diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..3ab7365 --- /dev/null +++ b/.gitattributes @@ -0,0 +1 @@ +hosts/nixdesk/smbcreds filter=git-agecrypt diff=git-agecrypt diff --git a/Justfile b/Justfile index 2a60227..d05c199 100644 --- a/Justfile +++ b/Justfile @@ -10,6 +10,9 @@ local OPERATION *FLAGS: buildiso *FLAGS: nix build .#nixosConfigurations.liveiso.config.system.build.isoImage {{FLAGS}} +updatekeys: + fd . secrets -E '*.nix' -t f -x sops updatekeys + remote OPERATION HOST HOSTNAME *FLAGS: nixos-rebuild \ diff --git a/flake.lock b/flake.lock index 026d06c..2ce882a 100644 --- a/flake.lock +++ b/flake.lock @@ -87,11 +87,11 @@ ] }, "locked": { - "lastModified": 1726153070, - "narHash": "sha256-HO4zgY0ekfwO5bX0QH/3kJ/h4KvUDFZg8YpkNwIbg1U=", + "lastModified": 1727826117, + "narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "bcef6817a8b2aa20a5a6dbb19b43e63c5bf8619a", + "rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1", "type": "github" }, "original": { @@ -144,6 +144,27 @@ "type": "indirect" } }, + "flake-parts_4": { + "inputs": { + "nixpkgs-lib": [ + "vpn-confinement", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1717285511, + "narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "flake-utils": { "inputs": { "systems": "systems" 
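Review bot: `sops updatekeys` asks for confirmation before it rewrites each file, and `fd -x` spawns one process per match in parallel, so the new `updatekeys` recipe will either hang on a prompt or interleave several prompts on one terminal; pass `-y` so it runs non-interactively: `fd . secrets -E '*.nix' -t f -x sops updatekeys -y`. The `.sops.yaml` that supplies the new recipient set is not in this diff, so I cannot tell whether the rotated keys are already declared there.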
@@ -166,6 +187,24 @@ "inputs": { "systems": "systems_2" }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_3": { + "inputs": { + "systems": "systems_3" + }, "locked": { "lastModified": 1726560853, "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", @@ -180,9 +219,9 @@ "type": "github" } }, - "flake-utils_3": { + "flake-utils_4": { "inputs": { - "systems": "systems_3" + "systems": "systems_4" }, "locked": { "lastModified": 1710146030, @@ -252,11 +291,11 @@ }, "hardware": { "locked": { - "lastModified": 1727040444, - "narHash": "sha256-19FNN5QT9Z11ZUMfftRplyNN+2PgcHKb3oq8KMW/hDA=", + "lastModified": 1728729581, + "narHash": "sha256-oazkQ/z7r43YkDLLQdMg8oIB3CwWNb+2ZrYOxtLEWTQ=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "d0cb432a9d28218df11cbd77d984a2a46caeb5ac", + "rev": "a8dd1b21995964b115b1e3ec639dd6ce24ab9806", "type": "github" }, "original": { @@ -295,11 +334,11 @@ ] }, "locked": { - "lastModified": 1727246346, - "narHash": "sha256-TcUaKtya339Asu+g6KTJ8h7KiKcKXKp2V+At+7tksyY=", + "lastModified": 1728791962, + "narHash": "sha256-nr5QiXwQcZmf6/auC1UpX8iAtINMtdi2mH+OkqJQVmU=", "owner": "nix-community", "repo": "home-manager", - "rev": "1e22ef1518fb175d762006f9cae7f6312b8caedb", + "rev": "64c6325b28ebd708653dd41d88f306023f296184", "type": "github" }, "original": { 
@@ -308,6 +347,28 @@ "type": "github" } }, + "microvm": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs" + ], + "spectrum": "spectrum" + }, + "locked": { + "lastModified": 1728779945, + "narHash": "sha256-RFKyZygnUbJlWq1uBn4JvEEcQKZW3AFBL3bQoywECPI=", + "owner": "astro", + "repo": "microvm.nix", + "rev": "4d81c4115ef832880561f243efec21f06d2a8b7c", + "type": "github" + }, + "original": { + "owner": "astro", + "repo": "microvm.nix", + "type": "github" + } + }, "neovim-nightly-overlay": { "inputs": { "flake-compat": "flake-compat_4", @@ -357,11 +418,11 @@ ] }, "locked": { - "lastModified": 1726975622, - "narHash": "sha256-bPDZosnom0+02ywmMZAvmj7zvsQ6mVv/5kmvSgbTkaY=", + "lastModified": 1728790083, + "narHash": "sha256-grMdAd4KSU6uPqsfLzA1B/3pb9GtGI9o8qb0qFzEU/Y=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "c7515c2fdaf2e1f3f49856cef6cec95bb2138417", + "rev": "5c54c33aa04df5dd4b0984b7eb861d1981009b22", "type": "github" }, "original": { @@ -373,17 +434,17 @@ "nix-vscode-extensions": { "inputs": { "flake-compat": "flake-compat", - "flake-utils": "flake-utils", + "flake-utils": "flake-utils_2", "nixpkgs": [ "nixpkgs" ] }, "locked": { - "lastModified": 1727228778, - "narHash": "sha256-vg1b7yLH8TgKsUi5KlctSx4GuET7MAoWUR7nqAGnU/Y=", + "lastModified": 1728179514, + "narHash": "sha256-mOGZFPYm9SuEXnYiXhgs/JmLu7RofRaMpAYyJiWudkc=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "fb86a415579cd38eb7b47c3ada597841b97e2ea9", + "rev": "018196c371073d669510fd69dd2f6dc0ec608c41", "type": "github" }, "original": { 
@@ -395,15 +456,17 @@ "nixos-wsl": { "inputs": { "flake-compat": "flake-compat_2", - "flake-utils": "flake-utils_2", - "nixpkgs": "nixpkgs" + "flake-utils": "flake-utils_3", + "nixpkgs": [ + "nixpkgs" + ] }, "locked": { - "lastModified": 1727091786, - "narHash": "sha256-n36Vtdtx7tTTKFI9aoWxdNIlJ2dwxoitFDwcPXrS+Jk=", + "lastModified": 1728860000, + "narHash": "sha256-Ql5wSa6mnCT+1NfJYPk0gP6MQrTaP5u2raR8J6YQXxI=", "owner": "nix-community", "repo": "NixOS-WSL", - "rev": "1fcec53c692c15091ca5bb9eaf86a2cac6c53278", + "rev": "b8ebac4acc72aa17e0fb8d893d0050d68843154a", "type": "github" }, "original": { @@ -415,27 +478,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1726838390, - "narHash": "sha256-NmcVhGElxDbmEWzgXsyAjlRhUus/nEqPC5So7BOJLUM=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "944b2aea7f0a2d7c79f72468106bc5510cbf5101", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_2": { - "locked": { - "lastModified": 1726937504, - "narHash": "sha256-bvGoiQBvponpZh8ClUcmJ6QnsNKw0EMrCQJARK3bI1c=", + "lastModified": 1728492678, + "narHash": "sha256-9UTxR8eukdg+XZeHgxW5hQA9fIKHsKCdOIUycTryeVw=", "owner": "nixos", "repo": "nixpkgs", - "rev": "9357f4f23713673f310988025d9dc261c20e70c6", + "rev": "5633bcff0c6162b9e4b5f1264264611e950c8ec7", "type": "github" }, "original": { 
@@ -445,13 +492,29 @@ "type": "github" } }, + "nixpkgs_2": { + "locked": { + "lastModified": 1728538411, + "narHash": "sha256-f0SBJz1eZ2yOuKUr5CA9BHULGXVSn6miBuUWdTyhUhU=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "b69de56fac8c2b6f8fd27f2eca01dcda8e0a4221", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nur": { "locked": { - "lastModified": 1727286550, - "narHash": "sha256-Kmks1TmhrDV3qJFOQWssqhlCnKOsLO6kXKb0hCDyOPk=", + "lastModified": 1728871971, + "narHash": "sha256-9DA3YgtiAC7ADY0Qsjnz95R8jebLJQcdg37dZIgEtdI=", "owner": "nix-community", "repo": "NUR", - "rev": "8a471cae1970a8e47ec21151af01b8e316fb38c2", + "rev": "97bf2fe3008121ebd4a71ffc01ddd6bb8a6345c2", "type": "github" }, "original": { @@ -463,7 +526,7 @@ "nvfetcher": { "inputs": { "flake-compat": "flake-compat_3", - "flake-utils": "flake-utils_3", + "flake-utils": "flake-utils_4", "nixpkgs": [ "nixpkgs" ] @@ -487,14 +550,18 @@ "flake-parts": "flake-parts", "hardware": "hardware", "home-manager": "home-manager", + "microvm": "microvm", "nix-index-database": "nix-index-database", "nix-vscode-extensions": "nix-vscode-extensions", "nixos-wsl": "nixos-wsl", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs", "nur": "nur", "nvfetcher": "nvfetcher", "small-nvim": "small-nvim", - "sops-nix": "sops-nix" + "sobercookie": "sobercookie", + "sops-nix": "sops-nix", + "umu": "umu", + "vpn-confinement": "vpn-confinement" } }, "small-nvim": { @@ -506,11 +573,11 @@ "utils": "utils" }, "locked": { - "lastModified": 1725435730, - "narHash": "sha256-gPja4IoV48x8weXXxA1SJmK+iNbEhw4bSoqmff46xZ0=", + "lastModified": 1729288975, + "narHash": "sha256-3knRNR2DPlgyM5fvs0rzaX8mznceoVYh+WbIgP5fbmc=", "owner": "xunuwu", "repo": "small-nvim", - "rev": "88be2b8e644545c1f270d3890e887675b54e819e", + "rev": "062d9c3125ea18d03e87f2dc8403ede52ddb70ce", "type": "github" }, "original": { 
@@ -519,6 +586,24 @@ "type": "github" } }, + "sobercookie": { + "inputs": { + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1728934593, + "narHash": "sha256-qOnpRkaeRLLph/fdUwOAJ/6sVPPOxMSeWdz24fHmESw=", + "owner": "xunuwu", + "repo": "sobercookie", + "rev": "ead73318a6897989e5a1f957112254c595bb9e8c", + "type": "github" + }, + "original": { + "owner": "xunuwu", + "repo": "sobercookie", + "type": "github" + } + }, "sops-nix": { "inputs": { "nixpkgs": [ @@ -529,11 +614,11 @@ ] }, "locked": { - "lastModified": 1726524647, - "narHash": "sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4=", + "lastModified": 1728345710, + "narHash": "sha256-lpunY1+bf90ts+sA2/FgxVNIegPDKCpEoWwOPu4ITTQ=", "owner": "Mic92", "repo": "sops-nix", - "rev": "e2d404a7ea599a013189aa42947f66cede0645c8", + "rev": "06535d0e3d0201e6a8080dd32dbfde339b94f01b", "type": "github" }, "original": { @@ -542,6 +627,22 @@ "type": "github" } }, + "spectrum": { + "flake": false, + "locked": { + "lastModified": 1720264467, + "narHash": "sha256-xzM92n3Q9L90faJIJrkrTtTx+JqCGRHMkHWztkV4PuY=", + "ref": "refs/heads/main", + "rev": "fb59d42542049f586c84b0f8bb86ff3be338e9d3", + "revCount": 674, + "type": "git", + "url": "https://spectrum-os.org/git/spectrum" + }, + "original": { + "type": "git", + "url": "https://spectrum-os.org/git/spectrum" + } + }, "systems": { "locked": { "lastModified": 1681028828, 
@@ -602,9 +703,46 @@ "type": "github" } }, + "systems_5": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "umu": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "dir": "packaging/nix", + "lastModified": 1729102213, + "narHash": "sha256-KLi7sZmf+D8d6JYVmJs2WVNLhJgtjvJPPdm2ekbrpDI=", + "owner": "Open-Wine-Components", + "repo": "umu-launcher", + "rev": "a6b84b1aed6582ab2a500e5d109548b5ce64b97c", + "type": "github" + }, + "original": { + "dir": "packaging/nix", + "owner": "Open-Wine-Components", + "repo": "umu-launcher", + "type": "github" + } + }, "utils": { "inputs": { - "systems": "systems_4" + "systems": "systems_5" }, "locked": { "lastModified": 1710146030, @@ -619,6 +757,27 @@ "repo": "flake-utils", "type": "github" } + }, + "vpn-confinement": { + "inputs": { + "flake-parts": "flake-parts_4", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1728856097, + "narHash": "sha256-GcheritdNs1AHFWksLWZOe48J0NXUibiZVSewqWfo44=", + "owner": "Maroka-chan", + "repo": "VPN-Confinement", + "rev": "eb39d4c45db70818d58239454fd7747aab5e1871", + "type": "github" + }, + "original": { + "owner": "Maroka-chan", + "repo": "VPN-Confinement", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 5ae9300..434a096 100644 --- a/flake.nix +++ b/flake.nix @@ -23,6 +23,7 @@ home-manager sops colmena + git-agecrypt inputs.nvfetcher.packages.${pkgs.system}.default ]; name = "dots"; 
@@ -43,12 +44,20 @@ hardware.url = "github:nixos/nixos-hardware"; home-manager.url = "github:nix-community/home-manager"; small-nvim.url = "github:xunuwu/small-nvim"; + # small-nvim.url = "/home/xun/dots/small-nvim"; nur.url = "github:nix-community/NUR"; sops-nix.url = "github:Mic92/sops-nix"; nix-index-database.url = "github:Mic92/nix-index-database"; nix-vscode-extensions.url = "github:nix-community/nix-vscode-extensions"; nixos-wsl.url = "github:nix-community/NixOS-WSL/main"; nvfetcher.url = "github:berberman/nvfetcher"; + microvm.url = "github:astro/microvm.nix"; + vpn-confinement.url = "github:Maroka-chan/VPN-Confinement"; + sobercookie.url = "github:xunuwu/sobercookie"; + umu = { + url = "github:Open-Wine-Components/umu-launcher/?dir=packaging\/nix&submodules=1"; + inputs.nixpkgs.follows = "nixpkgs"; + }; ## deduplication flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs"; @@ -60,6 +69,9 @@ }; nix-index-database.inputs.nixpkgs.follows = "nixpkgs"; nix-vscode-extensions.inputs.nixpkgs.follows = "nixpkgs"; + nixos-wsl.inputs.nixpkgs.follows = "nixpkgs"; nvfetcher.inputs.nixpkgs.follows = "nixpkgs"; + microvm.inputs.nixpkgs.follows = "nixpkgs"; + vpn-confinement.inputs.nixpkgs.follows = "nixpkgs"; }; } diff --git a/git-agecrypt.toml b/git-agecrypt.toml new file mode 100644 index 0000000..9f85c74 --- /dev/null +++ b/git-agecrypt.toml @@ -0,0 +1,2 @@ +[config] +"hosts/nixdesk/smbcreds" = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKqW5ZkBV2XCdF/ZhwC1DOfrgiLxCC2ym6BO7miHi05M xun@nixdesk"] diff --git a/home-modules/xun/develop/default.nix b/home-modules/xun/develop/default.nix index 5a194bf..328f65f 100644 --- a/home-modules/xun/develop/default.nix +++ b/home-modules/xun/develop/default.nix @@ -62,7 +62,7 @@ in { }; }) (lib.mkIf cfg.lang.c.enable { - home.packages = with pkgs; [clang-tools]; + home.packages = with pkgs; [clang-tools buckle]; }) (lib.mkIf cfg.lang.csharp.enable { home.packages = with pkgs; [ 
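Review bot: `sobercookie` is the one new input without `inputs.nixpkgs.follows = "nixpkgs"`, so it drags in a second complete nixpkgs (the lock now carries `nixpkgs_2` on `nixpkgs-unstable`), which doubles the package tree you have to trust and keep current for no gain; add `sobercookie.inputs.nixpkgs.follows = "nixpkgs";` under `## deduplication` next to the `microvm` and `vpn-confinement` lines. Separately, the `\/` in the umu URL is a no-op escape in a Nix string (it evaluates to `/`), so `?dir=packaging/nix&submodules=1` is the same URL and less surprising to read.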
diff --git a/home-modules/xun/gaming/default.nix b/home-modules/xun/gaming/default.nix index b96be1c..ef0e80e 100644 --- a/home-modules/xun/gaming/default.nix +++ b/home-modules/xun/gaming/default.nix @@ -2,6 +2,7 @@ pkgs, config, lib, + inputs, self, ... }: let @@ -10,8 +11,12 @@ in { options.xun.gaming = { krunker.enable = lib.mkEnableOption "krunker"; roblox.sobercookie.enable = lib.mkEnableOption "sobercookie"; + umu.enable = lib.mkEnableOption "umu-launcher"; }; config = lib.mkMerge [ + (lib.mkIf cfg.umu.enable { + home.packages = [inputs.umu.packages.${pkgs.system}.umu]; + }) (lib.mkIf cfg.krunker.enable { home.packages = [ self.packages.${pkgs.system}.krunker @@ -19,7 +24,7 @@ in { }) (lib.mkIf cfg.roblox.sobercookie.enable { home.packages = [ - self.packages.${pkgs.system}.sobercookie + inputs.sobercookie.packages.${pkgs.system}.default ]; }) ]; diff --git a/home/profiles/nixdesk/default.nix b/home/profiles/nixdesk/default.nix index 88f48d0..54a1fe8 100644 --- a/home/profiles/nixdesk/default.nix +++ b/home/profiles/nixdesk/default.nix @@ -13,6 +13,7 @@ # ../../terminal ../../terminal/programs/zellij.nix + ../../terminal/programs/zoxide.nix # ../../terminal/programs/irssi.nix ../../terminal/programs/lazygit.nix ../../terminal/programs/beets.nix @@ -73,7 +74,6 @@ name = "dayfox"; package = "EdenEast/nightfox.nvim"; }; - wakatime = enabled; }; desktop = { xdg = enabled; @@ -97,6 +97,7 @@ }; gaming = { krunker = enabled; + umu = enabled; roblox.sobercookie = enabled; }; school.geogebra = enabled; diff --git a/home/programs/browsers/firefox/default.nix b/home/programs/browsers/firefox/default.nix index eaf3926..48c14fc 100644 --- a/home/programs/browsers/firefox/default.nix +++ b/home/programs/browsers/firefox/default.nix 
@@ -39,14 +39,14 @@ istilldontcareaboutcookies sidebery (lib.mkIf (builtins.elem pkgs.keepassxc config.home.packages) keepassxc-browser) - (buildFirefoxXpiAddon rec { - pname = "roseal"; - version = "1.3.44"; - addonId = "{f4f4223a-ff30-4961-b9c0-6a71b7a32aaf}"; - url = "https://addons.mozilla.org/firefox/downloads/file/4323142/roseal-${version}.xpi"; - sha256 = "sha256-Qvd/EUMsSqYCvwUuxjM/ejnn7/TRuhyD82/Azu0dAfE="; - meta = {}; - }) + #(buildFirefoxXpiAddon rec { + # pname = "roseal"; + # version = "1.3.44"; + # addonId = "{f4f4223a-ff30-4961-b9c0-6a71b7a32aaf}"; + # url = "https://addons.mozilla.org/firefox/downloads/file/4323142/roseal-${version}.xpi"; + # sha256 = "sha256-Qvd/EUMsSqYCvwUuxjM/ejnn7/TRuhyD82/Azu0dAfE="; + # meta = {}; + #}) ]; userChrome = builtins.readFile ./userChrome.css; # extraConfig = let diff --git a/home/programs/browsers/firefox/search-engines.nix b/home/programs/browsers/firefox/search-engines.nix index c2b4a7e..71902ae 100644 --- a/home/programs/browsers/firefox/search-engines.nix +++ b/home/programs/browsers/firefox/search-engines.nix @@ -95,7 +95,7 @@ "Google".metaData.alias = "@go"; "DuckDuckGo".metaData.alias = "@ddg"; "Wikipedia".metaData.alias = "@wiki"; - "Bing".metaData.hidden = true; + "Bing".metaData.alias = "@bi"; }; }; } diff --git a/home/programs/browsers/firefox/userChrome.css b/home/programs/browsers/firefox/userChrome.css index e0ed1b7..4b19eff 100644 --- a/home/programs/browsers/firefox/userChrome.css +++ b/home/programs/browsers/firefox/userChrome.css @@ -5,7 +5,6 @@ /* Hide tab bar */ #TabsToolbar { - /* display: none; */ visibility: collapse; } diff --git a/home/programs/desktop/sway/default.nix b/home/programs/desktop/sway/default.nix index e6fb712..e0391bd 100644 --- a/home/programs/desktop/sway/default.nix +++ b/home/programs/desktop/sway/default.nix 
@@ -102,6 +102,8 @@ "${mod}+Ctrl+Shift+${dir.up}" = "move output up"; "${mod}+Ctrl+Shift+${dir.down}" = "move output down"; + "${mod}+t" = "sticky toggle"; + "${mod}+Shift+Backspace" = "exec systemctl suspend"; "${mod}+Shift+s" = "exec ${lib.getExe pkgs.sway-contrib.grimshot} copy anything"; "${mod}+Ctrl+Shift+s" = "exec ${lib.getExe pkgs.sway-contrib.grimshot} savecopy anything"; diff --git a/home/programs/misc/discord.nix b/home/programs/misc/discord.nix index 605533f..ee95bf8 100644 --- a/home/programs/misc/discord.nix +++ b/home/programs/misc/discord.nix @@ -5,5 +5,5 @@ withOpenASAR = true; }) ]; - services.arrpc.enable = true; # RPC with vesktop + # services.arrpc.enable = true; # RPC with vesktop (disabled since it uses way more cpu than is reasonable for such a program) } diff --git a/home/programs/misc/obs.nix b/home/programs/misc/obs.nix index 565b420..c16dcdc 100644 --- a/home/programs/misc/obs.nix +++ b/home/programs/misc/obs.nix @@ -2,6 +2,7 @@ programs.obs-studio = { enable = true; plugins = with pkgs.obs-studio-plugins; [ + obs-vaapi wlrobs obs-vkcapture ]; diff --git a/home/terminal/programs/git.nix b/home/terminal/programs/git.nix index 761283d..b69c1e4 100644 --- a/home/terminal/programs/git.nix +++ b/home/terminal/programs/git.nix @@ -1,4 +1,8 @@ -{config, ...}: { +{ + config, + pkgs, + ... +}: { programs.git = { enable = true; delta.enable = true; diff --git a/home/terminal/programs/zoxide.nix b/home/terminal/programs/zoxide.nix new file mode 100644 index 0000000..c4b4530 --- /dev/null +++ b/home/terminal/programs/zoxide.nix @@ -0,0 +1,3 @@ +{ + programs.zoxide.enable = true; +} diff --git a/hosts/default.nix b/hosts/default.nix index 87aa2f6..396010e 100644 --- a/hosts/default.nix +++ b/hosts/default.nix 
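Review bot: `"${mod}+Shift+Backspace" = "exec systemctl suspend"` suspends the machine without locking the session first, so unless a `before-sleep` hook (swayidle plus a locker) exists elsewhere in this config — nothing in this diff shows one — the desktop is unlocked when it wakes. Either lock inside the binding, e.g. `"exec swaylock -f && systemctl suspend"`, or add a comment on this line pointing at the swayidle rule that does it.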
@@ -138,7 +138,7 @@ in { #"services/pipewire.nix" "services/syncthing.nix" #"services/containers/server" - "services/containers/experimental" + # "services/containers/experimental" # TODO maybe reenable this?? or just abandon it and move fully to systemd network namespace ]) #{ diff --git a/hosts/hopper/brawlstats.nix b/hosts/hopper/brawlstats.nix index 8a270c1..e33e6a1 100644 --- a/hosts/hopper/brawlstats.nix +++ b/hosts/hopper/brawlstats.nix @@ -5,7 +5,7 @@ ... }: { networking.firewall.allowedTCPPorts = [ - 4444 + # 4444 ]; systemd.services."static-web-server".after = ["brawlstats.timer"]; @@ -45,6 +45,8 @@ ''} } + rm /tmp/brawlstatslog + case ''${parameters:1} in total*) id=$(echo $parameters | ${lib.getExe pkgs.gawk} '{print $2}') diff --git a/hosts/hopper/default.nix b/hosts/hopper/default.nix index 6c8b252..217c5b7 100644 --- a/hosts/hopper/default.nix +++ b/hosts/hopper/default.nix @@ -2,8 +2,12 @@ imports = with inputs.hardware.nixosModules; [ common-cpu-intel + inputs.vpn-confinement.nixosModules.default + ./hardware.nix ./brawlstats.nix + ./lab.nix + ./hardening.nix ]; networking.hostName = "hopper"; diff --git a/hosts/hopper/hardening.nix b/hosts/hopper/hardening.nix new file mode 100644 index 0000000..5a71eb1 --- /dev/null +++ b/hosts/hopper/hardening.nix @@ -0,0 +1,5 @@ +{ + fileSystems."/".options = ["noexec"]; + fileSystems."/home".options = ["noexec"]; + fileSystems."/boot".options = ["noexec"]; +} diff --git a/hosts/hopper/hardware.nix b/hosts/hopper/hardware.nix index 7922e34..43228df 100644 --- a/hosts/hopper/hardware.nix +++ b/hosts/hopper/hardware.nix @@ -11,7 +11,7 @@ boot = { blacklistedKernelModules = [ - "xhci_pci" # was causing issues (100% udevd cpu usage) + # "xhci_pci" # was causing issues (100% udevd cpu usage) ]; initrd = { availableKernelModules = [ @@ -23,7 +23,7 @@ ]; kernelModules = []; }; - kernelModules = ["kvm-intel"]; + kernelModules = ["kvm-intel" "wireguard"]; extraModulePackages = []; loader = { systemd-boot = { 
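Review bot: the new `rm /tmp/brawlstatslog` has no `-f`, so if the surrounding script (only partly visible here) is built with `writeShellApplication` or otherwise runs under `set -e`, the first run after a boot — when the file does not exist yet — aborts at that line. Use `rm -f`, and since this is a fixed name in the shared `/tmp` written by a system service, prefer a path the unit owns (`$RUNTIME_DIRECTORY`, or `PrivateTmp=` on the service).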
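Review bot: `fileSystems."/".options = ["noexec"]` applies to everything on the root filesystem, and unless `/nix` is a separate mount (the hardware.nix hunks in this diff do not show the mount layout) it makes every binary in `/nix/store` non-executable, so hopper will not boot the new generation; it also covers `/tmp` unless `boot.tmp.useTmpfs` is set, which breaks `lab.nix`'s vpn-test-service, which does `chmod +x dnsleaktest.sh; ./dnsleaktest.sh` inside a `mktemp -d`. Keep noexec on `/home` and `/boot` (and, if wanted, on a dedicated `/tmp` or `/var` mount), but not on `/`. If `/nix` really is its own mount, a one-line comment next to the `"/"` entry saying so would spare the next reader the same worry.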
diff --git a/hosts/hopper/lab.nix b/hosts/hopper/lab.nix new file mode 100644 index 0000000..7182762 --- /dev/null +++ b/hosts/hopper/lab.nix 
@@ -0,0 +1,305 @@ +## TODO look into sops-nix placeholders +## reference: https://github.com/javigomezo/nixos/blob/b3ebe8d570ea9b37aea8bb3a343f6e16e054e322/services/network/authelia/user_database.nix +{ + pkgs, + inputs, + config, + lib, + ... +}: let + domain = "xunuwu.xyz"; + caddyPort = 8336; + autheliaPort = 24637; +in { + ## TODO use impermanence + ## TODO setup fail2ban mayb + + imports = [inputs.vpn-confinement.nixosModules.default]; + + security.acme = { + acceptTerms = true; + certs.${domain} = { + domain = "*.${domain}"; + dnsProvider = "cloudflare"; + email = "xunuwu@gmail.com"; + reloadServices = ["caddy.service"]; + credentialFiles.CF_DNS_API_TOKEN_FILE = config.sops.secrets.cloudflare.path; + extraDomainNames = [domain]; + }; + }; + + vpnNamespaces."wg" = { + enable = true; + wireguardConfigFile = config.sops.secrets.wireguard-config.path; + accessibleFrom = [ + "192.168.0.0/24" + ]; + + # Forwarded to my vpn, for making things accessible from outside + openVPNPorts = [ + { + port = caddyPort; + protocol = "tcp"; + } + ]; + + # From inside of the vpn namespace to outside of it, for making things inside accessible to LAN + portMappings = [ + { + to = caddyPort; + from = caddyPort; + } + { + to = 7359; # Jellyfin auto-discovery + from = 7359; + } + { + to = 1900; # Jellyfin auto-discovery, TODO check if this actually works and dont forward these if it doesnt + from = 1900; + } + ]; + }; + + networking.firewall = { + allowedTCPPorts = [config.services.navidrome.settings.Port]; + allowedUDPPorts = [1900 7359]; # Jellyfin auto-discovery + }; + + systemd.services.caddy.vpnConfinement = { + enable = true; + vpnNamespace = "wg"; + }; + + services.caddy = { + enable = true; + # extraConfig = let + # gensub = x: "${x}.${domain}:${toString caddyPort}"; + # tls = "tls /var/lib/acme/${domain}/cert.pem /var/lib/acme/${domain}/key.pem"; + # rpPort = port: "reverse_proxy localhost:${toString port}"; + # in '' + # ${gensub "navidrome"} { + # ${tls} + # ${rpPort 
config.services.navidrome.settings.Port} + # } + # ''; + virtualHosts = let + authelia = "localhost:${toString autheliaPort}"; + in + builtins.mapAttrs (n: v: + { + useACMEHost = domain; + hostName = "${n}.${domain}:${toString caddyPort}"; + } + // v) { + navidrome.extraConfig = '' + reverse_proxy localhost:${toString config.services.navidrome.settings.Port} + ''; + auth.extraConfig = "reverse_proxy ${authelia}"; + #jellyfin.extraConfig = "reverse_proxy localhost:8096"; # TODO tmp off since i dont have proper auth yet + other = { + hostName = ":${toString caddyPort}"; + extraConfig = '' + respond 404 { + body "no such route you dummy" + } + ''; + }; + }; + }; + + systemd.services.navidrome = { + vpnConfinement = { + enable = true; + vpnNamespace = "wg"; + }; + serviceConfig = { + PrivateTmp = true; + NoNewPrivileges = true; + RestrictSUIDSGID = true; + ProtectProc = "invisible"; + }; + }; + + ## TODO might be unnecessary with authelia but specifying a custom PasswordEncryptionKey is recommended + services.navidrome = { + enable = true; + settings = { + Address = "localhost"; + MusicFolder = "/media/library/music"; + + ReverseProxyWhitelist = "0.0.0.0/0"; # cant be accessed from outside since the navidrome port isnt mapped to outside of the wireguard namespace + }; + }; + + systemd.services.authelia-main = { + vpnConfinement = { + enable = true; + vpnNamespace = "wg"; + }; + # serviceConfig.LoadCredential = [ + # "users.yaml:${}" + # ]; + }; + services.authelia.instances.main = { + enable = true; + secrets = { + jwtSecretFile = config.sops.secrets.authelia_jwt_secret.path; + storageEncryptionKeyFile = config.sops.secrets.authelia_encryption_key.path; + sessionSecretFile = config.sops.secrets.authelia_session_secret.path; + }; + settings = { + # might change this to info in the future, for now its nice seeing debug messages if something goes wrong + log.level = "debug"; + + access_control = { + default_policy = "deny"; + rules = [ + { + domain = "*.${domain}"; + 
policy = "one_factor"; # using totp requires me to set up smtp support :( + } + ]; + }; + + theme = "auto"; + default_2fa_method = "totp"; + ## use ldap backend, not yaml file + ## https://www.authelia.com/configuration/first-factor/ldap/ + # default_redirection_url = "https://auth.${domain}/"; + + notifier.filesystem.filename = "/tmp/authelia-notifier.txt"; ## TODO change this to something reasonable + + authentication_backend = { + password_reset.disable = true; + file.path = pkgs.writers.writeYAML "users.yaml" { + users.xun = { + disabled = false; + displayname = "xun"; + password = "$argon2id$v=19$m=65536,t=3,p=4$cwYrForToKZn7+urMrSXuQ$PStkqPlo/7/GZ+hMsJXfOyZ0WijNtuZpaHWyZUuBWBY"; + email = "xunuwu@gmail.com"; + groups = ["admin"]; + }; + }; + }; + + storage.postgres = { + address = "unix:///run/postgresql"; + database = "authelia-main"; + # this isnt used, ensureDBOwnership allows us to auth to postgres using unix users + username = "authelia-main"; + password = "unused"; + }; + + session.cookies = [ + { + domain = domain; + authelia_url = "https://auth.${domain}"; + default_redirection_url = "https://invalid.${domain}"; # TODO replace with overview thing mayb + } + ]; + + ## TODO: https://www.authelia.com/integration/proxies/forwarded-headers/#cloudflare + + server = { + address = "127.0.0.1:${toString autheliaPort}"; + endpoints.authz.forward-auth.implementation = "ForwardAuth"; + }; + }; + }; + + services.postgresql = let + databases = ["authelia-main"]; + in { + enable = true; + ensureDatabases = databases; + ensureUsers = lib.singleton { + name = "authelia-main"; + ensureDBOwnership = true; + }; + }; + + systemd.services.jellyfin.vpnConfinement = { + enable = true; + vpnNamespace = "wg"; + }; + + services.jellyfin = { + enable = true; + }; + + services.prometheus = { + enable = true; + port = 9001; + extraFlags = ["--storage.tsdb.retention.time=30d"]; + scrapeConfigs = [ + { + job_name = config.networking.hostName; + static_configs = [ + { + targets = 
["127.0.0.1:${toString config.services.prometheus.exporters.node.port}"]; + } + ]; + } + ]; + }; + + services.prometheus.exporters = { + node = { + enable = true; + enabledCollectors = ["systemd"]; + }; + }; + + # services.grafana = { + # enable = true; + # domain = "grafana.hopper"; + # addr = "127.0.0.1"; + # security = { + # adminUser = "admin"; + # adminPasswordFile = config.sops.secrets.grafana-pass.path; + # }; + # }; + + ## TODO: add forgejo + + ## ignore this its cringe and ill prob remove it later idk, its also pasted from someone else, idk who tho ## + systemd.services.vpn-test-service = { + enable = true; + + vpnConfinement = { + enable = true; + vpnNamespace = "wg"; + }; + + script = "${pkgs.writeShellApplication { + name = "vpn-test"; + + runtimeInputs = with pkgs; [util-linux unixtools.ping coreutils curl bash libressl netcat-gnu openresolv dig]; + + text = '' + cd "$(mktemp -d)" + + # DNS information + dig google.com + + # Print resolv.conf + echo "/etc/resolv.conf contains:" + cat /etc/resolv.conf + + # Query resolvconf + # echo "resolvconf output:" + # resolvconf -l + # echo "" + + # Get ip + echo "Getting IP:" + curl -s ipinfo.io + + echo -ne "DNS leak test:" + curl -s https://raw.githubusercontent.com/macvk/dnsleaktest/b03ab54d574adbe322ca48cbcb0523be720ad38d/dnsleaktest.sh -o dnsleaktest.sh + chmod +x dnsleaktest.sh + ./dnsleaktest.sh + ''; + }}/bin/vpn-test"; + }; +} diff --git a/hosts/nixdesk/default.nix b/hosts/nixdesk/default.nix index 5ad966a..743eb2d 100644 --- a/hosts/nixdesk/default.nix +++ b/hosts/nixdesk/default.nix @@ -3,6 +3,7 @@ ./hardware.nix ./hibernate-boot.nix ./testing.nix + ./samba-mount.nix ]; networking.hostName = "nixdesk"; diff --git a/hosts/nixdesk/samba-mount.nix b/hosts/nixdesk/samba-mount.nix new file mode 100644 index 0000000..8451d3b --- /dev/null +++ b/hosts/nixdesk/samba-mount.nix 
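Review bot: `ReverseProxyWhitelist = "0.0.0.0/0"` together with a Caddy `navidrome` vhost that is a bare `reverse_proxy` (no `forward_auth` to Authelia) is a login bypass: Navidrome then trusts the `Remote-User` header from any peer, Caddy forwards client request headers unchanged, and `caddyPort` is published through the VPN by `openVPNPorts`, so a remote client can send `Remote-User: xun` and use that account with no password — the comment that the port is not mapped outside the namespace only covers direct access, not access via Caddy. Until Authelia is actually in the path, leave the setting unset (Navidrome's default disables header auth); once it is, run the vhost through `forward_auth` so Caddy overwrites the header with Authelia's verdict and narrow the whitelist to the proxy, which here is `127.0.0.1/32` since Caddy and Navidrome share the `wg` namespace, as sketched below. Also, `pkgs.writers.writeYAML "users.yaml"` places the Authelia user database, including the argon2id hash of the only account, in the world-readable `/nix/store` and in git in clear; the sops placeholder TODO at the top of the file is the right direction. Finally, `accessibleFrom = ["192.168.0.0/24"]` does not contain `192.168.50.97`, the address `samba-mount.nix` in this same diff uses for hopper, so if that is the LAN the `portMappings` will not be reachable from it — double-check the subnet.

```nix
# … unchanged: services.caddy.virtualHosts mapAttrs wrapper …
navidrome.extraConfig = ''
  forward_auth ${authelia} {
    uri /api/authz/forward-auth
    copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
  }
  reverse_proxy localhost:${toString config.services.navidrome.settings.Port}
'';
# … unchanged: auth / other vhosts, navidrome service hardening …
# inside services.navidrome.settings:
ReverseProxyWhitelist = "127.0.0.1/32"; # only Caddy, which shares the wg namespace
```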
@@ -0,0 +1,21 @@ +{config, ...}: { + systemd.mounts = [ + { + description = "smb hopper transmission download directory"; + what = "//192.168.50.97/transmission"; # hopper local ip + where = "/server/transmission"; + type = "cifs"; + options = builtins.readFile ./smbcreds; + } + ]; + systemd.automounts = [ + { + requires = ["network-online.target"]; + where = "/server/transmission"; + wantedBy = ["multi-user.target"]; + automountConfig = { + TimeoutIdleSec = "10min"; + }; + } + ]; +} diff --git a/hosts/nixdesk/smbcreds b/hosts/nixdesk/smbcreds new file mode 100644 index 0000000..3be106c --- /dev/null +++ b/hosts/nixdesk/smbcreds @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 Uot/1Q zOPmK3Ael5Ss1gclWT0Q/YLbtus/1Ef5QgSYP96MdjQ +Ut0OfpCHqMlWrkU298WDWXLseerYiwv8hAAf70nSgfo +-> mQ1Ds-grease V=M 7* +ZsOetI30y2vLGlwWP84sVSQzbrtA4m+yRrCc316MzHWPyuEJYnVzw7Eygayg8c26 +t+1VDhMHLhFpImAIXni2GsZNAxGnUw5VaRybmpHRt1Bri8k7ZENosX/7T6/kViO8 +BW8 +--- 0MsxoH3ENvyga/ICHX3448MZ9q7GJecTg5eOLPe2D2A +fh_ɿm>rc ӡJx׃E^-`!+uTu{soh"E%ϼ З! _>)Ҥ.'¼]U}蚃eB7L;9h` ++86#}4R/OSZ(BˮZ9 \ No newline at end of file diff --git a/readme.md b/readme.md new file mode 100644 index 0000000..2433a14 --- /dev/null +++ b/readme.md @@ -0,0 +1,5 @@ +config files for my puters + +nixdesk - main desktop +hopper - server +kidney - wsl diff --git a/readme.txt b/readme.txt deleted file mode 100644 index 8b13789..0000000 --- a/readme.txt +++ /dev/null @@ -1 +0,0 @@ - diff --git a/secrets/global/tailscale-auth.yaml b/secrets/global/tailscale-auth.yaml index fba67c0..c5d881e 100644 --- a/secrets/global/tailscale-auth.yaml +++ b/secrets/global/tailscale-auth.yaml 
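Review bot: `options = builtins.readFile ./smbcreds` pastes the decrypted credential string into the generated `.mount` unit, so whatever the file holds (presumably `username=…,password=…`) becomes world-readable in `/nix/store` and `/etc/systemd/system`, and `nix build` additionally copies the checked-out flake — with `smbcreds` already decrypted by the git-agecrypt filter — into the store on every evaluation, so the age encryption protects the git history but not the machine. mount.cifs reads secrets from a root-only file via `credentials=`, and the otherwise unused `config` argument suggests that was the intent: `options = "credentials=${config.sops.secrets.smbcreds.path}";` with the file managed by sops-nix (the `sops.secrets.smbcreds` declaration would need adding; it is not in this diff) and any non-secret options appended. The automount also lists `requires = ["network-online.target"]` without `after`, which adds the dependency but not the ordering; add `after = ["network-online.target"];`.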
@@ -1,4 +1,4 @@ -tailscale-auth: ENC[AES256_GCM,data:aLtXJaD/PRYtBAS0rixS83dzQZ14NIY0W8HhqQx0b1dXhujmiH+ETOECDivt0zyPByFx2JDh4KNU,iv:1BZTqp87gCNYVS2UCv56X1/BguxitsjdmGv3AJUtWII=,tag:Xh2v9E1shOLN9uc+56jDWA==,type:str] +tailscale-auth: ENC[AES256_GCM,data:8+XTTS0YoJpQPYMhES6YTWGehQH992cfIjFed+kl2sXZ551PyvaA4Y0/7CuNM9udJe2ba2yte3DkN+AILWk=,iv:EK6ifjTYD4Y5zEjfty0eJyfDaQO8ooOHXdCcEAF3W0w=,tag:wfbrkPqHFk8dJaDkNeaChg==,type:str] sops: kms: [] gcp_kms: [] @@ -32,8 +32,8 @@ sops: eVpKdlRpSnprclN4Wm4wVHpjYzVnSEUK49UF2IeDXzF9PiISIo0QjltkoFIa6Y8D w2DJIys0Pfw5kGrVTLAgHMOMYmss4EdD4mwY+DQYWHqxTX0P2TKM9w== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-01-26T23:17:57Z" - mac: ENC[AES256_GCM,data:7vnKNCZsqSCersnIJviHetgTt6qZOvO50yOSWCq+8rPVt5IK9abWtTUEZfDtZI0oIvOsOJjAlvCPLn94kknn6y0UspKE4aTTIGQQctM5cHzFL2xMsOaTqBLLMWxvpkAkWFQ8Lpg5v57/X2Rex8M0x1GRB74/KDDXs4TXz0v9fJk=,iv:ZnbiB2JS7bQZy3QNdyz3Ijbukh2YoH63huCNUijFLcM=,tag:Fhi6/5+X5dMe/cKejunVvA==,type:str] + lastmodified: "2024-10-17T00:06:06Z" + mac: ENC[AES256_GCM,data:EWKH7alUhTJWmHd1Y/hrtN7N2rc9DnIUxRghgGL6YwXz4kk1VoTlzEACw9NTv0qrQSfTVbFmD5f24vvdlrn7/SERmacv3GOe1/OM6kC11MTgO8rUCCwUGa+c5ublke7DQW/wQR7ay9a4pHRHf1DVBB3PrO7+A34CYWGP6gt0jcM=,iv:YzccaJSS14OPqEUftQUOhnFnF0vUNAtRvdCaDuZFoMM=,tag:R/fKcXST7LbzTahXD4uO6Q==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.8.1 + version: 3.9.1 diff --git a/secrets/hopper/authelia.yaml b/secrets/hopper/authelia.yaml index 652cd0e..3535fb2 100644 --- a/secrets/hopper/authelia.yaml +++ b/secrets/hopper/authelia.yaml 
@@ -2,6 +2,7 @@ jwt_secret: ENC[AES256_GCM,data:O0LXijtmUCoBKiQgptto6/dhcCRgP9EAXPhnmb0Dw4Gk/8ir session_secret: ENC[AES256_GCM,data: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,iv:5yM3rohayzhGN1k8Njm/r8lggfaQDIeLNoVC3Vkc95s=,tag:JOH6xBEPFCYMHLSCNgFW9g==,type:str] encryption_key: ENC[AES256_GCM,data:VBPBoNaL5l3/MWNW/97m0RXX7dANgHEgoIU4+S3Z7gMtZjFqscfN612CkWM5t4h6Ojej/J8WuslnoDgEK14Efr3byvnVOayFHUxb8U8Y1sGQ7DqW28v+3QXttd2agrVATGoiErVUVH5lUqmtIRzugQuWi707fq8A9D3OU/L26+O+/sBJjfvj+es9Vyq120ri1njtZvQzVDUoKjyTQOiPCOsyEX2C6rws1BT9UQr7EY73e5xEpiBczwq+A9eRVH77/Hqr8t0otbcxPn9rubUFPy9bOxTnqG/eXmm2vtPQXGRdQ3fUzvQgBSxjxkssoWK/MRaXaL6Xs37mfiUc/7KX3Ua49G53jC18HfFmfklnP9xmtORFk/zWTj4+eB3QKt9/mtg6E8iZUlI16S/PYyuB6d37Oy0iuAHatwDqJBSZdnPl/ZXW8NuaZCKGLFMojqBXPxOTxZ/88KJcEI2MEuueBsS62L9Gb7g0jSjsNfTEmA5lCGHQ4rbeG/SahrbAzPKMWTTIgV5va9XY1e1amweTGSjed5nk+XB9ih6Z0MZ+da4RghjnHexOBqEewhDICUHd4Xyfyl3SqJKpBtGOCBW5tfkjy2kIWVL5KB4cB1FhHq9fvATDcG4qCV5ptZPgnGbqsme970UHO7CNTAso1ju8Nk9GT/46y/4oPCxU6DS9gy2oN0hxbut4mpJ+RyGEthtpQ+caSPsjsTx5yx33LUCqw19H1mRqzZo23tSzAcGvLZiHt3c3/S1QRNGOIqJmTz2Q41JOVBjqPF4W/ZgfZgax+vASRDMre7S6TlSMfUGU1i99vzFkELmfDiXVTpbj+Jq0/kIxdaf6RkfvvqA20CfNysSsD7RoLqy7CyTilwjJVHliGqR7T8RG4aJJVZdBBPsXkkPa5281pUO0lX/v48gw/UOqcswcSf0uV9MRidR/Rmb/u6PBNuIRjjUl0U94ZtiO8925gSLFGwFhrrz3NsjkCOzUIyDObh6EImNbzsjWBmiCTetr2huYhK4JkW/BarC75zfhsEFiU9Sv0PKcymgGZ4gm0aFcIyWyyim3YxGI80otIZLu1oGid7YX6ddzWZPrTq8bK9GmxsiNLtfPCahA5EDYKDXoIHcc+eWjzJijoTNaGCAElNK2/kY3cO9zpviib36eYO1C6X5VYrMivTTdvsm935PNmESG1CYaDiAekpvZTDBsCJYm7RCBAPoAfR8IOeZdZah73QAplpQlTo+lxbb/M/SuPO2JMWFpn5aWSgHKj0X0mqtQ8q78KJ7cUtYJV1BkWLnAEmeudq4NqB02PkortEkJb9Jjgj7+iZNbuJxvrdhEixsOAwOw9UbFOIO3q7mV9D39r+PhQ1JNqP7HJA==,iv:fArn1NcxTjBUrWfYYGoeWh7P8rdDhK9zHdrtRrvVxzA=,tag:sGsAX8qOWK4qBIZh8LZj8w==,type:str] storage_password: ENC[AES256_GCM,data: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,iv:SiRzgXm4hUSW+o80AA60oAIJus2FSZvL/Ly0bktT5XI=,tag:NuD9XVd4TNFOIo0jdHeSyQ==,type:str] +lldap_password: 
ENC[AES256_GCM,data:KbJam6qANZDc270gM7Umz1aABIW9N7xcz50PzhsX//dl97k6idDsDASd/33G7KxFCpVPtAQuhT3MLFuGQ+aFjy+YDasL6t8UdlR905CVbi2APH0pexqamhMpf1ZiMbYosdh0wAk5ZOJoWLdOZwVHUBWMgyRtEwc3i85Mla4CDvQ=,iv:PRoSle4GztDQv6QYeNsvHanREEZqs51t84Sa1qJh6Ys=,tag:XDTvZoHBbFtty61b9lugSA==,type:str] sops: kms: [] gcp_kms: [] @@ -26,8 +27,8 @@ sops: OTBTbDlXaHZnanJSbUlLUmRTaDc0eE0K0AEhDK731gOTp5AjocYgPEdXnr76m8PF JoT4IWr2WYs5W/JgC8c4wIc4C9D4O8c+/mnE1RsG6EUXAz5ufMQcGw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-04-14T15:16:34Z" - mac: ENC[AES256_GCM,data:14fDEp1QyVtDsnbhm/DvFbvk52LAu1NVxUZGn/bhcfipG5PXAOKbtneec9ooe+M8wuWFUtq8nxE+y6341pyS4pKwLbsZ8tftDNm1k586B8QOp/8ctbiWG8zXgvuZn/LnhIDEnt52UaJOlGsY0vfdsC2JgxNx6z39xBIZjqHAjjA=,iv:OfPrtvS1kI3pAnGTX6D9xZod/yEMZM8BTZcB9KvLKcI=,tag:ApAySONamB1Ai7jjUU93Jw==,type:str] + lastmodified: "2024-10-01T04:33:16Z" + mac: ENC[AES256_GCM,data:JOpFhUp35Qh47yO0RySQGx9BHQfa8IrsiQarFNlid26D9jrDyF55Y5Wt88JgzPjGKVGhj+lJCz/vBGZ6wF8EVrT5Zd56cdKf5f7oOVF8s/sHl0O8MCstAUUazF8lP3SHRqZg4ZK45cFFt8ScFJd8KpCttiQY7xhjxyxCfUJ5E/U=,iv:cRedV+y5xEL8PB4gYzdEAmhqZ049geoPXHI6awqoi4Y=,tag:LvEb6Dc4flup2yEKPOnU2A==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.8.1 + version: 3.9.0 diff --git a/secrets/hopper/default.nix b/secrets/hopper/default.nix index 645505f..a0810e3 100644 --- a/secrets/hopper/default.nix +++ b/secrets/hopper/default.nix 
@@ -1,30 +1,21 @@ -{ +## TODO use defaultSopsFile mayb +{config, ...}: let + autheliaUser = config.services.authelia.instances.main.user; +in { sops.secrets = { wireguard = { format = "binary"; sopsFile = ./wireguard; }; - wg-private = { - key = "PrivateKey"; - sopsFile = ./wireguard.yaml; - group = "systemd-network"; - mode = "0640"; + grafana-pass = { + format = "binary"; + sopsFile = ./grafana-pass; }; - wg-preshared = { - key = "PresharedKey"; - sopsFile = ./wireguard.yaml; - group = "systemd-network"; - mode = "0640"; + wireguard-config = { + format = "binary"; + sopsFile = ./wireguard-config; }; - serverenv = { - format = "binary"; - sopsFile = ./serverenv; - }; - code-server = { - format = "binary"; - sopsFile = ./code-server; - }; slskd = { format = "binary"; sopsFile = ./slskd; @@ -45,27 +36,50 @@ restartUnits = ["podman-betanin.service"]; }; + # lldap_jwt_secret = { + # sopsFile = ./lldap.yaml; + # key = "jwt_secret"; + # owner = "lldap"; + # }; + # + # lldap_user_password = { + # sopsFile = ./lldap.yaml; + # key = "user_password"; + # owner = "lldap"; + # }; + # authelia + authelia_lldap_password = { + format = "yaml"; + sopsFile = ./authelia.yaml; + key = "lldap_password"; + owner = autheliaUser; + }; authelia_jwt_secret = { format = "yaml"; sopsFile = ./authelia.yaml; key = "jwt_secret"; + owner = autheliaUser; }; authelia_session_secret = { format = "yaml"; sopsFile = ./authelia.yaml; key = "session_secret"; + owner = autheliaUser; }; authelia_encryption_key = { format = "yaml"; sopsFile = ./authelia.yaml; key = "encryption_key"; + owner = autheliaUser; }; authelia_storage_password = { format = "yaml"; sopsFile = ./authelia.yaml; key = "storage_password"; + owner = autheliaUser; }; + brawlstars-api-key = { format = "binary"; sopsFile = ./brawlstars; diff --git a/secrets/hopper/grafana-pass b/secrets/hopper/grafana-pass new file mode 100644 index 0000000..e876beb --- /dev/null +++ b/secrets/hopper/grafana-pass 
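Review bot: The new `wireguard-config` secret carries no `owner`, `group` or `mode`, whereas the `wg-private`/`wg-preshared` entries it replaces were explicitly shared with `group = "systemd-network"; mode = "0640";`, so the file will now be root-only under sops-nix defaults. If it is still read by an unprivileged networkd unit (its consumer is not in this diff) that read will fail at activation; if it has moved to a root-run consumer, a short comment such as `# consumed by root, no group access needed` next to the entry would make the tightened permissions look deliberate rather than accidental. The `## TODO use defaultSopsFile mayb` header could also name what is blocking it, since the per-secret `sopsFile` lines are exactly what that option would remove.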
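Review bot: The `lldap_jwt_secret` and `lldap_user_password` entries are committed as commented-out code with no reason given, while `secrets/hopper/lldap.yaml` holding exactly those two keys is added in the same commit, so the new encrypted file is unreferenced as far as this diff shows. Either wire the two entries in, or replace the dead block with a single line such as `# lldap secrets are in ./lldap.yaml; not consumed until the lldap module is enabled` so the next reader does not take it for an oversight. The `# authelia` grouping comment above `authelia_lldap_password` is helpful; the `owner = autheliaUser;` additions on the four existing authelia secrets are consistent with it.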
@@ -0,0 +1,24 @@ +{ + "data": "ENC[AES256_GCM,data:+jzTvF67htgSLx3//yu4CeH76/lQdxwcJSSplJm9eaVNs91PXF7hnZrEVyjIvMLi8lwOTSrH7SZJXOvZsoLRZHDdWC88+H32jsjVOopJgowAAQHuiKyQJjCACN5OBslKgTQEYo4eKpC8A1fliKf0fwJW+HY9pC9WUbZUkbpc9scMrZJIVb2Tm6UQoPoiEn9PbrC8tgGT1lOEk5EeiMgYg1JbEL7hcn1epuyYPYw45TV4SDLlnvo=,iv:qscpjBl/ifRGmjSHLUZ5rgC8oW86k1ca6JMna+VOFdM=,tag:Bsl3nrKTHrt27Xq/eLDLvg==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age17pdqkpfh6kc6wm7gxzdnwf6vphlwddv9yfpdu3j76e24y3amd9tq3avfc8", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYejVUVmNCQW9hSm40dzll\nT0Q2STNrNEt0OG5GcXlYMUpHaHpZZFdoejI0Cks2aDJ5b2R5d1BMSSt6UlVVelNL\nai9NRVNreGRZNHFvOVFJcTcra3M1K2sKLS0tIGFvc09pTDN6TGJuMU5XWG1ZT3c5\nWnJsa2k3U1pleUNuZmVzYnRpakxqalEKdNWuvPa9fm+UOiiZ0fb05Cw084z+tz5q\nnC8kK1ZAWvLKPgb3yNhfzrmVbdCfxvxnGYmV3f1SkVFaZv1XMJQCtQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age15mgf89h220puhz48rjpwxwu4n2h4edur60w6cd8gku2hh4e5kqpsghvnyw", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3STVBMjcvMklVOFRuSThM\nWmtoOGxBYVVVVzFFVzNTSzl1TEEwckxsU0VJClFvcU9BbzlWZURSclNFek16L2I0\ndU95VS8vQlZqL0FIak9XMjBmWFdEVlkKLS0tIEJtb0FaZjZFaGE0S0MwNEQ1RnU4\nRUFSWG9LR3BoS21ENTMranhTQmcvTk0Kgm8BjUznYhzRbYwlettBVVK6r0bYkFFi\ngulgnbUSol7nm+eTsDLASZtm7V5Ms20Hv1/SKRry7Jr8zYZjWUqJ1w==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-09-30T09:41:29Z", + "mac": "ENC[AES256_GCM,data:DvGuAiiSDScG2sWLq/SMCDvJ9JtS4nO+jqVnDmvRyjz14bRyiOSW/5p1vIaOgqPpuGKJ5OM+drlOdJpz8Co17OesQWWTH1GxRBkF3GkInG9xlY/PwlW/4R3mw1+3NIUE4xy0J1szU/27n4v4ToQ92Nn6NLe1fqZBH921xq9PcYA=,iv:1/pIrLsgLYea7MhxcchiliIDvNMTCjmLr2G8yhAMX6E=,tag:HcT47ZSCWkfju2kTitgdAg==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.9.0" + } +} \ No newline at end of file 
diff --git a/secrets/hopper/lldap.yaml b/secrets/hopper/lldap.yaml
new file mode 100644
index 0000000..1290c9a
--- /dev/null
+++ b/secrets/hopper/lldap.yaml
@@ -0,0 +1,31 @@ +jwt_secret: ENC[AES256_GCM,data:C5TnV7d/qdgiX+J/K7vsKXuZ6atsrEwwbr189c7kURHH5bK3xW0BBw3p+MGS6RAQBK9+SN7t5k4uWlEm9Ekm5wDbgt10/WXerC1ZNacxbcSlB7i+w/Fne+g2d6vg7SwC7wpgH0nBmWSAnCmOdDlXOO6NYQ1zL8apCN99Z2M4SVQ=,iv:DzkZjX8+stqZxzNjcgl+uWR142bAdfeQd3RyByHzOE4=,tag:7tbciVbRuLRt8/1q2NRlAw==,type:str] +user_password: ENC[AES256_GCM,data:IuBlcthybynSI4AJpJ7nZFOgzbH5v4ucKxEO7fe65M1hak33gX7uQSFMRcj9gJAh/E8h87VudQkpxWC6+RKW/w==,iv:WJrvL2RhmoWCaqAjK7nn98Js/TXOL/3oeVADoOt9Vr8=,tag:JcQeKs0O+exoWCG5m/EFtQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age17pdqkpfh6kc6wm7gxzdnwf6vphlwddv9yfpdu3j76e24y3amd9tq3avfc8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKU3ZOQnE3bStmdVlOWWVU + cVNyRFp4STR4MFRhNmpVNmpVUUFCc3dFNnhFCjVtU2J0cGhVRVN5MFFobTMrQzI1 + VWoyaStZR1BPM1R4TUs4VjNVR3JrWTAKLS0tIFk2ZTJyN0ZpVFdtZFFKNjRacnFn + bitxRG03RU43ZENId1dIL3RWQVlQT1kKpGj5BKFO+iX8WaHbGOlUSfOp8bIJS3wS + 6Kqt1qkEPywYHgwd/amuELbkthu7mxCx4k45EEaN5gILyONGYJxR2g== + -----END AGE ENCRYPTED FILE----- + - recipient: age15mgf89h220puhz48rjpwxwu4n2h4edur60w6cd8gku2hh4e5kqpsghvnyw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiejQxVXlVM29ldDNWbnlC + OTl3SmttaVlIUCtTK3ZteVRCY1JHYUg3cXhZCnNDY3JON1luUDcrS01xMVRGWVkx + Q1YvRzFpRnpybnE5SnM5NGxqUWVpQ2cKLS0tIFpIcEsxVkpRSW5KcmoxMVMrUW13 + WFgzK1BpVks3YmcxT3gxYzl3eHpySFEKJwsayqczYl2bFViRTWlP1p2OomPA1NnE + EKU51AINXIYfnNaXzMKWEj52yoVLvtKiA/rdJeVVOOopwD+qa/lRkw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-10-01T04:00:12Z" + mac: ENC[AES256_GCM,data:9mu/knvioQT4y7WGdRjDvfeZxYgNb3TnNnDWOIALN6sqNhs8cI8Q+ussNny9zTygRN/LsS4cvhGypqxZ48CT4YyIKxJ2Xuf32Ho+ojh65a4Kabe3CjklLaAnj//MXnvpUtEXFGKlTiyKi/JxHaQLOaeZBeMv1yfYKuo0hjdzlho=,iv:KR2UMbNmsyxa8TEv6lwTJlqc3Qe81DaTTVtzSZRZyik=,tag:B3Hvr1RRGDrxROylhUuFxg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0 
diff --git a/secrets/hopper/wireguard-config b/secrets/hopper/wireguard-config new file mode 100644 index 0000000..ebbaf81 --- /dev/null +++ b/secrets/hopper/wireguard-config @@ -0,0 +1,24 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:j9OIb4P+wSicxghVbuh6C7Sv6KLqjwFQ7uYLCGMeEPU=,tag:hqRxr0p7CPiSfPP9GMLfuA==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age17pdqkpfh6kc6wm7gxzdnwf6vphlwddv9yfpdu3j76e24y3amd9tq3avfc8", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJVlpJdUdEZ1lNT240WHZt\nVnFlSzFQMjhMc0F1LzBvWExnc1dEL0RPTGxnCmFKeU5zOThOcVc4REhNeDh4Y004\nbDFuSVBtL0MvQ3RnS3VZakN0cGVJbEEKLS0tIFFuWTJRbFg1OHA4dnBvWEdQZElm\nNENNSEpPWEtqWS84R3lhNmRCYTdFSDQKsY0PV+8vYLGcU/KxeQZMWCkbkGUfR1gh\n8Tdt7Jo8Xvd4HFwf8a0XegxMxqQk8FE/44RnkwG8xf6HHXLuXxkmlg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age15mgf89h220puhz48rjpwxwu4n2h4edur60w6cd8gku2hh4e5kqpsghvnyw", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBaHR6bXdSZWlEemwrQklY\nRjFFU0VWZGNZYUxaaXVndjNpQ1FrUStQNnlNCkVpRmFIV3lvTHBSSnVwK1BhWGwx\nOTkycVVlNDdwdUlzbG5Tb1ZDMFExbjgKLS0tIEY0bVp5akRzeitrZ3ZEaVdueVM5\nVUp4bDhaVk1SWWxXM1pJdWs3UGtVNUkKIScfgHBYmQJE52GtVd32PEuA2/oBl30x\nclfnEzkCCAayBnFFoulY1LkNGelfJMr1/cTK/i9S8Qlts0Vn2mTBnA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-09-29T13:16:47Z", + "mac": "ENC[AES256_GCM,data:DcUk4FtCLgPf8YrlngmnCrflMpqL97QUI5s1eZTaK0ghvD3Ae0qlZ7whcUdalROhO2vsi5XHvDAXMSDhtbfnrEnuTJpwilONMRs66G8mJc9/fnGUAfEBNiZve8FXki+vjaiYjmCVX8VWGMq2NP3Ax4DR7+/obOjOKA9m1CThNH4=,iv:sT8H/ZK7TXOGq054w4jUWqVB/l/nHzXtg9DQJ4HF9Ps=,tag:S6RH3STimNR9KSeRP5V7gA==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.9.0" + } +} \ No newline at end of file 
diff --git a/secrets/nixdesk/default.nix b/secrets/nixdesk/default.nix index c2d46f4..08ada3d 100644 --- a/secrets/nixdesk/default.nix +++ b/secrets/nixdesk/default.nix @@ -20,5 +20,9 @@ format = "binary"; sopsFile = ./brawlstars; }; + samba = { + format = "binary"; + sopsFile = ./samba; + }; }; } diff --git a/secrets/nixdesk/samba b/secrets/nixdesk/samba new file mode 100644 index 0000000..b84e9f3 --- /dev/null +++ b/secrets/nixdesk/samba 
@@ -0,0 +1,24 @@ +{ + "data": "ENC[AES256_GCM,data:IwlFjjTZqyL7QJaM1aBi5De0xPZ6T3/fQb+gIcyRP+sgyazLn4MEFABgoCKxTJaNhl4ld2HPA+uGxLOGavTwAxOPpCSxnfTPiPsDrIob9M+ssdVEinBb28E2GIp1ZEbwL7d+AsLstlI3k9JLNaWwqqC4uUb23cWl5/pXELI3ung5BytXGsGXBM/UqW7ce9VA6OQuCvcZiA==,iv:kt1FZBbOktLblC1Wnj4+apXB4dBMyY5Lk1XygdT9c58=,tag:gO8tkX+udOgiV+He2GIOrQ==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age17pdqkpfh6kc6wm7gxzdnwf6vphlwddv9yfpdu3j76e24y3amd9tq3avfc8", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaNnFIQStPV0d4TE0ya1F5\nSGRtckdUalBXVWI3TlkwY00zaUpESGlqem1jCjZJKzZaSDR1QW5ZWkVTS1hWcFEr\nMTJrTTYzRFFXUk9xbVM5aVphNDV5TjQKLS0tIDloRkMwSUNwM1RQN0lTQm81U21w\ndEdGN0R3Q1NKZmZjY0xCNFlKT3FkY0EKea+Gn8QJeu4iVZdx2WTRO1GOmC2IAeGt\njaMAek1JC9cOkzq0InCr8T4u2+R8ZNCNxf4B3uwRUQVBaVn1HV8Jsw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age155sscpw0x36t6s9usdrz7relpxqrtqnk98mrc7s0qcv2n0v3zd7sfl2xn8", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVMjNzVVhnZ3htWHEyV3NI\nV001YmtrYTFjQ2lZQWc3V3kvdDdUZ1M5cldzClE1SFVrV0lIc3lWaHVxYnBQS3N5\nbFp5dnJxZFhHdllXYko0b25OdWl5dnMKLS0tIEk1b3FPUG94dWJmS01qWUdnbkVy\nVThNODQvVXlQQ3FZaC8rdlFoOHhPVmsKbcGBJoLMFgpcIQsjlxeAViwne9ri/1WT\n56zPt9+f54K6W7hzJ7pVAG4+IYeWfaybMoPyIWTsTq9tlI6cc8MIag==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-10-21T08:11:03Z", + "mac": "ENC[AES256_GCM,data:4t/N1HbvMbXpF7pO0In8V3BKxK/6bz2BmFsH0DGTPNFZ9ZUNntOsOBtjjOhnRfbPY+Bl7JAQnHIVoAtyi6JavXpyH1WmzIpvpBUCWraIoKcD2XzrfraLEJazV6wIVE/vaBk9A6L54KivCXzMp35SDyIlWt6GBfyZJX64le2l5Ck=,iv:NVxByBu+6KNTKVnbjINOqQMgNI85lJxAKfeMFsVNz+0=,tag:mXeFyajv517gC095Wc80WQ==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.9.1" + } +} \ No newline at end of file diff --git a/system/network/networkd.nix b/system/network/networkd.nix index c6f2e65..1f7cb03 100644 
--- a/system/network/networkd.nix +++ b/system/network/networkd.nix @@ -8,4 +8,6 @@ dnssec = "true"; domains = ["~."]; }; + + # TODO use networkd-dispatcher to do some things when network connectivity changes maybe } diff --git a/system/network/tailscale.nix b/system/network/tailscale.nix index 8590f2d..9e32381 100644 --- a/system/network/tailscale.nix +++ b/system/network/tailscale.nix @@ -3,6 +3,6 @@ enable = true; openFirewall = true; useRoutingFeatures = "client"; - authKeyFile = config.sops.secrets.tailscale-auth.path; + #authKeyFile = config.sops.secrets.tailscale-auth.path; }; } diff --git a/system/programs/tools.nix b/system/programs/tools.nix index e27a145..4d7611c 100644 --- a/system/programs/tools.nix +++ b/system/programs/tools.nix @@ -23,5 +23,6 @@ else p7zip ) unar + openssl # for generating passwords ]; }
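Review bot: `#authKeyFile = config.sops.secrets.tailscale-auth.path;` in the `system/network/tailscale.nix` hunk switches off automatic enrolment with no stated reason, while the same commit re-encrypts the `tailscale-auth` secret in `secrets/global/tailscale-auth.yaml`, so the rotated key is now unused as far as this diff shows. If interactive enrolment is the intended state, drop the line and leave a comment such as `# authKeyFile intentionally unset: nodes are enrolled interactively`; if it is a temporary workaround, a TODO naming the problem keeps it from silently outliving its purpose. The enclosing attribute set starts outside the hunk.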