JakeHillion/nixos
1
0
Fork 0
Code Issues 7 Pull Requests 5 Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: JakeHillion:boron-tpm
Branches Tags
JakeHillion:main
JakeHillion:renovate/lock-file-maintenance
JakeHillion:ollama
JakeHillion:inventree
JakeHillion:frigate
JakeHillion:sponsorblock
JakeHillion:boron-sync
JakeHillion:ha-lr-hue
JakeHillion:laptop-battery
JakeHillion:rpi-ccache
JakeHillion:boron-native
JakeHillion:boron-tpm
JakeHillion:deploy-rs
JakeHillion:vms
JakeHillion:auto-updates
JakeHillion:he
JakeHillion:node-red
JakeHillion:radius
JakeHillion:images
JakeHillion:mediaserver
JakeHillion:storj-gui
JakeHillion:booted/sodium.pop.ts.hillion.co.uk
JakeHillion:current/sodium.pop.ts.hillion.co.uk
JakeHillion:current/boron.cx.ts.hillion.co.uk
JakeHillion:current/microserver.home.ts.hillion.co.uk
JakeHillion:booted/theon.storage.ts.hillion.co.uk
JakeHillion:current/theon.storage.ts.hillion.co.uk
JakeHillion:current/router.home.ts.hillion.co.uk
JakeHillion:booted/li.pop.ts.hillion.co.uk
JakeHillion:current/li.pop.ts.hillion.co.uk
JakeHillion:booted/tywin.storage.ts.hillion.co.uk
JakeHillion:current/tywin.storage.ts.hillion.co.uk
JakeHillion:booted/boron.cx.ts.hillion.co.uk
JakeHillion:booted/be.lt.ts.hillion.co.uk
JakeHillion:current/be.lt.ts.hillion.co.uk
JakeHillion:booted/gendry.jakehillion-terminals.ts.hillion.co.uk
JakeHillion:current/gendry.jakehillion-terminals.ts.hillion.co.uk
JakeHillion:booted/router.home.ts.hillion.co.uk
JakeHillion:booted/microserver.home.ts.hillion.co.uk
...
pull from: JakeHillion:main
Branches Tags
JakeHillion:renovate/lock-file-maintenance
JakeHillion:main
JakeHillion:ollama
JakeHillion:inventree
JakeHillion:frigate
JakeHillion:sponsorblock
JakeHillion:boron-sync
JakeHillion:ha-lr-hue
JakeHillion:laptop-battery
JakeHillion:rpi-ccache
JakeHillion:boron-native
JakeHillion:boron-tpm
JakeHillion:deploy-rs
JakeHillion:vms
JakeHillion:auto-updates
JakeHillion:he
JakeHillion:node-red
JakeHillion:radius
JakeHillion:images
JakeHillion:mediaserver
JakeHillion:storj-gui
JakeHillion:booted/sodium.pop.ts.hillion.co.uk
JakeHillion:current/sodium.pop.ts.hillion.co.uk
JakeHillion:current/boron.cx.ts.hillion.co.uk
JakeHillion:current/microserver.home.ts.hillion.co.uk
JakeHillion:booted/theon.storage.ts.hillion.co.uk
JakeHillion:current/theon.storage.ts.hillion.co.uk
JakeHillion:current/router.home.ts.hillion.co.uk
JakeHillion:booted/li.pop.ts.hillion.co.uk
JakeHillion:current/li.pop.ts.hillion.co.uk
JakeHillion:booted/tywin.storage.ts.hillion.co.uk
JakeHillion:current/tywin.storage.ts.hillion.co.uk
JakeHillion:booted/boron.cx.ts.hillion.co.uk
JakeHillion:booted/be.lt.ts.hillion.co.uk
JakeHillion:current/be.lt.ts.hillion.co.uk
JakeHillion:booted/gendry.jakehillion-terminals.ts.hillion.co.uk
JakeHillion:current/gendry.jakehillion-terminals.ts.hillion.co.uk
JakeHillion:booted/router.home.ts.hillion.co.uk
JakeHillion:booted/microserver.home.ts.hillion.co.uk

68 Commits
boron-tpm ... main

Author SHA1 Message Date
Jake Hillion
d5c2f8d543 router: setup cameras vlan
All checks were successful
flake / flake (push) Successful in 1m15s
Details
2024-09-17 09:20:27 +01:00
Renovate Bot
1189a41df9 chore(deps): lock file maintenance
All checks were successful
flake / flake (push) Successful in 1m43s
Details
2024-09-15 16:01:08 +00:00
Jake Hillion
39730d2ec3 macbook: add shell utilities
All checks were successful
flake / flake (push) Successful in 1m16s
Details
2024-09-14 02:39:26 +01:00
Jake Hillion
ac6f285400 resilio: require mounts be available
All checks were successful
flake / flake (push) Successful in 1m15s
Details 
Without this resilio fails on boot on tywin.storage where the paths are
on a ZFS array which gets mounted reliably later than the resilio
service attempts to start.
 2024-09-14 02:30:20 +01:00
Renovate Bot
e4b8fd7438 chore(deps): update determinatesystems/nix-installer-action action to v14
All checks were successful
flake / flake (push) Successful in 1m27s
Details
2024-09-10 00:00:51 +00:00
Renovate Bot
24be3394bc chore(deps): update determinatesystems/magic-nix-cache-action action to v8
All checks were successful
flake / flake (push) Successful in 1m13s
Details
2024-09-09 23:00:50 +00:00
Jake Hillion
ba053c539c boron: enable podman
All checks were successful
flake / flake (push) Successful in 1m13s
Details
2024-09-06 19:04:25 +01:00
Jake Hillion
3aeeb69c2b nix-darwin: add macbook
All checks were successful
flake / flake (push) Successful in 1m13s
Details
2024-09-05 00:50:02 +01:00
Jake Hillion
85246af424 caddy: update to unstable
All checks were successful
flake / flake (push) Successful in 1m13s
Details 
The default config for automatic ACME no longer works in Caddy <2.8.0.
This is due to changes with ZeroSSL's auth. Update to unstable Caddy
which is new enough to renew certs again.

Context: https://github.com/caddyserver/caddy/releases/tag/v2.8.0

Add `pkgs.unstable` as an overlay as recommended on the NixOS wiki. This
is needed here as Caddy must be runnable on all architectures.
 2024-09-05 00:04:08 +01:00
Renovate Bot
ba7a39b66e chore(deps): pin dependencies
All checks were successful
flake / flake (push) Successful in 1m16s
Details
2024-09-02 23:00:12 +00:00
Jake Hillion
df31ebebf8 boron: bump tmpfs to 100% of RAM
All checks were successful
flake / flake (push) Successful in 1m18s
Details
2024-08-31 22:04:38 +01:00
Renovate Bot
2f3a33ad8e chore(deps): lock file maintenance
All checks were successful
flake / flake (push) Successful in 1m15s
Details
2024-08-30 19:01:46 +00:00
Jake Hillion
343b34b4dc boron: support sched_ext in kernel
All checks were successful
flake / flake (push) Successful in 1m45s
Details
2024-08-30 18:52:31 +01:00
Jake Hillion
264799952e bathroom_light: trust switchbot if more recently updated
All checks were successful
flake / flake (push) Successful in 1m13s
Details
2024-08-30 18:46:38 +01:00
Jake Hillion
5cef32cf1e gitea actions: use cache for nix
All checks were successful
flake / flake (push) Successful in 1m15s
Details
2024-08-30 18:39:02 +01:00
Jake Hillion
6cc70e117d tywin: mount d7
All checks were successful
flake / flake (push) Successful in 1m14s
Details
2024-08-22 15:17:11 +01:00
Jake Hillion
a52aed5778 gendry: use zram swap
All checks were successful
flake / flake (push) Successful in 1m14s
Details
2024-08-18 13:51:28 +01:00
Renovate Bot
70b53b5c01 chore(deps): lock file maintenance
All checks were successful
flake / flake (push) Successful in 1m15s
Details
2024-08-18 10:35:15 +00:00
Jake Hillion
3d642e2320 boron: move postgresqlBackup to disk to reduce ram pressure
All checks were successful
flake / flake (push) Successful in 1m14s
Details
2024-08-09 23:37:16 +01:00
Jake Hillion
41d5f0cc53 homeassistant: add sonos
All checks were successful
flake / flake (push) Successful in 1m17s
Details
2024-08-08 18:31:10 +01:00
Jake Hillion
974c947130 homeassistant: add smartthings
All checks were successful
flake / flake (push) Successful in 1m15s
Details
2024-08-04 18:15:34 +01:00
Jake Hillion
8a9498f8d7 homeassistant: expose sleep_mode to google
All checks were successful
flake / flake (push) Successful in 1m15s
Details
2024-08-04 17:56:32 +01:00
Jake Hillion
2ecdafe1cf chore(deps): lock file maintenance
All checks were successful
flake / flake (push) Successful in 1m32s
Details
2024-08-03 12:15:23 +01:00
Jake Hillion
db5dc5aee6 step-ca: enable server on sodium and load root certs
All checks were successful
flake / flake (push) Successful in 1m14s
Details
2024-08-01 23:28:22 +01:00
Jake Hillion
f96f03ba0c boron: update to Linux 6.10
All checks were successful
flake / flake (push) Successful in 1m13s
Details
2024-07-27 15:16:59 +01:00
Renovate Bot
e81cad1670 chore(deps): lock file maintenance
All checks were successful
flake / flake (push) Successful in 1m25s
Details
2024-07-26 13:40:49 +00:00
Jake Hillion
67c8e3dcaf homeassistant: migrate to basnijholt/adaptive-lighting
All checks were successful
flake / flake (push) Successful in 1m14s
Details
2024-07-22 11:16:34 +01:00
Jake Hillion
1052379119 unifi: switch to nixos module
All checks were successful
flake / flake (push) Successful in 1m24s
Details
2024-07-19 16:43:53 +01:00
Jake Hillion
0edb8394c8 tywin: mount d6
All checks were successful
flake / flake (push) Successful in 1m14s
Details
2024-07-17 22:19:41 +01:00
Jake Hillion
bbab551b0f be.lt: connect to Hillion WPA3 Network
All checks were successful
flake / flake (push) Successful in 1m14s
Details
2024-07-17 17:10:08 +01:00
Renovate Bot
13c937b196 chore(deps): lock file maintenance
All checks were successful
flake / flake (push) Successful in 1m15s
Details
2024-07-17 14:14:27 +00:00
Jake Hillion
6bdaca40e0 tmux: index from 0 and always allow attach
All checks were successful
flake / flake (push) Successful in 1m14s
Details
2024-07-17 15:02:19 +01:00
Jake Hillion
462f0eecf4 gendry: allow luks discards
All checks were successful
flake / flake (push) Successful in 1m15s
Details
2024-07-17 09:33:33 +01:00
Jake Hillion
5dcf3b8e3f chia: update to 2.4.1
All checks were successful
flake / flake (push) Successful in 1m13s
Details
2024-07-10 10:01:16 +01:00
Renovate Bot
b0618cd3dc chore(deps): lock file maintenance
All checks were successful
flake / flake (push) Successful in 1m29s
Details
2024-07-06 22:31:08 +00:00
Renovate Bot
a9829eea9e chore(deps): lock file maintenance
All checks were successful
flake / flake (push) Successful in 1m30s
Details
2024-06-23 10:18:56 +00:00
Renovate Bot
cfd64e9a73 chore(deps): lock file maintenance
All checks were successful
flake / flake (push) Successful in 1m29s
Details
2024-06-16 12:13:03 +00:00
Renovate Bot
b3af1739a8 chore(deps): update actions/checkout action to v4.1.7
All checks were successful
flake / flake (push) Successful in 1m14s
Details
2024-06-13 23:01:06 +00:00
Jake Hillion
cde6bdd498 tywin: enable clevis/tang for boot
All checks were successful
flake / flake (push) Successful in 1m13s
Details
2024-06-10 22:34:28 +01:00
Jake Hillion
bd5efa3648 tywin: encrypt root disk
All checks were successful
flake / flake (push) Successful in 1m13s
Details
2024-06-09 23:14:44 +01:00
Jake Hillion
30679f9f4b sodium: add cache directory on the sd card
All checks were successful
flake / flake (push) Successful in 1m13s
Details
2024-06-02 22:41:49 +01:00
Jake Hillion
67644162e1 sodium: rekey
All checks were successful
flake / flake (push) Successful in 1m12s
Details 
accidentally ran `rm -r /data`...
 2024-06-02 21:45:03 +01:00
Renovate Bot
81c77de5ad chore(deps): lock file maintenance
All checks were successful
flake / flake (push) Successful in 1m13s
Details
2024-06-02 13:15:18 +00:00
Jake Hillion
a0f93c73d0 sodium.pop: add rpi5 host
All checks were successful
flake / flake (push) Successful in 1m22s
Details
2024-05-25 22:56:27 +01:00
JakeHillion
78705d440a homeassistant: only switch bathroom light when it is already on
All checks were successful
flake / flake (push) Successful in 1m18s
Details 
Although the system now knows whether the bathroom light is on, it switches the switch every time the light should be turned off regardless of if it's already off. Because this is a device running on battery that performs a physical movement this runs the battery out very fast. Adjust the system to only switch the light off if it thinks it's on, even though this has the potential for desyncs.
 2024-05-25 22:03:11 +01:00
Jake Hillion
3f829236a2 homeassistant: read bathroom light status from motion sensor
All checks were successful
flake / flake (push) Successful in 1m18s
Details
2024-05-25 17:03:57 +01:00
Jake Hillion
7b221eda07 theon: stop scripting networking
All checks were successful
flake / flake (push) Successful in 1m19s
Details 
Unsure why this host is using systemd-networkd, but leave that unchanged
and have NixOS know about it to prevent a warning about loss of
connectivity on build.
 2024-05-25 16:40:19 +01:00
Jake Hillion
22305815c6 matrix: fix warning about renamed sliding sync
All checks were successful
flake / flake (push) Successful in 1m17s
Details
2024-05-25 16:33:05 +01:00
Jake Hillion
fa493123fc router: dhcp: add APC vendor specific cookie
All checks were successful
flake / flake (push) Successful in 1m18s
Details
2024-05-24 22:14:16 +01:00
Jake Hillion
62e61bec8a matrix: add sliding sync
All checks were successful
flake / flake (push) Successful in 1m18s
Details
2024-05-24 10:18:30 +01:00
Jake Hillion
50d70ed8bc boron: update kernel to 6.9
All checks were successful
flake / flake (push) Successful in 1m19s
Details
2024-05-23 22:41:18 +01:00
Renovate Bot
796bbc7a68 chore(deps): update nixpkgs to nixos-24.05 (#271)
All checks were successful
flake / flake (push) Successful in 1m20s
Details 
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [nixpkgs](https://github.com/NixOS/nixpkgs) | major | `nixos-23.11` -> `nixos-24.05` |

---

### Release Notes

<details>
<summary>NixOS/nixpkgs (nixpkgs)</summary>

### [`vnixos-24.05`](https://github.com/NixOS/nixpkgs/compare/nixos-23.11...nixos-24.05)

[Compare Source](https://github.com/NixOS/nixpkgs/compare/nixos-23.11...nixos-24.05)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zNzQuMyIsInVwZGF0ZWRJblZlciI6IjM3LjM3NC4zIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Co-authored-by: Jake Hillion <jake@hillion.co.uk>
Reviewed-on: #271
Co-authored-by: Renovate Bot <renovate-bot@noreply.gitea.hillion.co.uk>
Co-committed-by: Renovate Bot <renovate-bot@noreply.gitea.hillion.co.uk>
 2024-05-23 22:40:58 +01:00
Jake Hillion
8123653a92 jorah.cx: delete
All checks were successful
flake / flake (push) Successful in 1m17s
Details
2024-05-21 22:43:56 +01:00
Jake Hillion
55ade830a8 router: add more dhcp reservations
All checks were successful
flake / flake (push) Successful in 1m12s
Details
2024-05-21 20:09:26 +01:00
Jake Hillion
a9c9600b14 matrix: move jorah->boron
All checks were successful
flake / flake (push) Successful in 2m20s
Details
2024-05-18 19:14:39 +01:00
Jake Hillion
eae5e105ff unifi: move jorah->boron
All checks were successful
flake / flake (push) Successful in 1m21s
Details
2024-05-18 16:52:22 +01:00
Jake Hillion
f1fd6ee270 gitea: fix ips in iptables rules
All checks were successful
flake / flake (push) Successful in 1m10s
Details
2024-05-18 15:34:43 +01:00
Renovate Bot
1dc370709a chore(deps): lock file maintenance
All checks were successful
flake / flake (push) Successful in 1m23s
Details
2024-05-18 13:03:00 +00:00
Renovate Bot
de905e23a8 chore(deps): update actions/checkout action to v4.1.6
All checks were successful
flake / flake (push) Successful in 2m39s
Details
2024-05-17 00:01:14 +00:00
Renovate Bot
9247ae5d91 chore(deps): update cachix/install-nix-action action to v27
All checks were successful
flake / flake (push) Successful in 2m33s
Details
2024-05-16 23:01:13 +00:00
Jake Hillion
7298955391 tywin: enable automatic btrfs scrubbing
All checks were successful
flake / flake (push) Successful in 2m16s
Details
2024-05-15 20:53:57 +01:00
Jake Hillion
f59824ad62 gitea: move jorah->boron
All checks were successful
flake / flake (push) Successful in 2m16s
Details
2024-05-12 13:11:54 +01:00
Jake Hillion
bff93529aa www.global: move jorah->boron
All checks were successful
flake / flake (push) Successful in 1m56s
Details
2024-05-12 12:11:15 +01:00
Jake Hillion
13bfe6f787 boron: enable authoritative dns
All checks were successful
flake / flake (push) Successful in 2m4s
Details
2024-05-10 22:44:48 +01:00
Jake Hillion
ad8c8b9b19 boron: enable version_tracker
All checks were successful
flake / flake (push) Successful in 2m5s
Details
2024-05-10 22:12:49 +01:00
Jake Hillion
b7c07d0107 boron: enable gitea actions
All checks were successful
flake / flake (push) Successful in 2m28s
Details
2024-05-10 21:52:48 +01:00
Jake Hillion
9cc389f865 boron: remove folding@home
All checks were successful
flake / flake (push) Successful in 1m58s
Details 
The update from 23.11 to 24.05 brought a new folding@home version that
doesn't work. It doesn't work by default and there is 0 documentation on
writing xml configs manually, and even the web UI redirects to a
nonsense public website now. Unfortunately this means I'm going to let
this box idle rather than doing useful work, for now at least.
 2024-05-10 21:02:16 +01:00
Renovate Bot
2153c22d7f chore(deps): update actions/checkout action to v4.1.5
All checks were successful
flake / flake (push) Successful in 2m1s
Details
2024-05-09 23:00:45 +00:00
72 changed files with 945 additions and 534 deletions
Show Stats Expand all files Collapse all files

9
.gitea/workflows/flake.yaml
View File

@ -11,12 +11,9 @@ jobs:
flake:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Prepare for Nix installation
run: |
apt-get update
apt-get install -y sudo
- uses: cachix/install-nix-action@8887e596b4ee1134dae06b98d573bd674693f47c # v26
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: DeterminateSystems/nix-installer-action@da36cb69b1c3247ad7a1f931ebfd954a1105ef14 # v14
- uses: DeterminateSystems/magic-nix-cache-action@87b14cf437d03d37989d87f0fa5ce4f5dc1a330b # v8
- name: lint
run: |
nix fmt

27
darwin/jakehillion-mba-m2-15/configuration.nix Normal file
View File

@ -0,0 +1,27 @@
{ config, pkgs, ... }:
{
config = {
system.stateVersion = 4;
networking.hostName = "jakehillion-mba-m2-15";
nix = {
useDaemon = true;
};
programs.zsh.enable = true;
security.pam.enableSudoTouchIdAuth = true;
environment.systemPackages = with pkgs; [
fd
htop
mosh
neovim
nix
ripgrep
sapling
];
};
}

73
flake.lock
View File

@ -2,7 +2,9 @@
"nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"darwin": [
"darwin"
],
"home-manager": [
"home-manager"
],
@ -12,11 +14,11 @@
"systems": "systems"
},
"locked": {
"lastModified": 1715101957,
"narHash": "sha256-fs5uVQFTfgb4L9pnhldeyTHNcYwn1U4nKYoCBJ6W3W4=",
"lastModified": 1723293904,
"narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
"owner": "ryantm",
"repo": "agenix",
"rev": "07479c2e7396acaaaac5925483498154034ea80a",
"rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
"type": "github"
},
"original": {
@ -28,21 +30,19 @@
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1700795494,
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
"lastModified": 1726188813,
"narHash": "sha256-Vop/VRi6uCiScg/Ic+YlwsdIrLabWUJc57dNczp0eBc=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
"rev": "21fe31f26473c180390cfa81e3ea81aca0204c80",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
@ -72,16 +72,16 @@
]
},
"locked": {
"lastModified": 1714043624,
"narHash": "sha256-Xn2r0Jv95TswvPlvamCC46wwNo8ALjRCMBJbGykdhcM=",
"lastModified": 1725703823,
"narHash": "sha256-tDgM4d8mLK0Hd6YMB2w1BqMto1XBXADOzPEaLl10VI4=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "86853e31dc1b62c6eeed11c667e8cdd0285d4411",
"rev": "208df2e558b73b6a1f0faec98493cb59a25f62ba",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-23.11",
"ref": "release-24.05",
"repo": "home-manager",
"type": "github"
}
@ -93,11 +93,11 @@
]
},
"locked": {
"lastModified": 1715077503,
"narHash": "sha256-AfHQshzLQfUqk/efMtdebHaQHqVntCMjhymQzVFLes0=",
"lastModified": 1726357542,
"narHash": "sha256-p4OrJL2weh0TRtaeu1fmNYP6+TOp/W2qdaIJxxQay4c=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "6e277d9566de9976f47228dd8c580b97488734d4",
"rev": "e524c57b1fa55d6ca9d8354c6ce1e538d2a1f47f",
"type": "github"
},
"original": {
@ -108,11 +108,11 @@
},
"impermanence": {
"locked": {
"lastModified": 1708968331,
"narHash": "sha256-VUXLaPusCBvwM3zhGbRIJVeYluh2uWuqtj4WirQ1L9Y=",
"lastModified": 1725690722,
"narHash": "sha256-4qWg9sNh5g1qPGO6d/GV2ktY+eDikkBTbWSg5/iD2nY=",
"owner": "nix-community",
"repo": "impermanence",
"rev": "a33ef102a02ce77d3e39c25197664b7a636f9c30",
"rev": "63f4d0443e32b0dd7189001ee1894066765d18a5",
"type": "github"
},
"original": {
@ -122,29 +122,44 @@
"type": "github"
}
},
"nixpkgs": {
"nixos-hardware": {
"locked": {
"lastModified": 1714971268,
"narHash": "sha256-IKwMSwHj9+ec660l+I4tki/1NRoeGpyA2GdtdYpAgEw=",
"lastModified": 1725885300,
"narHash": "sha256-5RLEnou1/GJQl+Wd+Bxaj7QY7FFQ9wjnFq1VNEaxTmc=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "27c13997bf450a01219899f5a83bd6ffbfc70d3c",
"repo": "nixos-hardware",
"rev": "166dee4f88a7e3ba1b7a243edb1aca822f00680e",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-23.11",
"repo": "nixos-hardware",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1726320982,
"narHash": "sha256-RuVXUwcYwaUeks6h3OLrEmg14z9aFXdWppTWPMTwdQw=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "8f7492cce28977fbf8bd12c72af08b1f6c7c3e49",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1715087517,
"narHash": "sha256-CLU5Tsg24Ke4+7sH8azHWXKd0CFd4mhLWfhYgUiDBpQ=",
"lastModified": 1726243404,
"narHash": "sha256-sjiGsMh+1cWXb53Tecsm4skyFNag33GPbVgCdfj3n9I=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "b211b392b8486ee79df6cdfb1157ad2133427a29",
"rev": "345c263f2f53a3710abe117f28a5cb86d0ba4059",
"type": "github"
},
"original": {
@ -157,10 +172,12 @@
"root": {
"inputs": {
"agenix": "agenix",
"darwin": "darwin",
"flake-utils": "flake-utils",
"home-manager": "home-manager",
"home-manager-unstable": "home-manager-unstable",
"impermanence": "impermanence",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable"
}

110
flake.nix
View File

@ -1,15 +1,21 @@
{
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
nixos-hardware.url = "github:nixos/nixos-hardware";
flake-utils.url = "github:numtide/flake-utils";
darwin.url = "github:lnl7/nix-darwin";
darwin.inputs.nixpkgs.follows = "nixpkgs";
agenix.url = "github:ryantm/agenix";
agenix.inputs.nixpkgs.follows = "nixpkgs";
agenix.inputs.darwin.follows = "darwin";
agenix.inputs.home-manager.follows = "home-manager";
home-manager.url = "github:nix-community/home-manager/release-23.11";
home-manager.url = "github:nix-community/home-manager/release-24.05";
home-manager.inputs.nixpkgs.follows = "nixpkgs";
home-manager-unstable.url = "github:nix-community/home-manager";
home-manager-unstable.inputs.nixpkgs.follows = "nixpkgs-unstable";
@ -19,47 +25,67 @@
description = "Hillion Nix flake";
outputs = { self, nixpkgs, nixpkgs-unstable, flake-utils, agenix, home-manager, home-manager-unstable, impermanence, ... }@inputs: {
nixosConfigurations =
let
fqdns = builtins.attrNames (builtins.readDir ./hosts);
getSystemOverlays = system: nixpkgsConfig: [
(final: prev: {
"storj" = final.callPackage ./pkgs/storj.nix { };
})
];
mkHost = fqdn:
let
system = builtins.readFile ./hosts/${fqdn}/system;
func = if builtins.pathExists ./hosts/${fqdn}/unstable then nixpkgs-unstable.lib.nixosSystem else nixpkgs.lib.nixosSystem;
home-manager-pick = if builtins.pathExists ./hosts/${fqdn}/unstable then home-manager-unstable else home-manager;
in
func {
inherit system;
specialArgs = inputs;
modules = [
./hosts/${fqdn}/default.nix
./modules/default.nix
outputs = { self, nixpkgs, nixpkgs-unstable, nixos-hardware, flake-utils, agenix, home-manager, home-manager-unstable, darwin, impermanence, ... }@inputs:
let
getSystemOverlays = system: nixpkgsConfig: [
(final: prev: {
unstable = nixpkgs-unstable.legacyPackages.${prev.system};
"storj" = final.callPackage ./pkgs/storj.nix { };
})
];
in
{
nixosConfigurations =
let
fqdns = builtins.attrNames (builtins.readDir ./hosts);
mkHost = fqdn:
let
system = builtins.readFile ./hosts/${fqdn}/system;
func = if builtins.pathExists ./hosts/${fqdn}/unstable then nixpkgs-unstable.lib.nixosSystem else nixpkgs.lib.nixosSystem;
home-manager-pick = if builtins.pathExists ./hosts/${fqdn}/unstable then home-manager-unstable else home-manager;
in
func {
inherit system;
specialArgs = inputs;
modules = [
./hosts/${fqdn}/default.nix
./modules/default.nix
agenix.nixosModules.default
impermanence.nixosModules.impermanence
agenix.nixosModules.default
impermanence.nixosModules.impermanence
home-manager-pick.nixosModules.default
{
home-manager.sharedModules = [
impermanence.nixosModules.home-manager.impermanence
];
}
home-manager-pick.nixosModules.default
{
home-manager.sharedModules = [
impermanence.nixosModules.home-manager.impermanence
];
}
({ config, ... }: {
system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
nixpkgs.overlays = getSystemOverlays config.nixpkgs.hostPlatform.system config.nixpkgs.config;
})
];
};
in
nixpkgs.lib.genAttrs fqdns mkHost;
} // flake-utils.lib.eachDefaultSystem (system: {
formatter = nixpkgs.legacyPackages.${system}.nixpkgs-fmt;
});
({ config, ... }: {
system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
nixpkgs.overlays = getSystemOverlays config.nixpkgs.hostPlatform.system config.nixpkgs.config;
})
];
};
in
nixpkgs.lib.genAttrs fqdns mkHost;
darwinConfigurations = {
jakehillion-mba-m2-15 = darwin.lib.darwinSystem {
system = "aarch64-darwin";
specialArgs = inputs;
modules = [
./darwin/jakehillion-mba-m2-15/configuration.nix
({ config, ... }: {
nixpkgs.overlays = getSystemOverlays "aarch64-darwin" config.nixpkgs.config;
})
];
};
};
} // flake-utils.lib.eachDefaultSystem (system: {
formatter = nixpkgs.legacyPackages.${system}.nixpkgs-fmt;
});
}

11
hosts/be.lt.ts.hillion.co.uk/default.nix
View File

@ -24,6 +24,17 @@
];
};
## WiFi
age.secrets."wifi/be.lt.ts.hillion.co.uk".file = ../../secrets/wifi/be.lt.ts.hillion.co.uk.age;
networking.wireless = {
enable = true;
environmentFile = config.age.secrets."wifi/be.lt.ts.hillion.co.uk".path;
networks = {
"Hillion WPA3 Network".psk = "@HILLION_WPA3_NETWORK_PSK@";
};
};
## Desktop
custom.users.jake.password = true;
custom.desktop.awesome.enable = true;

2
hosts/boron.cx.ts.hillion.co.uk/README.md
View File

@ -2,6 +2,6 @@
Additional installation step for Clevis/Tang:
$ echo $DISK_ENCRYPTION_PASSWORD | clevis encrypt sss "$(cat /etc/nixos/hosts/boron.cx.ts.hillion.co.uk/clevis_config.json)" >/mnt/data/disk_encryption.jwe
$ echo -n $DISK_ENCRYPTION_PASSWORD | clevis encrypt sss "$(cat /etc/nixos/hosts/boron.cx.ts.hillion.co.uk/clevis_config.json)" >/mnt/data/disk_encryption.jwe
$ sudo chown root:root /mnt/data/disk_encryption.jwe
$ sudo chmod 0400 /mnt/data/disk_encryption.jwe

67
hosts/boron.cx.ts.hillion.co.uk/default.nix
View File

@ -34,25 +34,57 @@
### Explicitly use the latest kernel at time of writing because the LTS
### kernels available in NixOS do not seem to support this server's very
### modern hardware.
boot.kernelPackages = pkgs.linuxPackages_6_8;
boot.kernelPackages = pkgs.linuxPackages_6_10;
### Apply patch to enable sched_ext which isn't yet available upstream.
boot.kernelPatches = [{
name = "sched_ext";
patch = pkgs.fetchpatch {
url = "https://github.com/sched-ext/scx-kernel-releases/releases/download/v6.10.3-scx1/linux-v6.10.3-scx1.patch.zst";
hash = "sha256-c4UlXsVOHGe0gvL69K9qTMWqCR8as25qwhfNVxCXUTs=";
decode = "${pkgs.zstd}/bin/unzstd";
excludes = [ "Makefile" ];
};
extraConfig = ''
BPF y
BPF_EVENTS y
BPF_JIT y
BPF_SYSCALL y
DEBUG_INFO_BTF y
FTRACE y
SCHED_CLASS_EXT y
'';
}];
## Enable btrfs compression
fileSystems."/data".options = [ "compress=zstd" ];
fileSystems."/nix".options = [ "compress=zstd" ];
## Impermanence
custom.impermanence.enable = true;
custom.impermanence = {
enable = true;
cache.enable = true;
};
boot.initrd.postDeviceCommands = lib.mkAfter ''
btrfs subvolume delete /cache/system
btrfs subvolume snapshot /cache/empty_snapshot /cache/system
'';
## Custom Services
custom = {
locations.autoServe = true;
www.global.enable = true;
services = {
gitea.actions = {
enable = true;
tokenSecret = ../../secrets/gitea/actions/boron.age;
};
};
};
services.foldingathome = {
enable = true;
user = "JakeH"; # https://stats.foldingathome.org/donor/id/357021
daemonNiceLevel = 19;
};
services.nsd.interfaces = [
"138.201.252.214"
"2a01:4f8:173:23d2::2"
];
## Enable ZRAM to help with root on tmpfs
zramSwap = {
@ -69,6 +101,18 @@
fileSystems = [ "/data" ];
};
## General usability
### Make podman available for dev tools such as act
virtualisation = {
containers.enable = true;
podman = {
enable = true;
dockerCompat = true;
dockerSocket.enable = true;
};
};
users.users.jake.extraGroups = [ "podman" ];
## Networking
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = true;
@ -100,8 +144,17 @@
interfaces = {
eth0 = {
allowedTCPPorts = lib.mkForce [
22 # SSH
3022 # SSH (Gitea) - redirected to 22
53 # DNS
80 # HTTP 1-2
443 # HTTPS 1-2
8080 # Unifi (inform)
];
allowedUDPPorts = lib.mkForce [
53 # DNS
443 # HTTP 3
3478 # Unifi STUN
];
};
};

9
hosts/boron.cx.ts.hillion.co.uk/hardware-configuration.nix
View File

@ -18,7 +18,7 @@
{
device = "tmpfs";
fsType = "tmpfs";
options = [ "mode=0755" ];
options = [ "mode=0755" "size=100%" ];
};
fileSystems."/boot" =
@ -35,6 +35,13 @@
options = [ "subvol=data" ];
};
fileSystems."/cache" =
{
device = "/dev/disk/by-uuid/9aebe351-156a-4aa0-9a97-f09b01ac23ad";
fsType = "btrfs";
options = [ "subvol=cache" ];
};
fileSystems."/nix" =
{
device = "/dev/disk/by-uuid/9aebe351-156a-4aa0-9a97-f09b01ac23ad";

0
hosts/boron.cx.ts.hillion.co.uk/unstable
View File

17
hosts/gendry.jakehillion-terminals.ts.hillion.co.uk/default.nix
View File

@ -2,7 +2,6 @@
{
imports = [
../../modules/spotify/default.nix
./bluetooth.nix
./hardware-configuration.nix
];
@ -30,6 +29,13 @@
];
};
## Enable ZRAM swap to help with root on tmpfs
zramSwap = {
enable = true;
memoryPercent = 200;
algorithm = "zstd";
};
## Desktop
custom.users.jake.password = true;
custom.desktop.awesome.enable = true;
@ -77,15 +83,6 @@
boot.initrd.kernelModules = [ "amdgpu" ];
services.xserver.videoDrivers = [ "amdgpu" ];
## Spotify
home-manager.users.jake.services.spotifyd.settings = {
global = {
device_name = "Gendry";
device_type = "computer";
bitrate = 320;
};
};
users.users."${config.custom.user}" = {
packages = with pkgs; [
prismlauncher

5
hosts/gendry.jakehillion-terminals.ts.hillion.co.uk/hardware-configuration.nix
View File

@ -28,7 +28,10 @@
options = [ "subvol=nix" ];
};
boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/af328e8d-d929-43f1-8d04-1c96b5147e5e";
boot.initrd.luks.devices."root" = {
device = "/dev/disk/by-uuid/af328e8d-d929-43f1-8d04-1c96b5147e5e";
allowDiscards = true;
};
fileSystems."/data" =
{

111
hosts/jorah.cx.ts.hillion.co.uk/default.nix
View File

@ -1,111 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports = [
./hardware-configuration.nix
];
config = {
system.stateVersion = "23.05";
networking.hostName = "jorah";
networking.domain = "cx.ts.hillion.co.uk";
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
custom.defaults = true;
## Impermanence
custom.impermanence.enable = true;
## Custom Services
custom = {
locations.autoServe = true;
www.global.enable = true;
services = {
version_tracker.enable = true;
gitea.actions = {
enable = true;
tokenSecret = ../../secrets/gitea/actions/jorah.age;
};
};
};
services.foldingathome = {
enable = true;
user = "JakeH"; # https://stats.foldingathome.org/donor/id/357021
daemonNiceLevel = 19;
};
## Enable ZRAM to help with root on tmpfs
zramSwap = {
enable = true;
memoryPercent = 200;
algorithm = "zstd";
};
## Filesystems
services.btrfs.autoScrub = {
enable = true;
interval = "Tue, 02:00";
# By default both /data and /nix would be scrubbed. They are the same filesystem so this is wasteful.
fileSystems = [ "/data" ];
};
## Networking
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = true;
"net.ipv6.conf.all.forwarding" = true;
};
networking = {
useDHCP = false;
interfaces = {
enp5s0 = {
name = "eth0";
useDHCP = true;
ipv6.addresses = [{
address = "2a01:4f9:4b:3953::2";
prefixLength = 64;
}];
};
};
defaultGateway6 = {
address = "fe80::1";
interface = "eth0";
};
};
networking.firewall = {
trustedInterfaces = [ "tailscale0" ];
allowedTCPPorts = lib.mkForce [
22 # SSH
3022 # Gitea SSH (accessed via public 22)
];
allowedUDPPorts = lib.mkForce [ ];
interfaces = {
eth0 = {
allowedTCPPorts = lib.mkForce [
53 # DNS
80 # HTTP 1-2
443 # HTTPS 1-2
8080 # Unifi (inform)
];
allowedUDPPorts = lib.mkForce [
53 # DNS
443 # HTTP 3
3478 # Unifi STUN
];
};
};
};
## Tailscale
age.secrets."tailscale/jorah.cx.ts.hillion.co.uk".file = ../../secrets/tailscale/jorah.cx.ts.hillion.co.uk.age;
services.tailscale = {
enable = true;
authKeyFile = config.age.secrets."tailscale/jorah.cx.ts.hillion.co.uk".path;
};
};
}

48
hosts/jorah.cx.ts.hillion.co.uk/hardware-configuration.nix
View File

@ -1,48 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{
device = "tmpfs";
fsType = "tmpfs";
options = [ "mode=0755" ];
};
fileSystems."/nix" =
{
device = "/dev/disk/by-id/nvme-KXG60ZNV512G_TOSHIBA_106S10VHT9LM_1-part2";
fsType = "btrfs";
options = [ "subvol=nix" ];
};
fileSystems."/data" =
{
device = "/dev/disk/by-id/nvme-KXG60ZNV512G_TOSHIBA_106S10VHT9LM_1-part2";
fsType = "btrfs";
options = [ "subvol=data" ];
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/4D7E-8DE8";
fsType = "vfat";
};
swapDevices = [ ];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

1
hosts/jorah.cx.ts.hillion.co.uk/system
View File

@ -1 +0,0 @@
x86_64-linux

1
hosts/microserver.home.ts.hillion.co.uk/default.nix
View File

@ -59,6 +59,7 @@
5353 # HomeKit
];
allowedTCPPorts = [
1400 # HA Sonos
7654 # Tang
21063 # HomeKit
];

107
hosts/router.home.ts.hillion.co.uk/default.nix
View File

@ -32,6 +32,14 @@
nat.enable = lib.mkForce false;
useDHCP = false;
vlans = {
cameras = {
id = 3;
interface = "eth2";
};
};
interfaces = {
enp1s0 = {
name = "eth0";
@ -56,6 +64,14 @@
}
];
};
cameras /* cameras@eth2 */ = {
ipv4.addresses = [
{
address = "10.133.145.1";
prefixLength = 24;
}
];
};
enp4s0 = { name = "eth3"; };
enp5s0 = { name = "eth4"; };
enp6s0 = { name = "eth5"; };
@ -82,8 +98,8 @@
ip protocol icmp counter accept comment "accept all ICMP types"
iifname "eth0" ct state { established, related } counter accept
iifname "eth0" drop
iifname { "eth0", "cameras" } ct state { established, related } counter accept
iifname { "eth0", "cameras" } drop
}
chain forward {
@ -138,12 +154,42 @@
settings = {
interfaces-config = {
interfaces = [ "eth1" "eth2" ];
interfaces = [ "eth1" "eth2" "cameras" ];
};
lease-database = {
type = "memfile";
persist = false;
persist = true;
name = "/var/lib/kea/dhcp4.leases";
};
option-def = [
{
name = "cookie";
space = "vendor-encapsulated-options-space";
code = 1;
type = "string";
array = false;
}
];
client-classes = [
{
name = "APC";
test = "option[vendor-class-identifier].text == 'APC'";
option-data = [
{
always-send = true;
name = "vendor-encapsulated-options";
}
{
name = "cookie";
space = "vendor-encapsulated-options-space";
code = 1;
data = "1APC";
}
];
}
];
subnet4 = [
{
subnet = "10.64.50.0/24";
@ -165,25 +211,17 @@
data = "10.64.50.1, 1.1.1.1, 8.8.8.8";
}
];
reservations = [
{
# tywin.storage.ts.hillion.co.uk
hw-address = "c8:7f:54:6d:e1:03";
ip-address = "10.64.50.20";
hostname = "tywin";
}
{
# syncbox
hw-address = "00:1e:06:49:06:1e";
ip-address = "10.64.50.22";
hostname = "syncbox";
}
{
# microserver.home.ts.hillion.co.uk
hw-address = "e4:5f:01:b4:58:95";
ip-address = "10.64.50.21";
hostname = "microserver";
}
reservations = lib.lists.imap0
(i: el: {
ip-address = "10.64.50.${toString (20 + i)}";
inherit (el) hw-address hostname;
}) [
{ hostname = "tywin"; hw-address = "c8:7f:54:6d:e1:03"; }
{ hostname = "microserver"; hw-address = "e4:5f:01:b4:58:95"; }
{ hostname = "theon"; hw-address = "00:1e:06:49:06:1e"; }
{ hostname = "server-switch"; hw-address = "84:d8:1b:9d:0d:85"; }
{ hostname = "apc-ap7921"; hw-address = "00:c0:b7:6b:f4:34"; }
{ hostname = "sodium"; hw-address = "d8:3a:dd:c3:d6:2b"; }
];
}
{
@ -221,6 +259,29 @@
}
];
}
{
subnet = "10.133.145.0/24";
interface = "cameras";
pools = [{
pool = "10.133.145.64 - 10.133.145.254";
}];
option-data = [
{
name = "routers";
data = "10.133.145.1";
}
{
name = "broadcast-address";
data = "10.133.145.255";
}
{
name = "domain-name-servers";
data = "1.1.1.1, 8.8.8.8";
}
];
reservations = [
];
}
];
};
};

87
hosts/sodium.pop.ts.hillion.co.uk/default.nix Normal file
View File

@ -0,0 +1,87 @@
{ config, pkgs, lib, nixos-hardware, ... }:
{
imports = [
"${nixos-hardware}/raspberry-pi/5/default.nix"
./hardware-configuration.nix
];
config = {
system.stateVersion = "24.05";
networking.hostName = "sodium";
networking.domain = "pop.ts.hillion.co.uk";
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
custom.defaults = true;
## Enable btrfs compression
fileSystems."/data".options = [ "compress=zstd" ];
fileSystems."/nix".options = [ "compress=zstd" ];
## Impermanence
custom.impermanence = {
enable = true;
cache.enable = true;
};
boot.initrd.postDeviceCommands = lib.mkAfter ''
btrfs subvolume delete /cache/tmp
btrfs subvolume snapshot /cache/empty_snapshot /cache/tmp
chmod 1777 /cache/tmp
'';
## CA server
custom.ca.service.enable = true;
### nix only supports build-dir from 2.22. bind mount /tmp to something persistent instead.
fileSystems."/tmp" = {
device = "/cache/tmp";
options = [ "bind" ];
};
# nix = {
# settings = {
# build-dir = "/cache/tmp/";
# };
# };
## Custom Services
custom.locations.autoServe = true;
# Networking
networking = {
useDHCP = false;
interfaces = {
end0 = {
name = "eth0";
useDHCP = true;
};
};
};
networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
networking.firewall = {
trustedInterfaces = [ "tailscale0" ];
allowedTCPPorts = lib.mkForce [
];
allowedUDPPorts = lib.mkForce [ ];
interfaces = {
eth0 = {
allowedTCPPorts = lib.mkForce [
7654 # Tang
];
allowedUDPPorts = lib.mkForce [
];
};
};
};
## Tailscale
age.secrets."tailscale/sodium.pop.ts.hillion.co.uk".file = ../../secrets/tailscale/sodium.pop.ts.hillion.co.uk.age;
services.tailscale = {
enable = true;
authKeyFile = config.age.secrets."tailscale/sodium.pop.ts.hillion.co.uk".path;
};
};
}

63
hosts/sodium.pop.ts.hillion.co.uk/hardware-configuration.nix Normal file
View File

@ -0,0 +1,63 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "usbhid" "usb_storage" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{
device = "tmpfs";
fsType = "tmpfs";
options = [ "mode=0755" ];
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/417B-1063";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
fileSystems."/nix" =
{
device = "/dev/disk/by-uuid/48ae82bd-4d7f-4be6-a9c9-4fcc29d4aac0";
fsType = "btrfs";
options = [ "subvol=nix" ];
};
fileSystems."/data" =
{
device = "/dev/disk/by-uuid/48ae82bd-4d7f-4be6-a9c9-4fcc29d4aac0";
fsType = "btrfs";
options = [ "subvol=data" ];
};
fileSystems."/cache" =
{
device = "/dev/disk/by-uuid/48ae82bd-4d7f-4be6-a9c9-4fcc29d4aac0";
fsType = "btrfs";
options = [ "subvol=cache" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enu1u4.useDHCP = lib.mkDefault true;
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
}

1
hosts/sodium.pop.ts.hillion.co.uk/system Normal file
View File

@ -0,0 +1 @@
aarch64-linux

1
hosts/theon.storage.ts.hillion.co.uk/default.nix
View File

@ -22,6 +22,7 @@
};
## Networking
networking.useNetworkd = true;
systemd.network.enable = true;
networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers

7
hosts/tywin.storage.ts.hillion.co.uk/README.md Normal file
View File

@ -0,0 +1,7 @@
# tywin.storage.ts.hillion.co.uk
Additional installation step for Clevis/Tang:
$ echo -n $DISK_ENCRYPTION_PASSWORD | clevis encrypt sss "$(cat /etc/nixos/hosts/tywin.storage.ts.hillion.co.uk/clevis_config.json)" >/mnt/disk_encryption.jwe
$ sudo chown root:root /mnt/disk_encryption.jwe
$ sudo chmod 0400 /mnt/disk_encryption.jwe

14
hosts/tywin.storage.ts.hillion.co.uk/clevis_config.json Normal file
View File

@ -0,0 +1,14 @@
{
"t": 1,
"pins": {
"tang": [
{
"url": "http://10.64.50.21:7654"
},
{
"url": "http://10.64.50.25:7654"
}
]
}
}

26
hosts/tywin.storage.ts.hillion.co.uk/default.nix
View File

@ -15,6 +15,20 @@
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.kernelParams = [
"ip=dhcp"
"zfs.zfs_arc_max=25769803776"
];
boot.initrd = {
availableKernelModules = [ "r8169" ];
network.enable = true;
clevis = {
enable = true;
useTang = true;
devices."root".secretFile = "/disk_encryption.jwe";
};
};
custom.locations.autoServe = true;
custom.defaults = true;
@ -40,11 +54,17 @@
forceImportRoot = false;
extraPools = [ "data" ];
};
boot.kernelParams = [ "zfs.zfs_arc_max=25769803776" ];
services.zfs.autoScrub = {
services.btrfs.autoScrub = {
enable = true;
interval = "Tue, 02:00";
# All filesystems includes the BTRFS parts of all the hard drives. This
# would take forever and is redundant as they get fully read regularly.
fileSystems = [ "/" ];
};
services.zfs.autoScrub = {
enable = true;
interval = "Wed, 02:00";
};
## Backups
@ -198,7 +218,7 @@
enable = true;
openFirewall = true;
keyFile = config.age.secrets."chia/farmer.key".path;
plotDirectories = builtins.genList (i: "/mnt/d${toString i}/plots/contract-k32") 7;
plotDirectories = builtins.genList (i: "/mnt/d${toString i}/plots/contract-k32") 8;
};
## Downloads

17
hosts/tywin.storage.ts.hillion.co.uk/hardware-configuration.nix
View File

@ -20,6 +20,11 @@
fsType = "btrfs";
};
boot.initrd.luks.devices."root" = {
device = "/dev/disk/by-uuid/32837730-5e15-4917-9939-cbb58bb0aabf";
allowDiscards = true;
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/BC57-0AF6";
@ -62,6 +67,18 @@
fsType = "btrfs";
};
fileSystems."/mnt/d6" =
{
device = "/dev/disk/by-uuid/b461e07d-39ab-46b4-b1d1-14c2e0791915";
fsType = "btrfs";
};
fileSystems."/mnt/d7" =
{
device = "/dev/disk/by-uuid/eb8d32d0-e506-449b-8dbc-585ba05c4252";
fsType = "btrfs";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking

11
modules/ca/README.md Normal file
View File

@ -0,0 +1,11 @@
# ca
Getting the certificates in the right place is a manual process (for now, at least). This is to keep the most control over the root certificate's key and allow manual cycling. The manual commands should be run on a trusted machine.
Creating a 10 year root certificate:
nix run nixpkgs#step-cli -- certificate create 'Hillion ACME' cert.pem key.pem --kty=EC --curve=P-521 --profile=root-ca --not-after=87600h
Creating the intermediate key:
nix run nixpkgs#step-cli -- certificate create 'Hillion ACME (sodium.pop.ts.hillion.co.uk)' intermediate_cert.pem intermediate_key.pem --kty=EC --curve=P-521 --profile=intermediate-ca --not-after=8760h --ca=$NIXOS_ROOT/modules/ca/cert.pem --ca-key=DOWNLOADED_KEY.pem

13
modules/ca/cert.pem Normal file
View File

@ -0,0 +1,13 @@
-----BEGIN CERTIFICATE-----
MIIB+TCCAVqgAwIBAgIQIZdaIUsuJdjnu7DQP1N8oTAKBggqhkjOPQQDBDAXMRUw
EwYDVQQDEwxIaWxsaW9uIEFDTUUwHhcNMjQwODAxMjIyMjEwWhcNMzQwNzMwMjIy
MjEwWjAXMRUwEwYDVQQDEwxIaWxsaW9uIEFDTUUwgZswEAYHKoZIzj0CAQYFK4EE
ACMDgYYABAAJI3z1PrV97EFc1xaENcr6ML1z6xdXTy+ReHtf42nWsw+c3WDKzJ45
+xHJ/p2BTOR5+NQ7RGQQ68zmFJnEYTYDogAw6U9YzxxDGlG1HlgnZ9PPmXoF+PFl
Zy2WZCiDPx5KDJcjTPzLV3ITt4fl3PMA12BREVeonvrvRLcpVrMfS2b7wKNFMEMw
DgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFFBT
fMT0uUbS+lVUbGKK8/SZHPISMAoGCCqGSM49BAMEA4GMADCBiAJCAPNIwrQztPrN
MaHB3J0lNVODIGwQWblt99vnjqIWOKJhgckBxaElyInsyt8dlnmTCpOCJdY4BA+K
Nr87AfwIWdAaAkIBV5i4zXPXVKblGKnmM0FomFSbq2cYE3pmi5BO1StakH1kEHlf
vbkdwFgkw2MlARp0Ka3zbWivBG9zjPoZtsL/8tk=
-----END CERTIFICATE-----

14
modules/ca/consumer.nix Normal file
View File

@ -0,0 +1,14 @@
{ config, pkgs, lib, ... }:
let
cfg = config.custom.ca.consumer;
in
{
options.custom.ca.consumer = {
enable = lib.mkEnableOption "ca.service";
};
config = lib.mkIf cfg.enable {
security.pki.certificates = [ (builtins.readFile ./cert.pem) ];
};
}

8
modules/ca/default.nix Normal file
View File

@ -0,0 +1,8 @@
{ ... }:
{
imports = [
./consumer.nix
./service.nix
];
}

45
modules/ca/service.nix Normal file
View File

@ -0,0 +1,45 @@
{ config, pkgs, lib, ... }:
let
cfg = config.custom.ca.service;
in
{
options.custom.ca.service = {
enable = lib.mkEnableOption "ca.service";
};
config = lib.mkIf cfg.enable {
services.step-ca = {
enable = true;
address = config.custom.dns.tailscale.ipv4;
port = 8443;
intermediatePasswordFile = "/data/system/ca/intermediate.psk";
settings = {
root = ./cert.pem;
crt = "/data/system/ca/intermediate.crt";
key = "/data/system/ca/intermediate.pem";
dnsNames = [ "ca.ts.hillion.co.uk" ];
logger = { format = "text"; };
db = {
type = "badgerv2";
dataSource = "/var/lib/step-ca/db";
};
authority = {
provisioners = [
{
type = "ACME";
name = "acme";
}
];
};
};
};
};
}

2
modules/chia.nix
View File

@ -46,7 +46,7 @@ in
};
virtualisation.oci-containers.containers.chia = {
image = "ghcr.io/chia-network/chia:2.2.1";
image = "ghcr.io/chia-network/chia:2.4.1";
ports = [ "8444" ];
extraOptions = [
"--uidmap=0:${toString config.users.users.chia.uid}:1"

1
modules/default.nix
View File

@ -3,6 +3,7 @@
{
imports = [
./backups/default.nix
./ca/default.nix
./chia.nix
./defaults.nix
./desktop/awesome/default.nix

1
modules/defaults.nix
View File

@ -54,6 +54,7 @@
networking.firewall.enable = true;
# Delegation
custom.ca.consumer.enable = true;
custom.dns.enable = true;
custom.home.defaults = true;
custom.hostinfo.enable = true;

12
modules/dns.nix
View File

@ -40,7 +40,6 @@ in
ts = {
cx = {
boron = "100.113.188.46";
jorah = "100.96.143.138";
};
home = {
microserver = "100.105.131.47";
@ -48,7 +47,10 @@ in
};
jakehillion-terminals = { gendry = "100.70.100.77"; };
lt = { be = "100.105.166.79"; };
pop = { li = "100.106.87.35"; };
pop = {
li = "100.106.87.35";
sodium = "100.87.188.4";
};
storage = {
theon = "100.104.142.22";
tywin = "100.115.31.91";
@ -65,7 +67,6 @@ in
ts = {
cx = {
boron = "fd7a:115c:a1e0::2a01:bc2f";
jorah = "fd7a:115c:a1e0:ab12:4843:cd96:6260:8f8a";
};
home = {
microserver = "fd7a:115c:a1e0:ab12:4843:cd96:6269:832f";
@ -73,7 +74,10 @@ in
};
jakehillion-terminals = { gendry = "fd7a:115c:a1e0:ab12:4843:cd96:6246:644d"; };
lt = { be = "fd7a:115c:a1e0::9001:a64f"; };
pop = { li = "fd7a:115c:a1e0::e701:5723"; };
pop = {
li = "fd7a:115c:a1e0::e701:5723";
sodium = "fd7a:115c:a1e0::3701:bc04";
};
storage = {
theon = "fd7a:115c:a1e0::4aa8:8e16";
tywin = "fd7a:115c:a1e0:ab12:4843:cd96:6273:1f5b";

8
modules/home/tmux/.tmux.conf
View File

@ -8,3 +8,11 @@ bind -n C-k clear-history
bind '"' split-window -c "#{pane_current_path}"
bind % split-window -h -c "#{pane_current_path}"
bind c new-window -c "#{pane_current_path}"
# Start indices at 1 to match keyboard
set -g base-index 1
setw -g pane-base-index 1
# Open a new session when attached to and one isn't open
# Must come after base-index settings
new-session

2
modules/ids.nix
View File

@ -6,6 +6,7 @@
## Defined System Users (see https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/ids.nix)
unifi = 183;
chia = 185;
gitea = 186;
## Consistent People
jake = 1000;
@ -15,6 +16,7 @@
## Defined System Groups (see https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/ids.nix)
unifi = 183;
chia = 185;
gitea = 186;
## Consistent Groups
mediaaccess = 1200;

44
modules/impermanence.nix
View File

@ -2,7 +2,6 @@
let
cfg = config.custom.impermanence;
listIf = (enable: x: if enable then x else [ ]);
in
{
options.custom.impermanence = {
@ -12,6 +11,13 @@ in
type = lib.types.str;
default = "/data";
};
cache = {
enable = lib.mkEnableOption "impermanence.cache";
path = lib.mkOption {
type = lib.types.str;
default = "/cache";
};
};
users = lib.mkOption {
type = with lib.types; listOf str;
@ -40,18 +46,32 @@ in
gitea.stateDir = "${cfg.base}/system/var/lib/gitea";
};
environment.persistence."${cfg.base}/system" = {
hideMounts = true;
environment.persistence = lib.mkMerge [
{
"${cfg.base}/system" = {
hideMounts = true;
directories = [
"/etc/nixos"
] ++ (listIf config.services.tailscale.enable [ "/var/lib/tailscale" ]) ++
(listIf config.services.zigbee2mqtt.enable [ config.services.zigbee2mqtt.dataDir ]) ++
(listIf config.services.postgresql.enable [ config.services.postgresql.dataDir ]) ++
(listIf config.hardware.bluetooth.enable [ "/var/lib/bluetooth" ]) ++
(listIf config.custom.services.unifi.enable [ "/var/lib/unifi" ]) ++
(listIf (config.virtualisation.oci-containers.containers != { }) [ "/var/lib/containers" ]);
};
directories = [
"/etc/nixos"
] ++ (lib.lists.optional config.services.tailscale.enable "/var/lib/tailscale") ++
(lib.lists.optional config.services.zigbee2mqtt.enable config.services.zigbee2mqtt.dataDir) ++
(lib.lists.optional config.services.postgresql.enable config.services.postgresql.dataDir) ++
(lib.lists.optional config.hardware.bluetooth.enable "/var/lib/bluetooth") ++
(lib.lists.optional config.custom.services.unifi.enable "/var/lib/unifi") ++
(lib.lists.optional (config.virtualisation.oci-containers.containers != { }) "/var/lib/containers") ++
(lib.lists.optional config.services.tang.enable "/var/lib/private/tang") ++
(lib.lists.optional config.services.caddy.enable "/var/lib/caddy") ++
(lib.lists.optional config.services.step-ca.enable "/var/lib/step-ca/db");
};
}
(lib.mkIf cfg.cache.enable {
"${cfg.cache.path}/system" = {
hideMounts = true;
directories = (lib.lists.optional config.services.postgresqlBackup.enable config.services.postgresqlBackup.location);
};
})
];
home-manager.users =
let

12
modules/locations.nix
View File

@ -19,19 +19,19 @@ in
{
custom.locations.locations = {
services = {
authoritative_dns = [
"jorah.cx.ts.hillion.co.uk"
];
authoritative_dns = [ "boron.cx.ts.hillion.co.uk" ];
downloads = "tywin.storage.ts.hillion.co.uk";
gitea = "jorah.cx.ts.hillion.co.uk";
gitea = "boron.cx.ts.hillion.co.uk";
homeassistant = "microserver.home.ts.hillion.co.uk";
mastodon = "";
matrix = "jorah.cx.ts.hillion.co.uk";
matrix = "boron.cx.ts.hillion.co.uk";
tang = [
"li.pop.ts.hillion.co.uk"
"microserver.home.ts.hillion.co.uk"
"sodium.pop.ts.hillion.co.uk"
];
unifi = "jorah.cx.ts.hillion.co.uk";
unifi = "boron.cx.ts.hillion.co.uk";
version_tracker = [ "boron.cx.ts.hillion.co.uk" ];
};
};
}

4
modules/resilio.nix
View File

@ -1,4 +1,4 @@
{ pkgs, lib, config, nixpkgs-unstable, ... }:
{ pkgs, lib, config, ... }:
let
cfg = config.custom.resilio;
@ -61,5 +61,7 @@ in
in
builtins.map (folder: mkFolder folder.name folder.secret) cfg.folders;
};
systemd.services.resilio.unitConfig.RequiresMountsFor = builtins.map (folder: "${config.services.resilio.directoryRoot}/${folder.name}") cfg.folders;
};
}

6
modules/services/authoritative_dns.nix
View File

@ -12,11 +12,6 @@ in
services.nsd = {
enable = true;
interfaces = [
"95.217.229.104"
"2a01:4f9:4b:3953::2"
];
zones = {
"ts.hillion.co.uk" = {
data =
@ -37,6 +32,7 @@ in
86400 NS ns1.hillion.co.uk.
ca 21600 CNAME sodium.pop.ts.hillion.co.uk.
deluge.downloads 21600 CNAME tywin.storage.ts.hillion.co.uk.
graphs.router.home 21600 CNAME router.home.ts.hillion.co.uk.
prowlarr.downloads 21600 CNAME tywin.storage.ts.hillion.co.uk.

10
modules/services/downloads.nix
View File

@ -29,10 +29,16 @@ in
virtualHosts = builtins.listToAttrs (builtins.map
(x: {
name = "http://${x}.downloads.ts.hillion.co.uk";
name = "${x}.downloads.ts.hillion.co.uk";
value = {
listenAddresses = [ config.custom.dns.tailscale.ipv4 config.custom.dns.tailscale.ipv6 ];
extraConfig = "reverse_proxy unix//${cfg.metadataPath}/caddy/caddy.sock";
extraConfig = ''
reverse_proxy unix//${cfg.metadataPath}/caddy/caddy.sock
tls {
ca https://ca.ts.hillion.co.uk:8443/acme/acme/directory
}
'';
};
}) [ "prowlarr" "sonarr" "radarr" "deluge" ]);
};

7
modules/services/gitea/actions.nix
View File

@ -63,6 +63,11 @@ in
runner = {
capacity = 3;
};
cache = {
enabled = true;
host = "10.108.27.2";
port = 41919;
};
};
};
@ -76,6 +81,8 @@ in
chain output {
type filter hook output priority 100; policy accept;
ct state { established, related } counter accept
ip daddr 10.0.0.0/8 drop
ip daddr 100.64.0.0/10 drop
ip daddr 172.16.0.0/12 drop

11
modules/services/gitea/gitea.nix
View File

@ -1,4 +1,4 @@
{ config, pkgs, lib, nixpkgs-unstable, ... }:
{ config, pkgs, lib, ... }:
let
cfg = config.custom.services.gitea;
@ -50,9 +50,12 @@ in
};
};
users.users.gitea.uid = config.ids.uids.gitea;
users.groups.gitea.gid = config.ids.gids.gitea;
services.gitea = {
enable = true;
package = nixpkgs-unstable.legacyPackages.x86_64-linux.gitea;
package = pkgs.unstable.gitea;
mailerPasswordFile = config.age.secrets."gitea/mailer_password".path;
appName = "Hillion Gitea";
@ -103,8 +106,8 @@ in
ip6tables -A PREROUTING -t nat -i eth0 -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
# proxy locally originating outgoing packets
iptables -A OUTPUT -d 95.217.229.104 -t nat -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
ip6tables -A OUTPUT -d 2a01:4f9:4b:3953::2 -t nat -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
iptables -A OUTPUT -d 138.201.252.214 -t nat -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
ip6tables -A OUTPUT -d 2a01:4f8:173:23d2::2 -t nat -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
'';
};
}

59
modules/services/homeassistant.nix
View File

@ -44,16 +44,20 @@ in
"bluetooth"
"default_config"
"esphome"
"flux"
"google_assistant"
"homekit"
"met"
"mobile_app"
"mqtt"
"otp"
"smartthings"
"sonos"
"sun"
"switchbot"
];
customComponents = with pkgs.home-assistant-custom-components; [
adaptive_lighting
];
config = {
default_config = { };
@ -65,8 +69,8 @@ in
http = {
use_x_forwarded_for = true;
trusted_proxies = with config.custom.dns.authoritative; [
ipv4.uk.co.hillion.ts.cx.jorah
ipv6.uk.co.hillion.ts.cx.jorah
ipv4.uk.co.hillion.ts.cx.boron
ipv6.uk.co.hillion.ts.cx.boron
];
};
@ -79,6 +83,9 @@ in
report_state = true;
expose_by_default = true;
exposed_domains = [ "light" ];
entity_config = {
"input_boolean.sleep_mode" = { };
};
};
homekit = [{
filter = {
@ -88,25 +95,19 @@ in
bluetooth = { };
switch = [
{
platform = "flux";
start_time = "07:00";
stop_time = "23:59";
mode = "mired";
disable_brightness_adjust = true;
lights = [
"light.bedroom_lamp"
"light.bedroom_light"
"light.cubby_light"
"light.desk_lamp"
"light.hallway_light"
"light.living_room_lamp"
"light.living_room_light"
"light.wardrobe_light"
];
}
];
adaptive_lighting = {
lights = [
"light.bedroom_lamp"
"light.bedroom_light"
"light.cubby_light"
"light.desk_lamp"
"light.hallway_light"
"light.living_room_lamp"
"light.living_room_light"
"light.wardrobe_light"
];
min_sunset_time = "21:00";
};
light = [
{
@ -114,12 +115,9 @@ in
lights = {
bathroom_light = {
unique_id = "87a4cbb5-e5a7-44fd-9f28-fec2d6a62538";
value_template = "on";
value_template = "{{ false if state_attr('script.bathroom_light_switch_if_on', 'last_triggered') > states.sensor.bathroom_motion_sensor_illuminance_lux.last_reported else states('sensor.bathroom_motion_sensor_illuminance_lux') | int > 500 }}";
turn_on = { service = "script.noop"; };
turn_off = {
service = "switch.turn_on";
entity_id = "switch.bathroom_light";
};
turn_off = { service = "script.bathroom_light_switch_if_on"; };
};
};
}
@ -148,6 +146,13 @@ in
}
];
input_boolean = {
sleep_mode = {
name = "Set house to sleep mode";
icon = "mdi:sleep";
};
};
# UI managed expansions
automation = "!include automations.yaml";
script = "!include scripts.yaml";

13
modules/services/matrix.nix
View File

@ -41,6 +41,10 @@ in
owner = "matrix-synapse";
group = "matrix-synapse";
};
"matrix/matrix.hillion.co.uk/syncv3_secret" = {
file = ../../secrets/matrix/matrix.hillion.co.uk/syncv3_secret.age;
};
};
services = {
@ -114,6 +118,15 @@ in
};
};
matrix-sliding-sync = {
enable = true;
environmentFile = config.age.secrets."matrix/matrix.hillion.co.uk/syncv3_secret".path;
settings = {
SYNCV3_SERVER = "https://matrix.hillion.co.uk";
SYNCV3_BINDADDR = "[::]:8009";
};
};
heisenbridge = lib.mkIf cfg.heisenbridge {
enable = true;
owner = "@jake:hillion.co.uk";

1
modules/services/tang.nix
View File

@ -13,6 +13,7 @@ in
enable = true;
ipAddressAllow = [
"138.201.252.214/32"
"10.64.50.20/32"
];
};
};

32
modules/services/unifi.nix
View File

@ -10,20 +10,14 @@ in
dataDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/unifi";
readOnly = true; # NixOS module only supports this directory
};
};
config = lib.mkIf cfg.enable {
users.users.unifi = {
uid = config.ids.uids.unifi;
isSystemUser = true;
group = "unifi";
description = "UniFi controller daemon user";
home = "${cfg.dataDir}";
};
users.groups.unifi = {
gid = config.ids.gids.unifi;
};
# Fix dynamically allocated user and group ids
users.users.unifi.uid = config.ids.uids.unifi;
users.groups.unifi.gid = config.ids.gids.unifi;
services.caddy = {
enable = true;
@ -38,21 +32,9 @@ in
};
};
virtualisation.oci-containers.containers = {
"unifi" = {
image = "lscr.io/linuxserver/unifi-controller:8.0.24-ls221";
environment = {
PUID = toString config.ids.uids.unifi;
PGID = toString config.ids.gids.unifi;
TZ = "Etc/UTC";
};
volumes = [ "${cfg.dataDir}:/config" ];
ports = [
"8080:8080"
"8443:8443"
"3478:3478/udp"
];
};
services.unifi = {
enable = true;
unifiPackage = pkgs.unifi8;
};
};
}

25
modules/spotify/default.nix
View File

@ -1,25 +0,0 @@
{ config, pkgs, lib, ... }:
{
config.age.secrets."spotify/11132032266" = {
file = ../../secrets/spotify/11132032266.age;
owner = "jake";
};
config.hardware.pulseaudio.enable = true;
config.users.users.jake.extraGroups = [ "audio" ];
config.users.users.jake.packages = with pkgs; [ spotify-tui ];
config.home-manager.users.jake.services.spotifyd = {
enable = true;
settings = {
global = {
username = "11132032266";
password_cmd = "cat ${config.age.secrets."spotify/11132032266".path}";
backend = "pulseaudio";
};
};
};
}

2
modules/ssh/default.nix
View File

@ -43,10 +43,10 @@ in
"dancefloor.dancefloor.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXkGueVYKr2wp/VHo2QLis0kmKtc/Upg3pGoHr6RkzY";
"gendry.jakehillion.terminals.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPXM5aDvNv4MTITXAvJWSS2yvr/mbxJE31tgwJtcl38c";
"homeassistant.homeassistant.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM2ytacl/zYXhgvosvhudsl0zW5eQRHXm9aMqG9adux";
"jorah.cx.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILA9Hp37ljgVRZwjXnTh+XqRuQWk23alOqe7ptwSr2A5";
"li.pop.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQWgcDFL9UZBDKHPiEGepT1Qsc4gz3Pee0/XVHJ6V6u";
"microserver.home.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPOCPqXm5a+vGB6PsJFvjKNgjLhM5MxrwCy6iHGRjXw";
"router.home.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlCj/i2xprN6h0Ik2tthOJQy6Qwq3Ony73+yfbHYTFu";
"sodium.pop.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQmG7v/XrinPmkTU2eIoISuU3+hoV4h60Bmbwd+xDjr";
"theon.storage.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN59psLVu3/sQORA4x3p8H3ei8MCQlcwX5T+k3kBeBMf";
"tywin.storage.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGATsjWO0qZNFp2BhfgDuWi+e/ScMkFxp79N2OZoed1k";
};

11
modules/www/global.nix
View File

@ -33,6 +33,11 @@ in
services.caddy = {
enable = true;
package = pkgs.unstable.caddy;
globalConfig = ''
email acme@hillion.co.uk
'';
virtualHosts = {
"hillion.co.uk".extraConfig = ''
@ -42,7 +47,10 @@ in
header /.well-known/matrix/* Access-Control-Allow-Origin *
respond /.well-known/matrix/server "{\"m.server\": \"matrix.hillion.co.uk:443\"}" 200
respond /.well-known/matrix/client `{"m.homeserver":{"base_url":"https://matrix.hillion.co.uk"}}`
respond /.well-known/matrix/client `${builtins.toJSON {
"m.homeserver" = { "base_url" = "https://matrix.hillion.co.uk"; };
"org.matrix.msc3575.proxy" = { "url" = "https://matrix.hillion.co.uk"; };
}}` 200
respond 404
}
@ -65,6 +73,7 @@ in
reverse_proxy http://${locations.services.gitea}:3000
'';
"matrix.hillion.co.uk".extraConfig = ''
reverse_proxy /_matrix/client/unstable/org.matrix.msc3575/sync http://${locations.services.matrix}:8009
reverse_proxy /_matrix/* http://${locations.services.matrix}:8008
reverse_proxy /_synapse/client/* http://${locations.services.matrix}:8008
'';

BIN
secrets/certs/blog.hillion.co.uk.pem.age
View File

Binary file not shown.

BIN
secrets/certs/gitea.hillion.co.uk.pem.age
View File

Binary file not shown.

BIN
secrets/certs/hillion.co.uk.pem.age
View File

Binary file not shown.

BIN
secrets/certs/homeassistant.hillion.co.uk.pem.age
View File

Binary file not shown.

BIN
secrets/certs/links.hillion.co.uk.pem.age
View File

Binary file not shown.

19
secrets/gitea/actions/boron.age Normal file
View File

@ -0,0 +1,19 @@
age-encryption.org/v1
-> ssh-rsa GxPFJQ
O6XXkSIScAPiHbBj6VDHrAzbZjossHPW2AQJtQKkrUmERLABYIZuYFJHk9yH2q2W
uBdO/jKN8slQ/7fzKMRu/1EKNRscc1ufgrCCDWdZicdNPSy7948dx+mVK0ass/US
jnPgn75erR+KLsi8/yNJc12mx6onvVFE0mxFihZobiEdt7FcjSFCV9k2pPtN+1TK
5bKpjyodla+KwSXMGDH7jttvMFXtX5NKda4nYNOM1fHwQ5XCdLti67txcn2y85LV
fuo9Pzu++o6aFOalfufKyflOh8Vk3RrBwCDK81e+YLMVjSGv4ZsiTp5O+sI8dBwR
BqftVb523V4L3FhksG/e7Q
-> ssh-rsa K9mW1w
xUjF7ctBetl6as6/N1dVa+Zkg8EOfOILOMzCNUQVGStJ0cEeC3vi54xwoTxnZqX8
n2f6wsgcZP203MBX5YJTw8w80WN8WPNYM8IZxdrcSNNuOrPJQbJZkikYGOg8z9/g
7zaSotrxcHrHYR2DM/qsQJRYNQgZn7AKviEPwDNSkiGHzolIHRuAi+e2M891/DzA
k4X5VsYGusM3Lo9ABZvNzX0MEnLxtStl3TwW4i4MgWts4rjcjBAp5ybZPrQLgMf6
M//FNwBXv2adLSC8oUiTWYKB5l5sTmjNawp1FED3T9WvesKWNY0Tm4KrqJA+Ul2Z
8aoxg/TCjuuypTIaEPm2aQ
-> ssh-ed25519 iWiFbA Zl3LbVd8MHnlj1t4LuAcH13UVwHSJb/wSacM5BkTKHY
vwJ4d2obJPXkgOn44+beKbiKR+qnKvFgkOvotwPDJK8
--- 2q02v2RlVgBjT3qCe2nAXft976YYbr80qtjw3N9i8Vs
Ł×?ŢëČ׍[ĺÔ=GľMI (ět¸?ÄÄo⼍/s˝ź¨P}ř™Ńvr,_ţ3×ĂňîÂjŮDJ/;‰ĺdŤut˘;ä‰@+˛

19
secrets/gitea/actions/jorah.age
View File

@ -1,19 +0,0 @@
age-encryption.org/v1
-> ssh-rsa GxPFJQ
IULcxHpUsH6OI4cfixNPM89VJNcVkK+Z8IpgjzRspSyKc5N7jox6DYSbcuPsjGs7
aS2JYOKOx4hYW9aL3B+tef2I24+NzMDTCT31g9gvuLA0wSMWBoFwVodPbfj1ekHy
wDUK5XrgyJtFrwTrvuklGYpb/qIEG//k7M/342C9QqfNesv9nULQ6P7+r7jJvxIW
sOo6qWHFqD/wIiwtLYiX3pOWC6m91L1QNGVh+9/t58YU8RLsgLm2+2vyg13mKya1
UktTKZbhgRXyUJb7h+vVgDKjAnwqnIDL8asCSDuoSRDBcCxwgSpTDOxAEn9X2oJx
6S3JLQDhWLlIYrqmVT1aGg
-> ssh-rsa K9mW1w
hbVlu640hhzR9rJi4b+1c+/V+EilbmwWaNzV7/0+a9BQusTf413hffhk8QXvuze8
04LuVctZW5L5B1eOCIeziHc6F5CyAjTsaEDM8SeKGmFjKccjdcSUdbsql87KR5Id
/drK41oNA6NlmWrLz3YaSz7A9F+B5lgsJDWgXhMFK3Hru8+gnBQPXkwT/IuQLWI1
sXhJN/dHrBsQ5Cc+fRO7/r6u3jiQ1DOS85qQHStsYYXqea0pfiu5wpPdGZVuECwa
/R3+ov1JOTK4T3W8TIqOU9ODJxWT697Nv64c8dV3Hq5ymEKkvmZpp1C1/QoCW2EY
Nk7PF5zM95SM/IdECQjJGQ
-> ssh-ed25519 Qo6/7A 3gQq8TrBY/7Evlu+q6awqBFjG9m5b7ED+dolo8CJCE4
JdbLYPo875DQyocjOaVmWQPdgWssuz/T6DJNqgFF020
--- 0si8/IY1PiYgcmtTFDqu0cj7dW6DFqvgirY0tiSZfdA
ûÈA©®¦£Ž®¬(]ý¸7£ÆüùÙÚqp0<70>„5Èc“ý$$æW|ß%`§/uXûɈ\~â!åléedäþDg˜ .<2E>i•]§­§)l>EÌ

BIN
secrets/gitea/lfs_jwt_secret.age
View File

Binary file not shown.

32
secrets/gitea/mailer_password.age
View File

@ -1,19 +1,19 @@
age-encryption.org/v1
-> ssh-rsa GxPFJQ
gDF6kKcuWAKwIhdnB7zav8ZXdHEuq+4yYVc0ZOmpXpiRReo8yVgAcDcMIt5Wkfjk
9quZWwFal2YZ9YH7HhG4vXVxzgL0s7oQfnzjsBwVO9lE/hly5gL9TqGY4fjuVv6Q
kBbp+JaogGv6RsHVajNWNto1qKNJWB8JyewnIdZOVRHee21u/a3qRMHuyRhIeiWR
QLMXxJxdvdgaCUjXMyOgMifsdklK/12kuRb6cTp9Zg+LzMUVloROSbhzofLUtjST
GnJR8qKDIDAG6XIzi4+/VZCcHRA/NEAs965GQrK/qyvyTcFW6BUwuoHMq3Ia/9jM
K+hgOULnfi+jIDw5U0HJKQ
EpPN7UHHRuytMr2vXy9CHzjVkH1iCt9LiTLhFsqXbL03Rk+X82q233Lm12f0sQvz
Hqjukkh9bU90TLKcEOFpKrU5FQwKUjzEy85A+4UoovWdJ8VwACOzoJf29Ys1bX3i
Xp4gUT7ne5+4afNwKXVFDS1YCPjIoQPu2cGw6iTNIYwVY5fNxz5y5ZHLkI9lOqJD
mT7jCgLLdkK8vJiDcu4Ofr21GaziQh93YXK69i3gyAt6pqSRyQdAfhMGkykOWdrO
FXMtpzT82UCvfbFbbRCRuSFga0uq5zx2cwvBD4Xagw8Dfg9RQO0rX9NAbbgcoyfG
qnk+0bYAk3pWfdXW9Z/psQ
-> ssh-rsa K9mW1w
TJKNczUv82J3W4sXH76qPmijKcOjvpLvZC7rKf85zBr2fdgOtXzXULQbFhW3l6gs
V50Lkw3gwSBC6ckWWKqfJkSxqWgAQumy5/5yZc9zqnNDJPXCaBEOkz3IL43Eu13V
4AihecOthSqFkfr1VsrllDckANsTse1Md/p8XDHOpNr/wyUHKRuFKnBmTG7nV2Ja
3sqOmI9RzIArUHY868ecGqPrZXWR72vqZJ3twtivq6aQI9mTw+98VPZeAUZVSMVf
5T7Z0XGfA3O5x8KDAtHcqUMA87vZ/NwsAHxsy7F64u4yaihIvG+8EQDmkGEP/7eG
lPijgnL0SUte+Df3/wXt7Q
-> ssh-ed25519 Qo6/7A 7U/6Bj8AWyHKrCZ38LOyUSr/d4HOUXPqT0FoID0ON1A
3jqYYywJlhN/i7QuXBWb0kajeZcZyBnNXpUWCMf9Kzc
--- pPjt0YCs2Wah1kyAp2qLbL9Q2z/K16jv4DJXAO7x2NU
-õ?ùÌQ5©`Y_ËÐŒ§þ£5†È,u¶.:…ÅÊ»AžoT c¿”p°ûNÝá·F[äX ¿‹°f<E28099>³ê•¡ÄG¿
NaR245c+88dGflT9cG73bQOBxQsVi5x8JkMTrqjabzwzHpRiBUdtP+Ou1w+klOI4
cv1RLngEZH9jsSiEdvpvRkzE2ILOR/abgABXZi/4vl7iXiC8T23QSOPXnMxrAgpH
RV9B3GcSClb70+Lf3pJtPBVHVENhFVFvj5JgxQ2Zi6eMpcMuL18r/Szn4erk8zXQ
330oEau80X6WoPtRaSqSxVRrMGecGHdIE9chLosCf1x8CgIcYBTtviky+fDQMkKZ
iwueW1luuBj1AuP33jUqjeyyMaJ6SqSmaxGqGHGXA/ayxF8HnHU9AJlhPH+tEEbs
84Xu2vwg9ikUz7B1tTBYeA
-> ssh-ed25519 iWiFbA CuUeGNUBc5K+AkXBRvp7SUTJNoMDW0bWRnYs3ZhFSGM
UwwyxNA2L9q6yYK+BqYcqOq6F5CF+iCUpuceWsEj7ck
--- 3XKIweSg0UFqbadbOP0APwaLyquaEdoanlvndvxcQkk
ßüu _śnTx#H-7<>‰yó—Îç<>¨—B„ô»uµŐÉîj<C3AE>ZHĐ'&÷_đś#ľĽ3ŕHÍ˝0f  šBęą×Ö™ýčÂLĽîz

BIN
secrets/gitea/oauth_jwt_secret.age
View File

Binary file not shown.

BIN
secrets/gitea/security_internal_token.age
View File

Binary file not shown.

BIN
secrets/gitea/security_secret_key.age
View File

Binary file not shown.

BIN
secrets/matrix/matrix.hillion.co.uk/email.age
View File

Binary file not shown.

34
secrets/matrix/matrix.hillion.co.uk/macaroon_secret_key.age
View File

@ -1,21 +1,19 @@
age-encryption.org/v1
-> ssh-rsa GxPFJQ
j36S9K1vUFeNZxh1l1dea+8KqzTnLqR3beGzDGmPSljkTPZrRs9MSsSwuAsH01Zh
95mfzFBvw3y7yGWgcW0NyGeiZ/NGvqYzuplqJbCXf/5Zwt9fnwGiWqIUZK3pGDvt
bEoJwfdTPPGgGH6egm/n+uZw7HuHklJtDwygh5wQobhsfu+q44JeaaC6Dg8Iu0Fs
ZNj2tJ1LIts0bsmevnJveOTXNq3TcHsPP1E3kYCt8OPEfPjx5Y2Ajba+VmDATDN/
5e6ncNOX5viA/DnlfL1Kx+1kf8A1wKJSNnCd0zPIDhDlagdcbd88CXdQPmPUuesD
qdUDplc+FjnCxkWrJPHnnQ
oP+PAtaEFPKwY/p94ofdBlLtCJDzaOkE7jblE4COKCp6NcfjUot7a7G2rSzG3Z9A
cF3HcuKsMrG2Tth4ElBB0nwfaXUJZOBO3nrZaU0RGBBkxqooDVV2LzA+NG0HpIZ6
8Rd/Ch621gaBDYbSNFKLx5pAotqsARt13BMVY9nuifNGmWAamZ5UsJwZ/OhxKC5i
bkFZGeHZm4tilpsBEnh99PxofQmFy52AQhpx2UZETaD7yXvyEQjN9yBVKGhwA8Xs
xIRZLVgCbMv5lroYChpj/SiuoNhuaLo+05+3r5JnL/ODEl2dYZHkr2fAo31QUPnr
kmir2Nwoq4MlNELjQvSfdQ
-> ssh-rsa K9mW1w
Fkzo4emHSiZilicSPgihNC9DjuNMih0pG9gjPJFeL6z3i8vzb2Wlr47Hs3RX8ccd
GUu97/g6Pk71STbZpq0J694lZLlzRrQiAoRD+nvbwDyiY4NThkWGwJyrK5YVsXb9
Tn8koBMyWAl173UZBfX9/tZbV/BgibajNYYUSOYqGPTtKMO2iwZi/f5vNP2Ss9Xn
a6xV3A9uJ0iQd1HFXxDqoy66KsP4cJX7U+cV4jPp0dcdAY/umgVcWnhAVRISiP0f
qLMEW6g63MXeJqij1vVl3WhEXqa4AZHGMGuHbWfuRhES8TVVxkslh6S1HnrbQq8Q
5x0sR+jPHIHk2ZJ3QLWQsQ
-> ssh-ed25519 Qo6/7A AgI2XGB68qmD4HsNzLJlGMOI8RHag/CyOOPgJNZ5Vgc
Oqto0uatJOeVEY6ON8jJIbNkGy96KJOW/HHvKqkKT0A
-> eG853-grease Pw3j" PcU:Uj0
qf1JY7M0YjgzXs73vuw/gwnTut46
--- 1wceU1/J0KK3A4H2iTKGpPIGIv6rbawHYerjWYeNYRA
+aäyz_¥ªìe¹¶_üJ=¼VÌ—Dâ„4n¤WÉ4òàv…ø%<25>ÿ=Äá>;lAôva~Á×ä__Á‰z¿ìˆ½U2=U?”šéÉXëj½d%1äjGì»Mk·ÕÉ’#’ª²—^ø*Újy§¦î¥<C3AE>
GVNgJY5cse7GnU0UpgfBT2a8Ev0KeFC+Tfvj8Jd7Wgu7pYv/DlwIumJN2NcmU76S
zW1Z6we+Fs4DO83v+4Bug4d+m7oUbKxbUfgIDE4MDEkc4B/XUKv0Ex1VaO4lGh6h
0lRF4PO22OjyO4TT4tkLZgTAStq/vS20GhluEdVPp2ovSsn7KYLwmx81iBnfNDbm
0uEKAE2dj01BHSiRZ1rVj9OnTacrRpzp6mbVJxZqkUMJ+A/tMp1B7eTjWiGhUUGs
+de52Ba/ww1jM0BmbdemWS5SA1Kch1ttgnSFKIh24tYyRxX4AVsuYqPkIuH8+W4O
Jh0387AJaR+3+Tvweo88Tw
-> ssh-ed25519 iWiFbA xx3oYrX6/Z1srbxmAztZV5AJgYZn20UMvRnn4qrSoAU
98oe26dqhSE3eET7hwdV/jJTVu2ldBiZ6ysabwK97Co
--- qrw4HhyaHrpDmws4EoABLFF3HU30AaZFCt4qHKo6gUM
OnÄCfIÚìQÿlµç@‡?:5¸<09>Ö m*63ÿgtjÁÃïÖA8 ^;TÓx%;O»·»×ß׶YG¢€,mïÞÜ â¥ ®Éîs8Pƒ òR«\nòXA÷·w;—ÚXRMÛù2´òFÏ

36
secrets/matrix/matrix.hillion.co.uk/registration_shared_secret.age
View File

@ -1,22 +1,20 @@
age-encryption.org/v1
-> ssh-rsa GxPFJQ
PcYDtUs6evvvrjU3cZxaEoj62lvEyRQI4aGvGFK+6E/5ROwjBsyv7g6ClxDOICNU
CUHzDYtbepFIycvqGGm/TDk2ZDknjpcef/pC2MjlPk+WZDkTx2MeNQs6uk8fNvS5
6Ppw3CvdiABcx3NFUrgh/N1NKsvgGCR621q/AkyjodUdjWwTxYbr3XnZVA1J+S6M
Nj+1RGYGBRGvUYcC7JIqArLZaCjDyXlyExtlCzlux8jUtblEBBmuwDYjMjUNE4fB
Qq7D0RZW1AiaMqiFuzB03l9+n+NzYtmWHDWpgZcp1mbTWEaGWvfSI1xxULjp89Hx
+3GopFzQpknChP+KIGWCIA
XtQerUqo59DoCzMSSbYWK1fZR5uPzA20NJcpZ8YOCD2cPJvGiSN4ePnPLSSnyUAV
ei45c6sdRRRZEKcq/uabTWPqk1xymKv4CrLn4FjS9VviKNYW0p+oo0J9ummwE6sa
/REKRIQRrsP1HwSO0gaq6CQEyGr9NouybuDDS5AIGpvaRV9+F1Htc/Um5JmsGaeC
aUBSJdZGnUajg/NN+QBlhhndT1PevFNKaviOJB4ghZUv8V89KZUhZMLuWQHVSr6D
fPQLXCI7mDjv82rydG5NWzE3OiMycLlt3AXWE97G4dhrtQGMPb3KDeGaY2mXBQ5G
Qq+myMZJqx9LbQWPyBgLgQ
-> ssh-rsa K9mW1w
ioNuiJFlFdVWMmAHlocThTlQYIn0m9I85WZjtbXbBGaV6B7WPVJOAfj8dsKAx2a+
E8kq3Ffc1iNfcnw5gBb9X9zXReyi1cdSsdjwJS8Wew2was3rcbcRBh4cL+bzZ1U5
BOkUqWo8lF1PNf/oJyjK3y07br8EKcjDTMs+n3AkjGTLyyP2Li2ZwzCHCoKgyHxf
COcFAFWQdli4fZon9KjZ+Je4UtPtyDEKUUZxZMxXsXd4OTs/cpaFpzrl7MpB2Qdg
31x0SQbY7Vt7+88yFoE55NmTTDPtIj9A38xSn9HBGHDl8+nftXTnkoQa+E2gJ2V0
LYeWbozz2zFUQiUsQhM72A
-> ssh-ed25519 Qo6/7A h+m0fzmo6DpdSejGvgcrYIuQFM0My3X+Vk4XvwlRyDg
fWmR5VvANbi8P2zouqz66lxx61YzcW9R6wQLZvh3Y48
-> Z#,x-grease ~ts
zKs31SssQzG0GYI+xfHhfC+0
--- Aa0oGbJedOyry0m22fwH+VY5koBC2NO7o4OwIQe6YlY
4´ž -v°OÊ
n.dýç CèµD«Þ,Ï+kr½>¿ÖdiØþÕáý8ŒÉøŸ³å4
QjWGmW/CSl1+xidbzQ7rBjPI9gphRAqC9j4dTsQmK48WlnlG9fAX1w7s8zJI287c
VwtOndfP/yYe8zj14IB0bn/efJ4s9DXS1toSVHhHMXGRYNx4LZJtGrHPEe7bmBDR
g3m6i3dFB48o4niZwLFmsTWD8KpYFPRmGnD9AX7cXtA1KzjD61ebb7dsjQ0J7/04
QLUmPUJ4BMgvMhv5zHfjq/LjasrOVY5QkKi95xYVREacy9hp/5COs9d0d40+qLFh
QJ2CuiOba5+aYnVWtbq63F9YJsAwknPOI2nV64l1BflQGJjec+wS4LPi4+l6pT+0
wPStv+iVu5vYdVNuq7KtnQ
-> ssh-ed25519 iWiFbA Qrs30RtQXXEglsSKQbmeLhZvQB9yR0EbKeba8IV1/wo
o89IKeFH91zdqfRJrIge0Sod6k+66BbN3DcUfnqSgqg
--- zhvOvBCbfuhWDejcJcXxtdypACwgPb1KrqpsNYWiKNc
å<}š‡: ¸Ã2bzªüÙÄq¬SYîÌõr掄Ý}¯â<C2AF> u—»ÌòbŸ\;

20
secrets/matrix/matrix.hillion.co.uk/syncv3_secret.age Normal file
View File

@ -0,0 +1,20 @@
age-encryption.org/v1
-> ssh-rsa GxPFJQ
Z3WKcEusrn04hb2zUpEFBHOoqDIaCzMo/jZuOX/eMKPBqTrxcba9ZgxOFE7+yaUi
FJvlQNg5pQn/vaCtHkJWfBXdKiwZ3pIeaqwNcto8EprKLxIAkLjMBMOursz9k41E
0B4NKRyxiQO2kMgjKb9jYzhioan3NG1Loto8RbjbUPlqn/Q0NEsq8Uql0qaM02Ba
zBd1Xt1MFDtemXxzfmeqLMX45F67B8JKFujnXajR7qoRCmzz6kkj6zb+SEE+Nodq
9J/i4rpgwP0B9Zgp9QqnvOBVuLtxPOv/EE+Dp9Ktj1v5SxlJbQoPBiX5pZd5n3/n
dqibdn1Jls57qCs9sHAlDQ
-> ssh-rsa K9mW1w
BMNOK5nTDPSw5wZsdWlpWzbA62WdDmqg3CdiYSA8mDZT5LFHsmZt4azfwvCWnwKh
jvzWsNgASSdCCGk4xzDR8qzVAvcku5IxgQjGWCfa307r8k1RFMF910+QpS0nsckE
voBCvNIbv1Qjg6MKSXIDmmDjeLedL/0WYp7mX2FHQbs2Mau3xHz+l4mW9C6Dlyeu
PdR6IYJxqxDOqQk2FIMYq7vS1JWDo2ntS3XcufUL4V6TeFj1Soauff9/55hqt8Tm
JlUkbHmc/69bsqbr3en1sk6lk7GV7M87tfjGJuhdsMQLY10jFuZfkpewRhCLTEpR
LFooblAploXTZfXkvmoj2A
-> ssh-ed25519 iWiFbA izGiArlZgQMVSnQv/WG7+tBUnk0z/iUHI1TgAf0d5V0
Qw/pUd8y7UNElE9U+VwE7cQhemfPXFhFoiKQya34Bwo
--- FfPFhjvH78/oBzE1tL93Vxm6fV9zsHL3S8aDb3KWA4o
óœ}þŠ lj¿mE_¿9mç}z ¼?ü-Ø9F•]IóãÞØy7uw¼x¼ŠQ3ÅìüqñŠJ„åVº/”º@>°vÊî-G4;Êí1Ñ&@§k® ÍWë+c*ûžìá|#»û˜Èª­³Wy
fC°

41
secrets/restic/128G.age
View File

@ -1,24 +1,23 @@
age-encryption.org/v1
-> ssh-rsa GxPFJQ
EZBFKBAzoSqlSaMvehEGiiCXaT7qhewJy1v6mr3NVCvQqTck6STzEBoalKDi3mIF
fLoX7oVMEh5bgOkKIYBiv00ueHe+osNCJtx/dHx9X462RXixrcbIqdPCD+XS0puZ
CxaohxNu+kSmbtZc9pZ8PETZ93dmCetSIwo1uQiGJChFBxNn7lm/fvOPvdN1821i
ougijCL+f8fG/fymXnnlULbAdyhUI+6Hx2WAP8v9796XQHBieKJJfRFVhbUGRKD9
1AK66zZClZ1dD8SuZBtCnafrVm3Wjwys2aKgncKdrWuNoScWoZNiL4nS55w3PCEN
U2Jq6smqxjPdC/18xuBiNA
S3ctNbWyX1A6JQIN1vNnZamNMMYK20sP5Fv8P6XR4tlrM97QRcFujN6FM3a2siI7
/bHryIpHu1cdK90qCLbIvyYm1lilTrXiN1JIN+4sm808dqinKwUI+RF0B+JzTbLW
JaITpkJubkrudALAoYARWBRcSkBRSnZYfWBIqDyuj42eGiqObTZdw6flA362cplX
j+XaqdyrISSsCq+nH22zpNC62MdwYKGnBNkao3ICZ74lYOdtjPE3FrokGkt1Hllm
AqZaLcYUTBbBlysrf8YlsAK9AvtdRHtwACcBv0YrJ35+HIJP7fkAWkfoCqD6iCu6
z7XHv1LrtMY/HG3md8hV9A
-> ssh-rsa K9mW1w
wYSU6EnCqBEQL950d/suDPPmJmqiPWHX0GJuc37bYffJTCJIJKthk43FDOWrcgbD
vsfTjRkzRZY8H6ngTTlwIuECzoJDhLq4/4n69dOi2Uz8XZvD9y6lPE7qmqClMziZ
mtheoib/PVoV6OvPnCg+d52HfR2REuQNHxGhNucDOjmL+lcjYNqrVq1IHhZJ0WUh
4+8J5kA17yFtdnLuIcIPdVNZ1oI1Y5E6H+fiJhje5cnEJ7u/GQAFRLmdV36cZDzF
OaUap/nxyAIjga+zbGptHjvKvLfWL+5EA+H47es6xcpJfadBuq0+AfTlSvsQzrqj
15xCp6IeGXJeZCOF3NchWw
-> ssh-ed25519 nWv9MA k5cpWIDL6sNwqlr9dx3KBd8SXW4gwLZwjUPD1jqL4VM
xkDd8nnNoZNOPxIMt2iXvOVjUXxPcBpI0KD1I4p40p0
-> ssh-ed25519 Qo6/7A 7eJXxyASGk0iZu7o81zoiIm33IILsL9I7ScDXARPXzw
L0WP9V9nkRUvLXVVWf6BWf2GR8xvEI0LkDDAYOmGqLE
-> ssh-ed25519 L5AKYA h7RKESPZ5k1wt67mErHvfWBpXY20mTVf/rMsvEcnb3s
xoHeghX8qvq2A9LYQpH+jna3Qr9tegIkTI/RhcZFXig
--- EwX1bjkJInYJEdM64ZNnt4UfwXAHcAz6ce+eBU9ORC0
š®
@µéÂl’¥ëf}É4Œ0÷urú *'n•³%j=Õ’´"<22>÷œ;y§×
fv366v8Yl7JHgYP6dyy9CMDY7KtjTK22WZed2zRTNpK4Z2lPrhPkMSahjuKCOtg1
dPw2/mxHL/765f5V+ayGa3OxGzVfycmsKfTWhEBa6AcumVUTXCXk9i0u8MkyW36n
RjSd2wAPhXXt/RJUg0OQ7GB5ILY7sy/z8TGByMIWKUfNqqxJeBqm+D6k4kMjOkx4
/S0JEPFpC3izwVjjnQh+NX5Wm9qOVNViJcCJ/+XX+ydK1uloeZjDvSs1E2+/xlo6
wC4hsIBo7qQ9Fi0XIyE0UZiuLLtwozNEvctIzYOLMgqprP/zVgvDMc/qIrxN6ZzG
zC/n6bzufZ1v/wkyQZVz3Q
-> ssh-ed25519 nWv9MA YWPBSHvP1thV1nTOqv1dSLD3hsmwAoPZ3ha8uyy6ciw
lNiy/gXYtBwMqwPu4kKHPXmA/t/iQ3sYYtZFO/kwB0o
-> ssh-ed25519 iWiFbA K/RtHtowVbVOFjciimyV3qncJpGdXnlgPu2wydgbZC8
RE2ZIl7Huu03JzI2HnzPQlXOH1lCK+Gq85s7ZGQoKOk
-> ssh-ed25519 L5AKYA QeK0d2kufo23d5gYcyz43ZZJG/r6ehro6aF9VIiVihA
D2UVzyBu/ZEgXRvmosYS/EOGFSWVaRANQnJgue1vFzg
--- xS5J/VAzbw0OANF+qfcLIqcrtLpXkRct2miWOIhM+Uk
§[Ði<1A>,g¯ý-EÛy®4*ðÞ&'ЊÁã:°fQ°aº55 „zC®Þ§ A<>

48
secrets/secrets.nix
View File

@ -14,14 +14,16 @@ let
ts = {
cx = {
boron = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDtcJ7HY/vjtheMV8EN2wlTw1hU53CJebGIeRJcSkzt5 root@boron";
jorah = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILA9Hp37ljgVRZwjXnTh+XqRuQWk23alOqe7ptwSr2A5 root@jorah";
};
home = {
microserver = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPOCPqXm5a+vGB6PsJFvjKNgjLhM5MxrwCy6iHGRjXw root@microserver";
router = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlCj/i2xprN6h0Ik2tthOJQy6Qwq3Ony73+yfbHYTFu root@router";
};
lt = { be = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILV3OSUT+cqFqrFHZGfn7/xi5FW3n1qjUFy8zBbYs2Sm root@be"; };
pop = { li = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQWgcDFL9UZBDKHPiEGepT1Qsc4gz3Pee0/XVHJ6V6u root@li"; };
pop = {
li = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQWgcDFL9UZBDKHPiEGepT1Qsc4gz3Pee0/XVHJ6V6u root@li";
sodium = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQmG7v/XrinPmkTU2eIoISuU3+hoV4h60Bmbwd+xDjr root@sodium";
};
terminals = { jakehillion = { gendry = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPXM5aDvNv4MTITXAvJWSS2yvr/mbxJE31tgwJtcl38c root@gendry"; }; };
storage = {
tywin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGATsjWO0qZNFp2BhfgDuWi+e/ScMkFxp79N2OZoed1k root@tywin";
@ -48,13 +50,16 @@ in
"tailscale/be.lt.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.lt.be ];
"tailscale/boron.cx.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.cx.boron ];
"tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.terminals.jakehillion.gendry ];
"tailscale/jorah.cx.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
"tailscale/microserver.home.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.home.microserver ];
"tailscale/li.pop.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.pop.li ];
"tailscale/router.home.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.home.router ];
"tailscale/sodium.pop.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.pop.sodium ];
"tailscale/theon.storage.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.storage.theon ];
"tailscale/tywin.storage.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.storage.tywin ];
# WiFi Environment Files
"wifi/be.lt.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.lt.be ];
# Resilio Sync Secrets
## Encrypted Resilio Sync Secrets
"resilio/encrypted/dad.age".publicKeys = jake_users ++ [ ];
@ -70,20 +75,19 @@ in
"resilio/plain/sync.age".publicKeys = jake_users ++ [ ts.terminals.jakehillion.gendry ts.storage.tywin ];
# Matrix Secrets
"matrix/matrix.hillion.co.uk/macaroon_secret_key.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
"matrix/matrix.hillion.co.uk/email.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
"matrix/matrix.hillion.co.uk/registration_shared_secret.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
"matrix/matrix.hillion.co.uk/macaroon_secret_key.age".publicKeys = jake_users ++ [ ts.cx.boron ];
"matrix/matrix.hillion.co.uk/email.age".publicKeys = jake_users ++ [ ts.cx.boron ];
"matrix/matrix.hillion.co.uk/registration_shared_secret.age".publicKeys = jake_users ++ [ ts.cx.boron ];
"matrix/matrix.hillion.co.uk/syncv3_secret.age".publicKeys = jake_users ++ [ ts.cx.boron ];
# Backups Secrets
"restic/128G.age".publicKeys = jake_users ++ [ ts.storage.tywin ts.cx.jorah ts.home.microserver ];
"restic/128G.age".publicKeys = jake_users ++ [ ts.storage.tywin ts.cx.boron ts.home.microserver ];
"restic/1.6T.age".publicKeys = jake_users ++ [ ts.storage.tywin ts.home.router ];
"git/git_backups_ecdsa.age".publicKeys = jake_users ++ [ ts.storage.tywin ];
"git/git_backups_remotes.age".publicKeys = jake_users ++ [ ts.storage.tywin ];
# Spotify Secrets
"spotify/11132032266.age".publicKeys = jake_users ++ [ ts.terminals.jakehillion.gendry ];
# Mastodon Secrets
"mastodon/social.hillion.co.uk/otp_secret_file.age".publicKeys = jake_users ++ [ ];
"mastodon/social.hillion.co.uk/secret_key_base.age".publicKeys = jake_users ++ [ ];
@ -97,7 +101,7 @@ in
"storj/auth.age".publicKeys = jake_users ++ [ ts.storage.tywin ];
# Version tracker secrets
"version_tracker/ssh.key.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
"version_tracker/ssh.key.age".publicKeys = jake_users ++ [ ts.cx.boron ];
# Home Automation secrets
"mqtt/zigbee2mqtt.age".publicKeys = jake_users ++ [ ts.home.router ];
@ -110,21 +114,21 @@ in
"deluge/auth.age".publicKeys = jake_users ++ [ ts.storage.tywin ];
# Gitea Secrets
"gitea/lfs_jwt_secret.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
"gitea/mailer_password.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
"gitea/oauth_jwt_secret.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
"gitea/security_secret_key.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
"gitea/security_internal_token.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
"gitea/lfs_jwt_secret.age".publicKeys = jake_users ++ [ ts.cx.boron ];
"gitea/mailer_password.age".publicKeys = jake_users ++ [ ts.cx.boron ];
"gitea/oauth_jwt_secret.age".publicKeys = jake_users ++ [ ts.cx.boron ];
"gitea/security_secret_key.age".publicKeys = jake_users ++ [ ts.cx.boron ];
"gitea/security_internal_token.age".publicKeys = jake_users ++ [ ts.cx.boron ];
"gitea/actions/jorah.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
"gitea/actions/boron.age".publicKeys = jake_users ++ [ ts.cx.boron ];
# HomeAssistant Secrets
"homeassistant/secrets.yaml.age".publicKeys = jake_users ++ [ ts.home.microserver ];
# Web certificates
"certs/hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
"certs/blog.hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
"certs/gitea.hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
"certs/homeassistant.hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
"certs/links.hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
"certs/hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.boron ];
"certs/blog.hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.boron ];
"certs/gitea.hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.boron ];
"certs/homeassistant.hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.boron ];
"certs/links.hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.boron ];
}

BIN
secrets/spotify/11132032266.age
View File

Binary file not shown.

23
secrets/tailscale/jorah.cx.ts.hillion.co.uk.age
View File

@ -1,23 +0,0 @@
age-encryption.org/v1
-> ssh-rsa GxPFJQ
kqQ9ovZi1Wqf7hz75QB+v8oLr5oRT4Uce7juM+R04CrOOGn1O6DkQtVeFa4Q7Ho0
DTYeaP3jTR8zo7poTI323q8FbQ/dLG4jxBFafDZJZlXGEThVLnhNYqZZSjiCJHma
hUn8nSC0y6AdA+lMn8tvZcaivaYpPtT+bALXtvxZ6rTo+mTbJrVRxPY5FZdmdmCC
Z1h3UFZoyuAO9VWQKtPO3o0Ijh+L7e+TFdRl1YowGB+hvZdJ08AkPXrwIEUMnnMA
+e/FA5HxHgvi6ud8RTcAkaecYt0l/vKDgBON9ESfHIMuS+vNk5GKT7a+ImKmfb4/
o2cSmR8y/+J5z4MEBcj/Vg
-> ssh-rsa K9mW1w
veHh0OpoW3Hnvy9k7NwANMae2StqGcohTI9hfeHNi7mR6wHly1HqOD9U7eijVYIC
qvKJsk7sEO8NyAVqLWqrvdq9bLkgTgsNWQsXbulY8VHhwZMIko9YYIZeJv8Um9Bz
q4QiwJW1KoLItqJNR9c1ZLRfwHaLZwKTThAKMjgt5KFiN5NJYb9CLbAZi4eG1hi0
PsIP/S/dsUKAeN6Bz2JZ4HB0jsvyPiQLr2p4q5nfEKybJEmjOfc9Z7TjwZTNlC0Y
0MKVarhwFqsMIP63gTYZisacAhmsG7DoLFA5eHf0VPa1KjqFait0dG+zuojehMfj
uifZFGahsWaAMg+oq+/Cvg
-> ssh-ed25519 Qo6/7A sLXu4pSLH2lnzLYVzisN9Zl/EW1jL21Km6kPZO0/Zjk
chDyf7Sb5GtSVi3TmfYpwwFbI3PhoOnxS5lRcqQGwyY
-> Y1-grease ,Lz| "Uil>z36 -K
xfFD+uEZIkGkysF3HdMkMbhsPnu+Cnu6o8tT0lq8rdSOn26V6Fj5CZi1muuD7d2c
BLtH1vyQx4M71Hb6PmKu7+s5V9xsJqKxtDqx/6iAc9uZnbmeU27nsA
--- YXh9Kl4PGetzx8qsLJa5gTO3W7UNtio1tXs/HXS271U
Þûa…kž+J+/û€áñ<1A>ÍKÅbÄä‰éù|Ï$MäåÒ{NýÇ]¦ï=ö7Ïß@ƒ<E280BA>(h.ql2 ¢X}]ê,¦'ùN ÙCô!Æ;ØW£±
äû·Dï

19
secrets/tailscale/sodium.pop.ts.hillion.co.uk.age Normal file
View File

@ -0,0 +1,19 @@
age-encryption.org/v1
-> ssh-rsa GxPFJQ
rgebPOZWAkQIqQZn5UywtUzu1ZpEK9yF3wDLl7b76vOLBM8BeE/cud2AgwRe49VM
UfbL+5IInvqvVCtCmciVvDhBp85BLvuB/e6DkWxH+HkKm7/stgXkuaotnbxftLN5
w90Qz8jVgwOSWlpDdW+MACphLBOiDe6oUrcodiQTD+FmA/cH7oEnjaxyElZA4aey
Yw6df7NiMCbh8LitSqLm9YTB6yWlVw6fumpvsVJqW9UPOdTtOEilFT6qrXIMeu10
MEdDkU5FlocDSxYLN1buIRSVb+wtN8eSYrMsOd7zwB/FYWw9fFNbZ/1JFxQKl9SK
w+fHN1jQyOjKpbYELeCdRg
-> ssh-rsa K9mW1w
hAYfQrfwWNmck6t7oDzS/JKd7Gb/j3MMH19kEZ74k2Z/t6j9VgNlo0cLCQCRd29l
NXNwx4H1VLFqP0f0YOIpbeZAPjvLxWODv97ovLWTtokPX9/kDugigqdW59KYcxWB
cbGAJrBm+D7b5uEuVBCWWBAAv8dZ4EajguoBR6u9mkJRDyy55q3JnS8zUoSz/9XK
Ne+pf9Bej2hen5CrFJoIBs3YGL81Tqn9zfI3RsgyncB355aL0bH3FKeeWU/Qm2Eb
fqJroSjNteWp+vqu9RzgrzpRUrZbw+KZL7sssTc0qXTI6UuUrchJ3ku8bOAmYYj+
4GgOgMeY5ne15Xkc0g/U7Q
-> ssh-ed25519 oW6Y8A koK5dt68rm3ItiMLS/D85cL1FyvBFOoOUn2iU431HXk
isWccUR1wymJzBSoNVh+aFMrp1/VS3In6w/kcb1RTSM
--- Askgu9440tsbF855jM94XpINs1fv69fSY/+CchwH/q8
š3 ÌV÷<07>Ôy~ϸtˆ¯ÿÉÏè@öpƒÆࢅ~Ón­°¥Ä ¾âaUUr•1P¤žÓ6W8ÆFÎ<46>Å<EFBFBD>€?ë­7…üÞ&Ü—OŠ×t|œpoË

BIN
secrets/version_tracker/ssh.key.age
View File

Binary file not shown.

20
secrets/wifi/be.lt.ts.hillion.co.uk.age Normal file
View File

@ -0,0 +1,20 @@
age-encryption.org/v1
-> ssh-rsa GxPFJQ
j23rAXS9bmi74Aw3K+Ym/+4eajkeddGn0JsT4y7LkM54KZDazHLSpdIY8G4bPEC1
Hmwb6tC/fXjCwxZlR69UcWOhYtGFNQKKe66uO4+LnLHrosppsFNUduk1/yamorxh
foTF1BYstniAO4dkeS+gqU+EozOnpOgnXDjJwQu2az7H0ecTkrdaExVSZefoak2Q
NdiMVzLgx4/jcuNFIQhej9h2RuTZFcYqoxLvpDYhgCHHrZGXT4MpMtpbV/1z0rjE
RZiMsaD0cFUB0xY4ncZu/UYTqDInCmiQ/hT1IpHXo41mJgAoOjxvBuMtT1JLFIPx
eHV8+2B6t6cmvJ94oDb6pA
-> ssh-rsa K9mW1w
nX3geP4iz2iW8cIaiI+gUsf2Me5N5yLVxyp0AZx3mxm+REVeW/3gIs6RFwgVvNz4
O3Rd714c5eufkVb0jaHcnh9xPkhd9JPhDx9ALJebFyDwviQelRucCNkAiFU8cCp0
5CwdTOsa+QoTL0yzkgFch32sEnrmi3NQpMyQdIACFaFyvVl0vd8jOvIrNUqEc1dZ
XL2brlteJ5tDn4+7riShILdrkWUXMt127YtBLk4kzAFq9bem6KR3mxoupoGOMZKM
6erqfETaoGyQYfETg7+/4CSoCOnSw7EgleOQ92Esof2KPiLWqvVVLRYQkajr5atn
QM8pEVHysfP7tYCOw5Pc3Q
-> ssh-ed25519 ikTTQA pS/dHNYcNr5Td/Gd7bzuODNdtg5Z/EOl2ZMkRhWIbxs
7S4TzwwGr20Ar2EHYzF42yK3nKf6k2YAV97URcvtssU
--- aaywXgy4WGMmd1EoyFk/LXbATavqk0N5rrAJ43aHXo0
*¢X%jø gàïP5)ÚKS•=ØøÞa~зR7œ©\>ëŠv¡w°¿8©Ã
Ì•ŠQ±Nx…Lžlã`™÷Ì!ä ¸^Z¥éE¼R·V è\׺ ‰ÚÝ-R°vÞû¾Sgtw M©ÞÓÓç)#8Ã΃óɾn