diff --git a/hosts/companion/companion.nix b/hosts/companion/companion.nix
new file mode 100644
index 00000000..ca873721
--- /dev/null
+++ b/hosts/companion/companion.nix
@@ -0,0 +1,16 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+ psCfg = config.pub-solar;
+ xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in
+{
+ imports = [
+ ./configuration.nix
+ ];
+
+ config = {
+ boot.plymouth.enable = lib.mkForce false;
+ pub-solar.nextcloud.enable = lib.mkForce false;
+ };
+}
diff --git a/hosts/companion/configuration.nix b/hosts/companion/configuration.nix
new file mode 100644
index 00000000..89a5710e
--- /dev/null
+++ b/hosts/companion/configuration.nix
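Review bot: The `let` bindings `psCfg` and `xdg` in hosts/companion/companion.nix are never used in the attribute set that follows, and `with lib;` is redundant because every call is still written as `lib.mkForce`; dropping those lines leaves `{ config, pkgs, lib, ... }: { imports = [ ./configuration.nix ]; config = { ... }; }`. The blob id `ca873721` is shared with the new hosts/cox/cox.nix and the updated hosts/giggles/giggles.nix further down, so the three files are byte-identical and a single shared module imported from each host's default.nix would keep them from drifting apart. The unused `xdg` binding also evaluates `config.home-manager.users."${psCfg.user.name}"`, which fails evaluation on any host where home-manager is not configured for that user.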
@@ -0,0 +1,63 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, lib, ... }: + +{ + imports = + [ + ./hardware-configuration.nix + ./home-controller.nix + ]; + + boot.loader.timeout = 0; + + boot.loader.generic-extlinux-compatible.enable = lib.mkForce false; + + boot.loader.grub = { + enable = true; + efiSupport = true; + efiInstallAsRemovable = true; + device = "nodev"; + }; + + # Set your time zone. + time.timeZone = "Europe/Berlin"; + + # The global useDHCP flag is deprecated, therefore explicitly set to false here. + # Per-interface useDHCP will be mandatory in the future, so this generated config + # replicates the default behaviour. + networking.useDHCP = false; + networking.interfaces.eth0.useDHCP = true; + networking.interfaces.wlan0.useDHCP = false; + networking.networkmanager.enable = lib.mkForce false; + + boot.loader.systemd-boot.enable = lib.mkForce false; + + nix = { + extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes"; + }; + + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + vim + wget + ]; + + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. 
man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "22.11"; # Did you read the comment?
+}
+
diff --git a/hosts/companion/default.nix b/hosts/companion/default.nix
new file mode 100644
index 00000000..8cac5356
--- /dev/null
+++ b/hosts/companion/default.nix
@@ -0,0 +1,6 @@
+{ suites, ... }:
+{
+ imports = [
+ ./companion.nix
+ ] ++ suites.companion;
+}
diff --git a/hosts/companion/hardware-configuration.nix b/hosts/companion/hardware-configuration.nix
new file mode 100644
index 00000000..1b59fa36
--- /dev/null
+++ b/hosts/companion/hardware-configuration.nix
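Review bot: hosts/companion/configuration.nix is a copy of the new hosts/cox/configuration.nix and of the updated giggles configuration; only the commented `#package = pkgs.nixFlakes;` line differs, so the bootloader, networking, nix and package sections would be better kept in one shared module that the three Pi hosts import. The file never sets `networking.hostName`, and the giggles hunk removes the one it had; if the pub-solar suites do not derive the hostname from the host directory, the machine boots with NixOS's default name — worth confirming. The `# Open ports in the firewall.` block is left entirely commented out, so the k3s API and WireGuard ports must be opened by the `pub-solar.home-controller` module; a one-line comment to that effect, e.g. `# k3s/wireguard firewall rules come from the home-controller module`, would save the next reader a search.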
@@ -0,0 +1,61 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + boot.initrd.supportedFilesystems = [ "zfs" ]; + boot.supportedFilesystems = [ "zfs" ]; + + boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18; + + boot.initrd.luks.devices = { + cryptroot = { + device = "/dev/disk/by-uuid/3bbde916-e12a-46a7-9eea-4f5e2aef7883"; + keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04017028021722045451-0:0-part1"; + bypassWorkqueues = true; + fallbackToPassword = true; + }; + }; + + fileSystems."/" = + { + device = "zroot/root"; + fsType = "zfs"; + }; + + fileSystems."/boot" = + { + device = "/dev/disk/by-uuid/5552-1B21"; + fsType = "vfat"; + }; + + fileSystems."/var/lib/rancher/k3s/storage" = + { + device = "zroot/kubernetes-localstorage"; + fsType = "zfs"; + }; + + swapDevices = + [{ device = "/dev/disk/by-uuid/0545db4a-0494-44d7-927a-4c78351c4303"; }]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = false; + networking.interfaces.eth0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlan0.useDHCP = lib.mkDefault true; + networking.hostId = "71f2d82a"; + + powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; +} 
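Review bot: `networking.hostId = "71f2d82a";` in the companion hardware-configuration is the same value set in hosts/cox/hardware-configuration.nix and the rewritten hosts/giggles/hardware-configuration.nix, although the header says the file was generated by nixos-generate-config, which picks a random id per machine. ZFS records the hostid in the pool label and refuses to import a pool last imported by a different hostid; with three ZFS hosts sharing one id that safeguard is effectively disabled, so each host should get its own value (the option docs suggest `head -c 8 /etc/machine-id`). `boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18;` pins a non-LTS kernel series that stops receiving fixes once it leaves upstream support; if the pin exists for ZFS module compatibility, say so with `# pinned for zfs compatibility; revisit when zfs supports newer kernels`, otherwise prefer an LTS series. The LUKS `keyFile` on a by-id USB partition with `fallbackToPassword = true` is a reasonable unattended-boot setup, but the stick then holds the raw volume key and should be treated accordingly.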
diff --git a/hosts/companion/home-controller.nix b/hosts/companion/home-controller.nix new file mode 100644 index 00000000..ff7ab606 --- /dev/null +++ b/hosts/companion/home-controller.nix @@ -0,0 +1,55 @@ +{ self, config, pkgs, ... }: + +{ + config = { + age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age"; + age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_companion_wireguard_key.age"; + + pub-solar.home-controller = { + enable = true; + role = "server"; + ownIp = "10.0.1.13"; + + k3s = { + serverAddr = "https://api.kube:6443"; + tokenFile = "/run/agenix/home_controller_k3s_token"; + enableLocalStorage = true; + enableZfs = true; + }; + + wireguard = { + privateKeyFile = "/run/agenix/home_controller_wireguard"; + peers = [ + { + # cube + publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk="; + allowedIPs = [ "10.0.1.5/32" ]; + endpoint = "data.gssws.de:51899"; + persistentKeepalive = 25; + } + { + # giggles + publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg="; + allowedIPs = [ "10.0.1.11/32" ]; + endpoint = "giggles.local:51899"; + persistentKeepalive = 25; + } + { + # cox + publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k="; + allowedIPs = [ "10.0.1.12/32" ]; + endpoint = "cox.local:51899"; + persistentKeepalive = 25; + } + { + # ringo + publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw="; + allowedIPs = [ "10.0.1.21/32" ]; + endpoint = "ringo.local:51899"; + persistentKeepalive = 25; + } + ]; + }; + }; + }; +} diff --git a/hosts/cox/configuration.nix b/hosts/cox/configuration.nix new file mode 100644 index 00000000..8ab92744 --- /dev/null +++ b/hosts/cox/configuration.nix 
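Review bot: The WireGuard `peers` table in hosts/companion/home-controller.nix is repeated, with the same public keys and allowedIPs, in the cox, giggles, ringo and cube home-controller files later in this diff; a rotated key or changed endpoint then has to be edited in up to five places and a missed one silently breaks a single tunnel. Consider one attribute set of nodes (name → publicKey, ip, endpoint) in a shared module and deriving `peers` per host by filtering out the entry matching `ownIp`. The `pkgs` argument is unused here and in the sibling files. Endpoints such as `giggles.local:51899` depend on `.local` name resolution working when the interface comes up; presumably the home-controller module arranges that, but it is worth confirming.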
@@ -0,0 +1,64 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, lib, ... }: + +{ + imports = + [ + ./hardware-configuration.nix + ./home-controller.nix + ]; + + boot.loader.timeout = 0; + + boot.loader.generic-extlinux-compatible.enable = lib.mkForce false; + + boot.loader.grub = { + enable = true; + efiSupport = true; + efiInstallAsRemovable = true; + device = "nodev"; + }; + + # Set your time zone. + time.timeZone = "Europe/Berlin"; + + # The global useDHCP flag is deprecated, therefore explicitly set to false here. + # Per-interface useDHCP will be mandatory in the future, so this generated config + # replicates the default behaviour. + networking.useDHCP = false; + networking.interfaces.eth0.useDHCP = true; + networking.interfaces.wlan0.useDHCP = false; + networking.networkmanager.enable = lib.mkForce false; + + boot.loader.systemd-boot.enable = lib.mkForce false; + + nix = { + #package = pkgs.nixFlakes; + extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes"; + }; + + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + vim + wget + ]; + + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. 
man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "22.11"; # Did you read the comment?
+}
+
diff --git a/hosts/cox/cox.nix b/hosts/cox/cox.nix
new file mode 100644
index 00000000..ca873721
--- /dev/null
+++ b/hosts/cox/cox.nix
@@ -0,0 +1,16 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+ psCfg = config.pub-solar;
+ xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in
+{
+ imports = [
+ ./configuration.nix
+ ];
+
+ config = {
+ boot.plymouth.enable = lib.mkForce false;
+ pub-solar.nextcloud.enable = lib.mkForce false;
+ };
+}
diff --git a/hosts/cox/default.nix b/hosts/cox/default.nix
new file mode 100644
index 00000000..aa29e195
--- /dev/null
+++ b/hosts/cox/default.nix
@@ -0,0 +1,6 @@
+{ suites, ... }:
+{
+ imports = [
+ ./cox.nix
+ ] ++ suites.cox;
+}
diff --git a/hosts/cox/hardware-configuration.nix b/hosts/cox/hardware-configuration.nix
new file mode 100644
index 00000000..3b52c24b
--- /dev/null
+++ b/hosts/cox/hardware-configuration.nix
@@ -0,0 +1,61 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + boot.initrd.supportedFilesystems = [ "zfs" ]; + boot.supportedFilesystems = [ "zfs" ]; + + boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18; + + boot.initrd.luks.devices = { + cryptroot = { + device = "/dev/disk/by-uuid/bf333b74-875f-4187-922e-4b433fb53aa2"; + keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_03024516121421043657-0:0-part1"; + bypassWorkqueues = true; + fallbackToPassword = true; + }; + }; + + fileSystems."/" = + { + device = "zroot/root"; + fsType = "zfs"; + }; + + fileSystems."/boot" = + { + device = "/dev/disk/by-uuid/6CB3-6DB8"; + fsType = "vfat"; + }; + + fileSystems."/var/lib/rancher/k3s/storage" = + { + device = "zroot/kubernetes-localstorage"; + fsType = "zfs"; + }; + + swapDevices = + [{ device = "/dev/disk/by-uuid/7ef4a3f8-f4a6-42f5-a57d-21f502ed3dba"; }]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = false; + networking.interfaces.eth0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlan0.useDHCP = lib.mkDefault true; + networking.hostId = "71f2d82a"; + + powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; +} 
diff --git a/hosts/cox/home-controller.nix b/hosts/cox/home-controller.nix new file mode 100644 index 00000000..d017c570 --- /dev/null +++ b/hosts/cox/home-controller.nix @@ -0,0 +1,55 @@ +{ self, config, pkgs, ... }: + +{ + config = { + age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age"; + age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cox_wireguard_key.age"; + + pub-solar.home-controller = { + enable = true; + role = "server"; + ownIp = "10.0.1.12"; + + k3s = { + serverAddr = "https://api.kube:6443"; + tokenFile = "/run/agenix/home_controller_k3s_token"; + enableLocalStorage = true; + enableZfs = true; + }; + + wireguard = { + privateKeyFile = "/run/agenix/home_controller_wireguard"; + peers = [ + { + # cube + publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk="; + allowedIPs = [ "10.0.1.5/32" ]; + endpoint = "data.gssws.de:51899"; + persistentKeepalive = 25; + } + { + # giggles + publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg="; + allowedIPs = [ "10.0.1.11/32" ]; + endpoint = "giggles.local:51899"; + persistentKeepalive = 25; + } + { + # companion + publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0="; + allowedIPs = [ "10.0.1.13/32" ]; + endpoint = "companion.local:51899"; + persistentKeepalive = 25; + } + { + # ringo + publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw="; + allowedIPs = [ "10.0.1.21/32" ]; + endpoint = "ringo.local:51899"; + persistentKeepalive = 25; + } + ]; + }; + }; + }; +} diff --git a/hosts/cube/acme.nix b/hosts/cube/acme.nix new file mode 100644 index 00000000..6ed057b3 --- /dev/null +++ b/hosts/cube/acme.nix @@ -0,0 +1,8 @@ +{ pkgs, config, ... }: + +{ + security.acme = { + acceptTerms = true; + defaults.email = "hensoko@gssws.de"; + }; +} diff --git a/hosts/cube/configuration.nix b/hosts/cube/configuration.nix new file mode 100644 index 00000000..73bc446f --- /dev/null +++ b/hosts/cube/configuration.nix 
@@ -0,0 +1,42 @@ +{ config, lib, pkgs, ... }: + +{ + imports = + [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ./home-controller.nix + ./acme.nix + ./home-assistant.nix + ./nextcloud.nix + ]; + + # Use the GRUB 2 boot loader. + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + boot.loader.grub.device = "/dev/disk/by-id/usb-HP_iLO_Internal_SD-CARD_000002660A01-0:0"; + + boot.loader.systemd-boot.enable = lib.mkForce false; + + time.timeZone = "Europe/Berlin"; + + networking = { + useDHCP = false; + + interfaces.eno1.ipv4.addresses = [{ + address = "80.244.242.2"; + prefixLength = 29; + }]; + + defaultGateway = "80.244.242.1"; + nameservers = [ "95.129.51.51" "80.244.244.244" ]; + }; + + services.openssh.ports = [ 2222 ]; + + networking.firewall.allowedTCPPorts = [ 2222 ]; + networking.firewall.allowedUDPPorts = [ 51899 ]; + networking.firewall.enable = lib.mkForce true; + + system.stateVersion = "21.05"; # Did you read the comment? +} diff --git a/hosts/cube/cube.nix b/hosts/cube/cube.nix new file mode 100644 index 00000000..894cab9c --- /dev/null +++ b/hosts/cube/cube.nix @@ -0,0 +1,13 @@ +{ config, pkgs, lib, ... }: +with lib; +with pkgs; +let + psCfg = config.pub-solar; +in +{ + imports = [ + ./configuration.nix + ]; + + +} diff --git a/hosts/cube/default.nix b/hosts/cube/default.nix new file mode 100644 index 00000000..7834ef54 --- /dev/null +++ b/hosts/cube/default.nix @@ -0,0 +1,6 @@ +{ suites, ... }: +{ + imports = [ + ./cube.nix + ] ++ suites.cube; +} diff --git a/hosts/cube/hardware-configuration.nix b/hosts/cube/hardware-configuration.nix new file mode 100644 index 00000000..617f0c94 --- /dev/null +++ b/hosts/cube/hardware-configuration.nix 
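Review bot: `networking.firewall.allowedTCPPorts = [ 2222 ];` in hosts/cube/configuration.nix duplicates what the openssh module already does: with `services.openssh.openFirewall` at its default of true, `services.openssh.ports = [ 2222 ];` opens that port on its own, so the explicit rule can go. This host has a public address (`80.244.242.2/29`) and nothing in the hunk disables password or root SSH login; presumably the pub-solar base modules do, but that is worth verifying before the port is reachable from the internet. `boot.loader.grub.version = 2;` is a deprecated no-op in current nixpkgs; dropping it avoids an evaluation error once the option is removed. The UDP 51899 rule matches the `data.gssws.de:51899` endpoint used by the peers in the home-controller files, which is consistent.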
@@ -0,0 +1,37 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "uhci_hcd" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { + device = "/dev/disk/by-uuid/715ef65c-6cb3-4455-99ed-fe7408935d00"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { + device = "/dev/disk/by-uuid/e76a2e82-bf17-4287-967c-bd0f16d16875"; + fsType = "ext2"; + }; + + fileSystems."/mnt/internal" = + { + device = "/dev/disk/by-uuid/3563f624-f8ed-4664-95d0-ca8b9db1c60a"; + fsType = "ext4"; + }; + + swapDevices = + [{ device = "/dev/disk/by-uuid/4b0b445b-ae72-439a-8aeb-cbd6a3ed73b9"; }]; +} diff --git a/hosts/cube/home-assistant.nix b/hosts/cube/home-assistant.nix new file mode 100644 index 00000000..e9b1d714 --- /dev/null +++ b/hosts/cube/home-assistant.nix @@ -0,0 +1,19 @@ +{ self, pkgs, config, ... }: + +{ + # HTTP + services.nginx = { + virtualHosts."ha.gssws.de" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://10.0.1.254:8123"; + proxyWebsockets = true; + extraConfig = + "proxy_ssl_server_name on;" + + "proxy_pass_header Authorization;" + ; + }; + }; + }; +} diff --git a/hosts/cube/home-controller.nix b/hosts/cube/home-controller.nix new file mode 100644 index 00000000..c472b12d --- /dev/null +++ b/hosts/cube/home-controller.nix 
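Review bot: In hosts/cube/home-assistant.nix the `extraConfig` directive `proxy_ssl_server_name on;` has no effect because the upstream in `proxyPass` is plain `http://10.0.1.254:8123`; only `proxy_pass_header Authorization;` does anything here. Building `extraConfig` by concatenating string literals with `+` reads awkwardly; a multi-line string `extraConfig = '' proxy_pass_header Authorization; '';` is the usual form. The vhost relies on `services.nginx.enable = true` being set in nextcloud.nix; if that file is ever dropped from cube's imports this one silently stops producing a server.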
@@ -0,0 +1,48 @@ +{ self, config, pkgs, ... }: + +{ + config = { + age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age"; + age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cube_wireguard_key.age"; + + pub-solar.home-controller = { + enable = true; + role = "agent"; + ownIp = "10.0.1.5"; + + k3s = { + enableLocalStorage = false; + enableZfs = false; + serverAddr = "https://api.kube:6443"; + tokenFile = "/run/agenix/home_controller_k3s_token"; + }; + + wireguard = { + privateKeyFile = "/run/agenix/home_controller_wireguard"; + peers = [ + { + # giggles + publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg="; + allowedIPs = [ "10.0.1.11/32" ]; + } + { + # cox + publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k="; + allowedIPs = [ "10.0.1.12/32" ]; + } + { + # companion + publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0="; + allowedIPs = [ "10.0.1.13/32" ]; + } + + { + # hsha + publicKey = "sC0wWHE/tvNaVYX3QQTHQUmSTTjZMOjkQ5x/qy6qjTc="; + allowedIPs = [ "10.0.1.254/32" ]; + } + ]; + }; + }; + }; +} diff --git a/hosts/cube/nextcloud.nix b/hosts/cube/nextcloud.nix new file mode 100644 index 00000000..fe389722 --- /dev/null +++ b/hosts/cube/nextcloud.nix 
@@ -0,0 +1,72 @@ +{ self, pkgs, config, ... }: + +{ + age.secrets.nextcloud_db_pass = { + owner = "nextcloud"; + group = "nextcloud"; + file = "${self}/secrets/cube_nextcloud_db_pass.age"; + }; + + age.secrets.nextcloud_admin_pass = { + owner = "nextcloud"; + group = "nextcloud"; + file = "${self}/secrets/cube_nextcloud_admin_pass.age"; + }; + + # HTTP + services.nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; + virtualHosts."data.gssws.de" = { + enableACME = true; + forceSSL = true; + }; + }; + + # DATABASES + services.postgresql = { + enable = true; + package = pkgs.postgresql_11; + + ensureDatabases = [ "nextcloud" ]; + ensureUsers = [ + { + name = "nextcloud"; + ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES"; + } + ]; + }; + systemd.services."nextcloud-setup" = { + requires = [ "postgresql.service" ]; + after = [ "postgresql.service" ]; + }; + + + # NEXTCLOUD + services.nextcloud = { + enable = true; + package = pkgs.nextcloud24; + hostName = "data.gssws.de"; + https = true; + #datadir = "/mnt/internal/nextcloud"; + autoUpdateApps.enable = true; + autoUpdateApps.startAt = "05:00:00"; + + config = { + # Further forces Nextcloud to use HTTPS + overwriteProtocol = "https"; + + dbtype = "pgsql"; + dbuser = "nextcloud"; + dbhost = "/run/postgresql"; + dbname = "nextcloud"; + dbpassFile = "/run/agenix/nextcloud_db_pass"; + adminpassFile = "/run/agenix/nextcloud_admin_pass"; + adminuser = "admin"; + }; + }; +} diff --git a/hosts/giggles/configuration.nix b/hosts/giggles/configuration.nix index 9f5e3ee2..d6e8e3f2 100644 --- a/hosts/giggles/configuration.nix +++ b/hosts/giggles/configuration.nix 
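Review bot: `sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";` in hosts/cube/nextcloud.nix overrides the cipher list that `recommendedTlsSettings = true` installs a few lines above it, and the replacement is weaker: it admits CBC-mode suites such as ECDHE-RSA-AES256-SHA and finite-field DHE, which the module's recommended list excludes. Unless a specific client needs them, drop the line and let the recommended settings stand. `#datadir = "/mnt/internal/nextcloud";` is left commented while hardware-configuration.nix mounts `/mnt/internal`, so user data lands in the default `/var/lib/nextcloud` on the root disk — presumably intentional for now, but a comment saying so would help. Keeping the database and admin passwords in agenix files and using the unix-socket `dbhost` is the right shape.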
@@ -9,9 +9,19 @@ [ # Include the results of the hardware scan. ./hardware-configuration.nix + ./home-controller.nix ]; - networking.hostName = "giggles"; # Define your hostname. + boot.loader.timeout = 0; + + boot.loader.generic-extlinux-compatible.enable = lib.mkForce false; + + boot.loader.grub = { + enable = true; + efiSupport = true; + efiInstallAsRemovable = true; + device = "nodev"; + }; # Set your time zone. time.timeZone = "Europe/Berlin"; 
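Review bot: The removed line `networking.hostName = "giggles";` is not replaced anywhere in this file, and the new companion and cox configuration files never set it either (the ringo hunk later removes its own as well); if the pub-solar suites do not derive the hostname from the host directory, these machines come up with NixOS's default name, which would also break the `giggles.local`/`cox.local`/`companion.local` WireGuard endpoints that depend on it. A short comment such as `# hostName is set by the pub-solar host module` at the removal site would make the intent explicit. The new GRUB block duplicates the one in the companion and cox files and is a natural candidate for a shared module.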
@@ -20,55 +30,17 @@ # Per-interface useDHCP will be mandatory in the future, so this generated config # replicates the default behaviour. networking.useDHCP = false; - networking.interfaces.wlan0.useDHCP = true; + networking.interfaces.eth0.useDHCP = true; + networking.interfaces.wlan0.useDHCP = false; networking.networkmanager.enable = lib.mkForce false; - #networking.wireless = { - # enable = true; - # networks.DinoLan.psk = "Gelbe Enten schwimmen auf dem Wasser."; - # interfaces = [ wlan0 ]; - #}; - - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + boot.loader.systemd-boot.enable = lib.mkForce false; nix = { #package = pkgs.nixFlakes; extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes"; }; - # Select internationalisation properties. - # i18n.defaultLocale = "en_US.UTF-8"; - # console = { - # font = "Lat2-Terminus16"; - # keyMap = "us"; - # }; - - # Enable the X11 windowing system. - # services.xserver.enable = true; - - - # Configure keymap in X11 - # services.xserver.layout = "us"; - # services.xserver.xkbOptions = "eurosign:e"; - - # Enable CUPS to print documents. - # services.printing.enable = true; - - # Enable sound. - # sound.enable = true; - # hardware.pulseaudio.enable = true; - - # Enable touchpad support (enabled default in most desktopManager). - # services.xserver.libinput.enable = true; - - # Define a user account. Don't forget to set a password with ‘passwd’. - # users.users.jane = { - # isNormalUser = true; - # extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. - # }; - # List packages installed in system profile. To search, run: # $ nix search wget environment.systemPackages = with pkgs; [ 
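Review bot: The removed, commented-out `networking.wireless` block in hosts/giggles/configuration.nix carried a WPA pre-shared key in clear text, and deleting it here does not take it out of the repository history. If that network still exists, the PSK should be rotated; the repository already uses agenix (`age.secrets` in the home-controller files), so any future wireless credentials belong in an `.age` file referenced via `networking.wireless.environmentFile` rather than in a Nix string. The rest of the hunk only removes generator boilerplate.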
@@ -76,18 +48,8 @@ wget ]; - # Some programs need SUID wrappers, can be configured further or are - # started in user sessions. - # programs.mtr.enable = true; - # programs.gnupg.agent = { - # enable = true; - # enableSSHSupport = true; - # }; - - # List services that you want to enable: - # Open ports in the firewall. - networking.firewall.allowedTCPPorts = [ 22 ]; + # networking.firewall.allowedTCPPorts = [ ... ]; # networking.firewall.allowedUDPPorts = [ ... ]; # Or disable the firewall altogether. # networking.firewall.enable = false; @@ -98,6 +60,6 @@ # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "21.05"; # Did you read the comment? + system.stateVersion = "22.11"; # Did you read the comment? } diff --git a/hosts/giggles/giggles.nix b/hosts/giggles/giggles.nix index 1431a53a..ca873721 100644 --- a/hosts/giggles/giggles.nix +++ b/hosts/giggles/giggles.nix @@ -9,5 +9,8 @@ in ./configuration.nix ]; - pub-solar.nextcloud.enable = lib.mkForce false; + config = { + boot.plymouth.enable = lib.mkForce false; + pub-solar.nextcloud.enable = lib.mkForce false; + }; } diff --git a/hosts/giggles/hardware-configuration.nix b/hosts/giggles/hardware-configuration.nix index 3f33b6ee..cfc5cf70 100644 --- a/hosts/giggles/hardware-configuration.nix +++ b/hosts/giggles/hardware-configuration.nix 
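Review bot: `system.stateVersion = "22.11";` replaces `"21.05"` in hosts/giggles/configuration.nix, which the comment directly above warns against on an existing install because it changes defaults for stateful data. The hardware-configuration hunk that follows swaps the Raspberry Pi SD image for a LUKS/ZFS layout with fresh UUIDs, so this reads as a reinstall, where the bump is correct; a note like `# reinstalled on LUKS+ZFS with the 22.11 installer, hence the new stateVersion` would stop a later reader from treating it as an accidental change. Dropping `networking.firewall.allowedTCPPorts = [ 22 ];` is fine because the openssh module opens its own port by default.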
@@ -4,22 +4,58 @@ { config, lib, pkgs, modulesPath, ... }: { - imports = [ - "${fetchTarball { - url = "https://github.com/NixOS/nixos-hardware/archive/8f1bf828d8606fe38a02df312cf14546ae200a72.tar.gz"; - sha256 = "11milap153g3f63fcrcv4777vd64f7wlfkk9p3kpxi6dqd2sxvh4"; - } - }/raspberry-pi/4" - ]; + imports = + [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; - fileSystems = { - "/" = { - device = "/dev/disk/by-label/NIXOS_SD"; - fsType = "ext4"; - options = [ "noatime" ]; + boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + boot.initrd.supportedFilesystems = [ "zfs" ]; + boot.supportedFilesystems = [ "zfs" ]; + + boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18; + + boot.initrd.luks.devices = { + cryptroot = { + device = "/dev/disk/by-uuid/ef5804e2-2b07-4434-8144-6ae7d9f615e2"; + keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04020116120721075123-0:0-part1"; + bypassWorkqueues = true; + fallbackToPassword = true; }; }; - # Enable GPU acceleration - #hardware.raspberry-pi."4".fkms-3d.enable = true; + fileSystems."/" = + { + device = "zroot/root"; + fsType = "zfs"; + }; + + fileSystems."/boot" = + { + device = "/dev/disk/by-uuid/2F05-9B4A"; + fsType = "vfat"; + }; + + fileSystems."/var/lib/rancher/k3s/storage" = + { + device = "zroot/kubernetes-localstorage"; + fsType = "zfs"; + }; + + swapDevices = + [{ device = "/dev/disk/by-uuid/ddad2310-57b5-4851-a7bd-280d7182bcec"; }]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. 
+ networking.useDHCP = false; + networking.interfaces.eth0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlan0.useDHCP = lib.mkDefault true; + networking.hostId = "71f2d82a"; + + powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; } diff --git a/hosts/giggles/home-controller.nix b/hosts/giggles/home-controller.nix new file mode 100644 index 00000000..ac7cfc01 --- /dev/null +++ b/hosts/giggles/home-controller.nix @@ -0,0 +1,53 @@ +{ self, config, pkgs, ... }: + +{ + config = { + age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age"; + age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_giggles_wireguard_key.age"; + + pub-solar.home-controller = { + enable = true; + role = "server"; + ownIp = "10.0.1.11"; + + k3s = { + enableLocalStorage = true; + enableZfs = true; + }; + + wireguard = { + privateKeyFile = "/run/agenix/home_controller_wireguard"; + peers = [ + { + # cube + publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk="; + allowedIPs = [ "10.0.1.5/32" ]; + endpoint = "data.gssws.de:51899"; + persistentKeepalive = 25; + } + { + # cox + publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k="; + allowedIPs = [ "10.0.1.12/32" ]; + endpoint = "cox.local:51899"; + persistentKeepalive = 25; + } + { + # companion + publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0="; + allowedIPs = [ "10.0.1.13/32" ]; + endpoint = "companion.local:51899"; + persistentKeepalive = 25; + } + { + # ringo + publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw="; + allowedIPs = [ "10.0.1.21/32" ]; + endpoint = "ringo.local:51899"; + persistentKeepalive = 25; + } + ]; + }; + }; + }; +} diff --git a/hosts/harrison/configuration.nix b/hosts/harrison/configuration.nix index 11300270..caadafed 100644 --- a/hosts/harrison/configuration.nix +++ b/hosts/harrison/configuration.nix 
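Review bot: The `k3s` block in hosts/giggles/home-controller.nix sets only `enableLocalStorage` and `enableZfs`, while the companion and cox server files also pass `serverAddr = "https://api.kube:6443";` and `tokenFile = "/run/agenix/home_controller_k3s_token";`. If giggles is meant to be the cluster-init server that the others join, that is correct but deserves a comment (`# first server: initialises the cluster, no serverAddr`); if not, the node will not join and the declared `age.secrets.home_controller_k3s_token` goes unused here. The `peers` list is otherwise the same table that appears in the other home-controller files.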
@@ -13,6 +13,7 @@ # Set your time zone. time.timeZone = "Europe/Berlin"; + time.hardwareClockInLocalTime = true; # easiest quirk for windows time offset feature # The global useDHCP flag is deprecated, therefore explicitly set to false here. # Per-interface useDHCP will be mandatory in the future, so this generated config @@ -26,6 +27,8 @@ }; networking.networkmanager.enable = lib.mkForce false; + nixpkgs.config.allowUnsupportedSystem = true; + # List services that you want to enable: # Open ports in the firewall. diff --git a/hosts/harrison/hardware-configuration.nix b/hosts/harrison/hardware-configuration.nix index 9dd07ad4..03acc91d 100644 --- a/hosts/harrison/hardware-configuration.nix +++ b/hosts/harrison/hardware-configuration.nix @@ -21,16 +21,27 @@ bypassWorkqueues = true; }; - boot.loader.grub.mirroredBoots = [ - { - devices = [ "/dev/disk/by-uuid/4B4A-B1B4" ]; - path = "/boot"; - } - { - devices = [ "/dev/disk/by-uuid/4B2C-385A" ]; - path = "/boot2"; - } - ]; + boot.loader.systemd-boot.enable = lib.mkForce false; + boot.loader.efi = { + canTouchEfiVariables = true; + efiSysMountPoint = "/boot"; + }; + boot.loader.grub = { + efiSupport = true; + enable = true; + extraEntries = '' + menuentry "Windows" { + insmod part_gpt + insmod fat + insmod search_fs_uuid + insmod chain + search --fs-uuid --set=root 02DB-F12C + chainloader /efi/Microsoft/Boot/bootmgfw.efi + } + ''; + devices = [ "nodev" ]; + }; + fileSystems = { "/" = @@ -41,8 +52,8 @@ "/boot" = { - device = "/dev/disk/by-uuid/4B4A-B1B4"; - fsType = "vfat"; + device = "/dev/disk/by-uuid/4B4A-B1B4"; + fsType = "vfat"; }; "/boot2" = diff --git a/hosts/harrison/harrison.nix b/hosts/harrison/harrison.nix index 6e2839b7..2fea3d5a 100644 --- a/hosts/harrison/harrison.nix +++ b/hosts/harrison/harrison.nix @@ -1,5 +1,6 @@ { config, pkgs, lib, ... }: with lib; +with pkgs; let psCfg = config.pub-solar; in 
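Review bot: In hosts/harrison/hardware-configuration.nix the `boot.loader.grub.mirroredBoots` entry for `/boot2` is removed, but the `"/boot2" =` fileSystems entry is still visible as context in the last hunk, so the second ESP stays mounted while GRUB no longer writes to it; either drop the mount or note in a comment that it is kept as a manual fallback. The `/boot` hunk is an indentation-only change. In configuration.nix `nixpkgs.config.allowUnsupportedSystem = true;` is added without a reason; a comment such as `# needed for <package> on <system>` (with the actual package filled in) would make it reviewable. Adding `with pkgs;` at the top of harrison.nix puts every package name into scope for the whole file and can shadow other bindings; the visible additions do not appear to use any package name, so the line looks unnecessary.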
@@ -9,8 +10,12 @@ in ]; config = { + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; + home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable { "sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf; }; + + services.teamviewer.enable = true; }; } diff --git a/hosts/redpanda/configuration.nix b/hosts/redpanda/configuration.nix index a2c29a4a..c2b2b653 100644 --- a/hosts/redpanda/configuration.nix +++ b/hosts/redpanda/configuration.nix @@ -11,6 +11,8 @@ ./hardware-configuration.nix ]; + boot.loader.systemd-boot.enable = lib.mkForce false; + # Use the GRUB 2 boot loader. boot.loader.grub.enable = true; boot.loader.grub.version = 2; diff --git a/hosts/ringo/configuration.nix b/hosts/ringo/configuration.nix index b2c934fb..5a57fe2d 100644 --- a/hosts/ringo/configuration.nix +++ b/hosts/ringo/configuration.nix @@ -7,21 +7,14 @@ { imports = [ - # Include the results of the hardware scan. ./hardware-configuration.nix + ./home-controller.nix ]; # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; - boot.initrd.luks.devices."cryptroot" = { - device = "/dev/disk/by-uuid/bd1ebf98-adc1-4868-842f-3d2c6ee04e13"; - keyFile = "/dev/disk/by-partuuid/9ff6ebf7-01"; - }; - - networking.hostName = "ringo"; # Define your hostname. - # Set your time zone. time.timeZone = "Europe/Berlin"; @@ -29,16 +22,7 @@ # Per-interface useDHCP will be mandatory in the future, so this generated config # replicates the default behaviour. networking.useDHCP = false; - networking.interfaces.enp0s25 = { - ipv4.addresses = [{ - address = "10.9.0.2"; - prefixLength = 24; - }]; - wakeOnLan = { - enable = true; - }; - }; - networking.interfaces.wlp3s0.useDHCP = true; + networking.interfaces.enp0s25.useDHCP = true; # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions 
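Review bot: `services.teamviewer.enable = true;` in hosts/harrison/harrison.nix starts the TeamViewer daemon — a proprietary service that accepts inbound remote-control sessions through the vendor's relay network — unconditionally at boot and with no comment on why. If it is only needed occasionally, gating it behind a host option or at least documenting the reason (`# remote support for <use>`) keeps that exposure deliberate rather than accidental. `boot.binfmt.emulatedSystems = [ "aarch64-linux" ];` likewise deserves a one-liner, presumably `# build the aarch64 Pi hosts from this machine`.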
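Review bot: The ringo configuration hunk removes the `boot.initrd.luks.devices."cryptroot"` block together with the static `10.9.0.2/24` address and wake-on-LAN on `enp0s25`, while the following hardware-configuration hunk changes only the `/boot` UUID. If the root filesystem is still the LUKS volume, dropping the initrd entry makes the machine unbootable; if ringo was reinstalled without encryption, that is a step back in at-rest protection compared with the other nodes, which all keep `cryptroot`, and should be stated in the commit message. The removed `networking.hostName = "ringo";`, like the removed giggles hostname, relies on something else setting the name.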
diff --git a/hosts/ringo/hardware-configuration.nix b/hosts/ringo/hardware-configuration.nix index 408dcf02..d16bc928 100644 --- a/hosts/ringo/hardware-configuration.nix +++ b/hosts/ringo/hardware-configuration.nix @@ -26,7 +26,7 @@ fileSystems."/boot" = { - device = "/dev/disk/by-uuid/9D1D-EE08"; + device = "/dev/disk/by-uuid/47ED-2F0B"; fsType = "vfat"; }; diff --git a/hosts/ringo/home-controller.nix b/hosts/ringo/home-controller.nix new file mode 100644 index 00000000..3f679ba4 --- /dev/null +++ b/hosts/ringo/home-controller.nix @@ -0,0 +1,43 @@ +{ self, config, pkgs, ... }: + +{ + config = { + age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age"; + age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_ringo_wireguard_key.age"; + + pub-solar.home-controller = { + enable = true; + role = "agent"; + ownIp = "10.0.1.21"; + + k3s = { + serverAddr = "https://api.kube:6443"; + tokenFile = "/run/agenix/home_controller_k3s_token"; + }; + + wireguard = { + privateKeyFile = "/run/agenix/home_controller_wireguard"; + peers = [ + { + # giggles + publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg="; + allowedIPs = [ "10.0.1.11/32" ]; + endpoint = "giggles.local:51899"; + } + { + # cox + publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k="; + allowedIPs = [ "10.0.1.12/32" ]; + endpoint = "cox.local:51899"; + } + { + # companion + publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0="; + allowedIPs = [ "10.0.1.13/32" ]; + endpoint = "companion.local:51899"; + } + ]; + }; + }; + }; +} diff --git a/secrets/cube_nextcloud_admin_pass.age b/secrets/cube_nextcloud_admin_pass.age new file mode 100644 index 00000000..5b1ebf69 --- /dev/null +++ b/secrets/cube_nextcloud_admin_pass.age 
@@ -0,0 +1,20 @@ +age-encryption.org/v1 +-> ssh-ed25519 hPyiJw wG1VH/Rd8D9VhI2nUdKN8ev8GmDTmByYojrAGXiVQ0c +Ce5LdJLYhXZxozhrFZOCCcG6DvDlzcwHUp7rsAAYMb4 +-> ssh-ed25519 YFSOsg KWrIirfADk9OlVVF/SvnyE4P4JWorWhcShIWMLaYezg +kjNaCLQRKwrLKWT6H6mygsawWXas1alwf/rPbpgnIbE +-> ssh-rsa 42S2Dw +GlF0Iwkmi2IukEP4aghJLQP4QUv8Lt2qPBsysz/NIfPxtxuVgnphqmbtZ3ylKURL +iWQbDwvNG3DBQMgbFUTtLpp48yZ++ZWfVCLJxylifoo8Fk1/edOieiQxmKySFIiS +RBDjal+JFIAMQVa4i9zTJ2HolgFGioq7fsQgimjhhcTpbPWF0YgbeFlD/Bx3Uc3D +QXHkPGTWWJr8nmsBLW0erQKuT+2pTy3Yo00BmYYfaHhRSWPxaRiUvlQzqwfEJGZy +N8CWyU8JqacMQfFfMVYYNR8qHGv5p5nu9FtJPQFWz79TB0j0OaowW8VuhP70UVI1 +QvZLDCv1JN4fd9TqDqgcnA +-> ssh-ed25519 iHV63A b0w5AmQtO1FWnySOYDh3JIWkiFM05WNz9M4H67GVZEM +suTrfziEta0t9iGJxx+tcvi6BzQS1NJxPmCnPBx5ViU +-> ssh-ed25519 uTVbSg rMwuqUqpr40KdbuOZnhi9Bya/Ql2F8HfZdAQvcw3JUY +vVF6J8lzQNXnHgzEMzwkcrOGSExKJmPBmuxDklQ7TGA +-> ? ssh-ed25519 hPyiJw 4cMG8rywMIHkCJO0vbcnD46xPHZKTbUFi/bKKPLJW0c +aOmQ7lws7MIDNE7xejtcomQAtRuXjHd+VSGGy805cUk +-> ssh-ed25519 YFSOsg UnTniCyloz+bfIlKsgGvQflAOCIwdNBuKIM64ZZ7fSI +/Q6KAn80cNs38LgOxZhg9tXmAtJJKw5VpN9lfPqNuhc +-> ssh-rsa 42S2Dw +FoosAbMAGlculUJOkL+9U2Wajf80dgUY+Acd2MQDbeSR/A/hE+NOv3JtH2Sx9weD +ww2n/K5uKQhFKrTVIRn5Bp1qYnay2FIn6lz0zu1I2tqmGFCMiR+RhTnrcxFztNjQ +dYbs4F9mvCDmyn9tShTzqAxnClWCdOHkrXBuCMAg08tp5cjAPqaSMdE0wFn5Jvhg +DY5nHJWlxbZcGEhJSW2mxKb+HP4ecZ5FY0Uf4qYn/FTcKm7K80Pojg/e72XV7sq9 +04dPKpa162G53BKQXCmv55L6D81YepydA0wAoeTXXfC1E+DxeWfHrsmF80qdEnBg +ZpPIRWdSBs61zqp4XavsSw +-> ssh-ed25519 iHV63A mumH3Brpcqa3t8Q495yyV9vn8AKalaf2WchgmsirN2Q +fk5iQUYBlUiq+8Nblb5H9mhJarPONiyuOG3ioknlbzk +-> ssh-ed25519 uTVbSg O5xBbchEqAsFJtU4kCZo4gqpByHNAnZO0Ik7p5fwFAM +e+adn+gDYIF2BW0N1zoHZj+/mciN60rVcCPs9OplLsE +-> ,-grease M6FrPQz + B{ +QAdvJryfCY0NJ0XU5sC9D5J2KnHIxCcjBi7iFlehcB56qrdQbSPsL+ysZVqTzfQx +QjDs0lXBKqL2f0g0cWiM9Q +--- Vl5VtidJZtEk19VojwdWLaGJGsIRkvwRTjW0mdnTqiM +T_%2y͌WKhceThڝX $TR9;$ \ No newline at end of file 
diff --git a/secrets/home_controller_companion_wireguard_key.age b/secrets/home_controller_companion_wireguard_key.age new file mode 100644 index 00000000..25d9ab44 --- /dev/null +++ b/secrets/home_controller_companion_wireguard_key.age 
@@ -0,0 +1,20 @@ +age-encryption.org/v1 +-> ssh-ed25519 hPyiJw tQeQac/fLw4UXYx/SXj46HPeG6oPKY4U8IJJI89Fv3c +rB6bWP8ba0kAA9qwcq81rTDgmerGORN4jAE5Usrz1tY +-> ssh-ed25519 YFSOsg W1SJl0W8oRo5ApD+40puyRae+MDhsxd6Miv6vHaeXn4 +Z1xqbXD5r0Lo9XvouS967LxnxEX9arLhylZJnFLG0aM +-> ssh-rsa 42S2Dw +t48CWYrVFfH1x59IYXJtfkeONo1QPnqN6VMwVzMh0c0Vm5U2OFfAml+/6Kit4QWI +u7PASBpg+GRsQmoWC9hFJsCDiikg5NIhyBO4feSS+4Cus+8Xr9cSPjYg5EKsgoOd ++HpTrPhiNG1Wy2pE4kkxSsS5pKOcdIezU+DfqookoXALLneUIUEsaHYCmdOLwE21 +yRzWxiXavQKnvabxnqISYeBK+aHNGtd8hczhnoM8oR7qTaNQwfuQoVa8te0MLTIK +EXIuev6vESPFtdo3gGJUSbmlXY9hH0tumFFgug185oJwkp745rWKM4QlFEB5fNGR +LE54GOkv9sF3+Wij/ELHAA +-> ssh-ed25519 iHV63A OOf5Cx0vckL1ve6WOzL0IAhIKasXAjodubuyKbWKv1Q +1av0Vqos3YsycBFpncCvP69RunBwCQ4oSextLvR9P+Y +-> ssh-ed25519 t1M4HQ j2B7jugQZy124AM5f0JK+id4W2TN6n4C0c/HUNFfLU8 +BJr18XJI/XzFgH32nXKZb5SdBbU8raRCKL6PWgad5cs +-> QwO-grease *8]/h/ 7|S +LM23rOF57rKeWQ +--- 7xz9ru8cIHt3zksF696olmLR+vEkwDfVv0tl2stfNhM +e T|,7kZ5:A dN ssh-ed25519 hPyiJw ZGGRZr/HOQSZ1zREl5pqPE0sftSc0CLVHiKBrJ3X938 +cO/aAeVwrQp5OSAl6JTnIPfhEJmG/1rnbJAtoplTESE +-> ssh-ed25519 YFSOsg G/XSLzhX7SSsOZNWnpdLJ+m6NXyL6F/itN76CfJZzkk +sNfdi78MFpBcoAh1xPpcvWYkTWQQ2fIL6i1myHdun/U +-> ssh-rsa 42S2Dw +RuHlOwIJJhJffpJEcIpUEOX8czKVY8c+bvae1XrCSNplNV1f3CHl/WSdKfhOCC// +u1qOEiidsDxWphJu3IHjiLgTCmlnwwaISZ2bnEOkTSDNPphARrEA7JfrSyQOlZJB +Mu1qhSi5u4uGVi4Mk7TuLxCHRnjDUjDLVh96kbjiwrnAAtI/0fK64ci8rx9P1GzD +aZR1to8+uWFx3sTtr3JUA5I+azQdYb37p5ehlCrvVybcze/16oCkreSDuW88HdoD +yIXrX3tlnjJJou7LGR/s8o74ookFMT89rlkf8DXMhkPpmiUWYxCyJZ1oS6twtee2 +Gwo4twB5KIHTCmryJsZ5mA +-> ssh-ed25519 iHV63A Jun3KRgZaEfE0RmefSaa8WLdMoVLhQGH0kwK9IORaSk +IlMxqMUjdhKOciC3/KTQWIBctjyW3dVHKJpWLfVT+NI +-> ssh-ed25519 w1vtTQ 0iNKMsnq32OTGYhQNz75FszXV8ePAWTPXTSra0s/WAw +4eecaT/DX9CowOod+NRva3PiSbrgmjPerTGceN+u3mg +-> @I^"ao-grease L#%xN`Bb 6l.LN , +h77R6GmXSVnEblcP1Kxuf7kCy8DnMtAF +--- RvWj6AeYYIavoCseUazZH1lw0LFUm0mB9Ww9HeyVRio +9A7oMq#^͎3@"s(/Տ-{Ӻ[/1AY:LZ0uE'kV/ \ No newline at end of file 
diff --git a/secrets/home_controller_cube_wireguard_key.age b/secrets/home_controller_cube_wireguard_key.age new file mode 100644 index 00000000..fcf891ab --- /dev/null +++ b/secrets/home_controller_cube_wireguard_key.age @@ -0,0 +1,20 @@ +age-encryption.org/v1 +-> ssh-ed25519 hPyiJw V5crsXjhEfj2BKe5uEjccio8m1hzjvZ1u3DU16SdmVs +gxC6r8tzwj3l7SW6kn4TXinZV2ZNgKpWsiKGn56CZgE +-> ssh-ed25519 YFSOsg Q1tpXI8ilmFt3JGx5ad8SCtZRbrbR8DgGNiu7vXQ7x4 +geB/YeAwQqJuLG0pf27W2FhuXm9SS2RRoqe2UaV2U4o +-> ssh-rsa 42S2Dw +KWliiGsVgLgkkY1DkKNsNtBUzfKSX820nJfLLOMBgFcil78IJz+Sw5Ns6NFLR7Xe ++o+HsUxcnLOXhDYMImR9SALYL6TwLdqp1C+LAQ8HXri35IyERU2uqMXdkzYREn4f +4c4JlCbtCy6F+8nFy0OkK/VtV/yoBpnDMtjDk9wdHYBouSGX91/8QwNUu1L0m0V1 +dvYVjk/tCPDsk3TYGFAR7lG328jt3khqVAV+rcvwwTPzD+jBCkbyGCFQ5N3xZBGI +Wa3xMB+P9ojv4XAfde0eK+6N0uPvoMvnmPGguJTXiaCEgw8K/ILV6PuhkSyo4Wea +EytCf4k42l7wjwG4LWFWZA +-> ssh-ed25519 iHV63A o/IPrEtX8l4ZWCcC/yJWGRUAPDPX7vMJKBvm7ngWRjE +YoXHRtVmNXlxJ4uJqs7jNW/2pBnjMroj1AlLiERLQGk +-> ssh-ed25519 uTVbSg WF+8m47L2GWewOEK36k3g+Ozv1JC20cfswQ0ksbhhzs +w5qbtYBfnrKOB4/ZTiD8Qsd42NibKcgbL9AYQKx9bnM +-> y-grease y>]"'a W " +w265AhhbaGNvdOMRX4xs+w +--- /proerdf6QHIKGNWA0vTE+ZPNuvbJBGhpMEt0DscFgQ +md]وG(nhłLARRjMU Vȏ%M^ oЋJ QDn \ No newline at end of file diff --git a/secrets/home_controller_giggles_wireguard_key.age b/secrets/home_controller_giggles_wireguard_key.age new file mode 100644 index 00000000..3f013f1e --- /dev/null +++ b/secrets/home_controller_giggles_wireguard_key.age 
@@ -0,0 +1,20 @@ +age-encryption.org/v1 +-> ssh-ed25519 hPyiJw gEHEUHodm0u6YauWsDFycNYfBlNEncGz6cGiFVbMSQw +eb/YlV8CeU2GZaoREi8n4CB6O+bltLjwARBh1SvPHuU +-> ssh-ed25519 YFSOsg oObR84uRNYEhcbdILnSni61pMzaNQcbMSV8CMdUFCVs +hZeKavP58fmaxjpZwHDSNf2QnUqn5GqeSx/MVbWM8w0 +-> ssh-rsa 42S2Dw +W/0mcDisoN/RoEshQ0gDmmYZTfSG3BRAq/PsXT9Xt0mahAqZumfdysT9T2Wkso5O +2SKVvJvP2YAGNs+d/+lnn5/I8f7qlx6K0oQ1e72Y9ZNmoxgZmL3h2jBR3x+GfgG8 +Qp57nfvoF4js2JyC2MSUm3CjOppxDN/BM2v5qOTuPB5/K3bPOP1iBdENH71f9d64 +PK/7HZA1BTtn4jOWYQ52BZIcOjiA9JoVO6HFvB7d5UobasbbXDhO6ZgZ3aWdsDE4 +/0S099FWbvzTk8aITl5qSphQy0Pgp+yeTobx1Hn/b6vokoNIwaMZniOVd1mS0CuU +DL8SGpuQUeOl+27sstHfUw +-> ssh-ed25519 iHV63A 34vhrBbCb4J5xzjoa9o4hWokszJER12Pfd/s8RGxfg4 +2p8SUyhXdks06NJPZMkbKcdsn+YB3+/Ksaipc72mBvg +-> ssh-ed25519 AsPNJg bAYRIQICTPeVri4/qkBBedxmm08TNoBMseEauYtTkX8 +ZeNmjU+oG4qYSMREtv7QdbRLf3SAmdHnX63eiHjvcOU +-> J._|'iH-grease VaQ1S' W7^S -r HJ' +KbnGq5EUW0HcQ4v7n8Gh/4R/Y55bXYOuSPNt2jXTbog +--- Bk+tEcikn4Gd90ou6llBA1nYq+mRGdfB1TaJvIOYEaw +ML7|2F'ZoZ{?J,m\GRaa\t<5 \ No newline at end of file diff --git a/secrets/home_controller_k3s_server_token.age b/secrets/home_controller_k3s_server_token.age new file mode 100644 index 00000000..c1a4c1d2 --- /dev/null +++ b/secrets/home_controller_k3s_server_token.age 
@@ -0,0 +1,31 @@ +age-encryption.org/v1 +-> ssh-ed25519 hPyiJw B7i7cir4NIqIxeuwN7lBZiHLaLDNwSD5ZJLs0iYidDo +fmj7NzNi4DT805TlhjtyMXa1dcu7rGVIllQG4ALtJdo +-> ssh-ed25519 YFSOsg SpldcBYdyAYW4W+U4JrgkcA8Y5+YnPjW78OISjviDz8 +Czi1SkmtvFmko+fP2hdCanpWJKpo/KndE/MI8BcJVxQ +-> ssh-rsa 42S2Dw +EvIS2maHrEa4Qyhrp3TJ/LULJkdCixIEcvI2HS9SUhVRIJS6jpY/Z+pW+XZqxEgk +P7sp1CjRsjRZ4RZsgBUsgdO4mRnUtSkrTTLzrS84d3QG1QfjQphtF/BSt2+8t1nw +S/XVZWu/LyFb8Z3TbhVkf3vx7ujIBwjdFj+LiUmEYwB4o57MWKH9aCcvyMLZF4Ne +AltRXfkGkEVt7Yn0iKwb8yHaqMPa5CjfjDP9ybLp/my08/pZEQTVduKe/Q6p09DM +8gEF1uVM+3BxXf7yAvt8fW80Hgm21VnYUq0h6exDZaaf0wLPOh0kRnN1MDqK2tjO +uxre1sro1ZQx5CPCXD4ICQ +-> ssh-ed25519 iHV63A Toc315/VlOneCwbLzcp2fDqHZSMDNtSprquR3BOVfAg +ZeEZEdla/o/sAa7Tbh4NY5qqrNkWfHqpbvUokSofC5A +-> ssh-ed25519 AsPNJg ui5FmbBKlKQ69R38yqlFURrMBTX1n7ysQP7mBo9SSRQ +c7dp6ewRp/5rHThk/oGcaaCxNwmBWTcfVSK4IrHJh2M +-> ssh-ed25519 w1vtTQ 7ToJvl/p9DzxX0v/b7nNOIfdgyb85Ja6862Tw2HLLyo +PkEaeBdx60i9mX6t5Ue5PeabY4COffefCSt65H5hRxU +-> ssh-ed25519 t1M4HQ 14NmP2HdhTouv66lkTKPEKh7HANgEUIek8FA8wAntSU +ZZ+Mc8m/Pb16Vbxc9bOZtXJ+0ZXv/YiV30LiKra55cM +-> ssh-ed25519 uTVbSg 1151u2eVy3izoghgXS1zPukpbSiZo6Mc+JTtCNqrqxE +5NGufz7+RjYTy4gUfAHjV/g8VdF5FxPcB3GUzafotn8 +-> ssh-ed25519 4eCLig NAsWZu3MFuCEgi/Fm+2kB04A8ZckvTP5ueLjB2NKZDg +5DKhLww7UKvOxPveJTtuc7jGk/9cypM9UadP1A8C6Ko +-> t-grease > 8z4 `,R~f.lb +K0DjBt5R459zTRkIA58mcIYl+Na5m+1SIXbezHjWZy2q1cIX8L331Du4SE6/UCCR +e3Q +--- ZjP/FefBuH6f+bEQpgqeiL3Uj+f9AbSCVRQni7pYyjQ +6{{;5%n@~Nn!EϷA&â `v-5{ P +8'm7p1 bn#0"=~"}@89eB +/*Uo <.E)t2fXo9FQG) \ No newline at end of file diff --git a/secrets/home_controller_ringo_wireguard_key.age b/secrets/home_controller_ringo_wireguard_key.age new file mode 100644 index 00000000..5a41c0e3 --- /dev/null +++ b/secrets/home_controller_ringo_wireguard_key.age 
@@ -0,0 +1,21 @@ +age-encryption.org/v1 +-> ssh-ed25519 hPyiJw zHWVBLJi1r1M3C/3Xf1rCOOXhjihjYuF4f0ZsRo4dWI +sB14DJ0gjz2Z9+oJG/RBAl5GJ31NOjUJmpSvKwmkEVU +-> ssh-ed25519 YFSOsg RHtbqm+jWVTkXqyTWRblggdgfbp2OOJmCqieDhI4+HI +0lc7kKOQL3Abo8UyjXfRHvDcq+dOvPe0q7izfycZkj8 +-> ssh-rsa 42S2Dw +QnOc7ZIigTURoIjglNY64KzZh8QbhE2TbioIP88F9OztV/1umy5hniBNYrE3grd2 ++nQSdBEHsHKgyElC3VvdKQ9RvzrbrDHnNt4oBgmH70KfAQzH1wehOvofcNMlu0+B +0ddUjo9BEf5VtxKY4fdUFLoROBv/rIMCuCR69NE4KfS/Cl7I+saWUOzoRVcZKsBc +XmYYCTDezlVOT0dtoRDJT0PBimXQZ+3D9Fj7VKUOobggUiQBOH7irvpKy/JFG6+0 +C5CRDZKPp4XOKfz/XAqIxbkyzxF6ZRpmXz+QJhHXTCJfWdRMfUl45YO5r/fX6ybV +vqZnYo4ytlZtIaoe0ipFJQ +-> ssh-ed25519 iHV63A WkP5FVc9iS9OEQMr2E+ewVvBS1ppHnuCWqGTvdvBY38 +kxdQm6sXkGlFId0KEoMqcbyXII5G1En0g9I6WObwNpk +-> ssh-ed25519 4eCLig /lrGyo78vdS92cFFs3aS8R/BcM+QDLspab0ftIZU9WE ++rvfUcml+WEDzZ9B6WbSvfwh+ceHygGIvHsw4UME94k +-> u\-grease JD#pg \__| M\j|M +9RN98je/hB0 +--- JoemHAPRRKWcsEMIOEU1Cq8AyPFTtz3qYqCgyeonyrs + +"SnqRvKRUsF+E}ݻ^)xx\_S' /2bx]Sr؄ \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index bac30e03..9a649db0 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -1,9 +1,33 @@
 let
 # set ssh public keys here for your system and user
- system = "";
- user = "";
- allKeys = [ system user ];
+ user_hensoko_nitrokey_1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/58A18EtxnLYHu63c/+AyTSkJQSso/VVdHUFGp1CTk cardno:FFFE34353135";
+
+ user_hensoko_harrison = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb hensoko@harrison";
+ user_hensoko_norman_1 = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+euxPp6bHXw61UeUqTGHH8Ub2L+Sy1iteupv/AGudgoVNp2GebqJy1cxQ74mgnL8eWMlaA9jZlKQ1xFFhgtolCsoAKTE9AE8X0egvmEM18fEUR3EWWchmX4MXUhUiOtwitkl4+EpSsp5rh/kIxcpQFz1dpBibroq6jDLKlrVou+2LppR8nMfFT2sqg3694Ltxz4CWMdAfitLax05ckKMAnzz+TgpXK5OyfQSBvl18Qu1SWITYa6AVNXQ7/ovWBDIUfg25GWouzWqkSUpLdCVIcXPe2X7g6X1QsHXnnhaMAhvYH54GZ4wU2kBwIJ6KvplfZdbJ09KAltPVt08evafb hendriksokolowski@hsokolowski-pc";
+ user_hensoko_norman_2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work";
+
+ users = [ user_hensoko_nitrokey_1 user_hensoko_harrison user_hensoko_norman_1 user_hensoko_norman_2 ];
+
+ system_giggles = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKOLyNmSzxVpVQtTWhkH48e03nFDdskE08N4L81MZcLZ root@nixos";
+ system_cox = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNr7q7eAkROtdvTmw96Q5tZu9W4jt31OCjc6L8uM5Uv root@nixos";
+ system_companion = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINjIyVeAPsIpUTsB5bPEjmJeRFN8Xp3PD9a/41yPp3HM root@nixos";
+
+ system_cube = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5ok5tIuDKYpIw3KVmUnqBSDJ1QriWQJ04IVLF1Kaig root@nixos";
+ system_ringo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5g8CfSiMxboEJT2U92JoYdnv0nsArBPW/vfTEsUWZO root@nixos";
+
+ systems_home_controller = [ system_giggles system_cox system_companion system_cube system_ringo ];
+ allKeys = users ++ systems_home_controller;
 in
 {
- "secret.age".publicKeys = allKeys;
+ "home_controller_giggles_wireguard_key.age".publicKeys = users ++ [ system_giggles ];
+ "home_controller_cox_wireguard_key.age".publicKeys = users ++ [ system_cox ];
+ "home_controller_companion_wireguard_key.age".publicKeys = users ++ [ system_companion ];
+
+ "home_controller_cube_wireguard_key.age".publicKeys = users ++ [ system_cube ];
+ "cube_nextcloud_admin_pass.age".publicKeys = users ++ [ system_cube ];
+ "cube_nextcloud_db_pass.age".publicKeys = users ++ [ system_cube ];
+
+ "home_controller_ringo_wireguard_key.age".publicKeys = users ++ [ system_ringo ];
+
+ "home_controller_k3s_server_token.age".publicKeys = users ++ systems_home_controller;
 }
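Review bot: `allKeys = users ++ systems_home_controller;` is now dead — no entry in the attrset references it once `"secret.age"` is dropped — so either remove it or use it for the one secret that really is encrypted to every key, `"home_controller_k3s_server_token.age".publicKeys = allKeys;`. That entry is also the one to look at from a least-privilege angle: every agent host can decrypt the server join token, so a compromised worker holds what it needs to join as a server; a separate agent-token secret scoped to the agent hosts would keep the server token on server-role machines only. Smaller point: all five `system_*` keys carry the comment `root@nixos`, so a pasted key cannot be matched back to its host — since age ignores the comment, rewriting it to `root@giggles` etc. costs nothing. `cube_nextcloud_db_pass.age` is declared here but I can't see a file header for it in the visible span (it may be hidden in the binary residue after cube_nextcloud_admin_pass.age); worth verifying it is in the commit, since a host config that references a missing .age file fails at deploy.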