zuckerberg/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Activity

Compare commits

base: zuckerberg:5945310dd4f8369415168dad290dcd84b7168ca3
Branches Tags
zuckerberg:master zuckerberg:stage zuckerberg:rpi-hotspot zuckerberg:attic zuckerberg:kexec_luks2 zuckerberg:pia-client
...
compare: zuckerberg:pia-client
Branches Tags
zuckerberg:master zuckerberg:stage zuckerberg:rpi-hotspot zuckerberg:attic zuckerberg:kexec_luks2 zuckerberg:pia-client

66 Commits
5945310dd4 ... pia-client

Author SHA1 Message Date
Zuckerberg
a0c199ba06 Unfinished attempt at packaging pia client 2023-02-08 01:38:54 -05:00
Zuckerberg
6f9edd8870 Add ISO build 2023-02-08 01:36:23 -05:00
Zuckerberg
076bdb3ab4 Use upstream nvidia reverse prime support 2023-02-08 01:35:25 -05:00
Zuckerberg
fcbd877d06 flake.lock: Update 
Flake lock file updates:

• Updated input 'nix-locate':
    'github:googlebot42/nix-index/a28bb3175d370c6cb9569e6d4b5570e9ca016a3e' (2022-05-17)
  → 'github:bennofs/nix-index/5f98881b1ed27ab6656e6d71b534f88430f6823a' (2023-01-17)
• Updated input 'nix-locate/flake-compat':
    'github:edolstra/flake-compat/b7547d3eed6f32d06102ead8991ec52ab0a4f1a7' (2022-01-03)
  → 'github:edolstra/flake-compat/009399224d5e398d03b22badca40a37ac85412a1' (2022-11-17)
• Updated input 'nixpkgs-unstable':
    'github:NixOS/nixpkgs/836b2bed01d19dce142298e58c998f4f65057c6a' (2023-02-08)
  → 'github:NixOS/nixpkgs/32f914af34f126f54b45e482fb2da4ae78f3095f' (2023-02-08)
 2023-02-08 00:59:29 -05:00
Zuckerberg
27f4b5af78 flake.lock: Update 
Flake lock file updates:

• Updated input 'agenix':
    'github:ryantm/agenix/a630400067c6d03c9b3e0455347dc8559db14288' (2022-10-15)
  → 'github:ryantm/agenix/b7ffcfe77f817d9ee992640ba1f270718d197f28' (2023-01-31)
• Added input 'agenix/darwin':
    'github:lnl7/nix-darwin/87b9d090ad39b25b2400029c64825fc2a8868943' (2023-01-09)
• Added input 'agenix/darwin/nixpkgs':
    follows 'agenix/nixpkgs'
• Updated input 'archivebox':
    'git+https://git.neet.dev/zuckerberg/archivebox.git?ref=master&rev=39d338b9b24159d8ef3309eecc0d32a2a9f102b5' (2022-03-30)
  → 'git+https://git.neet.dev/zuckerberg/archivebox.git?ref=refs%2fheads%2fmaster&rev=39d338b9b24159d8ef3309eecc0d32a2a9f102b5' (2022-03-30)
• Updated input 'dailybuild_modules':
    'git+https://git.neet.dev/zuckerberg/dailybuild_modules.git?ref=master&rev=1290ddd9a2ff2bf2d0f702750768312b80efcd34' (2022-05-05)
  → 'git+https://git.neet.dev/zuckerberg/dailybuild_modules.git?ref=refs%2fheads%2fmaster&rev=1290ddd9a2ff2bf2d0f702750768312b80efcd34' (2022-05-05)
• Updated input 'flake-utils':
    'github:numtide/flake-utils/c0e246b9b83f637f4681389ecabcb2681b4f3af0' (2022-08-07)
  → 'github:numtide/flake-utils/5aed5285a952e0b949eb3ba02c12fa4fcfef535f' (2022-11-02)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/3933d8bb9120573c0d8d49dc5e890cb211681490' (2022-10-22)
  → 'github:NixOS/nixpkgs/0874168639713f547c05947c76124f78441ea46c' (2023-01-01)
• Removed input 'nixpkgs-nvidia'
• Updated input 'nixpkgs-unstable':
    'github:NixOS/nixpkgs/301aada7a64812853f2e2634a530ef5d34505048' (2022-10-21)
  → 'github:NixOS/nixpkgs/836b2bed01d19dce142298e58c998f4f65057c6a' (2023-02-08)
• Updated input 'radio-web':
    'git+https://git.neet.dev/zuckerberg/radio-web.git?ref=master&rev=72e7a9e80b780c84ed8d4a6374bfbb242701f900' (2022-05-09)
  → 'git+https://git.neet.dev/zuckerberg/radio-web.git?ref=refs%2fheads%2fmaster&rev=72e7a9e80b780c84ed8d4a6374bfbb242701f900' (2022-05-09)
 2023-02-08 00:33:47 -05:00
Zuckerberg
7238d6e6c5 latest kernel not needed for wifi anymore 2023-02-06 22:45:34 -05:00
Zuckerberg
094905a727 virt-manager 2023-02-06 22:44:22 -05:00
Zuckerberg
cf3fa0ff12 depthai udev 2023-02-06 22:44:09 -05:00
Zuckerberg
7c7b356aab Remove 'I don't care about cookies'. It is under new management 2023-02-06 22:43:43 -05:00
Zuckerberg
c57e4f022f flake.lock: Update 
Flake lock file updates:

• Updated input 'agenix':
    'github:ryantm/agenix/7e5e58b98c3dcbf497543ff6f22591552ebfe65b' (2022-05-16)
  → 'github:ryantm/agenix/a630400067c6d03c9b3e0455347dc8559db14288' (2022-10-15)
• Updated input 'flake-utils':
    'github:numtide/flake-utils/1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1' (2022-05-30)
  → 'github:numtide/flake-utils/c0e246b9b83f637f4681389ecabcb2681b4f3af0' (2022-08-07)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/d17a56d90ecbd1b8fc908d49598fb854ef188461' (2022-06-17)
  → 'github:NixOS/nixpkgs/3933d8bb9120573c0d8d49dc5e890cb211681490' (2022-10-22)
• Updated input 'nixpkgs-unstable':
    'github:NixOS/nixpkgs/42948b300670223ca8286aaf916bc381f66a5313' (2022-04-08)
  → 'github:NixOS/nixpkgs/301aada7a64812853f2e2634a530ef5d34505048' (2022-10-21)
• Updated input 'simple-nixos-mailserver':
    'gitlab:simple-nixos-mailserver/nixos-mailserver/a48082c79cff8f3b314ba4f95f4ae87ca7d4d068' (2022-06-14)
  → 'gitlab:simple-nixos-mailserver/nixos-mailserver/f535d8123c4761b2ed8138f3d202ea710a334a1d' (2022-06-22)
 2022-10-23 10:43:19 -04:00
zuckerberg
f5a9f04cf2 Rekey secrets 2022-08-25 23:16:22 -04:00
zuckerberg
50fd928cda Change key 2022-08-25 23:16:09 -04:00
Zuckerberg
11072c374b Owncast 2022-07-24 15:18:29 -04:00
Zuckerberg
60f1235848 Add shell aliases 2022-07-24 13:23:03 -04:00
Zuckerberg
55ea5aebc4 Add README and TODO files 2022-07-24 12:57:05 -04:00
Zuckerberg
2738f6b794 WIP wireguard vpn 2022-07-24 12:13:17 -04:00
Zuckerberg
ec2b248ed8 Don't use tailscale in containers 2022-06-23 22:37:14 -04:00
Zuckerberg
aa7bbc5932 Use Tailscale 2022-06-23 22:30:07 -04:00
Zuckerberg
eef574c9f7 Pin nixpkgs to a version that works for bcachefs 2022-06-20 11:51:45 -04:00
Zuckerberg
25fb7a1645 Jellyfin Client only on desktop 2022-06-20 00:04:54 -04:00
Zuckerberg
301fd8462b Update to NixOS 22.05 2022-06-20 00:00:49 -04:00
Zuckerberg
a92800cbcc Update to NixOS 22.05 2022-06-19 23:59:52 -04:00
Zuckerberg
5e361b2fc8 Update to NixOS 22.05 2022-06-19 23:44:01 -04:00
Zuckerberg
b41e4dc375 add jellyfin media player 2022-06-19 23:29:54 -04:00
Zuckerberg
7e615f814d Rewrite VPN container 2022-05-28 18:54:41 -04:00
Zuckerberg
c560a63182 More vpn options 2022-05-27 16:43:25 -04:00
Zuckerberg
2f14d07f82 Proxy jellyfin correctly 2022-05-20 19:30:14 -04:00
Zuckerberg
a89fde8aa5 Don't export bazarr 2022-05-20 19:15:33 -04:00
Zuckerberg
1856fe00d6 Jellyfin open port 2022-05-20 18:58:13 -04:00
Zuckerberg
388599e08c Use aarch64-linux friendly nix-locate 2022-05-20 16:42:38 -04:00
Zuckerberg
75a33a0b5e Add .gitignore 2022-05-20 16:37:33 -04:00
Zuckerberg
918b53e383 Move jellyfin to container 2022-05-20 16:37:05 -04:00
Zuckerberg
c643244dab set sendmail send domain 2022-05-16 17:46:11 -04:00
Zuckerberg
9fc6f816fb Use nix-locate for command-not-found 2022-05-16 15:01:15 -04:00
Zuckerberg
63902fcb46 Require auth for public samba share 2022-05-16 13:22:00 -04:00
Zuckerberg
8a1e0b76f1 Remove sauerbraten 2022-05-16 13:07:32 -04:00
Zuckerberg
f144bda9e6 Minimal kexec image builder 2022-05-16 13:04:31 -04:00
Zuckerberg
b8c9278f37 Use runyan.org 2022-05-09 14:46:18 -04:00
Zuckerberg
9f45df7903 Update dailybot 2022-05-04 22:55:53 -04:00
Zuckerberg
a894a5429e Eanble sender dependent authentication 2022-05-03 19:21:10 -04:00
Zuckerberg
dfec18e904 Send mail through mailgun 2022-05-03 18:33:48 -04:00
Zuckerberg
91e38f5866 Remove pi.agency 2022-05-03 14:54:09 -04:00
Zuckerberg
fed1aecd64 Update dailybot 2022-05-03 14:53:58 -04:00
Zuckerberg
ec3056f8c1 Don't store awful files 2022-05-03 14:53:42 -04:00
Zuckerberg
339eed1f55 Move services to ponyo 2022-05-02 18:01:03 -04:00
Zuckerberg
5ac5b4551b Rekey secrets 2022-05-02 11:56:25 -04:00
Zuckerberg
d378a287fa Add ponyo system 2022-05-02 11:56:14 -04:00
Zuckerberg
d71af55727 Better samba mount options 2022-05-02 02:54:41 -04:00
Zuckerberg
de05a535ea Prune services 2022-05-02 02:54:22 -04:00
Zuckerberg
910af494b5 Retire neetdev 2022-05-02 02:50:54 -04:00
Zuckerberg
3d1c078a44 Revert radio to previous version 2022-04-30 22:15:27 -04:00
Zuckerberg
c85beff7ed SSDs for NAS 2022-04-26 00:57:11 -04:00
Zuckerberg
7ab4906710 Use '*.containers' instead of ips 2022-04-25 00:46:40 -04:00
Zuckerberg
af3af7b2ae Add samba share user 2022-04-25 00:30:57 -04:00
Zuckerberg
f627abc649 More hosts 2022-04-25 00:20:14 -04:00
Zuckerberg
e37878c544 Automount samba shares 2022-04-24 21:56:28 -04:00
Zuckerberg
73bbd39c64 Create samba users 2022-04-24 21:55:24 -04:00
Zuckerberg
acbf162ffe Use latest pykms 2022-04-24 21:54:04 -04:00
Zuckerberg
516121b26c Revert broken samba config for now... 2022-04-24 21:53:41 -04:00
Zuckerberg
8742352ea9 Disable scroll jacking extension works poorly 2022-04-24 21:26:29 -04:00
Zuckerberg
61391cc180 Improve samba speed 2022-04-23 04:32:33 -04:00
Zuckerberg
60771ea56e Access transmission files over samba 2022-04-23 04:32:19 -04:00
Zuckerberg
2f19903a45 Remove pi.agency 2022-04-21 15:17:59 -04:00
Zuckerberg
8102981a01 Update dailybot 2022-04-21 15:17:32 -04:00
Zuckerberg
d975477c05 Update dailybot 2022-04-21 14:50:11 -04:00
Zuckerberg
af9333feff Ponyo as media proxy 2022-04-21 02:24:45 -04:00
58 changed files with 1697 additions and 1333 deletions
Expand all files Collapse all files

1
.gitignore vendored Normal file
View File

@@ -0,0 +1 @@
result

12
README.md Normal file
View File

@@ -0,0 +1,12 @@
# My NixOS configurations
### Source Layout
- `/common` - common configuration imported into all `/machines`
- `/boot` - config related to bootloaders, cpu microcode, and unlocking LUKS root disks over tor
- `/network` - config for tailscale, zeroteir, and NixOS container with automatic vpn tunneling via PIA
- `/pc` - config that a graphical desktop computer should have. Use `de.enable = true;` to enable everthing.
- `/server` - config that creates new nixos services or extends existing ones to meet my needs
- `/ssh.nix` - all ssh public host and user keys for all `/machines`
- `/machines` - all my NixOS machines along with their machine unique configuration for hardware and services
- `/kexec` - a special machine for generating minimal kexec images. Does not import `/common`
- `/secrets` - encrypted shared secrets unlocked through `/machines` ssh host keys

85
TODO.md Normal file
View File

@@ -0,0 +1,85 @@
# A place for brain dump ideas maybe to be taken off of the shelve one day
### NixOS webtools
- Better options search https://mynixos.com/options/services
### Interesting ideas for restructuring nixos config
- https://github.com/gytis-ivaskevicius/flake-utils-plus
- https://github.com/divnix/digga/tree/main/examples/devos
- https://digga.divnix.com/
- https://nixos.wiki/wiki/Comparison_of_NixOS_setups
### Housekeeping
- Format everything here using nixfmt
- Cleanup the line between hardware-configuration.nix and configuration.nix in machine config
- CI https://gvolpe.com/blog/nixos-binary-cache-ci/
- remove `options.currentSystem`
- allow `hostname` option for webservices to be null to disable configuring nginx
### NAS
- helios64 extra led lights
- safely turn off NAS on power disconnect
- hardware de/encoding for rk3399 helios64 https://forum.pine64.org/showthread.php?tid=14018
- tor unlock
### bcachefs
- bcachefs health alerts via email
- bcachefs periodic snapshotting
- use mount.bcachefs command for mounting
- bcachefs native encryption
- just need a kernel module? https://github.com/firestack/bcachefs-tools-flake/blob/kf/dev/mvp/nixos/module/bcachefs.nix#L40
### Shell Comands
- tailexitnode = `sudo tailscale up --exit-node=<exit-node-ip> --exit-node-allow-lan-access=true`
### Services
- setup archivebox
- radio https://tildegit.org/tilderadio/site
- music
- mopidy
- use the jellyfin plugin?
- navidrome
- spotify secrets for navidrome
- picard for music tagging
- alternative music software
- https://www.smarthomebeginner.com/best-music-server-software-options/
- https://funkwhale.audio/
- https://github.com/epoupon/lms
- https://github.com/benkaiser/stretto
- https://github.com/blackcandy-org/black_candy
- https://github.com/koel/koel
- https://airsonic.github.io/
- https://ampache.org/
- replace nextcloud with seafile
### VPN container
- use wireguard for vpn
- https://github.com/triffid/pia-wg/blob/master/pia-wg.sh
- https://github.com/pia-foss/manual-connections
- port forwarding for vpn
- transmission using forwarded port
- https://www.wireguard.com/netns/
- one way firewall for vpn container
### Networking
- tailscale for p2p connections
- remove all use of zerotier
### Archive
- https://www.backblaze.com/b2/cloud-storage.html
- email
- https://github.com/Disassembler0/dovecot-archive/blob/main/src/dovecot_archive.py
- http://kb.unixservertech.com/software/dovecot/archiveserver
### Paranoia
- https://christine.website/blog/paranoid-nixos-2021-07-18
- https://nixos.wiki/wiki/Impermanence
### Misc
- https://github.com/pop-os/system76-scheduler
- improve email a little bit https://helloinbox.email
- remap razer keys https://github.com/sezanzeb/input-remapper
### Future Interests (upon merge into nixpkgs)
- nixos/thelounge: add users option https://github.com/NixOS/nixpkgs/pull/157477
- glorytun: init at 0.3.4 https://github.com/NixOS/nixpkgs/pull/153356

12
common/default.nix
View File

@@ -3,10 +3,9 @@
{
imports = [
./flakes.nix
./pia.nix
./zerotier.nix
./auto-update.nix
./hosts.nix
./shell.nix
./network
./boot
./server
./pc
@@ -57,13 +56,12 @@
shell = pkgs.fish;
openssh.authorizedKeys.keys = (import ./ssh.nix).users;
hashedPassword = "$6$TuDO46rILr$gkPUuLKZe3psexhs8WFZMpzgEBGksE.c3Tjh1f8sD0KMC4oV89K2pqAABfl.Lpxu2jVdr5bgvR5cWnZRnji/r/";
uid = 1000;
};
nix.trustedUsers = [ "root" "googlebot" ];
nix.gc.automatic = true;
programs.fish.enable = true;
programs.fish.shellInit = ''
set fish_greeting
'';
security.acme.acceptTerms = true;
security.acme.defaults.email = "zuckerberg@neet.dev";
}

3
common/flakes.nix
View File

@@ -16,6 +16,9 @@ in {
# pin nixpkgs for system commands such as "nix shell"
registry.nixpkgs.flake = config.inputs.nixpkgs;
# pin system nixpkgs to the same version as the flake input
nixPath = [ "nixpkgs=${config.inputs.nixpkgs}" ];
};
};
}

23
common/network/default.nix Normal file
View File

@@ -0,0 +1,23 @@
{ config, lib, ... }:
with lib;
let
cfg = config.networking;
in
{
imports = [
./hosts.nix
./pia-openvpn.nix
./tailscale.nix
./vpn.nix
./zerotier.nix
];
options.networking.ip_forward = mkEnableOption "Enable ip forwarding";
config = mkIf cfg.ip_forward {
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
};
}

15
common/hosts.nix → common/network/hosts.nix
View File

@@ -1,15 +1,22 @@
{ config, lib, ... }:
let
system = (import ./ssh.nix).system;
system = (import ../ssh.nix).system;
in {
networking.hosts = {
# some DNS providers filter local ip results from DNS request
"172.30.145.180" = [ "s0.zt.neet.dev" ];
"172.30.109.9" = [ "ponyo.zt.neet.dev" ];
"172.30.189.212" = [ "ray.zt.neet.dev" ];
};
programs.ssh.knownHosts = {
liza = {
hostNames = [ "liza" "liza.neet.dev" ];
publicKey = system.liza;
};
ponyo = {
hostNames = [ "ponyo" "ponyo.neet.dev" ];
hostNames = [ "ponyo" "ponyo.neet.dev" "ponyo.zt.neet.dev" "git.neet.dev" ];
publicKey = system.ponyo;
};
ponyo-unlock = {
@@ -17,11 +24,11 @@ in {
publicKey = system.ponyo-unlock;
};
ray = {
hostNames = [ "ray" ];
hostNames = [ "ray" "ray.zt.neet.dev" ];
publicKey = system.ray;
};
s0 = {
hostNames = [ "s0" ];
hostNames = [ "s0" "s0.zt.neet.dev" ];
publicKey = system.s0;
};
n1 = {

113
common/network/pia-openvpn.nix Normal file
View File

@@ -0,0 +1,113 @@
{ config, pkgs, lib, ... }:
let
cfg = config.pia;
vpnfailsafe = pkgs.stdenv.mkDerivation {
pname = "vpnfailsafe";
version = "0.0.1";
src = ./.;
installPhase = ''
mkdir -p $out
cp vpnfailsafe.sh $out/vpnfailsafe.sh
sed -i 's|getent|${pkgs.getent}/bin/getent|' $out/vpnfailsafe.sh
'';
};
in
{
options.pia = {
enable = lib.mkEnableOption "Enable private internet access";
server = lib.mkOption {
type = lib.types.str;
default = "us-washingtondc.privacy.network";
example = "swiss.privacy.network";
};
};
config = lib.mkIf cfg.enable {
services.openvpn = {
servers = {
pia = {
config = ''
client
dev tun
proto udp
remote ${cfg.server} 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass
compress
verb 1
reneg-sec 0
<crl-verify>
-----BEGIN X509 CRL-----
MIICWDCCAUAwDQYJKoZIhvcNAQENBQAwgegxCzAJBgNVBAYTAlVTMQswCQYDVQQI
EwJDQTETMBEGA1UEBxMKTG9zQW5nZWxlczEgMB4GA1UEChMXUHJpdmF0ZSBJbnRl
cm5ldCBBY2Nlc3MxIDAeBgNVBAsTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAw
HgYDVQQDExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UEKRMXUHJpdmF0
ZSBJbnRlcm5ldCBBY2Nlc3MxLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRl
aW50ZXJuZXRhY2Nlc3MuY29tFw0xNjA3MDgxOTAwNDZaFw0zNjA3MDMxOTAwNDZa
MCYwEQIBARcMMTYwNzA4MTkwMDQ2MBECAQYXDDE2MDcwODE5MDA0NjANBgkqhkiG
9w0BAQ0FAAOCAQEAQZo9X97ci8EcPYu/uK2HB152OZbeZCINmYyluLDOdcSvg6B5
jI+ffKN3laDvczsG6CxmY3jNyc79XVpEYUnq4rT3FfveW1+Ralf+Vf38HdpwB8EW
B4hZlQ205+21CALLvZvR8HcPxC9KEnev1mU46wkTiov0EKc+EdRxkj5yMgv0V2Re
ze7AP+NQ9ykvDScH4eYCsmufNpIjBLhpLE2cuZZXBLcPhuRzVoU3l7A9lvzG9mjA
5YijHJGHNjlWFqyrn1CfYS6koa4TGEPngBoAziWRbDGdhEgJABHrpoaFYaL61zqy
MR6jC0K2ps9qyZAN74LEBedEfK7tBOzWMwr58A==
-----END X509 CRL-----
</crl-verify>
<ca>
-----BEGIN CERTIFICATE-----
MIIFqzCCBJOgAwIBAgIJAKZ7D5Yv87qDMA0GCSqGSIb3DQEBDQUAMIHoMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCQ0ExEzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNV
BAoTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIElu
dGVybmV0IEFjY2VzczEgMB4GA1UEAxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3Mx
IDAeBgNVBCkTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkB
FiBzZWN1cmVAcHJpdmF0ZWludGVybmV0YWNjZXNzLmNvbTAeFw0xNDA0MTcxNzM1
MThaFw0zNDA0MTIxNzM1MThaMIHoMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0Ex
EzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNVBAoTF1ByaXZhdGUgSW50ZXJuZXQg
QWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UE
AxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBCkTF1ByaXZhdGUgSW50
ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkBFiBzZWN1cmVAcHJpdmF0ZWludGVy
bmV0YWNjZXNzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPXD
L1L9tX6DGf36liA7UBTy5I869z0UVo3lImfOs/GSiFKPtInlesP65577nd7UNzzX
lH/P/CnFPdBWlLp5ze3HRBCc/Avgr5CdMRkEsySL5GHBZsx6w2cayQ2EcRhVTwWp
cdldeNO+pPr9rIgPrtXqT4SWViTQRBeGM8CDxAyTopTsobjSiYZCF9Ta1gunl0G/
8Vfp+SXfYCC+ZzWvP+L1pFhPRqzQQ8k+wMZIovObK1s+nlwPaLyayzw9a8sUnvWB
/5rGPdIYnQWPgoNlLN9HpSmsAcw2z8DXI9pIxbr74cb3/HSfuYGOLkRqrOk6h4RC
OfuWoTrZup1uEOn+fw8CAwEAAaOCAVQwggFQMB0GA1UdDgQWBBQv63nQ/pJAt5tL
y8VJcbHe22ZOsjCCAR8GA1UdIwSCARYwggESgBQv63nQ/pJAt5tLy8VJcbHe22ZO
sqGB7qSB6zCB6DELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRMwEQYDVQQHEwpM
b3NBbmdlbGVzMSAwHgYDVQQKExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4G
A1UECxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBAMTF1ByaXZhdGUg
SW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQpExdQcml2YXRlIEludGVybmV0IEFjY2Vz
czEvMC0GCSqGSIb3DQEJARYgc2VjdXJlQHByaXZhdGVpbnRlcm5ldGFjY2Vzcy5j
b22CCQCmew+WL/O6gzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBDQUAA4IBAQAn
a5PgrtxfwTumD4+3/SYvwoD66cB8IcK//h1mCzAduU8KgUXocLx7QgJWo9lnZ8xU
ryXvWab2usg4fqk7FPi00bED4f4qVQFVfGfPZIH9QQ7/48bPM9RyfzImZWUCenK3
7pdw4Bvgoys2rHLHbGen7f28knT2j/cbMxd78tQc20TIObGjo8+ISTRclSTRBtyC
GohseKYpTS9himFERpUgNtefvYHbn70mIOzfOJFTVqfrptf9jXa9N8Mpy3ayfodz
1wiqdteqFXkTYoSDctgKMiZ6GdocK9nMroQipIQtpnwd4yBDWIyC6Bvlkrq5TQUt
YDQ8z9v+DMO6iwyIDRiU
-----END CERTIFICATE-----
</ca>
disable-occ
auth-user-pass /run/agenix/pia-login.conf
'';
autoStart = true;
up = "${vpnfailsafe}/vpnfailsafe.sh";
down = "${vpnfailsafe}/vpnfailsafe.sh";
};
};
};
age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
};
}

16
common/network/tailscale.nix Normal file
View File

@@ -0,0 +1,16 @@
{ config, lib, ... }:
with lib;
let
cfg = config.services.tailscale;
in
{
options.services.tailscale.exitNode = mkEnableOption "Enable exit node support";
config.services.tailscale.enable = !config.boot.isContainer;
# exit node
config.networking.firewall.checkReversePath = mkIf cfg.exitNode "loose";
config.networking.ip_forward = mkIf cfg.exitNode true;
}

97
common/network/vpn.nix Normal file
View File

@@ -0,0 +1,97 @@
{ config, pkgs, lib, allModules, ... }:
with lib;
let
cfg = config.vpn-container;
in
{
options.vpn-container = {
enable = mkEnableOption "Enable VPN container";
containerName = mkOption {
type = types.str;
default = "vpn";
description = ''
Name of the VPN container.
'';
};
mounts = mkOption {
type = types.listOf types.str;
default = [ "/var/lib" ];
example = "/home/example";
description = ''
List of mounts on the host to bind to the vpn container.
'';
};
config = mkOption {
type = types.anything;
default = {};
example = ''
{
services.nginx.enable = true;
}
'';
description = ''
NixOS config for the vpn container.
'';
};
};
config = mkIf cfg.enable {
containers.${cfg.containerName} = {
ephemeral = true;
autoStart = true;
bindMounts = mkMerge ([{
"/run/agenix" = {
hostPath = "/run/agenix";
isReadOnly = true;
};
}] ++ (lists.forEach cfg.mounts (mount:
{
"${mount}" = {
hostPath = mount;
isReadOnly = false;
};
}
)));
enableTun = true;
privateNetwork = true;
hostAddress = "172.16.100.1";
localAddress = "172.16.100.2";
config = {
imports = allModules ++ [cfg.config];
nixpkgs.pkgs = pkgs;
networking.firewall.enable = mkForce false;
pia.enable = true;
pia.server = "swiss.privacy.network"; # swiss vpn
# run it's own DNS resolver
networking.useHostResolvConf = false;
services.resolved.enable = true;
};
};
# load secrets the container needs
age.secrets = config.containers.${cfg.containerName}.config.age.secrets;
# forwarding for vpn container
networking.nat.enable = true;
networking.nat.internalInterfaces = [
"ve-${cfg.containerName}"
];
networking.ip_forward = true;
# assumes only one potential interface
networking.usePredictableInterfaceNames = false;
networking.nat.externalInterface = "eth0";
};
}

0
common/vpnfailsafe.sh → common/network/vpnfailsafe.sh
View File

0
common/zerotier.nix → common/network/zerotier.nix
View File

4
common/pc/chromium.nix
View File

@@ -60,10 +60,9 @@ in {
"oboonakemofpalcgghocfoadofidjkkk" # keepassxc plugin
"cimiefiiaegbelhefglklhhakcgmhkai" # plasma integration
"hkgfoiooedgoejojocmhlaklaeopbecg" # picture in picture
"fihnjjcciajhdojfnbdddfaoknhalnja" # I don't care about cookies
"mnjggcdmjocbbbhaepdhchncahnbgone" # SponsorBlock
"dhdgffkkebhmkfjojejmpbldmpobfkfo" # Tampermonkey
"ehpdicggenhgapiikfpnmppdonadlnmp" # Disable Scroll Jacking
# "ehpdicggenhgapiikfpnmppdonadlnmp" # Disable Scroll Jacking
];
extraOpts = {
"BrowserSignin" = 0;
@@ -80,7 +79,6 @@ in {
nixpkgs.config.packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
chromium = pkgs.chromium.override {
gnomeKeyringSupport = true;
enableWideVine = true;
# ungoogled = true;
# --enable-native-gpu-memory-buffers # fails on AMD APU

3
common/pc/default.nix
View File

@@ -17,6 +17,7 @@ in {
./discord.nix
./steam.nix
./touchpad.nix
./mount-samba.nix
];
options.de = {
@@ -41,7 +42,6 @@ in {
nextcloud-client
signal-desktop
minecraft
sauerbraten
gparted
libreoffice-fresh
thunderbird
@@ -49,6 +49,7 @@ in {
spotify-qt
arduino
yt-dlp
jellyfin-media-player
];
# Networking

36
common/pc/mount-samba.nix Normal file
View File

@@ -0,0 +1,36 @@
# mounts the samba share on s0 over zeroteir
{ config, lib, ... }:
let
cfg = config.services.mount-samba;
# prevents hanging on network split
network_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s,nostrictsync,cache=loose,handlecache,handletimeout=30000,rwpidforward,mapposix,soft,resilienthandles,echo_interval=10,noblocksend";
user_opts = "uid=${toString config.users.users.googlebot.uid},file_mode=0660,dir_mode=0770,user";
auth_opts = "credentials=/run/agenix/smb-secrets";
version_opts = "vers=2.1";
opts = "${network_opts},${user_opts},${version_opts},${auth_opts}";
in {
options.services.mount-samba = {
enable = lib.mkEnableOption "enable mounting samba shares";
};
config = lib.mkIf (cfg.enable && config.services.zerotierone.enable) {
fileSystems."/mnt/public" = {
device = "//s0.zt.neet.dev/public";
fsType = "cifs";
options = [ opts ];
};
fileSystems."/mnt/private" = {
device = "//s0.zt.neet.dev/googlebot";
fsType = "cifs";
options = [ opts ];
};
age.secrets.smb-secrets.file = ../../secrets/smb-secrets.age;
};
}

76
common/pc/pia/default.nix Normal file
View File

@@ -0,0 +1,76 @@
{ lib, config, pkgs, ... }:
with lib;
let
cfg = config.services.pia;
in {
imports = [
./pia.nix
];
options.services.pia = {
enable = lib.mkEnableOption "Enable PIA Client";
dataDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/pia";
description = ''
Path to the pia data directory
'';
};
user = lib.mkOption {
type = lib.types.str;
default = "root";
description = ''
The user pia should run as
'';
};
group = lib.mkOption {
type = lib.types.str;
default = "piagrp";
description = ''
The group pia should run as
'';
};
users = mkOption {
type = with types; listOf str;
default = [];
description = ''
Usernames to be added to the "spotifyd" group, so that they
can start and interact with the userspace daemon.
'';
};
};
config = mkIf cfg.enable {
# users.users.${cfg.user} =
# if cfg.user == "pia" then {
# isSystemUser = true;
# group = cfg.group;
# home = cfg.dataDir;
# createHome = true;
# }
# else {};
users.groups.${cfg.group}.members = cfg.users;
systemd.services.pia-daemon = {
enable = true;
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.ExecStart = "${pkgs.pia-daemon}/bin/pia-daemon";
serviceConfig.PrivateTmp="yes";
serviceConfig.User = cfg.user;
serviceConfig.Group = cfg.group;
preStart = ''
mkdir -p ${cfg.dataDir}
chown ${cfg.user}:${cfg.group} ${cfg.dataDir}
'';
};
};
}

147
common/pc/pia/fix-pia.patch Normal file
View File

@@ -0,0 +1,147 @@
diff --git a/Rakefile b/Rakefile
index fa6d771..bcd6fb1 100644
--- a/Rakefile
+++ b/Rakefile
@@ -151,41 +151,6 @@ end
# Install LICENSE.txt
stage.install('LICENSE.txt', :res)
-# Download server lists to ship preloaded copies with the app. These tasks
-# depend on version.txt so they're refreshed periodically (whenver a new commit
-# is made), but not for every build.
-#
-# SERVER_DATA_DIR can be set to use existing files instead of downloading them;
-# this is primarily intended for reproducing a build.
-#
-# Create a probe for SERVER_DATA_DIR so these are updated if it changes.
-serverDataProbe = Probe.new('serverdata')
-serverDataProbe.file('serverdata.txt', "#{ENV['SERVER_DATA_DIR']}")
-# JSON resource build directory
-jsonFetched = Build.new('json-fetched')
-# These are the assets we need to fetch and the URIs we get them from
-{
- 'modern_shadowsocks.json': 'https://serverlist.piaservers.net/shadow_socks',
- 'modern_servers.json': 'https://serverlist.piaservers.net/vpninfo/servers/v6',
- 'modern_region_meta.json': 'https://serverlist.piaservers.net/vpninfo/regions/v2'
-}.each do |k, v|
- fetchedFile = jsonFetched.artifact(k.to_s)
- serverDataDir = ENV['SERVER_DATA_DIR']
- file fetchedFile => [version.artifact('version.txt'),
- serverDataProbe.artifact('serverdata.txt'),
- jsonFetched.componentDir] do |t|
- if(serverDataDir)
- # Use the copy provided instead of fetching (for reproducing a build)
- File.copy(File.join(serverDataDir, k), fetchedFile)
- else
- # Fetch from the web API (write with "binary" mode so LF is not
- # converted to CRLF on Windows)
- File.binwrite(t.name, Net::HTTP.get(URI(v)))
- end
- end
- stage.install(fetchedFile, :res)
-end
-
# Install version/brand/arch info in case an upgrade needs to know what is
# currently installed
stage.install(version.artifact('version.txt'), :res)
diff --git a/common/src/posix/unixsignalhandler.cpp b/common/src/posix/unixsignalhandler.cpp
index f820a6d..e1b6c33 100644
--- a/common/src/posix/unixsignalhandler.cpp
+++ b/common/src/posix/unixsignalhandler.cpp
@@ -132,7 +132,7 @@ void UnixSignalHandler::_signalHandler(int, siginfo_t *info, void *)
// we checked it, we can't even log because the logger is not reentrant.
auto pThis = instance();
if(pThis)
- ::write(pThis->_sigFd[0], info, sizeof(siginfo_t));
+ auto _ = ::write(pThis->_sigFd[0], info, sizeof(siginfo_t));
}
template<int Signal>
void UnixSignalHandler::setAbortAction()
diff --git a/daemon/src/linux/linux_nl.cpp b/daemon/src/linux/linux_nl.cpp
index fd3aced..2367a5e 100644
--- a/daemon/src/linux/linux_nl.cpp
+++ b/daemon/src/linux/linux_nl.cpp
@@ -642,6 +642,6 @@ LinuxNl::~LinuxNl()
unsigned char term = 0;
PosixFd killSocket = _workerKillSocket.get();
if(killSocket)
- ::write(killSocket.get(), &term, sizeof(term));
+ auto _ = ::write(killSocket.get(), &term, sizeof(term));
_workerThread.join();
}
diff --git a/extras/support-tool/launcher/linux-launcher.cpp b/extras/support-tool/launcher/linux-launcher.cpp
index 3f63ac2..420d54d 100644
--- a/extras/support-tool/launcher/linux-launcher.cpp
+++ b/extras/support-tool/launcher/linux-launcher.cpp
@@ -48,7 +48,7 @@ int fork_execv(gid_t gid, char *filename, char *const argv[])
if(forkResult == 0)
{
// Apply gid as both real and effective
- setregid(gid, gid);
+ auto _ = setregid(gid, gid);
int execErr = execv(filename, argv);
std::cerr << "exec err: " << execErr << " / " << errno << " - "
diff --git a/rake/model/qt.rb b/rake/model/qt.rb
index c8cd362..a6abe59 100644
--- a/rake/model/qt.rb
+++ b/rake/model/qt.rb
@@ -171,12 +171,7 @@ class Qt
end
def getQtRoot(qtVersion, arch)
- qtToolchainPtns = getQtToolchainPatterns(arch)
- qtRoots = FileList[*Util.joinPaths([[qtVersion], qtToolchainPtns])]
- # Explicitly filter for existing paths - if the pattern has wildcards
- # we only get existing directories, but if the patterns are just
- # alternates with no wildcards, we can get directories that don't exist
- qtRoots.find_all { |r| File.exist?(r) }.max
+ ENV['QTROOT']
end
def getQtVersionScore(minor, patch)
@@ -192,12 +187,7 @@ class Qt
end
def getQtPathVersion(path)
- verMatch = path.match('^.*/Qt[^/]*/5\.(\d+)\.?(\d*)$')
- if(verMatch == nil)
- nil
- else
- [verMatch[1].to_i, verMatch[2].to_i]
- end
+ [ENV['QT_MAJOR'].to_i, ENV['QT_MINOR'].to_i]
end
# Build a component definition with the defaults. The "Core" component will
diff --git a/rake/product/linux.rb b/rake/product/linux.rb
index f43fb3e..83505af 100644
--- a/rake/product/linux.rb
+++ b/rake/product/linux.rb
@@ -18,8 +18,7 @@ module PiaLinux
QT_BINARIES = %w(pia-client pia-daemon piactl pia-support-tool)
# Version of libicu (needed to determine lib*.so.## file names in deployment)
- ICU_VERSION = FileList[File.join(Executable::Qt.targetQtRoot, 'lib', 'libicudata.so.*')]
- .first.match(/libicudata\.so\.(\d+)(\..*|)/)[1]
+ ICU_VERSION = ENV['ICU_MAJOR'].to_i;
# Copy a directory recursively, excluding *.debug files (debugging symbols)
def self.copyWithoutDebug(sourceDir, destDir)
@@ -220,16 +219,5 @@ module PiaLinux
# Since these are just development workflow tools, they can be skipped if
# specific dependencies are not available.
def self.defineTools(toolsStage)
- # Test if we have libthai-dev, for the Thai word breaking utility
- if(Executable::Tc.sysHeaderAvailable?('thai/thwbrk.h'))
- Executable.new('thaibreak')
- .source('tools/thaibreak')
- .lib('thai')
- .install(toolsStage, :bin)
- toolsStage.install('tools/thaibreak/thai_ts.sh', :bin)
- toolsStage.install('tools/onesky_import/import_translations.sh', :bin)
- else
- puts "skipping thaibreak utility, install libthai-dev to build thaibreak"
- end
end
end

139
common/pc/pia/pia.nix Normal file
View File

@@ -0,0 +1,139 @@
{ pkgs, lib, config, ... }:
{
nixpkgs.overlays = [
(self: super:
with self;
let
# arch = builtins.elemAt (lib.strings.splitString "-" builtins.currentSystem) 0;
arch = "x86_64";
pia-desktop = clangStdenv.mkDerivation rec {
pname = "pia-desktop";
version = "3.3.0";
src = fetchgit {
url = "https://github.com/pia-foss/desktop";
rev = version;
fetchLFS = true;
sha256 = "D9txL5MUWyRYTnsnhlQdYT4dGVpj8PFsVa5hkrb36cw=";
};
patches = [
./fix-pia.patch
];
nativeBuildInputs = [
cmake
rake
];
prePatch = ''
sed -i 's|/usr/include/libnl3|${libnl.dev}/include/libnl3|' Rakefile
'';
installPhase = ''
mkdir -p $out/bin $out/lib $out/share
cp -r ../out/pia_release_${arch}/stage/bin $out
cp -r ../out/pia_release_${arch}/stage/lib $out
cp -r ../out/pia_release_${arch}/stage/share $out
'';
cmakeFlags = [
"-DCMAKE_BUILD_TYPE=Release"
];
QTROOT = "${qt5.full}";
QT_MAJOR = lib.versions.minor (lib.strings.parseDrvName qt5.full.name).version;
QT_MINOR = lib.versions.patch (lib.strings.parseDrvName qt5.full.name).version;
ICU_MAJOR = lib.versions.major (lib.strings.parseDrvName icu.name).version;
buildInputs = [
mesa
libsForQt5.qt5.qtquickcontrols
libsForQt5.qt5.qtquickcontrols2
icu
libnl
];
dontWrapQtApps = true;
};
in rec {
openvpn-updown = buildFHSUserEnv {
name = "openvpn-updown";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "openvpn-updown.sh";
};
pia-client = buildFHSUserEnv {
name = "pia-client";
targetPkgs = pkgs: (with pkgs; [
pia-desktop
xorg.libXau
xorg.libXdmcp
]);
runScript = "pia-client";
};
piactl = buildFHSUserEnv {
name = "piactl";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "piactl";
};
pia-daemon = buildFHSUserEnv {
name = "pia-daemon";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "pia-daemon";
};
pia-hnsd = buildFHSUserEnv {
name = "pia-hnsd";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "pia-hnsd";
};
pia-openvpn = buildFHSUserEnv {
name = "pia-openvpn";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "pia-openvpn";
};
pia-ss-local = buildFHSUserEnv {
name = "pia-ss-local";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "pia-ss-local";
};
pia-support-tool = buildFHSUserEnv {
name = "pia-support-tool";
targetPkgs = pkgs: (with pkgs; [
pia-desktop
xorg.libXau
xorg.libXdmcp
]);
runScript = "pia-support-tool";
};
pia-unbound = buildFHSUserEnv {
name = "pia-unbound";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "pia-unbound";
};
pia-wireguard-go = buildFHSUserEnv {
name = "pia-wireguard-go";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "pia-wireguard-go";
};
support-tool-launcher = buildFHSUserEnv {
name = "support-tool-launcher";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "support-tool-launcher";
};
})
];
}

108
common/pia.nix
View File

@@ -1,108 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.pia;
vpnfailsafe = pkgs.stdenv.mkDerivation {
pname = "vpnfailsafe";
version = "0.0.1";
src = ./.;
installPhase = ''
mkdir -p $out
cp vpnfailsafe.sh $out/vpnfailsafe.sh
sed -i 's|getent|${pkgs.getent}/bin/getent|' $out/vpnfailsafe.sh
'';
};
in
{
options.pia = {
enable = lib.mkEnableOption "Enable private internet access";
};
config = lib.mkIf cfg.enable {
services.openvpn = {
servers = {
pia = {
config = ''
client
dev tun
proto udp
remote us-washingtondc.privacy.network 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass
compress
verb 1
reneg-sec 0
<crl-verify>
-----BEGIN X509 CRL-----
MIICWDCCAUAwDQYJKoZIhvcNAQENBQAwgegxCzAJBgNVBAYTAlVTMQswCQYDVQQI
EwJDQTETMBEGA1UEBxMKTG9zQW5nZWxlczEgMB4GA1UEChMXUHJpdmF0ZSBJbnRl
cm5ldCBBY2Nlc3MxIDAeBgNVBAsTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAw
HgYDVQQDExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UEKRMXUHJpdmF0
ZSBJbnRlcm5ldCBBY2Nlc3MxLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRl
aW50ZXJuZXRhY2Nlc3MuY29tFw0xNjA3MDgxOTAwNDZaFw0zNjA3MDMxOTAwNDZa
MCYwEQIBARcMMTYwNzA4MTkwMDQ2MBECAQYXDDE2MDcwODE5MDA0NjANBgkqhkiG
9w0BAQ0FAAOCAQEAQZo9X97ci8EcPYu/uK2HB152OZbeZCINmYyluLDOdcSvg6B5
jI+ffKN3laDvczsG6CxmY3jNyc79XVpEYUnq4rT3FfveW1+Ralf+Vf38HdpwB8EW
B4hZlQ205+21CALLvZvR8HcPxC9KEnev1mU46wkTiov0EKc+EdRxkj5yMgv0V2Re
ze7AP+NQ9ykvDScH4eYCsmufNpIjBLhpLE2cuZZXBLcPhuRzVoU3l7A9lvzG9mjA
5YijHJGHNjlWFqyrn1CfYS6koa4TGEPngBoAziWRbDGdhEgJABHrpoaFYaL61zqy
MR6jC0K2ps9qyZAN74LEBedEfK7tBOzWMwr58A==
-----END X509 CRL-----
</crl-verify>
<ca>
-----BEGIN CERTIFICATE-----
MIIFqzCCBJOgAwIBAgIJAKZ7D5Yv87qDMA0GCSqGSIb3DQEBDQUAMIHoMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCQ0ExEzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNV
BAoTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIElu
dGVybmV0IEFjY2VzczEgMB4GA1UEAxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3Mx
IDAeBgNVBCkTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkB
FiBzZWN1cmVAcHJpdmF0ZWludGVybmV0YWNjZXNzLmNvbTAeFw0xNDA0MTcxNzM1
MThaFw0zNDA0MTIxNzM1MThaMIHoMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0Ex
EzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNVBAoTF1ByaXZhdGUgSW50ZXJuZXQg
QWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UE
AxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBCkTF1ByaXZhdGUgSW50
ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkBFiBzZWN1cmVAcHJpdmF0ZWludGVy
bmV0YWNjZXNzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPXD
L1L9tX6DGf36liA7UBTy5I869z0UVo3lImfOs/GSiFKPtInlesP65577nd7UNzzX
lH/P/CnFPdBWlLp5ze3HRBCc/Avgr5CdMRkEsySL5GHBZsx6w2cayQ2EcRhVTwWp
cdldeNO+pPr9rIgPrtXqT4SWViTQRBeGM8CDxAyTopTsobjSiYZCF9Ta1gunl0G/
8Vfp+SXfYCC+ZzWvP+L1pFhPRqzQQ8k+wMZIovObK1s+nlwPaLyayzw9a8sUnvWB
/5rGPdIYnQWPgoNlLN9HpSmsAcw2z8DXI9pIxbr74cb3/HSfuYGOLkRqrOk6h4RC
OfuWoTrZup1uEOn+fw8CAwEAAaOCAVQwggFQMB0GA1UdDgQWBBQv63nQ/pJAt5tL
y8VJcbHe22ZOsjCCAR8GA1UdIwSCARYwggESgBQv63nQ/pJAt5tLy8VJcbHe22ZO
sqGB7qSB6zCB6DELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRMwEQYDVQQHEwpM
b3NBbmdlbGVzMSAwHgYDVQQKExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4G
A1UECxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBAMTF1ByaXZhdGUg
SW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQpExdQcml2YXRlIEludGVybmV0IEFjY2Vz
czEvMC0GCSqGSIb3DQEJARYgc2VjdXJlQHByaXZhdGVpbnRlcm5ldGFjY2Vzcy5j
b22CCQCmew+WL/O6gzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBDQUAA4IBAQAn
a5PgrtxfwTumD4+3/SYvwoD66cB8IcK//h1mCzAduU8KgUXocLx7QgJWo9lnZ8xU
ryXvWab2usg4fqk7FPi00bED4f4qVQFVfGfPZIH9QQ7/48bPM9RyfzImZWUCenK3
7pdw4Bvgoys2rHLHbGen7f28knT2j/cbMxd78tQc20TIObGjo8+ISTRclSTRBtyC
GohseKYpTS9himFERpUgNtefvYHbn70mIOzfOJFTVqfrptf9jXa9N8Mpy3ayfodz
1wiqdteqFXkTYoSDctgKMiZ6GdocK9nMroQipIQtpnwd4yBDWIyC6Bvlkrq5TQUt
YDQ8z9v+DMO6iwyIDRiU
-----END CERTIFICATE-----
</ca>
disable-occ
auth-user-pass /run/agenix/pia-login.conf
'';
autoStart = true;
up = "${vpnfailsafe}/vpnfailsafe.sh";
down = "${vpnfailsafe}/vpnfailsafe.sh";
};
};
};
age.secrets."pia-login.conf".file = ../secrets/pia-login.conf;
};
}

58
common/server/cloudflared.nix
View File

@@ -1,58 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.cloudflared;
settingsFormat = pkgs.formats.yaml { };
in
{
meta.maintainers = with maintainers; [ pmc ];
options = {
services.cloudflared = {
enable = mkEnableOption "cloudflared";
package = mkOption {
type = types.package;
default = pkgs.cloudflared;
description = "The cloudflared package to use";
example = literalExpression ''pkgs.cloudflared'';
};
config = mkOption {
type = settingsFormat.type;
description = "Contents of the config.yaml as an attrset; see https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/configuration-file for documentation on the contents";
example = literalExpression ''
{
url = "http://localhost:3000";
tunnel = "505c8dd1-e4fb-4ea4-b909-26b8f61ceaaf";
credentials-file = "/var/lib/cloudflared/505c8dd1-e4fb-4ea4-b909-26b8f61ceaaf.json";
}
'';
};
configFile = mkOption {
type = types.path;
description = "Path to cloudflared config.yaml.";
example = literalExpression ''"/etc/cloudflared/config.yaml"'';
};
};
};
config = mkIf cfg.enable ({
# Prefer the config file over settings if both are set.
services.cloudflared.configFile = mkDefault (settingsFormat.generate "cloudflared.yaml" cfg.config);
systemd.services.cloudflared = {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
description = "Cloudflare Argo Tunnel";
serviceConfig = {
TimeoutStartSec = 0;
Type = "notify";
ExecStart = "${cfg.package}/bin/cloudflared --config ${cfg.configFile} --no-autoupdate tunnel run";
Restart = "on-failure";
RestartSec = "5s";
};
};
});
}

2
common/server/default.nix
View File

@@ -13,6 +13,6 @@
./privatebin/privatebin.nix
./radio.nix
./samba.nix
./cloudflared.nix
./owncast.nix
];
}

4
common/server/matrix.nix
View File

@@ -59,10 +59,11 @@ in {
config = lib.mkIf cfg.enable {
services.matrix-synapse = {
enable = true;
settings = {
server_name = cfg.host;
enable_registration = cfg.enable_registration;
listeners = [ {
bind_address = "127.0.0.1";
bind_addresses = ["127.0.0.1"];
port = cfg.port;
tls = false;
resources = [ {
@@ -77,6 +78,7 @@ in {
turn_shared_secret = cfg.turn.secret;
turn_user_lifetime = "1h";
};
};
services.coturn = {
enable = true;

31
common/server/owncast.nix Normal file
View File

@@ -0,0 +1,31 @@
{ lib, config, ... }:
with lib;
let
cfg = config.services.owncast;
in {
options.services.owncast = {
hostname = lib.mkOption {
type = types.str;
example = "example.com";
};
};
config = mkIf cfg.enable {
services.owncast.listen = "127.0.0.1";
services.owncast.port = 62419; # random port
networking.firewall.allowedTCPPorts = [ cfg.rtmp-port ];
services.nginx.enable = true;
services.nginx.virtualHosts.${cfg.hostname} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${toString cfg.port}";
proxyWebsockets = true;
};
};
};
}

27
common/server/samba.nix
View File

@@ -24,6 +24,10 @@
load printers = yes
printing = cups
printcap name = cups
# horrible files
veto files = /._*/.DS_Store/ /._*/._.DS_Store/
delete veto files = yes
'';
shares = {
@@ -31,22 +35,34 @@
path = "/data/samba/Public";
browseable = "yes";
"read only" = "no";
"guest ok" = "yes";
"guest ok" = "no";
"create mask" = "0644";
"directory mask" = "0755";
"force user" = "public_data";
"force group" = "public_data";
};
private = {
path = "/data/samba/Private";
googlebot = {
path = "/data/samba/googlebot";
browseable = "yes";
"read only" = "no";
"guest ok" = "no";
"valid users" = "googlebot";
"create mask" = "0644";
"directory mask" = "0755";
"force user" = "googlebot";
"force group" = "users";
};
cris = {
path = "/data/samba/cris";
browseable = "yes";
"read only" = "no";
"guest ok" = "no";
"valid users" = "cris";
"create mask" = "0644";
"directory mask" = "0755";
"force user" = "root";
"force group" = "users";
};
printers = {
comment = "All Printers";
path = "/var/spool/samba";
@@ -90,5 +106,10 @@
uid = 994;
};
users.users.googlebot.extraGroups = [ "public_data" ];
# samba user for share
users.users.cris.isSystemUser = true;
users.users.cris.group = "cris";
users.groups.cris = {};
};
}

2
common/server/thelounge.nix
View File

@@ -23,7 +23,7 @@ in {
config = lib.mkIf cfg.enable {
services.thelounge = {
private = true;
public = false;
extraConfig = {
reverseProxy = true;
maxHistory = -1;

46
common/shell.nix Normal file
View File

@@ -0,0 +1,46 @@
{ config, pkgs, ... }:
# Improvements to the default shell
# - use nix-locate for command-not-found
# - disable fish's annoying greeting message
# - add some handy shell commands
let
nix-locate = config.inputs.nix-locate.packages.${config.currentSystem}.default;
in {
programs.command-not-found.enable = false;
environment.systemPackages = [
nix-locate
];
programs.fish = {
enable = true;
shellInit = let
wrapper = pkgs.writeScript "command-not-found" ''
#!${pkgs.bash}/bin/bash
source ${nix-locate}/etc/profile.d/command-not-found.sh
command_not_found_handle "$@"
'';
in ''
# use nix-locate for command-not-found functionality
function __fish_command_not_found_handler --on-event fish_command_not_found
${wrapper} $argv
end
# disable annoying fish shell greeting
set fish_greeting
'';
};
environment.shellAliases = {
myip = "dig +short myip.opendns.com @resolver1.opendns.com";
# https://linuxreviews.org/HOWTO_Test_Disk_I/O_Performance
io_seq_read = "nix run nixpkgs#fio -- --name TEST --eta-newline=5s --filename=temp.file --rw=read --size=2g --io_size=10g --blocksize=1024k --ioengine=libaio --fsync=10000 --iodepth=32 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
io_seq_write = "nix run nixpkgs#fio -- --name TEST --eta-newline=5s --filename=temp.file --rw=write --size=2g --io_size=10g --blocksize=1024k --ioengine=libaio --fsync=10000 --iodepth=32 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
io_rand_read = "nix run nixpkgs#fio -- --name TEST --eta-newline=5s --filename=temp.file --rw=randread --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=32 --runtime=60 --group_reporting; rm temp.file";
io_rand_write = "nix run nixpkgs#fio -- --name TEST --eta-newline=5s --filename=temp.file --rw=randrw --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
};
}

4
common/ssh.nix
View File

@@ -11,7 +11,7 @@ rec {
ponyo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMBBlTAIp38RhErU1wNNV5MBeb+WGH0mhF/dxh5RsAXN";
ponyo-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC9LQuuImgWlkjDhEEIbM1wOd+HqRv1RxvYZuLXPSdRi";
ray = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQM8hwKRgl8cZj7UVYATSLYu4LhG7I0WFJ9m2iWowiB";
s0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHkTQNPzrIhsKk3OpTHq8b7slIp9LktB49r1w/DKb/5b";
s0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";
n1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPWlhd1Oid5Xf2zdcBrcdrR0TlhObutwcJ8piobRTpRt";
n2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ7bRiRutnI7Bmyt/I238E3Fp5DqiClIXiVibsccipOr";
n3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+rJEaRrFDGirQC2UoWQkmpzLg4qgTjGJgVqiipWiU5";
@@ -24,6 +24,7 @@ rec {
# groups
systems = with system; [
liza
ponyo
ray
s0
n1
@@ -39,6 +40,7 @@ rec {
];
servers = with system; [
liza
ponyo
s0
n1
n2

171
flake.lock generated
View File

@@ -2,16 +2,17 @@
"nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1648942457,
"narHash": "sha256-i29Z1t3sVfCNfpp+KAfeExvpqHQSbLO1KWylTtfradU=",
"lastModified": 1675176355,
"narHash": "sha256-Qjxh5cmN56siY97mzmBLI1+cdjXSPqmfPVsKxBvHmwI=",
"owner": "ryantm",
"repo": "agenix",
"rev": "0d5e59ed645e4c7b60174bc6f6aac6a203dc0b01",
"rev": "b7ffcfe77f817d9ee992640ba1f270718d197f28",
"type": "github"
},
"original": {
@@ -32,7 +33,7 @@
"locked": {
"lastModified": 1648612759,
"narHash": "sha256-SJwlpD2Wz3zFoX2mIYCQfwIOYHaOdeiWGFeDXsLGM84=",
"ref": "master",
"ref": "refs/heads/master",
"rev": "39d338b9b24159d8ef3309eecc0d32a2a9f102b5",
"revCount": 2,
"type": "git",
@@ -61,8 +62,6 @@
},
"dailybuild_modules": {
"inputs": {
"drastikbot": "drastikbot",
"drastikbot_modules": "drastikbot_modules",
"flake-utils": [
"flake-utils"
],
@@ -71,60 +70,64 @@
]
},
"locked": {
"lastModified": 1648509055,
"narHash": "sha256-y8AXfcbkAqn9UcfnfQz1MisT4YIXxj2I6P7uMnqMn9E=",
"lastModified": 1651719222,
"narHash": "sha256-p/GY5vOP+HUlxNL4OtEhmBNEVQsedOHXEmjfCGONVmE=",
"ref": "refs/heads/master",
"rev": "1290ddd9a2ff2bf2d0f702750768312b80efcd34",
"revCount": 19,
"type": "git",
"url": "https://git.neet.dev/zuckerberg/dailybuild_modules.git"
},
"original": {
"type": "git",
"url": "https://git.neet.dev/zuckerberg/dailybuild_modules.git"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1673295039,
"narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"rev": "82f4cddc27be4370f321a8d758db1b35c2ce28e5",
"revCount": 11,
"type": "git",
"url": "https://git.neet.dev/zuckerberg/dailybuild_modules.git"
},
"original": {
"type": "git",
"url": "https://git.neet.dev/zuckerberg/dailybuild_modules.git"
}
},
"drastikbot": {
"flake": false,
"locked": {
"lastModified": 1596211584,
"narHash": "sha256-1L8vTE1YEhFWzY5RYb+s5Hb4LrVJNN2leKlZEugEyRU=",
"owner": "olagood",
"repo": "drastikbot",
"rev": "ef72e3afe7602d95c8b014202e220f04796900ab",
"type": "github"
},
"original": {
"owner": "olagood",
"ref": "v2.1",
"repo": "drastikbot",
"repo": "nix-darwin",
"type": "github"
}
},
"drastikbot_modules": {
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1619214744,
"narHash": "sha256-w1164FkRkeyWnx6a95WDbwEUvNkNwFWa/6mhKtgVw0c=",
"owner": "olagood",
"repo": "drastikbot_modules",
"rev": "3af549a8c3f6e55b63758a61a751bebb1b2db3a3",
"lastModified": 1668681692,
"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "009399224d5e398d03b22badca40a37ac85412a1",
"type": "github"
},
"original": {
"owner": "olagood",
"ref": "v2.1",
"repo": "drastikbot_modules",
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-utils": {
"locked": {
"lastModified": 1648297722,
"narHash": "sha256-W+qlPsiZd8F3XkzXOzAoR+mpFqzm3ekQkJNa+PIh1BQ=",
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "0f8662f1319ad6abf89b3380dd2722369fc51ade",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
@@ -133,49 +136,70 @@
"type": "github"
}
},
"nix-locate": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1673969751,
"narHash": "sha256-U6aYz3lqZ4NVEGEWiti1i0FyqEo4bUjnTAnA73DPnNU=",
"owner": "bennofs",
"repo": "nix-index",
"rev": "5f98881b1ed27ab6656e6d71b534f88430f6823a",
"type": "github"
},
"original": {
"owner": "bennofs",
"repo": "nix-index",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1649117019,
"narHash": "sha256-ID7nw/8MDgqj/cbJ0wy6AtQ9wp58hSnE6+weZwuHnso=",
"lastModified": 1672580127,
"narHash": "sha256-3lW3xZslREhJogoOkjeZtlBtvFMyxHku7I/9IVehhT8=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ccb90fb9e11459aeaf83cc28d5f8910816d90dd0",
"rev": "0874168639713f547c05947c76124f78441ea46c",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-21.11",
"ref": "nixos-22.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-21_05": {
"nixpkgs-22_05": {
"locked": {
"lastModified": 1625692408,
"narHash": "sha256-e9L3TLLDVIJpMnHtiNHJE62oOh6emRtSZ244bgYJUZs=",
"lastModified": 1654936503,
"narHash": "sha256-soKzdhI4jTHv/rSbh89RdlcJmrPgH8oMb/PLqiqIYVQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "c06613c25df3fe1dd26243847a3c105cf6770627",
"rev": "dab6df51387c3878cdea09f43589a15729cae9f4",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-21.05",
"ref": "nixos-22.05",
"type": "indirect"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1649408932,
"narHash": "sha256-JhTW1OtS5fACcRXLqcTTQyYO5vLkO+bceCqeRms13SY=",
"lastModified": 1675835843,
"narHash": "sha256-y1dSCQPcof4CWzRYRqDj4qZzbBl+raVPAko5Prdil28=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "42948b300670223ca8286aaf916bc381f66a5313",
"rev": "32f914af34f126f54b45e482fb2da4ae78f3095f",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"ref": "master",
"repo": "nixpkgs",
"type": "github"
}
@@ -190,16 +214,17 @@
]
},
"locked": {
"lastModified": 1633288285,
"narHash": "sha256-pL8oEB1AoghvFTsSLLKA1zhV8Z8TM8vcAkeodS6/IZs=",
"lastModified": 1631585589,
"narHash": "sha256-q4o/4/2pEuJyaKZwNQC5KHnzG1obClzFB7zWk9XSDfY=",
"ref": "main",
"rev": "eb95b31089f5a107cb7efe0c55d45beb1399ebbb",
"revCount": 51,
"rev": "5bf607fed977d41a269942a7d1e92f3e6d4f2473",
"revCount": 38,
"type": "git",
"url": "https://git.neet.dev/zuckerberg/radio.git"
},
"original": {
"ref": "main",
"rev": "5bf607fed977d41a269942a7d1e92f3e6d4f2473",
"type": "git",
"url": "https://git.neet.dev/zuckerberg/radio.git"
}
@@ -207,11 +232,11 @@
"radio-web": {
"flake": false,
"locked": {
"lastModified": 1629918655,
"narHash": "sha256-sDVM1K1r2y4T37tvdu3mtjiswJ7/PrVGsDQrHzrNfac=",
"ref": "master",
"rev": "585ce4e3d09d1618d61358902a4231e91e15e1de",
"revCount": 4,
"lastModified": 1652121792,
"narHash": "sha256-j1Y9MAjUVNgyFSeGzPoqibAnEysJDjZSXukVfQ7+bsQ=",
"ref": "refs/heads/master",
"rev": "72e7a9e80b780c84ed8d4a6374bfbb242701f900",
"revCount": 5,
"type": "git",
"url": "https://git.neet.dev/zuckerberg/radio-web.git"
},
@@ -226,6 +251,7 @@
"archivebox": "archivebox",
"dailybuild_modules": "dailybuild_modules",
"flake-utils": "flake-utils",
"nix-locate": "nix-locate",
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable",
"radio": "radio",
@@ -239,23 +265,20 @@
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-21_05": "nixpkgs-21_05",
"nixpkgs-21_11": [
"nixpkgs"
],
"nixpkgs-22_05": "nixpkgs-22_05",
"utils": "utils"
},
"locked": {
"lastModified": 1638911354,
"narHash": "sha256-hNhzLOp+dApEY15vwLAQZu+sjEQbJcOXCaSfAT6lpsQ=",
"lastModified": 1655930346,
"narHash": "sha256-ht56HHOzEhjeIgAv5ZNFjSVX/in1YlUs0HG9c1EUXTM=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
"rev": "6e3a7b2ea6f0d68b82027b988aa25d3423787303",
"rev": "f535d8123c4761b2ed8138f3d202ea710a334a1d",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"ref": "nixos-21.11",
"ref": "nixos-22.05",
"repo": "nixos-mailserver",
"type": "gitlab"
}

92
flake.nix
View File

@@ -1,21 +1,23 @@
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.11";
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.05";
nixpkgs-unstable.url = "github:NixOS/nixpkgs/master";
flake-utils.url = "github:numtide/flake-utils";
nix-locate.url = "github:bennofs/nix-index";
nix-locate.inputs.nixpkgs.follows = "nixpkgs";
# mail server
simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-21.11";
simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-22.05";
simple-nixos-mailserver.inputs.nixpkgs.follows = "nixpkgs";
simple-nixos-mailserver.inputs.nixpkgs-21_11.follows = "nixpkgs";
# agenix
agenix.url = "github:ryantm/agenix";
agenix.inputs.nixpkgs.follows = "nixpkgs";
# radio
radio.url = "git+https://git.neet.dev/zuckerberg/radio.git?ref=main";
radio.url = "git+https://git.neet.dev/zuckerberg/radio.git?ref=main&rev=5bf607fed977d41a269942a7d1e92f3e6d4f2473";
radio.inputs.nixpkgs.follows = "nixpkgs";
radio.inputs.flake-utils.follows = "flake-utils";
radio-web.url = "git+https://git.neet.dev/zuckerberg/radio-web.git";
@@ -32,21 +34,20 @@
archivebox.inputs.flake-utils.follows = "flake-utils";
};
outputs = inputs: {
outputs = { self, nixpkgs, nixpkgs-unstable, ... }@inputs: {
nixosConfigurations =
let
nixpkgs = inputs.nixpkgs;
nixpkgs-unstable = inputs.nixpkgs-unstable;
modules = system: [
./common
inputs.simple-nixos-mailserver.nixosModule
inputs.agenix.nixosModule
inputs.agenix.nixosModules.default
inputs.dailybuild_modules.nixosModule
inputs.archivebox.nixosModule
({ lib, ... }: {
config.environment.systemPackages = [ inputs.agenix.defaultPackage.${system} ];
config.environment.systemPackages = [
inputs.agenix.packages.${system}.agenix
];
# because nixos specialArgs doesn't work for containers... need to pass in inputs a different way
options.inputs = lib.mkOption { default = inputs; };
@@ -54,61 +55,22 @@
})
];
mkVpnContainer = system: pkgs: mount: config: {
ephemeral = true;
autoStart = true;
bindMounts = {
"/var/lib" = {
hostPath = "/var/lib/";
isReadOnly = false;
};
"/run/agenix" = {
hostPath = "/run/agenix";
isReadOnly = true;
};
"/dev/fuse" = {
hostPath = "/dev/fuse";
isReadOnly = false;
};
"${mount}" = {
hostPath = mount;
isReadOnly = false;
};
};
enableTun = true;
privateNetwork = true;
hostAddress = "172.16.100.1";
localAddress = "172.16.100.2";
config = { lib, ... }: {
imports = (modules system) ++ [config];
nixpkgs.pkgs = pkgs;
networking.firewall.enable = lib.mkForce false;
pia.enable = true;
# run it's own DNS resolver
networking.useHostResolvConf = false;
services.resolved.enable = true;
};
};
mkSystem = system: nixpkgs: path:
nixpkgs.lib.nixosSystem {
let
allModules = modules system;
in nixpkgs.lib.nixosSystem {
inherit system;
modules = (modules system) ++ [path];
modules = allModules ++ [path];
specialArgs = {
mkVpnContainer = (mkVpnContainer system);
inherit allModules;
};
};
in
{
"reg" = mkSystem "x86_64-linux" nixpkgs ./machines/reg/configuration.nix;
"ray" = mkSystem "x86_64-linux" nixpkgs ./machines/ray/configuration.nix;
"ray" = mkSystem "x86_64-linux" nixpkgs-unstable ./machines/ray/configuration.nix;
"nat" = mkSystem "aarch64-linux" nixpkgs ./machines/nat/configuration.nix;
"neetdev" = mkSystem "x86_64-linux" nixpkgs ./machines/neet.dev/configuration.nix;
"liza" = mkSystem "x86_64-linux" nixpkgs ./machines/liza/configuration.nix;
"ponyo" = mkSystem "x86_64-linux" nixpkgs ./machines/ponyo/configuration.nix;
"s0" = mkSystem "aarch64-linux" nixpkgs-unstable ./machines/storage/s0/configuration.nix;
@@ -120,5 +82,23 @@
"n6" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n6/configuration.nix;
"n7" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n7/configuration.nix;
};
packages = let
mkKexec = system:
(nixpkgs.lib.nixosSystem {
inherit system;
modules = [ ./machines/ephemeral/kexec.nix ];
}).config.system.build.kexec_tarball;
mkIso = system:
(nixpkgs.lib.nixosSystem {
inherit system;
modules = [ ./machines/ephemeral/iso.nix ];
}).config.system.build.isoImage;
in {
"x86_64-linux"."kexec" = mkKexec "x86_64-linux";
"x86_64-linux"."iso" = mkIso "x86_64-linux";
"aarch64-linux"."kexec" = mkKexec "aarch64-linux";
"aarch64-linux"."iso" = mkIso "aarch64-linux";
};
};
}

12
machines/ephemeral/iso.nix Normal file
View File

@@ -0,0 +1,12 @@
{ modulesPath, ... }:
{
imports = [
(modulesPath + "/installer/cd-dvd/iso-image.nix")
./minimal.nix
];
isoImage.makeUsbBootable = true;
networking.hostName = "iso";
}

48
machines/ephemeral/kexec.nix Normal file
View File

@@ -0,0 +1,48 @@
# From https://mdleom.com/blog/2021/03/09/nixos-oracle/#Build-a-kexec-tarball
# Builds a kexec img
{ config, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/installer/netboot/netboot.nix")
(modulesPath + "/profiles/qemu-guest.nix")
./minimal.nix
];
networking.hostName = "kexec";
# stripped down version of https://github.com/cleverca22/nix-tests/tree/master/kexec
system.build = rec {
image = pkgs.runCommand "image" { buildInputs = [ pkgs.nukeReferences ]; } ''
mkdir $out
if [ -f ${config.system.build.kernel}/bzImage ]; then
cp ${config.system.build.kernel}/bzImage $out/kernel
else
cp ${config.system.build.kernel}/Image $out/kernel
fi
cp ${config.system.build.netbootRamdisk}/initrd $out/initrd
nuke-refs $out/kernel
'';
kexec_script = pkgs.writeTextFile {
executable = true;
name = "kexec-nixos";
text = ''
#!${pkgs.stdenv.shell}
set -e
${pkgs.kexectools}/bin/kexec -l ${image}/kernel --initrd=${image}/initrd --append="init=${builtins.unsafeDiscardStringContext config.system.build.toplevel}/init ${toString config.boot.kernelParams}"
sync
echo "executing kernel, filesystems will be improperly umounted"
${pkgs.kexectools}/bin/kexec -e
'';
};
kexec_tarball = pkgs.callPackage (modulesPath + "/../lib/make-system-tarball.nix") {
storeContents = [
{
object = config.system.build.kexec_script;
symlink = "/kexec_nixos";
}
];
contents = [ ];
};
};
}

28
machines/ephemeral/minimal.nix Normal file
View File

@@ -0,0 +1,28 @@
{ pkgs, ... }:
{
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "e1000" "e1000e" "virtio_pci" "r8169" ];
boot.kernelParams = [
"panic=30" "boot.panic_on_fail" # reboot the machine upon fatal boot issues
"console=ttyS0" # enable serial console
"console=tty1"
];
boot.kernel.sysctl."vm.overcommit_memory" = "1";
environment.systemPackages = with pkgs; [
cryptsetup
btrfs-progs
];
environment.variables.GC_INITIAL_HEAP_SIZE = "1M";
networking.useDHCP = true;
services.openssh = {
enable = true;
challengeResponseAuthentication = false;
passwordAuthentication = false;
};
services.getty.autologinUser = "root";
users.users.root.openssh.authorizedKeys.keys = (import ../common/ssh.nix).users;
}

227
machines/liza/configuration.nix
View File

@@ -1,17 +1,6 @@
{ config, pkgs, lib, mkVpnContainer, ... }:
{ config, pkgs, lib, ... }:
let
mta-sts-web = {
enableACME = true;
forceSSL = true;
locations."=/.well-known/mta-sts.txt".alias = pkgs.writeText "mta-sts.txt" ''
version: STSv1
mode: none
mx: mail.neet.dev
max_age: 86400
'';
};
in {
{
imports =[
./hardware-configuration.nix
];
@@ -35,158 +24,6 @@ in {
networking.interfaces.enp1s0.useDHCP = true;
services.gitea = {
enable = true;
hostname = "git.neet.dev";
disableRegistration = true;
};
services.peertube = {
enable = true;
localDomain = "tube.neet.space";
listenHttp = 9000;
listenWeb = 443;
enableWebHttps = true;
# dataDirs
serviceEnvironmentFile = "/run/agenix/peertube-init";
# settings
database = {
createLocally = true;
passwordFile = "/run/agenix/peertube-db-pw";
};
redis = {
createLocally = true;
passwordFile = "/run/agenix/peertube-redis-pw";
};
smtp = {
createLocally = false;
passwordFile = "/run/agenix/peertube-smtp";
};
};
services.nginx.virtualHosts."tube.neet.space" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${toString config.services.peertube.listenHttp}";
proxyWebsockets = true;
};
};
age.secrets.peertube-init.file = ../../secrets/peertube-init.age;
age.secrets.peertube-db-pw.file = ../../secrets/peertube-db-pw.age;
age.secrets.peertube-redis-pw.file = ../../secrets/peertube-redis-pw.age;
age.secrets.peertube-smtp.file = ../../secrets/peertube-smtp.age;
networking.firewall.allowedTCPPorts = [ 1935 ];
services.searx = {
enable = true;
environmentFile = "/run/agenix/searx";
settings = {
server.port = 43254;
server.secret_key = "@SEARX_SECRET_KEY@";
engines = [ {
name = "wolframalpha";
shortcut = "wa";
api_key = "@WOLFRAM_API_KEY@";
engine = "wolframalpha_api";
} ];
};
};
services.nginx.virtualHosts."search.neet.space" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${toString config.services.searx.settings.server.port}";
};
};
age.secrets.searx.file = ../../secrets/searx.age;
services.minecraft-server = {
enable = true;
jvmOpts = "-Xms2048M -Xmx4092M -XX:+UseG1GC -XX:ParallelGCThreads=2 -XX:MinHeapFreeRatio=5 -XX:MaxHeapFreeRatio=10";
eula = true;
declarative = true;
serverProperties = {
motd = "Welcome :)";
server-port = 38358;
white-list = false;
};
openFirewall = true;
package = pkgs.minecraft-server.overrideAttrs (old: {
version = "1.17";
src = pkgs.fetchurl {
url = "https://launcher.mojang.com/v1/objects/0a269b5f2c5b93b1712d0f5dc43b6182b9ab254e/server.jar";
sha1 = "0a269b5f2c5b93b1712d0f5dc43b6182b9ab254e";
};
});
};
# wrap radio in a VPN
containers.vpn = mkVpnContainer pkgs "/dev/null" {
services.radio = {
enable = true;
host = "radio.neet.space";
};
};
# containers cannot unlock their own secrets right now. unlock it here
age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
services.drastikbot = {
enable = true;
wolframAppIdFile = "/run/agenix/wolframalpha";
};
age.secrets.wolframalpha = {
file = ../../secrets/wolframalpha.age;
owner = config.services.drastikbot.user;
};
# icecast endpoint + website
services.nginx.virtualHosts."radio.neet.space" = {
enableACME = true;
forceSSL = true;
locations = {
"/stream.mp3" = {
proxyPass = "http://172.16.100.2:8001/stream.mp3";
extraConfig = ''
add_header Access-Control-Allow-Origin *;
'';
};
"/".root = config.inputs.radio-web;
};
};
services.nginx.virtualHosts."paradigminteractive.agency" = {
enableACME = true;
forceSSL = true;
locations."/".root = builtins.fetchTarball {
url = "https://git.neet.dev/zuckerberg/paradigminteractive.agency/archive/b91f3ea2884ddd902461a8acb47f20ae04bc28ee.tar.gz";
sha256 = "1x1fpsd1qr0004hfcxk6j4c4n3wwxykzhnv47gmrdnx5hq1nbzq4";
};
};
services.matrix = {
enable = true;
host = "neet.space";
enable_registration = false;
element-web = {
enable = true;
host = "chat.neet.space";
};
jitsi-meet = {
enable = true;
host = "meet.neet.space";
};
turn = {
host = "turn.neet.space";
secret = "a8369a0e96922abf72494bb888c85831b";
};
};
services.nginx.virtualHosts."tmp.neet.dev" = {
enableACME = true;
forceSSL = true;
root = "/var/www/tmp";
};
mailserver = {
enable = true;
fqdn = "mail.neet.dev";
@@ -201,7 +38,6 @@ in {
"runyan.org" "runyan.rocks"
"thunderhex.com" "tar.ninja"
"bsd.ninja" "bsd.rocks"
"paradigminteractive.agency"
];
loginAccounts = {
"jeremy@runyan.org" = {
@@ -211,7 +47,6 @@ in {
"@runyan.org" "@runyan.rocks"
"@thunderhex.com" "@tar.ninja"
"@bsd.ninja" "@bsd.rocks"
"@paradigminteractive.agency"
];
};
};
@@ -224,12 +59,35 @@ in {
certificateScheme = 3; # use let's encrypt for certs
};
age.secrets.email-pw.file = ../../secrets/email-pw.age;
services.nginx.virtualHosts."mta-sts.runyan.org" = mta-sts-web;
services.nginx.virtualHosts."mta-sts.runyan.rocks" = mta-sts-web;
services.nginx.virtualHosts."mta-sts.thunderhex.com" = mta-sts-web;
services.nginx.virtualHosts."mta-sts.tar.ninja" = mta-sts-web;
services.nginx.virtualHosts."mta-sts.bsd.ninja" = mta-sts-web;
services.nginx.virtualHosts."mta-sts.bsd.rocks" = mta-sts-web;
# sendmail to use xxx@domain instead of xxx@mail.domain
services.postfix.origin = "$mydomain";
# relay sent mail through mailgun
# https://www.howtoforge.com/community/threads/different-smtp-relays-for-different-domains-in-postfix.82711/#post-392620
services.postfix.config = {
smtp_sasl_auth_enable = "yes";
smtp_sasl_security_options = "noanonymous";
smtp_sasl_password_maps = "hash:/var/lib/postfix/conf/sasl_relay_passwd";
smtp_use_tls = "yes";
sender_dependent_relayhost_maps = "hash:/var/lib/postfix/conf/sender_relay";
smtp_sender_dependent_authentication = "yes";
};
services.postfix.mapFiles.sender_relay = let
relayHost = "[smtp.mailgun.org]:587";
in pkgs.writeText "sender_relay" ''
@neet.space ${relayHost}
@neet.cloud ${relayHost}
@neet.dev ${relayHost}
@runyan.org ${relayHost}
@runyan.rocks ${relayHost}
@thunderhex.com ${relayHost}
@tar.ninja ${relayHost}
@bsd.ninja ${relayHost}
@bsd.rocks ${relayHost}
'';
services.postfix.mapFiles.sasl_relay_passwd = "/run/agenix/sasl_relay_passwd";
age.secrets.sasl_relay_passwd.file = ../../secrets/sasl_relay_passwd.age;
services.nextcloud = {
enable = true;
@@ -249,27 +107,4 @@ in {
enableACME = true;
forceSSL = true;
};
# iodine DNS-based vpn
services.iodine.server = {
enable = true;
ip = "192.168.99.1";
domain = "tun.neet.dev";
passwordFile = "/run/agenix/iodine";
};
age.secrets.iodine.file = ../../secrets/iodine.age;
networking.firewall.allowedUDPPorts = [ 53 ];
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
networking.nat.enable = true;
networking.nat.internalInterfaces = [
"dns0" # iodine
"ve-vpn" # vpn container
];
networking.nat.externalInterface = "enp1s0";
services.postgresql.package = pkgs.postgresql_11;
security.acme.acceptTerms = true;
security.acme.email = "zuckerberg@neet.dev";
}

47
machines/neet.dev/configuration.nix
View File

@@ -1,47 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports =[
./hardware-configuration.nix
];
# wt6nczjfvtba6pvjt2qtevwjpq4gcbz46bwjz4hboehgecyqmzqgwnqd.onion
firmware.x86_64.enable = true;
bios = {
enable = true;
device = "/dev/sda";
};
luks = {
enable = true;
device.path = "/dev/disk/by-uuid/06f6b0bf-fe79-4b89-a549-b464c2b162a1";
};
networking.hostName = "neetdev";
system.autoUpgrade.enable = true;
networking.interfaces.eno1.useDHCP = true;
services.nginx.enable = true;
security.acme.acceptTerms = true;
security.acme.email = "letsencrypt+5@tar.ninja";
services.thelounge = {
enable = true;
port = 9000;
fileUploadBaseUrl = "https://files.neet.cloud/irc/";
host = "irc.neet.dev";
fileHost = {
host = "files.neet.cloud";
path = "/irc";
};
};
services.murmur = {
enable = true;
port = 23563;
domain = "voice.neet.space";
};
}

38
machines/neet.dev/hardware-configuration.nix
View File

@@ -1,38 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ahci" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/35ca3392-548a-45ef-9e72-392cddfcea1b";
fsType = "btrfs";
options = [ "subvol=root" ];
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/35ca3392-548a-45ef-9e72-392cddfcea1b";
fsType = "btrfs";
options = [ "subvol=home" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/d1d3cc19-980f-42ea-9784-a223ea71f435";
fsType = "ext4";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/86fdcded-3f0e-4ee0-81bc-c1c92cb96ab1"; }
];
powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
}

149
machines/ponyo/configuration.nix
View File

@@ -22,6 +22,151 @@
services.zerotierone.enable = true;
security.acme.acceptTerms = true;
security.acme.email = "zuckerberg@neet.dev";
services.gitea = {
enable = true;
hostname = "git.neet.dev";
disableRegistration = true;
};
services.thelounge = {
enable = true;
port = 9000;
fileUploadBaseUrl = "https://files.neet.cloud/irc/";
host = "irc.neet.dev";
fileHost = {
host = "files.neet.cloud";
path = "/irc";
};
};
services.murmur = {
enable = true;
port = 23563;
domain = "voice.neet.space";
};
services.drastikbot = {
enable = true;
wolframAppIdFile = "/run/agenix/wolframalpha";
};
age.secrets.wolframalpha = {
file = ../../secrets/wolframalpha.age;
owner = config.services.drastikbot.user;
};
# wrap radio in a VPN
vpn-container.enable = true;
vpn-container.config = {
services.radio = {
enable = true;
host = "radio.runyan.org";
};
};
# tailscale
services.tailscale.exitNode = true;
# icecast endpoint + website
services.nginx.virtualHosts."radio.runyan.org" = {
enableACME = true;
forceSSL = true;
locations = {
"/stream.mp3" = {
proxyPass = "http://vpn.containers:8001/stream.mp3";
extraConfig = ''
add_header Access-Control-Allow-Origin *;
'';
};
"/".root = config.inputs.radio-web;
};
};
services.matrix = {
enable = true;
host = "neet.space";
enable_registration = false;
element-web = {
enable = true;
host = "chat.neet.space";
};
jitsi-meet = {
enable = true;
host = "meet.neet.space";
};
turn = {
host = "turn.neet.space";
secret = "a8369a0e96922abf72494bb888c85831b";
};
};
services.postgresql.package = pkgs.postgresql_11;
services.searx = {
enable = true;
environmentFile = "/run/agenix/searx";
settings = {
server.port = 43254;
server.secret_key = "@SEARX_SECRET_KEY@";
engines = [ {
name = "wolframalpha";
shortcut = "wa";
api_key = "@WOLFRAM_API_KEY@";
engine = "wolframalpha_api";
} ];
};
};
services.nginx.virtualHosts."search.neet.space" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${toString config.services.searx.settings.server.port}";
};
};
age.secrets.searx.file = ../../secrets/searx.age;
# iodine DNS-based vpn
services.iodine.server = {
enable = true;
ip = "192.168.99.1";
domain = "tun.neet.dev";
passwordFile = "/run/agenix/iodine";
};
age.secrets.iodine.file = ../../secrets/iodine.age;
networking.firewall.allowedUDPPorts = [ 53 ];
networking.nat.internalInterfaces = [
"dns0" # iodine
];
services.nginx.enable = true;
services.nginx.virtualHosts."jellyfin.neet.cloud" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://s0.zt.neet.dev";
proxyWebsockets = true;
};
};
services.nginx.virtualHosts."navidrome.neet.cloud" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://s0.zt.neet.dev:4533";
};
services.nginx.virtualHosts."tmp.neet.dev" = {
enableACME = true;
forceSSL = true;
root = "/var/www/tmp";
};
# redirect to github
services.nginx.virtualHosts."runyan.org" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
rewrite ^/(.*)$ https://github.com/GoogleBot42 redirect;
'';
};
services.owncast.enable = true;
services.owncast.hostname = "live.neet.dev";
}

2
machines/ponyo/hardware-configuration.nix
View File

@@ -31,7 +31,7 @@
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = lib.mkDefault false;
networking.interfaces.ens3.useDHCP = lib.mkDefault true;
networking.interfaces.eth0.useDHCP = lib.mkDefault true;
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

43
machines/ray/ca.rsa.4096.crt Normal file
View File

@@ -0,0 +1,43 @@
-----BEGIN CERTIFICATE-----
MIIHqzCCBZOgAwIBAgIJAJ0u+vODZJntMA0GCSqGSIb3DQEBDQUAMIHoMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCQ0ExEzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNV
BAoTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIElu
dGVybmV0IEFjY2VzczEgMB4GA1UEAxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3Mx
IDAeBgNVBCkTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkB
FiBzZWN1cmVAcHJpdmF0ZWludGVybmV0YWNjZXNzLmNvbTAeFw0xNDA0MTcxNzQw
MzNaFw0zNDA0MTIxNzQwMzNaMIHoMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0Ex
EzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNVBAoTF1ByaXZhdGUgSW50ZXJuZXQg
QWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UE
AxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBCkTF1ByaXZhdGUgSW50
ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkBFiBzZWN1cmVAcHJpdmF0ZWludGVy
bmV0YWNjZXNzLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALVk
hjumaqBbL8aSgj6xbX1QPTfTd1qHsAZd2B97m8Vw31c/2yQgZNf5qZY0+jOIHULN
De4R9TIvyBEbvnAg/OkPw8n/+ScgYOeH876VUXzjLDBnDb8DLr/+w9oVsuDeFJ9K
V2UFM1OYX0SnkHnrYAN2QLF98ESK4NCSU01h5zkcgmQ+qKSfA9Ny0/UpsKPBFqsQ
25NvjDWFhCpeqCHKUJ4Be27CDbSl7lAkBuHMPHJs8f8xPgAbHRXZOxVCpayZ2SND
fCwsnGWpWFoMGvdMbygngCn6jA/W1VSFOlRlfLuuGe7QFfDwA0jaLCxuWt/BgZyl
p7tAzYKR8lnWmtUCPm4+BtjyVDYtDCiGBD9Z4P13RFWvJHw5aapx/5W/CuvVyI7p
Kwvc2IT+KPxCUhH1XI8ca5RN3C9NoPJJf6qpg4g0rJH3aaWkoMRrYvQ+5PXXYUzj
tRHImghRGd/ydERYoAZXuGSbPkm9Y/p2X8unLcW+F0xpJD98+ZI+tzSsI99Zs5wi
jSUGYr9/j18KHFTMQ8n+1jauc5bCCegN27dPeKXNSZ5riXFL2XX6BkY68y58UaNz
meGMiUL9BOV1iV+PMb7B7PYs7oFLjAhh0EdyvfHkrh/ZV9BEhtFa7yXp8XR0J6vz
1YV9R6DYJmLjOEbhU8N0gc3tZm4Qz39lIIG6w3FDAgMBAAGjggFUMIIBUDAdBgNV
HQ4EFgQUrsRtyWJftjpdRM0+925Y6Cl08SUwggEfBgNVHSMEggEWMIIBEoAUrsRt
yWJftjpdRM0+925Y6Cl08SWhge6kgeswgegxCzAJBgNVBAYTAlVTMQswCQYDVQQI
EwJDQTETMBEGA1UEBxMKTG9zQW5nZWxlczEgMB4GA1UEChMXUHJpdmF0ZSBJbnRl
cm5ldCBBY2Nlc3MxIDAeBgNVBAsTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAw
HgYDVQQDExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UEKRMXUHJpdmF0
ZSBJbnRlcm5ldCBBY2Nlc3MxLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRl
aW50ZXJuZXRhY2Nlc3MuY29tggkAnS7684Nkme0wDAYDVR0TBAUwAwEB/zANBgkq
hkiG9w0BAQ0FAAOCAgEAJsfhsPk3r8kLXLxY+v+vHzbr4ufNtqnL9/1Uuf8NrsCt
pXAoyZ0YqfbkWx3NHTZ7OE9ZRhdMP/RqHQE1p4N4Sa1nZKhTKasV6KhHDqSCt/dv
Em89xWm2MVA7nyzQxVlHa9AkcBaemcXEiyT19XdpiXOP4Vhs+J1R5m8zQOxZlV1G
tF9vsXmJqWZpOVPmZ8f35BCsYPvv4yMewnrtAC8PFEK/bOPeYcKN50bol22QYaZu
LfpkHfNiFTnfMh8sl/ablPyNY7DUNiP5DRcMdIwmfGQxR5WEQoHL3yPJ42LkB5zs
6jIm26DGNXfwura/mi105+ENH1CaROtRYwkiHb08U6qLXXJz80mWJkT90nr8Asj3
5xN2cUppg74nG3YVav/38P48T56hG1NHbYF5uOCske19F6wi9maUoto/3vEr0rnX
JUp2KODmKdvBI7co245lHBABWikk8VfejQSlCtDBXn644ZMtAdoxKNfR2WTFVEwJ
iyd1Fzx0yujuiXDROLhISLQDRjVVAvawrAtLZWYK31bY7KlezPlQnl/D9Asxe85l
8jO5+0LdJ6VyOs/Hd4w52alDW/MFySDZSfQHMTIc30hLBJ8OnCEIvluVQQ2UQvoW
+no177N9L2Y+M9TcTA62ZyMXShHQGeh20rb4kK8f+iFX8NxtdHVSkxMEFSfDDyQ=
-----END CERTIFICATE-----

95
machines/ray/configuration.nix
View File

@@ -1,12 +1,8 @@
{ config, pkgs, lib, ... }:
{
disabledModules = [
"hardware/video/nvidia.nix"
];
imports = [
./hardware-configuration.nix
./nvidia.nix
];
firmware.x86_64.enable = true;
@@ -17,38 +13,107 @@
allowDiscards = true;
};
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
networking.hostName = "ray";
hardware.enableAllFirmware = true;
# newer kernel for wifi
boot.kernelPackages = pkgs.linuxPackages_latest;
# depthai
services.udev.extraRules = ''
SUBSYSTEM=="usb", ATTRS{idVendor}=="03e7", MODE="0666"
'';
# gpu
services.xserver.videoDrivers = [ "nvidia" ];
services.xserver.logFile = "/var/log/Xorg.0.log";
hardware.nvidia = {
modesetting.enable = true; # for nvidia-vaapi-driver
prime = {
#reverse_sync.enable = true;
offload.enable = true;
reverseSync.enable = true;
offload.enableOffloadCmd = true;
#sync.enable = true;
nvidiaBusId = "PCI:1:0:0";
amdgpuBusId = "PCI:4:0:0";
};
powerManagement = {
# enable = true;
# finegrained = true;
coarsegrained = true;
};
};
# virt-manager
virtualisation.libvirtd.enable = true;
programs.dconf.enable = true;
virtualisation.spiceUSBRedirection.enable = true;
environment.systemPackages = with pkgs; [ virt-manager ];
users.users.googlebot.extraGroups = [ "libvirtd" ];
# vpn-container.enable = true;
# containers.vpn.interfaces = [ "piaw" ];
# allow traffic for wireguard interface to pass
# networking.firewall = {
# # wireguard trips rpfilter up
# extraCommands = ''
# ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN
# ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN
# '';
# extraStopCommands = ''
# ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN || true
# ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN || true
# '';
# };
# systemd.services.pia-vpn-wireguard = {
# enable = true;
# description = "PIA VPN WireGuard Tunnel";
# requires = [ "network-online.target" ];
# after = [ "network.target" "network-online.target" ];
# wantedBy = [ "multi-user.target" ];
# environment.DEVICE = "piaw";
# path = with pkgs; [ kmod wireguard-tools jq curl ];
# serviceConfig = {
# Type = "oneshot";
# RemainAfterExit = true;
# };
# script = ''
# WG_HOSTNAME=zurich406
# WG_SERVER_IP=156.146.62.153
# PIA_USER=`sed '1q;d' /run/agenix/pia-login.conf`
# PIA_PASS=`sed '2q;d' /run/agenix/pia-login.conf`
# PIA_TOKEN=`curl -s -u "$PIA_USER:$PIA_PASS" https://www.privateinternetaccess.com/gtoken/generateToken | jq -r '.token'`
# privKey=$(wg genkey)
# pubKey=$(echo "$privKey" | wg pubkey)
# wireguard_json=`curl -s -G --connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" --cacert "${./ca.rsa.4096.crt}" --data-urlencode "pt=$PIA_TOKEN" --data-urlencode "pubkey=$pubKey" https://$WG_HOSTNAME:1337/addKey`
# echo "
# [Interface]
# Address = $(echo "$wireguard_json" | jq -r '.peer_ip')
# PrivateKey = $privKey
# ListenPort = 51820
# [Peer]
# PersistentKeepalive = 25
# PublicKey = $(echo "$wireguard_json" | jq -r '.server_key')
# AllowedIPs = 0.0.0.0/0
# Endpoint = $WG_SERVER_IP:$(echo "$wireguard_json" | jq -r '.server_port')
# " > /tmp/piaw.conf
# # TODO make /tmp/piaw.conf ro to root
# ${lib.optionalString (!config.boot.isContainer) "modprobe wireguard"}
# wg-quick up /tmp/piaw.conf
# '';
# preStop = ''
# wg-quick down /tmp/piaw.conf
# '';
# };
# age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
virtualisation.docker.enable = true;
services.zerotierone.enable = true;
services.mount-samba.enable = true;
de.enable = true;
de.touchpad.enable = true;
}

485
machines/ray/nvidia.nix
View File

@@ -1,485 +0,0 @@
# This module provides the proprietary NVIDIA X11 / OpenGL drivers.
{ config, lib, pkgs, ... }:
with lib;
let
nvidia_x11 = let
drivers = config.services.xserver.videoDrivers;
isDeprecated = str: (hasPrefix "nvidia" str) && (str != "nvidia");
hasDeprecated = drivers: any isDeprecated drivers;
in if (hasDeprecated drivers) then
throw ''
Selecting an nvidia driver has been modified for NixOS 19.03. The version is now set using `hardware.nvidia.package`.
''
else if (elem "nvidia" drivers) then cfg.package else null;
enabled = nvidia_x11 != null;
cfg = config.hardware.nvidia;
pCfg = cfg.prime;
syncCfg = pCfg.sync;
offloadCfg = pCfg.offload;
reverseSyncCfg = pCfg.reverse_sync;
primeEnabled = syncCfg.enable || reverseSyncCfg.enable || offloadCfg.enable;
nvidiaPersistencedEnabled = cfg.nvidiaPersistenced;
nvidiaSettings = cfg.nvidiaSettings;
in
{
imports =
[
(mkRenamedOptionModule [ "hardware" "nvidia" "optimus_prime" "enable" ] [ "hardware" "nvidia" "prime" "sync" "enable" ])
(mkRenamedOptionModule [ "hardware" "nvidia" "optimus_prime" "allowExternalGpu" ] [ "hardware" "nvidia" "prime" "allowExternalGpu" ])
(mkRenamedOptionModule [ "hardware" "nvidia" "prime" "sync" "allowExternalGpu" ] [ "hardware" "nvidia" "prime" "allowExternalGpu" ])
(mkRenamedOptionModule [ "hardware" "nvidia" "optimus_prime" "nvidiaBusId" ] [ "hardware" "nvidia" "prime" "nvidiaBusId" ])
(mkRenamedOptionModule [ "hardware" "nvidia" "optimus_prime" "intelBusId" ] [ "hardware" "nvidia" "prime" "intelBusId" ])
];
options = {
hardware.nvidia.powerManagement.enable = mkOption {
type = types.bool;
default = false;
description = ''
Experimental power management through systemd. For more information, see
the NVIDIA docs, on Chapter 21. Configuring Power Management Support.
'';
};
hardware.nvidia.powerManagement.finegrained = mkOption {
type = types.bool;
default = false;
description = ''
Experimental power management of PRIME offload. For more information, see
the NVIDIA docs, chapter 22. PCI-Express runtime power management.
'';
};
hardware.nvidia.powerManagement.coarsegrained = mkOption {
type = types.bool;
default = false;
description = ''
Experimental power management of PRIME offload. For more information, see
the NVIDIA docs, chapter 22. PCI-Express runtime power management.
'';
};
hardware.nvidia.modesetting.enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable kernel modesetting when using the NVIDIA proprietary driver.
Enabling this fixes screen tearing when using Optimus via PRIME (see
<option>hardware.nvidia.prime.sync.enable</option>. This is not enabled
by default because it is not officially supported by NVIDIA and would not
work with SLI.
'';
};
hardware.nvidia.prime.nvidiaBusId = mkOption {
type = types.str;
default = "";
example = "PCI:1:0:0";
description = ''
Bus ID of the NVIDIA GPU. You can find it using lspci; for example if lspci
shows the NVIDIA GPU at "01:00.0", set this option to "PCI:1:0:0".
'';
};
hardware.nvidia.prime.intelBusId = mkOption {
type = types.str;
default = "";
example = "PCI:0:2:0";
description = ''
Bus ID of the Intel GPU. You can find it using lspci; for example if lspci
shows the Intel GPU at "00:02.0", set this option to "PCI:0:2:0".
'';
};
hardware.nvidia.prime.amdgpuBusId = mkOption {
type = types.str;
default = "";
example = "PCI:4:0:0";
description = ''
Bus ID of the AMD APU. You can find it using lspci; for example if lspci
shows the AMD APU at "04:00.0", set this option to "PCI:4:0:0".
'';
};
hardware.nvidia.prime.sync.enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable NVIDIA Optimus support using the NVIDIA proprietary driver via PRIME.
If enabled, the NVIDIA GPU will be always on and used for all rendering,
while enabling output to displays attached only to the integrated Intel/AMD
GPU without a multiplexer.
Note that this option only has any effect if the "nvidia" driver is specified
in <option>services.xserver.videoDrivers</option>, and it should preferably
be the only driver there.
If this is enabled, then the bus IDs of the NVIDIA and Intel/AMD GPUs have to
be specified (<option>hardware.nvidia.prime.nvidiaBusId</option> and
<option>hardware.nvidia.prime.intelBusId</option> or
<option>hardware.nvidia.prime.amdgpuBusId</option>).
If you enable this, you may want to also enable kernel modesetting for the
NVIDIA driver (<option>hardware.nvidia.modesetting.enable</option>) in order
to prevent tearing.
Note that this configuration will only be successful when a display manager
for which the <option>services.xserver.displayManager.setupCommands</option>
option is supported is used.
'';
};
hardware.nvidia.prime.allowExternalGpu = mkOption {
type = types.bool;
default = false;
description = ''
Configure X to allow external NVIDIA GPUs when using Prime [Reverse] Sync.
'';
};
hardware.nvidia.prime.offload.enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable render offload support using the NVIDIA proprietary driver via PRIME.
If this is enabled, then the bus IDs of the NVIDIA and Intel/AMD GPUs have to
be specified (<option>hardware.nvidia.prime.nvidiaBusId</option> and
<option>hardware.nvidia.prime.intelBusId</option> or
<option>hardware.nvidia.prime.amdgpuBusId</option>).
'';
};
hardware.nvidia.prime.offload.enableOffloadCmd = mkOption {
type = types.bool;
default = false;
description = ''
Adds a `nvidia-offload` convenience script to <option>environment.systemPackages</option>
for offloading programs to an nvidia device. To work, should have also enabled
<option>hardware.nvidia.prime.offload.enable</option> or <option>hardware.nvidia.prime.reverse_sync.enable</option>
Example usage `nvidia-offload sauerbraten_client`
'';
};
hardware.nvidia.prime.reverse_sync.enable = mkOption {
type = types.bool;
default = false;
description = ''
Warning: This feature is relatively new, depending on your system this might
work poorly. AMD support, especially so.
See: https://forums.developer.nvidia.com/t/the-all-new-outputsink-feature-aka-reverse-prime/129828
Enable NVIDIA Optimus support using the NVIDIA proprietary driver via reverse
PRIME. If enabled, the Intel/AMD GPU will be used for all rendering, while
enabling output to displays attached only to the NVIDIA GPU without a
multiplexer.
Note that this option only has any effect if the "nvidia" driver is specified
in <option>services.xserver.videoDrivers</option>, and it should preferably
be the only driver there.
If this is enabled, then the bus IDs of the NVIDIA and Intel/AMD GPUs have to
be specified (<option>hardware.nvidia.prime.nvidiaBusId</option> and
<option>hardware.nvidia.prime.intelBusId</option> or
<option>hardware.nvidia.prime.amdgpuBusId</option>).
If you enable this, you may want to also enable kernel modesetting for the
NVIDIA driver (<option>hardware.nvidia.modesetting.enable</option>) in order
to prevent tearing.
Note that this configuration will only be successful when a display manager
for which the <option>services.xserver.displayManager.setupCommands</option>
option is supported is used.
'';
};
hardware.nvidia.nvidiaSettings = mkOption {
default = true;
type = types.bool;
description = ''
Whether to add nvidia-settings, NVIDIA's GUI configuration tool, to
systemPackages.
'';
};
hardware.nvidia.nvidiaPersistenced = mkOption {
default = false;
type = types.bool;
description = ''
Update for NVIDA GPU headless mode, i.e. nvidia-persistenced. It ensures all
GPUs stay awake even during headless mode.
'';
};
hardware.nvidia.package = lib.mkOption {
type = lib.types.package;
default = config.boot.kernelPackages.nvidiaPackages.stable;
defaultText = literalExpression "config.boot.kernelPackages.nvidiaPackages.stable";
description = ''
The NVIDIA X11 derivation to use.
'';
example = literalExpression "config.boot.kernelPackages.nvidiaPackages.legacy_340";
};
};
config = let
igpuDriver = if pCfg.intelBusId != "" then "modesetting" else "amdgpu";
igpuBusId = if pCfg.intelBusId != "" then pCfg.intelBusId else pCfg.amdgpuBusId;
in mkIf enabled {
assertions = [
{
assertion = primeEnabled -> pCfg.intelBusId == "" || pCfg.amdgpuBusId == "";
message = ''
You cannot configure both an Intel iGPU and an AMD APU. Pick the one corresponding to your processor.
'';
}
{
assertion = offloadCfg.enableOffloadCmd -> offloadCfg.enable || reverseSyncCfg.enable;
message = ''
Offload command requires offloading or reverse prime sync to be enabled.
'';
}
{
assertion = primeEnabled -> pCfg.nvidiaBusId != "" && (pCfg.intelBusId != "" || pCfg.amdgpuBusId != "");
message = ''
When NVIDIA PRIME is enabled, the GPU bus IDs must configured.
'';
}
{
assertion = offloadCfg.enable -> versionAtLeast nvidia_x11.version "435.21";
message = "NVIDIA PRIME render offload is currently only supported on versions >= 435.21.";
}
{
assertion = (reverseSyncCfg.enable && pCfg.amdgpuBusId != "") -> versionAtLeast nvidia_x11.version "470.0";
message = "NVIDIA PRIME render offload for AMD APUs is currently only supported on versions >= 470 beta.";
}
{
assertion = !(syncCfg.enable && offloadCfg.enable);
message = "PRIME Sync and Offload cannot be both enabled";
}
{
assertion = !(syncCfg.enable && reverseSyncCfg.enable);
message = "PRIME Sync and PRIME Reverse Sync cannot be both enabled";
}
{
assertion = !(syncCfg.enable && cfg.powerManagement.finegrained && cfg.powerManagement.coarsegrained);
message = "Sync precludes powering down the NVIDIA GPU.";
}
{
assertion = cfg.powerManagement.finegrained -> offloadCfg.enable;
message = "Fine-grained power management requires offload to be enabled.";
}
{
assertion = cfg.powerManagement.coarsegrained -> offloadCfg.enable;
message = "Coarse-grained power management requires offload to be enabled.";
}
{
assertion = cfg.powerManagement.enable -> (
builtins.pathExists (cfg.package.out + "/bin/nvidia-sleep.sh") &&
builtins.pathExists (cfg.package.out + "/lib/systemd/system-sleep/nvidia")
);
message = "Required files for driver based power management don't exist.";
}
];
# If Optimus/PRIME is enabled, we:
# - Specify the configured NVIDIA GPU bus ID in the Device section for the
# "nvidia" driver.
# - Add the AllowEmptyInitialConfiguration option to the Screen section for the
# "nvidia" driver, in order to allow the X server to start without any outputs.
# - Add a separate Device section for the Intel GPU, using the "modesetting"
# driver and with the configured BusID.
# - OR add a separate Device section for the AMD APU, using the "amdgpu"
# driver and with the configures BusID.
# - Reference that Device section from the ServerLayout section as an inactive
# device.
# - Configure the display manager to run specific `xrandr` commands which will
# configure/enable displays connected to the Intel iGPU / AMD APU.
services.xserver.useGlamor = mkDefault offloadCfg.enable;
# reverse sync implies offloading
hardware.nvidia.prime.offload.enable = mkDefault reverseSyncCfg.enable;
services.xserver.drivers = optional primeEnabled {
name = igpuDriver;
display = !syncCfg.enable;
modules = optional (igpuDriver == "amdgpu") [ pkgs.xorg.xf86videoamdgpu ];
deviceSection = ''
BusID "${igpuBusId}"
${optionalString (syncCfg.enable && igpuDriver != "amdgpu") ''Option "AccelMethod" "none"''}
'';
} ++ singleton {
name = "nvidia";
modules = [ nvidia_x11.bin ];
display = syncCfg.enable;
deviceSection = optionalString primeEnabled ''
BusID "${pCfg.nvidiaBusId}"
${optionalString pCfg.allowExternalGpu "Option \"AllowExternalGpus\""}
'';
};
services.xserver.serverLayoutSection = optionalString syncCfg.enable ''
Inactive "Device-${igpuDriver}[0]"
'' + optionalString reverseSyncCfg.enable ''
Inactive "Device-nvidia[0]"
'' + optionalString offloadCfg.enable ''
Option "AllowNVIDIAGPUScreens"
'';
services.xserver.displayManager.setupCommands = let
gpuProviderName = if igpuDriver == "amdgpu" then
# find the name of the provider if amdgpu
"`${pkgs.xorg.xrandr}/bin/xrandr --listproviders | ${pkgs.gnugrep}/bin/grep -i AMD | ${pkgs.gnused}/bin/sed -n 's/^.*name://p'`"
else
igpuDriver;
providerCmdParams = if syncCfg.enable then "\"${gpuProviderName}\" NVIDIA-0" else "NVIDIA-G0 \"${gpuProviderName}\"";
in optionalString (syncCfg.enable || reverseSyncCfg.enable) ''
# Added by nvidia configuration module for Optimus/PRIME.
${pkgs.xorg.xrandr}/bin/xrandr --setprovideroutputsource ${providerCmdParams}
${pkgs.xorg.xrandr}/bin/xrandr --auto
'';
environment.etc."nvidia/nvidia-application-profiles-rc" = mkIf nvidia_x11.useProfiles {
source = "${nvidia_x11.bin}/share/nvidia/nvidia-application-profiles-rc";
};
# 'nvidia_x11' installs it's files to /run/opengl-driver/...
environment.etc."egl/egl_external_platform.d".source =
"/run/opengl-driver/share/egl/egl_external_platform.d/";
hardware.opengl.extraPackages = [
nvidia_x11.out
# pkgs.nvidia-vaapi-driver
];
hardware.opengl.extraPackages32 = [
nvidia_x11.lib32
# pkgs.pkgsi686Linux.nvidia-vaapi-driver
];
environment.systemPackages = [ nvidia_x11.bin ]
++ optionals cfg.nvidiaSettings [ nvidia_x11.settings ]
++ optionals nvidiaPersistencedEnabled [ nvidia_x11.persistenced ]
++ optionals offloadCfg.enableOffloadCmd [
(pkgs.writeShellScriptBin "nvidia-offload" ''
export __NV_PRIME_RENDER_OFFLOAD=1
export __NV_PRIME_RENDER_OFFLOAD_PROVIDER=NVIDIA-G0
export __GLX_VENDOR_LIBRARY_NAME=nvidia
export __VK_LAYER_NV_optimus=NVIDIA_only
exec -a "$0" "$@"
'')
];
systemd.packages = optional cfg.powerManagement.enable nvidia_x11.out;
systemd.services = let
baseNvidiaService = state: {
description = "NVIDIA system ${state} actions";
path = with pkgs; [ kbd ];
serviceConfig = {
Type = "oneshot";
ExecStart = "${nvidia_x11.out}/bin/nvidia-sleep.sh '${state}'";
};
};
nvidiaService = sleepState: (baseNvidiaService sleepState) // {
before = [ "systemd-${sleepState}.service" ];
requiredBy = [ "systemd-${sleepState}.service" ];
};
services = (builtins.listToAttrs (map (t: nameValuePair "nvidia-${t}" (nvidiaService t)) ["hibernate" "suspend"]))
// {
nvidia-resume = (baseNvidiaService "resume") // {
after = [ "systemd-suspend.service" "systemd-hibernate.service" ];
requiredBy = [ "systemd-suspend.service" "systemd-hibernate.service" ];
};
};
in optionalAttrs cfg.powerManagement.enable services
// optionalAttrs nvidiaPersistencedEnabled {
"nvidia-persistenced" = mkIf nvidiaPersistencedEnabled {
description = "NVIDIA Persistence Daemon";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "forking";
Restart = "always";
PIDFile = "/var/run/nvidia-persistenced/nvidia-persistenced.pid";
ExecStart = "${nvidia_x11.persistenced}/bin/nvidia-persistenced --verbose";
ExecStopPost = "${pkgs.coreutils}/bin/rm -rf /var/run/nvidia-persistenced";
};
};
};
systemd.tmpfiles.rules = optional config.virtualisation.docker.enableNvidia
"L+ /run/nvidia-docker/bin - - - - ${nvidia_x11.bin}/origBin"
++ optional (nvidia_x11.persistenced != null && config.virtualisation.docker.enableNvidia)
"L+ /run/nvidia-docker/extras/bin/nvidia-persistenced - - - - ${nvidia_x11.persistenced}/origBin/nvidia-persistenced";
boot.extraModulePackages = [ nvidia_x11.bin ];
# nvidia-uvm is required by CUDA applications.
boot.kernelModules = [ "nvidia-uvm" ] ++
optionals config.services.xserver.enable [ "nvidia" "nvidia_modeset" "nvidia_drm" ];
# If requested enable modesetting via kernel parameter.
boot.kernelParams = optional (offloadCfg.enable || cfg.modesetting.enable) "nvidia-drm.modeset=1"
++ optional cfg.powerManagement.enable "nvidia.NVreg_PreserveVideoMemoryAllocations=1";
services.udev.extraRules =
''
# Create /dev/nvidia-uvm when the nvidia-uvm module is loaded.
KERNEL=="nvidia", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidiactl c $$(grep nvidia-frontend /proc/devices | cut -d \ -f 1) 255'"
KERNEL=="nvidia_modeset", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-modeset c $$(grep nvidia-frontend /proc/devices | cut -d \ -f 1) 254'"
KERNEL=="card*", SUBSYSTEM=="drm", DRIVERS=="nvidia", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia%n c $$(grep nvidia-frontend /proc/devices | cut -d \ -f 1) %n'"
KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm c $$(grep nvidia-uvm /proc/devices | cut -d \ -f 1) 0'"
KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm-tools c $$(grep nvidia-uvm /proc/devices | cut -d \ -f 1) 0'"
'' + optionalString (cfg.powerManagement.finegrained || cfg.powerManagement.coarsegrained) ''
# Remove NVIDIA USB xHCI Host Controller devices, if present
ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x0c0330", ATTR{remove}="1"
# Remove NVIDIA USB Type-C UCSI devices, if present
ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x0c8000", ATTR{remove}="1"
# Remove NVIDIA Audio devices, if present
ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x040300", ATTR{remove}="1"
# Enable runtime PM for NVIDIA VGA/3D controller devices on driver bind
ACTION=="bind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030000", TEST=="power/control", ATTR{power/control}="auto"
ACTION=="bind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030200", TEST=="power/control", ATTR{power/control}="auto"
# Disable runtime PM for NVIDIA VGA/3D controller devices on driver unbind
ACTION=="unbind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030000", TEST=="power/control", ATTR{power/control}="on"
ACTION=="unbind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030200", TEST=="power/control", ATTR{power/control}="on"
'';
boot.extraModprobeConfig = optionalString cfg.powerManagement.finegrained ''
options nvidia "NVreg_DynamicPowerManagement=0x02"
'' + optionalString cfg.powerManagement.coarsegrained ''
options nvidia "NVreg_DynamicPowerManagement=0x01"
'';
boot.blacklistedKernelModules = [ "nouveau" "nvidiafb" ];
services.acpid.enable = true;
};
}

78
machines/storage/s0/configuration.nix
View File

@@ -1,4 +1,4 @@
{ config, pkgs, lib, mkVpnContainer, ... }:
{ config, pkgs, lib, ... }:
{
imports =[
@@ -29,25 +29,26 @@
services.samba.enable = true;
services.jellyfin = {
enable = true;
openFirewall = true;
};
services.navidrome = {
enable = true;
settings = {
Address = "127.0.0.1";
Address = "0.0.0.0";
Port = 4533;
MusicFolder = "/data/samba/Public/Plex/Music";
};
};
networking.firewall.allowedTCPPorts = [ config.services.navidrome.settings.Port ];
users.users.${config.services.jellyfin.user}.extraGroups = [ "public_data" ];
users.users.googlebot.extraGroups = [ "transmission" ];
users.groups.transmission.gid = config.ids.gids.transmission;
containers.vpn = mkVpnContainer pkgs "/data/samba/Public/Plex" {
vpn-container.enable = true;
vpn-container.mounts = [
"/var/lib"
"/data/samba/Public/Plex"
];
vpn-container.config = {
# servarr services
services.prowlarr.enable = true;
services.sonarr.enable = true;
services.sonarr.user = "public_data";
@@ -61,15 +62,20 @@
services.lidarr.enable = true;
services.lidarr.user = "public_data";
services.lidarr.group = "public_data";
users.groups.transmission.members = [ "public_data" ];
services.jellyfin.enable = true;
users.users.${config.services.jellyfin.user}.extraGroups = [ "public_data" ];
services.transmission = {
enable = true;
performanceNetParameters = true;
user = "public_data";
group = "public_data";
settings = {
/* directory settings */
# "watch-dir" = "/srv/storage/Transmission/To-Download";
# "watch-dir-enabled" = true;
"download-dir" = "/var/lib/transmission/Downloads";
"download-dir" = "/data/samba/Public/Plex/Transmission";
"incomplete-dir" = "/var/lib/transmission/.incomplete";
"incomplete-dir-enabled" = true;
@@ -101,7 +107,7 @@
# "speed-limit-up-enabled" = true;
/* seeding limit */
"ratio-limit" = 10;
"ratio-limit" = 2;
"ratio-limit-enabled" = true;
"download-queue-enabled" = true;
@@ -115,45 +121,32 @@
uid = 994;
};
};
# containers cannot unlock their own secrets right now. unlock it here
age.secrets."pia-login.conf".file = ../../../secrets/pia-login.conf;
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
# forwarding for vpn container
networking.nat.enable = true;
networking.nat.internalInterfaces = [
"ve-vpn" # vpn container
];
networking.nat.externalInterface = "eth0";
# unpackerr
# flaresolverr
services.nginx.enable = true;
services.nginx.virtualHosts."bazarr.s0".locations."/".proxyPass = "http://172.16.100.2:6767";
services.nginx.virtualHosts."radarr.s0".locations."/".proxyPass = "http://172.16.100.2:7878";
services.nginx.virtualHosts."lidarr.s0".locations."/".proxyPass = "http://172.16.100.2:8686";
services.nginx.virtualHosts."sonarr.s0".locations."/".proxyPass = "http://172.16.100.2:8989";
services.nginx.virtualHosts."prowlarr.s0".locations."/".proxyPass = "http://172.16.100.2:9696";
services.nginx.virtualHosts."bazarr.s0".locations."/".proxyPass = "http://vpn.containers:6767";
services.nginx.virtualHosts."radarr.s0".locations."/".proxyPass = "http://vpn.containers:7878";
services.nginx.virtualHosts."lidarr.s0".locations."/".proxyPass = "http://vpn.containers:8686";
services.nginx.virtualHosts."sonarr.s0".locations."/".proxyPass = "http://vpn.containers:8989";
services.nginx.virtualHosts."prowlarr.s0".locations."/".proxyPass = "http://vpn.containers:9696";
services.nginx.virtualHosts."music.s0".locations."/".proxyPass = "http://localhost:4533";
services.nginx.virtualHosts."jellyfin.s0".locations."/" = {
proxyPass = "http://localhost:8096";
proxyPass = "http://vpn.containers:8096";
proxyWebsockets = true;
};
services.nginx.virtualHosts."jellyfin.neet.cloud".locations."/" = {
proxyPass = "http://vpn.containers:8096";
proxyWebsockets = true;
};
services.nginx.virtualHosts."transmission.s0".locations."/" = {
proxyPass = "http://172.16.100.2:9091";
proxyPass = "http://vpn.containers:9091";
proxyWebsockets = true;
};
# navidrome over cloudflare
services.cloudflared = {
enable = true;
config = {
url = config.services.nginx.virtualHosts."music.s0".locations."/".proxyPass;
tunnel = "5975c2f1-d1f4-496a-a704-6d89ccccae0d";
credentials-file = "/run/agenix/cloudflared-navidrome.json";
};
};
age.secrets."cloudflared-navidrome.json".file = ../../../secrets/cloudflared-navidrome.json.age;
# tailscale
services.tailscale.exitNode = true;
nixpkgs.overlays = [
(final: prev: {
@@ -182,6 +175,15 @@
runHook postInstall
'';
});
pykms = prev.pykms.overrideAttrs (old: {
src = pkgs.fetchFromGitHub {
owner = "Py-KMS-Organization";
repo = "py-kms";
rev = "7bea3a2cb03c4c3666ff41185ace9f7ea2a07b99";
sha256 = "90DqMqPjfqfyRq86UzG9B/TjY+yclJBlggw+eIDgRe0=";
};
});
})
];
}

11
machines/storage/s0/hardware-configuration.nix
View File

@@ -17,14 +17,21 @@
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.initrd.luks.devices."enc-pv1".device = "/dev/disk/by-uuid/36c4fab0-ea98-4ebc-9612-893f8f61c228";
boot.initrd.luks.devices."enc-pv1" = {
device = "/dev/disk/by-uuid/e3b588b6-d07f-4221-a194-e1e900299752";
allowDiscards = true; # SSD
};
boot.initrd.luks.devices."enc-pv2".device = "/dev/disk/by-uuid/514231c1-5934-401f-80e1-e3b6b62dc9d5";
boot.initrd.luks.devices."enc-pv3".device = "/dev/disk/by-uuid/f45abe73-d0c6-446f-b28c-7a96a3f87851";
boot.initrd.luks.devices."enc-pv4".device = "/dev/disk/by-uuid/e2c7402a-e72c-4c4a-998f-82e4c10187bc";
boot.initrd.luks.devices."enc-pv5".device = "/dev/disk/by-uuid/5d1002b8-a0ed-4a1c-99f5-24b8816d9e38";
boot.initrd.luks.devices."enc-pvUSB" = {
device = "/dev/disk/by-uuid/c8e18f86-a950-4e4e-8f3c-366cc78db29b";
allowDiscards = true; # SSD
};
fileSystems."/" =
{ device = "/dev/mapper/enc-pv1:/dev/mapper/enc-pv2:/dev/mapper/enc-pv3:/dev/mapper/enc-pv4:/dev/mapper/enc-pv5";
{ device = "/dev/mapper/enc-pv1:/dev/mapper/enc-pv2:/dev/mapper/enc-pv3:/dev/mapper/enc-pv4:/dev/mapper/enc-pv5:/dev/mapper/enc-pvUSB";
fsType = "bcachefs";
};

7
machines/storage/s0/helios64/default.nix
View File

@@ -14,9 +14,10 @@
# Required for rootfs on sata
boot.initrd.availableKernelModules = [
"pcie-rockchip-host"
"phy-rockchip-pcie"
"phy-rockchip-usb"
"pcie-rockchip-host" # required for rootfs on pcie sata disks
"phy-rockchip-pcie" # required for rootfs on pcie sata disks
"phy-rockchip-usb" # maybe not needed
"uas" # required for rootfs on USB 3.0 sata disks
];
# bcachefs kernel is 5.15. but need patches that are only in 5.16+

BIN
secrets/cloudflared-navidrome.json.age
View File

Binary file not shown.

BIN
secrets/email-pw.age
View File

Binary file not shown.

72
secrets/iodine.age
View File

@@ -1,35 +1,39 @@
age-encryption.org/v1
-> ssh-ed25519 xoAm7w r+afxdqj3CHvNWOr/x69lesf779KKN6tkPGiqU8p6FM
pz/yubzh2TtN4oj9ckGXHivmjzOX4rDrdww9ICJn5as
-> ssh-ed25519 mbw8xA bTxTx0DNHoyFF7snkZwwqu0jDPPkoFxdxosPaLCS71c
UY7jC5Um534Kq9KSd8XCSwX10vqzcM645teRGG5CDdk
-> ssh-ed25519 N240Tg d+WqpdRN+LrcdSAfmkM5cAlQTAwduCe0ySRe95O6DyA
Q3dmVDquzg314548T4/wQooHyDz7S4Ddq+AQ6Yd5b8A
-> ssh-ed25519 2a2Yhw bUdAeMCJYsBdtp9r+6yHWfAM0D/JJfO6DEgUqUHHrhc
xTASI/UtxetRL6RU7aPUFNrc6Zdq47lEbXkxKEReSuQ
-> ssh-ed25519 dMQYog wgWfWtVRAClfmrNaE2aIbJSomH5VAtuM0gX5vCSXXWw
myEbH1ITelgHIpXMBI882+f2f2KW1zyg6uqUtHBY5VM
-> ssh-ed25519 G2eSCQ YPwEtZvRURoZuVh77is1CNznrxcdqXqSUA2K3ouDdWQ
PFKHYmcXIfd0j8oHTiAMVwhq9MSq79FB+/ffrWtgRcA
-> ssh-ed25519 yHDAQw 5V2SN3sudRBe03CloUwX9re7Gw2kJcJBf/IfRRfyIAo
lH8yHZfOZDbYUvKMGPfv+EZ/zgvmhqWOwnn88nfBG8k
-> ssh-ed25519 2+FxVg iF1H8kQWjFwQpe3KuHdjQQd8/GOqN3WaOxw1tCKRTgA
NPGQ3wu59mWxkqRzMkiSrJCS0tmhEJQTCdTgLE8JsRU
-> ssh-ed25519 CRfjsA oxTKRDEq3CaZo4KlS0kqcxa73vLU2ZuEFD/HQVHM5yI
Wxb6dgCWsAZTYNJNLnCR7P3FmaQ8ADQfbchx3roqWow
-> ssh-ed25519 vwVIvQ 1pZ9SvnOAuuSv+tbvKEFvomtSgADl+kjYL6bR7gHLzY
drY5GZQawLsXrLfEOkofj9nI+s+qciNdP2TVwswlcFI
-> ssh-ed25519 fBrw3g pqmWiPcY/Fax85C41HS1lsvz4K3s4YH7f7KRrzLwPjY
PWGVsA3yuM6ZEyJK2fI3Y0medzD+on5e/pRDQbY1Dr4
-> ssh-ed25519 S5xQfg XFKG83SPrxAOHCMpzqmn9MiXUpTWss+owH+PZV4CsA4
OLzGFA4Y28fb7jcb5b0JdIY49Z1NVaCzEJ13q+Z2hu4
-> ssh-ed25519 XPxfUQ 1fJMzxpAJ2vzp5XHAsuxnml4766S3InVUTD1Egr2cWI
EHhyaDoMSJEqpouzmt2gxXsAXBhCI/rcGYelnCF/EAs
-> ssh-ed25519 SpD5mg zc1W/ZMQnqp6sK8XhiP0/ZNMcSUy6bAuVX59NmvO72Q
oV+VhcqCWq1VMBERoerA6xYzepQvkqrb+DdJB4dnTIU
-> ssh-ed25519 Kk8sng 7CnD4muTfpWcrpBwEj8kIEB4R6r917alzEwKCrnyWQA
SEBAjd0humcMaPFG7yV/rZFdFDV/QUGQ/EraFoXYQKg
-> XQD7Nl-grease J|n$Lto `~ ;"wQ6rB
SqadiwEKzHFE6PxetvpGTgFp/CAYDDRl
--- lsyP62ngq2FCsuDJ6CvVpqD/cf9fRGjY1WsoUjnjo9M
ð^ͱV$$Ì1ð†y²9÷HßÐd¸UJ´Ê©£Óï«+Ž†ÅTÞ7&#§è¢<C3A8><C2A2>ühê%
-> ssh-ed25519 xoAm7w NvgGcHYNA6WmPn3sCmMzPCib+6P7s5R/G6lSJFpih2E
gLugCNcPJtAl9+2fa80OD7D7XaBkpb2bzKJclOdjGfw
-> ssh-ed25519 mbw8xA dBYbSV7QcUTOp9a5hUAZeMlL828KrRp6tB3zMIopPDA
i4QRHxTVaN60elfiuYXuESwbphxPN4tsQ7scH0ZJjoA
-> ssh-ed25519 N240Tg Xg5q74f1ylRZGLpPggkTy1QU+LWEcHpqCV6wQ2OhQlk
RubXACwdS4+xNt8nt0C0wk8XU2YIWOSRwIXUg47sNA0
-> ssh-ed25519 2a2Yhw p5w1WsmcVHImVtolvrULgSsYXlm06g2za8zSiDf9uR8
qVuj2L8jvRmINprQbYg91yoJU0XZmO7TprQv2UsvpmY
-> ssh-ed25519 dMQYog EFYjggjACyNwvNCG75XsceqnUrrrsX4cv7e+Mu2Z2zI
Q7VPIP7iNqHxGGtRG2Q122f60ZztSRsRHRbziGAinNY
-> ssh-ed25519 G2eSCQ 5Y6Tazqz2Wjl2/lrlQMUWgEnSBJpmzwXAUGEK56upgE
eVxcvshe+uecw4ORKdS/2W8p+jcrro8cDcDdmeY7Olg
-> ssh-ed25519 6AT2/g h6E5M1uJRhqfR1bm82rXrJvmr+nkeUPbygD8S+zbAmY
r5yR6W2uCcR4cEnbk/1tXwhAanT2EqTsH1mIDbrVGVM
-> ssh-ed25519 yHDAQw lWomhFF/IyKtOUlBori7wNjrtsbqvKXXhAwF4a1y8js
baOAc0tKMbh6Sw0bWyynI3OMrsOPA3W1fCCIn26azeQ
-> ssh-ed25519 hPp1nw ZGwi0yK0Nu+Y/uXIxnQH6Pwmw1SWBE0yQ9FOuBNKp1U
tN8kk/0AxUIiFbEOSeIlGiBIy0d96wTG8VrGPnEHTg4
-> ssh-ed25519 CRfjsA ntYznFouB2JWY2LZ6aycDogIFbLHOhqcx50QbJIB+RY
slo38Rvg+2GV2fKRlt4Yns644kd55DrDz7ivi6RTyXg
-> ssh-ed25519 vwVIvQ UF+Bo3Rl5OPPqqddi0bqleRJV9XTuykrl2dkPPSyRAE
znn5KNsXZPHN2/E652cPhOx8RF5+uuFUyGhrI+kCou0
-> ssh-ed25519 fBrw3g w8EkEo1db0Po5ZhDzz/5nshsSmjy9wMSKp+XFDEuUQA
q50eyTDTxQULpogMbVXI2zSfu+ZZP9DOXjM+Y2/rMNI
-> ssh-ed25519 S5xQfg 651xn3mNSl/3+KT5d4XD2pkMNcxi6BScqX3teoKbgio
EOfzB+woFBWBaVKuv4t4E0Gx3vf7Lg40WXSovXs8N6s
-> ssh-ed25519 XPxfUQ FL+FYVsRNJBv7xEpwf0fXgJt3G/FiARQ7+aWK/sxryE
xneOKh3muAhjkLC2upsRrc4B0mggwm7IOMFsg+25gT8
-> ssh-ed25519 SpD5mg f140sUr/7itxtllfcbBaNV9xhRaV/IULGVn6AaP7zkw
FnostzjoSC/bdOu2UF+rT+0mZ0aUM8rAAoQltUXn534
-> ssh-ed25519 Kk8sng 9JnybgIcROZf+l0C9YGNb4xWkZLtdfUPm2V0WJsGPUI
fs4wBEIdK6kU1CIhI8zz/yqa4Fb6Q2u+MO6SsudQlCM
-> C89-grease >Fa(j6s UN5!{
nb+ymnliEEKJf3IGloFQMNl/SyFjvFUqekC2YEY2qJblAUaft3Tf6hMYf7uDSjew
5SRhESY0VucHhAK6OybwPWYRlXXv2gM/wxUicB8
--- t6Q6ULdQzW4/xDtZDVI/lfP5i8Cq8lnURqQSyKWHvyI
h,:ìüæ
H)'’ЊÂ/²)žÒ¾ìpˆ¡Rç2QU

74
secrets/nextcloud-pw.age
View File

@@ -1,37 +1,39 @@
age-encryption.org/v1
-> ssh-ed25519 xoAm7w x5N+ssi8L+5iX9SwLZ+kOPMytxHzuAJxed06+AseLkA
hk4VSRvzfy1fgFtZeIuWxoYHiOf04mnRnOlmtQlZYl0
-> ssh-ed25519 mbw8xA yXDnd0gV6utgLFciywFK6UDfE0DNQSLXTpkUL8nRaRA
Z3Fw502k9atnZBZdfvJksaorUs/ZaS/p+gbl4R9ApII
-> ssh-ed25519 N240Tg 7SIm+FpfDpC1NpnbkBx48lRu3WaSuBM/fNLPw+yFBHs
KMpXGlBdt5qkRUeCtMzHg0qrSbzh1cjq6j9MU4vXPf8
-> ssh-ed25519 2a2Yhw 9F6DkUmVK7ubfvdYzI9L/Rk/JcG3uebRFgQRNtVCVU8
7eR2Cu3sRPkHuY8XkLg/LfeW0jTtb8XrPeZW5mDTYkI
-> ssh-ed25519 dMQYog Cug/PgoiZ5ybWSo06qeiypiNfcIQn2vrpOZsqx769Rg
kGLJGX0P4hOAaP2LhOhfnr974X6HJ0QCPv0f5AgHBE4
-> ssh-ed25519 G2eSCQ zD62r2Bq579ZJYqZg1PN2Lj2xmba6p6QEvv98ZPP800
k9JOyc2kRLGb16G9tI5OHk4omYdhY/P5yWNNZOUkL7w
-> ssh-ed25519 yHDAQw f7Obm1bS7L4Ha1H1F1VzNYCiYzred8LJCM0rt/cuswU
dfxG0RQqq8bnTEYhj0h+V8970FMdbXPD7H9IzWbLwXQ
-> ssh-ed25519 2+FxVg H8gBnvm8oxblJYHQWqCWUMI53ub5Rr9zSV16mQYo6jI
D+bma+TF6gjcrsnviHqM20k7Dx7zMRW0hc70y/v4lJE
-> ssh-ed25519 CRfjsA RqogfYS2e+GIUVrBWzbG0fvetJfN3bxCCoNkHRqQREE
id+VmdheQKUVU8UklkmxqbjvZyluMRlMmESMmk4y5p4
-> ssh-ed25519 vwVIvQ ARvdDPsVL40YalpCtoaQYD7xnH9l5jQokHbQG/43HC0
FmG24aSO6V86ADKerTmUdpL+NDyjgvUvaXUUkgVA9lE
-> ssh-ed25519 fBrw3g JoXxSWMwpMd6Zx4q5D1QxGuukn1t4+RFG0hwZ5BMASo
jYIQCClT5GW9Lw0r1X3krCvkHowrfldG9ZNF8BhANkk
-> ssh-ed25519 S5xQfg sMa6Pumq2tSFXZR5qkwKBKaSYBPPVyPyYyFVj058I1E
4cWn6BrcEb+anvMct/NGVBBfeHa8Kp8h500hrcAT6b8
-> ssh-ed25519 XPxfUQ daQ4h1BanGf1yJnRY6mnSbAo00wx0SaH3v5t37hHYFA
lxrQe0xnTbMqoLI3FNucmYD+uSLV6BdrsG7KXCZNab0
-> ssh-ed25519 SpD5mg Ascex+4A67LrFffeh12PENBH4T7lG5FQ4JFrQja0z1U
N4L/KzWU60/XcoR3+y60uXRhSPhUxgq3OFzzotiqXrk
-> ssh-ed25519 Kk8sng u+FDM4E/tLi8JcDPAywz2WJWDwiY3W9zxyD2Za2yBV0
73D2Gt5RH0kwGURnkXnnjNvt3GGm57rsNXKUAFcbt8E
-> 8a\Bke-grease
2yU4S/MyJnxVcns0ktG1nZVuJ3kSKz5zOLOR1E/AO4bbzVPyJNLMMhulld9hmhad
9Qofq2QGyuGCj4IKNTfNs7MtNNa8vxEfNcPFpxJwCFS7vqDgInVomAOz1cytSQ
--- z87pmboliOcZNN0wTNSXvlmNQ22qnZ8hyE8YR3aGjMo
ê¬J>§ö «v¯š· þo‰'¢«¢g‡p%㬾;²¶à¤ƒ©ëaزD'
 •1Â'âùaív,ÃwÅ·o¨ÛZ~ÇjÃEá´ŽüÝ:T<>öw
-> ssh-ed25519 xoAm7w 7+DO9mI/zZfTIN/0KBMOIjMNnReyGoH/XVQa0OLdAHY
qg/UIBJr8GX79d7xrIIN9GUt3pDIormlOM7IdjIytHk
-> ssh-ed25519 mbw8xA 9KorXegEBX3PYQm+Ljdjs2hkxAIpz2CZrITNCGo0BnM
QNQWGWqoudiryg/0fV2KZUuJQGp/suZun9KF9c2OTqw
-> ssh-ed25519 N240Tg kfl4aaKI28cDfzX3MBisRGraQYChPdUF2WigjOFYx0Y
u8dgbgJSmcJBp2Uc8qbWMbpa/cKEmx4V3psQgzqnitA
-> ssh-ed25519 2a2Yhw MGk791xEYHlC4bYfU5CMS3rY8TVI8KYvEIwUhE7wQ3k
iFT3QUR8PyWw4grqy7/8KfLfYNIDkgDKM2MqSr6cj0U
-> ssh-ed25519 dMQYog IW1ntuHrV85WX60GI295c197NUlQMKuo5gd3sQZl/gA
gAnx0rMggqZ7Rn8tHFAXJx3z3t9MkZpmjpgI2qAtK4g
-> ssh-ed25519 G2eSCQ 7ZpZQAda0uxjIIdpLnC5JlU6cbLtJWr9LSIIdi7PUQw
PfGFrMVLCmy8SDv2nn6p6M560Xu8lte8DjbCORDM+uc
-> ssh-ed25519 6AT2/g JGE9jVFM2Wu348XIHpubyCEismpfBraxnFGTnEvqqnI
kDHfyJdBIGIURDJ0Nsce4DqzPzhk5p+LM1QZ44pZ4g8
-> ssh-ed25519 yHDAQw KNzCNjvErLwEJZpWWMIBFUGOC8jURyvoKzCWX0ATrRM
EyIJpn48eU8oEB5FbMhCOd16hAVrxTFLyJEoos7WGOY
-> ssh-ed25519 hPp1nw kdjLNwgYQV/4NMubVpJw8QCIuKn+u3CT1boZNJEWfCM
FXNLqmpZB+CtSmCY9zGr+3UebEwNK3JmdP4ifdXiQL4
-> ssh-ed25519 CRfjsA axLQSlgVkaYmRktIP+fwHnhN2pJ55NCOW0fzTzgjFF4
ElO0byzF3PJxN9WgENIN/YfmsOR9rOhEh3xRNIIGIyk
-> ssh-ed25519 vwVIvQ LtrPXRJ0hztkWFnoKt5c0UzWQpD9CO990k52gjWcQnY
nHb1hsXhHQokcA4WoRlbZy0EFQt8Xd0cYUGqblY17Q4
-> ssh-ed25519 fBrw3g dnWs7lWY8QoWOjWHG68FSYqZDzsIaA/qU4AXrndGNTw
gh4+t6THL2mtrPUzGlYd/YxDjk3hpHxUmGq+kRcz9BQ
-> ssh-ed25519 S5xQfg kEXs5hXXR4ocYYWoT2xFr4HITe9wIOOLz73zm/9bf0o
WpO+5/zXc+UGYJGkNNQr8UsEz2RyBUtQ4Syep718294
-> ssh-ed25519 XPxfUQ pL4j/idFPiIPnWI7bIwn0+FuB6az/hXURAh+tvdr7Hc
WWJPFYanmf3+KnjG84XlnEapI1vh0wRi9XFJRn5JVpo
-> ssh-ed25519 SpD5mg CpGcl7ONt0juh/N2hwcxWiuc9u9wjQ4d+AAF+1BQim0
7Xs7qYITkCsjloA74CDGn6lZhXNTqFV05omLiCz9efg
-> ssh-ed25519 Kk8sng DzLM7ewz+4yz5YNQfBDKcOOlqMxScGR34XfVpCUHMEM
eH2ogYJO2N4cqxRibCOEoL5cXcTdWavHS3uRX7wwHxY
-> h<Vf$Fh-grease :~Z8 qwh*'} 2*OyJh )iMU_m?t
u9QuYuPJEVl7Rt1cEcXZPQ0IfpOzqB59iTMch/SDoByr966PBlBfjDS/7i9U0sEI
GMeVtXePXkKPXVvhmbZ/C9KI
--- 1F0kxs/7SRrpoj9q4t1eCg381LzCgrwA1DYG7zcI3dI
ö>°cY§ÀeéEòƒ\ã¯<>Ôc¸j½ ßÎíÃS­—XpºýG<C3BD>§$½}i¼10
ϱ™< œ`á Œ<>, öAž¤£~r>ø$|wˆ¿

BIN
secrets/peertube-db-pw.age
View File

Binary file not shown.

75
secrets/peertube-init.age
View File

@@ -1,36 +1,41 @@
age-encryption.org/v1
-> ssh-ed25519 xoAm7w QzUKcF09aFZCmJpEuEsypSG7rYT+8ZFY9OXbHZOPDlY
FSQSTXj3+dHuTfk8YvC4omVOppVMpTqpx/EFM3HT86k
-> ssh-ed25519 mbw8xA WoOrpN4MGqeXJyponTuNWkzgPcpRA2r0Yq+ChM4aIR8
4YhP9NZc3wADh6in0Ml5dx14fQ4jsdXTFfG0WBDrHaU
-> ssh-ed25519 N240Tg jeRJi+jmjwttPiqtcPJoKGjLWgQDw2W67Ly9GqQ6dC4
WaMJmSKRPbuqpQmfhVwm0qbZw+HlQe7Rx4sWtpIIA68
-> ssh-ed25519 2a2Yhw dWm0B50fFUfGaEb2JHtQoQINCtZ177+LH6UCbS3kbQ0
sOM7awbzqRhPJLSjXuWKuQqxhGv9U5VVzuWbC3INztE
-> ssh-ed25519 dMQYog U5ZpmTy1Qbs8loajBdTyEtR7CLdeAKpr2Qdl1cmqHy8
ObozQQpOrkj4ZE5wpg9bAj0OtAxriluMfD6Jy/ezYPI
-> ssh-ed25519 G2eSCQ Zd1KkAZ2IiYKBBIxUomCxx10o8RUlouGbgt6yiGQIys
JuwkZF8Vt/M1BOXOXfpdl8nlw4iTMoTuEEoO/K8s+Wg
-> ssh-ed25519 yHDAQw 9fooowI3DX9A4iGA2sXadna7vNiGqW5xyC1E9cFRcyk
p+S8NG+uPHjtS+MYNiSPoBpaZdJwuBrZQaZ/l6JrbPg
-> ssh-ed25519 2+FxVg lMI1/RUhrqvMIvCMnbKls7jcOKgmXZTL0gIlrH+Cq34
6Zu+UuY5AYgoRkvIEn4ElkbmlI79ILoSKvdv3Ma1axs
-> ssh-ed25519 CRfjsA X9n1y8mA1wVsGx8+lcD3PupOC5ugEx3OzhNeqsQ1Rh4
RrLWiNUozAHxuKM/KnwdBaJ0zmPnm3+S647Eoet8D8g
-> ssh-ed25519 vwVIvQ DlqtNj5LRYJ01OSdlIi1bomN3hzjI45FK/4gXHMsBm4
4zlpOBYcghurELrfmvTlwvnGjxA49MogQ1SC5s6lcN4
-> ssh-ed25519 fBrw3g tE9h+kf1nrY1WmKsb38smYMwWqHEBZUk/tLYmZ7A53k
0c5rT9kS6KmzfquJ2sBJDfzg8Wp18TMoUo4yaruoAQI
-> ssh-ed25519 S5xQfg wHOsvH7jpeONU+JQncN66Ioct9YziCK13qH6Nx3h+VA
Jd2Ghnv2wg8q6d3jieVYmfxm09WCz6FT6+OgwatK/To
-> ssh-ed25519 XPxfUQ CXVg0iFE2p8G6KYD5ED1e9tCOKI/BMgSEualHsLWM3A
fB18nWsU8FCBiar7VhRcQkiSBmPzFTlomhhyH+7xAl8
-> ssh-ed25519 SpD5mg hyjtaYim9W/wyHRTRJpNb6wOGzW1BzcTjG3G/a8A5wo
Cjl5EsTOAxcN9r38dBDg3GOpO6aKrlAmpmAcNPZQe7M
-> ssh-ed25519 Kk8sng iA/AZFPCssDZdr9ozMj6bgysWqpZEo4vy6LE/7ndBXc
ixmuIC76/8XHaeNY8ZhzVK9TCz1Wjj604225GRPI+zg
-> s}jEE-grease x -l=A].r J.
QxC8gGLOwclvhjVN702ccrxknUmC9AAzUpwMei3LeTINXJIgRzaKIUZ2Djc/0ZrK
pY/XwVQ2GAI6
--- p6EgKZ23iFcKIMeYbjQNAcZnZKcTArbXqmz1kKAvN+E
B—xV 2,tº x Ô¨#ÅjºxoR„ÇnÚàVD°Á!éQóáÐÔž:+YçcÃŽ<C383>ZZÍXèrÜçüÎ4¢U?<3F>ÆàÑ<C3A0>@•<>ÓcoF<6F>À»+æ¢;-pCŠvqüß$ãPy0xU¾ìp
-> ssh-ed25519 xoAm7w N9ZPma02+vK6eoQ6X9/AufI8d9Sq0fAmbCygEAprM30
qUcK7qCxU/wGxssjMO3BFmiP+ZPCMMA+MPsqTS6Hau8
-> ssh-ed25519 mbw8xA 1uhQY3YHakSRBjgVfqWc3ynGGNT+T6qR74oy7UpbdGM
7cvBh7xPxDxZqrQURBUUnyk2YjzVY/kzAUf7dy5y/JI
-> ssh-ed25519 N240Tg ujiP5iMMSupxkwhY1DpkmRQOQlZSr9WjPGrY7aUKmnQ
FNeXuINzgDB+gn/u76gQq7J1zYCQC0wbFyUVxvbalI4
-> ssh-ed25519 2a2Yhw C8/2A7AOzjyrH4Ulre9G+w1y7H1pvVZe6k5PTmGBlCI
9W6w4Ib0riy9sbZEQvSYeJ42LXwPruV8kPvTOP+dMqg
-> ssh-ed25519 dMQYog hIbfS8dz5LGPZ9sU+lHHnL8KB0CceM2nYV5mFV038gY
6r14pRwszEZGVzDRZQlymlgjdp1Zd+r/O2IfjqxBZcs
-> ssh-ed25519 G2eSCQ kvgWxBHowwVcGlm3KiWjxug+Wx3zkcMWl4wbPRrhrl8
A5VtHqvDwaa8jONXMTvVQC1ALcnsiqxllM/DrRXWFws
-> ssh-ed25519 6AT2/g XUGBtkOcpLRKNDS3hsyXAap1DXAIeaRX9jFOfhUpMw4
sq/Ziv4RGRBmrUgS0GWTQs8AViUXBWjUxqf0V/rAN8E
-> ssh-ed25519 yHDAQw GmscTQwu+lHC2VARJusQ606NLf6OlxITZzINjrbxf2o
LmuIU71tE+2OlF0HGNS+DdXCLdA5lAeTPXl1S+V5KCA
-> ssh-ed25519 hPp1nw XQbGxz+YJ8RieN0HxEQz9kJfikbWTtz1hFNGQBHkXzg
1yst2YMs9XelKpIGyl+qxAgrFZ+Hq9odh6wBovbb8sc
-> ssh-ed25519 CRfjsA 79TlEM5+g11lMOkkW/KvSTmt//ChklK3jlUHLAM/1hQ
9X1VP6SYST3Q841ahE+fAeg0FhKq+/XcZdysigIOgdc
-> ssh-ed25519 vwVIvQ 1r0/J5T1fEmOjM7ybKDPOBdE2UIDEUdkIFNWGJBzXGs
gAOX/3koAfQx8er8nt4dlvLbIoYfeVPENjz7wLNoFwg
-> ssh-ed25519 fBrw3g 9hdWAt6qEwjAwVmTprCkR2q6GsE4dEOCiCTRfz58fTk
f24fPWUrwtt1UN2ebk7tj7gBY8EiAMwvEvztCvaNZRc
-> ssh-ed25519 S5xQfg wyY1lx8QIDJy9pCi9zS3T3lNV0jQGhVC8HvyI60zrD4
6+agBFHfxcaTLfZLyEeUMl9zyaFbsM9X2EXPvf6DfeM
-> ssh-ed25519 XPxfUQ IabbhU0TM3zImRHyKk1NLnGRUUTuQHHCMLzp9AltDVE
vf+5OlycHphA0i4nB7c6OtBBahWPJR/8VSWzudM9FEc
-> ssh-ed25519 SpD5mg VSBErQVSLWPcA7C3p+wuL0/JaP58O5Gvy8z5eJduky0
jnd3tBVjqhf8oZy9h2soMZVPEa2dvYHxvrNUdKK/UwU
-> ssh-ed25519 Kk8sng 3gM4o/sdewPR8BZo8owBVEE2GwqnQgUeA1Uxsd8nOlM
VpgZRzc4tN7QX8s41iKoCstfU0KgrGhWolfws8QXYr8
-> vWbrVo-grease ,kVQ{
PpMMMc8V/eqh5OBEcK067OIY3UQt9QTjHCVVesZediQxm/E2rRYvKm793NdgsflT
mAA0Lcu8/6EPFWtK05TxkDO+JaVfrvKLKuh/E3k
--- eKZw2cOm1WsLYj/Bx14q433kkZ6altIqL0qnBSYXjn8
>»KÝ-B<15>vœâŒ×ôÕŽ}4©QåÎ˳x
ÅîÝÒ{ʱí­
0U<01>Ò
ê¶×Ý

BIN
secrets/peertube-redis-pw.age
View File

Binary file not shown.

BIN
secrets/peertube-smtp.age
View File

Binary file not shown.

BIN
secrets/pia-login.conf
View File

Binary file not shown.

BIN
secrets/sasl_relay_passwd.age Normal file
View File

Binary file not shown.

BIN
secrets/searx.age
View File

Binary file not shown.

2
secrets/secrets.nix
View File

@@ -17,4 +17,6 @@ in
"spotifyd.age".publicKeys = all;
"wolframalpha.age".publicKeys = all;
"cloudflared-navidrome.json.age".publicKeys = all;
"smb-secrets.age".publicKeys = all;
"sasl_relay_passwd.age".publicKeys = all;
}

38
secrets/smb-secrets.age Normal file
View File

@@ -0,0 +1,38 @@
age-encryption.org/v1
-> ssh-ed25519 xoAm7w Kg7UClnYqMV4+rPfZsUFgHyXUFfD9ZY2miGwr0m+NWc
SCfg3UYlGpUJreLgdkKUVru7Gqvh7AfmJLRoI+Jwmdo
-> ssh-ed25519 mbw8xA LeqtlUz7egt8G5z8Ca69GUM9Jgt7HMiqPxO/YN0rwR4
ILPsmKmjrc2m0kFMhpY2ebVXTsTRUiQMookDindWrig
-> ssh-ed25519 N240Tg G6vylAd18eW8zdF+vReXY7fTfdYseWY//4/ElWDMxXo
a1BWR4URSMmHV8Z48aChmVQAlfSfNn0S66WOG0uxNc0
-> ssh-ed25519 2a2Yhw XXZOpsj9uhKDzh6rnSWOj3HWeohsm3LvPw0RTR3zLkI
9U5oc+gWXmK5r4mLZueFBnkyal88lNbFNlzRcT77Zyo
-> ssh-ed25519 dMQYog m+Tm6nn0yVLiPPua1K7v2ToXg4JzRouarE63L/sh4kk
SZ7HXZ2wteV6mxJ2bdMOenMO3clsL7nRyAkDAJomODQ
-> ssh-ed25519 G2eSCQ sFl1qmmOPtEypFvjZStXITKedfQV45B2MDk90Bcb3hI
fetONY50e4lApLBWTABlDrV7iG0EdQl4sJE276LNz+0
-> ssh-ed25519 6AT2/g eL7ilpjXlLTIEqgOoX5jlDapUZjipe4ssmgFdaWGfQU
5JOCPit0JyCuHQk9JUqPUbk1l1YJcPfeFYqZLrlA2+4
-> ssh-ed25519 yHDAQw OL1GcsvJ1xxiGLqnkVVCMdwZTd1lSsxMV/ERkGlKqDU
gDiwmUUDPBoYE5uKmxUkfQXV95bAnTghmnE4URjEAC0
-> ssh-ed25519 hPp1nw Qq52IpfX5qtzg7E9ruK4qI3W0tyXTnm5ntITOzZ4r3M
QhTA1V4vN9qMKhIcmNKIOBYnggPP4FfbIkXR+00jJMY
-> ssh-ed25519 CRfjsA EtorS2Ba+6E4grspQXhDFiXSOxGsnNSQbkSpv+NkGkc
Oz6xPjiHUJI/md01GxNLA9O52V/inIeaEi0wGe/T2QE
-> ssh-ed25519 vwVIvQ yzWaeWjer2QysLCpcpiEGuUSX/JEf+CVOLEbV4cdwG4
00vNjH+LFNjGGFrJmJtpLGKZTnEtFDW94sDIeNeklbk
-> ssh-ed25519 fBrw3g PJqw2w4s10ncE5q95Srxc49S3UfiZpDskoCHLsYE8wo
SMpvtbRNMdGi3+VENOVziLt2U6kg4djaJwY9QN7qm+A
-> ssh-ed25519 S5xQfg QCkCr+gN488FKCu+TlhJ6HUbFxqdkwSaUYxgnJ66zl8
XhMSuZ/HOlXJmWRVrQjMY80IKxvrnNHh6eR6N2vSKeQ
-> ssh-ed25519 XPxfUQ k8Pp9ZlRAWZRXOQ9URro05DRIViGfs2DhXTrMTZyvgA
B7lvmKy5Dqw5qzLwnQEX1163NW0t6vYHPgTmqKE/2+4
-> ssh-ed25519 SpD5mg Y/Cg1GVTBo1r66Oj/bFN0uDWLfM2rIAAGRP0qu0tfRo
Rr+7yR2uf170A2pUylEwUthC0XGIXin51DK9JS8K0xY
-> ssh-ed25519 Kk8sng r//SXYT5xxLXwoDsWhFwaoLzhT8fdbXX3HShmS4SMX0
DrcuiBS+JLkzgsYumxvnsnKkrzFYkNPRJZOegj+0Q1c
-> X6%3Q-grease l? n?e
j/l9N+hzs80iS5YZrx8mrrIIb/+y82YM4lb1a0aBOCUMsK0IHbtnPjZbVfOmO55W
+yFtp3gXw1Fnffbircs8YnYpq5vdpEABGazjSg
--- o3H9hWurbhlvoOR4Ulmpt/hdPk+C/OR79T0YqvoXRR0
؆(ÚÙ0Ý íw¨WMæ‘@jO…°}2 mêNßnÙ³g«å„?¤gò³ª³†“rºB\ ï½ãØ

71
secrets/spotifyd.age
View File

@@ -1,35 +1,38 @@
age-encryption.org/v1
-> ssh-ed25519 xoAm7w 7BrgejPVmv8C6tVB7YSAr/F5vjf22UlxKDS0Ls5S0D0
x2Pr5vqVm9h9ilvkZx42aQ1dVr+rn+Qiy+Mx/CpPNl4
-> ssh-ed25519 mbw8xA +k0a5v212lrt59R+2o3odNJbGVLfkMrWdsXdZqut7UE
fFBA1rK4bFeRDIXAKmbrIEtIkYWqvpKzq139nu18FOs
-> ssh-ed25519 N240Tg ccPDe1H2Gk3WrJ+k7j54/arPTs2tGk0eIUUZMllG/wY
EgT7QblYooOaX77uptZefl5BRh/b8yJw1iPZtJRs7+I
-> ssh-ed25519 2a2Yhw umtT4T2KX+TPw6gF5zIGahgUFG4uSrCtrU7pFNd+LEs
kI0F0JwBNChSrWfgmaQUt1vsOQyVUOQHeSXeItsXBDg
-> ssh-ed25519 dMQYog KmL7HotDvfJwDmNAN/OCcGTUO946OAWlitGKs1BSJhk
9+vVVcDRxXTPvlxJ6GrqK8urS6ml+YuByLZmp2DGKn8
-> ssh-ed25519 G2eSCQ IQRSyMixCHfXr0/cdDV0fRMH73+qfaIF9ru9PUSDZwM
BBZrlblX/21GQDhg4HKvOhjc3gljCfZbtO1/TTg0XMo
-> ssh-ed25519 yHDAQw k0pukayQ+Z2RcqD5iUh0xQw95pD2bCAKmSxDn7Ue0wo
TjGdWZdkZDZ/bxHjINc1trMVxXLVUsUkVfwzQCM2IZE
-> ssh-ed25519 2+FxVg PoFmmcMMDTI82hCL9CZ74kkr+Ea2kFKhrnDjhfPw2lA
fnEZhhgiqzeAQ4IFA4WIETdTY3tOuGJuYKnaRK16FQo
-> ssh-ed25519 CRfjsA aqLSF8+2XWiA4N/SR7vmFpDhxBlrOhQKcuyIIojIUUQ
nDXKKIKBwwiz4dqfFYwZPAzzgETb3YPidvDbql0pLkc
-> ssh-ed25519 vwVIvQ LN2smnGPozsF1iUM3ijXMvZrM7Ck8gYAZd4UuGP9hGk
YOBFRqPXKiiNbrDe4SuvK9yrljc9+kkPaoGRWr7h768
-> ssh-ed25519 fBrw3g J73eAp5usahaUSRLNw9hNyC5HzYBRKR9vIxh9NjZSTs
Rytk2QlG3tKLFZ1ie4cfLtSwHdnDH3XmdHjE6rLQXIU
-> ssh-ed25519 S5xQfg c+d0Q2jRUp0gL1JtbHAM/nTAKRRknSMQkxONhkRFLmE
hGAtY5ORKcMv7l61HC4kZaXubwobgogJeuk4P9GzIUY
-> ssh-ed25519 XPxfUQ n5UfMcdy5LwNYApSZaT3Aw2rxBHnb8t0Cq2dFShN8DE
LqCBgqyE0Xa62STdWbFghZRSP/l/zxEyg6J6UNE1e78
-> ssh-ed25519 SpD5mg 6vJsAhRtDFbdn+1AlaoWVNdTQYOvlZDwDDfvcewRUhk
k67eUP/gbq6hKTzedvxZLQufIqE4J0ptwkUUwuM68EU
-> ssh-ed25519 Kk8sng +pLAyOnCP3ec+x3R4KCOzbD2wKxQWadDHJDu2XSEuFs
AUuRFemgRGt+BDeVWMgTQrbYfcmofa1aH7HVV4jWULA
-> 0Q{-grease nJV-{ s#h;@S_M pXx55p
tLBqexjhMwirCOgZ/ic1TiHh5VRKhR2Pklt2yaCA0KKjUtwDMa4VF4XHB9Y
--- CuF3mcjHMtAJ4fxRkTiXNqSp0M6tfHX8H5ApskPX3mo
œCtÞiS¡j}O‡b|ûûzûk» !ッ¬ÃúÃf÷‡ ÷nFw³oE ·7ߨ1æø“kø/ä“&kËvJçX¨ŸzíD¦Ú-é=¯o'î%<M®¨ò5ñŸ˜¿ºð
-> ssh-ed25519 xoAm7w F1C6i9iOvzUf6pS7eBfcsRFRn4q2YE7htxCqiLvasw0
viF83MLadEfum6wQWgbl/h0l65+jAtBszhevVS4jh4k
-> ssh-ed25519 mbw8xA Ec2wju2txmmCHuVNDWdLQkfUNY7/okY2koAz6Jur53o
JLmlpd43QO/LPvS0TW9eKh6f5zZmbVDWjYn44J5ZqMo
-> ssh-ed25519 N240Tg 1bl9Y+I3XGx7RiY8078wEMdaAishvW84nMrprt8jjVU
4lXtc1rGouF1DoTohQnSEMvNwRZaaenimEFypsfxajM
-> ssh-ed25519 2a2Yhw SDknhtgjNgNy3ktoNNvLie3OdO8bKhWW5P4s73OtLk8
Ihl/yNw35f2CgcZX6KHRXUTpAHp6aAQR/7oeU+gq3V4
-> ssh-ed25519 dMQYog dME46DZmwFnKBKlmx5AZEoaVipBmpuz66RXPQfFoXSY
eAzeaSpIL5KPQADGEeuX/bkQ014L8MeTQF2fapO2N/w
-> ssh-ed25519 G2eSCQ 8/xTD9nSXyAeZwBEdJgLcOembBwnMOgWX3jR4N2sXC8
0BmY7u5TEcIEza2PZIJEamV2dfC0sDeVl0UXECBwDlc
-> ssh-ed25519 6AT2/g xSdH52Oq0TOg0D76WlDVSY5kJb0hMAWoM3XVyMtAeWk
0p2AHJDa9XK6C2g8AM/g7cWdR5DGLk6SoUL3Nah2G1M
-> ssh-ed25519 yHDAQw mQBHUkvKf+Na8pCfl2Vb7+sKLmKth0lbxDFEcTtH/ng
JDPxV93vE8mKJtDp/MewHA0F78rW/0ZPYUQKkdNUivs
-> ssh-ed25519 hPp1nw htVxNW9zp7J38WN06jfEX417xtXt50iMTRUtrzLRO2k
iTHjoS5eWNiQxIWtuylkqXlO8E+Dx/2CkENs16lZqhQ
-> ssh-ed25519 CRfjsA Dqs/SAfRhgszI9pz4yZHyVp0iqPg1ssspX6ZW2QTv10
tA7NQXpPtJQ4mHjTDr4pTt9jrqDkMJZGMLVazOenMbs
-> ssh-ed25519 vwVIvQ oNmVe26rEpI7nNGlI5G7Er9fu7blpHNE6NOeGkoR/TM
vAL2gsM9NatGQpnNIh8XpCP+o9KoOnuLVt9e8+Kymcw
-> ssh-ed25519 fBrw3g 7GVBA1eUhgxGfiiKirK/i5JUbehOJVgmc2H/tgQ+A1s
n3i9gtNt4aRT4EOk8C94lGmXNN538HNOqo8uCmxZz6o
-> ssh-ed25519 S5xQfg 2KQLClmvqWMuJDOSAkzcpJkRTJgV6ig5Cq22RcCixWA
zYULXTJL5o5uZxxi/fOCrocxZooH3KarUj8vUDkfWn8
-> ssh-ed25519 XPxfUQ z0v4A6O509NqQgbKFzZrY2WL1ATc9SCYckbtqaSOdk0
PbDNvSWw4QEGLUzhp8IrX0oMDJzWjeemuEDZ02YlClo
-> ssh-ed25519 SpD5mg +A6LavFPjRHuTyk0MTZ6zmJf+CIMX69fT/HI6/0RJWI
CVgJC3y/H7MHUCMR5s77oPWA56oIEpj+7MZH+Qw/LTU
-> ssh-ed25519 Kk8sng 4Re6/B65/TMi45/fZh7zl7dAzH4MnCnHqca1Otpaa2o
zJAlQ96vODytPwtwPSxEEi8hn052vCGcPUxECyU9Ivo
-> V1&(!o4J-grease I)F/
AQ7tCx9XyVd3QDf9Tadcz8QIOJ3bgj4kDh8YuwATAmF7M9DPAlQiW5qkkvaALloG
KwwV
--- VnZ2JJVPKnr8hDMqsZidpehwkLY9W2UmF40/5Khu7rg
„;»­ 晣,‘ΧÂ<C2A7>òHµˆ¿ˆ±>ê¬?þL¬Üiv?PËwùìŒímW£­3„^¯{^ÂÆ«"ýçMÈ[…P¤$­Ràüú…£ÄŽýÓ6LÍ Ï

71
secrets/wolframalpha.age
View File

@@ -1,35 +1,38 @@
age-encryption.org/v1
-> ssh-ed25519 xoAm7w iUMxXopuEaljvO57nzNgIxNJepbkuLvDjtukrrRerDY
DIUHBECZHDFSSUdH6KGRPM6/xPiy/JO6yJ9qVSPzuCE
-> ssh-ed25519 mbw8xA ad0JUaMYxEgBs9axprN43wO/vgIY4gpd9z3St0gXrWY
p3Cb7L6D7lUETK64BwTw4nNJXV2QN1WSZ3SBE+4XUPk
-> ssh-ed25519 N240Tg Q9c5sH3imMyRwceecMQ9R4KepYnl9Qb0toDPafjpWUI
VMnDZsWaCZVT+vvJyBlyittGPfecHfutbxsNCUQGnfM
-> ssh-ed25519 2a2Yhw B7pxvaQ0NFr7Fl1KY1sDguLXoc3Qtt6fm///zJnYiRc
5XQ682Wow0F/68aW8qe+KzfCzBsF05YOAUfy2nJtU5w
-> ssh-ed25519 dMQYog 458v1T2C1dxNBOyVWfSPECnDFfHTU4sr9lbnqAfRBw0
8yornb28sYVwhG2IIxz41fxRM13ZxAO15hemOYD2w5Y
-> ssh-ed25519 G2eSCQ L9edFGGnxoCjNi+AKzGMDeP2fMaVjXgTVfr0zvrooTA
bMWiCqeqRyFEZLiUrGYIwa7S6qe1HGHfCv25y6qTH04
-> ssh-ed25519 yHDAQw L/3gl+Wn51aXg5CG2/WVOs220xE+d4vWn8Z4etVakQ8
3IcSEPiVZ+0yot4MHd+ELPmlgT7XUq6SqYglqf37y4o
-> ssh-ed25519 2+FxVg JQmsAMwl1c8+9SH0cLMzECNEBP1HKU2nmmyihx+wGXU
h2usslsXtKnETsflwppUYE5DCZ8gAB4RyWMJs0OvP+w
-> ssh-ed25519 CRfjsA Ph1AGAgtr6KPdCvP+hZhmnHdToVxJvPFse48ddKZ/10
oFKXViquqAU+cfqKK2G4R/brUTIbL6NbcmrCB0qzJS4
-> ssh-ed25519 vwVIvQ 68afhQKfOtyiyk9roneM8/81WL46zZYv5Z4rFo3/T28
7e3q+Ch4GMcBuLZXN65aHvPIxn1aFS1fdN6p0sPo7/Y
-> ssh-ed25519 fBrw3g QlMFgT5cLASzHi9TO6W4I5zjARvPrvoYPTJ6lMkIK1E
1Qu/HmfJzBUYfgaZAEU8eyB2gMiCtDDWWQDVi7rv/ds
-> ssh-ed25519 S5xQfg enAX1OfjtwTC8np8An80yOG600POPtzwJAu7e1F7j0c
iWGTecDFDrHUuOL4mGRU8aCmgqwoia4dtwdNeXlDes8
-> ssh-ed25519 XPxfUQ oRQX0T/79kh1IeRn/gyMIiP82TtpNiFFf9rz2Cym0hs
AlxGYgsO5rB755y/HW2Tw/Sv8L4SVOuzRyjxgaJpDkQ
-> ssh-ed25519 SpD5mg 2ExBL2hagCAyADuIKRZ5Ol1tKcPBcbhrE1uKg5612yg
ReNE1WpbLglQLrASw6xYUYWh3fUZuqw6WuZnWFoGAO0
-> ssh-ed25519 Kk8sng bYCPT5PA5sBXxpa/dSm5ur5mTiDeHDnittAimUdHFWw
drB0un1yD1YRMHL5gBA7tzogfoCIMDAZVxKzQor7C6g
-> zAm1?5-grease
ah0qzWke7Fp/jaiYbHmEBQ
--- o48A6jJcSvjPO67t4JaYTIjfEb2TX2mg2kcwBW1zNH0
Ù¨8,!ó™öý䡯4ÞfÁ»xTMÛu2ëý…YÛ õR=ëçþQë;=šÔ
-> ssh-ed25519 xoAm7w QDzXkxhczV+ZUvEHmN1Uf7xWaEDSugv2dcisOakVPEc
+k9M+R98OqsfIROOedql7ksLCtejx5uzFXigxB1Dhzs
-> ssh-ed25519 mbw8xA ERuMyLhLVrNwmr1wS9h0ssZYayCn0Hc1dhu3zBKzDF0
pz2rEMX3MtxtVOTuEyO5K9ZE5s0C+2JL7lNE5BdUsRo
-> ssh-ed25519 N240Tg kHC1Wn8T3aUpWd4yK0+GJo+SDBXrVmTSrNz/Z+3kfGs
sg6A3DgaQev5ZezJeSNAR7+G4MS1rdwHd/6u1H5+0us
-> ssh-ed25519 2a2Yhw 64vHNVi/UCK1aCBFu+BnSyy42DHZIFeiDekfnQeDlHE
19On29XUAiUsTmlqxrY8PQGderv7VzBO4a10jT5aZwY
-> ssh-ed25519 dMQYog EHtR1wf5/2aWvGwkD4EBOECctp2zs2RjAUOKcncjUSI
s7dfQHaLjO6Hor6xXpx8h5hox3OQA4mPRGt8ewr0jQM
-> ssh-ed25519 G2eSCQ 4L9zIv4aApkZgFneUjVm2esXp4DJYVzm94LA2sS0Qkc
+iDy2G82PX6yuIyn7zITzp/jvBX2P25u26n/NuGdjVM
-> ssh-ed25519 6AT2/g HyH+8r/SZUXilmITIsFVyr2t6rCJK9scP9TR2/rO+1M
0Hkx2o3wlq7nj6fRSL3QNtrxKFxYlfhg7CwsyQDjIo8
-> ssh-ed25519 yHDAQw vZlwV2QvrzG1Xu4XZt4Yi5aDQ8qmPQnadCJtHdtTSlc
4NscOK2mu+P+vrZ8FIbIYhQ/97DPo5vgsl0jnlZM0gY
-> ssh-ed25519 hPp1nw YWRekiOxwuK8eAGehbBfOzW7Rmw95V+A/XD4rmFxS3Y
sd+q4ya9k/KE06GYGFV2O9P3O77aZcJl05tAvY6W1s8
-> ssh-ed25519 CRfjsA LfIzQhaql9b4EAotyVrvKBV1AhlMVcRarA49q7+rQXc
v4WddjXusd/m/s/T7E+wdKm9tDR3rGj6CNE3AdVrDb8
-> ssh-ed25519 vwVIvQ 53S5tWgmlVnKIHonBAmvxbv+w0j9b65NdyWvwlvgZWg
xa+z7MYrJHCgILtG/3Yw1OKH1/YKvuVG2jabnv3gSoA
-> ssh-ed25519 fBrw3g GsaGAXiMo4WhEZTQPgr761gAiQHmHPSwdWF0t910+DI
dmZGcEghoXi7giaxC/1UVJVAtyY5hcknUBxr0wQ4RBk
-> ssh-ed25519 S5xQfg wgkQBHQi8xY4++/quS4ZJWb9PPpg6b0KZpSwypdS7HY
+1yatx5SUanPC04jJMVVILHAwdtg2r9Bd+sj9728BnY
-> ssh-ed25519 XPxfUQ Hj2e1U4udGkp04dSdTSsaaJPIQ7gB1bwralXazBzpVM
LPOMpbX+ndXRkQlR3GKKpwSd5zOT03j5bII8btjY52o
-> ssh-ed25519 SpD5mg ++/8/U9XQKg6L3SHej+mvXeZYrvoWhiwmcurC3V0aTU
qR3nTcugxtBgDhcbZpCe0/NUavbzV6tFJZKv3IopAO4
-> ssh-ed25519 Kk8sng /bL56jng2lp0INyIDqUAX5L8mFmKxCBeHFWPUW6gE0U
4v+jq2N6RIQAh0VRrBZkMjSQW6L+LYcAfYUBvfTM+Jw
-> ";etw{[s-grease E;mh^R$ c8
ossMGyq0gpvz9PjjLBWD+QHRKKhzY6/9Kj4b0M7YdP0OgMdpr5QlA7UIDhiGQQBL
dbt0YyLxbAdhqG7S3lLeedQmvzv/oIyhmV0jsTB79W1l/27FujvPRWYf
--- pYjss6AEPZn0PG7FmO6bGq1O+k1IFGzoxsitB4qgotY
ÌÐçJöÇ<10>>Z`´ <0C>b%RW^óºñ–&<26>·ª ­-4¥ðè¬ÙÚW…á