diff --git a/TODO.md b/TODO.md index 934eb1f..ddf853c 100644 --- a/TODO.md +++ b/TODO.md @@ -1,14 +1,15 @@ # Todo +## desktop + * clickup (package https://nixos.org/manual/nixpkgs/stable/#sec-pkgs-appimageTools) * curseforge (package) -* deezer (mpd / mopidy) * mail (thunderbird / mailspring / prospect-mail) +* assign windows to right desktop +* autostart standard tools on desktops -# Maybe +## server -* hexchat (irc client) -* irssi (irc client) -* kitty (terminal) -* mangohud (fps overlay) -* ncmpcpp (mpd client) +* coredns for private domain names +* nfs server on asgard +* mount nfs volumes on utgard diff --git a/flake.lock b/flake.lock index 0cbb57c..335747a 100644 --- a/flake.lock +++ b/flake.lock @@ -20,6 +20,26 @@ "type": "github" } }, + "arion": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1654878283, + "narHash": "sha256-JWdKBMzEibS2neY0nEs9E8kn4zRepEbwSw7HzxbEiAg=", + "owner": "hercules-ci", + "repo": "arion", + "rev": "e5fb978143240f8d293e6e5acc9691acf472928d", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "arion", + "type": "github" + } + }, "deployrs": { "inputs": { "flake-compat": "flake-compat", @@ -60,16 +80,15 @@ }, "hardware": { "locked": { - "lastModified": 1664387039, - "narHash": "sha256-RlSksOo/OUwBXus7qnS84mzjNwO3cRgHbdF0KzATPlw=", + "lastModified": 1665987993, + "narHash": "sha256-MvlaIYTRiqefG4dzI5p6vVCfl+9V8A1cPniUjcn6Ngc=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "203dd7d7b9361c92579f086581f278f2707bcd76", + "rev": "0e6593630071440eb89cd97a52921497482b22c6", "type": "github" }, "original": { "owner": "nixos", - "ref": "master", "repo": "nixos-hardware", "type": "github" } 
@@ -78,30 +97,30 @@ "inputs": { "nixpkgs": [ "nixpkgs" - ] + ], + "utils": "utils_2" }, "locked": { - "lastModified": 1656169755, - "narHash": "sha256-Nlnm4jeQWEGjYrE6hxi/7HYHjBSZ/E0RtjCYifnNsWk=", + "lastModified": 1664783440, + "narHash": "sha256-KlMwR7mUf5h8MPnzV7nGFUAt6ih/euW5xgvZ5x+hwvI=", "owner": "nix-community", "repo": "home-manager", - "rev": "4a3d01fb53f52ac83194081272795aa4612c2381", + "rev": "e4e639dd4dc3e431aa5b5f95325f9a66ac7e0dd9", "type": "github" }, "original": { "owner": "nix-community", - "ref": "release-22.05", "repo": "home-manager", "type": "github" } }, "nixpkgs": { "locked": { - "lastModified": 1664281702, - "narHash": "sha256-haixZ4TJLu1Dciow54wrHrHvlGDVr5sW6MTeAV/ZLuI=", + "lastModified": 1664780719, + "narHash": "sha256-Oxe6la5dSqRfJogjtY4sRzJjDDqvroJIVkcGEOT87MA=", "owner": "nixos", "repo": "nixpkgs", - "rev": "7e52b35fe98481a279d89f9c145f8076d049d2b9", + "rev": "fd54651f5ffb4a36e8463e0c327a78442b26cbe7", "type": "github" }, "original": { @@ -113,11 +132,11 @@ }, "nur": { "locked": { - "lastModified": 1664400119, - "narHash": "sha256-G6gKRK9uOk7kt1uWCzmyuLB/qdQtGO8mxjs/dtTIr9A=", + "lastModified": 1664894790, + "narHash": "sha256-FAixnreJ0bXzK/m5a9KsC5XoiZFHqC4le0tseldsHZc=", "owner": "nix-community", "repo": "NUR", - "rev": "e378da2e2cd205a55a0203b91162fefba04087e6", + "rev": "529b4b6fc32b428cd07cc2a11abf728bdc59b4e5", "type": "github" }, "original": { @@ -129,12 +148,13 @@ "root": { "inputs": { "agenix": "agenix", + "arion": "arion", "deployrs": "deployrs", "hardware": "hardware", "homemanager": "homemanager", "nixpkgs": "nixpkgs", "nur": "nur", - "utils": "utils_2" + "utils": "utils_3" } }, "utils": { 
@@ -166,6 +186,21 @@ "repo": "flake-utils", "type": "github" } + }, + "utils_3": { + "locked": { + "lastModified": 1659877975, + "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 0ff1394..95345ee 100644 --- a/flake.nix +++ b/flake.nix @@ -6,10 +6,6 @@ url = "github:nixos/nixpkgs/nixos-unstable"; }; - hardware = { - url = "github:nixos/nixos-hardware/master"; - }; - nur = { url = "github:nix-community/NUR"; }; @@ -18,23 +14,32 @@ url = "github:numtide/flake-utils"; }; - deployrs = { - url = "github:serokell/deploy-rs"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - agenix = { url = "github:ryantm/agenix"; inputs.nixpkgs.follows = "nixpkgs"; }; homemanager = { - url = "github:nix-community/home-manager/release-22.05"; + url = "github:nix-community/home-manager"; inputs.nixpkgs.follows = "nixpkgs"; }; + + deployrs = { + url = "github:serokell/deploy-rs"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + arion = { + url = "github:hercules-ci/arion"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + hardware = { + url = "github:nixos/nixos-hardware"; + }; }; - outputs = { self, nixpkgs, hardware, nur, utils, deployrs, agenix, homemanager, ... }@inputs: + outputs = { self, nixpkgs, nur, utils, agenix, homemanager, deployrs, arion, hardware, ... }@inputs: let in @@ -64,8 +69,12 @@ }) homemanager.nixosModules.home-manager agenix.nixosModules.age + arion.nixosModules.arion ./machines/chnum ./profiles/thomas + # ./profiles/anna + # ./profiles/adrian + # ./profiles/tabea ]; specialArgs = { 
@@ -98,8 +107,12 @@ hardware.nixosModules.raspberry-pi-4 homemanager.nixosModules.home-manager agenix.nixosModules.age + arion.nixosModules.arion ./machines/midgard ./profiles/thomas + # ./profiles/anna + # ./profiles/adrian + # ./profiles/tabea ]; specialArgs = { @@ -133,8 +146,12 @@ }) homemanager.nixosModules.home-manager agenix.nixosModules.age + arion.nixosModules.arion ./machines/utgard ./profiles/thomas + # ./profiles/anna + # ./profiles/adrian + # ./profiles/tabea ]; specialArgs = { @@ -166,8 +183,12 @@ }) homemanager.nixosModules.home-manager agenix.nixosModules.age + arion.nixosModules.arion ./machines/asgard ./profiles/thomas + # ./profiles/anna + # ./profiles/adrian + # ./profiles/tabea ]; specialArgs = { diff --git a/machines/asgard/default.nix b/machines/asgard/default.nix index 3427eaa..ce63e29 100644 --- a/machines/asgard/default.nix +++ b/machines/asgard/default.nix @@ -12,7 +12,17 @@ ]; personal = { - services = { }; + services = { + docker = { + enable = true; + }; + samba = { + enable = true; + }; + tailscale = { + enable = true; + }; + }; }; system = { diff --git a/machines/midgard/default.nix b/machines/midgard/default.nix index 3427eaa..6adb78a 100644 --- a/machines/midgard/default.nix +++ b/machines/midgard/default.nix @@ -12,7 +12,23 @@ ]; personal = { - services = { }; + services = { + acme = { + enable = true; + }; + adguard = { + enable = true; + }; + coredns = { + enable = true; + }; + docker = { + enable = true; + }; + tailscale = { + enable = true; + }; + }; }; system = { diff --git a/machines/modules/default.nix b/machines/modules/default.nix index 58de72b..cd534b5 100644 --- a/machines/modules/default.nix +++ b/machines/modules/default.nix @@ -3,7 +3,6 @@ with lib; { imports = [ - ./frpc.nix ./network.nix ./nixpkgs.nix ./prowlarr.nix diff --git a/machines/modules/frpc.nix b/machines/modules/frpc.nix deleted file mode 100644 index f83637e..0000000 --- a/machines/modules/frpc.nix +++ /dev/null 
@@ -1,106 +0,0 @@ -{ pkgs, lib, config, options, ... }: -with lib; - -let - cfg = config.services.frpc; - - configFile = - pkgs.writeText "frpc.conf" (generators.toINI { } cfg.settings); - -in -{ - options.services.frpc = { - enable = mkEnableOption "frpc"; - - user = mkOption { - type = types.str; - default = "frpc"; - description = '' - User under which frpc runs. - ''; - }; - - group = mkOption { - type = types.str; - default = "frpc"; - description = '' - Group under which frpc runs. - ''; - }; - - package = mkOption { - type = types.package; - default = pkgs.frp; - defaultText = "pkgs.frp"; - description = '' - The frp package to use. - ''; - }; - - token = mkOption { - type = types.str; - default = ""; - description = '' - Path to token secret file. - ''; - }; - - settings = mkOption { - description = '' - Full settings for the client. - ''; - type = types.attrsOf types.attrs; - default = { }; - example = literalExpression '' - common = { - server_addr = "example.com"; - server_port = 7001; - }; - http = { - type = "tcp"; - local_ip = "127.0.0.1"; - local_port = 80; - }; - https = { - type = "tcp"; - local_ip = "127.0.0.1"; - local_port = 443; - }; - ''; - }; - }; - - config = mkIf cfg.enable { - users.groups = mkIf (cfg.group == "frpc") { - frpc = { }; - }; - - users.users = mkIf (cfg.user == "frpc") { - frpc = { - group = cfg.group; - shell = pkgs.bashInteractive; - createHome = false; - description = "frpc user"; - isSystemUser = true; - }; - }; - - systemd.services.frpc = { - description = "FRP Client"; - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - - serviceConfig = { - Type = "simple"; - User = cfg.user; - Group = cfg.group; - Restart = "on-failure"; - ExecStart = pkgs.writeShellScript "frpc.sh" '' - set -eu - export FRP_TOKEN=$(<${cfg.token}) - ${cfg.package}/bin/frpc -c ${configFile} - ''; - }; - }; - }; -} diff --git a/machines/modules/tools.nix b/machines/modules/tools.nix index 5a8b9d4..7a25ce7 100644 
--- a/machines/modules/tools.nix
+++ b/machines/modules/tools.nix
@@ -6,6 +6,7 @@ with lib;
 environment = {
 systemPackages = with pkgs; [
 coreutils
+ dig
 file
 git
 gnumake
diff --git a/machines/modules/users.nix b/machines/modules/users.nix
index 0b229df..eecd219 100644
--- a/machines/modules/users.nix
+++ b/machines/modules/users.nix
@@ -10,7 +10,7 @@ with lib;
 users = {
 root = {
 shell = pkgs.zsh;
- hashedPassword = "$6$yuwsoikF5utqohar$fdcvq0iXdmiioiRyBGeVZICzQm4nKlv6.pj9AWh13VRCsE07dN9StDnXV0aslIBb0SWRFC4dY5Um2MYiAMfmH0";
+ passwordFile = config.age.secrets."users/root/password".path;
 openssh = {
 authorizedKeys = {
 keys = [
@@ -20,10 +20,11 @@ with lib;
 };
 };
 admin = {
+ description = "Admin";
 shell = pkgs.zsh;
 isNormalUser = true;
+ passwordFile = config.age.secrets."users/admin/password".path;
 uid = 1337;
- hashedPassword = "$6$yuwsoikF5utqohar$fdcvq0iXdmiioiRyBGeVZICzQm4nKlv6.pj9AWh13VRCsE07dN9StDnXV0aslIBb0SWRFC4dY5Um2MYiAMfmH0";
 openssh = {
 authorizedKeys = {
 keys = [
@@ -39,5 +40,13 @@ with lib;
 };
 };
 };
+
+ age.secrets."users/root/password" = {
+ file = ../../secrets/users/root/password.age;
+ };
+
+ age.secrets."users/admin/password" = {
+ file = ../../secrets/users/admin/password.age;
+ };
 };
 }
diff --git a/machines/services/adguard.nix b/machines/services/adguard.nix
new file mode 100644
index 0000000..2be5469
--- /dev/null
+++ b/machines/services/adguard.nix
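Review bot: Swapping `hashedPassword` for `passwordFile` on `root` and `admin` takes the `$6$…` crypt string out of the tree but not out of git history, where it stays readable to anyone holding the repository, so the password behind it should be changed rather than merely re-encrypted into the new `.age` files. The same literal was used for `root`, `admin` and the `thomas` account in profiles/thomas/default.nix, i.e. three accounts shared one password; with one secret per account this is the moment to give each its own. `passwordFile` is consumed by the `users` activation step, so the agenix decryption step has to be ordered before it — agenix appears to arrange that itself, but it is worth confirming on the first switch rather than discovering a locked-out root.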
@@ -0,0 +1,63 @@
+{ pkgs, lib, config, options, fetchurl, ... }:
+with lib;
+
+let
+ cfg = config.personal.services.adguard;
+
+in
+{
+ options = {
+ personal = {
+ services = {
+ adguard = {
+ enable = mkEnableOption "Adguard";
+ };
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ services = {
+ adguardhome = {
+ enable = true;
+ mutableSettings = false;
+
+ host = "127.0.0.1";
+ port = 3000;
+
+ settings = {
+ dns = {
+ port = 5353;
+ bind_host = "127.0.0.1";
+ bootstrap_dns = "1.1.1.1";
+
+ upstream_dns = [
+ "1.1.1.1"
+ "8.8.8.8"
+ ];
+ };
+
+ users = [{
+ name = "admin";
+ password = "$2y$05$wzuDDF0NaP0zX.gguP8EyuBJ1wlyTPjLvXf.LCK8VCBKIUq4PnR62";
+ }];
+ };
+ };
+ };
+
+ personal = {
+ services = {
+ webserver = {
+ enable = true;
+
+ hosts = [
+ {
+ domain = "adguard.boerger.ws";
+ proxy = "http://localhost:3000";
+ }
+ ];
+ };
+ };
+ };
+ };
+}
diff --git a/machines/services/citrix.nix b/machines/services/citrix.nix
index 77994dc..a5193d9 100644
--- a/machines/services/citrix.nix
+++ b/machines/services/citrix.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, config, options, ... }:
+{ pkgs, lib, config, options, fetchurl, ... }:
 with lib;
 
 let
diff --git a/machines/services/coredns.nix b/machines/services/coredns.nix
new file mode 100644
index 0000000..b90d722
--- /dev/null
+++ b/machines/services/coredns.nix
@@ -0,0 +1,20 @@
+{ pkgs, lib, config, options, fetchurl, ... }:
+with lib;
+
+let
+ cfg = config.personal.services.coredns;
+
+in
+{
+ options = {
+ personal = {
+ services = {
+ coredns = {
+ enable = mkEnableOption "CoreDNS";
+ };
+ };
+ };
+ };
+
+ config = mkIf cfg.enable { };
+}
diff --git a/machines/services/default.nix b/machines/services/default.nix
index 8a9664c..4e7487f 100644
--- a/machines/services/default.nix
+++ b/machines/services/default.nix
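Review bot: The `users` entry under `settings` commits the admin login's bcrypt string (`$2y$05$…`) to the repository, which sits oddly beside this same commit moving every Unix password hash into agenix; if adguard.boerger.ws is reachable from outside, that hash is what stands between the internet and the resolver's admin panel. Cost factor 05 is well below bcrypt's customary 10–12, so an offline guess is cheap should the tree or its history leak. With `mutableSettings = false` the rendered settings file ends up in the world-readable Nix store anyway, so the practical fix is either a unique password at a sane cost, or `mutableSettings = true` with the user created through the UI so no hash enters the tree. `bootstrap_dns` is a bare string while `upstream_dns` is a list; as far as I recall AdGuard Home's YAML takes a list for both, so check that the generated file is accepted. The `fetchurl` function argument added here, and likewise in citrix.nix, coredns.nix, hass.nix and tailscale.nix, is never used; module arguments resolve lazily so this evaluates today, but it is not a standard module argument and would fail the moment it is referenced — `pkgs.fetchurl` is the intended spelling.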
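Review bot: `config = mkIf cfg.enable { };` makes `personal.services.coredns.enable` a no-op, yet machines/midgard/default.nix already sets it to true in this commit, so midgard evaluates cleanly while running no CoreDNS at all. Either keep the option out of the tree until the body exists, or wire it to `services.coredns.enable = true` with a minimal Corefile, and in the meantime add `# TODO: stub — enabling this currently does nothing (see TODO.md "coredns for private domain names")` above the `config` line so the dead toggle is visible to the next reader.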
@@ -3,15 +3,18 @@ { imports = [ ./acme.nix + ./adguard.nix ./citrix.nix + ./coredns.nix ./desktop.nix ./docker.nix - ./frpc.nix + ./hass.nix ./haveged.nix ./libvirt.nix ./media.nix ./nixbuild.nix ./openssh.nix + ./tailscale.nix ./timesyncd.nix ./webserver.nix ]; diff --git a/machines/services/frpc.nix b/machines/services/frpc.nix deleted file mode 100644 index 58595d0..0000000 --- a/machines/services/frpc.nix +++ /dev/null @@ -1,70 +0,0 @@ -{ pkgs, lib, config, options, ... }: -with lib; - -let - cfg = config.personal.services.frpc; - -in -{ - options = { - personal = { - services = { - frpc = { - enable = mkEnableOption "FRP Client"; - }; - }; - }; - }; - - config = mkIf cfg.enable { - services = { - frpc = { - enable = true; - token = config.age.secrets."services/frpc/token".path; - - settings = { - common = { - server_addr = "frps.boerger.ws"; - server_port = 30601; - token = "{{ .Envs.FRP_TOKEN }}"; - admin_addr = "127.0.0.1"; - admin_port = 7400; - admin_user = "admin"; - admin_pwd = "admin"; - tls_enable = true; - }; - http = { - type = "tcp"; - local_ip = "127.0.0.1"; - local_port = 80; - use_encryption = true; - use_compression = true; - remote_port = 8080; - health_check_type = "tcp"; - health_check_timeout_s = 3; - health_check_max_failed = 3; - health_check_interval_s = 10; - }; - https = { - type = "tcp"; - local_ip = "127.0.0.1"; - local_port = 443; - use_encryption = true; - use_compression = true; - remote_port = 8443; - health_check_type = "tcp"; - health_check_timeout_s = 3; - health_check_max_failed = 3; - health_check_interval_s = 10; - }; - }; - }; - }; - - age.secrets."services/frpc/token" = { - file = ../../secrets/services/frpc/token.age; - owner = "frpc"; - group = "frpc"; - }; - }; -} diff --git a/machines/services/hass.nix b/machines/services/hass.nix new file mode 100644 index 0000000..78b78f5 --- /dev/null +++ b/machines/services/hass.nix 
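Review bot: `./samba.nix` is missing from `imports` even though the commit creates machines/services/samba.nix and machines/asgard/default.nix sets `personal.services.samba.enable = true`; unless the module is imported somewhere outside this diff, asgard will fail to evaluate because `personal.services.samba` is not a declared option. Add `./samba.nix` between `./openssh.nix` and `./tailscale.nix` to keep the list alphabetical.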
@@ -0,0 +1,93 @@ +{ pkgs, lib, config, options, fetchurl, ... }: +with lib; + +let + cfg = config.personal.services.hass; + +in +{ + options = { + personal = { + services = { + hass = { + enable = mkEnableOption "Home Assistant"; + }; + }; + }; + }; + + config = mkIf cfg.enable { + environment = { + systemPackages = with pkgs; [ + sqlite + ]; + }; + + services = { + home-assistant = { + enable = true; + + package = (pkgs.home-assistant.override { + extraPackages = python3Packages: with python3Packages; [ + pyicloud + radios + securetar + ]; + + extraComponents = [ + "accuweather" + "adguard" + "alexa" + "default_config" + ]; + }).overrideAttrs (oldAttrs: { + doInstallCheck = false; + }); + + config = { + http = { + server_host = "127.0.0.1"; + server_port = 8123; + trusted_proxies = [ "127.0.0.1" ]; + use_x_forwarded_for = true; + }; + + homeassistant = { + name = "Boerger"; + latitude = 49.406330; + longitude = 11.036830; + time_zone = "Europe/Berlin"; + unit_system = "metric"; + temperature_unit = "C"; + }; + + default_config = { }; + }; + }; + }; + + personal = { + services = { + webserver = { + enable = true; + + hosts = [ + { + domain = "home.boerger.ws"; + proxy = "http://127.0.0.1:8123"; + + proxyOptions = '' + proxy_http_version 1.1; + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Ssl on; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + ''; + } + ]; + }; + }; + }; + }; +} diff --git a/machines/services/media.nix b/machines/services/media.nix index 3345322..11a0712 100644 --- a/machines/services/media.nix +++ b/machines/services/media.nix @@ -11,14 +11,6 @@ in services = { media = { enable = mkEnableOption "Media"; - - domain = mkOption { - description = '' - Domain used for media vhosts - ''; - type = types.str; - default = "boerger.ws"; - }; }; }; }; 
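Review bot: `use_x_forwarded_for = true` with `trusted_proxies = [ "127.0.0.1" ]` only gives Home Assistant the real client address if nginx actually sends `X-Forwarded-For`; the `proxyOptions` block here sets Host, Upgrade and Connection but not that header, and the webserver module's default options do not either, so unless nginx's `recommendedProxySettings` is enabled outside this diff every login attempt on home.boerger.ws is seen as coming from 127.0.0.1 and HA's per-IP login throttling and ban list are blind. Adding `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` to the block (or enabling the recommended proxy settings) restores that. `doInstallCheck = false` in the `overrideAttrs` skips the package's own test suite; a one-line comment on why it is needed would stop a later reader from removing it or relying on it. `latitude`/`longitude` pin the household to a few metres inside a committed file, which deserves a thought if this repository is ever shared — HA can keep these in its UI-managed storage instead.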
@@ -28,10 +20,13 @@ in users = { users = { media = { + uid = 20000; + description = "Media"; + shell = pkgs.zsh; + isSystemUser = true; group = "media"; home = "/var/lib/media"; - uid = 20000; - isSystemUser = true; + passwordFile = config.age.secrets."users/media/password".path; }; }; @@ -138,35 +133,35 @@ in hosts = [ { - domain = "nzbget.${cfg.domain}"; + domain = "nzbget.boerger.ws"; proxy = "http://localhost:6789"; } { - domain = "jellyfin.${cfg.domain}"; + domain = "jellyfin.boerger.ws"; proxy = "http://localhost:8096"; } { - domain = "radarr.${cfg.domain}"; + domain = "radarr.boerger.ws"; proxy = "http://localhost:7878"; } { - domain = "sonarr.${cfg.domain}"; + domain = "sonarr.boerger.ws"; proxy = "http://localhost:8989"; } { - domain = "lidarr.${cfg.domain}"; + domain = "lidarr.boerger.ws"; proxy = "http://localhost:8686"; } { - domain = "readarr.${cfg.domain}"; + domain = "readarr.boerger.ws"; proxy = "http://localhost:8787"; } { - domain = "bazarr.${cfg.domain}"; + domain = "bazarr.boerger.ws"; proxy = "http://localhost:6767"; } { - domain = "prowlarr.${cfg.domain}"; + domain = "prowlarr.boerger.ws"; proxy = "http://localhost:9696"; } ]; @@ -180,5 +175,9 @@ in allowedUDPPorts = [ 1900 7359 ]; }; }; + + age.secrets."users/media/password" = { + file = ../../secrets/users/media/password.age; + }; }; } diff --git a/machines/services/samba.nix b/machines/services/samba.nix new file mode 100644 index 0000000..2f9b119 --- /dev/null +++ b/machines/services/samba.nix 
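Review bot: The `media` account keeps `isSystemUser = true` yet this hunk gives it `shell = pkgs.zsh` and a `passwordFile`, turning a service account that previously had the nologin default and no password into one that can log in interactively; nothing in the media services needs that, and the same block is repeated verbatim in samba.nix. Leave the shell at the default and drop the password unless a login path genuinely needs it — if the password is meant for SMB, note that Samba keeps its own password database and never reads the Unix hash. If `personal.services.media` and `personal.services.samba` were ever enabled on the same host, the duplicated `users.users.media.shell` definitions would, as far as I can tell, also be rejected as conflicting since package-typed options do not merge even when equal; defining the account once in a shared users module avoids that. Replacing `cfg.domain` with the literal `boerger.ws` in the eight `hosts` entries removes the module's only knob; fine if intended, but a short comment saying the domain is now fixed would help.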
@@ -0,0 +1,188 @@ +{ pkgs, lib, config, options, ... }: +with lib; + +let + cfg = config.personal.services.samba; + +in +{ + options = { + personal = { + services = { + samba = { + enable = mkEnableOption "Samba"; + }; + }; + }; + }; + + config = mkIf cfg.enable { + users = { + users = { + media = { + uid = 20000; + description = "Media"; + shell = pkgs.zsh; + isSystemUser = true; + group = "media"; + home = "/var/lib/media"; + passwordFile = config.age.secrets."users/media/password".path; + }; + printer = { + uid = 20001; + description = "Printer"; + shell = pkgs.zsh; + isSystemUser = true; + group = "printer"; + home = "/var/lib/printer"; + passwordFile = config.age.secrets."users/printer/password".path; + }; + }; + + groups = { + media = { + gid = 20000; + }; + printer = { + gid = 20001; + }; + }; + }; + + services = { + samba = { + enable = true; + openFirewall = true; + + extraConfig = '' + workgroup = WORKGROUP + server string = Sharing + netbios name = Sharing + guest account = nobody + map to guest = bad user + ''; + + shares = { + photos = { + comment = "Shared photos"; + path = "/var/lib/media/photos"; + + "browseable" = "yes"; + "read only" = "no"; + "writeable" = "yes"; + "guest ok" = "yes"; + "force user" = "media"; + "force group" = "media"; + }; + + videos = { + comment = "Shared videos"; + path = "/var/lib/media/videos"; + + "browseable" = "yes"; + "read only" = "no"; + "writeable" = "yes"; + "guest ok" = "yes"; + "force user" = "media"; + "force group" = "media"; + }; + + movies = { + comment = "Shared movies"; + path = "/var/lib/media/movies"; + + "browseable" = "no"; + "read only" = "no"; + "writeable" = "yes"; + "guest ok" = "no"; + "force user" = "media"; + "force group" = "media"; + "valid users" = "media"; + }; + + shows = { + comment = "Shared shows"; + path = "/var/lib/media/shows"; + + "browseable" = "no"; + "read only" = "no"; + "writeable" = "yes"; + "guest ok" = "no"; + "force user" = "media"; + "force group" = "media"; + "valid users" 
= "media"; + }; + + books = { + comment = "Shared books"; + path = "/var/lib/media/books"; + + "browseable" = "no"; + "read only" = "no"; + "writeable" = "yes"; + "guest ok" = "no"; + "force user" = "media"; + "force group" = "media"; + "valid users" = "media"; + }; + + music = { + comment = "Shared music"; + path = "/var/lib/media/music"; + + "browseable" = "no"; + "read only" = "no"; + "writeable" = "yes"; + "guest ok" = "no"; + "force user" = "media"; + "force group" = "media"; + "valid users" = "media"; + }; + + downloads = { + comment = "Shared downloads"; + path = "/var/lib/media/downloads"; + + "browseable" = "no"; + "read only" = "no"; + "writeable" = "yes"; + "guest ok" = "no"; + "force user" = "media"; + "force group" = "media"; + "valid users" = "media"; + }; + + printer = { + comment = "Shared printer"; + path = "/var/lib/printer"; + + "browseable" = "yes"; + "read only" = "no"; + "writeable" = "yes"; + "guest ok" = "yes"; + "force user" = "printer"; + "force group" = "printer"; + }; + + backup = { + comment = "Shared backup"; + path = "/var/lib/backup/%u"; + + "browseable" = "yes"; + "read only" = "no"; + "writeable" = "yes"; + "guest ok" = "no"; + }; + }; + }; + }; + + age.secrets."users/printer/password" = { + file = ../../secrets/users/printer/password.age; + }; + + age.secrets."users/media/password" = { + file = ../../secrets/users/media/password.age; + }; + }; +} diff --git a/machines/services/tailscale.nix b/machines/services/tailscale.nix new file mode 100644 index 0000000..45fb5d3 --- /dev/null +++ b/machines/services/tailscale.nix 
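Review bot: `photos`, `videos` and `printer` combine `"guest ok" = "yes"` with `"writeable" = "yes"`, and `openFirewall = true` opens the SMB ports on every interface, so anyone who can reach asgard on the LAN — or over Tailscale, which this commit also enables there — can write to those directories anonymously as `media` or `printer`. If guest access is only meant for viewing, make those shares read-only for guests (`"read only" = "yes"` plus `"write list" = "media"` for the accounts that may write) and prefer `networking.firewall.interfaces` or a `hosts allow` line over a blanket `openFirewall`. The `passwordFile` on the `media` and `printer` Unix accounts does not give them SMB credentials: Samba authenticates against its own passdb (`smbpasswd`/`pdbedit`), so `"valid users" = "media"` on the private shares only works once that database is populated, which this module does not do — a comment recording the manual step would help. `"read only" = "no"` next to `"writeable" = "yes"` on every share says the same thing twice; one of them is enough.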
@@ -0,0 +1,57 @@
+{ pkgs, lib, config, options, fetchurl, ... }:
+with lib;
+
+let
+ cfg = config.personal.services.tailscale;
+
+in
+{
+ options = {
+ personal = {
+ services = {
+ tailscale = {
+ enable = mkEnableOption "Tailscale";
+ };
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ networking = {
+ firewall = {
+ checkReversePath = "loose";
+ };
+ };
+
+ services = {
+ tailscale = {
+ enable = true;
+ };
+ };
+
+ systemd.services.tailscaled-autoconnect = {
+ description = "Automatic connection for Tailscale";
+
+ after = [ "network-pre.target" "tailscale.service" ];
+ wants = [ "network-pre.target" "tailscale.service" ];
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig.Type = "oneshot";
+
+ script = ''
+ sleep 3
+
+ STATUS="$(${pkgs.tailscale}/bin/tailscale status -json | ${pkgs.jq}/bin/jq -r .BackendState)"
+ if [ $\{STATUS\} = "Running" ]; then
+ exit 0
+ fi
+
+ ${pkgs.tailscale}/bin/tailscale up --auth-key file:${config.age.secrets."services/tailscale/authkey".path}
+ '';
+ };
+
+ age.secrets."services/tailscale/authkey" = {
+ file = ../../secrets/services/tailscale/authkey.age;
+ };
+ };
+}
diff --git a/machines/services/webserver.nix b/machines/services/webserver.nix
index e6d3048..23c2637 100644
--- a/machines/services/webserver.nix
+++ b/machines/services/webserver.nix
@@ -60,22 +60,6 @@ in
 type = types.str;
 default = "boerger.ws";
 };
-
- defaultDomain = mkOption {
- description = ''
- Domain used by default vhost
- '';
- type = types.str;
- default = "boerger.ws";
- };
-
- redirectDomain = mkOption {
- description = ''
- Domain to redirect the default
- '';
- type = types.str;
- default = "jellyfin.boerger.ws";
- };
 };
 };
 };
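Review bot: The `Running` check in `script` never matches: inside a Nix `''` string `$\{STATUS\}` is passed through unchanged, and bash reads `$\{STATUS\}` as a literal dollar sign followed by escaped braces, so the test compares the text `${STATUS}` with `Running` and `tailscale up --auth-key …` runs on every boot. Write it as `if [ "$STATUS" = "Running" ]; then` — a bare `$STATUS` is not Nix interpolation, and the quotes keep an empty status from breaking the test. `after`/`wants` name `tailscale.service`, but the daemon unit the NixOS module defines is, as far as I can see, `tailscaled.service`, so the fixed `sleep 3` is currently the only ordering against the daemon; `after = [ "network-pre.target" "tailscaled.service" ]` plus a short retry loop around the status call would be more robust. Because the script as written presents the key on every boot, it is worth documenting next to the `age.secrets` entry whether `secrets/services/tailscale/authkey.age` holds a reusable key and when it expires.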
@@ -101,20 +85,25 @@ in locations = { "/" = mkIf (builtins.hasAttr "proxy" elem) { proxyPass = elem.proxy; - extraConfig = '' - proxy_set_header X-Forwarded-Ssl on; - '' + (elem.proxyOptions or ""); + extraConfig = ( + elem.proxyOptions or '' + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $http_connection; + proxy_set_header X-Forwarded-Ssl on; + '' + ); }; }; } // (elem.domainOptions or { }); }) config.personal.services.webserver.hosts) // { - "${cfg.defaultDomain}" = { + "boerger.ws" = { useACMEHost = cfg.acmeHost; addSSL = true; forceSSL = false; default = true; - globalRedirect = cfg.redirectDomain; + root = "/var/empty"; }; }; }; diff --git a/machines/utgard/default.nix b/machines/utgard/default.nix index 46c4e72..67ec094 100644 --- a/machines/utgard/default.nix +++ b/machines/utgard/default.nix @@ -16,12 +16,15 @@ acme = { enable = true; }; - frpc = { + hass = { enable = true; }; media = { enable = true; }; + tailscale = { + enable = true; + }; }; }; diff --git a/machines/utgard/filesystems.nix b/machines/utgard/filesystems.nix index c40e614..c60ee65 100644 --- a/machines/utgard/filesystems.nix +++ b/machines/utgard/filesystems.nix @@ -1,6 +1,25 @@ { config, lib, pkgs, ... }: +let + cifsServer = "\\192.168.1.10"; + cifsOptions = [ + "x-systemd.automount" + "noauto" + "x-systemd.idle-timeout=60" + "x-systemd.device-timeout=5s" + "x-systemd.mount-timeout=5s" + "credentials=${config.age.secrets."users/media/smbpasswd".path}" + "uid=${config.users.users.media.uid}" + "gid=${config.users.groups.media.gid}" + ]; +in { + environment = { + systemPackages = with pkgs; [ + cifs-utils + ]; + }; + swapDevices = [{ device = "/dev/disk/by-label/swap"; }]; 
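Review bot: `cifsServer = "\\192.168.1.10"` evaluates to the single-backslash string `\192.168.1.10` (Nix `"\\"` is one backslash), which mount.cifs does not accept as a share prefix; the usual spelling is `"//192.168.1.10"`, matching the form the replaced NFS lines used. In `cifsOptions`, `"uid=${config.users.users.media.uid}"` and the `gid` line interpolate integers, which Nix refuses with `cannot coerce an integer to a string`; wrap both in `toString`. Neither error shows today because `cifsServer` and `cifsOptions` are only referenced from commented-out mounts and Nix is lazy, so whoever uncomments the first one will hit both at once. A comment on `credentials=` noting that the agenix secret must contain `username=`/`password=` lines in mount.cifs format would save the same person a second round trip.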
@@ -109,20 +128,6 @@ ]; }; - fileSystems."/var/lib/media/downloads" = { - device = "/dev/disk/by-label/downloads"; - fsType = "ext4"; - options = [ - "noatime" - "discard" - ]; - }; - - # fileSystems."/var/lib/media/downloads" = { - # device = "192.168.1.10:/downloads"; - # fsType = "nfs"; - # }; - fileSystems."/var/lib/media/movies" = { device = "/dev/disk/by-label/movies"; fsType = "ext4"; @@ -133,8 +138,9 @@ }; # fileSystems."/var/lib/media/movies" = { - # device = "192.168.1.10:/movies"; - # fsType = "nfs"; + # device = "${cifsServer}/movies"; + # fsType = "cifs"; + # options = cifsOptions; # }; fileSystems."/var/lib/media/series" = { @@ -146,9 +152,10 @@ ]; }; - # fileSystems."/var/lib/media/series" = { - # device = "192.168.1.10:/series"; - # fsType = "nfs"; + # fileSystems."/var/lib/media/shows" = { + # device = "${cifsServer}/shows"; + # fsType = "cifs"; + # options = cifsOptions; # }; fileSystems."/var/lib/media/books" = { @@ -161,8 +168,9 @@ }; # fileSystems."/var/lib/media/books" = { - # device = "192.168.1.10:/books"; - # fsType = "nfs"; + # device = "${cifsServer}/books"; + # fsType = "cifs"; + # options = cifsOptions; # }; fileSystems."/var/lib/media/music" = { @@ -175,7 +183,27 @@ }; # fileSystems."/var/lib/media/music" = { - # device = "192.168.1.10:/music"; - # fsType = "nfs"; + # device = "${cifsServer}/music"; + # fsType = "cifs"; + # options = cifsOptions; # }; + + fileSystems."/var/lib/media/downloads" = { + device = "/dev/disk/by-label/downloads"; + fsType = "ext4"; + options = [ + "noatime" + "discard" + ]; + }; + + # fileSystems."/var/lib/media/downloads" = { + # device = "${cifsServer}/downloads"; + # fsType = "cifs"; + # options = cifsOptions; + # }; + + age.secrets."users/media/smbpasswd" = { + file = ../../secrets/users/media/smbpasswd.age; + }; } diff --git a/profiles/adrian/default.nix b/profiles/adrian/default.nix new file mode 100644 index 0000000..9927c22 --- /dev/null +++ b/profiles/adrian/default.nix 
@@ -0,0 +1,52 @@ +{ pkgs, lib, config, options, ... }: +with lib; + +let + username = "adrian"; + fullname = "Adrian Boerger"; + desktop = config.personal.services.desktop.enable; + +in +{ + imports = [ + ../modules + ./desktop + + ../programs + ./programs + + ../services + ./services + ]; + + profile = { + username = username; + }; + + users = { + users = { + "${username}" = { + description = "${fullname}"; + shell = pkgs.zsh; + isNormalUser = true; + passwordFile = config.age.secrets."users/${username}/password".path; + extraGroups = [ + "audio" + "video" + "networkmanager" + ]; + }; + }; + }; + + home-manager.users."${username}" = { config, ... }: { + home = { + homeDirectory = "/home/${username}"; + stateVersion = "18.09"; + }; + }; + + age.secrets."users/${username}/password" = { + file = ../../secrets/users/${username}/password.age; + }; +} diff --git a/profiles/adrian/desktop/default.nix b/profiles/adrian/desktop/default.nix new file mode 100644 index 0000000..ccfa329 --- /dev/null +++ b/profiles/adrian/desktop/default.nix @@ -0,0 +1,9 @@ +{ pkgs, lib, config, options, ... }: + +{ + options = { + profile = { + desktop = { }; + }; + }; +} diff --git a/profiles/adrian/programs/default.nix b/profiles/adrian/programs/default.nix new file mode 100644 index 0000000..6810a52 --- /dev/null +++ b/profiles/adrian/programs/default.nix @@ -0,0 +1,7 @@ +{ pkgs, lib, config, options, ... }: + +{ + imports = [ + + ]; +} diff --git a/profiles/adrian/services/default.nix b/profiles/adrian/services/default.nix new file mode 100644 index 0000000..6810a52 --- /dev/null +++ b/profiles/adrian/services/default.nix @@ -0,0 +1,7 @@ +{ pkgs, lib, config, options, ... }: + +{ + imports = [ + + ]; +} diff --git a/profiles/anna/default.nix b/profiles/anna/default.nix new file mode 100644 index 0000000..320a132 --- /dev/null +++ b/profiles/anna/default.nix 
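Review bot: `profile.username = username;` here, and identically in profiles/anna/default.nix and profiles/tabea/default.nix, means every profile claims the single `profile.username` option; if the commented-out `./profiles/anna`, `./profiles/adrian`, `./profiles/tabea` imports in flake.nix are ever enabled next to `./profiles/thomas`, the option is defined with different values and evaluation fails — presumably why they are commented out, which a comment in the flake should say. The `desktop` binding in `let` is unused in all three files, and `stateVersion = "18.09"` for brand-new home-manager users should be the current release rather than a value copied from the existing profile. The three files differ only in `username` and `fullname`, and their `desktop`/`programs`/`services` stubs are all empty, so a small `mkProfile { username, fullname }` helper would remove the triplication.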
@@ -0,0 +1,52 @@ +{ pkgs, lib, config, options, ... }: +with lib; + +let + username = "anna"; + fullname = "Anna Boerger"; + desktop = config.personal.services.desktop.enable; + +in +{ + imports = [ + ../modules + ./desktop + + ../programs + ./programs + + ../services + ./services + ]; + + profile = { + username = username; + }; + + users = { + users = { + "${username}" = { + description = "${fullname}"; + shell = pkgs.zsh; + isNormalUser = true; + passwordFile = config.age.secrets."users/${username}/password".path; + extraGroups = [ + "audio" + "video" + "networkmanager" + ]; + }; + }; + }; + + home-manager.users."${username}" = { config, ... }: { + home = { + homeDirectory = "/home/${username}"; + stateVersion = "18.09"; + }; + }; + + age.secrets."users/${username}/password" = { + file = ../../secrets/users/${username}/password.age; + }; +} diff --git a/profiles/anna/desktop/default.nix b/profiles/anna/desktop/default.nix new file mode 100644 index 0000000..ccfa329 --- /dev/null +++ b/profiles/anna/desktop/default.nix @@ -0,0 +1,9 @@ +{ pkgs, lib, config, options, ... }: + +{ + options = { + profile = { + desktop = { }; + }; + }; +} diff --git a/profiles/anna/programs/default.nix b/profiles/anna/programs/default.nix new file mode 100644 index 0000000..6810a52 --- /dev/null +++ b/profiles/anna/programs/default.nix @@ -0,0 +1,7 @@ +{ pkgs, lib, config, options, ... }: + +{ + imports = [ + + ]; +} diff --git a/profiles/anna/services/default.nix b/profiles/anna/services/default.nix new file mode 100644 index 0000000..6810a52 --- /dev/null +++ b/profiles/anna/services/default.nix @@ -0,0 +1,7 @@ +{ pkgs, lib, config, options, ... }: + +{ + imports = [ + + ]; +} diff --git a/profiles/programs/default.nix b/profiles/programs/default.nix index edeecd5..46fdf3f 100644 --- a/profiles/programs/default.nix +++ b/profiles/programs/default.nix @@ -31,6 +31,8 @@ ./slack.nix ./steam.nix ./teams.nix + ./telegram.nix + ./thunderbird.nix ./tmux.nix ./whatsapp.nix ./wine.nix 
diff --git a/profiles/programs/develop.nix b/profiles/programs/develop.nix index d278fbe..04122af 100644 --- a/profiles/programs/develop.nix +++ b/profiles/programs/develop.nix @@ -4,18 +4,18 @@ with lib; let cfg = config.profile.programs.develop; - python = pkgs.python39.withPackages (p: with p; [ - ansible-core - ansible-doctor - # ansible-later - ansible-lint - boto3 - botocore - hcloud - passlib - requests - yamllint - ]); + # python = pkgs.python39.withPackages (p: with p; [ + # ansible-core + # ansible-doctor + # # ansible-later + # ansible-lint + # boto3 + # botocore + # hcloud + # passlib + # requests + # yamllint + # ]); in { @@ -32,20 +32,18 @@ in config = mkIf cfg.enable { environment = { systemPackages = with pkgs; [ - python - - php80 - php80Packages.composer - - nodejs-16_x - yarn + # python act + ansible-doctor + ansible-later + ansible-lint awscli2 eksctl git-chglog gopass graphviz + hcloud httpie ipcalc ngrok @@ -53,9 +51,17 @@ in reflex shellcheck sops + upx + yamllint + + checkov terraform terragrunt - upx + tflint + tfsec + + nodejs-16_x + yarn ]; }; }; diff --git a/profiles/programs/mattermost.nix b/profiles/programs/mattermost.nix index d2355df..26a3df3 100644 --- a/profiles/programs/mattermost.nix +++ b/profiles/programs/mattermost.nix @@ -19,7 +19,7 @@ in config = mkIf cfg.enable { environment = { systemPackages = with pkgs; [ - mattermost + mattermost-desktop ]; }; }; diff --git a/profiles/programs/telegram.nix b/profiles/programs/telegram.nix new file mode 100644 index 0000000..c952c92 --- /dev/null +++ b/profiles/programs/telegram.nix @@ -0,0 +1,26 @@ +{ pkgs, lib, config, options, ... }: +with lib; + +let + cfg = config.profile.programs.telegram; + +in +{ + options = { + profile = { + programs = { + telegram = { + enable = mkEnableOption "Telegram"; + }; + }; + }; + }; + + config = mkIf cfg.enable { + environment = { + systemPackages = with pkgs; [ + tdesktop + ]; + }; + }; +} 
diff --git a/profiles/programs/thunderbird.nix b/profiles/programs/thunderbird.nix new file mode 100644 index 0000000..3264bb4 --- /dev/null +++ b/profiles/programs/thunderbird.nix @@ -0,0 +1,26 @@ +{ pkgs, lib, config, options, ... }: +with lib; + +let + cfg = config.profile.programs.thunderbird; + +in +{ + options = { + profile = { + programs = { + thunderbird = { + enable = mkEnableOption "Thunderbird"; + }; + }; + }; + }; + + config = mkIf cfg.enable { + environment = { + systemPackages = with pkgs; [ + thunderbird-bin + ]; + }; + }; +} diff --git a/profiles/services/default.nix b/profiles/services/default.nix index b9fe4bf..c71de2d 100644 --- a/profiles/services/default.nix +++ b/profiles/services/default.nix @@ -5,6 +5,7 @@ ./blueman.nix ./caffeine.nix ./flameshot.nix + ./mopidy.nix ./nmapplet.nix ./owncloud.nix ./udiskie.nix diff --git a/profiles/services/mopidy.nix b/profiles/services/mopidy.nix new file mode 100644 index 0000000..43bc9ff --- /dev/null +++ b/profiles/services/mopidy.nix @@ -0,0 +1,50 @@ +{ pkgs, lib, config, options, ... }: +with lib; + +let + cfg = config.profile.services.mopidy; + +in +{ + options = { + profile = { + services = { + mopidy = { + enable = mkEnableOption "Mopidy"; + }; + }; + }; + }; + + config = mkIf cfg.enable { + home-manager.users."${config.profile.username}" = { config, ... }: { + programs = { + ncmpcpp = { + enable = true; + }; + }; + + services = { + mopidy = { + enable = true; + + extensionPackages = with pkgs; [ + mopidy-iris + mopidy-jellyfin + mopidy-mpd + mopidy-tunein + ]; + + # extraConfigFiles = [ + # config.age.secrets."services/mopidy/jellyfin".path + # ]; + }; + }; + }; + + # age.secrets."services/mopidy/jellyfin" = { + # file = ../../secrets/services/mopidy/jellyfin.age; + # owner = config.profile.username; + # }; + }; +} diff --git a/profiles/tabea/default.nix b/profiles/tabea/default.nix new file mode 100644 index 0000000..4b934e1 --- /dev/null +++ b/profiles/tabea/default.nix 
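Review bot: The home-manager body in mopidy.nix is written as `{ config, ... }:`, so inside it `config` is the home-manager configuration rather than the NixOS one; the commented `config.age.secrets."services/mopidy/jellyfin".path` in `extraConfigFiles` would therefore resolve against home-manager and fail unless the agenix home-manager module is also loaded, while the commented `age.secrets` block below it is declared at NixOS level. Before uncommenting, either drop `config` from the inner pattern so the outer NixOS `config` is in scope, or move the secret to the agenix home-manager module so both halves live on the same side. A comment such as `# NOTE: inner `config` is home-manager's; age secrets live in the outer NixOS config` on the `home-manager.users` line would prevent the mix-up.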
@@ -0,0 +1,52 @@ +{ pkgs, lib, config, options, ... }: +with lib; + +let + username = "tabea"; + fullname = "Tabea Boerger"; + desktop = config.personal.services.desktop.enable; + +in +{ + imports = [ + ../modules + ./desktop + + ../programs + ./programs + + ../services + ./services + ]; + + profile = { + username = username; + }; + + users = { + users = { + "${username}" = { + description = "${fullname}"; + shell = pkgs.zsh; + isNormalUser = true; + passwordFile = config.age.secrets."users/${username}/password".path; + extraGroups = [ + "audio" + "video" + "networkmanager" + ]; + }; + }; + }; + + home-manager.users."${username}" = { config, ... }: { + home = { + homeDirectory = "/home/${username}"; + stateVersion = "18.09"; + }; + }; + + age.secrets."users/${username}/password" = { + file = ../../secrets/users/${username}/password.age; + }; +} diff --git a/profiles/tabea/desktop/default.nix b/profiles/tabea/desktop/default.nix new file mode 100644 index 0000000..ccfa329 --- /dev/null +++ b/profiles/tabea/desktop/default.nix @@ -0,0 +1,9 @@ +{ pkgs, lib, config, options, ... }: + +{ + options = { + profile = { + desktop = { }; + }; + }; +} diff --git a/profiles/tabea/programs/default.nix b/profiles/tabea/programs/default.nix new file mode 100644 index 0000000..6810a52 --- /dev/null +++ b/profiles/tabea/programs/default.nix @@ -0,0 +1,7 @@ +{ pkgs, lib, config, options, ... }: + +{ + imports = [ + + ]; +} diff --git a/profiles/tabea/services/default.nix b/profiles/tabea/services/default.nix new file mode 100644 index 0000000..6810a52 --- /dev/null +++ b/profiles/tabea/services/default.nix @@ -0,0 +1,7 @@ +{ pkgs, lib, config, options, ... }: + +{ + imports = [ + + ]; +} diff --git a/profiles/thomas/default.nix b/profiles/thomas/default.nix index fc0722d..18ec13c 100644 --- a/profiles/thomas/default.nix +++ b/profiles/thomas/default.nix @@ -20,7 +20,7 @@ in ]; profile = { - username = "${username}"; + username = username; desktop = { i3 = { 
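Review bot: `desktop = config.personal.services.desktop.enable;` in the let-block of profiles/tabea/default.nix is never used anywhere in the file, and `stateVersion = "18.09"` looks copied from the existing profile rather than set for the release this account is first created on; the first is dead code, the second pins Home Manager's compatibility defaults to a years-old release for a brand-new user. Remove the `desktop` binding (or use it to gate desktop-only programs with `enable = desktop;` as profiles/thomas/default.nix does) and set `stateVersion` to the release the profile is first deployed with. The user's `passwordFile` points at the agenix secret declared at the bottom of the same file, which is fine, but note that NixOS only applies it on account creation unless `users.mutableUsers = false;` is set somewhere not visible here.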
@@ -68,6 +68,9 @@ in lutris = { enable = desktop; }; + thunderbird = { + enable = desktop; + }; mattermost = { enable = desktop; }; @@ -80,9 +83,9 @@ in owncloud = { enable = desktop; }; - playonlinux = { - enable = desktop; - }; + # playonlinux = { + # enable = desktop; + # }; rocketchat = { enable = desktop; }; @@ -101,6 +104,9 @@ in teams = { enable = desktop; }; + telegram = { + enable = desktop; + }; whatsapp = { enable = desktop; }; @@ -141,6 +147,9 @@ in flameshot = { enable = desktop; }; + mopidy = { + enable = desktop; + }; nmapplet = { enable = desktop; }; @@ -151,9 +160,9 @@ in enable = desktop; }; - dunst = { - enable = desktop; - }; + # dunst = { + # enable = desktop; + # }; polybar = { enable = desktop; }; @@ -166,7 +175,7 @@ in description = "${fullname}"; shell = pkgs.zsh; isNormalUser = true; - hashedPassword = "$6$yuwsoikF5utqohar$fdcvq0iXdmiioiRyBGeVZICzQm4nKlv6.pj9AWh13VRCsE07dN9StDnXV0aslIBb0SWRFC4dY5Um2MYiAMfmH0"; + passwordFile = config.age.secrets."users/${username}/password".path; openssh = { authorizedKeys = { keys = [ @@ -229,4 +238,8 @@ in stateVersion = "18.09"; }; }; + + age.secrets."users/${username}/password" = { + file = ../../secrets/users/${username}/password.age; + }; } diff --git a/profiles/thomas/desktop/i3.nix b/profiles/thomas/desktop/i3.nix index 95428f2..acde595 100644 --- a/profiles/thomas/desktop/i3.nix +++ b/profiles/thomas/desktop/i3.nix 
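Review bot: Replacing `hashedPassword` with `passwordFile = config.age.secrets."users/${username}/password".path;` does not retire the old credential: the removed `$6$` SHA-512-crypt hash remains in git history, so anyone with a clone can run an offline guessing attack against it, and the right follow-up is to rotate the password inside `secrets/users/thomas/password.age`, not merely relocate the hash. Also check `users.mutableUsers` (not visible on this page): with its default of `true` NixOS sets the password only when the account is first created, so a new hash in the secret would presumably not be applied to the existing `thomas` account on an already-deployed host; set `users.mutableUsers = false;` if the agenix secrets are meant to be authoritative. The enclosing `users.users."${username}"` attribute set begins before this hunk and its `openssh.authorizedKeys` list continues after it.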
@@ -4,6 +4,81 @@ with lib; let cfg = config.profile.desktop.i3; + programs = { + term = [ + { + exec = "Alacritty"; + class = "Alacritty"; + } + ]; + + editor = [ + { + exec = "code"; + class = "code"; + } + ]; + + browser = [ + { + exec = "google-chrome-stable"; + class = "google-chrome"; + } + ]; + + music = [ ]; + + mail = [ + { + exec = "thunderbird"; + class = "thunderbird"; + } + ]; + + chat = [ + { + exec = "discord"; + class = "discord"; + } + { + exec = "element-desktop"; + class = "element"; + } + { + exec = "mattermost-desktop"; + class = "mattermost"; + } + { + exec = "rocketchat-desktop"; + class = "rocket.chat"; + } + { + exec = "signal-desktop"; + class = "signal"; + } + { + exec = "skypeforlinux"; + class = "skype"; + } + { + exec = "slack"; + class = "slack"; + } + { + exec = "teams"; + class = "microsoft teams"; + } + { + exec = "tdekstop"; + class = "telegram-desktop"; + } + { + exec = "whatsapp-for-linux"; + class = "whatsapp-for-linux"; + } + ]; + }; + in { options = { @@ -21,15 +96,23 @@ in home = { packages = with pkgs; [ betterlockscreen + deadd-notification-center feh gnome.nautilus gucharmap + libnotify lxappearance playerctl scrot ]; }; + services = { + gnome-keyring = { + enable = true; + }; + }; + xsession = { enable = true; 
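Review bot: `exec = "tdekstop";` in the `chat` list of profiles/thomas/desktop/i3.nix misspells the Telegram launcher while the matching `class = "telegram-desktop";` is correct, so the workspace assignment will work but the generated i3 `exec` will fail silently at login. The package installed by profiles/programs/telegram.nix on this page is `tdesktop`, whose binary is presumably named `telegram-desktop` rather than `tdesktop`, so the fix is likely `exec = "telegram-desktop";` — confirm against the package's `bin/` directory. Since a later hunk turns every `exec` string into a startup command, consider referencing the store path, e.g. `exec = "${pkgs.tdesktop}/bin/telegram-desktop";`, so a wrong name fails at evaluation rather than at runtime.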
@@ -55,21 +138,23 @@ in }; assigns = { - "1" = [{ - class = "Alacritty"; - }]; - "3" = [{ - class = "google-chrome"; - }]; + "1" = map (i: { class = i.class; }) programs.term; + "2" = map (i: { class = i.class; }) programs.editor; + "3" = map (i: { class = i.class; }) programs.browser; + "4" = map (i: { class = i.class; }) programs.mail; + "5" = map (i: { class = i.class; }) programs.music; + "6" = map (i: { class = i.class; }) programs.chat; }; startup = [ { - command = "feh --borderless --no-fehbg --bg-scale $HOME/.wallpapers/tower.jpg"; + command = "feh --no-fehbg --bg-scale $HOME/.wallpapers/tower.jpg"; + always = false; notification = false; } { - command = "betterlockscreen -w dim -u $HOME/.wallpapers/tower.jpg"; + command = "betterlockscreen --update $HOME/.wallpapers/tower.jpg"; + always = false; notification = false; } { @@ -77,11 +162,11 @@ in always = true; notification = false; } - { - command = "systemctl --user restart dunst"; - always = true; - notification = false; - } + # { + # command = "systemctl --user restart dunst"; + # always = true; + # notification = false; + # } { command = "systemctl --user restart udiskie"; always = true; @@ -97,7 +182,19 @@ in always = true; notification = false; } - ]; + + { + command = "deadd-notification-center"; + always = false; + notification = false; + } + + # { + # command = "clockify"; + # always = false; + # notification = false; + # } + ] ++ (map (i: { command = i.exec; notification = false; }) programs.term) ++ (map (i: { command = i.exec; notification = false; }) programs.editor) ++ (map (i: { command = i.exec; notification = false; }) programs.browser) ++ (map (i: { command = i.exec; notification = false; }) programs.mail) ++ (map (i: { command = i.exec; notification = false; }) programs.music) ++ (map (i: { command = i.exec; notification = false; }) programs.chat); gaps = { smartGaps = true; 
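Review bot: The six chained `++ (map (i: { command = i.exec; notification = false; }) programs.X)` expressions appended to the `startup` list repeat the same lambda six times on one long line; a single `map` over a concatenated list keeps the launch order and reads as one statement: `] ++ map (i: { command = i.exec; notification = false; }) (concatLists (with programs; [ term editor browser mail music chat ]));`. A short comment above it would also help, since these entries omit `always` and so presumably run only on the initial i3 start and not on a config reload, unlike the `systemctl --user restart` entries that set `always = true`. The `startup` list itself begins before this hunk.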
@@ -210,7 +307,7 @@ in set $power "[l]ock log[o]ut [s]uspend [h]ibernate [r]eboot [p]oweroff" mode $power { - bindsym l exec betterlockscreen -w dim -u $HOME/.wallpapers/tower.jpg; mode "default" + bindsym l exec betterlockscreen --lock dim; mode "default" bindsym o exec i3-msg exit; mode "default" bindsym s exec systemctl suspend; mode "default" bindsym h exec systemctl hibernate; mode "default" diff --git a/secrets/secrets.nix b/secrets/secrets.nix index c8474f3..977abe4 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -2,11 +2,27 @@ let thomas = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINaQYR0/Oj6k1H03kshz2J7rlGCaDSuaGPhhOs9FcZfn"; users = [ thomas ]; + midgard = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICGC6aSeeKiMO9y3NMxPOh2JvvGYcyS4za+0+hSqI3Bj"; + asgard = ""; utgard = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN02izetkp+Wru4KE0ZASwOcjJfXr3U0H/Q/i0fjdgJ7"; - systems = [ utgard ]; + systems = [ midgard asgard utgard ]; in { "services/acme/credentials.age".publicKeys = users ++ systems; "services/frpc/token.age".publicKeys = users ++ systems; + "services/mopidy/jellyfin.age".publicKeys = users ++ systems; "services/nixbuild/sshkey.age".publicKeys = users ++ systems; + "services/tailscale/authkey.age".publicKeys = users ++ systems; + + "users/media/password.age".publicKeys = users ++ systems; + "users/media/smbpasswd.age".publicKeys = users ++ systems; + + "users/printer/password.age".publicKeys = users ++ systems; + "users/root/password.age".publicKeys = users ++ systems; + "users/admin/password.age".publicKeys = users ++ systems; + + "users/thomas/password.age".publicKeys = users ++ systems; + "users/anna/password.age".publicKeys = users ++ systems; + "users/adrian/password.age".publicKeys = users ++ systems; + "users/tabea/password.age".publicKeys = users ++ systems; } 
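Review bot: `asgard = "";` in secrets/secrets.nix puts an empty recipient into `systems`, and because every entry uses `publicKeys = users ++ systems`, every re-encryption from now on includes an empty age recipient that age/agenix will presumably reject; until a real host key exists, either leave asgard out of `systems` or guard it with `systems = builtins.filter (k: k != "") [ midgard asgard utgard ];`. Separately, the blanket `users ++ systems` means each host can decrypt every other host's root and user passwords and the tailscale auth key (the `.age` files on this page each carry three `ssh-ed25519` recipient stanzas), so compromise of any one machine exposes all of them. Scope host-specific secrets to the host that needs them, e.g. `"users/root/password.age".publicKeys = users ++ [ utgard ];`, and keep only genuinely shared secrets on the full list. The `let` header of this file starts one line before the hunk.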
diff --git a/secrets/services/acme/credentials.age b/secrets/services/acme/credentials.age index faacf73..9318ad9 100644 Binary files a/secrets/services/acme/credentials.age and b/secrets/services/acme/credentials.age differ diff --git a/secrets/services/frpc/token.age b/secrets/services/frpc/token.age index e7e1b26..d6a7ba0 100644 --- a/secrets/services/frpc/token.age +++ b/secrets/services/frpc/token.age @@ -1,9 +1,11 @@ age-encryption.org/v1 --> ssh-ed25519 ptT1OQ zh94IvnUClD1KSf07GormPU11pydyI2mJ0QR+dj35AU -WJmyov9jnDRU0XOfNly+YctW4u/74nbLjp84JRHncWE --> ssh-ed25519 QkapZw 63is6AXw4FTrqsD0up52mIGSfLFcb+X+ZJ47QiOLgHo -NiILE2Wc05JFcISN0HV0oZ+m8H4HUQOADLrNoAWMVmk --> [nwC-grease dC<=9 ssh-ed25519 ptT1OQ G0UMa/hBBgKiYtBUgm6E+LHVVly/sr2+0dThm+VsNV0 +GFlyE+NmG7wND92/WXCJFFkq9M1Nsfq3k7YRnAIiH+s +-> ssh-ed25519 vDK6kA IMw7Ugc3JS3lo+jdy3VTfxNe+BcWRvIurYcHo8/20Gw +x6EZAsfUt/Q99W5ibar3GznBJPxgZiHGwplouzXDFdc +-> ssh-ed25519 QkapZw u+G8NcRFQARVgqHA8GgQI/FwAVJIEPYdyMOwEcQYIDY +EQdhk9LxqWPdIwzIhBG13dLVpXZJyadWr87YQ8M1UcQ +-> J-grease SyWuYE |$6Yno7V B^+)$-n +xH13RODn/QcYvsniQH4 +--- ha8bj14RU/C0zmMc4kVty3WsN6fRF8ZdyhSmqKyPshs +P]2(y> VCZ;Ѭc+\!.OEpqI&fSL>AK \ No newline at end of file diff --git a/secrets/services/mopidy/jellyfin.age b/secrets/services/mopidy/jellyfin.age new file mode 100644 index 0000000..bc41baa Binary files /dev/null and b/secrets/services/mopidy/jellyfin.age differ diff --git a/secrets/services/nixbuild/sshkey.age b/secrets/services/nixbuild/sshkey.age index a7fdbcc..58cf3e8 100644 Binary files a/secrets/services/nixbuild/sshkey.age and b/secrets/services/nixbuild/sshkey.age differ diff --git a/secrets/services/tailscale/authkey.age b/secrets/services/tailscale/authkey.age new file mode 100644 index 0000000..d0bc3ee --- /dev/null +++ b/secrets/services/tailscale/authkey.age 
@@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 ptT1OQ LnnwfsdOcAom5MZY4xYG+m1CUOcR2LhCYU+UMGQxwU4 +UxV1cyR0seHEmhzI0ngmf9MNEqA7Se77G52b4kw8a5E +-> ssh-ed25519 vDK6kA 4iqbkl1XVdmO/4bb8oCPstM+c90jjlNUqx1EPnKZqAs +voRRt0wWr4DIpkY5R+S9e7dhJ7PsirrQGYkku/86iLY +-> ssh-ed25519 QkapZw 7atPx1R+UvxoIevJwJSuDWjs4Uwtarae1ubDKXLLWGA +z3Xfmk2ysy+j57aRbt4kv0Jv+7ajeBlDw1VrADjNJlw +-> Jo:^-grease 68x TN\24 Y ssh-ed25519 ptT1OQ OnQmMRmL4vooeJARScu0RFDRxF+DAwzzHA6Xfs9E60M +q0oXUE7RKv/b5/v2nHbRDK0B/m/D5HQ9pCnCF1Hub/c +-> ssh-ed25519 vDK6kA iYH6SGuEb2frh2Av9/NnhsD5SYxPU/ymow7qiwPdPAA +iei5JokDZ4vyKYa4+oKi6tt4X+m6C9Q64YUHX75cJKo +-> ssh-ed25519 QkapZw WrWt+aqpoT/jQdD3ktFygrodrZ1dutukEWzSlAiCFDk +1mvKL9cnEE61wfY+yZE1N8E8SfYUWyyLftOg30JIgRg +-> W^&%6jtg-grease v8zD(} +NZAuTFXfI/X9rK8azx1w4fqKMrvOKcRWrGx3iXWn8Cdkb/cAtfRyckPc659jONns +/gJx2jcqstgYR7O38wnOuuevexEeRn/2i5bISRLbN1AGW4Q +--- LW/pRhTdYie4pUsBKMqRp38ltz1fJ9tZMRAcV71ykZk +db^FBfm +s"2TLb#p_ \ No newline at end of file diff --git a/secrets/users/adrian/password.age b/secrets/users/adrian/password.age new file mode 100644 index 0000000..064ee60 --- /dev/null +++ b/secrets/users/adrian/password.age @@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 ptT1OQ 6owQsraIjwntWOLM/IgsCfo9k4xP7EgBqGHz/9ACOgc +Qlee7D1NbteTDL97/yfvfkZnuuF1n5oCMCjwJZIERH0 +-> ssh-ed25519 vDK6kA 6OPdEol4Z3nCRInYKRNb+EboSByN+ed1X0dVVZBTLkE +6kDLoKD+GQVaIzAy5GHdF8K/3iMZTg7x0cb8ScNA0B4 +-> ssh-ed25519 QkapZw oZ6I/sL0ZGVu+8qK+Ol4QMlOCAFy4CaS83EAnV1XLWw +R63uqZ48KJ+M7HZ2vCQ/1eEXyzeTLZSHpp3AM6zLlTQ +-> dw,mS#A0-grease -?,a d<}@U< +aiBxTwXkpHMDz2mrp3+6PZE9pxA4TZe/+ioGsek0iWLjNGZ2zh1/z3cZ5dHodDfc +pHW/9wWa0j4 +--- Yl4jZiBuNi+e4Hxo5JcbRmQGM5tzYz1UG0naPSH8fzI +6߮S.BXp JR KՑ_IJdA \ No newline at end of file diff --git a/secrets/users/anna/password.age b/secrets/users/anna/password.age new file mode 100644 index 0000000..d71287e --- /dev/null +++ b/secrets/users/anna/password.age 
@@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 ptT1OQ ZwHZuEtXIywjlO1Qylc54X5yliYN2C20lXtxRleDOgE +h3PEPfWVR7Y3Xc80e26UwMg8SU9ZDgs4SkyAQsYzj+Q +-> ssh-ed25519 vDK6kA +yWQE2uLXFSpX4iCxaKyaxk/219fItLaZGC3vlzgQFs +g6wiwF/Ym7KUuWnPVLZyMzcvwOc+gEzQtVEOMcTGE2c +-> ssh-ed25519 QkapZw Ymvdm1Lh4AdNYQsvtnlTB+xFU0ukt0qvQGmSPodVT1M +5wKYkK+69TVRm0P+dZEASBfbAT0R7jBNJKmzwU6KIKk +-> (`jv:-grease j(N +2LnNRS5xWT3s9x5gg1ls7pfVbg/uFgCyLNr9/KK4YbQbsNKrNg +--- hLiE6yB2F7kOJw3qT31+bCbnMtcK32XYgxbI82WVlmY +A,Xx[Zg-2#)9zb[V \ No newline at end of file diff --git a/secrets/users/media/password.age b/secrets/users/media/password.age new file mode 100644 index 0000000..1409a68 --- /dev/null +++ b/secrets/users/media/password.age @@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 ptT1OQ 6nrRFAT0bfW/YJUvUidI1VKSuLYwInjTHAVBsW1m8QE +zXaMZLYdHMe552DAOJIE+2Ej4FbNoiC0lMUVK0HwkYw +-> ssh-ed25519 vDK6kA IgdF+Ru31yku4rGyIX9Kb5kbxfi8flHMw9jElsr/twM +HKL3yIg8tiYgmMnjVbSxk4kq5XvtSrk30bNuyj35mg4 +-> ssh-ed25519 QkapZw vgukk5ZXct7y3e+3IDfKjM1Z/jKJhqmF2lg1WO/FfCo +kK1WaS6PCfhbJj04PVOMgc3nGU8tFQS6kJxqhWHV6ZE +-> V-grease * G#N'H$( +BV3zew7ZPBc3kj8Vlsm8egFoTN0jTe7mqzFqjucThfldN+YFcKZK6VxzzCsbB6mn +Ez2qmevGVI43inhwSmIUSnqVvj1+8hc5NICZJs24P+34HA +--- vjzDvpUTaCep8r5cGc5JDnZUdaQ/I2qXMDHIF7gDIdo +FaC` S@Op8{)|q+v::l'!칦c, \ No newline at end of file diff --git a/secrets/users/media/smbpasswd.age b/secrets/users/media/smbpasswd.age new file mode 100644 index 0000000..7a201d5 Binary files /dev/null and b/secrets/users/media/smbpasswd.age differ diff --git a/secrets/users/printer/password.age b/secrets/users/printer/password.age new file mode 100644 index 0000000..ca26d4d --- /dev/null +++ b/secrets/users/printer/password.age 
@@ -0,0 +1,13 @@ +age-encryption.org/v1 +-> ssh-ed25519 ptT1OQ 9z0mc7gau0SlDVq8NAZI0T+t2yetYhRJ5jJ+cx/pFTM +4Yz8DPjhtAsy0abWxKR5WE9uC7n5BfhADTSUiDZBqUk +-> ssh-ed25519 vDK6kA UPR/LPzCEBBo3WcTywbS/yjb7v+uQTjPzGVVv05VOkk +UcbxNWcmE14VIUa6Sq4U4Q0SHLhQ7OKiE+xnGVq90tc +-> ssh-ed25519 QkapZw uPxyBvN/TO//OGorad6hxvnDIqoLhROtU+HIcOOhXVs +J3u69kfjynkf5lUVDk7X+4JHmOSca0Q14YOwAV14lb8 +-> GY`;C-grease (L,'+} $/@h ~ ++ur0Lzp2w7e9/dJlEDbya+IIzQ6mwiEowxCUnCzm/JPELX/OLh/hlwUUzLOAJsVS +Kw6Rf41t6o5HPJZXLFBtQtyjgLeZx/rlIjrBmFQ41BJ0Lbmf7/g +--- E1i31zsuxNyizZMMeGBbgi1f77T3T5cn/kORrliha6U +cgBMZ/M +]CLbR* `,i|eD \ No newline at end of file diff --git a/secrets/users/root/password.age b/secrets/users/root/password.age new file mode 100644 index 0000000..3498c88 --- /dev/null +++ b/secrets/users/root/password.age @@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 ptT1OQ YcyAUwVMlw4/ALw7mnNSf0mZEIBy2QutWPnw/dIcdGU +T12rjnbOaILGoVMRr2Ggi/kNThnacoLBFjCOBIROQgU +-> ssh-ed25519 vDK6kA t/nieYJLDvK/t6nmqv9uZeznMXKZx0w6haAdGGbRUig +L1RtzBdd2byvSb+Bei7cQk4pSeG572CmRnQ2fMl4xk8 +-> ssh-ed25519 QkapZw h50sCx6P4KcKJ1FuKBG7b1fXvfE3uLHM4CbFj0p2+zU +b4llW691ia4zsUewi61ubDdTVuqKmZHkOQc+zcow3lo +-> [@JJ3u-grease H9 XQF %fy3, Za.Zvj_} +T68o20cFBiNu9Wgmk8ZpABs80V7f7Y6wBa3ldggYvp62kTswfS0mIGsO+ta6FZt9 +++GxRoSprkcVmg4 +--- 4yMs1I5euxBUuhkdu98y/ExONALCQkfx7K/6uHAFh6A +Ju!];)57bsɹw:= \ No newline at end of file diff --git a/secrets/users/tabea/password.age b/secrets/users/tabea/password.age new file mode 100644 index 0000000..1576bf0 --- /dev/null +++ b/secrets/users/tabea/password.age 
@@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 ptT1OQ aldRZAe2K4bGX8GbnW01BC7pkreWmEYG50iFM5+cVkM +Ix3RuSN12AQr0kggdEwgVBmpv7oal99PHyTeAv0tDdc +-> ssh-ed25519 vDK6kA c9sm7SGxgbgJt2M/mKT0mnDPv8kMgvU4E+WM88pszDE +K7jsUZzDX5cXcnTCeswxOz/5+wMJMt80/pSU36UkE+w +-> ssh-ed25519 QkapZw HsnZIJNhcwAf7uAU6g+NtsNYSpnK0A7LOWZfNYN8tkE +i6y8GMfYo3iwH5reeUdMwmbzjR/BcKGZg+2OKNPRfIU +-> |/"ga-grease \:S|s5} 3HKp9_~ +hewqWDDpTlc +--- gznXnky7kkgfMGD88xGo4dAXpZkLX7DKx8xMxRFgL+w +*p(4qG0YE>H*7wNecG[L`q \ No newline at end of file diff --git a/secrets/users/thomas/password.age b/secrets/users/thomas/password.age new file mode 100644 index 0000000..a04a8ca --- /dev/null +++ b/secrets/users/thomas/password.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 ptT1OQ fwUu8pY2budRGKQ5KH8g3PpQkYw8nxQjXPMypWRVzmg +KqgwVHgyLsJHXn46OwwH5a6+mXIeu4JjsXXH3nZCFQQ +-> ssh-ed25519 vDK6kA QWFjCWEDx9y9hsBaVfdECb/9XiPtNR3SRf1dXd9szmI +fv9QTZ9h2JWW9d+rjjTnePOW/lxOnvVNYl3P3a2Fgnc +-> ssh-ed25519 QkapZw 9aLnV1zSbaws9Kzx7gFYBc3xQPzoNpqF8C3woF8D03E +CUZodCA2dAvZra7367A1PNdHlVkgKqfMl/LBlD35MKo +-> D-grease ;95[E YS| [,!+^H P~& ++fpm +--- FJSm4ETZT3yielQi7G05UJXRRNpOJawgSogBmyC51MU +i%`v\? \Y{Iw5CrpP=GX \ No newline at end of file