main
...
boron-nati
Author | SHA1 | Date | |
---|---|---|---|
33a0194ae7 |
@ -11,9 +11,12 @@ jobs:
|
|||||||
flake:
|
flake:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
|
||||||
- uses: DeterminateSystems/nix-installer-action@da36cb69b1c3247ad7a1f931ebfd954a1105ef14 # v14
|
- name: Prepare for Nix installation
|
||||||
- uses: DeterminateSystems/magic-nix-cache-action@87b14cf437d03d37989d87f0fa5ce4f5dc1a330b # v8
|
run: |
|
||||||
|
apt-get update
|
||||||
|
apt-get install -y sudo
|
||||||
|
- uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
|
||||||
- name: lint
|
- name: lint
|
||||||
run: |
|
run: |
|
||||||
nix fmt
|
nix fmt
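Review bot: The `Prepare for Nix installation` step on the new side runs `apt-get update` and `apt-get install -y sudo` without any `sudo` of its own, so it can only succeed when the job already executes as root (normally inside a `container:`), and the job header that would show that lies above this hunk, which starts at line 11 of the file. On a plain `ubuntu-latest` hosted runner, which is what `runs-on` still says, `apt-get` fails with a permission error and `sudo` is already present, so either the runner label is stale or the step is redundant; document the assumption above the step, e.g. `# Runs as root inside the job container; sudo is required by install-nix-action`, or guard it with an `if:`. The third-party actions (`actions/checkout@a5ac7e51…` # v4.1.6, `cachix/install-nix-action@ba0dd844…` # v27) are pinned to full commit SHAs with a version comment, which is the right supply-chain practice — keep the comment in step with the SHA when bumping.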
|
||||||
|
@ -1,27 +0,0 @@
|
|||||||
{ config, pkgs, ... }:
|
|
||||||
|
|
||||||
{
|
|
||||||
config = {
|
|
||||||
system.stateVersion = 4;
|
|
||||||
|
|
||||||
networking.hostName = "jakehillion-mba-m2-15";
|
|
||||||
|
|
||||||
nix = {
|
|
||||||
useDaemon = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
programs.zsh.enable = true;
|
|
||||||
|
|
||||||
security.pam.enableSudoTouchIdAuth = true;
|
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
|
||||||
fd
|
|
||||||
htop
|
|
||||||
mosh
|
|
||||||
neovim
|
|
||||||
nix
|
|
||||||
ripgrep
|
|
||||||
sapling
|
|
||||||
];
|
|
||||||
};
|
|
||||||
}
|
|
69
flake.lock
69
flake.lock
@ -2,9 +2,7 @@
|
|||||||
"nodes": {
|
"nodes": {
|
||||||
"agenix": {
|
"agenix": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"darwin": [
|
"darwin": "darwin",
|
||||||
"darwin"
|
|
||||||
],
|
|
||||||
"home-manager": [
|
"home-manager": [
|
||||||
"home-manager"
|
"home-manager"
|
||||||
],
|
],
|
||||||
@ -14,11 +12,11 @@
|
|||||||
"systems": "systems"
|
"systems": "systems"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1723293904,
|
"lastModified": 1715290355,
|
||||||
"narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
|
"narHash": "sha256-2T7CHTqBXJJ3ZC6R/4TXTcKoXWHcvubKNj9SfomURnw=",
|
||||||
"owner": "ryantm",
|
"owner": "ryantm",
|
||||||
"repo": "agenix",
|
"repo": "agenix",
|
||||||
"rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
|
"rev": "8d37c5bdeade12b6479c85acd133063ab53187a0",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@ -30,19 +28,21 @@
|
|||||||
"darwin": {
|
"darwin": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
|
"agenix",
|
||||||
"nixpkgs"
|
"nixpkgs"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1726188813,
|
"lastModified": 1700795494,
|
||||||
"narHash": "sha256-Vop/VRi6uCiScg/Ic+YlwsdIrLabWUJc57dNczp0eBc=",
|
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
|
||||||
"owner": "lnl7",
|
"owner": "lnl7",
|
||||||
"repo": "nix-darwin",
|
"repo": "nix-darwin",
|
||||||
"rev": "21fe31f26473c180390cfa81e3ea81aca0204c80",
|
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"owner": "lnl7",
|
"owner": "lnl7",
|
||||||
|
"ref": "master",
|
||||||
"repo": "nix-darwin",
|
"repo": "nix-darwin",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
@ -72,16 +72,16 @@
|
|||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1725703823,
|
"lastModified": 1715381426,
|
||||||
"narHash": "sha256-tDgM4d8mLK0Hd6YMB2w1BqMto1XBXADOzPEaLl10VI4=",
|
"narHash": "sha256-wPuqrAQGdv3ISs74nJfGb+Yprm23U/rFpcHFFNWgM94=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "home-manager",
|
"repo": "home-manager",
|
||||||
"rev": "208df2e558b73b6a1f0faec98493cb59a25f62ba",
|
"rev": "ab5542e9dbd13d0100f8baae2bc2d68af901f4b4",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"ref": "release-24.05",
|
"ref": "release-23.11",
|
||||||
"repo": "home-manager",
|
"repo": "home-manager",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
@ -93,11 +93,11 @@
|
|||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1726357542,
|
"lastModified": 1715930644,
|
||||||
"narHash": "sha256-p4OrJL2weh0TRtaeu1fmNYP6+TOp/W2qdaIJxxQay4c=",
|
"narHash": "sha256-W9pyM3/vePxrffHtzlJI6lDS3seANQ+Nqp+i58O46LI=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "home-manager",
|
"repo": "home-manager",
|
||||||
"rev": "e524c57b1fa55d6ca9d8354c6ce1e538d2a1f47f",
|
"rev": "e3ad5108f54177e6520535768ddbf1e6af54b59d",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@ -108,11 +108,11 @@
|
|||||||
},
|
},
|
||||||
"impermanence": {
|
"impermanence": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1725690722,
|
"lastModified": 1708968331,
|
||||||
"narHash": "sha256-4qWg9sNh5g1qPGO6d/GV2ktY+eDikkBTbWSg5/iD2nY=",
|
"narHash": "sha256-VUXLaPusCBvwM3zhGbRIJVeYluh2uWuqtj4WirQ1L9Y=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "impermanence",
|
"repo": "impermanence",
|
||||||
"rev": "63f4d0443e32b0dd7189001ee1894066765d18a5",
|
"rev": "a33ef102a02ce77d3e39c25197664b7a636f9c30",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@ -122,44 +122,29 @@
|
|||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"nixos-hardware": {
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1725885300,
|
|
||||||
"narHash": "sha256-5RLEnou1/GJQl+Wd+Bxaj7QY7FFQ9wjnFq1VNEaxTmc=",
|
|
||||||
"owner": "nixos",
|
|
||||||
"repo": "nixos-hardware",
|
|
||||||
"rev": "166dee4f88a7e3ba1b7a243edb1aca822f00680e",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "nixos",
|
|
||||||
"repo": "nixos-hardware",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1726320982,
|
"lastModified": 1715948915,
|
||||||
"narHash": "sha256-RuVXUwcYwaUeks6h3OLrEmg14z9aFXdWppTWPMTwdQw=",
|
"narHash": "sha256-dxMrggEogQuJQr6f02VAFtsSNtjEPkgxczeiyW7WOQc=",
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "8f7492cce28977fbf8bd12c72af08b1f6c7c3e49",
|
"rev": "bacb8503d3a51d9e9b52e52a1ba45e2c380ad07d",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"ref": "nixos-24.05",
|
"ref": "nixos-23.11",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"nixpkgs-unstable": {
|
"nixpkgs-unstable": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1726243404,
|
"lastModified": 1715787315,
|
||||||
"narHash": "sha256-sjiGsMh+1cWXb53Tecsm4skyFNag33GPbVgCdfj3n9I=",
|
"narHash": "sha256-cYApT0NXJfqBkKcci7D9Kr4CBYZKOQKDYA23q8XNuWg=",
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "345c263f2f53a3710abe117f28a5cb86d0ba4059",
|
"rev": "33d1e753c82ffc557b4a585c77de43d4c922ebb5",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@ -172,12 +157,10 @@
|
|||||||
"root": {
|
"root": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"agenix": "agenix",
|
"agenix": "agenix",
|
||||||
"darwin": "darwin",
|
|
||||||
"flake-utils": "flake-utils",
|
"flake-utils": "flake-utils",
|
||||||
"home-manager": "home-manager",
|
"home-manager": "home-manager",
|
||||||
"home-manager-unstable": "home-manager-unstable",
|
"home-manager-unstable": "home-manager-unstable",
|
||||||
"impermanence": "impermanence",
|
"impermanence": "impermanence",
|
||||||
"nixos-hardware": "nixos-hardware",
|
|
||||||
"nixpkgs": "nixpkgs",
|
"nixpkgs": "nixpkgs",
|
||||||
"nixpkgs-unstable": "nixpkgs-unstable"
|
"nixpkgs-unstable": "nixpkgs-unstable"
|
||||||
}
|
}
|
||||||
|
42
flake.nix
42
flake.nix
@ -1,21 +1,15 @@
|
|||||||
{
|
{
|
||||||
inputs = {
|
inputs = {
|
||||||
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
|
nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
|
||||||
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
|
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
|
||||||
|
|
||||||
nixos-hardware.url = "github:nixos/nixos-hardware";
|
|
||||||
|
|
||||||
flake-utils.url = "github:numtide/flake-utils";
|
flake-utils.url = "github:numtide/flake-utils";
|
||||||
|
|
||||||
darwin.url = "github:lnl7/nix-darwin";
|
|
||||||
darwin.inputs.nixpkgs.follows = "nixpkgs";
|
|
||||||
|
|
||||||
agenix.url = "github:ryantm/agenix";
|
agenix.url = "github:ryantm/agenix";
|
||||||
agenix.inputs.nixpkgs.follows = "nixpkgs";
|
agenix.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
agenix.inputs.darwin.follows = "darwin";
|
|
||||||
agenix.inputs.home-manager.follows = "home-manager";
|
agenix.inputs.home-manager.follows = "home-manager";
|
||||||
|
|
||||||
home-manager.url = "github:nix-community/home-manager/release-24.05";
|
home-manager.url = "github:nix-community/home-manager/release-23.11";
|
||||||
home-manager.inputs.nixpkgs.follows = "nixpkgs";
|
home-manager.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
home-manager-unstable.url = "github:nix-community/home-manager";
|
home-manager-unstable.url = "github:nix-community/home-manager";
|
||||||
home-manager-unstable.inputs.nixpkgs.follows = "nixpkgs-unstable";
|
home-manager-unstable.inputs.nixpkgs.follows = "nixpkgs-unstable";
|
||||||
@ -25,19 +19,15 @@
|
|||||||
|
|
||||||
description = "Hillion Nix flake";
|
description = "Hillion Nix flake";
|
||||||
|
|
||||||
outputs = { self, nixpkgs, nixpkgs-unstable, nixos-hardware, flake-utils, agenix, home-manager, home-manager-unstable, darwin, impermanence, ... }@inputs:
|
outputs = { self, nixpkgs, nixpkgs-unstable, flake-utils, agenix, home-manager, home-manager-unstable, impermanence, ... }@inputs: {
|
||||||
let
|
|
||||||
getSystemOverlays = system: nixpkgsConfig: [
|
|
||||||
(final: prev: {
|
|
||||||
unstable = nixpkgs-unstable.legacyPackages.${prev.system};
|
|
||||||
"storj" = final.callPackage ./pkgs/storj.nix { };
|
|
||||||
})
|
|
||||||
];
|
|
||||||
in
|
|
||||||
{
|
|
||||||
nixosConfigurations =
|
nixosConfigurations =
|
||||||
let
|
let
|
||||||
fqdns = builtins.attrNames (builtins.readDir ./hosts);
|
fqdns = builtins.attrNames (builtins.readDir ./hosts);
|
||||||
|
getSystemOverlays = system: nixpkgsConfig: [
|
||||||
|
(final: prev: {
|
||||||
|
"storj" = final.callPackage ./pkgs/storj.nix { };
|
||||||
|
})
|
||||||
|
];
|
||||||
mkHost = fqdn:
|
mkHost = fqdn:
|
||||||
let
|
let
|
||||||
system = builtins.readFile ./hosts/${fqdn}/system;
|
system = builtins.readFile ./hosts/${fqdn}/system;
|
||||||
@ -69,22 +59,6 @@
|
|||||||
};
|
};
|
||||||
in
|
in
|
||||||
nixpkgs.lib.genAttrs fqdns mkHost;
|
nixpkgs.lib.genAttrs fqdns mkHost;
|
||||||
|
|
||||||
darwinConfigurations = {
|
|
||||||
jakehillion-mba-m2-15 = darwin.lib.darwinSystem {
|
|
||||||
system = "aarch64-darwin";
|
|
||||||
specialArgs = inputs;
|
|
||||||
|
|
||||||
modules = [
|
|
||||||
./darwin/jakehillion-mba-m2-15/configuration.nix
|
|
||||||
|
|
||||||
({ config, ... }: {
|
|
||||||
nixpkgs.overlays = getSystemOverlays "aarch64-darwin" config.nixpkgs.config;
|
|
||||||
})
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
} // flake-utils.lib.eachDefaultSystem (system: {
|
} // flake-utils.lib.eachDefaultSystem (system: {
|
||||||
formatter = nixpkgs.legacyPackages.${system}.nixpkgs-fmt;
|
formatter = nixpkgs.legacyPackages.${system}.nixpkgs-fmt;
|
||||||
});
|
});
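Review bot: The stable inputs on the new side point at `nixos-23.11` and `release-23.11` (L876, L937), and the corresponding lock entries are roughly four months older than the old side's (nixpkgs `lastModified` 1715948915 against 1726320982 in the flake.lock section), so merging this branch as it stands would move every host back to a nixpkgs release that, as far as I know, stopped receiving security updates in mid-2024. If `boron-nati` is simply a stale branch behind `main`, rebase it onto `main` before comparing so the diff shows only the intended change; if the downgrade is deliberate, say why in the commit message and in a comment beside `nixpkgs.url`. The `outputs` function continues past the hunks shown here, so I have not reviewed the rest of it.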
|
||||||
|
@ -24,17 +24,6 @@
|
|||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
## WiFi
|
|
||||||
age.secrets."wifi/be.lt.ts.hillion.co.uk".file = ../../secrets/wifi/be.lt.ts.hillion.co.uk.age;
|
|
||||||
networking.wireless = {
|
|
||||||
enable = true;
|
|
||||||
environmentFile = config.age.secrets."wifi/be.lt.ts.hillion.co.uk".path;
|
|
||||||
|
|
||||||
networks = {
|
|
||||||
"Hillion WPA3 Network".psk = "@HILLION_WPA3_NETWORK_PSK@";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
## Desktop
|
## Desktop
|
||||||
custom.users.jake.password = true;
|
custom.users.jake.password = true;
|
||||||
custom.desktop.awesome.enable = true;
|
custom.desktop.awesome.enable = true;
|
||||||
|
@ -2,6 +2,6 @@
|
|||||||
|
|
||||||
Additional installation step for Clevis/Tang:
|
Additional installation step for Clevis/Tang:
|
||||||
|
|
||||||
$ echo -n $DISK_ENCRYPTION_PASSWORD | clevis encrypt sss "$(cat /etc/nixos/hosts/boron.cx.ts.hillion.co.uk/clevis_config.json)" >/mnt/data/disk_encryption.jwe
|
$ echo $DISK_ENCRYPTION_PASSWORD | clevis encrypt sss "$(cat /etc/nixos/hosts/boron.cx.ts.hillion.co.uk/clevis_config.json)" >/mnt/data/disk_encryption.jwe
|
||||||
$ sudo chown root:root /mnt/data/disk_encryption.jwe
|
$ sudo chown root:root /mnt/data/disk_encryption.jwe
|
||||||
$ sudo chmod 0400 /mnt/data/disk_encryption.jwe
|
$ sudo chmod 0400 /mnt/data/disk_encryption.jwe
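Review bot: `echo $DISK_ENCRYPTION_PASSWORD | clevis encrypt sss …` on the new side seals the passphrase plus a trailing newline, and the unquoted expansion is subject to word splitting and globbing, so a passphrase containing spaces or `*` is altered before encryption; the bytes sealed into the JWE must be exactly what was enrolled in the LUKS keyslot, otherwise the Tang/Clevis unlock fails at boot (or quietly depends on a newline being present in both places). Use `printf '%s' "$DISK_ENCRYPTION_PASSWORD" | clevis encrypt sss "$(cat /etc/nixos/hosts/boron.cx.ts.hillion.co.uk/clevis_config.json)" >/mnt/data/disk_encryption.jwe` and state in the README which form (with or without the newline) was used when the LUKS key was added. Because the `chown`/`chmod 0400` on the next two lines run only after the file has been written, consider `umask 077` first so the JWE is never world-readable even briefly.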
|
||||||
|
@ -30,44 +30,28 @@
|
|||||||
|
|
||||||
custom.defaults = true;
|
custom.defaults = true;
|
||||||
|
|
||||||
|
## Hardware optimisations
|
||||||
|
hardware.enableAllFirmware = true;
|
||||||
|
|
||||||
|
nix.settings.system-features = [ "nixos-test" "benchmark" "big-parallel" "kvm" "gccarch-znver4" ];
|
||||||
|
nixpkgs.hostPlatform = {
|
||||||
|
gcc.arch = "znver4";
|
||||||
|
gcc.tune = "znver4";
|
||||||
|
system = builtins.readFile ./system;
|
||||||
|
};
|
||||||
|
|
||||||
## Kernel
|
## Kernel
|
||||||
### Explicitly use the latest kernel at time of writing because the LTS
|
### Explicitly use the latest kernel at time of writing because the LTS
|
||||||
### kernels available in NixOS do not seem to support this server's very
|
### kernels available in NixOS do not seem to support this server's very
|
||||||
### modern hardware.
|
### modern hardware.
|
||||||
boot.kernelPackages = pkgs.linuxPackages_6_10;
|
boot.kernelPackages = pkgs.linuxPackages_6_8;
|
||||||
### Apply patch to enable sched_ext which isn't yet available upstream.
|
|
||||||
boot.kernelPatches = [{
|
|
||||||
name = "sched_ext";
|
|
||||||
patch = pkgs.fetchpatch {
|
|
||||||
url = "https://github.com/sched-ext/scx-kernel-releases/releases/download/v6.10.3-scx1/linux-v6.10.3-scx1.patch.zst";
|
|
||||||
hash = "sha256-c4UlXsVOHGe0gvL69K9qTMWqCR8as25qwhfNVxCXUTs=";
|
|
||||||
decode = "${pkgs.zstd}/bin/unzstd";
|
|
||||||
excludes = [ "Makefile" ];
|
|
||||||
};
|
|
||||||
extraConfig = ''
|
|
||||||
BPF y
|
|
||||||
BPF_EVENTS y
|
|
||||||
BPF_JIT y
|
|
||||||
BPF_SYSCALL y
|
|
||||||
DEBUG_INFO_BTF y
|
|
||||||
FTRACE y
|
|
||||||
SCHED_CLASS_EXT y
|
|
||||||
'';
|
|
||||||
}];
|
|
||||||
|
|
||||||
## Enable btrfs compression
|
## Enable btrfs compression
|
||||||
fileSystems."/data".options = [ "compress=zstd" ];
|
fileSystems."/data".options = [ "compress=zstd" ];
|
||||||
fileSystems."/nix".options = [ "compress=zstd" ];
|
fileSystems."/nix".options = [ "compress=zstd" ];
|
||||||
|
|
||||||
## Impermanence
|
## Impermanence
|
||||||
custom.impermanence = {
|
custom.impermanence.enable = true;
|
||||||
enable = true;
|
|
||||||
cache.enable = true;
|
|
||||||
};
|
|
||||||
boot.initrd.postDeviceCommands = lib.mkAfter ''
|
|
||||||
btrfs subvolume delete /cache/system
|
|
||||||
btrfs subvolume snapshot /cache/empty_snapshot /cache/system
|
|
||||||
'';
|
|
||||||
|
|
||||||
## Custom Services
|
## Custom Services
|
||||||
custom = {
|
custom = {
|
||||||
@ -101,18 +85,6 @@
|
|||||||
fileSystems = [ "/data" ];
|
fileSystems = [ "/data" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
## General usability
|
|
||||||
### Make podman available for dev tools such as act
|
|
||||||
virtualisation = {
|
|
||||||
containers.enable = true;
|
|
||||||
podman = {
|
|
||||||
enable = true;
|
|
||||||
dockerCompat = true;
|
|
||||||
dockerSocket.enable = true;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
users.users.jake.extraGroups = [ "podman" ];
|
|
||||||
|
|
||||||
## Networking
|
## Networking
|
||||||
boot.kernel.sysctl = {
|
boot.kernel.sysctl = {
|
||||||
"net.ipv4.ip_forward" = true;
|
"net.ipv4.ip_forward" = true;
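Review bot: Setting `nixpkgs.hostPlatform.gcc.arch` and `gcc.tune` to `znver4` (L1292, L1296) changes the platform of every derivation in the closure, so effectively nothing for this host is substituted from cache.nixos.org any more — the kernel, glibc, openssl and everything else are compiled locally on each update, and `nix.settings.system-features` gaining `gccarch-znver4` (L1284) is what lets the local daemon accept those builds. That is a defensible choice, but it turns every security update into a full local rebuild and means the binaries on this host are no longer ones anyone else has reproduced, so it should be stated in the `## Hardware optimisations` comment, e.g. `### NOTE: arch-specific hostPlatform disables binary-cache substitution for the whole closure; every update is a full local build.` Two smaller points: `system = builtins.readFile ./system` keeps a trailing newline if the file has one (the flake uses the same idiom, so presumably the file has none — confirm), and `linuxPackages_6_8` is a non-LTS series whose comment only says it was current "at time of writing" — add the revisit condition, e.g. `### Non-LTS: revisit when 6.8 leaves upstream support or an LTS kernel supports this hardware.` The `custom` attribute set at the end of the first hunk continues outside it.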
|
||||||
|
@ -18,7 +18,7 @@
|
|||||||
{
|
{
|
||||||
device = "tmpfs";
|
device = "tmpfs";
|
||||||
fsType = "tmpfs";
|
fsType = "tmpfs";
|
||||||
options = [ "mode=0755" "size=100%" ];
|
options = [ "mode=0755" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
fileSystems."/boot" =
|
fileSystems."/boot" =
|
||||||
@ -35,13 +35,6 @@
|
|||||||
options = [ "subvol=data" ];
|
options = [ "subvol=data" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
fileSystems."/cache" =
|
|
||||||
{
|
|
||||||
device = "/dev/disk/by-uuid/9aebe351-156a-4aa0-9a97-f09b01ac23ad";
|
|
||||||
fsType = "btrfs";
|
|
||||||
options = [ "subvol=cache" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/nix" =
|
fileSystems."/nix" =
|
||||||
{
|
{
|
||||||
device = "/dev/disk/by-uuid/9aebe351-156a-4aa0-9a97-f09b01ac23ad";
|
device = "/dev/disk/by-uuid/9aebe351-156a-4aa0-9a97-f09b01ac23ad";
|
||||||
|
0
hosts/boron.cx.ts.hillion.co.uk/unstable
Normal file
0
hosts/boron.cx.ts.hillion.co.uk/unstable
Normal file
@ -2,6 +2,7 @@
|
|||||||
|
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
|
../../modules/spotify/default.nix
|
||||||
./bluetooth.nix
|
./bluetooth.nix
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
];
|
];
|
||||||
@ -29,13 +30,6 @@
|
|||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
## Enable ZRAM swap to help with root on tmpfs
|
|
||||||
zramSwap = {
|
|
||||||
enable = true;
|
|
||||||
memoryPercent = 200;
|
|
||||||
algorithm = "zstd";
|
|
||||||
};
|
|
||||||
|
|
||||||
## Desktop
|
## Desktop
|
||||||
custom.users.jake.password = true;
|
custom.users.jake.password = true;
|
||||||
custom.desktop.awesome.enable = true;
|
custom.desktop.awesome.enable = true;
|
||||||
@ -83,6 +77,15 @@
|
|||||||
boot.initrd.kernelModules = [ "amdgpu" ];
|
boot.initrd.kernelModules = [ "amdgpu" ];
|
||||||
services.xserver.videoDrivers = [ "amdgpu" ];
|
services.xserver.videoDrivers = [ "amdgpu" ];
|
||||||
|
|
||||||
|
## Spotify
|
||||||
|
home-manager.users.jake.services.spotifyd.settings = {
|
||||||
|
global = {
|
||||||
|
device_name = "Gendry";
|
||||||
|
device_type = "computer";
|
||||||
|
bitrate = 320;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
users.users."${config.custom.user}" = {
|
users.users."${config.custom.user}" = {
|
||||||
packages = with pkgs; [
|
packages = with pkgs; [
|
||||||
prismlauncher
|
prismlauncher
|
||||||
|
@ -28,10 +28,7 @@
|
|||||||
options = [ "subvol=nix" ];
|
options = [ "subvol=nix" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
boot.initrd.luks.devices."root" = {
|
boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/af328e8d-d929-43f1-8d04-1c96b5147e5e";
|
||||||
device = "/dev/disk/by-uuid/af328e8d-d929-43f1-8d04-1c96b5147e5e";
|
|
||||||
allowDiscards = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/data" =
|
fileSystems."/data" =
|
||||||
{
|
{
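Review bot: The new side declares the LUKS root device without `allowDiscards`, which is the more conservative default — passing TRIM through dm-crypt reveals which blocks are unused and so leaks filesystem layout through the ciphertext — but it also means the SSD is never told which blocks are free, and a deliberate choice like this deserves a one-line comment so the next person does not "fix" it, e.g. `# allowDiscards deliberately off: TRIM through dm-crypt leaks free-space layout; revisit if SSD wear becomes a problem.` If the omission is accidental rather than a hardening decision, note that in the commit message instead. The `fileSystems."/data"` attribute set opened at the end of the hunk continues outside it.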
|
||||||
|
106
hosts/jorah.cx.ts.hillion.co.uk/default.nix
Normal file
106
hosts/jorah.cx.ts.hillion.co.uk/default.nix
Normal file
@ -0,0 +1,106 @@
|
|||||||
|
{ config, pkgs, lib, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
./hardware-configuration.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
config = {
|
||||||
|
system.stateVersion = "23.05";
|
||||||
|
|
||||||
|
networking.hostName = "jorah";
|
||||||
|
networking.domain = "cx.ts.hillion.co.uk";
|
||||||
|
|
||||||
|
boot.loader.systemd-boot.enable = true;
|
||||||
|
boot.loader.efi.canTouchEfiVariables = true;
|
||||||
|
|
||||||
|
custom.defaults = true;
|
||||||
|
|
||||||
|
## Impermanence
|
||||||
|
custom.impermanence.enable = true;
|
||||||
|
|
||||||
|
## Custom Services
|
||||||
|
custom = {
|
||||||
|
locations.autoServe = true;
|
||||||
|
services = {
|
||||||
|
gitea.actions = {
|
||||||
|
enable = true;
|
||||||
|
tokenSecret = ../../secrets/gitea/actions/jorah.age;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.nsd.interfaces = [
|
||||||
|
"95.217.229.104"
|
||||||
|
"2a01:4f9:4b:3953::2"
|
||||||
|
];
|
||||||
|
|
||||||
|
services.foldingathome = {
|
||||||
|
enable = true;
|
||||||
|
user = "JakeH"; # https://stats.foldingathome.org/donor/id/357021
|
||||||
|
daemonNiceLevel = 19;
|
||||||
|
};
|
||||||
|
|
||||||
|
## Enable ZRAM to help with root on tmpfs
|
||||||
|
zramSwap = {
|
||||||
|
enable = true;
|
||||||
|
memoryPercent = 200;
|
||||||
|
algorithm = "zstd";
|
||||||
|
};
|
||||||
|
|
||||||
|
## Filesystems
|
||||||
|
services.btrfs.autoScrub = {
|
||||||
|
enable = true;
|
||||||
|
interval = "Tue, 02:00";
|
||||||
|
# By default both /data and /nix would be scrubbed. They are the same filesystem so this is wasteful.
|
||||||
|
fileSystems = [ "/data" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
## Networking
|
||||||
|
boot.kernel.sysctl = {
|
||||||
|
"net.ipv4.ip_forward" = true;
|
||||||
|
"net.ipv6.conf.all.forwarding" = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
networking = {
|
||||||
|
useDHCP = false;
|
||||||
|
interfaces = {
|
||||||
|
enp5s0 = {
|
||||||
|
name = "eth0";
|
||||||
|
useDHCP = true;
|
||||||
|
ipv6.addresses = [{
|
||||||
|
address = "2a01:4f9:4b:3953::2";
|
||||||
|
prefixLength = 64;
|
||||||
|
}];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
defaultGateway6 = {
|
||||||
|
address = "fe80::1";
|
||||||
|
interface = "eth0";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.firewall = {
|
||||||
|
trustedInterfaces = [ "tailscale0" ];
|
||||||
|
allowedTCPPorts = lib.mkForce [ ];
|
||||||
|
allowedUDPPorts = lib.mkForce [ ];
|
||||||
|
interfaces = {
|
||||||
|
eth0 = {
|
||||||
|
allowedTCPPorts = lib.mkForce [
|
||||||
|
53 # DNS
|
||||||
|
];
|
||||||
|
allowedUDPPorts = lib.mkForce [
|
||||||
|
53 # DNS
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
## Tailscale
|
||||||
|
age.secrets."tailscale/jorah.cx.ts.hillion.co.uk".file = ../../secrets/tailscale/jorah.cx.ts.hillion.co.uk.age;
|
||||||
|
services.tailscale = {
|
||||||
|
enable = true;
|
||||||
|
authKeyFile = config.age.secrets."tailscale/jorah.cx.ts.hillion.co.uk".path;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
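Review bot: `net.ipv4.ip_forward` and `net.ipv6.conf.all.forwarding` are switched on (L2108, L2112) on a host with a public address on eth0 and a fully trusted tailscale0, but nothing in this file constrains what may be forwarded between the two; as far as I know the NixOS firewall module filters only INPUT and leaves forwarded traffic alone unless `networking.firewall.filterForward` (nftables backend) or explicit rules are added. If jorah is meant to be a Tailscale subnet router or exit node, say so in a comment next to the sysctls and add a forward rule set that only accepts traffic entering on tailscale0; if forwarding is not needed here, drop both sysctls. Separately, the Gitea Actions runner (L1973) shares this host with the internet-facing NSD instance (L2000–L2012, port 53 opened on eth0), so the runner's isolation — configured outside this file — decides the blast radius of a malicious workflow; a comment pointing at that module would help. Also note that with `allowedTCPPorts = lib.mkForce [ ]` the only administrative path onto this box is over tailscale0, so a Tailscale outage or node-key expiry leaves only the provider console — worth a comment if intended.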
|
48
hosts/jorah.cx.ts.hillion.co.uk/hardware-configuration.nix
Normal file
48
hosts/jorah.cx.ts.hillion.co.uk/hardware-configuration.nix
Normal file
@ -0,0 +1,48 @@
|
|||||||
|
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||||
|
# and may be overwritten by future invocations. Please make changes
|
||||||
|
# to /etc/nixos/configuration.nix instead.
|
||||||
|
{ config, lib, pkgs, modulesPath, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
imports =
|
||||||
|
[
|
||||||
|
(modulesPath + "/installer/scan/not-detected.nix")
|
||||||
|
];
|
||||||
|
|
||||||
|
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sr_mod" ];
|
||||||
|
boot.initrd.kernelModules = [ ];
|
||||||
|
boot.kernelModules = [ "kvm-amd" ];
|
||||||
|
boot.extraModulePackages = [ ];
|
||||||
|
|
||||||
|
fileSystems."/" =
|
||||||
|
{
|
||||||
|
device = "tmpfs";
|
||||||
|
fsType = "tmpfs";
|
||||||
|
options = [ "mode=0755" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/nix" =
|
||||||
|
{
|
||||||
|
device = "/dev/disk/by-id/nvme-KXG60ZNV512G_TOSHIBA_106S10VHT9LM_1-part2";
|
||||||
|
fsType = "btrfs";
|
||||||
|
options = [ "subvol=nix" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/data" =
|
||||||
|
{
|
||||||
|
device = "/dev/disk/by-id/nvme-KXG60ZNV512G_TOSHIBA_106S10VHT9LM_1-part2";
|
||||||
|
fsType = "btrfs";
|
||||||
|
options = [ "subvol=data" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/boot" =
|
||||||
|
{
|
||||||
|
device = "/dev/disk/by-uuid/4D7E-8DE8";
|
||||||
|
fsType = "vfat";
|
||||||
|
};
|
||||||
|
|
||||||
|
swapDevices = [ ];
|
||||||
|
|
||||||
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
|
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||||
|
}
|
1
hosts/jorah.cx.ts.hillion.co.uk/system
Normal file
1
hosts/jorah.cx.ts.hillion.co.uk/system
Normal file
@ -0,0 +1 @@
|
|||||||
|
x86_64-linux
|
@ -59,7 +59,6 @@
|
|||||||
5353 # HomeKit
|
5353 # HomeKit
|
||||||
];
|
];
|
||||||
allowedTCPPorts = [
|
allowedTCPPorts = [
|
||||||
1400 # HA Sonos
|
|
||||||
7654 # Tang
|
7654 # Tang
|
||||||
21063 # HomeKit
|
21063 # HomeKit
|
||||||
];
|
];
|
||||||
|
@ -32,14 +32,6 @@
|
|||||||
nat.enable = lib.mkForce false;
|
nat.enable = lib.mkForce false;
|
||||||
|
|
||||||
useDHCP = false;
|
useDHCP = false;
|
||||||
|
|
||||||
vlans = {
|
|
||||||
cameras = {
|
|
||||||
id = 3;
|
|
||||||
interface = "eth2";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
interfaces = {
|
interfaces = {
|
||||||
enp1s0 = {
|
enp1s0 = {
|
||||||
name = "eth0";
|
name = "eth0";
|
||||||
@ -64,14 +56,6 @@
|
|||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
cameras /* cameras@eth2 */ = {
|
|
||||||
ipv4.addresses = [
|
|
||||||
{
|
|
||||||
address = "10.133.145.1";
|
|
||||||
prefixLength = 24;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
|
||||||
enp4s0 = { name = "eth3"; };
|
enp4s0 = { name = "eth3"; };
|
||||||
enp5s0 = { name = "eth4"; };
|
enp5s0 = { name = "eth4"; };
|
||||||
enp6s0 = { name = "eth5"; };
|
enp6s0 = { name = "eth5"; };
|
||||||
@ -98,8 +82,8 @@
|
|||||||
|
|
||||||
ip protocol icmp counter accept comment "accept all ICMP types"
|
ip protocol icmp counter accept comment "accept all ICMP types"
|
||||||
|
|
||||||
iifname { "eth0", "cameras" } ct state { established, related } counter accept
|
iifname "eth0" ct state { established, related } counter accept
|
||||||
iifname { "eth0", "cameras" } drop
|
iifname "eth0" drop
|
||||||
}
|
}
|
||||||
|
|
||||||
chain forward {
|
chain forward {
|
||||||
@ -154,42 +138,12 @@
|
|||||||
|
|
||||||
settings = {
|
settings = {
|
||||||
interfaces-config = {
|
interfaces-config = {
|
||||||
interfaces = [ "eth1" "eth2" "cameras" ];
|
interfaces = [ "eth1" "eth2" ];
|
||||||
};
|
};
|
||||||
lease-database = {
|
lease-database = {
|
||||||
type = "memfile";
|
type = "memfile";
|
||||||
persist = true;
|
persist = false;
|
||||||
name = "/var/lib/kea/dhcp4.leases";
|
|
||||||
};
|
};
|
||||||
|
|
||||||
option-def = [
|
|
||||||
{
|
|
||||||
name = "cookie";
|
|
||||||
space = "vendor-encapsulated-options-space";
|
|
||||||
code = 1;
|
|
||||||
type = "string";
|
|
||||||
array = false;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
client-classes = [
|
|
||||||
{
|
|
||||||
name = "APC";
|
|
||||||
test = "option[vendor-class-identifier].text == 'APC'";
|
|
||||||
option-data = [
|
|
||||||
{
|
|
||||||
always-send = true;
|
|
||||||
name = "vendor-encapsulated-options";
|
|
||||||
}
|
|
||||||
{
|
|
||||||
name = "cookie";
|
|
||||||
space = "vendor-encapsulated-options-space";
|
|
||||||
code = 1;
|
|
||||||
data = "1APC";
|
|
||||||
}
|
|
||||||
];
|
|
||||||
}
|
|
||||||
];
|
|
||||||
|
|
||||||
subnet4 = [
|
subnet4 = [
|
||||||
{
|
{
|
||||||
subnet = "10.64.50.0/24";
|
subnet = "10.64.50.0/24";
|
||||||
@ -211,17 +165,25 @@
|
|||||||
data = "10.64.50.1, 1.1.1.1, 8.8.8.8";
|
data = "10.64.50.1, 1.1.1.1, 8.8.8.8";
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
reservations = lib.lists.imap0
|
reservations = [
|
||||||
(i: el: {
|
{
|
||||||
ip-address = "10.64.50.${toString (20 + i)}";
|
# tywin.storage.ts.hillion.co.uk
|
||||||
inherit (el) hw-address hostname;
|
hw-address = "c8:7f:54:6d:e1:03";
|
||||||
}) [
|
ip-address = "10.64.50.20";
|
||||||
{ hostname = "tywin"; hw-address = "c8:7f:54:6d:e1:03"; }
|
hostname = "tywin";
|
||||||
{ hostname = "microserver"; hw-address = "e4:5f:01:b4:58:95"; }
|
}
|
||||||
{ hostname = "theon"; hw-address = "00:1e:06:49:06:1e"; }
|
{
|
||||||
{ hostname = "server-switch"; hw-address = "84:d8:1b:9d:0d:85"; }
|
# syncbox
|
||||||
{ hostname = "apc-ap7921"; hw-address = "00:c0:b7:6b:f4:34"; }
|
hw-address = "00:1e:06:49:06:1e";
|
||||||
{ hostname = "sodium"; hw-address = "d8:3a:dd:c3:d6:2b"; }
|
ip-address = "10.64.50.22";
|
||||||
|
hostname = "syncbox";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
# microserver.home.ts.hillion.co.uk
|
||||||
|
hw-address = "e4:5f:01:b4:58:95";
|
||||||
|
ip-address = "10.64.50.21";
|
||||||
|
hostname = "microserver";
|
||||||
|
}
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
@ -259,29 +221,6 @@
|
|||||||
}
|
}
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
{
|
|
||||||
subnet = "10.133.145.0/24";
|
|
||||||
interface = "cameras";
|
|
||||||
pools = [{
|
|
||||||
pool = "10.133.145.64 - 10.133.145.254";
|
|
||||||
}];
|
|
||||||
option-data = [
|
|
||||||
{
|
|
||||||
name = "routers";
|
|
||||||
data = "10.133.145.1";
|
|
||||||
}
|
|
||||||
{
|
|
||||||
name = "broadcast-address";
|
|
||||||
data = "10.133.145.255";
|
|
||||||
}
|
|
||||||
{
|
|
||||||
name = "domain-name-servers";
|
|
||||||
data = "1.1.1.1, 8.8.8.8";
|
|
||||||
}
|
|
||||||
];
|
|
||||||
reservations = [
|
|
||||||
];
|
|
||||||
}
|
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
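Review bot: `lease-database.persist = false` (L2730) keeps kea's memfile lease table in memory only, so every restart of the service forgets which addresses are currently held; after a restart kea can offer an address that a still-running client holds, and the lease history you would want when tracing an unknown device on the LAN is gone. Unless in-memory leases are deliberate on this host (impermanence, for instance), set `persist = true;` together with an explicit `name = "/var/lib/kea/dhcp4.leases";` on a path that survives reboots, and say why if they are. The enclosing `settings` attribute set (presumably `services.kea.dhcp4.settings`) begins before the hunks shown here, so I have reviewed only the visible parts.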
|
||||||
|
@ -1,87 +0,0 @@
|
|||||||
{ config, pkgs, lib, nixos-hardware, ... }:
|
|
||||||
|
|
||||||
{
|
|
||||||
imports = [
|
|
||||||
"${nixos-hardware}/raspberry-pi/5/default.nix"
|
|
||||||
./hardware-configuration.nix
|
|
||||||
];
|
|
||||||
|
|
||||||
config = {
|
|
||||||
system.stateVersion = "24.05";
|
|
||||||
|
|
||||||
networking.hostName = "sodium";
|
|
||||||
networking.domain = "pop.ts.hillion.co.uk";
|
|
||||||
|
|
||||||
boot.loader.systemd-boot.enable = true;
|
|
||||||
boot.loader.efi.canTouchEfiVariables = true;
|
|
||||||
|
|
||||||
custom.defaults = true;
|
|
||||||
|
|
||||||
## Enable btrfs compression
|
|
||||||
fileSystems."/data".options = [ "compress=zstd" ];
|
|
||||||
fileSystems."/nix".options = [ "compress=zstd" ];
|
|
||||||
|
|
||||||
## Impermanence
|
|
||||||
custom.impermanence = {
|
|
||||||
enable = true;
|
|
||||||
cache.enable = true;
|
|
||||||
};
|
|
||||||
boot.initrd.postDeviceCommands = lib.mkAfter ''
|
|
||||||
btrfs subvolume delete /cache/tmp
|
|
||||||
btrfs subvolume snapshot /cache/empty_snapshot /cache/tmp
|
|
||||||
chmod 1777 /cache/tmp
|
|
||||||
'';
|
|
||||||
|
|
||||||
## CA server
|
|
||||||
custom.ca.service.enable = true;
|
|
||||||
|
|
||||||
### nix only supports build-dir from 2.22. bind mount /tmp to something persistent instead.
|
|
||||||
fileSystems."/tmp" = {
|
|
||||||
device = "/cache/tmp";
|
|
||||||
options = [ "bind" ];
|
|
||||||
};
|
|
||||||
# nix = {
|
|
||||||
# settings = {
|
|
||||||
# build-dir = "/cache/tmp/";
|
|
||||||
# };
|
|
||||||
# };
|
|
||||||
|
|
||||||
## Custom Services
|
|
||||||
custom.locations.autoServe = true;
|
|
||||||
|
|
||||||
# Networking
|
|
||||||
networking = {
|
|
||||||
useDHCP = false;
|
|
||||||
interfaces = {
|
|
||||||
end0 = {
|
|
||||||
name = "eth0";
|
|
||||||
useDHCP = true;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
|
|
||||||
|
|
||||||
networking.firewall = {
|
|
||||||
trustedInterfaces = [ "tailscale0" ];
|
|
||||||
allowedTCPPorts = lib.mkForce [
|
|
||||||
];
|
|
||||||
allowedUDPPorts = lib.mkForce [ ];
|
|
||||||
interfaces = {
|
|
||||||
eth0 = {
|
|
||||||
allowedTCPPorts = lib.mkForce [
|
|
||||||
7654 # Tang
|
|
||||||
];
|
|
||||||
allowedUDPPorts = lib.mkForce [
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
## Tailscale
|
|
||||||
age.secrets."tailscale/sodium.pop.ts.hillion.co.uk".file = ../../secrets/tailscale/sodium.pop.ts.hillion.co.uk.age;
|
|
||||||
services.tailscale = {
|
|
||||||
enable = true;
|
|
||||||
authKeyFile = config.age.secrets."tailscale/sodium.pop.ts.hillion.co.uk".path;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
@ -1,63 +0,0 @@
|
|||||||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
|
||||||
# and may be overwritten by future invocations. Please make changes
|
|
||||||
# to /etc/nixos/configuration.nix instead.
|
|
||||||
{ config, lib, pkgs, modulesPath, ... }:
|
|
||||||
|
|
||||||
{
|
|
||||||
imports =
|
|
||||||
[
|
|
||||||
(modulesPath + "/installer/scan/not-detected.nix")
|
|
||||||
];
|
|
||||||
|
|
||||||
boot.initrd.availableKernelModules = [ "usbhid" "usb_storage" ];
|
|
||||||
boot.initrd.kernelModules = [ ];
|
|
||||||
boot.kernelModules = [ ];
|
|
||||||
boot.extraModulePackages = [ ];
|
|
||||||
|
|
||||||
fileSystems."/" =
|
|
||||||
{
|
|
||||||
device = "tmpfs";
|
|
||||||
fsType = "tmpfs";
|
|
||||||
options = [ "mode=0755" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/boot" =
|
|
||||||
{
|
|
||||||
device = "/dev/disk/by-uuid/417B-1063";
|
|
||||||
fsType = "vfat";
|
|
||||||
options = [ "fmask=0022" "dmask=0022" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/nix" =
|
|
||||||
{
|
|
||||||
device = "/dev/disk/by-uuid/48ae82bd-4d7f-4be6-a9c9-4fcc29d4aac0";
|
|
||||||
fsType = "btrfs";
|
|
||||||
options = [ "subvol=nix" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/data" =
|
|
||||||
{
|
|
||||||
device = "/dev/disk/by-uuid/48ae82bd-4d7f-4be6-a9c9-4fcc29d4aac0";
|
|
||||||
fsType = "btrfs";
|
|
||||||
options = [ "subvol=data" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/cache" =
|
|
||||||
{
|
|
||||||
device = "/dev/disk/by-uuid/48ae82bd-4d7f-4be6-a9c9-4fcc29d4aac0";
|
|
||||||
fsType = "btrfs";
|
|
||||||
options = [ "subvol=cache" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
swapDevices = [ ];
|
|
||||||
|
|
||||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
|
||||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
|
||||||
# still possible to use this option, but it's recommended to use it in conjunction
|
|
||||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
|
||||||
networking.useDHCP = lib.mkDefault true;
|
|
||||||
# networking.interfaces.enu1u4.useDHCP = lib.mkDefault true;
|
|
||||||
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
|
|
||||||
|
|
||||||
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
|
|
||||||
}
|
|
@ -1 +0,0 @@
|
|||||||
aarch64-linux
|
|
@ -22,7 +22,6 @@
|
|||||||
};
|
};
|
||||||
|
|
||||||
## Networking
|
## Networking
|
||||||
networking.useNetworkd = true;
|
|
||||||
systemd.network.enable = true;
|
systemd.network.enable = true;
|
||||||
|
|
||||||
networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
|
networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
|
||||||
|
@ -1,7 +0,0 @@
|
|||||||
# tywin.storage.ts.hillion.co.uk
|
|
||||||
|
|
||||||
Additional installation step for Clevis/Tang:
|
|
||||||
|
|
||||||
$ echo -n $DISK_ENCRYPTION_PASSWORD | clevis encrypt sss "$(cat /etc/nixos/hosts/tywin.storage.ts.hillion.co.uk/clevis_config.json)" >/mnt/disk_encryption.jwe
|
|
||||||
$ sudo chown root:root /mnt/disk_encryption.jwe
|
|
||||||
$ sudo chmod 0400 /mnt/disk_encryption.jwe
|
|
@ -1,14 +0,0 @@
|
|||||||
{
|
|
||||||
"t": 1,
|
|
||||||
"pins": {
|
|
||||||
"tang": [
|
|
||||||
{
|
|
||||||
"url": "http://10.64.50.21:7654"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"url": "http://10.64.50.25:7654"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
@ -15,20 +15,6 @@
|
|||||||
boot.loader.systemd-boot.enable = true;
|
boot.loader.systemd-boot.enable = true;
|
||||||
boot.loader.efi.canTouchEfiVariables = true;
|
boot.loader.efi.canTouchEfiVariables = true;
|
||||||
|
|
||||||
boot.kernelParams = [
|
|
||||||
"ip=dhcp"
|
|
||||||
"zfs.zfs_arc_max=25769803776"
|
|
||||||
];
|
|
||||||
boot.initrd = {
|
|
||||||
availableKernelModules = [ "r8169" ];
|
|
||||||
network.enable = true;
|
|
||||||
clevis = {
|
|
||||||
enable = true;
|
|
||||||
useTang = true;
|
|
||||||
devices."root".secretFile = "/disk_encryption.jwe";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
custom.locations.autoServe = true;
|
custom.locations.autoServe = true;
|
||||||
custom.defaults = true;
|
custom.defaults = true;
|
||||||
|
|
||||||
@ -54,6 +40,7 @@
|
|||||||
forceImportRoot = false;
|
forceImportRoot = false;
|
||||||
extraPools = [ "data" ];
|
extraPools = [ "data" ];
|
||||||
};
|
};
|
||||||
|
boot.kernelParams = [ "zfs.zfs_arc_max=25769803776" ];
|
||||||
|
|
||||||
services.btrfs.autoScrub = {
|
services.btrfs.autoScrub = {
|
||||||
enable = true;
|
enable = true;
|
||||||
@ -218,7 +205,7 @@
|
|||||||
enable = true;
|
enable = true;
|
||||||
openFirewall = true;
|
openFirewall = true;
|
||||||
keyFile = config.age.secrets."chia/farmer.key".path;
|
keyFile = config.age.secrets."chia/farmer.key".path;
|
||||||
plotDirectories = builtins.genList (i: "/mnt/d${toString i}/plots/contract-k32") 8;
|
plotDirectories = builtins.genList (i: "/mnt/d${toString i}/plots/contract-k32") 7;
|
||||||
};
|
};
|
||||||
|
|
||||||
## Downloads
|
## Downloads
|
||||||
|
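Review bot: `plotDirectories = builtins.genList (i: "/mnt/d${toString i}/plots/contract-k32") 7` on the new side still enumerates /mnt/d0 through /mnt/d6, yet the hardware-configuration hunk `@ -67,18 +62,6 @@` later in this compare drops both `fileSystems."/mnt/d6"` and `fileSystems."/mnt/d7"`. If those hunks belong to the same host, the farmer is pointed at an unmounted /mnt/d6 and will read from (or create) a plots directory on the root filesystem; either `6` here or a retained /mnt/d6 mount would make the two agree. Separately, the `boot.kernelParams = [ "zfs.zfs_arc_max=25769803776" ];` added in hunk `@ -54,6 +40,7 @@` would read better as `"zfs.zfs_arc_max=${toString (24 * 1024 * 1024 * 1024)}"` with a short comment naming the 24 GiB intent. The block holding `plotDirectories` starts outside the hunk.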
@ -20,11 +20,6 @@
|
|||||||
fsType = "btrfs";
|
fsType = "btrfs";
|
||||||
};
|
};
|
||||||
|
|
||||||
boot.initrd.luks.devices."root" = {
|
|
||||||
device = "/dev/disk/by-uuid/32837730-5e15-4917-9939-cbb58bb0aabf";
|
|
||||||
allowDiscards = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/boot" =
|
fileSystems."/boot" =
|
||||||
{
|
{
|
||||||
device = "/dev/disk/by-uuid/BC57-0AF6";
|
device = "/dev/disk/by-uuid/BC57-0AF6";
|
||||||
@ -67,18 +62,6 @@
|
|||||||
fsType = "btrfs";
|
fsType = "btrfs";
|
||||||
};
|
};
|
||||||
|
|
||||||
fileSystems."/mnt/d6" =
|
|
||||||
{
|
|
||||||
device = "/dev/disk/by-uuid/b461e07d-39ab-46b4-b1d1-14c2e0791915";
|
|
||||||
fsType = "btrfs";
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/mnt/d7" =
|
|
||||||
{
|
|
||||||
device = "/dev/disk/by-uuid/eb8d32d0-e506-449b-8dbc-585ba05c4252";
|
|
||||||
fsType = "btrfs";
|
|
||||||
};
|
|
||||||
|
|
||||||
swapDevices = [ ];
|
swapDevices = [ ];
|
||||||
|
|
||||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||||
|
@ -1,11 +0,0 @@
|
|||||||
# ca
|
|
||||||
|
|
||||||
Getting the certificates in the right place is a manual process (for now, at least). This is to keep the most control over the root certificate's key and allow manual cycling. The manual commands should be run on a trusted machine.
|
|
||||||
|
|
||||||
Creating a 10 year root certificate:
|
|
||||||
|
|
||||||
nix run nixpkgs#step-cli -- certificate create 'Hillion ACME' cert.pem key.pem --kty=EC --curve=P-521 --profile=root-ca --not-after=87600h
|
|
||||||
|
|
||||||
Creating the intermediate key:
|
|
||||||
|
|
||||||
nix run nixpkgs#step-cli -- certificate create 'Hillion ACME (sodium.pop.ts.hillion.co.uk)' intermediate_cert.pem intermediate_key.pem --kty=EC --curve=P-521 --profile=intermediate-ca --not-after=8760h --ca=$NIXOS_ROOT/modules/ca/cert.pem --ca-key=DOWNLOADED_KEY.pem
|
|
@ -1,13 +0,0 @@
|
|||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIIB+TCCAVqgAwIBAgIQIZdaIUsuJdjnu7DQP1N8oTAKBggqhkjOPQQDBDAXMRUw
|
|
||||||
EwYDVQQDEwxIaWxsaW9uIEFDTUUwHhcNMjQwODAxMjIyMjEwWhcNMzQwNzMwMjIy
|
|
||||||
MjEwWjAXMRUwEwYDVQQDEwxIaWxsaW9uIEFDTUUwgZswEAYHKoZIzj0CAQYFK4EE
|
|
||||||
ACMDgYYABAAJI3z1PrV97EFc1xaENcr6ML1z6xdXTy+ReHtf42nWsw+c3WDKzJ45
|
|
||||||
+xHJ/p2BTOR5+NQ7RGQQ68zmFJnEYTYDogAw6U9YzxxDGlG1HlgnZ9PPmXoF+PFl
|
|
||||||
Zy2WZCiDPx5KDJcjTPzLV3ITt4fl3PMA12BREVeonvrvRLcpVrMfS2b7wKNFMEMw
|
|
||||||
DgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFFBT
|
|
||||||
fMT0uUbS+lVUbGKK8/SZHPISMAoGCCqGSM49BAMEA4GMADCBiAJCAPNIwrQztPrN
|
|
||||||
MaHB3J0lNVODIGwQWblt99vnjqIWOKJhgckBxaElyInsyt8dlnmTCpOCJdY4BA+K
|
|
||||||
Nr87AfwIWdAaAkIBV5i4zXPXVKblGKnmM0FomFSbq2cYE3pmi5BO1StakH1kEHlf
|
|
||||||
vbkdwFgkw2MlARp0Ka3zbWivBG9zjPoZtsL/8tk=
|
|
||||||
-----END CERTIFICATE-----
|
|
@ -1,14 +0,0 @@
|
|||||||
{ config, pkgs, lib, ... }:
|
|
||||||
|
|
||||||
let
|
|
||||||
cfg = config.custom.ca.consumer;
|
|
||||||
in
|
|
||||||
{
|
|
||||||
options.custom.ca.consumer = {
|
|
||||||
enable = lib.mkEnableOption "ca.service";
|
|
||||||
};
|
|
||||||
|
|
||||||
config = lib.mkIf cfg.enable {
|
|
||||||
security.pki.certificates = [ (builtins.readFile ./cert.pem) ];
|
|
||||||
};
|
|
||||||
}
|
|
@ -1,8 +0,0 @@
|
|||||||
{ ... }:
|
|
||||||
|
|
||||||
{
|
|
||||||
imports = [
|
|
||||||
./consumer.nix
|
|
||||||
./service.nix
|
|
||||||
];
|
|
||||||
}
|
|
@ -1,45 +0,0 @@
|
|||||||
{ config, pkgs, lib, ... }:
|
|
||||||
|
|
||||||
let
|
|
||||||
cfg = config.custom.ca.service;
|
|
||||||
in
|
|
||||||
{
|
|
||||||
options.custom.ca.service = {
|
|
||||||
enable = lib.mkEnableOption "ca.service";
|
|
||||||
};
|
|
||||||
|
|
||||||
config = lib.mkIf cfg.enable {
|
|
||||||
services.step-ca = {
|
|
||||||
enable = true;
|
|
||||||
|
|
||||||
address = config.custom.dns.tailscale.ipv4;
|
|
||||||
port = 8443;
|
|
||||||
|
|
||||||
intermediatePasswordFile = "/data/system/ca/intermediate.psk";
|
|
||||||
|
|
||||||
settings = {
|
|
||||||
root = ./cert.pem;
|
|
||||||
crt = "/data/system/ca/intermediate.crt";
|
|
||||||
key = "/data/system/ca/intermediate.pem";
|
|
||||||
|
|
||||||
dnsNames = [ "ca.ts.hillion.co.uk" ];
|
|
||||||
|
|
||||||
logger = { format = "text"; };
|
|
||||||
|
|
||||||
db = {
|
|
||||||
type = "badgerv2";
|
|
||||||
dataSource = "/var/lib/step-ca/db";
|
|
||||||
};
|
|
||||||
|
|
||||||
authority = {
|
|
||||||
provisioners = [
|
|
||||||
{
|
|
||||||
type = "ACME";
|
|
||||||
name = "acme";
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
@ -46,7 +46,7 @@ in
|
|||||||
};
|
};
|
||||||
|
|
||||||
virtualisation.oci-containers.containers.chia = {
|
virtualisation.oci-containers.containers.chia = {
|
||||||
image = "ghcr.io/chia-network/chia:2.4.1";
|
image = "ghcr.io/chia-network/chia:2.2.1";
|
||||||
ports = [ "8444" ];
|
ports = [ "8444" ];
|
||||||
extraOptions = [
|
extraOptions = [
|
||||||
"--uidmap=0:${toString config.users.users.chia.uid}:1"
|
"--uidmap=0:${toString config.users.users.chia.uid}:1"
|
||||||
|
@ -3,7 +3,6 @@
|
|||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
./backups/default.nix
|
./backups/default.nix
|
||||||
./ca/default.nix
|
|
||||||
./chia.nix
|
./chia.nix
|
||||||
./defaults.nix
|
./defaults.nix
|
||||||
./desktop/awesome/default.nix
|
./desktop/awesome/default.nix
|
||||||
|
@ -54,7 +54,6 @@
|
|||||||
networking.firewall.enable = true;
|
networking.firewall.enable = true;
|
||||||
|
|
||||||
# Delegation
|
# Delegation
|
||||||
custom.ca.consumer.enable = true;
|
|
||||||
custom.dns.enable = true;
|
custom.dns.enable = true;
|
||||||
custom.home.defaults = true;
|
custom.home.defaults = true;
|
||||||
custom.hostinfo.enable = true;
|
custom.hostinfo.enable = true;
|
||||||
|
@ -40,6 +40,7 @@ in
|
|||||||
ts = {
|
ts = {
|
||||||
cx = {
|
cx = {
|
||||||
boron = "100.113.188.46";
|
boron = "100.113.188.46";
|
||||||
|
jorah = "100.96.143.138";
|
||||||
};
|
};
|
||||||
home = {
|
home = {
|
||||||
microserver = "100.105.131.47";
|
microserver = "100.105.131.47";
|
||||||
@ -47,10 +48,7 @@ in
|
|||||||
};
|
};
|
||||||
jakehillion-terminals = { gendry = "100.70.100.77"; };
|
jakehillion-terminals = { gendry = "100.70.100.77"; };
|
||||||
lt = { be = "100.105.166.79"; };
|
lt = { be = "100.105.166.79"; };
|
||||||
pop = {
|
pop = { li = "100.106.87.35"; };
|
||||||
li = "100.106.87.35";
|
|
||||||
sodium = "100.87.188.4";
|
|
||||||
};
|
|
||||||
storage = {
|
storage = {
|
||||||
theon = "100.104.142.22";
|
theon = "100.104.142.22";
|
||||||
tywin = "100.115.31.91";
|
tywin = "100.115.31.91";
|
||||||
@ -67,6 +65,7 @@ in
|
|||||||
ts = {
|
ts = {
|
||||||
cx = {
|
cx = {
|
||||||
boron = "fd7a:115c:a1e0::2a01:bc2f";
|
boron = "fd7a:115c:a1e0::2a01:bc2f";
|
||||||
|
jorah = "fd7a:115c:a1e0:ab12:4843:cd96:6260:8f8a";
|
||||||
};
|
};
|
||||||
home = {
|
home = {
|
||||||
microserver = "fd7a:115c:a1e0:ab12:4843:cd96:6269:832f";
|
microserver = "fd7a:115c:a1e0:ab12:4843:cd96:6269:832f";
|
||||||
@ -74,10 +73,7 @@ in
|
|||||||
};
|
};
|
||||||
jakehillion-terminals = { gendry = "fd7a:115c:a1e0:ab12:4843:cd96:6246:644d"; };
|
jakehillion-terminals = { gendry = "fd7a:115c:a1e0:ab12:4843:cd96:6246:644d"; };
|
||||||
lt = { be = "fd7a:115c:a1e0::9001:a64f"; };
|
lt = { be = "fd7a:115c:a1e0::9001:a64f"; };
|
||||||
pop = {
|
pop = { li = "fd7a:115c:a1e0::e701:5723"; };
|
||||||
li = "fd7a:115c:a1e0::e701:5723";
|
|
||||||
sodium = "fd7a:115c:a1e0::3701:bc04";
|
|
||||||
};
|
|
||||||
storage = {
|
storage = {
|
||||||
theon = "fd7a:115c:a1e0::4aa8:8e16";
|
theon = "fd7a:115c:a1e0::4aa8:8e16";
|
||||||
tywin = "fd7a:115c:a1e0:ab12:4843:cd96:6273:1f5b";
|
tywin = "fd7a:115c:a1e0:ab12:4843:cd96:6273:1f5b";
|
||||||
|
@ -8,11 +8,3 @@ bind -n C-k clear-history
|
|||||||
bind '"' split-window -c "#{pane_current_path}"
|
bind '"' split-window -c "#{pane_current_path}"
|
||||||
bind % split-window -h -c "#{pane_current_path}"
|
bind % split-window -h -c "#{pane_current_path}"
|
||||||
bind c new-window -c "#{pane_current_path}"
|
bind c new-window -c "#{pane_current_path}"
|
||||||
|
|
||||||
# Start indices at 1 to match keyboard
|
|
||||||
set -g base-index 1
|
|
||||||
setw -g pane-base-index 1
|
|
||||||
|
|
||||||
# Open a new session when attached to and one isn't open
|
|
||||||
# Must come after base-index settings
|
|
||||||
new-session
|
|
||||||
|
@ -2,6 +2,7 @@
|
|||||||
|
|
||||||
let
|
let
|
||||||
cfg = config.custom.impermanence;
|
cfg = config.custom.impermanence;
|
||||||
|
listIf = (enable: x: if enable then x else [ ]);
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.custom.impermanence = {
|
options.custom.impermanence = {
|
||||||
@ -11,13 +12,6 @@ in
|
|||||||
type = lib.types.str;
|
type = lib.types.str;
|
||||||
default = "/data";
|
default = "/data";
|
||||||
};
|
};
|
||||||
cache = {
|
|
||||||
enable = lib.mkEnableOption "impermanence.cache";
|
|
||||||
path = lib.mkOption {
|
|
||||||
type = lib.types.str;
|
|
||||||
default = "/cache";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
users = lib.mkOption {
|
users = lib.mkOption {
|
||||||
type = with lib.types; listOf str;
|
type = with lib.types; listOf str;
|
||||||
@ -46,32 +40,18 @@ in
|
|||||||
gitea.stateDir = "${cfg.base}/system/var/lib/gitea";
|
gitea.stateDir = "${cfg.base}/system/var/lib/gitea";
|
||||||
};
|
};
|
||||||
|
|
||||||
environment.persistence = lib.mkMerge [
|
environment.persistence."${cfg.base}/system" = {
|
||||||
{
|
|
||||||
"${cfg.base}/system" = {
|
|
||||||
hideMounts = true;
|
hideMounts = true;
|
||||||
|
|
||||||
directories = [
|
directories = [
|
||||||
"/etc/nixos"
|
"/etc/nixos"
|
||||||
] ++ (lib.lists.optional config.services.tailscale.enable "/var/lib/tailscale") ++
|
] ++ (listIf config.services.tailscale.enable [ "/var/lib/tailscale" ]) ++
|
||||||
(lib.lists.optional config.services.zigbee2mqtt.enable config.services.zigbee2mqtt.dataDir) ++
|
(listIf config.services.zigbee2mqtt.enable [ config.services.zigbee2mqtt.dataDir ]) ++
|
||||||
(lib.lists.optional config.services.postgresql.enable config.services.postgresql.dataDir) ++
|
(listIf config.services.postgresql.enable [ config.services.postgresql.dataDir ]) ++
|
||||||
(lib.lists.optional config.hardware.bluetooth.enable "/var/lib/bluetooth") ++
|
(listIf config.hardware.bluetooth.enable [ "/var/lib/bluetooth" ]) ++
|
||||||
(lib.lists.optional config.custom.services.unifi.enable "/var/lib/unifi") ++
|
(listIf config.custom.services.unifi.enable [ "/var/lib/unifi" ]) ++
|
||||||
(lib.lists.optional (config.virtualisation.oci-containers.containers != { }) "/var/lib/containers") ++
|
(listIf (config.virtualisation.oci-containers.containers != { }) [ "/var/lib/containers" ]);
|
||||||
(lib.lists.optional config.services.tang.enable "/var/lib/private/tang") ++
|
|
||||||
(lib.lists.optional config.services.caddy.enable "/var/lib/caddy") ++
|
|
||||||
(lib.lists.optional config.services.step-ca.enable "/var/lib/step-ca/db");
|
|
||||||
};
|
};
|
||||||
}
|
|
||||||
(lib.mkIf cfg.cache.enable {
|
|
||||||
"${cfg.cache.path}/system" = {
|
|
||||||
hideMounts = true;
|
|
||||||
|
|
||||||
directories = (lib.lists.optional config.services.postgresqlBackup.enable config.services.postgresqlBackup.location);
|
|
||||||
};
|
|
||||||
})
|
|
||||||
];
|
|
||||||
|
|
||||||
home-manager.users =
|
home-manager.users =
|
||||||
let
|
let
|
||||||
|
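Review bot: The rewritten `directories` list no longer persists `/var/lib/private/tang`, `/var/lib/caddy` or `/var/lib/step-ca/db` when those services are enabled, so on an impermanent host running Tang (still listed under `locations.services.tang` elsewhere in this compare) the server keys are regenerated at every boot and every Clevis binding that pins them stops unlocking, and Caddy loses its ACME account and certificates and re-issues on each reboot. If dropping step-ca is intended, the tang and caddy entries look like collateral; `(listIf config.services.tang.enable [ "/var/lib/private/tang" ]) ++ (listIf config.services.caddy.enable [ "/var/lib/caddy" ]) ++` keeps them in the new style. On style, `listIf` re-implements `lib.optionals` (`lib.optionals cond list`), the sibling of the `lib.lists.optional` calls this hunk replaces; using the library form avoids a private helper in `let`. The `config` attribute set this list lives in starts before the hunk.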
@ -19,7 +19,10 @@ in
|
|||||||
{
|
{
|
||||||
custom.locations.locations = {
|
custom.locations.locations = {
|
||||||
services = {
|
services = {
|
||||||
authoritative_dns = [ "boron.cx.ts.hillion.co.uk" ];
|
authoritative_dns = [
|
||||||
|
"boron.cx.ts.hillion.co.uk"
|
||||||
|
"jorah.cx.ts.hillion.co.uk"
|
||||||
|
];
|
||||||
downloads = "tywin.storage.ts.hillion.co.uk";
|
downloads = "tywin.storage.ts.hillion.co.uk";
|
||||||
gitea = "boron.cx.ts.hillion.co.uk";
|
gitea = "boron.cx.ts.hillion.co.uk";
|
||||||
homeassistant = "microserver.home.ts.hillion.co.uk";
|
homeassistant = "microserver.home.ts.hillion.co.uk";
|
||||||
@ -28,10 +31,9 @@ in
|
|||||||
tang = [
|
tang = [
|
||||||
"li.pop.ts.hillion.co.uk"
|
"li.pop.ts.hillion.co.uk"
|
||||||
"microserver.home.ts.hillion.co.uk"
|
"microserver.home.ts.hillion.co.uk"
|
||||||
"sodium.pop.ts.hillion.co.uk"
|
|
||||||
];
|
];
|
||||||
unifi = "boron.cx.ts.hillion.co.uk";
|
unifi = "boron.cx.ts.hillion.co.uk";
|
||||||
version_tracker = [ "boron.cx.ts.hillion.co.uk" ];
|
version_tracker = [ "boron.cx.ts.hillion.co.uk" "jorah.cx.ts.hillion.co.uk" ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
{ pkgs, lib, config, ... }:
|
{ pkgs, lib, config, nixpkgs-unstable, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
cfg = config.custom.resilio;
|
cfg = config.custom.resilio;
|
||||||
@ -61,7 +61,5 @@ in
|
|||||||
in
|
in
|
||||||
builtins.map (folder: mkFolder folder.name folder.secret) cfg.folders;
|
builtins.map (folder: mkFolder folder.name folder.secret) cfg.folders;
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.resilio.unitConfig.RequiresMountsFor = builtins.map (folder: "${config.services.resilio.directoryRoot}/${folder.name}") cfg.folders;
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
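Review bot: With `systemd.services.resilio.unitConfig.RequiresMountsFor` gone, nothing orders the resilio unit after the mounts under `config.services.resilio.directoryRoot`, so on a host whose sync folders live on a separately mounted filesystem the service can start first and sync into the empty mount point on the root filesystem. If the ordering is no longer needed because the folders always sit on the root filesystem, a one-line comment at that spot saying so would stop the next reader from re-adding it; otherwise the removed line is the minimal fix. The `nixpkgs-unstable` argument added to the module signature in hunk `@ -1,4 +1,4 @@` is not used within either hunk; fine if it is consumed elsewhere in the file, but worth confirming it is not a leftover. The enclosing `config` block starts outside the hunk.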
@ -32,7 +32,6 @@ in
|
|||||||
|
|
||||||
86400 NS ns1.hillion.co.uk.
|
86400 NS ns1.hillion.co.uk.
|
||||||
|
|
||||||
ca 21600 CNAME sodium.pop.ts.hillion.co.uk.
|
|
||||||
deluge.downloads 21600 CNAME tywin.storage.ts.hillion.co.uk.
|
deluge.downloads 21600 CNAME tywin.storage.ts.hillion.co.uk.
|
||||||
graphs.router.home 21600 CNAME router.home.ts.hillion.co.uk.
|
graphs.router.home 21600 CNAME router.home.ts.hillion.co.uk.
|
||||||
prowlarr.downloads 21600 CNAME tywin.storage.ts.hillion.co.uk.
|
prowlarr.downloads 21600 CNAME tywin.storage.ts.hillion.co.uk.
|
||||||
|
@ -29,16 +29,10 @@ in
|
|||||||
|
|
||||||
virtualHosts = builtins.listToAttrs (builtins.map
|
virtualHosts = builtins.listToAttrs (builtins.map
|
||||||
(x: {
|
(x: {
|
||||||
name = "${x}.downloads.ts.hillion.co.uk";
|
name = "http://${x}.downloads.ts.hillion.co.uk";
|
||||||
value = {
|
value = {
|
||||||
listenAddresses = [ config.custom.dns.tailscale.ipv4 config.custom.dns.tailscale.ipv6 ];
|
listenAddresses = [ config.custom.dns.tailscale.ipv4 config.custom.dns.tailscale.ipv6 ];
|
||||||
extraConfig = ''
|
extraConfig = "reverse_proxy unix//${cfg.metadataPath}/caddy/caddy.sock";
|
||||||
reverse_proxy unix//${cfg.metadataPath}/caddy/caddy.sock
|
|
||||||
|
|
||||||
tls {
|
|
||||||
ca https://ca.ts.hillion.co.uk:8443/acme/acme/directory
|
|
||||||
}
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
}) [ "prowlarr" "sonarr" "radarr" "deluge" ]);
|
}) [ "prowlarr" "sonarr" "radarr" "deluge" ]);
|
||||||
};
|
};
|
||||||
|
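Review bot: Prefixing the site name with `http://` turns off Caddy's automatic TLS for the four downloads vhosts, so `prowlarr`, `sonarr`, `radarr` and `deluge` sessions and their login cookies now cross the host in cleartext; the `listenAddresses` restricted to the Tailscale addresses mean the wire itself is still WireGuard-encrypted, so the exposure is limited to processes on the host. If this is the intended trade-off now that the internal CA is removed, a comment such as `# http only: reachable solely over Tailscale, no internal CA left to issue certificates` at the `name` line records it; otherwise the former `tls { ca … }` block can be replaced by `tls internal` to keep the listener encrypted with Caddy's self-managed CA. The enclosing `services.caddy` block begins outside the hunk.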
@ -63,11 +63,6 @@ in
|
|||||||
runner = {
|
runner = {
|
||||||
capacity = 3;
|
capacity = 3;
|
||||||
};
|
};
|
||||||
cache = {
|
|
||||||
enabled = true;
|
|
||||||
host = "10.108.27.2";
|
|
||||||
port = 41919;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -81,8 +76,6 @@ in
|
|||||||
chain output {
|
chain output {
|
||||||
type filter hook output priority 100; policy accept;
|
type filter hook output priority 100; policy accept;
|
||||||
|
|
||||||
ct state { established, related } counter accept
|
|
||||||
|
|
||||||
ip daddr 10.0.0.0/8 drop
|
ip daddr 10.0.0.0/8 drop
|
||||||
ip daddr 100.64.0.0/10 drop
|
ip daddr 100.64.0.0/10 drop
|
||||||
ip daddr 172.16.0.0/12 drop
|
ip daddr 172.16.0.0/12 drop
|
||||||
|
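Review bot: Removing `ct state { established, related } counter accept` from `chain output` means replies to connections initiated toward this host from 10.0.0.0/8, 100.64.0.0/10 or 172.16.0.0/12 are now dropped by the `ip daddr … drop` rules that follow, not only new outbound connections into those ranges. If the ruleset is scoped to the runner and meant purely as egress isolation that may be intentional, but if it applies to the whole host it also breaks inbound access from Tailscale (100.64.0.0/10) to anything served there. Either restore the accept, or document the intent with `# egress-only isolation: replies toward private ranges are dropped on purpose` above the drop rules. The `output` chain and the ruleset string begin outside the hunk.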
@ -1,4 +1,4 @@
|
|||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, nixpkgs-unstable, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
cfg = config.custom.services.gitea;
|
cfg = config.custom.services.gitea;
|
||||||
@ -55,7 +55,7 @@ in
|
|||||||
|
|
||||||
services.gitea = {
|
services.gitea = {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = pkgs.unstable.gitea;
|
package = nixpkgs-unstable.legacyPackages.x86_64-linux.gitea;
|
||||||
mailerPasswordFile = config.age.secrets."gitea/mailer_password".path;
|
mailerPasswordFile = config.age.secrets."gitea/mailer_password".path;
|
||||||
|
|
||||||
appName = "Hillion Gitea";
|
appName = "Hillion Gitea";
|
||||||
|
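Review bot: `package = nixpkgs-unstable.legacyPackages.x86_64-linux.gitea;` hard-codes the platform, so any non-x86_64 host that enables this module is handed an x86_64 build, whereas the `pkgs.unstable.gitea` it replaces was resolved for the evaluating system; this repository does contain aarch64 hosts (the deleted hardware-configuration in this compare sets `nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"`). Prefer `package = nixpkgs-unstable.legacyPackages.${pkgs.stdenv.hostPlatform.system}.gitea;` so the attribute follows the host. The `services.gitea` block starts and ends outside the hunk.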
@ -44,20 +44,16 @@ in
|
|||||||
"bluetooth"
|
"bluetooth"
|
||||||
"default_config"
|
"default_config"
|
||||||
"esphome"
|
"esphome"
|
||||||
|
"flux"
|
||||||
"google_assistant"
|
"google_assistant"
|
||||||
"homekit"
|
"homekit"
|
||||||
"met"
|
"met"
|
||||||
"mobile_app"
|
"mobile_app"
|
||||||
"mqtt"
|
"mqtt"
|
||||||
"otp"
|
"otp"
|
||||||
"smartthings"
|
|
||||||
"sonos"
|
|
||||||
"sun"
|
"sun"
|
||||||
"switchbot"
|
"switchbot"
|
||||||
];
|
];
|
||||||
customComponents = with pkgs.home-assistant-custom-components; [
|
|
||||||
adaptive_lighting
|
|
||||||
];
|
|
||||||
|
|
||||||
config = {
|
config = {
|
||||||
default_config = { };
|
default_config = { };
|
||||||
@ -83,9 +79,6 @@ in
|
|||||||
report_state = true;
|
report_state = true;
|
||||||
expose_by_default = true;
|
expose_by_default = true;
|
||||||
exposed_domains = [ "light" ];
|
exposed_domains = [ "light" ];
|
||||||
entity_config = {
|
|
||||||
"input_boolean.sleep_mode" = { };
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
homekit = [{
|
homekit = [{
|
||||||
filter = {
|
filter = {
|
||||||
@ -95,7 +88,13 @@ in
|
|||||||
|
|
||||||
bluetooth = { };
|
bluetooth = { };
|
||||||
|
|
||||||
adaptive_lighting = {
|
switch = [
|
||||||
|
{
|
||||||
|
platform = "flux";
|
||||||
|
start_time = "07:00";
|
||||||
|
stop_time = "23:59";
|
||||||
|
mode = "mired";
|
||||||
|
disable_brightness_adjust = true;
|
||||||
lights = [
|
lights = [
|
||||||
"light.bedroom_lamp"
|
"light.bedroom_lamp"
|
||||||
"light.bedroom_light"
|
"light.bedroom_light"
|
||||||
@ -106,8 +105,8 @@ in
|
|||||||
"light.living_room_light"
|
"light.living_room_light"
|
||||||
"light.wardrobe_light"
|
"light.wardrobe_light"
|
||||||
];
|
];
|
||||||
min_sunset_time = "21:00";
|
}
|
||||||
};
|
];
|
||||||
|
|
||||||
light = [
|
light = [
|
||||||
{
|
{
|
||||||
@ -115,9 +114,12 @@ in
|
|||||||
lights = {
|
lights = {
|
||||||
bathroom_light = {
|
bathroom_light = {
|
||||||
unique_id = "87a4cbb5-e5a7-44fd-9f28-fec2d6a62538";
|
unique_id = "87a4cbb5-e5a7-44fd-9f28-fec2d6a62538";
|
||||||
value_template = "{{ false if state_attr('script.bathroom_light_switch_if_on', 'last_triggered') > states.sensor.bathroom_motion_sensor_illuminance_lux.last_reported else states('sensor.bathroom_motion_sensor_illuminance_lux') | int > 500 }}";
|
value_template = "on";
|
||||||
turn_on = { service = "script.noop"; };
|
turn_on = { service = "script.noop"; };
|
||||||
turn_off = { service = "script.bathroom_light_switch_if_on"; };
|
turn_off = {
|
||||||
|
service = "switch.turn_on";
|
||||||
|
entity_id = "switch.bathroom_light";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
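Review bot: The template light `bathroom_light` now has `value_template = "on"`, so it always reports on, while its `turn_off` action calls `switch.turn_on` on `switch.bathroom_light`; an entity that reports on unconditionally and asserts a switch when asked to turn off reads as an inversion bug unless the switch is wired so that "on" cuts the light. If this is deliberate, a comment at the `turn_off` line explaining why turning the light off asserts the switch would prevent it from being "fixed" later; if not, `switch.turn_off` is the likely intent. The `lights` attribute set starts outside the hunk.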
@ -146,13 +148,6 @@ in
|
|||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
input_boolean = {
|
|
||||||
sleep_mode = {
|
|
||||||
name = "Set house to sleep mode";
|
|
||||||
icon = "mdi:sleep";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
# UI managed expansions
|
# UI managed expansions
|
||||||
automation = "!include automations.yaml";
|
automation = "!include automations.yaml";
|
||||||
script = "!include scripts.yaml";
|
script = "!include scripts.yaml";
|
||||||
|
@ -41,10 +41,6 @@ in
|
|||||||
owner = "matrix-synapse";
|
owner = "matrix-synapse";
|
||||||
group = "matrix-synapse";
|
group = "matrix-synapse";
|
||||||
};
|
};
|
||||||
|
|
||||||
"matrix/matrix.hillion.co.uk/syncv3_secret" = {
|
|
||||||
file = ../../secrets/matrix/matrix.hillion.co.uk/syncv3_secret.age;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
services = {
|
services = {
|
||||||
@ -118,15 +114,6 @@ in
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
matrix-sliding-sync = {
|
|
||||||
enable = true;
|
|
||||||
environmentFile = config.age.secrets."matrix/matrix.hillion.co.uk/syncv3_secret".path;
|
|
||||||
settings = {
|
|
||||||
SYNCV3_SERVER = "https://matrix.hillion.co.uk";
|
|
||||||
SYNCV3_BINDADDR = "[::]:8009";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
heisenbridge = lib.mkIf cfg.heisenbridge {
|
heisenbridge = lib.mkIf cfg.heisenbridge {
|
||||||
enable = true;
|
enable = true;
|
||||||
owner = "@jake:hillion.co.uk";
|
owner = "@jake:hillion.co.uk";
|
||||||
|
@ -13,7 +13,6 @@ in
|
|||||||
enable = true;
|
enable = true;
|
||||||
ipAddressAllow = [
|
ipAddressAllow = [
|
||||||
"138.201.252.214/32"
|
"138.201.252.214/32"
|
||||||
"10.64.50.20/32"
|
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -10,14 +10,20 @@ in
|
|||||||
dataDir = lib.mkOption {
|
dataDir = lib.mkOption {
|
||||||
type = lib.types.str;
|
type = lib.types.str;
|
||||||
default = "/var/lib/unifi";
|
default = "/var/lib/unifi";
|
||||||
readOnly = true; # NixOS module only supports this directory
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = lib.mkIf cfg.enable {
|
config = lib.mkIf cfg.enable {
|
||||||
# Fix dynamically allocated user and group ids
|
users.users.unifi = {
|
||||||
users.users.unifi.uid = config.ids.uids.unifi;
|
uid = config.ids.uids.unifi;
|
||||||
users.groups.unifi.gid = config.ids.gids.unifi;
|
isSystemUser = true;
|
||||||
|
group = "unifi";
|
||||||
|
description = "UniFi controller daemon user";
|
||||||
|
home = "${cfg.dataDir}";
|
||||||
|
};
|
||||||
|
users.groups.unifi = {
|
||||||
|
gid = config.ids.gids.unifi;
|
||||||
|
};
|
||||||
|
|
||||||
services.caddy = {
|
services.caddy = {
|
||||||
enable = true;
|
enable = true;
|
||||||
@ -32,9 +38,21 @@ in
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.unifi = {
|
virtualisation.oci-containers.containers = {
|
||||||
enable = true;
|
"unifi" = {
|
||||||
unifiPackage = pkgs.unifi8;
|
image = "lscr.io/linuxserver/unifi-controller:8.0.24-ls221";
|
||||||
|
environment = {
|
||||||
|
PUID = toString config.ids.uids.unifi;
|
||||||
|
PGID = toString config.ids.gids.unifi;
|
||||||
|
TZ = "Etc/UTC";
|
||||||
|
};
|
||||||
|
volumes = [ "${cfg.dataDir}:/config" ];
|
||||||
|
ports = [
|
||||||
|
"8080:8080"
|
||||||
|
"8443:8443"
|
||||||
|
"3478:3478/udp"
|
||||||
|
];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
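Review bot: The container's `ports` entries `"8080:8080"`, `"8443:8443"` and `"3478:3478/udp"` carry no host address, so the controller's inform port, STUN port and admin UI are published on every interface of the host; whether anything reaches them depends on `networking.firewall`, which is not visible here, and the `services.caddy` block in the first hunk suggests the UI is meant to be fronted rather than exposed directly. If only Caddy should reach the UI, bind it to the Tailscale address, `"${config.custom.dns.tailscale.ipv4}:8443:8443"`, and leave 8080 and 3478 open for the access points. The image is pinned by the mutable tag `8.0.24-ls221`; pinning by digest, `lscr.io/linuxserver/unifi-controller:8.0.24-ls221@sha256:<DIGEST>` (placeholder), is what makes the next redeploy reproducible. The `config = lib.mkIf cfg.enable {` block starts outside the hunk.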
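--- /dev/null
+++ b/modules/spotify/default.nix
@@ -0,0 +1,25 @@
+{ config, pkgs, lib, ... }:
+
+
+{
+config.age.secrets."spotify/11132032266" = {
+file = ../../secrets/spotify/11132032266.age;
+owner = "jake";
+};
+
+config.hardware.pulseaudio.enable = true;
+
+config.users.users.jake.extraGroups = [ "audio" ];
+config.users.users.jake.packages = with pkgs; [ spotify-tui ];
+
+config.home-manager.users.jake.services.spotifyd = {
+enable = true;
+settings = {
+global = {
+username = "11132032266";
+password_cmd = "cat ${config.age.secrets."spotify/11132032266".path}";
+backend = "pulseaudio";
+};
+};
+};
+}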
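Review bot: The account id `11132032266` is repeated four times across the secret name, the secret file path and the spotifyd `username`; a `let account = "11132032266"; in` binding at the top keeps one source of truth and turns the others into `"spotify/${account}"`. On style, each option is written with its own `config.` prefix, whereas the other modules in this compare nest under a single `config = { … };` set; adopting that shape here keeps the modules uniform. `password_cmd = "cat …"` reads the age-decrypted file at runtime rather than interpolating the password into the Nix store, which is the right choice and worth a one-line comment saying so.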
@ -43,10 +43,10 @@ in
|
|||||||
"dancefloor.dancefloor.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXkGueVYKr2wp/VHo2QLis0kmKtc/Upg3pGoHr6RkzY";
|
"dancefloor.dancefloor.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXkGueVYKr2wp/VHo2QLis0kmKtc/Upg3pGoHr6RkzY";
|
||||||
"gendry.jakehillion.terminals.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPXM5aDvNv4MTITXAvJWSS2yvr/mbxJE31tgwJtcl38c";
|
"gendry.jakehillion.terminals.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPXM5aDvNv4MTITXAvJWSS2yvr/mbxJE31tgwJtcl38c";
|
||||||
"homeassistant.homeassistant.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM2ytacl/zYXhgvosvhudsl0zW5eQRHXm9aMqG9adux";
|
"homeassistant.homeassistant.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM2ytacl/zYXhgvosvhudsl0zW5eQRHXm9aMqG9adux";
|
||||||
|
"jorah.cx.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILA9Hp37ljgVRZwjXnTh+XqRuQWk23alOqe7ptwSr2A5";
|
||||||
"li.pop.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQWgcDFL9UZBDKHPiEGepT1Qsc4gz3Pee0/XVHJ6V6u";
|
"li.pop.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQWgcDFL9UZBDKHPiEGepT1Qsc4gz3Pee0/XVHJ6V6u";
|
||||||
"microserver.home.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPOCPqXm5a+vGB6PsJFvjKNgjLhM5MxrwCy6iHGRjXw";
|
"microserver.home.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPOCPqXm5a+vGB6PsJFvjKNgjLhM5MxrwCy6iHGRjXw";
|
||||||
"router.home.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlCj/i2xprN6h0Ik2tthOJQy6Qwq3Ony73+yfbHYTFu";
|
"router.home.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlCj/i2xprN6h0Ik2tthOJQy6Qwq3Ony73+yfbHYTFu";
|
||||||
"sodium.pop.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQmG7v/XrinPmkTU2eIoISuU3+hoV4h60Bmbwd+xDjr";
|
|
||||||
"theon.storage.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN59psLVu3/sQORA4x3p8H3ei8MCQlcwX5T+k3kBeBMf";
|
"theon.storage.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN59psLVu3/sQORA4x3p8H3ei8MCQlcwX5T+k3kBeBMf";
|
||||||
"tywin.storage.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGATsjWO0qZNFp2BhfgDuWi+e/ScMkFxp79N2OZoed1k";
|
"tywin.storage.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGATsjWO0qZNFp2BhfgDuWi+e/ScMkFxp79N2OZoed1k";
|
||||||
};
|
};
|
||||||
|
@ -33,11 +33,6 @@ in
|
|||||||
|
|
||||||
services.caddy = {
|
services.caddy = {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = pkgs.unstable.caddy;
|
|
||||||
|
|
||||||
globalConfig = ''
|
|
||||||
email acme@hillion.co.uk
|
|
||||||
'';
|
|
||||||
|
|
||||||
virtualHosts = {
|
virtualHosts = {
|
||||||
"hillion.co.uk".extraConfig = ''
|
"hillion.co.uk".extraConfig = ''
|
||||||
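Review bot: Dropping `globalConfig = '' email acme@hillion.co.uk '';` leaves the public `hillion.co.uk` and `matrix.hillion.co.uk` virtual hosts obtaining certificates from an ACME account with no contact address, so expiry and revocation notices from the CA have nowhere to go. The ACME directory is not shown here, so this is inferred from the public names; if the address was removed deliberately the `email` line is a one-liner to keep regardless of which `caddy` package is used. Removing `package = pkgs.unstable.caddy;` pins the host to the stable channel's Caddy, which is fine as long as the `respond` and `reverse_proxy` forms used in the later hunks are supported there. The `services.caddy` block begins outside the hunk.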
@ -47,10 +42,7 @@ in
|
|||||||
header /.well-known/matrix/* Access-Control-Allow-Origin *
|
header /.well-known/matrix/* Access-Control-Allow-Origin *
|
||||||
|
|
||||||
respond /.well-known/matrix/server "{\"m.server\": \"matrix.hillion.co.uk:443\"}" 200
|
respond /.well-known/matrix/server "{\"m.server\": \"matrix.hillion.co.uk:443\"}" 200
|
||||||
respond /.well-known/matrix/client `${builtins.toJSON {
|
respond /.well-known/matrix/client `{"m.homeserver":{"base_url":"https://matrix.hillion.co.uk"}}`
|
||||||
"m.homeserver" = { "base_url" = "https://matrix.hillion.co.uk"; };
|
|
||||||
"org.matrix.msc3575.proxy" = { "url" = "https://matrix.hillion.co.uk"; };
|
|
||||||
}}` 200
|
|
||||||
|
|
||||||
respond 404
|
respond 404
|
||||||
}
|
}
|
||||||
@ -73,7 +65,6 @@ in
|
|||||||
reverse_proxy http://${locations.services.gitea}:3000
|
reverse_proxy http://${locations.services.gitea}:3000
|
||||||
'';
|
'';
|
||||||
"matrix.hillion.co.uk".extraConfig = ''
|
"matrix.hillion.co.uk".extraConfig = ''
|
||||||
reverse_proxy /_matrix/client/unstable/org.matrix.msc3575/sync http://${locations.services.matrix}:8009
|
|
||||||
reverse_proxy /_matrix/* http://${locations.services.matrix}:8008
|
reverse_proxy /_matrix/* http://${locations.services.matrix}:8008
|
||||||
reverse_proxy /_synapse/client/* http://${locations.services.matrix}:8008
|
reverse_proxy /_synapse/client/* http://${locations.services.matrix}:8008
|
||||||
'';
|
'';
|
||||||
|
19
secrets/gitea/actions/jorah.age
Normal file
19
secrets/gitea/actions/jorah.age
Normal file
@ -0,0 +1,19 @@
|
|||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-rsa GxPFJQ
|
||||||
|
IULcxHpUsH6OI4cfixNPM89VJNcVkK+Z8IpgjzRspSyKc5N7jox6DYSbcuPsjGs7
|
||||||
|
aS2JYOKOx4hYW9aL3B+tef2I24+NzMDTCT31g9gvuLA0wSMWBoFwVodPbfj1ekHy
|
||||||
|
wDUK5XrgyJtFrwTrvuklGYpb/qIEG//k7M/342C9QqfNesv9nULQ6P7+r7jJvxIW
|
||||||
|
sOo6qWHFqD/wIiwtLYiX3pOWC6m91L1QNGVh+9/t58YU8RLsgLm2+2vyg13mKya1
|
||||||
|
UktTKZbhgRXyUJb7h+vVgDKjAnwqnIDL8asCSDuoSRDBcCxwgSpTDOxAEn9X2oJx
|
||||||
|
6S3JLQDhWLlIYrqmVT1aGg
|
||||||
|
-> ssh-rsa K9mW1w
|
||||||
|
hbVlu640hhzR9rJi4b+1c+/V+EilbmwWaNzV7/0+a9BQusTf413hffhk8QXvuze8
|
||||||
|
04LuVctZW5L5B1eOCIeziHc6F5CyAjTsaEDM8SeKGmFjKccjdcSUdbsql87KR5Id
|
||||||
|
/drK41oNA6NlmWrLz3YaSz7A9F+B5lgsJDWgXhMFK3Hru8+gnBQPXkwT/IuQLWI1
|
||||||
|
sXhJN/dHrBsQ5Cc+fRO7/r6u3jiQ1DOS85qQHStsYYXqea0pfiu5wpPdGZVuECwa
|
||||||
|
/R3+ov1JOTK4T3W8TIqOU9ODJxWT697Nv64c8dV3Hq5ymEKkvmZpp1C1/QoCW2EY
|
||||||
|
Nk7PF5zM95SM/IdECQjJGQ
|
||||||
|
-> ssh-ed25519 Qo6/7A 3gQq8TrBY/7Evlu+q6awqBFjG9m5b7ED+dolo8CJCE4
|
||||||
|
JdbLYPo875DQyocjOaVmWQPdgWssuz/T6DJNqgFF020
|
||||||
|
--- 0si8/IY1PiYgcmtTFDqu0cj7dW6DFqvgirY0tiSZfdA
|
||||||
|
ûÈA©®¦£Ž®¬(]ý¸’7£ÆüùÙÚqp0<70>„5Èc“ý$$æW|ß%`§/uXûɈ\~â!åléedäþDg˜ .<2E>i•]§§)l>EÌ
|
@ -1,20 +0,0 @@
|
|||||||
age-encryption.org/v1
|
|
||||||
-> ssh-rsa GxPFJQ
|
|
||||||
Z3WKcEusrn04hb2zUpEFBHOoqDIaCzMo/jZuOX/eMKPBqTrxcba9ZgxOFE7+yaUi
|
|
||||||
FJvlQNg5pQn/vaCtHkJWfBXdKiwZ3pIeaqwNcto8EprKLxIAkLjMBMOursz9k41E
|
|
||||||
0B4NKRyxiQO2kMgjKb9jYzhioan3NG1Loto8RbjbUPlqn/Q0NEsq8Uql0qaM02Ba
|
|
||||||
zBd1Xt1MFDtemXxzfmeqLMX45F67B8JKFujnXajR7qoRCmzz6kkj6zb+SEE+Nodq
|
|
||||||
9J/i4rpgwP0B9Zgp9QqnvOBVuLtxPOv/EE+Dp9Ktj1v5SxlJbQoPBiX5pZd5n3/n
|
|
||||||
dqibdn1Jls57qCs9sHAlDQ
|
|
||||||
-> ssh-rsa K9mW1w
|
|
||||||
BMNOK5nTDPSw5wZsdWlpWzbA62WdDmqg3CdiYSA8mDZT5LFHsmZt4azfwvCWnwKh
|
|
||||||
jvzWsNgASSdCCGk4xzDR8qzVAvcku5IxgQjGWCfa307r8k1RFMF910+QpS0nsckE
|
|
||||||
voBCvNIbv1Qjg6MKSXIDmmDjeLedL/0WYp7mX2FHQbs2Mau3xHz+l4mW9C6Dlyeu
|
|
||||||
PdR6IYJxqxDOqQk2FIMYq7vS1JWDo2ntS3XcufUL4V6TeFj1Soauff9/55hqt8Tm
|
|
||||||
JlUkbHmc/69bsqbr3en1sk6lk7GV7M87tfjGJuhdsMQLY10jFuZfkpewRhCLTEpR
|
|
||||||
LFooblAploXTZfXkvmoj2A
|
|
||||||
-> ssh-ed25519 iWiFbA izGiArlZgQMVSnQv/WG7+tBUnk0z/iUHI1TgAf0d5V0
|
|
||||||
Qw/pUd8y7UNElE9U+VwE7cQhemfPXFhFoiKQya34Bwo
|
|
||||||
--- FfPFhjvH78/oBzE1tL93Vxm6fV9zsHL3S8aDb3KWA4o
|
|
||||||
óœ}þŠlj¿mE_¿9mç}z ¼?ü-Ø9F•]IóãÞØy7uw¼x¼ŠQ3ÅìüqñŠJ„åVº–/”º@>°vÊî-G4;Êí1Ñ&@§k®
ÍWë+c*ûžìá|#»û˜Èª³Wy
|
|
||||||
fC°
|
|
@ -14,16 +14,14 @@ let
|
|||||||
ts = {
|
ts = {
|
||||||
cx = {
|
cx = {
|
||||||
boron = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDtcJ7HY/vjtheMV8EN2wlTw1hU53CJebGIeRJcSkzt5 root@boron";
|
boron = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDtcJ7HY/vjtheMV8EN2wlTw1hU53CJebGIeRJcSkzt5 root@boron";
|
||||||
|
jorah = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILA9Hp37ljgVRZwjXnTh+XqRuQWk23alOqe7ptwSr2A5 root@jorah";
|
||||||
};
|
};
|
||||||
home = {
|
home = {
|
||||||
microserver = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPOCPqXm5a+vGB6PsJFvjKNgjLhM5MxrwCy6iHGRjXw root@microserver";
|
microserver = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPOCPqXm5a+vGB6PsJFvjKNgjLhM5MxrwCy6iHGRjXw root@microserver";
|
||||||
router = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlCj/i2xprN6h0Ik2tthOJQy6Qwq3Ony73+yfbHYTFu root@router";
|
router = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlCj/i2xprN6h0Ik2tthOJQy6Qwq3Ony73+yfbHYTFu root@router";
|
||||||
};
|
};
|
||||||
lt = { be = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILV3OSUT+cqFqrFHZGfn7/xi5FW3n1qjUFy8zBbYs2Sm root@be"; };
|
lt = { be = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILV3OSUT+cqFqrFHZGfn7/xi5FW3n1qjUFy8zBbYs2Sm root@be"; };
|
||||||
pop = {
|
pop = { li = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQWgcDFL9UZBDKHPiEGepT1Qsc4gz3Pee0/XVHJ6V6u root@li"; };
|
||||||
li = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQWgcDFL9UZBDKHPiEGepT1Qsc4gz3Pee0/XVHJ6V6u root@li";
|
|
||||||
sodium = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQmG7v/XrinPmkTU2eIoISuU3+hoV4h60Bmbwd+xDjr root@sodium";
|
|
||||||
};
|
|
||||||
terminals = { jakehillion = { gendry = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPXM5aDvNv4MTITXAvJWSS2yvr/mbxJE31tgwJtcl38c root@gendry"; }; };
|
terminals = { jakehillion = { gendry = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPXM5aDvNv4MTITXAvJWSS2yvr/mbxJE31tgwJtcl38c root@gendry"; }; };
|
||||||
storage = {
|
storage = {
|
||||||
tywin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGATsjWO0qZNFp2BhfgDuWi+e/ScMkFxp79N2OZoed1k root@tywin";
|
tywin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGATsjWO0qZNFp2BhfgDuWi+e/ScMkFxp79N2OZoed1k root@tywin";
|
||||||
@ -50,16 +48,13 @@ in
|
|||||||
"tailscale/be.lt.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.lt.be ];
|
"tailscale/be.lt.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.lt.be ];
|
||||||
"tailscale/boron.cx.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.cx.boron ];
|
"tailscale/boron.cx.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.cx.boron ];
|
||||||
"tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.terminals.jakehillion.gendry ];
|
"tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.terminals.jakehillion.gendry ];
|
||||||
|
"tailscale/jorah.cx.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
|
||||||
"tailscale/microserver.home.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.home.microserver ];
|
"tailscale/microserver.home.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.home.microserver ];
|
||||||
"tailscale/li.pop.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.pop.li ];
|
"tailscale/li.pop.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.pop.li ];
|
||||||
"tailscale/router.home.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.home.router ];
|
"tailscale/router.home.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.home.router ];
|
||||||
"tailscale/sodium.pop.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.pop.sodium ];
|
|
||||||
"tailscale/theon.storage.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.storage.theon ];
|
"tailscale/theon.storage.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.storage.theon ];
|
||||||
"tailscale/tywin.storage.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.storage.tywin ];
|
"tailscale/tywin.storage.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.storage.tywin ];
|
||||||
|
|
||||||
# WiFi Environment Files
|
|
||||||
"wifi/be.lt.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.lt.be ];
|
|
||||||
|
|
||||||
# Resilio Sync Secrets
|
# Resilio Sync Secrets
|
||||||
## Encrypted Resilio Sync Secrets
|
## Encrypted Resilio Sync Secrets
|
||||||
"resilio/encrypted/dad.age".publicKeys = jake_users ++ [ ];
|
"resilio/encrypted/dad.age".publicKeys = jake_users ++ [ ];
|
||||||
@ -79,8 +74,6 @@ in
|
|||||||
"matrix/matrix.hillion.co.uk/email.age".publicKeys = jake_users ++ [ ts.cx.boron ];
|
"matrix/matrix.hillion.co.uk/email.age".publicKeys = jake_users ++ [ ts.cx.boron ];
|
||||||
"matrix/matrix.hillion.co.uk/registration_shared_secret.age".publicKeys = jake_users ++ [ ts.cx.boron ];
|
"matrix/matrix.hillion.co.uk/registration_shared_secret.age".publicKeys = jake_users ++ [ ts.cx.boron ];
|
||||||
|
|
||||||
"matrix/matrix.hillion.co.uk/syncv3_secret.age".publicKeys = jake_users ++ [ ts.cx.boron ];
|
|
||||||
|
|
||||||
# Backups Secrets
|
# Backups Secrets
|
||||||
"restic/128G.age".publicKeys = jake_users ++ [ ts.storage.tywin ts.cx.boron ts.home.microserver ];
|
"restic/128G.age".publicKeys = jake_users ++ [ ts.storage.tywin ts.cx.boron ts.home.microserver ];
|
||||||
"restic/1.6T.age".publicKeys = jake_users ++ [ ts.storage.tywin ts.home.router ];
|
"restic/1.6T.age".publicKeys = jake_users ++ [ ts.storage.tywin ts.home.router ];
|
||||||
@ -88,6 +81,9 @@ in
|
|||||||
"git/git_backups_ecdsa.age".publicKeys = jake_users ++ [ ts.storage.tywin ];
|
"git/git_backups_ecdsa.age".publicKeys = jake_users ++ [ ts.storage.tywin ];
|
||||||
"git/git_backups_remotes.age".publicKeys = jake_users ++ [ ts.storage.tywin ];
|
"git/git_backups_remotes.age".publicKeys = jake_users ++ [ ts.storage.tywin ];
|
||||||
|
|
||||||
|
# Spotify Secrets
|
||||||
|
"spotify/11132032266.age".publicKeys = jake_users ++ [ ts.terminals.jakehillion.gendry ];
|
||||||
|
|
||||||
# Mastodon Secrets
|
# Mastodon Secrets
|
||||||
"mastodon/social.hillion.co.uk/otp_secret_file.age".publicKeys = jake_users ++ [ ];
|
"mastodon/social.hillion.co.uk/otp_secret_file.age".publicKeys = jake_users ++ [ ];
|
||||||
"mastodon/social.hillion.co.uk/secret_key_base.age".publicKeys = jake_users ++ [ ];
|
"mastodon/social.hillion.co.uk/secret_key_base.age".publicKeys = jake_users ++ [ ];
|
||||||
@ -101,7 +97,7 @@ in
|
|||||||
"storj/auth.age".publicKeys = jake_users ++ [ ts.storage.tywin ];
|
"storj/auth.age".publicKeys = jake_users ++ [ ts.storage.tywin ];
|
||||||
|
|
||||||
# Version tracker secrets
|
# Version tracker secrets
|
||||||
"version_tracker/ssh.key.age".publicKeys = jake_users ++ [ ts.cx.boron ];
|
"version_tracker/ssh.key.age".publicKeys = jake_users ++ [ ts.cx.boron ts.cx.jorah ];
|
||||||
|
|
||||||
# Home Automation secrets
|
# Home Automation secrets
|
||||||
"mqtt/zigbee2mqtt.age".publicKeys = jake_users ++ [ ts.home.router ];
|
"mqtt/zigbee2mqtt.age".publicKeys = jake_users ++ [ ts.home.router ];
|
||||||
@ -121,6 +117,7 @@ in
|
|||||||
"gitea/security_internal_token.age".publicKeys = jake_users ++ [ ts.cx.boron ];
|
"gitea/security_internal_token.age".publicKeys = jake_users ++ [ ts.cx.boron ];
|
||||||
|
|
||||||
"gitea/actions/boron.age".publicKeys = jake_users ++ [ ts.cx.boron ];
|
"gitea/actions/boron.age".publicKeys = jake_users ++ [ ts.cx.boron ];
|
||||||
|
"gitea/actions/jorah.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
|
||||||
|
|
||||||
# HomeAssistant Secrets
|
# HomeAssistant Secrets
|
||||||
"homeassistant/secrets.yaml.age".publicKeys = jake_users ++ [ ts.home.microserver ];
|
"homeassistant/secrets.yaml.age".publicKeys = jake_users ++ [ ts.home.microserver ];
|
||||||
|
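Review bot: `"version_tracker/ssh.key.age"` is now decrypted by both `ts.cx.boron` and `ts.cx.jorah`, so a single SSH private key is shared between two hosts; if that key is an authorized key on the remote side, a compromise of either host forces a rotation that also takes the other host down, and the remote's logs cannot distinguish the two. If the version tracker is meant to run on both, a per-host key (a constructed example: `version_tracker/ssh.key.<host>.age`, each with one host recipient) keeps the blast radius to one machine. Separately, dropping `ts.pop.sodium`, the `tailscale/sodium...`, `wifi/be.lt...` and `matrix/.../syncv3_secret.age` entries from the recipient map only stops future re-encryption: the previous ciphertexts remain in git history and stay readable by the old host keys, so if sodium or the syncv3 proxy is being retired rather than moved, the underlying Tailscale auth key, WiFi credentials and syncv3 secret should also be rotated at their source. The `let` bindings and the attribute set these hunks edit begin and end outside the hunks.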
BIN
secrets/spotify/11132032266.age
Normal file
BIN
secrets/spotify/11132032266.age
Normal file
Binary file not shown.
23
secrets/tailscale/jorah.cx.ts.hillion.co.uk.age
Normal file
23
secrets/tailscale/jorah.cx.ts.hillion.co.uk.age
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-rsa GxPFJQ
|
||||||
|
kqQ9ovZi1Wqf7hz75QB+v8oLr5oRT4Uce7juM+R04CrOOGn1O6DkQtVeFa4Q7Ho0
|
||||||
|
DTYeaP3jTR8zo7poTI323q8FbQ/dLG4jxBFafDZJZlXGEThVLnhNYqZZSjiCJHma
|
||||||
|
hUn8nSC0y6AdA+lMn8tvZcaivaYpPtT+bALXtvxZ6rTo+mTbJrVRxPY5FZdmdmCC
|
||||||
|
Z1h3UFZoyuAO9VWQKtPO3o0Ijh+L7e+TFdRl1YowGB+hvZdJ08AkPXrwIEUMnnMA
|
||||||
|
+e/FA5HxHgvi6ud8RTcAkaecYt0l/vKDgBON9ESfHIMuS+vNk5GKT7a+ImKmfb4/
|
||||||
|
o2cSmR8y/+J5z4MEBcj/Vg
|
||||||
|
-> ssh-rsa K9mW1w
|
||||||
|
veHh0OpoW3Hnvy9k7NwANMae2StqGcohTI9hfeHNi7mR6wHly1HqOD9U7eijVYIC
|
||||||
|
qvKJsk7sEO8NyAVqLWqrvdq9bLkgTgsNWQsXbulY8VHhwZMIko9YYIZeJv8Um9Bz
|
||||||
|
q4QiwJW1KoLItqJNR9c1ZLRfwHaLZwKTThAKMjgt5KFiN5NJYb9CLbAZi4eG1hi0
|
||||||
|
PsIP/S/dsUKAeN6Bz2JZ4HB0jsvyPiQLr2p4q5nfEKybJEmjOfc9Z7TjwZTNlC0Y
|
||||||
|
0MKVarhwFqsMIP63gTYZisacAhmsG7DoLFA5eHf0VPa1KjqFait0dG+zuojehMfj
|
||||||
|
uifZFGahsWaAMg+oq+/Cvg
|
||||||
|
-> ssh-ed25519 Qo6/7A sLXu4pSLH2lnzLYVzisN9Zl/EW1jL21Km6kPZO0/Zjk
|
||||||
|
chDyf7Sb5GtSVi3TmfYpwwFbI3PhoOnxS5lRcqQGwyY
|
||||||
|
-> Y1-grease ,Lz| "Uil>z36 -K
|
||||||
|
xfFD+uEZIkGkysF3HdMkMbhsPnu+Cnu6o8tT0lq8rdSOn26V6Fj5CZi1muuD7d2c
|
||||||
|
BLtH1vyQx4M71Hb6PmKu7+s5V9xsJqKxtDqx/6iAc9uZnbmeU27nsA
|
||||||
|
--- YXh9Kl4PGetzx8qsLJa5gTO3W7UNtio1tXs/HXS271U
|
||||||
|
Þûa…kž+J+/û€áñ<1A>ÍKÅbÄä‰éù|Ï$MäåÒ{NýÇ]¦ï=ö7Ïß@ƒ›—<E280BA>(h.ql2¢X}]ê,¦'ùN ÙCô!Æ;ØW£±
|
||||||
|
äû·Dï
|
@ -1,19 +0,0 @@
|
|||||||
age-encryption.org/v1
|
|
||||||
-> ssh-rsa GxPFJQ
|
|
||||||
rgebPOZWAkQIqQZn5UywtUzu1ZpEK9yF3wDLl7b76vOLBM8BeE/cud2AgwRe49VM
|
|
||||||
UfbL+5IInvqvVCtCmciVvDhBp85BLvuB/e6DkWxH+HkKm7/stgXkuaotnbxftLN5
|
|
||||||
w90Qz8jVgwOSWlpDdW+MACphLBOiDe6oUrcodiQTD+FmA/cH7oEnjaxyElZA4aey
|
|
||||||
Yw6df7NiMCbh8LitSqLm9YTB6yWlVw6fumpvsVJqW9UPOdTtOEilFT6qrXIMeu10
|
|
||||||
MEdDkU5FlocDSxYLN1buIRSVb+wtN8eSYrMsOd7zwB/FYWw9fFNbZ/1JFxQKl9SK
|
|
||||||
w+fHN1jQyOjKpbYELeCdRg
|
|
||||||
-> ssh-rsa K9mW1w
|
|
||||||
hAYfQrfwWNmck6t7oDzS/JKd7Gb/j3MMH19kEZ74k2Z/t6j9VgNlo0cLCQCRd29l
|
|
||||||
NXNwx4H1VLFqP0f0YOIpbeZAPjvLxWODv97ovLWTtokPX9/kDugigqdW59KYcxWB
|
|
||||||
cbGAJrBm+D7b5uEuVBCWWBAAv8dZ4EajguoBR6u9mkJRDyy55q3JnS8zUoSz/9XK
|
|
||||||
Ne+pf9Bej2hen5CrFJoIBs3YGL81Tqn9zfI3RsgyncB355aL0bH3FKeeWU/Qm2Eb
|
|
||||||
fqJroSjNteWp+vqu9RzgrzpRUrZbw+KZL7sssTc0qXTI6UuUrchJ3ku8bOAmYYj+
|
|
||||||
4GgOgMeY5ne15Xkc0g/U7Q
|
|
||||||
-> ssh-ed25519 oW6Y8A koK5dt68rm3ItiMLS/D85cL1FyvBFOoOUn2iU431HXk
|
|
||||||
isWccUR1wymJzBSoNVh+aFMrp1/VS3In6w/kcb1RTSM
|
|
||||||
--- Askgu9440tsbF855jM94XpINs1fv69fSY/+CchwH/q8
|
|
||||||
š3 ÌV÷<07>‘‹Ôy~ϸtˆ¯ÿÉÏè@öpƒÆࢅ~Ón‚Oî°¥Ä ¾âaUUr›•1P¤žÓ6W8ÆFÎ<46>Å<EFBFBD>€?ë›7…üÞ&Ü—OŠ×t|œpoË
|
|
Binary file not shown.
@ -1,20 +0,0 @@
|
|||||||
age-encryption.org/v1
|
|
||||||
-> ssh-rsa GxPFJQ
|
|
||||||
j23rAXS9bmi74Aw3K+Ym/+4eajkeddGn0JsT4y7LkM54KZDazHLSpdIY8G4bPEC1
|
|
||||||
Hmwb6tC/fXjCwxZlR69UcWOhYtGFNQKKe66uO4+LnLHrosppsFNUduk1/yamorxh
|
|
||||||
foTF1BYstniAO4dkeS+gqU+EozOnpOgnXDjJwQu2az7H0ecTkrdaExVSZefoak2Q
|
|
||||||
NdiMVzLgx4/jcuNFIQhej9h2RuTZFcYqoxLvpDYhgCHHrZGXT4MpMtpbV/1z0rjE
|
|
||||||
RZiMsaD0cFUB0xY4ncZu/UYTqDInCmiQ/hT1IpHXo41mJgAoOjxvBuMtT1JLFIPx
|
|
||||||
eHV8+2B6t6cmvJ94oDb6pA
|
|
||||||
-> ssh-rsa K9mW1w
|
|
||||||
nX3geP4iz2iW8cIaiI+gUsf2Me5N5yLVxyp0AZx3mxm+REVeW/3gIs6RFwgVvNz4
|
|
||||||
O3Rd714c5eufkVb0jaHcnh9xPkhd9JPhDx9ALJebFyDwviQelRucCNkAiFU8cCp0
|
|
||||||
5CwdTOsa+QoTL0yzkgFch32sEnrmi3NQpMyQdIACFaFyvVl0vd8jOvIrNUqEc1dZ
|
|
||||||
XL2brlteJ5tDn4+7riShILdrkWUXMt127YtBLk4kzAFq9bem6KR3mxoupoGOMZKM
|
|
||||||
6erqfETaoGyQYfETg7+/4CSoCOnSw7EgleOQ92Esof2KPiLWqvVVLRYQkajr5atn
|
|
||||||
QM8pEVHysfP7tYCOw5Pc3Q
|
|
||||||
-> ssh-ed25519 ikTTQA pS/dHNYcNr5Td/Gd7bzuODNdtg5Z/EOl2ZMkRhWIbxs
|
|
||||||
7S4TzwwGr20Ar2EHYzF42yK3nKf6k2YAV97URcvtssU
|
|
||||||
--- aaywXgy4WGMmd1EoyFk/LXbATavqk0N5rrAJ43aHXo0
|
|
||||||
*¢’X%jø
gàïP5)ÚKS•=ØøÞa~зR7œ©\>ëŠv¡w°¿›8©Ã
|
|
||||||
Ì•ŠQ±Nx…Lžlã`™÷Ì!ä¸^Z¥éE¼R››·V è\׺ ‰ÚÝ-R°vÞû¾Sgtw
M©ÞÓÓç)#8Ã΃óɾn
|
|