Diffstat (limited to 'os')
83 files changed, 1818 insertions, 1418 deletions
diff --git a/os/cez/configuration.nix b/os/cez/configuration.nix index af2d144..0cf9957 100644 --- a/os/cez/configuration.nix +++ b/os/cez/configuration.nix @@ -1,10 +1,14 @@ -{ ... }: { +{ imports = [ ../pc/configuration.nix ./hardware-configuration.nix - ./modules/specialisation.nix + ./modules/headscale.nix ./modules/wireguard.nix ./modules/tlp.nix + ../../global/cez + ./modules/specialisation ]; + + networking.hostName = "cez"; } diff --git a/os/cez/hardware-configuration.nix b/os/cez/hardware-configuration.nix index f1d5f32..da9ed90 100644 --- a/os/cez/hardware-configuration.nix +++ b/os/cez/hardware-configuration.nix @@ -1,4 +1,11 @@ -{ modulesPath, nixos-hardware, config, pkgs, lib, ... }: +{ + modulesPath, + nixos-hardware, + config, + pkgs, + lib, + ... +}: { imports = [ @@ -7,16 +14,18 @@ ]; hardware = { + bluetooth.enable = true; # override nixos-hardware values nvidia.prime.offload.enable = false; - bluetooth.enable = true; }; services.xserver.videoDrivers = [ "modesetting" ]; - swapDevices = [{ - device = "/swapfile"; - size = 14 * 1024; # 14GB - }]; + swapDevices = [ + { + device = "/swapfile"; + size = 14 * 1024; # 14GB + } + ]; boot = { kernelPackages = lib.mkForce pkgs.linuxPackages; @@ -24,8 +33,7 @@ blacklistedKernelModules = [ "k10temp" ]; extraModulePackages = with config.boot.kernelPackages; [ zenpower ]; - initrd.luks.devices."crypt".device = - "/dev/disk/by-uuid/84acd784-caad-41a1-a2e4-39468d01fefd"; + initrd.luks.devices."crypt".device = "/dev/disk/by-uuid/84acd784-caad-41a1-a2e4-39468d01fefd"; }; fileSystems = { diff --git a/os/cez/modules/headscale.nix b/os/cez/modules/headscale.nix new file mode 100644 index 0000000..169ed45 --- /dev/null +++ b/os/cez/modules/headscale.nix 
@@ -0,0 +1,52 @@ +{ config, pkgs, ... }: +let + headScaleUrl = "https://headscale.${config.global.userdata.domain}"; + user = config.global.userdata.name; + + exitNode = "kay"; + helper = pkgs.writeShellApplication { + name = "vpn"; + runtimeInputs = with pkgs; [ + libnotify + tailscale + jq + ]; + + text = '' + note() { + command -v notify-send >/dev/null && + notify-send " Headscale" "$1" + + printf "\n%s\n" "$1" + } + + if [ "$(tailscale status --peers --json | jq ".ExitNodeStatus")" = "null" ]; then + tailscale set --exit-node=${exitNode} && + note "Now routing all traffic through ${exitNode}" + else + tailscale set --exit-node= && + note "Traffic now uses default route." + fi + ''; + }; +in +{ + sops.secrets."misc/headscale" = { }; + environment.systemPackages = [ helper ]; + networking.firewall.trustedInterfaces = [ config.services.tailscale.interfaceName ]; + + services.tailscale = { + enable = true; + interfaceName = "headscale"; + openFirewall = true; + + authKeyFile = config.sops.secrets."misc/headscale".path; + extraUpFlags = [ + "--login-server=${headScaleUrl}" + ]; + extraSetFlags = [ + "--operator=${user}" + "--accept-routes=true" + ]; + }; +} diff --git a/os/cez/modules/specialisation.nix b/os/cez/modules/specialisation.nix deleted file mode 100644 index abc08e8..0000000 --- a/os/cez/modules/specialisation.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ lib, ... }: { - specialisation.nvidia.configuration = { - boot = { - kernelParams = [ "transparent_hugepage=always" ]; - kernel.sysctl."vm.max_map_count" = 2147483642; - }; - - environment.variables = { - DRI_PRIME = 1; - __NV_PRIME_RENDER_OFFLOAD = 1; - __VK_LAYER_NV_optimus = "NVIDIA_only"; - __GLX_VENDOR_LIBRARY_NAME = "nvidia"; - }; - - hardware.nvidia = { - open = true; - nvidiaSettings = false; - prime.sync.enable = true; - }; - - services = { - xserver.videoDrivers = [ "nvidia" ]; - tlp.settings.PLATFORM_PROFILE_ON_AC = lib.mkForce "performance"; - }; - }; -} 
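Review bot: `networking.firewall.trustedInterfaces = [ config.services.tailscale.interfaceName ]` disables the host firewall for everything arriving over the `headscale` interface, so every node in the tailnet can reach any locally listening port and the headscale ACL becomes the only remaining gate. `openFirewall = true` already admits the WireGuard UDP port, so if only a few services need to be reachable from the tailnet, `networking.firewall.interfaces.headscale.allowedTCPPorts = [ ... ];` keeps the default-deny posture instead. Separately, `--operator=${user}` lets that account run `tailscale set`/`tailscale up` without sudo, which is what the `vpn` helper relies on, but it also lets any process running as that user redirect the host's traffic through an arbitrary exit node; a comment such as `# operator: lets ${user} toggle exit node from the vpn helper without sudo` would record that this is intended.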
diff --git a/os/cez/modules/specialisation/default.nix b/os/cez/modules/specialisation/default.nix new file mode 100644 index 0000000..c7fb4aa --- /dev/null +++ b/os/cez/modules/specialisation/default.nix @@ -0,0 +1,6 @@ +{ + specialisation = { + nvidia.configuration.imports = [ ./nvidia.nix ]; + heater.configuration.imports = [ ./heater.nix ]; + }; +} diff --git a/os/cez/modules/specialisation/heater.nix b/os/cez/modules/specialisation/heater.nix new file mode 100644 index 0000000..68dbf4d --- /dev/null +++ b/os/cez/modules/specialisation/heater.nix @@ -0,0 +1,31 @@ +{ + config, + pkgs, + lib, + ... +}: +let + heater = pkgs.writeShellApplication { + name = "heater"; + runtimeInputs = with pkgs; [ + vulkan-tools + mangohud + ]; + + text = '' + MESA_VK_WSI_PRESENT_MODE=immediate mangohud vkcube --present_mode 0 + ''; + }; + username = config.global.userdata.name; +in +{ + imports = [ ./nvidia.nix ]; + + services.logind.settings.Login.HandleLidSwitch = "ignore"; + environment.systemPackages = [ heater ]; + home-manager.users.${username}.imports = [ + { + wayland.windowManager.sway.settings.exec = [ "${lib.getExe heater}" ]; + } + ]; +} diff --git a/os/cez/modules/specialisation/nvidia.nix b/os/cez/modules/specialisation/nvidia.nix new file mode 100644 index 0000000..3ac30b4 --- /dev/null +++ b/os/cez/modules/specialisation/nvidia.nix @@ -0,0 +1,25 @@ +{ lib, ... }: +{ + boot = { + kernelParams = [ "transparent_hugepage=always" ]; + kernel.sysctl."vm.max_map_count" = 2147483642; + }; + + environment.variables = { + DRI_PRIME = 1; + __NV_PRIME_RENDER_OFFLOAD = 1; + __VK_LAYER_NV_optimus = "NVIDIA_only"; + __GLX_VENDOR_LIBRARY_NAME = "nvidia"; + }; + + hardware.nvidia = { + open = true; + nvidiaSettings = false; + prime.sync.enable = true; + }; + + services = { + xserver.videoDrivers = [ "nvidia" ]; + tlp.settings.PLATFORM_PROFILE_ON_AC = lib.mkForce "performance"; + }; +} diff --git a/os/cez/modules/tlp.nix b/os/cez/modules/tlp.nix index 1ccd539..cf002af 100644 
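Review bot: `services.logind.settings.Login.HandleLidSwitch = "ignore"` in heater.nix means closing the lid in this specialisation neither suspends the machine nor fires the before-sleep hooks that normally trigger a screen locker, so the session can stay unlocked with the lid shut while `heater` keeps the GPU busy. If that is the intent, a comment such as `# lid must stay open-able for heating: no suspend; rely on the compositor idle lock` makes the physical-security tradeoff explicit, and it is worth confirming that an idle lock is configured in the sway setup, which this hunk cannot show. Minor: `heater.nix` imports `./nvidia.nix` while `default.nix` also wires `./nvidia.nix` into the separate `nvidia` specialisation; that is fine since they are distinct configurations, but a one-line comment on the import would save the next reader the check.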
--- a/os/cez/modules/tlp.nix +++ b/os/cez/modules/tlp.nix @@ -1,4 +1,5 @@ -{ ... }: { +{ ... }: +{ services.tlp = { enable = true; @@ -18,10 +19,6 @@ PLATFORM_PROFILE_ON_AC = "balanced"; PLATFORM_PROFILE_ON_BAT = "low-power"; - - # Enable battery conservation mode - START_CHARGE_THRESH_BAT0 = 0; - STOP_CHARGE_THRESH_BAT0 = 1; }; }; } diff --git a/os/cez/modules/wireguard.nix b/os/cez/modules/wireguard.nix index c52087a..2bf2252 100644 --- a/os/cez/modules/wireguard.nix +++ b/os/cez/modules/wireguard.nix @@ -1,47 +1,20 @@ -{ config, pkgs, ... }: let - domain = config.global.userdata.domain; - wgIface = "kay"; +{ config, ... }: +{ + sops.secrets."misc/wireguard" = { }; - helper = pkgs.writeShellApplication { - name = "vpn"; - text = '' - note() { - command -v notify-send > /dev/null && - notify-send " VPN" "$1" - - printf "\n%s\n" "$1" - } - - if systemctl status "wg-quick-${wgIface}.service" > /dev/null 2>&1; then - sudo -A systemctl stop "wg-quick-${wgIface}.service" && - note "connection was dropped" - else - sudo -A systemctl start "wg-quick-${wgIface}.service" && - note "traffic routed through ${wgIface}" - fi - ''; - }; -in { - sops.secrets."misc/wireguard" = {}; - - networking.wg-quick.interfaces.${wgIface} = { + networking.wg-quick.interfaces.bud = { autostart = false; - address = [ "10.0.1.2/24" ]; - dns = [ "10.0.1.1" ]; - mtu = 1412; + address = [ "10.54.132.2/24" ]; + mtu = 1420; privateKeyFile = config.sops.secrets."misc/wireguard".path; - peers = [{ - publicKey = "wJMyQDXmZO4MjYRk6NK4+J6ZKWLTTZygAH+OwbPjOiw="; - allowedIPs = [ - "10.0.1.0/24" - "104.16.0.0/12" - "172.64.0.0/13" - ]; - endpoint = "${domain}:51820"; - persistentKeepalive = 25; - }]; + peers = [ + { + publicKey = "O2GRMEWf22YRGKexHAdg1fitucTZ/U/om2MWEJMeyFQ="; + allowedIPs = [ "10.54.132.0/24" ]; + endpoint = "primary.k8s.bud.studio:51820"; + persistentKeepalive = 25; + } + ]; }; - - environment.systemPackages = [ helper ]; } 
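Review bot: the peer, endpoint and address range all change in wireguard.nix but `privateKeyFile` still points at `misc/wireguard`, and the `wireguard:` entry in os/cez/secrets.yaml appears as an unchanged context line later in this commit, which suggests the same WireGuard private key that identified this host to the old `kay` peer is being reused for the new `bud` peer. That is not a cryptographic break, but it links the two identities and leaves the previous peer operator holding a public key that is still valid on the new network; generating a fresh key pair for this peer and rotating the sops entry avoids both. A short comment on the `peers` block recording where `publicKey` was obtained and how it was verified out of band would also help, since nothing else in the repository can check it.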
diff --git a/os/cez/modules/www.nix b/os/cez/modules/www.nix deleted file mode 100644 index 9ec20da..0000000 --- a/os/cez/modules/www.nix +++ /dev/null @@ -1,46 +0,0 @@ -{ config, pkgs, lib, ... }: - -let - domain = config.global.userdata.domain; -in -{ - services.nginx = { - enable = true; - - recommendedTlsSettings = true; - recommendedOptimisation = true; - recommendedGzipSettings = true; - recommendedProxySettings = true; - recommendedBrotliSettings = true; - - virtualHosts.${domain} = { - forceSSL = true; - enableACME = true; - useACMEHost = domain; - locations."= /" = { - extraConfig = "add_header Content-Type text/html;"; - return = ''200 - '<!DOCTYPE html> - <html lang="en"> - <head> - <meta charset="UTF-8"> - <title>Nix Cache</title> - </head> - <body> - <center> - <h1 style="font-size: 8em"> - ❄️ Nix Cache - </h1> - <p style="font-weight: bold"> - Public Key: nixbin.sinanmohd.com:dXV3KDPVrm+cGJ2M1ZmTeQJqFGaEapqiVoWHgYDh03k= - </p> - </center> - </body> - </html>' - ''; - }; - }; - - }; - }; -} diff --git a/os/cez/secrets.yaml b/os/cez/secrets.yaml index 5cfd108..7b9923c 100644 --- a/os/cez/secrets.yaml +++ b/os/cez/secrets.yaml @@ -1,10 +1,7 @@ misc: wireguard: ENC[AES256_GCM,data:WUHMeYro1PS25wEtsQKHHtpLXbtox8JtqX5863dHelBIA2SB7YZ+eWyv5hQ=,iv:hGgR3UcFeVGZjWJjdnVuQeUQtz3p4Lh6QRBJDfTr9Qo=,tag:4qpU9Ue4QtfBINdy0CSdvw==,type:str] + headscale: ENC[AES256_GCM,data:90xXwi0fPPdF929akAma85UmLkllCUmO1v0nWS8HxRw4gQq8fa9QKoYgGAt84bC6,iv:H0BZN7A21Hzs6p4wdP3ONVfvQyNchVSdc2GJ9BS+wyQ=,tag:fV9XpAOrVMQ5A2Dzo5BcyQ==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv enc: | 
@@ -24,8 +21,7 @@ sops: dVZ3V0VUQzF5VzN0RFM5c0RjZHpJZ0EK09qgyPHEhHgRZt2GZQB5IM9Z/nfYXW28 fcfmF6pko9qOYQ72P7vwv8Xub0SEI8GKGQwz2QPDJT9gd1qtipuhuQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-06-04T10:16:20Z" - mac: ENC[AES256_GCM,data:NhVEt9Yg3J3+L1CqaI2IKFtC4VG9FdDkTOuDwc/hbwDvJmdbT7YocyQSX4IxsZ5ZxpaFXcp56C+QE5tDyjdWJs+njcxm8zDLsXaCfu3vLn7JHgzeQ9JeKeCzWV2oAj+PaTiY64QuhDP3LhaFZEZPEPJK5lGYR0XEZQHV2ngtF3U=,iv:LEkUb2cthtT+QG0SryRG17a5VRBli8PtRfhf1gTGBLo=,tag:G1Lo7tGUMWxgvSEQIuIAaw==,type:str] - pgp: [] + lastmodified: "2025-10-17T03:37:38Z" + mac: ENC[AES256_GCM,data:hOs2aCnCs8yF2iLZawyI84olfFe86JTZ8KBgSFLpaE8Kd+HWsQyEa5M0yOMXCts/d0JqJFsMJqxmkcBxBSFT5cBVZM/gSh9TC7xbq14Ja3vRT6KcLZ3O4CI6pZvEvkuJALTSQSXIsxFZG3YoYsKdh67aqKr/uC3Jh5sASYxzIHg=,iv:F4d85Tk920eXa6mVKSBlmJ/dRHncZRiQGh3LHsJCLas=,tag:EO+1OERqvowVUGKe9a77oA==,type:str] unencrypted_suffix: _unencrypted - version: 3.8.1 + version: 3.11.0 diff --git a/os/common/configuration.nix b/os/common/configuration.nix index 17b8f2a..7b6b956 100644 --- a/os/common/configuration.nix +++ b/os/common/configuration.nix @@ -1,6 +1,13 @@ -{ config, pkgs, lib, ... }: let +{ + config, + pkgs, + lib, + ... +}: +let host = config.networking.hostName; -in { +in +{ disabledModules = [ "services/networking/pppd.nix" ]; 
@@ -9,31 +16,43 @@ in { ./modules/user.nix ./modules/environment.nix ./modules/pppd.nix + ./modules/home-manager.nix + ../../global/common ]; system.stateVersion = "24.05"; time.timeZone = "Asia/Kolkata"; - networking.useDHCP = false; - swapDevices = lib.mkDefault [{ - device = "/swapfile"; - size = 2048; # 2GB - }]; + networking = { + useDHCP = false; + hostName = lib.mkOptionDefault "common"; + }; - services.udev.extraRules = let - cmd = "${pkgs.systemd}/bin/systemctl hibernate"; - in '' - SUBSYSTEM=="power_supply", ATTR{status}=="Discharging", ATTR{capacity}=="[0-5]", RUN+="${cmd}" - ''; + zramSwap.enable = true; + swapDevices = lib.mkDefault [ + { + device = "/swapfile"; + size = 2048; # 2GB + } + ]; + + services.udev.extraRules = + let + cmd = "${pkgs.systemd}/bin/systemctl hibernate"; + in + '' + SUBSYSTEM=="power_supply", ATTR{status}=="Discharging", ATTR{capacity}=="[0-5]", RUN+="${cmd}" + ''; sops = { defaultSopsFile = ../${host}/secrets.yaml; - age.keyFile = "/var/secrets/${host}.sops"; + age.keyFile = "/var/lib/sops-nix/key.txt"; }; boot = { - loader.timeout = 1; + loader.timeout = 0; initrd.systemd.enable = true; + tmp.cleanOnBoot = true; }; programs.bash.promptInit = '' @@ -47,5 +66,10 @@ in { ''; nixpkgs.config.allowUnfreePredicate = - pkg: builtins.elem (lib.getName pkg) [ "nvidia-x11" "slack" "spotify" ]; + pkg: + builtins.elem (lib.getName pkg) [ + "nvidia-x11" + "slack" + "spotify" + ]; } diff --git a/os/common/modules/environment.nix b/os/common/modules/environment.nix index 38446f2..576d756 100644 --- a/os/common/modules/environment.nix +++ b/os/common/modules/environment.nix @@ -1,4 +1,5 @@ -{ pkgs, lib, ... }: { +{ pkgs, lib, ... }: +{ environment = { binsh = lib.getExe pkgs.dash; systemPackages = with pkgs; [ diff --git a/os/common/modules/home-manager.nix b/os/common/modules/home-manager.nix new file mode 100644 index 0000000..722c9ab --- /dev/null +++ b/os/common/modules/home-manager.nix 
@@ -0,0 +1,16 @@ +{ config, lib, ... }: +let + username = config.global.userdata.name; + host = config.networking.hostName; + homeManagerHostPath = ../../../home/${host}/home.nix; +in +{ + home-manager = { + useGlobalPkgs = true; + useUserPackages = false; + users.${username}.imports = [ + ../../../home/common/home.nix + ] + ++ lib.optional (builtins.pathExists homeManagerHostPath) homeManagerHostPath; + }; +} diff --git a/os/common/modules/nix.nix b/os/common/modules/nix.nix index f850e24..e04a156 100644 --- a/os/common/modules/nix.nix +++ b/os/common/modules/nix.nix @@ -1,16 +1,36 @@ -{ ... }: { - nix.settings = { - auto-optimise-store = true; - use-xdg-base-directories = true; - experimental-features = [ "flakes" "nix-command" ]; +{ + config, + ... +}: +let + user = config.global.userdata.name; +in +{ + nix = { + gc = { + automatic = true; + dates = "weekly"; + options = "--delete-older-than 30d"; + }; - substituters = [ - "https://nixbin.sinanmohd.com" - "https://nix-community.cachix.org" - ]; - trusted-public-keys = [ - "nixbin.sinanmohd.com:dXV3KDPVrm+cGJ2M1ZmTeQJqFGaEapqiVoWHgYDh03k=" - "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" - ]; + settings = { + auto-optimise-store = true; + use-xdg-base-directories = true; + trusted-users = [ user ]; + + experimental-features = [ + "flakes" + "nix-command" + ]; + + substituters = [ + "https://nixbin.sinanmohd.com" + "https://nix-community.cachix.org" + ]; + trusted-public-keys = [ + "nixbin.sinanmohd.com:dXV3KDPVrm+cGJ2M1ZmTeQJqFGaEapqiVoWHgYDh03k=" + "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" + ]; + }; }; } diff --git a/os/common/modules/pppd.nix b/os/common/modules/pppd.nix index 772cb29..69c37b8 100644 --- a/os/common/modules/pppd.nix +++ b/os/common/modules/pppd.nix 
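Review bot: `trusted-users = [ user ]` in nix.nix grants the primary account root-equivalent control over the nix daemon: a trusted user may override any nix.conf setting from the command line, including `substituters`, `trusted-public-keys` and `sandbox`, and can import unsigned store paths, which the Nix manual describes as essentially giving root access. The account is already in `wheel`, but this path involves no sudo prompt, so any code running as that user can push unverified binaries into the store without interaction. If the goal is only to let the user pull from the two caches listed below, `trusted-substituters` with the matching `trusted-public-keys` achieves that without trusting the user; otherwise a comment `# root-equivalent (see nix.conf(5) trusted-users); intended for this single-user host` records that the tradeoff is deliberate.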
@@ -1,10 +1,20 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: with lib; let cfg = config.services.pppd; - shTypes = [ "ip-up" "ip-down" "ipv6-up" "ipv6-down" ]; + shTypes = [ + "ip-up" + "ip-down" + "ipv6-up" + "ipv6-down" + ]; in { meta = { 
@@ -46,232 +56,249 @@ in }; script = mkOption { - default = {}; + default = { }; description = lib.mdoc '' script which is executed when the link is available for sending and receiving IP packets or when the link is no longer available for sending and receiving IP packets, see pppd(8) for more details ''; - type = types.attrsOf (types.submodule ( - { name, ... }: - { - options = { - name = mkOption { - type = types.str; - default = name; - example = "01-ddns.sh"; - description = lib.mdDoc "Name of the script."; - }; - type = mkOption { - default = "ip-up"; - type = types.enum shTypes; - description = lib.mdDoc "Type of the script."; - }; - text = mkOption { - type = types.lines; - default = ""; - description = lib.mdDoc "Shell commands to be executed."; - }; - runtimeInputs = mkOption { - type = types.listOf types.package; - default = []; - description = lib.mdDoc "dependencies of the shell script"; + type = types.attrsOf ( + types.submodule ( + { name, ... }: + { + options = { + name = mkOption { + type = types.str; + default = name; + example = "01-ddns.sh"; + description = lib.mdDoc "Name of the script."; + }; + type = mkOption { + default = "ip-up"; + type = types.enum shTypes; + description = lib.mdDoc "Type of the script."; + }; + text = mkOption { + type = types.lines; + default = ""; + description = lib.mdDoc "Shell commands to be executed."; + }; + runtimeInputs = mkOption { + type = types.listOf types.package; + default = [ ]; + description = lib.mdDoc "dependencies of the shell script"; + }; }; - }; - } - )); + } + ) + ); }; peers = mkOption { - default = {}; + default = { }; description = lib.mdDoc "pppd peers."; - type = types.attrsOf (types.submodule ( - { name, ... }: - { - options = { - name = mkOption { - type = types.str; - default = name; - example = "dialup"; - description = lib.mdDoc "Name of the PPP peer."; - }; + type = types.attrsOf ( + types.submodule ( + { name, ... 
}: + { + options = { + name = mkOption { + type = types.str; + default = name; + example = "dialup"; + description = lib.mdDoc "Name of the PPP peer."; + }; - enable = mkOption { - type = types.bool; - default = true; - example = false; - description = lib.mdDoc "Whether to enable this PPP peer."; - }; + enable = mkOption { + type = types.bool; + default = true; + example = false; + description = lib.mdDoc "Whether to enable this PPP peer."; + }; - autostart = mkOption { - type = types.bool; - default = true; - example = false; - description = lib.mdDoc "Whether the PPP session is automatically started at boot time."; - }; + autostart = mkOption { + type = types.bool; + default = true; + example = false; + description = lib.mdDoc "Whether the PPP session is automatically started at boot time."; + }; - config = mkOption { - type = types.lines; - default = ""; - description = lib.mdDoc "pppd configuration for this peer, see the pppd(8) man page."; - }; + config = mkOption { + type = types.lines; + default = ""; + description = lib.mdDoc "pppd configuration for this peer, see the pppd(8) man page."; + }; - configFile = mkOption { - type = types.nullOr types.path; - default = null; - example = literalExpression "/run/secrets/ppp/peer/options"; - description = lib.mdDoc "pppd configuration file for this peer, see the pppd(8) man page."; + configFile = mkOption { + type = types.nullOr types.path; + default = null; + example = literalExpression "/run/secrets/ppp/peer/options"; + description = lib.mdDoc "pppd configuration file for this peer, see the pppd(8) man page."; + }; }; - }; - } - )); + } + ) + ); }; }; - config = let - enabledConfigs = filter (f: f.enable) (attrValues cfg.peers); + config = + let + enabledConfigs = filter (f: f.enable) (attrValues cfg.peers); - defaultCfg = if (cfg.config != "") then { - "ppp/options".text = cfg.config; - } else {}; + defaultCfg = + if (cfg.config != "") then + { + "ppp/options".text = cfg.config; + } + else + { }; - mkPeers = 
peerCfg: with peerCfg; let - key = if (configFile == null) then "text" else "source"; - val = if (configFile == null) then peerCfg.config else configFile; - in - { - name = "ppp/peers/${name}"; - value.${key} = val; - }; - - enabledSh = filter (s: s.text != "") (attrValues cfg.script); - mkMsh = name : { - name = "ppp/${name}"; - value.mode = "0755"; - value.text = '' - #!/bin/sh + mkPeers = + peerCfg: + with peerCfg; + let + key = if (configFile == null) then "text" else "source"; + val = if (configFile == null) then peerCfg.config else configFile; + in + { + name = "ppp/peers/${name}"; + value.${key} = val; + }; - # see the pppd(8) man page - for s in /etc/ppp/${name}.d/*.sh; do - [ -x "$s" ] && "$s" "$@" - done - ''; - }; - mkUsh = shCfg : { - name = "ppp/${shCfg.type}.d/${shCfg.name}.sh"; - value.mode = "0755"; - value.text = '' - #!/bin/sh - export PATH="${makeBinPath shCfg.runtimeInputs}:$PATH" + enabledSh = filter (s: s.text != "") (attrValues cfg.script); + mkMsh = name: { + name = "ppp/${name}"; + value.mode = "0755"; + value.text = '' + #!/bin/sh - ${shCfg.text} - ''; - }; + # see the pppd(8) man page + for s in /etc/ppp/${name}.d/*.sh; do + [ -x "$s" ] && "$s" "$@" + done + ''; + }; + mkUsh = shCfg: { + name = "ppp/${shCfg.type}.d/${shCfg.name}.sh"; + value.mode = "0755"; + value.text = '' + #!/bin/sh + export PATH="${makeBinPath shCfg.runtimeInputs}:$PATH" - enabledSec = let - l = attrNames cfg.secret; - f = (s: cfg.secret.${s} != null); - in filter f l; - mkSec = sec : { - name = "ppp/${sec}-secrets"; - value.source = cfg.secret.${sec}; - }; + ${shCfg.text} + ''; + }; - mkSystemd = peerCfg: { - name = "pppd-${peerCfg.name}"; - value = { - restartTriggers = [ config.environment.etc."ppp/peers/${peerCfg.name}".source ]; - before = [ "network.target" ]; - wants = [ "network.target" ]; - after = [ "network-pre.target" ]; - environment = { - # pppd likes to write directly into /var/run. 
This is rude - # on a modern system, so we use libredirect to transparently - # move those files into /run/pppd. - LD_PRELOAD = "${pkgs.libredirect}/lib/libredirect.so"; - NIX_REDIRECTS = "/var/run=/run/pppd"; - }; - serviceConfig = let - capabilities = [ - "CAP_BPF" - "CAP_SYS_TTY_CONFIG" - "CAP_NET_ADMIN" - "CAP_NET_RAW" - ]; + enabledSec = + let + l = attrNames cfg.secret; + f = (s: cfg.secret.${s} != null); in - { - ExecStart = "${getBin cfg.package}/sbin/pppd call ${peerCfg.name} nodetach nolog"; - Restart = "always"; - RestartSec = 5; + filter f l; + mkSec = sec: { + name = "ppp/${sec}-secrets"; + value.source = cfg.secret.${sec}; + }; + + mkSystemd = peerCfg: { + name = "pppd-${peerCfg.name}"; + value = { + restartTriggers = [ config.environment.etc."ppp/peers/${peerCfg.name}".source ]; + before = [ "network.target" ]; + wants = [ "network.target" ]; + after = [ "network-pre.target" ]; + environment = { + # pppd likes to write directly into /var/run. This is rude + # on a modern system, so we use libredirect to transparently + # move those files into /run/pppd. + LD_PRELOAD = "${pkgs.libredirect}/lib/libredirect.so"; + NIX_REDIRECTS = "/var/run=/run/pppd"; + }; + serviceConfig = + let + capabilities = [ + "CAP_BPF" + "CAP_SYS_TTY_CONFIG" + "CAP_NET_ADMIN" + "CAP_NET_RAW" + ]; + in + { + ExecStart = "${getBin cfg.package}/sbin/pppd call ${peerCfg.name} nodetach nolog"; + Restart = "always"; + RestartSec = 5; - AmbientCapabilities = capabilities; - CapabilityBoundingSet = capabilities; - KeyringMode = "private"; - LockPersonality = true; - MemoryDenyWriteExecute = true; - NoNewPrivileges = true; - PrivateMounts = true; - PrivateTmp = true; - ProtectControlGroups = true; - ProtectHome = true; - ProtectHostname = true; - ProtectKernelModules = true; - # pppd can be configured to tweak kernel settings. 
- ProtectKernelTunables = false; - ProtectSystem = "strict"; - RemoveIPC = true; - RestrictAddressFamilies = [ - "AF_ATMPVC" - "AF_ATMSVC" - "AF_INET" - "AF_INET6" - "AF_IPX" - "AF_NETLINK" - "AF_PACKET" - "AF_PPPOX" - "AF_UNIX" - ]; - RestrictNamespaces = true; - RestrictRealtime = true; - RestrictSUIDSGID = true; - SecureBits = "no-setuid-fixup-locked noroot-locked"; - SystemCallFilter = "@system-service"; - SystemCallArchitectures = "native"; + AmbientCapabilities = capabilities; + CapabilityBoundingSet = capabilities; + KeyringMode = "private"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateMounts = true; + PrivateTmp = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelModules = true; + # pppd can be configured to tweak kernel settings. + ProtectKernelTunables = false; + ProtectSystem = "strict"; + RemoveIPC = true; + RestrictAddressFamilies = [ + "AF_ATMPVC" + "AF_ATMSVC" + "AF_INET" + "AF_INET6" + "AF_IPX" + "AF_NETLINK" + "AF_PACKET" + "AF_PPPOX" + "AF_UNIX" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SecureBits = "no-setuid-fixup-locked noroot-locked"; + SystemCallFilter = "@system-service"; + SystemCallArchitectures = "native"; - # All pppd instances on a system must share a runtime - # directory in order for PPP multilink to work correctly. So - # we give all instances the same /run/pppd directory to store - # things in. - # - # For the same reason, we can't set PrivateUsers=true, because - # all instances need to run as the same user to access the - # multilink database. - RuntimeDirectory = "pppd"; - RuntimeDirectoryPreserve = true; + # All pppd instances on a system must share a runtime + # directory in order for PPP multilink to work correctly. So + # we give all instances the same /run/pppd directory to store + # things in. 
+ # + # For the same reason, we can't set PrivateUsers=true, because + # all instances need to run as the same user to access the + # multilink database. + RuntimeDirectory = "pppd"; + RuntimeDirectoryPreserve = true; + }; + wantedBy = mkIf peerCfg.autostart [ "multi-user.target" ]; }; - wantedBy = mkIf peerCfg.autostart [ "multi-user.target" ]; }; - }; - etcFiles = listToAttrs (map mkPeers enabledConfigs) // - listToAttrs (map mkMsh shTypes) // - listToAttrs (map mkUsh enabledSh) // - listToAttrs (map mkSec enabledSec) // - defaultCfg; + etcFiles = + listToAttrs (map mkPeers enabledConfigs) + // listToAttrs (map mkMsh shTypes) + // listToAttrs (map mkUsh enabledSh) + // listToAttrs (map mkSec enabledSec) + // defaultCfg; - systemdConfigs = listToAttrs (map mkSystemd enabledConfigs); + systemdConfigs = listToAttrs (map mkSystemd enabledConfigs); - in mkIf cfg.enable { - assertions = map (peerCfg: { - assertion = (peerCfg.configFile == null || peerCfg.config == ""); - message = '' - Please specify either - 'services.pppd.${peerCfg.name}.config' or - 'services.pppd.${peerCfg.name}.configFile'. - ''; - }) enabledConfigs; + in + mkIf cfg.enable { + assertions = map (peerCfg: { + assertion = (peerCfg.configFile == null || peerCfg.config == ""); + message = '' + Please specify either + 'services.pppd.${peerCfg.name}.config' or + 'services.pppd.${peerCfg.name}.configFile'. + ''; + }) enabledConfigs; - environment.etc = etcFiles; - systemd.services = systemdConfigs; - }; + environment.etc = etcFiles; + systemd.services = systemdConfigs; + }; } diff --git a/os/common/modules/user.nix b/os/common/modules/user.nix index bdf258e..13a9046 100644 --- a/os/common/modules/user.nix +++ b/os/common/modules/user.nix 
@@ -1,17 +1,19 @@ -{ config, ... }: let +{ config, ... }: +let user = config.global.userdata.name; email = config.global.userdata.email; -in { +in +{ users.users.${user} = { uid = 1000; isNormalUser = true; description = email; extraGroups = [ "wheel" ]; + initialHashedPassword = "$y$j9T$5yekb7UNR3e1bHrPLqH/F.$zVIIDLBY4snxLQcdGCb1aHD2rIhs96fvdvPdNkstFcD"; openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOzbE0x+ls4Prf4xMylcaFlzuLy44Pti+ZeUU98Wo+5P sinan@paq" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMQu223dTF1J2Iw2TuKVt3SPT4cjtY90TMTxFGxP7DP7 sinan@exy" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL8LnyOuPmtKRqAZeHueNN4kfYvpRQVwCivSTq+SZvDU sinan@cez" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHeyFnYE9RJ87kbkjgrev/yw1Z4PVLxvfPAtJjBMOYPq sinan@ale" ]; }; } diff --git a/os/dspace/configuration.nix b/os/dspace/configuration.nix deleted file mode 100644 index ccbdfdf..0000000 --- a/os/dspace/configuration.nix +++ /dev/null @@ -1,20 +0,0 @@ -{ config, ... }: - -let - user = config.global.userdata.name; -in -{ - imports = [ - ../common/configuration.nix - ../server/configuration.nix - ./hardware-configuration.nix - - ./modules/network.nix - ./modules/www.nix - ]; - - - users.users.${user}.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvR5FliFLq1FJWotnBk9deWmbeGi2uq2XVmx0uAr1Lw sinan@fscusat" - ]; -} diff --git a/os/dspace/hardware-configuration.nix b/os/dspace/hardware-configuration.nix deleted file mode 100644 index 7a8d7b2..0000000 --- a/os/dspace/hardware-configuration.nix +++ /dev/null 
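Review bot: `initialHashedPassword = "$y$j9T$..."` commits a yescrypt password hash into the versioned configuration, so anyone with read access to the repository can run an offline guessing attack against it; yescrypt slows that down but does not protect a weak or reused password. The file already pulls other secrets through sops, so the hash can be kept out of the repo with `hashedPasswordFile = config.sops.secrets."user/password".path;` and that secret declared with `neededForUsers = true` so it is decrypted before users are created at activation. Note also that `initialHashedPassword` only applies when the account is first created; with mutable users an existing account keeps whatever password it already has, so this line may be a no-op on hosts that were provisioned earlier.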
@@ -1,32 +0,0 @@ -{ lib, modulesPath, ... }: - -{ - imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - - boot = { - loader = { - systemd-boot.enable = true; - efi.canTouchEfiVariables = true; - }; - - initrd.availableKernelModules = [ - "ata_piix" - "uhci_hcd" - "virtio_pci" - "virtio_scsi" - "sd_mod" - "sr_mod" - ]; - }; - - fileSystems = { - "/" = { - device = "/dev/disk/by-uuid/c5b1077e-52e8-4249-8bd7-d53eafa41f5a"; - fsType = "ext4"; - }; - "/boot" = { - device = "/dev/disk/by-uuid/9787-FFFE"; - fsType = "vfat"; - }; - }; -} diff --git a/os/dspace/modules/network.nix b/os/dspace/modules/network.nix deleted file mode 100644 index 007cfba..0000000 --- a/os/dspace/modules/network.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ ... }: - -let - wan = "ens18"; -in -{ - networking = { - interfaces.${wan}.ipv4.addresses = [{ - address = "10.0.8.107"; - prefixLength = 16; - }]; - defaultGateway = { - address = "10.0.0.1"; - interface = wan; - }; - nameservers = [ "10.0.0.2" "10.0.0.3" ]; - }; -} diff --git a/os/dspace/modules/www.nix b/os/dspace/modules/www.nix deleted file mode 100644 index 90ab841..0000000 --- a/os/dspace/modules/www.nix +++ /dev/null 
@@ -1,39 +0,0 @@ -{ config, ... }: - -let - domain = "dsp.fscusat.ac.in"; -in -{ - networking.firewall.allowedTCPPorts = [ 80 443 ]; - - sops.secrets = let - opts = { - owner = config.services.nginx.user; - group = config.services.nginx.group; - }; - in{ - "cusat.ac.in/key" = opts; - "cusat.ac.in/crt" = opts; - }; - - services.nginx = { - enable = true; - recommendedTlsSettings = true; - recommendedZstdSettings = true; - recommendedOptimisation = true; - recommendedGzipSettings = true; - recommendedProxySettings = true; - recommendedBrotliSettings = true; - - virtualHosts.${domain} = { - forceSSL = true; - sslCertificateKey = config.sops.secrets."cusat.ac.in/key".path; - sslCertificate = config.sops.secrets."cusat.ac.in/crt".path; - - locations."/" = { - return = "200 '<h1>under construction</h1>'"; - extraConfig = "add_header Content-Type text/html;"; - }; - }; - }; -} diff --git a/os/dspace/secrets.yaml b/os/dspace/secrets.yaml deleted file mode 100644 index 42143ac..0000000 --- a/os/dspace/secrets.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -cusat.ac.in: - key: ENC[AES256_GCM,data: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,iv:dyo8mIJI2o8IerqV9QNziM6Bl8FOkbp31Y3Q/Lr+x/4=,tag:xalsdWTtaqXWLYn6LJJRRA==,type:str] - crt: ENC[AES256_GCM,data:ufgrvquUriugFmIv3EIEZD35ldqCq/i9oSo0jfkdLVs49mFM1ng1onSmDCpFXP/gdzI2W1q8HI38rS5AaGAIhXE1fQJO+ex2r+KHVO9X3pR9AXQwrAGoV55HJmzO9gcyMveNd0i8UIpu9qePjEe19UBEuAxIVSb8T133AjxyPbpNfcOLC4hMtvxbvRxeE7dS9VGGllN5ns0GlfTLGNM5eMLEd8M6teuwB8hx57EePdwDwfDJOR/HuxyrOGBPYpBAo7/MmWqrCDOI4zBcqWBV79X8nlbaCEyUEF6mAO1F63nrlhLbHbLWY0+CHyCjMWh9TyaVtcjQRtVZVcUibu+bZluJfcQpQ1uvfAUZfJEJvQllMTk++LB3naHBSN1m9NFvpsJhvIavQF97BQExAcM/ShE5oLHLwxP85XSaAWKZtkmlEzefPX6cshsTZxVdnY4hflydfSqZ52o/GyeLlxbcK3hgN2Sp0uhk5yvzCN27HGZZVSWV88+HaWUfk+2WOmpcEyBtHu9mVUnTpOvJEKFdvVnzUf40YkbKtyTz0k8Jwbn1hH6j3U+5zYtN7PlpW1bzUQIiCfuRw9Kezaqn1ndLMOD6b6+FcOaY0bNn2iAn7CmJA1GvouYzM0zdTjupcIvfjnBaqmUTbWckByNdNYGb4Xpg8j2Q+cnYPwvUq42J7Y2BVv76ke7qGASJZX2HJqlcQOwJQKjdmvyo31/Ts4AnyFIZSrjU0O65QYhJ2ZgkV5DTVJS51Za5Bn1RiEQ658Vg1k/4N/c9NjNyCdFeEXsNHYVyXcbyZJDvekirTuHzmRSHWuBkMl0H4OoUCVWpJtxqt/qRt2R54T5CjTvPvMXD9lWqauHDcDb/f5BeVQWIVaf1a4AfNi9YOimm8r0SiNiKDlblbTT2IZh1Tfbu2Jv9m9zWhWS7/8PnCPqnlDBjVdFXavWe2oflIQan7Pj6WMxka+5YscdQpMpIqVDxILw70U4H7Lr+e+nvdu/ByY7iWB8u4OWTahQFkarbSzOtOqTl/URzTWams96V8pRgcAGOo7z6/vfnqZARP3zdInAonsdmgfsC170BNvQ8be6LJCG2Rhr3s1Xahl3tfwYRu8OLSig45bGOBnIgLpysEw+FaahYX1KOaOq1f/NOzF4P5p7OfGAtrVomKtt/fWl/zZWP+vh6jiGrM0x07xVEsdBjlMi9S2OR++16D5nX6oRLH+lhxXj9uV2Dp5DUEJvf9tRB1ahlyEabLp1Q+Op1sbST1V+R/T/UzjSgGpP000Mqdi3qrHZL3vG3IQcIKD8ZcfVADowNIOGgaLIFdQB8BoYt2CTOF9kPXb907mYyB2tQq+SMDQm+hJtnC47LDw/FhdSLqBeBeQUWM5fqd1tm4hNBbp6HVWDdLU5ipOL/95hnby0hCStEvmqQ5uk7JK9Ch7tzXlh7Ufer5b/4JQnWzlgmAt1aqhieUpl6RtNLOtG3PLhV4SDSJeU7xUjv2JFx54/laz8amgKVI33AbYXQZrHcGsjLIPPtZbHJk9c6Q7RN5gX6CUNJrEaehJpa5+9jdFyBsuROAtLAnx1IPasVZmp6Bnt6fm/nfLu9jxNd9wIm9131IIIUbIE2xeEiFZtOo7792kfcBD0uMFgw1ZmZBboXpJC9NTmZswMuN4K7YtDRw/ZPRNWV+i345x9ggEtFoRC6DVCDqWoO0q/+cvQ9yBkZf+h800EAPK8L5SWXi6kLMRMdCMbp+ydHx35dKhsFD7e8xKcpRqI0sA067+sGNPlb01x0XE
FzgsGu5tfnukslBIgBrvmFS/F6tGoyaKzbXztbNy7DD0/trLO0GgkMQFHd7cPGg89XeD9Xjc+ZO4ECJAGfhKyysU2xWaxRKfDq9UyElzjrM1jBku1xRJD8tSlF0/iVa4VBWUGVy3yYziEGvEya/B3R56P1cp1O2sXtWEQYbOHWMLFh10oKfyOzEBTQQjYuwDQicPobw/JRUDi63jThtQH9aMAIwXMsnM8wAeSnyvs5uvrNfHRjpxWXs3SesnVO+NP3uTUk7GSX48poRmzOUOr9bYhQrw0saM+JcFJbvjeb7ArhnPZbOKm5TPXNJ26iCnT3PZIYx1K2mGolF5hFBlFgc7xJuXa8DJG3EYExezE3WtcN7NLyZhqueFSmkJWdJGpu8Z4aQaV82YN+WhwnDUZFuKDOqY4iq3kexXn+x2i49cWmd3tQmMPET0V3oh+szAa+FF6fMurQNcfk9vZDXLY4iBc7zTdeVrhQXsTrVMN4nd+ItfwiGtw17iR+RLiJEJXA6A98xPuBd4E5wb5hH73X7ty9QQMHpVHAeCgo3vXBgevGZjjkwaw27UDZh6WLM68zcDHeS3C5UcXAr+GCQYFw0Z0/m83JaLaNtrusxwyLDxo8WWI266NRrtqecxDOvuuqIaqMFsSgV+YhzQB1gelJMEdvls8yZxt3zcrFLfXE5ODdTSocd98Hvx1TZqnHuSgqDa+Ex5f7FNm5fyHaBFRZ0S7AA+G39EplY43MNNrS68FSU0/fubFdQAeVMy7eN+IujkXOZtXCARuJfeXcduifONnUqoQf8sVNCTK2mFvw/6SJMrEcP0dniHHY7Jl5wn8ENQlyLNSbB1wTtksB093kE+6h7kcg2aj4lEMhcMngObpaXilNLnzRIravGacKWEQrYv1OIdQflFz9aXuKYRxGGfoXa/0qaiK/tOaYNdHbJro9st9e1Vxc8e7cGe3Xngw7lFc3H+GXvNHcy2ipvoP2gm7oDAcrQkkkZSc/m1ou42cWsYJZO5g3ax2vAUnhHGi+5B2uW9Z3+QfNn28eA+EEKrliSp0DeQ8afzoEsMdLlSk0Bl45/wK6xIzaGeaz+CT49BN/vE/C13RAHWb85zAdvWRiW9FcDMwPjxviyErCus65udhxE3P9RLcIOuc31sui2rhKivzmC1hPWc6slayUdz56RnBFx+NwNiibWRTFFa8s/5sYURf36YjPA2K+KWAdFlLvBn3v99a7Rb5P2YXIPe4/7bQOXRnzOAQjFLb6CHxAwHEkAJwVfl3uUiWD+edZ1WlvxNzYBpq4YFARaTWpQbUH3mkcRs5oskkzQWcgWHgAoIkhRz2CBTg0XuKt3Z3UfbvsvxXMM2zrnXwyyUfIlKm6kZ+DtE2LWle2W3xJexae0kpYtAGcM42XcafsxfT9EJFmGcgvSeomf7CVc5VhOrBHJ/neHMISyQptmLC8s4u5L9H+msDet5asti1kg3UEDZ4TCX03XctAUryxV2eFdKpNjZgeQuOweM+GSeigTPYp8GTlp+6xWARrUDcTXxtr5Em0tp4FGb4ZA5tHdImTUnITxVbudHN6ZDA25cFORGqDcMIaAatcTYurKl/KsBZ4aQrGXBlIjmNOMt5WEelUi9+7QbKk/TbhTXa+D9+o+wUxRSW4un0D4dXe+851/DGX/5O9tYsTKDP/CJUDrKkqxWTUe24nRK8qRxZ5MwpRd3c4zlz+WWksM8bc3aCgbBv97GRemTg5BoVtK/NSDQqW/0hLCTOcnUyRLhVx8FCrSlQXUclFVh5Aum2hjeefHiGLWgaVO8RnONtv7L5LjhZYsWlTareTz6JI6hW5i04rzZJoEFcgX1DI21pzUBVNGqA7OKP9xmjYHrqBaqyc2CEafR/3qjd5JHy1d9tYI90podaaY7mdAkK60EG6UZUmN7AGXQ+mYZf1E3lfDmdQVrw64tslePInidPjWtZVozHeWcHtMpGzQNWbOS6w56bB2+Nm4z3J/ll5AVsqZQ
1qybx/VlXqABo8HG3O3L+EgJ/P5vr+GU/kYnpm/ocHbbj2MJpQC17M4VGnUDe7F3Ohj9zVhu1bI8yH9i1OKyAJYRh01UlSubTQDeAq6mB46QOJGqdfrnl4UK9ZVxTza2q/lzYJUNfJ41RPqTefYPPf2pi1a92oqydq6zV8p27vqVyrDfeli2pEdzNRvsHXYGbaZi8noBBqjrgcNiF9494NoFgABk0BsVSGS7dmjd6sy+rYG+R7nXE0XVMa/9Bj99dxMP5t0g/79eASUa0jdWyEu07pM7l9mnSaZiOUybZZe7roqTVlvZfPRX4Bj7TG6EeVfXQp40Q7zOGofOCbSCxACAbu2pUkWg7FOB1RzI7MgqmrHbUT6hGGGe/236QsRvEbp12vsHDDpURuYkGcR68E3Cq3RuftMTrfIclD14ZjCHphcZ7OD0uO1WBVP33V7TCIBXjHi19iGNVr3AbJhZMKOMvOYGcONj22186EUDtiZSPF4TvGuzYkIf1jYeTEP+5iCe3khQ8MI3W/blzYW0KuPwuAyX8igwWthWYmXCkSWWlE/OKvpsy0s9MYQ5M6mHjNs5IAelYoRBmhfIdZEmje2OiIJm1WfXMMExW6OYUVi5PcQf/zCYrHREv+nd1+GWyP5O/aSTz0RnX2PSmptiopWTedVDogXX53XnH0TEUDZ2UOtSmcr6ICok7jAarLn+HbNt1BaHAvgjKlC6cgFPAs5+oaXm9u5dOxp6PQtRbPSm9PSat1496izT+z+XRA+qZNi+a1357687bl6OV7dJdrMxv2/ZVJNLI1TkskZCiCdT+4q/p9pyk9InksMP3uALqfu8rNI3p+H2pXI7l0rX0qg2ajtgoTiMOcwpcNxEsmTKIzhUeeJYsWTf1C9EPW8anhfxIEiJ3onoLASW+aS/JBBKmB7ECYJ5EWDaCbgUEeobEWC6hLHHs4MUeNzTNIHwWzoKNipyS8UxdXThMxefhl+RXiRCSQKQbjc5u6WL6ZiKBosTTzuExTTb/w5ovx/jEUZJ+gjAkoLjZ33qn1mkPMzB1TYPIRtmQgp9vhxGTKNefi/sB773WEWgSJZWUWJV3XdOYc2ayBN8PbLVZsUeQPYO2d05ZkHRDfd/TmqTm0CSDgkH2zj2o9b0moDf/RVekIjLAT8nFWn17LF1hZ4upXCAfWvpcJ2D421eRvSaGpojta0lYEuhqoMGxOgCpTyQWggbHSmkXmPK/5pZwdtXEzLB0pK/i04nStMrw498sduvml01EmW268uuB14FXBJ6097aExC4CrWMK9o3ZP1Xhgx70OcVd2TZ6WDZ235fTBtatTH2PChQg1ePulnFYAN+lZwkPWYOLg7PRaUPc/jehym+gUxSxBdguxjnLzFUJZSkLf8orrO4l2AdmuHLFPuJumWbOoze3et6CBW2DU8tQmByyh38WgNBT7OoFQROZZzsz6ZmLTDMAtUlw8+vyQU05p4pHCw7sz0PH1yVYNpOANRderJXWdDdmsWvTexaHJQfe0OxS+Fdk6o9gB/F9B/MG0BZgqw8Hj50uXsXE6qdDsVRwB0qsXF68oEmzYWGlHtvR4TUd15S6DGd5g00PBRV4bQsaCdxBz7arAQJtfph2oe7n6nL5NLDFIA8rdUFJl4t6sUEh5iIA0ijnEmii5x+cq1aVReF+GHAUxcmC8PRgIfaQdGTkHsq2YO1eu6KZD/KbXX+XTyKUHIc3q0cmXCRrxGIC9n0YOlYfb4s4s5D+3LwqbKg3io7Pxa7F+gPjWBlQkGI6MzudLQvS79RUt7dwF0VK+A+ZduCqFILStISiY5thMBZb3q7do9ZIT2sZvm82M0btCsfcUB7jhexXZ5D4xHGIx2FLlniUElUIqkFRwEGuboXSf3VeCxoZ0XgWrUPYa2u5/+Oue3GXljNtC5xmrT339ajy4qaCxM8oHCSt1ofmDoguE0h+XAFMqsxLsPOMEdHTmN3byXIEitIglEVykP7cTt8FXIRSz5b
DtM0XwYUGH3S09nGD3JUnXamDmLEzf6Vrt0hXQkerZh8/B7ACU23TxxG2r9QvRMs/BfwpAedcQvMyTWMaDwwB0XiU7uEGOMVSahxwP8Yj/RGOOKeu7vPxHOYYvqdx3be6qgPhVHz6WbIievp4kaFkSSKZ3k3RpXZZA48sSEtpuYaffad5Yjq1WqEe2oFkEtRnAB5mtyO8KRE/Vmkr0dyUwmHXBm+3fhPD+C+DUHlLfYxEybnFxwdOhlJCX0pcciBorSwKLQ7ltPQjqwr2j9Lq3LspDpiwRHrCr3kJib1TPmdpbqVXoZyJxkSI/4WYJ/PPLL04mhECQ0c9LQSKauDopI3IjUFycZ98OYmI2+Pi4BzJNbi+lYSocLyDCQ7HP3xOSqIpAR2LjnOQqngiBRGZDYnnBMw/Xp+G1TTdqqf+Zlk4QFzw5hJ232vPUQ0vCtqJRhp+WqE1otO4Wsct6ULEDKKcC1rWlnq8NQmVwr2kboPWvAobyfPiaOmOwDlIHEaLQvVGEXy+XiWuFDMaeUgMLNBlmc7PJlOObUmvWPQDtbwnuY4KzVeZtf7jeX3ULeh8lhqdnXvRbFDNFsgDQIR1CqH1xwN4hmFxWK2HNSPBnnE8EZyocLwanWDxTXd0WJsPzsu0j8aSwasESv8c4UJM3He+n/OrZJ2eF4Mun+K5Yxqp/D01vBsPXPmT7K1ehxoFlPzT+cNoswUtd26SBp4+DrMMpXup+NTzPjL3GzkBvRDTFIpvxxODyBtVYD1mwOUmqRB6F+C73Ey2M3lbnCHb8K/u+af73ww6Ug4A+h972CSK5nBfmbE0Ar0to8GnB4sxrrHLS7GmfK3sS//BCgyjsAoghYQtlLYAaZBzSmnpbRSo6E9LPykn3n8Sa8x1VHTvGlRPsk/UBS5/WBnLYP9Uf74IkE7y9LulEa1L0aB/HDTpue5iMjWaJQkOKP55TXxyFZLYEjq5U9cLgqL8kk0IoVHIEtyM+KEbnvGdacpi5hDVqxI6utIWVjUF87WDVmkgUIVhwRDzPSsuQ/bNPVH+qVPnh1xwCazY8ZJIX4tSxnqyfgRtssy/yYGCp1/SJl/F092g7Di7MynKMbMqnKjwus4vq8NdZYWdvPkaRMwdK23XpojOguaGAK3hQl0XElOhuKjB1N9gLfCzGP7O8xl7meQ7mNuWn+TPptVxBeRPZNRY+hzVJb1+PCyQ5w1B2d3HJdqthnovcd5nmSpjln/uG/mKlkqQNPYpzMJvd3QWMXpSpN0BQQWDBYeK4fV++8RYarqOM87KvCSwJPSI1R5yfvIDXN/0MVpzMboZjeGDb+qn5PZN1lZM9HbXmrsT5P39Pr0tk5y6zzA+ovdGPXGfNqoMQ3XBKsfUv1ovM1NBhod35t7Kslmkf9tXAzvZQOIA4CjvJ21BRoPG0ghdHaAioBQham5XB7x8z2JkvTDtLrSvorXPoTGNcmhOhazqbeA7df+UgxHL0aXKAg/In98mM/8o6sCql4kmiv90Slqy05OARuEI1ILfyEzD5gV5YAJc20HF1lbmDpDPdWRa5SFGB0yZuvSDlp6hHZEDp4jtZx2sc35OnW6N0cj9zava1oIz6FX58yUC6wCGzvNcBlNFILeMGCK6zTB97X7+WnP1t9LJYlN1jI5Qv+OTG67z17hiAzv+c4whhpQfBlxg9ZFUqLJ4DSsQCFOhOSUguiZzdR79w8Wq1zvy7Ie3SZfHd/GVyYZ/uflyfzWw6nQPjOTDv9oIzwVOOIqzg2iOSKOgCf+CIcHogxwT7vmHsZqUzviZtrdV0OS/1OlUs42caccs9YBth9yQRQDecFQK4gnu7CdmSEuN4qggvxDVYUXLPnbI0sgtB6uph9Kl6SCg3YbL59L4/e/BC9MgiFPAp7o6Rb2xX0VXRe6hYH6Yf+bek+NNBeRGwucY5MhqalIoPnxAfgvv3wdWOlh2e21bG5il7oQeXKRrcAdiRQ8yQgeA24LyMoBkqvcbUq4vOjS
T50q3GCcwxUA17Bscbvq+389dsHeJhHoqg1vXdTwrzvkXQJifsVnd3uUrMQT8+qVRtaI/+SUvvWC7QRdlHULQWZnZplIL06DbU4PfEn6TrJPzdO2+7WqHBtgRV4CtBzNDgjrEmv8Co5ZQhszG+GsLeeq2mvXW7S5/Aohy78CRr716SUwcUi9W+pU5tdML0jeYgxphZd36QzOFk4QQoOseClIYH9OQqBFnL//BFznNxqxvtzCDcvhBSxiI4/Qz8FT107/fl4rctBuArpYNdbZbQaaYnPYl94oJOjlKf2Qxort8koyAjrkivxfLfviqyZ4CHcngIOyN/SUTfdGtv1029kfqIwE+5Y1jT71r4TwprTlZ/mqtW5OKux+oMSJVLgQoXYM6krPxZrxtVTRIliVn/uFh+wlcpp1UbFP9Bc+tm2wT5hC5Y7bJqTdl1RPIrBu94rnTQWz9rtGB4kgsAefP2GtKYjzt6Gggt86vp1Ia5sjmGk9rcRHB1oGzAi3Ud1LvDciKhr8tUsV2WgbiDZo8FqgVdixWpUKOoEvmmg7JL6CVLQq5kpYtn1ovATakRcnLji65COGe3+xo9hXutnlRj41triL5IyihVQnYc2pDocaZXdPEhVv21qmeFIGlIk+HsWGaw+/AuJ6ytL+Xhl3tIpuluRMAmpX93utfMv0WE,iv:KrNhOECVu9ZlIMEjxuseREMJe34ke88MbZsns+ug17E=,tag:zVKWzcDNxTujzN1wwNNjRg==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQWGxiUlZMN243Yjdtbnla - Sitpd0h4VjFuNVdaYldvM1JTT2QxR1dnTXdnCjJ3RmV4WFRPWGhZV1ZvWm00Y29E - ck1SMVFkMWQ1WVJqeEdYU3ErQWdJRVUKLS0tIDhTWFZLRnVVRllUa1JaZk0wb2Rj - Qk9VZE81YXVaajVISnVLYkNDTHpqaEEKTr5RkhOGSmWu+BHMwXlAcpn5zkqMwJQK - VU9mlVGhoXfc9BW8Ucty0a3/VK5Ze6y5V6573S+GKzhLURspmKXyaw== - -----END AGE ENCRYPTED FILE----- - - recipient: age15hsgvg3tz9lql0jpr5x8pm66r42kemd65fpz0wa6t8nhvwrxygcssjxd9c - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhY3FNdGw2bG9HOWlWR05C - MUkrVHozakRzTG1iQXd1RjMyeWlPdzRaekRZCk41WGdWZExTK3N3ejczWklaWlY1 - V2tUSjU3alp1SS9ockg2Mjh6c1BaSUkKLS0tIEYyQWJxek9SRG8zaDBMOE1KYjRZ - VzRWd1RNUndzRzR0WWFaL2k1S2dDMTQKPpj0zMSEs0AygU7naxTEy/Bf/XEEN01Y - eKmtK73BQWdZ2LIwm81vShh+9Haq2pBkvGaYwu1attCxYq9BZp9lJA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-01-09T12:21:41Z" - mac: 
ENC[AES256_GCM,data:+BZ5x2zZxCOa3vogr0ohbs/o8uCPxgIjf6SZmHgqBRTVY17NAdEjzRlxcDX7vzDGdX+bLcQdJW3zj2H7BfLdlulldoJfjINIhPVTdrqihVrGC9/JgOy+NrQqD3cr8YJgkqAoELMoDira2oecLlrE4Wan8snD3Ul2nyxFdDOoO0Y=,iv:mCmMWopzWtlTukPTQBZ6Z2CSLMFXe1IUL6Ud0cmU1N8=,tag:7/a1ptXCnDkmxFfIGuGm8A==,type:str]
- pgp: []
- unencrypted_suffix: _unencrypted
- version: 3.8.1
diff --git a/os/fscusat/configuration.nix b/os/fscusat/configuration.nix
index d7a8e43..57eb49c 100644
--- a/os/fscusat/configuration.nix
+++ b/os/fscusat/configuration.nix
@@ -2,14 +2,18 @@
 {
 imports = [
- ../common/configuration.nix
 ../server/configuration.nix
 ./hardware-configuration.nix
- ./modules/network.nix
+ ./modules/network/lan.nix
+ ./modules/network/headscale.nix
 ./modules/www.nix
 ./modules/mirror
 ];
- services.openssh.ports = [ 22 465 ];
+ networking.hostName = "fscusat";
+ services.openssh.ports = [
+ 22
+ 465
+ ];
 }
diff --git a/os/fscusat/modules/mirror/debian/default.nix b/os/fscusat/modules/mirror/debian/default.nix
index c0a35cd..b80c6b8 100644
--- a/os/fscusat/modules/mirror/debian/default.nix
+++ b/os/fscusat/modules/mirror/debian/default.nix
@@ -1,7 +1,9 @@
-{ config, ... }: let
+{ config, ... }:
+let
 name = config.global.userdata.name;
 email = config.global.userdata.email;
-in {
+in
+{
 imports = [ ./ftpsync.nix ];
 services.ftpsync = {
diff --git a/os/fscusat/modules/mirror/debian/ftpsync.nix b/os/fscusat/modules/mirror/debian/ftpsync.nix
index 29fb55b..d2394de 100644
--- a/os/fscusat/modules/mirror/debian/ftpsync.nix
+++ b/os/fscusat/modules/mirror/debian/ftpsync.nix
@@ -1,10 +1,15 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: let cfg = config.services.ftpsync; - archvsync = pkgs.callPackage ../../../pkgs/archvsync {}; + archvsync = pkgs.callPackage ../../../pkgs/archvsync { }; - formatKeyValue = k: v: '' ${k}="${v}" ''; + formatKeyValue = k: v: ''${k}="${v}" ''; configFormat = pkgs.formats.keyValue { mkKeyValue = formatKeyValue; }; configFile = configFormat.generate "ftpsync.conf" cfg.settings; in @@ -16,7 +21,7 @@ in settings = lib.mkOption { inherit (configFormat) type; - default = {}; + default = { }; description = lib.mdDoc '' Configuration options for ftpsync. See ftpsync.conf(5) man page for available options. @@ -33,33 +38,35 @@ in LOGDIR = lib.mkDefault "$LOGS_DIRECTORY"; }; - systemd = let - name = "ftpsync"; - meta = { - description = "Mirror Debian repositories of packages"; - documentation = [ "man:ftpsync(1)" ]; - }; - in { - timers.${name} = meta // { - wantedBy = [ "timers.target" ]; + systemd = + let + name = "ftpsync"; + meta = { + description = "Mirror Debian repositories of packages"; + documentation = [ "man:ftpsync(1)" ]; + }; + in + { + timers.${name} = meta // { + wantedBy = [ "timers.target" ]; - timerConfig = { - OnCalendar = "*-*-* 00,06,12,18:00:00"; - Unit="%i.service"; - Persistent = true; - FixedRandomDelay = true; - RandomizedDelaySec = "6h"; + timerConfig = { + OnCalendar = "*-*-* 00,06,12,18:00:00"; + Unit = "%i.service"; + Persistent = true; + FixedRandomDelay = true; + RandomizedDelaySec = "6h"; + }; }; - }; - services.${name} = meta // { - serviceConfig = { - LogsDirectory = name; - StateDirectory = name; + services.${name} = meta // { + serviceConfig = { + LogsDirectory = name; + StateDirectory = name; - ExecStart = "${archvsync}/bin/ftpsync sync:all"; + ExecStart = "${archvsync}/bin/ftpsync sync:all"; + }; }; }; - }; }; } diff --git a/os/fscusat/modules/mirror/default.nix b/os/fscusat/modules/mirror/default.nix index c5fd462..1648204 100644 
--- a/os/fscusat/modules/mirror/default.nix
+++ b/os/fscusat/modules/mirror/default.nix
@@ -1,4 +1,5 @@
-{ ... }: {
+{ ... }:
+{
 imports = [
 ./debian
 ./www.nix
diff --git a/os/fscusat/modules/network.nix b/os/fscusat/modules/network.nix
deleted file mode 100644
index 53367f8..0000000
--- a/os/fscusat/modules/network.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{ ... }:
-
-let
- wan = "ens18";
-in
-{
- networking = {
- interfaces.${wan}.ipv4.addresses = [{
- address = "10.0.8.101";
- prefixLength = 16;
- }];
- defaultGateway = {
- address = "10.0.0.1";
- interface = wan;
- };
- nameservers = [ "10.0.0.2" "10.0.0.3" ];
- };
-}
diff --git a/os/fscusat/modules/network/headscale.nix b/os/fscusat/modules/network/headscale.nix
new file mode 100644
index 0000000..906080a
--- /dev/null
+++ b/os/fscusat/modules/network/headscale.nix
@@ -0,0 +1,23 @@
+{ config, ... }:
+let
+ headScaleUrl = "https://headscale.${config.global.userdata.domain}";
+ user = config.global.userdata.name;
+in
+{
+ sops.secrets."misc/headscale" = { };
+ networking.firewall.trustedInterfaces = [ config.services.tailscale.interfaceName ];
+
+ services.tailscale = {
+ enable = true;
+ interfaceName = "headscale";
+ openFirewall = true;
+
+ authKeyFile = config.sops.secrets."misc/headscale".path;
+ extraUpFlags = [
+ "--login-server=${headScaleUrl}"
+ "--operator=${user}"
+ "--accept-routes=false"
+ "--advertise-exit-node"
+ ];
+ };
+}
diff --git a/os/fscusat/modules/network/lan.nix b/os/fscusat/modules/network/lan.nix
new file mode 100644
index 0000000..fefcd14
--- /dev/null
+++ b/os/fscusat/modules/network/lan.nix
@@ -0,0 +1,23 @@
+{ ... }:
+
+let
+ wan = "ens18";
+in
+{
+ networking = {
+ interfaces.${wan}.ipv4.addresses = [
+ {
+ address = "10.0.8.101";
+ prefixLength = 16;
+ }
+ ];
+ defaultGateway = {
+ address = "10.0.0.1";
+ interface = wan;
+ };
+ nameservers = [
+ "10.0.0.2"
+ "10.0.0.3"
+ ];
+ };
+}
diff --git a/os/fscusat/modules/www.nix b/os/fscusat/modules/www.nix
index 24398da..8392190 100644
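Review bot: `--advertise-exit-node` in extraUpFlags only does anything if the kernel forwards packets, and nothing in this hunk enables forwarding; unless another module on fscusat sets it, a client that selects this exit node gets no connectivity. The NixOS module has a switch for exactly this, `services.tailscale.useRoutingFeatures = "server";`, which also records the intent. Separately, `networking.firewall.trustedInterfaces` on the tailnet interface exposes every local listener to every peer the Headscale policy admits; if only a few services are meant to be reachable over the VPN, `networking.firewall.interfaces.${config.services.tailscale.interfaceName}.allowedTCPPorts` keeps the default-deny stance.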
--- a/os/fscusat/modules/www.nix
+++ b/os/fscusat/modules/www.nix
@@ -4,19 +4,24 @@ let
 domain = "foss.fscusat.ac.in";
 in
 {
- networking.firewall.allowedTCPPorts = [ 80 443 ];
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
- sops.secrets = let
- opts = {
- owner = config.services.nginx.user;
- group = config.services.nginx.group;
+ sops.secrets =
+ let
+ opts = {
+ owner = config.services.nginx.user;
+ group = config.services.nginx.group;
+ };
+ in
+ {
+ "cusat.ac.in/key" = opts;
+ "cusat.ac.in/crt" = opts;
 };
- in{
- "cusat.ac.in/key" = opts;
- "cusat.ac.in/crt" = opts;
- };
- services.nginx = {
+ services.nginx = {
 enable = true;
 recommendedTlsSettings = true;
 recommendedZstdSettings = true;
diff --git a/os/fscusat/pkgs/archvsync/default.nix b/os/fscusat/pkgs/archvsync/default.nix
index bd3560e..7c31b1e 100644
--- a/os/fscusat/pkgs/archvsync/default.nix
+++ b/os/fscusat/pkgs/archvsync/default.nix
@@ -1,4 +1,5 @@
-{ lib,
+{
+ lib,
 stdenvNoCC,
 fetchFromGitLab,
 makeWrapper,
@@ -22,15 +23,29 @@ stdenvNoCC.mkDerivation {
 };
 strictDeps = true;
- nativeBuildInputs = [ makeWrapper pandoc ];
- outputs = [ "out" "man" "doc" ];
+ nativeBuildInputs = [
+ makeWrapper
+ pandoc
+ ];
+ outputs = [
+ "out"
+ "man"
+ "doc"
+ ];
- patches = [ ./Makefile.patch ./common.patch ];
+ patches = [
+ ./Makefile.patch
+ ./common.patch
+ ];
 postInstall = ''
 for s in $out/bin/*; do
- wrapProgram $s --prefix PATH : ${lib.makeBinPath
- [ rsync bash hostname ]
+ wrapProgram $s --prefix PATH : ${
+ lib.makeBinPath [
+ rsync
+ bash
+ hostname
+ ]
 }
 done
 '';
diff --git a/os/fscusat/secrets.yaml b/os/fscusat/secrets.yaml
index bed58ce..174bcaf 100644
--- a/os/fscusat/secrets.yaml
+++ b/os/fscusat/secrets.yaml
@@ -1,11 +1,9 @@
+misc:
+ headscale: ENC[AES256_GCM,data:UGaqg9KE9ew6sxCWHHWnXUDzE7tm59E4dm7x1i6P5p2IcMP3rgkorbJJPwyf2Z6y,iv:5FsWZL5NkJ0WzFXRXkHCgimyPvU0oLi3OVxW7peL4kU=,tag:ChQbo1Ccq9Ql1Oiv8HTxcw==,type:str]
 cusat.ac.in:
 key: ENC[AES256_GCM,data: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,iv:CzxdD55Ct099dzWs97h+8y/fJmicQ47QLh5rKU7nRog=,tag:QtaZVWBS7qBQoADJApoErQ==,type:str]
 crt: ENC[AES256_GCM,data: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,iv:wBY6kIHIDynH4125koMcCGAuxHc/F63Yq3NcMfCqPBU=,tag:zfuizdFXXtdZ2HLJSgHUmw==,type:str]
 sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
 age:
 - recipient: age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv
 enc: |
@@ -25,8 +23,7 @@ sops:
 OHpqelBrU2k5Q0dBL1dzOVhYeXM0QkUKjMu+5qi000GvGgKO9l7UFSytjJHHYfEd
 8Mi4pXbgWzncWE6D3i5E7twGSDQVpeWHngX35z8SSiWRuBrbjJvVdA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-01-15T01:54:13Z"
- mac: ENC[AES256_GCM,data:nxElGqw+YRErhjpJQcG6hHahAizdWIaD1cP/eCKpmsvr7fd8qCJSyQ6nukJ+jugMkdZUsWaoeAX1Vesf2KkcajulvzK0nD+Vq2jXhAZHpil9KIseLPYMxSnSWGNs7B0vsuLLwXN9GB87URYmeJlTS7a74PoH+IfqzAudUH75drw=,iv:qFOShkqvLiLw00R1K85gmhBXx/h7ZNpxM+x63dbNkDs=,tag:hT7btxu3Cc0vXtdZkCRqaw==,type:str]
- pgp: []
+ lastmodified: "2025-11-03T06:10:56Z"
+ mac: ENC[AES256_GCM,data:dHT4DDvJfTg2ydAodes0c0UeDTVuQ3nClaigk2TWXlQUJqr0gbuLOALIqCoXABPcX5tidH33zR+GIZSF8MobCML/otZq+jxB0tBBunPLlFBbGVUdiJQc6liZFP8sowrL1HjidXaJxAbeQ4pfxUMCGvVYfGnWS1sLCLfVLlu0BAA=,iv:4BcbV/0OgFNM2D406B7qjIuSE4nzheE7Aq123FdTUO4=,tag:2rwsx5Nb+0358pANSf948A==,type:str]
 unencrypted_suffix: _unencrypted
- version: 3.8.1
+ version: 3.11.0
diff --git a/os/kay/configuration.nix b/os/kay/configuration.nix
index 5370b45..1bc5f37 100644
--- a/os/kay/configuration.nix
+++ b/os/kay/configuration.nix
@@ -2,26 +2,30 @@
 {
 imports = [
- ../common/configuration.nix
 ../server/configuration.nix
 ./hardware-configuration.nix
- ./modules/network.nix
- ./modules/www.nix
- ./modules/sftp.nix
- ./modules/acme.nix
- ./modules/mail.nix
 ./modules/dns
- ./modules/sshfwd.nix
- ./modules/home-assistant.nix
- ./modules/postgresql.nix
- ./modules/github-runner.nix
- ./modules/nix-cache.nix
- ./modules/immich.nix
+ ./modules/network
 ./modules/observability
- ./modules/alina.nix
+
+ ./modules/internal/www.nix
+ ./modules/internal/acme.nix
+ ./modules/internal/postgresql.nix
+
+ ./modules/services/sftp.nix
+ ./modules/services/mail.nix
+ ./modules/services/home-assistant.nix
+ ./modules/services/github-runner.nix
+ ./modules/services/nix-cache.nix
+ ./modules/services/immich.nix
+ ./modules/services/alina.nix
+ ./modules/services/minio.nix
+ ./modules/services/matrix
+ ./modules/services/cgit.nix
 ];
+ networking.hostName = "kay";
 boot = {
 consoleLogLevel = 3;
 binfmt.emulatedSystems = [ "aarch64-linux" ];
diff --git a/os/kay/modules/acme.nix b/os/kay/modules/acme.nix
deleted file mode 100644
index 86ae165..0000000
--- a/os/kay/modules/acme.nix
+++ /dev/null
@@ -1,40 +0,0 @@
-{ config, pkgs, ... }: let
- email = config.global.userdata.email;
- domain = config.global.userdata.domain;
-
- domain_angelo = "angeloantony.com";
- secret_path_angelo = "misc/angelo_cloudflare_dns_api_token";
-
- environmentFile =
- pkgs.writeText "acme-dns" "RFC2136_NAMESERVER='[2001:470:ee65::1]:53'";
-in {
- sops.secrets.${secret_path_angelo} = {};
-
- security.acme = {
- acceptTerms = true;
- defaults.email = email;
-
- certs = {
- ${domain_angelo} = {
- domain = domain_angelo;
- extraDomainNames = [ "*.${domain_angelo}" ];
-
- dnsProvider = "cloudflare";
- credentialFiles.CLOUDFLARE_DNS_API_TOKEN_FILE = config.sops.secrets.${secret_path_angelo}.path;
-
- group = config.services.nginx.group;
- };
-
- ${domain} = {
- inherit domain;
- extraDomainNames = [ "*.${domain}" ];
-
- dnsProvider = "rfc2136";
- dnsPropagationCheck = false; # local DNS server
-
- inherit environmentFile;
- group = config.services.nginx.group;
- };
- };
- };
-}
diff --git a/os/kay/modules/dns/ddns.nix b/os/kay/modules/dns/ddns.nix
index 4a8fe5d..9e1b6ec 100644
--- a/os/kay/modules/dns/ddns.nix
+++ b/os/kay/modules/dns/ddns.nix
@@ -10,7 +10,7 @@
 ];
 text = ''
- while ! ipv6="$(ip -6 addr show dev "$1" scope global | grep -o '[0-9a-f:]*::1')"; do
+ while ! ipv6="$(ip -6 addr show dev "$1" scope global | grep -o '[0-9a-f:]*::1337')"; do
 sleep 0.2
 done
diff --git a/os/kay/modules/dns/default.nix b/os/kay/modules/dns/default.nix
index 357cddd..6179527 100644
--- a/os/kay/modules/dns/default.nix
+++ b/os/kay/modules/dns/default.nix
@@ -1,5 +1,6 @@
-{ config, pkgs, ... }: let
- listen_addr = [
+{ config, pkgs, ... }:
+let
+ listen_addr = [
 "137.59.84.126"
 "2001:470:ee65::1"
 ];
@@ -16,7 +17,8 @@ IN NS ns1.sinanmohd.com.
 '';
-in {
+in
+{
 imports = [ ./ddns.nix ];
 networking.firewall = {
@@ -39,39 +41,55 @@ in {
 remote = [
 {
 id = "ns1.he.net";
- address = [ "2001:470:100::2" "216.218.130.2" ];
+ address = [
+ "2001:470:100::2"
+ "216.218.130.2"
+ ];
 via = "2001:470:ee65::1";
 }
 {
 id = "m.gtld-servers.net";
- address = [ "2001:501:b1f9::30" "192.55.83.30" ];
+ address = [
+ "2001:501:b1f9::30"
+ "192.55.83.30"
+ ];
 }
 ];
- submission = [{
- id = "gtld-servers.net";
- parent = "m.gtld-servers.net";
- }];
+ submission = [
+ {
+ id = "gtld-servers.net";
+ parent = "m.gtld-servers.net";
+ }
+ ];
- policy = [{
- id = "gtld-servers.net";
- algorithm = "ecdsap384sha384";
- ksk-lifetime = "365d";
- ksk-submission = "gtld-servers.net";
- }];
+ policy = [
+ {
+ id = "gtld-servers.net";
+ algorithm = "ecdsap384sha384";
+ ksk-lifetime = "365d";
+ ksk-submission = "gtld-servers.net";
+ }
+ ];
 # generate TSIG key with keymgr -t name
 acl = [
 {
 id = "ns1.he.net";
 key = "ns1.he.net";
- address = [ "2001:470:600::2" "216.218.133.2" ];
+ address = [
+ "2001:470:600::2"
+ "216.218.133.2"
+ ];
 action = "transfer";
 }
 {
 id = "ddns";
 address = listen_addr;
- update-type = [ "A" "AAAA" ];
+ update-type = [
+ "A"
+ "AAAA"
+ ];
 action = "update";
 }
 {
@@ -82,11 +100,13 @@ in {
 }
 ];
- mod-rrl = [{
- id = "default";
- rate-limit = 200;
- slip = 2;
- }];
+ mod-rrl = [
+ {
+ id = "default";
+ rate-limit = 200;
+ slip = 2;
+ }
+ ];
 template = [
 {
@@ -102,7 +122,10 @@ in {
 dnssec-policy = "gtld-servers.net";
 notify = [ "ns1.he.net" ];
- acl = [ "ns1.he.net" "ddns" ];
+ acl = [
+ "ns1.he.net"
+ "ddns"
+ ];
 zonefile-sync = "-1";
 zonefile-load = "difference";
diff --git a/os/kay/modules/dns/sinanmohd.com.zone b/os/kay/modules/dns/sinanmohd.com.zone
index 64214ad..dcbdf6c 100644
--- a/os/kay/modules/dns/sinanmohd.com.zone
+++ b/os/kay/modules/dns/sinanmohd.com.zone
@@ -2,7 +2,7 @@ $ORIGIN sinanmohd.com.
 $TTL 2d
 @ IN SOA ns1 hostmaster (
- 2025051100 ; serial
+ 2025101400 ; serial
 2h ; refresh
 5m ; retry
 1d ; expire
@@ -37,14 +37,18 @@ mta-sts IN CNAME @
 _mta-sts IN TXT "v=STSv1; id=2024022500"
 _smtp._tls IN TXT "v=TLSRPTv1; rua=mailto:reports@sinanmohd.com"
-www IN CNAME @
-git IN CNAME @
-bin IN CNAME @
-static IN CNAME @
-home IN CNAME @
-nixbin IN CNAME @
-immich IN CNAME @
-sliding IN CNAME @
-grafana IN CNAME @
+www IN CNAME @
+git IN CNAME @
+bin IN CNAME @
+static IN CNAME @
+home IN CNAME @
+nixbin IN CNAME @
+immich IN CNAME @
+sliding IN CNAME @
+grafana IN CNAME @
+stalwart IN CNAME @
+minio IN CNAME @
+s3 IN CNAME @
+headscale IN CNAME @
 _acme-challenge IN NS ns1
diff --git a/os/kay/modules/internal/acme.nix b/os/kay/modules/internal/acme.nix
new file mode 100644
index 0000000..60e40a8
--- /dev/null
+++ b/os/kay/modules/internal/acme.nix
@@ -0,0 +1,24 @@
+{ config, pkgs, ... }:
+let
+ email = config.global.userdata.email;
+ domain = config.global.userdata.domain;
+
+ environmentFile = pkgs.writeText "acme-dns" "RFC2136_NAMESERVER='[2001:470:ee65::1]:53'";
+in
+{
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = email;
+
+ certs.${domain} = {
+ inherit domain;
+ extraDomainNames = [ "*.${domain}" ];
+
+ dnsProvider = "rfc2136";
+ dnsPropagationCheck = false; # local DNS server
+
+ inherit environmentFile;
+ group = config.services.nginx.group;
+ };
+ };
+}
diff --git a/os/kay/modules/internal/postgresql.nix b/os/kay/modules/internal/postgresql.nix
new file mode 100644
index 0000000..6ba5398
--- /dev/null
+++ b/os/kay/modules/internal/postgresql.nix
@@ -0,0 +1,28 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+{
+ services.postgresql = {
+ enable = true;
+ package = with pkgs; postgresql_15;
+ authentication = lib.mkForce ''
+ #type database DBuser origin-address auth-method
+ # unix socket
+ local all all trust
+ # ipv4
+ host all all 127.0.0.1/32 trust
+ # ipv6
+ host all all ::1/128 trust
+ '';
+
+ settings.log_timezone = config.time.timeZone;
+ };
+
+ services.prometheus.exporters.postgres = {
+ enable = true;
+ listenAddress = "127.0.0.1";
+ };
+}
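Review bot: `environmentFile` is produced with `pkgs.writeText`, so its contents sit in the world-readable Nix store (and, given the nixbin vhost added in this same commit, are listable over HTTP); that is harmless for the nameserver address it holds today, but the line deserves a comment before anyone extends it, e.g. `# nameserver only; any RFC2136_TSIG_* value must come from sops, never writeText`. A second short note on why no TSIG key is configured at all (the knot `ddns` ACL in dns/default.nix authorizes updates by source address) would save the next reader the detour.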
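Review bot: `trust` on the two TCP rules (`host all all 127.0.0.1/32 trust`, `host all all ::1/128 trust`) and on the unix socket lets any local process connect as any role, the superuser included, with no credential at all, so a compromise of any one service on this host is a compromise of every database. `local all all peer` plus `scram-sha-256` on the two host lines keeps socket clients working by OS identity and requires a password only for TCP clients; services that connect over TCP would then need a password provisioned, which is worth checking per consumer before switching. Note also that `lib.mkForce` discards whatever entries the NixOS module and other modules contribute, so these three rules are the entire pg_hba.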
diff --git a/os/kay/modules/internal/www.nix b/os/kay/modules/internal/www.nix
new file mode 100644
index 0000000..dd0a1ef
--- /dev/null
+++ b/os/kay/modules/internal/www.nix
@@ -0,0 +1,323 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+
+let
+ domain = config.global.userdata.domain;
+ storage = "/hdd/users/sftp/shr";
+in
+{
+ security.acme.certs.${domain}.postRun = "systemctl reload nginx.service";
+ networking.firewall = {
+ allowedTCPPorts = [
+ 80
+ 443
+ ];
+ allowedUDPPorts = [ 443 ];
+ };
+
+ services.prometheus.exporters = {
+ nginxlog = {
+ enable = true;
+ listenAddress = "127.0.0.1";
+ };
+ nginx = {
+ enable = true;
+ listenAddress = "127.0.0.1";
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ statusPage = true;
+ package = pkgs.nginxQuic;
+ enableQuicBPF = true;
+
+ recommendedTlsSettings = true;
+ # breaks home-assistant proxy for some reason
+ # only the first request goes through, then site hangs
+ # recommendedZstdSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ recommendedBrotliSettings = true;
+ eventsConfig = "worker_connections 1024;";
+ appendHttpConfig = ''
+ quic_retry on;
+ quic_gso on;
+ add_header Alt-Svc 'h3=":443"; ma=2592000; persist=1';
+ '';
+
+ virtualHosts =
+ let
+ defaultOpts = {
+ # reuseport = true;
+ quic = true;
+ http3 = true;
+ forceSSL = true;
+ useACMEHost = domain;
+ };
+ in
+ {
+ "${domain}" = defaultOpts // {
+ default = true;
+ globalRedirect = "www.${domain}";
+
+ extraConfig = ''
+ proxy_buffering off;
+ proxy_request_buffering off;
+ client_max_body_size 0;
+ '';
+
+ locations = {
+ "/.well-known/matrix/server".return = ''
+ 200 '{ "m.server": "${domain}:443" }'
+ '';
+
+ "/.well-known/matrix/client".return = ''
+ 200 '${
+ builtins.toJSON {
+ "m.homeserver".base_url = "https://${domain}";
+ "org.matrix.msc3575.proxy".url = "https://sliding.${domain}";
+ "m.identity_server".base_url = "https://vector.im";
+ }
+ }'
+ '';
+
+ "/.well-known/".proxyPass = "http://127.0.0.1:8085";
+
+ "~ ^(\\/_matrix|\\/_synapse\\/client)".proxyPass =
+ "http://127.0.0.1:${toString config.services.dendrite.httpPort}";
+ };
+ };
+
+ "sliding.${domain}" = defaultOpts // {
+ extraConfig = ''
+ proxy_buffering off;
+ proxy_request_buffering off;
+ client_max_body_size 0;
+ '';
+
+ locations."/" = {
+ proxyWebsockets = true;
+ proxyPass = "http://${config.services.matrix-sliding-sync-dirty.settings.SYNCV3_BINDADDR}";
+ };
+ };
+
+ "headscale.${domain}" = defaultOpts // {
+ locations = {
+ "/" = {
+ proxyWebsockets = true;
+ proxyPass = "http://localhost:${toString config.services.headscale.port}";
+ };
+ "= /".return = "307 https://headscale.${domain}/admin";
+ "/admin".proxyPass = "http://localhost:${toString config.services.headplane.settings.server.port}";
+ };
+ };
+
+ "${config.services.grafana.settings.server.domain}" = defaultOpts // {
+ extraConfig = ''
+ proxy_buffering off;
+ proxy_request_buffering off;
+ client_max_body_size 0;
+ '';
+
+ locations."/" = {
+ proxyWebsockets = true;
+ proxyPass = "http://${config.services.grafana.settings.server.http_addr}:${builtins.toString config.services.grafana.settings.server.http_port}";
+ };
+ };
+
+ "www.${domain}" = defaultOpts // {
+ extraConfig = ''
+ ssl_early_data on;
+ '';
+
+ root = "/var/www/${domain}";
+ };
+
+ "git.${domain}" = defaultOpts // {
+ extraConfig = ''
+ ssl_early_data on;
+ '';
+ };
+
+ "bin.${domain}" = defaultOpts // {
+ extraConfig = ''
+ ssl_early_data on;
+ '';
+ root = "${storage}/bin";
+ locations."= /".return = "307 https://www.${domain}";
+ };
+
+ "static.${domain}" = defaultOpts // {
+ extraConfig = ''
+ ssl_early_data on;
+ '';
+ root = "${storage}/static";
+ locations."= /".return = "301 https://www.${domain}";
+ };
+
+ "home.${domain}" = defaultOpts // {
+ locations."/" = {
+ proxyWebsockets = true;
+ proxyPass = "http://127.0.0.1:${builtins.toString config.services.home-assistant.config.http.server_port}";
+ };
+ };
+
+ "stalwart.${domain}" = defaultOpts // {
+ locations."/" = {
+ proxyWebsockets = true;
+ proxyPass = "http://127.0.0.1:8085";
+ };
+ };
+
+ "s3.${domain}" = defaultOpts // {
+ extraConfig = ''
+ # Allow special characters in headers
+ ignore_invalid_headers off;
+ # Allow any size file to be uploaded.
+ # Set to a value such as 1000m; to restrict file size to a specific value
+ client_max_body_size 0;
+ # Disable buffering
+ proxy_buffering off;
+ proxy_request_buffering off;
+ '';
+ locations."/" = {
+ proxyWebsockets = true;
+ proxyPass = "http://127.0.0.1:9000";
+ extraConfig = ''
+ proxy_connect_timeout 300;
+ chunked_transfer_encoding off;
+ '';
+ };
+ };
+
+ "minio.${domain}" = defaultOpts // {
+ extraConfig = ''
+ # Allow special characters in headers
+ ignore_invalid_headers off;
+ # Allow any size file to be uploaded.
+ # Set to a value such as 1000m; to restrict file size to a specific value
+ client_max_body_size 0;
+ # Disable buffering
+ proxy_buffering off;
+ proxy_request_buffering off;
+ '';
+ locations."/" = {
+ proxyWebsockets = true;
+ proxyPass = "http://127.0.0.1:9003";
+ extraConfig = ''
+ # This is necessary to pass the correct IP to be hashed
+ real_ip_header X-Real-IP;
+ proxy_connect_timeout 300;
+ chunked_transfer_encoding off;
+ '';
+ };
+ };
+
+ "mta-sts.${domain}" = defaultOpts // {
+ extraConfig = ''
+ ssl_early_data on;
+ '';
+ locations."= /.well-known/mta-sts.txt".return = ''200 "${
+ lib.strings.concatStringsSep "\\n" [
+ "version: STSv1"
+ "mode: enforce"
+ "mx: mail.${domain}"
+ "max_age: 86400"
+ ]
+ }"'';
+ };
+
+ "immich.${domain}" = defaultOpts // {
+ locations."/" = {
+ proxyWebsockets = true;
+ proxyPass = "http://${config.services.immich.host}:${builtins.toString config.services.immich.port}";
+ };
+
+ extraConfig = ''
+ proxy_buffering off;
+ proxy_request_buffering off;
+ client_max_body_size 0;
+ '';
+ };
+
+ "nixbin.${domain}" = defaultOpts // {
+ extraConfig = ''
+ proxy_buffering off;
+ proxy_request_buffering off;
+ client_max_body_size 0;
+ '';
+
+ locations = {
+ "= /files".return = "301 https://nixbin.${domain}/files/";
+ "/files/" = {
+ alias = "/nix/store/";
+ extraConfig = "autoindex on;";
+ };
+
+ "= /" = {
+ extraConfig = ''
+ add_header Content-Type text/html;
+ add_header Alt-Svc 'h3=":443"; ma=2592000; persist=1';
+ '';
+ return = ''
+ 200
+ '<!DOCTYPE html>
+ <html lang="en">
+ <head>
+ <meta charset="UTF-8">
+ <title>Nix Cache</title>
+ </head>
+ <body>
+ <center>
+ <h1 style="font-size: 8em">
+ ❄️ Nix Cache
+ </h1>
+ <p style="font-weight: bold">
+ Public Key: nixbin.sinanmohd.com:dXV3KDPVrm+cGJ2M1ZmTeQJqFGaEapqiVoWHgYDh03k=
+ </p>
+ </center>
+ </body>
+ </html>'
+ '';
+ };
+
+ "/".proxyPass =
+ "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
+ };
+ };
+
+ "www.alinafs.com" = defaultOpts // {
+ useACMEHost = null;
+ enableACME = true;
+ globalRedirect = "alinafs.com/home";
+ extraConfig = ''
+ ssl_early_data on;
+ '';
+ };
+ "alinafs.com" = defaultOpts // {
+ useACMEHost = null;
+ enableACME = true;
+
+ locations = {
+ "/metrics".return = "307 /home/";
+ "/" = {
+ proxyWebsockets = true;
+ proxyPass = "http://127.0.0.1:${builtins.toString config.services.alina.port}";
+ };
+ };
+
+ extraConfig = ''
+ proxy_buffering off;
+ proxy_request_buffering off;
+ client_max_body_size 0;
+ '';
+ };
+ };
+ };
+}
diff --git a/os/kay/modules/network.nix b/os/kay/modules/network/default.nix
index 22d132b..281751a 100644
--- a/os/kay/modules/network.nix
+++ b/os/kay/modules/network/default.nix
@@ -1,20 +1,24 @@
-{ config, ... }:
+{ config, pkgs, ... }:
 let
 inetVlan = 1003;
 wanInterface = "enp3s0";
- nameServer = [ "1.0.0.1" "1.1.1.1" ];
+ nameServer = [
+ "1.0.0.1"
+ "1.1.1.1"
+ ];
 in
 {
 imports = [
 ./router.nix
 ./hurricane.nix
+ ./headscale.nix
 ];
 sops.secrets = {
- "ppp/chap-secrets" = {};
- "ppp/pap-secrets" = {};
- "ppp/username" = {};
+ "ppp/chap-secrets" = { };
+ "ppp/pap-secrets" = { };
+ "ppp/username" = { };
 };
 networking = {
@@ -43,7 +47,7 @@ in
 nic-wan
 defaultroute
- ipv6 ::1,
+ ipv6 ::1337,
 noauth
 persist
@@ -52,6 +56,15 @@ in
 lcp-echo-failure 5
 '';
 
+ script."01-ipv6-ra" = {
+ type = "ip-up";
+ runtimeInputs = [ pkgs.procps ];
+
+ text = ''
+ sysctl net.ipv6.conf.ppp0.accept_ra=2
+ '';
+ };
+
 peers.keralavision = {
 enable = true;
 autostart = true;
diff --git a/os/kay/modules/network/headscale.nix b/os/kay/modules/network/headscale.nix
new file mode 100644
index 0000000..39007a4
--- /dev/null
+++ b/os/kay/modules/network/headscale.nix
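Review bot: The new ip-up hook hardcodes `ppp0` even though pppd hands ip-up scripts the interface name as `$1` (the sibling hurricane.nix hook in this same commit already reads its positional arguments, `wan_ip="$4"`), so `sysctl "net.ipv6.conf.$1.accept_ra=2"` keeps the hook correct if the unit number ever changes. The value 2 is not arbitrary: headscale.nix in this commit sets `net.ipv6.conf.all.forwarding = true`, and the kernel stops honouring router advertisements on a forwarding host unless accept_ra is 2, which is invisible from this one-liner; a comment such as `# forwarding is enabled globally (headscale.nix); accept_ra=2 keeps RAs honoured on the WAN link` records that coupling. The `script` attribute set this hunk extends begins outside the hunk.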
@@ -0,0 +1,200 @@ +{ + config, + pkgs, + lib, + headplane, + namescale, + ... +}: +let + url = "https://headscale.${config.global.userdata.domain}"; + stunPort = 3478; + + # A workaround generate a valid Headscale config accepted by Headplane when `config_strict == true`. + settings = lib.recursiveUpdate config.services.headscale.settings { + tls_cert_path = "/dev/null"; + tls_key_path = "/dev/null"; + policy.path = "/dev/null"; + }; + format = pkgs.formats.yaml { }; + headscaleConfig = format.generate "headscale.yml" settings; + + policyFormat = pkgs.formats.json { }; + policy = { + groups = { + "group:owner" = [ "sinan@" ]; + "group:bud" = [ + "sinan@" + "ann@" + ]; + }; + tagOwners = { + "tag:namescale" = [ "group:owner" ]; + "tag:internal" = [ "group:owner" ]; + "tag:bud_clients" = [ "group:bud" ]; + "tag:cusat" = [ "group:owner" ]; + "tag:gaijin" = [ "group:owner" ]; + }; + autoApprovers = { + routes = { + "192.168.43.0/24" = [ + "group:owner" + "tag:internal" + ]; + "192.168.38.0/24" = [ + "group:owner" + "tag:internal" + ]; + }; + exitNode = [ + "group:owner" + "tag:internal" + ]; + }; + acls = [ + { + action = "accept"; + src = [ "*" ]; + dst = [ "tag:namescale:${toString config.services.namescale.settings.port}" ]; + } + { + action = "accept"; + src = [ "headplane@" ]; + dst = [ "*:*" ]; + } + + { + action = "accept"; + src = [ "group:owner" ]; + dst = [ "*:*" ]; + } + { + action = "accept"; + src = [ "nazer@" ]; + dst = [ "autogroup:internet:*" ]; + } + + { + action = "accept"; + src = [ "group:bud" ]; + dst = [ "tag:bud_clients:*" ]; + } + { + action = "accept"; + src = [ "tag:bud_clients" ]; + dst = [ "tag:bud_clients:80,443" ]; + } + ]; + }; +in +{ + imports = [ + headplane.nixosModules.headplane + namescale.nixosModules.namescale + ]; + + nixpkgs.overlays = [ headplane.overlays.default ]; + environment.systemPackages = [ config.services.headscale.package ]; + + sops.secrets = { + # server + "headplane/cookie_secret".owner = 
config.services.headscale.user; + "headplane/preauth_key".owner = config.services.headscale.user; + "headscale/noise_private_key".owner = config.services.headscale.user; + "headscale/derp_private_key".owner = config.services.headscale.user; + # client + "headscale/pre_auth_key" = { }; + }; + + networking = { + nameservers = [ "100.100.100.100" ]; + search = [ config.services.headscale.settings.dns.base_domain ]; + + firewall = { + interfaces.ppp0.allowedUDPPorts = [ stunPort ]; + trustedInterfaces = [ config.services.tailscale.interfaceName ]; + }; + }; + # for exit node only + boot.kernel.sysctl = { + "net.ipv4.ip_forward" = true; + "net.ipv6.conf.all.forwarding" = true; + }; + + services = { + headscale = { + enable = true; + port = 8139; + + settings = { + logtail.enabled = false; + server_url = url; + noise.private_key_path = config.sops.secrets."headscale/noise_private_key".path; + dns = { + base_domain = "tsnet.${config.global.userdata.domain}"; + override_local_dns = false; + nameservers.split."${config.services.headscale.settings.dns.base_domain}" = [ + config.services.namescale.settings.host + ]; + }; + derp = { + server = { + enabled = true; + private_key_path = config.sops.secrets."headscale/derp_private_key".path; + region_code = config.networking.hostName; + region_name = config.networking.hostName; + stun_listen_addr = "0.0.0.0:${toString stunPort}"; + region_id = 6969; + automatically_add_embedded_derp_region = true; + }; + urls = [ ]; + }; + policy = { + mode = "file"; + path = policyFormat.generate "acl.json" policy; + }; + }; + }; + + headplane = { + enable = true; + settings = { + server = { + port = 8140; + cookie_secret_path = config.sops.secrets."headplane/cookie_secret".path; + }; + headscale = { + inherit url; + config_path = "${headscaleConfig}"; + }; + integration.agent = { + enabled = true; + pre_authkey_path = config.sops.secrets."headplane/preauth_key".path; + }; + }; + }; + + tailscale = { + enable = true; + interfaceName = 
"headscale"; + openFirewall = true; + + authKeyFile = config.sops.secrets."headscale/pre_auth_key".path; + extraUpFlags = [ + "--login-server=${url}" + "--advertise-exit-node" + "--advertise-routes=192.168.43.0/24,192.168.38.0/24" + "--advertise-tags=tag:internal,tag:namescale" + ]; + }; + + namescale = { + enable = true; + settings = { + host = "100.64.0.6"; + port = 53; + base_domain = config.services.headscale.settings.dns.base_domain; + }; + }; + }; +} diff --git a/os/kay/modules/hurricane.nix b/os/kay/modules/network/hurricane.nix index 511b213..e815136 100644 --- a/os/kay/modules/hurricane.nix +++ b/os/kay/modules/network/hurricane.nix @@ -1,4 +1,9 @@ -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: let iface = "hurricane"; @@ -10,12 +15,15 @@ let prefix64 = "2001:470:36:72a::/64"; prefix48 = "2001:470:ee65::/48"; - makeAddr = prefix: host: let - split = lib.strings.splitString "/" prefix; - in { - address = "${lib.head split}${host}"; - prefixLength = lib.toInt (lib.last split); - }; + makeAddr = + prefix: host: + let + split = lib.strings.splitString "/" prefix; + in + { + address = "${lib.head split}${host}"; + prefixLength = lib.toInt (lib.last split); + }; in { networking = { @@ -43,17 +51,15 @@ in }; firewall = { - extraCommands = - "iptables -A INPUT --proto 41 --source ${remote} --jump ACCEPT"; - extraStopCommands = - "iptables -D INPUT --proto 41 --source ${remote} --jump ACCEPT"; + extraCommands = "iptables -A INPUT --proto 41 --source ${remote} --jump ACCEPT"; + extraStopCommands = "iptables -D INPUT --proto 41 --source ${remote} --jump ACCEPT"; }; }; sops.secrets = { - "hurricane/username" = {}; - "hurricane/update_key" = {}; - "hurricane/tunnel_id" = {}; + "hurricane/username" = { }; + "hurricane/update_key" = { }; + "hurricane/tunnel_id" = { }; }; systemd.services."network-route-${iface}" = { 
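Review bot: `trustedInterfaces = [ config.services.tailscale.interfaceName ]` bypasses the host firewall for every tailnet peer, so which host ports a peer can reach is decided solely by the Headscale ACL defined earlier in this file; that is consistent with the default-deny policy (only `tag:namescale:53` is open to `*`), but a comment on that line, `# host ports on this interface are gated only by the Headscale ACL above`, would stop a later edit from treating the firewall as a second layer. The `# for exit node only` comment on the forwarding sysctls understates them: router.nix already relies on NAT, which needs IPv4 forwarding, and `net.ipv6.conf.all.forwarding = true` is the reason the ppp0 ip-up hook added in network/default.nix has to set `accept_ra=2`, so the comment should name that dependency. `networking.nameservers = [ "100.100.100.100" ]` makes the router's own name resolution depend on tailscaled being up unless network/default.nix still contributes its `nameServer` list to `networking.nameservers` outside this diff; worth confirming before a reboot that needs to resolve anything before the tailnet is established.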
@@ -64,7 +70,10 @@ in ]; before = [ "network-setup.service" ]; bindsTo = [ "network-addresses-hurricane.service" ]; - after = [ "network-pre.target" "network-addresses-hurricane.service" ]; + after = [ + "network-pre.target" + "network-addresses-hurricane.service" + ]; # restart rather than stop+start this unit to prevent the # network from dying during switch-to-configuration. stopIfChanged = false; @@ -95,9 +104,13 @@ in ''; }; - services.pppd.script."01-${iface}" = { - runtimeInputs = with pkgs; [ curl coreutils iproute2 iputils ]; + runtimeInputs = with pkgs; [ + curl + coreutils + iproute2 + iputils + ]; text = '' wan_ip="$4" username="$(cat ${config.sops.secrets."hurricane/username".path})" diff --git a/os/kay/modules/router.nix b/os/kay/modules/network/router.nix index 2e01789..aeb008c 100644 --- a/os/kay/modules/router.nix +++ b/os/kay/modules/network/router.nix @@ -1,4 +1,5 @@ -{ ... }: let +{ ... }: +let wanInterface = "ppp0"; gponInterface = "enp3s0"; @@ -15,12 +16,8 @@ wapMac = "40:86:cb:d7:40:49"; wapIp = "192.168.43.2"; -in { - imports = [ - ./wireguard.nix - ./iperf3.nix - ]; - +in +{ networking = { bridges.${bridgeInterface}.interfaces = [ lanInterface ]; 
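Review bot: The router.nix hunk `@@ -15,12 +16,8 @@` drops `./iperf3.nix` from `imports` together with `./wireguard.nix`, but only wireguard.nix is deleted by this commit; iperf3.nix is merely renamed to services/iperf3.nix and no hunk in this diff imports the new path. Unless a file outside this diff picks it up, the iperf3 service silently disappears from kay — either import it from the services directory or state in the commit message that it is being retired.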
@@ -30,43 +27,41 @@ in { internalInterfaces = [ bridgeInterface ]; }; interfaces = { - ${bridgeInterface}.ipv4.addresses = [{ + ${bridgeInterface}.ipv4.addresses = [ + { address = host; - prefixLength = prefix; - }]; - ${gponInterface}.ipv4.addresses = [{ + prefixLength = prefix; + } + ]; + ${gponInterface}.ipv4.addresses = [ + { address = gponHost; - prefixLength = gponPrefix; - }]; + prefixLength = gponPrefix; + } + ]; }; firewall = { - allowedUDPPorts = [ 53 67 ]; + allowedUDPPorts = [ + 53 + 67 + ]; allowedTCPPorts = [ 53 ]; extraCommands = '' iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \ -o ${wanInterface} \ -j TCPMSS --clamp-mss-to-pmtu - - iptables -N inetfilter - iptables -A inetfilter -s 192.168.43.124/32 -m mac --mac-source 08:02:3c:d4:d9:f2 -j ACCEPT - iptables -A inetfilter -s 192.168.43.119/32 -m mac --mac-source a8:93:4a:50:c8:b3 -j ACCEPT - iptables -A inetfilter -j DROP - iptables -I FORWARD -i lan -o ppp0 -j inetfilter ''; extraStopCommands = '' iptables -t mangle -D FORWARD -p tcp --tcp-flags SYN,RST SYN \ -o ${wanInterface} \ -j TCPMSS --clamp-mss-to-pmtu - - iptables -w -t filter -F inetfilter - iptables -w -t filter -X inetfilter ''; }; }; services.dnsmasq.settings = { dhcp-range = [ "${leaseRangeStart},${leaseRangeEnd}" ]; - dhcp-host= "${wapMac},${wapIp}"; + dhcp-host = "${wapMac},${wapIp}"; interface = [ bridgeInterface ]; }; diff --git a/os/kay/modules/observability/prometheus.nix b/os/kay/modules/observability/prometheus.nix index d9b6071..9ca73da 100644 --- a/os/kay/modules/observability/prometheus.nix +++ b/os/kay/modules/observability/prometheus.nix 
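Review bot: Deleting the `inetfilter` chain removes the only forwarding allowlist on the LAN-to-WAN path: before this hunk only two IP/MAC pairs could forward from `lan` to `ppp0` and everything else reached `-j DROP`, afterwards every bridge client gets unrestricted WAN access. If that is intended, the commit message should say so, because the Headscale ACL added in this commit governs tailnet peers only and does not replace a bridge-side filter. If it is not intended, keep the chain and write it against `${bridgeInterface}` and `${wanInterface}` rather than the hardcoded `lan`/`ppp0` the removed lines used, so it stays aligned with the rest of this file.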
@@ -4,36 +4,35 @@ enable = true; port = 9001; - scrapeConfigs = [{ - job_name = "kay"; - scrape_interval = "1s"; - static_configs = [ - { - targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ]; - } - { - targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.wireguard.port}" ]; - } - { - targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.dnsmasq.port}" ]; - } - { - targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.nginx.port}" ]; - } - { - targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.nginxlog.port}" ]; - } - { - targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.postgres.port}" ]; - } - { - targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.snmp.port}" ]; - } - { - targets = [ "127.0.0.1:${toString config.services.dendrite.httpPort}" ]; - } - ]; - }]; + scrapeConfigs = [ + { + job_name = "kay"; + scrape_interval = "1s"; + static_configs = [ + { + targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ]; + } + { + targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.dnsmasq.port}" ]; + } + { + targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.nginx.port}" ]; + } + { + targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.nginxlog.port}" ]; + } + { + targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.postgres.port}" ]; + } + { + targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.snmp.port}" ]; + } + { + targets = [ "127.0.0.1:${toString config.services.dendrite.httpPort}" ]; + } + ]; + } + ]; exporters = { node = { diff --git a/os/kay/modules/postgresql.nix b/os/kay/modules/postgresql.nix deleted file mode 100644 index 79d0b12..0000000 --- a/os/kay/modules/postgresql.nix +++ /dev/null 
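Review bot: The scrape target `127.0.0.1:${toString config.services.prometheus.exporters.postgres.port}` survives this hunk, but the only file in this diff that enabled that exporter, postgresql.nix, is deleted in the same commit; unless the exporter is re-enabled somewhere outside this diff, Prometheus keeps scraping a port nothing listens on. The wireguard target was dropped here for exactly that reason, so the postgres one should either follow or the commit should point to where the exporter now lives.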
@@ -1,22 +0,0 @@ -{ config, lib, pkgs, ... }: { - services.postgresql = { - enable = true; - package = with pkgs; postgresql_15; - authentication = lib.mkForce '' - #type database DBuser origin-address auth-method - # unix socket - local all all trust - # ipv4 - host all all 127.0.0.1/32 trust - # ipv6 - host all all ::1/128 trust - ''; - - settings.log_timezone = config.time.timeZone; - }; - - services.prometheus.exporters.postgres = { - enable = true; - listenAddress = "127.0.0.1"; - }; -} diff --git a/os/kay/modules/alina.nix b/os/kay/modules/services/alina.nix index ef6331b..c567953 100644 --- a/os/kay/modules/alina.nix +++ b/os/kay/modules/services/alina.nix @@ -1,14 +1,20 @@ -{ config, pkgs, ... }: let +{ config, alina, ... }: +let domain = "alinafs.com"; -in { - sops.secrets."misc/alina" = {}; +in +{ + imports = [ alina.nixosModules.alina ]; + + sops.secrets."misc/alina" = { }; services.postgresql = { ensureDatabases = [ "alina" ]; - ensureUsers = [{ - name = "alina"; - ensureDBOwnership = true; - }]; + ensureUsers = [ + { + name = "alina"; + ensureDBOwnership = true; + } + ]; }; services.alina = { @@ -17,7 +23,7 @@ in { environmentFile = config.sops.secrets."misc/alina".path; settings.server = { data = "/hdd/alina"; - file_size_limit = 1024 * 1024 * 1024; /* 1GB */ + file_size_limit = 1024 * 1024 * 1024; # 1GB public_url = "https://${domain}"; }; }; diff --git a/os/kay/modules/cgit.nix b/os/kay/modules/services/cgit.nix index 254cc80..254cc80 100644 --- a/os/kay/modules/cgit.nix +++ b/os/kay/modules/services/cgit.nix diff --git a/os/kay/modules/github-runner.nix b/os/kay/modules/services/github-runner.nix index dd4d48d..dd4d48d 100644 --- a/os/kay/modules/github-runner.nix +++ b/os/kay/modules/services/github-runner.nix diff --git a/os/kay/modules/home-assistant.nix b/os/kay/modules/services/home-assistant.nix index 2376997..65807f7 100644 --- a/os/kay/modules/home-assistant.nix +++ b/os/kay/modules/services/home-assistant.nix 
@@ -1,21 +1,26 @@ -{ pkgs, ... }: { +{ pkgs, ... }: +{ services.postgresql = { enable = true; ensureDatabases = [ "hass" ]; - ensureUsers = [{ - name = "hass"; - ensureDBOwnership = true; - }]; + ensureUsers = [ + { + name = "hass"; + ensureDBOwnership = true; + } + ]; }; services.home-assistant = { enable = true; - package = (pkgs.home-assistant.override { - extraPackages = py: with py; [ psycopg2 ]; - }).overrideAttrs (oldAttrs: { - doInstallCheck = false; - }); + package = + (pkgs.home-assistant.override { + extraPackages = py: with py; [ psycopg2 ]; + }).overrideAttrs + (oldAttrs: { + doInstallCheck = false; + }); extraComponents = [ "analytics" @@ -29,7 +34,7 @@ ]; config = { - default_config = {}; + default_config = { }; recorder.db_url = "postgresql://@/hass"; http = { diff --git a/os/kay/modules/immich.nix b/os/kay/modules/services/immich.nix index 5e5eaf4..5e5eaf4 100644 --- a/os/kay/modules/immich.nix +++ b/os/kay/modules/services/immich.nix diff --git a/os/kay/modules/iperf3.nix b/os/kay/modules/services/iperf3.nix index 2c8afef..2c8afef 100644 --- a/os/kay/modules/iperf3.nix +++ b/os/kay/modules/services/iperf3.nix diff --git a/os/kay/modules/mail.nix b/os/kay/modules/services/mail.nix index a418a86..685461f 100644 --- a/os/kay/modules/mail.nix +++ b/os/kay/modules/services/mail.nix @@ -1,4 +1,5 @@ -{ config, pkgs, ... }: let +{ config, pkgs, ... }: +let ipv6 = "2001:470:ee65::1337"; domain = config.global.userdata.domain; username = config.global.userdata.name; @@ -15,12 +16,13 @@ ]; credentials_directory = "/run/credentials/stalwart-mail.service"; -in { +in +{ security.acme.certs.${domain}.postRun = "systemctl restart stalwart-mail.service"; sops.secrets = { - "mail.${domain}/dkim_rsa" = {}; - "mail.${domain}/dkim_ed25519" = {}; - "mail.${domain}/password" = {}; + "mail.${domain}/dkim_rsa" = { }; + "mail.${domain}/dkim_ed25519" = { }; + "mail.${domain}/password" = { }; }; systemd.services.stalwart-mail.serviceConfig.LoadCredential = [ 
@@ -35,61 +37,54 @@ in { services.postgresql = { ensureDatabases = [ "stalwart" ]; - ensureUsers = [{ - name = "stalwart"; - ensureDBOwnership = true; - }]; + ensureUsers = [ + { + name = "stalwart"; + ensureDBOwnership = true; + } + ]; }; services.stalwart-mail = { enable = true; openFirewall = true; - # foundation db is too big to build on a 32GB ram machine, good job - # trillion dollar company, proud of you - package = pkgs.stalwart-mail.overrideAttrs { - buildNoDefaultFeatures = true; - buildFeatures = [ "postgres" ]; - buildInputs = with pkgs; [ - bzip2 - openssl - zstd - ]; - # some tests fails with -lfdb_c: No such file, just disable this for row - # probably because of not including foundationdb, upstream has this - # enabled so it's not the end of the world - doCheck = false; - }; - settings = { queue.outbound = { ip-strategy = "ipv6_then_ipv4"; source-ip.v6 = "['${ipv6}']"; tls.starttls = "optional"; }; - - server.listener = { - smtp = { - bind = [ "[${ipv6}]:25" "0.0.0.0:25" ]; - protocol = "smtp"; - }; - submission = { - bind = "[::]:587"; - protocol = "smtp"; - }; - submissions = { - bind = "[::]:465"; - protocol = "smtp"; - tls.implicit = true; - }; - imaptls = { - bind = "[::]:993"; - protocol = "imap"; - tls.implicit = true; - }; - http = { - bind = "[::]:8085"; - protocol = "http"; + http.url = "'https://stalwart.${domain}'"; + + server = { + hostname = "mail.${domain}"; + listener = { + smtp = { + bind = [ + "[${ipv6}]:25" + "0.0.0.0:25" + ]; + protocol = "smtp"; + }; + submission = { + bind = "[::]:587"; + protocol = "smtp"; + }; + submissions = { + bind = "[::]:465"; + protocol = "smtp"; + tls.implicit = true; + }; + imaptls = { + bind = "[::]:993"; + protocol = "imap"; + tls.implicit = true; + }; + http = { + bind = "[::]:8085"; + protocol = "http"; + }; }; }; 
@@ -98,7 +93,13 @@ in { private-key = "%{file:${credentials_directory}/dkim_rsa}%"; inherit domain; selector = "rsa"; - headers = ["From" "To" "Date" "Subject" "Message-ID"]; + headers = [ + "From" + "To" + "Date" + "Subject" + "Message-ID" + ]; algorithm = "rsa-sha-256"; canonicalization = "simple/simple"; @@ -110,7 +111,13 @@ in { private-key = "%{file:${credentials_directory}/dkim_ed25519}%"; inherit domain; selector = "ed25519"; - headers = ["From" "To" "Date" "Subject" "Message-ID"]; + headers = [ + "From" + "To" + "Date" + "Subject" + "Message-ID" + ]; algorithm = "ed25519-sha256"; canonicalization = "simple/simple"; @@ -148,13 +155,14 @@ in { principals = [ { class = "admin"; - name = username; + name = "${username}@${domain}"; secret = "%{file:${credentials_directory}/password}%"; inherit email; } - { # for mta-sts & dmarc reports + { + # for mta-sts & dmarc reports class = "individual"; - name = "reports"; + name = "reports@${domain}"; secret = "%{file:${credentials_directory}/password}%"; email = [ "reports@${domain}" ]; } diff --git a/os/kay/modules/matrix/default.nix b/os/kay/modules/services/matrix/default.nix index f81d0d9..1b9564d 100644 --- a/os/kay/modules/matrix/default.nix +++ b/os/kay/modules/services/matrix/default.nix @@ -1,12 +1,14 @@ -{ config, ... }: let +{ config, ... }: +let domain = config.global.userdata.domain; -in { +in +{ imports = [ ./dendrite.nix ./matrix-sliding-sync.nix ]; - sops.secrets."matrix-${domain}/sliding_sync" = {}; + sops.secrets."matrix-${domain}/sliding_sync" = { }; services.matrix-sliding-sync-dirty = { enable = true; diff --git a/os/kay/modules/matrix/dendrite.nix b/os/kay/modules/services/matrix/dendrite.nix index 3f4a879..e66c5a5 100644 --- a/os/kay/modules/matrix/dendrite.nix +++ b/os/kay/modules/services/matrix/dendrite.nix 
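Review bot: In the mail.nix hunk `@@ -148,13 +155,14 @@` both principals still read `%{file:${credentials_directory}/password}%`, so the `reports@${domain}` mailbox that receives external MTA-STS and DMARC reports shares the admin password. The hunk already renames both accounts, which is the natural moment to give the reports principal its own secret, e.g. a `mail.${domain}/reports_password` sops entry exposed through the existing `LoadCredential` list and referenced as `%{file:${credentials_directory}/reports_password}%`. The `principals` list this hunk edits starts outside the hunk.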
@@ -10,16 +10,18 @@ let }; in { - sops.secrets."matrix-${domain}/key" = {}; + sops.secrets."matrix-${domain}/key" = { }; systemd.services.dendrite.after = [ "postgresql.service" ]; services = { postgresql = { ensureDatabases = [ "dendrite" ]; - ensureUsers = [{ - name = "dendrite"; - ensureDBOwnership = true; - }]; + ensureUsers = [ + { + name = "dendrite"; + ensureDBOwnership = true; + } + ]; }; dendrite = { @@ -43,10 +45,12 @@ in ]; inherit database; }; - logging = [{ - type = "std"; - level = "warn"; - }]; + logging = [ + { + type = "std"; + level = "warn"; + } + ]; mscs = { inherit database; mscs = [ "msc2836" ]; @@ -63,19 +67,21 @@ in federation_api = { inherit database; send_max_retries = 8; - key_perspectives = [{ - server_name = "matrix.org"; - keys = [ - { - key_id = "ed25519:auto"; - public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"; - } - { - key_id = "ed25519:a_RXGa"; - public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ"; - } - ]; - }]; + key_perspectives = [ + { + server_name = "matrix.org"; + keys = [ + { + key_id = "ed25519:auto"; + public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"; + } + { + key_id = "ed25519:a_RXGa"; + public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ"; + } + ]; + } + ]; }; app_service_api = { diff --git a/os/kay/modules/matrix/matrix-sliding-sync.nix b/os/kay/modules/services/matrix/matrix-sliding-sync.nix index f4c1426..253ec4d 100644 --- a/os/kay/modules/matrix/matrix-sliding-sync.nix +++ b/os/kay/modules/services/matrix/matrix-sliding-sync.nix 
@@ -1,12 +1,20 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: let cfg = config.services.matrix-sliding-sync-dirty; - matrix-sliding-sync = pkgs.callPackage ../../pkgs/matrix-sliding-sync.nix {}; + matrix-sliding-sync = pkgs.callPackage ../../../pkgs/matrix-sliding-sync.nix { }; in { imports = [ - (lib.mkRenamedOptionModule [ "services" "matrix-synapse" "sliding-sync" ] [ "services" "matrix-sliding-sync" ]) + (lib.mkRenamedOptionModule + [ "services" "matrix-synapse" "sliding-sync" ] + [ "services" "matrix-sliding-sync" ] + ) ]; options.services.matrix-sliding-sync-dirty = { @@ -40,7 +48,14 @@ in }; SYNCV3_LOG_LEVEL = lib.mkOption { - type = lib.types.enum [ "trace" "debug" "info" "warn" "error" "fatal" ]; + type = lib.types.enum [ + "trace" + "debug" + "info" + "warn" + "error" + "fatal" + ]; default = "info"; description = "The level of verbosity for messages logged."; }; @@ -77,10 +92,12 @@ in services.postgresql = lib.optionalAttrs cfg.createDatabase { enable = true; ensureDatabases = [ "matrix-sliding-sync" ]; - ensureUsers = [ { - name = "matrix-sliding-sync"; - ensureDBOwnership = true; - } ]; + ensureUsers = [ + { + name = "matrix-sliding-sync"; + ensureDBOwnership = true; + } + ]; }; systemd.services.matrix-sliding-sync = rec { diff --git a/os/kay/modules/services/minio.nix b/os/kay/modules/services/minio.nix new file mode 100644 index 0000000..d440e50 --- /dev/null +++ b/os/kay/modules/services/minio.nix 
@@ -0,0 +1,36 @@ +{ + config, + lib, + pkgs, + ... +}: +let + email = config.global.userdata.email; +in +{ + sops.secrets."misc/default_password" = { }; + systemd.services.minio.serviceConfig.LoadCredential = [ + "password:${config.sops.secrets."misc/default_password".path}" + ]; + + services.minio = { + enable = true; + consoleAddress = ":9003"; + + package = pkgs.stdenv.mkDerivation { + name = "minio-with-secrets"; + dontUnpack = true; + buildInputs = with pkgs; [ + makeWrapper + minio + ]; + installPhase = '' + mkdir -p $out/bin + makeWrapper ${lib.getExe pkgs.minio} $out/bin/minio \ + --run 'echo "Seting Minio Secrets"' \ + --set MINIO_ROOT_USER ${email} \ + --run 'export MINIO_ROOT_PASSWORD="$(cat "$CREDENTIALS_DIRECTORY"/password)"' + ''; + }; + }; +} diff --git a/os/kay/modules/nix-cache.nix b/os/kay/modules/services/nix-cache.nix index 9c81b56..9c81b56 100644 --- a/os/kay/modules/nix-cache.nix +++ b/os/kay/modules/services/nix-cache.nix diff --git a/os/kay/modules/sftp.nix b/os/kay/modules/services/sftp.nix index 45ed151..f75abc4 100644 --- a/os/kay/modules/sftp.nix +++ b/os/kay/modules/services/sftp.nix @@ -7,7 +7,7 @@ let in { users = { - groups."sftp".members = []; + groups."sftp".members = [ ]; users."sftp" = { group = "sftp"; @@ -20,7 +20,8 @@ in # samsung files only support PEM, hence RSA key # https://r1.community.samsung.com/t5/galaxy-s/unable-to-remotely-connect-to-sftp-server-through-my-files/m-p/16347552/highlight/true#M105871 "ssh-rsa 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 sftp@paq" - ] ++ pubKeys; + ] + ++ pubKeys; }; users."nazer" = { @@ -42,7 +43,7 @@ in }; # sandboxing - extraConfig = '' + extraConfig = '' Match Group sftp # chroot dir should be owned by root # and sub dirs by %u diff --git a/os/kay/modules/sshfwd.nix b/os/kay/modules/sshfwd.nix deleted file mode 100644 index d70b893..0000000 --- a/os/kay/modules/sshfwd.nix +++ /dev/null 
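Review bot: In minio.nix the root credentials are injected by wrapping the package with `makeWrapper`, which puts `makeWrapper` and `minio` in `buildInputs` (they belong in `nativeBuildInputs`, and `minio` is not needed there at all because the wrapper references `lib.getExe pkgs.minio` directly) and bakes `MINIO_ROOT_USER` into a world-readable store path. The NixOS minio module already provides `services.minio.rootCredentialsFile` for this case: pointing it at a file outside the store that holds `MINIO_ROOT_USER=...` and `MINIO_ROOT_PASSWORD=...` removes the custom derivation, and the `echo "Seting Minio Secrets"` typo with it. The secret name `misc/default_password` suggests a password shared across services; if it is, MinIO's root account deserves a dedicated one.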
@@ -1,29 +0,0 @@ -{ ... }: let - group = "sshfwd"; -in { - networking.firewall.allowedTCPPorts = [ 2222 ]; - - users = { - groups.${group}.members = []; - - users."lia" = { - inherit group; - isSystemUser = true; - - openssh.authorizedKeys.keys - = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAe7fJlh9L+9JSq0+hK7jNZjszmZqNXwzqcZ+zx0yJyU lia" ]; - }; - }; - - services.openssh.extraConfig = '' - Match Group ${group} - ForceCommand echo 'this account is only usable for remote forwarding' - PermitTunnel no - AllowAgentForwarding no - X11Forwarding no - - AllowTcpForwarding remote - GatewayPorts clientspecified - PermitListen *:2222 - ''; -} diff --git a/os/kay/modules/wireguard.nix b/os/kay/modules/wireguard.nix deleted file mode 100644 index 21cec06..0000000 --- a/os/kay/modules/wireguard.nix +++ /dev/null 
@@ -1,72 +0,0 @@ -{ config, pkgs, lib, ... }: let - wgInterface = "wg"; - wanInterface = "ppp0"; - subnet = "10.0.1.0"; - prefix = 24; - port = 51820; - - wgConf = pkgs.writeText "wg.conf" '' - [interface] - Address = 10.0.1.1/24 - MTU = 1412 - ListenPort = 51820 - PostUp = ${lib.getExe (pkgs.writeShellApplication { - name = "wg_set_key"; - runtimeInputs = with pkgs; [ wireguard-tools ]; - text = '' - wg set ${wgInterface} private-key <(cat ${config.sops.secrets."misc/wireguard".path}) - ''; - })} - - [Peer] - # friendly_name = cez - PublicKey = IcMpAs/D0u8O/AcDBPC7pFUYSeFQXQpTqHpGOeVpjS8= - AllowedIPs = 10.0.1.2/32 - - [Peer] - # friendly_name = exy - PublicKey = bJ9aqGYD2Jh4MtWIL7q3XxVHFuUdwGJwO8p7H3nNPj8= - AllowedIPs = 10.0.1.3/32 - - [Peer] - # friendly_name = dad - PublicKey = q70IyOS2IpubIRWqo5sL3SeEjtUy2V/PT8yqVExiHTQ= - AllowedIPs = 10.0.1.4/32 - - [Peer] - # friendly_name = pradeep - PublicKey = BAOdbgUd53ZmQWkZP3N+zAsxdBpqv6icEwmmjRFEmxI= - AllowedIPs = 10.0.1.5/32 - - [Peer] - # friendly_name = angelo - PublicKey = U6+PzFuM6lKVx0TnDWuWJMsP6Tj8o1a9zjRcD7gV53o= - AllowedIPs = 10.0.1.6/32 - ''; -in { - sops.secrets."misc/wireguard" = {}; - - networking = { - nat = { - enable = true; - externalInterface = wanInterface; - internalInterfaces = [ wgInterface ]; - }; - - firewall.allowedUDPPorts = [ port ]; - wg-quick.interfaces.${wgInterface}.configFile = builtins.toString wgConf; - }; - - services.dnsmasq.settings = { - no-dhcp-interface = wgInterface; - interface = [ wgInterface ]; - }; - - services.prometheus.exporters.wireguard = { - enable = true; - withRemoteIp = true; - wireguardConfig = builtins.toString wgConf; - singleSubnetPerField = true; - listenAddress = "127.0.0.1"; - }; -} diff --git a/os/kay/modules/www.nix b/os/kay/modules/www.nix deleted file mode 100644 index 39e5b4b..0000000 --- a/os/kay/modules/www.nix +++ /dev/null 
@@ -1,256 +0,0 @@ -{ config, pkgs, lib, ... }: - -let - domain = config.global.userdata.domain; - - domain_angelo = "angeloantony.com"; - ip_angelo = "10.0.1.6"; - - storage = "/hdd/users/sftp/shr"; -in -{ - imports = [ - ./matrix - ./cgit.nix - ]; - - security.acme.certs.${domain}.postRun = "systemctl reload nginx.service"; - networking.firewall = { - allowedTCPPorts = [ 80 443 ]; - allowedUDPPorts = [ 443 ]; - }; - - services.prometheus.exporters = { - nginxlog = { - enable = true; - listenAddress = "127.0.0.1"; - }; - nginx = { - enable = true; - listenAddress = "127.0.0.1"; - }; - }; - - services.nginx = { - enable = true; - statusPage = true; - package = pkgs.nginxQuic; - enableQuicBPF = true; - - recommendedTlsSettings = true; - # breaks home-assistant proxy for some reason - # only the first request goes through, then site hangs - # recommendedZstdSettings = true; - recommendedOptimisation = true; - recommendedGzipSettings = true; - recommendedProxySettings = true; - recommendedBrotliSettings = true; - eventsConfig = "worker_connections 1024;"; - - virtualHosts = let - defaultOpts = { - quic = true; - http3 = true; - forceSSL = true; - useACMEHost = domain; - }; - in { - "${domain}" = defaultOpts // { - default = true; - globalRedirect = "www.${domain}"; - - extraConfig = '' - proxy_buffering off; - proxy_request_buffering off; - client_max_body_size 0; - ''; - - locations = { - "/.well-known/matrix/server".return = '' - 200 '{ "m.server": "${domain}:443" }' - ''; - - "/.well-known/matrix/client".return = '' - 200 '${builtins.toJSON { - "m.homeserver".base_url = "https://${domain}"; - "org.matrix.msc3575.proxy".url = "https://sliding.${domain}"; - "m.identity_server".base_url = "https://vector.im"; - }}' - ''; - - "~ ^(\\/_matrix|\\/_synapse\\/client)".proxyPass = "http://127.0.0.1:${toString - config.services.dendrite.httpPort - }"; - }; - }; - - "sliding.${domain}" = defaultOpts // { - extraConfig = '' - proxy_buffering off; - proxy_request_buffering off; 
- client_max_body_size 0; - ''; - - locations."/" = { - proxyWebsockets = true; - proxyPass = - "http://${config.services.matrix-sliding-sync-dirty.settings.SYNCV3_BINDADDR}"; - }; - }; - - ".${domain_angelo}" = defaultOpts // { - useACMEHost = domain_angelo; - - extraConfig = '' - proxy_buffering off; - proxy_request_buffering off; - client_max_body_size 0; - ''; - - locations."/" = { - proxyWebsockets = true; - proxyPass = - "http://${ip_angelo}"; - }; - }; - - "${config.services.grafana.settings.server.domain}" = defaultOpts // { - extraConfig = '' - proxy_buffering off; - proxy_request_buffering off; - client_max_body_size 0; - ''; - - locations."/" = { - proxyWebsockets = true; - proxyPass = - "http://${config.services.grafana.settings.server.http_addr}:${builtins.toString config.services.grafana.settings.server.http_port}"; - }; - }; - - "www.${domain}" = defaultOpts // { - root = "/var/www/${domain}"; - }; - - "git.${domain}" = defaultOpts; - - "bin.${domain}" = defaultOpts // { - root = "${storage}/bin"; - locations."= /".return = "307 https://www.${domain}"; - }; - - "static.${domain}" = defaultOpts // { - root = "${storage}/static"; - locations."= /".return = "301 https://www.${domain}"; - }; - - "home.${domain}" = defaultOpts // { - locations."/" = { - proxyWebsockets = true; - proxyPass = "http://127.0.0.1:${ - builtins.toString config.services.home-assistant.config.http.server_port - }"; - }; - }; - - "mail.${domain}" = defaultOpts // { - locations."/" = { - proxyWebsockets = true; - proxyPass = "http://127.0.0.1:8085"; - }; - }; - - "mta-sts.${domain}" = defaultOpts // { - locations."= /.well-known/mta-sts.txt".return = ''200 "${ - lib.strings.concatStringsSep "\\n" [ - "version: STSv1" - "mode: enforce" - "mx: mail.${domain}" - "max_age: 86400" - ] - }"''; - }; - - "immich.${domain}" = defaultOpts // { - locations."/" = { - proxyWebsockets = true; - proxyPass = "http://${config.services.immich.host}:${builtins.toString config.services.immich.port}"; 
- }; - - extraConfig = '' - proxy_buffering off; - proxy_request_buffering off; - client_max_body_size 0; - ''; - }; - - "nixbin.${domain}" = defaultOpts // { - extraConfig = '' - proxy_buffering off; - proxy_request_buffering off; - client_max_body_size 0; - ''; - - locations = { - "= /files".return = "301 https://nixbin.${domain}/files/"; - "/files/" = { - alias = "/nix/store/"; - extraConfig = "autoindex on;"; - }; - - "= /" = { - extraConfig = "add_header Content-Type text/html;"; - return = ''200 - '<!DOCTYPE html> - <html lang="en"> - <head> - <meta charset="UTF-8"> - <title>Nix Cache</title> - </head> - <body> - <center> - <h1 style="font-size: 8em"> - ❄️ Nix Cache - </h1> - <p style="font-weight: bold"> - Public Key: nixbin.sinanmohd.com:dXV3KDPVrm+cGJ2M1ZmTeQJqFGaEapqiVoWHgYDh03k= - </p> - </center> - </body> - </html>' - ''; - }; - - "/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${ - toString config.services.nix-serve.port - }"; - }; - }; - - - "www.alinafs.com" = defaultOpts // { - useACMEHost = null; - enableACME = true; - globalRedirect = "alinafs.com/home"; - }; - "alinafs.com" = defaultOpts // { - useACMEHost = null; - enableACME = true; - - locations = { - "/metrics".return = "307 /home/"; - "/" = { - proxyWebsockets = true; - proxyPass = "http://127.0.0.1:${builtins.toString config.services.alina.port}"; - }; - }; - - extraConfig = '' - proxy_buffering off; - proxy_request_buffering off; - client_max_body_size 0; - ''; - }; - }; - }; -} diff --git a/os/kay/pkgs/matrix-sliding-sync.nix b/os/kay/pkgs/matrix-sliding-sync.nix index 17051dc..2095817 100644 --- a/os/kay/pkgs/matrix-sliding-sync.nix +++ b/os/kay/pkgs/matrix-sliding-sync.nix @@ -1,6 +1,7 @@ -{ lib -, buildGoModule -, fetchFromGitHub +{ + lib, + buildGoModule, + fetchFromGitHub, }: buildGoModule rec { diff --git a/os/kay/secrets.yaml b/os/kay/secrets.yaml index 5a98d3f..5f8c16d 100644 --- a/os/kay/secrets.yaml +++ b/os/kay/secrets.yaml 
@@ -1,49 +1,54 @@ ppp: - chap-secrets: ENC[AES256_GCM,data:XCOWJZr+4jzkCpx8ynr/86H7pkxQ0flnjjlMhyY=,iv:bVIMPO4KIPuJcsIT5L8mZ2aOgRGS8NBz8pxsr3RRQ7k=,tag:9mHPwlOAaxm5m039T6vP5w==,type:str] - pap-secrets: ENC[AES256_GCM,data:aeaRboKJwcuy60nlY+iW6zKp3Rm9V8WMTnzxFnk=,iv:ph5TLDeMMz+gvn+QWHCl5jvRWcLOKPM+oEpjfHPWJ4w=,tag:ukYsCONCblQvd5hRSgKUGg==,type:str] - username: ENC[AES256_GCM,data:+L9MTQDplyGuMoSMGsSwugEj,iv:Q+2UpahPeYGPix37YsaqORQeVrAm02b7lRk9h0b+vsE=,tag:cePjMJii1YDyL0Jnu5Mp3Q==,type:str] + chap-secrets: ENC[AES256_GCM,data:8R4HavqfzeIE8xD21iYOVI/v1/qxzsV5iEUUrEc=,iv:RqO5/wIFSunFSZofR3xzEENaNPpHSSs4QLuaa8sGWmI=,tag:B2igY5LEeFljNSXEBfCvxw==,type:str] + pap-secrets: ENC[AES256_GCM,data:WVi49mRbcO3XAjwizLU4wPQBSsoLwRhYB4ZIvYg=,iv:Lk1lnP7OCn7tnANpNGvHNZvgOYOo3p1oIWqakm6TEhQ=,tag:NOWjP2Ewh1Rrk6ktyAFvkQ==,type:str] + username: ENC[AES256_GCM,data:utWgkfQf7MxMT3pcF+YEl958,iv:sJkOryoINni7jXFc9UADhmECNobJzIBHdzNt36Kz2S4=,tag:nM4rsGEzLN22wXLPoS6MLw==,type:str] hurricane: - username: ENC[AES256_GCM,data:pe3igN9AIbc1,iv:stBkppjkDC9nvV/fHaEtfs6KskoiqqEKxCp/KC+Xxeo=,tag:pH5CJXOOp/is7dQmt6wlog==,type:str] - update_key: ENC[AES256_GCM,data:wwd+QWTgKEqstY5d2eWBnWJYq2EisTTaa/Ow4WwBNkyh5FYP+7PEyg==,iv:b93JvsfWppqlJtZxGAa3xbXgLEFs0A5Seq5pNjTnRW4=,tag:+W1t1M+Mm4LopVbcI1x+eg==,type:str] - tunnel_id: ENC[AES256_GCM,data:WUDOxjmA,iv:W8k0pyrAQz+UWtm76uvmzodJ2lZG4ioxrVMWjX1kIVM=,tag:2Q25MXzlptg/rc0HQ1k6rg==,type:str] -dns: ENC[AES256_GCM,data:Pa6Oo7UFDqo5ZN+eyz9MKy0p4KU1ePTpWQ+R8PuSFO9JjFt/I86ru/qSKyymIzhJcjj5hXMT2LPjk4MH8BWaO39ACsPDSD09xA6e1GO0rvsvtB9cffuz/GnfveyHmev+7xzdriD4IHqINPE=,iv:zuSfHnmxrjFCX3DJSRxLDs/3IVBRnkn3crar1pCW1EU=,tag:rZ0TlMMsOCF3Shunx8PnfA==,type:str] + username: ENC[AES256_GCM,data:UZwRFDruD/G1,iv:/Gh+Uuiofrf0aaaxe/Ptaan+/e4cSRx5RPyUVwQ0l3k=,tag:y8mNGEv0jPqr7mDK5tWSxA==,type:str] + update_key: ENC[AES256_GCM,data:Xye/AoRGmUwPF19u65Cczzge/lCcN0HRy/CZ+9sdGf8t6HyOs9z2aA==,iv:TIlO8eczq2IL5YE74IDpShJZRZVBUre0G2DH15Iysd0=,tag:R21oIdaUI3gEWTmCqh7GkQ==,type:str] + tunnel_id: 
ENC[AES256_GCM,data:JFZ82DpC,iv:YNV95axDNqMlaIkWdfW0y2SPJ55Y+8ACQYMcKM/7mx0=,tag:3+Y9u/LyjzTlD8TgdZPZlw==,type:str] +dns: ENC[AES256_GCM,data:aVDqgz8T9etAKMzhgKMfd5pWaBWIJy3S8VNQBw6YSctG0wpoXMVKsJdAFXjsS6p3gpy8OJowbaHl23vOwuZ4zrdTvbXK600ES4UMybZEIRgguehdSY1mqwX4wqaOC9K8IA2Muod/zwoQeEY=,iv:59eimtKcjHZBG7hSS7aX8/bqwQ0rM9PVWz+rXogRmIg=,tag:faZ+TcdmIv4b0YOyCTTZpQ==,type:str] matrix-sinanmohd.com: - key: ENC[AES256_GCM,data:xsSYua3g+ySUVBtfVZ2uZR4761MC5LeJGxmcgf+dWb5+tBSmgzAQL9FFcl7GLzhTmvlq13lARUr599wShS/C9IyMVGOOT9A8hxLFF9Kak64hmM7ERGrwbmzBY1mdTtvibJqzHaeybUVIMbDagczF54zpjDGLmdC5V84wduPFCndSA5FW+4Hhqw==,iv:KJtqrGNPgMDR6Sg/fOUzVAiwnPZwve9wpVfDQPc4g/c=,tag:E2jlbt5WbRA9wu16Lr69Bg==,type:str] - sliding_sync: ENC[AES256_GCM,data:ubFeb/OgYYHaIHVky6KS3icORbpqf7PO3p8bONA8mwG8vU1LB0TDqVm6vQTa8G9pe96JzJ8+IAgSZafG9PaEJc/Bpj53aWRFO3HEV0Pj,iv:P8VD8utVEwNoeQEZUdS2R9GuDe20nKiXYCfKJl0Id3E=,tag:VksV/4IaKN0C2g/alw6r4Q==,type:str] + key: ENC[AES256_GCM,data:J7tgiSiyNpHS3qegQ+KRzSnMuMY5n7EN78H9mwGYkwyfjwAmXztVsIJg1D0o1aLCggMIGgGGcaLUF/I74QKurfhN6cXZJVduuX07BaEFB861hrzLSHN33XN7+IKj+Cbi2IqB8Usso2d7F6MMD8FlMv0mjYHJgDWhjXS6Gzri/WiuOg48iWBCpg==,iv:ODSu+KFgdkyvD+KBp3qEVA/uEvokv+GH8mdzlD8qpMM=,tag:tJViIen01NRjTjR2Fxlmpg==,type:str] + sliding_sync: ENC[AES256_GCM,data:dvfJqmE5/ShH+UcCTcSRCp4P7hUmf2rtQ/yfsF2y5FKbvmNrtCNkHXPbE+qIIbYp6qqaEIUkgF+uwE2TYoLuc/FWcSrTv3p8ENddujsa,iv:M4sxp4Z0CXiJWkVl7pfcKrjapYlz4ohmi2axXZzxei8=,tag:c7j6gFd8nVb/qdEqaFo5tg==,type:str] mail.sinanmohd.com: - dkim_rsa: 
ENC[AES256_GCM,data:lwdVm4BIUHTipsHAQuJ7rI2TJnWXv6OzBP6komprUCqVjYz7PKlwltqxNvYRnjmOoFg+G4TrHaBCwVtlqlprkr7o7xeQ1omd9xbaYdWmNHhRNvxejGYF9oldK+zVPj9za/PSk2eXkL9b3ByIxyWQKkO9+UXQjs+C33heY+6MIJRvg/+8FX8RnFgjIMIBwvakBAVQSzveJPDB0TL/CF4avijQD1C6ayjqqarhkDu2kQhGO+95DYR9VWL2k3c8YdsQnbah3u7qBHGJpGfbh+r6ZtK4tdvCxg9b/nJo2QfPovsZy8NRIbEe6xiGQL/1Wt+GD/+08b/yq2Q6ao5Dmlqq12Y2KHPJp/EneqOgPKq3qMQOay1mPTnTzV/HP5irOS/gMg3+7ewCX7EuGOCCf4xFmEctbiePvkBbo0J00raUPrbC/tPWZpWSeTo/11jstRmFW593FnaBBcwlvqAm83QNulpWktQZXwM6inabh9XdTcnFga9lRh9XFfkW93wtzsbUNAhrKpSpuhf6fHBm0wZQdUW8K1AGdTVluiSCdrUvSollf8RZQ60zedlq8H3rZnFUnlyaBaguSu4eTSLoA4sXst0xMD5PuWgtiNrKnOdAnbnyEznwxqaJQvOLZN35nfjUIosFqjAZAxSL8FvMPAMikbGvqvnKPI6uI/sC5JymulcpXdSYikco0xvxiszM8E9SHDjHOCEp5mnMv70dk3t/fwwJ8RvQpsef7h5KGFGNEFeWP47s30uJdEXUxNl9pmT5M3C8r8IpThEF2gzpg5IY6/IOnJvaLadsMBpkXp5qlrNBgPJNfwSGoM2tt8DG6wNlae9Yyr6ayt0OASP25XFMTwSbJ/30Gjqf90m/iKIOAsFYXTtqL9FJ9H/X2QKBGGAuA7gsZCJzpW5b8KQh4UO8AgISXaYxxFmnngDRqVLMhWTDJhfwtSXisVE3g3epJe0ZQbjpLGp+HOpUVKskIvuT/f6abNsVGbI+D2k1UPHZH8BhXImfy/lbrcsYUer/RX9D3ifP5RdYcIbzb77pXmPLEsnmMlKO/K9V0M9i/+wByRgHAnQkD6sCL3ZnpL3Q46cEAOwR4vM8yg1CnwGIGYSPTtSbjpUBk5xNVKMUt5nVdaY/nji9h6HS0loQVm/glBZGf/r0hBQ0VmpDXd6NsD0dropF/0nQfqToHQcZmjYsi1Q72vVo492H7b7QYbD5fMPN/iWQIhUyFylYcNxdhllB1OfSdgGAB1XHsXI3x3c/ePTID2q5gBVUWs2EyYU2sxL81xL3I91Xp/IB8hw7hlmJAftWZ3Ol418uQkv5A2+zPkL+T9AcOeZwyPAur/pN145Yv5SxlhFn26jzz2gJC/HxKxG12M2WH5vPwstHWZtefirXgclMRzDAarT8wGWEXBuYNWhPAXSapa5fKi90MJsvMbs38OVz/M9eyAuNgoOqKHF/ZGSiDs050LoTSQCeUGB7EZVlA+GVHeVG2nCAv/MRdu2m5joqxKTUZt6HPMCFMcoT8mmAbDQdWMAxKs1yJ7urogrEzfdneaLGVArlnAv5+XJUDXhZ7JftJitJ0sLkkRP9k46aAfGulmO5YEF9t2jHYkc1Hzi1nGZZ9IiUdRZup5fb5EI6i+I4gawLPZ+JKYHUtKEkkiPvxhAxfG2NIY4/pHJyH0d+Rb6B3DNT+QSoFUI9Ez7lXVFKG3q3QndY9DJsseCde+jFI3v/ENyI2+Ze8FmEvfJKcdPxY9wXJ1xd/E59NbDzdnU+Y3Uph3uojdOOP/N7x9AqhoYGo8xAZIhIFio4zXhHLvLCs7M6CF7N2sVwj31eE8Yo8QeyYPqd99wJPGdnOIOvL7XooLUAEHJ6NB9UjUbAtNpLguw5FpEqq3WyauB2Ex9G7Uqtli930MkjVWHiiheZkWw8UP5tLFHlsXvxR7NAiI6qNZSIDWr8dwudBZKHz91srlxYhD6DN0xC37TC09RbBUd6mzF5
DaOJASD3YOXGA4KAx5Rb/CcCnxxLpna35lJmJjGAd0b8S+f1jzAtoqpYAk/FYlhlX4crKhrqiw9l+EsokYNxKuHFuIKwz4KrdzadT9sUOMJOzU+5SLPNplqmqJBfrp6L0lt/ylPANOO0TiT5IqavjFMPMObP04AQuK30RPrZ1crz06aGo2RK0hYEYYDjoygKFkU+iZYTUcgByKM5bpUlqnNSf3Jq1FEU/nEK6caOHiQ76F1thsm/e1FTvAYg+mOUPYz9/nl0vVFJrtr5cMXtqxh9E/f/ujczI+A=,iv:dPnpNUPSDiq5C14YzDM2K4mFHNRFgc6p+X3Zu33OH60=,tag:MhgfV3z1wcbAfpwZmVWczw==,type:str] - dkim_ed25519: ENC[AES256_GCM,data:bberg3vGG9M3iPH1aLA+wIU6KNnxHRZxpGU5zT5Gqo9lohQa1wBDXCwsP0JaSfg56dhh9ZxF5HFd4V0nUzL6QMIeiExGkZmtdluaqki3fwFCssILch9pWOuM71Q1d7vi1eIN5PrAuX+6m8bmQBd1JIR+Kbz8dQ==,iv:C7wEFU7/xCh8LzyKXHSzgTX/L9OkmGWTnl5A94GLogw=,tag:j+sYtzzGN9guWa6T+ZUzbw==,type:str] - password: ENC[AES256_GCM,data:w8kc2CJwab7qTFQeejXCjUBkfHSKhec9YTpCPjT8,iv:lj634vQoWcrJlc+lh9GL+Co/T+QPln8NHOZoT3ky3EU=,tag:gAeD4EjE4uQFCRM4I5ZakQ==,type:str] + dkim_rsa: ENC[AES256_GCM,data:SrGKQCMgoFW51ca4wVh28C65PTVRzTuHFnyrGqjJmPq+pJH2xXNBQ4M+Rx+hVzV9KR6Zq7J/UN1IDfV6yVPZoZx28V/f1sGiAYbjMBc0HBL47+xjUyM985VR61RVk3QwLaszSUhn/gmy0bMzTUkhCJ8VxrnS/jOvCUiwYsHwCkeLad6ZnM8apz0hIUmt/frMf5OWYtmjKL2g2n3fT6itGnebvpbCsYA18qNeseieMP+k9qujKrvXQA6xNIm7zroPfC3sxVxyDvA4J+1MknMEC+5hjU8Nj9HcsmGHXuaCZ9zz1P8f+LoPdQmXoHIuIy2en9dNJiPVufHDac7CYAxZdek6uC2ck+mTtamK+tezav9qXaPMUdoXoQOppe5AQ53QqkJjl27s0CIzTDnZNClpMa8MBYOlcPVzudsEuYUdr+zjWwN58uhlqnFEYNOct0Cv0AQELJLlMh9YllI1vg0QUdbRG7KOnLfwd9PJuAMamI0ajvIOO4FL5uencx6OyR9AWD4sj/4TuLw+5G3jiZK4xjbJmzaN3W5xwQT2ZN1baJOL2Rr65mEg8B+pmV/auc0r/+r0vTUrIqHHPF7uBTC70ft821KxrBv/ZrXx+S12/qXgZ5b/V+OQfJiDilKYJejHzZR6G1HsXByHaZrq77bSrv0rX1ZvZsgkbYzX0qxy4cN72KjfdIhB7ZCP3JUrp8VHETzXsHeTswRP2/sjv1D6KHVi281Zb32rEwTjGcplYiAQnXw1pZ/Q1Ee9tJsDVHzHT+5jbZVq5SvDVUYg/PAvZpiLQUVK4HFuDWB96WQfcjaxKG5Cux3EJnqKSbZFgVCTKJ9hMKZzfNe+uSvYcekbJD7gBCg40CovhARqvXL53QLlfPJrDTEE82MOjUGmXetB1WMKu54q34ZzFMhEZ/ptDqfHDYhHrG8tQluvb9Nv0FFvOzTZawz4+kYFgp25mJyc/j5NvsS744qH6/Pso0pNX7jLbgo4S4qV8ajN788Oh8iiHnTFrTK0G0Kva5T6oyxHcnWbT9Viv64Z+9V4NQtRLJAo2p5HjxUUjIJfqrko48oD60lZim324frpDiDSUfp8dUBYGdTtchfGA/K4NNcL+DHjl2CesuBI7DT5pWb55j6gtpsMpvdyn/Bf
0ySxdwwiLx21aPxxeSse1u483ANSproKZaXh2OgNJVh10ZNwRgnn0LlCvMHhNzODuffMRVvGUBZo8K17i4QyrewKPWW5tjejpx4EDk6Uk9vyGzr5ug4jIYJkNpq43V9k7aXaVGaCr133KMvS4HGAcAiE+BpNjtnIgXi6Z/ecJmXXKnrjCFWjMjHm/wKeTsePzsphpTW57D/omfd5IzX99KhNxSsgBux41a3lnzAmPBb8S8211YGjYXlaQ9QVwPC9zPMFh2MXoVPlD/27+0kZ6lO8K1KK5LwdSoes4oTJlpsqiQHZGS+fgfVw7XiF6cZXlHH0LQhAj2WlmNgGMKEQQ5gzRjdc+iFT1a8TMs9onFzAr9G6jeyyqB0r9kxQDvcydu9n77PmprUKlNy34lmpsxoVOPZGPfKxJj2xNAbOGf8oP5F83k07e1GfGLvO/SdjmW59PEWizZrMZSpPHs7mU0gpjajR0BuP95cX5BRGdbDy25bZUT/GkurA4afwkpdeN/SZqGJaH/XuB4lRQG74gXm/iiLNaXIyCh3/MqCArsyULhMNehca0irpZrXobALiF2W1amt9S4Js6kF0HSyvxzlBhssnGTDGVF378oymwC2EKa1Cr+fabXCAfcHKb6/ACqZeAGi5vbiRcP4umZVUQOc8N0USrLeGXZBQAfzqoVJ87UV0VkcZhkuOdT/KwNAzFkjiZNCOYzyssvu5qSCvh+MUc9PjPOnUa5vZPaoO1gHReEzZWEQqZ0NEq+l/lmlOA/5puEEHCSR9aIkQ+P36Z+7AbBWZC89amYTFxO/RabIuQXm0Qn7Am30Oy8dCqXaTvOorXtigqQsKBkRoHUn9DCvF47v2nmS4e+Scqdj6eHfi+idFmSUvplNNBpyqybXkFUClW35po3dztkDcaKiVwzKmqcm7bp8fjxaUedgsuzYThUZUYALU4w7Wp2LcqFTJRTjIev0W6xJIOSzJc/hG3yVn4Reo0nhpnsDZjUob4SdoiVsPfg9NNODE5lzJ9hm0bHN1o87knVf51ArqmiJK6S2HmRoxmMEzffEvH2ARc4bE/Cllt52+s6vtUIz3ku0Dj6NvauSpVT33Hc12i7b9r2oEWYLVhjdAfruRyWg=,iv:zddaL0SgAAA0M+hCdKj8EkR52fW8oYs4zOgiu3O9Ows=,tag:uTgHAd8HhqnxOXhAd1Ei+A==,type:str] + dkim_ed25519: ENC[AES256_GCM,data:AkL1ysBFVcYXLSgdMl3EjzbTfhoc0Y7QH2QmxKK+ybDkomA5UXE28UMN5p8kYA0HMcjsVNnMGDYSVBSUyraqtHzb57dmlsnKAZjJFpHPzyMHt9ONbvRLPF4k1O1pQFmFV8k0P2M6bVhBMtX9irtGH3ky8ya4FA==,iv:g9xsit1QFXxir/9pE06ALKorfeYKfEOvBcCf5Mex4eM=,tag:l3rDMOURMvWTlrIud+u97w==,type:str] + password: ENC[AES256_GCM,data:IozwcatSpkZMmcA9DGcOd1Znc5p96NE2KKlOHT8b,iv:KF0sV2gy2T7+cmqBsExLCEaLlRHd0VaBXeEa9hJ79dA=,tag:kXmAPautkMrTNWg3Hx/P+g==,type:str] github-runner: - nocodb-registration-token: ENC[AES256_GCM,data:AKXoTMXsyuH+wQMsBvqjy6AdsbzVrFPe0KcSVfQ=,iv:h+rj8K2EswZlmd+AHnQ6aJ3sdy4Ku8y1EuVngE1Ifu0=,tag:Z66amJwbv61SBKUzLVrgxg==,type:str] - age-master-key: 
ENC[AES256_GCM,data:X9hF4Tlu/iki2VrkquYXyNZ22E+CJBN9oFXgzuZtzEMePnIHDON7XVmKvIm4FcPdRIUo7b085+QTSA5RKcslVMbix4BSyWwNLzA=,iv:r51gdhvXmVLGbZ3w0C+kGfRb3DqZaWH3AN6F8c9g+Po=,tag:EzJv7GHuHZofqpMF0ZlqIA==,type:str] + nocodb-registration-token: ENC[AES256_GCM,data:QJ2wGjyzBV0Xmsanc8dpvmi5Iv8ICShpQH0qC7E=,iv:s+IeTdz3cQ22vQiUZlSjFR7xTFwwKVnBvwkyxVeCw4s=,tag:ADeouBMAJiJjCvqLKHTVIw==,type:str] + age-master-key: ENC[AES256_GCM,data:wvhr+iYnjAZh4u+PNtRw3/O/7FAtWAdpC0nOifX8Pf6aB0njLOyhmCo3h8Ti8p4oInvHrJGYCtfUenvACUZSrHVykdDZKC5DgAo=,iv:miFWVbVlpTNV6TZys4tb/WNXiDfC/tobcaM3L9MMytk=,tag:wadOdhXSNZsAlSubVDpqtA==,type:str] +headplane: + cookie_secret: ENC[AES256_GCM,data:ZhUYeusYNPSkuA+CEHHmeRlCB3Y030J+1EpPs88coFs=,iv:Ck3CfLtkwskkwo8Ind+CuLtVARjHI4y3mZITfzCKPso=,tag:yhupLPeAyfBF6LtNqbJs2g==,type:str] + preauth_key: ENC[AES256_GCM,data:XBtitZ0fb8mU7Z7aSP+RxUSDvyxqcfKYiq4bLa9WnKef1xEnQK0+l7QfrQAVRyqI,iv:G82b9GcdTTLF/+jVh4nx6Fu7mnMmKarF6Rc+AabaLwE=,tag:x7HMaJknnrA/SjTfYu6B4w==,type:str] +headscale: + noise_private_key: ENC[AES256_GCM,data:pqh0alokNqQsG9Ghi/qZl3lEi45om8GV4uron4a5JriLrR/QiRKcZQFbMK2u1m4wLwAw57ugN/jXynATlW15vUWw4SAU+PtC,iv:j74JLjGDGbmN65YfARYisSa20ExBXVPUm+QKU4qk4rw=,tag:UUgthumk2/a4xJ14Ucok+A==,type:str] + derp_private_key: ENC[AES256_GCM,data:EMt3RtQzqIY4i5S2S1kK0kxu0wMt3/bBcpaEc3YP0Cmj8F4yZECOaDUYk4dM2QsfmoP84plktAqIrM4MSiY94lQpqRoCvTru,iv:NU/nVFQxBQTou0mf5xvLmlda8hzJfoCRiU1vCgJGyyc=,tag:IEDCDy6ifL+ulYzp7qr3vg==,type:str] + pre_auth_key: ENC[AES256_GCM,data:ItKBknycoP9AcUN1OyTK/OQCUQzkpJfho5Rfm2o0u8g6WGo0F/awC07MQ4pL2lfM,iv:hfOj72ZUP4F28+0vuEXucMUzeL3FAx0rF2quyWTACYw=,tag:zGdtJakxXUOolvJMOCevvg==,type:str] misc: - angelo_cloudflare_dns_api_token: ENC[AES256_GCM,data:Rh1L4dt0cg88XUpUWvSB74ubQlCl9ci8px8PZ/b6KjJVd+ZlmG5qWA==,iv:xXd2A11SA7DXDtiUdsAbBkgAzwabV2D7H8Q11UFWe/A=,tag:o3E7Ww9nQ2ba8z9GLShRjA==,type:str] - wireguard: 
ENC[AES256_GCM,data:kbUtxJv3xSmikJWgtu87TSo5N8tUb2BiH3dH3oOV36waYyXI3bp2aBeAl1k=,iv:yB4UIyMDNRS+JmSnt9XuBhNRTLz+k0FqkK4ofjosRto=,tag:BDSD9SfQuQppKT4+6Cu65w==,type:str] - default_password: ENC[AES256_GCM,data:6I3Z4Y1r8eTVvyc=,iv:0yMAY6JfsHEkKsrVAgPxb+3So4A5xvWV4ME1Oi33TvQ=,tag:/7dUtXPrVMNkERdxlk0FOw==,type:str] - nixbin.sinanmohd.com: ENC[AES256_GCM,data:WQDzDzOozWa73Bitex6BpE7D7KdVcgIKD1Yx92RbCoNzSa8+b33YtY92Vetu7OlH1Zw4tneKBH/hAjz4ytK1SHoFfKj9wvfdzR5L+8gRKYEwxnvcHyc5gekmAaeQr2bWyUS9PBYRRWTRLiL/5A==,iv:3hlqF2CvpnXS5oDpbW9RIERbDHPLMrgQ+TJ+q9EyrZM=,tag:U4E3b2oBqjMFXEONbz8eKw==,type:str] - alina: ENC[AES256_GCM,data:Mr0FK2JLSXVM3nL+HrAQflj7N0r+tEDiYz8PfI9bcKz4hfnnhSndFBPgVtMFTIfqgzX+HF28NBcMmA3qr9eGawJ6tTBy3bMPrFUjCo7oz0gW+4s=,iv:tKK50u4foAp9essD5tl5hnDSgc5ZVVVhraDzUQV/rv4=,tag:xuwA2qBbpSXGm/OFeyEoFw==,type:str] + default_password: ENC[AES256_GCM,data:xON6jifcv8k8tKA=,iv:Kk3Ax/GGvCvAbTAhNnlkoNh1BzsrZVptchRuQi+vqhc=,tag:9vYn1Gslr+1pAYdKvwRhnA==,type:str] + nixbin.sinanmohd.com: ENC[AES256_GCM,data:iPYrZvEcg8WRl2iRnL5Z3Gxzpu1NWqgobdYuhFj3Ria/zZ+WL6LzSYMKtxxRaCbqXIacjIJKGpsZcesaJjcx6wmLR8EW8GRPPhHO9AjbZSLeBV2h6XwHbe6PD8y/Kjx2fBbIpDDTF2YwstvFqQ==,iv:AYv4Vnog+dlhKlZV8S3D/q7JiY2l2mVxLC/gWuI5MtA=,tag:dzZ8octvGcuuh9TXv0U88A==,type:str] + alina: ENC[AES256_GCM,data:KGSr5fLkngJvZRAGoTK0XfxJCgWQBJ8xd0oelU5j15yOooBctUQjQekmf9GiVnmZbU5OoxdraO6nUssZXEIfKKsCtCps+D2MkDDchL/+gbc+A3Q=,iv:LszKLO5CeultjHbSLUqz9Or9X5K7u9VCzuz9fBPFgmM=,tag:DONP4smkrTTsY0sJ8qyKIQ==,type:str] sops: age: - recipient: age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2T3NSZ09xUDg5Q2VKM3FB - RXNwNTJrVkxScHR2eksrVlZQMFduOGRFT1RFClhQK2xTWXBUMzdlektSWFhHNDBN - bEMxelVjK1owZHczMVV3MWI2WlU2TncKLS0tIEovSk1uMnlvWFBya1YxNjArQTdh - Unk0a0tvR3VZQmtIU3RZSWNnazZJZTgKe0mjQHEkagnftc2zEbza863dSlnPOM6Q - 0Me0paRmqzsYBizp12SHjaXYiXFpvEeGmOVOMoGvD8UzTa+V5klS0w== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4WmZBY05MR2tWMTRlRDhP + 
ZXhkMG1GdlRoS3hQQmQvWm1SazlGUGJycVRnCjRDa2FacG1GMzJsQzdqTmsvWi9a + VHhCWGdMTmNCbjAvVG8zN1lWRWNVdkUKLS0tIE9kbTNyeE4vdXhZRURvMWJRVWwx + TGR0MVFEdGRUVVA0ZlJyOUNoNHBiNTAK6mI2gntwNt+jKMi3BpLwVzmylzkoQMuY + B5fcI6RlNCfSDYzR/O6BIc9zsh5dmWP4YA1aKEjF21+z1uPX3qg2Ww== -----END AGE ENCRYPTED FILE----- - recipient: age15989j5lkkf2kn5wa2p6qc8wlxjjksc63k5ync8rz8t4e87394pzqm7h4rm enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5NDVlc2crekF2b1lVZnZM - YU95N3lRWFhUUzczV1h4eUU0dHdSbWdpWVhZCmREdmFDSzRzY3pZUHpERkhCK1FS - cmxRam1vZ2U0dHBYc3hJWG9CRW13bzgKLS0tIFBpMFFXYTZDT09mTTJkWDhoYWVr - OXgwSml4bkc1dnloNUFsRGFFcXFHc2cK26l2eiKbZUkogmAXoha6HTUs3YFKixYz - bTkpKKyOAIIin3YM975wwvkCuWNG4tbnHBHQFh5JGK2OEyLDXuV7Pg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsdjRoRXpyNTcvR0tmQmJ1 + T3o3c3dPRlZFYWxjczIxL3YyQlEwUTUxTms0Ck5IdG02V2FYeFNheDhtZ2tWcTE0 + Nm84bkhyTlg5SFZES3NnKzY1S0hZVk0KLS0tIGR4NzNoZHJWN0VKRGh2UFBoNGQ4 + bGRaOE1Mc3VqVnYyd0xIVGl5ckpqRFkKpT2gTC4lf9HRQNJDykdGjPdfH+V8og7X + XHq1XqIRoRbulZifuZlmzN/RWMPIoBYkXeHfqaMjmTz5HIBcnO/t9g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-05-09T08:03:32Z" - mac: ENC[AES256_GCM,data:SJeRVT11Ps1B9ILQdgYwW8YEWPJ9gnxq4t14nTcjh5MTodifipmo6T9j3HWEZPrQjzEv4QtlxlP2HwRw5cHa+/20fA9kiZR68PAj5GTuwFaNsRBPD8qLBpZZNNWT/u+moyKJGM8hXhFc41OOaez6+ZTIpK3DPzsI3aeJdxoIaMY=,iv:NCkEJJgLOATms+iVR+tyLf6MM6SPQvsPx5+9peqdaOQ=,tag:hkTbvp0h4qSEKVjRHmp8gQ==,type:str] + lastmodified: "2025-10-20T15:38:52Z" + mac: ENC[AES256_GCM,data:n0ShTAQ5ft5o38Y53MmSHzOyxEKwKT4TwELfj5kZ2rvZVI4o1jH+kcYnlYKcwPDCXNuIayFRVYRZ7KPEftPuTRgaKK74uCjYyrZh/hQP+pyFRg2va2Jkn5vymzsm2036DIPo2K2JkZtSlWgYG/BNuLVQZioghkKZ5pe23YyJqQs=,iv:NSQCmN081ZoGa2yfU8Bu0H2tfvWrOennYPWjtpRJ8G0=,tag:HDl78o8CmFviEqQWntvrQw==,type:str] unencrypted_suffix: _unencrypted - version: 3.10.2 + version: 3.11.0 diff --git a/os/lia/configuration.nix b/os/lia/configuration.nix index 64204a0..2bf401a 100644 --- a/os/lia/configuration.nix +++ b/os/lia/configuration.nix 
@@ -2,14 +2,14 @@ { imports = [ - ../common/configuration.nix ../server/configuration.nix ./hardware-configuration.nix ./modules/network ./modules/users.nix ./modules/lxc.nix - ./modules/sshfwd.nix + ./modules/headscale.nix ]; -} + networking.hostName = "lia"; +} diff --git a/os/lia/modules/headscale.nix b/os/lia/modules/headscale.nix new file mode 100644 index 0000000..906080a --- /dev/null +++ b/os/lia/modules/headscale.nix @@ -0,0 +1,23 @@ +{ config, ... }: +let + headScaleUrl = "https://headscale.${config.global.userdata.domain}"; + user = config.global.userdata.name; +in +{ + sops.secrets."misc/headscale" = { }; + networking.firewall.trustedInterfaces = [ config.services.tailscale.interfaceName ]; + + services.tailscale = { + enable = true; + interfaceName = "headscale"; + openFirewall = true; + + authKeyFile = config.sops.secrets."misc/headscale".path; + extraUpFlags = [ + "--login-server=${headScaleUrl}" + "--operator=${user}" + "--accept-routes=false" + "--advertise-exit-node" + ]; + }; +} diff --git a/os/lia/modules/lxc.nix b/os/lia/modules/lxc.nix index 259c316..012695d 100644 --- a/os/lia/modules/lxc.nix +++ b/os/lia/modules/lxc.nix @@ -1,4 +1,5 @@ -{ pkgs, ... }: let +{ pkgs, ... }: +let container = { name = "ubu"; distro = "ubuntu"; @@ -6,7 +7,8 @@ }; bridge = "lan"; -in { +in +{ virtualisation.lxc.enable = true; environment.systemPackages = with pkgs; [ wget ]; @@ -22,7 +24,14 @@ in { RemainAfterExit = true; }; - path = with pkgs; [ wget lxc util-linux gnutar xz gawk ]; + path = with pkgs; [ + wget + lxc + util-linux + gnutar + xz + gawk + ]; script = '' if ! lxc-ls | grep -q ${container.name}; then lxc-create -n ${container.name} -t download -- \ diff --git a/os/lia/modules/network/default.nix b/os/lia/modules/network/default.nix index c8d9059..3d58636 100644 --- a/os/lia/modules/network/default.nix +++ b/os/lia/modules/network/default.nix @@ -1,4 +1,5 @@ -{ ... }: let +{ ... }: +let wan = "enp9s0"; in { 
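Review bot: `networking.firewall.trustedInterfaces = [ config.services.tailscale.interfaceName ]` in the new lia headscale.nix switches the host firewall off for everything arriving over the headscale interface, and on this host that is combined with `--advertise-exit-node`, so every tailnet peer gets unfiltered access to all of lia's listening services (the router module in this same change serves DHCP and DNS for a LAN from the same machine). Trusting the whole interface is broader than needed; per-interface port rules such as `networking.firewall.interfaces.headscale.allowedTCPPorts = [ 22 ];` keep the rest of the host closed while `openFirewall = true` still takes care of the tailscale port itself. An exit node also needs IP forwarding; unless the router module (only partly visible here) already enables it, `services.tailscale.useRoutingFeatures = "server";` is the option the NixOS module provides for that and it documents the intent. A short comment on `authKeyFile` stating whether the headscale preauth key behind `sops.secrets."misc/headscale"` is single-use or reusable, and when it expires, would let the next maintainer judge the blast radius if the secrets file leaks.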
@@ -7,10 +8,12 @@ in ]; networking = { - interfaces.${wan}.ipv4.addresses = [{ - address = "172.16.148.20"; - prefixLength = 22; - }]; + interfaces.${wan}.ipv4.addresses = [ + { + address = "172.16.148.20"; + prefixLength = 22; + } + ]; defaultGateway = { address = "172.16.148.1"; interface = wan; diff --git a/os/lia/modules/network/router.nix b/os/lia/modules/network/router.nix index b8cac8c..4f22e31 100644 --- a/os/lia/modules/network/router.nix +++ b/os/lia/modules/network/router.nix @@ -1,6 +1,10 @@ -{ ... }: let +{ ... }: +let wanInterface = "enp9s0"; - lanInterfaces = [ "enp1s0f0" "enp1s0f1" ]; + lanInterfaces = [ + "enp1s0f0" + "enp1s0f1" + ]; prefix = 24; subnet = "192.168.1.0"; @@ -8,7 +12,10 @@ leaseRangeStart = "192.168.1.100"; leaseRangeEnd = "192.168.1.254"; - nameServer = [ "10.0.0.2" "10.0.0.3" ]; + nameServer = [ + "10.0.0.2" + "10.0.0.3" + ]; in { networking = { @@ -21,17 +28,21 @@ in }; interfaces.lan = { - ipv4.addresses = [{ - address = host; - prefixLength = prefix; - }]; + ipv4.addresses = [ + { + address = host; + prefixLength = prefix; + } + ]; }; firewall = { - allowedUDPPorts = [ 53 67 ]; + allowedUDPPorts = [ + 53 + 67 + ]; allowedTCPPorts = [ 53 ]; - extraCommands = - "iptables -t nat -I POSTROUTING 1 -s ${subnet}/${toString prefix} -o ${wanInterface} -j MASQUERADE"; + extraCommands = "iptables -t nat -I POSTROUTING 1 -s ${subnet}/${toString prefix} -o ${wanInterface} -j MASQUERADE"; }; }; diff --git a/os/lia/modules/sshfwd.nix b/os/lia/modules/sshfwd.nix deleted file mode 100644 index 3c7c006..0000000 --- a/os/lia/modules/sshfwd.nix +++ /dev/null 
@@ -1,53 +0,0 @@ -{ pkgs, config, ... }: let - mkFwdSrv = { - local_port, - remote_port, - remote_user, - remote ? "sinanmohd.com", - ssh_port ? 22, - key ? config.sops.secrets."sshfwd/${remote}".path, - }: { - "sshfwd-${toString local_port}-${remote}:${toString remote_port}" = { - description = "Forwarding port ${toString local_port} to ${remote}"; - - wantedBy = [ "multi-user.target" ]; - after = [ "network-online.target" ]; - wants = [ "network-online.target" ]; - # restart rather than stop+start this unit to prevent - # the ssh from dying during switch-to-configuration. - stopIfChanged = false; - - serviceConfig = { - ExecStart = '' - ${pkgs.openssh}/bin/ssh -N ${remote_user}@${remote} -p ${toString ssh_port} \ - -R '[::]:${toString remote_port}:127.0.0.1:${toString local_port}' \ - -o ServerAliveInterval=15 \ - -o ExitOnForwardFailure=yes \ - -i ${key} - ''; - - RestartSec = 3; - Restart = "always"; - }; - - }; - }; -in { - sops.secrets."sshfwd/sinanmohd.com" = {}; - sops.secrets."sshfwd/lia.sinanmohd.com" = {}; - - environment.systemPackages = with pkgs; [ openssh ]; - systemd.services - = (mkFwdSrv { - local_port = 22; - remote_user = "lia"; - remote_port = 2222; - }) // - (mkFwdSrv { - local_port = 22; - remote_port = 22; - ssh_port = 23; - remote_user = "root"; - remote = "lia.sinanmohd.com"; - }); -} diff --git a/os/lia/modules/users.nix b/os/lia/modules/users.nix index 26f5dc8..3a44104 100644 --- a/os/lia/modules/users.nix +++ b/os/lia/modules/users.nix 
@@ -1,18 +1,24 @@ -{ pkgs, ... }: { +{ pkgs, ... }: +{ users.users = { "rohit" = { isNormalUser = true; extraGroups = [ "wheel" ]; - packages = with pkgs; [ git htop ]; - openssh.authorizedKeys.keys = - [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOZcWF1zVyxsCdZ/j+h+RlHZlyhgY2Bky03847bxFNSH rohit@victus" ]; + packages = with pkgs; [ + git + htop + ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOZcWF1zVyxsCdZ/j+h+RlHZlyhgY2Bky03847bxFNSH rohit@victus" + ]; }; "sharu" = { isNormalUser = true; - openssh.authorizedKeys.keys = - [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMAAaAUTiM3YY7E/7lq44aX+2U0IYhp2Qntu7hINcTjF sharu@lappie" ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMAAaAUTiM3YY7E/7lq44aX+2U0IYhp2Qntu7hINcTjF sharu@lappie" + ]; }; }; } diff --git a/os/lia/secrets.yaml b/os/lia/secrets.yaml index b2b5218..5d34d39 100644 --- a/os/lia/secrets.yaml +++ b/os/lia/secrets.yaml 
@@ -1,11 +1,6 @@ -sshfwd: - sinanmohd.com: ENC[AES256_GCM,data:ZB2qbUA4+AcYlIY6IaPf9aUdMV0ltdKveqVSNS2Nhq8h6kWheqWiaXgIK6vuN7oDHKomgVXWaVdxTf6OFvFQHCHMMqtm0KfvSJW+cdORpfZkEZuji5Ob/yQiNllyS8oAw9iT5YdyifLi7XkfD+dHbt+XWLQCMFPirJ8Lz6ynTYxV+N7Pu7yOhfCzPDYfqexW7Ymrjk0PI32OVgo+sE0obnASGW645dP4ydKOZM5xx9NGr/Oao2W5C61qdr2gUCoYQKZXkfItGRfCuWuCeh0ZmbxumS6Q1WeWUW09SY5NN24025TBoZgE+UdJIXuczAQy5wzpXYsDWwBXNod4gAhe76YgLydlYBpBHe6xN6OBgCewHkjCGkirHawmbYxkmJ40L6/lMFPjRmMV7yhj94Vsyx7NAW1H8yKVE/9typXUrIyxbxAOGrwy0TjlGYogAcZ7YYZ+ipmkqNlQ1pliA2Kha+2ZzPG0hV8NKhydNr0cz5ylfL4cQaAXxxg6YHOUYL0DGbfMXMpZKTt47TJcY72RWDaUr2RsmhJ+k2vNBDY3I01n9syWnlk80h2bs1ILJ5Ad3PP8Em8yGaXJLM+3,iv:VoDyy+h3UHL0YJPJ7rbgLTZZzIPCJTD8yBPXNxWjHqo=,tag:zGQXrE066SDMCwgZpC9/Pg==,type:str] - lia.sinanmohd.com: ENC[AES256_GCM,data:d2lDCckpWwMtGu8Ra249NnUVt4OtP7JqtVZG8YD9oLtLmAbTi4kLZnYU+0EN7Fs/Z6dxNaSkYLnvJQO08Hr1AlVT12z2TXoWKHokzgMXYKPIBhioHLXg31BAwC9T/qPraxxzY+Jo6zSuv2RK1Xi6+74w6llE9t/eY1U2nJb9VnmtsB+ae9O5BgkxSkdGL/rhnXZNk9p8OhOcmtOnm6kPHVXG0DzszpvWmalsJE3nPmyxe5zB+7+UFj8rFgcktKRoY0bhN5SOMZfFSly7nRkr3WL2mbaVZgZD2g+kvzanYU64NKF0+rbVdKf9lCgVRMSS5z22QSuKOLuZjLlCRml9y254iIVxfV+BC2Y35QMk+Aa14jlHcRowFN5KxZ3dAeuH8TfVuSg/8gfSXwTMAHTBbEDeVvomD09vmuZoVCckrAZzSEiA8alcxKyaHGw4ZiAb1e+DWRSxDDeS9iibHsKrZgZ/RstRdT2qyqF0prbY+wFbajblGrUZhbIhfkPNe67iiTD7HI0Trg3PcC8Z1m+k/gWlhERpi+74TRzHrN1/dAokLBI/j+9I3YRTWR1qNScEr5RJNZP4UQh2TlH4G//3+0J3PM8Nv0DF7cfuOFpOLrob6SAaSRv3Ctn5ZmQM4Ib8uMluFB3MFkwqD/j67EINR+OD3VShdy6ydrIuaWREejhCR3SHnoZp1OhXTNdVzXwKYwFIkjHNGs3uj4jhW37xA+8zvuuqVZUGaXbbETsgIwPrwpFaPsxORkDREVhLxTtXsuHtzASzV7GfQvtArlM1bk5Ne3S75IeSc3ZnJUuAk5fPWjuHHuMDv7FxddNHctgE/V1gmzA/w3FtfYeaG8K2ZUeh1cCxGmou6aRv7aacAB9AdKeLtzr899VYC4bnPCpWBEMgN3Nqhdo/YR3bW+3pLbV3S1M4O2FxrZHjlgS4sffHMe+kNuzVV1GEpc8xybPIS5AAeWuOankmflf+CWg6fVSinHvlwILjRrK7cMCroypPv2p4dtn4IMaJ6MGQsNzDMF7CN6H3XOmOONsnJ8h/dUL6EwJCW87gp5lC8BXcuE93LgUHAVx9SttygpaAmTIWN48BsJosWbvK5Zw7nCaCce7WtxeUuAKtHdhLsLH7WhfQL5aj3aF8xgDDM3b2qOp6gkNI0q/8L0yEGRRg70c3jAu6ojZVD4iq9hS8ct06jVzLdi4U4jTk53NAGEiMbGiS
aHTlmPvjwcV1+RYUut7G/a9YVvAgbtw2TKK00EaCUNHefuzd4oWc0jiMUK8OSH9l9gT5usWXOPeexyNNLWHniMympqVoudQXSj1PEvEixXYZYZ6Vp4LuHsdTtLCsTu17J0/7Ob/PdSGXU+BtJGS+EnLbxMgMHHiWk4hd2z5h64DgC9vrSVHqFvd68gGL91bsKw6rnmtEOcuTdY4DLzP2HSGtN6Erxb52XZrVS+fm4zJO0ZR45bN29NBB1rvhUe//ln+ny6tbgJ/mQ1wJIpXtLMOeBsKZqN2x5eaCw2bFqJE+yOwFFcbwTvuyDSsCeJh40LL0Dypfc5FvYmta8rChNw+MpwC2++T/t2xgGcHpvh0o5WcdbtlUm+7H8PAqsK18DhF9GSLxEpCTS14FT5M3GFNKOYGub+Vt+jCWSPrvnZXCITNdBXR6PD47iyqY1Ot00+f213ZEfVNZayfoxr4I3JzwNLJOvdHdxIza2qAyKW+tm+2N9tp0TtGoHUE2vUc9Cm0rxw84rllywqrehwi9039bS5mn72pRtN06ZnFKQrVrx355PsAyYlQ3VkZ2wpuxVOB2i8ko0ujebgO411XjgOQBeV8lNy02AcduavRNQ5z41rBnbhuj+sI5u8xli4kPrpfqeuLACaT+eWeYSZtCy7qY75BYaguhcqKAvRUfUTMxDUyGBkUySKydcNL3ErVU47jLB8uMm8RFjzkRAEKjraR+1PH8GQ+qhTA3e6ZtzNTZ0i9c2hFT+6vrLZ7gNrpC53s3wrkK43yU5MC8JaSe3mRx9v00EqUaUYOnrJZWs5H6LXj6T2OIhQgaTs6ikvGpY4rRE7lkn2jqQAXf/9aCDuMj9fiWanCXgJ7LFSwuAESLe7CmwdNqOl2cyEns8DuChrAq7zdykBv9VbLYfijlzrD6ezcmHGImNTTG+uX2PifuvK4JphOFbmK0YWGPK6//7gJfNtUMReKuINvPZg1X8U8ayQ8btYjmzIpxJeJ2/NvZ+WoKYewttAZhSHbo75I8K1cBEjUvrevwXmPeYvG+iWYyZkYENx7gGCNGyHpdSEEYBL4QdsgkbQWJDRQ=,iv:t825d9WWByfMZXwrtKs2JBFVoEAoAXfYOBmlhWN45hU=,tag:ZVPiwtKwhdYzh4IQyzeb9Q==,type:str] +misc: + headscale: ENC[AES256_GCM,data:kTK0IhZ8zrrT1nJoewageZ1l1F8+rRcipZxdtbpZjy/fAi8ID4Uv0pB9EifHCX+9,iv:zwx9ApRU4oV/TQ58gOz8HuFezoRJgojLwDXaqMSpQO8=,tag:SURBjFP+pnuAj8rUumWfsw==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv enc: | 
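Review bot: Removing the two `sshfwd` private keys from lia's secrets does not revoke them; their public halves presumably still sit in the authorized_keys of `lia@sinanmohd.com` and `root@lia.sinanmohd.com` (the accounts the deleted sshfwd.nix connected to with `-i ${key}`) until they are removed there, and nothing in this change does that. A follow-up that drops those entries on the remote hosts, or a commit-message line saying it was done, would close the loop. The new `misc/headscale` value is consumed as a tailscale `authKeyFile`; if it is a reusable preauth key it is now the single credential that lets anything holding this file's age key join the tailnet, so a non-reusable or short-expiry key is the safer choice.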
@@ -25,8 +20,7 @@ sops: RG9hL2hlYjdaYTVJWVFlSE4xN1poUHcKe4BPaVEyc3W1hyu0jOQcEdZ1kl2aQLgZ fHDs4kDeCcfJI/s5Cb/YD3cIp7HB6FBoe7LHiNiJbyJGR0wJecLqxg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-02-11T16:35:02Z" - mac: ENC[AES256_GCM,data:nsLGZ5wvmj25COI4G3BsS8dzwpa59zs85Ztm4eZaXITAdMjEgfmHR8eHItzchSijH+PRaJH+pZZNN3kpkDeujGYTiOzfc1t2dGA3Vx6XACCNaZs35vmvbB45VV07a5mjw/Wy3k0ZDOcRCHXQOQccaPshUMzU7FkXudm7PkvoyTM=,iv:Rgfaab+egy2/AwlM6ZMVA+7E5cqb/r9mI4ptMit/SKo=,tag:LVSYkTzTxBRAIFxDkB1asA==,type:str] - pgp: [] + lastmodified: "2025-11-02T05:33:42Z" + mac: ENC[AES256_GCM,data:0W88J0MCbVo8kw685hZtPFw1QJsWkKVqT9SWA5/UDu75A5RvTLIEFE1NIBih5sdWOMkvy9bKG23WuvsLhj84myDkxY1PmKpD/tRFP1kdlBZlGRlPvrcSpDFEECvpQ6DEfXRZHKtTYB5upc9jShQJyv20yQ0k5TpR2YA0l3yq95E=,iv:rf2rqwqRT2iEz/Lk1Z4N+iCV31FTR5dDd8lz6DCodEE=,tag:vHFJ51GSt3VO9FQlQFRt0A==,type:str] unencrypted_suffix: _unencrypted - version: 3.8.1 + version: 3.11.0 diff --git a/os/pc/configuration.nix b/os/pc/configuration.nix index 7e7218a..023fc30 100644 --- a/os/pc/configuration.nix +++ b/os/pc/configuration.nix @@ -1,6 +1,13 @@ -{ config, pkgs, ... }: let +{ + config, + pkgs, + lib, + ... +}: +let user = config.global.userdata.name; -in { +in +{ imports = [ ../common/configuration.nix @@ -9,18 +16,20 @@ in { ./modules/network.nix ./modules/wayland.nix ./modules/nopolkit.nix - ./modules/nocodb.nix + ./modules/work ./modules/firejail.nix ]; + networking.hostName = lib.mkDefault "pc"; + boot = { consoleLogLevel = 3; kernelPackages = pkgs.linuxPackages_latest; }; services.pipewire = { - enable = true; - pulse.enable = true; + enable = true; + pulse.enable = true; }; documentation.dev.enable = true; diff --git a/os/pc/modules/firejail.nix b/os/pc/modules/firejail.nix index 920607e..f915d07 100644 --- a/os/pc/modules/firejail.nix +++ b/os/pc/modules/firejail.nix @@ -1,4 +1,5 @@ -{ pkgs, lib, ... }: { +{ pkgs, lib, ... }: +{ programs.firejail = { enable = true; 
diff --git a/os/pc/modules/getty.nix b/os/pc/modules/getty.nix index 8c7f57e..c0d5d1c 100644 --- a/os/pc/modules/getty.nix +++ b/os/pc/modules/getty.nix @@ -1,6 +1,8 @@ -{ config, ... }: let +{ config, ... }: +let user = config.global.userdata.name; -in { +in +{ systemd.services."getty@".serviceConfig.TTYVTDisallocate = "no"; services.getty = { diff --git a/os/pc/modules/network.nix b/os/pc/modules/network.nix index 6e07963..029822f 100644 --- a/os/pc/modules/network.nix +++ b/os/pc/modules/network.nix @@ -1,5 +1,6 @@ -{ ... }: { - networking.wireless.iwd = { +{ ... }: +{ + networking.wireless.iwd = { enable = true; settings = { diff --git a/os/pc/modules/nocodb.nix b/os/pc/modules/nocodb.nix deleted file mode 100644 index 6b26bf2..0000000 --- a/os/pc/modules/nocodb.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ config, pkgs, lib, ... }: let - user = config.global.userdata.name; -in { - programs.firejail.wrappedBinaries.slack = { - executable = lib.getExe pkgs.slack; - profile = "${pkgs.firejail}/etc/firejail/slack.profile"; - }; - - virtualisation.docker.enable = true; - users.extraGroups.docker.members = [ user ]; -} diff --git a/os/pc/modules/nopolkit.nix b/os/pc/modules/nopolkit.nix index 0c45f41..f7148aa 100644 --- a/os/pc/modules/nopolkit.nix +++ b/os/pc/modules/nopolkit.nix 
@@ -1,26 +1,33 @@ -{ config, pkgs, ... }: let +{ config, pkgs, ... }: +let user = config.global.userdata.name; -in { +in +{ security.sudo = { enable = true; - extraRules = [{ - commands = [ - { - command = "${pkgs.systemd}/bin/systemctl suspend-then-hibernate"; - options = [ "SETENV" "NOPASSWD" ]; - } - { - command = "${pkgs.systemd}/bin/reboot"; - options = [ "NOPASSWD" ]; - } - { - command = "${pkgs.systemd}/bin/poweroff"; - options = [ "NOPASSWD" ]; - } - ]; + extraRules = [ + { + commands = [ + { + command = "${pkgs.systemd}/bin/systemctl suspend-then-hibernate"; + options = [ + "SETENV" + "NOPASSWD" + ]; + } + { + command = "${pkgs.systemd}/bin/reboot"; + options = [ "NOPASSWD" ]; + } + { + command = "${pkgs.systemd}/bin/poweroff"; + options = [ "NOPASSWD" ]; + } + ]; - users = [ user ]; - }]; + users = [ user ]; + } + ]; }; } diff --git a/os/pc/modules/sshfs.nix b/os/pc/modules/sshfs.nix index 2dbccce..b173d7c 100644 --- a/os/pc/modules/sshfs.nix +++ b/os/pc/modules/sshfs.nix @@ -1,9 +1,11 @@ -{ config, pkgs, ... }: let +{ config, pkgs, ... }: +let domain = config.global.userdata.domain; user = config.global.userdata.name; uid = config.users.users.${user}.uid; gid = config.users.groups.users.gid; -in { +in +{ sops.secrets."misc/sftp".sopsFile = ../secrets.yaml; system.fsPackages = with pkgs; [ sshfs ]; @@ -12,12 +14,12 @@ in { fsType = "sshfs"; options = [ - "allow_other" # for non-root access + "allow_other" # for non-root access "uid=${toString uid}" "gid=${toString gid}" - "_netdev" # this is a network fs + "_netdev" # this is a network fs "x-systemd.automount" # mount on demand - "reconnect" # handle connection drops + "reconnect" # handle connection drops "ServerAliveInterval=15" # keep connections alive "IdentityFile=${config.sops.secrets."misc/sftp".path}" ]; diff --git a/os/pc/modules/wayland.nix b/os/pc/modules/wayland.nix index 33f25c8..6787e9a 100644 --- a/os/pc/modules/wayland.nix +++ b/os/pc/modules/wayland.nix 
@@ -1,11 +1,12 @@ -{ config, pkgs, ... }: let +{ config, pkgs, ... }: +let user = config.global.userdata.name; fontSans = config.global.font.sans.name; fontMonospace = config.global.font.monospace.name; - fontPackages = config.global.font.monospace.packages - ++ config.global.font.sans.packages; -in { + fontPackages = config.global.font.monospace.packages ++ config.global.font.sans.packages; +in +{ fonts = { packages = fontPackages; enableDefaultPackages = true; @@ -32,7 +33,10 @@ in { }; systemd.services.swaynag_battery = { - path = [ pkgs.sway pkgs.systemd ]; + path = [ + pkgs.sway + pkgs.systemd + ]; environment = { # TODO: don't hardcode them WAYLAND_DISPLAY = "wayland-1"; @@ -46,19 +50,21 @@ in { systemctl hibernate ''; }; - services.udev.extraRules = let - start = "${pkgs.systemd}/bin/systemctl start swaynag_battery"; - stop = "${pkgs.systemd}/bin/systemctl stop swaynag_battery"; - in '' - SUBSYSTEM=="power_supply", ATTR{status}=="Discharging", ATTR{capacity}=="[0-9]", RUN+="${start}" - SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="1", RUN+="${stop}" - SUBSYSTEM=="power_supply", ATTR{status}=="Charging", RUN+="${stop}" - ''; + services.udev.extraRules = + let + start = "${pkgs.systemd}/bin/systemctl start swaynag_battery"; + stop = "${pkgs.systemd}/bin/systemctl stop swaynag_battery"; + in + '' + SUBSYSTEM=="power_supply", ATTR{status}=="Discharging", ATTR{capacity}=="[0-9]", RUN+="${start}" + SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="1", RUN+="${stop}" + SUBSYSTEM=="power_supply", ATTR{status}=="Charging", RUN+="${stop}" + ''; hardware.graphics = { enable = true; enable32Bit = true; }; - security.pam.services.swaylock = {}; + security.pam.services.swaylock = { }; } diff --git a/os/pc/modules/work/default.nix b/os/pc/modules/work/default.nix new file mode 100644 index 0000000..e1e6b3d --- /dev/null +++ b/os/pc/modules/work/default.nix 
@@ -0,0 +1,49 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+let
+ user = config.global.userdata.name;
+in
+{
+ programs.firejail.wrappedBinaries.slack = {
+ executable = lib.getExe pkgs.slack;
+ profile = "${pkgs.firejail}/etc/firejail/slack.profile";
+ };
+
+ virtualisation.docker.enable = true;
+ users.extraGroups.docker.members = [ user ];
+
+ specialisation.k3s.configuration = {
+ systemd.services.k3s.path = [ pkgs.criu ];
+ environment = {
+ variables.KUBECONFIG = "/etc/rancher/k3s/k3s.yaml";
+ systemPackages = with pkgs; [
+ kubernetes-helm
+ k9s
+ ];
+ };
+ services.k3s = {
+ enable = true;
+ gracefulNodeShutdown.enable = true;
+ clusterInit = true;
+ role = "server";
+ extraFlags = [
+ "--write-kubeconfig-group users"
+ "--write-kubeconfig-mode 0640"
+ # disabled because some wifi won't have IPv6 (2025 edition), and k3s fails on startup
+ # uncomment this to enble IPv6 ingress when humanity transcends
+ # "--cluster-cidr=10.42.0.0/16,fd12:b0d8:b00b::/56"
+ # "--service-cidr=10.43.0.0/16,fd12:b0d8:babe::/112"
+ # "--flannel-ipv6-masq"
+ ];
+ manifests.traefik-daemonset = {
+ enable = true;
+ source = ./traefik-daemonset.yaml;
+ target = "traefik-daemonset.yaml";
+ };
+ };
+ };
+}
diff --git a/os/pc/modules/work/traefik-daemonset.yaml b/os/pc/modules/work/traefik-daemonset.yaml
new file mode 100644
index 0000000..e90e9ec
--- /dev/null
+++ b/os/pc/modules/work/traefik-daemonset.yaml
@@ -0,0 +1,12 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChartConfig
+metadata:
+ name: traefik
+ namespace: kube-system
+spec:
+ valuesContent: |-
+ deployment:
+ kind: DaemonSet
+ service:
+ spec:
+ externalTrafficPolicy: Local
diff --git a/os/server/configuration.nix b/os/server/configuration.nix
index 8b1e5e9..c47f560 100644
--- a/os/server/configuration.nix
+++ b/os/server/configuration.nix
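Review bot: `--write-kubeconfig-group users` together with `--write-kubeconfig-mode 0640` makes `/etc/rancher/k3s/k3s.yaml`, which carries the cluster-admin client credentials, readable by every account in the `users` group rather than only the operator. A dedicated group, e.g. `users.groups.k3s.members = [ user ];` together with `"--write-kubeconfig-group k3s"`, limits that to the intended user while keeping the global `KUBECONFIG` variable useful. `users.extraGroups.docker.members = [ user ]` is a root-equivalent grant through the docker socket, which may be acceptable for a personal work profile but deserves a one-line comment next to it saying so. Minor: the comment above the commented-out IPv6 flags reads `enble`.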
@@ -1,4 +1,11 @@
-{ ... }: {
+{ lib, ... }:
+{
+ imports = [ ../common/configuration.nix ];
+
+ networking.hostName = lib.mkOptionDefault "server";
+ security.sudo.wheelNeedsPassword = false;
+
+ programs.mosh.enable = true;
 services.openssh = {
 enable = true;
 settings.PasswordAuthentication = false; |
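Review bot: `security.sudo.wheelNeedsPassword = false` in the shared server profile grants passwordless root to every `wheel` member on every host that imports it, not just the operator; lia imports this file (os/lia/configuration.nix in this change) and its users.nix puts `rohit` in `wheel` with SSH-key-only login, so a compromised key for that account is root without any further prompt. If passwordless sudo is only wanted for the operator, the targeted form already used in os/pc/modules/nopolkit.nix (`security.sudo.extraRules` with `users = [ user ]` and `options = [ "NOPASSWD" ]`) keeps the default for the other wheel members. At minimum a comment stating the trade-off, e.g. `# every wheel member can become root without a password; with PasswordAuthentication off the SSH key is the only credential`, records that this was a deliberate decision.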
