Add / update hosts, add secrets

This commit is contained in:
Hendrik Sokolowski 2022-08-13 11:12:00 +02:00
parent 8144c332d1
commit ae0cd2e1fd
38 changed files with 1051 additions and 104 deletions

View file

@ -0,0 +1,16 @@
{ config, pkgs, lib, ... }:
with lib;
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
imports = [
./configuration.nix
];
config = {
boot.plymouth.enable = lib.mkForce false;
pub-solar.nextcloud.enable = lib.mkForce false;
};
}

View file

@ -0,0 +1,63 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }:
{
imports =
[
./hardware-configuration.nix
./home-controller.nix
];
boot.loader.timeout = 0;
boot.loader.generic-extlinux-compatible.enable = lib.mkForce false;
boot.loader.grub = {
enable = true;
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
};
# Set your time zone.
time.timeZone = "Europe/Berlin";
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = true;
networking.interfaces.wlan0.useDHCP = false;
networking.networkmanager.enable = lib.mkForce false;
boot.loader.systemd-boot.enable = lib.mkForce false;
nix = {
extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes";
};
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
vim
wget
];
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
}

View file

@ -0,0 +1,6 @@
{ suites, ... }:
{
imports = [
./companion.nix
] ++ suites.companion;
}

View file

@ -0,0 +1,61 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.initrd.supportedFilesystems = [ "zfs" ];
boot.supportedFilesystems = [ "zfs" ];
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18;
boot.initrd.luks.devices = {
cryptroot = {
device = "/dev/disk/by-uuid/3bbde916-e12a-46a7-9eea-4f5e2aef7883";
keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04017028021722045451-0:0-part1";
bypassWorkqueues = true;
fallbackToPassword = true;
};
};
fileSystems."/" =
{
device = "zroot/root";
fsType = "zfs";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/5552-1B21";
fsType = "vfat";
};
fileSystems."/var/lib/rancher/k3s/storage" =
{
device = "zroot/kubernetes-localstorage";
fsType = "zfs";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/0545db4a-0494-44d7-927a-4c78351c4303"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
networking.hostId = "71f2d82a";
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}

View file

@ -0,0 +1,55 @@
{ self, config, pkgs, ... }:
{
config = {
age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_companion_wireguard_key.age";
pub-solar.home-controller = {
enable = true;
role = "server";
ownIp = "10.0.1.13";
k3s = {
serverAddr = "https://api.kube:6443";
tokenFile = "/run/agenix/home_controller_k3s_token";
enableLocalStorage = true;
enableZfs = true;
};
wireguard = {
privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [
{
# cube
publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk=";
allowedIPs = [ "10.0.1.5/32" ];
endpoint = "data.gssws.de:51899";
persistentKeepalive = 25;
}
{
# giggles
publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
allowedIPs = [ "10.0.1.11/32" ];
endpoint = "giggles.local:51899";
persistentKeepalive = 25;
}
{
# cox
publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
allowedIPs = [ "10.0.1.12/32" ];
endpoint = "cox.local:51899";
persistentKeepalive = 25;
}
{
# ringo
publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw=";
allowedIPs = [ "10.0.1.21/32" ];
endpoint = "ringo.local:51899";
persistentKeepalive = 25;
}
];
};
};
};
}

View file

@ -0,0 +1,64 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }:
{
imports =
[
./hardware-configuration.nix
./home-controller.nix
];
boot.loader.timeout = 0;
boot.loader.generic-extlinux-compatible.enable = lib.mkForce false;
boot.loader.grub = {
enable = true;
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
};
# Set your time zone.
time.timeZone = "Europe/Berlin";
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = true;
networking.interfaces.wlan0.useDHCP = false;
networking.networkmanager.enable = lib.mkForce false;
boot.loader.systemd-boot.enable = lib.mkForce false;
nix = {
#package = pkgs.nixFlakes;
extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes";
};
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
vim
wget
];
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
}

16
hosts/cox/cox.nix Normal file
View file

@ -0,0 +1,16 @@
{ config, pkgs, lib, ... }:
with lib;
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
imports = [
./configuration.nix
];
config = {
boot.plymouth.enable = lib.mkForce false;
pub-solar.nextcloud.enable = lib.mkForce false;
};
}

6
hosts/cox/default.nix Normal file
View file

@ -0,0 +1,6 @@
{ suites, ... }:
{
imports = [
./cox.nix
] ++ suites.cox;
}

View file

@ -0,0 +1,61 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.initrd.supportedFilesystems = [ "zfs" ];
boot.supportedFilesystems = [ "zfs" ];
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18;
boot.initrd.luks.devices = {
cryptroot = {
device = "/dev/disk/by-uuid/bf333b74-875f-4187-922e-4b433fb53aa2";
keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_03024516121421043657-0:0-part1";
bypassWorkqueues = true;
fallbackToPassword = true;
};
};
fileSystems."/" =
{
device = "zroot/root";
fsType = "zfs";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/6CB3-6DB8";
fsType = "vfat";
};
fileSystems."/var/lib/rancher/k3s/storage" =
{
device = "zroot/kubernetes-localstorage";
fsType = "zfs";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/7ef4a3f8-f4a6-42f5-a57d-21f502ed3dba"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
networking.hostId = "71f2d82a";
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}

View file

@ -0,0 +1,55 @@
{ self, config, pkgs, ... }:
{
config = {
age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cox_wireguard_key.age";
pub-solar.home-controller = {
enable = true;
role = "server";
ownIp = "10.0.1.12";
k3s = {
serverAddr = "https://api.kube:6443";
tokenFile = "/run/agenix/home_controller_k3s_token";
enableLocalStorage = true;
enableZfs = true;
};
wireguard = {
privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [
{
# cube
publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk=";
allowedIPs = [ "10.0.1.5/32" ];
endpoint = "data.gssws.de:51899";
persistentKeepalive = 25;
}
{
# giggles
publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
allowedIPs = [ "10.0.1.11/32" ];
endpoint = "giggles.local:51899";
persistentKeepalive = 25;
}
{
# companion
publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
allowedIPs = [ "10.0.1.13/32" ];
endpoint = "companion.local:51899";
persistentKeepalive = 25;
}
{
# ringo
publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw=";
allowedIPs = [ "10.0.1.21/32" ];
endpoint = "ringo.local:51899";
persistentKeepalive = 25;
}
];
};
};
};
}

8
hosts/cube/acme.nix Normal file
View file

@ -0,0 +1,8 @@
{ pkgs, config, ... }:
{
security.acme = {
acceptTerms = true;
defaults.email = "hensoko@gssws.de";
};
}

View file

@ -0,0 +1,42 @@
{ config, lib, pkgs, ... }:
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
./home-controller.nix
./acme.nix
./home-assistant.nix
./nextcloud.nix
];
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/disk/by-id/usb-HP_iLO_Internal_SD-CARD_000002660A01-0:0";
boot.loader.systemd-boot.enable = lib.mkForce false;
time.timeZone = "Europe/Berlin";
networking = {
useDHCP = false;
interfaces.eno1.ipv4.addresses = [{
address = "80.244.242.2";
prefixLength = 29;
}];
defaultGateway = "80.244.242.1";
nameservers = [ "95.129.51.51" "80.244.244.244" ];
};
services.openssh.ports = [ 2222 ];
networking.firewall.allowedTCPPorts = [ 2222 ];
networking.firewall.allowedUDPPorts = [ 51899 ];
networking.firewall.enable = lib.mkForce true;
system.stateVersion = "21.05"; # Did you read the comment?
}

13
hosts/cube/cube.nix Normal file
View file

@ -0,0 +1,13 @@
{ config, pkgs, lib, ... }:
with lib;
with pkgs;
let
psCfg = config.pub-solar;
in
{
imports = [
./configuration.nix
];
}

6
hosts/cube/default.nix Normal file
View file

@ -0,0 +1,6 @@
{ suites, ... }:
{
imports = [
./cube.nix
] ++ suites.cube;
}

View file

@ -0,0 +1,37 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "uhci_hcd" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{
device = "/dev/disk/by-uuid/715ef65c-6cb3-4455-99ed-fe7408935d00";
fsType = "ext4";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/e76a2e82-bf17-4287-967c-bd0f16d16875";
fsType = "ext2";
};
fileSystems."/mnt/internal" =
{
device = "/dev/disk/by-uuid/3563f624-f8ed-4664-95d0-ca8b9db1c60a";
fsType = "ext4";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/4b0b445b-ae72-439a-8aeb-cbd6a3ed73b9"; }];
}

View file

@ -0,0 +1,19 @@
{ self, pkgs, config, ... }:
{
# HTTP
services.nginx = {
virtualHosts."ha.gssws.de" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://10.0.1.254:8123";
proxyWebsockets = true;
extraConfig =
"proxy_ssl_server_name on;" +
"proxy_pass_header Authorization;"
;
};
};
};
}

View file

@ -0,0 +1,48 @@
{ self, config, pkgs, ... }:
{
config = {
age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cube_wireguard_key.age";
pub-solar.home-controller = {
enable = true;
role = "agent";
ownIp = "10.0.1.5";
k3s = {
enableLocalStorage = false;
enableZfs = false;
serverAddr = "https://api.kube:6443";
tokenFile = "/run/agenix/home_controller_k3s_token";
};
wireguard = {
privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [
{
# giggles
publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
allowedIPs = [ "10.0.1.11/32" ];
}
{
# cox
publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
allowedIPs = [ "10.0.1.12/32" ];
}
{
# companion
publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
allowedIPs = [ "10.0.1.13/32" ];
}
{
# hsha
publicKey = "sC0wWHE/tvNaVYX3QQTHQUmSTTjZMOjkQ5x/qy6qjTc=";
allowedIPs = [ "10.0.1.254/32" ];
}
];
};
};
};
}

72
hosts/cube/nextcloud.nix Normal file
View file

@ -0,0 +1,72 @@
{ self, pkgs, config, ... }:
{
age.secrets.nextcloud_db_pass = {
owner = "nextcloud";
group = "nextcloud";
file = "${self}/secrets/cube_nextcloud_db_pass.age";
};
age.secrets.nextcloud_admin_pass = {
owner = "nextcloud";
group = "nextcloud";
file = "${self}/secrets/cube_nextcloud_admin_pass.age";
};
# HTTP
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
virtualHosts."data.gssws.de" = {
enableACME = true;
forceSSL = true;
};
};
# DATABASES
services.postgresql = {
enable = true;
package = pkgs.postgresql_11;
ensureDatabases = [ "nextcloud" ];
ensureUsers = [
{
name = "nextcloud";
ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
}
];
};
systemd.services."nextcloud-setup" = {
requires = [ "postgresql.service" ];
after = [ "postgresql.service" ];
};
# NEXTCLOUD
services.nextcloud = {
enable = true;
package = pkgs.nextcloud24;
hostName = "data.gssws.de";
https = true;
#datadir = "/mnt/internal/nextcloud";
autoUpdateApps.enable = true;
autoUpdateApps.startAt = "05:00:00";
config = {
# Further forces Nextcloud to use HTTPS
overwriteProtocol = "https";
dbtype = "pgsql";
dbuser = "nextcloud";
dbhost = "/run/postgresql";
dbname = "nextcloud";
dbpassFile = "/run/agenix/nextcloud_db_pass";
adminpassFile = "/run/agenix/nextcloud_admin_pass";
adminuser = "admin";
};
};
}

View file

@ -9,9 +9,19 @@
[ [
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
./home-controller.nix
]; ];
networking.hostName = "giggles"; # Define your hostname. boot.loader.timeout = 0;
boot.loader.generic-extlinux-compatible.enable = lib.mkForce false;
boot.loader.grub = {
enable = true;
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
};
# Set your time zone. # Set your time zone.
time.timeZone = "Europe/Berlin"; time.timeZone = "Europe/Berlin";
@ -20,55 +30,17 @@
# Per-interface useDHCP will be mandatory in the future, so this generated config # Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour. # replicates the default behaviour.
networking.useDHCP = false; networking.useDHCP = false;
networking.interfaces.wlan0.useDHCP = true; networking.interfaces.eth0.useDHCP = true;
networking.interfaces.wlan0.useDHCP = false;
networking.networkmanager.enable = lib.mkForce false; networking.networkmanager.enable = lib.mkForce false;
#networking.wireless = { boot.loader.systemd-boot.enable = lib.mkForce false;
# enable = true;
# networks.DinoLan.psk = "Gelbe Enten schwimmen auf dem Wasser.";
# interfaces = [ wlan0 ];
#};
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
nix = { nix = {
#package = pkgs.nixFlakes; #package = pkgs.nixFlakes;
extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes"; extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes";
}; };
# Select internationalisation properties.
# i18n.defaultLocale = "en_US.UTF-8";
# console = {
# font = "Lat2-Terminus16";
# keyMap = "us";
# };
# Enable the X11 windowing system.
# services.xserver.enable = true;
# Configure keymap in X11
# services.xserver.layout = "us";
# services.xserver.xkbOptions = "eurosign:e";
# Enable CUPS to print documents.
# services.printing.enable = true;
# Enable sound.
# sound.enable = true;
# hardware.pulseaudio.enable = true;
# Enable touchpad support (enabled default in most desktopManager).
# services.xserver.libinput.enable = true;
# Define a user account. Don't forget to set a password with passwd.
# users.users.jane = {
# isNormalUser = true;
# extraGroups = [ "wheel" ]; # Enable sudo for the user.
# };
# List packages installed in system profile. To search, run: # List packages installed in system profile. To search, run:
# $ nix search wget # $ nix search wget
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
@ -76,18 +48,8 @@
wget wget
]; ];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
# List services that you want to enable:
# Open ports in the firewall. # Open ports in the firewall.
networking.firewall.allowedTCPPorts = [ 22 ]; # networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ]; # networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether. # Or disable the firewall altogether.
# networking.firewall.enable = false; # networking.firewall.enable = false;
@ -98,6 +60,6 @@
# this value at the release version of the first install of this system. # this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option # Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.05"; # Did you read the comment? system.stateVersion = "22.11"; # Did you read the comment?
} }

View file

@ -9,5 +9,8 @@ in
./configuration.nix ./configuration.nix
]; ];
config = {
boot.plymouth.enable = lib.mkForce false;
pub-solar.nextcloud.enable = lib.mkForce false; pub-solar.nextcloud.enable = lib.mkForce false;
};
} }

View file

@ -4,22 +4,58 @@
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
{ {
imports = [ imports =
"${fetchTarball { [
url = "https://github.com/NixOS/nixos-hardware/archive/8f1bf828d8606fe38a02df312cf14546ae200a72.tar.gz"; (modulesPath + "/installer/scan/not-detected.nix")
sha256 = "11milap153g3f63fcrcv4777vd64f7wlfkk9p3kpxi6dqd2sxvh4";
}
}/raspberry-pi/4"
]; ];
fileSystems = { boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ];
"/" = { boot.initrd.kernelModules = [ ];
device = "/dev/disk/by-label/NIXOS_SD"; boot.kernelModules = [ ];
fsType = "ext4"; boot.extraModulePackages = [ ];
options = [ "noatime" ]; boot.initrd.supportedFilesystems = [ "zfs" ];
boot.supportedFilesystems = [ "zfs" ];
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18;
boot.initrd.luks.devices = {
cryptroot = {
device = "/dev/disk/by-uuid/ef5804e2-2b07-4434-8144-6ae7d9f615e2";
keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04020116120721075123-0:0-part1";
bypassWorkqueues = true;
fallbackToPassword = true;
}; };
}; };
# Enable GPU acceleration fileSystems."/" =
#hardware.raspberry-pi."4".fkms-3d.enable = true; {
device = "zroot/root";
fsType = "zfs";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/2F05-9B4A";
fsType = "vfat";
};
fileSystems."/var/lib/rancher/k3s/storage" =
{
device = "zroot/kubernetes-localstorage";
fsType = "zfs";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/ddad2310-57b5-4851-a7bd-280d7182bcec"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
networking.hostId = "71f2d82a";
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
} }

View file

@ -0,0 +1,53 @@
{ self, config, pkgs, ... }:
{
config = {
age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_giggles_wireguard_key.age";
pub-solar.home-controller = {
enable = true;
role = "server";
ownIp = "10.0.1.11";
k3s = {
enableLocalStorage = true;
enableZfs = true;
};
wireguard = {
privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [
{
# cube
publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk=";
allowedIPs = [ "10.0.1.5/32" ];
endpoint = "data.gssws.de:51899";
persistentKeepalive = 25;
}
{
# cox
publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
allowedIPs = [ "10.0.1.12/32" ];
endpoint = "cox.local:51899";
persistentKeepalive = 25;
}
{
# companion
publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
allowedIPs = [ "10.0.1.13/32" ];
endpoint = "companion.local:51899";
persistentKeepalive = 25;
}
{
# ringo
publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw=";
allowedIPs = [ "10.0.1.21/32" ];
endpoint = "ringo.local:51899";
persistentKeepalive = 25;
}
];
};
};
};
}

View file

@ -13,6 +13,7 @@
# Set your time zone. # Set your time zone.
time.timeZone = "Europe/Berlin"; time.timeZone = "Europe/Berlin";
time.hardwareClockInLocalTime = true; # easiest quirk for windows time offset feature
# The global useDHCP flag is deprecated, therefore explicitly set to false here. # The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config # Per-interface useDHCP will be mandatory in the future, so this generated config
@ -26,6 +27,8 @@
}; };
networking.networkmanager.enable = lib.mkForce false; networking.networkmanager.enable = lib.mkForce false;
nixpkgs.config.allowUnsupportedSystem = true;
# List services that you want to enable: # List services that you want to enable:
# Open ports in the firewall. # Open ports in the firewall.

View file

@ -21,16 +21,27 @@
bypassWorkqueues = true; bypassWorkqueues = true;
}; };
boot.loader.grub.mirroredBoots = [ boot.loader.systemd-boot.enable = lib.mkForce false;
{ boot.loader.efi = {
devices = [ "/dev/disk/by-uuid/4B4A-B1B4" ]; canTouchEfiVariables = true;
path = "/boot"; efiSysMountPoint = "/boot";
};
boot.loader.grub = {
efiSupport = true;
enable = true;
extraEntries = ''
menuentry "Windows" {
insmod part_gpt
insmod fat
insmod search_fs_uuid
insmod chain
search --fs-uuid --set=root 02DB-F12C
chainloader /efi/Microsoft/Boot/bootmgfw.efi
} }
{ '';
devices = [ "/dev/disk/by-uuid/4B2C-385A" ]; devices = [ "nodev" ];
path = "/boot2"; };
}
];
fileSystems = { fileSystems = {
"/" = "/" =

View file

@ -1,5 +1,6 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
with lib; with lib;
with pkgs;
let let
psCfg = config.pub-solar; psCfg = config.pub-solar;
in in
@ -9,8 +10,12 @@ in
]; ];
config = { config = {
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable { home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable {
"sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf; "sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf;
}; };
services.teamviewer.enable = true;
}; };
} }

View file

@ -11,6 +11,8 @@
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
boot.loader.systemd-boot.enable = lib.mkForce false;
# Use the GRUB 2 boot loader. # Use the GRUB 2 boot loader.
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
boot.loader.grub.version = 2; boot.loader.grub.version = 2;

View file

@ -7,21 +7,14 @@
{ {
imports = imports =
[ [
# Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
./home-controller.nix
]; ];
# Use the systemd-boot EFI boot loader. # Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-uuid/bd1ebf98-adc1-4868-842f-3d2c6ee04e13";
keyFile = "/dev/disk/by-partuuid/9ff6ebf7-01";
};
networking.hostName = "ringo"; # Define your hostname.
# Set your time zone. # Set your time zone.
time.timeZone = "Europe/Berlin"; time.timeZone = "Europe/Berlin";
@ -29,16 +22,7 @@
# Per-interface useDHCP will be mandatory in the future, so this generated config # Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour. # replicates the default behaviour.
networking.useDHCP = false; networking.useDHCP = false;
networking.interfaces.enp0s25 = { networking.interfaces.enp0s25.useDHCP = true;
ipv4.addresses = [{
address = "10.9.0.2";
prefixLength = 24;
}];
wakeOnLan = {
enable = true;
};
};
networking.interfaces.wlp3s0.useDHCP = true;
# This value determines the NixOS release from which the default # This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions # settings for stateful data, like file locations and database versions

View file

@ -26,7 +26,7 @@
fileSystems."/boot" = fileSystems."/boot" =
{ {
device = "/dev/disk/by-uuid/9D1D-EE08"; device = "/dev/disk/by-uuid/47ED-2F0B";
fsType = "vfat"; fsType = "vfat";
}; };

View file

@ -0,0 +1,43 @@
{ self, config, pkgs, ... }:
{
config = {
age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_ringo_wireguard_key.age";
pub-solar.home-controller = {
enable = true;
role = "agent";
ownIp = "10.0.1.21";
k3s = {
serverAddr = "https://api.kube:6443";
tokenFile = "/run/agenix/home_controller_k3s_token";
};
wireguard = {
privateKeyFile = "/run/agenix/home_controller_wireguard";
peers = [
{
# giggles
publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
allowedIPs = [ "10.0.1.11/32" ];
endpoint = "giggles.local:51899";
}
{
# cox
publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
allowedIPs = [ "10.0.1.12/32" ];
endpoint = "cox.local:51899";
}
{
# companion
publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
allowedIPs = [ "10.0.1.13/32" ];
endpoint = "companion.local:51899";
}
];
};
};
};
}

View file

@ -0,0 +1,20 @@
age-encryption.org/v1
-> ssh-ed25519 hPyiJw wG1VH/Rd8D9VhI2nUdKN8ev8GmDTmByYojrAGXiVQ0c
Ce5LdJLYhXZxozhrFZOCCcG6DvDlzcwHUp7rsAAYMb4
-> ssh-ed25519 YFSOsg KWrIirfADk9OlVVF/SvnyE4P4JWorWhcShIWMLaYezg
kjNaCLQRKwrLKWT6H6mygsawWXas1alwf/rPbpgnIbE
-> ssh-rsa 42S2Dw
GlF0Iwkmi2IukEP4aghJLQP4QUv8Lt2qPBsysz/NIfPxtxuVgnphqmbtZ3ylKURL
iWQbDwvNG3DBQMgbFUTtLpp48yZ++ZWfVCLJxylifoo8Fk1/edOieiQxmKySFIiS
RBDjal+JFIAMQVa4i9zTJ2HolgFGioq7fsQgimjhhcTpbPWF0YgbeFlD/Bx3Uc3D
QXHkPGTWWJr8nmsBLW0erQKuT+2pTy3Yo00BmYYfaHhRSWPxaRiUvlQzqwfEJGZy
N8CWyU8JqacMQfFfMVYYNR8qHGv5p5nu9FtJPQFWz79TB0j0OaowW8VuhP70UVI1
QvZLDCv1JN4fd9TqDqgcnA
-> ssh-ed25519 iHV63A b0w5AmQtO1FWnySOYDh3JIWkiFM05WNz9M4H67GVZEM
suTrfziEta0t9iGJxx+tcvi6BzQS1NJxPmCnPBx5ViU
-> ssh-ed25519 uTVbSg rMwuqUqpr40KdbuOZnhi9Bya/Ql2F8HfZdAQvcw3JUY
vVF6J8lzQNXnHgzEMzwkcrOGSExKJmPBmuxDklQ7TGA
-> ?<GZ,~j-grease
jdlD7DImSTrtgtmVJVA+M0g9TNqUI7SSRIlpfGB8KL78WuSIvQWv2z0lpzot
--- 4h3KwWAMcJYCF/K/JGPS3cNpCbSDTC8mTerADBFy2to
æ½íÓ¤¾øë—L¸×(7ŸÉ„pÉOsTÏI³pJí2ÑkS[Ö¥/æþ@¶pyºí-¾{øFÚ0Žõ“¶ÏѲ ±%Ëà}º^<5E>Ô

View file

@ -0,0 +1,21 @@
age-encryption.org/v1
-> ssh-ed25519 hPyiJw 4cMG8rywMIHkCJO0vbcnD46xPHZKTbUFi/bKKPLJW0c
aOmQ7lws7MIDNE7xejtcomQAtRuXjHd+VSGGy805cUk
-> ssh-ed25519 YFSOsg UnTniCyloz+bfIlKsgGvQflAOCIwdNBuKIM64ZZ7fSI
/Q6KAn80cNs38LgOxZhg9tXmAtJJKw5VpN9lfPqNuhc
-> ssh-rsa 42S2Dw
FoosAbMAGlculUJOkL+9U2Wajf80dgUY+Acd2MQDbeSR/A/hE+NOv3JtH2Sx9weD
ww2n/K5uKQhFKrTVIRn5Bp1qYnay2FIn6lz0zu1I2tqmGFCMiR+RhTnrcxFztNjQ
dYbs4F9mvCDmyn9tShTzqAxnClWCdOHkrXBuCMAg08tp5cjAPqaSMdE0wFn5Jvhg
DY5nHJWlxbZcGEhJSW2mxKb+HP4ecZ5FY0Uf4qYn/FTcKm7K80Pojg/e72XV7sq9
04dPKpa162G53BKQXCmv55L6D81YepydA0wAoeTXXfC1E+DxeWfHrsmF80qdEnBg
ZpPIRWdSBs61zqp4XavsSw
-> ssh-ed25519 iHV63A mumH3Brpcqa3t8Q495yyV9vn8AKalaf2WchgmsirN2Q
fk5iQUYBlUiq+8Nblb5H9mhJarPONiyuOG3ioknlbzk
-> ssh-ed25519 uTVbSg O5xBbchEqAsFJtU4kCZo4gqpByHNAnZO0Ik7p5fwFAM
e+adn+gDYIF2BW0N1zoHZj+/mciN60rVcCPs9OplLsE
-> ,-grease M6FrPQz + B{
QAdvJryfCY0NJ0XU5sC9D5J2KnHIxCcjBi7iFlehcB56qrdQbSPsL+ysZVqTzfQx
QjDs0lXBKqL2f0g0cWiM9Q
--- Vl5VtidJZtEk19VojwdWLaGJGsIRkvwRTjW0mdnTqiM
¾ÕT_Á‰åŸŽ%<25>Õ2ò³yÍŒWÄK¿õ²hc¤<63>eThÚ<68>ÁçX‰º š$™õ¶å×TR9;æ$

View file

@ -0,0 +1,20 @@
age-encryption.org/v1
-> ssh-ed25519 hPyiJw tQeQac/fLw4UXYx/SXj46HPeG6oPKY4U8IJJI89Fv3c
rB6bWP8ba0kAA9qwcq81rTDgmerGORN4jAE5Usrz1tY
-> ssh-ed25519 YFSOsg W1SJl0W8oRo5ApD+40puyRae+MDhsxd6Miv6vHaeXn4
Z1xqbXD5r0Lo9XvouS967LxnxEX9arLhylZJnFLG0aM
-> ssh-rsa 42S2Dw
t48CWYrVFfH1x59IYXJtfkeONo1QPnqN6VMwVzMh0c0Vm5U2OFfAml+/6Kit4QWI
u7PASBpg+GRsQmoWC9hFJsCDiikg5NIhyBO4feSS+4Cus+8Xr9cSPjYg5EKsgoOd
+HpTrPhiNG1Wy2pE4kkxSsS5pKOcdIezU+DfqookoXALLneUIUEsaHYCmdOLwE21
yRzWxiXavQKnvabxnqISYeBK+aHNGtd8hczhnoM8oR7qTaNQwfuQoVa8te0MLTIK
EXIuev6vESPFtdo3gGJUSbmlXY9hH0tumFFgug185oJwkp745rWKM4QlFEB5fNGR
LE54GOkv9sF3+Wij/ELHAA
-> ssh-ed25519 iHV63A OOf5Cx0vckL1ve6WOzL0IAhIKasXAjodubuyKbWKv1Q
1av0Vqos3YsycBFpncCvP69RunBwCQ4oSextLvR9P+Y
-> ssh-ed25519 t1M4HQ j2B7jugQZy124AM5f0JK+id4W2TN6n4C0c/HUNFfLU8
BJr18XJI/XzFgH32nXKZb5SdBbU8raRCKL6PWgad5cs
-> QwO-grease *8]/h/ 7|S
LM23rOF57rKeWQ
--- 7xz9ru8cIHt3zksF696olmLR+vEkwDfVv0tl2stfNhM
ž´e T|,7kZ5:A džNê<IU™èÙo« °ëN‡»+w„Ho<48>âö°éÄ#NŒg©(du)̱-Sð° 4è?`Þz

View file

@ -0,0 +1,20 @@
age-encryption.org/v1
-> ssh-ed25519 hPyiJw ZGGRZr/HOQSZ1zREl5pqPE0sftSc0CLVHiKBrJ3X938
cO/aAeVwrQp5OSAl6JTnIPfhEJmG/1rnbJAtoplTESE
-> ssh-ed25519 YFSOsg G/XSLzhX7SSsOZNWnpdLJ+m6NXyL6F/itN76CfJZzkk
sNfdi78MFpBcoAh1xPpcvWYkTWQQ2fIL6i1myHdun/U
-> ssh-rsa 42S2Dw
RuHlOwIJJhJffpJEcIpUEOX8czKVY8c+bvae1XrCSNplNV1f3CHl/WSdKfhOCC//
u1qOEiidsDxWphJu3IHjiLgTCmlnwwaISZ2bnEOkTSDNPphARrEA7JfrSyQOlZJB
Mu1qhSi5u4uGVi4Mk7TuLxCHRnjDUjDLVh96kbjiwrnAAtI/0fK64ci8rx9P1GzD
aZR1to8+uWFx3sTtr3JUA5I+azQdYb37p5ehlCrvVybcze/16oCkreSDuW88HdoD
yIXrX3tlnjJJou7LGR/s8o74ookFMT89rlkf8DXMhkPpmiUWYxCyJZ1oS6twtee2
Gwo4twB5KIHTCmryJsZ5mA
-> ssh-ed25519 iHV63A Jun3KRgZaEfE0RmefSaa8WLdMoVLhQGH0kwK9IORaSk
IlMxqMUjdhKOciC3/KTQWIBctjyW3dVHKJpWLfVT+NI
-> ssh-ed25519 w1vtTQ 0iNKMsnq32OTGYhQNz75FszXV8ePAWTPXTSra0s/WAw
4eecaT/DX9CowOod+NRva3PiSbrgmjPerTGceN+u3mg
-> @I^"ao-grease L#%xN`Bb 6l.LN ,
h77R6GmXSVnEblcP1Kxuf7kCy8DnMtAF
--- RvWj6AeYYIavoCseUazZH1lw0LFUm0mB9Ww9HeyVRio
9Aêð7oMÐqÖ#^ÍŽ3@"£Ësõõ‚‚(/Õ<>„¡-{¯ô¯§Óº„¨™[/1AY‰:¦ÉìLZ0<5A>¹üuÄE'¡ákÔVƒ/à

View file

@ -0,0 +1,20 @@
age-encryption.org/v1
-> ssh-ed25519 hPyiJw V5crsXjhEfj2BKe5uEjccio8m1hzjvZ1u3DU16SdmVs
gxC6r8tzwj3l7SW6kn4TXinZV2ZNgKpWsiKGn56CZgE
-> ssh-ed25519 YFSOsg Q1tpXI8ilmFt3JGx5ad8SCtZRbrbR8DgGNiu7vXQ7x4
geB/YeAwQqJuLG0pf27W2FhuXm9SS2RRoqe2UaV2U4o
-> ssh-rsa 42S2Dw
KWliiGsVgLgkkY1DkKNsNtBUzfKSX820nJfLLOMBgFcil78IJz+Sw5Ns6NFLR7Xe
+o+HsUxcnLOXhDYMImR9SALYL6TwLdqp1C+LAQ8HXri35IyERU2uqMXdkzYREn4f
4c4JlCbtCy6F+8nFy0OkK/VtV/yoBpnDMtjDk9wdHYBouSGX91/8QwNUu1L0m0V1
dvYVjk/tCPDsk3TYGFAR7lG328jt3khqVAV+rcvwwTPzD+jBCkbyGCFQ5N3xZBGI
Wa3xMB+P9ojv4XAfde0eK+6N0uPvoMvnmPGguJTXiaCEgw8K/ILV6PuhkSyo4Wea
EytCf4k42l7wjwG4LWFWZA
-> ssh-ed25519 iHV63A o/IPrEtX8l4ZWCcC/yJWGRUAPDPX7vMJKBvm7ngWRjE
YoXHRtVmNXlxJ4uJqs7jNW/2pBnjMroj1AlLiERLQGk
-> ssh-ed25519 uTVbSg WF+8m47L2GWewOEK36k3g+Ozv1JC20cfswQ0ksbhhzs
w5qbtYBfnrKOB4/ZTiD8Qsd42NibKcgbL9AYQKx9bnM
-> y-grease y>]"'a W "
w265AhhbaGNvdOMRX4xs+w
--- /proerdf6QHIKGNWA0vTE+ZPNuvbJBGhpMEt0DscFgQ
™m±çd¾]©ÙˆËÔG±<0F>(n˜ïÁ¨hø¹»ÅLARR¯ä°ÎëjMÞU <56>%ÈMÐ^þ ©oÐJ<E280B9>ê QîÿD<C3BF>­nÁŒ

View file

@ -0,0 +1,20 @@
age-encryption.org/v1
-> ssh-ed25519 hPyiJw gEHEUHodm0u6YauWsDFycNYfBlNEncGz6cGiFVbMSQw
eb/YlV8CeU2GZaoREi8n4CB6O+bltLjwARBh1SvPHuU
-> ssh-ed25519 YFSOsg oObR84uRNYEhcbdILnSni61pMzaNQcbMSV8CMdUFCVs
hZeKavP58fmaxjpZwHDSNf2QnUqn5GqeSx/MVbWM8w0
-> ssh-rsa 42S2Dw
W/0mcDisoN/RoEshQ0gDmmYZTfSG3BRAq/PsXT9Xt0mahAqZumfdysT9T2Wkso5O
2SKVvJvP2YAGNs+d/+lnn5/I8f7qlx6K0oQ1e72Y9ZNmoxgZmL3h2jBR3x+GfgG8
Qp57nfvoF4js2JyC2MSUm3CjOppxDN/BM2v5qOTuPB5/K3bPOP1iBdENH71f9d64
PK/7HZA1BTtn4jOWYQ52BZIcOjiA9JoVO6HFvB7d5UobasbbXDhO6ZgZ3aWdsDE4
/0S099FWbvzTk8aITl5qSphQy0Pgp+yeTobx1Hn/b6vokoNIwaMZniOVd1mS0CuU
DL8SGpuQUeOl+27sstHfUw
-> ssh-ed25519 iHV63A 34vhrBbCb4J5xzjoa9o4hWokszJER12Pfd/s8RGxfg4
2p8SUyhXdks06NJPZMkbKcdsn+YB3+/Ksaipc72mBvg
-> ssh-ed25519 AsPNJg bAYRIQICTPeVri4/qkBBedxmm08TNoBMseEauYtTkX8
ZeNmjU+oG4qYSMREtv7QdbRLf3SAmdHnX63eiHjvcOU
-> J._|'iH-grease VaQ1S' W7^S -r HJ'
KbnGq5EUW0HcQ4v7n8Gh/4R/Y55bXYOuSPNt2jXTbog
--- Bk+tEcikn4Gd90ou6llBA1nYq+mRGdfB1TaJvIOYEaw
×ÎML—ã7|2žÌF'ZžoàÁZ<C381>{ÿ¯?°J,—®âµ×ÜžmíÈñ\G­´†RœaaÁ<61>\tñùäŠ<Àìâë5<C3AB><35>Ú

View file

@ -0,0 +1,31 @@
age-encryption.org/v1
-> ssh-ed25519 hPyiJw B7i7cir4NIqIxeuwN7lBZiHLaLDNwSD5ZJLs0iYidDo
fmj7NzNi4DT805TlhjtyMXa1dcu7rGVIllQG4ALtJdo
-> ssh-ed25519 YFSOsg SpldcBYdyAYW4W+U4JrgkcA8Y5+YnPjW78OISjviDz8
Czi1SkmtvFmko+fP2hdCanpWJKpo/KndE/MI8BcJVxQ
-> ssh-rsa 42S2Dw
EvIS2maHrEa4Qyhrp3TJ/LULJkdCixIEcvI2HS9SUhVRIJS6jpY/Z+pW+XZqxEgk
P7sp1CjRsjRZ4RZsgBUsgdO4mRnUtSkrTTLzrS84d3QG1QfjQphtF/BSt2+8t1nw
S/XVZWu/LyFb8Z3TbhVkf3vx7ujIBwjdFj+LiUmEYwB4o57MWKH9aCcvyMLZF4Ne
AltRXfkGkEVt7Yn0iKwb8yHaqMPa5CjfjDP9ybLp/my08/pZEQTVduKe/Q6p09DM
8gEF1uVM+3BxXf7yAvt8fW80Hgm21VnYUq0h6exDZaaf0wLPOh0kRnN1MDqK2tjO
uxre1sro1ZQx5CPCXD4ICQ
-> ssh-ed25519 iHV63A Toc315/VlOneCwbLzcp2fDqHZSMDNtSprquR3BOVfAg
ZeEZEdla/o/sAa7Tbh4NY5qqrNkWfHqpbvUokSofC5A
-> ssh-ed25519 AsPNJg ui5FmbBKlKQ69R38yqlFURrMBTX1n7ysQP7mBo9SSRQ
c7dp6ewRp/5rHThk/oGcaaCxNwmBWTcfVSK4IrHJh2M
-> ssh-ed25519 w1vtTQ 7ToJvl/p9DzxX0v/b7nNOIfdgyb85Ja6862Tw2HLLyo
PkEaeBdx60i9mX6t5Ue5PeabY4COffefCSt65H5hRxU
-> ssh-ed25519 t1M4HQ 14NmP2HdhTouv66lkTKPEKh7HANgEUIek8FA8wAntSU
ZZ+Mc8m/Pb16Vbxc9bOZtXJ+0ZXv/YiV30LiKra55cM
-> ssh-ed25519 uTVbSg 1151u2eVy3izoghgXS1zPukpbSiZo6Mc+JTtCNqrqxE
5NGufz7+RjYTy4gUfAHjV/g8VdF5FxPcB3GUzafotn8
-> ssh-ed25519 4eCLig NAsWZu3MFuCEgi/Fm+2kB04A8ZckvTP5ueLjB2NKZDg
5DKhLww7UKvOxPveJTtuc7jGk/9cypM9UadP1A8C6Ko
-> t-grease > 8z4 `,R~f.lb
K0DjBt5R459zTRkIA58mcIYl+Na5m+1SIXbezHjWZy2q1cIX8L331Du4SE6/UCCR
e3Q
--- ZjP/FefBuH6f+bEQpgqeiL3Uj+f9AbSCVRQni7pYyjQ
6{…Ï{;5%·n@~óNóÖn!EÏ·A&âí ¯`v‰¶-ÃË5©Æ{œîžï P
Í8'ém7p‡â1 bàn¾¬#ö0"çí=~àÉê"—¶Ã}ç@Ô89eB Á°
/¹*´ìUo <”šî.£ñEå)t2fX¶o9FüQG)çÞù

View file

@ -0,0 +1,21 @@
age-encryption.org/v1
-> ssh-ed25519 hPyiJw zHWVBLJi1r1M3C/3Xf1rCOOXhjihjYuF4f0ZsRo4dWI
sB14DJ0gjz2Z9+oJG/RBAl5GJ31NOjUJmpSvKwmkEVU
-> ssh-ed25519 YFSOsg RHtbqm+jWVTkXqyTWRblggdgfbp2OOJmCqieDhI4+HI
0lc7kKOQL3Abo8UyjXfRHvDcq+dOvPe0q7izfycZkj8
-> ssh-rsa 42S2Dw
QnOc7ZIigTURoIjglNY64KzZh8QbhE2TbioIP88F9OztV/1umy5hniBNYrE3grd2
+nQSdBEHsHKgyElC3VvdKQ9RvzrbrDHnNt4oBgmH70KfAQzH1wehOvofcNMlu0+B
0ddUjo9BEf5VtxKY4fdUFLoROBv/rIMCuCR69NE4KfS/Cl7I+saWUOzoRVcZKsBc
XmYYCTDezlVOT0dtoRDJT0PBimXQZ+3D9Fj7VKUOobggUiQBOH7irvpKy/JFG6+0
C5CRDZKPp4XOKfz/XAqIxbkyzxF6ZRpmXz+QJhHXTCJfWdRMfUl45YO5r/fX6ybV
vqZnYo4ytlZtIaoe0ipFJQ
-> ssh-ed25519 iHV63A WkP5FVc9iS9OEQMr2E+ewVvBS1ppHnuCWqGTvdvBY38
kxdQm6sXkGlFId0KEoMqcbyXII5G1En0g9I6WObwNpk
-> ssh-ed25519 4eCLig /lrGyo78vdS92cFFs3aS8R/BcM+QDLspab0ftIZU9WE
+rvfUcml+WEDzZ9B6WbSvfwh+ceHygGIvHsw4UME94k
-> u\-grease JD#pg \__| M\j|M
9RN98je/hB0
--- JoemHAPRRKWcsEMIOEU1Cq8AyPFTtz3qYqCgyeonyrs
"©´S¹Ðnq­RÈvKRËUsF+“ÓE„ôë³}•Ý»^)ªxôx\_´S'ÔÍ Ð/í¶2ô•àbxùÃ]Srôõ‡„Ø„çï ÙñØÈ

View file

@ -1,9 +1,33 @@
let let
# set ssh public keys here for your system and user # set ssh public keys here for your system and user
system = ""; user_hensoko_nitrokey_1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/58A18EtxnLYHu63c/+AyTSkJQSso/VVdHUFGp1CTk cardno:FFFE34353135";
user = "";
allKeys = [ system user ]; user_hensoko_harrison = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb hensoko@harrison";
user_hensoko_norman_1 = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+euxPp6bHXw61UeUqTGHH8Ub2L+Sy1iteupv/AGudgoVNp2GebqJy1cxQ74mgnL8eWMlaA9jZlKQ1xFFhgtolCsoAKTE9AE8X0egvmEM18fEUR3EWWchmX4MXUhUiOtwitkl4+EpSsp5rh/kIxcpQFz1dpBibroq6jDLKlrVou+2LppR8nMfFT2sqg3694Ltxz4CWMdAfitLax05ckKMAnzz+TgpXK5OyfQSBvl18Qu1SWITYa6AVNXQ7/ovWBDIUfg25GWouzWqkSUpLdCVIcXPe2X7g6X1QsHXnnhaMAhvYH54GZ4wU2kBwIJ6KvplfZdbJ09KAltPVt08evafb hendriksokolowski@hsokolowski-pc";
user_hensoko_norman_2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work";
users = [ user_hensoko_nitrokey_1 user_hensoko_harrison user_hensoko_norman_1 user_hensoko_norman_2 ];
system_giggles = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKOLyNmSzxVpVQtTWhkH48e03nFDdskE08N4L81MZcLZ root@nixos";
system_cox = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNr7q7eAkROtdvTmw96Q5tZu9W4jt31OCjc6L8uM5Uv root@nixos";
system_companion = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINjIyVeAPsIpUTsB5bPEjmJeRFN8Xp3PD9a/41yPp3HM root@nixos";
system_cube = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5ok5tIuDKYpIw3KVmUnqBSDJ1QriWQJ04IVLF1Kaig root@nixos";
system_ringo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5g8CfSiMxboEJT2U92JoYdnv0nsArBPW/vfTEsUWZO root@nixos";
systems_home_controller = [ system_giggles system_cox system_companion system_cube system_ringo ];
allKeys = users ++ systems_home_controller;
in in
{ {
"secret.age".publicKeys = allKeys; "home_controller_giggles_wireguard_key.age".publicKeys = users ++ [ system_giggles ];
"home_controller_cox_wireguard_key.age".publicKeys = users ++ [ system_cox ];
"home_controller_companion_wireguard_key.age".publicKeys = users ++ [ system_companion ];
"home_controller_cube_wireguard_key.age".publicKeys = users ++ [ system_cube ];
"cube_nextcloud_admin_pass.age".publicKeys = users ++ [ system_cube ];
"cube_nextcloud_db_pass.age".publicKeys = users ++ [ system_cube ];
"home_controller_ringo_wireguard_key.age".publicKeys = users ++ [ system_ringo ];
"home_controller_k3s_server_token.age".publicKeys = users ++ systems_home_controller;
} }