Compare commits
124 Commits
Author | SHA1 | Date | |
---|---|---|---|
d5c2f8d543 | |||
1189a41df9 | |||
39730d2ec3 | |||
ac6f285400 | |||
e4b8fd7438 | |||
24be3394bc | |||
ba053c539c | |||
3aeeb69c2b | |||
85246af424 | |||
ba7a39b66e | |||
df31ebebf8 | |||
2f3a33ad8e | |||
343b34b4dc | |||
264799952e | |||
5cef32cf1e | |||
6cc70e117d | |||
a52aed5778 | |||
70b53b5c01 | |||
3d642e2320 | |||
41d5f0cc53 | |||
974c947130 | |||
8a9498f8d7 | |||
2ecdafe1cf | |||
db5dc5aee6 | |||
f96f03ba0c | |||
e81cad1670 | |||
67c8e3dcaf | |||
1052379119 | |||
0edb8394c8 | |||
bbab551b0f | |||
13c937b196 | |||
6bdaca40e0 | |||
462f0eecf4 | |||
5dcf3b8e3f | |||
b0618cd3dc | |||
a9829eea9e | |||
cfd64e9a73 | |||
b3af1739a8 | |||
cde6bdd498 | |||
bd5efa3648 | |||
30679f9f4b | |||
67644162e1 | |||
81c77de5ad | |||
a0f93c73d0 | |||
78705d440a | |||
3f829236a2 | |||
7b221eda07 | |||
22305815c6 | |||
fa493123fc | |||
62e61bec8a | |||
50d70ed8bc | |||
796bbc7a68 | |||
8123653a92 | |||
55ade830a8 | |||
a9c9600b14 | |||
eae5e105ff | |||
f1fd6ee270 | |||
1dc370709a | |||
de905e23a8 | |||
9247ae5d91 | |||
7298955391 | |||
f59824ad62 | |||
bff93529aa | |||
13bfe6f787 | |||
ad8c8b9b19 | |||
b7c07d0107 | |||
9cc389f865 | |||
2153c22d7f | |||
a4235b2581 | |||
36ce6ca185 | |||
e3887e320e | |||
a272cd0661 | |||
1ca4daab9c | |||
745ea58dec | |||
348bca745b | |||
0ef24c14e7 | |||
d9233021c7 | |||
b39549e1a9 | |||
8fdd915e76 | |||
62d62500ae | |||
b012d48e1d | |||
eba1dae06b | |||
b6ef41cae0 | |||
700ca88feb | |||
1c75fa88a7 | |||
c3447b3ec9 | |||
5350581676 | |||
4d1521e4b4 | |||
88b33598d7 | |||
4a09f50889 | |||
cf76a055e7 | |||
f4f6c66098 | |||
2c432ce986 | |||
d6b15a1f25 | |||
bd34d0e3ad | |||
52caf6edf9 | |||
016d0e61b5 | |||
b4a33bb6b2 | |||
8cee990f54 | |||
59e5717e00 | |||
f2fe064f72 | |||
dd76435ec3 | |||
85e5c9d00e | |||
ca1751533c | |||
8900423527 | |||
1ae3cf0c41 | |||
72898701da | |||
3c693ee42f | |||
9752e63f09 | |||
d4fb381fcf | |||
e812e96afc | |||
d3fb88a328 | |||
804aa10048 | |||
8f493d1335 | |||
9674e6651d | |||
88378c3179 | |||
d682d5434b | |||
790d0a8a6b | |||
78a024a924 | |||
5e725b14bb | |||
7f25cab5f8 | |||
b0e4e2cca1 | |||
80b4305e60 | |||
90cbec88db |
27
.drone.yml
27
.drone.yml
@ -1,27 +0,0 @@
|
||||
---
|
||||
kind: pipeline
|
||||
type: docker
|
||||
name: check
|
||||
|
||||
steps:
|
||||
- name: lint
|
||||
image: nixos/nix:2.20.1
|
||||
commands:
|
||||
- nix --extra-experimental-features 'nix-command flakes' fmt
|
||||
- git diff --exit-code
|
||||
|
||||
- name: check
|
||||
image: nixos/nix:2.20.1
|
||||
commands:
|
||||
- nix --extra-experimental-features 'nix-command flakes' flake check
|
||||
|
||||
trigger:
|
||||
event:
|
||||
exclude:
|
||||
- tag
|
||||
- pull_request
|
||||
---
|
||||
kind: signature
|
||||
hmac: 5af72ec77460d7d914f9177c78febed763ea1a33dc0f0e39e7599bbf8f4ad987
|
||||
|
||||
...
|
23
.gitea/workflows/flake.yaml
Normal file
23
.gitea/workflows/flake.yaml
Normal file
@ -0,0 +1,23 @@
|
||||
name: flake
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- '**'
|
||||
tags-ignore:
|
||||
- '**'
|
||||
|
||||
jobs:
|
||||
flake:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: DeterminateSystems/nix-installer-action@da36cb69b1c3247ad7a1f931ebfd954a1105ef14 # v14
|
||||
- uses: DeterminateSystems/magic-nix-cache-action@87b14cf437d03d37989d87f0fa5ce4f5dc1a330b # v8
|
||||
- name: lint
|
||||
run: |
|
||||
nix fmt
|
||||
git diff --exit-code
|
||||
- name: flake check
|
||||
run: nix flake check --all-systems
|
||||
timeout-minutes: 10
|
@ -10,3 +10,4 @@ Raspberry Pi images that support Tailscale and headless SSH can be built using a
|
||||
nixos-generate -f sd-aarch64-installer --system aarch64-linux -c hosts/microserver.home.ts.hillion.co.uk/default.nix
|
||||
cp SOME_OUTPUT out.img.zst
|
||||
|
||||
Alternatively, a Raspberry Pi image with headless SSH can be easily built using the logic in [this repo](https://github.com/Robertof/nixos-docker-sd-image-builder/tree/master).
|
||||
|
27
darwin/jakehillion-mba-m2-15/configuration.nix
Normal file
27
darwin/jakehillion-mba-m2-15/configuration.nix
Normal file
@ -0,0 +1,27 @@
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
config = {
|
||||
system.stateVersion = 4;
|
||||
|
||||
networking.hostName = "jakehillion-mba-m2-15";
|
||||
|
||||
nix = {
|
||||
useDaemon = true;
|
||||
};
|
||||
|
||||
programs.zsh.enable = true;
|
||||
|
||||
security.pam.enableSudoTouchIdAuth = true;
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
fd
|
||||
htop
|
||||
mosh
|
||||
neovim
|
||||
nix
|
||||
ripgrep
|
||||
sapling
|
||||
];
|
||||
};
|
||||
}
|
91
flake.lock
91
flake.lock
@ -2,19 +2,23 @@
|
||||
"nodes": {
|
||||
"agenix": {
|
||||
"inputs": {
|
||||
"darwin": "darwin",
|
||||
"home-manager": "home-manager",
|
||||
"darwin": [
|
||||
"darwin"
|
||||
],
|
||||
"home-manager": [
|
||||
"home-manager"
|
||||
],
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"systems": "systems"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1703433843,
|
||||
"narHash": "sha256-nmtA4KqFboWxxoOAA6Y1okHbZh+HsXaMPFkYHsoDRDw=",
|
||||
"lastModified": 1723293904,
|
||||
"narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
|
||||
"owner": "ryantm",
|
||||
"repo": "agenix",
|
||||
"rev": "417caa847f9383e111d1397039c9d4337d024bf0",
|
||||
"rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -26,21 +30,19 @@
|
||||
"darwin": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"agenix",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1700795494,
|
||||
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
|
||||
"lastModified": 1726188813,
|
||||
"narHash": "sha256-Vop/VRi6uCiScg/Ic+YlwsdIrLabWUJc57dNczp0eBc=",
|
||||
"owner": "lnl7",
|
||||
"repo": "nix-darwin",
|
||||
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
|
||||
"rev": "21fe31f26473c180390cfa81e3ea81aca0204c80",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "lnl7",
|
||||
"ref": "master",
|
||||
"repo": "nix-darwin",
|
||||
"type": "github"
|
||||
}
|
||||
@ -50,11 +52,11 @@
|
||||
"systems": "systems_2"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1705309234,
|
||||
"narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
|
||||
"lastModified": 1710146030,
|
||||
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
|
||||
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -66,52 +68,51 @@
|
||||
"home-manager": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"agenix",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1703113217,
|
||||
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
|
||||
"lastModified": 1725703823,
|
||||
"narHash": "sha256-tDgM4d8mLK0Hd6YMB2w1BqMto1XBXADOzPEaLl10VI4=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
|
||||
"rev": "208df2e558b73b6a1f0faec98493cb59a25f62ba",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-community",
|
||||
"ref": "release-24.05",
|
||||
"repo": "home-manager",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"home-manager_2": {
|
||||
"home-manager-unstable": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
"nixpkgs-unstable"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1706981411,
|
||||
"narHash": "sha256-cLbLPTL1CDmETVh4p0nQtvoF+FSEjsnJTFpTxhXywhQ=",
|
||||
"lastModified": 1726357542,
|
||||
"narHash": "sha256-p4OrJL2weh0TRtaeu1fmNYP6+TOp/W2qdaIJxxQay4c=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "652fda4ca6dafeb090943422c34ae9145787af37",
|
||||
"rev": "e524c57b1fa55d6ca9d8354c6ce1e538d2a1f47f",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-community",
|
||||
"ref": "release-23.11",
|
||||
"repo": "home-manager",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"impermanence": {
|
||||
"locked": {
|
||||
"lastModified": 1706639736,
|
||||
"narHash": "sha256-CaG4j9+UwBDfinxxvJMo6yOonSmSo0ZgnbD7aj2Put0=",
|
||||
"lastModified": 1725690722,
|
||||
"narHash": "sha256-4qWg9sNh5g1qPGO6d/GV2ktY+eDikkBTbWSg5/iD2nY=",
|
||||
"owner": "nix-community",
|
||||
"repo": "impermanence",
|
||||
"rev": "cd13c2917eaa68e4c49fea0ff9cada45440d7045",
|
||||
"rev": "63f4d0443e32b0dd7189001ee1894066765d18a5",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -121,29 +122,44 @@
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs": {
|
||||
"nixos-hardware": {
|
||||
"locked": {
|
||||
"lastModified": 1707347730,
|
||||
"narHash": "sha256-0etC/exQIaqC9vliKhc3eZE2Mm2wgLa0tj93ZF/egvM=",
|
||||
"lastModified": 1725885300,
|
||||
"narHash": "sha256-5RLEnou1/GJQl+Wd+Bxaj7QY7FFQ9wjnFq1VNEaxTmc=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "6832d0d99649db3d65a0e15fa51471537b2c56a6",
|
||||
"repo": "nixos-hardware",
|
||||
"rev": "166dee4f88a7e3ba1b7a243edb1aca822f00680e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nixos",
|
||||
"ref": "nixos-23.11",
|
||||
"repo": "nixos-hardware",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1726320982,
|
||||
"narHash": "sha256-RuVXUwcYwaUeks6h3OLrEmg14z9aFXdWppTWPMTwdQw=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "8f7492cce28977fbf8bd12c72af08b1f6c7c3e49",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nixos",
|
||||
"ref": "nixos-24.05",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1707268954,
|
||||
"narHash": "sha256-2en1kvde3cJVc3ZnTy8QeD2oKcseLFjYPLKhIGDanQ0=",
|
||||
"lastModified": 1726243404,
|
||||
"narHash": "sha256-sjiGsMh+1cWXb53Tecsm4skyFNag33GPbVgCdfj3n9I=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "f8e2ebd66d097614d51a56a755450d4ae1632df1",
|
||||
"rev": "345c263f2f53a3710abe117f28a5cb86d0ba4059",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -156,9 +172,12 @@
|
||||
"root": {
|
||||
"inputs": {
|
||||
"agenix": "agenix",
|
||||
"darwin": "darwin",
|
||||
"flake-utils": "flake-utils",
|
||||
"home-manager": "home-manager_2",
|
||||
"home-manager": "home-manager",
|
||||
"home-manager-unstable": "home-manager-unstable",
|
||||
"impermanence": "impermanence",
|
||||
"nixos-hardware": "nixos-hardware",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"nixpkgs-unstable": "nixpkgs-unstable"
|
||||
}
|
||||
|
111
flake.nix
111
flake.nix
@ -1,60 +1,91 @@
|
||||
{
|
||||
inputs = {
|
||||
nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
|
||||
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
|
||||
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
|
||||
|
||||
nixos-hardware.url = "github:nixos/nixos-hardware";
|
||||
|
||||
flake-utils.url = "github:numtide/flake-utils";
|
||||
|
||||
darwin.url = "github:lnl7/nix-darwin";
|
||||
darwin.inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
||||
agenix.url = "github:ryantm/agenix";
|
||||
agenix.inputs.nixpkgs.follows = "nixpkgs";
|
||||
agenix.inputs.darwin.follows = "darwin";
|
||||
agenix.inputs.home-manager.follows = "home-manager";
|
||||
|
||||
home-manager.url = "github:nix-community/home-manager/release-23.11";
|
||||
home-manager.url = "github:nix-community/home-manager/release-24.05";
|
||||
home-manager.inputs.nixpkgs.follows = "nixpkgs";
|
||||
home-manager-unstable.url = "github:nix-community/home-manager";
|
||||
home-manager-unstable.inputs.nixpkgs.follows = "nixpkgs-unstable";
|
||||
|
||||
impermanence.url = "github:nix-community/impermanence/master";
|
||||
};
|
||||
|
||||
description = "Hillion Nix flake";
|
||||
|
||||
outputs = { self, nixpkgs, nixpkgs-unstable, flake-utils, agenix, home-manager, impermanence, ... }@inputs: {
|
||||
nixosConfigurations =
|
||||
let
|
||||
fqdns = builtins.attrNames (builtins.readDir ./hosts);
|
||||
getSystemOverlays = system: nixpkgsConfig: [
|
||||
(final: prev: {
|
||||
"storj" = final.callPackage ./pkgs/storj.nix { };
|
||||
})
|
||||
];
|
||||
mkHost = fqdn:
|
||||
let system = builtins.readFile ./hosts/${fqdn}/system;
|
||||
in
|
||||
nixpkgs.lib.nixosSystem {
|
||||
inherit system;
|
||||
specialArgs = inputs;
|
||||
modules = [
|
||||
./hosts/${fqdn}/default.nix
|
||||
./modules/default.nix
|
||||
outputs = { self, nixpkgs, nixpkgs-unstable, nixos-hardware, flake-utils, agenix, home-manager, home-manager-unstable, darwin, impermanence, ... }@inputs:
|
||||
let
|
||||
getSystemOverlays = system: nixpkgsConfig: [
|
||||
(final: prev: {
|
||||
unstable = nixpkgs-unstable.legacyPackages.${prev.system};
|
||||
"storj" = final.callPackage ./pkgs/storj.nix { };
|
||||
})
|
||||
];
|
||||
in
|
||||
{
|
||||
nixosConfigurations =
|
||||
let
|
||||
fqdns = builtins.attrNames (builtins.readDir ./hosts);
|
||||
mkHost = fqdn:
|
||||
let
|
||||
system = builtins.readFile ./hosts/${fqdn}/system;
|
||||
func = if builtins.pathExists ./hosts/${fqdn}/unstable then nixpkgs-unstable.lib.nixosSystem else nixpkgs.lib.nixosSystem;
|
||||
home-manager-pick = if builtins.pathExists ./hosts/${fqdn}/unstable then home-manager-unstable else home-manager;
|
||||
in
|
||||
func {
|
||||
inherit system;
|
||||
specialArgs = inputs;
|
||||
modules = [
|
||||
./hosts/${fqdn}/default.nix
|
||||
./modules/default.nix
|
||||
|
||||
agenix.nixosModules.default
|
||||
impermanence.nixosModules.impermanence
|
||||
agenix.nixosModules.default
|
||||
impermanence.nixosModules.impermanence
|
||||
|
||||
home-manager.nixosModules.default
|
||||
{
|
||||
home-manager.sharedModules = [
|
||||
impermanence.nixosModules.home-manager.impermanence
|
||||
];
|
||||
}
|
||||
home-manager-pick.nixosModules.default
|
||||
{
|
||||
home-manager.sharedModules = [
|
||||
impermanence.nixosModules.home-manager.impermanence
|
||||
];
|
||||
}
|
||||
|
||||
({ config, ... }: {
|
||||
nix.registry.nixpkgs.flake = nixpkgs; # pin `nix shell` nixpkgs
|
||||
system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
|
||||
nixpkgs.overlays = getSystemOverlays config.nixpkgs.hostPlatform.system config.nixpkgs.config;
|
||||
})
|
||||
];
|
||||
};
|
||||
in
|
||||
nixpkgs.lib.genAttrs fqdns mkHost;
|
||||
} // flake-utils.lib.eachDefaultSystem (system: {
|
||||
formatter = nixpkgs.legacyPackages.${system}.nixpkgs-fmt;
|
||||
});
|
||||
({ config, ... }: {
|
||||
system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
|
||||
nixpkgs.overlays = getSystemOverlays config.nixpkgs.hostPlatform.system config.nixpkgs.config;
|
||||
})
|
||||
];
|
||||
};
|
||||
in
|
||||
nixpkgs.lib.genAttrs fqdns mkHost;
|
||||
|
||||
darwinConfigurations = {
|
||||
jakehillion-mba-m2-15 = darwin.lib.darwinSystem {
|
||||
system = "aarch64-darwin";
|
||||
specialArgs = inputs;
|
||||
|
||||
modules = [
|
||||
./darwin/jakehillion-mba-m2-15/configuration.nix
|
||||
|
||||
({ config, ... }: {
|
||||
nixpkgs.overlays = getSystemOverlays "aarch64-darwin" config.nixpkgs.config;
|
||||
})
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
} // flake-utils.lib.eachDefaultSystem (system: {
|
||||
formatter = nixpkgs.legacyPackages.${system}.nixpkgs-fmt;
|
||||
});
|
||||
}
|
||||
|
55
hosts/be.lt.ts.hillion.co.uk/default.nix
Normal file
55
hosts/be.lt.ts.hillion.co.uk/default.nix
Normal file
@ -0,0 +1,55 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
];
|
||||
|
||||
config = {
|
||||
system.stateVersion = "23.11";
|
||||
|
||||
networking.hostName = "be";
|
||||
networking.domain = "lt.ts.hillion.co.uk";
|
||||
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
||||
custom.defaults = true;
|
||||
|
||||
## Impermanence
|
||||
custom.impermanence = {
|
||||
enable = true;
|
||||
userExtraFiles.jake = [
|
||||
".ssh/id_ecdsa_sk_keys"
|
||||
];
|
||||
};
|
||||
|
||||
## WiFi
|
||||
age.secrets."wifi/be.lt.ts.hillion.co.uk".file = ../../secrets/wifi/be.lt.ts.hillion.co.uk.age;
|
||||
networking.wireless = {
|
||||
enable = true;
|
||||
environmentFile = config.age.secrets."wifi/be.lt.ts.hillion.co.uk".path;
|
||||
|
||||
networks = {
|
||||
"Hillion WPA3 Network".psk = "@HILLION_WPA3_NETWORK_PSK@";
|
||||
};
|
||||
};
|
||||
|
||||
## Desktop
|
||||
custom.users.jake.password = true;
|
||||
custom.desktop.awesome.enable = true;
|
||||
|
||||
## Tailscale
|
||||
age.secrets."tailscale/be.lt.ts.hillion.co.uk".file = ../../secrets/tailscale/be.lt.ts.hillion.co.uk.age;
|
||||
services.tailscale = {
|
||||
enable = true;
|
||||
authKeyFile = config.age.secrets."tailscale/be.lt.ts.hillion.co.uk".path;
|
||||
};
|
||||
|
||||
security.sudo.wheelNeedsPassword = lib.mkForce true;
|
||||
|
||||
## Enable btrfs compression
|
||||
fileSystems."/data".options = [ "compress=zstd" ];
|
||||
fileSystems."/nix".options = [ "compress=zstd" ];
|
||||
};
|
||||
}
|
@ -6,24 +6,41 @@
|
||||
{
|
||||
imports =
|
||||
[
|
||||
(modulesPath + "/profiles/qemu-guest.nix")
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/6d59bd4b-439d-4480-897c-4480ea6fbe56";
|
||||
fsType = "ext4";
|
||||
device = "tmpfs";
|
||||
fsType = "tmpfs";
|
||||
options = [ "mode=0755" ];
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/D184-A79B";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
fileSystems."/nix" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/3fdc1b00-28d5-41dd-b8e0-fa6b1217f6eb";
|
||||
fsType = "btrfs";
|
||||
options = [ "subvol=nix" ];
|
||||
};
|
||||
|
||||
boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/c8ffa91a-5152-4d84-8995-01232fd5acd6";
|
||||
|
||||
fileSystems."/data" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/01a351b8-cf66-4a31-9804-0b4145e69153";
|
||||
device = "/dev/disk/by-uuid/3fdc1b00-28d5-41dd-b8e0-fa6b1217f6eb";
|
||||
fsType = "btrfs";
|
||||
options = [ "subvol=data" ];
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
@ -33,8 +50,10 @@
|
||||
# still possible to use this option, but it's recommended to use it in conjunction
|
||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||
networking.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.tailscale0.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.enp0s20f0u1u4.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true;
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
|
||||
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||
}
|
7
hosts/boron.cx.ts.hillion.co.uk/README.md
Normal file
7
hosts/boron.cx.ts.hillion.co.uk/README.md
Normal file
@ -0,0 +1,7 @@
|
||||
# boron.cx.ts.hillion.co.uk
|
||||
|
||||
Additional installation step for Clevis/Tang:
|
||||
|
||||
$ echo -n $DISK_ENCRYPTION_PASSWORD | clevis encrypt sss "$(cat /etc/nixos/hosts/boron.cx.ts.hillion.co.uk/clevis_config.json)" >/mnt/data/disk_encryption.jwe
|
||||
$ sudo chown root:root /mnt/data/disk_encryption.jwe
|
||||
$ sudo chmod 0400 /mnt/data/disk_encryption.jwe
|
13
hosts/boron.cx.ts.hillion.co.uk/clevis_config.json
Normal file
13
hosts/boron.cx.ts.hillion.co.uk/clevis_config.json
Normal file
@ -0,0 +1,13 @@
|
||||
{
|
||||
"t": 1,
|
||||
"pins": {
|
||||
"tang": [
|
||||
{
|
||||
"url": "http://80.229.251.26:7654"
|
||||
},
|
||||
{
|
||||
"url": "http://185.240.111.53:7654"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
170
hosts/boron.cx.ts.hillion.co.uk/default.nix
Normal file
170
hosts/boron.cx.ts.hillion.co.uk/default.nix
Normal file
@ -0,0 +1,170 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
];
|
||||
|
||||
config = {
|
||||
system.stateVersion = "23.11";
|
||||
|
||||
networking.hostName = "boron";
|
||||
networking.domain = "cx.ts.hillion.co.uk";
|
||||
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
||||
boot.kernelParams = [ "ip=dhcp" ];
|
||||
boot.initrd = {
|
||||
availableKernelModules = [ "igb" ];
|
||||
network.enable = true;
|
||||
clevis = {
|
||||
enable = true;
|
||||
useTang = true;
|
||||
devices = {
|
||||
"disk0-crypt".secretFile = "/data/disk_encryption.jwe";
|
||||
"disk1-crypt".secretFile = "/data/disk_encryption.jwe";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
custom.defaults = true;
|
||||
|
||||
## Kernel
|
||||
### Explicitly use the latest kernel at time of writing because the LTS
|
||||
### kernels available in NixOS do not seem to support this server's very
|
||||
### modern hardware.
|
||||
boot.kernelPackages = pkgs.linuxPackages_6_10;
|
||||
### Apply patch to enable sched_ext which isn't yet available upstream.
|
||||
boot.kernelPatches = [{
|
||||
name = "sched_ext";
|
||||
patch = pkgs.fetchpatch {
|
||||
url = "https://github.com/sched-ext/scx-kernel-releases/releases/download/v6.10.3-scx1/linux-v6.10.3-scx1.patch.zst";
|
||||
hash = "sha256-c4UlXsVOHGe0gvL69K9qTMWqCR8as25qwhfNVxCXUTs=";
|
||||
decode = "${pkgs.zstd}/bin/unzstd";
|
||||
excludes = [ "Makefile" ];
|
||||
};
|
||||
extraConfig = ''
|
||||
BPF y
|
||||
BPF_EVENTS y
|
||||
BPF_JIT y
|
||||
BPF_SYSCALL y
|
||||
DEBUG_INFO_BTF y
|
||||
FTRACE y
|
||||
SCHED_CLASS_EXT y
|
||||
'';
|
||||
}];
|
||||
|
||||
## Enable btrfs compression
|
||||
fileSystems."/data".options = [ "compress=zstd" ];
|
||||
fileSystems."/nix".options = [ "compress=zstd" ];
|
||||
|
||||
## Impermanence
|
||||
custom.impermanence = {
|
||||
enable = true;
|
||||
cache.enable = true;
|
||||
};
|
||||
boot.initrd.postDeviceCommands = lib.mkAfter ''
|
||||
btrfs subvolume delete /cache/system
|
||||
btrfs subvolume snapshot /cache/empty_snapshot /cache/system
|
||||
'';
|
||||
|
||||
## Custom Services
|
||||
custom = {
|
||||
locations.autoServe = true;
|
||||
www.global.enable = true;
|
||||
services = {
|
||||
gitea.actions = {
|
||||
enable = true;
|
||||
tokenSecret = ../../secrets/gitea/actions/boron.age;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.nsd.interfaces = [
|
||||
"138.201.252.214"
|
||||
"2a01:4f8:173:23d2::2"
|
||||
];
|
||||
|
||||
## Enable ZRAM to help with root on tmpfs
|
||||
zramSwap = {
|
||||
enable = true;
|
||||
memoryPercent = 200;
|
||||
algorithm = "zstd";
|
||||
};
|
||||
|
||||
## Filesystems
|
||||
services.btrfs.autoScrub = {
|
||||
enable = true;
|
||||
interval = "Tue, 02:00";
|
||||
# By default both /data and /nix would be scrubbed. They are the same filesystem so this is wasteful.
|
||||
fileSystems = [ "/data" ];
|
||||
};
|
||||
|
||||
## General usability
|
||||
### Make podman available for dev tools such as act
|
||||
virtualisation = {
|
||||
containers.enable = true;
|
||||
podman = {
|
||||
enable = true;
|
||||
dockerCompat = true;
|
||||
dockerSocket.enable = true;
|
||||
};
|
||||
};
|
||||
users.users.jake.extraGroups = [ "podman" ];
|
||||
|
||||
## Networking
|
||||
boot.kernel.sysctl = {
|
||||
"net.ipv4.ip_forward" = true;
|
||||
"net.ipv6.conf.all.forwarding" = true;
|
||||
};
|
||||
|
||||
networking = {
|
||||
useDHCP = false;
|
||||
interfaces = {
|
||||
enp6s0 = {
|
||||
name = "eth0";
|
||||
useDHCP = true;
|
||||
ipv6.addresses = [{
|
||||
address = "2a01:4f8:173:23d2::2";
|
||||
prefixLength = 64;
|
||||
}];
|
||||
};
|
||||
};
|
||||
defaultGateway6 = {
|
||||
address = "fe80::1";
|
||||
interface = "eth0";
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall = {
|
||||
trustedInterfaces = [ "tailscale0" ];
|
||||
allowedTCPPorts = lib.mkForce [ ];
|
||||
allowedUDPPorts = lib.mkForce [ ];
|
||||
interfaces = {
|
||||
eth0 = {
|
||||
allowedTCPPorts = lib.mkForce [
|
||||
22 # SSH
|
||||
3022 # SSH (Gitea) - redirected to 22
|
||||
53 # DNS
|
||||
80 # HTTP 1-2
|
||||
443 # HTTPS 1-2
|
||||
8080 # Unifi (inform)
|
||||
];
|
||||
allowedUDPPorts = lib.mkForce [
|
||||
53 # DNS
|
||||
443 # HTTP 3
|
||||
3478 # Unifi STUN
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
## Tailscale
|
||||
age.secrets."tailscale/boron.cx.ts.hillion.co.uk".file = ../../secrets/tailscale/boron.cx.ts.hillion.co.uk.age;
|
||||
services.tailscale = {
|
||||
enable = true;
|
||||
authKeyFile = config.age.secrets."tailscale/boron.cx.ts.hillion.co.uk".path;
|
||||
};
|
||||
};
|
||||
}
|
72
hosts/boron.cx.ts.hillion.co.uk/hardware-configuration.nix
Normal file
72
hosts/boron.cx.ts.hillion.co.uk/hardware-configuration.nix
Normal file
@ -0,0 +1,72 @@
|
||||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ "kvm-amd" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{
|
||||
device = "tmpfs";
|
||||
fsType = "tmpfs";
|
||||
options = [ "mode=0755" "size=100%" ];
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/ED9C-4ABC";
|
||||
fsType = "vfat";
|
||||
options = [ "fmask=0022" "dmask=0022" ];
|
||||
};
|
||||
|
||||
fileSystems."/data" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/9aebe351-156a-4aa0-9a97-f09b01ac23ad";
|
||||
fsType = "btrfs";
|
||||
options = [ "subvol=data" ];
|
||||
};
|
||||
|
||||
fileSystems."/cache" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/9aebe351-156a-4aa0-9a97-f09b01ac23ad";
|
||||
fsType = "btrfs";
|
||||
options = [ "subvol=cache" ];
|
||||
};
|
||||
|
||||
fileSystems."/nix" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/9aebe351-156a-4aa0-9a97-f09b01ac23ad";
|
||||
fsType = "btrfs";
|
||||
options = [ "subvol=nix" ];
|
||||
};
|
||||
|
||||
boot.initrd.luks.devices."disk0-crypt" = {
|
||||
device = "/dev/disk/by-uuid/a68ead16-1bdc-4d26-9e55-62c2be11ceee";
|
||||
allowDiscards = true;
|
||||
};
|
||||
boot.initrd.luks.devices."disk1-crypt" = {
|
||||
device = "/dev/disk/by-uuid/19bde205-bee4-430d-a4c1-52d635a23963";
|
||||
allowDiscards = true;
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
|
||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||
# still possible to use this option, but it's recommended to use it in conjunction
|
||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||
networking.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.enp6s0.useDHCP = lib.mkDefault true;
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||
}
|
@ -2,8 +2,6 @@
|
||||
|
||||
{
|
||||
imports = [
|
||||
../../modules/common/default.nix
|
||||
../../modules/spotify/default.nix
|
||||
./bluetooth.nix
|
||||
./hardware-configuration.nix
|
||||
];
|
||||
@ -17,6 +15,8 @@
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
||||
custom.defaults = true;
|
||||
|
||||
## Impermanence
|
||||
custom.impermanence = {
|
||||
enable = true;
|
||||
@ -29,6 +29,13 @@
|
||||
];
|
||||
};
|
||||
|
||||
## Enable ZRAM swap to help with root on tmpfs
|
||||
zramSwap = {
|
||||
enable = true;
|
||||
memoryPercent = 200;
|
||||
algorithm = "zstd";
|
||||
};
|
||||
|
||||
## Desktop
|
||||
custom.users.jake.password = true;
|
||||
custom.desktop.awesome.enable = true;
|
||||
@ -61,9 +68,9 @@
|
||||
|
||||
## Tailscale
|
||||
age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".file = ../../secrets/tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk.age;
|
||||
custom.tailscale = {
|
||||
services.tailscale = {
|
||||
enable = true;
|
||||
preAuthKeyFile = config.age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".path;
|
||||
authKeyFile = config.age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".path;
|
||||
};
|
||||
|
||||
security.sudo.wheelNeedsPassword = lib.mkForce true;
|
||||
@ -76,19 +83,13 @@
|
||||
boot.initrd.kernelModules = [ "amdgpu" ];
|
||||
services.xserver.videoDrivers = [ "amdgpu" ];
|
||||
|
||||
## Spotify
|
||||
home-manager.users.jake.services.spotifyd.settings = {
|
||||
global = {
|
||||
device_name = "Gendry";
|
||||
device_type = "computer";
|
||||
bitrate = 320;
|
||||
};
|
||||
};
|
||||
|
||||
users.users."${config.custom.user}" = {
|
||||
packages = with pkgs; [
|
||||
prismlauncher
|
||||
];
|
||||
};
|
||||
|
||||
## Networking
|
||||
networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
|
||||
};
|
||||
}
|
||||
|
@ -28,7 +28,10 @@
|
||||
options = [ "subvol=nix" ];
|
||||
};
|
||||
|
||||
boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/af328e8d-d929-43f1-8d04-1c96b5147e5e";
|
||||
boot.initrd.luks.devices."root" = {
|
||||
device = "/dev/disk/by-uuid/af328e8d-d929-43f1-8d04-1c96b5147e5e";
|
||||
allowDiscards = true;
|
||||
};
|
||||
|
||||
fileSystems."/data" =
|
||||
{
|
||||
|
@ -1,79 +0,0 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
../../modules/common/default.nix
|
||||
./hardware-configuration.nix
|
||||
];
|
||||
|
||||
config = {
|
||||
system.stateVersion = "23.05";
|
||||
|
||||
networking.hostName = "jorah";
|
||||
networking.domain = "cx.ts.hillion.co.uk";
|
||||
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
||||
## Impermanence
|
||||
custom.impermanence.enable = true;
|
||||
|
||||
## Custom Services
|
||||
custom = {
|
||||
locations.autoServe = true;
|
||||
services.version_tracker.enable = true;
|
||||
www.global.enable = true;
|
||||
};
|
||||
|
||||
## Filesystems
|
||||
services.btrfs.autoScrub = {
|
||||
enable = true;
|
||||
interval = "Tue, 02:00";
|
||||
# By default both /data and /nix would be scrubbed. They are the same filesystem so this is wasteful.
|
||||
fileSystems = [ "/data" ];
|
||||
};
|
||||
|
||||
## Networking
|
||||
systemd.network = {
|
||||
enable = true;
|
||||
networks."enp5s0".extraConfig = ''
|
||||
[Match]
|
||||
Name = enp5s0
|
||||
[Network]
|
||||
Address = 2a01:4f9:4b:3953::2/64
|
||||
Gateway = fe80::1
|
||||
'';
|
||||
};
|
||||
|
||||
networking.firewall = {
|
||||
trustedInterfaces = [ "tailscale0" ];
|
||||
allowedTCPPorts = lib.mkForce [
|
||||
22 # SSH
|
||||
3022 # Gitea SSH (accessed via public 22)
|
||||
];
|
||||
allowedUDPPorts = lib.mkForce [ ];
|
||||
interfaces = {
|
||||
enp5s0 = {
|
||||
allowedTCPPorts = lib.mkForce [
|
||||
80 # HTTP 1-2
|
||||
443 # HTTPS 1-2
|
||||
8080 # Unifi (inform)
|
||||
];
|
||||
allowedUDPPorts = lib.mkForce [
|
||||
443 # HTTP 3
|
||||
3478 # Unifi STUN
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
## Tailscale
|
||||
age.secrets."tailscale/jorah.cx.ts.hillion.co.uk".file = ../../secrets/tailscale/jorah.cx.ts.hillion.co.uk.age;
|
||||
custom.tailscale = {
|
||||
enable = true;
|
||||
preAuthKeyFile = config.age.secrets."tailscale/jorah.cx.ts.hillion.co.uk".path;
|
||||
ipv4Addr = "100.96.143.138";
|
||||
ipv6Addr = "fd7a:115c:a1e0:ab12:4843:cd96:6260:8f8a";
|
||||
};
|
||||
};
|
||||
}
|
50
hosts/li.pop.ts.hillion.co.uk/default.nix
Normal file
50
hosts/li.pop.ts.hillion.co.uk/default.nix
Normal file
@ -0,0 +1,50 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
../../modules/rpi/rpi4.nix
|
||||
];
|
||||
|
||||
config = {
|
||||
system.stateVersion = "23.11";
|
||||
|
||||
networking.hostName = "li";
|
||||
networking.domain = "pop.ts.hillion.co.uk";
|
||||
|
||||
custom.defaults = true;
|
||||
|
||||
## Custom Services
|
||||
custom.locations.autoServe = true;
|
||||
|
||||
# Networking
|
||||
## Tailscale
|
||||
age.secrets."tailscale/li.pop.ts.hillion.co.uk".file = ../../secrets/tailscale/li.pop.ts.hillion.co.uk.age;
|
||||
services.tailscale = {
|
||||
enable = true;
|
||||
authKeyFile = config.age.secrets."tailscale/li.pop.ts.hillion.co.uk".path;
|
||||
useRoutingFeatures = "server";
|
||||
extraUpFlags = [ "--advertise-routes" "192.168.1.0/24" ];
|
||||
};
|
||||
|
||||
## Enable ZRAM to make up for 2GB of RAM
|
||||
zramSwap = {
|
||||
enable = true;
|
||||
memoryPercent = 200;
|
||||
algorithm = "zstd";
|
||||
};
|
||||
|
||||
## Run a persistent iperf3 server
|
||||
services.iperf3.enable = true;
|
||||
services.iperf3.openFirewall = true;
|
||||
|
||||
networking.firewall.interfaces = {
|
||||
"end0" = {
|
||||
allowedTCPPorts = [
|
||||
7654 # Tang
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
@ -3,7 +3,6 @@
|
||||
{
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
../../modules/common/default.nix
|
||||
../../modules/rpi/rpi4.nix
|
||||
];
|
||||
|
||||
@ -13,14 +12,23 @@
|
||||
networking.hostName = "microserver";
|
||||
networking.domain = "home.ts.hillion.co.uk";
|
||||
|
||||
custom.defaults = true;
|
||||
|
||||
## Custom Services
|
||||
custom.locations.autoServe = true;
|
||||
|
||||
# Networking
|
||||
## Tailscale
|
||||
age.secrets."tailscale/microserver.home.ts.hillion.co.uk".file = ../../secrets/tailscale/microserver.home.ts.hillion.co.uk.age;
|
||||
custom.tailscale = {
|
||||
services.tailscale = {
|
||||
enable = true;
|
||||
preAuthKeyFile = config.age.secrets."tailscale/microserver.home.ts.hillion.co.uk".path;
|
||||
advertiseRoutes = [ "10.64.50.0/24" "10.239.19.0/24" ];
|
||||
advertiseExitNode = true;
|
||||
authKeyFile = config.age.secrets."tailscale/microserver.home.ts.hillion.co.uk".path;
|
||||
useRoutingFeatures = "server";
|
||||
extraUpFlags = [
|
||||
"--advertise-routes"
|
||||
"10.64.50.0/24,10.239.19.0/24"
|
||||
"--advertise-exit-node"
|
||||
];
|
||||
};
|
||||
|
||||
## Enable IoT VLAN
|
||||
@ -31,6 +39,10 @@
|
||||
};
|
||||
};
|
||||
|
||||
hardware = {
|
||||
bluetooth.enable = true;
|
||||
};
|
||||
|
||||
## Enable IP forwarding for Tailscale
|
||||
boot.kernel.sysctl = {
|
||||
"net.ipv4.ip_forward" = true;
|
||||
@ -40,9 +52,19 @@
|
||||
services.iperf3.enable = true;
|
||||
services.iperf3.openFirewall = true;
|
||||
|
||||
networking.firewall.interfaces."tailscale0".allowedTCPPorts = [
|
||||
1883 # MQTT server
|
||||
];
|
||||
networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
|
||||
networking.firewall.interfaces = {
|
||||
"eth0" = {
|
||||
allowedUDPPorts = [
|
||||
5353 # HomeKit
|
||||
];
|
||||
allowedTCPPorts = [
|
||||
1400 # HA Sonos
|
||||
7654 # Tang
|
||||
21063 # HomeKit
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
|
@ -1,35 +0,0 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
../../modules/common/default.nix
|
||||
../../modules/rpi/rpi4.nix
|
||||
];
|
||||
|
||||
config = {
|
||||
system.stateVersion = "22.05";
|
||||
|
||||
networking.hostName = "microserver";
|
||||
networking.domain = "parents.ts.hillion.co.uk";
|
||||
|
||||
# Networking
|
||||
## Tailscale
|
||||
age.secrets."tailscale/microserver.parents.ts.hillion.co.uk".file = ../../secrets/tailscale/microserver.parents.ts.hillion.co.uk.age;
|
||||
custom.tailscale = {
|
||||
enable = true;
|
||||
preAuthKeyFile = config.age.secrets."tailscale/microserver.parents.ts.hillion.co.uk".path;
|
||||
advertiseRoutes = [ "192.168.1.0/24" ];
|
||||
};
|
||||
|
||||
## Enable IP forwarding for Tailscale
|
||||
boot.kernel.sysctl = {
|
||||
"net.ipv4.ip_forward" = true;
|
||||
};
|
||||
|
||||
## Run a persistent iperf3 server
|
||||
services.iperf3.enable = true;
|
||||
services.iperf3.openFirewall = true;
|
||||
};
|
||||
}
|
||||
|
@ -2,7 +2,6 @@
|
||||
|
||||
{
|
||||
imports = [
|
||||
../../modules/common/default.nix
|
||||
./hardware-configuration.nix
|
||||
];
|
||||
|
||||
@ -19,6 +18,8 @@
|
||||
"net.ipv4.conf.all.forwarding" = true;
|
||||
};
|
||||
|
||||
custom.defaults = true;
|
||||
|
||||
## Interactive password
|
||||
custom.users.jake.password = true;
|
||||
|
||||
@ -31,6 +32,14 @@
|
||||
nat.enable = lib.mkForce false;
|
||||
|
||||
useDHCP = false;
|
||||
|
||||
vlans = {
|
||||
cameras = {
|
||||
id = 3;
|
||||
interface = "eth2";
|
||||
};
|
||||
};
|
||||
|
||||
interfaces = {
|
||||
enp1s0 = {
|
||||
name = "eth0";
|
||||
@ -55,6 +64,14 @@
|
||||
}
|
||||
];
|
||||
};
|
||||
cameras /* cameras@eth2 */ = {
|
||||
ipv4.addresses = [
|
||||
{
|
||||
address = "10.133.145.1";
|
||||
prefixLength = 24;
|
||||
}
|
||||
];
|
||||
};
|
||||
enp4s0 = { name = "eth3"; };
|
||||
enp5s0 = { name = "eth4"; };
|
||||
enp6s0 = { name = "eth5"; };
|
||||
@ -81,8 +98,8 @@
|
||||
|
||||
ip protocol icmp counter accept comment "accept all ICMP types"
|
||||
|
||||
iifname "eth0" ct state { established, related } counter accept
|
||||
iifname "eth0" drop
|
||||
iifname { "eth0", "cameras" } ct state { established, related } counter accept
|
||||
iifname { "eth0", "cameras" } drop
|
||||
}
|
||||
|
||||
chain forward {
|
||||
@ -105,14 +122,8 @@
|
||||
ip daddr 10.64.50.20 tcp dport 32400 counter accept comment "Plex"
|
||||
|
||||
ip daddr 10.64.50.20 tcp dport 8444 counter accept comment "Chia"
|
||||
ip daddr 10.64.50.20 tcp dport 28967 counter accept comment "zfs.tywin.storj"
|
||||
ip daddr 10.64.50.20 udp dport 28967 counter accept comment "zfs.tywin.storj"
|
||||
ip daddr 10.64.50.20 tcp dport 28968 counter accept comment "d0.tywin.storj"
|
||||
ip daddr 10.64.50.20 udp dport 28968 counter accept comment "d0.tywin.storj"
|
||||
ip daddr 10.64.50.20 tcp dport 28969 counter accept comment "d1.tywin.storj"
|
||||
ip daddr 10.64.50.20 udp dport 28969 counter accept comment "d1.tywin.storj"
|
||||
ip daddr 10.64.50.20 tcp dport 28970 counter accept comment "d2.tywin.storj"
|
||||
ip daddr 10.64.50.20 udp dport 28970 counter accept comment "d2.tywin.storj"
|
||||
|
||||
ip daddr 10.64.50.21 tcp dport 7654 counter accept comment "Tang"
|
||||
}
|
||||
}
|
||||
|
||||
@ -123,14 +134,8 @@
|
||||
iifname eth0 tcp dport 32400 counter dnat to 10.64.50.20
|
||||
|
||||
iifname eth0 tcp dport 8444 counter dnat to 10.64.50.20
|
||||
iifname eth0 tcp dport 28967 counter dnat to 10.64.50.20
|
||||
iifname eth0 udp dport 28967 counter dnat to 10.64.50.20
|
||||
iifname eth0 tcp dport 28968 counter dnat to 10.64.50.20
|
||||
iifname eth0 udp dport 28968 counter dnat to 10.64.50.20
|
||||
iifname eth0 tcp dport 28969 counter dnat to 10.64.50.20
|
||||
iifname eth0 udp dport 28969 counter dnat to 10.64.50.20
|
||||
iifname eth0 tcp dport 28970 counter dnat to 10.64.50.20
|
||||
iifname eth0 udp dport 28970 counter dnat to 10.64.50.20
|
||||
|
||||
iifname eth0 tcp dport 7654 counter dnat to 10.64.50.21
|
||||
}
|
||||
|
||||
chain postrouting {
|
||||
@ -149,12 +154,42 @@
|
||||
|
||||
settings = {
|
||||
interfaces-config = {
|
||||
interfaces = [ "eth1" "eth2" ];
|
||||
interfaces = [ "eth1" "eth2" "cameras" ];
|
||||
};
|
||||
lease-database = {
|
||||
type = "memfile";
|
||||
persist = false;
|
||||
persist = true;
|
||||
name = "/var/lib/kea/dhcp4.leases";
|
||||
};
|
||||
|
||||
option-def = [
|
||||
{
|
||||
name = "cookie";
|
||||
space = "vendor-encapsulated-options-space";
|
||||
code = 1;
|
||||
type = "string";
|
||||
array = false;
|
||||
}
|
||||
];
|
||||
client-classes = [
|
||||
{
|
||||
name = "APC";
|
||||
test = "option[vendor-class-identifier].text == 'APC'";
|
||||
option-data = [
|
||||
{
|
||||
always-send = true;
|
||||
name = "vendor-encapsulated-options";
|
||||
}
|
||||
{
|
||||
name = "cookie";
|
||||
space = "vendor-encapsulated-options-space";
|
||||
code = 1;
|
||||
data = "1APC";
|
||||
}
|
||||
];
|
||||
}
|
||||
];
|
||||
|
||||
subnet4 = [
|
||||
{
|
||||
subnet = "10.64.50.0/24";
|
||||
@ -173,22 +208,20 @@
|
||||
}
|
||||
{
|
||||
name = "domain-name-servers";
|
||||
data = "1.1.1.1, 8.8.8.8";
|
||||
data = "10.64.50.1, 1.1.1.1, 8.8.8.8";
|
||||
}
|
||||
];
|
||||
reservations = [
|
||||
{
|
||||
# tywin.storage.ts.hillion.co.uk
|
||||
hw-address = "c8:7f:54:6d:e1:03";
|
||||
ip-address = "10.64.50.20";
|
||||
hostname = "tywin";
|
||||
}
|
||||
{
|
||||
# syncbox
|
||||
hw-address = "00:1e:06:49:06:1e";
|
||||
ip-address = "10.64.50.22";
|
||||
hostname = "syncbox";
|
||||
}
|
||||
reservations = lib.lists.imap0
|
||||
(i: el: {
|
||||
ip-address = "10.64.50.${toString (20 + i)}";
|
||||
inherit (el) hw-address hostname;
|
||||
}) [
|
||||
{ hostname = "tywin"; hw-address = "c8:7f:54:6d:e1:03"; }
|
||||
{ hostname = "microserver"; hw-address = "e4:5f:01:b4:58:95"; }
|
||||
{ hostname = "theon"; hw-address = "00:1e:06:49:06:1e"; }
|
||||
{ hostname = "server-switch"; hw-address = "84:d8:1b:9d:0d:85"; }
|
||||
{ hostname = "apc-ap7921"; hw-address = "00:c0:b7:6b:f4:34"; }
|
||||
{ hostname = "sodium"; hw-address = "d8:3a:dd:c3:d6:2b"; }
|
||||
];
|
||||
}
|
||||
{
|
||||
@ -208,7 +241,7 @@
|
||||
}
|
||||
{
|
||||
name = "domain-name-servers";
|
||||
data = "1.1.1.1, 8.8.8.8";
|
||||
data = "10.239.19.1, 1.1.1.1, 8.8.8.8";
|
||||
}
|
||||
];
|
||||
reservations = [
|
||||
@ -226,23 +259,70 @@
|
||||
}
|
||||
];
|
||||
}
|
||||
{
|
||||
subnet = "10.133.145.0/24";
|
||||
interface = "cameras";
|
||||
pools = [{
|
||||
pool = "10.133.145.64 - 10.133.145.254";
|
||||
}];
|
||||
option-data = [
|
||||
{
|
||||
name = "routers";
|
||||
data = "10.133.145.1";
|
||||
}
|
||||
{
|
||||
name = "broadcast-address";
|
||||
data = "10.133.145.255";
|
||||
}
|
||||
{
|
||||
name = "domain-name-servers";
|
||||
data = "1.1.1.1, 8.8.8.8";
|
||||
}
|
||||
];
|
||||
reservations = [
|
||||
];
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
freeradius = {
|
||||
unbound = {
|
||||
enable = true;
|
||||
settings = {
|
||||
server = {
|
||||
interface = [
|
||||
"127.0.0.1"
|
||||
"10.64.50.1"
|
||||
"10.239.19.1"
|
||||
];
|
||||
access-control = [
|
||||
"10.64.50.0/24 allow"
|
||||
"10.239.19.0/24 allow"
|
||||
];
|
||||
};
|
||||
|
||||
forward-zone = [
|
||||
{
|
||||
name = ".";
|
||||
forward-tls-upstream = "yes";
|
||||
forward-addr = [
|
||||
"1.1.1.1#cloudflare-dns.com"
|
||||
"1.0.0.1#cloudflare-dns.com"
|
||||
"8.8.8.8#dns.google"
|
||||
"8.8.4.4#dns.google"
|
||||
];
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
## Tailscale
|
||||
age.secrets."tailscale/router.home.ts.hillion.co.uk".file = ../../secrets/tailscale/router.home.ts.hillion.co.uk.age;
|
||||
custom.tailscale = {
|
||||
services.tailscale = {
|
||||
enable = true;
|
||||
preAuthKeyFile = config.age.secrets."tailscale/router.home.ts.hillion.co.uk".path;
|
||||
ipv4Addr = "100.105.71.48";
|
||||
ipv6Addr = "fd7a:115c:a1e0:ab12:4843:cd96:6269:4730";
|
||||
authKeyFile = config.age.secrets."tailscale/router.home.ts.hillion.co.uk".path;
|
||||
};
|
||||
|
||||
## Enable btrfs compression
|
||||
@ -267,7 +347,7 @@
|
||||
services.caddy = {
|
||||
enable = true;
|
||||
virtualHosts."http://graphs.router.home.ts.hillion.co.uk" = {
|
||||
listenAddresses = [ config.custom.tailscale.ipv4Addr config.custom.tailscale.ipv6Addr ];
|
||||
listenAddresses = [ config.custom.dns.tailscale.ipv4 config.custom.dns.tailscale.ipv6 ];
|
||||
extraConfig = "reverse_proxy unix///run/netdata/netdata.sock";
|
||||
};
|
||||
};
|
||||
|
87
hosts/sodium.pop.ts.hillion.co.uk/default.nix
Normal file
87
hosts/sodium.pop.ts.hillion.co.uk/default.nix
Normal file
@ -0,0 +1,87 @@
|
||||
{ config, pkgs, lib, nixos-hardware, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
"${nixos-hardware}/raspberry-pi/5/default.nix"
|
||||
./hardware-configuration.nix
|
||||
];
|
||||
|
||||
config = {
|
||||
system.stateVersion = "24.05";
|
||||
|
||||
networking.hostName = "sodium";
|
||||
networking.domain = "pop.ts.hillion.co.uk";
|
||||
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
||||
custom.defaults = true;
|
||||
|
||||
## Enable btrfs compression
|
||||
fileSystems."/data".options = [ "compress=zstd" ];
|
||||
fileSystems."/nix".options = [ "compress=zstd" ];
|
||||
|
||||
## Impermanence
|
||||
custom.impermanence = {
|
||||
enable = true;
|
||||
cache.enable = true;
|
||||
};
|
||||
boot.initrd.postDeviceCommands = lib.mkAfter ''
|
||||
btrfs subvolume delete /cache/tmp
|
||||
btrfs subvolume snapshot /cache/empty_snapshot /cache/tmp
|
||||
chmod 1777 /cache/tmp
|
||||
'';
|
||||
|
||||
## CA server
|
||||
custom.ca.service.enable = true;
|
||||
|
||||
### nix only supports build-dir from 2.22. bind mount /tmp to something persistent instead.
|
||||
fileSystems."/tmp" = {
|
||||
device = "/cache/tmp";
|
||||
options = [ "bind" ];
|
||||
};
|
||||
# nix = {
|
||||
# settings = {
|
||||
# build-dir = "/cache/tmp/";
|
||||
# };
|
||||
# };
|
||||
|
||||
## Custom Services
|
||||
custom.locations.autoServe = true;
|
||||
|
||||
# Networking
|
||||
networking = {
|
||||
useDHCP = false;
|
||||
interfaces = {
|
||||
end0 = {
|
||||
name = "eth0";
|
||||
useDHCP = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
|
||||
|
||||
networking.firewall = {
|
||||
trustedInterfaces = [ "tailscale0" ];
|
||||
allowedTCPPorts = lib.mkForce [
|
||||
];
|
||||
allowedUDPPorts = lib.mkForce [ ];
|
||||
interfaces = {
|
||||
eth0 = {
|
||||
allowedTCPPorts = lib.mkForce [
|
||||
7654 # Tang
|
||||
];
|
||||
allowedUDPPorts = lib.mkForce [
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
## Tailscale
|
||||
age.secrets."tailscale/sodium.pop.ts.hillion.co.uk".file = ../../secrets/tailscale/sodium.pop.ts.hillion.co.uk.age;
|
||||
services.tailscale = {
|
||||
enable = true;
|
||||
authKeyFile = config.age.secrets."tailscale/sodium.pop.ts.hillion.co.uk".path;
|
||||
};
|
||||
};
|
||||
}
|
@ -9,9 +9,9 @@
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sr_mod" ];
|
||||
boot.initrd.availableKernelModules = [ "usbhid" "usb_storage" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ "kvm-amd" ];
|
||||
boot.kernelModules = [ ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
@ -21,24 +21,32 @@
|
||||
options = [ "mode=0755" ];
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/417B-1063";
|
||||
fsType = "vfat";
|
||||
options = [ "fmask=0022" "dmask=0022" ];
|
||||
};
|
||||
|
||||
fileSystems."/nix" =
|
||||
{
|
||||
device = "/dev/disk/by-id/nvme-KXG60ZNV512G_TOSHIBA_106S10VHT9LM_1-part2";
|
||||
device = "/dev/disk/by-uuid/48ae82bd-4d7f-4be6-a9c9-4fcc29d4aac0";
|
||||
fsType = "btrfs";
|
||||
options = [ "subvol=nix" ];
|
||||
};
|
||||
|
||||
fileSystems."/data" =
|
||||
{
|
||||
device = "/dev/disk/by-id/nvme-KXG60ZNV512G_TOSHIBA_106S10VHT9LM_1-part2";
|
||||
device = "/dev/disk/by-uuid/48ae82bd-4d7f-4be6-a9c9-4fcc29d4aac0";
|
||||
fsType = "btrfs";
|
||||
options = [ "subvol=data" ];
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
fileSystems."/cache" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/4D7E-8DE8";
|
||||
fsType = "vfat";
|
||||
device = "/dev/disk/by-uuid/48ae82bd-4d7f-4be6-a9c9-4fcc29d4aac0";
|
||||
fsType = "btrfs";
|
||||
options = [ "subvol=cache" ];
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
@ -48,8 +56,8 @@
|
||||
# still possible to use this option, but it's recommended to use it in conjunction
|
||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||
networking.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.enp5s0.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.enu1u4.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
|
||||
}
|
1
hosts/sodium.pop.ts.hillion.co.uk/system
Normal file
1
hosts/sodium.pop.ts.hillion.co.uk/system
Normal file
@ -0,0 +1 @@
|
||||
aarch64-linux
|
@ -2,7 +2,6 @@
|
||||
|
||||
{
|
||||
imports = [
|
||||
../../modules/common/default.nix
|
||||
./hardware-configuration.nix
|
||||
];
|
||||
|
||||
@ -15,14 +14,18 @@
|
||||
boot.loader.grub.enable = false;
|
||||
boot.loader.generic-extlinux-compatible.enable = true;
|
||||
|
||||
custom.defaults = true;
|
||||
|
||||
## Custom Services
|
||||
custom = {
|
||||
locations.autoServe = true;
|
||||
};
|
||||
|
||||
## Networking
|
||||
networking.useNetworkd = true;
|
||||
systemd.network.enable = true;
|
||||
|
||||
networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
|
||||
networking.firewall = {
|
||||
trustedInterfaces = [ "tailscale0" ];
|
||||
allowedTCPPorts = lib.mkForce [
|
||||
@ -39,11 +42,9 @@
|
||||
|
||||
## Tailscale
|
||||
age.secrets."tailscale/theon.storage.ts.hillion.co.uk".file = ../../secrets/tailscale/theon.storage.ts.hillion.co.uk.age;
|
||||
custom.tailscale = {
|
||||
services.tailscale = {
|
||||
enable = true;
|
||||
preAuthKeyFile = config.age.secrets."tailscale/theon.storage.ts.hillion.co.uk".path;
|
||||
ipv4Addr = "100.104.142.22";
|
||||
ipv6Addr = "fd7a:115c:a1e0::4aa8:8e16";
|
||||
authKeyFile = config.age.secrets."tailscale/theon.storage.ts.hillion.co.uk".path;
|
||||
};
|
||||
|
||||
## Packages
|
||||
|
7
hosts/tywin.storage.ts.hillion.co.uk/README.md
Normal file
7
hosts/tywin.storage.ts.hillion.co.uk/README.md
Normal file
@ -0,0 +1,7 @@
|
||||
# tywin.storage.ts.hillion.co.uk
|
||||
|
||||
Additional installation step for Clevis/Tang:
|
||||
|
||||
$ echo -n $DISK_ENCRYPTION_PASSWORD | clevis encrypt sss "$(cat /etc/nixos/hosts/tywin.storage.ts.hillion.co.uk/clevis_config.json)" >/mnt/disk_encryption.jwe
|
||||
$ sudo chown root:root /mnt/disk_encryption.jwe
|
||||
$ sudo chmod 0400 /mnt/disk_encryption.jwe
|
14
hosts/tywin.storage.ts.hillion.co.uk/clevis_config.json
Normal file
14
hosts/tywin.storage.ts.hillion.co.uk/clevis_config.json
Normal file
@ -0,0 +1,14 @@
|
||||
{
|
||||
"t": 1,
|
||||
"pins": {
|
||||
"tang": [
|
||||
{
|
||||
"url": "http://10.64.50.21:7654"
|
||||
},
|
||||
{
|
||||
"url": "http://10.64.50.25:7654"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
|
@ -2,7 +2,6 @@
|
||||
|
||||
{
|
||||
imports = [
|
||||
../../modules/common/default.nix
|
||||
./hardware-configuration.nix
|
||||
];
|
||||
|
||||
@ -16,15 +15,35 @@
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
||||
boot.kernelParams = [
|
||||
"ip=dhcp"
|
||||
"zfs.zfs_arc_max=25769803776"
|
||||
];
|
||||
boot.initrd = {
|
||||
availableKernelModules = [ "r8169" ];
|
||||
network.enable = true;
|
||||
clevis = {
|
||||
enable = true;
|
||||
useTang = true;
|
||||
devices."root".secretFile = "/disk_encryption.jwe";
|
||||
};
|
||||
};
|
||||
|
||||
custom.locations.autoServe = true;
|
||||
custom.defaults = true;
|
||||
|
||||
# zram swap: used in the hope it will give the ZFS ARC more room to back off
|
||||
zramSwap = {
|
||||
enable = true;
|
||||
memoryPercent = 200;
|
||||
algorithm = "zstd";
|
||||
};
|
||||
|
||||
## Tailscale
|
||||
age.secrets."tailscale/tywin.storage.ts.hillion.co.uk".file = ../../secrets/tailscale/tywin.storage.ts.hillion.co.uk.age;
|
||||
custom.tailscale = {
|
||||
services.tailscale = {
|
||||
enable = true;
|
||||
preAuthKeyFile = config.age.secrets."tailscale/tywin.storage.ts.hillion.co.uk".path;
|
||||
ipv4Addr = "100.115.31.91";
|
||||
ipv6Addr = "fd7a:115c:a1e0:ab12:4843:cd96:6273:1f5b";
|
||||
authKeyFile = config.age.secrets."tailscale/tywin.storage.ts.hillion.co.uk".path;
|
||||
};
|
||||
|
||||
## Filesystems
|
||||
@ -35,11 +54,17 @@
|
||||
forceImportRoot = false;
|
||||
extraPools = [ "data" ];
|
||||
};
|
||||
boot.kernelParams = [ "zfs.zfs_arc_max=25769803776" ];
|
||||
|
||||
services.zfs.autoScrub = {
|
||||
services.btrfs.autoScrub = {
|
||||
enable = true;
|
||||
interval = "Tue, 02:00";
|
||||
# All filesystems includes the BTRFS parts of all the hard drives. This
|
||||
# would take forever and is redundant as they get fully read regularly.
|
||||
fileSystems = [ "/" ];
|
||||
};
|
||||
services.zfs.autoScrub = {
|
||||
enable = true;
|
||||
interval = "Wed, 02:00";
|
||||
};
|
||||
|
||||
## Backups
|
||||
@ -130,7 +155,7 @@
|
||||
services.caddy = {
|
||||
enable = true;
|
||||
virtualHosts."http://restic.tywin.storage.ts.hillion.co.uk".extraConfig = ''
|
||||
bind ${config.custom.tailscale.ipv4Addr} ${config.custom.tailscale.ipv6Addr}
|
||||
bind ${config.custom.dns.tailscale.ipv4} ${config.custom.dns.tailscale.ipv6}
|
||||
reverse_proxy http://localhost:8000
|
||||
'';
|
||||
};
|
||||
@ -193,7 +218,7 @@
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
keyFile = config.age.secrets."chia/farmer.key".path;
|
||||
plotDirectories = builtins.genList (i: "/mnt/d${toString i}/plots/contract-k32") 7;
|
||||
plotDirectories = builtins.genList (i: "/mnt/d${toString i}/plots/contract-k32") 8;
|
||||
};
|
||||
|
||||
## Downloads
|
||||
@ -211,13 +236,10 @@
|
||||
openFirewall = true;
|
||||
};
|
||||
|
||||
## Firewall
|
||||
## Networking
|
||||
networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
|
||||
networking.firewall.interfaces."tailscale0".allowedTCPPorts = [
|
||||
80 # Caddy (restic.tywin.storage.ts.)
|
||||
14002 # Storj Dashboard (d0.)
|
||||
14003 # Storj Dashboard (d1.)
|
||||
14004 # Storj Dashboard (d2.)
|
||||
14005 # Storj Dashboard (d3.)
|
||||
];
|
||||
};
|
||||
}
|
||||
|
@ -20,6 +20,11 @@
|
||||
fsType = "btrfs";
|
||||
};
|
||||
|
||||
boot.initrd.luks.devices."root" = {
|
||||
device = "/dev/disk/by-uuid/32837730-5e15-4917-9939-cbb58bb0aabf";
|
||||
allowDiscards = true;
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/BC57-0AF6";
|
||||
@ -62,6 +67,18 @@
|
||||
fsType = "btrfs";
|
||||
};
|
||||
|
||||
fileSystems."/mnt/d6" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/b461e07d-39ab-46b4-b1d1-14c2e0791915";
|
||||
fsType = "btrfs";
|
||||
};
|
||||
|
||||
fileSystems."/mnt/d7" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/eb8d32d0-e506-449b-8dbc-585ba05c4252";
|
||||
fsType = "btrfs";
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
|
||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||
|
@ -1,67 +0,0 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
../../modules/common/default.nix
|
||||
./hardware-configuration.nix
|
||||
];
|
||||
|
||||
config = {
|
||||
system.stateVersion = "22.05";
|
||||
|
||||
networking.hostName = "vm";
|
||||
networking.domain = "strangervm.ts.hillion.co.uk";
|
||||
|
||||
boot.loader.grub = {
|
||||
enable = true;
|
||||
device = "/dev/sda";
|
||||
};
|
||||
|
||||
## Custom Services
|
||||
custom = {
|
||||
locations.autoServe = true;
|
||||
drone.server.path = "/data/drone";
|
||||
};
|
||||
|
||||
## Networking
|
||||
networking.interfaces.ens18.ipv4.addresses = [{
|
||||
address = "10.72.164.3";
|
||||
prefixLength = 24;
|
||||
}];
|
||||
networking.defaultGateway = "10.72.164.1";
|
||||
|
||||
networking.firewall = {
|
||||
allowedTCPPorts = lib.mkForce [
|
||||
22 # SSH
|
||||
];
|
||||
allowedUDPPorts = lib.mkForce [ ];
|
||||
trustedInterfaces = lib.mkForce [
|
||||
"lo"
|
||||
"tailscale0"
|
||||
];
|
||||
interfaces = {
|
||||
ens18 = {
|
||||
allowedTCPPorts = lib.mkForce [
|
||||
80 # HTTP 1-2
|
||||
443 # HTTPS 1-2
|
||||
];
|
||||
allowedUDPPorts = lib.mkForce [
|
||||
443 # HTTP 3
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
## Tailscale
|
||||
age.secrets."tailscale/vm.strangervm.ts.hillion.co.uk".file = ../../secrets/tailscale/vm.strangervm.ts.hillion.co.uk.age;
|
||||
custom.tailscale = {
|
||||
enable = true;
|
||||
preAuthKeyFile = config.age.secrets."tailscale/vm.strangervm.ts.hillion.co.uk".path;
|
||||
ipv4Addr = "100.110.89.111";
|
||||
ipv6Addr = "fd7a:115c:a1e0:ab12:4843:cd96:626e:596f";
|
||||
};
|
||||
|
||||
## Backups
|
||||
services.postgresqlBackup.location = "/data/backup/postgres";
|
||||
};
|
||||
}
|
@ -3,6 +3,7 @@
|
||||
{
|
||||
imports = [
|
||||
./git.nix
|
||||
./homeassistant.nix
|
||||
./matrix.nix
|
||||
];
|
||||
}
|
||||
|
34
modules/backups/homeassistant.nix
Normal file
34
modules/backups/homeassistant.nix
Normal file
@ -0,0 +1,34 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
let
|
||||
cfg = config.custom.backups.homeassistant;
|
||||
in
|
||||
{
|
||||
options.custom.backups.homeassistant = {
|
||||
enable = lib.mkEnableOption "homeassistant";
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
age.secrets."backups/homeassistant/restic/128G" = {
|
||||
file = ../../secrets/restic/128G.age;
|
||||
owner = "hass";
|
||||
group = "hass";
|
||||
};
|
||||
|
||||
services = {
|
||||
restic.backups."homeassistant" = {
|
||||
user = "hass";
|
||||
timerConfig = {
|
||||
OnCalendar = "03:00";
|
||||
RandomizedDelaySec = "60m";
|
||||
};
|
||||
repository = "rest:http://restic.tywin.storage.ts.hillion.co.uk/128G";
|
||||
passwordFile = config.age.secrets."backups/homeassistant/restic/128G".path;
|
||||
paths = [
|
||||
config.services.home-assistant.configDir
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
11
modules/ca/README.md
Normal file
11
modules/ca/README.md
Normal file
@ -0,0 +1,11 @@
|
||||
# ca
|
||||
|
||||
Getting the certificates in the right place is a manual process (for now, at least). This is to keep the most control over the root certificate's key and allow manual cycling. The manual commands should be run on a trusted machine.
|
||||
|
||||
Creating a 10 year root certificate:
|
||||
|
||||
nix run nixpkgs#step-cli -- certificate create 'Hillion ACME' cert.pem key.pem --kty=EC --curve=P-521 --profile=root-ca --not-after=87600h
|
||||
|
||||
Creating the intermediate key:
|
||||
|
||||
nix run nixpkgs#step-cli -- certificate create 'Hillion ACME (sodium.pop.ts.hillion.co.uk)' intermediate_cert.pem intermediate_key.pem --kty=EC --curve=P-521 --profile=intermediate-ca --not-after=8760h --ca=$NIXOS_ROOT/modules/ca/cert.pem --ca-key=DOWNLOADED_KEY.pem
|
13
modules/ca/cert.pem
Normal file
13
modules/ca/cert.pem
Normal file
@ -0,0 +1,13 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIB+TCCAVqgAwIBAgIQIZdaIUsuJdjnu7DQP1N8oTAKBggqhkjOPQQDBDAXMRUw
|
||||
EwYDVQQDEwxIaWxsaW9uIEFDTUUwHhcNMjQwODAxMjIyMjEwWhcNMzQwNzMwMjIy
|
||||
MjEwWjAXMRUwEwYDVQQDEwxIaWxsaW9uIEFDTUUwgZswEAYHKoZIzj0CAQYFK4EE
|
||||
ACMDgYYABAAJI3z1PrV97EFc1xaENcr6ML1z6xdXTy+ReHtf42nWsw+c3WDKzJ45
|
||||
+xHJ/p2BTOR5+NQ7RGQQ68zmFJnEYTYDogAw6U9YzxxDGlG1HlgnZ9PPmXoF+PFl
|
||||
Zy2WZCiDPx5KDJcjTPzLV3ITt4fl3PMA12BREVeonvrvRLcpVrMfS2b7wKNFMEMw
|
||||
DgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFFBT
|
||||
fMT0uUbS+lVUbGKK8/SZHPISMAoGCCqGSM49BAMEA4GMADCBiAJCAPNIwrQztPrN
|
||||
MaHB3J0lNVODIGwQWblt99vnjqIWOKJhgckBxaElyInsyt8dlnmTCpOCJdY4BA+K
|
||||
Nr87AfwIWdAaAkIBV5i4zXPXVKblGKnmM0FomFSbq2cYE3pmi5BO1StakH1kEHlf
|
||||
vbkdwFgkw2MlARp0Ka3zbWivBG9zjPoZtsL/8tk=
|
||||
-----END CERTIFICATE-----
|
14
modules/ca/consumer.nix
Normal file
14
modules/ca/consumer.nix
Normal file
@ -0,0 +1,14 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
let
|
||||
cfg = config.custom.ca.consumer;
|
||||
in
|
||||
{
|
||||
options.custom.ca.consumer = {
|
||||
enable = lib.mkEnableOption "ca.service";
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
security.pki.certificates = [ (builtins.readFile ./cert.pem) ];
|
||||
};
|
||||
}
|
8
modules/ca/default.nix
Normal file
8
modules/ca/default.nix
Normal file
@ -0,0 +1,8 @@
|
||||
{ ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./consumer.nix
|
||||
./service.nix
|
||||
];
|
||||
}
|
45
modules/ca/service.nix
Normal file
45
modules/ca/service.nix
Normal file
@ -0,0 +1,45 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
let
|
||||
cfg = config.custom.ca.service;
|
||||
in
|
||||
{
|
||||
options.custom.ca.service = {
|
||||
enable = lib.mkEnableOption "ca.service";
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
services.step-ca = {
|
||||
enable = true;
|
||||
|
||||
address = config.custom.dns.tailscale.ipv4;
|
||||
port = 8443;
|
||||
|
||||
intermediatePasswordFile = "/data/system/ca/intermediate.psk";
|
||||
|
||||
settings = {
|
||||
root = ./cert.pem;
|
||||
crt = "/data/system/ca/intermediate.crt";
|
||||
key = "/data/system/ca/intermediate.pem";
|
||||
|
||||
dnsNames = [ "ca.ts.hillion.co.uk" ];
|
||||
|
||||
logger = { format = "text"; };
|
||||
|
||||
db = {
|
||||
type = "badgerv2";
|
||||
dataSource = "/var/lib/step-ca/db";
|
||||
};
|
||||
|
||||
authority = {
|
||||
provisioners = [
|
||||
{
|
||||
type = "ACME";
|
||||
name = "acme";
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
@ -46,7 +46,7 @@ in
|
||||
};
|
||||
|
||||
virtualisation.oci-containers.containers.chia = {
|
||||
image = "ghcr.io/chia-network/chia:2.1.4";
|
||||
image = "ghcr.io/chia-network/chia:2.4.1";
|
||||
ports = [ "8444" ];
|
||||
extraOptions = [
|
||||
"--uidmap=0:${toString config.users.users.chia.uid}:1"
|
||||
|
@ -1,59 +0,0 @@
|
||||
{ pkgs, lib, config, agenix, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
../home/default.nix
|
||||
./shell.nix
|
||||
./ssh.nix
|
||||
];
|
||||
|
||||
nix = {
|
||||
settings.experimental-features = [ "nix-command" "flakes" ];
|
||||
settings = {
|
||||
auto-optimise-store = true;
|
||||
};
|
||||
gc = {
|
||||
automatic = true;
|
||||
dates = "weekly";
|
||||
options = "--delete-older-than 90d";
|
||||
};
|
||||
};
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
|
||||
time.timeZone = "Europe/London";
|
||||
i18n.defaultLocale = "en_GB.UTF-8";
|
||||
|
||||
users = {
|
||||
mutableUsers = false;
|
||||
users."jake" = {
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "wheel" ]; # enable sudo
|
||||
};
|
||||
};
|
||||
|
||||
security.sudo.wheelNeedsPassword = false;
|
||||
|
||||
environment = {
|
||||
systemPackages = with pkgs; [
|
||||
agenix.packages."${system}".default
|
||||
gh
|
||||
git
|
||||
htop
|
||||
nix
|
||||
sapling
|
||||
vim
|
||||
];
|
||||
variables.EDITOR = "vim";
|
||||
shellAliases = {
|
||||
ls = "ls -p --color=auto";
|
||||
};
|
||||
};
|
||||
|
||||
networking = rec {
|
||||
nameservers = [ "1.1.1.1" "8.8.8.8" ];
|
||||
networkmanager.dns = "none";
|
||||
};
|
||||
networking.firewall.enable = true;
|
||||
|
||||
custom.hostinfo.enable = true;
|
||||
}
|
@ -1,43 +0,0 @@
|
||||
{ pkgs, lib, config, ... }:
|
||||
|
||||
{
|
||||
users.users."jake".openssh.authorizedKeys.keys = [
|
||||
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOt74U+rL+BMtAEjfu/Optg1D7Ly7U+TupRxd5u9kfN7oJnW4dJA25WRSr4dgQNq7MiMveoduBY/ky2s0c9gvIA= jake@jake-gentoo"
|
||||
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC0uKIvvvkzrOcS7AcamsQRFId+bqPwUC9IiUIsiH5oWX1ReiITOuEo+TL9YMII5RyyfJFeu2ZP9moNuZYlE7Bs= jake@jake-mbp"
|
||||
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAyFsYYjLZ/wyw8XUbcmkk6OKt2IqLOnWpRE5gEvm3X0V4IeTOL9F4IL79h7FTsPvi2t9zGBL1hxeTMZHSGfrdWaMJkQp94gA1W30MKXvJ47nEVt0HUIOufGqgTTaAn4BHxlFUBUuS7UxaA4igFpFVoPJed7ZMhMqxg+RWUmBAkcgTWDMgzUx44TiNpzkYlG8cYuqcIzpV2dhGn79qsfUzBMpGJgkxjkGdDEHRk66JXgD/EtVasZvqp5/KLNnOpisKjR88UJKJ6/buV7FLVra4/0hA9JtH9e1ecCfxMPbOeluaxlieEuSXV2oJMbQoPP87+/QriNdi/6QuCHkMDEhyGw== jake@jake-mbp"
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw4lgH20nfuchDqvVf0YciqN0GnBw5hfh8KIun5z0P7wlNgVYnCyvPvdIlGf2Nt1z5EGfsMzMLhKDOZkcTMlhupd+j2Er/ZB764uVBGe1n3CoPeasmbIlnamZ12EusYDvQGm2hVJTGQPPp9nKaRxr6ljvTMTNl0KWlWvKP4kec74d28MGgULOPLT3HlAyvUymSULK4lSxFK0l97IVXLa8YwuL5TNFGHUmjoSsi/Q7/CKaqvNh+ib1BYHzHYsuEzaaApnCnfjDBNexHm/AfbI7s+g3XZDcZOORZn6r44dOBNFfwvppsWj3CszwJQYIFeJFuMRtzlC8+kyYxci0+FXHn jake@jake-gentoo"
|
||||
|
||||
];
|
||||
|
||||
programs.mosh.enable = true;
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
|
||||
settings = {
|
||||
PermitRootLogin = "no";
|
||||
PasswordAuthentication = false;
|
||||
};
|
||||
};
|
||||
|
||||
programs.ssh.knownHosts = {
|
||||
# Global Internet hosts
|
||||
"ssh.gitea.hillion.co.uk".publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCxQpywsy+WGeaEkEL67xOBL1NIE++pcojxro5xAPO6VQe2N79388NRFMLlX6HtnebkIpVrvnqdLOs0BPMAokjaWCC4Ay7T/3ko1kXSOlqHY5Ye9jtjRK+wPHMZgzf74a3jlvxjrXJMA70rPQ3X+8UGpA04eB3JyyLTLuVvc6znMe53QiZ0x+hSz+4pYshnCO2UazJ148vV3htN6wRK+uqjNdjjQXkNJ7llNBSrvmfrLidlf0LRphEk43maSQCBcLEZgf4pxXBA7rFuZABZTz1twbnxP2ziyBaSOs7rcII+jVhF2cqJlElutBfIgRNJ3DjNiTcdhNaZzkwJ59huR0LUFQlHI+SALvPzE9ZXWVOX/SqQG+oIB8VebR52icii0aJH7jatkogwNk0121xmhpvvR7gwbJ9YjYRTpKs4lew3bq/W/OM8GF/FEuCsCuNIXRXKqIjJVAtIpuuhxPymFHeqJH3wK3f6jTJfcAz/z33Rwpow2VOdDyqrRfAW8ti73CCnRlN+VJi0V/zvYGs9CHldY3YvMr7rSd0+fdGyJHSTSRBF0vcyRVA/SqSfcIo/5o0ssYoBnQCg6gOkc3nNQ0C0/qh1ww17rw4hqBRxFJ2t3aBUMK+UHPxrELLVmG6ZUmfg9uVkOoafjRsoML6DVDB4JAk5JsmcZhybOarI9PJfEQ==";
|
||||
"server.stranger.proxmox.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9d5u/VaeRTQUQfu5JzCRa+zij/DtrPNWOfr+jM4iDp";
|
||||
|
||||
# Tailscale hosts
|
||||
"dancefloor.dancefloor.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXkGueVYKr2wp/VHo2QLis0kmKtc/Upg3pGoHr6RkzY";
|
||||
"gendry.jakehillion.terminals.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPXM5aDvNv4MTITXAvJWSS2yvr/mbxJE31tgwJtcl38c";
|
||||
"homeassistant.homeassistant.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM2ytacl/zYXhgvosvhudsl0zW5eQRHXm9aMqG9adux";
|
||||
"microserver.home.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPOCPqXm5a+vGB6PsJFvjKNgjLhM5MxrwCy6iHGRjXw";
|
||||
"microserver.parents.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0cjjNQPnJwpu4wcYmvfjB1jlIfZwMxT+3nBusoYQFr";
|
||||
"pbs.proxmox.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGGY6ky2sQjg/bLRUWOUERmAOqboAjy+9PkE8sU+angx";
|
||||
"router.home.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlCj/i2xprN6h0Ik2tthOJQy6Qwq3Ony73+yfbHYTFu";
|
||||
"router.stranger.proxmox.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHq9tITN59FJfGoyOPNgP1QyJ0ohbVQS8OZtRO960Uxk";
|
||||
"stranger.proxmox.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9d5u/VaeRTQUQfu5JzCRa+zij/DtrPNWOfr+jM4iDp";
|
||||
"tywin.storage.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGATsjWO0qZNFp2BhfgDuWi+e/ScMkFxp79N2OZoed1k";
|
||||
"vm.strangervm.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINb9mgyD/G3Rt6lvO4c0hoaVOlLE8e3+DUfAoB1RI5cy";
|
||||
};
|
||||
programs.ssh.knownHostsFiles = [ ./github_known_hosts ];
|
||||
}
|
@ -3,23 +3,21 @@
|
||||
{
|
||||
imports = [
|
||||
./backups/default.nix
|
||||
./ca/default.nix
|
||||
./chia.nix
|
||||
./common/hostinfo.nix
|
||||
./defaults.nix
|
||||
./desktop/awesome/default.nix
|
||||
./drone/default.nix
|
||||
./dns.nix
|
||||
./home/default.nix
|
||||
./hostinfo.nix
|
||||
./ids.nix
|
||||
./impermanence.nix
|
||||
./locations.nix
|
||||
./resilio.nix
|
||||
./services/downloads.nix
|
||||
./services/gitea.nix
|
||||
./services/mastodon/default.nix
|
||||
./services/matrix.nix
|
||||
./services/unifi.nix
|
||||
./services/version_tracker.nix
|
||||
./services/zigbee2mqtt.nix
|
||||
./services/default.nix
|
||||
./shell/default.nix
|
||||
./ssh/default.nix
|
||||
./storj.nix
|
||||
./tailscale.nix
|
||||
./users.nix
|
||||
./www/global.nix
|
||||
./www/www-repo.nix
|
||||
|
64
modules/defaults.nix
Normal file
64
modules/defaults.nix
Normal file
@ -0,0 +1,64 @@
|
||||
{ pkgs, lib, config, agenix, ... }:
|
||||
|
||||
{
|
||||
options.custom.defaults = lib.mkEnableOption "defaults";
|
||||
|
||||
config = lib.mkIf config.custom.defaults {
|
||||
nix = {
|
||||
settings.experimental-features = [ "nix-command" "flakes" ];
|
||||
settings = {
|
||||
auto-optimise-store = true;
|
||||
};
|
||||
gc = {
|
||||
automatic = true;
|
||||
dates = "weekly";
|
||||
options = "--delete-older-than 90d";
|
||||
};
|
||||
};
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
|
||||
time.timeZone = "Europe/London";
|
||||
i18n.defaultLocale = "en_GB.UTF-8";
|
||||
|
||||
users = {
|
||||
mutableUsers = false;
|
||||
users.${config.custom.user} = {
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "wheel" ]; # enable sudo
|
||||
uid = config.ids.uids.${config.custom.user};
|
||||
};
|
||||
};
|
||||
|
||||
security.sudo.wheelNeedsPassword = false;
|
||||
|
||||
environment = {
|
||||
systemPackages = with pkgs; [
|
||||
agenix.packages."${system}".default
|
||||
gh
|
||||
git
|
||||
htop
|
||||
nix
|
||||
sapling
|
||||
vim
|
||||
];
|
||||
variables.EDITOR = "vim";
|
||||
shellAliases = {
|
||||
ls = "ls -p --color=auto";
|
||||
};
|
||||
};
|
||||
|
||||
networking = rec {
|
||||
nameservers = [ "1.1.1.1" "8.8.8.8" ];
|
||||
networkmanager.dns = "none";
|
||||
};
|
||||
networking.firewall.enable = true;
|
||||
|
||||
# Delegation
|
||||
custom.ca.consumer.enable = true;
|
||||
custom.dns.enable = true;
|
||||
custom.home.defaults = true;
|
||||
custom.hostinfo.enable = true;
|
||||
custom.shell.enable = true;
|
||||
custom.ssh.enable = true;
|
||||
};
|
||||
}
|
112
modules/dns.nix
Normal file
112
modules/dns.nix
Normal file
@ -0,0 +1,112 @@
|
||||
{ pkgs, lib, config, ... }:
|
||||
|
||||
let
|
||||
cfg = config.custom.dns;
|
||||
in
|
||||
{
|
||||
options.custom.dns = {
|
||||
enable = lib.mkEnableOption "dns";
|
||||
|
||||
authoritative = {
|
||||
ipv4 = lib.mkOption {
|
||||
description = "authoritative ipv4 mappings";
|
||||
readOnly = true;
|
||||
};
|
||||
ipv6 = lib.mkOption {
|
||||
description = "authoritative ipv6 mappings";
|
||||
readOnly = true;
|
||||
};
|
||||
};
|
||||
|
||||
tailscale =
|
||||
{
|
||||
ipv4 = lib.mkOption {
|
||||
description = "tailscale ipv4 address";
|
||||
readOnly = true;
|
||||
};
|
||||
ipv6 = lib.mkOption {
|
||||
description = "tailscale ipv6 address";
|
||||
readOnly = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
custom.dns.authoritative = {
|
||||
ipv4 = {
|
||||
uk = {
|
||||
co = {
|
||||
hillion = {
|
||||
ts = {
|
||||
cx = {
|
||||
boron = "100.113.188.46";
|
||||
};
|
||||
home = {
|
||||
microserver = "100.105.131.47";
|
||||
router = "100.105.71.48";
|
||||
};
|
||||
jakehillion-terminals = { gendry = "100.70.100.77"; };
|
||||
lt = { be = "100.105.166.79"; };
|
||||
pop = {
|
||||
li = "100.106.87.35";
|
||||
sodium = "100.87.188.4";
|
||||
};
|
||||
storage = {
|
||||
theon = "100.104.142.22";
|
||||
tywin = "100.115.31.91";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
ipv6 = {
|
||||
uk = {
|
||||
co = {
|
||||
hillion = {
|
||||
ts = {
|
||||
cx = {
|
||||
boron = "fd7a:115c:a1e0::2a01:bc2f";
|
||||
};
|
||||
home = {
|
||||
microserver = "fd7a:115c:a1e0:ab12:4843:cd96:6269:832f";
|
||||
router = "fd7a:115c:a1e0:ab12:4843:cd96:6269:4730";
|
||||
};
|
||||
jakehillion-terminals = { gendry = "fd7a:115c:a1e0:ab12:4843:cd96:6246:644d"; };
|
||||
lt = { be = "fd7a:115c:a1e0::9001:a64f"; };
|
||||
pop = {
|
||||
li = "fd7a:115c:a1e0::e701:5723";
|
||||
sodium = "fd7a:115c:a1e0::3701:bc04";
|
||||
};
|
||||
storage = {
|
||||
theon = "fd7a:115c:a1e0::4aa8:8e16";
|
||||
tywin = "fd7a:115c:a1e0:ab12:4843:cd96:6273:1f5b";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
custom.dns.tailscale =
|
||||
let
|
||||
lookupFqdn = lib.attrsets.attrByPath (lib.reverseList (lib.splitString "." config.networking.fqdn)) null;
|
||||
in
|
||||
{
|
||||
ipv4 = lookupFqdn cfg.authoritative.ipv4;
|
||||
ipv6 = lookupFqdn cfg.authoritative.ipv6;
|
||||
};
|
||||
|
||||
networking.hosts =
|
||||
let
|
||||
mkHosts = hosts:
|
||||
(lib.collect (x: (builtins.hasAttr "name" x && builtins.hasAttr "value" x))
|
||||
(lib.mapAttrsRecursive
|
||||
(path: value:
|
||||
lib.nameValuePair value [ (lib.concatStringsSep "." (lib.reverseList path)) ])
|
||||
hosts));
|
||||
in
|
||||
builtins.listToAttrs (mkHosts cfg.authoritative.ipv4 ++ mkHosts cfg.authoritative.ipv6);
|
||||
};
|
||||
}
|
@ -1,7 +0,0 @@
|
||||
{ ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./server.nix
|
||||
];
|
||||
}
|
@ -1,43 +0,0 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
let
|
||||
cfg = config.custom.drone.server;
|
||||
in
|
||||
{
|
||||
options.custom.drone.server = {
|
||||
enable = lib.mkEnableOption "drone server";
|
||||
|
||||
path = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "/var/lib/drone";
|
||||
};
|
||||
port = lib.mkOption {
|
||||
type = lib.types.port;
|
||||
default = 18733;
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
age.secrets."drone/gitea_client_secret".file = ../../secrets/drone/gitea_client_secret.age;
|
||||
age.secrets."drone/rpc_secret".file = ../../secrets/drone/rpc_secret.age;
|
||||
|
||||
virtualisation.oci-containers.containers."drone" = {
|
||||
image = "drone/drone:2.21.0";
|
||||
volumes = [ "${cfg.path}:/data" ];
|
||||
ports = [ "${toString cfg.port}:80" ];
|
||||
environment = {
|
||||
DRONE_AGENTS_ENABLED = "true";
|
||||
DRONE_GITEA_SERVER = "https://gitea.hillion.co.uk";
|
||||
DRONE_GITEA_CLIENT_ID = "687ee331-ad9e-44fd-9e02-7f1c652754bb";
|
||||
DRONE_SERVER_HOST = "drone.hillion.co.uk";
|
||||
DRONE_SERVER_PROTO = "https";
|
||||
DRONE_LOGS_DEBUG = "true";
|
||||
DRONE_USER_CREATE = "username:JakeHillion,admin:true";
|
||||
};
|
||||
environmentFiles = [
|
||||
config.age.secrets."drone/gitea_client_secret".path
|
||||
config.age.secrets."drone/rpc_secret".path
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
@ -6,7 +6,9 @@
|
||||
./tmux/default.nix
|
||||
];
|
||||
|
||||
config = {
|
||||
options.custom.home.defaults = lib.mkEnableOption "home";
|
||||
|
||||
config = lib.mkIf config.custom.home.defaults {
|
||||
home-manager = {
|
||||
users.root.home = {
|
||||
stateVersion = "22.11";
|
||||
@ -22,5 +24,9 @@
|
||||
file.".zshrc".text = "";
|
||||
};
|
||||
};
|
||||
|
||||
# Delegation
|
||||
custom.home.git.enable = true;
|
||||
custom.home.tmux.enable = true;
|
||||
};
|
||||
}
|
||||
|
@ -1,21 +1,30 @@
|
||||
{ pkgs, lib, config, ... }:
|
||||
|
||||
let
|
||||
cfg = config.custom.home.git;
|
||||
in
|
||||
{
|
||||
home-manager.users.jake.programs.git = {
|
||||
enable = true;
|
||||
extraConfig = {
|
||||
user = {
|
||||
email = "jake@hillion.co.uk";
|
||||
name = "Jake Hillion";
|
||||
};
|
||||
pull = {
|
||||
rebase = true;
|
||||
};
|
||||
merge = {
|
||||
conflictstyle = "diff3";
|
||||
};
|
||||
init = {
|
||||
defaultBranch = "main";
|
||||
options.custom.home.git = {
|
||||
enable = lib.mkEnableOption "git";
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
home-manager.users.jake.programs.git = lib.mkIf (config.custom.user == "jake") {
|
||||
enable = true;
|
||||
extraConfig = {
|
||||
user = {
|
||||
email = "jake@hillion.co.uk";
|
||||
name = "Jake Hillion";
|
||||
};
|
||||
pull = {
|
||||
rebase = true;
|
||||
};
|
||||
merge = {
|
||||
conflictstyle = "diff3";
|
||||
};
|
||||
init = {
|
||||
defaultBranch = "main";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -8,3 +8,11 @@ bind -n C-k clear-history
|
||||
bind '"' split-window -c "#{pane_current_path}"
|
||||
bind % split-window -h -c "#{pane_current_path}"
|
||||
bind c new-window -c "#{pane_current_path}"
|
||||
|
||||
# Start indices at 1 to match keyboard
|
||||
set -g base-index 1
|
||||
setw -g pane-base-index 1
|
||||
|
||||
# Open a new session when attached to and one isn't open
|
||||
# Must come after base-index settings
|
||||
new-session
|
||||
|
@ -1,8 +1,17 @@
|
||||
{ pkgs, lib, config, ... }:
|
||||
|
||||
let
|
||||
cfg = config.custom.home.tmux;
|
||||
in
|
||||
{
|
||||
home-manager.users.jake.programs.tmux = {
|
||||
enable = true;
|
||||
extraConfig = lib.readFile ./.tmux.conf;
|
||||
options.custom.home.tmux = {
|
||||
enable = lib.mkEnableOption "tmux";
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
home-manager.users.jake.programs.tmux = {
|
||||
enable = true;
|
||||
extraConfig = lib.readFile ./.tmux.conf;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
@ -6,6 +6,7 @@
|
||||
## Defined System Users (see https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/ids.nix)
|
||||
unifi = 183;
|
||||
chia = 185;
|
||||
gitea = 186;
|
||||
|
||||
## Consistent People
|
||||
jake = 1000;
|
||||
@ -15,6 +16,7 @@
|
||||
## Defined System Groups (see https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/ids.nix)
|
||||
unifi = 183;
|
||||
chia = 185;
|
||||
gitea = 186;
|
||||
|
||||
## Consistent Groups
|
||||
mediaaccess = 1200;
|
||||
|
@ -2,7 +2,6 @@
|
||||
|
||||
let
|
||||
cfg = config.custom.impermanence;
|
||||
listIf = (enable: x: if enable then x else [ ]);
|
||||
in
|
||||
{
|
||||
options.custom.impermanence = {
|
||||
@ -12,6 +11,13 @@ in
|
||||
type = lib.types.str;
|
||||
default = "/data";
|
||||
};
|
||||
cache = {
|
||||
enable = lib.mkEnableOption "impermanence.cache";
|
||||
path = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "/cache";
|
||||
};
|
||||
};
|
||||
|
||||
users = lib.mkOption {
|
||||
type = with lib.types; listOf str;
|
||||
@ -40,41 +46,60 @@ in
|
||||
gitea.stateDir = "${cfg.base}/system/var/lib/gitea";
|
||||
};
|
||||
|
||||
environment.persistence."${cfg.base}/system" = {
|
||||
hideMounts = true;
|
||||
environment.persistence = lib.mkMerge [
|
||||
{
|
||||
"${cfg.base}/system" = {
|
||||
hideMounts = true;
|
||||
|
||||
directories = [
|
||||
"/etc/nixos"
|
||||
] ++ (listIf config.custom.tailscale.enable [ "/var/lib/tailscale" ]) ++
|
||||
(listIf config.services.zigbee2mqtt.enable [ config.services.zigbee2mqtt.dataDir ]) ++
|
||||
(listIf config.services.postgresql.enable [ config.services.postgresql.dataDir ]) ++
|
||||
(listIf config.hardware.bluetooth.enable [ "/var/lib/bluetooth" ]) ++
|
||||
(listIf config.custom.services.unifi.enable [ "/var/lib/unifi" ]) ++
|
||||
(listIf (config.virtualisation.oci-containers.containers != { }) [ "/var/lib/containers" ]);
|
||||
};
|
||||
directories = [
|
||||
"/etc/nixos"
|
||||
] ++ (lib.lists.optional config.services.tailscale.enable "/var/lib/tailscale") ++
|
||||
(lib.lists.optional config.services.zigbee2mqtt.enable config.services.zigbee2mqtt.dataDir) ++
|
||||
(lib.lists.optional config.services.postgresql.enable config.services.postgresql.dataDir) ++
|
||||
(lib.lists.optional config.hardware.bluetooth.enable "/var/lib/bluetooth") ++
|
||||
(lib.lists.optional config.custom.services.unifi.enable "/var/lib/unifi") ++
|
||||
(lib.lists.optional (config.virtualisation.oci-containers.containers != { }) "/var/lib/containers") ++
|
||||
(lib.lists.optional config.services.tang.enable "/var/lib/private/tang") ++
|
||||
(lib.lists.optional config.services.caddy.enable "/var/lib/caddy") ++
|
||||
(lib.lists.optional config.services.step-ca.enable "/var/lib/step-ca/db");
|
||||
};
|
||||
}
|
||||
(lib.mkIf cfg.cache.enable {
|
||||
"${cfg.cache.path}/system" = {
|
||||
hideMounts = true;
|
||||
|
||||
directories = (lib.lists.optional config.services.postgresqlBackup.enable config.services.postgresqlBackup.location);
|
||||
};
|
||||
})
|
||||
];
|
||||
|
||||
home-manager.users =
|
||||
let
|
||||
mkUser = (x: {
|
||||
name = x;
|
||||
value = {
|
||||
home.persistence."/data/users/${x}" = {
|
||||
allowOther = false;
|
||||
home = {
|
||||
persistence."/data/users/${x}" = {
|
||||
allowOther = false;
|
||||
|
||||
files = [
|
||||
".zsh_history"
|
||||
] ++ cfg.userExtraFiles.${x} or [ ];
|
||||
|
||||
directories = cfg.userExtraDirs.${x} or [ ];
|
||||
files = cfg.userExtraFiles.${x} or [ ];
|
||||
directories = cfg.userExtraDirs.${x} or [ ];
|
||||
};
|
||||
file.".zshrc".text = lib.mkForce ''
|
||||
HISTFILE=/data/users/${x}/.zsh_history
|
||||
'';
|
||||
};
|
||||
};
|
||||
});
|
||||
in
|
||||
builtins.listToAttrs (builtins.map mkUser cfg.users);
|
||||
|
||||
systemd.tmpfiles.rules = builtins.map
|
||||
systemd.tmpfiles.rules = lib.lists.flatten (builtins.map
|
||||
(user:
|
||||
let details = config.users.users.${user}; in "L ${details.home}/local - ${user} ${details.group} - /data/users/${user}")
|
||||
cfg.users;
|
||||
let details = config.users.users.${user}; in [
|
||||
"d /data/users/${user} 0700 ${user} ${details.group} - -"
|
||||
"L ${details.home}/local - ${user} ${details.group} - /data/users/${user}"
|
||||
])
|
||||
cfg.users);
|
||||
};
|
||||
}
|
||||
|
@ -11,28 +11,41 @@ in
|
||||
};
|
||||
|
||||
locations = lib.mkOption {
|
||||
default = {
|
||||
services = {
|
||||
downloads = "tywin.storage.ts.hillion.co.uk";
|
||||
gitea = "jorah.cx.ts.hillion.co.uk";
|
||||
mastodon = "vm.strangervm.ts.hillion.co.uk";
|
||||
matrix = "jorah.cx.ts.hillion.co.uk";
|
||||
unifi = "jorah.cx.ts.hillion.co.uk";
|
||||
};
|
||||
drone = {
|
||||
server = "vm.strangervm.ts.hillion.co.uk";
|
||||
};
|
||||
};
|
||||
readOnly = true;
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.autoServe {
|
||||
custom.services.downloads.enable = cfg.locations.services.downloads == config.networking.fqdn;
|
||||
custom.services.gitea.enable = cfg.locations.services.gitea == config.networking.fqdn;
|
||||
custom.services.mastodon.enable = cfg.locations.services.mastodon == config.networking.fqdn;
|
||||
custom.services.matrix.enable = cfg.locations.services.matrix == config.networking.fqdn;
|
||||
custom.services.unifi.enable = cfg.locations.services.unifi == config.networking.fqdn;
|
||||
config = lib.mkMerge [
|
||||
{
|
||||
custom.locations.locations = {
|
||||
services = {
|
||||
authoritative_dns = [ "boron.cx.ts.hillion.co.uk" ];
|
||||
downloads = "tywin.storage.ts.hillion.co.uk";
|
||||
gitea = "boron.cx.ts.hillion.co.uk";
|
||||
homeassistant = "microserver.home.ts.hillion.co.uk";
|
||||
mastodon = "";
|
||||
matrix = "boron.cx.ts.hillion.co.uk";
|
||||
tang = [
|
||||
"li.pop.ts.hillion.co.uk"
|
||||
"microserver.home.ts.hillion.co.uk"
|
||||
"sodium.pop.ts.hillion.co.uk"
|
||||
];
|
||||
unifi = "boron.cx.ts.hillion.co.uk";
|
||||
version_tracker = [ "boron.cx.ts.hillion.co.uk" ];
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
custom.drone.server.enable = cfg.locations.drone.server == config.networking.fqdn;
|
||||
};
|
||||
(lib.mkIf cfg.autoServe
|
||||
{
|
||||
custom.services = lib.mapAttrsRecursive
|
||||
(path: value: {
|
||||
enable =
|
||||
if builtins.isList value
|
||||
then builtins.elem config.networking.fqdn value
|
||||
else config.networking.fqdn == value;
|
||||
})
|
||||
cfg.locations.services;
|
||||
})
|
||||
];
|
||||
}
|
||||
|
@ -1,12 +1,9 @@
|
||||
{ pkgs, lib, config, nixpkgs-unstable, ... }:
|
||||
{ pkgs, lib, config, ... }:
|
||||
|
||||
let
|
||||
cfg = config.custom.resilio;
|
||||
in
|
||||
{
|
||||
imports = [ "${nixpkgs-unstable}/nixos/modules/services/networking/resilio.nix" ];
|
||||
disabledModules = [ "services/networking/resilio.nix" ];
|
||||
|
||||
options.custom.resilio = {
|
||||
enable = lib.mkEnableOption "resilio";
|
||||
|
||||
@ -64,5 +61,7 @@ in
|
||||
in
|
||||
builtins.map (folder: mkFolder folder.name folder.secret) cfg.folders;
|
||||
};
|
||||
|
||||
systemd.services.resilio.unitConfig.RequiresMountsFor = builtins.map (folder: "${config.services.resilio.directoryRoot}/${folder.name}") cfg.folders;
|
||||
};
|
||||
}
|
||||
|
50
modules/services/authoritative_dns.nix
Normal file
50
modules/services/authoritative_dns.nix
Normal file
@ -0,0 +1,50 @@
|
||||
{ pkgs, lib, config, ... }:
|
||||
|
||||
let
|
||||
cfg = config.custom.services.authoritative_dns;
|
||||
in
|
||||
{
|
||||
options.custom.services.authoritative_dns = {
|
||||
enable = lib.mkEnableOption "authoritative_dns";
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
services.nsd = {
|
||||
enable = true;
|
||||
|
||||
zones = {
|
||||
"ts.hillion.co.uk" = {
|
||||
data =
|
||||
let
|
||||
makeRecords = type: s: (lib.concatStringsSep "\n" (lib.collect builtins.isString (lib.mapAttrsRecursive (path: value: "${lib.concatStringsSep "." (lib.reverseList path)} 86400 ${type} ${value}") s)));
|
||||
in
|
||||
''
|
||||
$ORIGIN ts.hillion.co.uk.
|
||||
$TTL 86400
|
||||
|
||||
ts.hillion.co.uk. IN SOA ns1.hillion.co.uk. hostmaster.hillion.co.uk. (
|
||||
1 ;Serial
|
||||
7200 ;Refresh
|
||||
3600 ;Retry
|
||||
1209600 ;Expire
|
||||
3600 ;Negative response caching TTL
|
||||
)
|
||||
|
||||
86400 NS ns1.hillion.co.uk.
|
||||
|
||||
ca 21600 CNAME sodium.pop.ts.hillion.co.uk.
|
||||
deluge.downloads 21600 CNAME tywin.storage.ts.hillion.co.uk.
|
||||
graphs.router.home 21600 CNAME router.home.ts.hillion.co.uk.
|
||||
prowlarr.downloads 21600 CNAME tywin.storage.ts.hillion.co.uk.
|
||||
radarr.downloads 21600 CNAME tywin.storage.ts.hillion.co.uk.
|
||||
restic.tywin.storage 21600 CNAME tywin.storage.ts.hillion.co.uk.
|
||||
sonarr.downloads 21600 CNAME tywin.storage.ts.hillion.co.uk.
|
||||
zigbee2mqtt.home 21600 CNAME router.home.ts.hillion.co.uk.
|
||||
|
||||
'' + (makeRecords "A" config.custom.dns.authoritative.ipv4.uk.co.hillion.ts) + "\n\n" + (makeRecords "AAAA" config.custom.dns.authoritative.ipv6.uk.co.hillion.ts);
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
16
modules/services/default.nix
Normal file
16
modules/services/default.nix
Normal file
@ -0,0 +1,16 @@
|
||||
{ config, lib, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./authoritative_dns.nix
|
||||
./downloads.nix
|
||||
./gitea/default.nix
|
||||
./homeassistant.nix
|
||||
./mastodon/default.nix
|
||||
./matrix.nix
|
||||
./tang.nix
|
||||
./unifi.nix
|
||||
./version_tracker.nix
|
||||
./zigbee2mqtt.nix
|
||||
];
|
||||
}
|
@ -29,10 +29,16 @@ in
|
||||
|
||||
virtualHosts = builtins.listToAttrs (builtins.map
|
||||
(x: {
|
||||
name = "http://${x}.downloads.ts.hillion.co.uk";
|
||||
name = "${x}.downloads.ts.hillion.co.uk";
|
||||
value = {
|
||||
listenAddresses = [ config.custom.tailscale.ipv4Addr config.custom.tailscale.ipv6Addr ];
|
||||
extraConfig = "reverse_proxy unix//${cfg.metadataPath}/caddy/caddy.sock";
|
||||
listenAddresses = [ config.custom.dns.tailscale.ipv4 config.custom.dns.tailscale.ipv6 ];
|
||||
extraConfig = ''
|
||||
reverse_proxy unix//${cfg.metadataPath}/caddy/caddy.sock
|
||||
|
||||
tls {
|
||||
ca https://ca.ts.hillion.co.uk:8443/acme/acme/directory
|
||||
}
|
||||
'';
|
||||
};
|
||||
}) [ "prowlarr" "sonarr" "radarr" "deluge" ]);
|
||||
};
|
||||
@ -132,7 +138,10 @@ in
|
||||
|
||||
script = with pkgs; "${iproute2}/bin/ip link set up lo";
|
||||
};
|
||||
networking.hosts = { "127.0.0.1" = builtins.map (x: "${x}.downloads.ts.hillion.co.uk") [ "prowlarr" "sonarr" "radarr" "deluge" ]; };
|
||||
networking = {
|
||||
nameservers = [ "1.1.1.1" "8.8.8.8" ];
|
||||
hosts = { "127.0.0.1" = builtins.map (x: "${x}.downloads.ts.hillion.co.uk") [ "prowlarr" "sonarr" "radarr" "deluge" ]; };
|
||||
};
|
||||
|
||||
services = {
|
||||
prowlarr.enable = true;
|
||||
@ -149,6 +158,7 @@ in
|
||||
deluge = {
|
||||
enable = true;
|
||||
web.enable = true;
|
||||
group = "mediaaccess";
|
||||
|
||||
dataDir = "/var/lib/deluge";
|
||||
authFile = "/run/agenix/deluge/auth";
|
||||
@ -157,11 +167,18 @@ in
|
||||
config = {
|
||||
download_location = "/media/downloads";
|
||||
max_connections_global = 1024;
|
||||
|
||||
max_upload_speed = 12500;
|
||||
max_download_speed = 25000;
|
||||
|
||||
max_active_seeding = 192;
|
||||
max_active_downloading = 64;
|
||||
max_active_limit = 256;
|
||||
dont_count_slow_torrents = true;
|
||||
|
||||
stop_seed_at_ratio = true;
|
||||
stop_seed_ratio = 2;
|
||||
share_ratio_limit = 2;
|
||||
|
||||
enabled_plugins = [ "Label" ];
|
||||
};
|
||||
};
|
||||
|
105
modules/services/gitea/actions.nix
Normal file
105
modules/services/gitea/actions.nix
Normal file
@ -0,0 +1,105 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
cfg = config.custom.services.gitea.actions;
|
||||
in
|
||||
{
|
||||
options.custom.services.gitea.actions = {
|
||||
enable = lib.mkEnableOption "gitea-actions";
|
||||
|
||||
labels = lib.mkOption {
|
||||
type = with lib.types; listOf str;
|
||||
default = [
|
||||
"ubuntu-latest:docker://node:16-bullseye"
|
||||
"ubuntu-20.04:docker://node:16-bullseye"
|
||||
];
|
||||
};
|
||||
tokenSecret = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
age.secrets."gitea/actions/token".file = cfg.tokenSecret;
|
||||
|
||||
# Run gitea-actions in a container and firewall it such that it can only
|
||||
# access the Internet (not private networks).
|
||||
containers."gitea-actions" = {
|
||||
autoStart = true;
|
||||
ephemeral = true;
|
||||
|
||||
privateNetwork = true; # all traffic goes through ve-gitea-actions on the host
|
||||
hostAddress = "10.108.27.1";
|
||||
localAddress = "10.108.27.2";
|
||||
|
||||
extraFlags = [
|
||||
# Extra system calls required to nest Docker, taken from https://wiki.archlinux.org/title/systemd-nspawn
|
||||
"--system-call-filter=add_key"
|
||||
"--system-call-filter=keyctl"
|
||||
"--system-call-filter=bpf"
|
||||
];
|
||||
|
||||
bindMounts = let tokenPath = config.age.secrets."gitea/actions/token".path; in {
|
||||
"${tokenPath}".hostPath = tokenPath;
|
||||
};
|
||||
|
||||
timeoutStartSec = "5min";
|
||||
|
||||
config = (hostConfig: ({ config, pkgs, ... }: {
|
||||
config = let cfg = hostConfig.custom.services.gitea.actions; in {
|
||||
system.stateVersion = "23.11";
|
||||
|
||||
virtualisation.docker.enable = true;
|
||||
|
||||
services.gitea-actions-runner.instances.container = {
|
||||
enable = true;
|
||||
url = "https://gitea.hillion.co.uk";
|
||||
tokenFile = hostConfig.age.secrets."gitea/actions/token".path;
|
||||
|
||||
name = "${hostConfig.networking.hostName}";
|
||||
labels = cfg.labels;
|
||||
|
||||
settings = {
|
||||
runner = {
|
||||
capacity = 3;
|
||||
};
|
||||
cache = {
|
||||
enabled = true;
|
||||
host = "10.108.27.2";
|
||||
port = 41919;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# Drop any packets to private networks
|
||||
networking = {
|
||||
firewall.enable = lib.mkForce false;
|
||||
nftables = {
|
||||
enable = true;
|
||||
ruleset = ''
|
||||
table inet filter {
|
||||
chain output {
|
||||
type filter hook output priority 100; policy accept;
|
||||
|
||||
ct state { established, related } counter accept
|
||||
|
||||
ip daddr 10.0.0.0/8 drop
|
||||
ip daddr 100.64.0.0/10 drop
|
||||
ip daddr 172.16.0.0/12 drop
|
||||
ip daddr 192.168.0.0/16 drop
|
||||
}
|
||||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
})) config;
|
||||
};
|
||||
|
||||
networking.nat = {
|
||||
enable = true;
|
||||
externalInterface = "eth0";
|
||||
internalIPs = [ "10.108.27.2" ];
|
||||
};
|
||||
};
|
||||
}
|
8
modules/services/gitea/default.nix
Normal file
8
modules/services/gitea/default.nix
Normal file
@ -0,0 +1,8 @@
|
||||
{ ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./actions.nix
|
||||
./gitea.nix
|
||||
];
|
||||
}
|
@ -1,4 +1,4 @@
|
||||
{ config, pkgs, lib, nixpkgs-unstable, ... }:
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
let
|
||||
cfg = config.custom.services.gitea;
|
||||
@ -20,39 +20,42 @@ in
|
||||
config = lib.mkIf cfg.enable {
|
||||
age.secrets = {
|
||||
"gitea/mailer_password" = {
|
||||
file = ../../secrets/gitea/mailer_password.age;
|
||||
file = ../../../secrets/gitea/mailer_password.age;
|
||||
owner = config.services.gitea.user;
|
||||
group = config.services.gitea.group;
|
||||
};
|
||||
"gitea/oauth_jwt_secret" = {
|
||||
file = ../../secrets/gitea/oauth_jwt_secret.age;
|
||||
file = ../../../secrets/gitea/oauth_jwt_secret.age;
|
||||
owner = config.services.gitea.user;
|
||||
group = config.services.gitea.group;
|
||||
path = "${config.services.gitea.customDir}/conf/oauth2_jwt_secret";
|
||||
};
|
||||
"gitea/lfs_jwt_secret" = {
|
||||
file = ../../secrets/gitea/lfs_jwt_secret.age;
|
||||
file = ../../../secrets/gitea/lfs_jwt_secret.age;
|
||||
owner = config.services.gitea.user;
|
||||
group = config.services.gitea.group;
|
||||
path = "${config.services.gitea.customDir}/conf/lfs_jwt_secret";
|
||||
};
|
||||
"gitea/security_secret_key" = {
|
||||
file = ../../secrets/gitea/security_secret_key.age;
|
||||
file = ../../../secrets/gitea/security_secret_key.age;
|
||||
owner = config.services.gitea.user;
|
||||
group = config.services.gitea.group;
|
||||
path = "${config.services.gitea.customDir}/conf/secret_key";
|
||||
};
|
||||
"gitea/security_internal_token" = {
|
||||
file = ../../secrets/gitea/security_internal_token.age;
|
||||
file = ../../../secrets/gitea/security_internal_token.age;
|
||||
owner = config.services.gitea.user;
|
||||
group = config.services.gitea.group;
|
||||
path = "${config.services.gitea.customDir}/conf/internal_token";
|
||||
};
|
||||
};
|
||||
|
||||
users.users.gitea.uid = config.ids.uids.gitea;
|
||||
users.groups.gitea.gid = config.ids.gids.gitea;
|
||||
|
||||
services.gitea = {
|
||||
enable = true;
|
||||
package = nixpkgs-unstable.legacyPackages.x86_64-linux.gitea;
|
||||
package = pkgs.unstable.gitea;
|
||||
mailerPasswordFile = config.age.secrets."gitea/mailer_password".path;
|
||||
|
||||
appName = "Hillion Gitea";
|
||||
@ -79,7 +82,7 @@ in
|
||||
|
||||
mailer = {
|
||||
ENABLED = true;
|
||||
HOST = "smtp.mailgun.org:587";
|
||||
SMTP_ADDR = "smtp.mailgun.org:587";
|
||||
FROM = "gitea@mg.hillion.co.uk";
|
||||
USER = "gitea@mg.hillion.co.uk";
|
||||
};
|
||||
@ -89,7 +92,7 @@ in
|
||||
service = {
|
||||
REGISTER_EMAIL_CONFIRM = true;
|
||||
ENABLE_NOTIFY_MAIL = true;
|
||||
EMAIL_DOMAIN_WHITELIST = "hillion.co.uk,cam.ac.uk,cl.cam.ac.uk";
|
||||
EMAIL_DOMAIN_ALLOWLIST = "hillion.co.uk,cam.ac.uk,cl.cam.ac.uk";
|
||||
};
|
||||
session = {
|
||||
PROVIDER = "file";
|
||||
@ -97,18 +100,14 @@ in
|
||||
};
|
||||
};
|
||||
|
||||
boot.kernel.sysctl = {
|
||||
"net.ipv4.ip_forward" = 1;
|
||||
"net.ipv6.conf.all.forwarding" = 1;
|
||||
};
|
||||
networking.firewall.extraCommands = ''
|
||||
# proxy all traffic on public interface to the gitea SSH server
|
||||
iptables -A PREROUTING -t nat -i enp5s0 -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
|
||||
ip6tables -A PREROUTING -t nat -i enp5s0 -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
|
||||
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
|
||||
ip6tables -A PREROUTING -t nat -i eth0 -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
|
||||
|
||||
# proxy locally originating outgoing packets
|
||||
iptables -A OUTPUT -d 95.217.229.104 -t nat -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
|
||||
ip6tables -A OUTPUT -d 2a01:4f9:4b:3953::2 -t nat -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
|
||||
iptables -A OUTPUT -d 138.201.252.214 -t nat -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
|
||||
ip6tables -A OUTPUT -d 2a01:4f8:173:23d2::2 -t nat -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
|
||||
'';
|
||||
};
|
||||
}
|
164
modules/services/homeassistant.nix
Normal file
164
modules/services/homeassistant.nix
Normal file
@ -0,0 +1,164 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
let
|
||||
cfg = config.custom.services.homeassistant;
|
||||
in
|
||||
{
|
||||
options.custom.services.homeassistant = {
|
||||
enable = lib.mkEnableOption "homeassistant";
|
||||
|
||||
backup = lib.mkOption {
|
||||
default = true;
|
||||
type = lib.types.bool;
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
custom = {
|
||||
backups.homeassistant.enable = cfg.backup;
|
||||
};
|
||||
|
||||
age.secrets."homeassistant/secrets.yaml" = {
|
||||
file = ../../secrets/homeassistant/secrets.yaml.age;
|
||||
path = "${config.services.home-assistant.configDir}/secrets.yaml";
|
||||
owner = "hass";
|
||||
group = "hass";
|
||||
};
|
||||
|
||||
services = {
|
||||
postgresql = {
|
||||
enable = true;
|
||||
initialScript = pkgs.writeText "homeassistant-init.sql" ''
|
||||
CREATE ROLE "hass" WITH LOGIN;
|
||||
CREATE DATABASE "homeassistant" WITH OWNER "hass" ENCODING "utf8";
|
||||
'';
|
||||
};
|
||||
|
||||
home-assistant = {
|
||||
enable = true;
|
||||
|
||||
extraPackages = python3Packages: with python3Packages; [
|
||||
psycopg2 # postgresql support
|
||||
];
|
||||
extraComponents = [
|
||||
"bluetooth"
|
||||
"default_config"
|
||||
"esphome"
|
||||
"google_assistant"
|
||||
"homekit"
|
||||
"met"
|
||||
"mobile_app"
|
||||
"mqtt"
|
||||
"otp"
|
||||
"smartthings"
|
||||
"sonos"
|
||||
"sun"
|
||||
"switchbot"
|
||||
];
|
||||
customComponents = with pkgs.home-assistant-custom-components; [
|
||||
adaptive_lighting
|
||||
];
|
||||
|
||||
config = {
|
||||
default_config = { };
|
||||
|
||||
recorder = {
|
||||
db_url = "postgresql://@/homeassistant";
|
||||
};
|
||||
|
||||
http = {
|
||||
use_x_forwarded_for = true;
|
||||
trusted_proxies = with config.custom.dns.authoritative; [
|
||||
ipv4.uk.co.hillion.ts.cx.boron
|
||||
ipv6.uk.co.hillion.ts.cx.boron
|
||||
];
|
||||
};
|
||||
|
||||
google_assistant = {
|
||||
project_id = "homeassistant-8de41";
|
||||
service_account = {
|
||||
client_email = "!secret google_assistant_service_account_client_email";
|
||||
private_key = "!secret google_assistant_service_account_private_key";
|
||||
};
|
||||
report_state = true;
|
||||
expose_by_default = true;
|
||||
exposed_domains = [ "light" ];
|
||||
entity_config = {
|
||||
"input_boolean.sleep_mode" = { };
|
||||
};
|
||||
};
|
||||
homekit = [{
|
||||
filter = {
|
||||
include_domains = [ "light" ];
|
||||
};
|
||||
}];
|
||||
|
||||
bluetooth = { };
|
||||
|
||||
adaptive_lighting = {
|
||||
lights = [
|
||||
"light.bedroom_lamp"
|
||||
"light.bedroom_light"
|
||||
"light.cubby_light"
|
||||
"light.desk_lamp"
|
||||
"light.hallway_light"
|
||||
"light.living_room_lamp"
|
||||
"light.living_room_light"
|
||||
"light.wardrobe_light"
|
||||
];
|
||||
min_sunset_time = "21:00";
|
||||
};
|
||||
|
||||
light = [
|
||||
{
|
||||
platform = "template";
|
||||
lights = {
|
||||
bathroom_light = {
|
||||
unique_id = "87a4cbb5-e5a7-44fd-9f28-fec2d6a62538";
|
||||
value_template = "{{ false if state_attr('script.bathroom_light_switch_if_on', 'last_triggered') > states.sensor.bathroom_motion_sensor_illuminance_lux.last_reported else states('sensor.bathroom_motion_sensor_illuminance_lux') | int > 500 }}";
|
||||
turn_on = { service = "script.noop"; };
|
||||
turn_off = { service = "script.bathroom_light_switch_if_on"; };
|
||||
};
|
||||
};
|
||||
}
|
||||
];
|
||||
|
||||
sensor = [
|
||||
{
|
||||
# Time/Date (for automations)
|
||||
platform = "time_date";
|
||||
display_options = [
|
||||
"date"
|
||||
"date_time_iso"
|
||||
];
|
||||
}
|
||||
|
||||
{
|
||||
# Living Room Temperature
|
||||
platform = "statistics";
|
||||
name = "Living Room temperature (rolling average)";
|
||||
entity_id = "sensor.living_room_environment_sensor_temperature";
|
||||
state_characteristic = "average_linear";
|
||||
unique_id = "e86198a8-88f4-4822-95cb-3ec7b2662395";
|
||||
max_age = {
|
||||
minutes = 5;
|
||||
};
|
||||
}
|
||||
];
|
||||
|
||||
input_boolean = {
|
||||
sleep_mode = {
|
||||
name = "Set house to sleep mode";
|
||||
icon = "mdi:sleep";
|
||||
};
|
||||
};
|
||||
|
||||
# UI managed expansions
|
||||
automation = "!include automations.yaml";
|
||||
script = "!include scripts.yaml";
|
||||
scene = "!include scenes.yaml";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
@ -32,6 +32,8 @@ in
|
||||
};
|
||||
};
|
||||
|
||||
users.users.caddy.extraGroups = [ "mastodon" ];
|
||||
|
||||
services = {
|
||||
mastodon = {
|
||||
enable = true;
|
||||
|
@ -41,6 +41,10 @@ in
|
||||
owner = "matrix-synapse";
|
||||
group = "matrix-synapse";
|
||||
};
|
||||
|
||||
"matrix/matrix.hillion.co.uk/syncv3_secret" = {
|
||||
file = ../../secrets/matrix/matrix.hillion.co.uk/syncv3_secret.age;
|
||||
};
|
||||
};
|
||||
|
||||
services = {
|
||||
@ -76,8 +80,8 @@ in
|
||||
x_forwarded = true;
|
||||
bind_addresses = [
|
||||
"::1"
|
||||
config.custom.tailscale.ipv4Addr
|
||||
config.custom.tailscale.ipv6Addr
|
||||
config.custom.dns.tailscale.ipv4
|
||||
config.custom.dns.tailscale.ipv6
|
||||
];
|
||||
resources = [
|
||||
{
|
||||
@ -114,6 +118,15 @@ in
|
||||
};
|
||||
};
|
||||
|
||||
matrix-sliding-sync = {
|
||||
enable = true;
|
||||
environmentFile = config.age.secrets."matrix/matrix.hillion.co.uk/syncv3_secret".path;
|
||||
settings = {
|
||||
SYNCV3_SERVER = "https://matrix.hillion.co.uk";
|
||||
SYNCV3_BINDADDR = "[::]:8009";
|
||||
};
|
||||
};
|
||||
|
||||
heisenbridge = lib.mkIf cfg.heisenbridge {
|
||||
enable = true;
|
||||
owner = "@jake:hillion.co.uk";
|
||||
|
20
modules/services/tang.nix
Normal file
20
modules/services/tang.nix
Normal file
@ -0,0 +1,20 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
let
|
||||
cfg = config.custom.services.tang;
|
||||
in
|
||||
{
|
||||
options.custom.services.tang = {
|
||||
enable = lib.mkEnableOption "tang";
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
services.tang = {
|
||||
enable = true;
|
||||
ipAddressAllow = [
|
||||
"138.201.252.214/32"
|
||||
"10.64.50.20/32"
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
@ -10,20 +10,14 @@ in
|
||||
dataDir = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "/var/lib/unifi";
|
||||
readOnly = true; # NixOS module only supports this directory
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
users.users.unifi = {
|
||||
uid = config.ids.uids.unifi;
|
||||
isSystemUser = true;
|
||||
group = "unifi";
|
||||
description = "UniFi controller daemon user";
|
||||
home = "${cfg.dataDir}";
|
||||
};
|
||||
users.groups.unifi = {
|
||||
gid = config.ids.gids.unifi;
|
||||
};
|
||||
# Fix dynamically allocated user and group ids
|
||||
users.users.unifi.uid = config.ids.uids.unifi;
|
||||
users.groups.unifi.gid = config.ids.gids.unifi;
|
||||
|
||||
services.caddy = {
|
||||
enable = true;
|
||||
@ -38,21 +32,9 @@ in
|
||||
};
|
||||
};
|
||||
|
||||
virtualisation.oci-containers.containers = {
|
||||
"unifi" = {
|
||||
image = "lscr.io/linuxserver/unifi-controller:8.0.24-ls221";
|
||||
environment = {
|
||||
PUID = toString config.ids.uids.unifi;
|
||||
PGID = toString config.ids.gids.unifi;
|
||||
TZ = "Etc/UTC";
|
||||
};
|
||||
volumes = [ "${cfg.dataDir}:/config" ];
|
||||
ports = [
|
||||
"8080:8080"
|
||||
"8443:8443"
|
||||
"3478:3478/udp"
|
||||
];
|
||||
};
|
||||
services.unifi = {
|
||||
enable = true;
|
||||
unifiPackage = pkgs.unifi8;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
@ -23,7 +23,7 @@ in
|
||||
enable = true;
|
||||
|
||||
virtualHosts."http://zigbee2mqtt.home.ts.hillion.co.uk" = {
|
||||
listenAddresses = [ config.custom.tailscale.ipv4Addr config.custom.tailscale.ipv6Addr ];
|
||||
listenAddresses = [ config.custom.dns.tailscale.ipv4 config.custom.dns.tailscale.ipv6 ];
|
||||
extraConfig = "reverse_proxy http://127.0.0.1:15606";
|
||||
};
|
||||
};
|
||||
|
@ -1,7 +1,20 @@
|
||||
{ pkgs, lib, config, ... }:
|
||||
|
||||
let
|
||||
cfg = config.custom.shell;
|
||||
in
|
||||
{
|
||||
config = {
|
||||
imports = [
|
||||
./update_scripts.nix
|
||||
];
|
||||
|
||||
options.custom.shell = {
|
||||
enable = lib.mkEnableOption "shell";
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
custom.shell.update_scripts.enable = true;
|
||||
|
||||
users.defaultUserShell = pkgs.zsh;
|
||||
|
||||
environment.systemPackages = with pkgs; [ direnv ];
|
64
modules/shell/update_scripts.nix
Normal file
64
modules/shell/update_scripts.nix
Normal file
@ -0,0 +1,64 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
let
|
||||
cfg = config.custom.shell.update_scripts;
|
||||
|
||||
update = pkgs.writeScriptBin "update" ''
|
||||
#! ${pkgs.runtimeShell}
|
||||
set -e
|
||||
|
||||
if [[ $EUID -ne 0 ]]; then
|
||||
exec sudo ${pkgs.runtimeShell} "$0" "$@"
|
||||
fi
|
||||
|
||||
if [ -n "$1" ]; then
|
||||
BRANCH=$1
|
||||
else
|
||||
BRANCH=main
|
||||
fi
|
||||
|
||||
cd /etc/nixos
|
||||
if [ "$BRANCH" = "main" ]; then
|
||||
${pkgs.git}/bin/git switch $BRANCH
|
||||
${pkgs.git}/bin/git pull
|
||||
else
|
||||
${pkgs.git}/bin/git fetch
|
||||
${pkgs.git}/bin/git switch --detach origin/$BRANCH
|
||||
fi
|
||||
|
||||
if ! ${pkgs.nixos-rebuild}/bin/nixos-rebuild --flake "/etc/nixos#${config.networking.fqdn}" test; then
|
||||
echo "WARNING: \`nixos-rebuild test' failed!"
|
||||
fi
|
||||
|
||||
while true; do
|
||||
read -p "Do you want to boot this configuration? " yn
|
||||
case $yn in
|
||||
[Yy]* ) break;;
|
||||
[Nn]* ) exit;;
|
||||
* ) echo "Please answer yes or no.";;
|
||||
esac
|
||||
done
|
||||
|
||||
${pkgs.nixos-rebuild}/bin/nixos-rebuild --flake "/etc/nixos#${config.networking.fqdn}" boot
|
||||
|
||||
while true; do
|
||||
read -p "Would you like to reboot now? " yn
|
||||
case $yn in
|
||||
[Yy]* ) reboot;;
|
||||
[Nn]* ) exit;;
|
||||
* ) echo "Please answer yes or no.";;
|
||||
esac
|
||||
done
|
||||
'';
|
||||
in
|
||||
{
|
||||
options.custom.shell.update_scripts = {
|
||||
enable = lib.mkEnableOption "update_scripts";
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
environment.systemPackages = [
|
||||
update
|
||||
];
|
||||
};
|
||||
}
|
@ -1,25 +0,0 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
|
||||
{
|
||||
config.age.secrets."spotify/11132032266" = {
|
||||
file = ../../secrets/spotify/11132032266.age;
|
||||
owner = "jake";
|
||||
};
|
||||
|
||||
config.hardware.pulseaudio.enable = true;
|
||||
|
||||
config.users.users.jake.extraGroups = [ "audio" ];
|
||||
config.users.users.jake.packages = with pkgs; [ spotify-tui ];
|
||||
|
||||
config.home-manager.users.jake.services.spotifyd = {
|
||||
enable = true;
|
||||
settings = {
|
||||
global = {
|
||||
username = "11132032266";
|
||||
password_cmd = "cat ${config.age.secrets."spotify/11132032266".path}";
|
||||
backend = "pulseaudio";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
55
modules/ssh/default.nix
Normal file
55
modules/ssh/default.nix
Normal file
@ -0,0 +1,55 @@
|
||||
{ pkgs, lib, config, ... }:
|
||||
|
||||
let
|
||||
cfg = config.custom.ssh;
|
||||
in
|
||||
{
|
||||
options.custom.ssh = {
|
||||
enable = lib.mkEnableOption "ssh";
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
users.users =
|
||||
if config.custom.user == "jake" then {
|
||||
"jake".openssh.authorizedKeys.keys = [
|
||||
"sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBBwJH4udKNvi9TjOBgkxpBBy7hzWqmP0lT5zE9neusCpQLIiDhr6KXYMPXWXdZDc18wH1OLi2+639dXOvp8V/wgAAAAEc3NoOg== jake@beryllium-keys"
|
||||
|
||||
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOt74U+rL+BMtAEjfu/Optg1D7Ly7U+TupRxd5u9kfN7oJnW4dJA25WRSr4dgQNq7MiMveoduBY/ky2s0c9gvIA= jake@jake-gentoo"
|
||||
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC0uKIvvvkzrOcS7AcamsQRFId+bqPwUC9IiUIsiH5oWX1ReiITOuEo+TL9YMII5RyyfJFeu2ZP9moNuZYlE7Bs= jake@jake-mbp"
|
||||
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAyFsYYjLZ/wyw8XUbcmkk6OKt2IqLOnWpRE5gEvm3X0V4IeTOL9F4IL79h7FTsPvi2t9zGBL1hxeTMZHSGfrdWaMJkQp94gA1W30MKXvJ47nEVt0HUIOufGqgTTaAn4BHxlFUBUuS7UxaA4igFpFVoPJed7ZMhMqxg+RWUmBAkcgTWDMgzUx44TiNpzkYlG8cYuqcIzpV2dhGn79qsfUzBMpGJgkxjkGdDEHRk66JXgD/EtVasZvqp5/KLNnOpisKjR88UJKJ6/buV7FLVra4/0hA9JtH9e1ecCfxMPbOeluaxlieEuSXV2oJMbQoPP87+/QriNdi/6QuCHkMDEhyGw== jake@jake-mbp"
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw4lgH20nfuchDqvVf0YciqN0GnBw5hfh8KIun5z0P7wlNgVYnCyvPvdIlGf2Nt1z5EGfsMzMLhKDOZkcTMlhupd+j2Er/ZB764uVBGe1n3CoPeasmbIlnamZ12EusYDvQGm2hVJTGQPPp9nKaRxr6ljvTMTNl0KWlWvKP4kec74d28MGgULOPLT3HlAyvUymSULK4lSxFK0l97IVXLa8YwuL5TNFGHUmjoSsi/Q7/CKaqvNh+ib1BYHzHYsuEzaaApnCnfjDBNexHm/AfbI7s+g3XZDcZOORZn6r44dOBNFfwvppsWj3CszwJQYIFeJFuMRtzlC8+kyYxci0+FXHn jake@jake-gentoo"
|
||||
];
|
||||
} else { };
|
||||
|
||||
programs.mosh.enable = true;
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
|
||||
settings = {
|
||||
PermitRootLogin = "no";
|
||||
PasswordAuthentication = false;
|
||||
};
|
||||
};
|
||||
|
||||
programs.ssh.knownHosts = {
|
||||
# Global Internet hosts
|
||||
"ssh.gitea.hillion.co.uk".publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCxQpywsy+WGeaEkEL67xOBL1NIE++pcojxro5xAPO6VQe2N79388NRFMLlX6HtnebkIpVrvnqdLOs0BPMAokjaWCC4Ay7T/3ko1kXSOlqHY5Ye9jtjRK+wPHMZgzf74a3jlvxjrXJMA70rPQ3X+8UGpA04eB3JyyLTLuVvc6znMe53QiZ0x+hSz+4pYshnCO2UazJ148vV3htN6wRK+uqjNdjjQXkNJ7llNBSrvmfrLidlf0LRphEk43maSQCBcLEZgf4pxXBA7rFuZABZTz1twbnxP2ziyBaSOs7rcII+jVhF2cqJlElutBfIgRNJ3DjNiTcdhNaZzkwJ59huR0LUFQlHI+SALvPzE9ZXWVOX/SqQG+oIB8VebR52icii0aJH7jatkogwNk0121xmhpvvR7gwbJ9YjYRTpKs4lew3bq/W/OM8GF/FEuCsCuNIXRXKqIjJVAtIpuuhxPymFHeqJH3wK3f6jTJfcAz/z33Rwpow2VOdDyqrRfAW8ti73CCnRlN+VJi0V/zvYGs9CHldY3YvMr7rSd0+fdGyJHSTSRBF0vcyRVA/SqSfcIo/5o0ssYoBnQCg6gOkc3nNQ0C0/qh1ww17rw4hqBRxFJ2t3aBUMK+UHPxrELLVmG6ZUmfg9uVkOoafjRsoML6DVDB4JAk5JsmcZhybOarI9PJfEQ==";
|
||||
|
||||
# Tailscale hosts
|
||||
"boron.cx.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDtcJ7HY/vjtheMV8EN2wlTw1hU53CJebGIeRJcSkzt5";
|
||||
"be.lt.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILV3OSUT+cqFqrFHZGfn7/xi5FW3n1qjUFy8zBbYs2Sm";
|
||||
"dancefloor.dancefloor.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXkGueVYKr2wp/VHo2QLis0kmKtc/Upg3pGoHr6RkzY";
|
||||
"gendry.jakehillion.terminals.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPXM5aDvNv4MTITXAvJWSS2yvr/mbxJE31tgwJtcl38c";
|
||||
"homeassistant.homeassistant.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM2ytacl/zYXhgvosvhudsl0zW5eQRHXm9aMqG9adux";
|
||||
"li.pop.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQWgcDFL9UZBDKHPiEGepT1Qsc4gz3Pee0/XVHJ6V6u";
|
||||
"microserver.home.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPOCPqXm5a+vGB6PsJFvjKNgjLhM5MxrwCy6iHGRjXw";
|
||||
"router.home.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlCj/i2xprN6h0Ik2tthOJQy6Qwq3Ony73+yfbHYTFu";
|
||||
"sodium.pop.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQmG7v/XrinPmkTU2eIoISuU3+hoV4h60Bmbwd+xDjr";
|
||||
"theon.storage.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN59psLVu3/sQORA4x3p8H3ei8MCQlcwX5T+k3kBeBMf";
|
||||
"tywin.storage.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGATsjWO0qZNFp2BhfgDuWi+e/ScMkFxp79N2OZoed1k";
|
||||
};
|
||||
programs.ssh.knownHostsFiles = [ ./github_known_hosts ];
|
||||
};
|
||||
}
|
@ -1,65 +0,0 @@
|
||||
{ pkgs, lib, config, ... }:
|
||||
|
||||
let
|
||||
cfg = config.custom.tailscale;
|
||||
in
|
||||
{
|
||||
options.custom.tailscale = {
|
||||
enable = lib.mkEnableOption "tailscale";
|
||||
|
||||
preAuthKeyFile = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
};
|
||||
|
||||
advertiseRoutes = lib.mkOption {
|
||||
type = with lib.types; listOf str;
|
||||
default = [ ];
|
||||
};
|
||||
|
||||
advertiseExitNode = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = false;
|
||||
};
|
||||
|
||||
ipv4Addr = lib.mkOption { type = lib.types.str; };
|
||||
ipv6Addr = lib.mkOption { type = lib.types.str; };
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
environment.systemPackages = [ pkgs.tailscale ];
|
||||
|
||||
services.tailscale.enable = true;
|
||||
|
||||
networking.firewall.checkReversePath = lib.mkIf cfg.advertiseExitNode "loose";
|
||||
|
||||
systemd.services.tailscale-autoconnect = {
|
||||
description = "Automatic connection to Tailscale";
|
||||
|
||||
# make sure tailscale is running before trying to connect to tailscale
|
||||
after = [ "network-pre.target" "tailscale.service" ];
|
||||
wants = [ "network-pre.target" "tailscale.service" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
# set this service as a oneshot job
|
||||
serviceConfig.Type = "oneshot";
|
||||
|
||||
# have the job run this shell script
|
||||
script = with pkgs; ''
|
||||
# wait for tailscaled to settle
|
||||
sleep 2
|
||||
|
||||
# check if we are already authenticated to tailscale
|
||||
status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
|
||||
if [ $status = "Running" ]; then # if so, then do nothing
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# otherwise authenticate with tailscale
|
||||
${tailscale}/bin/tailscale up \
|
||||
--authkey "$(<${cfg.preAuthKeyFile})" \
|
||||
--advertise-routes "${lib.concatStringsSep "," cfg.advertiseRoutes}" \
|
||||
--advertise-exit-node=${if cfg.advertiseExitNode then "true" else "false"}
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
19
modules/www/certs/blog.hillion.co.uk.pem
Normal file
19
modules/www/certs/blog.hillion.co.uk.pem
Normal file
@ -0,0 +1,19 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDGTCCAsCgAwIBAgIUMOkPfgLpbA08ovrPt+deXQPpA9kwCgYIKoZIzj0EAwIw
|
||||
gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
|
||||
YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYDVQQL
|
||||
Ey9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0
|
||||
eTAeFw0yNDA0MTMyMTQ0MDBaFw0zOTA0MTAyMTQ0MDBaMGIxGTAXBgNVBAoTEENs
|
||||
b3VkRmxhcmUsIEluYy4xHTAbBgNVBAsTFENsb3VkRmxhcmUgT3JpZ2luIENBMSYw
|
||||
JAYDVQQDEx1DbG91ZEZsYXJlIE9yaWdpbiBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49
|
||||
AgEGCCqGSM49AwEHA0IABNweW8IgrXj7Q64RxyK8s9XpbxJ8TbYVv7NALbWUahlT
|
||||
QPlGX/5XoM3Z5AtISBi1irLEy5o6mx7ebNK4NmwzNlCjggEkMIIBIDAOBgNVHQ8B
|
||||
Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB
|
||||
/wQCMAAwHQYDVR0OBBYEFMy3oz9l3bwpjgtx6IqL9IH90PXcMB8GA1UdIwQYMBaA
|
||||
FIUwXTsqcNTt1ZJnB/3rObQaDjinMEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcw
|
||||
AYYoaHR0cDovL29jc3AuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYTAdBgNV
|
||||
HREEFjAUghJibG9nLmhpbGxpb24uY28udWswPAYDVR0fBDUwMzAxoC+gLYYraHR0
|
||||
cDovL2NybC5jbG91ZGZsYXJlLmNvbS9vcmlnaW5fZWNjX2NhLmNybDAKBggqhkjO
|
||||
PQQDAgNHADBEAiAgVRgo5V09uyMbz1Mevmxe6d2K5xvZuBElVYja/Rf99AIgZkm1
|
||||
wHEq9wqVYP0oWTiEYQZ6dzKoSwxviOEZI+ttQRA=
|
||||
-----END CERTIFICATE-----
|
19
modules/www/certs/gitea.hillion.co.uk.pem
Normal file
19
modules/www/certs/gitea.hillion.co.uk.pem
Normal file
@ -0,0 +1,19 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDHDCCAsGgAwIBAgIUMHdmb+Ef9YvVmCtliDhg1gDGt8cwCgYIKoZIzj0EAwIw
|
||||
gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
|
||||
YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYDVQQL
|
||||
Ey9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0
|
||||
eTAeFw0yNDA0MTMyMTQ1MDBaFw0zOTA0MTAyMTQ1MDBaMGIxGTAXBgNVBAoTEENs
|
||||
b3VkRmxhcmUsIEluYy4xHTAbBgNVBAsTFENsb3VkRmxhcmUgT3JpZ2luIENBMSYw
|
||||
JAYDVQQDEx1DbG91ZEZsYXJlIE9yaWdpbiBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49
|
||||
AgEGCCqGSM49AwEHA0IABGn2vImTE+gpWx/0ELXue7cL0eGb+I2c9VbUYcy3TBJi
|
||||
G7S+wl79MBM5+5G0wKhTpBgVpXu1/NHunfM97LGZb5ejggElMIIBITAOBgNVHQ8B
|
||||
Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB
|
||||
/wQCMAAwHQYDVR0OBBYEFI6dxFPItIKnNN7/xczMOtlTytuvMB8GA1UdIwQYMBaA
|
||||
FIUwXTsqcNTt1ZJnB/3rObQaDjinMEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcw
|
||||
AYYoaHR0cDovL29jc3AuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYTAeBgNV
|
||||
HREEFzAVghNnaXRlYS5oaWxsaW9uLmNvLnVrMDwGA1UdHwQ1MDMwMaAvoC2GK2h0
|
||||
dHA6Ly9jcmwuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYS5jcmwwCgYIKoZI
|
||||
zj0EAwIDSQAwRgIhAKfRSEKCGNY5x4zUNzOy6vfxgDYPfkP6iW5Ha4gNmE+QAiEA
|
||||
nTsGKr2EoqEdPtnB+wVrYMblWF7/or3JpRYGs6zD2FU=
|
||||
-----END CERTIFICATE-----
|
19
modules/www/certs/hillion.co.uk.pem
Normal file
19
modules/www/certs/hillion.co.uk.pem
Normal file
@ -0,0 +1,19 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDFDCCArugAwIBAgIUedwIJx096VH/KGDgpAKK/Q8jGWUwCgYIKoZIzj0EAwIw
|
||||
gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
|
||||
YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYDVQQL
|
||||
Ey9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0
|
||||
eTAeFw0yNDA0MTMyMTIzMDBaFw0zOTA0MTAyMTIzMDBaMGIxGTAXBgNVBAoTEENs
|
||||
b3VkRmxhcmUsIEluYy4xHTAbBgNVBAsTFENsb3VkRmxhcmUgT3JpZ2luIENBMSYw
|
||||
JAYDVQQDEx1DbG91ZEZsYXJlIE9yaWdpbiBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49
|
||||
AgEGCCqGSM49AwEHA0IABIdc0hnQQP7tLADaCGXxZ+1BGbZ8aow/TtHl+aXDbN3t
|
||||
2vVV2iLmsMbiPcJZ5e9Q2M27L8fZ0uPJP19dDvvN97SjggEfMIIBGzAOBgNVHQ8B
|
||||
Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB
|
||||
/wQCMAAwHQYDVR0OBBYEFJilRKL8wXskL/LmgH8BnIvLIpkEMB8GA1UdIwQYMBaA
|
||||
FIUwXTsqcNTt1ZJnB/3rObQaDjinMEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcw
|
||||
AYYoaHR0cDovL29jc3AuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYTAYBgNV
|
||||
HREEETAPgg1oaWxsaW9uLmNvLnVrMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9j
|
||||
cmwuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYS5jcmwwCgYIKoZIzj0EAwID
|
||||
RwAwRAIgbexSqkt3pzCpnpqYXwC5Gmt+nG5OEqETQ6690kpIS74CIFQI3zXlx8zk
|
||||
GB0BlaZdrraAQP7AuI8CcMd5vbQdnldY
|
||||
-----END CERTIFICATE-----
|
19
modules/www/certs/homeassistant.hillion.co.uk.pem
Normal file
19
modules/www/certs/homeassistant.hillion.co.uk.pem
Normal file
@ -0,0 +1,19 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDJDCCAsmgAwIBAgIUaSXrL4UHFHxDvvnW1720aZkkBCkwCgYIKoZIzj0EAwIw
|
||||
gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
|
||||
YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYDVQQL
|
||||
Ey9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0
|
||||
eTAeFw0yNDA0MTMyMTUzMDBaFw0zOTA0MTAyMTUzMDBaMGIxGTAXBgNVBAoTEENs
|
||||
b3VkRmxhcmUsIEluYy4xHTAbBgNVBAsTFENsb3VkRmxhcmUgT3JpZ2luIENBMSYw
|
||||
JAYDVQQDEx1DbG91ZEZsYXJlIE9yaWdpbiBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49
|
||||
AgEGCCqGSM49AwEHA0IABOz/ljJJjKawHtILlD09YMwmAdhzxTfPPi61qw7R670T
|
||||
Oe4/KA4zClCKfzqnVEZ4YonfgK8U6VqhLPI4crxUQk+jggEtMIIBKTAOBgNVHQ8B
|
||||
Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB
|
||||
/wQCMAAwHQYDVR0OBBYEFO7S2TbvL1kel0QH+sYfjD6v2L7oMB8GA1UdIwQYMBaA
|
||||
FIUwXTsqcNTt1ZJnB/3rObQaDjinMEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcw
|
||||
AYYoaHR0cDovL29jc3AuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYTAmBgNV
|
||||
HREEHzAdghtob21lYXNzaXN0YW50LmhpbGxpb24uY28udWswPAYDVR0fBDUwMzAx
|
||||
oC+gLYYraHR0cDovL2NybC5jbG91ZGZsYXJlLmNvbS9vcmlnaW5fZWNjX2NhLmNy
|
||||
bDAKBggqhkjOPQQDAgNJADBGAiEAgaiFVCBLVYKjTJV67qKOg1R1GBVszNF+9PCi
|
||||
ZejJcjwCIQDtl9S3zCl/h8/7uYfk8dHg0Y6kwd5GVuu6HE67GWJ2Yg==
|
||||
-----END CERTIFICATE-----
|
19
modules/www/certs/links.hillion.co.uk.pem
Normal file
19
modules/www/certs/links.hillion.co.uk.pem
Normal file
@ -0,0 +1,19 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDGzCCAsGgAwIBAgIUFUDTvq6L7SR3qKxaNh77g3XkJk8wCgYIKoZIzj0EAwIw
|
||||
gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
|
||||
YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYDVQQL
|
||||
Ey9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0
|
||||
eTAeFw0yNDA0MTMyMTQ2MDBaFw0zOTA0MTAyMTQ2MDBaMGIxGTAXBgNVBAoTEENs
|
||||
b3VkRmxhcmUsIEluYy4xHTAbBgNVBAsTFENsb3VkRmxhcmUgT3JpZ2luIENBMSYw
|
||||
JAYDVQQDEx1DbG91ZEZsYXJlIE9yaWdpbiBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49
|
||||
AgEGCCqGSM49AwEHA0IABGpSYrOqMuzCfE6qdpXqFze8RxWDcDSUFRYmotnp4cyK
|
||||
i6ISovoK7YDKarrHRIvIrsNBaqk+0hjZpOhN/XpU16SjggElMIIBITAOBgNVHQ8B
|
||||
Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB
|
||||
/wQCMAAwHQYDVR0OBBYEFLoqUdEVGspJs/SGcV7pf2bCzqTrMB8GA1UdIwQYMBaA
|
||||
FIUwXTsqcNTt1ZJnB/3rObQaDjinMEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcw
|
||||
AYYoaHR0cDovL29jc3AuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYTAeBgNV
|
||||
HREEFzAVghNsaW5rcy5oaWxsaW9uLmNvLnVrMDwGA1UdHwQ1MDMwMaAvoC2GK2h0
|
||||
dHA6Ly9jcmwuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYS5jcmwwCgYIKoZI
|
||||
zj0EAwIDSAAwRQIhANh3Ds0ZSZp3rEZ46z4sBp+WNQejnDhTCXt2OIRiCrecAiAB
|
||||
oe21Oz1Pmqv0htFxNf1YbkgJMCoGfENlViuR0cUAJg==
|
||||
-----END CERTIFICATE-----
|
@ -10,21 +10,47 @@ in
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
custom.www.www-repo.enable = true;
|
||||
age.secrets =
|
||||
let
|
||||
mkSecret = domain: {
|
||||
name = "caddy/${domain}.pem";
|
||||
value = {
|
||||
file = ../../secrets/certs/${domain}.pem.age;
|
||||
owner = config.services.caddy.user;
|
||||
group = config.services.caddy.group;
|
||||
};
|
||||
};
|
||||
in
|
||||
builtins.listToAttrs (builtins.map mkSecret [
|
||||
"hillion.co.uk"
|
||||
"blog.hillion.co.uk"
|
||||
"gitea.hillion.co.uk"
|
||||
"homeassistant.hillion.co.uk"
|
||||
"links.hillion.co.uk"
|
||||
]);
|
||||
|
||||
users.users.caddy.extraGroups = [ "mastodon" ];
|
||||
custom.www.www-repo.enable = true;
|
||||
|
||||
services.caddy = {
|
||||
enable = true;
|
||||
package = pkgs.unstable.caddy;
|
||||
|
||||
globalConfig = ''
|
||||
email acme@hillion.co.uk
|
||||
'';
|
||||
|
||||
virtualHosts = {
|
||||
"hillion.co.uk".extraConfig = ''
|
||||
tls ${./certs/hillion.co.uk.pem} ${config.age.secrets."caddy/hillion.co.uk.pem".path}
|
||||
handle /.well-known/* {
|
||||
header /.well-known/matrix/* Content-Type application/json
|
||||
header /.well-known/matrix/* Access-Control-Allow-Origin *
|
||||
|
||||
respond /.well-known/matrix/server "{\"m.server\": \"matrix.hillion.co.uk:443\"}" 200
|
||||
respond /.well-known/matrix/client `{"m.homeserver":{"base_url":"https://matrix.hillion.co.uk"}}`
|
||||
respond /.well-known/matrix/client `${builtins.toJSON {
|
||||
"m.homeserver" = { "base_url" = "https://matrix.hillion.co.uk"; };
|
||||
"org.matrix.msc3575.proxy" = { "url" = "https://matrix.hillion.co.uk"; };
|
||||
}}` 200
|
||||
|
||||
respond 404
|
||||
}
|
||||
@ -34,24 +60,26 @@ in
|
||||
}
|
||||
'';
|
||||
"blog.hillion.co.uk".extraConfig = ''
|
||||
tls ${./certs/blog.hillion.co.uk.pem} ${config.age.secrets."caddy/blog.hillion.co.uk.pem".path}
|
||||
root * /var/www/blog.hillion.co.uk
|
||||
file_server
|
||||
'';
|
||||
"homeassistant.hillion.co.uk".extraConfig = ''
|
||||
reverse_proxy http://homeassistant.homeassistant.ts.hillion.co.uk:8123
|
||||
'';
|
||||
"emby.hillion.co.uk".extraConfig = ''
|
||||
reverse_proxy http://plex.mediaserver.ts.hillion.co.uk:8096
|
||||
tls ${./certs/homeassistant.hillion.co.uk.pem} ${config.age.secrets."caddy/homeassistant.hillion.co.uk.pem".path}
|
||||
reverse_proxy http://${locations.services.homeassistant}:8123
|
||||
'';
|
||||
"gitea.hillion.co.uk".extraConfig = ''
|
||||
tls ${./certs/gitea.hillion.co.uk.pem} ${config.age.secrets."caddy/gitea.hillion.co.uk.pem".path}
|
||||
reverse_proxy http://${locations.services.gitea}:3000
|
||||
'';
|
||||
"matrix.hillion.co.uk".extraConfig = ''
|
||||
reverse_proxy /_matrix/client/unstable/org.matrix.msc3575/sync http://${locations.services.matrix}:8009
|
||||
reverse_proxy /_matrix/* http://${locations.services.matrix}:8008
|
||||
reverse_proxy /_synapse/client/* http://${locations.services.matrix}:8008
|
||||
'';
|
||||
"drone.hillion.co.uk".extraConfig = ''
|
||||
reverse_proxy http://${locations.drone.server}:18733
|
||||
"links.hillion.co.uk".extraConfig = ''
|
||||
tls ${./certs/links.hillion.co.uk.pem} ${config.age.secrets."caddy/links.hillion.co.uk.pem".path}
|
||||
redir https://matrix.to/#/@jake:hillion.co.uk
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
24
renovate.json
Normal file
24
renovate.json
Normal file
@ -0,0 +1,24 @@
|
||||
{
|
||||
"nix": {
|
||||
"enabled": true
|
||||
},
|
||||
"lockFileMaintenance": {
|
||||
"enabled": true,
|
||||
"schedule": ["* 2-5 * * *"]
|
||||
},
|
||||
"rebaseWhen": "behind-base-branch",
|
||||
"packageRules": [
|
||||
{
|
||||
"matchManagers": ["github-actions"],
|
||||
"automerge": true,
|
||||
"schedule": [
|
||||
"after 11pm on Monday",
|
||||
"after 11pm on Thursday"
|
||||
]
|
||||
}
|
||||
],
|
||||
"extends": [
|
||||
"config:recommended",
|
||||
"helpers:pinGitHubActionDigests"
|
||||
]
|
||||
}
|
5
scripts/update_nixpkgs.sh
Executable file
5
scripts/update_nixpkgs.sh
Executable file
@ -0,0 +1,5 @@
|
||||
#!/bin/sh
|
||||
set -xe
|
||||
|
||||
VERSION=`curl https://gitea.hillion.co.uk/JakeHillion/nixos/raw/branch/main/flake.lock | nix run nixpkgs#jq -- -r '.nodes."nixpkgs-unstable".locked.rev'`
|
||||
nix registry add nixpkgs "github:NixOS/nixpkgs/${VERSION}"
|
BIN
secrets/certs/blog.hillion.co.uk.pem.age
Normal file
BIN
secrets/certs/blog.hillion.co.uk.pem.age
Normal file
Binary file not shown.
BIN
secrets/certs/gitea.hillion.co.uk.pem.age
Normal file
BIN
secrets/certs/gitea.hillion.co.uk.pem.age
Normal file
Binary file not shown.
BIN
secrets/certs/hillion.co.uk.pem.age
Normal file
BIN
secrets/certs/hillion.co.uk.pem.age
Normal file
Binary file not shown.
BIN
secrets/certs/homeassistant.hillion.co.uk.pem.age
Normal file
BIN
secrets/certs/homeassistant.hillion.co.uk.pem.age
Normal file
Binary file not shown.
20
secrets/certs/links.hillion.co.uk.pem.age
Normal file
20
secrets/certs/links.hillion.co.uk.pem.age
Normal file
@ -0,0 +1,20 @@
|
||||
age-encryption.org/v1
|
||||
-> ssh-rsa GxPFJQ
|
||||
AaDBHnrzzyVgSLJfjuzNYVqOfGVoNYvtwOZ/8JWdzTiKjFjvFThTwRxXm04x4zV2
|
||||
yDGl2YQn/SdA//tPt2aTt/HEr2vvfvTupf+p8dO81JsdQ2QNEwJq6GFPYvzwpUMt
|
||||
2aY99IWgfZMnNdm1dD40UPRXthRy4neY64fLmrpNH9hM/Tj/O9L9aHo/Z8rROien
|
||||
k/qN0uVWDlrxoCooZNmzuWe8VNE9PtEj07YBjUKY9frVpP38iL9hWZ435x59bRru
|
||||
HTz/I1NEeKyCzUKDz562cmmPl1ihJkelSOLIS/SUL4CfbePt6lGeGgJ1UB1lLBlo
|
||||
nOE79ekfh92wbYJWrogvFg
|
||||
-> ssh-rsa K9mW1w
|
||||
W34jfSpkxpJKesV7ZDl92bQRMtWWB7ht93n7+APJNL18VvLHmqDztkPQovd9FuKY
|
||||
YLEt5qevncV/O2/f6QW87I0ySFT2tpFPflXOITk1INYH8Z/NPfGfHBgUpnl+vM4w
|
||||
xVujFTnFXaFYBpoyOOl5VBLvFTlYvzXL/e2lYyZT/HGb2V43OHQe3dsMWhPKzKLL
|
||||
2eg21XK/LzLFkYdpMwmt5bpVVgXB9kaB9fpmV9ZDtEYDO18/uQQI7Wdn+6XAzB+3
|
||||
iJwIQaqL7YjaOwiF8u6NYOd4Qo7WNEd1WnO9/qIGMp9E4x5V3vToS9fePynE2PtH
|
||||
Chcu3y8jT+Qpby+6joyLwQ
|
||||
-> ssh-ed25519 iWiFbA fxhC7p0ywGIGmpio8x7yFktdB/JnKiiXJF3kvP2X2wk
|
||||
Q2HJ78QRc3nZyyWgB/MjhcEHiKoXou/4421SvoTj9fM
|
||||
--- OYElVzl6Gk/4ma/OgiU1Xtvg5+9Rtq/CIieG85QDOBI
|
||||
Ì$y³6ãyE÷ì=qÉH®y
IûŸ?R @ìG†³H<C2B3>ÓJf\JîaÛ‹¤i¨§2¿ÆÕe³º¯<C2BA>6b%ÑBÜ|.ôgZE¬ßƒ˜ô3ürÄxŽœëë~\Ü\íW‡ïluӚà E¼r$<0C>ÕýÛá'ý¥ÿšaŽÄÙ1Çý—<C3BD>Tæm˜ºp<šIp5hw.Æ'¼GÉÀ7*õ[â\7È*5ôò¤èЖÂãßÓŽör%u06Ó¦û"Ù´G“Àßœvzä6¤
|
||||
Åךe%½¶û QékqôeDoM¹ŸØ(q&r@¶Ï™?Fn
ê_—€<18>\˜°ßÞ"<22>úDÍw½À|úOD]ïê@ö@Ê»Y<C2BB>Ó
|
Binary file not shown.
@ -1,22 +0,0 @@
|
||||
age-encryption.org/v1
|
||||
-> ssh-rsa GxPFJQ
|
||||
B1tLU+ypxVOlO9jSZUvUwb69QrNk/rqJoYjdNSOJxSWk7+iX0jli0TrU8AePnfSn
|
||||
NjemcJJCoaSf5q7RQJK9Gfvq6BE1z4EoablA3Sx9un/qqUJuIy3SiQhR5+y5bPD0
|
||||
+8FzLznorSQR5tc1mQo82S1lv0ec8hqw2q13Kqm/09NIiZNKSLoHkp031q3VZbjC
|
||||
XL2naNUqX4lNADqDxESbY5au3CsnBJGN2gX0syj0d1iRx0At2HJSR7gANCEYpWKI
|
||||
nBF+5mlX7lbpb61CoDUiQSW4JiXCULz1kiR7WWJQBrlFryn4CJ2PAUJTKUfzKO8t
|
||||
sgi02DX7frP4jMOt/Z5VMA
|
||||
-> ssh-rsa K9mW1w
|
||||
sPxe/ErVYvJmogtrhHikq7lz2c5jSYxb/mhDHdSAIQIV3b7zWOreEbLOxDnzr/K7
|
||||
pSHTLTIWXxiCEWxunrhUccGHiBEoP40MkcYJnxyuG49Fu42I9K8Gsq4GI05zF9Kl
|
||||
HKwVOwD7gF3QMgkDCxFuqCsmQLB11Evwc7NnbR0+Z3Y9o4FfP4SCXc87Ye+C9zn8
|
||||
9dRxjpRo1Qz9WtW2VG+qdaWldwo0BLtQILDQoR08GW8D1CZvsqXuHsoGLCMoPcgk
|
||||
H2TEwawh1V/bY/j0Y509sVQWn3FF27taqeEQYZOQOwUWNf10cAsDTDUjdYyc9fjJ
|
||||
Hx62FPHP9wmGsViNhn4gbg
|
||||
-> ssh-ed25519 O0LMHg 9CZI1FtkDLXaIdP9Qlx8O0hUfbdzfrJdK67ifPVDjQM
|
||||
Zqd5xtiaDBi7IFnab2bZQVzzEX0YQDrPYfvur9N6JT8
|
||||
-> I-grease V-d-})j
|
||||
mxJ1WhR/NqdMpIbCaM2jxxmffNAy/t9vByK+c9FNIzb3t87VUcALJxuSmswdNVqs
|
||||
1iL6
|
||||
--- ZJ3HoKn0QVAGVsB57bTaCEU19BuLas9SLRjczmomG1g
|
||||
ë>Ÿ‚xæÀ(¤G–$_¤ßWbw
›-]³UŸ<55>q~ˆS·ˆö`“ê¹ÄŽÌ-pQ,ID‰À@ÛïÞvf£FäøHÙ0Ù-ù:ð·ÄOñèÆA
|
19
secrets/gitea/actions/boron.age
Normal file
19
secrets/gitea/actions/boron.age
Normal file
@ -0,0 +1,19 @@
|
||||
age-encryption.org/v1
|
||||
-> ssh-rsa GxPFJQ
|
||||
O6XXkSIScAPiHbBj6VDHrAzbZjossHPW2AQJtQKkrUmERLABYIZuYFJHk9yH2q2W
|
||||
uBdO/jKN8slQ/7fzKMRu/1EKNRscc1ufgrCCDWdZicdNPSy7948dx+mVK0ass/US
|
||||
jnPgn75erR+KLsi8/yNJc12mx6onvVFE0mxFihZobiEdt7FcjSFCV9k2pPtN+1TK
|
||||
5bKpjyodla+KwSXMGDH7jttvMFXtX5NKda4nYNOM1fHwQ5XCdLti67txcn2y85LV
|
||||
fuo9Pzu++o6aFOalfufKyflOh8Vk3RrBwCDK81e+YLMVjSGv4ZsiTp5O+sI8dBwR
|
||||
BqftVb523V4L3FhksG/e7Q
|
||||
-> ssh-rsa K9mW1w
|
||||
xUjF7ctBetl6as6/N1dVa+Zkg8EOfOILOMzCNUQVGStJ0cEeC3vi54xwoTxnZqX8
|
||||
n2f6wsgcZP203MBX5YJTw8w80WN8WPNYM8IZxdrcSNNuOrPJQbJZkikYGOg8z9/g
|
||||
7zaSotrxcHrHYR2DM/qsQJRYNQgZn7AKviEPwDNSkiGHzolIHRuAi+e2M891/DzA
|
||||
k4X5VsYGusM3Lo9ABZvNzX0MEnLxtStl3TwW4i4MgWts4rjcjBAp5ybZPrQLgMf6
|
||||
M//FNwBXv2adLSC8oUiTWYKB5l5sTmjNawp1FED3T9WvesKWNY0Tm4KrqJA+Ul2Z
|
||||
8aoxg/TCjuuypTIaEPm2aQ
|
||||
-> ssh-ed25519 iWiFbA Zl3LbVd8MHnlj1t4LuAcH13UVwHSJb/wSacM5BkTKHY
|
||||
vwJ4d2obJPXkgOn44+beKbiKR+qnKvFgkOvotwPDJK8
|
||||
--- 2q02v2RlVgBjT3qCe2nAXft976YYbr80qtjw3N9i8Vs
|
||||
Ł×?ŢëČ׍[ĺÔ=GľMI(ět¸?ÄÄo⼍/s˝ź¨P}ř™Ńvr,_ţ3×ĂňîÂjŮDJ/;‰ĺdŤut˘;ä‰@+˛
|
Binary file not shown.
@ -1,19 +1,19 @@
|
||||
age-encryption.org/v1
|
||||
-> ssh-rsa GxPFJQ
|
||||
gDF6kKcuWAKwIhdnB7zav8ZXdHEuq+4yYVc0ZOmpXpiRReo8yVgAcDcMIt5Wkfjk
|
||||
9quZWwFal2YZ9YH7HhG4vXVxzgL0s7oQfnzjsBwVO9lE/hly5gL9TqGY4fjuVv6Q
|
||||
kBbp+JaogGv6RsHVajNWNto1qKNJWB8JyewnIdZOVRHee21u/a3qRMHuyRhIeiWR
|
||||
QLMXxJxdvdgaCUjXMyOgMifsdklK/12kuRb6cTp9Zg+LzMUVloROSbhzofLUtjST
|
||||
GnJR8qKDIDAG6XIzi4+/VZCcHRA/NEAs965GQrK/qyvyTcFW6BUwuoHMq3Ia/9jM
|
||||
K+hgOULnfi+jIDw5U0HJKQ
|
||||
EpPN7UHHRuytMr2vXy9CHzjVkH1iCt9LiTLhFsqXbL03Rk+X82q233Lm12f0sQvz
|
||||
Hqjukkh9bU90TLKcEOFpKrU5FQwKUjzEy85A+4UoovWdJ8VwACOzoJf29Ys1bX3i
|
||||
Xp4gUT7ne5+4afNwKXVFDS1YCPjIoQPu2cGw6iTNIYwVY5fNxz5y5ZHLkI9lOqJD
|
||||
mT7jCgLLdkK8vJiDcu4Ofr21GaziQh93YXK69i3gyAt6pqSRyQdAfhMGkykOWdrO
|
||||
FXMtpzT82UCvfbFbbRCRuSFga0uq5zx2cwvBD4Xagw8Dfg9RQO0rX9NAbbgcoyfG
|
||||
qnk+0bYAk3pWfdXW9Z/psQ
|
||||
-> ssh-rsa K9mW1w
|
||||
TJKNczUv82J3W4sXH76qPmijKcOjvpLvZC7rKf85zBr2fdgOtXzXULQbFhW3l6gs
|
||||
V50Lkw3gwSBC6ckWWKqfJkSxqWgAQumy5/5yZc9zqnNDJPXCaBEOkz3IL43Eu13V
|
||||
4AihecOthSqFkfr1VsrllDckANsTse1Md/p8XDHOpNr/wyUHKRuFKnBmTG7nV2Ja
|
||||
3sqOmI9RzIArUHY868ecGqPrZXWR72vqZJ3twtivq6aQI9mTw+98VPZeAUZVSMVf
|
||||
5T7Z0XGfA3O5x8KDAtHcqUMA87vZ/NwsAHxsy7F64u4yaihIvG+8EQDmkGEP/7eG
|
||||
lPijgnL0SUte+Df3/wXt7Q
|
||||
-> ssh-ed25519 Qo6/7A 7U/6Bj8AWyHKrCZ38LOyUSr/d4HOUXPqT0FoID0ON1A
|
||||
3jqYYywJlhN/i7QuXBWb0kajeZcZyBnNXpUWCMf9Kzc
|
||||
--- pPjt0YCs2Wah1kyAp2qLbL9Q2z/K16jv4DJXAO7x2NU
|
||||
-õ?ùÌQ5©`Y›_ËÐŒ§þ£5†È,u¶.:…ÅÊ»AžoTc¿”p°ûNÝá·F[äX¿‹°‘†’f<E28099>³‘4§ê•¡ÄGs©¿
|
||||
NaR245c+88dGflT9cG73bQOBxQsVi5x8JkMTrqjabzwzHpRiBUdtP+Ou1w+klOI4
|
||||
cv1RLngEZH9jsSiEdvpvRkzE2ILOR/abgABXZi/4vl7iXiC8T23QSOPXnMxrAgpH
|
||||
RV9B3GcSClb70+Lf3pJtPBVHVENhFVFvj5JgxQ2Zi6eMpcMuL18r/Szn4erk8zXQ
|
||||
330oEau80X6WoPtRaSqSxVRrMGecGHdIE9chLosCf1x8CgIcYBTtviky+fDQMkKZ
|
||||
iwueW1luuBj1AuP33jUqjeyyMaJ6SqSmaxGqGHGXA/ayxF8HnHU9AJlhPH+tEEbs
|
||||
84Xu2vwg9ikUz7B1tTBYeA
|
||||
-> ssh-ed25519 iWiFbA CuUeGNUBc5K+AkXBRvp7SUTJNoMDW0bWRnYs3ZhFSGM
|
||||
UwwyxNA2L9q6yYK+BqYcqOq6F5CF+iCUpuceWsEj7ck
|
||||
--- 3XKIweSg0UFqbadbOP0APwaLyquaEdoanlvndvxcQkk
|
||||
ßüu_śnTx#H-7<>‰yó—Îç<>¨—B„ô»uµŐÉîj<C3AE>ZHĐ'&÷_đś#‘ľĽ3ŕHÍ˝0‘f
šBęą×Ö™ýčÂLĽî–z
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
BIN
secrets/homeassistant/secrets.yaml.age
Normal file
BIN
secrets/homeassistant/secrets.yaml.age
Normal file
Binary file not shown.
@ -1,22 +1,18 @@
|
||||
age-encryption.org/v1
|
||||
-> ssh-rsa GxPFJQ
|
||||
fR5abxPrwpYFhEty3T8Zx7u3K5HzIRujjj5aZP84+7gZlEE+Fjj7+F1cWk2QeM38
|
||||
x1YHA5psEsuWAqtAQ/v9Rp/JHFH+HcO6imEIaFv2Lg1tv8IswT995ynejr0E1wN/
|
||||
QKzVXhyqXbTHB6EsGKrzxHAK4GcqXwPFV4JWSYQ+Q2JSDkX4j7yM6kT7k7OI32ZO
|
||||
RmhezWUp5FfZp37NJAJdBQNTqp/nvYLc3X9Wq4kFrvWZNRrh1Yix7vIv0iaqvoHY
|
||||
JWLb9NLQA9RfSKnAVIlbbhNZzMBdCH2zPjNFPdRFHilqcGzxL5NZcEnPcvgwdLU3
|
||||
wrxCU0ZlDDVM6PPR4wnf6A
|
||||
kYf/CWnC4WoFnELMnW4b3k1df6r1sZn7JeLPqIvQ7haKwA0SUrbMGiyWui9ewn6s
|
||||
VSZb7T7zCPFAgs546wiq9O3JzeQPtWdTFCA5F/U48ftbZsAL1YjINqm3ySUbg0O0
|
||||
eh8wZnO4ludFG0bi0/7B6eDmDpfqn/TKLjDJkWiintYg1PMLMR0iDaF8D5oy0zCi
|
||||
Yiz+sAWyYBVvUSD9PEdCPFu/q8ySj9upBxaObf/Z5pDC94I2Ex7NZm8lGoXyMmnk
|
||||
vrhVuHc8eRcqqN+ID48JakdPopA/X7IvFIIJVh40yw4Qldzr7H+b7M98Wg0/UEiC
|
||||
mZldTPzpKznZntXXx6O89Q
|
||||
-> ssh-rsa K9mW1w
|
||||
YMUoAeS+odaUTqNrPpUdno5+X2FEtYKJXoELKAV73FzEZPRGqx6QOW66T7I1T6Ta
|
||||
bI8DN0APAhw5iQLzyfQAqCTk+e9OpVMKhOz9aoOvTUMWQvzFnLPplUBrfqErKf0N
|
||||
ynivabBZDu4bYlveUxvDootS0BEGqMX521+GfHXXrnF1kswmQU9iBjaXOJ6ee5kA
|
||||
uuRXYjdvMCRdxt4IfPsmds5sxmQmb3TtqDTglYF/bGSJRvCuTFE2RJReqR0J7fI8
|
||||
7X/v1BXqZ4/USFcaAvDTejynzw7XbVd0QxF8pvyovnC8QAcNEOSW03ZTWa72SAyH
|
||||
sIN+E5WM8vByNDMM9SbtyQ
|
||||
-> ssh-ed25519 O0LMHg DyROBi4kg7STbIT2AQebM2l+PIxRVGHzIzeJNFCckwU
|
||||
tdNtu0iX9DbBcGO++S3FNpPi0bhs8VblZZ1vG+JAtpQ
|
||||
-> pp5-grease h K,g1$` -W-'z=\ PFC!
|
||||
b5JA7LoHsCfpp/rgBBETM+EOZSEqILdpmkWU2kmJdBvpFG+4oCUFD+el2azOiZpf
|
||||
VSgZiCfct2WDZuEEdZyWAcmRd+z7
|
||||
--- Wngnxun5npVjMmr9+LpV28g8T8nzIcDW8vm124DsbLU
|
||||
ÍęuëE€9Ş´Ă]ůÚč˙xdcpyNüV´x×ôDl N¨j/Íò”Uśćč°)J|˝kseaŹě
éGˇB¬›twZKÇĂÚ]d<>VŤŮ
|
||||
M89fPs6WcToz9Jr2YXrRGM26lHU/8Xk72OExtArEsqKpHcRw27EeOQpcXkQ1baro
|
||||
0MFQTKRsMc2PV0S85BPlUIBrvIiTTHNr/eusKTpAlDwnwllGk26xdaqPO3SYXzMX
|
||||
/zo65i6837vQZr1aRPg1LFzRMWfrj7tLGQPuuE9F68Q/BYaCBbEo8t1vVVVNibjt
|
||||
1rGuaMnjJd7scHkJ+wEJURQQuwrIY4oH8obmrzjQrFbBiWPH/lIUH1OUv5SDbYul
|
||||
/Oq0QEHws/o68EQxOKWrPWRu9P1A3xYu3I19YYZgrKr1G9c0+ZEtZsvfeqCE9w79
|
||||
OOz3GtRRHRCLBDDzv8nfrA
|
||||
--- e0EGzCgM5FbTE91OLwUaICK+yruDi8EAIBMGxFJXWLE
|
||||
ªœ£®AòÂÙî{3·…óÚûí€ñ=Õ89ð9<C3B0>es<65>Gïj
|
||||
!”Áü;æt‹r0¼î&Øgd;ü‚¢&Ã¥Í1£^§'ø6û<36>Wh^qœ
|
Binary file not shown.
Binary file not shown.
@ -1,23 +1,17 @@
|
||||
age-encryption.org/v1
|
||||
-> ssh-rsa GxPFJQ
|
||||
mdMhxMiuWstsWZ4wSiWcloDrP1sJrKOQFy1IwAEXjrXmWx+N9W2p93+gz9W3mTir
|
||||
ooLWTdj2g9tywRpFlLfZr8MDsZEpCxSLb2TG6/xOHuu7qfdsK2V/q+AdgmNZQemv
|
||||
KdIQoszcltG7tv1MyUgcCgusGqJIudLhJ8Sk5w0yPmKW6K/o0cRqX2IAxLWOts2m
|
||||
wlpieG2r35+OHTyaMC6HKDhZBM5Te9b9nQNwq8kj4n98Il3gEGkWYRK6eGiPoQNq
|
||||
ywQv4cmLVmPvuGRhRymzGOieMk2EeT8ZEs970t7SRgq58BFWI79hFZ1Mihr0pXyL
|
||||
wJgnEvaUey1rBj6Nlbdvcw
|
||||
qK0dnP76DaixuZJ0EM3Bvt1yg3ZrL5WtvymOeEajKo/hg831+d9DtsK/VyaVyAY5
|
||||
NlUAKe86AXWSviuntRdQyOjWYD/nUyr7EQRmKBUSrY704ekLHis3R4xvU3sXZmQw
|
||||
/FT0/3irWZlEj3NAAEvLaCAfpEeyhNQVIp3nC9E+1mxeRr4nhYYv6O5dhJNyPZKH
|
||||
RdzzY3eqrRa8UDy8g85dCqP5xO+CqlZGitAjQ/ah2VGbaB9AAPNOfDQWNQplQ9Om
|
||||
rKw+VJCCNFSm9yVstBzG0U7yn/mjgtuJBKJw8hJ+iI5VC1s7aXo86F9gdGjkuG32
|
||||
drcJOvmsLdoD6bxquutinw
|
||||
-> ssh-rsa K9mW1w
|
||||
s29WasIMWE/iVZ2ESd3HpcMsZeC8K/99X/aopLCtK+c+ykXzbdXyHjCvtfvpvMF+
|
||||
GVgWLpPpTa/miLZX2ih7GDXBOI06cvs0Zy1eFvVBUsgID87hpHqfGbpFKvQrMPEc
|
||||
wvcINtOBVa4B9IQ5HNMrBtKQuJ2kOdyerosm93S7crOG2ioAt+FLCIjYYLRCteFN
|
||||
QIbD8vgcocpezAmY06WnepNM1Yi8yeHGi2m3HfPTNxKb6zxMGQ4RcW4a+CYiu0KO
|
||||
rtXFDcQyw82BHzgM+mbW1bZ94EwlVeJJRzrukfFi5zZxzr+Zisv8kK9aQZYvTaMS
|
||||
5ddMYrdpxJeGJAtO6ir3yw
|
||||
-> ssh-ed25519 O0LMHg yHLnNQMahSSgXtWmyAurXI7+bvlJhg4edg/G+AzGAkk
|
||||
PDbS4LjOhHY6GIfQAojtDYpUJV3xS4nAAnvhfhMui3I
|
||||
-> TQ~'V\-grease vuL/7@ .YbM/Fv$
|
||||
sJRsjd41yeR2gJRv567GFh9a6G55o7Jd00QYxPPp
|
||||
--- dClpo30O0AgOaIbkTeyPuuLgV5xCVwj9TpOMJ8fGUJo
|
||||
Œ˜:çÓ’UYÎ,7™D{µCÏÓö
|
||||
1
TÂCQɶ*f=„gCkú«<C3BA>]'šúeûWfìšÄ«~”†£E¸
|
||||
ÊãÍ:å²ÑA –”
|
||||
w8MReKkS8DfPlcc1h8UwN03lV5Aikoy3VN35EDPT5JM132r5cuvUba/AC8B0wBww
|
||||
dP3xvrQ2juBaKtvdPajXcNxfJGGNB0mtaBufLTGXfy+VBAlt10ZKzWA/1dcftzXP
|
||||
OfGJEgswkDLPUnjNtD4NoCQecwfSc9u4kEW0heg7C7j54M6EEypdgnOge3qEiy9a
|
||||
0CGkh1+aF0YiX0KdOi3LThUkYdl6ygbdnkv8HV09c6eNBaCXaOzaqcDl/dnd2pBZ
|
||||
jEanDudeKjIW4yEFl2VKdCfYRMf8clxEZU+8BSg0nzQYMDGC7f2bbyX1aNodSMvo
|
||||
096OSmWjdto3D6hXwCW4LQ
|
||||
--- TqulkienQkKJrxEEb7qvLtntfHm7XLmUvgupz1bfteM
|
||||
‰7¬¯Ú–·²öÂË:uMíÒ<C3AD>áÑg˜øÙ?<0F>b0<62> í“âYºÐ¡ó˜A¨Øƒ#GþK‡”IþêÎ<C3AA>Gðd‹ó¥ª=ë3a´õ’óÝÒ.
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user