119 Commits

Author SHA1 Message Date
a0c199ba06 Unfinished attempt at packaging pia client 2023-02-08 01:38:54 -05:00
6f9edd8870 Add ISO build 2023-02-08 01:36:23 -05:00
076bdb3ab4 Use upstream nvidia reverse prime support 2023-02-08 01:35:25 -05:00
fcbd877d06 flake.lock: Update
Flake lock file updates:

• Updated input 'nix-locate':
    'github:googlebot42/nix-index/a28bb3175d370c6cb9569e6d4b5570e9ca016a3e' (2022-05-17)
  → 'github:bennofs/nix-index/5f98881b1ed27ab6656e6d71b534f88430f6823a' (2023-01-17)
• Updated input 'nix-locate/flake-compat':
    'github:edolstra/flake-compat/b7547d3eed6f32d06102ead8991ec52ab0a4f1a7' (2022-01-03)
  → 'github:edolstra/flake-compat/009399224d5e398d03b22badca40a37ac85412a1' (2022-11-17)
• Updated input 'nixpkgs-unstable':
    'github:NixOS/nixpkgs/836b2bed01d19dce142298e58c998f4f65057c6a' (2023-02-08)
  → 'github:NixOS/nixpkgs/32f914af34f126f54b45e482fb2da4ae78f3095f' (2023-02-08)
2023-02-08 00:59:29 -05:00
27f4b5af78 flake.lock: Update
Flake lock file updates:

• Updated input 'agenix':
    'github:ryantm/agenix/a630400067c6d03c9b3e0455347dc8559db14288' (2022-10-15)
  → 'github:ryantm/agenix/b7ffcfe77f817d9ee992640ba1f270718d197f28' (2023-01-31)
• Added input 'agenix/darwin':
    'github:lnl7/nix-darwin/87b9d090ad39b25b2400029c64825fc2a8868943' (2023-01-09)
• Added input 'agenix/darwin/nixpkgs':
    follows 'agenix/nixpkgs'
• Updated input 'archivebox':
    'git+https://git.neet.dev/zuckerberg/archivebox.git?ref=master&rev=39d338b9b24159d8ef3309eecc0d32a2a9f102b5' (2022-03-30)
  → 'git+https://git.neet.dev/zuckerberg/archivebox.git?ref=refs%2fheads%2fmaster&rev=39d338b9b24159d8ef3309eecc0d32a2a9f102b5' (2022-03-30)
• Updated input 'dailybuild_modules':
    'git+https://git.neet.dev/zuckerberg/dailybuild_modules.git?ref=master&rev=1290ddd9a2ff2bf2d0f702750768312b80efcd34' (2022-05-05)
  → 'git+https://git.neet.dev/zuckerberg/dailybuild_modules.git?ref=refs%2fheads%2fmaster&rev=1290ddd9a2ff2bf2d0f702750768312b80efcd34' (2022-05-05)
• Updated input 'flake-utils':
    'github:numtide/flake-utils/c0e246b9b83f637f4681389ecabcb2681b4f3af0' (2022-08-07)
  → 'github:numtide/flake-utils/5aed5285a952e0b949eb3ba02c12fa4fcfef535f' (2022-11-02)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/3933d8bb9120573c0d8d49dc5e890cb211681490' (2022-10-22)
  → 'github:NixOS/nixpkgs/0874168639713f547c05947c76124f78441ea46c' (2023-01-01)
• Removed input 'nixpkgs-nvidia'
• Updated input 'nixpkgs-unstable':
    'github:NixOS/nixpkgs/301aada7a64812853f2e2634a530ef5d34505048' (2022-10-21)
  → 'github:NixOS/nixpkgs/836b2bed01d19dce142298e58c998f4f65057c6a' (2023-02-08)
• Updated input 'radio-web':
    'git+https://git.neet.dev/zuckerberg/radio-web.git?ref=master&rev=72e7a9e80b780c84ed8d4a6374bfbb242701f900' (2022-05-09)
  → 'git+https://git.neet.dev/zuckerberg/radio-web.git?ref=refs%2fheads%2fmaster&rev=72e7a9e80b780c84ed8d4a6374bfbb242701f900' (2022-05-09)
2023-02-08 00:33:47 -05:00
7238d6e6c5 latest kernel not needed for wifi anymore 2023-02-06 22:45:34 -05:00
094905a727 virt-manager 2023-02-06 22:44:22 -05:00
cf3fa0ff12 depthai udev 2023-02-06 22:44:09 -05:00
7c7b356aab Remove 'I don't care about cookies'. It is under new management 2023-02-06 22:43:43 -05:00
c57e4f022f flake.lock: Update
Flake lock file updates:

• Updated input 'agenix':
    'github:ryantm/agenix/7e5e58b98c3dcbf497543ff6f22591552ebfe65b' (2022-05-16)
  → 'github:ryantm/agenix/a630400067c6d03c9b3e0455347dc8559db14288' (2022-10-15)
• Updated input 'flake-utils':
    'github:numtide/flake-utils/1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1' (2022-05-30)
  → 'github:numtide/flake-utils/c0e246b9b83f637f4681389ecabcb2681b4f3af0' (2022-08-07)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/d17a56d90ecbd1b8fc908d49598fb854ef188461' (2022-06-17)
  → 'github:NixOS/nixpkgs/3933d8bb9120573c0d8d49dc5e890cb211681490' (2022-10-22)
• Updated input 'nixpkgs-unstable':
    'github:NixOS/nixpkgs/42948b300670223ca8286aaf916bc381f66a5313' (2022-04-08)
  → 'github:NixOS/nixpkgs/301aada7a64812853f2e2634a530ef5d34505048' (2022-10-21)
• Updated input 'simple-nixos-mailserver':
    'gitlab:simple-nixos-mailserver/nixos-mailserver/a48082c79cff8f3b314ba4f95f4ae87ca7d4d068' (2022-06-14)
  → 'gitlab:simple-nixos-mailserver/nixos-mailserver/f535d8123c4761b2ed8138f3d202ea710a334a1d' (2022-06-22)
2022-10-23 10:43:19 -04:00
zuckerberg
f5a9f04cf2 Rekey secrets 2022-08-25 23:16:22 -04:00
zuckerberg
50fd928cda Change key 2022-08-25 23:16:09 -04:00
11072c374b Owncast 2022-07-24 15:18:29 -04:00
60f1235848 Add shell aliases 2022-07-24 13:23:03 -04:00
55ea5aebc4 Add README and TODO files 2022-07-24 12:57:05 -04:00
2738f6b794 WIP wireguard vpn 2022-07-24 12:13:17 -04:00
ec2b248ed8 Don't use tailscale in containers 2022-06-23 22:37:14 -04:00
aa7bbc5932 Use Tailscale 2022-06-23 22:30:07 -04:00
eef574c9f7 Pin nixpkgs to a version that works for bcachefs 2022-06-20 11:51:45 -04:00
25fb7a1645 Jellyfin Client only on desktop 2022-06-20 00:04:54 -04:00
301fd8462b Update to NixOS 22.05 2022-06-20 00:00:49 -04:00
a92800cbcc Update to NixOS 22.05 2022-06-19 23:59:52 -04:00
5e361b2fc8 Update to NixOS 22.05 2022-06-19 23:44:01 -04:00
b41e4dc375 add jellyfin media player 2022-06-19 23:29:54 -04:00
7e615f814d Rewrite VPN container 2022-05-28 18:54:41 -04:00
c560a63182 More vpn options 2022-05-27 16:43:25 -04:00
2f14d07f82 Proxy jellyfin correctly 2022-05-20 19:30:14 -04:00
a89fde8aa5 Don't export bazarr 2022-05-20 19:15:33 -04:00
1856fe00d6 Jellyfin open port 2022-05-20 18:58:13 -04:00
388599e08c Use aarch64-linux friendly nix-locate 2022-05-20 16:42:38 -04:00
75a33a0b5e Add .gitignore 2022-05-20 16:37:33 -04:00
918b53e383 Move jellyfin to container 2022-05-20 16:37:05 -04:00
c643244dab set sendmail send domain 2022-05-16 17:46:11 -04:00
9fc6f816fb Use nix-locate for command-not-found 2022-05-16 15:01:15 -04:00
63902fcb46 Require auth for public samba share 2022-05-16 13:22:00 -04:00
8a1e0b76f1 Remove sauerbraten 2022-05-16 13:07:32 -04:00
f144bda9e6 Minimal kexec image builder 2022-05-16 13:04:31 -04:00
b8c9278f37 Use runyan.org 2022-05-09 14:46:18 -04:00
9f45df7903 Update dailybot 2022-05-04 22:55:53 -04:00
a894a5429e Enable sender dependent authentication 2022-05-03 19:21:10 -04:00
dfec18e904 Send mail through mailgun 2022-05-03 18:33:48 -04:00
91e38f5866 Remove pi.agency 2022-05-03 14:54:09 -04:00
fed1aecd64 Update dailybot 2022-05-03 14:53:58 -04:00
ec3056f8c1 Don't store awful files 2022-05-03 14:53:42 -04:00
339eed1f55 Move services to ponyo 2022-05-02 18:01:03 -04:00
5ac5b4551b Rekey secrets 2022-05-02 11:56:25 -04:00
d378a287fa Add ponyo system 2022-05-02 11:56:14 -04:00
d71af55727 Better samba mount options 2022-05-02 02:54:41 -04:00
de05a535ea Prune services 2022-05-02 02:54:22 -04:00
910af494b5 Retire neetdev 2022-05-02 02:50:54 -04:00
3d1c078a44 Revert radio to previous version 2022-04-30 22:15:27 -04:00
c85beff7ed SSDs for NAS 2022-04-26 00:57:11 -04:00
7ab4906710 Use '*.containers' instead of ips 2022-04-25 00:46:40 -04:00
af3af7b2ae Add samba share user 2022-04-25 00:30:57 -04:00
f627abc649 More hosts 2022-04-25 00:20:14 -04:00
e37878c544 Automount samba shares 2022-04-24 21:56:28 -04:00
73bbd39c64 Create samba users 2022-04-24 21:55:24 -04:00
acbf162ffe Use latest pykms 2022-04-24 21:54:04 -04:00
516121b26c Revert broken samba config for now... 2022-04-24 21:53:41 -04:00
8742352ea9 Disable scroll jacking extension works poorly 2022-04-24 21:26:29 -04:00
61391cc180 Improve samba speed 2022-04-23 04:32:33 -04:00
60771ea56e Access transmission files over samba 2022-04-23 04:32:19 -04:00
2f19903a45 Remove pi.agency 2022-04-21 15:17:59 -04:00
8102981a01 Update dailybot 2022-04-21 15:17:32 -04:00
d975477c05 Update dailybot 2022-04-21 14:50:11 -04:00
af9333feff Ponyo as media proxy 2022-04-21 02:24:45 -04:00
5945310dd4 Ponyo keys 2022-04-21 01:27:47 -04:00
d5d986dd88 Rekey secrets 2022-04-21 01:26:53 -04:00
ffad65d902 OVH is annoying... 2022-04-21 01:15:51 -04:00
2cd7f12a75 Install as efi removable 2022-04-20 22:51:14 -04:00
fe48d7b009 New ponyo 2022-04-20 16:06:24 -04:00
448c3b280a New ponyo 2022-04-20 16:00:29 -04:00
ef2ad011cc Add ponyo 2022-04-20 00:04:25 -04:00
8267954e3d Improve file-roller 2022-04-19 16:33:12 -04:00
609f1d416a Stop scroll jacking 2022-04-19 16:32:03 -04:00
b4dce62d36 Fix permissions 2022-04-19 16:31:26 -04:00
e15b612b3c Shared group/user for consistent permissions+access 2022-04-17 23:43:42 -04:00
6233ce6c0d navidrome over cloudflared 2022-04-17 20:36:04 -04:00
1a4bdc4a8a Enable zerotier 2022-04-17 19:06:56 -04:00
73da58f6bf Bigger HDD 2022-04-13 21:15:35 -04:00
10f054a9d9 Bigger HDD 2022-04-12 17:25:08 -04:00
3f389e233f lm_sensors on everything 2022-04-12 17:24:56 -04:00
bece0911b3 don't bump system.stateVersion so carelessly... 2022-04-11 01:58:22 -04:00
5cf1dff4e0 ssh hosts 2022-04-09 22:41:21 -04:00
8d9c80d5b7 Use nixos unstable for NAS 2022-04-09 19:24:00 -04:00
0b99df46b7 Use nixos unstable for NAS 2022-04-09 19:22:38 -04:00
fdedd6fe4d Basic NAS services 2022-04-09 19:20:15 -04:00
e8ebcfc2be VPN failsafe working 2022-04-09 19:04:11 -04:00
11600ef4d7 vpnleak protection doesn't work correctly 2022-04-09 02:49:52 -04:00
285c4d3d58 Prevent VPN leaks 2022-04-09 01:02:20 -04:00
b2bd980947 rekey script 2022-04-09 01:01:45 -04:00
3158f8c3af Easy nixos vpn containers 2022-04-09 01:01:14 -04:00
809dd0b5eb s0 new key 2022-04-09 01:00:52 -04:00
b347656b6a Rekey secrets 2022-04-07 13:11:16 -04:00
1bb464f966 NAS Samba+Plex 2022-04-07 12:27:49 -04:00
ba570ec51a Swap for NAS 2022-04-07 12:26:56 -04:00
c5efc2db4d Cleanup 2022-04-07 12:23:21 -04:00
74c7f696d8 Remove annoying greeting 2022-04-06 20:13:12 -04:00
dfc66651ab Update inputs, clean up inputs 2022-04-06 19:53:27 -04:00
f386bc8871 bcachefs rootfs on helios64 2022-04-06 19:45:36 -04:00
c8bf265f83 Small changes 2022-04-06 19:43:40 -04:00
4d4b0b8240 Bump nixos baseline option 2022-04-06 19:34:30 -04:00
598c1d275b Archivebox as a flake 2022-04-06 19:33:15 -04:00
ca6a2c1bef drastikbot as a flake 2022-03-28 19:20:32 -04:00
43e31a8d2d WolframAlpha For drastikbot 2022-03-27 19:23:07 -04:00
49eb594429 Improve NVIDIA 2022-03-27 19:21:03 -04:00
a30b584fd9 Printer working 2022-03-27 19:19:32 -04:00
7445624273 New applications 2022-03-27 19:19:13 -04:00
7d01f0ab41 Chromium on AMD 2022-03-27 19:16:52 -04:00
49f1821bf2 tampermonkey in chromium 2022-03-27 19:16:08 -04:00
8984524ff1 Make using serial easier... 2022-03-27 19:15:36 -04:00
4d80638ab8 Enable bcachefs 2022-03-16 01:44:00 -04:00
0e9d3f53e7 typo 2022-03-16 01:38:17 -04:00
6673463214 Helios64 use upstream kernel + bcachefs 2022-03-16 01:31:24 -04:00
524bef9215 Turn on docker 2022-03-15 17:57:09 -04:00
ec60a18e5c Follow nixpkgs 2022-03-15 17:55:00 -04:00
dad421111a Sponsorblock 2022-03-15 17:50:40 -04:00
f6ec67a689 Add libreoffice, lm_sensors, git-lfs, killall 2022-03-15 17:49:58 -04:00
8f4af4f646 Enable spotifyd 2022-03-15 17:49:11 -04:00
77 changed files with 2422 additions and 5536 deletions

1
.gitignore vendored Normal file

@@ -0,0 +1 @@
result

12
README.md Normal file

@@ -0,0 +1,12 @@
# My NixOS configurations
### Source Layout
- `/common` - common configuration imported into all `/machines`
- `/boot` - config related to bootloaders, cpu microcode, and unlocking LUKS root disks over tor
- `/network` - config for tailscale, zeroteir, and NixOS container with automatic vpn tunneling via PIA
- `/pc` - config that a graphical desktop computer should have. Use `de.enable = true;` to enable everthing.
- `/server` - config that creates new nixos services or extends existing ones to meet my needs
- `/ssh.nix` - all ssh public host and user keys for all `/machines`
- `/machines` - all my NixOS machines along with their machine unique configuration for hardware and services
- `/kexec` - a special machine for generating minimal kexec images. Does not import `/common`
- `/secrets` - encrypted shared secrets unlocked through `/machines` ssh host keys
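Review bot: two typos in the new README: the `/network` line reads "zeroteir" (should be "zerotier", matching the `./zerotier.nix` import elsewhere in this change) and the `/pc` line reads "everthing" (should be "everything"). The layout description itself matches the files added below (`/network`, `/kexec`, `ssh.nix`), so nothing else to fix here.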

85
TODO.md Normal file

@@ -0,0 +1,85 @@
# A place for brain dump ideas maybe to be taken off of the shelve one day
### NixOS webtools
- Better options search https://mynixos.com/options/services
### Interesting ideas for restructuring nixos config
- https://github.com/gytis-ivaskevicius/flake-utils-plus
- https://github.com/divnix/digga/tree/main/examples/devos
- https://digga.divnix.com/
- https://nixos.wiki/wiki/Comparison_of_NixOS_setups
### Housekeeping
- Format everything here using nixfmt
- Cleanup the line between hardware-configuration.nix and configuration.nix in machine config
- CI https://gvolpe.com/blog/nixos-binary-cache-ci/
- remove `options.currentSystem`
- allow `hostname` option for webservices to be null to disable configuring nginx
### NAS
- helios64 extra led lights
- safely turn off NAS on power disconnect
- hardware de/encoding for rk3399 helios64 https://forum.pine64.org/showthread.php?tid=14018
- tor unlock
### bcachefs
- bcachefs health alerts via email
- bcachefs periodic snapshotting
- use mount.bcachefs command for mounting
- bcachefs native encryption
- just need a kernel module? https://github.com/firestack/bcachefs-tools-flake/blob/kf/dev/mvp/nixos/module/bcachefs.nix#L40
### Shell Comands
- tailexitnode = `sudo tailscale up --exit-node=<exit-node-ip> --exit-node-allow-lan-access=true`
### Services
- setup archivebox
- radio https://tildegit.org/tilderadio/site
- music
- mopidy
- use the jellyfin plugin?
- navidrome
- spotify secrets for navidrome
- picard for music tagging
- alternative music software
- https://www.smarthomebeginner.com/best-music-server-software-options/
- https://funkwhale.audio/
- https://github.com/epoupon/lms
- https://github.com/benkaiser/stretto
- https://github.com/blackcandy-org/black_candy
- https://github.com/koel/koel
- https://airsonic.github.io/
- https://ampache.org/
- replace nextcloud with seafile
### VPN container
- use wireguard for vpn
- https://github.com/triffid/pia-wg/blob/master/pia-wg.sh
- https://github.com/pia-foss/manual-connections
- port forwarding for vpn
- transmission using forwarded port
- https://www.wireguard.com/netns/
- one way firewall for vpn container
### Networking
- tailscale for p2p connections
- remove all use of zerotier
### Archive
- https://www.backblaze.com/b2/cloud-storage.html
- email
- https://github.com/Disassembler0/dovecot-archive/blob/main/src/dovecot_archive.py
- http://kb.unixservertech.com/software/dovecot/archiveserver
### Paranoia
- https://christine.website/blog/paranoid-nixos-2021-07-18
- https://nixos.wiki/wiki/Impermanence
### Misc
- https://github.com/pop-os/system76-scheduler
- improve email a little bit https://helloinbox.email
- remap razer keys https://github.com/sezanzeb/input-remapper
### Future Interests (upon merge into nixpkgs)
- nixos/thelounge: add users option https://github.com/NixOS/nixpkgs/pull/157477
- glorytun: init at 0.3.4 https://github.com/NixOS/nixpkgs/pull/153356
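Review bot: the heading `### Shell Comands` is misspelled ("Commands"), and the title's "taken off of the shelve" should read "taken off the shelf". The `tailexitnode` alias under that heading is the one item that is already a concrete command; it would fit in the `./shell.nix` aliases introduced by this same change rather than in a TODO list.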


@@ -3,18 +3,23 @@
{ {
imports = [ imports = [
./flakes.nix ./flakes.nix
./pia.nix
./zerotier.nix
./auto-update.nix ./auto-update.nix
./shell.nix
./network
./boot ./boot
./server ./server
./pc ./pc
]; ];
system.stateVersion = "20.09"; nix.flakes.enable = true;
system.stateVersion = "21.11";
networking.useDHCP = false; networking.useDHCP = false;
networking.firewall.enable = true;
networking.firewall.allowPing = true;
time.timeZone = "America/New_York"; time.timeZone = "America/New_York";
i18n.defaultLocale = "en_US.UTF-8"; i18n.defaultLocale = "en_US.UTF-8";
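Review bot: `system.stateVersion` is bumped from "20.09" to "21.11" in the shared `common/default.nix`, which changes stateful defaults (database and service state layouts) for every machine importing it at once; the commit list on this page itself carries `bece0911b3 don't bump system.stateVersion so carelessly...`. Consider leaving `stateVersion` to each entry under `/machines` so a host keeps the version it was first installed with. Turning on `networking.firewall.enable` for all hosts here is a good default.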
@@ -22,7 +27,21 @@
programs.mosh.enable = true; programs.mosh.enable = true;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
wget kakoune htop git dnsutils tmux nethogs iotop pciutils usbutils wget
kakoune
htop
git git-lfs
dnsutils
tmux
nethogs
iotop
pciutils
usbutils
killall
screen
micro
helix
lm_sensors
]; ];
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
@@ -30,11 +49,19 @@
users.mutableUsers = false; users.mutableUsers = false;
users.users.googlebot = { users.users.googlebot = {
isNormalUser = true; isNormalUser = true;
extraGroups = [ "wheel" ]; extraGroups = [
"wheel"
"dialout" # serial
];
shell = pkgs.fish;
openssh.authorizedKeys.keys = (import ./ssh.nix).users; openssh.authorizedKeys.keys = (import ./ssh.nix).users;
hashedPassword = "$6$TuDO46rILr$gkPUuLKZe3psexhs8WFZMpzgEBGksE.c3Tjh1f8sD0KMC4oV89K2pqAABfl.Lpxu2jVdr5bgvR5cWnZRnji/r/"; hashedPassword = "$6$TuDO46rILr$gkPUuLKZe3psexhs8WFZMpzgEBGksE.c3Tjh1f8sD0KMC4oV89K2pqAABfl.Lpxu2jVdr5bgvR5cWnZRnji/r/";
uid = 1000;
}; };
nix.trustedUsers = [ "root" "googlebot" ]; nix.trustedUsers = [ "root" "googlebot" ];
nix.gc.automatic = true; nix.gc.automatic = true;
security.acme.acceptTerms = true;
security.acme.defaults.email = "zuckerberg@neet.dev";
} }
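Review bot: `hashedPassword` for `googlebot` stays inline (unchanged context here) even though this change otherwise moves secrets into agenix (`age.secrets.*` in the new network modules); a crypt hash in a shared repository can be attacked offline, so prefer `users.users.googlebot.hashedPasswordFile` (`passwordFile` on releases before 23.05) pointing at a path under `/run/agenix`, which works with `users.mutableUsers = false`. Also, `shell = pkgs.fish` needs `programs.fish.enable = true` somewhere (possibly the new `./shell.nix`) so fish is registered in `/etc/shells` and gets the NixOS environment setup.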


@@ -16,6 +16,9 @@ in {
# pin nixpkgs for system commands such as "nix shell" # pin nixpkgs for system commands such as "nix shell"
registry.nixpkgs.flake = config.inputs.nixpkgs; registry.nixpkgs.flake = config.inputs.nixpkgs;
# pin system nixpkgs to the same version as the flake input
nixPath = [ "nixpkgs=${config.inputs.nixpkgs}" ];
}; };
}; };
} }


@@ -0,0 +1,23 @@
{ config, lib, ... }:
with lib;
let
cfg = config.networking;
in
{
imports = [
./hosts.nix
./pia-openvpn.nix
./tailscale.nix
./vpn.nix
./zerotier.nix
];
options.networking.ip_forward = mkEnableOption "Enable ip forwarding";
config = mkIf cfg.ip_forward {
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
};
}

63
common/network/hosts.nix Normal file

@@ -0,0 +1,63 @@
{ config, lib, ... }:
let
system = (import ../ssh.nix).system;
in {
networking.hosts = {
# some DNS providers filter local ip results from DNS request
"172.30.145.180" = [ "s0.zt.neet.dev" ];
"172.30.109.9" = [ "ponyo.zt.neet.dev" ];
"172.30.189.212" = [ "ray.zt.neet.dev" ];
};
programs.ssh.knownHosts = {
liza = {
hostNames = [ "liza" "liza.neet.dev" ];
publicKey = system.liza;
};
ponyo = {
hostNames = [ "ponyo" "ponyo.neet.dev" "ponyo.zt.neet.dev" "git.neet.dev" ];
publicKey = system.ponyo;
};
ponyo-unlock = {
hostNames = [ "unlock.ponyo.neet.dev" "cfamr6artx75qvt7ho3rrbsc7mkucmv5aawebwflsfuorusayacffryd.onion" ];
publicKey = system.ponyo-unlock;
};
ray = {
hostNames = [ "ray" "ray.zt.neet.dev" ];
publicKey = system.ray;
};
s0 = {
hostNames = [ "s0" "s0.zt.neet.dev" ];
publicKey = system.s0;
};
n1 = {
hostNames = [ "n1" ];
publicKey = system.n1;
};
n2 = {
hostNames = [ "n2" ];
publicKey = system.n2;
};
n3 = {
hostNames = [ "n3" ];
publicKey = system.n3;
};
n4 = {
hostNames = [ "n4" ];
publicKey = system.n4;
};
n5 = {
hostNames = [ "n5" ];
publicKey = system.n5;
};
n6 = {
hostNames = [ "n6" ];
publicKey = system.n6;
};
n7 = {
hostNames = [ "n7" ];
publicKey = system.n7;
};
};
}
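Review bot: the `n1`..`n7` entries under `programs.ssh.knownHosts` are seven copies of the same shape and could be generated, since `lib` is already in the module arguments: `programs.ssh.knownHosts = lib.genAttrs (map (i: "n${toString i}") (lib.range 1 7)) (n: { hostNames = [ n ]; publicKey = system.${n}; }) // { liza = { ... }; ... };`. Pinning every host key from `ssh.nix` is the right call, as it removes trust-on-first-use for the ZeroTier and `.onion` names that the `networking.hosts` block is working around.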


@@ -0,0 +1,113 @@
{ config, pkgs, lib, ... }:
let
cfg = config.pia;
vpnfailsafe = pkgs.stdenv.mkDerivation {
pname = "vpnfailsafe";
version = "0.0.1";
src = ./.;
installPhase = ''
mkdir -p $out
cp vpnfailsafe.sh $out/vpnfailsafe.sh
sed -i 's|getent|${pkgs.getent}/bin/getent|' $out/vpnfailsafe.sh
'';
};
in
{
options.pia = {
enable = lib.mkEnableOption "Enable private internet access";
server = lib.mkOption {
type = lib.types.str;
default = "us-washingtondc.privacy.network";
example = "swiss.privacy.network";
};
};
config = lib.mkIf cfg.enable {
services.openvpn = {
servers = {
pia = {
config = ''
client
dev tun
proto udp
remote ${cfg.server} 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass
compress
verb 1
reneg-sec 0
<crl-verify>
-----BEGIN X509 CRL-----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-----END X509 CRL-----
</crl-verify>
<ca>
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</ca>
disable-occ
auth-user-pass /run/agenix/pia-login.conf
'';
autoStart = true;
up = "${vpnfailsafe}/vpnfailsafe.sh";
down = "${vpnfailsafe}/vpnfailsafe.sh";
};
};
};
age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
};
}
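Review bot: `auth-user-pass` appears twice in the generated config (bare on its own line, then again with `/run/agenix/pia-login.conf` near the end); the later directive is the one that takes effect, so the bare one is dead and should be dropped before a reordering turns it into an interactive prompt on a headless host. The data-channel settings are legacy: `cipher aes-128-cbc` plus `auth sha1` is CBC+HMAC where OpenVPN 2.5+ negotiates an AEAD cipher via `data-ciphers` (e.g. `AES-128-GCM`) when the server allows it, `compress` enables payload compression, which is discouraged on VPNs because ciphertext length then leaks information about the plaintext, and `reneg-sec 0` disables periodic key renegotiation. Worth confirming which of these the PIA endpoint on port 1198 actually requires and documenting that in a comment.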


@@ -0,0 +1,16 @@
{ config, lib, ... }:
with lib;
let
cfg = config.services.tailscale;
in
{
options.services.tailscale.exitNode = mkEnableOption "Enable exit node support";
config.services.tailscale.enable = !config.boot.isContainer;
# exit node
config.networking.firewall.checkReversePath = mkIf cfg.exitNode "loose";
config.networking.ip_forward = mkIf cfg.exitNode true;
}

97
common/network/vpn.nix Normal file

@@ -0,0 +1,97 @@
{ config, pkgs, lib, allModules, ... }:
with lib;
let
cfg = config.vpn-container;
in
{
options.vpn-container = {
enable = mkEnableOption "Enable VPN container";
containerName = mkOption {
type = types.str;
default = "vpn";
description = ''
Name of the VPN container.
'';
};
mounts = mkOption {
type = types.listOf types.str;
default = [ "/var/lib" ];
example = "/home/example";
description = ''
List of mounts on the host to bind to the vpn container.
'';
};
config = mkOption {
type = types.anything;
default = {};
example = ''
{
services.nginx.enable = true;
}
'';
description = ''
NixOS config for the vpn container.
'';
};
};
config = mkIf cfg.enable {
containers.${cfg.containerName} = {
ephemeral = true;
autoStart = true;
bindMounts = mkMerge ([{
"/run/agenix" = {
hostPath = "/run/agenix";
isReadOnly = true;
};
}] ++ (lists.forEach cfg.mounts (mount:
{
"${mount}" = {
hostPath = mount;
isReadOnly = false;
};
}
)));
enableTun = true;
privateNetwork = true;
hostAddress = "172.16.100.1";
localAddress = "172.16.100.2";
config = {
imports = allModules ++ [cfg.config];
nixpkgs.pkgs = pkgs;
networking.firewall.enable = mkForce false;
pia.enable = true;
pia.server = "swiss.privacy.network"; # swiss vpn
# run it's own DNS resolver
networking.useHostResolvConf = false;
services.resolved.enable = true;
};
};
# load secrets the container needs
age.secrets = config.containers.${cfg.containerName}.config.age.secrets;
# forwarding for vpn container
networking.nat.enable = true;
networking.nat.internalInterfaces = [
"ve-${cfg.containerName}"
];
networking.ip_forward = true;
# assumes only one potential interface
networking.usePredictableInterfaceNames = false;
networking.nat.externalInterface = "eth0";
};
}
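Review bot: the container bind-mounts all of `/run/agenix` from the host (read-only), so every host secret is readable inside the container, not just `pia-login.conf`; since the host already mirrors the container's secret declarations (`age.secrets = config.containers.${cfg.containerName}.config.age.secrets;`), consider bind-mounting only those secrets' paths. `networking.firewall.enable = mkForce false` inside the container means the only thing preventing leaks is the iptables chains that `vpnfailsafe.sh` installs as the OpenVPN up script; that is the failsafe design, but it belongs in the option `description` so a future reader does not re-enable the NixOS firewall and get two rule sets fighting. Minor: `mounts` has type `listOf str` but `example = "/home/example"` is a bare string (should be `[ "/home/example" ]`), and "run it's own DNS resolver" should be "its own".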

187
common/network/vpnfailsafe.sh Executable file

@@ -0,0 +1,187 @@
#!/usr/bin/env bash
set -eEo pipefail
# $@ := ""
set_route_vars() {
local network_var
local -a network_vars; read -ra network_vars <<<"${!route_network_*}"
for network_var in "${network_vars[@]}"; do
local -i i="${network_var#route_network_}"
local -a vars=("route_network_$i" "route_netmask_$i" "route_gateway_$i" "route_metric_$i")
route_networks[i]="${!vars[0]}"
route_netmasks[i]="${!vars[1]:-255.255.255.255}"
route_gateways[i]="${!vars[2]:-$route_vpn_gateway}"
route_metrics[i]="${!vars[3]:-0}"
done
}
# Configuration.
readonly prog="$(basename "$0")"
readonly private_nets="127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
declare -a remotes cnf_remote_domains cnf_remote_ips route_networks route_netmasks route_gateways route_metrics
read -ra remotes <<<"$(env|grep -oP '^remote_[0-9]+=.*'|sort -n|cut -d= -f2|tr '\n' '\t')"
read -ra cnf_remote_domains <<<"$(printf '%s\n' "${remotes[@]%%*[0-9]}"|sort -u|tr '\n' '\t')"
read -ra cnf_remote_ips <<<"$(printf '%s\n' "${remotes[@]##*[!0-9.]*}"|sort -u|tr '\n' '\t')"
set_route_vars
read -ra numbered_vars <<<"${!foreign_option_*} ${!proto_*} ${!remote_*} ${!remote_port_*} \
${!route_network_*} ${!route_netmask_*} ${!route_gateway_*} ${!route_metric_*}"
readonly numbered_vars "${numbered_vars[@]}" dev ifconfig_local ifconfig_netmask ifconfig_remote \
route_net_gateway route_vpn_gateway script_type trusted_ip trusted_port untrusted_ip untrusted_port \
remotes cnf_remote_domains cnf_remote_ips route_networks route_netmasks route_gateways route_metrics
readonly cur_remote_ip="${trusted_ip:-$untrusted_ip}"
readonly cur_port="${trusted_port:-$untrusted_port}"
# $@ := ""
update_hosts() {
if remote_entries="$(getent -s dns hosts "${cnf_remote_domains[@]}"|grep -v :)"; then
local -r beg="# VPNFAILSAFE BEGIN" end="# VPNFAILSAFE END"
{
sed -e "/^$beg/,/^$end/d" /etc/hosts
echo -e "$beg\\n$remote_entries\\n$end"
} >/etc/hosts.vpnfailsafe
chmod --reference=/etc/hosts /etc/hosts.vpnfailsafe
mv /etc/hosts.vpnfailsafe /etc/hosts
fi
}
# $@ := "up" | "down"
update_routes() {
local -a resolved_ips
read -ra resolved_ips <<<"$(getent -s files hosts "${cnf_remote_domains[@]:-ENOENT}"|cut -d' ' -f1|tr '\n' '\t' || true)"
local -ar remote_ips=("$cur_remote_ip" "${resolved_ips[@]}" "${cnf_remote_ips[@]}")
if [[ "$*" == up ]]; then
for remote_ip in "${remote_ips[@]}"; do
if [[ -n "$remote_ip" && -z "$(ip route show "$remote_ip")" ]]; then
ip route add "$remote_ip" via "$route_net_gateway"
fi
done
for net in 0.0.0.0/1 128.0.0.0/1; do
if [[ -z "$(ip route show "$net")" ]]; then
ip route add "$net" via "$route_vpn_gateway"
fi
done
for i in $(seq 1 "${#route_networks[@]}"); do
if [[ -z "$(ip route show "${route_networks[i]}/${route_netmasks[i]}")" ]]; then
ip route add "${route_networks[i]}/${route_netmasks[i]}" \
via "${route_gateways[i]}" metric "${route_metrics[i]}" dev "$dev"
fi
done
elif [[ "$*" == down ]]; then
for route in "${remote_ips[@]}" 0.0.0.0/1 128.0.0.0/1; do
if [[ -n "$route" && -n "$(ip route show "$route")" ]]; then
ip route del "$route"
fi
done
for i in $(seq 1 "${#route_networks[@]}"); do
if [[ -n "$(ip route show "${route_networks[i]}/${route_netmasks[i]}")" ]]; then
ip route del "${route_networks[i]}/${route_netmasks[i]}"
fi
done
fi
}
# $@ := ""
update_firewall() {
# $@ := "INPUT" | "OUTPUT" | "FORWARD"
insert_chain() {
if iptables -C "$*" -j "VPNFAILSAFE_$*" 2>/dev/null; then
iptables -D "$*" -j "VPNFAILSAFE_$*"
for opt in F X; do
iptables -"$opt" "VPNFAILSAFE_$*"
done
fi
iptables -N "VPNFAILSAFE_$*"
iptables -I "$*" -j "VPNFAILSAFE_$*"
}
# $@ := "INPUT" | "OUTPUT"
accept_remotes() {
case "$@" in
INPUT) local -r icmp_type=reply io=i sd=s states="";;
OUTPUT) local -r icmp_type=request io=o sd=d states=NEW,;;
esac
local -r public_nic="$(ip route show "$cur_remote_ip"|cut -d' ' -f5)"
local -ar suf=(-m conntrack --ctstate "$states"RELATED,ESTABLISHED -"$io" "${public_nic:?}" -j ACCEPT)
icmp_rule() {
iptables "$1" "$2" -p icmp --icmp-type "echo-$icmp_type" -"$sd" "$3" "${suf[@]/%ACCEPT/RETURN}"
}
for ((i=1; i <= ${#remotes[*]}; ++i)); do
local port="remote_port_$i"
local proto="proto_$i"
iptables -A "VPNFAILSAFE_$*" -p "${!proto%-client}" -"$sd" "${remotes[i-1]}" --"$sd"port "${!port}" "${suf[@]}"
if ! icmp_rule -C "VPNFAILSAFE_$*" "${remotes[i-1]}" 2>/dev/null; then
icmp_rule -A "VPNFAILSAFE_$*" "${remotes[i-1]}"
fi
done
if ! iptables -S|grep -q "^-A VPNFAILSAFE_$* .*-$sd $cur_remote_ip/32 .*-j ACCEPT$"; then
for p in tcp udp; do
iptables -A "VPNFAILSAFE_$*" -p "$p" -"$sd" "$cur_remote_ip" --"$sd"port "${cur_port}" "${suf[@]}"
done
icmp_rule -A "VPNFAILSAFE_$*" "$cur_remote_ip"
fi
}
# $@ := "OUTPUT" | "FORWARD"
reject_dns() {
for proto in udp tcp; do
iptables -A "VPNFAILSAFE_$*" -p "$proto" --dport 53 ! -o "$dev" -j REJECT
done
}
# $@ := "INPUT" | "OUTPUT" | "FORWARD"
pass_private_nets() {
case "$@" in
INPUT) local -r io=i sd=s;;&
OUTPUT|FORWARD) local -r io=o sd=d;;&
INPUT) local -r vpn="${ifconfig_remote:-$ifconfig_local}/${ifconfig_netmask:-32}"
iptables -A "VPNFAILSAFE_$*" -"$sd" "$vpn" -"$io" "$dev" -j RETURN
for i in $(seq 1 "${#route_networks[@]}"); do
iptables -A "VPNFAILSAFE_$*" -"$sd" "${route_networks[i]}/${route_netmasks[i]}" -"$io" "$dev" -j RETURN
done;;&
*) iptables -A "VPNFAILSAFE_$*" -"$sd" "$private_nets" ! -"$io" "$dev" -j RETURN;;&
INPUT) iptables -A "VPNFAILSAFE_$*" -s "$private_nets" -i "$dev" -j DROP;;&
*) for iface in "$dev" lo+; do
iptables -A "VPNFAILSAFE_$*" -"$io" "$iface" -j RETURN
done;;
esac
}
# $@ := "INPUT" | "OUTPUT" | "FORWARD"
drop_other() {
iptables -A "VPNFAILSAFE_$*" -j DROP
}
for chain in INPUT OUTPUT FORWARD; do
insert_chain "$chain"
[[ $chain == FORWARD ]] || accept_remotes "$chain"
[[ $chain == INPUT ]] || reject_dns "$chain"
pass_private_nets "$chain"
drop_other "$chain"
done
}
# $@ := ""
cleanup() {
update_resolv down
update_routes down
}
trap cleanup INT TERM
# $@ := line_number exit_code
err_msg() {
echo "$0:$1: \`$(sed -n "$1,+0{s/^\\s*//;p}" "$0")' returned $2" >&2
cleanup
}
trap 'err_msg "$LINENO" "$?"' ERR
# $@ := ""
main() {
case "${script_type:-down}" in
up) for f in hosts routes firewall; do "update_$f" up; done;;
down) update_routes down
update_resolv down;;
esac
}
main
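Review bot: `update_resolv` is called in `cleanup` and in the `down` branch of `main`, but this copy of the script defines only `update_hosts`, `update_routes` and `update_firewall`; with `set -e` and the `ERR` trap, a `down` run removes the routes and then errors out on the undefined call, and in `cleanup` (the INT/TERM and error path) the undefined call comes first, so `update_routes down` is never reached there. Either drop both `update_resolv` calls (the `/etc/hosts` block written by `update_hosts` is harmless to leave behind) or rename them to the function that is meant to undo it. The `VPNFAILSAFE_*` chains are deliberately never removed on `down`, which is what makes this a failsafe; a one-line comment saying so would stop someone "fixing" it.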


@@ -60,6 +60,9 @@ in {
"oboonakemofpalcgghocfoadofidjkkk" # keepassxc plugin "oboonakemofpalcgghocfoadofidjkkk" # keepassxc plugin
"cimiefiiaegbelhefglklhhakcgmhkai" # plasma integration "cimiefiiaegbelhefglklhhakcgmhkai" # plasma integration
"hkgfoiooedgoejojocmhlaklaeopbecg" # picture in picture "hkgfoiooedgoejojocmhlaklaeopbecg" # picture in picture
"mnjggcdmjocbbbhaepdhchncahnbgone" # SponsorBlock
"dhdgffkkebhmkfjojejmpbldmpobfkfo" # Tampermonkey
# "ehpdicggenhgapiikfpnmppdonadlnmp" # Disable Scroll Jacking
]; ];
extraOpts = { extraOpts = {
"BrowserSignin" = 0; "BrowserSignin" = 0;
@@ -76,10 +79,11 @@ in {
nixpkgs.config.packageOverrides = pkgs: { nixpkgs.config.packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; }; vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
chromium = pkgs.chromium.override { chromium = pkgs.chromium.override {
gnomeKeyringSupport = true;
enableWideVine = true; enableWideVine = true;
# ungoogled = true; # ungoogled = true;
commandLineArgs = "--use-vulkan --use-gl=desktop --enable-zero-copy --enable-hardware-overlays --enable-features=VaapiVideoDecoder,CanvasOopRasterization --ignore-gpu-blocklist --enable-accelerated-mjpeg-decode --enable-accelerated-video --enable-native-gpu-memory-buffers --enable-gpu-rasterization"; # --enable-native-gpu-memory-buffers # fails on AMD APU
# --enable-webrtc-vp9-support
commandLineArgs = "--use-vulkan --use-gl=desktop --enable-zero-copy --enable-hardware-overlays --enable-features=VaapiVideoDecoder,CanvasOopRasterization --ignore-gpu-blocklist --enable-accelerated-mjpeg-decode --enable-accelerated-video --enable-gpu-rasterization";
}; };
}; };
# todo vulkan in chrome # todo vulkan in chrome


@@ -17,6 +17,7 @@ in {
./discord.nix ./discord.nix
./steam.nix ./steam.nix
./touchpad.nix ./touchpad.nix
./mount-samba.nix
]; ];
options.de = { options.de = {
@@ -41,9 +42,14 @@ in {
nextcloud-client nextcloud-client
signal-desktop signal-desktop
minecraft minecraft
sauerbraten
gnome.file-roller
gparted gparted
libreoffice-fresh
thunderbird
spotifyd
spotify-qt
arduino
yt-dlp
jellyfin-media-player
]; ];
# Networking # Networking
@@ -52,6 +58,14 @@ in {
# Printing # Printing
services.printing.enable = true; services.printing.enable = true;
services.printing.drivers = with pkgs; [
gutenprint
];
# Printer discovery
services.avahi.enable = true;
services.avahi.nssmdns = true;
programs.file-roller.enable = true;
# Security # Security
services.gnome.gnome-keyring.enable = true; services.gnome.gnome-keyring.enable = true;
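Review bot: enabling `services.avahi.enable` on every desktop also opens mDNS (UDP 5353) in the firewall, because `services.avahi.openFirewall` defaults to true; if printer discovery is only wanted on trusted LANs, set `services.avahi.openFirewall = false` or limit it with `services.avahi.allowInterfaces`, so that laptops on untrusted networks do not answer mDNS queries. `nssmdns = true` is fine and is needed for the `.local` printer names to resolve.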


@@ -14,7 +14,10 @@ in {
# kde apps # kde apps
nixpkgs.config.firefox.enablePlasmaBrowserIntegration = true; nixpkgs.config.firefox.enablePlasmaBrowserIntegration = true;
users.users.googlebot.packages = with pkgs; [ users.users.googlebot.packages = with pkgs; [
akonadi kmail plasma5Packages.kmail-account-wizard # akonadi
# kmail
# plasma5Packages.kmail-account-wizard
kate
]; ];
}; };
} }

36
common/pc/mount-samba.nix Normal file

@@ -0,0 +1,36 @@
# mounts the samba share on s0 over zeroteir
{ config, lib, ... }:
let
cfg = config.services.mount-samba;
# prevents hanging on network split
network_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s,nostrictsync,cache=loose,handlecache,handletimeout=30000,rwpidforward,mapposix,soft,resilienthandles,echo_interval=10,noblocksend";
user_opts = "uid=${toString config.users.users.googlebot.uid},file_mode=0660,dir_mode=0770,user";
auth_opts = "credentials=/run/agenix/smb-secrets";
version_opts = "vers=2.1";
opts = "${network_opts},${user_opts},${version_opts},${auth_opts}";
in {
options.services.mount-samba = {
enable = lib.mkEnableOption "enable mounting samba shares";
};
config = lib.mkIf (cfg.enable && config.services.zerotierone.enable) {
fileSystems."/mnt/public" = {
device = "//s0.zt.neet.dev/public";
fsType = "cifs";
options = [ opts ];
};
fileSystems."/mnt/private" = {
device = "//s0.zt.neet.dev/googlebot";
fsType = "cifs";
options = [ opts ];
};
age.secrets.smb-secrets.file = ../../secrets/smb-secrets.age;
};
}
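Review bot: `lib.mkIf (cfg.enable && config.services.zerotierone.enable)` silently produces no mounts when ZeroTier is disabled even though `services.mount-samba.enable = true` was set; gate on `cfg.enable` alone and add an `assertions` entry requiring `config.services.zerotierone.enable`, so the misconfiguration is reported at evaluation time. Two points on the mount options: `vers=2.1` rules out SMB3 transport encryption (the `seal` option), so confidentiality of the share rests entirely on the ZeroTier tunnel, which the header comment should say explicitly; and `cache=loose` together with `nostrictsync` trades cache coherence for speed, so several clients writing to `/mnt/public` can observe stale data. Minor: "zeroteir" in the header comment should be "zerotier".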

76
common/pc/pia/default.nix Normal file
View File

@@ -0,0 +1,76 @@
{ lib, config, pkgs, ... }:
with lib;
let
cfg = config.services.pia;
in {
imports = [
./pia.nix
];
options.services.pia = {
enable = lib.mkEnableOption "Enable PIA Client";
dataDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/pia";
description = ''
Path to the pia data directory
'';
};
user = lib.mkOption {
type = lib.types.str;
default = "root";
description = ''
The user pia should run as
'';
};
group = lib.mkOption {
type = lib.types.str;
default = "piagrp";
description = ''
The group pia should run as
'';
};
users = mkOption {
type = with types; listOf str;
default = [];
description = ''
Usernames to be added to the "spotifyd" group, so that they
can start and interact with the userspace daemon.
'';
};
};
config = mkIf cfg.enable {
# users.users.${cfg.user} =
# if cfg.user == "pia" then {
# isSystemUser = true;
# group = cfg.group;
# home = cfg.dataDir;
# createHome = true;
# }
# else {};
users.groups.${cfg.group}.members = cfg.users;
systemd.services.pia-daemon = {
enable = true;
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.ExecStart = "${pkgs.pia-daemon}/bin/pia-daemon";
serviceConfig.PrivateTmp="yes";
serviceConfig.User = cfg.user;
serviceConfig.Group = cfg.group;
preStart = ''
mkdir -p ${cfg.dataDir}
chown ${cfg.user}:${cfg.group} ${cfg.dataDir}
'';
};
};
}
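Review bot: the `users` option description is copied from the spotifyd module (it names the `"spotifyd"` group and a userspace daemon); it should refer to `cfg.group`, and `pia-daemon` here is a system service. The default `user = "root"` runs the daemon with full privileges, while the commented-out `users.users.${cfg.user}` block tests `cfg.user == "pia"`, which can never match that default; either default to a dedicated `pia` system user and re-enable the block, or drop the block. Minor: the file opens with `with lib;` but still writes `lib.mkEnableOption`/`lib.mkOption`, and `serviceConfig.PrivateTmp="yes"` is missing spaces around `=`.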

147
common/pc/pia/fix-pia.patch Normal file
View File

@@ -0,0 +1,147 @@
diff --git a/Rakefile b/Rakefile
index fa6d771..bcd6fb1 100644
--- a/Rakefile
+++ b/Rakefile
@@ -151,41 +151,6 @@ end
# Install LICENSE.txt
stage.install('LICENSE.txt', :res)
-# Download server lists to ship preloaded copies with the app. These tasks
-# depend on version.txt so they're refreshed periodically (whenver a new commit
-# is made), but not for every build.
-#
-# SERVER_DATA_DIR can be set to use existing files instead of downloading them;
-# this is primarily intended for reproducing a build.
-#
-# Create a probe for SERVER_DATA_DIR so these are updated if it changes.
-serverDataProbe = Probe.new('serverdata')
-serverDataProbe.file('serverdata.txt', "#{ENV['SERVER_DATA_DIR']}")
-# JSON resource build directory
-jsonFetched = Build.new('json-fetched')
-# These are the assets we need to fetch and the URIs we get them from
-{
- 'modern_shadowsocks.json': 'https://serverlist.piaservers.net/shadow_socks',
- 'modern_servers.json': 'https://serverlist.piaservers.net/vpninfo/servers/v6',
- 'modern_region_meta.json': 'https://serverlist.piaservers.net/vpninfo/regions/v2'
-}.each do |k, v|
- fetchedFile = jsonFetched.artifact(k.to_s)
- serverDataDir = ENV['SERVER_DATA_DIR']
- file fetchedFile => [version.artifact('version.txt'),
- serverDataProbe.artifact('serverdata.txt'),
- jsonFetched.componentDir] do |t|
- if(serverDataDir)
- # Use the copy provided instead of fetching (for reproducing a build)
- File.copy(File.join(serverDataDir, k), fetchedFile)
- else
- # Fetch from the web API (write with "binary" mode so LF is not
- # converted to CRLF on Windows)
- File.binwrite(t.name, Net::HTTP.get(URI(v)))
- end
- end
- stage.install(fetchedFile, :res)
-end
-
# Install version/brand/arch info in case an upgrade needs to know what is
# currently installed
stage.install(version.artifact('version.txt'), :res)
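Review bot: deleting the whole server-list task means the built client ships with no preloaded `modern_*.json` assets, not just no network access at build time; the removed code already had a `SERVER_DATA_DIR` branch that copies existing files instead of fetching, so keeping the task and pointing `SERVER_DATA_DIR` at files obtained as fixed-output derivations would preserve the assets while staying reproducible in the sandbox.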
diff --git a/common/src/posix/unixsignalhandler.cpp b/common/src/posix/unixsignalhandler.cpp
index f820a6d..e1b6c33 100644
--- a/common/src/posix/unixsignalhandler.cpp
+++ b/common/src/posix/unixsignalhandler.cpp
@@ -132,7 +132,7 @@ void UnixSignalHandler::_signalHandler(int, siginfo_t *info, void *)
// we checked it, we can't even log because the logger is not reentrant.
auto pThis = instance();
if(pThis)
- ::write(pThis->_sigFd[0], info, sizeof(siginfo_t));
+ auto _ = ::write(pThis->_sigFd[0], info, sizeof(siginfo_t));
}
template<int Signal>
void UnixSignalHandler::setAbortAction()
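Review bot: `if(pThis) auto _ = ::write(...);` uses a declaration as the body of an unbraced `if`, which compiles in C++ but is easy to misread and may simply move the warning from `-Wunused-result` to `-Wunused-variable`; the usual idiom for intentionally ignoring a `warn_unused_result` call is `(void)!::write(...)` or `std::ignore = ::write(...)`, and since this runs inside a signal handler it should stay that minimal.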
diff --git a/daemon/src/linux/linux_nl.cpp b/daemon/src/linux/linux_nl.cpp
index fd3aced..2367a5e 100644
--- a/daemon/src/linux/linux_nl.cpp
+++ b/daemon/src/linux/linux_nl.cpp
@@ -642,6 +642,6 @@ LinuxNl::~LinuxNl()
unsigned char term = 0;
PosixFd killSocket = _workerKillSocket.get();
if(killSocket)
- ::write(killSocket.get(), &term, sizeof(term));
+ auto _ = ::write(killSocket.get(), &term, sizeof(term));
_workerThread.join();
}
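Review bot: same pattern as in unixsignalhandler.cpp; `auto _ = ::write(...)` as the body of an unbraced `if(killSocket)` is legal C++ but `(void)!::write(killSocket.get(), &term, sizeof(term));` states the intent without introducing a named unused variable.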
diff --git a/extras/support-tool/launcher/linux-launcher.cpp b/extras/support-tool/launcher/linux-launcher.cpp
index 3f63ac2..420d54d 100644
--- a/extras/support-tool/launcher/linux-launcher.cpp
+++ b/extras/support-tool/launcher/linux-launcher.cpp
@@ -48,7 +48,7 @@ int fork_execv(gid_t gid, char *filename, char *const argv[])
if(forkResult == 0)
{
// Apply gid as both real and effective
- setregid(gid, gid);
+ auto _ = setregid(gid, gid);
int execErr = execv(filename, argv);
std::cerr << "exec err: " << execErr << " / " << errno << " - "
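Review bot: silencing the `setregid` warning with `auto _ =` defeats its purpose: if `setregid(gid, gid)` fails, the child proceeds to `execv` with the parent's group id instead of the intended one. Check the result and bail out before exec, e.g. `if(setregid(gid, gid) != 0) { std::cerr << "setregid failed: " << errno << std::endl; _exit(1); }`, so a failed privilege change never results in the launched program running with the wrong gid.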
diff --git a/rake/model/qt.rb b/rake/model/qt.rb
index c8cd362..a6abe59 100644
--- a/rake/model/qt.rb
+++ b/rake/model/qt.rb
@@ -171,12 +171,7 @@ class Qt
end
def getQtRoot(qtVersion, arch)
- qtToolchainPtns = getQtToolchainPatterns(arch)
- qtRoots = FileList[*Util.joinPaths([[qtVersion], qtToolchainPtns])]
- # Explicitly filter for existing paths - if the pattern has wildcards
- # we only get existing directories, but if the patterns are just
- # alternates with no wildcards, we can get directories that don't exist
- qtRoots.find_all { |r| File.exist?(r) }.max
+ ENV['QTROOT']
end
def getQtVersionScore(minor, patch)
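Review bot: `getQtRoot` now ignores both its `qtVersion` and `arch` parameters and returns `ENV['QTROOT']`, which is `nil` when the variable is unset, so callers fail later with an unhelpful path error; raise a clear message (`ENV.fetch('QTROOT') { raise "QTROOT must be set" }`) and note in a comment that this build expects the Qt root to be supplied by the packaging environment.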
@@ -192,12 +187,7 @@ class Qt
end
def getQtPathVersion(path)
- verMatch = path.match('^.*/Qt[^/]*/5\.(\d+)\.?(\d*)$')
- if(verMatch == nil)
- nil
- else
- [verMatch[1].to_i, verMatch[2].to_i]
- end
+ [ENV['QT_MAJOR'].to_i, ENV['QT_MINOR'].to_i]
end
# Build a component definition with the defaults. The "Core" component will
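Review bot: the replaced body returned `[minor, patch]` of a Qt 5.x.y path, so the environment variables `QT_MAJOR` and `QT_MINOR` actually carry Qt's minor and patch numbers; the names are misleading and should be `QT_MINOR`/`QT_PATCH`. `ENV[...].to_i` also turns an unset variable into `0` silently, so use `Integer(ENV.fetch(...))` to fail loudly when the variables are missing.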
diff --git a/rake/product/linux.rb b/rake/product/linux.rb
index f43fb3e..83505af 100644
--- a/rake/product/linux.rb
+++ b/rake/product/linux.rb
@@ -18,8 +18,7 @@ module PiaLinux
QT_BINARIES = %w(pia-client pia-daemon piactl pia-support-tool)
# Version of libicu (needed to determine lib*.so.## file names in deployment)
- ICU_VERSION = FileList[File.join(Executable::Qt.targetQtRoot, 'lib', 'libicudata.so.*')]
- .first.match(/libicudata\.so\.(\d+)(\..*|)/)[1]
+ ICU_VERSION = ENV['ICU_MAJOR'].to_i;
# Copy a directory recursively, excluding *.debug files (debugging symbols)
def self.copyWithoutDebug(sourceDir, destDir)
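Review bot: `ICU_VERSION = ENV['ICU_MAJOR'].to_i;` has a stray trailing semicolon, changes the constant from a String (the regex capture) to an Integer, and maps an unset `ICU_MAJOR` to `0`, which would yield nonsensical `libicudata.so.0` file names later in deployment; use `Integer(ENV.fetch('ICU_MAJOR'))` so a missing value is reported at once.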
@@ -220,16 +219,5 @@ module PiaLinux
# Since these are just development workflow tools, they can be skipped if
# specific dependencies are not available.
def self.defineTools(toolsStage)
- # Test if we have libthai-dev, for the Thai word breaking utility
- if(Executable::Tc.sysHeaderAvailable?('thai/thwbrk.h'))
- Executable.new('thaibreak')
- .source('tools/thaibreak')
- .lib('thai')
- .install(toolsStage, :bin)
- toolsStage.install('tools/thaibreak/thai_ts.sh', :bin)
- toolsStage.install('tools/onesky_import/import_translations.sh', :bin)
- else
- puts "skipping thaibreak utility, install libthai-dev to build thaibreak"
- end
end
end

139
common/pc/pia/pia.nix Normal file
View File

@@ -0,0 +1,139 @@
{ pkgs, lib, config, ... }:
{
nixpkgs.overlays = [
(self: super:
with self;
let
# arch = builtins.elemAt (lib.strings.splitString "-" builtins.currentSystem) 0;
arch = "x86_64";
pia-desktop = clangStdenv.mkDerivation rec {
pname = "pia-desktop";
version = "3.3.0";
src = fetchgit {
url = "https://github.com/pia-foss/desktop";
rev = version;
fetchLFS = true;
sha256 = "D9txL5MUWyRYTnsnhlQdYT4dGVpj8PFsVa5hkrb36cw=";
};
patches = [
./fix-pia.patch
];
nativeBuildInputs = [
cmake
rake
];
prePatch = ''
sed -i 's|/usr/include/libnl3|${libnl.dev}/include/libnl3|' Rakefile
'';
installPhase = ''
mkdir -p $out/bin $out/lib $out/share
cp -r ../out/pia_release_${arch}/stage/bin $out
cp -r ../out/pia_release_${arch}/stage/lib $out
cp -r ../out/pia_release_${arch}/stage/share $out
'';
cmakeFlags = [
"-DCMAKE_BUILD_TYPE=Release"
];
QTROOT = "${qt5.full}";
QT_MAJOR = lib.versions.minor (lib.strings.parseDrvName qt5.full.name).version;
QT_MINOR = lib.versions.patch (lib.strings.parseDrvName qt5.full.name).version;
ICU_MAJOR = lib.versions.major (lib.strings.parseDrvName icu.name).version;
buildInputs = [
mesa
libsForQt5.qt5.qtquickcontrols
libsForQt5.qt5.qtquickcontrols2
icu
libnl
];
dontWrapQtApps = true;
};
in rec {
openvpn-updown = buildFHSUserEnv {
name = "openvpn-updown";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "openvpn-updown.sh";
};
pia-client = buildFHSUserEnv {
name = "pia-client";
targetPkgs = pkgs: (with pkgs; [
pia-desktop
xorg.libXau
xorg.libXdmcp
]);
runScript = "pia-client";
};
piactl = buildFHSUserEnv {
name = "piactl";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "piactl";
};
pia-daemon = buildFHSUserEnv {
name = "pia-daemon";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "pia-daemon";
};
pia-hnsd = buildFHSUserEnv {
name = "pia-hnsd";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "pia-hnsd";
};
pia-openvpn = buildFHSUserEnv {
name = "pia-openvpn";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "pia-openvpn";
};
pia-ss-local = buildFHSUserEnv {
name = "pia-ss-local";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "pia-ss-local";
};
pia-support-tool = buildFHSUserEnv {
name = "pia-support-tool";
targetPkgs = pkgs: (with pkgs; [
pia-desktop
xorg.libXau
xorg.libXdmcp
]);
runScript = "pia-support-tool";
};
pia-unbound = buildFHSUserEnv {
name = "pia-unbound";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "pia-unbound";
};
pia-wireguard-go = buildFHSUserEnv {
name = "pia-wireguard-go";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "pia-wireguard-go";
};
support-tool-launcher = buildFHSUserEnv {
name = "support-tool-launcher";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "support-tool-launcher";
};
})
];
}
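Review bot: `QT_MAJOR` and `QT_MINOR` are set from `lib.versions.minor` and `lib.versions.patch`, i.e. they hold Qt's minor and patch numbers (which is what the patched `getQtPathVersion` in fix-pia.patch expects), so the variable names are misleading; `QT_MINOR`/`QT_PATCH` would match their contents. `(lib.strings.parseDrvName qt5.full.name).version` can be replaced by `qt5.full.version` (likewise `icu.version`). `arch = "x86_64"` is hard-coded with the `builtins.currentSystem` line commented out; `stdenv.hostPlatform.parsed.cpu.name` gives the same string without the impurity. Finally, since `pkgs.pia-daemon` is one of these `buildFHSUserEnv` wrappers and is started as a system service from default.nix, document that the daemon runs inside the FHS env's mount namespace so that behaviour is not a surprise when debugging it.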

View File

@@ -53,6 +53,7 @@ in
age.secrets.spotifyd = { age.secrets.spotifyd = {
file = ../../secrets/spotifyd.age; file = ../../secrets/spotifyd.age;
group = "spotifyd"; group = "spotifyd";
mode = "0440"; # group can read
}; };
# spotifyd to read secrets and run as user service # spotifyd to read secrets and run as user service
@@ -70,8 +71,9 @@ in
}; };
systemd.user.services.spotifyd-daemon = { systemd.user.services.spotifyd-daemon = {
wantedBy = [ "multi-user.target" ]; enable = true;
after = [ "network-online.target" "sound.target" ]; wantedBy = [ "graphical-session.target" ];
partOf = [ "graphical-session.target" ];
description = "spotifyd, a Spotify playing daemon"; description = "spotifyd, a Spotify playing daemon";
environment.SHELL = "/bin/sh"; environment.SHELL = "/bin/sh";
serviceConfig = { serviceConfig = {
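Review bot: dropping `after = [ "network-online.target" "sound.target" ]` is correct for a user unit, since those are system-manager targets and ordering against them has no effect in the user manager; the new unit should still add `after = [ "graphical-session.target" ]` next to `partOf` and `wantedBy`, otherwise `partOf` only ties stop/restart to the session and the daemon can be started before the session's audio stack is up.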

View File

@@ -1,98 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.pia;
in
{
options.pia = {
enable = lib.mkEnableOption "Enable private internet access";
};
config = lib.mkIf cfg.enable {
services.openvpn = {
servers = {
us-east = {
config = ''
client
dev tun
proto udp
remote us-washingtondc.privacy.network 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass
compress
verb 1
reneg-sec 0
<crl-verify>
-----BEGIN X509 CRL-----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-----END X509 CRL-----
</crl-verify>
<ca>
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</ca>
disable-occ
auth-user-pass /run/secrets/pia-login.conf
'';
autoStart = true;
# up = "echo nameserver $nameserver | ${pkgs.openresolv}/sbin/resolvconf -m 0 -a $dev";
# down = "${pkgs.openresolv}/sbin/resolvconf -d $dev";
};
};
};
age.secrets."pia-login.conf".file = ../secrets/pia-login.conf;
};
}

View File

@@ -1,17 +0,0 @@
# This file has been generated by node2nix 1.9.0. Do not edit!
{pkgs ? import <nixpkgs> {
inherit system;
}, system ? builtins.currentSystem, nodejs ? pkgs."nodejs-12_x"}:
let
nodeEnv = import ./node-env.nix {
inherit (pkgs) stdenv lib python2 runCommand writeTextFile writeShellScript;
inherit pkgs nodejs;
libtool = if pkgs.stdenv.isDarwin then pkgs.darwin.cctools else null;
};
in
import ./node-packages.nix {
inherit (pkgs) fetchurl nix-gitignore stdenv lib fetchgit;
inherit nodeEnv;
}

View File

@@ -1,456 +0,0 @@
{ pkgs, lib, config, ... }:
# TODO pocket integration (POCKET_CONSUMER_KEY, POCKET_ACCESS_TOKENS)
# TODO fix http timeout?
let
cfg = config.services.archivebox;
archiveboxPkgs = import ./composition.nix { inherit pkgs; };
mercury-parser = archiveboxPkgs."@postlight/mercury-parser";
readability-extractor = archiveboxPkgs."readability-extractor-git+https://github.com/ArchiveBox/readability-extractor.git";
single-file = archiveboxPkgs."single-file-git+https://github.com/gildas-lormeau/SingleFile.git";
in {
options.services.archivebox = {
enable = lib.mkEnableOption "Enable ArchiveBox";
dataDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/archivebox";
description = ''
Path to the archivebox data directory
'';
};
listenAddress = lib.mkOption {
type = lib.types.str;
default = "localhost";
example = "127.0.0.1";
description = ''
The address archivebox should listen to
'';
};
listenPort = lib.mkOption {
type = lib.types.int;
default = 37226;
example = 1357;
description = ''
The port archivebox should listen on
'';
};
hostname = lib.mkOption {
type = lib.types.str;
example = "example.com";
};
enableACME = lib.mkEnableOption "Enable ACME + SSL";
user = lib.mkOption {
type = lib.types.str;
default = "archivebox";
description = ''
The user archivebox should run as
'';
};
group = lib.mkOption {
type = lib.types.str;
default = "archivebox";
description = ''
The group archivebox should run as
'';
};
timeout = lib.mkOption {
type = lib.types.int;
default = 60;
example = 120;
description = ''
Maximum allowed download time per archive method for each link in seconds
'';
};
snapshotsPerPage = lib.mkOption {
type = lib.types.int;
default = 40;
example = 100;
description = ''
Maximum number of Snapshots to show per page on Snapshot list pages
'';
};
footerInfo = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
example = "Content is hosted for personal archiving purposes only. Contact server owner for any takedown requests.";
description = ''
Some text to display in the footer of the archive index.
Useful for providing server admin contact info to respond to takedown requests.
'';
};
urlBlacklist = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
example = "\\.(css|js|otf|ttf|woff|woff2|gstatic\\.com|googleapis\\.com/css)(\\?.*)?$";
description = ''
A regex expression used to exclude certain URLs from archiving.
'';
};
urlWhitelist = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
example = "^http(s)?:\\/\\/(.+)?example\\.com\\/?.*$";
description = ''
A regex expression used to exclude all URLs that don't match the given pattern from archiving
'';
};
saveTitle = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Save the title of the webpage
'';
};
saveFavicon = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Save the favicon of the webpage
'';
};
saveWget = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Save the webpage with wget
'';
};
saveWgetRequisites = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Fetch images/css/js with wget. (True is highly recommended, otherwise your won't download many critical assets to render the page, like images, js, css, etc.)
'';
};
wgetUserAgent = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = ''
This is the user agent to use during wget archiving.
'';
};
wgetCookiesFile = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = ''
Cookies file to pass to wget. To capture sites that require a user to be logged in,
you can specify a path to a netscape-format cookies.txt file for wget to use.
'';
};
saveWARC = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Save a timestamped WARC archive of all the page requests and responses during the wget archive process.
'';
};
savePDF = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Print page as PDF. (Uses chromium)
'';
};
saveScreenshot = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Fetch a screenshot of the page. (Uses chromium)
'';
};
screenshotResolution = lib.mkOption {
type = lib.types.str;
default = "1440,2000";
example = "1024,768";
description = ''
Screenshot resolution in pixels width,height.
'';
};
saveDOM = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Fetch a DOM dump of the page. (Uses chromium)
'';
};
saveHeaders = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Save the webpage's response headers
'';
};
saveSingleFile = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Fetch an HTML file with all assets embedded using Single File. (Uses chromium) https://github.com/gildas-lormeau/SingleFile
'';
};
saveReadability = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Extract article text, summary, and byline using Mozilla's Readability library. https://github.com/mozilla/readability
Unlike the other methods, this does not download any additional files, so it's practically free from a disk usage perspective.
'';
};
saveMercury = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Extract article text, summary, and byline using the Mercury library. https://github.com/postlight/mercury-parser
Unlike the other methods, this does not download any additional files, so it's practically free from a disk usage perspective.
'';
};
saveGit = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Fetch any git repositories on the page.
'';
};
gitDomains = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
example = "git.example.com";
description = ''
Domains to attempt download of git repositories on using `git clone`
'';
};
saveMedia = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Fetch all audio, video, annotations, and media metadata on the page using `yt-dlp`.
Warning, this can use up a lot of storage very quickly.
'';
};
mediaTimeout = lib.mkOption {
type = lib.types.int;
default = 3600;
example = 120;
description = ''
Maximum allowed download time for fetching media
'';
};
mediaMaxSize = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
example = "750m";
description = ''
Maxium size of media to download
'';
};
saveArchiveDotOrg = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Submit the page's URL to be archived on Archive.org. (The Internet Archive)
'';
};
checkSSLCert = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Whether to enforce HTTPS certificate and HSTS chain of trust when archiving sites.
Set this to False if you want to archive pages even if they have expired or invalid certificates.
Be aware that when False you cannot guarantee that you have not been man-in-the-middle'd while archiving content.
'';
};
curlUserAgent = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = ''
This is the user agent to use during curl archiving.
'';
};
chromiumUserAgent = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = ''
This is the user agent to use during Chromium headless archiving.
'';
};
chromiumUserDataDir = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = ''
Path to a Chrome user profile directory.
'';
};
publicCreateSnapshots = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Anon users can add URLs to be archived
'';
};
publicViewSnapshots = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Anon users can view archived pages
'';
};
publicViewIndex = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Anon users can view the archive index
'';
};
};
config = lib.mkIf cfg.enable {
services.nginx.enable = true;
services.nginx.virtualHosts.${cfg.hostname} = {
enableACME = cfg.enableACME;
forceSSL = cfg.enableACME;
locations."/" = {
proxyPass = "http://localhost:${toString cfg.listenPort}";
};
};
users.users.${cfg.user} =
if cfg.user == "archivebox" then {
isSystemUser = true;
group = cfg.group;
home = cfg.dataDir;
createHome = true;
}
else {};
users.groups.${cfg.group} = {};
systemd.services.archivebox = {
enable = true;
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.ExecStart = "${pkgs.archivebox}/bin/archivebox server";
serviceConfig.PrivateTmp="yes";
serviceConfig.User = cfg.user;
serviceConfig.Group = cfg.group;
environment = let
boolToStr = bool: if bool then "true" else "false";
useCurl = cfg.saveArchiveDotOrg || cfg.saveFavicon || cfg.saveHeaders || cfg.saveTitle;
useGit = cfg.saveGit;
useWget = cfg.saveWget;
useSinglefile = cfg.saveSingleFile;
useReadability = cfg.saveReadability;
useMercury = cfg.saveMercury;
useYtdlp = cfg.saveMedia;
useChromium = cfg.saveDOM || cfg.savePDF || cfg.saveScreenshot || cfg.saveSingleFile;
in {
SAVE_TITLE = boolToStr cfg.saveTitle;
SAVE_FAVICON = boolToStr cfg.saveFavicon;
SAVE_WGET = boolToStr cfg.saveWget;
SAVE_WGET_REQUISITES = boolToStr cfg.saveWgetRequisites;
SAVE_SINGLEFILE = boolToStr cfg.saveSingleFile;
SAVE_READABILITY = boolToStr cfg.saveReadability;
SAVE_MERCURY = boolToStr cfg.saveMercury;
SAVE_PDF = boolToStr cfg.savePDF;
SAVE_SCREENSHOT = boolToStr cfg.saveScreenshot;
SAVE_DOM = boolToStr cfg.saveDOM;
SAVE_HEADERS = boolToStr cfg.saveHeaders;
SAVE_WARC = boolToStr cfg.saveWARC;
SAVE_GIT = boolToStr cfg.saveGit;
SAVE_MEDIA = boolToStr cfg.saveMedia;
SAVE_ARCHIVE_DOT_ORG = boolToStr cfg.saveArchiveDotOrg;
TIMEOUT = toString cfg.timeout;
MEDIA_TIMEOUT = toString cfg.mediaTimeout;
URL_BLACKLIST = cfg.urlBlacklist;
URL_WHITELIST = cfg.urlWhitelist;
BIND_ADDR = "${cfg.listenAddress}:${toString cfg.listenPort}";
PUBLIC_INDEX = boolToStr cfg.publicViewIndex;
PUBLIC_SNAPSHOTS = boolToStr cfg.publicViewSnapshots;
PUBLIC_ADD_VIEW = boolToStr cfg.publicCreateSnapshots;
FOOTER_INFO = cfg.footerInfo;
SNAPSHOTS_PER_PAGE = toString cfg.snapshotsPerPage;
RESOLUTION = cfg.screenshotResolution;
GIT_DOMAINS = cfg.gitDomains;
CHECK_SSL_VALIDITY = boolToStr cfg.checkSSLCert;
MEDIA_MAX_SIZE = cfg.mediaMaxSize;
CURL_USER_AGENT = cfg.curlUserAgent;
WGET_USER_AGENT = cfg.wgetUserAgent;
CHROME_USER_AGENT = cfg.chromiumUserAgent;
COOKIES_FILE = cfg.wgetCookiesFile;
CHROME_USER_DATA_DIR = cfg.chromiumUserDataDir;
CURL_BINARY = if useCurl then "${pkgs.curl}/bin/curl" else null;
GIT_BINARY = if useGit then "${pkgs.git}/bin/git" else null;
WGET_BINARY = if useWget then "${pkgs.wget}/bin/wget" else null;
SINGLEFILE_BINARY = if useSinglefile then "${single-file}/bin/single-file" else null;
READABILITY_BINARY = if useReadability then "${readability-extractor}/bin/readability-extractor" else null;
MERCURY_BINARY = if useMercury then "${mercury-parser}/bin/mercury-parser" else null;
YOUTUBEDL_BINARY = if useYtdlp then "${pkgs.yt-dlp}/bin/yt-dlp" else null;
NODE_BINARY = "${pkgs.nodejs}/bin/nodejs"; # is this really needed? Nix already includes nodejs inside packages where needed
RIPGREP_BINARY = "${pkgs.ripgrep}/bin/rg";
CHROME_BINARY = if useChromium then "${pkgs.chromium}/bin/chromium-browser" else null;
USE_CURL = boolToStr useCurl;
USE_WGET = boolToStr useWget;
USE_SINGLEFILE = boolToStr useSinglefile;
USE_READABILITY = boolToStr useReadability;
USE_MERCURY = boolToStr useMercury;
USE_GIT = boolToStr useGit;
USE_CHROME = boolToStr useChromium;
USE_YOUTUBEDL = boolToStr useYtdlp;
USE_RIPGREP = boolToStr true;
OUTPUT_DIR = cfg.dataDir;
};
preStart = ''
mkdir -p ${cfg.dataDir}
chown ${cfg.user}:${cfg.group} ${cfg.dataDir}
# initalize/migrate data directory
cd ${cfg.dataDir}
${pkgs.archivebox}/bin/archivebox init
'';
};
};
}

View File

@@ -1,3 +0,0 @@
#!/usr/bin/env bash
rm -f ./node-env.nix
nix run nixpkgs#nodePackages.node2nix -- -i node-packages.json -o node-packages.nix -c composition.nix --no-out-link

View File

@@ -1,588 +0,0 @@
# This file originates from node2nix
{lib, stdenv, nodejs, python2, pkgs, libtool, runCommand, writeTextFile, writeShellScript}:
let
# Workaround to cope with utillinux in Nixpkgs 20.09 and util-linux in Nixpkgs master
utillinux = if pkgs ? utillinux then pkgs.utillinux else pkgs.util-linux;
python = if nodejs ? python then nodejs.python else python2;
# Create a tar wrapper that filters all the 'Ignoring unknown extended header keyword' noise
tarWrapper = runCommand "tarWrapper" {} ''
mkdir -p $out/bin
cat > $out/bin/tar <<EOF
#! ${stdenv.shell} -e
$(type -p tar) "\$@" --warning=no-unknown-keyword --delay-directory-restore
EOF
chmod +x $out/bin/tar
'';
# Function that generates a TGZ file from a NPM project
buildNodeSourceDist =
{ name, version, src, ... }:
stdenv.mkDerivation {
name = "node-tarball-${name}-${version}";
inherit src;
buildInputs = [ nodejs ];
buildPhase = ''
export HOME=$TMPDIR
tgzFile=$(npm pack | tail -n 1) # Hooks to the pack command will add output (https://docs.npmjs.com/misc/scripts)
'';
installPhase = ''
mkdir -p $out/tarballs
mv $tgzFile $out/tarballs
mkdir -p $out/nix-support
echo "file source-dist $out/tarballs/$tgzFile" >> $out/nix-support/hydra-build-products
'';
};
# Common shell logic
installPackage = writeShellScript "install-package" ''
installPackage() {
local packageName=$1 src=$2
local strippedName
local DIR=$PWD
cd $TMPDIR
unpackFile $src
# Make the base dir in which the target dependency resides first
mkdir -p "$(dirname "$DIR/$packageName")"
if [ -f "$src" ]
then
# Figure out what directory has been unpacked
packageDir="$(find . -maxdepth 1 -type d | tail -1)"
# Restore write permissions to make building work
find "$packageDir" -type d -exec chmod u+x {} \;
chmod -R u+w "$packageDir"
# Move the extracted tarball into the output folder
mv "$packageDir" "$DIR/$packageName"
elif [ -d "$src" ]
then
# Get a stripped name (without hash) of the source directory.
# On old nixpkgs it's already set internally.
if [ -z "$strippedName" ]
then
strippedName="$(stripHash $src)"
fi
# Restore write permissions to make building work
chmod -R u+w "$strippedName"
# Move the extracted directory into the output folder
mv "$strippedName" "$DIR/$packageName"
fi
# Change to the package directory to install dependencies
cd "$DIR/$packageName"
}
'';
# Bundle the dependencies of the package
#
# Only include dependencies if they don't exist. They may also be bundled in the package.
includeDependencies = {dependencies}:
lib.optionalString (dependencies != []) (
''
mkdir -p node_modules
cd node_modules
''
+ (lib.concatMapStrings (dependency:
''
if [ ! -e "${dependency.name}" ]; then
${composePackage dependency}
fi
''
) dependencies)
+ ''
cd ..
''
);
# Recursively composes the dependencies of a package
composePackage = { name, packageName, src, dependencies ? [], ... }@args:
builtins.addErrorContext "while evaluating node package '${packageName}'" ''
installPackage "${packageName}" "${src}"
${includeDependencies { inherit dependencies; }}
cd ..
${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
'';
pinpointDependencies = {dependencies, production}:
let
pinpointDependenciesFromPackageJSON = writeTextFile {
name = "pinpointDependencies.js";
text = ''
var fs = require('fs');
var path = require('path');
function resolveDependencyVersion(location, name) {
if(location == process.env['NIX_STORE']) {
return null;
} else {
var dependencyPackageJSON = path.join(location, "node_modules", name, "package.json");
if(fs.existsSync(dependencyPackageJSON)) {
var dependencyPackageObj = JSON.parse(fs.readFileSync(dependencyPackageJSON));
if(dependencyPackageObj.name == name) {
return dependencyPackageObj.version;
}
} else {
return resolveDependencyVersion(path.resolve(location, ".."), name);
}
}
}
function replaceDependencies(dependencies) {
if(typeof dependencies == "object" && dependencies !== null) {
for(var dependency in dependencies) {
var resolvedVersion = resolveDependencyVersion(process.cwd(), dependency);
if(resolvedVersion === null) {
process.stderr.write("WARNING: cannot pinpoint dependency: "+dependency+", context: "+process.cwd()+"\n");
} else {
dependencies[dependency] = resolvedVersion;
}
}
}
}
/* Read the package.json configuration */
var packageObj = JSON.parse(fs.readFileSync('./package.json'));
/* Pinpoint all dependencies */
replaceDependencies(packageObj.dependencies);
if(process.argv[2] == "development") {
replaceDependencies(packageObj.devDependencies);
}
replaceDependencies(packageObj.optionalDependencies);
/* Write the fixed package.json file */
fs.writeFileSync("package.json", JSON.stringify(packageObj, null, 2));
'';
};
in
''
node ${pinpointDependenciesFromPackageJSON} ${if production then "production" else "development"}
${lib.optionalString (dependencies != [])
''
if [ -d node_modules ]
then
cd node_modules
${lib.concatMapStrings (dependency: pinpointDependenciesOfPackage dependency) dependencies}
cd ..
fi
''}
'';
# Recursively traverses all dependencies of a package and pinpoints all
# dependencies in the package.json file to the versions that are actually
# being used.
pinpointDependenciesOfPackage = { packageName, dependencies ? [], production ? true, ... }@args:
''
if [ -d "${packageName}" ]
then
cd "${packageName}"
${pinpointDependencies { inherit dependencies production; }}
cd ..
${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
fi
'';
# Extract the Node.js source code which is used to compile packages with
# native bindings
nodeSources = runCommand "node-sources" {} ''
tar --no-same-owner --no-same-permissions -xf ${nodejs.src}
mv node-* $out
'';
# Script that adds _integrity fields to all package.json files to prevent NPM from consulting the cache (that is empty)
addIntegrityFieldsScript = writeTextFile {
name = "addintegrityfields.js";
text = ''
var fs = require('fs');
var path = require('path');
function augmentDependencies(baseDir, dependencies) {
for(var dependencyName in dependencies) {
var dependency = dependencies[dependencyName];
// Open package.json and augment metadata fields
var packageJSONDir = path.join(baseDir, "node_modules", dependencyName);
var packageJSONPath = path.join(packageJSONDir, "package.json");
if(fs.existsSync(packageJSONPath)) { // Only augment packages that exist. Sometimes we may have production installs in which development dependencies can be ignored
console.log("Adding metadata fields to: "+packageJSONPath);
var packageObj = JSON.parse(fs.readFileSync(packageJSONPath));
if(dependency.integrity) {
packageObj["_integrity"] = dependency.integrity;
} else {
packageObj["_integrity"] = "sha1-000000000000000000000000000="; // When no _integrity string has been provided (e.g. by Git dependencies), add a dummy one. It does not seem to harm and it bypasses downloads.
}
if(dependency.resolved) {
packageObj["_resolved"] = dependency.resolved; // Adopt the resolved property if one has been provided
} else {
packageObj["_resolved"] = dependency.version; // Set the resolved version to the version identifier. This prevents NPM from cloning Git repositories.
}
if(dependency.from !== undefined) { // Adopt from property if one has been provided
packageObj["_from"] = dependency.from;
}
fs.writeFileSync(packageJSONPath, JSON.stringify(packageObj, null, 2));
}
// Augment transitive dependencies
if(dependency.dependencies !== undefined) {
augmentDependencies(packageJSONDir, dependency.dependencies);
}
}
}
if(fs.existsSync("./package-lock.json")) {
var packageLock = JSON.parse(fs.readFileSync("./package-lock.json"));
if(![1, 2].includes(packageLock.lockfileVersion)) {
process.stderr.write("Sorry, I only understand lock file versions 1 and 2!\n");
process.exit(1);
}
if(packageLock.dependencies !== undefined) {
augmentDependencies(".", packageLock.dependencies);
}
}
'';
};
# Reconstructs a package-lock file from the node_modules/ folder structure and package.json files with dummy sha1 hashes
reconstructPackageLock = writeTextFile {
name = "addintegrityfields.js";
text = ''
var fs = require('fs');
var path = require('path');
var packageObj = JSON.parse(fs.readFileSync("package.json"));
var lockObj = {
name: packageObj.name,
version: packageObj.version,
lockfileVersion: 1,
requires: true,
dependencies: {}
};
function augmentPackageJSON(filePath, dependencies) {
var packageJSON = path.join(filePath, "package.json");
if(fs.existsSync(packageJSON)) {
var packageObj = JSON.parse(fs.readFileSync(packageJSON));
dependencies[packageObj.name] = {
version: packageObj.version,
integrity: "sha1-000000000000000000000000000=",
dependencies: {}
};
processDependencies(path.join(filePath, "node_modules"), dependencies[packageObj.name].dependencies);
}
}
function processDependencies(dir, dependencies) {
if(fs.existsSync(dir)) {
var files = fs.readdirSync(dir);
files.forEach(function(entry) {
var filePath = path.join(dir, entry);
var stats = fs.statSync(filePath);
if(stats.isDirectory()) {
if(entry.substr(0, 1) == "@") {
// When we encounter a namespace folder, augment all packages belonging to the scope
var pkgFiles = fs.readdirSync(filePath);
pkgFiles.forEach(function(entry) {
if(stats.isDirectory()) {
var pkgFilePath = path.join(filePath, entry);
augmentPackageJSON(pkgFilePath, dependencies);
}
});
} else {
augmentPackageJSON(filePath, dependencies);
}
}
});
}
}
processDependencies("node_modules", lockObj.dependencies);
fs.writeFileSync("package-lock.json", JSON.stringify(lockObj, null, 2));
'';
};
prepareAndInvokeNPM = {packageName, bypassCache, reconstructLock, npmFlags, production}:
let
forceOfflineFlag = if bypassCache then "--offline" else "--registry http://www.example.com";
in
''
# Pinpoint the versions of all dependencies to the ones that are actually being used
echo "pinpointing versions of dependencies..."
source $pinpointDependenciesScriptPath
# Patch the shebangs of the bundled modules to prevent them from
# calling executables outside the Nix store as much as possible
patchShebangs .
# Deploy the Node.js package by running npm install. Since the
# dependencies have been provided already by ourselves, it should not
# attempt to install them again, which is good, because we want to make
# it Nix's responsibility. If it needs to install any dependencies
# anyway (e.g. because the dependency parameters are
# incomplete/incorrect), it fails.
#
# The other responsibilities of NPM are kept -- version checks, build
# steps, postprocessing etc.
export HOME=$TMPDIR
cd "${packageName}"
runHook preRebuild
${lib.optionalString bypassCache ''
${lib.optionalString reconstructLock ''
if [ -f package-lock.json ]
then
echo "WARNING: Reconstruct lock option enabled, but a lock file already exists!"
echo "This will most likely result in version mismatches! We will remove the lock file and regenerate it!"
rm package-lock.json
else
echo "No package-lock.json file found, reconstructing..."
fi
node ${reconstructPackageLock}
''}
node ${addIntegrityFieldsScript}
''}
npm ${forceOfflineFlag} --nodedir=${nodeSources} ${npmFlags} ${lib.optionalString production "--production"} rebuild
if [ "''${dontNpmInstall-}" != "1" ]
then
# NPM tries to download packages even when they already exist if npm-shrinkwrap is used.
rm -f npm-shrinkwrap.json
npm ${forceOfflineFlag} --nodedir=${nodeSources} ${npmFlags} ${lib.optionalString production "--production"} install
fi
'';
# Builds and composes an NPM package including all its dependencies
buildNodePackage =
{ name
, packageName
, version
, dependencies ? []
, buildInputs ? []
, production ? true
, npmFlags ? ""
, dontNpmInstall ? false
, bypassCache ? false
, reconstructLock ? false
, preRebuild ? ""
, dontStrip ? true
, unpackPhase ? "true"
, buildPhase ? "true"
, meta ? {}
, ... }@args:
let
extraArgs = removeAttrs args [ "name" "dependencies" "buildInputs" "dontStrip" "dontNpmInstall" "preRebuild" "unpackPhase" "buildPhase" "meta" ];
in
stdenv.mkDerivation ({
name = "${name}-${version}";
buildInputs = [ tarWrapper python nodejs ]
++ lib.optional (stdenv.isLinux) utillinux
++ lib.optional (stdenv.isDarwin) libtool
++ buildInputs;
inherit nodejs;
inherit dontStrip; # Stripping may fail a build for some package deployments
inherit dontNpmInstall preRebuild unpackPhase buildPhase;
compositionScript = composePackage args;
pinpointDependenciesScript = pinpointDependenciesOfPackage args;
passAsFile = [ "compositionScript" "pinpointDependenciesScript" ];
installPhase = ''
source ${installPackage}
# Create and enter a root node_modules/ folder
mkdir -p $out/lib/node_modules
cd $out/lib/node_modules
# Compose the package and all its dependencies
source $compositionScriptPath
${prepareAndInvokeNPM { inherit packageName bypassCache reconstructLock npmFlags production; }}
# Create symlink to the deployed executable folder, if applicable
if [ -d "$out/lib/node_modules/.bin" ]
then
ln -s $out/lib/node_modules/.bin $out/bin
fi
# Create symlinks to the deployed manual page folders, if applicable
if [ -d "$out/lib/node_modules/${packageName}/man" ]
then
mkdir -p $out/share
for dir in "$out/lib/node_modules/${packageName}/man/"*
do
mkdir -p $out/share/man/$(basename "$dir")
for page in "$dir"/*
do
ln -s $page $out/share/man/$(basename "$dir")
done
done
fi
# Run post install hook, if provided
runHook postInstall
'';
meta = {
# default to Node.js' platforms
platforms = nodejs.meta.platforms;
} // meta;
} // extraArgs);
# Builds a node environment (a node_modules folder and a set of binaries)
buildNodeDependencies =
{ name
, packageName
, version
, src
, dependencies ? []
, buildInputs ? []
, production ? true
, npmFlags ? ""
, dontNpmInstall ? false
, bypassCache ? false
, reconstructLock ? false
, dontStrip ? true
, unpackPhase ? "true"
, buildPhase ? "true"
, ... }@args:
let
extraArgs = removeAttrs args [ "name" "dependencies" "buildInputs" ];
in
stdenv.mkDerivation ({
name = "node-dependencies-${name}-${version}";
buildInputs = [ tarWrapper python nodejs ]
++ lib.optional (stdenv.isLinux) utillinux
++ lib.optional (stdenv.isDarwin) libtool
++ buildInputs;
inherit dontStrip; # Stripping may fail a build for some package deployments
inherit dontNpmInstall unpackPhase buildPhase;
includeScript = includeDependencies { inherit dependencies; };
pinpointDependenciesScript = pinpointDependenciesOfPackage args;
passAsFile = [ "includeScript" "pinpointDependenciesScript" ];
installPhase = ''
source ${installPackage}
mkdir -p $out/${packageName}
cd $out/${packageName}
source $includeScriptPath
# Create fake package.json to make the npm commands work properly
cp ${src}/package.json .
chmod 644 package.json
${lib.optionalString bypassCache ''
if [ -f ${src}/package-lock.json ]
then
cp ${src}/package-lock.json .
fi
''}
# Go to the parent folder to make sure that all packages are pinpointed
cd ..
${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
${prepareAndInvokeNPM { inherit packageName bypassCache reconstructLock npmFlags production; }}
# Expose the executables that were installed
cd ..
${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
mv ${packageName} lib
ln -s $out/lib/node_modules/.bin $out/bin
'';
} // extraArgs);
# Builds a development shell
buildNodeShell =
{ name
, packageName
, version
, src
, dependencies ? []
, buildInputs ? []
, production ? true
, npmFlags ? ""
, dontNpmInstall ? false
, bypassCache ? false
, reconstructLock ? false
, dontStrip ? true
, unpackPhase ? "true"
, buildPhase ? "true"
, ... }@args:
let
nodeDependencies = buildNodeDependencies args;
in
stdenv.mkDerivation {
name = "node-shell-${name}-${version}";
buildInputs = [ python nodejs ] ++ lib.optional (stdenv.isLinux) utillinux ++ buildInputs;
buildCommand = ''
mkdir -p $out/bin
cat > $out/bin/shell <<EOF
#! ${stdenv.shell} -e
$shellHook
exec ${stdenv.shell}
EOF
chmod +x $out/bin/shell
'';
# Provide the dependencies in a development shell through the NODE_PATH environment variable
inherit nodeDependencies;
shellHook = lib.optionalString (dependencies != []) ''
export NODE_PATH=${nodeDependencies}/lib/node_modules
export PATH="${nodeDependencies}/bin:$PATH"
'';
};
in
{
buildNodeSourceDist = lib.makeOverridable buildNodeSourceDist;
buildNodePackage = lib.makeOverridable buildNodePackage;
buildNodeDependencies = lib.makeOverridable buildNodeDependencies;
buildNodeShell = lib.makeOverridable buildNodeShell;
}
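Review bot: two defects in this node2nix-generated `node-env.nix` are visible in the hunk. First, `reconstructPackageLock` is registered under the same file name as the integrity script (`name = "addintegrityfields.js";` appears under both `addIntegrityFieldsScript` and `reconstructPackageLock`). Second, in `processDependencies` the scoped-package branch re-tests the outer directory's `stats` (`if(stats.isDirectory())` right after `pkgFiles.forEach(function(entry) {`) instead of calling `fs.statSync` on `pkgFilePath`, so every entry under an `@scope` folder is treated as a package directory. Both belong upstream in node2nix rather than in a vendored copy, which supports the direction taken by the sibling hunks (dropping `./archivebox` from the imports and consuming `archivebox` as a flake input). One thing for whoever maintains that input to keep in mind: the generated lockfile is filled with the constant `sha1-000000000000000000000000000=` integrity string precisely so that npm skips verification, so npm contributes no integrity check here and the trust placed in each tarball rests entirely on the Nix side of the build.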

View File

@@ -1,5 +0,0 @@
[
"@postlight/mercury-parser"
, { "readability-extractor": "git+https://github.com/ArchiveBox/readability-extractor.git" }
, { "single-file": "git+https://github.com/gildas-lormeau/SingleFile.git" }
]

File diff suppressed because it is too large Load Diff

View File

@@ -2,7 +2,6 @@
{ {
imports = [ imports = [
./archivebox
./nginx.nix ./nginx.nix
./thelounge.nix ./thelounge.nix
./mumble.nix ./mumble.nix
@@ -12,7 +11,8 @@
./zerobin.nix ./zerobin.nix
./gitea.nix ./gitea.nix
./privatebin/privatebin.nix ./privatebin/privatebin.nix
./drastikbot.nix
./radio.nix ./radio.nix
./samba.nix
./owncast.nix
]; ];
} }

View File

@@ -1,80 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.drastikbot;
drastikbot = pkgs.python3Packages.buildPythonApplication rec {
pname = "drastikbot";
version = "v2.1";
format = "other";
srcs = [
config.inputs.drastikbot
config.inputs.drastikbot_modules
config.inputs.dailybuild_modules
];
nativeBuildInputs = [ pkgs.makeWrapper ];
phases = [ "installPhase" ]; # Removes all phases except installPhase
installPhase = ''
arr=($srcs)
mkdir -p $out/irc/modules
cp -r ''${arr[0]}/src/* $out/
cp -r ''${arr[1]}/* $out/irc/modules
cp -r ''${arr[2]}/* $out/irc/modules
makeWrapper ${pkgs.python3}/bin/python3 $out/drastikbot \
--prefix PYTHONPATH : ${with pkgs.python3Packages; makePythonPath [requests beautifulsoup4]} \
--add-flags "$out/drastikbot.py"
'';
};
in {
options.services.drastikbot = {
enable = lib.mkEnableOption "enable drastikbot";
user = lib.mkOption {
type = lib.types.str;
default = "drastikbot";
description = ''
The user drastikbot should run as
'';
};
group = lib.mkOption {
type = lib.types.str;
default = "drastikbot";
description = ''
The group drastikbot should run as
'';
};
dataDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/drastikbot";
description = ''
Path to the drastikbot data directory
'';
};
};
config = lib.mkIf cfg.enable {
users.users.${cfg.user} = {
isSystemUser = true;
group = cfg.group;
home = cfg.dataDir;
createHome = true;
};
users.groups.${cfg.group} = {};
systemd.services.drastikbot = {
enable = true;
after = ["network.target"];
wantedBy = ["multi-user.target"];
serviceConfig.ExecStart = "${drastikbot}/drastikbot -c ${cfg.dataDir}";
serviceConfig.User = cfg.user;
serviceConfig.Group = cfg.group;
preStart = ''
mkdir -p ${cfg.dataDir}
chown ${cfg.user} ${cfg.dataDir}
'';
};
};
}

View File

@@ -59,10 +59,11 @@ in {
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
services.matrix-synapse = { services.matrix-synapse = {
enable = true; enable = true;
settings = {
server_name = cfg.host; server_name = cfg.host;
enable_registration = cfg.enable_registration; enable_registration = cfg.enable_registration;
listeners = [ { listeners = [ {
bind_address = "127.0.0.1"; bind_addresses = ["127.0.0.1"];
port = cfg.port; port = cfg.port;
tls = false; tls = false;
resources = [ { resources = [ {
@@ -77,6 +78,7 @@ in {
turn_shared_secret = cfg.turn.secret; turn_shared_secret = cfg.turn.secret;
turn_user_lifetime = "1h"; turn_user_lifetime = "1h";
}; };
};
services.coturn = { services.coturn = {
enable = true; enable = true;
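Review bot: the `bind_address` to `bind_addresses = ["127.0.0.1"];` rename that comes with the move to `settings = { ... };` is correct, but `turn_shared_secret = cfg.turn.secret;` now sits inside `settings`, which the module renders into a world-readable file in the Nix store, so the TURN shared secret is on disk for every local user. That was already true of the old layout, but since these lines are being touched it is the moment to move the secret out of `settings` into a file referenced through the module's `extraConfigFiles` option (an agenix-managed file readable only by the synapse user, for example) and keep only non-secret keys in `settings`.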

31
common/server/owncast.nix Normal file
View File

@@ -0,0 +1,31 @@
{ lib, config, ... }:
with lib;
let
cfg = config.services.owncast;
in {
options.services.owncast = {
hostname = lib.mkOption {
type = types.str;
example = "example.com";
};
};
config = mkIf cfg.enable {
services.owncast.listen = "127.0.0.1";
services.owncast.port = 62419; # random port
networking.firewall.allowedTCPPorts = [ cfg.rtmp-port ];
services.nginx.enable = true;
services.nginx.virtualHosts.${cfg.hostname} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${toString cfg.port}";
proxyWebsockets = true;
};
};
};
}
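Review bot: `networking.firewall.allowedTCPPorts = [ cfg.rtmp-port ];` exposes the RTMP ingest port on every interface, while the web side is deliberately bound to `127.0.0.1` and fronted by nginx with TLS; Owncast's ingest is guarded only by the stream key, so either add a comment stating that the port is intentionally public or scope it with `networking.firewall.interfaces.<name>.allowedTCPPorts` when streams always originate from one network. Minor: `hostname` declares an `example` but no `description`, and with `with lib;` already in scope `lib.mkOption` can simply be `mkOption`.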

115
common/server/samba.nix Normal file
View File

@@ -0,0 +1,115 @@
{ config, lib, pkgs, ... }:
{
config = lib.mkIf config.services.samba.enable {
services.samba = {
openFirewall = true;
package = pkgs.sambaFull; # printer sharing
securityType = "user";
# should this be on?
nsswins = true;
extraConfig = ''
workgroup = HOME
server string = smbnix
netbios name = smbnix
security = user
use sendfile = yes
min protocol = smb2
guest account = nobody
map to guest = bad user
# printing
load printers = yes
printing = cups
printcap name = cups
# horrible files
veto files = /._*/.DS_Store/ /._*/._.DS_Store/
delete veto files = yes
'';
shares = {
public = {
path = "/data/samba/Public";
browseable = "yes";
"read only" = "no";
"guest ok" = "no";
"create mask" = "0644";
"directory mask" = "0755";
"force user" = "public_data";
"force group" = "public_data";
};
googlebot = {
path = "/data/samba/googlebot";
browseable = "yes";
"read only" = "no";
"guest ok" = "no";
"valid users" = "googlebot";
"create mask" = "0644";
"directory mask" = "0755";
"force user" = "googlebot";
"force group" = "users";
};
cris = {
path = "/data/samba/cris";
browseable = "yes";
"read only" = "no";
"guest ok" = "no";
"valid users" = "cris";
"create mask" = "0644";
"directory mask" = "0755";
"force user" = "root";
"force group" = "users";
};
printers = {
comment = "All Printers";
path = "/var/spool/samba";
public = "yes";
browseable = "yes";
# to allow user 'guest account' to print.
"guest ok" = "yes";
writable = "no";
printable = "yes";
"create mode" = 0700;
};
};
};
# Windows discovery of samba server
services.samba-wsdd = {
enable = true;
# are these needed?
workgroup = "HOME";
hoplimit = 3;
discovery = true;
};
networking.firewall.allowedTCPPorts = [ 5357 ];
networking.firewall.allowedUDPPorts = [ 3702 ];
# Printer discovery
# (is this needed?)
services.avahi.enable = true;
services.avahi.nssmdns = true;
# printer sharing
systemd.tmpfiles.rules = [
"d /var/spool/samba 1777 root root -"
];
users.groups.public_data.gid = 994;
users.users.public_data = {
isSystemUser = true;
group = "public_data";
uid = 994;
};
users.users.googlebot.extraGroups = [ "public_data" ];
# samba user for share
users.users.cris.isSystemUser = true;
users.users.cris.group = "cris";
users.groups.cris = {};
};
}
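Review bot: the `cris` share combines `"read only" = "no";` with `"force user" = "root";`, so anything written through that share is created as root on the server; every other share forces a dedicated unprivileged account, and this one should too (a `cris` system user and group are created a few lines further down, so `"force user" = "cris"` is the obvious fix). Smaller points: `"create mode" = 0700;` is the only unquoted mode, and Nix reads it as the decimal integer 700 rather than an octal literal (Samba happens to parse mode values as octal, so it works by accident; quote it like the other masks); `security = user` in `extraConfig` duplicates `securityType = "user"`; `nsswins = true` with its "should this be on?" comment makes NSS resolve host names through WINS, an unauthenticated broadcast-based mechanism, so leave it off unless something actually needs it; `users.users.cris.isSystemUser = true;` gives cris no Samba password, so document that `smbpasswd -a cris` (or a declarative equivalent) has to be run out of band; and the `/data/samba/*` share paths are not created or permissioned by any `tmpfiles` rule here, unlike `/var/spool/samba`.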

View File

@@ -23,7 +23,7 @@ in {
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
services.thelounge = { services.thelounge = {
private = true; public = false;
extraConfig = { extraConfig = {
reverseProxy = true; reverseProxy = true;
maxHistory = -1; maxHistory = -1;

46
common/shell.nix Normal file
View File

@@ -0,0 +1,46 @@
{ config, pkgs, ... }:
# Improvements to the default shell
# - use nix-locate for command-not-found
# - disable fish's annoying greeting message
# - add some handy shell commands
let
nix-locate = config.inputs.nix-locate.packages.${config.currentSystem}.default;
in {
programs.command-not-found.enable = false;
environment.systemPackages = [
nix-locate
];
programs.fish = {
enable = true;
shellInit = let
wrapper = pkgs.writeScript "command-not-found" ''
#!${pkgs.bash}/bin/bash
source ${nix-locate}/etc/profile.d/command-not-found.sh
command_not_found_handle "$@"
'';
in ''
# use nix-locate for command-not-found functionality
function __fish_command_not_found_handler --on-event fish_command_not_found
${wrapper} $argv
end
# disable annoying fish shell greeting
set fish_greeting
'';
};
environment.shellAliases = {
myip = "dig +short myip.opendns.com @resolver1.opendns.com";
# https://linuxreviews.org/HOWTO_Test_Disk_I/O_Performance
io_seq_read = "nix run nixpkgs#fio -- --name TEST --eta-newline=5s --filename=temp.file --rw=read --size=2g --io_size=10g --blocksize=1024k --ioengine=libaio --fsync=10000 --iodepth=32 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
io_seq_write = "nix run nixpkgs#fio -- --name TEST --eta-newline=5s --filename=temp.file --rw=write --size=2g --io_size=10g --blocksize=1024k --ioengine=libaio --fsync=10000 --iodepth=32 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
io_rand_read = "nix run nixpkgs#fio -- --name TEST --eta-newline=5s --filename=temp.file --rw=randread --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=32 --runtime=60 --group_reporting; rm temp.file";
io_rand_write = "nix run nixpkgs#fio -- --name TEST --eta-newline=5s --filename=temp.file --rw=randrw --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
};
}
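Review bot: the `io_rand_write` alias runs fio with `--rw=randrw` (mixed random read/write) rather than `--rw=randwrite`, so its name and its numbers disagree; the other three aliases match their names. All four aliases also write a 2 GiB `temp.file` into whatever the current directory happens to be and unconditionally `rm temp.file` afterwards, so they will delete a pre-existing file of that name; a `mktemp` path or a fixed location under `/tmp` avoids that. The fish handler (`${wrapper} $argv`) is fine: `$argv` carries the missing command and its arguments straight through to `command_not_found_handle`.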

View File

@@ -8,8 +8,10 @@ rec {
]; ];
system = { system = {
liza = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDY/pNyWedEfU7Tq9ikGbriRuF1ZWkHhegGS17L0Vcdl"; liza = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDY/pNyWedEfU7Tq9ikGbriRuF1ZWkHhegGS17L0Vcdl";
ponyo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMBBlTAIp38RhErU1wNNV5MBeb+WGH0mhF/dxh5RsAXN";
ponyo-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC9LQuuImgWlkjDhEEIbM1wOd+HqRv1RxvYZuLXPSdRi";
ray = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQM8hwKRgl8cZj7UVYATSLYu4LhG7I0WFJ9m2iWowiB"; ray = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQM8hwKRgl8cZj7UVYATSLYu4LhG7I0WFJ9m2iWowiB";
s0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN4xi9PqTvcA/XB+gTwjFXk+f3sycGSFoioO3e8yDy7H"; s0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";
n1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPWlhd1Oid5Xf2zdcBrcdrR0TlhObutwcJ8piobRTpRt"; n1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPWlhd1Oid5Xf2zdcBrcdrR0TlhObutwcJ8piobRTpRt";
n2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ7bRiRutnI7Bmyt/I238E3Fp5DqiClIXiVibsccipOr"; n2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ7bRiRutnI7Bmyt/I238E3Fp5DqiClIXiVibsccipOr";
n3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+rJEaRrFDGirQC2UoWQkmpzLg4qgTjGJgVqiipWiU5"; n3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+rJEaRrFDGirQC2UoWQkmpzLg4qgTjGJgVqiipWiU5";
@@ -22,6 +24,7 @@ rec {
# groups # groups
systems = with system; [ systems = with system; [
liza liza
ponyo
ray ray
s0 s0
n1 n1
@@ -37,6 +40,7 @@ rec {
]; ];
servers = with system; [ servers = with system; [
liza liza
ponyo
s0 s0
n1 n1
n2 n2
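Review bot: the `s0` entry changes from `...AAAAIN4xi9PqTvcA/XB+...` to `...AAAAIAwiXcUFtAvZCayhu4+...`, i.e. the key is replaced rather than added; any agenix secrets encrypted to the old `s0` key need to be rekeyed against the new one, and the old public key should be purged from any `authorized_keys` or `known_hosts` entries that referenced it. The new `ponyo-unlock` key is listed under `system` but left out of the `systems` and `servers` groups, which is the right shape for what its name suggests is an initrd unlock key that should only decrypt the secrets it needs; a one-line comment saying so would save the next reader the question.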

270
flake.lock generated
View File

@@ -2,14 +2,17 @@
"nodes": { "nodes": {
"agenix": { "agenix": {
"inputs": { "inputs": {
"nixpkgs": "nixpkgs" "darwin": "darwin",
"nixpkgs": [
"nixpkgs"
]
}, },
"locked": { "locked": {
"lastModified": 1646845404, "lastModified": 1675176355,
"narHash": "sha256-JENXFCI2HVqi0whBzt7MAW9PX3ziEaYqBhMux+4g+VM=", "narHash": "sha256-Qjxh5cmN56siY97mzmBLI1+cdjXSPqmfPVsKxBvHmwI=",
"owner": "ryantm", "owner": "ryantm",
"repo": "agenix", "repo": "agenix",
"rev": "764c975e74bce2f89a5106b68ec48e2b586f893c", "rev": "b7ffcfe77f817d9ee992640ba1f270718d197f28",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -18,6 +21,29 @@
"type": "github" "type": "github"
} }
}, },
"archivebox": {
"inputs": {
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1648612759,
"narHash": "sha256-SJwlpD2Wz3zFoX2mIYCQfwIOYHaOdeiWGFeDXsLGM84=",
"ref": "refs/heads/master",
"rev": "39d338b9b24159d8ef3309eecc0d32a2a9f102b5",
"revCount": 2,
"type": "git",
"url": "https://git.neet.dev/zuckerberg/archivebox.git"
},
"original": {
"type": "git",
"url": "https://git.neet.dev/zuckerberg/archivebox.git"
}
},
"blobs": { "blobs": {
"flake": false, "flake": false,
"locked": { "locked": {
@@ -35,62 +61,73 @@
} }
}, },
"dailybuild_modules": { "dailybuild_modules": {
"flake": false, "inputs": {
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
]
},
"locked": { "locked": {
"lastModified": 1633210754, "lastModified": 1651719222,
"narHash": "sha256-jBIE07mLsF+qHoa/CQLSRipvfNSivgbuWUatI6Wwy0s=", "narHash": "sha256-p/GY5vOP+HUlxNL4OtEhmBNEVQsedOHXEmjfCGONVmE=",
"ref": "refs/heads/master",
"rev": "1290ddd9a2ff2bf2d0f702750768312b80efcd34",
"revCount": 19,
"type": "git",
"url": "https://git.neet.dev/zuckerberg/dailybuild_modules.git"
},
"original": {
"type": "git",
"url": "https://git.neet.dev/zuckerberg/dailybuild_modules.git"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1673295039,
"narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master", "ref": "master",
"rev": "e6a1c8686dad46b7847a5c690107a48fc20a6a29", "repo": "nix-darwin",
"revCount": 9,
"type": "git",
"url": "https://git.neet.dev/zuckerberg/dailybuild_modules.git"
},
"original": {
"type": "git",
"url": "https://git.neet.dev/zuckerberg/dailybuild_modules.git"
}
},
"drastikbot": {
"flake": false,
"locked": {
"lastModified": 1596211584,
"narHash": "sha256-1L8vTE1YEhFWzY5RYb+s5Hb4LrVJNN2leKlZEugEyRU=",
"owner": "olagood",
"repo": "drastikbot",
"rev": "ef72e3afe7602d95c8b014202e220f04796900ab",
"type": "github"
},
"original": {
"owner": "olagood",
"ref": "v2.1",
"repo": "drastikbot",
"type": "github" "type": "github"
} }
}, },
"drastikbot_modules": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1619214744, "lastModified": 1668681692,
"narHash": "sha256-w1164FkRkeyWnx6a95WDbwEUvNkNwFWa/6mhKtgVw0c=", "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
"owner": "olagood", "owner": "edolstra",
"repo": "drastikbot_modules", "repo": "flake-compat",
"rev": "3af549a8c3f6e55b63758a61a751bebb1b2db3a3", "rev": "009399224d5e398d03b22badca40a37ac85412a1",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "olagood", "owner": "edolstra",
"ref": "v2.1", "repo": "flake-compat",
"repo": "drastikbot_modules",
"type": "github" "type": "github"
} }
}, },
"flake-utils": { "flake-utils": {
"locked": { "locked": {
"lastModified": 1620759905, "lastModified": 1667395993,
"narHash": "sha256-WiyWawrgmyN0EdmiHyG2V+fqReiVi8bM9cRdMaKQOFg=", "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "b543720b25df6ffdfcf9227afafc5b8c1fabfae8", "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -99,113 +136,95 @@
"type": "github" "type": "github"
} }
}, },
"nix-locate": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1673969751,
"narHash": "sha256-U6aYz3lqZ4NVEGEWiti1i0FyqEo4bUjnTAnA73DPnNU=",
"owner": "bennofs",
"repo": "nix-index",
"rev": "5f98881b1ed27ab6656e6d71b534f88430f6823a",
"type": "github"
},
"original": {
"owner": "bennofs",
"repo": "nix-index",
"type": "github"
}
},
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1638587357, "lastModified": 1672580127,
"narHash": "sha256-2ySMW3QARG8BsRPmwe7clTbdCuaObromOKewykP+UJc=", "narHash": "sha256-3lW3xZslREhJogoOkjeZtlBtvFMyxHku7I/9IVehhT8=",
"owner": "nixos", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "e34c5379866833f41e2a36f309912fa675d687c7", "rev": "0874168639713f547c05947c76124f78441ea46c",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "NixOS",
"ref": "nixos-21.11", "ref": "nixos-22.05",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs-21_05": { "nixpkgs-22_05": {
"locked": { "locked": {
"lastModified": 1625692408, "lastModified": 1654936503,
"narHash": "sha256-e9L3TLLDVIJpMnHtiNHJE62oOh6emRtSZ244bgYJUZs=", "narHash": "sha256-soKzdhI4jTHv/rSbh89RdlcJmrPgH8oMb/PLqiqIYVQ=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "c06613c25df3fe1dd26243847a3c105cf6770627", "rev": "dab6df51387c3878cdea09f43589a15729cae9f4",
"type": "github" "type": "github"
}, },
"original": { "original": {
"id": "nixpkgs", "id": "nixpkgs",
"ref": "nixos-21.05", "ref": "nixos-22.05",
"type": "indirect" "type": "indirect"
} }
}, },
"nixpkgs-21_11": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1638371214, "lastModified": 1675835843,
"narHash": "sha256-0kE6KhgH7n0vyuX4aUoGsGIQOqjIx2fJavpCWtn73rc=", "narHash": "sha256-y1dSCQPcof4CWzRYRqDj4qZzbBl+raVPAko5Prdil28=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "a640d8394f34714578f3e6335fc767d0755d78f9", "rev": "32f914af34f126f54b45e482fb2da4ae78f3095f",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-21.11",
"type": "indirect"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1646675913,
"narHash": "sha256-ZvGf51XpXM7JojKLZ5yI0XLUq8UOFX6AwZ3bhtdcpIo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "9b1c7ba323732ddc85a51850a7f10ecc5269b8e9",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "nixos-21.11", "ref": "master",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs_3": {
"locked": {
"lastModified": 1621784194,
"narHash": "sha256-CQWN/QvVHG8qCn7UhGGwoT3jAPvnJHQUvzBlIt48FGs=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "c5265c01a944b1cecfcfab392d5204d73d65d4ec",
"type": "github"
},
"original": {
"id": "nixpkgs",
"type": "indirect"
}
},
"nixpkgs_4": {
"locked": {
"lastModified": 1626852498,
"narHash": "sha256-lOXUJvi0FJUXHTVSiC5qsMRtEUgqM4mGZpMESLuGhmo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "16105403bdd843540cbef9c63fc0f16c1c6eaa70",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-unstable",
"type": "indirect"
}
},
"radio": { "radio": {
"inputs": { "inputs": {
"flake-utils": "flake-utils", "flake-utils": [
"nixpkgs": "nixpkgs_3" "flake-utils"
],
"nixpkgs": [
"nixpkgs"
]
}, },
"locked": { "locked": {
"lastModified": 1633288285, "lastModified": 1631585589,
"narHash": "sha256-pL8oEB1AoghvFTsSLLKA1zhV8Z8TM8vcAkeodS6/IZs=", "narHash": "sha256-q4o/4/2pEuJyaKZwNQC5KHnzG1obClzFB7zWk9XSDfY=",
"ref": "main", "ref": "main",
"rev": "eb95b31089f5a107cb7efe0c55d45beb1399ebbb", "rev": "5bf607fed977d41a269942a7d1e92f3e6d4f2473",
"revCount": 51, "revCount": 38,
"type": "git", "type": "git",
"url": "https://git.neet.dev/zuckerberg/radio.git" "url": "https://git.neet.dev/zuckerberg/radio.git"
}, },
"original": { "original": {
"ref": "main", "ref": "main",
"rev": "5bf607fed977d41a269942a7d1e92f3e6d4f2473",
"type": "git", "type": "git",
"url": "https://git.neet.dev/zuckerberg/radio.git" "url": "https://git.neet.dev/zuckerberg/radio.git"
} }
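Review bot: `nixpkgs-unstable` is locked to `"ref": "master"` on `NixOS/nixpkgs`, the raw branch rather than the `nixos-unstable` channel that has passed Hydra's channel-blocking tests; `ray` and `s0` build from it (see the `mkSystem ... nixpkgs-unstable` lines in `flake.nix`), so they can pick up commits that would never reach a channel, including broken or regressed security-relevant packages. Collapsing `nixpkgs_2`, `nixpkgs_3` and `nixpkgs_4` into `follows` references to the single `nixpkgs` input is a clear improvement: fewer distinct nixpkgs revisions to audit and patch (the mail server's `nixpkgs-22_05` remains its own pin).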
@@ -213,11 +232,11 @@
"radio-web": { "radio-web": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1629918655, "lastModified": 1652121792,
"narHash": "sha256-sDVM1K1r2y4T37tvdu3mtjiswJ7/PrVGsDQrHzrNfac=", "narHash": "sha256-j1Y9MAjUVNgyFSeGzPoqibAnEysJDjZSXukVfQ7+bsQ=",
"ref": "master", "ref": "refs/heads/master",
"rev": "585ce4e3d09d1618d61358902a4231e91e15e1de", "rev": "72e7a9e80b780c84ed8d4a6374bfbb242701f900",
"revCount": 4, "revCount": 5,
"type": "git", "type": "git",
"url": "https://git.neet.dev/zuckerberg/radio-web.git" "url": "https://git.neet.dev/zuckerberg/radio-web.git"
}, },
@@ -229,10 +248,12 @@
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix", "agenix": "agenix",
"archivebox": "archivebox",
"dailybuild_modules": "dailybuild_modules", "dailybuild_modules": "dailybuild_modules",
"drastikbot": "drastikbot", "flake-utils": "flake-utils",
"drastikbot_modules": "drastikbot_modules", "nix-locate": "nix-locate",
"nixpkgs": "nixpkgs_2", "nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable",
"radio": "radio", "radio": "radio",
"radio-web": "radio-web", "radio-web": "radio-web",
"simple-nixos-mailserver": "simple-nixos-mailserver" "simple-nixos-mailserver": "simple-nixos-mailserver"
@@ -241,22 +262,23 @@
"simple-nixos-mailserver": { "simple-nixos-mailserver": {
"inputs": { "inputs": {
"blobs": "blobs", "blobs": "blobs",
"nixpkgs": "nixpkgs_4", "nixpkgs": [
"nixpkgs-21_05": "nixpkgs-21_05", "nixpkgs"
"nixpkgs-21_11": "nixpkgs-21_11", ],
"nixpkgs-22_05": "nixpkgs-22_05",
"utils": "utils" "utils": "utils"
}, },
"locked": { "locked": {
"lastModified": 1638911354, "lastModified": 1655930346,
"narHash": "sha256-hNhzLOp+dApEY15vwLAQZu+sjEQbJcOXCaSfAT6lpsQ=", "narHash": "sha256-ht56HHOzEhjeIgAv5ZNFjSVX/in1YlUs0HG9c1EUXTM=",
"owner": "simple-nixos-mailserver", "owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver", "repo": "nixos-mailserver",
"rev": "6e3a7b2ea6f0d68b82027b988aa25d3423787303", "rev": "f535d8123c4761b2ed8138f3d202ea710a334a1d",
"type": "gitlab" "type": "gitlab"
}, },
"original": { "original": {
"owner": "simple-nixos-mailserver", "owner": "simple-nixos-mailserver",
"ref": "nixos-21.11", "ref": "nixos-22.05",
"repo": "nixos-mailserver", "repo": "nixos-mailserver",
"type": "gitlab" "type": "gitlab"
} }

View File

@@ -1,54 +1,79 @@
{ {
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.11"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.05";
simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-21.11"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/master";
flake-utils.url = "github:numtide/flake-utils";
nix-locate.url = "github:bennofs/nix-index";
nix-locate.inputs.nixpkgs.follows = "nixpkgs";
# mail server
simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-22.05";
simple-nixos-mailserver.inputs.nixpkgs.follows = "nixpkgs";
# agenix
agenix.url = "github:ryantm/agenix"; agenix.url = "github:ryantm/agenix";
agenix.inputs.nixpkgs.follows = "nixpkgs";
# radio # radio
radio.url = "git+https://git.neet.dev/zuckerberg/radio.git?ref=main"; radio.url = "git+https://git.neet.dev/zuckerberg/radio.git?ref=main&rev=5bf607fed977d41a269942a7d1e92f3e6d4f2473";
radio.inputs.nixpkgs.follows = "nixpkgs";
radio.inputs.flake-utils.follows = "flake-utils";
radio-web.url = "git+https://git.neet.dev/zuckerberg/radio-web.git"; radio-web.url = "git+https://git.neet.dev/zuckerberg/radio-web.git";
radio-web.flake = false; radio-web.flake = false;
# drastikbot # drastikbot
drastikbot.url = "github:olagood/drastikbot/v2.1";
drastikbot.flake = false;
drastikbot_modules.url = "github:olagood/drastikbot_modules/v2.1";
drastikbot_modules.flake = false;
dailybuild_modules.url = "git+https://git.neet.dev/zuckerberg/dailybuild_modules.git"; dailybuild_modules.url = "git+https://git.neet.dev/zuckerberg/dailybuild_modules.git";
dailybuild_modules.flake = false; dailybuild_modules.inputs.nixpkgs.follows = "nixpkgs";
dailybuild_modules.inputs.flake-utils.follows = "flake-utils";
# archivebox
archivebox.url = "git+https://git.neet.dev/zuckerberg/archivebox.git";
archivebox.inputs.nixpkgs.follows = "nixpkgs";
archivebox.inputs.flake-utils.follows = "flake-utils";
}; };
outputs = inputs: { outputs = { self, nixpkgs, nixpkgs-unstable, ... }@inputs: {
nixosConfigurations = nixosConfigurations =
let let
nixpkgs = inputs.nixpkgs; modules = system: [
mkSystem = system: nixpkgs: path:
nixpkgs.lib.nixosSystem {
inherit system;
modules = [
path
./common ./common
inputs.simple-nixos-mailserver.nixosModule inputs.simple-nixos-mailserver.nixosModule
inputs.agenix.nixosModules.age inputs.agenix.nixosModules.default
inputs.dailybuild_modules.nixosModule
inputs.archivebox.nixosModule
({ lib, ... }: { ({ lib, ... }: {
config.environment.systemPackages = [ inputs.agenix.defaultPackage.${system} ]; config.environment.systemPackages = [
inputs.agenix.packages.${system}.agenix
];
# because nixos specialArgs doesn't work for containers... need to pass in inputs a different way # because nixos specialArgs doesn't work for containers... need to pass in inputs a different way
options.inputs = lib.mkOption { default = inputs; }; options.inputs = lib.mkOption { default = inputs; };
options.currentSystem = lib.mkOption { default = system; }; options.currentSystem = lib.mkOption { default = system; };
}) })
]; ];
# specialArgs = {};
mkSystem = system: nixpkgs: path:
let
allModules = modules system;
in nixpkgs.lib.nixosSystem {
inherit system;
modules = allModules ++ [path];
specialArgs = {
inherit allModules;
};
}; };
in in
{ {
"reg" = mkSystem "x86_64-linux" nixpkgs ./machines/reg/configuration.nix; "reg" = mkSystem "x86_64-linux" nixpkgs ./machines/reg/configuration.nix;
"ray" = mkSystem "x86_64-linux" nixpkgs ./machines/ray/configuration.nix; "ray" = mkSystem "x86_64-linux" nixpkgs-unstable ./machines/ray/configuration.nix;
"nat" = mkSystem "aarch64-linux" nixpkgs ./machines/nat/configuration.nix; "nat" = mkSystem "aarch64-linux" nixpkgs ./machines/nat/configuration.nix;
"neetdev" = mkSystem "x86_64-linux" nixpkgs ./machines/neet.dev/configuration.nix;
"liza" = mkSystem "x86_64-linux" nixpkgs ./machines/liza/configuration.nix; "liza" = mkSystem "x86_64-linux" nixpkgs ./machines/liza/configuration.nix;
"s0" = mkSystem "aarch64-linux" nixpkgs ./machines/storage/s0/configuration.nix; "ponyo" = mkSystem "x86_64-linux" nixpkgs ./machines/ponyo/configuration.nix;
"s0" = mkSystem "aarch64-linux" nixpkgs-unstable ./machines/storage/s0/configuration.nix;
"n1" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n1/configuration.nix; "n1" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n1/configuration.nix;
"n2" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n2/configuration.nix; "n2" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n2/configuration.nix;
"n3" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n3/configuration.nix; "n3" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n3/configuration.nix;
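Review bot: `options.inputs = lib.mkOption { default = inputs; }` and `options.currentSystem` in the inline module are declared without a `type`, so a stray second definition would be merged by the fallback type instead of being rejected; declaring `type = lib.types.raw` (or `lib.types.str` for `currentSystem`) together with `readOnly = true` documents that these are injected constants. The leftover `# specialArgs = {};` comment can go now that `mkSystem` sets `specialArgs = { inherit allModules; };`.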
@@ -57,5 +82,23 @@
"n6" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n6/configuration.nix; "n6" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n6/configuration.nix;
"n7" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n7/configuration.nix; "n7" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n7/configuration.nix;
}; };
packages = let
mkKexec = system:
(nixpkgs.lib.nixosSystem {
inherit system;
modules = [ ./machines/ephemeral/kexec.nix ];
}).config.system.build.kexec_tarball;
mkIso = system:
(nixpkgs.lib.nixosSystem {
inherit system;
modules = [ ./machines/ephemeral/iso.nix ];
}).config.system.build.isoImage;
in {
"x86_64-linux"."kexec" = mkKexec "x86_64-linux";
"x86_64-linux"."iso" = mkIso "x86_64-linux";
"aarch64-linux"."kexec" = mkKexec "aarch64-linux";
"aarch64-linux"."iso" = mkIso "aarch64-linux";
};
}; };
} }
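Review bot: `mkKexec` and `mkIso` repeat the same `nixpkgs.lib.nixosSystem` call and differ only in the module and the `system.build` attribute; a single helper such as `mkEphemeral = system: module: attr: (nixpkgs.lib.nixosSystem { inherit system; modules = [ module ]; }).config.system.build.${attr}` keeps the two in step. Both images are built from the stable `nixpkgs` input even though `ray` and `s0` now track `nixpkgs-unstable`; that is reasonable for a rescue image, but a comment stating it is intentional would help.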

View File

@@ -13,8 +13,6 @@
}; };
}; };
nix.flakes.enable = true;
system.autoUpgrade.enable = true; system.autoUpgrade.enable = true;
networking.interfaces.eth0.useDHCP = true; networking.interfaces.eth0.useDHCP = true;
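Review bot: `nix.flakes.enable = true;` is removed here, and in the other machine configurations in this change, with no matching addition in any visible hunk; confirm that `./common`, which the flake now adds to every system, sets it, since the hosts are still evaluated as flakes through `mkSystem` and `system.autoUpgrade.enable = true` keeps rebuilding them.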

View File

@@ -0,0 +1,12 @@
{ modulesPath, ... }:
{
imports = [
(modulesPath + "/installer/cd-dvd/iso-image.nix")
./minimal.nix
];
isoImage.makeUsbBootable = true;
networking.hostName = "iso";
}

View File

@@ -0,0 +1,48 @@
# From https://mdleom.com/blog/2021/03/09/nixos-oracle/#Build-a-kexec-tarball
# Builds a kexec img
{ config, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/installer/netboot/netboot.nix")
(modulesPath + "/profiles/qemu-guest.nix")
./minimal.nix
];
networking.hostName = "kexec";
# stripped down version of https://github.com/cleverca22/nix-tests/tree/master/kexec
system.build = rec {
image = pkgs.runCommand "image" { buildInputs = [ pkgs.nukeReferences ]; } ''
mkdir $out
if [ -f ${config.system.build.kernel}/bzImage ]; then
cp ${config.system.build.kernel}/bzImage $out/kernel
else
cp ${config.system.build.kernel}/Image $out/kernel
fi
cp ${config.system.build.netbootRamdisk}/initrd $out/initrd
nuke-refs $out/kernel
'';
kexec_script = pkgs.writeTextFile {
executable = true;
name = "kexec-nixos";
text = ''
#!${pkgs.stdenv.shell}
set -e
${pkgs.kexectools}/bin/kexec -l ${image}/kernel --initrd=${image}/initrd --append="init=${builtins.unsafeDiscardStringContext config.system.build.toplevel}/init ${toString config.boot.kernelParams}"
sync
echo "executing kernel, filesystems will be improperly umounted"
${pkgs.kexectools}/bin/kexec -e
'';
};
kexec_tarball = pkgs.callPackage (modulesPath + "/../lib/make-system-tarball.nix") {
storeContents = [
{
object = config.system.build.kexec_script;
symlink = "/kexec_nixos";
}
];
contents = [ ];
};
};
}
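Review bot: the `init=${builtins.unsafeDiscardStringContext config.system.build.toplevel}/init` argument deliberately drops the store-path dependency, so the tarball's closure does not pull in the system toplevel through this string; it arrives via `netbootRamdisk`, which is built from the toplevel's closure. A one-line comment saying so would stop a future reader from "fixing" it, and the quoted message should read `unmounted`.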

View File

@@ -0,0 +1,28 @@
{ pkgs, ... }:
{
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "e1000" "e1000e" "virtio_pci" "r8169" ];
boot.kernelParams = [
"panic=30" "boot.panic_on_fail" # reboot the machine upon fatal boot issues
"console=ttyS0" # enable serial console
"console=tty1"
];
boot.kernel.sysctl."vm.overcommit_memory" = "1";
environment.systemPackages = with pkgs; [
cryptsetup
btrfs-progs
];
environment.variables.GC_INITIAL_HEAP_SIZE = "1M";
networking.useDHCP = true;
services.openssh = {
enable = true;
challengeResponseAuthentication = false;
passwordAuthentication = false;
};
services.getty.autologinUser = "root";
users.users.root.openssh.authorizedKeys.keys = (import ../common/ssh.nix).users;
}
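Review bot: `services.openssh.challengeResponseAuthentication` was renamed to `kbdInteractiveAuthentication` in newer nixpkgs, so this evaluates with a rename warning on the `nixpkgs-unstable` hosts; use the new name. Since the image relies on root key login from `../common/ssh.nix`, set `permitRootLogin = "prohibit-password"` explicitly rather than depending on the default, and add a comment that `services.getty.autologinUser = "root"` assumes the VGA/serial console (`console=ttyS0` above) is trusted, because on a kexec'd cloud host that console is whatever the provider exposes.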

View File

@@ -1,25 +1,12 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let {
mta-sts-web = {
enableACME = true;
forceSSL = true;
locations."=/.well-known/mta-sts.txt".alias = pkgs.writeText "mta-sts.txt" ''
version: STSv1
mode: none
mx: mail.neet.dev
max_age: 86400
'';
};
in {
imports =[ imports =[
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
# 5synsrjgvfzywruomjsfvfwhhlgxqhyofkzeqt2eisyijvjvebnu2xyd.onion # 5synsrjgvfzywruomjsfvfwhhlgxqhyofkzeqt2eisyijvjvebnu2xyd.onion
nix.flakes.enable = true;
firmware.x86_64.enable = true; firmware.x86_64.enable = true;
bios = { bios = {
enable = true; enable = true;
@@ -37,194 +24,6 @@ in {
networking.interfaces.enp1s0.useDHCP = true; networking.interfaces.enp1s0.useDHCP = true;
services.gitea = {
enable = true;
hostname = "git.neet.dev";
disableRegistration = true;
};
services.peertube = {
enable = true;
localDomain = "tube.neet.space";
listenHttp = 9000;
listenWeb = 443;
enableWebHttps = true;
# dataDirs
serviceEnvironmentFile = "/run/secrets/peertube-init";
# settings
database = {
createLocally = true;
passwordFile = "/run/secrets/peertube-db-pw";
};
redis = {
createLocally = true;
passwordFile = "/run/secrets/peertube-redis-pw";
};
smtp = {
createLocally = false;
passwordFile = "/run/secrets/peertube-smtp";
};
};
services.nginx.virtualHosts."tube.neet.space" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${toString config.services.peertube.listenHttp}";
proxyWebsockets = true;
};
};
age.secrets.peertube-init.file = ../../secrets/peertube-init.age;
age.secrets.peertube-db-pw.file = ../../secrets/peertube-db-pw.age;
age.secrets.peertube-redis-pw.file = ../../secrets/peertube-redis-pw.age;
age.secrets.peertube-smtp.file = ../../secrets/peertube-smtp.age;
networking.firewall.allowedTCPPorts = [ 1935 ];
services.searx = {
enable = true;
environmentFile = "/run/secrets/searx";
settings = {
server.port = 43254;
server.secret_key = "@SEARX_SECRET_KEY@";
engines = [ {
name = "wolframalpha";
shortcut = "wa";
api_key = "@WOLFRAM_API_KEY@";
engine = "wolframalpha_api";
} ];
};
};
services.nginx.virtualHosts."search.neet.space" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${toString config.services.searx.settings.server.port}";
};
};
age.secrets.searx.file = ../../secrets/searx.age;
services.minecraft-server = {
enable = true;
jvmOpts = "-Xms2048M -Xmx4092M -XX:+UseG1GC -XX:ParallelGCThreads=2 -XX:MinHeapFreeRatio=5 -XX:MaxHeapFreeRatio=10";
eula = true;
declarative = true;
serverProperties = {
motd = "Welcome :)";
server-port = 38358;
white-list = false;
};
openFirewall = true;
package = pkgs.minecraft-server.overrideAttrs (old: {
version = "1.17";
src = pkgs.fetchurl {
url = "https://launcher.mojang.com/v1/objects/0a269b5f2c5b93b1712d0f5dc43b6182b9ab254e/server.jar";
sha1 = "0a269b5f2c5b93b1712d0f5dc43b6182b9ab254e";
};
});
};
# wrap radio and drastikbot in a VPN
containers.vpn-continer = {
ephemeral = true;
autoStart = true;
bindMounts = {
"/var/lib" = {
hostPath = "/var/lib/";
isReadOnly = false;
};
"/run/secrets" = {
hostPath = "/run/secrets";
isReadOnly = true;
};
"/dev/fuse" = {
hostPath = "/dev/fuse";
isReadOnly = false;
};
};
enableTun = true;
privateNetwork = true;
hostAddress = "172.16.100.1";
localAddress = "172.16.100.2";
config = {
imports = [
../../common
config.inputs.agenix.nixosModules.age
];
# because nixos specialArgs doesn't work for containers... need to pass in inputs a different way
options.inputs = lib.mkOption { default = config.inputs; };
options.currentSystem = lib.mkOption { default = config.currentSystem; };
config = {
pia.enable = true;
nixpkgs.pkgs = pkgs;
networking.firewall.enable = false;
# run it's own DNS resolver
networking.useHostResolvConf = false;
services.resolved.enable = true;
services.radio = {
enable = true;
host = "radio.neet.space";
};
};
};
};
# load the secret on behalf of the container
age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
services.drastikbot.enable = true;
# icecast endpoint + website
services.nginx.virtualHosts."radio.neet.space" = {
enableACME = true;
forceSSL = true;
locations = {
"/stream.mp3" = {
proxyPass = "http://172.16.100.2:8001/stream.mp3";
extraConfig = ''
add_header Access-Control-Allow-Origin *;
'';
};
"/".root = config.inputs.radio-web;
};
};
services.nginx.virtualHosts."paradigminteractive.agency" = {
enableACME = true;
forceSSL = true;
locations."/".root = builtins.fetchTarball {
url = "https://git.neet.dev/zuckerberg/paradigminteractive.agency/archive/b91f3ea2884ddd902461a8acb47f20ae04bc28ee.tar.gz";
sha256 = "1x1fpsd1qr0004hfcxk6j4c4n3wwxykzhnv47gmrdnx5hq1nbzq4";
};
};
services.matrix = {
enable = true;
host = "neet.space";
enable_registration = false;
element-web = {
enable = true;
host = "chat.neet.space";
};
jitsi-meet = {
enable = true;
host = "meet.neet.space";
};
turn = {
host = "turn.neet.space";
secret = "a8369a0e96922abf72494bb888c85831b";
};
};
services.nginx.virtualHosts."tmp.neet.dev" = {
enableACME = true;
forceSSL = true;
root = "/var/www/tmp";
};
mailserver = { mailserver = {
enable = true; enable = true;
fqdn = "mail.neet.dev"; fqdn = "mail.neet.dev";
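Review bot: the removed `containers.vpn-continer` block bind-mounted the host's entire `/var/lib` read-write and all of `/run/secrets` into the container alongside `enableTun` and a disabled container firewall; the replacement `vpn-container.enable = true` in the new ponyo configuration hides those mounts behind a module, so its defaults should be checked to narrow `/var/lib` to the state directories radio actually needs. Note also that the misspelling `vpn-continer` is what the `ve-vpn-continer` NAT interface name further down derives from, so whatever the module names its container must match its NAT entry.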
@@ -239,17 +38,15 @@ in {
"runyan.org" "runyan.rocks" "runyan.org" "runyan.rocks"
"thunderhex.com" "tar.ninja" "thunderhex.com" "tar.ninja"
"bsd.ninja" "bsd.rocks" "bsd.ninja" "bsd.rocks"
"paradigminteractive.agency"
]; ];
loginAccounts = { loginAccounts = {
"jeremy@runyan.org" = { "jeremy@runyan.org" = {
hashedPasswordFile = "/run/secrets/email-pw"; hashedPasswordFile = "/run/agenix/email-pw";
aliases = [ aliases = [
"@neet.space" "@neet.cloud" "@neet.dev" "@neet.space" "@neet.cloud" "@neet.dev"
"@runyan.org" "@runyan.rocks" "@runyan.org" "@runyan.rocks"
"@thunderhex.com" "@tar.ninja" "@thunderhex.com" "@tar.ninja"
"@bsd.ninja" "@bsd.rocks" "@bsd.ninja" "@bsd.rocks"
"@paradigminteractive.agency"
]; ];
}; };
}; };
@@ -257,16 +54,40 @@ in {
"george@runyan.org" "george@runyan.org"
"joslyn@runyan.org" "joslyn@runyan.org"
"damon@runyan.org" "damon@runyan.org"
"jonas@runyan.org"
]; ];
certificateScheme = 3; # use let's encrypt for certs certificateScheme = 3; # use let's encrypt for certs
}; };
age.secrets.email-pw.file = ../../secrets/email-pw.age; age.secrets.email-pw.file = ../../secrets/email-pw.age;
services.nginx.virtualHosts."mta-sts.runyan.org" = mta-sts-web;
services.nginx.virtualHosts."mta-sts.runyan.rocks" = mta-sts-web; # sendmail to use xxx@domain instead of xxx@mail.domain
services.nginx.virtualHosts."mta-sts.thunderhex.com" = mta-sts-web; services.postfix.origin = "$mydomain";
services.nginx.virtualHosts."mta-sts.tar.ninja" = mta-sts-web;
services.nginx.virtualHosts."mta-sts.bsd.ninja" = mta-sts-web; # relay sent mail through mailgun
services.nginx.virtualHosts."mta-sts.bsd.rocks" = mta-sts-web; # https://www.howtoforge.com/community/threads/different-smtp-relays-for-different-domains-in-postfix.82711/#post-392620
services.postfix.config = {
smtp_sasl_auth_enable = "yes";
smtp_sasl_security_options = "noanonymous";
smtp_sasl_password_maps = "hash:/var/lib/postfix/conf/sasl_relay_passwd";
smtp_use_tls = "yes";
sender_dependent_relayhost_maps = "hash:/var/lib/postfix/conf/sender_relay";
smtp_sender_dependent_authentication = "yes";
};
services.postfix.mapFiles.sender_relay = let
relayHost = "[smtp.mailgun.org]:587";
in pkgs.writeText "sender_relay" ''
@neet.space ${relayHost}
@neet.cloud ${relayHost}
@neet.dev ${relayHost}
@runyan.org ${relayHost}
@runyan.rocks ${relayHost}
@thunderhex.com ${relayHost}
@tar.ninja ${relayHost}
@bsd.ninja ${relayHost}
@bsd.rocks ${relayHost}
'';
services.postfix.mapFiles.sasl_relay_passwd = "/run/agenix/sasl_relay_passwd";
age.secrets.sasl_relay_passwd.file = ../../secrets/sasl_relay_passwd.age;
services.nextcloud = { services.nextcloud = {
enable = true; enable = true;
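Review bot: `smtp_use_tls = "yes"` in `services.postfix.config` only enables opportunistic STARTTLS, so the credentials in `sasl_relay_passwd` would be sent in plaintext if STARTTLS were unavailable or stripped on the way to `[smtp.mailgun.org]:587`; set `smtp_tls_security_level = "encrypt"` (which also supersedes the legacy `smtp_use_tls`) so the relay connection fails closed. This hunk also drops the six `mta-sts.*` virtual hosts with no replacement; the removed policy was `mode: none`, so delivery is unaffected, but if MTA-STS is still wanted the `mta-sts-web` binding deleted at the top of the file should move with the rest of the mail configuration rather than disappear.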
@@ -275,7 +96,7 @@ in {
hostName = "neet.cloud"; hostName = "neet.cloud";
config.dbtype = "sqlite"; config.dbtype = "sqlite";
config.adminuser = "jeremy"; config.adminuser = "jeremy";
config.adminpassFile = "/run/secrets/nextcloud-pw"; config.adminpassFile = "/run/agenix/nextcloud-pw";
autoUpdateApps.enable = true; autoUpdateApps.enable = true;
}; };
age.secrets.nextcloud-pw = { age.secrets.nextcloud-pw = {
@@ -286,25 +107,4 @@ in {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
}; };
# iodine DNS-based vpn
services.iodine.server = {
enable = true;
ip = "192.168.99.1";
domain = "tun.neet.dev";
passwordFile = "/run/secrets/iodine";
};
age.secrets.iodine.file = ../../secrets/iodine.age;
networking.firewall.allowedUDPPorts = [ 53 ];
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
networking.nat.enable = true;
networking.nat.internalInterfaces = [
"dns0" # iodine
"ve-vpn-continer" # vpn container
];
networking.nat.externalInterface = "enp1s0";
security.acme.acceptTerms = true;
security.acme.email = "zuckerberg@neet.dev";
} }
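Review bot: `security.acme.acceptTerms = true;` and `security.acme.email` are removed while the virtual host at the top of this hunk keeps `enableACME = true;` and the mailserver keeps `certificateScheme = 3`; unless `./common` now sets both, evaluation fails on the ACME module's assertion. Removing `net.ipv4.ip_forward`, `networking.nat.*` and the UDP 53 firewall opening together with iodine and the VPN container is consistent, as long as nothing left on this host still expects NAT egress.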

View File

@@ -5,8 +5,6 @@
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
nix.flakes.enable = true;
efi.enable = true; efi.enable = true;
networking.hostName = "nat"; networking.hostName = "nat";

View File

@@ -1,49 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports =[
./hardware-configuration.nix
];
# wt6nczjfvtba6pvjt2qtevwjpq4gcbz46bwjz4hboehgecyqmzqgwnqd.onion
nix.flakes.enable = true;
firmware.x86_64.enable = true;
bios = {
enable = true;
device = "/dev/sda";
};
luks = {
enable = true;
device.path = "/dev/disk/by-uuid/06f6b0bf-fe79-4b89-a549-b464c2b162a1";
};
networking.hostName = "neetdev";
system.autoUpgrade.enable = true;
networking.interfaces.eno1.useDHCP = true;
services.nginx.enable = true;
security.acme.acceptTerms = true;
security.acme.email = "letsencrypt+5@tar.ninja";
services.thelounge = {
enable = true;
port = 9000;
fileUploadBaseUrl = "https://files.neet.cloud/irc/";
host = "irc.neet.dev";
fileHost = {
host = "files.neet.cloud";
path = "/irc";
};
};
services.murmur = {
enable = true;
port = 23563;
domain = "voice.neet.space";
};
}

View File

@@ -1,38 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ahci" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/35ca3392-548a-45ef-9e72-392cddfcea1b";
fsType = "btrfs";
options = [ "subvol=root" ];
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/35ca3392-548a-45ef-9e72-392cddfcea1b";
fsType = "btrfs";
options = [ "subvol=home" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/d1d3cc19-980f-42ea-9784-a223ea71f435";
fsType = "ext4";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/86fdcded-3f0e-4ee0-81bc-c1c92cb96ab1"; }
];
powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
}

View File

@@ -0,0 +1,172 @@
{ config, pkgs, lib, ... }:
{
imports =[
./hardware-configuration.nix
];
networking.hostName = "ponyo";
firmware.x86_64.enable = true;
bios = {
enable = true;
device = "/dev/sda";
};
luks = {
enable = true;
device.path = "/dev/disk/by-uuid/4cc36be4-dbff-4afe-927d-69bf4637bae2";
};
system.autoUpgrade.enable = true;
services.zerotierone.enable = true;
services.gitea = {
enable = true;
hostname = "git.neet.dev";
disableRegistration = true;
};
services.thelounge = {
enable = true;
port = 9000;
fileUploadBaseUrl = "https://files.neet.cloud/irc/";
host = "irc.neet.dev";
fileHost = {
host = "files.neet.cloud";
path = "/irc";
};
};
services.murmur = {
enable = true;
port = 23563;
domain = "voice.neet.space";
};
services.drastikbot = {
enable = true;
wolframAppIdFile = "/run/agenix/wolframalpha";
};
age.secrets.wolframalpha = {
file = ../../secrets/wolframalpha.age;
owner = config.services.drastikbot.user;
};
# wrap radio in a VPN
vpn-container.enable = true;
vpn-container.config = {
services.radio = {
enable = true;
host = "radio.runyan.org";
};
};
# tailscale
services.tailscale.exitNode = true;
# icecast endpoint + website
services.nginx.virtualHosts."radio.runyan.org" = {
enableACME = true;
forceSSL = true;
locations = {
"/stream.mp3" = {
proxyPass = "http://vpn.containers:8001/stream.mp3";
extraConfig = ''
add_header Access-Control-Allow-Origin *;
'';
};
"/".root = config.inputs.radio-web;
};
};
services.matrix = {
enable = true;
host = "neet.space";
enable_registration = false;
element-web = {
enable = true;
host = "chat.neet.space";
};
jitsi-meet = {
enable = true;
host = "meet.neet.space";
};
turn = {
host = "turn.neet.space";
secret = "a8369a0e96922abf72494bb888c85831b";
};
};
services.postgresql.package = pkgs.postgresql_11;
services.searx = {
enable = true;
environmentFile = "/run/agenix/searx";
settings = {
server.port = 43254;
server.secret_key = "@SEARX_SECRET_KEY@";
engines = [ {
name = "wolframalpha";
shortcut = "wa";
api_key = "@WOLFRAM_API_KEY@";
engine = "wolframalpha_api";
} ];
};
};
services.nginx.virtualHosts."search.neet.space" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${toString config.services.searx.settings.server.port}";
};
};
age.secrets.searx.file = ../../secrets/searx.age;
# iodine DNS-based vpn
services.iodine.server = {
enable = true;
ip = "192.168.99.1";
domain = "tun.neet.dev";
passwordFile = "/run/agenix/iodine";
};
age.secrets.iodine.file = ../../secrets/iodine.age;
networking.firewall.allowedUDPPorts = [ 53 ];
networking.nat.internalInterfaces = [
"dns0" # iodine
];
services.nginx.enable = true;
services.nginx.virtualHosts."jellyfin.neet.cloud" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://s0.zt.neet.dev";
proxyWebsockets = true;
};
};
services.nginx.virtualHosts."navidrome.neet.cloud" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://s0.zt.neet.dev:4533";
};
services.nginx.virtualHosts."tmp.neet.dev" = {
enableACME = true;
forceSSL = true;
root = "/var/www/tmp";
};
# redirect to github
services.nginx.virtualHosts."runyan.org" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
rewrite ^/(.*)$ https://github.com/GoogleBot42 redirect;
'';
};
services.owncast.enable = true;
services.owncast.hostname = "live.neet.dev";
}
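Review bot: `services.matrix.turn.secret = "a8369a0e96922abf72494bb888c85831b"` is a TURN shared secret committed in plaintext, carried over verbatim from the liza configuration this change deletes, so it already lives in the repository history; rotate it on the TURN server and load it from an age secret the way `wolframalpha`, `searx` and `iodine` are handled in this same file. The `proxyPass = "http://s0.zt.neet.dev"` and `:4533` entries forward Jellyfin and Navidrome over plain HTTP to another host; that relies on the ZeroTier overlay for confidentiality, which is worth stating in a comment.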

View File

@@ -0,0 +1,37 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" "nvme" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/mapper/enc-pv";
fsType = "btrfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/d3a3777d-1e70-47fa-a274-804dc70ee7fd";
fsType = "ext4";
};
swapDevices = [
{
device = "/dev/disk/by-partuuid/b14668b8-9026-b041-8b71-f302b6b291bf";
randomEncryption.enable = true;
}
];
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = lib.mkDefault false;
networking.interfaces.eth0.useDHCP = lib.mkDefault true;
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

View File

@@ -0,0 +1,43 @@
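Review bot: the CA certificate is added without any record of where it was obtained or its fingerprint; the commented-out PIA WireGuard script in ray's configuration pins it via `--cacert "${./ca.rsa.4096.crt}"`, so a reviewer has no way to check that the pinned CA is the intended one. Add the download source and SHA-256 fingerprint in the commit message or a README entry (a comment line before `-----BEGIN CERTIFICATE-----` is also ignored by PEM parsers) so the pin can be verified.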

View File

@@ -1,25 +1,10 @@
{ config, pkgs, fetchurl, lib, ... }: { config, pkgs, lib, ... }:
let
nvidia-offload = pkgs.writeShellScriptBin "nvidia-offload" ''
export __NV_PRIME_RENDER_OFFLOAD=1
export __NV_PRIME_RENDER_OFFLOAD_PROVIDER=NVIDIA-G0
export __GLX_VENDOR_LIBRARY_NAME=nvidia
export __VK_LAYER_NV_optimus=NVIDIA_only
exec -a "$0" "$@"
'';
in
{ {
disabledModules = [
"hardware/video/nvidia.nix"
];
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
./nvidia.nix
]; ];
nix.flakes.enable = true;
firmware.x86_64.enable = true; firmware.x86_64.enable = true;
efi.enable = true; efi.enable = true;
@@ -28,36 +13,107 @@ in
allowDiscards = true; allowDiscards = true;
}; };
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
networking.hostName = "ray"; networking.hostName = "ray";
hardware.enableAllFirmware = true; hardware.enableAllFirmware = true;
# newer kernel for wifi # depthai
boot.kernelPackages = pkgs.linuxKernel.packages.linux_5_15; services.udev.extraRules = ''
SUBSYSTEM=="usb", ATTRS{idVendor}=="03e7", MODE="0666"
'';
# gpu # gpu
services.xserver.videoDrivers = [ "nvidia" ]; services.xserver.videoDrivers = [ "nvidia" ];
services.xserver.logFile = "/var/log/Xorg.0.log"; hardware.nvidia = {
hardware.nvidia.modesetting.enable = true; # for nvidia-vaapi-driver modesetting.enable = true; # for nvidia-vaapi-driver
hardware.nvidia.prime = { prime = {
# reverse_sync.enable = true; reverseSync.enable = true;
# offload.enable = true; offload.enableOffloadCmd = true;
sync.enable = true;
nvidiaBusId = "PCI:1:0:0"; nvidiaBusId = "PCI:1:0:0";
amdgpuBusId = "PCI:4:0:0"; amdgpuBusId = "PCI:4:0:0";
}; };
services.archivebox = {
enable = true;
hostname = "localhost";
publicCreateSnapshots = true;
}; };
services.spotifyd.enable = true; # virt-manager
virtualisation.libvirtd.enable = true;
programs.dconf.enable = true;
virtualisation.spiceUSBRedirection.enable = true;
environment.systemPackages = with pkgs; [ virt-manager ];
users.users.googlebot.extraGroups = [ "libvirtd" ];
# vpn-container.enable = true;
# containers.vpn.interfaces = [ "piaw" ];
# allow traffic for wireguard interface to pass
# networking.firewall = {
# # wireguard trips rpfilter up
# extraCommands = ''
# ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN
# ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN
# '';
# extraStopCommands = ''
# ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN || true
# ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN || true
# '';
# };
# systemd.services.pia-vpn-wireguard = {
# enable = true;
# description = "PIA VPN WireGuard Tunnel";
# requires = [ "network-online.target" ];
# after = [ "network.target" "network-online.target" ];
# wantedBy = [ "multi-user.target" ];
# environment.DEVICE = "piaw";
# path = with pkgs; [ kmod wireguard-tools jq curl ];
# serviceConfig = {
# Type = "oneshot";
# RemainAfterExit = true;
# };
# script = ''
# WG_HOSTNAME=zurich406
# WG_SERVER_IP=156.146.62.153
# PIA_USER=`sed '1q;d' /run/agenix/pia-login.conf`
# PIA_PASS=`sed '2q;d' /run/agenix/pia-login.conf`
# PIA_TOKEN=`curl -s -u "$PIA_USER:$PIA_PASS" https://www.privateinternetaccess.com/gtoken/generateToken | jq -r '.token'`
# privKey=$(wg genkey)
# pubKey=$(echo "$privKey" | wg pubkey)
# wireguard_json=`curl -s -G --connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" --cacert "${./ca.rsa.4096.crt}" --data-urlencode "pt=$PIA_TOKEN" --data-urlencode "pubkey=$pubKey" https://$WG_HOSTNAME:1337/addKey`
# echo "
# [Interface]
# Address = $(echo "$wireguard_json" | jq -r '.peer_ip')
# PrivateKey = $privKey
# ListenPort = 51820
# [Peer]
# PersistentKeepalive = 25
# PublicKey = $(echo "$wireguard_json" | jq -r '.server_key')
# AllowedIPs = 0.0.0.0/0
# Endpoint = $WG_SERVER_IP:$(echo "$wireguard_json" | jq -r '.server_port')
# " > /tmp/piaw.conf
# # TODO make /tmp/piaw.conf ro to root
# ${lib.optionalString (!config.boot.isContainer) "modprobe wireguard"}
# wg-quick up /tmp/piaw.conf
# '';
# preStop = ''
# wg-quick down /tmp/piaw.conf
# '';
# };
# age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
virtualisation.docker.enable = true;
services.zerotierone.enable = true; services.zerotierone.enable = true;
services.mount-samba.enable = true;
de.enable = true; de.enable = true;
de.touchpad.enable = true; de.touchpad.enable = true;
} }
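Review bot: `services.udev.extraRules` sets `MODE="0666"` on every USB device with `idVendor` `03e7`, making the device node world-writable; `TAG+="uaccess"` (access granted to the locally logged-in user by logind) or a dedicated group with `GROUP=` and `MODE="0660"` gives the same result without opening it to every local account. The roughly sixty commented-out lines of `pia-vpn-wireguard` are dead code on the main branch; if they stay, the acknowledged TODO is the real issue: `/tmp/piaw.conf` holds the freshly generated WireGuard private key and is written with the default umask, so write it under a `RuntimeDirectory` with `umask 077` instead, and pass the PIA credentials to `curl` via `--netrc-file` rather than `-u "$PIA_USER:$PIA_PASS"`, which exposes them in the process list.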

View File

@@ -1,431 +0,0 @@
# This module provides the proprietary NVIDIA X11 / OpenGL drivers.
{ config, lib, pkgs, ... }:
with lib;
let
nvidia_x11 = let
drivers = config.services.xserver.videoDrivers;
isDeprecated = str: (hasPrefix "nvidia" str) && (str != "nvidia");
hasDeprecated = drivers: any isDeprecated drivers;
in if (hasDeprecated drivers) then
throw ''
Selecting an nvidia driver has been modified for NixOS 19.03. The version is now set using `hardware.nvidia.package`.
''
else if (elem "nvidia" drivers) then cfg.package else null;
enabled = nvidia_x11 != null;
cfg = config.hardware.nvidia;
pCfg = cfg.prime;
syncCfg = pCfg.sync;
offloadCfg = pCfg.offload;
reverseSyncCfg = pCfg.reverse_sync;
primeEnabled = syncCfg.enable || reverseSyncCfg.enable || offloadCfg.enable;
nvidiaPersistencedEnabled = cfg.nvidiaPersistenced;
nvidiaSettings = cfg.nvidiaSettings;
in
{
imports =
[
(mkRenamedOptionModule [ "hardware" "nvidia" "optimus_prime" "enable" ] [ "hardware" "nvidia" "prime" "sync" "enable" ])
(mkRenamedOptionModule [ "hardware" "nvidia" "optimus_prime" "allowExternalGpu" ] [ "hardware" "nvidia" "prime" "allowExternalGpu" ])
(mkRenamedOptionModule [ "hardware" "nvidia" "prime" "sync" "allowExternalGpu" ] [ "hardware" "nvidia" "prime" "allowExternalGpu" ])
(mkRenamedOptionModule [ "hardware" "nvidia" "optimus_prime" "nvidiaBusId" ] [ "hardware" "nvidia" "prime" "nvidiaBusId" ])
(mkRenamedOptionModule [ "hardware" "nvidia" "optimus_prime" "intelBusId" ] [ "hardware" "nvidia" "prime" "intelBusId" ])
];
options = {
hardware.nvidia.powerManagement.enable = mkOption {
type = types.bool;
default = false;
description = ''
Experimental power management through systemd. For more information, see
the NVIDIA docs, on Chapter 21. Configuring Power Management Support.
'';
};
hardware.nvidia.powerManagement.finegrained = mkOption {
type = types.bool;
default = false;
description = ''
Experimental power management of PRIME offload. For more information, see
the NVIDIA docs, chapter 22. PCI-Express runtime power management.
'';
};
hardware.nvidia.modesetting.enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable kernel modesetting when using the NVIDIA proprietary driver.
Enabling this fixes screen tearing when using Optimus via PRIME (see
<option>hardware.nvidia.prime.sync.enable</option>. This is not enabled
by default because it is not officially supported by NVIDIA and would not
work with SLI.
'';
};
hardware.nvidia.prime.nvidiaBusId = mkOption {
type = types.str;
default = "";
example = "PCI:1:0:0";
description = ''
Bus ID of the NVIDIA GPU. You can find it using lspci; for example if lspci
shows the NVIDIA GPU at "01:00.0", set this option to "PCI:1:0:0".
'';
};
hardware.nvidia.prime.intelBusId = mkOption {
type = types.str;
default = "";
example = "PCI:0:2:0";
description = ''
Bus ID of the Intel GPU. You can find it using lspci; for example if lspci
shows the Intel GPU at "00:02.0", set this option to "PCI:0:2:0".
'';
};
hardware.nvidia.prime.amdgpuBusId = mkOption {
type = types.str;
default = "";
example = "PCI:4:0:0";
description = ''
Bus ID of the AMD APU. You can find it using lspci; for example if lspci
shows the AMD APU at "04:00.0", set this option to "PCI:4:0:0".
'';
};
hardware.nvidia.prime.sync.enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable NVIDIA Optimus support using the NVIDIA proprietary driver via PRIME.
If enabled, the NVIDIA GPU will be always on and used for all rendering,
while enabling output to displays attached only to the integrated Intel/AMD
GPU without a multiplexer.
Note that this option only has any effect if the "nvidia" driver is specified
in <option>services.xserver.videoDrivers</option>, and it should preferably
be the only driver there.
If this is enabled, then the bus IDs of the NVIDIA and Intel/AMD GPUs have to
be specified (<option>hardware.nvidia.prime.nvidiaBusId</option> and
<option>hardware.nvidia.prime.intelBusId</option> or
<option>hardware.nvidia.prime.amdgpuBusId</option>).
If you enable this, you may want to also enable kernel modesetting for the
NVIDIA driver (<option>hardware.nvidia.modesetting.enable</option>) in order
to prevent tearing.
Note that this configuration will only be successful when a display manager
for which the <option>services.xserver.displayManager.setupCommands</option>
option is supported is used.
'';
};
hardware.nvidia.prime.allowExternalGpu = mkOption {
type = types.bool;
default = false;
description = ''
Configure X to allow external NVIDIA GPUs when using optimus.
'';
};
hardware.nvidia.prime.offload.enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable render offload support using the NVIDIA proprietary driver via PRIME.
If this is enabled, then the bus IDs of the NVIDIA and Intel/AMD GPUs have to
be specified (<option>hardware.nvidia.prime.nvidiaBusId</option> and
<option>hardware.nvidia.prime.intelBusId</option> or
<option>hardware.nvidia.prime.amdgpuBusId</option>).
'';
};
hardware.nvidia.prime.reverse_sync.enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable NVIDIA Optimus support using the NVIDIA proprietary driver via reverse
PRIME. If enabled, the Intel/AMD GPU will be used for all rendering, while
enabling output to displays attached only to the NVIDIA GPU without a
multiplexer.
Note that this option only has any effect if the "nvidia" driver is specified
in <option>services.xserver.videoDrivers</option>, and it should preferably
be the only driver there.
If this is enabled, then the bus IDs of the NVIDIA and Intel/AMD GPUs have to
be specified (<option>hardware.nvidia.prime.nvidiaBusId</option> and
<option>hardware.nvidia.prime.intelBusId</option> or
<option>hardware.nvidia.prime.amdgpuBusId</option>).
If you enable this, you may want to also enable kernel modesetting for the
NVIDIA driver (<option>hardware.nvidia.modesetting.enable</option>) in order
to prevent tearing.
Note that this configuration will only be successful when a display manager
for which the <option>services.xserver.displayManager.setupCommands</option>
option is supported is used.
'';
};
hardware.nvidia.nvidiaSettings = mkOption {
default = true;
type = types.bool;
description = ''
Whether to add nvidia-settings, NVIDIA's GUI configuration tool, to
systemPackages.
'';
};
hardware.nvidia.nvidiaPersistenced = mkOption {
default = false;
type = types.bool;
description = ''
Update for NVIDA GPU headless mode, i.e. nvidia-persistenced. It ensures all
GPUs stay awake even during headless mode.
'';
};
hardware.nvidia.package = lib.mkOption {
type = lib.types.package;
default = config.boot.kernelPackages.nvidiaPackages.stable;
defaultText = literalExpression "config.boot.kernelPackages.nvidiaPackages.stable";
description = ''
The NVIDIA X11 derivation to use.
'';
example = literalExpression "config.boot.kernelPackages.nvidiaPackages.legacy_340";
};
};
config = let
igpuDriver = if pCfg.intelBusId != "" then "modesetting" else "amdgpu";
igpuBusId = if pCfg.intelBusId != "" then pCfg.intelBusId else pCfg.amdgpuBusId;
in mkIf enabled {
assertions = [
{
assertion = with config.services.xserver.displayManager; (gdm.enable && gdm.nvidiaWayland) -> cfg.modesetting.enable;
message = "You cannot use wayland with GDM without modesetting enabled for NVIDIA drivers, set `hardware.nvidia.modesetting.enable = true`";
}
{
assertion = primeEnabled -> pCfg.intelBusId == "" || pCfg.amdgpuBusId == "";
message = ''
You cannot configure both an Intel iGPU and an AMD APU. Pick the one corresponding to your processor.
'';
}
{
assertion = primeEnabled -> pCfg.nvidiaBusId != "" && (pCfg.intelBusId != "" || pCfg.amdgpuBusId != "");
message = ''
When NVIDIA PRIME is enabled, the GPU bus IDs must configured.
'';
}
{
assertion = offloadCfg.enable -> versionAtLeast nvidia_x11.version "435.21";
message = "NVIDIA PRIME render offload is currently only supported on versions >= 435.21.";
}
{
assertion = !(syncCfg.enable && offloadCfg.enable);
message = "PRIME Sync and Offload cannot be both enabled";
}
{
assertion = !(syncCfg.enable && reverseSyncCfg.enable);
message = "PRIME Sync and PRIME Reverse Sync cannot be both enabled";
}
{
assertion = !(syncCfg.enable && cfg.powerManagement.finegrained);
message = "Sync precludes powering down the NVIDIA GPU.";
}
{
assertion = cfg.powerManagement.finegrained -> offloadCfg.enable;
message = "Fine-grained power management requires offload to be enabled.";
}
{
assertion = cfg.powerManagement.enable -> (
builtins.pathExists (cfg.package.out + "/bin/nvidia-sleep.sh") &&
builtins.pathExists (cfg.package.out + "/lib/systemd/system-sleep/nvidia")
);
message = "Required files for driver based power management don't exist.";
}
];
# If Optimus/PRIME is enabled, we:
# - Specify the configured NVIDIA GPU bus ID in the Device section for the
# "nvidia" driver.
# - Add the AllowEmptyInitialConfiguration option to the Screen section for the
# "nvidia" driver, in order to allow the X server to start without any outputs.
# - Add a separate Device section for the Intel GPU, using the "modesetting"
# driver and with the configured BusID.
# - OR add a separate Device section for the AMD APU, using the "amdgpu"
# driver and with the configures BusID.
# - Reference that Device section from the ServerLayout section as an inactive
# device.
# - Configure the display manager to run specific `xrandr` commands which will
# configure/enable displays connected to the Intel iGPU / AMD APU.
services.xserver.useGlamor = mkDefault offloadCfg.enable;
# reverse sync implies offloading
hardware.nvidia.prime.offload.enable = mkDefault reverseSyncCfg.enable;
services.xserver.drivers = optional primeEnabled {
name = igpuDriver;
display = !syncCfg.enable;
modules = optional (igpuDriver == "amdgpu") [ pkgs.xorg.xf86videoamdgpu ];
deviceSection = ''
BusID "${igpuBusId}"
${optionalString (syncCfg.enable && igpuDriver != "amdgpu") ''Option "AccelMethod" "none"''}
'';
} ++ singleton {
name = "nvidia";
modules = [ nvidia_x11.bin ];
display = syncCfg.enable;
deviceSection = optionalString primeEnabled ''
BusID "${pCfg.nvidiaBusId}"
${optionalString pCfg.allowExternalGpu "Option \"AllowExternalGpus\""}
'';
};
services.xserver.serverLayoutSection = optionalString syncCfg.enable ''
Inactive "Device-${igpuDriver}[0]"
'' + optionalString reverseSyncCfg.enable ''
Inactive "Device-nvidia[0]"
'' + optionalString offloadCfg.enable ''
Option "AllowNVIDIAGPUScreens"
'';
services.xserver.displayManager.setupCommands = let
gpuProviderName = if igpuDriver == "amdgpu" then
# find the name of the provider if amdgpu
"`${pkgs.xorg.xrandr}/bin/xrandr --listproviders | ${pkgs.gnugrep}/bin/grep -i AMD | ${pkgs.gnused}/bin/sed -n 's/^.*name://p'`"
else
igpuDriver;
providerCmdParams = if syncCfg.enable then "\"${gpuProviderName}\" NVIDIA-0" else "NVIDIA-G0 \"${gpuProviderName}\"";
in optionalString (syncCfg.enable || reverseSyncCfg.enable) ''
# Added by nvidia configuration module for Optimus/PRIME.
${pkgs.xorg.xrandr}/bin/xrandr --setprovideroutputsource ${providerCmdParams}
${pkgs.xorg.xrandr}/bin/xrandr --auto
'';
environment.etc."nvidia/nvidia-application-profiles-rc" = mkIf nvidia_x11.useProfiles {
source = "${nvidia_x11.bin}/share/nvidia/nvidia-application-profiles-rc";
};
# 'nvidia_x11' installs it's files to /run/opengl-driver/...
environment.etc."egl/egl_external_platform.d".source =
"/run/opengl-driver/share/egl/egl_external_platform.d/";
hardware.opengl.extraPackages = [ nvidia_x11.out ];
hardware.opengl.extraPackages32 = [ nvidia_x11.lib32 ];
environment.systemPackages = [ nvidia_x11.bin ]
++ optionals cfg.nvidiaSettings [ nvidia_x11.settings ]
++ optionals nvidiaPersistencedEnabled [ nvidia_x11.persistenced ];
systemd.packages = optional cfg.powerManagement.enable nvidia_x11.out;
systemd.services = let
baseNvidiaService = state: {
description = "NVIDIA system ${state} actions";
path = with pkgs; [ kbd ];
serviceConfig = {
Type = "oneshot";
ExecStart = "${nvidia_x11.out}/bin/nvidia-sleep.sh '${state}'";
};
};
nvidiaService = sleepState: (baseNvidiaService sleepState) // {
before = [ "systemd-${sleepState}.service" ];
requiredBy = [ "systemd-${sleepState}.service" ];
};
services = (builtins.listToAttrs (map (t: nameValuePair "nvidia-${t}" (nvidiaService t)) ["hibernate" "suspend"]))
// {
nvidia-resume = (baseNvidiaService "resume") // {
after = [ "systemd-suspend.service" "systemd-hibernate.service" ];
requiredBy = [ "systemd-suspend.service" "systemd-hibernate.service" ];
};
};
in optionalAttrs cfg.powerManagement.enable services
// optionalAttrs nvidiaPersistencedEnabled {
"nvidia-persistenced" = mkIf nvidiaPersistencedEnabled {
description = "NVIDIA Persistence Daemon";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "forking";
Restart = "always";
PIDFile = "/var/run/nvidia-persistenced/nvidia-persistenced.pid";
ExecStart = "${nvidia_x11.persistenced}/bin/nvidia-persistenced --verbose";
ExecStopPost = "${pkgs.coreutils}/bin/rm -rf /var/run/nvidia-persistenced";
};
};
};
systemd.tmpfiles.rules = optional config.virtualisation.docker.enableNvidia
"L+ /run/nvidia-docker/bin - - - - ${nvidia_x11.bin}/origBin"
++ optional (nvidia_x11.persistenced != null && config.virtualisation.docker.enableNvidia)
"L+ /run/nvidia-docker/extras/bin/nvidia-persistenced - - - - ${nvidia_x11.persistenced}/origBin/nvidia-persistenced";
boot.extraModulePackages = [ nvidia_x11.bin ];
# nvidia-uvm is required by CUDA applications.
boot.kernelModules = [ "nvidia-uvm" ] ++
optionals config.services.xserver.enable [ "nvidia" "nvidia_modeset" "nvidia_drm" ];
# If requested enable modesetting via kernel parameter.
boot.kernelParams = optional (offloadCfg.enable || cfg.modesetting.enable) "nvidia-drm.modeset=1"
++ optional cfg.powerManagement.enable "nvidia.NVreg_PreserveVideoMemoryAllocations=1";
services.udev.extraRules =
''
# Create /dev/nvidia-uvm when the nvidia-uvm module is loaded.
KERNEL=="nvidia", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidiactl c $$(grep nvidia-frontend /proc/devices | cut -d \ -f 1) 255'"
KERNEL=="nvidia_modeset", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-modeset c $$(grep nvidia-frontend /proc/devices | cut -d \ -f 1) 254'"
KERNEL=="card*", SUBSYSTEM=="drm", DRIVERS=="nvidia", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia%n c $$(grep nvidia-frontend /proc/devices | cut -d \ -f 1) %n'"
KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm c $$(grep nvidia-uvm /proc/devices | cut -d \ -f 1) 0'"
KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm-tools c $$(grep nvidia-uvm /proc/devices | cut -d \ -f 1) 0'"
'' + optionalString cfg.powerManagement.finegrained ''
# Remove NVIDIA USB xHCI Host Controller devices, if present
ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x0c0330", ATTR{remove}="1"
# Remove NVIDIA USB Type-C UCSI devices, if present
ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x0c8000", ATTR{remove}="1"
# Remove NVIDIA Audio devices, if present
ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x040300", ATTR{remove}="1"
# Enable runtime PM for NVIDIA VGA/3D controller devices on driver bind
ACTION=="bind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030000", TEST=="power/control", ATTR{power/control}="auto"
ACTION=="bind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030200", TEST=="power/control", ATTR{power/control}="auto"
# Disable runtime PM for NVIDIA VGA/3D controller devices on driver unbind
ACTION=="unbind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030000", TEST=="power/control", ATTR{power/control}="on"
ACTION=="unbind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030200", TEST=="power/control", ATTR{power/control}="on"
'';
boot.extraModprobeConfig = mkIf cfg.powerManagement.finegrained ''
options nvidia "NVreg_DynamicPowerManagement=0x02"
'';
boot.blacklistedKernelModules = [ "nouveau" "nvidiafb" ];
services.acpid.enable = true;
};
}
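Review bot: `hardware.nvidia.prime.reverse_sync.enable` is the only snake_case option in this module (`offload.enable`, `allowExternalGpu`, `nvidiaSettings`, `nvidiaPersistenced` are all camelCase), so anyone following the module's own naming will misspell it; rename it to `reverseSync.enable` to match the `reverseSyncCfg` alias the `config` section already uses. While touching the file, fix the user-facing strings: "the GPU bus IDs must configured" in the PRIME assertion message ("must be configured"), "NVIDA" in the `nvidiaPersistenced` description, "with the configures BusID" in the Optimus comment ("configured"), and "installs it's files" in the `/run/opengl-driver` comment ("its").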

View File

@@ -9,8 +9,6 @@
boot.kernelPackages = pkgs.linuxPackages_5_12; boot.kernelPackages = pkgs.linuxPackages_5_12;
nix.flakes.enable = true;
firmware.x86_64.enable = true; firmware.x86_64.enable = true;
efi.enable = true; efi.enable = true;
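Review bot: `boot.kernelPackages = pkgs.linuxPackages_5_12` is kept while `nix.flakes.enable` is dropped; the 5.12 branch reached end of life in 2021 and no longer receives security fixes, so this pin should move to the default `pkgs.linuxPackages` or a maintained LTS series (and the reason for pinning, if one remains, belongs in a comment next to it).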

View File

@@ -8,25 +8,182 @@
# nsw2zwifzyl42mbhabayjo42b2kkq3wd3dqyl6efxsz6pvmgm5cup5ad.onion # nsw2zwifzyl42mbhabayjo42b2kkq3wd3dqyl6efxsz6pvmgm5cup5ad.onion
nix.flakes.enable = true;
networking.hostName = "s0"; networking.hostName = "s0";
boot.initrd.luks.devices."enc-pv" = {
device = "/dev/disk/by-uuid/96b216e1-071b-4c02-899e-29e2eeced7a8";
allowDiscards = true;
};
boot.loader.grub.enable = false; boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true; boot.loader.generic-extlinux-compatible.enable = true;
networking.interfaces.eth0.useDHCP = true;
system.autoUpgrade.enable = true; system.autoUpgrade.enable = true;
boot.supportedFilesystems = [ "bcachefs" ];
services.zerotierone.enable = true;
# for education purposes only # for education purposes only
services.pykms.enable = true; services.pykms.enable = true;
services.pykms.openFirewallPort = true; services.pykms.openFirewallPort = true;
zramSwap.enable = true; users.users.googlebot.packages = with pkgs; [
bcachefs-tools
];
services.samba.enable = true;
services.navidrome = {
enable = true;
settings = {
Address = "0.0.0.0";
Port = 4533;
MusicFolder = "/data/samba/Public/Plex/Music";
};
};
networking.firewall.allowedTCPPorts = [ config.services.navidrome.settings.Port ];
users.users.googlebot.extraGroups = [ "transmission" ];
users.groups.transmission.gid = config.ids.gids.transmission;
vpn-container.enable = true;
vpn-container.mounts = [
"/var/lib"
"/data/samba/Public/Plex"
];
vpn-container.config = {
# servarr services
services.prowlarr.enable = true;
services.sonarr.enable = true;
services.sonarr.user = "public_data";
services.sonarr.group = "public_data";
services.bazarr.enable = true;
services.bazarr.user = "public_data";
services.bazarr.group = "public_data";
services.radarr.enable = true;
services.radarr.user = "public_data";
services.radarr.group = "public_data";
services.lidarr.enable = true;
services.lidarr.user = "public_data";
services.lidarr.group = "public_data";
services.jellyfin.enable = true;
users.users.${config.services.jellyfin.user}.extraGroups = [ "public_data" ];
services.transmission = {
enable = true;
performanceNetParameters = true;
user = "public_data";
group = "public_data";
settings = {
/* directory settings */
# "watch-dir" = "/srv/storage/Transmission/To-Download";
# "watch-dir-enabled" = true;
"download-dir" = "/data/samba/Public/Plex/Transmission";
"incomplete-dir" = "/var/lib/transmission/.incomplete";
"incomplete-dir-enabled" = true;
/* web interface, accessible from local network */
"rpc-enabled" = true;
"rpc-bind-address" = "0.0.0.0";
"rpc-whitelist" = "127.0.0.1,192.168.*.*,172.16.*.*";
"rpc-host-whitelist" = "void,192.168.*.*,172.16.*.*";
"rpc-host-whitelist-enabled" = false;
"port-forwarding-enabled" = true;
"peer-port" = 50023;
"peer-port-random-on-start" = false;
"encryption" = 1;
"lpd-enabled" = true; /* local peer discovery */
"dht-enabled" = true; /* dht peer discovery in swarm */
"pex-enabled" = true; /* peer exchange */
/* ip blocklist */
"blocklist-enabled" = true;
"blocklist-updates-enabled" = true;
"blocklist-url" = "https://github.com/Naunter/BT_BlockLists/raw/master/bt_blocklists.gz";
/* download speed settings */
# "speed-limit-down" = 1200;
# "speed-limit-down-enabled" = false;
# "speed-limit-up" = 500;
# "speed-limit-up-enabled" = true;
/* seeding limit */
"ratio-limit" = 2;
"ratio-limit-enabled" = true;
"download-queue-enabled" = true;
"download-queue-size" = 20; # gotta go fast
};
};
users.groups.public_data.gid = 994;
users.users.public_data = {
isSystemUser = true;
group = "public_data";
uid = 994;
};
};
# unpackerr
# flaresolverr
services.nginx.enable = true;
services.nginx.virtualHosts."bazarr.s0".locations."/".proxyPass = "http://vpn.containers:6767";
services.nginx.virtualHosts."radarr.s0".locations."/".proxyPass = "http://vpn.containers:7878";
services.nginx.virtualHosts."lidarr.s0".locations."/".proxyPass = "http://vpn.containers:8686";
services.nginx.virtualHosts."sonarr.s0".locations."/".proxyPass = "http://vpn.containers:8989";
services.nginx.virtualHosts."prowlarr.s0".locations."/".proxyPass = "http://vpn.containers:9696";
services.nginx.virtualHosts."music.s0".locations."/".proxyPass = "http://localhost:4533";
services.nginx.virtualHosts."jellyfin.s0".locations."/" = {
proxyPass = "http://vpn.containers:8096";
proxyWebsockets = true;
};
services.nginx.virtualHosts."jellyfin.neet.cloud".locations."/" = {
proxyPass = "http://vpn.containers:8096";
proxyWebsockets = true;
};
services.nginx.virtualHosts."transmission.s0".locations."/" = {
proxyPass = "http://vpn.containers:9091";
proxyWebsockets = true;
};
# tailscale
services.tailscale.exitNode = true;
nixpkgs.overlays = [
(final: prev: {
radarr = prev.radarr.overrideAttrs (old: rec {
installPhase = ''
runHook preInstall
mkdir -p $out/{bin,share/${old.pname}-${old.version}}
cp -r * $out/share/${old.pname}-${old.version}/.
makeWrapper "${final.dotnet-runtime}/bin/dotnet" $out/bin/Radarr \
--add-flags "$out/share/${old.pname}-${old.version}/Radarr.dll" \
--prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [
final.curl final.sqlite final.libmediainfo final.mono final.openssl final.icu final.zlib ]}
runHook postInstall
'';
});
prowlarr = prev.prowlarr.overrideAttrs (old: {
installPhase = ''
runHook preInstall
mkdir -p $out/{bin,share/${old.pname}-${old.version}}
cp -r * $out/share/${old.pname}-${old.version}/.
makeWrapper "${final.dotnet-runtime}/bin/dotnet" $out/bin/Prowlarr \
--add-flags "$out/share/${old.pname}-${old.version}/Prowlarr.dll" \
--prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [
final.curl final.sqlite final.libmediainfo final.mono final.openssl final.icu final.zlib ]}
runHook postInstall
'';
});
pykms = prev.pykms.overrideAttrs (old: {
src = pkgs.fetchFromGitHub {
owner = "Py-KMS-Organization";
repo = "py-kms";
rev = "7bea3a2cb03c4c3666ff41185ace9f7ea2a07b99";
sha256 = "90DqMqPjfqfyRq86UzG9B/TjY+yclJBlggw+eIDgRe0=";
};
});
})
];
} }
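Review bot: Transmission's RPC is bound to `0.0.0.0` with `"rpc-host-whitelist-enabled" = false`, which switches off the Host-header check that protects the web UI from DNS-rebinding attacks, and the `transmission.s0` nginx vhost proxies it with no `rpc-authentication-required`, so anything that can reach nginx gets an unauthenticated torrent client. The whitelist was presumably disabled because `"rpc-host-whitelist" = "void,192.168.*.*,172.16.*.*"` does not contain the proxied name; add `transmission.s0` (and `vpn.containers`) to it and leave the check enabled, or set `"rpc-authentication-required" = true` with credentials from agenix. Secondary: the `jellyfin.neet.cloud` vhost has no `forceSSL`/`enableACME`, so if that name is reachable from outside the LAN, logins travel in plaintext.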

View File

@@ -8,31 +8,51 @@
[ (modulesPath + "/installer/scan/not-detected.nix") [ (modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot.initrd.availableKernelModules = [ "ahci" "usb_storage" ]; boot.initrd.availableKernelModules = [
boot.initrd.kernelModules = [ "dm-snapshot" ]; "ahci"
"usb_storage"
"bcache"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = boot.initrd.luks.devices."enc-pv1" = {
{ device = "/dev/mapper/vg-root"; device = "/dev/disk/by-uuid/e3b588b6-d07f-4221-a194-e1e900299752";
fsType = "btrfs"; allowDiscards = true; # SSD
options = [ "subvol=root" ]; };
boot.initrd.luks.devices."enc-pv2".device = "/dev/disk/by-uuid/514231c1-5934-401f-80e1-e3b6b62dc9d5";
boot.initrd.luks.devices."enc-pv3".device = "/dev/disk/by-uuid/f45abe73-d0c6-446f-b28c-7a96a3f87851";
boot.initrd.luks.devices."enc-pv4".device = "/dev/disk/by-uuid/e2c7402a-e72c-4c4a-998f-82e4c10187bc";
boot.initrd.luks.devices."enc-pv5".device = "/dev/disk/by-uuid/5d1002b8-a0ed-4a1c-99f5-24b8816d9e38";
boot.initrd.luks.devices."enc-pvUSB" = {
device = "/dev/disk/by-uuid/c8e18f86-a950-4e4e-8f3c-366cc78db29b";
allowDiscards = true; # SSD
}; };
fileSystems."/home" = fileSystems."/" =
{ device = "/dev/mapper/vg-root"; { device = "/dev/mapper/enc-pv1:/dev/mapper/enc-pv2:/dev/mapper/enc-pv3:/dev/mapper/enc-pv4:/dev/mapper/enc-pv5:/dev/mapper/enc-pvUSB";
fsType = "btrfs"; fsType = "bcachefs";
options = [ "subvol=home" ];
}; };
fileSystems."/boot" = fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/DF1E-0D0D"; { device = "/dev/disk/by-uuid/8F7E-53C4";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = swapDevices = [
[ { device = "/dev/mapper/vg-swap"; } {
device = "/dev/mmcblk1p2";
randomEncryption.enable = true;
}
]; ];
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = lib.mkDefault false;
networking.interfaces.eth0.useDHCP = lib.mkDefault true;
networking.interfaces.eth1.useDHCP = lib.mkDefault true;
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
} }
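Review bot: `"bcache"` in `boot.initrd.availableKernelModules` is the block-layer caching module, not bcachefs; the root filesystem here is `fsType = "bcachefs"`, whose module is pulled into the initrd by `boot.supportedFilesystems = [ "bcachefs" ]` in the host config, so this entry is either a typo for `"bcachefs"` or unused and should be removed to keep the initrd module list honest. The colon-joined `/dev/mapper/enc-pv1:...:/dev/mapper/enc-pvUSB` root device spans six LUKS volumes, so a one-line comment that all six must unlock before root mounts would help the next person debugging a stalled boot.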

View File

@@ -1,14 +0,0 @@
diff --git a/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts b/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts
index 714616618..b1fb824f3 100644
--- a/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts
+++ b/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts
@@ -16,6 +16,11 @@
compatible = "kobol,helios64", "rockchip,rk3399";
+ chosen {
+ bootargs = "earlycon=uart8250,mmio32,0xff1a0000 earlyprintk";
+ stdout-path = "serial2:115200n8";
+ };
+
adc-keys {
compatible = "adc-keys";

View File

@@ -5,18 +5,23 @@
./modules/fancontrol.nix ./modules/fancontrol.nix
./modules/heartbeat.nix ./modules/heartbeat.nix
./modules/ups.nix ./modules/ups.nix
./modules/usbnet.nix
];
nixpkgs.overlays = [
(import ./overlay.nix)
]; ];
boot.kernelParams = lib.mkAfter [ boot.kernelParams = lib.mkAfter [
"console=ttyS2,115200n8" "console=ttyS2,115200n8"
"earlyprintk"
"earlycon=uart8250,mmio32,0xff1a0000" "earlycon=uart8250,mmio32,0xff1a0000"
]; ];
boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_5_10_helios64; # Required for rootfs on sata
boot.initrd.availableKernelModules = [
"pcie-rockchip-host" # required for rootfs on pcie sata disks
"phy-rockchip-pcie" # required for rootfs on pcie sata disks
"phy-rockchip-usb" # maybe not needed
"uas" # required for rootfs on USB 3.0 sata disks
];
# bcachefs kernel is 5.15. but need patches that are only in 5.16+
# Patch the device tree to add support for getting the cpu thermal temp
hardware.deviceTree.enable = true;
hardware.deviceTree.kernelPackage = pkgs.linux_latest;
} }
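Review bot: `hardware.deviceTree.kernelPackage = pkgs.linux_latest` takes the DTB from a newer kernel than the one that boots (the comment above says the bcachefs kernel is 5.15), so device-tree bindings and drivers can drift apart between the two versions and show up as silently missing devices rather than build errors. Record in the comment that the skew is deliberate and which node it is needed for (the CPU thermal sensor, per the line above), and fix the sentence "bcachefs kernel is 5.15. but need patches that are only in 5.16+". The `earlyprintk` parameter dropped from `boot.kernelParams` also deserves a word in the commit message, since the console lines otherwise look unchanged.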

View File

@@ -1,38 +0,0 @@
# This is used to change the default configuration of Realtek USB ethernet adapters
ACTION!="add", GOTO="usb_realtek_net_end"
SUBSYSTEM!="usb", GOTO="usb_realtek_net_end"
ENV{DEVTYPE}!="usb_device", GOTO="usb_realtek_net_end"
# Modify this to change the default value
ENV{REALTEK_NIC_MODE}="1"
# Realtek
ATTR{idVendor}=="0bda", ATTR{idProduct}=="8156", ATTR{bConfigurationValue}!="$env{REALTEK_NIC_MODE}", ATTR{bConfigurationValue}="$env{REALTEK_NIC_MODE}"
ATTR{idVendor}=="0bda", ATTR{idProduct}=="8153", ATTR{bConfigurationValue}!="$env{REALTEK_NIC_MODE}", ATTR{bConfigurationValue}="$env{REALTEK_NIC_MODE}"
ATTR{idVendor}=="0bda", ATTR{idProduct}=="8152", ATTR{bConfigurationValue}!="$env{REALTEK_NIC_MODE}", ATTR{bConfigurationValue}="$env{REALTEK_NIC_MODE}"
# Samsung
ATTR{idVendor}=="04e8", ATTR{idProduct}=="a101", ATTR{bConfigurationValue}!="$env{REALTEK_NIC_MODE}", ATTR{bConfigurationValue}="$env{REALTEK_NIC_MODE}"
# Lenovo
ATTR{idVendor}=="17ef", ATTR{idProduct}=="304f", ATTR{bConfigurationValue}!="$env{REALTEK_NIC_MODE}", ATTR{bConfigurationValue}="$env{REALTEK_NIC_MODE}"
ATTR{idVendor}=="17ef", ATTR{idProduct}=="3052", ATTR{bConfigurationValue}!="$env{REALTEK_NIC_MODE}", ATTR{bConfigurationValue}="$env{REALTEK_NIC_MODE}"
ATTR{idVendor}=="17ef", ATTR{idProduct}=="3054", ATTR{bConfigurationValue}!="$env{REALTEK_NIC_MODE}", ATTR{bConfigurationValue}="$env{REALTEK_NIC_MODE}"
ATTR{idVendor}=="17ef", ATTR{idProduct}=="3057", ATTR{bConfigurationValue}!="$env{REALTEK_NIC_MODE}", ATTR{bConfigurationValue}="$env{REALTEK_NIC_MODE}"
ATTR{idVendor}=="17ef", ATTR{idProduct}=="3082", ATTR{bConfigurationValue}!="$env{REALTEK_NIC_MODE}", ATTR{bConfigurationValue}="$env{REALTEK_NIC_MODE}"
ATTR{idVendor}=="17ef", ATTR{idProduct}=="7205", ATTR{bConfigurationValue}!="$env{REALTEK_NIC_MODE}", ATTR{bConfigurationValue}="$env{REALTEK_NIC_MODE}"
ATTR{idVendor}=="17ef", ATTR{idProduct}=="720a", ATTR{bConfigurationValue}!="$env{REALTEK_NIC_MODE}", ATTR{bConfigurationValue}="$env{REALTEK_NIC_MODE}"
ATTR{idVendor}=="17ef", ATTR{idProduct}=="720b", ATTR{bConfigurationValue}!="$env{REALTEK_NIC_MODE}", ATTR{bConfigurationValue}="$env{REALTEK_NIC_MODE}"
ATTR{idVendor}=="17ef", ATTR{idProduct}=="720c", ATTR{bConfigurationValue}!="$env{REALTEK_NIC_MODE}", ATTR{bConfigurationValue}="$env{REALTEK_NIC_MODE}"
ATTR{idVendor}=="17ef", ATTR{idProduct}=="721e", ATTR{bConfigurationValue}!="$env{REALTEK_NIC_MODE}", ATTR{bConfigurationValue}="$env{REALTEK_NIC_MODE}"
ATTR{idVendor}=="17ef", ATTR{idProduct}=="a359", ATTR{bConfigurationValue}!="$env{REALTEK_NIC_MODE}", ATTR{bConfigurationValue}="$env{REALTEK_NIC_MODE}"
ATTR{idVendor}=="17ef", ATTR{idProduct}=="a387", ATTR{bConfigurationValue}!="$env{REALTEK_NIC_MODE}", ATTR{bConfigurationValue}="$env{REALTEK_NIC_MODE}"
# TP-LINK
ATTR{idVendor}=="2357", ATTR{idProduct}=="0601", ATTR{bConfigurationValue}!="$env{REALTEK_NIC_MODE}", ATTR{bConfigurationValue}="$env{REALTEK_NIC_MODE}"
# Nvidia
ATTR{idVendor}=="0955", ATTR{idProduct}=="09ff", ATTR{bConfigurationValue}!="$env{REALTEK_NIC_MODE}", ATTR{bConfigurationValue}="$env{REALTEK_NIC_MODE}"
LABEL="usb_realtek_net_end"

View File

@@ -1 +0,0 @@
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="r8152", KERNEL=="eth1", NAME="eth1"

View File

@@ -3,15 +3,15 @@
ACTION=="remove", GOTO="helios64_hwmon_end" ACTION=="remove", GOTO="helios64_hwmon_end"
# #
KERNELS=="p6-fan", SUBSYSTEMS=="platform", ENV{_HELIOS64_FAN_}="p6", ENV{_IS_HELIOS64_FAN_}="1", ENV{IS_HELIOS64_HWMON}="1" KERNELS=="fan1", SUBSYSTEMS=="platform", ENV{_HELIOS64_FAN_}="p6", ENV{_IS_HELIOS64_FAN_}="1", ENV{IS_HELIOS64_HWMON}="1"
KERNELS=="p7-fan", SUBSYSTEMS=="platform", ENV{_HELIOS64_FAN_}="p7", ENV{_IS_HELIOS64_FAN_}="1", ENV{IS_HELIOS64_HWMON}="1" KERNELS=="fan2", SUBSYSTEMS=="platform", ENV{_HELIOS64_FAN_}="p7", ENV{_IS_HELIOS64_FAN_}="1", ENV{IS_HELIOS64_HWMON}="1"
KERNELS=="2-004c", SUBSYSTEMS=="i2c", DRIVERS=="lm75", ENV{IS_HELIOS64_HWMON}="1" KERNELS=="2-004c", SUBSYSTEMS=="i2c", DRIVERS=="lm75", ENV{IS_HELIOS64_HWMON}="1"
SUBSYSTEM!="hwmon", GOTO="helios64_hwmon_end" SUBSYSTEM!="hwmon", GOTO="helios64_hwmon_end"
ENV{HWMON_PATH}="/sys%p" ENV{HWMON_PATH}="/sys%p"
# #
ATTR{name}=="cpu", ENV{IS_HELIOS64_HWMON}="1", ENV{HELIOS64_SYMLINK}="/dev/thermal-cpu" ATTR{name}=="cpu_thermal", ENV{IS_HELIOS64_HWMON}="1", ENV{HELIOS64_SYMLINK}="/dev/thermal-cpu"
# #
ENV{IS_HELIOS64_HWMON}=="1", ATTR{name}=="lm75", ENV{HELIOS64_SYMLINK}="/dev/thermal-board" ENV{IS_HELIOS64_HWMON}=="1", ATTR{name}=="lm75", ENV{HELIOS64_SYMLINK}="/dev/thermal-board"
ENV{_IS_HELIOS64_FAN_}=="1", ENV{HELIOS64_SYMLINK}="/dev/fan-$env{_HELIOS64_FAN_}" ENV{_IS_HELIOS64_FAN_}=="1", ENV{HELIOS64_SYMLINK}="/dev/fan-$env{_HELIOS64_FAN_}"

View File

@@ -6,12 +6,14 @@
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
ExecStart = '' ExecStart = ''
${lib.getBin pkgs.bash}/bin/bash -c 'echo heartbeat | ${lib.getBin pkgs.coreutils}/bin/tee /sys/class/leds/helios64\\:\\:status/trigger' ${lib.getBin pkgs.bash}/bin/bash -c 'echo heartbeat | ${lib.getBin pkgs.coreutils}/bin/tee /sys/class/leds/helios64\\:green\\:status/trigger'
${lib.getBin pkgs.bash}/bin/bash -c 'echo netdev | ${lib.getBin pkgs.coreutils}/bin/tee /sys/class/leds/helios64\\:blue\\:net/trigger'
${lib.getBin pkgs.bash}/bin/bash -c 'echo eth0 | ${lib.getBin pkgs.coreutils}/bin/tee /sys/class/leds/helios64\\:blue\\:net/device_name' # this led is not supported yet in the kernel i'm using
${lib.getBin pkgs.bash}/bin/bash -c 'echo 1 | ${lib.getBin pkgs.coreutils}/bin/tee /sys/class/leds/helios64\\:blue\\:net/link' # ${lib.getBin pkgs.bash}/bin/bash -c 'echo netdev | ${lib.getBin pkgs.coreutils}/bin/tee /sys/class/leds/helios64\\:blue\\:net/trigger'
${lib.getBin pkgs.bash}/bin/bash -c 'echo 1 | ${lib.getBin pkgs.coreutils}/bin/tee /sys/class/leds/helios64\\:blue\\:net/rx' # ${lib.getBin pkgs.bash}/bin/bash -c 'echo eth0 | ${lib.getBin pkgs.coreutils}/bin/tee /sys/class/leds/helios64\\:blue\\:net/device_name'
${lib.getBin pkgs.bash}/bin/bash -c 'echo 1 | ${lib.getBin pkgs.coreutils}/bin/tee /sys/class/leds/helios64\\:blue\\:net/tx' # ${lib.getBin pkgs.bash}/bin/bash -c 'echo 1 | ${lib.getBin pkgs.coreutils}/bin/tee /sys/class/leds/helios64\\:blue\\:net/link'
# ${lib.getBin pkgs.bash}/bin/bash -c 'echo 1 | ${lib.getBin pkgs.coreutils}/bin/tee /sys/class/leds/helios64\\:blue\\:net/rx'
# ${lib.getBin pkgs.bash}/bin/bash -c 'echo 1 | ${lib.getBin pkgs.coreutils}/bin/tee /sys/class/leds/helios64\\:blue\\:net/tx'
''; '';
}; };
after = [ "getty.target" ]; after = [ "getty.target" ];
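Review bot: `ExecStart` is a single multi-line Nix string; NixOS writes `serviceConfig` string values verbatim into the unit file and systemd parses that file line by line, so only the first line is read as `ExecStart=` and the following `bash -c ...` lines (which contain no `=`) are ignored with a "Missing '='" warning rather than executed. That may be why the net LED appears unsupported. Use a list (`ExecStart = [ "..." "..." ]`, which `Type = "oneshot"` allows) or one script so the commented-out lines actually run when they are re-enabled; the `#` comment lines happen to be harmless only because systemd treats them as unit-file comments.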

View File

@@ -1,32 +0,0 @@
{ pkgs, ... }:
{
services.udev.packages = [
# this one will set the usb net ethernet into the right mode
# and stop it from spamming the console.
(pkgs.callPackage (
{ stdenv, lib, coreutils }:
stdenv.mkDerivation {
name = "helios64-udev-usb-net";
dontUnpack = true;
dontBuild = true;
installPhase = ''
mkdir -p "$out/etc/udev/rules.d/";
install -Dm644 "${./bsp/50-usb-realtek-net.rules}" \
"$out/etc/udev/rules.d/50-usb-realtek-net.rules"
install -Dm644 "${./bsp/70-keep-usb-lan-as-eth1.rules}" \
"$out/etc/udev/rules.d/70-keep-usb-lan-as-eth1.rules"
substituteInPlace "$out/etc/udev/rules.d/50-usb-realtek-net.rules" \
--replace '/bin/ln' '${lib.getBin coreutils}/bin/ln'
'';
meta = with lib; {
description = "Udev rules for the USB network interface for the Helios64";
platforms = platforms.linux;
};
}
) {})
];
}

View File

@@ -1,75 +0,0 @@
self: super: {
linux_5_10_helios64 = self.linux_5_10.override {
kernelPatches = [
{
name = "helios64-patch-set.patch";
patch = self.fetchurl {
# v5.10.68..v5.10-helios64-2021-10-10 @ https://github.com/samueldr/linux
# Hosted as a pre-rendered patch because `fetchpatch` strips added files.
url = "https://gist.githubusercontent.com/samueldr/1a409f88f2107054c87a70403686b871/raw/abee3d5d5415c466f8111371b63f759f614547c6/helios64.patch";
sha256 = "1gx2z345vb4r2mdfmydbzc5baj58rrn416rzb2fz7azxpyib5ym4";
};
}
{ name = "115200 baud"; patch = ./115200baud.patch; }
];
# Configuration mainly to remove unused platforms and things.
structuredExtraConfig = with self.lib.kernel; {
ARCH_ROCKCHIP = yes;
ARCH_ACTIONS = no;
ARCH_AGILEX = no;
ARCH_SUNXI = no;
ARCH_ALPINE = no;
ARCH_BCM2835 = no;
ARCH_BERLIN = no;
ARCH_BRCMSTB = no;
ARCH_EXYNOS = no;
ARCH_K3 = no;
ARCH_LAYERSCAPE = no;
ARCH_LG1K = no;
ARCH_HISI = no;
ARCH_MEDIATEK = no;
ARCH_MESON = no;
ARCH_MVEBU = no;
ARCH_MXC = no;
ARCH_QCOM = no;
ARCH_RENESAS = no;
ARCH_S32 = no;
ARCH_SEATTLE = no;
ARCH_STRATIX10 = no;
ARCH_SYNQUACER = no;
ARCH_TEGRA = no;
ARCH_SPRD = no;
ARCH_THUNDER = no;
ARCH_THUNDER2 = no;
ARCH_UNIPHIER = no;
ARCH_VEXPRESS = no;
ARCH_VISCONTI = no;
ARCH_XGENE = no;
ARCH_ZX = no;
ARCH_ZYNQMP = no;
ARCH_RANDOM = no;
ARCH_R8A77995 = no;
ARCH_R8A77990 = no;
ARCH_R8A77950 = no;
ARCH_R8A77951 = no;
ARCH_R8A77965 = no;
ARCH_R8A77960 = no;
ARCH_R8A77961 = no;
ARCH_R8A77980 = no;
ARCH_R8A77970 = no;
ARCH_R8A774C0 = no;
ARCH_R8A774E1 = no;
ARCH_R8A774A1 = no;
ARCH_R8A774B1 = no;
ARCH_STACKWALK = no;
};
};
# Force modules closure to be built even if some modules are missing
# (Workaround for a NixOS change in strictness)
makeModulesClosure = x:
super.makeModulesClosure (x // { allowMissing = true; });
}

View File

@@ -0,0 +1,37 @@
age-encryption.org/v1
-> ssh-ed25519 xoAm7w 6LPdjXDINKLmWzBbhs/gcQQnJTqePJAGVWX5YhwibHA
5O06D+H2KbLtueFoKNVIgFYlBeJimTL2Mk5S3biEKdw
-> ssh-ed25519 mbw8xA Ubq0SL3E410a1+3z2jZ6KFi6+tqNbqG7En0moLx+B1A
EWhz0Q4UWJDEwt1jYrX0udCdflA7unlYhddCg2vJpXA
-> ssh-ed25519 N240Tg 9UOgws8kFmAABuG68rjq9vNDLbBJa8pFOAnqtSsObm0
CWJLwZEVg4mK5DjDSXoDnHt51WTQ9WAka0sCM78bg7o
-> ssh-ed25519 2a2Yhw +xRtdu4UdGfIFkoLTQxBkkitPOKMcJJKepcvCGofaRI
qFjGwGjta954LgzVFCPOTmzbGO7ApEpIo88+dnLOA5s
-> ssh-ed25519 dMQYog wWsB7E4PjFCh44K2t65IVG2uOMJMyCDu4RyoMgbreQY
iFuu7dgxBzBTqt0iecUCt2avL7i6PQ7pf1rSRrsJo/I
-> ssh-ed25519 G2eSCQ mlVuEjjG1ZZbeRZ+mPPxIkEjNnzbRjvBQz7gBEUL+lg
1+8DUKJNvUxIpwIDEV6xRoI66Xgt4Z2YqtPA3hk/804
-> ssh-ed25519 6AT2/g n4A59l+hQA9jsQaM8ONFxp91c7jLN+bljIoNrRaSZlQ
lwmGQF1+dviOSkHGTg2pbSiHaDmhWSvav5XfUeaXDYE
-> ssh-ed25519 yHDAQw ACe/PrRD6xPh04w8WIPTpb5f051BmhaxD01u2YK82AM
itYUUUS1+aJ+lZ2IIwys1shG2GQWrF3q3ZgfVztMALg
-> ssh-ed25519 hPp1nw YY8vayLICissYqcnWCvxcDyB3KxnpH6xOSYAvunQzE8
SBzK7KsQy+Z+vsRKFgxkEJC4I4CwSM7MQ7ZbOJJ1W7Q
-> ssh-ed25519 CRfjsA iGbknT4mBJzDd8eEXLYCmDIzfLKzGrQNeHfRx0t0BSo
e9i000+K/KG0nikIGfXWEY8nPnnbOpWHhrys4qeXFY0
-> ssh-ed25519 vwVIvQ BYFMu0y8DnHivMOzITB+10tDGH3vXgUCuwASMPN4DnI
q8te5woh6MpFXKLOzZz8VK7vvivDnxIIm2YT9stxqLs
-> ssh-ed25519 fBrw3g qJT3udFmHFFf6p+B7+rQlKeBkDjiGPJjjDoAHoP/skI
UIC1B5eCaJArcEPetgG7cvHy2/7iOCPLPC1DM44/lmE
-> ssh-ed25519 S5xQfg teWDWxkmGO/6Pdq9BUSpyNP3HV6Abs7Dbe4YS4E8hV0
cij5vsyrDdKolTdEMKiWe4wFB0/T/5l6slHdJ7PaAcg
-> ssh-ed25519 XPxfUQ eNsWuyTu3Z7o9MkQ5c06F9nbwyKnNdCTBnVtHWfw5TU
bdlQbFoOflX0mN0fOfSRKv/pLSyy7wI4FKhMWtkC7sk
-> ssh-ed25519 SpD5mg BhsBDO0HY8ukC5xl6dPA0crSsFw5ItIEj1STIib+3zs
fJHJQUDczhv/XWBzi3CX1CRf2/zypk1tDTWro1EBA78
-> ssh-ed25519 Kk8sng rhJTlmqcgXZQY8KXCzhA/s8rZki7TmBxuFDlZgr27hY
wGjSOZgCYeVUYG6xXCG/kX18E5ljfytxfbSzPeG2M8k
-> BT2o-grease
d46Jzs4hD8i10FLG
--- UWVcEz0fWRw7B8XDTX4SJfRPIgzAN7YfHQEJAVqQxYc
v¯©ð˜‡ñò·ˆù•Tá4¡!ö=1¬ }nPÝ“$ºÖ~š€"nfêm‰V¡<56>>žÖ§3Å|ì~¸ó€Ü<E282AC>cRoeL=4(<28>"hòã¾ÌÞoPÀÇR3;ˆä’‹Æ.poÖþy-UO6¨í¢!Q2ìqo"Æìú V)³GÝàªE<08>ºf¥½°™<E284A2>4Ü?[~W±<57>ÎÌz qëÚY껪Góè.fm7w¸¹"•1˜šÜã,ÿi}Çø^Öæ¿Ž ø&/“RDgkÛªãn
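Review bot: this new secret is encrypted to 16 ssh-ed25519 recipients, and the recipient list is the only access-control record for it; the commit should name the secret's purpose and the host that consumes it so a reviewer can check that every key here actually needs to decrypt it (encrypt only to the hosts that use the secret, and rekey when a host key is retired).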

Binary file not shown.

View File

@@ -1,35 +1,39 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 xoAm7w fAV1y3tuoxPR5TE4uVv5Qqsy7JMWEJBfRcFc/N1i6hA -> ssh-ed25519 xoAm7w NvgGcHYNA6WmPn3sCmMzPCib+6P7s5R/G6lSJFpih2E
PxT69hIE66L2uPMwGaz3nPs1VgHa2bEBDQyF4kH8lfg gLugCNcPJtAl9+2fa80OD7D7XaBkpb2bzKJclOdjGfw
-> ssh-ed25519 mbw8xA qMpVWJ+yOgvdhLAlhN0MRu49rebNCMjCNn4WfkrNOys -> ssh-ed25519 mbw8xA dBYbSV7QcUTOp9a5hUAZeMlL828KrRp6tB3zMIopPDA
SZLspU77lDKuEhB1hDKIFiEZ/GHyzMxqlWjt7Fn9WqU i4QRHxTVaN60elfiuYXuESwbphxPN4tsQ7scH0ZJjoA
-> ssh-ed25519 N240Tg HYd8EOPNF1GcyZE4oN1hVvYHUenNLkkYvJfvPjbLAVo -> ssh-ed25519 N240Tg Xg5q74f1ylRZGLpPggkTy1QU+LWEcHpqCV6wQ2OhQlk
fn47o9xte8HGcyxIWrsA9IYr+ibUnMz+ZpMWAV5QDow RubXACwdS4+xNt8nt0C0wk8XU2YIWOSRwIXUg47sNA0
-> ssh-ed25519 2a2Yhw Q7ye7cc20HWOU1J7F8cCpBdcSCaNp9Y4jUAJ28PIm2Q -> ssh-ed25519 2a2Yhw p5w1WsmcVHImVtolvrULgSsYXlm06g2za8zSiDf9uR8
Z5aBoyiN9p7YBy9SqxBeH7B9Uj1Ve2sIrxERjEnSMfo qVuj2L8jvRmINprQbYg91yoJU0XZmO7TprQv2UsvpmY
-> ssh-ed25519 dMQYog CNDCWf/wRDDTjzGQuvyE6dknRbOoDe5FflMokExIYgg -> ssh-ed25519 dMQYog EFYjggjACyNwvNCG75XsceqnUrrrsX4cv7e+Mu2Z2zI
y549HRV0w4naDzqYmMRul5Tho6rsSacaW5tOEclo7/g Q7VPIP7iNqHxGGtRG2Q122f60ZztSRsRHRbziGAinNY
-> ssh-ed25519 G2eSCQ HbAQtTFHedRnp3QUCnyOY1hsOhFwglvzVU4mcidcaWE -> ssh-ed25519 G2eSCQ 5Y6Tazqz2Wjl2/lrlQMUWgEnSBJpmzwXAUGEK56upgE
AwDg/lcMw3JsPebMM8pZYWIXncRyc5n2doc4pPes2Iw eVxcvshe+uecw4ORKdS/2W8p+jcrro8cDcDdmeY7Olg
-> ssh-ed25519 yHDAQw KAykBV5wRcdjl/+p2o3EcEvIkhBRRKBcB2drtpmDqws -> ssh-ed25519 6AT2/g h6E5M1uJRhqfR1bm82rXrJvmr+nkeUPbygD8S+zbAmY
QrLtshwV//CHnm62KoGR6Y5h6Nx9fJyZdnVy3jDPpCw r5yR6W2uCcR4cEnbk/1tXwhAanT2EqTsH1mIDbrVGVM
-> ssh-ed25519 nsBZfA UsZ2rI6jvBjSaYFce4Y+BgfHunpbWQXsQ5W0kbQj3lc -> ssh-ed25519 yHDAQw lWomhFF/IyKtOUlBori7wNjrtsbqvKXXhAwF4a1y8js
26WM2X1TTB55ohVuQfkbFHJAHBQswILjjtiEGPS8jEo baOAc0tKMbh6Sw0bWyynI3OMrsOPA3W1fCCIn26azeQ
-> ssh-ed25519 CRfjsA eDIQcxnoJfMdVGro0YLzoO6M/tUfstkSSXOMG6/wBWw -> ssh-ed25519 hPp1nw ZGwi0yK0Nu+Y/uXIxnQH6Pwmw1SWBE0yQ9FOuBNKp1U
P+KOyDPYcS6stmOq2eP4Y+fDbElkUK1t7OdwwE9LF3Y tN8kk/0AxUIiFbEOSeIlGiBIy0d96wTG8VrGPnEHTg4
-> ssh-ed25519 vwVIvQ jcw/ox9qd3phFIjv2TWq/PeKtX7VjV90tAZZlzPMJC4 -> ssh-ed25519 CRfjsA ntYznFouB2JWY2LZ6aycDogIFbLHOhqcx50QbJIB+RY
03YQ9Ot2v2jLlf55lIfhnjwJNIsv5qVoYcjDe89SY8Q slo38Rvg+2GV2fKRlt4Yns644kd55DrDz7ivi6RTyXg
-> ssh-ed25519 fBrw3g ZeQCZ2T93FO9Qmvbe25T2iOPLilUoJeN5zoqyHdvJAc -> ssh-ed25519 vwVIvQ UF+Bo3Rl5OPPqqddi0bqleRJV9XTuykrl2dkPPSyRAE
1XTu7eyoEh72UwQ/lag5BHKivCixKMRrm6Q3Nw2AyA4 znn5KNsXZPHN2/E652cPhOx8RF5+uuFUyGhrI+kCou0
-> ssh-ed25519 S5xQfg zJpJ8QVj6+dUYUYcZb3netXvdC8d5cSy0/pKAtl7+T0 -> ssh-ed25519 fBrw3g w8EkEo1db0Po5ZhDzz/5nshsSmjy9wMSKp+XFDEuUQA
tQqv9EuW1XA/sUn6anDF2Bo0AfIyvaCtgBVrtvq0HCI q50eyTDTxQULpogMbVXI2zSfu+ZZP9DOXjM+Y2/rMNI
-> ssh-ed25519 XPxfUQ BCLu2qYJNJfDKYJnSDLQnyKnIB4XKwgs4bbS6H9iCjc -> ssh-ed25519 S5xQfg 651xn3mNSl/3+KT5d4XD2pkMNcxi6BScqX3teoKbgio
ll/pKktgOm/WgQv7xB8mBgnqKjfPcKnFPjZIMZjhJGY EOfzB+woFBWBaVKuv4t4E0Gx3vf7Lg40WXSovXs8N6s
-> ssh-ed25519 SpD5mg /d2IlArCbohCEPNoSer0gHOt8rn3525sHpACbjlci0s -> ssh-ed25519 XPxfUQ FL+FYVsRNJBv7xEpwf0fXgJt3G/FiARQ7+aWK/sxryE
m/l+IL3L0O80dSIywmUJ9E9PWEs6osfzc5mjEWRRwcc xneOKh3muAhjkLC2upsRrc4B0mggwm7IOMFsg+25gT8
-> ssh-ed25519 Kk8sng NOWe0FGoWLo9Ft68dTHaoBRB0DGYWil0Rd7f7/Jf5Cc -> ssh-ed25519 SpD5mg f140sUr/7itxtllfcbBaNV9xhRaV/IULGVn6AaP7zkw
wShBg7rm6YhHL4r3RX3DTNMPT//9NpKpAmUZn3Bw8qQ FnostzjoSC/bdOu2UF+rT+0mZ0aUM8rAAoQltUXn534
-> Py&q-grease ;- iI% -> ssh-ed25519 Kk8sng 9JnybgIcROZf+l0C9YGNb4xWkZLtdfUPm2V0WJsGPUI
K8r7QIS9BEYqFS2ACAngb4Ha4A fs4wBEIdK6kU1CIhI8zz/yqa4Fb6Q2u+MO6SsudQlCM
--- umfj2GACK1NJYFpyl7KFGpXa7mqyeJOYKLDQ4stucis -> C89-grease >Fa(j6s UN5!{
ì>@ë¨0$ûº3ä<33>Ãbè·Î{x_¯¯;)Ÿ‘>nwR t@²¢è°itzVqAi•¥$bßµÞ nb+ymnliEEKJf3IGloFQMNl/SyFjvFUqekC2YEY2qJblAUaft3Tf6hMYf7uDSjew
5SRhESY0VucHhAK6OybwPWYRlXXv2gM/wxUicB8
--- t6Q6ULdQzW4/xDtZDVI/lfP5i8Cq8lnURqQSyKWHvyI
h,:ìüæ
H)'’ЊÂ/²)žÒ¾ìpˆ¡Rç2QU
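Review bot: the recipient set changed here, not only the ciphertext: the `nsBZfA` stanza on the left column has no counterpart on the right, while `6AT2/g` and `hPp1nw` appear only on the right. Re-encrypting does not revoke `nsBZfA`; the previous ciphertext remains in git history and that key can still decrypt it, so if the key was dropped because it may have leaked, the underlying secret values need to be rotated, not just rekeyed. It is also worth recording which host or user those key tags belong to and why one was removed, since the age header shows only the truncated tag and the rendered diff gives no other clue.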

Binary file not shown.


@@ -1,35 +1,39 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 xoAm7w AL6Ieg6FN45tJO6Kwz9k/PxYuX3qxDKL/U8/D1EwZ1s -> ssh-ed25519 xoAm7w 6fOw4Kh4O0WAdZG0WPBdl63ap/Xr/w+Rweylt/0mKDU
6qUpv364dQ529xVXZPngAeyqFAkIiTXfn94XXLzI4Ac M2ZYVPz9vVGjJ6us48pXSFKKH8tK8PhkvBUJAUriimY
-> ssh-ed25519 mbw8xA 6fAQlWvvDdBDqWZpZOKbVr2K7jTOKIqqapu3WN3zF2c -> ssh-ed25519 mbw8xA JBYsd9iwH4E2GfGP63DwdwT4Y+gvL31sB3rSY2GKDmQ
cI3kfPCLOV4gtqCtpgLkBR0630RQXoxz8FZAWmSpfXI zMHRL3bDxeAkWdKYPPtc/xyrkZlNtzBwzMyt5lb0H4o
-> ssh-ed25519 N240Tg qoRkbghYBpAvd9iScGMUS/iHkZgg3Qg9rQxX4yAbgyw -> ssh-ed25519 N240Tg 9DErfKdTHuvUcw9+5yzo8kMHa+IKxspGlWb6KRvPB0o
d6O9NJa4/49BZJfki3OACq6u4SI0ZjVhDzO8/0CNyVw q1FLalljaHyYxEu6JrmcXGYhYi0L7TAtV0U8UsaQ4cs
-> ssh-ed25519 2a2Yhw RIMdr+8VJcBrNry/K2m2uAgxMKwnGm0fGyiX44hpuUg -> ssh-ed25519 2a2Yhw eDolYbro00zktVZA8xdhbjvLkcOItFU/lTBPXNYypWI
jM0qeOMcSH9GprC84kL8Qq7f2pptHxbWG8nh4TqQh+A d1MlKnVGRf2T2VFPhDnsSF8fboF+5mAdXEMeJRTjJz8
-> ssh-ed25519 dMQYog h6Mn5ZCypwM6sQdXFYJkJq59GnRLdsJF8bRE/ZSK0l0 -> ssh-ed25519 dMQYog 2y6zkr37iC5VarUPOlrXVj9XyS5pihQq6O/K20gTMnc
w8r0x8Zp/zL9pB/yCOMPtHsEykWVcdrso8yoTW0EmgM jQxtJYCH1JagBpaupGVizzk0ZCswOQvFTcxT8IeFtRI
-> ssh-ed25519 G2eSCQ xgfImWd66BJwi61wo1ck7RZQnT4+c4KsganhGLvtGlI -> ssh-ed25519 G2eSCQ 8b0ZqtAxiFRfLEMHnj6LZmq5CQT7nMmfTwc+gpKbQQs
K5qDLxWlWkVY47bVgT7Dw+UcdRQTgb0vCKjJ4FiaeHQ kl9EvBs9BpZXoomdg30ViCMBV8xEnYlCD9GFY+dNVBM
-> ssh-ed25519 yHDAQw OCcfiG9sDzjNiGEbqBJGu26qwF4HrCRjCKcUTpbjXXc -> ssh-ed25519 6AT2/g kA3H9/fN5qyPquKIBQqYSGZYhxqDc7Zyj0CrjF0Nqgg
yoXC0QlN4vLdcIc/OqJzwVb2lqzJ7NhrijUEU8Yrhy8 zXrT+jpTJo6ToVzLuLzDcqblXKdDbjxt4Zr9CvWBZc0
-> ssh-ed25519 nsBZfA gcYvl192Nhd4NSCPamaMchXtg76IXbu6DKZSDoFcpn4 -> ssh-ed25519 yHDAQw vuMN4IU9wAIAWDFEDCr1yjEPtEMCISxYTx27qh4QS3U
ZH+qZ8ZDEAdUjVDCdoYStgBug1fO59otqAJSrXa0qWg 2vrVYYbBlbyEOmd7cpeijKeNk6uEe/1iWQcZO8dSrWI
-> ssh-ed25519 CRfjsA kXHNpSCtptP2H7MPcTGjZRteftb7deg+w7J6M58W9EA -> ssh-ed25519 hPp1nw TwogaV1PZXUekJoqXepW8sUm+DvPCxTEL+RobecJ3ys
KWabg5pAUvs4HHafKxtTf3RM5cj6q8YSX54zud718mM VKM1QHFM8qDW1ZCpueQEqQtQknoQ470nll7y6WTjlWA
-> ssh-ed25519 vwVIvQ 6nOm1eUfTKpTxZMw/dtBRB4HarEbeKemI6mMuf8WCSo -> ssh-ed25519 CRfjsA dvkLphHpCButJtI/RMlt7RvaIuMNHLbF9y663tvuvhs
vDH4ENMU6SGYUYClIDk5YoCOKetmRaqOtGUhJBM21r4 VEwK/KDK93e2iwEcwmGM8vvhwqi+tNW8SYrbsehZbWE
-> ssh-ed25519 fBrw3g XJPvzjlvAfL/bdb1p5fTcNYvo2xq/hJ8ioHOi3L8iRo -> ssh-ed25519 vwVIvQ xnd9Vgz9FCeRu6yZbbIZbSBEvSkgPzFifye5eT8kmT0
Wr9yj1N3aojpb+6yxiQAFU+8jm1QZajr1sYkTnXLjRI XOCZBNTP66Wzy5Vdn4qJwzApDx3U2qNnQqEBcwfARHk
-> ssh-ed25519 S5xQfg Qk82hXfT2CigawsByb9K/H/MuTl4JiYcOd876QcoyGY -> ssh-ed25519 fBrw3g 81Mv0OtBk9J2Tb7kjnT4uCGeytV7HJfOTcA5C4NoLy4
hw0DkzAvCV/UAH4dTsi17VvXRYDt9m/BKoiKt0SSp8M hiMbGjXjtvBa2Puhb8GBas3WXc0fozRD4hg73MvQumw
-> ssh-ed25519 XPxfUQ p8chrw6lhLXtesN9zfJWGLxsX91R8Kpm3odU4sCLblE -> ssh-ed25519 S5xQfg F2oOMdM1U1aT4K6pIhCnCz5EbxnEb9Q4QZ0MkhSJKnE
om6QDf7ZYSS70cjPblbz5TK/1DE9OyUJl0DoXCmLMAQ Pz2cyF+IGLz64466ne8np3xA7g+51S4s4mlaLRohIM4
-> ssh-ed25519 SpD5mg DOWa85OMA/oknqMCEXE/CcFthUG4CaPczyHR+3c8fzA -> ssh-ed25519 XPxfUQ 3rIutnjj8fXIo3mCAL5nfzJep7q70j+AGLE3j/JxOhY
hLfgOCAn8/X9jdUe9NLp/ZSnIPpE8VlT0evTtV8CUV0 v2Xj5PbpFMsf6Tx68u7VHCRqGa3Wrnsk4E6Q08SklUc
-> ssh-ed25519 Kk8sng nxdSDZA4/L2F7a7AeeYzpLmPBP3WDZ2vvhnMX41RLxw -> ssh-ed25519 SpD5mg tmM+zaXpX+W8xsMfBCoWZc+7wPRI6yFt2W/p4O2s4lo
218QEWvPg84NErnqx/w0wi7nu/liHCB2dqih9BsKcwA ckNxHza6ruYdIffwxDFOWnYOUgpbWNfwzU5AQJb6ZAA
-> `+rb8*a-grease G5p) <oTjGUi )~Np>{i ";rLwf{ -> ssh-ed25519 Kk8sng 2ddBuZ+DEVuvRmWS2O8r+xT4Qtrev78Vre+yQ3kNdEA
X9mVN2/oUBkLMejgBk3tGg0sfV7NbVYMUqsWQS7FYHEi LojDcUOsZtA5kw8kIPC2y+G21T1uKUEUkwkJ3xPiUX4
--- 9R+nrjJM0MGX09y05oerYFBNjhvtF5v9z5CX9HF+YAk -> "JnF1%Gd-grease |=~ P
;µf…=ýÂeóŒO7TÉQeÍ…­g/ø1¦àä7Ô|äx|p tzG7OLiEsRVyoTBpLPGwqNBUGkz0
--- /AHllIllItlnpPXQAkywTF1UsUb7Wpec2jdYE6kOkO4
´ <>§K
^U5{Ôpœ_l9ûá7I#J¯˜Á!ë†å`Cθ^vÚÕˆEòµßŸÁˆuž¥òä×_WPæo2.<èù w}¶Ì
(!V®
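Review bot: the side-by-side view cannot confirm that only the intended recipients changed, because age draws a fresh file key on every encryption and so every line of the file churns on rekey. A cheap check before committing is to compare just the recipient tags of the old and new headers, for example `git show HEAD:<file> | grep '^-> ssh-ed25519' | cut -d' ' -f3` against the same pipeline on the working copy, and confirm the only differences are the removal of `nsBZfA` and the additions of `6AT2/g` and `hPp1nw`; anything else in that list would mean a key slipped into or out of `all` unnoticed.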


@@ -1,36 +1,41 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 xoAm7w gWPSJ+Iy38kXBwA1M+E2Ny3aU177dt0qc7TTAS02iSY -> ssh-ed25519 xoAm7w N9ZPma02+vK6eoQ6X9/AufI8d9Sq0fAmbCygEAprM30
KCA3WoLPZbUztarjaPUR2rRH+74+82C/EooDvEvckP0 qUcK7qCxU/wGxssjMO3BFmiP+ZPCMMA+MPsqTS6Hau8
-> ssh-ed25519 mbw8xA 5nxnmB9JQf18hZlfctLAGoUdM578QZgK5ZE1lF1jP0I -> ssh-ed25519 mbw8xA 1uhQY3YHakSRBjgVfqWc3ynGGNT+T6qR74oy7UpbdGM
sn81Nv9/PHcoCUINuIDzeD/W6je/chOKtfQaWN9x9ZY 7cvBh7xPxDxZqrQURBUUnyk2YjzVY/kzAUf7dy5y/JI
-> ssh-ed25519 N240Tg d/C5uJ6ORt0dULleDbQvRbVyVmjckbfAXgNVrGjL+w4 -> ssh-ed25519 N240Tg ujiP5iMMSupxkwhY1DpkmRQOQlZSr9WjPGrY7aUKmnQ
dUOFOq5xfq52BWhBYodYdwxhrv16wtMxwFtba6fKozk FNeXuINzgDB+gn/u76gQq7J1zYCQC0wbFyUVxvbalI4
-> ssh-ed25519 2a2Yhw 7sSUbLltlcgqQESwd5x5RKmUKLrOLqRInHpUS/wIs1k -> ssh-ed25519 2a2Yhw C8/2A7AOzjyrH4Ulre9G+w1y7H1pvVZe6k5PTmGBlCI
j1AGJWmQ/q8Pwu0ScP2pjRRfgdSkdE/ohkMwHhi9SAk 9W6w4Ib0riy9sbZEQvSYeJ42LXwPruV8kPvTOP+dMqg
-> ssh-ed25519 dMQYog GaHXFoI+hlRSTTfJ+8vNbkqb0VQpr3Bn0skePcnhhFI -> ssh-ed25519 dMQYog hIbfS8dz5LGPZ9sU+lHHnL8KB0CceM2nYV5mFV038gY
LuMhTS34/8IBcFMMZKGG9qug4QCQWfD0197NPV8GG7A 6r14pRwszEZGVzDRZQlymlgjdp1Zd+r/O2IfjqxBZcs
-> ssh-ed25519 G2eSCQ 2pb606lrHmAW/JpXaZbttFEdHbEZ1rNo60tHY+1uvlw -> ssh-ed25519 G2eSCQ kvgWxBHowwVcGlm3KiWjxug+Wx3zkcMWl4wbPRrhrl8
V3YzpwodAbzijZtztGXc2pB/YGUzZJ3HpS0XOso+/t8 A5VtHqvDwaa8jONXMTvVQC1ALcnsiqxllM/DrRXWFws
-> ssh-ed25519 yHDAQw FJtu9jYlSSU2dfgFuV5PgEZ/QEGK5bsPn7KwTknnegk -> ssh-ed25519 6AT2/g XUGBtkOcpLRKNDS3hsyXAap1DXAIeaRX9jFOfhUpMw4
Ijp69vJGT1qRkTqiuDu0bBCKQ1SPwnbu5LLu89VqXWA sq/Ziv4RGRBmrUgS0GWTQs8AViUXBWjUxqf0V/rAN8E
-> ssh-ed25519 nsBZfA a8B2CSOVN2TyBIXatgGMNTdY4Ezx19mIWpzNrxc3YQg -> ssh-ed25519 yHDAQw GmscTQwu+lHC2VARJusQ606NLf6OlxITZzINjrbxf2o
Mm0T3vjsPy5GzlLqug3LpkrJVwTH1xkFNS6KWZd8Zwk LmuIU71tE+2OlF0HGNS+DdXCLdA5lAeTPXl1S+V5KCA
-> ssh-ed25519 CRfjsA ZQR4nNiLPKaOyL9ta9S9J5IN+XyDiAXMYzR+1+3RixU -> ssh-ed25519 hPp1nw XQbGxz+YJ8RieN0HxEQz9kJfikbWTtz1hFNGQBHkXzg
F81PJwKVac7mO/pDJi8aLSOK3FRNFMNlE7P1va0Tvu8 1yst2YMs9XelKpIGyl+qxAgrFZ+Hq9odh6wBovbb8sc
-> ssh-ed25519 vwVIvQ BCd4C6byOnGBwZcuchM/bnMvXLiBVKkalVvV7Zuk71o -> ssh-ed25519 CRfjsA 79TlEM5+g11lMOkkW/KvSTmt//ChklK3jlUHLAM/1hQ
bZN9YXGYQuyT5RWHnFkz5uXGLpczushGy2eTSUOCMQE 9X1VP6SYST3Q841ahE+fAeg0FhKq+/XcZdysigIOgdc
-> ssh-ed25519 fBrw3g BoxBCwJYbt+XI8cl3kcfHGEXfvgyXNKxQsHGf5WJKGg -> ssh-ed25519 vwVIvQ 1r0/J5T1fEmOjM7ybKDPOBdE2UIDEUdkIFNWGJBzXGs
AdGeYLc3Y3vGElaLQx84KuBCaKBzecSvqztqizEB9PY gAOX/3koAfQx8er8nt4dlvLbIoYfeVPENjz7wLNoFwg
-> ssh-ed25519 S5xQfg eKuFuZo5BIKPDtsTDRcrClbF5iUam6n+ztgqcuEW93k -> ssh-ed25519 fBrw3g 9hdWAt6qEwjAwVmTprCkR2q6GsE4dEOCiCTRfz58fTk
Dp5qdW0B5p/vFCNVCcFIYm7BGO73VhtbWkNKiVBA5tQ f24fPWUrwtt1UN2ebk7tj7gBY8EiAMwvEvztCvaNZRc
-> ssh-ed25519 XPxfUQ mBHM9aITnDzrFnUzYuSogyI8iV2H5KplKUnyH8uWQzE -> ssh-ed25519 S5xQfg wyY1lx8QIDJy9pCi9zS3T3lNV0jQGhVC8HvyI60zrD4
87X22HysswNP1AfLk7bc48tWHN/6AjQRpdQRAs8YeBI 6+agBFHfxcaTLfZLyEeUMl9zyaFbsM9X2EXPvf6DfeM
-> ssh-ed25519 SpD5mg HYsGouhUa3VTIuMvbTU3kGxDdo3tFwPWLpurAhEtyDU -> ssh-ed25519 XPxfUQ IabbhU0TM3zImRHyKk1NLnGRUUTuQHHCMLzp9AltDVE
rT9lnWw3DahtGteS2DZI8QPK2rXCyqWx701Ynom70NU vf+5OlycHphA0i4nB7c6OtBBahWPJR/8VSWzudM9FEc
-> ssh-ed25519 Kk8sng nHvo+zri2br9eCQHc8zGVM94tihDgMOrLUO6+R8wuTc -> ssh-ed25519 SpD5mg VSBErQVSLWPcA7C3p+wuL0/JaP58O5Gvy8z5eJduky0
400PEAFR5kYmAqV5MamMd+w1AI7+B29etfGKd0akA/A jnd3tBVjqhf8oZy9h2soMZVPEa2dvYHxvrNUdKK/UwU
-> z[3-grease qQW .%*.5Vt 0r-` |J'fBXC] -> ssh-ed25519 Kk8sng 3gM4o/sdewPR8BZo8owBVEE2GwqnQgUeA1Uxsd8nOlM
wu3bbKlQSBpP0pjPdfk+V4Hb37WWVWsR+E08Zmf6h2MtlEyWLxG8XkLRQtTh3Alh VpgZRzc4tN7QX8s41iKoCstfU0KgrGhWolfws8QXYr8
CIDw1yOJ0lIQ0IoW66v0vlG6AxZV -> vWbrVo-grease ,kVQ{
--- BxqfiQrLJJx1zL1pa2tkxFbcqiFIL3YMV6mRrCvJHZI PpMMMc8V/eqh5OBEcK067OIY3UQt9QTjHCVVesZediQxm/E2rRYvKm793NdgsflT
4&=éµ/Ë¡¯ë}ëÎJÕß8Îâiq mAA0Lcu8/6EPFWtK05TxkDO+JaVfrvKLKuh/E3k
--- eKZw2cOm1WsLYj/Bx14q433kkZ6altIqL0qnBSYXjn8
>»KÝ-B<15>vœâŒ×ôÕŽ}4©QåÎ˳x
ÅîÝÒ{ʱí­
0U<01>Ò
ê¶×Ý

Binary file not shown.

Binary file not shown.

Binary file not shown.

secrets/rekey.sh Executable file, 5 lines

@@ -0,0 +1,5 @@
#!/usr/bin/env bash
set -e
agenix -r
git commit . -m "Rekey secrets"
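Review bot: `git commit .` on the last line commits every modified tracked file under the current directory, not only the re-encrypted `.age` files, so any unrelated edit sitting in the secrets directory is swept into the "Rekey secrets" commit; `git commit -m "Rekey secrets" -- *.age` (or `git add` of the specific files first) keeps the commit to what `agenix -r` actually touched. The script also silently assumes it is run from the directory holding `secrets.nix`, since `agenix -r` reads `./secrets.nix` by default; a `cd "$(dirname "$0")"` after `set -e` makes it safe to invoke from anywhere. Finally, `set -e` alone does not abort on unset variables or failed pipelines; `set -euo pipefail` is the usual header for a script that rewrites secrets.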

Binary file not shown.

Binary file not shown.


@@ -15,4 +15,8 @@ in
"nextcloud-pw.age".publicKeys = all; "nextcloud-pw.age".publicKeys = all;
"iodine.age".publicKeys = all; "iodine.age".publicKeys = all;
"spotifyd.age".publicKeys = all; "spotifyd.age".publicKeys = all;
"wolframalpha.age".publicKeys = all;
"cloudflared-navidrome.json.age".publicKeys = all;
"smb-secrets.age".publicKeys = all;
"sasl_relay_passwd.age".publicKeys = all;
} }
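Review bot: all four new entries use `publicKeys = all`, so `smb-secrets.age` and `sasl_relay_passwd.age` become decryptable by every key in `all`, including keys on hosts that have no use for an SMB credential or an SASL relay password. agenix lets each entry carry its own recipient list, so scoping these to the host(s) that actually consume them (for example `"smb-secrets.age".publicKeys = [ <host key> ];`) limits what a single compromised host key can read; the blanket `all` on the surrounding lines deserves the same question.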

secrets/smb-secrets.age Normal file, 38 lines

@@ -0,0 +1,38 @@
age-encryption.org/v1
-> ssh-ed25519 xoAm7w Kg7UClnYqMV4+rPfZsUFgHyXUFfD9ZY2miGwr0m+NWc
SCfg3UYlGpUJreLgdkKUVru7Gqvh7AfmJLRoI+Jwmdo
-> ssh-ed25519 mbw8xA LeqtlUz7egt8G5z8Ca69GUM9Jgt7HMiqPxO/YN0rwR4
ILPsmKmjrc2m0kFMhpY2ebVXTsTRUiQMookDindWrig
-> ssh-ed25519 N240Tg G6vylAd18eW8zdF+vReXY7fTfdYseWY//4/ElWDMxXo
a1BWR4URSMmHV8Z48aChmVQAlfSfNn0S66WOG0uxNc0
-> ssh-ed25519 2a2Yhw XXZOpsj9uhKDzh6rnSWOj3HWeohsm3LvPw0RTR3zLkI
9U5oc+gWXmK5r4mLZueFBnkyal88lNbFNlzRcT77Zyo
-> ssh-ed25519 dMQYog m+Tm6nn0yVLiPPua1K7v2ToXg4JzRouarE63L/sh4kk
SZ7HXZ2wteV6mxJ2bdMOenMO3clsL7nRyAkDAJomODQ
-> ssh-ed25519 G2eSCQ sFl1qmmOPtEypFvjZStXITKedfQV45B2MDk90Bcb3hI
fetONY50e4lApLBWTABlDrV7iG0EdQl4sJE276LNz+0
-> ssh-ed25519 6AT2/g eL7ilpjXlLTIEqgOoX5jlDapUZjipe4ssmgFdaWGfQU
5JOCPit0JyCuHQk9JUqPUbk1l1YJcPfeFYqZLrlA2+4
-> ssh-ed25519 yHDAQw OL1GcsvJ1xxiGLqnkVVCMdwZTd1lSsxMV/ERkGlKqDU
gDiwmUUDPBoYE5uKmxUkfQXV95bAnTghmnE4URjEAC0
-> ssh-ed25519 hPp1nw Qq52IpfX5qtzg7E9ruK4qI3W0tyXTnm5ntITOzZ4r3M
QhTA1V4vN9qMKhIcmNKIOBYnggPP4FfbIkXR+00jJMY
-> ssh-ed25519 CRfjsA EtorS2Ba+6E4grspQXhDFiXSOxGsnNSQbkSpv+NkGkc
Oz6xPjiHUJI/md01GxNLA9O52V/inIeaEi0wGe/T2QE
-> ssh-ed25519 vwVIvQ yzWaeWjer2QysLCpcpiEGuUSX/JEf+CVOLEbV4cdwG4
00vNjH+LFNjGGFrJmJtpLGKZTnEtFDW94sDIeNeklbk
-> ssh-ed25519 fBrw3g PJqw2w4s10ncE5q95Srxc49S3UfiZpDskoCHLsYE8wo
SMpvtbRNMdGi3+VENOVziLt2U6kg4djaJwY9QN7qm+A
-> ssh-ed25519 S5xQfg QCkCr+gN488FKCu+TlhJ6HUbFxqdkwSaUYxgnJ66zl8
XhMSuZ/HOlXJmWRVrQjMY80IKxvrnNHh6eR6N2vSKeQ
-> ssh-ed25519 XPxfUQ k8Pp9ZlRAWZRXOQ9URro05DRIViGfs2DhXTrMTZyvgA
B7lvmKy5Dqw5qzLwnQEX1163NW0t6vYHPgTmqKE/2+4
-> ssh-ed25519 SpD5mg Y/Cg1GVTBo1r66Oj/bFN0uDWLfM2rIAAGRP0qu0tfRo
Rr+7yR2uf170A2pUylEwUthC0XGIXin51DK9JS8K0xY
-> ssh-ed25519 Kk8sng r//SXYT5xxLXwoDsWhFwaoLzhT8fdbXX3HShmS4SMX0
DrcuiBS+JLkzgsYumxvnsnKkrzFYkNPRJZOegj+0Q1c
-> X6%3Q-grease l? n?e
j/l9N+hzs80iS5YZrx8mrrIIb/+y82YM4lb1a0aBOCUMsK0IHbtnPjZbVfOmO55W
+yFtp3gXw1Fnffbircs8YnYpq5vdpEABGazjSg
--- o3H9hWurbhlvoOR4Ulmpt/hdPk+C/OR79T0YqvoXRR0
؆(ÚÙ0Ý íw¨WMæ‘@jO…°}2 mêNßnÙ³g«å„?¤gò³ª³†“rºB\ ï½ãØ

Binary file not shown.

secrets/wolframalpha.age Normal file, 38 lines

@@ -0,0 +1,38 @@
age-encryption.org/v1
-> ssh-ed25519 xoAm7w QDzXkxhczV+ZUvEHmN1Uf7xWaEDSugv2dcisOakVPEc
+k9M+R98OqsfIROOedql7ksLCtejx5uzFXigxB1Dhzs
-> ssh-ed25519 mbw8xA ERuMyLhLVrNwmr1wS9h0ssZYayCn0Hc1dhu3zBKzDF0
pz2rEMX3MtxtVOTuEyO5K9ZE5s0C+2JL7lNE5BdUsRo
-> ssh-ed25519 N240Tg kHC1Wn8T3aUpWd4yK0+GJo+SDBXrVmTSrNz/Z+3kfGs
sg6A3DgaQev5ZezJeSNAR7+G4MS1rdwHd/6u1H5+0us
-> ssh-ed25519 2a2Yhw 64vHNVi/UCK1aCBFu+BnSyy42DHZIFeiDekfnQeDlHE
19On29XUAiUsTmlqxrY8PQGderv7VzBO4a10jT5aZwY
-> ssh-ed25519 dMQYog EHtR1wf5/2aWvGwkD4EBOECctp2zs2RjAUOKcncjUSI
s7dfQHaLjO6Hor6xXpx8h5hox3OQA4mPRGt8ewr0jQM
-> ssh-ed25519 G2eSCQ 4L9zIv4aApkZgFneUjVm2esXp4DJYVzm94LA2sS0Qkc
+iDy2G82PX6yuIyn7zITzp/jvBX2P25u26n/NuGdjVM
-> ssh-ed25519 6AT2/g HyH+8r/SZUXilmITIsFVyr2t6rCJK9scP9TR2/rO+1M
0Hkx2o3wlq7nj6fRSL3QNtrxKFxYlfhg7CwsyQDjIo8
-> ssh-ed25519 yHDAQw vZlwV2QvrzG1Xu4XZt4Yi5aDQ8qmPQnadCJtHdtTSlc
4NscOK2mu+P+vrZ8FIbIYhQ/97DPo5vgsl0jnlZM0gY
-> ssh-ed25519 hPp1nw YWRekiOxwuK8eAGehbBfOzW7Rmw95V+A/XD4rmFxS3Y
sd+q4ya9k/KE06GYGFV2O9P3O77aZcJl05tAvY6W1s8
-> ssh-ed25519 CRfjsA LfIzQhaql9b4EAotyVrvKBV1AhlMVcRarA49q7+rQXc
v4WddjXusd/m/s/T7E+wdKm9tDR3rGj6CNE3AdVrDb8
-> ssh-ed25519 vwVIvQ 53S5tWgmlVnKIHonBAmvxbv+w0j9b65NdyWvwlvgZWg
xa+z7MYrJHCgILtG/3Yw1OKH1/YKvuVG2jabnv3gSoA
-> ssh-ed25519 fBrw3g GsaGAXiMo4WhEZTQPgr761gAiQHmHPSwdWF0t910+DI
dmZGcEghoXi7giaxC/1UVJVAtyY5hcknUBxr0wQ4RBk
-> ssh-ed25519 S5xQfg wgkQBHQi8xY4++/quS4ZJWb9PPpg6b0KZpSwypdS7HY
+1yatx5SUanPC04jJMVVILHAwdtg2r9Bd+sj9728BnY
-> ssh-ed25519 XPxfUQ Hj2e1U4udGkp04dSdTSsaaJPIQ7gB1bwralXazBzpVM
LPOMpbX+ndXRkQlR3GKKpwSd5zOT03j5bII8btjY52o
-> ssh-ed25519 SpD5mg ++/8/U9XQKg6L3SHej+mvXeZYrvoWhiwmcurC3V0aTU
qR3nTcugxtBgDhcbZpCe0/NUavbzV6tFJZKv3IopAO4
-> ssh-ed25519 Kk8sng /bL56jng2lp0INyIDqUAX5L8mFmKxCBeHFWPUW6gE0U
4v+jq2N6RIQAh0VRrBZkMjSQW6L+LYcAfYUBvfTM+Jw
-> ";etw{[s-grease E;mh^R$ c8
ossMGyq0gpvz9PjjLBWD+QHRKKhzY6/9Kj4b0M7YdP0OgMdpr5QlA7UIDhiGQQBL
dbt0YyLxbAdhqG7S3lLeedQmvzv/oIyhmV0jsTB79W1l/27FujvPRWYf
--- pYjss6AEPZn0PG7FmO6bGq1O+k1IFGzoxsitB4qgotY
ÌÐçJöÇ<10>>Z`´ <0C>b%RW^óºñ–&<26>·ª ­-4¥ðè¬ÙÚW…á