Simon Bruder a17791658a
catering WIP 2024-01-26 23:44:01 +01:00
131 changed files with 3559 additions and 2961 deletions


@ -7,7 +7,6 @@ Source: https://git.sbruder.de/simon/nixos-config
Files: Files:
.git-crypt/keys/default/0/*.gpg .git-crypt/keys/default/0/*.gpg
secrets.yaml secrets.yaml
secrets/*.yaml
**/secrets.yaml **/secrets.yaml
keys/*/*.asc keys/*/*.asc
machines/*/secrets/*.nix machines/*/secrets/*.nix


@ -2,7 +2,7 @@
# #
# SPDX-License-Identifier: CC0-1.0 # SPDX-License-Identifier: CC0-1.0
keys: &all-keys keys:
# sops does not (yet) support ADSKs, # sops does not (yet) support ADSKs,
# so all encryption subkeys have to be added manually # so all encryption subkeys have to be added manually
- &simon 6CD375BD0741F67E5A289BC333A01CBE0554C763 # offline - &simon 6CD375BD0741F67E5A289BC333A01CBE0554C763 # offline
@ -15,13 +15,10 @@ keys: &all-keys
- &mayushii 23EEDF49AAF1B41DCD1CD10F44A37FA8C15053B3 - &mayushii 23EEDF49AAF1B41DCD1CD10F44A37FA8C15053B3
- &renge 06a917fc4a2a1b6b0f69a830285075cac85b7035 - &renge 06a917fc4a2a1b6b0f69a830285075cac85b7035
- &nunotaba 3176be14f468c6d43ab2206b4f273abccd49806b - &nunotaba 3176be14f468c6d43ab2206b4f273abccd49806b
- &okarin e7370b48016c961ef8ad792fda66b19d845b3156 - &okarin 868497ac4266a4d137e0718ae5fc3caa3b8107aa
- &shinobu 28677f2e3584b39f528a779caf445ebb39c882b7 - &shinobu 28677f2e3584b39f528a779caf445ebb39c882b7
- &nazuna 0b8be5d87a10a0e68dda97212c4befad1f9e915c - &nazuna 0b8be5d87a10a0e68dda97212c4befad1f9e915c
- &yuzuru a1ee5bc0249163a047440ef2649e770ec6ea16e4 - &yuzuru a1ee5bc0249163a047440ef2649e770ec6ea16e4
- &koyomi 1f18a57e1d4e6716aed0e0cd71586b7a4c0c1a65
- &ci-runner 20e376b89b30327fb82f12e8e8b72d52c3aa39ee
- &hiroshi 2b9be9660662c6c979ca1149c982bdfd82863d09
creation_rules: creation_rules:
- path_regex: machines/nunotaba/secrets\.yaml$ - path_regex: machines/nunotaba/secrets\.yaml$
key_groups: key_groups:
@ -100,27 +97,6 @@ creation_rules:
- *simon-alpha - *simon-alpha
- *simon-beta - *simon-beta
- *yuzuru - *yuzuru
- path_regex: machines/koyomi/secrets\.yaml$
key_groups:
- pgp:
- *simon
- *simon-alpha
- *simon-beta
- *koyomi
- path_regex: machines/ci-runner/secrets\.yaml$
key_groups:
- pgp:
- *simon
- *simon-alpha
- *simon-beta
- *ci-runner
- path_regex: machines/hiroshi/secrets\.yaml$
key_groups:
- pgp:
- *simon
- *simon-alpha
- *simon-beta
- *hiroshi
- path_regex: secrets\.yaml$ - path_regex: secrets\.yaml$
key_groups: key_groups:
- pgp: - pgp:
@ -133,8 +109,3 @@ creation_rules:
- *fuuko - *fuuko
- *mayushii - *mayushii
- *renge - *renge
- *koyomi
- *hiroshi
- path_regex: secrets/local-mail\.yaml$
key_groups:
- pgp: *all-keys
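Review bot: The okarin fingerprint change on the `- &okarin` line and the removal of the koyomi, ci-runner and hiroshi recipients only change the policy for future encryptions; every secrets file already encrypted to the previous okarin key or to the dropped machines keeps its current recipient set and data key until it is re-encrypted. The diffstat cannot show whether the files matched by the changed `creation_rules` were re-keyed in this commit, so it is worth confirming that `sops updatekeys` was run on each of them, and `sops -r` where the intent is that the removed keys lose access to the existing data key rather than only to new material. A short comment next to the okarin entry, e.g. `# key rotated on <DATE placeholder>; re-run sops updatekeys on files encrypted to the previous key`, would make the rotation visible to the next reader of this file.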


@ -143,10 +143,3 @@ so always consult the file header and other resources as specified in the REUSE
Please note that those licensing terms only apply to the source files in this repository, Please note that those licensing terms only apply to the source files in this repository,
not any build outputs, like system or package closures. not any build outputs, like system or package closures.
They might be licensed differently, depending on their source. They might be licensed differently, depending on their source.
If you think you have a compelling reason
why you should be able to use part of this repository under a more permissive license,
please contact me,
so we can figure something out.
Please note, that I can only offer this for files that are solely authored by me,
as I do not own the rights to other peoples code.


@ -26,11 +26,11 @@
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1696426674, "lastModified": 1673956053,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra", "owner": "edolstra",
"repo": "flake-compat", "repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -44,11 +44,11 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1726560853, "lastModified": 1701680307,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -65,11 +65,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1709087332, "lastModified": 1660459072,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "gitignore.nix", "repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394", "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -85,16 +85,16 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1726989464, "lastModified": 1704099619,
"narHash": "sha256-Vl+WVTJwutXkimwGprnEtXc/s/s8sMuXzqXaspIGlwM=", "narHash": "sha256-QRVMkdxLmv+aKGjcgeEg31xtJEIsYq4i1Kbyw5EPS6g=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "2f23fa308a7c067e52dfcc30a0758f47043ec176", "rev": "7e398b3d76bc1503171b1364c9d4a07ac06f3851",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "owner": "nix-community",
"ref": "release-24.05", "ref": "release-23.11",
"repo": "home-manager", "repo": "home-manager",
"type": "github" "type": "github"
} }
@ -106,11 +106,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1728337164, "lastModified": 1704100519,
"narHash": "sha256-VdRTjJFyq4Q9U7Z/UoC2Q5jK8vSo6E86lHc2OanXtvc=", "narHash": "sha256-SgZC3cxquvwTN07vrYYT9ZkfvuhS5Y1k1F4+AMsuflc=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "038630363e7de57c36c417fd2f5d7c14773403e4", "rev": "6e91c5df192395753d8e6d55a0352109cb559790",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -189,11 +189,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1703863825, "lastModified": 1698974481,
"narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=", "narHash": "sha256-yPncV9Ohdz1zPZxYHQf47S8S0VrnhV7nNhCawY46hDA=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nix-github-actions", "repo": "nix-github-actions",
"rev": "5163432afc817cf8bd1f031418d1869e4c9d5547", "rev": "4bb5e752616262457bc7ca5882192a564c0472d2",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -205,6 +205,9 @@
"nix-pre-commit-hooks": { "nix-pre-commit-hooks": {
"inputs": { "inputs": {
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
"flake-utils": [
"flake-utils"
],
"gitignore": "gitignore", "gitignore": "gitignore",
"nixpkgs": [ "nixpkgs": [
"nixpkgs-unstable" "nixpkgs-unstable"
@ -212,11 +215,11 @@
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1728092656, "lastModified": 1703939133,
"narHash": "sha256-eMeCTJZ5xBeQ0f9Os7K8DThNVSo9gy4umZLDfF5q6OM=", "narHash": "sha256-Gxe+mfOT6bL7wLC/tuT2F+V+Sb44jNr8YsJ3cyIl4Mo=",
"owner": "cachix", "owner": "cachix",
"repo": "pre-commit-hooks.nix", "repo": "pre-commit-hooks.nix",
"rev": "1211305a5b237771e13fcca0c51e60ad47326a9a", "rev": "9d3d7e18c6bc4473d7520200d4ddab12f8402d38",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -228,11 +231,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1728269138, "lastModified": 1704124233,
"narHash": "sha256-oKxDImsOvgUZMY4NwXVyUc/c1HiU2qInX+b5BU0yXls=", "narHash": "sha256-lBHs/yUtkcGgapHRS31oOb5NqvnVrikvktGOW8rK+sE=",
"owner": "nixos", "owner": "nixos",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "ecfcd787f373f43307d764762e139a7cdeb9c22b", "rev": "f752581d6723a10da7dfe843e917a3b5e4d8115a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -244,16 +247,16 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1728328465, "lastModified": 1703992652,
"narHash": "sha256-a0a0M1TmXMK34y3M0cugsmpJ4FJPT/xsblhpiiX1CXo=", "narHash": "sha256-C0o8AUyu8xYgJ36kOxJfXIroy9if/G6aJbNOpA5W0+M=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "1bfbbbe5bbf888d675397c66bfdb275d0b99361c", "rev": "32f63574c85fbc80e4ba1fbb932cde9619bad25e",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "nixos",
"ref": "nixos-24.05", "ref": "nixos-23.11",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@ -272,11 +275,11 @@
"poetry2nix": "poetry2nix" "poetry2nix": "poetry2nix"
}, },
"locked": { "locked": {
"lastModified": 1719952130, "lastModified": 1704120598,
"narHash": "sha256-j38XlExNwK4ycmoNEdH/dHUd1QGdNvD3gx/UuLY+04Q=", "narHash": "sha256-9g7bZbVHAjMPNUWD2okeOdTmTrC9pkCeVe1zFyvtvqo=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "3487b8ce24d40cc898f3dba0a9af5e028e1d5844", "rev": "32ef4fd545a29cdcb2613934525b97470818b42e",
"revCount": 68, "revCount": 65,
"type": "git", "type": "git",
"url": "https://git.sbruder.de/simon/nixpkgs-overlay" "url": "https://git.sbruder.de/simon/nixpkgs-overlay"
}, },
@ -287,43 +290,43 @@
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1720386169, "lastModified": 1685801374,
"narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=", "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "194846768975b7ad2c4988bdb82572c00222c0d7", "rev": "c37ca420157f4abc31e26f436c1145f8951ff373",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "nixos-24.05", "ref": "nixos-23.05",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs-stable_2": { "nixpkgs-stable_2": {
"locked": { "locked": {
"lastModified": 1728156290, "lastModified": 1703950681,
"narHash": "sha256-uogSvuAp+1BYtdu6UWuObjHqSbBohpyARXDWqgI12Ss=", "narHash": "sha256-veU5bE4eLOmi7aOzhE7LfZXcSOONRMay0BKv01WHojo=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "17ae88b569bb15590549ff478bab6494dde4a907", "rev": "0aad9113182747452dbfc68b93c86e168811fa6c",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "release-24.05", "ref": "release-23.05",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1728241625, "lastModified": 1703961334,
"narHash": "sha256-yumd4fBc/hi8a9QgA9IT8vlQuLZ2oqhkJXHPKxH/tRw=", "narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "c31898adf5a8ed202ce5bea9f347b1c6871f32d1", "rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -359,11 +362,11 @@
"rust-overlay": "rust-overlay" "rust-overlay": "rust-overlay"
}, },
"locked": { "locked": {
"lastModified": 1721396844, "lastModified": 1703801091,
"narHash": "sha256-VduymKyeovo7JzcJ3ar4fryebNu36RnKlI+/TOMWN8w=", "narHash": "sha256-ay1oI2IxhODG4KheqdxqlHlt6bUmvAogRZbzIcavR+k=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "a09c08847b2539a069833d9ef72d74224c170a54", "rev": "9bddae5f112cdc471faf1a71d34bc4cc2497e946",
"revCount": 19, "revCount": 16,
"type": "git", "type": "git",
"url": "https://git.sbruder.de/simon/password-hash-self-service" "url": "https://git.sbruder.de/simon/password-hash-self-service"
}, },
@ -387,11 +390,11 @@
"treefmt-nix": "treefmt-nix" "treefmt-nix": "treefmt-nix"
}, },
"locked": { "locked": {
"lastModified": 1714509427, "lastModified": 1701399357,
"narHash": "sha256-YTcd6n7BeAVxBNhzOgUHMmsgBkfQ2Cz9ZcFotXrpEg8=", "narHash": "sha256-QSGP2J73HQ4gF5yh+MnClv2KUKzcpTmikdmV8ULfq2E=",
"owner": "nix-community", "owner": "nix-community",
"repo": "poetry2nix", "repo": "poetry2nix",
"rev": "184960be60652ca7f865123e8394ece988afb566", "rev": "7acb78166a659d6afe9b043bb6fe5cb5e86bb75e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -450,11 +453,11 @@
"nixpkgs-stable": "nixpkgs-stable_2" "nixpkgs-stable": "nixpkgs-stable_2"
}, },
"locked": { "locked": {
"lastModified": 1728345710, "lastModified": 1703991717,
"narHash": "sha256-lpunY1+bf90ts+sA2/FgxVNIegPDKCpEoWwOPu4ITTQ=", "narHash": "sha256-XfBg2dmDJXPQEB8EdNBnzybvnhswaiAkUeeDj7fa/hQ=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "06535d0e3d0201e6a8080dd32dbfde339b94f01b", "rev": "cfdbaf68d00bc2f9e071f17ae77be4b27ff72fa6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -501,11 +504,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1714058656, "lastModified": 1699786194,
"narHash": "sha256-Qv4RBm4LKuO4fNOfx9wl40W2rBbv5u5m+whxRYUMiaA=", "narHash": "sha256-3h3EH1FXQkIeAuzaWB+nK0XK54uSD46pp+dMD3gAcB4=",
"owner": "numtide", "owner": "numtide",
"repo": "treefmt-nix", "repo": "treefmt-nix",
"rev": "c6aaf729f34a36c445618580a9f95a48f5e4e03f", "rev": "e82f32aa7f06bbbd56d7b12186d555223dc399d1",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -8,10 +8,10 @@
inputs = { inputs = {
flake-utils.url = "github:numtide/flake-utils"; flake-utils.url = "github:numtide/flake-utils";
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05"; nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
home-manager.url = "github:nix-community/home-manager/release-24.05"; home-manager.url = "github:nix-community/home-manager/release-23.11";
home-manager.inputs.nixpkgs.follows = "nixpkgs"; home-manager.inputs.nixpkgs.follows = "nixpkgs";
home-manager-unstable.url = "github:nix-community/home-manager"; home-manager-unstable.url = "github:nix-community/home-manager";
home-manager-unstable.inputs.nixpkgs.follows = "nixpkgs-unstable"; home-manager-unstable.inputs.nixpkgs.follows = "nixpkgs-unstable";
@ -23,6 +23,7 @@
nixos-hardware.url = "github:nixos/nixos-hardware/master"; nixos-hardware.url = "github:nixos/nixos-hardware/master";
nix-pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix/master"; nix-pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix/master";
nix-pre-commit-hooks.inputs.flake-utils.follows = "flake-utils";
nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs-unstable"; nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs-unstable";
sops-nix.url = "github:Mic92/sops-nix"; sops-nix.url = "github:Mic92/sops-nix";
@ -155,11 +156,12 @@
pkgs.writeShellScript "unlock-${hostname}" '' pkgs.writeShellScript "unlock-${hostname}" ''
set -exo pipefail set -exo pipefail
# opening luks fails if gpg-agent is not unlocked yet # opening luks fails if gpg-agent is not unlocked yet
pass "devices/${hostname}/luks" | ssh \ pass "devices/${hostname}/luks" >/dev/null
ssh \
${lib.optionalString unlockOverV4 "-4"} \ ${lib.optionalString unlockOverV4 "-4"} \
-p 2222 \ -p 2222 \
"root@${targetHost}" \ "root@${targetHost}" \
"cat > /crypt-ramfs/passphrase" "cat > /crypt-ramfs/passphrase" < <(pass "devices/${hostname}/luks")
'') '')
self.nixosConfigurations); self.nixosConfigurations);
@ -169,23 +171,6 @@
}); });
packages = {
kexec-bundle = (nixpkgs.lib.nixosSystem {
inherit system;
modules = [
./modules/pubkeys.nix
./modules/ssh.nix
({ modulesPath, ... }: {
imports = [
(modulesPath + "/installer/netboot/netboot-minimal.nix")
];
})
];
}).config.system.build.kexecTree;
};
devShells.default = pkgs.mkShell { devShells.default = pkgs.mkShell {
buildInputs = (with pkgs; [ buildInputs = (with pkgs; [
black black
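Review bot: In the unlock script the second `pass` call now runs inside a process substitution (`"cat > /crypt-ramfs/passphrase" < <(pass "devices/${hostname}/luks")`), and neither `set -e` nor `pipefail` observes the exit status of a command inside `<( )`; if that call fails after the warm-up succeeded (for instance because the agent cache expired in between, though I cannot tell how likely that is here), `ssh` writes an empty passphrase into `/crypt-ramfs/passphrase` and the script still exits 0. The added `pass "devices/${hostname}/luks" >/dev/null` covers the gpg-agent case the comment describes but not a failure between the two calls. Keeping the pipeline form after the warm-up, `pass "devices/${hostname}/luks" | ssh ... "cat > /crypt-ramfs/passphrase"`, keeps that failure under `pipefail`; if the process substitution was chosen for a reason, a comment stating it would stop the next reader from reverting it. The `writeShellScript` attribute is part of a larger expression that starts before the hunk.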


@ -1,28 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----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=eW+j
-----END PGP PUBLIC KEY BLOCK-----


@ -1,28 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----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=xlca
-----END PGP PUBLIC KEY BLOCK-----


@ -1,28 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----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=yxFM
-----END PGP PUBLIC KEY BLOCK-----


@ -1,28 +1,28 @@
-----BEGIN PGP PUBLIC KEY BLOCK----- -----BEGIN PGP PUBLIC KEY BLOCK-----
xsFNBAAAAAABEADJ6iuUnKyoNZU26YWhsIHwTIkhxnNCNDHrq42wSqDgBFU8QyzC xsFNBAAAAAABEACgnoiAZQChPJOD9Bh4VxtX+/KWZXBrw9HhK1aufLH2Q4bS+mrg
Nd8c34QghVGeqCFr/Md5xXMtgCmoNzFCMullb6PwDIYZ+9SP03B2seoqhnRwp1WG Te5SgFrfsiiYOvo8O2rESmMIWAHRSGxcdcT09+ZZtZxlxW7dmoUXLaPY+Xft0oDT
twejt/dP3QgOBP3G4Tr8uxcdHFnLDvkzN66QyV+LcnzrEf0Dw/9y31Nuo5TlG7UT ekLBs/g3N9qAXYq8XC/YNw0R1FzhComq/enQT2OTcaWES3b2OlFAkn8SVSTTdKgG
cUCg36a3l+1tTlc3VnGwjt5jc59teD619h1s5tU5zMlcgjhFMMVKHXH1oc8zK0Q4 jfmPPjDuTTYWPDPPmVRhaRkT/AcByyRcEcYxw4Zn+62iY9ZuV8FG0O0UcR2I/vEw
va2YyfW+yWZx9Fm9BWF3VLuBdVlPuHVSCZ/Qf/ykDs8nm7Jvwi/I2TQiAeFN7ln9 KwYxHBC4IiqWvCmeJ3mEcf2NBbLwp2hB79dyo9RN8zxbu2mwrCNNO0hbkJGsxom1
vPAYy4z0SQP/w44kVLCe5Mkw4H53LRocPBgxSflzqnJuuEQGroq0xgbP8+xJ8R0h NjKh7KZz0eaIpb/WAesimHCaAXcB9ovGiyyHjECmZkvKlAXMttrPkF5QJZW2Iao7
5WPqLuy86PhslFsuIfKJgzVsNsz3svBxHO6G5bIsVgIjdfT4QPGxVQSvXG0RpdV0 jcdcT0CNhC9fUwdBPIVRVjQQPyCWrqZEas+zG0tU8nbMy+uI/rT8ALC0zSgQMVyr
HzhUKojENcS2MEB7MJOLu200Ce3tjuaZD+nPUyH9LilNVgEJXMN0+9SfXmzyH1mE YDIM7tYHbuBjgHja8gvwAa116L+uTXzkCTuH3OQHowtuvDjorXDKNs5akqJpAPHF
ENW6JWUC+oDgweodltJJ2z3kiaXf0GUNWFEv5P0uxkky3nsed4lDmEs0j0nT3YoS a/fhXzjtY6RfLVp0Hj1+fnwrzMs0D1YdlJEjsBxvpieMTGPXH0YA5ondK/OsHsQD
0hemgdK8X3ZRMuLAxGLCL0SykmsbOdTTzZ/QCak8/0jI8iko9eDrmJ4rNkrQYT4+ uzUgKzgGpq8Kp7hXhxi8gevHmNgVN1F4CNlTy0qOkFgD8U11Fk9O4svI+OtzslPr
TM0JEpI3wA4ksl5WcB2cpM/G8buw/zNTycgbjcKoYL+E2K+L7JeR9F1DgQARAQAB /EXRC/faJeFdT20M0BIqhQVWZFiRRMMsHJgZ04mWG40Wysm8esZ3dwS53QARAQAB
zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
AQgAFgUCAAAAAAkQ2maxnYRbMVYCGw8CGQEAAMkCEAClRHcH4fUUpdXroevY9qpR AQgAFgUCAAAAAAkQ5fw8qjuBB6oCGw8CGQEAAOyUEAAHW0hbAjCKylnIaezMqNiG
O6op26pqBZ839HoD9f4kaZXerhURWVGPcV81uUapR5/B8Pk/OK9LskBetDvoc+J1 yDwfM+MpNXaqB4sG0UUiIdgSUTk06PN5dlQ0Jfvh1I7P9y8CxqamlqCUXiqqWEOR
+B3vM34cRIzbSs55BVrx/Mk6Vn9utPoyutlaJ/b5VMCmz4f2zU/XwPbXOzouvVrn Am3Q7oxQKQdSDz//2ijWLdNFcT7bxZvNKQ/T78UYka/qmuLHx2jSuakAX2pAUrOf
uy/bqY7aNz0eoeU7lKXrXc9as+VoJgc3Ty9Tt1vPi8lfTeQfmxUDtoer47dhn89C K7mbElSu8LD0y8hIDEyxuzB/aL13sHh1LkOUCSEgZ977EEfIEgPidPwEtGJvEbhN
3fL9R5/4utKt5nRtweOh6+z9T36jNodeHy3VhpuMnUBKsWSQn6Op2sLoeb6FJbh0 DaP94cLNapv/lWux8+O5dzKi4R7ghXl6IvrP2LPXQSPF7C3mMZ1ZSX1nFxRjALXi
t5Tz1AZhqjT4HY8bGWK8v2i916BmGseFjge7CECYg9M5MydznHl9z87sBUiruGs4 xiFbrJFkwEQQmVro/3wX9BZSmt6VnFRKkXnsCLlf9eT0aTmTirtqHgfet0PHqTNt
fQTZi8IQySaQ8jCqCx+PB1PYUAsZj4j3o74mx2/erAw8gxBlrme44CuikVdbEKMV CxrlLKTZFN3ZFropGZ070ESs4i6WZUBpTdsYh/htyo5bWMcHO8J+K+Ttd1M8btM4
qYzW/jVJ6EPobtmq+XN8UzU/arf5/BelcU73sQK9fbvCqi47ZMyjC/3UqZ0O12xt RtpAc/2UXa4+dVpLOGqdqkmUEJLVLyGnj9wZZgkx3tWGhjnSohCW3YqffQYlXUFn
uUjf2IcDl8TyWZ3nSSUV7npXrrT05kC6WMK46TwO9wv8F3v3/35UmonAJt8qp/lw xuiQQ8jKM6luuunMXLt6D9dzOch70z9bnjOm1Z6q/S3PIzn++awzA6N3VTKNuUBP
2PNR5W8Sqxr2s+yhkOsh2xwuqBQkdxhqRKeqTv4+kdGAk6ZUmuHmGa1Qni6VsaKT Phs6hlcAeqdQ6Q2EiS5iXKqPdK1nd9cPKzHOJf1fwlaRPSKeCtXUgkjAClu+heEn
TuNRRTEBfQ0QiqF8+lleT2dP4cKI2vAbI0zvyjX6KvNGRb1VlJw3D6Pa0nXW/YQU rst1nggIhCBs+rHc518BVZvISLNVlj5LVwN0mKOk9YPuZItBCGX96WWJZdMHeZk0
NxR1Jvm5bnGfUcnNlzoB4Q== MsxjN+we2woCXG5SJGYOyA==
=6o0h =UTw1
-----END PGP PUBLIC KEY BLOCK----- -----END PGP PUBLIC KEY BLOCK-----


@ -5,39 +5,67 @@ EKpaQ5+0H1NpbW9uIEJydWRlciA8c2ltb25Ac2JydWRlci5kZT6InAQTFgoARAIb
AQUJA8JnAAULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgBYhBNSKGsqxzb0XAVFm AQUJA8JnAAULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgBYhBNSKGsqxzb0XAVFm
K7GgtKRYhaAxBQJlrXkpAhkBAAoJELGgtKRYhaAxe14BAMF2Sj/NbHEfPPj/FH0/ K7GgtKRYhaAxBQJlrXkpAhkBAAoJELGgtKRYhaAxe14BAMF2Sj/NbHEfPPj/FH0/
Pndzxihc7T7JOO9TxwsHMdidAP9eGoz3DgjA4gOtJUDwK70G6XwGnXrY8k42AcNE Pndzxihc7T7JOO9TxwsHMdidAP9eGoz3DgjA4gOtJUDwK70G6XwGnXrY8k42AcNE
B0JHBLQxU2ltb24gQnJ1ZGVyIDxzaW1vbi5icnVkZXJAbWFpbGJveC50dS1kcmVz B0JHBIkCMwQQAQoAHRYhBEfnVZ4DejVlLbv4qo08gvnzCfjsBQJlrZp3AAoJEI08
ZGVuLmRlPoiZBBMWCgBBFiEE1IoayrHNvRcBUWYrsaC0pFiFoDEFAmWtd20CGwEF gvnzCfjsE2IP/RZoV3xvTi9ks5mpClnxdofGR4r2IVFw8TMQLSFfAHAtEJQ+R8fx
CQPCZwAFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQsaC0pFiFoDGUqAEA 0Yk+yoBNjt6JFKsvVVyVTZsK5cZcECSaX8E5gAYIB0+5S7TAC+DL9lDhWqhJnvOk
vqCjV1Fti5v6XpFFX/YU3160v4GYwD1vSdNJTTFfm3kBAO3hu30ecM3rWZf0SJmC 5nWIM6gdey6H4lmwjMQT9deWFBlHI/4+eEv65B2tlPZH7x2EbXywe5TgAmCAuXBI
xizTcSJIOEng0z39uk75PV4MuDMEZa13mRYJKwYBBAHaRw8BAQdA1st2Ull8qExF 7YOCebPh66n0ezJkw0SkEmz5+yMfj/vQNQxvRUpGpMEPDAUvIWEJ+Mb1XRuSZlYy
xFBS4ZtAxCP4a0yvany8hfclRDuM2W2I9QQYFgoAJgIbAhYhBNSKGsqxzb0XAVFm Z8fNh0lMuvDf/GAwoFLiQM8ToprYT1vVnZ+IzEHkjYA1/nDTj1rDxiFCz+FCc+/k
K7GgtKRYhaAxBQJlrud2BQkB4qNdAIF2IAQZFgoAHRYhBF8781AR60Ih56rcrDR/ +7fjbtbmX1rSLu90jQZx3h0JEb9t4Zd0X9aOstVnqTi9pMWWyFcUgA71+21VqbIQ
+Gmc2gd2BQJlrXeZAAoJEDR/+Gmc2gd2WGkA/1q7AL8NUkvEOXRXOdHUhFkC2AXp LccjaPZ0YK75on5YaD5ZmtHAl5ZD1VIXL0vnyN/XQYa4GUiN0qVwdG9QSEEe8gu8
V9deFHxrszMWgIxhAQD7QPihv5Cm8SPkClDMeKFnGwlMpeZNM/XYn5FqyLPrBwkQ jjAWClU8BroyOtWamOlQWs/RPZsg1G5Nv5KcPJbw67sWzJZYvJhytRMg9yMWM/uC
saC0pFiFoDG2mQD8CMU8iakviZHNDspU2nZLVRp5RWBGtbeqiq2+KUYzgCEA/REV uSC30u/gA49YP2N32XsxwFo8LAUrqn22/WdgcR1NIhHDjzT4SWSTS/ec5lSB998e
SAd0ks7DaVVxtHY4cn/oN76QeX3RXUAvfTsiPD0CuDgEZa13whIKKwYBBAGXVQEF xw+41h4hDHwZn75HYi89FytjS0Sc8C4b2GPw8eqbhKHKMlPKJah2enFXkR85AZJ1
AQEHQCz6uVsYw1gvKcMfmofGvK8uv4t+PsL0N6jlrPtY/Qt2AwEIB4h+BBgWCgAm wJGGhHhUS1mZ9e5SbY5ugtYj8v3Q3RMf47pqSHsO1Z9ojWBpAYforhTEtDFTaW1v
FiEE1IoayrHNvRcBUWYrsaC0pFiFoDEFAmWtd8ICGwwFCQPCZwAACgkQsaC0pFiF biBCcnVkZXIgPHNpbW9uLmJydWRlckBtYWlsYm94LnR1LWRyZXNkZW4uZGU+iJkE
oDFfVwEA7ijxFOSx7RhdE9XqNfDk+Gl4s6ste20j0MW3J+jAKTcBALUk/F0OYJIv ExYKAEEWIQTUihrKsc29FwFRZiuxoLSkWIWgMQUCZa13bQIbAQUJA8JnAAULCQgH
E6njUIuZlz4wFKJHDpursKIJu91QjzoFuDMEZa14JhYJKwYBBAHaRw8BAQdATUqx AgIiAgYVCgkICwIEFgIDAQIeBwIXgAAKCRCxoLSkWIWgMZSoAQC+oKNXUW2Lm/pe
HSmDAt+Fs/8EN7JvsIuciptaJpLnZApQ5gu2KgeIfgQYFgoAJhYhBNSKGsqxzb0X kUVf9hTfXrS/gZjAPW9J00lNMV+beQEA7eG7fR5wzetZl/RImYLGLNNxIkg4SeDT
AVFmK7GgtKRYhaAxBQJlrXgmAhsgBQkB4TOAAAoJELGgtKRYhaAxMBoBAN7lVHou Pf26Tvk9XgyJAjMEEAEKAB0WIQRH51WeA3o1ZS27+KqNPIL58wn47AUCZa2afQAK
WPLuO6NNPHL8fXYG+9LFrIfVn/ztEKGwhOkhAQDcmy+3iHVaO4JPz6NJcojZzyDp CRCNPIL58wn47JgND/0aTHhLlT7QGE9O6RV1kS81YeiQD5UvrJcYh9/wb7plXV/R
nn/R4uqdSVJ1qNy3Bbg4BGWteO4SCisGAQQBl1UBBQEBB0DVD2QambSi9HXWmBts +AJ9QUxnw9SKeyyFGjwQeWIkkdJccq8ov5ekz++ErCsFlQtvhzNMa+ZRRJ5XG1m9
FDf75LrjJa5WTn1my6SVSODaYQMBCAeIdQQYFgoAJxYhBNSKGsqxzb0XAVFmK7Gg dyFUKAvZ9vo5EnYOTO72l3TEel4L3V5t6qeUGdJQoVBC3cmLHJ7Vs92cTrmrQnF6
tKRYhaAxBQJlrXjuAxsABAUJAeEzgAAAA8UBAPjW4ZDp+ITJ9z/v7aL+wLdI0CY4 JXVgoj41iSmgnHdf8l0rsHc4/ODYDpZpOQjQj24Teb6Hj8jkjhNejGm6Ackcy6UF
w2I+LYP/VVtUr8JHAQCRFzzkBSz2IXoMKuRvpcJRLMRPS5gTAbrDC/96eGVGBLgz KIX4ZDQD2k9SlxDt2LGLjF2rHar4NFYNJwgzO1tMazjTDAV1J9zx44NFaC1dm4oj
BGWtfDQWCSsGAQQB2kcPAQEHQOtp4pbIVjjXN7J277+pm5EyzIQVD5aHpoi45J1P 0Nz/xSYyyYyBoeqIG29qZrmWj5yIee64I+POX5REuLvf//64atEAkvODqg8ZhrXB
NVCLiH4EGBYKACYWIQTUihrKsc29FwFRZiuxoLSkWIWgMQUCZa18NAIbIAUJAeEz Jd7BTtsRpUkkzwBv/ZHYJyEwLrUKLXpyx6GejksJ4fX4ftyWAgUOkDI06WI4WnQl
gAAKCRCxoLSkWIWgMRecAQC6fz9nPhVe1ncJyNn/c2RcZra0sEWwzwRiem7wieOU WzTOqIWwbub3M53F8eOGvXLUd6PD3p8ARiCFG+5cqRimmd3WZ5g0C9YWnuKRAOrT
GgEAhEOJxdEMbNv6mw4kSdLnFmC5VCvTEeLQF7uxP37ADwq4OARlrXuTEgorBgEE mrquAFhAeaanp+MRihB9d0nj5Lfx3mtfLAWDHYTj+yXL7de1xJ8p2D4WekJJ9NRJ
AZdVAQUBAQdAb2sZjRbDkcC3IhREZfUpXR5931F0csq5A6lTNSHyclcDAQgHiHUE f8b9d+wswth/1NV/ly64J7aiGpVzE+WcpNGl9pcsisSiXOCGJatPvrl9h6vgU+Oj
GBYKACcWIQTUihrKsc29FwFRZiuxoLSkWIWgMQUCZa17kwMbAAQFCQHhM4AAAMSe 2HhE5vf9WmvHxkUwut1Tw2cw5KoukugDZWos8AZ671QebmfnebDUsmSfhkOymbgz
AQCwkhOqxIjsIJ5DBgybQ4HTu52y3IkCVnx+ikcef8DMowEAgA5A3aSX8x9+p34t BGWtd5kWCSsGAQQB2kcPAQEHQNbLdlJZfKhMRcRQUuGbQMQj+GtMr2p8vIX3JUQ7
6ZX1dbgItWYS1a2bvqlEkvUBnwa4MwRlrX8yFgkrBgEEAdpHDwEBB0D37Ln0CHRc jNltiPUEGBYKACYWIQTUihrKsc29FwFRZiuxoLSkWIWgMQUCZa13mQIbAgUJA8Jn
1itQdbnpQs7fFyWqLm5UT59YI2b7pkhK/oh+BBgWCgAmFiEE1IoayrHNvRcBUWYr AACBCRCxoLSkWIWgMXYgBBkWCgAdFiEEXzvzUBHrQiHnqtysNH/4aZzaB3YFAmWt
saC0pFiFoDEFAmWtfzICGyAFCQPCZwAACgkQsaC0pFiFoDFaJgEAmtpmq5QnshEE d5kACgkQNH/4aZzaB3ZYaQD/WrsAvw1SS8Q5dFc50dSEWQLYBelX114UfGuzMxaA
HDs9yBTxWAnrYfPnvyOi4KID6FbJTI0BAPNohV+XiBbQKmmKrWb5ui0BXNISPCYk jGEBAPtA+KG/kKbxI+QKUMx4oWcbCUyl5k0z9difkWrIs+sH8p0A/j2fQV8DVJsn
H6R7fxacajUC fnyFdmEIS14LaLyBTQ411CLkOVI4l5yBAP0Xue1JzV1Spm8Ib5rbAB5l2Q39xwsZ
=361S IkGsiN85Wq7cA4j1BBgWCgAmAhsCFiEE1IoayrHNvRcBUWYrsaC0pFiFoDEFAmWu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=1z2B
-----END PGP PUBLIC KEY BLOCK----- -----END PGP PUBLIC KEY BLOCK-----


@ -0,0 +1,123 @@
# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ config, pkgs, ... }:
{
imports = [
./hardware-configuration.nix
../../modules
];
sbruder = {
nginx.hardening.enable = true;
full = false;
};
networking.hostName = "catering";
system.stateVersion = "23.05";
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts = {
"catering.salespointframework.org" = {
enableACME = true;
forceSSL = true;
locations = {
"/" = {
proxyPass = "http://localhost:8080";
extraConfig = ''
sub_filter '</script>' '</script><script src="/dev.js"></script>';
sub_filter_once on;
'';
};
"= /dev.js".alias = pkgs.writeText "dev.js" ''
addEventListener("load", event => {
document.querySelector("footer").appendChild((() => {
let el = document.createElement("p")
el.classList.add("text-center", "fw-bold")
el.innerText = "Alle Angebot sind fiktiv!"
return el
})())
if (localStorage.getItem("devAck") !== "true") {
if (confirm("Alle hier präsentierten Angebote sind fiktiv, es können keine rechtsverbindlichen Verträge geschlossen werden. Mit dem Fortfahren bestätigen Sie, dies verstanden zu haben.")) {
localStorage.setItem("devAck", "true")
} else {
location = "about:blank"
}
}
})
'';
};
};
"www.mampf.shop" = {
forceSSL = true;
enableACME = true;
globalRedirect = "catering.salespointframework.org";
};
"mampf.shop" = {
forceSSL = true;
enableACME = true;
globalRedirect = "catering.salespointframework.org";
};
"presi.catering.salespointframework.org" = {
enableACME = true;
forceSSL = true;
root = "/var/www/presi.catering.salespointframework.org";
locations."/".tryFiles = "/main.pdf =404";
};
};
};
systemd.tmpfiles.rules = [
"d /var/www/presi.catering.salespointframework.org 0755 catering catering - -"
];
users.users.catering = {
isSystemUser = true;
group = "catering";
useDefaultShell = true;
home = "/var/lib/catering";
createHome = true;
openssh.authorizedKeys.keys = config.sbruder.pubkeys.trustedKeys;
};
users.groups.catering = { };
sbruder.static-webserver.vhosts = {
"salespointframework.org" = {
redirects = [ "www.salespointframework.org" "salespointframe.work" "www.salespointframe.work" ];
user = {
name = "salespoint";
keys = config.sbruder.pubkeys.trustedKeys;
};
};
"verkaufspunktrahmenwerk.de" = {
redirects = [ "www.verkaufspunktrahmenwerk.de" "verkaufspuntrahmenwerk.de" "www.verkaufspuntrahmenwerk.de" ];
user = {
name = "verkaufspunkt";
keys = config.sbruder.pubkeys.trustedKeys;
};
};
};
networking.firewall.allowedTCPPorts = [
80
443
];
}
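Review bot: The `sub_filter` in the `"/"` location can only rewrite uncompressed upstream bodies, and as far as I can tell `recommendedProxySettings` does not strip the client's `Accept-Encoding` header, so if the application on :8080 compresses its responses the `/dev.js` tag is silently never injected; adding `proxy_set_header Accept-Encoding "";` to that location's `extraConfig` makes the injection reliable, while `recommendedGzipSettings` still lets nginx compress towards the client. The injected banner and the `confirm()` gate are client-side only, so they label the instance as fictional but do not restrict access, which is presumably intended for a demo host; a one-line comment on `"= /dev.js"` saying so would document that decision. The banner string `Alle Angebot sind fiktiv!` looks like a typo for `Alle Angebote sind fiktiv!`.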


@ -0,0 +1,54 @@
# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
sbruder.machine.isVm = true;
boot = {
initrd = {
availableKernelModules = [ "xhci_pci" "virtio_pci" "usbhid" "sr_mod" ];
};
loader = {
grub.enable = false;
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/c39bdb61-2e4c-464b-8c4c-bb6bb7f342a2";
fsType = "btrfs";
options = [ "compress=zstd" ];
};
"/boot" = {
device = "/dev/disk/by-uuid/D976-BBAF";
fsType = "vfat";
};
};
networking.useDHCP = false;
networking.usePredictableInterfaceNames = false;
systemd.network = {
enable = true;
networks = {
eth0 = {
name = "eth0";
DHCP = "yes";
domains = [ "salespointframework.org" ];
address = [ "2a01:4f9:c011:9c01::1/64" ];
gateway = [ "fe80::1" ];
};
};
};
# no smart on qemu disk
services.smartd.enable = false;
}
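Review bot: The `/boot` entry mounts the ESP with vfat's default permissions, which leaves everything on it world-readable (kernel and initrd images, and with systemd-boot the random-seed file it maintains); the other VM hardware config in this compare mounted `/boot` with explicit `fmask`/`dmask` options, so this looks like an omission rather than a choice. Restricting it to root with `options = [ "fmask=0077" "dmask=0077" ];` is what I believe newer NixOS releases warn about when it is missing. If default permissions are intentional here, a comment on the `"/boot"` attribute saying why would be enough.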


@ -1,15 +0,0 @@
<!--
SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
SPDX-License-Identifier: CC-BY-SA-4.0
-->
# ci-runner
## Hardware
QEMU/KVM virtual machine on [koyomi](../koyomi/README.md).
## Purpose
It will serve as a CI runner for Forgejo.


@ -1,79 +0,0 @@
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ config, lib, pkgs, ... }:
let
instances = {
personal = {
url = "https://git.sbruder.de";
};
codeberg = {
url = "https://codeberg.org";
};
};
in
{
imports = [
./hardware-configuration.nix
../../modules
];
sbruder = {
full = false;
};
networking.hostName = "ci-runner";
system.stateVersion = "24.05";
sops.secrets = lib.mapAttrs'
(name: _: lib.nameValuePair "forgejo-runner-token-${name}" {
sopsFile = ./secrets.yaml;
})
instances;
services.gitea-actions-runner = {
package = pkgs.forgejo-runner;
instances = lib.mapAttrs
(name: cfg: {
inherit (cfg) url;
enable = true;
name = "koyomi-vm";
tokenFile = config.sops.secrets."forgejo-runner-token-${name}".path;
labels = [
"nix:host"
];
settings = {
log.level = "warn"; # seems to have little effect
runner = {
capacity = 4;
timeout = "1h";
};
};
hostPackages = with pkgs; [
bash
coreutils
git
git-lfs
nix
nodejs
podman
];
})
instances;
};
virtualisation = {
podman = {
enable = true;
defaultNetwork.settings = {
ipv6_enabled = true;
};
};
containers.containersConf.settings = {
engine.cgroup_manager = "cgroupfs"; # systemd does not work for system user
};
};
}


@ -1,58 +0,0 @@
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ modulesPath, ... }:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
sbruder.machine.isVm = true;
boot = {
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
kernelParams = [ "console=ttyS0" ];
initrd = {
availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ];
kernelModules = [ ];
};
loader = {
grub.enable = false;
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/e1a9b0bb-9f04-498c-ac2f-aad9da4639f3";
fsType = "btrfs";
options = [ "compress=zstd" "discard" "noatime" "ssd" ]; # for some reason, the kernel assumes rotational
};
"/boot" = {
device = "/dev/disk/by-uuid/7A51-7897";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
};
services.fstrim.enable = true;
networking = {
useDHCP = false;
usePredictableInterfaceNames = false;
};
systemd.network = {
enable = true;
networks = {
eth0 = {
name = "eth0";
DHCP = "yes";
domains = [ "sbruder.de" ];
};
};
};
}


@ -1,73 +0,0 @@
forgejo-runner-token-codeberg: ENC[AES256_GCM,data:dOoTwNaXUDrkE5qUldDMI/SQt3mufCF4Aeua7jqvSFTXuB15rLgdbC99+7MlMTc=,iv:7jakhJ3gKWxN0ACG9MfkOeA/X2HnTKHXxMvLJ/b/9uM=,tag:i7uk5pjd5ALnQrH6F5WhZg==,type:str]
forgejo-runner-token-personal: ENC[AES256_GCM,data:U2VmQW3mO+3lNBczxU5MmKjseCICXcu1q9g4xctrJMl7Hcau0Hfy2IT8YzaEnTo=,iv:IRf+5sTyx20cMyUCg8jffDiSIuNgVRySD7eqOlzzAXY=,tag:vLEo/E2VUZ4Uu/vTFDomUw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2024-07-31T15:26:48Z"
mac: ENC[AES256_GCM,data:qS+MsheUb+zsG5VuNqPAQz4QHDutltBQoY/qWWxSHpp5ty9O477mpsAGwP2okQJfrfbr5zfy9fUMOB/9GV3VWwhNfzmLSbSHM9f/0a1sgv7q2qsX3Z9HTyYoYJD1i9vfIX+AYCgeP7IlbPH/DOi5R6zYO34ETk1UqgSAtWjpu44=,iv:/oe5jlyzDTPZlNB0ToZpsJr/nwGU3QoGerHd7N4TjDY=,tag:U1R8PwdeWvViEhHJ04Un2w==,type:str]
pgp:
- created_at: "2024-07-19T10:09:12Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DLHeEFiC484ASAQdAV+XCpuYtwJAQ0tudjofCp9kLhagt3iFPOZxMVm7Wu38w
7h11CkDL2crHptPFundK0cVC1C149l8fpTRM3w6HzrqrYeSb2rVB3sTJnquWE6vc
hF4Dub78fMESoMASAQdAyxaxQvNwxAVVLs2zfhpaEVJMJTVb2X8Re28T5oyzBTsw
vfLrp2aF9f6aR0rKawCdWCtbkdT84RqjcmFeRFm80aKg/moUOsEGKrJIom8bvzgC
hF4DM6AcvgVUx2MSAQdAkmk2DPVyggHcMG98DGidvPx2lx6f1jUctmu4bgCOCXow
JmC3Navjws1ki32t3AYO18VLzTdJnnoUZsMgKIZjrmTYq1SYEbZF7YkHpFKyD2P/
1GgBCQIQznxhAwr2Y1EfOOIurUCAFioUkb00NYurpRtXkwlq6zXj+g3mqy4oIxwE
G8PWC0Gd5DDf3vgY8gu+yIPdQYVtPEmcgdVAuf2URXeZzOYkYdME9aHjmOkZZLgl
q+rcko9nXtgqfQ==
=a7Tl
-----END PGP MESSAGE-----
fp: 6CD375BD0741F67E5A289BC333A01CBE0554C763
- created_at: "2024-07-19T10:09:12Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4Dub78fMESoMASAQdAn4gu062b6uphH7aptsB+qJsJvw5j1jeEijaiN3g3HCEw
7efyFGEXz5Jr3QBkvA86zzzw4uaj6s8jcpGkygPgVxkid+wNPNE7Od2GxwsQ7Rzs
1GgBCQIQznKTHLTufQbnTxtYWdZ7Vd7d90/hl9ZkGRXCq5llvppaYkuO+RO3HeW1
Z4hAPFKrvOjNctb/Puh9kbmQ2g02KFdzs1xUvq3+Ma6gI+WeefV/R/VewAVve8+2
G/CwY+iDECvL1A==
=QVmD
-----END PGP MESSAGE-----
fp: 0C8AF4B4320A511384DF6B5BB9BEFC7CC112A0C0
- created_at: "2024-07-19T10:09:12Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DLHeEFiC484ASAQdAwLuRB1t778hUtgsjaQisVwMhBudnSIOtrBFehLU5Smow
AA29mIR2539iMz/Qkdjoumj3IIKGu6a/fBeu0eLUcZqSt5PtpMKMDnF47HeRv/QQ
1GgBCQIQGjEJcIaQyjBPuHyxUNryt6M72ed5eKsnsHBhe+xmwc8AFliP2rt/kZOn
yJGjhMrFAib5i8rRDQiW+HlDHKZeGxsX3yLGdOSI9KfIFvawcYV8pxDFzIca/3X1
TcVFed7B2BUIow==
=6bPt
-----END PGP MESSAGE-----
fp: 403215E0F99D2582C7055C512C77841620B8F380
- created_at: "2024-07-19T10:09:12Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=bQn7
-----END PGP MESSAGE-----
fp: 20e376b89b30327fb82f12e8e8b72d52c3aa39ee
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -23,9 +23,6 @@ in
}; };
vueko = { vueko = {
system = "aarch64-linux"; system = "aarch64-linux";
extraModules = [
"${inputs.infinisilSystem}/config/new-modules/murmur.nix"
];
targetHost = "vueko.sbruder.de"; targetHost = "vueko.sbruder.de";
}; };
@ -49,6 +46,9 @@ in
}; };
renge = { renge = {
system = "aarch64-linux"; system = "aarch64-linux";
extraModules = [
"${inputs.infinisilSystem}/config/new-modules/murmur.nix"
];
targetHost = "renge.sbruder.de"; targetHost = "renge.sbruder.de";
}; };
@ -76,23 +76,9 @@ in
targetHost = "yuzuru.sbruder.de"; targetHost = "yuzuru.sbruder.de";
}; };
koyomi = { catering = {
system = "x86_64-linux"; system = "aarch64-linux";
extraModules = [
hardware.common-cpu-amd
hardware.common-pc-ssd
];
targetHost = "koyomi.sbruder.de"; targetHost = "catering.salespointframework.org";
};
ci-runner = {
system = "x86_64-linux";
targetHost = "ci-runner.sbruder.de";
};
hiroshi = {
system = "x86_64-linux";
targetHost = "hiroshi.sbruder.de";
}; };
} }


@ -9,9 +9,9 @@
../../modules ../../modules
../../users/simon ../../users/simon
./services/languagetool.nix
./services/media-backup.nix ./services/media-backup.nix
./services/media.nix ./services/media.nix
./services/paperless.nix
./services/photoprism.nix ./services/photoprism.nix
./services/torrent.nix ./services/torrent.nix
]; ];
@ -19,24 +19,20 @@
sbruder = { sbruder = {
wireguard.home.enable = true; wireguard.home.enable = true;
nginx.hardening.enable = true; nginx.hardening.enable = true;
printing.server.enable = true; restic.system = {
restic = {
enable = true; enable = true;
backups.system = { qos = true;
enable = true; extraPaths = [
qos = true; "/data"
extraPaths = [ ];
"/data" extraExcludes = [
]; "/data/cold/media/video"
extraExcludes = [ "/data/cold/misc"
"/data/cold/media/video" "/data/cold/torrent"
"/data/cold/misc" "/data/hot/torrent"
"/data/cold/torrent" "/data/media/video"
"/data/hot/torrent" "/data/torrent"
"/data/media/video" ];
"/data/torrent"
];
};
}; };
unfree.allowSoftware = true; unfree.allowSoftware = true;
}; };
@ -54,20 +50,4 @@
networking.hostName = "fuuko"; networking.hostName = "fuuko";
system.stateVersion = "20.09"; system.stateVersion = "20.09";
services.postgresql = {
enable = true;
package = pkgs.postgresql_16;
};
services.postgresqlBackup = {
enable = true;
startAt = [ ]; # triggered by restic system backup
location = "/var/lib/postgresql-backup";
compression = "none";
};
systemd.services.restic-backups-system = {
after = [ "postgresqlBackup.service" ];
wants = [ "postgresqlBackup.service" ];
};
} }


@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
@ -92,8 +92,6 @@
} }
]; ];
services.prometheus.exporters.smartctl.devices = [ "/dev/nvme0n1" "/dev/sda" "/dev/sdb" "/dev/sdc" ];
powerManagement.cpuFreqGovernor = "schedutil"; powerManagement.cpuFreqGovernor = "schedutil";
networking = { networking = {


@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
@ -12,9 +12,8 @@ in
#allowOrigin = "https://languagetool.sbruder.de"; #allowOrigin = "https://languagetool.sbruder.de";
allowOrigin = "*"; allowOrigin = "*";
settings = { settings = {
# http://languagetool.org/download/ngram-data/
languageModel = "/var/lib/languagetool/ngrams"; languageModel = "/var/lib/languagetool/ngrams";
# https://fasttext.cc/docs/en/language-identification.html word2vecModel = "/var/lib/languagetool/word2vec";
fasttextModel = "/var/lib/languagetool/fasttext/lid.176.bin"; fasttextModel = "/var/lib/languagetool/fasttext/lid.176.bin";
fasttextBinary = "${pkgs.fasttext}/bin/fasttext"; fasttextBinary = "${pkgs.fasttext}/bin/fasttext";
}; };
@ -23,13 +22,7 @@ in
# default log level is INFO, no easy way to reduce it. # default log level is INFO, no easy way to reduce it.
#systemd.services.languagetool.serviceConfig.StandardOutput = "null"; #systemd.services.languagetool.serviceConfig.StandardOutput = "null";
# It often runs out of java heap memory, no matter what settinsg are used.
systemd.services.languagetool.serviceConfig.Restart = "always";
services.nginx.virtualHosts."languagetool.sbruder.de" = { services.nginx.virtualHosts."languagetool.sbruder.de" = {
enableACME = true;
forceSSL = true;
locations = { locations = {
"/".proxyPass = "http://127.0.0.1:${toString cfg.port}"; "/".proxyPass = "http://127.0.0.1:${toString cfg.port}";
}; };
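Review bot: The new side removes `enableACME = true;` and `forceSSL = true;` from the `languagetool.sbruder.de` vhost, so nothing left in this hunk forces HTTPS for it; the same two lines disappear from the `media.sbruder.de` vhost in media.nix and the `photoprism.sbruder.de` vhost in photoprism.nix. The torrent.nix hunk that adds an explicit `forceSSL = false;` suggests a module-level default now turns TLS on for every vhost, but that default is not visible in this compare, so this is an inference. It matters most for `media.sbruder.de`, whose `basicAuthFile` credentials would be sent in cleartext if no such default applies. If the default exists, a one-line comment at the vhost such as `# TLS and ACME come from the nginx module defaults` would make the intent reviewable; otherwise the two lines should be restored.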


@ -8,9 +8,6 @@
sops.secrets.media-htpasswd.owner = "nginx"; sops.secrets.media-htpasswd.owner = "nginx";
services.nginx.virtualHosts."media.sbruder.de" = { services.nginx.virtualHosts."media.sbruder.de" = {
enableACME = true;
forceSSL = true;
basicAuthFile = config.sops.secrets.media-htpasswd.path; basicAuthFile = config.sops.secrets.media-htpasswd.path;
root = "/data/media/"; root = "/data/media/";


@ -1,119 +0,0 @@
# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ config, lib, ... }:
{
services.postgresql = {
enable = true;
ensureDatabases = [ "paperless" ];
ensureUsers = lib.singleton {
name = "paperless";
ensureDBOwnership = true;
};
};
services.paperless = {
enable = true;
settings = {
PAPERLESS_DBHOST = "/run/postgresql";
PAPERLESS_URL = "https://paperless.sbruder.de";
PAPERLESS_OCR_LANGUAGE = "deu+eng";
PAPERLESS_TASK_WORKERS = 4;
PAPERLESS_TIME_ZONE = "Europe/Berlin";
PAPERLESS_FILENAME_FORMAT = "{correspondent}/{document_type}/{created}_{title}_{doc_pk}";
PAPERLESS_CONSUMER_RECURSIVE = true;
PAPERLESS_CONSUMER_ENABLE_BARCODES = true;
PAPERLESS_CONSUMER_ENABLE_ASN_BARCODE = true;
PAPERLESS_CONSUMER_ENABLE_COLLATE_DOUBLE_SIDED = true;
PAPERLESS_OCR_USER_ARGS = builtins.toJSON {
invalidate_digital_signatures = true;
};
};
};
systemd.services.paperless-task-queue.serviceConfig = {
ReadWritePaths = [ "/var/lib/scans/paperless" ];
};
services.nginx = {
enable = true;
virtualHosts."paperless.sbruder.de" = {
enableACME = true;
forceSSL = true;
locations = {
"/" = {
proxyPass = with config.services.paperless; "http://${address}:${toString port}";
proxyWebsockets = true;
extraConfig = ''
client_max_body_size 500M;
'';
};
"/static".root = "${config.services.paperless.package}/lib/paperless-ngx";
"/manual-scan/" = {
alias = "/var/lib/scans/manual/";
extraConfig = ''
autoindex on;
allow 10.80.1.0/24;
allow 2001:470:73b9:1::/64;
deny all;
'';
};
};
};
virtualHosts."fuuko.lan.shinonome-lab.de" = {
enableACME = true;
forceSSL = true;
};
};
users.users.scan = {
home = "/var/lib/scans";
isSystemUser = true;
group = "scan";
hashedPassword = "$y$jCT$5kP87kZLYQs4SRtB5oDYT0$TbcyiO.HuFZ.5e9LPu4vqGAjGXbmfOTJefPvTlsVzm3";
};
users.groups.scan = { };
systemd.tmpfiles.rules = [
"d /var/lib/scans 0555 scan root -"
"d /var/lib/scans/paperless 0770 scan paperless -"
"d /var/lib/scans/paperless/double-sided 0770 scan paperless -"
"d /var/lib/scans/manual 0750 scan nginx 7d"
"L /var/lib/paperless/consume/ftp - - - - /var/lib/scans/paperless"
];
sbruder.restic.backups.system.extraExcludes = [ "/var/lib/scans" ];
services.vsftpd = {
enable = true;
writeEnable = true;
localUsers = true;
chrootlocalUser = true;
userlist = [ "scan" ];
extraConfig = ''
listen_ipv6=YES
# users shell is nologin
check_shell=NO
# scans should be readable
local_umask=022
pasv_min_port=30000
pasv_max_port=30009
'';
};
networking.firewall = {
allowedTCPPorts = [ 21 ];
allowedTCPPortRanges = [{ from = 30000; to = 30009; }];
};
}


@ -13,14 +13,11 @@
}; };
}; };
sbruder.restic.backups.system.extraExcludes = [ sbruder.restic.system.extraExcludes = [
"/var/lib/private/photoprism" "/var/lib/private/photoprism"
]; ];
services.nginx.virtualHosts."photoprism.sbruder.de" = { services.nginx.virtualHosts."photoprism.sbruder.de" = {
enableACME = true;
forceSSL = true;
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://127.0.0.1:${toString config.services.photoprism.port}"; proxyPass = "http://127.0.0.1:${toString config.services.photoprism.port}";


@ -15,6 +15,11 @@ in
fqdn = "torrent.sbruder.de"; fqdn = "torrent.sbruder.de";
}; };
services.nginx.virtualHosts."torrent.sbruder.de" = {
enableACME = false;
forceSSL = false;
};
networking.nftables.ruleset = '' networking.nftables.ruleset = ''
table inet qbittorrent { table inet qbittorrent {
chain output { chain output {
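Review bot: The added `enableACME = false; forceSSL = false;` for `torrent.sbruder.de` switches that vhost to plain HTTP without saying why, so a later reader cannot tell whether it is intentional or an oversight. A short comment giving the reason, e.g. `# plain HTTP by design: TODO state why (e.g. only reachable over the VPN) — confirm`, would make the override reviewable. If the service behind this vhost presents a login, serving it without TLS exposes those credentials on any network path that is not otherwise protected, which is worth stating next to the override. The enclosing module continues outside the hunk.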


@ -1,19 +0,0 @@
<!--
SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
SPDX-License-Identifier: CC-BY-SA-4.0
-->
# hiroshi
## Hardware
QEMU/KVM virtual machine on [koyomi](../koyomi/README.md).
## Purpose
Server for general purpose services.
## Name
Hiroshi Odokawa is a taxi driver from *Odd Taxi*


@ -1,53 +0,0 @@
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ pkgs, ... }:
{
imports = [
./hardware-configuration.nix
../../modules
./services/bang-evaluator.nix
./services/languagetool.nix
./services/li7y.nix
./services/password-hash-self-service.nix
];
sbruder = {
full = false;
restic = {
enable = true;
backups.system.enable = true;
};
wireguard.home.enable = true;
infovhost.enable = true;
nginx = {
hardening.enable = true;
proxyv4.enable = true;
};
};
networking.hostName = "hiroshi";
system.stateVersion = "24.05";
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.postgresql = {
enable = true;
package = pkgs.postgresql_16;
};
services.postgresqlBackup = {
enable = true;
startAt = [ ]; # triggered by restic system backup
location = "/var/lib/postgresql-backup";
compression = "none";
};
systemd.services.restic-backups-system = {
after = [ "postgresqlBackup.service" ];
wants = [ "postgresqlBackup.service" ];
};
}


@ -1,53 +0,0 @@
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ modulesPath, ... }:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
sbruder.machine.isVm = true;
boot = {
kernelParams = [ "console=ttyS0" ];
initrd = {
availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
};
loader = {
grub.enable = false;
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/41b1b850-4349-435a-ba10-6adefbe25c68";
fsType = "btrfs";
options = [ "compress=zstd" "discard" "noatime" "ssd" ];
};
"/boot" = {
device = "/dev/disk/by-uuid/F0E4-1A5C";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
};
networking = {
useDHCP = false;
usePredictableInterfaceNames = false;
};
systemd.network = {
enable = true;
networks = {
eth0 = {
name = "eth0";
DHCP = "yes";
domains = [ "sbruder.de" ];
};
};
};
}


@ -1,73 +0,0 @@
wg-home-private-key: ENC[AES256_GCM,data:JAlK7jzme1qyVLhoJoRZ5K3qTQoFn69RxFPrhcav7GkXzyP/rfp9IUZ7WDw=,iv:JSytbjdpCQ0co+Wz7Kt9p8QgwwjerK+c/y0R+qQISpM=,tag:yHdH/owL43LDnMk65Iw1tQ==,type:str]
li7y-environment: ENC[AES256_GCM,data:9vlusBKLpT9Rd8cODcGKnKHiZJf6LbXNo6BjiulM6HCASfELnDArEQ6bX3w/kkR0C0ZvgAeT/cSnNjMxQgBL4NcKPaMHB+fxoJ68+PDC4LzAd26u6hWtgPfe6INvjsScnlNRZOFeJNHM2LIbRGOFS8PJ/IltxORpPF0n7oR8kCPhK/H46lL/Hz3UFpwYBmXeizSn5O3NETo=,iv:v8oeMwGyyDvx6VltExzAUGdWLxjx8UfYU4NFKS8q/qQ=,tag:f6jKlQWQh0Gl3LnXpStMjw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2024-08-28T13:24:56Z"
mac: ENC[AES256_GCM,data:vMzaq0A43DkFSV+eBFB6n/HYMQqA8qrBNHBMwLoHyiCvl35BTG0Qx9tHJsqmucWrQJN/w2opm/YZj9/as9xTgVEIaUXn3lFdhSBNuH3ZQYLSayhUFKUQT4q6tBymxzgeFbI/vUmgxhQ/rOlKFV/BVx/GGdOTQBNZMdpyhI8qe0Q=,iv:tOGHmTwrBukks3nJLchPz7Q4BN5Eca6vlM+JcVND1rk=,tag:ZW52VxsZDRn7syscng3Uxw==,type:str]
pgp:
- created_at: "2024-08-20T16:25:03Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=18pZ
-----END PGP MESSAGE-----
fp: 6CD375BD0741F67E5A289BC333A01CBE0554C763
- created_at: "2024-08-20T16:25:03Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4Dub78fMESoMASAQdASS1oqED/kKjkWPOT24Ryed4+XFDf/F83pjy8XTuzHXAw
7PHMEfiV3rniHWppCMoGn3lEoBojp4EeJ/OwO/0/ujwg9o86Tq1kzEwy04lgYJCK
1GgBCQIQJZXXZsWsF6VRrURVTZDc2dax+5mvGBgiJ1zlopUA6HgZj6dyeiH5gNRp
LmbbXoTu+UMgcePL4CtkvVam3pi+KFnCDYkcZEtfGygoASklb+WHFmlKSVoJcLRF
qEfypkntJ/n39A==
=jSRD
-----END PGP MESSAGE-----
fp: 0C8AF4B4320A511384DF6B5BB9BEFC7CC112A0C0
- created_at: "2024-08-20T16:25:03Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DLHeEFiC484ASAQdAqFT6XtuCsKZ/OYjgU/fM8FFzWNQGcyhHDYAZJGQyjksw
MTUpUnRgzqqZ3meafYBDm8FS4ecq7xrv72NGrt5dxzg9ubXV/Dy55sYjcDeeq/ez
1GgBCQIQ2BbwEJz4yevPP2wc2PNV3Y/K1gJF45iYW9Ok7SaX1jLT8IkWF4ktY0R4
YytShmcywpUw+vGCOx4EoyMgZgZfhqH5jo+a9xsukL7yFFKIupILl9ypH351aFN4
wQhFWlKE8CoYwg==
=Jw+A
-----END PGP MESSAGE-----
fp: 403215E0F99D2582C7055C512C77841620B8F380
- created_at: "2024-08-20T16:25:03Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA8mCvf2Chj0JARAAtI5JqcTlUuwbCvEETf3R5Fda28TY66SpQqtd1+4bxV5k
Pvasl0z/nwuc0yFyjGX+GWK4f9vWnxWeJVc6MbXHlgO0RrBFgD8U3eDwxKhBRP9S
blFcf2qPbbf9P38/DWGRjgS7y4Va+kdaGSyT5i7+1lsJxt5Uefg2X4U8nnK+BAiy
QWdA5gXNYERi4nj+SmtFkp++McOfU0UYdlFSwKwhJnch5fL/l4yjzc3qCyYtoNtY
C3qMWBZVFerYz8UCKWGusD20h+ysodY9B49uSqJq2mbQSmEZAnkRj4BMyEPeC6im
cvjwZPBM2Gae2Xh+sf8m6zwL7Bo+5uYIJoaWF2frJ7JhCaWeYCXbFMpd62YJajV0
yMwtrVAIAzScC0HoYELI/UCdJ2wk59Ns7GMLwa2EmJy92SfrUMYqC21eNoFNI6oh
KuahY82SfpGFER4PbpJwuW0XzwzHHYYEJAIDd/eAfJa+Do6tU8a/1VI8VLdQ+nHg
QCSpPyIS8uXBmGFxmZEfviroo1dDcwYoLLR5pp2ctwRknQLvhadGqWjWZhGifEg5
s1GQptL7JK/lfoOQkLes9X2HoEC32DqbqP+6zUammuhCoMgMLPPpcw5jcjLFVxfN
jpFXqmxYBCjJuxLjM868scaKRj4XW1jOLNqHgAdAfFq1+5SkxEZtmvwbeTDEFnDS
WAHKApsFhO3JioY8NVPiYWRHdKvMf9a3IeE3iDuSZ7Crue4Lwg7hmDbTnqQEnShM
jmS3x+Gu182MI3pu2qZrB/DYKtbgW+540nI5p2NFEX7SPsrXyKIPrqM=
=pmGP
-----END PGP MESSAGE-----
fp: 2b9be9660662c6c979ca1149c982bdfd82863d09
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -1,60 +0,0 @@
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ config, pkgs, ... }:
{
sops.secrets.li7y-environment = {
sopsFile = ../secrets.yaml;
owner = "li7y";
};
users.users.li7y = {
isSystemUser = true;
home = "/var/lib/li7y";
createHome = true;
group = "li7y";
};
users.groups.li7y = { };
virtualisation = {
podman = {
enable = true;
defaultNetwork.settings = {
ipv6_enabled = true;
};
};
};
systemd.services.podman-li7y = {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStartPre = "${pkgs.podman}/bin/podman pull git.sbruder.de/simon/li7y";
ExecStart = "${pkgs.podman}/bin/podman run --rm --name=li7y --userns=keep-id -v /run/postgresql:/run/postgresql --env-file ${config.sops.secrets.li7y-environment.path} -e 'DATABASE_URL=postgres:///?port=5432&host=/run/postgresql' -e LISTEN_ADDRESS=:: -p 127.0.0.1:8080:8080 git.sbruder.de/simon/li7y";
User = "li7y";
};
};
services.nginx = {
enable = true;
virtualHosts."i7y.eu" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://127.0.0.1:8080";
};
};
services.postgresql = {
enable = true;
ensureDatabases = [ "li7y" ];
ensureUsers = [
{
name = "li7y";
ensureDBOwnership = true;
}
];
};
}


@ -18,7 +18,7 @@ with the front panel changed to a Pure Base 500DXs (for better airflow).
\+ 2×32GB G.Skill Ripjaws V F4-3200C16-32GVK \+ 2×32GB G.Skill Ripjaws V F4-3200C16-32GVK
(both DDR4 3200MHz CL16-18-18-38) (both DDR4 3200MHz CL16-18-18-38)
* PSU: be quiet! System Power 10 750W * PSU: be quiet! System Power 10 750W
* SSD: 2TB WD_BLACK SN850X NVMe * SSD: 1TB Samsung 980 Pro NVMe
* GPU: Intel Arc A770 Limited Edition (16GB VRAM) * GPU: Intel Arc A770 Limited Edition (16GB VRAM)
* Case fans: 2 be quiet! Pure Wings 2 140mm (included in case), 3 more with PWM * Case fans: 2 be quiet! Pure Wings 2 140mm (included in case), 3 more with PWM
* CPU Cooler: Noctua NH-U12S with an additional NF-F12 PWM * CPU Cooler: Noctua NH-U12S with an additional NF-F12 PWM


@ -18,16 +18,13 @@
}; };
gui.enable = true; gui.enable = true;
media-proxy.enable = true; media-proxy.enable = true;
podman.enable = true; mullvad.enable = true;
restic = { restic.system = {
enable = true; enable = true;
backups.system = { qos = true;
enable = true; extraPaths = [
qos = true; "/data"
extraPaths = [ ];
"/data"
];
};
}; };
unfree.allowSoftware = true; unfree.allowSoftware = true;
wireguard.home.enable = true; wireguard.home.enable = true;


@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
@ -55,8 +55,6 @@
{ device = "/dev/disk/by-uuid/98de7ced-4d7c-4915-bf5b-1a0300458ea6"; } { device = "/dev/disk/by-uuid/98de7ced-4d7c-4915-bf5b-1a0300458ea6"; }
]; ];
services.prometheus.exporters.smartctl.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
# GPU # GPU
hardware.opengl = { hardware.opengl = {
package = pkgs.mesa.drivers; package = pkgs.mesa.drivers;
@ -74,7 +72,7 @@
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
clinfo clinfo
nvtopPackages.intel nvtop-amd # also returns basic stats for intel
]; ];
security.wrappers."intel_gpu_top" = { security.wrappers."intel_gpu_top" = {


@ -1,41 +0,0 @@
<!--
SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
SPDX-License-Identifier: CC-BY-SA-4.0
-->
# koyomi
## Hardware
[Hetzner Online AX41-NVMe](https://www.hetzner.com/de/dedicated-rootserver/ax41-nvme/)
- Motherboard: ASRockRack B565D4-V1L
- CPU: AMD Ryzen 5 3600
- RAM: 2×32GB Samsung [M378A4G43AB2-CWE](https://semiconductor.samsung.com/dram/module/udimm/m378a4g43ab2-cwe/) (DDR4 3200MHz)
- SSD: 2×512GB M.2 NVMe SAMSUNG MZVL2512HCJQ-00B00
## Setup
As it is a physical server (not a VM) in a remote location,
extra care must be taken when installing.
Fortunately, Hetzner provides an automated way to reset the server (by sending Ctrl+Alt+Del or force resetting)
and a rescue system that can be activated before a reboot.
Additionally, there is also a *vKVM* rescue system,
that boots a hypervisor from the network and runs a VM which boots from the physical disks.
The rescue system can be used to start a kexec installer provided by this flake (`nix build .#kexec-bundle`).
Ideally, everything goes well and the next reboot works,
but in the case it does not, the vKVM rescue system can be used for debugging.
Even though the Hetzner documentation states that all current systems have UEFI enabled by default,
my server did not boot when configured for UEFI,
so I used MBR boot instead.
## Purpose
Hypervisor. Exact scope is to be determined.
## Name
Araragi Koyomi is a student from the *Monogatari Series*.


@ -1,28 +0,0 @@
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{
imports = [
./hardware-configuration.nix
../../modules
./services/hypervisor.nix
./services/haproxy.nix
];
sbruder = {
restic = {
enable = true;
backups.system.enable = true;
mirror.backblaze.enable = true;
prune.enable = true;
};
wireguard.home.enable = true;
podman.enable = true;
};
networking.hostName = "koyomi";
system.stateVersion = "24.05";
}


@ -1,79 +0,0 @@
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ modulesPath, pkgs, ... }:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot = {
swraid.enable = true;
kernelModules = [ "kvm-amd" "nct6775" ];
kernelParams = [ "ip=dhcp" ];
loader = {
grub = {
devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
};
};
initrd = {
availableKernelModules = [ "aesni_intel" "ahci" "igb" "nvme" ];
kernelModules = [ "dm-snapshot" ];
network.enable = true; # remote unlocking
luks.devices = {
koyomi-pv = {
name = "koyomi-pv";
device = "/dev/disk/by-uuid/4907ad59-e6cf-40ed-a0ff-3dc09c0c7a50";
preLVM = true;
allowDiscards = true;
};
};
# FIXME XXX HACK
# This is required to have the md device available under /dev/disk/by-uuid.
# Both commands are run as part of the regular stage-1 init script,
# but for some reason, they need to be run twice.
preLVMCommands = ''
udevadm trigger
udevadm settle
'';
};
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/4b4efa64-e571-4937-bb1c-7608e9d7630d";
fsType = "btrfs";
options = [ "discard=async" "noatime" "compress=zstd" ];
};
"/boot" = {
device = "/dev/disk/by-uuid/83e67d66-ec76-4c9f-8796-1165cdb5362d";
fsType = "ext2";
};
};
services.prometheus.exporters.smartctl.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
# Not used for boot, but required to make thin LVs work
services.lvm.boot.thin.enable = true;
# TODO Enable periodic RAID scrubbing/checking with mdcheck
networking.useDHCP = false;
networking.usePredictableInterfaceNames = false;
systemd.network = {
enable = true;
networks = {
eth0 = {
name = "eth0";
DHCP = "yes";
domains = [ "sbruder.de" ];
address = [ "2a01:4f9:3051:39c6::1/64" ];
gateway = [ "fe80::1" ];
};
};
};
}


@ -1,74 +0,0 @@
restic-mirror-backblaze-env: ENC[AES256_GCM,data:VII+kDpsmWRevdeAhoAI4A0NVlofH1ZNrWCKknwasSHEQhi1/9dNzcHhPd3d264xjh85crq9sIhSZ4dvkZnzEL5AglM6zlmZFf1m46w2vQlyW5VHVZ1T2Yja,iv:wyClY0TnBMqY6nBNdrlmRt09dqRxDT6Ui/kDJDQzOE0=,tag:FrTtthFqZ2ndHVvcFxHjDA==,type:str]
restic-ssh-key: ENC[AES256_GCM,data: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,iv:8Jm9r9u2RCfvNpeEEqbB5MHqTJc3k03P6Z2V5s5xAA8=,tag:ESmj1lRwL6lkUnr48nDeyA==,type:str]
wg-home-private-key: ENC[AES256_GCM,data:fFoXn5sLL06hNeXhQGKbheQV4ZNlYxJKWlHpPfyF6PyYbBcz4An9DPYnQKk=,iv:pY2dVEspIijtZkatUrSdg90D0ldxAoy5rUj1lw1cOF8=,tag:jz4q+Yum05S9c5OlciBZ1g==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2024-08-27T09:48:17Z"
mac: ENC[AES256_GCM,data:XBL1szDu+Mw7A/D31BJt4rD5a4ic1EuTmUefMYoMdL4kTl5fi7Ckk9EIV6MI5nKhF8ejR4cN94ih2cILzLodj/e89Xf74d0o8RX5PlUzqFsHoKV/yy9QVVtDDqnwo87sGZztUUcjlJX427SfPwdcMlNAuCoEZ/3SOQgcz5yoMB8=,iv:+WOJuSpSwB74brg3/SZ4Yu2WVtE4YOOiGfwlencLWps=,tag:YchYDy1eKXmTbK0Jb1Ewjg==,type:str]
pgp:
- created_at: "2024-08-20T22:33:06Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=y7H/
-----END PGP MESSAGE-----
fp: 6CD375BD0741F67E5A289BC333A01CBE0554C763
- created_at: "2024-08-20T22:33:06Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4Dub78fMESoMASAQdA1W7CmVHBJD/yJWyGvT6lGEXIhsC/gp0XCoHu672OfTMw
OBqitpHTrHyIN7qmexL9YpGsfPtwRGu6hb6lUsWj2+gJ1Pynk6iGM8kwUxGPnj8C
1GYBCQIQnO/cJgEhybp/i1E6l4i9IG7cbWupNTp6uJ7Ag8EB6cvUqAYN5QHpM2/D
FYMJRh4skIB2LzG2lxPyOOR5F5FQ2j/Rtf7SoCeEidWOBhGPQPBSNQOTE+43zwKo
Z0pnq864C0c=
=btUj
-----END PGP MESSAGE-----
fp: 0C8AF4B4320A511384DF6B5BB9BEFC7CC112A0C0
- created_at: "2024-08-20T22:33:06Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DLHeEFiC484ASAQdAsGJfau7e9h38vm5srU1s9vdvYrCUJanDhM6aTjVQU3Uw
jplWFk/1aNsEAeA2yIydiyw/wzY8h+QGrcfDTNViw6Zwq2kRvVp5t9IW1k1IteO3
1GYBCQIQWrU3Y1SLCA6tV0xLCUeyZbUrgnCgJNUceRHmSV0oi3jMLEv0YUfbf+Hl
VIDfM6RZQeaY0WVLAuFnIEYFJ1RhXgv9nFo/3txZw3WYx3kjKPPRacmoHMturD+1
Ay5oemXyWMo=
=dfVv
-----END PGP MESSAGE-----
fp: 403215E0F99D2582C7055C512C77841620B8F380
- created_at: "2024-08-20T22:33:06Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=pbOT
-----END PGP MESSAGE-----
fp: 1f18a57e1d4e6716aed0e0cd71586b7a4c0c1a65
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -1,118 +0,0 @@
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ config, lib, pkgs, ... }:
let
baseDomain = "koyomi.sbruder.de";
backends = {
hiroshi = [
"bangs.sbruder.de"
"i7y.eu"
"languagetool.sbruder.de"
"phss.sbruder.de"
];
};
fallbackCert = pkgs.runCommandNoCC "fallback-cert" { } ''
cat > openssl.cnf << EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = database
new_certs_dir = .
serial = serial
default_md = default
policy = policy_default
[ policy_default ]
EOF
echo 01 > serial
touch database
${pkgs.openssl}/bin/openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:P-256 -out fallback.key
${pkgs.openssl}/bin/openssl req -key fallback.key -new -out fallback.csr -subj "/"
${pkgs.openssl}/bin/openssl ca -batch -config openssl.cnf -in fallback.csr -keyfile fallback.key -selfsign -out fallback.crt -startdate 19700101000000Z -enddate 20380119031407Z
mkdir $out
cat fallback.{key,crt} > $out/full.pem
mv fallback.{crt,key} $out
'';
in
{
services.haproxy = {
enable = true;
config = ''
global
stats socket /var/run/haproxy/haproxy-admin.sock mode 600 level admin
stats timeout 2m
defaults
timeout client 30s
timeout server 30s
timeout connect 30s
resolvers system
parse-resolv-conf
frontend http-in
bind :80
mode http
${lib.concatStrings (lib.mapAttrsToList (name: domains: ''
use_backend http-${name} if { hdr(Host) -i ${lib.concatStringsSep " " domains} and path_beg '/.well-known/acme-challenge/' }
'') backends)}
default_backend https-redirect
frontend https-in
bind :443
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
tcp-request content reject if WAIT_END
${lib.concatStrings (lib.mapAttrsToList (name: domains: ''
use_backend https-${name} if { req.ssl_sni -i ${lib.concatStringsSep " " domains} }
'') backends)}
default_backend https-fallback
frontend v6-in
bind [::]:80
bind [::]:443 ssl crt ${fallbackCert}/full.pem
mode http
http-request return status 400 content-type text/html string "<html><body><h1>400 Bad Request</h1>For requests over IPv6, please use the address of the virtual machine directly.</body></html>"
frontend fallback
bind /var/run/haproxy/fallback.sock ssl crt ${fallbackCert}/full.pem
mode http
frontend stats
bind ${config.sbruder.wireguard.home.address}:8404
mode http
http-request use-service prometheus-exporter if { path /metrics }
stats enable
stats uri /stats
stats refresh 10s
backend https-redirect
mode http
http-request redirect scheme https
backend https-fallback
server fallback /var/run/haproxy/fallback.sock
${lib.concatStrings (lib.mapAttrsToList (name: domains: ''
backend http-${name}
mode http
server ${name} ${name}.${baseDomain}:80 resolvers system resolve-prefer ipv4 send-proxy-v2
'') backends)}
${lib.concatStrings (lib.mapAttrsToList (name: domains: ''
backend https-${name}
mode tcp
server ${name} ${name}.${baseDomain}:443 resolvers system resolve-prefer ipv4 send-proxy-v2
'') backends)}
'';
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
}


@ -1,148 +0,0 @@
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ lib, pkgs, ... }:
let
guests = {
ci-runner = {
mac = "42:80:00:00:00:02";
v4 = "10.80.32.2";
v6 = "2a01:4f9:3051:39c6:1::2";
};
hiroshi = {
mac = "42:80:00:00:00:03";
v4 = "10.80.32.3";
v6 = "2a01:4f9:3051:39c6:1::3";
};
};
# port forwarding for IPv4
portForwards = {
tcp = { };
udp = { };
};
in
{
sbruder.restic = {
enable = true;
backups.vm-image = {
enable = true;
lvm.lvs = [
"hiroshi"
];
};
};
virtualisation.libvirtd = {
enable = true;
qemu.package = pkgs.qemu_kvm;
};
boot.kernel.sysctl = {
"net.ipv4.conf.all.forwarding" = true;
"net.ipv6.conf.all.forwarding" = true;
};
systemd.network = {
enable = true;
netdevs = {
br-virt = {
netdevConfig = {
Name = "br-virt";
Kind = "bridge";
};
};
};
networks = {
br-virt = {
name = "br-virt";
address = [ "10.80.32.1/24" "2a01:4f9:3051:39c6:1::1/80" ];
};
};
};
services.resolved.enable = false;
services.dnsmasq = {
enable = true;
settings = {
interface = [ "br-virt" ];
bind-interfaces = true; # do not bind to the wildcard interface
bogus-priv = true; # do not forward revese lookups of internal addresses
dhcp-fqdn = true; # only insert qualified names of DHCP clients into DNS
domain-needed = true; # do not forward names without domain
no-hosts = true; # do not resolve hosts from /etc/hosts
no-resolv = true; # only use explicitly configured resolvers
domain = [ "koyomi.sbruder.de" ];
enable-ra = true; # required to tell clients to use DHCPv6
# Force static configuration
dhcp-range = [
"10.80.32.0,static,255.255.255.0"
"2a01:4f9:3051:39c6:1::,static,80"
];
dhcp-host = lib.flatten (lib.mapAttrsToList
(name: { mac, v4, v6 }: [
"${mac},${v4},${name}"
"${mac},[${v6}],${name}"
])
guests);
# Hetzner recursive name servers
# https://docs.hetzner.com/dns-console/dns/general/recursive-name-servers/
server = [
"185.12.64.1"
"185.12.64.2"
"2a01:4ff:ff00::add:1"
"2a01:4ff:ff00::add:2"
];
};
};
networking.firewall = {
allowedTCPPorts = map lib.toInt (lib.attrNames portForwards.tcp);
allowedUDPPorts = map lib.toInt (lib.attrNames portForwards.udp);
interfaces.br-virt = {
allowedTCPPorts = [ 53 ]; # EDNS
allowedUDPPorts = [ 53 67 547 ]; # DNS / DHCP / DHCPv6
};
};
networking.nftables = {
enable = true;
ruleset = ''
# only IPv4
table ip hypervisor-nat {
chain postrouting {
type nat hook postrouting priority filter; policy accept
oifname eth0 masquerade
}
chain prerouting {
type nat hook prerouting priority dstnat; policy accept
${lib.concatStrings (lib.mapAttrsToList (port: guest: ''
iifname eth0 tcp dport ${port} dnat to ${guests.${guest}.v4}
'') portForwards.tcp)}
${lib.concatStrings (lib.mapAttrsToList (port: guest: ''
iifname eth0 udp dport ${port} dnat to ${guests.${guest}.v4}
'') portForwards.udp)}
}
}
table inet hypervisor-filter {
chain forward {
type filter hook forward priority filter; policy drop
iifname br-virt oifname eth0 counter accept
iifname eth0 oifname br-virt counter accept
}
}
'';
};
}


@ -18,13 +18,10 @@
}; };
gui.enable = true; gui.enable = true;
media-proxy.enable = true; media-proxy.enable = true;
podman.enable = true; mullvad.enable = true;
restic = { restic.system = {
enable = true; enable = true;
backups.system = { qos = true;
enable = true;
qos = true;
};
}; };
unfree.allowSoftware = true; unfree.allowSoftware = true;
wireguard.home.enable = true; wireguard.home.enable = true;


@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
@ -45,8 +45,6 @@
}; };
}; };
services.prometheus.exporters.smartctl.devices = [ "/dev/nvme0n1" ];
powerManagement = { powerManagement = {
cpuFreqGovernor = "schedutil"; cpuFreqGovernor = "schedutil";
}; };


@ -13,12 +13,9 @@
sbruder = { sbruder = {
gui.enable = true; gui.enable = true;
restic = { restic.system = {
enable = true; enable = true;
backups.system = { qos = true;
enable = true;
qos = true;
};
}; };
unfree.allowSoftware = true; unfree.allowSoftware = true;
wireguard.home.enable = true; wireguard.home.enable = true;


@ -1,5 +1,5 @@
<!-- <!--
SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de> SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
SPDX-License-Identifier: CC-BY-SA-4.0 SPDX-License-Identifier: CC-BY-SA-4.0
--> -->
@ -8,7 +8,7 @@ SPDX-License-Identifier: CC-BY-SA-4.0
## Hardware ## Hardware
[Ionos VPS Linux XS](https://www.ionos.de/server/vps) S (1 Xeon Skylake vCPU, 1GiB RAM, 10GB SSD). [Ionos Cloud VPS](https://cloud.ionos.de/server/vps) S (1 Xeon Gold Gold 5120 vCPU, “512MB” = 443MiB RAM, 10 GB SSD).
## Purpose ## Purpose
@ -22,50 +22,32 @@ Okabe Rintaro is a mad scientist from *Steins;Gate*
Much like the namesake, Much like the namesake,
this server requires a “mad scientist” approach to set up. this server requires a “mad scientist” approach to set up.
However, it is much easier than setting up its predecessor,
which had just above 400MiB usable memory.
Ionos does not offer any NixOS installation media. Ionos does not offer any NixOS installation media.
I could only choose between various installation media and rescue systems. I could only choose between a Debian installation media, Knoppix and GParted.
Also, installing NixOS with a low amount of memory is problematic. Also, installing with a very low amount of memory is quite hard.
I therefore created a VM locally with a disk image exactly 10737418240 Bytes in size. I therefore created a VM locally with a disk image exactly 10737418240 Bytes in size.
On there, I installed NixOS. On there, I installed NixOS.
Because encryption with `argon2id` as PBKDF is quite memory intensive, Because encryption with `argon2id` as PBKDF is quite memory intensive, I had to tune the parameters some.
I had to tune the parameters to ensure decryption was still possible on the target. What I settled on was
This can be done quite easily by interactively running the following command on the build VM: `cryptsetup luksFormat --pbkdf argon2id --iter-time 10000 --pbkdf-memory 250000 /dev/sda3`.
cryptsetup luksChangeKey --pbkdf-memory 100747 --pbkdf-parallel 1 --pbkdf-force-iterations 29 /dev/vda3 To make btrfs use its SSD optimizations,
I had to force the kernel to see the device as non-rotational:
`echo 0 > /sys/block/dm-0/queue/rotational`
The memory size was obtained by a successful run of `cryptsetup benchmark` inside the initrd on the target. Another problem was the usage of VMware by Ionos.
The VM I set this up with was obviously using KVM/QEMU,
However, since those parameters are not ideal, so it needed different kernel modules at boot.
the following should later be run on the target host itself: What worked was setting it up in the local VM with both libvirt and vmware modules,
and then removing the libvirt modules once it was installed on the target.
cryptsetup luksChangeKey --pbkdf-parallel 1 -i 10000 /dev/vda3
This will determine the memory usage automatically,
use one thread
and set the parameters so that decryption takes 10 seconds (10000ms).
The memory usage will not be as high as it could,
but it will be better.
Getting the disk image onto the server was done Getting the disk image onto the server was done
by first `rsync`ing the image to another server (to allow for incremental iterations), by first `rsync`ing the image to another server (to allow for incremental iterations),
which then provided it via HTTP. which then provided it via HTTP.
Using the Debian installation media in rescue mode Using the Knoppix live image (booted with `knoppix 2` to avoid starting the gui),
(as for some reason most other options tried to cache the file in memory and became very slow) it was possible to just `curl http://server/okarin.img > /dev/sda`.
it was possible to write the image to disk with `wget -O /dev/sda http://server/okarin.img`.
Because of all the pitfalls of this, Because of all the pitfalls of this,
you probably need more than one try. you probably need more than one try.
To make debugging easier on the target, the following option can be set:
```nix
{ pkgs, ... }:
{
boot.initrd.preLVMCommands = ''
${pkgs.bashInteractive}/bin/bash
'';
}
```


@ -9,6 +9,7 @@
./hardware-configuration.nix ./hardware-configuration.nix
../../modules ../../modules
./services/static-sites.nix
./services/proxy.nix ./services/proxy.nix
]; ];
@ -21,7 +22,7 @@
networking.hostName = "okarin"; networking.hostName = "okarin";
system.stateVersion = "23.11"; system.stateVersion = "22.11";
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
80 80


@ -5,10 +5,6 @@
{ lib, modulesPath, ... }: { lib, modulesPath, ... }:
{ {
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
sbruder.machine.isVm = true; sbruder.machine.isVm = true;
boot = { boot = {
@ -16,34 +12,41 @@
extraModulePackages = [ ]; extraModulePackages = [ ];
kernelParams = [ "ip=dhcp" ]; kernelParams = [ "ip=dhcp" ];
initrd = { initrd = {
availableKernelModules = [ "aesni_intel" "ahci" "sd_mod" "sr_mod" "virtio_net" "virtio_pci" "xhci_pci" ]; availableKernelModules = [ "aesni_intel" "ahci" "sd_mod" "vmxnet3" "vmw_pvscsi" "vmw_vmci" ];
kernelModules = [ ]; kernelModules = [ "dm-snapshot" "vmw_balloon" ];
network = { network = {
enable = true; # remote unlocking enable = true; # remote unlocking
# for some reason, the DHCP server does not transmit the static route to the gateway in a form udhcpc understands # for some reason, the DHCP server does not transmit the static route to the gateway in a form udhcpc understands
# this works around this, but is arguably quite hacky # this works around this, but is arguably quite hacky
postCommands = '' postCommands = ''
ip route add 85.215.165.1 dev eth0 ip route add 10.255.255.1 dev eth0
ip route add default via 85.215.165.1 dev eth0 ip route add default via 10.255.255.1 dev eth0
''; '';
}; };
luks.devices."root".device = "/dev/disk/by-uuid/1dcb9ee1-5594-4174-98a7-a362da09f131"; luks.devices."root".device = "/dev/disk/by-uuid/67f2990c-636a-4d80-9f6d-7096fec9e267";
}; };
loader.grub.device = "/dev/vda"; loader.grub.device = "/dev/sda";
}; };
fileSystems = { fileSystems = {
"/" = { "/" = {
device = "/dev/disk/by-uuid/3ab8f4a7-952c-4b6c-93c6-7b307d5bb88b"; device = "/dev/disk/by-uuid/8e3082d1-4af3-4d5d-9fde-d30dc7552d41";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd" "discard" "noatime" "ssd" ]; # for some reason, the kernel assumes rotational options = [ "compress=zstd" "discard" "noatime" ];
}; };
"/boot" = { "/boot" = {
device = "/dev/disk/by-uuid/97aec56b-5fea-4445-83dc-4a20dcf482ce"; device = "/dev/disk/by-uuid/883c77e8-53bf-4330-bd9e-89ef71ad9518";
fsType = "ext2"; fsType = "ext2";
}; };
}; };
swapDevices = [
{
device = "/dev/disk/by-partuuid/d9cf5716-25c8-4f72-80e3-696e0dfe1079";
randomEncryption.enable = true;
}
];
zramSwap = { zramSwap = {
enable = true; enable = true;
memoryPercent = 150; memoryPercent = 150;
@ -60,6 +63,11 @@
name = "eth0"; name = "eth0";
DHCP = "yes"; DHCP = "yes";
domains = [ "sbruder.de" ]; domains = [ "sbruder.de" ];
address = [ "2001:8d8:1800:8627::1/64" ];
gateway = [ "fe80::1" ];
networkConfig = {
IPv6AcceptRA = "no";
};
}; };
}; };
}; };


@ -1,80 +1,80 @@
wg-home-private-key: ENC[AES256_GCM,data:RkdgneGhH7prr/tkvHJeChQku2eXve9pV/SvtwsOjeinYO9veHw0rimdonY=,iv:vK6zNpu8F+TSLDTaif686Awjhs8WS2XJHzMtlvqlsIM=,tag:aKhV+kspVu+0CgPmYersxw==,type:str] wg-home-private-key: ENC[AES256_GCM,data:4L8aIvgFi+mBjnyVy5IkPaeJRadJ5NCKZprSkBPwMNiVaIscjAdp2yinBSk=,iv:6pBo+6M4EkEjz184XvisWXEoomqJXa4M8Qa4nJHI65U=,tag:3DEsmA2xxAlx/PSbD3HOIA==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: [] age: []
lastmodified: "2023-12-25T22:06:33Z" lastmodified: "2023-05-06T08:49:32Z"
mac: ENC[AES256_GCM,data:VbjyqrqDLCBDD9vGOHxSzsr9a5ZFFBJUkBRxJYBLereMDvInPFZnTwplHHkS5TdDFFAsjrcCgpCuPsUIbDdxFUNNtjdIe5JJwFMwT8XEFrgcswMGSKD6mIH2VBWop5pqoAV0eQ3YfKtDyhNHwixR8a+Z+hbGAY01Z19yteo51ZM=,iv:69EeBag+iUEoa18I0w1HeJKRwSQVCMRqUdV2CzUzMnY=,tag:WViKXJExL33jQAIWHUS8xw==,type:str] mac: ENC[AES256_GCM,data:B7e3sh96p2DlqM2SgHWoJ7RZ2q5tnZ6lohNc7UKmwG1HTkrPKW/6jobW2InQnbZn1bPmCERoJIF9QyUz+OxotTiKIXxSL7BJkkfpIkWy9IgjIeADjevHkplm2rXONiXaM2sD46bPKbuRzuhbCZtNwUH74gTVfKPVLVrzpnPRC74=,iv:TTXlBGhO7xLCC3Ad+xiQKmy4b0n0vuQRaCdoe7vpzSE=,tag:dZCharRGK//w48ePu7d2eQ==,type:str]
pgp: pgp:
- created_at: "2024-01-24T12:19:03Z" - created_at: "2024-01-22T00:20:17Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hF4DLHeEFiC484ASAQdA4PdmtZTlpcdfuYKSuKN6X4EGjh/l2D8Jxt7dg1y/Z0kw hF4DLHeEFiC484ASAQdALOHWjRYEy+oURe+ERyiQYDjFPDniV0awCBMahhaLzCMw
ScG/nWs9hVMFTBeqSM0eHgFfcZhBB/L85eNf9thktTUbcWq0GEUcz5mwUqILtkfA faMYpJTpirKixpFnPQ1W0aIiQ2/grcEJ4qYyXYG7GrqLcFMQfZOV8humZOLnZNB6
hF4Dub78fMESoMASAQdAMcVZokes0YKtbUZp7b9zq303WXPga5yn8LbhnaRrHycw hF4Dub78fMESoMASAQdAhpmpD8cyJSauuTHM/RTjLybR1VUGcIY7kLqrB33QLG8w
+ECn4t8y8SXFICpAZ5n+xj5U8MdmdKOzhNQLleFKIHtWdyeUlwFi0qYYP8MRCLTB aLu7q0wjY0Rs+7PtJiSKd6O4VOBRrsBmLc7QuBZ4cgBwUfE38g8LuXayuOLZQNb1
hF4DM6AcvgVUx2MSAQdAIzXqgZ8WiIxIV05BumWLsyZUChwvDQc47NMd5ehhBEQw hF4DM6AcvgVUx2MSAQdARr9S5DSGRJOcv2IgYMzko8fkMHlIR9uIJdJLMdcJER4w
I1LY11LTNENypr5q0mhy615kIbsdhpzAVLf4Bkf921zABsfFzuY5zJHqi8SKVm7/ RjcC/s5+P0b7wy9bIaAv3vk3FX4hw56QzhqAXcA1zU1kyjEHPnv3qsiiQbcKDjb0
1GYBCQIQHPC99/GrpHG703gozt2I0P2XMhlRpzj359qStWaQZ8NBL5Ugo5BLvphf 1GYBCQIQG5VczwWUidoTYkHgZveZhkVyYIiZc/YQrY6n71OrVnUKaH5kZn1XrMKE
1/WYAlvnH4Uov2TxKdQs65IJSadQgs7lBWB5gqHklZ76E4Q+00oMQxwGjzMdddA/ zRzcc4XCiu8CaSkQp68eqKeHwI8U5N/LAtjHbACxAq6GHatf/+LvJx4CbUrPZxw2
hRlLbnUDE1Q= PWZwSFBCZEg=
=ol1Y =r7sK
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 6CD375BD0741F67E5A289BC333A01CBE0554C763 fp: 6CD375BD0741F67E5A289BC333A01CBE0554C763
- created_at: "2024-01-24T12:19:03Z" - created_at: "2024-01-22T00:20:17Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hF4DLHeEFiC484ASAQdAaXq+nn0DDx+RAkEC+x+yeP5xbCIdXkR9tQCgWx1s0jkw hF4DLHeEFiC484ASAQdAGdRYvRfki1zKA2YHnPprf1ld5kJkai4fzxuuH1D3DRQw
VRgFkiBa6IsS0vmYknobXkizETtNjEhJ8vNw9nP0zPdjuUZBId2/bJZa7aFdIFRU zt5XhSFMx5ii7C3LIVjGgKnn6A6KTe1Tj314OYtrLeCGV8Eli+eOiSgi4c0nL709
hF4Dub78fMESoMASAQdAMLbBcLnc+5UVDsx50SgCVjQoHO4JGE53DE6Q+frDEiow hF4Dub78fMESoMASAQdAb38j/KxQlLRJLrtE5mS1XVCmaEIvyJU1uVcSVU3Bdhgw
rVFbLxWlJ/aw9baRdKUMkIUJftnImUQgolXvEfUjdS/oOdY69r4psLlHLQX11Ow1 f3iepOZgggHOCiHOCs+UWRmiudwoYqMzXF8G9pb6ESsy01cc1y6mXPh6sftKc6Iz
hF4DM6AcvgVUx2MSAQdAUZV3q/IXwUbRv9EokTe+4o83XzeS1h4GK3/3wjnKDHkw hF4DM6AcvgVUx2MSAQdAhq0ynXfS/eYrDAYdxj/qyEg8c2lHFYSaUVtr6v3B/Rcw
xHFJR2clEMDlaq7Rx3FTr2a7MlzSnzBLtIwdw5b9ytuRvHjD5q7zCf5bihYnvdjV Su08ppwK9wSbVaEL6p4NPJ0q9mt/36OsvZNaEWL2i7kkrD6q+2yvaGwh/fPcokWI
1GYBCQIQFt+CYziUXtEHjJFC1t+S3qkyPRAsVgZL8WlxbKzteW0NOdIZofHx6skG 1GYBCQIQRzg0YDKpmBGZY0sC37nIkUC4blEpFTgl+lma0ZQ9PUfbRP3ijRrxyPv/
Ebn8aadKcGg534DkwEt5DpIosXKUx4LN5xsCNoU9dHFYMSFE2nzJE4KNFJ8tzRQk aNkUpVAVxjh3VnV/NEm2s03x62iO4uiGoU0BUeI8Jjy4Tvuuodvmfpd4wZw7Mq+V
G+tyNMgCYhM= B8h2L/JR7Yo=
=2QnY =/wMt
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 0C8AF4B4320A511384DF6B5BB9BEFC7CC112A0C0 fp: 0C8AF4B4320A511384DF6B5BB9BEFC7CC112A0C0
- created_at: "2024-01-24T12:19:03Z" - created_at: "2024-01-22T00:20:17Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hF4DLHeEFiC484ASAQdA6ojEbZ8HccTtorNbyw9aVKO73AJy6jTGV/qLt+FWoRgw hF4DLHeEFiC484ASAQdAoM3SQYYUQq6OGImJaecw42BZOwOec75IWS00ZorR31ww
SsOLiL0UmF1OV7zmXE0ihkWivPqLHtp1U89aYucpAA69DIh4+6M7GUk1xDMxFfRo uaRdi54liGiKpjaebhPcLkX+0TKcW0h11kw6X1wrru1JWi3YLbjohv0qCtfa4wpc
hF4Dub78fMESoMASAQdAV2z2DgUz2xWopnDzXywdpHb9eMe9ZxdABxpOJ0ECeBww hF4Dub78fMESoMASAQdASH4+jxa7Qr9AkJpHHPmMx9cj3XyPXLpfzXJ7Yb40pHMw
wOC1x+IKIbIRZBDL7jbVUOk1G+GzCL4M7/G7XFSTFYMKvMKkc0Rh69pywFuGaqG8 zBiVmQApa4K+ZOVw/vpcSNaN6FufFoDb5IguwHIq+9vILvjvku6YFgAJ4gC76LOP
hF4DM6AcvgVUx2MSAQdA7bKGjcW81bzf58FlGGVDy/HjNyuEPNSVZXy0M+/WZAcw hF4DM6AcvgVUx2MSAQdAZGNp/j1sF0rmHhImhnuhgpn9NgRuFtL+BH5dorvrPwIw
3iXR9MecA97bKKKhLyNSdYmYlAjZJVIdwd6vjNWjxaB7BIWTYhudTjHesLMxB0vc mK5LsWHvyBFyC+SDNe4mrRkdia/xPECmcWrbvptGVjqlZnjmUbtrYhG+j5O6/817
1GYBCQIQlp1TDaBVxalDkeCEjDMRFatgJ3CwulzzW9B8qywOooS0BNtNbtTKGwEh 1GYBCQIQ/du7No+ULrBrjWc3q826ju8AqekySHtteKZclRmcHSNP4UEXcmTEMRNL
AxDL+wdeqkPABQ0wQ8hYGOw5z665jEOC2JbqbQ7N6LPQZRx/MowO2dGT/kKh2U9H 8lMJYK0G3uA9FXO9+2E39k/nIatBGuoaukW7zCouB3bLARZE00Oqh6qHCWVyFJ/S
VOK1Bc67BzU= Gzwk8dC0wdc=
=3z3V =BWUr
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 403215E0F99D2582C7055C512C77841620B8F380 fp: 403215E0F99D2582C7055C512C77841620B8F380
- created_at: "2024-01-24T12:19:03Z" - created_at: "2024-01-22T00:20:17Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQIMA9pmsZ2EWzFWAQ/9Gl4dO83SmvGHyhEfile6G9ZUmhxwU2RFpPwEmjh4CV/v hQIMA+X8PKo7gQeqARAAhtUvR20r2NV8SNWVuVSopTfCGwaJV99+PEp/l0UjHX6B
z1k2zgdF200a6tj96977VhjhIG/LZioEi41M1QdIqgkGsKy89DluCY9RDTqMmqzo lpHgQNHegP6YEsAj5HNFEcV3vM+nbC0hbTtcERBZoxTkyDPOaRAyJpNfGniZVxxp
w65JhI+PQqdQuKlsbUh2VLql7LijoIUxuBPowWG1lULZtEvRuCchM5rLFiBSC2YO jxSr/unCN6aJCbdqJZZZlitq84brMQWUE373Rb9B4cNdTYONabZbzZmwTDyzkVR0
DA0T73kC2P89CNZlOllZNnVRCRrxm7IsEO6Mo1yOeJL16mYqC9qGGKnvYEbsSm4n ctjmkdBG0upqNn7vukSIg7DM7D9pFolS9142reF7e5jTlxBFWR1Jt+O9A1zypfvq
7ZZJvxXGnNzaXisyyjcJNgtsJAUX4TTlPH+Y2jpkhdHUvOkiwVQEokmnqTIKUp0e tK2z9C1pM9LDRmUrKJ/HOKwu6P6USeTKFrp7Gfjr1UkmbgNunxgsdI6gwKY38SpJ
7Dc6ZXApFQ1DlMMsjLwy+5AQJQZbY4p4jo9rvmON5i5DLPy4rN5yf8W7zwkuy2gN T+tELs68oC5pGFpZufnYkrGL313HC7Vp/+2+m+W5qXbyNqhDS6uVQHjqz/ROqByb
Id53gxDZxHw0+mRsfYRrdOvmfUqqz79TyWVV8bvHR2Mo3shdL1fsWOzTlm66Y9Vt YwJw+x7810nL8+SleXst8oZpxDNDm+TnvWQAH6WiRBSpgVwy945SMvGG+1FLYps2
4coJxgUsJEFdnsnXAFep2V18Ypg36b9wQXtZDXWtTg36UliZZ95sUAG2vHQDS50b qOsRMjr+titLZAaUpmIh/oDHG/XOpKPQflcc4/V7t2HK6vLX+xvPIQU8Y5TJkr1T
5XG07m1w8YgQSeiCObteAt4PqxEs1GYWmtRUmr4jvRQQzmVXCQP6+o0QJ5WK9bKl nIIh7sMZBUldnUGUfFE3ksP5Gje5OHqK8xoFwYHFGK4QQzXFjPFN2QNvni2z9Y4R
auwT+H7POBJ3l+h9ykvmOidkAzeN7EWIirzvhDHsxvCklGCyo+Y3W5ZaLaFGfc/3 LLMvyEavqgIa6AeseqMnLuB2hz6wy/JNU/EPUalNca6RleoVA0DjKgjgDTlhQ5Al
pdj1G/REVT6aQMtSuYUsD7QoZeiNNBNJXAtUuUS6mWxch8RnkW718wxYZLvi03jS a6sRTy+KmXFfzdO97MJJEkNgA1Hbi1/IpREeA50lYtrDqUvhxw+l1V8N7jw+ZWTS
VgHaVWepbw/q0COmjyofCt1qZH+WMKSAguiQ6PHWAdP3hnzGgd7Qo84W54Fb3m1R VgHYyLUxdmOUsqEgQPVA7jiqWePwFEuEDEDVE+d6CcuvFuHFNV1jJEjit3R0wJOd
da72FFnILc3IYImbJI6QgJxAeS2K95nIWKdSix07c+m0zzFkemnB QpqnfxW4QTD+JFNJgrD7bj4y1Gu9Z6Lg1IBnHnOwDIoCJoAHp0y6
=F0pC =sy/X
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: e7370b48016c961ef8ad792fda66b19d845b3156 fp: 868497ac4266a4d137e0718ae5fc3caa3b8107aa
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.7.3


@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
@ -6,7 +6,9 @@
let let
proxyMap = { proxyMap = {
"sbruder.xyz" = "renge"; "sbruder.xyz" = "renge";
"nitter.sbruder.xyz" = "renge";
"iv.sbruder.xyz" = "renge"; "iv.sbruder.xyz" = "renge";
"libreddit.sbruder.xyz" = "renge";
}; };
in in
{ {


@ -0,0 +1,20 @@
# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ config, ... }:
{
sbruder.static-webserver.vhosts = {
"maggus.bayern".user = {
name = "maggus";
keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAWGXaMijpnm3RSH/PIVxkBRDIi1f5nMW/aS26g3b71M nils"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEF8o2ezSEXwWoAcdoeJs+wsZM/u8x+vtRNU3FXOMIT nils"
] ++ config.sbruder.pubkeys.trustedKeys;
};
"arbeitskampf.work".user = {
name = "arbeitskampf";
};
};
}
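Review bot: The two ed25519 keys authorised for the `maggus` upload user both carry the bare comment `nils`, so when one of them has to be revoked nothing in this file says which device it belongs to; give each key a distinguishing comment (for example `nils@laptop` / `nils@desktop`, constructed names) or a `#` comment next to it naming the device. The operator's own `config.sbruder.pubkeys.trustedKeys` are appended to the same account, which is presumably intended but is worth a one-line comment such as `# operator keys for maintenance of the customer's site` so that nobody later removes it as a mistake. The `arbeitskampf.work` vhost sets only `name` and no `keys`; whether the module then creates an account with no way to log in or supplies a default is not visible here, so state the intent in a comment.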


@ -9,6 +9,7 @@
./hardware-configuration.nix ./hardware-configuration.nix
../../modules ../../modules
./services/bang-evaluator.nix
./services/buchborgen.nix ./services/buchborgen.nix
./services/coturn.nix ./services/coturn.nix
./services/element-web.nix ./services/element-web.nix
@ -17,21 +18,21 @@
./services/hedgedoc.nix ./services/hedgedoc.nix
./services/invidious ./services/invidious
./services/matrix ./services/matrix
./services/murmur.nix
./services/password-hash-self-service.nix
./services/prometheus.nix ./services/prometheus.nix
./services/sbruder.xyz ./services/sbruder.xyz
./services/schabernack.nix
]; ];
sbruder = { sbruder = {
nginx.hardening.enable = true; nginx.hardening.enable = true;
restic = { restic.system = {
enable = true; enable = true;
backups.system.enable = true; prune = true;
}; };
wireguard.home.enable = true; wireguard.home.enable = true;
infovhost.enable = true; infovhost.enable = true;
wkd = {
enable = true;
};
}; };
networking.hostName = "renge"; networking.hostName = "renge";


@ -2,8 +2,10 @@ forgejo-mail: ENC[AES256_GCM,data:3AlFHzVBA5TE4qv5ubG39K0varV8/HabO0q/RJZSD5o=,i
go-neb-overrides: ENC[AES256_GCM,data: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,iv:pnw0jIcMqA771woDYNHxWMWE6wHGaNsXi5aBXOFAHJU=,tag:Wbcqb0FsctZWOS6u5s82mQ==,type:str] go-neb-overrides: ENC[AES256_GCM,data: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,iv:pnw0jIcMqA771woDYNHxWMWE6wHGaNsXi5aBXOFAHJU=,tag:Wbcqb0FsctZWOS6u5s82mQ==,type:str]
hcloud_exporter-environment: ENC[AES256_GCM,data:5gDTeg4C08BgNxBFtzZ7ma6JiafwF4ly5URAG4WxUTlRaUmF32fmbPdAZmveKiKBA8cc6ewcEIfIVJ7d5tbbqCEX+vbf9nr1fuhN05Z6lfsJNLoATclX,iv:GzEnudGDc6+6BJgDtaNnOnT7IK8Z0fsYfs/oJzKO2UA=,tag:LYCvRxNeKdMmNve0aWswrw==,type:str] hcloud_exporter-environment: ENC[AES256_GCM,data:5gDTeg4C08BgNxBFtzZ7ma6JiafwF4ly5URAG4WxUTlRaUmF32fmbPdAZmveKiKBA8cc6ewcEIfIVJ7d5tbbqCEX+vbf9nr1fuhN05Z6lfsJNLoATclX,iv:GzEnudGDc6+6BJgDtaNnOnT7IK8Z0fsYfs/oJzKO2UA=,tag:LYCvRxNeKdMmNve0aWswrw==,type:str]
invidious-extra-settings: ENC[AES256_GCM,data:bThgfyu5ESIyTLD7Q09Qici9ZZw/QYfCyBSjtbNb1EglCy0KHZrvDDAN4uDpdKrHxv8ctoN5Db7tRf5LUl6iyW7A5z9uYg481EXq3Sx6tZztepX0vg==,iv:FZ33tQWRsNEPjwuy/mH/N4e4PyjLx7sbv2G+9S5uigY=,tag:0GQn3AgoM2BPC5iCt5py8w==,type:str] invidious-extra-settings: ENC[AES256_GCM,data:bThgfyu5ESIyTLD7Q09Qici9ZZw/QYfCyBSjtbNb1EglCy0KHZrvDDAN4uDpdKrHxv8ctoN5Db7tRf5LUl6iyW7A5z9uYg481EXq3Sx6tZztepX0vg==,iv:FZ33tQWRsNEPjwuy/mH/N4e4PyjLx7sbv2G+9S5uigY=,tag:0GQn3AgoM2BPC5iCt5py8w==,type:str]
murmur-superuser: ENC[AES256_GCM,data:hPuMK8wbqD/3qKXQbOActq/VJZ+6jFlddQ==,iv:68ZhkpkfxakCOYxFXkCSP/sBamETeSs4CGTRaoBS6co=,tag:5UuYCxDiJ6e2CXjDV5/5yA==,type:str]
netbox-secret-key: ENC[AES256_GCM,data:lOE95j6CGkbfJQTLeG41g3BPKNhm0arqxIGAzwvXQyeZLBauAdqufQGKD7D4kPNzdZs=,iv:6HWXEr6Ju4IywP+2jpuTfER/bYI2oUgMSZEJCkq4XX8=,tag:TPD5TTr4Sew8lxPS5WIu5Q==,type:str] netbox-secret-key: ENC[AES256_GCM,data:lOE95j6CGkbfJQTLeG41g3BPKNhm0arqxIGAzwvXQyeZLBauAdqufQGKD7D4kPNzdZs=,iv:6HWXEr6Ju4IywP+2jpuTfER/bYI2oUgMSZEJCkq4XX8=,tag:TPD5TTr4Sew8lxPS5WIu5Q==,type:str]
prometheus-htpasswd: ENC[AES256_GCM,data:tiewfUfpvrmbrgk6AsBdiP4ng4TqG5UYf1mFcWOzuk8oO55rfZu+Naummz5RRYhJZil43nHFvn5LfIWkJv+CyPMZjpj7xRp4vb4/OCCAFjEzHhrzYVBYNkHM+ZLUTewEXuPVtZ6CZ5uviTExLN2V1moG3ExJdIoyUD16qh4=,iv:SkH609VxIVKJLmHUUNzICEjxHSyjLdwXfw0b7iU6png=,tag:BfNGcUZmk9ZXUvhoQZn6iQ==,type:str] prometheus-htpasswd: ENC[AES256_GCM,data:tiewfUfpvrmbrgk6AsBdiP4ng4TqG5UYf1mFcWOzuk8oO55rfZu+Naummz5RRYhJZil43nHFvn5LfIWkJv+CyPMZjpj7xRp4vb4/OCCAFjEzHhrzYVBYNkHM+ZLUTewEXuPVtZ6CZ5uviTExLN2V1moG3ExJdIoyUD16qh4=,iv:SkH609VxIVKJLmHUUNzICEjxHSyjLdwXfw0b7iU6png=,tag:BfNGcUZmk9ZXUvhoQZn6iQ==,type:str]
restic-ssh-key: ENC[AES256_GCM,data:9quBzUwv4qylVzESG94wSgzvuodSDM/smPh0j+LYJjXwEN1xksBIW2/Jv0XmF3Q+AWUF/C/lA2jteI3Mf6Pmn7zlqa3H7GwH8Os6/arQI3ywH2dHQLAFxgST2J0AlLGeZcJbntxW0buYw+Rz3q5Jbo+Wo9tQo+2EVvqX320qWBsEwinnahbUhZym3fipyE9g6JxGa3OFGiIn6JAQhst63WgpOfehQsAYu2bdW1gLrgFtURzDQQRQ28RxeD+nMUWRpQcq5GrX2rfSA7sengfQbmP3Ln1atp1YXctTalHsj+n4photBqLz6OfLaFKBqbdKRbinUgVAEarAocEOKk/qf1C6LS8yKjV9Mh/tKeCJQrCI/AccEP5DfMNqdRaWjoQxvjBRKaupPE7Rcuja++K/jm24nP9J8WDcrRSm0tlrVq2JnPHxJv+eUsZoGkvpyOs9AkTG1H2BCckYS5ZG4atjKoBfUvc3CitPNmPZcjSkPrkdRMZbu1BWR+cixFH9rFAUvVIn+e7sWGnqMA8xGXZS,iv:rLOTtmIFP7rwF9JY9ardO9pNqNh1uaobHKtQaGwSuGk=,tag:pCd4ZV0FjfD18qj9oQ236Q==,type:str]
synapse-registration-shared-secret: ENC[AES256_GCM,data:qwUjGPINIuBC3KYqMPmnU3l9uJ85DJsJFixvTFQTSuR+fcq6DEjx03Xk41ff7NJftAi+Gt0QLdqKp+viJfW7eU6iHKyfcgPE/nj46UECCWLM8HISxPFQ9IrP+DIo02k=,iv:C9jhBPexth+gnAs6+DBtEmP2qsWZoKmgw6ILbtXUScA=,tag:M3U+03I0Bj8Nhuu4GB98xw==,type:str] synapse-registration-shared-secret: ENC[AES256_GCM,data:qwUjGPINIuBC3KYqMPmnU3l9uJ85DJsJFixvTFQTSuR+fcq6DEjx03Xk41ff7NJftAi+Gt0QLdqKp+viJfW7eU6iHKyfcgPE/nj46UECCWLM8HISxPFQ9IrP+DIo02k=,iv:C9jhBPexth+gnAs6+DBtEmP2qsWZoKmgw6ILbtXUScA=,tag:M3U+03I0Bj8Nhuu4GB98xw==,type:str]
synapse-turn-shared-secret: ENC[AES256_GCM,data:9MAsVAEnoF703p1enN70BXqlKZWacYmPCL25CNGdapZulGbMF5rAbpLxkJ3JiBNBYQt+DXSSb6zcmsT6yIqQZ4lW04lwtFV0RPJLfbfW9vUJQ3Bi5NUF,iv:keDUMEeintOwbBQzHHqVl8EFyQC1zqKG2LDvnBFSBxE=,tag:ymSwjZ+qC5kLIxMxlxwcAQ==,type:str] synapse-turn-shared-secret: ENC[AES256_GCM,data:9MAsVAEnoF703p1enN70BXqlKZWacYmPCL25CNGdapZulGbMF5rAbpLxkJ3JiBNBYQt+DXSSb6zcmsT6yIqQZ4lW04lwtFV0RPJLfbfW9vUJQ3Bi5NUF,iv:keDUMEeintOwbBQzHHqVl8EFyQC1zqKG2LDvnBFSBxE=,tag:ymSwjZ+qC5kLIxMxlxwcAQ==,type:str]
turn-static-auth-secret: ENC[AES256_GCM,data:HyFKdLn9yClXwVGv4/UcC5QfnqjTK2ui43/SRJiJYC7soP+BZnbtCTFkVe04H2smRQQi9ftrXLWQQx5DdGZxpg==,iv:tIwZcq4pVzWa1bl7zX/YsEuaVCyDenJnPGL0RhF9lmg=,tag:ddXaLQ3U990eupAHLyXx6w==,type:str] turn-static-auth-secret: ENC[AES256_GCM,data:HyFKdLn9yClXwVGv4/UcC5QfnqjTK2ui43/SRJiJYC7soP+BZnbtCTFkVe04H2smRQQi9ftrXLWQQx5DdGZxpg==,iv:tIwZcq4pVzWa1bl7zX/YsEuaVCyDenJnPGL0RhF9lmg=,tag:ddXaLQ3U990eupAHLyXx6w==,type:str]
@ -14,8 +16,8 @@ sops:
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: [] age: []
lastmodified: "2024-10-08T20:39:38Z" lastmodified: "2024-01-10T18:29:17Z"
mac: ENC[AES256_GCM,data:tgrvHkBsuxvkOe65YUkA/7iOcuwE3Vd6l46wLRSXK2DVED2FAdvO/cXvwsUKzIRKjrs/QXUl4T+lWGQC024Wiy6gXQB3edjxDT6aiGSzXWQAOmTI8/oLzxNTeuysTKNtIAxbz5x6d88JFx5PswtuYUb8x60xMPp3LTJbKnao/LI=,iv:l48P6gmEyeqSOHotLRCmYb7aZgnANceUvveVvGgpAyE=,tag:X5fFIxDxW9sIO4yF4B0C5Q==,type:str] mac: ENC[AES256_GCM,data:jsYCPL7/AFxg9mRM/mKhwiy4eH6ZGMyCCSBu+jSfIk/T8RSd9zh0AZ/p5rAwfbW20AzetivzRB4bSgcymLIcCr900EQLdPIuaZgxeGcbZ80N/7I0zF4u8K8oa1pKhyr1UUj48XjL55IdvVOsyvfq/I/KSbIbO7+fBHeQ51crCeo=,iv:CNmKwvZ61PdeyOvGP7elm/yvokll//fiKxdWFe2cfPo=,tag:PVQRV0G3VtBsD0tk34DHig==,type:str]
pgp: pgp:
- created_at: "2024-01-22T00:20:10Z" - created_at: "2024-01-22T00:20:10Z"
enc: |- enc: |-


@ -3,7 +3,20 @@
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
{ lib, pkgs, ... }: { lib, pkgs, ... }:
let
# This uses
# https://github.com/vector-im/element-web#configuration-best-practices
# but allows to disable the frame-ancestors rule for /usercontent/.
mkSecurityHeaders = withFrameOptions: ''
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
'' + lib.optionalString withFrameOptions ''
add_header Content-Security-Policy "frame-ancestors 'none'";
'' + lib.optionalString (!withFrameOptions) ''
add_header Content-Security-Policy "frame-ancestors 'self'";
'';
in
{ {
services.nginx.virtualHosts."chat.sbruder.de" = { services.nginx.virtualHosts."chat.sbruder.de" = {
enableACME = true; enableACME = true;
@ -11,13 +24,8 @@
root = pkgs.element-web; root = pkgs.element-web;
# https://github.com/vector-im/element-web#configuration-best-practices extraConfig = mkSecurityHeaders true;
extraConfig = '' locations."/usercontent/".extraConfig = mkSecurityHeaders false;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "frame-ancestors 'self'";
'';
# nixpkgss override mechanism doesnt allow overriding of all options # nixpkgss override mechanism doesnt allow overriding of all options
locations."=/config.chat.sbruder.de.json".alias = pkgs.writeText "config.chat.sbruder.de.json" (lib.generators.toJSON { } { locations."=/config.chat.sbruder.de.json".alias = pkgs.writeText "config.chat.sbruder.de.json" (lib.generators.toJSON { } {
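Review bot: The helper's parameter name `withFrameOptions` is misleading, because `X-Frame-Options SAMEORIGIN` is emitted in both branches and the flag only switches `frame-ancestors` between `'none'` and `'self'`; a name like `denyFraming` would say what it does, and the two `lib.optionalString` concatenations collapse into one line, `add_header Content-Security-Policy "frame-ancestors ${if withFrameOptions then "'none'" else "'self'"}";`. For the main vhost the two headers also disagree: CSP forbids all framing while `X-Frame-Options SAMEORIGIN` permits same-origin framing, and clients that understand `frame-ancestors` ignore `X-Frame-Options`, so only legacy clients see the weaker policy; emitting `X-Frame-Options DENY` in the `'none'` branch keeps them consistent. The `let` comment says the rule is disabled for `/usercontent/`, but the code relaxes it to `'self'` rather than disabling it, so reword it to `# but relaxes frame-ancestors to 'self' for /usercontent/`.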


@ -1,29 +0,0 @@
From 9167e70698e82ba9f9c41bff32154bb531322a11 Mon Sep 17 00:00:00 2001
From: Omar Roth <omarroth@protonmail.com>
Date: Wed, 28 Aug 2024 10:34:47 +0200
Subject: [PATCH 2/2] Require login
Co-authored-by: Simon Bruder <simon@sbruder.de>
---
src/invidious/routes/before_all.cr | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/invidious/routes/before_all.cr b/src/invidious/routes/before_all.cr
index 5695dee9..c981a463 100644
--- a/src/invidious/routes/before_all.cr
+++ b/src/invidious/routes/before_all.cr
@@ -122,5 +122,11 @@ module Invidious::Routes::BeforeAll
end
env.set "current_page", URI.encode_www_form(current_page)
+
+ unregistered_path_whitelist = {"/login", "/licenses", "/privacy"}
+ if !env.get?("user") && !unregistered_path_whitelist.includes?(env.request.path)
+ env.response.headers["Location"] = "/login"
+ haltf env, status_code: 302
+ end
end
end
--
2.44.1


@ -1,4 +0,0 @@
SPDX-FileCopyrightText: 2019 Omar Roth <omarroth@protonmail.com>
SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
SPDX-License-Identifier: AGPL-3.0-or-later


@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
@ -17,7 +17,6 @@
package = pkgs.unstable.invidious.overrideAttrs (o: o // { package = pkgs.unstable.invidious.overrideAttrs (o: o // {
patches = (o.patches or [ ]) ++ [ patches = (o.patches or [ ]) ++ [
./0001-Prefer-opus-audio-streams-in-listen-mode.patch ./0001-Prefer-opus-audio-streams-in-listen-mode.patch
./0002-Require-login.patch
]; ];
}); });
nginx.enable = true; nginx.enable = true;
@ -42,12 +41,6 @@
use_pubsub_feeds = true; use_pubsub_feeds = true;
modified_source_code_url = "https://github.com/sbruder/invidious/tree/patches"; modified_source_code_url = "https://github.com/sbruder/invidious/tree/patches";
https_only = lib.mkForce true; https_only = lib.mkForce true;
registration_enabled = false;
# this can be removed
# when this service is re-deployed on a host with state version ≥ 24.05
db.user = "invidious";
}; };
extraSettingsFile = config.sops.secrets.invidious-extra-settings.path; extraSettingsFile = config.sops.secrets.invidious-extra-settings.path;
}; };
@ -65,6 +58,7 @@
''; '';
locations = { locations = {
"/robots.txt".return = "200 'User-agent: *\\nDisallow: /'"; "/robots.txt".return = "200 'User-agent: *\\nDisallow: /'";
"/privacy".return = "301 'https://sbruder.xyz/#privacy'";
"/feed/popular".return = "403"; # leaks data about its users "/feed/popular".return = "403"; # leaks data about its users
}; };
}; };
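Review bot: On the new side `registration_enabled = false;` is gone together with the `0002-Require-login.patch` entry, so account registration now falls back to whatever `services.invidious.settings` defaults to; if that default is open registration, anyone can create accounts on an instance whose `/feed/popular` is deliberately blocked with the comment "leaks data about its users". Either keep `registration_enabled = false;` in the `settings` block or add a comment stating that open registration is intended. The `settings` attribute set starts before this hunk, so its other keys are not visible here.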


@ -8,9 +8,4 @@
./mautrix-whatsapp.nix ./mautrix-whatsapp.nix
./go-neb.nix ./go-neb.nix
]; ];
# required by mautrix-whatsapp and go-neb
nixpkgs.config.permittedInsecurePackages = [
"olm-3.2.16"
];
} }


@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2021-2022 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
@ -25,8 +25,6 @@
channelname = ''[ \\-=\\w\\#\\[\\]\\{\\}\\(\\)\\@\\|]+''; channelname = ''[ \\-=\\w\\#\\[\\]\\{\\}\\(\\)\\@\\|]+'';
}; };
}; };
# upstream (out-of-tree) does not define this, but nixpkgs wants (🥁) it
systemd.services.murmur.wants = [ "network-online.target" ];
services.nginx.virtualHosts."mumble.sbruder.de" = { services.nginx.virtualHosts."mumble.sbruder.de" = {
enableACME = true; enableACME = true;


@ -8,12 +8,6 @@ let
mkStaticTargets = targets: lib.singleton { inherit targets; }; mkStaticTargets = targets: lib.singleton { inherit targets; };
mkStaticTarget = target: mkStaticTargets (lib.singleton target); mkStaticTarget = target: mkStaticTargets (lib.singleton target);
relabelVpnConfig = {
target_label = "instance";
source_labels = lib.singleton "__address__";
regex = "(.*)\\.vpn\\.sbruder\\.de:[0-9]*";
};
in in
{ {
services.prometheus = { services.prometheus = {
@ -81,22 +75,12 @@ in
"shinobu.vpn.sbruder.de:9100" "shinobu.vpn.sbruder.de:9100"
"nazuna.vpn.sbruder.de:9100" "nazuna.vpn.sbruder.de:9100"
"yuzuru.vpn.sbruder.de:9100" "yuzuru.vpn.sbruder.de:9100"
"koyomi.vpn.sbruder.de:9100"
"hiroshi.vpn.sbruder.de:9100"
]; ];
relabel_configs = lib.singleton relabelVpnConfig; relabel_configs = lib.singleton {
} target_label = "instance";
{ source_labels = lib.singleton "__address__";
job_name = "smartctl"; regex = "(.*)\\.vpn\\.sbruder\\.de:9100";
static_configs = mkStaticTargets [ };
"fuuko.vpn.sbruder.de:9633"
"mayushii.vpn.sbruder.de:9633"
"nunotaba.vpn.sbruder.de:9633"
"hitagi.vpn.sbruder.de:9633"
"shinobu.vpn.sbruder.de:9633"
"koyomi.vpn.sbruder.de:9633"
];
relabel_configs = lib.singleton relabelVpnConfig;
} }
{ {
job_name = "qbittorrent"; job_name = "qbittorrent";
@ -104,7 +88,11 @@ in
"fuuko.vpn.sbruder.de:9561" "fuuko.vpn.sbruder.de:9561"
"nazuna.vpn.sbruder.de:9561" "nazuna.vpn.sbruder.de:9561"
]; ];
relabel_configs = lib.singleton relabelVpnConfig; relabel_configs = lib.singleton {
target_label = "instance";
source_labels = lib.singleton "__address__";
regex = "(.*)\\.vpn\\.sbruder\\.de:9561";
};
} }
( (
let let
@ -123,7 +111,10 @@ in
{ {
job_name = "dnsmasq"; job_name = "dnsmasq";
static_configs = mkStaticTarget "shinobu.vpn.sbruder.de:${toString config.services.prometheus.exporters.dnsmasq.port}"; static_configs = mkStaticTarget "shinobu.vpn.sbruder.de:${toString config.services.prometheus.exporters.dnsmasq.port}";
relabel_configs = lib.singleton relabelVpnConfig; relabel_configs = lib.singleton {
target_label = "instance";
replacement = "shinobu";
};
} }
{ {
job_name = "hcloud"; job_name = "hcloud";
@ -145,12 +136,14 @@ in
{ {
job_name = "knot"; job_name = "knot";
static_configs = mkStaticTargets [ static_configs = mkStaticTargets [
"vueko.vpn.sbruder.de:9433"
"renge.vpn.sbruder.de:9433"
"okarin.vpn.sbruder.de:9433" "okarin.vpn.sbruder.de:9433"
"yuzuru.vpn.sbruder.de:9433" "vueko.vpn.sbruder.de:9433"
]; ];
relabel_configs = lib.singleton relabelVpnConfig; relabel_configs = lib.singleton {
target_label = "instance";
source_labels = lib.singleton "__address__";
regex = "(.*)\\.vpn\\.sbruder\\.de:9433";
};
} }
{ {
job_name = "snmp"; job_name = "snmp";
@ -176,13 +169,6 @@ in
} }
]; ];
} }
{
job_name = "haproxy";
static_configs = mkStaticTargets [
"koyomi.vpn.sbruder.de:8404"
];
relabel_configs = lib.singleton relabelVpnConfig;
}
]; ];
rules = rules =
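Review bot: The new side repeats an identical `relabel_configs` block for the node, qbittorrent and knot jobs with only the port in the regex differing, and the dnsmasq job hardcodes `replacement = "shinobu"` instead of deriving the instance from `__address__`; a single helper in the `let` block with a port-agnostic pattern such as `regex = "(.*)\\.vpn\\.sbruder\\.de:[0-9]+";` would serve all four jobs. The per-port regexes also fail silently: a target scraped on any other port keeps its raw `host:port` as the `instance` label, which is easy to miss in dashboards and alert rules. The `scrapeConfigs` list continues outside this hunk.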


@ -0,0 +1,63 @@
# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
# I dont do this, because I want to.
# I think I might have to do this because of § 8.2 of Hetzners ToS.
{ config, lib, ... }:
let
serviceBlocks = {
nitter = [
{ path = "/ks1v/status/1439866313476689924"; report = "2023-04-21-Hetzner-C591581F-ROSKOMNADZOR.txt"; }
];
iv = [
{ video = "NR57D2UVqm4"; report = "2023-04-28-Hetzner-C633C02D-ROSKOMNADZOR.txt"; }
];
libreddit = [
];
};
in
{
services.nginx.virtualHosts = lib.mapAttrs'
(domain: blocks: lib.nameValuePair "${domain}.sbruder.xyz" {
locations = lib.listToAttrs
(map
(block:
let
# workaround for nginx dropping parent headers
# see https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md
parentHeaders = lib.concatStringsSep "\n" (lib.filter
(lib.hasPrefix "add_header ")
(lib.splitString "\n" config.services.nginx.commonHttpConfig));
transparency_url = "https://sbruder.xyz/transparency/${block.report}";
return_statement = ''
${parentHeaders}
add_header Link "<${transparency_url}>; rel=blocked-by" always;
add_header Content-Type text/html always;
return 451 '<html><head><title>451 Unavailable For Legal Reasons</title></head><body><center><h1>451 Unavailable For Legal Reasons</h1><p><a href="${transparency_url}">Transparency</a></p></center><hr><center>nginx</center></body></html>';
'';
path =
if block ? "path"
then block.path
else
(if block ? "video"
then "/" # not pretty, but I dont know how to do this differently
else throw "invalid block");
location_block =
if block ? "video"
then {
extraConfig = ''
if ($arg_v = ${block.video}) {
${return_statement}
}
'';
}
else { extraConfig = return_statement; };
in
lib.nameValuePair
path
location_block)
blocks);
})
serviceBlocks;
}
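Review bot: The `parentHeaders` workaround keeps only lines of `commonHttpConfig` that begin at column 0 with `add_header `, so any indented or continued `add_header` directive in the common config is silently dropped from the 451 response, which would leave exactly these responses without the security headers the rest of the site sends. A whitespace-tolerant match such as `(line: builtins.match "[[:space:]]*add_header .*" line != null)` in place of `(lib.hasPrefix "add_header ")` keeps the intent and also catches indented lines; multi-line directives would still need listing by hand. Whether the common config actually contains indented `add_header` lines is not visible here, so this may only be a latent problem today.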


@ -3,8 +3,16 @@
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
{ config, pkgs, ... }: { config, pkgs, ... }:
let
goneVhost = {
locations."~ .*".return = "303 'https://sbruder.xyz/#history'";
};
in
{ {
imports = [
./blocks.nix
];
services.nginx.virtualHosts."sbruder.xyz" = { services.nginx.virtualHosts."sbruder.xyz" = {
root = pkgs.stdenvNoCC.mkDerivation { root = pkgs.stdenvNoCC.mkDerivation {
name = "sbruder.xyz"; name = "sbruder.xyz";
@ -41,6 +49,16 @@
locations = { locations = {
"/imprint/".alias = "${pkgs.sbruder.imprint}/"; "/imprint/".alias = "${pkgs.sbruder.imprint}/";
"/transparency/" = {
alias = "/var/www/transparency/";
extraConfig = ''
autoindex on;
charset utf-8;
'';
};
}; };
}; };
services.nginx.virtualHosts."nitter.sbruder.xyz" = goneVhost;
services.nginx.virtualHosts."libreddit.sbruder.xyz" = goneVhost;
} }
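Review bot: `goneVhost` installs a regex location `~ .*` on nitter.sbruder.xyz and libreddit.sbruder.xyz, and nginx prefers a matching regex location over prefix locations, so the `/ks1v/status/...` 451 location that `./blocks.nix` adds to nitter.sbruder.xyz looks unreachable — those requests get the 303 instead. If the takedown response is meant to remain observable, put the redirect in a prefix location, `locations."/".return = "303 'https://sbruder.xyz/#history'";`, so the longer blocked prefix still wins. `goneVhost` also sets no `forceSSL`/`enableACME`; that may be supplied elsewhere in the module set but is not visible in this hunk.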


@ -1,29 +1,47 @@
<!-- <!--
SPDX-FileCopyrightText: 2022-2024 Simon Bruder <simon@sbruder.de> SPDX-FileCopyrightText: 2022-2023 Simon Bruder <simon@sbruder.de>
SPDX-License-Identifier: CC-BY-SA-4.0 SPDX-License-Identifier: CC-BY-SA-4.0
--> -->
## End of life On this domain, the following services are currently available:
Because of the increasing hostility of YouTube, * [Invidious](https://iv.sbruder.xyz)
the public availability of the Invidious service was discontinued on **2024-09-27**.
Registration of new accounts is disabled since **2024-08-22**.
Access by unauthenticated users is disabled since **2024-08-28**.
All accounts which did not explicitly opt out were deleted on **2024-09-29**.
This information site is scheduled to be deleted in late Q4 2024. They are all semi-public instances.
That means, they are not included in lists of public instances,
but feel free to use them for personal purposes.
You can do so by using a browser plugin like [Privacy Redirect](https://github.com/SimonBrazell/privacy-redirect)
and configuring the addresses to point to this server.
However, please note the following if you want to use them:
* These services are provided as-is without any guarantees.
* You must not use these services for any activities illegal under German law.
* You must not use these services to interfere with the operation of the services
or the sites that originally provide the data.
* Please dont over/abuse these services.
They run on a tiny VPS and wont be able to handle high workloads.
Also note the following service-specific things:
* **Invidious**: There are no backups, so you are responsible for using the data export feature to back up important data.
The VPS providing the services is running NixOS.
The configuration is available [here](https://git.sbruder.de/simon/nixos-config/src/branch/master/machines/renge).
If you have any questions, please [contact me](https://sbruder.de).
## History ## History
Previously, the following services were also publicly available: Previously, the following services were also available:
* [Invidious](https://iv.sbruder.xyz)
* [Libreddit](https://libreddit.sbruder.xyz) * [Libreddit](https://libreddit.sbruder.xyz)
* [Nitter](https://nitter.sbruder.xyz) * [Nitter](https://nitter.sbruder.xyz)
They are no longer offered, They are no longer offered,
as Twitter (which no longer exists in its previous form), Reddit, and YouTube as both Twitter (which no longer exists in its previous form) and Reddit
have become extremely hostile to third party applications, have become extremely hostile to third party applications,
which made them unreliable and forced the developers (at least for Libreddit) which made them unreliable and forced the developers (at least for Libreddit)
to discontinue development. to discontinue development.
@ -32,10 +50,40 @@ The recommended migration path is to use alternative hosted instances
(<https://nitter.net> has been mostly working at the time of writing this) (<https://nitter.net> has been mostly working at the time of writing this)
or discontinue usage of that platform. or discontinue usage of that platform.
<!-- REUSE-IgnoreStart -->
## A Note to Copyright Holders
The services are only relaying content that is otherwise already available on the Internet.
If your rights are infringed by content available from this site,
please report this to the site originally making it available.
Otherwise the content will still be available on the Internet.
If you still want to report illegal content to me instead of the original site,
you can contact me by the means specified in the imprint.
Please dont send letters by snail mail if you want a fast response.
<!-- REUSE-IgnoreEnd -->
## Imprint ## Imprint
See [Imprint](/imprint/). See [Imprint](/imprint/).
## Privacy
If you log in to an Invidious account,
the data you provide to the service will be stored.
You can export or delete that data by using its built-in data control feature.
In the case of an error, details of the problematic request might be stored on the server
and used strictly for debugging and fixing the error.
## Transparency
For transparency reasons,
you can find all take down requests [here](/transparency/).
I was not sure if the reported content could be seen as violating Hetzners ToS,
and therefore complied, even though I dont want to support the authority asking for removal.
#### Fine Print #### Fine Print
<small> <small>


@ -0,0 +1,48 @@
# SPDX-FileCopyrightText: 2021-2022 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ config, lib, pkgs, ... }:
let
domain = "schulischer-schabernack.de";
in
{
services.nginx = {
commonHttpConfig = ''
# privacy-aware log format
log_format schabernack '$remote_addr_schabernack - - [$time_local] "$request" $status $body_bytes_sent "-" "$http_user_agent"';
# anonymise ip address
map $remote_addr $remote_addr_schabernack {
~(?P<ip>\d+\.\d+)\. $ip.0.0;
~(?P<ip>[^:]+:[^:]+): $ip::;
default 0.0.0.0;
}
'';
virtualHosts = {
${domain} = {
forceSSL = true;
enableACME = true;
root = "/var/www/schabernack";
# only log page views, rss feed access, media file download and embed views
extraConfig = ''
location ~ index\.html|rss\.xml|\.(opus|m4a|ogg|mp3|\.podlove.json)$ {
access_log /var/log/nginx/schabernack.log schabernack;
}
'';
};
"www.${domain}" = {
forceSSL = true;
enableACME = true;
globalRedirect = domain;
extraConfig = ''
access_log off;
'';
};
};
};
}
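Review bot: The `location ~` regex in `extraConfig` has `\.podlove.json` inside the `\.( … )$` group, so the pattern requires two consecutive dots (`..podlove.json`) and the dot before `json` is unescaped; the `index\.html|rss\.xml` alternatives are also not anchored, so any path merely containing those substrings is logged as well. Suggested: `location ~ (index\.html|rss\.xml|\.(opus|m4a|ogg|mp3|podlove\.json))$ {`. The anonymising `map` on `$remote_addr` keeps the first two octets of IPv4 and the first two groups of IPv6; stating that granularity in the `# anonymise ip address` comment would make the privacy intent checkable by the next reader.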


@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
@ -9,7 +9,6 @@
../../modules ../../modules
./services/co2_exporter.nix ./services/co2_exporter.nix
./services/ntp.nix
./services/router ./services/router
./services/snmp-exporter.nix ./services/snmp-exporter.nix
./services/wordclock-dimmer.nix ./services/wordclock-dimmer.nix


@ -1,4 +1,3 @@
wg-he-private-key: ENC[AES256_GCM,data:bT1G2nZHJO9j04I4j3QZYn7BxGX4XHxzgXDr3iFTnu/kirik6+0Eh/AUp+4=,iv:SeowjlP64t8lPn+WXqrOtZJWA3geTSO9ST9JNuPQwu0=,tag:ctLXe7BP0Ob/ADD4q7yOmg==,type:str]
wg-home-private-key: ENC[AES256_GCM,data:gm4INfmp226u4wp+LuKgf5m2nTFFw4S24w4PRPcW/A7CU713c9NtQ+kPDKg=,iv:JAir9z5/Db6+Oroq+0vXPZLZLA2gjY2Be6hRAmgV5AE=,tag:fxL9nK3v5xERfcoBbCUsXg==,type:str] wg-home-private-key: ENC[AES256_GCM,data:gm4INfmp226u4wp+LuKgf5m2nTFFw4S24w4PRPcW/A7CU713c9NtQ+kPDKg=,iv:JAir9z5/Db6+Oroq+0vXPZLZLA2gjY2Be6hRAmgV5AE=,tag:fxL9nK3v5xERfcoBbCUsXg==,type:str]
wg-upstream-private-key: ENC[AES256_GCM,data:CO50H7QsLQ2x0QQXnB7c0leG8NdV66gWrdWBWOR9z4ukSN7qj/qqe83t82k=,iv:2as2HfTfRje3TEap8QpPfzz4saNDgjo6Ty1DTF23JVE=,tag:ZYe+59wrpX7mV1HcDllMdg==,type:str] wg-upstream-private-key: ENC[AES256_GCM,data:CO50H7QsLQ2x0QQXnB7c0leG8NdV66gWrdWBWOR9z4ukSN7qj/qqe83t82k=,iv:2as2HfTfRje3TEap8QpPfzz4saNDgjo6Ty1DTF23JVE=,tag:ZYe+59wrpX7mV1HcDllMdg==,type:str]
hostapd-config: ENC[AES256_GCM,data:a0ESrrsquLq6VRJM588C5A+FmVxJwJSzwRuv2o//LL5OybcDS8jkVUajosXEs0qmQ6Xfc1gFDcevCYUwJ24eZ+ynKLWwoNx8RXXwbpllO7FkI68vcauUij1CtUgVb8aHheKfrFuyW7WU1wE3NTtOt2gij1+nM3iKS3vFXtX2n9L2fuy2b3EhOUBiakxAeQmyVmclSVBDYt12i4h4tW7GpPr8AjoIiZgz0Hyx5zA5f/JTPzz/P200eM0tCttNPbMNPBGztJfw7raRIX+v6xw7QNPMgf03TOae17mt6uggTNKJfEPeanzcEMA3xR6xoFUqJL6Hvowyl4MrSFc+E5Rvft+qhp8m6tAqQln9Z3MzaDtxSBWnWdvWEcyeK1aDBQ57/aIwo8kVs47Iblqbi5+jM/n4DoeQtqTM1kS7sZ3XDQ26suW5KCw+VIeqEEqdu6g5ZXMO2SipSOzP5jPjX+5ubX3SXcyoAIo41Efa6YGdWtl3,iv:oLk5tatZEY5AI/PlTBJHShGCKiyvve9rPhGARAtMMj4=,tag:Bkan2Hff8L8ZcC67r+fWjg==,type:str] hostapd-config: ENC[AES256_GCM,data:a0ESrrsquLq6VRJM588C5A+FmVxJwJSzwRuv2o//LL5OybcDS8jkVUajosXEs0qmQ6Xfc1gFDcevCYUwJ24eZ+ynKLWwoNx8RXXwbpllO7FkI68vcauUij1CtUgVb8aHheKfrFuyW7WU1wE3NTtOt2gij1+nM3iKS3vFXtX2n9L2fuy2b3EhOUBiakxAeQmyVmclSVBDYt12i4h4tW7GpPr8AjoIiZgz0Hyx5zA5f/JTPzz/P200eM0tCttNPbMNPBGztJfw7raRIX+v6xw7QNPMgf03TOae17mt6uggTNKJfEPeanzcEMA3xR6xoFUqJL6Hvowyl4MrSFc+E5Rvft+qhp8m6tAqQln9Z3MzaDtxSBWnWdvWEcyeK1aDBQ57/aIwo8kVs47Iblqbi5+jM/n4DoeQtqTM1kS7sZ3XDQ26suW5KCw+VIeqEEqdu6g5ZXMO2SipSOzP5jPjX+5ubX3SXcyoAIo41Efa6YGdWtl3,iv:oLk5tatZEY5AI/PlTBJHShGCKiyvve9rPhGARAtMMj4=,tag:Bkan2Hff8L8ZcC67r+fWjg==,type:str]
@ -8,8 +7,8 @@ sops:
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: [] age: []
lastmodified: "2024-08-26T18:50:19Z" lastmodified: "2023-08-08T09:43:37Z"
mac: ENC[AES256_GCM,data:k26ZEKuFtS0GLMqFIbY0QiVfHvmpxt3JgLvZIhEHcC3wQ80OhRNeyKocZhua1T5iSfhfvlckXYZl6tTZkCEh4fj3NmYMtQ9vwpoexdYWwx5ylPT3rpByfBbO+foHgQ3JXk6Kyt2R9ULjghMU3/lEcsG4AuGU1XMomsTzrdigXY8=,iv:ls3nIFIwTM//tSvee/aHj6Qv2nn/gZMKgGF+aQWNxeg=,tag:l58uHLpvPfIkbUn9gl+lzg==,type:str] mac: ENC[AES256_GCM,data:lxoKzGyPwdfeI5Dlmgx9K9SBhfRIaokvum+dJWABUoGtIMtrhp4K4ZRF1Rjja8oTi4w3b+s9aUBpxt8TLu9vJZFsUkhY2gqW5bX3Ub/3xMAR9YSG3LtijRSMuKkdVlAkdjB6Guz9aHNVBG3fTZ+SfTlyOQdImW6bK4tydbGHKgY=,iv:6kVR4zZfHnqhcOT3N2tClGST8h7FLjIseXDu2xS2DEY=,tag:rd/f7cHSoxLT3O7HluVWLA==,type:str]
pgp: pgp:
- created_at: "2024-01-22T00:20:19Z" - created_at: "2024-01-22T00:20:19Z"
enc: |- enc: |-
@ -80,4 +79,4 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 28677f2e3584b39f528a779caf445ebb39c882b7 fp: 28677f2e3584b39f528a779caf445ebb39c882b7
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.7.3


@ -1,11 +0,0 @@
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{
services.ntp = {
enable = true;
};
networking.firewall.allowedUDPPorts = [ 123 ];
}


@ -1,15 +0,0 @@
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ lib, pkgs, ... }:
let
cfg = pkgs.callPackage ./common.nix { };
in
{
services.avahi = {
enable = true;
reflector = true;
allowInterfaces = lib.mapAttrsToList (name: _: "br-${name}") (lib.filterAttrs (_: { avahi, ... }: avahi) cfg.vlan);
};
}


@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
@ -26,65 +26,32 @@ let
cidr = v6; cidr = v6;
net = fst v6Split; net = fst v6Split;
suffix = snd v6Split; suffix = snd v6Split;
withoutLocalComponent = lib.substring 0 ((lib.stringLength net) - 1) net;
gateway = "${net}1"; gateway = "${net}1";
gatewayCidr = "${gateway}/${suffix}"; gatewayCidr = "${gateway}/${suffix}";
}; };
}; };
macToIpv6InterfaceIdentifier = mac:
let
macList = lib.splitString ":" mac;
macListIpv6 = lib.flatten [
(lib.toHexString (lib.bitXor (builtins.fromTOML "x = 0x${lib.elemAt macList 0}").x 2))
(lib.sublist 1 2 macList)
[ "ff" "fe" ]
(lib.sublist 3 3 macList)
];
interfaceIdentifierNoColons = lib.strings.toLower (lib.concatStrings macListIpv6);
interfaceIdentifier = lib.concatStrings [
(lib.substring 0 4 interfaceIdentifierNoColons)
":"
(lib.substring 4 4 interfaceIdentifierNoColons)
":"
(lib.substring 8 4 interfaceIdentifierNoColons)
":"
(lib.substring 12 4 interfaceIdentifierNoColons)
];
in
interfaceIdentifier;
in in
rec { {
vlan = { vlan = {
lan = { lan = {
id = 10; id = 10;
subnet = mkSubnet "10.80.1.0/24" "2001:470:73b9:1::/64"; subnet = mkSubnet "10.80.1.0/24" "fd00:80:1::/64";
domain = "lan.shinonome-lab.de"; domain = "lan.shinonome-lab.de";
avahi = true;
}; };
management = { management = {
id = 20; id = 20;
subnet = mkSubnet "10.80.2.0/24" "2001:470:73b9:2::/64"; subnet = mkSubnet "10.80.2.0/24" "fd00:80:2::/64";
domain = "management.shinonome-lab.de"; domain = "management.shinonome-lab.de";
avahi = false;
}; };
guest = { guest = {
id = 30; id = 30;
subnet = mkSubnet "10.80.3.0/24" "2001:470:73b9:3::/64"; subnet = mkSubnet "10.80.3.0/24" "fd00:80:3::/64";
domain = "guest.shinonome-lab.de"; domain = "guest.shinonome-lab.de";
avahi = false;
}; };
iot = { iot = {
id = 40; id = 40;
subnet = mkSubnet "10.80.4.0/24" "2001:470:73b9:4::/64"; subnet = mkSubnet "10.80.4.0/24" "fd00:80:4::/64";
domain = "iot.shinonome-lab.de"; domain = "iot.shinonome-lab.de";
avahi = true;
};
printer = {
id = 41;
subnet = mkSubnet "10.80.5.0/24" "2001:470:73b9:5::/64";
domain = "printer.shinonome-lab.de";
avahi = true;
}; };
}; };
tc = { tc = {
@ -156,15 +123,4 @@ rec {
} }
]; ];
}; };
staticHosts = lib.mapAttrs
(_: options: options // {
address6 = "${vlan.${options.vlan}.subnet.v6.withoutLocalComponent}${macToIpv6InterfaceIdentifier options.hwaddr}";
})
{
fuuko = {
hwaddr = "18:c0:4d:d2:93:f0";
address4 = "10.80.1.98";
vlan = "lan";
};
};
} }
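Review bot: The `fd00:80:1::/64` … `fd00:80:4::/64` subnets use a hand-picked Global ID; RFC 4193 asks for the 40 bits after `fd` to be pseudo-randomly generated precisely so that two ULA networks (for example when this lab is later joined to another site over a VPN) do not collide. Generating one random prefix once and deriving the per-VLAN subnets from it keeps the same structure, e.g. `subnet = mkSubnet "10.80.1.0/24" "fd<RANDOM-40-BIT-GLOBAL-ID>:1::/64";` with the placeholder replaced by a generated value. Dropping `rec` is only safe if nothing remaining in the attrset still refers to `vlan`; parts of the attrset lie outside these hunks.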


@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
@ -31,14 +31,11 @@ let
in in
{ {
imports = [ imports = [
./avahi.nix
./dnsmasq.nix ./dnsmasq.nix
./nft.nix ./nft.nix
./tc.nix ./tc.nix
]; ];
sbruder.wireguard.he.enable = true;
boot.kernel.sysctl = { boot.kernel.sysctl = {
"net.ipv4.conf.all.forwarding" = true; "net.ipv4.conf.all.forwarding" = true;
"net.ipv6.conf.all.forwarding" = true; "net.ipv6.conf.all.forwarding" = true;
@ -109,20 +106,6 @@ in
# Only use RA # Only use RA
DHCPv6Client = false; DHCPv6Client = false;
UseDNS = "no"; UseDNS = "no";
UseGateway = false; # should not be used by default for routing (wg-he takes precendence)
};
routingPolicyRules = lib.singleton {
routingPolicyRuleConfig = {
Family = "ipv6";
FirewallMark = 31092; # 0x7974
Table = 31092; # 0x7974
};
};
routes = lib.singleton {
routeConfig = {
Gateway = "_ipv6ra";
Table = 31092; # 0x7974
};
}; };
}; };
physical-lan = { physical-lan = {
@ -145,13 +128,6 @@ in
name = "enp4s0"; name = "enp4s0";
bridge = [ "br-lan" ]; bridge = [ "br-lan" ];
}; };
# extended from common config
wg-he = {
address = lib.singleton "2001:470:73b9::1";
routes = lib.singleton {
routeConfig.Gateway = "::"; # on link
};
};
} }
]; ];
}; };


@ -1,15 +1,10 @@
# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
cfg = pkgs.callPackage ./common.nix { }; cfg = pkgs.callPackage ./common.nix { };
bypassHe = [
"googlevideo.com"
"youtube.com"
];
in in
{ {
services.dnsmasq = { services.dnsmasq = {
@ -46,33 +41,19 @@ in
cfg.vlan); cfg.vlan);
dhcp-option = lib.flatten (lib.mapAttrsToList dhcp-option = lib.flatten (lib.mapAttrsToList
(name: { subnet, ... }: [ (name: { subnet, ... }: [
# Gateway
"tag:br-${name},option:router,${subnet.v4.gateway}" "tag:br-${name},option:router,${subnet.v4.gateway}"
"tag:br-${name},option6:dns-server,${subnet.v6.gateway}" "tag:br-${name},option6:dns-server,${subnet.v6.gateway}"
# NTP server (runs on gateway)
"tag:br-${name},option:ntp-server,${subnet.v4.gateway}"
"tag:br-${name},option6:ntp-server,${subnet.v6.gateway}"
]) ])
cfg.vlan); cfg.vlan);
dhcp-host = lib.mapAttrsToList
(name: { hwaddr, address4, vlan, ... }: "${hwaddr},tag:br-${vlan},${address4},${name}")
cfg.staticHosts;
nftset = [ nftset = [
"/${lib.concatStringsSep "/" bypassHe}/6#ip6#he-bypass#addresses" "/pool.ntp.org/4#inet#filter#iot_ntp4"
"/pool.ntp.org/6#inet#filter#iot_ntp6" # does not work
]; ];
server = [ server = [
"127.0.0.1#5053" "127.0.0.1#5053"
]; ];
# Authoritative zones for external reachability (only AAAA records)
auth-server = "shinobu.shinonome-lab.de,2001:470:73b9::1";
auth-zone = map
(vlan: "${vlan.domain},${vlan.subnet.v6.cidr}")
(lib.attrValues cfg.vlan);
}; };
}; };
systemd.services.dnsmasq.after = [ "systemd-networkd.service" ]; systemd.services.dnsmasq.after = [ "systemd-networkd.service" ];
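Review bot: The IPv6 `nftset` entry is marked `# does not work` without saying why, and the router's nft forward chain accepts IoT NTP only for destinations in `@iot_ntp4`/`@iot_ntp6`, so with the v6 set never populated IPv6 NTP from br-iot is silently dropped and devices that resolve only AAAA will fail to sync time. Expand the comment to record the observed failure and whether v6 NTP is deliberately left broken, e.g. `# does not work: <observed error>; IPv6 NTP from br-iot is therefore blocked by the nft forward chain`. Only `pool.ntp.org` is tracked, so IoT devices using a vendor NTP host or a hard-coded address will not match the set either; that is a reasonable deny-by-default, but worth stating next to the entry. The `services.dnsmasq` attrset continues outside this hunk.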


@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
@ -17,12 +17,7 @@ let
passthru = { passthru = {
VLANS = lib.attrNames cfg.vlan; VLANS = lib.attrNames cfg.vlan;
VLAN_BRIDGES = map (name: "br-${name}") (lib.attrNames cfg.vlan); VLAN_BRIDGES = map (name: "br-${name}") (lib.attrNames cfg.vlan);
} // (lib.listToAttrs (lib.flatten (lib.mapAttrsToList };
(name: staticHostConfig:
(map
(option: option // { name = "STATIC_HOST_${name}_${option.name}"; })
(lib.attrsToList staticHostConfig)))
cfg.staticHosts)));
defines = lib.concatStringsSep defines = lib.concatStringsSep
"\n" "\n"


@ -1,93 +1,49 @@
# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
define NAT_LAN_IFACES = { "br-lan", "br-guest" } define NAT_LAN_IFACES = { "br-lan", "br-guest" }
define PHYSICAL_WAN = "enp1s0" define PHYSICAL_WAN = "enp1s0"
# only includes interfaces that use NAT
define NAT_WAN_IFACES = { $PHYSICAL_WAN } define NAT_WAN_IFACES = { $PHYSICAL_WAN }
# also includes interfaces that do not use NAT
define WAN_IFACES = { $NAT_WAN_IFACES, "wg-he" }
table inet filter { table inet filter {
# These two sets are dynamically managed by dnsmasq
set iot_ntp4 {
type ipv4_addr
comment "IPv4 addresses of resolved NTP servers"
}
set iot_ntp6 {
type ipv6_addr
comment "IPv6 addresses of resolved NTP servers"
}
chain forward { chain forward {
type filter hook forward priority filter; policy drop type filter hook forward priority filter; policy drop
# Use MSS clamping to avoid too large packets not going through the tunnel.
tcp flags syn / syn,rst tcp option maxseg size set rt mtu
# plastic router, might be vulnerable (FIXME v6 is still reachable) # plastic router, might be vulnerable (FIXME v6 is still reachable)
iifname "br-guest" ip daddr "192.168.0.1" drop iifname "br-guest" ip daddr "192.168.0.1" drop
# allow traffic between selected VLANs and wan # allow traffic between selected VLANs and wan
iifname $NAT_LAN_IFACES oifname $WAN_IFACES counter accept iifname $NAT_LAN_IFACES oifname $NAT_WAN_IFACES counter accept
iifname $WAN_IFACES oifname $NAT_LAN_IFACES ct state established,related counter accept iifname $NAT_WAN_IFACES oifname $NAT_LAN_IFACES ct state established,related counter accept
# allow lan clients to be publicly reachable
iifname "wg-he" oifname "br-lan" counter accept
# traffic from lan to all other vlans is allowed # traffic from lan to all other vlans is allowed
iifname "br-lan" oifname $VLAN_BRIDGES counter accept; iifname "br-lan" oifname $VLAN_BRIDGES counter accept;
iifname $VLAN_BRIDGES oifname "br-lan" ct state established,related counter accept iifname $VLAN_BRIDGES oifname "br-lan" ct state established,related counter accept
iifname $WAN_IFACES oifname "br-iot" ct state established,related counter accept iifname "br-iot" ip daddr @iot_ntp4 udp dport 123 counter accept
iifname "br-iot" ip6 daddr @iot_ntp6 udp dport 123 counter accept
iifname "br-printer" oifname "br-lan" ip daddr $STATIC_HOST_fuuko_address4 tcp dport { 21, 30000-30009 } counter accept iifname $NAT_WAN_IFACES oifname "br-iot" ct state established,related counter accept
iifname "br-printer" oifname "br-lan" ip6 daddr $STATIC_HOST_fuuko_address6 tcp dport { 21, 30000-30009 } counter accept
} }
} }
table ip nat { table inet nat {
chain postrouting { chain postrouting {
type nat hook postrouting priority filter; policy accept type nat hook postrouting priority filter; policy accept
oifname $NAT_WAN_IFACES masquerade oifname $NAT_WAN_IFACES masquerade
} }
} }
# Bypass HE tunnel by setting a firewall mark.
# This acts in two places that are handled separatly by nftables:
# Packets from the local host (output hook) and forwared packets (prerouting hook).
# To simplify the handling,
# there is a single chain that handles both,
# which is jumped to from the specific chains.
# Additionally, masquerading is allowed for all packages with a destination of the dynamic set.
table ip6 he-bypass {
# Dynamically managed by dnsmasq (based on resolved addresses).
set addresses {
type ipv6_addr
comment "IPv6 addresses for which the HE tunnel should be bypassed by using NAT on wan instead"
}
# This must be of type route, otherwise no route lookup will be performed
chain output {
type route hook output priority mangle
jump common
}
# This does not need to be of type route
chain prerouting {
type filter hook prerouting priority mangle
jump common
}
chain common {
ip6 daddr @addresses mark set 0x7974 counter
}
chain postrouting {
type nat hook postrouting priority filter; policy accept
oifname $NAT_WAN_IFACES ip6 daddr @addresses masquerade
}
}
table ip6 public-access {
chain input {
type filter hook input priority filter; policy accept
iifname "wg-he" oifname "br-lan" counter accept
}
}
# Only allow select connections from and to (physical) wan, # Only allow select connections from and to (physical) wan,
# overriding NixOS firewall in some cases. # overriding NixOS firewall in some cases.
table inet restrict-wan { table inet restrict-wan {
@ -116,7 +72,7 @@ table inet restrict-wan {
} }
# Traffic control # Traffic control
# Needs output and prerouting to match packets from localhost and lan # Neets output and prerouting to match packets from localhost and lan
table inet tc { table inet tc {
chain output { chain output {
type route hook output priority mangle type route hook output priority mangle
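Review bot: `table inet nat` with `oifname $NAT_WAN_IFACES masquerade` applies to IPv6 as well as IPv4 (the `ip` family would limit it to v4), so with the lab VLANs on `fd00:80:*::/64` ULA prefixes every forwarded v6 packet leaving enp1s0 is NAT66'd behind the WAN address. If that is intended, a comment on the table saying so (and that inbound v6 reachability of lab hosts is therefore not possible) would stop a later reader from "fixing" it; if not, `table ip nat {` restores v4-only masquerading. The comment `# Neets output and prerouting …` also has a typo for `# Needs …`. The `inet tc` table continues outside this hunk.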


@ -9,6 +9,5 @@
enable = true; enable = true;
listenAddress = config.sbruder.wireguard.home.address; listenAddress = config.sbruder.wireguard.home.address;
configurationPath = "${pkgs.prometheus-snmp-exporter.src}/snmp.yml"; configurationPath = "${pkgs.prometheus-snmp-exporter.src}/snmp.yml";
enableConfigCheck = false; # otherwise module fails to evaluate
}; };
} }


@ -9,17 +9,14 @@
./hardware-configuration.nix ./hardware-configuration.nix
../../modules ../../modules
./services/fuuko-proxy.nix # FIXME!
./services/media.nix ./services/media.nix
./services/murmur.nix
./services/restic.nix ./services/restic.nix
]; ];
sbruder = { sbruder = {
nginx.hardening.enable = true; nginx.hardening.enable = true;
restic = { restic.system.enable = true;
enable = true;
backups.system.enable = true;
};
wireguard.home.enable = true; wireguard.home.enable = true;
full = false; full = false;
infovhost.enable = true; infovhost.enable = true;
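Review bot: `./services/fuuko-proxy.nix # FIXME!` says nothing about what is broken or what must happen before this can ship, which a WIP marker on a file that publishes four hostnames through this host should do. Suggest `./services/fuuko-proxy.nix # FIXME: <what is missing before this may be enabled>` and, if the import must not go live yet, leaving it commented out instead of active. The `imports` list and the `sbruder` attrset both continue outside this hunk.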


@ -1,5 +1,4 @@
media-sb-proxy-auth: ENC[AES256_GCM,data:TFAS1PXu+jSt/orjYI1ffPbiCMCZgc22tU4coz9eEi7CyEaMvaKuQpgIPwZDBoL3r1yhXd+USya/PjEL9g3SCpuva5EXiJVYjV+mYaTxgrLx,iv:a5da4EuduMVVwEy0p2sz3XuAwdYFt+D9WgOs4oqQg6s=,tag:2BTqxnXIK+sWj/8RXVrYDg==,type:str] media-sb-proxy-auth: ENC[AES256_GCM,data:TFAS1PXu+jSt/orjYI1ffPbiCMCZgc22tU4coz9eEi7CyEaMvaKuQpgIPwZDBoL3r1yhXd+USya/PjEL9g3SCpuva5EXiJVYjV+mYaTxgrLx,iv:a5da4EuduMVVwEy0p2sz3XuAwdYFt+D9WgOs4oqQg6s=,tag:2BTqxnXIK+sWj/8RXVrYDg==,type:str]
murmur-superuser: ENC[AES256_GCM,data:D7EjnKZGSmx8ykVeKqSIAdV4Vql7ZkfEUw==,iv:I8SgiZrlCpyqNeBMJlzttFUJFGqQp5vHu6pMUz/0LoE=,tag:G6QMUh3v2QjxtoXUSoRqcA==,type:str]
restic-htpasswd: ENC[AES256_GCM,data:om9v+FXOEsOPP7LVntiwyqEKmiCLCwcmMgWBeHxcrlosYT4cElX3MHlu+NQAI0TPwc0mAog1tJyRcTfqK7uYszIzd75/Ig==,iv:7UBHmyqt/2hW9Aw1oRMZtZdOij5mjGF/8nmr3PAq/EI=,tag:TNcECUAdGtch8/bHbOJeNw==,type:str] restic-htpasswd: ENC[AES256_GCM,data:om9v+FXOEsOPP7LVntiwyqEKmiCLCwcmMgWBeHxcrlosYT4cElX3MHlu+NQAI0TPwc0mAog1tJyRcTfqK7uYszIzd75/Ig==,iv:7UBHmyqt/2hW9Aw1oRMZtZdOij5mjGF/8nmr3PAq/EI=,tag:TNcECUAdGtch8/bHbOJeNw==,type:str]
restic-rclone-ssh-key: ENC[AES256_GCM,data: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,iv:zYgnXzxGU2XJcjeclQT5bX6M1r5WG+Z0pZI7R4qpUU0=,tag:CbBUooyhUCkmKp+N6j4ySw==,type:str] restic-rclone-ssh-key: ENC[AES256_GCM,data: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,iv:zYgnXzxGU2XJcjeclQT5bX6M1r5WG+Z0pZI7R4qpUU0=,tag:CbBUooyhUCkmKp+N6j4ySw==,type:str]
rspamd-worker-controller: ENC[AES256_GCM,data:STf4vgVsYu6+WfpISKC0L69ixlM+cOiefO4qvHY2gYbV9FirRGxlUIRkmPwk+I6gYxKSC6D8ZTO3Bi2drEuWd8Yhuwjj9Rc1ja7b5UxaT5Q591Iof8S5RbXZKvaWMAQXVeAz4qkBaA==,iv:RzB3EHnzybbYO9E95ianu/Yl+chH7IPomvWG89mIGYU=,tag:yFSx97r/vkf3gVhIxMwcNw==,type:str] rspamd-worker-controller: ENC[AES256_GCM,data:STf4vgVsYu6+WfpISKC0L69ixlM+cOiefO4qvHY2gYbV9FirRGxlUIRkmPwk+I6gYxKSC6D8ZTO3Bi2drEuWd8Yhuwjj9Rc1ja7b5UxaT5Q591Iof8S5RbXZKvaWMAQXVeAz4qkBaA==,iv:RzB3EHnzybbYO9E95ianu/Yl+chH7IPomvWG89mIGYU=,tag:yFSx97r/vkf3gVhIxMwcNw==,type:str]
@ -11,8 +10,8 @@ sops:
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: [] age: []
lastmodified: "2024-06-01T12:03:28Z" lastmodified: "2023-04-29T10:17:21Z"
mac: ENC[AES256_GCM,data:KFlisFD6k06XqF6SoQTaMNFpIPYtOgHDFArQueGBcTgjfxzdaxA8AVH1ZBeyFeEFlf4EFfduYcfnqAaGWScOvVW+jVhN/InsNkGf7alPyJ2ifzUD9yhe2/gcOF+eZqPvbTfXsdyfyqkbK7kkRyoYC61T3KPnPzTWqDk/3Chm4k8=,iv:lUbhG5/o5iepukcXHs2FYfue04EJdAbfhX1N0e1C9eA=,tag:EvPEDPoRiLXzbWeHAjTMoQ==,type:str] mac: ENC[AES256_GCM,data:UfLbX+4uDg9Kp8v9lnq9RktT4ltpJYwOHBBPRhO79a1AmLXkp6GilaoMJYjkj0foL92vTUK10wIw547omySwJeY52pTGAvw1IXVaxNp395KLlMPl3EwLS3xj4c0bhzcVEyFl/fxG2gk6BJOzvQXaMYo4COEzDdK6ZDGZKZVKEAM=,iv:mR9Nq+s7wHeZdP6/gW9+zJd/wa1Y4Q5saACwnMOFOZQ=,tag:yYYF8/mKnbxzmPa6nWIGbA==,type:str]
pgp: pgp:
- created_at: "2024-01-22T00:20:08Z" - created_at: "2024-01-22T00:20:08Z"
enc: |- enc: |-
@ -83,4 +82,4 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 4EA330328CD0D3076E90960194DFA4953D8729DE fp: 4EA330328CD0D3076E90960194DFA4953D8729DE
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.7.3


@ -0,0 +1,27 @@
# SPDX-FileCopyrightText: 2022-2023 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ lib, ... }:
{
services.nginx.virtualHosts = builtins.listToAttrs (map
(fqdn: lib.nameValuePair fqdn {
enableACME = true;
forceSSL = true;
locations."/" = {
extraConfig = ''
proxy_pass http://fuuko.vpn.sbruder.de/;
proxy_set_header Host ${fqdn};
'';
proxyWebsockets = true;
};
})
[
"languagetool.sbruder.de"
"media.sbruder.de"
"photoprism.sbruder.de"
"torrent.sbruder.de"
]);
}
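Review bot: `proxy_pass` is written into `extraConfig` instead of the `proxyPass` option, and the NixOS nginx module includes its recommended proxy headers (`X-Forwarded-For`, `X-Real-IP`, `X-Forwarded-Proto`, …) only for locations that set `proxyPass`; if `recommendedProxySettings` is enabled for this host (not visible here), the upstream on fuuko would see this host's VPN address as the client, which breaks per-client logging and rate limiting behind the proxy. Suggested: `proxyPass = "http://fuuko.vpn.sbruder.de/";` together with `extraConfig = "proxy_set_header Host ${fqdn};";` — `proxyWebsockets = true` works with `proxyPass` as well. The upstream hop is plain HTTP over `vpn.sbruder.de` (presumably the WireGuard link configured elsewhere); a one-line comment noting that TLS terminates here and why the hop is trusted would document that choice.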


@ -15,10 +15,7 @@
sbruder = { sbruder = {
nginx.hardening.enable = true; nginx.hardening.enable = true;
full = false; full = false;
wireguard = { wireguard.home.enable = true;
he.enable = true;
home.enable = true;
};
infovhost.enable = true; infovhost.enable = true;
}; };


@ -1,4 +1,3 @@
wg-he-private-key: ENC[AES256_GCM,data:aTH+AUBgG2D1CUF0zp1OzTUBu5Td2J2fsq3EpYEUuPGQFA+EbAYS+4AEipg=,iv:vNkqtoixZ+I+C5L4Vbck3EhCYGKzzIvwHIjiNs5PPIQ=,tag:6SMQ9oqKd7FdLvQNt2SAYA==,type:str]
wg-home-private-key: ENC[AES256_GCM,data:0ylkx9p62CBGqVg+T52eHbMwbLcZM/v3tg/wJukDq76heN1TtQqbbqgVZKc=,iv:/aUkqKhihnBWQFLIRjS7kHigBCBXX7L4KY5q+cO9Q00=,tag:jQSMVElMfIyrG5hs7HuxUQ==,type:str] wg-home-private-key: ENC[AES256_GCM,data:0ylkx9p62CBGqVg+T52eHbMwbLcZM/v3tg/wJukDq76heN1TtQqbbqgVZKc=,iv:/aUkqKhihnBWQFLIRjS7kHigBCBXX7L4KY5q+cO9Q00=,tag:jQSMVElMfIyrG5hs7HuxUQ==,type:str]
sops: sops:
kms: [] kms: []
@ -6,8 +5,8 @@ sops:
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: [] age: []
lastmodified: "2024-08-28T13:24:49Z" lastmodified: "2024-01-02T22:37:47Z"
mac: ENC[AES256_GCM,data:fKT7rZ1Vid/oo0GRaoTd07Fdq3XqhM8godEck+x0gee9DTdl+kbVJEXejNS1aeyx7WveudrUCTm1y5s0mvRoClyPSgkAXT+UvZ6L+8MxZeInKMT0c5bKNDzJVlzXdNLJ6oQ4Oa1dkhs6dElkkyevb2KT02PRmGYB8hQki3YqdJM=,iv:fZYIDSROMeYj/D6hjiS8vZP566X3m8wcPdMzA+OQyxw=,tag:KqNu8I3AloRvqMnJIQy+zg==,type:str] mac: ENC[AES256_GCM,data:oBfM/DF/TfWJIW1VlvZ4Z+vBQxCmHm8J83pjILtHFBwU14f1H09iIsswY1xyAwO9wO3cttf4xjrSa6mGGUyQFqLdEzj8z/JkCm1vwpLZQW+j8FpRjH1ryyE6G/3eS5tboUZgmAwBPDsulJr3NBi121RHhZvWf1dv2T/J5IcZMxI=,iv://TpDpO8tNaibh8ABqE1AT6CPK62rtUZiFmYP9ST3MA=,tag:5SErG/jDycIdxX3ABOcsow==,type:str]
pgp: pgp:
- created_at: "2024-01-22T00:20:20Z" - created_at: "2024-01-22T00:20:20Z"
enc: |- enc: |-


@ -1,16 +1,14 @@
# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
{ config, ... }:
{ {
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"brennende.autos" = { "brennende.autos" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."~ .*".return = "303 'https://www.youtube.com/watch?v=ojToYs6nCnk&t=1684'"; locations."~ .*".return = "303 'https://iv.sbruder.xyz/watch?v=ojToYs6nCnk&t=1684'";
}; };
"www.brennende.autos" = { "www.brennende.autos" = {
enableACME = true; enableACME = true;
@ -18,60 +16,12 @@
globalRedirect = "https://brennende.autos/"; globalRedirect = "https://brennende.autos/";
}; };
"share.sbruder.de".locations."= /".extraConfig = ''
autoindex off;
'';
}; };
sbruder.static-webserver.vhosts = { sbruder.static-webserver.vhosts = {
"arbeitskampf.work".user = {
name = "arbeitskampf";
};
"maggus.bayern".user = {
name = "maggus";
keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAWGXaMijpnm3RSH/PIVxkBRDIi1f5nMW/aS26g3b71M nils"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEF8o2ezSEXwWoAcdoeJs+wsZM/u8x+vtRNU3FXOMIT nils"
] ++ config.sbruder.pubkeys.trustedKeys;
};
"psycho-power-papagei.de" = { "psycho-power-papagei.de" = {
user.name = "papagei"; user.name = "papagei";
imprint.enable = true; imprint.enable = true;
}; };
"salespointframework.org" = {
redirects = [
"www.salespointframework.org"
"salespointframe.work"
"www.salespointframe.work"
"verkaufspunktrahmenwerk.de"
"www.verkaufspunktrahmenwerk.de"
];
user.name = "salespoint";
};
"schulischer-schabernack.de" = {
redirects = [
"www.schulischer-schabernack.de"
"staging.schulischer-schabernack.de"
];
user.name = "schabernack";
};
"share.sbruder.de" = {
redirects = [ ];
user.name = "share";
};
}; };
services.nginx-interactive-index.virtualHosts = {
"share.sbruder.de".locations."/".enable = true;
};
sbruder.restic.backups.system.extraExcludes = [
config.sbruder.static-webserver.vhosts."share.sbruder.de".root
];
} }


@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
@ -7,16 +7,14 @@ let
cfg = config.sbruder.knot; cfg = config.sbruder.knot;
primaryHost = "vueko"; primaryHost = "vueko";
secondaryHosts = [ "renge" "okarin" "yuzuru" ]; secondaryHosts = [ "okarin" ];
isPrimaryHost = config.networking.hostName == primaryHost; isPrimaryHost = config.networking.hostName == primaryHost;
isSecondaryHost = lib.elem config.networking.hostName secondaryHosts; isSecondaryHost = lib.elem config.networking.hostName secondaryHosts;
addresses = { addresses = {
vueko = [ "168.119.176.53" "2a01:4f8:c012:2f4::1" ]; vueko = [ "168.119.176.53" "2a01:4f8:c012:2f4::1" ];
renge = [ "152.53.13.113" "2a03:4000:6b:d2::1" ]; okarin = [ "82.165.242.252" "2001:8d8:1800:8627::1" ];
okarin = [ "85.215.165.213" "2a01:239:24b:1c00::1" ];
yuzuru = [ "85.215.73.203" "2a02:247a:272:1600::1" ];
}; };
in in
{ {
@ -67,7 +65,12 @@ in
id = host; id = host;
address = hostAddresses; address = hostAddresses;
}) })
addresses); addresses) ++ lib.optional isPrimaryHost {
id = "inwx";
# INWX only allows the specification of one primary DNS,
# which limits the IP protocol usable for zone transfers to one.
address = lib.singleton "185.181.104.96";
};
} }
(lib.mkIf isPrimaryHost { (lib.mkIf isPrimaryHost {
policy = lib.singleton { policy = lib.singleton {
@ -85,7 +88,7 @@ in
zonefile-load = "difference-no-serial"; zonefile-load = "difference-no-serial";
journal-content = "all"; journal-content = "all";
# secondary # secondary
notify = secondaryHosts; notify = [ "inwx" ] ++ secondaryHosts;
# dnssec # dnssec
dnssec-signing = true; dnssec-signing = true;
dnssec-policy = "default"; dnssec-policy = "default";
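Review bot: The remote added as `id = "inwx"` carries no `key`, so unless an `acl` outside this hunk binds a TSIG key to it, NOTIFY messages and zone transfers towards 185.181.104.96 are authenticated by source address alone. If INWX offers TSIG for its secondary service, add `key = "<tsig-key-name>";` to the remote and reference the same key in the matching acl; if it does not, a short comment stating that this secondary is address-authenticated by provider limitation would spare the next reader the same check. The `remote` list this entry is appended to, and the acl section, both lie outside the hunk.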


@ -1,64 +1,36 @@
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2020-2022 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
printersPerServer = { gutenprintWithVersion = "gutenprint.${lib.versions.majorMinor (lib.getVersion pkgs.gutenprint)}";
fuuko = [
{
name = "etikettierviech";
deviceUri = "usb://SII/SLP650?serial=32152867B0";
model = "seiko/siislp650.ppd.gz";
}
];
};
in in
{ lib.mkIf config.sbruder.gui.enable {
options.sbruder.printing = { services = {
server.enable = lib.mkEnableOption "printing server"; printing = {
client.enable = (lib.mkEnableOption "printing client") // { default = config.sbruder.gui.enable; }; enable = true;
drivers = with pkgs; [
gutenprint
] ++ lib.optional config.sbruder.unfree.allowSoftware (cups-kyocera-ecosys-m552x-p502x.override {
# in Kyocera terms, EU means duplex enabled by default
region = "EU";
});
};
avahi.enable = true;
}; };
config = lib.mkMerge [
(lib.mkIf (config.sbruder.printing.client.enable || config.sbruder.printing.server.enable) { hardware.printers.ensurePrinters = [
services.printing = { {
enable = true; name = "ich_drucke_nicht";
drivers = with pkgs; [ deviceUri = "socket://192.168.178.26";
cups-sii-slp-400-600 model = "${gutenprintWithVersion}://bjc-TS3100-series/expert";
gutenprint }
]; ] ++ lib.optionals config.sbruder.unfree.allowSoftware [
}; {
}) name = "elma";
(lib.mkIf config.sbruder.printing.server.enable { deviceUri = "socket://elma.fritz.box";
services.printing = { model = "Kyocera/Kyocera ECOSYS P5021cdn.PPD";
stateless = true; }
startWhenNeeded = false; # cups.socket interferes with cups.service (cups.socket binds to IPv4, so cups.service can only bind to IPv6)
listenAddresses = [ "*:631" ];
allowFrom = [ "all" ];
openFirewall = true;
defaultShared = true;
extraConf = ''
ServerAlias fuuko.lan.shinonome-lab.de
'';
};
hardware.printers.ensurePrinters = printersPerServer.${config.networking.hostName};
})
(lib.mkIf config.sbruder.printing.client.enable {
services.avahi.enable = true;
hardware.printers.ensurePrinters = [
{
name = "etikettierviech";
model = "everywhere";
deviceUri = "ipps://fuuko.lan.shinonome-lab.de:631/printers/etikettierviech";
description = "SII SLP 650";
}
{
name = "bro";
model = "everywhere";
deviceUri = "ipps://bro.printer.shinonome-lab.de";
description = "brother DCP-L2660DW";
}
];
})
]; ];
} }


@ -33,20 +33,20 @@
./ausweisapp.nix ./ausweisapp.nix
./authoritative-dns.nix ./authoritative-dns.nix
./cups.nix ./cups.nix
./docker.nix
./fancontrol.nix ./fancontrol.nix
./flatpak.nix
./fonts.nix ./fonts.nix
./games.nix ./games.nix
./grub.nix ./grub.nix
./gui.nix ./gui.nix
./infovhost.nix ./infovhost.nix
./initrd-ssh.nix ./initrd-ssh.nix
./local-mail.nix
./locales.nix ./locales.nix
./logitech.nix ./logitech.nix
./mailserver ./mailserver
./media-mount.nix ./media-mount.nix
./media-proxy.nix ./media-proxy.nix
./mullvad
./network-manager.nix ./network-manager.nix
./nginx-interactive-index ./nginx-interactive-index
./nginx.nix ./nginx.nix
@ -54,9 +54,7 @@
./nix.nix ./nix.nix
./office.nix ./office.nix
./pipewire.nix ./pipewire.nix
./podman.nix
./prometheus/node_exporter.nix ./prometheus/node_exporter.nix
./prometheus/smartctl_exporter.nix
./pubkeys.nix ./pubkeys.nix
./qbittorrent ./qbittorrent
./restic ./restic
@ -69,7 +67,6 @@
./udev.nix ./udev.nix
./unfree.nix ./unfree.nix
./wireguard ./wireguard
./wkd
]; ];
config = lib.mkMerge [ config = lib.mkMerge [
@ -81,11 +78,9 @@
git-lfs # not so essential, but required to clone config git-lfs # not so essential, but required to clone config
htop htop
tmux tmux
vim
]; ];
programs.nano.enable = false;
programs.vim.defaultEditor = true;
# Clean temporary files on boot # Clean temporary files on boot
boot.tmp.cleanOnBoot = true; boot.tmp.cleanOnBoot = true;
@ -113,8 +108,6 @@
# Support for exotic file systems # Support for exotic file systems
boot.supportedFilesystems = lib.optional config.sbruder.full "ntfs"; boot.supportedFilesystems = lib.optional config.sbruder.full "ntfs";
programs.ssh.startAgent = lib.mkDefault (!config.sbruder.gui.enable);
# When this is set to true (default), routing everything through a # When this is set to true (default), routing everything through a
# wireguard tunnel does not work. # wireguard tunnel does not work.
networking.firewall.checkReversePath = false; networking.firewall.checkReversePath = false;
@ -166,21 +159,11 @@
(lib.mkIf (!config.sbruder.machine.isVm) { (lib.mkIf (!config.sbruder.machine.isVm) {
# Hard drive monitoring # Hard drive monitoring
services.smartd.enable = lib.mkDefault true; services.smartd.enable = lib.mkDefault true;
# Firmware updates (only work on EFI systems, so enable only when using systemd-boot) # Firmware updates
services.fwupd.enable = lib.mkDefault (config.boot.loader.systemd-boot.enable); services.fwupd.enable = lib.mkDefault true;
}) })
(lib.mkIf (!config.sbruder.full) { (lib.mkIf (!config.sbruder.full) {
documentation.enable = lib.mkDefault false; documentation.enable = lib.mkDefault false;
}) })
(lib.mkIf (config.services.resolved.enable) {
# With NixOSs default database order for hosts,
# resolving the FQDN with hostname -f always returns “localhost”
# when resolved is enabled.
# This changes the priority of the files database,
# which fixes this.
# This workaround was taken from
# https://github.com/NixOS/nixpkgs/issues/132646#issuecomment-1782684381
system.nssDatabases.hosts = lib.mkOrder 500 [ "files" ];
})
]; ];
} }

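--- a/modules/docker.nix
+++ b/modules/docker.nix
@@ -0,0 +1,47 @@
+# SPDX-FileCopyrightText: 2020-2021 Simon Bruder <simon@sbruder.de>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+{ config, lib, pkgs, ... }:
+{
+# This uses a custom option (instead of `virtualisation.docker.enable`) since
+# `virtualisation.oci-containers` conditionally sets
+# `virtualisation.docker.enable` and therefore causes an infinite recursion.
+options.sbruder.docker.enable = lib.mkEnableOption "docker with ipv6nat";
+config = lib.mkIf config.sbruder.docker.enable {
+environment.systemPackages = with pkgs; [
+docker-compose
+docker-credential-helpers
+docker-ls
+];
+virtualisation = {
+docker = {
+enable = true;
+logDriver = "journald";
+extraOptions = lib.concatStringsSep " " [
+"--ipv6"
+"--fixed-cidr-v6=fd00:d0ce:d0ce:d0ce::/64"
+];
+};
+oci-containers.containers.ipv6nat = {
+image = "robbertkl/ipv6nat";
+volumes = [
+"/var/run/docker.sock:/var/run/docker.sock:ro"
+];
+extraOptions = [
+"--network=host"
+"--cap-drop=ALL"
+"--cap-add=NET_ADMIN"
+"--cap-add=NET_RAW"
+"--cap-add=SYS_MODULE"
+];
+};
+};
+environment.etc."modules-load.d/ipv6nat.conf".text = "ip6_tables\n";
+};
+}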
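Review bot: `--cap-add=SYS_MODULE` in the ipv6nat container's `extraOptions` grants kernel-module loading, which is host-root-equivalent, so the preceding `--cap-drop=ALL` buys little containment; the `/var/run/docker.sock` mount is likewise root-equivalent regardless of `:ro` (the flag only blocks creating files on the bind mount, not API calls through the socket). Since `ip6_tables` is already loaded at boot through `modules-load.d/ipv6nat.conf`, SYS_MODULE may be droppable if the other modules the image needs (presumably the ip6table_nat/nf_nat family — confirm from the image's documentation) are added to that file. The image is also pulled by its bare `robbertkl/ipv6nat` name, i.e. a mutable tag; pinning a digest (`image = "robbertkl/ipv6nat@sha256:<digest>";`) keeps a registry-side change from reaching a container that holds the Docker socket. A comment next to `extraOptions` recording that this container is fully trusted by design would at least make the decision explicit.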


@ -1,19 +0,0 @@
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
#
# Flatpak is only used for programs that are not easily installable natively.
# They should always be confined as much as possible using Flatseal.
#
# To make Flatpak work with Flathub,
# the following command must be run imperatively:
#
# flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
#
# The full guide is available on https://flathub.org/setup/NixOS,
# though the restart step is not necessary.
{ config, lib, ... }:
lib.mkIf config.sbruder.gui.enable {
services.flatpak.enable = true;
}


@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
@ -9,15 +9,15 @@ let
family = "Iosevka sbruder"; family = "Iosevka sbruder";
spacing = "term"; spacing = "term";
serifs = "sans"; serifs = "sans";
noCvSs = false; no-cv-ss = false;
exportGlyphNames = true; export-glyph-names = true;
variants = { variants = {
inherits = "ss20"; inherits = "ss20";
design = { design = {
capital-g = "toothless-rounded-serifless-hooked"; capital-g = "toothless-rounded-serifless-hooked";
four = "closed-serifless"; four = "closed";
six = "closed-contour"; six = "closed-contour";
nine = "closed-contour"; nine = "closed-contour";
number-sign = "upright-tall"; number-sign = "upright-tall";


@ -1,32 +0,0 @@
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ config, pkgs, ... }:
{
sops.secrets.system-mail.sopsFile = ../secrets/local-mail.yaml;
programs.msmtp = {
enable = true;
setSendmail = true;
accounts.default = {
host = "vueko.sbruder.de";
port = "465";
tls = "on";
tls_starttls = "off";
from = ''"system+%U@%H"@sbruder.de'';
allow_from_override = "off";
auth = "on";
user = "system@sbruder.de";
passwordeval = "cat ${config.sops.secrets.system-mail.path}";
aliases = pkgs.writeText "msmtp-aliases" ''
default: simon@sbruder.de
'';
};
};
boot.swraid.mdadmConf = ''
MAILFROM "mdadm on ${config.networking.hostName}" <"system+root@${config.networking.hostName}"@sbruder.de>
MAILADDR simon@sbruder.de
'';
}


@ -69,12 +69,6 @@ in
"postmaster@example.com" "postmaster@example.com"
]; ];
}; };
localOnly = mkOption {
type = bool;
description = "Whether the user should only be able to send mails to local domains.";
default = false;
example = true;
};
}; };
}); });
description = "Users of the mail server"; description = "Users of the mail server";


@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
@ -38,58 +38,14 @@ lib.mkIf cfg.enable {
Spam = { specialUse = "Junk"; auto = "subscribe"; }; Spam = { specialUse = "Junk"; auto = "subscribe"; };
}; };
mailPlugins.perProtocol = { sieveScripts = {
imap.enable = [ "imap_sieve" ]; before = pkgs.writeText "spam.sieve" ''
lmtp.enable = [ "sieve" ]; require "fileinto";
};
sieve = { if header :is "X-Spam" "Yes" {
scripts = { fileinto "Spam";
before = pkgs.writeText "spam.sieve" '' }
require "fileinto"; '';
if header :is "X-Spam" "Yes" {
fileinto "Spam";
}
'';
};
extensions = [ "fileinto" ];
pipeBins = lib.mkIf cfg.spam.enable [
"${pkgs.rspamd}/bin/rspamc"
];
};
imapsieve.mailbox = lib.mkIf cfg.spam.enable [
{
name = "Spam";
causes = [ "COPY" ];
before = pkgs.writeText "learn-spam.sieve" ''
require ["vnd.dovecot.pipe", "copy", "imapsieve"];
pipe :copy "rspamc" ["learn_spam"];
'';
}
{
name = "*";
from = "Spam";
causes = [ "COPY" ];
before = pkgs.writeText "learn-ham.sieve" ''
require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];
if environment :matches "imap.mailbox" "*" {
set "mailbox" "''${1}";
}
if string "''${mailbox}" "Trash" {
stop;
}
pipe :copy "rspamc" ["learn_ham"];
'';
}
];
pluginSettings = {
sieve = "file:/var/lib/sieve/%d/%n/scripts;active=/var/lib/sieve/%d/%n/active.sieve";
}; };
extraConfig = '' extraConfig = ''
@ -100,6 +56,14 @@ lib.mkIf cfg.enable {
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl_prefer_server_ciphers = no ssl_prefer_server_ciphers = no
protocol imap {
mail_plugins = $mail_plugins imap_sieve
}
protocol lmtp {
mail_plugins = $mail_plugins sieve
}
service imap-login { service imap-login {
inet_listener imap { inet_listener imap {
} }
@ -134,6 +98,25 @@ lib.mkIf cfg.enable {
lda_mailbox_autosubscribe = yes lda_mailbox_autosubscribe = yes
lda_mailbox_autocreate = yes lda_mailbox_autocreate = yes
plugin {
sieve_plugins = sieve_imapsieve sieve_extprograms
sieve = file:/var/lib/sieve/%d/%n/scripts;active=/var/lib/sieve/%d/%n/active.sieve
${lib.optionalString cfg.spam.enable ''
imapsieve_mailbox1_name = Spam
imapsieve_mailbox1_causes = COPY
imapsieve_mailbox1_before = file:/var/lib/dovecot/sieve/learn-spam.sieve
imapsieve_mailbox2_name = *
imapsieve_mailbox2_from = Spam
imapsieve_mailbox2_causes = COPY
imapsieve_mailbox2_before = file:/var/lib/dovecot/sieve/learn-ham.sieve
sieve_pipe_bin_dir = ${pkgs.symlinkJoin { name = "sieve-pipe-bin-dir"; paths = with pkgs; [ rspamd ]; } }/bin
''}
sieve_global_extensions = +vnd.dovecot.pipe
}
service managesieve-login { service managesieve-login {
inet_listener sieve { inet_listener sieve {
port = 4190 port = 4190
@ -144,6 +127,33 @@ lib.mkIf cfg.enable {
systemd.services.dovecot2 = { systemd.services.dovecot2 = {
wants = [ "acme-finished-${cfg.fqdn}.target" ]; wants = [ "acme-finished-${cfg.fqdn}.target" ];
after = [ "acme-finished-${cfg.fqdn}.target" ]; after = [ "acme-finished-${cfg.fqdn}.target" ];
preStart = lib.mkIf cfg.spam.enable
(lib.mkAfter
(lib.concatStrings
(lib.mapAttrsToList
(name: content: ''
cp ${pkgs.writeText name content} /var/lib/dovecot/sieve/${name}
'')
{
"learn-spam.sieve" = ''
require ["vnd.dovecot.pipe", "copy", "imapsieve"];
pipe :copy "rspamc" ["learn_spam"];
'';
"learn-ham.sieve" = ''
require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];
if environment :matches "imap.mailbox" "*" {
set "mailbox" "''${1}";
}
if string "''${mailbox}" "Trash" {
stop;
}
pipe :copy "rspamc" ["learn_ham"];
'';
})));
}; };
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
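Review bot: The `preStart` added under `systemd.services.dovecot2` copies the two sieve scripts into `/var/lib/dovecot/sieve`, but nothing in this hunk creates that directory, so on a fresh host the first start fails unless it is provisioned elsewhere; the enclosing `lib.mkIf cfg.enable` set starts and ends outside the hunk. Either prefix the copy with `mkdir -p /var/lib/dovecot/sieve`, or point `imapsieve_mailbox1_before`/`imapsieve_mailbox2_before` at the `pkgs.writeText` store paths directly, which removes the copy step and the mutable runtime state entirely (at the cost of Pigeonhole not being able to cache compiled binaries beside the script — confirm that is acceptable). Separately, in the `plugin { … }` block `sieve_global_extensions = +vnd.dovecot.pipe` sits outside the `cfg.spam.enable` guard while `sieve_pipe_bin_dir` is inside it, so the pipe extension is enabled for global scripts even when no pipe binaries are configured; moving that line into the `optionalString` keeps the two settings tied to the feature that needs them.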


@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
@ -39,11 +39,10 @@ let
cfg.cleanHeaders); cfg.cleanHeaders);
in in
lib.mkIf cfg.enable { lib.mkIf cfg.enable {
security.dhparams.params.postfix = { };
services.postfix = { services.postfix = {
enable = true; enable = true;
setSendmail = lib.mkForce false;
enableSubmission = true; # plain/STARTTLS (latter is forced in submissionOptions) enableSubmission = true; # plain/STARTTLS (latter is forced in submissionOptions)
enableSubmissions = true; # submission with implicit TLS (TCP/465) enableSubmissions = true; # submission with implicit TLS (TCP/465)
@ -56,20 +55,6 @@ lib.mkIf cfg.enable {
mapFiles = { mapFiles = {
inherit valiases; inherit valiases;
restricted_senders = pkgs.writeText "restricted_senders"
(lib.concatStringsSep
"\n"
(lib.flatten
(map
(user: (map (address: "${address} local_only") ([ user.address ] ++ user.aliases)))
(lib.filter (user: user.localOnly) cfg.users))));
local_domains = pkgs.writeText "local_domains"
(lib.concatMapStringsSep
"\n"
(domain: "${domain} OK")
cfg.domains);
}; };
config = { config = {
@ -102,21 +87,6 @@ lib.mkIf cfg.enable {
"reject_unknown_sender_domain" "reject_unknown_sender_domain"
]; ];
# cant be in submissionOptions (which does not support spaces in NixOS)
submission_sender_restrictions = listToString [
"reject_sender_login_mismatch"
"check_sender_access hash:/etc/postfix/restricted_senders"
];
smtpd_restriction_classes = listToString [
"local_only"
];
local_only = listToString [
"check_recipient_access hash:/etc/postfix/local_domains"
"reject"
];
# generated 2021-02-04, Mozilla Guideline v5.6, Postfix 3.5.6, OpenSSL 1.1.1i, intermediate configuration # generated 2021-02-04, Mozilla Guideline v5.6, Postfix 3.5.6, OpenSSL 1.1.1i, intermediate configuration
# https://ssl-config.mozilla.org/#server=postfix&version=3.5.6&config=intermediate&openssl=1.1.1i&guideline=5.6 # https://ssl-config.mozilla.org/#server=postfix&version=3.5.6&config=intermediate&openssl=1.1.1i&guideline=5.6
smtpd_tls_security_level = "may"; smtpd_tls_security_level = "may";
@ -125,7 +95,6 @@ lib.mkIf cfg.enable {
smtpd_tls_protocols = "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1"; smtpd_tls_protocols = "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1";
smtpd_tls_mandatory_ciphers = "medium"; smtpd_tls_mandatory_ciphers = "medium";
smtpd_tls_loglevel = "1"; smtpd_tls_loglevel = "1";
smtpd_tls_received_header = "yes"; # add TLS connection details to Received header
tls_medium_cipherlist = listToString [ tls_medium_cipherlist = listToString [
"ECDHE-ECDSA-AES128-GCM-SHA256" "ECDHE-ECDSA-AES128-GCM-SHA256"
@ -138,6 +107,8 @@ lib.mkIf cfg.enable {
"DHE-RSA-AES256-GCM-SHA384" "DHE-RSA-AES256-GCM-SHA384"
]; ];
tls_preempt_cipherlist = "no"; tls_preempt_cipherlist = "no";
smtpd_tls_dh1024_param_file = config.security.dhparams.params.postfix.path;
}; };
# plain/STARTTLS (forced with smtpd_tls_security_level) # plain/STARTTLS (forced with smtpd_tls_security_level)
@ -156,7 +127,9 @@ lib.mkIf cfg.enable {
"reject" "reject"
]; ];
smtpd_sender_restrictions = "$submission_sender_restrictions"; smtpd_sender_restrictions = listToString [
"reject_sender_login_mismatch"
];
cleanup_service_name = "submission-header-cleanup"; cleanup_service_name = "submission-header-cleanup";
}; };
@ -167,7 +140,6 @@ lib.mkIf cfg.enable {
# Postscreen # Postscreen
smtpd = { smtpd = {
type = "pass"; type = "pass";
args = [ "-o" "smtpd_discard_ehlo_keywords=silent-discard,dsn" ];
}; };
smtp_inet = { smtp_inet = {
# Partially overrides upstream # Partially overrides upstream


@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
@ -23,7 +23,6 @@ in
# otherwise name resolution fails # otherwise name resolution fails
systemd.services.nginx.after = [ "network-online.target" ]; systemd.services.nginx.after = [ "network-online.target" ];
systemd.services.nginx.wants = [ "network-online.target" ];
services.nginx = { services.nginx = {
enable = true; enable = true;
commonHttpConfig = '' commonHttpConfig = ''


@ -0,0 +1,66 @@
# SPDX-FileCopyrightText: 2021-2022 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ config, lib, pkgs, ... }:
let
relays = builtins.fromJSON (builtins.readFile ./relays.json);
cfg = config.sbruder.mullvad;
relayConfigs = lib.mapAttrs'
(name: configuration: lib.nameValuePair "mlv-${name}.conf" (with configuration; ''
[Interface]
DNS = ${cfg.dnsServer}
[Peer]
Endpoint = ${if cfg.ipVersion == 4 then endpoint4 else endpoint6}:${toString cfg.port}
PublicKey = ${pubkey}
AllowedIPs = 0.0.0.0/0,::0/0
''))
relays;
# Creating 100+ files in a separate derivation each has too much overhead
relayConfigFiles = pkgs.runCommandNoCC "etc-wireguard-mullvad" { } (''
mkdir $out
'' + (lib.concatStringsSep
"\n"
(lib.mapAttrsToList
(name: content: ''
cat > $out/${lib.escapeShellArg name} << EOF
${content}
EOF
'')
relayConfigs)));
in
{
options.sbruder.mullvad = {
enable = lib.mkEnableOption "wg-quick compatible configuration files in /etc/wireguard for Mullvad VPN";
dnsServer = lib.mkOption {
type = lib.types.str;
default = "193.138.218.74";
};
ipVersion = lib.mkOption {
type = lib.types.enum [ 4 6 ];
default = 4;
};
port = lib.mkOption {
type = lib.types.port;
default = 51820;
};
};
config = lib.mkIf cfg.enable {
environment = {
etc = builtins.listToAttrs
(map
(name: lib.nameValuePair "wireguard/${name}" { source = "${relayConfigFiles}/${name}"; })
(lib.attrNames relayConfigs));
systemPackages = lib.singleton (pkgs.runCommandNoCC "mullvad-on-demand" { } ''
install -D ${./mullvad.sh} $out/bin/mullvad
install -D ${./mullvad-fzf.sh} $out/bin/mullvad-fzf
'');
};
};
}
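Review bot: The heredoc in `relayConfigFiles` uses an unquoted delimiter (`<< EOF`), so `$`, backticks and backslashes inside `${content}` are expanded by the build shell; every value that ends up in `content` is taken from `relays.json`, which `update.sh` fetches from a remote API, so a hostile or malformed relay list would become shell code in the builder rather than merely a broken config file. Quoting the delimiter — `cat > $out/${lib.escapeShellArg name} << 'EOF'` — closes that, since the Nix-side interpolation is already complete by the time the shell runs. The three options under `options.sbruder.mullvad` have no `description`; `dnsServer`'s default `193.138.218.74` in particular deserves a one-line note on what it is, and a comment on `relayConfigs` saying that `PrivateKey` and `Address` are deliberately absent because the files land world-readable in the store would keep that rationale next to the code instead of only in `mullvad.sh`.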

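--- a/modules/mullvad/mullvad-fzf.sh
+++ b/modules/mullvad/mullvad-fzf.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+# SPDX-FileCopyrightText: 2022 Simon Bruder <simon@sbruder.de>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+mullvad $(find /etc/wireguard -name "mlv-*.conf" -printf "%f\n" | sed 's/mlv-\(.*\)\.conf/\1/' | fzf)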
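Review bot: The selection in `mullvad $(find … | fzf)` is unquoted and unchecked, so an aborted fzf yields an empty expansion and `mullvad` is invoked with no argument, and unlike its siblings `mullvad.sh` and `update.sh` this script sets no `set -euo pipefail`. Capturing the choice first keeps the failure explicit: `location=$(find /etc/wireguard -name "mlv-*.conf" -printf "%f\n" | sed 's/mlv-\(.*\)\.conf/\1/' | fzf) || exit 1` followed by `mullvad "$location"`.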

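--- a/modules/mullvad/mullvad.sh
+++ b/modules/mullvad/mullvad.sh
@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+# SPDX-FileCopyrightText: 2021-2022 Simon Bruder <simon@sbruder.de>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# This reads wg-quick compatible configuration files from
+# /etc/wireguard/mlv-LOCATION.conf
+#
+# Since they are autogenerated by nix and therefore world-readable, they do not
+# include secrets like the private key and client address. Instead, they are
+# manually added after wg-quick set up the tunnel by retrieving them with
+# pass(1) from web/mullvad.net/wireguard.
+#
+# Format of pass entry:
+# PrivateKey: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
+# Address4: 10.0.0.1/32
+# Address6: fd00::1/128
+set -euo pipefail
+if (( $# < 1 )); then
+echo "USAGE: $0 LOCATION|off" >&2
+exit 1
+fi
+INTERFACE="mlv-$1"
+cmd() {
+echo "[#] $*" >&2
+sudo "$@"
+}
+for interface in /sys/class/net/*; do
+interface="${interface#/sys/class/net/}"
+[[ $interface =~ ^mlv-(v6-)?[a-z]{2}(-[a-z]{3}-)?[0-9]*$ ]] && cmd wg-quick down "$interface"
+done
+if [ "$1" != "off" ]; then
+# Make sure gpg-agent is unlocked so the period where the interface exists but
+# no private key is set is minised.
+pass web/mullvad.net/wireguard >/dev/null
+cmd wg-quick up "$INTERFACE"
+pass web/mullvad.net/wireguard | while read -r line; do
+key="${line%%: *}"
+value="${line#*: }"
+case "$key" in
+PrivateKey)
+cmd wg set "$INTERFACE" private-key /dev/stdin <<< "$value"
+continue
+;;
+Address4)
+cmd ip -4 address add "$value" dev "$INTERFACE"
+continue
+;;
+Address6)
+cmd ip -6 address add "$value" dev "$INTERFACE"
+continue
+;;
+*)
+echo "Invalid key '$key'"
+exit 1
+esac
+done
+fi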
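Review bot: If anything after `cmd wg-quick up "$INTERFACE"` fails — `pass` returning non-zero, an unexpected key reaching the `*)` branch, `wg set` rejecting the value — `set -e` aborts the script but leaves the interface up with `AllowedIPs = 0.0.0.0/0` and no private key, so all traffic is routed into a dead tunnel until `wg-quick down` is run by hand. Installing `trap 'cmd wg-quick down "$INTERFACE"' ERR` immediately before the `wg-quick up` line (and `trap - ERR` after the loop) turns that into a clean rollback. The `*)` branch should also report on stderr like the usage message does: `echo "Invalid key '$key'" >&2`. The comment above the first `pass` call reads "minised" where "minimised" is meant.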

2077
modules/mullvad/relays.json Normal file



@ -0,0 +1,3 @@
SPDX-FileCopyrightText: 2021-2023 Mullvad VPN AB
SPDX-License-Identifier: CC0-1.0

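--- a/modules/mullvad/update.sh
+++ b/modules/mullvad/update.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+# SPDX-FileCopyrightText: 2021-2022 Simon Bruder <simon@sbruder.de>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# This gets the current wireguard relay list from mullvads API and transforms
+# it into a format that takes up less space than the original response.
+set -euo pipefail
+curl -s 'https://api.mullvad.net/www/relays/wireguard/' | jq '. | map({
+key: (if .hostname | endswith("-wireguard") then .hostname | split("-")[0] else .hostname | sub("-wg-"; "-") end),
+value: {
+endpoint4: .ipv4_addr_in,
+endpoint6: .ipv6_addr_in,
+pubkey: .pubkey
+}
+}) | from_entries' > relays.json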
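Review bot: The shell opens and truncates `relays.json` before `curl` runs, and `curl -s` has no `--fail`, so a network error, a non-2xx response or a jq parse failure leaves the committed relay list empty or partially written; because `default.nix` turns that file into config files and builder shell input, a bad list propagates into every build. Write the output to a temporary file and move it into place only after the pipeline succeeds, and use `curl -sSf` so HTTP errors stop the pipeline instead of being fed to jq. A comment naming the API fields the jq program depends on (`hostname`, `ipv4_addr_in`, `ipv6_addr_in`, `pubkey`) would make the next upstream schema change easier to spot.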


@ -11,14 +11,6 @@ in
hardening.enable = lib.mkEnableOption "nginx hardening"; hardening.enable = lib.mkEnableOption "nginx hardening";
privacy.enable = (lib.mkEnableOption "nginx privacy options") // { default = true; }; privacy.enable = (lib.mkEnableOption "nginx privacy options") // { default = true; };
recommended.enable = (lib.mkEnableOption "recommended options") // { default = true; }; recommended.enable = (lib.mkEnableOption "recommended options") // { default = true; };
proxyv4 = {
enable = (lib.mkEnableOption "PROXY protocol for IPv4 connections");
trustedAddresses = (lib.mkOption {
type = lib.types.listOf lib.types.str;
description = "Trusted addresses which can override the source address";
default = [ "10.0.0.0/8" "127.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" ];
});
};
}; };
config = lib.mkMerge [ config = lib.mkMerge [
@ -35,12 +27,9 @@ in
''; '';
}) })
(lib.mkIf cfg.privacy.enable { (lib.mkIf cfg.privacy.enable {
services.nginx = { services.nginx.commonHttpConfig = ''
logError = "stderr crit"; # error (the default severity) logs potential PII (IP addresses) on 404 errors access_log off;
commonHttpConfig = '' '';
access_log off;
'';
};
}) })
(lib.mkIf cfg.recommended.enable { (lib.mkIf cfg.recommended.enable {
services.nginx = { services.nginx = {
@ -50,22 +39,5 @@ in
recommendedTlsSettings = lib.mkDefault true; recommendedTlsSettings = lib.mkDefault true;
}; };
}) })
(lib.mkIf cfg.proxyv4.enable {
services.nginx = {
commonHttpConfig = (lib.concatMapStrings
(address: ''
set_real_ip_from ${address};
'')
cfg.proxyv4.trustedAddresses) + ''
real_ip_header proxy_protocol;
'';
defaultListen = [
{ addr = "[::]"; port = 80; ssl = false; }
{ addr = "0.0.0.0"; port = 80; proxyProtocol = true; ssl = false; }
{ addr = "[::]"; port = 443; ssl = true; }
{ addr = "0.0.0.0"; port = 443; proxyProtocol = true; ssl = true; }
];
};
})
]; ];
} }


@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
@ -25,12 +25,16 @@ let
in in
{ {
nix = { nix = {
channel.enable = false;
registry = with inputs; { registry = with inputs; {
nixpkgs.flake = nixpkgs;
nixpkgs-unstable.flake = nixpkgs-unstable; nixpkgs-unstable.flake = nixpkgs-unstable;
}; };
nixPath = [
"nixpkgs=${inputs.nixpkgs}"
"nixpkgs-overlays=${overlaysCompat}"
];
settings = { settings = {
# Make sudoers trusted nix users # Make sudoers trusted nix users
trusted-users = [ "@wheel" ]; trusted-users = [ "@wheel" ];
@ -39,13 +43,6 @@ in
auto-optimise-store = true; auto-optimise-store = true;
experimental-features = "nix-command flakes"; experimental-features = "nix-command flakes";
# nix.nixPath does not work when nix.channel.enable == false (for some reason)
nix-path = [
"nixpkgs-overlays=${overlaysCompat}"
"nixpkgs=flake:nixpkgs"
"nixpkgs-unstable=flake:nixpkgs-unstable"
];
} // (lib.optionalAttrs config.sbruder.full { } // (lib.optionalAttrs config.sbruder.full {
# Keep output of derivations with gc root # Keep output of derivations with gc root
keep-outputs = true; keep-outputs = true;


@ -1,30 +0,0 @@
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ config, lib, pkgs, ... }:
{
options.sbruder.podman.enable = lib.mkEnableOption "podman";
config = lib.mkIf config.sbruder.podman.enable {
boot.enableContainers = false; # FIXME: this only needs to be set for some stateVersions
environment.systemPackages = with pkgs; [
buildah
passt # required by buildah by default
podman-compose
skopeo
];
virtualisation = {
podman = {
enable = true;
dockerSocket.enable = true;
defaultNetwork.settings = {
ipv6_enabled = true;
};
};
};
};
}


@ -8,10 +8,7 @@
enable = config.sbruder.wireguard.home.enable; enable = config.sbruder.wireguard.home.enable;
listenAddress = config.sbruder.wireguard.home.address; listenAddress = config.sbruder.wireguard.home.address;
enabledCollectors = [ "systemd" ]; enabledCollectors = [ "systemd" ];
disabledCollectors = [ disabledCollectors = [ "rapl" ];
"arp.netlink" # https://github.com/prometheus/node_exporter/issues/2849
"rapl"
];
}; };
systemd.services.prometheus-node-exporter.after = [ "wireguard-wg-home.service" ]; systemd.services.prometheus-node-exporter.after = [ "wireguard-wg-home.service" ];
