zuckerberg/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Activity

Compare commits

base: zuckerberg:acbbb8a37a3fb3650556866fc905279de1df0fc0
Branches Tags
zuckerberg:master zuckerberg:stage zuckerberg:rpi-hotspot zuckerberg:attic zuckerberg:kexec_luks2 zuckerberg:pia-client
..
compare: zuckerberg:pia-client
Branches Tags
zuckerberg:master zuckerberg:stage zuckerberg:rpi-hotspot zuckerberg:attic zuckerberg:kexec_luks2 zuckerberg:pia-client

1 Commits
acbbb8a37a ... pia-client

Author SHA1 Message Date
Zuckerberg
a0c199ba06 Unfinished attempt at packaging pia client 2023-02-08 01:38:54 -05:00
76 changed files with 1836 additions and 1363 deletions
Expand all files Collapse all files

2
README.md
View File

@@ -3,7 +3,7 @@
### Source Layout ### Source Layout
- `/common` - common configuration imported into all `/machines` - `/common` - common configuration imported into all `/machines`
- `/boot` - config related to bootloaders, cpu microcode, and unlocking LUKS root disks over tor - `/boot` - config related to bootloaders, cpu microcode, and unlocking LUKS root disks over tor
- `/network` - config for tailscale, and NixOS container with automatic vpn tunneling via PIA - `/network` - config for tailscale, zeroteir, and NixOS container with automatic vpn tunneling via PIA
- `/pc` - config that a graphical desktop computer should have. Use `de.enable = true;` to enable everthing. - `/pc` - config that a graphical desktop computer should have. Use `de.enable = true;` to enable everthing.
- `/server` - config that creates new nixos services or extends existing ones to meet my needs - `/server` - config that creates new nixos services or extends existing ones to meet my needs
- `/ssh.nix` - all ssh public host and user keys for all `/machines` - `/ssh.nix` - all ssh public host and user keys for all `/machines`

13
TODO.md
View File

@@ -52,6 +52,19 @@
- https://ampache.org/ - https://ampache.org/
- replace nextcloud with seafile - replace nextcloud with seafile
### VPN container
- use wireguard for vpn
- https://github.com/triffid/pia-wg/blob/master/pia-wg.sh
- https://github.com/pia-foss/manual-connections
- port forwarding for vpn
- transmission using forwarded port
- https://www.wireguard.com/netns/
- one way firewall for vpn container
### Networking
- tailscale for p2p connections
- remove all use of zerotier
### Archive ### Archive
- https://www.backblaze.com/b2/cloud-storage.html - https://www.backblaze.com/b2/cloud-storage.html
- email - email

2
common/boot/default.nix
View File

@@ -5,6 +5,6 @@
./firmware.nix ./firmware.nix
./efi.nix ./efi.nix
./bios.nix ./bios.nix
./remote-luks-unlock.nix ./luks.nix
]; ];
} }

50
common/boot/remote-luks-unlock.nix → common/boot/luks.nix
View File

@@ -1,14 +1,22 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
cfg = config.remoteLuksUnlock; cfg = config.luks;
in { in {
options.remoteLuksUnlock = { options.luks = {
enable = lib.mkEnableOption "enable luks root remote decrypt over ssh/tor"; enable = lib.mkEnableOption "enable luks root remote decrypt over ssh/tor";
enableTorUnlock = lib.mkOption { device = {
name = lib.mkOption {
type = lib.types.str;
default = "enc-pv";
};
path = lib.mkOption {
type = lib.types.either lib.types.str lib.types.path;
};
allowDiscards = lib.mkOption {
type = lib.types.bool; type = lib.types.bool;
default = cfg.enable; default = false;
description = "Make machine accessable over tor for ssh boot unlock"; };
}; };
sshHostKeys = lib.mkOption { sshHostKeys = lib.mkOption {
type = lib.types.listOf (lib.types.either lib.types.str lib.types.path); type = lib.types.listOf (lib.types.either lib.types.str lib.types.path);
@@ -32,10 +40,10 @@ in {
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
# boot.initrd.luks.devices.${cfg.device.name} = { boot.initrd.luks.devices.${cfg.device.name} = {
# device = cfg.device.path; device = cfg.device.path;
# allowDiscards = cfg.device.allowDiscards; allowDiscards = cfg.device.allowDiscards;
# }; };
# Unlock LUKS disk over ssh # Unlock LUKS disk over ssh
boot.initrd.network.enable = true; boot.initrd.network.enable = true;
@@ -53,26 +61,27 @@ in {
echo /crypt-ramfs/passphrase >> /dev/null echo /crypt-ramfs/passphrase >> /dev/null
''; '';
boot.initrd.secrets = lib.mkIf cfg.enableTorUnlock { # Make machine accessable over tor for boot unlock
boot.initrd.secrets = {
"/etc/tor/onion/bootup" = cfg.onionConfig; "/etc/tor/onion/bootup" = cfg.onionConfig;
}; };
boot.initrd.extraUtilsCommands = lib.mkIf cfg.enableTorUnlock '' boot.initrd.extraUtilsCommands = ''
copy_bin_and_libs ${pkgs.tor}/bin/tor copy_bin_and_libs ${pkgs.tor}/bin/tor
copy_bin_and_libs ${pkgs.haveged}/bin/haveged copy_bin_and_libs ${pkgs.haveged}/bin/haveged
''; '';
boot.initrd.network.postCommands = lib.mkMerge [ # start tor during boot process
('' boot.initrd.network.postCommands = let
# Add nice prompt for giving LUKS passphrase over ssh torRc = (pkgs.writeText "tor.rc" ''
echo 'read -s -p "Unlock Passphrase: " passphrase && echo $passphrase > /crypt-ramfs/passphrase && exit' >> /root/.profile
'')
(let torRc = (pkgs.writeText "tor.rc" ''
DataDirectory /etc/tor DataDirectory /etc/tor
SOCKSPort 127.0.0.1:9050 IsolateDestAddr SOCKSPort 127.0.0.1:9050 IsolateDestAddr
SOCKSPort 127.0.0.1:9063 SOCKSPort 127.0.0.1:9063
HiddenServiceDir /etc/tor/onion/bootup HiddenServiceDir /etc/tor/onion/bootup
HiddenServicePort 22 127.0.0.1:22 HiddenServicePort 22 127.0.0.1:22
''); in lib.mkIf cfg.enableTorUnlock '' '');
in ''
# Add nice prompt for giving LUKS passphrase over ssh
echo 'read -s -p "Unlock Passphrase: " passphrase && echo $passphrase > /crypt-ramfs/passphrase && exit' >> /root/.profile
echo "tor: preparing onion folder" echo "tor: preparing onion folder"
# have to do this otherwise tor does not want to start # have to do this otherwise tor does not want to start
chmod -R 700 /etc/tor chmod -R 700 /etc/tor
@@ -87,7 +96,6 @@ in {
echo "tor: starting tor" echo "tor: starting tor"
tor -f ${torRc} --verify-config tor -f ${torRc} --verify-config
tor -f ${torRc} & tor -f ${torRc} &
'') '';
];
}; };
} }

24
common/default.nix
View File

@@ -1,10 +1,5 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
let
ssh = import ./ssh.nix;
sshUserKeys = ssh.users;
sshHigherTrustKeys = ssh.higherTrustUserKeys;
in
{ {
imports = [ imports = [
./flakes.nix ./flakes.nix
@@ -25,15 +20,10 @@ in
networking.firewall.enable = true; networking.firewall.enable = true;
networking.firewall.allowPing = true; networking.firewall.allowPing = true;
time.timeZone = "America/Denver"; time.timeZone = "America/New_York";
i18n.defaultLocale = "en_US.UTF-8"; i18n.defaultLocale = "en_US.UTF-8";
services.openssh = { services.openssh.enable = true;
enable = true;
settings = {
PasswordAuthentication = false;
};
};
programs.mosh.enable = true; programs.mosh.enable = true;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
@@ -52,7 +42,6 @@ in
micro micro
helix helix
lm_sensors lm_sensors
picocom
]; ];
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
@@ -65,16 +54,11 @@ in
"dialout" # serial "dialout" # serial
]; ];
shell = pkgs.fish; shell = pkgs.fish;
openssh.authorizedKeys.keys = sshUserKeys; openssh.authorizedKeys.keys = (import ./ssh.nix).users;
hashedPassword = "$6$TuDO46rILr$gkPUuLKZe3psexhs8WFZMpzgEBGksE.c3Tjh1f8sD0KMC4oV89K2pqAABfl.Lpxu2jVdr5bgvR5cWnZRnji/r/"; hashedPassword = "$6$TuDO46rILr$gkPUuLKZe3psexhs8WFZMpzgEBGksE.c3Tjh1f8sD0KMC4oV89K2pqAABfl.Lpxu2jVdr5bgvR5cWnZRnji/r/";
uid = 1000; uid = 1000;
}; };
users.users.root = { nix.trustedUsers = [ "root" "googlebot" ];
openssh.authorizedKeys.keys = sshHigherTrustKeys;
};
nix.settings = {
trusted-users = [ "root" "googlebot" ];
};
nix.gc.automatic = true; nix.gc.automatic = true;

3
common/network/default.nix
View File

@@ -9,10 +9,9 @@ in
imports = [ imports = [
./hosts.nix ./hosts.nix
./pia-openvpn.nix ./pia-openvpn.nix
./pia-wireguard.nix
./ping.nix
./tailscale.nix ./tailscale.nix
./vpn.nix ./vpn.nix
./zerotier.nix
]; ];
options.networking.ip_forward = mkEnableOption "Enable ip forwarding"; options.networking.ip_forward = mkEnableOption "Enable ip forwarding";

83
common/network/hosts.nix
View File

@@ -1,62 +1,63 @@
{ config, lib, ... }: { config, lib, ... }:
with builtins;
let let
# TODO: remove when all systems are updated to new enough nixpkgs
concatMapAttrs =
f: with lib; flip pipe [ (mapAttrs f) attrValues (foldl' mergeAttrs { }) ];
system = (import ../ssh.nix).system; system = (import ../ssh.nix).system;
# hostnames that resolve on clearnet for LUKS unlocking
unlock-clearnet-hosts = {
ponyo = "unlock.ponyo.neet.dev";
s0 = "s0";
};
# hostnames that resolve on tor for LUKS unlocking
unlock-onion-hosts = {
liza = "5synsrjgvfzywruomjsfvfwhhlgxqhyofkzeqt2eisyijvjvebnu2xyd.onion";
router = "jxx2exuihlls2t6ncs7rvrjh2dssubjmjtclwr2ysvxtr4t7jv55xmqd.onion";
ponyo = "cfamr6artx75qvt7ho3rrbsc7mkucmv5aawebwflsfuorusayacffryd.onion";
s0 = "r3zvf7f2ppaeithzswigma46pajt3hqytmkg3rshgknbl3jbni455fqd.onion";
};
in { in {
networking.hosts = {
# some DNS providers filter local ip results from DNS request
"172.30.145.180" = [ "s0.zt.neet.dev" ];
"172.30.109.9" = [ "ponyo.zt.neet.dev" ];
"172.30.189.212" = [ "ray.zt.neet.dev" ];
};
programs.ssh.knownHosts = { programs.ssh.knownHosts = {
liza = {
hostNames = [ "liza" "liza.neet.dev" ];
publicKey = system.liza;
};
ponyo = { ponyo = {
hostNames = [ "ponyo" "ponyo.neet.dev" "git.neet.dev" ]; hostNames = [ "ponyo" "ponyo.neet.dev" "ponyo.zt.neet.dev" "git.neet.dev" ];
publicKey = system.ponyo; publicKey = system.ponyo;
}; };
ponyo-unlock = { ponyo-unlock = {
hostNames = [ unlock-clearnet-hosts.ponyo unlock-onion-hosts.ponyo ]; hostNames = [ "unlock.ponyo.neet.dev" "cfamr6artx75qvt7ho3rrbsc7mkucmv5aawebwflsfuorusayacffryd.onion" ];
publicKey = system.ponyo-unlock; publicKey = system.ponyo-unlock;
}; };
router = {
hostNames = [ "router" "192.168.1.228" ];
publicKey = system.router;
};
router-unlock = {
hostNames = [ unlock-onion-hosts.router ];
publicKey = system.router-unlock;
};
ray = { ray = {
hostNames = [ "ray" ]; hostNames = [ "ray" "ray.zt.neet.dev" ];
publicKey = system.ray; publicKey = system.ray;
}; };
s0 = { s0 = {
hostNames = [ "s0" ]; hostNames = [ "s0" "s0.zt.neet.dev" ];
publicKey = system.s0; publicKey = system.s0;
}; };
s0-unlock = { n1 = {
hostNames = [ unlock-onion-hosts.s0 ]; hostNames = [ "n1" ];
publicKey = system.s0-unlock; publicKey = system.n1;
};
n2 = {
hostNames = [ "n2" ];
publicKey = system.n2;
};
n3 = {
hostNames = [ "n3" ];
publicKey = system.n3;
};
n4 = {
hostNames = [ "n4" ];
publicKey = system.n4;
};
n5 = {
hostNames = [ "n5" ];
publicKey = system.n5;
};
n6 = {
hostNames = [ "n6" ];
publicKey = system.n6;
};
n7 = {
hostNames = [ "n7" ];
publicKey = system.n7;
}; };
}; };
# prebuilt cmds for easy ssh LUKS unlock
environment.shellAliases =
concatMapAttrs (host: addr: {"unlock-over-tor_${host}" = "torsocks ssh root@${addr}";}) unlock-onion-hosts
//
concatMapAttrs (host: addr: {"unlock_${host}" = "ssh root@${addr}";}) unlock-clearnet-hosts;
} }

4
common/network/pia-openvpn.nix
View File

@@ -1,7 +1,7 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
cfg = config.pia.openvpn; cfg = config.pia;
vpnfailsafe = pkgs.stdenv.mkDerivation { vpnfailsafe = pkgs.stdenv.mkDerivation {
pname = "vpnfailsafe"; pname = "vpnfailsafe";
version = "0.0.1"; version = "0.0.1";
@@ -14,7 +14,7 @@ let
}; };
in in
{ {
options.pia.openvpn = { options.pia = {
enable = lib.mkEnableOption "Enable private internet access"; enable = lib.mkEnableOption "Enable private internet access";
server = lib.mkOption { server = lib.mkOption {
type = lib.types.str; type = lib.types.str;

356
common/network/pia-wireguard.nix
View File

@@ -1,356 +0,0 @@
{ config, lib, pkgs, ... }:
# Server list:
# https://serverlist.piaservers.net/vpninfo/servers/v6
# Reference materials:
# https://github.com/pia-foss/manual-connections
# https://github.com/thrnz/docker-wireguard-pia/blob/master/extra/wg-gen.sh
# TODO handle potential errors (or at least print status, success, and failures to the console)
# TODO parameterize names of systemd services so that multiple wg VPNs could coexist in theory easier
# TODO implement this module such that the wireguard VPN doesn't have to live in a container
# TODO don't add forward rules if the PIA port is the same as cfg.forwardedPort
# TODO verify signatures of PIA responses
with builtins;
with lib;
let
cfg = config.pia.wireguard;
getPIAToken = ''
PIA_USER=`sed '1q;d' /run/agenix/pia-login.conf`
PIA_PASS=`sed '2q;d' /run/agenix/pia-login.conf`
# PIA_TOKEN only lasts 24hrs
PIA_TOKEN=`curl -s -u "$PIA_USER:$PIA_PASS" https://www.privateinternetaccess.com/gtoken/generateToken | jq -r '.token'`
'';
chooseWireguardServer = ''
servers=$(mktemp)
servers_json=$(mktemp)
curl -s "https://serverlist.piaservers.net/vpninfo/servers/v6" > "$servers"
# extract json part only
head -n 1 "$servers" | tr -d '\n' > "$servers_json"
echo "Available location ids:" && jq '.regions | .[] | {name, id, port_forward}' "$servers_json"
# Some locations have multiple servers available. Pick a random one.
totalservers=$(jq -r '.regions | .[] | select(.id=="'${cfg.serverLocation}'") | .servers.wg | length' "$servers_json")
if ! [[ "$totalservers" =~ ^[0-9]+$ ]] || [ "$totalservers" -eq 0 ] 2>/dev/null; then
echo "Location \"${cfg.serverLocation}\" not found."
exit 1
fi
serverindex=$(( RANDOM % totalservers))
WG_HOSTNAME=$(jq -r '.regions | .[] | select(.id=="'${cfg.serverLocation}'") | .servers.wg | .['$serverindex'].cn' "$servers_json")
WG_SERVER_IP=$(jq -r '.regions | .[] | select(.id=="'${cfg.serverLocation}'") | .servers.wg | .['$serverindex'].ip' "$servers_json")
WG_SERVER_PORT=$(jq -r '.groups.wg | .[0] | .ports | .[0]' "$servers_json")
# write chosen server
rm -f /tmp/${cfg.interfaceName}-server.conf
touch /tmp/${cfg.interfaceName}-server.conf
chmod 700 /tmp/${cfg.interfaceName}-server.conf
echo "$WG_HOSTNAME" >> /tmp/${cfg.interfaceName}-server.conf
echo "$WG_SERVER_IP" >> /tmp/${cfg.interfaceName}-server.conf
echo "$WG_SERVER_PORT" >> /tmp/${cfg.interfaceName}-server.conf
rm $servers_json $servers
'';
getChosenWireguardServer = ''
WG_HOSTNAME=`sed '1q;d' /tmp/${cfg.interfaceName}-server.conf`
WG_SERVER_IP=`sed '2q;d' /tmp/${cfg.interfaceName}-server.conf`
WG_SERVER_PORT=`sed '3q;d' /tmp/${cfg.interfaceName}-server.conf`
'';
refreshPIAPort = ''
${getChosenWireguardServer}
signature=`sed '1q;d' /tmp/${cfg.interfaceName}-port-renewal`
payload=`sed '2q;d' /tmp/${cfg.interfaceName}-port-renewal`
bind_port_response=`curl -Gs -m 5 --connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" --cacert "${./ca.rsa.4096.crt}" --data-urlencode "payload=$payload" --data-urlencode "signature=$signature" "https://$WG_HOSTNAME:19999/bindPort"`
'';
portForwarding = cfg.forwardPortForTransmission || cfg.forwardedPort != null;
containerServiceName = "container@${config.vpn-container.containerName}.service";
in {
options.pia.wireguard = {
enable = mkEnableOption "Enable private internet access";
badPortForwardPorts = mkOption {
type = types.listOf types.port;
description = ''
Ports that will not be accepted from PIA.
If PIA assigns a port from this list, the connection is aborted since we cannot ask for a different port.
This is used to guarantee we are not assigned a port that is used by a service we do not want exposed.
'';
};
wireguardListenPort = mkOption {
type = types.port;
description = "The port wireguard listens on for this VPN connection";
default = 51820;
};
serverLocation = mkOption {
type = types.str;
default = "swiss";
};
interfaceName = mkOption {
type = types.str;
default = "piaw";
};
forwardedPort = mkOption {
type = types.nullOr types.port;
description = "The port to redirect port forwarded TCP VPN traffic too";
default = null;
};
forwardPortForTransmission = mkEnableOption "PIA port forwarding for transmission should be performed.";
};
config = mkIf cfg.enable {
assertions = [
{
assertion = cfg.forwardPortForTransmission != (cfg.forwardedPort != null);
message = ''
The PIA forwarded port cannot simultaneously be used by transmission and redirected to another port.
'';
}
];
# mounts used to pass the connection parameters to the container
# the container doesn't have internet until it uses these parameters so it cannot fetch them itself
vpn-container.mounts = [
"/tmp/${cfg.interfaceName}.conf"
"/tmp/${cfg.interfaceName}-server.conf"
"/tmp/${cfg.interfaceName}-address.conf"
];
# The container takes ownership of the wireguard interface on its startup
containers.vpn.interfaces = [ cfg.interfaceName ];
# TODO: while this is much better than "loose" networking, it seems to have issues with firewall restarts
# allow traffic for wireguard interface to pass since wireguard trips up rpfilter
# networking.firewall = {
# extraCommands = ''
# ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --sport ${toString cfg.wireguardListenPort} -j RETURN
# ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --dport ${toString cfg.wireguardListenPort} -j RETURN
# '';
# extraStopCommands = ''
# ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --sport ${toString cfg.wireguardListenPort} -j RETURN || true
# ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --dport ${toString cfg.wireguardListenPort} -j RETURN || true
# '';
# };
networking.firewall.checkReversePath = "loose";
systemd.services.pia-vpn-wireguard-init = {
description = "Creates PIA VPN Wireguard Interface";
requires = [ "network-online.target" ];
after = [ "network.target" "network-online.target" ];
before = [ containerServiceName ];
requiredBy = [ containerServiceName ];
partOf = [ containerServiceName ];
wantedBy = [ "multi-user.target" ];
path = with pkgs; [ wireguard-tools jq curl iproute ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
# restart once a month; PIA forwarded port expires after two months
# because the container is "PartOf" this unit, it gets restarted too
RuntimeMaxSec="30d";
};
script = ''
# Prepare to connect by generating wg secrets and auth'ing with PIA since the container
# cannot do without internet to start with. NAT'ing the host's internet would address this
# issue but is not ideal because then leaking network outside of the VPN is more likely.
${chooseWireguardServer}
${getPIAToken}
# generate wireguard keys
privKey=$(wg genkey)
pubKey=$(echo "$privKey" | wg pubkey)
# authorize our WG keys with the PIA server we are about to connect to
wireguard_json=`curl -s -G --connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" --cacert "${./ca.rsa.4096.crt}" --data-urlencode "pt=$PIA_TOKEN" --data-urlencode "pubkey=$pubKey" https://$WG_HOSTNAME:$WG_SERVER_PORT/addKey`
# create wg-quick config file
rm -f /tmp/${cfg.interfaceName}.conf /tmp/${cfg.interfaceName}-address.conf
touch /tmp/${cfg.interfaceName}.conf /tmp/${cfg.interfaceName}-address.conf
chmod 700 /tmp/${cfg.interfaceName}.conf /tmp/${cfg.interfaceName}-address.conf
echo "
[Interface]
# Address = $(echo "$wireguard_json" | jq -r '.peer_ip')
PrivateKey = $privKey
ListenPort = ${toString cfg.wireguardListenPort}
[Peer]
PersistentKeepalive = 25
PublicKey = $(echo "$wireguard_json" | jq -r '.server_key')
AllowedIPs = 0.0.0.0/0
Endpoint = $WG_SERVER_IP:$(echo "$wireguard_json" | jq -r '.server_port')
" >> /tmp/${cfg.interfaceName}.conf
# create file storing the VPN ip address PIA assigned to us
echo "$wireguard_json" | jq -r '.peer_ip' >> /tmp/${cfg.interfaceName}-address.conf
# Create wg interface now so it inherits from the namespace with internet access
# the container will handle actually connecting the interface since that info is
# not preserved upon moving into the container's networking namespace
# Roughly following this guide https://www.wireguard.com/netns/#ordinary-containerization
[[ -z $(ip link show dev ${cfg.interfaceName} 2>/dev/null) ]] || exit
ip link add ${cfg.interfaceName} type wireguard
'';
preStop = ''
# cleanup wireguard interface
ip link del ${cfg.interfaceName}
rm -f /tmp/${cfg.interfaceName}.conf /tmp/${cfg.interfaceName}-address.conf
'';
};
vpn-container.config.systemd.services.pia-vpn-wireguard = {
description = "Initializes the PIA VPN WireGuard Tunnel";
requires = [ "network-online.target" ];
after = [ "network.target" "network-online.target" ];
wantedBy = [ "multi-user.target" ];
path = with pkgs; [ wireguard-tools iproute curl jq iptables ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
# pseudo calls wg-quick
# Near equivalent of "wg-quick up /tmp/${cfg.interfaceName}.conf"
# cannot actually call wg-quick because the interface has to be already
# created before the container taken ownership of the interface
# Thus, assumes wg interface was already created:
# ip link add ${cfg.interfaceName} type wireguard
${getChosenWireguardServer}
myaddress=`cat /tmp/${cfg.interfaceName}-address.conf`
wg setconf ${cfg.interfaceName} /tmp/${cfg.interfaceName}.conf
ip -4 address add $myaddress dev ${cfg.interfaceName}
ip link set mtu 1420 up dev ${cfg.interfaceName}
wg set ${cfg.interfaceName} fwmark ${toString cfg.wireguardListenPort}
ip -4 route add 0.0.0.0/0 dev ${cfg.interfaceName} table ${toString cfg.wireguardListenPort}
# TODO is this needed?
ip -4 rule add not fwmark ${toString cfg.wireguardListenPort} table ${toString cfg.wireguardListenPort}
ip -4 rule add table main suppress_prefixlength 0
# The rest of the script is only for only for port forwarding skip if not needed
if [ ${boolToString portForwarding} == false ]; then exit 0; fi
# Reserve port
${getPIAToken}
payload_and_signature=`curl -s -m 5 --connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" --cacert "${./ca.rsa.4096.crt}" -G --data-urlencode "token=$PIA_TOKEN" "https://$WG_HOSTNAME:19999/getSignature"`
signature=$(echo "$payload_and_signature" | jq -r '.signature')
payload=$(echo "$payload_and_signature" | jq -r '.payload')
port=$(echo "$payload" | base64 -d | jq -r '.port')
# Check if the port is acceptable
notallowed=(${concatStringsSep " " (map toString cfg.badPortForwardPorts)})
if [[ " ''${notallowed[*]} " =~ " $port " ]]; then
# the port PIA assigned is not allowed, kill the connection
wg-quick down /tmp/${cfg.interfaceName}.conf
exit 1
fi
# write reserved port to file readable for all users
echo $port > /tmp/${cfg.interfaceName}-port
chmod 644 /tmp/${cfg.interfaceName}-port
# write payload and signature info needed to allow refreshing allocated forwarded port
rm -f /tmp/${cfg.interfaceName}-port-renewal
touch /tmp/${cfg.interfaceName}-port-renewal
chmod 700 /tmp/${cfg.interfaceName}-port-renewal
echo $signature >> /tmp/${cfg.interfaceName}-port-renewal
echo $payload >> /tmp/${cfg.interfaceName}-port-renewal
# Block all traffic from VPN interface except for traffic that is from the forwarded port
iptables -I nixos-fw -p tcp --dport $port -j nixos-fw-accept -i ${cfg.interfaceName}
iptables -I nixos-fw -p udp --dport $port -j nixos-fw-accept -i ${cfg.interfaceName}
# The first port refresh triggers the port to be actually allocated
${refreshPIAPort}
${optionalString (cfg.forwardedPort != null) ''
# redirect the fowarded port
iptables -A INPUT -i ${cfg.interfaceName} -p tcp --dport $port -j ACCEPT
iptables -A INPUT -i ${cfg.interfaceName} -p udp --dport $port -j ACCEPT
iptables -A INPUT -i ${cfg.interfaceName} -p tcp --dport ${toString cfg.forwardedPort} -j ACCEPT
iptables -A INPUT -i ${cfg.interfaceName} -p udp --dport ${toString cfg.forwardedPort} -j ACCEPT
iptables -A PREROUTING -t nat -i ${cfg.interfaceName} -p tcp --dport $port -j REDIRECT --to-port ${toString cfg.forwardedPort}
iptables -A PREROUTING -t nat -i ${cfg.interfaceName} -p udp --dport $port -j REDIRECT --to-port ${toString cfg.forwardedPort}
''}
${optionalString cfg.forwardPortForTransmission ''
# assumes no auth needed for transmission
curlout=$(curl localhost:9091/transmission/rpc 2>/dev/null)
regex='X-Transmission-Session-Id\: (\w*)'
if [[ $curlout =~ $regex ]]; then
sessionId=''${BASH_REMATCH[1]}
else
exit 1
fi
# set the port in transmission
data='{"method": "session-set", "arguments": { "peer-port" :'$port' } }'
curl http://localhost:9091/transmission/rpc -d "$data" -H "X-Transmission-Session-Id: $sessionId"
''}
'';
preStop = ''
wg-quick down /tmp/${cfg.interfaceName}.conf
# The rest of the script is only for only for port forwarding skip if not needed
if [ ${boolToString portForwarding} == false ]; then exit 0; fi
${optionalString (cfg.forwardedPort != null) ''
# stop redirecting the forwarded port
iptables -D INPUT -i ${cfg.interfaceName} -p tcp --dport $port -j ACCEPT
iptables -D INPUT -i ${cfg.interfaceName} -p udp --dport $port -j ACCEPT
iptables -D INPUT -i ${cfg.interfaceName} -p tcp --dport ${toString cfg.forwardedPort} -j ACCEPT
iptables -D INPUT -i ${cfg.interfaceName} -p udp --dport ${toString cfg.forwardedPort} -j ACCEPT
iptables -D PREROUTING -t nat -i ${cfg.interfaceName} -p tcp --dport $port -j REDIRECT --to-port ${toString cfg.forwardedPort}
iptables -D PREROUTING -t nat -i ${cfg.interfaceName} -p udp --dport $port -j REDIRECT --to-port ${toString cfg.forwardedPort}
''}
'';
};
vpn-container.config.systemd.services.pia-vpn-wireguard-forward-port = {
enable = portForwarding;
description = "PIA VPN WireGuard Tunnel Port Forwarding";
after = [ "pia-vpn-wireguard.service" ];
requires = [ "pia-vpn-wireguard.service" ];
path = with pkgs; [ curl ];
serviceConfig = {
Type = "oneshot";
};
script = refreshPIAPort;
};
vpn-container.config.systemd.timers.pia-vpn-wireguard-forward-port = {
enable = portForwarding;
partOf = [ "pia-vpn-wireguard-forward-port.service" ];
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "*:0/10"; # 10 minutes
RandomizedDelaySec = "1m"; # vary by 1 min to give PIA servers some relief
};
};
age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
};
}

58
common/network/ping.nix
View File

@@ -1,58 +0,0 @@
{ config, pkgs, lib, ... }:
# keeps peer to peer connections alive with a periodic ping
with lib;
with builtins;
# todo auto restart
let
cfg = config.keepalive-ping;
serviceTemplate = host:
{
"keepalive-ping@${host}" = {
description = "Periodic ping keep alive for ${host} connection";
requires = [ "network-online.target" ];
after = [ "network.target" "network-online.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.Restart="always";
path = with pkgs; [ iputils ];
script = ''
ping -i ${cfg.delay} ${host} &>/dev/null
'';
};
};
combineAttrs = foldl recursiveUpdate {};
serviceList = map serviceTemplate cfg.hosts;
services = combineAttrs serviceList;
in {
options.keepalive-ping = {
enable = mkEnableOption "Enable keep alive ping task";
hosts = mkOption {
type = types.listOf types.str;
default = [];
description = ''
Hosts to ping periodically
'';
};
delay = mkOption {
type = types.str;
default = "60";
description = ''
Ping interval in seconds of periodic ping per host being pinged
'';
};
};
config = mkIf cfg.enable {
systemd.services = services;
};
}

6
common/network/tailscale.nix
View File

@@ -8,11 +8,7 @@ in
{ {
options.services.tailscale.exitNode = mkEnableOption "Enable exit node support"; options.services.tailscale.exitNode = mkEnableOption "Enable exit node support";
config.services.tailscale.enable = mkDefault (!config.boot.isContainer); config.services.tailscale.enable = !config.boot.isContainer;
# MagicDNS
config.networking.nameservers = mkIf cfg.enable [ "1.1.1.1" "8.8.8.8" "100.100.100.100" ];
config.networking.search = mkIf cfg.enable [ "koi-bebop.ts.net" ];
# exit node # exit node
config.networking.firewall.checkReversePath = mkIf cfg.exitNode "loose"; config.networking.firewall.checkReversePath = mkIf cfg.exitNode "loose";

30
common/network/vpn.nix
View File

@@ -26,8 +26,6 @@ in
''; '';
}; };
useOpenVPN = mkEnableOption "Uses OpenVPN instead of wireguard for PIA VPN connection";
config = mkOption { config = mkOption {
type = types.anything; type = types.anything;
default = {}; default = {};
@@ -43,9 +41,6 @@ in
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
pia.wireguard.enable = !cfg.useOpenVPN;
pia.wireguard.forwardPortForTransmission = !cfg.useOpenVPN;
containers.${cfg.containerName} = { containers.${cfg.containerName} = {
ephemeral = true; ephemeral = true;
autoStart = true; autoStart = true;
@@ -64,7 +59,7 @@ in
} }
))); )));
enableTun = cfg.useOpenVPN; enableTun = true;
privateNetwork = true; privateNetwork = true;
hostAddress = "172.16.100.1"; hostAddress = "172.16.100.1";
localAddress = "172.16.100.2"; localAddress = "172.16.100.2";
@@ -72,35 +67,28 @@ in
config = { config = {
imports = allModules ++ [cfg.config]; imports = allModules ++ [cfg.config];
# speeds up evaluation
nixpkgs.pkgs = pkgs; nixpkgs.pkgs = pkgs;
# networking.firewall.enable = mkForce false; networking.firewall.enable = mkForce false;
networking.firewall.trustedInterfaces = [
# completely trust internal interface to host
"eth0"
];
pia.openvpn.enable = cfg.useOpenVPN; pia.enable = true;
pia.openvpn.server = "swiss.privacy.network"; # swiss vpn pia.server = "swiss.privacy.network"; # swiss vpn
# TODO fix so it does run it's own resolver again
# run it's own DNS resolver # run it's own DNS resolver
networking.useHostResolvConf = false; networking.useHostResolvConf = false;
# services.resolved.enable = true; services.resolved.enable = true;
networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];
}; };
}; };
# load secrets the container needs # load secrets the container needs
age.secrets = config.containers.${cfg.containerName}.config.age.secrets; age.secrets = config.containers.${cfg.containerName}.config.age.secrets;
# forwarding for vpn container (only for OpenVPN) # forwarding for vpn container
networking.nat.enable = mkIf cfg.useOpenVPN true; networking.nat.enable = true;
networking.nat.internalInterfaces = mkIf cfg.useOpenVPN [ networking.nat.internalInterfaces = [
"ve-${cfg.containerName}" "ve-${cfg.containerName}"
]; ];
networking.ip_forward = mkIf cfg.useOpenVPN true; networking.ip_forward = true;
# assumes only one potential interface # assumes only one potential interface
networking.usePredictableInterfaceNames = false; networking.usePredictableInterfaceNames = false;

14
common/network/zerotier.nix Normal file
View File

@@ -0,0 +1,14 @@
{ lib, config, ... }:
let
cfg = config.services.zerotierone;
in {
config = lib.mkIf cfg.enable {
services.zerotierone.joinNetworks = [
"565799d8f6d654c0"
];
networking.firewall.allowedUDPPorts = [
9993
];
};
}

2
common/pc/default.nix
View File

@@ -50,8 +50,6 @@ in {
arduino arduino
yt-dlp yt-dlp
jellyfin-media-player jellyfin-media-player
joplin-desktop
config.inputs.deploy-rs.packages.${config.currentSystem}.deploy-rs
]; ];
# Networking # Networking

16
common/pc/mount-samba.nix
View File

@@ -1,6 +1,6 @@
# mounts the samba share on s0 over tailscale # mounts the samba share on s0 over zeroteir
{ config, lib, pkgs, ... }: { config, lib, ... }:
let let
cfg = config.services.mount-samba; cfg = config.services.mount-samba;
@@ -18,25 +18,19 @@ in {
enable = lib.mkEnableOption "enable mounting samba shares"; enable = lib.mkEnableOption "enable mounting samba shares";
}; };
config = lib.mkIf (cfg.enable && config.services.tailscale.enable) { config = lib.mkIf (cfg.enable && config.services.zerotierone.enable) {
fileSystems."/mnt/public" = { fileSystems."/mnt/public" = {
device = "//s0.koi-bebop.ts.net/public"; device = "//s0.zt.neet.dev/public";
fsType = "cifs"; fsType = "cifs";
options = [ opts ]; options = [ opts ];
}; };
fileSystems."/mnt/private" = { fileSystems."/mnt/private" = {
device = "//s0.koi-bebop.ts.net/googlebot"; device = "//s0.zt.neet.dev/googlebot";
fsType = "cifs"; fsType = "cifs";
options = [ opts ]; options = [ opts ];
}; };
age.secrets.smb-secrets.file = ../../secrets/smb-secrets.age; age.secrets.smb-secrets.file = ../../secrets/smb-secrets.age;
# Encrypted Vault
environment.shellAliases = {
vault_unlock = "${pkgs.gocryptfs}/bin/gocryptfs /mnt/private/.vault/ /mnt/vault/";
vault_lock = "umount /mnt/vault/";
};
}; };
} }

76
common/pc/pia/default.nix Normal file
View File

@@ -0,0 +1,76 @@
{ lib, config, pkgs, ... }:
with lib;
let
cfg = config.services.pia;
in {
imports = [
./pia.nix
];
options.services.pia = {
enable = lib.mkEnableOption "Enable PIA Client";
dataDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/pia";
description = ''
Path to the pia data directory
'';
};
user = lib.mkOption {
type = lib.types.str;
default = "root";
description = ''
The user pia should run as
'';
};
group = lib.mkOption {
type = lib.types.str;
default = "piagrp";
description = ''
The group pia should run as
'';
};
users = mkOption {
type = with types; listOf str;
default = [];
description = ''
Usernames to be added to the "spotifyd" group, so that they
can start and interact with the userspace daemon.
'';
};
};
config = mkIf cfg.enable {
# users.users.${cfg.user} =
# if cfg.user == "pia" then {
# isSystemUser = true;
# group = cfg.group;
# home = cfg.dataDir;
# createHome = true;
# }
# else {};
users.groups.${cfg.group}.members = cfg.users;
systemd.services.pia-daemon = {
enable = true;
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.ExecStart = "${pkgs.pia-daemon}/bin/pia-daemon";
serviceConfig.PrivateTmp="yes";
serviceConfig.User = cfg.user;
serviceConfig.Group = cfg.group;
preStart = ''
mkdir -p ${cfg.dataDir}
chown ${cfg.user}:${cfg.group} ${cfg.dataDir}
'';
};
};
}

147
common/pc/pia/fix-pia.patch Normal file
View File

@@ -0,0 +1,147 @@
diff --git a/Rakefile b/Rakefile
index fa6d771..bcd6fb1 100644
--- a/Rakefile
+++ b/Rakefile
@@ -151,41 +151,6 @@ end
# Install LICENSE.txt
stage.install('LICENSE.txt', :res)
-# Download server lists to ship preloaded copies with the app. These tasks
-# depend on version.txt so they're refreshed periodically (whenver a new commit
-# is made), but not for every build.
-#
-# SERVER_DATA_DIR can be set to use existing files instead of downloading them;
-# this is primarily intended for reproducing a build.
-#
-# Create a probe for SERVER_DATA_DIR so these are updated if it changes.
-serverDataProbe = Probe.new('serverdata')
-serverDataProbe.file('serverdata.txt', "#{ENV['SERVER_DATA_DIR']}")
-# JSON resource build directory
-jsonFetched = Build.new('json-fetched')
-# These are the assets we need to fetch and the URIs we get them from
-{
- 'modern_shadowsocks.json': 'https://serverlist.piaservers.net/shadow_socks',
- 'modern_servers.json': 'https://serverlist.piaservers.net/vpninfo/servers/v6',
- 'modern_region_meta.json': 'https://serverlist.piaservers.net/vpninfo/regions/v2'
-}.each do |k, v|
- fetchedFile = jsonFetched.artifact(k.to_s)
- serverDataDir = ENV['SERVER_DATA_DIR']
- file fetchedFile => [version.artifact('version.txt'),
- serverDataProbe.artifact('serverdata.txt'),
- jsonFetched.componentDir] do |t|
- if(serverDataDir)
- # Use the copy provided instead of fetching (for reproducing a build)
- File.copy(File.join(serverDataDir, k), fetchedFile)
- else
- # Fetch from the web API (write with "binary" mode so LF is not
- # converted to CRLF on Windows)
- File.binwrite(t.name, Net::HTTP.get(URI(v)))
- end
- end
- stage.install(fetchedFile, :res)
-end
-
# Install version/brand/arch info in case an upgrade needs to know what is
# currently installed
stage.install(version.artifact('version.txt'), :res)
diff --git a/common/src/posix/unixsignalhandler.cpp b/common/src/posix/unixsignalhandler.cpp
index f820a6d..e1b6c33 100644
--- a/common/src/posix/unixsignalhandler.cpp
+++ b/common/src/posix/unixsignalhandler.cpp
@@ -132,7 +132,7 @@ void UnixSignalHandler::_signalHandler(int, siginfo_t *info, void *)
// we checked it, we can't even log because the logger is not reentrant.
auto pThis = instance();
if(pThis)
- ::write(pThis->_sigFd[0], info, sizeof(siginfo_t));
+ auto _ = ::write(pThis->_sigFd[0], info, sizeof(siginfo_t));
}
template<int Signal>
void UnixSignalHandler::setAbortAction()
diff --git a/daemon/src/linux/linux_nl.cpp b/daemon/src/linux/linux_nl.cpp
index fd3aced..2367a5e 100644
--- a/daemon/src/linux/linux_nl.cpp
+++ b/daemon/src/linux/linux_nl.cpp
@@ -642,6 +642,6 @@ LinuxNl::~LinuxNl()
unsigned char term = 0;
PosixFd killSocket = _workerKillSocket.get();
if(killSocket)
- ::write(killSocket.get(), &term, sizeof(term));
+ auto _ = ::write(killSocket.get(), &term, sizeof(term));
_workerThread.join();
}
diff --git a/extras/support-tool/launcher/linux-launcher.cpp b/extras/support-tool/launcher/linux-launcher.cpp
index 3f63ac2..420d54d 100644
--- a/extras/support-tool/launcher/linux-launcher.cpp
+++ b/extras/support-tool/launcher/linux-launcher.cpp
@@ -48,7 +48,7 @@ int fork_execv(gid_t gid, char *filename, char *const argv[])
if(forkResult == 0)
{
// Apply gid as both real and effective
- setregid(gid, gid);
+ auto _ = setregid(gid, gid);
int execErr = execv(filename, argv);
std::cerr << "exec err: " << execErr << " / " << errno << " - "
diff --git a/rake/model/qt.rb b/rake/model/qt.rb
index c8cd362..a6abe59 100644
--- a/rake/model/qt.rb
+++ b/rake/model/qt.rb
@@ -171,12 +171,7 @@ class Qt
end
def getQtRoot(qtVersion, arch)
- qtToolchainPtns = getQtToolchainPatterns(arch)
- qtRoots = FileList[*Util.joinPaths([[qtVersion], qtToolchainPtns])]
- # Explicitly filter for existing paths - if the pattern has wildcards
- # we only get existing directories, but if the patterns are just
- # alternates with no wildcards, we can get directories that don't exist
- qtRoots.find_all { |r| File.exist?(r) }.max
+ ENV['QTROOT']
end
def getQtVersionScore(minor, patch)
@@ -192,12 +187,7 @@ class Qt
end
def getQtPathVersion(path)
- verMatch = path.match('^.*/Qt[^/]*/5\.(\d+)\.?(\d*)$')
- if(verMatch == nil)
- nil
- else
- [verMatch[1].to_i, verMatch[2].to_i]
- end
+ [ENV['QT_MAJOR'].to_i, ENV['QT_MINOR'].to_i]
end
# Build a component definition with the defaults. The "Core" component will
diff --git a/rake/product/linux.rb b/rake/product/linux.rb
index f43fb3e..83505af 100644
--- a/rake/product/linux.rb
+++ b/rake/product/linux.rb
@@ -18,8 +18,7 @@ module PiaLinux
QT_BINARIES = %w(pia-client pia-daemon piactl pia-support-tool)
# Version of libicu (needed to determine lib*.so.## file names in deployment)
- ICU_VERSION = FileList[File.join(Executable::Qt.targetQtRoot, 'lib', 'libicudata.so.*')]
- .first.match(/libicudata\.so\.(\d+)(\..*|)/)[1]
+ ICU_VERSION = ENV['ICU_MAJOR'].to_i;
# Copy a directory recursively, excluding *.debug files (debugging symbols)
def self.copyWithoutDebug(sourceDir, destDir)
@@ -220,16 +219,5 @@ module PiaLinux
# Since these are just development workflow tools, they can be skipped if
# specific dependencies are not available.
def self.defineTools(toolsStage)
- # Test if we have libthai-dev, for the Thai word breaking utility
- if(Executable::Tc.sysHeaderAvailable?('thai/thwbrk.h'))
- Executable.new('thaibreak')
- .source('tools/thaibreak')
- .lib('thai')
- .install(toolsStage, :bin)
- toolsStage.install('tools/thaibreak/thai_ts.sh', :bin)
- toolsStage.install('tools/onesky_import/import_translations.sh', :bin)
- else
- puts "skipping thaibreak utility, install libthai-dev to build thaibreak"
- end
end
end

139
common/pc/pia/pia.nix Normal file
View File

@@ -0,0 +1,139 @@
{ pkgs, lib, config, ... }:
{
nixpkgs.overlays = [
(self: super:
with self;
let
# arch = builtins.elemAt (lib.strings.splitString "-" builtins.currentSystem) 0;
arch = "x86_64";
pia-desktop = clangStdenv.mkDerivation rec {
pname = "pia-desktop";
version = "3.3.0";
src = fetchgit {
url = "https://github.com/pia-foss/desktop";
rev = version;
fetchLFS = true;
sha256 = "D9txL5MUWyRYTnsnhlQdYT4dGVpj8PFsVa5hkrb36cw=";
};
patches = [
./fix-pia.patch
];
nativeBuildInputs = [
cmake
rake
];
prePatch = ''
sed -i 's|/usr/include/libnl3|${libnl.dev}/include/libnl3|' Rakefile
'';
installPhase = ''
mkdir -p $out/bin $out/lib $out/share
cp -r ../out/pia_release_${arch}/stage/bin $out
cp -r ../out/pia_release_${arch}/stage/lib $out
cp -r ../out/pia_release_${arch}/stage/share $out
'';
cmakeFlags = [
"-DCMAKE_BUILD_TYPE=Release"
];
QTROOT = "${qt5.full}";
QT_MAJOR = lib.versions.minor (lib.strings.parseDrvName qt5.full.name).version;
QT_MINOR = lib.versions.patch (lib.strings.parseDrvName qt5.full.name).version;
ICU_MAJOR = lib.versions.major (lib.strings.parseDrvName icu.name).version;
buildInputs = [
mesa
libsForQt5.qt5.qtquickcontrols
libsForQt5.qt5.qtquickcontrols2
icu
libnl
];
dontWrapQtApps = true;
};
in rec {
openvpn-updown = buildFHSUserEnv {
name = "openvpn-updown";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "openvpn-updown.sh";
};
pia-client = buildFHSUserEnv {
name = "pia-client";
targetPkgs = pkgs: (with pkgs; [
pia-desktop
xorg.libXau
xorg.libXdmcp
]);
runScript = "pia-client";
};
piactl = buildFHSUserEnv {
name = "piactl";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "piactl";
};
pia-daemon = buildFHSUserEnv {
name = "pia-daemon";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "pia-daemon";
};
pia-hnsd = buildFHSUserEnv {
name = "pia-hnsd";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "pia-hnsd";
};
pia-openvpn = buildFHSUserEnv {
name = "pia-openvpn";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "pia-openvpn";
};
pia-ss-local = buildFHSUserEnv {
name = "pia-ss-local";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "pia-ss-local";
};
pia-support-tool = buildFHSUserEnv {
name = "pia-support-tool";
targetPkgs = pkgs: (with pkgs; [
pia-desktop
xorg.libXau
xorg.libXdmcp
]);
runScript = "pia-support-tool";
};
pia-unbound = buildFHSUserEnv {
name = "pia-unbound";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "pia-unbound";
};
pia-wireguard-go = buildFHSUserEnv {
name = "pia-wireguard-go";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "pia-wireguard-go";
};
support-tool-launcher = buildFHSUserEnv {
name = "support-tool-launcher";
targetPkgs = pkgs: (with pkgs; [ pia-desktop ]);
runScript = "support-tool-launcher";
};
})
];
}

4
common/server/default.nix
View File

@@ -14,9 +14,5 @@
./radio.nix ./radio.nix
./samba.nix ./samba.nix
./owncast.nix ./owncast.nix
./mailserver.nix
./nextcloud.nix
./iodine.nix
./searx.nix
]; ];
} }

9
common/server/gitea.nix
View File

@@ -14,8 +14,11 @@ in {
domain = cfg.hostname; domain = cfg.hostname;
rootUrl = "https://${cfg.hostname}/"; rootUrl = "https://${cfg.hostname}/";
appName = cfg.hostname; appName = cfg.hostname;
ssh.enable = true;
# lfs.enable = true; # lfs.enable = true;
dump.enable = true; dump.enable = true;
cookieSecure = true;
disableRegistration = true;
settings = { settings = {
other = { other = {
SHOW_FOOTER_VERSION = false; SHOW_FOOTER_VERSION = false;
@@ -23,12 +26,6 @@ in {
ui = { ui = {
DEFAULT_THEME = "arc-green"; DEFAULT_THEME = "arc-green";
}; };
service = {
DISABLE_REGISTRATION = true;
};
session = {
COOKIE_SECURE = true;
};
}; };
}; };
services.nginx.enable = true; services.nginx.enable = true;

20
common/server/iodine.nix
View File

@@ -1,20 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.iodine.server;
in {
config = lib.mkIf cfg.enable {
# iodine DNS-based vpn
services.iodine.server = {
ip = "192.168.99.1";
domain = "tun.neet.dev";
passwordFile = "/run/agenix/iodine";
};
age.secrets.iodine.file = ../../secrets/iodine.age;
networking.firewall.allowedUDPPorts = [ 53 ];
networking.nat.internalInterfaces = [
"dns0" # iodine
];
};
}

83
common/server/mailserver.nix
View File

@@ -1,83 +0,0 @@
{ config, pkgs, lib, ... }:
with builtins;
let
cfg = config.mailserver;
domains = [
"neet.space"
"neet.dev"
"neet.cloud"
"runyan.org"
"runyan.rocks"
"thunderhex.com"
"tar.ninja"
"bsd.ninja"
"bsd.rocks"
];
in {
config = lib.mkIf cfg.enable {
# kresd doesn't work with tailscale MagicDNS
mailserver.localDnsResolver = false;
services.resolved.enable = true;
mailserver = {
fqdn = "mail.neet.dev";
dkimKeyBits = 2048;
indexDir = "/var/lib/mailindex";
enableManageSieve = true;
fullTextSearch.enable = true;
fullTextSearch.indexAttachments = true;
fullTextSearch.memoryLimit = 500;
inherit domains;
loginAccounts = {
"jeremy@runyan.org" = {
hashedPasswordFile = "/run/agenix/email-pw";
# catchall for all domains
aliases = map (domain: "@${domain}") domains;
};
};
rejectRecipients = [
"george@runyan.org"
"joslyn@runyan.org"
"damon@runyan.org"
"jonas@runyan.org"
];
certificateScheme = 3; # use let's encrypt for certs
};
age.secrets.email-pw.file = ../../secrets/email-pw.age;
# sendmail to use xxx@domain instead of xxx@mail.domain
services.postfix.origin = "$mydomain";
# relay sent mail through mailgun
# https://www.howtoforge.com/community/threads/different-smtp-relays-for-different-domains-in-postfix.82711/#post-392620
services.postfix.config = {
smtp_sasl_auth_enable = "yes";
smtp_sasl_security_options = "noanonymous";
smtp_sasl_password_maps = "hash:/var/lib/postfix/conf/sasl_relay_passwd";
smtp_use_tls = "yes";
sender_dependent_relayhost_maps = "hash:/var/lib/postfix/conf/sender_relay";
smtp_sender_dependent_authentication = "yes";
};
services.postfix.mapFiles.sender_relay = let
relayHost = "[smtp.mailgun.org]:587";
in pkgs.writeText "sender_relay"
(concatStringsSep "\n" (map (domain: "@${domain} ${relayHost}") domains));
services.postfix.mapFiles.sasl_relay_passwd = "/run/agenix/sasl_relay_passwd";
age.secrets.sasl_relay_passwd.file = ../../secrets/sasl_relay_passwd.age;
# webmail
services.nginx.enable = true;
services.roundcube = {
enable = true;
hostName = config.mailserver.fqdn;
extraConfig = ''
# starttls needed for authentication, so the fqdn required to match the certificate
$config['smtp_server'] = "tls://${config.mailserver.fqdn}";
$config['smtp_user'] = "%u";
$config['smtp_pass'] = "%p";
'';
};
};
}

27
common/server/nextcloud.nix
View File

@@ -1,27 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.nextcloud;
in {
config = lib.mkIf cfg.enable {
services.nextcloud = {
https = true;
package = pkgs.nextcloud25;
hostName = "neet.cloud";
config.dbtype = "sqlite";
config.adminuser = "jeremy";
config.adminpassFile = "/run/agenix/nextcloud-pw";
autoUpdateApps.enable = true;
enableBrokenCiphersForSSE = false;
};
age.secrets.nextcloud-pw = {
file = ../../secrets/nextcloud-pw.age;
owner = "nextcloud";
};
services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
enableACME = true;
forceSSL = true;
};
};
}

29
common/server/searx.nix
View File

@@ -1,29 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.searx;
in {
config = lib.mkIf cfg.enable {
services.searx = {
environmentFile = "/run/agenix/searx";
settings = {
server.port = 43254;
server.secret_key = "@SEARX_SECRET_KEY@";
engines = [ {
name = "wolframalpha";
shortcut = "wa";
api_key = "@WOLFRAM_API_KEY@";
engine = "wolframalpha_api";
} ];
};
};
services.nginx.virtualHosts."search.neet.space" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${toString config.services.searx.settings.server.port}";
};
};
age.secrets.searx.file = ../../secrets/searx.age;
};
}

54
common/shell.nix
View File

@@ -1,24 +1,34 @@
{ config, lib, pkgs, ... }: { config, pkgs, ... }:
# Improvements to the default shell # Improvements to the default shell
# - use nix-index for command-not-found # - use nix-locate for command-not-found
# - disable fish's annoying greeting message # - disable fish's annoying greeting message
# - add some handy shell commands # - add some handy shell commands
{ let
environment.systemPackages = with pkgs; [ nix-locate = config.inputs.nix-locate.packages.${config.currentSystem}.default;
comma in {
];
# nix-index
programs.nix-index.enable = true;
programs.nix-index.enableFishIntegration = true;
programs.command-not-found.enable = false; programs.command-not-found.enable = false;
environment.systemPackages = [
nix-locate
];
programs.fish = { programs.fish = {
enable = true; enable = true;
shellInit = '' shellInit = let
wrapper = pkgs.writeScript "command-not-found" ''
#!${pkgs.bash}/bin/bash
source ${nix-locate}/etc/profile.d/command-not-found.sh
command_not_found_handle "$@"
'';
in ''
# use nix-locate for command-not-found functionality
function __fish_command_not_found_handler --on-event fish_command_not_found
${wrapper} $argv
end
# disable annoying fish shell greeting # disable annoying fish shell greeting
set fish_greeting set fish_greeting
''; '';
@@ -28,23 +38,9 @@
myip = "dig +short myip.opendns.com @resolver1.opendns.com"; myip = "dig +short myip.opendns.com @resolver1.opendns.com";
# https://linuxreviews.org/HOWTO_Test_Disk_I/O_Performance # https://linuxreviews.org/HOWTO_Test_Disk_I/O_Performance
io_seq_read = "${pkgs.fio}/bin/fio --name TEST --eta-newline=5s --filename=temp.file --rw=read --size=2g --io_size=10g --blocksize=1024k --ioengine=libaio --fsync=10000 --iodepth=32 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file"; io_seq_read = "nix run nixpkgs#fio -- --name TEST --eta-newline=5s --filename=temp.file --rw=read --size=2g --io_size=10g --blocksize=1024k --ioengine=libaio --fsync=10000 --iodepth=32 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
io_seq_write = "${pkgs.fio}/bin/fio --name TEST --eta-newline=5s --filename=temp.file --rw=write --size=2g --io_size=10g --blocksize=1024k --ioengine=libaio --fsync=10000 --iodepth=32 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file"; io_seq_write = "nix run nixpkgs#fio -- --name TEST --eta-newline=5s --filename=temp.file --rw=write --size=2g --io_size=10g --blocksize=1024k --ioengine=libaio --fsync=10000 --iodepth=32 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
io_rand_read = "${pkgs.fio}/bin/fio --name TEST --eta-newline=5s --filename=temp.file --rw=randread --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=32 --runtime=60 --group_reporting; rm temp.file"; io_rand_read = "nix run nixpkgs#fio -- --name TEST --eta-newline=5s --filename=temp.file --rw=randread --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=32 --runtime=60 --group_reporting; rm temp.file";
io_rand_write = "${pkgs.fio}/bin/fio --name TEST --eta-newline=5s --filename=temp.file --rw=randrw --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file"; io_rand_write = "nix run nixpkgs#fio -- --name TEST --eta-newline=5s --filename=temp.file --rw=randrw --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
}; };
nixpkgs.overlays = [
(final: prev: {
# comma uses the "nix-index" package built into nixpkgs by default.
# That package doesn't use the prebuilt nix-index database so it needs to be changed.
comma = prev.comma.overrideAttrs (old: {
postInstall = ''
wrapProgram $out/bin/comma \
--prefix PATH : ${lib.makeBinPath [ prev.fzy config.programs.nix-index.package ]}
ln -s $out/bin/comma $out/bin/,
'';
});
})
];
} }

45
common/ssh.nix
View File

@@ -2,37 +2,62 @@ rec {
users = [ users = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVR/R3ZOsv7TZbICGBCHdjh1NDT8SnswUyINeJOC7QG" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVR/R3ZOsv7TZbICGBCHdjh1NDT8SnswUyINeJOC7QG"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0dcqL/FhHmv+a1iz3f9LJ48xubO7MZHy35rW9SZOYM" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0dcqL/FhHmv+a1iz3f9LJ48xubO7MZHy35rW9SZOYM"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO0VFnn3+Mh0nWeN92jov81qNE9fpzTAHYBphNoY7HUx" # reg
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHSkKiRUUmnErOKGx81nyge/9KqjkPh8BfDk0D3oP586" # nat "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHSkKiRUUmnErOKGx81nyge/9KqjkPh8BfDk0D3oP586" # nat
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFeTK1iARlNIKP/DS8/ObBm9yUM/3L1Ub4XI5A2r9OzP" # ray "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFeTK1iARlNIKP/DS8/ObBm9yUM/3L1Ub4XI5A2r9OzP" # ray
] ++ higherTrustUserKeys; ];
system = { system = {
liza = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDY/pNyWedEfU7Tq9ikGbriRuF1ZWkHhegGS17L0Vcdl";
ponyo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMBBlTAIp38RhErU1wNNV5MBeb+WGH0mhF/dxh5RsAXN"; ponyo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMBBlTAIp38RhErU1wNNV5MBeb+WGH0mhF/dxh5RsAXN";
ponyo-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC9LQuuImgWlkjDhEEIbM1wOd+HqRv1RxvYZuLXPSdRi"; ponyo-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC9LQuuImgWlkjDhEEIbM1wOd+HqRv1RxvYZuLXPSdRi";
ray = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQM8hwKRgl8cZj7UVYATSLYu4LhG7I0WFJ9m2iWowiB"; ray = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQM8hwKRgl8cZj7UVYATSLYu4LhG7I0WFJ9m2iWowiB";
router = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFr2IHmWFlaLaLp5dGoSmFEYKA/eg2SwGXAogaOmLsHL";
router-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOw5dTPmtKqiPBH6VKyz5MYBubn8leAh5Eaw7s/O85c";
s0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q"; s0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";
s0-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNiceeFMos5ZXcYem4yFxh8PiZNNnuvhlyLbQLrgIZH"; n1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPWlhd1Oid5Xf2zdcBrcdrR0TlhObutwcJ8piobRTpRt";
n2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ7bRiRutnI7Bmyt/I238E3Fp5DqiClIXiVibsccipOr";
n3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+rJEaRrFDGirQC2UoWQkmpzLg4qgTjGJgVqiipWiU5";
n4 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINYm2ROIfCeGz6QtDwqAmcj2DX9tq2CZn0eLhskdvB4Z";
n5 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5Qhvwq3PiHEKf+2/4w5ZJkSMNzFLhIRrPOR98m7wW4";
n6 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID/P/pa9+qhKAPfvvd8xSO2komJqDW0M1nCK7ZrP6PO7";
n7 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPtOlOvTlMX2mxPaXDJ6VlMe5rmroUXpKmJVNxgV32xL";
}; };
higherTrustUserKeys = [
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEaGIwLiUa6wQLlEF+keQOIYy/tCmJvV6eENzUQjSqW2AAAABHNzaDo=" # ray fido
];
# groups # groups
systems = with system; [ systems = with system; [
liza
ponyo ponyo
ray ray
router
s0 s0
n1
n2
n3
n4
n5
n6
n7
]; ];
personal = with system; [ personal = with system; [
ray ray
]; ];
servers = with system; [ servers = with system; [
liza
ponyo ponyo
router
s0 s0
n1
n2
n3
n4
n5
n6
n7
];
compute = with system; [
n1
n2
n3
n4
n5
n6
n7
]; ];
storage = with system; [ storage = with system; [
s0 s0

70
flake.lock generated
View File

@@ -105,31 +105,6 @@
"type": "github" "type": "github"
} }
}, },
"deploy-rs": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": [
"nixpkgs"
],
"utils": [
"simple-nixos-mailserver",
"utils"
]
},
"locked": {
"lastModified": 1674127017,
"narHash": "sha256-QO1xF7stu5ZMDLbHN30LFolMAwY6TVlzYvQoUs1RD68=",
"owner": "serokell",
"repo": "deploy-rs",
"rev": "8c9ea9605eed20528bf60fae35a2b613b901fd77",
"type": "github"
},
"original": {
"owner": "serokell",
"repo": "deploy-rs",
"type": "github"
}
},
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
@@ -161,38 +136,39 @@
"type": "github" "type": "github"
} }
}, },
"nix-index-database": { "nix-locate": {
"inputs": { "inputs": {
"flake-compat": "flake-compat",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
] ]
}, },
"locked": { "locked": {
"lastModified": 1677382901, "lastModified": 1673969751,
"narHash": "sha256-2idFWlTVG+qUZkU2/W50amGSIxmN56igIkMAXKbv4S4=", "narHash": "sha256-U6aYz3lqZ4NVEGEWiti1i0FyqEo4bUjnTAnA73DPnNU=",
"owner": "Mic92", "owner": "bennofs",
"repo": "nix-index-database", "repo": "nix-index",
"rev": "4306fa7c12e098360439faac1a2e6b8e509ec97c", "rev": "5f98881b1ed27ab6656e6d71b534f88430f6823a",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "Mic92", "owner": "bennofs",
"repo": "nix-index-database", "repo": "nix-index",
"type": "github" "type": "github"
} }
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1677823547, "lastModified": 1672580127,
"narHash": "sha256-xD2qco8Pw8HAXgjf9OSi2H2N20WaTrtvgcl21525kVE=", "narHash": "sha256-3lW3xZslREhJogoOkjeZtlBtvFMyxHku7I/9IVehhT8=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "78c4d33c16092e535bc4ba1284ba49e3e138483a", "rev": "0874168639713f547c05947c76124f78441ea46c",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "master", "ref": "nixos-22.05",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@@ -212,6 +188,22 @@
"type": "indirect" "type": "indirect"
} }
}, },
"nixpkgs-unstable": {
"locked": {
"lastModified": 1675835843,
"narHash": "sha256-y1dSCQPcof4CWzRYRqDj4qZzbBl+raVPAko5Prdil28=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "32f914af34f126f54b45e482fb2da4ae78f3095f",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "master",
"repo": "nixpkgs",
"type": "github"
}
},
"radio": { "radio": {
"inputs": { "inputs": {
"flake-utils": [ "flake-utils": [
@@ -258,10 +250,10 @@
"agenix": "agenix", "agenix": "agenix",
"archivebox": "archivebox", "archivebox": "archivebox",
"dailybuild_modules": "dailybuild_modules", "dailybuild_modules": "dailybuild_modules",
"deploy-rs": "deploy-rs",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"nix-index-database": "nix-index-database", "nix-locate": "nix-locate",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable",
"radio": "radio", "radio": "radio",
"radio-web": "radio-web", "radio-web": "radio-web",
"simple-nixos-mailserver": "simple-nixos-mailserver" "simple-nixos-mailserver": "simple-nixos-mailserver"

78
flake.nix
View File

@@ -1,11 +1,13 @@
{ {
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/master"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.05";
# nixpkgs-patch-howdy.url = "https://github.com/NixOS/nixpkgs/pull/216245.diff"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/master";
# nixpkgs-patch-howdy.flake = false;
flake-utils.url = "github:numtide/flake-utils"; flake-utils.url = "github:numtide/flake-utils";
nix-locate.url = "github:bennofs/nix-index";
nix-locate.inputs.nixpkgs.follows = "nixpkgs";
# mail server # mail server
simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-22.05"; simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-22.05";
simple-nixos-mailserver.inputs.nixpkgs.follows = "nixpkgs"; simple-nixos-mailserver.inputs.nixpkgs.follows = "nixpkgs";
@@ -30,31 +32,21 @@
archivebox.url = "git+https://git.neet.dev/zuckerberg/archivebox.git"; archivebox.url = "git+https://git.neet.dev/zuckerberg/archivebox.git";
archivebox.inputs.nixpkgs.follows = "nixpkgs"; archivebox.inputs.nixpkgs.follows = "nixpkgs";
archivebox.inputs.flake-utils.follows = "flake-utils"; archivebox.inputs.flake-utils.follows = "flake-utils";
# nixos config deployment
deploy-rs.url = "github:serokell/deploy-rs";
deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
deploy-rs.inputs.utils.follows = "simple-nixos-mailserver/utils";
# prebuilt nix-index database
nix-index-database.url = "github:Mic92/nix-index-database";
nix-index-database.inputs.nixpkgs.follows = "nixpkgs";
}; };
outputs = { self, nixpkgs, ... }@inputs: { outputs = { self, nixpkgs, nixpkgs-unstable, ... }@inputs: {
nixosConfigurations = nixosConfigurations =
let let
modules = system: with inputs; [ modules = system: [
./common ./common
simple-nixos-mailserver.nixosModule inputs.simple-nixos-mailserver.nixosModule
agenix.nixosModules.default inputs.agenix.nixosModules.default
dailybuild_modules.nixosModule inputs.dailybuild_modules.nixosModule
archivebox.nixosModule inputs.archivebox.nixosModule
nix-index-database.nixosModules.nix-index
({ lib, ... }: { ({ lib, ... }: {
config.environment.systemPackages = [ config.environment.systemPackages = [
agenix.packages.${system}.agenix inputs.agenix.packages.${system}.agenix
]; ];
# because nixos specialArgs doesn't work for containers... need to pass in inputs a different way # because nixos specialArgs doesn't work for containers... need to pass in inputs a different way
@@ -66,18 +58,7 @@
mkSystem = system: nixpkgs: path: mkSystem = system: nixpkgs: path:
let let
allModules = modules system; allModules = modules system;
in nixpkgs.lib.nixosSystem {
# allow patching nixpkgs, remove this hack once this is solved: https://github.com/NixOS/nix/issues/3920
patchedNixpkgsSrc = nixpkgs.legacyPackages.${system}.applyPatches {
name = "nixpkgs-patched";
src = nixpkgs;
patches = [
# inputs.nixpkgs-patch-howdy
];
};
patchedNixpkgs = nixpkgs.lib.fix (self: (import "${patchedNixpkgsSrc}/flake.nix").outputs { self=nixpkgs; });
in patchedNixpkgs.lib.nixosSystem {
inherit system; inherit system;
modules = allModules ++ [path]; modules = allModules ++ [path];
@@ -87,11 +68,19 @@
}; };
in in
{ {
"ray" = mkSystem "x86_64-linux" nixpkgs ./machines/ray/configuration.nix; "reg" = mkSystem "x86_64-linux" nixpkgs ./machines/reg/configuration.nix;
# "nat" = mkSystem "aarch64-linux" nixpkgs ./machines/nat/configuration.nix; "ray" = mkSystem "x86_64-linux" nixpkgs-unstable ./machines/ray/configuration.nix;
"nat" = mkSystem "aarch64-linux" nixpkgs ./machines/nat/configuration.nix;
"liza" = mkSystem "x86_64-linux" nixpkgs ./machines/liza/configuration.nix;
"ponyo" = mkSystem "x86_64-linux" nixpkgs ./machines/ponyo/configuration.nix; "ponyo" = mkSystem "x86_64-linux" nixpkgs ./machines/ponyo/configuration.nix;
"router" = mkSystem "x86_64-linux" nixpkgs ./machines/router/configuration.nix; "s0" = mkSystem "aarch64-linux" nixpkgs-unstable ./machines/storage/s0/configuration.nix;
"s0" = mkSystem "x86_64-linux" nixpkgs ./machines/storage/s0/configuration.nix; "n1" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n1/configuration.nix;
"n2" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n2/configuration.nix;
"n3" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n3/configuration.nix;
"n4" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n4/configuration.nix;
"n5" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n5/configuration.nix;
"n6" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n6/configuration.nix;
"n7" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n7/configuration.nix;
}; };
packages = let packages = let
@@ -111,22 +100,5 @@
"aarch64-linux"."kexec" = mkKexec "aarch64-linux"; "aarch64-linux"."kexec" = mkKexec "aarch64-linux";
"aarch64-linux"."iso" = mkIso "aarch64-linux"; "aarch64-linux"."iso" = mkIso "aarch64-linux";
}; };
deploy.nodes =
let
mkDeploy = configName: hostname: {
inherit hostname;
magicRollback = false;
sshUser = "root";
profiles.system.path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.${configName};
};
in {
s0 = mkDeploy "s0" "s0";
router = mkDeploy "router" "192.168.1.228";
ponyo = mkDeploy "ponyo" "ponyo.neet.dev";
};
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;
}; };
} }

24
machines/compute/common.nix Normal file
View File

@@ -0,0 +1,24 @@
{ config, ... }:
{
# NixOS wants to enable GRUB by default
boot.loader.grub.enable = false;
# Enables the generation of /boot/extlinux/extlinux.conf
boot.loader.generic-extlinux-compatible.enable = true;
fileSystems = {
"/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
};
};
system.autoUpgrade.enable = true;
networking.interfaces.eth0.useDHCP = true;
hardware.deviceTree.enable = true;
hardware.deviceTree.overlays = [
./sopine-baseboard-ethernet.dtbo # fix pine64 clusterboard ethernet
];
}

9
machines/compute/n1/configuration.nix Normal file
View File

@@ -0,0 +1,9 @@
{ config, ... }:
{
imports = [
../common.nix
];
networking.hostName = "n1";
}

9
machines/compute/n2/configuration.nix Normal file
View File

@@ -0,0 +1,9 @@
{ config, ... }:
{
imports = [
../common.nix
];
networking.hostName = "n2";
}

9
machines/compute/n3/configuration.nix Normal file
View File

@@ -0,0 +1,9 @@
{ config, ... }:
{
imports = [
../common.nix
];
networking.hostName = "n3";
}

9
machines/compute/n4/configuration.nix Normal file
View File

@@ -0,0 +1,9 @@
{ config, ... }:
{
imports = [
../common.nix
];
networking.hostName = "n4";
}

9
machines/compute/n5/configuration.nix Normal file
View File

@@ -0,0 +1,9 @@
{ config, ... }:
{
imports = [
../common.nix
];
networking.hostName = "n5";
}

9
machines/compute/n6/configuration.nix Normal file
View File

@@ -0,0 +1,9 @@
{ config, ... }:
{
imports = [
../common.nix
];
networking.hostName = "n6";
}

9
machines/compute/n7/configuration.nix Normal file
View File

@@ -0,0 +1,9 @@
{ config, ... }:
{
imports = [
../common.nix
];
networking.hostName = "n7";
}

BIN
machines/compute/sopine-baseboard-ethernet.dtbo Normal file
View File

Binary file not shown.

15
machines/compute/sopine-baseboard-ethernet.dts Normal file
View File

@@ -0,0 +1,15 @@
/dts-v1/;
/ {
model = "SoPine with baseboard";
compatible = "pine64,sopine-baseboard\0pine64,sopine\0allwinner,sun50i-a64";
fragment@0 {
/* target = <&ethernet@1c30000>; */
target-path = "/soc/ethernet@1c30000";
__overlay__ {
allwinner,tx-delay-ps = <500>;
};
};
};

23
machines/ephemeral/minimal.nix
View File

@@ -1,35 +1,18 @@
{ pkgs, modulesPath, ... }: { pkgs, ... }:
{ {
imports = [
(modulesPath + "/installer/cd-dvd/channel.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "e1000" "e1000e" "virtio_pci" "r8169" ]; boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "e1000" "e1000e" "virtio_pci" "r8169" ];
boot.kernelParams = [ boot.kernelParams = [
"panic=30" "boot.panic_on_fail" # reboot the machine upon fatal boot issues "panic=30" "boot.panic_on_fail" # reboot the machine upon fatal boot issues
"console=ttyS0,115200" # enable serial console "console=ttyS0" # enable serial console
"console=tty1" "console=tty1"
]; ];
boot.kernel.sysctl."vm.overcommit_memory" = "1"; boot.kernel.sysctl."vm.overcommit_memory" = "1";
boot.kernelPackages = pkgs.linuxPackages_latest;
# hardware.enableAllFirmware = true;
# nixpkgs.config.allowUnfree = true;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
cryptsetup cryptsetup
btrfs-progs btrfs-progs
git git-lfs
wget
htop
dnsutils
pciutils
usbutils
lm_sensors
]; ];
environment.variables.GC_INITIAL_HEAP_SIZE = "1M"; environment.variables.GC_INITIAL_HEAP_SIZE = "1M";
networking.useDHCP = true; networking.useDHCP = true;
@@ -41,5 +24,5 @@
}; };
services.getty.autologinUser = "root"; services.getty.autologinUser = "root";
users.users.root.openssh.authorizedKeys.keys = (import ../../common/ssh.nix).users; users.users.root.openssh.authorizedKeys.keys = (import ../common/ssh.nix).users;
} }

110
machines/liza/configuration.nix Normal file
View File

@@ -0,0 +1,110 @@
{ config, pkgs, lib, ... }:
{
imports =[
./hardware-configuration.nix
];
# 5synsrjgvfzywruomjsfvfwhhlgxqhyofkzeqt2eisyijvjvebnu2xyd.onion
firmware.x86_64.enable = true;
bios = {
enable = true;
device = "/dev/sda";
};
luks = {
enable = true;
device.path = "/dev/disk/by-uuid/2f736fba-8a0c-4fb5-8041-c849fb5e1297";
};
system.autoUpgrade.enable = true;
networking.hostName = "liza";
networking.interfaces.enp1s0.useDHCP = true;
mailserver = {
enable = true;
fqdn = "mail.neet.dev";
dkimKeyBits = 2048;
indexDir = "/var/lib/mailindex";
enableManageSieve = true;
fullTextSearch.enable = true;
fullTextSearch.indexAttachments = true;
fullTextSearch.memoryLimit = 500;
domains = [
"neet.space" "neet.dev" "neet.cloud"
"runyan.org" "runyan.rocks"
"thunderhex.com" "tar.ninja"
"bsd.ninja" "bsd.rocks"
];
loginAccounts = {
"jeremy@runyan.org" = {
hashedPasswordFile = "/run/agenix/email-pw";
aliases = [
"@neet.space" "@neet.cloud" "@neet.dev"
"@runyan.org" "@runyan.rocks"
"@thunderhex.com" "@tar.ninja"
"@bsd.ninja" "@bsd.rocks"
];
};
};
rejectRecipients = [
"george@runyan.org"
"joslyn@runyan.org"
"damon@runyan.org"
"jonas@runyan.org"
];
certificateScheme = 3; # use let's encrypt for certs
};
age.secrets.email-pw.file = ../../secrets/email-pw.age;
# sendmail to use xxx@domain instead of xxx@mail.domain
services.postfix.origin = "$mydomain";
# relay sent mail through mailgun
# https://www.howtoforge.com/community/threads/different-smtp-relays-for-different-domains-in-postfix.82711/#post-392620
services.postfix.config = {
smtp_sasl_auth_enable = "yes";
smtp_sasl_security_options = "noanonymous";
smtp_sasl_password_maps = "hash:/var/lib/postfix/conf/sasl_relay_passwd";
smtp_use_tls = "yes";
sender_dependent_relayhost_maps = "hash:/var/lib/postfix/conf/sender_relay";
smtp_sender_dependent_authentication = "yes";
};
services.postfix.mapFiles.sender_relay = let
relayHost = "[smtp.mailgun.org]:587";
in pkgs.writeText "sender_relay" ''
@neet.space ${relayHost}
@neet.cloud ${relayHost}
@neet.dev ${relayHost}
@runyan.org ${relayHost}
@runyan.rocks ${relayHost}
@thunderhex.com ${relayHost}
@tar.ninja ${relayHost}
@bsd.ninja ${relayHost}
@bsd.rocks ${relayHost}
'';
services.postfix.mapFiles.sasl_relay_passwd = "/run/agenix/sasl_relay_passwd";
age.secrets.sasl_relay_passwd.file = ../../secrets/sasl_relay_passwd.age;
services.nextcloud = {
enable = true;
https = true;
package = pkgs.nextcloud22;
hostName = "neet.cloud";
config.dbtype = "sqlite";
config.adminuser = "jeremy";
config.adminpassFile = "/run/agenix/nextcloud-pw";
autoUpdateApps.enable = true;
};
age.secrets.nextcloud-pw = {
file = ../../secrets/nextcloud-pw.age;
owner = "nextcloud";
};
services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
enableACME = true;
forceSSL = true;
};
}

36
machines/liza/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,36 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "floppy" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/b90eaf3c-2f91-499a-a066-861e0f4478df";
fsType = "btrfs";
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/b90eaf3c-2f91-499a-a066-861e0f4478df";
fsType = "btrfs";
options = [ "subvol=home" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/2b8f6f6d-9358-4d30-8341-7426574e0819";
fsType = "ext3";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/ef7a83db-4b33-41d1-85fc-cff69e480352"; }
];
}

2
machines/nat/configuration.nix
View File

@@ -10,6 +10,8 @@
networking.hostName = "nat"; networking.hostName = "nat";
networking.interfaces.ens160.useDHCP = true; networking.interfaces.ens160.useDHCP = true;
services.zerotierone.enable = true;
de.enable = true; de.enable = true;
de.touchpad.enable = true; de.touchpad.enable = true;
} }

82
machines/ponyo/configuration.nix
View File

@@ -7,24 +7,27 @@
networking.hostName = "ponyo"; networking.hostName = "ponyo";
firmware.x86_64.enable = true;
bios = {
enable = true;
device = "/dev/sda";
};
luks = {
enable = true;
device.path = "/dev/disk/by-uuid/4cc36be4-dbff-4afe-927d-69bf4637bae2";
};
system.autoUpgrade.enable = true; system.autoUpgrade.enable = true;
# p2p mesh network services.zerotierone.enable = true;
services.tailscale.exitNode = true;
# email server
mailserver.enable = true;
# nextcloud
services.nextcloud.enable = true;
# git
services.gitea = { services.gitea = {
enable = true; enable = true;
hostname = "git.neet.dev"; hostname = "git.neet.dev";
disableRegistration = true;
}; };
# IRC
services.thelounge = { services.thelounge = {
enable = true; enable = true;
port = 9000; port = 9000;
@@ -36,14 +39,12 @@
}; };
}; };
# mumble
services.murmur = { services.murmur = {
enable = true; enable = true;
port = 23563; port = 23563;
domain = "voice.neet.space"; domain = "voice.neet.space";
}; };
# IRC bot
services.drastikbot = { services.drastikbot = {
enable = true; enable = true;
wolframAppIdFile = "/run/agenix/wolframalpha"; wolframAppIdFile = "/run/agenix/wolframalpha";
@@ -53,7 +54,7 @@
owner = config.services.drastikbot.user; owner = config.services.drastikbot.user;
}; };
# music radio # wrap radio in a VPN
vpn-container.enable = true; vpn-container.enable = true;
vpn-container.config = { vpn-container.config = {
services.radio = { services.radio = {
@@ -61,7 +62,11 @@
host = "radio.runyan.org"; host = "radio.runyan.org";
}; };
}; };
pia.wireguard.badPortForwardPorts = [];
# tailscale
services.tailscale.exitNode = true;
# icecast endpoint + website
services.nginx.virtualHosts."radio.runyan.org" = { services.nginx.virtualHosts."radio.runyan.org" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
@@ -76,7 +81,6 @@
}; };
}; };
# matrix home server
services.matrix = { services.matrix = {
enable = true; enable = true;
host = "neet.space"; host = "neet.space";
@@ -94,36 +98,67 @@
secret = "a8369a0e96922abf72494bb888c85831b"; secret = "a8369a0e96922abf72494bb888c85831b";
}; };
}; };
# pin postgresql for matrix (will need to migrate eventually)
services.postgresql.package = pkgs.postgresql_11; services.postgresql.package = pkgs.postgresql_11;
# iodine DNS-based vpn services.searx = {
services.iodine.server.enable = true; enable = true;
environmentFile = "/run/agenix/searx";
settings = {
server.port = 43254;
server.secret_key = "@SEARX_SECRET_KEY@";
engines = [ {
name = "wolframalpha";
shortcut = "wa";
api_key = "@WOLFRAM_API_KEY@";
engine = "wolframalpha_api";
} ];
};
};
services.nginx.virtualHosts."search.neet.space" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${toString config.services.searx.settings.server.port}";
};
};
age.secrets.searx.file = ../../secrets/searx.age;
# iodine DNS-based vpn
services.iodine.server = {
enable = true;
ip = "192.168.99.1";
domain = "tun.neet.dev";
passwordFile = "/run/agenix/iodine";
};
age.secrets.iodine.file = ../../secrets/iodine.age;
networking.firewall.allowedUDPPorts = [ 53 ];
networking.nat.internalInterfaces = [
"dns0" # iodine
];
# proxied web services
services.nginx.enable = true; services.nginx.enable = true;
services.nginx.virtualHosts."jellyfin.neet.cloud" = { services.nginx.virtualHosts."jellyfin.neet.cloud" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {
proxyPass = "http://s0.koi-bebop.ts.net"; proxyPass = "http://s0.zt.neet.dev";
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };
services.nginx.virtualHosts."navidrome.neet.cloud" = { services.nginx.virtualHosts."navidrome.neet.cloud" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/".proxyPass = "http://s0.koi-bebop.ts.net:4533"; locations."/".proxyPass = "http://s0.zt.neet.dev:4533";
}; };
# TODO replace with a proper file hosting service
services.nginx.virtualHosts."tmp.neet.dev" = { services.nginx.virtualHosts."tmp.neet.dev" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
root = "/var/www/tmp"; root = "/var/www/tmp";
}; };
# redirect runyan.org to github # redirect to github
services.nginx.virtualHosts."runyan.org" = { services.nginx.virtualHosts."runyan.org" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
@@ -132,7 +167,6 @@
''; '';
}; };
# owncast live streaming
services.owncast.enable = true; services.owncast.enable = true;
services.owncast.hostname = "live.neet.dev"; services.owncast.hostname = "live.neet.dev";
} }

19
machines/ponyo/hardware-configuration.nix
View File

@@ -10,17 +10,6 @@
boot.kernelModules = [ "kvm-intel" "nvme" ]; boot.kernelModules = [ "kvm-intel" "nvme" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
firmware.x86_64.enable = true;
bios = {
enable = true;
device = "/dev/sda";
};
remoteLuksUnlock.enable = true;
boot.initrd.luks.devices."enc-pv".device = "/dev/disk/by-uuid/4cc36be4-dbff-4afe-927d-69bf4637bae2";
boot.initrd.luks.devices."enc-pv2".device = "/dev/disk/by-uuid/e52b01b3-81c8-4bb2-ae7e-a3d9c793cb00"; # expanded disk
fileSystems."/" = fileSystems."/" =
{ device = "/dev/mapper/enc-pv"; { device = "/dev/mapper/enc-pv";
fsType = "btrfs"; fsType = "btrfs";
@@ -38,5 +27,11 @@
} }
]; ];
networking.interfaces.eth0.useDHCP = true; # The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = lib.mkDefault false;
networking.interfaces.eth0.useDHCP = lib.mkDefault true;
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
} }

0
common/network/ca.rsa.4096.crt → machines/ray/ca.rsa.4096.crt
View File

101
machines/ray/configuration.nix
View File

@@ -5,24 +5,37 @@
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
firmware.x86_64.enable = true;
efi.enable = true;
boot.initrd.luks.devices."enc-pv" = {
device = "/dev/disk/by-uuid/c1822e5f-4137-44e1-885f-954e926583ce";
allowDiscards = true;
};
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
networking.hostName = "ray"; networking.hostName = "ray";
# for luks onlock over tor hardware.enableAllFirmware = true;
services.tor.enable = true;
services.tor.client.enable = true;
# services.howdy.enable = true;
hardware.openrazer.enable = true;
hardware.openrazer.users = [ "googlebot" ];
hardware.openrazer.devicesOffOnScreensaver = false;
users.users.googlebot.packages = [ pkgs.polychromatic ];
# depthai # depthai
services.udev.extraRules = '' services.udev.extraRules = ''
SUBSYSTEM=="usb", ATTRS{idVendor}=="03e7", MODE="0666" SUBSYSTEM=="usb", ATTRS{idVendor}=="03e7", MODE="0666"
''; '';
# gpu
services.xserver.videoDrivers = [ "nvidia" ];
hardware.nvidia = {
modesetting.enable = true; # for nvidia-vaapi-driver
prime = {
reverseSync.enable = true;
offload.enableOffloadCmd = true;
nvidiaBusId = "PCI:1:0:0";
amdgpuBusId = "PCI:4:0:0";
};
};
# virt-manager # virt-manager
virtualisation.libvirtd.enable = true; virtualisation.libvirtd.enable = true;
programs.dconf.enable = true; programs.dconf.enable = true;
@@ -30,13 +43,75 @@
environment.systemPackages = with pkgs; [ virt-manager ]; environment.systemPackages = with pkgs; [ virt-manager ];
users.users.googlebot.extraGroups = [ "libvirtd" ]; users.users.googlebot.extraGroups = [ "libvirtd" ];
# allow building ARM derivations # vpn-container.enable = true;
boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; # containers.vpn.interfaces = [ "piaw" ];
services.spotifyd.enable = true; # allow traffic for wireguard interface to pass
# networking.firewall = {
# # wireguard trips rpfilter up
# extraCommands = ''
# ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN
# ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN
# '';
# extraStopCommands = ''
# ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN || true
# ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN || true
# '';
# };
# systemd.services.pia-vpn-wireguard = {
# enable = true;
# description = "PIA VPN WireGuard Tunnel";
# requires = [ "network-online.target" ];
# after = [ "network.target" "network-online.target" ];
# wantedBy = [ "multi-user.target" ];
# environment.DEVICE = "piaw";
# path = with pkgs; [ kmod wireguard-tools jq curl ];
# serviceConfig = {
# Type = "oneshot";
# RemainAfterExit = true;
# };
# script = ''
# WG_HOSTNAME=zurich406
# WG_SERVER_IP=156.146.62.153
# PIA_USER=`sed '1q;d' /run/agenix/pia-login.conf`
# PIA_PASS=`sed '2q;d' /run/agenix/pia-login.conf`
# PIA_TOKEN=`curl -s -u "$PIA_USER:$PIA_PASS" https://www.privateinternetaccess.com/gtoken/generateToken | jq -r '.token'`
# privKey=$(wg genkey)
# pubKey=$(echo "$privKey" | wg pubkey)
# wireguard_json=`curl -s -G --connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" --cacert "${./ca.rsa.4096.crt}" --data-urlencode "pt=$PIA_TOKEN" --data-urlencode "pubkey=$pubKey" https://$WG_HOSTNAME:1337/addKey`
# echo "
# [Interface]
# Address = $(echo "$wireguard_json" | jq -r '.peer_ip')
# PrivateKey = $privKey
# ListenPort = 51820
# [Peer]
# PersistentKeepalive = 25
# PublicKey = $(echo "$wireguard_json" | jq -r '.server_key')
# AllowedIPs = 0.0.0.0/0
# Endpoint = $WG_SERVER_IP:$(echo "$wireguard_json" | jq -r '.server_port')
# " > /tmp/piaw.conf
# # TODO make /tmp/piaw.conf ro to root
# ${lib.optionalString (!config.boot.isContainer) "modprobe wireguard"}
# wg-quick up /tmp/piaw.conf
# '';
# preStop = ''
# wg-quick down /tmp/piaw.conf
# '';
# };
# age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
virtualisation.docker.enable = true; virtualisation.docker.enable = true;
services.zerotierone.enable = true;
services.mount-samba.enable = true; services.mount-samba.enable = true;
de.enable = true; de.enable = true;

31
machines/ray/hardware-configuration.nix
View File

@@ -8,55 +8,34 @@
[ (modulesPath + "/installer/scan/not-detected.nix") [ (modulesPath + "/installer/scan/not-detected.nix")
]; ];
# boot
efi.enable = true;
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ]; boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ "dm-snapshot" ]; boot.initrd.kernelModules = [ "dm-snapshot" ];
# kernel
boot.kernelModules = [ "kvm-amd" ]; boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
# firmware
firmware.x86_64.enable = true;
hardware.enableAllFirmware = true;
# gpu
services.xserver.videoDrivers = [ "nvidia" ];
hardware.nvidia = {
modesetting.enable = true; # for nvidia-vaapi-driver
prime = {
reverseSync.enable = true;
offload.enableOffloadCmd = true;
nvidiaBusId = "PCI:1:0:0";
amdgpuBusId = "PCI:4:0:0";
};
};
# disks
remoteLuksUnlock.enable = true;
boot.initrd.luks.devices."enc-pv" = {
device = "/dev/disk/by-uuid/c1822e5f-4137-44e1-885f-954e926583ce";
allowDiscards = true;
};
fileSystems."/" = fileSystems."/" =
{ device = "/dev/vg/root"; { device = "/dev/vg/root";
fsType = "btrfs"; fsType = "btrfs";
options = [ "subvol=root" ]; options = [ "subvol=root" ];
}; };
fileSystems."/home" = fileSystems."/home" =
{ device = "/dev/vg/root"; { device = "/dev/vg/root";
fsType = "btrfs"; fsType = "btrfs";
options = [ "subvol=home" ]; options = [ "subvol=home" ];
}; };
fileSystems."/boot" = fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/2C85-2B59"; { device = "/dev/disk/by-uuid/2C85-2B59";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = swapDevices =
[ { device = "/dev/vg/swap"; } [ { device = "/dev/vg/swap"; }
]; ];
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# high-resolution display # high-resolution display
hardware.video.hidpi.enable = lib.mkDefault true; hardware.video.hidpi.enable = lib.mkDefault true;
} }

35
machines/reg/configuration.nix Normal file
View File

@@ -0,0 +1,35 @@
{ config, pkgs, fetchurl, ... }:
{
imports = [
./hardware-configuration.nix
];
# smcxui7kwoyxpswwage4fkcppxnqzpw33xcmxmlhxvk5gcp5s6lrtfad.onion
boot.kernelPackages = pkgs.linuxPackages_5_12;
firmware.x86_64.enable = true;
efi.enable = true;
luks = {
enable = true;
device = {
path = "/dev/disk/by-uuid/975d8427-2c6a-440d-a1d2-18dd15ba5bc2";
allowDiscards = true;
};
};
networking.hostName = "reg";
de.enable = true;
de.touchpad.enable = true;
services.zerotierone.enable = true;
# VNC
networking.firewall.allowedTCPPorts = [ 5900 ];
networking.interfaces.enp57s0f1.useDHCP = true;
}

38
machines/reg/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,38 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/b3a2906b-e9a5-45bd-aac5-960297437fe9";
fsType = "btrfs";
options = [ "subvol=root" "noatime" "nodiratime" "discard" ];
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/b3a2906b-e9a5-45bd-aac5-960297437fe9";
fsType = "btrfs";
options = [ "subvol=home" "noatime" "nodiratime" "discard" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/6C41-24A0";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/34ec322f-79c3-4993-a073-ef1da3c6ef51"; }
];
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
}

15
machines/router/configuration.nix
View File

@@ -1,15 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports = [
./hardware-configuration.nix
];
networking.hostName = "router";
system.autoUpgrade.enable = true;
services.tailscale.exitNode = true;
networking.useDHCP = lib.mkForce true;
}

49
machines/router/hardware-configuration.nix
View File

@@ -1,49 +0,0 @@
{ config, pkgs, ... }:
{
# kernel
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.initrd.availableKernelModules = [ "igb" "mt7915e" "xhci_pci" "ahci" "ehci_pci" "usb_storage" "sd_mod" "sdhci_pci" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
# Enable serial output
boot.kernelParams = [
"panic=30" "boot.panic_on_fail" # reboot the machine upon fatal boot issues
"console=ttyS0,115200n8" # enable serial console
];
boot.loader.grub.extraConfig = "
serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
terminal_input serial
terminal_output serial
";
# firmware
firmware.x86_64.enable = true;
hardware.enableAllFirmware = true;
nixpkgs.config.allowUnfree = true;
# boot
bios = {
enable = true;
device = "/dev/sda";
};
# disks
remoteLuksUnlock.enable = true;
boot.initrd.luks.devices."enc-pv".device = "/dev/disk/by-uuid/9b090551-f78e-45ca-8570-196ed6a4af0c";
fileSystems."/" =
{ device = "/dev/disk/by-uuid/421c82b9-d67c-4811-8824-8bb57cb10fce";
fsType = "btrfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/d97f324f-3a2e-4b84-ae2a-4b3d1209c689";
fsType = "ext3";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/45bf58dd-67eb-45e4-9a98-246e23fa7abd"; }
];
nixpkgs.hostPlatform = "x86_64-linux";
}

106
machines/storage/s0/configuration.nix
View File

@@ -2,48 +2,50 @@
{ {
imports =[ imports =[
./helios64
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
# nsw2zwifzyl42mbhabayjo42b2kkq3wd3dqyl6efxsz6pvmgm5cup5ad.onion
networking.hostName = "s0"; networking.hostName = "s0";
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
system.autoUpgrade.enable = true; system.autoUpgrade.enable = true;
services.iperf3.enable = true; boot.supportedFilesystems = [ "bcachefs" ];
services.iperf3.openFirewall = true;
# p2p mesh network services.zerotierone.enable = true;
services.tailscale.exitNode = true;
# for education purposes only # for education purposes only
services.pykms.enable = true; services.pykms.enable = true;
services.pykms.openFirewallPort = true; services.pykms.openFirewallPort = true;
# samba users.users.googlebot.packages = with pkgs; [
bcachefs-tools
];
services.samba.enable = true; services.samba.enable = true;
# disable suspend on lid close
services.logind.lidSwitch = "ignore";
# navidrome
services.navidrome = { services.navidrome = {
enable = true; enable = true;
settings = { settings = {
Address = "0.0.0.0"; Address = "0.0.0.0";
Port = 4533; Port = 4533;
MusicFolder = "/data/samba/Public/Media/Music"; MusicFolder = "/data/samba/Public/Plex/Music";
}; };
}; };
networking.firewall.allowedTCPPorts = [ config.services.navidrome.settings.Port ]; networking.firewall.allowedTCPPorts = [ config.services.navidrome.settings.Port ];
# allow access to transmisson data
users.users.googlebot.extraGroups = [ "transmission" ]; users.users.googlebot.extraGroups = [ "transmission" ];
users.groups.transmission.gid = config.ids.gids.transmission; users.groups.transmission.gid = config.ids.gids.transmission;
vpn-container.enable = true; vpn-container.enable = true;
vpn-container.mounts = [ vpn-container.mounts = [
"/var/lib" "/var/lib"
"/data/samba/Public" "/data/samba/Public/Plex"
]; ];
vpn-container.config = { vpn-container.config = {
# servarr services # servarr services
@@ -61,6 +63,9 @@
services.lidarr.user = "public_data"; services.lidarr.user = "public_data";
services.lidarr.group = "public_data"; services.lidarr.group = "public_data";
services.jellyfin.enable = true;
users.users.${config.services.jellyfin.user}.extraGroups = [ "public_data" ];
services.transmission = { services.transmission = {
enable = true; enable = true;
performanceNetParameters = true; performanceNetParameters = true;
@@ -70,7 +75,7 @@
/* directory settings */ /* directory settings */
# "watch-dir" = "/srv/storage/Transmission/To-Download"; # "watch-dir" = "/srv/storage/Transmission/To-Download";
# "watch-dir-enabled" = true; # "watch-dir-enabled" = true;
"download-dir" = "/data/samba/Public/Media/Transmission"; "download-dir" = "/data/samba/Public/Plex/Transmission";
"incomplete-dir" = "/var/lib/transmission/.incomplete"; "incomplete-dir" = "/var/lib/transmission/.incomplete";
"incomplete-dir-enabled" = true; "incomplete-dir-enabled" = true;
@@ -116,35 +121,10 @@
uid = 994; uid = 994;
}; };
}; };
pia.wireguard.badPortForwardPorts = [
9696 # prowlarr
8989 # sonarr
6767 # bazarr
7878 # radarr
8686 # lidarr
9091 # transmission web
];
# jellyfin # unpackerr
# jellyfin cannot run in the vpn container and use hardware encoding # flaresolverr
# I could not figure out how to allow the container to access the encoder
services.jellyfin.enable = true;
users.users.${config.services.jellyfin.user}.extraGroups = [ "public_data" ];
nixpkgs.config.packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
};
hardware.opengl = {
enable = true;
extraPackages = with pkgs; [
intel-media-driver
vaapiIntel
vaapiVdpau
libvdpau-va-gl
intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
];
};
# nginx
services.nginx.enable = true; services.nginx.enable = true;
services.nginx.virtualHosts."bazarr.s0".locations."/".proxyPass = "http://vpn.containers:6767"; services.nginx.virtualHosts."bazarr.s0".locations."/".proxyPass = "http://vpn.containers:6767";
services.nginx.virtualHosts."radarr.s0".locations."/".proxyPass = "http://vpn.containers:7878"; services.nginx.virtualHosts."radarr.s0".locations."/".proxyPass = "http://vpn.containers:7878";
@@ -153,15 +133,57 @@
services.nginx.virtualHosts."prowlarr.s0".locations."/".proxyPass = "http://vpn.containers:9696"; services.nginx.virtualHosts."prowlarr.s0".locations."/".proxyPass = "http://vpn.containers:9696";
services.nginx.virtualHosts."music.s0".locations."/".proxyPass = "http://localhost:4533"; services.nginx.virtualHosts."music.s0".locations."/".proxyPass = "http://localhost:4533";
services.nginx.virtualHosts."jellyfin.s0".locations."/" = { services.nginx.virtualHosts."jellyfin.s0".locations."/" = {
proxyPass = "http://localhost:8096"; proxyPass = "http://vpn.containers:8096";
proxyWebsockets = true; proxyWebsockets = true;
}; };
services.nginx.virtualHosts."jellyfin.neet.cloud".locations."/" = { services.nginx.virtualHosts."jellyfin.neet.cloud".locations."/" = {
proxyPass = "http://localhost:8096"; proxyPass = "http://vpn.containers:8096";
proxyWebsockets = true; proxyWebsockets = true;
}; };
services.nginx.virtualHosts."transmission.s0".locations."/" = { services.nginx.virtualHosts."transmission.s0".locations."/" = {
proxyPass = "http://vpn.containers:9091"; proxyPass = "http://vpn.containers:9091";
proxyWebsockets = true; proxyWebsockets = true;
}; };
# tailscale
services.tailscale.exitNode = true;
nixpkgs.overlays = [
(final: prev: {
radarr = prev.radarr.overrideAttrs (old: rec {
installPhase = ''
runHook preInstall
mkdir -p $out/{bin,share/${old.pname}-${old.version}}
cp -r * $out/share/${old.pname}-${old.version}/.
makeWrapper "${final.dotnet-runtime}/bin/dotnet" $out/bin/Radarr \
--add-flags "$out/share/${old.pname}-${old.version}/Radarr.dll" \
--prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [
final.curl final.sqlite final.libmediainfo final.mono final.openssl final.icu final.zlib ]}
runHook postInstall
'';
});
prowlarr = prev.prowlarr.overrideAttrs (old: {
installPhase = ''
runHook preInstall
mkdir -p $out/{bin,share/${old.pname}-${old.version}}
cp -r * $out/share/${old.pname}-${old.version}/.
makeWrapper "${final.dotnet-runtime}/bin/dotnet" $out/bin/Prowlarr \
--add-flags "$out/share/${old.pname}-${old.version}/Prowlarr.dll" \
--prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [
final.curl final.sqlite final.libmediainfo final.mono final.openssl final.icu final.zlib ]}
runHook postInstall
'';
});
pykms = prev.pykms.overrideAttrs (old: {
src = pkgs.fetchFromGitHub {
owner = "Py-KMS-Organization";
repo = "py-kms";
rev = "7bea3a2cb03c4c3666ff41185ace9f7ea2a07b99";
sha256 = "90DqMqPjfqfyRq86UzG9B/TjY+yclJBlggw+eIDgRe0=";
};
});
})
];
} }

81
machines/storage/s0/hardware-configuration.nix
View File

@@ -1,3 +1,6 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
{ {
@@ -5,59 +8,51 @@
[ (modulesPath + "/installer/scan/not-detected.nix") [ (modulesPath + "/installer/scan/not-detected.nix")
]; ];
# boot boot.initrd.availableKernelModules = [
efi.enable = true; "ahci"
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "uas" "sd_mod" "rtsx_pci_sdmmc" ]; "usb_storage"
"bcache"
];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
# firmware boot.initrd.luks.devices."enc-pv1" = {
firmware.x86_64.enable = true; device = "/dev/disk/by-uuid/e3b588b6-d07f-4221-a194-e1e900299752";
allowDiscards = true; # SSD
### disks ### };
boot.initrd.luks.devices."enc-pv2".device = "/dev/disk/by-uuid/514231c1-5934-401f-80e1-e3b6b62dc9d5";
# zfs boot.initrd.luks.devices."enc-pv3".device = "/dev/disk/by-uuid/f45abe73-d0c6-446f-b28c-7a96a3f87851";
networking.hostId = "5e6791f0";
boot.supportedFilesystems = [ "zfs" ];
boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
# luks
remoteLuksUnlock.enable = true;
boot.initrd.luks.devices."enc-pv1".device = "/dev/disk/by-uuid/d52e99a9-8825-4d0a-afc1-8edbef7e0a86";
boot.initrd.luks.devices."enc-pv2".device = "/dev/disk/by-uuid/f7275585-7760-4230-97de-36704b9a2aa3";
boot.initrd.luks.devices."enc-pv3".device = "/dev/disk/by-uuid/5d1002b8-a0ed-4a1c-99f5-24b8816d9e38";
boot.initrd.luks.devices."enc-pv4".device = "/dev/disk/by-uuid/e2c7402a-e72c-4c4a-998f-82e4c10187bc"; boot.initrd.luks.devices."enc-pv4".device = "/dev/disk/by-uuid/e2c7402a-e72c-4c4a-998f-82e4c10187bc";
boot.initrd.luks.devices."enc-pv5".device = "/dev/disk/by-uuid/5d1002b8-a0ed-4a1c-99f5-24b8816d9e38";
boot.initrd.luks.devices."enc-pvUSB" = {
device = "/dev/disk/by-uuid/c8e18f86-a950-4e4e-8f3c-366cc78db29b";
allowDiscards = true; # SSD
};
# mounts
fileSystems."/" = fileSystems."/" =
{ device = "rpool/nixos/root"; { device = "/dev/mapper/enc-pv1:/dev/mapper/enc-pv2:/dev/mapper/enc-pv3:/dev/mapper/enc-pv4:/dev/mapper/enc-pv5:/dev/mapper/enc-pvUSB";
fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ]; fsType = "bcachefs";
};
fileSystems."/home" =
{ device = "rpool/nixos/home";
fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
};
fileSystems."/var/lib" =
{ device = "rpool/nixos/var/lib";
fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
};
fileSystems."/var/log" =
{ device = "rpool/nixos/var/log";
fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
}; };
fileSystems."/data" =
{ device = "rpool/nixos/data";
fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
};
fileSystems."/boot" = fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/4FB4-738E"; { device = "/dev/disk/by-uuid/8F7E-53C4";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = [ ];
networking.interfaces.eth0.useDHCP = true; swapDevices = [
{
powerManagement.cpuFreqGovernor = "powersave"; device = "/dev/mmcblk1p2";
randomEncryption.enable = true;
}
];
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = lib.mkDefault false;
networking.interfaces.eth0.useDHCP = lib.mkDefault true;
networking.interfaces.eth1.useDHCP = lib.mkDefault true;
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
} }

62
machines/storage/s0/helios64/README.md Normal file
View File

@@ -0,0 +1,62 @@
Kobol Helios64
==============
The `default.nix` module provides the required setup for the system to work.
The `recommended.nix` module adds recommended settings for the system.
Status
------
### Works
- SATA hard drives
- Ethernet (1gbps)
- Serial through USB type-c (`ttyS2`)
### Untested
- Ethernet (2.5gbps)
- DP video out
- UPS behaviour
- `rootfs` on SATA drives
### Disabled
Due to misbehaviour, `ttyS0` (`&uart0`, `serial@ff180000`) has been disabled
via a kernel patch.
Without this change, using, or attempting to use `ttyS0` will break serial
output from `ttyS2`.
Kernel
------
Only Linux 5.10 (LTS) is supported, using the patch set derived from Armbian.
Requirements
------------
A *platform firmware* needs to be provided out of band for the system.
The author recommends Tow-Boot, for which a [draft pull request](https://github.com/Tow-Boot/Tow-Boot/pull/54)
adds support for the Helios64.
Any other supported *platform firmware* should work too.
> **NOTE**: at the time of writing (2021-10-10) the *platform firmware*
> **must** make use of the proprietary ram training. The open source equivalent
> will make the system unstable, and worse, will cause silent memory
> corruption, in addition to loud memory corruption.
Notes
-----
### Baud rate
The serial baud rate is configured for `115200`, which is a more common default
than the usual for Rockchip at `1500000`. See [the rationale for the decision](https://github.com/Tow-Boot/Tow-Boot/pull/33).

27
machines/storage/s0/helios64/default.nix Normal file
View File

@@ -0,0 +1,27 @@
{ config, pkgs, lib, ... }:
{
imports = [
./modules/fancontrol.nix
./modules/heartbeat.nix
./modules/ups.nix
];
boot.kernelParams = lib.mkAfter [
"console=ttyS2,115200n8"
"earlycon=uart8250,mmio32,0xff1a0000"
];
# Required for rootfs on sata
boot.initrd.availableKernelModules = [
"pcie-rockchip-host" # required for rootfs on pcie sata disks
"phy-rockchip-pcie" # required for rootfs on pcie sata disks
"phy-rockchip-usb" # maybe not needed
"uas" # required for rootfs on USB 3.0 sata disks
];
# bcachefs kernel is 5.15. but need patches that are only in 5.16+
# Patch the device tree to add support for getting the cpu thermal temp
hardware.deviceTree.enable = true;
hardware.deviceTree.kernelPackage = pkgs.linux_latest;
}

23
machines/storage/s0/helios64/modules/bsp/90-helios64-hwmon.rules Executable file
View File

@@ -0,0 +1,23 @@
# Helios64 persistent hwmon
ACTION=="remove", GOTO="helios64_hwmon_end"
#
KERNELS=="fan1", SUBSYSTEMS=="platform", ENV{_HELIOS64_FAN_}="p6", ENV{_IS_HELIOS64_FAN_}="1", ENV{IS_HELIOS64_HWMON}="1"
KERNELS=="fan2", SUBSYSTEMS=="platform", ENV{_HELIOS64_FAN_}="p7", ENV{_IS_HELIOS64_FAN_}="1", ENV{IS_HELIOS64_HWMON}="1"
KERNELS=="2-004c", SUBSYSTEMS=="i2c", DRIVERS=="lm75", ENV{IS_HELIOS64_HWMON}="1"
SUBSYSTEM!="hwmon", GOTO="helios64_hwmon_end"
ENV{HWMON_PATH}="/sys%p"
#
ATTR{name}=="cpu_thermal", ENV{IS_HELIOS64_HWMON}="1", ENV{HELIOS64_SYMLINK}="/dev/thermal-cpu"
#
ENV{IS_HELIOS64_HWMON}=="1", ATTR{name}=="lm75", ENV{HELIOS64_SYMLINK}="/dev/thermal-board"
ENV{_IS_HELIOS64_FAN_}=="1", ENV{HELIOS64_SYMLINK}="/dev/fan-$env{_HELIOS64_FAN_}"
#
ENV{IS_HELIOS64_HWMON}=="1", RUN+="/bin/ln -sf $env{HWMON_PATH} $env{HELIOS64_SYMLINK}"
LABEL="helios64_hwmon_end"

11
machines/storage/s0/helios64/modules/bsp/90-helios64-ups.rules Normal file
View File

@@ -0,0 +1,11 @@
ACTION=="add", GOTO="helios64_ups_end"
ACTION=="remove", GOTO="helios64_ups_end"
# Power loss event
ACTION=="change", SUBSYSTEM=="power_supply", ATTR{type}=="Mains", ATTRS{online}=="0", RUN+="/usr/bin/systemctl start helios64-ups.timer"
# Power restore event
ACTION=="change", SUBSYSTEM=="power_supply", ATTR{type}=="Mains", ATTRS{online}=="1", RUN+="/usr/bin/systemctl stop helios64-ups.timer"
LABEL="helios64_ups_end"

41
machines/storage/s0/helios64/modules/fancontrol.nix Normal file
View File

@@ -0,0 +1,41 @@
{ pkgs, ... }:
{
hardware.fancontrol.enable = true;
hardware.fancontrol.config = ''
# Helios64 PWM Fan Control Configuration
# Temp source : /dev/thermal-cpu
INTERVAL=10
FCTEMPS=/dev/fan-p6/pwm1=/dev/thermal-cpu/temp1_input /dev/fan-p7/pwm1=/dev/thermal-cpu/temp1_input
MINTEMP=/dev/fan-p6/pwm1=40 /dev/fan-p7/pwm1=40
MAXTEMP=/dev/fan-p6/pwm1=80 /dev/fan-p7/pwm1=80
MINSTART=/dev/fan-p6/pwm1=60 /dev/fan-p7/pwm1=60
MINSTOP=/dev/fan-p6/pwm1=29 /dev/fan-p7/pwm1=29
MINPWM=20
'';
services.udev.packages = [
# Fan control
(pkgs.callPackage (
{ stdenv, lib, coreutils }:
stdenv.mkDerivation {
name = "helios64-udev-fancontrol";
dontUnpack = true;
dontBuild = true;
installPhase = ''
mkdir -p "$out/etc/udev/rules.d/";
install -Dm644 "${./bsp/90-helios64-hwmon.rules}" \
"$out/etc/udev/rules.d/90-helios64-hwmon.rules"
substituteInPlace "$out/etc/udev/rules.d/90-helios64-hwmon.rules" \
--replace '/bin/ln' '${lib.getBin coreutils}/bin/ln'
'';
meta = with lib; {
description = "Udev rules for fancontrol for the Helios64";
platforms = platforms.linux;
};
}
) {})
];
}

22
machines/storage/s0/helios64/modules/heartbeat.nix Normal file
View File

@@ -0,0 +1,22 @@
{ pkgs, lib, ... }:
{
systemd.services.heartbeat = {
enable = true;
description = "Enable heartbeat & network activity led on Helios64";
serviceConfig = {
Type = "oneshot";
ExecStart = ''
${lib.getBin pkgs.bash}/bin/bash -c 'echo heartbeat | ${lib.getBin pkgs.coreutils}/bin/tee /sys/class/leds/helios64\\:green\\:status/trigger'
# this led is not supported yet in the kernel i'm using
# ${lib.getBin pkgs.bash}/bin/bash -c 'echo netdev | ${lib.getBin pkgs.coreutils}/bin/tee /sys/class/leds/helios64\\:blue\\:net/trigger'
# ${lib.getBin pkgs.bash}/bin/bash -c 'echo eth0 | ${lib.getBin pkgs.coreutils}/bin/tee /sys/class/leds/helios64\\:blue\\:net/device_name'
# ${lib.getBin pkgs.bash}/bin/bash -c 'echo 1 | ${lib.getBin pkgs.coreutils}/bin/tee /sys/class/leds/helios64\\:blue\\:net/link'
# ${lib.getBin pkgs.bash}/bin/bash -c 'echo 1 | ${lib.getBin pkgs.coreutils}/bin/tee /sys/class/leds/helios64\\:blue\\:net/rx'
# ${lib.getBin pkgs.bash}/bin/bash -c 'echo 1 | ${lib.getBin pkgs.coreutils}/bin/tee /sys/class/leds/helios64\\:blue\\:net/tx'
'';
};
after = [ "getty.target" ];
wantedBy = [ "multi-user.target" ];
};
}

51
machines/storage/s0/helios64/modules/ups.nix Normal file
View File

@@ -0,0 +1,51 @@
{ pkgs, ... }:
{
systemd.services.helios64-ups = {
enable = true;
description = "Helios64 UPS Action";
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.systemd}/bin/poweroff";
};
};
systemd.timers.helios64-ups = {
enable = true;
description = "Helios64 UPS Shutdown timer on power loss";
# disabling the timer by default. Even though armbian enaled
# the timer by default through this, we don't, as we can't
# rely on the udev rules to disable it after a system switch.
# wantedBy = [ "multi-user.target" ];
timerConfig = {
OnActiveSec = "10m";
AccuracySec = "1s";
Unit = "helios64-ups.service";
};
};
# The udev rule that will trigger the above service.
services.udev.packages = [
(pkgs.callPackage (
{ stdenv, lib, coreutils, systemd }:
stdenv.mkDerivation {
name = "helios64-udev-ups";
dontUnpack = true;
dontBuild = true;
installPhase = ''
mkdir -p "$out/etc/udev/rules.d/";
install -Dm644 "${./bsp/90-helios64-ups.rules}" \
"$out/etc/udev/rules.d/90-helios64-ups.rules"
substituteInPlace "$out/etc/udev/rules.d/90-helios64-ups.rules" \
--replace '/bin/ln' '${lib.getBin coreutils}/bin/ln' \
--replace '/usr/bin/systemctl' '${lib.getBin systemd}/bin/systemctl'
'';
meta = with lib; {
description = "Udev rules for UPS for the Helios64";
platforms = platforms.linux;
};
}
) {})
];
}

8
machines/storage/s0/helios64/recommended.nix Normal file
View File

@@ -0,0 +1,8 @@
{ lib, ... }:
{
# Since 20.03, you must explicitly specify to use dhcp on an interface
networking.interfaces.eth0.useDHCP = lib.mkDefault true;
# Helps with 4GiB of RAM
zramSwap.enable = lib.mkDefault true;
}

37
secrets/cloudflared-navidrome.json.age Normal file
View File

@@ -0,0 +1,37 @@
age-encryption.org/v1
-> ssh-ed25519 xoAm7w 6LPdjXDINKLmWzBbhs/gcQQnJTqePJAGVWX5YhwibHA
5O06D+H2KbLtueFoKNVIgFYlBeJimTL2Mk5S3biEKdw
-> ssh-ed25519 mbw8xA Ubq0SL3E410a1+3z2jZ6KFi6+tqNbqG7En0moLx+B1A
EWhz0Q4UWJDEwt1jYrX0udCdflA7unlYhddCg2vJpXA
-> ssh-ed25519 N240Tg 9UOgws8kFmAABuG68rjq9vNDLbBJa8pFOAnqtSsObm0
CWJLwZEVg4mK5DjDSXoDnHt51WTQ9WAka0sCM78bg7o
-> ssh-ed25519 2a2Yhw +xRtdu4UdGfIFkoLTQxBkkitPOKMcJJKepcvCGofaRI
qFjGwGjta954LgzVFCPOTmzbGO7ApEpIo88+dnLOA5s
-> ssh-ed25519 dMQYog wWsB7E4PjFCh44K2t65IVG2uOMJMyCDu4RyoMgbreQY
iFuu7dgxBzBTqt0iecUCt2avL7i6PQ7pf1rSRrsJo/I
-> ssh-ed25519 G2eSCQ mlVuEjjG1ZZbeRZ+mPPxIkEjNnzbRjvBQz7gBEUL+lg
1+8DUKJNvUxIpwIDEV6xRoI66Xgt4Z2YqtPA3hk/804
-> ssh-ed25519 6AT2/g n4A59l+hQA9jsQaM8ONFxp91c7jLN+bljIoNrRaSZlQ
lwmGQF1+dviOSkHGTg2pbSiHaDmhWSvav5XfUeaXDYE
-> ssh-ed25519 yHDAQw ACe/PrRD6xPh04w8WIPTpb5f051BmhaxD01u2YK82AM
itYUUUS1+aJ+lZ2IIwys1shG2GQWrF3q3ZgfVztMALg
-> ssh-ed25519 hPp1nw YY8vayLICissYqcnWCvxcDyB3KxnpH6xOSYAvunQzE8
SBzK7KsQy+Z+vsRKFgxkEJC4I4CwSM7MQ7ZbOJJ1W7Q
-> ssh-ed25519 CRfjsA iGbknT4mBJzDd8eEXLYCmDIzfLKzGrQNeHfRx0t0BSo
e9i000+K/KG0nikIGfXWEY8nPnnbOpWHhrys4qeXFY0
-> ssh-ed25519 vwVIvQ BYFMu0y8DnHivMOzITB+10tDGH3vXgUCuwASMPN4DnI
q8te5woh6MpFXKLOzZz8VK7vvivDnxIIm2YT9stxqLs
-> ssh-ed25519 fBrw3g qJT3udFmHFFf6p+B7+rQlKeBkDjiGPJjjDoAHoP/skI
UIC1B5eCaJArcEPetgG7cvHy2/7iOCPLPC1DM44/lmE
-> ssh-ed25519 S5xQfg teWDWxkmGO/6Pdq9BUSpyNP3HV6Abs7Dbe4YS4E8hV0
cij5vsyrDdKolTdEMKiWe4wFB0/T/5l6slHdJ7PaAcg
-> ssh-ed25519 XPxfUQ eNsWuyTu3Z7o9MkQ5c06F9nbwyKnNdCTBnVtHWfw5TU
bdlQbFoOflX0mN0fOfSRKv/pLSyy7wI4FKhMWtkC7sk
-> ssh-ed25519 SpD5mg BhsBDO0HY8ukC5xl6dPA0crSsFw5ItIEj1STIib+3zs
fJHJQUDczhv/XWBzi3CX1CRf2/zypk1tDTWro1EBA78
-> ssh-ed25519 Kk8sng rhJTlmqcgXZQY8KXCzhA/s8rZki7TmBxuFDlZgr27hY
wGjSOZgCYeVUYG6xXCG/kX18E5ljfytxfbSzPeG2M8k
-> BT2o-grease
d46Jzs4hD8i10FLG
--- UWVcEz0fWRw7B8XDTX4SJfRPIgzAN7YfHQEJAVqQxYc
v¯©ð˜‡ñò·ˆù•Tá4¡!ö=1¬ }nPÝ“$ºÖ~š€"nfêm‰V¡<56>>žÖ§3Å|ì~¸ó€Ü<E282AC>cRoeL=4(<28>"hòã¾ÌÞoPÀÇR3;ˆä’‹Æ.poÖþy-UO6¨í¢!Q2ìqo"Æìú V)³GÝàªE<08>ºf¥½°™<E284A2>4Ü?[~W±<57>ÎÌz qëÚY껪Góè.fm7w¸¹"•1˜šÜã,ÿi}Çø^Öæ¿Ž ø&/“RDgkÛªãn

BIN
secrets/email-pw.age
View File

Binary file not shown.

76
secrets/iodine.age
View File

@@ -1,39 +1,39 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 xoAm7w ubom+8Q47IB+J+Oq2engREnGa0DE+H2wmG2fz2mjxi8 -> ssh-ed25519 xoAm7w NvgGcHYNA6WmPn3sCmMzPCib+6P7s5R/G6lSJFpih2E
wpYS6ylA2PFgcsvClvv1nZBgG+Cy4RD4sVpqRcdW820 gLugCNcPJtAl9+2fa80OD7D7XaBkpb2bzKJclOdjGfw
-> ssh-ed25519 mbw8xA lh99YoeAM6ktJXa5z46A0JVuUcfLcwvFj3ncaf4gmxU -> ssh-ed25519 mbw8xA dBYbSV7QcUTOp9a5hUAZeMlL828KrRp6tB3zMIopPDA
WCOvhJJU+A6Slju2HN9kAQsGRm/0aE/rhprkMG+17BU i4QRHxTVaN60elfiuYXuESwbphxPN4tsQ7scH0ZJjoA
-> ssh-ed25519 2a2Yhw PVqMJAGJZOb62UAfQF5shDnGUu5VPUHFZjLOCOPfIgg -> ssh-ed25519 N240Tg Xg5q74f1ylRZGLpPggkTy1QU+LWEcHpqCV6wQ2OhQlk
+fRdzAagc+MmbgPdx6sOp3Vna97gaxnc4L5KZuXciRU RubXACwdS4+xNt8nt0C0wk8XU2YIWOSRwIXUg47sNA0
-> ssh-ed25519 dMQYog f0o48KwYRsZ9w1WowdZtH8aag/TgrV0w9r4DwJ4SdBo -> ssh-ed25519 2a2Yhw p5w1WsmcVHImVtolvrULgSsYXlm06g2za8zSiDf9uR8
VGtlt0K/IpbJhOnqc/IEdcqDMt90pjUR+FwRco7Ca0U qVuj2L8jvRmINprQbYg91yoJU0XZmO7TprQv2UsvpmY
-> ssh-ed25519 G2eSCQ vtbTZPGjRxUmWiE/V41pwPYw0y8rDSqSlK9g8FF8rmc -> ssh-ed25519 dMQYog EFYjggjACyNwvNCG75XsceqnUrrrsX4cv7e+Mu2Z2zI
iHQjLPdVYWCnuHEcQiOPwG/ymWS873dmEQ3YBeypdlE Q7VPIP7iNqHxGGtRG2Q122f60ZztSRsRHRbziGAinNY
-> ssh-ed25519 6AT2/g CTGtBM6qUCPKIp6SsipQtGIM4K2gKYlcKm1lZ7oU5Gg -> ssh-ed25519 G2eSCQ 5Y6Tazqz2Wjl2/lrlQMUWgEnSBJpmzwXAUGEK56upgE
2toLIu43LGBsK4zEzPe3xu1sGdf0TiH61TuvaI1uu7Q eVxcvshe+uecw4ORKdS/2W8p+jcrro8cDcDdmeY7Olg
-> ssh-ed25519 yHDAQw mgKQj9uQitIfCzLATi0QeDjj/ZNdfmLN3mDMq4lhBxo -> ssh-ed25519 6AT2/g h6E5M1uJRhqfR1bm82rXrJvmr+nkeUPbygD8S+zbAmY
HWt4Q0ZjKeoxkT4XB/doa6YhgF5OgrJEVe0NRPPpT4Y r5yR6W2uCcR4cEnbk/1tXwhAanT2EqTsH1mIDbrVGVM
-> ssh-ed25519 VyYH/Q zrxZoR6lY4yTOYvqxLVnJ1B/tLJqP3JiuhkFVRaUmF8 -> ssh-ed25519 yHDAQw lWomhFF/IyKtOUlBori7wNjrtsbqvKXXhAwF4a1y8js
rHBLx0H/70YLpdHfYzlqbRjFgCso3voEu0Nht7UlZz0 baOAc0tKMbh6Sw0bWyynI3OMrsOPA3W1fCCIn26azeQ
-> ssh-ed25519 hPp1nw 0zPkmUgLopoLsvG2pk3hXLFZ4y1U2zLYAnw6EnrsEis -> ssh-ed25519 hPp1nw ZGwi0yK0Nu+Y/uXIxnQH6Pwmw1SWBE0yQ9FOuBNKp1U
bcbjMtvpDs+aKUf5GUW2x8mXMm5xBZ2S/aS6ePYoZOM tN8kk/0AxUIiFbEOSeIlGiBIy0d96wTG8VrGPnEHTg4
-> ssh-ed25519 CRfjsA x5fkEqFAn2gyPjOL91H+TU0t8fGbelyYNF3Gkm2PM2I -> ssh-ed25519 CRfjsA ntYznFouB2JWY2LZ6aycDogIFbLHOhqcx50QbJIB+RY
CCS0OxGVfRKCXzIEGIGGtVbEmzzY/uE30snLB9kRaK8 slo38Rvg+2GV2fKRlt4Yns644kd55DrDz7ivi6RTyXg
-> ssh-ed25519 vwVIvQ 1WBqhGRWns+zq69pFhRGPKWE2UwXmwAp7XPGgU8MG1o -> ssh-ed25519 vwVIvQ UF+Bo3Rl5OPPqqddi0bqleRJV9XTuykrl2dkPPSyRAE
TAEdHH7heHvG+i/jOTAxUbtosLIJ4TL012eoivpYbF0 znn5KNsXZPHN2/E652cPhOx8RF5+uuFUyGhrI+kCou0
-> ssh-ed25519 fBrw3g rnGGZG45LWTLl9rMUtusEADK//cskSRDbVNHqymaRX0 -> ssh-ed25519 fBrw3g w8EkEo1db0Po5ZhDzz/5nshsSmjy9wMSKp+XFDEuUQA
eQyOhsDPF3o1hlfrVJqHd873wPtMkWW1QhslCY9qyL4 q50eyTDTxQULpogMbVXI2zSfu+ZZP9DOXjM+Y2/rMNI
-> ssh-ed25519 S5xQfg /SYkIjBEuboiTRBN3/Hy54WCm30rPeTb7hyW8Ne8XQo -> ssh-ed25519 S5xQfg 651xn3mNSl/3+KT5d4XD2pkMNcxi6BScqX3teoKbgio
Zixg9/lPh8sEylM0k4UZMbKiM7G07C1s8z0U+RWGxb0 EOfzB+woFBWBaVKuv4t4E0Gx3vf7Lg40WXSovXs8N6s
-> ssh-ed25519 XPxfUQ YMnUrS3KvUfwX+QXvHMDWj/dF58e8CpaFMMuQlHaBCc -> ssh-ed25519 XPxfUQ FL+FYVsRNJBv7xEpwf0fXgJt3G/FiARQ7+aWK/sxryE
qtOCQrVvAzaG3TlG2EUHwMHXC6Q1STC5ZnEGZ/yh6U4 xneOKh3muAhjkLC2upsRrc4B0mggwm7IOMFsg+25gT8
-> ssh-ed25519 SpD5mg e+roG6erU7LFz/JG081vYo2QG5/72pGhxrrmJfNTLVM -> ssh-ed25519 SpD5mg f140sUr/7itxtllfcbBaNV9xhRaV/IULGVn6AaP7zkw
taKovBNCmrYb5712fnZ2Gq1GLQfog9IyezIhyN2hYkA FnostzjoSC/bdOu2UF+rT+0mZ0aUM8rAAoQltUXn534
-> ssh-ed25519 Kk8sng T+387c8n+DojonjyQnB19JJifJWHufU+/oTLrvjzW2I -> ssh-ed25519 Kk8sng 9JnybgIcROZf+l0C9YGNb4xWkZLtdfUPm2V0WJsGPUI
nhjogEUDM7m6jTLiY3qZibKfe/8SPDkoz4v5TqY0Or0 fs4wBEIdK6kU1CIhI8zz/yqa4Fb6Q2u+MO6SsudQlCM
-> Nd\-#+C1-grease ~l H Gz# -> C89-grease >Fa(j6s UN5!{
52s5cUftipJSF08pl6py9q7wRH03s++6wqZZwNXTWfTyfVRpiv+LT+1vG8G40ByB nb+ymnliEEKJf3IGloFQMNl/SyFjvFUqekC2YEY2qJblAUaft3Tf6hMYf7uDSjew
XZHLe7A6CJuPj6FEabA5Yz5Q9IcY5KklKoCSzlJPaWHUySon 5SRhESY0VucHhAK6OybwPWYRlXXv2gM/wxUicB8
--- VqPdz+C6jxXzt5awQag/7jMrGk8dkpe4JSPBB91fKUo --- t6Q6ULdQzW4/xDtZDVI/lfP5i8Cq8lnURqQSyKWHvyI
l ˆÎyÌn‡ Œéë„<C3AB>üFŸÕ_Ÿ1„%~²×‰9ÌÿîŠ%üÍp^o<63>k h,:ìüæ
¥:tcƒéþ<> H)'’ЊÂ/²)žÒ¾ìpˆ¡Rç2QU

75
secrets/nextcloud-pw.age
View File

@@ -1,38 +1,39 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 xoAm7w TBgxtsm66foJGt2nHrXtgzpohAgCjlFZKJJ92wVRwHE -> ssh-ed25519 xoAm7w 7+DO9mI/zZfTIN/0KBMOIjMNnReyGoH/XVQa0OLdAHY
3v4D4OIsYkS/f1cFzjkqsZWRY+06H/hK5BRUlK0rezE qg/UIBJr8GX79d7xrIIN9GUt3pDIormlOM7IdjIytHk
-> ssh-ed25519 mbw8xA DGk5uuy20YbA60OCsRRUpDPDn8/34kXB6fLPM5EaM1A -> ssh-ed25519 mbw8xA 9KorXegEBX3PYQm+Ljdjs2hkxAIpz2CZrITNCGo0BnM
gX+54o4ZGMepfR+IgWtnfRrQyJI7cIaVfrB6F0bhJpM QNQWGWqoudiryg/0fV2KZUuJQGp/suZun9KF9c2OTqw
-> ssh-ed25519 2a2Yhw 4duxFtOvot0/yg/mat9/mq7e+3FyBRVZbDxab1kUIz0 -> ssh-ed25519 N240Tg kfl4aaKI28cDfzX3MBisRGraQYChPdUF2WigjOFYx0Y
eYGM5bSmdkepVFtC/hu9QryA7bAmyZ1aGk+Gz11IUeI u8dgbgJSmcJBp2Uc8qbWMbpa/cKEmx4V3psQgzqnitA
-> ssh-ed25519 dMQYog j1ltBo3adLkVjynrfftU3SUuXbtkPJwqvLScqV3Egi0 -> ssh-ed25519 2a2Yhw MGk791xEYHlC4bYfU5CMS3rY8TVI8KYvEIwUhE7wQ3k
8MPpwdCulNGlw261+weh0Lg5Nn7nztUrMHyai9WFV5Q iFT3QUR8PyWw4grqy7/8KfLfYNIDkgDKM2MqSr6cj0U
-> ssh-ed25519 G2eSCQ /IbtFM08snzoYcw59E0VDWE3Y8GUSqJDZ5X6i6l5ghU -> ssh-ed25519 dMQYog IW1ntuHrV85WX60GI295c197NUlQMKuo5gd3sQZl/gA
x0TAzntr4kHb9iZVqsSYAdS0mIBjdZjG6muniNz/R1A gAnx0rMggqZ7Rn8tHFAXJx3z3t9MkZpmjpgI2qAtK4g
-> ssh-ed25519 6AT2/g htY9fgi/p9aGNEGsUdcVJ7tQ5cEXDxFXAXNRvf2aAlU -> ssh-ed25519 G2eSCQ 7ZpZQAda0uxjIIdpLnC5JlU6cbLtJWr9LSIIdi7PUQw
gxhbdfZuyPVHYLl9lsfSe1Hu/cNwgFNbT8BzScL23AM PfGFrMVLCmy8SDv2nn6p6M560Xu8lte8DjbCORDM+uc
-> ssh-ed25519 yHDAQw r/Q4+U6D9kBM+2Tks18bVh3ketV6XPsPooq+mD84WhQ -> ssh-ed25519 6AT2/g JGE9jVFM2Wu348XIHpubyCEismpfBraxnFGTnEvqqnI
Mpy9wGJRPhBvpnI9Nl38BkRdXgezKg8aOdXZIzuttds kDHfyJdBIGIURDJ0Nsce4DqzPzhk5p+LM1QZ44pZ4g8
-> ssh-ed25519 VyYH/Q bj6YIiIkAWr9f7jagbx57jRvSDcnmbqtx6Q1ijcOTDk -> ssh-ed25519 yHDAQw KNzCNjvErLwEJZpWWMIBFUGOC8jURyvoKzCWX0ATrRM
IWktummkI2rkjpxG1wP7VG5NAZKixC/qEi//fBfPWCs EyIJpn48eU8oEB5FbMhCOd16hAVrxTFLyJEoos7WGOY
-> ssh-ed25519 hPp1nw Q4EhATKtqAuvaaSZ6mvdHYxLtEUIiq6vXCt2TIW3ujw -> ssh-ed25519 hPp1nw kdjLNwgYQV/4NMubVpJw8QCIuKn+u3CT1boZNJEWfCM
XzrrxplNBzH84lzWheGA7GFtw6KAhD/Fn1dUh/IC0RQ FXNLqmpZB+CtSmCY9zGr+3UebEwNK3JmdP4ifdXiQL4
-> ssh-ed25519 CRfjsA tJMmvRH7ycObgJ5ZjVnIsC1NuqmUwpcAfIl6zxRfdTg -> ssh-ed25519 CRfjsA axLQSlgVkaYmRktIP+fwHnhN2pJ55NCOW0fzTzgjFF4
eDxKa8mqdbZbmbv+WmhbQWO+0KG7vsu3i1V+Fj1/1IU ElO0byzF3PJxN9WgENIN/YfmsOR9rOhEh3xRNIIGIyk
-> ssh-ed25519 vwVIvQ mAizKoyN4QkTztzMBiz53+H7pJunPT6mZmXW75hcMh8 -> ssh-ed25519 vwVIvQ LtrPXRJ0hztkWFnoKt5c0UzWQpD9CO990k52gjWcQnY
/T03UWjaTw9TcJg9wrFJINs02PG11vabRgptlY/QyTk nHb1hsXhHQokcA4WoRlbZy0EFQt8Xd0cYUGqblY17Q4
-> ssh-ed25519 fBrw3g wTn+uGVURTaLh2uuy+hOMXADU8Y5X5rjt/I5hlgkiEU -> ssh-ed25519 fBrw3g dnWs7lWY8QoWOjWHG68FSYqZDzsIaA/qU4AXrndGNTw
djupGCAIbmou/kaeS8bvCHFU4h/tDJUPj1D7Ad3uGOg gh4+t6THL2mtrPUzGlYd/YxDjk3hpHxUmGq+kRcz9BQ
-> ssh-ed25519 S5xQfg ndVRf5DZJG6ppRG4BLadwFdHcJBO7YsLamdY8h6M4GU -> ssh-ed25519 S5xQfg kEXs5hXXR4ocYYWoT2xFr4HITe9wIOOLz73zm/9bf0o
GdYFdMZtd7zRAejs0CoGkKEg3LquMD3rXqbXIakfv2g WpO+5/zXc+UGYJGkNNQr8UsEz2RyBUtQ4Syep718294
-> ssh-ed25519 XPxfUQ OzGJy6jOdsX2FOaqyPaGfGVvnmMessbQSFaaRSiJrkA -> ssh-ed25519 XPxfUQ pL4j/idFPiIPnWI7bIwn0+FuB6az/hXURAh+tvdr7Hc
/F4Rb1DdKrq8cXW1wJZQME3cjdvCg8uGnORzJH4apIA WWJPFYanmf3+KnjG84XlnEapI1vh0wRi9XFJRn5JVpo
-> ssh-ed25519 SpD5mg rwLBuiTLSo3Sg1pfrKX72AtOYylGVsUqVvpPjfWy+n8 -> ssh-ed25519 SpD5mg CpGcl7ONt0juh/N2hwcxWiuc9u9wjQ4d+AAF+1BQim0
Ly2MAPdLr5T91QEaDK/SzBHa6eRXM4qnl6AUzc1LkMk 7Xs7qYITkCsjloA74CDGn6lZhXNTqFV05omLiCz9efg
-> ssh-ed25519 Kk8sng MPQqZeCMmHpseUkC1ysBlqhfOFZBWvb0rII9vLj2fG4 -> ssh-ed25519 Kk8sng DzLM7ewz+4yz5YNQfBDKcOOlqMxScGR34XfVpCUHMEM
bx/POtqvkke0V8mtug14PzjekwvKu8lqY1C3BBHdrq0 eH2ogYJO2N4cqxRibCOEoL5cXcTdWavHS3uRX7wwHxY
-> H;;#1-grease NIQ|aNi" ^ m ub=UpUr` -> h<Vf$Fh-grease :~Z8 qwh*'} 2*OyJh )iMU_m?t
62l691hcYEUai/MhlIgoxGmJwGl1NA6CgWl8LSGbHHfAwtCa6pO7kORspVcI1nBY u9QuYuPJEVl7Rt1cEcXZPQ0IfpOzqB59iTMch/SDoByr966PBlBfjDS/7i9U0sEI
fm6hfhPep5Djdinrz3ti+fprTjOpJafJoAsvxE14 GMeVtXePXkKPXVvhmbZ/C9KI
--- fxAevZGLf/QUXm/kEserDh7XPyy0lfDaUI+NnCfrZbA --- 1F0kxs/7SRrpoj9q4t1eCg381LzCgrwA1DYG7zcI3dI
^ŜˡÁ2Í?éÈüÇ‚tve<76> ö>°cY§ÀeéEòƒ\ã¯<>Ôc¸j½ ßÎíÃS­—XpºýG<C3BD>§$½}i¼10
ϱ™< œ`á Œ<>, öAž¤£~r>ø$|wˆ¿

39
secrets/peertube-db-pw.age Normal file
View File

@@ -0,0 +1,39 @@
age-encryption.org/v1
-> ssh-ed25519 xoAm7w 6fOw4Kh4O0WAdZG0WPBdl63ap/Xr/w+Rweylt/0mKDU
M2ZYVPz9vVGjJ6us48pXSFKKH8tK8PhkvBUJAUriimY
-> ssh-ed25519 mbw8xA JBYsd9iwH4E2GfGP63DwdwT4Y+gvL31sB3rSY2GKDmQ
zMHRL3bDxeAkWdKYPPtc/xyrkZlNtzBwzMyt5lb0H4o
-> ssh-ed25519 N240Tg 9DErfKdTHuvUcw9+5yzo8kMHa+IKxspGlWb6KRvPB0o
q1FLalljaHyYxEu6JrmcXGYhYi0L7TAtV0U8UsaQ4cs
-> ssh-ed25519 2a2Yhw eDolYbro00zktVZA8xdhbjvLkcOItFU/lTBPXNYypWI
d1MlKnVGRf2T2VFPhDnsSF8fboF+5mAdXEMeJRTjJz8
-> ssh-ed25519 dMQYog 2y6zkr37iC5VarUPOlrXVj9XyS5pihQq6O/K20gTMnc
jQxtJYCH1JagBpaupGVizzk0ZCswOQvFTcxT8IeFtRI
-> ssh-ed25519 G2eSCQ 8b0ZqtAxiFRfLEMHnj6LZmq5CQT7nMmfTwc+gpKbQQs
kl9EvBs9BpZXoomdg30ViCMBV8xEnYlCD9GFY+dNVBM
-> ssh-ed25519 6AT2/g kA3H9/fN5qyPquKIBQqYSGZYhxqDc7Zyj0CrjF0Nqgg
zXrT+jpTJo6ToVzLuLzDcqblXKdDbjxt4Zr9CvWBZc0
-> ssh-ed25519 yHDAQw vuMN4IU9wAIAWDFEDCr1yjEPtEMCISxYTx27qh4QS3U
2vrVYYbBlbyEOmd7cpeijKeNk6uEe/1iWQcZO8dSrWI
-> ssh-ed25519 hPp1nw TwogaV1PZXUekJoqXepW8sUm+DvPCxTEL+RobecJ3ys
VKM1QHFM8qDW1ZCpueQEqQtQknoQ470nll7y6WTjlWA
-> ssh-ed25519 CRfjsA dvkLphHpCButJtI/RMlt7RvaIuMNHLbF9y663tvuvhs
VEwK/KDK93e2iwEcwmGM8vvhwqi+tNW8SYrbsehZbWE
-> ssh-ed25519 vwVIvQ xnd9Vgz9FCeRu6yZbbIZbSBEvSkgPzFifye5eT8kmT0
XOCZBNTP66Wzy5Vdn4qJwzApDx3U2qNnQqEBcwfARHk
-> ssh-ed25519 fBrw3g 81Mv0OtBk9J2Tb7kjnT4uCGeytV7HJfOTcA5C4NoLy4
hiMbGjXjtvBa2Puhb8GBas3WXc0fozRD4hg73MvQumw
-> ssh-ed25519 S5xQfg F2oOMdM1U1aT4K6pIhCnCz5EbxnEb9Q4QZ0MkhSJKnE
Pz2cyF+IGLz64466ne8np3xA7g+51S4s4mlaLRohIM4
-> ssh-ed25519 XPxfUQ 3rIutnjj8fXIo3mCAL5nfzJep7q70j+AGLE3j/JxOhY
v2Xj5PbpFMsf6Tx68u7VHCRqGa3Wrnsk4E6Q08SklUc
-> ssh-ed25519 SpD5mg tmM+zaXpX+W8xsMfBCoWZc+7wPRI6yFt2W/p4O2s4lo
ckNxHza6ruYdIffwxDFOWnYOUgpbWNfwzU5AQJb6ZAA
-> ssh-ed25519 Kk8sng 2ddBuZ+DEVuvRmWS2O8r+xT4Qtrev78Vre+yQ3kNdEA
LojDcUOsZtA5kw8kIPC2y+G21T1uKUEUkwkJ3xPiUX4
-> "JnF1%Gd-grease |=~ P
tzG7OLiEsRVyoTBpLPGwqNBUGkz0
--- /AHllIllItlnpPXQAkywTF1UsUb7Wpec2jdYE6kOkO4
´ <>§K
^U5{Ôpœ_l9ûá7I#J¯˜Á!ë†å`Cθ^vÚÕˆEòµßŸÁˆuž¥òä×_WPæo2.<èù w}¶Ì
(!V®

41
secrets/peertube-init.age Normal file
View File

@@ -0,0 +1,41 @@
age-encryption.org/v1
-> ssh-ed25519 xoAm7w N9ZPma02+vK6eoQ6X9/AufI8d9Sq0fAmbCygEAprM30
qUcK7qCxU/wGxssjMO3BFmiP+ZPCMMA+MPsqTS6Hau8
-> ssh-ed25519 mbw8xA 1uhQY3YHakSRBjgVfqWc3ynGGNT+T6qR74oy7UpbdGM
7cvBh7xPxDxZqrQURBUUnyk2YjzVY/kzAUf7dy5y/JI
-> ssh-ed25519 N240Tg ujiP5iMMSupxkwhY1DpkmRQOQlZSr9WjPGrY7aUKmnQ
FNeXuINzgDB+gn/u76gQq7J1zYCQC0wbFyUVxvbalI4
-> ssh-ed25519 2a2Yhw C8/2A7AOzjyrH4Ulre9G+w1y7H1pvVZe6k5PTmGBlCI
9W6w4Ib0riy9sbZEQvSYeJ42LXwPruV8kPvTOP+dMqg
-> ssh-ed25519 dMQYog hIbfS8dz5LGPZ9sU+lHHnL8KB0CceM2nYV5mFV038gY
6r14pRwszEZGVzDRZQlymlgjdp1Zd+r/O2IfjqxBZcs
-> ssh-ed25519 G2eSCQ kvgWxBHowwVcGlm3KiWjxug+Wx3zkcMWl4wbPRrhrl8
A5VtHqvDwaa8jONXMTvVQC1ALcnsiqxllM/DrRXWFws
-> ssh-ed25519 6AT2/g XUGBtkOcpLRKNDS3hsyXAap1DXAIeaRX9jFOfhUpMw4
sq/Ziv4RGRBmrUgS0GWTQs8AViUXBWjUxqf0V/rAN8E
-> ssh-ed25519 yHDAQw GmscTQwu+lHC2VARJusQ606NLf6OlxITZzINjrbxf2o
LmuIU71tE+2OlF0HGNS+DdXCLdA5lAeTPXl1S+V5KCA
-> ssh-ed25519 hPp1nw XQbGxz+YJ8RieN0HxEQz9kJfikbWTtz1hFNGQBHkXzg
1yst2YMs9XelKpIGyl+qxAgrFZ+Hq9odh6wBovbb8sc
-> ssh-ed25519 CRfjsA 79TlEM5+g11lMOkkW/KvSTmt//ChklK3jlUHLAM/1hQ
9X1VP6SYST3Q841ahE+fAeg0FhKq+/XcZdysigIOgdc
-> ssh-ed25519 vwVIvQ 1r0/J5T1fEmOjM7ybKDPOBdE2UIDEUdkIFNWGJBzXGs
gAOX/3koAfQx8er8nt4dlvLbIoYfeVPENjz7wLNoFwg
-> ssh-ed25519 fBrw3g 9hdWAt6qEwjAwVmTprCkR2q6GsE4dEOCiCTRfz58fTk
f24fPWUrwtt1UN2ebk7tj7gBY8EiAMwvEvztCvaNZRc
-> ssh-ed25519 S5xQfg wyY1lx8QIDJy9pCi9zS3T3lNV0jQGhVC8HvyI60zrD4
6+agBFHfxcaTLfZLyEeUMl9zyaFbsM9X2EXPvf6DfeM
-> ssh-ed25519 XPxfUQ IabbhU0TM3zImRHyKk1NLnGRUUTuQHHCMLzp9AltDVE
vf+5OlycHphA0i4nB7c6OtBBahWPJR/8VSWzudM9FEc
-> ssh-ed25519 SpD5mg VSBErQVSLWPcA7C3p+wuL0/JaP58O5Gvy8z5eJduky0
jnd3tBVjqhf8oZy9h2soMZVPEa2dvYHxvrNUdKK/UwU
-> ssh-ed25519 Kk8sng 3gM4o/sdewPR8BZo8owBVEE2GwqnQgUeA1Uxsd8nOlM
VpgZRzc4tN7QX8s41iKoCstfU0KgrGhWolfws8QXYr8
-> vWbrVo-grease ,kVQ{
PpMMMc8V/eqh5OBEcK067OIY3UQt9QTjHCVVesZediQxm/E2rRYvKm793NdgsflT
mAA0Lcu8/6EPFWtK05TxkDO+JaVfrvKLKuh/E3k
--- eKZw2cOm1WsLYj/Bx14q433kkZ6altIqL0qnBSYXjn8
>»KÝ-B<15>vœâŒ×ôÕŽ}4©QåÎ˳x
ÅîÝÒ{ʱí­
0U<01>Ò
ê¶×Ý

BIN
secrets/peertube-redis-pw.age Normal file
View File

Binary file not shown.

BIN
secrets/peertube-smtp.age Normal file
View File

Binary file not shown.

74
secrets/pia-login.conf
View File

@@ -1,38 +1,38 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 xoAm7w xqcRHP0MHuiK/zomHCYc66ovGuTBwG3e74adAtR8Mwc -> ssh-ed25519 xoAm7w SqYHa6RK3Qc2q7PnzW+2zWIc+A45lcgsGUOcloo5NCY
GxxxVe1BtI+XFgivxLx4iqPs/bOqY0YgRUaN5WL+J6Q YK3fq1eFLcrYyeB0jrbpaDlvZI4QXtGDB6gBsNOHRbc
-> ssh-ed25519 mbw8xA d5zP1zd7jaeoDurJdLaZH3bqRuuKaSLhvYW0ZJR5Ei0 -> ssh-ed25519 mbw8xA td67bdiy9OVhynehUE0t9WNhSm5mibBSouANJsb54DI
vDZiTBxgzUUv5F7k9DNWyHmDq+72zZ++fK/QsNMejQw k5Q0NYRDLuEVqi6spysZ3wczsl6KeJHnzeQs4AcfOPM
-> ssh-ed25519 2a2Yhw PflULmGrCX2W7PTYFuu36LudH9P1w2T9Ac2BkWDtR1o -> ssh-ed25519 N240Tg yQxm7sk3zmluyfrHuXcfcUH4bep9yO2yasWsZL8jlm0
cKCcIGfBgnVhyBQ9/w1en4QV5OnfkKahv+iWbY75rcA 0uLbEiU6G+BOFnhdtQ7y1TaZun3L9cayeOJUiKmhK3I
-> ssh-ed25519 dMQYog MPQk/1Vo/ZYw3gPBU0pWlDgrc0OV+gwW+5RS08C6w18 -> ssh-ed25519 2a2Yhw rWgv/wgxs/G8JqWRMX4K8OMkbDDEWKXn8tr1EZHXNTg
89xYLEHa67LA/3WJZLPaZjubI215XlLXFOu/Eya85fc //vsUBg5VSyyPOhUppiV4hkEhSVh7TUxlgRhroeMH2Y
-> ssh-ed25519 G2eSCQ U0xOVFq1wFNyT/BnkYI4w5KsNrOo+Hwx273zZI8PlQw -> ssh-ed25519 dMQYog C231LaIgcDukZz+Q0w3BS6QoRNPYBpQnDc0iapNDACY
FUcdjrHZgjokvc5qZ7VeIw0Z8CJMNjMOmf78Gg1b6Hw h053cONj1m8SP/V9oFU7MuMRNKq8KNxr9FyWoRShZ2w
-> ssh-ed25519 6AT2/g geU2DAuZLH0NDF+0h8A/rp2FrfaXAumy2GC1O2p/CHE -> ssh-ed25519 G2eSCQ oazxEulqB0zTHwBBZxxBvskYLENNm62hy0EMt/6BIi0
Oh8GY149dxknV6QhpUrD39fwP9bREGkgVm8YPLpZdvg rM8Evty9wq4qC/Tau0bU0LgBqNP1J6Zt+iQeYwhBJ1g
-> ssh-ed25519 yHDAQw m4eSQTxExlAHfmyQ1DdBCWemb+z6ldeaEKmBwbrgTRk -> ssh-ed25519 6AT2/g GWYlWQLxy+JjQUGGG4P2ePuqYkUov/0OV1gyAUfo7xE
+kYjyUWVP7PHVoqqYG5JxwLmmCc1ezDUCGIFnX02lx0 CT4W8xfyQyZ8LgnVWncxL9TMyf2tC1mXhjJ8/OrV/yk
-> ssh-ed25519 VyYH/Q 22pJQ5qJFkDpyhhJ8PgpI8BVSN70kkMGJHZqbgkIACw -> ssh-ed25519 yHDAQw 5FsOvziKO7oXBvIbJ6ikUHyZsfJcwoXcXYmCCCZlUl4
8sPrt+XceTHR4PvelbxfAwH1/IUOB1f1/aVyBFISCL8 5wywGXF9/QbqT0H3f7GY1J79ZwrFaSG6qzHll5G9Xcc
-> ssh-ed25519 hPp1nw oemF2kqJpkM5wmPzV7pxWq7gwyeBtHMA2ZDcKQ8AuBM -> ssh-ed25519 hPp1nw Aii3iq5LHQPAWIGj7RbK18ChTij7zYnARHqXTAcU+wo
jKnhqbGtI8Ll7n8APN4ppWomGVwCNxeMobMfn51baHU 218UL87Ev75zAsloHSkLlQoSLk3u+XaRgMpqFlHQEIM
-> ssh-ed25519 CRfjsA n1rHsp+O9p67x98MXOq0p1Z01IAvDmQEeOrxb3bsfAU -> ssh-ed25519 CRfjsA AafQ3rTlpqLZqz614VPy0h0o+ha4f7gdx3zuoO7h9BI
jQqxXAuT0Z0xNn6YKAs+KOkG7wxDFDxq5Fm2gKxB1j4 jyhVN8DsgSo58YPKb8c/eBWSgunbLgN0tnvqTaaOxTU
-> ssh-ed25519 vwVIvQ Ydiw3i6yquUvUh9dhFST8Dnpsm6/4SJMuDGm7ka/UnE -> ssh-ed25519 vwVIvQ oQHpWgGDhgea9M774iyQ2gP0hvSgFr5ScM4ZdhMHD2g
R0wpu+tP+apJFWOxfb6B1eFqHtx8CfgxrVM+hGmPF/I 9vJjWXwOqpOfegf9ZtKMxAayDsn2ziHGTHGIBlAO71E
-> ssh-ed25519 fBrw3g nJVo9VPVhidY50WrecFb4Z3gvbVa+HvJVoWtcTqUSiI -> ssh-ed25519 fBrw3g lGSzsEt5Ot/RHwJbL3fNQoR29ZQ7EsFUWv7HjWnU9wg
gi+5LVtpaKI/RzpB26PPwb3Z2bznBMWyYy5T1iVDnLw cufwuuyT/Vcf3QeJGXEcYFUQqjf0US95po7FaGMYXAE
-> ssh-ed25519 S5xQfg Qg3EG+SWYIbt6bb5KIHPB3IsrVp4dOCtxDwsDfPxwzo -> ssh-ed25519 S5xQfg CGj9qzx3vvlNnHh5RUyg4+3gVpIEcgGYbYJr61oTJgI
XS5K+J6Rdg0ffVKPxDjhqG14ue4sZ+2AWvTrGgUcqzQ x3TLtdaRpFtMRTC/RdngyBOeXQFEVvQIRdfAsaj8hj4
-> ssh-ed25519 XPxfUQ +dpWU2v78/sgzjCKMI/PF7dUH6gvyQH/Sq7IepJ5Iks -> ssh-ed25519 XPxfUQ r1iu+mpoUVuf0AqaDsrumw8SOdiHapODcgrYRrAuSjo
e+sjwJ5yVVIqi/XFNEunzddKaeZoyt6SSQIaARKQKcA 1XNRKfEgm2U9DXZmNogFr9B9MqibE72NjyHiy2zZFMk
-> ssh-ed25519 SpD5mg LNEibIixLpNDeI29JpwyAy7Yj98hz+crpA3CUrdLCh8 -> ssh-ed25519 SpD5mg NM2MP1/5yxwQvvpiHnq1aiXQg4yxWpsNH/Isrwcz1Vo
/ecP3HwrkcqMEi5KHKJ2GDs/FVMBYiOogbsmbnsKcXg IdWPzZg+/mwCr91bIlDMpAiii/HWsnIxTGXnetYjRPA
-> ssh-ed25519 Kk8sng XYXpGlL5N5Q0fW/CNR/MM5l1H4wnGc07PmG7pfIYPEA -> ssh-ed25519 Kk8sng 4NAaCbs1EOQpZz/qm8yW7PkFdsn8seSTgInow1zqBiE
ZHDIG4o16QpkXOgEoMEElVdjuMHBOYnu1+r9j7oWJqc 2MJJNUFyBkxy26adDmoJKNndeQT+MsJGjdYiXMpMS4g
-> uz.p77*-grease \LNG +]\N }$z/#os -> A-grease L''*[IU]
v9I+wGZRCAIjCEeJespiFlyqUu+OblQlv9/hJcSTjEo8jMIlhjTgitVN0gcG/iGc 5xdl3E2HB0Yz2TKiRucf1X/PV2JS4rc4LG4cKJ9VYIUksE5Aoj26E8h1izCrhEsp
Eb8YAQ Hnr2xC029yD3shPQ1w
--- 6EmzITbtgIPahwrQlzo06L8D2UykOG023TWIcXmflJ4 --- OjLAmZwep6nKTZYMUuBBaMe+F3FmWqsCM2XCDqoiG/4
úPá™.Öú¥RvÎûÎ7*@»Ò¨N3^¸†‰ßáá"{&²ÛZOb¦Š\ÑÙB$cb¤I20F/FYºýGæ—»ÂJ%™? ¢P<C2A2>¾Ü3ÐdÖ½˜<C2BD>$<24>øP ÍZÎëk²¬¨œoéG´ûCbÇÚ!Zö{ʦ ƒ\ öO˜+PK±¬†rîЕî A´~zÕô@ö’\Õ±M3G¿iÚGl‹èçÒ~€!þ§Á*Qõ‡ã

BIN
secrets/sasl_relay_passwd.age
View File

Binary file not shown.

76
secrets/searx.age
View File

@@ -1,38 +1,40 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 xoAm7w 8X/mQQdaVvKGFTa8S8Kq0gjXQizdQqKjCbLPbj+E+xg -> ssh-ed25519 xoAm7w CNXq63Qxe5wvwn0dr7QKcJogg9cO5+no3FcNmxkL7Gg
ztcO7CI7PlIg+kqGi5mIriGs1uYAdsvsA5TC+vU2D0E w14UiCOJofq3r8VikRCOjIp29NXvoKJHyRms6tjr3/M
-> ssh-ed25519 mbw8xA fcD+NYtWgZaXpIwe0kIGplhsHphwjwr5bWn3fu9bCxY -> ssh-ed25519 mbw8xA tzrtBUcTaOZBi2BNhgwN45MqMlQKGZU6FYm8IEQJKH8
HEdS7uNl7BEajuPvMVhWM/B2Z5SLavZ1go6wSCuUN20 Vpc/0IHNizsxTozoVm0YZdm0qgKwx1sZ/JMIKSjQW3g
-> ssh-ed25519 2a2Yhw 6exAx6FTladZDoIkXDFwiH4b2qYCMUWgPDrXzP//uQI -> ssh-ed25519 N240Tg F4wZmhSgHx1+tLok5IdJe+CCzWf6LmlkOFNGWqOpxXc
HAN7bkNCLhYPwt6Fcdkij+9c+EBrN88lxhJr9rJlfc4 ZF7+t0HDmfaJnyNe3lkz5aVFezD7mAxqRiDCZCwW2sk
-> ssh-ed25519 dMQYog ZFiEF1MYdIha67bN75Rv+6Wr6Z9E34NVk3tHsSEEQyY -> ssh-ed25519 2a2Yhw rC3PH9ftW4UWPuUpP6tThaSe9AkfKUiEgQPPXerJ/SA
Y24l9R+jd1kN3mwSnaaZ+kogwIgNtIUb2gLW0eLAi54 UNKobz02TnEN/oqhp7hwS46mU1IA0ehVzLqeIm9QVVk
-> ssh-ed25519 G2eSCQ sYOr9ilW7CW+P/0hsv/RAmv/v34JevYIyYN+I6lHph8 -> ssh-ed25519 dMQYog XowiBliO/PhqZFnmfnXWmw7KVT8I8Rp46RjuFd/amEM
SzmVgwmecQuo5c468CMh4yXpHFUi5EovS9GeYGerFbs eAhc4PVY/3ZjwiNihO9Yqa/au6ebkXmqbK4Zehf/FxQ
-> ssh-ed25519 6AT2/g HRkU3oRZwF826qweInLFI6+3rrOdsVhDJWoYdmuuWHQ -> ssh-ed25519 G2eSCQ ann2y2LP2fIHtQRLtpLow/g2yTmcEYpUrbc0N69iJxI
OCoS/Ody/GzMr2TFXDf3VXUwE0gCu/cHFl+AHcnU6i0 N1VAHkPjzxA5Vf9lKY5o7SWFy1kxlv78LSDcRt/MxaU
-> ssh-ed25519 yHDAQw TxlUhpGkdVzkBa51kUb4ry5oibol/QD+VPj0h4XOhWc -> ssh-ed25519 6AT2/g uQhLUtHpvNoLBUs0zvdMeGTtXQH8gHzNiRfDq1x/3yA
48aqzpCdhR2rYltDlpsq8FdnCAOaRZ+t8RdIFsWjHjk rhSm2KQw3k/nhrm2UmCWJ1oBcmYwP1S8hAY5xUALY5U
-> ssh-ed25519 VyYH/Q ctWC4UZPhsQngMldM97HwJuvQKMuJm5ANSs3bSIjJFg -> ssh-ed25519 yHDAQw qO/7smo6DZpW4/dBvkorYBYSGBdemDe7UrdSXDjb8zk
evx82bQ4zeuFDRunameiCgn5UjwhAPa46w7KHQkjVe8 xkRizpKMEbD0X3BsdSfc5DgjYG1IQLKJuQjLLSwPnzU
-> ssh-ed25519 hPp1nw oKSXL61Cjahb3BHYybXWFZ5eQyzGtjG0arMU8xWpABo -> ssh-ed25519 hPp1nw +Y+MeoeD58k8uedCeD2RbRyGlcLYEgNc2PC0Hr7MuTY
1KvSvzZoLMuAR9+ekO8hjE2yOqZgRtEghD6pSgfOi44 B3wQcio9YW1Vl6reg6APLKDbizQDxWY32CkXbuzyyt4
-> ssh-ed25519 CRfjsA /lA/ylPuiOtKXYQynlwDoMiZknOf/BCR9UUJqxZTQiE -> ssh-ed25519 CRfjsA 6KxnAOe2pmjfwTiQZe8zHaeNJApPYdCCFK1OlFaE61A
yGVXz5L3UxxNN2z2mx51o/GGb3Q02z3ZDm3JrP2/3/g 9psQfGIFCSjSYw0AKpKRFZ5qIYFOvq3FvHFyVRa/zbI
-> ssh-ed25519 vwVIvQ bgVIF75qEP72heamHRLHB+21R9NTQ1tBbbYVcAXVWn0 -> ssh-ed25519 vwVIvQ Zghw7uz/yR4dgsFhbeXfPvk1HmSaXV6CcRD6GlHeiGI
brIkrynLCEDIEwYe86w9auMkpZKgDNPs1JIUYdP3eQE KTM1Xu01FBcsmhJVeB6VGhMqHpnpLNmvWVBxV0+JW5Y
-> ssh-ed25519 fBrw3g AWnifShqHcTU/eUuLQvuexV9KVWIssqkXz6SzvIrgDc -> ssh-ed25519 fBrw3g h+wmH368BHkFp5Mu3PnbZFjyMVRBNcwU4hloIaZEaGo
tbAY5ZgkiolGeZsSmFqahBARhXkiur2DuXhY0xLAcYw TKPz2C3yF2wBsiT8/WhbKEg792PLcQ3YN5UWcxJnwtE
-> ssh-ed25519 S5xQfg Bdl1p1oV/YXfIIYfWJpghpxW0iyVdBHoFExbODeRAEA -> ssh-ed25519 S5xQfg YZcNHfVDJ0GRF+IpLVSxOeBOSoDhDhdL7r2npRYcuEg
3NOolEtebZWathrLTUYx8xj0Lox2AA15pPGFHAJLoLs mPfQ+m3SGGnGO32oA917AfosSnXGqHRDdMfIypK+UOw
-> ssh-ed25519 XPxfUQ b9EHQK/9OnEDTRAlpW02LM2aCb6o2EY5yi3QI5bmyHI -> ssh-ed25519 XPxfUQ jsXVjpItFnuJiaeYIaYKsJFusASry67LiqDW3n5+QSg
xChQko2D2OhElau65jID1OpLlsSF7K80zxIb5m7l+VI 0KzbBSbRrq6JrpWEyTbs41b4gUUiKeZzWI3rBaa/AdM
-> ssh-ed25519 SpD5mg KnEt9/djsQISjA3foA2ZQzPdyWTg9jXnROLQo9vG6Ec -> ssh-ed25519 SpD5mg 873X6UIo87svyS+jhQGjILcVy+RjtsKwJfDyj6gmF3I
qq3t1LPxKYQLuZQdD+Dv/OsxTJHhO/0Qe6wFNXJFIEU KNHCRKZ5NhJbNmrhWehpUXEv6jBGeJkRxCi9+/bgouA
-> ssh-ed25519 Kk8sng vMGJcs3ihnJ35jqfC7gpcr42wcRoOvk5+PbLF2BokWo -> ssh-ed25519 Kk8sng /ItiKGK46Wia6VSKa2AtEPj+PqpDtWxBhea4s3mqOVo
rR9PrXl+aSQhyx0DYl0mSbrSbAe1+Q8JbHfitwfOlOM OPclxoc2MygKYJtahVbLfE72X4s4yVil4dugeSF/3DU
-> )!'e>x-grease )w;#| HUZG$ lzX;qm0 -> U(/M3X-grease Jh[D'
JAhpSw3t1WV3CFI/YTh3GPjMjGg3HRXqJH+jtwa7LjpTymLsQsC4spxLugccRSL8 z6L8qVMUmuElYKbQViqc6tecJic8gho79RaMilbwp7uS+owmgqNMUFxv9+8bbtYY
1P6SN9WEL5lmoyf+wSirBayoYsdduG7NtGJW wC+YIigf5xAKlwcOipCJ7xv3jlqt8yUFWV8hg3J0GRbkWnhFYdWGXHnPtomPFtE
--- UCMko0rEs8lHjZnQSJJJBrRAgJjfCDfKHTFNlsHi5SQ --- bD5IgVE3GQSnej0FLxh1nGD2q2/fuhqRL2yYw+2KMek
Žì÷ôG%)—½íŽ™U(Û(<ÅÚó‹BÒZŽÄ?­îàêü6+£• ·)ˆ7&ªð„Ñ_¾â%!2aâýÍݱQ
ÿ6hêlÑ )Í0ß}*ÌmìO(¿l8^"È‘Ì‘ù<H¡Žqr¶²û³!r<0F>ÌXóÖ˜ºxó:FF£¹áÉó§‚#.Ž™Ú"[Š9çZ„°
C¾ÜÊ62¥-'™ÛX$S

17
secrets/secrets.nix
View File

@@ -5,13 +5,18 @@ let
all = users ++ systems; all = users ++ systems;
in in
{ {
"email-pw.age".publicKeys = all;
"iodine.age".publicKeys = all;
"nextcloud-pw.age".publicKeys = all;
"pia-login.conf".publicKeys = all;
"sasl_relay_passwd.age".publicKeys = all;
"searx.age".publicKeys = all; "searx.age".publicKeys = all;
"smb-secrets.age".publicKeys = all; "pia-login.conf".publicKeys = all;
"peertube-init.age".publicKeys = all;
"peertube-db-pw.age".publicKeys = all;
"peertube-redis-pw.age".publicKeys = all;
"peertube-smtp.age".publicKeys = all;
"email-pw.age".publicKeys = all;
"nextcloud-pw.age".publicKeys = all;
"iodine.age".publicKeys = all;
"spotifyd.age".publicKeys = all; "spotifyd.age".publicKeys = all;
"wolframalpha.age".publicKeys = all; "wolframalpha.age".publicKeys = all;
"cloudflared-navidrome.json.age".publicKeys = all;
"smb-secrets.age".publicKeys = all;
"sasl_relay_passwd.age".publicKeys = all;
} }

74
secrets/smb-secrets.age
View File

@@ -1,38 +1,38 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 xoAm7w Y5MLu+HhgDeKPDSyg5vzGIw7jpOkCbkuW07QjqLicjM -> ssh-ed25519 xoAm7w Kg7UClnYqMV4+rPfZsUFgHyXUFfD9ZY2miGwr0m+NWc
XDsAENs5+79A5f24nXNCwY8RM5Ac9jypxCip5EYG34Q SCfg3UYlGpUJreLgdkKUVru7Gqvh7AfmJLRoI+Jwmdo
-> ssh-ed25519 mbw8xA 4ESXjbxaKpfnCYTN+/a/y91jyrhoWyD3lppboLuF2ws -> ssh-ed25519 mbw8xA LeqtlUz7egt8G5z8Ca69GUM9Jgt7HMiqPxO/YN0rwR4
tc5m9m4/mF/KUvy3QAqf/Wr7qFYGPgACNgu8vHqYl6k ILPsmKmjrc2m0kFMhpY2ebVXTsTRUiQMookDindWrig
-> ssh-ed25519 2a2Yhw MwU09hKahVJ5QQhcz6F0NJm/3J0JSdNMvL19Uh8Oc2s -> ssh-ed25519 N240Tg G6vylAd18eW8zdF+vReXY7fTfdYseWY//4/ElWDMxXo
EVJ/POUeJ4ybwC9IIzkNzwnGp4PkO4Zn6P007Y00iKw a1BWR4URSMmHV8Z48aChmVQAlfSfNn0S66WOG0uxNc0
-> ssh-ed25519 dMQYog IZltBF7HETAKqvxTjkBtRpLLbmrGfk7s1I88gZedkB4 -> ssh-ed25519 2a2Yhw XXZOpsj9uhKDzh6rnSWOj3HWeohsm3LvPw0RTR3zLkI
K3iu+GfLMnd5PE2XTkDNRcOYWpVQ7uhCx29J3vTMUIM 9U5oc+gWXmK5r4mLZueFBnkyal88lNbFNlzRcT77Zyo
-> ssh-ed25519 G2eSCQ zBk6wQ4TMoxIS4QBtAphyTyCAFbZ/wNYQqBkps/X/TU -> ssh-ed25519 dMQYog m+Tm6nn0yVLiPPua1K7v2ToXg4JzRouarE63L/sh4kk
W+5tTl1P4m93taLUrSljvEdYeob88wgAzrjW8N0flkc SZ7HXZ2wteV6mxJ2bdMOenMO3clsL7nRyAkDAJomODQ
-> ssh-ed25519 6AT2/g 5mX5s28Y8Z1XlpWUHjyi1sqLL4eytYC4MP2r1Oe8xmM -> ssh-ed25519 G2eSCQ sFl1qmmOPtEypFvjZStXITKedfQV45B2MDk90Bcb3hI
pfvf78ZSok4qTq07vQzPl5G0YmsshBZvizwEdaywXAY fetONY50e4lApLBWTABlDrV7iG0EdQl4sJE276LNz+0
-> ssh-ed25519 yHDAQw qVbOBU732m24b1z7L6FbkQ60Lz1/Nxsflo1QwmNKyk4 -> ssh-ed25519 6AT2/g eL7ilpjXlLTIEqgOoX5jlDapUZjipe4ssmgFdaWGfQU
b26BFy5h0khO6a4wRg3hB2Bkxzh9qssm5JOxWSgwCPI 5JOCPit0JyCuHQk9JUqPUbk1l1YJcPfeFYqZLrlA2+4
-> ssh-ed25519 VyYH/Q Q58vyR9AeGSbrh/tVi304IRWv6PFSGRkYbafP6C0IXE -> ssh-ed25519 yHDAQw OL1GcsvJ1xxiGLqnkVVCMdwZTd1lSsxMV/ERkGlKqDU
4v8XAdt3/shftljWDAloEUK8jbhXz8g19i6jYqPanOM gDiwmUUDPBoYE5uKmxUkfQXV95bAnTghmnE4URjEAC0
-> ssh-ed25519 hPp1nw nMT+3ux5DZTEttaQDSGR4TFqMjJOnpmw6VuYmYew41A -> ssh-ed25519 hPp1nw Qq52IpfX5qtzg7E9ruK4qI3W0tyXTnm5ntITOzZ4r3M
pQmpkCPJ7tLusjS5kIgqcujeTjiKf53IpUVv1LrmlZE QhTA1V4vN9qMKhIcmNKIOBYnggPP4FfbIkXR+00jJMY
-> ssh-ed25519 CRfjsA btyR2YFxYAuBRtNKL3HxPEK4BzYptB5BJ1Et/OOA8Cc -> ssh-ed25519 CRfjsA EtorS2Ba+6E4grspQXhDFiXSOxGsnNSQbkSpv+NkGkc
pT7HayclLxdcCbmfA8Rm3EvXFin13koKKgKYX5D6zd8 Oz6xPjiHUJI/md01GxNLA9O52V/inIeaEi0wGe/T2QE
-> ssh-ed25519 vwVIvQ Pf2x6AjYZvotGoZHRv2YgLlySxT5MIbgKpo/iKD0cjA -> ssh-ed25519 vwVIvQ yzWaeWjer2QysLCpcpiEGuUSX/JEf+CVOLEbV4cdwG4
W4mubpJM7n+rh1U+7220Obhgx2PiCLSmlRB7c8g94Kg 00vNjH+LFNjGGFrJmJtpLGKZTnEtFDW94sDIeNeklbk
-> ssh-ed25519 fBrw3g aWphvCv0R/42EkyQgbtmrZ3c0+d8Yj+fd3W4BHBrt1I -> ssh-ed25519 fBrw3g PJqw2w4s10ncE5q95Srxc49S3UfiZpDskoCHLsYE8wo
unRlUKNZHLdUXpTnMYOKt2r6Ku3IFFN0Qt2KfEzBXRo SMpvtbRNMdGi3+VENOVziLt2U6kg4djaJwY9QN7qm+A
-> ssh-ed25519 S5xQfg 4EwsQL2IgpSrucGFE9ycyS4/82vfLKgIR7jtfyK9RQs -> ssh-ed25519 S5xQfg QCkCr+gN488FKCu+TlhJ6HUbFxqdkwSaUYxgnJ66zl8
2ytPuFQd0mDPIN7d+k2FlN7fHnKNPJU2Wf04DM2sOGM XhMSuZ/HOlXJmWRVrQjMY80IKxvrnNHh6eR6N2vSKeQ
-> ssh-ed25519 XPxfUQ cV3abyNYwf8ddo7QTKG/jlLrtMc2EhTlBjvj/3BO7h0 -> ssh-ed25519 XPxfUQ k8Pp9ZlRAWZRXOQ9URro05DRIViGfs2DhXTrMTZyvgA
DLzsdjDvWuiwSQd4tB2TTlVozXc9X3UZY4C1kptpl0g B7lvmKy5Dqw5qzLwnQEX1163NW0t6vYHPgTmqKE/2+4
-> ssh-ed25519 SpD5mg CuXwDlnSjnGrSK2RJmgNFxjTKWdZEVR5wSTYHbjDu3U -> ssh-ed25519 SpD5mg Y/Cg1GVTBo1r66Oj/bFN0uDWLfM2rIAAGRP0qu0tfRo
qGYlRJe0x2NvC9gi4IO1907NF2sY3M+3nrsYY9F/6Eo Rr+7yR2uf170A2pUylEwUthC0XGIXin51DK9JS8K0xY
-> ssh-ed25519 Kk8sng 8+lugR1z3j5TDFCv+eNDsVY0iD9RSBqE1uZw9xkL1w8 -> ssh-ed25519 Kk8sng r//SXYT5xxLXwoDsWhFwaoLzhT8fdbXX3HShmS4SMX0
Ey+Y8TSfRnnKUrlT8z1AGs6Ze5P3vylWtH//QENLq7k DrcuiBS+JLkzgsYumxvnsnKkrzFYkNPRJZOegj+0Q1c
-> e;){a}-grease mxF{/I -> X6%3Q-grease l? n?e
ij3j1VjVrATiBw j/l9N+hzs80iS5YZrx8mrrIIb/+y82YM4lb1a0aBOCUMsK0IHbtnPjZbVfOmO55W
--- U4dnDq0KmjHdJFRBc85V2AjVPkBlTylAI6gnqrPL5Aw +yFtp3gXw1Fnffbircs8YnYpq5vdpEABGazjSg
‘ÅÌËôõ-lN®p>YxwƳ”ÉDÒŽ¸r¬÷ùŸ Vç+oV=€ËùŸâ¿n9ßu¼|Xb]×Ϻ‚ÖaØ(M_® ¾Ä׋ --- o3H9hWurbhlvoOR4Ulmpt/hdPk+C/OR79T0YqvoXRR0
ƒm4yå@7Fs0V4÷Tö‰XÀºþžõ½Å"±cM ؆(ÚÙ0Ý íw¨WMæ‘@jO…°}2 mêNßnÙ³g«å„?¤gò³ª³†“rºB\ ï½ãØ

75
secrets/spotifyd.age
View File

@@ -1,39 +1,38 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 xoAm7w kuMA8ICWwTmJRc1yL93aZaZV19JIuPqGxjxKFuVpJUg -> ssh-ed25519 xoAm7w F1C6i9iOvzUf6pS7eBfcsRFRn4q2YE7htxCqiLvasw0
2mT/VTjvxolyhJm5JbkwrPrsuuUjGzqym9M/rcxUkSI viF83MLadEfum6wQWgbl/h0l65+jAtBszhevVS4jh4k
-> ssh-ed25519 mbw8xA gFKcwWHvFNXa2ohvZGo2rwHXhAghdc0dWmC8nQFHEzc -> ssh-ed25519 mbw8xA Ec2wju2txmmCHuVNDWdLQkfUNY7/okY2koAz6Jur53o
cCeCLBYa6MbD51gsqVvJCc9tQYMTu8WjNi4E16WjBBM JLmlpd43QO/LPvS0TW9eKh6f5zZmbVDWjYn44J5ZqMo
-> ssh-ed25519 2a2Yhw Ni01ZgIQWBcHK/tPas9XWhHvBKpusGVWT+VLoRaycmU -> ssh-ed25519 N240Tg 1bl9Y+I3XGx7RiY8078wEMdaAishvW84nMrprt8jjVU
FJE6jpgnvjMk7JtRNCie59qnbEC8uVWUqOOFM6yuRXk 4lXtc1rGouF1DoTohQnSEMvNwRZaaenimEFypsfxajM
-> ssh-ed25519 dMQYog Ux82p5oapnhQ48v5YC7LtUgTkh0z4heN2wIZ4zdkBHc -> ssh-ed25519 2a2Yhw SDknhtgjNgNy3ktoNNvLie3OdO8bKhWW5P4s73OtLk8
617zDYbNTKqtYrR9A8G7KHOiTvu7gM1KTheDENb0Mbo Ihl/yNw35f2CgcZX6KHRXUTpAHp6aAQR/7oeU+gq3V4
-> ssh-ed25519 G2eSCQ DXiNCQrPLznpFlNWjAw8AGE7N+2S+bZEPq2pxw7tYQc -> ssh-ed25519 dMQYog dME46DZmwFnKBKlmx5AZEoaVipBmpuz66RXPQfFoXSY
O/cqBzb901Ig+7ve5LMNM9w8TKPlR9AOMJaNrZ5F3hw eAzeaSpIL5KPQADGEeuX/bkQ014L8MeTQF2fapO2N/w
-> ssh-ed25519 6AT2/g IKSN6LZpelB1Qa0WxPpGWQ2BLWK71r9J8cqB7XIfMAg -> ssh-ed25519 G2eSCQ 8/xTD9nSXyAeZwBEdJgLcOembBwnMOgWX3jR4N2sXC8
8HRo/7Wuui5imZ9rr67LlYdAO1mS13HqUv+jrSeLiOA 0BmY7u5TEcIEza2PZIJEamV2dfC0sDeVl0UXECBwDlc
-> ssh-ed25519 yHDAQw ax0q3ja7Q70+sGUZNdvyUkA0bRZYiNV5nvVhnTtcezo -> ssh-ed25519 6AT2/g xSdH52Oq0TOg0D76WlDVSY5kJb0hMAWoM3XVyMtAeWk
GWps1K/7Lf4sBBo+rQCVT42NpJXdF9h+G2vB8/bTPOk 0p2AHJDa9XK6C2g8AM/g7cWdR5DGLk6SoUL3Nah2G1M
-> ssh-ed25519 VyYH/Q 0bzf+qa/YkcMdfFwn53X/nINPkatTGpJj+fs8/kvOB0 -> ssh-ed25519 yHDAQw mQBHUkvKf+Na8pCfl2Vb7+sKLmKth0lbxDFEcTtH/ng
yu+xVqTTjbQAv8d8Tx814GrP6C4G2Ivikl1yb3kQUA4 JDPxV93vE8mKJtDp/MewHA0F78rW/0ZPYUQKkdNUivs
-> ssh-ed25519 hPp1nw SDKk2Cwoya2DmFlTNymeoyDCtiOxrr93F4ZpVXKQwxE -> ssh-ed25519 hPp1nw htVxNW9zp7J38WN06jfEX417xtXt50iMTRUtrzLRO2k
0HwqXkVqE0mPiGenC8H6MTa2ElidAamGXLP3VZaB23I iTHjoS5eWNiQxIWtuylkqXlO8E+Dx/2CkENs16lZqhQ
-> ssh-ed25519 CRfjsA +PqVqX6J1ZhcfjlEBg9hJpDeYQEeCbJifYzC4iVpzBM -> ssh-ed25519 CRfjsA Dqs/SAfRhgszI9pz4yZHyVp0iqPg1ssspX6ZW2QTv10
8aOqAQvJIxTcUfxW0QVYJFHpMO0aSUxbF6z4wEo1Y+g tA7NQXpPtJQ4mHjTDr4pTt9jrqDkMJZGMLVazOenMbs
-> ssh-ed25519 vwVIvQ r4wRXXLTg8RpDq4gjWZGuFp9NH33kekLIu4NUvtjoH0 -> ssh-ed25519 vwVIvQ oNmVe26rEpI7nNGlI5G7Er9fu7blpHNE6NOeGkoR/TM
2FFFi1HMKgqFYZltig76rSL9zHst5rE1/2zltjk/gmo vAL2gsM9NatGQpnNIh8XpCP+o9KoOnuLVt9e8+Kymcw
-> ssh-ed25519 fBrw3g fdCixr2OJQDSJJXcNeGwKbaM22Uj3669/GAZxVNVhEs -> ssh-ed25519 fBrw3g 7GVBA1eUhgxGfiiKirK/i5JUbehOJVgmc2H/tgQ+A1s
/bIa/EtjEHgAsMsSrGnqJ+owKlZ6WlG2yHcr7tAPpF8 n3i9gtNt4aRT4EOk8C94lGmXNN538HNOqo8uCmxZz6o
-> ssh-ed25519 S5xQfg 0jb5owsvZa1tApkTRo6Ai9+MiJaWHM09SmffDS6q1R8 -> ssh-ed25519 S5xQfg 2KQLClmvqWMuJDOSAkzcpJkRTJgV6ig5Cq22RcCixWA
zsfdzGq1HxQtvWgjBwac0BWzoZ81/9mOh3bwLHQ7eZE zYULXTJL5o5uZxxi/fOCrocxZooH3KarUj8vUDkfWn8
-> ssh-ed25519 XPxfUQ Tcaed1l2jarovJJcQcF3aH0oRTHG3+CjRC8nReQMphQ -> ssh-ed25519 XPxfUQ z0v4A6O509NqQgbKFzZrY2WL1ATc9SCYckbtqaSOdk0
aKPAQekq1S2ENodDJ+X9tURYHC5UeYX6IkAiZAwq/2s PbDNvSWw4QEGLUzhp8IrX0oMDJzWjeemuEDZ02YlClo
-> ssh-ed25519 SpD5mg CI+doikC251HbDmvWkmxMPPuCxs7DhCs5djaV/yK8Q4 -> ssh-ed25519 SpD5mg +A6LavFPjRHuTyk0MTZ6zmJf+CIMX69fT/HI6/0RJWI
j9mNZ9jOKyC/FoGMl4mSfLUF9jQcxoapUZ7AzJLVaC4 CVgJC3y/H7MHUCMR5s77oPWA56oIEpj+7MZH+Qw/LTU
-> ssh-ed25519 Kk8sng tfmmLUnB6P00bnx8oi05hkz1YsumbW3po5TLrUY9UHs -> ssh-ed25519 Kk8sng 4Re6/B65/TMi45/fZh7zl7dAzH4MnCnHqca1Otpaa2o
yh4L1HpuA9QHAl1o3KaMLuPNxcoHrd9xT24BSQB0gHI zJAlQ96vODytPwtwPSxEEi8hn052vCGcPUxECyU9Ivo
-> E^;,0J-grease @1%uq:\ -> V1&(!o4J-grease I)F/
rsHU3TVrPPYHVgxVVSD69DWk1ms+dBCh2/ET8h7lIz2xrDqQf8bx+oJriPv+78Qb AQ7tCx9XyVd3QDf9Tadcz8QIOJ3bgj4kDh8YuwATAmF7M9DPAlQiW5qkkvaALloG
bjoq88amMcGrJKSoNrcRxYqj7OGw4SQk2gfzotxF57BdoLSeRNboLwv8DTSJpPLt KwwV
m1o --- VnZ2JJVPKnr8hDMqsZidpehwkLY9W2UmF40/5Khu7rg
--- KNvXo+zbpLVsT8S8XMPRoCjjz55fW3d97axYONHvs0U „;»­ 晣,‘ΧÂ<C2A7>òHµˆ¿ˆ±>ê¬?þL¬Üiv?PËwùìŒímW£­3„^¯{^ÂÆ«"ýçMÈ[…P¤$­Ràüú…£ÄŽýÓ6LÍ Ï
ýüGrsT­RrÒß …eG­r݆¹02bé:|òmj{øqÂØD~<7E>þP35)Ü£^í´ÞH´(\rV6VŽIΞ »Ì5wL!㣭ó!«|Iañ¾\

74
secrets/wolframalpha.age
View File

@@ -1,38 +1,38 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 xoAm7w HClJLz2DJRlS7owQ8Wu6lkOWBZY2t4tL3m4Xd1wf6Ts -> ssh-ed25519 xoAm7w QDzXkxhczV+ZUvEHmN1Uf7xWaEDSugv2dcisOakVPEc
T/SjmYmVs4x74n/Q3fFQujyeDTaSMatIDK67N3uo6H8 +k9M+R98OqsfIROOedql7ksLCtejx5uzFXigxB1Dhzs
-> ssh-ed25519 mbw8xA JFGWHAkip5tKBG9ett2/Y0Dr2wsiStKve0mpZVJN/gE -> ssh-ed25519 mbw8xA ERuMyLhLVrNwmr1wS9h0ssZYayCn0Hc1dhu3zBKzDF0
lwTtXrW+0N5SYkllt6KAQs82KLa7YH/godphEWkhgdw pz2rEMX3MtxtVOTuEyO5K9ZE5s0C+2JL7lNE5BdUsRo
-> ssh-ed25519 2a2Yhw blLit/oIYe10zPJOu0QOKUd7NHAS3NvSSd0DMvrqiGM -> ssh-ed25519 N240Tg kHC1Wn8T3aUpWd4yK0+GJo+SDBXrVmTSrNz/Z+3kfGs
VlC0shqH1HgAR5EokdgKtWDOAS4tL5C1YKgCJ6kAeCA sg6A3DgaQev5ZezJeSNAR7+G4MS1rdwHd/6u1H5+0us
-> ssh-ed25519 dMQYog s5CZNbbI00B74zlzP6jNaw6l/YKDbLgTJPQpRlXRfSg -> ssh-ed25519 2a2Yhw 64vHNVi/UCK1aCBFu+BnSyy42DHZIFeiDekfnQeDlHE
NQohEMrbchdS433sw3MKRH/8lryh6j4VZFBvjW1qmc0 19On29XUAiUsTmlqxrY8PQGderv7VzBO4a10jT5aZwY
-> ssh-ed25519 G2eSCQ PbfTCAk1+DJhW7F+26xvaSZlhpIAtfIAvqm9Xfi9xGE -> ssh-ed25519 dMQYog EHtR1wf5/2aWvGwkD4EBOECctp2zs2RjAUOKcncjUSI
CbVJJl6zzm2857A5oDhF8Z4Vtq0felJ7j96Tc3aN9eI s7dfQHaLjO6Hor6xXpx8h5hox3OQA4mPRGt8ewr0jQM
-> ssh-ed25519 6AT2/g A2B3VdkSf88kbSQKCSfaAR6bUREanrTyKLiZhVP3ugM -> ssh-ed25519 G2eSCQ 4L9zIv4aApkZgFneUjVm2esXp4DJYVzm94LA2sS0Qkc
Z8FvbHNpGMh6Wsaxu44MAUhSFOv8UIRFTugyrtvXr9Q +iDy2G82PX6yuIyn7zITzp/jvBX2P25u26n/NuGdjVM
-> ssh-ed25519 yHDAQw LZPhYf49feALAiKTT2oiM61BgcRfrXTKal+zhjLoMxA -> ssh-ed25519 6AT2/g HyH+8r/SZUXilmITIsFVyr2t6rCJK9scP9TR2/rO+1M
Qi7Eu6Rq7LjNvhwgN1Cy5/B+VCOLvOdkH5jWsXGvydc 0Hkx2o3wlq7nj6fRSL3QNtrxKFxYlfhg7CwsyQDjIo8
-> ssh-ed25519 VyYH/Q s2gMTJIyJZkWXeVX+kv/bUpNKqN3Zt5FpVR1bfOb+zg -> ssh-ed25519 yHDAQw vZlwV2QvrzG1Xu4XZt4Yi5aDQ8qmPQnadCJtHdtTSlc
Ho1k4VljmGXcpr4NGo7RkKhjrxnckMGL3GzDMK1U0NE 4NscOK2mu+P+vrZ8FIbIYhQ/97DPo5vgsl0jnlZM0gY
-> ssh-ed25519 hPp1nw dg3SZjzCIzJU2Ef68SOwXmZE0Efg9MaE1J6+JKgW9xQ -> ssh-ed25519 hPp1nw YWRekiOxwuK8eAGehbBfOzW7Rmw95V+A/XD4rmFxS3Y
8/hJdKcQAcvDtarn8u7W0tKblu02thOylJ+zThWlpic sd+q4ya9k/KE06GYGFV2O9P3O77aZcJl05tAvY6W1s8
-> ssh-ed25519 CRfjsA FIF0LZf60q7MExEDJi0UMODKi3Q0c39c26fFUE9tHDc -> ssh-ed25519 CRfjsA LfIzQhaql9b4EAotyVrvKBV1AhlMVcRarA49q7+rQXc
TIdABrVJ6FmbqfhWbz3+6xZtyRJAehas83JmBFEoVfU v4WddjXusd/m/s/T7E+wdKm9tDR3rGj6CNE3AdVrDb8
-> ssh-ed25519 vwVIvQ uXexIx8K6/AOpX0P2JSZP27mo7Iq7kePt54m0B/83Wc -> ssh-ed25519 vwVIvQ 53S5tWgmlVnKIHonBAmvxbv+w0j9b65NdyWvwlvgZWg
sakOup9vuUx4/52FltGPHOT1SUG7nIIUbhTlev0Tg+4 xa+z7MYrJHCgILtG/3Yw1OKH1/YKvuVG2jabnv3gSoA
-> ssh-ed25519 fBrw3g YoekhSoktfoGXc/soCDSSvOV6Y1SMOwsahtxeOkPgj0 -> ssh-ed25519 fBrw3g GsaGAXiMo4WhEZTQPgr761gAiQHmHPSwdWF0t910+DI
YD0/HFmw/rJ5h8p0+IF9rfL+PLe7lwvwIV4tp6cb1AY dmZGcEghoXi7giaxC/1UVJVAtyY5hcknUBxr0wQ4RBk
-> ssh-ed25519 S5xQfg pmm6X5Tl94OTiz9oWoTvfggF4UAOcCUNATbLbTHUg2s -> ssh-ed25519 S5xQfg wgkQBHQi8xY4++/quS4ZJWb9PPpg6b0KZpSwypdS7HY
tFA3SJGfTDi2FhV4JBKWz1/p7SAHtPaQ+dvSmI6edLU +1yatx5SUanPC04jJMVVILHAwdtg2r9Bd+sj9728BnY
-> ssh-ed25519 XPxfUQ XW93ctvokekrrlNySXSl0b6TFAosf0zBxmT4dc7Ybkk -> ssh-ed25519 XPxfUQ Hj2e1U4udGkp04dSdTSsaaJPIQ7gB1bwralXazBzpVM
chKtenAqQ2tavjBzDxVyi6OwYp6oKW2Cf6g9YxEYqYU LPOMpbX+ndXRkQlR3GKKpwSd5zOT03j5bII8btjY52o
-> ssh-ed25519 SpD5mg me2egMTBnAAwko5Hk+6rtjl7DwcGJsWpiiHFaTG8cgA -> ssh-ed25519 SpD5mg ++/8/U9XQKg6L3SHej+mvXeZYrvoWhiwmcurC3V0aTU
h6Kzkc/jRlNE2p+CeAMLTMzLGrm0bSQEKJj4yQcQ2Eg qR3nTcugxtBgDhcbZpCe0/NUavbzV6tFJZKv3IopAO4
-> ssh-ed25519 Kk8sng BEeiCUQ9QWlYscSHtvQKrYPl+/G1BCfJn13J17QTWmo -> ssh-ed25519 Kk8sng /bL56jng2lp0INyIDqUAX5L8mFmKxCBeHFWPUW6gE0U
3xd4hNsMGmhAg2d8jvsJ3/rVOvIooYMMOgpn9N3t3EM 4v+jq2N6RIQAh0VRrBZkMjSQW6L+LYcAfYUBvfTM+Jw
-> _'bSoQ-grease uFb7xPe, S K.f; Y7i"cG -> ";etw{[s-grease E;mh^R$ c8
D1xxRIgIslR33p/N+cnKEqSGP7iCgVS2pS8DZtGgAz3DzSUf7a1+OF4uRPOz3juH ossMGyq0gpvz9PjjLBWD+QHRKKhzY6/9Kj4b0M7YdP0OgMdpr5QlA7UIDhiGQQBL
b790V0/2CzNGwSbd dbt0YyLxbAdhqG7S3lLeedQmvzv/oIyhmV0jsTB79W1l/27FujvPRWYf
--- hNoZqGbHUS8/YCysJPb8fV7RwGv8AViuQXbI5n1aPJc --- pYjss6AEPZn0PG7FmO6bGq1O+k1IFGzoxsitB4qgotY
+¸o…˜•Kui/ψü´²0j!÷œ¯Ð—þâA&½8[èƒsd0þrê@ö1SÙõ ÌÐçJöÇ<10>>Z`´ <0C>b%RW^óºñ–&<26>·ª ­-4¥ðè¬ÙÚW…á