+LxFEC4cCS0NI1hlMtbh5c4cxy7Ay/cpzCxhY9yVV8 +--- fXi80THZW40z8KwPZUmXCYcp3zjgI/P0SyOGbI6SEOI +t_cO9D:EaCXUŘ-w`)!9DO+b<94\e5v=kJ%s|a#޺!PIZGlh:jO`1dq$0RFɦ.w˜]!Mno|gP|ר^"2hBiѫ!~f[z;`HpHF~KJRT~5AgvR3flD/7Y2bSO=)8(F.+<$* 0ǒ@#R]]֚89?W%중!,;Q؊N~xfM*? 吾'xpCU +_ N. \ No newline at end of file diff --git a/secrets/email_gssws_password.age b/secrets/email_gssws_password.age index 2db3102a..6297178d 100644 --- a/secrets/email_gssws_password.age +++ b/secrets/email_gssws_password.age 
@@ -1,22 +1,25 @@ age-encryption.org/v1 --> ssh-ed25519 hPyiJw 1+o3Kv3nXAiMEyY8GVW7ZMCILH/SToajDAYM0HR3/FU -YgmC4YvrNidF5sr3h2KtByL/ehS8RC2yEKQf8pkcruE --> ssh-ed25519 YFSOsg Ju5LywricieLjgr6GeaXyN6RwrT2rf1ypjyvABtYkEE -TeZO7TBBIK58XTN5Bi9UdAde8vlEeIuiRnnYuTWV3Ds +-> ssh-ed25519 hPyiJw L1ibB8t4cvp/OXx9HQAxdEyI85z/1Lz5m4li6jA9Kz8 +yBswoHr9wY7cw4Jd4bgaT0acbUz6SOXZ03UFmFtTUEM +-> ssh-ed25519 YFSOsg LLswQxf9SCn+iEDeLnSrYkVxfzayM8U2DBW974hpAxA +8lsCg3xMdgBthhuwqiFVx8pbz7uTLZ0RynIvczCYBhA -> ssh-rsa 42S2Dw -YR3lIzLqv6FZlKHgPYc2uVo8kiuEStoP+wZqMsNJwlpT9VIUn2n7V3Pj7gsRUtN7 -dYjVEnXCXOYJiT1cKitbsQ/uvO7pDh7Ol4cve4yCt5OTXqux4MsZRBTvBXmbom7v -BZCOruqKIViWChXLo6s1vhJ2Rv3LzY12h1IGlDrVqyTHAxUga7aQmKnFzICwsb2M -6A7JDryveWA3AWntHOgw6G/OzL6TlZxa51w6UAW3z+cckEttmwfLaaOhT2xuhAvJ -3SH856B5Xtx7qWyooN7Cq2XQAlZ3DKJVmjIJvI1y9DdpZlO29kXZXI6FZJb6ZJMM -c0GntItUK2VXGwR+a+PIDg --> ssh-ed25519 iHV63A 68iPatktmiT9enmwFBH0O2KS7Iu5ZR3vEdrD6OKTwyg -IyRwEOu+/ThnqIG42fYxr65rpniPqvS5HYNP3xQgYfU --> ssh-ed25519 VApqug rYWmUWJxn6FnnZGopYUzrTcbTBsr+zHuhrSisHl6LXM -7XANpzZrrZlsPILu0UhNh3s1UoUwhGXVUhhmMfZuBqw --> -.bX&'x-grease mStW!.EH *+Q`QW/ -0jNHMBJOkpVUD7xoEr7ymD2f3kCEIU0SZkPJ8wJfxYSg4F/4Pwc19+tHChEjOHCC -svyV ---- rCetdRQgIw8CPjfsojxST3lEYYbxGMRhBi9rBfIpQx0 - -S!>8] 'i [cwNa 1Ā'Sˡ \ No newline at end of file +NgKNMMnaozW4qWvXhK5AKSJkXffIKtTKBla28z7ruFv53mGqRwRKYATB2mFDiVH4 +PgDHv6+M5UBqbFEN48bzngnrugWjWXRDoXJifsfMeWXDCbd0z/X2JPul3PCi0jpB +Pgzcl5kuM4BxRDIkn/F9uc7y5ybGn9LUpbRWrWDdz8t5Vc4xYLY2UnhGkK5Oi1Cq +H8Dgv4N6oTWerzeXyRiir6PbhMFHBbMconi6rU0u4/ZFyllLHJG3ocxAMFiKknlx +6obLiszq1Jdb/N/1Wi6SN3wSu/RiVHEabgb08kzUf6t3DSIsqeh/3rUV0IdjF/mp +T5XXzUIhZyadH+Ddxrl75A +-> ssh-ed25519 iHV63A ddkExJKu/Jys/9jiSUOg2ZKGKYIf+Y7G9QASxCZdOW4 +y/XOHNRaJjvKw5RZw1oUCP7nPY7t+ZMbTNxIStVCfRI +-> ssh-ed25519 VApqug Uf71meztk0oZUJHjJ8Sdth4QdfaDWzv2wAsj6f1lt0E +vtkLmvXGgK+lnPI+RS3JRZH71TBjfkozAK5dW3a3uoo +-> ssh-ed25519 NhniTw vvLxotjVSTvf9KKJn9lZ08DgKonQbI8C+jTTET7h3WI +b8QFEGpS2Ll4EbxCK6xfCHLB5DMT4+kOASz6STtuDEw +-> ssh-ed25519 
f35zxg B2hFbT3p201jS5YC6E7kHlo0O0sSQsZkMjj3c36KHAY +PnVcMx0G2gWMtFn6LFhGDZ/+1d1mtdsAzsL+JuBr6bE +-> r\{-grease +Y8zuemoJ8F+VQAQBf9EdPMj2BvfODuc2rY4RxnTxSCNlm5fQu+nzUpr2cxXYdRZc +miiCinz2+S5kJph9WwKbpC7RNyuegok1ww +--- YcYQRF4M9Gik+v1Txho8noV9bt3hBmsCDiNABOC4qFg +/ds,87벻O}K`0 nJ_, P#1bb# diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 9a649db0..950a39d5 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -15,6 +15,13 @@ let system_cube = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5ok5tIuDKYpIw3KVmUnqBSDJ1QriWQJ04IVLF1Kaig root@nixos"; system_ringo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5g8CfSiMxboEJT2U92JoYdnv0nsArBPW/vfTEsUWZO root@nixos"; + system_harrison = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMGsY9APkK11hlcqKXER+iqaJZ/x5HNacQ8FXfLe2SA4 root@nixos"; + system_norman = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDFePAtdXP/4J0UdChfRC78Tj/yBZaUNTNnbwXe9HJx6 root@nixos"; + + system_surfplace = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOAmim1CFeTPPDz/34sDYhF773NquhbqIS6v4mWM4qSd root@nixos"; + + users = [ user_hensoko_nitrokey_1 user_hensoko_harrison user_hensoko_norman_1 user_hensoko_norman_2 ]; + systems_email_accounts = [ system_harrison system_norman system_surfplace ]; systems_home_controller = [ system_giggles system_cox system_companion system_cube system_ringo ]; allKeys = users ++ systems_home_controller; in @@ -26,6 +33,12 @@ in "home_controller_cube_wireguard_key.age".publicKeys = users ++ [ system_cube ]; "cube_nextcloud_admin_pass.age".publicKeys = users ++ [ system_cube ]; "cube_nextcloud_db_pass.age".publicKeys = users ++ [ system_cube ]; + "cube_restic_ssh_private_key.age".publicKeys = users ++ [ system_cube ]; + "cube_restic_repository_password.age".publicKeys = users ++ [ system_cube ]; + + "cube_drone_exec_runner_config.age".publicKeys = users ++ [ system_cube ]; + + "cube_invoiceplane_db_password.age".publicKeys = users ++ [ system_cube ]; "home_controller_ringo_wireguard_key.age".publicKeys = users ++ [ system_ringo ];