80 Commits

Author SHA1 Message Date
a0c199ba06 Unfinished attempt at packaging pia client 2023-02-08 01:38:54 -05:00
6f9edd8870 Add ISO build 2023-02-08 01:36:23 -05:00
076bdb3ab4 Use upstream nvidia reverse prime support 2023-02-08 01:35:25 -05:00
fcbd877d06 flake.lock: Update
Flake lock file updates:

• Updated input 'nix-locate':
    'github:googlebot42/nix-index/a28bb3175d370c6cb9569e6d4b5570e9ca016a3e' (2022-05-17)
  → 'github:bennofs/nix-index/5f98881b1ed27ab6656e6d71b534f88430f6823a' (2023-01-17)
• Updated input 'nix-locate/flake-compat':
    'github:edolstra/flake-compat/b7547d3eed6f32d06102ead8991ec52ab0a4f1a7' (2022-01-03)
  → 'github:edolstra/flake-compat/009399224d5e398d03b22badca40a37ac85412a1' (2022-11-17)
• Updated input 'nixpkgs-unstable':
    'github:NixOS/nixpkgs/836b2bed01d19dce142298e58c998f4f65057c6a' (2023-02-08)
  → 'github:NixOS/nixpkgs/32f914af34f126f54b45e482fb2da4ae78f3095f' (2023-02-08)
2023-02-08 00:59:29 -05:00
27f4b5af78 flake.lock: Update
Flake lock file updates:

• Updated input 'agenix':
    'github:ryantm/agenix/a630400067c6d03c9b3e0455347dc8559db14288' (2022-10-15)
  → 'github:ryantm/agenix/b7ffcfe77f817d9ee992640ba1f270718d197f28' (2023-01-31)
• Added input 'agenix/darwin':
    'github:lnl7/nix-darwin/87b9d090ad39b25b2400029c64825fc2a8868943' (2023-01-09)
• Added input 'agenix/darwin/nixpkgs':
    follows 'agenix/nixpkgs'
• Updated input 'archivebox':
    'git+https://git.neet.dev/zuckerberg/archivebox.git?ref=master&rev=39d338b9b24159d8ef3309eecc0d32a2a9f102b5' (2022-03-30)
  → 'git+https://git.neet.dev/zuckerberg/archivebox.git?ref=refs%2fheads%2fmaster&rev=39d338b9b24159d8ef3309eecc0d32a2a9f102b5' (2022-03-30)
• Updated input 'dailybuild_modules':
    'git+https://git.neet.dev/zuckerberg/dailybuild_modules.git?ref=master&rev=1290ddd9a2ff2bf2d0f702750768312b80efcd34' (2022-05-05)
  → 'git+https://git.neet.dev/zuckerberg/dailybuild_modules.git?ref=refs%2fheads%2fmaster&rev=1290ddd9a2ff2bf2d0f702750768312b80efcd34' (2022-05-05)
• Updated input 'flake-utils':
    'github:numtide/flake-utils/c0e246b9b83f637f4681389ecabcb2681b4f3af0' (2022-08-07)
  → 'github:numtide/flake-utils/5aed5285a952e0b949eb3ba02c12fa4fcfef535f' (2022-11-02)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/3933d8bb9120573c0d8d49dc5e890cb211681490' (2022-10-22)
  → 'github:NixOS/nixpkgs/0874168639713f547c05947c76124f78441ea46c' (2023-01-01)
• Removed input 'nixpkgs-nvidia'
• Updated input 'nixpkgs-unstable':
    'github:NixOS/nixpkgs/301aada7a64812853f2e2634a530ef5d34505048' (2022-10-21)
  → 'github:NixOS/nixpkgs/836b2bed01d19dce142298e58c998f4f65057c6a' (2023-02-08)
• Updated input 'radio-web':
    'git+https://git.neet.dev/zuckerberg/radio-web.git?ref=master&rev=72e7a9e80b780c84ed8d4a6374bfbb242701f900' (2022-05-09)
  → 'git+https://git.neet.dev/zuckerberg/radio-web.git?ref=refs%2fheads%2fmaster&rev=72e7a9e80b780c84ed8d4a6374bfbb242701f900' (2022-05-09)
2023-02-08 00:33:47 -05:00
7238d6e6c5 latest kernel not needed for wifi anymore 2023-02-06 22:45:34 -05:00
094905a727 virt-manager 2023-02-06 22:44:22 -05:00
cf3fa0ff12 depthai udev 2023-02-06 22:44:09 -05:00
7c7b356aab Remove 'I don't care about cookies'. It is under new management 2023-02-06 22:43:43 -05:00
c57e4f022f flake.lock: Update
Flake lock file updates:

• Updated input 'agenix':
    'github:ryantm/agenix/7e5e58b98c3dcbf497543ff6f22591552ebfe65b' (2022-05-16)
  → 'github:ryantm/agenix/a630400067c6d03c9b3e0455347dc8559db14288' (2022-10-15)
• Updated input 'flake-utils':
    'github:numtide/flake-utils/1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1' (2022-05-30)
  → 'github:numtide/flake-utils/c0e246b9b83f637f4681389ecabcb2681b4f3af0' (2022-08-07)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/d17a56d90ecbd1b8fc908d49598fb854ef188461' (2022-06-17)
  → 'github:NixOS/nixpkgs/3933d8bb9120573c0d8d49dc5e890cb211681490' (2022-10-22)
• Updated input 'nixpkgs-unstable':
    'github:NixOS/nixpkgs/42948b300670223ca8286aaf916bc381f66a5313' (2022-04-08)
  → 'github:NixOS/nixpkgs/301aada7a64812853f2e2634a530ef5d34505048' (2022-10-21)
• Updated input 'simple-nixos-mailserver':
    'gitlab:simple-nixos-mailserver/nixos-mailserver/a48082c79cff8f3b314ba4f95f4ae87ca7d4d068' (2022-06-14)
  → 'gitlab:simple-nixos-mailserver/nixos-mailserver/f535d8123c4761b2ed8138f3d202ea710a334a1d' (2022-06-22)
2022-10-23 10:43:19 -04:00
zuckerberg
f5a9f04cf2 Rekey secrets 2022-08-25 23:16:22 -04:00
zuckerberg
50fd928cda Change key 2022-08-25 23:16:09 -04:00
11072c374b Owncast 2022-07-24 15:18:29 -04:00
60f1235848 Add shell aliases 2022-07-24 13:23:03 -04:00
55ea5aebc4 Add README and TODO files 2022-07-24 12:57:05 -04:00
2738f6b794 WIP wireguard vpn 2022-07-24 12:13:17 -04:00
ec2b248ed8 Don't use tailscale in containers 2022-06-23 22:37:14 -04:00
aa7bbc5932 Use Tailscale 2022-06-23 22:30:07 -04:00
eef574c9f7 Pin nixpkgs to a version that works for bcachefs 2022-06-20 11:51:45 -04:00
25fb7a1645 Jellyfin Client only on desktop 2022-06-20 00:04:54 -04:00
301fd8462b Update to NixOS 22.05 2022-06-20 00:00:49 -04:00
a92800cbcc Update to NixOS 22.05 2022-06-19 23:59:52 -04:00
5e361b2fc8 Update to NixOS 22.05 2022-06-19 23:44:01 -04:00
b41e4dc375 add jellyfin media player 2022-06-19 23:29:54 -04:00
7e615f814d Rewrite VPN container 2022-05-28 18:54:41 -04:00
c560a63182 More vpn options 2022-05-27 16:43:25 -04:00
2f14d07f82 Proxy jellyfin correctly 2022-05-20 19:30:14 -04:00
a89fde8aa5 Don't export bazarr 2022-05-20 19:15:33 -04:00
1856fe00d6 Jellyfin open port 2022-05-20 18:58:13 -04:00
388599e08c Use aarch64-linux friendly nix-locate 2022-05-20 16:42:38 -04:00
75a33a0b5e Add .gitignore 2022-05-20 16:37:33 -04:00
918b53e383 Move jellyfin to container 2022-05-20 16:37:05 -04:00
c643244dab set sendmail send domain 2022-05-16 17:46:11 -04:00
9fc6f816fb Use nix-locate for command-not-found 2022-05-16 15:01:15 -04:00
63902fcb46 Require auth for public samba share 2022-05-16 13:22:00 -04:00
8a1e0b76f1 Remove sauerbraten 2022-05-16 13:07:32 -04:00
f144bda9e6 Minimal kexec image builder 2022-05-16 13:04:31 -04:00
b8c9278f37 Use runyan.org 2022-05-09 14:46:18 -04:00
9f45df7903 Update dailybot 2022-05-04 22:55:53 -04:00
a894a5429e Enable sender dependent authentication 2022-05-03 19:21:10 -04:00
dfec18e904 Send mail through mailgun 2022-05-03 18:33:48 -04:00
91e38f5866 Remove pi.agency 2022-05-03 14:54:09 -04:00
fed1aecd64 Update dailybot 2022-05-03 14:53:58 -04:00
ec3056f8c1 Don't store awful files 2022-05-03 14:53:42 -04:00
339eed1f55 Move services to ponyo 2022-05-02 18:01:03 -04:00
5ac5b4551b Rekey secrets 2022-05-02 11:56:25 -04:00
d378a287fa Add ponyo system 2022-05-02 11:56:14 -04:00
d71af55727 Better samba mount options 2022-05-02 02:54:41 -04:00
de05a535ea Prune services 2022-05-02 02:54:22 -04:00
910af494b5 Retire neetdev 2022-05-02 02:50:54 -04:00
3d1c078a44 Revert radio to previous version 2022-04-30 22:15:27 -04:00
c85beff7ed SSDs for NAS 2022-04-26 00:57:11 -04:00
7ab4906710 Use '*.containers' instead of ips 2022-04-25 00:46:40 -04:00
af3af7b2ae Add samba share user 2022-04-25 00:30:57 -04:00
f627abc649 More hosts 2022-04-25 00:20:14 -04:00
e37878c544 Automount samba shares 2022-04-24 21:56:28 -04:00
73bbd39c64 Create samba users 2022-04-24 21:55:24 -04:00
acbf162ffe Use latest pykms 2022-04-24 21:54:04 -04:00
516121b26c Revert broken samba config for now... 2022-04-24 21:53:41 -04:00
8742352ea9 Disable scroll jacking extension works poorly 2022-04-24 21:26:29 -04:00
61391cc180 Improve samba speed 2022-04-23 04:32:33 -04:00
60771ea56e Access transmission files over samba 2022-04-23 04:32:19 -04:00
2f19903a45 Remove pi.agency 2022-04-21 15:17:59 -04:00
8102981a01 Update dailybot 2022-04-21 15:17:32 -04:00
d975477c05 Update dailybot 2022-04-21 14:50:11 -04:00
af9333feff Ponyo as media proxy 2022-04-21 02:24:45 -04:00
5945310dd4 Ponyo keys 2022-04-21 01:27:47 -04:00
d5d986dd88 Rekey secrets 2022-04-21 01:26:53 -04:00
ffad65d902 OVH is annoying... 2022-04-21 01:15:51 -04:00
2cd7f12a75 Install as efi removable 2022-04-20 22:51:14 -04:00
fe48d7b009 New ponyo 2022-04-20 16:06:24 -04:00
448c3b280a New ponyo 2022-04-20 16:00:29 -04:00
ef2ad011cc Add ponyo 2022-04-20 00:04:25 -04:00
8267954e3d Improve file-roller 2022-04-19 16:33:12 -04:00
609f1d416a Stop scroll jacking 2022-04-19 16:32:03 -04:00
b4dce62d36 Fix permissions 2022-04-19 16:31:26 -04:00
e15b612b3c Shared group/user for consistent permissions+access 2022-04-17 23:43:42 -04:00
6233ce6c0d navidrome over cloudflared 2022-04-17 20:36:04 -04:00
1a4bdc4a8a Enable zerotier 2022-04-17 19:06:56 -04:00
73da58f6bf Bigger HDD 2022-04-13 21:15:35 -04:00
57 changed files with 1915 additions and 1352 deletions

1
.gitignore vendored Normal file

@@ -0,0 +1 @@
result

12
README.md Normal file

@@ -0,0 +1,12 @@
# My NixOS configurations
### Source Layout
- `/common` - common configuration imported into all `/machines`
- `/boot` - config related to bootloaders, cpu microcode, and unlocking LUKS root disks over tor
- `/network` - config for tailscale, zeroteir, and NixOS container with automatic vpn tunneling via PIA
- `/pc` - config that a graphical desktop computer should have. Use `de.enable = true;` to enable everthing.
- `/server` - config that creates new nixos services or extends existing ones to meet my needs
- `/ssh.nix` - all ssh public host and user keys for all `/machines`
- `/machines` - all my NixOS machines along with their machine unique configuration for hardware and services
- `/kexec` - a special machine for generating minimal kexec images. Does not import `/common`
- `/secrets` - encrypted shared secrets unlocked through `/machines` ssh host keys
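
Review bot: Two spelling slips in the added README lines: `zeroteir` in the `/network` entry should be `zerotier`, and `everthing` in the `/pc` entry should be `everything`. The `/secrets` entry says secrets are unlocked through the machines' ssh host keys; a short line on how to rekey after a host key changes would be useful here, since the history contains several `Rekey secrets` commits.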

85
TODO.md Normal file

@@ -0,0 +1,85 @@
# A place for brain dump ideas maybe to be taken off of the shelve one day
### NixOS webtools
- Better options search https://mynixos.com/options/services
### Interesting ideas for restructuring nixos config
- https://github.com/gytis-ivaskevicius/flake-utils-plus
- https://github.com/divnix/digga/tree/main/examples/devos
- https://digga.divnix.com/
- https://nixos.wiki/wiki/Comparison_of_NixOS_setups
### Housekeeping
- Format everything here using nixfmt
- Cleanup the line between hardware-configuration.nix and configuration.nix in machine config
- CI https://gvolpe.com/blog/nixos-binary-cache-ci/
- remove `options.currentSystem`
- allow `hostname` option for webservices to be null to disable configuring nginx
### NAS
- helios64 extra led lights
- safely turn off NAS on power disconnect
- hardware de/encoding for rk3399 helios64 https://forum.pine64.org/showthread.php?tid=14018
- tor unlock
### bcachefs
- bcachefs health alerts via email
- bcachefs periodic snapshotting
- use mount.bcachefs command for mounting
- bcachefs native encryption
- just need a kernel module? https://github.com/firestack/bcachefs-tools-flake/blob/kf/dev/mvp/nixos/module/bcachefs.nix#L40
### Shell Comands
- tailexitnode = `sudo tailscale up --exit-node=<exit-node-ip> --exit-node-allow-lan-access=true`
### Services
- setup archivebox
- radio https://tildegit.org/tilderadio/site
- music
- mopidy
- use the jellyfin plugin?
- navidrome
- spotify secrets for navidrome
- picard for music tagging
- alternative music software
- https://www.smarthomebeginner.com/best-music-server-software-options/
- https://funkwhale.audio/
- https://github.com/epoupon/lms
- https://github.com/benkaiser/stretto
- https://github.com/blackcandy-org/black_candy
- https://github.com/koel/koel
- https://airsonic.github.io/
- https://ampache.org/
- replace nextcloud with seafile
### VPN container
- use wireguard for vpn
- https://github.com/triffid/pia-wg/blob/master/pia-wg.sh
- https://github.com/pia-foss/manual-connections
- port forwarding for vpn
- transmission using forwarded port
- https://www.wireguard.com/netns/
- one way firewall for vpn container
### Networking
- tailscale for p2p connections
- remove all use of zerotier
### Archive
- https://www.backblaze.com/b2/cloud-storage.html
- email
- https://github.com/Disassembler0/dovecot-archive/blob/main/src/dovecot_archive.py
- http://kb.unixservertech.com/software/dovecot/archiveserver
### Paranoia
- https://christine.website/blog/paranoid-nixos-2021-07-18
- https://nixos.wiki/wiki/Impermanence
### Misc
- https://github.com/pop-os/system76-scheduler
- improve email a little bit https://helloinbox.email
- remap razer keys https://github.com/sezanzeb/input-remapper
### Future Interests (upon merge into nixpkgs)
- nixos/thelounge: add users option https://github.com/NixOS/nixpkgs/pull/157477
- glorytun: init at 0.3.4 https://github.com/NixOS/nixpkgs/pull/153356


@@ -3,10 +3,9 @@
{ {
imports = [ imports = [
./flakes.nix ./flakes.nix
./pia.nix
./zerotier.nix
./auto-update.nix ./auto-update.nix
./hosts.nix ./shell.nix
./network
./boot ./boot
./server ./server
./pc ./pc
@@ -57,13 +56,12 @@
shell = pkgs.fish; shell = pkgs.fish;
openssh.authorizedKeys.keys = (import ./ssh.nix).users; openssh.authorizedKeys.keys = (import ./ssh.nix).users;
hashedPassword = "$6$TuDO46rILr$gkPUuLKZe3psexhs8WFZMpzgEBGksE.c3Tjh1f8sD0KMC4oV89K2pqAABfl.Lpxu2jVdr5bgvR5cWnZRnji/r/"; hashedPassword = "$6$TuDO46rILr$gkPUuLKZe3psexhs8WFZMpzgEBGksE.c3Tjh1f8sD0KMC4oV89K2pqAABfl.Lpxu2jVdr5bgvR5cWnZRnji/r/";
uid = 1000;
}; };
nix.trustedUsers = [ "root" "googlebot" ]; nix.trustedUsers = [ "root" "googlebot" ];
nix.gc.automatic = true; nix.gc.automatic = true;
programs.fish.enable = true; security.acme.acceptTerms = true;
programs.fish.shellInit = '' security.acme.defaults.email = "zuckerberg@neet.dev";
set fish_greeting
'';
} }
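
Review bot: The user block edited by the second hunk still carries the `hashedPassword` literal in its context lines, so the SHA-512 crypt hash is published with the repository and ends up in the world-readable Nix store on every machine. The repo already decrypts secrets to `/run/agenix`, so the hash could be read from an agenix-managed file instead. In the same block, `nix.trustedUsers = [ "root" "googlebot" ];` gives the login user root-equivalent control of the Nix daemon; dropping `googlebot` from that list keeps the sudo boundary meaningful.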


@@ -16,6 +16,9 @@ in {
# pin nixpkgs for system commands such as "nix shell" # pin nixpkgs for system commands such as "nix shell"
registry.nixpkgs.flake = config.inputs.nixpkgs; registry.nixpkgs.flake = config.inputs.nixpkgs;
# pin system nixpkgs to the same version as the flake input
nixPath = [ "nixpkgs=${config.inputs.nixpkgs}" ];
}; };
}; };
} }


@@ -0,0 +1,23 @@
{ config, lib, ... }:
with lib;
let
cfg = config.networking;
in
{
imports = [
./hosts.nix
./pia-openvpn.nix
./tailscale.nix
./vpn.nix
./zerotier.nix
];
options.networking.ip_forward = mkEnableOption "Enable ip forwarding";
config = mkIf cfg.ip_forward {
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
};
}
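
Review bot: `options.networking.ip_forward` turns on routing for every interface with no scoping and no documentation of the side effects. `net.ipv6.conf.all.forwarding = 1` makes the kernel ignore router advertisements unless `accept_ra` is set to 2, which matters on hosts where the kernel handles SLAAC, and nothing in this module restricts what gets forwarded. State that in the option description or limit the sysctls to the interfaces that need them. Minor: `mkEnableOption` prefixes "Whether to enable" itself, so the argument should be just `"ip forwarding"`.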


@@ -1,19 +1,34 @@
{ config, lib, ... }: { config, lib, ... }:
let let
system = (import ./ssh.nix).system; system = (import ../ssh.nix).system;
in { in {
networking.hosts = {
# some DNS providers filter local ip results from DNS request
"172.30.145.180" = [ "s0.zt.neet.dev" ];
"172.30.109.9" = [ "ponyo.zt.neet.dev" ];
"172.30.189.212" = [ "ray.zt.neet.dev" ];
};
programs.ssh.knownHosts = { programs.ssh.knownHosts = {
liza = { liza = {
hostNames = [ "liza" "liza.neet.dev" ]; hostNames = [ "liza" "liza.neet.dev" ];
publicKey = system.liza; publicKey = system.liza;
}; };
ponyo = {
hostNames = [ "ponyo" "ponyo.neet.dev" "ponyo.zt.neet.dev" "git.neet.dev" ];
publicKey = system.ponyo;
};
ponyo-unlock = {
hostNames = [ "unlock.ponyo.neet.dev" "cfamr6artx75qvt7ho3rrbsc7mkucmv5aawebwflsfuorusayacffryd.onion" ];
publicKey = system.ponyo-unlock;
};
ray = { ray = {
hostNames = [ "ray" ]; hostNames = [ "ray" "ray.zt.neet.dev" ];
publicKey = system.ray; publicKey = system.ray;
}; };
s0 = { s0 = {
hostNames = [ "s0" ]; hostNames = [ "s0" "s0.zt.neet.dev" ];
publicKey = system.s0; publicKey = system.s0;
}; };
n1 = { n1 = {


@@ -0,0 +1,113 @@
{ config, pkgs, lib, ... }:
let
cfg = config.pia;
vpnfailsafe = pkgs.stdenv.mkDerivation {
pname = "vpnfailsafe";
version = "0.0.1";
src = ./.;
installPhase = ''
mkdir -p $out
cp vpnfailsafe.sh $out/vpnfailsafe.sh
sed -i 's|getent|${pkgs.getent}/bin/getent|' $out/vpnfailsafe.sh
'';
};
in
{
options.pia = {
enable = lib.mkEnableOption "Enable private internet access";
server = lib.mkOption {
type = lib.types.str;
default = "us-washingtondc.privacy.network";
example = "swiss.privacy.network";
};
};
config = lib.mkIf cfg.enable {
services.openvpn = {
servers = {
pia = {
config = ''
client
dev tun
proto udp
remote ${cfg.server} 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass
compress
verb 1
reneg-sec 0
<crl-verify>
-----BEGIN X509 CRL-----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-----END X509 CRL-----
</crl-verify>
<ca>
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</ca>
disable-occ
auth-user-pass /run/agenix/pia-login.conf
'';
autoStart = true;
up = "${vpnfailsafe}/vpnfailsafe.sh";
down = "${vpnfailsafe}/vpnfailsafe.sh";
};
};
};
age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
};
}
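
Review bot: The embedded OpenVPN config enables `compress` alongside `cipher aes-128-cbc` and `auth sha1`. Compression inside a VPN tunnel is exposed to VORACLE-style plaintext recovery and OpenVPN advises against enabling it, so drop `compress` unless the endpoint refuses to connect without it, and prefer an AEAD cipher if the endpoint offers one. `reneg-sec 0` disables time-based rekeying on the client side, which deserves a comment explaining why. `auth-user-pass` appears twice, once bare and once with `/run/agenix/pia-login.conf`; the bare one is redundant and should go.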


@@ -0,0 +1,16 @@
{ config, lib, ... }:
with lib;
let
cfg = config.services.tailscale;
in
{
options.services.tailscale.exitNode = mkEnableOption "Enable exit node support";
config.services.tailscale.enable = !config.boot.isContainer;
# exit node
config.networking.firewall.checkReversePath = mkIf cfg.exitNode "loose";
config.networking.ip_forward = mkIf cfg.exitNode true;
}
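
Review bot: `config.services.tailscale.enable = !config.boot.isContainer;` is set at normal priority, so a machine that wants Tailscale off has to reach for `mkForce`. Wrap the value in `mkDefault` so a host can opt out with a plain `services.tailscale.enable = false;`. The text passed to `mkEnableOption` should be `"exit node support"`, since the helper adds "Whether to enable" itself.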

97
common/network/vpn.nix Normal file

@@ -0,0 +1,97 @@
{ config, pkgs, lib, allModules, ... }:
with lib;
let
cfg = config.vpn-container;
in
{
options.vpn-container = {
enable = mkEnableOption "Enable VPN container";
containerName = mkOption {
type = types.str;
default = "vpn";
description = ''
Name of the VPN container.
'';
};
mounts = mkOption {
type = types.listOf types.str;
default = [ "/var/lib" ];
example = "/home/example";
description = ''
List of mounts on the host to bind to the vpn container.
'';
};
config = mkOption {
type = types.anything;
default = {};
example = ''
{
services.nginx.enable = true;
}
'';
description = ''
NixOS config for the vpn container.
'';
};
};
config = mkIf cfg.enable {
containers.${cfg.containerName} = {
ephemeral = true;
autoStart = true;
bindMounts = mkMerge ([{
"/run/agenix" = {
hostPath = "/run/agenix";
isReadOnly = true;
};
}] ++ (lists.forEach cfg.mounts (mount:
{
"${mount}" = {
hostPath = mount;
isReadOnly = false;
};
}
)));
enableTun = true;
privateNetwork = true;
hostAddress = "172.16.100.1";
localAddress = "172.16.100.2";
config = {
imports = allModules ++ [cfg.config];
nixpkgs.pkgs = pkgs;
networking.firewall.enable = mkForce false;
pia.enable = true;
pia.server = "swiss.privacy.network"; # swiss vpn
# run it's own DNS resolver
networking.useHostResolvConf = false;
services.resolved.enable = true;
};
};
# load secrets the container needs
age.secrets = config.containers.${cfg.containerName}.config.age.secrets;
# forwarding for vpn container
networking.nat.enable = true;
networking.nat.internalInterfaces = [
"ve-${cfg.containerName}"
];
networking.ip_forward = true;
# assumes only one potential interface
networking.usePredictableInterfaceNames = false;
networking.nat.externalInterface = "eth0";
};
}
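
Review bot: The container is handed more of the host than a VPN sandbox needs: `/run/agenix` is bind-mounted whole, so every decrypted host secret is visible to root inside the container rather than only `pia-login.conf`, and the default `mounts = [ "/var/lib" ]` exposes all host service state read-write. Bind only the secret files the container uses and default `mounts` to an empty list. `networking.firewall.enable = mkForce false;` leaves leak protection entirely to `vpnfailsafe.sh`, and `networking.nat.externalInterface = "eth0"` with `usePredictableInterfaceNames = false` changes interface naming on every host that enables this option; both should be options or at least carry a comment. The `example` for `mounts` is a string while the type is `listOf str`.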


@@ -60,9 +60,9 @@ in {
"oboonakemofpalcgghocfoadofidjkkk" # keepassxc plugin "oboonakemofpalcgghocfoadofidjkkk" # keepassxc plugin
"cimiefiiaegbelhefglklhhakcgmhkai" # plasma integration "cimiefiiaegbelhefglklhhakcgmhkai" # plasma integration
"hkgfoiooedgoejojocmhlaklaeopbecg" # picture in picture "hkgfoiooedgoejojocmhlaklaeopbecg" # picture in picture
"fihnjjcciajhdojfnbdddfaoknhalnja" # I don't care about cookies
"mnjggcdmjocbbbhaepdhchncahnbgone" # SponsorBlock "mnjggcdmjocbbbhaepdhchncahnbgone" # SponsorBlock
"dhdgffkkebhmkfjojejmpbldmpobfkfo" # Tampermonkey "dhdgffkkebhmkfjojejmpbldmpobfkfo" # Tampermonkey
# "ehpdicggenhgapiikfpnmppdonadlnmp" # Disable Scroll Jacking
]; ];
extraOpts = { extraOpts = {
"BrowserSignin" = 0; "BrowserSignin" = 0;
@@ -79,7 +79,6 @@ in {
nixpkgs.config.packageOverrides = pkgs: { nixpkgs.config.packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; }; vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
chromium = pkgs.chromium.override { chromium = pkgs.chromium.override {
gnomeKeyringSupport = true;
enableWideVine = true; enableWideVine = true;
# ungoogled = true; # ungoogled = true;
# --enable-native-gpu-memory-buffers # fails on AMD APU # --enable-native-gpu-memory-buffers # fails on AMD APU


@@ -17,6 +17,7 @@ in {
./discord.nix ./discord.nix
./steam.nix ./steam.nix
./touchpad.nix ./touchpad.nix
./mount-samba.nix
]; ];
options.de = { options.de = {
@@ -41,8 +42,6 @@ in {
nextcloud-client nextcloud-client
signal-desktop signal-desktop
minecraft minecraft
sauerbraten
gnome.file-roller
gparted gparted
libreoffice-fresh libreoffice-fresh
thunderbird thunderbird
@@ -50,6 +49,7 @@ in {
spotify-qt spotify-qt
arduino arduino
yt-dlp yt-dlp
jellyfin-media-player
]; ];
# Networking # Networking
@@ -65,6 +65,8 @@ in {
services.avahi.enable = true; services.avahi.enable = true;
services.avahi.nssmdns = true; services.avahi.nssmdns = true;
programs.file-roller.enable = true;
# Security # Security
services.gnome.gnome-keyring.enable = true; services.gnome.gnome-keyring.enable = true;
security.pam.services.googlebot.enableGnomeKeyring = true; security.pam.services.googlebot.enableGnomeKeyring = true;

36
common/pc/mount-samba.nix Normal file

@@ -0,0 +1,36 @@
# mounts the samba share on s0 over zeroteir
{ config, lib, ... }:
let
cfg = config.services.mount-samba;
# prevents hanging on network split
network_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s,nostrictsync,cache=loose,handlecache,handletimeout=30000,rwpidforward,mapposix,soft,resilienthandles,echo_interval=10,noblocksend";
user_opts = "uid=${toString config.users.users.googlebot.uid},file_mode=0660,dir_mode=0770,user";
auth_opts = "credentials=/run/agenix/smb-secrets";
version_opts = "vers=2.1";
opts = "${network_opts},${user_opts},${version_opts},${auth_opts}";
in {
options.services.mount-samba = {
enable = lib.mkEnableOption "enable mounting samba shares";
};
config = lib.mkIf (cfg.enable && config.services.zerotierone.enable) {
fileSystems."/mnt/public" = {
device = "//s0.zt.neet.dev/public";
fsType = "cifs";
options = [ opts ];
};
fileSystems."/mnt/private" = {
device = "//s0.zt.neet.dev/googlebot";
fsType = "cifs";
options = [ opts ];
};
age.secrets.smb-secrets.file = ../../secrets/smb-secrets.age;
};
}
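
Review bot: `version_opts = "vers=2.1"` pins an SMB dialect that has no transport encryption, so confidentiality of the share traffic rests entirely on the ZeroTier link. If the Samba server on s0 allows it, use `vers=3.0` or later and add `seal`. The `user` flag in `user_opts` additionally allows non-root users to mount the share with the stored credentials, which is broader than the single `googlebot` uid the files are mapped to. The `mkIf` also produces no mounts at all when `services.zerotierone.enable` is false; an `assertions` entry would make that visible instead of silent.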

76
common/pc/pia/default.nix Normal file

@@ -0,0 +1,76 @@
{ lib, config, pkgs, ... }:
with lib;
let
cfg = config.services.pia;
in {
imports = [
./pia.nix
];
options.services.pia = {
enable = lib.mkEnableOption "Enable PIA Client";
dataDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/pia";
description = ''
Path to the pia data directory
'';
};
user = lib.mkOption {
type = lib.types.str;
default = "root";
description = ''
The user pia should run as
'';
};
group = lib.mkOption {
type = lib.types.str;
default = "piagrp";
description = ''
The group pia should run as
'';
};
users = mkOption {
type = with types; listOf str;
default = [];
description = ''
Usernames to be added to the "spotifyd" group, so that they
can start and interact with the userspace daemon.
'';
};
};
config = mkIf cfg.enable {
# users.users.${cfg.user} =
# if cfg.user == "pia" then {
# isSystemUser = true;
# group = cfg.group;
# home = cfg.dataDir;
# createHome = true;
# }
# else {};
users.groups.${cfg.group}.members = cfg.users;
systemd.services.pia-daemon = {
enable = true;
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.ExecStart = "${pkgs.pia-daemon}/bin/pia-daemon";
serviceConfig.PrivateTmp="yes";
serviceConfig.User = cfg.user;
serviceConfig.Group = cfg.group;
preStart = ''
mkdir -p ${cfg.dataDir}
chown ${cfg.user}:${cfg.group} ${cfg.dataDir}
'';
};
};
}
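
Review bot: `user` defaults to `"root"`, so `pia-daemon` runs with full privileges while the `users.users` block that would create a dedicated account is commented out. If the daemon needs root for network setup, say so in the option description; otherwise default to a system user. `preStart` runs as `cfg.user`, so the `mkdir`/`chown` pair fails for any non-root value; `serviceConfig.StateDirectory` would create and own the directory without a script, and it fits the default `dataDir` under `/var/lib`. The `users` option description still refers to the "spotifyd" group.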

147
common/pc/pia/fix-pia.patch Normal file

@@ -0,0 +1,147 @@
diff --git a/Rakefile b/Rakefile
index fa6d771..bcd6fb1 100644
--- a/Rakefile
+++ b/Rakefile
@@ -151,41 +151,6 @@ end
# Install LICENSE.txt
stage.install('LICENSE.txt', :res)
-# Download server lists to ship preloaded copies with the app. These tasks
-# depend on version.txt so they're refreshed periodically (whenver a new commit
-# is made), but not for every build.
-#
-# SERVER_DATA_DIR can be set to use existing files instead of downloading them;
-# this is primarily intended for reproducing a build.
-#
-# Create a probe for SERVER_DATA_DIR so these are updated if it changes.
-serverDataProbe = Probe.new('serverdata')
-serverDataProbe.file('serverdata.txt', "#{ENV['SERVER_DATA_DIR']}")
-# JSON resource build directory
-jsonFetched = Build.new('json-fetched')
-# These are the assets we need to fetch and the URIs we get them from
-{
- 'modern_shadowsocks.json': 'https://serverlist.piaservers.net/shadow_socks',
- 'modern_servers.json': 'https://serverlist.piaservers.net/vpninfo/servers/v6',
- 'modern_region_meta.json': 'https://serverlist.piaservers.net/vpninfo/regions/v2'
-}.each do |k, v|
- fetchedFile = jsonFetched.artifact(k.to_s)
- serverDataDir = ENV['SERVER_DATA_DIR']
- file fetchedFile => [version.artifact('version.txt'),
- serverDataProbe.artifact('serverdata.txt'),
- jsonFetched.componentDir] do |t|
- if(serverDataDir)
- # Use the copy provided instead of fetching (for reproducing a build)
- File.copy(File.join(serverDataDir, k), fetchedFile)
- else
- # Fetch from the web API (write with "binary" mode so LF is not
- # converted to CRLF on Windows)
- File.binwrite(t.name, Net::HTTP.get(URI(v)))
- end
- end
- stage.install(fetchedFile, :res)
-end
-
# Install version/brand/arch info in case an upgrade needs to know what is
# currently installed
stage.install(version.artifact('version.txt'), :res)
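
Review bot: Deleting the whole fetch block in `Rakefile` also removes the `SERVER_DATA_DIR` branch, which the removed comment describes as the supported way to reproduce a build without downloading. Keeping that branch and pointing `SERVER_DATA_DIR` at files fetched with a pinned hash from `pia.nix` would avoid network access in the build and still install `modern_servers.json` and the other two lists, instead of shipping a client with no preloaded server data.
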
diff --git a/common/src/posix/unixsignalhandler.cpp b/common/src/posix/unixsignalhandler.cpp
index f820a6d..e1b6c33 100644
--- a/common/src/posix/unixsignalhandler.cpp
+++ b/common/src/posix/unixsignalhandler.cpp
@@ -132,7 +132,7 @@ void UnixSignalHandler::_signalHandler(int, siginfo_t *info, void *)
// we checked it, we can't even log because the logger is not reentrant.
auto pThis = instance();
if(pThis)
- ::write(pThis->_sigFd[0], info, sizeof(siginfo_t));
+ auto _ = ::write(pThis->_sigFd[0], info, sizeof(siginfo_t));
}
template<int Signal>
void UnixSignalHandler::setAbortAction()
diff --git a/daemon/src/linux/linux_nl.cpp b/daemon/src/linux/linux_nl.cpp
index fd3aced..2367a5e 100644
--- a/daemon/src/linux/linux_nl.cpp
+++ b/daemon/src/linux/linux_nl.cpp
@@ -642,6 +642,6 @@ LinuxNl::~LinuxNl()
unsigned char term = 0;
PosixFd killSocket = _workerKillSocket.get();
if(killSocket)
- ::write(killSocket.get(), &term, sizeof(term));
+ auto _ = ::write(killSocket.get(), &term, sizeof(term));
_workerThread.join();
}
diff --git a/extras/support-tool/launcher/linux-launcher.cpp b/extras/support-tool/launcher/linux-launcher.cpp
index 3f63ac2..420d54d 100644
--- a/extras/support-tool/launcher/linux-launcher.cpp
+++ b/extras/support-tool/launcher/linux-launcher.cpp
@@ -48,7 +48,7 @@ int fork_execv(gid_t gid, char *filename, char *const argv[])
if(forkResult == 0)
{
// Apply gid as both real and effective
- setregid(gid, gid);
+ auto _ = setregid(gid, gid);
int execErr = execv(filename, argv);
std::cerr << "exec err: " << execErr << " / " << errno << " - "
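
Review bot: In `fork_execv`, `auto _ = setregid(gid, gid);` only silences the unused-result warning; if `setregid` fails, the child still reaches `execv` with its original group IDs. Check the return value and `_exit` on failure rather than discarding it.
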
diff --git a/rake/model/qt.rb b/rake/model/qt.rb
index c8cd362..a6abe59 100644
--- a/rake/model/qt.rb
+++ b/rake/model/qt.rb
@@ -171,12 +171,7 @@ class Qt
end
def getQtRoot(qtVersion, arch)
- qtToolchainPtns = getQtToolchainPatterns(arch)
- qtRoots = FileList[*Util.joinPaths([[qtVersion], qtToolchainPtns])]
- # Explicitly filter for existing paths - if the pattern has wildcards
- # we only get existing directories, but if the patterns are just
- # alternates with no wildcards, we can get directories that don't exist
- qtRoots.find_all { |r| File.exist?(r) }.max
+ ENV['QTROOT']
end
def getQtVersionScore(minor, patch)
@@ -192,12 +187,7 @@ class Qt
end
def getQtPathVersion(path)
- verMatch = path.match('^.*/Qt[^/]*/5\.(\d+)\.?(\d*)$')
- if(verMatch == nil)
- nil
- else
- [verMatch[1].to_i, verMatch[2].to_i]
- end
+ [ENV['QT_MAJOR'].to_i, ENV['QT_MINOR'].to_i]
end
# Build a component definition with the defaults. The "Core" component will
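
Review bot: `getQtPathVersion` returns minor and patch (the removed regex matched `5\.(\d+)\.?(\d*)`), yet the replacement reads them from `ENV['QT_MAJOR']` and `ENV['QT_MINOR']`, and `pia.nix` compensates by assigning `lib.versions.minor` to `QT_MAJOR`. Rename the variables to match what they hold. Because `nil.to_i` is 0 in Ruby, an unset variable silently yields `[0, 0]` here and `getQtRoot` returns nil; `ENV.fetch` would fail loudly instead.
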
diff --git a/rake/product/linux.rb b/rake/product/linux.rb
index f43fb3e..83505af 100644
--- a/rake/product/linux.rb
+++ b/rake/product/linux.rb
@@ -18,8 +18,7 @@ module PiaLinux
QT_BINARIES = %w(pia-client pia-daemon piactl pia-support-tool)
# Version of libicu (needed to determine lib*.so.## file names in deployment)
- ICU_VERSION = FileList[File.join(Executable::Qt.targetQtRoot, 'lib', 'libicudata.so.*')]
- .first.match(/libicudata\.so\.(\d+)(\..*|)/)[1]
+ ICU_VERSION = ENV['ICU_MAJOR'].to_i;
# Copy a directory recursively, excluding *.debug files (debugging symbols)
def self.copyWithoutDebug(sourceDir, destDir)
@@ -220,16 +219,5 @@ module PiaLinux
# Since these are just development workflow tools, they can be skipped if
# specific dependencies are not available.
def self.defineTools(toolsStage)
- # Test if we have libthai-dev, for the Thai word breaking utility
- if(Executable::Tc.sysHeaderAvailable?('thai/thwbrk.h'))
- Executable.new('thaibreak')
- .source('tools/thaibreak')
- .lib('thai')
- .install(toolsStage, :bin)
- toolsStage.install('tools/thaibreak/thai_ts.sh', :bin)
- toolsStage.install('tools/onesky_import/import_translations.sh', :bin)
- else
- puts "skipping thaibreak utility, install libthai-dev to build thaibreak"
- end
end
end

139
common/pc/pia/pia.nix Normal file

@@ -0,0 +1,139 @@
{ pkgs, lib, config, ... }:
{
nixpkgs.overlays = [
(self: super:
with self;
let
# arch = builtins.elemAt (lib.strings.splitString "-" builtins.currentSystem) 0;
arch = "x86_64";
pia-desktop = clangStdenv.mkDerivation rec {
pname = "pia-desktop";
version = "3.3.0";
src = fetchgit {
url = "https://github.com/pia-foss/desktop";
rev = version;
fetchLFS = true;
sha256 = "D9txL5MUWyRYTnsnhlQdYT4dGVpj8PFsVa5hkrb36cw=";
};
patches = [
./fix-pia.patch
];
nativeBuildInputs = [
cmake
rake
];
prePatch = ''
sed -i 's|/usr/include/libnl3|${libnl.dev}/include/libnl3|' Rakefile
'';
installPhase = ''
mkdir -p $out/bin $out/lib $out/share
cp -r ../out/pia_release_${arch}/stage/bin $out
cp -r ../out/pia_release_${arch}/stage/lib $out
cp -r ../out/pia_release_${arch}/stage/share $out
'';
cmakeFlags = [
"-DCMAKE_BUILD_TYPE=Release"
];
QTROOT = "${qt5.full}";
QT_MAJOR = lib.versions.minor (lib.strings.parseDrvName qt5.full.name).version;
QT_MINOR = lib.versions.patch (lib.strings.parseDrvName qt5.full.name).version;
ICU_MAJOR = lib.versions.major (lib.strings.parseDrvName icu.name).version;
buildInputs = [
mesa
libsForQt5.qt5.qtquickcontrols
libsForQt5.qt5.qtquickcontrols2
icu
libnl
];
dontWrapQtApps = true;
};
in rec {
openvpn-updown = buildFHSUserEnv {
name = "openvpn-updown";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "openvpn-updown.sh";
};
pia-client = buildFHSUserEnv {
name = "pia-client";
targetPkgs = pkgs: (with pkgs; [
pia-desktop
xorg.libXau
xorg.libXdmcp
]);
runScript = "pia-client";
};
piactl = buildFHSUserEnv {
name = "piactl";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "piactl";
};
pia-daemon = buildFHSUserEnv {
name = "pia-daemon";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "pia-daemon";
};
pia-hnsd = buildFHSUserEnv {
name = "pia-hnsd";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "pia-hnsd";
};
pia-openvpn = buildFHSUserEnv {
name = "pia-openvpn";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "pia-openvpn";
};
pia-ss-local = buildFHSUserEnv {
name = "pia-ss-local";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "pia-ss-local";
};
pia-support-tool = buildFHSUserEnv {
name = "pia-support-tool";
targetPkgs = pkgs: (with pkgs; [
pia-desktop
xorg.libXau
xorg.libXdmcp
]);
runScript = "pia-support-tool";
};
pia-unbound = buildFHSUserEnv {
name = "pia-unbound";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "pia-unbound";
};
pia-wireguard-go = buildFHSUserEnv {
name = "pia-wireguard-go";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "pia-wireguard-go";
};
support-tool-launcher = buildFHSUserEnv {
name = "support-tool-launcher";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "support-tool-launcher";
};
})
];
}
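
Review bot: QT_MAJOR is computed with lib.versions.minor and QT_MINOR with lib.versions.patch, while ICU_MAJOR uses lib.versions.major, so the two Qt variables hold the second and third version components rather than what their names say. If the PIA build scripts really expect that, add a comment saying so; otherwise switch to lib.versions.major and lib.versions.minor. The eleven buildFHSUserEnv wrappers are nearly identical (only pia-client and pia-support-tool add the two xorg libraries) and could be generated from a list of names, which would make those exceptions obvious.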

View File

@@ -1,108 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.pia;
vpnfailsafe = pkgs.stdenv.mkDerivation {
pname = "vpnfailsafe";
version = "0.0.1";
src = ./.;
installPhase = ''
mkdir -p $out
cp vpnfailsafe.sh $out/vpnfailsafe.sh
sed -i 's|getent|${pkgs.getent}/bin/getent|' $out/vpnfailsafe.sh
'';
};
in
{
options.pia = {
enable = lib.mkEnableOption "Enable private internet access";
};
config = lib.mkIf cfg.enable {
services.openvpn = {
servers = {
pia = {
config = ''
client
dev tun
proto udp
remote us-washingtondc.privacy.network 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass
compress
verb 1
reneg-sec 0
<crl-verify>
-----BEGIN X509 CRL-----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-----END X509 CRL-----
</crl-verify>
<ca>
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</ca>
disable-occ
auth-user-pass /run/agenix/pia-login.conf
'';
autoStart = true;
up = "${vpnfailsafe}/vpnfailsafe.sh";
down = "${vpnfailsafe}/vpnfailsafe.sh";
};
};
};
age.secrets."pia-login.conf".file = ../secrets/pia-login.conf;
};
}
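
Review bot: the deleted OpenVPN profile wired vpnfailsafe.sh in as both the up and the down script, so removing this module also removes that kill switch. Whatever replaces pia.enable needs an equivalent before any service that relied on it is started again, and the pia-login.conf secret declared at the bottom of the file should be dropped from the secrets set if no host references it any more.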

View File

@@ -13,5 +13,6 @@
./privatebin/privatebin.nix ./privatebin/privatebin.nix
./radio.nix ./radio.nix
./samba.nix ./samba.nix
./owncast.nix
]; ];
} }

View File

@@ -59,23 +59,25 @@ in {
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
services.matrix-synapse = { services.matrix-synapse = {
enable = true; enable = true;
server_name = cfg.host; settings = {
enable_registration = cfg.enable_registration; server_name = cfg.host;
listeners = [ { enable_registration = cfg.enable_registration;
bind_address = "127.0.0.1"; listeners = [ {
port = cfg.port; bind_addresses = ["127.0.0.1"];
tls = false; port = cfg.port;
resources = [ { tls = false;
compress = true; resources = [ {
names = [ "client" "federation" ]; compress = true;
names = [ "client" "federation" ];
} ];
} ]; } ];
} ]; turn_uris = [
turn_uris = [ "turn:${cfg.turn.host}:${toString cfg.turn.port}?transport=udp"
"turn:${cfg.turn.host}:${toString cfg.turn.port}?transport=udp" "turn:${cfg.turn.host}:${toString cfg.turn.port}?transport=tcp"
"turn:${cfg.turn.host}:${toString cfg.turn.port}?transport=tcp" ];
]; turn_shared_secret = cfg.turn.secret;
turn_shared_secret = cfg.turn.secret; turn_user_lifetime = "1h";
turn_user_lifetime = "1h"; };
}; };
services.coturn = { services.coturn = {
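
Review bot: turn_shared_secret = cfg.turn.secret under settings takes the TURN shared secret from a plain option value, which ends up in the generated Synapse configuration in the world-readable Nix store. Take a path to a secret file instead (other modules in this repository already read theirs from /run/agenix) and hand it to Synapse through a separate config file, so the value never becomes part of a derivation.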

31
common/server/owncast.nix Normal file
View File

@@ -0,0 +1,31 @@
{ lib, config, ... }:
with lib;
let
cfg = config.services.owncast;
in {
options.services.owncast = {
hostname = lib.mkOption {
type = types.str;
example = "example.com";
};
};
config = mkIf cfg.enable {
services.owncast.listen = "127.0.0.1";
services.owncast.port = 62419; # random port
networking.firewall.allowedTCPPorts = [ cfg.rtmp-port ];
services.nginx.enable = true;
services.nginx.virtualHosts.${cfg.hostname} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${toString cfg.port}";
proxyWebsockets = true;
};
};
};
}
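
Review bot: networking.firewall.allowedTCPPorts = [ cfg.rtmp-port ] opens the RTMP ingest port to the network while the web UI is kept on 127.0.0.1 behind nginx, so the ingest is the one part of the service reachable without TLS; say so in a comment, or restrict the port to the addresses that actually stream to it. proxyPass uses localhost although the service listens on 127.0.0.1 only; writing 127.0.0.1 in the proxy URL avoids a failed attempt when localhost resolves to ::1. The hostname option has no description.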

View File

@@ -24,6 +24,10 @@
load printers = yes load printers = yes
printing = cups printing = cups
printcap name = cups printcap name = cups
# horrible files
veto files = /._*/.DS_Store/ /._*/._.DS_Store/
delete veto files = yes
''; '';
shares = { shares = {
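
Review bot: veto files takes a list of patterns separated by '/', so the space between the two groups in /._*/.DS_Store/ /._*/._.DS_Store/ becomes a pattern of its own, and ._* is listed twice (it already covers ._.DS_Store). /._*/.DS_Store/ is enough. delete veto files = yes also lets Samba delete the matching files when a client removes the directory that contains them, which the "horrible files" comment does not tell the reader.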
@@ -31,22 +35,34 @@
path = "/data/samba/Public"; path = "/data/samba/Public";
browseable = "yes"; browseable = "yes";
"read only" = "no"; "read only" = "no";
"guest ok" = "yes";
"create mask" = "0644";
"directory mask" = "0755";
"force user" = "googlebot";
"force group" = "public_data";
};
private = {
path = "/data/samba/Private";
browseable = "yes";
"read only" = "no";
"guest ok" = "no"; "guest ok" = "no";
"create mask" = "0644"; "create mask" = "0644";
"directory mask" = "0755"; "directory mask" = "0755";
"force user" = "public_data";
"force group" = "public_data";
};
googlebot = {
path = "/data/samba/googlebot";
browseable = "yes";
"read only" = "no";
"guest ok" = "no";
"valid users" = "googlebot";
"create mask" = "0644";
"directory mask" = "0755";
"force user" = "googlebot"; "force user" = "googlebot";
"force group" = "users"; "force group" = "users";
}; };
cris = {
path = "/data/samba/cris";
browseable = "yes";
"read only" = "no";
"guest ok" = "no";
"valid users" = "cris";
"create mask" = "0644";
"directory mask" = "0755";
"force user" = "root";
"force group" = "users";
};
printers = { printers = {
comment = "All Printers"; comment = "All Printers";
path = "/var/spool/samba"; path = "/var/spool/samba";
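
Review bot: the cris share sets "force user" = "root", so every file operation on /data/samba/cris is carried out as root for anyone who authenticates as cris; force the cris system user created later in this change instead. The Public share is now guest-writable ("guest ok" = "yes" with "read only" = "no") and maps guests onto "force user" = "googlebot", a real login account, while the Private share forces public_data; if that is a mix-up between the two shares, swap them so that guests are mapped to the unprivileged public_data user.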
@@ -84,5 +100,16 @@
]; ];
users.groups.public_data.gid = 994; users.groups.public_data.gid = 994;
users.users.public_data = {
isSystemUser = true;
group = "public_data";
uid = 994;
};
users.users.googlebot.extraGroups = [ "public_data" ];
# samba user for share
users.users.cris.isSystemUser = true;
users.users.cris.group = "cris";
users.groups.cris = {};
}; };
} }

View File

@@ -23,7 +23,7 @@ in {
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
services.thelounge = { services.thelounge = {
private = true; public = false;
extraConfig = { extraConfig = {
reverseProxy = true; reverseProxy = true;
maxHistory = -1; maxHistory = -1;

46
common/shell.nix Normal file
View File

@@ -0,0 +1,46 @@
{ config, pkgs, ... }:
# Improvements to the default shell
# - use nix-locate for command-not-found
# - disable fish's annoying greeting message
# - add some handy shell commands
let
nix-locate = config.inputs.nix-locate.packages.${config.currentSystem}.default;
in {
programs.command-not-found.enable = false;
environment.systemPackages = [
nix-locate
];
programs.fish = {
enable = true;
shellInit = let
wrapper = pkgs.writeScript "command-not-found" ''
#!${pkgs.bash}/bin/bash
source ${nix-locate}/etc/profile.d/command-not-found.sh
command_not_found_handle "$@"
'';
in ''
# use nix-locate for command-not-found functionality
function __fish_command_not_found_handler --on-event fish_command_not_found
${wrapper} $argv
end
# disable annoying fish shell greeting
set fish_greeting
'';
};
environment.shellAliases = {
myip = "dig +short myip.opendns.com @resolver1.opendns.com";
# https://linuxreviews.org/HOWTO_Test_Disk_I/O_Performance
io_seq_read = "nix run nixpkgs#fio -- --name TEST --eta-newline=5s --filename=temp.file --rw=read --size=2g --io_size=10g --blocksize=1024k --ioengine=libaio --fsync=10000 --iodepth=32 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
io_seq_write = "nix run nixpkgs#fio -- --name TEST --eta-newline=5s --filename=temp.file --rw=write --size=2g --io_size=10g --blocksize=1024k --ioengine=libaio --fsync=10000 --iodepth=32 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
io_rand_read = "nix run nixpkgs#fio -- --name TEST --eta-newline=5s --filename=temp.file --rw=randread --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=32 --runtime=60 --group_reporting; rm temp.file";
io_rand_write = "nix run nixpkgs#fio -- --name TEST --eta-newline=5s --filename=temp.file --rw=randrw --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
};
}
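
Review bot: io_rand_write runs fio with --rw=randrw, which is a mixed random read/write workload; a write-only benchmark matching the alias name is --rw=randwrite. All four aliases end in "; rm temp.file", which runs even when fio fails or is interrupted and removes any unrelated temp.file in the current directory; a mktemp-generated file name would be safer.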

View File

@@ -8,8 +8,10 @@ rec {
]; ];
system = { system = {
liza = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDY/pNyWedEfU7Tq9ikGbriRuF1ZWkHhegGS17L0Vcdl"; liza = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDY/pNyWedEfU7Tq9ikGbriRuF1ZWkHhegGS17L0Vcdl";
ponyo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMBBlTAIp38RhErU1wNNV5MBeb+WGH0mhF/dxh5RsAXN";
ponyo-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC9LQuuImgWlkjDhEEIbM1wOd+HqRv1RxvYZuLXPSdRi";
ray = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQM8hwKRgl8cZj7UVYATSLYu4LhG7I0WFJ9m2iWowiB"; ray = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQM8hwKRgl8cZj7UVYATSLYu4LhG7I0WFJ9m2iWowiB";
s0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHkTQNPzrIhsKk3OpTHq8b7slIp9LktB49r1w/DKb/5b"; s0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";
n1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPWlhd1Oid5Xf2zdcBrcdrR0TlhObutwcJ8piobRTpRt"; n1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPWlhd1Oid5Xf2zdcBrcdrR0TlhObutwcJ8piobRTpRt";
n2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ7bRiRutnI7Bmyt/I238E3Fp5DqiClIXiVibsccipOr"; n2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ7bRiRutnI7Bmyt/I238E3Fp5DqiClIXiVibsccipOr";
n3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+rJEaRrFDGirQC2UoWQkmpzLg4qgTjGJgVqiipWiU5"; n3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+rJEaRrFDGirQC2UoWQkmpzLg4qgTjGJgVqiipWiU5";
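
Review bot: the s0 host key is replaced rather than added, so anything still keyed to the old value (secrets encrypted for s0, known_hosts entries) has to be re-issued in the same change or it will stop working on that host. ponyo-unlock is defined here but, unlike ponyo, is not added to the systems or servers groups in the following hunks; a one-line comment saying what the key is for and why it stays out of the groups would help.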
@@ -22,6 +24,7 @@ rec {
# groups # groups
systems = with system; [ systems = with system; [
liza liza
ponyo
ray ray
s0 s0
n1 n1
@@ -37,6 +40,7 @@ rec {
]; ];
servers = with system; [ servers = with system; [
liza liza
ponyo
s0 s0
n1 n1
n2 n2

171
flake.lock generated
View File

@@ -2,16 +2,17 @@
"nodes": { "nodes": {
"agenix": { "agenix": {
"inputs": { "inputs": {
"darwin": "darwin",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
] ]
}, },
"locked": { "locked": {
"lastModified": 1648942457, "lastModified": 1675176355,
"narHash": "sha256-i29Z1t3sVfCNfpp+KAfeExvpqHQSbLO1KWylTtfradU=", "narHash": "sha256-Qjxh5cmN56siY97mzmBLI1+cdjXSPqmfPVsKxBvHmwI=",
"owner": "ryantm", "owner": "ryantm",
"repo": "agenix", "repo": "agenix",
"rev": "0d5e59ed645e4c7b60174bc6f6aac6a203dc0b01", "rev": "b7ffcfe77f817d9ee992640ba1f270718d197f28",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -32,7 +33,7 @@
"locked": { "locked": {
"lastModified": 1648612759, "lastModified": 1648612759,
"narHash": "sha256-SJwlpD2Wz3zFoX2mIYCQfwIOYHaOdeiWGFeDXsLGM84=", "narHash": "sha256-SJwlpD2Wz3zFoX2mIYCQfwIOYHaOdeiWGFeDXsLGM84=",
"ref": "master", "ref": "refs/heads/master",
"rev": "39d338b9b24159d8ef3309eecc0d32a2a9f102b5", "rev": "39d338b9b24159d8ef3309eecc0d32a2a9f102b5",
"revCount": 2, "revCount": 2,
"type": "git", "type": "git",
@@ -61,8 +62,6 @@
}, },
"dailybuild_modules": { "dailybuild_modules": {
"inputs": { "inputs": {
"drastikbot": "drastikbot",
"drastikbot_modules": "drastikbot_modules",
"flake-utils": [ "flake-utils": [
"flake-utils" "flake-utils"
], ],
@@ -71,60 +70,64 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1648509055, "lastModified": 1651719222,
"narHash": "sha256-y8AXfcbkAqn9UcfnfQz1MisT4YIXxj2I6P7uMnqMn9E=", "narHash": "sha256-p/GY5vOP+HUlxNL4OtEhmBNEVQsedOHXEmjfCGONVmE=",
"ref": "refs/heads/master",
"rev": "1290ddd9a2ff2bf2d0f702750768312b80efcd34",
"revCount": 19,
"type": "git",
"url": "https://git.neet.dev/zuckerberg/dailybuild_modules.git"
},
"original": {
"type": "git",
"url": "https://git.neet.dev/zuckerberg/dailybuild_modules.git"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1673295039,
"narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master", "ref": "master",
"rev": "82f4cddc27be4370f321a8d758db1b35c2ce28e5", "repo": "nix-darwin",
"revCount": 11,
"type": "git",
"url": "https://git.neet.dev/zuckerberg/dailybuild_modules.git"
},
"original": {
"type": "git",
"url": "https://git.neet.dev/zuckerberg/dailybuild_modules.git"
}
},
"drastikbot": {
"flake": false,
"locked": {
"lastModified": 1596211584,
"narHash": "sha256-1L8vTE1YEhFWzY5RYb+s5Hb4LrVJNN2leKlZEugEyRU=",
"owner": "olagood",
"repo": "drastikbot",
"rev": "ef72e3afe7602d95c8b014202e220f04796900ab",
"type": "github"
},
"original": {
"owner": "olagood",
"ref": "v2.1",
"repo": "drastikbot",
"type": "github" "type": "github"
} }
}, },
"drastikbot_modules": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1619214744, "lastModified": 1668681692,
"narHash": "sha256-w1164FkRkeyWnx6a95WDbwEUvNkNwFWa/6mhKtgVw0c=", "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
"owner": "olagood", "owner": "edolstra",
"repo": "drastikbot_modules", "repo": "flake-compat",
"rev": "3af549a8c3f6e55b63758a61a751bebb1b2db3a3", "rev": "009399224d5e398d03b22badca40a37ac85412a1",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "olagood", "owner": "edolstra",
"ref": "v2.1", "repo": "flake-compat",
"repo": "drastikbot_modules",
"type": "github" "type": "github"
} }
}, },
"flake-utils": { "flake-utils": {
"locked": { "locked": {
"lastModified": 1648297722, "lastModified": 1667395993,
"narHash": "sha256-W+qlPsiZd8F3XkzXOzAoR+mpFqzm3ekQkJNa+PIh1BQ=", "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "0f8662f1319ad6abf89b3380dd2722369fc51ade", "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -133,49 +136,70 @@
"type": "github" "type": "github"
} }
}, },
"nix-locate": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1673969751,
"narHash": "sha256-U6aYz3lqZ4NVEGEWiti1i0FyqEo4bUjnTAnA73DPnNU=",
"owner": "bennofs",
"repo": "nix-index",
"rev": "5f98881b1ed27ab6656e6d71b534f88430f6823a",
"type": "github"
},
"original": {
"owner": "bennofs",
"repo": "nix-index",
"type": "github"
}
},
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1649117019, "lastModified": 1672580127,
"narHash": "sha256-ID7nw/8MDgqj/cbJ0wy6AtQ9wp58hSnE6+weZwuHnso=", "narHash": "sha256-3lW3xZslREhJogoOkjeZtlBtvFMyxHku7I/9IVehhT8=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "ccb90fb9e11459aeaf83cc28d5f8910816d90dd0", "rev": "0874168639713f547c05947c76124f78441ea46c",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "nixos-21.11", "ref": "nixos-22.05",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs-21_05": { "nixpkgs-22_05": {
"locked": { "locked": {
"lastModified": 1625692408, "lastModified": 1654936503,
"narHash": "sha256-e9L3TLLDVIJpMnHtiNHJE62oOh6emRtSZ244bgYJUZs=", "narHash": "sha256-soKzdhI4jTHv/rSbh89RdlcJmrPgH8oMb/PLqiqIYVQ=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "c06613c25df3fe1dd26243847a3c105cf6770627", "rev": "dab6df51387c3878cdea09f43589a15729cae9f4",
"type": "github" "type": "github"
}, },
"original": { "original": {
"id": "nixpkgs", "id": "nixpkgs",
"ref": "nixos-21.05", "ref": "nixos-22.05",
"type": "indirect" "type": "indirect"
} }
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1649408932, "lastModified": 1675835843,
"narHash": "sha256-JhTW1OtS5fACcRXLqcTTQyYO5vLkO+bceCqeRms13SY=", "narHash": "sha256-y1dSCQPcof4CWzRYRqDj4qZzbBl+raVPAko5Prdil28=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "42948b300670223ca8286aaf916bc381f66a5313", "rev": "32f914af34f126f54b45e482fb2da4ae78f3095f",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "nixos-unstable", "ref": "master",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@@ -190,16 +214,17 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1633288285, "lastModified": 1631585589,
"narHash": "sha256-pL8oEB1AoghvFTsSLLKA1zhV8Z8TM8vcAkeodS6/IZs=", "narHash": "sha256-q4o/4/2pEuJyaKZwNQC5KHnzG1obClzFB7zWk9XSDfY=",
"ref": "main", "ref": "main",
"rev": "eb95b31089f5a107cb7efe0c55d45beb1399ebbb", "rev": "5bf607fed977d41a269942a7d1e92f3e6d4f2473",
"revCount": 51, "revCount": 38,
"type": "git", "type": "git",
"url": "https://git.neet.dev/zuckerberg/radio.git" "url": "https://git.neet.dev/zuckerberg/radio.git"
}, },
"original": { "original": {
"ref": "main", "ref": "main",
"rev": "5bf607fed977d41a269942a7d1e92f3e6d4f2473",
"type": "git", "type": "git",
"url": "https://git.neet.dev/zuckerberg/radio.git" "url": "https://git.neet.dev/zuckerberg/radio.git"
} }
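
Review bot: the radio input moves backwards in this hunk: lastModified goes from 1633288285 to 1631585589 and revCount from 51 to 38, with rev 5bf607fed977d41a269942a7d1e92f3e6d4f2473 now fixed under "original". A pinned older revision means flake.lock updates will never pick up later fixes for this input, so the reason for the pin belongs in a comment next to the radio.url line in flake.nix.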
@@ -207,11 +232,11 @@
"radio-web": { "radio-web": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1629918655, "lastModified": 1652121792,
"narHash": "sha256-sDVM1K1r2y4T37tvdu3mtjiswJ7/PrVGsDQrHzrNfac=", "narHash": "sha256-j1Y9MAjUVNgyFSeGzPoqibAnEysJDjZSXukVfQ7+bsQ=",
"ref": "master", "ref": "refs/heads/master",
"rev": "585ce4e3d09d1618d61358902a4231e91e15e1de", "rev": "72e7a9e80b780c84ed8d4a6374bfbb242701f900",
"revCount": 4, "revCount": 5,
"type": "git", "type": "git",
"url": "https://git.neet.dev/zuckerberg/radio-web.git" "url": "https://git.neet.dev/zuckerberg/radio-web.git"
}, },
@@ -226,6 +251,7 @@
"archivebox": "archivebox", "archivebox": "archivebox",
"dailybuild_modules": "dailybuild_modules", "dailybuild_modules": "dailybuild_modules",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"nix-locate": "nix-locate",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable",
"radio": "radio", "radio": "radio",
@@ -239,23 +265,20 @@
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
"nixpkgs-21_05": "nixpkgs-21_05", "nixpkgs-22_05": "nixpkgs-22_05",
"nixpkgs-21_11": [
"nixpkgs"
],
"utils": "utils" "utils": "utils"
}, },
"locked": { "locked": {
"lastModified": 1638911354, "lastModified": 1655930346,
"narHash": "sha256-hNhzLOp+dApEY15vwLAQZu+sjEQbJcOXCaSfAT6lpsQ=", "narHash": "sha256-ht56HHOzEhjeIgAv5ZNFjSVX/in1YlUs0HG9c1EUXTM=",
"owner": "simple-nixos-mailserver", "owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver", "repo": "nixos-mailserver",
"rev": "6e3a7b2ea6f0d68b82027b988aa25d3423787303", "rev": "f535d8123c4761b2ed8138f3d202ea710a334a1d",
"type": "gitlab" "type": "gitlab"
}, },
"original": { "original": {
"owner": "simple-nixos-mailserver", "owner": "simple-nixos-mailserver",
"ref": "nixos-21.11", "ref": "nixos-22.05",
"repo": "nixos-mailserver", "repo": "nixos-mailserver",
"type": "gitlab" "type": "gitlab"
} }

View File

@@ -1,21 +1,23 @@
{ {
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.11"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.05";
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/master";
flake-utils.url = "github:numtide/flake-utils"; flake-utils.url = "github:numtide/flake-utils";
nix-locate.url = "github:bennofs/nix-index";
nix-locate.inputs.nixpkgs.follows = "nixpkgs";
# mail server # mail server
simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-21.11"; simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-22.05";
simple-nixos-mailserver.inputs.nixpkgs.follows = "nixpkgs"; simple-nixos-mailserver.inputs.nixpkgs.follows = "nixpkgs";
simple-nixos-mailserver.inputs.nixpkgs-21_11.follows = "nixpkgs";
# agenix # agenix
agenix.url = "github:ryantm/agenix"; agenix.url = "github:ryantm/agenix";
agenix.inputs.nixpkgs.follows = "nixpkgs"; agenix.inputs.nixpkgs.follows = "nixpkgs";
# radio # radio
radio.url = "git+https://git.neet.dev/zuckerberg/radio.git?ref=main"; radio.url = "git+https://git.neet.dev/zuckerberg/radio.git?ref=main&rev=5bf607fed977d41a269942a7d1e92f3e6d4f2473";
radio.inputs.nixpkgs.follows = "nixpkgs"; radio.inputs.nixpkgs.follows = "nixpkgs";
radio.inputs.flake-utils.follows = "flake-utils"; radio.inputs.flake-utils.follows = "flake-utils";
radio-web.url = "git+https://git.neet.dev/zuckerberg/radio-web.git"; radio-web.url = "git+https://git.neet.dev/zuckerberg/radio-web.git";
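
Review bot: nixpkgs-unstable.url now points at github:NixOS/nixpkgs/master instead of nixos-unstable, so the revisions that get locked have not passed the channel's tests first, and two machines are built from this input further down. If master is needed for one package, a comment naming it would tell the next person when the input can go back to nixos-unstable.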
@@ -32,21 +34,20 @@
archivebox.inputs.flake-utils.follows = "flake-utils"; archivebox.inputs.flake-utils.follows = "flake-utils";
}; };
outputs = inputs: { outputs = { self, nixpkgs, nixpkgs-unstable, ... }@inputs: {
nixosConfigurations = nixosConfigurations =
let let
nixpkgs = inputs.nixpkgs;
nixpkgs-unstable = inputs.nixpkgs-unstable;
modules = system: [ modules = system: [
./common ./common
inputs.simple-nixos-mailserver.nixosModule inputs.simple-nixos-mailserver.nixosModule
inputs.agenix.nixosModule inputs.agenix.nixosModules.default
inputs.dailybuild_modules.nixosModule inputs.dailybuild_modules.nixosModule
inputs.archivebox.nixosModule inputs.archivebox.nixosModule
({ lib, ... }: { ({ lib, ... }: {
config.environment.systemPackages = [ inputs.agenix.defaultPackage.${system} ]; config.environment.systemPackages = [
inputs.agenix.packages.${system}.agenix
];
# because nixos specialArgs doesn't work for containers... need to pass in inputs a different way # because nixos specialArgs doesn't work for containers... need to pass in inputs a different way
options.inputs = lib.mkOption { default = inputs; }; options.inputs = lib.mkOption { default = inputs; };
@@ -54,62 +55,24 @@
}) })
]; ];
mkVpnContainer = system: pkgs: mount: config: {
ephemeral = true;
autoStart = true;
bindMounts = {
"/var/lib" = {
hostPath = "/var/lib/";
isReadOnly = false;
};
"/run/agenix" = {
hostPath = "/run/agenix";
isReadOnly = true;
};
"/dev/fuse" = {
hostPath = "/dev/fuse";
isReadOnly = false;
};
"${mount}" = {
hostPath = mount;
isReadOnly = false;
};
};
enableTun = true;
privateNetwork = true;
hostAddress = "172.16.100.1";
localAddress = "172.16.100.2";
config = { lib, ... }: {
imports = (modules system) ++ [config];
nixpkgs.pkgs = pkgs;
networking.firewall.enable = lib.mkForce false;
pia.enable = true;
# run it's own DNS resolver
networking.useHostResolvConf = false;
services.resolved.enable = true;
};
};
mkSystem = system: nixpkgs: path: mkSystem = system: nixpkgs: path:
nixpkgs.lib.nixosSystem { let
allModules = modules system;
in nixpkgs.lib.nixosSystem {
inherit system; inherit system;
modules = (modules system) ++ [path]; modules = allModules ++ [path];
specialArgs = { specialArgs = {
mkVpnContainer = (mkVpnContainer system); inherit allModules;
}; };
}; };
in in
{ {
"reg" = mkSystem "x86_64-linux" nixpkgs ./machines/reg/configuration.nix; "reg" = mkSystem "x86_64-linux" nixpkgs ./machines/reg/configuration.nix;
"ray" = mkSystem "x86_64-linux" nixpkgs ./machines/ray/configuration.nix; "ray" = mkSystem "x86_64-linux" nixpkgs-unstable ./machines/ray/configuration.nix;
"nat" = mkSystem "aarch64-linux" nixpkgs ./machines/nat/configuration.nix; "nat" = mkSystem "aarch64-linux" nixpkgs ./machines/nat/configuration.nix;
"neetdev" = mkSystem "x86_64-linux" nixpkgs ./machines/neet.dev/configuration.nix;
"liza" = mkSystem "x86_64-linux" nixpkgs ./machines/liza/configuration.nix; "liza" = mkSystem "x86_64-linux" nixpkgs ./machines/liza/configuration.nix;
"ponyo" = mkSystem "x86_64-linux" nixpkgs ./machines/ponyo/configuration.nix;
"s0" = mkSystem "aarch64-linux" nixpkgs-unstable ./machines/storage/s0/configuration.nix; "s0" = mkSystem "aarch64-linux" nixpkgs-unstable ./machines/storage/s0/configuration.nix;
"n1" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n1/configuration.nix; "n1" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n1/configuration.nix;
"n2" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n2/configuration.nix; "n2" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n2/configuration.nix;
@@ -119,5 +82,23 @@
"n6" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n6/configuration.nix; "n6" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n6/configuration.nix;
"n7" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n7/configuration.nix; "n7" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n7/configuration.nix;
}; };
packages = let
mkKexec = system:
(nixpkgs.lib.nixosSystem {
inherit system;
modules = [ ./machines/ephemeral/kexec.nix ];
}).config.system.build.kexec_tarball;
mkIso = system:
(nixpkgs.lib.nixosSystem {
inherit system;
modules = [ ./machines/ephemeral/iso.nix ];
}).config.system.build.isoImage;
in {
"x86_64-linux"."kexec" = mkKexec "x86_64-linux";
"x86_64-linux"."iso" = mkIso "x86_64-linux";
"aarch64-linux"."kexec" = mkKexec "aarch64-linux";
"aarch64-linux"."iso" = mkIso "aarch64-linux";
};
}; };
} }

View File

@@ -0,0 +1,12 @@
{ modulesPath, ... }:
{
imports = [
(modulesPath + "/installer/cd-dvd/iso-image.nix")
./minimal.nix
];
isoImage.makeUsbBootable = true;
networking.hostName = "iso";
}

View File

@@ -0,0 +1,48 @@
# From https://mdleom.com/blog/2021/03/09/nixos-oracle/#Build-a-kexec-tarball
# Builds a kexec img
{ config, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/installer/netboot/netboot.nix")
(modulesPath + "/profiles/qemu-guest.nix")
./minimal.nix
];
networking.hostName = "kexec";
# stripped down version of https://github.com/cleverca22/nix-tests/tree/master/kexec
system.build = rec {
image = pkgs.runCommand "image" { buildInputs = [ pkgs.nukeReferences ]; } ''
mkdir $out
if [ -f ${config.system.build.kernel}/bzImage ]; then
cp ${config.system.build.kernel}/bzImage $out/kernel
else
cp ${config.system.build.kernel}/Image $out/kernel
fi
cp ${config.system.build.netbootRamdisk}/initrd $out/initrd
nuke-refs $out/kernel
'';
kexec_script = pkgs.writeTextFile {
executable = true;
name = "kexec-nixos";
text = ''
#!${pkgs.stdenv.shell}
set -e
${pkgs.kexectools}/bin/kexec -l ${image}/kernel --initrd=${image}/initrd --append="init=${builtins.unsafeDiscardStringContext config.system.build.toplevel}/init ${toString config.boot.kernelParams}"
sync
echo "executing kernel, filesystems will be improperly umounted"
${pkgs.kexectools}/bin/kexec -e
'';
};
kexec_tarball = pkgs.callPackage (modulesPath + "/../lib/make-system-tarball.nix") {
storeContents = [
{
object = config.system.build.kexec_script;
symlink = "/kexec_nixos";
}
];
contents = [ ];
};
};
}

View File

@@ -0,0 +1,28 @@
{ pkgs, ... }:
{
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "e1000" "e1000e" "virtio_pci" "r8169" ];
boot.kernelParams = [
"panic=30" "boot.panic_on_fail" # reboot the machine upon fatal boot issues
"console=ttyS0" # enable serial console
"console=tty1"
];
boot.kernel.sysctl."vm.overcommit_memory" = "1";
environment.systemPackages = with pkgs; [
cryptsetup
btrfs-progs
];
environment.variables.GC_INITIAL_HEAP_SIZE = "1M";
networking.useDHCP = true;
services.openssh = {
enable = true;
challengeResponseAuthentication = false;
passwordAuthentication = false;
};
services.getty.autologinUser = "root";
users.users.root.openssh.authorizedKeys.keys = (import ../common/ssh.nix).users;
}
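
Review bot: services.getty.autologinUser = "root" together with console=ttyS0 and console=tty1 gives a root shell to anyone who reaches the local or serial console of a machine booted from this image, which undercuts the key-only SSH settings just above it; that is a common trade-off for an installer image but should be stated in a comment. Also check the import path: if this is the ./minimal.nix that flake.nix reaches through ./machines/ephemeral, then ../common/ssh.nix resolves under machines/ and not under the top-level common/ directory, so confirm an ssh.nix exists there.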

View File

@@ -1,17 +1,6 @@
{ config, pkgs, lib, mkVpnContainer, ... }: { config, pkgs, lib, ... }:
let {
mta-sts-web = {
enableACME = true;
forceSSL = true;
locations."=/.well-known/mta-sts.txt".alias = pkgs.writeText "mta-sts.txt" ''
version: STSv1
mode: none
mx: mail.neet.dev
max_age: 86400
'';
};
in {
imports =[ imports =[
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
@@ -35,158 +24,6 @@ in {
networking.interfaces.enp1s0.useDHCP = true; networking.interfaces.enp1s0.useDHCP = true;
services.gitea = {
enable = true;
hostname = "git.neet.dev";
disableRegistration = true;
};
services.peertube = {
enable = true;
localDomain = "tube.neet.space";
listenHttp = 9000;
listenWeb = 443;
enableWebHttps = true;
# dataDirs
serviceEnvironmentFile = "/run/agenix/peertube-init";
# settings
database = {
createLocally = true;
passwordFile = "/run/agenix/peertube-db-pw";
};
redis = {
createLocally = true;
passwordFile = "/run/agenix/peertube-redis-pw";
};
smtp = {
createLocally = false;
passwordFile = "/run/agenix/peertube-smtp";
};
};
services.nginx.virtualHosts."tube.neet.space" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${toString config.services.peertube.listenHttp}";
proxyWebsockets = true;
};
};
age.secrets.peertube-init.file = ../../secrets/peertube-init.age;
age.secrets.peertube-db-pw.file = ../../secrets/peertube-db-pw.age;
age.secrets.peertube-redis-pw.file = ../../secrets/peertube-redis-pw.age;
age.secrets.peertube-smtp.file = ../../secrets/peertube-smtp.age;
networking.firewall.allowedTCPPorts = [ 1935 ];
services.searx = {
enable = true;
environmentFile = "/run/agenix/searx";
settings = {
server.port = 43254;
server.secret_key = "@SEARX_SECRET_KEY@";
engines = [ {
name = "wolframalpha";
shortcut = "wa";
api_key = "@WOLFRAM_API_KEY@";
engine = "wolframalpha_api";
} ];
};
};
services.nginx.virtualHosts."search.neet.space" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${toString config.services.searx.settings.server.port}";
};
};
age.secrets.searx.file = ../../secrets/searx.age;
services.minecraft-server = {
enable = true;
jvmOpts = "-Xms2048M -Xmx4092M -XX:+UseG1GC -XX:ParallelGCThreads=2 -XX:MinHeapFreeRatio=5 -XX:MaxHeapFreeRatio=10";
eula = true;
declarative = true;
serverProperties = {
motd = "Welcome :)";
server-port = 38358;
white-list = false;
};
openFirewall = true;
package = pkgs.minecraft-server.overrideAttrs (old: {
version = "1.17";
src = pkgs.fetchurl {
url = "https://launcher.mojang.com/v1/objects/0a269b5f2c5b93b1712d0f5dc43b6182b9ab254e/server.jar";
sha1 = "0a269b5f2c5b93b1712d0f5dc43b6182b9ab254e";
};
});
};
# wrap radio in a VPN
containers.vpn = mkVpnContainer pkgs "/dev/null" {
services.radio = {
enable = true;
host = "radio.neet.space";
};
};
# containers cannot unlock their own secrets right now. unlock it here
age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
services.drastikbot = {
enable = true;
wolframAppIdFile = "/run/agenix/wolframalpha";
};
age.secrets.wolframalpha = {
file = ../../secrets/wolframalpha.age;
owner = config.services.drastikbot.user;
};
# icecast endpoint + website
services.nginx.virtualHosts."radio.neet.space" = {
enableACME = true;
forceSSL = true;
locations = {
"/stream.mp3" = {
proxyPass = "http://172.16.100.2:8001/stream.mp3";
extraConfig = ''
add_header Access-Control-Allow-Origin *;
'';
};
"/".root = config.inputs.radio-web;
};
};
services.nginx.virtualHosts."paradigminteractive.agency" = {
enableACME = true;
forceSSL = true;
locations."/".root = builtins.fetchTarball {
url = "https://git.neet.dev/zuckerberg/paradigminteractive.agency/archive/b91f3ea2884ddd902461a8acb47f20ae04bc28ee.tar.gz";
sha256 = "1x1fpsd1qr0004hfcxk6j4c4n3wwxykzhnv47gmrdnx5hq1nbzq4";
};
};
services.matrix = {
enable = true;
host = "neet.space";
enable_registration = false;
element-web = {
enable = true;
host = "chat.neet.space";
};
jitsi-meet = {
enable = true;
host = "meet.neet.space";
};
turn = {
host = "turn.neet.space";
secret = "a8369a0e96922abf72494bb888c85831b";
};
};
services.nginx.virtualHosts."tmp.neet.dev" = {
enableACME = true;
forceSSL = true;
root = "/var/www/tmp";
};
mailserver = { mailserver = {
enable = true; enable = true;
fqdn = "mail.neet.dev"; fqdn = "mail.neet.dev";
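
Review bot: the removed services.matrix block carried the TURN shared secret inline on the secret = line under turn, so deleting it here does not retire the value: it stays in the repository history and in any store path built from it. Rotate the secret on the coturn side and have the host that takes over this service read the new one from an agenix-managed file, like the other secrets removed in this hunk.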
@@ -201,7 +38,6 @@ in {
"runyan.org" "runyan.rocks" "runyan.org" "runyan.rocks"
"thunderhex.com" "tar.ninja" "thunderhex.com" "tar.ninja"
"bsd.ninja" "bsd.rocks" "bsd.ninja" "bsd.rocks"
"paradigminteractive.agency"
]; ];
loginAccounts = { loginAccounts = {
"jeremy@runyan.org" = { "jeremy@runyan.org" = {
@@ -211,7 +47,6 @@ in {
"@runyan.org" "@runyan.rocks" "@runyan.org" "@runyan.rocks"
"@thunderhex.com" "@tar.ninja" "@thunderhex.com" "@tar.ninja"
"@bsd.ninja" "@bsd.rocks" "@bsd.ninja" "@bsd.rocks"
"@paradigminteractive.agency"
]; ];
}; };
}; };
@@ -224,12 +59,35 @@ in {
certificateScheme = 3; # use let's encrypt for certs certificateScheme = 3; # use let's encrypt for certs
}; };
age.secrets.email-pw.file = ../../secrets/email-pw.age; age.secrets.email-pw.file = ../../secrets/email-pw.age;
services.nginx.virtualHosts."mta-sts.runyan.org" = mta-sts-web;
services.nginx.virtualHosts."mta-sts.runyan.rocks" = mta-sts-web; # sendmail to use xxx@domain instead of xxx@mail.domain
services.nginx.virtualHosts."mta-sts.thunderhex.com" = mta-sts-web; services.postfix.origin = "$mydomain";
services.nginx.virtualHosts."mta-sts.tar.ninja" = mta-sts-web;
services.nginx.virtualHosts."mta-sts.bsd.ninja" = mta-sts-web; # relay sent mail through mailgun
services.nginx.virtualHosts."mta-sts.bsd.rocks" = mta-sts-web; # https://www.howtoforge.com/community/threads/different-smtp-relays-for-different-domains-in-postfix.82711/#post-392620
services.postfix.config = {
smtp_sasl_auth_enable = "yes";
smtp_sasl_security_options = "noanonymous";
smtp_sasl_password_maps = "hash:/var/lib/postfix/conf/sasl_relay_passwd";
smtp_use_tls = "yes";
sender_dependent_relayhost_maps = "hash:/var/lib/postfix/conf/sender_relay";
smtp_sender_dependent_authentication = "yes";
};
services.postfix.mapFiles.sender_relay = let
relayHost = "[smtp.mailgun.org]:587";
in pkgs.writeText "sender_relay" ''
@neet.space ${relayHost}
@neet.cloud ${relayHost}
@neet.dev ${relayHost}
@runyan.org ${relayHost}
@runyan.rocks ${relayHost}
@thunderhex.com ${relayHost}
@tar.ninja ${relayHost}
@bsd.ninja ${relayHost}
@bsd.rocks ${relayHost}
'';
services.postfix.mapFiles.sasl_relay_passwd = "/run/agenix/sasl_relay_passwd";
age.secrets.sasl_relay_passwd.file = ../../secrets/sasl_relay_passwd.age;
services.nextcloud = { services.nextcloud = {
enable = true; enable = true;
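Review bot: `smtp_use_tls = "yes"` in the added `services.postfix.config` only makes TLS opportunistic, so with `smtp_sasl_auth_enable = "yes"` the Mailgun credentials can be sent over a cleartext session if STARTTLS is not offered or is stripped in transit. Set `smtp_tls_security_level = "encrypt"` (which supersedes `smtp_use_tls`), or add a `smtp_tls_policy_maps` entry for the relay, so submission to `[smtp.mailgun.org]:587` fails closed. Separately, the six `mta-sts.*` virtual hosts are dropped in this hunk; if the matching `_mta-sts` DNS records are still published they should be removed as well, since nothing here serves the policy any more.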
@@ -249,27 +107,4 @@ in {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
}; };
# iodine DNS-based vpn
services.iodine.server = {
enable = true;
ip = "192.168.99.1";
domain = "tun.neet.dev";
passwordFile = "/run/agenix/iodine";
};
age.secrets.iodine.file = ../../secrets/iodine.age;
networking.firewall.allowedUDPPorts = [ 53 ];
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
networking.nat.enable = true;
networking.nat.internalInterfaces = [
"dns0" # iodine
"ve-vpn" # vpn container
];
networking.nat.externalInterface = "enp1s0";
services.postgresql.package = pkgs.postgresql_11;
security.acme.acceptTerms = true;
security.acme.email = "zuckerberg@neet.dev";
} }

View File

@@ -1,47 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports =[
./hardware-configuration.nix
];
# wt6nczjfvtba6pvjt2qtevwjpq4gcbz46bwjz4hboehgecyqmzqgwnqd.onion
firmware.x86_64.enable = true;
bios = {
enable = true;
device = "/dev/sda";
};
luks = {
enable = true;
device.path = "/dev/disk/by-uuid/06f6b0bf-fe79-4b89-a549-b464c2b162a1";
};
networking.hostName = "neetdev";
system.autoUpgrade.enable = true;
networking.interfaces.eno1.useDHCP = true;
services.nginx.enable = true;
security.acme.acceptTerms = true;
security.acme.email = "letsencrypt+5@tar.ninja";
services.thelounge = {
enable = true;
port = 9000;
fileUploadBaseUrl = "https://files.neet.cloud/irc/";
host = "irc.neet.dev";
fileHost = {
host = "files.neet.cloud";
path = "/irc";
};
};
services.murmur = {
enable = true;
port = 23563;
domain = "voice.neet.space";
};
}

View File

@@ -1,38 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ahci" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/35ca3392-548a-45ef-9e72-392cddfcea1b";
fsType = "btrfs";
options = [ "subvol=root" ];
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/35ca3392-548a-45ef-9e72-392cddfcea1b";
fsType = "btrfs";
options = [ "subvol=home" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/d1d3cc19-980f-42ea-9784-a223ea71f435";
fsType = "ext4";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/86fdcded-3f0e-4ee0-81bc-c1c92cb96ab1"; }
];
powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
}

View File

@@ -0,0 +1,172 @@
{ config, pkgs, lib, ... }:
{
imports =[
./hardware-configuration.nix
];
networking.hostName = "ponyo";
firmware.x86_64.enable = true;
bios = {
enable = true;
device = "/dev/sda";
};
luks = {
enable = true;
device.path = "/dev/disk/by-uuid/4cc36be4-dbff-4afe-927d-69bf4637bae2";
};
system.autoUpgrade.enable = true;
services.zerotierone.enable = true;
services.gitea = {
enable = true;
hostname = "git.neet.dev";
disableRegistration = true;
};
services.thelounge = {
enable = true;
port = 9000;
fileUploadBaseUrl = "https://files.neet.cloud/irc/";
host = "irc.neet.dev";
fileHost = {
host = "files.neet.cloud";
path = "/irc";
};
};
services.murmur = {
enable = true;
port = 23563;
domain = "voice.neet.space";
};
services.drastikbot = {
enable = true;
wolframAppIdFile = "/run/agenix/wolframalpha";
};
age.secrets.wolframalpha = {
file = ../../secrets/wolframalpha.age;
owner = config.services.drastikbot.user;
};
# wrap radio in a VPN
vpn-container.enable = true;
vpn-container.config = {
services.radio = {
enable = true;
host = "radio.runyan.org";
};
};
# tailscale
services.tailscale.exitNode = true;
# icecast endpoint + website
services.nginx.virtualHosts."radio.runyan.org" = {
enableACME = true;
forceSSL = true;
locations = {
"/stream.mp3" = {
proxyPass = "http://vpn.containers:8001/stream.mp3";
extraConfig = ''
add_header Access-Control-Allow-Origin *;
'';
};
"/".root = config.inputs.radio-web;
};
};
services.matrix = {
enable = true;
host = "neet.space";
enable_registration = false;
element-web = {
enable = true;
host = "chat.neet.space";
};
jitsi-meet = {
enable = true;
host = "meet.neet.space";
};
turn = {
host = "turn.neet.space";
secret = "a8369a0e96922abf72494bb888c85831b";
};
};
services.postgresql.package = pkgs.postgresql_11;
services.searx = {
enable = true;
environmentFile = "/run/agenix/searx";
settings = {
server.port = 43254;
server.secret_key = "@SEARX_SECRET_KEY@";
engines = [ {
name = "wolframalpha";
shortcut = "wa";
api_key = "@WOLFRAM_API_KEY@";
engine = "wolframalpha_api";
} ];
};
};
services.nginx.virtualHosts."search.neet.space" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${toString config.services.searx.settings.server.port}";
};
};
age.secrets.searx.file = ../../secrets/searx.age;
# iodine DNS-based vpn
services.iodine.server = {
enable = true;
ip = "192.168.99.1";
domain = "tun.neet.dev";
passwordFile = "/run/agenix/iodine";
};
age.secrets.iodine.file = ../../secrets/iodine.age;
networking.firewall.allowedUDPPorts = [ 53 ];
networking.nat.internalInterfaces = [
"dns0" # iodine
];
services.nginx.enable = true;
services.nginx.virtualHosts."jellyfin.neet.cloud" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://s0.zt.neet.dev";
proxyWebsockets = true;
};
};
services.nginx.virtualHosts."navidrome.neet.cloud" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://s0.zt.neet.dev:4533";
};
services.nginx.virtualHosts."tmp.neet.dev" = {
enableACME = true;
forceSSL = true;
root = "/var/www/tmp";
};
# redirect to github
services.nginx.virtualHosts."runyan.org" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
rewrite ^/(.*)$ https://github.com/GoogleBot42 redirect;
'';
};
services.owncast.enable = true;
services.owncast.hostname = "live.neet.dev";
}
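Review bot: `turn.secret` under `services.matrix` is a literal string, so the TURN shared secret is committed to the repository and, as part of the evaluated configuration, will typically end up in the world-readable Nix store, while every other credential in this file (`wolframAppIdFile`, `environmentFile = "/run/agenix/searx"`, `passwordFile = "/run/agenix/iodine"`) is read from an agenix path at runtime. Have the module accept a file path for the TURN secret too, and rotate the value, since the same string also appears in the configuration removed earlier in this diff. Smaller points: `add_header Access-Control-Allow-Origin *;` is reasonable for a public stream but should stay confined to the `/stream.mp3` location, and the `jellyfin.neet.cloud` and `navidrome.neet.cloud` proxies forward over plain `http://` to `s0.zt.neet.dev`, which relies entirely on the ZeroTier link for confidentiality; a comment stating that assumption would help.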

View File

@@ -0,0 +1,37 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" "nvme" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/mapper/enc-pv";
fsType = "btrfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/d3a3777d-1e70-47fa-a274-804dc70ee7fd";
fsType = "ext4";
};
swapDevices = [
{
device = "/dev/disk/by-partuuid/b14668b8-9026-b041-8b71-f302b6b291bf";
randomEncryption.enable = true;
}
];
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = lib.mkDefault false;
networking.interfaces.eth0.useDHCP = lib.mkDefault true;
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

View File

@@ -0,0 +1,43 @@
-----BEGIN CERTIFICATE-----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=
-----END CERTIFICATE-----

View File

@@ -1,12 +1,8 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
{ {
disabledModules = [
"hardware/video/nvidia.nix"
];
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
./nvidia.nix
]; ];
firmware.x86_64.enable = true; firmware.x86_64.enable = true;
@@ -17,38 +13,107 @@
allowDiscards = true; allowDiscards = true;
}; };
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
networking.hostName = "ray"; networking.hostName = "ray";
hardware.enableAllFirmware = true; hardware.enableAllFirmware = true;
# newer kernel for wifi # depthai
boot.kernelPackages = pkgs.linuxPackages_latest; services.udev.extraRules = ''
SUBSYSTEM=="usb", ATTRS{idVendor}=="03e7", MODE="0666"
'';
# gpu # gpu
services.xserver.videoDrivers = [ "nvidia" ]; services.xserver.videoDrivers = [ "nvidia" ];
services.xserver.logFile = "/var/log/Xorg.0.log";
hardware.nvidia = { hardware.nvidia = {
modesetting.enable = true; # for nvidia-vaapi-driver modesetting.enable = true; # for nvidia-vaapi-driver
prime = { prime = {
#reverse_sync.enable = true; reverseSync.enable = true;
offload.enable = true;
offload.enableOffloadCmd = true; offload.enableOffloadCmd = true;
#sync.enable = true;
nvidiaBusId = "PCI:1:0:0"; nvidiaBusId = "PCI:1:0:0";
amdgpuBusId = "PCI:4:0:0"; amdgpuBusId = "PCI:4:0:0";
}; };
powerManagement = {
# enable = true;
# finegrained = true;
coarsegrained = true;
};
}; };
# virt-manager
virtualisation.libvirtd.enable = true;
programs.dconf.enable = true;
virtualisation.spiceUSBRedirection.enable = true;
environment.systemPackages = with pkgs; [ virt-manager ];
users.users.googlebot.extraGroups = [ "libvirtd" ];
# vpn-container.enable = true;
# containers.vpn.interfaces = [ "piaw" ];
# allow traffic for wireguard interface to pass
# networking.firewall = {
# # wireguard trips rpfilter up
# extraCommands = ''
# ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN
# ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN
# '';
# extraStopCommands = ''
# ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN || true
# ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN || true
# '';
# };
# systemd.services.pia-vpn-wireguard = {
# enable = true;
# description = "PIA VPN WireGuard Tunnel";
# requires = [ "network-online.target" ];
# after = [ "network.target" "network-online.target" ];
# wantedBy = [ "multi-user.target" ];
# environment.DEVICE = "piaw";
# path = with pkgs; [ kmod wireguard-tools jq curl ];
# serviceConfig = {
# Type = "oneshot";
# RemainAfterExit = true;
# };
# script = ''
# WG_HOSTNAME=zurich406
# WG_SERVER_IP=156.146.62.153
# PIA_USER=`sed '1q;d' /run/agenix/pia-login.conf`
# PIA_PASS=`sed '2q;d' /run/agenix/pia-login.conf`
# PIA_TOKEN=`curl -s -u "$PIA_USER:$PIA_PASS" https://www.privateinternetaccess.com/gtoken/generateToken | jq -r '.token'`
# privKey=$(wg genkey)
# pubKey=$(echo "$privKey" | wg pubkey)
# wireguard_json=`curl -s -G --connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" --cacert "${./ca.rsa.4096.crt}" --data-urlencode "pt=$PIA_TOKEN" --data-urlencode "pubkey=$pubKey" https://$WG_HOSTNAME:1337/addKey`
# echo "
# [Interface]
# Address = $(echo "$wireguard_json" | jq -r '.peer_ip')
# PrivateKey = $privKey
# ListenPort = 51820
# [Peer]
# PersistentKeepalive = 25
# PublicKey = $(echo "$wireguard_json" | jq -r '.server_key')
# AllowedIPs = 0.0.0.0/0
# Endpoint = $WG_SERVER_IP:$(echo "$wireguard_json" | jq -r '.server_port')
# " > /tmp/piaw.conf
# # TODO make /tmp/piaw.conf ro to root
# ${lib.optionalString (!config.boot.isContainer) "modprobe wireguard"}
# wg-quick up /tmp/piaw.conf
# '';
# preStop = ''
# wg-quick down /tmp/piaw.conf
# '';
# };
# age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
virtualisation.docker.enable = true; virtualisation.docker.enable = true;
services.zerotierone.enable = true; services.zerotierone.enable = true;
services.mount-samba.enable = true;
de.enable = true; de.enable = true;
de.touchpad.enable = true; de.touchpad.enable = true;
} }

View File

@@ -1,485 +0,0 @@
# This module provides the proprietary NVIDIA X11 / OpenGL drivers.
{ config, lib, pkgs, ... }:
with lib;
let
nvidia_x11 = let
drivers = config.services.xserver.videoDrivers;
isDeprecated = str: (hasPrefix "nvidia" str) && (str != "nvidia");
hasDeprecated = drivers: any isDeprecated drivers;
in if (hasDeprecated drivers) then
throw ''
Selecting an nvidia driver has been modified for NixOS 19.03. The version is now set using `hardware.nvidia.package`.
''
else if (elem "nvidia" drivers) then cfg.package else null;
enabled = nvidia_x11 != null;
cfg = config.hardware.nvidia;
pCfg = cfg.prime;
syncCfg = pCfg.sync;
offloadCfg = pCfg.offload;
reverseSyncCfg = pCfg.reverse_sync;
primeEnabled = syncCfg.enable || reverseSyncCfg.enable || offloadCfg.enable;
nvidiaPersistencedEnabled = cfg.nvidiaPersistenced;
nvidiaSettings = cfg.nvidiaSettings;
in
{
imports =
[
(mkRenamedOptionModule [ "hardware" "nvidia" "optimus_prime" "enable" ] [ "hardware" "nvidia" "prime" "sync" "enable" ])
(mkRenamedOptionModule [ "hardware" "nvidia" "optimus_prime" "allowExternalGpu" ] [ "hardware" "nvidia" "prime" "allowExternalGpu" ])
(mkRenamedOptionModule [ "hardware" "nvidia" "prime" "sync" "allowExternalGpu" ] [ "hardware" "nvidia" "prime" "allowExternalGpu" ])
(mkRenamedOptionModule [ "hardware" "nvidia" "optimus_prime" "nvidiaBusId" ] [ "hardware" "nvidia" "prime" "nvidiaBusId" ])
(mkRenamedOptionModule [ "hardware" "nvidia" "optimus_prime" "intelBusId" ] [ "hardware" "nvidia" "prime" "intelBusId" ])
];
options = {
hardware.nvidia.powerManagement.enable = mkOption {
type = types.bool;
default = false;
description = ''
Experimental power management through systemd. For more information, see
the NVIDIA docs, on Chapter 21. Configuring Power Management Support.
'';
};
hardware.nvidia.powerManagement.finegrained = mkOption {
type = types.bool;
default = false;
description = ''
Experimental power management of PRIME offload. For more information, see
the NVIDIA docs, chapter 22. PCI-Express runtime power management.
'';
};
hardware.nvidia.powerManagement.coarsegrained = mkOption {
type = types.bool;
default = false;
description = ''
Experimental power management of PRIME offload. For more information, see
the NVIDIA docs, chapter 22. PCI-Express runtime power management.
'';
};
hardware.nvidia.modesetting.enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable kernel modesetting when using the NVIDIA proprietary driver.
Enabling this fixes screen tearing when using Optimus via PRIME (see
<option>hardware.nvidia.prime.sync.enable</option>. This is not enabled
by default because it is not officially supported by NVIDIA and would not
work with SLI.
'';
};
hardware.nvidia.prime.nvidiaBusId = mkOption {
type = types.str;
default = "";
example = "PCI:1:0:0";
description = ''
Bus ID of the NVIDIA GPU. You can find it using lspci; for example if lspci
shows the NVIDIA GPU at "01:00.0", set this option to "PCI:1:0:0".
'';
};
hardware.nvidia.prime.intelBusId = mkOption {
type = types.str;
default = "";
example = "PCI:0:2:0";
description = ''
Bus ID of the Intel GPU. You can find it using lspci; for example if lspci
shows the Intel GPU at "00:02.0", set this option to "PCI:0:2:0".
'';
};
hardware.nvidia.prime.amdgpuBusId = mkOption {
type = types.str;
default = "";
example = "PCI:4:0:0";
description = ''
Bus ID of the AMD APU. You can find it using lspci; for example if lspci
shows the AMD APU at "04:00.0", set this option to "PCI:4:0:0".
'';
};
hardware.nvidia.prime.sync.enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable NVIDIA Optimus support using the NVIDIA proprietary driver via PRIME.
If enabled, the NVIDIA GPU will be always on and used for all rendering,
while enabling output to displays attached only to the integrated Intel/AMD
GPU without a multiplexer.
Note that this option only has any effect if the "nvidia" driver is specified
in <option>services.xserver.videoDrivers</option>, and it should preferably
be the only driver there.
If this is enabled, then the bus IDs of the NVIDIA and Intel/AMD GPUs have to
be specified (<option>hardware.nvidia.prime.nvidiaBusId</option> and
<option>hardware.nvidia.prime.intelBusId</option> or
<option>hardware.nvidia.prime.amdgpuBusId</option>).
If you enable this, you may want to also enable kernel modesetting for the
NVIDIA driver (<option>hardware.nvidia.modesetting.enable</option>) in order
to prevent tearing.
Note that this configuration will only be successful when a display manager
for which the <option>services.xserver.displayManager.setupCommands</option>
option is supported is used.
'';
};
hardware.nvidia.prime.allowExternalGpu = mkOption {
type = types.bool;
default = false;
description = ''
Configure X to allow external NVIDIA GPUs when using Prime [Reverse] Sync.
'';
};
hardware.nvidia.prime.offload.enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable render offload support using the NVIDIA proprietary driver via PRIME.
If this is enabled, then the bus IDs of the NVIDIA and Intel/AMD GPUs have to
be specified (<option>hardware.nvidia.prime.nvidiaBusId</option> and
<option>hardware.nvidia.prime.intelBusId</option> or
<option>hardware.nvidia.prime.amdgpuBusId</option>).
'';
};
hardware.nvidia.prime.offload.enableOffloadCmd = mkOption {
type = types.bool;
default = false;
description = ''
Adds a `nvidia-offload` convenience script to <option>environment.systemPackages</option>
for offloading programs to an nvidia device. To work, should have also enabled
<option>hardware.nvidia.prime.offload.enable</option> or <option>hardware.nvidia.prime.reverse_sync.enable</option>
Example usage `nvidia-offload sauerbraten_client`
'';
};
hardware.nvidia.prime.reverse_sync.enable = mkOption {
type = types.bool;
default = false;
description = ''
Warning: This feature is relatively new, depending on your system this might
work poorly. AMD support, especially so.
See: https://forums.developer.nvidia.com/t/the-all-new-outputsink-feature-aka-reverse-prime/129828
Enable NVIDIA Optimus support using the NVIDIA proprietary driver via reverse
PRIME. If enabled, the Intel/AMD GPU will be used for all rendering, while
enabling output to displays attached only to the NVIDIA GPU without a
multiplexer.
Note that this option only has any effect if the "nvidia" driver is specified
in <option>services.xserver.videoDrivers</option>, and it should preferably
be the only driver there.
If this is enabled, then the bus IDs of the NVIDIA and Intel/AMD GPUs have to
be specified (<option>hardware.nvidia.prime.nvidiaBusId</option> and
<option>hardware.nvidia.prime.intelBusId</option> or
<option>hardware.nvidia.prime.amdgpuBusId</option>).
If you enable this, you may want to also enable kernel modesetting for the
NVIDIA driver (<option>hardware.nvidia.modesetting.enable</option>) in order
to prevent tearing.
Note that this configuration will only be successful when a display manager
for which the <option>services.xserver.displayManager.setupCommands</option>
option is supported is used.
'';
};
hardware.nvidia.nvidiaSettings = mkOption {
default = true;
type = types.bool;
description = ''
Whether to add nvidia-settings, NVIDIA's GUI configuration tool, to
systemPackages.
'';
};
hardware.nvidia.nvidiaPersistenced = mkOption {
default = false;
type = types.bool;
description = ''
Update for NVIDA GPU headless mode, i.e. nvidia-persistenced. It ensures all
GPUs stay awake even during headless mode.
'';
};
hardware.nvidia.package = lib.mkOption {
type = lib.types.package;
default = config.boot.kernelPackages.nvidiaPackages.stable;
defaultText = literalExpression "config.boot.kernelPackages.nvidiaPackages.stable";
description = ''
The NVIDIA X11 derivation to use.
'';
example = literalExpression "config.boot.kernelPackages.nvidiaPackages.legacy_340";
};
};
config = let
igpuDriver = if pCfg.intelBusId != "" then "modesetting" else "amdgpu";
igpuBusId = if pCfg.intelBusId != "" then pCfg.intelBusId else pCfg.amdgpuBusId;
in mkIf enabled {
assertions = [
{
assertion = primeEnabled -> pCfg.intelBusId == "" || pCfg.amdgpuBusId == "";
message = ''
You cannot configure both an Intel iGPU and an AMD APU. Pick the one corresponding to your processor.
'';
}
{
assertion = offloadCfg.enableOffloadCmd -> offloadCfg.enable || reverseSyncCfg.enable;
message = ''
Offload command requires offloading or reverse prime sync to be enabled.
'';
}
{
assertion = primeEnabled -> pCfg.nvidiaBusId != "" && (pCfg.intelBusId != "" || pCfg.amdgpuBusId != "");
message = ''
When NVIDIA PRIME is enabled, the GPU bus IDs must configured.
'';
}
{
assertion = offloadCfg.enable -> versionAtLeast nvidia_x11.version "435.21";
message = "NVIDIA PRIME render offload is currently only supported on versions >= 435.21.";
}
{
assertion = (reverseSyncCfg.enable && pCfg.amdgpuBusId != "") -> versionAtLeast nvidia_x11.version "470.0";
message = "NVIDIA PRIME render offload for AMD APUs is currently only supported on versions >= 470 beta.";
}
{
assertion = !(syncCfg.enable && offloadCfg.enable);
message = "PRIME Sync and Offload cannot be both enabled";
}
{
assertion = !(syncCfg.enable && reverseSyncCfg.enable);
message = "PRIME Sync and PRIME Reverse Sync cannot be both enabled";
}
{
assertion = !(syncCfg.enable && cfg.powerManagement.finegrained && cfg.powerManagement.coarsegrained);
message = "Sync precludes powering down the NVIDIA GPU.";
}
{
assertion = cfg.powerManagement.finegrained -> offloadCfg.enable;
message = "Fine-grained power management requires offload to be enabled.";
}
{
assertion = cfg.powerManagement.coarsegrained -> offloadCfg.enable;
message = "Coarse-grained power management requires offload to be enabled.";
}
{
assertion = cfg.powerManagement.enable -> (
builtins.pathExists (cfg.package.out + "/bin/nvidia-sleep.sh") &&
builtins.pathExists (cfg.package.out + "/lib/systemd/system-sleep/nvidia")
);
message = "Required files for driver based power management don't exist.";
}
];
# If Optimus/PRIME is enabled, we:
# - Specify the configured NVIDIA GPU bus ID in the Device section for the
# "nvidia" driver.
# - Add the AllowEmptyInitialConfiguration option to the Screen section for the
# "nvidia" driver, in order to allow the X server to start without any outputs.
# - Add a separate Device section for the Intel GPU, using the "modesetting"
# driver and with the configured BusID.
# - OR add a separate Device section for the AMD APU, using the "amdgpu"
# driver and with the configures BusID.
# - Reference that Device section from the ServerLayout section as an inactive
# device.
# - Configure the display manager to run specific `xrandr` commands which will
# configure/enable displays connected to the Intel iGPU / AMD APU.
services.xserver.useGlamor = mkDefault offloadCfg.enable;
# reverse sync implies offloading
hardware.nvidia.prime.offload.enable = mkDefault reverseSyncCfg.enable;
services.xserver.drivers = optional primeEnabled {
name = igpuDriver;
display = !syncCfg.enable;
modules = optional (igpuDriver == "amdgpu") [ pkgs.xorg.xf86videoamdgpu ];
deviceSection = ''
BusID "${igpuBusId}"
${optionalString (syncCfg.enable && igpuDriver != "amdgpu") ''Option "AccelMethod" "none"''}
'';
} ++ singleton {
name = "nvidia";
modules = [ nvidia_x11.bin ];
display = syncCfg.enable;
deviceSection = optionalString primeEnabled ''
BusID "${pCfg.nvidiaBusId}"
${optionalString pCfg.allowExternalGpu "Option \"AllowExternalGpus\""}
'';
};
services.xserver.serverLayoutSection = optionalString syncCfg.enable ''
Inactive "Device-${igpuDriver}[0]"
'' + optionalString reverseSyncCfg.enable ''
Inactive "Device-nvidia[0]"
'' + optionalString offloadCfg.enable ''
Option "AllowNVIDIAGPUScreens"
'';
services.xserver.displayManager.setupCommands = let
gpuProviderName = if igpuDriver == "amdgpu" then
# find the name of the provider if amdgpu
"`${pkgs.xorg.xrandr}/bin/xrandr --listproviders | ${pkgs.gnugrep}/bin/grep -i AMD | ${pkgs.gnused}/bin/sed -n 's/^.*name://p'`"
else
igpuDriver;
providerCmdParams = if syncCfg.enable then "\"${gpuProviderName}\" NVIDIA-0" else "NVIDIA-G0 \"${gpuProviderName}\"";
in optionalString (syncCfg.enable || reverseSyncCfg.enable) ''
# Added by nvidia configuration module for Optimus/PRIME.
${pkgs.xorg.xrandr}/bin/xrandr --setprovideroutputsource ${providerCmdParams}
${pkgs.xorg.xrandr}/bin/xrandr --auto
'';
environment.etc."nvidia/nvidia-application-profiles-rc" = mkIf nvidia_x11.useProfiles {
source = "${nvidia_x11.bin}/share/nvidia/nvidia-application-profiles-rc";
};
# 'nvidia_x11' installs it's files to /run/opengl-driver/...
environment.etc."egl/egl_external_platform.d".source =
"/run/opengl-driver/share/egl/egl_external_platform.d/";
hardware.opengl.extraPackages = [
nvidia_x11.out
# pkgs.nvidia-vaapi-driver
];
hardware.opengl.extraPackages32 = [
nvidia_x11.lib32
# pkgs.pkgsi686Linux.nvidia-vaapi-driver
];
environment.systemPackages = [ nvidia_x11.bin ]
++ optionals cfg.nvidiaSettings [ nvidia_x11.settings ]
++ optionals nvidiaPersistencedEnabled [ nvidia_x11.persistenced ]
++ optionals offloadCfg.enableOffloadCmd [
(pkgs.writeShellScriptBin "nvidia-offload" ''
export __NV_PRIME_RENDER_OFFLOAD=1
export __NV_PRIME_RENDER_OFFLOAD_PROVIDER=NVIDIA-G0
export __GLX_VENDOR_LIBRARY_NAME=nvidia
export __VK_LAYER_NV_optimus=NVIDIA_only
exec -a "$0" "$@"
'')
];
systemd.packages = optional cfg.powerManagement.enable nvidia_x11.out;
systemd.services = let
baseNvidiaService = state: {
description = "NVIDIA system ${state} actions";
path = with pkgs; [ kbd ];
serviceConfig = {
Type = "oneshot";
ExecStart = "${nvidia_x11.out}/bin/nvidia-sleep.sh '${state}'";
};
};
nvidiaService = sleepState: (baseNvidiaService sleepState) // {
before = [ "systemd-${sleepState}.service" ];
requiredBy = [ "systemd-${sleepState}.service" ];
};
services = (builtins.listToAttrs (map (t: nameValuePair "nvidia-${t}" (nvidiaService t)) ["hibernate" "suspend"]))
// {
nvidia-resume = (baseNvidiaService "resume") // {
after = [ "systemd-suspend.service" "systemd-hibernate.service" ];
requiredBy = [ "systemd-suspend.service" "systemd-hibernate.service" ];
};
};
in optionalAttrs cfg.powerManagement.enable services
// optionalAttrs nvidiaPersistencedEnabled {
"nvidia-persistenced" = mkIf nvidiaPersistencedEnabled {
description = "NVIDIA Persistence Daemon";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "forking";
Restart = "always";
PIDFile = "/var/run/nvidia-persistenced/nvidia-persistenced.pid";
ExecStart = "${nvidia_x11.persistenced}/bin/nvidia-persistenced --verbose";
ExecStopPost = "${pkgs.coreutils}/bin/rm -rf /var/run/nvidia-persistenced";
};
};
};
systemd.tmpfiles.rules = optional config.virtualisation.docker.enableNvidia
"L+ /run/nvidia-docker/bin - - - - ${nvidia_x11.bin}/origBin"
++ optional (nvidia_x11.persistenced != null && config.virtualisation.docker.enableNvidia)
"L+ /run/nvidia-docker/extras/bin/nvidia-persistenced - - - - ${nvidia_x11.persistenced}/origBin/nvidia-persistenced";
boot.extraModulePackages = [ nvidia_x11.bin ];
# nvidia-uvm is required by CUDA applications.
boot.kernelModules = [ "nvidia-uvm" ] ++
optionals config.services.xserver.enable [ "nvidia" "nvidia_modeset" "nvidia_drm" ];
# If requested enable modesetting via kernel parameter.
boot.kernelParams = optional (offloadCfg.enable || cfg.modesetting.enable) "nvidia-drm.modeset=1"
++ optional cfg.powerManagement.enable "nvidia.NVreg_PreserveVideoMemoryAllocations=1";
services.udev.extraRules =
''
# Create /dev/nvidia-uvm when the nvidia-uvm module is loaded.
KERNEL=="nvidia", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidiactl c $$(grep nvidia-frontend /proc/devices | cut -d \ -f 1) 255'"
KERNEL=="nvidia_modeset", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-modeset c $$(grep nvidia-frontend /proc/devices | cut -d \ -f 1) 254'"
KERNEL=="card*", SUBSYSTEM=="drm", DRIVERS=="nvidia", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia%n c $$(grep nvidia-frontend /proc/devices | cut -d \ -f 1) %n'"
KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm c $$(grep nvidia-uvm /proc/devices | cut -d \ -f 1) 0'"
KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm-tools c $$(grep nvidia-uvm /proc/devices | cut -d \ -f 1) 0'"
'' + optionalString (cfg.powerManagement.finegrained || cfg.powerManagement.coarsegrained) ''
# Remove NVIDIA USB xHCI Host Controller devices, if present
ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x0c0330", ATTR{remove}="1"
# Remove NVIDIA USB Type-C UCSI devices, if present
ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x0c8000", ATTR{remove}="1"
# Remove NVIDIA Audio devices, if present
ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x040300", ATTR{remove}="1"
# Enable runtime PM for NVIDIA VGA/3D controller devices on driver bind
ACTION=="bind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030000", TEST=="power/control", ATTR{power/control}="auto"
ACTION=="bind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030200", TEST=="power/control", ATTR{power/control}="auto"
# Disable runtime PM for NVIDIA VGA/3D controller devices on driver unbind
ACTION=="unbind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030000", TEST=="power/control", ATTR{power/control}="on"
ACTION=="unbind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030200", TEST=="power/control", ATTR{power/control}="on"
'';
boot.extraModprobeConfig = optionalString cfg.powerManagement.finegrained ''
options nvidia "NVreg_DynamicPowerManagement=0x02"
'' + optionalString cfg.powerManagement.coarsegrained ''
options nvidia "NVreg_DynamicPowerManagement=0x01"
'';
boot.blacklistedKernelModules = [ "nouveau" "nvidiafb" ];
services.acpid.enable = true;
};
}

View File

@@ -1,4 +1,4 @@
{ config, pkgs, lib, mkVpnContainer, ... }: { config, pkgs, lib, ... }:
{ {
imports =[ imports =[
@@ -17,6 +17,8 @@
boot.supportedFilesystems = [ "bcachefs" ]; boot.supportedFilesystems = [ "bcachefs" ];
services.zerotierone.enable = true;
# for education purposes only # for education purposes only
services.pykms.enable = true; services.pykms.enable = true;
services.pykms.openFirewallPort = true; services.pykms.openFirewallPort = true;
@@ -27,46 +29,53 @@
services.samba.enable = true; services.samba.enable = true;
services.plex = {
enable = true;
openFirewall = true;
dataDir = "/data/plex";
};
services.jellyfin = {
enable = true;
openFirewall = true;
};
services.navidrome = { services.navidrome = {
enable = true; enable = true;
settings = { settings = {
Address = "127.0.0.1"; Address = "0.0.0.0";
Port = 4533; Port = 4533;
MusicFolder = "/data/samba/Public/Plex/Music"; MusicFolder = "/data/samba/Public/Plex/Music";
}; };
}; };
networking.firewall.allowedTCPPorts = [ config.services.navidrome.settings.Port ];
users.users.${config.services.plex.user}.extraGroups = [ "public_data" ];
users.users.${config.services.jellyfin.user}.extraGroups = [ "public_data" ];
users.users.googlebot.extraGroups = [ "transmission" ]; users.users.googlebot.extraGroups = [ "transmission" ];
users.groups.transmission.gid = config.ids.gids.transmission; users.groups.transmission.gid = config.ids.gids.transmission;
containers.vpn = mkVpnContainer pkgs "/data/samba/Public/Plex" { vpn-container.enable = true;
vpn-container.mounts = [
"/var/lib"
"/data/samba/Public/Plex"
];
vpn-container.config = {
# servarr services
services.prowlarr.enable = true; services.prowlarr.enable = true;
services.sonarr.enable = true; services.sonarr.enable = true;
services.sonarr.user = "public_data";
services.sonarr.group = "public_data";
services.bazarr.enable = true; services.bazarr.enable = true;
services.bazarr.user = "public_data";
services.bazarr.group = "public_data";
services.radarr.enable = true; services.radarr.enable = true;
services.radarr.user = "public_data";
services.radarr.group = "public_data";
services.lidarr.enable = true; services.lidarr.enable = true;
users.groups.transmission.members = [ "prowlarr" "sonarr" "bazarr" "radarr" "lidarr" ]; services.lidarr.user = "public_data";
services.lidarr.group = "public_data";
services.jellyfin.enable = true;
users.users.${config.services.jellyfin.user}.extraGroups = [ "public_data" ];
services.transmission = { services.transmission = {
enable = true; enable = true;
performanceNetParameters = true; performanceNetParameters = true;
user = "public_data";
group = "public_data";
settings = { settings = {
/* directory settings */ /* directory settings */
# "watch-dir" = "/srv/storage/Transmission/To-Download"; # "watch-dir" = "/srv/storage/Transmission/To-Download";
# "watch-dir-enabled" = true; # "watch-dir-enabled" = true;
"download-dir" = "/var/lib/transmission/Downloads"; "download-dir" = "/data/samba/Public/Plex/Transmission";
"incomplete-dir" = "/var/lib/transmission/.incomplete"; "incomplete-dir" = "/var/lib/transmission/.incomplete";
"incomplete-dir-enabled" = true; "incomplete-dir-enabled" = true;
@@ -98,49 +107,47 @@
# "speed-limit-up-enabled" = true; # "speed-limit-up-enabled" = true;
/* seeding limit */ /* seeding limit */
"ratio-limit" = 10; "ratio-limit" = 2;
"ratio-limit-enabled" = true; "ratio-limit-enabled" = true;
"download-queue-enabled" = true; "download-queue-enabled" = true;
"download-queue-size" = 20; # gotta go fast "download-queue-size" = 20; # gotta go fast
}; };
}; };
users.groups.public_data.members = [ "prowlarr" "sonarr" "bazarr" "radarr" "lidarr" "transmission" ];
users.groups.public_data.gid = 994; users.groups.public_data.gid = 994;
users.users.public_data = {
isSystemUser = true;
group = "public_data";
uid = 994;
};
}; };
# containers cannot unlock their own secrets right now. unlock it here
age.secrets."pia-login.conf".file = ../../../secrets/pia-login.conf;
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
# forwarding for vpn container
networking.nat.enable = true;
networking.nat.internalInterfaces = [
"ve-vpn" # vpn container
];
networking.nat.externalInterface = "eth0";
# unpackerr # unpackerr
# flaresolverr # flaresolverr
services.nginx.enable = true; services.nginx.enable = true;
services.nginx.virtualHosts."bazarr.s0".locations."/".proxyPass = "http://172.16.100.2:6767"; services.nginx.virtualHosts."bazarr.s0".locations."/".proxyPass = "http://vpn.containers:6767";
services.nginx.virtualHosts."radarr.s0".locations."/".proxyPass = "http://172.16.100.2:7878"; services.nginx.virtualHosts."radarr.s0".locations."/".proxyPass = "http://vpn.containers:7878";
services.nginx.virtualHosts."lidarr.s0".locations."/".proxyPass = "http://172.16.100.2:8686"; services.nginx.virtualHosts."lidarr.s0".locations."/".proxyPass = "http://vpn.containers:8686";
services.nginx.virtualHosts."sonarr.s0".locations."/".proxyPass = "http://172.16.100.2:8989"; services.nginx.virtualHosts."sonarr.s0".locations."/".proxyPass = "http://vpn.containers:8989";
services.nginx.virtualHosts."prowlarr.s0".locations."/".proxyPass = "http://172.16.100.2:9696"; services.nginx.virtualHosts."prowlarr.s0".locations."/".proxyPass = "http://vpn.containers:9696";
services.nginx.virtualHosts."music.s0".locations."/".proxyPass = "http://localhost:4533"; services.nginx.virtualHosts."music.s0".locations."/".proxyPass = "http://localhost:4533";
services.nginx.virtualHosts."plex.s0".locations."/" = { services.nginx.virtualHosts."jellyfin.s0".locations."/" = {
proxyPass = "http://localhost:32400"; proxyPass = "http://vpn.containers:8096";
proxyWebsockets = true; proxyWebsockets = true;
}; };
services.nginx.virtualHosts."jellyfin.s0".locations."/" = { services.nginx.virtualHosts."jellyfin.neet.cloud".locations."/" = {
proxyPass = "http://localhost:8096"; proxyPass = "http://vpn.containers:8096";
proxyWebsockets = true; proxyWebsockets = true;
}; };
services.nginx.virtualHosts."transmission.s0".locations."/" = { services.nginx.virtualHosts."transmission.s0".locations."/" = {
proxyPass = "http://172.16.100.2:9091"; proxyPass = "http://vpn.containers:9091";
proxyWebsockets = true; proxyWebsockets = true;
}; };
# tailscale
services.tailscale.exitNode = true;
nixpkgs.overlays = [ nixpkgs.overlays = [
(final: prev: { (final: prev: {
radarr = prev.radarr.overrideAttrs (old: rec { radarr = prev.radarr.overrideAttrs (old: rec {
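Review bot: the new `services.nginx.virtualHosts."jellyfin.neet.cloud"` entry is the only vhost here with a public-looking name, and the hunk sets nothing but `proxyPass` and `proxyWebsockets` for it: no `forceSSL` or `enableACME`, and no comment on where TLS is terminated. If nginx on this host is the public endpoint, add those options; if a tunnel or an upstream proxy fronts it, note that next to the vhost. The vhost also forwards outside traffic to `vpn.containers:8096`, the same container that runs transmission and the servarr services, which deserves a line of justification. Minor: `uid = 994` and `gid = 994` for `public_data` are hard-coded with no comment on what they have to match.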
@@ -168,6 +175,15 @@
runHook postInstall runHook postInstall
''; '';
}); });
pykms = prev.pykms.overrideAttrs (old: {
src = pkgs.fetchFromGitHub {
owner = "Py-KMS-Organization";
repo = "py-kms";
rev = "7bea3a2cb03c4c3666ff41185ace9f7ea2a07b99";
sha256 = "90DqMqPjfqfyRq86UzG9B/TjY+yclJBlggw+eIDgRe0=";
};
});
}) })
]; ];
} }
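Review bot: the `pykms` override swaps `src` to rev 7bea3a2cb03c4c3666ff41185ace9f7ea2a07b99 but leaves `version` as inherited, so the package will still report the nixpkgs version while building a different commit; set `version` to match and add a comment saying why the pin is needed. The fixed `rev` plus `sha256` is the right shape for a pinned fetch; writing it as `hash = "sha256-<base64>"` in SRI form would make the hash encoding explicit. Since the same file keeps `services.pykms.openFirewallPort = true`, recording the reason for tracking a non-nixpkgs revision of a network-exposed service matters more than usual.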

View File

@@ -17,14 +17,21 @@
boot.kernelModules = [ ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
boot.initrd.luks.devices."enc-pv1".device = "/dev/disk/by-uuid/36c4fab0-ea98-4ebc-9612-893f8f61c228"; boot.initrd.luks.devices."enc-pv1" = {
device = "/dev/disk/by-uuid/e3b588b6-d07f-4221-a194-e1e900299752";
allowDiscards = true; # SSD
};
boot.initrd.luks.devices."enc-pv2".device = "/dev/disk/by-uuid/514231c1-5934-401f-80e1-e3b6b62dc9d5"; boot.initrd.luks.devices."enc-pv2".device = "/dev/disk/by-uuid/514231c1-5934-401f-80e1-e3b6b62dc9d5";
boot.initrd.luks.devices."enc-pv3".device = "/dev/disk/by-uuid/f45abe73-d0c6-446f-b28c-7a96a3f87851"; boot.initrd.luks.devices."enc-pv3".device = "/dev/disk/by-uuid/f45abe73-d0c6-446f-b28c-7a96a3f87851";
boot.initrd.luks.devices."enc-pv4".device = "/dev/disk/by-uuid/953efe14-af9f-4fb5-a658-417ec02dbdda"; boot.initrd.luks.devices."enc-pv4".device = "/dev/disk/by-uuid/e2c7402a-e72c-4c4a-998f-82e4c10187bc";
boot.initrd.luks.devices."enc-pv5".device = "/dev/disk/by-uuid/5d1002b8-a0ed-4a1c-99f5-24b8816d9e38"; boot.initrd.luks.devices."enc-pv5".device = "/dev/disk/by-uuid/5d1002b8-a0ed-4a1c-99f5-24b8816d9e38";
boot.initrd.luks.devices."enc-pvUSB" = {
device = "/dev/disk/by-uuid/c8e18f86-a950-4e4e-8f3c-366cc78db29b";
allowDiscards = true; # SSD
};
fileSystems."/" = fileSystems."/" =
{ device = "/dev/mapper/enc-pv1:/dev/mapper/enc-pv2:/dev/mapper/enc-pv3:/dev/mapper/enc-pv4:/dev/mapper/enc-pv5"; { device = "/dev/mapper/enc-pv1:/dev/mapper/enc-pv2:/dev/mapper/enc-pv3:/dev/mapper/enc-pv4:/dev/mapper/enc-pv5:/dev/mapper/enc-pvUSB";
fsType = "bcachefs"; fsType = "bcachefs";
}; };
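Review bot: `allowDiscards = true` on `enc-pv1` and on the new `enc-pvUSB` is annotated only with `# SSD`; passing TRIM through dm-crypt reveals which blocks of the encrypted device are unused, and the comment should state that trade-off so it reads as a decision rather than a default. `enc-pvUSB` is also added to the `fileSystems."/"` device list, so boot now depends on that USB disk being present and unlocked in the initrd; a note on the expected behaviour when it is missing would help. The `enc-pv1` and `enc-pv4` UUIDs change in the same hunk without explanation; a comment or the commit message should say whether these are disk replacements.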

View File

@@ -14,9 +14,10 @@
# Required for rootfs on sata # Required for rootfs on sata
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [
"pcie-rockchip-host" "pcie-rockchip-host" # required for rootfs on pcie sata disks
"phy-rockchip-pcie" "phy-rockchip-pcie" # required for rootfs on pcie sata disks
"phy-rockchip-usb" "phy-rockchip-usb" # maybe not needed
"uas" # required for rootfs on USB 3.0 sata disks
]; ];
# bcachefs kernel is 5.15. but need patches that are only in 5.16+ # bcachefs kernel is 5.15. but need patches that are only in 5.16+
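Review bot: `"phy-rockchip-usb"` is now annotated `# maybe not needed`; either confirm that and drop the module from `boot.initrd.availableKernelModules`, or remove the hedge, since every initrd module is code loaded before the root filesystem is unlocked. The section comment `# Required for rootfs on sata` is also stale now that `"uas"` is listed for USB-attached disks.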

View File

@@ -0,0 +1,37 @@
age-encryption.org/v1

Binary file not shown.

View File

@@ -1,37 +1,39 @@
age-encryption.org/v1 age-encryption.org/v1

View File

@@ -1,36 +1,39 @@
age-encryption.org/v1 age-encryption.org/v1

View File

@@ -1,35 +1,39 @@
age-encryption.org/v1 age-encryption.org/v1

View File

@@ -1,36 +1,41 @@
age-encryption.org/v1 age-encryption.org/v1

Binary file not shown.

Binary file not shown.

View File

@@ -1,37 +1,38 @@
age-encryption.org/v1 age-encryption.org/v1

Binary file not shown.

View File

@@ -1,36 +1,40 @@
age-encryption.org/v1 age-encryption.org/v1


@@ -16,4 +16,7 @@ in
"iodine.age".publicKeys = all; "iodine.age".publicKeys = all;
"spotifyd.age".publicKeys = all; "spotifyd.age".publicKeys = all;
"wolframalpha.age".publicKeys = all; "wolframalpha.age".publicKeys = all;
"cloudflared-navidrome.json.age".publicKeys = all;
"smb-secrets.age".publicKeys = all;
"sasl_relay_passwd.age".publicKeys = all;
} }
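Review bot: The three added entries (`"cloudflared-navidrome.json.age"`, `"smb-secrets.age"`, `"sasl_relay_passwd.age"`) all use `publicKeys = all;`, so every key in `all` can decrypt what the file names suggest are tunnel credentials, SMB credentials and a SASL relay password. `all` is bound above the `in` and is not visible in this hunk; if it covers every host and user key, scope each secret to the keys of the machines that run the consuming service (a per-role list in place of `all`), so that compromise of one unrelated host does not expose all three.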

38
secrets/smb-secrets.age Normal file

@@ -0,0 +1,38 @@
age-encryption.org/v1
-> ssh-ed25519 xoAm7w Kg7UClnYqMV4+rPfZsUFgHyXUFfD9ZY2miGwr0m+NWc
SCfg3UYlGpUJreLgdkKUVru7Gqvh7AfmJLRoI+Jwmdo
-> ssh-ed25519 mbw8xA LeqtlUz7egt8G5z8Ca69GUM9Jgt7HMiqPxO/YN0rwR4
ILPsmKmjrc2m0kFMhpY2ebVXTsTRUiQMookDindWrig
-> ssh-ed25519 N240Tg G6vylAd18eW8zdF+vReXY7fTfdYseWY//4/ElWDMxXo
a1BWR4URSMmHV8Z48aChmVQAlfSfNn0S66WOG0uxNc0
-> ssh-ed25519 2a2Yhw XXZOpsj9uhKDzh6rnSWOj3HWeohsm3LvPw0RTR3zLkI
9U5oc+gWXmK5r4mLZueFBnkyal88lNbFNlzRcT77Zyo
-> ssh-ed25519 dMQYog m+Tm6nn0yVLiPPua1K7v2ToXg4JzRouarE63L/sh4kk
SZ7HXZ2wteV6mxJ2bdMOenMO3clsL7nRyAkDAJomODQ
-> ssh-ed25519 G2eSCQ sFl1qmmOPtEypFvjZStXITKedfQV45B2MDk90Bcb3hI
fetONY50e4lApLBWTABlDrV7iG0EdQl4sJE276LNz+0
-> ssh-ed25519 6AT2/g eL7ilpjXlLTIEqgOoX5jlDapUZjipe4ssmgFdaWGfQU
5JOCPit0JyCuHQk9JUqPUbk1l1YJcPfeFYqZLrlA2+4
-> ssh-ed25519 yHDAQw OL1GcsvJ1xxiGLqnkVVCMdwZTd1lSsxMV/ERkGlKqDU
gDiwmUUDPBoYE5uKmxUkfQXV95bAnTghmnE4URjEAC0
-> ssh-ed25519 hPp1nw Qq52IpfX5qtzg7E9ruK4qI3W0tyXTnm5ntITOzZ4r3M
QhTA1V4vN9qMKhIcmNKIOBYnggPP4FfbIkXR+00jJMY
-> ssh-ed25519 CRfjsA EtorS2Ba+6E4grspQXhDFiXSOxGsnNSQbkSpv+NkGkc
Oz6xPjiHUJI/md01GxNLA9O52V/inIeaEi0wGe/T2QE
-> ssh-ed25519 vwVIvQ yzWaeWjer2QysLCpcpiEGuUSX/JEf+CVOLEbV4cdwG4
00vNjH+LFNjGGFrJmJtpLGKZTnEtFDW94sDIeNeklbk
-> ssh-ed25519 fBrw3g PJqw2w4s10ncE5q95Srxc49S3UfiZpDskoCHLsYE8wo
SMpvtbRNMdGi3+VENOVziLt2U6kg4djaJwY9QN7qm+A
-> ssh-ed25519 S5xQfg QCkCr+gN488FKCu+TlhJ6HUbFxqdkwSaUYxgnJ66zl8
XhMSuZ/HOlXJmWRVrQjMY80IKxvrnNHh6eR6N2vSKeQ
-> ssh-ed25519 XPxfUQ k8Pp9ZlRAWZRXOQ9URro05DRIViGfs2DhXTrMTZyvgA
B7lvmKy5Dqw5qzLwnQEX1163NW0t6vYHPgTmqKE/2+4
-> ssh-ed25519 SpD5mg Y/Cg1GVTBo1r66Oj/bFN0uDWLfM2rIAAGRP0qu0tfRo
Rr+7yR2uf170A2pUylEwUthC0XGIXin51DK9JS8K0xY
-> ssh-ed25519 Kk8sng r//SXYT5xxLXwoDsWhFwaoLzhT8fdbXX3HShmS4SMX0
DrcuiBS+JLkzgsYumxvnsnKkrzFYkNPRJZOegj+0Q1c
-> X6%3Q-grease l? n?e
j/l9N+hzs80iS5YZrx8mrrIIb/+y82YM4lb1a0aBOCUMsK0IHbtnPjZbVfOmO55W
+yFtp3gXw1Fnffbircs8YnYpq5vdpEABGazjSg
--- o3H9hWurbhlvoOR4Ulmpt/hdPk+C/OR79T0YqvoXRR0
؆(ÚÙ0Ý íw¨WMæ‘@jO…°}2 mêNßnÙ³g«å„?¤gò³ª³†“rºB\ ï½ãØ


@@ -1,35 +1,38 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 xoAm7w a0ayID6UGUku1PXl2lYA5VheB/xyzb6OLCNrk4gqYAk -> ssh-ed25519 xoAm7w F1C6i9iOvzUf6pS7eBfcsRFRn4q2YE7htxCqiLvasw0
vAEqftzP/AWCNfuQpcKtEIuoXkygf/D3VbfAanh6BMI viF83MLadEfum6wQWgbl/h0l65+jAtBszhevVS4jh4k
-> ssh-ed25519 mbw8xA +encxyEaKOuSuBmFVPdySEJP4dS+SOOnwIlkApifDRc -> ssh-ed25519 mbw8xA Ec2wju2txmmCHuVNDWdLQkfUNY7/okY2koAz6Jur53o
JuTj3ldHfsGeqgXGGEB5PFcu4QHHYhcuCRPOctvG5mg JLmlpd43QO/LPvS0TW9eKh6f5zZmbVDWjYn44J5ZqMo
-> ssh-ed25519 N240Tg P6fjGAaRS6/10v3NdnnXwvc+ZuWxdqzk3CU/C5Tzw1E -> ssh-ed25519 N240Tg 1bl9Y+I3XGx7RiY8078wEMdaAishvW84nMrprt8jjVU
p9EHrSch7QKF5X4gUm08bAsgdnzP+gTCTdA2gR4KA34 4lXtc1rGouF1DoTohQnSEMvNwRZaaenimEFypsfxajM
-> ssh-ed25519 2a2Yhw ylRPAhl/neJLCylG9rJ7yT1scOe1OsEe3COHO7IdcyQ -> ssh-ed25519 2a2Yhw SDknhtgjNgNy3ktoNNvLie3OdO8bKhWW5P4s73OtLk8
fgE7XdwfcreVRqUVMZEhVZtbr8xI7/eczlfFy+zERuE Ihl/yNw35f2CgcZX6KHRXUTpAHp6aAQR/7oeU+gq3V4
-> ssh-ed25519 dMQYog HlDigBekN/UDyNATXDT9o76zPsIpIxPHplVBt/p8XhI -> ssh-ed25519 dMQYog dME46DZmwFnKBKlmx5AZEoaVipBmpuz66RXPQfFoXSY
yL+lbSNbIz/n6SCgkloO6p3P2eklnOZZImGmGlfXyzU eAzeaSpIL5KPQADGEeuX/bkQ014L8MeTQF2fapO2N/w
-> ssh-ed25519 G2eSCQ Oj0yOi0cBAMs16D3Lo1W1fWl0SeiaU0oP2cw1ZIRB0A -> ssh-ed25519 G2eSCQ 8/xTD9nSXyAeZwBEdJgLcOembBwnMOgWX3jR4N2sXC8
oLVZAhMe9yIZGwZxX+DWMZBZYBhN43PcEulyVPpJLH4 0BmY7u5TEcIEza2PZIJEamV2dfC0sDeVl0UXECBwDlc
-> ssh-ed25519 yHDAQw OC/PuKj9h33oXOroXjKSLxzA2TEBGAYA3pA55nZUcnQ -> ssh-ed25519 6AT2/g xSdH52Oq0TOg0D76WlDVSY5kJb0hMAWoM3XVyMtAeWk
I/GV1mQj38AXW61eW8HnbHSfsk3d0jpuHL5XYdZkbYU 0p2AHJDa9XK6C2g8AM/g7cWdR5DGLk6SoUL3Nah2G1M
-> ssh-ed25519 2+FxVg vvNdouvWW6UbHtS0Agw/D46LBZ/t/5d6q4uJpO/EO0Y -> ssh-ed25519 yHDAQw mQBHUkvKf+Na8pCfl2Vb7+sKLmKth0lbxDFEcTtH/ng
/img0q0fTXWAkGCnPu4FMempzOKV7j0NhoqCd3pCi6k JDPxV93vE8mKJtDp/MewHA0F78rW/0ZPYUQKkdNUivs
-> ssh-ed25519 CRfjsA XzT9OM/zgU3H4cUdX5QDNvPvSe7tGhamVokmcWMwFUE -> ssh-ed25519 hPp1nw htVxNW9zp7J38WN06jfEX417xtXt50iMTRUtrzLRO2k
DL6XWi9cYOfX/klHaqhiO4JLG8S2srNfn9Ez/SrD0fM iTHjoS5eWNiQxIWtuylkqXlO8E+Dx/2CkENs16lZqhQ
-> ssh-ed25519 vwVIvQ 1rW+L1BP//VoUdW7pCimPkYS1ktLw/ZD3HTBhte0l1Y -> ssh-ed25519 CRfjsA Dqs/SAfRhgszI9pz4yZHyVp0iqPg1ssspX6ZW2QTv10
oqSyg/ptgmpPvCtaxYml8DwbIxwCS4aKysDuP7jzUUw tA7NQXpPtJQ4mHjTDr4pTt9jrqDkMJZGMLVazOenMbs
-> ssh-ed25519 fBrw3g 6GXyHXyiGhrDPNc9JrfiJUEFHbUD8mJUn87fGCdWCWU -> ssh-ed25519 vwVIvQ oNmVe26rEpI7nNGlI5G7Er9fu7blpHNE6NOeGkoR/TM
fo8ArkL2qxOJGmy9lwKAFUkg+3nCgQO0EhuK/WYf8P8 vAL2gsM9NatGQpnNIh8XpCP+o9KoOnuLVt9e8+Kymcw
-> ssh-ed25519 S5xQfg 0yjzWf9A85SvffzZZGyDvx4PUGOPszYOrLW+fgpF8ig -> ssh-ed25519 fBrw3g 7GVBA1eUhgxGfiiKirK/i5JUbehOJVgmc2H/tgQ+A1s
4gywojYnE4rLr6DIYRWQxlHwGy+pEaK6lz40uiFWVRM n3i9gtNt4aRT4EOk8C94lGmXNN538HNOqo8uCmxZz6o
-> ssh-ed25519 XPxfUQ V2pT37K8mdaHaqL2PUG+qOPhfwT3yrTbuJ4eQFRXH20 -> ssh-ed25519 S5xQfg 2KQLClmvqWMuJDOSAkzcpJkRTJgV6ig5Cq22RcCixWA
O8YA4FJwOWv21Gl0DLOxjrofyoxj92YHLQwGh2/9SI4 zYULXTJL5o5uZxxi/fOCrocxZooH3KarUj8vUDkfWn8
-> ssh-ed25519 SpD5mg bl0pYtgg1K4UgCMUTDTfiKD1HK17UBbEzizIzvin7Qc -> ssh-ed25519 XPxfUQ z0v4A6O509NqQgbKFzZrY2WL1ATc9SCYckbtqaSOdk0
vzlO2qLrksJ8UFckLsiNR9fJTmmK3CDFL9EmYhgINAw PbDNvSWw4QEGLUzhp8IrX0oMDJzWjeemuEDZ02YlClo
-> ssh-ed25519 Kk8sng 4v3obojVpPhhd2KmkPQzxQ2XTZbLAhuMMB/itcET/w0 -> ssh-ed25519 SpD5mg +A6LavFPjRHuTyk0MTZ6zmJf+CIMX69fT/HI6/0RJWI
ZLWkwL+956podqVfT9aVXhGodpPrTKlqav7LJsZsPlc CVgJC3y/H7MHUCMR5s77oPWA56oIEpj+7MZH+Qw/LTU
-> OzS$+AQ-grease .S/z rVC)uBgT \g ` -> ssh-ed25519 Kk8sng 4Re6/B65/TMi45/fZh7zl7dAzH4MnCnHqca1Otpaa2o
Irgp8AvpZbTd4DYYE6uZ/8Zgi/WtRQ zJAlQ96vODytPwtwPSxEEi8hn052vCGcPUxECyU9Ivo
--- dcXq8r6m1GVNOQKtN/mRmUlhOTVM9HD2/TQ5SKJru7A -> V1&(!o4J-grease I)F/
Æá÷ïúC<EFBFBD>¢nÿ©F.왣N´F 쀊O+‰aŠÉ ùÐ8bâHƒûñrì`¬ƒ*¾ˆÏ| ,2WUÂG“eœŒa,.iB+S44èG$”•s*:kå2U²NÔJ«>g.¨Åu¹ ô AQ7tCx9XyVd3QDf9Tadcz8QIOJ3bgj4kDh8YuwATAmF7M9DPAlQiW5qkkvaALloG
KwwV
--- VnZ2JJVPKnr8hDMqsZidpehwkLY9W2UmF40/5Khu7rg
„;»­ 晣,‘ΧÂ<C2A7>òHµˆ¿ˆ±>ê¬?þL¬Üiv?PËwùìŒímW£­3„^¯{^ÂÆ«"ýçMÈ[…P¤$­Ràüú…£ÄŽýÓ6LÍ Ï
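Review bot: The recipient set changes in this re-encryption: the old side carries a `-> ssh-ed25519 2+FxVg` stanza that the new side lacks, and the new side adds stanzas for `6AT2/g` and `hPp1nw`. Dropping a stanza only affects the new ciphertext; the previous version of this file remains in git history, and the holder of the `2+FxVg` key can still decrypt it. If that key was removed because its host was retired or is no longer trusted, rotate the secret value itself in the same change, and record in the commit message which recipients were added and removed and why.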

Binary file not shown.