


Ingolf Wagner
733985c773
🔧 dedicated ssh key for cherry as well
2024-10-19 16:25:14 +09:00
Ingolf Wagner
74f7208936
🔥 delete cream 2024-10-19 16:24:26 +09:00
Ingolf Wagner
79db8373c2
Update facts/secrets for service ssh.root.cherry in machine cherry 2024-10-19 16:03:45 +09:00
31 changed files with 128 additions and 589 deletions


@ -175,7 +175,7 @@ with lib;
];
})
(entry { machine = "cherry"; })
(entry { machine = "cream"; })
#(entry { machine = "cream"; })
(entry { machine = "mobi"; })
(entry { machine = "bobi"; })
{
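Review bot: The `(entry { machine = "cream"; })` line is commented out rather than deleted, and the same pattern is applied to every other cream reference in the next three files (the syncthing `devices` lists, the tinc `hosts` tables and host blocks, and the `knownHosts` entry). The other two commits in this compare delete the machine and its facts, so these are dead config that git history already preserves; remove the lines instead of keeping them. The commented tinc and `knownHosts` blocks still carry cream's public keys, and the keys of a decommissioned host should be treated as revoked rather than left ready to be uncommented; if cream is expected to return, one comment pointing at the deleting commit is enough. The enclosing list starts before this hunk.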


@ -61,7 +61,7 @@ with lib;
path = lib.mkDefault "/tmp/books";
devices = [
"chungus"
"cream"
# "cream"
"cherry"
];
versioning = {
@ -74,7 +74,7 @@ with lib;
path = lib.mkDefault "/tmp/desktop";
devices = [
"chungus"
"cream"
# "cream"
"cherry"
];
};
@ -83,7 +83,7 @@ with lib;
path = lib.mkDefault "/tmp/finance";
devices = [
"chungus"
"cream"
# "cream"
"cherry"
];
versioning = {
@ -122,7 +122,7 @@ with lib;
path = lib.mkDefault "/tmp/oscar_cpap";
devices = [
"chungus"
"cream"
# "cream"
"cherry"
];
};
@ -131,7 +131,7 @@ with lib;
path = lib.mkDefault "/tmp/password-store";
devices = [
"chungus"
"cream"
# "cream"
"cherry"
];
versioning = {
@ -144,7 +144,7 @@ with lib;
enable = lib.mkDefault false;
path = lib.mkDefault "/tmp/password-store";
devices = [
"cream"
# "cream"
"cherry"
"orbi"
];


@ -14,7 +14,7 @@ let
bobi = "10.23.42.25";
cherry = "10.23.42.29";
chungus = "10.23.42.28";
cream = "10.23.42.27";
# cream = "10.23.42.27";
mobi = "10.23.42.23";
orbi = "10.23.42.100";
};
@ -67,10 +67,10 @@ in
subnets = [ { address = hosts.bobi; } ];
settings.Ed25519PublicKey = "jwvNd4oAgz2cWEI74VTVYU1qgPWq823/a0iEDqJ8KMD";
};
cream = {
subnets = [ { address = hosts.cream; } ];
settings.Ed25519PublicKey = Ed25519PublicKey "cream";
};
# cream = {
# subnets = [ { address = hosts.cream; } ];
# settings.Ed25519PublicKey = Ed25519PublicKey "cream";
# };
cherry = {
subnets = [ { address = hosts.cherry; } ];
settings.Ed25519PublicKey = Ed25519PublicKey "cherry";


@ -12,7 +12,7 @@ let
port = 721;
hosts = {
cherry = "10.123.42.29";
cream = "10.123.42.27";
# cream = "10.123.42.27";
robi = "10.123.42.123";
sternchen = "10.123.42.25";
sterni = "10.123.42.24";
@ -35,10 +35,10 @@ in
subnets = [ { address = hosts.sternchen; } ];
settings.Ed25519PublicKey = "Z567IKl00Kw5JFBNwMvjL33QYe2hRoNtQcNIDFRPReB";
};
cream = {
subnets = [ { address = hosts.cream; } ];
settings.Ed25519PublicKey = "Y/YRA90mAlNEmdhUWlUTHjjsco6d6hlvW11sPtarIdL";
};
# cream = {
# subnets = [ { address = hosts.cream; } ];
# settings.Ed25519PublicKey = "Y/YRA90mAlNEmdhUWlUTHjjsco6d6hlvW11sPtarIdL";
# };
cherry = {
subnets = [ { address = hosts.cherry; } ];
settings.Ed25519PublicKey = "BsPIrZjbzn0aryC0HO3OXSb4oFCMmzNDmMDQmxUXUuC";
@ -80,13 +80,13 @@ in
);
services.openssh.knownHosts = {
"cream.${network}" = {
hostNames = [
"cream.${network}"
hosts.cream
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConHiCL7INgAhuN6Z9TqP0zP+xNpdV7+OHwUca4IRDD";
};
# "cream.${network}" = {
# hostNames = [
# "cream.${network}"
# hosts.cream
# ];
# publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConHiCL7INgAhuN6Z9TqP0zP+xNpdV7+OHwUca4IRDD";
# };
"sternchen.${network}" = {
hostNames = [
"sterni.${network}"


@ -404,28 +404,6 @@
machines = {
cream = clanSetup {
name = "cream";
host = "cream.bear";
modules = [
defaultAuthorizedKeys
zerotierModules
nixos-hardware.nixosModules.framework-12th-gen-intel
retiolum.nixosModules.retiolum
private-parts.nixosModules.cream
homeManagerModules
stylixModules
{ home-manager.users.mainUser.gui.enable = true; }
{
home-manager.users.mainUser = import ./homes/palo;
home-manager.users.root = import ./homes/root;
}
{
clan.core.machineDescription = "Laptop";
}
];
};
cherry = clanSetup {
name = "cherry";
host = "cherry.bear";
@ -445,12 +423,15 @@
{
clan.core.machineDescription = "Laptop";
}
{
users.users.root.openssh.authorizedKeys.keyFiles = [
# yubikey key
./assets/mrvandalo_rsa.pub
];
}
(
{ config, ... }:
{
# keys only to access cherry
users.users.root.openssh.authorizedKeys.keyFiles = [
"${config.clan.core.clanDir}/machines/cherry/facts/ssh.root.cherry.id_ed25519.pub"
];
}
)
];
};
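Review bot: The new `# keys only to access cherry` block replaces the yubikey-backed `./assets/mrvandalo_rsa.pub` with the generated `ssh.root.cherry` key, so root login on cherry now rests on a file-based key that the new ssh-cherry.nix copies into `/run/facts` for mainUser, with no hardware-backed fallback left in `keyFiles`. If the yubikey key is still wanted as a break-glass path, keep both entries; otherwise make the trade-off explicit, e.g. `# replaces the yubikey key: only the dedicated, never-forwarded ssh.root.cherry key may log in as root`. The comment's claim also holds only if no other module in cherry's `modules` list (which begins above this hunk; cream's list included a `defaultAuthorizedKeys` module) adds further root keys — worth confirming. The `clanSetup` call for cherry starts outside the hunk.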


@ -20,7 +20,8 @@
./37c3.nix
./topology.nix
./ssh.nix
./ssh-chungus.nix
./ssh-cherry.nix
];


@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINjJvuEviWlnptuKqA8MQ3QVVdvEGaez1VmShaj56QTg root@cherry


@ -0,0 +1,46 @@
{
config,
factsGenerator,
lib,
...
}:
let
hostname = "cherry";
in
{
# Defines the root SSH key to be used exclusively for accessing a secure machine.
# The need for this arises because deployments using the 'clan' command-line tool (e.g. 'clan machines update')
# make use of the 'ssh -A' option, which forwards the SSH agent from the client to the target machine.
# If the target machine becomes compromised by an attacker,
# they could potentially leverage the forwarded SSH agent to access the secure machine.
# This file prevents that scenario by restricting access strictly to the defined SSH key,
# which is only used to access the secure machine, so no other ssh-agent will contain this ssh key
clan.core.facts.services."ssh.root.${hostname}" = factsGenerator.ssh {
name = "root.${hostname}";
};
systemd.tmpfiles.settings.mainUser = {
"/run/facts/ssh.root.${hostname}.id_ed25519"."C+" = {
user = config.users.users.mainUser.name;
group = config.users.users.mainUser.group;
mode = "400";
argument =
config.clan.core.facts.services."ssh.root.${hostname}".secret."ssh.root.${hostname}.id_ed25519".path;
};
};
home-manager.users.mainUser.programs.ssh.matchBlocks =
lib.genAttrs
[
"${hostname}.bear"
"${hostname}.private"
"${hostname}.wg0"
]
(name: {
identityFile = "/run/facts/ssh.root.${hostname}.id_ed25519";
identitiesOnly = true;
});
}
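Review bot: This file and the new ssh-chungus.nix below are identical apart from `hostname = "cherry"`, so the module should be a function of the hostname rather than two copies: change the header to `hostname: { config, factsGenerator, lib, ... }:`, drop the `let hostname = ... in`, and import it from the module list as `(import ./<shared-file>.nix "cherry")` and `(import ./<shared-file>.nix "chungus")` (file name to be chosen). The header comment still speaks of a generic "secure machine"; naming the host and stating that the private key is copied to `/run/facts/ssh.root.${hostname}.id_ed25519` readable by mainUser (mode 400) would make the trade-off explicit for the next reader.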


@ -0,0 +1,46 @@
{
config,
factsGenerator,
lib,
...
}:
let
hostname = "chungus";
in
{
# Defines the root SSH key to be used exclusively for accessing a secure machine.
# The need for this arises because deployments using the 'clan' command-line tool (e.g. 'clan machines update')
# make use of the 'ssh -A' option, which forwards the SSH agent from the client to the target machine.
# If the target machine becomes compromised by an attacker,
# they could potentially leverage the forwarded SSH agent to access the secure machine.
# This file prevents that scenario by restricting access strictly to the defined SSH key,
# which is only used to access the secure machine, so no other ssh-agent will contain this ssh key
clan.core.facts.services."ssh.root.${hostname}" = factsGenerator.ssh {
name = "root.${hostname}";
};
systemd.tmpfiles.settings.mainUser = {
"/run/facts/ssh.root.${hostname}.id_ed25519"."C+" = {
user = config.users.users.mainUser.name;
group = config.users.users.mainUser.group;
mode = "400";
argument =
config.clan.core.facts.services."ssh.root.${hostname}".secret."ssh.root.${hostname}.id_ed25519".path;
};
};
home-manager.users.mainUser.programs.ssh.matchBlocks =
lib.genAttrs
[
"${hostname}.bear"
"${hostname}.private"
"${hostname}.wg0"
]
(name: {
identityFile = "/run/facts/ssh.root.${hostname}.id_ed25519";
identitiesOnly = true;
});
}
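Review bot: The facts service key changes from `"mainUser.ssh.chungus"` (in the deleted file below) to `"ssh.root.chungus"` while keeping `name = "root.chungus"` and the same secret file name; if clan stores generated facts per service name, the existing chungus root key will not be found under the new key and a fresh one will be generated, yet the only facts update in this compare is for cherry. Before deploying, confirm that the chungus counterpart of `machines/cherry/facts/ssh.root.cherry.id_ed25519.pub` exists under the new service name and matches the key chungus currently accepts for root, otherwise mainUser may lose root access to chungus. Chungus's root `authorizedKeys` configuration is not part of this diff, so this is inferred from the rename alone.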


@ -1,39 +0,0 @@
{ config, factsGenerator, ... }:
{
# Defines the root SSH key to be used exclusively for accessing the backup server.
# The need for this arises because deployments using the 'clan' command-line tool (e.g. 'clan machines update')
# make use of the 'ssh -A' option, which forwards the SSH agent from the client to the target machine.
# If the target machine becomes compromised by an attacker,
# they could potentially leverage the forwarded SSH agent to access the backup server.
# This file prevents that scenario by restricting access strictly to the defined SSH key,
# which is only used to access the backup server, so no other ssh-agent will contain this ssh key
clan.core.facts.services."mainUser.ssh.chungus" = factsGenerator.ssh { name = "root.chungus"; };
systemd.tmpfiles.settings.mainUser = {
"/run/facts/ssh.mainUser.chungus.id_ed25519"."C+" = {
user = config.users.users.mainUser.name;
group = config.users.users.mainUser.group;
mode = "400";
argument =
config.clan.core.facts.services."mainUser.ssh.chungus".secret."ssh.root.chungus.id_ed25519".path;
};
};
home-manager.users.mainUser.programs.ssh.matchBlocks = {
"chungus.bear" = {
identityFile = "/run/facts/ssh.mainUser.chungus.id_ed25519";
identitiesOnly = true;
};
"chungus.private" = {
identityFile = "/run/facts/ssh.mainUser.chungus.id_ed25519";
identitiesOnly = true;
};
"chungus.wg0" = {
identityFile = "/run/facts/ssh.mainUser.chungus.id_ed25519";
identitiesOnly = true;
};
};
}


@ -1,137 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
imports = [
./hardware-configuration.nix
./syncthing.nix
./network-tinc.nix
./network-tinc_retiolum.nix
./network-wireguard-wg0.nix
./network-wireguard-wg1.nix
];
system.stateVersion = "22.11";
# Use the systemd-boot EFI boot loader, not grub
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.tmp.useTmpfs = true; # make /tmp a tmpfs (performance!)
components.virtualisation.enable = true;
components.gui.enable = true;
components.gui.xorg.enable = true;
components.gui.wayland.enable = false;
components.mainUser.enable = true;
components.media.enable = true;
components.media.tts-client.enable = false;
components.network.enable = true;
components.network.wifi.enable = true;
components.terminal.enable = true;
telemetry.enable = true;
telemetry.opentelemetry.exporter.endpoint = "10.100.0.1:4317"; # orbi
telemetry.prometheus.exporters.zfs.enable = false;
home-manager.users.mainUser.home.sessionPath = [ "$HOME/.timewarrior/scripts" ];
home-manager.users.mainUser.bugwarrior.config = {
general = {
targets = [
"terranix"
"my_github"
];
log_level = "INFO";
static_fields = [ "priority" ];
merge_annotations = false;
};
terranix = {
service = "github";
login = "mrVanDalo";
token = "@oracle:eval:${pkgs.pass}/bin/pass development/github/mrVanDalo/bugwarriorAccessToken";
username = "mrVanDalo";
default_priority = "";
description_template = "{{githubtitle}} {{githuburl}}";
add_tags = "github";
project_template = "terranix";
involved_issues = true;
query = "org:terranix is:open";
include_user_issues = false;
include_user_repos = false;
};
my_github = {
service = "github";
login = "mrVanDalo";
token = "@oracle:eval:${pkgs.pass}/bin/pass development/github/mrVanDalo/bugwarriorAccessToken";
username = "mrVanDalo";
description_template = "{{githubtitle}} {{githuburl}}";
add_tags = "github";
include_user_issues = true;
include_user_repos = true;
exclude_repos = [
"azubi"
"csv-to-qif"
"stepp0r"
];
};
# todo : add github issues
};
users.users.mainUser.extraGroups = [ "pipewire" ];
services.nginx.enable = true;
networking.hostName = "cream";
#services.flatpak.enable = true;
# make sure battery is charged in a way to live for a long time
services.power-profiles-daemon.enable = false;
services.tlp = {
enable = true;
settings = {
CPU_BOOST_ON_BAT = 0;
CPU_SCALING_GOVERNOR_ON_BATTERY = "powersave";
START_CHARGE_THRESH_BAT0 = 30;
STOP_CHARGE_THRESH_BAT0 = 85;
RUNTIME_PM_ON_BAT = "auto";
};
};
security.wrappers = {
pmount = {
source = "${pkgs.pmount}/bin/pmount";
setuid = true;
owner = "root";
group = "root";
};
pumount = {
source = "${pkgs.pmount}/bin/pumount";
setuid = true;
owner = "root";
group = "root";
};
};
services.printing.enable = true;
samba-share = {
enable = false;
folders = {
share = "/home/share";
video = "/home/video-material";
};
};
# for congress and streaming
hardware.graphics.enable = true;
}


@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICPz1SRSthwDEmXZXcBMi0FZhqgZxF7i1lDcGT534Gy7 nixbld@cherry


@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIArokGctZ2VLf92FhfE8pHzkx/bjz0/J1QjeaGgDSj1s ingolf.wagner@jobrad.org


@ -1 +0,0 @@
VQSHJ6K-MUWCTPJ-LJINXBP-7O244YK-TIY3D5B-T6PU7BY-2NPWPXI-HO2Q5Q6


@ -1 +0,0 @@
b8xU34/kYj3LxYfdrozDnpmXt25mLbYsnhUxgvFz2CG


@ -1,13 +0,0 @@
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAqFNvj8lg1ET9rala1W7RSi+ObQoN8JoQ7fTZ63XBycDr3bEkubGk
vIbLFFsdhIiMrJG6eRr25EiKQxew6Pb4HwwqjCJugHzSELHgiWN93Dx5hgl+EXV2
8EYQ3xWO+8ZH4PQsfUMqxBx553UMOiDZ0L4OE275z5XuLyDXnjXqv2WCU7qY57lt
MlJ3BFOhtWz7wl7fOu8rzalVuDLc/yp3KKhzLxr7lUUIHOZOT8EsoSAOiy+qUq6Q
K9JrHcTGP3FmBucY5bSyVQxbX75tLqBiadTvlcx4n0mHTbCyHjC2tIHmN2MtUhsS
Qw4uITn7NTd/c9H89Le2Z3Z01sRNEo1eZ3ru0JlYqUEL0sE2lAtPJWRgRePEzCWs
s8GN6LFrAvl8T/FmW6XFzxGBViOhFqP61HO17KhALwl5kVXpUMFKxbn1/ZXP5Ono
+h/Aaph56D/EZAFVvAPR7xx/Cp+cjOvKaKLgnZ5vG3VrjmbL9KkDtHiiiHcKC/Z8
OrOirkxalJJd2bMYpIUO/7TYEUCQzni3ollYae3myFuwRIeiqNnVjtHiQnPMEYmn
pjgWmvtYjvPLJkpnnP96nn+FI7FXqro8nY59COaIne3m0SxPo6JrGwugvYuLeOJS
96v4hcSTrB3LEaH49a3vaFKQUsEOFCCTc6Qx+/ejgV/3cEzQjDblep8CAwEAAQ==
-----END RSA PUBLIC KEY-----


@ -1 +0,0 @@
B3EKYRxqFjIGR2VYajjDqX0gltPJNwcno5PUhafKWKB


@ -1,13 +0,0 @@
-----BEGIN RSA PUBLIC KEY-----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==
-----END RSA PUBLIC KEY-----


@ -1 +0,0 @@
nrSEGYNGKiEdXaVAnGkb7ihBnKf/PcpGJEvn1NMLNoB


@ -1,13 +0,0 @@
-----BEGIN RSA PUBLIC KEY-----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==
-----END RSA PUBLIC KEY-----


@ -1 +0,0 @@
10.100.0.6/32


@ -1 +0,0 @@
10.100.0.6


@ -1 +0,0 @@
u0HcEa3lGDxqGqrot+9AtrqQNqNzOtCv/PDuuZqB9Ek=


@ -1 +0,0 @@
fdb3:fdc0:b880:37a1:3a99:93df:ed1c:3754


@ -1,75 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [
"xhci_pci"
"thunderbolt"
"nvme"
"usb_storage"
"uas"
"sd_mod"
];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.initrd.luks.devices = {
pool = {
device = "/dev/nvme0n1p2";
preLVM = true;
};
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/48228fad-8123-4e87-9c70-2e4c204d7a49";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/13A0-D756";
fsType = "vfat";
};
fileSystems."/home" = {
device = "/dev/disk/by-uuid/d73dd71d-9f0f-4c49-8267-9ad7e3f01ff1";
fsType = "ext4";
};
#fileSystems."/removable" =
# {
# device = "/dev/disk/by-uuid/081de08c-b080-4a05-9915-235caae193e7";
# fsType = "ext4";
# };
fileSystems."/share" = {
device = "none";
fsType = "tmpfs";
};
fileSystems."/browsers" = {
device = "none";
fsType = "tmpfs";
};
swapDevices = [ ];
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -1,10 +0,0 @@
{ config, ... }:
{
tinc.private.enable = true;
tinc.private.ipv4 = "10.23.42.27";
#tinc.secret.enable = true;
#tinc.secret.ipv4 = "10.123.42.27";
}


@ -1,29 +0,0 @@
{ config, factsGenerator, ... }:
{
clan.core.facts.services.tinc_retiolum = factsGenerator.tinc { name = "retiolum"; };
networking.retiolum.port = 720;
networking.retiolum.nodename = "sol";
services.tinc.networks.retiolum = {
ed25519PrivateKeyFile =
config.clan.core.facts.services.tinc_retiolum.secret."tinc.retiolum.ed25519_key.priv".path;
rsaPrivateKeyFile =
config.clan.core.facts.services.tinc_retiolum.secret."tinc.retiolum.rsa_key.priv".path;
};
#fileSystems."/retiolum/sicily" = {
# device = "//sicily.r/tonne";
# fsType = "cifs";
# options = [
# "guest"
# "nofail"
# "noauto"
# "ro"
# "rsize=16777216"
# "cache=loose"
# "x-systemd.after=network.target"
# ];
#};
}


@ -1,38 +0,0 @@
{
config,
factsGenerator,
clanLib,
...
}:
{
networking.firewall.allowedUDPPorts = [ 51820 ];
clan.core.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
clan.core.facts.services.wireguard_ip = factsGenerator.public {
"wireguard.wg0.cidr" = "10.100.0.6/32";
"wireguard.wg0.ip" = "10.100.0.6";
};
# Enable WireGuard
networking.wg-quick.interfaces = {
# Hub and Spoke Setup
# https://www.procustodibus.com/blog/2020/11/wireguard-hub-and-spoke-config/
wg0 = {
address = [
config.clan.core.facts.services.wireguard_ip.public."wireguard.wg0.cidr".value
];
listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
privateKeyFile = config.clan.core.facts.services.wireguard.secret."wireguard.wg0.key".path;
mtu = 1280;
peers = [
{
publicKey = clanLib.readFact "wireguard.wg0.pub" "orbi";
allowedIPs = [
(clanLib.readFact "wireguard.wg0.cidr" "orbi")
];
endpoint = clanLib.readFact "wireguard.wg0.endpoint" "orbi";
}
];
};
};
}


@ -1,27 +0,0 @@
{ pkgs, config, ... }:
{
clan.core.facts.services.wg1 = {
secret."wg1.conf" = { };
generator = {
# I download the config from my fritz.box
# cat wg_config.conf | pass insert -m machiens/<name>/wg1.conf
prompt = "please enter the wg1.conf";
path = with pkgs; [ coreutils ];
script = ''
echo "$prompt_value" > "$secrets"/wg1.conf
'';
};
};
home-manager.users.root.home.packages = [
(pkgs.writers.writeBashBin "wg1-up" ''
${pkgs.wireguard-tools}/bin/wg-quick up ${
config.clan.core.facts.services.wg1.secret."wg1.conf".path
}
'')
(pkgs.writers.writeBashBin "wg1-down" ''
${pkgs.wireguard-tools}/bin/wg-quick up ${
config.clan.core.facts.services.wg1.secret."wg1.conf".path
}
'')
];
}


@ -1,69 +0,0 @@
{ config, lib, ... }:
let
domain = "awesome.cache";
in
{
networking.extraHosts = ''
127.0.0.1 ${domain}
'';
services.nginx = {
enable = true;
proxyCachePath.nixos = {
enable = true;
inactive = "365d";
keysZoneSize = "100m";
keysZoneName = "nixos";
};
virtualHosts = {
${domain} = {
extraConfig = ''
proxy_cache nixos;
proxy_ignore_headers "Set-Cookie";
proxy_hide_header "Set-Cookie";
proxy_buffering on;
'';
locations."/" = {
recommendedProxySettings = false;
proxyPass = "https://cache.nixos.org";
extraConfig = ''
proxy_set_header Host "cache.nixos.org";
'';
};
};
};
};
# most likely not needed
systemd.services.nginx.serviceConfig = {
RestrictNamespaces = lib.mkForce false;
ProtectSystem = lib.mkForce false;
ProtectControlGroups = lib.mkForce false;
ProtectHome = lib.mkForce false;
ProtectHostname = lib.mkForce false;
ProtectKernelLogs = lib.mkForce false;
ProtectKernelModules = lib.mkForce false;
ProtectKernelTunables = lib.mkForce false;
PrivateDevices = lib.mkForce false;
PrivateMounts = lib.mkForce false;
PrivateTmp = lib.mkForce false;
MemoryDenyWriteExecute = lib.mkForce false;
NoNewPrivileges = lib.mkForce false;
ProtectProc = lib.mkForce "default";
RestrictRealtime = lib.mkForce false;
RestrictSUIDSGID = lib.mkForce false;
};
#services.permown."/data" = {
# owner = "nginx";
#};
#systemd.services."permown./data" = {
# bindsTo = [ "nginx.service" ];
# after = [ "nginx.service" ];
#};
}


@ -1,63 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
services.syncthing = {
enable = true;
openDefaultPorts = false;
user = "palo";
group = "users";
dataDir = "/home/palo/.syncthing";
configDir = "/home/palo/.syncthing";
overrideFolders = true;
settings.folders = {
oscar_cpap = {
enable = true;
path = "/home/palo/Documents/OSCAR_Data";
};
password-store = {
enable = true;
path = "/home/palo/.password-store";
};
logseq = {
enable = true;
path = "/home/palo/logseq";
};
art = {
enable = true;
path = "/home/palo/art";
};
desktop = {
enable = true;
path = "/home/palo/desktop";
};
finance = {
enable = true;
path = "/home/palo/finance";
};
share = {
enable = true;
path = "/home/palo/share";
type = "sendonly";
};
books = {
enable = true;
path = "/home/palo/books";
};
};
};
services.permown."/home/palo/music-library" = {
owner = "palo";
group = "users";
};
services.permown."/home/palo/finance" = {
owner = "palo";
group = "syncthing";
};
}