JakeHillion/nixos
1
0
Fork 0
Code Issues 7 Pull Requests 5 Actions Packages Projects Releases Wiki Activity

Compare commits

base: JakeHillion:main
Branches Tags
JakeHillion:main
JakeHillion:renovate/lock-file-maintenance
JakeHillion:ollama
JakeHillion:inventree
JakeHillion:frigate
JakeHillion:sponsorblock
JakeHillion:boron-sync
JakeHillion:ha-lr-hue
JakeHillion:laptop-battery
JakeHillion:rpi-ccache
JakeHillion:boron-native
JakeHillion:boron-tpm
JakeHillion:deploy-rs
JakeHillion:vms
JakeHillion:auto-updates
JakeHillion:he
JakeHillion:node-red
JakeHillion:radius
JakeHillion:images
JakeHillion:mediaserver
JakeHillion:storj-gui
JakeHillion:booted/sodium.pop.ts.hillion.co.uk
JakeHillion:current/sodium.pop.ts.hillion.co.uk
JakeHillion:current/boron.cx.ts.hillion.co.uk
JakeHillion:current/microserver.home.ts.hillion.co.uk
JakeHillion:booted/theon.storage.ts.hillion.co.uk
JakeHillion:current/theon.storage.ts.hillion.co.uk
JakeHillion:current/router.home.ts.hillion.co.uk
JakeHillion:booted/li.pop.ts.hillion.co.uk
JakeHillion:current/li.pop.ts.hillion.co.uk
JakeHillion:booted/tywin.storage.ts.hillion.co.uk
JakeHillion:current/tywin.storage.ts.hillion.co.uk
JakeHillion:booted/boron.cx.ts.hillion.co.uk
JakeHillion:booted/be.lt.ts.hillion.co.uk
JakeHillion:current/be.lt.ts.hillion.co.uk
JakeHillion:booted/gendry.jakehillion-terminals.ts.hillion.co.uk
JakeHillion:current/gendry.jakehillion-terminals.ts.hillion.co.uk
JakeHillion:booted/router.home.ts.hillion.co.uk
JakeHillion:booted/microserver.home.ts.hillion.co.uk
..
compare: JakeHillion:vms
Branches Tags
JakeHillion:renovate/lock-file-maintenance
JakeHillion:main
JakeHillion:ollama
JakeHillion:inventree
JakeHillion:frigate
JakeHillion:sponsorblock
JakeHillion:boron-sync
JakeHillion:ha-lr-hue
JakeHillion:laptop-battery
JakeHillion:rpi-ccache
JakeHillion:boron-native
JakeHillion:boron-tpm
JakeHillion:deploy-rs
JakeHillion:vms
JakeHillion:auto-updates
JakeHillion:he
JakeHillion:node-red
JakeHillion:radius
JakeHillion:images
JakeHillion:mediaserver
JakeHillion:storj-gui
JakeHillion:booted/sodium.pop.ts.hillion.co.uk
JakeHillion:current/sodium.pop.ts.hillion.co.uk
JakeHillion:current/boron.cx.ts.hillion.co.uk
JakeHillion:current/microserver.home.ts.hillion.co.uk
JakeHillion:booted/theon.storage.ts.hillion.co.uk
JakeHillion:current/theon.storage.ts.hillion.co.uk
JakeHillion:current/router.home.ts.hillion.co.uk
JakeHillion:booted/li.pop.ts.hillion.co.uk
JakeHillion:current/li.pop.ts.hillion.co.uk
JakeHillion:booted/tywin.storage.ts.hillion.co.uk
JakeHillion:current/tywin.storage.ts.hillion.co.uk
JakeHillion:booted/boron.cx.ts.hillion.co.uk
JakeHillion:booted/be.lt.ts.hillion.co.uk
JakeHillion:current/be.lt.ts.hillion.co.uk
JakeHillion:booted/gendry.jakehillion-terminals.ts.hillion.co.uk
JakeHillion:current/gendry.jakehillion-terminals.ts.hillion.co.uk
JakeHillion:booted/router.home.ts.hillion.co.uk
JakeHillion:booted/microserver.home.ts.hillion.co.uk

1 Commits
main ... vms

Author SHA1 Message Date
Jake Hillion
9b8fd11726 vms: add support for nix configured virtual machines
Some checks failed
flake / flake (push) Failing after 42s
Details
2024-04-11 08:57:40 +01:00
102 changed files with 780 additions and 2112 deletions
Show Stats Expand all files Collapse all files

13
.gitea/workflows/flake.yaml
View File

@ -11,13 +11,14 @@ jobs:
flake:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: DeterminateSystems/nix-installer-action@da36cb69b1c3247ad7a1f931ebfd954a1105ef14 # v14
- uses: DeterminateSystems/magic-nix-cache-action@87b14cf437d03d37989d87f0fa5ce4f5dc1a330b # v8
- name: lint
- uses: actions/checkout@v4
- name: Prepare for Nix installation
run: |
nix fmt
git diff --exit-code
apt-get update
apt-get install -y sudo
- uses: cachix/install-nix-action@v26
- name: lint
run: nix fmt
- name: flake check
run: nix flake check --all-systems
timeout-minutes: 10

1
README.md
View File

@ -10,4 +10,3 @@ Raspberry Pi images that support Tailscale and headless SSH can be built using a
nixos-generate -f sd-aarch64-installer --system aarch64-linux -c hosts/microserver.home.ts.hillion.co.uk/default.nix
cp SOME_OUTPUT out.img.zst
Alternatively, a Raspberry Pi image with headless SSH can be easily built using the logic in [this repo](https://github.com/Robertof/nixos-docker-sd-image-builder/tree/master).

27
darwin/jakehillion-mba-m2-15/configuration.nix
View File

@ -1,27 +0,0 @@
{ config, pkgs, ... }:
{
config = {
system.stateVersion = 4;
networking.hostName = "jakehillion-mba-m2-15";
nix = {
useDaemon = true;
};
programs.zsh.enable = true;
security.pam.enableSudoTouchIdAuth = true;
environment.systemPackages = with pkgs; [
fd
htop
mosh
neovim
nix
ripgrep
sapling
];
};
}

84
flake.lock
View File

@ -2,9 +2,7 @@
"nodes": {
"agenix": {
"inputs": {
"darwin": [
"darwin"
],
"darwin": "darwin",
"home-manager": [
"home-manager"
],
@ -14,11 +12,11 @@
"systems": "systems"
},
"locked": {
"lastModified": 1723293904,
"narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
"lastModified": 1712079060,
"narHash": "sha256-/JdiT9t+zzjChc5qQiF+jhrVhRt8figYH29rZO7pFe4=",
"owner": "ryantm",
"repo": "agenix",
"rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
"rev": "1381a759b205dff7a6818733118d02253340fd5e",
"type": "github"
},
"original": {
@ -30,19 +28,21 @@
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1726188813,
"narHash": "sha256-Vop/VRi6uCiScg/Ic+YlwsdIrLabWUJc57dNczp0eBc=",
"lastModified": 1700795494,
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "21fe31f26473c180390cfa81e3ea81aca0204c80",
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
@ -72,47 +72,27 @@
]
},
"locked": {
"lastModified": 1725703823,
"narHash": "sha256-tDgM4d8mLK0Hd6YMB2w1BqMto1XBXADOzPEaLl10VI4=",
"lastModified": 1712386041,
"narHash": "sha256-dA82pOMQNnCJMAsPG7AXG35VmCSMZsJHTFlTHizpKWQ=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "208df2e558b73b6a1f0faec98493cb59a25f62ba",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-24.05",
"repo": "home-manager",
"type": "github"
}
},
"home-manager-unstable": {
"inputs": {
"nixpkgs": [
"nixpkgs-unstable"
]
},
"locked": {
"lastModified": 1726357542,
"narHash": "sha256-p4OrJL2weh0TRtaeu1fmNYP6+TOp/W2qdaIJxxQay4c=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "e524c57b1fa55d6ca9d8354c6ce1e538d2a1f47f",
"rev": "d6bb9f934f2870e5cbc5b94c79e9db22246141ff",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-23.11",
"repo": "home-manager",
"type": "github"
}
},
"impermanence": {
"locked": {
"lastModified": 1725690722,
"narHash": "sha256-4qWg9sNh5g1qPGO6d/GV2ktY+eDikkBTbWSg5/iD2nY=",
"lastModified": 1708968331,
"narHash": "sha256-VUXLaPusCBvwM3zhGbRIJVeYluh2uWuqtj4WirQ1L9Y=",
"owner": "nix-community",
"repo": "impermanence",
"rev": "63f4d0443e32b0dd7189001ee1894066765d18a5",
"rev": "a33ef102a02ce77d3e39c25197664b7a636f9c30",
"type": "github"
},
"original": {
@ -122,44 +102,29 @@
"type": "github"
}
},
"nixos-hardware": {
"locked": {
"lastModified": 1725885300,
"narHash": "sha256-5RLEnou1/GJQl+Wd+Bxaj7QY7FFQ9wjnFq1VNEaxTmc=",
"owner": "nixos",
"repo": "nixos-hardware",
"rev": "166dee4f88a7e3ba1b7a243edb1aca822f00680e",
"type": "github"
},
"original": {
"owner": "nixos",
"repo": "nixos-hardware",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1726320982,
"narHash": "sha256-RuVXUwcYwaUeks6h3OLrEmg14z9aFXdWppTWPMTwdQw=",
"lastModified": 1712437997,
"narHash": "sha256-g0whLLwRvgO2FsyhY8fNk+TWenS3jg5UdlWL4uqgFeo=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "8f7492cce28977fbf8bd12c72af08b1f6c7c3e49",
"rev": "e38d7cb66ea4f7a0eb6681920615dfcc30fc2920",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-24.05",
"ref": "nixos-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1726243404,
"narHash": "sha256-sjiGsMh+1cWXb53Tecsm4skyFNag33GPbVgCdfj3n9I=",
"lastModified": 1712439257,
"narHash": "sha256-aSpiNepFOMk9932HOax0XwNxbA38GOUVOiXfUVPOrck=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "345c263f2f53a3710abe117f28a5cb86d0ba4059",
"rev": "ff0dbd94265ac470dda06a657d5fe49de93b4599",
"type": "github"
},
"original": {
@ -172,12 +137,9 @@
"root": {
"inputs": {
"agenix": "agenix",
"darwin": "darwin",
"flake-utils": "flake-utils",
"home-manager": "home-manager",
"home-manager-unstable": "home-manager-unstable",
"impermanence": "impermanence",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable"
}

54
flake.nix
View File

@ -1,50 +1,35 @@
{
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
nixos-hardware.url = "github:nixos/nixos-hardware";
flake-utils.url = "github:numtide/flake-utils";
darwin.url = "github:lnl7/nix-darwin";
darwin.inputs.nixpkgs.follows = "nixpkgs";
agenix.url = "github:ryantm/agenix";
agenix.inputs.nixpkgs.follows = "nixpkgs";
agenix.inputs.darwin.follows = "darwin";
agenix.inputs.home-manager.follows = "home-manager";
home-manager.url = "github:nix-community/home-manager/release-24.05";
home-manager.url = "github:nix-community/home-manager/release-23.11";
home-manager.inputs.nixpkgs.follows = "nixpkgs";
home-manager-unstable.url = "github:nix-community/home-manager";
home-manager-unstable.inputs.nixpkgs.follows = "nixpkgs-unstable";
impermanence.url = "github:nix-community/impermanence/master";
};
description = "Hillion Nix flake";
outputs = { self, nixpkgs, nixpkgs-unstable, nixos-hardware, flake-utils, agenix, home-manager, home-manager-unstable, darwin, impermanence, ... }@inputs:
let
getSystemOverlays = system: nixpkgsConfig: [
(final: prev: {
unstable = nixpkgs-unstable.legacyPackages.${prev.system};
"storj" = final.callPackage ./pkgs/storj.nix { };
})
];
in
{
outputs = { self, nixpkgs, nixpkgs-unstable, flake-utils, agenix, home-manager, impermanence, ... }@inputs: {
nixosConfigurations =
let
fqdns = builtins.attrNames (builtins.readDir ./hosts);
getSystemOverlays = system: nixpkgsConfig: [
(final: prev: {
"storj" = final.callPackage ./pkgs/storj.nix { };
})
];
mkHost = fqdn:
let
system = builtins.readFile ./hosts/${fqdn}/system;
func = if builtins.pathExists ./hosts/${fqdn}/unstable then nixpkgs-unstable.lib.nixosSystem else nixpkgs.lib.nixosSystem;
home-manager-pick = if builtins.pathExists ./hosts/${fqdn}/unstable then home-manager-unstable else home-manager;
let system = builtins.readFile ./hosts/${fqdn}/system;
in
func {
nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = inputs;
modules = [
@ -54,7 +39,7 @@
agenix.nixosModules.default
impermanence.nixosModules.impermanence
home-manager-pick.nixosModules.default
home-manager.nixosModules.default
{
home-manager.sharedModules = [
impermanence.nixosModules.home-manager.impermanence
@ -62,6 +47,7 @@
}
({ config, ... }: {
nix.registry.nixpkgs.flake = nixpkgs; # pin `nix shell` nixpkgs
system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
nixpkgs.overlays = getSystemOverlays config.nixpkgs.hostPlatform.system config.nixpkgs.config;
})
@ -69,22 +55,6 @@
};
in
nixpkgs.lib.genAttrs fqdns mkHost;
darwinConfigurations = {
jakehillion-mba-m2-15 = darwin.lib.darwinSystem {
system = "aarch64-darwin";
specialArgs = inputs;
modules = [
./darwin/jakehillion-mba-m2-15/configuration.nix
({ config, ... }: {
nixpkgs.overlays = getSystemOverlays "aarch64-darwin" config.nixpkgs.config;
})
];
};
};
} // flake-utils.lib.eachDefaultSystem (system: {
formatter = nixpkgs.legacyPackages.${system}.nixpkgs-fmt;
});

55
hosts/be.lt.ts.hillion.co.uk/default.nix
View File

@ -1,55 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports = [
./hardware-configuration.nix
];
config = {
system.stateVersion = "23.11";
networking.hostName = "be";
networking.domain = "lt.ts.hillion.co.uk";
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
custom.defaults = true;
## Impermanence
custom.impermanence = {
enable = true;
userExtraFiles.jake = [
".ssh/id_ecdsa_sk_keys"
];
};
## WiFi
age.secrets."wifi/be.lt.ts.hillion.co.uk".file = ../../secrets/wifi/be.lt.ts.hillion.co.uk.age;
networking.wireless = {
enable = true;
environmentFile = config.age.secrets."wifi/be.lt.ts.hillion.co.uk".path;
networks = {
"Hillion WPA3 Network".psk = "@HILLION_WPA3_NETWORK_PSK@";
};
};
## Desktop
custom.users.jake.password = true;
custom.desktop.awesome.enable = true;
## Tailscale
age.secrets."tailscale/be.lt.ts.hillion.co.uk".file = ../../secrets/tailscale/be.lt.ts.hillion.co.uk.age;
services.tailscale = {
enable = true;
authKeyFile = config.age.secrets."tailscale/be.lt.ts.hillion.co.uk".path;
};
security.sudo.wheelNeedsPassword = lib.mkForce true;
## Enable btrfs compression
fileSystems."/data".options = [ "compress=zstd" ];
fileSystems."/nix".options = [ "compress=zstd" ];
};
}

59
hosts/be.lt.ts.hillion.co.uk/hardware-configuration.nix
View File

@ -1,59 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{
device = "tmpfs";
fsType = "tmpfs";
options = [ "mode=0755" ];
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/D184-A79B";
fsType = "vfat";
};
fileSystems."/nix" =
{
device = "/dev/disk/by-uuid/3fdc1b00-28d5-41dd-b8e0-fa6b1217f6eb";
fsType = "btrfs";
options = [ "subvol=nix" ];
};
boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/c8ffa91a-5152-4d84-8995-01232fd5acd6";
fileSystems."/data" =
{
device = "/dev/disk/by-uuid/3fdc1b00-28d5-41dd-b8e0-fa6b1217f6eb";
fsType = "btrfs";
options = [ "subvol=data" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s20f0u1u4.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

7
hosts/boron.cx.ts.hillion.co.uk/README.md
View File

@ -1,7 +0,0 @@
# boron.cx.ts.hillion.co.uk
Additional installation step for Clevis/Tang:
$ echo -n $DISK_ENCRYPTION_PASSWORD | clevis encrypt sss "$(cat /etc/nixos/hosts/boron.cx.ts.hillion.co.uk/clevis_config.json)" >/mnt/data/disk_encryption.jwe
$ sudo chown root:root /mnt/data/disk_encryption.jwe
$ sudo chmod 0400 /mnt/data/disk_encryption.jwe

13
hosts/boron.cx.ts.hillion.co.uk/clevis_config.json
View File

@ -1,13 +0,0 @@
{
"t": 1,
"pins": {
"tang": [
{
"url": "http://80.229.251.26:7654"
},
{
"url": "http://185.240.111.53:7654"
}
]
}
}

170
hosts/boron.cx.ts.hillion.co.uk/default.nix
View File

@ -1,170 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports = [
./hardware-configuration.nix
];
config = {
system.stateVersion = "23.11";
networking.hostName = "boron";
networking.domain = "cx.ts.hillion.co.uk";
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.kernelParams = [ "ip=dhcp" ];
boot.initrd = {
availableKernelModules = [ "igb" ];
network.enable = true;
clevis = {
enable = true;
useTang = true;
devices = {
"disk0-crypt".secretFile = "/data/disk_encryption.jwe";
"disk1-crypt".secretFile = "/data/disk_encryption.jwe";
};
};
};
custom.defaults = true;
## Kernel
### Explicitly use the latest kernel at time of writing because the LTS
### kernels available in NixOS do not seem to support this server's very
### modern hardware.
boot.kernelPackages = pkgs.linuxPackages_6_10;
### Apply patch to enable sched_ext which isn't yet available upstream.
boot.kernelPatches = [{
name = "sched_ext";
patch = pkgs.fetchpatch {
url = "https://github.com/sched-ext/scx-kernel-releases/releases/download/v6.10.3-scx1/linux-v6.10.3-scx1.patch.zst";
hash = "sha256-c4UlXsVOHGe0gvL69K9qTMWqCR8as25qwhfNVxCXUTs=";
decode = "${pkgs.zstd}/bin/unzstd";
excludes = [ "Makefile" ];
};
extraConfig = ''
BPF y
BPF_EVENTS y
BPF_JIT y
BPF_SYSCALL y
DEBUG_INFO_BTF y
FTRACE y
SCHED_CLASS_EXT y
'';
}];
## Enable btrfs compression
fileSystems."/data".options = [ "compress=zstd" ];
fileSystems."/nix".options = [ "compress=zstd" ];
## Impermanence
custom.impermanence = {
enable = true;
cache.enable = true;
};
boot.initrd.postDeviceCommands = lib.mkAfter ''
btrfs subvolume delete /cache/system
btrfs subvolume snapshot /cache/empty_snapshot /cache/system
'';
## Custom Services
custom = {
locations.autoServe = true;
www.global.enable = true;
services = {
gitea.actions = {
enable = true;
tokenSecret = ../../secrets/gitea/actions/boron.age;
};
};
};
services.nsd.interfaces = [
"138.201.252.214"
"2a01:4f8:173:23d2::2"
];
## Enable ZRAM to help with root on tmpfs
zramSwap = {
enable = true;
memoryPercent = 200;
algorithm = "zstd";
};
## Filesystems
services.btrfs.autoScrub = {
enable = true;
interval = "Tue, 02:00";
# By default both /data and /nix would be scrubbed. They are the same filesystem so this is wasteful.
fileSystems = [ "/data" ];
};
## General usability
### Make podman available for dev tools such as act
virtualisation = {
containers.enable = true;
podman = {
enable = true;
dockerCompat = true;
dockerSocket.enable = true;
};
};
users.users.jake.extraGroups = [ "podman" ];
## Networking
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = true;
"net.ipv6.conf.all.forwarding" = true;
};
networking = {
useDHCP = false;
interfaces = {
enp6s0 = {
name = "eth0";
useDHCP = true;
ipv6.addresses = [{
address = "2a01:4f8:173:23d2::2";
prefixLength = 64;
}];
};
};
defaultGateway6 = {
address = "fe80::1";
interface = "eth0";
};
};
networking.firewall = {
trustedInterfaces = [ "tailscale0" ];
allowedTCPPorts = lib.mkForce [ ];
allowedUDPPorts = lib.mkForce [ ];
interfaces = {
eth0 = {
allowedTCPPorts = lib.mkForce [
22 # SSH
3022 # SSH (Gitea) - redirected to 22
53 # DNS
80 # HTTP 1-2
443 # HTTPS 1-2
8080 # Unifi (inform)
];
allowedUDPPorts = lib.mkForce [
53 # DNS
443 # HTTP 3
3478 # Unifi STUN
];
};
};
};
## Tailscale
age.secrets."tailscale/boron.cx.ts.hillion.co.uk".file = ../../secrets/tailscale/boron.cx.ts.hillion.co.uk.age;
services.tailscale = {
enable = true;
authKeyFile = config.age.secrets."tailscale/boron.cx.ts.hillion.co.uk".path;
};
};
}

72
hosts/boron.cx.ts.hillion.co.uk/hardware-configuration.nix
View File

@ -1,72 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{
device = "tmpfs";
fsType = "tmpfs";
options = [ "mode=0755" "size=100%" ];
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/ED9C-4ABC";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
fileSystems."/data" =
{
device = "/dev/disk/by-uuid/9aebe351-156a-4aa0-9a97-f09b01ac23ad";
fsType = "btrfs";
options = [ "subvol=data" ];
};
fileSystems."/cache" =
{
device = "/dev/disk/by-uuid/9aebe351-156a-4aa0-9a97-f09b01ac23ad";
fsType = "btrfs";
options = [ "subvol=cache" ];
};
fileSystems."/nix" =
{
device = "/dev/disk/by-uuid/9aebe351-156a-4aa0-9a97-f09b01ac23ad";
fsType = "btrfs";
options = [ "subvol=nix" ];
};
boot.initrd.luks.devices."disk0-crypt" = {
device = "/dev/disk/by-uuid/a68ead16-1bdc-4d26-9e55-62c2be11ceee";
allowDiscards = true;
};
boot.initrd.luks.devices."disk1-crypt" = {
device = "/dev/disk/by-uuid/19bde205-bee4-430d-a4c1-52d635a23963";
allowDiscards = true;
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp6s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

1
hosts/boron.cx.ts.hillion.co.uk/system
View File

@ -1 +0,0 @@
x86_64-linux

27
hosts/gendry.jakehillion-terminals.ts.hillion.co.uk/default.nix
View File

@ -2,6 +2,8 @@
{
imports = [
../../modules/common/default.nix
../../modules/spotify/default.nix
./bluetooth.nix
./hardware-configuration.nix
];
@ -15,8 +17,6 @@
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
custom.defaults = true;
## Impermanence
custom.impermanence = {
enable = true;
@ -29,13 +29,6 @@
];
};
## Enable ZRAM swap to help with root on tmpfs
zramSwap = {
enable = true;
memoryPercent = 200;
algorithm = "zstd";
};
## Desktop
custom.users.jake.password = true;
custom.desktop.awesome.enable = true;
@ -68,9 +61,9 @@
## Tailscale
age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".file = ../../secrets/tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk.age;
services.tailscale = {
custom.tailscale = {
enable = true;
authKeyFile = config.age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".path;
preAuthKeyFile = config.age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".path;
};
security.sudo.wheelNeedsPassword = lib.mkForce true;
@ -83,13 +76,19 @@
boot.initrd.kernelModules = [ "amdgpu" ];
services.xserver.videoDrivers = [ "amdgpu" ];
## Spotify
home-manager.users.jake.services.spotifyd.settings = {
global = {
device_name = "Gendry";
device_type = "computer";
bitrate = 320;
};
};
users.users."${config.custom.user}" = {
packages = with pkgs; [
prismlauncher
];
};
## Networking
networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
};
}

5
hosts/gendry.jakehillion-terminals.ts.hillion.co.uk/hardware-configuration.nix
View File

@ -28,10 +28,7 @@
options = [ "subvol=nix" ];
};
boot.initrd.luks.devices."root" = {
device = "/dev/disk/by-uuid/af328e8d-d929-43f1-8d04-1c96b5147e5e";
allowDiscards = true;
};
boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/af328e8d-d929-43f1-8d04-1c96b5147e5e";
fileSystems."/data" =
{

79
hosts/jorah.cx.ts.hillion.co.uk/default.nix Normal file
View File

@ -0,0 +1,79 @@
{ config, pkgs, lib, ... }:
{
imports = [
../../modules/common/default.nix
./hardware-configuration.nix
];
config = {
system.stateVersion = "23.05";
networking.hostName = "jorah";
networking.domain = "cx.ts.hillion.co.uk";
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
## Impermanence
custom.impermanence.enable = true;
## Custom Services
custom = {
locations.autoServe = true;
services.version_tracker.enable = true;
www.global.enable = true;
};
## Filesystems
services.btrfs.autoScrub = {
enable = true;
interval = "Tue, 02:00";
# By default both /data and /nix would be scrubbed. They are the same filesystem so this is wasteful.
fileSystems = [ "/data" ];
};
## Networking
systemd.network = {
enable = true;
networks."enp5s0".extraConfig = ''
[Match]
Name = enp5s0
[Network]
Address = 2a01:4f9:4b:3953::2/64
Gateway = fe80::1
'';
};
networking.firewall = {
trustedInterfaces = [ "tailscale0" ];
allowedTCPPorts = lib.mkForce [
22 # SSH
3022 # Gitea SSH (accessed via public 22)
];
allowedUDPPorts = lib.mkForce [ ];
interfaces = {
enp5s0 = {
allowedTCPPorts = lib.mkForce [
80 # HTTP 1-2
443 # HTTPS 1-2
8080 # Unifi (inform)
];
allowedUDPPorts = lib.mkForce [
443 # HTTP 3
3478 # Unifi STUN
];
};
};
};
## Tailscale
age.secrets."tailscale/jorah.cx.ts.hillion.co.uk".file = ../../secrets/tailscale/jorah.cx.ts.hillion.co.uk.age;
custom.tailscale = {
enable = true;
preAuthKeyFile = config.age.secrets."tailscale/jorah.cx.ts.hillion.co.uk".path;
ipv4Addr = "100.96.143.138";
ipv6Addr = "fd7a:115c:a1e0:ab12:4843:cd96:6260:8f8a";
};
};
}

28
hosts/sodium.pop.ts.hillion.co.uk/hardware-configuration.nix → hosts/jorah.cx.ts.hillion.co.uk/hardware-configuration.nix
View File

@ -9,9 +9,9 @@
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "usbhid" "usb_storage" ];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
@ -21,32 +21,24 @@
options = [ "mode=0755" ];
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/417B-1063";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
fileSystems."/nix" =
{
device = "/dev/disk/by-uuid/48ae82bd-4d7f-4be6-a9c9-4fcc29d4aac0";
device = "/dev/disk/by-id/nvme-KXG60ZNV512G_TOSHIBA_106S10VHT9LM_1-part2";
fsType = "btrfs";
options = [ "subvol=nix" ];
};
fileSystems."/data" =
{
device = "/dev/disk/by-uuid/48ae82bd-4d7f-4be6-a9c9-4fcc29d4aac0";
device = "/dev/disk/by-id/nvme-KXG60ZNV512G_TOSHIBA_106S10VHT9LM_1-part2";
fsType = "btrfs";
options = [ "subvol=data" ];
};
fileSystems."/cache" =
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/48ae82bd-4d7f-4be6-a9c9-4fcc29d4aac0";
fsType = "btrfs";
options = [ "subvol=cache" ];
device = "/dev/disk/by-uuid/4D7E-8DE8";
fsType = "vfat";
};
swapDevices = [ ];
@ -56,8 +48,8 @@
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enu1u4.useDHCP = lib.mkDefault true;
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp5s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

0
hosts/be.lt.ts.hillion.co.uk/system → hosts/jorah.cx.ts.hillion.co.uk/system
View File

50
hosts/li.pop.ts.hillion.co.uk/default.nix
View File

@ -1,50 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports = [
./hardware-configuration.nix
../../modules/rpi/rpi4.nix
];
config = {
system.stateVersion = "23.11";
networking.hostName = "li";
networking.domain = "pop.ts.hillion.co.uk";
custom.defaults = true;
## Custom Services
custom.locations.autoServe = true;
# Networking
## Tailscale
age.secrets."tailscale/li.pop.ts.hillion.co.uk".file = ../../secrets/tailscale/li.pop.ts.hillion.co.uk.age;
services.tailscale = {
enable = true;
authKeyFile = config.age.secrets."tailscale/li.pop.ts.hillion.co.uk".path;
useRoutingFeatures = "server";
extraUpFlags = [ "--advertise-routes" "192.168.1.0/24" ];
};
## Enable ZRAM to make up for 2GB of RAM
zramSwap = {
enable = true;
memoryPercent = 200;
algorithm = "zstd";
};
## Run a persistent iperf3 server
services.iperf3.enable = true;
services.iperf3.openFirewall = true;
networking.firewall.interfaces = {
"end0" = {
allowedTCPPorts = [
7654 # Tang
];
};
};
};
}

18
hosts/microserver.home.ts.hillion.co.uk/default.nix
View File

@ -3,6 +3,7 @@
{
imports = [
./hardware-configuration.nix
../../modules/common/default.nix
../../modules/rpi/rpi4.nix
];
@ -12,23 +13,17 @@
networking.hostName = "microserver";
networking.domain = "home.ts.hillion.co.uk";
custom.defaults = true;
## Custom Services
custom.locations.autoServe = true;
# Networking
## Tailscale
age.secrets."tailscale/microserver.home.ts.hillion.co.uk".file = ../../secrets/tailscale/microserver.home.ts.hillion.co.uk.age;
services.tailscale = {
custom.tailscale = {
enable = true;
authKeyFile = config.age.secrets."tailscale/microserver.home.ts.hillion.co.uk".path;
useRoutingFeatures = "server";
extraUpFlags = [
"--advertise-routes"
"10.64.50.0/24,10.239.19.0/24"
"--advertise-exit-node"
];
preAuthKeyFile = config.age.secrets."tailscale/microserver.home.ts.hillion.co.uk".path;
advertiseRoutes = [ "10.64.50.0/24" "10.239.19.0/24" ];
advertiseExitNode = true;
};
## Enable IoT VLAN
@ -52,15 +47,12 @@
services.iperf3.enable = true;
services.iperf3.openFirewall = true;
networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
networking.firewall.interfaces = {
"eth0" = {
allowedUDPPorts = [
5353 # HomeKit
];
allowedTCPPorts = [
1400 # HA Sonos
7654 # Tang
21063 # HomeKit
];
};

42
hosts/microserver.parents.ts.hillion.co.uk/default.nix Normal file
View File

@ -0,0 +1,42 @@
{ config, pkgs, lib, ... }:
{
imports = [
./hardware-configuration.nix
../../modules/common/default.nix
../../modules/rpi/rpi4.nix
];
config = {
system.stateVersion = "22.05";
networking.hostName = "microserver";
networking.domain = "parents.ts.hillion.co.uk";
# Networking
## Tailscale
age.secrets."tailscale/microserver.parents.ts.hillion.co.uk".file = ../../secrets/tailscale/microserver.parents.ts.hillion.co.uk.age;
custom.tailscale = {
enable = true;
preAuthKeyFile = config.age.secrets."tailscale/microserver.parents.ts.hillion.co.uk".path;
advertiseRoutes = [ "192.168.1.0/24" ];
};
## Enable IP forwarding for Tailscale
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = true;
};
## Enable ZRAM to make up for 2GB of RAM
zramSwap = {
enable = true;
memoryPercent = 200;
algorithm = "zstd";
};
## Run a persistent iperf3 server
services.iperf3.enable = true;
services.iperf3.openFirewall = true;
};
}

0
hosts/li.pop.ts.hillion.co.uk/hardware-configuration.nix → hosts/microserver.parents.ts.hillion.co.uk/hardware-configuration.nix
View File

0
hosts/li.pop.ts.hillion.co.uk/system → hosts/microserver.parents.ts.hillion.co.uk/system
View File

166
hosts/router.home.ts.hillion.co.uk/default.nix
View File

@ -2,6 +2,7 @@
{
imports = [
../../modules/common/default.nix
./hardware-configuration.nix
];
@ -18,8 +19,6 @@
"net.ipv4.conf.all.forwarding" = true;
};
custom.defaults = true;
## Interactive password
custom.users.jake.password = true;
@ -32,14 +31,6 @@
nat.enable = lib.mkForce false;
useDHCP = false;
vlans = {
cameras = {
id = 3;
interface = "eth2";
};
};
interfaces = {
enp1s0 = {
name = "eth0";
@ -64,14 +55,6 @@
}
];
};
cameras /* cameras@eth2 */ = {
ipv4.addresses = [
{
address = "10.133.145.1";
prefixLength = 24;
}
];
};
enp4s0 = { name = "eth3"; };
enp5s0 = { name = "eth4"; };
enp6s0 = { name = "eth5"; };
@ -98,8 +81,8 @@
ip protocol icmp counter accept comment "accept all ICMP types"
iifname { "eth0", "cameras" } ct state { established, related } counter accept
iifname { "eth0", "cameras" } drop
iifname "eth0" ct state { established, related } counter accept
iifname "eth0" drop
}
chain forward {
@ -122,8 +105,14 @@
ip daddr 10.64.50.20 tcp dport 32400 counter accept comment "Plex"
ip daddr 10.64.50.20 tcp dport 8444 counter accept comment "Chia"
ip daddr 10.64.50.21 tcp dport 7654 counter accept comment "Tang"
ip daddr 10.64.50.20 tcp dport 28967 counter accept comment "zfs.tywin.storj"
ip daddr 10.64.50.20 udp dport 28967 counter accept comment "zfs.tywin.storj"
ip daddr 10.64.50.20 tcp dport 28968 counter accept comment "d0.tywin.storj"
ip daddr 10.64.50.20 udp dport 28968 counter accept comment "d0.tywin.storj"
ip daddr 10.64.50.20 tcp dport 28969 counter accept comment "d1.tywin.storj"
ip daddr 10.64.50.20 udp dport 28969 counter accept comment "d1.tywin.storj"
ip daddr 10.64.50.20 tcp dport 28970 counter accept comment "d2.tywin.storj"
ip daddr 10.64.50.20 udp dport 28970 counter accept comment "d2.tywin.storj"
}
}
@ -134,8 +123,14 @@
iifname eth0 tcp dport 32400 counter dnat to 10.64.50.20
iifname eth0 tcp dport 8444 counter dnat to 10.64.50.20
iifname eth0 tcp dport 7654 counter dnat to 10.64.50.21
iifname eth0 tcp dport 28967 counter dnat to 10.64.50.20
iifname eth0 udp dport 28967 counter dnat to 10.64.50.20
iifname eth0 tcp dport 28968 counter dnat to 10.64.50.20
iifname eth0 udp dport 28968 counter dnat to 10.64.50.20
iifname eth0 tcp dport 28969 counter dnat to 10.64.50.20
iifname eth0 udp dport 28969 counter dnat to 10.64.50.20
iifname eth0 tcp dport 28970 counter dnat to 10.64.50.20
iifname eth0 udp dport 28970 counter dnat to 10.64.50.20
}
chain postrouting {
@ -154,42 +149,12 @@
settings = {
interfaces-config = {
interfaces = [ "eth1" "eth2" "cameras" ];
interfaces = [ "eth1" "eth2" ];
};
lease-database = {
type = "memfile";
persist = true;
name = "/var/lib/kea/dhcp4.leases";
persist = false;
};
option-def = [
{
name = "cookie";
space = "vendor-encapsulated-options-space";
code = 1;
type = "string";
array = false;
}
];
client-classes = [
{
name = "APC";
test = "option[vendor-class-identifier].text == 'APC'";
option-data = [
{
always-send = true;
name = "vendor-encapsulated-options";
}
{
name = "cookie";
space = "vendor-encapsulated-options-space";
code = 1;
data = "1APC";
}
];
}
];
subnet4 = [
{
subnet = "10.64.50.0/24";
@ -208,20 +173,22 @@
}
{
name = "domain-name-servers";
data = "10.64.50.1, 1.1.1.1, 8.8.8.8";
data = "1.1.1.1, 8.8.8.8";
}
];
reservations = lib.lists.imap0
(i: el: {
ip-address = "10.64.50.${toString (20 + i)}";
inherit (el) hw-address hostname;
}) [
{ hostname = "tywin"; hw-address = "c8:7f:54:6d:e1:03"; }
{ hostname = "microserver"; hw-address = "e4:5f:01:b4:58:95"; }
{ hostname = "theon"; hw-address = "00:1e:06:49:06:1e"; }
{ hostname = "server-switch"; hw-address = "84:d8:1b:9d:0d:85"; }
{ hostname = "apc-ap7921"; hw-address = "00:c0:b7:6b:f4:34"; }
{ hostname = "sodium"; hw-address = "d8:3a:dd:c3:d6:2b"; }
reservations = [
{
# tywin.storage.ts.hillion.co.uk
hw-address = "c8:7f:54:6d:e1:03";
ip-address = "10.64.50.20";
hostname = "tywin";
}
{
# syncbox
hw-address = "00:1e:06:49:06:1e";
ip-address = "10.64.50.22";
hostname = "syncbox";
}
];
}
{
@ -241,7 +208,7 @@
}
{
name = "domain-name-servers";
data = "10.239.19.1, 1.1.1.1, 8.8.8.8";
data = "1.1.1.1, 8.8.8.8";
}
];
reservations = [
@ -259,70 +226,19 @@
}
];
}
{
subnet = "10.133.145.0/24";
interface = "cameras";
pools = [{
pool = "10.133.145.64 - 10.133.145.254";
}];
option-data = [
{
name = "routers";
data = "10.133.145.1";
}
{
name = "broadcast-address";
data = "10.133.145.255";
}
{
name = "domain-name-servers";
data = "1.1.1.1, 8.8.8.8";
}
];
reservations = [
];
}
];
};
};
};
unbound = {
enable = true;
settings = {
server = {
interface = [
"127.0.0.1"
"10.64.50.1"
"10.239.19.1"
];
access-control = [
"10.64.50.0/24 allow"
"10.239.19.0/24 allow"
];
};
forward-zone = [
{
name = ".";
forward-tls-upstream = "yes";
forward-addr = [
"1.1.1.1#cloudflare-dns.com"
"1.0.0.1#cloudflare-dns.com"
"8.8.8.8#dns.google"
"8.8.4.4#dns.google"
];
}
];
};
};
};
## Tailscale
age.secrets."tailscale/router.home.ts.hillion.co.uk".file = ../../secrets/tailscale/router.home.ts.hillion.co.uk.age;
services.tailscale = {
custom.tailscale = {
enable = true;
authKeyFile = config.age.secrets."tailscale/router.home.ts.hillion.co.uk".path;
preAuthKeyFile = config.age.secrets."tailscale/router.home.ts.hillion.co.uk".path;
ipv4Addr = "100.105.71.48";
ipv6Addr = "fd7a:115c:a1e0:ab12:4843:cd96:6269:4730";
};
## Enable btrfs compression
@ -347,7 +263,7 @@
services.caddy = {
enable = true;
virtualHosts."http://graphs.router.home.ts.hillion.co.uk" = {
listenAddresses = [ config.custom.dns.tailscale.ipv4 config.custom.dns.tailscale.ipv6 ];
listenAddresses = [ config.custom.tailscale.ipv4Addr config.custom.tailscale.ipv6Addr ];
extraConfig = "reverse_proxy unix///run/netdata/netdata.sock";
};
};

87
hosts/sodium.pop.ts.hillion.co.uk/default.nix
View File

@ -1,87 +0,0 @@
{ config, pkgs, lib, nixos-hardware, ... }:
{
imports = [
"${nixos-hardware}/raspberry-pi/5/default.nix"
./hardware-configuration.nix
];
config = {
system.stateVersion = "24.05";
networking.hostName = "sodium";
networking.domain = "pop.ts.hillion.co.uk";
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
custom.defaults = true;
## Enable btrfs compression
fileSystems."/data".options = [ "compress=zstd" ];
fileSystems."/nix".options = [ "compress=zstd" ];
## Impermanence
custom.impermanence = {
enable = true;
cache.enable = true;
};
boot.initrd.postDeviceCommands = lib.mkAfter ''
btrfs subvolume delete /cache/tmp
btrfs subvolume snapshot /cache/empty_snapshot /cache/tmp
chmod 1777 /cache/tmp
'';
## CA server
custom.ca.service.enable = true;
### nix only supports build-dir from 2.22. bind mount /tmp to something persistent instead.
fileSystems."/tmp" = {
device = "/cache/tmp";
options = [ "bind" ];
};
# nix = {
# settings = {
# build-dir = "/cache/tmp/";
# };
# };
## Custom Services
custom.locations.autoServe = true;
# Networking
networking = {
useDHCP = false;
interfaces = {
end0 = {
name = "eth0";
useDHCP = true;
};
};
};
networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
networking.firewall = {
trustedInterfaces = [ "tailscale0" ];
allowedTCPPorts = lib.mkForce [
];
allowedUDPPorts = lib.mkForce [ ];
interfaces = {
eth0 = {
allowedTCPPorts = lib.mkForce [
7654 # Tang
];
allowedUDPPorts = lib.mkForce [
];
};
};
};
## Tailscale
age.secrets."tailscale/sodium.pop.ts.hillion.co.uk".file = ../../secrets/tailscale/sodium.pop.ts.hillion.co.uk.age;
services.tailscale = {
enable = true;
authKeyFile = config.age.secrets."tailscale/sodium.pop.ts.hillion.co.uk".path;
};
};
}

1
hosts/sodium.pop.ts.hillion.co.uk/system
View File

@ -1 +0,0 @@
aarch64-linux

11
hosts/theon.storage.ts.hillion.co.uk/default.nix
View File

@ -2,6 +2,7 @@
{
imports = [
../../modules/common/default.nix
./hardware-configuration.nix
];
@ -14,18 +15,14 @@
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
custom.defaults = true;
## Custom Services
custom = {
locations.autoServe = true;
};
## Networking
networking.useNetworkd = true;
systemd.network.enable = true;
networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
networking.firewall = {
trustedInterfaces = [ "tailscale0" ];
allowedTCPPorts = lib.mkForce [
@ -42,9 +39,11 @@
## Tailscale
age.secrets."tailscale/theon.storage.ts.hillion.co.uk".file = ../../secrets/tailscale/theon.storage.ts.hillion.co.uk.age;
services.tailscale = {
custom.tailscale = {
enable = true;
authKeyFile = config.age.secrets."tailscale/theon.storage.ts.hillion.co.uk".path;
preAuthKeyFile = config.age.secrets."tailscale/theon.storage.ts.hillion.co.uk".path;
ipv4Addr = "100.104.142.22";
ipv6Addr = "fd7a:115c:a1e0::4aa8:8e16";
};
## Packages

7
hosts/tywin.storage.ts.hillion.co.uk/README.md
View File

@ -1,7 +0,0 @@
# tywin.storage.ts.hillion.co.uk
Additional installation step for Clevis/Tang:
$ echo -n $DISK_ENCRYPTION_PASSWORD | clevis encrypt sss "$(cat /etc/nixos/hosts/tywin.storage.ts.hillion.co.uk/clevis_config.json)" >/mnt/disk_encryption.jwe
$ sudo chown root:root /mnt/disk_encryption.jwe
$ sudo chmod 0400 /mnt/disk_encryption.jwe

14
hosts/tywin.storage.ts.hillion.co.uk/clevis_config.json
View File

@ -1,14 +0,0 @@
{
"t": 1,
"pins": {
"tang": [
{
"url": "http://10.64.50.21:7654"
},
{
"url": "http://10.64.50.25:7654"
}
]
}
}

50
hosts/tywin.storage.ts.hillion.co.uk/default.nix
View File

@ -2,6 +2,7 @@
{
imports = [
../../modules/common/default.nix
./hardware-configuration.nix
];
@ -15,35 +16,15 @@
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.kernelParams = [
"ip=dhcp"
"zfs.zfs_arc_max=25769803776"
];
boot.initrd = {
availableKernelModules = [ "r8169" ];
network.enable = true;
clevis = {
enable = true;
useTang = true;
devices."root".secretFile = "/disk_encryption.jwe";
};
};
custom.locations.autoServe = true;
custom.defaults = true;
# zram swap: used in the hope it will give the ZFS ARC more room to back off
zramSwap = {
enable = true;
memoryPercent = 200;
algorithm = "zstd";
};
## Tailscale
age.secrets."tailscale/tywin.storage.ts.hillion.co.uk".file = ../../secrets/tailscale/tywin.storage.ts.hillion.co.uk.age;
services.tailscale = {
custom.tailscale = {
enable = true;
authKeyFile = config.age.secrets."tailscale/tywin.storage.ts.hillion.co.uk".path;
preAuthKeyFile = config.age.secrets."tailscale/tywin.storage.ts.hillion.co.uk".path;
ipv4Addr = "100.115.31.91";
ipv6Addr = "fd7a:115c:a1e0:ab12:4843:cd96:6273:1f5b";
};
## Filesystems
@ -54,17 +35,11 @@
forceImportRoot = false;
extraPools = [ "data" ];
};
boot.kernelParams = [ "zfs.zfs_arc_max=25769803776" ];
services.btrfs.autoScrub = {
enable = true;
interval = "Tue, 02:00";
# All filesystems includes the BTRFS parts of all the hard drives. This
# would take forever and is redundant as they get fully read regularly.
fileSystems = [ "/" ];
};
services.zfs.autoScrub = {
enable = true;
interval = "Wed, 02:00";
interval = "Tue, 02:00";
};
## Backups
@ -155,7 +130,7 @@
services.caddy = {
enable = true;
virtualHosts."http://restic.tywin.storage.ts.hillion.co.uk".extraConfig = ''
bind ${config.custom.dns.tailscale.ipv4} ${config.custom.dns.tailscale.ipv6}
bind ${config.custom.tailscale.ipv4Addr} ${config.custom.tailscale.ipv6Addr}
reverse_proxy http://localhost:8000
'';
};
@ -218,7 +193,7 @@
enable = true;
openFirewall = true;
keyFile = config.age.secrets."chia/farmer.key".path;
plotDirectories = builtins.genList (i: "/mnt/d${toString i}/plots/contract-k32") 8;
plotDirectories = builtins.genList (i: "/mnt/d${toString i}/plots/contract-k32") 7;
};
## Downloads
@ -236,10 +211,13 @@
openFirewall = true;
};
## Networking
networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
## Firewall
networking.firewall.interfaces."tailscale0".allowedTCPPorts = [
80 # Caddy (restic.tywin.storage.ts.)
14002 # Storj Dashboard (d0.)
14003 # Storj Dashboard (d1.)
14004 # Storj Dashboard (d2.)
14005 # Storj Dashboard (d3.)
];
};
}

17
hosts/tywin.storage.ts.hillion.co.uk/hardware-configuration.nix
View File

@ -20,11 +20,6 @@
fsType = "btrfs";
};
boot.initrd.luks.devices."root" = {
device = "/dev/disk/by-uuid/32837730-5e15-4917-9939-cbb58bb0aabf";
allowDiscards = true;
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/BC57-0AF6";
@ -67,18 +62,6 @@
fsType = "btrfs";
};
fileSystems."/mnt/d6" =
{
device = "/dev/disk/by-uuid/b461e07d-39ab-46b4-b1d1-14c2e0791915";
fsType = "btrfs";
};
fileSystems."/mnt/d7" =
{
device = "/dev/disk/by-uuid/eb8d32d0-e506-449b-8dbc-585ba05c4252";
fsType = "btrfs";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking

11
modules/ca/README.md
View File

@ -1,11 +0,0 @@
# ca
Getting the certificates in the right place is a manual process (for now, at least). This is to keep the most control over the root certificate's key and allow manual cycling. The manual commands should be run on a trusted machine.
Creating a 10 year root certificate:
nix run nixpkgs#step-cli -- certificate create 'Hillion ACME' cert.pem key.pem --kty=EC --curve=P-521 --profile=root-ca --not-after=87600h
Creating the intermediate key:
nix run nixpkgs#step-cli -- certificate create 'Hillion ACME (sodium.pop.ts.hillion.co.uk)' intermediate_cert.pem intermediate_key.pem --kty=EC --curve=P-521 --profile=intermediate-ca --not-after=8760h --ca=$NIXOS_ROOT/modules/ca/cert.pem --ca-key=DOWNLOADED_KEY.pem

13
modules/ca/cert.pem
View File

@ -1,13 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIB+TCCAVqgAwIBAgIQIZdaIUsuJdjnu7DQP1N8oTAKBggqhkjOPQQDBDAXMRUw
EwYDVQQDEwxIaWxsaW9uIEFDTUUwHhcNMjQwODAxMjIyMjEwWhcNMzQwNzMwMjIy
MjEwWjAXMRUwEwYDVQQDEwxIaWxsaW9uIEFDTUUwgZswEAYHKoZIzj0CAQYFK4EE
ACMDgYYABAAJI3z1PrV97EFc1xaENcr6ML1z6xdXTy+ReHtf42nWsw+c3WDKzJ45
+xHJ/p2BTOR5+NQ7RGQQ68zmFJnEYTYDogAw6U9YzxxDGlG1HlgnZ9PPmXoF+PFl
Zy2WZCiDPx5KDJcjTPzLV3ITt4fl3PMA12BREVeonvrvRLcpVrMfS2b7wKNFMEMw
DgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFFBT
fMT0uUbS+lVUbGKK8/SZHPISMAoGCCqGSM49BAMEA4GMADCBiAJCAPNIwrQztPrN
MaHB3J0lNVODIGwQWblt99vnjqIWOKJhgckBxaElyInsyt8dlnmTCpOCJdY4BA+K
Nr87AfwIWdAaAkIBV5i4zXPXVKblGKnmM0FomFSbq2cYE3pmi5BO1StakH1kEHlf
vbkdwFgkw2MlARp0Ka3zbWivBG9zjPoZtsL/8tk=
-----END CERTIFICATE-----

14
modules/ca/consumer.nix
View File

@ -1,14 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.custom.ca.consumer;
in
{
options.custom.ca.consumer = {
enable = lib.mkEnableOption "ca.service";
};
config = lib.mkIf cfg.enable {
security.pki.certificates = [ (builtins.readFile ./cert.pem) ];
};
}

8
modules/ca/default.nix
View File

@ -1,8 +0,0 @@
{ ... }:
{
imports = [
./consumer.nix
./service.nix
];
}

45
modules/ca/service.nix
View File

@ -1,45 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.custom.ca.service;
in
{
options.custom.ca.service = {
enable = lib.mkEnableOption "ca.service";
};
config = lib.mkIf cfg.enable {
services.step-ca = {
enable = true;
address = config.custom.dns.tailscale.ipv4;
port = 8443;
intermediatePasswordFile = "/data/system/ca/intermediate.psk";
settings = {
root = ./cert.pem;
crt = "/data/system/ca/intermediate.crt";
key = "/data/system/ca/intermediate.pem";
dnsNames = [ "ca.ts.hillion.co.uk" ];
logger = { format = "text"; };
db = {
type = "badgerv2";
dataSource = "/var/lib/step-ca/db";
};
authority = {
provisioners = [
{
type = "ACME";
name = "acme";
}
];
};
};
};
};
}

2
modules/chia.nix
View File

@ -46,7 +46,7 @@ in
};
virtualisation.oci-containers.containers.chia = {
image = "ghcr.io/chia-network/chia:2.4.1";
image = "ghcr.io/chia-network/chia:2.1.4";
ports = [ "8444" ];
extraOptions = [
"--uidmap=0:${toString config.users.users.chia.uid}:1"

60
modules/common/default.nix Normal file
View File

@ -0,0 +1,60 @@
{ pkgs, lib, config, agenix, ... }:
{
imports = [
../home/default.nix
./shell.nix
./ssh.nix
./update_scripts.nix
];
nix = {
settings.experimental-features = [ "nix-command" "flakes" ];
settings = {
auto-optimise-store = true;
};
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 90d";
};
};
nixpkgs.config.allowUnfree = true;
time.timeZone = "Europe/London";
i18n.defaultLocale = "en_GB.UTF-8";
users = {
mutableUsers = false;
users."jake" = {
isNormalUser = true;
extraGroups = [ "wheel" ]; # enable sudo
};
};
security.sudo.wheelNeedsPassword = false;
environment = {
systemPackages = with pkgs; [
agenix.packages."${system}".default
gh
git
htop
nix
sapling
vim
];
variables.EDITOR = "vim";
shellAliases = {
ls = "ls -p --color=auto";
};
};
networking = rec {
nameservers = [ "1.1.1.1" "8.8.8.8" ];
networkmanager.dns = "none";
};
networking.firewall.enable = true;
custom.hostinfo.enable = true;
}

0
modules/ssh/github_known_hosts → modules/common/github_known_hosts
View File

0
modules/hostinfo.nix → modules/common/hostinfo.nix
View File

15
modules/shell/default.nix → modules/common/shell.nix
View File

@ -1,20 +1,7 @@
{ pkgs, lib, config, ... }:
let
cfg = config.custom.shell;
in
{
imports = [
./update_scripts.nix
];
options.custom.shell = {
enable = lib.mkEnableOption "shell";
};
config = lib.mkIf cfg.enable {
custom.shell.update_scripts.enable = true;
config = {
users.defaultUserShell = pkgs.zsh;
environment.systemPackages = with pkgs; [ direnv ];

38
modules/common/ssh.nix Normal file
View File

@ -0,0 +1,38 @@
{ pkgs, lib, config, ... }:
{
users.users."jake".openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOt74U+rL+BMtAEjfu/Optg1D7Ly7U+TupRxd5u9kfN7oJnW4dJA25WRSr4dgQNq7MiMveoduBY/ky2s0c9gvIA= jake@jake-gentoo"
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC0uKIvvvkzrOcS7AcamsQRFId+bqPwUC9IiUIsiH5oWX1ReiITOuEo+TL9YMII5RyyfJFeu2ZP9moNuZYlE7Bs= jake@jake-mbp"
"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAyFsYYjLZ/wyw8XUbcmkk6OKt2IqLOnWpRE5gEvm3X0V4IeTOL9F4IL79h7FTsPvi2t9zGBL1hxeTMZHSGfrdWaMJkQp94gA1W30MKXvJ47nEVt0HUIOufGqgTTaAn4BHxlFUBUuS7UxaA4igFpFVoPJed7ZMhMqxg+RWUmBAkcgTWDMgzUx44TiNpzkYlG8cYuqcIzpV2dhGn79qsfUzBMpGJgkxjkGdDEHRk66JXgD/EtVasZvqp5/KLNnOpisKjR88UJKJ6/buV7FLVra4/0hA9JtH9e1ecCfxMPbOeluaxlieEuSXV2oJMbQoPP87+/QriNdi/6QuCHkMDEhyGw== jake@jake-mbp"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw4lgH20nfuchDqvVf0YciqN0GnBw5hfh8KIun5z0P7wlNgVYnCyvPvdIlGf2Nt1z5EGfsMzMLhKDOZkcTMlhupd+j2Er/ZB764uVBGe1n3CoPeasmbIlnamZ12EusYDvQGm2hVJTGQPPp9nKaRxr6ljvTMTNl0KWlWvKP4kec74d28MGgULOPLT3HlAyvUymSULK4lSxFK0l97IVXLa8YwuL5TNFGHUmjoSsi/Q7/CKaqvNh+ib1BYHzHYsuEzaaApnCnfjDBNexHm/AfbI7s+g3XZDcZOORZn6r44dOBNFfwvppsWj3CszwJQYIFeJFuMRtzlC8+kyYxci0+FXHn jake@jake-gentoo"
];
programs.mosh.enable = true;
services.openssh = {
enable = true;
openFirewall = true;
settings = {
PermitRootLogin = "no";
PasswordAuthentication = false;
};
};
programs.ssh.knownHosts = {
# Global Internet hosts
"ssh.gitea.hillion.co.uk".publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCxQpywsy+WGeaEkEL67xOBL1NIE++pcojxro5xAPO6VQe2N79388NRFMLlX6HtnebkIpVrvnqdLOs0BPMAokjaWCC4Ay7T/3ko1kXSOlqHY5Ye9jtjRK+wPHMZgzf74a3jlvxjrXJMA70rPQ3X+8UGpA04eB3JyyLTLuVvc6znMe53QiZ0x+hSz+4pYshnCO2UazJ148vV3htN6wRK+uqjNdjjQXkNJ7llNBSrvmfrLidlf0LRphEk43maSQCBcLEZgf4pxXBA7rFuZABZTz1twbnxP2ziyBaSOs7rcII+jVhF2cqJlElutBfIgRNJ3DjNiTcdhNaZzkwJ59huR0LUFQlHI+SALvPzE9ZXWVOX/SqQG+oIB8VebR52icii0aJH7jatkogwNk0121xmhpvvR7gwbJ9YjYRTpKs4lew3bq/W/OM8GF/FEuCsCuNIXRXKqIjJVAtIpuuhxPymFHeqJH3wK3f6jTJfcAz/z33Rwpow2VOdDyqrRfAW8ti73CCnRlN+VJi0V/zvYGs9CHldY3YvMr7rSd0+fdGyJHSTSRBF0vcyRVA/SqSfcIo/5o0ssYoBnQCg6gOkc3nNQ0C0/qh1ww17rw4hqBRxFJ2t3aBUMK+UHPxrELLVmG6ZUmfg9uVkOoafjRsoML6DVDB4JAk5JsmcZhybOarI9PJfEQ==";
# Tailscale hosts
"dancefloor.dancefloor.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXkGueVYKr2wp/VHo2QLis0kmKtc/Upg3pGoHr6RkzY";
"gendry.jakehillion.terminals.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPXM5aDvNv4MTITXAvJWSS2yvr/mbxJE31tgwJtcl38c";
"homeassistant.homeassistant.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM2ytacl/zYXhgvosvhudsl0zW5eQRHXm9aMqG9adux";
"microserver.home.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPOCPqXm5a+vGB6PsJFvjKNgjLhM5MxrwCy6iHGRjXw";
"microserver.parents.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0cjjNQPnJwpu4wcYmvfjB1jlIfZwMxT+3nBusoYQFr";
"router.home.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlCj/i2xprN6h0Ik2tthOJQy6Qwq3Ony73+yfbHYTFu";
"tywin.storage.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGATsjWO0qZNFp2BhfgDuWi+e/ScMkFxp79N2OZoed1k";
};
programs.ssh.knownHostsFiles = [ ./github_known_hosts ];
}

8
modules/shell/update_scripts.nix → modules/common/update_scripts.nix
View File

@ -1,8 +1,6 @@
{ config, pkgs, lib, ... }:
let
cfg = config.custom.shell.update_scripts;
update = pkgs.writeScriptBin "update" ''
#! ${pkgs.runtimeShell}
set -e
@ -52,11 +50,7 @@ let
'';
in
{
options.custom.shell.update_scripts = {
enable = lib.mkEnableOption "update_scripts";
};
config = lib.mkIf cfg.enable {
config = {
environment.systemPackages = [
update
];

10
modules/default.nix
View File

@ -3,22 +3,18 @@
{
imports = [
./backups/default.nix
./ca/default.nix
./chia.nix
./defaults.nix
./common/hostinfo.nix
./desktop/awesome/default.nix
./dns.nix
./home/default.nix
./hostinfo.nix
./ids.nix
./impermanence.nix
./locations.nix
./resilio.nix
./services/default.nix
./shell/default.nix
./ssh/default.nix
./storj.nix
./tailscale.nix
./users.nix
./vms.nix
./www/global.nix
./www/www-repo.nix
];

64
modules/defaults.nix
View File

@ -1,64 +0,0 @@
{ pkgs, lib, config, agenix, ... }:
{
options.custom.defaults = lib.mkEnableOption "defaults";
config = lib.mkIf config.custom.defaults {
nix = {
settings.experimental-features = [ "nix-command" "flakes" ];
settings = {
auto-optimise-store = true;
};
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 90d";
};
};
nixpkgs.config.allowUnfree = true;
time.timeZone = "Europe/London";
i18n.defaultLocale = "en_GB.UTF-8";
users = {
mutableUsers = false;
users.${config.custom.user} = {
isNormalUser = true;
extraGroups = [ "wheel" ]; # enable sudo
uid = config.ids.uids.${config.custom.user};
};
};
security.sudo.wheelNeedsPassword = false;
environment = {
systemPackages = with pkgs; [
agenix.packages."${system}".default
gh
git
htop
nix
sapling
vim
];
variables.EDITOR = "vim";
shellAliases = {
ls = "ls -p --color=auto";
};
};
networking = rec {
nameservers = [ "1.1.1.1" "8.8.8.8" ];
networkmanager.dns = "none";
};
networking.firewall.enable = true;
# Delegation
custom.ca.consumer.enable = true;
custom.dns.enable = true;
custom.home.defaults = true;
custom.hostinfo.enable = true;
custom.shell.enable = true;
custom.ssh.enable = true;
};
}

112
modules/dns.nix
View File

@ -1,112 +0,0 @@
{ pkgs, lib, config, ... }:
let
cfg = config.custom.dns;
in
{
options.custom.dns = {
enable = lib.mkEnableOption "dns";
authoritative = {
ipv4 = lib.mkOption {
description = "authoritative ipv4 mappings";
readOnly = true;
};
ipv6 = lib.mkOption {
description = "authoritative ipv6 mappings";
readOnly = true;
};
};
tailscale =
{
ipv4 = lib.mkOption {
description = "tailscale ipv4 address";
readOnly = true;
};
ipv6 = lib.mkOption {
description = "tailscale ipv6 address";
readOnly = true;
};
};
};
config = lib.mkIf cfg.enable {
custom.dns.authoritative = {
ipv4 = {
uk = {
co = {
hillion = {
ts = {
cx = {
boron = "100.113.188.46";
};
home = {
microserver = "100.105.131.47";
router = "100.105.71.48";
};
jakehillion-terminals = { gendry = "100.70.100.77"; };
lt = { be = "100.105.166.79"; };
pop = {
li = "100.106.87.35";
sodium = "100.87.188.4";
};
storage = {
theon = "100.104.142.22";
tywin = "100.115.31.91";
};
};
};
};
};
};
ipv6 = {
uk = {
co = {
hillion = {
ts = {
cx = {
boron = "fd7a:115c:a1e0::2a01:bc2f";
};
home = {
microserver = "fd7a:115c:a1e0:ab12:4843:cd96:6269:832f";
router = "fd7a:115c:a1e0:ab12:4843:cd96:6269:4730";
};
jakehillion-terminals = { gendry = "fd7a:115c:a1e0:ab12:4843:cd96:6246:644d"; };
lt = { be = "fd7a:115c:a1e0::9001:a64f"; };
pop = {
li = "fd7a:115c:a1e0::e701:5723";
sodium = "fd7a:115c:a1e0::3701:bc04";
};
storage = {
theon = "fd7a:115c:a1e0::4aa8:8e16";
tywin = "fd7a:115c:a1e0:ab12:4843:cd96:6273:1f5b";
};
};
};
};
};
};
};
custom.dns.tailscale =
let
lookupFqdn = lib.attrsets.attrByPath (lib.reverseList (lib.splitString "." config.networking.fqdn)) null;
in
{
ipv4 = lookupFqdn cfg.authoritative.ipv4;
ipv6 = lookupFqdn cfg.authoritative.ipv6;
};
networking.hosts =
let
mkHosts = hosts:
(lib.collect (x: (builtins.hasAttr "name" x && builtins.hasAttr "value" x))
(lib.mapAttrsRecursive
(path: value:
lib.nameValuePair value [ (lib.concatStringsSep "." (lib.reverseList path)) ])
hosts));
in
builtins.listToAttrs (mkHosts cfg.authoritative.ipv4 ++ mkHosts cfg.authoritative.ipv6);
};
}

8
modules/home/default.nix
View File

@ -6,9 +6,7 @@
./tmux/default.nix
];
options.custom.home.defaults = lib.mkEnableOption "home";
config = lib.mkIf config.custom.home.defaults {
config = {
home-manager = {
users.root.home = {
stateVersion = "22.11";
@ -24,9 +22,5 @@
file.".zshrc".text = "";
};
};
# Delegation
custom.home.git.enable = true;
custom.home.tmux.enable = true;
};
}

11
modules/home/git.nix
View File

@ -1,15 +1,7 @@
{ pkgs, lib, config, ... }:
let
cfg = config.custom.home.git;
in
{
options.custom.home.git = {
enable = lib.mkEnableOption "git";
};
config = lib.mkIf cfg.enable {
home-manager.users.jake.programs.git = lib.mkIf (config.custom.user == "jake") {
home-manager.users.jake.programs.git = {
enable = true;
extraConfig = {
user = {
@ -27,5 +19,4 @@ in
};
};
};
};
}

8
modules/home/tmux/.tmux.conf
View File

@ -8,11 +8,3 @@ bind -n C-k clear-history
bind '"' split-window -c "#{pane_current_path}"
bind % split-window -h -c "#{pane_current_path}"
bind c new-window -c "#{pane_current_path}"
# Start indices at 1 to match keyboard
set -g base-index 1
setw -g pane-base-index 1
# Open a new session when attached to and one isn't open
# Must come after base-index settings
new-session

9
modules/home/tmux/default.nix
View File

@ -1,17 +1,8 @@
{ pkgs, lib, config, ... }:
let
cfg = config.custom.home.tmux;
in
{
options.custom.home.tmux = {
enable = lib.mkEnableOption "tmux";
};
config = lib.mkIf cfg.enable {
home-manager.users.jake.programs.tmux = {
enable = true;
extraConfig = lib.readFile ./.tmux.conf;
};
};
}

2
modules/ids.nix
View File

@ -6,7 +6,6 @@
## Defined System Users (see https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/ids.nix)
unifi = 183;
chia = 185;
gitea = 186;
## Consistent People
jake = 1000;
@ -16,7 +15,6 @@
## Defined System Groups (see https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/ids.nix)
unifi = 183;
chia = 185;
gitea = 186;
## Consistent Groups
mediaaccess = 1200;

36
modules/impermanence.nix
View File

@ -2,6 +2,7 @@
let
cfg = config.custom.impermanence;
listIf = (enable: x: if enable then x else [ ]);
in
{
options.custom.impermanence = {
@ -11,13 +12,6 @@ in
type = lib.types.str;
default = "/data";
};
cache = {
enable = lib.mkEnableOption "impermanence.cache";
path = lib.mkOption {
type = lib.types.str;
default = "/cache";
};
};
users = lib.mkOption {
type = with lib.types; listOf str;
@ -46,32 +40,18 @@ in
gitea.stateDir = "${cfg.base}/system/var/lib/gitea";
};
environment.persistence = lib.mkMerge [
{
"${cfg.base}/system" = {
environment.persistence."${cfg.base}/system" = {
hideMounts = true;
directories = [
"/etc/nixos"
] ++ (lib.lists.optional config.services.tailscale.enable "/var/lib/tailscale") ++
(lib.lists.optional config.services.zigbee2mqtt.enable config.services.zigbee2mqtt.dataDir) ++
(lib.lists.optional config.services.postgresql.enable config.services.postgresql.dataDir) ++
(lib.lists.optional config.hardware.bluetooth.enable "/var/lib/bluetooth") ++
(lib.lists.optional config.custom.services.unifi.enable "/var/lib/unifi") ++
(lib.lists.optional (config.virtualisation.oci-containers.containers != { }) "/var/lib/containers") ++
(lib.lists.optional config.services.tang.enable "/var/lib/private/tang") ++
(lib.lists.optional config.services.caddy.enable "/var/lib/caddy") ++
(lib.lists.optional config.services.step-ca.enable "/var/lib/step-ca/db");
] ++ (listIf config.custom.tailscale.enable [ "/var/lib/tailscale" ]) ++
(listIf config.services.zigbee2mqtt.enable [ config.services.zigbee2mqtt.dataDir ]) ++
(listIf config.services.postgresql.enable [ config.services.postgresql.dataDir ]) ++
(listIf config.hardware.bluetooth.enable [ "/var/lib/bluetooth" ]) ++
(listIf config.custom.services.unifi.enable [ "/var/lib/unifi" ]) ++
(listIf (config.virtualisation.oci-containers.containers != { }) [ "/var/lib/containers" ]);
};
}
(lib.mkIf cfg.cache.enable {
"${cfg.cache.path}/system" = {
hideMounts = true;
directories = (lib.lists.optional config.services.postgresqlBackup.enable config.services.postgresqlBackup.location);
};
})
];
home-manager.users =
let

44
modules/locations.nix
View File

@ -11,41 +11,25 @@ in
};
locations = lib.mkOption {
readOnly = true;
};
};
config = lib.mkMerge [
{
custom.locations.locations = {
default = {
services = {
authoritative_dns = [ "boron.cx.ts.hillion.co.uk" ];
downloads = "tywin.storage.ts.hillion.co.uk";
gitea = "boron.cx.ts.hillion.co.uk";
gitea = "jorah.cx.ts.hillion.co.uk";
homeassistant = "microserver.home.ts.hillion.co.uk";
mastodon = "";
matrix = "boron.cx.ts.hillion.co.uk";
tang = [
"li.pop.ts.hillion.co.uk"
"microserver.home.ts.hillion.co.uk"
"sodium.pop.ts.hillion.co.uk"
];
unifi = "boron.cx.ts.hillion.co.uk";
version_tracker = [ "boron.cx.ts.hillion.co.uk" ];
matrix = "jorah.cx.ts.hillion.co.uk";
unifi = "jorah.cx.ts.hillion.co.uk";
};
};
};
};
}
(lib.mkIf cfg.autoServe
{
custom.services = lib.mapAttrsRecursive
(path: value: {
enable =
if builtins.isList value
then builtins.elem config.networking.fqdn value
else config.networking.fqdn == value;
})
cfg.locations.services;
})
];
config = lib.mkIf cfg.autoServe {
custom.services.downloads.enable = cfg.locations.services.downloads == config.networking.fqdn;
custom.services.gitea.enable = cfg.locations.services.gitea == config.networking.fqdn;
custom.services.homeassistant.enable = cfg.locations.services.homeassistant == config.networking.fqdn;
custom.services.mastodon.enable = cfg.locations.services.mastodon == config.networking.fqdn;
custom.services.matrix.enable = cfg.locations.services.matrix == config.networking.fqdn;
custom.services.unifi.enable = cfg.locations.services.unifi == config.networking.fqdn;
};
}

7
modules/resilio.nix
View File

@ -1,9 +1,12 @@
{ pkgs, lib, config, ... }:
{ pkgs, lib, config, nixpkgs-unstable, ... }:
let
cfg = config.custom.resilio;
in
{
imports = [ "${nixpkgs-unstable}/nixos/modules/services/networking/resilio.nix" ];
disabledModules = [ "services/networking/resilio.nix" ];
options.custom.resilio = {
enable = lib.mkEnableOption "resilio";
@ -61,7 +64,5 @@ in
in
builtins.map (folder: mkFolder folder.name folder.secret) cfg.folders;
};
systemd.services.resilio.unitConfig.RequiresMountsFor = builtins.map (folder: "${config.services.resilio.directoryRoot}/${folder.name}") cfg.folders;
};
}

50
modules/services/authoritative_dns.nix
View File

@ -1,50 +0,0 @@
{ pkgs, lib, config, ... }:
let
cfg = config.custom.services.authoritative_dns;
in
{
options.custom.services.authoritative_dns = {
enable = lib.mkEnableOption "authoritative_dns";
};
config = lib.mkIf cfg.enable {
services.nsd = {
enable = true;
zones = {
"ts.hillion.co.uk" = {
data =
let
makeRecords = type: s: (lib.concatStringsSep "\n" (lib.collect builtins.isString (lib.mapAttrsRecursive (path: value: "${lib.concatStringsSep "." (lib.reverseList path)} 86400 ${type} ${value}") s)));
in
''
$ORIGIN ts.hillion.co.uk.
$TTL 86400
ts.hillion.co.uk. IN SOA ns1.hillion.co.uk. hostmaster.hillion.co.uk. (
1 ;Serial
7200 ;Refresh
3600 ;Retry
1209600 ;Expire
3600 ;Negative response caching TTL
)
86400 NS ns1.hillion.co.uk.
ca 21600 CNAME sodium.pop.ts.hillion.co.uk.
deluge.downloads 21600 CNAME tywin.storage.ts.hillion.co.uk.
graphs.router.home 21600 CNAME router.home.ts.hillion.co.uk.
prowlarr.downloads 21600 CNAME tywin.storage.ts.hillion.co.uk.
radarr.downloads 21600 CNAME tywin.storage.ts.hillion.co.uk.
restic.tywin.storage 21600 CNAME tywin.storage.ts.hillion.co.uk.
sonarr.downloads 21600 CNAME tywin.storage.ts.hillion.co.uk.
zigbee2mqtt.home 21600 CNAME router.home.ts.hillion.co.uk.
'' + (makeRecords "A" config.custom.dns.authoritative.ipv4.uk.co.hillion.ts) + "\n\n" + (makeRecords "AAAA" config.custom.dns.authoritative.ipv6.uk.co.hillion.ts);
};
};
};
};
}

4
modules/services/default.nix
View File

@ -2,13 +2,11 @@
{
imports = [
./authoritative_dns.nix
./downloads.nix
./gitea/default.nix
./gitea.nix
./homeassistant.nix
./mastodon/default.nix
./matrix.nix
./tang.nix
./unifi.nix
./version_tracker.nix
./zigbee2mqtt.nix

17
modules/services/downloads.nix
View File

@ -29,16 +29,10 @@ in
virtualHosts = builtins.listToAttrs (builtins.map
(x: {
name = "${x}.downloads.ts.hillion.co.uk";
name = "http://${x}.downloads.ts.hillion.co.uk";
value = {
listenAddresses = [ config.custom.dns.tailscale.ipv4 config.custom.dns.tailscale.ipv6 ];
extraConfig = ''
reverse_proxy unix//${cfg.metadataPath}/caddy/caddy.sock
tls {
ca https://ca.ts.hillion.co.uk:8443/acme/acme/directory
}
'';
listenAddresses = [ config.custom.tailscale.ipv4Addr config.custom.tailscale.ipv6Addr ];
extraConfig = "reverse_proxy unix//${cfg.metadataPath}/caddy/caddy.sock";
};
}) [ "prowlarr" "sonarr" "radarr" "deluge" ]);
};
@ -138,10 +132,7 @@ in
script = with pkgs; "${iproute2}/bin/ip link set up lo";
};
networking = {
nameservers = [ "1.1.1.1" "8.8.8.8" ];
hosts = { "127.0.0.1" = builtins.map (x: "${x}.downloads.ts.hillion.co.uk") [ "prowlarr" "sonarr" "radarr" "deluge" ]; };
};
networking.hosts = { "127.0.0.1" = builtins.map (x: "${x}.downloads.ts.hillion.co.uk") [ "prowlarr" "sonarr" "radarr" "deluge" ]; };
services = {
prowlarr.enable = true;

29
modules/services/gitea/gitea.nix → modules/services/gitea.nix
View File

@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }:
{ config, pkgs, lib, nixpkgs-unstable, ... }:
let
cfg = config.custom.services.gitea;
@ -20,42 +20,39 @@ in
config = lib.mkIf cfg.enable {
age.secrets = {
"gitea/mailer_password" = {
file = ../../../secrets/gitea/mailer_password.age;
file = ../../secrets/gitea/mailer_password.age;
owner = config.services.gitea.user;
group = config.services.gitea.group;
};
"gitea/oauth_jwt_secret" = {
file = ../../../secrets/gitea/oauth_jwt_secret.age;
file = ../../secrets/gitea/oauth_jwt_secret.age;
owner = config.services.gitea.user;
group = config.services.gitea.group;
path = "${config.services.gitea.customDir}/conf/oauth2_jwt_secret";
};
"gitea/lfs_jwt_secret" = {
file = ../../../secrets/gitea/lfs_jwt_secret.age;
file = ../../secrets/gitea/lfs_jwt_secret.age;
owner = config.services.gitea.user;
group = config.services.gitea.group;
path = "${config.services.gitea.customDir}/conf/lfs_jwt_secret";
};
"gitea/security_secret_key" = {
file = ../../../secrets/gitea/security_secret_key.age;
file = ../../secrets/gitea/security_secret_key.age;
owner = config.services.gitea.user;
group = config.services.gitea.group;
path = "${config.services.gitea.customDir}/conf/secret_key";
};
"gitea/security_internal_token" = {
file = ../../../secrets/gitea/security_internal_token.age;
file = ../../secrets/gitea/security_internal_token.age;
owner = config.services.gitea.user;
group = config.services.gitea.group;
path = "${config.services.gitea.customDir}/conf/internal_token";
};
};
users.users.gitea.uid = config.ids.uids.gitea;
users.groups.gitea.gid = config.ids.gids.gitea;
services.gitea = {
enable = true;
package = pkgs.unstable.gitea;
package = nixpkgs-unstable.legacyPackages.x86_64-linux.gitea;
mailerPasswordFile = config.age.secrets."gitea/mailer_password".path;
appName = "Hillion Gitea";
@ -100,14 +97,18 @@ in
};
};
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
"net.ipv6.conf.all.forwarding" = 1;
};
networking.firewall.extraCommands = ''
# proxy all traffic on public interface to the gitea SSH server
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
ip6tables -A PREROUTING -t nat -i eth0 -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
iptables -A PREROUTING -t nat -i enp5s0 -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
ip6tables -A PREROUTING -t nat -i enp5s0 -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
# proxy locally originating outgoing packets
iptables -A OUTPUT -d 138.201.252.214 -t nat -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
ip6tables -A OUTPUT -d 2a01:4f8:173:23d2::2 -t nat -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
iptables -A OUTPUT -d 95.217.229.104 -t nat -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
ip6tables -A OUTPUT -d 2a01:4f9:4b:3953::2 -t nat -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
'';
};
}

105
modules/services/gitea/actions.nix
View File

@ -1,105 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.custom.services.gitea.actions;
in
{
options.custom.services.gitea.actions = {
enable = lib.mkEnableOption "gitea-actions";
labels = lib.mkOption {
type = with lib.types; listOf str;
default = [
"ubuntu-latest:docker://node:16-bullseye"
"ubuntu-20.04:docker://node:16-bullseye"
];
};
tokenSecret = lib.mkOption {
type = lib.types.path;
};
};
config = lib.mkIf cfg.enable {
age.secrets."gitea/actions/token".file = cfg.tokenSecret;
# Run gitea-actions in a container and firewall it such that it can only
# access the Internet (not private networks).
containers."gitea-actions" = {
autoStart = true;
ephemeral = true;
privateNetwork = true; # all traffic goes through ve-gitea-actions on the host
hostAddress = "10.108.27.1";
localAddress = "10.108.27.2";
extraFlags = [
# Extra system calls required to nest Docker, taken from https://wiki.archlinux.org/title/systemd-nspawn
"--system-call-filter=add_key"
"--system-call-filter=keyctl"
"--system-call-filter=bpf"
];
bindMounts = let tokenPath = config.age.secrets."gitea/actions/token".path; in {
"${tokenPath}".hostPath = tokenPath;
};
timeoutStartSec = "5min";
config = (hostConfig: ({ config, pkgs, ... }: {
config = let cfg = hostConfig.custom.services.gitea.actions; in {
system.stateVersion = "23.11";
virtualisation.docker.enable = true;
services.gitea-actions-runner.instances.container = {
enable = true;
url = "https://gitea.hillion.co.uk";
tokenFile = hostConfig.age.secrets."gitea/actions/token".path;
name = "${hostConfig.networking.hostName}";
labels = cfg.labels;
settings = {
runner = {
capacity = 3;
};
cache = {
enabled = true;
host = "10.108.27.2";
port = 41919;
};
};
};
# Drop any packets to private networks
networking = {
firewall.enable = lib.mkForce false;
nftables = {
enable = true;
ruleset = ''
table inet filter {
chain output {
type filter hook output priority 100; policy accept;
ct state { established, related } counter accept
ip daddr 10.0.0.0/8 drop
ip daddr 100.64.0.0/10 drop
ip daddr 172.16.0.0/12 drop
ip daddr 192.168.0.0/16 drop
}
}
'';
};
};
};
})) config;
};
networking.nat = {
enable = true;
externalInterface = "eth0";
internalIPs = [ "10.108.27.2" ];
};
};
}

8
modules/services/gitea/default.nix
View File

@ -1,8 +0,0 @@
{ ... }:
{
imports = [
./actions.nix
./gitea.nix
];
}

40
modules/services/homeassistant.nix
View File

@ -44,20 +44,16 @@ in
"bluetooth"
"default_config"
"esphome"
"flux"
"google_assistant"
"homekit"
"met"
"mobile_app"
"mqtt"
"otp"
"smartthings"
"sonos"
"sun"
"switchbot"
];
customComponents = with pkgs.home-assistant-custom-components; [
adaptive_lighting
];
config = {
default_config = { };
@ -68,10 +64,7 @@ in
http = {
use_x_forwarded_for = true;
trusted_proxies = with config.custom.dns.authoritative; [
ipv4.uk.co.hillion.ts.cx.boron
ipv6.uk.co.hillion.ts.cx.boron
];
trusted_proxies = [ "100.96.143.138" ];
};
google_assistant = {
@ -83,9 +76,6 @@ in
report_state = true;
expose_by_default = true;
exposed_domains = [ "light" ];
entity_config = {
"input_boolean.sleep_mode" = { };
};
};
homekit = [{
filter = {
@ -95,7 +85,13 @@ in
bluetooth = { };
adaptive_lighting = {
switch = [
{
platform = "flux";
start_time = "07:00";
stop_time = "23:59";
mode = "mired";
disable_brightness_adjust = true;
lights = [
"light.bedroom_lamp"
"light.bedroom_light"
@ -106,8 +102,8 @@ in
"light.living_room_light"
"light.wardrobe_light"
];
min_sunset_time = "21:00";
};
}
];
light = [
{
@ -115,9 +111,12 @@ in
lights = {
bathroom_light = {
unique_id = "87a4cbb5-e5a7-44fd-9f28-fec2d6a62538";
value_template = "{{ false if state_attr('script.bathroom_light_switch_if_on', 'last_triggered') > states.sensor.bathroom_motion_sensor_illuminance_lux.last_reported else states('sensor.bathroom_motion_sensor_illuminance_lux') | int > 500 }}";
value_template = "on";
turn_on = { service = "script.noop"; };
turn_off = { service = "script.bathroom_light_switch_if_on"; };
turn_off = {
service = "switch.turn_on";
entity_id = "switch.bathroom_light";
};
};
};
}
@ -146,13 +145,6 @@ in
}
];
input_boolean = {
sleep_mode = {
name = "Set house to sleep mode";
icon = "mdi:sleep";
};
};
# UI managed expansions
automation = "!include automations.yaml";
script = "!include scripts.yaml";

17
modules/services/matrix.nix
View File

@ -41,10 +41,6 @@ in
owner = "matrix-synapse";
group = "matrix-synapse";
};
"matrix/matrix.hillion.co.uk/syncv3_secret" = {
file = ../../secrets/matrix/matrix.hillion.co.uk/syncv3_secret.age;
};
};
services = {
@ -80,8 +76,8 @@ in
x_forwarded = true;
bind_addresses = [
"::1"
config.custom.dns.tailscale.ipv4
config.custom.dns.tailscale.ipv6
config.custom.tailscale.ipv4Addr
config.custom.tailscale.ipv6Addr
];
resources = [
{
@ -118,15 +114,6 @@ in
};
};
matrix-sliding-sync = {
enable = true;
environmentFile = config.age.secrets."matrix/matrix.hillion.co.uk/syncv3_secret".path;
settings = {
SYNCV3_SERVER = "https://matrix.hillion.co.uk";
SYNCV3_BINDADDR = "[::]:8009";
};
};
heisenbridge = lib.mkIf cfg.heisenbridge {
enable = true;
owner = "@jake:hillion.co.uk";

20
modules/services/tang.nix
View File

@ -1,20 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.custom.services.tang;
in
{
options.custom.services.tang = {
enable = lib.mkEnableOption "tang";
};
config = lib.mkIf cfg.enable {
services.tang = {
enable = true;
ipAddressAllow = [
"138.201.252.214/32"
"10.64.50.20/32"
];
};
};
}

32
modules/services/unifi.nix
View File

@ -10,14 +10,20 @@ in
dataDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/unifi";
readOnly = true; # NixOS module only supports this directory
};
};
config = lib.mkIf cfg.enable {
# Fix dynamically allocated user and group ids
users.users.unifi.uid = config.ids.uids.unifi;
users.groups.unifi.gid = config.ids.gids.unifi;
users.users.unifi = {
uid = config.ids.uids.unifi;
isSystemUser = true;
group = "unifi";
description = "UniFi controller daemon user";
home = "${cfg.dataDir}";
};
users.groups.unifi = {
gid = config.ids.gids.unifi;
};
services.caddy = {
enable = true;
@ -32,9 +38,21 @@ in
};
};
services.unifi = {
enable = true;
unifiPackage = pkgs.unifi8;
virtualisation.oci-containers.containers = {
"unifi" = {
image = "lscr.io/linuxserver/unifi-controller:8.0.24-ls221";
environment = {
PUID = toString config.ids.uids.unifi;
PGID = toString config.ids.gids.unifi;
TZ = "Etc/UTC";
};
volumes = [ "${cfg.dataDir}:/config" ];
ports = [
"8080:8080"
"8443:8443"
"3478:3478/udp"
];
};
};
};
}

2
modules/services/zigbee2mqtt.nix
View File

@ -23,7 +23,7 @@ in
enable = true;
virtualHosts."http://zigbee2mqtt.home.ts.hillion.co.uk" = {
listenAddresses = [ config.custom.dns.tailscale.ipv4 config.custom.dns.tailscale.ipv6 ];
listenAddresses = [ config.custom.tailscale.ipv4Addr config.custom.tailscale.ipv6Addr ];
extraConfig = "reverse_proxy http://127.0.0.1:15606";
};
};

25
modules/spotify/default.nix Normal file
View File

@ -0,0 +1,25 @@
{ config, pkgs, lib, ... }:
{
config.age.secrets."spotify/11132032266" = {
file = ../../secrets/spotify/11132032266.age;
owner = "jake";
};
config.hardware.pulseaudio.enable = true;
config.users.users.jake.extraGroups = [ "audio" ];
config.users.users.jake.packages = with pkgs; [ spotify-tui ];
config.home-manager.users.jake.services.spotifyd = {
enable = true;
settings = {
global = {
username = "11132032266";
password_cmd = "cat ${config.age.secrets."spotify/11132032266".path}";
backend = "pulseaudio";
};
};
};
}

55
modules/ssh/default.nix
View File

@ -1,55 +0,0 @@
{ pkgs, lib, config, ... }:
let
cfg = config.custom.ssh;
in
{
options.custom.ssh = {
enable = lib.mkEnableOption "ssh";
};
config = lib.mkIf cfg.enable {
users.users =
if config.custom.user == "jake" then {
"jake".openssh.authorizedKeys.keys = [
"sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBBwJH4udKNvi9TjOBgkxpBBy7hzWqmP0lT5zE9neusCpQLIiDhr6KXYMPXWXdZDc18wH1OLi2+639dXOvp8V/wgAAAAEc3NoOg== jake@beryllium-keys"
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOt74U+rL+BMtAEjfu/Optg1D7Ly7U+TupRxd5u9kfN7oJnW4dJA25WRSr4dgQNq7MiMveoduBY/ky2s0c9gvIA= jake@jake-gentoo"
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC0uKIvvvkzrOcS7AcamsQRFId+bqPwUC9IiUIsiH5oWX1ReiITOuEo+TL9YMII5RyyfJFeu2ZP9moNuZYlE7Bs= jake@jake-mbp"
"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAyFsYYjLZ/wyw8XUbcmkk6OKt2IqLOnWpRE5gEvm3X0V4IeTOL9F4IL79h7FTsPvi2t9zGBL1hxeTMZHSGfrdWaMJkQp94gA1W30MKXvJ47nEVt0HUIOufGqgTTaAn4BHxlFUBUuS7UxaA4igFpFVoPJed7ZMhMqxg+RWUmBAkcgTWDMgzUx44TiNpzkYlG8cYuqcIzpV2dhGn79qsfUzBMpGJgkxjkGdDEHRk66JXgD/EtVasZvqp5/KLNnOpisKjR88UJKJ6/buV7FLVra4/0hA9JtH9e1ecCfxMPbOeluaxlieEuSXV2oJMbQoPP87+/QriNdi/6QuCHkMDEhyGw== jake@jake-mbp"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw4lgH20nfuchDqvVf0YciqN0GnBw5hfh8KIun5z0P7wlNgVYnCyvPvdIlGf2Nt1z5EGfsMzMLhKDOZkcTMlhupd+j2Er/ZB764uVBGe1n3CoPeasmbIlnamZ12EusYDvQGm2hVJTGQPPp9nKaRxr6ljvTMTNl0KWlWvKP4kec74d28MGgULOPLT3HlAyvUymSULK4lSxFK0l97IVXLa8YwuL5TNFGHUmjoSsi/Q7/CKaqvNh+ib1BYHzHYsuEzaaApnCnfjDBNexHm/AfbI7s+g3XZDcZOORZn6r44dOBNFfwvppsWj3CszwJQYIFeJFuMRtzlC8+kyYxci0+FXHn jake@jake-gentoo"
];
} else { };
programs.mosh.enable = true;
services.openssh = {
enable = true;
openFirewall = true;
settings = {
PermitRootLogin = "no";
PasswordAuthentication = false;
};
};
programs.ssh.knownHosts = {
# Global Internet hosts
"ssh.gitea.hillion.co.uk".publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCxQpywsy+WGeaEkEL67xOBL1NIE++pcojxro5xAPO6VQe2N79388NRFMLlX6HtnebkIpVrvnqdLOs0BPMAokjaWCC4Ay7T/3ko1kXSOlqHY5Ye9jtjRK+wPHMZgzf74a3jlvxjrXJMA70rPQ3X+8UGpA04eB3JyyLTLuVvc6znMe53QiZ0x+hSz+4pYshnCO2UazJ148vV3htN6wRK+uqjNdjjQXkNJ7llNBSrvmfrLidlf0LRphEk43maSQCBcLEZgf4pxXBA7rFuZABZTz1twbnxP2ziyBaSOs7rcII+jVhF2cqJlElutBfIgRNJ3DjNiTcdhNaZzkwJ59huR0LUFQlHI+SALvPzE9ZXWVOX/SqQG+oIB8VebR52icii0aJH7jatkogwNk0121xmhpvvR7gwbJ9YjYRTpKs4lew3bq/W/OM8GF/FEuCsCuNIXRXKqIjJVAtIpuuhxPymFHeqJH3wK3f6jTJfcAz/z33Rwpow2VOdDyqrRfAW8ti73CCnRlN+VJi0V/zvYGs9CHldY3YvMr7rSd0+fdGyJHSTSRBF0vcyRVA/SqSfcIo/5o0ssYoBnQCg6gOkc3nNQ0C0/qh1ww17rw4hqBRxFJ2t3aBUMK+UHPxrELLVmG6ZUmfg9uVkOoafjRsoML6DVDB4JAk5JsmcZhybOarI9PJfEQ==";
# Tailscale hosts
"boron.cx.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDtcJ7HY/vjtheMV8EN2wlTw1hU53CJebGIeRJcSkzt5";
"be.lt.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILV3OSUT+cqFqrFHZGfn7/xi5FW3n1qjUFy8zBbYs2Sm";
"dancefloor.dancefloor.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXkGueVYKr2wp/VHo2QLis0kmKtc/Upg3pGoHr6RkzY";
"gendry.jakehillion.terminals.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPXM5aDvNv4MTITXAvJWSS2yvr/mbxJE31tgwJtcl38c";
"homeassistant.homeassistant.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM2ytacl/zYXhgvosvhudsl0zW5eQRHXm9aMqG9adux";
"li.pop.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQWgcDFL9UZBDKHPiEGepT1Qsc4gz3Pee0/XVHJ6V6u";
"microserver.home.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPOCPqXm5a+vGB6PsJFvjKNgjLhM5MxrwCy6iHGRjXw";
"router.home.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlCj/i2xprN6h0Ik2tthOJQy6Qwq3Ony73+yfbHYTFu";
"sodium.pop.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQmG7v/XrinPmkTU2eIoISuU3+hoV4h60Bmbwd+xDjr";
"theon.storage.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN59psLVu3/sQORA4x3p8H3ei8MCQlcwX5T+k3kBeBMf";
"tywin.storage.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGATsjWO0qZNFp2BhfgDuWi+e/ScMkFxp79N2OZoed1k";
};
programs.ssh.knownHostsFiles = [ ./github_known_hosts ];
};
}

65
modules/tailscale.nix Normal file
View File

@ -0,0 +1,65 @@
{ pkgs, lib, config, ... }:
let
cfg = config.custom.tailscale;
in
{
options.custom.tailscale = {
enable = lib.mkEnableOption "tailscale";
preAuthKeyFile = lib.mkOption {
type = lib.types.str;
};
advertiseRoutes = lib.mkOption {
type = with lib.types; listOf str;
default = [ ];
};
advertiseExitNode = lib.mkOption {
type = lib.types.bool;
default = false;
};
ipv4Addr = lib.mkOption { type = lib.types.str; };
ipv6Addr = lib.mkOption { type = lib.types.str; };
};
config = lib.mkIf cfg.enable {
environment.systemPackages = [ pkgs.tailscale ];
services.tailscale.enable = true;
networking.firewall.checkReversePath = lib.mkIf cfg.advertiseExitNode "loose";
systemd.services.tailscale-autoconnect = {
description = "Automatic connection to Tailscale";
# make sure tailscale is running before trying to connect to tailscale
after = [ "network-pre.target" "tailscale.service" ];
wants = [ "network-pre.target" "tailscale.service" ];
wantedBy = [ "multi-user.target" ];
# set this service as a oneshot job
serviceConfig.Type = "oneshot";
# have the job run this shell script
script = with pkgs; ''
# wait for tailscaled to settle
sleep 2
# check if we are already authenticated to tailscale
status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
if [ $status = "Running" ]; then # if so, then do nothing
exit 0
fi
# otherwise authenticate with tailscale
${tailscale}/bin/tailscale up \
--authkey "$(<${cfg.preAuthKeyFile})" \
--advertise-routes "${lib.concatStringsSep "," cfg.advertiseRoutes}" \
--advertise-exit-node=${if cfg.advertiseExitNode then "true" else "false"}
'';
};
};
}

21
modules/vms.nix Normal file
View File

@ -0,0 +1,21 @@
{ config, lib, ... }:
{
options = {
boot.isVirtualMachine = lib.mkOption {
type = lib.types.bool;
default = false;
description = lib.mdDoc ''
Whether this NixOS machine is a virtual machine running in another NixOS system.
'';
};
virtualMachines = lib.mkOption {
type = lib.types.attrsOf
(lib.types.submodule (
{ config, options, name, ... }:
{ }
))
};
};
}

19
modules/www/certs/blog.hillion.co.uk.pem
View File

@ -1,19 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIDGTCCAsCgAwIBAgIUMOkPfgLpbA08ovrPt+deXQPpA9kwCgYIKoZIzj0EAwIw
gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYDVQQL
Ey9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0
eTAeFw0yNDA0MTMyMTQ0MDBaFw0zOTA0MTAyMTQ0MDBaMGIxGTAXBgNVBAoTEENs
b3VkRmxhcmUsIEluYy4xHTAbBgNVBAsTFENsb3VkRmxhcmUgT3JpZ2luIENBMSYw
JAYDVQQDEx1DbG91ZEZsYXJlIE9yaWdpbiBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49
AgEGCCqGSM49AwEHA0IABNweW8IgrXj7Q64RxyK8s9XpbxJ8TbYVv7NALbWUahlT
QPlGX/5XoM3Z5AtISBi1irLEy5o6mx7ebNK4NmwzNlCjggEkMIIBIDAOBgNVHQ8B
Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB
/wQCMAAwHQYDVR0OBBYEFMy3oz9l3bwpjgtx6IqL9IH90PXcMB8GA1UdIwQYMBaA
FIUwXTsqcNTt1ZJnB/3rObQaDjinMEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcw
AYYoaHR0cDovL29jc3AuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYTAdBgNV
HREEFjAUghJibG9nLmhpbGxpb24uY28udWswPAYDVR0fBDUwMzAxoC+gLYYraHR0
cDovL2NybC5jbG91ZGZsYXJlLmNvbS9vcmlnaW5fZWNjX2NhLmNybDAKBggqhkjO
PQQDAgNHADBEAiAgVRgo5V09uyMbz1Mevmxe6d2K5xvZuBElVYja/Rf99AIgZkm1
wHEq9wqVYP0oWTiEYQZ6dzKoSwxviOEZI+ttQRA=
-----END CERTIFICATE-----

19
modules/www/certs/gitea.hillion.co.uk.pem
View File

@ -1,19 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIDHDCCAsGgAwIBAgIUMHdmb+Ef9YvVmCtliDhg1gDGt8cwCgYIKoZIzj0EAwIw
gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYDVQQL
Ey9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0
eTAeFw0yNDA0MTMyMTQ1MDBaFw0zOTA0MTAyMTQ1MDBaMGIxGTAXBgNVBAoTEENs
b3VkRmxhcmUsIEluYy4xHTAbBgNVBAsTFENsb3VkRmxhcmUgT3JpZ2luIENBMSYw
JAYDVQQDEx1DbG91ZEZsYXJlIE9yaWdpbiBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49
AgEGCCqGSM49AwEHA0IABGn2vImTE+gpWx/0ELXue7cL0eGb+I2c9VbUYcy3TBJi
G7S+wl79MBM5+5G0wKhTpBgVpXu1/NHunfM97LGZb5ejggElMIIBITAOBgNVHQ8B
Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB
/wQCMAAwHQYDVR0OBBYEFI6dxFPItIKnNN7/xczMOtlTytuvMB8GA1UdIwQYMBaA
FIUwXTsqcNTt1ZJnB/3rObQaDjinMEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcw
AYYoaHR0cDovL29jc3AuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYTAeBgNV
HREEFzAVghNnaXRlYS5oaWxsaW9uLmNvLnVrMDwGA1UdHwQ1MDMwMaAvoC2GK2h0
dHA6Ly9jcmwuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYS5jcmwwCgYIKoZI
zj0EAwIDSQAwRgIhAKfRSEKCGNY5x4zUNzOy6vfxgDYPfkP6iW5Ha4gNmE+QAiEA
nTsGKr2EoqEdPtnB+wVrYMblWF7/or3JpRYGs6zD2FU=
-----END CERTIFICATE-----

19
modules/www/certs/hillion.co.uk.pem
View File

@ -1,19 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIDFDCCArugAwIBAgIUedwIJx096VH/KGDgpAKK/Q8jGWUwCgYIKoZIzj0EAwIw
gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYDVQQL
Ey9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0
eTAeFw0yNDA0MTMyMTIzMDBaFw0zOTA0MTAyMTIzMDBaMGIxGTAXBgNVBAoTEENs
b3VkRmxhcmUsIEluYy4xHTAbBgNVBAsTFENsb3VkRmxhcmUgT3JpZ2luIENBMSYw
JAYDVQQDEx1DbG91ZEZsYXJlIE9yaWdpbiBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49
AgEGCCqGSM49AwEHA0IABIdc0hnQQP7tLADaCGXxZ+1BGbZ8aow/TtHl+aXDbN3t
2vVV2iLmsMbiPcJZ5e9Q2M27L8fZ0uPJP19dDvvN97SjggEfMIIBGzAOBgNVHQ8B
Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB
/wQCMAAwHQYDVR0OBBYEFJilRKL8wXskL/LmgH8BnIvLIpkEMB8GA1UdIwQYMBaA
FIUwXTsqcNTt1ZJnB/3rObQaDjinMEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcw
AYYoaHR0cDovL29jc3AuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYTAYBgNV
HREEETAPgg1oaWxsaW9uLmNvLnVrMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9j
cmwuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYS5jcmwwCgYIKoZIzj0EAwID
RwAwRAIgbexSqkt3pzCpnpqYXwC5Gmt+nG5OEqETQ6690kpIS74CIFQI3zXlx8zk
GB0BlaZdrraAQP7AuI8CcMd5vbQdnldY
-----END CERTIFICATE-----

19
modules/www/certs/homeassistant.hillion.co.uk.pem
View File

@ -1,19 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIDJDCCAsmgAwIBAgIUaSXrL4UHFHxDvvnW1720aZkkBCkwCgYIKoZIzj0EAwIw
gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYDVQQL
Ey9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0
eTAeFw0yNDA0MTMyMTUzMDBaFw0zOTA0MTAyMTUzMDBaMGIxGTAXBgNVBAoTEENs
b3VkRmxhcmUsIEluYy4xHTAbBgNVBAsTFENsb3VkRmxhcmUgT3JpZ2luIENBMSYw
JAYDVQQDEx1DbG91ZEZsYXJlIE9yaWdpbiBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49
AgEGCCqGSM49AwEHA0IABOz/ljJJjKawHtILlD09YMwmAdhzxTfPPi61qw7R670T
Oe4/KA4zClCKfzqnVEZ4YonfgK8U6VqhLPI4crxUQk+jggEtMIIBKTAOBgNVHQ8B
Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB
/wQCMAAwHQYDVR0OBBYEFO7S2TbvL1kel0QH+sYfjD6v2L7oMB8GA1UdIwQYMBaA
FIUwXTsqcNTt1ZJnB/3rObQaDjinMEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcw
AYYoaHR0cDovL29jc3AuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYTAmBgNV
HREEHzAdghtob21lYXNzaXN0YW50LmhpbGxpb24uY28udWswPAYDVR0fBDUwMzAx
oC+gLYYraHR0cDovL2NybC5jbG91ZGZsYXJlLmNvbS9vcmlnaW5fZWNjX2NhLmNy
bDAKBggqhkjOPQQDAgNJADBGAiEAgaiFVCBLVYKjTJV67qKOg1R1GBVszNF+9PCi
ZejJcjwCIQDtl9S3zCl/h8/7uYfk8dHg0Y6kwd5GVuu6HE67GWJ2Yg==
-----END CERTIFICATE-----

19
modules/www/certs/links.hillion.co.uk.pem
View File

@ -1,19 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIDGzCCAsGgAwIBAgIUFUDTvq6L7SR3qKxaNh77g3XkJk8wCgYIKoZIzj0EAwIw
gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYDVQQL
Ey9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0
eTAeFw0yNDA0MTMyMTQ2MDBaFw0zOTA0MTAyMTQ2MDBaMGIxGTAXBgNVBAoTEENs
b3VkRmxhcmUsIEluYy4xHTAbBgNVBAsTFENsb3VkRmxhcmUgT3JpZ2luIENBMSYw
JAYDVQQDEx1DbG91ZEZsYXJlIE9yaWdpbiBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49
AgEGCCqGSM49AwEHA0IABGpSYrOqMuzCfE6qdpXqFze8RxWDcDSUFRYmotnp4cyK
i6ISovoK7YDKarrHRIvIrsNBaqk+0hjZpOhN/XpU16SjggElMIIBITAOBgNVHQ8B
Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB
/wQCMAAwHQYDVR0OBBYEFLoqUdEVGspJs/SGcV7pf2bCzqTrMB8GA1UdIwQYMBaA
FIUwXTsqcNTt1ZJnB/3rObQaDjinMEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcw
AYYoaHR0cDovL29jc3AuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYTAeBgNV
HREEFzAVghNsaW5rcy5oaWxsaW9uLmNvLnVrMDwGA1UdHwQ1MDMwMaAvoC2GK2h0
dHA6Ly9jcmwuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYS5jcmwwCgYIKoZI
zj0EAwIDSAAwRQIhANh3Ds0ZSZp3rEZ46z4sBp+WNQejnDhTCXt2OIRiCrecAiAB
oe21Oz1Pmqv0htFxNf1YbkgJMCoGfENlViuR0cUAJg==
-----END CERTIFICATE-----

35
modules/www/global.nix
View File

@ -10,47 +10,19 @@ in
};
config = lib.mkIf cfg.enable {
age.secrets =
let
mkSecret = domain: {
name = "caddy/${domain}.pem";
value = {
file = ../../secrets/certs/${domain}.pem.age;
owner = config.services.caddy.user;
group = config.services.caddy.group;
};
};
in
builtins.listToAttrs (builtins.map mkSecret [
"hillion.co.uk"
"blog.hillion.co.uk"
"gitea.hillion.co.uk"
"homeassistant.hillion.co.uk"
"links.hillion.co.uk"
]);
custom.www.www-repo.enable = true;
services.caddy = {
enable = true;
package = pkgs.unstable.caddy;
globalConfig = ''
email acme@hillion.co.uk
'';
virtualHosts = {
"hillion.co.uk".extraConfig = ''
tls ${./certs/hillion.co.uk.pem} ${config.age.secrets."caddy/hillion.co.uk.pem".path}
handle /.well-known/* {
header /.well-known/matrix/* Content-Type application/json
header /.well-known/matrix/* Access-Control-Allow-Origin *
respond /.well-known/matrix/server "{\"m.server\": \"matrix.hillion.co.uk:443\"}" 200
respond /.well-known/matrix/client `${builtins.toJSON {
"m.homeserver" = { "base_url" = "https://matrix.hillion.co.uk"; };
"org.matrix.msc3575.proxy" = { "url" = "https://matrix.hillion.co.uk"; };
}}` 200
respond /.well-known/matrix/client `{"m.homeserver":{"base_url":"https://matrix.hillion.co.uk"}}`
respond 404
}
@ -60,25 +32,20 @@ in
}
'';
"blog.hillion.co.uk".extraConfig = ''
tls ${./certs/blog.hillion.co.uk.pem} ${config.age.secrets."caddy/blog.hillion.co.uk.pem".path}
root * /var/www/blog.hillion.co.uk
file_server
'';
"homeassistant.hillion.co.uk".extraConfig = ''
tls ${./certs/homeassistant.hillion.co.uk.pem} ${config.age.secrets."caddy/homeassistant.hillion.co.uk.pem".path}
reverse_proxy http://${locations.services.homeassistant}:8123
'';
"gitea.hillion.co.uk".extraConfig = ''
tls ${./certs/gitea.hillion.co.uk.pem} ${config.age.secrets."caddy/gitea.hillion.co.uk.pem".path}
reverse_proxy http://${locations.services.gitea}:3000
'';
"matrix.hillion.co.uk".extraConfig = ''
reverse_proxy /_matrix/client/unstable/org.matrix.msc3575/sync http://${locations.services.matrix}:8009
reverse_proxy /_matrix/* http://${locations.services.matrix}:8008
reverse_proxy /_synapse/client/* http://${locations.services.matrix}:8008
'';
"links.hillion.co.uk".extraConfig = ''
tls ${./certs/links.hillion.co.uk.pem} ${config.age.secrets."caddy/links.hillion.co.uk.pem".path}
redir https://matrix.to/#/@jake:hillion.co.uk
'';
};

17
renovate.json
View File

@ -4,21 +4,6 @@
},
"lockFileMaintenance": {
"enabled": true,
"schedule": ["* 2-5 * * *"]
},
"rebaseWhen": "behind-base-branch",
"packageRules": [
{
"matchManagers": ["github-actions"],
"automerge": true,
"schedule": [
"after 11pm on Monday",
"after 11pm on Thursday"
]
"schedule": ["before 23:59"]
}
],
"extends": [
"config:recommended",
"helpers:pinGitHubActionDigests"
]
}

BIN
secrets/certs/blog.hillion.co.uk.pem.age
View File

Binary file not shown.

BIN
secrets/certs/gitea.hillion.co.uk.pem.age
View File

Binary file not shown.

BIN
secrets/certs/hillion.co.uk.pem.age
View File

Binary file not shown.

BIN
secrets/certs/homeassistant.hillion.co.uk.pem.age
View File

Binary file not shown.

20
secrets/certs/links.hillion.co.uk.pem.age
View File

@ -1,20 +0,0 @@
age-encryption.org/v1
-> ssh-rsa GxPFJQ
AaDBHnrzzyVgSLJfjuzNYVqOfGVoNYvtwOZ/8JWdzTiKjFjvFThTwRxXm04x4zV2
yDGl2YQn/SdA//tPt2aTt/HEr2vvfvTupf+p8dO81JsdQ2QNEwJq6GFPYvzwpUMt
2aY99IWgfZMnNdm1dD40UPRXthRy4neY64fLmrpNH9hM/Tj/O9L9aHo/Z8rROien
k/qN0uVWDlrxoCooZNmzuWe8VNE9PtEj07YBjUKY9frVpP38iL9hWZ435x59bRru
HTz/I1NEeKyCzUKDz562cmmPl1ihJkelSOLIS/SUL4CfbePt6lGeGgJ1UB1lLBlo
nOE79ekfh92wbYJWrogvFg
-> ssh-rsa K9mW1w
W34jfSpkxpJKesV7ZDl92bQRMtWWB7ht93n7+APJNL18VvLHmqDztkPQovd9FuKY
YLEt5qevncV/O2/f6QW87I0ySFT2tpFPflXOITk1INYH8Z/NPfGfHBgUpnl+vM4w
xVujFTnFXaFYBpoyOOl5VBLvFTlYvzXL/e2lYyZT/HGb2V43OHQe3dsMWhPKzKLL
2eg21XK/LzLFkYdpMwmt5bpVVgXB9kaB9fpmV9ZDtEYDO18/uQQI7Wdn+6XAzB+3
iJwIQaqL7YjaOwiF8u6NYOd4Qo7WNEd1WnO9/qIGMp9E4x5V3vToS9fePynE2PtH
Chcu3y8jT+Qpby+6joyLwQ
-> ssh-ed25519 iWiFbA fxhC7p0ywGIGmpio8x7yFktdB/JnKiiXJF3kvP2X2wk
Q2HJ78QRc3nZyyWgB/MjhcEHiKoXou/4421SvoTj9fM
--- OYElVzl6Gk/4ma/OgiU1Xtvg5+9Rtq/CIieG85QDOBI
Ì$y³6ãyE÷ì=qÉH®y IûŸ?R @ìG†³H<C2B3>ÓJf\JîaÛ¤i¨§2¿ÆÕe³º¯<C2BA>6 b%ÑBÜ|.ôgZE¬ßƒ˜ô3ürÄxŽœëë~\Ü\íW‡ïluӚàr$ <0C>ÕýÛá'ý¥ÿšaŽÄÙ1Çý—<C3BD>Tæm˜ºp<šIp5hw.Æ' ¼GÉÀ7*õ[â\7È*5ôò¤èÐÂãßÓŽör%u06Ó¦û"Ù´G“Àßœvzä6¤
Åךe%½¶û QékqôeDoM¹ŸØ(q&r@¶­Ï™?Fn ê_—€<18>\˜°ßÞ"<22>úDÍw½À|úOD]ïê@ö@Ê»Y<C2BB>Ó

19
secrets/gitea/actions/boron.age
View File

@ -1,19 +0,0 @@
age-encryption.org/v1
-> ssh-rsa GxPFJQ
O6XXkSIScAPiHbBj6VDHrAzbZjossHPW2AQJtQKkrUmERLABYIZuYFJHk9yH2q2W
uBdO/jKN8slQ/7fzKMRu/1EKNRscc1ufgrCCDWdZicdNPSy7948dx+mVK0ass/US
jnPgn75erR+KLsi8/yNJc12mx6onvVFE0mxFihZobiEdt7FcjSFCV9k2pPtN+1TK
5bKpjyodla+KwSXMGDH7jttvMFXtX5NKda4nYNOM1fHwQ5XCdLti67txcn2y85LV
fuo9Pzu++o6aFOalfufKyflOh8Vk3RrBwCDK81e+YLMVjSGv4ZsiTp5O+sI8dBwR
BqftVb523V4L3FhksG/e7Q
-> ssh-rsa K9mW1w
xUjF7ctBetl6as6/N1dVa+Zkg8EOfOILOMzCNUQVGStJ0cEeC3vi54xwoTxnZqX8
n2f6wsgcZP203MBX5YJTw8w80WN8WPNYM8IZxdrcSNNuOrPJQbJZkikYGOg8z9/g
7zaSotrxcHrHYR2DM/qsQJRYNQgZn7AKviEPwDNSkiGHzolIHRuAi+e2M891/DzA
k4X5VsYGusM3Lo9ABZvNzX0MEnLxtStl3TwW4i4MgWts4rjcjBAp5ybZPrQLgMf6
M//FNwBXv2adLSC8oUiTWYKB5l5sTmjNawp1FED3T9WvesKWNY0Tm4KrqJA+Ul2Z
8aoxg/TCjuuypTIaEPm2aQ
-> ssh-ed25519 iWiFbA Zl3LbVd8MHnlj1t4LuAcH13UVwHSJb/wSacM5BkTKHY
vwJ4d2obJPXkgOn44+beKbiKR+qnKvFgkOvotwPDJK8
--- 2q02v2RlVgBjT3qCe2nAXft976YYbr80qtjw3N9i8Vs
Ł×?ŢëČ׍[ĺÔ=GľMI (ět¸?ÄÄo⼍/s˝ź¨P}ř™Ńvr,_ţ3×ĂňîÂjŮDJ/;‰ĺdŤut˘;ä‰@+˛

BIN
secrets/gitea/lfs_jwt_secret.age
View File

Binary file not shown.

32
secrets/gitea/mailer_password.age
View File

@ -1,19 +1,19 @@
age-encryption.org/v1
-> ssh-rsa GxPFJQ
EpPN7UHHRuytMr2vXy9CHzjVkH1iCt9LiTLhFsqXbL03Rk+X82q233Lm12f0sQvz
Hqjukkh9bU90TLKcEOFpKrU5FQwKUjzEy85A+4UoovWdJ8VwACOzoJf29Ys1bX3i
Xp4gUT7ne5+4afNwKXVFDS1YCPjIoQPu2cGw6iTNIYwVY5fNxz5y5ZHLkI9lOqJD
mT7jCgLLdkK8vJiDcu4Ofr21GaziQh93YXK69i3gyAt6pqSRyQdAfhMGkykOWdrO
FXMtpzT82UCvfbFbbRCRuSFga0uq5zx2cwvBD4Xagw8Dfg9RQO0rX9NAbbgcoyfG
qnk+0bYAk3pWfdXW9Z/psQ
gDF6kKcuWAKwIhdnB7zav8ZXdHEuq+4yYVc0ZOmpXpiRReo8yVgAcDcMIt5Wkfjk
9quZWwFal2YZ9YH7HhG4vXVxzgL0s7oQfnzjsBwVO9lE/hly5gL9TqGY4fjuVv6Q
kBbp+JaogGv6RsHVajNWNto1qKNJWB8JyewnIdZOVRHee21u/a3qRMHuyRhIeiWR
QLMXxJxdvdgaCUjXMyOgMifsdklK/12kuRb6cTp9Zg+LzMUVloROSbhzofLUtjST
GnJR8qKDIDAG6XIzi4+/VZCcHRA/NEAs965GQrK/qyvyTcFW6BUwuoHMq3Ia/9jM
K+hgOULnfi+jIDw5U0HJKQ
-> ssh-rsa K9mW1w
NaR245c+88dGflT9cG73bQOBxQsVi5x8JkMTrqjabzwzHpRiBUdtP+Ou1w+klOI4
cv1RLngEZH9jsSiEdvpvRkzE2ILOR/abgABXZi/4vl7iXiC8T23QSOPXnMxrAgpH
RV9B3GcSClb70+Lf3pJtPBVHVENhFVFvj5JgxQ2Zi6eMpcMuL18r/Szn4erk8zXQ
330oEau80X6WoPtRaSqSxVRrMGecGHdIE9chLosCf1x8CgIcYBTtviky+fDQMkKZ
iwueW1luuBj1AuP33jUqjeyyMaJ6SqSmaxGqGHGXA/ayxF8HnHU9AJlhPH+tEEbs
84Xu2vwg9ikUz7B1tTBYeA
-> ssh-ed25519 iWiFbA CuUeGNUBc5K+AkXBRvp7SUTJNoMDW0bWRnYs3ZhFSGM
UwwyxNA2L9q6yYK+BqYcqOq6F5CF+iCUpuceWsEj7ck
--- 3XKIweSg0UFqbadbOP0APwaLyquaEdoanlvndvxcQkk
ßüu _śnTx#H-7<>‰yó—Îç<>¨—B„ô»uµŐÉîj<C3AE>ZHĐ'&÷_đś#ľĽ3ŕHÍ˝0f  šBęą×Ö™ýčÂLĽîz
TJKNczUv82J3W4sXH76qPmijKcOjvpLvZC7rKf85zBr2fdgOtXzXULQbFhW3l6gs
V50Lkw3gwSBC6ckWWKqfJkSxqWgAQumy5/5yZc9zqnNDJPXCaBEOkz3IL43Eu13V
4AihecOthSqFkfr1VsrllDckANsTse1Md/p8XDHOpNr/wyUHKRuFKnBmTG7nV2Ja
3sqOmI9RzIArUHY868ecGqPrZXWR72vqZJ3twtivq6aQI9mTw+98VPZeAUZVSMVf
5T7Z0XGfA3O5x8KDAtHcqUMA87vZ/NwsAHxsy7F64u4yaihIvG+8EQDmkGEP/7eG
lPijgnL0SUte+Df3/wXt7Q
-> ssh-ed25519 Qo6/7A 7U/6Bj8AWyHKrCZ38LOyUSr/d4HOUXPqT0FoID0ON1A
3jqYYywJlhN/i7QuXBWb0kajeZcZyBnNXpUWCMf9Kzc
--- pPjt0YCs2Wah1kyAp2qLbL9Q2z/K16jv4DJXAO7x2NU
-õ?ùÌQ5©`Y_ËÐŒ§þ£5†È,u¶.:…ÅÊ»AžoT c¿”p°ûNÝá·F[äX ¿‹°f<E28099>³ê•¡ÄG¿

BIN
secrets/gitea/oauth_jwt_secret.age
View File

Binary file not shown.

BIN
secrets/gitea/security_internal_token.age
View File

Binary file not shown.

BIN
secrets/gitea/security_secret_key.age
View File

Binary file not shown.

BIN
secrets/matrix/matrix.hillion.co.uk/email.age
View File

Binary file not shown.

34
secrets/matrix/matrix.hillion.co.uk/macaroon_secret_key.age
View File

@ -1,19 +1,21 @@
age-encryption.org/v1
-> ssh-rsa GxPFJQ
oP+PAtaEFPKwY/p94ofdBlLtCJDzaOkE7jblE4COKCp6NcfjUot7a7G2rSzG3Z9A
cF3HcuKsMrG2Tth4ElBB0nwfaXUJZOBO3nrZaU0RGBBkxqooDVV2LzA+NG0HpIZ6
8Rd/Ch621gaBDYbSNFKLx5pAotqsARt13BMVY9nuifNGmWAamZ5UsJwZ/OhxKC5i
bkFZGeHZm4tilpsBEnh99PxofQmFy52AQhpx2UZETaD7yXvyEQjN9yBVKGhwA8Xs
xIRZLVgCbMv5lroYChpj/SiuoNhuaLo+05+3r5JnL/ODEl2dYZHkr2fAo31QUPnr
kmir2Nwoq4MlNELjQvSfdQ
j36S9K1vUFeNZxh1l1dea+8KqzTnLqR3beGzDGmPSljkTPZrRs9MSsSwuAsH01Zh
95mfzFBvw3y7yGWgcW0NyGeiZ/NGvqYzuplqJbCXf/5Zwt9fnwGiWqIUZK3pGDvt
bEoJwfdTPPGgGH6egm/n+uZw7HuHklJtDwygh5wQobhsfu+q44JeaaC6Dg8Iu0Fs
ZNj2tJ1LIts0bsmevnJveOTXNq3TcHsPP1E3kYCt8OPEfPjx5Y2Ajba+VmDATDN/
5e6ncNOX5viA/DnlfL1Kx+1kf8A1wKJSNnCd0zPIDhDlagdcbd88CXdQPmPUuesD
qdUDplc+FjnCxkWrJPHnnQ
-> ssh-rsa K9mW1w
GVNgJY5cse7GnU0UpgfBT2a8Ev0KeFC+Tfvj8Jd7Wgu7pYv/DlwIumJN2NcmU76S
zW1Z6we+Fs4DO83v+4Bug4d+m7oUbKxbUfgIDE4MDEkc4B/XUKv0Ex1VaO4lGh6h
0lRF4PO22OjyO4TT4tkLZgTAStq/vS20GhluEdVPp2ovSsn7KYLwmx81iBnfNDbm
0uEKAE2dj01BHSiRZ1rVj9OnTacrRpzp6mbVJxZqkUMJ+A/tMp1B7eTjWiGhUUGs
+de52Ba/ww1jM0BmbdemWS5SA1Kch1ttgnSFKIh24tYyRxX4AVsuYqPkIuH8+W4O
Jh0387AJaR+3+Tvweo88Tw
-> ssh-ed25519 iWiFbA xx3oYrX6/Z1srbxmAztZV5AJgYZn20UMvRnn4qrSoAU
98oe26dqhSE3eET7hwdV/jJTVu2ldBiZ6ysabwK97Co
--- qrw4HhyaHrpDmws4EoABLFF3HU30AaZFCt4qHKo6gUM
OnÄCfIÚìQÿlµç@‡?:5¸<09>Ö m*63ÿgtjÁÃïÖA8 ^;TÓx%;O»·»×ß׶YG¢€,mïÞÜ â¥ ®Éîs8Pƒ òR«\nòXA÷·w;—ÚXRMÛù2´òFÏ
Fkzo4emHSiZilicSPgihNC9DjuNMih0pG9gjPJFeL6z3i8vzb2Wlr47Hs3RX8ccd
GUu97/g6Pk71STbZpq0J694lZLlzRrQiAoRD+nvbwDyiY4NThkWGwJyrK5YVsXb9
Tn8koBMyWAl173UZBfX9/tZbV/BgibajNYYUSOYqGPTtKMO2iwZi/f5vNP2Ss9Xn
a6xV3A9uJ0iQd1HFXxDqoy66KsP4cJX7U+cV4jPp0dcdAY/umgVcWnhAVRISiP0f
qLMEW6g63MXeJqij1vVl3WhEXqa4AZHGMGuHbWfuRhES8TVVxkslh6S1HnrbQq8Q
5x0sR+jPHIHk2ZJ3QLWQsQ
-> ssh-ed25519 Qo6/7A AgI2XGB68qmD4HsNzLJlGMOI8RHag/CyOOPgJNZ5Vgc
Oqto0uatJOeVEY6ON8jJIbNkGy96KJOW/HHvKqkKT0A
-> eG853-grease Pw3j" PcU:Uj0
qf1JY7M0YjgzXs73vuw/gwnTut46
--- 1wceU1/J0KK3A4H2iTKGpPIGIv6rbawHYerjWYeNYRA
+aäyz_¥ªìe¹¶_üJ=¼VÌ—Dâ„4n¤WÉ4òàv…ø%<25>ÿ=Äá>;lAôva~Á×ä__Á‰z¿ìˆ½U2=U?”šéÉXëj½d%1äjGì»Mk·ÕÉ’#’ª²—^ø*Újy§¦î¥<C3AE>

36
secrets/matrix/matrix.hillion.co.uk/registration_shared_secret.age
View File

@ -1,20 +1,22 @@
age-encryption.org/v1
-> ssh-rsa GxPFJQ
XtQerUqo59DoCzMSSbYWK1fZR5uPzA20NJcpZ8YOCD2cPJvGiSN4ePnPLSSnyUAV
ei45c6sdRRRZEKcq/uabTWPqk1xymKv4CrLn4FjS9VviKNYW0p+oo0J9ummwE6sa
/REKRIQRrsP1HwSO0gaq6CQEyGr9NouybuDDS5AIGpvaRV9+F1Htc/Um5JmsGaeC
aUBSJdZGnUajg/NN+QBlhhndT1PevFNKaviOJB4ghZUv8V89KZUhZMLuWQHVSr6D
fPQLXCI7mDjv82rydG5NWzE3OiMycLlt3AXWE97G4dhrtQGMPb3KDeGaY2mXBQ5G
Qq+myMZJqx9LbQWPyBgLgQ
PcYDtUs6evvvrjU3cZxaEoj62lvEyRQI4aGvGFK+6E/5ROwjBsyv7g6ClxDOICNU
CUHzDYtbepFIycvqGGm/TDk2ZDknjpcef/pC2MjlPk+WZDkTx2MeNQs6uk8fNvS5
6Ppw3CvdiABcx3NFUrgh/N1NKsvgGCR621q/AkyjodUdjWwTxYbr3XnZVA1J+S6M
Nj+1RGYGBRGvUYcC7JIqArLZaCjDyXlyExtlCzlux8jUtblEBBmuwDYjMjUNE4fB
Qq7D0RZW1AiaMqiFuzB03l9+n+NzYtmWHDWpgZcp1mbTWEaGWvfSI1xxULjp89Hx
+3GopFzQpknChP+KIGWCIA
-> ssh-rsa K9mW1w
QjWGmW/CSl1+xidbzQ7rBjPI9gphRAqC9j4dTsQmK48WlnlG9fAX1w7s8zJI287c
VwtOndfP/yYe8zj14IB0bn/efJ4s9DXS1toSVHhHMXGRYNx4LZJtGrHPEe7bmBDR
g3m6i3dFB48o4niZwLFmsTWD8KpYFPRmGnD9AX7cXtA1KzjD61ebb7dsjQ0J7/04
QLUmPUJ4BMgvMhv5zHfjq/LjasrOVY5QkKi95xYVREacy9hp/5COs9d0d40+qLFh
QJ2CuiOba5+aYnVWtbq63F9YJsAwknPOI2nV64l1BflQGJjec+wS4LPi4+l6pT+0
wPStv+iVu5vYdVNuq7KtnQ
-> ssh-ed25519 iWiFbA Qrs30RtQXXEglsSKQbmeLhZvQB9yR0EbKeba8IV1/wo
o89IKeFH91zdqfRJrIge0Sod6k+66BbN3DcUfnqSgqg
--- zhvOvBCbfuhWDejcJcXxtdypACwgPb1KrqpsNYWiKNc
å<}š‡: ¸Ã2bzªüÙÄq¬SYîÌõr掄Ý}¯â<C2AF> u—»ÌòbŸ\;
ioNuiJFlFdVWMmAHlocThTlQYIn0m9I85WZjtbXbBGaV6B7WPVJOAfj8dsKAx2a+
E8kq3Ffc1iNfcnw5gBb9X9zXReyi1cdSsdjwJS8Wew2was3rcbcRBh4cL+bzZ1U5
BOkUqWo8lF1PNf/oJyjK3y07br8EKcjDTMs+n3AkjGTLyyP2Li2ZwzCHCoKgyHxf
COcFAFWQdli4fZon9KjZ+Je4UtPtyDEKUUZxZMxXsXd4OTs/cpaFpzrl7MpB2Qdg
31x0SQbY7Vt7+88yFoE55NmTTDPtIj9A38xSn9HBGHDl8+nftXTnkoQa+E2gJ2V0
LYeWbozz2zFUQiUsQhM72A
-> ssh-ed25519 Qo6/7A h+m0fzmo6DpdSejGvgcrYIuQFM0My3X+Vk4XvwlRyDg
fWmR5VvANbi8P2zouqz66lxx61YzcW9R6wQLZvh3Y48
-> Z#,x-grease ~ts
zKs31SssQzG0GYI+xfHhfC+0
--- Aa0oGbJedOyry0m22fwH+VY5koBC2NO7o4OwIQe6YlY
4´ž -v°OÊ
n.dýç CèµD«Þ,Ï+kr½>¿ÖdiØþÕáý8ŒÉøŸ³å4

20
secrets/matrix/matrix.hillion.co.uk/syncv3_secret.age
View File

@ -1,20 +0,0 @@
age-encryption.org/v1
-> ssh-rsa GxPFJQ
Z3WKcEusrn04hb2zUpEFBHOoqDIaCzMo/jZuOX/eMKPBqTrxcba9ZgxOFE7+yaUi
FJvlQNg5pQn/vaCtHkJWfBXdKiwZ3pIeaqwNcto8EprKLxIAkLjMBMOursz9k41E
0B4NKRyxiQO2kMgjKb9jYzhioan3NG1Loto8RbjbUPlqn/Q0NEsq8Uql0qaM02Ba
zBd1Xt1MFDtemXxzfmeqLMX45F67B8JKFujnXajR7qoRCmzz6kkj6zb+SEE+Nodq
9J/i4rpgwP0B9Zgp9QqnvOBVuLtxPOv/EE+Dp9Ktj1v5SxlJbQoPBiX5pZd5n3/n
dqibdn1Jls57qCs9sHAlDQ
-> ssh-rsa K9mW1w
BMNOK5nTDPSw5wZsdWlpWzbA62WdDmqg3CdiYSA8mDZT5LFHsmZt4azfwvCWnwKh
jvzWsNgASSdCCGk4xzDR8qzVAvcku5IxgQjGWCfa307r8k1RFMF910+QpS0nsckE
voBCvNIbv1Qjg6MKSXIDmmDjeLedL/0WYp7mX2FHQbs2Mau3xHz+l4mW9C6Dlyeu
PdR6IYJxqxDOqQk2FIMYq7vS1JWDo2ntS3XcufUL4V6TeFj1Soauff9/55hqt8Tm
JlUkbHmc/69bsqbr3en1sk6lk7GV7M87tfjGJuhdsMQLY10jFuZfkpewRhCLTEpR
LFooblAploXTZfXkvmoj2A
-> ssh-ed25519 iWiFbA izGiArlZgQMVSnQv/WG7+tBUnk0z/iUHI1TgAf0d5V0
Qw/pUd8y7UNElE9U+VwE7cQhemfPXFhFoiKQya34Bwo
--- FfPFhjvH78/oBzE1tL93Vxm6fV9zsHL3S8aDb3KWA4o
óœ}þŠ lj¿mE_¿9mç}z ¼?ü-Ø9F•]IóãÞØy7uw¼x¼ŠQ3ÅìüqñŠJ„åVº/”º@>°vÊî-G4;Êí1Ñ&@§k® ÍWë+c*ûžìá|#»û˜Èª­³Wy
fC°

40
secrets/passwords/jake.age
View File

@ -1,25 +1,21 @@
age-encryption.org/v1
-> ssh-rsa GxPFJQ
V2AvkOD5bHByhebVLzXhGpKgD+ZbpXVU8qizj+nvcmsapadSjtnqo/PYHLatc3Hc
9zJoCvW4hXu8DVx6sgEapBUibny8mRBUYm58yxi9UIv4PfutFfOqAaTDolOZkVr2
5cNY6JTjB8l3x0j+rQfSATMebCJr0mexi/vCxfk20BYAYxm71FWa/3HchH5ktf76
YyQFgBG3zSLaWRS8wgWPZxbr3oz2mlQsgAgc2Q+D0RKQ9k9y4MFDy2kQgyBD0mh/
LfEy27pFYDcFq5YFrHDx1mzFP6zmdrgNvJtTvIVHurMX0bjkMVvL1EMPkK89zft0
2fO5lhEhjN1ZtsiRdi1AHw
clM3ZZ+BrFyrKzQEptaVd8zHVtQJZi2gCxeQcdr4X07XFFfDoz+Ft2uY8+FVq54E
U2d1Qorf14/K7ubHlTMFcTLksD9CsMSpj4tiVzZ6jLzoL2g8ygsnllyT2IcG6dmB
8ZLRL+agcZJo+9cfdxOYwJTzjbDuuhGKsQDfS5T833CgDfleJ96XVFkDEnf4yQcB
DBNU4R10SIyHAhRDjZpIRyDAOkwfTVABxHFS9TFfIOWho6tRwfdUeoWAnzqO4wUJ
FFTvnbiX44WU5VbUf7Em/92NDWtDJM98B2s+LbgZpGk3oqcY4iyVJIhi7Tfrz5+m
5EXsa62mgd30xXHkdBp+6w
-> ssh-rsa K9mW1w
Ma3+rklXzp3GvZeLMJRsBFzQn7zx2XSRbeYGjbpwQ15aDaLkvwj30tTkC8T8UOaJ
BxhMcsqVJtUQ+8VDT+8TI8G6z8FZRincI0RTpLXkjnd7wr+7dJGty3I8lvmAZLfc
Lq/ufWLR5siaHbPIdzD7xc3uIOM6uCEtirO69jylsOxI1ln2nFs/XmB7KFKVXFoR
BU7guCumIoxrPU/PRXsSxW2ZgnI/gMGzTFxdfBB+DG5ji3FQJDlQw7PZSKZV3e9r
0zOnJiRIdxwcdw22C5OWPV0NmchcVk07RVMC7g7ZlYn1ZvzyH4F6915vBO0AliQn
owjfSi9xeR8B+6prms40Mw
-> ssh-ed25519 rjda/A R372Lvn/wI+8QHzPHlfdjHbJdsd3CpUP+rDGgBQJCWI
PohaMx5p6FHhx+EwypsBRHq2R3ujNU8UpbmYS8TKOBM
-> ssh-ed25519 8+Ls0w jQRlUZRjOdFjp2jmKLBWiG1EM6XP1JYScC+y5ju62mA
Siiu+PBmnnlXkY3iP16fOaqADppeMLW9csE6ezXOLCQ
-> ssh-ed25519 ikTTQA qQIFOuadfKL5Ie3YekLaMDP5txofg9RDtirNvuun4DQ
C+o9BE/MLnklCpTqR3z4VDULpcHuGolyxfDRMvmzSDM
--- 6gNHbYKsXqKslBJBUbRtAGIGQqqS2uulAq7tmlOBYm4
(rÒNäP+ƒ£_ŠC<43>¡L±s¾—Çë ôíz#vó-) `ÌâCöj¦ÓíÇëÚÈü}}A•.1üḎW«|
g¥ôÓbÏ)Ç
»4_•X¹¢a¸rH…Ø»¾Ý@Aô}YÄüz¶Q€óp«¦Éà(•2øÅm% nš‡
hMggZlLSWTyf2LhYSVnvC11S9yPM7GN5uMRYlRyQoppHsHvNMkRQKYdwdzJUX2QA
5OZ8XQwxct1MAxCp1kiwa7B/EwrlZfoFZgao8VWSs0TZTMCJnYFJ+ETBmVU1JnNa
ZOJR+0bTdFMvWCkf5FeIAPz2CeOQ4XfmyU4QMnMdENzUVqPMoB0vPDd9mPNrWeiz
wuZgD4jqzZDbyuRhveOy4fCBQ485jxnqaT9l+VPQSA9xrDUMC5TA6Vg6yxwmu/hY
pv1Dni7aCiYALRPr7UK2hNUU84cG+8eFf53w+rngzt1lZElvjO0Oailaz5weCkP7
nmSfOOpf5/sHE8uhHb9TSA
-> ssh-ed25519 rjda/A rnnAChws0QFbuQeviARY1GxIMf7Q1EGcLclq9b/pFxM
sOIHM3BMvKIKzXi14CRXJEiIHikJuRf2cl5egADncV4
-> ssh-ed25519 8+Ls0w tJ9gHXR03ez8quA9/KSLzc+g8y1HE7RJ6SPsJ8O66hY
J+YWnfPQClYZRZehQco7zpCZUorLYv8uNinfmcEtq+o
--- iHsZcXh9VESnGPGMQnB7mdn3EVgCUXduFshfX1q88q0
ęAZZŹ=É:“N3ĘVL¨AÓ"6Nčć4µ†áŇş:éƉX`řÍżkÔýěČ<01>9Ŕs/rćaWîÍPŐ@§z<C2A7>ínµE,PŃ{0V$mÎj'"=ŽLîŁ&B9$ú(<1B>w†,mô©gŚźÉtT8J<˙©0ťú… _<>!˙PEv®JÎY鳲ě

41
secrets/restic/128G.age
View File

@ -1,23 +1,24 @@
age-encryption.org/v1
-> ssh-rsa GxPFJQ
S3ctNbWyX1A6JQIN1vNnZamNMMYK20sP5Fv8P6XR4tlrM97QRcFujN6FM3a2siI7
/bHryIpHu1cdK90qCLbIvyYm1lilTrXiN1JIN+4sm808dqinKwUI+RF0B+JzTbLW
JaITpkJubkrudALAoYARWBRcSkBRSnZYfWBIqDyuj42eGiqObTZdw6flA362cplX
j+XaqdyrISSsCq+nH22zpNC62MdwYKGnBNkao3ICZ74lYOdtjPE3FrokGkt1Hllm
AqZaLcYUTBbBlysrf8YlsAK9AvtdRHtwACcBv0YrJ35+HIJP7fkAWkfoCqD6iCu6
z7XHv1LrtMY/HG3md8hV9A
EZBFKBAzoSqlSaMvehEGiiCXaT7qhewJy1v6mr3NVCvQqTck6STzEBoalKDi3mIF
fLoX7oVMEh5bgOkKIYBiv00ueHe+osNCJtx/dHx9X462RXixrcbIqdPCD+XS0puZ
CxaohxNu+kSmbtZc9pZ8PETZ93dmCetSIwo1uQiGJChFBxNn7lm/fvOPvdN1821i
ougijCL+f8fG/fymXnnlULbAdyhUI+6Hx2WAP8v9796XQHBieKJJfRFVhbUGRKD9
1AK66zZClZ1dD8SuZBtCnafrVm3Wjwys2aKgncKdrWuNoScWoZNiL4nS55w3PCEN
U2Jq6smqxjPdC/18xuBiNA
-> ssh-rsa K9mW1w
fv366v8Yl7JHgYP6dyy9CMDY7KtjTK22WZed2zRTNpK4Z2lPrhPkMSahjuKCOtg1
dPw2/mxHL/765f5V+ayGa3OxGzVfycmsKfTWhEBa6AcumVUTXCXk9i0u8MkyW36n
RjSd2wAPhXXt/RJUg0OQ7GB5ILY7sy/z8TGByMIWKUfNqqxJeBqm+D6k4kMjOkx4
/S0JEPFpC3izwVjjnQh+NX5Wm9qOVNViJcCJ/+XX+ydK1uloeZjDvSs1E2+/xlo6
wC4hsIBo7qQ9Fi0XIyE0UZiuLLtwozNEvctIzYOLMgqprP/zVgvDMc/qIrxN6ZzG
zC/n6bzufZ1v/wkyQZVz3Q
-> ssh-ed25519 nWv9MA YWPBSHvP1thV1nTOqv1dSLD3hsmwAoPZ3ha8uyy6ciw
lNiy/gXYtBwMqwPu4kKHPXmA/t/iQ3sYYtZFO/kwB0o
-> ssh-ed25519 iWiFbA K/RtHtowVbVOFjciimyV3qncJpGdXnlgPu2wydgbZC8
RE2ZIl7Huu03JzI2HnzPQlXOH1lCK+Gq85s7ZGQoKOk
-> ssh-ed25519 L5AKYA QeK0d2kufo23d5gYcyz43ZZJG/r6ehro6aF9VIiVihA
D2UVzyBu/ZEgXRvmosYS/EOGFSWVaRANQnJgue1vFzg
--- xS5J/VAzbw0OANF+qfcLIqcrtLpXkRct2miWOIhM+Uk
§[Ði<1A>,g¯ý-EÛy®4*ðÞ&'ЊÁã:°fQ°aº55 „zC®Þ§ A<>
wYSU6EnCqBEQL950d/suDPPmJmqiPWHX0GJuc37bYffJTCJIJKthk43FDOWrcgbD
vsfTjRkzRZY8H6ngTTlwIuECzoJDhLq4/4n69dOi2Uz8XZvD9y6lPE7qmqClMziZ
mtheoib/PVoV6OvPnCg+d52HfR2REuQNHxGhNucDOjmL+lcjYNqrVq1IHhZJ0WUh
4+8J5kA17yFtdnLuIcIPdVNZ1oI1Y5E6H+fiJhje5cnEJ7u/GQAFRLmdV36cZDzF
OaUap/nxyAIjga+zbGptHjvKvLfWL+5EA+H47es6xcpJfadBuq0+AfTlSvsQzrqj
15xCp6IeGXJeZCOF3NchWw
-> ssh-ed25519 nWv9MA k5cpWIDL6sNwqlr9dx3KBd8SXW4gwLZwjUPD1jqL4VM
xkDd8nnNoZNOPxIMt2iXvOVjUXxPcBpI0KD1I4p40p0
-> ssh-ed25519 Qo6/7A 7eJXxyASGk0iZu7o81zoiIm33IILsL9I7ScDXARPXzw
L0WP9V9nkRUvLXVVWf6BWf2GR8xvEI0LkDDAYOmGqLE
-> ssh-ed25519 L5AKYA h7RKESPZ5k1wt67mErHvfWBpXY20mTVf/rMsvEcnb3s
xoHeghX8qvq2A9LYQpH+jna3Qr9tegIkTI/RhcZFXig
--- EwX1bjkJInYJEdM64ZNnt4UfwXAHcAz6ce+eBU9ORC0
š®
@µéÂl’¥ëf}É4Œ0÷urú *'n•³%j=Õ’´"<22>÷œ;y§×

59
secrets/secrets.nix
View File

@ -12,18 +12,12 @@ let
co = {
hillion = {
ts = {
cx = {
boron = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDtcJ7HY/vjtheMV8EN2wlTw1hU53CJebGIeRJcSkzt5 root@boron";
};
cx = { jorah = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILA9Hp37ljgVRZwjXnTh+XqRuQWk23alOqe7ptwSr2A5 root@jorah"; };
home = {
microserver = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPOCPqXm5a+vGB6PsJFvjKNgjLhM5MxrwCy6iHGRjXw root@microserver";
router = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlCj/i2xprN6h0Ik2tthOJQy6Qwq3Ony73+yfbHYTFu root@router";
};
lt = { be = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILV3OSUT+cqFqrFHZGfn7/xi5FW3n1qjUFy8zBbYs2Sm root@be"; };
pop = {
li = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQWgcDFL9UZBDKHPiEGepT1Qsc4gz3Pee0/XVHJ6V6u root@li";
sodium = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQmG7v/XrinPmkTU2eIoISuU3+hoV4h60Bmbwd+xDjr root@sodium";
};
parents = { microserver = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0cjjNQPnJwpu4wcYmvfjB1jlIfZwMxT+3nBusoYQFr root@microserver"; };
terminals = { jakehillion = { gendry = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPXM5aDvNv4MTITXAvJWSS2yvr/mbxJE31tgwJtcl38c root@gendry"; }; };
storage = {
tywin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGATsjWO0qZNFp2BhfgDuWi+e/ScMkFxp79N2OZoed1k root@tywin";
@ -40,26 +34,17 @@ let
in
{
# User Passwords
"passwords/jake.age".publicKeys = jake_users ++ [
ts.terminals.jakehillion.gendry
ts.home.router
ts.lt.be
];
"passwords/jake.age".publicKeys = jake_users ++ [ ts.terminals.jakehillion.gendry ts.home.router ];
# Tailscale Pre-Auth Keys
"tailscale/be.lt.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.lt.be ];
"tailscale/boron.cx.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.cx.boron ];
"tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.terminals.jakehillion.gendry ];
"tailscale/jorah.cx.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
"tailscale/microserver.home.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.home.microserver ];
"tailscale/li.pop.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.pop.li ];
"tailscale/microserver.parents.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.parents.microserver ];
"tailscale/router.home.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.home.router ];
"tailscale/sodium.pop.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.pop.sodium ];
"tailscale/theon.storage.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.storage.theon ];
"tailscale/tywin.storage.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.storage.tywin ];
# WiFi Environment Files
"wifi/be.lt.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.lt.be ];
# Resilio Sync Secrets
## Encrypted Resilio Sync Secrets
"resilio/encrypted/dad.age".publicKeys = jake_users ++ [ ];
@ -75,19 +60,20 @@ in
"resilio/plain/sync.age".publicKeys = jake_users ++ [ ts.terminals.jakehillion.gendry ts.storage.tywin ];
# Matrix Secrets
"matrix/matrix.hillion.co.uk/macaroon_secret_key.age".publicKeys = jake_users ++ [ ts.cx.boron ];
"matrix/matrix.hillion.co.uk/email.age".publicKeys = jake_users ++ [ ts.cx.boron ];
"matrix/matrix.hillion.co.uk/registration_shared_secret.age".publicKeys = jake_users ++ [ ts.cx.boron ];
"matrix/matrix.hillion.co.uk/syncv3_secret.age".publicKeys = jake_users ++ [ ts.cx.boron ];
"matrix/matrix.hillion.co.uk/macaroon_secret_key.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
"matrix/matrix.hillion.co.uk/email.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
"matrix/matrix.hillion.co.uk/registration_shared_secret.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
# Backups Secrets
"restic/128G.age".publicKeys = jake_users ++ [ ts.storage.tywin ts.cx.boron ts.home.microserver ];
"restic/128G.age".publicKeys = jake_users ++ [ ts.storage.tywin ts.cx.jorah ts.home.microserver ];
"restic/1.6T.age".publicKeys = jake_users ++ [ ts.storage.tywin ts.home.router ];
"git/git_backups_ecdsa.age".publicKeys = jake_users ++ [ ts.storage.tywin ];
"git/git_backups_remotes.age".publicKeys = jake_users ++ [ ts.storage.tywin ];
# Spotify Secrets
"spotify/11132032266.age".publicKeys = jake_users ++ [ ts.terminals.jakehillion.gendry ];
# Mastodon Secrets
"mastodon/social.hillion.co.uk/otp_secret_file.age".publicKeys = jake_users ++ [ ];
"mastodon/social.hillion.co.uk/secret_key_base.age".publicKeys = jake_users ++ [ ];
@ -101,7 +87,7 @@ in
"storj/auth.age".publicKeys = jake_users ++ [ ts.storage.tywin ];
# Version tracker secrets
"version_tracker/ssh.key.age".publicKeys = jake_users ++ [ ts.cx.boron ];
"version_tracker/ssh.key.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
# Home Automation secrets
"mqtt/zigbee2mqtt.age".publicKeys = jake_users ++ [ ts.home.router ];
@ -114,21 +100,12 @@ in
"deluge/auth.age".publicKeys = jake_users ++ [ ts.storage.tywin ];
# Gitea Secrets
"gitea/lfs_jwt_secret.age".publicKeys = jake_users ++ [ ts.cx.boron ];
"gitea/mailer_password.age".publicKeys = jake_users ++ [ ts.cx.boron ];
"gitea/oauth_jwt_secret.age".publicKeys = jake_users ++ [ ts.cx.boron ];
"gitea/security_secret_key.age".publicKeys = jake_users ++ [ ts.cx.boron ];
"gitea/security_internal_token.age".publicKeys = jake_users ++ [ ts.cx.boron ];
"gitea/actions/boron.age".publicKeys = jake_users ++ [ ts.cx.boron ];
"gitea/lfs_jwt_secret.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
"gitea/mailer_password.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
"gitea/oauth_jwt_secret.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
"gitea/security_secret_key.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
"gitea/security_internal_token.age".publicKeys = jake_users ++ [ ts.cx.jorah ];
# HomeAssistant Secrets
"homeassistant/secrets.yaml.age".publicKeys = jake_users ++ [ ts.home.microserver ];
# Web certificates
"certs/hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.boron ];
"certs/blog.hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.boron ];
"certs/gitea.hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.boron ];
"certs/homeassistant.hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.boron ];
"certs/links.hillion.co.uk.pem.age".publicKeys = jake_users ++ [ ts.cx.boron ];
}

BIN
secrets/spotify/11132032266.age Normal file
View File

Binary file not shown.

19
secrets/tailscale/be.lt.ts.hillion.co.uk.age
View File

@ -1,19 +0,0 @@
age-encryption.org/v1
-> ssh-rsa GxPFJQ
quD5S+nsgtv5VnsIk08B5Fqhs4oJFmwuw/mj2GwhOhzgMSzF/KiWnkRlcKL3w2LY
zXnh2hB4kQHeudSNXLEh+3WupvynPcaSiuzBQaG559lBroFHR/Vw90MthhnnJszv
a0WQzcLy0e+46gyV5PGD+qX281/lLJMztC6onR7WdGwfBdGsv9z/y4RVkGi/A34n
pfXeJuTAP+tRcIeQCXUP87XBZdXBruNNtlRwM16UaVx2SzQH/WAirTD1zaG9GNG5
oN8Uj030maXgxVBAzCwyM+9euWllx5XBuvpVsxypB0uqZZV7YJ108tjyY5ydDGTY
tIV99TBm9IsENczBY85+ng
-> ssh-rsa K9mW1w
ZfMMTh58zNW63m9HaAdZ9KmlCiCAWfmMUyYBfnMEc3h7K5bIJPU3E7DymtvlO53/
CsXMGb+t/cnctrTGlFT2VP8OhoQ5vQfDShjBbS49zYaP6oZR2D0iX7LqRSzZPpQF
SWyFWnXKvYIRmtSXT8Ld+kfONBna3nLWUcPiBgQjLJ7pcRA2UJb78+t5sDKJp7iu
CFbOEBIHBwnt5uk4tThzB/uZlJO1UMNRttgW5yyiivUSMHuVL729vllXNN2+4EUn
H0r88XV6jR6j26Xvx7VmdZV6lLBUFJiBjy353OYfvl7wYWsTMZqRttJi+MZ6kx6V
5NmbqWhtJ8ZoM3L1oV6DEQ
-> ssh-ed25519 ikTTQA ahMu1d62ggresMO+p12kL27Sv+m0jMGG+FH9Knq27yM
0dxGvslHl7EYLOl1nmXPqJBclwtid2+nV3zhJUNa8uQ
--- JLHa4NeSjrwXflyWsZpr/vFO6SpTGXOpocmEDVOotE8
„#¿I¼æ¨÷á¥þÆÀæãç¤Ô SòØû5½%ù©³r:oLkÕ?Ÿ<ÈÚ‡ÄNù!ÔT¹ä`6 ·.Ɉxé¶è:Œ¥S~$UónXÐ(ü\d ²;W

20
secrets/tailscale/boron.cx.ts.hillion.co.uk.age
View File

@ -1,20 +0,0 @@
age-encryption.org/v1
-> ssh-rsa GxPFJQ
KaDpbglS1rAJv+jdkYv81xbu6jm20CR/L4AnrCJhBRqAl/oOd0+dJ2+6Nf71TuLK
xCYDsQhvpOZNTokg3h7vfCBQFW3twvuDFXetETKkieQmE2KvXpRR+r8C6JnI9TMF
z6UcCMyl5wIctHt+hjOy5EPap93G7zXKu4cSBIVt+9C95ThGDZcCo8CFSguJykRQ
xgbT+9l/1DlrCyrbX6efNGYyuxPkqXqS9MuF5A9/ScsyXbfACqxOxb4255Q784+u
TkgV4aOIlxmGaI8l6OuCLwavmt/stKKkW7M8seDdm0ro975r9ogDlJlr4JSO2wmW
8rknDFzzdBtnXgqp6PWtUw
-> ssh-rsa K9mW1w
MuSScMNbn2QWudIop+kA+v6UrlXEzXk/3tgyJ0248K7vj2DX+wRUb3dc2EewrfIt
0wDslBWKZxDoOjXS4HcuSDRnXxZwg1eT3RjhlKRPjVMhKj4V2OG/4eelQd+0wfJv
OIzvQzkRqw25vk+hfWFJ+UwLkZ6/DVDm8YjQ70bMmpJcJmC+sn6muta8n3qVpI3a
jrHZk4Qs4Bpmmcq7MbFuGnp8XLP+2EnOCAGWpIH82LWKf4ZOAry06tu153ilZ+pD
dr/khG8kIoZWCvXHS1ZlsKsM4l2+ljdTXqrhoIR60/3/J2X1pf5lg9/du0lUU7wG
6DjCagmoQx45VCvysrwi7w
-> ssh-ed25519 iWiFbA 5ufDF6LdfTqTDNGWCKi4tQKQDm/gNB1PLRGw7K9QpmM
PsNdWW0tPRT8KQrBtiRWeOin/SsDeRl0HJMUnZERaFE
--- C5mp1K/mzIrDH1BAOAYs1RN3Nhj+6sUn+urZpZuJbrA
ý8xÒÕq5z0ëÕj09îS<C3AE>‰IÆ­mtYr×¹©…Âéò5LZ<4C>Èž<E28098>^Ê/‰wÍk³Êš
1o[Èú+Ñ wò/¬5Õ1¹š/hœXõÁQ<E2809A>ƒj³Яµ

23
secrets/tailscale/jorah.cx.ts.hillion.co.uk.age Normal file
View File

@ -0,0 +1,23 @@
age-encryption.org/v1
-> ssh-rsa GxPFJQ
kqQ9ovZi1Wqf7hz75QB+v8oLr5oRT4Uce7juM+R04CrOOGn1O6DkQtVeFa4Q7Ho0
DTYeaP3jTR8zo7poTI323q8FbQ/dLG4jxBFafDZJZlXGEThVLnhNYqZZSjiCJHma
hUn8nSC0y6AdA+lMn8tvZcaivaYpPtT+bALXtvxZ6rTo+mTbJrVRxPY5FZdmdmCC
Z1h3UFZoyuAO9VWQKtPO3o0Ijh+L7e+TFdRl1YowGB+hvZdJ08AkPXrwIEUMnnMA
+e/FA5HxHgvi6ud8RTcAkaecYt0l/vKDgBON9ESfHIMuS+vNk5GKT7a+ImKmfb4/
o2cSmR8y/+J5z4MEBcj/Vg
-> ssh-rsa K9mW1w
veHh0OpoW3Hnvy9k7NwANMae2StqGcohTI9hfeHNi7mR6wHly1HqOD9U7eijVYIC
qvKJsk7sEO8NyAVqLWqrvdq9bLkgTgsNWQsXbulY8VHhwZMIko9YYIZeJv8Um9Bz
q4QiwJW1KoLItqJNR9c1ZLRfwHaLZwKTThAKMjgt5KFiN5NJYb9CLbAZi4eG1hi0
PsIP/S/dsUKAeN6Bz2JZ4HB0jsvyPiQLr2p4q5nfEKybJEmjOfc9Z7TjwZTNlC0Y
0MKVarhwFqsMIP63gTYZisacAhmsG7DoLFA5eHf0VPa1KjqFait0dG+zuojehMfj
uifZFGahsWaAMg+oq+/Cvg
-> ssh-ed25519 Qo6/7A sLXu4pSLH2lnzLYVzisN9Zl/EW1jL21Km6kPZO0/Zjk
chDyf7Sb5GtSVi3TmfYpwwFbI3PhoOnxS5lRcqQGwyY
-> Y1-grease ,Lz| "Uil>z36 -K
xfFD+uEZIkGkysF3HdMkMbhsPnu+Cnu6o8tT0lq8rdSOn26V6Fj5CZi1muuD7d2c
BLtH1vyQx4M71Hb6PmKu7+s5V9xsJqKxtDqx/6iAc9uZnbmeU27nsA
--- YXh9Kl4PGetzx8qsLJa5gTO3W7UNtio1tXs/HXS271U
Þûa…kž+J+/û€áñ<1A>ÍKÅbÄä‰éù|Ï$MäåÒ{NýÇ]¦ï=ö7Ïß@ƒ<E280BA>(h.ql2 ¢X}]ê,¦'ùN ÙCô!Æ;ØW£±
äû·Dï

20
secrets/tailscale/li.pop.ts.hillion.co.uk.age
View File

@ -1,20 +0,0 @@
age-encryption.org/v1
-> ssh-rsa GxPFJQ
SQTBZLqLSZF1qk3F6YHkohBdxBA7Rc0sA8ztZcgSu6b1QtAeMR+WCPjF4faxdGnd
gIh4gJoiC7iF3GTr280VuyeldqelBd7xGJ8V84+WXL9v3br7+o3qNIYPwoFBogx1
DBV4if3l1w8Pi4haUkxibagN2p+bv5MBxF+gwd3axUaROR94L2HPemqS6WlL1sui
hOtTUrSMOUu55Hh6E+LjFEsZDym3NQLc85CS9Cm0tM+bV1J+O++CiYdwsRcTG7Iv
uuA+XSp1xngYnutgzkdB0Gnx4GELU+g7qGAU9ax1xEFufMXw9bSECiWpK5geupyr
3djMf7PfkMx0e4N2z7UmsQ
-> ssh-rsa K9mW1w
JCmqBB+NorRVGbVMQDz4nWN46P9h33qpG5qZ9R10NYUNZbTwQF+h9akIT379ZGrG
dZ/22wsS1qOESXbLU3l7JIQDnGP/sxhgU9Alm8fQtbahxtLBSNvju1hqa/Z7oa+Z
+U+Bynd+8qPfEAxMKDf3Y+y4h+17NO7ijA2trLgIrqMnTVm4bR8plEBkIMC++LB4
Vg7ze7w9gTVO6WYi2ybUnrrsRbrCl/GbKjtb+THERXGVNoR+ID4OzuhCj2hT0cLA
xFNhZxIkUNriYd9WLa3+fmQFCWBCsnSfYCS3Qzh+jeiJbIDR+klpUJVIxweJRdDZ
EscWQivkscSKsUBD7679Nw
-> ssh-ed25519 f268Tw E3UlXQTE/yDbBaukFto15hBb1kyudXA7cDFR658qsDY
dCPqHkoHvKK6+prYaOBSyymqYRcePUH5BfhjoMcQIzk
--- B9msRbaSxQPJ8DgWPsAq3OudbwAWMYGhSJt8AHbgU/4
ê.¾ºAt@¤\ºF<C2BA>ìd¸š%†fËÂbpÙ¢~ÁQáF¶
$×éì.m<>“Ó,m< ÅFÄ©Oü’l=µ#Ííü‹=³_ zŸ%fx<7F><78>5|ס®:èSU[_£.øg

22
secrets/tailscale/microserver.parents.ts.hillion.co.uk.age Normal file
View File

@ -0,0 +1,22 @@
age-encryption.org/v1
-> ssh-rsa GxPFJQ
Yo+wHpsHuYC66kQSt1gxE/e8PZrJLI97cOdxCn7idrkgQn4cgI3ikbx+biKq+7Jy
nASaMD/EEiOd3Ryjj+0o/4BJP21iP6tH2QUYhzZ3kVvxYhd9mhtgckWaUO1NqTE0
OIxVRBlAQWs0T8PP0WJrEL8H4ig5cmdWzfeLPKTMpph7laI0HDJf0DLZAH1XpcBa
SppQxSj6ob3wie2ixKBjiRUkdoGe2rdV+WFkWro1+EAobI36CBmmPMTNLTrBgKDT
ANGvxRkODzdH0SaBCNJtuNZRU+k25z+izX9Mxnw4VRAMYr63lUKgVCz8NbuLHinf
hRnGZ1Stn8FFrkzyTV+SFA
-> ssh-rsa K9mW1w
ioraEWZ19bulZJ2vaiNbKe9f9hZBaE9U8HX10Q7oRXAsJ+MS5x1kcgUk5Afnvymp
O6z3peH7cgEkWGAVN9eN71WY3l+V5CieV06tGNVKYdQZpXpeN/maJbIosbzqvy5N
6rTp3IaRO2/5DY+EEDGOrqXBJpAo6GtcalgDOnCylnIjarCqdCfo3poWtmRfZd5l
bN0pEo97MeQRJ4qJYvLggX0XkZfiRgRTHLw18NHmotxEGqDhITAaGb8LLPnVazOm
yafG6umoICz/hrXSDZG4iYdEjOEI+Wt6z6IQWGXjtRrqGMbgniTMHL2r0F4wrlfh
gRLqGXy4dCJt7sui1KzJ/Q
-> ssh-ed25519 aDuQXQ oK470iNVMGm67Na1vWSNTEZm5YBpX2+Td5Ef587HFWM
oWMRqa2FuIHbdAAJ6w+J7YpE0LAyxEhvLW3vxG4G0rw
-> T{-grease
og2ZkuZjLYtA1ZZeFGJjojtiHBf4BarCmFCkrufoPJVw4V0+Ib6UA7IVnz3bPlth
jQwc8tS/RwO80DqAdjq+csYJ1KsrrwJAeB12a0aMjQrDipM
--- vZLN8TNIsg4EaR8FnjfSXZN+J7tkCG/pYJQePQIZLgM
%.å±(<28>rtpfÙ¸gë™VÌ8 ðKO2Ãpz[÷…*@ZíÛÝ|ê'ûy6\^·§ƒoöò©yµ8†vÞZêÍ.“›?¶L·ˆå:eÙÙ·Ú= €ôÝ„¬[uí 

19
secrets/tailscale/sodium.pop.ts.hillion.co.uk.age
View File

@ -1,19 +0,0 @@
age-encryption.org/v1
-> ssh-rsa GxPFJQ
rgebPOZWAkQIqQZn5UywtUzu1ZpEK9yF3wDLl7b76vOLBM8BeE/cud2AgwRe49VM
UfbL+5IInvqvVCtCmciVvDhBp85BLvuB/e6DkWxH+HkKm7/stgXkuaotnbxftLN5
w90Qz8jVgwOSWlpDdW+MACphLBOiDe6oUrcodiQTD+FmA/cH7oEnjaxyElZA4aey
Yw6df7NiMCbh8LitSqLm9YTB6yWlVw6fumpvsVJqW9UPOdTtOEilFT6qrXIMeu10
MEdDkU5FlocDSxYLN1buIRSVb+wtN8eSYrMsOd7zwB/FYWw9fFNbZ/1JFxQKl9SK
w+fHN1jQyOjKpbYELeCdRg
-> ssh-rsa K9mW1w
hAYfQrfwWNmck6t7oDzS/JKd7Gb/j3MMH19kEZ74k2Z/t6j9VgNlo0cLCQCRd29l
NXNwx4H1VLFqP0f0YOIpbeZAPjvLxWODv97ovLWTtokPX9/kDugigqdW59KYcxWB
cbGAJrBm+D7b5uEuVBCWWBAAv8dZ4EajguoBR6u9mkJRDyy55q3JnS8zUoSz/9XK
Ne+pf9Bej2hen5CrFJoIBs3YGL81Tqn9zfI3RsgyncB355aL0bH3FKeeWU/Qm2Eb
fqJroSjNteWp+vqu9RzgrzpRUrZbw+KZL7sssTc0qXTI6UuUrchJ3ku8bOAmYYj+
4GgOgMeY5ne15Xkc0g/U7Q
-> ssh-ed25519 oW6Y8A koK5dt68rm3ItiMLS/D85cL1FyvBFOoOUn2iU431HXk
isWccUR1wymJzBSoNVh+aFMrp1/VS3In6w/kcb1RTSM
--- Askgu9440tsbF855jM94XpINs1fv69fSY/+CchwH/q8
š3 ÌV÷<07>Ôy~ϸtˆ¯ÿÉÏè@öpƒÆࢅ~Ón­°¥Ä ¾âaUUr•1P¤žÓ6W8ÆFÎ<46>Å<EFBFBD>€?ë­7…üÞ&Ü—OŠ×t|œpoË

Some files were not shown because too many files have changed in this diff Show More