Compare commits
1 commit
Author | SHA1 | Date | |
---|---|---|---|
Simon Bruder | a17791658a |
11
.sops.yaml
11
.sops.yaml
|
@ -15,11 +15,10 @@ keys:
|
||||||
- &mayushii 23EEDF49AAF1B41DCD1CD10F44A37FA8C15053B3
|
- &mayushii 23EEDF49AAF1B41DCD1CD10F44A37FA8C15053B3
|
||||||
- &renge 06a917fc4a2a1b6b0f69a830285075cac85b7035
|
- &renge 06a917fc4a2a1b6b0f69a830285075cac85b7035
|
||||||
- &nunotaba 3176be14f468c6d43ab2206b4f273abccd49806b
|
- &nunotaba 3176be14f468c6d43ab2206b4f273abccd49806b
|
||||||
- &okarin e7370b48016c961ef8ad792fda66b19d845b3156
|
- &okarin 868497ac4266a4d137e0718ae5fc3caa3b8107aa
|
||||||
- &shinobu 28677f2e3584b39f528a779caf445ebb39c882b7
|
- &shinobu 28677f2e3584b39f528a779caf445ebb39c882b7
|
||||||
- &nazuna 0b8be5d87a10a0e68dda97212c4befad1f9e915c
|
- &nazuna 0b8be5d87a10a0e68dda97212c4befad1f9e915c
|
||||||
- &yuzuru a1ee5bc0249163a047440ef2649e770ec6ea16e4
|
- &yuzuru a1ee5bc0249163a047440ef2649e770ec6ea16e4
|
||||||
- &koyomi a53d4ca8d2cf54613822c81d660e69babee42643
|
|
||||||
creation_rules:
|
creation_rules:
|
||||||
- path_regex: machines/nunotaba/secrets\.yaml$
|
- path_regex: machines/nunotaba/secrets\.yaml$
|
||||||
key_groups:
|
key_groups:
|
||||||
|
@ -98,13 +97,6 @@ creation_rules:
|
||||||
- *simon-alpha
|
- *simon-alpha
|
||||||
- *simon-beta
|
- *simon-beta
|
||||||
- *yuzuru
|
- *yuzuru
|
||||||
- path_regex: machines/koyomi/secrets\.yaml$
|
|
||||||
key_groups:
|
|
||||||
- pgp:
|
|
||||||
- *simon
|
|
||||||
- *simon-alpha
|
|
||||||
- *simon-beta
|
|
||||||
- *koyomi
|
|
||||||
- path_regex: secrets\.yaml$
|
- path_regex: secrets\.yaml$
|
||||||
key_groups:
|
key_groups:
|
||||||
- pgp:
|
- pgp:
|
||||||
|
@ -117,4 +109,3 @@ creation_rules:
|
||||||
- *fuuko
|
- *fuuko
|
||||||
- *mayushii
|
- *mayushii
|
||||||
- *renge
|
- *renge
|
||||||
- *koyomi
|
|
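Review bot: Changing the `&okarin` fingerprint and dropping `&koyomi` from the `keys` list and the `secrets\.yaml$` rule only affects files that sops encrypts or re-keys afterwards, and nothing in these hunks shows the existing `secrets.yaml` files being re-encrypted. Each affected file needs `sops updatekeys <file>` so that the new okarin key can decrypt it and the retired keys leave its recipient list. A removed recipient may already hold the old data key or the plaintext, so the secret values those hosts could read should be rotated as well, not only re-wrapped. It is also worth confirming that `868497ac4266a4d137e0718ae5fc3caa3b8107aa` matches the replaced public-key block further down this compare; the file names of those key blocks are not visible here.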
||||||
|
|
|
@ -143,10 +143,3 @@ so always consult the file header and other resources as specified in the REUSE
|
||||||
Please note that those licensing terms only apply to the source files in this repository,
|
Please note that those licensing terms only apply to the source files in this repository,
|
||||||
not any build outputs, like system or package closures.
|
not any build outputs, like system or package closures.
|
||||||
They might be licensed differently, depending on their source.
|
They might be licensed differently, depending on their source.
|
||||||
|
|
||||||
If you think you have a compelling reason
|
|
||||||
why you should be able to use part of this repository under a more permissive license,
|
|
||||||
please contact me,
|
|
||||||
so we can figure something out.
|
|
||||||
Please note, that I can only offer this for files that are solely authored by me,
|
|
||||||
as I do not own the rights to other people’s code.
|
|
||||||
|
|
87
flake.lock
87
flake.lock
|
@ -26,11 +26,11 @@
|
||||||
"flake-compat": {
|
"flake-compat": {
|
||||||
"flake": false,
|
"flake": false,
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1696426674,
|
"lastModified": 1673956053,
|
||||||
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
|
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
|
||||||
"owner": "edolstra",
|
"owner": "edolstra",
|
||||||
"repo": "flake-compat",
|
"repo": "flake-compat",
|
||||||
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
|
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -44,11 +44,11 @@
|
||||||
"systems": "systems"
|
"systems": "systems"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1710146030,
|
"lastModified": 1701680307,
|
||||||
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
|
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
|
||||||
"owner": "numtide",
|
"owner": "numtide",
|
||||||
"repo": "flake-utils",
|
"repo": "flake-utils",
|
||||||
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
|
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -65,11 +65,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1709087332,
|
"lastModified": 1660459072,
|
||||||
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
|
"narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
|
||||||
"owner": "hercules-ci",
|
"owner": "hercules-ci",
|
||||||
"repo": "gitignore.nix",
|
"repo": "gitignore.nix",
|
||||||
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
|
"rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -85,11 +85,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1715381426,
|
"lastModified": 1704099619,
|
||||||
"narHash": "sha256-wPuqrAQGdv3ISs74nJfGb+Yprm23U/rFpcHFFNWgM94=",
|
"narHash": "sha256-QRVMkdxLmv+aKGjcgeEg31xtJEIsYq4i1Kbyw5EPS6g=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "home-manager",
|
"repo": "home-manager",
|
||||||
"rev": "ab5542e9dbd13d0100f8baae2bc2d68af901f4b4",
|
"rev": "7e398b3d76bc1503171b1364c9d4a07ac06f3851",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -106,11 +106,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1716457508,
|
"lastModified": 1704100519,
|
||||||
"narHash": "sha256-ZxzffLuWRyuMrkVVq7wastNUqeO0HJL9xqfY1QsYaqo=",
|
"narHash": "sha256-SgZC3cxquvwTN07vrYYT9ZkfvuhS5Y1k1F4+AMsuflc=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "home-manager",
|
"repo": "home-manager",
|
||||||
"rev": "850cb322046ef1a268449cf1ceda5fd24d930b05",
|
"rev": "6e91c5df192395753d8e6d55a0352109cb559790",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -205,6 +205,9 @@
|
||||||
"nix-pre-commit-hooks": {
|
"nix-pre-commit-hooks": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"flake-compat": "flake-compat",
|
"flake-compat": "flake-compat",
|
||||||
|
"flake-utils": [
|
||||||
|
"flake-utils"
|
||||||
|
],
|
||||||
"gitignore": "gitignore",
|
"gitignore": "gitignore",
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
"nixpkgs-unstable"
|
"nixpkgs-unstable"
|
||||||
|
@ -212,11 +215,11 @@
|
||||||
"nixpkgs-stable": "nixpkgs-stable"
|
"nixpkgs-stable": "nixpkgs-stable"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1716213921,
|
"lastModified": 1703939133,
|
||||||
"narHash": "sha256-xrsYFST8ij4QWaV6HEokCUNIZLjjLP1bYC60K8XiBVA=",
|
"narHash": "sha256-Gxe+mfOT6bL7wLC/tuT2F+V+Sb44jNr8YsJ3cyIl4Mo=",
|
||||||
"owner": "cachix",
|
"owner": "cachix",
|
||||||
"repo": "pre-commit-hooks.nix",
|
"repo": "pre-commit-hooks.nix",
|
||||||
"rev": "0e8fcc54b842ad8428c9e705cb5994eaf05c26a0",
|
"rev": "9d3d7e18c6bc4473d7520200d4ddab12f8402d38",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -228,11 +231,11 @@
|
||||||
},
|
},
|
||||||
"nixos-hardware": {
|
"nixos-hardware": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1716173274,
|
"lastModified": 1704124233,
|
||||||
"narHash": "sha256-FC21Bn4m6ctajMjiUof30awPBH/7WjD0M5yqrWepZbY=",
|
"narHash": "sha256-lBHs/yUtkcGgapHRS31oOb5NqvnVrikvktGOW8rK+sE=",
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"repo": "nixos-hardware",
|
"repo": "nixos-hardware",
|
||||||
"rev": "d9e0b26202fd500cf3e79f73653cce7f7d541191",
|
"rev": "f752581d6723a10da7dfe843e917a3b5e4d8115a",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -244,11 +247,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1716361217,
|
"lastModified": 1703992652,
|
||||||
"narHash": "sha256-mzZDr00WUiUXVm1ujBVv6A0qRd8okaITyUp4ezYRgc4=",
|
"narHash": "sha256-C0o8AUyu8xYgJ36kOxJfXIroy9if/G6aJbNOpA5W0+M=",
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "46397778ef1f73414b03ed553a3368f0e7e33c2f",
|
"rev": "32f63574c85fbc80e4ba1fbb932cde9619bad25e",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -272,11 +275,11 @@
|
||||||
"poetry2nix": "poetry2nix"
|
"poetry2nix": "poetry2nix"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1712934106,
|
"lastModified": 1704120598,
|
||||||
"narHash": "sha256-JubHgaV6HUZarwwq4y2rxJaaj2a6euErJfCqpmhrhWk=",
|
"narHash": "sha256-9g7bZbVHAjMPNUWD2okeOdTmTrC9pkCeVe1zFyvtvqo=",
|
||||||
"ref": "refs/heads/master",
|
"ref": "refs/heads/master",
|
||||||
"rev": "2bcb2b6c7b0e04f4ef8e51e00fd93a5e5cb00bf8",
|
"rev": "32ef4fd545a29cdcb2613934525b97470818b42e",
|
||||||
"revCount": 66,
|
"revCount": 65,
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "https://git.sbruder.de/simon/nixpkgs-overlay"
|
"url": "https://git.sbruder.de/simon/nixpkgs-overlay"
|
||||||
},
|
},
|
||||||
|
@ -287,43 +290,43 @@
|
||||||
},
|
},
|
||||||
"nixpkgs-stable": {
|
"nixpkgs-stable": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1710695816,
|
"lastModified": 1685801374,
|
||||||
"narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=",
|
"narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "614b4613980a522ba49f0d194531beddbb7220d3",
|
"rev": "c37ca420157f4abc31e26f436c1145f8951ff373",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"ref": "nixos-23.11",
|
"ref": "nixos-23.05",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"nixpkgs-stable_2": {
|
"nixpkgs-stable_2": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1716061101,
|
"lastModified": 1703950681,
|
||||||
"narHash": "sha256-H0eCta7ahEgloGIwE/ihkyGstOGu+kQwAiHvwVoXaA0=",
|
"narHash": "sha256-veU5bE4eLOmi7aOzhE7LfZXcSOONRMay0BKv01WHojo=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "e7cc61784ddf51c81487637b3031a6dd2d6673a2",
|
"rev": "0aad9113182747452dbfc68b93c86e168811fa6c",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"ref": "release-23.11",
|
"ref": "release-23.05",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"nixpkgs-unstable": {
|
"nixpkgs-unstable": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1716330097,
|
"lastModified": 1703961334,
|
||||||
"narHash": "sha256-8BO3B7e3BiyIDsaKA0tY8O88rClYRTjvAp66y+VBUeU=",
|
"narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=",
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "5710852ba686cc1fd0d3b8e22b3117d43ba374c2",
|
"rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -450,11 +453,11 @@
|
||||||
"nixpkgs-stable": "nixpkgs-stable_2"
|
"nixpkgs-stable": "nixpkgs-stable_2"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1716400300,
|
"lastModified": 1703991717,
|
||||||
"narHash": "sha256-0lMkIk9h3AzOHs1dCL9RXvvN4PM8VBKb+cyGsqOKa4c=",
|
"narHash": "sha256-XfBg2dmDJXPQEB8EdNBnzybvnhswaiAkUeeDj7fa/hQ=",
|
||||||
"owner": "Mic92",
|
"owner": "Mic92",
|
||||||
"repo": "sops-nix",
|
"repo": "sops-nix",
|
||||||
"rev": "b549832718b8946e875c016a4785d204fcfc2e53",
|
"rev": "cfdbaf68d00bc2f9e071f17ae77be4b27ff72fa6",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|
|
@ -23,6 +23,7 @@
|
||||||
nixos-hardware.url = "github:nixos/nixos-hardware/master";
|
nixos-hardware.url = "github:nixos/nixos-hardware/master";
|
||||||
|
|
||||||
nix-pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix/master";
|
nix-pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix/master";
|
||||||
|
nix-pre-commit-hooks.inputs.flake-utils.follows = "flake-utils";
|
||||||
nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs-unstable";
|
nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs-unstable";
|
||||||
|
|
||||||
sops-nix.url = "github:Mic92/sops-nix";
|
sops-nix.url = "github:Mic92/sops-nix";
|
||||||
|
@ -155,11 +156,12 @@
|
||||||
pkgs.writeShellScript "unlock-${hostname}" ''
|
pkgs.writeShellScript "unlock-${hostname}" ''
|
||||||
set -exo pipefail
|
set -exo pipefail
|
||||||
# opening luks fails if gpg-agent is not unlocked yet
|
# opening luks fails if gpg-agent is not unlocked yet
|
||||||
pass "devices/${hostname}/luks" | ssh \
|
pass "devices/${hostname}/luks" >/dev/null
|
||||||
|
ssh \
|
||||||
${lib.optionalString unlockOverV4 "-4"} \
|
${lib.optionalString unlockOverV4 "-4"} \
|
||||||
-p 2222 \
|
-p 2222 \
|
||||||
"root@${targetHost}" \
|
"root@${targetHost}" \
|
||||||
"cat > /crypt-ramfs/passphrase"
|
"cat > /crypt-ramfs/passphrase" < <(pass "devices/${hostname}/luks")
|
||||||
'')
|
'')
|
||||||
self.nixosConfigurations);
|
self.nixosConfigurations);
|
||||||
|
|
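Review bot: In the `unlock-${hostname}` script the passphrase now reaches ssh through `< <(pass "devices/${hostname}/luks")`, and bash does not propagate the exit status of a process substitution, so `set -e` and `pipefail` no longer see a failing `pass`. The preceding `pass "devices/${hostname}/luks" >/dev/null` call catches a locked gpg-agent, but if the second invocation fails, ssh still runs with empty stdin and `cat` writes an empty `/crypt-ramfs/passphrase` on the target. Once the first call has unlocked the agent, the pipe form keeps the failure check: `pass "devices/${hostname}/luks" | ssh \` followed by the unchanged options. Capturing the passphrase in a shell variable is not a good alternative here, because `set -x` would print the assignment to stderr. The enclosing expression starts and ends outside the hunk.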
||||||
|
|
|
@ -1,28 +0,0 @@
|
||||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
|
||||||
|
|
||||||
xsFNBAAAAAABEACxLvouloEvO6hjBfydEMJIEVzJLBqZJBmBvHmJKRbhWSldCWLi
|
|
||||||
bdL7L3Ld1K4uQKSEPNRk6LcVVCAPaXuhyeza57U8PNMBJrDESZ+SdAjuNw5/mDTa
|
|
||||||
VF4jgPzrPmQ1ufRiaOgxOj7OAwOqFEZBMeHXPrauY83dHgKJBcRuw5567YTJ0zoJ
|
|
||||||
bi3mtetgAeVwgPgQBgihDQhvxgxiOQ0kLbRRDFm8sVsp8o/zJbVy3zop4sJppOSg
|
|
||||||
JYzjFyt40wqPQ0TospxvwiYiJhg339hduZZ+J7+4XcdKnTVUNM8Ws7notVFRkWYG
|
|
||||||
8jWTUuld815WZUA/2rkjx7GsZ9sLChaXVmXRfUGO3G01zaEZ84PA/XrpemWVMs+I
|
|
||||||
y/1UznrSFy3bPh9/Jdpr4D5/gxsJaNs8ioSjb/3fXfZ4+kZySmQiWpagwsLXmPU3
|
|
||||||
eno5YjvuU8qCh37zWF7uhsUsIDXw1FWqgy7HoU7HLYHDpRoerEABQpIf3378eZJ1
|
|
||||||
+VK/Em2NLyapgBGx+hv+qrUGKAv+/bdTt5XQtQypHI5ihI2H/Rr/ZfTzIWcJIomR
|
|
||||||
KwCsjZDuiRWsQWa/WEqthPX/ckNKJuB25tkCFM4owMtgJEMSymRZ6Fd/zdI+WBS2
|
|
||||||
1QSECOHFyr8ha0OfpZF6qy8YYqV82EHeTQdqvAY18po8/Y5WGvm4Q0QCQwARAQAB
|
|
||||||
zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
|
|
||||||
AQgAFgUCAAAAAAkQZg5pur7kJkMCGw8CGQEAANR9EABfKws/H9UX31pJbdWzSotN
|
|
||||||
/1OkQxCNQvTmzxByP+JDBZQoplKbhjwVi/seshwxCMGuvBklmFSdpzGXip68QR4Q
|
|
||||||
CYQsFg02URFKA8vggnIbpkNMB3/ckM6m6wQlMshTl1DPpZcZflppi/O68hIqtrSN
|
|
||||||
/xXx5hIBFqe4NY6+ouHRy+4KPnWqndcHSRC2TaYYiiAo9dBj7VyQsL0zYYyTAl0U
|
|
||||||
J6rolDz5VqWzkHklH/UMJ3u8ZwV2VHuyU5Drod8/1bDYtjGXxeUhcd25X4q0Gcqh
|
|
||||||
gts0zoV/kYgnX3rGzqT4q6MGHWzlHtblMxtPpV8m/fd2KDvIKDdJPnYsbKDNlX7j
|
|
||||||
QwVS8rE2T/FfU2KGoadNmSJACmCdShpCCd7CSHludcXLMDVuFijh4iCHkc3KvJJP
|
|
||||||
MrWqBTWzYB73O5WGAWDxL7trw80a5Qi2+5PRCQY0smOR4jC3d36PGjtD8ykCHlqt
|
|
||||||
HVZ2CtNl+6loGJ9TTgMwzNOY2PQPP2bhzdB16ht5CDsadFXrFD8mRVcwnQ6F0UU0
|
|
||||||
DROW+C7FdYkZiEM9r6QMkRX4Xkc4YTV7EL0kEwJkWvxTbL2X/r1lSOKE27iMk2D/
|
|
||||||
kkNzVXEH89ryyJc4Pgro5aTjzkAfTOUc+LV34b2CE0NGLjZvOvTic5SSdsAZ+PVL
|
|
||||||
CxhNpGhTpzl96WA2WsNP9Q==
|
|
||||||
=slmv
|
|
||||||
-----END PGP PUBLIC KEY BLOCK-----
|
|
|
@ -1,28 +1,28 @@
|
||||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||||
|
|
||||||
xsFNBAAAAAABEADJ6iuUnKyoNZU26YWhsIHwTIkhxnNCNDHrq42wSqDgBFU8QyzC
|
xsFNBAAAAAABEACgnoiAZQChPJOD9Bh4VxtX+/KWZXBrw9HhK1aufLH2Q4bS+mrg
|
||||||
Nd8c34QghVGeqCFr/Md5xXMtgCmoNzFCMullb6PwDIYZ+9SP03B2seoqhnRwp1WG
|
Te5SgFrfsiiYOvo8O2rESmMIWAHRSGxcdcT09+ZZtZxlxW7dmoUXLaPY+Xft0oDT
|
||||||
twejt/dP3QgOBP3G4Tr8uxcdHFnLDvkzN66QyV+LcnzrEf0Dw/9y31Nuo5TlG7UT
|
ekLBs/g3N9qAXYq8XC/YNw0R1FzhComq/enQT2OTcaWES3b2OlFAkn8SVSTTdKgG
|
||||||
cUCg36a3l+1tTlc3VnGwjt5jc59teD619h1s5tU5zMlcgjhFMMVKHXH1oc8zK0Q4
|
jfmPPjDuTTYWPDPPmVRhaRkT/AcByyRcEcYxw4Zn+62iY9ZuV8FG0O0UcR2I/vEw
|
||||||
va2YyfW+yWZx9Fm9BWF3VLuBdVlPuHVSCZ/Qf/ykDs8nm7Jvwi/I2TQiAeFN7ln9
|
KwYxHBC4IiqWvCmeJ3mEcf2NBbLwp2hB79dyo9RN8zxbu2mwrCNNO0hbkJGsxom1
|
||||||
vPAYy4z0SQP/w44kVLCe5Mkw4H53LRocPBgxSflzqnJuuEQGroq0xgbP8+xJ8R0h
|
NjKh7KZz0eaIpb/WAesimHCaAXcB9ovGiyyHjECmZkvKlAXMttrPkF5QJZW2Iao7
|
||||||
5WPqLuy86PhslFsuIfKJgzVsNsz3svBxHO6G5bIsVgIjdfT4QPGxVQSvXG0RpdV0
|
jcdcT0CNhC9fUwdBPIVRVjQQPyCWrqZEas+zG0tU8nbMy+uI/rT8ALC0zSgQMVyr
|
||||||
HzhUKojENcS2MEB7MJOLu200Ce3tjuaZD+nPUyH9LilNVgEJXMN0+9SfXmzyH1mE
|
YDIM7tYHbuBjgHja8gvwAa116L+uTXzkCTuH3OQHowtuvDjorXDKNs5akqJpAPHF
|
||||||
ENW6JWUC+oDgweodltJJ2z3kiaXf0GUNWFEv5P0uxkky3nsed4lDmEs0j0nT3YoS
|
a/fhXzjtY6RfLVp0Hj1+fnwrzMs0D1YdlJEjsBxvpieMTGPXH0YA5ondK/OsHsQD
|
||||||
0hemgdK8X3ZRMuLAxGLCL0SykmsbOdTTzZ/QCak8/0jI8iko9eDrmJ4rNkrQYT4+
|
uzUgKzgGpq8Kp7hXhxi8gevHmNgVN1F4CNlTy0qOkFgD8U11Fk9O4svI+OtzslPr
|
||||||
TM0JEpI3wA4ksl5WcB2cpM/G8buw/zNTycgbjcKoYL+E2K+L7JeR9F1DgQARAQAB
|
/EXRC/faJeFdT20M0BIqhQVWZFiRRMMsHJgZ04mWG40Wysm8esZ3dwS53QARAQAB
|
||||||
zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
|
zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
|
||||||
AQgAFgUCAAAAAAkQ2maxnYRbMVYCGw8CGQEAAMkCEAClRHcH4fUUpdXroevY9qpR
|
AQgAFgUCAAAAAAkQ5fw8qjuBB6oCGw8CGQEAAOyUEAAHW0hbAjCKylnIaezMqNiG
|
||||||
O6op26pqBZ839HoD9f4kaZXerhURWVGPcV81uUapR5/B8Pk/OK9LskBetDvoc+J1
|
yDwfM+MpNXaqB4sG0UUiIdgSUTk06PN5dlQ0Jfvh1I7P9y8CxqamlqCUXiqqWEOR
|
||||||
+B3vM34cRIzbSs55BVrx/Mk6Vn9utPoyutlaJ/b5VMCmz4f2zU/XwPbXOzouvVrn
|
Am3Q7oxQKQdSDz//2ijWLdNFcT7bxZvNKQ/T78UYka/qmuLHx2jSuakAX2pAUrOf
|
||||||
uy/bqY7aNz0eoeU7lKXrXc9as+VoJgc3Ty9Tt1vPi8lfTeQfmxUDtoer47dhn89C
|
K7mbElSu8LD0y8hIDEyxuzB/aL13sHh1LkOUCSEgZ977EEfIEgPidPwEtGJvEbhN
|
||||||
3fL9R5/4utKt5nRtweOh6+z9T36jNodeHy3VhpuMnUBKsWSQn6Op2sLoeb6FJbh0
|
DaP94cLNapv/lWux8+O5dzKi4R7ghXl6IvrP2LPXQSPF7C3mMZ1ZSX1nFxRjALXi
|
||||||
t5Tz1AZhqjT4HY8bGWK8v2i916BmGseFjge7CECYg9M5MydznHl9z87sBUiruGs4
|
xiFbrJFkwEQQmVro/3wX9BZSmt6VnFRKkXnsCLlf9eT0aTmTirtqHgfet0PHqTNt
|
||||||
fQTZi8IQySaQ8jCqCx+PB1PYUAsZj4j3o74mx2/erAw8gxBlrme44CuikVdbEKMV
|
CxrlLKTZFN3ZFropGZ070ESs4i6WZUBpTdsYh/htyo5bWMcHO8J+K+Ttd1M8btM4
|
||||||
qYzW/jVJ6EPobtmq+XN8UzU/arf5/BelcU73sQK9fbvCqi47ZMyjC/3UqZ0O12xt
|
RtpAc/2UXa4+dVpLOGqdqkmUEJLVLyGnj9wZZgkx3tWGhjnSohCW3YqffQYlXUFn
|
||||||
uUjf2IcDl8TyWZ3nSSUV7npXrrT05kC6WMK46TwO9wv8F3v3/35UmonAJt8qp/lw
|
xuiQQ8jKM6luuunMXLt6D9dzOch70z9bnjOm1Z6q/S3PIzn++awzA6N3VTKNuUBP
|
||||||
2PNR5W8Sqxr2s+yhkOsh2xwuqBQkdxhqRKeqTv4+kdGAk6ZUmuHmGa1Qni6VsaKT
|
Phs6hlcAeqdQ6Q2EiS5iXKqPdK1nd9cPKzHOJf1fwlaRPSKeCtXUgkjAClu+heEn
|
||||||
TuNRRTEBfQ0QiqF8+lleT2dP4cKI2vAbI0zvyjX6KvNGRb1VlJw3D6Pa0nXW/YQU
|
rst1nggIhCBs+rHc518BVZvISLNVlj5LVwN0mKOk9YPuZItBCGX96WWJZdMHeZk0
|
||||||
NxR1Jvm5bnGfUcnNlzoB4Q==
|
MsxjN+we2woCXG5SJGYOyA==
|
||||||
=6o0h
|
=UTw1
|
||||||
-----END PGP PUBLIC KEY BLOCK-----
|
-----END PGP PUBLIC KEY BLOCK-----
|
||||||
|
|
|
@ -5,39 +5,67 @@ EKpaQ5+0H1NpbW9uIEJydWRlciA8c2ltb25Ac2JydWRlci5kZT6InAQTFgoARAIb
|
||||||
AQUJA8JnAAULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgBYhBNSKGsqxzb0XAVFm
|
AQUJA8JnAAULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgBYhBNSKGsqxzb0XAVFm
|
||||||
K7GgtKRYhaAxBQJlrXkpAhkBAAoJELGgtKRYhaAxe14BAMF2Sj/NbHEfPPj/FH0/
|
K7GgtKRYhaAxBQJlrXkpAhkBAAoJELGgtKRYhaAxe14BAMF2Sj/NbHEfPPj/FH0/
|
||||||
Pndzxihc7T7JOO9TxwsHMdidAP9eGoz3DgjA4gOtJUDwK70G6XwGnXrY8k42AcNE
|
Pndzxihc7T7JOO9TxwsHMdidAP9eGoz3DgjA4gOtJUDwK70G6XwGnXrY8k42AcNE
|
||||||
B0JHBLQxU2ltb24gQnJ1ZGVyIDxzaW1vbi5icnVkZXJAbWFpbGJveC50dS1kcmVz
|
B0JHBIkCMwQQAQoAHRYhBEfnVZ4DejVlLbv4qo08gvnzCfjsBQJlrZp3AAoJEI08
|
||||||
ZGVuLmRlPoiZBBMWCgBBFiEE1IoayrHNvRcBUWYrsaC0pFiFoDEFAmWtd20CGwEF
|
gvnzCfjsE2IP/RZoV3xvTi9ks5mpClnxdofGR4r2IVFw8TMQLSFfAHAtEJQ+R8fx
|
||||||
CQPCZwAFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQsaC0pFiFoDGUqAEA
|
0Yk+yoBNjt6JFKsvVVyVTZsK5cZcECSaX8E5gAYIB0+5S7TAC+DL9lDhWqhJnvOk
|
||||||
vqCjV1Fti5v6XpFFX/YU3160v4GYwD1vSdNJTTFfm3kBAO3hu30ecM3rWZf0SJmC
|
5nWIM6gdey6H4lmwjMQT9deWFBlHI/4+eEv65B2tlPZH7x2EbXywe5TgAmCAuXBI
|
||||||
xizTcSJIOEng0z39uk75PV4MuDMEZa13mRYJKwYBBAHaRw8BAQdA1st2Ull8qExF
|
7YOCebPh66n0ezJkw0SkEmz5+yMfj/vQNQxvRUpGpMEPDAUvIWEJ+Mb1XRuSZlYy
|
||||||
xFBS4ZtAxCP4a0yvany8hfclRDuM2W2I9QQYFgoAJgIbAhYhBNSKGsqxzb0XAVFm
|
Z8fNh0lMuvDf/GAwoFLiQM8ToprYT1vVnZ+IzEHkjYA1/nDTj1rDxiFCz+FCc+/k
|
||||||
K7GgtKRYhaAxBQJlrud2BQkB4qNdAIF2IAQZFgoAHRYhBF8781AR60Ih56rcrDR/
|
+7fjbtbmX1rSLu90jQZx3h0JEb9t4Zd0X9aOstVnqTi9pMWWyFcUgA71+21VqbIQ
|
||||||
+Gmc2gd2BQJlrXeZAAoJEDR/+Gmc2gd2WGkA/1q7AL8NUkvEOXRXOdHUhFkC2AXp
|
LccjaPZ0YK75on5YaD5ZmtHAl5ZD1VIXL0vnyN/XQYa4GUiN0qVwdG9QSEEe8gu8
|
||||||
V9deFHxrszMWgIxhAQD7QPihv5Cm8SPkClDMeKFnGwlMpeZNM/XYn5FqyLPrBwkQ
|
jjAWClU8BroyOtWamOlQWs/RPZsg1G5Nv5KcPJbw67sWzJZYvJhytRMg9yMWM/uC
|
||||||
saC0pFiFoDG2mQD8CMU8iakviZHNDspU2nZLVRp5RWBGtbeqiq2+KUYzgCEA/REV
|
uSC30u/gA49YP2N32XsxwFo8LAUrqn22/WdgcR1NIhHDjzT4SWSTS/ec5lSB998e
|
||||||
SAd0ks7DaVVxtHY4cn/oN76QeX3RXUAvfTsiPD0CuDgEZa13whIKKwYBBAGXVQEF
|
xw+41h4hDHwZn75HYi89FytjS0Sc8C4b2GPw8eqbhKHKMlPKJah2enFXkR85AZJ1
|
||||||
AQEHQCz6uVsYw1gvKcMfmofGvK8uv4t+PsL0N6jlrPtY/Qt2AwEIB4h+BBgWCgAm
|
wJGGhHhUS1mZ9e5SbY5ugtYj8v3Q3RMf47pqSHsO1Z9ojWBpAYforhTEtDFTaW1v
|
||||||
FiEE1IoayrHNvRcBUWYrsaC0pFiFoDEFAmWtd8ICGwwFCQPCZwAACgkQsaC0pFiF
|
biBCcnVkZXIgPHNpbW9uLmJydWRlckBtYWlsYm94LnR1LWRyZXNkZW4uZGU+iJkE
|
||||||
oDFfVwEA7ijxFOSx7RhdE9XqNfDk+Gl4s6ste20j0MW3J+jAKTcBALUk/F0OYJIv
|
ExYKAEEWIQTUihrKsc29FwFRZiuxoLSkWIWgMQUCZa13bQIbAQUJA8JnAAULCQgH
|
||||||
E6njUIuZlz4wFKJHDpursKIJu91QjzoFuDMEZa14JhYJKwYBBAHaRw8BAQdATUqx
|
AgIiAgYVCgkICwIEFgIDAQIeBwIXgAAKCRCxoLSkWIWgMZSoAQC+oKNXUW2Lm/pe
|
||||||
HSmDAt+Fs/8EN7JvsIuciptaJpLnZApQ5gu2KgeIfgQYFgoAJhYhBNSKGsqxzb0X
|
kUVf9hTfXrS/gZjAPW9J00lNMV+beQEA7eG7fR5wzetZl/RImYLGLNNxIkg4SeDT
|
||||||
AVFmK7GgtKRYhaAxBQJlrXgmAhsgBQkB4TOAAAoJELGgtKRYhaAxMBoBAN7lVHou
|
Pf26Tvk9XgyJAjMEEAEKAB0WIQRH51WeA3o1ZS27+KqNPIL58wn47AUCZa2afQAK
|
||||||
WPLuO6NNPHL8fXYG+9LFrIfVn/ztEKGwhOkhAQDcmy+3iHVaO4JPz6NJcojZzyDp
|
CRCNPIL58wn47JgND/0aTHhLlT7QGE9O6RV1kS81YeiQD5UvrJcYh9/wb7plXV/R
|
||||||
nn/R4uqdSVJ1qNy3Bbg4BGWteO4SCisGAQQBl1UBBQEBB0DVD2QambSi9HXWmBts
|
+AJ9QUxnw9SKeyyFGjwQeWIkkdJccq8ov5ekz++ErCsFlQtvhzNMa+ZRRJ5XG1m9
|
||||||
FDf75LrjJa5WTn1my6SVSODaYQMBCAeIdQQYFgoAJxYhBNSKGsqxzb0XAVFmK7Gg
|
dyFUKAvZ9vo5EnYOTO72l3TEel4L3V5t6qeUGdJQoVBC3cmLHJ7Vs92cTrmrQnF6
|
||||||
tKRYhaAxBQJlrXjuAxsABAUJAeEzgAAAA8UBAPjW4ZDp+ITJ9z/v7aL+wLdI0CY4
|
JXVgoj41iSmgnHdf8l0rsHc4/ODYDpZpOQjQj24Teb6Hj8jkjhNejGm6Ackcy6UF
|
||||||
w2I+LYP/VVtUr8JHAQCRFzzkBSz2IXoMKuRvpcJRLMRPS5gTAbrDC/96eGVGBLgz
|
KIX4ZDQD2k9SlxDt2LGLjF2rHar4NFYNJwgzO1tMazjTDAV1J9zx44NFaC1dm4oj
|
||||||
BGWtfDQWCSsGAQQB2kcPAQEHQOtp4pbIVjjXN7J277+pm5EyzIQVD5aHpoi45J1P
|
0Nz/xSYyyYyBoeqIG29qZrmWj5yIee64I+POX5REuLvf//64atEAkvODqg8ZhrXB
|
||||||
NVCLiH4EGBYKACYWIQTUihrKsc29FwFRZiuxoLSkWIWgMQUCZa18NAIbIAUJAeEz
|
Jd7BTtsRpUkkzwBv/ZHYJyEwLrUKLXpyx6GejksJ4fX4ftyWAgUOkDI06WI4WnQl
|
||||||
gAAKCRCxoLSkWIWgMRecAQC6fz9nPhVe1ncJyNn/c2RcZra0sEWwzwRiem7wieOU
|
WzTOqIWwbub3M53F8eOGvXLUd6PD3p8ARiCFG+5cqRimmd3WZ5g0C9YWnuKRAOrT
|
||||||
GgEAhEOJxdEMbNv6mw4kSdLnFmC5VCvTEeLQF7uxP37ADwq4OARlrXuTEgorBgEE
|
mrquAFhAeaanp+MRihB9d0nj5Lfx3mtfLAWDHYTj+yXL7de1xJ8p2D4WekJJ9NRJ
|
||||||
AZdVAQUBAQdAb2sZjRbDkcC3IhREZfUpXR5931F0csq5A6lTNSHyclcDAQgHiHUE
|
f8b9d+wswth/1NV/ly64J7aiGpVzE+WcpNGl9pcsisSiXOCGJatPvrl9h6vgU+Oj
|
||||||
GBYKACcWIQTUihrKsc29FwFRZiuxoLSkWIWgMQUCZa17kwMbAAQFCQHhM4AAAMSe
|
2HhE5vf9WmvHxkUwut1Tw2cw5KoukugDZWos8AZ671QebmfnebDUsmSfhkOymbgz
|
||||||
AQCwkhOqxIjsIJ5DBgybQ4HTu52y3IkCVnx+ikcef8DMowEAgA5A3aSX8x9+p34t
|
BGWtd5kWCSsGAQQB2kcPAQEHQNbLdlJZfKhMRcRQUuGbQMQj+GtMr2p8vIX3JUQ7
|
||||||
6ZX1dbgItWYS1a2bvqlEkvUBnwa4MwRlrX8yFgkrBgEEAdpHDwEBB0D37Ln0CHRc
|
jNltiPUEGBYKACYWIQTUihrKsc29FwFRZiuxoLSkWIWgMQUCZa13mQIbAgUJA8Jn
|
||||||
1itQdbnpQs7fFyWqLm5UT59YI2b7pkhK/oh+BBgWCgAmFiEE1IoayrHNvRcBUWYr
|
AACBCRCxoLSkWIWgMXYgBBkWCgAdFiEEXzvzUBHrQiHnqtysNH/4aZzaB3YFAmWt
|
||||||
saC0pFiFoDEFAmWtfzICGyAFCQPCZwAACgkQsaC0pFiFoDFaJgEAmtpmq5QnshEE
|
d5kACgkQNH/4aZzaB3ZYaQD/WrsAvw1SS8Q5dFc50dSEWQLYBelX114UfGuzMxaA
|
||||||
HDs9yBTxWAnrYfPnvyOi4KID6FbJTI0BAPNohV+XiBbQKmmKrWb5ui0BXNISPCYk
|
jGEBAPtA+KG/kKbxI+QKUMx4oWcbCUyl5k0z9difkWrIs+sH8p0A/j2fQV8DVJsn
|
||||||
H6R7fxacajUC
|
fnyFdmEIS14LaLyBTQ411CLkOVI4l5yBAP0Xue1JzV1Spm8Ib5rbAB5l2Q39xwsZ
|
||||||
=361S
|
IkGsiN85Wq7cA4j1BBgWCgAmAhsCFiEE1IoayrHNvRcBUWYrsaC0pFiFoDEFAmWu
|
||||||
|
53YFCQHio10AgXYgBBkWCgAdFiEEXzvzUBHrQiHnqtysNH/4aZzaB3YFAmWtd5kA
|
||||||
|
CgkQNH/4aZzaB3ZYaQD/WrsAvw1SS8Q5dFc50dSEWQLYBelX114UfGuzMxaAjGEB
|
||||||
|
APtA+KG/kKbxI+QKUMx4oWcbCUyl5k0z9difkWrIs+sHCRCxoLSkWIWgMbaZAPwI
|
||||||
|
xTyJqS+Jkc0OylTadktVGnlFYEa1t6qKrb4pRjOAIQD9ERVIB3SSzsNpVXG0djhy
|
||||||
|
f+g3vpB5fdFdQC99OyI8PQK4OARlrXfCEgorBgEEAZdVAQUBAQdALPq5WxjDWC8p
|
||||||
|
wx+ah8a8ry6/i34+wvQ3qOWs+1j9C3YDAQgHiH4EGBYKACYWIQTUihrKsc29FwFR
|
||||||
|
ZiuxoLSkWIWgMQUCZa13wgIbDAUJA8JnAAAKCRCxoLSkWIWgMV9XAQDuKPEU5LHt
|
||||||
|
GF0T1eo18OT4aXizqy17bSPQxbcn6MApNwEAtST8XQ5gki8TqeNQi5mXPjAUokcO
|
||||||
|
m6uwogm73VCPOgW4MwRlrXgmFgkrBgEEAdpHDwEBB0BNSrEdKYMC34Wz/wQ3sm+w
|
||||||
|
i5yKm1omkudkClDmC7YqB4h+BBgWCgAmFiEE1IoayrHNvRcBUWYrsaC0pFiFoDEF
|
||||||
|
AmWteCYCGyAFCQHhM4AACgkQsaC0pFiFoDEwGgEA3uVUei5Y8u47o008cvx9dgb7
|
||||||
|
0sWsh9Wf/O0QobCE6SEBANybL7eIdVo7gk/Po0lyiNnPIOmef9Hi6p1JUnWo3LcF
|
||||||
|
uDgEZa147hIKKwYBBAGXVQEFAQEHQNUPZBqZtKL0ddaYG2wUN/vkuuMlrlZOfWbL
|
||||||
|
pJVI4NphAwEIB4h1BBgWCgAnFiEE1IoayrHNvRcBUWYrsaC0pFiFoDEFAmWteO4D
|
||||||
|
GwAEBQkB4TOAAAADxQEA+NbhkOn4hMn3P+/tov7At0jQJjjDYj4tg/9VW1SvwkcB
|
||||||
|
AJEXPOQFLPYhegwq5G+lwlEsxE9LmBMBusML/3p4ZUYEuDMEZa18NBYJKwYBBAHa
|
||||||
|
Rw8BAQdA62nilshWONc3snbvv6mbkTLMhBUPloemiLjknU81UIuIfgQYFgoAJhYh
|
||||||
|
BNSKGsqxzb0XAVFmK7GgtKRYhaAxBQJlrXw0AhsgBQkB4TOAAAoJELGgtKRYhaAx
|
||||||
|
F5wBALp/P2c+FV7WdwnI2f9zZFxmtrSwRbDPBGJ6bvCJ45QaAQCEQ4nF0Qxs2/qb
|
||||||
|
DiRJ0ucWYLlUK9MR4tAXu7E/fsAPCrg4BGWte5MSCisGAQQBl1UBBQEBB0BvaxmN
|
||||||
|
FsORwLciFERl9SldHn3fUXRyyrkDqVM1IfJyVwMBCAeIdQQYFgoAJxYhBNSKGsqx
|
||||||
|
zb0XAVFmK7GgtKRYhaAxBQJlrXuTAxsABAUJAeEzgAAAxJ4BALCSE6rEiOwgnkMG
|
||||||
|
DJtDgdO7nbLciQJWfH6KRx5/wMyjAQCADkDdpJfzH36nfi3plfV1uAi1ZhLVrZu+
|
||||||
|
qUSS9QGfBrgzBGWtfzIWCSsGAQQB2kcPAQEHQPfsufQIdFzWK1B1uelCzt8XJaou
|
||||||
|
blRPn1gjZvumSEr+iH4EGBYKACYWIQTUihrKsc29FwFRZiuxoLSkWIWgMQUCZa1/
|
||||||
|
MgIbIAUJA8JnAAAKCRCxoLSkWIWgMVomAQCa2marlCeyEQQcOz3IFPFYCeth8+e/
|
||||||
|
I6LgogPoVslMjQEA82iFX5eIFtAqaYqtZvm6LQFc0hI8JiQfpHt/FpxqNQI=
|
||||||
|
=1z2B
|
||||||
-----END PGP PUBLIC KEY BLOCK-----
|
-----END PGP PUBLIC KEY BLOCK-----
|
||||||
|
|
123
machines/catering/configuration.nix
Normal file
123
machines/catering/configuration.nix
Normal file
|
@ -0,0 +1,123 @@
|
||||||
|
# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
|
||||||
|
#
|
||||||
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
|
||||||
|
{ config, pkgs, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
./hardware-configuration.nix
|
||||||
|
../../modules
|
||||||
|
];
|
||||||
|
|
||||||
|
sbruder = {
|
||||||
|
nginx.hardening.enable = true;
|
||||||
|
full = false;
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.hostName = "catering";
|
||||||
|
|
||||||
|
system.stateVersion = "23.05";
|
||||||
|
|
||||||
|
services.nginx = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
|
recommendedGzipSettings = true;
|
||||||
|
recommendedOptimisation = true;
|
||||||
|
recommendedProxySettings = true;
|
||||||
|
recommendedTlsSettings = true;
|
||||||
|
|
||||||
|
virtualHosts = {
|
||||||
|
"catering.salespointframework.org" = {
|
||||||
|
enableACME = true;
|
||||||
|
forceSSL = true;
|
||||||
|
|
||||||
|
locations = {
|
||||||
|
"/" = {
|
||||||
|
proxyPass = "http://localhost:8080";
|
||||||
|
extraConfig = ''
|
||||||
|
sub_filter '</script>' '</script><script src="/dev.js"></script>';
|
||||||
|
sub_filter_once on;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
"= /dev.js".alias = pkgs.writeText "dev.js" ''
|
||||||
|
addEventListener("load", event => {
|
||||||
|
document.querySelector("footer").appendChild((() => {
|
||||||
|
let el = document.createElement("p")
|
||||||
|
el.classList.add("text-center", "fw-bold")
|
||||||
|
el.innerText = "Alle Angebot sind fiktiv!"
|
||||||
|
return el
|
||||||
|
})())
|
||||||
|
|
||||||
|
if (localStorage.getItem("devAck") !== "true") {
|
||||||
|
if (confirm("Alle hier präsentierten Angebote sind fiktiv, es können keine rechtsverbindlichen Verträge geschlossen werden. Mit dem Fortfahren bestätigen Sie, dies verstanden zu haben.")) {
|
||||||
|
localStorage.setItem("devAck", "true")
|
||||||
|
} else {
|
||||||
|
location = "about:blank"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
})
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
"www.mampf.shop" = {
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
globalRedirect = "catering.salespointframework.org";
|
||||||
|
};
|
||||||
|
|
||||||
|
"mampf.shop" = {
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
globalRedirect = "catering.salespointframework.org";
|
||||||
|
};
|
||||||
|
|
||||||
|
"presi.catering.salespointframework.org" = {
|
||||||
|
enableACME = true;
|
||||||
|
forceSSL = true;
|
||||||
|
|
||||||
|
root = "/var/www/presi.catering.salespointframework.org";
|
||||||
|
|
||||||
|
locations."/".tryFiles = "/main.pdf =404";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.tmpfiles.rules = [
|
||||||
|
"d /var/www/presi.catering.salespointframework.org 0755 catering catering - -"
|
||||||
|
];
|
||||||
|
|
||||||
|
users.users.catering = {
|
||||||
|
isSystemUser = true;
|
||||||
|
group = "catering";
|
||||||
|
useDefaultShell = true;
|
||||||
|
home = "/var/lib/catering";
|
||||||
|
createHome = true;
|
||||||
|
|
||||||
|
openssh.authorizedKeys.keys = config.sbruder.pubkeys.trustedKeys;
|
||||||
|
};
|
||||||
|
users.groups.catering = { };
|
||||||
|
|
||||||
|
sbruder.static-webserver.vhosts = {
|
||||||
|
"salespointframework.org" = {
|
||||||
|
redirects = [ "www.salespointframework.org" "salespointframe.work" "www.salespointframe.work" ];
|
||||||
|
user = {
|
||||||
|
name = "salespoint";
|
||||||
|
keys = config.sbruder.pubkeys.trustedKeys;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
"verkaufspunktrahmenwerk.de" = {
|
||||||
|
redirects = [ "www.verkaufspunktrahmenwerk.de" "verkaufspuntrahmenwerk.de" "www.verkaufspuntrahmenwerk.de" ];
|
||||||
|
user = {
|
||||||
|
name = "verkaufspunkt";
|
||||||
|
keys = config.sbruder.pubkeys.trustedKeys;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.firewall.allowedTCPPorts = [
|
||||||
|
80
|
||||||
|
443
|
||||||
|
];
|
||||||
|
}
|
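Review bot: The "Angebote sind fiktiv" notice on `catering.salespointframework.org` depends on two things that can fail silently. In `dev.js`, `document.querySelector("footer")` returns null on any page without a `<footer>`, the `.appendChild` call then throws, and the `devAck` confirm below it never runs; `document.querySelector("footer")?.appendChild(…)`, or running the confirm block first, avoids that. In the `/` location, `sub_filter` does not rewrite compressed upstream responses, so if the application on port 8080 ever enables compression the script tag is not injected; adding `proxy_set_header Accept-Encoding "";` to the same `extraConfig` keeps the upstream response uncompressed. The filter also only fires on responses that contain a `</script>` tag and, by default, only on `text/html`.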
54
machines/catering/hardware-configuration.nix
Normal file
54
machines/catering/hardware-configuration.nix
Normal file
|
@ -0,0 +1,54 @@
|
||||||
|
# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
|
||||||
|
#
|
||||||
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
|
||||||
|
{ config, lib, pkgs, modulesPath, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
(modulesPath + "/profiles/qemu-guest.nix")
|
||||||
|
];
|
||||||
|
|
||||||
|
sbruder.machine.isVm = true;
|
||||||
|
|
||||||
|
boot = {
|
||||||
|
initrd = {
|
||||||
|
availableKernelModules = [ "xhci_pci" "virtio_pci" "usbhid" "sr_mod" ];
|
||||||
|
};
|
||||||
|
loader = {
|
||||||
|
grub.enable = false;
|
||||||
|
systemd-boot.enable = true;
|
||||||
|
efi.canTouchEfiVariables = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems = {
|
||||||
|
"/" = {
|
||||||
|
device = "/dev/disk/by-uuid/c39bdb61-2e4c-464b-8c4c-bb6bb7f342a2";
|
||||||
|
fsType = "btrfs";
|
||||||
|
options = [ "compress=zstd" ];
|
||||||
|
};
|
||||||
|
"/boot" = {
|
||||||
|
device = "/dev/disk/by-uuid/D976-BBAF";
|
||||||
|
fsType = "vfat";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.useDHCP = false;
|
||||||
|
networking.usePredictableInterfaceNames = false;
|
||||||
|
systemd.network = {
|
||||||
|
enable = true;
|
||||||
|
networks = {
|
||||||
|
eth0 = {
|
||||||
|
name = "eth0";
|
||||||
|
DHCP = "yes";
|
||||||
|
domains = [ "salespointframework.org" ];
|
||||||
|
address = [ "2a01:4f9:c011:9c01::1/64" ];
|
||||||
|
gateway = [ "fe80::1" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# no smart on qemu disk
|
||||||
|
services.smartd.enable = false;
|
||||||
|
}
|
|
@ -23,9 +23,6 @@ in
|
||||||
};
|
};
|
||||||
vueko = {
|
vueko = {
|
||||||
system = "aarch64-linux";
|
system = "aarch64-linux";
|
||||||
extraModules = [
|
|
||||||
"${inputs.infinisilSystem}/config/new-modules/murmur.nix"
|
|
||||||
];
|
|
||||||
|
|
||||||
targetHost = "vueko.sbruder.de";
|
targetHost = "vueko.sbruder.de";
|
||||||
};
|
};
|
||||||
|
@ -49,6 +46,9 @@ in
|
||||||
};
|
};
|
||||||
renge = {
|
renge = {
|
||||||
system = "aarch64-linux";
|
system = "aarch64-linux";
|
||||||
|
extraModules = [
|
||||||
|
"${inputs.infinisilSystem}/config/new-modules/murmur.nix"
|
||||||
|
];
|
||||||
|
|
||||||
targetHost = "renge.sbruder.de";
|
targetHost = "renge.sbruder.de";
|
||||||
};
|
};
|
||||||
|
@ -76,13 +76,9 @@ in
|
||||||
|
|
||||||
targetHost = "yuzuru.sbruder.de";
|
targetHost = "yuzuru.sbruder.de";
|
||||||
};
|
};
|
||||||
koyomi = {
|
catering = {
|
||||||
system = "x86_64-linux";
|
system = "aarch64-linux";
|
||||||
extraModules = [
|
|
||||||
hardware.common-cpu-intel
|
|
||||||
hardware.common-pc-ssd
|
|
||||||
];
|
|
||||||
|
|
||||||
targetHost = "koyomi.sbruder.de";
|
targetHost = "catering.salespointframework.org";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
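Review bot: The `extraModules` entry added to `renge` in the second hunk evaluates `config/new-modules/murmur.nix` from `inputs.infinisilSystem`, a module taken from someone else's system repository, with the same privileges as the local modules. The hunk does not say why it is needed or that the input is re-read when it is updated; I would put a comment above the list such as `# third-party murmur module; review its diff whenever this flake input is bumped`. Whether the input is pinned to a fixed revision is decided in the flake's lock file, which is not shown in this section.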
|
@ -1,4 +1,4 @@
|
||||||
# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
|
# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
|
||||||
#
|
#
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
|
||||||
|
@ -92,8 +92,6 @@
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
services.prometheus.exporters.smartctl.devices = [ "/dev/nvme0n1" "/dev/sda" "/dev/sdb" "/dev/sdc" ];
|
|
||||||
|
|
||||||
powerManagement.cpuFreqGovernor = "schedutil";
|
powerManagement.cpuFreqGovernor = "schedutil";
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
|
# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
|
||||||
#
|
#
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
|
||||||
|
@ -55,8 +55,6 @@
|
||||||
{ device = "/dev/disk/by-uuid/98de7ced-4d7c-4915-bf5b-1a0300458ea6"; }
|
{ device = "/dev/disk/by-uuid/98de7ced-4d7c-4915-bf5b-1a0300458ea6"; }
|
||||||
];
|
];
|
||||||
|
|
||||||
services.prometheus.exporters.smartctl.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
|
|
||||||
|
|
||||||
# GPU
|
# GPU
|
||||||
hardware.opengl = {
|
hardware.opengl = {
|
||||||
package = pkgs.mesa.drivers;
|
package = pkgs.mesa.drivers;
|
||||||
|
|
|
@ -1,37 +0,0 @@
|
||||||
<!--
|
|
||||||
SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
|
|
||||||
|
|
||||||
SPDX-License-Identifier: CC-BY-SA-4.0
|
|
||||||
-->
|
|
||||||
|
|
||||||
# koyomi
|
|
||||||
|
|
||||||
## Hardware
|
|
||||||
|
|
||||||
System from [Hetzner Online Serverbörse](https://www.hetzner.com/sb).
|
|
||||||
|
|
||||||
- Motherboard: FUJITSU D3401-H1
|
|
||||||
- CPU: Intel Core i7-6700
|
|
||||||
- RAM: 4×16 GB Samsung [M378A2K43CB1-CRC](https://semiconductor.samsung.com/dram/module/udimm/m378a2k43cb1-crc/)/[M378A2K43BB1-CPB](https://semiconductor.samsung.com/dram/module/udimm/m378a2k43bb1-cpb/) (DDR4 2400/2133 MHz)
|
|
||||||
- SSD: 2×512 GB M.2 NVMe SAMSUNG MZVLB512HAJQ-00000
|
|
||||||
|
|
||||||
## Setup
|
|
||||||
|
|
||||||
As it is a physical server (not a VM) in a remote location,
|
|
||||||
extra care must be taken when installing.
|
|
||||||
Fortunately, Hetzner provides an automated way to reset the server (by sending Ctrl+Alt+Del or force resetting)
|
|
||||||
and a rescue system that can be activated before a reboot.
|
|
||||||
Additionally, there is also a *vKVM* rescue system,
|
|
||||||
that boots a hypervisor from the network and runs a VM which boots from the physical disks.
|
|
||||||
|
|
||||||
The rescue system can be used to start a kexec installer generated by [nixos-generators](https://github.com/nix-community/nixos-generators).
|
|
||||||
Ideally, everything goes well and the next reboot works,
|
|
||||||
but in the case it does not, the vKVM rescue system can be used for debugging.
|
|
||||||
|
|
||||||
## Purpose
|
|
||||||
|
|
||||||
Hypervisor. Exact scope is to be determined.
|
|
||||||
|
|
||||||
## Name
|
|
||||||
|
|
||||||
Araragi Koyomi is a student from the *Monogatari Series*.
|
|
|
@ -1,23 +0,0 @@
|
||||||
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
|
|
||||||
#
|
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
||||||
|
|
||||||
{ config, lib, pkgs, ... }:
|
|
||||||
|
|
||||||
{
|
|
||||||
imports = [
|
|
||||||
./hardware-configuration.nix
|
|
||||||
../../modules
|
|
||||||
|
|
||||||
./services/hypervisor.nix
|
|
||||||
];
|
|
||||||
|
|
||||||
sbruder = {
|
|
||||||
wireguard.home.enable = true;
|
|
||||||
podman.enable = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
networking.hostName = "koyomi";
|
|
||||||
|
|
||||||
system.stateVersion = "23.11";
|
|
||||||
}
|
|
|
@ -1,74 +0,0 @@
|
||||||
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
|
|
||||||
#
|
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
||||||
|
|
||||||
{ modulesPath, pkgs, ... }:
|
|
||||||
|
|
||||||
{
|
|
||||||
imports = [
|
|
||||||
(modulesPath + "/installer/scan/not-detected.nix")
|
|
||||||
];
|
|
||||||
|
|
||||||
boot = {
|
|
||||||
swraid.enable = true;
|
|
||||||
kernelModules = [ "kvm-intel" ];
|
|
||||||
kernelParams = [ "ip=dhcp" ];
|
|
||||||
loader = {
|
|
||||||
grub = {
|
|
||||||
devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
initrd = {
|
|
||||||
availableKernelModules = [ "aesni_intel" "ahci" "e1000e" "nvme" ];
|
|
||||||
kernelModules = [ "dm-snapshot" ];
|
|
||||||
network.enable = true; # remote unlocking
|
|
||||||
luks.devices = {
|
|
||||||
koyomi-pv = {
|
|
||||||
name = "koyomi-pv";
|
|
||||||
device = "/dev/disk/by-uuid/9145417d-e8f5-4aa9-a526-419e507c47fd";
|
|
||||||
preLVM = true;
|
|
||||||
allowDiscards = true;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
# FIXME XXX HACK
|
|
||||||
# This is required to have the md device available under /dev/disk/by-uuid.
|
|
||||||
# Both commands are run as part of the regular stage-1 init script,
|
|
||||||
# but for some reason, they need to be run twice.
|
|
||||||
preLVMCommands = ''
|
|
||||||
udevadm trigger
|
|
||||||
udevadm settle
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems = {
|
|
||||||
"/" = {
|
|
||||||
device = "/dev/disk/by-uuid/3b31163f-4fec-4e1c-b311-7c8aaca76cd4";
|
|
||||||
fsType = "btrfs";
|
|
||||||
options = [ "discard=async" "noatime" "compress=zstd" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
"/boot" = {
|
|
||||||
device = "/dev/disk/by-uuid/12CE-A600";
|
|
||||||
fsType = "vfat";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services.prometheus.exporters.smartctl.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
|
|
||||||
|
|
||||||
networking.useDHCP = false;
|
|
||||||
networking.usePredictableInterfaceNames = false;
|
|
||||||
systemd.network = {
|
|
||||||
enable = true;
|
|
||||||
networks = {
|
|
||||||
eth0 = {
|
|
||||||
name = "eth0";
|
|
||||||
DHCP = "yes";
|
|
||||||
domains = [ "sbruder.de" ];
|
|
||||||
address = [ "2a01:4f8:151:712d::1/64" ];
|
|
||||||
gateway = [ "fe80::1" ];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,72 +0,0 @@
|
||||||
wg-home-private-key: ENC[AES256_GCM,data:fFoXn5sLL06hNeXhQGKbheQV4ZNlYxJKWlHpPfyF6PyYbBcz4An9DPYnQKk=,iv:pY2dVEspIijtZkatUrSdg90D0ldxAoy5rUj1lw1cOF8=,tag:jz4q+Yum05S9c5OlciBZ1g==,type:str]
|
|
||||||
sops:
|
|
||||||
kms: []
|
|
||||||
gcp_kms: []
|
|
||||||
azure_kv: []
|
|
||||||
hc_vault: []
|
|
||||||
age: []
|
|
||||||
lastmodified: "2024-05-11T21:49:03Z"
|
|
||||||
mac: ENC[AES256_GCM,data:yS/v+NWiLlFLTwnbhaYVg98H/ThqW5r+3eC1YsvJRRrF/yZBk6nUtK8CT4tvR9PUeks4a2H15/5aY2oDxnABhXhkbasZjnl3+YGF8SOIwo+YuWJ5A3rHJZQMJGRGg8dwh4xkJMDJKb2Or1uH3ZiSclVMQDiM3RGVifLhtv+gJEc=,iv:ygTcKqU5pzkOoGUx9xw9BzWJx15t28w3tJVH4eAdxS4=,tag:F5/8SSt/eON9zwWGGUyUEQ==,type:str]
|
|
||||||
pgp:
|
|
||||||
- created_at: "2024-05-11T21:48:51Z"
|
|
||||||
enc: |-
|
|
||||||
-----BEGIN PGP MESSAGE-----
|
|
||||||
|
|
||||||
hF4DLHeEFiC484ASAQdATNhq0wu5gLVG+7PHCtdQRxgC6GqQrvrttZnN3AvnZ0ww
|
|
||||||
qBdXl+6qkWHyjvclklzcNfpcMD7cmRwRDSDSQASmSTAyulBbgjDuou9Tjl/Rxorl
|
|
||||||
hF4Dub78fMESoMASAQdAIhgR5ZyuaP12Mav7NNapUcWrScnmjNPh46oX2W3jDDsw
|
|
||||||
in+hRRYC6apDKMcC3IFEzo6vy7OfhEeMR2IthtU0Y+bgdfjpwEOZ4J5CLg2ERZO+
|
|
||||||
hF4DM6AcvgVUx2MSAQdAKc70+YldBMdetkmcWWJYDSUbewIJOrDCJBS+TUTQ2hQw
|
|
||||||
dq03NJuiqwsrN1YBa1qHELTJj7CvrxTvVSQvDpSEwD3WVk8Qn5z1lMgBrivxCGa8
|
|
||||||
1GYBCQIQj3MkZci7qGULIHivbsOSwX6a3T9JQRkmHylyzZDxYRUz3TLhNvjuly58
|
|
||||||
TxBJcHkDmXDP5T+UACrryRIN2h/J/+gw6WkHnPJOcs5JFqB9uneVwpW1A3jNMhRD
|
|
||||||
iXDXWxIe5PY=
|
|
||||||
=zp+l
|
|
||||||
-----END PGP MESSAGE-----
|
|
||||||
fp: 6CD375BD0741F67E5A289BC333A01CBE0554C763
|
|
||||||
- created_at: "2024-05-11T21:48:51Z"
|
|
||||||
enc: |-
|
|
||||||
-----BEGIN PGP MESSAGE-----
|
|
||||||
|
|
||||||
hF4Dub78fMESoMASAQdAs3PQ1mkR/MS3vg1qCTPiQihx7yZvQlqlhYRsRigJDiEw
|
|
||||||
WuZYC66MsLHi2YQEkFoxG0bgt3sHkVRlq72ae713UzfWiI0Dl59dxtGcOtvdo5LK
|
|
||||||
1GYBCQIQIupCIS36+zkecqWl1h55C0G/bC+SHdwgp5nFbva+3fidastsvakUDuTW
|
|
||||||
dGOLK1FC2xUrct/rLGBmWA48fSOA/VJiiEVzP0TsVCytTx/Y44jm0f5HC85LNnNy
|
|
||||||
8GoFUoOn6tE=
|
|
||||||
=A7C7
|
|
||||||
-----END PGP MESSAGE-----
|
|
||||||
fp: 0C8AF4B4320A511384DF6B5BB9BEFC7CC112A0C0
|
|
||||||
- created_at: "2024-05-11T21:48:51Z"
|
|
||||||
enc: |-
|
|
||||||
-----BEGIN PGP MESSAGE-----
|
|
||||||
|
|
||||||
hF4DLHeEFiC484ASAQdAK53bLfsn0k8SFw/88FliX2Yaev9oMGmKSR7f/6vJmH4w
|
|
||||||
pZxJqMwkpWt3We5DAkN+VFuawOzPNrV0vmmd8StlajZ5GIaz713QJQ8cpVrE/sPh
|
|
||||||
1GYBCQIQUuj0dgOWLtcB/w1vHj0qQW8LnMG5uVY7gk+hPmllQb8TJ1aRUkcPrKoE
|
|
||||||
rXUCl17BO59C4AUWLu/0RviAki6FMZC1S0g1z8eOck6CFSnW4i4uMB0g5Yi5kqpK
|
|
||||||
K0oWZqedIzU=
|
|
||||||
=Z8wz
|
|
||||||
-----END PGP MESSAGE-----
|
|
||||||
fp: 403215E0F99D2582C7055C512C77841620B8F380
|
|
||||||
- created_at: "2024-05-11T21:48:51Z"
|
|
||||||
enc: |-
|
|
||||||
-----BEGIN PGP MESSAGE-----
|
|
||||||
|
|
||||||
hQIMA2YOabq+5CZDAQ//beLzskyTj+PN79rvrupVY5gwWxIhYuoRs2ZkJSlNyRYg
|
|
||||||
exNxwPAjssi3yKoUOy9TNbxzOKP5VwehnOPlJ4jyVgdZ9zksJH9k0WnfhlmabHeC
|
|
||||||
UnYsUSDB7VUFrpacdIKjmFM6OPlu7Xm98RwSabkmlHEE/voF/Ma5yWT0c3Sx2lzv
|
|
||||||
ucNSCqmjY0D6S5tJz+3nYsT54OjS+Jlr96CPOR9dz1jEGGQMfwyMxwMLhVpVBDKE
|
|
||||||
uusl5VD3jw50wYbkhvYscGGkdOkLwAFMIwYvw1seYFTb3kux8ChahYQ3QtPn3ZUD
|
|
||||||
OoPqYUtgpcnZTAcMGvzL7B0OwJLsCpin454yko56KV/cnIHwSv2cyfsQB0M4dz6l
|
|
||||||
OalAS5BpqhZ2ulDm34yFlRE7MD+H12tOzBJIFjGQksv9DiuRyezZnevBqlOdott8
|
|
||||||
cSDfO3RD3wGdUOIVwi3B92N5j1w39d2wKoXa19kM66mzsdbQrXwmxKa8gQMkjsG9
|
|
||||||
Ds2sUwQlKZ0HvvNkJTJ+NORWKKvwGXKqVPwOTUaZjzQGUtVWg5WSjmFoPQ049nqf
|
|
||||||
gLYhy0OeyEAIRe9HjNo5YANPNBF63qTT2++n6xs2ErXjHNNi85yUnhCBqRRI3Od6
|
|
||||||
HkLlLQN3i6RdV5C1wJwu3k1N6a+dl03gFgO3PSJZaLpIhHJuOJwYT3rCGi3ZgzXS
|
|
||||||
VgFycpleRMSCTjEIY/Ky4PJOlbUykf4CuFWnvJLSOcqjPbozzqjUaw4xzea2Lloj
|
|
||||||
+Io3l0AHWqKCmv4qbZxim37YuicyM02A56pk7SMKXOuqbb1m5hBr
|
|
||||||
=bvPZ
|
|
||||||
-----END PGP MESSAGE-----
|
|
||||||
fp: a53d4ca8d2cf54613822c81d660e69babee42643
|
|
||||||
unencrypted_suffix: _unencrypted
|
|
||||||
version: 3.8.1
|
|
|
@ -1,133 +0,0 @@
|
||||||
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
|
|
||||||
#
|
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
||||||
|
|
||||||
{ lib, pkgs, ... }:
|
|
||||||
let
|
|
||||||
guests = {
|
|
||||||
forgejo-actions-runner = {
|
|
||||||
mac = "42:80:00:00:00:02";
|
|
||||||
v4 = "10.80.32.2";
|
|
||||||
v6 = "2a01:4f8:151:712d:1::2";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
# port forwarding for IPv4
|
|
||||||
portForwards = {
|
|
||||||
tcp = { };
|
|
||||||
udp = { };
|
|
||||||
};
|
|
||||||
in
|
|
||||||
{
|
|
||||||
virtualisation.libvirtd = {
|
|
||||||
enable = true;
|
|
||||||
qemu.package = pkgs.qemu_kvm;
|
|
||||||
};
|
|
||||||
|
|
||||||
boot.kernel.sysctl = {
|
|
||||||
"net.ipv4.conf.all.forwarding" = true;
|
|
||||||
"net.ipv6.conf.all.forwarding" = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.network = {
|
|
||||||
enable = true;
|
|
||||||
netdevs = {
|
|
||||||
br-virt = {
|
|
||||||
netdevConfig = {
|
|
||||||
Name = "br-virt";
|
|
||||||
Kind = "bridge";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
networks = {
|
|
||||||
br-virt = {
|
|
||||||
name = "br-virt";
|
|
||||||
address = [ "10.80.32.1/24" "2a01:4f8:151:712d:1::1/80" ];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
services.resolved.enable = false;
|
|
||||||
|
|
||||||
services.dnsmasq = {
|
|
||||||
enable = true;
|
|
||||||
|
|
||||||
settings = {
|
|
||||||
interface = [ "br-virt" ];
|
|
||||||
|
|
||||||
bind-interfaces = true; # do not bind to the wildcard interface
|
|
||||||
bogus-priv = true; # do not forward revese lookups of internal addresses
|
|
||||||
dhcp-fqdn = true; # only insert qualified names of DHCP clients into DNS
|
|
||||||
domain-needed = true; # do not forward names without domain
|
|
||||||
no-hosts = true; # do not resolve hosts from /etc/hosts
|
|
||||||
no-resolv = true; # only use explicitly configured resolvers
|
|
||||||
|
|
||||||
domain = [ "sbruder.de" ];
|
|
||||||
|
|
||||||
enable-ra = true; # required to tell clients to use DHCPv6
|
|
||||||
|
|
||||||
# Force static configuration
|
|
||||||
dhcp-range = [
|
|
||||||
"10.80.32.0,static,255.255.255.0"
|
|
||||||
"2a01:4f8:151:712d:1::,static,80"
|
|
||||||
];
|
|
||||||
|
|
||||||
dhcp-host = lib.flatten (lib.mapAttrsToList
|
|
||||||
(name: { mac, v4, v6 }: [
|
|
||||||
"${mac},${v4},${name}"
|
|
||||||
"${mac},[${v6}],${name}"
|
|
||||||
])
|
|
||||||
guests);
|
|
||||||
|
|
||||||
# Hetzner recursive name servers
|
|
||||||
# https://docs.hetzner.com/dns-console/dns/general/recursive-name-servers/
|
|
||||||
server = [
|
|
||||||
"185.12.64.1"
|
|
||||||
"185.12.64.2"
|
|
||||||
"2a01:4ff:ff00::add:1"
|
|
||||||
"2a01:4ff:ff00::add:2"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
networking.firewall = {
|
|
||||||
allowedTCPPorts = map lib.toInt (lib.attrNames portForwards.tcp);
|
|
||||||
allowedUDPPorts = map lib.toInt (lib.attrNames portForwards.udp);
|
|
||||||
|
|
||||||
interfaces.br-virt = {
|
|
||||||
allowedTCPPorts = [ 53 ]; # EDNS
|
|
||||||
allowedUDPPorts = [ 53 67 547 ]; # DNS / DHCP / DHCPv6
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
networking.nftables = {
|
|
||||||
enable = true;
|
|
||||||
ruleset = ''
|
|
||||||
# only IPv4
|
|
||||||
table ip hypervisor-nat {
|
|
||||||
chain postrouting {
|
|
||||||
type nat hook postrouting priority filter; policy accept
|
|
||||||
oifname eth0 masquerade
|
|
||||||
}
|
|
||||||
|
|
||||||
chain prerouting {
|
|
||||||
type nat hook prerouting priority dstnat; policy accept
|
|
||||||
${lib.concatStrings (lib.mapAttrsToList (port: guest: ''
|
|
||||||
iifname eth0 tcp dport ${port} dnat to ${guests.${guest}.v4}
|
|
||||||
'') portForwards.tcp)}
|
|
||||||
${lib.concatStrings (lib.mapAttrsToList (port: guest: ''
|
|
||||||
iifname eth0 udp dport ${port} dnat to ${guests.${guest}.v4}
|
|
||||||
'') portForwards.udp)}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
table inet hypervisor-filter {
|
|
||||||
chain forward {
|
|
||||||
type filter hook forward priority filter; policy drop
|
|
||||||
|
|
||||||
iifname br-virt oifname eth0 counter accept
|
|
||||||
iifname eth0 oifname br-virt counter accept
|
|
||||||
}
|
|
||||||
}
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -19,7 +19,6 @@
|
||||||
gui.enable = true;
|
gui.enable = true;
|
||||||
media-proxy.enable = true;
|
media-proxy.enable = true;
|
||||||
mullvad.enable = true;
|
mullvad.enable = true;
|
||||||
podman.enable = true;
|
|
||||||
restic.system = {
|
restic.system = {
|
||||||
enable = true;
|
enable = true;
|
||||||
qos = true;
|
qos = true;
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
|
# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
|
||||||
#
|
#
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
|
||||||
|
@ -45,8 +45,6 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.prometheus.exporters.smartctl.devices = [ "/dev/nvme0n1" ];
|
|
||||||
|
|
||||||
powerManagement = {
|
powerManagement = {
|
||||||
cpuFreqGovernor = "schedutil";
|
cpuFreqGovernor = "schedutil";
|
||||||
};
|
};
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
<!--
|
<!--
|
||||||
SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
|
SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
|
||||||
|
|
||||||
SPDX-License-Identifier: CC-BY-SA-4.0
|
SPDX-License-Identifier: CC-BY-SA-4.0
|
||||||
-->
|
-->
|
||||||
|
@ -8,7 +8,7 @@ SPDX-License-Identifier: CC-BY-SA-4.0
|
||||||
|
|
||||||
## Hardware
|
## Hardware
|
||||||
|
|
||||||
[Ionos VPS Linux XS](https://www.ionos.de/server/vps) S (1 Xeon Skylake vCPU, 1 GiB RAM, 10 GB SSD).
|
[Ionos Cloud VPS](https://cloud.ionos.de/server/vps) S (1 Xeon Gold Gold 5120 vCPU, “512 MB” = 443 MiB RAM, 10 GB SSD).
|
||||||
|
|
||||||
## Purpose
|
## Purpose
|
||||||
|
|
||||||
|
@ -22,50 +22,32 @@ Okabe Rintaro is a mad scientist from *Steins;Gate*
|
||||||
|
|
||||||
Much like the namesake,
|
Much like the namesake,
|
||||||
this server requires a “mad scientist” approach to set up.
|
this server requires a “mad scientist” approach to set up.
|
||||||
However, it is much easier than setting up its predecessor,
|
|
||||||
which had just above 400 MiB usable memory.
|
|
||||||
|
|
||||||
Ionos does not offer any NixOS installation media.
|
Ionos does not offer any NixOS installation media.
|
||||||
I could only choose between various installation media and rescue systems.
|
I could only choose between a Debian installation media, Knoppix and GParted.
|
||||||
Also, installing NixOS with a low amount of memory is problematic.
|
Also, installing with a very low amount of memory is quite hard.
|
||||||
|
|
||||||
I therefore created a VM locally with a disk image exactly 10737418240 Bytes in size.
|
I therefore created a VM locally with a disk image exactly 10737418240 Bytes in size.
|
||||||
On there, I installed NixOS.
|
On there, I installed NixOS.
|
||||||
Because encryption with `argon2id` as PBKDF is quite memory intensive,
|
Because encryption with `argon2id` as PBKDF is quite memory intensive, I had to tune the parameters some.
|
||||||
I had to tune the parameters to ensure decryption was still possible on the target.
|
What I settled on was
|
||||||
This can be done quite easily by interactively running the following command on the build VM:
|
`cryptsetup luksFormat --pbkdf argon2id --iter-time 10000 --pbkdf-memory 250000 /dev/sda3`.
|
||||||
|
|
||||||
cryptsetup luksChangeKey --pbkdf-memory 100747 --pbkdf-parallel 1 --pbkdf-force-iterations 29 /dev/vda3
|
To make btrfs use its SSD optimizations,
|
||||||
|
I had to force the kernel to see the device as non-rotational:
|
||||||
|
`echo 0 > /sys/block/dm-0/queue/rotational`
|
||||||
|
|
||||||
The memory size was obtained by a successful run of `cryptsetup benchmark` inside the initrd on the target.
|
Another problem was the usage of VMware by Ionos.
|
||||||
|
The VM I set this up with was obviously using KVM/QEMU,
|
||||||
However, since those parameters are not ideal,
|
so it needed different kernel modules at boot.
|
||||||
the following should later be run on the target host itself:
|
What worked was setting it up in the local VM with both libvirt and vmware modules,
|
||||||
|
and then removing the libvirt modules once it was installed on the target.
|
||||||
cryptsetup luksChangeKey --pbkdf-parallel 1 -i 10000 /dev/vda3
|
|
||||||
|
|
||||||
This will determine the memory usage automatically,
|
|
||||||
use one thread
|
|
||||||
and set the parameters so that decryption takes 10 seconds (10000 ms).
|
|
||||||
The memory usage will not be as high as it could,
|
|
||||||
but it will be better.
|
|
||||||
|
|
||||||
Getting the disk image onto the server was done
|
Getting the disk image onto the server was done
|
||||||
by first `rsync`ing the image to another server (to allow for incremental iterations),
|
by first `rsync`ing the image to another server (to allow for incremental iterations),
|
||||||
which then provided it via HTTP.
|
which then provided it via HTTP.
|
||||||
Using the Debian installation media in rescue mode
|
Using the Knoppix live image (booted with `knoppix 2` to avoid starting the gui),
|
||||||
(as for some reason most other options tried to cache the file in memory and became very slow)
|
it was possible to just `curl http://server/okarin.img > /dev/sda`.
|
||||||
it was possible to write the image to disk with `wget -O /dev/sda http://server/okarin.img`.
|
|
||||||
|
|
||||||
Because of all the pitfalls of this,
|
Because of all the pitfalls of this,
|
||||||
you probably need more than one try.
|
you probably need more than one try.
|
||||||
To make debugging easier on the target, the following option can be set:
|
|
||||||
```nix
|
|
||||||
{ pkgs, ... }:
|
|
||||||
|
|
||||||
{
|
|
||||||
boot.initrd.preLVMCommands = ''
|
|
||||||
${pkgs.bashInteractive}/bin/bash
|
|
||||||
'';
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
|
@ -9,6 +9,7 @@
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
../../modules
|
../../modules
|
||||||
|
|
||||||
|
./services/static-sites.nix
|
||||||
./services/proxy.nix
|
./services/proxy.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
|
@ -21,7 +22,7 @@
|
||||||
|
|
||||||
networking.hostName = "okarin";
|
networking.hostName = "okarin";
|
||||||
|
|
||||||
system.stateVersion = "23.11";
|
system.stateVersion = "22.11";
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [
|
networking.firewall.allowedTCPPorts = [
|
||||||
80
|
80
|
||||||
|
|
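Review bot: `system.stateVersion` goes from "23.11" to "22.11" in the second hunk, and that option is meant to record the release the machine's state was first created with rather than follow the branch. If this host was installed under 23.11, lowering the value changes the defaults of stateful services on the next switch. If the new side describes a different install (the disk UUIDs in its hardware configuration on this page differ as well), a comment would stop a later well-meant correction: `system.stateVersion = "22.11"; # release this install was created with, do not change`. The surrounding attribute set starts and ends outside the hunk.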
|
@ -5,10 +5,6 @@
|
||||||
{ lib, modulesPath, ... }:
|
{ lib, modulesPath, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
imports = [
|
|
||||||
(modulesPath + "/profiles/qemu-guest.nix")
|
|
||||||
];
|
|
||||||
|
|
||||||
sbruder.machine.isVm = true;
|
sbruder.machine.isVm = true;
|
||||||
|
|
||||||
boot = {
|
boot = {
|
||||||
|
@ -16,34 +12,41 @@
|
||||||
extraModulePackages = [ ];
|
extraModulePackages = [ ];
|
||||||
kernelParams = [ "ip=dhcp" ];
|
kernelParams = [ "ip=dhcp" ];
|
||||||
initrd = {
|
initrd = {
|
||||||
availableKernelModules = [ "aesni_intel" "ahci" "sd_mod" "sr_mod" "virtio_net" "virtio_pci" "xhci_pci" ];
|
availableKernelModules = [ "aesni_intel" "ahci" "sd_mod" "vmxnet3" "vmw_pvscsi" "vmw_vmci" ];
|
||||||
kernelModules = [ ];
|
kernelModules = [ "dm-snapshot" "vmw_balloon" ];
|
||||||
network = {
|
network = {
|
||||||
enable = true; # remote unlocking
|
enable = true; # remote unlocking
|
||||||
# for some reason, the DHCP server does not transmit the static route to the gateway in a form udhcpc understands
|
# for some reason, the DHCP server does not transmit the static route to the gateway in a form udhcpc understands
|
||||||
# this works around this, but is arguably quite hacky
|
# this works around this, but is arguably quite hacky
|
||||||
postCommands = ''
|
postCommands = ''
|
||||||
ip route add 85.215.165.1 dev eth0
|
ip route add 10.255.255.1 dev eth0
|
||||||
ip route add default via 85.215.165.1 dev eth0
|
ip route add default via 10.255.255.1 dev eth0
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
luks.devices."root".device = "/dev/disk/by-uuid/1dcb9ee1-5594-4174-98a7-a362da09f131";
|
luks.devices."root".device = "/dev/disk/by-uuid/67f2990c-636a-4d80-9f6d-7096fec9e267";
|
||||||
};
|
};
|
||||||
loader.grub.device = "/dev/vda";
|
loader.grub.device = "/dev/sda";
|
||||||
};
|
};
|
||||||
|
|
||||||
fileSystems = {
|
fileSystems = {
|
||||||
"/" = {
|
"/" = {
|
||||||
device = "/dev/disk/by-uuid/3ab8f4a7-952c-4b6c-93c6-7b307d5bb88b";
|
device = "/dev/disk/by-uuid/8e3082d1-4af3-4d5d-9fde-d30dc7552d41";
|
||||||
fsType = "btrfs";
|
fsType = "btrfs";
|
||||||
options = [ "compress=zstd" "discard" "noatime" "ssd" ]; # for some reason, the kernel assumes rotational
|
options = [ "compress=zstd" "discard" "noatime" ];
|
||||||
};
|
};
|
||||||
"/boot" = {
|
"/boot" = {
|
||||||
device = "/dev/disk/by-uuid/97aec56b-5fea-4445-83dc-4a20dcf482ce";
|
device = "/dev/disk/by-uuid/883c77e8-53bf-4330-bd9e-89ef71ad9518";
|
||||||
fsType = "ext2";
|
fsType = "ext2";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
swapDevices = [
|
||||||
|
{
|
||||||
|
device = "/dev/disk/by-partuuid/d9cf5716-25c8-4f72-80e3-696e0dfe1079";
|
||||||
|
randomEncryption.enable = true;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
zramSwap = {
|
zramSwap = {
|
||||||
enable = true;
|
enable = true;
|
||||||
memoryPercent = 150;
|
memoryPercent = 150;
|
||||||
|
@ -60,6 +63,11 @@
|
||||||
name = "eth0";
|
name = "eth0";
|
||||||
DHCP = "yes";
|
DHCP = "yes";
|
||||||
domains = [ "sbruder.de" ];
|
domains = [ "sbruder.de" ];
|
||||||
|
address = [ "2001:8d8:1800:8627::1/64" ];
|
||||||
|
gateway = [ "fe80::1" ];
|
||||||
|
networkConfig = {
|
||||||
|
IPv6AcceptRA = "no";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -1,80 +1,80 @@
|
||||||
wg-home-private-key: ENC[AES256_GCM,data:RkdgneGhH7prr/tkvHJeChQku2eXve9pV/SvtwsOjeinYO9veHw0rimdonY=,iv:vK6zNpu8F+TSLDTaif686Awjhs8WS2XJHzMtlvqlsIM=,tag:aKhV+kspVu+0CgPmYersxw==,type:str]
|
wg-home-private-key: ENC[AES256_GCM,data:4L8aIvgFi+mBjnyVy5IkPaeJRadJ5NCKZprSkBPwMNiVaIscjAdp2yinBSk=,iv:6pBo+6M4EkEjz184XvisWXEoomqJXa4M8Qa4nJHI65U=,tag:3DEsmA2xxAlx/PSbD3HOIA==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
azure_kv: []
|
azure_kv: []
|
||||||
hc_vault: []
|
hc_vault: []
|
||||||
age: []
|
age: []
|
||||||
lastmodified: "2023-12-25T22:06:33Z"
|
lastmodified: "2023-05-06T08:49:32Z"
|
||||||
mac: ENC[AES256_GCM,data:VbjyqrqDLCBDD9vGOHxSzsr9a5ZFFBJUkBRxJYBLereMDvInPFZnTwplHHkS5TdDFFAsjrcCgpCuPsUIbDdxFUNNtjdIe5JJwFMwT8XEFrgcswMGSKD6mIH2VBWop5pqoAV0eQ3YfKtDyhNHwixR8a+Z+hbGAY01Z19yteo51ZM=,iv:69EeBag+iUEoa18I0w1HeJKRwSQVCMRqUdV2CzUzMnY=,tag:WViKXJExL33jQAIWHUS8xw==,type:str]
|
mac: ENC[AES256_GCM,data:B7e3sh96p2DlqM2SgHWoJ7RZ2q5tnZ6lohNc7UKmwG1HTkrPKW/6jobW2InQnbZn1bPmCERoJIF9QyUz+OxotTiKIXxSL7BJkkfpIkWy9IgjIeADjevHkplm2rXONiXaM2sD46bPKbuRzuhbCZtNwUH74gTVfKPVLVrzpnPRC74=,iv:TTXlBGhO7xLCC3Ad+xiQKmy4b0n0vuQRaCdoe7vpzSE=,tag:dZCharRGK//w48ePu7d2eQ==,type:str]
|
||||||
pgp:
|
pgp:
|
||||||
- created_at: "2024-01-24T12:19:03Z"
|
- created_at: "2024-01-22T00:20:17Z"
|
||||||
enc: |-
|
enc: |-
|
||||||
-----BEGIN PGP MESSAGE-----
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
hF4DLHeEFiC484ASAQdA4PdmtZTlpcdfuYKSuKN6X4EGjh/l2D8Jxt7dg1y/Z0kw
|
hF4DLHeEFiC484ASAQdALOHWjRYEy+oURe+ERyiQYDjFPDniV0awCBMahhaLzCMw
|
||||||
ScG/nWs9hVMFTBeqSM0eHgFfcZhBB/L85eNf9thktTUbcWq0GEUcz5mwUqILtkfA
|
faMYpJTpirKixpFnPQ1W0aIiQ2/grcEJ4qYyXYG7GrqLcFMQfZOV8humZOLnZNB6
|
||||||
hF4Dub78fMESoMASAQdAMcVZokes0YKtbUZp7b9zq303WXPga5yn8LbhnaRrHycw
|
hF4Dub78fMESoMASAQdAhpmpD8cyJSauuTHM/RTjLybR1VUGcIY7kLqrB33QLG8w
|
||||||
+ECn4t8y8SXFICpAZ5n+xj5U8MdmdKOzhNQLleFKIHtWdyeUlwFi0qYYP8MRCLTB
|
aLu7q0wjY0Rs+7PtJiSKd6O4VOBRrsBmLc7QuBZ4cgBwUfE38g8LuXayuOLZQNb1
|
||||||
hF4DM6AcvgVUx2MSAQdAIzXqgZ8WiIxIV05BumWLsyZUChwvDQc47NMd5ehhBEQw
|
hF4DM6AcvgVUx2MSAQdARr9S5DSGRJOcv2IgYMzko8fkMHlIR9uIJdJLMdcJER4w
|
||||||
I1LY11LTNENypr5q0mhy615kIbsdhpzAVLf4Bkf921zABsfFzuY5zJHqi8SKVm7/
|
RjcC/s5+P0b7wy9bIaAv3vk3FX4hw56QzhqAXcA1zU1kyjEHPnv3qsiiQbcKDjb0
|
||||||
1GYBCQIQHPC99/GrpHG703gozt2I0P2XMhlRpzj359qStWaQZ8NBL5Ugo5BLvphf
|
1GYBCQIQG5VczwWUidoTYkHgZveZhkVyYIiZc/YQrY6n71OrVnUKaH5kZn1XrMKE
|
||||||
1/WYAlvnH4Uov2TxKdQs65IJSadQgs7lBWB5gqHklZ76E4Q+00oMQxwGjzMdddA/
|
zRzcc4XCiu8CaSkQp68eqKeHwI8U5N/LAtjHbACxAq6GHatf/+LvJx4CbUrPZxw2
|
||||||
hRlLbnUDE1Q=
|
PWZwSFBCZEg=
|
||||||
=ol1Y
|
=r7sK
|
||||||
-----END PGP MESSAGE-----
|
-----END PGP MESSAGE-----
|
||||||
fp: 6CD375BD0741F67E5A289BC333A01CBE0554C763
|
fp: 6CD375BD0741F67E5A289BC333A01CBE0554C763
|
||||||
- created_at: "2024-01-24T12:19:03Z"
|
- created_at: "2024-01-22T00:20:17Z"
|
||||||
enc: |-
|
enc: |-
|
||||||
-----BEGIN PGP MESSAGE-----
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
hF4DLHeEFiC484ASAQdAaXq+nn0DDx+RAkEC+x+yeP5xbCIdXkR9tQCgWx1s0jkw
|
hF4DLHeEFiC484ASAQdAGdRYvRfki1zKA2YHnPprf1ld5kJkai4fzxuuH1D3DRQw
|
||||||
VRgFkiBa6IsS0vmYknobXkizETtNjEhJ8vNw9nP0zPdjuUZBId2/bJZa7aFdIFRU
|
zt5XhSFMx5ii7C3LIVjGgKnn6A6KTe1Tj314OYtrLeCGV8Eli+eOiSgi4c0nL709
|
||||||
hF4Dub78fMESoMASAQdAMLbBcLnc+5UVDsx50SgCVjQoHO4JGE53DE6Q+frDEiow
|
hF4Dub78fMESoMASAQdAb38j/KxQlLRJLrtE5mS1XVCmaEIvyJU1uVcSVU3Bdhgw
|
||||||
rVFbLxWlJ/aw9baRdKUMkIUJftnImUQgolXvEfUjdS/oOdY69r4psLlHLQX11Ow1
|
f3iepOZgggHOCiHOCs+UWRmiudwoYqMzXF8G9pb6ESsy01cc1y6mXPh6sftKc6Iz
|
||||||
hF4DM6AcvgVUx2MSAQdAUZV3q/IXwUbRv9EokTe+4o83XzeS1h4GK3/3wjnKDHkw
|
hF4DM6AcvgVUx2MSAQdAhq0ynXfS/eYrDAYdxj/qyEg8c2lHFYSaUVtr6v3B/Rcw
|
||||||
xHFJR2clEMDlaq7Rx3FTr2a7MlzSnzBLtIwdw5b9ytuRvHjD5q7zCf5bihYnvdjV
|
Su08ppwK9wSbVaEL6p4NPJ0q9mt/36OsvZNaEWL2i7kkrD6q+2yvaGwh/fPcokWI
|
||||||
1GYBCQIQFt+CYziUXtEHjJFC1t+S3qkyPRAsVgZL8WlxbKzteW0NOdIZofHx6skG
|
1GYBCQIQRzg0YDKpmBGZY0sC37nIkUC4blEpFTgl+lma0ZQ9PUfbRP3ijRrxyPv/
|
||||||
Ebn8aadKcGg534DkwEt5DpIosXKUx4LN5xsCNoU9dHFYMSFE2nzJE4KNFJ8tzRQk
|
aNkUpVAVxjh3VnV/NEm2s03x62iO4uiGoU0BUeI8Jjy4Tvuuodvmfpd4wZw7Mq+V
|
||||||
G+tyNMgCYhM=
|
B8h2L/JR7Yo=
|
||||||
=2QnY
|
=/wMt
|
||||||
-----END PGP MESSAGE-----
|
-----END PGP MESSAGE-----
|
||||||
fp: 0C8AF4B4320A511384DF6B5BB9BEFC7CC112A0C0
|
fp: 0C8AF4B4320A511384DF6B5BB9BEFC7CC112A0C0
|
||||||
- created_at: "2024-01-24T12:19:03Z"
|
- created_at: "2024-01-22T00:20:17Z"
|
||||||
enc: |-
|
enc: |-
|
||||||
-----BEGIN PGP MESSAGE-----
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
hF4DLHeEFiC484ASAQdA6ojEbZ8HccTtorNbyw9aVKO73AJy6jTGV/qLt+FWoRgw
|
hF4DLHeEFiC484ASAQdAoM3SQYYUQq6OGImJaecw42BZOwOec75IWS00ZorR31ww
|
||||||
SsOLiL0UmF1OV7zmXE0ihkWivPqLHtp1U89aYucpAA69DIh4+6M7GUk1xDMxFfRo
|
uaRdi54liGiKpjaebhPcLkX+0TKcW0h11kw6X1wrru1JWi3YLbjohv0qCtfa4wpc
|
||||||
hF4Dub78fMESoMASAQdAV2z2DgUz2xWopnDzXywdpHb9eMe9ZxdABxpOJ0ECeBww
|
hF4Dub78fMESoMASAQdASH4+jxa7Qr9AkJpHHPmMx9cj3XyPXLpfzXJ7Yb40pHMw
|
||||||
wOC1x+IKIbIRZBDL7jbVUOk1G+GzCL4M7/G7XFSTFYMKvMKkc0Rh69pywFuGaqG8
|
zBiVmQApa4K+ZOVw/vpcSNaN6FufFoDb5IguwHIq+9vILvjvku6YFgAJ4gC76LOP
|
||||||
hF4DM6AcvgVUx2MSAQdA7bKGjcW81bzf58FlGGVDy/HjNyuEPNSVZXy0M+/WZAcw
|
hF4DM6AcvgVUx2MSAQdAZGNp/j1sF0rmHhImhnuhgpn9NgRuFtL+BH5dorvrPwIw
|
||||||
3iXR9MecA97bKKKhLyNSdYmYlAjZJVIdwd6vjNWjxaB7BIWTYhudTjHesLMxB0vc
|
mK5LsWHvyBFyC+SDNe4mrRkdia/xPECmcWrbvptGVjqlZnjmUbtrYhG+j5O6/817
|
||||||
1GYBCQIQlp1TDaBVxalDkeCEjDMRFatgJ3CwulzzW9B8qywOooS0BNtNbtTKGwEh
|
1GYBCQIQ/du7No+ULrBrjWc3q826ju8AqekySHtteKZclRmcHSNP4UEXcmTEMRNL
|
||||||
AxDL+wdeqkPABQ0wQ8hYGOw5z665jEOC2JbqbQ7N6LPQZRx/MowO2dGT/kKh2U9H
|
8lMJYK0G3uA9FXO9+2E39k/nIatBGuoaukW7zCouB3bLARZE00Oqh6qHCWVyFJ/S
|
||||||
VOK1Bc67BzU=
|
Gzwk8dC0wdc=
|
||||||
=3z3V
|
=BWUr
|
||||||
-----END PGP MESSAGE-----
|
-----END PGP MESSAGE-----
|
||||||
fp: 403215E0F99D2582C7055C512C77841620B8F380
|
fp: 403215E0F99D2582C7055C512C77841620B8F380
|
||||||
- created_at: "2024-01-24T12:19:03Z"
|
- created_at: "2024-01-22T00:20:17Z"
|
||||||
enc: |-
|
enc: |-
|
||||||
-----BEGIN PGP MESSAGE-----
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
hQIMA9pmsZ2EWzFWAQ/9Gl4dO83SmvGHyhEfile6G9ZUmhxwU2RFpPwEmjh4CV/v
|
hQIMA+X8PKo7gQeqARAAhtUvR20r2NV8SNWVuVSopTfCGwaJV99+PEp/l0UjHX6B
|
||||||
z1k2zgdF200a6tj96977VhjhIG/LZioEi41M1QdIqgkGsKy89DluCY9RDTqMmqzo
|
lpHgQNHegP6YEsAj5HNFEcV3vM+nbC0hbTtcERBZoxTkyDPOaRAyJpNfGniZVxxp
|
||||||
w65JhI+PQqdQuKlsbUh2VLql7LijoIUxuBPowWG1lULZtEvRuCchM5rLFiBSC2YO
|
jxSr/unCN6aJCbdqJZZZlitq84brMQWUE373Rb9B4cNdTYONabZbzZmwTDyzkVR0
|
||||||
DA0T73kC2P89CNZlOllZNnVRCRrxm7IsEO6Mo1yOeJL16mYqC9qGGKnvYEbsSm4n
|
ctjmkdBG0upqNn7vukSIg7DM7D9pFolS9142reF7e5jTlxBFWR1Jt+O9A1zypfvq
|
||||||
7ZZJvxXGnNzaXisyyjcJNgtsJAUX4TTlPH+Y2jpkhdHUvOkiwVQEokmnqTIKUp0e
|
tK2z9C1pM9LDRmUrKJ/HOKwu6P6USeTKFrp7Gfjr1UkmbgNunxgsdI6gwKY38SpJ
|
||||||
7Dc6ZXApFQ1DlMMsjLwy+5AQJQZbY4p4jo9rvmON5i5DLPy4rN5yf8W7zwkuy2gN
|
T+tELs68oC5pGFpZufnYkrGL313HC7Vp/+2+m+W5qXbyNqhDS6uVQHjqz/ROqByb
|
||||||
Id53gxDZxHw0+mRsfYRrdOvmfUqqz79TyWVV8bvHR2Mo3shdL1fsWOzTlm66Y9Vt
|
YwJw+x7810nL8+SleXst8oZpxDNDm+TnvWQAH6WiRBSpgVwy945SMvGG+1FLYps2
|
||||||
4coJxgUsJEFdnsnXAFep2V18Ypg36b9wQXtZDXWtTg36UliZZ95sUAG2vHQDS50b
|
qOsRMjr+titLZAaUpmIh/oDHG/XOpKPQflcc4/V7t2HK6vLX+xvPIQU8Y5TJkr1T
|
||||||
5XG07m1w8YgQSeiCObteAt4PqxEs1GYWmtRUmr4jvRQQzmVXCQP6+o0QJ5WK9bKl
|
nIIh7sMZBUldnUGUfFE3ksP5Gje5OHqK8xoFwYHFGK4QQzXFjPFN2QNvni2z9Y4R
|
||||||
auwT+H7POBJ3l+h9ykvmOidkAzeN7EWIirzvhDHsxvCklGCyo+Y3W5ZaLaFGfc/3
|
LLMvyEavqgIa6AeseqMnLuB2hz6wy/JNU/EPUalNca6RleoVA0DjKgjgDTlhQ5Al
|
||||||
pdj1G/REVT6aQMtSuYUsD7QoZeiNNBNJXAtUuUS6mWxch8RnkW718wxYZLvi03jS
|
a6sRTy+KmXFfzdO97MJJEkNgA1Hbi1/IpREeA50lYtrDqUvhxw+l1V8N7jw+ZWTS
|
||||||
VgHaVWepbw/q0COmjyofCt1qZH+WMKSAguiQ6PHWAdP3hnzGgd7Qo84W54Fb3m1R
|
VgHYyLUxdmOUsqEgQPVA7jiqWePwFEuEDEDVE+d6CcuvFuHFNV1jJEjit3R0wJOd
|
||||||
da72FFnILc3IYImbJI6QgJxAeS2K95nIWKdSix07c+m0zzFkemnB
|
QpqnfxW4QTD+JFNJgrD7bj4y1Gu9Z6Lg1IBnHnOwDIoCJoAHp0y6
|
||||||
=F0pC
|
=sy/X
|
||||||
-----END PGP MESSAGE-----
|
-----END PGP MESSAGE-----
|
||||||
fp: e7370b48016c961ef8ad792fda66b19d845b3156
|
fp: 868497ac4266a4d137e0718ae5fc3caa3b8107aa
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.8.1
|
version: 3.7.3
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
|
# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
|
||||||
#
|
#
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
|
||||||
|
@ -6,7 +6,9 @@
|
||||||
let
|
let
|
||||||
proxyMap = {
|
proxyMap = {
|
||||||
"sbruder.xyz" = "renge";
|
"sbruder.xyz" = "renge";
|
||||||
|
"nitter.sbruder.xyz" = "renge";
|
||||||
"iv.sbruder.xyz" = "renge";
|
"iv.sbruder.xyz" = "renge";
|
||||||
|
"libreddit.sbruder.xyz" = "renge";
|
||||||
};
|
};
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
|
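--- a/machines/okarin/services/static-sites.nix
+++ b/machines/okarin/services/static-sites.nix
@@ -0,0 +1,20 @@
+# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+{ config, ... }:
+
+{
+sbruder.static-webserver.vhosts = {
+"maggus.bayern".user = {
+name = "maggus";
+keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAWGXaMijpnm3RSH/PIVxkBRDIi1f5nMW/aS26g3b71M nils"
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEF8o2ezSEXwWoAcdoeJs+wsZM/u8x+vtRNU3FXOMIT nils"
+] ++ config.sbruder.pubkeys.trustedKeys;
+};
+"arbeitskampf.work".user = {
+name = "arbeitskampf";
+};
+};
+}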
|
@ -17,8 +17,8 @@
|
||||||
./services/grafana.nix
|
./services/grafana.nix
|
||||||
./services/hedgedoc.nix
|
./services/hedgedoc.nix
|
||||||
./services/invidious
|
./services/invidious
|
||||||
./services/mastodon.nix
|
|
||||||
./services/matrix
|
./services/matrix
|
||||||
|
./services/murmur.nix
|
||||||
./services/password-hash-self-service.nix
|
./services/password-hash-self-service.nix
|
||||||
./services/prometheus.nix
|
./services/prometheus.nix
|
||||||
./services/sbruder.xyz
|
./services/sbruder.xyz
|
||||||
|
@ -33,9 +33,6 @@
|
||||||
};
|
};
|
||||||
wireguard.home.enable = true;
|
wireguard.home.enable = true;
|
||||||
infovhost.enable = true;
|
infovhost.enable = true;
|
||||||
wkd = {
|
|
||||||
enable = true;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.hostName = "renge";
|
networking.hostName = "renge";
|
||||||
|
|
|
@ -2,7 +2,7 @@ forgejo-mail: ENC[AES256_GCM,data:3AlFHzVBA5TE4qv5ubG39K0varV8/HabO0q/RJZSD5o=,i
|
||||||
go-neb-overrides: ENC[AES256_GCM,data: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,iv:pnw0jIcMqA771woDYNHxWMWE6wHGaNsXi5aBXOFAHJU=,tag:Wbcqb0FsctZWOS6u5s82mQ==,type:str]
|
go-neb-overrides: ENC[AES256_GCM,data:1xy+SdsSTuerRox4skitg1mKLr1MoANFoCzz76TKSA31ORo/oUWVGrYxfusZxrFQWjYGRFpSYzmkzPn1RoWmbXyfwPEcisvjenXLNvwcyoontBd7TiiLdukEtya6RfGLRGKc8tfCzbDUWgiYz5IDMFBvKGnewFjB+au0/Ge2+2DTw6M4negjCz343TO/vbyTr5xT/5smmKz7Ouk9SbEo7yEuHkQPQfedGw2PYT82zdXd/Eje3Zq2EB4xcUU7beGrF1zkOdXQ4OVqB8XnkCnuLtNlnJtsffm0rbPDPD3/nhHKpJ8jXrN54V14dSnHW7yOifGMIus0VFMRZcIT7A+BroM9qzJhW3F4gsF1Bwp0CF+6zLLRjgpA0EOyvOwpLIftBZfMIpveAH62MVY0IBfwDdkI1itEOjj9EhTrOGxBx45Cj6Qk3Mk6ncyr15+E+KAmQRxZJrEW8Grk4PyzuxtxYd0n8LSaRUe1eNVUhHkQNpo/zvAPgrzcRnM91EwIoMvlNmwyC63j1h+OBKlXQgChAaB1O6HFXQY=,iv:pnw0jIcMqA771woDYNHxWMWE6wHGaNsXi5aBXOFAHJU=,tag:Wbcqb0FsctZWOS6u5s82mQ==,type:str]
|
||||||
hcloud_exporter-environment: ENC[AES256_GCM,data:5gDTeg4C08BgNxBFtzZ7ma6JiafwF4ly5URAG4WxUTlRaUmF32fmbPdAZmveKiKBA8cc6ewcEIfIVJ7d5tbbqCEX+vbf9nr1fuhN05Z6lfsJNLoATclX,iv:GzEnudGDc6+6BJgDtaNnOnT7IK8Z0fsYfs/oJzKO2UA=,tag:LYCvRxNeKdMmNve0aWswrw==,type:str]
|
hcloud_exporter-environment: ENC[AES256_GCM,data:5gDTeg4C08BgNxBFtzZ7ma6JiafwF4ly5URAG4WxUTlRaUmF32fmbPdAZmveKiKBA8cc6ewcEIfIVJ7d5tbbqCEX+vbf9nr1fuhN05Z6lfsJNLoATclX,iv:GzEnudGDc6+6BJgDtaNnOnT7IK8Z0fsYfs/oJzKO2UA=,tag:LYCvRxNeKdMmNve0aWswrw==,type:str]
|
||||||
invidious-extra-settings: ENC[AES256_GCM,data:bThgfyu5ESIyTLD7Q09Qici9ZZw/QYfCyBSjtbNb1EglCy0KHZrvDDAN4uDpdKrHxv8ctoN5Db7tRf5LUl6iyW7A5z9uYg481EXq3Sx6tZztepX0vg==,iv:FZ33tQWRsNEPjwuy/mH/N4e4PyjLx7sbv2G+9S5uigY=,tag:0GQn3AgoM2BPC5iCt5py8w==,type:str]
|
invidious-extra-settings: ENC[AES256_GCM,data:bThgfyu5ESIyTLD7Q09Qici9ZZw/QYfCyBSjtbNb1EglCy0KHZrvDDAN4uDpdKrHxv8ctoN5Db7tRf5LUl6iyW7A5z9uYg481EXq3Sx6tZztepX0vg==,iv:FZ33tQWRsNEPjwuy/mH/N4e4PyjLx7sbv2G+9S5uigY=,tag:0GQn3AgoM2BPC5iCt5py8w==,type:str]
|
||||||
mastodon-mail: ENC[AES256_GCM,data:RT/fS7cqbcePd2qe7CR5jRh2jtKaS81ICbMUOlPUQsY=,iv:C7GYMB0U2KIfXuEnYaoIEfV89/EnJS6V9iG97X8zkPk=,tag:L4SVe6aYGcarvX1hmMqQOw==,type:str]
|
murmur-superuser: ENC[AES256_GCM,data:hPuMK8wbqD/3qKXQbOActq/VJZ+6jFlddQ==,iv:68ZhkpkfxakCOYxFXkCSP/sBamETeSs4CGTRaoBS6co=,tag:5UuYCxDiJ6e2CXjDV5/5yA==,type:str]
|
||||||
netbox-secret-key: ENC[AES256_GCM,data:lOE95j6CGkbfJQTLeG41g3BPKNhm0arqxIGAzwvXQyeZLBauAdqufQGKD7D4kPNzdZs=,iv:6HWXEr6Ju4IywP+2jpuTfER/bYI2oUgMSZEJCkq4XX8=,tag:TPD5TTr4Sew8lxPS5WIu5Q==,type:str]
|
netbox-secret-key: ENC[AES256_GCM,data:lOE95j6CGkbfJQTLeG41g3BPKNhm0arqxIGAzwvXQyeZLBauAdqufQGKD7D4kPNzdZs=,iv:6HWXEr6Ju4IywP+2jpuTfER/bYI2oUgMSZEJCkq4XX8=,tag:TPD5TTr4Sew8lxPS5WIu5Q==,type:str]
|
||||||
prometheus-htpasswd: ENC[AES256_GCM,data:tiewfUfpvrmbrgk6AsBdiP4ng4TqG5UYf1mFcWOzuk8oO55rfZu+Naummz5RRYhJZil43nHFvn5LfIWkJv+CyPMZjpj7xRp4vb4/OCCAFjEzHhrzYVBYNkHM+ZLUTewEXuPVtZ6CZ5uviTExLN2V1moG3ExJdIoyUD16qh4=,iv:SkH609VxIVKJLmHUUNzICEjxHSyjLdwXfw0b7iU6png=,tag:BfNGcUZmk9ZXUvhoQZn6iQ==,type:str]
|
prometheus-htpasswd: ENC[AES256_GCM,data:tiewfUfpvrmbrgk6AsBdiP4ng4TqG5UYf1mFcWOzuk8oO55rfZu+Naummz5RRYhJZil43nHFvn5LfIWkJv+CyPMZjpj7xRp4vb4/OCCAFjEzHhrzYVBYNkHM+ZLUTewEXuPVtZ6CZ5uviTExLN2V1moG3ExJdIoyUD16qh4=,iv:SkH609VxIVKJLmHUUNzICEjxHSyjLdwXfw0b7iU6png=,tag:BfNGcUZmk9ZXUvhoQZn6iQ==,type:str]
|
||||||
restic-ssh-key: ENC[AES256_GCM,data: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,iv:rLOTtmIFP7rwF9JY9ardO9pNqNh1uaobHKtQaGwSuGk=,tag:pCd4ZV0FjfD18qj9oQ236Q==,type:str]
|
restic-ssh-key: ENC[AES256_GCM,data:9quBzUwv4qylVzESG94wSgzvuodSDM/smPh0j+LYJjXwEN1xksBIW2/Jv0XmF3Q+AWUF/C/lA2jteI3Mf6Pmn7zlqa3H7GwH8Os6/arQI3ywH2dHQLAFxgST2J0AlLGeZcJbntxW0buYw+Rz3q5Jbo+Wo9tQo+2EVvqX320qWBsEwinnahbUhZym3fipyE9g6JxGa3OFGiIn6JAQhst63WgpOfehQsAYu2bdW1gLrgFtURzDQQRQ28RxeD+nMUWRpQcq5GrX2rfSA7sengfQbmP3Ln1atp1YXctTalHsj+n4photBqLz6OfLaFKBqbdKRbinUgVAEarAocEOKk/qf1C6LS8yKjV9Mh/tKeCJQrCI/AccEP5DfMNqdRaWjoQxvjBRKaupPE7Rcuja++K/jm24nP9J8WDcrRSm0tlrVq2JnPHxJv+eUsZoGkvpyOs9AkTG1H2BCckYS5ZG4atjKoBfUvc3CitPNmPZcjSkPrkdRMZbu1BWR+cixFH9rFAUvVIn+e7sWGnqMA8xGXZS,iv:rLOTtmIFP7rwF9JY9ardO9pNqNh1uaobHKtQaGwSuGk=,tag:pCd4ZV0FjfD18qj9oQ236Q==,type:str]
|
||||||
|
@ -16,8 +16,8 @@ sops:
|
||||||
azure_kv: []
|
azure_kv: []
|
||||||
hc_vault: []
|
hc_vault: []
|
||||||
age: []
|
age: []
|
||||||
lastmodified: "2024-06-01T12:03:17Z"
|
lastmodified: "2024-01-10T18:29:17Z"
|
||||||
mac: ENC[AES256_GCM,data:6fJfEtnHSQV7oGZ7HMrXYH1lX8ZzfTChOZC25scDP/q5FH8QZ52OntRuQ8DbR+AKUPN/w6o4EotZVxX53Q2Xxi6QdHSqo07GDsWUnIOb5eCNGmEB3c2w20DJv2smTnEr7d6051aPzEUO0ZxUPxxlqcifC6dsdpdxySyG/VY9OQQ=,iv:KAWFRoOQKRd2tf58QYGD8SnHJk1aLwBxgkcRkPgjuN8=,tag:LJFOJuFblp53Te9zoYKq0Q==,type:str]
|
mac: ENC[AES256_GCM,data:jsYCPL7/AFxg9mRM/mKhwiy4eH6ZGMyCCSBu+jSfIk/T8RSd9zh0AZ/p5rAwfbW20AzetivzRB4bSgcymLIcCr900EQLdPIuaZgxeGcbZ80N/7I0zF4u8K8oa1pKhyr1UUj48XjL55IdvVOsyvfq/I/KSbIbO7+fBHeQ51crCeo=,iv:CNmKwvZ61PdeyOvGP7elm/yvokll//fiKxdWFe2cfPo=,tag:PVQRV0G3VtBsD0tk34DHig==,type:str]
|
||||||
pgp:
|
pgp:
|
||||||
- created_at: "2024-01-22T00:20:10Z"
|
- created_at: "2024-01-22T00:20:10Z"
|
||||||
enc: |-
|
enc: |-
|
||||||
|
|
|
@ -1,32 +0,0 @@
|
||||||
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
|
|
||||||
#
|
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
||||||
|
|
||||||
{ config, lib, ... }:
|
|
||||||
|
|
||||||
{
|
|
||||||
sops.secrets.mastodon-mail = {
|
|
||||||
owner = config.services.mastodon.user;
|
|
||||||
sopsFile = ../secrets.yaml;
|
|
||||||
};
|
|
||||||
|
|
||||||
services.mastodon = {
|
|
||||||
enable = true;
|
|
||||||
configureNginx = true;
|
|
||||||
localDomain = "procrastination.space";
|
|
||||||
smtp = {
|
|
||||||
createLocally = false;
|
|
||||||
host = "vueko.sbruder.de";
|
|
||||||
port = 465;
|
|
||||||
user = "mastodon@sbruder.de";
|
|
||||||
passwordFile = config.sops.secrets.mastodon-mail.path;
|
|
||||||
fromAddress = config.services.mastodon.smtp.user;
|
|
||||||
authenticate = true;
|
|
||||||
};
|
|
||||||
streamingProcesses = 5;
|
|
||||||
extraConfig = {
|
|
||||||
SMTP_TLS = "true";
|
|
||||||
RAILS_LOG_LEVEL = "warn";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -75,7 +75,6 @@ in
|
||||||
"shinobu.vpn.sbruder.de:9100"
|
"shinobu.vpn.sbruder.de:9100"
|
||||||
"nazuna.vpn.sbruder.de:9100"
|
"nazuna.vpn.sbruder.de:9100"
|
||||||
"yuzuru.vpn.sbruder.de:9100"
|
"yuzuru.vpn.sbruder.de:9100"
|
||||||
"koyomi.vpn.sbruder.de:9100"
|
|
||||||
];
|
];
|
||||||
relabel_configs = lib.singleton {
|
relabel_configs = lib.singleton {
|
||||||
target_label = "instance";
|
target_label = "instance";
|
||||||
|
@ -83,22 +82,6 @@ in
|
||||||
regex = "(.*)\\.vpn\\.sbruder\\.de:9100";
|
regex = "(.*)\\.vpn\\.sbruder\\.de:9100";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
{
|
|
||||||
job_name = "smartctl";
|
|
||||||
static_configs = mkStaticTargets [
|
|
||||||
"fuuko.vpn.sbruder.de:9633"
|
|
||||||
"mayushii.vpn.sbruder.de:9633"
|
|
||||||
"nunotaba.vpn.sbruder.de:9633"
|
|
||||||
"hitagi.vpn.sbruder.de:9633"
|
|
||||||
"shinobu.vpn.sbruder.de:9633"
|
|
||||||
"koyomi.vpn.sbruder.de:9633"
|
|
||||||
];
|
|
||||||
relabel_configs = lib.singleton {
|
|
||||||
target_label = "instance";
|
|
||||||
source_labels = lib.singleton "__address__";
|
|
||||||
regex = "(.*)\\.vpn\\.sbruder\\.de:9633";
|
|
||||||
};
|
|
||||||
}
|
|
||||||
{
|
{
|
||||||
job_name = "qbittorrent";
|
job_name = "qbittorrent";
|
||||||
static_configs = mkStaticTargets [
|
static_configs = mkStaticTargets [
|
||||||
|
@ -153,10 +136,8 @@ in
|
||||||
{
|
{
|
||||||
job_name = "knot";
|
job_name = "knot";
|
||||||
static_configs = mkStaticTargets [
|
static_configs = mkStaticTargets [
|
||||||
"vueko.vpn.sbruder.de:9433"
|
|
||||||
"renge.vpn.sbruder.de:9433"
|
|
||||||
"okarin.vpn.sbruder.de:9433"
|
"okarin.vpn.sbruder.de:9433"
|
||||||
"yuzuru.vpn.sbruder.de:9433"
|
"vueko.vpn.sbruder.de:9433"
|
||||||
];
|
];
|
||||||
relabel_configs = lib.singleton {
|
relabel_configs = lib.singleton {
|
||||||
target_label = "instance";
|
target_label = "instance";
|
||||||
|
|
|
@ -3,7 +3,11 @@
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
|
||||||
{ config, pkgs, ... }:
|
{ config, pkgs, ... }:
|
||||||
|
let
|
||||||
|
goneVhost = {
|
||||||
|
locations."~ .*".return = "303 'https://sbruder.xyz/#history'";
|
||||||
|
};
|
||||||
|
in
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
./blocks.nix
|
./blocks.nix
|
||||||
|
@ -54,4 +58,7 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services.nginx.virtualHosts."nitter.sbruder.xyz" = goneVhost;
|
||||||
|
services.nginx.virtualHosts."libreddit.sbruder.xyz" = goneVhost;
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
|
# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
|
||||||
#
|
#
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
|
||||||
|
@ -9,7 +9,6 @@
|
||||||
../../modules
|
../../modules
|
||||||
|
|
||||||
./services/co2_exporter.nix
|
./services/co2_exporter.nix
|
||||||
./services/ntp.nix
|
|
||||||
./services/router
|
./services/router
|
||||||
./services/snmp-exporter.nix
|
./services/snmp-exporter.nix
|
||||||
./services/wordclock-dimmer.nix
|
./services/wordclock-dimmer.nix
|
||||||
|
|
|
@ -1,11 +0,0 @@
|
||||||
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
|
|
||||||
#
|
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
||||||
|
|
||||||
{
|
|
||||||
services.ntp = {
|
|
||||||
enable = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
networking.firewall.allowedUDPPorts = [ 123 ];
|
|
||||||
}
|
|
|
@ -1,4 +1,4 @@
|
||||||
# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
|
# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
|
||||||
#
|
#
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
|
||||||
|
@ -41,16 +41,16 @@ in
|
||||||
cfg.vlan);
|
cfg.vlan);
|
||||||
dhcp-option = lib.flatten (lib.mapAttrsToList
|
dhcp-option = lib.flatten (lib.mapAttrsToList
|
||||||
(name: { subnet, ... }: [
|
(name: { subnet, ... }: [
|
||||||
# Gateway
|
|
||||||
"tag:br-${name},option:router,${subnet.v4.gateway}"
|
"tag:br-${name},option:router,${subnet.v4.gateway}"
|
||||||
"tag:br-${name},option6:dns-server,${subnet.v6.gateway}"
|
"tag:br-${name},option6:dns-server,${subnet.v6.gateway}"
|
||||||
|
|
||||||
# NTP server (runs on gateway)
|
|
||||||
"tag:br-${name},option:ntp-server,${subnet.v4.gateway}"
|
|
||||||
"tag:br-${name},option6:ntp-server,${subnet.v6.gateway}"
|
|
||||||
])
|
])
|
||||||
cfg.vlan);
|
cfg.vlan);
|
||||||
|
|
||||||
|
nftset = [
|
||||||
|
"/pool.ntp.org/4#inet#filter#iot_ntp4"
|
||||||
|
"/pool.ntp.org/6#inet#filter#iot_ntp6" # does not work
|
||||||
|
];
|
||||||
|
|
||||||
server = [
|
server = [
|
||||||
"127.0.0.1#5053"
|
"127.0.0.1#5053"
|
||||||
];
|
];
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
|
# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
|
||||||
#
|
#
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
|
||||||
|
@ -7,6 +7,16 @@ define PHYSICAL_WAN = "enp1s0"
|
||||||
define NAT_WAN_IFACES = { $PHYSICAL_WAN }
|
define NAT_WAN_IFACES = { $PHYSICAL_WAN }
|
||||||
|
|
||||||
table inet filter {
|
table inet filter {
|
||||||
|
# These two sets are dynamically managed by dnsmasq
|
||||||
|
set iot_ntp4 {
|
||||||
|
type ipv4_addr
|
||||||
|
comment "IPv4 addresses of resolved NTP servers"
|
||||||
|
}
|
||||||
|
set iot_ntp6 {
|
||||||
|
type ipv6_addr
|
||||||
|
comment "IPv6 addresses of resolved NTP servers"
|
||||||
|
}
|
||||||
|
|
||||||
chain forward {
|
chain forward {
|
||||||
type filter hook forward priority filter; policy drop
|
type filter hook forward priority filter; policy drop
|
||||||
|
|
||||||
|
@ -21,6 +31,8 @@ table inet filter {
|
||||||
iifname "br-lan" oifname $VLAN_BRIDGES counter accept;
|
iifname "br-lan" oifname $VLAN_BRIDGES counter accept;
|
||||||
iifname $VLAN_BRIDGES oifname "br-lan" ct state established,related counter accept
|
iifname $VLAN_BRIDGES oifname "br-lan" ct state established,related counter accept
|
||||||
|
|
||||||
|
iifname "br-iot" ip daddr @iot_ntp4 udp dport 123 counter accept
|
||||||
|
iifname "br-iot" ip6 daddr @iot_ntp6 udp dport 123 counter accept
|
||||||
iifname $NAT_WAN_IFACES oifname "br-iot" ct state established,related counter accept
|
iifname $NAT_WAN_IFACES oifname "br-iot" ct state established,related counter accept
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
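Review bot: The `iot_ntp4` and `iot_ntp6` sets are declared without any expiry, so every address dnsmasq adds for `pool.ntp.org` stays allowed for `br-iot` on UDP 123 until the ruleset is reloaded. Because the pool rotates through many hosts, the allow-list only grows and ends up far wider than the set comments ("addresses of resolved NTP servers") suggest. Giving both sets a bounded lifetime would contain that, e.g. `flags timeout` and `timeout 1d` inside each `set` block; whether dnsmasq re-adds elements on every re-resolution should be confirmed before choosing the value. The `# does not work` remark on the `/6#inet#filter#iot_ntp6` entry in the dnsmasq hunk suggests the `ip6 daddr @iot_ntp6` rule currently matches nothing, which deserves a comment next to that rule.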
|
@ -11,7 +11,6 @@
|
||||||
|
|
||||||
./services/fuuko-proxy.nix # FIXME!
|
./services/fuuko-proxy.nix # FIXME!
|
||||||
./services/media.nix
|
./services/media.nix
|
||||||
./services/murmur.nix
|
|
||||||
./services/restic.nix
|
./services/restic.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,4 @@
|
||||||
media-sb-proxy-auth: ENC[AES256_GCM,data:TFAS1PXu+jSt/orjYI1ffPbiCMCZgc22tU4coz9eEi7CyEaMvaKuQpgIPwZDBoL3r1yhXd+USya/PjEL9g3SCpuva5EXiJVYjV+mYaTxgrLx,iv:a5da4EuduMVVwEy0p2sz3XuAwdYFt+D9WgOs4oqQg6s=,tag:2BTqxnXIK+sWj/8RXVrYDg==,type:str]
|
media-sb-proxy-auth: ENC[AES256_GCM,data:TFAS1PXu+jSt/orjYI1ffPbiCMCZgc22tU4coz9eEi7CyEaMvaKuQpgIPwZDBoL3r1yhXd+USya/PjEL9g3SCpuva5EXiJVYjV+mYaTxgrLx,iv:a5da4EuduMVVwEy0p2sz3XuAwdYFt+D9WgOs4oqQg6s=,tag:2BTqxnXIK+sWj/8RXVrYDg==,type:str]
|
||||||
murmur-superuser: ENC[AES256_GCM,data:D7EjnKZGSmx8ykVeKqSIAdV4Vql7ZkfEUw==,iv:I8SgiZrlCpyqNeBMJlzttFUJFGqQp5vHu6pMUz/0LoE=,tag:G6QMUh3v2QjxtoXUSoRqcA==,type:str]
|
|
||||||
restic-htpasswd: ENC[AES256_GCM,data:om9v+FXOEsOPP7LVntiwyqEKmiCLCwcmMgWBeHxcrlosYT4cElX3MHlu+NQAI0TPwc0mAog1tJyRcTfqK7uYszIzd75/Ig==,iv:7UBHmyqt/2hW9Aw1oRMZtZdOij5mjGF/8nmr3PAq/EI=,tag:TNcECUAdGtch8/bHbOJeNw==,type:str]
|
restic-htpasswd: ENC[AES256_GCM,data:om9v+FXOEsOPP7LVntiwyqEKmiCLCwcmMgWBeHxcrlosYT4cElX3MHlu+NQAI0TPwc0mAog1tJyRcTfqK7uYszIzd75/Ig==,iv:7UBHmyqt/2hW9Aw1oRMZtZdOij5mjGF/8nmr3PAq/EI=,tag:TNcECUAdGtch8/bHbOJeNw==,type:str]
|
||||||
restic-rclone-ssh-key: ENC[AES256_GCM,data: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,iv:zYgnXzxGU2XJcjeclQT5bX6M1r5WG+Z0pZI7R4qpUU0=,tag:CbBUooyhUCkmKp+N6j4ySw==,type:str]
|
restic-rclone-ssh-key: ENC[AES256_GCM,data:fefY4sVBp786LeUNdLA1CZ83YGZsxP9yvoIx647fVM47jGBfJWcU8PDwbPGfp4ae5aKnuRi/+OpRQHQIuBWa8XH8mWQ0YLs3JzKavmtNqf8mh9hyiEGLSYBbokEkgSPFBxH8CuhNbzrou0cCO7ACXkXnq4Cf0jjkYR2StjsISiJ11nEnle0tchHMFPSho0W7Ph8UZvT6x1naJjBqMrZKepLMCrT4oM3gqgA3R0cvCxQyIY5BHweopDXxuZDVlIiYjG61qt6OKL7O+lt/Kfvd38i6L1CAsloFVQOv4pQwz5b/jNjH+Kg8+tbbksXz2Dm5PU7HBXyav48MqriTqVCeWpmEsbo9j/zEravtNaC/gvpc7v4H/3lqhyY181g2Fxzu3YCjheSwjhtSuLCtXCD4UdW5Ctkb5TDZrMY+NAQdeXqgCawYggN05x6s+UdSitXXHLBjvyIV5ES/7p43zjWDnddAsFQEgILffQRobA9y8VZ+Igj7wo+HJLdNnmJtcqL/j6CM4MOT4hvj1CLhhBdr,iv:zYgnXzxGU2XJcjeclQT5bX6M1r5WG+Z0pZI7R4qpUU0=,tag:CbBUooyhUCkmKp+N6j4ySw==,type:str]
|
||||||
rspamd-worker-controller: ENC[AES256_GCM,data:STf4vgVsYu6+WfpISKC0L69ixlM+cOiefO4qvHY2gYbV9FirRGxlUIRkmPwk+I6gYxKSC6D8ZTO3Bi2drEuWd8Yhuwjj9Rc1ja7b5UxaT5Q591Iof8S5RbXZKvaWMAQXVeAz4qkBaA==,iv:RzB3EHnzybbYO9E95ianu/Yl+chH7IPomvWG89mIGYU=,tag:yFSx97r/vkf3gVhIxMwcNw==,type:str]
|
rspamd-worker-controller: ENC[AES256_GCM,data:STf4vgVsYu6+WfpISKC0L69ixlM+cOiefO4qvHY2gYbV9FirRGxlUIRkmPwk+I6gYxKSC6D8ZTO3Bi2drEuWd8Yhuwjj9Rc1ja7b5UxaT5Q591Iof8S5RbXZKvaWMAQXVeAz4qkBaA==,iv:RzB3EHnzybbYO9E95ianu/Yl+chH7IPomvWG89mIGYU=,tag:yFSx97r/vkf3gVhIxMwcNw==,type:str]
|
||||||
|
@ -11,8 +10,8 @@ sops:
|
||||||
azure_kv: []
|
azure_kv: []
|
||||||
hc_vault: []
|
hc_vault: []
|
||||||
age: []
|
age: []
|
||||||
lastmodified: "2024-06-01T12:03:28Z"
|
lastmodified: "2023-04-29T10:17:21Z"
|
||||||
mac: ENC[AES256_GCM,data:KFlisFD6k06XqF6SoQTaMNFpIPYtOgHDFArQueGBcTgjfxzdaxA8AVH1ZBeyFeEFlf4EFfduYcfnqAaGWScOvVW+jVhN/InsNkGf7alPyJ2ifzUD9yhe2/gcOF+eZqPvbTfXsdyfyqkbK7kkRyoYC61T3KPnPzTWqDk/3Chm4k8=,iv:lUbhG5/o5iepukcXHs2FYfue04EJdAbfhX1N0e1C9eA=,tag:EvPEDPoRiLXzbWeHAjTMoQ==,type:str]
|
mac: ENC[AES256_GCM,data:UfLbX+4uDg9Kp8v9lnq9RktT4ltpJYwOHBBPRhO79a1AmLXkp6GilaoMJYjkj0foL92vTUK10wIw547omySwJeY52pTGAvw1IXVaxNp395KLlMPl3EwLS3xj4c0bhzcVEyFl/fxG2gk6BJOzvQXaMYo4COEzDdK6ZDGZKZVKEAM=,iv:mR9Nq+s7wHeZdP6/gW9+zJd/wa1Y4Q5saACwnMOFOZQ=,tag:yYYF8/mKnbxzmPa6nWIGbA==,type:str]
|
||||||
pgp:
|
pgp:
|
||||||
- created_at: "2024-01-22T00:20:08Z"
|
- created_at: "2024-01-22T00:20:08Z"
|
||||||
enc: |-
|
enc: |-
|
||||||
|
@ -83,4 +82,4 @@ sops:
|
||||||
-----END PGP MESSAGE-----
|
-----END PGP MESSAGE-----
|
||||||
fp: 4EA330328CD0D3076E90960194DFA4953D8729DE
|
fp: 4EA330328CD0D3076E90960194DFA4953D8729DE
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.8.1
|
version: 3.7.3
|
||||||
|
|
Binary file not shown.
|
@ -1,9 +1,7 @@
|
||||||
# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
|
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
|
||||||
#
|
#
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
|
||||||
{ config, ... }:
|
|
||||||
|
|
||||||
{
|
{
|
||||||
services.nginx.virtualHosts = {
|
services.nginx.virtualHosts = {
|
||||||
"brennende.autos" = {
|
"brennende.autos" = {
|
||||||
|
@ -21,34 +19,9 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
sbruder.static-webserver.vhosts = {
|
sbruder.static-webserver.vhosts = {
|
||||||
"arbeitskampf.work".user = {
|
|
||||||
name = "arbeitskampf";
|
|
||||||
};
|
|
||||||
|
|
||||||
"maggus.bayern".user = {
|
|
||||||
name = "maggus";
|
|
||||||
keys = [
|
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAWGXaMijpnm3RSH/PIVxkBRDIi1f5nMW/aS26g3b71M nils"
|
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEF8o2ezSEXwWoAcdoeJs+wsZM/u8x+vtRNU3FXOMIT nils"
|
|
||||||
] ++ config.sbruder.pubkeys.trustedKeys;
|
|
||||||
};
|
|
||||||
|
|
||||||
"psycho-power-papagei.de" = {
|
"psycho-power-papagei.de" = {
|
||||||
user.name = "papagei";
|
user.name = "papagei";
|
||||||
imprint.enable = true;
|
imprint.enable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
"salespointframework.org" = {
|
|
||||||
redirects = [
|
|
||||||
"www.salespointframework.org"
|
|
||||||
"salespointframe.work"
|
|
||||||
"www.salespointframe.work"
|
|
||||||
"verkaufspunktrahmenwerk.de"
|
|
||||||
"www.verkaufspunktrahmenwerk.de"
|
|
||||||
"verkaufspuntrahmenwerk.de"
|
|
||||||
"www.verkaufspuntrahmenwerk.de"
|
|
||||||
];
|
|
||||||
user.name = "salespoint";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
|
# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
|
||||||
#
|
#
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
|
||||||
|
@ -7,16 +7,14 @@ let
|
||||||
cfg = config.sbruder.knot;
|
cfg = config.sbruder.knot;
|
||||||
|
|
||||||
primaryHost = "vueko";
|
primaryHost = "vueko";
|
||||||
secondaryHosts = [ "renge" "okarin" "yuzuru" ];
|
secondaryHosts = [ "okarin" ];
|
||||||
|
|
||||||
isPrimaryHost = config.networking.hostName == primaryHost;
|
isPrimaryHost = config.networking.hostName == primaryHost;
|
||||||
isSecondaryHost = lib.elem config.networking.hostName secondaryHosts;
|
isSecondaryHost = lib.elem config.networking.hostName secondaryHosts;
|
||||||
|
|
||||||
addresses = {
|
addresses = {
|
||||||
vueko = [ "168.119.176.53" "2a01:4f8:c012:2f4::1" ];
|
vueko = [ "168.119.176.53" "2a01:4f8:c012:2f4::1" ];
|
||||||
renge = [ "152.53.13.113" "2a03:4000:6b:d2::1" ];
|
okarin = [ "82.165.242.252" "2001:8d8:1800:8627::1" ];
|
||||||
okarin = [ "85.215.165.213" "2a01:239:24b:1c00::1" ];
|
|
||||||
yuzuru = [ "85.215.73.203" "2a02:247a:272:1600::1" ];
|
|
||||||
};
|
};
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
@ -67,7 +65,12 @@ in
|
||||||
id = host;
|
id = host;
|
||||||
address = hostAddresses;
|
address = hostAddresses;
|
||||||
})
|
})
|
||||||
addresses);
|
addresses) ++ lib.optional isPrimaryHost {
|
||||||
|
id = "inwx";
|
||||||
|
# INWX only allows the specification of one primary DNS,
|
||||||
|
# which limits the IP protocol usable for zone transfers to one.
|
||||||
|
address = lib.singleton "185.181.104.96";
|
||||||
|
};
|
||||||
}
|
}
|
||||||
(lib.mkIf isPrimaryHost {
|
(lib.mkIf isPrimaryHost {
|
||||||
policy = lib.singleton {
|
policy = lib.singleton {
|
||||||
|
@ -85,7 +88,7 @@ in
|
||||||
zonefile-load = "difference-no-serial";
|
zonefile-load = "difference-no-serial";
|
||||||
journal-content = "all";
|
journal-content = "all";
|
||||||
# secondary
|
# secondary
|
||||||
notify = secondaryHosts;
|
notify = [ "inwx" ] ++ secondaryHosts;
|
||||||
# dnssec
|
# dnssec
|
||||||
dnssec-signing = true;
|
dnssec-signing = true;
|
||||||
dnssec-policy = "default";
|
dnssec-policy = "default";
|
||||||
|
|
|
@ -33,8 +33,8 @@
|
||||||
./ausweisapp.nix
|
./ausweisapp.nix
|
||||||
./authoritative-dns.nix
|
./authoritative-dns.nix
|
||||||
./cups.nix
|
./cups.nix
|
||||||
|
./docker.nix
|
||||||
./fancontrol.nix
|
./fancontrol.nix
|
||||||
./flatpak.nix
|
|
||||||
./fonts.nix
|
./fonts.nix
|
||||||
./games.nix
|
./games.nix
|
||||||
./grub.nix
|
./grub.nix
|
||||||
|
@ -54,9 +54,7 @@
|
||||||
./nix.nix
|
./nix.nix
|
||||||
./office.nix
|
./office.nix
|
||||||
./pipewire.nix
|
./pipewire.nix
|
||||||
./podman.nix
|
|
||||||
./prometheus/node_exporter.nix
|
./prometheus/node_exporter.nix
|
||||||
./prometheus/smartctl_exporter.nix
|
|
||||||
./pubkeys.nix
|
./pubkeys.nix
|
||||||
./qbittorrent
|
./qbittorrent
|
||||||
./restic
|
./restic
|
||||||
|
@ -69,7 +67,6 @@
|
||||||
./udev.nix
|
./udev.nix
|
||||||
./unfree.nix
|
./unfree.nix
|
||||||
./wireguard
|
./wireguard
|
||||||
./wkd
|
|
||||||
];
|
];
|
||||||
|
|
||||||
config = lib.mkMerge [
|
config = lib.mkMerge [
|
||||||
|
@ -81,11 +78,9 @@
|
||||||
git-lfs # not so essential, but required to clone config
|
git-lfs # not so essential, but required to clone config
|
||||||
htop
|
htop
|
||||||
tmux
|
tmux
|
||||||
|
vim
|
||||||
];
|
];
|
||||||
|
|
||||||
programs.nano.enable = false;
|
|
||||||
programs.vim.defaultEditor = true;
|
|
||||||
|
|
||||||
# Clean temporary files on boot
|
# Clean temporary files on boot
|
||||||
boot.tmp.cleanOnBoot = true;
|
boot.tmp.cleanOnBoot = true;
|
||||||
|
|
||||||
|
@ -113,8 +108,6 @@
|
||||||
# Support for exotic file systems
|
# Support for exotic file systems
|
||||||
boot.supportedFilesystems = lib.optional config.sbruder.full "ntfs";
|
boot.supportedFilesystems = lib.optional config.sbruder.full "ntfs";
|
||||||
|
|
||||||
programs.ssh.startAgent = lib.mkDefault (!config.sbruder.gui.enable);
|
|
||||||
|
|
||||||
# When this is set to true (default), routing everything through a
|
# When this is set to true (default), routing everything through a
|
||||||
# wireguard tunnel does not work.
|
# wireguard tunnel does not work.
|
||||||
networking.firewall.checkReversePath = false;
|
networking.firewall.checkReversePath = false;
|
||||||
|
@ -166,21 +159,11 @@
|
||||||
(lib.mkIf (!config.sbruder.machine.isVm) {
|
(lib.mkIf (!config.sbruder.machine.isVm) {
|
||||||
# Hard drive monitoring
|
# Hard drive monitoring
|
||||||
services.smartd.enable = lib.mkDefault true;
|
services.smartd.enable = lib.mkDefault true;
|
||||||
# Firmware updates (only work on EFI systems, so enable only when using systemd-boot)
|
# Firmware updates
|
||||||
services.fwupd.enable = lib.mkDefault (config.boot.loader.systemd-boot.enable);
|
services.fwupd.enable = lib.mkDefault true;
|
||||||
})
|
})
|
||||||
(lib.mkIf (!config.sbruder.full) {
|
(lib.mkIf (!config.sbruder.full) {
|
||||||
documentation.enable = lib.mkDefault false;
|
documentation.enable = lib.mkDefault false;
|
||||||
})
|
})
|
||||||
(lib.mkIf (config.services.resolved.enable) {
|
|
||||||
# With NixOS’s default database order for hosts,
|
|
||||||
# resolving the FQDN with hostname -f always returns “localhost”
|
|
||||||
# when resolved is enabled.
|
|
||||||
# This changes the priority of the files database,
|
|
||||||
# which fixes this.
|
|
||||||
# This workaround was taken from
|
|
||||||
# https://github.com/NixOS/nixpkgs/issues/132646#issuecomment-1782684381
|
|
||||||
system.nssDatabases.hosts = lib.mkOrder 500 [ "files" ];
|
|
||||||
})
|
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
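--- a/modules/docker.nix
+++ b/modules/docker.nix
@@ -0,0 +1,47 @@
+# SPDX-FileCopyrightText: 2020-2021 Simon Bruder <simon@sbruder.de>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+{ config, lib, pkgs, ... }:
+
+{
+# This uses a custom option (instead of `virtualisation.docker.enable`) since
+# `virtualisation.oci-containers` conditionally sets
+# `virtualisation.docker.enable` and therefore causes an infinite recursion.
+options.sbruder.docker.enable = lib.mkEnableOption "docker with ipv6nat";
+
+config = lib.mkIf config.sbruder.docker.enable {
+environment.systemPackages = with pkgs; [
+docker-compose
+docker-credential-helpers
+docker-ls
+];
+
+virtualisation = {
+docker = {
+enable = true;
+logDriver = "journald";
+extraOptions = lib.concatStringsSep " " [
+"--ipv6"
+"--fixed-cidr-v6=fd00:d0ce:d0ce:d0ce::/64"
+];
+};
+
+oci-containers.containers.ipv6nat = {
+image = "robbertkl/ipv6nat";
+volumes = [
+"/var/run/docker.sock:/var/run/docker.sock:ro"
+];
+extraOptions = [
+"--network=host"
+"--cap-drop=ALL"
+"--cap-add=NET_ADMIN"
+"--cap-add=NET_RAW"
+"--cap-add=SYS_MODULE"
+];
+};
+};
+
+environment.etc."modules-load.d/ipv6nat.conf".text = "ip6_tables\n";
+};
+}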
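Review bot: The `ipv6nat` container pulls `robbertkl/ipv6nat` with no tag or digest while it is handed the Docker socket, host networking and `NET_ADMIN`/`NET_RAW`/`SYS_MODULE`, so whatever the registry serves under that name runs with what amounts to root on the host. Pinning the image removes that moving part, e.g. `image = "robbertkl/ipv6nat@sha256:<digest-placeholder>";`. The `:ro` on the socket mount only makes the bind mount itself read-only and does not limit which Docker API calls can be made through the socket; a comment next to the `volumes` entry should say so. Since `modules-load.d/ipv6nat.conf` already loads `ip6_tables` at boot, `--cap-add=SYS_MODULE` looks droppable, though that needs testing against the image.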
|
@ -1,19 +0,0 @@
|
||||||
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
|
|
||||||
#
|
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
||||||
#
|
|
||||||
# Flatpak is only used for programs that are not easily installable natively.
|
|
||||||
# They should always be confined as much as possible using Flatseal.
|
|
||||||
#
|
|
||||||
# To make Flatpak work with Flathub,
|
|
||||||
# the following command must be run imperatively:
|
|
||||||
#
|
|
||||||
# flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
|
|
||||||
#
|
|
||||||
# The full guide is available on https://flathub.org/setup/NixOS,
|
|
||||||
# though the restart step is not necessary.
|
|
||||||
{ config, lib, ... }:
|
|
||||||
|
|
||||||
lib.mkIf config.sbruder.gui.enable {
|
|
||||||
services.flatpak.enable = true;
|
|
||||||
}
|
|
|
@ -1,4 +1,4 @@
|
||||||
# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
|
# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
|
||||||
#
|
#
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
|
||||||
|
@ -95,7 +95,6 @@ lib.mkIf cfg.enable {
|
||||||
smtpd_tls_protocols = "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1";
|
smtpd_tls_protocols = "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1";
|
||||||
smtpd_tls_mandatory_ciphers = "medium";
|
smtpd_tls_mandatory_ciphers = "medium";
|
||||||
smtpd_tls_loglevel = "1";
|
smtpd_tls_loglevel = "1";
|
||||||
smtpd_tls_received_header = "yes"; # add TLS connection details to Received header
|
|
||||||
|
|
||||||
tls_medium_cipherlist = listToString [
|
tls_medium_cipherlist = listToString [
|
||||||
"ECDHE-ECDSA-AES128-GCM-SHA256"
|
"ECDHE-ECDSA-AES128-GCM-SHA256"
|
||||||
|
@ -141,7 +140,6 @@ lib.mkIf cfg.enable {
|
||||||
# Postscreen
|
# Postscreen
|
||||||
smtpd = {
|
smtpd = {
|
||||||
type = "pass";
|
type = "pass";
|
||||||
args = [ "-o" "smtpd_discard_ehlo_keywords=silent-discard,dsn" ];
|
|
||||||
};
|
};
|
||||||
smtp_inet = {
|
smtp_inet = {
|
||||||
# Partially overrides upstream
|
# Partially overrides upstream
|
||||||
|
|
|
@ -1,29 +0,0 @@
|
||||||
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
|
|
||||||
#
|
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
||||||
|
|
||||||
{ config, lib, pkgs, ... }:
|
|
||||||
|
|
||||||
{
|
|
||||||
options.sbruder.podman.enable = lib.mkEnableOption "podman";
|
|
||||||
|
|
||||||
config = lib.mkIf config.sbruder.podman.enable {
|
|
||||||
boot.enableContainers = false; # FIXME: this only needs to be set for some stateVersions
|
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
|
||||||
buildah
|
|
||||||
podman-compose
|
|
||||||
skopeo
|
|
||||||
];
|
|
||||||
|
|
||||||
virtualisation = {
|
|
||||||
podman = {
|
|
||||||
enable = true;
|
|
||||||
dockerSocket.enable = true;
|
|
||||||
defaultNetwork.settings = {
|
|
||||||
ipv6_enabled = true;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -8,10 +8,7 @@
|
||||||
enable = config.sbruder.wireguard.home.enable;
|
enable = config.sbruder.wireguard.home.enable;
|
||||||
listenAddress = config.sbruder.wireguard.home.address;
|
listenAddress = config.sbruder.wireguard.home.address;
|
||||||
enabledCollectors = [ "systemd" ];
|
enabledCollectors = [ "systemd" ];
|
||||||
disabledCollectors = [
|
disabledCollectors = [ "rapl" ];
|
||||||
"arp.netlink" # https://github.com/prometheus/node_exporter/issues/2849
|
|
||||||
"rapl"
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.prometheus-node-exporter.after = [ "wireguard-wg-home.service" ];
|
systemd.services.prometheus-node-exporter.after = [ "wireguard-wg-home.service" ];
|
||||||
|
|
|
@ -1,22 +0,0 @@
|
||||||
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
|
|
||||||
#
|
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
||||||
|
|
||||||
{ config, lib, ... }:
|
|
||||||
|
|
||||||
{
|
|
||||||
services.prometheus.exporters.smartctl = {
|
|
||||||
enable = config.sbruder.wireguard.home.enable && !config.sbruder.machine.isVm;
|
|
||||||
listenAddress = config.sbruder.wireguard.home.address;
|
|
||||||
# devices need to be specified for all systems that use NVMe
|
|
||||||
# https://github.com/NixOS/nixpkgs/issues/210041
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services.prometheus-smartctl-exporter = {
|
|
||||||
after = [ "wireguard-wg-home.service" ];
|
|
||||||
serviceConfig = {
|
|
||||||
IPAddressAllow = lib.singleton config.sbruder.wireguard.home.subnet;
|
|
||||||
IPAddressDeny = "any";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,4 +1,4 @@
|
||||||
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
|
# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
|
||||||
#
|
#
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
|
||||||
|
@ -28,8 +28,6 @@ let
|
||||||
"/home/*/mounts"
|
"/home/*/mounts"
|
||||||
|
|
||||||
# Docker (state should be kept somewhere else)
|
# Docker (state should be kept somewhere else)
|
||||||
"/home/*/.local/share/containers" # podman
|
|
||||||
"/var/lib/containers/"
|
|
||||||
"/var/lib/docker/"
|
"/var/lib/docker/"
|
||||||
|
|
||||||
# Static configuration (generated from this repository)
|
# Static configuration (generated from this repository)
|
||||||
|
|
|
@ -60,12 +60,12 @@
|
||||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHUEVBJcEibRdQzp0bDXpPqLGQ8vtQTKTcpGZU07W4eo";
|
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHUEVBJcEibRdQzp0bDXpPqLGQ8vtQTKTcpGZU07W4eo";
|
||||||
};
|
};
|
||||||
okarin = {
|
okarin = {
|
||||||
hostNames = [ "okarin" "okarin.sbruder.de" "okarin.vpn.sbruder.de" ];
|
hostNames = [ "okarin" "okarin.sbruder.xyz" "okarin.vpn.sbruder.de" ];
|
||||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJvRAiEAV0Oulii0w3xcHCb0/oHqpA0hz3bn//BQnR8T";
|
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOaev8K5KhRovW75IdZ0HYlzvxxo0haeCM0xCVEOuDSa";
|
||||||
};
|
};
|
||||||
okarin-initrd = {
|
okarin-initrd = {
|
||||||
hostNames = [ "[okarin.sbruder.de]:2222" ];
|
hostNames = [ "[okarin.sbruder.de]:2222" ];
|
||||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKOV+azRrT1zICmDe9D7bm3pOaFzaT+cVXCvxgY1bAbP";
|
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINJbp0kZJEXf1gSVcBsef1Bihd5iCzhzSbjgyrC1SXXT";
|
||||||
};
|
};
|
||||||
shinobu = {
|
shinobu = {
|
||||||
hostNames = [ "shinobu" "shinobu.lan.shinonome-lab.de" "shinobu.vpn.sbruder.de" ];
|
hostNames = [ "shinobu" "shinobu.lan.shinonome-lab.de" "shinobu.vpn.sbruder.de" ];
|
||||||
|
@ -87,13 +87,5 @@
|
||||||
hostNames = [ "[yuzuru.sbruder.de]:2222" ];
|
hostNames = [ "[yuzuru.sbruder.de]:2222" ];
|
||||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcvbbHSK7x9t0Jpr4L55RTC4WRNJIgKZ1B+99PhpSX8";
|
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcvbbHSK7x9t0Jpr4L55RTC4WRNJIgKZ1B+99PhpSX8";
|
||||||
};
|
};
|
||||||
koyomi = {
|
|
||||||
hostNames = [ "koyomi" "koyomi.sbruder.de" "koyomi.vpn.sbruder.de" ];
|
|
||||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAZVoGK0JNltzqVWN9dejWMkedfzcipTv6iX52HTHaVz";
|
|
||||||
};
|
|
||||||
koyomi-initrd = {
|
|
||||||
hostNames = [ "[koyomi.sbruder.de]:2222" ];
|
|
||||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPQuXX9EJXcz7wkG/yDxrZVODaitAQ1lfGzedNrYKhI";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
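Review bot: The new `okarin` entry pins its key for `okarin.sbruder.xyz`, while `okarin-initrd` directly below still names `[okarin.sbruder.de]:2222`, so the two entries for the same machine point at different domains. If the host answers under only one of them, the other entry never matches, and a connection to the unlisted name falls back to the client's handling of unknown hosts instead of the pinned key. Both public keys are replaced in the same change, so a short comment such as `# keys rotated <date>: <reason>` would let a reader tell a planned rotation from an unexpected one. The surrounding attribute set starts and ends outside the two hunks.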
|
@ -1,4 +1,4 @@
|
||||||
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
|
# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
|
||||||
#
|
#
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
|
||||||
|
@ -48,10 +48,9 @@
|
||||||
dmidecode # hardware information
|
dmidecode # hardware information
|
||||||
hdparm # hard drive management
|
hdparm # hard drive management
|
||||||
lm_sensors # temperature sensors
|
lm_sensors # temperature sensors
|
||||||
nvme-cli # NVMe management
|
|
||||||
parted # partition manager
|
parted # partition manager
|
||||||
pciutils # lspci
|
pciutils # lspci
|
||||||
(reptyr.overrideAttrs (o: o // { doCheck = false; })) # move process to current terminal # tests fail on qemu-user-aarch64 (TODO 24.05: remove)
|
reptyr # move process to current terminal
|
||||||
smartmontools # hard drive monitoring
|
smartmontools # hard drive monitoring
|
||||||
tcpdump # package inspector
|
tcpdump # package inspector
|
||||||
tio # serial console
|
tio # serial console
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
|
# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
|
||||||
#
|
#
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
|
||||||
|
@ -41,6 +41,9 @@ in
|
||||||
|
|
||||||
# games (okay if they run sandboxed)
|
# games (okay if they run sandboxed)
|
||||||
"osu-lazer" # also is free except for one dependency
|
"osu-lazer" # also is free except for one dependency
|
||||||
|
"steam"
|
||||||
|
"steam-original"
|
||||||
|
"steam-runtime"
|
||||||
]
|
]
|
||||||
));
|
));
|
||||||
};
|
};
|
||||||
|
|
|
@ -33,8 +33,8 @@ let
|
||||||
publicKey = "LscDAJR0IjOzNuwX3geYgcvxyvaNhAOc/ojgvGyunT8=";
|
publicKey = "LscDAJR0IjOzNuwX3geYgcvxyvaNhAOc/ojgvGyunT8=";
|
||||||
};
|
};
|
||||||
okarin = {
|
okarin = {
|
||||||
address = "10.80.0.14";
|
address = "10.80.0.10";
|
||||||
publicKey = "QOxkngtrkuXVMZyqWeGKh2ozn3x7GJsxwrlKje7jDmA=";
|
publicKey = "KjDdTOVZ9RadDrNjJ11BWsY8SNBmDbuNoKm72wh9uCk=";
|
||||||
};
|
};
|
||||||
shinobu = {
|
shinobu = {
|
||||||
address = "10.80.0.12";
|
address = "10.80.0.12";
|
||||||
|
@ -48,10 +48,6 @@ let
|
||||||
address = "10.80.0.16";
|
address = "10.80.0.16";
|
||||||
publicKey = "sRTAhbGVfxLqYaWr6uwnPJPphu6Cikpj2aXwNrhV5DU=";
|
publicKey = "sRTAhbGVfxLqYaWr6uwnPJPphu6Cikpj2aXwNrhV5DU=";
|
||||||
};
|
};
|
||||||
koyomi = {
|
|
||||||
address = "10.80.0.17";
|
|
||||||
publicKey = "fvQDGqmkcFUvfUFmkSagJZy6pGIP6ewZrzTQfaz+mmE=";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
cfg = config.sbruder.wireguard.home;
|
cfg = config.sbruder.wireguard.home;
|
||||||
|
|
|
@ -1,49 +0,0 @@
|
||||||
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
|
|
||||||
#
|
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
||||||
|
|
||||||
{ config, lib, ... }:
|
|
||||||
let
|
|
||||||
cfg = config.sbruder.wkd;
|
|
||||||
|
|
||||||
toFqdn = domain: "openpgpkey.${domain}";
|
|
||||||
in
|
|
||||||
{
|
|
||||||
options.sbruder.wkd = {
|
|
||||||
enable = lib.mkEnableOption "Web Key Directory";
|
|
||||||
domain = lib.mkOption {
|
|
||||||
type = lib.types.str;
|
|
||||||
description = "The main domain to listen on. The actual fqdn will be openpgpkey.<domain>.";
|
|
||||||
default = "sbruder.de";
|
|
||||||
};
|
|
||||||
domains = lib.mkOption {
|
|
||||||
type = lib.types.listOf lib.types.str;
|
|
||||||
description = "Additional domains to serve.";
|
|
||||||
default = [ ];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
config = lib.mkIf cfg.enable {
|
|
||||||
sbruder.static-webserver.vhosts."${toFqdn cfg.domain}" = {
|
|
||||||
redirects = map toFqdn cfg.domains;
|
|
||||||
user.name = "wkd";
|
|
||||||
};
|
|
||||||
|
|
||||||
services.nginx.virtualHosts."${toFqdn cfg.domain}" = {
|
|
||||||
locations."^~ /.well-known/openpgpkey" =
|
|
||||||
let
|
|
||||||
# workaround for nginx dropping parent headers
|
|
||||||
# see https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md
|
|
||||||
parentHeaders = lib.concatStringsSep "\n" (lib.filter
|
|
||||||
(lib.hasPrefix "add_header ")
|
|
||||||
(lib.splitString "\n" config.services.nginx.commonHttpConfig));
|
|
||||||
in
|
|
||||||
{
|
|
||||||
extraConfig = ''
|
|
||||||
${parentHeaders}
|
|
||||||
add_header Access-Control-Allow-Origin * always;
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,4 +1,4 @@
|
||||||
# SPDX-FileCopyrightText: 2022-2024 Simon Bruder <simon@sbruder.de>
|
# SPDX-FileCopyrightText: 2022-2023 Simon Bruder <simon@sbruder.de>
|
||||||
#
|
#
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
|
||||||
|
@ -19,7 +19,7 @@ buildGoModule rec {
|
||||||
|
|
||||||
vendorHash = "sha256-CMo6FBzw0/OMKEX12oNqhbF/0dRRFR6W3VRp+EU6Q68=";
|
vendorHash = "sha256-CMo6FBzw0/OMKEX12oNqhbF/0dRRFR6W3VRp+EU6Q68=";
|
||||||
|
|
||||||
doCheck = false; # no tests
|
oCheck = false; # no tests
|
||||||
|
|
||||||
meta = with lib; {
|
meta = with lib; {
|
||||||
license = licenses.mit;
|
license = licenses.mit;
|
||||||
|
|
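Review bot: `oCheck = false; # no tests` on the new side has lost its leading `d`, so it no longer sets `doCheck`. The builder would most likely run its default check phase, and `oCheck` would be passed through as an unused derivation attribute. The line should read `doCheck = false; # no tests`. The enclosing `buildGoModule rec { … }` call starts and ends outside the hunk.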
|
@ -25,23 +25,15 @@ SPDX-License-Identifier: CC-BY-SA-4.0
|
||||||
<td><a id="matrix" href="#">(requires javascript)</a></td>
|
<td><a id="matrix" href="#">(requires javascript)</a></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>Fediverse</td>
|
<td>GitHub</td>
|
||||||
<td><a rel="me" href="https://procrastination.space/@simon">@simon@procrastination.space</a></td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>Codeberg</td>
|
|
||||||
<td><a href="https://codeberg.org/sbruder">sbruder</a></td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>(GitHub)</td>
|
|
||||||
<td><a href="https://github.com/sbruder">sbruder</a></td>
|
<td><a href="https://github.com/sbruder">sbruder</a></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>(GitLab)</td>
|
<td>GitLab</td>
|
||||||
<td><a href="https://gitlab.com/sbruder">sbruder</a></td>
|
<td><a href="https://gitlab.com/sbruder">sbruder</a></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>Forgejo</td>
|
<td>Gitea</td>
|
||||||
<td><a href="https://git.sbruder.de/simon">git.sbruder.de</a></td>
|
<td><a href="https://git.sbruder.de/simon">git.sbruder.de</a></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
|
|
|
@ -61,6 +61,15 @@ def get_color_for_time(time: datetime.time, base=(60, 60, 60)) -> (int, int, int
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
def update(client: mqtt.Client):
|
||||||
|
time = datetime.datetime.now().time()
|
||||||
|
color = get_color_for_time(time)
|
||||||
|
print(f"{time}: setting color to {color}")
|
||||||
|
sys.stdout.flush()
|
||||||
|
set_color(client, *color)
|
||||||
|
pass
|
||||||
|
|
||||||
|
|
||||||
client = mqtt.Client("wordclock.py")
|
client = mqtt.Client("wordclock.py")
|
||||||
|
|
||||||
user = os.environ["WORDCLOCK_MQTT_USER"]
|
user = os.environ["WORDCLOCK_MQTT_USER"]
|
||||||
|
@ -74,15 +83,6 @@ host = os.environ["WORDCLOCK_MQTT_HOST"]
|
||||||
client.username_pw_set(user, password)
|
client.username_pw_set(user, password)
|
||||||
client.connect(host, 1883, 60)
|
client.connect(host, 1883, 60)
|
||||||
|
|
||||||
color = (0, 0, 0)
|
|
||||||
|
|
||||||
while True:
|
while True:
|
||||||
time = datetime.datetime.now().time()
|
update(client)
|
||||||
new_color = get_color_for_time(time)
|
|
||||||
if new_color != color:
|
|
||||||
color = new_color
|
|
||||||
print(f"setting color to {color}")
|
|
||||||
sys.stdout.flush()
|
|
||||||
set_color(client, *color)
|
|
||||||
|
|
||||||
sleep(300)
|
sleep(300)
|
||||||
|
|
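Review bot: `client.connect(host, 1883, 60)` sends the credentials from `username_pw_set(user, password)` over unencrypted MQTT, so anyone on the path to the broker can read them. Unless the broker is only reachable over a trusted link, call `client.tls_set()` before connecting and use the broker's TLS port (conventionally 8883). In the added `update()` the trailing `pass` is dead code and can be dropped, and the function would benefit from a docstring such as `"""Compute the color for the current time and send it via set_color."""`. The loop now calls `set_color` every 300 seconds even when the color has not changed, which may be deliberate but deserves a one-line comment.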
|
@ -1,41 +1,98 @@
|
||||||
# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
|
# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
|
||||||
#
|
#
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
#
|
|
||||||
# Steam is installed as a flatpak,
|
|
||||||
# as this seems to be the only method that does not force me
|
|
||||||
# to spend hours debugging various issues with the client.
|
|
||||||
#
|
|
||||||
# Installation instructions for steam:
|
|
||||||
#
|
|
||||||
# 1. Run flatpak install flathub com.valvesoftware.Steam
|
|
||||||
# 2. Use Flatseal to revoke all filesystem permissions,
|
|
||||||
# development syscalls
|
|
||||||
# and bluetooth.
|
|
||||||
# 3. Add GDK_SCALE=2 as an environment variable (hack for sway’s Xwayland)
|
|
||||||
# 4. If you previously used steam-sandbox,
|
|
||||||
# you need to copy the files to the flatpak location.
|
|
||||||
# For this, start steam once (you can close it early),
|
|
||||||
# so it creates the new structure.
|
|
||||||
# Then, run the following commands:
|
|
||||||
# rm -rf ~/.var/app/com.valvesoftware.Steam/.local/share/Steam
|
|
||||||
# mv ~/.local/share/steam-sandbox/.local/share/Steam ~/.var/app/com.valvesoftware.Steam/.local/share/
|
|
||||||
# You might want to copy additional files of games,
|
|
||||||
# that do not store files inside of Steam’s directories.
|
|
||||||
# Afterwards, you can delete ~/.local/share/steam-sandbox
|
|
||||||
#
|
|
||||||
# For MangoHud, the following steps are also necessary:
|
|
||||||
# 1. Run flatpak install org.freedesktop.Platform.VulkanLayer.MangoHud
|
|
||||||
# 2. Add xdg-config/MangoHud:ro as filesystem mount to Steam in Flatseal
|
|
||||||
# 4. For Intel Arc systems,
|
|
||||||
# add /run/wrappers/bin/intel_gpu_top:ro as filiesystem mount
|
|
||||||
# and /run/wrappers/bin to the PATH environment variable in Flatseal
|
|
||||||
# 3. Add MANGOHUD=1 as a launch options to all games where MangoHud should be
|
|
||||||
# available
|
|
||||||
{ lib, nixosConfig, pkgs, ... }:
|
{ lib, nixosConfig, pkgs, ... }:
|
||||||
let
|
let
|
||||||
cfg = nixosConfig.sbruder.games;
|
cfg = nixosConfig.sbruder.games;
|
||||||
inherit (nixosConfig.sbruder) unfree;
|
inherit (nixosConfig.sbruder) unfree;
|
||||||
|
|
||||||
|
steam-sandbox = pkgs.writeShellScriptBin "steam-sandbox" /* bash */ ''
|
||||||
|
set -euo pipefail
|
||||||
|
shopt -s nullglob # make for loop work for glob if files do not exist
|
||||||
|
base_dir="''${XDG_DATA_HOME:-$HOME/.local/share}/steam-sandbox"
|
||||||
|
mkdir -p "$base_dir"/{.local/share,.steam,.config,.factorio,data}
|
||||||
|
bubblewrap_args=(
|
||||||
|
# sandboxing
|
||||||
|
--unshare-all
|
||||||
|
--share-net
|
||||||
|
--die-with-parent
|
||||||
|
--new-session
|
||||||
|
|
||||||
|
# basic filesystem
|
||||||
|
--tmpfs /tmp
|
||||||
|
--proc /proc
|
||||||
|
--dev /dev
|
||||||
|
--dir "$HOME"
|
||||||
|
--dir "$XDG_RUNTIME_DIR"
|
||||||
|
--ro-bind /nix/store /nix/store
|
||||||
|
# path
|
||||||
|
--ro-bind /run/current-system/sw /run/current-system/sw
|
||||||
|
--ro-bind /etc/profiles/per-user/$USER/bin /etc/profiles/per-user/$USER/bin
|
||||||
|
# system-wide configuration
|
||||||
|
--ro-bind /etc/fonts /etc/fonts
|
||||||
|
--ro-bind /etc/localtime /etc/localtime
|
||||||
|
--ro-bind /etc/machine-id /etc/machine-id
|
||||||
|
--ro-bind /etc/os-release /etc/os-release
|
||||||
|
--ro-bind /etc/passwd /etc/passwd
|
||||||
|
--ro-bind /etc/resolv.conf /etc/resolv.conf
|
||||||
|
--ro-bind /etc/ssl/certs /etc/ssl/certs
|
||||||
|
--ro-bind /etc/static /etc/static
|
||||||
|
|
||||||
|
# gui
|
||||||
|
--ro-bind /tmp/.X11-unix /tmp/.X11-unix
|
||||||
|
--ro-bind "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY"
|
||||||
|
--dev-bind /dev/dri /dev/dri
|
||||||
|
--ro-bind /run/opengl-driver /run/opengl-driver
|
||||||
|
--ro-bind-try /run/opengl-driver-32 /run/opengl-driver-32
|
||||||
|
|
||||||
|
# audio
|
||||||
|
--ro-bind "$XDG_RUNTIME_DIR/pulse" "$XDG_RUNTIME_DIR/pulse"
|
||||||
|
--setenv PULSE_SERVER "$XDG_RUNTIME_DIR/pulse/native"
|
||||||
|
--ro-bind "''${XDG_CONFIG_HOME:-$HOME/.config}/pulse/cookie" "''${XDG_CONFIG_HOME:-$HOME/.config}/pulse/cookie"
|
||||||
|
--setenv PULSE_COOKIE "''${XDG_CONFIG_HOME:-$HOME/.config}/pulse/cookie/pulse/cookie"
|
||||||
|
--ro-bind-try /etc/asound.conf /etc/asound.conf
|
||||||
|
--ro-bind-try /etc/alsa/conf.d /etc/alsa/conf.d
|
||||||
|
--ro-bind-try "$XDG_RUNTIME_DIR/pipewire-0" "$XDG_RUNTIME_DIR/pipewire-0"
|
||||||
|
|
||||||
|
# dbus
|
||||||
|
--ro-bind /run/dbus/system_bus_socket /run/dbus/system_bus_socket
|
||||||
|
--ro-bind "$XDG_RUNTIME_DIR/bus" "$XDG_RUNTIME_DIR/bus"
|
||||||
|
|
||||||
|
# shared data
|
||||||
|
--bind "$base_dir/.local/share" "$HOME/.local/share"
|
||||||
|
--bind "$base_dir/.steam" "$HOME/.steam"
|
||||||
|
--bind "$base_dir/.config" "$HOME/.config"
|
||||||
|
--bind "$base_dir/.factorio" "$HOME/.factorio"
|
||||||
|
--bind "$base_dir/data" "$HOME/data"
|
||||||
|
--ro-bind-try "$HOME/.config/MangoHud" "$HOME/.config/MangoHud"
|
||||||
|
|
||||||
|
# input
|
||||||
|
--dev-bind /dev/input /dev/input
|
||||||
|
--dev-bind-try /dev/uinput /dev/uinput
|
||||||
|
--ro-bind /sys /sys # required for discovery
|
||||||
|
)
|
||||||
|
|
||||||
|
for hidraw in /dev/hidraw*; do
|
||||||
|
bubblewrap_args+=(--dev-bind $hidraw $hidraw)
|
||||||
|
done
|
||||||
|
|
||||||
|
|
||||||
|
unset SDL_VIDEODRIVER QT_QPA_PLATFORM # games generally don’t support wayland
|
||||||
|
export PATH="${pkgs.unstable.mangohud}/bin:$PATH"
|
||||||
|
|
||||||
|
${pkgs.bubblewrap}/bin/bwrap \
|
||||||
|
"''${bubblewrap_args[@]}" \
|
||||||
|
''${SANDBOX_COMMAND:-${pkgs.unstable.steam}/bin/steam} \
|
||||||
|
"$@"
|
||||||
|
'';
|
||||||
|
|
||||||
|
steam-sandbox-with-icons = pkgs.runCommand "steam-sandbox-with-icons" { } ''
|
||||||
|
mkdir -p $out/{bin,share}
|
||||||
|
ln -s ${pkgs.steamPackages.steam}/share/icons $out/share
|
||||||
|
ln -s ${pkgs.steamPackages.steam}/share/pixmaps $out/share
|
||||||
|
ln -s ${steam-sandbox}/bin/steam-sandbox $out/bin/steam-sandbox
|
||||||
|
'';
|
||||||
in
|
in
|
||||||
lib.mkIf cfg.enable {
|
lib.mkIf cfg.enable {
|
||||||
home.packages = with pkgs; [
|
home.packages = with pkgs; [
|
||||||
|
@ -48,7 +105,9 @@ lib.mkIf cfg.enable {
|
||||||
pcsx2
|
pcsx2
|
||||||
] ++ lib.optionals (cfg.performanceIndex >= 8) [
|
] ++ lib.optionals (cfg.performanceIndex >= 8) [
|
||||||
unstable.ryujinx
|
unstable.ryujinx
|
||||||
|
unstable.yuzu-mainline
|
||||||
] ++ lib.optionals unfree.allowSoftware [
|
] ++ lib.optionals unfree.allowSoftware [
|
||||||
unstable.osu-lazer-sandbox
|
unstable.osu-lazer-sandbox
|
||||||
|
steam-sandbox-with-icons
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
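Review bot: The `steam-sandbox` wrapper binds the unfiltered session bus (`--ro-bind "$XDG_RUNTIME_DIR/bus" …`) and `/run/dbus/system_bus_socket`. A read-only bind of a socket does not stop a client from connecting, so code inside the sandbox can talk to every bus service the user can reach; a filtering proxy such as xdg-dbus-proxy with an allow-list would keep that boundary meaningful. Likewise `--dev-bind /dev/input`, `--dev-bind-try /dev/uinput` and the loop over `/dev/hidraw*` expose every input device the user may open, not only game controllers, and `$hidraw` and `$USER` are expanded unquoted. Separately, `PULSE_COOKIE` is set to a path ending in `/pulse/cookie/pulse/cookie`, which does not match the file bound on the line before; it should probably be `--setenv PULSE_COOKIE "''${XDG_CONFIG_HOME:-$HOME/.config}/pulse/cookie"`.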
|
@ -2,7 +2,7 @@
|
||||||
#
|
#
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
|
||||||
{ lib, nixosConfig, pkgs, ... }:
|
{ nixosConfig, pkgs, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
programs.gpg = {
|
programs.gpg = {
|
||||||
|
@ -18,7 +18,7 @@
|
||||||
services.gpg-agent = rec {
|
services.gpg-agent = rec {
|
||||||
enable = true;
|
enable = true;
|
||||||
enableZshIntegration = true;
|
enableZshIntegration = true;
|
||||||
enableSshSupport = lib.mkDefault nixosConfig.sbruder.gui.enable;
|
enableSshSupport = true;
|
||||||
|
|
||||||
pinentryFlavor = if nixosConfig.sbruder.gui.enable then "gnome3" else "curses";
|
pinentryFlavor = if nixosConfig.sbruder.gui.enable then "gnome3" else "curses";
|
||||||
|
|
||||||
|
|
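Review bot: `enableSshSupport = true;` is set at normal priority and no longer follows `nixosConfig.sbruder.gui.enable`, so gpg-agent also takes over the SSH agent role on headless machines, where the `curses` pinentry selected two lines below has to prompt on a terminal. If that is intended, `enableSshSupport = lib.mkDefault true;` (keeping `lib` in the argument list) would still let a single machine opt out without `lib.mkForce`. A one-line comment saying why SSH support is wanted everywhere would help the next reader. The `services.gpg-agent` set continues outside the hunk.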
|
@ -1,4 +1,4 @@
|
||||||
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
|
# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
|
||||||
#
|
#
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
|
||||||
|
@ -73,7 +73,6 @@ lib.mkIf nixosConfig.sbruder.gui.enable {
|
||||||
|
|
||||||
# Lyrics
|
# Lyrics
|
||||||
lyrics_directory = "${config.services.mpd.musicDirectory}/lyrics";
|
lyrics_directory = "${config.services.mpd.musicDirectory}/lyrics";
|
||||||
follow_now_playing_lyrics = true;
|
|
||||||
|
|
||||||
# Misc
|
# Misc
|
||||||
external_editor = "nvim";
|
external_editor = "nvim";
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
|
# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
|
||||||
#
|
#
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
|
||||||
|
@ -54,7 +54,7 @@ in
|
||||||
haskell-language-server
|
haskell-language-server
|
||||||
jdt-language-server
|
jdt-language-server
|
||||||
unstable.ltex-ls
|
unstable.ltex-ls
|
||||||
nixd
|
rnix-lsp
|
||||||
rust-analyzer
|
rust-analyzer
|
||||||
(python3.withPackages (ps: with ps; [
|
(python3.withPackages (ps: with ps; [
|
||||||
pyls-isort
|
pyls-isort
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
-- SPDX-FileCopyrightText: 2018-2024 Simon Bruder <simon@sbruder.de>
|
-- SPDX-FileCopyrightText: 2018-2023 Simon Bruder <simon@sbruder.de>
|
||||||
--
|
--
|
||||||
-- SPDX-License-Identifier: AGPL-3.0-or-later
|
-- SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
|
||||||
|
@ -348,7 +348,7 @@ lsp.ltex.setup {
|
||||||
lsp.pylsp.setup {
|
lsp.pylsp.setup {
|
||||||
on_attach = on_attach,
|
on_attach = on_attach,
|
||||||
}
|
}
|
||||||
lsp.nixd.setup {
|
lsp.rnix.setup {
|
||||||
on_attach = on_attach,
|
on_attach = on_attach,
|
||||||
}
|
}
|
||||||
lsp.rust_analyzer.setup {
|
lsp.rust_analyzer.setup {
|
||||||
|
|
|
@ -1,8 +1,8 @@
|
||||||
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
|
# SPDX-FileCopyrightText: 2020 Simon Bruder <simon@sbruder.de>
|
||||||
#
|
#
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
|
||||||
{ config, pkgs, ... }:
|
{ pkgs, ... }:
|
||||||
{
|
{
|
||||||
programs.password-store = {
|
programs.password-store = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -14,14 +14,4 @@
|
||||||
PASSWORD_STORE_DIR = "$HOME/.password-store";
|
PASSWORD_STORE_DIR = "$HOME/.password-store";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
programs.browserpass = {
|
|
||||||
enable = true;
|
|
||||||
browsers = [ "librewolf" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
services.pass-secret-service = {
|
|
||||||
enable = true;
|
|
||||||
storePath = "${config.xdg.dataHome}/secret-service-password-store";
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
|