Compare commits
3 commits
0e3e67554a
...
733985c773
Author | SHA1 | Date | |
---|---|---|---|
|
733985c773 | ||
|
74f7208936 | ||
|
79db8373c2 |
31 changed files with 128 additions and 589 deletions
|
@ -175,7 +175,7 @@ with lib;
|
|||
];
|
||||
})
|
||||
(entry { machine = "cherry"; })
|
||||
(entry { machine = "cream"; })
|
||||
#(entry { machine = "cream"; })
|
||||
(entry { machine = "mobi"; })
|
||||
(entry { machine = "bobi"; })
|
||||
{
|
||||
|
|
|
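Review bot: Cream's entry in this hunk is commented out rather than removed (`#(entry { machine = "cream"; })`), and the same pattern repeats in every other cream-related hunk below: the device lists at -61, -74, -83, -122, -131 and -144, the host/key tables at -14, -67, -12 and -35, and the knownHosts block at -80. The rest of this commit appears to delete the cream machine itself (a configuration with `networking.hostName = "cream"`, its hardware config and its public facts), so the `# ...` lines are dead configuration that a later reader may take for something still wired up; deleting them and leaving the history to git is cleaner. Peer-side state is not in this view (for example a WireGuard hub peer list or other machines' device lists that referenced cream's now-deleted public facts), so it would be worth confirming separately that nothing else still trusts the removed keys.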
@ -61,7 +61,7 @@ with lib;
|
|||
path = lib.mkDefault "/tmp/books";
|
||||
devices = [
|
||||
"chungus"
|
||||
"cream"
|
||||
# "cream"
|
||||
"cherry"
|
||||
];
|
||||
versioning = {
|
||||
|
@ -74,7 +74,7 @@ with lib;
|
|||
path = lib.mkDefault "/tmp/desktop";
|
||||
devices = [
|
||||
"chungus"
|
||||
"cream"
|
||||
# "cream"
|
||||
"cherry"
|
||||
];
|
||||
};
|
||||
|
@ -83,7 +83,7 @@ with lib;
|
|||
path = lib.mkDefault "/tmp/finance";
|
||||
devices = [
|
||||
"chungus"
|
||||
"cream"
|
||||
# "cream"
|
||||
"cherry"
|
||||
];
|
||||
versioning = {
|
||||
|
@ -122,7 +122,7 @@ with lib;
|
|||
path = lib.mkDefault "/tmp/oscar_cpap";
|
||||
devices = [
|
||||
"chungus"
|
||||
"cream"
|
||||
# "cream"
|
||||
"cherry"
|
||||
];
|
||||
};
|
||||
|
@ -131,7 +131,7 @@ with lib;
|
|||
path = lib.mkDefault "/tmp/password-store";
|
||||
devices = [
|
||||
"chungus"
|
||||
"cream"
|
||||
# "cream"
|
||||
"cherry"
|
||||
];
|
||||
versioning = {
|
||||
|
@ -144,7 +144,7 @@ with lib;
|
|||
enable = lib.mkDefault false;
|
||||
path = lib.mkDefault "/tmp/password-store";
|
||||
devices = [
|
||||
"cream"
|
||||
# "cream"
|
||||
"cherry"
|
||||
"orbi"
|
||||
];
|
||||
|
|
|
@ -14,7 +14,7 @@ let
|
|||
bobi = "10.23.42.25";
|
||||
cherry = "10.23.42.29";
|
||||
chungus = "10.23.42.28";
|
||||
cream = "10.23.42.27";
|
||||
# cream = "10.23.42.27";
|
||||
mobi = "10.23.42.23";
|
||||
orbi = "10.23.42.100";
|
||||
};
|
||||
|
@ -67,10 +67,10 @@ in
|
|||
subnets = [ { address = hosts.bobi; } ];
|
||||
settings.Ed25519PublicKey = "jwvNd4oAgz2cWEI74VTVYU1qgPWq823/a0iEDqJ8KMD";
|
||||
};
|
||||
cream = {
|
||||
subnets = [ { address = hosts.cream; } ];
|
||||
settings.Ed25519PublicKey = Ed25519PublicKey "cream";
|
||||
};
|
||||
# cream = {
|
||||
# subnets = [ { address = hosts.cream; } ];
|
||||
# settings.Ed25519PublicKey = Ed25519PublicKey "cream";
|
||||
# };
|
||||
cherry = {
|
||||
subnets = [ { address = hosts.cherry; } ];
|
||||
settings.Ed25519PublicKey = Ed25519PublicKey "cherry";
|
||||
|
|
|
@ -12,7 +12,7 @@ let
|
|||
port = 721;
|
||||
hosts = {
|
||||
cherry = "10.123.42.29";
|
||||
cream = "10.123.42.27";
|
||||
# cream = "10.123.42.27";
|
||||
robi = "10.123.42.123";
|
||||
sternchen = "10.123.42.25";
|
||||
sterni = "10.123.42.24";
|
||||
|
@ -35,10 +35,10 @@ in
|
|||
subnets = [ { address = hosts.sternchen; } ];
|
||||
settings.Ed25519PublicKey = "Z567IKl00Kw5JFBNwMvjL33QYe2hRoNtQcNIDFRPReB";
|
||||
};
|
||||
cream = {
|
||||
subnets = [ { address = hosts.cream; } ];
|
||||
settings.Ed25519PublicKey = "Y/YRA90mAlNEmdhUWlUTHjjsco6d6hlvW11sPtarIdL";
|
||||
};
|
||||
# cream = {
|
||||
# subnets = [ { address = hosts.cream; } ];
|
||||
# settings.Ed25519PublicKey = "Y/YRA90mAlNEmdhUWlUTHjjsco6d6hlvW11sPtarIdL";
|
||||
# };
|
||||
cherry = {
|
||||
subnets = [ { address = hosts.cherry; } ];
|
||||
settings.Ed25519PublicKey = "BsPIrZjbzn0aryC0HO3OXSb4oFCMmzNDmMDQmxUXUuC";
|
||||
|
@ -80,13 +80,13 @@ in
|
|||
);
|
||||
|
||||
services.openssh.knownHosts = {
|
||||
"cream.${network}" = {
|
||||
hostNames = [
|
||||
"cream.${network}"
|
||||
hosts.cream
|
||||
];
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConHiCL7INgAhuN6Z9TqP0zP+xNpdV7+OHwUca4IRDD";
|
||||
};
|
||||
# "cream.${network}" = {
|
||||
# hostNames = [
|
||||
# "cream.${network}"
|
||||
# hosts.cream
|
||||
# ];
|
||||
# publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConHiCL7INgAhuN6Z9TqP0zP+xNpdV7+OHwUca4IRDD";
|
||||
# };
|
||||
"sternchen.${network}" = {
|
||||
hostNames = [
|
||||
"sterni.${network}"
|
||||
|
|
37
flake.nix
37
flake.nix
|
@ -404,28 +404,6 @@
|
|||
|
||||
machines = {
|
||||
|
||||
cream = clanSetup {
|
||||
name = "cream";
|
||||
host = "cream.bear";
|
||||
modules = [
|
||||
defaultAuthorizedKeys
|
||||
zerotierModules
|
||||
nixos-hardware.nixosModules.framework-12th-gen-intel
|
||||
retiolum.nixosModules.retiolum
|
||||
private-parts.nixosModules.cream
|
||||
homeManagerModules
|
||||
stylixModules
|
||||
{ home-manager.users.mainUser.gui.enable = true; }
|
||||
{
|
||||
home-manager.users.mainUser = import ./homes/palo;
|
||||
home-manager.users.root = import ./homes/root;
|
||||
}
|
||||
{
|
||||
clan.core.machineDescription = "Laptop";
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
cherry = clanSetup {
|
||||
name = "cherry";
|
||||
host = "cherry.bear";
|
||||
|
@ -445,12 +423,15 @@
|
|||
{
|
||||
clan.core.machineDescription = "Laptop";
|
||||
}
|
||||
{
|
||||
users.users.root.openssh.authorizedKeys.keyFiles = [
|
||||
# yubikey key
|
||||
./assets/mrvandalo_rsa.pub
|
||||
];
|
||||
}
|
||||
(
|
||||
{ config, ... }:
|
||||
{
|
||||
# keys only to access cherry
|
||||
users.users.root.openssh.authorizedKeys.keyFiles = [
|
||||
"${config.clan.core.clanDir}/machines/cherry/facts/ssh.root.cherry.id_ed25519.pub"
|
||||
];
|
||||
}
|
||||
)
|
||||
];
|
||||
};
|
||||
|
||||
|
|
|
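Review bot: The new `( { config, ... }: { users.users.root.openssh.authorizedKeys.keyFiles = [ "${config.clan.core.clanDir}/machines/cherry/facts/ssh.root.cherry.id_ed25519.pub" ]; } )` block does not on its own make that key the only one accepted for root on cherry, because `keyFiles` is a list option that NixOS merges across all modules. The hunk counts (12 old, 15 new lines) suggest the six-line yubikey `./assets/mrvandalo_rsa.pub` block is what is being replaced, but cherry's module list starts before this hunk and, judging by the removed cream definition above, probably still includes `defaultAuthorizedKeys`, whose keys would be appended as well. If the `# keys only to access cherry` comment is meant literally, either drop `defaultAuthorizedKeys` from cherry's modules or take `lib` into the inline module and write `users.users.root.openssh.authorizedKeys.keyFiles = lib.mkForce [ ... ];`, and state in the comment that keys from other modules are deliberately overridden. The enclosing `cherry = clanSetup { ... }` definition begins outside this hunk.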
@ -20,7 +20,8 @@
|
|||
./37c3.nix
|
||||
./topology.nix
|
||||
|
||||
./ssh.nix
|
||||
./ssh-chungus.nix
|
||||
./ssh-cherry.nix
|
||||
|
||||
];
|
||||
|
||||
|
|
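--- /dev/null
+++ b/machines/cherry/facts/ssh.root.cherry.id_ed25519.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINjJvuEviWlnptuKqA8MQ3QVVdvEGaez1VmShaj56QTg root@cherry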
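--- /dev/null
+++ b/machines/cherry/ssh-cherry.nix
@@ -0,0 +1,46 @@
+{
+config,
+factsGenerator,
+lib,
+...
+}:
+let
+hostname = "cherry";
+in
+{
+
+# Defines the root SSH key to be used exclusively for accessing a secure machine.
+# The need for this arises because deployments using the 'clan' command-line tool (e.g. 'clan machines update')
+# make use of the 'ssh -A' option, which forwards the SSH agent from the client to the target machine.
+# If the target machine becomes compromised by an attacker,
+# they could potentially leverage the forwarded SSH agent to access the secure machine.
+# This file prevents that scenario by restricting access strictly to the defined SSH key,
+# which is only used to access the secure machine, so no other ssh-agent will contain this ssh key
+
+clan.core.facts.services."ssh.root.${hostname}" = factsGenerator.ssh {
+name = "root.${hostname}";
+};
+
+systemd.tmpfiles.settings.mainUser = {
+"/run/facts/ssh.root.${hostname}.id_ed25519"."C+" = {
+user = config.users.users.mainUser.name;
+group = config.users.users.mainUser.group;
+mode = "400";
+argument =
+config.clan.core.facts.services."ssh.root.${hostname}".secret."ssh.root.${hostname}.id_ed25519".path;
+};
+};
+
+home-manager.users.mainUser.programs.ssh.matchBlocks =
+lib.genAttrs
+[
+"${hostname}.bear"
+"${hostname}.private"
+"${hostname}.wg0"
+]
+(name: {
+identityFile = "/run/facts/ssh.root.${hostname}.id_ed25519";
+identitiesOnly = true;
+});
+
+}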
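Review bot: The header comment promises that `no other ssh-agent will contain this ssh key`, but the match block only pins `identityFile` and `identitiesOnly`; an `AddKeysToAgent yes` in the user's global ssh config would still load the dedicated key into the running agent on first use, which is the very agent that `clan machines update` forwards with `ssh -A`. Adding `extraOptions.AddKeysToAgent = "no";` and `forwardAgent = false;` inside the `(name: { ... })` attrset enforces the stated property instead of relying on convention. The same applies to `machines/cherry/ssh-chungus.nix`, which is this file byte-for-byte except for `hostname = "chungus"`; the shared body could become one module function parameterised by `hostname`, leaving each file as a one-line wrapper. Also worth confirming that `ssh-cherry.nix` is intended: if `machines/cherry/` is cherry's own configuration, this file makes cherry's mainUser reach root on cherry itself via `cherry.bear`, which could just be a copy of the chungus file with the hostname changed.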
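--- /dev/null
+++ b/machines/cherry/ssh-chungus.nix
@@ -0,0 +1,46 @@
+{
+config,
+factsGenerator,
+lib,
+...
+}:
+let
+hostname = "chungus";
+in
+{
+
+# Defines the root SSH key to be used exclusively for accessing a secure machine.
+# The need for this arises because deployments using the 'clan' command-line tool (e.g. 'clan machines update')
+# make use of the 'ssh -A' option, which forwards the SSH agent from the client to the target machine.
+# If the target machine becomes compromised by an attacker,
+# they could potentially leverage the forwarded SSH agent to access the secure machine.
+# This file prevents that scenario by restricting access strictly to the defined SSH key,
+# which is only used to access the secure machine, so no other ssh-agent will contain this ssh key
+
+clan.core.facts.services."ssh.root.${hostname}" = factsGenerator.ssh {
+name = "root.${hostname}";
+};
+
+systemd.tmpfiles.settings.mainUser = {
+"/run/facts/ssh.root.${hostname}.id_ed25519"."C+" = {
+user = config.users.users.mainUser.name;
+group = config.users.users.mainUser.group;
+mode = "400";
+argument =
+config.clan.core.facts.services."ssh.root.${hostname}".secret."ssh.root.${hostname}.id_ed25519".path;
+};
+};
+
+home-manager.users.mainUser.programs.ssh.matchBlocks =
+lib.genAttrs
+[
+"${hostname}.bear"
+"${hostname}.private"
+"${hostname}.wg0"
+]
+(name: {
+identityFile = "/run/facts/ssh.root.${hostname}.id_ed25519";
+identitiesOnly = true;
+});
+
+}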
|
@ -1,39 +0,0 @@
|
|||
{ config, factsGenerator, ... }:
|
||||
{
|
||||
|
||||
# Defines the root SSH key to be used exclusively for accessing the backup server.
|
||||
# The need for this arises because deployments using the 'clan' command-line tool (e.g. 'clan machines update')
|
||||
# make use of the 'ssh -A' option, which forwards the SSH agent from the client to the target machine.
|
||||
# If the target machine becomes compromised by an attacker,
|
||||
# they could potentially leverage the forwarded SSH agent to access the backup server.
|
||||
# This file prevents that scenario by restricting access strictly to the defined SSH key,
|
||||
# which is only used to access the backup server, so no other ssh-agent will contain this ssh key
|
||||
|
||||
clan.core.facts.services."mainUser.ssh.chungus" = factsGenerator.ssh { name = "root.chungus"; };
|
||||
|
||||
systemd.tmpfiles.settings.mainUser = {
|
||||
"/run/facts/ssh.mainUser.chungus.id_ed25519"."C+" = {
|
||||
user = config.users.users.mainUser.name;
|
||||
group = config.users.users.mainUser.group;
|
||||
mode = "400";
|
||||
argument =
|
||||
config.clan.core.facts.services."mainUser.ssh.chungus".secret."ssh.root.chungus.id_ed25519".path;
|
||||
};
|
||||
};
|
||||
|
||||
home-manager.users.mainUser.programs.ssh.matchBlocks = {
|
||||
"chungus.bear" = {
|
||||
identityFile = "/run/facts/ssh.mainUser.chungus.id_ed25519";
|
||||
identitiesOnly = true;
|
||||
};
|
||||
"chungus.private" = {
|
||||
identityFile = "/run/facts/ssh.mainUser.chungus.id_ed25519";
|
||||
identitiesOnly = true;
|
||||
};
|
||||
"chungus.wg0" = {
|
||||
identityFile = "/run/facts/ssh.mainUser.chungus.id_ed25519";
|
||||
identitiesOnly = true;
|
||||
};
|
||||
};
|
||||
|
||||
}
|
|
@ -1,137 +0,0 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
{
|
||||
|
||||
imports = [
|
||||
|
||||
./hardware-configuration.nix
|
||||
|
||||
./syncthing.nix
|
||||
|
||||
./network-tinc.nix
|
||||
./network-tinc_retiolum.nix
|
||||
./network-wireguard-wg0.nix
|
||||
./network-wireguard-wg1.nix
|
||||
|
||||
];
|
||||
|
||||
system.stateVersion = "22.11";
|
||||
|
||||
# Use the systemd-boot EFI boot loader, not grub
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
boot.tmp.useTmpfs = true; # make /tmp a tmpfs (performance!)
|
||||
|
||||
components.virtualisation.enable = true;
|
||||
|
||||
components.gui.enable = true;
|
||||
components.gui.xorg.enable = true;
|
||||
components.gui.wayland.enable = false;
|
||||
components.mainUser.enable = true;
|
||||
components.media.enable = true;
|
||||
components.media.tts-client.enable = false;
|
||||
components.network.enable = true;
|
||||
components.network.wifi.enable = true;
|
||||
components.terminal.enable = true;
|
||||
|
||||
telemetry.enable = true;
|
||||
telemetry.opentelemetry.exporter.endpoint = "10.100.0.1:4317"; # orbi
|
||||
telemetry.prometheus.exporters.zfs.enable = false;
|
||||
|
||||
home-manager.users.mainUser.home.sessionPath = [ "$HOME/.timewarrior/scripts" ];
|
||||
home-manager.users.mainUser.bugwarrior.config = {
|
||||
general = {
|
||||
targets = [
|
||||
"terranix"
|
||||
"my_github"
|
||||
];
|
||||
log_level = "INFO";
|
||||
static_fields = [ "priority" ];
|
||||
merge_annotations = false;
|
||||
};
|
||||
terranix = {
|
||||
service = "github";
|
||||
login = "mrVanDalo";
|
||||
token = "@oracle:eval:${pkgs.pass}/bin/pass development/github/mrVanDalo/bugwarriorAccessToken";
|
||||
username = "mrVanDalo";
|
||||
default_priority = "";
|
||||
description_template = "{{githubtitle}} {{githuburl}}";
|
||||
add_tags = "github";
|
||||
project_template = "terranix";
|
||||
involved_issues = true;
|
||||
query = "org:terranix is:open";
|
||||
include_user_issues = false;
|
||||
include_user_repos = false;
|
||||
};
|
||||
my_github = {
|
||||
service = "github";
|
||||
login = "mrVanDalo";
|
||||
token = "@oracle:eval:${pkgs.pass}/bin/pass development/github/mrVanDalo/bugwarriorAccessToken";
|
||||
username = "mrVanDalo";
|
||||
description_template = "{{githubtitle}} {{githuburl}}";
|
||||
add_tags = "github";
|
||||
include_user_issues = true;
|
||||
include_user_repos = true;
|
||||
exclude_repos = [
|
||||
"azubi"
|
||||
"csv-to-qif"
|
||||
"stepp0r"
|
||||
];
|
||||
};
|
||||
# todo : add github issues
|
||||
};
|
||||
|
||||
users.users.mainUser.extraGroups = [ "pipewire" ];
|
||||
|
||||
services.nginx.enable = true;
|
||||
|
||||
networking.hostName = "cream";
|
||||
|
||||
#services.flatpak.enable = true;
|
||||
|
||||
# make sure battery is charged in a way to live for a long time
|
||||
services.power-profiles-daemon.enable = false;
|
||||
services.tlp = {
|
||||
enable = true;
|
||||
settings = {
|
||||
CPU_BOOST_ON_BAT = 0;
|
||||
CPU_SCALING_GOVERNOR_ON_BATTERY = "powersave";
|
||||
START_CHARGE_THRESH_BAT0 = 30;
|
||||
STOP_CHARGE_THRESH_BAT0 = 85;
|
||||
RUNTIME_PM_ON_BAT = "auto";
|
||||
};
|
||||
};
|
||||
|
||||
security.wrappers = {
|
||||
pmount = {
|
||||
source = "${pkgs.pmount}/bin/pmount";
|
||||
setuid = true;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
};
|
||||
pumount = {
|
||||
source = "${pkgs.pmount}/bin/pumount";
|
||||
setuid = true;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
};
|
||||
};
|
||||
|
||||
services.printing.enable = true;
|
||||
|
||||
samba-share = {
|
||||
enable = false;
|
||||
folders = {
|
||||
share = "/home/share";
|
||||
video = "/home/video-material";
|
||||
};
|
||||
};
|
||||
|
||||
# for congress and streaming
|
||||
hardware.graphics.enable = true;
|
||||
|
||||
}
|
|
@ -1 +0,0 @@
|
|||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICPz1SRSthwDEmXZXcBMi0FZhqgZxF7i1lDcGT534Gy7 nixbld@cherry
|
|
@ -1 +0,0 @@
|
|||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIArokGctZ2VLf92FhfE8pHzkx/bjz0/J1QjeaGgDSj1s ingolf.wagner@jobrad.org
|
|
@ -1 +0,0 @@
|
|||
VQSHJ6K-MUWCTPJ-LJINXBP-7O244YK-TIY3D5B-T6PU7BY-2NPWPXI-HO2Q5Q6
|
|
@ -1 +0,0 @@
|
|||
b8xU34/kYj3LxYfdrozDnpmXt25mLbYsnhUxgvFz2CG
|
|
@ -1,13 +0,0 @@
|
|||
-----BEGIN RSA PUBLIC KEY-----
|
||||
MIICCgKCAgEAqFNvj8lg1ET9rala1W7RSi+ObQoN8JoQ7fTZ63XBycDr3bEkubGk
|
||||
vIbLFFsdhIiMrJG6eRr25EiKQxew6Pb4HwwqjCJugHzSELHgiWN93Dx5hgl+EXV2
|
||||
8EYQ3xWO+8ZH4PQsfUMqxBx553UMOiDZ0L4OE275z5XuLyDXnjXqv2WCU7qY57lt
|
||||
MlJ3BFOhtWz7wl7fOu8rzalVuDLc/yp3KKhzLxr7lUUIHOZOT8EsoSAOiy+qUq6Q
|
||||
K9JrHcTGP3FmBucY5bSyVQxbX75tLqBiadTvlcx4n0mHTbCyHjC2tIHmN2MtUhsS
|
||||
Qw4uITn7NTd/c9H89Le2Z3Z01sRNEo1eZ3ru0JlYqUEL0sE2lAtPJWRgRePEzCWs
|
||||
s8GN6LFrAvl8T/FmW6XFzxGBViOhFqP61HO17KhALwl5kVXpUMFKxbn1/ZXP5Ono
|
||||
+h/Aaph56D/EZAFVvAPR7xx/Cp+cjOvKaKLgnZ5vG3VrjmbL9KkDtHiiiHcKC/Z8
|
||||
OrOirkxalJJd2bMYpIUO/7TYEUCQzni3ollYae3myFuwRIeiqNnVjtHiQnPMEYmn
|
||||
pjgWmvtYjvPLJkpnnP96nn+FI7FXqro8nY59COaIne3m0SxPo6JrGwugvYuLeOJS
|
||||
96v4hcSTrB3LEaH49a3vaFKQUsEOFCCTc6Qx+/ejgV/3cEzQjDblep8CAwEAAQ==
|
||||
-----END RSA PUBLIC KEY-----
|
|
@ -1 +0,0 @@
|
|||
B3EKYRxqFjIGR2VYajjDqX0gltPJNwcno5PUhafKWKB
|
|
@ -1,13 +0,0 @@
|
|||
-----BEGIN RSA PUBLIC KEY-----
|
||||
MIICCgKCAgEAnzhalF1rqLdSsT6HAGuQ6x1kC9Ty3FjoKR2Y5RCO9YIyEgRE8qfR
|
||||
jkne+wIIleODUDMZYuvUe9X5hm8w6wDzxlwCPitwhDlOxoSBnXfbL6YL9rZBn3lC
|
||||
JFkpEPtAJYnfM64R4/UjSndHlCVuH7tltD/1tmfG6IbSsIeDVz+pWZdEmBJfCiDl
|
||||
aqP2gb1oIwe9TgJX2EC2ugW+6Jh9oPNIOP2Q5eLvty5WPhUSGQDWVMr5u0Rgc1oU
|
||||
hhAvrfue7MFqUwX+o0Zq93eVAu/51dhTtqwwVgZVlHK7Wkak4yTRGPAP9v9vbKeK
|
||||
7GpQuvbiI5OphhSFPjyCN1XMqVgFxqsnLsflIPbQdxCkBgFxhmNf31BDlXWHWD5e
|
||||
7BfFYc1tZFcEWKhguoCSesJvh1BVsiZzfya96lGd/+ttcKBUKX4tdznEQsV/MVhC
|
||||
cVnQD6k8PN4BIWVJtcq5oM9h6Yt6avtv8TeuaLp/Janco4JmYYFIfRETnz6ye/fG
|
||||
OiKJnGQ1yohSE6n8ZUK1QYdYezZfI8QhF7GHK7he9x13L9xmXoybV+REXlRvh4S2
|
||||
bi9lWTKhQVIHb/qLIdQuaAnK1xg4tdNzL43KEpPstGlAnG8uUNL8hCJL3m220RPK
|
||||
lEbtLhayRzQ9zgj/hBQZa/hMGGyiqV1hiTbEEWAusJdGTUPYhjAelOkCAwEAAQ==
|
||||
-----END RSA PUBLIC KEY-----
|
|
@ -1 +0,0 @@
|
|||
nrSEGYNGKiEdXaVAnGkb7ihBnKf/PcpGJEvn1NMLNoB
|
|
@ -1,13 +0,0 @@
|
|||
-----BEGIN RSA PUBLIC KEY-----
|
||||
MIICCgKCAgEA8xuGW5yLty6aWYhhBK/T+7TmP3QsU2Y3ew7KvSNLhuxQc63CwzSA
|
||||
eJpDHYgoLujoi6VGd1L+I7G3Imy0wF5FsFgsFKY7wTbSL/Y/6gc6wm7yL/gYebH7
|
||||
zm//n6wqMSlrFKMpnWQj9x43f8eseMl0D3rlXYpE7HfKZI3sPTNexUrWRsqVFUFN
|
||||
Jmi5SQHIWuczWh0EGUaSc8ueMYHh9WkzDHS7Y8UbLy7bSclRSPxIp7D87513n7YT
|
||||
0OH7dEDD/is0uoRHQg+TpgFm9HcJeX5ULmsv1x6gssm7D7r+nXF7ATNJrKO0h78O
|
||||
hAS7kfugHFzrYQP/NRxNLRETSuyL4kQS5WiVfdQWIi+UJtasCSPH4hT34DBPN8vX
|
||||
GC0nneV9RztnTBUpuIH/BsBOmHBHwLTb9miN6dTyq1MAL/NsiO8+zgxE4gJnownR
|
||||
r6Dn3fF2bGX9ij9/7WUyi9hez+3c5q3CsG0CDccDsvgkFc4nDdWxmwqKtIg4hM7x
|
||||
M6FA5W9g1hgupcIdRt/+dKp+nwGH5TYAXa9+XFwfSuegds2hZFluEhmgfet2tB26
|
||||
wA4w6+mNcTzikvU0262w9VvkvIhAXWxAvMFtDTOzY2aWqoYJfDTmdaRHdj8c2F7A
|
||||
UCknUC9a3Kwi3BubAARtO1zTe6fhvkdAm9eJi985Y98xaHHXU6QeDX0CAwEAAQ==
|
||||
-----END RSA PUBLIC KEY-----
|
|
@ -1 +0,0 @@
|
|||
10.100.0.6/32
|
|
@ -1 +0,0 @@
|
|||
10.100.0.6
|
|
@ -1 +0,0 @@
|
|||
u0HcEa3lGDxqGqrot+9AtrqQNqNzOtCv/PDuuZqB9Ek=
|
|
@ -1 +0,0 @@
|
|||
fdb3:fdc0:b880:37a1:3a99:93df:ed1c:3754
|
|
@ -1,75 +0,0 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
modulesPath,
|
||||
...
|
||||
}:
|
||||
|
||||
{
|
||||
imports = [
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [
|
||||
"xhci_pci"
|
||||
"thunderbolt"
|
||||
"nvme"
|
||||
"usb_storage"
|
||||
"uas"
|
||||
"sd_mod"
|
||||
];
|
||||
boot.initrd.kernelModules = [ "dm-snapshot" ];
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
boot.initrd.luks.devices = {
|
||||
pool = {
|
||||
device = "/dev/nvme0n1p2";
|
||||
preLVM = true;
|
||||
};
|
||||
};
|
||||
|
||||
fileSystems."/" = {
|
||||
device = "/dev/disk/by-uuid/48228fad-8123-4e87-9c70-2e4c204d7a49";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
fileSystems."/boot" = {
|
||||
device = "/dev/disk/by-uuid/13A0-D756";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
fileSystems."/home" = {
|
||||
device = "/dev/disk/by-uuid/d73dd71d-9f0f-4c49-8267-9ad7e3f01ff1";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
#fileSystems."/removable" =
|
||||
# {
|
||||
# device = "/dev/disk/by-uuid/081de08c-b080-4a05-9915-235caae193e7";
|
||||
# fsType = "ext4";
|
||||
# };
|
||||
|
||||
fileSystems."/share" = {
|
||||
device = "none";
|
||||
fsType = "tmpfs";
|
||||
};
|
||||
|
||||
fileSystems."/browsers" = {
|
||||
device = "none";
|
||||
fsType = "tmpfs";
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
|
||||
networking.useDHCP = lib.mkDefault true;
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
|
||||
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||
|
||||
}
|
|
@ -1,10 +0,0 @@
|
|||
{ config, ... }:
|
||||
{
|
||||
|
||||
tinc.private.enable = true;
|
||||
tinc.private.ipv4 = "10.23.42.27";
|
||||
|
||||
#tinc.secret.enable = true;
|
||||
#tinc.secret.ipv4 = "10.123.42.27";
|
||||
|
||||
}
|
|
@ -1,29 +0,0 @@
|
|||
{ config, factsGenerator, ... }:
|
||||
{
|
||||
|
||||
clan.core.facts.services.tinc_retiolum = factsGenerator.tinc { name = "retiolum"; };
|
||||
|
||||
networking.retiolum.port = 720;
|
||||
networking.retiolum.nodename = "sol";
|
||||
|
||||
services.tinc.networks.retiolum = {
|
||||
ed25519PrivateKeyFile =
|
||||
config.clan.core.facts.services.tinc_retiolum.secret."tinc.retiolum.ed25519_key.priv".path;
|
||||
rsaPrivateKeyFile =
|
||||
config.clan.core.facts.services.tinc_retiolum.secret."tinc.retiolum.rsa_key.priv".path;
|
||||
};
|
||||
|
||||
#fileSystems."/retiolum/sicily" = {
|
||||
# device = "//sicily.r/tonne";
|
||||
# fsType = "cifs";
|
||||
# options = [
|
||||
# "guest"
|
||||
# "nofail"
|
||||
# "noauto"
|
||||
# "ro"
|
||||
# "rsize=16777216"
|
||||
# "cache=loose"
|
||||
# "x-systemd.after=network.target"
|
||||
# ];
|
||||
#};
|
||||
}
|
|
@ -1,38 +0,0 @@
|
|||
{
|
||||
config,
|
||||
factsGenerator,
|
||||
clanLib,
|
||||
...
|
||||
}:
|
||||
{
|
||||
networking.firewall.allowedUDPPorts = [ 51820 ];
|
||||
clan.core.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
|
||||
clan.core.facts.services.wireguard_ip = factsGenerator.public {
|
||||
"wireguard.wg0.cidr" = "10.100.0.6/32";
|
||||
"wireguard.wg0.ip" = "10.100.0.6";
|
||||
};
|
||||
|
||||
# Enable WireGuard
|
||||
networking.wg-quick.interfaces = {
|
||||
# Hub and Spoke Setup
|
||||
# https://www.procustodibus.com/blog/2020/11/wireguard-hub-and-spoke-config/
|
||||
wg0 = {
|
||||
address = [
|
||||
config.clan.core.facts.services.wireguard_ip.public."wireguard.wg0.cidr".value
|
||||
];
|
||||
listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
|
||||
privateKeyFile = config.clan.core.facts.services.wireguard.secret."wireguard.wg0.key".path;
|
||||
mtu = 1280;
|
||||
|
||||
peers = [
|
||||
{
|
||||
publicKey = clanLib.readFact "wireguard.wg0.pub" "orbi";
|
||||
allowedIPs = [
|
||||
(clanLib.readFact "wireguard.wg0.cidr" "orbi")
|
||||
];
|
||||
endpoint = clanLib.readFact "wireguard.wg0.endpoint" "orbi";
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,27 +0,0 @@
|
|||
{ pkgs, config, ... }:
|
||||
{
|
||||
clan.core.facts.services.wg1 = {
|
||||
secret."wg1.conf" = { };
|
||||
generator = {
|
||||
# I download the config from my fritz.box
|
||||
# cat wg_config.conf | pass insert -m machiens/<name>/wg1.conf
|
||||
prompt = "please enter the wg1.conf";
|
||||
path = with pkgs; [ coreutils ];
|
||||
script = ''
|
||||
echo "$prompt_value" > "$secrets"/wg1.conf
|
||||
'';
|
||||
};
|
||||
};
|
||||
home-manager.users.root.home.packages = [
|
||||
(pkgs.writers.writeBashBin "wg1-up" ''
|
||||
${pkgs.wireguard-tools}/bin/wg-quick up ${
|
||||
config.clan.core.facts.services.wg1.secret."wg1.conf".path
|
||||
}
|
||||
'')
|
||||
(pkgs.writers.writeBashBin "wg1-down" ''
|
||||
${pkgs.wireguard-tools}/bin/wg-quick up ${
|
||||
config.clan.core.facts.services.wg1.secret."wg1.conf".path
|
||||
}
|
||||
'')
|
||||
];
|
||||
}
|
|
@ -1,69 +0,0 @@
|
|||
{ config, lib, ... }:
|
||||
let
|
||||
domain = "awesome.cache";
|
||||
in
|
||||
{
|
||||
|
||||
networking.extraHosts = ''
|
||||
127.0.0.1 ${domain}
|
||||
'';
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
|
||||
proxyCachePath.nixos = {
|
||||
enable = true;
|
||||
inactive = "365d";
|
||||
keysZoneSize = "100m";
|
||||
keysZoneName = "nixos";
|
||||
};
|
||||
|
||||
virtualHosts = {
|
||||
${domain} = {
|
||||
extraConfig = ''
|
||||
proxy_cache nixos;
|
||||
proxy_ignore_headers "Set-Cookie";
|
||||
proxy_hide_header "Set-Cookie";
|
||||
proxy_buffering on;
|
||||
'';
|
||||
locations."/" = {
|
||||
recommendedProxySettings = false;
|
||||
proxyPass = "https://cache.nixos.org";
|
||||
extraConfig = ''
|
||||
proxy_set_header Host "cache.nixos.org";
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# most likely not needed
|
||||
systemd.services.nginx.serviceConfig = {
|
||||
RestrictNamespaces = lib.mkForce false;
|
||||
ProtectSystem = lib.mkForce false;
|
||||
ProtectControlGroups = lib.mkForce false;
|
||||
ProtectHome = lib.mkForce false;
|
||||
ProtectHostname = lib.mkForce false;
|
||||
ProtectKernelLogs = lib.mkForce false;
|
||||
ProtectKernelModules = lib.mkForce false;
|
||||
ProtectKernelTunables = lib.mkForce false;
|
||||
PrivateDevices = lib.mkForce false;
|
||||
PrivateMounts = lib.mkForce false;
|
||||
PrivateTmp = lib.mkForce false;
|
||||
MemoryDenyWriteExecute = lib.mkForce false;
|
||||
NoNewPrivileges = lib.mkForce false;
|
||||
ProtectProc = lib.mkForce "default";
|
||||
RestrictRealtime = lib.mkForce false;
|
||||
RestrictSUIDSGID = lib.mkForce false;
|
||||
};
|
||||
|
||||
#services.permown."/data" = {
|
||||
# owner = "nginx";
|
||||
#};
|
||||
|
||||
#systemd.services."permown./data" = {
|
||||
# bindsTo = [ "nginx.service" ];
|
||||
# after = [ "nginx.service" ];
|
||||
#};
|
||||
|
||||
}
|
|
@ -1,63 +0,0 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
{
|
||||
|
||||
services.syncthing = {
|
||||
enable = true;
|
||||
openDefaultPorts = false;
|
||||
user = "palo";
|
||||
group = "users";
|
||||
dataDir = "/home/palo/.syncthing";
|
||||
configDir = "/home/palo/.syncthing";
|
||||
overrideFolders = true;
|
||||
settings.folders = {
|
||||
oscar_cpap = {
|
||||
enable = true;
|
||||
path = "/home/palo/Documents/OSCAR_Data";
|
||||
};
|
||||
password-store = {
|
||||
enable = true;
|
||||
path = "/home/palo/.password-store";
|
||||
};
|
||||
logseq = {
|
||||
enable = true;
|
||||
path = "/home/palo/logseq";
|
||||
};
|
||||
art = {
|
||||
enable = true;
|
||||
path = "/home/palo/art";
|
||||
};
|
||||
desktop = {
|
||||
enable = true;
|
||||
path = "/home/palo/desktop";
|
||||
};
|
||||
finance = {
|
||||
enable = true;
|
||||
path = "/home/palo/finance";
|
||||
};
|
||||
share = {
|
||||
enable = true;
|
||||
path = "/home/palo/share";
|
||||
type = "sendonly";
|
||||
};
|
||||
books = {
|
||||
enable = true;
|
||||
path = "/home/palo/books";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.permown."/home/palo/music-library" = {
|
||||
owner = "palo";
|
||||
group = "users";
|
||||
};
|
||||
|
||||
services.permown."/home/palo/finance" = {
|
||||
owner = "palo";
|
||||
group = "syncthing";
|
||||
};
|
||||
}
|