Compare commits

33a0194ae7 boron: add firmware and optimise compilation for hardware
2024-05-19 00:33:13 +01:00
56 changed files with 433 additions and 800 deletions


@ -11,9 +11,12 @@ jobs:
flake:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: DeterminateSystems/nix-installer-action@da36cb69b1c3247ad7a1f931ebfd954a1105ef14 # v14
- uses: DeterminateSystems/magic-nix-cache-action@87b14cf437d03d37989d87f0fa5ce4f5dc1a330b # v8
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- name: Prepare for Nix installation
run: |
apt-get update
apt-get install -y sudo
- uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
- name: lint
run: |
nix fmt
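Review bot: The lint step never fails on unformatted input as far as I can tell: `nix fmt` rewrites files in place and exits 0, so the job only proves the formatter ran, not that the tree is clean. Make it a check by adding `git diff --exit-code` after `nix fmt` (or pass the formatter's check flag, e.g. `nix fmt -- --check .` for nixpkgs-fmt). The SHA-pinned actions with `# v27` / `# v4.1.6` comments are the right shape; keep the comments in sync when bumping the hashes. The `jobs:` block starts outside the hunk.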


@ -1,27 +0,0 @@
{ config, pkgs, ... }:
{
config = {
system.stateVersion = 4;
networking.hostName = "jakehillion-mba-m2-15";
nix = {
useDaemon = true;
};
programs.zsh.enable = true;
security.pam.enableSudoTouchIdAuth = true;
environment.systemPackages = with pkgs; [
fd
htop
mosh
neovim
nix
ripgrep
sapling
];
};
}


@ -2,9 +2,7 @@
"nodes": {
"agenix": {
"inputs": {
"darwin": [
"darwin"
],
"darwin": "darwin",
"home-manager": [
"home-manager"
],
@ -14,11 +12,11 @@
"systems": "systems"
},
"locked": {
"lastModified": 1723293904,
"narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
"lastModified": 1715290355,
"narHash": "sha256-2T7CHTqBXJJ3ZC6R/4TXTcKoXWHcvubKNj9SfomURnw=",
"owner": "ryantm",
"repo": "agenix",
"rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
"rev": "8d37c5bdeade12b6479c85acd133063ab53187a0",
"type": "github"
},
"original": {
@ -30,19 +28,21 @@
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1726188813,
"narHash": "sha256-Vop/VRi6uCiScg/Ic+YlwsdIrLabWUJc57dNczp0eBc=",
"lastModified": 1700795494,
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "21fe31f26473c180390cfa81e3ea81aca0204c80",
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
@ -72,16 +72,16 @@
]
},
"locked": {
"lastModified": 1725703823,
"narHash": "sha256-tDgM4d8mLK0Hd6YMB2w1BqMto1XBXADOzPEaLl10VI4=",
"lastModified": 1715381426,
"narHash": "sha256-wPuqrAQGdv3ISs74nJfGb+Yprm23U/rFpcHFFNWgM94=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "208df2e558b73b6a1f0faec98493cb59a25f62ba",
"rev": "ab5542e9dbd13d0100f8baae2bc2d68af901f4b4",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-24.05",
"ref": "release-23.11",
"repo": "home-manager",
"type": "github"
}
@ -93,11 +93,11 @@
]
},
"locked": {
"lastModified": 1726357542,
"narHash": "sha256-p4OrJL2weh0TRtaeu1fmNYP6+TOp/W2qdaIJxxQay4c=",
"lastModified": 1715930644,
"narHash": "sha256-W9pyM3/vePxrffHtzlJI6lDS3seANQ+Nqp+i58O46LI=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "e524c57b1fa55d6ca9d8354c6ce1e538d2a1f47f",
"rev": "e3ad5108f54177e6520535768ddbf1e6af54b59d",
"type": "github"
},
"original": {
@ -108,11 +108,11 @@
},
"impermanence": {
"locked": {
"lastModified": 1725690722,
"narHash": "sha256-4qWg9sNh5g1qPGO6d/GV2ktY+eDikkBTbWSg5/iD2nY=",
"lastModified": 1708968331,
"narHash": "sha256-VUXLaPusCBvwM3zhGbRIJVeYluh2uWuqtj4WirQ1L9Y=",
"owner": "nix-community",
"repo": "impermanence",
"rev": "63f4d0443e32b0dd7189001ee1894066765d18a5",
"rev": "a33ef102a02ce77d3e39c25197664b7a636f9c30",
"type": "github"
},
"original": {
@ -122,44 +122,29 @@
"type": "github"
}
},
"nixos-hardware": {
"locked": {
"lastModified": 1725885300,
"narHash": "sha256-5RLEnou1/GJQl+Wd+Bxaj7QY7FFQ9wjnFq1VNEaxTmc=",
"owner": "nixos",
"repo": "nixos-hardware",
"rev": "166dee4f88a7e3ba1b7a243edb1aca822f00680e",
"type": "github"
},
"original": {
"owner": "nixos",
"repo": "nixos-hardware",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1726320982,
"narHash": "sha256-RuVXUwcYwaUeks6h3OLrEmg14z9aFXdWppTWPMTwdQw=",
"lastModified": 1715948915,
"narHash": "sha256-dxMrggEogQuJQr6f02VAFtsSNtjEPkgxczeiyW7WOQc=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "8f7492cce28977fbf8bd12c72af08b1f6c7c3e49",
"rev": "bacb8503d3a51d9e9b52e52a1ba45e2c380ad07d",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-24.05",
"ref": "nixos-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1726243404,
"narHash": "sha256-sjiGsMh+1cWXb53Tecsm4skyFNag33GPbVgCdfj3n9I=",
"lastModified": 1715787315,
"narHash": "sha256-cYApT0NXJfqBkKcci7D9Kr4CBYZKOQKDYA23q8XNuWg=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "345c263f2f53a3710abe117f28a5cb86d0ba4059",
"rev": "33d1e753c82ffc557b4a585c77de43d4c922ebb5",
"type": "github"
},
"original": {
@ -172,12 +157,10 @@
"root": {
"inputs": {
"agenix": "agenix",
"darwin": "darwin",
"flake-utils": "flake-utils",
"home-manager": "home-manager",
"home-manager-unstable": "home-manager-unstable",
"impermanence": "impermanence",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable"
}

flake.nix

@ -1,21 +1,15 @@
{
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
nixos-hardware.url = "github:nixos/nixos-hardware";
flake-utils.url = "github:numtide/flake-utils";
darwin.url = "github:lnl7/nix-darwin";
darwin.inputs.nixpkgs.follows = "nixpkgs";
agenix.url = "github:ryantm/agenix";
agenix.inputs.nixpkgs.follows = "nixpkgs";
agenix.inputs.darwin.follows = "darwin";
agenix.inputs.home-manager.follows = "home-manager";
home-manager.url = "github:nix-community/home-manager/release-24.05";
home-manager.url = "github:nix-community/home-manager/release-23.11";
home-manager.inputs.nixpkgs.follows = "nixpkgs";
home-manager-unstable.url = "github:nix-community/home-manager";
home-manager-unstable.inputs.nixpkgs.follows = "nixpkgs-unstable";
@ -25,67 +19,47 @@
description = "Hillion Nix flake";
outputs = { self, nixpkgs, nixpkgs-unstable, nixos-hardware, flake-utils, agenix, home-manager, home-manager-unstable, darwin, impermanence, ... }@inputs:
let
getSystemOverlays = system: nixpkgsConfig: [
(final: prev: {
unstable = nixpkgs-unstable.legacyPackages.${prev.system};
"storj" = final.callPackage ./pkgs/storj.nix { };
})
];
in
{
nixosConfigurations =
let
fqdns = builtins.attrNames (builtins.readDir ./hosts);
mkHost = fqdn:
let
system = builtins.readFile ./hosts/${fqdn}/system;
func = if builtins.pathExists ./hosts/${fqdn}/unstable then nixpkgs-unstable.lib.nixosSystem else nixpkgs.lib.nixosSystem;
home-manager-pick = if builtins.pathExists ./hosts/${fqdn}/unstable then home-manager-unstable else home-manager;
in
func {
inherit system;
specialArgs = inputs;
modules = [
./hosts/${fqdn}/default.nix
./modules/default.nix
outputs = { self, nixpkgs, nixpkgs-unstable, flake-utils, agenix, home-manager, home-manager-unstable, impermanence, ... }@inputs: {
nixosConfigurations =
let
fqdns = builtins.attrNames (builtins.readDir ./hosts);
getSystemOverlays = system: nixpkgsConfig: [
(final: prev: {
"storj" = final.callPackage ./pkgs/storj.nix { };
})
];
mkHost = fqdn:
let
system = builtins.readFile ./hosts/${fqdn}/system;
func = if builtins.pathExists ./hosts/${fqdn}/unstable then nixpkgs-unstable.lib.nixosSystem else nixpkgs.lib.nixosSystem;
home-manager-pick = if builtins.pathExists ./hosts/${fqdn}/unstable then home-manager-unstable else home-manager;
in
func {
inherit system;
specialArgs = inputs;
modules = [
./hosts/${fqdn}/default.nix
./modules/default.nix
agenix.nixosModules.default
impermanence.nixosModules.impermanence
agenix.nixosModules.default
impermanence.nixosModules.impermanence
home-manager-pick.nixosModules.default
{
home-manager.sharedModules = [
impermanence.nixosModules.home-manager.impermanence
];
}
home-manager-pick.nixosModules.default
{
home-manager.sharedModules = [
impermanence.nixosModules.home-manager.impermanence
];
}
({ config, ... }: {
system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
nixpkgs.overlays = getSystemOverlays config.nixpkgs.hostPlatform.system config.nixpkgs.config;
})
];
};
in
nixpkgs.lib.genAttrs fqdns mkHost;
darwinConfigurations = {
jakehillion-mba-m2-15 = darwin.lib.darwinSystem {
system = "aarch64-darwin";
specialArgs = inputs;
modules = [
./darwin/jakehillion-mba-m2-15/configuration.nix
({ config, ... }: {
nixpkgs.overlays = getSystemOverlays "aarch64-darwin" config.nixpkgs.config;
})
];
};
};
} // flake-utils.lib.eachDefaultSystem (system: {
formatter = nixpkgs.legacyPackages.${system}.nixpkgs-fmt;
});
({ config, ... }: {
system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
nixpkgs.overlays = getSystemOverlays config.nixpkgs.hostPlatform.system config.nixpkgs.config;
})
];
};
in
nixpkgs.lib.genAttrs fqdns mkHost;
} // flake-utils.lib.eachDefaultSystem (system: {
formatter = nixpkgs.legacyPackages.${system}.nixpkgs-fmt;
});
}
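Review bot: `getSystemOverlays = system: nixpkgsConfig: [ ... ]` takes two arguments and uses neither, and `builtins.pathExists ./hosts/${fqdn}/unstable` is evaluated twice to drive two choices that must agree. Bind it once so they cannot drift: `unstable = builtins.pathExists ./hosts/${fqdn}/unstable;` then `func = if unstable then nixpkgs-unstable.lib.nixosSystem else nixpkgs.lib.nixosSystem;` and `home-manager-pick = if unstable then home-manager-unstable else home-manager;`. If the overlay parameters are kept for later use, name them `_system: _config:` so the unused-ness is deliberate rather than accidental.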


@ -24,17 +24,6 @@
];
};
## WiFi
age.secrets."wifi/be.lt.ts.hillion.co.uk".file = ../../secrets/wifi/be.lt.ts.hillion.co.uk.age;
networking.wireless = {
enable = true;
environmentFile = config.age.secrets."wifi/be.lt.ts.hillion.co.uk".path;
networks = {
"Hillion WPA3 Network".psk = "@HILLION_WPA3_NETWORK_PSK@";
};
};
## Desktop
custom.users.jake.password = true;
custom.desktop.awesome.enable = true;


@ -2,6 +2,6 @@
Additional installation step for Clevis/Tang:
$ echo -n $DISK_ENCRYPTION_PASSWORD | clevis encrypt sss "$(cat /etc/nixos/hosts/boron.cx.ts.hillion.co.uk/clevis_config.json)" >/mnt/data/disk_encryption.jwe
$ echo $DISK_ENCRYPTION_PASSWORD | clevis encrypt sss "$(cat /etc/nixos/hosts/boron.cx.ts.hillion.co.uk/clevis_config.json)" >/mnt/data/disk_encryption.jwe
$ sudo chown root:root /mnt/data/disk_encryption.jwe
$ sudo chmod 0400 /mnt/data/disk_encryption.jwe


@ -30,44 +30,28 @@
custom.defaults = true;
## Hardware optimisations
hardware.enableAllFirmware = true;
nix.settings.system-features = [ "nixos-test" "benchmark" "big-parallel" "kvm" "gccarch-znver4" ];
nixpkgs.hostPlatform = {
gcc.arch = "znver4";
gcc.tune = "znver4";
system = builtins.readFile ./system;
};
## Kernel
### Explicitly use the latest kernel at time of writing because the LTS
### kernels available in NixOS do not seem to support this server's very
### modern hardware.
boot.kernelPackages = pkgs.linuxPackages_6_10;
### Apply patch to enable sched_ext which isn't yet available upstream.
boot.kernelPatches = [{
name = "sched_ext";
patch = pkgs.fetchpatch {
url = "https://github.com/sched-ext/scx-kernel-releases/releases/download/v6.10.3-scx1/linux-v6.10.3-scx1.patch.zst";
hash = "sha256-c4UlXsVOHGe0gvL69K9qTMWqCR8as25qwhfNVxCXUTs=";
decode = "${pkgs.zstd}/bin/unzstd";
excludes = [ "Makefile" ];
};
extraConfig = ''
BPF y
BPF_EVENTS y
BPF_JIT y
BPF_SYSCALL y
DEBUG_INFO_BTF y
FTRACE y
SCHED_CLASS_EXT y
'';
}];
boot.kernelPackages = pkgs.linuxPackages_6_8;
## Enable btrfs compression
fileSystems."/data".options = [ "compress=zstd" ];
fileSystems."/nix".options = [ "compress=zstd" ];
## Impermanence
custom.impermanence = {
enable = true;
cache.enable = true;
};
boot.initrd.postDeviceCommands = lib.mkAfter ''
btrfs subvolume delete /cache/system
btrfs subvolume snapshot /cache/empty_snapshot /cache/system
'';
custom.impermanence.enable = true;
## Custom Services
custom = {
@ -101,18 +85,6 @@
fileSystems = [ "/data" ];
};
## General usability
### Make podman available for dev tools such as act
virtualisation = {
containers.enable = true;
podman = {
enable = true;
dockerCompat = true;
dockerSocket.enable = true;
};
};
users.users.jake.extraGroups = [ "podman" ];
## Networking
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = true;
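Review bot: `nixpkgs.hostPlatform.gcc.arch`/`gcc.tune = "znver4"` changes the platform of every derivation, so nothing on this host is served from cache.nixos.org and every package is compiled locally (which is why `gccarch-znver4` has to appear in `nix.settings.system-features`); that is presumably the point of the commit but deserves a comment next to it, e.g. `### znver4 tuning invalidates the binary cache: every package builds from source on this host.` `hardware.enableAllFirmware = true` also pulls in non-redistributable firmware and needs allowUnfree; unless a specific blob is required, `hardware.enableRedistributableFirmware = true` is the narrower choice, though I cannot tell from here which firmware this machine actually needs. `boot.kernelPackages = pkgs.linuxPackages_6_8` pins a non-LTS series that nixpkgs removes once upstream ends it, so a comment saying why the LTS kernel is unsuitable would save the next person a surprise. The enclosing `config = {` block starts and ends outside the hunk.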


@ -18,7 +18,7 @@
{
device = "tmpfs";
fsType = "tmpfs";
options = [ "mode=0755" "size=100%" ];
options = [ "mode=0755" ];
};
fileSystems."/boot" =
@ -35,13 +35,6 @@
options = [ "subvol=data" ];
};
fileSystems."/cache" =
{
device = "/dev/disk/by-uuid/9aebe351-156a-4aa0-9a97-f09b01ac23ad";
fsType = "btrfs";
options = [ "subvol=cache" ];
};
fileSystems."/nix" =
{
device = "/dev/disk/by-uuid/9aebe351-156a-4aa0-9a97-f09b01ac23ad";



@ -2,6 +2,7 @@
{
imports = [
../../modules/spotify/default.nix
./bluetooth.nix
./hardware-configuration.nix
];
@ -29,13 +30,6 @@
];
};
## Enable ZRAM swap to help with root on tmpfs
zramSwap = {
enable = true;
memoryPercent = 200;
algorithm = "zstd";
};
## Desktop
custom.users.jake.password = true;
custom.desktop.awesome.enable = true;
@ -83,6 +77,15 @@
boot.initrd.kernelModules = [ "amdgpu" ];
services.xserver.videoDrivers = [ "amdgpu" ];
## Spotify
home-manager.users.jake.services.spotifyd.settings = {
global = {
device_name = "Gendry";
device_type = "computer";
bitrate = 320;
};
};
users.users."${config.custom.user}" = {
packages = with pkgs; [
prismlauncher


@ -28,10 +28,7 @@
options = [ "subvol=nix" ];
};
boot.initrd.luks.devices."root" = {
device = "/dev/disk/by-uuid/af328e8d-d929-43f1-8d04-1c96b5147e5e";
allowDiscards = true;
};
boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/af328e8d-d929-43f1-8d04-1c96b5147e5e";
fileSystems."/data" =
{


@ -0,0 +1,106 @@
{ config, pkgs, lib, ... }:
{
imports = [
./hardware-configuration.nix
];
config = {
system.stateVersion = "23.05";
networking.hostName = "jorah";
networking.domain = "cx.ts.hillion.co.uk";
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
custom.defaults = true;
## Impermanence
custom.impermanence.enable = true;
## Custom Services
custom = {
locations.autoServe = true;
services = {
gitea.actions = {
enable = true;
tokenSecret = ../../secrets/gitea/actions/jorah.age;
};
};
};
services.nsd.interfaces = [
"95.217.229.104"
"2a01:4f9:4b:3953::2"
];
services.foldingathome = {
enable = true;
user = "JakeH"; # https://stats.foldingathome.org/donor/id/357021
daemonNiceLevel = 19;
};
## Enable ZRAM to help with root on tmpfs
zramSwap = {
enable = true;
memoryPercent = 200;
algorithm = "zstd";
};
## Filesystems
services.btrfs.autoScrub = {
enable = true;
interval = "Tue, 02:00";
# By default both /data and /nix would be scrubbed. They are the same filesystem so this is wasteful.
fileSystems = [ "/data" ];
};
## Networking
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = true;
"net.ipv6.conf.all.forwarding" = true;
};
networking = {
useDHCP = false;
interfaces = {
enp5s0 = {
name = "eth0";
useDHCP = true;
ipv6.addresses = [{
address = "2a01:4f9:4b:3953::2";
prefixLength = 64;
}];
};
};
defaultGateway6 = {
address = "fe80::1";
interface = "eth0";
};
};
networking.firewall = {
trustedInterfaces = [ "tailscale0" ];
allowedTCPPorts = lib.mkForce [ ];
allowedUDPPorts = lib.mkForce [ ];
interfaces = {
eth0 = {
allowedTCPPorts = lib.mkForce [
53 # DNS
];
allowedUDPPorts = lib.mkForce [
53 # DNS
];
};
};
};
## Tailscale
age.secrets."tailscale/jorah.cx.ts.hillion.co.uk".file = ../../secrets/tailscale/jorah.cx.ts.hillion.co.uk.age;
services.tailscale = {
enable = true;
authKeyFile = config.age.secrets."tailscale/jorah.cx.ts.hillion.co.uk".path;
};
};
}
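Review bot: `net.ipv4.ip_forward` and `net.ipv6.conf.all.forwarding` are enabled on a host with public addresses (nsd binds 95.217.229.104 and 2a01:4f9:4b:3953::2) but nothing here says why or limits what gets forwarded, and whether the NixOS firewall filters the forward path on this host is not visible from this file. If forwarding exists for Tailscale subnet routing or exit-node use, say so next to the sysctls: `## Forwarding is required for Tailscale subnet routing; only tailscale0 traffic should be forwarded — confirm the forward chain does not pass eth0<->eth0.` The input side is tight as written: all ports forced empty, only 53/tcp+udp on eth0, tailscale0 trusted. `services.foldingathome` runs a third-party client with outbound network access under its own user, and `daemonNiceLevel` only affects scheduling, so a one-line note that its egress is intentionally allowed would make the exposure explicit.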


@ -0,0 +1,48 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{
device = "tmpfs";
fsType = "tmpfs";
options = [ "mode=0755" ];
};
fileSystems."/nix" =
{
device = "/dev/disk/by-id/nvme-KXG60ZNV512G_TOSHIBA_106S10VHT9LM_1-part2";
fsType = "btrfs";
options = [ "subvol=nix" ];
};
fileSystems."/data" =
{
device = "/dev/disk/by-id/nvme-KXG60ZNV512G_TOSHIBA_106S10VHT9LM_1-part2";
fsType = "btrfs";
options = [ "subvol=data" ];
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/4D7E-8DE8";
fsType = "vfat";
};
swapDevices = [ ];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -0,0 +1 @@
x86_64-linux


@ -59,7 +59,6 @@
5353 # HomeKit
];
allowedTCPPorts = [
1400 # HA Sonos
7654 # Tang
21063 # HomeKit
];


@ -32,14 +32,6 @@
nat.enable = lib.mkForce false;
useDHCP = false;
vlans = {
cameras = {
id = 3;
interface = "eth2";
};
};
interfaces = {
enp1s0 = {
name = "eth0";
@ -64,14 +56,6 @@
}
];
};
cameras /* cameras@eth2 */ = {
ipv4.addresses = [
{
address = "10.133.145.1";
prefixLength = 24;
}
];
};
enp4s0 = { name = "eth3"; };
enp5s0 = { name = "eth4"; };
enp6s0 = { name = "eth5"; };
@ -98,8 +82,8 @@
ip protocol icmp counter accept comment "accept all ICMP types"
iifname { "eth0", "cameras" } ct state { established, related } counter accept
iifname { "eth0", "cameras" } drop
iifname "eth0" ct state { established, related } counter accept
iifname "eth0" drop
}
chain forward {
@ -154,42 +138,12 @@
settings = {
interfaces-config = {
interfaces = [ "eth1" "eth2" "cameras" ];
interfaces = [ "eth1" "eth2" ];
};
lease-database = {
type = "memfile";
persist = true;
name = "/var/lib/kea/dhcp4.leases";
persist = false;
};
option-def = [
{
name = "cookie";
space = "vendor-encapsulated-options-space";
code = 1;
type = "string";
array = false;
}
];
client-classes = [
{
name = "APC";
test = "option[vendor-class-identifier].text == 'APC'";
option-data = [
{
always-send = true;
name = "vendor-encapsulated-options";
}
{
name = "cookie";
space = "vendor-encapsulated-options-space";
code = 1;
data = "1APC";
}
];
}
];
subnet4 = [
{
subnet = "10.64.50.0/24";
@ -211,17 +165,25 @@
data = "10.64.50.1, 1.1.1.1, 8.8.8.8";
}
];
reservations = lib.lists.imap0
(i: el: {
ip-address = "10.64.50.${toString (20 + i)}";
inherit (el) hw-address hostname;
}) [
{ hostname = "tywin"; hw-address = "c8:7f:54:6d:e1:03"; }
{ hostname = "microserver"; hw-address = "e4:5f:01:b4:58:95"; }
{ hostname = "theon"; hw-address = "00:1e:06:49:06:1e"; }
{ hostname = "server-switch"; hw-address = "84:d8:1b:9d:0d:85"; }
{ hostname = "apc-ap7921"; hw-address = "00:c0:b7:6b:f4:34"; }
{ hostname = "sodium"; hw-address = "d8:3a:dd:c3:d6:2b"; }
reservations = [
{
# tywin.storage.ts.hillion.co.uk
hw-address = "c8:7f:54:6d:e1:03";
ip-address = "10.64.50.20";
hostname = "tywin";
}
{
# syncbox
hw-address = "00:1e:06:49:06:1e";
ip-address = "10.64.50.22";
hostname = "syncbox";
}
{
# microserver.home.ts.hillion.co.uk
hw-address = "e4:5f:01:b4:58:95";
ip-address = "10.64.50.21";
hostname = "microserver";
}
];
}
{
@ -259,29 +221,6 @@
}
];
}
{
subnet = "10.133.145.0/24";
interface = "cameras";
pools = [{
pool = "10.133.145.64 - 10.133.145.254";
}];
option-data = [
{
name = "routers";
data = "10.133.145.1";
}
{
name = "broadcast-address";
data = "10.133.145.255";
}
{
name = "domain-name-servers";
data = "1.1.1.1, 8.8.8.8";
}
];
reservations = [
];
}
];
};
};
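Review bot: `ip protocol icmp counter accept comment "accept all ICMP types"` precedes `iifname "eth0" drop` in the input chain, so every ICMPv4 type is accepted from the WAN side, redirects and timestamp requests included; on an internet-facing router the usual shape is to accept only the needed types with a rate limit: `icmp type { echo-request, destination-unreachable, time-exceeded, parameter-problem } limit rate 10/second counter accept`. The chain begins outside the hunk, so I cannot see whether an earlier rule already narrows this. In the Kea block, `persist = false` means the lease database is forgotten on every restart; the reservations cover the fixed hosts, but a dynamic client can be offered an address another client still holds until that client renews, so a comment explaining why persistence is off (or a `name` under /var/lib/kea if leases should survive) would help.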


@ -1,87 +0,0 @@
{ config, pkgs, lib, nixos-hardware, ... }:
{
imports = [
"${nixos-hardware}/raspberry-pi/5/default.nix"
./hardware-configuration.nix
];
config = {
system.stateVersion = "24.05";
networking.hostName = "sodium";
networking.domain = "pop.ts.hillion.co.uk";
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
custom.defaults = true;
## Enable btrfs compression
fileSystems."/data".options = [ "compress=zstd" ];
fileSystems."/nix".options = [ "compress=zstd" ];
## Impermanence
custom.impermanence = {
enable = true;
cache.enable = true;
};
boot.initrd.postDeviceCommands = lib.mkAfter ''
btrfs subvolume delete /cache/tmp
btrfs subvolume snapshot /cache/empty_snapshot /cache/tmp
chmod 1777 /cache/tmp
'';
## CA server
custom.ca.service.enable = true;
### nix only supports build-dir from 2.22. bind mount /tmp to something persistent instead.
fileSystems."/tmp" = {
device = "/cache/tmp";
options = [ "bind" ];
};
# nix = {
# settings = {
# build-dir = "/cache/tmp/";
# };
# };
## Custom Services
custom.locations.autoServe = true;
# Networking
networking = {
useDHCP = false;
interfaces = {
end0 = {
name = "eth0";
useDHCP = true;
};
};
};
networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
networking.firewall = {
trustedInterfaces = [ "tailscale0" ];
allowedTCPPorts = lib.mkForce [
];
allowedUDPPorts = lib.mkForce [ ];
interfaces = {
eth0 = {
allowedTCPPorts = lib.mkForce [
7654 # Tang
];
allowedUDPPorts = lib.mkForce [
];
};
};
};
## Tailscale
age.secrets."tailscale/sodium.pop.ts.hillion.co.uk".file = ../../secrets/tailscale/sodium.pop.ts.hillion.co.uk.age;
services.tailscale = {
enable = true;
authKeyFile = config.age.secrets."tailscale/sodium.pop.ts.hillion.co.uk".path;
};
};
}


@ -1,63 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "usbhid" "usb_storage" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{
device = "tmpfs";
fsType = "tmpfs";
options = [ "mode=0755" ];
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/417B-1063";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
fileSystems."/nix" =
{
device = "/dev/disk/by-uuid/48ae82bd-4d7f-4be6-a9c9-4fcc29d4aac0";
fsType = "btrfs";
options = [ "subvol=nix" ];
};
fileSystems."/data" =
{
device = "/dev/disk/by-uuid/48ae82bd-4d7f-4be6-a9c9-4fcc29d4aac0";
fsType = "btrfs";
options = [ "subvol=data" ];
};
fileSystems."/cache" =
{
device = "/dev/disk/by-uuid/48ae82bd-4d7f-4be6-a9c9-4fcc29d4aac0";
fsType = "btrfs";
options = [ "subvol=cache" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enu1u4.useDHCP = lib.mkDefault true;
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
}


@ -1 +0,0 @@
aarch64-linux


@ -22,7 +22,6 @@
};
## Networking
networking.useNetworkd = true;
systemd.network.enable = true;
networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers


@ -1,7 +0,0 @@
# tywin.storage.ts.hillion.co.uk
Additional installation step for Clevis/Tang:
$ echo -n $DISK_ENCRYPTION_PASSWORD | clevis encrypt sss "$(cat /etc/nixos/hosts/tywin.storage.ts.hillion.co.uk/clevis_config.json)" >/mnt/disk_encryption.jwe
$ sudo chown root:root /mnt/disk_encryption.jwe
$ sudo chmod 0400 /mnt/disk_encryption.jwe


@ -1,14 +0,0 @@
{
"t": 1,
"pins": {
"tang": [
{
"url": "http://10.64.50.21:7654"
},
{
"url": "http://10.64.50.25:7654"
}
]
}
}


@ -15,20 +15,6 @@
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.kernelParams = [
"ip=dhcp"
"zfs.zfs_arc_max=25769803776"
];
boot.initrd = {
availableKernelModules = [ "r8169" ];
network.enable = true;
clevis = {
enable = true;
useTang = true;
devices."root".secretFile = "/disk_encryption.jwe";
};
};
custom.locations.autoServe = true;
custom.defaults = true;
@ -54,6 +40,7 @@
forceImportRoot = false;
extraPools = [ "data" ];
};
boot.kernelParams = [ "zfs.zfs_arc_max=25769803776" ];
services.btrfs.autoScrub = {
enable = true;
@ -218,7 +205,7 @@
enable = true;
openFirewall = true;
keyFile = config.age.secrets."chia/farmer.key".path;
plotDirectories = builtins.genList (i: "/mnt/d${toString i}/plots/contract-k32") 8;
plotDirectories = builtins.genList (i: "/mnt/d${toString i}/plots/contract-k32") 7;
};
## Downloads


@ -20,11 +20,6 @@
fsType = "btrfs";
};
boot.initrd.luks.devices."root" = {
device = "/dev/disk/by-uuid/32837730-5e15-4917-9939-cbb58bb0aabf";
allowDiscards = true;
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/BC57-0AF6";
@ -67,18 +62,6 @@
fsType = "btrfs";
};
fileSystems."/mnt/d6" =
{
device = "/dev/disk/by-uuid/b461e07d-39ab-46b4-b1d1-14c2e0791915";
fsType = "btrfs";
};
fileSystems."/mnt/d7" =
{
device = "/dev/disk/by-uuid/eb8d32d0-e506-449b-8dbc-585ba05c4252";
fsType = "btrfs";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking


@ -1,11 +0,0 @@
# ca
Getting the certificates in the right place is a manual process (for now, at least). This is to keep the most control over the root certificate's key and allow manual cycling. The manual commands should be run on a trusted machine.
Creating a 10 year root certificate:
nix run nixpkgs#step-cli -- certificate create 'Hillion ACME' cert.pem key.pem --kty=EC --curve=P-521 --profile=root-ca --not-after=87600h
Creating the intermediate key:
nix run nixpkgs#step-cli -- certificate create 'Hillion ACME (sodium.pop.ts.hillion.co.uk)' intermediate_cert.pem intermediate_key.pem --kty=EC --curve=P-521 --profile=intermediate-ca --not-after=8760h --ca=$NIXOS_ROOT/modules/ca/cert.pem --ca-key=DOWNLOADED_KEY.pem


@ -1,13 +0,0 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -1,14 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.custom.ca.consumer;
in
{
options.custom.ca.consumer = {
enable = lib.mkEnableOption "ca.service";
};
config = lib.mkIf cfg.enable {
security.pki.certificates = [ (builtins.readFile ./cert.pem) ];
};
}


@ -1,8 +0,0 @@
{ ... }:
{
imports = [
./consumer.nix
./service.nix
];
}


@ -1,45 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.custom.ca.service;
in
{
options.custom.ca.service = {
enable = lib.mkEnableOption "ca.service";
};
config = lib.mkIf cfg.enable {
services.step-ca = {
enable = true;
address = config.custom.dns.tailscale.ipv4;
port = 8443;
intermediatePasswordFile = "/data/system/ca/intermediate.psk";
settings = {
root = ./cert.pem;
crt = "/data/system/ca/intermediate.crt";
key = "/data/system/ca/intermediate.pem";
dnsNames = [ "ca.ts.hillion.co.uk" ];
logger = { format = "text"; };
db = {
type = "badgerv2";
dataSource = "/var/lib/step-ca/db";
};
authority = {
provisioners = [
{
type = "ACME";
name = "acme";
}
];
};
};
};
};
}


@ -46,7 +46,7 @@ in
};
virtualisation.oci-containers.containers.chia = {
image = "ghcr.io/chia-network/chia:2.4.1";
image = "ghcr.io/chia-network/chia:2.2.1";
ports = [ "8444" ];
extraOptions = [
"--uidmap=0:${toString config.users.users.chia.uid}:1"


@ -3,7 +3,6 @@
{
imports = [
./backups/default.nix
./ca/default.nix
./chia.nix
./defaults.nix
./desktop/awesome/default.nix


@ -54,7 +54,6 @@
networking.firewall.enable = true;
# Delegation
custom.ca.consumer.enable = true;
custom.dns.enable = true;
custom.home.defaults = true;
custom.hostinfo.enable = true;


@ -40,6 +40,7 @@ in
ts = {
cx = {
boron = "100.113.188.46";
jorah = "100.96.143.138";
};
home = {
microserver = "100.105.131.47";
@ -47,10 +48,7 @@ in
};
jakehillion-terminals = { gendry = "100.70.100.77"; };
lt = { be = "100.105.166.79"; };
pop = {
li = "100.106.87.35";
sodium = "100.87.188.4";
};
pop = { li = "100.106.87.35"; };
storage = {
theon = "100.104.142.22";
tywin = "100.115.31.91";
@ -67,6 +65,7 @@ in
ts = {
cx = {
boron = "fd7a:115c:a1e0::2a01:bc2f";
jorah = "fd7a:115c:a1e0:ab12:4843:cd96:6260:8f8a";
};
home = {
microserver = "fd7a:115c:a1e0:ab12:4843:cd96:6269:832f";
@ -74,10 +73,7 @@ in
};
jakehillion-terminals = { gendry = "fd7a:115c:a1e0:ab12:4843:cd96:6246:644d"; };
lt = { be = "fd7a:115c:a1e0::9001:a64f"; };
pop = {
li = "fd7a:115c:a1e0::e701:5723";
sodium = "fd7a:115c:a1e0::3701:bc04";
};
pop = { li = "fd7a:115c:a1e0::e701:5723"; };
storage = {
theon = "fd7a:115c:a1e0::4aa8:8e16";
tywin = "fd7a:115c:a1e0:ab12:4843:cd96:6273:1f5b";


@ -8,11 +8,3 @@ bind -n C-k clear-history
bind '"' split-window -c "#{pane_current_path}"
bind % split-window -h -c "#{pane_current_path}"
bind c new-window -c "#{pane_current_path}"
# Start indices at 1 to match keyboard
set -g base-index 1
setw -g pane-base-index 1
# Open a new session when attached to and one isn't open
# Must come after base-index settings
new-session


@ -2,6 +2,7 @@
let
cfg = config.custom.impermanence;
listIf = (enable: x: if enable then x else [ ]);
in
{
options.custom.impermanence = {
@ -11,13 +12,6 @@ in
type = lib.types.str;
default = "/data";
};
cache = {
enable = lib.mkEnableOption "impermanence.cache";
path = lib.mkOption {
type = lib.types.str;
default = "/cache";
};
};
users = lib.mkOption {
type = with lib.types; listOf str;
@ -46,32 +40,18 @@ in
gitea.stateDir = "${cfg.base}/system/var/lib/gitea";
};
environment.persistence = lib.mkMerge [
{
"${cfg.base}/system" = {
hideMounts = true;
environment.persistence."${cfg.base}/system" = {
hideMounts = true;
directories = [
"/etc/nixos"
] ++ (lib.lists.optional config.services.tailscale.enable "/var/lib/tailscale") ++
(lib.lists.optional config.services.zigbee2mqtt.enable config.services.zigbee2mqtt.dataDir) ++
(lib.lists.optional config.services.postgresql.enable config.services.postgresql.dataDir) ++
(lib.lists.optional config.hardware.bluetooth.enable "/var/lib/bluetooth") ++
(lib.lists.optional config.custom.services.unifi.enable "/var/lib/unifi") ++
(lib.lists.optional (config.virtualisation.oci-containers.containers != { }) "/var/lib/containers") ++
(lib.lists.optional config.services.tang.enable "/var/lib/private/tang") ++
(lib.lists.optional config.services.caddy.enable "/var/lib/caddy") ++
(lib.lists.optional config.services.step-ca.enable "/var/lib/step-ca/db");
};
}
(lib.mkIf cfg.cache.enable {
"${cfg.cache.path}/system" = {
hideMounts = true;
directories = (lib.lists.optional config.services.postgresqlBackup.enable config.services.postgresqlBackup.location);
};
})
];
directories = [
"/etc/nixos"
] ++ (listIf config.services.tailscale.enable [ "/var/lib/tailscale" ]) ++
(listIf config.services.zigbee2mqtt.enable [ config.services.zigbee2mqtt.dataDir ]) ++
(listIf config.services.postgresql.enable [ config.services.postgresql.dataDir ]) ++
(listIf config.hardware.bluetooth.enable [ "/var/lib/bluetooth" ]) ++
(listIf config.custom.services.unifi.enable [ "/var/lib/unifi" ]) ++
(listIf (config.virtualisation.oci-containers.containers != { }) [ "/var/lib/containers" ]);
};
home-manager.users =
let
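Review bot: `listIf` re-implements `lib.optionals` (`listIf enable x` is exactly `lib.optionals enable x`), so the helper and its `let` binding can go and each entry becomes e.g. `(lib.optionals config.services.tailscale.enable [ "/var/lib/tailscale" ])`, or `lib.optional config.hardware.bluetooth.enable "/var/lib/bluetooth"` for the single-path cases. Separately, locations.nix lists li and microserver as Tang servers and this persistence list has no entry for Tang's state (`/var/lib/private/tang`); if either of those hosts runs a tmpfs root, its Tang keys would be regenerated on reboot and existing Clevis bindings would stop unlocking — I cannot see from this module whether they are impermanent, so please confirm. The module's `config` block continues outside the hunk.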


@ -19,7 +19,10 @@ in
{
custom.locations.locations = {
services = {
authoritative_dns = [ "boron.cx.ts.hillion.co.uk" ];
authoritative_dns = [
"boron.cx.ts.hillion.co.uk"
"jorah.cx.ts.hillion.co.uk"
];
downloads = "tywin.storage.ts.hillion.co.uk";
gitea = "boron.cx.ts.hillion.co.uk";
homeassistant = "microserver.home.ts.hillion.co.uk";
@ -28,10 +31,9 @@ in
tang = [
"li.pop.ts.hillion.co.uk"
"microserver.home.ts.hillion.co.uk"
"sodium.pop.ts.hillion.co.uk"
];
unifi = "boron.cx.ts.hillion.co.uk";
version_tracker = [ "boron.cx.ts.hillion.co.uk" ];
version_tracker = [ "boron.cx.ts.hillion.co.uk" "jorah.cx.ts.hillion.co.uk" ];
};
};
}


@ -1,4 +1,4 @@
{ pkgs, lib, config, ... }:
{ pkgs, lib, config, nixpkgs-unstable, ... }:
let
cfg = config.custom.resilio;
@ -61,7 +61,5 @@ in
in
builtins.map (folder: mkFolder folder.name folder.secret) cfg.folders;
};
systemd.services.resilio.unitConfig.RequiresMountsFor = builtins.map (folder: "${config.services.resilio.directoryRoot}/${folder.name}") cfg.folders;
};
}


@ -32,7 +32,6 @@ in
86400 NS ns1.hillion.co.uk.
ca 21600 CNAME sodium.pop.ts.hillion.co.uk.
deluge.downloads 21600 CNAME tywin.storage.ts.hillion.co.uk.
graphs.router.home 21600 CNAME router.home.ts.hillion.co.uk.
prowlarr.downloads 21600 CNAME tywin.storage.ts.hillion.co.uk.


@ -29,16 +29,10 @@ in
virtualHosts = builtins.listToAttrs (builtins.map
(x: {
name = "${x}.downloads.ts.hillion.co.uk";
name = "http://${x}.downloads.ts.hillion.co.uk";
value = {
listenAddresses = [ config.custom.dns.tailscale.ipv4 config.custom.dns.tailscale.ipv6 ];
extraConfig = ''
reverse_proxy unix//${cfg.metadataPath}/caddy/caddy.sock
tls {
ca https://ca.ts.hillion.co.uk:8443/acme/acme/directory
}
'';
extraConfig = "reverse_proxy unix//${cfg.metadataPath}/caddy/caddy.sock";
};
}) [ "prowlarr" "sonarr" "radarr" "deluge" ]);
};
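Review bot: The `http://` scheme in `name = "http://${x}.downloads.ts.hillion.co.uk";` on the new side turns off Caddy's automatic HTTPS for these four vhosts, so the prowlarr/sonarr/radarr/deluge UIs and their session cookies travel in plaintext between client and Caddy. The `listenAddresses` line limits them to the tailscale addresses, so the tailnet tunnel becomes the only protection for that traffic in transit; if that is the intended trust boundary, record it beside the name, e.g. `# Plain HTTP on purpose: reachable only on the tailscale addresses below, which already encrypt in transit.` The `virtualHosts` expression opens before and closes after the hunk.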


@ -63,11 +63,6 @@ in
runner = {
capacity = 3;
};
cache = {
enabled = true;
host = "10.108.27.2";
port = 41919;
};
};
};
@ -81,8 +76,6 @@ in
chain output {
type filter hook output priority 100; policy accept;
ct state { established, related } counter accept
ip daddr 10.0.0.0/8 drop
ip daddr 100.64.0.0/10 drop
ip daddr 172.16.0.0/12 drop
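Review bot: The `chain output` rules visible on the new side drop egress to 10.0.0.0/8, 100.64.0.0/10 and 172.16.0.0/12, but 192.168.0.0/16 and link-local 169.254.0.0/16 do not appear in the hunk; if they are not dropped further down the chain, the runner can still reach hosts on those ranges and the private-range egress block is incomplete. Adding `ip daddr 192.168.0.0/16 drop` and `ip daddr 169.254.0.0/16 drop` next to the existing three closes that gap, and the IPv6 counterparts (`ip6 daddr fc00::/7 drop`, `ip6 daddr fe80::/10 drop`) deserve the same check. The chain and the surrounding ruleset continue outside the hunk.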


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }:
{ config, pkgs, lib, nixpkgs-unstable, ... }:
let
cfg = config.custom.services.gitea;
@ -55,7 +55,7 @@ in
services.gitea = {
enable = true;
package = pkgs.unstable.gitea;
package = nixpkgs-unstable.legacyPackages.x86_64-linux.gitea;
mailerPasswordFile = config.age.secrets."gitea/mailer_password".path;
appName = "Hillion Gitea";
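Review bot: `package = nixpkgs-unstable.legacyPackages.x86_64-linux.gitea;` hard-codes the host architecture, so this module builds the wrong package or fails to evaluate on any other system. `pkgs` is already a module argument on the new side of the first hunk, so `package = nixpkgs-unstable.legacyPackages.${pkgs.stdenv.hostPlatform.system}.gitea;` keeps the unstable source while following the host. The `services.gitea` block continues outside the hunk.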


@ -44,20 +44,16 @@ in
"bluetooth"
"default_config"
"esphome"
"flux"
"google_assistant"
"homekit"
"met"
"mobile_app"
"mqtt"
"otp"
"smartthings"
"sonos"
"sun"
"switchbot"
];
customComponents = with pkgs.home-assistant-custom-components; [
adaptive_lighting
];
config = {
default_config = { };
@ -83,9 +79,6 @@ in
report_state = true;
expose_by_default = true;
exposed_domains = [ "light" ];
entity_config = {
"input_boolean.sleep_mode" = { };
};
};
homekit = [{
filter = {
@ -95,19 +88,25 @@ in
bluetooth = { };
adaptive_lighting = {
lights = [
"light.bedroom_lamp"
"light.bedroom_light"
"light.cubby_light"
"light.desk_lamp"
"light.hallway_light"
"light.living_room_lamp"
"light.living_room_light"
"light.wardrobe_light"
];
min_sunset_time = "21:00";
};
switch = [
{
platform = "flux";
start_time = "07:00";
stop_time = "23:59";
mode = "mired";
disable_brightness_adjust = true;
lights = [
"light.bedroom_lamp"
"light.bedroom_light"
"light.cubby_light"
"light.desk_lamp"
"light.hallway_light"
"light.living_room_lamp"
"light.living_room_light"
"light.wardrobe_light"
];
}
];
light = [
{
@ -115,9 +114,12 @@ in
lights = {
bathroom_light = {
unique_id = "87a4cbb5-e5a7-44fd-9f28-fec2d6a62538";
value_template = "{{ false if state_attr('script.bathroom_light_switch_if_on', 'last_triggered') > states.sensor.bathroom_motion_sensor_illuminance_lux.last_reported else states('sensor.bathroom_motion_sensor_illuminance_lux') | int > 500 }}";
value_template = "on";
turn_on = { service = "script.noop"; };
turn_off = { service = "script.bathroom_light_switch_if_on"; };
turn_off = {
service = "switch.turn_on";
entity_id = "switch.bathroom_light";
};
};
};
}
@ -146,13 +148,6 @@ in
}
];
input_boolean = {
sleep_mode = {
name = "Set house to sleep mode";
icon = "mdi:sleep";
};
};
# UI managed expansions
automation = "!include automations.yaml";
script = "!include scripts.yaml";
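Review bot: In the `bathroom_light` template light on the new side, `value_template = "on"` is a constant, so the light always reports as on regardless of the relay, and `turn_off` invoking `switch.turn_on` on `switch.bathroom_light` reads as inverted. If both are deliberate (say the switch is wired as a cut-off, so energising it powers the light down, and the constant keeps the UI control usable), a comment above `value_template` saying exactly that would stop the next reader from "fixing" it. If the switch really is inverted, the state can follow it instead: `value_template = "{{ is_state('switch.bathroom_light', 'off') }}";`. The `lights` attribute set begins and ends outside the hunk.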


@ -41,10 +41,6 @@ in
owner = "matrix-synapse";
group = "matrix-synapse";
};
"matrix/matrix.hillion.co.uk/syncv3_secret" = {
file = ../../secrets/matrix/matrix.hillion.co.uk/syncv3_secret.age;
};
};
services = {
@ -118,15 +114,6 @@ in
};
};
matrix-sliding-sync = {
enable = true;
environmentFile = config.age.secrets."matrix/matrix.hillion.co.uk/syncv3_secret".path;
settings = {
SYNCV3_SERVER = "https://matrix.hillion.co.uk";
SYNCV3_BINDADDR = "[::]:8009";
};
};
heisenbridge = lib.mkIf cfg.heisenbridge {
enable = true;
owner = "@jake:hillion.co.uk";


@ -13,7 +13,6 @@ in
enable = true;
ipAddressAllow = [
"138.201.252.214/32"
"10.64.50.20/32"
];
};
};


@ -10,14 +10,20 @@ in
dataDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/unifi";
readOnly = true; # NixOS module only supports this directory
};
};
config = lib.mkIf cfg.enable {
# Fix dynamically allocated user and group ids
users.users.unifi.uid = config.ids.uids.unifi;
users.groups.unifi.gid = config.ids.gids.unifi;
users.users.unifi = {
uid = config.ids.uids.unifi;
isSystemUser = true;
group = "unifi";
description = "UniFi controller daemon user";
home = "${cfg.dataDir}";
};
users.groups.unifi = {
gid = config.ids.gids.unifi;
};
services.caddy = {
enable = true;
@ -32,9 +38,21 @@ in
};
};
services.unifi = {
enable = true;
unifiPackage = pkgs.unifi8;
virtualisation.oci-containers.containers = {
"unifi" = {
image = "lscr.io/linuxserver/unifi-controller:8.0.24-ls221";
environment = {
PUID = toString config.ids.uids.unifi;
PGID = toString config.ids.gids.unifi;
TZ = "Etc/UTC";
};
volumes = [ "${cfg.dataDir}:/config" ];
ports = [
"8080:8080"
"8443:8443"
"3478:3478/udp"
];
};
};
};
}
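Review bot: The container on the new side is pinned only by the mutable tag `8.0.24-ls221`, so the image that actually runs can change underneath the configuration; pinning by digest as well, `image = "lscr.io/linuxserver/unifi-controller:8.0.24-ls221@sha256:<digest-from-registry>";`, makes the deployment reproducible and auditable. The `ports` entries carry no host address, so 8080, 8443 and 3478/udp are published on every interface and, depending on the OCI backend's forwarding rules, may bypass the host firewall; since `services.caddy` is enabled just above to front the controller, the admin UI at least can be bound to loopback with `"127.0.0.1:8443:8443"` while 8080 (device inform) and 3478/udp (STUN) stay reachable to the access points. The `config` block continues outside the hunk.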


@ -0,0 +1,25 @@
{ config, pkgs, lib, ... }:
{
config.age.secrets."spotify/11132032266" = {
file = ../../secrets/spotify/11132032266.age;
owner = "jake";
};
config.hardware.pulseaudio.enable = true;
config.users.users.jake.extraGroups = [ "audio" ];
config.users.users.jake.packages = with pkgs; [ spotify-tui ];
config.home-manager.users.jake.services.spotifyd = {
enable = true;
settings = {
global = {
username = "11132032266";
password_cmd = "cat ${config.age.secrets."spotify/11132032266".path}";
backend = "pulseaudio";
};
};
};
}
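Review bot: The account id `11132032266` is written out four times (the secret name twice, the `.age` path and `username`), so a change to any one of them silently breaks either the `password_cmd` lookup or the login. A `let spotifyAccount = "11132032266"; in` binding above the attribute set, used as `"spotify/${spotifyAccount}"`, `../../secrets/spotify + "/${spotifyAccount}.age"` and `username = spotifyAccount;`, keeps them in step. Reading the password through `cat` of the agenix path keeps the credential out of the Nix store, which is the right shape and worth a one-line comment so it is not replaced with a literal `password` later.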


@ -43,10 +43,10 @@ in
"dancefloor.dancefloor.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXkGueVYKr2wp/VHo2QLis0kmKtc/Upg3pGoHr6RkzY";
"gendry.jakehillion.terminals.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPXM5aDvNv4MTITXAvJWSS2yvr/mbxJE31tgwJtcl38c";
"homeassistant.homeassistant.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM2ytacl/zYXhgvosvhudsl0zW5eQRHXm9aMqG9adux";
"jorah.cx.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILA9Hp37ljgVRZwjXnTh+XqRuQWk23alOqe7ptwSr2A5";
"li.pop.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQWgcDFL9UZBDKHPiEGepT1Qsc4gz3Pee0/XVHJ6V6u";
"microserver.home.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPOCPqXm5a+vGB6PsJFvjKNgjLhM5MxrwCy6iHGRjXw";
"router.home.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlCj/i2xprN6h0Ik2tthOJQy6Qwq3Ony73+yfbHYTFu";
"sodium.pop.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQmG7v/XrinPmkTU2eIoISuU3+hoV4h60Bmbwd+xDjr";
"theon.storage.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN59psLVu3/sQORA4x3p8H3ei8MCQlcwX5T+k3kBeBMf";
"tywin.storage.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGATsjWO0qZNFp2BhfgDuWi+e/ScMkFxp79N2OZoed1k";
};


@ -33,11 +33,6 @@ in
services.caddy = {
enable = true;
package = pkgs.unstable.caddy;
globalConfig = ''
email acme@hillion.co.uk
'';
virtualHosts = {
"hillion.co.uk".extraConfig = ''
@ -47,10 +42,7 @@ in
header /.well-known/matrix/* Access-Control-Allow-Origin *
respond /.well-known/matrix/server "{\"m.server\": \"matrix.hillion.co.uk:443\"}" 200
respond /.well-known/matrix/client `${builtins.toJSON {
"m.homeserver" = { "base_url" = "https://matrix.hillion.co.uk"; };
"org.matrix.msc3575.proxy" = { "url" = "https://matrix.hillion.co.uk"; };
}}` 200
respond /.well-known/matrix/client `{"m.homeserver":{"base_url":"https://matrix.hillion.co.uk"}}`
respond 404
}
@ -73,7 +65,6 @@ in
reverse_proxy http://${locations.services.gitea}:3000
'';
"matrix.hillion.co.uk".extraConfig = ''
reverse_proxy /_matrix/client/unstable/org.matrix.msc3575/sync http://${locations.services.matrix}:8009
reverse_proxy /_matrix/* http://${locations.services.matrix}:8008
reverse_proxy /_synapse/client/* http://${locations.services.matrix}:8008
'';
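Review bot: With the `globalConfig` block absent from the new side, Caddy's ACME account is created without an `email`, so expiry and revocation notices from the CA have nowhere to go while the `hillion.co.uk`, gitea and matrix virtual hosts below still obtain public certificates. If the contact now lives elsewhere (per-site `tls acme@hillion.co.uk` directives, or a shared snippet), a short comment here saying so would help; otherwise `globalConfig = '' email acme@hillion.co.uk '';` restores it. The `services.caddy` block continues outside the hunk.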


@ -0,0 +1,19 @@
age-encryption.org/v1
-> ssh-rsa GxPFJQ
IULcxHpUsH6OI4cfixNPM89VJNcVkK+Z8IpgjzRspSyKc5N7jox6DYSbcuPsjGs7
aS2JYOKOx4hYW9aL3B+tef2I24+NzMDTCT31g9gvuLA0wSMWBoFwVodPbfj1ekHy
wDUK5XrgyJtFrwTrvuklGYpb/qIEG//k7M/342C9QqfNesv9nULQ6P7+r7jJvxIW
sOo6qWHFqD/wIiwtLYiX3pOWC6m91L1QNGVh+9/t58YU8RLsgLm2+2vyg13mKya1
UktTKZbhgRXyUJb7h+vVgDKjAnwqnIDL8asCSDuoSRDBcCxwgSpTDOxAEn9X2oJx
6S3JLQDhWLlIYrqmVT1aGg
-> ssh-rsa K9mW1w
hbVlu640hhzR9rJi4b+1c+/V+EilbmwWaNzV7/0+a9BQusTf413hffhk8QXvuze8
04LuVctZW5L5B1eOCIeziHc6F5CyAjTsaEDM8SeKGmFjKccjdcSUdbsql87KR5Id
/drK41oNA6NlmWrLz3YaSz7A9F+B5lgsJDWgXhMFK3Hru8+gnBQPXkwT/IuQLWI1
sXhJN/dHrBsQ5Cc+fRO7/r6u3jiQ1DOS85qQHStsYYXqea0pfiu5wpPdGZVuECwa
/R3+ov1JOTK4T3W8TIqOU9ODJxWT697Nv64c8dV3Hq5ymEKkvmZpp1C1/QoCW2EY
Nk7PF5zM95SM/IdECQjJGQ
-> ssh-ed25519 Qo6/7A 3gQq8TrBY/7Evlu+q6awqBFjG9m5b7ED+dolo8CJCE4
JdbLYPo875DQyocjOaVmWQPdgWssuz/T6DJNqgFF020
--- 0si8/IY1PiYgcmtTFDqu0cj7dW6DFqvgirY0tiSZfdA
ûÈA©®¦£Ž®¬(]ý¸7£ÆüùÙÚqp0<70>„5Èc“ý$$æW|ß%`§/uXûɈ\~â!åléedäþDg˜ .<2E>i•]§­§)l>EÌ


@ -1,20 +0,0 @@
age-encryption.org/v1
-> ssh-rsa GxPFJQ
Z3WKcEusrn04hb2zUpEFBHOoqDIaCzMo/jZuOX/eMKPBqTrxcba9ZgxOFE7+yaUi
FJvlQNg5pQn/vaCtHkJWfBXdKiwZ3pIeaqwNcto8EprKLxIAkLjMBMOursz9k41E
0B4NKRyxiQO2kMgjKb9jYzhioan3NG1Loto8RbjbUPlqn/Q0NEsq8Uql0qaM02Ba
zBd1Xt1MFDtemXxzfmeqLMX45F67B8JKFujnXajR7qoRCmzz6kkj6zb+SEE+Nodq
9J/i4rpgwP0B9Zgp9QqnvOBVuLtxPOv/EE+Dp9Ktj1v5SxlJbQoPBiX5pZd5n3/n
dqibdn1Jls57qCs9sHAlDQ
-> ssh-rsa K9mW1w
BMNOK5nTDPSw5wZsdWlpWzbA62WdDmqg3CdiYSA8mDZT5LFHsmZt4azfwvCWnwKh
jvzWsNgASSdCCGk4xzDR8qzVAvcku5IxgQjGWCfa307r8k1RFMF910+QpS0nsckE
voBCvNIbv1Qjg6MKSXIDmmDjeLedL/0WYp7mX2FHQbs2Mau3xHz+l4mW9C6Dlyeu
PdR6IYJxqxDOqQk2FIMYq7vS1JWDo2ntS3XcufUL4V6TeFj1Soauff9/55hqt8Tm
JlUkbHmc/69bsqbr3en1sk6lk7GV7M87tfjGJuhdsMQLY10jFuZfkpewRhCLTEpR
LFooblAploXTZfXkvmoj2A
-> ssh-ed25519 iWiFbA izGiArlZgQMVSnQv/WG7+tBUnk0z/iUHI1TgAf0d5V0
Qw/pUd8y7UNElE9U+VwE7cQhemfPXFhFoiKQya34Bwo
--- FfPFhjvH78/oBzE1tL93Vxm6fV9zsHL3S8aDb3KWA4o
óœ}þŠ lj¿mE_¿9mç}z ¼?ü-Ø9F•]IóãÞØy7uw¼x¼ŠQ3ÅìüqñŠJ„åVº/”º@>°vÊî-G4;Êí1Ñ&@§k® ÍWë+c*ûžìá|#»û˜Èª­³Wy
fC°


@ -14,16 +14,14 @@ let
ts = {
cx = {
boron = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDtcJ7HY/vjtheMV8EN2wlTw1hU53CJebGIeRJcSkzt5 root@boron";
jorah = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILA9Hp37ljgVRZwjXnTh+XqRuQWk23alOqe7ptwSr2A5 root@jorah";
};
home = {
microserver = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPOCPqXm5a+vGB6PsJFvjKNgjLhM5MxrwCy6iHGRjXw root@microserver";
router = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlCj/i2xprN6h0Ik2tthOJQy6Qwq3Ony73+yfbHYTFu root@router";
};
lt = { be = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILV3OSUT+cqFqrFHZGfn7/xi5FW3n1qjUFy8zBbYs2Sm root@be"; };
pop = {
li = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQWgcDFL9UZBDKHPiEGepT1Qsc4gz3Pee0/XVHJ6V6u root@li";
sodium = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQmG7v/XrinPmkTU2eIoISuU3+hoV4h60Bmbwd+xDjr root@sodium";
};
pop = { li = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQWgcDFL9UZBDKHPiEGepT1Qsc4gz3Pee0/XVHJ6V6u root@li"; };
terminals = { jakehillion = { gendry = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPXM5aDvNv4MTITXAvJWSS2yvr/mbxJE31tgwJtcl38c root@gendry"; }; };
storage = {
tywin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGATsjWO0qZNFp2BhfgDuWi+e/ScMkFxp79N2OZoed1k root@tywin";
@ -50,16 +48,13 @@ in
"tailscale/be.lt.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.lt.be ];
"tailscale/boron.cx.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.cx.boron ];
"tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.terminals.jakehillion.gendry ];
"tailscale/jorah.cx.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
"tailscale/microserver.home.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.home.microserver ];
"tailscale/li.pop.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.pop.li ];
"tailscale/router.home.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.home.router ];
"tailscale/sodium.pop.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.pop.sodium ];
"tailscale/theon.storage.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.storage.theon ];
"tailscale/tywin.storage.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.storage.tywin ];
# WiFi Environment Files
"wifi/be.lt.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.lt.be ];
# Resilio Sync Secrets
## Encrypted Resilio Sync Secrets
"resilio/encrypted/dad.age".publicKeys = jake_users ++ [ ];
@ -79,8 +74,6 @@ in
"matrix/matrix.hillion.co.uk/email.age".publicKeys = jake_users ++ [ ts.cx.boron ];
"matrix/matrix.hillion.co.uk/registration_shared_secret.age".publicKeys = jake_users ++ [ ts.cx.boron ];
"matrix/matrix.hillion.co.uk/syncv3_secret.age".publicKeys = jake_users ++ [ ts.cx.boron ];
# Backups Secrets
"restic/128G.age".publicKeys = jake_users ++ [ ts.storage.tywin ts.cx.boron ts.home.microserver ];
"restic/1.6T.age".publicKeys = jake_users ++ [ ts.storage.tywin ts.home.router ];
@ -88,6 +81,9 @@ in
"git/git_backups_ecdsa.age".publicKeys = jake_users ++ [ ts.storage.tywin ];
"git/git_backups_remotes.age".publicKeys = jake_users ++ [ ts.storage.tywin ];
# Spotify Secrets
"spotify/11132032266.age".publicKeys = jake_users ++ [ ts.terminals.jakehillion.gendry ];
# Mastodon Secrets
"mastodon/social.hillion.co.uk/otp_secret_file.age".publicKeys = jake_users ++ [ ];
"mastodon/social.hillion.co.uk/secret_key_base.age".publicKeys = jake_users ++ [ ];
@ -101,7 +97,7 @@ in
"storj/auth.age".publicKeys = jake_users ++ [ ts.storage.tywin ];
# Version tracker secrets
"version_tracker/ssh.key.age".publicKeys = jake_users ++ [ ts.cx.boron ];
"version_tracker/ssh.key.age".publicKeys = jake_users ++ [ ts.cx.boron ts.cx.jorah ];
# Home Automation secrets
"mqtt/zigbee2mqtt.age".publicKeys = jake_users ++ [ ts.home.router ];
@ -121,6 +117,7 @@ in
"gitea/security_internal_token.age".publicKeys = jake_users ++ [ ts.cx.boron ];
"gitea/actions/boron.age".publicKeys = jake_users ++ [ ts.cx.boron ];
"gitea/actions/jorah.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
# HomeAssistant Secrets
"homeassistant/secrets.yaml.age".publicKeys = jake_users ++ [ ts.home.microserver ];

Binary file not shown.


@ -0,0 +1,23 @@
age-encryption.org/v1
-> ssh-rsa GxPFJQ
kqQ9ovZi1Wqf7hz75QB+v8oLr5oRT4Uce7juM+R04CrOOGn1O6DkQtVeFa4Q7Ho0
DTYeaP3jTR8zo7poTI323q8FbQ/dLG4jxBFafDZJZlXGEThVLnhNYqZZSjiCJHma
hUn8nSC0y6AdA+lMn8tvZcaivaYpPtT+bALXtvxZ6rTo+mTbJrVRxPY5FZdmdmCC
Z1h3UFZoyuAO9VWQKtPO3o0Ijh+L7e+TFdRl1YowGB+hvZdJ08AkPXrwIEUMnnMA
+e/FA5HxHgvi6ud8RTcAkaecYt0l/vKDgBON9ESfHIMuS+vNk5GKT7a+ImKmfb4/
o2cSmR8y/+J5z4MEBcj/Vg
-> ssh-rsa K9mW1w
veHh0OpoW3Hnvy9k7NwANMae2StqGcohTI9hfeHNi7mR6wHly1HqOD9U7eijVYIC
qvKJsk7sEO8NyAVqLWqrvdq9bLkgTgsNWQsXbulY8VHhwZMIko9YYIZeJv8Um9Bz
q4QiwJW1KoLItqJNR9c1ZLRfwHaLZwKTThAKMjgt5KFiN5NJYb9CLbAZi4eG1hi0
PsIP/S/dsUKAeN6Bz2JZ4HB0jsvyPiQLr2p4q5nfEKybJEmjOfc9Z7TjwZTNlC0Y
0MKVarhwFqsMIP63gTYZisacAhmsG7DoLFA5eHf0VPa1KjqFait0dG+zuojehMfj
uifZFGahsWaAMg+oq+/Cvg
-> ssh-ed25519 Qo6/7A sLXu4pSLH2lnzLYVzisN9Zl/EW1jL21Km6kPZO0/Zjk
chDyf7Sb5GtSVi3TmfYpwwFbI3PhoOnxS5lRcqQGwyY
-> Y1-grease ,Lz| "Uil>z36 -K
xfFD+uEZIkGkysF3HdMkMbhsPnu+Cnu6o8tT0lq8rdSOn26V6Fj5CZi1muuD7d2c
BLtH1vyQx4M71Hb6PmKu7+s5V9xsJqKxtDqx/6iAc9uZnbmeU27nsA
--- YXh9Kl4PGetzx8qsLJa5gTO3W7UNtio1tXs/HXS271U
Þûa…kž+J+/û€áñ<1A>ÍKÅbÄä‰éù|Ï$MäåÒ{NýÇ]¦ï=ö7Ïß@ƒ<E280BA>(h.ql2 ¢X}]ê,¦'ùN ÙCô!Æ;ØW£±
äû·Dï


@ -1,19 +0,0 @@
age-encryption.org/v1
-> ssh-rsa GxPFJQ
rgebPOZWAkQIqQZn5UywtUzu1ZpEK9yF3wDLl7b76vOLBM8BeE/cud2AgwRe49VM
UfbL+5IInvqvVCtCmciVvDhBp85BLvuB/e6DkWxH+HkKm7/stgXkuaotnbxftLN5
w90Qz8jVgwOSWlpDdW+MACphLBOiDe6oUrcodiQTD+FmA/cH7oEnjaxyElZA4aey
Yw6df7NiMCbh8LitSqLm9YTB6yWlVw6fumpvsVJqW9UPOdTtOEilFT6qrXIMeu10
MEdDkU5FlocDSxYLN1buIRSVb+wtN8eSYrMsOd7zwB/FYWw9fFNbZ/1JFxQKl9SK
w+fHN1jQyOjKpbYELeCdRg
-> ssh-rsa K9mW1w
hAYfQrfwWNmck6t7oDzS/JKd7Gb/j3MMH19kEZ74k2Z/t6j9VgNlo0cLCQCRd29l
NXNwx4H1VLFqP0f0YOIpbeZAPjvLxWODv97ovLWTtokPX9/kDugigqdW59KYcxWB
cbGAJrBm+D7b5uEuVBCWWBAAv8dZ4EajguoBR6u9mkJRDyy55q3JnS8zUoSz/9XK
Ne+pf9Bej2hen5CrFJoIBs3YGL81Tqn9zfI3RsgyncB355aL0bH3FKeeWU/Qm2Eb
fqJroSjNteWp+vqu9RzgrzpRUrZbw+KZL7sssTc0qXTI6UuUrchJ3ku8bOAmYYj+
4GgOgMeY5ne15Xkc0g/U7Q
-> ssh-ed25519 oW6Y8A koK5dt68rm3ItiMLS/D85cL1FyvBFOoOUn2iU431HXk
isWccUR1wymJzBSoNVh+aFMrp1/VS3In6w/kcb1RTSM
--- Askgu9440tsbF855jM94XpINs1fv69fSY/+CchwH/q8
š3 ÌV÷<07>Ôy~ϸtˆ¯ÿÉÏè@öpƒÆࢅ~Ón­°¥Ä ¾âaUUr•1P¤žÓ6W8ÆFÎ<46>Å<EFBFBD>€?ë­7…üÞ&Ü—OŠ×t|œpoË

Binary file not shown.


@ -1,20 +0,0 @@
age-encryption.org/v1
-> ssh-rsa GxPFJQ
j23rAXS9bmi74Aw3K+Ym/+4eajkeddGn0JsT4y7LkM54KZDazHLSpdIY8G4bPEC1
Hmwb6tC/fXjCwxZlR69UcWOhYtGFNQKKe66uO4+LnLHrosppsFNUduk1/yamorxh
foTF1BYstniAO4dkeS+gqU+EozOnpOgnXDjJwQu2az7H0ecTkrdaExVSZefoak2Q
NdiMVzLgx4/jcuNFIQhej9h2RuTZFcYqoxLvpDYhgCHHrZGXT4MpMtpbV/1z0rjE
RZiMsaD0cFUB0xY4ncZu/UYTqDInCmiQ/hT1IpHXo41mJgAoOjxvBuMtT1JLFIPx
eHV8+2B6t6cmvJ94oDb6pA
-> ssh-rsa K9mW1w
nX3geP4iz2iW8cIaiI+gUsf2Me5N5yLVxyp0AZx3mxm+REVeW/3gIs6RFwgVvNz4
O3Rd714c5eufkVb0jaHcnh9xPkhd9JPhDx9ALJebFyDwviQelRucCNkAiFU8cCp0
5CwdTOsa+QoTL0yzkgFch32sEnrmi3NQpMyQdIACFaFyvVl0vd8jOvIrNUqEc1dZ
XL2brlteJ5tDn4+7riShILdrkWUXMt127YtBLk4kzAFq9bem6KR3mxoupoGOMZKM
6erqfETaoGyQYfETg7+/4CSoCOnSw7EgleOQ92Esof2KPiLWqvVVLRYQkajr5atn
QM8pEVHysfP7tYCOw5Pc3Q
-> ssh-ed25519 ikTTQA pS/dHNYcNr5Td/Gd7bzuODNdtg5Z/EOl2ZMkRhWIbxs
7S4TzwwGr20Ar2EHYzF42yK3nKf6k2YAV97URcvtssU
--- aaywXgy4WGMmd1EoyFk/LXbATavqk0N5rrAJ43aHXo0
*¢X%jø gàïP5)ÚKS•=ØøÞa~зR7œ©\>ëŠv¡w°¿8©Ã
Ì•ŠQ±Nx…Lžlã`™÷Ì!ä ¸^Z¥éE¼R·V è\׺ ‰ÚÝ-R°vÞû¾Sgtw M©ÞÓÓç)#8Ã΃óɾn