Compare commits
21 commits
Author | SHA1 | Date | |
---|---|---|---|
Simon Bruder | 16cf73afb9 | ||
Simon Bruder | 853e817901 | ||
Simon Bruder | 7daad927e8 | ||
Simon Bruder | ae35e82369 | ||
Simon Bruder | 670ff94dda | ||
Simon Bruder | 62c26e06a5 | ||
Simon Bruder | 5f81e9db4b | ||
Simon Bruder | 10f2e5638f | ||
Simon Bruder | 1f75062bc2 | ||
Simon Bruder | 526db3d97b | ||
Simon Bruder | ad209fa0f7 | ||
Simon Bruder | 00bada7b12 | ||
Simon Bruder | f30318869b | ||
Simon Bruder | 709f8d5676 | ||
Simon Bruder | 51e8dd4169 | ||
Simon Bruder | fc7f0f8648 | ||
Simon Bruder | 11d0870f5c | ||
Simon Bruder | a1645314f4 | ||
Simon Bruder | 47cb7b4b32 | ||
Simon Bruder | 07cac97bef | ||
Simon Bruder | 4c119f0b80 |
|
@ -19,7 +19,6 @@ keys:
|
|||
- &shinobu 28677f2e3584b39f528a779caf445ebb39c882b7
|
||||
- &nazuna 0b8be5d87a10a0e68dda97212c4befad1f9e915c
|
||||
- &yuzuru a1ee5bc0249163a047440ef2649e770ec6ea16e4
|
||||
- &koyomi a53d4ca8d2cf54613822c81d660e69babee42643
|
||||
creation_rules:
|
||||
- path_regex: machines/nunotaba/secrets\.yaml$
|
||||
key_groups:
|
||||
|
@ -98,13 +97,6 @@ creation_rules:
|
|||
- *simon-alpha
|
||||
- *simon-beta
|
||||
- *yuzuru
|
||||
- path_regex: machines/koyomi/secrets\.yaml$
|
||||
key_groups:
|
||||
- pgp:
|
||||
- *simon
|
||||
- *simon-alpha
|
||||
- *simon-beta
|
||||
- *koyomi
|
||||
- path_regex: secrets\.yaml$
|
||||
key_groups:
|
||||
- pgp:
|
||||
|
@ -117,4 +109,3 @@ creation_rules:
|
|||
- *fuuko
|
||||
- *mayushii
|
||||
- *renge
|
||||
- *koyomi
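Review bot: Dropping `&koyomi` from `keys:` and the `*koyomi` references from the `secrets\.yaml$` rule and from the key group in the hunk at `@ -117,4 +109,3 @@` only changes how files are encrypted from now on; every file those rules already match still carries its data key wrapped to the removed fingerprint until `sops updatekeys` is run on it. The rendered hunks carry no side markers, but the line counts (7→6, 13→6, 4→3) together with the koyomi machine files being deleted elsewhere in this compare make the koyomi entries the removed lines. Several secrets.yaml files in this compare show a changed `mac`, so they were re-encrypted, yet their `pgp:` recipient lists lie outside the visible hunks, so I cannot confirm that each file matched by the edited rules was rotated. A comment next to `creation_rules:` would make the procedure explicit, e.g. `# after changing a key group, re-encrypt every matched file: sops updatekeys <path>`.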
|
||||
|
|
51
flake.lock
51
flake.lock
|
@ -85,11 +85,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1715381426,
|
||||
"narHash": "sha256-wPuqrAQGdv3ISs74nJfGb+Yprm23U/rFpcHFFNWgM94=",
|
||||
"lastModified": 1712386041,
|
||||
"narHash": "sha256-dA82pOMQNnCJMAsPG7AXG35VmCSMZsJHTFlTHizpKWQ=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "ab5542e9dbd13d0100f8baae2bc2d68af901f4b4",
|
||||
"rev": "d6bb9f934f2870e5cbc5b94c79e9db22246141ff",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -106,11 +106,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1716457508,
|
||||
"narHash": "sha256-ZxzffLuWRyuMrkVVq7wastNUqeO0HJL9xqfY1QsYaqo=",
|
||||
"lastModified": 1712989663,
|
||||
"narHash": "sha256-r2X/DIAyKOLiHoncjcxUk1TENWDTTaigRBaY53Cts/w=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "850cb322046ef1a268449cf1ceda5fd24d930b05",
|
||||
"rev": "40ab43ae98cb3e6f07eaeaa3f3ed56d589da21b0",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -205,6 +205,9 @@
|
|||
"nix-pre-commit-hooks": {
|
||||
"inputs": {
|
||||
"flake-compat": "flake-compat",
|
||||
"flake-utils": [
|
||||
"flake-utils"
|
||||
],
|
||||
"gitignore": "gitignore",
|
||||
"nixpkgs": [
|
||||
"nixpkgs-unstable"
|
||||
|
@ -212,11 +215,11 @@
|
|||
"nixpkgs-stable": "nixpkgs-stable"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1716213921,
|
||||
"narHash": "sha256-xrsYFST8ij4QWaV6HEokCUNIZLjjLP1bYC60K8XiBVA=",
|
||||
"lastModified": 1712897695,
|
||||
"narHash": "sha256-nMirxrGteNAl9sWiOhoN5tIHyjBbVi5e2tgZUgZlK3Y=",
|
||||
"owner": "cachix",
|
||||
"repo": "pre-commit-hooks.nix",
|
||||
"rev": "0e8fcc54b842ad8428c9e705cb5994eaf05c26a0",
|
||||
"rev": "40e6053ecb65fcbf12863338a6dcefb3f55f1bf8",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -228,11 +231,11 @@
|
|||
},
|
||||
"nixos-hardware": {
|
||||
"locked": {
|
||||
"lastModified": 1716173274,
|
||||
"narHash": "sha256-FC21Bn4m6ctajMjiUof30awPBH/7WjD0M5yqrWepZbY=",
|
||||
"lastModified": 1712909959,
|
||||
"narHash": "sha256-7/5ubuwdEbQ7Z+Vqd4u0mM5L2VMNDsBh54visp27CtQ=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixos-hardware",
|
||||
"rev": "d9e0b26202fd500cf3e79f73653cce7f7d541191",
|
||||
"rev": "f58b25254be441cd2a9b4b444ed83f1e51244f1f",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -244,11 +247,11 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1716361217,
|
||||
"narHash": "sha256-mzZDr00WUiUXVm1ujBVv6A0qRd8okaITyUp4ezYRgc4=",
|
||||
"lastModified": 1712741485,
|
||||
"narHash": "sha256-bCs0+MSTra80oXAsnM6Oq62WsirOIaijQ/BbUY59tR4=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "46397778ef1f73414b03ed553a3368f0e7e33c2f",
|
||||
"rev": "b2cf36f43f9ef2ded5711b30b1f393ac423d8f72",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -303,11 +306,11 @@
|
|||
},
|
||||
"nixpkgs-stable_2": {
|
||||
"locked": {
|
||||
"lastModified": 1716061101,
|
||||
"narHash": "sha256-H0eCta7ahEgloGIwE/ihkyGstOGu+kQwAiHvwVoXaA0=",
|
||||
"lastModified": 1712437997,
|
||||
"narHash": "sha256-g0whLLwRvgO2FsyhY8fNk+TWenS3jg5UdlWL4uqgFeo=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "e7cc61784ddf51c81487637b3031a6dd2d6673a2",
|
||||
"rev": "e38d7cb66ea4f7a0eb6681920615dfcc30fc2920",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -319,11 +322,11 @@
|
|||
},
|
||||
"nixpkgs-unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1716330097,
|
||||
"narHash": "sha256-8BO3B7e3BiyIDsaKA0tY8O88rClYRTjvAp66y+VBUeU=",
|
||||
"lastModified": 1712791164,
|
||||
"narHash": "sha256-3sbWO1mbpWsLepZGbWaMovSO7ndZeFqDSdX0hZ9nVyw=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "5710852ba686cc1fd0d3b8e22b3117d43ba374c2",
|
||||
"rev": "1042fd8b148a9105f3c0aca3a6177fd1d9360ba5",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -450,11 +453,11 @@
|
|||
"nixpkgs-stable": "nixpkgs-stable_2"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1716400300,
|
||||
"narHash": "sha256-0lMkIk9h3AzOHs1dCL9RXvvN4PM8VBKb+cyGsqOKa4c=",
|
||||
"lastModified": 1712617241,
|
||||
"narHash": "sha256-a4hbls4vlLRMciv62YrYT/Xs/3Cubce8WFHPUDWwzf8=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "b549832718b8946e875c016a4785d204fcfc2e53",
|
||||
"rev": "538c114cfdf1f0458f507087b1dcf018ce1c0c4c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
|
@ -23,6 +23,7 @@
|
|||
nixos-hardware.url = "github:nixos/nixos-hardware/master";
|
||||
|
||||
nix-pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix/master";
|
||||
nix-pre-commit-hooks.inputs.flake-utils.follows = "flake-utils";
|
||||
nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs-unstable";
|
||||
|
||||
sops-nix.url = "github:Mic92/sops-nix";
|
||||
|
@ -155,11 +156,12 @@
|
|||
pkgs.writeShellScript "unlock-${hostname}" ''
|
||||
set -exo pipefail
|
||||
# opening luks fails if gpg-agent is not unlocked yet
|
||||
pass "devices/${hostname}/luks" | ssh \
|
||||
pass "devices/${hostname}/luks" >/dev/null
|
||||
ssh \
|
||||
${lib.optionalString unlockOverV4 "-4"} \
|
||||
-p 2222 \
|
||||
"root@${targetHost}" \
|
||||
"cat > /crypt-ramfs/passphrase"
|
||||
"cat > /crypt-ramfs/passphrase" < <(pass "devices/${hostname}/luks")
|
||||
'')
|
||||
self.nixosConfigurations);
|
||||
|
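Review bot: The form `ssh … "cat > /crypt-ramfs/passphrase" < <(pass "devices/${hostname}/luks")` loses the failure check that the script's `set -exo pipefail` gave the pipeline variant: the exit status of a process substitution is not propagated, so if that second `pass` call fails (agent prompt cancelled, cache expired between the two calls) ssh reads an empty stdin, `cat` writes an empty `/crypt-ramfs/passphrase` on the target, and the unlock script still exits 0. The hunk's line counts (11→12) make the two-line `pass … >/dev/null` / `ssh \` form the new side; the warm-up call is a reasonable way to get gpg-agent unlocked before the transfer, so keep it and put the pipe back behind it: `pass "devices/${hostname}/luks" >/dev/null`, then `pass "devices/${hostname}/luks" | ssh \` … `"cat > /crypt-ramfs/passphrase"`. The enclosing Nix expression that builds these per-host scripts starts above the hunk.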
||||
|
|
|
@ -1,28 +0,0 @@
|
|||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
|
||||
xsFNBAAAAAABEACxLvouloEvO6hjBfydEMJIEVzJLBqZJBmBvHmJKRbhWSldCWLi
|
||||
bdL7L3Ld1K4uQKSEPNRk6LcVVCAPaXuhyeza57U8PNMBJrDESZ+SdAjuNw5/mDTa
|
||||
VF4jgPzrPmQ1ufRiaOgxOj7OAwOqFEZBMeHXPrauY83dHgKJBcRuw5567YTJ0zoJ
|
||||
bi3mtetgAeVwgPgQBgihDQhvxgxiOQ0kLbRRDFm8sVsp8o/zJbVy3zop4sJppOSg
|
||||
JYzjFyt40wqPQ0TospxvwiYiJhg339hduZZ+J7+4XcdKnTVUNM8Ws7notVFRkWYG
|
||||
8jWTUuld815WZUA/2rkjx7GsZ9sLChaXVmXRfUGO3G01zaEZ84PA/XrpemWVMs+I
|
||||
y/1UznrSFy3bPh9/Jdpr4D5/gxsJaNs8ioSjb/3fXfZ4+kZySmQiWpagwsLXmPU3
|
||||
eno5YjvuU8qCh37zWF7uhsUsIDXw1FWqgy7HoU7HLYHDpRoerEABQpIf3378eZJ1
|
||||
+VK/Em2NLyapgBGx+hv+qrUGKAv+/bdTt5XQtQypHI5ihI2H/Rr/ZfTzIWcJIomR
|
||||
KwCsjZDuiRWsQWa/WEqthPX/ckNKJuB25tkCFM4owMtgJEMSymRZ6Fd/zdI+WBS2
|
||||
1QSECOHFyr8ha0OfpZF6qy8YYqV82EHeTQdqvAY18po8/Y5WGvm4Q0QCQwARAQAB
|
||||
zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
|
||||
AQgAFgUCAAAAAAkQZg5pur7kJkMCGw8CGQEAANR9EABfKws/H9UX31pJbdWzSotN
|
||||
/1OkQxCNQvTmzxByP+JDBZQoplKbhjwVi/seshwxCMGuvBklmFSdpzGXip68QR4Q
|
||||
CYQsFg02URFKA8vggnIbpkNMB3/ckM6m6wQlMshTl1DPpZcZflppi/O68hIqtrSN
|
||||
/xXx5hIBFqe4NY6+ouHRy+4KPnWqndcHSRC2TaYYiiAo9dBj7VyQsL0zYYyTAl0U
|
||||
J6rolDz5VqWzkHklH/UMJ3u8ZwV2VHuyU5Drod8/1bDYtjGXxeUhcd25X4q0Gcqh
|
||||
gts0zoV/kYgnX3rGzqT4q6MGHWzlHtblMxtPpV8m/fd2KDvIKDdJPnYsbKDNlX7j
|
||||
QwVS8rE2T/FfU2KGoadNmSJACmCdShpCCd7CSHludcXLMDVuFijh4iCHkc3KvJJP
|
||||
MrWqBTWzYB73O5WGAWDxL7trw80a5Qi2+5PRCQY0smOR4jC3d36PGjtD8ykCHlqt
|
||||
HVZ2CtNl+6loGJ9TTgMwzNOY2PQPP2bhzdB16ht5CDsadFXrFD8mRVcwnQ6F0UU0
|
||||
DROW+C7FdYkZiEM9r6QMkRX4Xkc4YTV7EL0kEwJkWvxTbL2X/r1lSOKE27iMk2D/
|
||||
kkNzVXEH89ryyJc4Pgro5aTjzkAfTOUc+LV34b2CE0NGLjZvOvTic5SSdsAZ+PVL
|
||||
CxhNpGhTpzl96WA2WsNP9Q==
|
||||
=slmv
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
|
@ -23,9 +23,6 @@ in
|
|||
};
|
||||
vueko = {
|
||||
system = "aarch64-linux";
|
||||
extraModules = [
|
||||
"${inputs.infinisilSystem}/config/new-modules/murmur.nix"
|
||||
];
|
||||
|
||||
targetHost = "vueko.sbruder.de";
|
||||
};
|
||||
|
@ -49,6 +46,9 @@ in
|
|||
};
|
||||
renge = {
|
||||
system = "aarch64-linux";
|
||||
extraModules = [
|
||||
"${inputs.infinisilSystem}/config/new-modules/murmur.nix"
|
||||
];
|
||||
|
||||
targetHost = "renge.sbruder.de";
|
||||
};
|
||||
|
@ -76,13 +76,4 @@ in
|
|||
|
||||
targetHost = "yuzuru.sbruder.de";
|
||||
};
|
||||
koyomi = {
|
||||
system = "x86_64-linux";
|
||||
extraModules = [
|
||||
hardware.common-cpu-intel
|
||||
hardware.common-pc-ssd
|
||||
];
|
||||
|
||||
targetHost = "koyomi.sbruder.de";
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
|
||||
# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
|
@ -92,8 +92,6 @@
|
|||
}
|
||||
];
|
||||
|
||||
services.prometheus.exporters.smartctl.devices = [ "/dev/nvme0n1" "/dev/sda" "/dev/sdb" "/dev/sdc" ];
|
||||
|
||||
powerManagement.cpuFreqGovernor = "schedutil";
|
||||
|
||||
networking = {
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
|
||||
# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
|
@ -55,8 +55,6 @@
|
|||
{ device = "/dev/disk/by-uuid/98de7ced-4d7c-4915-bf5b-1a0300458ea6"; }
|
||||
];
|
||||
|
||||
services.prometheus.exporters.smartctl.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
|
||||
|
||||
# GPU
|
||||
hardware.opengl = {
|
||||
package = pkgs.mesa.drivers;
|
||||
|
|
|
@ -1,37 +0,0 @@
|
|||
<!--
|
||||
SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
|
||||
|
||||
SPDX-License-Identifier: CC-BY-SA-4.0
|
||||
-->
|
||||
|
||||
# koyomi
|
||||
|
||||
## Hardware
|
||||
|
||||
System from [Hetzner Online Serverbörse](https://www.hetzner.com/sb).
|
||||
|
||||
- Motherboard: FUJITSU D3401-H1
|
||||
- CPU: Intel Core i7-6700
|
||||
- RAM: 4×16 GB Samsung [M378A2K43CB1-CRC](https://semiconductor.samsung.com/dram/module/udimm/m378a2k43cb1-crc/)/[M378A2K43BB1-CPB](https://semiconductor.samsung.com/dram/module/udimm/m378a2k43bb1-cpb/) (DDR4 2400/2133 MHz)
|
||||
- SSD: 2×512 GB M.2 NVMe SAMSUNG MZVLB512HAJQ-00000
|
||||
|
||||
## Setup
|
||||
|
||||
As it is a physical server (not a VM) in a remote location,
|
||||
extra care must be taken when installing.
|
||||
Fortunately, Hetzner provides an automated way to reset the server (by sending Ctrl+Alt+Del or force resetting)
|
||||
and a rescue system that can be activated before a reboot.
|
||||
Additionally, there is also a *vKVM* rescue system,
|
||||
that boots a hypervisor from the network and runs a VM which boots from the physical disks.
|
||||
|
||||
The rescue system can be used to start a kexec installer generated by [nixos-generators](https://github.com/nix-community/nixos-generators).
|
||||
Ideally, everything goes well and the next reboot works,
|
||||
but in the case it does not, the vKVM rescue system can be used for debugging.
|
||||
|
||||
## Purpose
|
||||
|
||||
Hypervisor. Exact scope is to be determined.
|
||||
|
||||
## Name
|
||||
|
||||
Araragi Koyomi is a student from the *Monogatari Series*.
|
|
@ -1,23 +0,0 @@
|
|||
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
../../modules
|
||||
|
||||
./services/hypervisor.nix
|
||||
];
|
||||
|
||||
sbruder = {
|
||||
wireguard.home.enable = true;
|
||||
podman.enable = true;
|
||||
};
|
||||
|
||||
networking.hostName = "koyomi";
|
||||
|
||||
system.stateVersion = "23.11";
|
||||
}
|
|
@ -1,74 +0,0 @@
|
|||
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
{ modulesPath, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
boot = {
|
||||
swraid.enable = true;
|
||||
kernelModules = [ "kvm-intel" ];
|
||||
kernelParams = [ "ip=dhcp" ];
|
||||
loader = {
|
||||
grub = {
|
||||
devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
|
||||
};
|
||||
};
|
||||
initrd = {
|
||||
availableKernelModules = [ "aesni_intel" "ahci" "e1000e" "nvme" ];
|
||||
kernelModules = [ "dm-snapshot" ];
|
||||
network.enable = true; # remote unlocking
|
||||
luks.devices = {
|
||||
koyomi-pv = {
|
||||
name = "koyomi-pv";
|
||||
device = "/dev/disk/by-uuid/9145417d-e8f5-4aa9-a526-419e507c47fd";
|
||||
preLVM = true;
|
||||
allowDiscards = true;
|
||||
};
|
||||
};
|
||||
|
||||
# FIXME XXX HACK
|
||||
# This is required to have the md device available under /dev/disk/by-uuid.
|
||||
# Both commands are run as part of the regular stage-1 init script,
|
||||
# but for some reason, they need to be run twice.
|
||||
preLVMCommands = ''
|
||||
udevadm trigger
|
||||
udevadm settle
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
fileSystems = {
|
||||
"/" = {
|
||||
device = "/dev/disk/by-uuid/3b31163f-4fec-4e1c-b311-7c8aaca76cd4";
|
||||
fsType = "btrfs";
|
||||
options = [ "discard=async" "noatime" "compress=zstd" ];
|
||||
};
|
||||
|
||||
"/boot" = {
|
||||
device = "/dev/disk/by-uuid/12CE-A600";
|
||||
fsType = "vfat";
|
||||
};
|
||||
};
|
||||
|
||||
services.prometheus.exporters.smartctl.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
|
||||
|
||||
networking.useDHCP = false;
|
||||
networking.usePredictableInterfaceNames = false;
|
||||
systemd.network = {
|
||||
enable = true;
|
||||
networks = {
|
||||
eth0 = {
|
||||
name = "eth0";
|
||||
DHCP = "yes";
|
||||
domains = [ "sbruder.de" ];
|
||||
address = [ "2a01:4f8:151:712d::1/64" ];
|
||||
gateway = [ "fe80::1" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,72 +0,0 @@
|
|||
wg-home-private-key: ENC[AES256_GCM,data:fFoXn5sLL06hNeXhQGKbheQV4ZNlYxJKWlHpPfyF6PyYbBcz4An9DPYnQKk=,iv:pY2dVEspIijtZkatUrSdg90D0ldxAoy5rUj1lw1cOF8=,tag:jz4q+Yum05S9c5OlciBZ1g==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age: []
|
||||
lastmodified: "2024-05-11T21:49:03Z"
|
||||
mac: ENC[AES256_GCM,data:yS/v+NWiLlFLTwnbhaYVg98H/ThqW5r+3eC1YsvJRRrF/yZBk6nUtK8CT4tvR9PUeks4a2H15/5aY2oDxnABhXhkbasZjnl3+YGF8SOIwo+YuWJ5A3rHJZQMJGRGg8dwh4xkJMDJKb2Or1uH3ZiSclVMQDiM3RGVifLhtv+gJEc=,iv:ygTcKqU5pzkOoGUx9xw9BzWJx15t28w3tJVH4eAdxS4=,tag:F5/8SSt/eON9zwWGGUyUEQ==,type:str]
|
||||
pgp:
|
||||
- created_at: "2024-05-11T21:48:51Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hF4DLHeEFiC484ASAQdATNhq0wu5gLVG+7PHCtdQRxgC6GqQrvrttZnN3AvnZ0ww
|
||||
qBdXl+6qkWHyjvclklzcNfpcMD7cmRwRDSDSQASmSTAyulBbgjDuou9Tjl/Rxorl
|
||||
hF4Dub78fMESoMASAQdAIhgR5ZyuaP12Mav7NNapUcWrScnmjNPh46oX2W3jDDsw
|
||||
in+hRRYC6apDKMcC3IFEzo6vy7OfhEeMR2IthtU0Y+bgdfjpwEOZ4J5CLg2ERZO+
|
||||
hF4DM6AcvgVUx2MSAQdAKc70+YldBMdetkmcWWJYDSUbewIJOrDCJBS+TUTQ2hQw
|
||||
dq03NJuiqwsrN1YBa1qHELTJj7CvrxTvVSQvDpSEwD3WVk8Qn5z1lMgBrivxCGa8
|
||||
1GYBCQIQj3MkZci7qGULIHivbsOSwX6a3T9JQRkmHylyzZDxYRUz3TLhNvjuly58
|
||||
TxBJcHkDmXDP5T+UACrryRIN2h/J/+gw6WkHnPJOcs5JFqB9uneVwpW1A3jNMhRD
|
||||
iXDXWxIe5PY=
|
||||
=zp+l
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 6CD375BD0741F67E5A289BC333A01CBE0554C763
|
||||
- created_at: "2024-05-11T21:48:51Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hF4Dub78fMESoMASAQdAs3PQ1mkR/MS3vg1qCTPiQihx7yZvQlqlhYRsRigJDiEw
|
||||
WuZYC66MsLHi2YQEkFoxG0bgt3sHkVRlq72ae713UzfWiI0Dl59dxtGcOtvdo5LK
|
||||
1GYBCQIQIupCIS36+zkecqWl1h55C0G/bC+SHdwgp5nFbva+3fidastsvakUDuTW
|
||||
dGOLK1FC2xUrct/rLGBmWA48fSOA/VJiiEVzP0TsVCytTx/Y44jm0f5HC85LNnNy
|
||||
8GoFUoOn6tE=
|
||||
=A7C7
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 0C8AF4B4320A511384DF6B5BB9BEFC7CC112A0C0
|
||||
- created_at: "2024-05-11T21:48:51Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hF4DLHeEFiC484ASAQdAK53bLfsn0k8SFw/88FliX2Yaev9oMGmKSR7f/6vJmH4w
|
||||
pZxJqMwkpWt3We5DAkN+VFuawOzPNrV0vmmd8StlajZ5GIaz713QJQ8cpVrE/sPh
|
||||
1GYBCQIQUuj0dgOWLtcB/w1vHj0qQW8LnMG5uVY7gk+hPmllQb8TJ1aRUkcPrKoE
|
||||
rXUCl17BO59C4AUWLu/0RviAki6FMZC1S0g1z8eOck6CFSnW4i4uMB0g5Yi5kqpK
|
||||
K0oWZqedIzU=
|
||||
=Z8wz
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 403215E0F99D2582C7055C512C77841620B8F380
|
||||
- created_at: "2024-05-11T21:48:51Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA2YOabq+5CZDAQ//beLzskyTj+PN79rvrupVY5gwWxIhYuoRs2ZkJSlNyRYg
|
||||
exNxwPAjssi3yKoUOy9TNbxzOKP5VwehnOPlJ4jyVgdZ9zksJH9k0WnfhlmabHeC
|
||||
UnYsUSDB7VUFrpacdIKjmFM6OPlu7Xm98RwSabkmlHEE/voF/Ma5yWT0c3Sx2lzv
|
||||
ucNSCqmjY0D6S5tJz+3nYsT54OjS+Jlr96CPOR9dz1jEGGQMfwyMxwMLhVpVBDKE
|
||||
uusl5VD3jw50wYbkhvYscGGkdOkLwAFMIwYvw1seYFTb3kux8ChahYQ3QtPn3ZUD
|
||||
OoPqYUtgpcnZTAcMGvzL7B0OwJLsCpin454yko56KV/cnIHwSv2cyfsQB0M4dz6l
|
||||
OalAS5BpqhZ2ulDm34yFlRE7MD+H12tOzBJIFjGQksv9DiuRyezZnevBqlOdott8
|
||||
cSDfO3RD3wGdUOIVwi3B92N5j1w39d2wKoXa19kM66mzsdbQrXwmxKa8gQMkjsG9
|
||||
Ds2sUwQlKZ0HvvNkJTJ+NORWKKvwGXKqVPwOTUaZjzQGUtVWg5WSjmFoPQ049nqf
|
||||
gLYhy0OeyEAIRe9HjNo5YANPNBF63qTT2++n6xs2ErXjHNNi85yUnhCBqRRI3Od6
|
||||
HkLlLQN3i6RdV5C1wJwu3k1N6a+dl03gFgO3PSJZaLpIhHJuOJwYT3rCGi3ZgzXS
|
||||
VgFycpleRMSCTjEIY/Ky4PJOlbUykf4CuFWnvJLSOcqjPbozzqjUaw4xzea2Lloj
|
||||
+Io3l0AHWqKCmv4qbZxim37YuicyM02A56pk7SMKXOuqbb1m5hBr
|
||||
=bvPZ
|
||||
-----END PGP MESSAGE-----
|
||||
fp: a53d4ca8d2cf54613822c81d660e69babee42643
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
|
@ -1,133 +0,0 @@
|
|||
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
{ lib, pkgs, ... }:
|
||||
let
|
||||
guests = {
|
||||
forgejo-actions-runner = {
|
||||
mac = "42:80:00:00:00:02";
|
||||
v4 = "10.80.32.2";
|
||||
v6 = "2a01:4f8:151:712d:1::2";
|
||||
};
|
||||
};
|
||||
|
||||
# port forwarding for IPv4
|
||||
portForwards = {
|
||||
tcp = { };
|
||||
udp = { };
|
||||
};
|
||||
in
|
||||
{
|
||||
virtualisation.libvirtd = {
|
||||
enable = true;
|
||||
qemu.package = pkgs.qemu_kvm;
|
||||
};
|
||||
|
||||
boot.kernel.sysctl = {
|
||||
"net.ipv4.conf.all.forwarding" = true;
|
||||
"net.ipv6.conf.all.forwarding" = true;
|
||||
};
|
||||
|
||||
systemd.network = {
|
||||
enable = true;
|
||||
netdevs = {
|
||||
br-virt = {
|
||||
netdevConfig = {
|
||||
Name = "br-virt";
|
||||
Kind = "bridge";
|
||||
};
|
||||
};
|
||||
};
|
||||
networks = {
|
||||
br-virt = {
|
||||
name = "br-virt";
|
||||
address = [ "10.80.32.1/24" "2a01:4f8:151:712d:1::1/80" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
services.resolved.enable = false;
|
||||
|
||||
services.dnsmasq = {
|
||||
enable = true;
|
||||
|
||||
settings = {
|
||||
interface = [ "br-virt" ];
|
||||
|
||||
bind-interfaces = true; # do not bind to the wildcard interface
|
||||
bogus-priv = true; # do not forward revese lookups of internal addresses
|
||||
dhcp-fqdn = true; # only insert qualified names of DHCP clients into DNS
|
||||
domain-needed = true; # do not forward names without domain
|
||||
no-hosts = true; # do not resolve hosts from /etc/hosts
|
||||
no-resolv = true; # only use explicitly configured resolvers
|
||||
|
||||
domain = [ "sbruder.de" ];
|
||||
|
||||
enable-ra = true; # required to tell clients to use DHCPv6
|
||||
|
||||
# Force static configuration
|
||||
dhcp-range = [
|
||||
"10.80.32.0,static,255.255.255.0"
|
||||
"2a01:4f8:151:712d:1::,static,80"
|
||||
];
|
||||
|
||||
dhcp-host = lib.flatten (lib.mapAttrsToList
|
||||
(name: { mac, v4, v6 }: [
|
||||
"${mac},${v4},${name}"
|
||||
"${mac},[${v6}],${name}"
|
||||
])
|
||||
guests);
|
||||
|
||||
# Hetzner recursive name servers
|
||||
# https://docs.hetzner.com/dns-console/dns/general/recursive-name-servers/
|
||||
server = [
|
||||
"185.12.64.1"
|
||||
"185.12.64.2"
|
||||
"2a01:4ff:ff00::add:1"
|
||||
"2a01:4ff:ff00::add:2"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall = {
|
||||
allowedTCPPorts = map lib.toInt (lib.attrNames portForwards.tcp);
|
||||
allowedUDPPorts = map lib.toInt (lib.attrNames portForwards.udp);
|
||||
|
||||
interfaces.br-virt = {
|
||||
allowedTCPPorts = [ 53 ]; # EDNS
|
||||
allowedUDPPorts = [ 53 67 547 ]; # DNS / DHCP / DHCPv6
|
||||
};
|
||||
};
|
||||
|
||||
networking.nftables = {
|
||||
enable = true;
|
||||
ruleset = ''
|
||||
# only IPv4
|
||||
table ip hypervisor-nat {
|
||||
chain postrouting {
|
||||
type nat hook postrouting priority filter; policy accept
|
||||
oifname eth0 masquerade
|
||||
}
|
||||
|
||||
chain prerouting {
|
||||
type nat hook prerouting priority dstnat; policy accept
|
||||
${lib.concatStrings (lib.mapAttrsToList (port: guest: ''
|
||||
iifname eth0 tcp dport ${port} dnat to ${guests.${guest}.v4}
|
||||
'') portForwards.tcp)}
|
||||
${lib.concatStrings (lib.mapAttrsToList (port: guest: ''
|
||||
iifname eth0 udp dport ${port} dnat to ${guests.${guest}.v4}
|
||||
'') portForwards.udp)}
|
||||
}
|
||||
}
|
||||
|
||||
table inet hypervisor-filter {
|
||||
chain forward {
|
||||
type filter hook forward priority filter; policy drop
|
||||
|
||||
iifname br-virt oifname eth0 counter accept
|
||||
iifname eth0 oifname br-virt counter accept
|
||||
}
|
||||
}
|
||||
'';
|
||||
};
|
||||
}
|
|
@ -19,7 +19,6 @@
|
|||
gui.enable = true;
|
||||
media-proxy.enable = true;
|
||||
mullvad.enable = true;
|
||||
podman.enable = true;
|
||||
restic.system = {
|
||||
enable = true;
|
||||
qos = true;
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
|
||||
# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
|
@ -45,8 +45,6 @@
|
|||
};
|
||||
};
|
||||
|
||||
services.prometheus.exporters.smartctl.devices = [ "/dev/nvme0n1" ];
|
||||
|
||||
powerManagement = {
|
||||
cpuFreqGovernor = "schedutil";
|
||||
};
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
|
||||
# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
|
|
|
@ -17,8 +17,8 @@
|
|||
./services/grafana.nix
|
||||
./services/hedgedoc.nix
|
||||
./services/invidious
|
||||
./services/mastodon.nix
|
||||
./services/matrix
|
||||
./services/murmur.nix
|
||||
./services/password-hash-self-service.nix
|
||||
./services/prometheus.nix
|
||||
./services/sbruder.xyz
|
||||
|
|
|
@ -2,7 +2,7 @@ forgejo-mail: ENC[AES256_GCM,data:3AlFHzVBA5TE4qv5ubG39K0varV8/HabO0q/RJZSD5o=,i
|
|||
go-neb-overrides: ENC[AES256_GCM,data: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,iv:pnw0jIcMqA771woDYNHxWMWE6wHGaNsXi5aBXOFAHJU=,tag:Wbcqb0FsctZWOS6u5s82mQ==,type:str]
|
||||
hcloud_exporter-environment: ENC[AES256_GCM,data:5gDTeg4C08BgNxBFtzZ7ma6JiafwF4ly5URAG4WxUTlRaUmF32fmbPdAZmveKiKBA8cc6ewcEIfIVJ7d5tbbqCEX+vbf9nr1fuhN05Z6lfsJNLoATclX,iv:GzEnudGDc6+6BJgDtaNnOnT7IK8Z0fsYfs/oJzKO2UA=,tag:LYCvRxNeKdMmNve0aWswrw==,type:str]
|
||||
invidious-extra-settings: ENC[AES256_GCM,data:bThgfyu5ESIyTLD7Q09Qici9ZZw/QYfCyBSjtbNb1EglCy0KHZrvDDAN4uDpdKrHxv8ctoN5Db7tRf5LUl6iyW7A5z9uYg481EXq3Sx6tZztepX0vg==,iv:FZ33tQWRsNEPjwuy/mH/N4e4PyjLx7sbv2G+9S5uigY=,tag:0GQn3AgoM2BPC5iCt5py8w==,type:str]
|
||||
mastodon-mail: ENC[AES256_GCM,data:RT/fS7cqbcePd2qe7CR5jRh2jtKaS81ICbMUOlPUQsY=,iv:C7GYMB0U2KIfXuEnYaoIEfV89/EnJS6V9iG97X8zkPk=,tag:L4SVe6aYGcarvX1hmMqQOw==,type:str]
|
||||
murmur-superuser: ENC[AES256_GCM,data:hPuMK8wbqD/3qKXQbOActq/VJZ+6jFlddQ==,iv:68ZhkpkfxakCOYxFXkCSP/sBamETeSs4CGTRaoBS6co=,tag:5UuYCxDiJ6e2CXjDV5/5yA==,type:str]
|
||||
netbox-secret-key: ENC[AES256_GCM,data:lOE95j6CGkbfJQTLeG41g3BPKNhm0arqxIGAzwvXQyeZLBauAdqufQGKD7D4kPNzdZs=,iv:6HWXEr6Ju4IywP+2jpuTfER/bYI2oUgMSZEJCkq4XX8=,tag:TPD5TTr4Sew8lxPS5WIu5Q==,type:str]
|
||||
prometheus-htpasswd: ENC[AES256_GCM,data:tiewfUfpvrmbrgk6AsBdiP4ng4TqG5UYf1mFcWOzuk8oO55rfZu+Naummz5RRYhJZil43nHFvn5LfIWkJv+CyPMZjpj7xRp4vb4/OCCAFjEzHhrzYVBYNkHM+ZLUTewEXuPVtZ6CZ5uviTExLN2V1moG3ExJdIoyUD16qh4=,iv:SkH609VxIVKJLmHUUNzICEjxHSyjLdwXfw0b7iU6png=,tag:BfNGcUZmk9ZXUvhoQZn6iQ==,type:str]
|
||||
restic-ssh-key: ENC[AES256_GCM,data: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,iv:rLOTtmIFP7rwF9JY9ardO9pNqNh1uaobHKtQaGwSuGk=,tag:pCd4ZV0FjfD18qj9oQ236Q==,type:str]
|
||||
|
@ -16,8 +16,8 @@ sops:
|
|||
azure_kv: []
|
||||
hc_vault: []
|
||||
age: []
|
||||
lastmodified: "2024-06-01T12:03:17Z"
|
||||
mac: ENC[AES256_GCM,data:6fJfEtnHSQV7oGZ7HMrXYH1lX8ZzfTChOZC25scDP/q5FH8QZ52OntRuQ8DbR+AKUPN/w6o4EotZVxX53Q2Xxi6QdHSqo07GDsWUnIOb5eCNGmEB3c2w20DJv2smTnEr7d6051aPzEUO0ZxUPxxlqcifC6dsdpdxySyG/VY9OQQ=,iv:KAWFRoOQKRd2tf58QYGD8SnHJk1aLwBxgkcRkPgjuN8=,tag:LJFOJuFblp53Te9zoYKq0Q==,type:str]
|
||||
lastmodified: "2024-01-10T18:29:17Z"
|
||||
mac: ENC[AES256_GCM,data:jsYCPL7/AFxg9mRM/mKhwiy4eH6ZGMyCCSBu+jSfIk/T8RSd9zh0AZ/p5rAwfbW20AzetivzRB4bSgcymLIcCr900EQLdPIuaZgxeGcbZ80N/7I0zF4u8K8oa1pKhyr1UUj48XjL55IdvVOsyvfq/I/KSbIbO7+fBHeQ51crCeo=,iv:CNmKwvZ61PdeyOvGP7elm/yvokll//fiKxdWFe2cfPo=,tag:PVQRV0G3VtBsD0tk34DHig==,type:str]
|
||||
pgp:
|
||||
- created_at: "2024-01-22T00:20:10Z"
|
||||
enc: |-
|
||||
|
|
|
@ -1,32 +0,0 @@
|
|||
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
{ config, lib, ... }:
|
||||
|
||||
{
|
||||
sops.secrets.mastodon-mail = {
|
||||
owner = config.services.mastodon.user;
|
||||
sopsFile = ../secrets.yaml;
|
||||
};
|
||||
|
||||
services.mastodon = {
|
||||
enable = true;
|
||||
configureNginx = true;
|
||||
localDomain = "procrastination.space";
|
||||
smtp = {
|
||||
createLocally = false;
|
||||
host = "vueko.sbruder.de";
|
||||
port = 465;
|
||||
user = "mastodon@sbruder.de";
|
||||
passwordFile = config.sops.secrets.mastodon-mail.path;
|
||||
fromAddress = config.services.mastodon.smtp.user;
|
||||
authenticate = true;
|
||||
};
|
||||
streamingProcesses = 5;
|
||||
extraConfig = {
|
||||
SMTP_TLS = "true";
|
||||
RAILS_LOG_LEVEL = "warn";
|
||||
};
|
||||
};
|
||||
}
|
|
@ -75,7 +75,6 @@ in
|
|||
"shinobu.vpn.sbruder.de:9100"
|
||||
"nazuna.vpn.sbruder.de:9100"
|
||||
"yuzuru.vpn.sbruder.de:9100"
|
||||
"koyomi.vpn.sbruder.de:9100"
|
||||
];
|
||||
relabel_configs = lib.singleton {
|
||||
target_label = "instance";
|
||||
|
@ -83,22 +82,6 @@ in
|
|||
regex = "(.*)\\.vpn\\.sbruder\\.de:9100";
|
||||
};
|
||||
}
|
||||
{
|
||||
job_name = "smartctl";
|
||||
static_configs = mkStaticTargets [
|
||||
"fuuko.vpn.sbruder.de:9633"
|
||||
"mayushii.vpn.sbruder.de:9633"
|
||||
"nunotaba.vpn.sbruder.de:9633"
|
||||
"hitagi.vpn.sbruder.de:9633"
|
||||
"shinobu.vpn.sbruder.de:9633"
|
||||
"koyomi.vpn.sbruder.de:9633"
|
||||
];
|
||||
relabel_configs = lib.singleton {
|
||||
target_label = "instance";
|
||||
source_labels = lib.singleton "__address__";
|
||||
regex = "(.*)\\.vpn\\.sbruder\\.de:9633";
|
||||
};
|
||||
}
|
||||
{
|
||||
job_name = "qbittorrent";
|
||||
static_configs = mkStaticTargets [
|
||||
|
|
|
@ -11,7 +11,6 @@
|
|||
|
||||
./services/fuuko-proxy.nix # FIXME!
|
||||
./services/media.nix
|
||||
./services/murmur.nix
|
||||
./services/restic.nix
|
||||
];
|
||||
|
||||
|
|
|
@ -1,5 +1,4 @@
|
|||
media-sb-proxy-auth: ENC[AES256_GCM,data:TFAS1PXu+jSt/orjYI1ffPbiCMCZgc22tU4coz9eEi7CyEaMvaKuQpgIPwZDBoL3r1yhXd+USya/PjEL9g3SCpuva5EXiJVYjV+mYaTxgrLx,iv:a5da4EuduMVVwEy0p2sz3XuAwdYFt+D9WgOs4oqQg6s=,tag:2BTqxnXIK+sWj/8RXVrYDg==,type:str]
|
||||
murmur-superuser: ENC[AES256_GCM,data:D7EjnKZGSmx8ykVeKqSIAdV4Vql7ZkfEUw==,iv:I8SgiZrlCpyqNeBMJlzttFUJFGqQp5vHu6pMUz/0LoE=,tag:G6QMUh3v2QjxtoXUSoRqcA==,type:str]
|
||||
restic-htpasswd: ENC[AES256_GCM,data:om9v+FXOEsOPP7LVntiwyqEKmiCLCwcmMgWBeHxcrlosYT4cElX3MHlu+NQAI0TPwc0mAog1tJyRcTfqK7uYszIzd75/Ig==,iv:7UBHmyqt/2hW9Aw1oRMZtZdOij5mjGF/8nmr3PAq/EI=,tag:TNcECUAdGtch8/bHbOJeNw==,type:str]
|
||||
restic-rclone-ssh-key: ENC[AES256_GCM,data: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,iv:zYgnXzxGU2XJcjeclQT5bX6M1r5WG+Z0pZI7R4qpUU0=,tag:CbBUooyhUCkmKp+N6j4ySw==,type:str]
|
||||
rspamd-worker-controller: ENC[AES256_GCM,data:STf4vgVsYu6+WfpISKC0L69ixlM+cOiefO4qvHY2gYbV9FirRGxlUIRkmPwk+I6gYxKSC6D8ZTO3Bi2drEuWd8Yhuwjj9Rc1ja7b5UxaT5Q591Iof8S5RbXZKvaWMAQXVeAz4qkBaA==,iv:RzB3EHnzybbYO9E95ianu/Yl+chH7IPomvWG89mIGYU=,tag:yFSx97r/vkf3gVhIxMwcNw==,type:str]
|
||||
|
@ -11,8 +10,8 @@ sops:
|
|||
azure_kv: []
|
||||
hc_vault: []
|
||||
age: []
|
||||
lastmodified: "2024-06-01T12:03:28Z"
|
||||
mac: ENC[AES256_GCM,data:KFlisFD6k06XqF6SoQTaMNFpIPYtOgHDFArQueGBcTgjfxzdaxA8AVH1ZBeyFeEFlf4EFfduYcfnqAaGWScOvVW+jVhN/InsNkGf7alPyJ2ifzUD9yhe2/gcOF+eZqPvbTfXsdyfyqkbK7kkRyoYC61T3KPnPzTWqDk/3Chm4k8=,iv:lUbhG5/o5iepukcXHs2FYfue04EJdAbfhX1N0e1C9eA=,tag:EvPEDPoRiLXzbWeHAjTMoQ==,type:str]
|
||||
lastmodified: "2023-04-29T10:17:21Z"
|
||||
mac: ENC[AES256_GCM,data:UfLbX+4uDg9Kp8v9lnq9RktT4ltpJYwOHBBPRhO79a1AmLXkp6GilaoMJYjkj0foL92vTUK10wIw547omySwJeY52pTGAvw1IXVaxNp395KLlMPl3EwLS3xj4c0bhzcVEyFl/fxG2gk6BJOzvQXaMYo4COEzDdK6ZDGZKZVKEAM=,iv:mR9Nq+s7wHeZdP6/gW9+zJd/wa1Y4Q5saACwnMOFOZQ=,tag:yYYF8/mKnbxzmPa6nWIGbA==,type:str]
|
||||
pgp:
|
||||
- created_at: "2024-01-22T00:20:08Z"
|
||||
enc: |-
|
||||
|
@ -83,4 +82,4 @@ sops:
|
|||
-----END PGP MESSAGE-----
|
||||
fp: 4EA330328CD0D3076E90960194DFA4953D8729DE
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
||||
version: 3.7.3
|
||||
|
|
Binary file not shown.
|
@ -1,4 +1,4 @@
|
|||
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
|
||||
# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
|
|
|
@ -33,6 +33,7 @@
|
|||
./ausweisapp.nix
|
||||
./authoritative-dns.nix
|
||||
./cups.nix
|
||||
./docker.nix
|
||||
./fancontrol.nix
|
||||
./flatpak.nix
|
||||
./fonts.nix
|
||||
|
@ -54,9 +55,7 @@
|
|||
./nix.nix
|
||||
./office.nix
|
||||
./pipewire.nix
|
||||
./podman.nix
|
||||
./prometheus/node_exporter.nix
|
||||
./prometheus/smartctl_exporter.nix
|
||||
./pubkeys.nix
|
||||
./qbittorrent
|
||||
./restic
|
||||
|
@ -81,11 +80,9 @@
|
|||
git-lfs # not so essential, but required to clone config
|
||||
htop
|
||||
tmux
|
||||
vim
|
||||
];
|
||||
|
||||
programs.nano.enable = false;
|
||||
programs.vim.defaultEditor = true;
|
||||
|
||||
# Clean temporary files on boot
|
||||
boot.tmp.cleanOnBoot = true;
|
||||
|
||||
|
@ -113,8 +110,6 @@
|
|||
# Support for exotic file systems
|
||||
boot.supportedFilesystems = lib.optional config.sbruder.full "ntfs";
|
||||
|
||||
programs.ssh.startAgent = lib.mkDefault (!config.sbruder.gui.enable);
|
||||
|
||||
# When this is set to true (default), routing everything through a
|
||||
# wireguard tunnel does not work.
|
||||
networking.firewall.checkReversePath = false;
|
||||
|
@ -166,8 +161,8 @@
(lib.mkIf (!config.sbruder.machine.isVm) {
# Hard drive monitoring
services.smartd.enable = lib.mkDefault true;
# Firmware updates (only work on EFI systems, so enable only when using systemd-boot)
services.fwupd.enable = lib.mkDefault (config.boot.loader.systemd-boot.enable);
# Firmware updates
services.fwupd.enable = lib.mkDefault true;
})
(lib.mkIf (!config.sbruder.full) {
documentation.enable = lib.mkDefault false;
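Review bot: In hunk `@ -166,8 +161,8 @@` one side reads `services.fwupd.enable = lib.mkDefault (config.boot.loader.systemd-boot.enable);` under a comment explaining that firmware updates only work on EFI systems, while the other side reads `services.fwupd.enable = lib.mkDefault true;` under a bare `# Firmware updates`; the rendered page does not show which side is new, but if the unconditional form is the one kept, the reason for the gate is lost and the fwupd daemon runs on machines that cannot apply its updates. Keeping the gated expression, or at minimum its comment, preserves that reasoning for the next reader. Both lines sit inside the `lib.mkIf (!config.sbruder.machine.isVm) { ... }` block, whose surrounding list starts outside the hunk.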
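--- /dev/null
+++ b/modules/docker.nix
@@ -0,0 +1,47 @@
+# SPDX-FileCopyrightText: 2020-2021 Simon Bruder <simon@sbruder.de>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+{ config, lib, pkgs, ... }:
+
+{
+  # This uses a custom option (instead of `virtualisation.docker.enable`) since
+  # `virtualisation.oci-containers` conditionally sets
+  # `virtualisation.docker.enable` and therefore causes an infinite recursion.
+  options.sbruder.docker.enable = lib.mkEnableOption "docker with ipv6nat";
+
+  config = lib.mkIf config.sbruder.docker.enable {
+    environment.systemPackages = with pkgs; [
+      docker-compose
+      docker-credential-helpers
+      docker-ls
+    ];
+
+    virtualisation = {
+      docker = {
+        enable = true;
+        logDriver = "journald";
+        extraOptions = lib.concatStringsSep " " [
+          "--ipv6"
+          "--fixed-cidr-v6=fd00:d0ce:d0ce:d0ce::/64"
+        ];
+      };
+
+      oci-containers.containers.ipv6nat = {
+        image = "robbertkl/ipv6nat";
+        volumes = [
+          "/var/run/docker.sock:/var/run/docker.sock:ro"
+        ];
+        extraOptions = [
+          "--network=host"
+          "--cap-drop=ALL"
+          "--cap-add=NET_ADMIN"
+          "--cap-add=NET_RAW"
+          "--cap-add=SYS_MODULE"
+        ];
+      };
+    };
+
+    environment.etc."modules-load.d/ipv6nat.conf".text = "ip6_tables\n";
+  };
+}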
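Review bot: The ipv6nat container in the new modules/docker.nix keeps `--cap-add=SYS_MODULE` alongside `--network=host` and the Docker socket, which means a compromise of that container can load kernel modules on the host; since the same file already loads `ip6_tables` at boot via `environment.etc."modules-load.d/ipv6nat.conf"`, the container most likely does not need that capability and the list is worth retesting with the `"--cap-add=SYS_MODULE"` line removed. The `:ro` in `"/var/run/docker.sock:/var/run/docker.sock:ro"` only makes the bind mount read-only; the socket still accepts every Docker API call, so a comment such as `# :ro restricts the mount only; the socket grants full daemon control` above the volumes list would keep a reader from over-trusting it. The `image = "robbertkl/ipv6nat";` reference is untagged, so the pulled image is whatever the registry currently serves as latest; pinning a tag or digest would make the deployment reproducible and reviewable.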
@ -1,29 +0,0 @@
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ config, lib, pkgs, ... }:
{
options.sbruder.podman.enable = lib.mkEnableOption "podman";
config = lib.mkIf config.sbruder.podman.enable {
boot.enableContainers = false; # FIXME: this only needs to be set for some stateVersions
environment.systemPackages = with pkgs; [
buildah
podman-compose
skopeo
];
virtualisation = {
podman = {
enable = true;
dockerSocket.enable = true;
defaultNetwork.settings = {
ipv6_enabled = true;
};
};
};
};
}
@ -1,22 +0,0 @@
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ config, lib, ... }:
{
services.prometheus.exporters.smartctl = {
enable = config.sbruder.wireguard.home.enable && !config.sbruder.machine.isVm;
listenAddress = config.sbruder.wireguard.home.address;
# devices need to be specified for all systems that use NVMe
# https://github.com/NixOS/nixpkgs/issues/210041
};
systemd.services.prometheus-smartctl-exporter = {
after = [ "wireguard-wg-home.service" ];
serviceConfig = {
IPAddressAllow = lib.singleton config.sbruder.wireguard.home.subnet;
IPAddressDeny = "any";
};
};
}
@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
@ -28,8 +28,6 @@ let
"/home/*/mounts"
# Docker (state should be kept somewhere else)
"/home/*/.local/share/containers" # podman
"/var/lib/containers/"
"/var/lib/docker/"
# Static configuration (generated from this repository)
@ -87,13 +87,5 @@
hostNames = [ "[yuzuru.sbruder.de]:2222" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcvbbHSK7x9t0Jpr4L55RTC4WRNJIgKZ1B+99PhpSX8";
};
koyomi = {
hostNames = [ "koyomi" "koyomi.sbruder.de" "koyomi.vpn.sbruder.de" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAZVoGK0JNltzqVWN9dejWMkedfzcipTv6iX52HTHaVz";
};
koyomi-initrd = {
hostNames = [ "[koyomi.sbruder.de]:2222" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPQuXX9EJXcz7wkG/yDxrZVODaitAQ1lfGzedNrYKhI";
};
};
}
@ -48,7 +48,6 @@
dmidecode # hardware information
hdparm # hard drive management
lm_sensors # temperature sensors
nvme-cli # NVMe management
parted # partition manager
pciutils # lspci
(reptyr.overrideAttrs (o: o // { doCheck = false; })) # move process to current terminal # tests fail on qemu-user-aarch64 (TODO 24.05: remove)
@ -48,10 +48,6 @@ let
address = "10.80.0.16";
publicKey = "sRTAhbGVfxLqYaWr6uwnPJPphu6Cikpj2aXwNrhV5DU=";
};
koyomi = {
address = "10.80.0.17";
publicKey = "fvQDGqmkcFUvfUFmkSagJZy6pGIP6ewZrzTQfaz+mmE=";
};
};
cfg = config.sbruder.wireguard.home;
@ -24,10 +24,6 @@ SPDX-License-Identifier: CC-BY-SA-4.0
<td>Matrix</td>
<td><a id="matrix" href="#">(requires javascript)</a></td>
</tr>
<tr>
<td>Fediverse</td>
<td><a rel="me" href="https://procrastination.space/@simon">@simon@procrastination.space</a></td>
</tr>
<tr>
<td>Codeberg</td>
<td><a href="https://codeberg.org/sbruder">sbruder</a></td>
@ -2,7 +2,7 @@
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ lib, nixosConfig, pkgs, ... }:
{ nixosConfig, pkgs, ... }:
{
programs.gpg = {
@ -18,7 +18,7 @@
services.gpg-agent = rec {
enable = true;
enableZshIntegration = true;
enableSshSupport = lib.mkDefault nixosConfig.sbruder.gui.enable;
enableSshSupport = true;
pinentryFlavor = if nixosConfig.sbruder.gui.enable then "gnome3" else "curses";
@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
@ -1,8 +1,8 @@
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
# SPDX-FileCopyrightText: 2020 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ config, pkgs, ... }:
{ pkgs, ... }:
{
programs.password-store = {
enable = true;
@ -19,9 +19,4 @@
enable = true;
browsers = [ "librewolf" ];
};
services.pass-secret-service = {
enable = true;
storePath = "${config.xdg.dataHome}/secret-service-password-store";
};
}