JakeHillion/nixos
1
0
Fork 0
Code Issues 7 Pull Requests 5 Actions Packages Projects Releases Wiki Activity

Compare commits

base: JakeHillion:radius
Branches Tags
JakeHillion:main
JakeHillion:renovate/lock-file-maintenance
JakeHillion:ollama
JakeHillion:inventree
JakeHillion:frigate
JakeHillion:sponsorblock
JakeHillion:boron-sync
JakeHillion:ha-lr-hue
JakeHillion:laptop-battery
JakeHillion:rpi-ccache
JakeHillion:boron-native
JakeHillion:boron-tpm
JakeHillion:deploy-rs
JakeHillion:vms
JakeHillion:auto-updates
JakeHillion:he
JakeHillion:node-red
JakeHillion:radius
JakeHillion:images
JakeHillion:mediaserver
JakeHillion:storj-gui
JakeHillion:booted/sodium.pop.ts.hillion.co.uk
JakeHillion:current/sodium.pop.ts.hillion.co.uk
JakeHillion:current/boron.cx.ts.hillion.co.uk
JakeHillion:current/microserver.home.ts.hillion.co.uk
JakeHillion:booted/theon.storage.ts.hillion.co.uk
JakeHillion:current/theon.storage.ts.hillion.co.uk
JakeHillion:current/router.home.ts.hillion.co.uk
JakeHillion:booted/li.pop.ts.hillion.co.uk
JakeHillion:current/li.pop.ts.hillion.co.uk
JakeHillion:booted/tywin.storage.ts.hillion.co.uk
JakeHillion:current/tywin.storage.ts.hillion.co.uk
JakeHillion:booted/boron.cx.ts.hillion.co.uk
JakeHillion:booted/be.lt.ts.hillion.co.uk
JakeHillion:current/be.lt.ts.hillion.co.uk
JakeHillion:booted/gendry.jakehillion-terminals.ts.hillion.co.uk
JakeHillion:current/gendry.jakehillion-terminals.ts.hillion.co.uk
JakeHillion:booted/router.home.ts.hillion.co.uk
JakeHillion:booted/microserver.home.ts.hillion.co.uk
..
compare: JakeHillion:main
Branches Tags
JakeHillion:renovate/lock-file-maintenance
JakeHillion:main
JakeHillion:ollama
JakeHillion:inventree
JakeHillion:frigate
JakeHillion:sponsorblock
JakeHillion:boron-sync
JakeHillion:ha-lr-hue
JakeHillion:laptop-battery
JakeHillion:rpi-ccache
JakeHillion:boron-native
JakeHillion:boron-tpm
JakeHillion:deploy-rs
JakeHillion:vms
JakeHillion:auto-updates
JakeHillion:he
JakeHillion:node-red
JakeHillion:radius
JakeHillion:images
JakeHillion:mediaserver
JakeHillion:storj-gui
JakeHillion:booted/sodium.pop.ts.hillion.co.uk
JakeHillion:current/sodium.pop.ts.hillion.co.uk
JakeHillion:current/boron.cx.ts.hillion.co.uk
JakeHillion:current/microserver.home.ts.hillion.co.uk
JakeHillion:booted/theon.storage.ts.hillion.co.uk
JakeHillion:current/theon.storage.ts.hillion.co.uk
JakeHillion:current/router.home.ts.hillion.co.uk
JakeHillion:booted/li.pop.ts.hillion.co.uk
JakeHillion:current/li.pop.ts.hillion.co.uk
JakeHillion:booted/tywin.storage.ts.hillion.co.uk
JakeHillion:current/tywin.storage.ts.hillion.co.uk
JakeHillion:booted/boron.cx.ts.hillion.co.uk
JakeHillion:booted/be.lt.ts.hillion.co.uk
JakeHillion:current/be.lt.ts.hillion.co.uk
JakeHillion:booted/gendry.jakehillion-terminals.ts.hillion.co.uk
JakeHillion:current/gendry.jakehillion-terminals.ts.hillion.co.uk
JakeHillion:booted/router.home.ts.hillion.co.uk
JakeHillion:booted/microserver.home.ts.hillion.co.uk

124 Commits
radius ... main

Author SHA1 Message Date
Jake Hillion
d5c2f8d543 router: setup cameras vlan
All checks were successful
flake / flake (push) Successful in 1m15s
Details
2024-09-17 09:20:27 +01:00
Renovate Bot
1189a41df9 chore(deps): lock file maintenance
All checks were successful
flake / flake (push) Successful in 1m43s
Details
2024-09-15 16:01:08 +00:00
Jake Hillion
39730d2ec3 macbook: add shell utilities
All checks were successful
flake / flake (push) Successful in 1m16s
Details
2024-09-14 02:39:26 +01:00
Jake Hillion
ac6f285400 resilio: require mounts be available
All checks were successful
flake / flake (push) Successful in 1m15s
Details 
Without this resilio fails on boot on tywin.storage where the paths are
on a ZFS array which gets mounted reliably later than the resilio
service attempts to start.
 2024-09-14 02:30:20 +01:00
Renovate Bot
e4b8fd7438 chore(deps): update determinatesystems/nix-installer-action action to v14
All checks were successful
flake / flake (push) Successful in 1m27s
Details
2024-09-10 00:00:51 +00:00
Renovate Bot
24be3394bc chore(deps): update determinatesystems/magic-nix-cache-action action to v8
All checks were successful
flake / flake (push) Successful in 1m13s
Details
2024-09-09 23:00:50 +00:00
Jake Hillion
ba053c539c boron: enable podman
All checks were successful
flake / flake (push) Successful in 1m13s
Details
2024-09-06 19:04:25 +01:00
Jake Hillion
3aeeb69c2b nix-darwin: add macbook
All checks were successful
flake / flake (push) Successful in 1m13s
Details
2024-09-05 00:50:02 +01:00
Jake Hillion
85246af424 caddy: update to unstable
All checks were successful
flake / flake (push) Successful in 1m13s
Details 
The default config for automatic ACME no longer works in Caddy <2.8.0.
This is due to changes with ZeroSSL's auth. Update to unstable Caddy
which is new enough to renew certs again.

Context: https://github.com/caddyserver/caddy/releases/tag/v2.8.0

Add `pkgs.unstable` as an overlay as recommended on the NixOS wiki. This
is needed here as Caddy must be runnable on all architectures.
 2024-09-05 00:04:08 +01:00
Renovate Bot
ba7a39b66e chore(deps): pin dependencies
All checks were successful
flake / flake (push) Successful in 1m16s
Details
2024-09-02 23:00:12 +00:00
Jake Hillion
df31ebebf8 boron: bump tmpfs to 100% of RAM
All checks were successful
flake / flake (push) Successful in 1m18s
Details
2024-08-31 22:04:38 +01:00
Renovate Bot
2f3a33ad8e chore(deps): lock file maintenance
All checks were successful
flake / flake (push) Successful in 1m15s
Details
2024-08-30 19:01:46 +00:00
Jake Hillion
343b34b4dc boron: support sched_ext in kernel
All checks were successful
flake / flake (push) Successful in 1m45s
Details
2024-08-30 18:52:31 +01:00
Jake Hillion
264799952e bathroom_light: trust switchbot if more recently updated
All checks were successful
flake / flake (push) Successful in 1m13s
Details
2024-08-30 18:46:38 +01:00
Jake Hillion
5cef32cf1e gitea actions: use cache for nix
All checks were successful
flake / flake (push) Successful in 1m15s
Details
2024-08-30 18:39:02 +01:00
Jake Hillion
6cc70e117d tywin: mount d7
All checks were successful
flake / flake (push) Successful in 1m14s
Details
2024-08-22 15:17:11 +01:00
Jake Hillion
a52aed5778 gendry: use zram swap
All checks were successful
flake / flake (push) Successful in 1m14s
Details
2024-08-18 13:51:28 +01:00
Renovate Bot
70b53b5c01 chore(deps): lock file maintenance
All checks were successful
flake / flake (push) Successful in 1m15s
Details
2024-08-18 10:35:15 +00:00
Jake Hillion
3d642e2320 boron: move postgresqlBackup to disk to reduce ram pressure
All checks were successful
flake / flake (push) Successful in 1m14s
Details
2024-08-09 23:37:16 +01:00
Jake Hillion
41d5f0cc53 homeassistant: add sonos
All checks were successful
flake / flake (push) Successful in 1m17s
Details
2024-08-08 18:31:10 +01:00
Jake Hillion
974c947130 homeassistant: add smartthings
All checks were successful
flake / flake (push) Successful in 1m15s
Details
2024-08-04 18:15:34 +01:00
Jake Hillion
8a9498f8d7 homeassistant: expose sleep_mode to google
All checks were successful
flake / flake (push) Successful in 1m15s
Details
2024-08-04 17:56:32 +01:00
Jake Hillion
2ecdafe1cf chore(deps): lock file maintenance
All checks were successful
flake / flake (push) Successful in 1m32s
Details
2024-08-03 12:15:23 +01:00
Jake Hillion
db5dc5aee6 step-ca: enable server on sodium and load root certs
All checks were successful
flake / flake (push) Successful in 1m14s
Details
2024-08-01 23:28:22 +01:00
Jake Hillion
f96f03ba0c boron: update to Linux 6.10
All checks were successful
flake / flake (push) Successful in 1m13s
Details
2024-07-27 15:16:59 +01:00
Renovate Bot
e81cad1670 chore(deps): lock file maintenance
All checks were successful
flake / flake (push) Successful in 1m25s
Details
2024-07-26 13:40:49 +00:00
Jake Hillion
67c8e3dcaf homeassistant: migrate to basnijholt/adaptive-lighting
All checks were successful
flake / flake (push) Successful in 1m14s
Details
2024-07-22 11:16:34 +01:00
Jake Hillion
1052379119 unifi: switch to nixos module
All checks were successful
flake / flake (push) Successful in 1m24s
Details
2024-07-19 16:43:53 +01:00
Jake Hillion
0edb8394c8 tywin: mount d6
All checks were successful
flake / flake (push) Successful in 1m14s
Details
2024-07-17 22:19:41 +01:00
Jake Hillion
bbab551b0f be.lt: connect to Hillion WPA3 Network
All checks were successful
flake / flake (push) Successful in 1m14s
Details
2024-07-17 17:10:08 +01:00
Renovate Bot
13c937b196 chore(deps): lock file maintenance
All checks were successful
flake / flake (push) Successful in 1m15s
Details
2024-07-17 14:14:27 +00:00
Jake Hillion
6bdaca40e0 tmux: index from 0 and always allow attach
All checks were successful
flake / flake (push) Successful in 1m14s
Details
2024-07-17 15:02:19 +01:00
Jake Hillion
462f0eecf4 gendry: allow luks discards
All checks were successful
flake / flake (push) Successful in 1m15s
Details
2024-07-17 09:33:33 +01:00
Jake Hillion
5dcf3b8e3f chia: update to 2.4.1
All checks were successful
flake / flake (push) Successful in 1m13s
Details
2024-07-10 10:01:16 +01:00
Renovate Bot
b0618cd3dc chore(deps): lock file maintenance
All checks were successful
flake / flake (push) Successful in 1m29s
Details
2024-07-06 22:31:08 +00:00
Renovate Bot
a9829eea9e chore(deps): lock file maintenance
All checks were successful
flake / flake (push) Successful in 1m30s
Details
2024-06-23 10:18:56 +00:00
Renovate Bot
cfd64e9a73 chore(deps): lock file maintenance
All checks were successful
flake / flake (push) Successful in 1m29s
Details
2024-06-16 12:13:03 +00:00
Renovate Bot
b3af1739a8 chore(deps): update actions/checkout action to v4.1.7
All checks were successful
flake / flake (push) Successful in 1m14s
Details
2024-06-13 23:01:06 +00:00
Jake Hillion
cde6bdd498 tywin: enable clevis/tang for boot
All checks were successful
flake / flake (push) Successful in 1m13s
Details
2024-06-10 22:34:28 +01:00
Jake Hillion
bd5efa3648 tywin: encrypt root disk
All checks were successful
flake / flake (push) Successful in 1m13s
Details
2024-06-09 23:14:44 +01:00
Jake Hillion
30679f9f4b sodium: add cache directory on the sd card
All checks were successful
flake / flake (push) Successful in 1m13s
Details
2024-06-02 22:41:49 +01:00
Jake Hillion
67644162e1 sodium: rekey
All checks were successful
flake / flake (push) Successful in 1m12s
Details 
accidentally ran `rm -r /data`...
 2024-06-02 21:45:03 +01:00
Renovate Bot
81c77de5ad chore(deps): lock file maintenance
All checks were successful
flake / flake (push) Successful in 1m13s
Details
2024-06-02 13:15:18 +00:00
Jake Hillion
a0f93c73d0 sodium.pop: add rpi5 host
All checks were successful
flake / flake (push) Successful in 1m22s
Details
2024-05-25 22:56:27 +01:00
JakeHillion
78705d440a homeassistant: only switch bathroom light when it is already on
All checks were successful
flake / flake (push) Successful in 1m18s
Details 
Although the system now knows whether the bathroom light is on, it switches the switch every time the light should be turned off regardless of if it's already off. Because this is a device running on battery that performs a physical movement this runs the battery out very fast. Adjust the system to only switch the light off if it thinks it's on, even though this has the potential for desyncs.
 2024-05-25 22:03:11 +01:00
Jake Hillion
3f829236a2 homeassistant: read bathroom light status from motion sensor
All checks were successful
flake / flake (push) Successful in 1m18s
Details
2024-05-25 17:03:57 +01:00
Jake Hillion
7b221eda07 theon: stop scripting networking
All checks were successful
flake / flake (push) Successful in 1m19s
Details 
Unsure why this host is using systemd-networkd, but leave that unchanged
and have NixOS know about it to prevent a warning about loss of
connectivity on build.
 2024-05-25 16:40:19 +01:00
Jake Hillion
22305815c6 matrix: fix warning about renamed sliding sync
All checks were successful
flake / flake (push) Successful in 1m17s
Details
2024-05-25 16:33:05 +01:00
Jake Hillion
fa493123fc router: dhcp: add APC vendor specific cookie
All checks were successful
flake / flake (push) Successful in 1m18s
Details
2024-05-24 22:14:16 +01:00
Jake Hillion
62e61bec8a matrix: add sliding sync
All checks were successful
flake / flake (push) Successful in 1m18s
Details
2024-05-24 10:18:30 +01:00
Jake Hillion
50d70ed8bc boron: update kernel to 6.9
All checks were successful
flake / flake (push) Successful in 1m19s
Details
2024-05-23 22:41:18 +01:00
Renovate Bot
796bbc7a68 chore(deps): update nixpkgs to nixos-24.05 (#271)
All checks were successful
flake / flake (push) Successful in 1m20s
Details 
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [nixpkgs](https://github.com/NixOS/nixpkgs) | major | `nixos-23.11` -> `nixos-24.05` |

---

### Release Notes

<details>
<summary>NixOS/nixpkgs (nixpkgs)</summary>

### [`vnixos-24.05`](https://github.com/NixOS/nixpkgs/compare/nixos-23.11...nixos-24.05)

[Compare Source](https://github.com/NixOS/nixpkgs/compare/nixos-23.11...nixos-24.05)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zNzQuMyIsInVwZGF0ZWRJblZlciI6IjM3LjM3NC4zIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Co-authored-by: Jake Hillion <jake@hillion.co.uk>
Reviewed-on: #271
Co-authored-by: Renovate Bot <renovate-bot@noreply.gitea.hillion.co.uk>
Co-committed-by: Renovate Bot <renovate-bot@noreply.gitea.hillion.co.uk>
 2024-05-23 22:40:58 +01:00
Jake Hillion
8123653a92 jorah.cx: delete
All checks were successful
flake / flake (push) Successful in 1m17s
Details
2024-05-21 22:43:56 +01:00
Jake Hillion
55ade830a8 router: add more dhcp reservations
All checks were successful
flake / flake (push) Successful in 1m12s
Details
2024-05-21 20:09:26 +01:00
Jake Hillion
a9c9600b14 matrix: move jorah->boron
All checks were successful
flake / flake (push) Successful in 2m20s
Details
2024-05-18 19:14:39 +01:00
Jake Hillion
eae5e105ff unifi: move jorah->boron
All checks were successful
flake / flake (push) Successful in 1m21s
Details
2024-05-18 16:52:22 +01:00
Jake Hillion
f1fd6ee270 gitea: fix ips in iptables rules
All checks were successful
flake / flake (push) Successful in 1m10s
Details
2024-05-18 15:34:43 +01:00
Renovate Bot
1dc370709a chore(deps): lock file maintenance
All checks were successful
flake / flake (push) Successful in 1m23s
Details
2024-05-18 13:03:00 +00:00
Renovate Bot
de905e23a8 chore(deps): update actions/checkout action to v4.1.6
All checks were successful
flake / flake (push) Successful in 2m39s
Details
2024-05-17 00:01:14 +00:00
Renovate Bot
9247ae5d91 chore(deps): update cachix/install-nix-action action to v27
All checks were successful
flake / flake (push) Successful in 2m33s
Details
2024-05-16 23:01:13 +00:00
Jake Hillion
7298955391 tywin: enable automatic btrfs scrubbing
All checks were successful
flake / flake (push) Successful in 2m16s
Details
2024-05-15 20:53:57 +01:00
Jake Hillion
f59824ad62 gitea: move jorah->boron
All checks were successful
flake / flake (push) Successful in 2m16s
Details
2024-05-12 13:11:54 +01:00
Jake Hillion
bff93529aa www.global: move jorah->boron
All checks were successful
flake / flake (push) Successful in 1m56s
Details
2024-05-12 12:11:15 +01:00
Jake Hillion
13bfe6f787 boron: enable authoritative dns
All checks were successful
flake / flake (push) Successful in 2m4s
Details
2024-05-10 22:44:48 +01:00
Jake Hillion
ad8c8b9b19 boron: enable version_tracker
All checks were successful
flake / flake (push) Successful in 2m5s
Details
2024-05-10 22:12:49 +01:00
Jake Hillion
b7c07d0107 boron: enable gitea actions
All checks were successful
flake / flake (push) Successful in 2m28s
Details
2024-05-10 21:52:48 +01:00
Jake Hillion
9cc389f865 boron: remove folding@home
All checks were successful
flake / flake (push) Successful in 1m58s
Details 
The update from 23.11 to 24.05 brought a new folding@home version that
doesn't work. It doesn't work by default and there is 0 documentation on
writing xml configs manually, and even the web UI redirects to a
nonsense public website now. Unfortunately this means I'm going to let
this box idle rather than doing useful work, for now at least.
 2024-05-10 21:02:16 +01:00
Renovate Bot
2153c22d7f chore(deps): update actions/checkout action to v4.1.5
All checks were successful
flake / flake (push) Successful in 2m1s
Details
2024-05-09 23:00:45 +00:00
Jake Hillion
a4235b2581 boron: move to kernel 6.8 and re-image
All checks were successful
flake / flake (push) Successful in 1m58s
Details 
The extremely modern hardware on this server appears to experience
kernel crashes with the default NixOS 23.11 kernel 6.1 and the default
NixOS 24.05 kernel 6.6. Empirical testing shows the server staying up on
Ubuntu 22's 6.2 and explicit NixOS kernel 6.8.

The server was wiped during this testing so now needs reimaging.
 2024-05-08 21:11:09 +01:00
Renovate Bot
36ce6ca185 chore(deps): lock file maintenance
All checks were successful
flake / flake (push) Successful in 2m23s
Details
2024-05-08 16:39:43 +00:00
Jake Hillion
e3887e320e tywin: add zram swap
All checks were successful
flake / flake (push) Successful in 1m56s
Details
2024-05-06 23:25:08 +01:00
Jake Hillion
a272cd0661 downloads: add explicit nameservers
All checks were successful
flake / flake (push) Successful in 1m48s
Details
2024-05-06 00:07:25 +01:00
Jake Hillion
1ca4daab9c locations: move attrset into config block
All checks were successful
flake / flake (push) Successful in 1m42s
Details
2024-04-28 10:39:40 +01:00
Jake Hillion
745ea58dec homeassistant: update trusted proxies
All checks were successful
flake / flake (push) Successful in 1m46s
Details
2024-04-27 19:14:12 +01:00
Jake Hillion
348bca745b jorah: add authoritative dns server
All checks were successful
flake / flake (push) Successful in 1m44s
Details
2024-04-27 18:54:46 +01:00
Jake Hillion
0ef24c14e7 tailscale: update to included nixos module
All checks were successful
flake / flake (push) Successful in 1m43s
Details
2024-04-27 15:36:45 +01:00
Jake Hillion
d9233021c7 add enable options for modules/common/default
All checks were successful
flake / flake (push) Successful in 2m9s
Details
2024-04-27 13:46:06 +01:00
Renovate Bot
b39549e1a9 chore(deps): lock file maintenance
All checks were successful
flake / flake (push) Successful in 2m11s
Details
2024-04-27 11:00:24 +00:00
Jake Hillion
8fdd915e76 router.home: enable unbound dns server
All checks were successful
flake / flake (push) Successful in 2m0s
Details
2024-04-26 21:40:17 +01:00
Jake Hillion
62d62500ae renovate: fix gitea actions schedule
All checks were successful
renovate/config-validation Validation Successful
flake / flake (push) Successful in 1m59s
Details 
Also pin patch version of Gitea actions. This should treat each future
update as an update rather than a relock which should show the changelog
in the PR.
 2024-04-25 19:40:00 +01:00
Renovate Bot
b012d48e1d chore(deps): update actions/checkout digest to 0ad4b8f
All checks were successful
flake / flake (push) Successful in 1m55s
Details
2024-04-25 15:01:12 +00:00
Jake Hillion
eba1dae06b chia: update to 2.2.1
All checks were successful
flake / flake (push) Successful in 1m59s
Details
2024-04-24 23:36:51 +01:00
Jake Hillion
b6ef41cae0 renovate: auto-merge github actions
All checks were successful
renovate/config-validation Validation Successful
flake / flake (push) Successful in 1m49s
Details
2024-04-23 22:24:28 +01:00
Renovate Bot
700ca88feb chore(deps): pin cachix/install-nix-action action to 8887e59
All checks were successful
flake / flake (push) Successful in 1m52s
Details
2024-04-23 19:58:42 +00:00
Jake Hillion
1c75fa88a7 boron.cx: add new dedicated server
All checks were successful
flake / flake (push) Successful in 1m49s
Details
2024-04-23 20:45:44 +01:00
Jake Hillion
c3447b3ec9 renovate: extend recommended config and pin github actions
All checks were successful
renovate/config-validation Validation Successful
flake / flake (push) Successful in 1m37s
Details
2024-04-23 20:27:40 +01:00
Jake Hillion
5350581676 gitea.actions: actually check formatting
All checks were successful
flake / flake (push) Successful in 1m38s
Details
2024-04-23 20:23:54 +01:00
Jake Hillion
4d1521e4b4 be.lt: add beryllium laptop
All checks were successful
flake / flake (push) Successful in 1m43s
Details
2024-04-21 17:15:14 +01:00
Jake Hillion
88b33598d7 microserver.parents -> li.pop
All checks were successful
flake / flake (push) Successful in 1m30s
Details
2024-04-20 13:45:00 +01:00
Renovate Bot
4a09f50889 chore(deps): lock file maintenance
All checks were successful
flake / flake (push) Successful in 1m35s
Details
2024-04-19 17:02:52 +00:00
Jake Hillion
cf76a055e7 renovate: always rebase and update schedule
All checks were successful
renovate/config-validation Validation Successful
flake / flake (push) Successful in 1m30s
Details
2024-04-17 23:22:29 +01:00
Jake Hillion
f4f6c66098 jorah: enable zramSwap
All checks were successful
flake / flake (push) Successful in 1m29s
Details
2024-04-17 23:04:04 +01:00
Jake Hillion
2c432ce986 jorah: start folding@home
All checks were successful
flake / flake (push) Successful in 1m9s
Details
2024-04-17 22:55:52 +01:00
Jake Hillion
d6b15a1f25 known_hosts: add jorah and theon
All checks were successful
flake / flake (push) Successful in 1m10s
Details
2024-04-14 14:35:38 +01:00
Renovate Bot
bd34d0e3ad chore(deps): lock file maintenance
All checks were successful
flake / flake (push) Successful in 1m34s
Details
2024-04-14 11:02:06 +00:00
Jake Hillion
52caf6edf9 gitea.actions: nixify basic docker runner
All checks were successful
flake / flake (push) Successful in 1m37s
Details
2024-04-14 00:09:28 +01:00
Jake Hillion
016d0e61b5 www: proxy some domains via cloudflare
All checks were successful
flake / flake (push) Successful in 3m38s
Details
2024-04-13 23:02:22 +01:00
Jake Hillion
b4a33bb6b2 jorah: fix dual networking setup
All checks were successful
flake / flake (push) Successful in 3m35s
Details
2024-04-13 16:45:20 +01:00
Jake Hillion
8cee990f54 cleanup references to server stranger
All checks were successful
flake / flake (push) Successful in 3m34s
Details
2024-04-10 21:38:08 +01:00
Jake Hillion
59e5717e00 vm.strangervm: delete
All checks were successful
flake / flake (push) Successful in 3m39s
Details
2024-04-07 21:07:02 +01:00
Jake Hillion
f2fe064f72 mastodon: stop running
All checks were successful
flake / flake (push) Successful in 4m57s
Details
2024-04-07 19:08:35 +01:00
Jake Hillion
dd76435ec3 drone: remove server
All checks were successful
flake / flake (push) Successful in 5m9s
Details
2024-04-07 19:00:12 +01:00
Renovate Bot
85e5c9d00e chore(deps): lock file maintenance
All checks were successful
flake / flake (push) Successful in 5m8s
Details
2024-04-07 16:12:32 +00:00
Jake Hillion
ca1751533c update_script: escape quote
All checks were successful
flake / flake (push) Successful in 5m8s
Details
2024-04-07 17:01:56 +01:00
Jake Hillion
8900423527 flake: deduplicate home-manager
All checks were successful
flake / flake (push) Successful in 5m7s
Details
2024-04-07 16:37:43 +01:00
Jake Hillion
1ae3cf0c41 ci: ignore tags
All checks were successful
flake / flake (push) Successful in 5m7s
Details
2024-04-07 16:28:34 +01:00
Jake Hillion
72898701da update_script: remove accidental subshell from echo
All checks were successful
flake / flake (push) Successful in 5m9s
Details
2024-04-07 16:13:13 +01:00
Jake Hillion
3c693ee42f convert drone workflow to gitea actions
All checks were successful
flake / flake (push) Successful in 5m7s
Details
2024-04-07 15:07:40 +01:00
Jake Hillion
9752e63f09 all: add easy update script
All checks were successful
continuous-integration/drone/push Build is passing
Details
2024-04-07 14:11:58 +01:00
Jake Hillion
d4fb381fcf microserver.parents: enable zram
All checks were successful
continuous-integration/drone/push Build is passing
Details
2024-04-05 11:09:48 +01:00
Renovate Bot
e812e96afc chore(deps): lock file maintenance
All checks were successful
continuous-integration/drone/push Build is passing
Details
2024-04-04 21:19:23 +00:00
Jake Hillion
d3fb88a328 gitea: update settings
All checks were successful
continuous-integration/drone/push Build is passing
Details
2024-04-01 20:28:46 +01:00
Jake Hillion
804aa10048 renovate configuration
All checks were successful
continuous-integration/drone/push Build is passing
Details
2024-04-01 20:22:10 +01:00
Jake Hillion
8f493d1335 move renovate.json to default place
Some checks reported errors
continuous-integration/drone/push Build was killed
Details
2024-04-01 20:03:52 +01:00
Jake Hillion
9674e6651d renovate: initial config
All checks were successful
continuous-integration/drone/push Build is passing
Details
2024-04-01 19:34:53 +01:00
Jake Hillion
88378c3179 deluge: update config options
All checks were successful
continuous-integration/drone/push Build is passing
Details
2024-03-28 22:30:26 +00:00
Jake Hillion
d682d5434b add links. pointing to matrix
All checks were successful
continuous-integration/drone/push Build is passing
Details
2024-03-27 22:37:31 +00:00
Jake Hillion
790d0a8a6b homeassistant: add switchbot component
All checks were successful
continuous-integration/drone/push Build is passing
Details
2024-03-18 21:26:34 +00:00
Jake Hillion
78a024a924 add homeassistant
All checks were successful
continuous-integration/drone/push Build is passing
Details
2024-03-16 19:46:22 +00:00
Jake Hillion
5e725b14bb impermenance: fix zsh history file
All checks were successful
continuous-integration/drone/push Build is passing
Details
2024-03-16 15:00:34 +00:00
Jake Hillion
7f25cab5f8 www: cleanup emby
All checks were successful
continuous-integration/drone/push Build is passing
Details
2024-03-16 13:44:07 +00:00
Jake Hillion
b0e4e2cca1 flake: update 16th March 2024
All checks were successful
continuous-integration/drone/push Build is passing
Details
2024-03-16 13:43:22 +00:00
Jake Hillion
80b4305e60 scripts: add update_nixpkgs
All checks were successful
continuous-integration/drone/push Build is passing
Details 
add simple script to update nix shell/run nixpkgs to match flake
nixpkgs-unstable input. this avoids having it set to the default of
nixpkgs-unstable and downloading 30MB tarballs all the time.
 2024-03-01 14:44:25 +00:00
Jake Hillion
90cbec88db flake: update 28th February 2024
All checks were successful
continuous-integration/drone/push Build is passing
Details
2024-02-28 13:40:55 +00:00
121 changed files with 2450 additions and 1049 deletions
Show Stats Expand all files Collapse all files

27
.drone.yml
View File

@ -1,27 +0,0 @@
---
kind: pipeline
type: docker
name: check
steps:
- name: lint
image: nixos/nix:2.20.1
commands:
- nix --extra-experimental-features 'nix-command flakes' fmt
- git diff --exit-code
- name: check
image: nixos/nix:2.20.1
commands:
- nix --extra-experimental-features 'nix-command flakes' flake check
trigger:
event:
exclude:
- tag
- pull_request
---
kind: signature
hmac: 5af72ec77460d7d914f9177c78febed763ea1a33dc0f0e39e7599bbf8f4ad987
...

23
.gitea/workflows/flake.yaml Normal file
View File

@ -0,0 +1,23 @@
name: flake
on:
push:
branches:
- '**'
tags-ignore:
- '**'
jobs:
flake:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: DeterminateSystems/nix-installer-action@da36cb69b1c3247ad7a1f931ebfd954a1105ef14 # v14
- uses: DeterminateSystems/magic-nix-cache-action@87b14cf437d03d37989d87f0fa5ce4f5dc1a330b # v8
- name: lint
run: |
nix fmt
git diff --exit-code
- name: flake check
run: nix flake check --all-systems
timeout-minutes: 10

1
README.md
View File

@ -10,3 +10,4 @@ Raspberry Pi images that support Tailscale and headless SSH can be built using a
nixos-generate -f sd-aarch64-installer --system aarch64-linux -c hosts/microserver.home.ts.hillion.co.uk/default.nix
cp SOME_OUTPUT out.img.zst
Alternatively, a Raspberry Pi image with headless SSH can be easily built using the logic in [this repo](https://github.com/Robertof/nixos-docker-sd-image-builder/tree/master).

27
darwin/jakehillion-mba-m2-15/configuration.nix Normal file
View File

@ -0,0 +1,27 @@
{ config, pkgs, ... }:
{
config = {
system.stateVersion = 4;
networking.hostName = "jakehillion-mba-m2-15";
nix = {
useDaemon = true;
};
programs.zsh.enable = true;
security.pam.enableSudoTouchIdAuth = true;
environment.systemPackages = with pkgs; [
fd
htop
mosh
neovim
nix
ripgrep
sapling
];
};
}

91
flake.lock
View File

@ -2,19 +2,23 @@
"nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"darwin": [
"darwin"
],
"home-manager": [
"home-manager"
],
"nixpkgs": [
"nixpkgs"
],
"systems": "systems"
},
"locked": {
"lastModified": 1703433843,
"narHash": "sha256-nmtA4KqFboWxxoOAA6Y1okHbZh+HsXaMPFkYHsoDRDw=",
"lastModified": 1723293904,
"narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
"owner": "ryantm",
"repo": "agenix",
"rev": "417caa847f9383e111d1397039c9d4337d024bf0",
"rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
"type": "github"
},
"original": {
@ -26,21 +30,19 @@
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1700795494,
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
"lastModified": 1726188813,
"narHash": "sha256-Vop/VRi6uCiScg/Ic+YlwsdIrLabWUJc57dNczp0eBc=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
"rev": "21fe31f26473c180390cfa81e3ea81aca0204c80",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
@ -50,11 +52,11 @@
"systems": "systems_2"
},
"locked": {
"lastModified": 1705309234,
"narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
@ -66,52 +68,51 @@
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703113217,
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
"lastModified": 1725703823,
"narHash": "sha256-tDgM4d8mLK0Hd6YMB2w1BqMto1XBXADOzPEaLl10VI4=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
"rev": "208df2e558b73b6a1f0faec98493cb59a25f62ba",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-24.05",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_2": {
"home-manager-unstable": {
"inputs": {
"nixpkgs": [
"nixpkgs"
"nixpkgs-unstable"
]
},
"locked": {
"lastModified": 1706981411,
"narHash": "sha256-cLbLPTL1CDmETVh4p0nQtvoF+FSEjsnJTFpTxhXywhQ=",
"lastModified": 1726357542,
"narHash": "sha256-p4OrJL2weh0TRtaeu1fmNYP6+TOp/W2qdaIJxxQay4c=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "652fda4ca6dafeb090943422c34ae9145787af37",
"rev": "e524c57b1fa55d6ca9d8354c6ce1e538d2a1f47f",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-23.11",
"repo": "home-manager",
"type": "github"
}
},
"impermanence": {
"locked": {
"lastModified": 1706639736,
"narHash": "sha256-CaG4j9+UwBDfinxxvJMo6yOonSmSo0ZgnbD7aj2Put0=",
"lastModified": 1725690722,
"narHash": "sha256-4qWg9sNh5g1qPGO6d/GV2ktY+eDikkBTbWSg5/iD2nY=",
"owner": "nix-community",
"repo": "impermanence",
"rev": "cd13c2917eaa68e4c49fea0ff9cada45440d7045",
"rev": "63f4d0443e32b0dd7189001ee1894066765d18a5",
"type": "github"
},
"original": {
@ -121,29 +122,44 @@
"type": "github"
}
},
"nixpkgs": {
"nixos-hardware": {
"locked": {
"lastModified": 1707347730,
"narHash": "sha256-0etC/exQIaqC9vliKhc3eZE2Mm2wgLa0tj93ZF/egvM=",
"lastModified": 1725885300,
"narHash": "sha256-5RLEnou1/GJQl+Wd+Bxaj7QY7FFQ9wjnFq1VNEaxTmc=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "6832d0d99649db3d65a0e15fa51471537b2c56a6",
"repo": "nixos-hardware",
"rev": "166dee4f88a7e3ba1b7a243edb1aca822f00680e",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-23.11",
"repo": "nixos-hardware",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1726320982,
"narHash": "sha256-RuVXUwcYwaUeks6h3OLrEmg14z9aFXdWppTWPMTwdQw=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "8f7492cce28977fbf8bd12c72af08b1f6c7c3e49",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1707268954,
"narHash": "sha256-2en1kvde3cJVc3ZnTy8QeD2oKcseLFjYPLKhIGDanQ0=",
"lastModified": 1726243404,
"narHash": "sha256-sjiGsMh+1cWXb53Tecsm4skyFNag33GPbVgCdfj3n9I=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "f8e2ebd66d097614d51a56a755450d4ae1632df1",
"rev": "345c263f2f53a3710abe117f28a5cb86d0ba4059",
"type": "github"
},
"original": {
@ -156,9 +172,12 @@
"root": {
"inputs": {
"agenix": "agenix",
"darwin": "darwin",
"flake-utils": "flake-utils",
"home-manager": "home-manager_2",
"home-manager": "home-manager",
"home-manager-unstable": "home-manager-unstable",
"impermanence": "impermanence",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable"
}

111
flake.nix
View File

@ -1,60 +1,91 @@
{
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
nixos-hardware.url = "github:nixos/nixos-hardware";
flake-utils.url = "github:numtide/flake-utils";
darwin.url = "github:lnl7/nix-darwin";
darwin.inputs.nixpkgs.follows = "nixpkgs";
agenix.url = "github:ryantm/agenix";
agenix.inputs.nixpkgs.follows = "nixpkgs";
agenix.inputs.darwin.follows = "darwin";
agenix.inputs.home-manager.follows = "home-manager";
home-manager.url = "github:nix-community/home-manager/release-23.11";
home-manager.url = "github:nix-community/home-manager/release-24.05";
home-manager.inputs.nixpkgs.follows = "nixpkgs";
home-manager-unstable.url = "github:nix-community/home-manager";
home-manager-unstable.inputs.nixpkgs.follows = "nixpkgs-unstable";
impermanence.url = "github:nix-community/impermanence/master";
};
description = "Hillion Nix flake";
outputs = { self, nixpkgs, nixpkgs-unstable, flake-utils, agenix, home-manager, impermanence, ... }@inputs: {
nixosConfigurations =
let
fqdns = builtins.attrNames (builtins.readDir ./hosts);
getSystemOverlays = system: nixpkgsConfig: [
(final: prev: {
"storj" = final.callPackage ./pkgs/storj.nix { };
})
];
mkHost = fqdn:
let system = builtins.readFile ./hosts/${fqdn}/system;
in
nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = inputs;
modules = [
./hosts/${fqdn}/default.nix
./modules/default.nix
outputs = { self, nixpkgs, nixpkgs-unstable, nixos-hardware, flake-utils, agenix, home-manager, home-manager-unstable, darwin, impermanence, ... }@inputs:
let
getSystemOverlays = system: nixpkgsConfig: [
(final: prev: {
unstable = nixpkgs-unstable.legacyPackages.${prev.system};
"storj" = final.callPackage ./pkgs/storj.nix { };
})
];
in
{
nixosConfigurations =
let
fqdns = builtins.attrNames (builtins.readDir ./hosts);
mkHost = fqdn:
let
system = builtins.readFile ./hosts/${fqdn}/system;
func = if builtins.pathExists ./hosts/${fqdn}/unstable then nixpkgs-unstable.lib.nixosSystem else nixpkgs.lib.nixosSystem;
home-manager-pick = if builtins.pathExists ./hosts/${fqdn}/unstable then home-manager-unstable else home-manager;
in
func {
inherit system;
specialArgs = inputs;
modules = [
./hosts/${fqdn}/default.nix
./modules/default.nix
agenix.nixosModules.default
impermanence.nixosModules.impermanence
agenix.nixosModules.default
impermanence.nixosModules.impermanence
home-manager.nixosModules.default
{
home-manager.sharedModules = [
impermanence.nixosModules.home-manager.impermanence
];
}
home-manager-pick.nixosModules.default
{
home-manager.sharedModules = [
impermanence.nixosModules.home-manager.impermanence
];
}
({ config, ... }: {
nix.registry.nixpkgs.flake = nixpkgs; # pin `nix shell` nixpkgs
system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
nixpkgs.overlays = getSystemOverlays config.nixpkgs.hostPlatform.system config.nixpkgs.config;
})
];
};
in
nixpkgs.lib.genAttrs fqdns mkHost;
} // flake-utils.lib.eachDefaultSystem (system: {
formatter = nixpkgs.legacyPackages.${system}.nixpkgs-fmt;
});
({ config, ... }: {
system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
nixpkgs.overlays = getSystemOverlays config.nixpkgs.hostPlatform.system config.nixpkgs.config;
})
];
};
in
nixpkgs.lib.genAttrs fqdns mkHost;
darwinConfigurations = {
jakehillion-mba-m2-15 = darwin.lib.darwinSystem {
system = "aarch64-darwin";
specialArgs = inputs;
modules = [
./darwin/jakehillion-mba-m2-15/configuration.nix
({ config, ... }: {
nixpkgs.overlays = getSystemOverlays "aarch64-darwin" config.nixpkgs.config;
})
];
};
};
} // flake-utils.lib.eachDefaultSystem (system: {
formatter = nixpkgs.legacyPackages.${system}.nixpkgs-fmt;
});
}

55
hosts/be.lt.ts.hillion.co.uk/default.nix Normal file
View File

@ -0,0 +1,55 @@
{ config, pkgs, lib, ... }:
{
imports = [
./hardware-configuration.nix
];
config = {
system.stateVersion = "23.11";
networking.hostName = "be";
networking.domain = "lt.ts.hillion.co.uk";
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
custom.defaults = true;
## Impermanence
custom.impermanence = {
enable = true;
userExtraFiles.jake = [
".ssh/id_ecdsa_sk_keys"
];
};
## WiFi
age.secrets."wifi/be.lt.ts.hillion.co.uk".file = ../../secrets/wifi/be.lt.ts.hillion.co.uk.age;
networking.wireless = {
enable = true;
environmentFile = config.age.secrets."wifi/be.lt.ts.hillion.co.uk".path;
networks = {
"Hillion WPA3 Network".psk = "@HILLION_WPA3_NETWORK_PSK@";
};
};
## Desktop
custom.users.jake.password = true;
custom.desktop.awesome.enable = true;
## Tailscale
age.secrets."tailscale/be.lt.ts.hillion.co.uk".file = ../../secrets/tailscale/be.lt.ts.hillion.co.uk.age;
services.tailscale = {
enable = true;
authKeyFile = config.age.secrets."tailscale/be.lt.ts.hillion.co.uk".path;
};
security.sudo.wheelNeedsPassword = lib.mkForce true;
## Enable btrfs compression
fileSystems."/data".options = [ "compress=zstd" ];
fileSystems."/nix".options = [ "compress=zstd" ];
};
}

33
hosts/vm.strangervm.ts.hillion.co.uk/hardware-configuration.nix → hosts/be.lt.ts.hillion.co.uk/hardware-configuration.nix
View File

@ -6,24 +6,41 @@
{
imports =
[
(modulesPath + "/profiles/qemu-guest.nix")
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{
device = "/dev/disk/by-uuid/6d59bd4b-439d-4480-897c-4480ea6fbe56";
fsType = "ext4";
device = "tmpfs";
fsType = "tmpfs";
options = [ "mode=0755" ];
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/D184-A79B";
fsType = "vfat";
};
fileSystems."/nix" =
{
device = "/dev/disk/by-uuid/3fdc1b00-28d5-41dd-b8e0-fa6b1217f6eb";
fsType = "btrfs";
options = [ "subvol=nix" ];
};
boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/c8ffa91a-5152-4d84-8995-01232fd5acd6";
fileSystems."/data" =
{
device = "/dev/disk/by-uuid/01a351b8-cf66-4a31-9804-0b4145e69153";
device = "/dev/disk/by-uuid/3fdc1b00-28d5-41dd-b8e0-fa6b1217f6eb";
fsType = "btrfs";
options = [ "subvol=data" ];
};
swapDevices = [ ];
@ -33,8 +50,10 @@
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
# networking.interfaces.tailscale0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s20f0u1u4.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

0
hosts/jorah.cx.ts.hillion.co.uk/system → hosts/be.lt.ts.hillion.co.uk/system
View File

7
hosts/boron.cx.ts.hillion.co.uk/README.md Normal file
View File

@ -0,0 +1,7 @@
# boron.cx.ts.hillion.co.uk
Additional installation step for Clevis/Tang:
$ echo -n $DISK_ENCRYPTION_PASSWORD | clevis encrypt sss "$(cat /etc/nixos/hosts/boron.cx.ts.hillion.co.uk/clevis_config.json)" >/mnt/data/disk_encryption.jwe
$ sudo chown root:root /mnt/data/disk_encryption.jwe
$ sudo chmod 0400 /mnt/data/disk_encryption.jwe

13
hosts/boron.cx.ts.hillion.co.uk/clevis_config.json Normal file
View File

@ -0,0 +1,13 @@
{
"t": 1,
"pins": {
"tang": [
{
"url": "http://80.229.251.26:7654"
},
{
"url": "http://185.240.111.53:7654"
}
]
}
}

170
hosts/boron.cx.ts.hillion.co.uk/default.nix Normal file
View File

@ -0,0 +1,170 @@
{ config, pkgs, lib, ... }:
{
imports = [
./hardware-configuration.nix
];
config = {
system.stateVersion = "23.11";
networking.hostName = "boron";
networking.domain = "cx.ts.hillion.co.uk";
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.kernelParams = [ "ip=dhcp" ];
boot.initrd = {
availableKernelModules = [ "igb" ];
network.enable = true;
clevis = {
enable = true;
useTang = true;
devices = {
"disk0-crypt".secretFile = "/data/disk_encryption.jwe";
"disk1-crypt".secretFile = "/data/disk_encryption.jwe";
};
};
};
custom.defaults = true;
## Kernel
### Explicitly use the latest kernel at time of writing because the LTS
### kernels available in NixOS do not seem to support this server's very
### modern hardware.
boot.kernelPackages = pkgs.linuxPackages_6_10;
### Apply patch to enable sched_ext which isn't yet available upstream.
boot.kernelPatches = [{
name = "sched_ext";
patch = pkgs.fetchpatch {
url = "https://github.com/sched-ext/scx-kernel-releases/releases/download/v6.10.3-scx1/linux-v6.10.3-scx1.patch.zst";
hash = "sha256-c4UlXsVOHGe0gvL69K9qTMWqCR8as25qwhfNVxCXUTs=";
decode = "${pkgs.zstd}/bin/unzstd";
excludes = [ "Makefile" ];
};
extraConfig = ''
BPF y
BPF_EVENTS y
BPF_JIT y
BPF_SYSCALL y
DEBUG_INFO_BTF y
FTRACE y
SCHED_CLASS_EXT y
'';
}];
## Enable btrfs compression
fileSystems."/data".options = [ "compress=zstd" ];
fileSystems."/nix".options = [ "compress=zstd" ];
## Impermanence
custom.impermanence = {
enable = true;
cache.enable = true;
};
boot.initrd.postDeviceCommands = lib.mkAfter ''
btrfs subvolume delete /cache/system
btrfs subvolume snapshot /cache/empty_snapshot /cache/system
'';
## Custom Services
custom = {
locations.autoServe = true;
www.global.enable = true;
services = {
gitea.actions = {
enable = true;
tokenSecret = ../../secrets/gitea/actions/boron.age;
};
};
};
services.nsd.interfaces = [
"138.201.252.214"
"2a01:4f8:173:23d2::2"
];
## Enable ZRAM to help with root on tmpfs
zramSwap = {
enable = true;
memoryPercent = 200;
algorithm = "zstd";
};
## Filesystems
services.btrfs.autoScrub = {
enable = true;
interval = "Tue, 02:00";
# By default both /data and /nix would be scrubbed. They are the same filesystem so this is wasteful.
fileSystems = [ "/data" ];
};
## General usability
### Make podman available for dev tools such as act
virtualisation = {
containers.enable = true;
podman = {
enable = true;
dockerCompat = true;
dockerSocket.enable = true;
};
};
users.users.jake.extraGroups = [ "podman" ];
## Networking
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = true;
"net.ipv6.conf.all.forwarding" = true;
};
networking = {
useDHCP = false;
interfaces = {
enp6s0 = {
name = "eth0";
useDHCP = true;
ipv6.addresses = [{
address = "2a01:4f8:173:23d2::2";
prefixLength = 64;
}];
};
};
defaultGateway6 = {
address = "fe80::1";
interface = "eth0";
};
};
networking.firewall = {
trustedInterfaces = [ "tailscale0" ];
allowedTCPPorts = lib.mkForce [ ];
allowedUDPPorts = lib.mkForce [ ];
interfaces = {
eth0 = {
allowedTCPPorts = lib.mkForce [
22 # SSH
3022 # SSH (Gitea) - redirected to 22
53 # DNS
80 # HTTP 1-2
443 # HTTPS 1-2
8080 # Unifi (inform)
];
allowedUDPPorts = lib.mkForce [
53 # DNS
443 # HTTP 3
3478 # Unifi STUN
];
};
};
};
## Tailscale
age.secrets."tailscale/boron.cx.ts.hillion.co.uk".file = ../../secrets/tailscale/boron.cx.ts.hillion.co.uk.age;
services.tailscale = {
enable = true;
authKeyFile = config.age.secrets."tailscale/boron.cx.ts.hillion.co.uk".path;
};
};
}

72
hosts/boron.cx.ts.hillion.co.uk/hardware-configuration.nix Normal file
View File

@ -0,0 +1,72 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{
device = "tmpfs";
fsType = "tmpfs";
options = [ "mode=0755" "size=100%" ];
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/ED9C-4ABC";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
fileSystems."/data" =
{
device = "/dev/disk/by-uuid/9aebe351-156a-4aa0-9a97-f09b01ac23ad";
fsType = "btrfs";
options = [ "subvol=data" ];
};
fileSystems."/cache" =
{
device = "/dev/disk/by-uuid/9aebe351-156a-4aa0-9a97-f09b01ac23ad";
fsType = "btrfs";
options = [ "subvol=cache" ];
};
fileSystems."/nix" =
{
device = "/dev/disk/by-uuid/9aebe351-156a-4aa0-9a97-f09b01ac23ad";
fsType = "btrfs";
options = [ "subvol=nix" ];
};
boot.initrd.luks.devices."disk0-crypt" = {
device = "/dev/disk/by-uuid/a68ead16-1bdc-4d26-9e55-62c2be11ceee";
allowDiscards = true;
};
boot.initrd.luks.devices."disk1-crypt" = {
device = "/dev/disk/by-uuid/19bde205-bee4-430d-a4c1-52d635a23963";
allowDiscards = true;
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp6s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

0
hosts/vm.strangervm.ts.hillion.co.uk/system → hosts/boron.cx.ts.hillion.co.uk/system
View File

27
hosts/gendry.jakehillion-terminals.ts.hillion.co.uk/default.nix
View File

@ -2,8 +2,6 @@
{
imports = [
../../modules/common/default.nix
../../modules/spotify/default.nix
./bluetooth.nix
./hardware-configuration.nix
];
@ -17,6 +15,8 @@
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
custom.defaults = true;
## Impermanence
custom.impermanence = {
enable = true;
@ -29,6 +29,13 @@
];
};
## Enable ZRAM swap to help with root on tmpfs
zramSwap = {
enable = true;
memoryPercent = 200;
algorithm = "zstd";
};
## Desktop
custom.users.jake.password = true;
custom.desktop.awesome.enable = true;
@ -61,9 +68,9 @@
## Tailscale
age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".file = ../../secrets/tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk.age;
custom.tailscale = {
services.tailscale = {
enable = true;
preAuthKeyFile = config.age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".path;
authKeyFile = config.age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".path;
};
security.sudo.wheelNeedsPassword = lib.mkForce true;
@ -76,19 +83,13 @@
boot.initrd.kernelModules = [ "amdgpu" ];
services.xserver.videoDrivers = [ "amdgpu" ];
## Spotify
home-manager.users.jake.services.spotifyd.settings = {
global = {
device_name = "Gendry";
device_type = "computer";
bitrate = 320;
};
};
users.users."${config.custom.user}" = {
packages = with pkgs; [
prismlauncher
];
};
## Networking
networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
};
}

5
hosts/gendry.jakehillion-terminals.ts.hillion.co.uk/hardware-configuration.nix
View File

@ -28,7 +28,10 @@
options = [ "subvol=nix" ];
};
boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/af328e8d-d929-43f1-8d04-1c96b5147e5e";
boot.initrd.luks.devices."root" = {
device = "/dev/disk/by-uuid/af328e8d-d929-43f1-8d04-1c96b5147e5e";
allowDiscards = true;
};
fileSystems."/data" =
{

79
hosts/jorah.cx.ts.hillion.co.uk/default.nix
View File

@ -1,79 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports = [
../../modules/common/default.nix
./hardware-configuration.nix
];
config = {
system.stateVersion = "23.05";
networking.hostName = "jorah";
networking.domain = "cx.ts.hillion.co.uk";
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
## Impermanence
custom.impermanence.enable = true;
## Custom Services
custom = {
locations.autoServe = true;
services.version_tracker.enable = true;
www.global.enable = true;
};
## Filesystems
services.btrfs.autoScrub = {
enable = true;
interval = "Tue, 02:00";
# By default both /data and /nix would be scrubbed. They are the same filesystem so this is wasteful.
fileSystems = [ "/data" ];
};
## Networking
systemd.network = {
enable = true;
networks."enp5s0".extraConfig = ''
[Match]
Name = enp5s0
[Network]
Address = 2a01:4f9:4b:3953::2/64
Gateway = fe80::1
'';
};
networking.firewall = {
trustedInterfaces = [ "tailscale0" ];
allowedTCPPorts = lib.mkForce [
22 # SSH
3022 # Gitea SSH (accessed via public 22)
];
allowedUDPPorts = lib.mkForce [ ];
interfaces = {
enp5s0 = {
allowedTCPPorts = lib.mkForce [
80 # HTTP 1-2
443 # HTTPS 1-2
8080 # Unifi (inform)
];
allowedUDPPorts = lib.mkForce [
443 # HTTP 3
3478 # Unifi STUN
];
};
};
};
## Tailscale
age.secrets."tailscale/jorah.cx.ts.hillion.co.uk".file = ../../secrets/tailscale/jorah.cx.ts.hillion.co.uk.age;
custom.tailscale = {
enable = true;
preAuthKeyFile = config.age.secrets."tailscale/jorah.cx.ts.hillion.co.uk".path;
ipv4Addr = "100.96.143.138";
ipv6Addr = "fd7a:115c:a1e0:ab12:4843:cd96:6260:8f8a";
};
};
}

50
hosts/li.pop.ts.hillion.co.uk/default.nix Normal file
View File

@ -0,0 +1,50 @@
{ config, pkgs, lib, ... }:
{
imports = [
./hardware-configuration.nix
../../modules/rpi/rpi4.nix
];
config = {
system.stateVersion = "23.11";
networking.hostName = "li";
networking.domain = "pop.ts.hillion.co.uk";
custom.defaults = true;
## Custom Services
custom.locations.autoServe = true;
# Networking
## Tailscale
age.secrets."tailscale/li.pop.ts.hillion.co.uk".file = ../../secrets/tailscale/li.pop.ts.hillion.co.uk.age;
services.tailscale = {
enable = true;
authKeyFile = config.age.secrets."tailscale/li.pop.ts.hillion.co.uk".path;
useRoutingFeatures = "server";
extraUpFlags = [ "--advertise-routes" "192.168.1.0/24" ];
};
## Enable ZRAM to make up for 2GB of RAM
zramSwap = {
enable = true;
memoryPercent = 200;
algorithm = "zstd";
};
## Run a persistent iperf3 server
services.iperf3.enable = true;
services.iperf3.openFirewall = true;
networking.firewall.interfaces = {
"end0" = {
allowedTCPPorts = [
7654 # Tang
];
};
};
};
}

0
hosts/microserver.parents.ts.hillion.co.uk/hardware-configuration.nix → hosts/li.pop.ts.hillion.co.uk/hardware-configuration.nix
View File

0
hosts/microserver.parents.ts.hillion.co.uk/system → hosts/li.pop.ts.hillion.co.uk/system
View File

38
hosts/microserver.home.ts.hillion.co.uk/default.nix
View File

@ -3,7 +3,6 @@
{
imports = [
./hardware-configuration.nix
../../modules/common/default.nix
../../modules/rpi/rpi4.nix
];
@ -13,14 +12,23 @@
networking.hostName = "microserver";
networking.domain = "home.ts.hillion.co.uk";
custom.defaults = true;
## Custom Services
custom.locations.autoServe = true;
# Networking
## Tailscale
age.secrets."tailscale/microserver.home.ts.hillion.co.uk".file = ../../secrets/tailscale/microserver.home.ts.hillion.co.uk.age;
custom.tailscale = {
services.tailscale = {
enable = true;
preAuthKeyFile = config.age.secrets."tailscale/microserver.home.ts.hillion.co.uk".path;
advertiseRoutes = [ "10.64.50.0/24" "10.239.19.0/24" ];
advertiseExitNode = true;
authKeyFile = config.age.secrets."tailscale/microserver.home.ts.hillion.co.uk".path;
useRoutingFeatures = "server";
extraUpFlags = [
"--advertise-routes"
"10.64.50.0/24,10.239.19.0/24"
"--advertise-exit-node"
];
};
## Enable IoT VLAN
@ -31,6 +39,10 @@
};
};
hardware = {
bluetooth.enable = true;
};
## Enable IP forwarding for Tailscale
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = true;
@ -40,9 +52,19 @@
services.iperf3.enable = true;
services.iperf3.openFirewall = true;
networking.firewall.interfaces."tailscale0".allowedTCPPorts = [
1883 # MQTT server
];
networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
networking.firewall.interfaces = {
"eth0" = {
allowedUDPPorts = [
5353 # HomeKit
];
allowedTCPPorts = [
1400 # HA Sonos
7654 # Tang
21063 # HomeKit
];
};
};
};
}

35
hosts/microserver.parents.ts.hillion.co.uk/default.nix
View File

@ -1,35 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports = [
./hardware-configuration.nix
../../modules/common/default.nix
../../modules/rpi/rpi4.nix
];
config = {
system.stateVersion = "22.05";
networking.hostName = "microserver";
networking.domain = "parents.ts.hillion.co.uk";
# Networking
## Tailscale
age.secrets."tailscale/microserver.parents.ts.hillion.co.uk".file = ../../secrets/tailscale/microserver.parents.ts.hillion.co.uk.age;
custom.tailscale = {
enable = true;
preAuthKeyFile = config.age.secrets."tailscale/microserver.parents.ts.hillion.co.uk".path;
advertiseRoutes = [ "192.168.1.0/24" ];
};
## Enable IP forwarding for Tailscale
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = true;
};
## Run a persistent iperf3 server
services.iperf3.enable = true;
services.iperf3.openFirewall = true;
};
}

164
hosts/router.home.ts.hillion.co.uk/default.nix
View File

@ -2,7 +2,6 @@
{
imports = [
../../modules/common/default.nix
./hardware-configuration.nix
];
@ -19,6 +18,8 @@
"net.ipv4.conf.all.forwarding" = true;
};
custom.defaults = true;
## Interactive password
custom.users.jake.password = true;
@ -31,6 +32,14 @@
nat.enable = lib.mkForce false;
useDHCP = false;
vlans = {
cameras = {
id = 3;
interface = "eth2";
};
};
interfaces = {
enp1s0 = {
name = "eth0";
@ -55,6 +64,14 @@
}
];
};
cameras /* cameras@eth2 */ = {
ipv4.addresses = [
{
address = "10.133.145.1";
prefixLength = 24;
}
];
};
enp4s0 = { name = "eth3"; };
enp5s0 = { name = "eth4"; };
enp6s0 = { name = "eth5"; };
@ -81,8 +98,8 @@
ip protocol icmp counter accept comment "accept all ICMP types"
iifname "eth0" ct state { established, related } counter accept
iifname "eth0" drop
iifname { "eth0", "cameras" } ct state { established, related } counter accept
iifname { "eth0", "cameras" } drop
}
chain forward {
@ -105,14 +122,8 @@
ip daddr 10.64.50.20 tcp dport 32400 counter accept comment "Plex"
ip daddr 10.64.50.20 tcp dport 8444 counter accept comment "Chia"
ip daddr 10.64.50.20 tcp dport 28967 counter accept comment "zfs.tywin.storj"
ip daddr 10.64.50.20 udp dport 28967 counter accept comment "zfs.tywin.storj"
ip daddr 10.64.50.20 tcp dport 28968 counter accept comment "d0.tywin.storj"
ip daddr 10.64.50.20 udp dport 28968 counter accept comment "d0.tywin.storj"
ip daddr 10.64.50.20 tcp dport 28969 counter accept comment "d1.tywin.storj"
ip daddr 10.64.50.20 udp dport 28969 counter accept comment "d1.tywin.storj"
ip daddr 10.64.50.20 tcp dport 28970 counter accept comment "d2.tywin.storj"
ip daddr 10.64.50.20 udp dport 28970 counter accept comment "d2.tywin.storj"
ip daddr 10.64.50.21 tcp dport 7654 counter accept comment "Tang"
}
}
@ -123,14 +134,8 @@
iifname eth0 tcp dport 32400 counter dnat to 10.64.50.20
iifname eth0 tcp dport 8444 counter dnat to 10.64.50.20
iifname eth0 tcp dport 28967 counter dnat to 10.64.50.20
iifname eth0 udp dport 28967 counter dnat to 10.64.50.20
iifname eth0 tcp dport 28968 counter dnat to 10.64.50.20
iifname eth0 udp dport 28968 counter dnat to 10.64.50.20
iifname eth0 tcp dport 28969 counter dnat to 10.64.50.20
iifname eth0 udp dport 28969 counter dnat to 10.64.50.20
iifname eth0 tcp dport 28970 counter dnat to 10.64.50.20
iifname eth0 udp dport 28970 counter dnat to 10.64.50.20
iifname eth0 tcp dport 7654 counter dnat to 10.64.50.21
}
chain postrouting {
@ -149,12 +154,42 @@
settings = {
interfaces-config = {
interfaces = [ "eth1" "eth2" ];
interfaces = [ "eth1" "eth2" "cameras" ];
};
lease-database = {
type = "memfile";
persist = false;
persist = true;
name = "/var/lib/kea/dhcp4.leases";
};
option-def = [
{
name = "cookie";
space = "vendor-encapsulated-options-space";
code = 1;
type = "string";
array = false;
}
];
client-classes = [
{
name = "APC";
test = "option[vendor-class-identifier].text == 'APC'";
option-data = [
{
always-send = true;
name = "vendor-encapsulated-options";
}
{
name = "cookie";
space = "vendor-encapsulated-options-space";
code = 1;
data = "1APC";
}
];
}
];
subnet4 = [
{
subnet = "10.64.50.0/24";
@ -173,22 +208,20 @@
}
{
name = "domain-name-servers";
data = "1.1.1.1, 8.8.8.8";
data = "10.64.50.1, 1.1.1.1, 8.8.8.8";
}
];
reservations = [
{
# tywin.storage.ts.hillion.co.uk
hw-address = "c8:7f:54:6d:e1:03";
ip-address = "10.64.50.20";
hostname = "tywin";
}
{
# syncbox
hw-address = "00:1e:06:49:06:1e";
ip-address = "10.64.50.22";
hostname = "syncbox";
}
reservations = lib.lists.imap0
(i: el: {
ip-address = "10.64.50.${toString (20 + i)}";
inherit (el) hw-address hostname;
}) [
{ hostname = "tywin"; hw-address = "c8:7f:54:6d:e1:03"; }
{ hostname = "microserver"; hw-address = "e4:5f:01:b4:58:95"; }
{ hostname = "theon"; hw-address = "00:1e:06:49:06:1e"; }
{ hostname = "server-switch"; hw-address = "84:d8:1b:9d:0d:85"; }
{ hostname = "apc-ap7921"; hw-address = "00:c0:b7:6b:f4:34"; }
{ hostname = "sodium"; hw-address = "d8:3a:dd:c3:d6:2b"; }
];
}
{
@ -208,7 +241,7 @@
}
{
name = "domain-name-servers";
data = "1.1.1.1, 8.8.8.8";
data = "10.239.19.1, 1.1.1.1, 8.8.8.8";
}
];
reservations = [
@ -226,23 +259,70 @@
}
];
}
{
subnet = "10.133.145.0/24";
interface = "cameras";
pools = [{
pool = "10.133.145.64 - 10.133.145.254";
}];
option-data = [
{
name = "routers";
data = "10.133.145.1";
}
{
name = "broadcast-address";
data = "10.133.145.255";
}
{
name = "domain-name-servers";
data = "1.1.1.1, 8.8.8.8";
}
];
reservations = [
];
}
];
};
};
};
freeradius = {
unbound = {
enable = true;
settings = {
server = {
interface = [
"127.0.0.1"
"10.64.50.1"
"10.239.19.1"
];
access-control = [
"10.64.50.0/24 allow"
"10.239.19.0/24 allow"
];
};
forward-zone = [
{
name = ".";
forward-tls-upstream = "yes";
forward-addr = [
"1.1.1.1#cloudflare-dns.com"
"1.0.0.1#cloudflare-dns.com"
"8.8.8.8#dns.google"
"8.8.4.4#dns.google"
];
}
];
};
};
};
## Tailscale
age.secrets."tailscale/router.home.ts.hillion.co.uk".file = ../../secrets/tailscale/router.home.ts.hillion.co.uk.age;
custom.tailscale = {
services.tailscale = {
enable = true;
preAuthKeyFile = config.age.secrets."tailscale/router.home.ts.hillion.co.uk".path;
ipv4Addr = "100.105.71.48";
ipv6Addr = "fd7a:115c:a1e0:ab12:4843:cd96:6269:4730";
authKeyFile = config.age.secrets."tailscale/router.home.ts.hillion.co.uk".path;
};
## Enable btrfs compression
@ -267,7 +347,7 @@
services.caddy = {
enable = true;
virtualHosts."http://graphs.router.home.ts.hillion.co.uk" = {
listenAddresses = [ config.custom.tailscale.ipv4Addr config.custom.tailscale.ipv6Addr ];
listenAddresses = [ config.custom.dns.tailscale.ipv4 config.custom.dns.tailscale.ipv6 ];
extraConfig = "reverse_proxy unix///run/netdata/netdata.sock";
};
};

87
hosts/sodium.pop.ts.hillion.co.uk/default.nix Normal file
View File

@ -0,0 +1,87 @@
{ config, pkgs, lib, nixos-hardware, ... }:
{
imports = [
"${nixos-hardware}/raspberry-pi/5/default.nix"
./hardware-configuration.nix
];
config = {
system.stateVersion = "24.05";
networking.hostName = "sodium";
networking.domain = "pop.ts.hillion.co.uk";
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
custom.defaults = true;
## Enable btrfs compression
fileSystems."/data".options = [ "compress=zstd" ];
fileSystems."/nix".options = [ "compress=zstd" ];
## Impermanence
custom.impermanence = {
enable = true;
cache.enable = true;
};
boot.initrd.postDeviceCommands = lib.mkAfter ''
btrfs subvolume delete /cache/tmp
btrfs subvolume snapshot /cache/empty_snapshot /cache/tmp
chmod 1777 /cache/tmp
'';
## CA server
custom.ca.service.enable = true;
### nix only supports build-dir from 2.22. bind mount /tmp to something persistent instead.
fileSystems."/tmp" = {
device = "/cache/tmp";
options = [ "bind" ];
};
# nix = {
# settings = {
# build-dir = "/cache/tmp/";
# };
# };
## Custom Services
custom.locations.autoServe = true;
# Networking
networking = {
useDHCP = false;
interfaces = {
end0 = {
name = "eth0";
useDHCP = true;
};
};
};
networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
networking.firewall = {
trustedInterfaces = [ "tailscale0" ];
allowedTCPPorts = lib.mkForce [
];
allowedUDPPorts = lib.mkForce [ ];
interfaces = {
eth0 = {
allowedTCPPorts = lib.mkForce [
7654 # Tang
];
allowedUDPPorts = lib.mkForce [
];
};
};
};
## Tailscale
age.secrets."tailscale/sodium.pop.ts.hillion.co.uk".file = ../../secrets/tailscale/sodium.pop.ts.hillion.co.uk.age;
services.tailscale = {
enable = true;
authKeyFile = config.age.secrets."tailscale/sodium.pop.ts.hillion.co.uk".path;
};
};
}

28
hosts/jorah.cx.ts.hillion.co.uk/hardware-configuration.nix → hosts/sodium.pop.ts.hillion.co.uk/hardware-configuration.nix
View File

@ -9,9 +9,9 @@
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sr_mod" ];
boot.initrd.availableKernelModules = [ "usbhid" "usb_storage" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
@ -21,24 +21,32 @@
options = [ "mode=0755" ];
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/417B-1063";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
fileSystems."/nix" =
{
device = "/dev/disk/by-id/nvme-KXG60ZNV512G_TOSHIBA_106S10VHT9LM_1-part2";
device = "/dev/disk/by-uuid/48ae82bd-4d7f-4be6-a9c9-4fcc29d4aac0";
fsType = "btrfs";
options = [ "subvol=nix" ];
};
fileSystems."/data" =
{
device = "/dev/disk/by-id/nvme-KXG60ZNV512G_TOSHIBA_106S10VHT9LM_1-part2";
device = "/dev/disk/by-uuid/48ae82bd-4d7f-4be6-a9c9-4fcc29d4aac0";
fsType = "btrfs";
options = [ "subvol=data" ];
};
fileSystems."/boot" =
fileSystems."/cache" =
{
device = "/dev/disk/by-uuid/4D7E-8DE8";
fsType = "vfat";
device = "/dev/disk/by-uuid/48ae82bd-4d7f-4be6-a9c9-4fcc29d4aac0";
fsType = "btrfs";
options = [ "subvol=cache" ];
};
swapDevices = [ ];
@ -48,8 +56,8 @@
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp5s0.useDHCP = lib.mkDefault true;
# networking.interfaces.enu1u4.useDHCP = lib.mkDefault true;
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
}

1
hosts/sodium.pop.ts.hillion.co.uk/system Normal file
View File

@ -0,0 +1 @@
aarch64-linux

11
hosts/theon.storage.ts.hillion.co.uk/default.nix
View File

@ -2,7 +2,6 @@
{
imports = [
../../modules/common/default.nix
./hardware-configuration.nix
];
@ -15,14 +14,18 @@
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
custom.defaults = true;
## Custom Services
custom = {
locations.autoServe = true;
};
## Networking
networking.useNetworkd = true;
systemd.network.enable = true;
networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
networking.firewall = {
trustedInterfaces = [ "tailscale0" ];
allowedTCPPorts = lib.mkForce [
@ -39,11 +42,9 @@
## Tailscale
age.secrets."tailscale/theon.storage.ts.hillion.co.uk".file = ../../secrets/tailscale/theon.storage.ts.hillion.co.uk.age;
custom.tailscale = {
services.tailscale = {
enable = true;
preAuthKeyFile = config.age.secrets."tailscale/theon.storage.ts.hillion.co.uk".path;
ipv4Addr = "100.104.142.22";
ipv6Addr = "fd7a:115c:a1e0::4aa8:8e16";
authKeyFile = config.age.secrets."tailscale/theon.storage.ts.hillion.co.uk".path;
};
## Packages

7
hosts/tywin.storage.ts.hillion.co.uk/README.md Normal file
View File

@ -0,0 +1,7 @@
# tywin.storage.ts.hillion.co.uk
Additional installation step for Clevis/Tang:
$ echo -n $DISK_ENCRYPTION_PASSWORD | clevis encrypt sss "$(cat /etc/nixos/hosts/tywin.storage.ts.hillion.co.uk/clevis_config.json)" >/mnt/disk_encryption.jwe
$ sudo chown root:root /mnt/disk_encryption.jwe
$ sudo chmod 0400 /mnt/disk_encryption.jwe

14
hosts/tywin.storage.ts.hillion.co.uk/clevis_config.json Normal file
View File

@ -0,0 +1,14 @@
{
"t": 1,
"pins": {
"tang": [
{
"url": "http://10.64.50.21:7654"
},
{
"url": "http://10.64.50.25:7654"
}
]
}
}

50
hosts/tywin.storage.ts.hillion.co.uk/default.nix
View File

@ -2,7 +2,6 @@
{
imports = [
../../modules/common/default.nix
./hardware-configuration.nix
];
@ -16,15 +15,35 @@
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.kernelParams = [
"ip=dhcp"
"zfs.zfs_arc_max=25769803776"
];
boot.initrd = {
availableKernelModules = [ "r8169" ];
network.enable = true;
clevis = {
enable = true;
useTang = true;
devices."root".secretFile = "/disk_encryption.jwe";
};
};
custom.locations.autoServe = true;
custom.defaults = true;
# zram swap: used in the hope it will give the ZFS ARC more room to back off
zramSwap = {
enable = true;
memoryPercent = 200;
algorithm = "zstd";
};
## Tailscale
age.secrets."tailscale/tywin.storage.ts.hillion.co.uk".file = ../../secrets/tailscale/tywin.storage.ts.hillion.co.uk.age;
custom.tailscale = {
services.tailscale = {
enable = true;
preAuthKeyFile = config.age.secrets."tailscale/tywin.storage.ts.hillion.co.uk".path;
ipv4Addr = "100.115.31.91";
ipv6Addr = "fd7a:115c:a1e0:ab12:4843:cd96:6273:1f5b";
authKeyFile = config.age.secrets."tailscale/tywin.storage.ts.hillion.co.uk".path;
};
## Filesystems
@ -35,11 +54,17 @@
forceImportRoot = false;
extraPools = [ "data" ];
};
boot.kernelParams = [ "zfs.zfs_arc_max=25769803776" ];
services.zfs.autoScrub = {
services.btrfs.autoScrub = {
enable = true;
interval = "Tue, 02:00";
# All filesystems includes the BTRFS parts of all the hard drives. This
# would take forever and is redundant as they get fully read regularly.
fileSystems = [ "/" ];
};
services.zfs.autoScrub = {
enable = true;
interval = "Wed, 02:00";
};
## Backups
@ -130,7 +155,7 @@
services.caddy = {
enable = true;
virtualHosts."http://restic.tywin.storage.ts.hillion.co.uk".extraConfig = ''
bind ${config.custom.tailscale.ipv4Addr} ${config.custom.tailscale.ipv6Addr}
bind ${config.custom.dns.tailscale.ipv4} ${config.custom.dns.tailscale.ipv6}
reverse_proxy http://localhost:8000
'';
};
@ -193,7 +218,7 @@
enable = true;
openFirewall = true;
keyFile = config.age.secrets."chia/farmer.key".path;
plotDirectories = builtins.genList (i: "/mnt/d${toString i}/plots/contract-k32") 7;
plotDirectories = builtins.genList (i: "/mnt/d${toString i}/plots/contract-k32") 8;
};
## Downloads
@ -211,13 +236,10 @@
openFirewall = true;
};
## Firewall
## Networking
networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
networking.firewall.interfaces."tailscale0".allowedTCPPorts = [
80 # Caddy (restic.tywin.storage.ts.)
14002 # Storj Dashboard (d0.)
14003 # Storj Dashboard (d1.)
14004 # Storj Dashboard (d2.)
14005 # Storj Dashboard (d3.)
];
};
}

17
hosts/tywin.storage.ts.hillion.co.uk/hardware-configuration.nix
View File

@ -20,6 +20,11 @@
fsType = "btrfs";
};
boot.initrd.luks.devices."root" = {
device = "/dev/disk/by-uuid/32837730-5e15-4917-9939-cbb58bb0aabf";
allowDiscards = true;
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/BC57-0AF6";
@ -62,6 +67,18 @@
fsType = "btrfs";
};
fileSystems."/mnt/d6" =
{
device = "/dev/disk/by-uuid/b461e07d-39ab-46b4-b1d1-14c2e0791915";
fsType = "btrfs";
};
fileSystems."/mnt/d7" =
{
device = "/dev/disk/by-uuid/eb8d32d0-e506-449b-8dbc-585ba05c4252";
fsType = "btrfs";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking

67
hosts/vm.strangervm.ts.hillion.co.uk/default.nix
View File

@ -1,67 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports = [
../../modules/common/default.nix
./hardware-configuration.nix
];
config = {
system.stateVersion = "22.05";
networking.hostName = "vm";
networking.domain = "strangervm.ts.hillion.co.uk";
boot.loader.grub = {
enable = true;
device = "/dev/sda";
};
## Custom Services
custom = {
locations.autoServe = true;
drone.server.path = "/data/drone";
};
## Networking
networking.interfaces.ens18.ipv4.addresses = [{
address = "10.72.164.3";
prefixLength = 24;
}];
networking.defaultGateway = "10.72.164.1";
networking.firewall = {
allowedTCPPorts = lib.mkForce [
22 # SSH
];
allowedUDPPorts = lib.mkForce [ ];
trustedInterfaces = lib.mkForce [
"lo"
"tailscale0"
];
interfaces = {
ens18 = {
allowedTCPPorts = lib.mkForce [
80 # HTTP 1-2
443 # HTTPS 1-2
];
allowedUDPPorts = lib.mkForce [
443 # HTTP 3
];
};
};
};
## Tailscale
age.secrets."tailscale/vm.strangervm.ts.hillion.co.uk".file = ../../secrets/tailscale/vm.strangervm.ts.hillion.co.uk.age;
custom.tailscale = {
enable = true;
preAuthKeyFile = config.age.secrets."tailscale/vm.strangervm.ts.hillion.co.uk".path;
ipv4Addr = "100.110.89.111";
ipv6Addr = "fd7a:115c:a1e0:ab12:4843:cd96:626e:596f";
};
## Backups
services.postgresqlBackup.location = "/data/backup/postgres";
};
}

1
modules/backups/default.nix
View File

@ -3,6 +3,7 @@
{
imports = [
./git.nix
./homeassistant.nix
./matrix.nix
];
}

34
modules/backups/homeassistant.nix Normal file
View File

@ -0,0 +1,34 @@
{ config, pkgs, lib, ... }:
let
cfg = config.custom.backups.homeassistant;
in
{
options.custom.backups.homeassistant = {
enable = lib.mkEnableOption "homeassistant";
};
config = lib.mkIf cfg.enable {
age.secrets."backups/homeassistant/restic/128G" = {
file = ../../secrets/restic/128G.age;
owner = "hass";
group = "hass";
};
services = {
restic.backups."homeassistant" = {
user = "hass";
timerConfig = {
OnCalendar = "03:00";
RandomizedDelaySec = "60m";
};
repository = "rest:http://restic.tywin.storage.ts.hillion.co.uk/128G";
passwordFile = config.age.secrets."backups/homeassistant/restic/128G".path;
paths = [
config.services.home-assistant.configDir
];
};
};
};
}

11
modules/ca/README.md Normal file
View File

@ -0,0 +1,11 @@
# ca
Getting the certificates in the right place is a manual process (for now, at least). This is to keep the most control over the root certificate's key and allow manual cycling. The manual commands should be run on a trusted machine.
Creating a 10 year root certificate:
nix run nixpkgs#step-cli -- certificate create 'Hillion ACME' cert.pem key.pem --kty=EC --curve=P-521 --profile=root-ca --not-after=87600h
Creating the intermediate key:
nix run nixpkgs#step-cli -- certificate create 'Hillion ACME (sodium.pop.ts.hillion.co.uk)' intermediate_cert.pem intermediate_key.pem --kty=EC --curve=P-521 --profile=intermediate-ca --not-after=8760h --ca=$NIXOS_ROOT/modules/ca/cert.pem --ca-key=DOWNLOADED_KEY.pem

13
modules/ca/cert.pem Normal file
View File

@ -0,0 +1,13 @@
-----BEGIN CERTIFICATE-----
MIIB+TCCAVqgAwIBAgIQIZdaIUsuJdjnu7DQP1N8oTAKBggqhkjOPQQDBDAXMRUw
EwYDVQQDEwxIaWxsaW9uIEFDTUUwHhcNMjQwODAxMjIyMjEwWhcNMzQwNzMwMjIy
MjEwWjAXMRUwEwYDVQQDEwxIaWxsaW9uIEFDTUUwgZswEAYHKoZIzj0CAQYFK4EE
ACMDgYYABAAJI3z1PrV97EFc1xaENcr6ML1z6xdXTy+ReHtf42nWsw+c3WDKzJ45
+xHJ/p2BTOR5+NQ7RGQQ68zmFJnEYTYDogAw6U9YzxxDGlG1HlgnZ9PPmXoF+PFl
Zy2WZCiDPx5KDJcjTPzLV3ITt4fl3PMA12BREVeonvrvRLcpVrMfS2b7wKNFMEMw
DgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFFBT
fMT0uUbS+lVUbGKK8/SZHPISMAoGCCqGSM49BAMEA4GMADCBiAJCAPNIwrQztPrN
MaHB3J0lNVODIGwQWblt99vnjqIWOKJhgckBxaElyInsyt8dlnmTCpOCJdY4BA+K
Nr87AfwIWdAaAkIBV5i4zXPXVKblGKnmM0FomFSbq2cYE3pmi5BO1StakH1kEHlf
vbkdwFgkw2MlARp0Ka3zbWivBG9zjPoZtsL/8tk=
-----END CERTIFICATE-----

14
modules/ca/consumer.nix Normal file
View File

@ -0,0 +1,14 @@
{ config, pkgs, lib, ... }:
let
cfg = config.custom.ca.consumer;
in
{
options.custom.ca.consumer = {
enable = lib.mkEnableOption "ca.service";
};
config = lib.mkIf cfg.enable {
security.pki.certificates = [ (builtins.readFile ./cert.pem) ];
};
}

8
modules/ca/default.nix Normal file
View File

@ -0,0 +1,8 @@
{ ... }:
{
imports = [
./consumer.nix
./service.nix
];
}

45
modules/ca/service.nix Normal file
View File

@ -0,0 +1,45 @@
{ config, pkgs, lib, ... }:
let
cfg = config.custom.ca.service;
in
{
options.custom.ca.service = {
enable = lib.mkEnableOption "ca.service";
};
config = lib.mkIf cfg.enable {
services.step-ca = {
enable = true;
address = config.custom.dns.tailscale.ipv4;
port = 8443;
intermediatePasswordFile = "/data/system/ca/intermediate.psk";
settings = {
root = ./cert.pem;
crt = "/data/system/ca/intermediate.crt";
key = "/data/system/ca/intermediate.pem";
dnsNames = [ "ca.ts.hillion.co.uk" ];
logger = { format = "text"; };
db = {
type = "badgerv2";
dataSource = "/var/lib/step-ca/db";
};
authority = {
provisioners = [
{
type = "ACME";
name = "acme";
}
];
};
};
};
};
}

2
modules/chia.nix
View File

@ -46,7 +46,7 @@ in
};
virtualisation.oci-containers.containers.chia = {
image = "ghcr.io/chia-network/chia:2.1.4";
image = "ghcr.io/chia-network/chia:2.4.1";
ports = [ "8444" ];
extraOptions = [
"--uidmap=0:${toString config.users.users.chia.uid}:1"

59
modules/common/default.nix
View File

@ -1,59 +0,0 @@
{ pkgs, lib, config, agenix, ... }:
{
imports = [
../home/default.nix
./shell.nix
./ssh.nix
];
nix = {
settings.experimental-features = [ "nix-command" "flakes" ];
settings = {
auto-optimise-store = true;
};
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 90d";
};
};
nixpkgs.config.allowUnfree = true;
time.timeZone = "Europe/London";
i18n.defaultLocale = "en_GB.UTF-8";
users = {
mutableUsers = false;
users."jake" = {
isNormalUser = true;
extraGroups = [ "wheel" ]; # enable sudo
};
};
security.sudo.wheelNeedsPassword = false;
environment = {
systemPackages = with pkgs; [
agenix.packages."${system}".default
gh
git
htop
nix
sapling
vim
];
variables.EDITOR = "vim";
shellAliases = {
ls = "ls -p --color=auto";
};
};
networking = rec {
nameservers = [ "1.1.1.1" "8.8.8.8" ];
networkmanager.dns = "none";
};
networking.firewall.enable = true;
custom.hostinfo.enable = true;
}

43
modules/common/ssh.nix
View File

@ -1,43 +0,0 @@
{ pkgs, lib, config, ... }:
{
users.users."jake".openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOt74U+rL+BMtAEjfu/Optg1D7Ly7U+TupRxd5u9kfN7oJnW4dJA25WRSr4dgQNq7MiMveoduBY/ky2s0c9gvIA= jake@jake-gentoo"
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC0uKIvvvkzrOcS7AcamsQRFId+bqPwUC9IiUIsiH5oWX1ReiITOuEo+TL9YMII5RyyfJFeu2ZP9moNuZYlE7Bs= jake@jake-mbp"
"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAyFsYYjLZ/wyw8XUbcmkk6OKt2IqLOnWpRE5gEvm3X0V4IeTOL9F4IL79h7FTsPvi2t9zGBL1hxeTMZHSGfrdWaMJkQp94gA1W30MKXvJ47nEVt0HUIOufGqgTTaAn4BHxlFUBUuS7UxaA4igFpFVoPJed7ZMhMqxg+RWUmBAkcgTWDMgzUx44TiNpzkYlG8cYuqcIzpV2dhGn79qsfUzBMpGJgkxjkGdDEHRk66JXgD/EtVasZvqp5/KLNnOpisKjR88UJKJ6/buV7FLVra4/0hA9JtH9e1ecCfxMPbOeluaxlieEuSXV2oJMbQoPP87+/QriNdi/6QuCHkMDEhyGw== jake@jake-mbp"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw4lgH20nfuchDqvVf0YciqN0GnBw5hfh8KIun5z0P7wlNgVYnCyvPvdIlGf2Nt1z5EGfsMzMLhKDOZkcTMlhupd+j2Er/ZB764uVBGe1n3CoPeasmbIlnamZ12EusYDvQGm2hVJTGQPPp9nKaRxr6ljvTMTNl0KWlWvKP4kec74d28MGgULOPLT3HlAyvUymSULK4lSxFK0l97IVXLa8YwuL5TNFGHUmjoSsi/Q7/CKaqvNh+ib1BYHzHYsuEzaaApnCnfjDBNexHm/AfbI7s+g3XZDcZOORZn6r44dOBNFfwvppsWj3CszwJQYIFeJFuMRtzlC8+kyYxci0+FXHn jake@jake-gentoo"
];
programs.mosh.enable = true;
services.openssh = {
enable = true;
openFirewall = true;
settings = {
PermitRootLogin = "no";
PasswordAuthentication = false;
};
};
programs.ssh.knownHosts = {
# Global Internet hosts
"ssh.gitea.hillion.co.uk".publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCxQpywsy+WGeaEkEL67xOBL1NIE++pcojxro5xAPO6VQe2N79388NRFMLlX6HtnebkIpVrvnqdLOs0BPMAokjaWCC4Ay7T/3ko1kXSOlqHY5Ye9jtjRK+wPHMZgzf74a3jlvxjrXJMA70rPQ3X+8UGpA04eB3JyyLTLuVvc6znMe53QiZ0x+hSz+4pYshnCO2UazJ148vV3htN6wRK+uqjNdjjQXkNJ7llNBSrvmfrLidlf0LRphEk43maSQCBcLEZgf4pxXBA7rFuZABZTz1twbnxP2ziyBaSOs7rcII+jVhF2cqJlElutBfIgRNJ3DjNiTcdhNaZzkwJ59huR0LUFQlHI+SALvPzE9ZXWVOX/SqQG+oIB8VebR52icii0aJH7jatkogwNk0121xmhpvvR7gwbJ9YjYRTpKs4lew3bq/W/OM8GF/FEuCsCuNIXRXKqIjJVAtIpuuhxPymFHeqJH3wK3f6jTJfcAz/z33Rwpow2VOdDyqrRfAW8ti73CCnRlN+VJi0V/zvYGs9CHldY3YvMr7rSd0+fdGyJHSTSRBF0vcyRVA/SqSfcIo/5o0ssYoBnQCg6gOkc3nNQ0C0/qh1ww17rw4hqBRxFJ2t3aBUMK+UHPxrELLVmG6ZUmfg9uVkOoafjRsoML6DVDB4JAk5JsmcZhybOarI9PJfEQ==";
"server.stranger.proxmox.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9d5u/VaeRTQUQfu5JzCRa+zij/DtrPNWOfr+jM4iDp";
# Tailscale hosts
"dancefloor.dancefloor.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXkGueVYKr2wp/VHo2QLis0kmKtc/Upg3pGoHr6RkzY";
"gendry.jakehillion.terminals.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPXM5aDvNv4MTITXAvJWSS2yvr/mbxJE31tgwJtcl38c";
"homeassistant.homeassistant.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM2ytacl/zYXhgvosvhudsl0zW5eQRHXm9aMqG9adux";
"microserver.home.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPOCPqXm5a+vGB6PsJFvjKNgjLhM5MxrwCy6iHGRjXw";
"microserver.parents.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0cjjNQPnJwpu4wcYmvfjB1jlIfZwMxT+3nBusoYQFr";
"pbs.proxmox.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGGY6ky2sQjg/bLRUWOUERmAOqboAjy+9PkE8sU+angx";
"router.home.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlCj/i2xprN6h0Ik2tthOJQy6Qwq3Ony73+yfbHYTFu";
"router.stranger.proxmox.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHq9tITN59FJfGoyOPNgP1QyJ0ohbVQS8OZtRO960Uxk";
"stranger.proxmox.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9d5u/VaeRTQUQfu5JzCRa+zij/DtrPNWOfr+jM4iDp";
"tywin.storage.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGATsjWO0qZNFp2BhfgDuWi+e/ScMkFxp79N2OZoed1k";
"vm.strangervm.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINb9mgyD/G3Rt6lvO4c0hoaVOlLE8e3+DUfAoB1RI5cy";
};
programs.ssh.knownHostsFiles = [ ./github_known_hosts ];
}

18
modules/default.nix
View File

@ -3,23 +3,21 @@
{
imports = [
./backups/default.nix
./ca/default.nix
./chia.nix
./common/hostinfo.nix
./defaults.nix
./desktop/awesome/default.nix
./drone/default.nix
./dns.nix
./home/default.nix
./hostinfo.nix
./ids.nix
./impermanence.nix
./locations.nix
./resilio.nix
./services/downloads.nix
./services/gitea.nix
./services/mastodon/default.nix
./services/matrix.nix
./services/unifi.nix
./services/version_tracker.nix
./services/zigbee2mqtt.nix
./services/default.nix
./shell/default.nix
./ssh/default.nix
./storj.nix
./tailscale.nix
./users.nix
./www/global.nix
./www/www-repo.nix

64
modules/defaults.nix Normal file
View File

@ -0,0 +1,64 @@
{ pkgs, lib, config, agenix, ... }:
{
options.custom.defaults = lib.mkEnableOption "defaults";
config = lib.mkIf config.custom.defaults {
nix = {
settings.experimental-features = [ "nix-command" "flakes" ];
settings = {
auto-optimise-store = true;
};
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 90d";
};
};
nixpkgs.config.allowUnfree = true;
time.timeZone = "Europe/London";
i18n.defaultLocale = "en_GB.UTF-8";
users = {
mutableUsers = false;
users.${config.custom.user} = {
isNormalUser = true;
extraGroups = [ "wheel" ]; # enable sudo
uid = config.ids.uids.${config.custom.user};
};
};
security.sudo.wheelNeedsPassword = false;
environment = {
systemPackages = with pkgs; [
agenix.packages."${system}".default
gh
git
htop
nix
sapling
vim
];
variables.EDITOR = "vim";
shellAliases = {
ls = "ls -p --color=auto";
};
};
networking = rec {
nameservers = [ "1.1.1.1" "8.8.8.8" ];
networkmanager.dns = "none";
};
networking.firewall.enable = true;
# Delegation
custom.ca.consumer.enable = true;
custom.dns.enable = true;
custom.home.defaults = true;
custom.hostinfo.enable = true;
custom.shell.enable = true;
custom.ssh.enable = true;
};
}

112
modules/dns.nix Normal file
View File

@ -0,0 +1,112 @@
{ pkgs, lib, config, ... }:
let
cfg = config.custom.dns;
in
{
options.custom.dns = {
enable = lib.mkEnableOption "dns";
authoritative = {
ipv4 = lib.mkOption {
description = "authoritative ipv4 mappings";
readOnly = true;
};
ipv6 = lib.mkOption {
description = "authoritative ipv6 mappings";
readOnly = true;
};
};
tailscale =
{
ipv4 = lib.mkOption {
description = "tailscale ipv4 address";
readOnly = true;
};
ipv6 = lib.mkOption {
description = "tailscale ipv6 address";
readOnly = true;
};
};
};
config = lib.mkIf cfg.enable {
custom.dns.authoritative = {
ipv4 = {
uk = {
co = {
hillion = {
ts = {
cx = {
boron = "100.113.188.46";
};
home = {
microserver = "100.105.131.47";
router = "100.105.71.48";
};
jakehillion-terminals = { gendry = "100.70.100.77"; };
lt = { be = "100.105.166.79"; };
pop = {
li = "100.106.87.35";
sodium = "100.87.188.4";
};
storage = {
theon = "100.104.142.22";
tywin = "100.115.31.91";
};
};
};
};
};
};
ipv6 = {
uk = {
co = {
hillion = {
ts = {
cx = {
boron = "fd7a:115c:a1e0::2a01:bc2f";
};
home = {
microserver = "fd7a:115c:a1e0:ab12:4843:cd96:6269:832f";
router = "fd7a:115c:a1e0:ab12:4843:cd96:6269:4730";
};
jakehillion-terminals = { gendry = "fd7a:115c:a1e0:ab12:4843:cd96:6246:644d"; };
lt = { be = "fd7a:115c:a1e0::9001:a64f"; };
pop = {
li = "fd7a:115c:a1e0::e701:5723";
sodium = "fd7a:115c:a1e0::3701:bc04";
};
storage = {
theon = "fd7a:115c:a1e0::4aa8:8e16";
tywin = "fd7a:115c:a1e0:ab12:4843:cd96:6273:1f5b";
};
};
};
};
};
};
};
custom.dns.tailscale =
let
lookupFqdn = lib.attrsets.attrByPath (lib.reverseList (lib.splitString "." config.networking.fqdn)) null;
in
{
ipv4 = lookupFqdn cfg.authoritative.ipv4;
ipv6 = lookupFqdn cfg.authoritative.ipv6;
};
networking.hosts =
let
mkHosts = hosts:
(lib.collect (x: (builtins.hasAttr "name" x && builtins.hasAttr "value" x))
(lib.mapAttrsRecursive
(path: value:
lib.nameValuePair value [ (lib.concatStringsSep "." (lib.reverseList path)) ])
hosts));
in
builtins.listToAttrs (mkHosts cfg.authoritative.ipv4 ++ mkHosts cfg.authoritative.ipv6);
};
}

7
modules/drone/default.nix
View File

@ -1,7 +0,0 @@
{ ... }:
{
imports = [
./server.nix
];
}

43
modules/drone/server.nix
View File

@ -1,43 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.custom.drone.server;
in
{
options.custom.drone.server = {
enable = lib.mkEnableOption "drone server";
path = lib.mkOption {
type = lib.types.str;
default = "/var/lib/drone";
};
port = lib.mkOption {
type = lib.types.port;
default = 18733;
};
};
config = lib.mkIf cfg.enable {
age.secrets."drone/gitea_client_secret".file = ../../secrets/drone/gitea_client_secret.age;
age.secrets."drone/rpc_secret".file = ../../secrets/drone/rpc_secret.age;
virtualisation.oci-containers.containers."drone" = {
image = "drone/drone:2.21.0";
volumes = [ "${cfg.path}:/data" ];
ports = [ "${toString cfg.port}:80" ];
environment = {
DRONE_AGENTS_ENABLED = "true";
DRONE_GITEA_SERVER = "https://gitea.hillion.co.uk";
DRONE_GITEA_CLIENT_ID = "687ee331-ad9e-44fd-9e02-7f1c652754bb";
DRONE_SERVER_HOST = "drone.hillion.co.uk";
DRONE_SERVER_PROTO = "https";
DRONE_LOGS_DEBUG = "true";
DRONE_USER_CREATE = "username:JakeHillion,admin:true";
};
environmentFiles = [
config.age.secrets."drone/gitea_client_secret".path
config.age.secrets."drone/rpc_secret".path
];
};
};
}

8
modules/home/default.nix
View File

@ -6,7 +6,9 @@
./tmux/default.nix
];
config = {
options.custom.home.defaults = lib.mkEnableOption "home";
config = lib.mkIf config.custom.home.defaults {
home-manager = {
users.root.home = {
stateVersion = "22.11";
@ -22,5 +24,9 @@
file.".zshrc".text = "";
};
};
# Delegation
custom.home.git.enable = true;
custom.home.tmux.enable = true;
};
}

39
modules/home/git.nix
View File

@ -1,21 +1,30 @@
{ pkgs, lib, config, ... }:
let
cfg = config.custom.home.git;
in
{
home-manager.users.jake.programs.git = {
enable = true;
extraConfig = {
user = {
email = "jake@hillion.co.uk";
name = "Jake Hillion";
};
pull = {
rebase = true;
};
merge = {
conflictstyle = "diff3";
};
init = {
defaultBranch = "main";
options.custom.home.git = {
enable = lib.mkEnableOption "git";
};
config = lib.mkIf cfg.enable {
home-manager.users.jake.programs.git = lib.mkIf (config.custom.user == "jake") {
enable = true;
extraConfig = {
user = {
email = "jake@hillion.co.uk";
name = "Jake Hillion";
};
pull = {
rebase = true;
};
merge = {
conflictstyle = "diff3";
};
init = {
defaultBranch = "main";
};
};
};
};

8
modules/home/tmux/.tmux.conf
View File

@ -8,3 +8,11 @@ bind -n C-k clear-history
bind '"' split-window -c "#{pane_current_path}"
bind % split-window -h -c "#{pane_current_path}"
bind c new-window -c "#{pane_current_path}"
# Start indices at 1 to match keyboard
set -g base-index 1
setw -g pane-base-index 1
# Open a new session when attached to and one isn't open
# Must come after base-index settings
new-session

15
modules/home/tmux/default.nix
View File

@ -1,8 +1,17 @@
{ pkgs, lib, config, ... }:
let
cfg = config.custom.home.tmux;
in
{
home-manager.users.jake.programs.tmux = {
enable = true;
extraConfig = lib.readFile ./.tmux.conf;
options.custom.home.tmux = {
enable = lib.mkEnableOption "tmux";
};
config = lib.mkIf cfg.enable {
home-manager.users.jake.programs.tmux = {
enable = true;
extraConfig = lib.readFile ./.tmux.conf;
};
};
}

0
modules/common/hostinfo.nix → modules/hostinfo.nix
View File

2
modules/ids.nix
View File

@ -6,6 +6,7 @@
## Defined System Users (see https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/ids.nix)
unifi = 183;
chia = 185;
gitea = 186;
## Consistent People
jake = 1000;
@ -15,6 +16,7 @@
## Defined System Groups (see https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/ids.nix)
unifi = 183;
chia = 185;
gitea = 186;
## Consistent Groups
mediaaccess = 1200;

69
modules/impermanence.nix
View File

@ -2,7 +2,6 @@
let
cfg = config.custom.impermanence;
listIf = (enable: x: if enable then x else [ ]);
in
{
options.custom.impermanence = {
@ -12,6 +11,13 @@ in
type = lib.types.str;
default = "/data";
};
cache = {
enable = lib.mkEnableOption "impermanence.cache";
path = lib.mkOption {
type = lib.types.str;
default = "/cache";
};
};
users = lib.mkOption {
type = with lib.types; listOf str;
@ -40,41 +46,60 @@ in
gitea.stateDir = "${cfg.base}/system/var/lib/gitea";
};
environment.persistence."${cfg.base}/system" = {
hideMounts = true;
environment.persistence = lib.mkMerge [
{
"${cfg.base}/system" = {
hideMounts = true;
directories = [
"/etc/nixos"
] ++ (listIf config.custom.tailscale.enable [ "/var/lib/tailscale" ]) ++
(listIf config.services.zigbee2mqtt.enable [ config.services.zigbee2mqtt.dataDir ]) ++
(listIf config.services.postgresql.enable [ config.services.postgresql.dataDir ]) ++
(listIf config.hardware.bluetooth.enable [ "/var/lib/bluetooth" ]) ++
(listIf config.custom.services.unifi.enable [ "/var/lib/unifi" ]) ++
(listIf (config.virtualisation.oci-containers.containers != { }) [ "/var/lib/containers" ]);
};
directories = [
"/etc/nixos"
] ++ (lib.lists.optional config.services.tailscale.enable "/var/lib/tailscale") ++
(lib.lists.optional config.services.zigbee2mqtt.enable config.services.zigbee2mqtt.dataDir) ++
(lib.lists.optional config.services.postgresql.enable config.services.postgresql.dataDir) ++
(lib.lists.optional config.hardware.bluetooth.enable "/var/lib/bluetooth") ++
(lib.lists.optional config.custom.services.unifi.enable "/var/lib/unifi") ++
(lib.lists.optional (config.virtualisation.oci-containers.containers != { }) "/var/lib/containers") ++
(lib.lists.optional config.services.tang.enable "/var/lib/private/tang") ++
(lib.lists.optional config.services.caddy.enable "/var/lib/caddy") ++
(lib.lists.optional config.services.step-ca.enable "/var/lib/step-ca/db");
};
}
(lib.mkIf cfg.cache.enable {
"${cfg.cache.path}/system" = {
hideMounts = true;
directories = (lib.lists.optional config.services.postgresqlBackup.enable config.services.postgresqlBackup.location);
};
})
];
home-manager.users =
let
mkUser = (x: {
name = x;
value = {
home.persistence."/data/users/${x}" = {
allowOther = false;
home = {
persistence."/data/users/${x}" = {
allowOther = false;
files = [
".zsh_history"
] ++ cfg.userExtraFiles.${x} or [ ];
directories = cfg.userExtraDirs.${x} or [ ];
files = cfg.userExtraFiles.${x} or [ ];
directories = cfg.userExtraDirs.${x} or [ ];
};
file.".zshrc".text = lib.mkForce ''
HISTFILE=/data/users/${x}/.zsh_history
'';
};
};
});
in
builtins.listToAttrs (builtins.map mkUser cfg.users);
systemd.tmpfiles.rules = builtins.map
systemd.tmpfiles.rules = lib.lists.flatten (builtins.map
(user:
let details = config.users.users.${user}; in "L ${details.home}/local - ${user} ${details.group} - /data/users/${user}")
cfg.users;
let details = config.users.users.${user}; in [
"d /data/users/${user} 0700 ${user} ${details.group} - -"
"L ${details.home}/local - ${user} ${details.group} - /data/users/${user}"
])
cfg.users);
};
}

53
modules/locations.nix
View File

@ -11,28 +11,41 @@ in
};
locations = lib.mkOption {
default = {
services = {
downloads = "tywin.storage.ts.hillion.co.uk";
gitea = "jorah.cx.ts.hillion.co.uk";
mastodon = "vm.strangervm.ts.hillion.co.uk";
matrix = "jorah.cx.ts.hillion.co.uk";
unifi = "jorah.cx.ts.hillion.co.uk";
};
drone = {
server = "vm.strangervm.ts.hillion.co.uk";
};
};
readOnly = true;
};
};
config = lib.mkIf cfg.autoServe {
custom.services.downloads.enable = cfg.locations.services.downloads == config.networking.fqdn;
custom.services.gitea.enable = cfg.locations.services.gitea == config.networking.fqdn;
custom.services.mastodon.enable = cfg.locations.services.mastodon == config.networking.fqdn;
custom.services.matrix.enable = cfg.locations.services.matrix == config.networking.fqdn;
custom.services.unifi.enable = cfg.locations.services.unifi == config.networking.fqdn;
config = lib.mkMerge [
{
custom.locations.locations = {
services = {
authoritative_dns = [ "boron.cx.ts.hillion.co.uk" ];
downloads = "tywin.storage.ts.hillion.co.uk";
gitea = "boron.cx.ts.hillion.co.uk";
homeassistant = "microserver.home.ts.hillion.co.uk";
mastodon = "";
matrix = "boron.cx.ts.hillion.co.uk";
tang = [
"li.pop.ts.hillion.co.uk"
"microserver.home.ts.hillion.co.uk"
"sodium.pop.ts.hillion.co.uk"
];
unifi = "boron.cx.ts.hillion.co.uk";
version_tracker = [ "boron.cx.ts.hillion.co.uk" ];
};
};
}
custom.drone.server.enable = cfg.locations.drone.server == config.networking.fqdn;
};
(lib.mkIf cfg.autoServe
{
custom.services = lib.mapAttrsRecursive
(path: value: {
enable =
if builtins.isList value
then builtins.elem config.networking.fqdn value
else config.networking.fqdn == value;
})
cfg.locations.services;
})
];
}

7
modules/resilio.nix
View File

@ -1,12 +1,9 @@
{ pkgs, lib, config, nixpkgs-unstable, ... }:
{ pkgs, lib, config, ... }:
let
cfg = config.custom.resilio;
in
{
imports = [ "${nixpkgs-unstable}/nixos/modules/services/networking/resilio.nix" ];
disabledModules = [ "services/networking/resilio.nix" ];
options.custom.resilio = {
enable = lib.mkEnableOption "resilio";
@ -64,5 +61,7 @@ in
in
builtins.map (folder: mkFolder folder.name folder.secret) cfg.folders;
};
systemd.services.resilio.unitConfig.RequiresMountsFor = builtins.map (folder: "${config.services.resilio.directoryRoot}/${folder.name}") cfg.folders;
};
}

50
modules/services/authoritative_dns.nix Normal file
View File

@ -0,0 +1,50 @@
{ pkgs, lib, config, ... }:
let
cfg = config.custom.services.authoritative_dns;
in
{
options.custom.services.authoritative_dns = {
enable = lib.mkEnableOption "authoritative_dns";
};
config = lib.mkIf cfg.enable {
services.nsd = {
enable = true;
zones = {
"ts.hillion.co.uk" = {
data =
let
makeRecords = type: s: (lib.concatStringsSep "\n" (lib.collect builtins.isString (lib.mapAttrsRecursive (path: value: "${lib.concatStringsSep "." (lib.reverseList path)} 86400 ${type} ${value}") s)));
in
''
$ORIGIN ts.hillion.co.uk.
$TTL 86400
ts.hillion.co.uk. IN SOA ns1.hillion.co.uk. hostmaster.hillion.co.uk. (
1 ;Serial
7200 ;Refresh
3600 ;Retry
1209600 ;Expire
3600 ;Negative response caching TTL
)
86400 NS ns1.hillion.co.uk.
ca 21600 CNAME sodium.pop.ts.hillion.co.uk.
deluge.downloads 21600 CNAME tywin.storage.ts.hillion.co.uk.
graphs.router.home 21600 CNAME router.home.ts.hillion.co.uk.
prowlarr.downloads 21600 CNAME tywin.storage.ts.hillion.co.uk.
radarr.downloads 21600 CNAME tywin.storage.ts.hillion.co.uk.
restic.tywin.storage 21600 CNAME tywin.storage.ts.hillion.co.uk.
sonarr.downloads 21600 CNAME tywin.storage.ts.hillion.co.uk.
zigbee2mqtt.home 21600 CNAME router.home.ts.hillion.co.uk.
'' + (makeRecords "A" config.custom.dns.authoritative.ipv4.uk.co.hillion.ts) + "\n\n" + (makeRecords "AAAA" config.custom.dns.authoritative.ipv6.uk.co.hillion.ts);
};
};
};
};
}

16
modules/services/default.nix Normal file
View File

@ -0,0 +1,16 @@
{ config, lib, ... }:
{
imports = [
./authoritative_dns.nix
./downloads.nix
./gitea/default.nix
./homeassistant.nix
./mastodon/default.nix
./matrix.nix
./tang.nix
./unifi.nix
./version_tracker.nix
./zigbee2mqtt.nix
];
}

27
modules/services/downloads.nix
View File

@ -29,10 +29,16 @@ in
virtualHosts = builtins.listToAttrs (builtins.map
(x: {
name = "http://${x}.downloads.ts.hillion.co.uk";
name = "${x}.downloads.ts.hillion.co.uk";
value = {
listenAddresses = [ config.custom.tailscale.ipv4Addr config.custom.tailscale.ipv6Addr ];
extraConfig = "reverse_proxy unix//${cfg.metadataPath}/caddy/caddy.sock";
listenAddresses = [ config.custom.dns.tailscale.ipv4 config.custom.dns.tailscale.ipv6 ];
extraConfig = ''
reverse_proxy unix//${cfg.metadataPath}/caddy/caddy.sock
tls {
ca https://ca.ts.hillion.co.uk:8443/acme/acme/directory
}
'';
};
}) [ "prowlarr" "sonarr" "radarr" "deluge" ]);
};
@ -132,7 +138,10 @@ in
script = with pkgs; "${iproute2}/bin/ip link set up lo";
};
networking.hosts = { "127.0.0.1" = builtins.map (x: "${x}.downloads.ts.hillion.co.uk") [ "prowlarr" "sonarr" "radarr" "deluge" ]; };
networking = {
nameservers = [ "1.1.1.1" "8.8.8.8" ];
hosts = { "127.0.0.1" = builtins.map (x: "${x}.downloads.ts.hillion.co.uk") [ "prowlarr" "sonarr" "radarr" "deluge" ]; };
};
services = {
prowlarr.enable = true;
@ -149,6 +158,7 @@ in
deluge = {
enable = true;
web.enable = true;
group = "mediaaccess";
dataDir = "/var/lib/deluge";
authFile = "/run/agenix/deluge/auth";
@ -157,11 +167,18 @@ in
config = {
download_location = "/media/downloads";
max_connections_global = 1024;
max_upload_speed = 12500;
max_download_speed = 25000;
max_active_seeding = 192;
max_active_downloading = 64;
max_active_limit = 256;
dont_count_slow_torrents = true;
stop_seed_at_ratio = true;
stop_seed_ratio = 2;
share_ratio_limit = 2;
enabled_plugins = [ "Label" ];
};
};

105
modules/services/gitea/actions.nix Normal file
View File

@ -0,0 +1,105 @@
{ config, lib, pkgs, ... }:
let
cfg = config.custom.services.gitea.actions;
in
{
options.custom.services.gitea.actions = {
enable = lib.mkEnableOption "gitea-actions";
labels = lib.mkOption {
type = with lib.types; listOf str;
default = [
"ubuntu-latest:docker://node:16-bullseye"
"ubuntu-20.04:docker://node:16-bullseye"
];
};
tokenSecret = lib.mkOption {
type = lib.types.path;
};
};
config = lib.mkIf cfg.enable {
age.secrets."gitea/actions/token".file = cfg.tokenSecret;
# Run gitea-actions in a container and firewall it such that it can only
# access the Internet (not private networks).
containers."gitea-actions" = {
autoStart = true;
ephemeral = true;
privateNetwork = true; # all traffic goes through ve-gitea-actions on the host
hostAddress = "10.108.27.1";
localAddress = "10.108.27.2";
extraFlags = [
# Extra system calls required to nest Docker, taken from https://wiki.archlinux.org/title/systemd-nspawn
"--system-call-filter=add_key"
"--system-call-filter=keyctl"
"--system-call-filter=bpf"
];
bindMounts = let tokenPath = config.age.secrets."gitea/actions/token".path; in {
"${tokenPath}".hostPath = tokenPath;
};
timeoutStartSec = "5min";
config = (hostConfig: ({ config, pkgs, ... }: {
config = let cfg = hostConfig.custom.services.gitea.actions; in {
system.stateVersion = "23.11";
virtualisation.docker.enable = true;
services.gitea-actions-runner.instances.container = {
enable = true;
url = "https://gitea.hillion.co.uk";
tokenFile = hostConfig.age.secrets."gitea/actions/token".path;
name = "${hostConfig.networking.hostName}";
labels = cfg.labels;
settings = {
runner = {
capacity = 3;
};
cache = {
enabled = true;
host = "10.108.27.2";
port = 41919;
};
};
};
# Drop any packets to private networks
networking = {
firewall.enable = lib.mkForce false;
nftables = {
enable = true;
ruleset = ''
table inet filter {
chain output {
type filter hook output priority 100; policy accept;
ct state { established, related } counter accept
ip daddr 10.0.0.0/8 drop
ip daddr 100.64.0.0/10 drop
ip daddr 172.16.0.0/12 drop
ip daddr 192.168.0.0/16 drop
}
}
'';
};
};
};
})) config;
};
networking.nat = {
enable = true;
externalInterface = "eth0";
internalIPs = [ "10.108.27.2" ];
};
};
}

8
modules/services/gitea/default.nix Normal file
View File

@ -0,0 +1,8 @@
{ ... }:
{
imports = [
./actions.nix
./gitea.nix
];
}

33
modules/services/gitea.nix → modules/services/gitea/gitea.nix
View File

@ -1,4 +1,4 @@
{ config, pkgs, lib, nixpkgs-unstable, ... }:
{ config, pkgs, lib, ... }:
let
cfg = config.custom.services.gitea;
@ -20,39 +20,42 @@ in
config = lib.mkIf cfg.enable {
age.secrets = {
"gitea/mailer_password" = {
file = ../../secrets/gitea/mailer_password.age;
file = ../../../secrets/gitea/mailer_password.age;
owner = config.services.gitea.user;
group = config.services.gitea.group;
};
"gitea/oauth_jwt_secret" = {
file = ../../secrets/gitea/oauth_jwt_secret.age;
file = ../../../secrets/gitea/oauth_jwt_secret.age;
owner = config.services.gitea.user;
group = config.services.gitea.group;
path = "${config.services.gitea.customDir}/conf/oauth2_jwt_secret";
};
"gitea/lfs_jwt_secret" = {
file = ../../secrets/gitea/lfs_jwt_secret.age;
file = ../../../secrets/gitea/lfs_jwt_secret.age;
owner = config.services.gitea.user;
group = config.services.gitea.group;
path = "${config.services.gitea.customDir}/conf/lfs_jwt_secret";
};
"gitea/security_secret_key" = {
file = ../../secrets/gitea/security_secret_key.age;
file = ../../../secrets/gitea/security_secret_key.age;
owner = config.services.gitea.user;
group = config.services.gitea.group;
path = "${config.services.gitea.customDir}/conf/secret_key";
};
"gitea/security_internal_token" = {
file = ../../secrets/gitea/security_internal_token.age;
file = ../../../secrets/gitea/security_internal_token.age;
owner = config.services.gitea.user;
group = config.services.gitea.group;
path = "${config.services.gitea.customDir}/conf/internal_token";
};
};
users.users.gitea.uid = config.ids.uids.gitea;
users.groups.gitea.gid = config.ids.gids.gitea;
services.gitea = {
enable = true;
package = nixpkgs-unstable.legacyPackages.x86_64-linux.gitea;
package = pkgs.unstable.gitea;
mailerPasswordFile = config.age.secrets."gitea/mailer_password".path;
appName = "Hillion Gitea";
@ -79,7 +82,7 @@ in
mailer = {
ENABLED = true;
HOST = "smtp.mailgun.org:587";
SMTP_ADDR = "smtp.mailgun.org:587";
FROM = "gitea@mg.hillion.co.uk";
USER = "gitea@mg.hillion.co.uk";
};
@ -89,7 +92,7 @@ in
service = {
REGISTER_EMAIL_CONFIRM = true;
ENABLE_NOTIFY_MAIL = true;
EMAIL_DOMAIN_WHITELIST = "hillion.co.uk,cam.ac.uk,cl.cam.ac.uk";
EMAIL_DOMAIN_ALLOWLIST = "hillion.co.uk,cam.ac.uk,cl.cam.ac.uk";
};
session = {
PROVIDER = "file";
@ -97,18 +100,14 @@ in
};
};
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
"net.ipv6.conf.all.forwarding" = 1;
};
networking.firewall.extraCommands = ''
# proxy all traffic on public interface to the gitea SSH server
iptables -A PREROUTING -t nat -i enp5s0 -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
ip6tables -A PREROUTING -t nat -i enp5s0 -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
ip6tables -A PREROUTING -t nat -i eth0 -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
# proxy locally originating outgoing packets
iptables -A OUTPUT -d 95.217.229.104 -t nat -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
ip6tables -A OUTPUT -d 2a01:4f9:4b:3953::2 -t nat -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
iptables -A OUTPUT -d 138.201.252.214 -t nat -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
ip6tables -A OUTPUT -d 2a01:4f8:173:23d2::2 -t nat -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.sshPort}
'';
};
}

164
modules/services/homeassistant.nix Normal file
View File

@ -0,0 +1,164 @@
{ config, pkgs, lib, ... }:
let
cfg = config.custom.services.homeassistant;
in
{
options.custom.services.homeassistant = {
enable = lib.mkEnableOption "homeassistant";
backup = lib.mkOption {
default = true;
type = lib.types.bool;
};
};
config = lib.mkIf cfg.enable {
custom = {
backups.homeassistant.enable = cfg.backup;
};
age.secrets."homeassistant/secrets.yaml" = {
file = ../../secrets/homeassistant/secrets.yaml.age;
path = "${config.services.home-assistant.configDir}/secrets.yaml";
owner = "hass";
group = "hass";
};
services = {
postgresql = {
enable = true;
initialScript = pkgs.writeText "homeassistant-init.sql" ''
CREATE ROLE "hass" WITH LOGIN;
CREATE DATABASE "homeassistant" WITH OWNER "hass" ENCODING "utf8";
'';
};
home-assistant = {
enable = true;
extraPackages = python3Packages: with python3Packages; [
psycopg2 # postgresql support
];
extraComponents = [
"bluetooth"
"default_config"
"esphome"
"google_assistant"
"homekit"
"met"
"mobile_app"
"mqtt"
"otp"
"smartthings"
"sonos"
"sun"
"switchbot"
];
customComponents = with pkgs.home-assistant-custom-components; [
adaptive_lighting
];
config = {
default_config = { };
recorder = {
db_url = "postgresql://@/homeassistant";
};
http = {
use_x_forwarded_for = true;
trusted_proxies = with config.custom.dns.authoritative; [
ipv4.uk.co.hillion.ts.cx.boron
ipv6.uk.co.hillion.ts.cx.boron
];
};
google_assistant = {
project_id = "homeassistant-8de41";
service_account = {
client_email = "!secret google_assistant_service_account_client_email";
private_key = "!secret google_assistant_service_account_private_key";
};
report_state = true;
expose_by_default = true;
exposed_domains = [ "light" ];
entity_config = {
"input_boolean.sleep_mode" = { };
};
};
homekit = [{
filter = {
include_domains = [ "light" ];
};
}];
bluetooth = { };
adaptive_lighting = {
lights = [
"light.bedroom_lamp"
"light.bedroom_light"
"light.cubby_light"
"light.desk_lamp"
"light.hallway_light"
"light.living_room_lamp"
"light.living_room_light"
"light.wardrobe_light"
];
min_sunset_time = "21:00";
};
light = [
{
platform = "template";
lights = {
bathroom_light = {
unique_id = "87a4cbb5-e5a7-44fd-9f28-fec2d6a62538";
value_template = "{{ false if state_attr('script.bathroom_light_switch_if_on', 'last_triggered') > states.sensor.bathroom_motion_sensor_illuminance_lux.last_reported else states('sensor.bathroom_motion_sensor_illuminance_lux') | int > 500 }}";
turn_on = { service = "script.noop"; };
turn_off = { service = "script.bathroom_light_switch_if_on"; };
};
};
}
];
sensor = [
{
# Time/Date (for automations)
platform = "time_date";
display_options = [
"date"
"date_time_iso"
];
}
{
# Living Room Temperature
platform = "statistics";
name = "Living Room temperature (rolling average)";
entity_id = "sensor.living_room_environment_sensor_temperature";
state_characteristic = "average_linear";
unique_id = "e86198a8-88f4-4822-95cb-3ec7b2662395";
max_age = {
minutes = 5;
};
}
];
input_boolean = {
sleep_mode = {
name = "Set house to sleep mode";
icon = "mdi:sleep";
};
};
# UI managed expansions
automation = "!include automations.yaml";
script = "!include scripts.yaml";
scene = "!include scenes.yaml";
};
};
};
};
}

2
modules/services/mastodon/default.nix
View File

@ -32,6 +32,8 @@ in
};
};
users.users.caddy.extraGroups = [ "mastodon" ];
services = {
mastodon = {
enable = true;

17
modules/services/matrix.nix
View File

@ -41,6 +41,10 @@ in
owner = "matrix-synapse";
group = "matrix-synapse";
};
"matrix/matrix.hillion.co.uk/syncv3_secret" = {
file = ../../secrets/matrix/matrix.hillion.co.uk/syncv3_secret.age;
};
};
services = {
@ -76,8 +80,8 @@ in
x_forwarded = true;
bind_addresses = [
"::1"
config.custom.tailscale.ipv4Addr
config.custom.tailscale.ipv6Addr
config.custom.dns.tailscale.ipv4
config.custom.dns.tailscale.ipv6
];
resources = [
{
@ -114,6 +118,15 @@ in
};
};
matrix-sliding-sync = {
enable = true;
environmentFile = config.age.secrets."matrix/matrix.hillion.co.uk/syncv3_secret".path;
settings = {
SYNCV3_SERVER = "https://matrix.hillion.co.uk";
SYNCV3_BINDADDR = "[::]:8009";
};
};
heisenbridge = lib.mkIf cfg.heisenbridge {
enable = true;
owner = "@jake:hillion.co.uk";

20
modules/services/tang.nix Normal file
View File

@ -0,0 +1,20 @@
{ config, pkgs, lib, ... }:
let
cfg = config.custom.services.tang;
in
{
options.custom.services.tang = {
enable = lib.mkEnableOption "tang";
};
config = lib.mkIf cfg.enable {
services.tang = {
enable = true;
ipAddressAllow = [
"138.201.252.214/32"
"10.64.50.20/32"
];
};
};
}

32
modules/services/unifi.nix
View File

@ -10,20 +10,14 @@ in
dataDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/unifi";
readOnly = true; # NixOS module only supports this directory
};
};
config = lib.mkIf cfg.enable {
users.users.unifi = {
uid = config.ids.uids.unifi;
isSystemUser = true;
group = "unifi";
description = "UniFi controller daemon user";
home = "${cfg.dataDir}";
};
users.groups.unifi = {
gid = config.ids.gids.unifi;
};
# Fix dynamically allocated user and group ids
users.users.unifi.uid = config.ids.uids.unifi;
users.groups.unifi.gid = config.ids.gids.unifi;
services.caddy = {
enable = true;
@ -38,21 +32,9 @@ in
};
};
virtualisation.oci-containers.containers = {
"unifi" = {
image = "lscr.io/linuxserver/unifi-controller:8.0.24-ls221";
environment = {
PUID = toString config.ids.uids.unifi;
PGID = toString config.ids.gids.unifi;
TZ = "Etc/UTC";
};
volumes = [ "${cfg.dataDir}:/config" ];
ports = [
"8080:8080"
"8443:8443"
"3478:3478/udp"
];
};
services.unifi = {
enable = true;
unifiPackage = pkgs.unifi8;
};
};
}

2
modules/services/zigbee2mqtt.nix
View File

@ -23,7 +23,7 @@ in
enable = true;
virtualHosts."http://zigbee2mqtt.home.ts.hillion.co.uk" = {
listenAddresses = [ config.custom.tailscale.ipv4Addr config.custom.tailscale.ipv6Addr ];
listenAddresses = [ config.custom.dns.tailscale.ipv4 config.custom.dns.tailscale.ipv6 ];
extraConfig = "reverse_proxy http://127.0.0.1:15606";
};
};

15
modules/common/shell.nix → modules/shell/default.nix
View File

@ -1,7 +1,20 @@
{ pkgs, lib, config, ... }:
let
cfg = config.custom.shell;
in
{
config = {
imports = [
./update_scripts.nix
];
options.custom.shell = {
enable = lib.mkEnableOption "shell";
};
config = lib.mkIf cfg.enable {
custom.shell.update_scripts.enable = true;
users.defaultUserShell = pkgs.zsh;
environment.systemPackages = with pkgs; [ direnv ];

64
modules/shell/update_scripts.nix Normal file
View File

@ -0,0 +1,64 @@
{ config, pkgs, lib, ... }:
let
cfg = config.custom.shell.update_scripts;
update = pkgs.writeScriptBin "update" ''
#! ${pkgs.runtimeShell}
set -e
if [[ $EUID -ne 0 ]]; then
exec sudo ${pkgs.runtimeShell} "$0" "$@"
fi
if [ -n "$1" ]; then
BRANCH=$1
else
BRANCH=main
fi
cd /etc/nixos
if [ "$BRANCH" = "main" ]; then
${pkgs.git}/bin/git switch $BRANCH
${pkgs.git}/bin/git pull
else
${pkgs.git}/bin/git fetch
${pkgs.git}/bin/git switch --detach origin/$BRANCH
fi
if ! ${pkgs.nixos-rebuild}/bin/nixos-rebuild --flake "/etc/nixos#${config.networking.fqdn}" test; then
echo "WARNING: \`nixos-rebuild test' failed!"
fi
while true; do
read -p "Do you want to boot this configuration? " yn
case $yn in
[Yy]* ) break;;
[Nn]* ) exit;;
* ) echo "Please answer yes or no.";;
esac
done
${pkgs.nixos-rebuild}/bin/nixos-rebuild --flake "/etc/nixos#${config.networking.fqdn}" boot
while true; do
read -p "Would you like to reboot now? " yn
case $yn in
[Yy]* ) reboot;;
[Nn]* ) exit;;
* ) echo "Please answer yes or no.";;
esac
done
'';
in
{
options.custom.shell.update_scripts = {
enable = lib.mkEnableOption "update_scripts";
};
config = lib.mkIf cfg.enable {
environment.systemPackages = [
update
];
};
}

25
modules/spotify/default.nix
View File

@ -1,25 +0,0 @@
{ config, pkgs, lib, ... }:
{
config.age.secrets."spotify/11132032266" = {
file = ../../secrets/spotify/11132032266.age;
owner = "jake";
};
config.hardware.pulseaudio.enable = true;
config.users.users.jake.extraGroups = [ "audio" ];
config.users.users.jake.packages = with pkgs; [ spotify-tui ];
config.home-manager.users.jake.services.spotifyd = {
enable = true;
settings = {
global = {
username = "11132032266";
password_cmd = "cat ${config.age.secrets."spotify/11132032266".path}";
backend = "pulseaudio";
};
};
};
}

55
modules/ssh/default.nix Normal file
View File

@ -0,0 +1,55 @@
{ pkgs, lib, config, ... }:
let
cfg = config.custom.ssh;
in
{
options.custom.ssh = {
enable = lib.mkEnableOption "ssh";
};
config = lib.mkIf cfg.enable {
users.users =
if config.custom.user == "jake" then {
"jake".openssh.authorizedKeys.keys = [
"sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBBwJH4udKNvi9TjOBgkxpBBy7hzWqmP0lT5zE9neusCpQLIiDhr6KXYMPXWXdZDc18wH1OLi2+639dXOvp8V/wgAAAAEc3NoOg== jake@beryllium-keys"
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOt74U+rL+BMtAEjfu/Optg1D7Ly7U+TupRxd5u9kfN7oJnW4dJA25WRSr4dgQNq7MiMveoduBY/ky2s0c9gvIA= jake@jake-gentoo"
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC0uKIvvvkzrOcS7AcamsQRFId+bqPwUC9IiUIsiH5oWX1ReiITOuEo+TL9YMII5RyyfJFeu2ZP9moNuZYlE7Bs= jake@jake-mbp"
"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAyFsYYjLZ/wyw8XUbcmkk6OKt2IqLOnWpRE5gEvm3X0V4IeTOL9F4IL79h7FTsPvi2t9zGBL1hxeTMZHSGfrdWaMJkQp94gA1W30MKXvJ47nEVt0HUIOufGqgTTaAn4BHxlFUBUuS7UxaA4igFpFVoPJed7ZMhMqxg+RWUmBAkcgTWDMgzUx44TiNpzkYlG8cYuqcIzpV2dhGn79qsfUzBMpGJgkxjkGdDEHRk66JXgD/EtVasZvqp5/KLNnOpisKjR88UJKJ6/buV7FLVra4/0hA9JtH9e1ecCfxMPbOeluaxlieEuSXV2oJMbQoPP87+/QriNdi/6QuCHkMDEhyGw== jake@jake-mbp"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw4lgH20nfuchDqvVf0YciqN0GnBw5hfh8KIun5z0P7wlNgVYnCyvPvdIlGf2Nt1z5EGfsMzMLhKDOZkcTMlhupd+j2Er/ZB764uVBGe1n3CoPeasmbIlnamZ12EusYDvQGm2hVJTGQPPp9nKaRxr6ljvTMTNl0KWlWvKP4kec74d28MGgULOPLT3HlAyvUymSULK4lSxFK0l97IVXLa8YwuL5TNFGHUmjoSsi/Q7/CKaqvNh+ib1BYHzHYsuEzaaApnCnfjDBNexHm/AfbI7s+g3XZDcZOORZn6r44dOBNFfwvppsWj3CszwJQYIFeJFuMRtzlC8+kyYxci0+FXHn jake@jake-gentoo"
];
} else { };
programs.mosh.enable = true;
services.openssh = {
enable = true;
openFirewall = true;
settings = {
PermitRootLogin = "no";
PasswordAuthentication = false;
};
};
programs.ssh.knownHosts = {
# Global Internet hosts
"ssh.gitea.hillion.co.uk".publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCxQpywsy+WGeaEkEL67xOBL1NIE++pcojxro5xAPO6VQe2N79388NRFMLlX6HtnebkIpVrvnqdLOs0BPMAokjaWCC4Ay7T/3ko1kXSOlqHY5Ye9jtjRK+wPHMZgzf74a3jlvxjrXJMA70rPQ3X+8UGpA04eB3JyyLTLuVvc6znMe53QiZ0x+hSz+4pYshnCO2UazJ148vV3htN6wRK+uqjNdjjQXkNJ7llNBSrvmfrLidlf0LRphEk43maSQCBcLEZgf4pxXBA7rFuZABZTz1twbnxP2ziyBaSOs7rcII+jVhF2cqJlElutBfIgRNJ3DjNiTcdhNaZzkwJ59huR0LUFQlHI+SALvPzE9ZXWVOX/SqQG+oIB8VebR52icii0aJH7jatkogwNk0121xmhpvvR7gwbJ9YjYRTpKs4lew3bq/W/OM8GF/FEuCsCuNIXRXKqIjJVAtIpuuhxPymFHeqJH3wK3f6jTJfcAz/z33Rwpow2VOdDyqrRfAW8ti73CCnRlN+VJi0V/zvYGs9CHldY3YvMr7rSd0+fdGyJHSTSRBF0vcyRVA/SqSfcIo/5o0ssYoBnQCg6gOkc3nNQ0C0/qh1ww17rw4hqBRxFJ2t3aBUMK+UHPxrELLVmG6ZUmfg9uVkOoafjRsoML6DVDB4JAk5JsmcZhybOarI9PJfEQ==";
# Tailscale hosts
"boron.cx.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDtcJ7HY/vjtheMV8EN2wlTw1hU53CJebGIeRJcSkzt5";
"be.lt.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILV3OSUT+cqFqrFHZGfn7/xi5FW3n1qjUFy8zBbYs2Sm";
"dancefloor.dancefloor.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXkGueVYKr2wp/VHo2QLis0kmKtc/Upg3pGoHr6RkzY";
"gendry.jakehillion.terminals.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPXM5aDvNv4MTITXAvJWSS2yvr/mbxJE31tgwJtcl38c";
"homeassistant.homeassistant.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM2ytacl/zYXhgvosvhudsl0zW5eQRHXm9aMqG9adux";
"li.pop.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQWgcDFL9UZBDKHPiEGepT1Qsc4gz3Pee0/XVHJ6V6u";
"microserver.home.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPOCPqXm5a+vGB6PsJFvjKNgjLhM5MxrwCy6iHGRjXw";
"router.home.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlCj/i2xprN6h0Ik2tthOJQy6Qwq3Ony73+yfbHYTFu";
"sodium.pop.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQmG7v/XrinPmkTU2eIoISuU3+hoV4h60Bmbwd+xDjr";
"theon.storage.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN59psLVu3/sQORA4x3p8H3ei8MCQlcwX5T+k3kBeBMf";
"tywin.storage.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGATsjWO0qZNFp2BhfgDuWi+e/ScMkFxp79N2OZoed1k";
};
programs.ssh.knownHostsFiles = [ ./github_known_hosts ];
};
}

0
modules/common/github_known_hosts → modules/ssh/github_known_hosts
View File

65
modules/tailscale.nix
View File

@ -1,65 +0,0 @@
{ pkgs, lib, config, ... }:
let
cfg = config.custom.tailscale;
in
{
options.custom.tailscale = {
enable = lib.mkEnableOption "tailscale";
preAuthKeyFile = lib.mkOption {
type = lib.types.str;
};
advertiseRoutes = lib.mkOption {
type = with lib.types; listOf str;
default = [ ];
};
advertiseExitNode = lib.mkOption {
type = lib.types.bool;
default = false;
};
ipv4Addr = lib.mkOption { type = lib.types.str; };
ipv6Addr = lib.mkOption { type = lib.types.str; };
};
config = lib.mkIf cfg.enable {
environment.systemPackages = [ pkgs.tailscale ];
services.tailscale.enable = true;
networking.firewall.checkReversePath = lib.mkIf cfg.advertiseExitNode "loose";
systemd.services.tailscale-autoconnect = {
description = "Automatic connection to Tailscale";
# make sure tailscale is running before trying to connect to tailscale
after = [ "network-pre.target" "tailscale.service" ];
wants = [ "network-pre.target" "tailscale.service" ];
wantedBy = [ "multi-user.target" ];
# set this service as a oneshot job
serviceConfig.Type = "oneshot";
# have the job run this shell script
script = with pkgs; ''
# wait for tailscaled to settle
sleep 2
# check if we are already authenticated to tailscale
status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
if [ $status = "Running" ]; then # if so, then do nothing
exit 0
fi
# otherwise authenticate with tailscale
${tailscale}/bin/tailscale up \
--authkey "$(<${cfg.preAuthKeyFile})" \
--advertise-routes "${lib.concatStringsSep "," cfg.advertiseRoutes}" \
--advertise-exit-node=${if cfg.advertiseExitNode then "true" else "false"}
'';
};
};
}

19
modules/www/certs/blog.hillion.co.uk.pem Normal file
View File

@ -0,0 +1,19 @@
-----BEGIN CERTIFICATE-----
MIIDGTCCAsCgAwIBAgIUMOkPfgLpbA08ovrPt+deXQPpA9kwCgYIKoZIzj0EAwIw
gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYDVQQL
Ey9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0
eTAeFw0yNDA0MTMyMTQ0MDBaFw0zOTA0MTAyMTQ0MDBaMGIxGTAXBgNVBAoTEENs
b3VkRmxhcmUsIEluYy4xHTAbBgNVBAsTFENsb3VkRmxhcmUgT3JpZ2luIENBMSYw
JAYDVQQDEx1DbG91ZEZsYXJlIE9yaWdpbiBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49
AgEGCCqGSM49AwEHA0IABNweW8IgrXj7Q64RxyK8s9XpbxJ8TbYVv7NALbWUahlT
QPlGX/5XoM3Z5AtISBi1irLEy5o6mx7ebNK4NmwzNlCjggEkMIIBIDAOBgNVHQ8B
Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB
/wQCMAAwHQYDVR0OBBYEFMy3oz9l3bwpjgtx6IqL9IH90PXcMB8GA1UdIwQYMBaA
FIUwXTsqcNTt1ZJnB/3rObQaDjinMEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcw
AYYoaHR0cDovL29jc3AuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYTAdBgNV
HREEFjAUghJibG9nLmhpbGxpb24uY28udWswPAYDVR0fBDUwMzAxoC+gLYYraHR0
cDovL2NybC5jbG91ZGZsYXJlLmNvbS9vcmlnaW5fZWNjX2NhLmNybDAKBggqhkjO
PQQDAgNHADBEAiAgVRgo5V09uyMbz1Mevmxe6d2K5xvZuBElVYja/Rf99AIgZkm1
wHEq9wqVYP0oWTiEYQZ6dzKoSwxviOEZI+ttQRA=
-----END CERTIFICATE-----

19
modules/www/certs/gitea.hillion.co.uk.pem Normal file
View File

@ -0,0 +1,19 @@
-----BEGIN CERTIFICATE-----
MIIDHDCCAsGgAwIBAgIUMHdmb+Ef9YvVmCtliDhg1gDGt8cwCgYIKoZIzj0EAwIw
gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYDVQQL
Ey9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0
eTAeFw0yNDA0MTMyMTQ1MDBaFw0zOTA0MTAyMTQ1MDBaMGIxGTAXBgNVBAoTEENs
b3VkRmxhcmUsIEluYy4xHTAbBgNVBAsTFENsb3VkRmxhcmUgT3JpZ2luIENBMSYw
JAYDVQQDEx1DbG91ZEZsYXJlIE9yaWdpbiBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49
AgEGCCqGSM49AwEHA0IABGn2vImTE+gpWx/0ELXue7cL0eGb+I2c9VbUYcy3TBJi
G7S+wl79MBM5+5G0wKhTpBgVpXu1/NHunfM97LGZb5ejggElMIIBITAOBgNVHQ8B
Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB
/wQCMAAwHQYDVR0OBBYEFI6dxFPItIKnNN7/xczMOtlTytuvMB8GA1UdIwQYMBaA
FIUwXTsqcNTt1ZJnB/3rObQaDjinMEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcw
AYYoaHR0cDovL29jc3AuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYTAeBgNV
HREEFzAVghNnaXRlYS5oaWxsaW9uLmNvLnVrMDwGA1UdHwQ1MDMwMaAvoC2GK2h0
dHA6Ly9jcmwuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYS5jcmwwCgYIKoZI
zj0EAwIDSQAwRgIhAKfRSEKCGNY5x4zUNzOy6vfxgDYPfkP6iW5Ha4gNmE+QAiEA
nTsGKr2EoqEdPtnB+wVrYMblWF7/or3JpRYGs6zD2FU=
-----END CERTIFICATE-----

19
modules/www/certs/hillion.co.uk.pem Normal file
View File

@ -0,0 +1,19 @@
-----BEGIN CERTIFICATE-----
MIIDFDCCArugAwIBAgIUedwIJx096VH/KGDgpAKK/Q8jGWUwCgYIKoZIzj0EAwIw
gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYDVQQL
Ey9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0
eTAeFw0yNDA0MTMyMTIzMDBaFw0zOTA0MTAyMTIzMDBaMGIxGTAXBgNVBAoTEENs
b3VkRmxhcmUsIEluYy4xHTAbBgNVBAsTFENsb3VkRmxhcmUgT3JpZ2luIENBMSYw
JAYDVQQDEx1DbG91ZEZsYXJlIE9yaWdpbiBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49
AgEGCCqGSM49AwEHA0IABIdc0hnQQP7tLADaCGXxZ+1BGbZ8aow/TtHl+aXDbN3t
2vVV2iLmsMbiPcJZ5e9Q2M27L8fZ0uPJP19dDvvN97SjggEfMIIBGzAOBgNVHQ8B
Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB
/wQCMAAwHQYDVR0OBBYEFJilRKL8wXskL/LmgH8BnIvLIpkEMB8GA1UdIwQYMBaA
FIUwXTsqcNTt1ZJnB/3rObQaDjinMEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcw
AYYoaHR0cDovL29jc3AuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYTAYBgNV
HREEETAPgg1oaWxsaW9uLmNvLnVrMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9j
cmwuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYS5jcmwwCgYIKoZIzj0EAwID
RwAwRAIgbexSqkt3pzCpnpqYXwC5Gmt+nG5OEqETQ6690kpIS74CIFQI3zXlx8zk
GB0BlaZdrraAQP7AuI8CcMd5vbQdnldY
-----END CERTIFICATE-----

19
modules/www/certs/homeassistant.hillion.co.uk.pem Normal file
View File

@ -0,0 +1,19 @@
-----BEGIN CERTIFICATE-----
MIIDJDCCAsmgAwIBAgIUaSXrL4UHFHxDvvnW1720aZkkBCkwCgYIKoZIzj0EAwIw
gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYDVQQL
Ey9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0
eTAeFw0yNDA0MTMyMTUzMDBaFw0zOTA0MTAyMTUzMDBaMGIxGTAXBgNVBAoTEENs
b3VkRmxhcmUsIEluYy4xHTAbBgNVBAsTFENsb3VkRmxhcmUgT3JpZ2luIENBMSYw
JAYDVQQDEx1DbG91ZEZsYXJlIE9yaWdpbiBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49
AgEGCCqGSM49AwEHA0IABOz/ljJJjKawHtILlD09YMwmAdhzxTfPPi61qw7R670T
Oe4/KA4zClCKfzqnVEZ4YonfgK8U6VqhLPI4crxUQk+jggEtMIIBKTAOBgNVHQ8B
Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB
/wQCMAAwHQYDVR0OBBYEFO7S2TbvL1kel0QH+sYfjD6v2L7oMB8GA1UdIwQYMBaA
FIUwXTsqcNTt1ZJnB/3rObQaDjinMEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcw
AYYoaHR0cDovL29jc3AuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYTAmBgNV
HREEHzAdghtob21lYXNzaXN0YW50LmhpbGxpb24uY28udWswPAYDVR0fBDUwMzAx
oC+gLYYraHR0cDovL2NybC5jbG91ZGZsYXJlLmNvbS9vcmlnaW5fZWNjX2NhLmNy
bDAKBggqhkjOPQQDAgNJADBGAiEAgaiFVCBLVYKjTJV67qKOg1R1GBVszNF+9PCi
ZejJcjwCIQDtl9S3zCl/h8/7uYfk8dHg0Y6kwd5GVuu6HE67GWJ2Yg==
-----END CERTIFICATE-----

19
modules/www/certs/links.hillion.co.uk.pem Normal file
View File

@ -0,0 +1,19 @@
-----BEGIN CERTIFICATE-----
MIIDGzCCAsGgAwIBAgIUFUDTvq6L7SR3qKxaNh77g3XkJk8wCgYIKoZIzj0EAwIw
gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYDVQQL
Ey9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0
eTAeFw0yNDA0MTMyMTQ2MDBaFw0zOTA0MTAyMTQ2MDBaMGIxGTAXBgNVBAoTEENs
b3VkRmxhcmUsIEluYy4xHTAbBgNVBAsTFENsb3VkRmxhcmUgT3JpZ2luIENBMSYw
JAYDVQQDEx1DbG91ZEZsYXJlIE9yaWdpbiBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49
AgEGCCqGSM49AwEHA0IABGpSYrOqMuzCfE6qdpXqFze8RxWDcDSUFRYmotnp4cyK
i6ISovoK7YDKarrHRIvIrsNBaqk+0hjZpOhN/XpU16SjggElMIIBITAOBgNVHQ8B
Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB
/wQCMAAwHQYDVR0OBBYEFLoqUdEVGspJs/SGcV7pf2bCzqTrMB8GA1UdIwQYMBaA
FIUwXTsqcNTt1ZJnB/3rObQaDjinMEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcw
AYYoaHR0cDovL29jc3AuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYTAeBgNV
HREEFzAVghNsaW5rcy5oaWxsaW9uLmNvLnVrMDwGA1UdHwQ1MDMwMaAvoC2GK2h0
dHA6Ly9jcmwuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYS5jcmwwCgYIKoZI
zj0EAwIDSAAwRQIhANh3Ds0ZSZp3rEZ46z4sBp+WNQejnDhTCXt2OIRiCrecAiAB
oe21Oz1Pmqv0htFxNf1YbkgJMCoGfENlViuR0cUAJg==
-----END CERTIFICATE-----

46
modules/www/global.nix
View File

@ -10,21 +10,47 @@ in
};
config = lib.mkIf cfg.enable {
custom.www.www-repo.enable = true;
age.secrets =
let
mkSecret = domain: {
name = "caddy/${domain}.pem";
value = {
file = ../../secrets/certs/${domain}.pem.age;
owner = config.services.caddy.user;
group = config.services.caddy.group;
};
};
in
builtins.listToAttrs (builtins.map mkSecret [
"hillion.co.uk"
"blog.hillion.co.uk"
"gitea.hillion.co.uk"
"homeassistant.hillion.co.uk"
"links.hillion.co.uk"
]);
users.users.caddy.extraGroups = [ "mastodon" ];
custom.www.www-repo.enable = true;
services.caddy = {
enable = true;
package = pkgs.unstable.caddy;
globalConfig = ''
email acme@hillion.co.uk
'';
virtualHosts = {
"hillion.co.uk".extraConfig = ''
tls ${./certs/hillion.co.uk.pem} ${config.age.secrets."caddy/hillion.co.uk.pem".path}
handle /.well-known/* {
header /.well-known/matrix/* Content-Type application/json
header /.well-known/matrix/* Access-Control-Allow-Origin *
respond /.well-known/matrix/server "{\"m.server\": \"matrix.hillion.co.uk:443\"}" 200
respond /.well-known/matrix/client `{"m.homeserver":{"base_url":"https://matrix.hillion.co.uk"}}`
respond /.well-known/matrix/client `${builtins.toJSON {
"m.homeserver" = { "base_url" = "https://matrix.hillion.co.uk"; };
"org.matrix.msc3575.proxy" = { "url" = "https://matrix.hillion.co.uk"; };
}}` 200
respond 404
}
@ -34,24 +60,26 @@ in
}
'';
"blog.hillion.co.uk".extraConfig = ''
tls ${./certs/blog.hillion.co.uk.pem} ${config.age.secrets."caddy/blog.hillion.co.uk.pem".path}
root * /var/www/blog.hillion.co.uk
file_server
'';
"homeassistant.hillion.co.uk".extraConfig = ''
reverse_proxy http://homeassistant.homeassistant.ts.hillion.co.uk:8123
'';
"emby.hillion.co.uk".extraConfig = ''
reverse_proxy http://plex.mediaserver.ts.hillion.co.uk:8096
tls ${./certs/homeassistant.hillion.co.uk.pem} ${config.age.secrets."caddy/homeassistant.hillion.co.uk.pem".path}
reverse_proxy http://${locations.services.homeassistant}:8123
'';
"gitea.hillion.co.uk".extraConfig = ''
tls ${./certs/gitea.hillion.co.uk.pem} ${config.age.secrets."caddy/gitea.hillion.co.uk.pem".path}
reverse_proxy http://${locations.services.gitea}:3000
'';
"matrix.hillion.co.uk".extraConfig = ''
reverse_proxy /_matrix/client/unstable/org.matrix.msc3575/sync http://${locations.services.matrix}:8009
reverse_proxy /_matrix/* http://${locations.services.matrix}:8008
reverse_proxy /_synapse/client/* http://${locations.services.matrix}:8008
'';
"drone.hillion.co.uk".extraConfig = ''
reverse_proxy http://${locations.drone.server}:18733
"links.hillion.co.uk".extraConfig = ''
tls ${./certs/links.hillion.co.uk.pem} ${config.age.secrets."caddy/links.hillion.co.uk.pem".path}
redir https://matrix.to/#/@jake:hillion.co.uk
'';
};
};

24
renovate.json Normal file
View File

@ -0,0 +1,24 @@
{
"nix": {
"enabled": true
},
"lockFileMaintenance": {
"enabled": true,
"schedule": ["* 2-5 * * *"]
},
"rebaseWhen": "behind-base-branch",
"packageRules": [
{
"matchManagers": ["github-actions"],
"automerge": true,
"schedule": [
"after 11pm on Monday",
"after 11pm on Thursday"
]
}
],
"extends": [
"config:recommended",
"helpers:pinGitHubActionDigests"
]
}

5
scripts/update_nixpkgs.sh Executable file
View File

@ -0,0 +1,5 @@
#!/bin/sh
set -xe
VERSION=`curl https://gitea.hillion.co.uk/JakeHillion/nixos/raw/branch/main/flake.lock | nix run nixpkgs#jq -- -r '.nodes."nixpkgs-unstable".locked.rev'`
nix registry add nixpkgs "github:NixOS/nixpkgs/${VERSION}"

BIN
secrets/certs/blog.hillion.co.uk.pem.age Normal file
View File

Binary file not shown.

BIN
secrets/certs/gitea.hillion.co.uk.pem.age Normal file
View File

Binary file not shown.

BIN
secrets/certs/hillion.co.uk.pem.age Normal file
View File

Binary file not shown.

BIN
secrets/certs/homeassistant.hillion.co.uk.pem.age Normal file
View File

Binary file not shown.

20
secrets/certs/links.hillion.co.uk.pem.age Normal file
View File

@ -0,0 +1,20 @@
age-encryption.org/v1
-> ssh-rsa GxPFJQ
AaDBHnrzzyVgSLJfjuzNYVqOfGVoNYvtwOZ/8JWdzTiKjFjvFThTwRxXm04x4zV2
yDGl2YQn/SdA//tPt2aTt/HEr2vvfvTupf+p8dO81JsdQ2QNEwJq6GFPYvzwpUMt
2aY99IWgfZMnNdm1dD40UPRXthRy4neY64fLmrpNH9hM/Tj/O9L9aHo/Z8rROien
k/qN0uVWDlrxoCooZNmzuWe8VNE9PtEj07YBjUKY9frVpP38iL9hWZ435x59bRru
HTz/I1NEeKyCzUKDz562cmmPl1ihJkelSOLIS/SUL4CfbePt6lGeGgJ1UB1lLBlo
nOE79ekfh92wbYJWrogvFg
-> ssh-rsa K9mW1w
W34jfSpkxpJKesV7ZDl92bQRMtWWB7ht93n7+APJNL18VvLHmqDztkPQovd9FuKY
YLEt5qevncV/O2/f6QW87I0ySFT2tpFPflXOITk1INYH8Z/NPfGfHBgUpnl+vM4w
xVujFTnFXaFYBpoyOOl5VBLvFTlYvzXL/e2lYyZT/HGb2V43OHQe3dsMWhPKzKLL
2eg21XK/LzLFkYdpMwmt5bpVVgXB9kaB9fpmV9ZDtEYDO18/uQQI7Wdn+6XAzB+3
iJwIQaqL7YjaOwiF8u6NYOd4Qo7WNEd1WnO9/qIGMp9E4x5V3vToS9fePynE2PtH
Chcu3y8jT+Qpby+6joyLwQ
-> ssh-ed25519 iWiFbA fxhC7p0ywGIGmpio8x7yFktdB/JnKiiXJF3kvP2X2wk
Q2HJ78QRc3nZyyWgB/MjhcEHiKoXou/4421SvoTj9fM
--- OYElVzl6Gk/4ma/OgiU1Xtvg5+9Rtq/CIieG85QDOBI
Ì$y³6ãyE÷ì=qÉH®y IûŸ?R @ìG†³H<C2B3>ÓJf\JîaÛ¤i¨§2¿ÆÕe³º¯<C2BA>6 b%ÑBÜ|.ôgZE¬ßƒ˜ô3ürÄxŽœëë~\Ü\íW‡ïluӚàr$ <0C>ÕýÛá'ý¥ÿšaŽÄÙ1Çý—<C3BD>Tæm˜ºp<šIp5hw.Æ' ¼GÉÀ7*õ[â\7È*5ôò¤èÐÂãßÓŽör%u06Ó¦û"Ù´G“Àßœvzä6¤
Åךe%½¶û QékqôeDoM¹ŸØ(q&r@¶­Ï™?Fn ê_—€<18>\˜°ßÞ"<22>úDÍw½À|úOD]ïê@ö@Ê»Y<C2BB>Ó

BIN
secrets/drone/gitea_client_secret.age
View File

Binary file not shown.

22
secrets/drone/rpc_secret.age
View File

@ -1,22 +0,0 @@
age-encryption.org/v1
-> ssh-rsa GxPFJQ
B1tLU+ypxVOlO9jSZUvUwb69QrNk/rqJoYjdNSOJxSWk7+iX0jli0TrU8AePnfSn
NjemcJJCoaSf5q7RQJK9Gfvq6BE1z4EoablA3Sx9un/qqUJuIy3SiQhR5+y5bPD0
+8FzLznorSQR5tc1mQo82S1lv0ec8hqw2q13Kqm/09NIiZNKSLoHkp031q3VZbjC
XL2naNUqX4lNADqDxESbY5au3CsnBJGN2gX0syj0d1iRx0At2HJSR7gANCEYpWKI
nBF+5mlX7lbpb61CoDUiQSW4JiXCULz1kiR7WWJQBrlFryn4CJ2PAUJTKUfzKO8t
sgi02DX7frP4jMOt/Z5VMA
-> ssh-rsa K9mW1w
sPxe/ErVYvJmogtrhHikq7lz2c5jSYxb/mhDHdSAIQIV3b7zWOreEbLOxDnzr/K7
pSHTLTIWXxiCEWxunrhUccGHiBEoP40MkcYJnxyuG49Fu42I9K8Gsq4GI05zF9Kl
HKwVOwD7gF3QMgkDCxFuqCsmQLB11Evwc7NnbR0+Z3Y9o4FfP4SCXc87Ye+C9zn8
9dRxjpRo1Qz9WtW2VG+qdaWldwo0BLtQILDQoR08GW8D1CZvsqXuHsoGLCMoPcgk
H2TEwawh1V/bY/j0Y509sVQWn3FF27taqeEQYZOQOwUWNf10cAsDTDUjdYyc9fjJ
Hx62FPHP9wmGsViNhn4gbg
-> ssh-ed25519 O0LMHg 9CZI1FtkDLXaIdP9Qlx8O0hUfbdzfrJdK67ifPVDjQM
Zqd5xtiaDBi7IFnab2bZQVzzEX0YQDrPYfvur9N6JT8
-> I-grease V-d-})j
mxJ1WhR/NqdMpIbCaM2jxxmffNAy/t9vByK+c9FNIzb3t87VUcALJxuSmswdNVqs
1iL6
--- ZJ3HoKn0QVAGVsB57bTaCEU19BuLas9SLRjczmomG1g
ëxæÀ(¤G$_¤ßWbw -]³<55>q~ˆˆö`“ê¹ÄŽÌ-pQ,ID‰À@ÛïÞvf£FäøHÙ0Ù-ù:ð·ÄOñèÆA

19
secrets/gitea/actions/boron.age Normal file
View File

@ -0,0 +1,19 @@
age-encryption.org/v1
-> ssh-rsa GxPFJQ
O6XXkSIScAPiHbBj6VDHrAzbZjossHPW2AQJtQKkrUmERLABYIZuYFJHk9yH2q2W
uBdO/jKN8slQ/7fzKMRu/1EKNRscc1ufgrCCDWdZicdNPSy7948dx+mVK0ass/US
jnPgn75erR+KLsi8/yNJc12mx6onvVFE0mxFihZobiEdt7FcjSFCV9k2pPtN+1TK
5bKpjyodla+KwSXMGDH7jttvMFXtX5NKda4nYNOM1fHwQ5XCdLti67txcn2y85LV
fuo9Pzu++o6aFOalfufKyflOh8Vk3RrBwCDK81e+YLMVjSGv4ZsiTp5O+sI8dBwR
BqftVb523V4L3FhksG/e7Q
-> ssh-rsa K9mW1w
xUjF7ctBetl6as6/N1dVa+Zkg8EOfOILOMzCNUQVGStJ0cEeC3vi54xwoTxnZqX8
n2f6wsgcZP203MBX5YJTw8w80WN8WPNYM8IZxdrcSNNuOrPJQbJZkikYGOg8z9/g
7zaSotrxcHrHYR2DM/qsQJRYNQgZn7AKviEPwDNSkiGHzolIHRuAi+e2M891/DzA
k4X5VsYGusM3Lo9ABZvNzX0MEnLxtStl3TwW4i4MgWts4rjcjBAp5ybZPrQLgMf6
M//FNwBXv2adLSC8oUiTWYKB5l5sTmjNawp1FED3T9WvesKWNY0Tm4KrqJA+Ul2Z
8aoxg/TCjuuypTIaEPm2aQ
-> ssh-ed25519 iWiFbA Zl3LbVd8MHnlj1t4LuAcH13UVwHSJb/wSacM5BkTKHY
vwJ4d2obJPXkgOn44+beKbiKR+qnKvFgkOvotwPDJK8
--- 2q02v2RlVgBjT3qCe2nAXft976YYbr80qtjw3N9i8Vs
Ł×?ŢëČ׍[ĺÔ=GľMI (ět¸?ÄÄo⼍/s˝ź¨P}ř™Ńvr,_ţ3×ĂňîÂjŮDJ/;‰ĺdŤut˘;ä‰@+˛

BIN
secrets/gitea/lfs_jwt_secret.age
View File

Binary file not shown.

32
secrets/gitea/mailer_password.age
View File

@ -1,19 +1,19 @@
age-encryption.org/v1
-> ssh-rsa GxPFJQ
gDF6kKcuWAKwIhdnB7zav8ZXdHEuq+4yYVc0ZOmpXpiRReo8yVgAcDcMIt5Wkfjk
9quZWwFal2YZ9YH7HhG4vXVxzgL0s7oQfnzjsBwVO9lE/hly5gL9TqGY4fjuVv6Q
kBbp+JaogGv6RsHVajNWNto1qKNJWB8JyewnIdZOVRHee21u/a3qRMHuyRhIeiWR
QLMXxJxdvdgaCUjXMyOgMifsdklK/12kuRb6cTp9Zg+LzMUVloROSbhzofLUtjST
GnJR8qKDIDAG6XIzi4+/VZCcHRA/NEAs965GQrK/qyvyTcFW6BUwuoHMq3Ia/9jM
K+hgOULnfi+jIDw5U0HJKQ
EpPN7UHHRuytMr2vXy9CHzjVkH1iCt9LiTLhFsqXbL03Rk+X82q233Lm12f0sQvz
Hqjukkh9bU90TLKcEOFpKrU5FQwKUjzEy85A+4UoovWdJ8VwACOzoJf29Ys1bX3i
Xp4gUT7ne5+4afNwKXVFDS1YCPjIoQPu2cGw6iTNIYwVY5fNxz5y5ZHLkI9lOqJD
mT7jCgLLdkK8vJiDcu4Ofr21GaziQh93YXK69i3gyAt6pqSRyQdAfhMGkykOWdrO
FXMtpzT82UCvfbFbbRCRuSFga0uq5zx2cwvBD4Xagw8Dfg9RQO0rX9NAbbgcoyfG
qnk+0bYAk3pWfdXW9Z/psQ
-> ssh-rsa K9mW1w
TJKNczUv82J3W4sXH76qPmijKcOjvpLvZC7rKf85zBr2fdgOtXzXULQbFhW3l6gs
V50Lkw3gwSBC6ckWWKqfJkSxqWgAQumy5/5yZc9zqnNDJPXCaBEOkz3IL43Eu13V
4AihecOthSqFkfr1VsrllDckANsTse1Md/p8XDHOpNr/wyUHKRuFKnBmTG7nV2Ja
3sqOmI9RzIArUHY868ecGqPrZXWR72vqZJ3twtivq6aQI9mTw+98VPZeAUZVSMVf
5T7Z0XGfA3O5x8KDAtHcqUMA87vZ/NwsAHxsy7F64u4yaihIvG+8EQDmkGEP/7eG
lPijgnL0SUte+Df3/wXt7Q
-> ssh-ed25519 Qo6/7A 7U/6Bj8AWyHKrCZ38LOyUSr/d4HOUXPqT0FoID0ON1A
3jqYYywJlhN/i7QuXBWb0kajeZcZyBnNXpUWCMf9Kzc
--- pPjt0YCs2Wah1kyAp2qLbL9Q2z/K16jv4DJXAO7x2NU
-õ?ùÌQ5©`Y_ËÐŒ§þ£5†È,u¶.:…ÅÊ»AžoT c¿”p°ûNÝá·F[äX ¿‹°f<E28099>³ê•¡ÄG¿
NaR245c+88dGflT9cG73bQOBxQsVi5x8JkMTrqjabzwzHpRiBUdtP+Ou1w+klOI4
cv1RLngEZH9jsSiEdvpvRkzE2ILOR/abgABXZi/4vl7iXiC8T23QSOPXnMxrAgpH
RV9B3GcSClb70+Lf3pJtPBVHVENhFVFvj5JgxQ2Zi6eMpcMuL18r/Szn4erk8zXQ
330oEau80X6WoPtRaSqSxVRrMGecGHdIE9chLosCf1x8CgIcYBTtviky+fDQMkKZ
iwueW1luuBj1AuP33jUqjeyyMaJ6SqSmaxGqGHGXA/ayxF8HnHU9AJlhPH+tEEbs
84Xu2vwg9ikUz7B1tTBYeA
-> ssh-ed25519 iWiFbA CuUeGNUBc5K+AkXBRvp7SUTJNoMDW0bWRnYs3ZhFSGM
UwwyxNA2L9q6yYK+BqYcqOq6F5CF+iCUpuceWsEj7ck
--- 3XKIweSg0UFqbadbOP0APwaLyquaEdoanlvndvxcQkk
ßüu _śnTx#H-7<>‰yó—Îç<>¨—B„ô»uµŐÉîj<C3AE>ZHĐ'&÷_đś#ľĽ3ŕHÍ˝0f  šBęą×Ö™ýčÂLĽîz

BIN
secrets/gitea/oauth_jwt_secret.age
View File

Binary file not shown.

BIN
secrets/gitea/security_internal_token.age
View File

Binary file not shown.

BIN
secrets/gitea/security_secret_key.age
View File

Binary file not shown.

BIN
secrets/homeassistant/secrets.yaml.age Normal file
View File

Binary file not shown.

34
secrets/mastodon/social.hillion.co.uk/mastodon_at_social.hillion.co.uk.age
View File

@ -1,22 +1,18 @@
age-encryption.org/v1
-> ssh-rsa GxPFJQ
fR5abxPrwpYFhEty3T8Zx7u3K5HzIRujjj5aZP84+7gZlEE+Fjj7+F1cWk2QeM38
x1YHA5psEsuWAqtAQ/v9Rp/JHFH+HcO6imEIaFv2Lg1tv8IswT995ynejr0E1wN/
QKzVXhyqXbTHB6EsGKrzxHAK4GcqXwPFV4JWSYQ+Q2JSDkX4j7yM6kT7k7OI32ZO
RmhezWUp5FfZp37NJAJdBQNTqp/nvYLc3X9Wq4kFrvWZNRrh1Yix7vIv0iaqvoHY
JWLb9NLQA9RfSKnAVIlbbhNZzMBdCH2zPjNFPdRFHilqcGzxL5NZcEnPcvgwdLU3
wrxCU0ZlDDVM6PPR4wnf6A
kYf/CWnC4WoFnELMnW4b3k1df6r1sZn7JeLPqIvQ7haKwA0SUrbMGiyWui9ewn6s
VSZb7T7zCPFAgs546wiq9O3JzeQPtWdTFCA5F/U48ftbZsAL1YjINqm3ySUbg0O0
eh8wZnO4ludFG0bi0/7B6eDmDpfqn/TKLjDJkWiintYg1PMLMR0iDaF8D5oy0zCi
Yiz+sAWyYBVvUSD9PEdCPFu/q8ySj9upBxaObf/Z5pDC94I2Ex7NZm8lGoXyMmnk
vrhVuHc8eRcqqN+ID48JakdPopA/X7IvFIIJVh40yw4Qldzr7H+b7M98Wg0/UEiC
mZldTPzpKznZntXXx6O89Q
-> ssh-rsa K9mW1w
YMUoAeS+odaUTqNrPpUdno5+X2FEtYKJXoELKAV73FzEZPRGqx6QOW66T7I1T6Ta
bI8DN0APAhw5iQLzyfQAqCTk+e9OpVMKhOz9aoOvTUMWQvzFnLPplUBrfqErKf0N
ynivabBZDu4bYlveUxvDootS0BEGqMX521+GfHXXrnF1kswmQU9iBjaXOJ6ee5kA
uuRXYjdvMCRdxt4IfPsmds5sxmQmb3TtqDTglYF/bGSJRvCuTFE2RJReqR0J7fI8
7X/v1BXqZ4/USFcaAvDTejynzw7XbVd0QxF8pvyovnC8QAcNEOSW03ZTWa72SAyH
sIN+E5WM8vByNDMM9SbtyQ
-> ssh-ed25519 O0LMHg DyROBi4kg7STbIT2AQebM2l+PIxRVGHzIzeJNFCckwU
tdNtu0iX9DbBcGO++S3FNpPi0bhs8VblZZ1vG+JAtpQ
-> pp5-grease h K,g1$` -W-'z=\ PFC!
b5JA7LoHsCfpp/rgBBETM+EOZSEqILdpmkWU2kmJdBvpFG+4oCUFD+el2azOiZpf
VSgZiCfct2WDZuEEdZyWAcmRd+z7
--- Wngnxun5npVjMmr9+LpV28g8T8nzIcDW8vm124DsbLU
ÍęuëE€9Ş´Ă]ůÚč˙xdcpy NüV´x×ôDl N¨j/Íò”Uś­ćč°)J|˝kseaŹě éGˇB¬twZKÇĂÚ]d<>VŤŮ
M89fPs6WcToz9Jr2YXrRGM26lHU/8Xk72OExtArEsqKpHcRw27EeOQpcXkQ1baro
0MFQTKRsMc2PV0S85BPlUIBrvIiTTHNr/eusKTpAlDwnwllGk26xdaqPO3SYXzMX
/zo65i6837vQZr1aRPg1LFzRMWfrj7tLGQPuuE9F68Q/BYaCBbEo8t1vVVVNibjt
1rGuaMnjJd7scHkJ+wEJURQQuwrIY4oH8obmrzjQrFbBiWPH/lIUH1OUv5SDbYul
/Oq0QEHws/o68EQxOKWrPWRu9P1A3xYu3I19YYZgrKr1G9c0+ZEtZsvfeqCE9w79
OOz3GtRRHRCLBDDzv8nfrA
--- e0EGzCgM5FbTE91OLwUaICK+yruDi8EAIBMGxFJXWLE
ªœ£®AòÂÙî{3·…óÚûí€ñ=Õ89ð9<C3B0>es<65>Gïj
!”Áü;ætr0¼î&Øgd;ü‚¢&Ã¥Í1£^§ 'ø6û<36>Wh^qœ

BIN
secrets/mastodon/social.hillion.co.uk/otp_secret_file.age
View File

Binary file not shown.

BIN
secrets/mastodon/social.hillion.co.uk/secret_key_base.age
View File

Binary file not shown.

34
secrets/mastodon/social.hillion.co.uk/vapid_private_key.age
View File

@ -1,23 +1,17 @@
age-encryption.org/v1
-> ssh-rsa GxPFJQ
mdMhxMiuWstsWZ4wSiWcloDrP1sJrKOQFy1IwAEXjrXmWx+N9W2p93+gz9W3mTir
ooLWTdj2g9tywRpFlLfZr8MDsZEpCxSLb2TG6/xOHuu7qfdsK2V/q+AdgmNZQemv
KdIQoszcltG7tv1MyUgcCgusGqJIudLhJ8Sk5w0yPmKW6K/o0cRqX2IAxLWOts2m
wlpieG2r35+OHTyaMC6HKDhZBM5Te9b9nQNwq8kj4n98Il3gEGkWYRK6eGiPoQNq
ywQv4cmLVmPvuGRhRymzGOieMk2EeT8ZEs970t7SRgq58BFWI79hFZ1Mihr0pXyL
wJgnEvaUey1rBj6Nlbdvcw
qK0dnP76DaixuZJ0EM3Bvt1yg3ZrL5WtvymOeEajKo/hg831+d9DtsK/VyaVyAY5
NlUAKe86AXWSviuntRdQyOjWYD/nUyr7EQRmKBUSrY704ekLHis3R4xvU3sXZmQw
/FT0/3irWZlEj3NAAEvLaCAfpEeyhNQVIp3nC9E+1mxeRr4nhYYv6O5dhJNyPZKH
RdzzY3eqrRa8UDy8g85dCqP5xO+CqlZGitAjQ/ah2VGbaB9AAPNOfDQWNQplQ9Om
rKw+VJCCNFSm9yVstBzG0U7yn/mjgtuJBKJw8hJ+iI5VC1s7aXo86F9gdGjkuG32
drcJOvmsLdoD6bxquutinw
-> ssh-rsa K9mW1w
s29WasIMWE/iVZ2ESd3HpcMsZeC8K/99X/aopLCtK+c+ykXzbdXyHjCvtfvpvMF+
GVgWLpPpTa/miLZX2ih7GDXBOI06cvs0Zy1eFvVBUsgID87hpHqfGbpFKvQrMPEc
wvcINtOBVa4B9IQ5HNMrBtKQuJ2kOdyerosm93S7crOG2ioAt+FLCIjYYLRCteFN
QIbD8vgcocpezAmY06WnepNM1Yi8yeHGi2m3HfPTNxKb6zxMGQ4RcW4a+CYiu0KO
rtXFDcQyw82BHzgM+mbW1bZ94EwlVeJJRzrukfFi5zZxzr+Zisv8kK9aQZYvTaMS
5ddMYrdpxJeGJAtO6ir3yw
-> ssh-ed25519 O0LMHg yHLnNQMahSSgXtWmyAurXI7+bvlJhg4edg/G+AzGAkk
PDbS4LjOhHY6GIfQAojtDYpUJV3xS4nAAnvhfhMui3I
-> TQ~'V\-grease vuL/7@ .YbM/Fv$
sJRsjd41yeR2gJRv567GFh9a6G55o7Jd00QYxPPp
--- dClpo30O0AgOaIbkTeyPuuLgV5xCVwj9TpOMJ8fGUJo
Œ˜:çÓUYÎ,7™D{µCÏÓö
1 TÂCQɶ*f=„gCkú«<C3BA>]'šúeûWfìšÄ«~”†£E¸
ÊãÍ:å²ÑA 
w8MReKkS8DfPlcc1h8UwN03lV5Aikoy3VN35EDPT5JM132r5cuvUba/AC8B0wBww
dP3xvrQ2juBaKtvdPajXcNxfJGGNB0mtaBufLTGXfy+VBAlt10ZKzWA/1dcftzXP
OfGJEgswkDLPUnjNtD4NoCQecwfSc9u4kEW0heg7C7j54M6EEypdgnOge3qEiy9a
0CGkh1+aF0YiX0KdOi3LThUkYdl6ygbdnkv8HV09c6eNBaCXaOzaqcDl/dnd2pBZ
jEanDudeKjIW4yEFl2VKdCfYRMf8clxEZU+8BSg0nzQYMDGC7f2bbyX1aNodSMvo
096OSmWjdto3D6hXwCW4LQ
--- TqulkienQkKJrxEEb7qvLtntfHm7XLmUvgupz1bfteM
‰7¬¯Ú·²öÂË:uMíÒ<C3AD>áÑg˜øÙ?<0F>b0<62> í“âYºÐ¡ó˜A¨Øƒ#GþK‡”IþêÎ<C3AA>Gðdó¥ª=ë3a´õóÝÒ.

Some files were not shown because too many files have changed in this diff Show More