
1 commit

Author SHA1 Message Date
Simon Bruder a17791658a
catering WIP 2024-01-26 23:44:01 +01:00
62 changed files with 666 additions and 976 deletions


@ -15,11 +15,10 @@ keys:
- &mayushii 23EEDF49AAF1B41DCD1CD10F44A37FA8C15053B3 - &mayushii 23EEDF49AAF1B41DCD1CD10F44A37FA8C15053B3
- &renge 06a917fc4a2a1b6b0f69a830285075cac85b7035 - &renge 06a917fc4a2a1b6b0f69a830285075cac85b7035
- &nunotaba 3176be14f468c6d43ab2206b4f273abccd49806b - &nunotaba 3176be14f468c6d43ab2206b4f273abccd49806b
- &okarin e7370b48016c961ef8ad792fda66b19d845b3156 - &okarin 868497ac4266a4d137e0718ae5fc3caa3b8107aa
- &shinobu 28677f2e3584b39f528a779caf445ebb39c882b7 - &shinobu 28677f2e3584b39f528a779caf445ebb39c882b7
- &nazuna 0b8be5d87a10a0e68dda97212c4befad1f9e915c - &nazuna 0b8be5d87a10a0e68dda97212c4befad1f9e915c
- &yuzuru a1ee5bc0249163a047440ef2649e770ec6ea16e4 - &yuzuru a1ee5bc0249163a047440ef2649e770ec6ea16e4
- &koyomi a53d4ca8d2cf54613822c81d660e69babee42643
creation_rules: creation_rules:
- path_regex: machines/nunotaba/secrets\.yaml$ - path_regex: machines/nunotaba/secrets\.yaml$
key_groups: key_groups:
@ -98,13 +97,6 @@ creation_rules:
- *simon-alpha - *simon-alpha
- *simon-beta - *simon-beta
- *yuzuru - *yuzuru
- path_regex: machines/koyomi/secrets\.yaml$
key_groups:
- pgp:
- *simon
- *simon-alpha
- *simon-beta
- *koyomi
- path_regex: secrets\.yaml$ - path_regex: secrets\.yaml$
key_groups: key_groups:
- pgp: - pgp:
@ -117,4 +109,3 @@ creation_rules:
- *fuuko - *fuuko
- *mayushii - *mayushii
- *renge - *renge
- *koyomi
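Review bot: The `&okarin` anchor in the `keys:` list now resolves to `868497ac4266a4d137e0718ae5fc3caa3b8107aa` instead of `e7370b48016c961ef8ad792fda66b19d845b3156`, and nothing visible on this page shows the secrets files whose rules list `*okarin` being re-encrypted. Editing `.sops.yaml` only affects files created afterwards; existing files keep their old recipient list until `sops updatekeys <file>` is run on each of them, so the host holding the new key may be unable to decrypt at activation. If the old key is being retired because it is no longer trusted, the values it could read also need rotating, since the earlier ciphertexts remain in git history. Other files in this comparison move copyright years and lock pins backwards on the new side, which suggests the branch may predate the base; if so, this fingerprint change and the removal of the `*koyomi` recipients are unintended reverts and should be rebased out.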


@ -143,10 +143,3 @@ so always consult the file header and other resources as specified in the REUSE
Please note that those licensing terms only apply to the source files in this repository, Please note that those licensing terms only apply to the source files in this repository,
not any build outputs, like system or package closures. not any build outputs, like system or package closures.
They might be licensed differently, depending on their source. They might be licensed differently, depending on their source.
If you think you have a compelling reason
why you should be able to use part of this repository under a more permissive license,
please contact me,
so we can figure something out.
Please note, that I can only offer this for files that are solely authored by me,
as I do not own the rights to other peoples code.


@ -26,11 +26,11 @@
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1696426674, "lastModified": 1673956053,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra", "owner": "edolstra",
"repo": "flake-compat", "repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -44,11 +44,11 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1710146030, "lastModified": 1701680307,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -65,11 +65,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1709087332, "lastModified": 1660459072,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "gitignore.nix", "repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394", "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -85,11 +85,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1715381426, "lastModified": 1704099619,
"narHash": "sha256-wPuqrAQGdv3ISs74nJfGb+Yprm23U/rFpcHFFNWgM94=", "narHash": "sha256-QRVMkdxLmv+aKGjcgeEg31xtJEIsYq4i1Kbyw5EPS6g=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "ab5542e9dbd13d0100f8baae2bc2d68af901f4b4", "rev": "7e398b3d76bc1503171b1364c9d4a07ac06f3851",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -106,11 +106,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1716457508, "lastModified": 1704100519,
"narHash": "sha256-ZxzffLuWRyuMrkVVq7wastNUqeO0HJL9xqfY1QsYaqo=", "narHash": "sha256-SgZC3cxquvwTN07vrYYT9ZkfvuhS5Y1k1F4+AMsuflc=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "850cb322046ef1a268449cf1ceda5fd24d930b05", "rev": "6e91c5df192395753d8e6d55a0352109cb559790",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -205,6 +205,9 @@
"nix-pre-commit-hooks": { "nix-pre-commit-hooks": {
"inputs": { "inputs": {
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
"flake-utils": [
"flake-utils"
],
"gitignore": "gitignore", "gitignore": "gitignore",
"nixpkgs": [ "nixpkgs": [
"nixpkgs-unstable" "nixpkgs-unstable"
@ -212,11 +215,11 @@
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1716213921, "lastModified": 1703939133,
"narHash": "sha256-xrsYFST8ij4QWaV6HEokCUNIZLjjLP1bYC60K8XiBVA=", "narHash": "sha256-Gxe+mfOT6bL7wLC/tuT2F+V+Sb44jNr8YsJ3cyIl4Mo=",
"owner": "cachix", "owner": "cachix",
"repo": "pre-commit-hooks.nix", "repo": "pre-commit-hooks.nix",
"rev": "0e8fcc54b842ad8428c9e705cb5994eaf05c26a0", "rev": "9d3d7e18c6bc4473d7520200d4ddab12f8402d38",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -228,11 +231,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1716173274, "lastModified": 1704124233,
"narHash": "sha256-FC21Bn4m6ctajMjiUof30awPBH/7WjD0M5yqrWepZbY=", "narHash": "sha256-lBHs/yUtkcGgapHRS31oOb5NqvnVrikvktGOW8rK+sE=",
"owner": "nixos", "owner": "nixos",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "d9e0b26202fd500cf3e79f73653cce7f7d541191", "rev": "f752581d6723a10da7dfe843e917a3b5e4d8115a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -244,11 +247,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1716361217, "lastModified": 1703992652,
"narHash": "sha256-mzZDr00WUiUXVm1ujBVv6A0qRd8okaITyUp4ezYRgc4=", "narHash": "sha256-C0o8AUyu8xYgJ36kOxJfXIroy9if/G6aJbNOpA5W0+M=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "46397778ef1f73414b03ed553a3368f0e7e33c2f", "rev": "32f63574c85fbc80e4ba1fbb932cde9619bad25e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -272,11 +275,11 @@
"poetry2nix": "poetry2nix" "poetry2nix": "poetry2nix"
}, },
"locked": { "locked": {
"lastModified": 1712934106, "lastModified": 1704120598,
"narHash": "sha256-JubHgaV6HUZarwwq4y2rxJaaj2a6euErJfCqpmhrhWk=", "narHash": "sha256-9g7bZbVHAjMPNUWD2okeOdTmTrC9pkCeVe1zFyvtvqo=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "2bcb2b6c7b0e04f4ef8e51e00fd93a5e5cb00bf8", "rev": "32ef4fd545a29cdcb2613934525b97470818b42e",
"revCount": 66, "revCount": 65,
"type": "git", "type": "git",
"url": "https://git.sbruder.de/simon/nixpkgs-overlay" "url": "https://git.sbruder.de/simon/nixpkgs-overlay"
}, },
@ -287,43 +290,43 @@
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1710695816, "lastModified": 1685801374,
"narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=", "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "614b4613980a522ba49f0d194531beddbb7220d3", "rev": "c37ca420157f4abc31e26f436c1145f8951ff373",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "nixos-23.11", "ref": "nixos-23.05",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs-stable_2": { "nixpkgs-stable_2": {
"locked": { "locked": {
"lastModified": 1716061101, "lastModified": 1703950681,
"narHash": "sha256-H0eCta7ahEgloGIwE/ihkyGstOGu+kQwAiHvwVoXaA0=", "narHash": "sha256-veU5bE4eLOmi7aOzhE7LfZXcSOONRMay0BKv01WHojo=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "e7cc61784ddf51c81487637b3031a6dd2d6673a2", "rev": "0aad9113182747452dbfc68b93c86e168811fa6c",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "release-23.11", "ref": "release-23.05",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1716330097, "lastModified": 1703961334,
"narHash": "sha256-8BO3B7e3BiyIDsaKA0tY8O88rClYRTjvAp66y+VBUeU=", "narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "5710852ba686cc1fd0d3b8e22b3117d43ba374c2", "rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -450,11 +453,11 @@
"nixpkgs-stable": "nixpkgs-stable_2" "nixpkgs-stable": "nixpkgs-stable_2"
}, },
"locked": { "locked": {
"lastModified": 1716400300, "lastModified": 1703991717,
"narHash": "sha256-0lMkIk9h3AzOHs1dCL9RXvvN4PM8VBKb+cyGsqOKa4c=", "narHash": "sha256-XfBg2dmDJXPQEB8EdNBnzybvnhswaiAkUeeDj7fa/hQ=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "b549832718b8946e875c016a4785d204fcfc2e53", "rev": "cfdbaf68d00bc2f9e071f17ae77be4b27ff72fa6",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -23,6 +23,7 @@
nixos-hardware.url = "github:nixos/nixos-hardware/master"; nixos-hardware.url = "github:nixos/nixos-hardware/master";
nix-pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix/master"; nix-pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix/master";
nix-pre-commit-hooks.inputs.flake-utils.follows = "flake-utils";
nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs-unstable"; nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs-unstable";
sops-nix.url = "github:Mic92/sops-nix"; sops-nix.url = "github:Mic92/sops-nix";
@ -155,11 +156,12 @@
pkgs.writeShellScript "unlock-${hostname}" '' pkgs.writeShellScript "unlock-${hostname}" ''
set -exo pipefail set -exo pipefail
# opening luks fails if gpg-agent is not unlocked yet # opening luks fails if gpg-agent is not unlocked yet
pass "devices/${hostname}/luks" | ssh \ pass "devices/${hostname}/luks" >/dev/null
ssh \
${lib.optionalString unlockOverV4 "-4"} \ ${lib.optionalString unlockOverV4 "-4"} \
-p 2222 \ -p 2222 \
"root@${targetHost}" \ "root@${targetHost}" \
"cat > /crypt-ramfs/passphrase" "cat > /crypt-ramfs/passphrase" < <(pass "devices/${hostname}/luks")
'') '')
self.nixosConfigurations); self.nixosConfigurations);
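Review bot: In the `unlock-${hostname}` script the passphrase now reaches `ssh` through `< <(pass …)`, and a failure of `pass` inside a process substitution is not seen by `set -e` or `pipefail`, so `ssh` would still run and `cat` would write an empty `/crypt-ramfs/passphrase` with exit status 0. The priming call on the line before makes that unlikely but does not close the gap, for example if the agent cache expires or the store read fails between the two calls. Keeping the priming line and feeding the second call through a pipe, `pass "devices/${hostname}/luks" | ssh \`, lets `pipefail` report the failure. Because the script runs under `set -x`, the secret should keep travelling over stdin only and never through an argument or a shell variable, which the trace would print. The enclosing expression starts outside the hunk.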


@ -1,28 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
xsFNBAAAAAABEACxLvouloEvO6hjBfydEMJIEVzJLBqZJBmBvHmJKRbhWSldCWLi
bdL7L3Ld1K4uQKSEPNRk6LcVVCAPaXuhyeza57U8PNMBJrDESZ+SdAjuNw5/mDTa
VF4jgPzrPmQ1ufRiaOgxOj7OAwOqFEZBMeHXPrauY83dHgKJBcRuw5567YTJ0zoJ
bi3mtetgAeVwgPgQBgihDQhvxgxiOQ0kLbRRDFm8sVsp8o/zJbVy3zop4sJppOSg
JYzjFyt40wqPQ0TospxvwiYiJhg339hduZZ+J7+4XcdKnTVUNM8Ws7notVFRkWYG
8jWTUuld815WZUA/2rkjx7GsZ9sLChaXVmXRfUGO3G01zaEZ84PA/XrpemWVMs+I
y/1UznrSFy3bPh9/Jdpr4D5/gxsJaNs8ioSjb/3fXfZ4+kZySmQiWpagwsLXmPU3
eno5YjvuU8qCh37zWF7uhsUsIDXw1FWqgy7HoU7HLYHDpRoerEABQpIf3378eZJ1
+VK/Em2NLyapgBGx+hv+qrUGKAv+/bdTt5XQtQypHI5ihI2H/Rr/ZfTzIWcJIomR
KwCsjZDuiRWsQWa/WEqthPX/ckNKJuB25tkCFM4owMtgJEMSymRZ6Fd/zdI+WBS2
1QSECOHFyr8ha0OfpZF6qy8YYqV82EHeTQdqvAY18po8/Y5WGvm4Q0QCQwARAQAB
zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
AQgAFgUCAAAAAAkQZg5pur7kJkMCGw8CGQEAANR9EABfKws/H9UX31pJbdWzSotN
/1OkQxCNQvTmzxByP+JDBZQoplKbhjwVi/seshwxCMGuvBklmFSdpzGXip68QR4Q
CYQsFg02URFKA8vggnIbpkNMB3/ckM6m6wQlMshTl1DPpZcZflppi/O68hIqtrSN
/xXx5hIBFqe4NY6+ouHRy+4KPnWqndcHSRC2TaYYiiAo9dBj7VyQsL0zYYyTAl0U
J6rolDz5VqWzkHklH/UMJ3u8ZwV2VHuyU5Drod8/1bDYtjGXxeUhcd25X4q0Gcqh
gts0zoV/kYgnX3rGzqT4q6MGHWzlHtblMxtPpV8m/fd2KDvIKDdJPnYsbKDNlX7j
QwVS8rE2T/FfU2KGoadNmSJACmCdShpCCd7CSHludcXLMDVuFijh4iCHkc3KvJJP
MrWqBTWzYB73O5WGAWDxL7trw80a5Qi2+5PRCQY0smOR4jC3d36PGjtD8ykCHlqt
HVZ2CtNl+6loGJ9TTgMwzNOY2PQPP2bhzdB16ht5CDsadFXrFD8mRVcwnQ6F0UU0
DROW+C7FdYkZiEM9r6QMkRX4Xkc4YTV7EL0kEwJkWvxTbL2X/r1lSOKE27iMk2D/
kkNzVXEH89ryyJc4Pgro5aTjzkAfTOUc+LV34b2CE0NGLjZvOvTic5SSdsAZ+PVL
CxhNpGhTpzl96WA2WsNP9Q==
=slmv
-----END PGP PUBLIC KEY BLOCK-----


@ -1,28 +1,28 @@
-----BEGIN PGP PUBLIC KEY BLOCK----- -----BEGIN PGP PUBLIC KEY BLOCK-----
xsFNBAAAAAABEADJ6iuUnKyoNZU26YWhsIHwTIkhxnNCNDHrq42wSqDgBFU8QyzC xsFNBAAAAAABEACgnoiAZQChPJOD9Bh4VxtX+/KWZXBrw9HhK1aufLH2Q4bS+mrg
Nd8c34QghVGeqCFr/Md5xXMtgCmoNzFCMullb6PwDIYZ+9SP03B2seoqhnRwp1WG Te5SgFrfsiiYOvo8O2rESmMIWAHRSGxcdcT09+ZZtZxlxW7dmoUXLaPY+Xft0oDT
twejt/dP3QgOBP3G4Tr8uxcdHFnLDvkzN66QyV+LcnzrEf0Dw/9y31Nuo5TlG7UT ekLBs/g3N9qAXYq8XC/YNw0R1FzhComq/enQT2OTcaWES3b2OlFAkn8SVSTTdKgG
cUCg36a3l+1tTlc3VnGwjt5jc59teD619h1s5tU5zMlcgjhFMMVKHXH1oc8zK0Q4 jfmPPjDuTTYWPDPPmVRhaRkT/AcByyRcEcYxw4Zn+62iY9ZuV8FG0O0UcR2I/vEw
va2YyfW+yWZx9Fm9BWF3VLuBdVlPuHVSCZ/Qf/ykDs8nm7Jvwi/I2TQiAeFN7ln9 KwYxHBC4IiqWvCmeJ3mEcf2NBbLwp2hB79dyo9RN8zxbu2mwrCNNO0hbkJGsxom1
vPAYy4z0SQP/w44kVLCe5Mkw4H53LRocPBgxSflzqnJuuEQGroq0xgbP8+xJ8R0h NjKh7KZz0eaIpb/WAesimHCaAXcB9ovGiyyHjECmZkvKlAXMttrPkF5QJZW2Iao7
5WPqLuy86PhslFsuIfKJgzVsNsz3svBxHO6G5bIsVgIjdfT4QPGxVQSvXG0RpdV0 jcdcT0CNhC9fUwdBPIVRVjQQPyCWrqZEas+zG0tU8nbMy+uI/rT8ALC0zSgQMVyr
HzhUKojENcS2MEB7MJOLu200Ce3tjuaZD+nPUyH9LilNVgEJXMN0+9SfXmzyH1mE YDIM7tYHbuBjgHja8gvwAa116L+uTXzkCTuH3OQHowtuvDjorXDKNs5akqJpAPHF
ENW6JWUC+oDgweodltJJ2z3kiaXf0GUNWFEv5P0uxkky3nsed4lDmEs0j0nT3YoS a/fhXzjtY6RfLVp0Hj1+fnwrzMs0D1YdlJEjsBxvpieMTGPXH0YA5ondK/OsHsQD
0hemgdK8X3ZRMuLAxGLCL0SykmsbOdTTzZ/QCak8/0jI8iko9eDrmJ4rNkrQYT4+ uzUgKzgGpq8Kp7hXhxi8gevHmNgVN1F4CNlTy0qOkFgD8U11Fk9O4svI+OtzslPr
TM0JEpI3wA4ksl5WcB2cpM/G8buw/zNTycgbjcKoYL+E2K+L7JeR9F1DgQARAQAB /EXRC/faJeFdT20M0BIqhQVWZFiRRMMsHJgZ04mWG40Wysm8esZ3dwS53QARAQAB
zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
AQgAFgUCAAAAAAkQ2maxnYRbMVYCGw8CGQEAAMkCEAClRHcH4fUUpdXroevY9qpR AQgAFgUCAAAAAAkQ5fw8qjuBB6oCGw8CGQEAAOyUEAAHW0hbAjCKylnIaezMqNiG
O6op26pqBZ839HoD9f4kaZXerhURWVGPcV81uUapR5/B8Pk/OK9LskBetDvoc+J1 yDwfM+MpNXaqB4sG0UUiIdgSUTk06PN5dlQ0Jfvh1I7P9y8CxqamlqCUXiqqWEOR
+B3vM34cRIzbSs55BVrx/Mk6Vn9utPoyutlaJ/b5VMCmz4f2zU/XwPbXOzouvVrn Am3Q7oxQKQdSDz//2ijWLdNFcT7bxZvNKQ/T78UYka/qmuLHx2jSuakAX2pAUrOf
uy/bqY7aNz0eoeU7lKXrXc9as+VoJgc3Ty9Tt1vPi8lfTeQfmxUDtoer47dhn89C K7mbElSu8LD0y8hIDEyxuzB/aL13sHh1LkOUCSEgZ977EEfIEgPidPwEtGJvEbhN
3fL9R5/4utKt5nRtweOh6+z9T36jNodeHy3VhpuMnUBKsWSQn6Op2sLoeb6FJbh0 DaP94cLNapv/lWux8+O5dzKi4R7ghXl6IvrP2LPXQSPF7C3mMZ1ZSX1nFxRjALXi
t5Tz1AZhqjT4HY8bGWK8v2i916BmGseFjge7CECYg9M5MydznHl9z87sBUiruGs4 xiFbrJFkwEQQmVro/3wX9BZSmt6VnFRKkXnsCLlf9eT0aTmTirtqHgfet0PHqTNt
fQTZi8IQySaQ8jCqCx+PB1PYUAsZj4j3o74mx2/erAw8gxBlrme44CuikVdbEKMV CxrlLKTZFN3ZFropGZ070ESs4i6WZUBpTdsYh/htyo5bWMcHO8J+K+Ttd1M8btM4
qYzW/jVJ6EPobtmq+XN8UzU/arf5/BelcU73sQK9fbvCqi47ZMyjC/3UqZ0O12xt RtpAc/2UXa4+dVpLOGqdqkmUEJLVLyGnj9wZZgkx3tWGhjnSohCW3YqffQYlXUFn
uUjf2IcDl8TyWZ3nSSUV7npXrrT05kC6WMK46TwO9wv8F3v3/35UmonAJt8qp/lw xuiQQ8jKM6luuunMXLt6D9dzOch70z9bnjOm1Z6q/S3PIzn++awzA6N3VTKNuUBP
2PNR5W8Sqxr2s+yhkOsh2xwuqBQkdxhqRKeqTv4+kdGAk6ZUmuHmGa1Qni6VsaKT Phs6hlcAeqdQ6Q2EiS5iXKqPdK1nd9cPKzHOJf1fwlaRPSKeCtXUgkjAClu+heEn
TuNRRTEBfQ0QiqF8+lleT2dP4cKI2vAbI0zvyjX6KvNGRb1VlJw3D6Pa0nXW/YQU rst1nggIhCBs+rHc518BVZvISLNVlj5LVwN0mKOk9YPuZItBCGX96WWJZdMHeZk0
NxR1Jvm5bnGfUcnNlzoB4Q== MsxjN+we2woCXG5SJGYOyA==
=6o0h =UTw1
-----END PGP PUBLIC KEY BLOCK----- -----END PGP PUBLIC KEY BLOCK-----


@ -5,39 +5,67 @@ EKpaQ5+0H1NpbW9uIEJydWRlciA8c2ltb25Ac2JydWRlci5kZT6InAQTFgoARAIb
AQUJA8JnAAULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgBYhBNSKGsqxzb0XAVFm AQUJA8JnAAULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgBYhBNSKGsqxzb0XAVFm
K7GgtKRYhaAxBQJlrXkpAhkBAAoJELGgtKRYhaAxe14BAMF2Sj/NbHEfPPj/FH0/ K7GgtKRYhaAxBQJlrXkpAhkBAAoJELGgtKRYhaAxe14BAMF2Sj/NbHEfPPj/FH0/
Pndzxihc7T7JOO9TxwsHMdidAP9eGoz3DgjA4gOtJUDwK70G6XwGnXrY8k42AcNE Pndzxihc7T7JOO9TxwsHMdidAP9eGoz3DgjA4gOtJUDwK70G6XwGnXrY8k42AcNE
B0JHBLQxU2ltb24gQnJ1ZGVyIDxzaW1vbi5icnVkZXJAbWFpbGJveC50dS1kcmVz B0JHBIkCMwQQAQoAHRYhBEfnVZ4DejVlLbv4qo08gvnzCfjsBQJlrZp3AAoJEI08
ZGVuLmRlPoiZBBMWCgBBFiEE1IoayrHNvRcBUWYrsaC0pFiFoDEFAmWtd20CGwEF gvnzCfjsE2IP/RZoV3xvTi9ks5mpClnxdofGR4r2IVFw8TMQLSFfAHAtEJQ+R8fx
CQPCZwAFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQsaC0pFiFoDGUqAEA 0Yk+yoBNjt6JFKsvVVyVTZsK5cZcECSaX8E5gAYIB0+5S7TAC+DL9lDhWqhJnvOk
vqCjV1Fti5v6XpFFX/YU3160v4GYwD1vSdNJTTFfm3kBAO3hu30ecM3rWZf0SJmC 5nWIM6gdey6H4lmwjMQT9deWFBlHI/4+eEv65B2tlPZH7x2EbXywe5TgAmCAuXBI
xizTcSJIOEng0z39uk75PV4MuDMEZa13mRYJKwYBBAHaRw8BAQdA1st2Ull8qExF 7YOCebPh66n0ezJkw0SkEmz5+yMfj/vQNQxvRUpGpMEPDAUvIWEJ+Mb1XRuSZlYy
xFBS4ZtAxCP4a0yvany8hfclRDuM2W2I9QQYFgoAJgIbAhYhBNSKGsqxzb0XAVFm Z8fNh0lMuvDf/GAwoFLiQM8ToprYT1vVnZ+IzEHkjYA1/nDTj1rDxiFCz+FCc+/k
K7GgtKRYhaAxBQJlrud2BQkB4qNdAIF2IAQZFgoAHRYhBF8781AR60Ih56rcrDR/ +7fjbtbmX1rSLu90jQZx3h0JEb9t4Zd0X9aOstVnqTi9pMWWyFcUgA71+21VqbIQ
+Gmc2gd2BQJlrXeZAAoJEDR/+Gmc2gd2WGkA/1q7AL8NUkvEOXRXOdHUhFkC2AXp LccjaPZ0YK75on5YaD5ZmtHAl5ZD1VIXL0vnyN/XQYa4GUiN0qVwdG9QSEEe8gu8
V9deFHxrszMWgIxhAQD7QPihv5Cm8SPkClDMeKFnGwlMpeZNM/XYn5FqyLPrBwkQ jjAWClU8BroyOtWamOlQWs/RPZsg1G5Nv5KcPJbw67sWzJZYvJhytRMg9yMWM/uC
saC0pFiFoDG2mQD8CMU8iakviZHNDspU2nZLVRp5RWBGtbeqiq2+KUYzgCEA/REV uSC30u/gA49YP2N32XsxwFo8LAUrqn22/WdgcR1NIhHDjzT4SWSTS/ec5lSB998e
SAd0ks7DaVVxtHY4cn/oN76QeX3RXUAvfTsiPD0CuDgEZa13whIKKwYBBAGXVQEF xw+41h4hDHwZn75HYi89FytjS0Sc8C4b2GPw8eqbhKHKMlPKJah2enFXkR85AZJ1
AQEHQCz6uVsYw1gvKcMfmofGvK8uv4t+PsL0N6jlrPtY/Qt2AwEIB4h+BBgWCgAm wJGGhHhUS1mZ9e5SbY5ugtYj8v3Q3RMf47pqSHsO1Z9ojWBpAYforhTEtDFTaW1v
FiEE1IoayrHNvRcBUWYrsaC0pFiFoDEFAmWtd8ICGwwFCQPCZwAACgkQsaC0pFiF biBCcnVkZXIgPHNpbW9uLmJydWRlckBtYWlsYm94LnR1LWRyZXNkZW4uZGU+iJkE
oDFfVwEA7ijxFOSx7RhdE9XqNfDk+Gl4s6ste20j0MW3J+jAKTcBALUk/F0OYJIv ExYKAEEWIQTUihrKsc29FwFRZiuxoLSkWIWgMQUCZa13bQIbAQUJA8JnAAULCQgH
E6njUIuZlz4wFKJHDpursKIJu91QjzoFuDMEZa14JhYJKwYBBAHaRw8BAQdATUqx AgIiAgYVCgkICwIEFgIDAQIeBwIXgAAKCRCxoLSkWIWgMZSoAQC+oKNXUW2Lm/pe
HSmDAt+Fs/8EN7JvsIuciptaJpLnZApQ5gu2KgeIfgQYFgoAJhYhBNSKGsqxzb0X kUVf9hTfXrS/gZjAPW9J00lNMV+beQEA7eG7fR5wzetZl/RImYLGLNNxIkg4SeDT
AVFmK7GgtKRYhaAxBQJlrXgmAhsgBQkB4TOAAAoJELGgtKRYhaAxMBoBAN7lVHou Pf26Tvk9XgyJAjMEEAEKAB0WIQRH51WeA3o1ZS27+KqNPIL58wn47AUCZa2afQAK
WPLuO6NNPHL8fXYG+9LFrIfVn/ztEKGwhOkhAQDcmy+3iHVaO4JPz6NJcojZzyDp CRCNPIL58wn47JgND/0aTHhLlT7QGE9O6RV1kS81YeiQD5UvrJcYh9/wb7plXV/R
nn/R4uqdSVJ1qNy3Bbg4BGWteO4SCisGAQQBl1UBBQEBB0DVD2QambSi9HXWmBts +AJ9QUxnw9SKeyyFGjwQeWIkkdJccq8ov5ekz++ErCsFlQtvhzNMa+ZRRJ5XG1m9
FDf75LrjJa5WTn1my6SVSODaYQMBCAeIdQQYFgoAJxYhBNSKGsqxzb0XAVFmK7Gg dyFUKAvZ9vo5EnYOTO72l3TEel4L3V5t6qeUGdJQoVBC3cmLHJ7Vs92cTrmrQnF6
tKRYhaAxBQJlrXjuAxsABAUJAeEzgAAAA8UBAPjW4ZDp+ITJ9z/v7aL+wLdI0CY4 JXVgoj41iSmgnHdf8l0rsHc4/ODYDpZpOQjQj24Teb6Hj8jkjhNejGm6Ackcy6UF
w2I+LYP/VVtUr8JHAQCRFzzkBSz2IXoMKuRvpcJRLMRPS5gTAbrDC/96eGVGBLgz KIX4ZDQD2k9SlxDt2LGLjF2rHar4NFYNJwgzO1tMazjTDAV1J9zx44NFaC1dm4oj
BGWtfDQWCSsGAQQB2kcPAQEHQOtp4pbIVjjXN7J277+pm5EyzIQVD5aHpoi45J1P 0Nz/xSYyyYyBoeqIG29qZrmWj5yIee64I+POX5REuLvf//64atEAkvODqg8ZhrXB
NVCLiH4EGBYKACYWIQTUihrKsc29FwFRZiuxoLSkWIWgMQUCZa18NAIbIAUJAeEz Jd7BTtsRpUkkzwBv/ZHYJyEwLrUKLXpyx6GejksJ4fX4ftyWAgUOkDI06WI4WnQl
gAAKCRCxoLSkWIWgMRecAQC6fz9nPhVe1ncJyNn/c2RcZra0sEWwzwRiem7wieOU WzTOqIWwbub3M53F8eOGvXLUd6PD3p8ARiCFG+5cqRimmd3WZ5g0C9YWnuKRAOrT
GgEAhEOJxdEMbNv6mw4kSdLnFmC5VCvTEeLQF7uxP37ADwq4OARlrXuTEgorBgEE mrquAFhAeaanp+MRihB9d0nj5Lfx3mtfLAWDHYTj+yXL7de1xJ8p2D4WekJJ9NRJ
AZdVAQUBAQdAb2sZjRbDkcC3IhREZfUpXR5931F0csq5A6lTNSHyclcDAQgHiHUE f8b9d+wswth/1NV/ly64J7aiGpVzE+WcpNGl9pcsisSiXOCGJatPvrl9h6vgU+Oj
GBYKACcWIQTUihrKsc29FwFRZiuxoLSkWIWgMQUCZa17kwMbAAQFCQHhM4AAAMSe 2HhE5vf9WmvHxkUwut1Tw2cw5KoukugDZWos8AZ671QebmfnebDUsmSfhkOymbgz
AQCwkhOqxIjsIJ5DBgybQ4HTu52y3IkCVnx+ikcef8DMowEAgA5A3aSX8x9+p34t BGWtd5kWCSsGAQQB2kcPAQEHQNbLdlJZfKhMRcRQUuGbQMQj+GtMr2p8vIX3JUQ7
6ZX1dbgItWYS1a2bvqlEkvUBnwa4MwRlrX8yFgkrBgEEAdpHDwEBB0D37Ln0CHRc jNltiPUEGBYKACYWIQTUihrKsc29FwFRZiuxoLSkWIWgMQUCZa13mQIbAgUJA8Jn
1itQdbnpQs7fFyWqLm5UT59YI2b7pkhK/oh+BBgWCgAmFiEE1IoayrHNvRcBUWYr AACBCRCxoLSkWIWgMXYgBBkWCgAdFiEEXzvzUBHrQiHnqtysNH/4aZzaB3YFAmWt
saC0pFiFoDEFAmWtfzICGyAFCQPCZwAACgkQsaC0pFiFoDFaJgEAmtpmq5QnshEE d5kACgkQNH/4aZzaB3ZYaQD/WrsAvw1SS8Q5dFc50dSEWQLYBelX114UfGuzMxaA
HDs9yBTxWAnrYfPnvyOi4KID6FbJTI0BAPNohV+XiBbQKmmKrWb5ui0BXNISPCYk jGEBAPtA+KG/kKbxI+QKUMx4oWcbCUyl5k0z9difkWrIs+sH8p0A/j2fQV8DVJsn
H6R7fxacajUC fnyFdmEIS14LaLyBTQ411CLkOVI4l5yBAP0Xue1JzV1Spm8Ib5rbAB5l2Q39xwsZ
=361S IkGsiN85Wq7cA4j1BBgWCgAmAhsCFiEE1IoayrHNvRcBUWYrsaC0pFiFoDEFAmWu
53YFCQHio10AgXYgBBkWCgAdFiEEXzvzUBHrQiHnqtysNH/4aZzaB3YFAmWtd5kA
CgkQNH/4aZzaB3ZYaQD/WrsAvw1SS8Q5dFc50dSEWQLYBelX114UfGuzMxaAjGEB
APtA+KG/kKbxI+QKUMx4oWcbCUyl5k0z9difkWrIs+sHCRCxoLSkWIWgMbaZAPwI
xTyJqS+Jkc0OylTadktVGnlFYEa1t6qKrb4pRjOAIQD9ERVIB3SSzsNpVXG0djhy
f+g3vpB5fdFdQC99OyI8PQK4OARlrXfCEgorBgEEAZdVAQUBAQdALPq5WxjDWC8p
wx+ah8a8ry6/i34+wvQ3qOWs+1j9C3YDAQgHiH4EGBYKACYWIQTUihrKsc29FwFR
ZiuxoLSkWIWgMQUCZa13wgIbDAUJA8JnAAAKCRCxoLSkWIWgMV9XAQDuKPEU5LHt
GF0T1eo18OT4aXizqy17bSPQxbcn6MApNwEAtST8XQ5gki8TqeNQi5mXPjAUokcO
m6uwogm73VCPOgW4MwRlrXgmFgkrBgEEAdpHDwEBB0BNSrEdKYMC34Wz/wQ3sm+w
i5yKm1omkudkClDmC7YqB4h+BBgWCgAmFiEE1IoayrHNvRcBUWYrsaC0pFiFoDEF
AmWteCYCGyAFCQHhM4AACgkQsaC0pFiFoDEwGgEA3uVUei5Y8u47o008cvx9dgb7
0sWsh9Wf/O0QobCE6SEBANybL7eIdVo7gk/Po0lyiNnPIOmef9Hi6p1JUnWo3LcF
uDgEZa147hIKKwYBBAGXVQEFAQEHQNUPZBqZtKL0ddaYG2wUN/vkuuMlrlZOfWbL
pJVI4NphAwEIB4h1BBgWCgAnFiEE1IoayrHNvRcBUWYrsaC0pFiFoDEFAmWteO4D
GwAEBQkB4TOAAAADxQEA+NbhkOn4hMn3P+/tov7At0jQJjjDYj4tg/9VW1SvwkcB
AJEXPOQFLPYhegwq5G+lwlEsxE9LmBMBusML/3p4ZUYEuDMEZa18NBYJKwYBBAHa
Rw8BAQdA62nilshWONc3snbvv6mbkTLMhBUPloemiLjknU81UIuIfgQYFgoAJhYh
BNSKGsqxzb0XAVFmK7GgtKRYhaAxBQJlrXw0AhsgBQkB4TOAAAoJELGgtKRYhaAx
F5wBALp/P2c+FV7WdwnI2f9zZFxmtrSwRbDPBGJ6bvCJ45QaAQCEQ4nF0Qxs2/qb
DiRJ0ucWYLlUK9MR4tAXu7E/fsAPCrg4BGWte5MSCisGAQQBl1UBBQEBB0BvaxmN
FsORwLciFERl9SldHn3fUXRyyrkDqVM1IfJyVwMBCAeIdQQYFgoAJxYhBNSKGsqx
zb0XAVFmK7GgtKRYhaAxBQJlrXuTAxsABAUJAeEzgAAAxJ4BALCSE6rEiOwgnkMG
DJtDgdO7nbLciQJWfH6KRx5/wMyjAQCADkDdpJfzH36nfi3plfV1uAi1ZhLVrZu+
qUSS9QGfBrgzBGWtfzIWCSsGAQQB2kcPAQEHQPfsufQIdFzWK1B1uelCzt8XJaou
blRPn1gjZvumSEr+iH4EGBYKACYWIQTUihrKsc29FwFRZiuxoLSkWIWgMQUCZa1/
MgIbIAUJA8JnAAAKCRCxoLSkWIWgMVomAQCa2marlCeyEQQcOz3IFPFYCeth8+e/
I6LgogPoVslMjQEA82iFX5eIFtAqaYqtZvm6LQFc0hI8JiQfpHt/FpxqNQI=
=1z2B
-----END PGP PUBLIC KEY BLOCK----- -----END PGP PUBLIC KEY BLOCK-----


@ -0,0 +1,123 @@
# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ config, pkgs, ... }:
{
imports = [
./hardware-configuration.nix
../../modules
];
sbruder = {
nginx.hardening.enable = true;
full = false;
};
networking.hostName = "catering";
system.stateVersion = "23.05";
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts = {
"catering.salespointframework.org" = {
enableACME = true;
forceSSL = true;
locations = {
"/" = {
proxyPass = "http://localhost:8080";
extraConfig = ''
sub_filter '</script>' '</script><script src="/dev.js"></script>';
sub_filter_once on;
'';
};
"= /dev.js".alias = pkgs.writeText "dev.js" ''
addEventListener("load", event => {
document.querySelector("footer").appendChild((() => {
let el = document.createElement("p")
el.classList.add("text-center", "fw-bold")
el.innerText = "Alle Angebot sind fiktiv!"
return el
})())
if (localStorage.getItem("devAck") !== "true") {
if (confirm("Alle hier präsentierten Angebote sind fiktiv, es können keine rechtsverbindlichen Verträge geschlossen werden. Mit dem Fortfahren bestätigen Sie, dies verstanden zu haben.")) {
localStorage.setItem("devAck", "true")
} else {
location = "about:blank"
}
}
})
'';
};
};
"www.mampf.shop" = {
forceSSL = true;
enableACME = true;
globalRedirect = "catering.salespointframework.org";
};
"mampf.shop" = {
forceSSL = true;
enableACME = true;
globalRedirect = "catering.salespointframework.org";
};
"presi.catering.salespointframework.org" = {
enableACME = true;
forceSSL = true;
root = "/var/www/presi.catering.salespointframework.org";
locations."/".tryFiles = "/main.pdf =404";
};
};
};
systemd.tmpfiles.rules = [
"d /var/www/presi.catering.salespointframework.org 0755 catering catering - -"
];
users.users.catering = {
isSystemUser = true;
group = "catering";
useDefaultShell = true;
home = "/var/lib/catering";
createHome = true;
openssh.authorizedKeys.keys = config.sbruder.pubkeys.trustedKeys;
};
users.groups.catering = { };
sbruder.static-webserver.vhosts = {
"salespointframework.org" = {
redirects = [ "www.salespointframework.org" "salespointframe.work" "www.salespointframe.work" ];
user = {
name = "salespoint";
keys = config.sbruder.pubkeys.trustedKeys;
};
};
"verkaufspunktrahmenwerk.de" = {
redirects = [ "www.verkaufspunktrahmenwerk.de" "verkaufspuntrahmenwerk.de" "www.verkaufspuntrahmenwerk.de" ];
user = {
name = "verkaufspunkt";
keys = config.sbruder.pubkeys.trustedKeys;
};
};
};
networking.firewall.allowedTCPPorts = [
80
443
];
}
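Review bot: The disclaimer injected in `locations."/"` depends on `sub_filter`, which nginx applies only to uncompressed `text/html` responses, so if the application behind `http://localhost:8080` ever answers with gzip the `/dev.js` tag is silently dropped and visitors see the shop without the notice. Adding `proxy_set_header Accept-Encoding "";` to that location's `extraConfig` keeps the upstream response filterable. The acknowledgement is stored in `localStorage` and checked only in the browser, so it is a notice rather than a gate; a comment above the `"= /dev.js"` alias saying `# client-side notice only, not an access control` would make that explicit. The footer string `"Alle Angebot sind fiktiv!"` looks like a typo for `Angebote`.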


@ -0,0 +1,54 @@
# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
sbruder.machine.isVm = true;
boot = {
initrd = {
availableKernelModules = [ "xhci_pci" "virtio_pci" "usbhid" "sr_mod" ];
};
loader = {
grub.enable = false;
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/c39bdb61-2e4c-464b-8c4c-bb6bb7f342a2";
fsType = "btrfs";
options = [ "compress=zstd" ];
};
"/boot" = {
device = "/dev/disk/by-uuid/D976-BBAF";
fsType = "vfat";
};
};
networking.useDHCP = false;
networking.usePredictableInterfaceNames = false;
systemd.network = {
enable = true;
networks = {
eth0 = {
name = "eth0";
DHCP = "yes";
domains = [ "salespointframework.org" ];
address = [ "2a01:4f9:c011:9c01::1/64" ];
gateway = [ "fe80::1" ];
};
};
};
# no smart on qemu disk
services.smartd.enable = false;
}


@ -23,9 +23,6 @@ in
}; };
vueko = { vueko = {
system = "aarch64-linux"; system = "aarch64-linux";
extraModules = [
"${inputs.infinisilSystem}/config/new-modules/murmur.nix"
];
targetHost = "vueko.sbruder.de"; targetHost = "vueko.sbruder.de";
}; };
@ -49,6 +46,9 @@ in
}; };
renge = { renge = {
system = "aarch64-linux"; system = "aarch64-linux";
extraModules = [
"${inputs.infinisilSystem}/config/new-modules/murmur.nix"
];
targetHost = "renge.sbruder.de"; targetHost = "renge.sbruder.de";
}; };
@ -76,13 +76,9 @@ in
targetHost = "yuzuru.sbruder.de"; targetHost = "yuzuru.sbruder.de";
}; };
koyomi = { catering = {
system = "x86_64-linux"; system = "aarch64-linux";
extraModules = [
hardware.common-cpu-intel
hardware.common-pc-ssd
];
targetHost = "koyomi.sbruder.de"; targetHost = "catering.salespointframework.org";
}; };
} }


@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
@ -92,8 +92,6 @@
} }
]; ];
services.prometheus.exporters.smartctl.devices = [ "/dev/nvme0n1" "/dev/sda" "/dev/sdb" "/dev/sdc" ];
powerManagement.cpuFreqGovernor = "schedutil"; powerManagement.cpuFreqGovernor = "schedutil";
networking = { networking = {


@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
@ -55,8 +55,6 @@
{ device = "/dev/disk/by-uuid/98de7ced-4d7c-4915-bf5b-1a0300458ea6"; } { device = "/dev/disk/by-uuid/98de7ced-4d7c-4915-bf5b-1a0300458ea6"; }
]; ];
services.prometheus.exporters.smartctl.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
# GPU # GPU
hardware.opengl = { hardware.opengl = {
package = pkgs.mesa.drivers; package = pkgs.mesa.drivers;


@ -1,37 +0,0 @@
<!--
SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
SPDX-License-Identifier: CC-BY-SA-4.0
-->
# koyomi
## Hardware
System from [Hetzner Online Serverbörse](https://www.hetzner.com/sb).
- Motherboard: FUJITSU D3401-H1
- CPU: Intel Core i7-6700
- RAM: 4×16GB Samsung [M378A2K43CB1-CRC](https://semiconductor.samsung.com/dram/module/udimm/m378a2k43cb1-crc/)/[M378A2K43BB1-CPB](https://semiconductor.samsung.com/dram/module/udimm/m378a2k43bb1-cpb/) (DDR4 2400/2133MHz)
- SSD: 2×512GB M.2 NVMe SAMSUNG MZVLB512HAJQ-00000
## Setup
As it is a physical server (not a VM) in a remote location,
extra care must be taken when installing.
Fortunately, Hetzner provides an automated way to reset the server (by sending Ctrl+Alt+Del or force resetting)
and a rescue system that can be activated before a reboot.
Additionally, there is also a *vKVM* rescue system,
that boots a hypervisor from the network and runs a VM which boots from the physical disks.
The rescue system can be used to start a kexec installer generated by [nixos-generators](https://github.com/nix-community/nixos-generators).
Ideally, everything goes well and the next reboot works,
but in the case it does not, the vKVM rescue system can be used for debugging.
## Purpose
Hypervisor. Exact scope is to be determined.
## Name
Araragi Koyomi is a student from the *Monogatari Series*.


@ -1,23 +0,0 @@
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ config, lib, pkgs, ... }:
{
imports = [
./hardware-configuration.nix
../../modules
./services/hypervisor.nix
];
sbruder = {
wireguard.home.enable = true;
podman.enable = true;
};
networking.hostName = "koyomi";
system.stateVersion = "23.11";
}


@ -1,74 +0,0 @@
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ modulesPath, pkgs, ... }:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot = {
swraid.enable = true;
kernelModules = [ "kvm-intel" ];
kernelParams = [ "ip=dhcp" ];
loader = {
grub = {
devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
};
};
initrd = {
availableKernelModules = [ "aesni_intel" "ahci" "e1000e" "nvme" ];
kernelModules = [ "dm-snapshot" ];
network.enable = true; # remote unlocking
luks.devices = {
koyomi-pv = {
name = "koyomi-pv";
device = "/dev/disk/by-uuid/9145417d-e8f5-4aa9-a526-419e507c47fd";
preLVM = true;
allowDiscards = true;
};
};
# FIXME XXX HACK
# This is required to have the md device available under /dev/disk/by-uuid.
# Both commands are run as part of the regular stage-1 init script,
# but for some reason, they need to be run twice.
preLVMCommands = ''
udevadm trigger
udevadm settle
'';
};
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/3b31163f-4fec-4e1c-b311-7c8aaca76cd4";
fsType = "btrfs";
options = [ "discard=async" "noatime" "compress=zstd" ];
};
"/boot" = {
device = "/dev/disk/by-uuid/12CE-A600";
fsType = "vfat";
};
};
services.prometheus.exporters.smartctl.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
networking.useDHCP = false;
networking.usePredictableInterfaceNames = false;
systemd.network = {
enable = true;
networks = {
eth0 = {
name = "eth0";
DHCP = "yes";
domains = [ "sbruder.de" ];
address = [ "2a01:4f8:151:712d::1/64" ];
gateway = [ "fe80::1" ];
};
};
};
}


@ -1,72 +0,0 @@
wg-home-private-key: ENC[AES256_GCM,data:fFoXn5sLL06hNeXhQGKbheQV4ZNlYxJKWlHpPfyF6PyYbBcz4An9DPYnQKk=,iv:pY2dVEspIijtZkatUrSdg90D0ldxAoy5rUj1lw1cOF8=,tag:jz4q+Yum05S9c5OlciBZ1g==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2024-05-11T21:49:03Z"
mac: ENC[AES256_GCM,data:yS/v+NWiLlFLTwnbhaYVg98H/ThqW5r+3eC1YsvJRRrF/yZBk6nUtK8CT4tvR9PUeks4a2H15/5aY2oDxnABhXhkbasZjnl3+YGF8SOIwo+YuWJ5A3rHJZQMJGRGg8dwh4xkJMDJKb2Or1uH3ZiSclVMQDiM3RGVifLhtv+gJEc=,iv:ygTcKqU5pzkOoGUx9xw9BzWJx15t28w3tJVH4eAdxS4=,tag:F5/8SSt/eON9zwWGGUyUEQ==,type:str]
pgp:
- created_at: "2024-05-11T21:48:51Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DLHeEFiC484ASAQdATNhq0wu5gLVG+7PHCtdQRxgC6GqQrvrttZnN3AvnZ0ww
qBdXl+6qkWHyjvclklzcNfpcMD7cmRwRDSDSQASmSTAyulBbgjDuou9Tjl/Rxorl
hF4Dub78fMESoMASAQdAIhgR5ZyuaP12Mav7NNapUcWrScnmjNPh46oX2W3jDDsw
in+hRRYC6apDKMcC3IFEzo6vy7OfhEeMR2IthtU0Y+bgdfjpwEOZ4J5CLg2ERZO+
hF4DM6AcvgVUx2MSAQdAKc70+YldBMdetkmcWWJYDSUbewIJOrDCJBS+TUTQ2hQw
dq03NJuiqwsrN1YBa1qHELTJj7CvrxTvVSQvDpSEwD3WVk8Qn5z1lMgBrivxCGa8
1GYBCQIQj3MkZci7qGULIHivbsOSwX6a3T9JQRkmHylyzZDxYRUz3TLhNvjuly58
TxBJcHkDmXDP5T+UACrryRIN2h/J/+gw6WkHnPJOcs5JFqB9uneVwpW1A3jNMhRD
iXDXWxIe5PY=
=zp+l
-----END PGP MESSAGE-----
fp: 6CD375BD0741F67E5A289BC333A01CBE0554C763
- created_at: "2024-05-11T21:48:51Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4Dub78fMESoMASAQdAs3PQ1mkR/MS3vg1qCTPiQihx7yZvQlqlhYRsRigJDiEw
WuZYC66MsLHi2YQEkFoxG0bgt3sHkVRlq72ae713UzfWiI0Dl59dxtGcOtvdo5LK
1GYBCQIQIupCIS36+zkecqWl1h55C0G/bC+SHdwgp5nFbva+3fidastsvakUDuTW
dGOLK1FC2xUrct/rLGBmWA48fSOA/VJiiEVzP0TsVCytTx/Y44jm0f5HC85LNnNy
8GoFUoOn6tE=
=A7C7
-----END PGP MESSAGE-----
fp: 0C8AF4B4320A511384DF6B5BB9BEFC7CC112A0C0
- created_at: "2024-05-11T21:48:51Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DLHeEFiC484ASAQdAK53bLfsn0k8SFw/88FliX2Yaev9oMGmKSR7f/6vJmH4w
pZxJqMwkpWt3We5DAkN+VFuawOzPNrV0vmmd8StlajZ5GIaz713QJQ8cpVrE/sPh
1GYBCQIQUuj0dgOWLtcB/w1vHj0qQW8LnMG5uVY7gk+hPmllQb8TJ1aRUkcPrKoE
rXUCl17BO59C4AUWLu/0RviAki6FMZC1S0g1z8eOck6CFSnW4i4uMB0g5Yi5kqpK
K0oWZqedIzU=
=Z8wz
-----END PGP MESSAGE-----
fp: 403215E0F99D2582C7055C512C77841620B8F380
- created_at: "2024-05-11T21:48:51Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA2YOabq+5CZDAQ//beLzskyTj+PN79rvrupVY5gwWxIhYuoRs2ZkJSlNyRYg
exNxwPAjssi3yKoUOy9TNbxzOKP5VwehnOPlJ4jyVgdZ9zksJH9k0WnfhlmabHeC
UnYsUSDB7VUFrpacdIKjmFM6OPlu7Xm98RwSabkmlHEE/voF/Ma5yWT0c3Sx2lzv
ucNSCqmjY0D6S5tJz+3nYsT54OjS+Jlr96CPOR9dz1jEGGQMfwyMxwMLhVpVBDKE
uusl5VD3jw50wYbkhvYscGGkdOkLwAFMIwYvw1seYFTb3kux8ChahYQ3QtPn3ZUD
OoPqYUtgpcnZTAcMGvzL7B0OwJLsCpin454yko56KV/cnIHwSv2cyfsQB0M4dz6l
OalAS5BpqhZ2ulDm34yFlRE7MD+H12tOzBJIFjGQksv9DiuRyezZnevBqlOdott8
cSDfO3RD3wGdUOIVwi3B92N5j1w39d2wKoXa19kM66mzsdbQrXwmxKa8gQMkjsG9
Ds2sUwQlKZ0HvvNkJTJ+NORWKKvwGXKqVPwOTUaZjzQGUtVWg5WSjmFoPQ049nqf
gLYhy0OeyEAIRe9HjNo5YANPNBF63qTT2++n6xs2ErXjHNNi85yUnhCBqRRI3Od6
HkLlLQN3i6RdV5C1wJwu3k1N6a+dl03gFgO3PSJZaLpIhHJuOJwYT3rCGi3ZgzXS
VgFycpleRMSCTjEIY/Ky4PJOlbUykf4CuFWnvJLSOcqjPbozzqjUaw4xzea2Lloj
+Io3l0AHWqKCmv4qbZxim37YuicyM02A56pk7SMKXOuqbb1m5hBr
=bvPZ
-----END PGP MESSAGE-----
fp: a53d4ca8d2cf54613822c81d660e69babee42643
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -1,133 +0,0 @@
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ lib, pkgs, ... }:
let
guests = {
forgejo-actions-runner = {
mac = "42:80:00:00:00:02";
v4 = "10.80.32.2";
v6 = "2a01:4f8:151:712d:1::2";
};
};
# port forwarding for IPv4
portForwards = {
tcp = { };
udp = { };
};
in
{
virtualisation.libvirtd = {
enable = true;
qemu.package = pkgs.qemu_kvm;
};
boot.kernel.sysctl = {
"net.ipv4.conf.all.forwarding" = true;
"net.ipv6.conf.all.forwarding" = true;
};
systemd.network = {
enable = true;
netdevs = {
br-virt = {
netdevConfig = {
Name = "br-virt";
Kind = "bridge";
};
};
};
networks = {
br-virt = {
name = "br-virt";
address = [ "10.80.32.1/24" "2a01:4f8:151:712d:1::1/80" ];
};
};
};
services.resolved.enable = false;
services.dnsmasq = {
enable = true;
settings = {
interface = [ "br-virt" ];
bind-interfaces = true; # do not bind to the wildcard interface
bogus-priv = true; # do not forward revese lookups of internal addresses
dhcp-fqdn = true; # only insert qualified names of DHCP clients into DNS
domain-needed = true; # do not forward names without domain
no-hosts = true; # do not resolve hosts from /etc/hosts
no-resolv = true; # only use explicitly configured resolvers
domain = [ "sbruder.de" ];
enable-ra = true; # required to tell clients to use DHCPv6
# Force static configuration
dhcp-range = [
"10.80.32.0,static,255.255.255.0"
"2a01:4f8:151:712d:1::,static,80"
];
dhcp-host = lib.flatten (lib.mapAttrsToList
(name: { mac, v4, v6 }: [
"${mac},${v4},${name}"
"${mac},[${v6}],${name}"
])
guests);
# Hetzner recursive name servers
# https://docs.hetzner.com/dns-console/dns/general/recursive-name-servers/
server = [
"185.12.64.1"
"185.12.64.2"
"2a01:4ff:ff00::add:1"
"2a01:4ff:ff00::add:2"
];
};
};
networking.firewall = {
allowedTCPPorts = map lib.toInt (lib.attrNames portForwards.tcp);
allowedUDPPorts = map lib.toInt (lib.attrNames portForwards.udp);
interfaces.br-virt = {
allowedTCPPorts = [ 53 ]; # EDNS
allowedUDPPorts = [ 53 67 547 ]; # DNS / DHCP / DHCPv6
};
};
networking.nftables = {
enable = true;
ruleset = ''
# only IPv4
table ip hypervisor-nat {
chain postrouting {
type nat hook postrouting priority filter; policy accept
oifname eth0 masquerade
}
chain prerouting {
type nat hook prerouting priority dstnat; policy accept
${lib.concatStrings (lib.mapAttrsToList (port: guest: ''
iifname eth0 tcp dport ${port} dnat to ${guests.${guest}.v4}
'') portForwards.tcp)}
${lib.concatStrings (lib.mapAttrsToList (port: guest: ''
iifname eth0 udp dport ${port} dnat to ${guests.${guest}.v4}
'') portForwards.udp)}
}
}
table inet hypervisor-filter {
chain forward {
type filter hook forward priority filter; policy drop
iifname br-virt oifname eth0 counter accept
iifname eth0 oifname br-virt counter accept
}
}
'';
};
}


@ -19,7 +19,6 @@
gui.enable = true; gui.enable = true;
media-proxy.enable = true; media-proxy.enable = true;
mullvad.enable = true; mullvad.enable = true;
podman.enable = true;
restic.system = { restic.system = {
enable = true; enable = true;
qos = true; qos = true;


@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
@ -45,8 +45,6 @@
}; };
}; };
services.prometheus.exporters.smartctl.devices = [ "/dev/nvme0n1" ];
powerManagement = { powerManagement = {
cpuFreqGovernor = "schedutil"; cpuFreqGovernor = "schedutil";
}; };


@ -1,5 +1,5 @@
<!-- <!--
SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de> SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
SPDX-License-Identifier: CC-BY-SA-4.0 SPDX-License-Identifier: CC-BY-SA-4.0
--> -->
@ -8,7 +8,7 @@ SPDX-License-Identifier: CC-BY-SA-4.0
## Hardware ## Hardware
[Ionos VPS Linux XS](https://www.ionos.de/server/vps) S (1 Xeon Skylake vCPU, 1GiB RAM, 10GB SSD). [Ionos Cloud VPS](https://cloud.ionos.de/server/vps) S (1 Xeon Gold Gold 5120 vCPU, “512MB” = 443MiB RAM, 10 GB SSD).
## Purpose ## Purpose
@ -22,50 +22,32 @@ Okabe Rintaro is a mad scientist from *Steins;Gate*
Much like the namesake, Much like the namesake,
this server requires a “mad scientist” approach to set up. this server requires a “mad scientist” approach to set up.
However, it is much easier than setting up its predecessor,
which had just above 400MiB usable memory.
Ionos does not offer any NixOS installation media. Ionos does not offer any NixOS installation media.
I could only choose between various installation media and rescue systems. I could only choose between a Debian installation media, Knoppix and GParted.
Also, installing NixOS with a low amount of memory is problematic. Also, installing with a very low amount of memory is quite hard.
I therefore created a VM locally with a disk image exactly 10737418240 Bytes in size. I therefore created a VM locally with a disk image exactly 10737418240 Bytes in size.
On there, I installed NixOS. On there, I installed NixOS.
Because encryption with `argon2id` as PBKDF is quite memory intensive, Because encryption with `argon2id` as PBKDF is quite memory intensive, I had to tune the parameters some.
I had to tune the parameters to ensure decryption was still possible on the target. What I settled on was
This can be done quite easily by interactively running the following command on the build VM: `cryptsetup luksFormat --pbkdf argon2id --iter-time 10000 --pbkdf-memory 250000 /dev/sda3`.
cryptsetup luksChangeKey --pbkdf-memory 100747 --pbkdf-parallel 1 --pbkdf-force-iterations 29 /dev/vda3 To make btrfs use its SSD optimizations,
I had to force the kernel to see the device as non-rotational:
`echo 0 > /sys/block/dm-0/queue/rotational`
The memory size was obtained by a successful run of `cryptsetup benchmark` inside the initrd on the target. Another problem was the usage of VMware by Ionos.
The VM I set this up with was obviously using KVM/QEMU,
However, since those parameters are not ideal, so it needed different kernel modules at boot.
the following should later be run on the target host itself: What worked was setting it up in the local VM with both libvirt and vmware modules,
and then removing the libvirt modules once it was installed on the target.
cryptsetup luksChangeKey --pbkdf-parallel 1 -i 10000 /dev/vda3
This will determine the memory usage automatically,
use one thread
and set the parameters so that decryption takes 10 seconds (10000ms).
The memory usage will not be as high as it could,
but it will be better.
Getting the disk image onto the server was done Getting the disk image onto the server was done
by first `rsync`ing the image to another server (to allow for incremental iterations), by first `rsync`ing the image to another server (to allow for incremental iterations),
which then provided it via HTTP. which then provided it via HTTP.
Using the Debian installation media in rescue mode Using the Knoppix live image (booted with `knoppix 2` to avoid starting the gui),
(as for some reason most other options tried to cache the file in memory and became very slow) it was possible to just `curl http://server/okarin.img > /dev/sda`.
it was possible to write the image to disk with `wget -O /dev/sda http://server/okarin.img`.
Because of all the pitfalls of this, Because of all the pitfalls of this,
you probably need more than one try. you probably need more than one try.
To make debugging easier on the target, the following option can be set:
```nix
{ pkgs, ... }:
{
boot.initrd.preLVMCommands = ''
${pkgs.bashInteractive}/bin/bash
'';
}
```


@ -9,6 +9,7 @@
./hardware-configuration.nix ./hardware-configuration.nix
../../modules ../../modules
./services/static-sites.nix
./services/proxy.nix ./services/proxy.nix
]; ];
@ -21,7 +22,7 @@
networking.hostName = "okarin"; networking.hostName = "okarin";
system.stateVersion = "23.11"; system.stateVersion = "22.11";
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
80 80
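Review bot: The `system.stateVersion` line on the new side reads `"22.11"` with nothing beside it saying why. NixOS uses this value to pick defaults for stateful services, so it has to match the release this host's disk image was first installed with, not the channel currently in use. A comment on the line would stop a later well-meant bump: `system.stateVersion = "22.11"; # release of the initial install, do not change on upgrade`. Whether 22.11 really is the install release cannot be checked from this page and should be confirmed against the image; the `networking.firewall.allowedTCPPorts` list continues outside the hunk.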


@ -5,10 +5,6 @@
{ lib, modulesPath, ... }: { lib, modulesPath, ... }:
{ {
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
sbruder.machine.isVm = true; sbruder.machine.isVm = true;
boot = { boot = {
@ -16,34 +12,41 @@
extraModulePackages = [ ]; extraModulePackages = [ ];
kernelParams = [ "ip=dhcp" ]; kernelParams = [ "ip=dhcp" ];
initrd = { initrd = {
availableKernelModules = [ "aesni_intel" "ahci" "sd_mod" "sr_mod" "virtio_net" "virtio_pci" "xhci_pci" ]; availableKernelModules = [ "aesni_intel" "ahci" "sd_mod" "vmxnet3" "vmw_pvscsi" "vmw_vmci" ];
kernelModules = [ ]; kernelModules = [ "dm-snapshot" "vmw_balloon" ];
network = { network = {
enable = true; # remote unlocking enable = true; # remote unlocking
# for some reason, the DHCP server does not transmit the static route to the gateway in a form udhcpc understands # for some reason, the DHCP server does not transmit the static route to the gateway in a form udhcpc understands
# this works around this, but is arguably quite hacky # this works around this, but is arguably quite hacky
postCommands = '' postCommands = ''
ip route add 85.215.165.1 dev eth0 ip route add 10.255.255.1 dev eth0
ip route add default via 85.215.165.1 dev eth0 ip route add default via 10.255.255.1 dev eth0
''; '';
}; };
luks.devices."root".device = "/dev/disk/by-uuid/1dcb9ee1-5594-4174-98a7-a362da09f131"; luks.devices."root".device = "/dev/disk/by-uuid/67f2990c-636a-4d80-9f6d-7096fec9e267";
}; };
loader.grub.device = "/dev/vda"; loader.grub.device = "/dev/sda";
}; };
fileSystems = { fileSystems = {
"/" = { "/" = {
device = "/dev/disk/by-uuid/3ab8f4a7-952c-4b6c-93c6-7b307d5bb88b"; device = "/dev/disk/by-uuid/8e3082d1-4af3-4d5d-9fde-d30dc7552d41";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd" "discard" "noatime" "ssd" ]; # for some reason, the kernel assumes rotational options = [ "compress=zstd" "discard" "noatime" ];
}; };
"/boot" = { "/boot" = {
device = "/dev/disk/by-uuid/97aec56b-5fea-4445-83dc-4a20dcf482ce"; device = "/dev/disk/by-uuid/883c77e8-53bf-4330-bd9e-89ef71ad9518";
fsType = "ext2"; fsType = "ext2";
}; };
}; };
swapDevices = [
{
device = "/dev/disk/by-partuuid/d9cf5716-25c8-4f72-80e3-696e0dfe1079";
randomEncryption.enable = true;
}
];
zramSwap = { zramSwap = {
enable = true; enable = true;
memoryPercent = 150; memoryPercent = 150;
@ -60,6 +63,11 @@
name = "eth0"; name = "eth0";
DHCP = "yes"; DHCP = "yes";
domains = [ "sbruder.de" ]; domains = [ "sbruder.de" ];
address = [ "2001:8d8:1800:8627::1/64" ];
gateway = [ "fe80::1" ];
networkConfig = {
IPv6AcceptRA = "no";
};
}; };
}; };
}; };
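Review bot: The root filesystem is mounted with `"discard"` in `fileSystems."/".options`, but `luks.devices."root"` sets only `device`. If `/` sits on that LUKS mapping (it looks that way, though the layout is not shown), dm-crypt will not pass discards through and the mount option does nothing. Decide this explicitly: either drop `"discard"` from the options, or set `luks.devices."root".allowDiscards = true;` with a comment that TRIM on an encrypted volume reveals which blocks are unused. The `boot = {` block and the `systemd.network` block both start outside the lines shown.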


@ -1,80 +1,80 @@
wg-home-private-key: ENC[AES256_GCM,data:RkdgneGhH7prr/tkvHJeChQku2eXve9pV/SvtwsOjeinYO9veHw0rimdonY=,iv:vK6zNpu8F+TSLDTaif686Awjhs8WS2XJHzMtlvqlsIM=,tag:aKhV+kspVu+0CgPmYersxw==,type:str] wg-home-private-key: ENC[AES256_GCM,data:4L8aIvgFi+mBjnyVy5IkPaeJRadJ5NCKZprSkBPwMNiVaIscjAdp2yinBSk=,iv:6pBo+6M4EkEjz184XvisWXEoomqJXa4M8Qa4nJHI65U=,tag:3DEsmA2xxAlx/PSbD3HOIA==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: [] age: []
lastmodified: "2023-12-25T22:06:33Z" lastmodified: "2023-05-06T08:49:32Z"
mac: ENC[AES256_GCM,data:VbjyqrqDLCBDD9vGOHxSzsr9a5ZFFBJUkBRxJYBLereMDvInPFZnTwplHHkS5TdDFFAsjrcCgpCuPsUIbDdxFUNNtjdIe5JJwFMwT8XEFrgcswMGSKD6mIH2VBWop5pqoAV0eQ3YfKtDyhNHwixR8a+Z+hbGAY01Z19yteo51ZM=,iv:69EeBag+iUEoa18I0w1HeJKRwSQVCMRqUdV2CzUzMnY=,tag:WViKXJExL33jQAIWHUS8xw==,type:str] mac: ENC[AES256_GCM,data:B7e3sh96p2DlqM2SgHWoJ7RZ2q5tnZ6lohNc7UKmwG1HTkrPKW/6jobW2InQnbZn1bPmCERoJIF9QyUz+OxotTiKIXxSL7BJkkfpIkWy9IgjIeADjevHkplm2rXONiXaM2sD46bPKbuRzuhbCZtNwUH74gTVfKPVLVrzpnPRC74=,iv:TTXlBGhO7xLCC3Ad+xiQKmy4b0n0vuQRaCdoe7vpzSE=,tag:dZCharRGK//w48ePu7d2eQ==,type:str]
pgp: pgp:
- created_at: "2024-01-24T12:19:03Z" - created_at: "2024-01-22T00:20:17Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hF4DLHeEFiC484ASAQdA4PdmtZTlpcdfuYKSuKN6X4EGjh/l2D8Jxt7dg1y/Z0kw hF4DLHeEFiC484ASAQdALOHWjRYEy+oURe+ERyiQYDjFPDniV0awCBMahhaLzCMw
ScG/nWs9hVMFTBeqSM0eHgFfcZhBB/L85eNf9thktTUbcWq0GEUcz5mwUqILtkfA faMYpJTpirKixpFnPQ1W0aIiQ2/grcEJ4qYyXYG7GrqLcFMQfZOV8humZOLnZNB6
hF4Dub78fMESoMASAQdAMcVZokes0YKtbUZp7b9zq303WXPga5yn8LbhnaRrHycw hF4Dub78fMESoMASAQdAhpmpD8cyJSauuTHM/RTjLybR1VUGcIY7kLqrB33QLG8w
+ECn4t8y8SXFICpAZ5n+xj5U8MdmdKOzhNQLleFKIHtWdyeUlwFi0qYYP8MRCLTB aLu7q0wjY0Rs+7PtJiSKd6O4VOBRrsBmLc7QuBZ4cgBwUfE38g8LuXayuOLZQNb1
hF4DM6AcvgVUx2MSAQdAIzXqgZ8WiIxIV05BumWLsyZUChwvDQc47NMd5ehhBEQw hF4DM6AcvgVUx2MSAQdARr9S5DSGRJOcv2IgYMzko8fkMHlIR9uIJdJLMdcJER4w
I1LY11LTNENypr5q0mhy615kIbsdhpzAVLf4Bkf921zABsfFzuY5zJHqi8SKVm7/ RjcC/s5+P0b7wy9bIaAv3vk3FX4hw56QzhqAXcA1zU1kyjEHPnv3qsiiQbcKDjb0
1GYBCQIQHPC99/GrpHG703gozt2I0P2XMhlRpzj359qStWaQZ8NBL5Ugo5BLvphf 1GYBCQIQG5VczwWUidoTYkHgZveZhkVyYIiZc/YQrY6n71OrVnUKaH5kZn1XrMKE
1/WYAlvnH4Uov2TxKdQs65IJSadQgs7lBWB5gqHklZ76E4Q+00oMQxwGjzMdddA/ zRzcc4XCiu8CaSkQp68eqKeHwI8U5N/LAtjHbACxAq6GHatf/+LvJx4CbUrPZxw2
hRlLbnUDE1Q= PWZwSFBCZEg=
=ol1Y =r7sK
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 6CD375BD0741F67E5A289BC333A01CBE0554C763 fp: 6CD375BD0741F67E5A289BC333A01CBE0554C763
- created_at: "2024-01-24T12:19:03Z" - created_at: "2024-01-22T00:20:17Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hF4DLHeEFiC484ASAQdAaXq+nn0DDx+RAkEC+x+yeP5xbCIdXkR9tQCgWx1s0jkw hF4DLHeEFiC484ASAQdAGdRYvRfki1zKA2YHnPprf1ld5kJkai4fzxuuH1D3DRQw
VRgFkiBa6IsS0vmYknobXkizETtNjEhJ8vNw9nP0zPdjuUZBId2/bJZa7aFdIFRU zt5XhSFMx5ii7C3LIVjGgKnn6A6KTe1Tj314OYtrLeCGV8Eli+eOiSgi4c0nL709
hF4Dub78fMESoMASAQdAMLbBcLnc+5UVDsx50SgCVjQoHO4JGE53DE6Q+frDEiow hF4Dub78fMESoMASAQdAb38j/KxQlLRJLrtE5mS1XVCmaEIvyJU1uVcSVU3Bdhgw
rVFbLxWlJ/aw9baRdKUMkIUJftnImUQgolXvEfUjdS/oOdY69r4psLlHLQX11Ow1 f3iepOZgggHOCiHOCs+UWRmiudwoYqMzXF8G9pb6ESsy01cc1y6mXPh6sftKc6Iz
hF4DM6AcvgVUx2MSAQdAUZV3q/IXwUbRv9EokTe+4o83XzeS1h4GK3/3wjnKDHkw hF4DM6AcvgVUx2MSAQdAhq0ynXfS/eYrDAYdxj/qyEg8c2lHFYSaUVtr6v3B/Rcw
xHFJR2clEMDlaq7Rx3FTr2a7MlzSnzBLtIwdw5b9ytuRvHjD5q7zCf5bihYnvdjV Su08ppwK9wSbVaEL6p4NPJ0q9mt/36OsvZNaEWL2i7kkrD6q+2yvaGwh/fPcokWI
1GYBCQIQFt+CYziUXtEHjJFC1t+S3qkyPRAsVgZL8WlxbKzteW0NOdIZofHx6skG 1GYBCQIQRzg0YDKpmBGZY0sC37nIkUC4blEpFTgl+lma0ZQ9PUfbRP3ijRrxyPv/
Ebn8aadKcGg534DkwEt5DpIosXKUx4LN5xsCNoU9dHFYMSFE2nzJE4KNFJ8tzRQk aNkUpVAVxjh3VnV/NEm2s03x62iO4uiGoU0BUeI8Jjy4Tvuuodvmfpd4wZw7Mq+V
G+tyNMgCYhM= B8h2L/JR7Yo=
=2QnY =/wMt
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 0C8AF4B4320A511384DF6B5BB9BEFC7CC112A0C0 fp: 0C8AF4B4320A511384DF6B5BB9BEFC7CC112A0C0
- created_at: "2024-01-24T12:19:03Z" - created_at: "2024-01-22T00:20:17Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hF4DLHeEFiC484ASAQdA6ojEbZ8HccTtorNbyw9aVKO73AJy6jTGV/qLt+FWoRgw hF4DLHeEFiC484ASAQdAoM3SQYYUQq6OGImJaecw42BZOwOec75IWS00ZorR31ww
SsOLiL0UmF1OV7zmXE0ihkWivPqLHtp1U89aYucpAA69DIh4+6M7GUk1xDMxFfRo uaRdi54liGiKpjaebhPcLkX+0TKcW0h11kw6X1wrru1JWi3YLbjohv0qCtfa4wpc
hF4Dub78fMESoMASAQdAV2z2DgUz2xWopnDzXywdpHb9eMe9ZxdABxpOJ0ECeBww hF4Dub78fMESoMASAQdASH4+jxa7Qr9AkJpHHPmMx9cj3XyPXLpfzXJ7Yb40pHMw
wOC1x+IKIbIRZBDL7jbVUOk1G+GzCL4M7/G7XFSTFYMKvMKkc0Rh69pywFuGaqG8 zBiVmQApa4K+ZOVw/vpcSNaN6FufFoDb5IguwHIq+9vILvjvku6YFgAJ4gC76LOP
hF4DM6AcvgVUx2MSAQdA7bKGjcW81bzf58FlGGVDy/HjNyuEPNSVZXy0M+/WZAcw hF4DM6AcvgVUx2MSAQdAZGNp/j1sF0rmHhImhnuhgpn9NgRuFtL+BH5dorvrPwIw
3iXR9MecA97bKKKhLyNSdYmYlAjZJVIdwd6vjNWjxaB7BIWTYhudTjHesLMxB0vc mK5LsWHvyBFyC+SDNe4mrRkdia/xPECmcWrbvptGVjqlZnjmUbtrYhG+j5O6/817
1GYBCQIQlp1TDaBVxalDkeCEjDMRFatgJ3CwulzzW9B8qywOooS0BNtNbtTKGwEh 1GYBCQIQ/du7No+ULrBrjWc3q826ju8AqekySHtteKZclRmcHSNP4UEXcmTEMRNL
AxDL+wdeqkPABQ0wQ8hYGOw5z665jEOC2JbqbQ7N6LPQZRx/MowO2dGT/kKh2U9H 8lMJYK0G3uA9FXO9+2E39k/nIatBGuoaukW7zCouB3bLARZE00Oqh6qHCWVyFJ/S
VOK1Bc67BzU= Gzwk8dC0wdc=
=3z3V =BWUr
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 403215E0F99D2582C7055C512C77841620B8F380 fp: 403215E0F99D2582C7055C512C77841620B8F380
- created_at: "2024-01-24T12:19:03Z" - created_at: "2024-01-22T00:20:17Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQIMA9pmsZ2EWzFWAQ/9Gl4dO83SmvGHyhEfile6G9ZUmhxwU2RFpPwEmjh4CV/v hQIMA+X8PKo7gQeqARAAhtUvR20r2NV8SNWVuVSopTfCGwaJV99+PEp/l0UjHX6B
z1k2zgdF200a6tj96977VhjhIG/LZioEi41M1QdIqgkGsKy89DluCY9RDTqMmqzo lpHgQNHegP6YEsAj5HNFEcV3vM+nbC0hbTtcERBZoxTkyDPOaRAyJpNfGniZVxxp
w65JhI+PQqdQuKlsbUh2VLql7LijoIUxuBPowWG1lULZtEvRuCchM5rLFiBSC2YO jxSr/unCN6aJCbdqJZZZlitq84brMQWUE373Rb9B4cNdTYONabZbzZmwTDyzkVR0
DA0T73kC2P89CNZlOllZNnVRCRrxm7IsEO6Mo1yOeJL16mYqC9qGGKnvYEbsSm4n ctjmkdBG0upqNn7vukSIg7DM7D9pFolS9142reF7e5jTlxBFWR1Jt+O9A1zypfvq
7ZZJvxXGnNzaXisyyjcJNgtsJAUX4TTlPH+Y2jpkhdHUvOkiwVQEokmnqTIKUp0e tK2z9C1pM9LDRmUrKJ/HOKwu6P6USeTKFrp7Gfjr1UkmbgNunxgsdI6gwKY38SpJ
7Dc6ZXApFQ1DlMMsjLwy+5AQJQZbY4p4jo9rvmON5i5DLPy4rN5yf8W7zwkuy2gN T+tELs68oC5pGFpZufnYkrGL313HC7Vp/+2+m+W5qXbyNqhDS6uVQHjqz/ROqByb
Id53gxDZxHw0+mRsfYRrdOvmfUqqz79TyWVV8bvHR2Mo3shdL1fsWOzTlm66Y9Vt YwJw+x7810nL8+SleXst8oZpxDNDm+TnvWQAH6WiRBSpgVwy945SMvGG+1FLYps2
4coJxgUsJEFdnsnXAFep2V18Ypg36b9wQXtZDXWtTg36UliZZ95sUAG2vHQDS50b qOsRMjr+titLZAaUpmIh/oDHG/XOpKPQflcc4/V7t2HK6vLX+xvPIQU8Y5TJkr1T
5XG07m1w8YgQSeiCObteAt4PqxEs1GYWmtRUmr4jvRQQzmVXCQP6+o0QJ5WK9bKl nIIh7sMZBUldnUGUfFE3ksP5Gje5OHqK8xoFwYHFGK4QQzXFjPFN2QNvni2z9Y4R
auwT+H7POBJ3l+h9ykvmOidkAzeN7EWIirzvhDHsxvCklGCyo+Y3W5ZaLaFGfc/3 LLMvyEavqgIa6AeseqMnLuB2hz6wy/JNU/EPUalNca6RleoVA0DjKgjgDTlhQ5Al
pdj1G/REVT6aQMtSuYUsD7QoZeiNNBNJXAtUuUS6mWxch8RnkW718wxYZLvi03jS a6sRTy+KmXFfzdO97MJJEkNgA1Hbi1/IpREeA50lYtrDqUvhxw+l1V8N7jw+ZWTS
VgHaVWepbw/q0COmjyofCt1qZH+WMKSAguiQ6PHWAdP3hnzGgd7Qo84W54Fb3m1R VgHYyLUxdmOUsqEgQPVA7jiqWePwFEuEDEDVE+d6CcuvFuHFNV1jJEjit3R0wJOd
da72FFnILc3IYImbJI6QgJxAeS2K95nIWKdSix07c+m0zzFkemnB QpqnfxW4QTD+JFNJgrD7bj4y1Gu9Z6Lg1IBnHnOwDIoCJoAHp0y6
=F0pC =sy/X
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: e7370b48016c961ef8ad792fda66b19d845b3156 fp: 868497ac4266a4d137e0718ae5fc3caa3b8107aa
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.7.3


@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
@ -6,7 +6,9 @@
let let
proxyMap = { proxyMap = {
"sbruder.xyz" = "renge"; "sbruder.xyz" = "renge";
"nitter.sbruder.xyz" = "renge";
"iv.sbruder.xyz" = "renge"; "iv.sbruder.xyz" = "renge";
"libreddit.sbruder.xyz" = "renge";
}; };
in in
{ {


@ -0,0 +1,20 @@
# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ config, ... }:
{
sbruder.static-webserver.vhosts = {
"maggus.bayern".user = {
name = "maggus";
keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAWGXaMijpnm3RSH/PIVxkBRDIi1f5nMW/aS26g3b71M nils"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEF8o2ezSEXwWoAcdoeJs+wsZM/u8x+vtRNU3FXOMIT nils"
] ++ config.sbruder.pubkeys.trustedKeys;
};
"arbeitskampf.work".user = {
name = "arbeitskampf";
};
};
}
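Review bot: Both keys authorised for the `maggus` user end in the same comment `nils`, so when one has to be revoked nothing in the file says which device or purpose it belongs to. Give each key a distinguishing comment, for example a line above it such as `# nils: <device or purpose>`. Separately, `"arbeitskampf.work".user` sets only `name`. Whether the `static-webserver` module then falls back to `trustedKeys` or leaves that user without any authorised key is not visible here. Writing `keys = config.sbruder.pubkeys.trustedKeys;` there, or a comment stating the module default, would make the access list explicit.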


@ -17,8 +17,8 @@
./services/grafana.nix ./services/grafana.nix
./services/hedgedoc.nix ./services/hedgedoc.nix
./services/invidious ./services/invidious
./services/mastodon.nix
./services/matrix ./services/matrix
./services/murmur.nix
./services/password-hash-self-service.nix ./services/password-hash-self-service.nix
./services/prometheus.nix ./services/prometheus.nix
./services/sbruder.xyz ./services/sbruder.xyz
@ -33,9 +33,6 @@
}; };
wireguard.home.enable = true; wireguard.home.enable = true;
infovhost.enable = true; infovhost.enable = true;
wkd = {
enable = true;
};
}; };
networking.hostName = "renge"; networking.hostName = "renge";


@ -2,7 +2,7 @@ forgejo-mail: ENC[AES256_GCM,data:3AlFHzVBA5TE4qv5ubG39K0varV8/HabO0q/RJZSD5o=,i
go-neb-overrides: ENC[AES256_GCM,data:1xy+SdsSTuerRox4skitg1mKLr1MoANFoCzz76TKSA31ORo/oUWVGrYxfusZxrFQWjYGRFpSYzmkzPn1RoWmbXyfwPEcisvjenXLNvwcyoontBd7TiiLdukEtya6RfGLRGKc8tfCzbDUWgiYz5IDMFBvKGnewFjB+au0/Ge2+2DTw6M4negjCz343TO/vbyTr5xT/5smmKz7Ouk9SbEo7yEuHkQPQfedGw2PYT82zdXd/Eje3Zq2EB4xcUU7beGrF1zkOdXQ4OVqB8XnkCnuLtNlnJtsffm0rbPDPD3/nhHKpJ8jXrN54V14dSnHW7yOifGMIus0VFMRZcIT7A+BroM9qzJhW3F4gsF1Bwp0CF+6zLLRjgpA0EOyvOwpLIftBZfMIpveAH62MVY0IBfwDdkI1itEOjj9EhTrOGxBx45Cj6Qk3Mk6ncyr15+E+KAmQRxZJrEW8Grk4PyzuxtxYd0n8LSaRUe1eNVUhHkQNpo/zvAPgrzcRnM91EwIoMvlNmwyC63j1h+OBKlXQgChAaB1O6HFXQY=,iv:pnw0jIcMqA771woDYNHxWMWE6wHGaNsXi5aBXOFAHJU=,tag:Wbcqb0FsctZWOS6u5s82mQ==,type:str] go-neb-overrides: ENC[AES256_GCM,data:1xy+SdsSTuerRox4skitg1mKLr1MoANFoCzz76TKSA31ORo/oUWVGrYxfusZxrFQWjYGRFpSYzmkzPn1RoWmbXyfwPEcisvjenXLNvwcyoontBd7TiiLdukEtya6RfGLRGKc8tfCzbDUWgiYz5IDMFBvKGnewFjB+au0/Ge2+2DTw6M4negjCz343TO/vbyTr5xT/5smmKz7Ouk9SbEo7yEuHkQPQfedGw2PYT82zdXd/Eje3Zq2EB4xcUU7beGrF1zkOdXQ4OVqB8XnkCnuLtNlnJtsffm0rbPDPD3/nhHKpJ8jXrN54V14dSnHW7yOifGMIus0VFMRZcIT7A+BroM9qzJhW3F4gsF1Bwp0CF+6zLLRjgpA0EOyvOwpLIftBZfMIpveAH62MVY0IBfwDdkI1itEOjj9EhTrOGxBx45Cj6Qk3Mk6ncyr15+E+KAmQRxZJrEW8Grk4PyzuxtxYd0n8LSaRUe1eNVUhHkQNpo/zvAPgrzcRnM91EwIoMvlNmwyC63j1h+OBKlXQgChAaB1O6HFXQY=,iv:pnw0jIcMqA771woDYNHxWMWE6wHGaNsXi5aBXOFAHJU=,tag:Wbcqb0FsctZWOS6u5s82mQ==,type:str]
hcloud_exporter-environment: ENC[AES256_GCM,data:5gDTeg4C08BgNxBFtzZ7ma6JiafwF4ly5URAG4WxUTlRaUmF32fmbPdAZmveKiKBA8cc6ewcEIfIVJ7d5tbbqCEX+vbf9nr1fuhN05Z6lfsJNLoATclX,iv:GzEnudGDc6+6BJgDtaNnOnT7IK8Z0fsYfs/oJzKO2UA=,tag:LYCvRxNeKdMmNve0aWswrw==,type:str] hcloud_exporter-environment: ENC[AES256_GCM,data:5gDTeg4C08BgNxBFtzZ7ma6JiafwF4ly5URAG4WxUTlRaUmF32fmbPdAZmveKiKBA8cc6ewcEIfIVJ7d5tbbqCEX+vbf9nr1fuhN05Z6lfsJNLoATclX,iv:GzEnudGDc6+6BJgDtaNnOnT7IK8Z0fsYfs/oJzKO2UA=,tag:LYCvRxNeKdMmNve0aWswrw==,type:str]
invidious-extra-settings: ENC[AES256_GCM,data:bThgfyu5ESIyTLD7Q09Qici9ZZw/QYfCyBSjtbNb1EglCy0KHZrvDDAN4uDpdKrHxv8ctoN5Db7tRf5LUl6iyW7A5z9uYg481EXq3Sx6tZztepX0vg==,iv:FZ33tQWRsNEPjwuy/mH/N4e4PyjLx7sbv2G+9S5uigY=,tag:0GQn3AgoM2BPC5iCt5py8w==,type:str] invidious-extra-settings: ENC[AES256_GCM,data:bThgfyu5ESIyTLD7Q09Qici9ZZw/QYfCyBSjtbNb1EglCy0KHZrvDDAN4uDpdKrHxv8ctoN5Db7tRf5LUl6iyW7A5z9uYg481EXq3Sx6tZztepX0vg==,iv:FZ33tQWRsNEPjwuy/mH/N4e4PyjLx7sbv2G+9S5uigY=,tag:0GQn3AgoM2BPC5iCt5py8w==,type:str]
mastodon-mail: ENC[AES256_GCM,data:RT/fS7cqbcePd2qe7CR5jRh2jtKaS81ICbMUOlPUQsY=,iv:C7GYMB0U2KIfXuEnYaoIEfV89/EnJS6V9iG97X8zkPk=,tag:L4SVe6aYGcarvX1hmMqQOw==,type:str] murmur-superuser: ENC[AES256_GCM,data:hPuMK8wbqD/3qKXQbOActq/VJZ+6jFlddQ==,iv:68ZhkpkfxakCOYxFXkCSP/sBamETeSs4CGTRaoBS6co=,tag:5UuYCxDiJ6e2CXjDV5/5yA==,type:str]
netbox-secret-key: ENC[AES256_GCM,data:lOE95j6CGkbfJQTLeG41g3BPKNhm0arqxIGAzwvXQyeZLBauAdqufQGKD7D4kPNzdZs=,iv:6HWXEr6Ju4IywP+2jpuTfER/bYI2oUgMSZEJCkq4XX8=,tag:TPD5TTr4Sew8lxPS5WIu5Q==,type:str] netbox-secret-key: ENC[AES256_GCM,data:lOE95j6CGkbfJQTLeG41g3BPKNhm0arqxIGAzwvXQyeZLBauAdqufQGKD7D4kPNzdZs=,iv:6HWXEr6Ju4IywP+2jpuTfER/bYI2oUgMSZEJCkq4XX8=,tag:TPD5TTr4Sew8lxPS5WIu5Q==,type:str]
prometheus-htpasswd: ENC[AES256_GCM,data:tiewfUfpvrmbrgk6AsBdiP4ng4TqG5UYf1mFcWOzuk8oO55rfZu+Naummz5RRYhJZil43nHFvn5LfIWkJv+CyPMZjpj7xRp4vb4/OCCAFjEzHhrzYVBYNkHM+ZLUTewEXuPVtZ6CZ5uviTExLN2V1moG3ExJdIoyUD16qh4=,iv:SkH609VxIVKJLmHUUNzICEjxHSyjLdwXfw0b7iU6png=,tag:BfNGcUZmk9ZXUvhoQZn6iQ==,type:str] prometheus-htpasswd: ENC[AES256_GCM,data:tiewfUfpvrmbrgk6AsBdiP4ng4TqG5UYf1mFcWOzuk8oO55rfZu+Naummz5RRYhJZil43nHFvn5LfIWkJv+CyPMZjpj7xRp4vb4/OCCAFjEzHhrzYVBYNkHM+ZLUTewEXuPVtZ6CZ5uviTExLN2V1moG3ExJdIoyUD16qh4=,iv:SkH609VxIVKJLmHUUNzICEjxHSyjLdwXfw0b7iU6png=,tag:BfNGcUZmk9ZXUvhoQZn6iQ==,type:str]
restic-ssh-key: ENC[AES256_GCM,data:9quBzUwv4qylVzESG94wSgzvuodSDM/smPh0j+LYJjXwEN1xksBIW2/Jv0XmF3Q+AWUF/C/lA2jteI3Mf6Pmn7zlqa3H7GwH8Os6/arQI3ywH2dHQLAFxgST2J0AlLGeZcJbntxW0buYw+Rz3q5Jbo+Wo9tQo+2EVvqX320qWBsEwinnahbUhZym3fipyE9g6JxGa3OFGiIn6JAQhst63WgpOfehQsAYu2bdW1gLrgFtURzDQQRQ28RxeD+nMUWRpQcq5GrX2rfSA7sengfQbmP3Ln1atp1YXctTalHsj+n4photBqLz6OfLaFKBqbdKRbinUgVAEarAocEOKk/qf1C6LS8yKjV9Mh/tKeCJQrCI/AccEP5DfMNqdRaWjoQxvjBRKaupPE7Rcuja++K/jm24nP9J8WDcrRSm0tlrVq2JnPHxJv+eUsZoGkvpyOs9AkTG1H2BCckYS5ZG4atjKoBfUvc3CitPNmPZcjSkPrkdRMZbu1BWR+cixFH9rFAUvVIn+e7sWGnqMA8xGXZS,iv:rLOTtmIFP7rwF9JY9ardO9pNqNh1uaobHKtQaGwSuGk=,tag:pCd4ZV0FjfD18qj9oQ236Q==,type:str] restic-ssh-key: ENC[AES256_GCM,data:9quBzUwv4qylVzESG94wSgzvuodSDM/smPh0j+LYJjXwEN1xksBIW2/Jv0XmF3Q+AWUF/C/lA2jteI3Mf6Pmn7zlqa3H7GwH8Os6/arQI3ywH2dHQLAFxgST2J0AlLGeZcJbntxW0buYw+Rz3q5Jbo+Wo9tQo+2EVvqX320qWBsEwinnahbUhZym3fipyE9g6JxGa3OFGiIn6JAQhst63WgpOfehQsAYu2bdW1gLrgFtURzDQQRQ28RxeD+nMUWRpQcq5GrX2rfSA7sengfQbmP3Ln1atp1YXctTalHsj+n4photBqLz6OfLaFKBqbdKRbinUgVAEarAocEOKk/qf1C6LS8yKjV9Mh/tKeCJQrCI/AccEP5DfMNqdRaWjoQxvjBRKaupPE7Rcuja++K/jm24nP9J8WDcrRSm0tlrVq2JnPHxJv+eUsZoGkvpyOs9AkTG1H2BCckYS5ZG4atjKoBfUvc3CitPNmPZcjSkPrkdRMZbu1BWR+cixFH9rFAUvVIn+e7sWGnqMA8xGXZS,iv:rLOTtmIFP7rwF9JY9ardO9pNqNh1uaobHKtQaGwSuGk=,tag:pCd4ZV0FjfD18qj9oQ236Q==,type:str]
@ -16,8 +16,8 @@ sops:
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: [] age: []
lastmodified: "2024-06-01T12:03:17Z" lastmodified: "2024-01-10T18:29:17Z"
mac: ENC[AES256_GCM,data:6fJfEtnHSQV7oGZ7HMrXYH1lX8ZzfTChOZC25scDP/q5FH8QZ52OntRuQ8DbR+AKUPN/w6o4EotZVxX53Q2Xxi6QdHSqo07GDsWUnIOb5eCNGmEB3c2w20DJv2smTnEr7d6051aPzEUO0ZxUPxxlqcifC6dsdpdxySyG/VY9OQQ=,iv:KAWFRoOQKRd2tf58QYGD8SnHJk1aLwBxgkcRkPgjuN8=,tag:LJFOJuFblp53Te9zoYKq0Q==,type:str] mac: ENC[AES256_GCM,data:jsYCPL7/AFxg9mRM/mKhwiy4eH6ZGMyCCSBu+jSfIk/T8RSd9zh0AZ/p5rAwfbW20AzetivzRB4bSgcymLIcCr900EQLdPIuaZgxeGcbZ80N/7I0zF4u8K8oa1pKhyr1UUj48XjL55IdvVOsyvfq/I/KSbIbO7+fBHeQ51crCeo=,iv:CNmKwvZ61PdeyOvGP7elm/yvokll//fiKxdWFe2cfPo=,tag:PVQRV0G3VtBsD0tk34DHig==,type:str]
pgp: pgp:
- created_at: "2024-01-22T00:20:10Z" - created_at: "2024-01-22T00:20:10Z"
enc: |- enc: |-


@ -1,32 +0,0 @@
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ config, lib, ... }:
{
sops.secrets.mastodon-mail = {
owner = config.services.mastodon.user;
sopsFile = ../secrets.yaml;
};
services.mastodon = {
enable = true;
configureNginx = true;
localDomain = "procrastination.space";
smtp = {
createLocally = false;
host = "vueko.sbruder.de";
port = 465;
user = "mastodon@sbruder.de";
passwordFile = config.sops.secrets.mastodon-mail.path;
fromAddress = config.services.mastodon.smtp.user;
authenticate = true;
};
streamingProcesses = 5;
extraConfig = {
SMTP_TLS = "true";
RAILS_LOG_LEVEL = "warn";
};
};
}


@ -75,7 +75,6 @@ in
"shinobu.vpn.sbruder.de:9100" "shinobu.vpn.sbruder.de:9100"
"nazuna.vpn.sbruder.de:9100" "nazuna.vpn.sbruder.de:9100"
"yuzuru.vpn.sbruder.de:9100" "yuzuru.vpn.sbruder.de:9100"
"koyomi.vpn.sbruder.de:9100"
]; ];
relabel_configs = lib.singleton { relabel_configs = lib.singleton {
target_label = "instance"; target_label = "instance";
@ -83,22 +82,6 @@ in
regex = "(.*)\\.vpn\\.sbruder\\.de:9100"; regex = "(.*)\\.vpn\\.sbruder\\.de:9100";
}; };
} }
{
job_name = "smartctl";
static_configs = mkStaticTargets [
"fuuko.vpn.sbruder.de:9633"
"mayushii.vpn.sbruder.de:9633"
"nunotaba.vpn.sbruder.de:9633"
"hitagi.vpn.sbruder.de:9633"
"shinobu.vpn.sbruder.de:9633"
"koyomi.vpn.sbruder.de:9633"
];
relabel_configs = lib.singleton {
target_label = "instance";
source_labels = lib.singleton "__address__";
regex = "(.*)\\.vpn\\.sbruder\\.de:9633";
};
}
{ {
job_name = "qbittorrent"; job_name = "qbittorrent";
static_configs = mkStaticTargets [ static_configs = mkStaticTargets [
@ -153,10 +136,8 @@ in
{ {
job_name = "knot"; job_name = "knot";
static_configs = mkStaticTargets [ static_configs = mkStaticTargets [
"vueko.vpn.sbruder.de:9433"
"renge.vpn.sbruder.de:9433"
"okarin.vpn.sbruder.de:9433" "okarin.vpn.sbruder.de:9433"
"yuzuru.vpn.sbruder.de:9433" "vueko.vpn.sbruder.de:9433"
]; ];
relabel_configs = lib.singleton { relabel_configs = lib.singleton {
target_label = "instance"; target_label = "instance";


@ -3,7 +3,11 @@
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
{ config, pkgs, ... }: { config, pkgs, ... }:
let
goneVhost = {
locations."~ .*".return = "303 'https://sbruder.xyz/#history'";
};
in
{ {
imports = [ imports = [
./blocks.nix ./blocks.nix
@ -54,4 +58,7 @@
}; };
}; };
}; };
services.nginx.virtualHosts."nitter.sbruder.xyz" = goneVhost;
services.nginx.virtualHosts."libreddit.sbruder.xyz" = goneVhost;
} }
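Review bot: `goneVhost` holds only the redirect location, so the two `services.nginx.virtualHosts` entries added at the end of the file carry no `forceSSL`/`enableACME` (or `useACMEHost`) setting of their own. Unless a default elsewhere supplies them, an old `https://nitter.sbruder.xyz/...` link is answered with a certificate for a different name before the client ever sees the 303. I would add the TLS options to `goneVhost` the same way the other vhosts in this file set them (not visible in the hunk). As a point of style, `locations."/".return = "303 'https://sbruder.xyz/#history'";` says the same thing, since the regex `~ .*` matches nothing that `/` does not.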


@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
@ -9,7 +9,6 @@
../../modules ../../modules
./services/co2_exporter.nix ./services/co2_exporter.nix
./services/ntp.nix
./services/router ./services/router
./services/snmp-exporter.nix ./services/snmp-exporter.nix
./services/wordclock-dimmer.nix ./services/wordclock-dimmer.nix


@ -1,11 +0,0 @@
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{
services.ntp = {
enable = true;
};
networking.firewall.allowedUDPPorts = [ 123 ];
}


@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
@ -41,16 +41,16 @@ in
cfg.vlan); cfg.vlan);
dhcp-option = lib.flatten (lib.mapAttrsToList dhcp-option = lib.flatten (lib.mapAttrsToList
(name: { subnet, ... }: [ (name: { subnet, ... }: [
# Gateway
"tag:br-${name},option:router,${subnet.v4.gateway}" "tag:br-${name},option:router,${subnet.v4.gateway}"
"tag:br-${name},option6:dns-server,${subnet.v6.gateway}" "tag:br-${name},option6:dns-server,${subnet.v6.gateway}"
# NTP server (runs on gateway)
"tag:br-${name},option:ntp-server,${subnet.v4.gateway}"
"tag:br-${name},option6:ntp-server,${subnet.v6.gateway}"
]) ])
cfg.vlan); cfg.vlan);
nftset = [
"/pool.ntp.org/4#inet#filter#iot_ntp4"
"/pool.ntp.org/6#inet#filter#iot_ntp6" # does not work
];
server = [ server = [
"127.0.0.1#5053" "127.0.0.1#5053"
]; ];
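Review bot: The `nftset` entry `"/pool.ntp.org/6#inet#filter#iot_ntp6" # does not work` ships a rule that is known to be broken without saying what fails. As written, an IoT client that picks an AAAA answer gets its NTP dropped by the forward chain. A client without correct time will also fail certificate validation, so this is more than cosmetic. Either drop the entry or expand the comment, e.g. `# FIXME: iot_ntp6 is never populated (cause: <unknown>), so NTP over IPv6 from br-iot is dropped`. The sets are only filled when a client resolves `pool.ntp.org` through this dnsmasq, so devices using another NTP name get no time now that the DHCP `ntp-server` options are gone; that deserves a comment too.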


@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
@ -7,6 +7,16 @@ define PHYSICAL_WAN = "enp1s0"
define NAT_WAN_IFACES = { $PHYSICAL_WAN } define NAT_WAN_IFACES = { $PHYSICAL_WAN }
table inet filter { table inet filter {
# These two sets are dynamically managed by dnsmasq
set iot_ntp4 {
type ipv4_addr
comment "IPv4 addresses of resolved NTP servers"
}
set iot_ntp6 {
type ipv6_addr
comment "IPv6 addresses of resolved NTP servers"
}
chain forward { chain forward {
type filter hook forward priority filter; policy drop type filter hook forward priority filter; policy drop
@ -21,6 +31,8 @@ table inet filter {
iifname "br-lan" oifname $VLAN_BRIDGES counter accept; iifname "br-lan" oifname $VLAN_BRIDGES counter accept;
iifname $VLAN_BRIDGES oifname "br-lan" ct state established,related counter accept iifname $VLAN_BRIDGES oifname "br-lan" ct state established,related counter accept
iifname "br-iot" ip daddr @iot_ntp4 udp dport 123 counter accept
iifname "br-iot" ip6 daddr @iot_ntp6 udp dport 123 counter accept
iifname $NAT_WAN_IFACES oifname "br-iot" ct state established,related counter accept iifname $NAT_WAN_IFACES oifname "br-iot" ct state established,related counter accept
} }
} }
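Review bot: `set iot_ntp4` and `set iot_ntp6` are declared without a timeout, so every address dnsmasq adds stays allowed until the ruleset is reloaded. `pool.ntp.org` rotates through many hosts, so the egress allowlist for `br-iot` only ever grows. Adding `flags timeout` and a default such as `timeout 1d` to both sets would let stale entries age out; the value should be longer than the record TTL, and how dnsmasq refreshes existing elements should be checked. The two new accept rules also match on `iifname "br-iot"` and the destination only; adding `oifname $NAT_WAN_IFACES` would state that this traffic is meant to leave via WAN. The `forward` chain continues outside the first hunk.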


@ -11,7 +11,6 @@
./services/fuuko-proxy.nix # FIXME! ./services/fuuko-proxy.nix # FIXME!
./services/media.nix ./services/media.nix
./services/murmur.nix
./services/restic.nix ./services/restic.nix
]; ];


@ -1,5 +1,4 @@
media-sb-proxy-auth: ENC[AES256_GCM,data:TFAS1PXu+jSt/orjYI1ffPbiCMCZgc22tU4coz9eEi7CyEaMvaKuQpgIPwZDBoL3r1yhXd+USya/PjEL9g3SCpuva5EXiJVYjV+mYaTxgrLx,iv:a5da4EuduMVVwEy0p2sz3XuAwdYFt+D9WgOs4oqQg6s=,tag:2BTqxnXIK+sWj/8RXVrYDg==,type:str] media-sb-proxy-auth: ENC[AES256_GCM,data:TFAS1PXu+jSt/orjYI1ffPbiCMCZgc22tU4coz9eEi7CyEaMvaKuQpgIPwZDBoL3r1yhXd+USya/PjEL9g3SCpuva5EXiJVYjV+mYaTxgrLx,iv:a5da4EuduMVVwEy0p2sz3XuAwdYFt+D9WgOs4oqQg6s=,tag:2BTqxnXIK+sWj/8RXVrYDg==,type:str]
murmur-superuser: ENC[AES256_GCM,data:D7EjnKZGSmx8ykVeKqSIAdV4Vql7ZkfEUw==,iv:I8SgiZrlCpyqNeBMJlzttFUJFGqQp5vHu6pMUz/0LoE=,tag:G6QMUh3v2QjxtoXUSoRqcA==,type:str]
restic-htpasswd: ENC[AES256_GCM,data:om9v+FXOEsOPP7LVntiwyqEKmiCLCwcmMgWBeHxcrlosYT4cElX3MHlu+NQAI0TPwc0mAog1tJyRcTfqK7uYszIzd75/Ig==,iv:7UBHmyqt/2hW9Aw1oRMZtZdOij5mjGF/8nmr3PAq/EI=,tag:TNcECUAdGtch8/bHbOJeNw==,type:str] restic-htpasswd: ENC[AES256_GCM,data:om9v+FXOEsOPP7LVntiwyqEKmiCLCwcmMgWBeHxcrlosYT4cElX3MHlu+NQAI0TPwc0mAog1tJyRcTfqK7uYszIzd75/Ig==,iv:7UBHmyqt/2hW9Aw1oRMZtZdOij5mjGF/8nmr3PAq/EI=,tag:TNcECUAdGtch8/bHbOJeNw==,type:str]
restic-rclone-ssh-key: ENC[AES256_GCM,data:fefY4sVBp786LeUNdLA1CZ83YGZsxP9yvoIx647fVM47jGBfJWcU8PDwbPGfp4ae5aKnuRi/+OpRQHQIuBWa8XH8mWQ0YLs3JzKavmtNqf8mh9hyiEGLSYBbokEkgSPFBxH8CuhNbzrou0cCO7ACXkXnq4Cf0jjkYR2StjsISiJ11nEnle0tchHMFPSho0W7Ph8UZvT6x1naJjBqMrZKepLMCrT4oM3gqgA3R0cvCxQyIY5BHweopDXxuZDVlIiYjG61qt6OKL7O+lt/Kfvd38i6L1CAsloFVQOv4pQwz5b/jNjH+Kg8+tbbksXz2Dm5PU7HBXyav48MqriTqVCeWpmEsbo9j/zEravtNaC/gvpc7v4H/3lqhyY181g2Fxzu3YCjheSwjhtSuLCtXCD4UdW5Ctkb5TDZrMY+NAQdeXqgCawYggN05x6s+UdSitXXHLBjvyIV5ES/7p43zjWDnddAsFQEgILffQRobA9y8VZ+Igj7wo+HJLdNnmJtcqL/j6CM4MOT4hvj1CLhhBdr,iv:zYgnXzxGU2XJcjeclQT5bX6M1r5WG+Z0pZI7R4qpUU0=,tag:CbBUooyhUCkmKp+N6j4ySw==,type:str] restic-rclone-ssh-key: ENC[AES256_GCM,data:fefY4sVBp786LeUNdLA1CZ83YGZsxP9yvoIx647fVM47jGBfJWcU8PDwbPGfp4ae5aKnuRi/+OpRQHQIuBWa8XH8mWQ0YLs3JzKavmtNqf8mh9hyiEGLSYBbokEkgSPFBxH8CuhNbzrou0cCO7ACXkXnq4Cf0jjkYR2StjsISiJ11nEnle0tchHMFPSho0W7Ph8UZvT6x1naJjBqMrZKepLMCrT4oM3gqgA3R0cvCxQyIY5BHweopDXxuZDVlIiYjG61qt6OKL7O+lt/Kfvd38i6L1CAsloFVQOv4pQwz5b/jNjH+Kg8+tbbksXz2Dm5PU7HBXyav48MqriTqVCeWpmEsbo9j/zEravtNaC/gvpc7v4H/3lqhyY181g2Fxzu3YCjheSwjhtSuLCtXCD4UdW5Ctkb5TDZrMY+NAQdeXqgCawYggN05x6s+UdSitXXHLBjvyIV5ES/7p43zjWDnddAsFQEgILffQRobA9y8VZ+Igj7wo+HJLdNnmJtcqL/j6CM4MOT4hvj1CLhhBdr,iv:zYgnXzxGU2XJcjeclQT5bX6M1r5WG+Z0pZI7R4qpUU0=,tag:CbBUooyhUCkmKp+N6j4ySw==,type:str]
rspamd-worker-controller: ENC[AES256_GCM,data:STf4vgVsYu6+WfpISKC0L69ixlM+cOiefO4qvHY2gYbV9FirRGxlUIRkmPwk+I6gYxKSC6D8ZTO3Bi2drEuWd8Yhuwjj9Rc1ja7b5UxaT5Q591Iof8S5RbXZKvaWMAQXVeAz4qkBaA==,iv:RzB3EHnzybbYO9E95ianu/Yl+chH7IPomvWG89mIGYU=,tag:yFSx97r/vkf3gVhIxMwcNw==,type:str] rspamd-worker-controller: ENC[AES256_GCM,data:STf4vgVsYu6+WfpISKC0L69ixlM+cOiefO4qvHY2gYbV9FirRGxlUIRkmPwk+I6gYxKSC6D8ZTO3Bi2drEuWd8Yhuwjj9Rc1ja7b5UxaT5Q591Iof8S5RbXZKvaWMAQXVeAz4qkBaA==,iv:RzB3EHnzybbYO9E95ianu/Yl+chH7IPomvWG89mIGYU=,tag:yFSx97r/vkf3gVhIxMwcNw==,type:str]
@ -11,8 +10,8 @@ sops:
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: [] age: []
lastmodified: "2024-06-01T12:03:28Z" lastmodified: "2023-04-29T10:17:21Z"
mac: ENC[AES256_GCM,data:KFlisFD6k06XqF6SoQTaMNFpIPYtOgHDFArQueGBcTgjfxzdaxA8AVH1ZBeyFeEFlf4EFfduYcfnqAaGWScOvVW+jVhN/InsNkGf7alPyJ2ifzUD9yhe2/gcOF+eZqPvbTfXsdyfyqkbK7kkRyoYC61T3KPnPzTWqDk/3Chm4k8=,iv:lUbhG5/o5iepukcXHs2FYfue04EJdAbfhX1N0e1C9eA=,tag:EvPEDPoRiLXzbWeHAjTMoQ==,type:str] mac: ENC[AES256_GCM,data:UfLbX+4uDg9Kp8v9lnq9RktT4ltpJYwOHBBPRhO79a1AmLXkp6GilaoMJYjkj0foL92vTUK10wIw547omySwJeY52pTGAvw1IXVaxNp395KLlMPl3EwLS3xj4c0bhzcVEyFl/fxG2gk6BJOzvQXaMYo4COEzDdK6ZDGZKZVKEAM=,iv:mR9Nq+s7wHeZdP6/gW9+zJd/wa1Y4Q5saACwnMOFOZQ=,tag:yYYF8/mKnbxzmPa6nWIGbA==,type:str]
pgp: pgp:
- created_at: "2024-01-22T00:20:08Z" - created_at: "2024-01-22T00:20:08Z"
enc: |- enc: |-
@ -83,4 +82,4 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 4EA330328CD0D3076E90960194DFA4953D8729DE fp: 4EA330328CD0D3076E90960194DFA4953D8729DE
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.7.3


@ -1,9 +1,7 @@
# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
{ config, ... }:
{ {
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"brennende.autos" = { "brennende.autos" = {
@ -21,34 +19,9 @@
}; };
sbruder.static-webserver.vhosts = { sbruder.static-webserver.vhosts = {
"arbeitskampf.work".user = {
name = "arbeitskampf";
};
"maggus.bayern".user = {
name = "maggus";
keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAWGXaMijpnm3RSH/PIVxkBRDIi1f5nMW/aS26g3b71M nils"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEF8o2ezSEXwWoAcdoeJs+wsZM/u8x+vtRNU3FXOMIT nils"
] ++ config.sbruder.pubkeys.trustedKeys;
};
"psycho-power-papagei.de" = { "psycho-power-papagei.de" = {
user.name = "papagei"; user.name = "papagei";
imprint.enable = true; imprint.enable = true;
}; };
"salespointframework.org" = {
redirects = [
"www.salespointframework.org"
"salespointframe.work"
"www.salespointframe.work"
"verkaufspunktrahmenwerk.de"
"www.verkaufspunktrahmenwerk.de"
"verkaufspuntrahmenwerk.de"
"www.verkaufspuntrahmenwerk.de"
];
user.name = "salespoint";
};
}; };
} }


@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
@ -7,16 +7,14 @@ let
cfg = config.sbruder.knot; cfg = config.sbruder.knot;
primaryHost = "vueko"; primaryHost = "vueko";
secondaryHosts = [ "renge" "okarin" "yuzuru" ]; secondaryHosts = [ "okarin" ];
isPrimaryHost = config.networking.hostName == primaryHost; isPrimaryHost = config.networking.hostName == primaryHost;
isSecondaryHost = lib.elem config.networking.hostName secondaryHosts; isSecondaryHost = lib.elem config.networking.hostName secondaryHosts;
addresses = { addresses = {
vueko = [ "168.119.176.53" "2a01:4f8:c012:2f4::1" ]; vueko = [ "168.119.176.53" "2a01:4f8:c012:2f4::1" ];
renge = [ "152.53.13.113" "2a03:4000:6b:d2::1" ]; okarin = [ "82.165.242.252" "2001:8d8:1800:8627::1" ];
okarin = [ "85.215.165.213" "2a01:239:24b:1c00::1" ];
yuzuru = [ "85.215.73.203" "2a02:247a:272:1600::1" ];
}; };
in in
{ {
@ -67,7 +65,12 @@ in
id = host; id = host;
address = hostAddresses; address = hostAddresses;
}) })
addresses); addresses) ++ lib.optional isPrimaryHost {
id = "inwx";
# INWX only allows the specification of one primary DNS,
# which limits the IP protocol usable for zone transfers to one.
address = lib.singleton "185.181.104.96";
};
} }
(lib.mkIf isPrimaryHost { (lib.mkIf isPrimaryHost {
policy = lib.singleton { policy = lib.singleton {
@ -85,7 +88,7 @@ in
zonefile-load = "difference-no-serial"; zonefile-load = "difference-no-serial";
journal-content = "all"; journal-content = "all";
# secondary # secondary
notify = secondaryHosts; notify = [ "inwx" ] ++ secondaryHosts;
# dnssec # dnssec
dnssec-signing = true; dnssec-signing = true;
dnssec-policy = "default"; dnssec-policy = "default";
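Review bot: The new `inwx` remote is identified only by the literal `address = lib.singleton "185.181.104.96";`, and it is added to `notify`. The ACL is not visible in these hunks, but if it is derived from the remotes as for the other hosts, zone transfers to that party are presumably authorised by source address alone. If the provider supports TSIG, referencing a key from the remote (knot's `key` option) would tie the transfer to a secret rather than to an IP that can change hands. The address should at least carry a comment saying where it was taken from and when, e.g. `# INWX transfer source, from <provider documentation>, checked <date>`. The remote list and the zone template both continue outside the hunks.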


@ -33,8 +33,8 @@
./ausweisapp.nix ./ausweisapp.nix
./authoritative-dns.nix ./authoritative-dns.nix
./cups.nix ./cups.nix
./docker.nix
./fancontrol.nix ./fancontrol.nix
./flatpak.nix
./fonts.nix ./fonts.nix
./games.nix ./games.nix
./grub.nix ./grub.nix
@ -54,9 +54,7 @@
./nix.nix ./nix.nix
./office.nix ./office.nix
./pipewire.nix ./pipewire.nix
./podman.nix
./prometheus/node_exporter.nix ./prometheus/node_exporter.nix
./prometheus/smartctl_exporter.nix
./pubkeys.nix ./pubkeys.nix
./qbittorrent ./qbittorrent
./restic ./restic
@ -69,7 +67,6 @@
./udev.nix ./udev.nix
./unfree.nix ./unfree.nix
./wireguard ./wireguard
./wkd
]; ];
config = lib.mkMerge [ config = lib.mkMerge [
@ -81,11 +78,9 @@
git-lfs # not so essential, but required to clone config git-lfs # not so essential, but required to clone config
htop htop
tmux tmux
vim
]; ];
programs.nano.enable = false;
programs.vim.defaultEditor = true;
# Clean temporary files on boot # Clean temporary files on boot
boot.tmp.cleanOnBoot = true; boot.tmp.cleanOnBoot = true;
@ -113,8 +108,6 @@
# Support for exotic file systems # Support for exotic file systems
boot.supportedFilesystems = lib.optional config.sbruder.full "ntfs"; boot.supportedFilesystems = lib.optional config.sbruder.full "ntfs";
programs.ssh.startAgent = lib.mkDefault (!config.sbruder.gui.enable);
# When this is set to true (default), routing everything through a # When this is set to true (default), routing everything through a
# wireguard tunnel does not work. # wireguard tunnel does not work.
networking.firewall.checkReversePath = false; networking.firewall.checkReversePath = false;
@ -166,21 +159,11 @@
(lib.mkIf (!config.sbruder.machine.isVm) { (lib.mkIf (!config.sbruder.machine.isVm) {
# Hard drive monitoring # Hard drive monitoring
services.smartd.enable = lib.mkDefault true; services.smartd.enable = lib.mkDefault true;
# Firmware updates (only work on EFI systems, so enable only when using systemd-boot) # Firmware updates
services.fwupd.enable = lib.mkDefault (config.boot.loader.systemd-boot.enable); services.fwupd.enable = lib.mkDefault true;
}) })
(lib.mkIf (!config.sbruder.full) { (lib.mkIf (!config.sbruder.full) {
documentation.enable = lib.mkDefault false; documentation.enable = lib.mkDefault false;
}) })
(lib.mkIf (config.services.resolved.enable) {
# With NixOSs default database order for hosts,
# resolving the FQDN with hostname -f always returns “localhost”
# when resolved is enabled.
# This changes the priority of the files database,
# which fixes this.
# This workaround was taken from
# https://github.com/NixOS/nixpkgs/issues/132646#issuecomment-1782684381
system.nssDatabases.hosts = lib.mkOrder 500 [ "files" ];
})
]; ];
} }
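Review bot: `services.fwupd.enable = lib.mkDefault true;` turns fwupd on for every non-VM machine, while the comment it replaces stated that updates only work on EFI systems. On hosts that boot another way this leaves a privileged update daemon installed that cannot apply anything. Either keep the condition, `lib.mkDefault config.boot.loader.systemd-boot.enable`, or extend the `# Firmware updates` comment to say why it is wanted everywhere.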

47
modules/docker.nix Normal file

@ -0,0 +1,47 @@
# SPDX-FileCopyrightText: 2020-2021 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ config, lib, pkgs, ... }:
{
# This uses a custom option (instead of `virtualisation.docker.enable`) since
# `virtualisation.oci-containers` conditionally sets
# `virtualisation.docker.enable` and therefore causes an infinite recursion.
options.sbruder.docker.enable = lib.mkEnableOption "docker with ipv6nat";
config = lib.mkIf config.sbruder.docker.enable {
environment.systemPackages = with pkgs; [
docker-compose
docker-credential-helpers
docker-ls
];
virtualisation = {
docker = {
enable = true;
logDriver = "journald";
extraOptions = lib.concatStringsSep " " [
"--ipv6"
"--fixed-cidr-v6=fd00:d0ce:d0ce:d0ce::/64"
];
};
oci-containers.containers.ipv6nat = {
image = "robbertkl/ipv6nat";
volumes = [
"/var/run/docker.sock:/var/run/docker.sock:ro"
];
extraOptions = [
"--network=host"
"--cap-drop=ALL"
"--cap-add=NET_ADMIN"
"--cap-add=NET_RAW"
"--cap-add=SYS_MODULE"
];
};
};
environment.etc."modules-load.d/ipv6nat.conf".text = "ip6_tables\n";
};
}
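Review bot: `oci-containers.containers.ipv6nat` pulls `robbertkl/ipv6nat` with no tag or digest, yet runs with `--network=host`, `NET_ADMIN`, `NET_RAW`, `SYS_MODULE` and the Docker socket, so whatever the registry serves under the default tag gets host-level reach. The `:ro` on `/var/run/docker.sock` does not limit the API: it only makes the socket file read-only, and a client that can connect can still create containers. Pinning the image, e.g. `image = "robbertkl/ipv6nat@sha256:<digest>";` (placeholder digest), makes every update an explicit change in this repository. Since `ip6_tables` is already loaded through `modules-load.d/ipv6nat.conf`, `--cap-add=SYS_MODULE` is probably unnecessary and worth testing without.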


@ -1,19 +0,0 @@
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
#
# Flatpak is only used for programs that are not easily installable natively.
# They should always be confined as much as possible using Flatseal.
#
# To make Flatpak work with Flathub,
# the following command must be run imperatively:
#
# flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
#
# The full guide is available on https://flathub.org/setup/NixOS,
# though the restart step is not necessary.
{ config, lib, ... }:
lib.mkIf config.sbruder.gui.enable {
services.flatpak.enable = true;
}


@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
@ -95,7 +95,6 @@ lib.mkIf cfg.enable {
smtpd_tls_protocols = "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1"; smtpd_tls_protocols = "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1";
smtpd_tls_mandatory_ciphers = "medium"; smtpd_tls_mandatory_ciphers = "medium";
smtpd_tls_loglevel = "1"; smtpd_tls_loglevel = "1";
smtpd_tls_received_header = "yes"; # add TLS connection details to Received header
tls_medium_cipherlist = listToString [ tls_medium_cipherlist = listToString [
"ECDHE-ECDSA-AES128-GCM-SHA256" "ECDHE-ECDSA-AES128-GCM-SHA256"
@ -141,7 +140,6 @@ lib.mkIf cfg.enable {
# Postscreen # Postscreen
smtpd = { smtpd = {
type = "pass"; type = "pass";
args = [ "-o" "smtpd_discard_ehlo_keywords=silent-discard,dsn" ];
}; };
smtp_inet = { smtp_inet = {
# Partially overrides upstream # Partially overrides upstream


@ -1,29 +0,0 @@
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ config, lib, pkgs, ... }:
{
options.sbruder.podman.enable = lib.mkEnableOption "podman";
config = lib.mkIf config.sbruder.podman.enable {
boot.enableContainers = false; # FIXME: this only needs to be set for some stateVersions
environment.systemPackages = with pkgs; [
buildah
podman-compose
skopeo
];
virtualisation = {
podman = {
enable = true;
dockerSocket.enable = true;
defaultNetwork.settings = {
ipv6_enabled = true;
};
};
};
};
}


@ -8,10 +8,7 @@
enable = config.sbruder.wireguard.home.enable; enable = config.sbruder.wireguard.home.enable;
listenAddress = config.sbruder.wireguard.home.address; listenAddress = config.sbruder.wireguard.home.address;
enabledCollectors = [ "systemd" ]; enabledCollectors = [ "systemd" ];
disabledCollectors = [ disabledCollectors = [ "rapl" ];
"arp.netlink" # https://github.com/prometheus/node_exporter/issues/2849
"rapl"
];
}; };
systemd.services.prometheus-node-exporter.after = [ "wireguard-wg-home.service" ]; systemd.services.prometheus-node-exporter.after = [ "wireguard-wg-home.service" ];


@ -1,22 +0,0 @@
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ config, lib, ... }:
{
services.prometheus.exporters.smartctl = {
enable = config.sbruder.wireguard.home.enable && !config.sbruder.machine.isVm;
listenAddress = config.sbruder.wireguard.home.address;
# devices need to be specified for all systems that use NVMe
# https://github.com/NixOS/nixpkgs/issues/210041
};
systemd.services.prometheus-smartctl-exporter = {
after = [ "wireguard-wg-home.service" ];
serviceConfig = {
IPAddressAllow = lib.singleton config.sbruder.wireguard.home.subnet;
IPAddressDeny = "any";
};
};
}


@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
@ -28,8 +28,6 @@ let
"/home/*/mounts" "/home/*/mounts"
# Docker (state should be kept somewhere else) # Docker (state should be kept somewhere else)
"/home/*/.local/share/containers" # podman
"/var/lib/containers/"
"/var/lib/docker/" "/var/lib/docker/"
# Static configuration (generated from this repository) # Static configuration (generated from this repository)


@ -60,12 +60,12 @@
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHUEVBJcEibRdQzp0bDXpPqLGQ8vtQTKTcpGZU07W4eo"; publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHUEVBJcEibRdQzp0bDXpPqLGQ8vtQTKTcpGZU07W4eo";
}; };
okarin = { okarin = {
hostNames = [ "okarin" "okarin.sbruder.de" "okarin.vpn.sbruder.de" ]; hostNames = [ "okarin" "okarin.sbruder.xyz" "okarin.vpn.sbruder.de" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJvRAiEAV0Oulii0w3xcHCb0/oHqpA0hz3bn//BQnR8T"; publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOaev8K5KhRovW75IdZ0HYlzvxxo0haeCM0xCVEOuDSa";
}; };
okarin-initrd = { okarin-initrd = {
hostNames = [ "[okarin.sbruder.de]:2222" ]; hostNames = [ "[okarin.sbruder.de]:2222" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKOV+azRrT1zICmDe9D7bm3pOaFzaT+cVXCvxgY1bAbP"; publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINJbp0kZJEXf1gSVcBsef1Bihd5iCzhzSbjgyrC1SXXT";
}; };
shinobu = { shinobu = {
hostNames = [ "shinobu" "shinobu.lan.shinonome-lab.de" "shinobu.vpn.sbruder.de" ]; hostNames = [ "shinobu" "shinobu.lan.shinonome-lab.de" "shinobu.vpn.sbruder.de" ];
@ -87,13 +87,5 @@
hostNames = [ "[yuzuru.sbruder.de]:2222" ]; hostNames = [ "[yuzuru.sbruder.de]:2222" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcvbbHSK7x9t0Jpr4L55RTC4WRNJIgKZ1B+99PhpSX8"; publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcvbbHSK7x9t0Jpr4L55RTC4WRNJIgKZ1B+99PhpSX8";
}; };
koyomi = {
hostNames = [ "koyomi" "koyomi.sbruder.de" "koyomi.vpn.sbruder.de" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAZVoGK0JNltzqVWN9dejWMkedfzcipTv6iX52HTHaVz";
};
koyomi-initrd = {
hostNames = [ "[koyomi.sbruder.de]:2222" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPQuXX9EJXcz7wkG/yDxrZVODaitAQ1lfGzedNrYKhI";
};
}; };
} }
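Review bot: In the `okarin` entry the pinned names become `okarin.sbruder.xyz`, while `okarin-initrd` keeps `[okarin.sbruder.de]:2222`. A connection to `okarin.sbruder.de` on the normal port therefore has no pinned key after this change and falls back to trust-on-first-use. If the host answers under both domains, list both: `hostNames = [ "okarin" "okarin.sbruder.de" "okarin.sbruder.xyz" "okarin.vpn.sbruder.de" ];`. Both `publicKey` values also change here, so a short comment recording how the new host keys were verified would let a later reader tell a reinstall from a mistake. The attribute set starts outside the hunk.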


@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
@ -48,10 +48,9 @@
dmidecode # hardware information dmidecode # hardware information
hdparm # hard drive management hdparm # hard drive management
lm_sensors # temperature sensors lm_sensors # temperature sensors
nvme-cli # NVMe management
parted # partition manager parted # partition manager
pciutils # lspci pciutils # lspci
(reptyr.overrideAttrs (o: o // { doCheck = false; })) # move process to current terminal # tests fail on qemu-user-aarch64 (TODO 24.05: remove) reptyr # move process to current terminal
smartmontools # hard drive monitoring smartmontools # hard drive monitoring
tcpdump # package inspector tcpdump # package inspector
tio # serial console tio # serial console


@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
@ -41,6 +41,9 @@ in
# games (okay if they run sandboxed) # games (okay if they run sandboxed)
"osu-lazer" # also is free except for one dependency "osu-lazer" # also is free except for one dependency
"steam"
"steam-original"
"steam-runtime"
] ]
)); ));
}; };


@ -33,8 +33,8 @@ let
publicKey = "LscDAJR0IjOzNuwX3geYgcvxyvaNhAOc/ojgvGyunT8="; publicKey = "LscDAJR0IjOzNuwX3geYgcvxyvaNhAOc/ojgvGyunT8=";
}; };
okarin = { okarin = {
address = "10.80.0.14"; address = "10.80.0.10";
publicKey = "QOxkngtrkuXVMZyqWeGKh2ozn3x7GJsxwrlKje7jDmA="; publicKey = "KjDdTOVZ9RadDrNjJ11BWsY8SNBmDbuNoKm72wh9uCk=";
}; };
shinobu = { shinobu = {
address = "10.80.0.12"; address = "10.80.0.12";
@ -48,10 +48,6 @@ let
address = "10.80.0.16"; address = "10.80.0.16";
publicKey = "sRTAhbGVfxLqYaWr6uwnPJPphu6Cikpj2aXwNrhV5DU="; publicKey = "sRTAhbGVfxLqYaWr6uwnPJPphu6Cikpj2aXwNrhV5DU=";
}; };
koyomi = {
address = "10.80.0.17";
publicKey = "fvQDGqmkcFUvfUFmkSagJZy6pGIP6ewZrzTQfaz+mmE=";
};
}; };
cfg = config.sbruder.wireguard.home; cfg = config.sbruder.wireguard.home;


@ -1,49 +0,0 @@
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ config, lib, ... }:
let
cfg = config.sbruder.wkd;
toFqdn = domain: "openpgpkey.${domain}";
in
{
options.sbruder.wkd = {
enable = lib.mkEnableOption "Web Key Directory";
domain = lib.mkOption {
type = lib.types.str;
description = "The main domain to listen on. The actual fqdn will be openpgpkey.<domain>.";
default = "sbruder.de";
};
domains = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = "Additional domains to serve.";
default = [ ];
};
};
config = lib.mkIf cfg.enable {
sbruder.static-webserver.vhosts."${toFqdn cfg.domain}" = {
redirects = map toFqdn cfg.domains;
user.name = "wkd";
};
services.nginx.virtualHosts."${toFqdn cfg.domain}" = {
locations."^~ /.well-known/openpgpkey" =
let
# workaround for nginx dropping parent headers
# see https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md
parentHeaders = lib.concatStringsSep "\n" (lib.filter
(lib.hasPrefix "add_header ")
(lib.splitString "\n" config.services.nginx.commonHttpConfig));
in
{
extraConfig = ''
${parentHeaders}
add_header Access-Control-Allow-Origin * always;
'';
};
};
};
}


@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2022-2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2022-2023 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
@ -19,7 +19,7 @@ buildGoModule rec {
vendorHash = "sha256-CMo6FBzw0/OMKEX12oNqhbF/0dRRFR6W3VRp+EU6Q68="; vendorHash = "sha256-CMo6FBzw0/OMKEX12oNqhbF/0dRRFR6W3VRp+EU6Q68=";
doCheck = false; # no tests oCheck = false; # no tests
meta = with lib; { meta = with lib; {
license = licenses.mit; license = licenses.mit;
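Review bot: `oCheck = false; # no tests` on the new side is a misspelling of `doCheck`, so the check phase falls back to its default instead of being disabled. The stray `oCheck` attribute is presumably just passed through to the derivation. The line should read `doCheck = false; # no tests`. The `buildGoModule` call starts and ends outside the hunk.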


@ -25,23 +25,15 @@ SPDX-License-Identifier: CC-BY-SA-4.0
<td><a id="matrix" href="#">(requires javascript)</a></td> <td><a id="matrix" href="#">(requires javascript)</a></td>
</tr> </tr>
<tr> <tr>
<td>Fediverse</td> <td>GitHub</td>
<td><a rel="me" href="https://procrastination.space/@simon">@simon@procrastination.space</a></td>
</tr>
<tr>
<td>Codeberg</td>
<td><a href="https://codeberg.org/sbruder">sbruder</a></td>
</tr>
<tr>
<td>(GitHub)</td>
<td><a href="https://github.com/sbruder">sbruder</a></td> <td><a href="https://github.com/sbruder">sbruder</a></td>
</tr> </tr>
<tr> <tr>
<td>(GitLab)</td> <td>GitLab</td>
<td><a href="https://gitlab.com/sbruder">sbruder</a></td> <td><a href="https://gitlab.com/sbruder">sbruder</a></td>
</tr> </tr>
<tr> <tr>
<td>Forgejo</td> <td>Gitea</td>
<td><a href="https://git.sbruder.de/simon">git.sbruder.de</a></td> <td><a href="https://git.sbruder.de/simon">git.sbruder.de</a></td>
</tr> </tr>
<tr> <tr>


@ -61,6 +61,15 @@ def get_color_for_time(time: datetime.time, base=(60, 60, 60)) -> (int, int, int
) )
def update(client: mqtt.Client):
time = datetime.datetime.now().time()
color = get_color_for_time(time)
print(f"{time}: setting color to {color}")
sys.stdout.flush()
set_color(client, *color)
pass
client = mqtt.Client("wordclock.py") client = mqtt.Client("wordclock.py")
user = os.environ["WORDCLOCK_MQTT_USER"] user = os.environ["WORDCLOCK_MQTT_USER"]
@ -74,15 +83,6 @@ host = os.environ["WORDCLOCK_MQTT_HOST"]
client.username_pw_set(user, password) client.username_pw_set(user, password)
client.connect(host, 1883, 60) client.connect(host, 1883, 60)
color = (0, 0, 0)
while True: while True:
time = datetime.datetime.now().time() update(client)
new_color = get_color_for_time(time)
if new_color != color:
color = new_color
print(f"setting color to {color}")
sys.stdout.flush()
set_color(client, *color)
sleep(300) sleep(300)
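Review bot: `client.username_pw_set(user, password)` followed by `client.connect(host, 1883, 60)` sends the MQTT credentials unencrypted, and the new `update()` now publishes on every 300-second tick instead of only on a colour change. If the broker offers a TLS listener, calling `client.tls_set()` before connecting and using `client.connect(host, 8883, 60)` keeps the password off the wire; otherwise a comment should state that the broker is only reachable on a trusted segment. The trailing `pass` at the end of `update()` does nothing and can go. If republishing every tick is intentional, for example to recover after the clock restarts, a one-line comment saying so would stop someone from adding the change check back.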


@ -1,41 +1,98 @@
# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
#
# Steam is installed as a flatpak,
# as this seems to be the only method that does not force me
# to spend hours debugging various issues with the client.
#
# Installation instructions for steam:
#
# 1. Run flatpak install flathub com.valvesoftware.Steam
# 2. Use Flatseal to revoke all filesystem permissions,
# development syscalls
# and bluetooth.
# 3. Add GDK_SCALE=2 as an environment variable (hack for sways Xwayland)
# 4. If you previously used steam-sandbox,
# you need to copy the files to the flatpak location.
# For this, start steam once (you can close it early),
# so it creates the new structure.
# Then, run the following commands:
# rm -rf ~/.var/app/com.valvesoftware.Steam/.local/share/Steam
# mv ~/.local/share/steam-sandbox/.local/share/Steam ~/.var/app/com.valvesoftware.Steam/.local/share/
# You might want to copy additional files of games,
# that do not store files inside of Steams directories.
# Afterwards, you can delete ~/.local/share/steam-sandbox
#
# For MangoHud, the following steps are also necessary:
# 1. Run flatpak install org.freedesktop.Platform.VulkanLayer.MangoHud
# 2. Add xdg-config/MangoHud:ro as filesystem mount to Steam in Flatseal
# 4. For Intel Arc systems,
# add /run/wrappers/bin/intel_gpu_top:ro as filiesystem mount
# and /run/wrappers/bin to the PATH environment variable in Flatseal
# 3. Add MANGOHUD=1 as a launch options to all games where MangoHud should be
# available
{ lib, nixosConfig, pkgs, ... }: { lib, nixosConfig, pkgs, ... }:
let let
cfg = nixosConfig.sbruder.games; cfg = nixosConfig.sbruder.games;
inherit (nixosConfig.sbruder) unfree; inherit (nixosConfig.sbruder) unfree;
steam-sandbox = pkgs.writeShellScriptBin "steam-sandbox" /* bash */ ''
set -euo pipefail
shopt -s nullglob # make for loop work for glob if files do not exist
base_dir="''${XDG_DATA_HOME:-$HOME/.local/share}/steam-sandbox"
mkdir -p "$base_dir"/{.local/share,.steam,.config,.factorio,data}
bubblewrap_args=(
# sandboxing
--unshare-all
--share-net
--die-with-parent
--new-session
# basic filesystem
--tmpfs /tmp
--proc /proc
--dev /dev
--dir "$HOME"
--dir "$XDG_RUNTIME_DIR"
--ro-bind /nix/store /nix/store
# path
--ro-bind /run/current-system/sw /run/current-system/sw
--ro-bind /etc/profiles/per-user/$USER/bin /etc/profiles/per-user/$USER/bin
# system-wide configuration
--ro-bind /etc/fonts /etc/fonts
--ro-bind /etc/localtime /etc/localtime
--ro-bind /etc/machine-id /etc/machine-id
--ro-bind /etc/os-release /etc/os-release
--ro-bind /etc/passwd /etc/passwd
--ro-bind /etc/resolv.conf /etc/resolv.conf
--ro-bind /etc/ssl/certs /etc/ssl/certs
--ro-bind /etc/static /etc/static
# gui
--ro-bind /tmp/.X11-unix /tmp/.X11-unix
--ro-bind "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY"
--dev-bind /dev/dri /dev/dri
--ro-bind /run/opengl-driver /run/opengl-driver
--ro-bind-try /run/opengl-driver-32 /run/opengl-driver-32
# audio
--ro-bind "$XDG_RUNTIME_DIR/pulse" "$XDG_RUNTIME_DIR/pulse"
--setenv PULSE_SERVER "$XDG_RUNTIME_DIR/pulse/native"
--ro-bind "''${XDG_CONFIG_HOME:-$HOME/.config}/pulse/cookie" "''${XDG_CONFIG_HOME:-$HOME/.config}/pulse/cookie"
--setenv PULSE_COOKIE "''${XDG_CONFIG_HOME:-$HOME/.config}/pulse/cookie/pulse/cookie"
--ro-bind-try /etc/asound.conf /etc/asound.conf
--ro-bind-try /etc/alsa/conf.d /etc/alsa/conf.d
--ro-bind-try "$XDG_RUNTIME_DIR/pipewire-0" "$XDG_RUNTIME_DIR/pipewire-0"
# dbus
--ro-bind /run/dbus/system_bus_socket /run/dbus/system_bus_socket
--ro-bind "$XDG_RUNTIME_DIR/bus" "$XDG_RUNTIME_DIR/bus"
# shared data
--bind "$base_dir/.local/share" "$HOME/.local/share"
--bind "$base_dir/.steam" "$HOME/.steam"
--bind "$base_dir/.config" "$HOME/.config"
--bind "$base_dir/.factorio" "$HOME/.factorio"
--bind "$base_dir/data" "$HOME/data"
--ro-bind-try "$HOME/.config/MangoHud" "$HOME/.config/MangoHud"
# input
--dev-bind /dev/input /dev/input
--dev-bind-try /dev/uinput /dev/uinput
--ro-bind /sys /sys # required for discovery
)
for hidraw in /dev/hidraw*; do
bubblewrap_args+=(--dev-bind $hidraw $hidraw)
done
unset SDL_VIDEODRIVER QT_QPA_PLATFORM # games generally dont support wayland
export PATH="${pkgs.unstable.mangohud}/bin:$PATH"
${pkgs.bubblewrap}/bin/bwrap \
"''${bubblewrap_args[@]}" \
''${SANDBOX_COMMAND:-${pkgs.unstable.steam}/bin/steam} \
"$@"
'';
steam-sandbox-with-icons = pkgs.runCommand "steam-sandbox-with-icons" { } ''
mkdir -p $out/{bin,share}
ln -s ${pkgs.steamPackages.steam}/share/icons $out/share
ln -s ${pkgs.steamPackages.steam}/share/pixmaps $out/share
ln -s ${steam-sandbox}/bin/steam-sandbox $out/bin/steam-sandbox
'';
in in
lib.mkIf cfg.enable { lib.mkIf cfg.enable {
home.packages = with pkgs; [ home.packages = with pkgs; [
@ -48,7 +105,9 @@ lib.mkIf cfg.enable {
pcsx2 pcsx2
] ++ lib.optionals (cfg.performanceIndex >= 8) [ ] ++ lib.optionals (cfg.performanceIndex >= 8) [
unstable.ryujinx unstable.ryujinx
unstable.yuzu-mainline
] ++ lib.optionals unfree.allowSoftware [ ] ++ lib.optionals unfree.allowSoftware [
unstable.osu-lazer-sandbox unstable.osu-lazer-sandbox
steam-sandbox-with-icons
]; ];
} }
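Review bot: The `# dbus` binds in `bubblewrap_args` give the sandbox the unfiltered system and session buses. `--ro-bind` on a socket only protects the inode, so the sandboxed client can still call any bus service the user can, which largely undoes `--unshare-all`. Routing the session bus through a filtering proxy such as xdg-dbus-proxy, and dropping the system bus bind unless a game needs it, would keep the boundary meaningful. Separately, `PULSE_COOKIE` is set to a path ending in `/pulse/cookie/pulse/cookie`, which repeats the suffix and does not match the file bound one line above; it should read `--setenv PULSE_COOKIE "''${XDG_CONFIG_HOME:-$HOME/.config}/pulse/cookie"`. The later `--bind "$base_dir/.config" "$HOME/.config"` is applied after the cookie bind and presumably hides it, so the cookie bind should come after the `.config` bind.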


@ -2,7 +2,7 @@
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
{ lib, nixosConfig, pkgs, ... }: { nixosConfig, pkgs, ... }:
{ {
programs.gpg = { programs.gpg = {
@ -18,7 +18,7 @@
services.gpg-agent = rec { services.gpg-agent = rec {
enable = true; enable = true;
enableZshIntegration = true; enableZshIntegration = true;
enableSshSupport = lib.mkDefault nixosConfig.sbruder.gui.enable; enableSshSupport = true;
pinentryFlavor = if nixosConfig.sbruder.gui.enable then "gnome3" else "curses"; pinentryFlavor = if nixosConfig.sbruder.gui.enable then "gnome3" else "curses";


@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
@ -73,7 +73,6 @@ lib.mkIf nixosConfig.sbruder.gui.enable {
# Lyrics # Lyrics
lyrics_directory = "${config.services.mpd.musicDirectory}/lyrics"; lyrics_directory = "${config.services.mpd.musicDirectory}/lyrics";
follow_now_playing_lyrics = true;
# Misc # Misc
external_editor = "nvim"; external_editor = "nvim";


@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
@ -54,7 +54,7 @@ in
haskell-language-server haskell-language-server
jdt-language-server jdt-language-server
unstable.ltex-ls unstable.ltex-ls
nixd rnix-lsp
rust-analyzer rust-analyzer
(python3.withPackages (ps: with ps; [ (python3.withPackages (ps: with ps; [
pyls-isort pyls-isort
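Review bot: The package list now carries `rnix-lsp` where it had `nixd`, and the header year in the same section goes back from 2020-2024 to 2020-2023, which suggests the branch predates the switch to nixd and is undoing it by accident rather than on purpose. As far as I know rnix-lsp is no longer maintained upstream, so going back to it would also pin an editor dependency that receives no further fixes. Rebasing onto the current base should keep `nixd` here and `lsp.nixd.setup` in the Lua configuration section that follows. The package list continues outside the hunk.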


@ -1,4 +1,4 @@
-- SPDX-FileCopyrightText: 2018-2024 Simon Bruder <simon@sbruder.de> -- SPDX-FileCopyrightText: 2018-2023 Simon Bruder <simon@sbruder.de>
-- --
-- SPDX-License-Identifier: AGPL-3.0-or-later -- SPDX-License-Identifier: AGPL-3.0-or-later
@ -348,7 +348,7 @@ lsp.ltex.setup {
lsp.pylsp.setup { lsp.pylsp.setup {
on_attach = on_attach, on_attach = on_attach,
} }
lsp.nixd.setup { lsp.rnix.setup {
on_attach = on_attach, on_attach = on_attach,
} }
lsp.rust_analyzer.setup { lsp.rust_analyzer.setup {


@ -1,8 +1,8 @@
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2020 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
{ config, pkgs, ... }: { pkgs, ... }:
{ {
programs.password-store = { programs.password-store = {
enable = true; enable = true;
@ -14,14 +14,4 @@
PASSWORD_STORE_DIR = "$HOME/.password-store"; PASSWORD_STORE_DIR = "$HOME/.password-store";
}; };
}; };
programs.browserpass = {
enable = true;
browsers = [ "librewolf" ];
};
services.pass-secret-service = {
enable = true;
storePath = "${config.xdg.dataHome}/secret-service-password-store";
};
} }