From e2014034bbf9b266283902f97fbcc6a6d66e3c63 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nikodem=20Rabuli=C5=84ski?= Date: Tue, 17 Dec 2024 22:18:04 +0100 Subject: [PATCH 01/21] hosts/youko: init --- hosts/default.nix | 1 + hosts/youko/default.nix | 26 ++++++++++++++++++ hosts/youko/disks.nix | 58 ++++++++++++++++++++++++++++++++++++++++ hosts/youko/hardware.nix | 19 +++++++++++++ 4 files changed, 104 insertions(+) create mode 100644 hosts/youko/default.nix create mode 100644 hosts/youko/disks.nix create mode 100644 hosts/youko/hardware.nix diff --git a/hosts/default.nix b/hosts/default.nix index a245e1c..03d464d 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -14,6 +14,7 @@ # ./installer ./ude ./kogata + ./youko ]; builders = diff --git a/hosts/youko/default.nix b/hosts/youko/default.nix new file mode 100644 index 0000000..d708d8a --- /dev/null +++ b/hosts/youko/default.nix @@ -0,0 +1,26 @@ +{ + configurations.nixos.youko = { + imports = [ + ./disks.nix + ./hardware.nix + ]; + + nixpkgs.hostPlatform = "x86_64-linux"; + + boot = { + loader.systemd-boot.enable = true; + loader.efi.canTouchEfiVariables = true; + }; + + networking.networkmanager.enable = true; + + settei.user.config = + { lib, ... }: + { + programs.git.signing = lib.mkForce { + key = null; + signByDefault = false; + }; + }; + }; +} diff --git a/hosts/youko/disks.nix b/hosts/youko/disks.nix new file mode 100644 index 0000000..3156235 --- /dev/null +++ b/hosts/youko/disks.nix 
@@ -0,0 +1,58 @@
+{
+ disko.devices.disk.main = {
+ type = "disk";
+ device = "/dev/nvme0n1";
+ content = {
+ type = "gpt";
+ partitions = {
+ esp = {
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "umask=0077" ];
+ };
+ };
+ luks = {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "crypted";
+ settings.allowDiscards = true;
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-f" ];
+ subvolumes =
+ let
+ mountOptions = [
+ "noatime"
+ "compress=zstd"
+ ];
+ in
+ {
+ "/root" = {
+ inherit mountOptions;
+ mountpoint = "/";
+ };
+ "/home" = {
+ inherit mountOptions;
+ mountpoint = "/home";
+ };
+ "/nix" = {
+ inherit mountOptions;
+ mountpoint = "/nix";
+ };
+ "/swap" = {
+ mountpoint = "/.swapvol";
+ swap.swapfile.size = "16G";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/youko/hardware.nix b/hosts/youko/hardware.nix
new file mode 100644
index 0000000..2160bd9
--- /dev/null
+++ b/hosts/youko/hardware.nix
@@ -0,0 +1,19 @@
+{
+ boot = {
+ initrd.availableKernelModules = [
+ "nvme"
+ "xhci_pci"
+ "ahci"
+ "usb_storage"
+ "usbhid"
+ "sd_mod"
+ ];
+ kernelModules = [
+ "kvm-amd"
+ "i2c-dev"
+ ];
+ };
+
+ services.smartd.enable = true;
+ hardware.cpu.amd.updateMicrocode = true;
+}
From aaa0b853f7e68b41f49be788459cdacc075b764e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nikodem=20Rabuli=C5=84ski?=
Date: Tue, 17 Dec 2024 23:11:05 +0100
Subject: [PATCH 02/21] hosts/youko: add youko ssh keys, set user password
---
 assets/ssh.nix | 2 ++
 hosts/youko/default.nix | 38 +++++++++++++++++-------------------
 secrets/secrets.nix | 4 ++++
 secrets/youko-niko-pass.age | 7 +++++++
 4 files changed, 30 insertions(+), 21 deletions(-)
 create mode 100644 secrets/youko-niko-pass.age
diff --git a/assets/ssh.nix b/assets/ssh.nix
index fb8a04d..afdc92c 100644
--- a/assets/ssh.nix
+++ b/assets/ssh.nix
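Review bot: `settings.allowDiscards = true;` on the `luks` partition passes TRIM through dm-crypt, so the raw NVMe device reveals which blocks of the encrypted volume are unused; that is a known confidentiality trade-off and the hunk gives no sign it was chosen deliberately. If it is intended for SSD performance and wear, record that next to the option, e.g. `# allowDiscards: TRIM passthrough exposes the free-block layout of the LUKS volume; accepted for SSD perf`. `extraArgs = [ "-f" ]` also forces the btrfs format without prompting, which deserves a short comment since `device` is a fixed `/dev/nvme0n1` path rather than a stable by-id name.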
@@ -15,6 +15,7 @@ kogata = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGK7H4Z29d72HJlI69Vt0YLOyuPcn9XxYjvMZfql80z0 nikodem@rabulinski.com"; hijiri = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFXVPUBYAMn9H3efG/ldWl/ySmZV0CXleyH7E5nKf/N7 nikodem@rabulinski.com"; tsukasa = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILPKXcihNVgsStMstnZYvh+Ai+JsydX3vu4O0yhlN+zw niko@tsukasa"; + youko = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKAGBazVVFr1+beFxpC701IPz4JwdPIyFJybVVZ9kTkr niko@youko"; }; system = { @@ -25,5 +26,6 @@ kogata = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICPN/SXBcIB1WN8GIhYrQrqzFGuVkEP4o0E+x0uQ4f2l"; hijiri = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILsTkICNuUwGqrToisTViFCBoql39+DFYVZSWj7vfbXK"; tsukasa = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDKy32XGCkB0KOUm4f0ybrutfAzR7+baifM2yv5KuYV7 root@tsukasa"; + youko = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPSbIjEo28aB2TACkvLY+VRKElZEdH9qFlTTfxCrblGZ root@youko"; }; } diff --git a/hosts/youko/default.nix b/hosts/youko/default.nix index d708d8a..9372442 100644 --- a/hosts/youko/default.nix +++ b/hosts/youko/default.nix @@ -1,26 +1,22 @@ { - configurations.nixos.youko = { - imports = [ - ./disks.nix - ./hardware.nix - ]; + configurations.nixos.youko = + { config, username, ... }: + { + imports = [ + ./disks.nix + ./hardware.nix + ]; - nixpkgs.hostPlatform = "x86_64-linux"; + nixpkgs.hostPlatform = "x86_64-linux"; - boot = { - loader.systemd-boot.enable = true; - loader.efi.canTouchEfiVariables = true; - }; - - networking.networkmanager.enable = true; - - settei.user.config = - { lib, ... }: - { - programs.git.signing = lib.mkForce { - key = null; - signByDefault = false; - }; + boot = { + loader.systemd-boot.enable = true; + loader.efi.canTouchEfiVariables = true; }; - }; + + networking.networkmanager.enable = true; + + age.secrets.niko-pass.file = ../../secrets/youko-niko-pass.age; + users.users.${username}.hashedPasswordFile = config.age.secrets.niko-pass.path; + }; } 
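Review bot: `users.users.${username}.hashedPasswordFile` is only re-applied on each activation when `users.mutableUsers` is `false`; with mutable users NixOS sets the hash when the account is first created and later changes to `youko-niko-pass.age` are ignored. Nothing in this hunk shows which mode youko uses, so either add `users.mutableUsers = false;` next to it or a comment such as `# mutable users: rotate with passwd on the host, the age file is only the initial hash`. The same hunk also removes the `programs.git.signing` override added in the previous patch, which the subject line does not mention.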
diff --git a/secrets/secrets.nix b/secrets/secrets.nix index fc8ce14..239830e 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -89,4 +89,8 @@ in keys.system.ude keys.other.bootstrap ]; + "youko-niko-pass.age".publicKeys = [ + keys.system.youko + keys.other.bootstrap + ]; } diff --git a/secrets/youko-niko-pass.age b/secrets/youko-niko-pass.age new file mode 100644 index 0000000..755dffd --- /dev/null +++ b/secrets/youko-niko-pass.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 rA7dkQ ztMXNi12xb4ZTd1w6KxB6RXLzdk0b8s73aFObVcUjSc +gVE8z6agYlnMj9N2ZhudUX9BfgpiYXqwisYuYsFMCrE +-> ssh-ed25519 GKhvwg C+uqtkHl5BNPLERwVByw4oQQgXSbbxwejy2nhJRjYzs +xS/4KSywTRvgbvLeeIgvylWu5TRPTlOQiG+wsaLEZoY +--- d7crfFYKvz20fbdLgtYh+QuPrC9cFKvIrrJz+Rsl0vk +7R3d֋!bP$ѿ' e|- HR%ɼ`䑹HS@x"dY8%*AϓW#3 \ No newline at end of file From 2dc36618af5be20bd71c0c00f05907deadf3b1a1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nikodem=20Rabuli=C5=84ski?= Date: Thu, 16 Jan 2025 13:44:22 +0100 Subject: [PATCH 03/21] hosts/youko: sway --- hosts/youko/default.nix | 10 +++ hosts/youko/sway.nix | 137 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 147 insertions(+) create mode 100644 hosts/youko/sway.nix diff --git a/hosts/youko/default.nix b/hosts/youko/default.nix index 9372442..ead565c 100644 --- a/hosts/youko/default.nix +++ b/hosts/youko/default.nix @@ -5,6 +5,7 @@ imports = [ ./disks.nix ./hardware.nix + ./sway.nix ]; nixpkgs.hostPlatform = "x86_64-linux"; @@ -18,5 +19,14 @@ age.secrets.niko-pass.file = ../../secrets/youko-niko-pass.age; users.users.${username}.hashedPasswordFile = config.age.secrets.niko-pass.path; + + settei.user.config = { + settei.desktop.enable = true; + }; + + services.udisks2.enable = true; + settei.incus.enable = true; + virtualisation.podman.enable = true; + hardware.keyboard.qmk.enable = true; }; } diff --git a/hosts/youko/sway.nix b/hosts/youko/sway.nix new file mode 100644 index 0000000..9402602 --- /dev/null +++ b/hosts/youko/sway.nix 
@@ -0,0 +1,137 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+{
+ services.greetd = {
+ enable = true;
+ vt = 2;
+ settings.default_session =
+ let
+ swayWrapper = pkgs.writeShellScript "sway-wrapper" ''
+ export XCURSOR_THEME=volantes_cursors
+ exec ${lib.getExe config.programs.sway.package}
+ '';
+ in
+ {
+ command = "${lib.getExe pkgs.greetd.tuigreet} --time --cmd ${swayWrapper}";
+ user = "niko";
+ };
+ };
+
+ programs.sway = {
+ enable = true;
+ wrapperFeatures.base = true;
+ wrapperFeatures.gtk = true;
+ };
+
+ security.pam.services.swaylock = { };
+ xdg.portal.config.common.default = "*";
+
+ settei.user.config =
+ { config, ... }:
+ {
+ home.pointerCursor = {
+ name = "volantes_cursors";
+ package = pkgs.volantes-cursors;
+ };
+
+ home.packages = with pkgs; [
+ (writeShellApplication {
+ name = "lock";
+ text = ''
+ swaymsg output '*' power off
+ swaylock -c 000000
+ swaymsg output '*' power on
+ '';
+ })
+ (writeShellApplication {
+ name = "screenshot";
+ runtimeInputs = [
+ slurp
+ grim
+ wl-clipboard
+ ];
+ text = ''
+ grim -g "$(slurp)" - | \
+ wl-copy -t image/png
+ '';
+ })
+ # Bitwarden stuff, move to separate module or properly package?
+ # Maybe use some other input method?
+ (rofi-rbw.override { waylandSupport = true; })
+ rbw
+ pinentry-rofi
+ ];
+
+ wayland.windowManager.sway =
+ let
+ mod = config.wayland.windowManager.sway.config.modifier;
+ in
+ {
+ enable = true;
+ package = null;
+ config.workspaceAutoBackAndForth = true;
+ config.terminal = "wezterm";
+ config.modifier = "Mod4";
+ config.fonts.names = [ "IosevkaTerm Nerd Font" ];
+ config.keybindings = lib.mkOptionDefault {
+ "${mod}+b" = "exec rofi-rbw --selector rofi";
+ "${mod}+d" = "exec rofi -show drun";
+ "${mod}+Shift+s" = "exec screenshot";
+ };
+ config.keycodebindings = {
+ "${mod}+Shift+60" = "exec lock";
+ };
+ config.window.commands =
+ let
+ alwaysFloating = [
+ { window_role = "pop-up"; }
+ { window_role = "bubble"; }
+ { window_role = "dialog"; }
+ { window_type = "dialog"; }
+ { window_role = "task_dialog"; }
+ { window_type = "menu"; }
+ { app_id = "floating"; }
+ { app_id = "floating_update"; }
+ { class = "(?i)pinentry"; }
+ { title = "Administrator privileges required"; }
+ { title = "About Mozilla Firefox"; }
+ { window_role = "About"; }
+ {
+ app_id = "firefox";
+ title = "Library";
+ }
+ ];
+ in
+ map (criteria: {
+ inherit criteria;
+ command = "floating enable";
+ }) alwaysFloating;
+ config.input = {
+ "type:pointer" = {
+ accel_profile = "flat";
+ pointer_accel = "0.2";
+ };
+ "type:keyboard" = {
+ xkb_layout = "pl";
+ };
+ };
+ config.seat."*" = {
+ xcursor_theme = "volantes_cursors 24";
+ };
+ config.startup = [
+ {
+ command = "${lib.getExe' pkgs.glib "gsettings"} set org.gnome.desktop.interface cursor-theme 'volantes_cursors'";
+ always = true;
+ }
+ ];
+ };
+ programs.rofi = {
+ enable = true;
+ package = pkgs.rofi-wayland;
+ };
+ };
+}
From 3622d231f801bc7310dce302ce6528d72b3bc389 Mon Sep 17 00:00:00 2001
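Review bot: `user = "niko";` under `settings.default_session` runs the pre-login greeter (`tuigreet`) as the real account, so the login screen already executes with that user's file access before any password is entered. The NixOS greetd module provides a dedicated `greeter` user for this, and `user = "greeter";` keeps the greeter unprivileged. Separately, the `lock` script is built with `writeShellApplication`, which turns on `set -e`, so a failing `swaymsg output '*' power off` exits before `swaylock` runs and the session stays unlocked. Writing that line as `swaymsg output '*' power off || true` and adding `runtimeInputs = [ sway swaylock ];` would make locking independent of the display command and of the caller's PATH.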
From: =?UTF-8?q?Nikodem=20Rabuli=C5=84ski?= Date: Thu, 16 Jan 2025 15:59:22 +0100 Subject: [PATCH 04/21] secrets: sign alert-plain-pass for all systems --- secrets/alert-nrab-lol-pass.age | Bin 384 -> 384 bytes secrets/alert-plain-pass.age | Bin 339 -> 999 bytes secrets/attic-creds.age | Bin 452 -> 452 bytes secrets/github-token.age | 24 ++++++++++++------------ secrets/hercules-cache.age | Bin 979 -> 979 bytes secrets/hercules-secrets.age | 27 +++++++++++++++------------ secrets/hercules-token.age | Bin 888 -> 888 bytes secrets/leet-nrab-lol-pass.age | 13 ++++++------- secrets/legion-niko-pass.age | Bin 395 -> 395 bytes secrets/miyagi-niko-pass.age | 14 +++++++------- secrets/nrab-lol-cf.age | Bin 380 -> 380 bytes secrets/ntfy-alert-pass.age | Bin 907 -> 1017 bytes secrets/ntfy-niko-pass.age | 12 ++++++------ secrets/rab-lol-cf.age | 17 ++++++++--------- secrets/rabulinski-com-cf.age | 12 ++++++------ secrets/secrets.nix | 3 +-- secrets/storage-box-creds.age | 14 ++++++-------- secrets/storage-box-webdav.age | Bin 382 -> 382 bytes secrets/ude-deluge.age | 12 ++++++------ secrets/youko-niko-pass.age | 12 ++++++------ secrets/zitadel-master.age | Bin 354 -> 354 bytes 21 files changed, 79 insertions(+), 81 deletions(-) 
diff --git a/secrets/alert-nrab-lol-pass.age b/secrets/alert-nrab-lol-pass.age index 4e3428173aa1c5115e5b01096e33936830072262..85d17abbf941274ac00ddef5e6b304aa694eff72 100644 GIT binary patch delta 349 zcmZo*ZeX6EQy&poUYzQjZrPw;AL9o;_4ZZ z&t>XkRH$!Sni~`xQRHnH=^h%98X9a|R1lhz=|Iz@7FrN!nwM=+%%y9mP+Xj$ zo0?)|YHDby;O?DKR-Ue4losrrWtv{%oM(}rWo(-7U!U${oNp0Qk)0jo=af^RT~VnY zZju|Bo{?+8mF8ERYEhc$6JAhkUKQ*aX<=bx<{RV~X&6xHudVHFtZiNrViw{On3|Z* zrK_u}pl=vhn39@r7*bYl>>B9e?wxGvVquyZ5t8SnUzVFvQl93KrXOBf=3XAiH7)9$ zKwy!ccbNN&O+Tf-TFV*!eI9PP*siT(u6vfN#`g(zvG>2vF;-gF*7qTE*W~xSngWIk xqE9^em}`CD&aUvIg?XA~#jbZESKnp1boAg8*3&w-4CJ~aSdBdmKeh)X003_kfR_LO delta 349 zcmZo*ZeX6EQ=jkRYU$|~796q@cG5|~n2<>*~$ z!Icyel^qoBnHm*p?o?$N?vdn}mth%dQCgg2;Ov|c;F0NSo>CR!UuYZ@%B5?kP+Xj$ zo0?)|YHDby;O?DKR-Ue4;cgk0Xlh#N;Zf+}>6KpYS0Cn_?hzH}XHuc<<(*N+6`G%8n3)yj?dPZ;k(%ZgRP36OUhL%+ndRXeSm|Mw>**Nj<>Q_dkO;C) zS69KDf86=goXRE0+8CW#zb*8#zqVP-++H^ 
diff --git a/secrets/alert-plain-pass.age b/secrets/alert-plain-pass.age index 0204c326573cf2777adaf5cd7ff08bb368459715..032dbb285e699aa0c0a42d73702a6fb78fdd2bcb 100644 GIT binary patch literal 999 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCT4_s%FQPggKaEzL+R z2`hCDEe^}ADt2=U3oJ4SH8-&IPcJjeGR)O3%18`0jEV@%DCa7$ObN+yE-oyO2y#o0 zG%PHO^3TmF@N$pztkTZNGO{o$4$#j}j4(9yFhRG?!yqVK-%-K0D910zC?Y-Fz{I&Y zC8Hq4u-GUht;jgN*u^5pFfu&LG)Ldm)yuWS-IGh(I4INK)ZN3!%fGm!!qvOXugozg z%CIsy+`}idG|#}>yeQF2-@+_W-xu9B3zIC%+;Rn@a?c1iOOvRieB(4H^R%FTX1)BKzg!)&f#BS$000E^_DijZtCr;@^;kdWY1k5q5x?Budk z*T}@gP!q$HOoKAZYz*5>9nA|;0~Or0eJipH!i%#ji;YbxgS^9>EuCE>Qql@bvwTC{ z^~+4c3M|9R0wROT4Y-^fwR22;JRLnF4D`KIgM*SQe1a;I0!@tkqr&u~A}kAhoINti zvONvclhOT_nIGWm;i%vmkr$?&9vR_WUg~O@?PKBL%TRwMT=`epYHuSgw0kNn%F2cX>#5W_eU-cyL9wvxiqvq+52bwtHcSOCXnf zu}f5`ae88)W08lyt6QLlNnyTMaA3J%Zd#6acv-k#WPzu4P*l37z5%*zo^GX)+T{u* z;pu4xeyKS{23eVw-bI#aP9@q#MJYuFi8+bs?(UXm2BlTu7C}Cim9AWF;ilmwrvAPz z78d5k&N;1RY*COLZ~rj$gwMdfC>hn5#cl(N z85KJgnFSh#mXw#~C8g%L7iotU`j)4b6uWZi>gp<_g2nO?Dc_`X@#cx7RH&WsevUHmc@xC6@e8d6+!vN1y!yAnIUdfnPx@? 
z`jx?fo?Jz_7C!lwM&UtOQ3e@~NyZVbrOt)UY58WQS*H30IRRPO5nd_YiLPcrW%b3OJ~=Mw1(8*eh6N$| zQB}T0p&?#nSteEKTrMS%C2q!f0ftpsj@hn0<@tqKQEnb4UfCvrWly78Sq_$CM zMO1n~l%rujS6WbrpJ!EZm`QMHskd3Ar%9Gmjz?f|sd;upm{Vy%U`0|&k*86rlZ&Az zm#(g^f@x}zTWDBhU`Ay|MOscuX0WA~Sygy)WVpU|aGGg>t7U|DX}EETV{T49*9RrP zYplo{xGZ?xO=d(P!Q8Yf;ydWyc_6q*}&OfXY=M|9+A z25ER zE>(6aseP+B$vxI3wj*P%@M;&9Md4;u$MTHd$?b^gwVd-;+P%x}@3~DfAv*Pn`d1=i R6@)gN`OOk{clVsq9spQ=pv(XO delta 418 zcmX@Ye1v&|PQ8JPS5{C-xIuWKdw7(EUwBwxq`P;zdqqU5Z%Rr^W>v9%cxZT9aD{1T zIaipETeg#XuzyxYpp$7)rf*hppi!t5SMZUk z?7vR49%0)n-N>PM1AVy;n19`Wa^Hpu2s!D~^>I8L{P(`~cm+v;1^=4m`cKIBVCB5bKhX|(43#O~` R8}7|eUu;msmic>LGyv~ ssh-ed25519 IFuY+w nyBEszEusqQE6jM7y9G4KCyzNHawdyy+hTfm9LsuRCY -1bbg4kmmv9m2Gwp+3x8zvqFOkmTKt898/sGCUK9rpGE --> ssh-ed25519 84j9mw 5s2PNoIOMWf2gBwzmRHmssMOuvu2kv43316E20McKh8 -FyA+VjPgPynvMQfxm3d2+SOEpsJFIKJE8pbXeIkOfGI --> ssh-ed25519 ioPMHA 4N9PsYYaeqJDbxpQpyCgvR/JWwLPDCAi65YB6M0uT0U -mFCqo1htPi2WRKiJz/t8Y7TMD/p7X81HsHGG0KIsROQ --> ssh-ed25519 5A7peQ ZjRTqjDou2xS638dR8AWKCv5uKTSmOSJ/4rkfFckhjY -yUJABvMDLN0C15XBmnZJZ88khXAXLUP+aEqH5DlJcKY --> ssh-ed25519 GKhvwg w1OKhVPY89J/pbrrXIHVifV++5e1tLqlSL9yM/2rqX0 -VF0cvmdtCZAlPgIqcNZYp7ANPhvDqlFE7h018lCbWyg ---- YWa0wXlaYVF+g06+w/u/h+NURlfMY8lauf5ZtrrhrF4 -3ͅP׆?4)mf.²`aFCj"Jwd鱇Bƌ+{dK \ No newline at end of file +-> ssh-ed25519 IFuY+w hrfVBxFIiDTvbm7OMYbme2+97WI3nqxYbjBNRXRS9H4 +SaKftmSA+8LitXnkqaw67xw378sNeGs/ENxmMsOVdvQ +-> ssh-ed25519 84j9mw opGXl7a35TsSj2/ADgdbS5bp6/EDTsUDkS/IjIgjUBA +Cw5O6wt9vzqCgbWxxCrzmXJQH+/Ae1wwyHCcHLfpEck +-> ssh-ed25519 ioPMHA 5fAg0NsD/KlXSAJg1UQYsJEzZMy/wCHfwmv19cbWRyQ +OhDaO75k9xEdCE0GdyJ6iK6B11ie/l4yCfVKp6py31I +-> ssh-ed25519 5A7peQ pqvZetDuRh5pesWPZ9725h7i+XuvSNMn7810ukhNjyM +96JlWRIyIZ07siNa1kk0HtHhiB4NQbSKQ4KXsDJGGdE +-> ssh-ed25519 GKhvwg Ba5tOdWUlE9qs1tPb7t+0ZtHN82a6RmMHP1tzGe/VSg +wLWBaFUkWkB5lMEKX0ISEQTGx/RDTF1vbvuGo9w8Qm4 +--- yVc69z1O1UOM+93dnjV0wkeqb4StW4HcBYi00z+0dIQ +"49bW5v WjsUڲoO#S%\qn[hAjEhޢtjC \ No newline at end of file 
diff --git a/secrets/hercules-cache.age b/secrets/hercules-cache.age index 615b2c2a47889ff7da851f6984b96c769f913e06..783c7f309280746233edec2a94fa38d3831fa709 100644 GIT binary patch delta 891 zcmcc2ewlrOPQ6D;WnPMRc1l@sl}CATWPpc-OQ^Ytev)y4e?X!|ZfH=tS9(!cN^*&@ zFPCvrc1~eYX^~H{k&mx-Xo*QmNq9TRAF|6OSqF)y1%PQRj^-jvRiU+P)?##uyIC?pQCfAerZl= zNoq=FWQd_Bmt%!TRk(MycW_o%W>us|rmKmUk+z4idts4lk&{PAR%xofX+VUrbEu!i z#E;_PVLtki1{vDL+L_sY21)+ePL`pOmKmj)#%Ym``tGHPM#Vw-9@-Y+rlGD}CPuDF zdAX&LQ3fShmBHcKVfkTEZe`|qemRNx;od2x?qwD}g}FHyg{Fa%;~B-nBg`sHJk2db zEWG@~gSC^wyv$0=-8>_`GrV1mobpl(9P`UE^32o2(~Ld2T+^M+b4f$V@Jd3=XMu3(YmjOE&Sz^tKF3G|kHMbj?XK5A@5g zbgQhYH}VNj^-Rond%`c zT9e{G%GsrvbL4H)uW}ZQy0YZJbq$Glri|?~|BG2({x8L)n|>;kZKn6lv)ekCH7M@- zYj7t#rt^U9;?|-EzHqS!J!pO`gguhVo^T~tvjcz&Jzq4fi;w=iLb+0FBRCCD~?=(2J=H>_8 zs+DRw>51E=mkMgFvMuUKV2|4ucyj*!cVZ1(jA7ULTCOiFNZEGB_I_f)5=E)_&0 z6aLM2|0bxsY<}MjjnkSc7O(H@xpR7=!je}j^>p}7xA<$gzKPR1#cYzK7jmWB({TOf j+|XOXVyAmpbnegG%F1cJFm(E&Lx$?yjj1~(&y@uLXrNk! delta 891 zcmcc2ewlrOPQ8zxafU@zL}5g#f3RheS$0-ZTA^QNaJXBTUzA~FSXf}PpL=$)Q(m5< z1($Y6L6uQrK(>=W1@bpd3i)dQL2+^GMBEMLUD11 zZfc5=si~o*LS}w|uZN>TibuAGX|7w5c6xGAxwCeJiCbl|OK@?piD$l>aj~VNUy**5 zeo~fqx<`m7S7A^_vPD#(W4^y}enDt@fR9I>wxg?Cl)pz-kXK<=MWm&FsbzpqVMLn2 z#E;_PuH|8d+L^_^o{5GT+3x-pl}RqSX1@9b`X*I=$wvCA1)g~>X%^Y3*_DA@>4vU} z`lV&%`98T}Mm}CiQGw;5spY=D&Z&8pB_)P=nZ~J(J}ChuftJ~m;~B-nJzOe_1M*5s zEy}|}jND7g%|gvBEnLc-+*2xD^MivkLNiR0%zRu6!@}~pa(rA;EHcVmU0kYyBFvL3 ziyX^5f_y_VT{6;)^<4u>T@u4XjQ!FhwEeOtpJf!U&rb5oPYsLE&rb_6$xQX|H*|MP z%nA25G0V&dH*(f5@y;sGFAniB4~PiligGUT%`i1A^DlQvG0V#~an?_BG|r36bSzCb zclXHD_6{!9&n|W^OioGX($&>fFeu9Q4h=DNadFo+^i2)*Ny+i@HYy5E&nhVj(D%qN zGSW`2ck^}%cg+cKXD~UAgB8{{i2R=Jw35xpw|oD6+HqZf+KP3uCYSr1ftk-hN}<7XD}E z8z1pXWj}m9+shR$F zB6S4WdycJKO$?|>zw{>)Jp8#f7@*3l7M^8rv)_DypOvn@Oi;L z*FD;wH*8pJdqTz4;^f)FsV;rH5<=Kl>8)oBdb_xAXRc?SNazo?RR!`MJiL^X;$h>@!oiWS1o57(KTrqZa^dvtMWc diff --git a/secrets/hercules-secrets.age b/secrets/hercules-secrets.age index f63b958..8b55761 100644 --- a/secrets/hercules-secrets.age 
+++ b/secrets/hercules-secrets.age @@ -1,13 +1,16 @@ age-encryption.org/v1 --> ssh-ed25519 84j9mw P7StDsdpmJLp0ni5ZwdhVy2lx5TSfVlIqFAF9y4Zn34 -UksAEE1WWb2xWgHM8h4lhTW2pwqF8ydgGtFnqcp1KUo --> ssh-ed25519 ioPMHA roPhy0I+dRtPuWsnFSxl2m7Uh7GgXkupwHSgL+LHrzs -8rUE3mr9dukcAeR1213wjSm6Bme9ExpGX6TjEhHRYnc --> ssh-ed25519 IFuY+w crwMCw/ElBMNFhUMHLAg+ZxpsutBwV7hhG79bXEmCDE -7rnOVAVI/HgGbaswauWxCqB7Tkzx3hCxB2RZOi4aIpQ --> ssh-ed25519 5A7peQ bcqPb+IVrI8BKlcpIrZ/qnbnG3p/mLsk/iSCVYlvwmY -2q9KmMmyeYey9txiYrmxM5T86qXw7arKZSAbxszgxVo --> ssh-ed25519 GKhvwg H9Pka72t6kmmxGcoAaRtyn8m9xlP9DJSeBrE6jVtRh4 -w/lcxBFd5w9mMn/sarr+7yCY+IGJzMJUgvi+KrQA4s4 ---- wO1f52ZjrCtOdgOrnkKWPao5ZS2BhmWFQmvLGliosyM -S]luG cU LHb/(f $&XmݒFPt.n,)t8 9g~3.h`0i|Zi9S߫ޔ~vf,~\;IۮFVO)uj:u[& 6`OZ|yVɥ_PeK.vꪹ^2-Ҁ<\^m!.ys l K`fbDcdbD<_6zR?g̮`H ,5h$\Xl \ No newline at end of file +-> ssh-ed25519 84j9mw qVTbaORT1Ouwq1uA0cWQ3Q85tLYcq6xuZ9UhcMOTTSk +PE0VZp1P9K4IAnm/BIDusGsp4dtLvaN0/m9q9gNnfx4 +-> ssh-ed25519 ioPMHA +m127XNN1vH6Tg6XGuHDbND0giQgGsMLE7YUKagZbXk +tKyYRNLt1UgnQR//64yAunpHjE7JyB/Mkdmc4gkMTWw +-> ssh-ed25519 IFuY+w x4WynTbStig1Ay9gyaplDcNlLQT0kMOFOJwVvcco1i0 +i8M7n2tfBJoFNmQHs5jEaZdfKc1UmjL5y6oBCos1mDk +-> ssh-ed25519 5A7peQ +XJDHQntGS+FcrFgy9X/9RDOrBMNCI8rHsicV4Z5sBo +i6xfceBN4DE9EYF8Q4PaJjX7qbELJaJ5dxMGoAIE8xU +-> ssh-ed25519 GKhvwg fzJcotOtNhVeNwOdMQIwPT9GmgbE13HYmCkwbFlCCkQ +mNtYtoX8IUDgHKAQRA5e7HLZgYVI9wCF8QMm530eFEo +--- EIWU+anFU1NSYiu3O+xncDnVvJVrwHzwaAX1YhsaOj4 +%DJ#0AD +qz,3sHVbTުˇ8[ ?VgNVd +ĝȗL=̵g%ι[md6oqE4ŏF3@P\(MDM;%^ܫpxp):O9,iBT +sǚ-JWE\0£y>0;yL{t.g%W,X} JJdg3\#) 0h=lhBBXb$^ BM[~u? hlc;zk \ No newline at end of file 
diff --git a/secrets/hercules-token.age b/secrets/hercules-token.age index 66500a157566e436c66eadfbc9ba04911c1f2a21..54dd108e0526d2c42e8ea042ba4d575c947948c5 100644 GIT binary patch delta 800 zcmeyt_JeJLPQ68^Xo zCzn~Gxu>s%c2=Z+URiF2bCz+kwx4%dxJN`(s;Q%2V3u2zv2lf8g;7p%D3`9CLUD11 zZfc5=si~o*LS}w|uZN?8c8OzVRJy)nxpr}|Q#m$rekhec?GX}Ei0X;6i8h-+q4RfJhVe!5#knP-@BM7objX|ZE&RivTg z#E;_Pj#;VhS*hW9CFxG4Nlw~HE*a%%22SY#mTA5gA$}YIps!)VTR`Z8J-1cPDNRs`c8#G*)E>mk=l7-0V#RG&L#Pi;~B-nUBlcQLz6s% zJ>8x1A}S5MqB8wmJc@%n!pvNgeJnByTzuUPJq(f@-E)h%^1^c+^W8FXQlp&9OhQ8p z{1T(e0{xTB4a@w~D%`UTyo?gfLW`X8JbcS1pJf!Uw=hU6F1HL!FOMko@OSeM3-)vl z4K@ka);CTI@ea>Q4-59SbatyUGp{V>3dnGCH}i4R5A_Nw2@f#Hu5>g^%quC*t29qE z4hb}f^7bn<3Qsijw9HQC($&>fC~!*;Osq7hFv!gda&#(7E3oj_4@-41b_t6}Npml* zaxAQTp=T{`z>a=uCt1$gWuBlQNe-EZQDu zk$8cJ{npfF+j4$y{T%yypVje|XENK)NV7FHXvrx_O3du>SMgxpw=vlN$)naKC$`2k zol}$8#HsaLc=NTkU(L158|2GGl!a$ZXs&Jz$~58--(9b>TjC(=0@s7w79Y>1y!vC2 zWsick2_^04j=nfJYjy^Id(NZ3ysEYiKW&p^_Zt^Xt8`PW*w$a9eOBmrV%~%3 zm4A|??*6lB-ow1$=#KM&9acXdPWwFlVZ)}DhdUq7xqE1gWtY)0*h4r)I4r~Pg^tm)N delta 800 zcmeyt_JeJLPQ8&wah85mWocT7pQ(A3zP5H=RcUHrpi6i_gok@td1$C{hEsNSP>@$; zF_%F^uz!YmRYbO@v3|IBeq}~#YG{&4wp)IAj;VXHPhhEmL2`C*ws%HUAeXM4LUD11 zZfc5=si~o*LS}w|uZN>Tl1pxiw?}zVS$Jh(VrGb8u$y0YT5z(qkAI$7R(Wfh;WKB4lpUm2`Wx2a5f4J&nqiR@$#&w^zzgFtyvb|UUqxc#QP8)YO`PB2%MKkfbLZO|^Z ssh-ed25519 84j9mw ZuGILSHnMIMy/GDEjkAriTBKBykkytcIVo63DPd4MhA -aa/sGLpf+GrLzo8Jf3JWAPI0Uk96SH/CvGhynNJVx6E --> ssh-ed25519 GKhvwg STHVqp1zYhQzu73INk2Cmkuf8X8kJPLtGSY8LJze/Tc -Ny1C5CAnqSCcunIbM8if8oQ2VlerIIW5Dqds/Ztektw ---- gaHP+odPfw8A4f5NJkYOuvvYRWwo5EzRZVkXp6E7dfI -NfO=+T3T 0w ssh-ed25519 84j9mw qRlII1WyhanH2pNwSnl01iMlPWQ7tsyiNNOHPLNMflo +ZMtYsPCDsgcbN1qoAYWTBQtfBWGHzi4WKbGtpJSzKRA +-> ssh-ed25519 GKhvwg Fck+71BDUxko70r43pDKCYaa5OKZipR4iNveNrJaiC0 +uZZhlsckmE+mi7Oq8+gtisDFmLEoy0Pm/9BKgRi9VHo +--- i/jgJHw3pEnMDGSjdK47mOkt87oI8szIHiIqimXVyXY +ߵSAѶBzwg@"PY^+E[',K[X~Xg{2c4 \ No newline at end of file 
diff --git a/secrets/legion-niko-pass.age b/secrets/legion-niko-pass.age index 20ed0ff980faf8c1763c67e6325578d90b90d482..455628db805bf50b05111f41424a8b93b8b241b7 100644 GIT binary patch delta 360 zcmeBX?q;5#Q}2?jUsw|9rJo;=;cgsWkf!ewo@L}+l^^65Xl4**X&&a8k(XGOUzqBc z&y|&0=3Ek(>g!jP=^Rq#Zx);rW$YZ`Tbh$!WL}jNl&hUrk(L*fnj5Yi$fawiP+Xj$ zo0?)|YHDby;O?DKR-Ud99N_2`SYBvhSrujJR^{PpTwmy%XOL8q>1LAT9F`vJ8WCJz zQ0Nw5lpPkzRpgc)S!GmM=#{1KnUh>86W6e4PGvEmz}8v1PgkjC+N7|M3YP_6o>3EAwYUyKG--<%`p& zMb=bh8um3aTndgftm>=Oj0?TdVe;sYDAW8D?M>>IE&h>LXWwx-CAs!^@9*zd)nDCl IP7UY=0F2m#WB>pF delta 360 zcmeBX?q;5#Q}1nN;+&Cfs-I>MP*CoXZt7W89O@TYWSSFLQIO^785ojkmQ!q*lb7q1 z&*f!o?p$SIke-_zV(uPc99foBo?{wlZeUSfkY$;lS&`-IoLd>5WbEq_$fawiP+Xj$ zo0?)|YHDby;O?DKR-Ud6;u8 z=^UDBo@Eru6&9YD>=;^?6Z0 z>(P{7Jc*B4<8`N28EbGFE_lMhyrD7iD_6**e}8s6Br9HNl&*PTE4C^xy>#J+Qg6<6 zoX56*5xU2=smP`1_1SP;?zF$U)3sgBc+dOjoUr>)(BGLCj#(Wt&Gk63Nu(%cvz~K_ IaEFo?0B|OQj{pDw diff --git a/secrets/miyagi-niko-pass.age b/secrets/miyagi-niko-pass.age index 17e59da..460e357 100644 --- a/secrets/miyagi-niko-pass.age +++ b/secrets/miyagi-niko-pass.age @@ -1,8 +1,8 @@ age-encryption.org/v1 --> ssh-ed25519 g2vRWw //TMaNWwTNS5wE3Hg/SEwqriIaOiOUE5remdVF449Vk -8K3isM05ep9HJ58TlNE9bmiIuqJPoq3lI/3AbUrLw8Q --> ssh-ed25519 GKhvwg GANoFnELye0945KaMuS7xw6CGPhI5vigD+vScnpbQxI -CSx0E7fOB8A5MSc1ySywNFj5mkkdi6DDUc+ObaW/kew ---- +BiFZI/o5loCYZ95bkY4zQYr2y6SYc2bmnRuAMg2MPM -"D1Mh`dclU;]Puռ /?5\\D1l6øzNS -N;<+^Bpm՚y sZ;Vj \ No newline at end of file +-> ssh-ed25519 g2vRWw Pdv9mU1heeteeLbLFVUAIyZxmCWHNmhnw0TphSVMczg +xks6yrF0BziJFp1QHSJdv5Svo1bCu9DF6s3wa2h0Xmg +-> ssh-ed25519 GKhvwg H2DeS0HP/vWKRrBszwCffNgIZo8nVymGSkWEH26Y/2k +2y9DCIwpFsFXpgOwOrrD9+HpRzEuno1fW2upd2FLbZc +--- LNHsLxE4XBziNhnXmARcxB7UWhcKNvon1sDdX6mfZaw +-1dm +fR,[#[-;M}vi4x~=)oN^n"XB}W583惍fv:uZ ɶ \ No newline at end of file 
diff --git a/secrets/nrab-lol-cf.age b/secrets/nrab-lol-cf.age index d1672d7b593ff5396e3917b831bed184206a28d9..d3b901588a4989d08f60b9d04d047819a807653d 100644 GIT binary patch delta 345 zcmeyv^oMDJPJLp5iC*sM3GZiO161oxMP`DQE`@~V^xNuX>wU)uyILV zI+uTrQ)WO_eoml^kF!%ys*g)Sd9JosX1cy#N}_gXaA~EVx1URJzNu$OGMBEMLUD11 zZfc5=si~o*g1dJ{S$VobRhp%KP;jMlR(g7gNm7MpQoUoIc43BFc|@pJsgp^Occ4*$ zkzZh8o?)N?mw8cWUYMhkc6y{iuAgaudq|jpcUW3(Qh1L-SEi2v zm#(g^g0q`ha*=;xP+_@+SxRX|x}m3EXo_iZxka(5TWGjhR$x>{aj}7`k&|I0SBGr* zx`}R5aY62@gv=f@X9*iS-G6#YddBQSA#r;aJ2p-CeXX)z<+NC-N^{ERO>%d$4f2k6 t+`hfiGv=`8)c+nTAm^g|BC}wrg-iqFF&|ig|X4caC3}x2JDN zD3^9bWxjJ%N=j6wcX~xpk$--8s&iRZuxo*(MTtp4s#92TP-2LiQ*v@(AeXM4LUD11 zZfc5=si~o*g1dJ{S$VpGiK~B+L5gFzQMhG6VUTM^NqtseQj&Q^U`}~>o`qSdS!7hM zyGxjPK$wv$S8{1&n2C>fRhC<6hCxAAd8UO?qKk{RL8WU^mP>fJsjF8>KyGAyMOaZj zm#(g^LT+x7n~|xZTX=}RezBvarFOEplYy&OzEN_bwn4gOX-ZPMnOB6TS9Wne7sJPM z7pjuod4i_hm>75Tu=CVgu)dXwrErfEy>ib sNeR|YJyc#+)GNQ?ak=FDuUC8*9RAvIrrL=q*8L5uUFc3GpX1`002}&!pa1{> 
diff --git a/secrets/ntfy-alert-pass.age b/secrets/ntfy-alert-pass.age index 78192174c6e2278cf5acc229b39ab0e78ecd12bb..27558ca312ea665aa8cb339ca8fbd428923bc21f 100644 GIT binary patch delta 930 zcmeBX|H(cdbBdpx5%F@HP zEHkn!($&#~%TYf)Ej!HECoMg|FSx2WKO#S{z{o5jq9WO+GCMKfxX?L0z`WQcEG5r( z;z#lDl)yqy4}afWr__{Ui-?>^ugpl3lq{EG@9bh9M*|l}!_d$q=kQ=}pR7o(bnPrt zU*jk<4-+TDDhrQ%&wx^=;E+812=_`$P#@39@r>f(>BhzBDW%zA z;U1=zK1GS?*}eq@A-R>siNO)&rk<`rm4;^eCay*XZW-BJIZkDPCE2ODWtK(-KBf^# zX@R9BCdTf`AvuOF1!>_qdD?kqIRynpM%gBl&oYYFr-hjrW|c>|T4aY-nftjG8W{R` z75St`MjAz!83g9L7nXZ+<+`St1r(>|Wu=>BI2yb8RT%jBX{2_!g1?hlx?fgBWM!_ovAcVoM|gcuM5(J`WJIx- zOI|^sm%n?OQ=)f(bEtW)3718(X?BIVpIdoGL8ehsa6wM4g}Ya!v0HJ7Z;q3HZeo78 zkz1%iesX@GBf51(j^-)ZfeM9*5oy8h?nRLv<-Tc#0bVKEA%>!DH+BgX@0qZnQ7rsNd~FG1@6AN#zyJ6QK=?L`aY3a=Kf`c zl^E8!duNoDrz@D7B^Twprusy98i#sSMHYqzmRA;=WhIqld#5F(xaEbVdV3fbIBKVP z_PB_=tAlmrEO7Wot!B{_2G>gpmwI^Wr)8EzR+@0_5V5IybYC_y z{R6APLfQ7xo~w(cjYB8=>zQ(Y;q0R2@-a6%&n-FKEn=}(a;KEz1J28A*Z(r`vh~|` Pd{%f7|9PHE%EtWw;0Zj2 delta 819 zcmey#-pxKir`{kf*d)Wv-Lb$q!ZoZSHQ1;u%Qq{-z|q^NvcSyKJUh!c%P+_zAm7V9 zl1tmT%)LA@CCA(=Ej`k)FyAl8#V9b-Fw!#3H_5`QAi&!-FeNj)tT-&)lS|i5p}06h zH#Nn`)YQ;Y!NMfVGPhj8FwvvjExe?_#ofpy&?BWh%&ok@HQmeGw9vgg-ykQ?Aj&w( ztFk;aA~MW`tJpi)H!vm2DXhRGKQ+R*#5Ff3+_NyM#Iz#Rv(z^%u)v_yCof(o{o7XmgS`e zW!c7s1|gZLNv`JpS!vqdo+f!k<*C}47F8+b>8V+Hrbez@=H|g(-d>(rUKYhgCK)NY z;f?_nK^Z1SUQvPhrp}(Z8HLF?ewjuE7LM7I&oYYFr<#=I8|9ff=7k%jC5M>hmgX2# zmUtGVxrZbNX_pi_hnKsD<>Uk>muGl#1sM8d2jzN2T3YCbMwMrJWoief6nkbTXBVbh zrbHMfx<>?NX9O2ic)6#e$AG6>X{2_!Lat|sv$j{dX}E8)WoTNZnOl8!Qldp}V!pYd zes+LCZfdxGP*!k&YmmONCznr7rFl?UpovqGL6l=zT0};;U%HQvV{VC&qmyq@g+)e6 zc!fo7ctk)|Il6W3-Wg@(=?ePV&K4CR$!;O;7CyP&{#C^WrsaXf&LtIa@xgJTC#g!=r#fkZuk?#4SS%&$RZsz7$N$%#6 zd9GZ#y1EMPhW?f*nP$l@zCQXEMy}@J*(pxJLCGOSxvohr;qJzzW?2E29;W^UPJvw7 z{$~yLU4NrD|NCX#a}UdJ-Hlz!#Bx?<2B%h1u3+WrlF-vii=`d3g(`)mf0!Lgy794H XG~bPHt;Nxaas@{>$lb9_VgCaFp3f5k diff --git a/secrets/ntfy-niko-pass.age b/secrets/ntfy-niko-pass.age index cca1985..276c72f 100644 
--- a/secrets/ntfy-niko-pass.age +++ b/secrets/ntfy-niko-pass.age @@ -1,7 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 84j9mw tR4gg/XeVdS8xCIuHxN25uaRKu6a09DSW26SI3AWDlM -uC2gJ9UWDE6uVXkUDlaVZlWAH5iLDgagkN+54msvyoY --> ssh-ed25519 GKhvwg q27QskTYhI5gjIKKpNHn5V2FRmhIg8QFJ8m0TPZiwSY -/0RIbiG/nwxKDJ613BLoCNvjej6f65mr1xwCN7/aueI ---- XU82wFZVE+zTZ/mGhnoxqWrdUOv3n6VOwQizZSHPLfw -"1KĽ. J'!nlO]>Y EX \ No newline at end of file +-> ssh-ed25519 84j9mw VodL+EHOjoXj8R/F0vMQzEcnnCFzzes0QByGCDCgVQw +tZLaDA1FLFwbK0AGo8lpTJjMUnPhJh1czYVLIYjkcEc +-> ssh-ed25519 GKhvwg gHaR4I4l0I+/XrbjTMp/mevEzxPJXNLB1eHs33WKwGw +GTAzrhyyDylZgExteDGpGbcS/TFX1q+NhF1FWHzNV0s +--- QS1dAgdS96KwIprDjzz6OD4qSIZs4/m9JEIsi3+kgPk +zPCSxf -žic7_2~jA \ No newline at end of file diff --git a/secrets/rab-lol-cf.age b/secrets/rab-lol-cf.age index 00a6556..4b5734a 100644 --- a/secrets/rab-lol-cf.age +++ b/secrets/rab-lol-cf.age @@ -1,10 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 ioPMHA efHpBvtB+mXXa7RoRdqePHGOmsY5BXVOgGsfOhPm30w -2GvumVVuuLGEarpdauTCrB61aLtVtrkM3/pPlWIODnk --> ssh-ed25519 84j9mw rqj6xvESlvrfcjhVEWCbpd//vvdKjrTjt3ZDPeLHowQ -dcUD131zvVQGiUYQWt9A51CnIpLGNSGinSZk7HSGHoc --> ssh-ed25519 GKhvwg cIji8zRSGWEbC/xxS8C4jyDCpQsFv05j2Yo8UjaHSAk -+c/tIYPigZdPQWKvGYaoA6AYRAB83XlEEdfucihB984 ---- TEQTQ/lm/JqyyWU2sC10qHl4AL/2IP9yCUfhXG4LdP4 -ȮS F-dc‹D\?h Qg@W -xA|M*rt0ű~ѰXa{y/WUѸY렬{װ}TAxD \ No newline at end of file +-> ssh-ed25519 ioPMHA ftS+6CMGsySkp/KbDBLPKeWNDK83bZ2VB8ZKMRijkkY +U+2wopG3G2AvI4KUD9tZGIrHZSM3UdyDdYmbbkllWPo +-> ssh-ed25519 84j9mw xek41MX1ETVgRZa24I7n5U/XkJOqItQWK3Qz1FfkDCc +40CWzCUmxsjgmiObbqKuSieifZ2vNo965jOeTrZ8hT8 +-> ssh-ed25519 GKhvwg X2YSREIPjoaWaku9qrVu04hOlZjUF3LFEUZaIMgg02s +jbjT6qoIFGXRv2wrkzf2GHx3tcku/tgWfK6Sns3uFVc +--- B/FIIz8dDg9YXbtDxfAQFZj9PCLHwI/mboBJQBuFmJg +4L7H3F ̈́"fU(L~%sbԀ~Z}Z>2KO'Q\W[όe1^I‘ \ No newline at end of file diff --git a/secrets/rabulinski-com-cf.age b/secrets/rabulinski-com-cf.age index 2a15532..6e80a30 100644 --- a/secrets/rabulinski-com-cf.age 
+++ b/secrets/rabulinski-com-cf.age @@ -1,7 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 84j9mw LuZiZnebklpoXQ6RPZSrELwY4CzwY+Qb/LrlVPFiSC4 -QVi6XyetJxwvOB+v+CyKEdcq96ykcK3wfWh3i75Dq1o --> ssh-ed25519 GKhvwg V3iEXNodDDKKKrHSfNYVKTphsMQfgl3Z/LUwTyArx3A -FQJLg7uHWzc6/U+/QOCYwrkwvvw8rQNG+h+PJ1rRKXA ---- FVExbzlz8e7moZFIkpMR+sj4Kurv+Ge6yMW/uJLr5H4 -Ѡ׿I-iOJbzk1"KxI{Bƚd#71ܮm-0D f\y}=ڸ 4ݣ \ No newline at end of file +-> ssh-ed25519 84j9mw d9KZV9S1hRXBvVcFe40S0NqWKlQ/AdRgAqdYXKicXR8 +SgTn9MXrft+sRr4I96fqQHzAdm0b21Bd0eSoYFfq7/4 +-> ssh-ed25519 GKhvwg B9qTfegTwDH/X0nQMGvTKCsK2GyzJ7yWgFIo+nKhsGc +Is4Hi8B2/9s0pz/quvNER2hTkabPbr7qeILL4PhQO1c +--- 1BhfbNEwYq0ra5slik651qbC8jffR2FmnDHV3FDtom0 +-oSԐ-?{r]5;+0 GoE9tHXjqj2@3@ mmkyQ;_W϶Q~ \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 239830e..ef3acb5 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -33,9 +33,8 @@ in keys.other.bootstrap ]; "alert-plain-pass.age".publicKeys = [ - keys.system.legion keys.other.bootstrap - ]; + ] ++ builtins.attrValues keys.system; "legion-niko-pass.age".publicKeys = [ keys.system.legion keys.other.bootstrap diff --git a/secrets/storage-box-creds.age b/secrets/storage-box-creds.age index 02e128e..8b0a272 100644 --- a/secrets/storage-box-creds.age +++ b/secrets/storage-box-creds.age 
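Review bot: `] ++ builtins.attrValues keys.system;` in the `secrets/secrets.nix` hunk makes every host key in `keys.system` a recipient of `alert-plain-pass.age`, including any host added to that set later, so the compromise of a single machine discloses the shared alert mailbox password. If only some hosts send mail, list them explicitly as the other entries in this file do; if all of them must, per-host SMTP credentials would limit the blast radius. At minimum document the choice, e.g. `# readable by every system key: rotate this password whenever a host is retired or compromised`.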
@@ -1,9 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 84j9mw voingQjX/CjAjo63KLaRPFaG74IpxcRb0qv+r2b5wzo -ccWzQQSJW7cc8RiS9PzN2U5Xj0+Z7804tPsaGrq09KA --> ssh-ed25519 GKhvwg 2z8J0YRxQ4WP1G/W7DxRK7z1b6UBjodvN8ECP4fLg1U -wRG4U9oAJ2KtPUHg5l0yDmmHatmwXOrn2nJlOQJMlpE ---- qs7kR5AIkwQ8NtDjYnmKZmCl4+1G6MFBNB3Mu3J9Y1M - -8[WѕS]&ZaؼuEB!pϴ4pYݱ" -QYqSƬ` \ No newline at end of file +-> ssh-ed25519 84j9mw auP2WgwsaWjyocQkSzoYShO2kSLjn2UArvAVEhKgDiY +4Uh423ZjS7/Xo6TxLJzWqXgHZAu0xouH0UvFZuJuEz4 +-> ssh-ed25519 GKhvwg JHtyTS12OXspSKP9r/a61cfp+ubYbsAXFmEijMTex3Q +wZYrJ8yIZ3v5cdBzpiI9ocaTpHbtmebEpbr59Bz3rhc +--- koWJ57H+ErMJDxW6JDNL2ImmZb6o9v2BJtaFi2OL+dc +Io5q&CU*[T.HɊʺkkpOYs,g49ʼn$^l-A/QX \ No newline at end of file 
diff --git a/secrets/storage-box-webdav.age b/secrets/storage-box-webdav.age index 8a7f3b830711da757e8fa8f52ac5302889d23cdc..93a739a260da400923cc96df066ec56daa171223 100644 GIT binary patch delta 347 zcmeyz^p9zRPQ68tN2GgjaZ;eWiJNw=w{KE}SE*&9TbWsfpK(-WMUazIhMSkMhlQ(K zBv)}zV18ajR%Ky;Po9slV^UgadP;6lqDNJjw|S7Ou}@Y;X_ZfAk!P;EFPE;JLUD11 zZfc5=si~o*g1dJ{S$VobqN}T?Q%+fwzP@*^YhiYTVSPb%R8fd|ptoglenGjncczP3 zWN4ygj-zolS8-8jNs4xvLAFa;l5=sCxqo>;SyfP&XK7+ic&>%Bqe*T?dWxT;SFW}r zm#(g^LS=Y{e@=Fio27ebh`E2UZ>e#Rfxb(!c3yzFOHpWQNojyjl$Tp&a6o}8SF`!d zcLo6o-$KqZg*=sKD-Kz{(f05WttYm{2hSAP?U&0fnHDKfz46n;?X9|Nzghbl%onY? v;>;nQTf1)G$NRr~zV8!DpX|SzJLHzMjQe@vd0EF#x6l3e;Naeu>}UJ{7RrL? delta 347 zcmeyz^p9zRPQ7QEeyU|jn0{$xSzutWV^(Q|X+Wk+RC=UIn0{heazTEHlUHJZWn`(N z30HDao~M&>UU9g8nrV4>hG$h+X{kkSKvG^>vcH*smbOb&NT8{^cDi%0FPE;JLUD11 zZfc5=si~o*g1dJ{S$VobK~YJNW3Gu;NqMf5W4Lc|X}x7xWQ4zYdZd|wg=Ls!Rc@Mj za7Bc_lb^dISDCv(dakEopng)Zw}DrlTSTBmM6tPPMud-kqPAahXsAbgn71Gu%(BaM`o5wVVZ?$Nn&9j7h`3P z;rS9*mXI<PXUwOR~K|w3v)a^a<4bw^`QjOV-rjAEu ssh-ed25519 IFuY+w +zbPYKlvvfaIQl+PnnZlEai/TAgzsQ7s/1bLXNXnXEw -BTQQRxlaRFbWnV6e+QBPDfN+lyg9URj+2h85tDKZ19k --> ssh-ed25519 GKhvwg DzWYIGY0CNdA5wp7PkV1gpWmtYG28or8XeNZ7DkLz1c -ELQVeuyaIOWVH6+oMDDlI3CikDLe5jijwVPbaRBL2NQ ---- vCU0PryisDG8cOKr6CmPcUwjIdThsRjrty/fowZNwOk -h+Ѯ>HV`w|e/]kyS ~dm&9Y))T nS8@ۿzsSg' \ No newline at end of file +-> ssh-ed25519 IFuY+w EOJQpXxn+NL/BJjpdo8mIGfOYxcMElkVIiGx7KftrQ4 +OcglvGhSgb1mxH8M19ZMf3m6lSF0clzH7Mjikf7cilM +-> ssh-ed25519 GKhvwg cr+0J59wCjYBONBcDulN8lpvZiCvULHqnwDu+eKQRAo +9q87PSfr4kq8lCDrw5Od3D1xJjSSmVv2/TXBWEBtBpU +--- FmVR9tb8wjYFb/FBTrblXMCUAMw5KQ7sX8WojcxCrbk +C<\}Jf|6G@WXc-"ϐAGZ'x_Ԡz,@n" 3[? Lb@e \ No newline at end of file diff --git a/secrets/youko-niko-pass.age b/secrets/youko-niko-pass.age index 755dffd..4c85947 100644 --- a/secrets/youko-niko-pass.age +++ b/secrets/youko-niko-pass.age 
@@ -1,7 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 rA7dkQ ztMXNi12xb4ZTd1w6KxB6RXLzdk0b8s73aFObVcUjSc -gVE8z6agYlnMj9N2ZhudUX9BfgpiYXqwisYuYsFMCrE --> ssh-ed25519 GKhvwg C+uqtkHl5BNPLERwVByw4oQQgXSbbxwejy2nhJRjYzs -xS/4KSywTRvgbvLeeIgvylWu5TRPTlOQiG+wsaLEZoY ---- d7crfFYKvz20fbdLgtYh+QuPrC9cFKvIrrJz+Rsl0vk -7R3d֋!bP$ѿ' e|- HR%ɼ`䑹HS@x"dY8%*AϓW#3 \ No newline at end of file +-> ssh-ed25519 rA7dkQ etmPKjKz102knTx/qQAihC9bFvRENB0Q1DtnaQyjfm4 +GPt9OCIwT+/Q/UUDtkHB8d7T6znHy1y1NEUeI+SCeMg +-> ssh-ed25519 GKhvwg qdCxGyXrdD+WQa/il8fIlV7OKdREqd40Qk0PKITHxlk +OBJ9gg+KBHi2s1HYLazy3K+yh8tvnUvmuH+riWU7K8c +--- V3FRy0/TcUdUaBDUK+93r5rH26Is/KVuNJC+1vFMsOI +wO.➌aA&ޝz [ oXĂu,ajxGƜu/eL̛/6S[SU \ No newline at end of file diff --git a/secrets/zitadel-master.age b/secrets/zitadel-master.age index 68a374a8f72931ef5bbfa9eac9e2f2d8701568e9..6dbbbf435a30fa5c1bf6a6683046c43dc7c5762e 100644 GIT binary patch delta 319 zcmaFF^oVJKPJNg~YNfw%h(%RsSz)M2MV4i7NTPFInX`{+QhrpfpIeBNXOgpve`1#X^>I6o3TksqP^v|KK9{bYLUD11 zZfc5=si~o*g1dJ{S$VpGn^$&*VP?2tQBZ|Tu!V7+Q+=daZg7crxVDqNZ>B-HTeeAJ zaZ0duK}238SEheadPH$@o^eU4i@AGQK~7P*rAL6Tab$R2aAUrO^6r+7YI^ypOKlEZg}m&*zibRR`Uh SbIRsgP2Jj3dSt)NO$7j44RiMZ delta 319 zcmaFF^oVJKPQ6D!nu%|DPM&i~k!x0_SyWPXnz^=LX1ZCTXQo?dkeQ!$VwRDMQ*uyx zIagX_xuI`Ra8+c6V{*82VThqoX;eviQC?V?k55{hjF@JKw?2gczULGwwZfCV5PsdYgS@T3AoOFux`P Date: Thu, 16 Jan 2025 16:27:46 +0100 Subject: [PATCH 05/21] hosts/youko: move zfs pool --- hosts/youko/default.nix | 4 ++++ hosts/youko/msmtp.nix | 36 ++++++++++++++++++++++++++++++++++++ hosts/youko/nas.nix | 29 +++++++++++++++++++++++++++++ 3 files changed, 69 insertions(+) create mode 100644 hosts/youko/msmtp.nix create mode 100644 hosts/youko/nas.nix diff --git a/hosts/youko/default.nix b/hosts/youko/default.nix index ead565c..9863b6e 100644 --- a/hosts/youko/default.nix +++ b/hosts/youko/default.nix @@ -6,6 +6,8 @@ ./disks.nix ./hardware.nix ./sway.nix + ./msmtp.nix + ./nas.nix ]; nixpkgs.hostPlatform = "x86_64-linux"; 
@@ -28,5 +30,7 @@ settei.incus.enable = true; virtualisation.podman.enable = true; hardware.keyboard.qmk.enable = true; + + networking.hostId = "b49ee8de"; }; } diff --git a/hosts/youko/msmtp.nix b/hosts/youko/msmtp.nix new file mode 100644 index 0000000..dc51c15 --- /dev/null +++ b/hosts/youko/msmtp.nix @@ -0,0 +1,36 @@ +# TODO: Potentially make this a common module? +{ + pkgs, + config, + username, + ... +}: +let + mail = "alert@nrab.lol"; + aliases = pkgs.writeText "mail-aliases" '' + ${username}: nikodem@rabulinski.com + root: ${mail} + ''; +in +{ + age.secrets.alert-plaintext.file = ../../secrets/alert-plain-pass.age; + + programs.msmtp = { + enable = true; + setSendmail = true; + defaults = { + inherit aliases; + tls = "on"; + auth = "login"; + tls_starttls = "off"; + }; + accounts = { + default = { + host = "mail.nrab.lol"; + passwordeval = "cat ${config.age.secrets.alert-plaintext.path}"; + user = mail; + from = mail; + }; + }; + }; +} diff --git a/hosts/youko/nas.nix b/hosts/youko/nas.nix new file mode 100644 index 0000000..291cdff --- /dev/null +++ b/hosts/youko/nas.nix @@ -0,0 +1,29 @@ +{ + username, + lib, + pkgs, + ... +}: +{ + boot = { + supportedFilesystems = [ "zfs" ]; + zfs.extraPools = [ "yottapool" ]; + + }; + + services.zfs = { + autoScrub.enable = true; + zed.settings = { + ZED_DEBUG_LOG = "/tmp/zed.debug.log"; + ZED_EMAIL_ADDR = [ username ]; + ZED_EMAIL_PROG = lib.getExe pkgs.msmtp; + ZED_EMAIL_OPTS = "@ADDRESS@"; + + ZED_NOTIFY_INTERVAL_SECS = 3600; + ZED_NOTIFY_VERBOSE = true; + + ZED_USE_ENCLOSURE_LEDS = true; + ZED_SCRUB_AFTER_RESILVER = true; + }; + }; +} From dcb2f78a9c0aabbacd296340f868b906b5fae9a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nikodem=20Rabuli=C5=84ski?= Date: Fri, 17 Jan 2025 10:56:13 +0100 Subject: [PATCH 06/21] hosts/youko: add kernel module for fan control --- hosts/youko/hardware.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/hosts/youko/hardware.nix b/hosts/youko/hardware.nix index 2160bd9..0f1386d 100644 
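Review bot: `passwordeval` in hosts/youko/msmtp.nix reads `config.age.secrets.alert-plaintext.path`, but the secret is declared with only `file`, so it keeps agenix's default owner and mode (root-only, as far as I know). With `setSendmail = true` every local user's `sendmail` goes through this account, so non-root senders would fail at authentication while root services such as zed keep working. If root-only sending is intended, say so next to the secret, e.g. `# root-only on purpose: only system services (zed) send alerts`. Otherwise grant access through a dedicated group on the secret rather than widening its mode.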
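Review bot: `ZED_DEBUG_LOG = "/tmp/zed.debug.log"` in hosts/youko/nas.nix makes a root daemon write to a fixed file name in a world-writable directory. Unless the zed unit runs with a private /tmp (not visible here), any local user can pre-create that path. A root-owned location avoids the question: `ZED_DEBUG_LOG = "/var/log/zed.debug.log";`.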
--- a/hosts/youko/hardware.nix +++ b/hosts/youko/hardware.nix @@ -1,5 +1,7 @@ +{ config, ... }: { boot = { + extraModulePackages = with config.boot.kernelPackages; [ it87 ]; initrd.availableKernelModules = [ "nvme" "xhci_pci" @@ -11,7 +13,11 @@ kernelModules = [ "kvm-amd" "i2c-dev" + "it87" ]; + extraModprobeConfig = '' + options it87 ignore_resource_conflict=1 + ''; }; services.smartd.enable = true; From 994732bf6b59722736ee5225168b8b5165f5ebca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nikodem=20Rabuli=C5=84ski?= Date: Wed, 29 Jan 2025 21:24:49 +0100 Subject: [PATCH 07/21] hosts/youko: enable smb --- hosts/youko/nas.nix | 64 ++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 63 insertions(+), 1 deletion(-) diff --git a/hosts/youko/nas.nix b/hosts/youko/nas.nix index 291cdff..9017b8b 100644 --- a/hosts/youko/nas.nix +++ b/hosts/youko/nas.nix @@ -8,7 +8,6 @@ boot = { supportedFilesystems = [ "zfs" ]; zfs.extraPools = [ "yottapool" ]; - }; services.zfs = { 
@@ -26,4 +25,67 @@ ZED_SCRUB_AFTER_RESILVER = true; }; }; + + services.samba-wsdd = { + enable = true; + openFirewall = true; + }; + + # TODO: Clean up. Potentially make it a separate module + services.avahi = { + publish.enable = true; + publish.userServices = true; + nssmdns4 = true; + enable = true; + openFirewall = true; + extraServiceFiles = { + timemachine = '' + + + + %h + + _smb._tcp + 445 + + + _device-info._tcp + 0 + model=TimeCapsule8,119 + + + _adisk._tcp + dk0=adVN=tm_share,adVF=0x82 + sys=waMa=0,adVF=0x100 + + + ''; + }; + }; + + services.samba = { + enable = true; + openFirewall = true; + settings = { + global = { + "workgroup" = "WORKGROUP"; + "hosts allow" = "0.0.0.0/0"; + "guest account" = "nobody"; + "map to guest" = "bad user"; + "getwd cache" = "true"; + "strict sync" = "no"; + "use sendfile" = "true"; + }; + "tm_share" = { + "path" = "/media/data/tm_share"; + "valid users" = "niko"; + "public" = "no"; + "writeable" = "yes"; + "force user" = "niko"; + "fruit:aapl" = "yes"; + "fruit:time machine" = "yes"; + "vfs objects" = "catia fruit streams_xattr"; + }; + }; + }; } From c0d6938a39611c692f155193e06faf2562a367c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nikodem=20Rabuli=C5=84ski?= Date: Sun, 9 Feb 2025 19:11:21 +0100 Subject: [PATCH 08/21] modules/system/sane-defaults: add user to networkmanager group --- modules/system/sane-defaults.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/modules/system/sane-defaults.nix b/modules/system/sane-defaults.nix index fcd1cde..918b34d 100644 --- a/modules/system/sane-defaults.nix +++ b/modules/system/sane-defaults.nix @@ -92,7 +92,10 @@ let isNormalUser = true; home = "/home/${username}"; group = username; - extraGroups = [ "wheel" ]; + extraGroups = lib.mkMerge [ + [ "wheel" ] + (lib.mkIf config.networking.networkmanager.enable [ "networkmanager" ]) + ]; }; groups.${username} = { }; }; From ddaec1196e43f4b35203140d4081709030722274 Mon Sep 17 00:00:00 2001 
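Review bot: `"hosts allow" = "0.0.0.0/0"` together with `openFirewall = true` leaves the SMB ports reachable from every IPv4 source that can route to this host, so the only barrier in front of `tm_share` is niko's password. Restricting it to the local network keeps the Time Machine use case and removes that exposure, e.g. `"hosts allow" = "<LAN-CIDR> 127.0.0.1";` (placeholder; the subnet is not on the page). `"map to guest" = "bad user"` also turns logins with unknown usernames into guest sessions, although the single share is `"public" = "no"`; `"map to guest" = "never"` would match that. The avahi and samba-wsdd `openFirewall` settings in the same hunk deserve the same LAN-only consideration.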
From: =?UTF-8?q?Nikodem=20Rabuli=C5=84ski?= Date: Mon, 24 Feb 2025 23:06:01 +0100 Subject: [PATCH 09/21] hosts/youko/nas: sail the high seas --- hosts/youko/nas.nix | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/hosts/youko/nas.nix b/hosts/youko/nas.nix index 9017b8b..2e83912 100644 --- a/hosts/youko/nas.nix +++ b/hosts/youko/nas.nix @@ -88,4 +88,35 @@ }; }; }; + + services.jellyfin = { + enable = true; + openFirewall = true; + }; + services.radarr.enable = true; + # TODO: Remove once https://github.com/Sonarr/Sonarr/pull/7443 is merged + nixpkgs.config.permittedInsecurePackages = [ + "dotnet-sdk-6.0.428" + "aspnetcore-runtime-6.0.36" + ]; + services.sonarr.enable = true; + services.prowlarr.enable = true; + services.jellyseerr.enable = true; + services.deluge = { + enable = true; + web.enable = true; + config.download_location = "/media/deluge"; + }; + + users = { + users = { + jellyfin.extraGroups = [ + "radarr" + "sonarr" + ]; + radarr.extraGroups = [ "deluge" ]; + sonarr.extraGroups = [ "deluge" ]; + ${username}.extraGroups = [ "deluge" ]; + }; + }; } From 94b293acbb01ac335a9b12d0a9ef087e48d400cd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nikodem=20Rabuli=C5=84ski?= Date: Mon, 24 Feb 2025 23:08:34 +0100 Subject: [PATCH 10/21] modules/system/incus: initialize default profile --- modules/system/incus.nix | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/modules/system/incus.nix b/modules/system/incus.nix index 4313573..b46ab37 100644 --- a/modules/system/incus.nix +++ b/modules/system/incus.nix @@ -49,6 +49,23 @@ let }; } ]; + profiles = [ + { + devices = { + eth0 = { + name = "eth0"; + network = "incusbr0"; + type = "nic"; + }; + root = { + path = "/"; + pool = "default"; + type = "disk"; + }; + }; + name = "default"; + } + ]; }; }; networking = { From 21920907feeb8a1dba7e85068a32478560e1c4c4 Mon Sep 17 00:00:00 2001 
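Review bot: `services.deluge.config.download_location` is, per the NixOS option documentation as I recall it, only applied when `services.deluge.declarative = true`. This hunk does not set that, so the download path is probably ignored and the daemon starts with its stock configuration. Declarative mode also requires `authFile`, which would put the Deluge credentials under agenix like the other secrets in this repository: `declarative = true;` plus `authFile = config.age.secrets.<deluge-auth>.path;` (placeholder name; `config` would have to be added to the module arguments). Separately, the `permittedInsecurePackages` entries admit the end-of-life .NET 6 packages for everything evaluated on this host, not only Sonarr, so the TODO should state that both strings are removed together once the linked PR lands.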
From: =?UTF-8?q?Nikodem=20Rabuli=C5=84ski?= Date: Tue, 18 Mar 2025 22:05:47 +0100 Subject: [PATCH 11/21] hosts/youko: enable vmware --- hosts/youko/default.nix | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/hosts/youko/default.nix b/hosts/youko/default.nix index 9863b6e..3a2fe49 100644 --- a/hosts/youko/default.nix +++ b/hosts/youko/default.nix @@ -1,6 +1,11 @@ { configurations.nixos.youko = - { config, username, ... }: + { + config, + lib, + username, + ... + }: { imports = [ ./disks.nix @@ -31,6 +36,13 @@ virtualisation.podman.enable = true; hardware.keyboard.qmk.enable = true; + settei.unfree.allowedPackages = [ "vmware-workstation" ]; + virtualisation.vmware.host.enable = true; + environment.etc."vmware/config" = lib.mkForce { + source = "${config.virtualisation.vmware.host.package}/etc/vmware/config"; + text = null; + }; + networking.hostId = "b49ee8de"; }; } From b97f24c12c4f0848f9797209c8fb6e166643fdaf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nikodem=20Rabuli=C5=84ski?= Date: Tue, 18 Mar 2025 23:58:46 +0100 Subject: [PATCH 12/21] services/forgejo-runner: init --- secrets/forgejo-token.age | 9 ++++++++ secrets/secrets.nix | 5 +++++ services/default.nix | 1 + services/forgejo-runner.nix | 41 +++++++++++++++++++++++++++++++++++++ 4 files changed, 56 insertions(+) create mode 100644 secrets/forgejo-token.age create mode 100644 services/forgejo-runner.nix diff --git a/secrets/forgejo-token.age b/secrets/forgejo-token.age new file mode 100644 index 0000000..13f30a6 --- /dev/null +++ b/secrets/forgejo-token.age 
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 rA7dkQ tnp92QTb/uXAEizZuUrnaGcJCCkCSjIcE4RiQiYVdw8 +HXsRlqJSrDYaAeYslcR+g5KIQC1SUxFp+QdSHpKT61s +-> ssh-ed25519 IFuY+w LI7kx/XwfF0JU8tSmW75nxpeLTUkEfY8NunAZljafCc +f+WEjASZzP9ISv+7kPIMVNgEjdHUxVnLzUkqFHo4byY +-> ssh-ed25519 GKhvwg EZDwzHfhaY0iHHeIDvm6BIY64kPPUgKjZnNuuwwqoAw +FvZEeIqnsFA1fQka4R7sax1O13UZWoVbksSMLP3eEaA +--- XBBcs7w5J7w01fKGoAXVTgOffS9ajheUMz3vDsxHgTo +gؤRnlgÒA*%Yr 9}=L~f7Zgx >R}hQz`rZ \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index ef3acb5..57943fa 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -92,4 +92,9 @@ in keys.system.youko keys.other.bootstrap ]; + "forgejo-token.age".publicKeys = [ + keys.system.youko + keys.system.ude + keys.other.bootstrap + ]; } diff --git a/services/default.nix b/services/default.nix index d588ede..1837462 100644 --- a/services/default.nix +++ b/services/default.nix @@ -1,5 +1,6 @@ { imports = [ ./attic.nix + ./forgejo-runner.nix ]; } diff --git a/services/forgejo-runner.nix b/services/forgejo-runner.nix new file mode 100644 index 0000000..759ed59 --- /dev/null +++ b/services/forgejo-runner.nix 
@@ -0,0 +1,41 @@ +{ + services.forgejo-runner = { + hosts = [ + "ude" + "youko" + ]; + config = + { config, pkgs, ... }: + { + age.secrets.forgejo-runner-token.file = ../secrets/forgejo-token.age; + + services.gitea-actions-runner = { + package = pkgs.forgejo-actions-runner; + instances.default = { + enable = true; + name = config.networking.hostName; + url = "https://git.rab.lol"; + tokenFile = config.age.secrets.forgejo-runner-token.path; + settings = { + container.network = "bridge"; + }; + labels = [ + "ubuntu-latest:docker://node:16-bullseye" + "ubuntu-22.04:docker://node:16-bullseye" + "ubuntu-20.04:docker://node:16-bullseye" + "ubuntu-18.04:docker://node:16-buster" + "native:host" + "native-${pkgs.system}:host" + ]; + }; + }; + + virtualisation.podman = { + enable = true; + defaultNetwork.settings.dns_enabled = true; + }; + + networking.firewall.trustedInterfaces = [ "podman+" ]; + }; + }; +} From b7ee2ec2fff5660855765eae92a60261bf044775 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nikodem=20Rabuli=C5=84ski?= Date: Wed, 19 Mar 2025 17:40:09 +0100 Subject: [PATCH 13/21] ci: use forgejo runner --- .forgejo/workflows/build.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 .forgejo/workflows/build.yaml diff --git a/.forgejo/workflows/build.yaml b/.forgejo/workflows/build.yaml new file mode 100644 index 0000000..f3d8cb8 --- /dev/null +++ b/.forgejo/workflows/build.yaml @@ -0,0 +1,8 @@ +on: [push] + +jobs: + check: + runs-on: native + steps: + - uses: actions/checkout@v4 + - run: nix flake check From 00a797fd0976c8200072fe7af3afd74f2e6551cb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nikodem=20Rabuli=C5=84ski?= Date: Wed, 19 Mar 2025 17:49:52 +0100 Subject: [PATCH 14/21] services/forgejo-runner: add nix to path --- services/forgejo-runner.nix | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/services/forgejo-runner.nix b/services/forgejo-runner.nix index 759ed59..693d1d1 100644 --- a/services/forgejo-runner.nix 
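Review bot: `networking.firewall.trustedInterfaces = [ "podman+" ]` accepts all traffic from every podman interface, so a CI job container can reach any port listening on the host, including services deliberately not opened in the firewall. If the goal is only to let containers reach podman's DNS resolver (`dns_enabled = true`), opening port 53 on those interfaces is enough: `networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];` and the same for `allowedTCPPorts`. The `native:host` and `native-${pkgs.system}:host` labels run job steps directly on the host, so a comment stating which repositories are trusted to use them would be worth adding.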
+++ b/services/forgejo-runner.nix @@ -5,7 +5,12 @@ "youko" ]; config = - { config, pkgs, ... }: + { + config, + lib, + pkgs, + ... + }: { age.secrets.forgejo-runner-token.file = ../secrets/forgejo-token.age; @@ -19,6 +24,9 @@ settings = { container.network = "bridge"; }; + hostPackages = lib.mkOptionDefault [ + pkgs.nix + ]; labels = [ "ubuntu-latest:docker://node:16-bullseye" "ubuntu-22.04:docker://node:16-bullseye" From f3168cea0f4eaa07998e5e205fe9fb918754fbaf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nikodem=20Rabuli=C5=84ski?= Date: Wed, 19 Mar 2025 18:14:22 +0100 Subject: [PATCH 15/21] ci: trigger on prs --- .forgejo/workflows/build.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.forgejo/workflows/build.yaml b/.forgejo/workflows/build.yaml index f3d8cb8..c779660 100644 --- a/.forgejo/workflows/build.yaml +++ b/.forgejo/workflows/build.yaml @@ -1,4 +1,7 @@ -on: [push] +on: + push: + pull_request: + types: [opened, synchronize, reopened] jobs: check: From 008a38e3976d2e1ab971aea4bb1dd7084cfd767f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nikodem=20Rabuli=C5=84ski?= Date: Thu, 20 Mar 2025 22:54:32 +0100 Subject: [PATCH 16/21] ci: check all systems --- .forgejo/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.forgejo/workflows/build.yaml b/.forgejo/workflows/build.yaml index c779660..89693ab 100644 --- a/.forgejo/workflows/build.yaml +++ b/.forgejo/workflows/build.yaml @@ -8,4 +8,4 @@ jobs: runs-on: native steps: - uses: actions/checkout@v4 - - run: nix flake check + - run: nix flake check --all-systems From 16e8f3f0f4f54fb3ece2460f0950c7e18265aa72 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nikodem=20Rabuli=C5=84ski?= Date: Thu, 20 Mar 2025 22:53:47 +0100 Subject: [PATCH 17/21] flake.lock: update --- flake.lock | 142 +++++++++++++++---------------- flake.nix | 5 +- modules/home/unfree.nix | 4 +- modules/system/sane-defaults.nix | 4 +- 4 files changed, 76 insertions(+), 79 deletions(-) 
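Review bot: The new `pull_request` trigger in .forgejo/workflows/build.yaml runs the `check` job on `runs-on: native` for code taken from the PR branch. services/forgejo-runner.nix maps `native` to a `:host` label, so the steps execute on the runner host without container isolation. `nix flake check` evaluates and builds whatever the PR's flake defines, and depending on how Forgejo treats workflows from forks (not visible here) the PR may also change the steps themselves. Restricting PR runs to branches of this repository would limit that: `if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository` on the job, assuming Forgejo Actions evaluates these context fields as GitHub does. The job's steps lie outside this hunk.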
diff --git a/flake.lock b/flake.lock index f409834..c260a9c 100644 --- a/flake.lock +++ b/flake.lock @@ -47,11 +47,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1738514772, - "narHash": "sha256-ng38xM+7MfmoWYcQj6/Ejgt732nbFIDx14QvWVpG0d4=", + "lastModified": 1742497754, + "narHash": "sha256-fCM/cnenyg+HQ3Ek7uXu04UX/aXrHBD6BW93/rYWZHE=", "ref": "refs/heads/main", - "rev": "b691dd3a7746afd73e944db98c0b000c1424cd5e", - "revCount": 362, + "rev": "af9d18efe24894a63c39d37bc0d2ddbea413aaa8", + "revCount": 366, "type": "git", "url": "https://git.lix.systems/nrabulinski/attic.git" }, @@ -79,11 +79,11 @@ "conduit-src": { "flake": false, "locked": { - "lastModified": 1730678249, - "narHash": "sha256-Xn1BnCbwbRFhqcFJ4GvSmB+H509fiHFhTJcpi4G+2oo=", + "lastModified": 1742005420, + "narHash": "sha256-v4LCx7VUZ+8Hy1+6ziREVY/QEADjZbo8c0h9eU7nMVY=", "owner": "famedly", "repo": "conduit", - "rev": "e952522a39883e4431e74c42cef3d9bc562752f8", + "rev": "063d13a0e10619f17bc21f0dd291c5a733581394", "type": "gitlab" }, "original": { @@ -95,11 +95,11 @@ }, "crane": { "locked": { - "lastModified": 1737689766, - "narHash": "sha256-ivVXYaYlShxYoKfSo5+y5930qMKKJ8CLcAoIBPQfJ6s=", + "lastModified": 1742394900, + "narHash": "sha256-vVOAp9ahvnU+fQoKd4SEXB2JG2wbENkpqcwlkIXgUC0=", "owner": "ipetkov", "repo": "crane", - "rev": "6fe74265bbb6d016d663b1091f015e2976c4a527", + "rev": "70947c1908108c0c551ddfd73d4f750ff2ea67cd", "type": "github" }, "original": { @@ -115,15 +115,16 @@ ] }, "locked": { - "lastModified": 1738277753, - "narHash": "sha256-iyFcCOk0mmDiv4ut9mBEuMxMZIym3++0qN1rQBg8FW0=", + "lastModified": 1742382197, + "narHash": "sha256-5OtFbbdKAkWDVuzjs1J9KwdFuDxsEvz0FZX3xR2jEUM=", "owner": "lnl7", "repo": "nix-darwin", - "rev": "49b807fa7c37568d7fbe2aeaafb9255c185412f9", + "rev": "643b57fd32135769f809913663130a95fe6db49e", "type": "github" }, "original": { "owner": "lnl7", + "ref": "refs/pull/1335/merge", "repo": "nix-darwin", "type": "github" } 
@@ -135,11 +136,11 @@ ] }, "locked": { - "lastModified": 1738148035, - "narHash": "sha256-KYOATYEwaKysL3HdHdS5kbQMXvzS4iPJzJrML+3TKAo=", + "lastModified": 1741786315, + "narHash": "sha256-VT65AE2syHVj6v/DGB496bqBnu1PXrrzwlw07/Zpllc=", "owner": "nix-community", "repo": "disko", - "rev": "18d0a984cc2bc82cf61df19523a34ad463aa7f54", + "rev": "0d8c6ad4a43906d14abd5c60e0ffe7b587b213de", "type": "github" }, "original": { @@ -156,11 +157,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1738564312, - "narHash": "sha256-awAp1Qe+c95PQxP7v+Zfse+w3URaP3UQLCRlaPMzYtE=", + "lastModified": 1742452566, + "narHash": "sha256-sVuLDQ2UIWfXUBbctzrZrXM2X05YjX08K7XHMztt36E=", "owner": "nix-community", "repo": "fenix", - "rev": "d99d2a562b9c9d5f0e4399e5bb677b37a791c7eb", + "rev": "7d9ba794daf5e8cc7ee728859bc688d8e26d5f06", "type": "github" }, "original": { @@ -176,11 +177,11 @@ ] }, "locked": { - "lastModified": 1738544198, - "narHash": "sha256-bdGeUx6SBs37wQ6gHo5m+apn5Uze2fVz/oYfkD6DKUA=", + "lastModified": 1742432361, + "narHash": "sha256-FlqTrkzSn6oPR5iJTPsCQDd0ioMGzzxnPB+2wve9W2w=", "owner": "bandithedoge", "repo": "nixpkgs-firefox-darwin", - "rev": "6a14fbdbc697c7f1c93376ecbed4b095ccc55f00", + "rev": "c868ff433ea5123e837a62ae689543045187d7a4", "type": "github" }, "original": { @@ -245,11 +246,11 @@ ] }, "locked": { - "lastModified": 1738453229, - "narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=", + "lastModified": 1741352980, + "narHash": "sha256-+u2UunDA4Cl5Fci3m7S643HzKmIDAe+fiXrLqYsR2fs=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd", + "rev": "f4330d22f1c5d2ba72d3d22df5597d123fdb60a9", "type": "github" }, "original": { 
@@ -265,11 +266,11 @@ ] }, "locked": { - "lastModified": 1738453229, - "narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=", + "lastModified": 1741352980, + "narHash": "sha256-+u2UunDA4Cl5Fci3m7S643HzKmIDAe+fiXrLqYsR2fs=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd", + "rev": "f4330d22f1c5d2ba72d3d22df5597d123fdb60a9", "type": "github" }, "original": { @@ -386,9 +387,6 @@ }, "helix": { "inputs": { - "crane": [ - "crane" - ], "flake-utils": "flake-utils", "nixpkgs": [ "nixpkgs" @@ -396,11 +394,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1738547365, - "narHash": "sha256-4GrVwyIZKx14eVG8TZMKmgyw8v3TuETPrLvYkFNqlyc=", + "lastModified": 1742479163, + "narHash": "sha256-YC0zdGyZMu7seA2Jm1mxtcxE4lSeVwvCPMfWzJ8+o/c=", "owner": "helix-editor", "repo": "helix", - "rev": "066e938ba083c0259ff411b681eca7bad30980df", + "rev": "b7d735ffe66a03ab5970e5f860923aada50d4e4c", "type": "github" }, "original": { @@ -416,11 +414,11 @@ ] }, "locked": { - "lastModified": 1738448366, - "narHash": "sha256-4ATtQqBlgsGqkHTemta0ydY6f7JBRXz4Hf574NHQpkg=", + "lastModified": 1742501496, + "narHash": "sha256-LYwyZmhckDKK7i4avmbcs1pBROpOaHi98lbjX1fmVpU=", "owner": "nix-community", "repo": "home-manager", - "rev": "18fa9f323d8adbb0b7b8b98a8488db308210ed93", + "rev": "d725df5ad8cee60e61ee6fe3afb735e4fbc1ff41", "type": "github" }, "original": { @@ -432,11 +430,11 @@ "lix": { "flake": false, "locked": { - "lastModified": 1738446528, - "narHash": "sha256-NYL/r7EXSyYP7nXuYGvGYMI9QtztGjVaKKofBt/pCv8=", + "lastModified": 1742411066, + "narHash": "sha256-8vXOKPQFRzTjapsRnTJ1nuFjUfC+AGI2ybdK5cAEHZ8=", "ref": "refs/heads/main", - "rev": "a51380645f61b33d37a536b596d16c481f7b84a6", - "revCount": 17342, + "rev": "2491b7cc2128ee440d24768c4521c38b1859fc28", + "revCount": 17705, "type": "git", "url": "https://git.lix.systems/lix-project/lix.git" }, 
@@ -457,11 +455,11 @@ ] }, "locked": { - "lastModified": 1738176840, - "narHash": "sha256-NG3IRvRs3u3btVCN861FqHvgOwqcNT/Oy6PBG86F5/E=", + "lastModified": 1741894565, + "narHash": "sha256-2FD0NDJbEjUHloVrtEIms5miJsj1tvQCc/0YK5ambyc=", "ref": "refs/heads/main", - "rev": "621aae0f3cceaffa6d73a4fb0f89c08d338d729e", - "revCount": 133, + "rev": "a6da43f8193d9e329bba1795c42590c27966082e", + "revCount": 136, "type": "git", "url": "https://git.lix.systems/lix-project/nixos-module.git" }, @@ -480,11 +478,11 @@ "nixpkgs-24_11": "nixpkgs-24_11" }, "locked": { - "lastModified": 1737736848, - "narHash": "sha256-VrUfCXBXYV+YmQ2OvVTeML9EnmaPRtH+POrNIcJp6yo=", + "lastModified": 1742413977, + "narHash": "sha256-NkhM9GVu3HL+MiXtGD0TjuPCQ4GFVJPBZ8KyI2cFDGU=", "owner": "simple-nixos-mailserver", "repo": "nixos-mailserver", - "rev": "6b425d13f5a9d73cb63973d3609acacef4d1e261", + "rev": "b4fbffe79c00f19be94b86b4144ff67541613659", "type": "gitlab" }, "original": { @@ -609,11 +607,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1738452225, - "narHash": "sha256-Qmwx3FXM0x0pdjibwTk/uRbayqDrs3EwmRJe7tQWu48=", + "lastModified": 1742395137, + "narHash": "sha256-WWNNjCSzQCtATpCFEijm81NNG1xqlLMVbIzXAiZysbs=", "owner": "nixos", "repo": "nixpkgs", - "rev": "6c4e0724e0a785a20679b1bca3a46bfce60f05b6", + "rev": "2a725d40de138714db4872dc7405d86457aa17ad", "type": "github" }, "original": { @@ -632,11 +630,11 @@ "nvidia-patch-src": "nvidia-patch-src" }, "locked": { - "lastModified": 1736930913, - "narHash": "sha256-f7v5s924/CiDCW7j/SEvefwm6Jb07zQWYShJ+FIYS0A=", + "lastModified": 1742460640, + "narHash": "sha256-Qks0TRMOiuVKjcSPkg251Q2/wdU5ooMt4b2f2numPzg=", "owner": "arcnmx", "repo": "nvidia-patch.nix", - "rev": "6ca6f8dd2139b9c01049de29979c1c0db157a647", + "rev": "c85990250376300fe11413e22458911f408f64d0", "type": "github" }, "original": { 
@@ -648,11 +646,11 @@ "nvidia-patch-src": { "flake": false, "locked": { - "lastModified": 1736882949, - "narHash": "sha256-s1qtdm0UGd4uImNts42W5hT6W1nOVz8eTyBF37QlUfc=", + "lastModified": 1742384429, + "narHash": "sha256-5O0TXVrLsFrULXli2vB2iJ7TECUckMHKvJZYmdkcnGE=", "owner": "keylase", "repo": "nvidia-patch", - "rev": "0837f46dfe25b6e750abc7e601032bdd12c70be0", + "rev": "07080317245ac30c38001d2149810b2dee3cce1f", "type": "github" }, "original": { @@ -710,11 +708,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1738488035, - "narHash": "sha256-sLLW0S7OGlFYgNvAQnqWK1Ws5V1YNGvfXHdWoZ91CeI=", + "lastModified": 1742296961, + "narHash": "sha256-gCpvEQOrugHWLimD1wTFOJHagnSEP6VYBDspq96Idu0=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "f3998f7f8a197596c5edf72e937996e6674b423b", + "rev": "15d87419f1a123d8f888d608129c3ce3ff8f13d4", "type": "github" }, "original": { @@ -732,11 +730,11 @@ ] }, "locked": { - "lastModified": 1737599167, - "narHash": "sha256-S2rHCrQWCDVp63XxL/AQbGr1g5M8Zx14C7Jooa4oM8o=", + "lastModified": 1740623427, + "narHash": "sha256-3SdPQrZoa4odlScFDUHd4CUPQ/R1gtH4Mq9u8CBiK8M=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "38374302ae9edf819eac666d1f276d62c712dd06", + "rev": "d342e8b5fd88421ff982f383c853f0fc78a847ab", "type": "github" }, "original": { @@ -753,11 +751,11 @@ ] }, "locked": { - "lastModified": 1737166965, - "narHash": "sha256-vlDROBAgq+7PEVM0vaS2zboY6DXs3oKK0qW/1dVuFs4=", + "lastModified": 1739240901, + "narHash": "sha256-YDtl/9w71m5WcZvbEroYoWrjECDhzJZLZ8E68S3BYok=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "fc839c9d5d1ebc789b4657c43c4d54838c7c01de", + "rev": "03473e2af8a4b490f4d2cdb2e4d3b75f82c8197c", "type": "github" }, "original": { 
@@ -851,11 +849,11 @@ ] }, "locked": { - "lastModified": 1738070913, - "narHash": "sha256-j6jC12vCFsTGDmY2u1H12lMr62fnclNjuCtAdF1a4Nk=", + "lastModified": 1742370146, + "narHash": "sha256-XRE8hL4vKIQyVMDXykFh4ceo3KSpuJF3ts8GKwh5bIU=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "bebf27d00f7d10ba75332a0541ac43676985dea3", + "rev": "adc195eef5da3606891cedf80c0d9ce2d3190808", "type": "github" }, "original": { @@ -923,11 +921,11 @@ "rust-overlay": "rust-overlay_2" }, "locked": { - "lastModified": 1738084440, - "narHash": "sha256-sARyUquyuNapFbICL/PJEhcDgBzpxTcHUNw8R/xL1iA=", + "lastModified": 1741803511, + "narHash": "sha256-DcCGBWvAvt+OWI+EcPRO+/IXZHkFgPxZUmxf2VLl8no=", "owner": "dj95", "repo": "zjstatus", - "rev": "096dc72a909fd0fb34768a98354aad6207002671", + "rev": "df9c77718f7023de8406e593eda6b5b0bc09cddd", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index f2007c6..217b7cc 100644 --- a/flake.nix +++ b/flake.nix @@ -86,7 +86,9 @@ inputs.nixpkgs.follows = "nixpkgs"; }; darwin = { - url = "github:lnl7/nix-darwin"; + # TODO: Move back once https://github.com/LnL7/nix-darwin/issues/1392 is resolved + # url = "github:lnl7/nix-darwin"; + url = "github:lnl7/nix-darwin?ref=refs/pull/1335/merge"; inputs.nixpkgs.follows = "nixpkgs"; }; agenix = { @@ -147,7 +149,6 @@ helix = { url = "github:helix-editor/helix"; inputs.nixpkgs.follows = "nixpkgs"; - inputs.crane.follows = "crane"; }; zjstatus = { url = "github:dj95/zjstatus"; diff --git a/modules/home/unfree.nix b/modules/home/unfree.nix index cd2060c..b551f32 100644 --- a/modules/home/unfree.nix +++ b/modules/home/unfree.nix @@ -1,5 +1,5 @@ # Copy of modules/system/unfree.nix -{ config, lib, ... }: +args@{ config, lib, ... }: { _file = ./unfree.nix; @@ -11,7 +11,7 @@ }; }; - config = { + config = lib.mkIf (!args ? osConfig) { nixpkgs.config.allowUnfreePredicate = lib.mkForce ( pkg: builtins.elem (lib.getName pkg) config.settei.unfree.allowedPackages ); 
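Review bot: The `darwin` input in flake.nix now tracks `refs/pull/1335/merge`, a ref that GitHub regenerates whenever the pull request or its base branch changes, so each `nix flake update` takes whatever the PR author has pushed by then. flake.lock pins the current revision, which limits the exposure to update time, but pinning the input itself makes the intent explicit: `url = "github:lnl7/nix-darwin/643b57fd32135769f809913663130a95fe6db49e";` (the rev recorded in this commit's flake.lock). The existing TODO can stay as the reminder to return to the default branch.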
diff --git a/modules/system/sane-defaults.nix b/modules/system/sane-defaults.nix index 918b34d..ae4a097 100644 --- a/modules/system/sane-defaults.nix +++ b/modules/system/sane-defaults.nix @@ -52,7 +52,6 @@ let experimental-features = [ "nix-command" "flakes" - "repl-flake" "auto-allocate-uids" ]; trusted-users = lib.optionals (!adminNeedsPassword) [ username ]; @@ -117,9 +116,8 @@ let darwinConfig = lib.optionalAttrs (!isLinux) { system.stateVersion = 4; - services.nix-daemon.enable = true; - security.pam.enableSudoTouchIdAuth = true; + security.pam.services.sudo_local.touchIdAuth = true; users.users.${username}.home = "/Users/${username}"; # Every macOS ARM machine can emulate x86. From cdfd00a99ce456a2b1c639251a5802981f37a44f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nikodem=20Rabuli=C5=84ski?= Date: Fri, 21 Mar 2025 23:31:18 +0100 Subject: [PATCH 18/21] modules/home/desktop/zellij: disable shell integrations --- modules/home/desktop/zellij.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/home/desktop/zellij.nix b/modules/home/desktop/zellij.nix index b5c34d0..3a4a025 100644 --- a/modules/home/desktop/zellij.nix +++ b/modules/home/desktop/zellij.nix @@ -3,7 +3,12 @@ # TODO: Move zellij to a wrapper programs.zellij = { enable = true; + enableBashIntegration = false; + enableFishIntegration = false; + enableZshIntegration = false; settings = { + default_layout = "compacter"; + show_startup_tips = false; keybinds = { shared_except = { _args = [ "locked" ]; From 33d26822457edb54230f6b08f9ceba22edd291dd Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Nikodem=20Rabuli=C5=84ski?= Date: Tue, 4 Feb 2025 23:29:50 +0100 Subject: [PATCH 19/21] services/kanidm: init --- secrets/kanidm-admin-pass.age | 7 +++ secrets/kanidm-idm-admin-pass.age | 8 +++ secrets/secrets.nix | 8 +++ services/default.nix | 1 + services/kanidm.nix | 85 +++++++++++++++++++++++++++++++ 5 files changed, 109 insertions(+) create mode 100644 secrets/kanidm-admin-pass.age create mode 100644 secrets/kanidm-idm-admin-pass.age create mode 100644 services/kanidm.nix diff --git a/secrets/kanidm-admin-pass.age b/secrets/kanidm-admin-pass.age new file mode 100644 index 0000000..2b229b2 --- /dev/null +++ b/secrets/kanidm-admin-pass.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 84j9mw W4+Z4WjOyUl4mWPqVykNWRhf2/8qfVOSM7QCFPNMZTA +0ndQjslMwjQqguN25nBQtCchpCLhoD/vrxh1yNVeTNw +-> ssh-ed25519 GKhvwg H8XcFJDZTA3IzxmK6wbB+PVM2gCZ4ysAPjL5j0LgeE0 +kehTMRIVOZ5ubtO7w8WF+gU3sjYXMQtd5hH+wcv3uSE +--- 72ntrRbWq8pdkk/GrsVupTttfY9t+w3l+2KQbQyNn/I +iyd$vVl TK$4G[MI[#tz:r9~ESA6}׵ \ No newline at end of file diff --git a/secrets/kanidm-idm-admin-pass.age b/secrets/kanidm-idm-admin-pass.age new file mode 100644 index 0000000..0eac321 --- /dev/null +++ b/secrets/kanidm-idm-admin-pass.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 84j9mw 8zYeVXx36dpC8TxMdoM1GdERoNNj902KwTF4h/r4inM +n3mYra0BeM4gWsZ7Roilu14o/GajX1iWw0fcy0q31yc +-> ssh-ed25519 GKhvwg cqd7YmVpbxqZxaVluHDZ8Yw0gNfJCKMmoWa4mEoXym8 +Gbcj+PJaqyPRRGX4olr7mmJ5IoEGlQaogYbj7i9E/98 +--- LoQPWI+m8s3NjalUh0+xdW54c8lgddBmhPoIiPbmR8I +Җ܉Y +9!42DVP9N]G;?ЉS ' \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 57943fa..552e4e3 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -97,4 +97,12 @@ in keys.system.ude keys.other.bootstrap ]; + "kanidm-admin-pass.age".publicKeys = [ + keys.system.kazuki + keys.other.bootstrap + ]; + "kanidm-idm-admin-pass.age".publicKeys = [ + keys.system.kazuki + keys.other.bootstrap + ]; } 
diff --git a/services/default.nix b/services/default.nix index 1837462..8cf5ccf 100644 --- a/services/default.nix +++ b/services/default.nix @@ -2,5 +2,6 @@ imports = [ ./attic.nix ./forgejo-runner.nix + ./kanidm.nix ]; } diff --git a/services/kanidm.nix b/services/kanidm.nix new file mode 100644 index 0000000..b288e14 --- /dev/null +++ b/services/kanidm.nix 
@@ -0,0 +1,85 @@ +{ + services.kanidm = + let + port = 8443; + domain = "auth.rabulinski.com"; + in + { + host = "kazuki"; + ports = [ port ]; + config = + { config, pkgs, ... }: + let + cert = config.security.acme.certs.${domain}; + in + { + age.secrets.rabulinski-com-cf = { + file = ../secrets/rabulinski-com-cf.age; + owner = config.services.nginx.user; + }; + age.secrets.kanidm-admin-pass = { + file = ../secrets/kanidm-admin-pass.age; + owner = "kanidm"; + }; + age.secrets.kanidm-idm-admin-pass = { + file = ../secrets/kanidm-idm-admin-pass.age; + owner = "kanidm"; + }; + + services.kanidm = { + enableServer = true; + package = pkgs.kanidmWithSecretProvisioning; + serverSettings = { + bindaddress = "127.0.0.1:${toString port}"; + inherit domain; + origin = "https://${domain}"; + trust_x_forward_for = true; + tls_chain = "${cert.directory}/fullchain.pem"; + tls_key = "${cert.directory}/key.pem"; + }; + provision = { + enable = true; + idmAdminPasswordFile = config.age.secrets.kanidm-idm-admin-pass.path; + adminPasswordFile = config.age.secrets.kanidm-admin-pass.path; + }; + }; + + systemd.services.kanidm.serviceConfig = { + SupplementaryGroups = [ cert.group ]; + }; + + users.users.nginx.extraGroups = [ "acme" ]; + networking.firewall.allowedTCPPorts = [ + 80 + 443 + ]; + + services.nginx = { + enable = true; + recommendedProxySettings = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedTlsSettings = true; + virtualHosts."auth.rabulinski.com" = { + forceSSL = true; + enableACME = true; + acmeRoot = null; + locations."/" = { + proxyPass = "https://localhost:${toString port}"; + proxyWebsockets = true; + extraConfig = '' + proxy_ssl_verify off; + proxy_ssl_name ${domain}; + ''; + }; + }; + }; + + security.acme.certs.${domain} = { + dnsProvider = "cloudflare"; + credentialsFile = config.age.secrets.rabulinski-com-cf.path; + reloadServices = [ "kanidm" ]; + }; + }; + }; +} 
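Review bot: `proxy_ssl_verify off;` in the nginx `extraConfig` disables certificate checking towards kanidm, which leaves the `proxy_ssl_name ${domain};` line beside it with nothing to verify against. kanidm serves the ACME certificate for that same domain (`tls_chain`), so verification can be kept on: `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;`. The hop is loopback-only, so this is hardening rather than an open hole. For the same reason `trust_x_forward_for = true` is only safe while `bindaddress` stays on 127.0.0.1, which deserves a comment next to it.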
From 1a62c97de423f662850044c0cab7e7c1adcac375 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nikodem=20Rabuli=C5=84ski?= Date: Wed, 5 Feb 2025 16:28:31 +0100 Subject: [PATCH 20/21] services/forgejo: move from hosts/kazuki --- hosts/kazuki/default.nix | 1 - hosts/kazuki/forgejo.nix | 62 ------------------------------------ services/default.nix | 1 + services/forgejo.nix | 69 ++++++++++++++++++++++++++++++++++++++++ 4 files changed, 70 insertions(+), 63 deletions(-) delete mode 100644 hosts/kazuki/forgejo.nix create mode 100644 services/forgejo.nix diff --git a/hosts/kazuki/default.nix b/hosts/kazuki/default.nix index df92f1c..8464cb5 100644 --- a/hosts/kazuki/default.nix +++ b/hosts/kazuki/default.nix @@ -15,7 +15,6 @@ ./storage.nix ./ntfy.nix ./zitadel.nix - ./forgejo.nix ./prometheus.nix ]; diff --git a/hosts/kazuki/forgejo.nix b/hosts/kazuki/forgejo.nix deleted file mode 100644 index 9f200e2..0000000 --- a/hosts/kazuki/forgejo.nix +++ /dev/null 
@@ -1,62 +0,0 @@ -{ config, ... }: -{ - age.secrets.rab-lol-cf = { - file = ../../secrets/rab-lol-cf.age; - owner = config.services.nginx.user; - }; - - services.forgejo = { - enable = true; - settings = { - server = { - DOMAIN = "git.rab.lol"; - ROOT_URL = "https://git.rab.lol/"; - }; - oauth2_client = { - REGISTER_EMAIL_CONFIRM = false; - ENABLE_AUTO_REGISTRATION = true; - ACCOUNT_LINKING = "auto"; - UPDATE_AVATAR = true; - }; - service = { - DISABLE_REGISTRATION = false; - ALLOW_ONLY_INTERNAL_REGISTRATION = false; - ALLOW_ONLY_EXTERNAL_REGISTRATION = true; - }; - federation.ENABLED = true; - }; - repositoryRoot = "/storage-box/forgejo/repos"; - lfs = { - enable = true; - contentDir = "/storage-box/forgejo/lfs"; - }; - }; - - services.nginx = { - enable = true; - recommendedProxySettings = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedTlsSettings = true; - virtualHosts."git.rab.lol" = { - forceSSL = true; - enableACME = true; - acmeRoot = null; - locations."/" = { - proxyPass = "http://127.0.0.1:3000"; - extraConfig = '' - proxy_set_header Connection $http_connection; - proxy_set_header Upgrade $http_upgrade; - ''; - }; - }; - }; - - users.users.nginx.extraGroups = [ "acme" ]; - security.acme.acceptTerms = true; - security.acme.certs."git.rab.lol" = { - dnsProvider = "cloudflare"; - credentialsFile = config.age.secrets.rab-lol-cf.path; - email = "nikodem@rabulinski.com"; - }; -} diff --git a/services/default.nix b/services/default.nix index 8cf5ccf..6da3b28 100644 --- a/services/default.nix +++ b/services/default.nix @@ -3,5 +3,6 @@ ./attic.nix ./forgejo-runner.nix ./kanidm.nix + ./forgejo.nix ]; } diff --git a/services/forgejo.nix b/services/forgejo.nix new file mode 100644 index 0000000..2f69a55 --- /dev/null +++ b/services/forgejo.nix 
@@ -0,0 +1,69 @@
+{
+ services.forgejo = {
+ host = "kazuki";
+ ports = [ 3000 ];
+ config =
+ { config, ... }:
+ {
+ age.secrets.rab-lol-cf = {
+ file = ../secrets/rab-lol-cf.age;
+ owner = config.services.nginx.user;
+ };
+
+ services.forgejo = {
+ enable = true;
+ settings = {
+ server = {
+ DOMAIN = "git.rab.lol";
+ ROOT_URL = "https://git.rab.lol/";
+ };
+ oauth2_client = {
+ REGISTER_EMAIL_CONFIRM = false;
+ ENABLE_AUTO_REGISTRATION = true;
+ ACCOUNT_LINKING = "auto";
+ UPDATE_AVATAR = true;
+ };
+ service = {
+ DISABLE_REGISTRATION = false;
+ ALLOW_ONLY_INTERNAL_REGISTRATION = false;
+ ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+ };
+ federation.ENABLED = true;
+ };
+ repositoryRoot = "/storage-box/forgejo/repos";
+ lfs = {
+ enable = true;
+ contentDir = "/storage-box/forgejo/lfs";
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ virtualHosts."git.rab.lol" = {
+ forceSSL = true;
+ enableACME = true;
+ acmeRoot = null;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:3000";
+ extraConfig = ''
+ proxy_set_header Connection $http_connection;
+ proxy_set_header Upgrade $http_upgrade;
+ '';
+ };
+ };
+ };
+
+ users.users.nginx.extraGroups = [ "acme" ];
+ security.acme.acceptTerms = true;
+ security.acme.certs."git.rab.lol" = {
+ dnsProvider = "cloudflare";
+ credentialsFile = config.age.secrets.rab-lol-cf.path;
+ email = "nikodem@rabulinski.com";
+ };
+ };
+ };
+}
From ae66e9fd21f49e75ddbb120be62e34a965578a70 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nikodem=20Rabuli=C5=84ski?=
Date: Tue, 4 Mar 2025 13:47:56 +0100
Subject: [PATCH 21/21] modules/system/containers: enable nat for container interfaces
---
 modules/system/containers.nix | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/modules/system/containers.nix b/modules/system/containers.nix
index a0942f9..26e7e7e 100644
--- a/modules/system/containers.nix
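Review bot: `ACCOUNT_LINKING = "auto";` in the `oauth2_client` block lets an external login attach itself to an existing Forgejo account purely because the identity provider reports a matching username or e-mail, and with `ENABLE_AUTO_REGISTRATION = true` and `REGISTER_EMAIL_CONFIRM = false` nothing on the Forgejo side re-checks that claim. The values are carried over unchanged from hosts/kazuki/forgejo.nix, but the move is a good moment to either switch to `ACCOUNT_LINKING = "login";`, which asks for the local account's credentials before linking, or add a comment naming the one trusted provider and stating that it verifies e-mail addresses. Separately, `server` sets no `HTTP_ADDR`, so whether port 3000 is reachable other than through the nginx proxy depends on the module default and on what the new `ports = [ 3000 ];` wrapper does with it, which is not visible here; if nothing else needs to reach the backend directly, `HTTP_ADDR = "127.0.0.1";` would pin it to loopback.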
+++ b/modules/system/containers.nix @@ -85,6 +85,12 @@ let services.openssh.hostKeys = [ ]; system.stateVersion = lib.mkDefault config.system.stateVersion; + + networking.useHostResolvConf = false; + networking.nameservers = [ + "1.1.1.1" + "1.0.0.1" + ]; }; bindMounts = { @@ -95,6 +101,11 @@ let privateNetwork = lib.mkForce true; } ) config.settei.containers; + + networking.nat = lib.mkIf (config.settei.containers != { }) { + enable = true; + internalInterfaces = [ "ve-+" ]; + }; }; darwinConfig = lib.optionalAttrs (!isLinux) {
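Review bot: The added `networking.nameservers` list is set without `lib.mkDefault`, unlike `system.stateVersion` just above it, so a container that declares its own resolver gets the two lists merged and may still send queries to 1.1.1.1 and 1.0.0.1. Together with `networking.useHostResolvConf = false` this sends every container's lookups in plaintext to a public resolver, past whatever filtering, logging or internal zones the host's resolver provides. I would write `networking.nameservers = lib.mkDefault [ "1.1.1.1" "1.0.0.1" ];` and add a comment saying why the host's resolv.conf is not used. The enclosing attribute set starts before this hunk.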
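Review bot: `networking.nat` is enabled with `internalInterfaces = [ "ve-+" ]` and no `externalInterface`, so traffic from every container veth is masqueraded out of whichever interface the host routes it through, including any LAN or VPN link the host happens to have. Since `privateNetwork` is forced to true just above, this block is what gives otherwise isolated containers outbound reach, and that deserves to be explicit. I would either limit masquerading to the uplink with `externalInterface = "<uplink-interface>";` (placeholder name) or add a comment such as `# containers get unrestricted egress via the host; filter forwarding per container if that is too broad`. The surrounding `let` binding starts and ends outside the hunk.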