Compare commits
11 Commits
boron-nati
...
main
Author | SHA1 | Date | |
---|---|---|---|
390bdaaf51 | |||
ba9d54ddab | |||
843802bcb7 | |||
a07c493802 | |||
3a2d6f4e2e | |||
a383e013c6 | |||
ed3b9019f2 | |||
a3fd10be31 | |||
79a3c62924 | |||
0761162e34 | |||
2999a5f744 |
@ -12,7 +12,7 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- uses: DeterminateSystems/nix-installer-action@da36cb69b1c3247ad7a1f931ebfd954a1105ef14 # v14
|
||||
- uses: DeterminateSystems/nix-installer-action@b92f66560d6f97d6576405a7bae901ab57e72b6a # v15
|
||||
- uses: DeterminateSystems/magic-nix-cache-action@87b14cf437d03d37989d87f0fa5ce4f5dc1a330b # v8
|
||||
- name: lint
|
||||
run: |
|
||||
|
44
flake.lock
44
flake.lock
@ -34,11 +34,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1729826725,
|
||||
"narHash": "sha256-w3WNlYxqWYsuzm/jgFPyhncduoDNjot28aC8j39TW0U=",
|
||||
"lastModified": 1731153869,
|
||||
"narHash": "sha256-3Ftf9oqOypcEyyrWJ0baVkRpvQqroK/SVBFLvU3nPuc=",
|
||||
"owner": "lnl7",
|
||||
"repo": "nix-darwin",
|
||||
"rev": "7840909b00fbd5a183008a6eb251ea307fe4a76e",
|
||||
"rev": "5c74ab862c8070cbf6400128a1b56abb213656da",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -54,11 +54,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1729942962,
|
||||
"narHash": "sha256-xzt7tb4YUw6VZXSCGw4sukirJSfYsIcFyvmhK5KMiKw=",
|
||||
"lastModified": 1731060864,
|
||||
"narHash": "sha256-aYE7oAYZ+gPU1mPNhM0JwLAQNgjf0/JK1BF1ln2KBgk=",
|
||||
"owner": "nix-community",
|
||||
"repo": "disko",
|
||||
"rev": "58cd832497f9c87cb4889744b86aba4284fd0474",
|
||||
"rev": "5e40e02978e3bd63c2a6a9fa6fa8ba0e310e747f",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -113,11 +113,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1729894599,
|
||||
"narHash": "sha256-nL9nzNE5/re/P+zOv7NX6bRm5e+DeS1HIufQUJ01w20=",
|
||||
"lastModified": 1730837930,
|
||||
"narHash": "sha256-0kZL4m+bKBJUBQse0HanewWO0g8hDdCvBhudzxgehqc=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "93435d27d250fa986bfec6b2ff263161ff8288cb",
|
||||
"rev": "2f607e07f3ac7e53541120536708e824acccfaa8",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -128,11 +128,11 @@
|
||||
},
|
||||
"impermanence": {
|
||||
"locked": {
|
||||
"lastModified": 1729068498,
|
||||
"narHash": "sha256-C2sGRJl1EmBq0nO98TNd4cbUy20ABSgnHWXLIJQWRFA=",
|
||||
"lastModified": 1730403150,
|
||||
"narHash": "sha256-W1FH5aJ/GpRCOA7DXT/sJHFpa5r8sq2qAUncWwRZ3Gg=",
|
||||
"owner": "nix-community",
|
||||
"repo": "impermanence",
|
||||
"rev": "e337457502571b23e449bf42153d7faa10c0a562",
|
||||
"rev": "0d09341beeaa2367bac5d718df1404bf2ce45e6f",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -144,11 +144,11 @@
|
||||
},
|
||||
"nixos-hardware": {
|
||||
"locked": {
|
||||
"lastModified": 1729742320,
|
||||
"narHash": "sha256-u3Of8xRkN//me8PU+RucKA59/6RNy4B2jcGAF36P4jI=",
|
||||
"lastModified": 1730919458,
|
||||
"narHash": "sha256-yMO0T0QJlmT/x4HEyvrCyigGrdYfIXX3e5gWqB64wLg=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixos-hardware",
|
||||
"rev": "e8a2f6d5513fe7b7d15701b2d05404ffdc3b6dda",
|
||||
"rev": "e1cc1f6483393634aee94514186d21a4871e78d7",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -159,11 +159,11 @@
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1729691686,
|
||||
"narHash": "sha256-BAuPWW+9fa1moZTU+jFh+1cUtmsuF8asgzFwejM4wac=",
|
||||
"lastModified": 1730963269,
|
||||
"narHash": "sha256-rz30HrFYCHiWEBCKHMffHbMdWJ35hEkcRVU0h7ms3x0=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "32e940c7c420600ef0d1ef396dc63b04ee9cad37",
|
||||
"rev": "83fb6c028368e465cd19bb127b86f971a5e41ebc",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -175,11 +175,11 @@
|
||||
},
|
||||
"nixpkgs-unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1730411648,
|
||||
"narHash": "sha256-peNkSyOkRzR2nEi3s86xGV/6eMwO1yxRidSdItaQ+Nw=",
|
||||
"rev": "6c3f1f46fd7ce56f6949ca6f6c124a62a8740222",
|
||||
"lastModified": 1730867498,
|
||||
"narHash": "sha256-Ce3a1w7Qf+UEPjVJcXxeSiWyPMngqf1M2EIsmqiluQw=",
|
||||
"rev": "9240e11a83307a6e8cf2254340782cba4aa782fd",
|
||||
"type": "tarball",
|
||||
"url": "https://gitea.hillion.co.uk/api/v1/repos/JakeHillion/nixpkgs/archive/6c3f1f46fd7ce56f6949ca6f6c124a62a8740222.tar.gz"
|
||||
"url": "https://gitea.hillion.co.uk/api/v1/repos/JakeHillion/nixpkgs/archive/9240e11a83307a6e8cf2254340782cba4aa782fd.tar.gz"
|
||||
},
|
||||
"original": {
|
||||
"type": "tarball",
|
||||
|
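--- /dev/null
+++ b/hosts/merlin.rig.ts.hillion.co.uk/default.nix
@@ -0,0 +1,75 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports = [
+    ./disko.nix
+    ./hardware-configuration.nix
+  ];
+
+  config = {
+    system.stateVersion = "24.05";
+
+    networking.hostName = "merlin";
+    networking.domain = "rig.ts.hillion.co.uk";
+
+    boot.loader.systemd-boot.enable = true;
+    boot.loader.efi.canTouchEfiVariables = true;
+
+    boot.kernelParams = [
+      "ip=dhcp"
+
+      # zswap
+      "zswap.enabled=1"
+      "zswap.compressor=zstd"
+      "zswap.max_pool_percent=20"
+    ];
+    boot.initrd = {
+      availableKernelModules = [ "igc" ];
+      network.enable = true;
+      clevis = {
+        enable = true;
+        useTang = true;
+        devices = {
+          "disk0-crypt".secretFile = "/data/disk_encryption.jwe";
+        };
+      };
+    };
+
+    boot.kernelPackages = pkgs.linuxPackages_latest;
+
+    custom.defaults = true;
+    custom.locations.autoServe = true;
+    custom.impermanence.enable = true;
+
+    custom.users.jake.password = true;
+    security.sudo.wheelNeedsPassword = lib.mkForce true;
+
+    # Networking
+    networking = {
+      interfaces.enp171s0.name = "eth0";
+      interfaces.enp172s0.name = "eth1";
+    };
+    networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
+
+    networking.firewall = {
+      trustedInterfaces = [ "tailscale0" ];
+      allowedTCPPorts = lib.mkForce [
+        22 # SSH
+      ];
+      allowedUDPPorts = lib.mkForce [ ];
+      interfaces = {
+        eth0 = {
+          allowedTCPPorts = lib.mkForce [ ];
+          allowedUDPPorts = lib.mkForce [ ];
+        };
+      };
+    };
+
+    ## Tailscale
+    age.secrets."tailscale/merlin.rig.ts.hillion.co.uk".file = ../../secrets/tailscale/merlin.rig.ts.hillion.co.uk.age;
+    services.tailscale = {
+      enable = true;
+      authKeyFile = config.age.secrets."tailscale/merlin.rig.ts.hillion.co.uk".path;
+    };
+  };
+}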
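Review bot: The `eth0` block's `allowedTCPPorts = lib.mkForce [ ];` and `allowedUDPPorts = lib.mkForce [ ];` are no-ops, because NixOS interface-specific port lists only add to the global lists and the global `allowedTCPPorts = lib.mkForce [ 22 ]` already opens SSH on eth0 and eth1. If SSH is meant to be reachable only over Tailscale (tailscale0 is already in `trustedInterfaces`), make the global list empty, `allowedTCPPorts = lib.mkForce [ ];`, and drop the eth0 block; if LAN SSH is intended, a comment next to `22 # SSH` saying so would stop the next reader drawing the opposite conclusion from the empty eth0 lists. The same global-versus-interface pattern appears in hosts/stinger.pop.ts.hillion.co.uk/default.nix.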
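--- /dev/null
+++ b/hosts/merlin.rig.ts.hillion.co.uk/disko.nix
@@ -0,0 +1,70 @@
+{
+  disko.devices = {
+    disk = {
+      disk0 = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
+              };
+            };
+
+            disk0-crypt = {
+              size = "100%";
+              content = {
+                type = "luks";
+                name = "disk0-crypt";
+                settings = {
+                  allowDiscards = true;
+                };
+
+                content = {
+                  type = "btrfs";
+
+                  subvolumes = {
+                    "/data" = {
+                      mountpoint = "/data";
+                      mountOptions = [ "compress=zstd" "ssd" ];
+                    };
+                    "/nix" = {
+                      mountpoint = "/nix";
+                      mountOptions = [ "compress=zstd" "ssd" ];
+                    };
+                  };
+                };
+              };
+            };
+
+            swap = {
+              size = "64G";
+              content = {
+                type = "swap";
+                randomEncryption = true;
+                discardPolicy = "both";
+              };
+            };
+          };
+        };
+      };
+    };
+
+    nodev = {
+      "/" = {
+        fsType = "tmpfs";
+        mountOptions = [
+          "mode=755"
+          "size=100%"
+        ];
+      };
+    };
+  };
+}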
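Review bot: `device = "/dev/nvme0n1";` selects the disk by enumeration order, which can change when another NVMe or USB device is present at boot; disko's own guidance is to use a stable `/dev/disk/by-id/...` path so a re-run cannot partition the wrong drive. `allowDiscards = true;` passes TRIM through the LUKS layer, which reveals which blocks are unused to anyone holding the raw device; that is a common trade-off on NVMe but deserves a one-line comment, e.g. `allowDiscards = true; # TRIM leaks free-space layout through LUKS; accepted for SSD wear`. hosts/stinger.pop.ts.hillion.co.uk/disko.nix has the same content, so both points apply there too.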
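--- /dev/null
+++ b/hosts/merlin.rig.ts.hillion.co.uk/hardware-configuration.nix
@@ -0,0 +1,28 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp171s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp172s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp173s0f0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}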
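--- /dev/null
+++ b/hosts/merlin.rig.ts.hillion.co.uk/system
@@ -0,0 +1 @@
+x86_64-linux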
@ -45,12 +45,9 @@
|
||||
networking.firewall.interfaces = {
|
||||
"eth0" = {
|
||||
allowedUDPPorts = [
|
||||
5353 # HomeKit
|
||||
];
|
||||
allowedTCPPorts = [
|
||||
1400 # HA Sonos
|
||||
7654 # Tang
|
||||
21063 # HomeKit
|
||||
];
|
||||
};
|
||||
};
|
||||
|
@ -90,7 +90,7 @@ in
|
||||
in
|
||||
builtins.map (mkFolder) folderNames;
|
||||
};
|
||||
services.resilio.directoryRoot = "/${zpool_name}/users/jake/sync";
|
||||
services.resilio.directoryRoot = "/${zpool_name}/sync";
|
||||
|
||||
## Chia
|
||||
age.secrets."chia/farmer.key" = {
|
||||
|
@ -67,7 +67,6 @@
|
||||
# still possible to use this option, but it's recommended to use it in conjunction
|
||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||
networking.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.enp201s0f3u2u3.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.enp5s0.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.enp6s0.useDHCP = lib.mkDefault true;
|
||||
|
@ -229,6 +229,8 @@
|
||||
{ hostname = "sodium"; hw-address = "d8:3a:dd:c3:d6:2b"; }
|
||||
{ hostname = "gendry"; hw-address = "18:c0:4d:35:60:1e"; }
|
||||
{ hostname = "phoenix"; hw-address = "a8:b8:e0:04:17:a5"; }
|
||||
{ hostname = "merlin"; hw-address = "b0:41:6f:13:20:14"; }
|
||||
{ hostname = "stinger"; hw-address = "7c:83:34:be:30:dd"; }
|
||||
]);
|
||||
}
|
||||
{
|
||||
|
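--- /dev/null
+++ b/hosts/stinger.pop.ts.hillion.co.uk/default.nix
@@ -0,0 +1,84 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports = [
+    ./disko.nix
+    ./hardware-configuration.nix
+  ];
+
+  config = {
+    system.stateVersion = "24.05";
+
+    networking.hostName = "stinger";
+    networking.domain = "pop.ts.hillion.co.uk";
+
+    boot.loader.systemd-boot.enable = true;
+    boot.loader.efi.canTouchEfiVariables = true;
+
+    boot.kernelParams = [
+      "ip=dhcp"
+
+      # zswap
+      "zswap.enabled=1"
+      "zswap.compressor=zstd"
+      "zswap.max_pool_percent=20"
+    ];
+    boot.initrd = {
+      availableKernelModules = [ "r8169" ];
+      network.enable = true;
+      clevis = {
+        enable = true;
+        useTang = true;
+        devices = {
+          "disk0-crypt".secretFile = "/data/disk_encryption.jwe";
+        };
+      };
+    };
+
+    custom.defaults = true;
+    custom.locations.autoServe = true;
+    custom.impermanence.enable = true;
+
+    hardware = {
+      bluetooth.enable = true;
+    };
+
+    # Networking
+    networking = {
+      interfaces.enp1s0.name = "eth0";
+      vlans = {
+        iot = {
+          id = 2;
+          interface = "eth0";
+        };
+      };
+    };
+    networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
+
+    networking.firewall = {
+      trustedInterfaces = [ "tailscale0" ];
+      allowedTCPPorts = lib.mkForce [
+        22 # SSH
+      ];
+      allowedUDPPorts = lib.mkForce [ ];
+      interfaces = {
+        eth0 = {
+          allowedTCPPorts = lib.mkForce [
+            1400 # HA Sonos
+            21063 # HomeKit
+          ];
+          allowedUDPPorts = lib.mkForce [
+            5353 # HomeKit
+          ];
+        };
+      };
+    };
+
+    ## Tailscale
+    age.secrets."tailscale/stinger.pop.ts.hillion.co.uk".file = ../../secrets/tailscale/stinger.pop.ts.hillion.co.uk.age;
+    services.tailscale = {
+      enable = true;
+      authKeyFile = config.age.secrets."tailscale/stinger.pop.ts.hillion.co.uk".path;
+    };
+  };
+}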
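Review bot: The global `allowedTCPPorts = lib.mkForce [ 22 ]` opens SSH on every interface, including the new `iot` VLAN declared under `networking.vlans`, because the per-interface lists under `interfaces.eth0` only add to the global list; if IoT devices should not reach SSH, move 22 to `interfaces.eth0.allowedTCPPorts` (tailscale0 is already trusted) and leave the global list empty. The HomeKit and Sonos ports are opened on eth0 only, so if those devices live on the iot VLAN they will need an `interfaces.iot` entry instead; worth confirming against the network plan. Separately, initrd unlock depends on `useTang = true` with `boot.initrd.network.enable = true` and `ip=dhcp`, so the Tang server must be reachable over the plain LAN before Tailscale exists, and another hunk in this compare removes TCP 7654 (Tang) from a different host's eth0 firewall, so check that the Tang endpoint the JWE was bound to is still reachable from both new hosts' initrd. A comment such as `# JWE bound to tang at <tang-host>:7654; must be reachable over eth0 from the initrd` would make that boot-time dependency visible.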
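--- /dev/null
+++ b/hosts/stinger.pop.ts.hillion.co.uk/disko.nix
@@ -0,0 +1,70 @@
+{
+  disko.devices = {
+    disk = {
+      disk0 = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
+              };
+            };
+
+            disk0-crypt = {
+              size = "100%";
+              content = {
+                type = "luks";
+                name = "disk0-crypt";
+                settings = {
+                  allowDiscards = true;
+                };
+
+                content = {
+                  type = "btrfs";
+
+                  subvolumes = {
+                    "/data" = {
+                      mountpoint = "/data";
+                      mountOptions = [ "compress=zstd" "ssd" ];
+                    };
+                    "/nix" = {
+                      mountpoint = "/nix";
+                      mountOptions = [ "compress=zstd" "ssd" ];
+                    };
+                  };
+                };
+              };
+            };
+
+            swap = {
+              size = "64G";
+              content = {
+                type = "swap";
+                randomEncryption = true;
+                discardPolicy = "both";
+              };
+            };
+          };
+        };
+      };
+    };
+
+    nodev = {
+      "/" = {
+        fsType = "tmpfs";
+        mountOptions = [
+          "mode=755"
+          "size=100%"
+        ];
+      };
+    };
+  };
+}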
@ -0,0 +1,28 @@
|
||||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||
# still possible to use this option, but it's recommended to use it in conjunction
|
||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||
networking.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.enp0s20f0u2.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||
}
|
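--- /dev/null
+++ b/hosts/stinger.pop.ts.hillion.co.uk/system
@@ -0,0 +1 @@
+x86_64-linux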
@ -2,7 +2,7 @@
|
||||
|
||||
{
|
||||
imports = [
|
||||
./git.nix
|
||||
./git/default.nix
|
||||
./homeassistant.nix
|
||||
./matrix.nix
|
||||
];
|
||||
|
@ -15,9 +15,9 @@ in
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
age.secrets."git/git_backups_ecdsa".file = ../../secrets/git/git_backups_ecdsa.age;
|
||||
age.secrets."git/git_backups_remotes".file = ../../secrets/git/git_backups_remotes.age;
|
||||
age.secrets."git-backups/restic/128G".file = ../../secrets/restic/128G.age;
|
||||
age.secrets."git/git_backups_ecdsa".file = ../../../secrets/git/git_backups_ecdsa.age;
|
||||
age.secrets."git/git_backups_remotes".file = ../../../secrets/git/git_backups_remotes.age;
|
||||
age.secrets."git-backups/restic/128G".file = ../../../secrets/restic/128G.age;
|
||||
|
||||
systemd.services.backup-git = {
|
||||
description = "Git repo backup service.";
|
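--- /dev/null
+++ b/modules/backups/git/id_ecdsa.pub
@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIc3WVROMCifYtqHRWf5gZAOQFdpbcSYOC0JckKzUVM5sGdXtw3VXNiVqY3npdMizS4e1V8Hh77UecD3q9CLkMA= backups-git@nixos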
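Review bot: This public key is ECDSA P-256 while every other key visible in this compare (the host keys in secrets.nix) is ed25519; unless the remotes that receive it require ECDSA, an ed25519 pair would keep the repository consistent. Nothing in the visible hunks of modules/backups/git/default.nix references this file, and the matching private key is only identifiable by name (`git/git_backups_ecdsa.age`), so a one-line note in that module, or a more descriptive key comment than `backups-git@nixos`, saying which remotes the key is authorised on would help whoever rotates it later.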
@ -14,9 +14,21 @@ in
|
||||
owner = "hass";
|
||||
group = "hass";
|
||||
};
|
||||
age.secrets."backups/homeassistant/restic/1.6T" = {
|
||||
file = ../../secrets/restic/1.6T.age;
|
||||
owner = "postgres";
|
||||
group = "postgres";
|
||||
};
|
||||
|
||||
services = {
|
||||
restic.backups."homeassistant" = {
|
||||
postgresqlBackup = {
|
||||
enable = true;
|
||||
compression = "none"; # for better diffing
|
||||
databases = [ "homeassistant" ];
|
||||
};
|
||||
|
||||
restic.backups = {
|
||||
"homeassistant-config" = {
|
||||
user = "hass";
|
||||
timerConfig = {
|
||||
OnCalendar = "03:00";
|
||||
@ -28,6 +40,19 @@ in
|
||||
config.services.home-assistant.configDir
|
||||
];
|
||||
};
|
||||
"homeassistant-database" = {
|
||||
user = "postgres";
|
||||
timerConfig = {
|
||||
OnCalendar = "03:00";
|
||||
RandomizedDelaySec = "60m";
|
||||
};
|
||||
repository = "rest:https://restic.ts.hillion.co.uk/1.6T";
|
||||
passwordFile = config.age.secrets."backups/homeassistant/restic/1.6T".path;
|
||||
paths = [
|
||||
"${config.services.postgresqlBackup.location}/homeassistant.sql"
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
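Review bot: The new `homeassistant-database` job snapshots `${config.services.postgresqlBackup.location}/homeassistant.sql` on its own 03:00 timer with up to 60 minutes of random delay, but nothing in this hunk orders it after the postgresqlBackup service that writes that file, and that service's schedule is not set here, so restic can capture a dump that is partially written or a day stale. Either trigger the dump from the restic job via `backupPrepareCommand` (the job runs as `postgres`, so starting a system unit from there needs to be arranged) or document on the timer why the dump is guaranteed to finish before 03:00. `compression = "none"; # for better diffing` also leaves a plaintext SQL dump of the Home Assistant database on disk between runs; extend the comment to say that this is accepted and that the location is covered by the persistence and permission policy. The enclosing `config` attribute set starts before the first hunk of this file.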
@ -4,6 +4,7 @@
|
||||
options.custom.defaults = lib.mkEnableOption "defaults";
|
||||
|
||||
config = lib.mkIf config.custom.defaults {
|
||||
hardware.enableAllFirmware = true;
|
||||
nix = {
|
||||
settings.experimental-features = [ "nix-command" "flakes" ];
|
||||
settings = {
|
||||
|
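Review bot: `hardware.enableAllFirmware = true;` is the widest firmware option: as far as I recall it implies `enableRedistributableFirmware` and additionally pulls in non-redistributable blobs, which needs unfree packages allowed, while the two new hosts in this compare only consume `config.hardware.enableRedistributableFirmware` in their hardware-configuration.nix. Unless a specific device needs a non-redistributable blob, `hardware.enableRedistributableFirmware = true;` is the narrower choice; if the wider set is needed, a comment naming the device, e.g. `hardware.enableAllFirmware = true; # needed for <device> on <host>`, would justify it. The enclosing `config = lib.mkIf config.custom.defaults { … }` block continues past the hunk.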
@ -50,6 +50,10 @@ in
|
||||
pop = {
|
||||
li = "100.106.87.35";
|
||||
sodium = "100.87.188.4";
|
||||
stinger = "100.117.89.126";
|
||||
};
|
||||
rig = {
|
||||
merlin = "100.69.181.56";
|
||||
};
|
||||
st = {
|
||||
phoenix = "100.92.37.106";
|
||||
@ -79,6 +83,10 @@ in
|
||||
pop = {
|
||||
li = "fd7a:115c:a1e0::e701:5723";
|
||||
sodium = "fd7a:115c:a1e0::3701:bc04";
|
||||
stinger = "fd7a:115c:a1e0::8401:597e";
|
||||
};
|
||||
rig = {
|
||||
merlin = "fd7a:115c:a1e0::8d01:b538";
|
||||
};
|
||||
st = {
|
||||
phoenix = "fd7a:115c:a1e0::6901:256a";
|
||||
|
@ -50,10 +50,18 @@ in
|
||||
path = lib.mkOverride 999 "/data/chia";
|
||||
};
|
||||
|
||||
services.resilio = lib.mkIf config.services.resilio.enable {
|
||||
directoryRoot = lib.mkOverride 999 "${cfg.base}/sync";
|
||||
};
|
||||
|
||||
services.plex = lib.mkIf config.services.plex.enable {
|
||||
dataDir = lib.mkOverride 999 "/data/plex";
|
||||
};
|
||||
|
||||
services.home-assistant = lib.mkIf config.services.home-assistant.enable {
|
||||
configDir = lib.mkOverride 999 "/data/home-assistant";
|
||||
};
|
||||
|
||||
environment.persistence = lib.mkMerge [
|
||||
{
|
||||
"${cfg.base}/system" = {
|
||||
|
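Review bot: The new `services.home-assistant` override hard-codes `"/data/home-assistant"` while the `services.resilio` entry a few lines up derives its path from `${cfg.base}`, and `services.plex` and the chia path do the same hard-coding; if `cfg.base` can ever differ from `/data`, the home-assistant config would land outside the persisted tree this module manages. For consistency use `configDir = lib.mkOverride 999 "${cfg.base}/home-assistant";`, or add a comment explaining why these paths are intentionally fixed. The enclosing block starts before the hunk.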
@ -22,7 +22,7 @@ in
|
||||
authoritative_dns = [ "boron.cx.ts.hillion.co.uk" ];
|
||||
downloads = "phoenix.st.ts.hillion.co.uk";
|
||||
gitea = "boron.cx.ts.hillion.co.uk";
|
||||
homeassistant = "microserver.home.ts.hillion.co.uk";
|
||||
homeassistant = "stinger.pop.ts.hillion.co.uk";
|
||||
mastodon = "";
|
||||
matrix = "boron.cx.ts.hillion.co.uk";
|
||||
prometheus = "boron.cx.ts.hillion.co.uk";
|
||||
|
@ -1,9 +1,12 @@
|
||||
{ pkgs, lib, config, ... }:
|
||||
{ pkgs, lib, config, nixpkgs-unstable, ... }:
|
||||
|
||||
let
|
||||
cfg = config.custom.resilio;
|
||||
in
|
||||
{
|
||||
imports = [ "${nixpkgs-unstable}/nixos/modules/services/networking/resilio.nix" ];
|
||||
disabledModules = [ "services/networking/resilio.nix" ];
|
||||
|
||||
options.custom.resilio = {
|
||||
enable = lib.mkEnableOption "resilio";
|
||||
|
||||
|
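Review bot: `imports = [ "${nixpkgs-unstable}/nixos/modules/services/networking/resilio.nix" ];` together with `disabledModules` swaps in the module definition from a second nixpkgs input, but nothing says why, and the module presumably still resolves `pkgs.resilio-sync` from the stable `pkgs`, so module and package can drift apart when only one input is bumped. Add a comment above the import such as `# Use the resilio module from nixpkgs-unstable: <reason>; drop once the stable module catches up`. Note also that `nixpkgs-unstable` in flake.lock is a tarball from a self-hosted fork pinned by narHash, so this line is where a future pin review should look. The `options.custom.resilio` block continues past the hunk.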
@ -15,6 +15,8 @@ in
|
||||
"138.201.252.214/32"
|
||||
"10.64.50.26/32"
|
||||
"10.64.50.27/32"
|
||||
"10.64.50.28/32"
|
||||
"10.64.50.29/32"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
@ -24,12 +24,14 @@ let
|
||||
pop = {
|
||||
li = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQWgcDFL9UZBDKHPiEGepT1Qsc4gz3Pee0/XVHJ6V6u root@li";
|
||||
sodium = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQmG7v/XrinPmkTU2eIoISuU3+hoV4h60Bmbwd+xDjr root@sodium";
|
||||
stinger = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID28NGGSaK1OtpQkQnYqSZWSahX25uboiHwhsYQoKKbL root@stinger";
|
||||
};
|
||||
terminals = { jakehillion = { gendry = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPXM5aDvNv4MTITXAvJWSS2yvr/mbxJE31tgwJtcl38c root@gendry"; }; };
|
||||
rig = { merlin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN99UrXe3puoW0Jr1bSPRHL6ImLZD9A9sXeE54JFggIC root@merlin"; };
|
||||
st = { phoenix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBPQcp9MzabvwbViNmILVNfipMUnwV+5okRfhOuV7+Mt root@phoenix"; };
|
||||
storage = {
|
||||
theon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN59psLVu3/sQORA4x3p8H3ei8MCQlcwX5T+k3kBeBMf root@theon";
|
||||
};
|
||||
terminals = { jakehillion = { gendry = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPXM5aDvNv4MTITXAvJWSS2yvr/mbxJE31tgwJtcl38c root@gendry"; }; };
|
||||
};
|
||||
};
|
||||
};
|
||||
@ -42,10 +44,11 @@ in
|
||||
{
|
||||
# User Passwords
|
||||
"passwords/jake.age".publicKeys = jake_users ++ [
|
||||
ts.terminals.jakehillion.gendry
|
||||
ts.home.router
|
||||
ts.lt.be
|
||||
ts.rig.merlin
|
||||
ts.st.phoenix
|
||||
ts.terminals.jakehillion.gendry
|
||||
];
|
||||
|
||||
# Tailscale Pre-Auth Keys
|
||||
@ -53,10 +56,12 @@ in
|
||||
"tailscale/boron.cx.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.cx.boron ];
|
||||
"tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.terminals.jakehillion.gendry ];
|
||||
"tailscale/li.pop.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.pop.li ];
|
||||
"tailscale/merlin.rig.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.rig.merlin ];
|
||||
"tailscale/microserver.home.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.home.microserver ];
|
||||
"tailscale/phoenix.st.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.st.phoenix ];
|
||||
"tailscale/router.home.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.home.router ];
|
||||
"tailscale/sodium.pop.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.pop.sodium ];
|
||||
"tailscale/stinger.pop.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.pop.stinger ];
|
||||
"tailscale/theon.storage.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.storage.theon ];
|
||||
|
||||
# WiFi Environment Files
|
||||
@ -84,11 +89,11 @@ in
|
||||
"matrix/matrix.hillion.co.uk/syncv3_secret.age".publicKeys = jake_users ++ [ ts.cx.boron ];
|
||||
|
||||
# Backups Secrets
|
||||
"restic/128G.age".publicKeys = jake_users ++ [ ts.st.phoenix ts.cx.boron ts.home.microserver ];
|
||||
"restic/128G.age".publicKeys = jake_users ++ [ ts.st.phoenix ts.cx.boron ts.pop.stinger ];
|
||||
"restic/128G-wasabi.env.age".publicKeys = jake_users ++ [ ts.st.phoenix ];
|
||||
"restic/128G-backblaze.env.age".publicKeys = jake_users ++ [ ts.st.phoenix ];
|
||||
|
||||
"restic/1.6T.age".publicKeys = jake_users ++ [ ts.st.phoenix ts.home.router ];
|
||||
"restic/1.6T.age".publicKeys = jake_users ++ [ ts.st.phoenix ts.home.router ts.pop.stinger ];
|
||||
"restic/1.6T-wasabi.env.age".publicKeys = jake_users ++ [ ts.st.phoenix ];
|
||||
"restic/1.6T-backblaze.env.age".publicKeys = jake_users ++ [ ts.st.phoenix ];
|
||||
|
||||
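Review bot: Removing `ts.home.microserver` from `restic/128G.age` here and from `homeassistant/secrets.yaml.age` further down changes who future re-encryptions target, but it does not revoke microserver's ability to decrypt the ciphertext already committed in git history, and agenix only re-keys existing files when `agenix -r` is run. The five "Binary file not shown." entries in this compare are presumably the re-keyed `.age` files; confirm that `restic/128G.age`, `restic/1.6T.age`, `homeassistant/secrets.yaml.age` and `passwords/jake.age` are among them, and if microserver is being retired rather than rebuilt, rotate the restic repository passwords and the Home Assistant secrets themselves instead of only re-keying. A comment at the top of the backups section recording that decision, e.g. `# <date>: homeassistant/restic moved microserver -> stinger; files re-keyed, passwords rotated`, would leave an audit trail next to the recipient lists.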
@ -130,7 +135,7 @@ in
|
||||
"gitea/actions/boron.age".publicKeys = jake_users ++ [ ts.cx.boron ];
|
||||
|
||||
# HomeAssistant Secrets
|
||||
"homeassistant/secrets.yaml.age".publicKeys = jake_users ++ [ ts.home.microserver ];
|
||||
"homeassistant/secrets.yaml.age".publicKeys = jake_users ++ [ ts.pop.stinger ];
|
||||
|
||||
# Web certificates
|
||||
"certs/hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.boron ];
|
||||
|
31
secrets/tailscale/merlin.rig.ts.hillion.co.uk.age
Normal file
31
secrets/tailscale/merlin.rig.ts.hillion.co.uk.age
Normal file
@ -0,0 +1,31 @@
|
||||
age-encryption.org/v1
|
||||
-> ssh-rsa JSzstA
|
||||
Vj60ZJQry8CORPuKGalgBn5TNyPZ8124gjq7oRCZXWLWQxsG/7CYJgNW7rqIWI35
|
||||
QECakNvQz4GfbnKAa8XLQVlKXQow4FeY3M0UPoXdha1udhgdvk4IA9HjrGaCU+xK
|
||||
NabjYDyHMcg004V2l4a72GZF6YEgqnZLFQff2xiYQ6dTisloMq560n4ZC7SXBkuw
|
||||
oAS73wenS+3TQb80j4+4E/7+QmQlEcaAo7MZMLE8Oa8EraTxU4E2l1QCFNvdNLrg
|
||||
19xqiZXMDgMMOmuz+bkrtsNRMd/2fmguWe6Te1JXAAQkNKtFCswgrp62yVg8VH9K
|
||||
stJMT9M3h2YkJGcmUNUw5cjUJE1ByA/NW/QLSHXMUqNvStPTZQC5WvaeMcRnktxR
|
||||
z5KcpvT5xPFbanTd1E94ix2m3I0S9153WoXalzhr/dpJkR4WokVgUHdVDWCtxMPz
|
||||
hT8SAjlsqRY/ONKdTXoiuP+XT4BSLN1zkiziLC5IYvLWAw3Ha2/+gbfOweppxgLO
|
||||
TetT2v83mmSboUIiDr62XaRnx6IBQnXMC5ojC88Ts1p/P75RTWIeO6tScY5+DdSa
|
||||
mFvvl5HAZrJ8K9IAjasff8Uywor799sRVXesZ5xNEVFjeBzY21GgPXsWL5QQ+sB8
|
||||
tCxWqBVrG1/4ZT9yNznpQFKrMpnvOXySzo/3X3rkG7k
|
||||
-> ssh-rsa GxPFJQ
|
||||
gqtoNF2H7yYBWLLNN7vqLf72a15FJXOnWCOehy/otuCHuxkyp7GWI2o0IYbf00LC
|
||||
ztVCAnMG55hqm0aApzh3+2B55kzLLWlZ41z7J0Zv7euZCaiONIxn/5MeNKIKH3xq
|
||||
BbKBHAFwtsPrNVWg1T6pCI0DESJRgFsi6wtybcCrnY4B2zb7/YxHM1lBGWkB5Bzh
|
||||
T6GGN0mSLKI8XyWRDGkXVA96oqRgbMEnQo7SpWcJJ+bvFIZjXsJP7Dfj3ZI76Qwv
|
||||
+jcDTGDogpezIop9hssULyl3S84lkb2UBNJgXFAaONOSoUDZ7CqDdbHTA6ZRl+NI
|
||||
8rUMZ40ksPdWhRV3zpUn2w
|
||||
-> ssh-rsa K9mW1w
|
||||
b/kL9nAgHGDs6bodtMBT363Mq8FrTKOISajIYB0v2gvc3fiEeFv2BPsy81QfiD7v
|
||||
gmtS0huJs+T/oan/M2Uznt2XfuQVZ3m0Snx0gDR0FEFCUa8f41djGQoxO9+LABp2
|
||||
1C9VFxlytGMtBnU+/9ZyeLdJL5BCRdYRuXe3lOixG2N6we++JjCLFsrXjBNLvZHb
|
||||
d2LzvybVbgkXHx47lrbJRVT31z1zlM8XAvGq1reGkADlaIDqkaWu5f5zLjWwO+do
|
||||
KaL0/DuojOOyLqLJmMseOiH/qGue0KL0HFrxsz452xBSZZKFFmidi4Mh9UdJBG8L
|
||||
jNHOOJV8OvJRYZt0wWu8Gg
|
||||
-> ssh-ed25519 6tJ2Ww YESYsdZhznbNHdjzq2hp43u3iRsm2Jw7BEPARsgM/HY
|
||||
fIlB0707w3zq2pXV5BndEeg95Mr0EeyOsdQr3nHdpxo
|
||||
--- xMvjiEEiIGADQMIvMPyykndxIvX517CVarOFBr8CJR4
|
||||
Ó‰¸¯B\¿üŠÛ)UÍÎö´ÞàÌ¢ï§Éx¸£¡ãnT<6E>“2†ŠU,§ùËsÝ|Oö4e¼ÑeÅ=1àù ê2`6Õðµ°(xR%"ÿu¼$r›<72>§GμµTu:
X
|
31
secrets/tailscale/stinger.pop.ts.hillion.co.uk.age
Normal file
31
secrets/tailscale/stinger.pop.ts.hillion.co.uk.age
Normal file
@ -0,0 +1,31 @@
|
||||
age-encryption.org/v1
|
||||
-> ssh-rsa JSzstA
|
||||
T80Ll0LkBPpkTCjsez+zE4FzosiZYcyd/u1sarG1g9tmTIkjhwMKLYjfYPHbZfKx
|
||||
1lua7fZWeLZhKKHy8nDbOLgKC4sqrTxl/zopjywzp+1dSKm8ZtjWDk+uvrBY0gNk
|
||||
G8c9yip7lnSGBB6rzDnCFgHfYXZJ93YMcGxNMVPrPKzW9YSbCacCh3fRCRxYE9rY
|
||||
7ewLMuac3Ti/7DsrnFQUY8RHMqAz9hGMMXXXq1da5OXdGgf4l6LMurSZQKE3BmNI
|
||||
vKwYrdVBQvql02nunB1h0PdhG8tdAwVOXtUi6zTlH4irwweoQBEvny+v44JDp5vl
|
||||
tchI3X1BOHisTBCno1DXlLPjrcabVLfm1nQ8NDnscDoWjgmtaFhLtI6yDBO3328t
|
||||
zzwLGTZi8ABzSowP2GtVvfDYxCjrNaKXa5rc6Ip9C98vJ6N3ZGlC7yXLet7hHiuI
|
||||
1Evr9fMgXXdGIDxBdQDSFAQmIj4lrSnnzAj08gMdsKFdxG3xN9Y2ZeymT3AZ3bBQ
|
||||
sS3KfFHy05uENSak+NBGU8YifUymq/U3/Yg2vZF4rVaGewC24pONbiFTQl58KEt8
|
||||
T8LRoQNmuqpVXpj4vPgQ4nEO+8Y8i8aq3d1bqnm2+jMa5KKLmil2ilVzjbKJ9nzC
|
||||
ZmsRSYv1hLC/r6lBp8ICa9Pe6XzYpgl3/FaPqc/Mdj4
|
||||
-> ssh-rsa GxPFJQ
|
||||
rWXbLajz8BnDwc0HyWoO49lrC2sjBJq+UDWerQnCKJjWfTKpDZr1t8/Z7jWQifTm
|
||||
J2fG+nZ94M76QaPXDsEZCCHooXvcAfvAuoDfURVTXM7IIAwH3hl1esz+v/sIVV3Z
|
||||
AWaXSiJBe6k84HC4Kz8+Tv6J955nusAm9Lxso3dTfT9Uvf9D+iRV8OxejZSJVwEA
|
||||
lvU9Fh3U5+9CRPu5B4Ec67ShAHA7NWEzdM4KoNORLyADuQQ/LJv8LBbNMe14GWxc
|
||||
eLrp+X1UJ8R2NspdlLdLJdAJIR/OZRS89RPPzVMo5+WeglrOBEUDrFdNIkVpOGLR
|
||||
/EgxwNZkRKy+1zLZNICTaw
|
||||
-> ssh-rsa K9mW1w
|
||||
f20zvTnXg7X0rUVE4KRFZBffQFE+m8LvqHxCVuRikGg2H/xB4chKdLUJpTj1AR/I
|
||||
c8TW1+KpUSoqNMN6NBGe//YCXPnLEgGwXIp/8+e3JoPVG0JELwAGN5nU6iLmhWzH
|
||||
ya7upzNnRAGXhSJThRPQfDGbJAIOhhwhSVmOke6umf49xmyZ+/K6i+vtDhYTJhrA
|
||||
NJ9GBebKEFeZmn2bvoWUZV5ZE2jZZ0l+f5gjLw+e8+STEgq7kg/vPLLRDVhs5VYV
|
||||
mlRqmCJw2FO0+VJwxaHmVxlf8dKVC/woKNLxvrM1dkSIUKt5v7kZnrwlpSH8SoJ+
|
||||
HHvU7VZdU3Gvz7XqQLp0PQ
|
||||
-> ssh-ed25519 IrNzWQ +cAZF1BJiJGsWcB5Ss2QMxb4u2DiksWVgyCMVERppE0
|
||||
4ztuTfGdvFKhUh26r8baU2nP9tWobaV7Yi6kpILs6VM
|
||||
--- 0iwk2L+KkUhW4e4wKOgLiU7YsWEXsKC+cJNPJiXvWAA
|
||||
¸×zšÝœË[ajF…b<E280A6> ¢ÌA¹–MÍt?“…r<14>Ìi_¹Øã
[ö¸ªeŸ>(Ö9ÑN§ÿžž:›U™Bidžë
®~#yrßè<C39F>Õ¿ˆš[îKñŒm¬
|