xun/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

some things (tiny commit ik)

Browse source
This commit is contained in:
xunuwu 2024-10-21 21:56:47 +02:00
parent 6b76450816
commit 2c282d8bf7
Signed by: xun
SSH key fingerprint: SHA256:Uot/1WoAjWAeqLOHA5vYy4phhVydsH7jCPmBjaPZfgI
38 changed files with 771 additions and 102 deletions
Download patch file Download diff file Expand all files Collapse all files

1
.gitattributes vendored Normal file
View file

@ -0,0 +1 @@
hosts/nixdesk/smbcreds filter=git-agecrypt diff=git-agecrypt

3
Justfile
View file

@ -10,6 +10,9 @@ local OPERATION *FLAGS:
buildiso *FLAGS:
nix build .#nixosConfigurations.liveiso.config.system.build.isoImage {{FLAGS}}
updatekeys:
fd . secrets -E '*.nix' -t f -x sops updatekeys
remote OPERATION HOST HOSTNAME *FLAGS:
nixos-rebuild \

269
flake.lock generated
View file

@ -87,11 +87,11 @@
]
},
"locked": {
"lastModified": 1726153070,
"narHash": "sha256-HO4zgY0ekfwO5bX0QH/3kJ/h4KvUDFZg8YpkNwIbg1U=",
"lastModified": 1727826117,
"narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "bcef6817a8b2aa20a5a6dbb19b43e63c5bf8619a",
"rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1",
"type": "github"
},
"original": {
@ -144,6 +144,27 @@
"type": "indirect"
}
},
"flake-parts_4": {
"inputs": {
"nixpkgs-lib": [
"vpn-confinement",
"nixpkgs"
]
},
"locked": {
"lastModified": 1717285511,
"narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
@ -166,6 +187,24 @@
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_3": {
"inputs": {
"systems": "systems_3"
},
"locked": {
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
@ -180,9 +219,9 @@
"type": "github"
}
},
"flake-utils_3": {
"flake-utils_4": {
"inputs": {
"systems": "systems_3"
"systems": "systems_4"
},
"locked": {
"lastModified": 1710146030,
@ -252,11 +291,11 @@
},
"hardware": {
"locked": {
"lastModified": 1727040444,
"narHash": "sha256-19FNN5QT9Z11ZUMfftRplyNN+2PgcHKb3oq8KMW/hDA=",
"lastModified": 1728729581,
"narHash": "sha256-oazkQ/z7r43YkDLLQdMg8oIB3CwWNb+2ZrYOxtLEWTQ=",
"owner": "nixos",
"repo": "nixos-hardware",
"rev": "d0cb432a9d28218df11cbd77d984a2a46caeb5ac",
"rev": "a8dd1b21995964b115b1e3ec639dd6ce24ab9806",
"type": "github"
},
"original": {
@ -295,11 +334,11 @@
]
},
"locked": {
"lastModified": 1727246346,
"narHash": "sha256-TcUaKtya339Asu+g6KTJ8h7KiKcKXKp2V+At+7tksyY=",
"lastModified": 1728791962,
"narHash": "sha256-nr5QiXwQcZmf6/auC1UpX8iAtINMtdi2mH+OkqJQVmU=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "1e22ef1518fb175d762006f9cae7f6312b8caedb",
"rev": "64c6325b28ebd708653dd41d88f306023f296184",
"type": "github"
},
"original": {
@ -308,6 +347,28 @@
"type": "github"
}
},
"microvm": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
],
"spectrum": "spectrum"
},
"locked": {
"lastModified": 1728779945,
"narHash": "sha256-RFKyZygnUbJlWq1uBn4JvEEcQKZW3AFBL3bQoywECPI=",
"owner": "astro",
"repo": "microvm.nix",
"rev": "4d81c4115ef832880561f243efec21f06d2a8b7c",
"type": "github"
},
"original": {
"owner": "astro",
"repo": "microvm.nix",
"type": "github"
}
},
"neovim-nightly-overlay": {
"inputs": {
"flake-compat": "flake-compat_4",
@ -357,11 +418,11 @@
]
},
"locked": {
"lastModified": 1726975622,
"narHash": "sha256-bPDZosnom0+02ywmMZAvmj7zvsQ6mVv/5kmvSgbTkaY=",
"lastModified": 1728790083,
"narHash": "sha256-grMdAd4KSU6uPqsfLzA1B/3pb9GtGI9o8qb0qFzEU/Y=",
"owner": "Mic92",
"repo": "nix-index-database",
"rev": "c7515c2fdaf2e1f3f49856cef6cec95bb2138417",
"rev": "5c54c33aa04df5dd4b0984b7eb861d1981009b22",
"type": "github"
},
"original": {
@ -373,17 +434,17 @@
"nix-vscode-extensions": {
"inputs": {
"flake-compat": "flake-compat",
"flake-utils": "flake-utils",
"flake-utils": "flake-utils_2",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1727228778,
"narHash": "sha256-vg1b7yLH8TgKsUi5KlctSx4GuET7MAoWUR7nqAGnU/Y=",
"lastModified": 1728179514,
"narHash": "sha256-mOGZFPYm9SuEXnYiXhgs/JmLu7RofRaMpAYyJiWudkc=",
"owner": "nix-community",
"repo": "nix-vscode-extensions",
"rev": "fb86a415579cd38eb7b47c3ada597841b97e2ea9",
"rev": "018196c371073d669510fd69dd2f6dc0ec608c41",
"type": "github"
},
"original": {
@ -395,15 +456,17 @@
"nixos-wsl": {
"inputs": {
"flake-compat": "flake-compat_2",
"flake-utils": "flake-utils_2",
"nixpkgs": "nixpkgs"
"flake-utils": "flake-utils_3",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1727091786,
"narHash": "sha256-n36Vtdtx7tTTKFI9aoWxdNIlJ2dwxoitFDwcPXrS+Jk=",
"lastModified": 1728860000,
"narHash": "sha256-Ql5wSa6mnCT+1NfJYPk0gP6MQrTaP5u2raR8J6YQXxI=",
"owner": "nix-community",
"repo": "NixOS-WSL",
"rev": "1fcec53c692c15091ca5bb9eaf86a2cac6c53278",
"rev": "b8ebac4acc72aa17e0fb8d893d0050d68843154a",
"type": "github"
},
"original": {
@ -415,27 +478,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1726838390,
"narHash": "sha256-NmcVhGElxDbmEWzgXsyAjlRhUus/nEqPC5So7BOJLUM=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "944b2aea7f0a2d7c79f72468106bc5510cbf5101",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1726937504,
"narHash": "sha256-bvGoiQBvponpZh8ClUcmJ6QnsNKw0EMrCQJARK3bI1c=",
"lastModified": 1728492678,
"narHash": "sha256-9UTxR8eukdg+XZeHgxW5hQA9fIKHsKCdOIUycTryeVw=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "9357f4f23713673f310988025d9dc261c20e70c6",
"rev": "5633bcff0c6162b9e4b5f1264264611e950c8ec7",
"type": "github"
},
"original": {
@ -445,13 +492,29 @@
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1728538411,
"narHash": "sha256-f0SBJz1eZ2yOuKUr5CA9BHULGXVSn6miBuUWdTyhUhU=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "b69de56fac8c2b6f8fd27f2eca01dcda8e0a4221",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nur": {
"locked": {
"lastModified": 1727286550,
"narHash": "sha256-Kmks1TmhrDV3qJFOQWssqhlCnKOsLO6kXKb0hCDyOPk=",
"lastModified": 1728871971,
"narHash": "sha256-9DA3YgtiAC7ADY0Qsjnz95R8jebLJQcdg37dZIgEtdI=",
"owner": "nix-community",
"repo": "NUR",
"rev": "8a471cae1970a8e47ec21151af01b8e316fb38c2",
"rev": "97bf2fe3008121ebd4a71ffc01ddd6bb8a6345c2",
"type": "github"
},
"original": {
@ -463,7 +526,7 @@
"nvfetcher": {
"inputs": {
"flake-compat": "flake-compat_3",
"flake-utils": "flake-utils_3",
"flake-utils": "flake-utils_4",
"nixpkgs": [
"nixpkgs"
]
@ -487,14 +550,18 @@
"flake-parts": "flake-parts",
"hardware": "hardware",
"home-manager": "home-manager",
"microvm": "microvm",
"nix-index-database": "nix-index-database",
"nix-vscode-extensions": "nix-vscode-extensions",
"nixos-wsl": "nixos-wsl",
"nixpkgs": "nixpkgs_2",
"nixpkgs": "nixpkgs",
"nur": "nur",
"nvfetcher": "nvfetcher",
"small-nvim": "small-nvim",
"sops-nix": "sops-nix"
"sobercookie": "sobercookie",
"sops-nix": "sops-nix",
"umu": "umu",
"vpn-confinement": "vpn-confinement"
}
},
"small-nvim": {
@ -506,11 +573,11 @@
"utils": "utils"
},
"locked": {
"lastModified": 1725435730,
"narHash": "sha256-gPja4IoV48x8weXXxA1SJmK+iNbEhw4bSoqmff46xZ0=",
"lastModified": 1729288975,
"narHash": "sha256-3knRNR2DPlgyM5fvs0rzaX8mznceoVYh+WbIgP5fbmc=",
"owner": "xunuwu",
"repo": "small-nvim",
"rev": "88be2b8e644545c1f270d3890e887675b54e819e",
"rev": "062d9c3125ea18d03e87f2dc8403ede52ddb70ce",
"type": "github"
},
"original": {
@ -519,6 +586,24 @@
"type": "github"
}
},
"sobercookie": {
"inputs": {
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1728934593,
"narHash": "sha256-qOnpRkaeRLLph/fdUwOAJ/6sVPPOxMSeWdz24fHmESw=",
"owner": "xunuwu",
"repo": "sobercookie",
"rev": "ead73318a6897989e5a1f957112254c595bb9e8c",
"type": "github"
},
"original": {
"owner": "xunuwu",
"repo": "sobercookie",
"type": "github"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
@ -529,11 +614,11 @@
]
},
"locked": {
"lastModified": 1726524647,
"narHash": "sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4=",
"lastModified": 1728345710,
"narHash": "sha256-lpunY1+bf90ts+sA2/FgxVNIegPDKCpEoWwOPu4ITTQ=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "e2d404a7ea599a013189aa42947f66cede0645c8",
"rev": "06535d0e3d0201e6a8080dd32dbfde339b94f01b",
"type": "github"
},
"original": {
@ -542,6 +627,22 @@
"type": "github"
}
},
"spectrum": {
"flake": false,
"locked": {
"lastModified": 1720264467,
"narHash": "sha256-xzM92n3Q9L90faJIJrkrTtTx+JqCGRHMkHWztkV4PuY=",
"ref": "refs/heads/main",
"rev": "fb59d42542049f586c84b0f8bb86ff3be338e9d3",
"revCount": 674,
"type": "git",
"url": "https://spectrum-os.org/git/spectrum"
},
"original": {
"type": "git",
"url": "https://spectrum-os.org/git/spectrum"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
@ -602,9 +703,46 @@
"type": "github"
}
},
"systems_5": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"umu": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"dir": "packaging/nix",
"lastModified": 1729102213,
"narHash": "sha256-KLi7sZmf+D8d6JYVmJs2WVNLhJgtjvJPPdm2ekbrpDI=",
"owner": "Open-Wine-Components",
"repo": "umu-launcher",
"rev": "a6b84b1aed6582ab2a500e5d109548b5ce64b97c",
"type": "github"
},
"original": {
"dir": "packaging/nix",
"owner": "Open-Wine-Components",
"repo": "umu-launcher",
"type": "github"
}
},
"utils": {
"inputs": {
"systems": "systems_4"
"systems": "systems_5"
},
"locked": {
"lastModified": 1710146030,
@ -619,6 +757,27 @@
"repo": "flake-utils",
"type": "github"
}
},
"vpn-confinement": {
"inputs": {
"flake-parts": "flake-parts_4",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1728856097,
"narHash": "sha256-GcheritdNs1AHFWksLWZOe48J0NXUibiZVSewqWfo44=",
"owner": "Maroka-chan",
"repo": "VPN-Confinement",
"rev": "eb39d4c45db70818d58239454fd7747aab5e1871",
"type": "github"
},
"original": {
"owner": "Maroka-chan",
"repo": "VPN-Confinement",
"type": "github"
}
}
},
"root": "root",

12
flake.nix
View file

@ -23,6 +23,7 @@
home-manager
sops
colmena
git-agecrypt
inputs.nvfetcher.packages.${pkgs.system}.default
];
name = "dots";
@ -43,12 +44,20 @@
hardware.url = "github:nixos/nixos-hardware";
home-manager.url = "github:nix-community/home-manager";
small-nvim.url = "github:xunuwu/small-nvim";
# small-nvim.url = "/home/xun/dots/small-nvim";
nur.url = "github:nix-community/NUR";
sops-nix.url = "github:Mic92/sops-nix";
nix-index-database.url = "github:Mic92/nix-index-database";
nix-vscode-extensions.url = "github:nix-community/nix-vscode-extensions";
nixos-wsl.url = "github:nix-community/NixOS-WSL/main";
nvfetcher.url = "github:berberman/nvfetcher";
microvm.url = "github:astro/microvm.nix";
vpn-confinement.url = "github:Maroka-chan/VPN-Confinement";
sobercookie.url = "github:xunuwu/sobercookie";
umu = {
url = "github:Open-Wine-Components/umu-launcher/?dir=packaging\/nix&submodules=1";
inputs.nixpkgs.follows = "nixpkgs";
};
## deduplication
flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
@ -60,6 +69,9 @@
};
nix-index-database.inputs.nixpkgs.follows = "nixpkgs";
nix-vscode-extensions.inputs.nixpkgs.follows = "nixpkgs";
nixos-wsl.inputs.nixpkgs.follows = "nixpkgs";
nvfetcher.inputs.nixpkgs.follows = "nixpkgs";
microvm.inputs.nixpkgs.follows = "nixpkgs";
vpn-confinement.inputs.nixpkgs.follows = "nixpkgs";
};
}

2
git-agecrypt.toml Normal file
View file

@ -0,0 +1,2 @@
[config]
"hosts/nixdesk/smbcreds" = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKqW5ZkBV2XCdF/ZhwC1DOfrgiLxCC2ym6BO7miHi05M xun@nixdesk"]

2
home-modules/xun/develop/default.nix
View file

@ -62,7 +62,7 @@ in {
};
})
(lib.mkIf cfg.lang.c.enable {
home.packages = with pkgs; [clang-tools];
home.packages = with pkgs; [clang-tools buckle];
})
(lib.mkIf cfg.lang.csharp.enable {
home.packages = with pkgs; [

7
home-modules/xun/gaming/default.nix
View file

@ -2,6 +2,7 @@
pkgs,
config,
lib,
inputs,
self,
...
}: let
@ -10,8 +11,12 @@ in {
options.xun.gaming = {
krunker.enable = lib.mkEnableOption "krunker";
roblox.sobercookie.enable = lib.mkEnableOption "sobercookie";
umu.enable = lib.mkEnableOption "umu-launcher";
};
config = lib.mkMerge [
(lib.mkIf cfg.umu.enable {
home.packages = [inputs.umu.packages.${pkgs.system}.umu];
})
(lib.mkIf cfg.krunker.enable {
home.packages = [
self.packages.${pkgs.system}.krunker
@ -19,7 +24,7 @@ in {
})
(lib.mkIf cfg.roblox.sobercookie.enable {
home.packages = [
self.packages.${pkgs.system}.sobercookie
inputs.sobercookie.packages.${pkgs.system}.default
];
})
];

3
home/profiles/nixdesk/default.nix
View file

@ -13,6 +13,7 @@
# ../../terminal
../../terminal/programs/zellij.nix
../../terminal/programs/zoxide.nix
# ../../terminal/programs/irssi.nix
../../terminal/programs/lazygit.nix
../../terminal/programs/beets.nix
@ -73,7 +74,6 @@
name = "dayfox";
package = "EdenEast/nightfox.nvim";
};
wakatime = enabled;
};
desktop = {
xdg = enabled;
@ -97,6 +97,7 @@
};
gaming = {
krunker = enabled;
umu = enabled;
roblox.sobercookie = enabled;
};
school.geogebra = enabled;

16
home/programs/browsers/firefox/default.nix
View file

@ -39,14 +39,14 @@
istilldontcareaboutcookies
sidebery
(lib.mkIf (builtins.elem pkgs.keepassxc config.home.packages) keepassxc-browser)
(buildFirefoxXpiAddon rec {
pname = "roseal";
version = "1.3.44";
addonId = "{f4f4223a-ff30-4961-b9c0-6a71b7a32aaf}";
url = "https://addons.mozilla.org/firefox/downloads/file/4323142/roseal-${version}.xpi";
sha256 = "sha256-Qvd/EUMsSqYCvwUuxjM/ejnn7/TRuhyD82/Azu0dAfE=";
meta = {};
})
#(buildFirefoxXpiAddon rec {
# pname = "roseal";
# version = "1.3.44";
# addonId = "{f4f4223a-ff30-4961-b9c0-6a71b7a32aaf}";
# url = "https://addons.mozilla.org/firefox/downloads/file/4323142/roseal-${version}.xpi";
# sha256 = "sha256-Qvd/EUMsSqYCvwUuxjM/ejnn7/TRuhyD82/Azu0dAfE=";
# meta = {};
#})
];
userChrome = builtins.readFile ./userChrome.css;
# extraConfig = let

2
home/programs/browsers/firefox/search-engines.nix
View file

@ -95,7 +95,7 @@
"Google".metaData.alias = "@go";
"DuckDuckGo".metaData.alias = "@ddg";
"Wikipedia".metaData.alias = "@wiki";
"Bing".metaData.hidden = true;
"Bing".metaData.alias = "@bi";
};
};
}

1
home/programs/browsers/firefox/userChrome.css
View file

@ -5,7 +5,6 @@
/* Hide tab bar */
#TabsToolbar {
/* display: none; */
visibility: collapse;
}

2
home/programs/desktop/sway/default.nix
View file

@ -102,6 +102,8 @@
"${mod}+Ctrl+Shift+${dir.up}" = "move output up";
"${mod}+Ctrl+Shift+${dir.down}" = "move output down";
"${mod}+t" = "sticky toggle";
"${mod}+Shift+Backspace" = "exec systemctl suspend";
"${mod}+Shift+s" = "exec ${lib.getExe pkgs.sway-contrib.grimshot} copy anything";
"${mod}+Ctrl+Shift+s" = "exec ${lib.getExe pkgs.sway-contrib.grimshot} savecopy anything";

2
home/programs/misc/discord.nix
View file

@ -5,5 +5,5 @@
withOpenASAR = true;
})
];
services.arrpc.enable = true; # RPC with vesktop
# services.arrpc.enable = true; # RPC with vesktop (disabled since it uses way more cpu than is reasonable for such a program)
}

1
home/programs/misc/obs.nix
View file

@ -2,6 +2,7 @@
programs.obs-studio = {
enable = true;
plugins = with pkgs.obs-studio-plugins; [
obs-vaapi
wlrobs
obs-vkcapture
];

6
home/terminal/programs/git.nix
View file

@ -1,4 +1,8 @@
{config, ...}: {
{
config,
pkgs,
...
}: {
programs.git = {
enable = true;
delta.enable = true;

3
home/terminal/programs/zoxide.nix Normal file
View file

@ -0,0 +1,3 @@
{
programs.zoxide.enable = true;
}

2
hosts/default.nix
View file

@ -138,7 +138,7 @@ in {
#"services/pipewire.nix"
"services/syncthing.nix"
#"services/containers/server"
"services/containers/experimental"
# "services/containers/experimental" # TODO maybe reenable this?? or just abandon it and move fully to systemd network namespace
])
#{

4
hosts/hopper/brawlstats.nix
View file

@ -5,7 +5,7 @@
...
}: {
networking.firewall.allowedTCPPorts = [
4444
# 4444
];
systemd.services."static-web-server".after = ["brawlstats.timer"];
@ -45,6 +45,8 @@
''}
}
rm /tmp/brawlstatslog
case ''${parameters:1} in
total*)
id=$(echo $parameters | ${lib.getExe pkgs.gawk} '{print $2}')

4
hosts/hopper/default.nix
View file

@ -2,8 +2,12 @@
imports = with inputs.hardware.nixosModules; [
common-cpu-intel
inputs.vpn-confinement.nixosModules.default
./hardware.nix
./brawlstats.nix
./lab.nix
./hardening.nix
];
networking.hostName = "hopper";

5
hosts/hopper/hardening.nix Normal file
View file

@ -0,0 +1,5 @@
{
fileSystems."/".options = ["noexec"];
fileSystems."/home".options = ["noexec"];
fileSystems."/boot".options = ["noexec"];
}

4
hosts/hopper/hardware.nix
View file

@ -11,7 +11,7 @@
boot = {
blacklistedKernelModules = [
"xhci_pci" # was causing issues (100% udevd cpu usage)
# "xhci_pci" # was causing issues (100% udevd cpu usage)
];
initrd = {
availableKernelModules = [
@ -23,7 +23,7 @@
];
kernelModules = [];
};
kernelModules = ["kvm-intel"];
kernelModules = ["kvm-intel" "wireguard"];
extraModulePackages = [];
loader = {
systemd-boot = {

305
hosts/hopper/lab.nix Normal file
View file

@ -0,0 +1,305 @@
## TODO look into sops-nix placeholders
## reference: https://github.com/javigomezo/nixos/blob/b3ebe8d570ea9b37aea8bb3a343f6e16e054e322/services/network/authelia/user_database.nix
{
pkgs,
inputs,
config,
lib,
...
}: let
domain = "xunuwu.xyz";
caddyPort = 8336;
autheliaPort = 24637;
in {
## TODO use impermanence
## TODO setup fail2ban mayb
imports = [inputs.vpn-confinement.nixosModules.default];
security.acme = {
acceptTerms = true;
certs.${domain} = {
domain = "*.${domain}";
dnsProvider = "cloudflare";
email = "xunuwu@gmail.com";
reloadServices = ["caddy.service"];
credentialFiles.CF_DNS_API_TOKEN_FILE = config.sops.secrets.cloudflare.path;
extraDomainNames = [domain];
};
};
vpnNamespaces."wg" = {
enable = true;
wireguardConfigFile = config.sops.secrets.wireguard-config.path;
accessibleFrom = [
"192.168.0.0/24"
];
# Forwarded to my vpn, for making things accessible from outside
openVPNPorts = [
{
port = caddyPort;
protocol = "tcp";
}
];
# From inside of the vpn namespace to outside of it, for making things inside accessible to LAN
portMappings = [
{
to = caddyPort;
from = caddyPort;
}
{
to = 7359; # Jellyfin auto-discovery
from = 7359;
}
{
to = 1900; # Jellyfin auto-discovery, TODO check if this actually works and dont forward these if it doesnt
from = 1900;
}
];
};
networking.firewall = {
allowedTCPPorts = [config.services.navidrome.settings.Port];
allowedUDPPorts = [1900 7359]; # Jellyfin auto-discovery
};
systemd.services.caddy.vpnConfinement = {
enable = true;
vpnNamespace = "wg";
};
services.caddy = {
enable = true;
# extraConfig = let
# gensub = x: "${x}.${domain}:${toString caddyPort}";
# tls = "tls /var/lib/acme/${domain}/cert.pem /var/lib/acme/${domain}/key.pem";
# rpPort = port: "reverse_proxy localhost:${toString port}";
# in ''
# ${gensub "navidrome"} {
# ${tls}
# ${rpPort config.services.navidrome.settings.Port}
# }
# '';
virtualHosts = let
authelia = "localhost:${toString autheliaPort}";
in
builtins.mapAttrs (n: v:
{
useACMEHost = domain;
hostName = "${n}.${domain}:${toString caddyPort}";
}
// v) {
navidrome.extraConfig = ''
reverse_proxy localhost:${toString config.services.navidrome.settings.Port}
'';
auth.extraConfig = "reverse_proxy ${authelia}";
#jellyfin.extraConfig = "reverse_proxy localhost:8096"; # TODO tmp off since i dont have proper auth yet
other = {
hostName = ":${toString caddyPort}";
extraConfig = ''
respond 404 {
body "no such route you dummy"
}
'';
};
};
};
systemd.services.navidrome = {
vpnConfinement = {
enable = true;
vpnNamespace = "wg";
};
serviceConfig = {
PrivateTmp = true;
NoNewPrivileges = true;
RestrictSUIDSGID = true;
ProtectProc = "invisible";
};
};
## TODO might be unnecessary with authelia but specifying a custom PasswordEncryptionKey is recommended
services.navidrome = {
enable = true;
settings = {
Address = "localhost";
MusicFolder = "/media/library/music";
ReverseProxyWhitelist = "0.0.0.0/0"; # cant be accessed from outside since the navidrome port isnt mapped to outside of the wireguard namespace
};
};
systemd.services.authelia-main = {
vpnConfinement = {
enable = true;
vpnNamespace = "wg";
};
# serviceConfig.LoadCredential = [
# "users.yaml:${}"
# ];
};
services.authelia.instances.main = {
enable = true;
secrets = {
jwtSecretFile = config.sops.secrets.authelia_jwt_secret.path;
storageEncryptionKeyFile = config.sops.secrets.authelia_encryption_key.path;
sessionSecretFile = config.sops.secrets.authelia_session_secret.path;
};
settings = {
# might change this to info in the future, for now its nice seeing debug messages if something goes wrong
log.level = "debug";
access_control = {
default_policy = "deny";
rules = [
{
domain = "*.${domain}";
policy = "one_factor"; # using totp requires me to set up smtp support :(
}
];
};
theme = "auto";
default_2fa_method = "totp";
## use ldap backend, not yaml file
## https://www.authelia.com/configuration/first-factor/ldap/
# default_redirection_url = "https://auth.${domain}/";
notifier.filesystem.filename = "/tmp/authelia-notifier.txt"; ## TODO change this to something reasonable
authentication_backend = {
password_reset.disable = true;
file.path = pkgs.writers.writeYAML "users.yaml" {
users.xun = {
disabled = false;
displayname = "xun";
password = "$argon2id$v=19$m=65536,t=3,p=4$cwYrForToKZn7+urMrSXuQ$PStkqPlo/7/GZ+hMsJXfOyZ0WijNtuZpaHWyZUuBWBY";
email = "xunuwu@gmail.com";
groups = ["admin"];
};
};
};
storage.postgres = {
address = "unix:///run/postgresql";
database = "authelia-main";
# this isnt used, ensureDBOwnership allows us to auth to postgres using unix users
username = "authelia-main";
password = "unused";
};
session.cookies = [
{
domain = domain;
authelia_url = "https://auth.${domain}";
default_redirection_url = "https://invalid.${domain}"; # TODO replace with overview thing mayb
}
];
## TODO: https://www.authelia.com/integration/proxies/forwarded-headers/#cloudflare
server = {
address = "127.0.0.1:${toString autheliaPort}";
endpoints.authz.forward-auth.implementation = "ForwardAuth";
};
};
};
services.postgresql = let
databases = ["authelia-main"];
in {
enable = true;
ensureDatabases = databases;
ensureUsers = lib.singleton {
name = "authelia-main";
ensureDBOwnership = true;
};
};
systemd.services.jellyfin.vpnConfinement = {
enable = true;
vpnNamespace = "wg";
};
services.jellyfin = {
enable = true;
};
services.prometheus = {
enable = true;
port = 9001;
extraFlags = ["--storage.tsdb.retention.time=30d"];
scrapeConfigs = [
{
job_name = config.networking.hostName;
static_configs = [
{
targets = ["127.0.0.1:${toString config.services.prometheus.exporters.node.port}"];
}
];
}
];
};
services.prometheus.exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
};
};
# services.grafana = {
# enable = true;
# domain = "grafana.hopper";
# addr = "127.0.0.1";
# security = {
# adminUser = "admin";
# adminPasswordFile = config.sops.secrets.grafana-pass.path;
# };
# };
## TODO: add forgejo
## ignore this its cringe and ill prob remove it later idk, its also pasted from someone else, idk who tho ##
systemd.services.vpn-test-service = {
enable = true;
vpnConfinement = {
enable = true;
vpnNamespace = "wg";
};
script = "${pkgs.writeShellApplication {
name = "vpn-test";
runtimeInputs = with pkgs; [util-linux unixtools.ping coreutils curl bash libressl netcat-gnu openresolv dig];
text = ''
cd "$(mktemp -d)"
# DNS information
dig google.com
# Print resolv.conf
echo "/etc/resolv.conf contains:"
cat /etc/resolv.conf
# Query resolvconf
# echo "resolvconf output:"
# resolvconf -l
# echo ""
# Get ip
echo "Getting IP:"
curl -s ipinfo.io
echo -ne "DNS leak test:"
curl -s https://raw.githubusercontent.com/macvk/dnsleaktest/b03ab54d574adbe322ca48cbcb0523be720ad38d/dnsleaktest.sh -o dnsleaktest.sh
chmod +x dnsleaktest.sh
./dnsleaktest.sh
'';
}}/bin/vpn-test";
};
}

1
hosts/nixdesk/default.nix
View file

@ -3,6 +3,7 @@
./hardware.nix
./hibernate-boot.nix
./testing.nix
./samba-mount.nix
];
networking.hostName = "nixdesk";

21
hosts/nixdesk/samba-mount.nix Normal file
View file

@ -0,0 +1,21 @@
{config, ...}: {
systemd.mounts = [
{
description = "smb hopper transmission download directory";
what = "//192.168.50.97/transmission"; # hopper local ip
where = "/server/transmission";
type = "cifs";
options = builtins.readFile ./smbcreds;
}
];
systemd.automounts = [
{
requires = ["network-online.target"];
where = "/server/transmission";
wantedBy = ["multi-user.target"];
automountConfig = {
TimeoutIdleSec = "10min";
};
}
];
}

10
hosts/nixdesk/smbcreds Normal file
View file

@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 Uot/1Q zOPmK3Ael5Ss1gclWT0Q/YLbtus/1Ef5QgSYP96MdjQ
Ut0OfpCHqMlWrkU298WDWXLseerYiwv8hAAf70nSgfo
-> mQ1Ds-grease V=M 7*
ZsOetI30y2vLGlwWP84sVSQzbrtA4m+yRrCc316MzHWPyuEJYnVzw7Eygayg8c26
t+1VDhMHLhFpImAIXni2GsZNAxGnUw5VaRybmpHRt1Bri8k7ZENosX/7T6/kViO8
BW8
--- 0MsxoH3ENvyga/ICHX3448MZ9q7GJecTg5eOLPe2D2A
ÍfÈh_±¿ÌïÉ¿m>rˆ®§Ó¡JxûÕ׃÷E^-ø‰‘˜¹`·!+Ñëu¡Tu{¢õsoh"ð¤EŒ<45>%Íϼÿ §Ð—! _>)ûšÒ¤†¡.™ÅÁ'¼]U}í蚃eB·éÈ7³L£¢¹;ñ£9h`
˜+8<38>6Š‰#ÄÀ}4âR»”/OåîS¶“ð—÷€ÌÝüœ„ZÅ(<28>‰åBË®Z­<16>·Ð9 ‡

5
readme.md Normal file
View file

@ -0,0 +1,5 @@
config files for my puters
nixdesk - main desktop
hopper - server
kidney - wsl

1
readme.txt
View file

@ -1 +0,0 @@

8
secrets/global/tailscale-auth.yaml
View file

@ -1,4 +1,4 @@
tailscale-auth: ENC[AES256_GCM,data:aLtXJaD/PRYtBAS0rixS83dzQZ14NIY0W8HhqQx0b1dXhujmiH+ETOECDivt0zyPByFx2JDh4KNU,iv:1BZTqp87gCNYVS2UCv56X1/BguxitsjdmGv3AJUtWII=,tag:Xh2v9E1shOLN9uc+56jDWA==,type:str]
tailscale-auth: ENC[AES256_GCM,data:8+XTTS0YoJpQPYMhES6YTWGehQH992cfIjFed+kl2sXZ551PyvaA4Y0/7CuNM9udJe2ba2yte3DkN+AILWk=,iv:EK6ifjTYD4Y5zEjfty0eJyfDaQO8ooOHXdCcEAF3W0w=,tag:wfbrkPqHFk8dJaDkNeaChg==,type:str]
sops:
kms: []
gcp_kms: []
@ -32,8 +32,8 @@ sops:
eVpKdlRpSnprclN4Wm4wVHpjYzVnSEUK49UF2IeDXzF9PiISIo0QjltkoFIa6Y8D
w2DJIys0Pfw5kGrVTLAgHMOMYmss4EdD4mwY+DQYWHqxTX0P2TKM9w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-26T23:17:57Z"
mac: ENC[AES256_GCM,data:7vnKNCZsqSCersnIJviHetgTt6qZOvO50yOSWCq+8rPVt5IK9abWtTUEZfDtZI0oIvOsOJjAlvCPLn94kknn6y0UspKE4aTTIGQQctM5cHzFL2xMsOaTqBLLMWxvpkAkWFQ8Lpg5v57/X2Rex8M0x1GRB74/KDDXs4TXz0v9fJk=,iv:ZnbiB2JS7bQZy3QNdyz3Ijbukh2YoH63huCNUijFLcM=,tag:Fhi6/5+X5dMe/cKejunVvA==,type:str]
lastmodified: "2024-10-17T00:06:06Z"
mac: ENC[AES256_GCM,data:EWKH7alUhTJWmHd1Y/hrtN7N2rc9DnIUxRghgGL6YwXz4kk1VoTlzEACw9NTv0qrQSfTVbFmD5f24vvdlrn7/SERmacv3GOe1/OM6kC11MTgO8rUCCwUGa+c5ublke7DQW/wQR7ay9a4pHRHf1DVBB3PrO7+A34CYWGP6gt0jcM=,iv:YzccaJSS14OPqEUftQUOhnFnF0vUNAtRvdCaDuZFoMM=,tag:R/fKcXST7LbzTahXD4uO6Q==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1
version: 3.9.1

7
secrets/hopper/authelia.yaml
View file

@ -2,6 +2,7 @@ jwt_secret: ENC[AES256_GCM,data:O0LXijtmUCoBKiQgptto6/dhcCRgP9EAXPhnmb0Dw4Gk/8ir
session_secret: ENC[AES256_GCM,data:lFkt5MasAri5ddS2JU9sNLTgHSSAelmvshX7jk5LEhWLcfTryoCdMHSiaqJpAY5NC0DgLPslyAyLtUgrAxTZqL/qHmSw4Q9XfxoWGk1IM4NERb0myOOTgmhcT4ImUEIROZHXNpgEUQ9c1stasix5uu5c1swUieZrDI7j79Xn5DWufzHc+SxaQwIggsLGpOazJO/UmBdGiX/uju2D/arp1okMClk8DcLWZtLdEs4V1Cqz5Yv21aeK/47DKy4rClqDB+8NNXk5ayA5wXa0DrvW7H+a+/ra6TRMcevMZBsjbvbRc2P654mpDt5XB3DMyoucYOHzUasymlYUMmUUtYFRhNaLWfgifAQJG8N+z1COe/DjWzhUOKfKNZQM7S0h61nh5RwLGh+PHMae0G7fLNTcNS7r8BxiIIF4wXJRmtxfnNY4GrQAtfatrHi6lbnrBzA7SsjaheK27/DVXZdUhkc6xxeIA3n+G9e4FSDC8aP6gKHPO8nDBzIEw21E0UtuNO7QYqw3NFwNX30ys+dw89S6RyZzJd9CHodYzmGHB9jlXJnu9aOsqmEUOuWD8Wwez9ogUQY5Uls/MbyXzX5dIEHeofPxzzQYepvMRmlNNyrWjQYmFqw8TblM1S8/dnI0FzmescPIKSdA/H5oEo8X9InpHbuEd2hOR0mQdDXoKFBw+ig=,iv:5yM3rohayzhGN1k8Njm/r8lggfaQDIeLNoVC3Vkc95s=,tag:JOH6xBEPFCYMHLSCNgFW9g==,type:str]
encryption_key: ENC[AES256_GCM,data:VBPBoNaL5l3/MWNW/97m0RXX7dANgHEgoIU4+S3Z7gMtZjFqscfN612CkWM5t4h6Ojej/J8WuslnoDgEK14Efr3byvnVOayFHUxb8U8Y1sGQ7DqW28v+3QXttd2agrVATGoiErVUVH5lUqmtIRzugQuWi707fq8A9D3OU/L26+O+/sBJjfvj+es9Vyq120ri1njtZvQzVDUoKjyTQOiPCOsyEX2C6rws1BT9UQr7EY73e5xEpiBczwq+A9eRVH77/Hqr8t0otbcxPn9rubUFPy9bOxTnqG/eXmm2vtPQXGRdQ3fUzvQgBSxjxkssoWK/MRaXaL6Xs37mfiUc/7KX3Ua49G53jC18HfFmfklnP9xmtORFk/zWTj4+eB3QKt9/mtg6E8iZUlI16S/PYyuB6d37Oy0iuAHatwDqJBSZdnPl/ZXW8NuaZCKGLFMojqBXPxOTxZ/88KJcEI2MEuueBsS62L9Gb7g0jSjsNfTEmA5lCGHQ4rbeG/SahrbAzPKMWTTIgV5va9XY1e1amweTGSjed5nk+XB9ih6Z0MZ+da4RghjnHexOBqEewhDICUHd4Xyfyl3SqJKpBtGOCBW5tfkjy2kIWVL5KB4cB1FhHq9fvATDcG4qCV5ptZPgnGbqsme970UHO7CNTAso1ju8Nk9GT/46y/4oPCxU6DS9gy2oN0hxbut4mpJ+RyGEthtpQ+caSPsjsTx5yx33LUCqw19H1mRqzZo23tSzAcGvLZiHt3c3/S1QRNGOIqJmTz2Q41JOVBjqPF4W/ZgfZgax+vASRDMre7S6TlSMfUGU1i99vzFkELmfDiXVTpbj+Jq0/kIxdaf6RkfvvqA20CfNysSsD7RoLqy7CyTilwjJVHliGqR7T8RG4aJJVZdBBPsXkkPa5281pUO0lX/v48gw/UOqcswcSf0uV9MRidR/Rmb/u6PBNuIRjjUl0U94ZtiO8925gSLFGwFhrrz3NsjkCOzUIyDObh6EImNbzsjWBmiCTetr2huYhK4JkW/BarC75zfhsEFiU9Sv0PKcymgGZ4gm0aFcIyWyyim3YxGI80otIZLu1oGid7YX6ddzWZPrTq8bK9GmxsiNLtfPCahA5EDYKDXoIHcc+eWjzJijoTNaGCAElNK2/kY3cO9zpviib36eYO1C6X5VYrMivTTdvsm935PNmESG1CYaDiAekpvZTDBsCJYm7RCBAPoAfR8IOeZdZah73QAplpQlTo+lxbb/M/SuPO2JMWFpn5aWSgHKj0X0mqtQ8q78KJ7cUtYJV1BkWLnAEmeudq4NqB02PkortEkJb9Jjgj7+iZNbuJxvrdhEixsOAwOw9UbFOIO3q7mV9D39r+PhQ1JNqP7HJA==,iv:fArn1NcxTjBUrWfYYGoeWh7P8rdDhK9zHdrtRrvVxzA=,tag:sGsAX8qOWK4qBIZh8LZj8w==,type:str]
storage_password: ENC[AES256_GCM,data:XH5szvA2s6WpBWauGjJCB0KHGti947/3Y/xGOCAvpc52JEaIrGP9/29ETw2omVVxvhlrg15vsca760Spa2VkpyO4pZOC1vUEmK00uAsNSwDzE5Xt9QGa3res1MthD5lKxRk+2IZBpMnoZYkX3Q11kvSpbyYwOpdFpK5ZU3M962yGs9JKGuDTofzT41Pz08fVXgVs2gGiYTjY+1k4OUzHPqBDRd4fRvlMxepKUJ5hIJlLFq5ncIyXYeDCbv+TDoX/Nw/SBl5cysQxjEnFSKF0ZegKt8u1TTjYL5Ag5378up9xwYtaBGHde1H3Mwq37cLUXOessPo0ftTuhZfa/Vz6mLace/QZoNCz/fnQSO56bIps0+RLqakrctajditJWX6yq3Y3tA1x7FqI+r83jriv334UToDE/LupUlTLax24cy/w34KW1l6sNkjqUwT8UPf3CcYIVSqhmNBMa71EQJFelXGQJyLfCsepe5IlNqFfXiY8Ywe/ncnx0sPCTQG43gN5PcUwNV15/EzOIyg4xp0CtgRBK/dnlVlQ019DaD0s3jwczfcyzC5xLWoguNu3mtm32KwkayMno0Y7timH0E7AwaYW6uLdSo5p582O5zbUcMVlGYUXLa27Y6madAPGZEonhZ9IvrpFrNCG7VVcKiBxdC7OzSn3VWiOoZ+d52m6bAAeIiy1wp3En2PcOqO+b4soc7RTy+acFypupB9//N0xd8Yq+VdALHa4tQGvT5oc0OlAIdMcF7oU0nGiyQKE495Q5/MtcilYseaQq0c2vp82y9YndlinzOnj7JinerXXfAUdTREPH6FvNR3Y6cdPKqgM89esrDJJum7L6eFUq5ozoqwxvOGv1CKEA+LgD9pXuXAPSdqiwZeEBD5P4fuLik5heKHJwcmgIaja7Vd5ni3cSQsLnwU/m2aQ5WmJe+7REbykYmC6J2+EinSm7CWYpq3EqKFmFsSoTbEpjL6ghOtjB4cD0A0fK5RJhU5nbpFC/whSg+6SPGe7w7RZa3suQ41QLY9MgwNKPDGDqwPQP4SnbBVYiQnyCJHj8ZDyWN38LMahEzjJT9leo9yr9h3hjvYdouNN4BTCFajgoQ38eapd9HqeTWBYbg5TOC+JOI3/tG5HYWNI/kI9jWrgIu4belvrnsdPMo0O7FIHiEKQWg/b6v0kBkeG7h+OHgs/qzq7GSz0rOoNgEBqHa2eVTwtmnMZgC3fJ78/QdRCbW+I5YsmFEZIcT4JSXnjFlPjsoFnhpHS5DcdCsY7YnY6006SprYF43lPunRFbpfPPSr4Zpn/G009M5ZasiHNzPPsr7leiDBkugGPtBaEEy+Fnct4bfc1JD6F+FHtTp+iGE0pT5wZCQ==,iv:SiRzgXm4hUSW+o80AA60oAIJus2FSZvL/Ly0bktT5XI=,tag:NuD9XVd4TNFOIo0jdHeSyQ==,type:str]
lldap_password: ENC[AES256_GCM,data:KbJam6qANZDc270gM7Umz1aABIW9N7xcz50PzhsX//dl97k6idDsDASd/33G7KxFCpVPtAQuhT3MLFuGQ+aFjy+YDasL6t8UdlR905CVbi2APH0pexqamhMpf1ZiMbYosdh0wAk5ZOJoWLdOZwVHUBWMgyRtEwc3i85Mla4CDvQ=,iv:PRoSle4GztDQv6QYeNsvHanREEZqs51t84Sa1qJh6Ys=,tag:XDTvZoHBbFtty61b9lugSA==,type:str]
sops:
kms: []
gcp_kms: []
@ -26,8 +27,8 @@ sops:
OTBTbDlXaHZnanJSbUlLUmRTaDc0eE0K0AEhDK731gOTp5AjocYgPEdXnr76m8PF
JoT4IWr2WYs5W/JgC8c4wIc4C9D4O8c+/mnE1RsG6EUXAz5ufMQcGw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-14T15:16:34Z"
mac: ENC[AES256_GCM,data:14fDEp1QyVtDsnbhm/DvFbvk52LAu1NVxUZGn/bhcfipG5PXAOKbtneec9ooe+M8wuWFUtq8nxE+y6341pyS4pKwLbsZ8tftDNm1k586B8QOp/8ctbiWG8zXgvuZn/LnhIDEnt52UaJOlGsY0vfdsC2JgxNx6z39xBIZjqHAjjA=,iv:OfPrtvS1kI3pAnGTX6D9xZod/yEMZM8BTZcB9KvLKcI=,tag:ApAySONamB1Ai7jjUU93Jw==,type:str]
lastmodified: "2024-10-01T04:33:16Z"
mac: ENC[AES256_GCM,data:JOpFhUp35Qh47yO0RySQGx9BHQfa8IrsiQarFNlid26D9jrDyF55Y5Wt88JgzPjGKVGhj+lJCz/vBGZ6wF8EVrT5Zd56cdKf5f7oOVF8s/sHl0O8MCstAUUazF8lP3SHRqZg4ZK45cFFt8ScFJd8KpCttiQY7xhjxyxCfUJ5E/U=,iv:cRedV+y5xEL8PB4gYzdEAmhqZ049geoPXHI6awqoi4Y=,tag:LvEb6Dc4flup2yEKPOnU2A==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1
version: 3.9.0

52
secrets/hopper/default.nix
View file

@ -1,30 +1,21 @@
{
## TODO use defaultSopsFile mayb
{config, ...}: let
autheliaUser = config.services.authelia.instances.main.user;
in {
sops.secrets = {
wireguard = {
format = "binary";
sopsFile = ./wireguard;
};
wg-private = {
key = "PrivateKey";
sopsFile = ./wireguard.yaml;
group = "systemd-network";
mode = "0640";
grafana-pass = {
format = "binary";
sopsFile = ./grafana-pass;
};
wg-preshared = {
key = "PresharedKey";
sopsFile = ./wireguard.yaml;
group = "systemd-network";
mode = "0640";
wireguard-config = {
format = "binary";
sopsFile = ./wireguard-config;
};
serverenv = {
format = "binary";
sopsFile = ./serverenv;
};
code-server = {
format = "binary";
sopsFile = ./code-server;
};
slskd = {
format = "binary";
sopsFile = ./slskd;
@ -45,27 +36,50 @@
restartUnits = ["podman-betanin.service"];
};
# lldap_jwt_secret = {
# sopsFile = ./lldap.yaml;
# key = "jwt_secret";
# owner = "lldap";
# };
#
# lldap_user_password = {
# sopsFile = ./lldap.yaml;
# key = "user_password";
# owner = "lldap";
# };
# authelia
authelia_lldap_password = {
format = "yaml";
sopsFile = ./authelia.yaml;
key = "lldap_password";
owner = autheliaUser;
};
authelia_jwt_secret = {
format = "yaml";
sopsFile = ./authelia.yaml;
key = "jwt_secret";
owner = autheliaUser;
};
authelia_session_secret = {
format = "yaml";
sopsFile = ./authelia.yaml;
key = "session_secret";
owner = autheliaUser;
};
authelia_encryption_key = {
format = "yaml";
sopsFile = ./authelia.yaml;
key = "encryption_key";
owner = autheliaUser;
};
authelia_storage_password = {
format = "yaml";
sopsFile = ./authelia.yaml;
key = "storage_password";
owner = autheliaUser;
};
brawlstars-api-key = {
format = "binary";
sopsFile = ./brawlstars;

24
secrets/hopper/grafana-pass Normal file
View file

@ -0,0 +1,24 @@
{
"data": "ENC[AES256_GCM,data:+jzTvF67htgSLx3//yu4CeH76/lQdxwcJSSplJm9eaVNs91PXF7hnZrEVyjIvMLi8lwOTSrH7SZJXOvZsoLRZHDdWC88+H32jsjVOopJgowAAQHuiKyQJjCACN5OBslKgTQEYo4eKpC8A1fliKf0fwJW+HY9pC9WUbZUkbpc9scMrZJIVb2Tm6UQoPoiEn9PbrC8tgGT1lOEk5EeiMgYg1JbEL7hcn1epuyYPYw45TV4SDLlnvo=,iv:qscpjBl/ifRGmjSHLUZ5rgC8oW86k1ca6JMna+VOFdM=,tag:Bsl3nrKTHrt27Xq/eLDLvg==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age17pdqkpfh6kc6wm7gxzdnwf6vphlwddv9yfpdu3j76e24y3amd9tq3avfc8",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYejVUVmNCQW9hSm40dzll\nT0Q2STNrNEt0OG5GcXlYMUpHaHpZZFdoejI0Cks2aDJ5b2R5d1BMSSt6UlVVelNL\nai9NRVNreGRZNHFvOVFJcTcra3M1K2sKLS0tIGFvc09pTDN6TGJuMU5XWG1ZT3c5\nWnJsa2k3U1pleUNuZmVzYnRpakxqalEKdNWuvPa9fm+UOiiZ0fb05Cw084z+tz5q\nnC8kK1ZAWvLKPgb3yNhfzrmVbdCfxvxnGYmV3f1SkVFaZv1XMJQCtQ==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age15mgf89h220puhz48rjpwxwu4n2h4edur60w6cd8gku2hh4e5kqpsghvnyw",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3STVBMjcvMklVOFRuSThM\nWmtoOGxBYVVVVzFFVzNTSzl1TEEwckxsU0VJClFvcU9BbzlWZURSclNFek16L2I0\ndU95VS8vQlZqL0FIak9XMjBmWFdEVlkKLS0tIEJtb0FaZjZFaGE0S0MwNEQ1RnU4\nRUFSWG9LR3BoS21ENTMranhTQmcvTk0Kgm8BjUznYhzRbYwlettBVVK6r0bYkFFi\ngulgnbUSol7nm+eTsDLASZtm7V5Ms20Hv1/SKRry7Jr8zYZjWUqJ1w==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2024-09-30T09:41:29Z",
"mac": "ENC[AES256_GCM,data:DvGuAiiSDScG2sWLq/SMCDvJ9JtS4nO+jqVnDmvRyjz14bRyiOSW/5p1vIaOgqPpuGKJ5OM+drlOdJpz8Co17OesQWWTH1GxRBkF3GkInG9xlY/PwlW/4R3mw1+3NIUE4xy0J1szU/27n4v4ToQ92Nn6NLe1fqZBH921xq9PcYA=,iv:1/pIrLsgLYea7MhxcchiliIDvNMTCjmLr2G8yhAMX6E=,tag:HcT47ZSCWkfju2kTitgdAg==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.9.0"
}
}

31
secrets/hopper/lldap.yaml Normal file
View file

@ -0,0 +1,31 @@
jwt_secret: ENC[AES256_GCM,data:C5TnV7d/qdgiX+J/K7vsKXuZ6atsrEwwbr189c7kURHH5bK3xW0BBw3p+MGS6RAQBK9+SN7t5k4uWlEm9Ekm5wDbgt10/WXerC1ZNacxbcSlB7i+w/Fne+g2d6vg7SwC7wpgH0nBmWSAnCmOdDlXOO6NYQ1zL8apCN99Z2M4SVQ=,iv:DzkZjX8+stqZxzNjcgl+uWR142bAdfeQd3RyByHzOE4=,tag:7tbciVbRuLRt8/1q2NRlAw==,type:str]
user_password: ENC[AES256_GCM,data:IuBlcthybynSI4AJpJ7nZFOgzbH5v4ucKxEO7fe65M1hak33gX7uQSFMRcj9gJAh/E8h87VudQkpxWC6+RKW/w==,iv:WJrvL2RhmoWCaqAjK7nn98Js/TXOL/3oeVADoOt9Vr8=,tag:JcQeKs0O+exoWCG5m/EFtQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age17pdqkpfh6kc6wm7gxzdnwf6vphlwddv9yfpdu3j76e24y3amd9tq3avfc8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKU3ZOQnE3bStmdVlOWWVU
cVNyRFp4STR4MFRhNmpVNmpVUUFCc3dFNnhFCjVtU2J0cGhVRVN5MFFobTMrQzI1
VWoyaStZR1BPM1R4TUs4VjNVR3JrWTAKLS0tIFk2ZTJyN0ZpVFdtZFFKNjRacnFn
bitxRG03RU43ZENId1dIL3RWQVlQT1kKpGj5BKFO+iX8WaHbGOlUSfOp8bIJS3wS
6Kqt1qkEPywYHgwd/amuELbkthu7mxCx4k45EEaN5gILyONGYJxR2g==
-----END AGE ENCRYPTED FILE-----
- recipient: age15mgf89h220puhz48rjpwxwu4n2h4edur60w6cd8gku2hh4e5kqpsghvnyw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiejQxVXlVM29ldDNWbnlC
OTl3SmttaVlIUCtTK3ZteVRCY1JHYUg3cXhZCnNDY3JON1luUDcrS01xMVRGWVkx
Q1YvRzFpRnpybnE5SnM5NGxqUWVpQ2cKLS0tIFpIcEsxVkpRSW5KcmoxMVMrUW13
WFgzK1BpVks3YmcxT3gxYzl3eHpySFEKJwsayqczYl2bFViRTWlP1p2OomPA1NnE
EKU51AINXIYfnNaXzMKWEj52yoVLvtKiA/rdJeVVOOopwD+qa/lRkw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-01T04:00:12Z"
mac: ENC[AES256_GCM,data:9mu/knvioQT4y7WGdRjDvfeZxYgNb3TnNnDWOIALN6sqNhs8cI8Q+ussNny9zTygRN/LsS4cvhGypqxZ48CT4YyIKxJ2Xuf32Ho+ojh65a4Kabe3CjklLaAnj//MXnvpUtEXFGKlTiyKi/JxHaQLOaeZBeMv1yfYKuo0hjdzlho=,iv:KR2UMbNmsyxa8TEv6lwTJlqc3Qe81DaTTVtzSZRZyik=,tag:B3Hvr1RRGDrxROylhUuFxg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0

24
secrets/hopper/wireguard-config Normal file
View file

@ -0,0 +1,24 @@
{
"data": "ENC[AES256_GCM,data:GhwIkO2APhN+Ozgsj3YtCq40nd1x5IC9R2mbgmzwddT3yEBLQCadSZ3jvXwzJT5KlXXNlf+Wr6wRjRf1ICsVtt+HvbAkp6YmPbsiZZaBR5KqVCKZxhJQm00eOi9mP13RR1Mo+OWzGqu2uGCezG/HocgQoEoCDRTT4EL81jEuBra1j5WjAmFrmJjSTELbwJD1Qu9IKxh0Mu7dTMbb/Roc8ES++NR1Tt/TG4Ljgly0XBtib2sLWIJov5afEzwW0FpwMqHE8gqP+korlIXaEIqIqFGGwTHS54EoZPGmDrQfRYMuQrsNz8xWhuFOEqpd0/KKIb/UjZCc2NYf0pFuCxtQmOGofMFGaTFu8x6T1gehPprWJTf2q1ImYl0yc5aU+lyragr7j1PIowa2SkGu8TMeIDdga4Qusn78tSnycVakPqQE/pJ+xeStLC9Cg4IW6gRvKg0ByzFDgmXcNyPiXu9iGBecRDSNuWsheJUPV8h5qnQBlR4gyWhYXLh3E1549leQw2soG+iGXzOXC9UKwolzCmhXeuI=,iv:j9OIb4P+wSicxghVbuh6C7Sv6KLqjwFQ7uYLCGMeEPU=,tag:hqRxr0p7CPiSfPP9GMLfuA==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age17pdqkpfh6kc6wm7gxzdnwf6vphlwddv9yfpdu3j76e24y3amd9tq3avfc8",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJVlpJdUdEZ1lNT240WHZt\nVnFlSzFQMjhMc0F1LzBvWExnc1dEL0RPTGxnCmFKeU5zOThOcVc4REhNeDh4Y004\nbDFuSVBtL0MvQ3RnS3VZakN0cGVJbEEKLS0tIFFuWTJRbFg1OHA4dnBvWEdQZElm\nNENNSEpPWEtqWS84R3lhNmRCYTdFSDQKsY0PV+8vYLGcU/KxeQZMWCkbkGUfR1gh\n8Tdt7Jo8Xvd4HFwf8a0XegxMxqQk8FE/44RnkwG8xf6HHXLuXxkmlg==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age15mgf89h220puhz48rjpwxwu4n2h4edur60w6cd8gku2hh4e5kqpsghvnyw",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBaHR6bXdSZWlEemwrQklY\nRjFFU0VWZGNZYUxaaXVndjNpQ1FrUStQNnlNCkVpRmFIV3lvTHBSSnVwK1BhWGwx\nOTkycVVlNDdwdUlzbG5Tb1ZDMFExbjgKLS0tIEY0bVp5akRzeitrZ3ZEaVdueVM5\nVUp4bDhaVk1SWWxXM1pJdWs3UGtVNUkKIScfgHBYmQJE52GtVd32PEuA2/oBl30x\nclfnEzkCCAayBnFFoulY1LkNGelfJMr1/cTK/i9S8Qlts0Vn2mTBnA==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2024-09-29T13:16:47Z",
"mac": "ENC[AES256_GCM,data:DcUk4FtCLgPf8YrlngmnCrflMpqL97QUI5s1eZTaK0ghvD3Ae0qlZ7whcUdalROhO2vsi5XHvDAXMSDhtbfnrEnuTJpwilONMRs66G8mJc9/fnGUAfEBNiZve8FXki+vjaiYjmCVX8VWGMq2NP3Ax4DR7+/obOjOKA9m1CThNH4=,iv:sT8H/ZK7TXOGq054w4jUWqVB/l/nHzXtg9DQJ4HF9Ps=,tag:S6RH3STimNR9KSeRP5V7gA==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.9.0"
}
}

4
secrets/nixdesk/default.nix
View file

@ -20,5 +20,9 @@
format = "binary";
sopsFile = ./brawlstars;
};
samba = {
format = "binary";
sopsFile = ./samba;
};
};
}

24
secrets/nixdesk/samba Normal file
View file

@ -0,0 +1,24 @@
{
"data": "ENC[AES256_GCM,data:IwlFjjTZqyL7QJaM1aBi5De0xPZ6T3/fQb+gIcyRP+sgyazLn4MEFABgoCKxTJaNhl4ld2HPA+uGxLOGavTwAxOPpCSxnfTPiPsDrIob9M+ssdVEinBb28E2GIp1ZEbwL7d+AsLstlI3k9JLNaWwqqC4uUb23cWl5/pXELI3ung5BytXGsGXBM/UqW7ce9VA6OQuCvcZiA==,iv:kt1FZBbOktLblC1Wnj4+apXB4dBMyY5Lk1XygdT9c58=,tag:gO8tkX+udOgiV+He2GIOrQ==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age17pdqkpfh6kc6wm7gxzdnwf6vphlwddv9yfpdu3j76e24y3amd9tq3avfc8",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaNnFIQStPV0d4TE0ya1F5\nSGRtckdUalBXVWI3TlkwY00zaUpESGlqem1jCjZJKzZaSDR1QW5ZWkVTS1hWcFEr\nMTJrTTYzRFFXUk9xbVM5aVphNDV5TjQKLS0tIDloRkMwSUNwM1RQN0lTQm81U21w\ndEdGN0R3Q1NKZmZjY0xCNFlKT3FkY0EKea+Gn8QJeu4iVZdx2WTRO1GOmC2IAeGt\njaMAek1JC9cOkzq0InCr8T4u2+R8ZNCNxf4B3uwRUQVBaVn1HV8Jsw==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age155sscpw0x36t6s9usdrz7relpxqrtqnk98mrc7s0qcv2n0v3zd7sfl2xn8",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVMjNzVVhnZ3htWHEyV3NI\nV001YmtrYTFjQ2lZQWc3V3kvdDdUZ1M5cldzClE1SFVrV0lIc3lWaHVxYnBQS3N5\nbFp5dnJxZFhHdllXYko0b25OdWl5dnMKLS0tIEk1b3FPUG94dWJmS01qWUdnbkVy\nVThNODQvVXlQQ3FZaC8rdlFoOHhPVmsKbcGBJoLMFgpcIQsjlxeAViwne9ri/1WT\n56zPt9+f54K6W7hzJ7pVAG4+IYeWfaybMoPyIWTsTq9tlI6cc8MIag==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2024-10-21T08:11:03Z",
"mac": "ENC[AES256_GCM,data:4t/N1HbvMbXpF7pO0In8V3BKxK/6bz2BmFsH0DGTPNFZ9ZUNntOsOBtjjOhnRfbPY+Bl7JAQnHIVoAtyi6JavXpyH1WmzIpvpBUCWraIoKcD2XzrfraLEJazV6wIVE/vaBk9A6L54KivCXzMp35SDyIlWt6GBfyZJX64le2l5Ck=,iv:NVxByBu+6KNTKVnbjINOqQMgNI85lJxAKfeMFsVNz+0=,tag:mXeFyajv517gC095Wc80WQ==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.9.1"
}
}

2
system/network/networkd.nix
View file

@ -8,4 +8,6 @@
dnssec = "true";
domains = ["~."];
};
# TODO use networkd-dispatcher to do some things when network connectivity changes maybe
}

2
system/network/tailscale.nix
View file

@ -3,6 +3,6 @@
enable = true;
openFirewall = true;
useRoutingFeatures = "client";
authKeyFile = config.sops.secrets.tailscale-auth.path;
#authKeyFile = config.sops.secrets.tailscale-auth.path;
};
}

1
system/programs/tools.nix
View file

@ -23,5 +23,6 @@
else p7zip
)
unar
openssl # for generating passwords
];
}