diff --git a/common/default.nix b/common/default.nix index 70458a0..a4ec350 100644 --- a/common/default.nix +++ b/common/default.nix @@ -1,5 +1,5 @@ { config, lib, pkgs, ... }: { - imports = [ ./users ./microcode.nix ]; + imports = [ ./services ./users ./microcode.nix ]; boot.cleanTmpDir = true; boot.kernelModules = [ "wireguard" ]; diff --git a/common/services/backup.nix b/common/services/backup.nix new file mode 100644 index 0000000..c9814ab --- /dev/null +++ b/common/services/backup.nix @@ -0,0 +1,57 @@ +{ config, lib, pkgs, ... }: + +let cfg = config.within.backups; +in with lib; { + options.within.backups = { + enable = mkEnableOption "Enables per-host backups to rsync.net"; + paths = mkOption { + type = with types; listOf str; + default = [ "/home" "/srv" "/var/lib" "/root" ]; + description = "paths to backup to rsync.net"; + }; + exclude = mkOption { + type = with types; listOf str; + default = [ + "/var/lib/docker" + "/var/lib/systemd" + "/var/lib/libvirt" + "'**/.cache'" + "'**/.nix-profile'" + "'**/.elm'" + "'**/.emacs.d'" + ]; + description = "paths to NOT backup to rsync.net"; + }; + repo = mkOption { + type = types.str; + description = "Repo to submit backups to"; + }; + }; + + config = mkIf config.within.backups.enable { + services.borgbackup.jobs."borgbase" = { + paths = cfg.paths; + exclude = cfg.exclude; + repo = cfg.repo; + encryption = { + mode = "repokey-blake2"; + passCommand = "cat /root/borgbackup_passphrase"; + }; + environment.BORG_RSH = "ssh -i /root/borgbackup_ssh_key"; + compression = "auto,lzma"; + startAt = "daily"; + extraArgs = "--remote-path=borg1"; + }; + + age.secrets = { + borgbackup-passphrase = { + file = ../../secret/borgbackup_passphrase; + path = "/root/borgbackup_passphrase"; + }; + borgbackup-ssh-key = { + file = ../../secret/borgbackup_ssh_key; + path = "/root/borgbackup_ssh_key"; + }; + }; + }; +} diff --git a/common/services/default.nix b/common/services/default.nix new file mode 100644 index 0000000..2f24450 
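Review bot: The four `'**/…'` entries in the `exclude` default carry literal single quotes, and if the borgbackup module shell-escapes each entry when it assembles the `--exclude` arguments (which is what I would expect it to do), those quote characters become part of the pattern and `.cache`, `.nix-profile`, `.elm` and `.emacs.d` are never excluded; the unquoted forms `"**/.cache" "**/.nix-profile" "**/.elm" "**/.emacs.d"` are what borg needs. The two `age.secrets` entries set neither `owner` nor `mode`, so they fall back to the agenix defaults (root-owned and read-only for root, as far as I recall), which is exactly what a root-run borg job using `passCommand = "cat /root/borgbackup_passphrase"` and `BORG_RSH` wants; a one-line comment saying the defaults are relied on deliberately would stop the next reader from "fixing" them with a wider mode. `config = mkIf config.within.backups.enable` can use the `cfg` binding defined just above it, `config = mkIf cfg.enable {`.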
--- /dev/null +++ b/common/services/default.nix @@ -0,0 +1,11 @@ +{ ... }: { + imports = [ + ./backup.nix + ./graphviz.nix + ./lewa.nix + ./mi + ./tron + ./tulpanomicon + ./withinbot + ]; +} diff --git a/common/services/graphviz.nix b/common/services/graphviz.nix new file mode 100644 index 0000000..12609d3 --- /dev/null +++ b/common/services/graphviz.nix @@ -0,0 +1,41 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.within.services.graphviz; + graphviz = pkgs.stdenv.mkDerivation { + name = "GraphvizOnline"; + src = pkgs.fetchFromGitHub { + owner = "Xe"; + repo = "GraphvizOnline"; + rev = "98ab98e6dbabba984e49be2c8b46c470aca829fe"; + sha256 = "l3BEmY20pfC1rWyQLz6j4pDPdZcv1FYKeIpBZUmosXc="; + fetchSubmodules = false; + }; + + phases = "installPhase"; + + installPhase = '' + mkdir -p $out + cp -vrf $src/* $out + ''; + }; +in { + options.within.services.graphviz.enable = + mkEnableOption "Activates the graphviz site"; + + config = mkIf cfg.enable { + services.nginx.virtualHosts."graphviz" = { + serverName = "graphviz.christine.website"; + locations."/".root = graphviz; + forceSSL = true; + useACMEHost = "christine.website"; + extraConfig = '' + access_log /var/log/nginx/graphviz.access.log; + ''; + }; + + services.cfdyndns.records = [ "graphviz.christine.website" ]; + }; +} diff --git a/common/services/lewa.nix b/common/services/lewa.nix new file mode 100644 index 0000000..e52d895 --- /dev/null +++ b/common/services/lewa.nix 
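Review bot: The `graphviz` derivation in common/services/graphviz.nix only copies `$src` into `$out`, so the `stdenv.mkDerivation` wrapper adds nothing over the fetcher output itself; `graphviz = pkgs.fetchFromGitHub { … };` with the same pinned `rev` and `sha256` can be used directly as `locations."/".root`. If the wrapper is kept, `phases = "installPhase"` is the discouraged way to skip phases; `dontUnpack = true;` with the existing `installPhase` expresses the same thing without overriding the phase list. Pinning by `rev` plus `sha256` is the right supply-chain shape here and should survive either change.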
@@ -0,0 +1,38 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.within.services.lewa; + l'ewa = pkgs.fetchzip { + url = "https://xena.greedo.xeserv.us/files/lewa-book.tar.gz"; + sha256 = "0n86fq25cnqwgfp7hfzh8l1h57a1sgvafq7lyd477amgvq0drk4c"; + }; +in { + options.within.services.lewa = { + enable = mkEnableOption "Activates the eBook for l'ewa"; + useACME = mkEnableOption "enables ACME for cert stuff"; + + domain = mkOption { + type = types.str; + default = "lewa.akua"; + example = "lewa.cetacean.club"; + description = + "The domain name that nginx should check against for HTTP hostnames"; + }; + }; + + config = mkIf cfg.enable { + services.nginx.virtualHosts."lewa" = { + serverName = "${cfg.domain}"; + locations."/".root = "${l'ewa}/book"; + forceSSL = cfg.useACME; + useACMEHost = "within.website"; + extraConfig = '' + access_log /var/log/nginx/lewa.access.log; + ''; + }; + + services.cfdyndns = mkIf cfg.useACME { records = [ "${cfg.domain}" ]; }; + }; +} diff --git a/common/services/mi/default.nix b/common/services/mi/default.nix new file mode 100644 index 0000000..9970c51 --- /dev/null +++ b/common/services/mi/default.nix 
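Review bot: `useACMEHost = "within.website"` is fixed while `domain` is an option whose default is `lewa.akua`, so enabling `useACME` for any name the within.website certificate does not cover makes nginx serve a mismatched certificate under `forceSSL`; either add an ACME-host option beside `domain` or state in the `useACME` description that it only works for within.website names. `serverName = "${cfg.domain}"` and `records = [ "${cfg.domain}" ]` interpolate a string into a string for no effect; `serverName = cfg.domain;` and `records = [ cfg.domain ];` are equivalent and read cleaner. `l'ewa` is a legal Nix identifier but is easy to misread as an unterminated string; `lewa` would be kinder to the next editor.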
@@ -0,0 +1,104 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.within.services.mi; + mi = with pkgs; + import + (fetchFromGitHub (builtins.fromJSON (builtins.readFile ./source.json))) { }; +in { + options.within.services.mi = { + enable = mkEnableOption "Activates mi (a personal API)"; + useACME = mkEnableOption "Enables ACME for cert stuff"; + + port = mkOption { + type = types.int; + default = 38288; + example = 9001; + description = "The port number mi should listen on for HTTP traffic"; + }; + + domain = mkOption { + type = types.str; + default = "mi.within.website"; + example = "mi.within.website"; + description = + "The domain name that nginx should check against for HTTP hostnames"; + }; + }; + + config = mkIf cfg.enable { + users.users.mi = { + createHome = true; + description = "github.com/Xe/mi"; + isSystemUser = true; + group = "within"; + home = "/srv/within/mi"; + extraGroups = [ "keys" ]; + }; + + age.secrets.mi = { + file = ../../secret/mi.toml.age; + path = "/srv/within/mi/Rocket.toml"; + owner = "mi"; + group = "within"; + mode = "0400"; + }; + + systemd.services.mi = { + wantedBy = [ "multi-user.target" ]; + after = [ "mi-key.service" "systemd-resolved.service" ]; + wants = [ "mi-key.service" "systemd-resolved.service" ]; + + serviceConfig = { + User = "mi"; + Group = "within"; + Restart = "on-failure"; + WorkingDirectory = "/srv/within/mi"; + RestartSec = "30s"; + Type = "notify"; + }; + + script = '' + export ROCKET_PORT=${toString cfg.port} + exec ${mi}/bin/mi-backend + ''; + }; + + systemd.services.mi-package-updater = { + wantedBy = [ "multi-user.target" ]; + after = [ "mi-key.service" ]; + wants = [ "mi-key.service" ]; + + serviceConfig = { + User = "mi"; + Group = "within"; + WorkingDirectory = "/srv/within/mi"; + Type = "oneshot"; + }; + + script = '' + export DATABASE_URL=./mi.db + exec ${mi}/bin/package_track + ''; + + startAt = "*-*-* 00:00:00"; # daily + }; + + services.nginx.virtualHosts."mi" = { + serverName = 
"${cfg.domain}"; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString cfg.port}"; + proxyWebsockets = true; + }; + forceSSL = cfg.useACME; + useACMEHost = "within.website"; + extraConfig = '' + access_log /var/log/nginx/mi.access.log; + ''; + }; + + services.cfdyndns = mkIf cfg.useACME { records = [ "${cfg.domain}" ]; }; + }; +} diff --git a/common/services/mi/source.json b/common/services/mi/source.json new file mode 100644 index 0000000..0d54d50 --- /dev/null +++ b/common/services/mi/source.json @@ -0,0 +1,7 @@ +{ + "owner": "Xe", + "repo": "mi", + "rev": "220a123b586445da1f99b59226f7ccbe5b4a566a", + "sha256": "wbvA3++JFv7PjVl0RyRSbhdmSouJ4k3NWgh5J4jYyGk=", + "fetchSubmodules": false +} diff --git a/common/services/tron/default.nix b/common/services/tron/default.nix new file mode 100644 index 0000000..0258b81 --- /dev/null +++ b/common/services/tron/default.nix 
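Review bot: `after`/`wants` on `mi-key.service` and `extraGroups = [ "keys" ]` in `users.users.mi` follow the NixOps key-service convention, but this hunk provisions the secret with `age.secrets.mi`, which as far as I know creates no such unit; the ordering dependency is then inert and the `keys` membership unused, so both can go, or a comment should say which other deployment path still needs them. Unlike `withinbot` in this same commit, the `mi` and `mi-package-updater` units get no sandboxing (`NoNewPrivileges`, `ProtectSystem`, `PrivateDevices`, `SystemCallFilter`, …) even though `mi-backend` accepts proxied HTTP from nginx; applying the same `serviceConfig` hardening block here, with `ReadWritePaths` for `/srv/within/mi`, keeps the two services consistent. `owner = "mi"` with `mode = "0400"` on the Rocket.toml secret is the right shape.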
@@ -0,0 +1,52 @@ +{ config, lib, pkgs, ... }: + +let + tron = with pkgs; + callPackage (fetchgit (builtins.fromJSON (builtins.readFile ./source.json))) + { }; + +in with lib; { + options.within.services.tron.enable = + mkEnableOption "Activates Tron (a furbooru moderation tool)"; + + config = mkIf config.within.services.tron.enable { + # User account + users.users.tron = { + createHome = true; + description = "tulpa.dev/cadey/tron"; + isSystemUser = true; + group = "within"; + home = "/srv/within/tron"; + extraGroups = [ "keys" ]; + }; + + # Secret config + age.secrets.tron = { + file = ../../../secret/tron.env.age; + path = "/srv/within/tron/.env"; + owner = "tron"; + group = "within"; + mode = "0640"; + }; + + # Service + systemd.services.tron = { + wantedBy = [ "multi-user.target" ]; + after = [ "tron-key.service" ]; + wants = [ "tron-key.service" ]; + + serviceConfig = { + User = "tron"; + Group = "within"; + Restart = "on-failure"; + RestartSec = "30s"; + }; + + script = '' + export $(cat /srv/within/tron/.env | xargs) + export REGEXES=${tron}/regexes.dhall + exec ${tron}/bin/tron + ''; + }; + }; +} diff --git a/common/services/tron/source.json b/common/services/tron/source.json new file mode 100644 index 0000000..60e99f3 --- /dev/null +++ b/common/services/tron/source.json @@ -0,0 +1,9 @@ +{ + "url": "https://tulpa.dev/cadey/tron.git", + "rev": "20e69676d9899013b5c9630ad9ea01e73b8d2b06", + "sha256": "1qpkis92a837c4j1f17ic57l9qpzvnbxg61vccqhcjxfx5vbyc7k", + "fetchLFS": false, + "fetchSubmodules": false, + "deepClone": false, + "leaveDotGit": false +} diff --git a/common/services/tulpanomicon/default.nix b/common/services/tulpanomicon/default.nix new file mode 100644 index 0000000..b997187 --- /dev/null +++ b/common/services/tulpanomicon/default.nix 
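Review bot: `age.secrets.tron` is installed with `mode = "0640"` and `group = "within"`, and `within` is the shared group of every service user in this commit plus nginx (via `SupplementaryGroups` in hosts/lufta/default.nix), so tron's `.env` is readable by all of them; the sibling `mi` and `withinbot` secrets use `mode = "0400"` and tron should match. `export $(cat /srv/within/tron/.env | xargs)` in `script` splits the file on whitespace and re-parses it through the shell, so any value containing a space, quote or `#` is mangled; `serviceConfig.EnvironmentFile = "/srv/within/tron/.env";` lets systemd load the file with proper quoting and the `export $(…)` line can be dropped. The unit also carries none of the sandboxing directives `withinbot` gets in this commit; the same block applies here as written.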
@@ -0,0 +1,27 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.within.services.tulpanomicon; + book = with pkgs; + callPackage (fetchgit (builtins.fromJSON (builtins.readFile ./source.json))) + { }; +in { + options.within.services.tulpanomicon.enable = + mkEnableOption "Activates tulpa --force"; + + config = mkIf cfg.enable { + services.nginx.virtualHosts."tulpanomicon" = { + serverName = "tulpanomicon.guide"; + locations."/".root = "${book}"; + forceSSL = true; + useACMEHost = "tulpanomicon.guide"; + extraConfig = '' + access_log /var/log/nginx/tulpanomicon.access.log; + ''; + }; + + services.cfdyndns.records = [ "tulpanomicon.guide" ]; + }; +} diff --git a/common/services/tulpanomicon/source.json b/common/services/tulpanomicon/source.json new file mode 100644 index 0000000..6cabc57 --- /dev/null +++ b/common/services/tulpanomicon/source.json @@ -0,0 +1,9 @@ +{ + "url": "https://tulpa.dev/tulpa-ebooks/tulpanomicon.git", + "rev": "5a2cce637ec680ce6aea1e9e35cdbb73d5570221", + "sha256": "0r7imilh9p84wdb15qwmk05yab2y5qndpqka4nwqv8mk4l9jdpga", + "fetchLFS": false, + "fetchSubmodules": false, + "deepClone": false, + "leaveDotGit": false +} diff --git a/common/services/withinbot/default.nix b/common/services/withinbot/default.nix new file mode 100644 index 0000000..b88d26a --- /dev/null +++ b/common/services/withinbot/default.nix 
@@ -0,0 +1,91 @@ +{ config, lib, pkgs, ... }: +let + bot = with pkgs; + import + (fetchFromGitHub (builtins.fromJSON (builtins.readFile ./source.json))) { }; +in with lib; { + options.within.services.withinbot.enable = + mkEnableOption "Activates Withinbot (the furryhole chatbot)"; + + config = mkIf config.within.services.withinbot.enable { + users.users.withinbot = { + createHome = true; + description = "github.com/Xe/withinbot"; + isSystemUser = true; + group = "within"; + home = "/srv/within/withinbot"; + extraGroups = [ "keys" ]; + }; + + age.secrets.withinbot = { + file = ../../../secret/withinbot.env; + path = "/srv/within/withinbot/.env"; + owner = "withinbot"; + group = "within"; + mode = "0400"; + }; + + systemd.services.withinbot = { + wantedBy = [ "multi-user.target" ]; + after = [ "withinbot-key.service" ]; + wants = [ "withinbot-key.service" ]; + + serviceConfig = { + User = "withinbot"; + Group = "within"; + Restart = "on-failure"; + WorkingDirectory = "/srv/within/withinbot"; + RestartSec = "30s"; + + # security settings + CapabilityBoundingSet = ""; + DeviceAllow = [ ]; + NoNewPrivileges = "true"; + ProtectControlGroups = "true"; + ProtectClock = "true"; + PrivateDevices = "true"; + PrivateUsers = "true"; + ProtectHome = "true"; + ProtectHostname = "true"; + ProtectKernelLogs = "true"; + ProtectKernelModules = "true"; + ProtectKernelTunables = "true"; + ProtectSystem = "true"; + ProtectProc = "invisible"; + RemoveIPC = "true"; + RestrictAddressFamilies = [ "~AF_UNIX" "~AF_NETLINK" ]; + RestrictNamespaces = [ + "CLONE_NEWCGROUP" + "CLONE_NEWIPC" + "CLONE_NEWNET" + "CLONE_NEWNS" + "CLONE_NEWPID" + "CLONE_NEWUTS" + "CLONE_NEWUSER" + ]; + RestrictSUIDSGID = "true"; + RestrictRealtime = "true"; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "~@reboot" + "~@module" + "~@mount" + "~@swap" + "~@resources" + "~@cpu-emulation" + "~@obsolete" + "~@debug" + "~@privileged" + ]; + UMask = "077"; + }; + + script = let withinbot = bot; + in '' + 
export CAMPAIGN_FOLDER=${withinbot}/campaigns + export RUST_LOG=error,serenity::client::bridge::gateway::shard_runner=error,serenity::gateway::shard=error + exec ${withinbot}/bin/withinbot + ''; + }; + }; +} diff --git a/common/services/withinbot/source.json b/common/services/withinbot/source.json new file mode 100644 index 0000000..925e8bf --- /dev/null +++ b/common/services/withinbot/source.json @@ -0,0 +1,7 @@ +{ + "owner": "Xe", + "repo": "withinbot", + "rev": "b819aec3add88298a65277fbf4e13de4fe254bc0", + "sha256": "wIZ9znXL98yNlHUxhQXH/fJihukyK6XfUCyjiJ5fgzY=", + "fetchSubmodules": false +} diff --git a/flake.lock b/flake.lock index ea2fa41..dcd83f9 100644 --- a/flake.lock +++ b/flake.lock @@ -2,7 +2,9 @@ "nodes": { "agenix": { "inputs": { - "nixpkgs": "nixpkgs" + "nixpkgs": [ + "nixpkgs" + ] }, "locked": { "lastModified": 1665870395, @@ -18,6 +20,29 @@ "type": "github" } }, + "aura": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "utils": [ + "utils" + ] + }, + "locked": { + "lastModified": 1672605913, + "narHash": "sha256-TRHzwtCZC2IMPTq3UsFDJno3Y1k58HONotnA4B9dT+8=", + "owner": "PonyvilleFM", + "repo": "aura", + "rev": "ffc55b4177cdc1a3c6323397d077e26476843e65", + "type": "github" + }, + "original": { + "owner": "PonyvilleFM", + "repo": "aura", + "type": "github" + } + }, "deno2nix": { "inputs": { "devshell": "devshell", @@ -48,8 +73,12 @@ "deploy-rs": { "inputs": { "flake-compat": "flake-compat", - "nixpkgs": "nixpkgs_2", - "utils": "utils" + "nixpkgs": [ + "nixpkgs" + ], + "utils": [ + "utils" + ] }, "locked": { "lastModified": 1672327199, @@ -219,8 +248,12 @@ }, "home-manager": { "inputs": { - "nixpkgs": "nixpkgs_3", - "utils": "utils_2" + "nixpkgs": [ + "nixpkgs" + ], + "utils": [ + "utils" + ] }, "locked": { "lastModified": 1672349765, @@ -285,7 +318,7 @@ }, "naersk_2": { "inputs": { - "nixpkgs": "nixpkgs_5" + "nixpkgs": "nixpkgs_2" }, "locked": { "lastModified": 1650265945, 
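Review bot: `ProtectSystem = "true"` only makes `/usr`, `/boot` and `/efi` read-only and leaves `/etc` and everything else writable, which is loose for a unit that is otherwise deny-by-default; `ProtectSystem = "strict"; ReadWritePaths = [ "/srv/within/withinbot" ];` plus `PrivateTmp = true;` closes that without changing what the bot can reach. `RestrictAddressFamilies = [ "~AF_UNIX" "~AF_NETLINK" ]` is a deny-list, so every other family stays allowed; if the bot only talks to Discord over TCP (likely given the serenity crate named in `RUST_LOG`, but confirm) the allow-list `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];` is tighter. The `let withinbot = bot; in` around `script` is an alias with no other use; `${bot}` directly reads simpler.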
@@ -345,54 +378,6 @@ } }, "nixpkgs": { - "locked": { - "lastModified": 1665732960, - "narHash": "sha256-WBZ+uSHKFyjvd0w4inbm0cNExYTn8lpYFcHEes8tmec=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "4428e23312933a196724da2df7ab78eb5e67a88e", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_2": { - "locked": { - "lastModified": 1671417167, - "narHash": "sha256-JkHam6WQOwZN1t2C2sbp1TqMv3TVRjzrdoejqfefwrM=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "bb31220cca6d044baa6dc2715b07497a2a7c4bc7", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_3": { - "locked": { - "lastModified": 1671983799, - "narHash": "sha256-Z2Ro6hFPZHkBqkVXY5/aBUzxi5xizQGvuHQ9+T5B/ks=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "fad51abd42ca17a60fc1d4cb9382e2d79ae31836", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_4": { "locked": { "lastModified": 1672350804, "narHash": "sha256-jo6zkiCabUBn3ObuKXHGqqORUMH27gYDIFFfLq5P4wg=", @@ -408,7 +393,7 @@ "type": "github" } }, - "nixpkgs_5": { + "nixpkgs_2": { "locked": { "lastModified": 1650555608, "narHash": "sha256-e34oMPWPwRWhF1K6NZnF0mNle7qDADJzjWujp8UupGo=", @@ -422,7 +407,7 @@ "type": "indirect" } }, - "nixpkgs_6": { + "nixpkgs_3": { "locked": { "lastModified": 1650161686, "narHash": "sha256-70ZWAlOQ9nAZ08OU6WY7n4Ij2kOO199dLfNlvO/+pf8=", @@ -437,7 +422,7 @@ "type": "indirect" } }, - "nixpkgs_7": { + "nixpkgs_4": { "locked": { "lastModified": 1640319671, "narHash": "sha256-ZkKmakwaOaLiZOpIZWbeJZwap5CzJ30s4UJTfydYIYc=", @@ -455,7 +440,7 @@ }, "portable-svc": { "inputs": { - "nixpkgs": "nixpkgs_6" + "nixpkgs": "nixpkgs_3" }, "locked": { "lastModified": 1650586426, 
@@ -506,11 +491,11 @@ ] }, "locked": { - "lastModified": 1667491896, - "narHash": "sha256-v2iUBQ0kwUz5a/MZGJvhlpDj+H8PLMJFRvvgYb1knZg=", + "lastModified": 1672602248, + "narHash": "sha256-VH7/DqYZfQ5N+38gYm3xHEwMVG3iGaPmjfvVAU9ifk4=", "owner": "Xe", "repo": "rhea", - "rev": "30a0900b9409b9c9044c83deaaaa9f708b402eb3", + "rev": "a47a471a202e3335569e4254ad35254fb483f416", "type": "github" }, "original": { @@ -522,14 +507,15 @@ "root": { "inputs": { "agenix": "agenix", + "aura": "aura", "deploy-rs": "deploy-rs", "emacs-overlay": "emacs-overlay", "home-manager": "home-manager", "mara": "mara", - "nixpkgs": "nixpkgs_4", + "nixpkgs": "nixpkgs", "printerfacts": "printerfacts", "rhea": "rhea", - "utils": "utils_4", + "utils": "utils_2", "waifud": "waifud", "wsl": "wsl", "x": "x", @@ -562,36 +548,6 @@ } }, "utils": { - "locked": { - "lastModified": 1667395993, - "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "utils_2": { - "locked": { - "lastModified": 1667395993, - "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "utils_3": { "locked": { "lastModified": 1638122382, "narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=", @@ -606,7 +562,7 @@ "type": "github" } }, - "utils_4": { + "utils_2": { "locked": { "lastModified": 1667395993, "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", 
@@ -682,11 +638,11 @@ ] }, "locked": { - "lastModified": 1672596703, - "narHash": "sha256-jq2PwMWQE8Dt3v4WRBa2qj77apR37L0l/Dwm+es2qcQ=", + "lastModified": 1672604621, + "narHash": "sha256-V5VtmCB6htNBkYWy7zc8TD/lI+oFqUVMGxuE5IsKnXk=", "owner": "Xe", "repo": "x", - "rev": "88ab7e70b442a45a67e4a9f4f1ee79b0aa622273", + "rev": "1a031713e7a4813b40694ffb902b73de4e3d36da", "type": "github" }, "original": { @@ -708,11 +664,11 @@ ] }, "locked": { - "lastModified": 1672519133, - "narHash": "sha256-KkwWlxbX1HSBDtyKX1/4L+z+ocGkptQMGe3VnsowXZg=", + "lastModified": 1672607480, + "narHash": "sha256-iDQRK6YjXz8iCfTjhZ9LI48YzLP7xE1IaGT6a1vrxMk=", "owner": "Xe", "repo": "site", - "rev": "3890085b77db7637ca9b48cb7809cf898a26ec1c", + "rev": "9ab1724f06c38001afa87c38398f021d9cc64298", "type": "github" }, "original": { @@ -723,8 +679,8 @@ }, "xess": { "inputs": { - "nixpkgs": "nixpkgs_7", - "utils": "utils_3" + "nixpkgs": "nixpkgs_4", + "utils": "utils" }, "locked": { "lastModified": 1640540322, diff --git a/flake.nix b/flake.nix index 220a33e..2c00d02 100644 --- a/flake.nix +++ b/flake.nix @@ -2,17 +2,32 @@ description = "My deploy-rs config for logos"; inputs = { - agenix.url = "github:ryantm/agenix"; - deploy-rs.url = "github:serokell/deploy-rs"; - home-manager.url = "github:nix-community/home-manager"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; utils.url = "github:numtide/flake-utils"; + # external dependencies + agenix = { + url = "github:ryantm/agenix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + deploy-rs = { + url = "github:serokell/deploy-rs"; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.utils.follows = "utils"; + }; + emacs-overlay = { url = "github:nix-community/emacs-overlay"; inputs.nixpkgs.follows = "nixpkgs"; }; + home-manager = { + url = "github:nix-community/home-manager"; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.utils.follows = "utils"; + }; + wsl = { url = "github:nix-community/NixOS-WSL"; inputs.nixpkgs.follows = "nixpkgs"; 
@@ -20,41 +35,57 @@ }; # my apps + aura = { + url = "github:PonyvilleFM/aura"; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.utils.follows = "utils"; + }; + printerfacts = { url = "git+https://tulpa.dev/cadey/printerfacts.git?ref=main"; inputs.nixpkgs.follows = "nixpkgs"; inputs.flake-utils.follows = "utils"; }; + mara = { url = "git+https://tulpa.dev/Xe/mara.git?ref=main"; inputs.nixpkgs.follows = "nixpkgs"; inputs.utils.follows = "utils"; }; + rhea = { url = "github:Xe/rhea"; inputs.nixpkgs.follows = "nixpkgs"; }; + waifud = { url = "github:Xe/waifud"; inputs.nixpkgs.follows = "nixpkgs"; inputs.utils.follows = "utils"; }; + x = { url = "github:Xe/x"; inputs.nixpkgs.follows = "nixpkgs"; inputs.utils.follows = "utils"; }; + xesite = { url = "github:Xe/site"; inputs.nixpkgs.follows = "nixpkgs"; inputs.flake-utils.follows = "utils"; }; + + # legacy apps }; outputs = { self, nixpkgs, deploy-rs, home-manager, agenix, printerfacts, mara - , rhea, waifud, emacs-overlay, wsl, x, xesite, ... }: + , rhea, waifud, emacs-overlay, wsl, x, xesite, aura, ... }: let - pkgs = nixpkgs.legacyPackages."x86_64-linux"; + pkgs = import nixpkgs { + system = "x86_64-linux"; + overlays = [ x.overlays.x86_64-linux.default ]; + }; mkSystem = extraModules: nixpkgs.lib.nixosSystem rec { @@ -64,15 +95,13 @@ home-manager.nixosModules.home-manager ({ config, ... }: { - system.configurationRevision = self.sourceInfo.rev; - services.getty.greetingLine = - "<<< Welcome to NixOS ${config.system.nixos.label} @ ${self.sourceInfo.rev} - \\l >>>"; + # system.configurationRevision = self.sourceInfo.rev; + # services.getty.greetingLine = + # "<<< Welcome to NixOS ${config.system.nixos.label} @ ${self.sourceInfo.rev} - \\l >>>"; home-manager.useGlobalPkgs = true; home-manager.useUserPackages = true; - nixpkgs.overlays = [ - emacs-overlay.overlay - ]; + nixpkgs.overlays = [ emacs-overlay.overlay ]; }) ./common 
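Review bot: Commenting out `system.configurationRevision` in the `@@ -64,15 +95,13 @@` hunk drops the deployed git revision from `nixos-version` and from the getty banner; if the motivation is that `self.sourceInfo.rev` does not exist on a dirty tree, `system.configurationRevision = self.rev or "dirty";` keeps provenance on clean builds and still evaluates on dirty ones, and the greeting line can use the same expression. The enclosing `mkSystem` function starts and ends outside this hunk. The `inputs` hunk above it is reordering plus `follows` wiring and needs nothing.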
@@ -80,8 +109,9 @@ mara.nixosModules.${system}.bot rhea.nixosModule.${system} x.nixosModules.default - #xesite.nixosModules.default - + xesite.nixosModules.default + aura.nixosModules.aerial + aura.nixosModules.aura ] ++ extraModules; }; in { @@ -328,12 +358,11 @@ ]; # cloud - akko = mkSystem [ - ./hosts/akko - ./hardware/location/YYZ - ]; + akko = mkSystem [ ./hosts/akko ./hardware/location/YYZ ]; firgu = mkSystem [ ./hosts/firgu ./hardware/location/YYZ ]; + + lufta = mkSystem [ ./hosts/lufta ]; }; deploy.nodes.akko = { diff --git a/hosts/lufta/.gitignore b/hosts/lufta/.gitignore new file mode 100644 index 0000000..d97c5ea --- /dev/null +++ b/hosts/lufta/.gitignore @@ -0,0 +1 @@ +secret diff --git a/hosts/lufta/acme.nix b/hosts/lufta/acme.nix new file mode 100644 index 0000000..daf4505 --- /dev/null +++ b/hosts/lufta/acme.nix 
@@ -0,0 +1,114 @@ +{ pkgs, ... }: + +let + aws = "/var/lib/acme/.env"; + + extraLegoFlags = [ "--dns.resolvers=8.8.8.8:53" ]; + +in { + age.secrets.aws = { + file = ../../secret/lufta.aws.env.age; + path = "/var/lib/acme/.env"; + mode = "600"; + owner = "acme"; + group = "nginx"; + }; + + security.acme.defaults.email = "me@christine.website"; + security.acme.acceptTerms = true; + + security.acme.certs."xeiaso.net" = { + group = "nginx"; + email = "me@christine.website"; + dnsProvider = "route53"; + credentialsFile = "${aws}"; + extraDomainNames = [ "*.xeiaso.net" "xelaso.net" ]; + inherit extraLegoFlags; + }; + + security.acme.certs."tulpa.dev" = { + group = "nginx"; + email = "me@christine.website"; + dnsProvider = "route53"; + credentialsFile = "${aws}"; + extraDomainNames = [ "*.tulpa.dev" ]; + inherit extraLegoFlags; + }; + + security.acme.certs."christine.website" = { + group = "nginx"; + email = "me@christine.website"; + dnsProvider = "route53"; + credentialsFile = "${aws}"; + extraDomainNames = [ "*.christine.website" ]; + inherit extraLegoFlags; + }; + + security.acme.certs."cetacean.club" = { + group = "nginx"; + email = "me@christine.website"; + dnsProvider = "route53"; + credentialsFile = "${aws}"; + extraDomainNames = + [ "*.cetacean.club" "*.kahless.cetacean.club" "*.lufta.cetacean.club" ]; + inherit extraLegoFlags; + }; + + security.acme.certs."pvfmsets.cf" = { + group = "nginx"; + email = "me@christine.website"; + dnsProvider = "route53"; + credentialsFile = "${aws}"; + inherit extraLegoFlags; + }; + + security.acme.certs."tulpanomicon.guide" = { + group = "nginx"; + email = "me@christine.website"; + dnsProvider = "route53"; + credentialsFile = "${aws}"; + extraDomainNames = [ "*.tulpanomicon.guide" ]; + inherit extraLegoFlags; + }; + + security.acme.certs."tulpaforce.xyz" = { + group = "nginx"; + email = "me@christine.website"; + dnsProvider = "route53"; + credentialsFile = "${aws}"; + extraDomainNames = [ "*.tulpaforce.xyz" ]; + inherit 
extraLegoFlags; + }; + + security.acme.certs."within.website" = { + group = "nginx"; + email = "me@christine.website"; + dnsProvider = "route53"; + credentialsFile = "${aws}"; + extraDomainNames = [ "*.within.website" ]; + inherit extraLegoFlags; + }; + + security.acme.certs."xeserv.us" = { + group = "nginx"; + email = "me@christine.website"; + dnsProvider = "route53"; + credentialsFile = "${aws}"; + extraDomainNames = [ + "*.xeserv.us" + "*.greedo.xeserv.us" + "*.apps.xeserv.us" + "*.minipaas.xeserv.us" + ]; + inherit extraLegoFlags; + }; + + security.acme.certs."xn--u7hz981o.ws" = { + group = "nginx"; + email = "me@christine.website"; + dnsProvider = "route53"; + credentialsFile = "${aws}"; + extraDomainNames = [ "*.xn--u7hz981o.ws" ]; + inherit extraLegoFlags; + }; +} diff --git a/hosts/lufta/akua.nix b/hosts/lufta/akua.nix new file mode 100644 index 0000000..ad77597 --- /dev/null +++ b/hosts/lufta/akua.nix @@ -0,0 +1,9 @@ +{ pkgs, config, ... }: + +let metadata = pkgs.callPackage ../../ops/metadata/peers.nix { }; +in { + boot.kernel.sysctl = { + "net.ipv4.ip_forward" = 1; + "net.ipv6.conf.all.forwarding" = 1; + }; +} diff --git a/hosts/lufta/bootstrap.nix b/hosts/lufta/bootstrap.nix new file mode 100644 index 0000000..06d7f69 --- /dev/null +++ b/hosts/lufta/bootstrap.nix 
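Review bot: The ten `security.acme.certs` entries in hosts/lufta/acme.nix repeat the same five attributes and differ only in `extraDomainNames`, which invites drift (one entry silently missing `inherit extraLegoFlags`, or a changed e-mail in nine of ten places); a small helper in the `let` gives one place to change the DNS provider or contact. `credentialsFile = "${aws}"` is a string interpolated into a string; `credentialsFile = aws;` is equivalent. The secret has `mode = "600"` with `group = "nginx"`, so the group grant does nothing; either `"640"` was meant or `group` can go, and whichever it is, the other secrets in this commit use the four-digit form, so `"0600"` would be consistent.
```nix
  mkCert = extraDomainNames: {
    group = "nginx";
    email = "me@christine.website";
    dnsProvider = "route53";
    credentialsFile = aws;
    inherit extraDomainNames extraLegoFlags;
  };
in {
  # … unchanged: age.secrets.aws, security.acme.defaults.email, acceptTerms …
  security.acme.certs."xeiaso.net" = mkCert [ "*.xeiaso.net" "xelaso.net" ];
  security.acme.certs."pvfmsets.cf" = mkCert [ ];
  # … remaining certs follow the same pattern …
```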
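Review bot: `metadata` in the `let` of hosts/lufta/akua.nix is bound by calling `../../ops/metadata/peers.nix` and is never used in the body, so the file evaluates that package for nothing; either the peer configuration that presumably consumes it is still to come (a `# TODO` would say so) or the `let … in` can be dropped, leaving the two sysctl lines. Enabling IPv4 and IPv6 forwarding host-wide while hosts/lufta/default.nix in this commit disables the firewall is a combination worth a one-line comment naming what is meant to be routed through this host.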
@@ -0,0 +1,28 @@ +{ pkgs, ... }: + +{ + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPg9gYKVglnO2HQodSJt4z4mNrUSUiyJQ7b+J798bwD9 cadey@shachi" + ]; + + networking.usePredictableInterfaceNames = false; + systemd.network = { + enable = true; + networks."eth0".extraConfig = '' + [Match] + Name = eth0 + [Network] + # Add your own assigned ipv6 subnet here here! + Address = 2a01:4f9:3a:1a1c::/64 + Gateway = fe80::1 + # optionally you can do the same for ipv4 and disable DHCP (networking.dhcpcd.enable = false;) + Address = 135.181.162.99/26 + Gateway = 135.181.162.65 + ''; + }; + + boot.supportedFilesystems = [ "zfs" ]; + + environment.systemPackages = with pkgs; [ wget vim zfs ]; +} diff --git a/hosts/lufta/certs.akua.nix b/hosts/lufta/certs.akua.nix new file mode 100644 index 0000000..06a38ec --- /dev/null +++ b/hosts/lufta/certs.akua.nix @@ -0,0 +1,5 @@ +{ ... }: + +{ + services.nginx.virtualHosts."certs.akua" = { }; +} diff --git a/hosts/lufta/default.nix b/hosts/lufta/default.nix new file mode 100644 index 0000000..9501448 --- /dev/null +++ b/hosts/lufta/default.nix 
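Review bot: hosts/lufta/bootstrap.nix repeats the root `authorizedKeys` entry, the `systemd.network` `eth0` block and `boot.supportedFilesystems` verbatim from hosts/lufta/default.nix in this same commit, with nothing saying which copy is authoritative; if this is the install-time configuration (confirm), a header comment such as `# Minimal config for the initial install of lufta; default.nix supersedes it once deployed.` would stop someone editing one copy and not the other. The `[Network]` comments (`Add your own assigned ipv6 subnet here here!`) read as template text carried over and can go now that the addresses are filled in.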
@@ -0,0 +1,171 @@ +{ config, pkgs, lib, ... }: + +{ + imports = [ + ./acme.nix + ./akua.nix + ./docker.nix + ./gitea.nix + ./hardware-configuration.nix + ./monitoring.nix + ./weechat.nix + ./within.nix + ./when-then-zen.nix + ./zrepl.nix + ]; + + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + boot.loader.grub.device = "/dev/nvme0n1"; # or "nodev" for efi only + boot.kernelParams = [ "zfs.zfs_arc_max=1073741824" ]; + boot.zfs.devNodes = "/dev/disk/by-partuuid"; + + networking.hostName = "lufta"; # Define your hostname. + networking.hostId = "2487cd1f"; + networking.useDHCP = false; + networking.interfaces.eth0.useDHCP = false; + + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPg9gYKVglnO2HQodSJt4z4mNrUSUiyJQ7b+J798bwD9 cadey@shachi" + ]; + + security.polkit.enable = true; + + networking.usePredictableInterfaceNames = false; + systemd.network = { + enable = true; + networks."eth0".extraConfig = '' + [Match] + Name = eth0 + [Network] + # Add your own assigned ipv6 subnet here here! + Address = 2a01:4f9:3a:1a1c::/64 + Gateway = fe80::1 + # optionally you can do the same for ipv4 and disable DHCP (networking.dhcpcd.enable = false;) + Address = 135.181.162.99/26 + Gateway = 135.181.162.65 + ''; + }; + + services.tor.enable = true; + services.tor.client.enable = true; + services.tor.settings.SOCKSPort = [ 9051 ]; + + boot.supportedFilesystems = [ "zfs" ]; + + environment.systemPackages = with pkgs; [ wget vim zfs weechat tailscale ]; + + networking.firewall = { + enable = false; + allowedTCPPorts = [ 22 80 443 1965 6667 6697 ]; + allowedUDPPorts = [ 41641 51822 51820 ]; + + allowedUDPPortRanges = [{ + from = 32768; + to = 65535; + }]; + + trustedInterfaces = [ "akua" "tailscale0" ]; + }; + + system.stateVersion = "20.09"; # Did you read the comment? 
+ + within.microcode = { + enable = true; + vendor = "amd"; + }; + + virtualisation.docker.enable = true; + virtualisation.docker.storageDriver = "zfs"; + virtualisation.libvirtd.enable = true; + + systemd.services.nginx.serviceConfig.SupplementaryGroups = "within"; + services.nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + statusPage = true; + enableReload = true; + commonHttpConfig = '' + set_real_ip_from 103.21.244.0/22; + set_real_ip_from 103.22.200.0/22; + set_real_ip_from 103.31.4.0/22; + set_real_ip_from 104.16.0.0/13; + set_real_ip_from 104.24.0.0/14; + set_real_ip_from 108.162.192.0/18; + set_real_ip_from 131.0.72.0/22; + set_real_ip_from 141.101.64.0/18; + set_real_ip_from 162.158.0.0/15; + set_real_ip_from 172.64.0.0/13; + set_real_ip_from 173.245.48.0/20; + set_real_ip_from 188.114.96.0/20; + set_real_ip_from 190.93.240.0/20; + set_real_ip_from 197.234.240.0/22; + set_real_ip_from 198.41.128.0/17; + set_real_ip_from 2400:cb00::/32; + set_real_ip_from 2606:4700::/32; + set_real_ip_from 2803:f800::/32; + set_real_ip_from 2405:b500::/32; + set_real_ip_from 2405:8100::/32; + set_real_ip_from 2c0f:f248::/32; + set_real_ip_from 2a06:98c0::/29; + real_ip_header CF-Connecting-IP; + ''; + + virtualHosts."withinwebsite" = { + locations = { + "/.well-known/matrix/server".extraConfig = let + # use 443 instead of the default 8448 port to unite + # the client-server and server-server port for simplicity + server = { "m.server" = "matrix.within.website:443"; }; + in '' + add_header Content-Type application/json; + return 200 '${builtins.toJSON server}'; + ''; + + "/.well-known/matrix/client".extraConfig = let + client = { + "m.homeserver" = { "base_url" = "https://matrix.within.website"; }; + }; + # ACAO required to allow riot-web on any URL to request this json file + in '' + add_header Content-Type application/json; + add_header 
Access-Control-Allow-Origin *; + return 200 '${builtins.toJSON client}'; + ''; + }; + }; + }; + + services.tailscale.enable = true; + + services.mysql = { + enable = true; + package = pkgs.mariadb; + settings.mysqld.bind-address = "127.0.0.1"; + }; + + services.zfs.autoScrub.enable = true; + services.zfs.autoSnapshot = { + enable = true; + monthly = 1; + }; + + services.yggdrasil = { + enable = true; + persistentKeys = true; + openMulticastPort = true; + config = { + IfName = "yggdrasil0"; + Peers = [ + "tls://94.103.82.150:8080" + "tcp://ams1.y.sota.sh:8080" + "tls://45.147.198.155:6010" + "tls://ygg-nl.incognet.io:8884" + ]; + }; + }; +} diff --git a/hosts/lufta/docker.nix b/hosts/lufta/docker.nix new file mode 100644 index 0000000..658d6e2 --- /dev/null +++ b/hosts/lufta/docker.nix @@ -0,0 +1,20 @@ +{ config, pkgs, ... }: + +{ + virtualisation.oci-containers.containers = { + olin = { + image = "xena/olin:latest"; + ports = [ "127.0.0.1:25723:5000" ]; + environment.PORT = "5000"; + }; + }; + + services.nginx.virtualHosts."olin.within.website" = { + locations."/".proxyPass = "http://127.0.0.1:25723"; + forceSSL = true; + useACMEHost = "within.website"; + extraConfig = '' + access_log /var/log/nginx/olin.access.log; + ''; + }; +} diff --git a/hosts/lufta/gitea.nix b/hosts/lufta/gitea.nix new file mode 100644 index 0000000..e61a082 --- /dev/null +++ b/hosts/lufta/gitea.nix 
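Review bot: `networking.firewall.enable = false` turns the `allowedTCPPorts`, `allowedUDPPorts`, `allowedUDPPortRanges` and `trustedInterfaces` lines below it into dead configuration, so every listener on this internet-facing host that is not bound to loopback (yggdrasil, tailscale, whatever docker or libvirt publishes) is reachable from anywhere regardless of those lists. If the firewall is off on purpose (docker/libvirt interplay is the usual reason — confirm), a comment saying so and removing the inert port lists is better than leaving rules that look enforced; otherwise `enable = true;` makes the lists real. The `set_real_ip_from` block is a hand-copied Cloudflare range list that will drift; a comment with the copy date and source would help whoever next refreshes it.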
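Review bot: `image = "xena/olin:latest"` in hosts/lufta/docker.nix is a floating tag, so the container that comes up after a reboot or re-pull is whatever the registry serves at that moment rather than what was deployed and reviewed; pinning by digest, `image = "xena/olin@sha256:<digest-placeholder>";`, or at least by an immutable version tag, gives this the same reproducibility the Nix side already has with `rev` plus `sha256`. Publishing the port on `127.0.0.1:25723` and fronting it with the nginx vhost is the right shape and should stay.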
@@ -0,0 +1,78 @@
+{ config, pkgs, lib, ... }:
+
+let cfg = config.services.gitea;
+in {
+ users.users.git = {
+ description = "Gitea Service";
+ home = cfg.stateDir;
+ useDefaultShell = true;
+ group = "git";
+ isSystemUser = true;
+ };
+ users.groups.git = { };
+
+ services.gitea = {
+ enable = true;
+ user = "git";
+ domain = "tulpa.dev";
+ appName = "${cfg.domain}: git in plurality";
+ rootUrl = "https://${cfg.domain}/";
+ httpAddress = "127.0.0.1";
+ httpPort = 49381;
+ log.level = "Error";
+ settings = {
+ i18n = {
+ LANGS = "en-US";
+ NAMES = "glico";
+ };
+ metrics = {
+ ENABLED = true;
+ ENABLED_ISSUE_BY_LABEL = true;
+ ENABLED_ISSUE_BY_REPOSITORY = true;
+ };
+ other.SHOW_FOOTER_VERSION = false;
+ security.INSTALL_LOCK = true;
+ service = {
+ DISABLE_REGISTRATION = lib.mkForce true;
+ REGISTER_MANUAL_CONFIRM = true;
+ REQUIRE_SIGNIN_VIEW = false;
+ REGISTER_EMAIL_CONFIRM = false;
+ ENABLE_NOTIFY_MAIL = false;
+ ALLOW_ONLY_EXTERNAL_REGISTRATION = false;
+ ENABLE_CAPTCHA = false;
+ DEFAULT_KEEP_EMAIL_PRIVATE = true;
+ DEFAULT_ALLOW_CREATE_ORGANIZATION = true;
+ DEFAULT_ENABLE_TIMETRACKING = true;
+ };
+ server.SSH_DOMAIN = "ssh.tulpa.dev";
+ };
+ dump.enable = false;
+ database.user = "git";
+ };
+
+ services.cfdyndns.records = [ "lufta.tulpa.dev" "tulpa.dev" ];
+
+ services.nginx.virtualHosts."lufta.tulpa.dev" = {
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString cfg.httpPort}";
+ proxyWebsockets = true;
+ };
+ forceSSL = true;
+ useACMEHost = "tulpa.dev";
+ extraConfig = ''
+ access_log /var/log/nginx/gitea.access.log;
+ '';
+ };
+
+ services.nginx.virtualHosts."tulpa.dev" = {
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString cfg.httpPort}";
+ proxyWebsockets = true;
+ };
+ forceSSL = true;
+ useACMEHost = "tulpa.dev";
+ extraConfig = ''
+ access_log /var/log/nginx/gitea.access.log;
+ '';
+ };
+}
diff --git a/hosts/lufta/hardware-configuration.nix b/hosts/lufta/hardware-configuration.nix
new file mode 100644
index 0000000..9179f9e
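Review bot: `log.level = "Error"` under `services.gitea` suppresses the sign-in failure messages that Gitea emits below Error level (Warn/Info, as far as I recall), so brute-force attempts against the `tulpa.dev` login form leave nothing for fail2ban or log-based alerting to act on. `log.level = "Warn";` keeps the volume low while retaining those events. The `lufta.tulpa.dev` and `tulpa.dev` virtual hosts are identical apart from the attribute name; binding the body once in a `let` and applying it to both, as `weechat.nix` does with its `vhost` function, would stop them drifting apart.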
--- /dev/null +++ b/hosts/lufta/hardware-configuration.nix @@ -0,0 +1,72 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; + + boot.initrd.availableKernelModules = + [ "xhci_pci" "ahci" "nvme" "usbhid" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = { + device = "rpool/safe/root"; + fsType = "zfs"; + }; + + fileSystems."/nix" = { + device = "rpool/local/nix"; + fsType = "zfs"; + }; + + fileSystems."/home" = { + device = "rpool/safe/home"; + fsType = "zfs"; + }; + + fileSystems."/srv/within" = { + device = "rpool/safe/srv/within"; + fsType = "zfs"; + }; + + fileSystems."/srv/within/aura" = { + device = "rpool/safe/srv/aura"; + fsType = "zfs"; + }; + + fileSystems."/srv/http/xena.greedo.xeserv.us" = { + device = "rpool/safe/srv/xena-greedo-xeserv-us"; + fsType = "zfs"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/8e7e8aed-d92c-4bbd-8d8e-318c8920740a"; + fsType = "ext4"; + }; + + fileSystems."/var/lib/libvirt/images/pool" = { + device = "rpool/safe/vm-images"; + fsType = "zfs"; + }; + + fileSystems."/srv/backup" = { + device = "rpool/safe/srv/backup"; + fsType = "zfs"; + }; + + fileSystems."/srv/certs" = { + device = "rpool/safe/srv/certs"; + fsType = "zfs"; + }; + + fileSystems."/srv/http" = { + device = "rpool/safe/srv/http"; + fsType = "zfs"; + }; + + swapDevices = + [{ device = "/dev/disk/by-uuid/23cb316c-06d8-4a74-86d2-0d2f7474ade2"; }]; +} diff --git a/hosts/lufta/monitoring.nix b/hosts/lufta/monitoring.nix new file mode 100644 index 0000000..773b991 --- /dev/null +++ b/hosts/lufta/monitoring.nix 
@@ -0,0 +1,54 @@
+{ config, pkgs, ... }:
+
+{
+ services.prometheus = {
+ exporters = {
+ node = {
+ enable = true;
+ enabledCollectors = [ "systemd" ];
+ };
+ wireguard = { enable = true; };
+ nginx = { enable = true; };
+ nginxlog = {
+ enable = true;
+ settings = {
+ namespaces = let
+ format = ''
+ $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"'';
+ mkApp = name: {
+ metrics_override.prefix = "nginx";
+ inherit name format;
+ source.files = [ "/var/log/nginx/${name}.access.log" ];
+ namespace_label = "vhost";
+ };
+ in [
+ {
+ name = "filelogger";
+ inherit format;
+ source.files = [ "/var/log/nginx/access.log" ];
+ }
+ (mkApp "gitea")
+ (mkApp "goproxy")
+ (mkApp "graphviz")
+ (mkApp "idp")
+ (mkApp "johaus")
+ (mkApp "lewa")
+ (mkApp "maison")
+ (mkApp "mi")
+ (mkApp "olin")
+ (mkApp "printerfacts")
+ (mkApp "todayinmarch2020")
+ (mkApp "tulpaforce")
+ (mkApp "tulpanomicon")
+ (mkApp "when-then-zen")
+ (mkApp "withinwebsite")
+ (mkApp "xenafiles")
+ (mkApp "xesite")
+ ];
+ };
+ group = "nginx";
+ user = "nginx";
+ };
+ };
+ };
+}
diff --git a/hosts/lufta/weechat.nix b/hosts/lufta/weechat.nix
new file mode 100644
index 0000000..c0c837d
--- /dev/null
+++ b/hosts/lufta/weechat.nix
@@ -0,0 +1,30 @@
+{ config, pkgs, ... }:
+
+let
+ domain = name: "irc-${name}.lufta.cetacean.club";
+ vhost = { domain, port, ... }: {
+ forceSSL = true;
+ locations."^~ /weechat" = {
+ proxyPass = "http://127.0.0.1:${toString port}";
+ proxyWebsockets = true;
+ };
+ locations."/" = { root = pkgs.glowing-bear; };
+ useACMEHost = "cetacean.club";
+ };
+ cadey = domain "cadey";
+ mai = domain "mai";
+in {
+ services.cfdyndns.records = [ cadey mai ];
+
+ services.nginx.virtualHosts = {
+ "${cadey}" = vhost {
+ domain = cadey;
+ port = 28945;
+ };
+
+ "${mai}" = vhost {
+ domain = mai;
+ port = 28946;
+ };
+ };
+}
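Review bot: The node, wireguard, nginx and nginxlog exporters are enabled without a `listenAddress`, and the NixOS exporter modules default that to `0.0.0.0`, so host metrics (systemd unit names, WireGuard peer public keys and transfer counters, per-vhost request statistics) answer on every interface — including the `yggdrasil0` and Tailscale interfaces this host brings up — unless the firewall blocks the exporter ports, which this diff does not show. Add `listenAddress = "127.0.0.1";` (or the scraper's VPN address) to each exporter, or confirm `networking.firewall` is enabled on this host. Leaving `openFirewall` at its default of false, as the hunk does, is correct.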
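Review bot: `vhost` declares a `domain` parameter that its body never reads — `useACMEHost` is hard-coded and the server name comes from the attribute key — so `domain = cadey;` and `domain = mai;` at the call sites are dead. Either drop it, `vhost = { port, ... }: { … }`, or use it, e.g. `serverName = domain;`, so the binding and the vhost key cannot diverge. The relay locations proxy to `127.0.0.1:${toString port}`; that assumes the WeeChat relays on 28945/28946 are bound to loopback only, which is configured somewhere outside this file.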
diff --git a/hosts/lufta/when-then-zen.nix b/hosts/lufta/when-then-zen.nix new file mode 100644 index 0000000..45ce647 --- /dev/null +++ b/hosts/lufta/when-then-zen.nix 
@@ -0,0 +1,167 @@
+{ pkgs, ... }:
+
+let
+ port = 38471;
+ config = pkgs.writeTextFile {
+ name = "Caddyfile";
+ text = ''
+ when-then-zen.christine.website:${toString port} {
+ tls off
+ errors syslog
+
+ root /srv/http/when-then-zen.christine.website
+
+ internal /README.md
+ internal /templates
+ internal /LICENSE
+ internal /Caddyfile
+
+ ext .md
+
+ browse /bonus
+ browse /meditation /srv/http/when-then-zen.christine.website/templates/index.html
+ browse /skills /srv/http/when-then-zen.christine.website/templates/index.html
+
+ markdown / {
+ template templates/page.html
+ }
+ }
+
+ xena.greedo.xeserv.us:${toString port} {
+ tls off
+ errors syslog
+
+ header / X-Clacks-Overhead "GNU Ashlynn"
+
+ root /srv/http/xena.greedo.xeserv.us
+ markdown / {
+ template blog templates/blog.html
+ template index templates/index.html
+ }
+
+ browse
+ }
+
+ xn--u7hz981o.ws:${toString port} {
+ tls off
+ errors syslog
+
+ header / X-Clacks-Overhead "GNU Ashlynn"
+
+ internal /templates
+
+ root /srv/http/xn--u7hz981o.ws
+ markdown / {
+ template index templates/index.html
+ template page templates/page.html
+ }
+ }
+ '';
+ };
+ caddyPkg = pkgs.stdenv.mkDerivation {
+ pname = "caddy";
+ version = "1.0.4";
+ src = builtins.fetchurl {
+ url =
+ "https://github.com/caddyserver/caddy/releases/download/v1.0.4/caddy_v1.0.4_linux_amd64.tar.gz";
+ sha256 = "0cmlwkp3cjx5yw3947y91wymsr398knq92q3iwc57bdzdi33fzwy";
+ };
+
+ phases = "unpackPhase installPhase";
+
+ installPhase = ''
+ tar zxf $src
+ mkdir -p $out/bin
+ cp ./caddy $out/bin/caddy
+ '';
+ };
+in {
+ age.secrets.mi-token = {
+ file = ../../secret/lufta.aws.env.age;
+ path = "/var/lib/nginx/mi-token";
+ mode = "600";
+ owner = "nginx";
+ group = "nginx";
+ };
+
+ services.fcgiwrap.enable = true;
+ services.nginx.virtualHosts = {
+ "home.cetacean.club" = {
+ locations."/front".extraConfig = ''
+ root /tmp;
+ fastcgi_param QUERY_STRING $query_string;
+ fastcgi_param REQUEST_METHOD $request_method;
+ fastcgi_param CONTENT_TYPE
$content_type;
+ fastcgi_param CONTENT_LENGTH $content_length;
+
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
+ fastcgi_param REQUEST_URI $request_uri;
+ fastcgi_param DOCUMENT_URI $document_uri;
+ fastcgi_param DOCUMENT_ROOT /srv/http/home.cetacean.club;
+ fastcgi_param SERVER_PROTOCOL $server_protocol;
+
+ fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+ fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+ fastcgi_param REMOTE_ADDR $remote_addr;
+ fastcgi_param REMOTE_PORT $remote_port;
+ fastcgi_param SERVER_ADDR $server_addr;
+ fastcgi_param SERVER_PORT $server_port;
+ fastcgi_param SERVER_NAME $server_name;
+
+ fastcgi_param HTTPS $https;
+
+ # PHP only, required if PHP was built with --enable-force-cgi-redirect
+ fastcgi_param REDIRECT_STATUS 200;
+ fastcgi_param MI_TOKEN_PATH /var/lib/nginx/mi-token;
+ fastcgi_param SCRIPT_FILENAME ${pkgs.xeserv.whoisfront};
+ fastcgi_pass unix:/run/fcgiwrap.sock;
+ '';
+ forceSSL = true;
+ useACMEHost = "cetacean.club";
+ extraConfig = ''
+ access_log /var/log/nginx/home.cetacean.club.access.log;
+ '';
+ };
+
+ "when-then-zen.christine.website" = {
+ locations."/" = { proxyPass = "http://127.0.0.1:${toString port}"; };
+ forceSSL = true;
+ useACMEHost = "christine.website";
+ extraConfig = ''
+ access_log /var/log/nginx/when-then-zen.access.log;
+ '';
+ };
+
+ "xena.greedo.xeserv.us" = {
+ locations."/".proxyPass = "http://127.0.0.1:${toString port}";
+ forceSSL = true;
+ useACMEHost = "xeserv.us";
+ extraConfig = ''
+ access_log /var/log/nginx/xenafiles.access.log;
+ '';
+ };
+
+ "xn--u7hz981o.ws" = {
+ locations."/".proxyPass = "http://127.0.0.1:${toString port}";
+ forceSSL = true;
+ useACMEHost = "xn--u7hz981o.ws";
+ };
+ };
+
+ systemd.services.caddy = {
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ User = "nginx";
+ Group = "within";
+ Restart = "on-failure";
+ RestartSec = "30s";
+ };
+
+ script = ''
+ exec ${caddyPkg}/bin/caddy -conf
${config} -port ${toString port} -agree
+ '';
+ };
+}
diff --git a/hosts/lufta/within.nix b/hosts/lufta/within.nix
new file mode 100644
index 0000000..58d417b
--- /dev/null
+++ b/hosts/lufta/within.nix
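Review bot: `caddyPkg` fetches Caddy 1.0.4 and runs it as a long-lived service; the 1.x line has, as far as I know, been end-of-life upstream since 2020 and receives no security fixes, and although it only listens on loopback behind nginx, its `browse`, `markdown` and `ext .md` handlers still process attacker-controlled request paths. If the v1 Caddyfile cannot be migrated yet, at least confine the unit: add `NoNewPrivileges = true; ProtectSystem = "strict"; PrivateTmp = true;` next to `Restart` in `serviceConfig`, since nothing in the config shows Caddy needing to write outside its own process. Separately, the `/front` location hands a CGI binary `MI_TOKEN_PATH` via fcgiwrap, and which account fcgiwrap runs as is not set in this file (`services.fcgiwrap.user` is absent); confirm it is an unprivileged account that can read the `0600 nginx:nginx` token rather than root.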
@@ -0,0 +1,173 @@
+{ config, ... }:
+
+let
+ paths = [
+ "/srv"
+ "/home/cadey/.weechat"
+ "/home/mai/.weechat"
+ "/home/cadey/life"
+ "/home/cadey/org"
+ "/var/lib/acme"
+ "/var/lib/gitea"
+ "/var/lib/mysql"
+ "/var/lib/tor/onion"
+ "/srv/http/xena.greedo.xeserv.us/articles"
+ "/srv/http/xena.greedo.xeserv.us/books"
+ "/srv/http/xena.greedo.xeserv.us/css"
+ "/srv/http/xena.greedo.xeserv.us/fics"
+ "/srv/http/xena.greedo.xeserv.us/pkg"
+ "/srv/http/xena.greedo.xeserv.us/repo"
+ "/srv/http/xena.greedo.xeserv.us/templates"
+ "/srv/http/xena.greedo.xeserv.us/tumblr"
+ "/srv/gemini"
+ "/home/cadey/prefix/flightjournal"
+ "/run/keys"
+ "/home/cadey/backup/ponychat"
+ "/home/cadey/backup/shadowh511"
+ "/home/cadey/go/src"
+ "/home/cadey/code"
+ "/home/cadey/prefix"
+ "/home/cadey/backup/construct"
+ "/home/cadey/backup/greedo"
+ "/home/cadey/backup/luna"
+ "/home/cadey/backup/tulpa"
+ ];
+ exclude = [
+ # temporary files created by cargo
+ "**/target"
+ "/home/cadey/prefix/aura"
+ "/srv/http/xena.greedo.xeserv.us"
+ "/srv/backup"
+
+ "/var/lib/docker"
+ "/var/lib/systemd"
+ "/var/lib/libvirt"
+ "'**/.cache'"
+ "'**/.nix-profile'"
+ "'**/.elm'"
+ "'**/.emacs.d'"
+ ];
+in {
+ # services.borgbackup.jobs."hetzner" = {
+ # inherit paths exclude;
+ # repo = "ssh://u252481@u252481.your-storagebox.de:23/./lufta";
+ # encryption = {
+ # mode = "repokey-blake2";
+ # passCommand = "cat /root/borgbackup_passphrase";
+ # };
+ # environment.BORG_RSH = "ssh -i /root/.ssh/id_rsa";
+ # compression = "auto,lzma";
+ # startAt = "daily";
+ # };
+
+ within = {
+ backups = {
+ inherit exclude paths;
+ enable = true;
+ repo = "57196@usw-s007.rsync.net:lufta";
+ };
+
+ services = {
+ # webapps
+ aura = {
+ enable = true;
+ domain = "pvfmsets.cf";
+ };
+
+ mi = {
+ enable = false;
+ useACME = true;
+ domain = "mi.within.website";
+ port = 38184;
+ };
+
+ printerfacts = {
+ enable = true;
+ useACME = true;
+ domain = "printerfacts.cetacean.club";
+ };
+
+ xesite = {
+ enable = true;
+ useACME =
true;
+ domain = "christine.website";
+ };
+
+ # gemini server
+ rhea = {
+ enable = true;
+ sites = [rec {
+ domain = "cetacean.club";
+ certPath = "/run/${domain}.crt";
+ keyPath = "/run/${domain}.key";
+ files = {
+ root = "/srv/gemini/${domain}";
+ autoIndex = true;
+ userPaths = false;
+ };
+ }];
+ };
+
+ # bots
+ aerial.enable = true;
+ tron.enable = true;
+ withinbot.enable = false;
+
+ # static sites
+ lewa = {
+ enable = true;
+ useACME = true;
+ domain = "lewa.within.website";
+ };
+
+ tulpanomicon.enable = true;
+ graphviz.enable = true;
+ };
+ };
+
+ xeserv.services = {
+ aegis = {
+ enable = true;
+ hostport = "[::]:43705";
+ sockdir = "/srv/within/run";
+ };
+
+ todayinmarch2020.enable = true;
+ within-website.enable = true;
+ };
+
+ age.secrets = {
+ "cetacean-club-cert" = {
+ file = ../../secret/cetacean.club.crt.age;
+ path = "/run/cetacean.club.crt";
+ };
+ "cetacean-club-key" = {
+ file = ../../secret/cetacean.club.key.age;
+ path = "/run/cetacean.club.key";
+ };
+
+ aerial-env = {
+ file = ../../secret/aerial.env.age;
+ path = "/srv/within/aerial/.env";
+ owner = "aerial";
+ group = "within";
+ mode = "600";
+ };
+
+ aura-env = {
+ file = ../../secret/aura.env.age;
+ path = "/srv/within/aura/.env";
+ owner = "aura";
+ group = "within";
+ mode = "600";
+ };
+
+ xesite = {
+ file = ../../secrets/xesite.env.age;
+ path = "/srv/within/xesite/.env";
+ owner = "xesite";
+ group = "within";
+ mode = "0400";
+ };
+ };
+}
diff --git a/hosts/lufta/zrepl.nix b/hosts/lufta/zrepl.nix
new file mode 100644
index 0000000..e1f7b1e
--- /dev/null
+++ b/hosts/lufta/zrepl.nix
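Review bot: `age.secrets.xesite.file = ../../secrets/xesite.env.age` names a `secrets/` directory while every other entry in this attrset uses `secret/`, and this same commit adds the file as `secret/xesite.env.age`, so the path almost certainly does not exist and building this host will fail on the missing file. Change it to `file = ../../secret/xesite.env.age;`. While here, the `mode` values are inconsistent (`"600"` for aerial-env and aura-env, `"0400"` for xesite); a read-only `"0400"` is the safer choice for env files the service only reads, and the commented-out `hetzner` borg job above `within` should be deleted rather than kept as dead configuration.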
@@ -0,0 +1,54 @@
+{ config, pkgs, lib, ... }:
+
+{
+ services.zrepl = {
+ enable = false;
+ settings = {
+ global = {
+ logging = [{
+ type = "syslog";
+ level = "info";
+ format = "human";
+ }];
+ };
+
+ jobs = [{
+ name = "backups";
+ type = "push";
+ connect = {
+ type = "tcp";
+ address = "[fda2:d982:1da2:180d:ce10:49d:742d:aab7]:29491";
+ };
+ filesystems = {
+ "rpool/safe/vm<" = true;
+ "rpool/safe/vm-images" = true;
+ "rpool/safe/srv<" = true;
+ "rpool/mkvm-test/buddy" = true;
+ "rpool/safe/home" = true;
+ "rpool/safe/root" = true;
+ };
+ send.compressed = true;
+ snapshotting = {
+ type = "periodic";
+ prefix = "zrepl_";
+ interval = "10m";
+ };
+ pruning = {
+ keep_sender = [
+ { type = "not_replicated"; }
+ {
+ type = "last_n";
+ count = 10;
+ }
+ ];
+ keep_receiver = [{
+ type = "grid";
+ regex = "^zrepl_";
+ grid =
+ lib.concatStringsSep " | " [ "1x1h(keep=all)" "24x1h" "365x1d" ];
+ }];
+ };
+ }];
+ };
+ };
+}
diff --git a/hosts/toxapex/default.nix b/hosts/toxapex/default.nix
deleted file mode 100644
index fca1e9d..0000000
--- a/hosts/toxapex/default.nix
+++ /dev/null
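Review bot: The `backups` push job uses `connect.type = "tcp"`, which in zrepl is plain TCP with no encryption and no peer verification beyond the receiver's source-address allowlist, so anyone able to reach or spoof the path to `[fda2:…]:29491` could receive the raw `rpool/safe/home` and `rpool/safe/root` snapshot streams. The ULA address suggests the hop is over a VPN or yggdrasil, but the transport itself still offers nothing if that assumption breaks. Before flipping `enable = false` to `true`, switch to `connect.type = "tls"` (with `ca`/`cert`/`key`/`server_cn`) or the `ssh+stdinserver` transport, or record in a comment why the network path is considered trusted.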
@@ -1,111 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). - -{ config, pkgs, ... }: - -{ - imports = - [ # Include the results of the hardware scan. - ./hardware-configuration.nix - ../../hardware/macos-rosetta - ]; - - # Use the systemd-boot EFI boot loader. - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - - # networking.hostName = "nixos"; # Define your hostname. - # Pick only one of the below networking options. - # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. - # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. - - # Set your time zone. - # time.timeZone = "Europe/Amsterdam"; - - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # Select internationalisation properties. - # i18n.defaultLocale = "en_US.UTF-8"; - # console = { - # font = "Lat2-Terminus16"; - # keyMap = "us"; - # useXkbConfig = true; # use xkbOptions in tty. - # }; - - # Enable the X11 windowing system. - # services.xserver.enable = true; - - - - - # Configure keymap in X11 - # services.xserver.layout = "us"; - # services.xserver.xkbOptions = { - # "eurosign:e"; - # "caps:escape" # map caps to escape. - # }; - - # Enable CUPS to print documents. - # services.printing.enable = true; - - # Enable sound. - # sound.enable = true; - # hardware.pulseaudio.enable = true; - - # Enable touchpad support (enabled default in most desktopManager). - # services.xserver.libinput.enable = true; - - # Define a user account. Don't forget to set a password with ‘passwd’. - # users.users.alice = { - # isNormalUser = true; - # extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. 
- # packages = with pkgs; [ - # firefox - # thunderbird - # ]; - # }; - - # List packages installed in system profile. To search, run: - # $ nix search wget - # environment.systemPackages = with pkgs; [ - # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. - # wget - # ]; - - # Some programs need SUID wrappers, can be configured further or are - # started in user sessions. - # programs.mtr.enable = true; - # programs.gnupg.agent = { - # enable = true; - # enableSSHSupport = true; - # }; - - # List services that you want to enable: - - # Enable the OpenSSH daemon. - # services.openssh.enable = true; - - # Open ports in the firewall. - # networking.firewall.allowedTCPPorts = [ ... ]; - # networking.firewall.allowedUDPPorts = [ ... ]; - # Or disable the firewall altogether. - # networking.firewall.enable = false; - - # Copy the NixOS configuration file and link it from the resulting system - # (/run/current-system/configuration.nix). This is useful in case you - # accidentally delete configuration.nix. - # system.copySystemConfiguration = true; - - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "23.05"; # Did you read the comment? - -} - diff --git a/hosts/toxapex/hardware-configuration.nix b/hosts/toxapex/hardware-configuration.nix deleted file mode 100644 index 40e9782..0000000 --- a/hosts/toxapex/hardware-configuration.nix +++ /dev/null 
@@ -1,41 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - -{ - imports = [ ]; - - boot.initrd.availableKernelModules = [ "virtio_pci" "xhci_pci" "usb_storage" "usbhid" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = - { device = "/dev/disk/by-uuid/402c8c24-de0b-4392-9a28-37517b15d0cf"; - fsType = "ext4"; - }; - - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/CF82-94A5"; - fsType = "vfat"; - }; - - fileSystems."/host" = - { device = "share"; - fsType = "virtiofs"; - }; - - swapDevices = - [ { device = "/dev/disk/by-uuid/3fb88e75-9469-4b50-8ec0-c4fdd4dea9d0"; } - ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp0s1.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; -} diff --git a/secret/aerial.env.age b/secret/aerial.env.age new file mode 100644 index 0000000..b127dcb --- /dev/null +++ b/secret/aerial.env.age 
@@ -0,0 +1,30 @@ +age-encryption.org/v1 +-> ssh-ed25519 jO2MvQ sX8QXT0aNypOPGyo6VVCcsPu1bqKo0kr1Kd+KRZMdGI +bwzaVLVoiKk5HMI7WMxlA4kTwMpuWlD6nSAfMoK9CHY +-> ssh-ed25519 txQL9A pDxZPtIHKEldOyPsCKLFi6qW05ASwhdG1UHL2zE0jwI +3kpzZZ/BghlLsOMtBb1+IPHVR9aKMLT0fPPcXW1V/0w +-> ssh-ed25519 YcYwVA E07VHnKdJ0ndOeF9CnP5rpaZlWA6Ik0EQz3KrrZbpyE +1gOR1mZYEK5BjkwZP98vuQ1KY6HQ57M87ay+K90TZJM +-> ssh-ed25519 rIaBGw pX28F96rAo9uV+eY8z/CpymFvEst7T9hX5zwr6A6QEY +2cXfDbyPHavifi9IKmCDYJ99GuaNJA0JdeVpWzCxdXk +-> ssh-ed25519 H5HtPA 3hJ4CUQ23w7SHKqpdMgMw4i5Ka/CU7EsA1uiUfpaxx4 +NvOVzLd0QNkyySxRh7l2glJP8bMZc20EXj85VGtf4SM +-> ssh-ed25519 Yy06mw 4ybL32VLmuUdE2iXu3b0dY1FCweOH0pJfyBii3+exgc +0gEcM4MWuQzJIeiEsbabIC8IdIbLQYyrBhpcTR3hazE +-> ssh-ed25519 6Sqpww qV//WNxYiqbFzdSrd4YEQ/ji7wDSo+b7zHJqpj9wv3w +VHDq5APsm+BkZFXwGbVZkiLWzwLONw4TsyLweokrtGU +-> ssh-ed25519 Cb6l4g jd1R/g3pOX9mtuaZR0kUqTdUU4U83QXi6OI8SYCLayU +8WDPeDK6bKQYZX5LE4bTmcODkwWFXcAcYNuEyOgXDSk +-> ssh-ed25519 x40ZwA Ix0DVuYIb+6beM0dWdYnIWUOw+xdggofhi8671RoExM +1uI1L9L1r5NBTaCwOhvwPtIstP9hPRNwiOB62rAc1fY +-> ssh-ed25519 ZvILxA X2kLLYS+c/cMBEUrV++LF5vImgcfpWCX2YoKAusRA1c +UgoAYHE4kqa+8Jl9mqFQxNpeUhaazqA2TigD1VZ6ywo +-> ssh-ed25519 0rx8bA yrAvfxjl3mqeKrCSCvimj/IFHP4OzPtbmO0tbryc/gk +DoMOm0Kgv75sxWS9qkMsSDRse3+XymWf2m+MQLyUc8M +-> ssh-ed25519 extxyg vWN8YTDceSAAJvLtRZap11YkSKBRQdXktgRjJm6oMWo +KZeby3vB80nBTWIYiHpbhCl13eOyksvu9TX+KhON5GE +-> /x-grease +zIM +--- atvkZYi9jdu47B/KnBbmWqf0pJOgl+vXT0n94s6d2qE +RK gݩ$L +/ʰSRO:"6D >{po>bll^7*O:_# xHu(򅣦`M_n \ No newline at end of file diff --git a/secret/aura.env.age b/secret/aura.env.age new file mode 100644 index 0000000..89aede3 Binary files /dev/null and b/secret/aura.env.age differ diff --git a/secret/borg_ssh_key.pub b/secret/borg_ssh_key.pub new file mode 100644 index 0000000..5873bcc --- /dev/null +++ b/secret/borg_ssh_key.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMy3uSs/gLpFnRVbLPUBVJd3GHlCqFbjCnnJd7kKiErI cadey@shachi 
diff --git a/secret/borgbackup_passphrase b/secret/borgbackup_passphrase new file mode 100644 index 0000000..0a964d1 --- /dev/null +++ b/secret/borgbackup_passphrase @@ -0,0 +1,31 @@ +age-encryption.org/v1 +-> ssh-ed25519 jO2MvQ tcy9nhpJ+UPN75OkSmbysFYVJzGb+AlbmXObhnON5BQ +yQmNFxNqKQGY8HbW0ihuVnBzBp4/uxtjZYFYRSn6tNc +-> ssh-ed25519 txQL9A HtGBgibnD1j0S5PPKZaiR3q8fAU8U2kwHIlI1cNIsXM +Po5AEklI7tLGfYEqP4wQ3EVrEKvpP2rszTQAH84OJ2g +-> ssh-ed25519 YcYwVA bcXifq9JiaALth6WEJW/vo/R/2ZfhzjjvmLC4PLy7XI +d5XAJCeDmTuKZSuYpK6NLJgmL/dXMa+tY+pb0g+QnDs +-> ssh-ed25519 rIaBGw Ed5MYSq54gzHibDdwGDFl4YrOWapeoKdjOAus91UxGY +L/FGN/v7c4rPpH5MvrsJlY7z2HuS4VdCOxRyrw3I3FA +-> ssh-ed25519 H5HtPA k5YIiz/4ys7UMTTBeXNAwBNf9OQxHXl5296T9ohdcTg +gJubCP/bIYU4oe4AIMgaAEcy2Mv+WY0Lk9rsJhd9LvI +-> ssh-ed25519 Yy06mw 5GyyzJn8OduTQkThFaN2BHouEmLAT7bA9/JL9z24gBA +buY52j20/qUtOrxpY7inEpWcRAmMY9KAMj3uCsqrRJA +-> ssh-ed25519 6Sqpww pLp0l+R5n+O/YsMZOQ1sMdE6428LX8HemN4mYa0OaQU +9xCpVbzTbWWfydcCakBKNXww4aADfRXGHRX7ekvedPk +-> ssh-ed25519 Cb6l4g T9pAZAUZh05W233esyWksKcH1EmjXEF/B+X6P8b1NW0 +PvT+RJYkVWg/lKl7DiYU9gTuVq6pi5xaI3rFa1mUsYM +-> ssh-ed25519 x40ZwA n9H9PP4MnWpI6KK/OwDLajbw4XC/2y+xfEUpEnJVMg0 +3AZZT+YCRuJswxVyDWQIqaow34goNhLif6x5Xo445gM +-> ssh-ed25519 ZvILxA 2e3rs7856mAhe6Ak/emu3bqyOCkmwwAGZKq+glJpGwI +RtW50MXUf4OnX6kOEcMIzdBPlsjYxHhOCv0Ba4XHASM +-> ssh-ed25519 0rx8bA r6R57M+kOsN84QUHru71E7wBQRqfU43Z0ON95Up0Xnk +F6kr7g6MOfhrFSsdEjz3AfBzzGNBtRkOZtlu3YJVIC4 +-> ssh-ed25519 extxyg cKtLG7W85XXDy7MRS6+Z/gTEEsxoO7w+GwstY+V84SU +4cQB1BMsIFc2tvYK4LbD7b6B5MDpzMurBj+w9EwYnT4 +-> Q?-grease +8wPImyj0LyPiATdO14ObjpwPi/viYFMmPTjpfr8FLuGj3SriUUI2wRqhfHwkfKxX +EuhnMufWCr/b/jLnyS65mVOOPw +--- 9BOzJF8aanp+LJE/40BiLjoFnmausvs8Qd0BGLSgGBY +OCBq2aUMg9D΍˚.hXп+k{n ܇I$3Aز>!B`]LrS(=5"Ծu+ެp`_q +٧M# 3)MK[Uc`+KN \ No newline at end of file diff --git a/secret/borgbackup_ssh_key b/secret/borgbackup_ssh_key new file mode 100644 index 0000000..9d343c8 Binary files /dev/null and b/secret/borgbackup_ssh_key differ 
diff --git a/secret/cetacean.club.crt.age b/secret/cetacean.club.crt.age new file mode 100644 index 0000000..70bfee8 Binary files /dev/null and b/secret/cetacean.club.crt.age differ diff --git a/secret/cetacean.club.key.age b/secret/cetacean.club.key.age new file mode 100644 index 0000000..928a890 Binary files /dev/null and b/secret/cetacean.club.key.age differ diff --git a/secret/lufta.aws.env.age b/secret/lufta.aws.env.age new file mode 100644 index 0000000..8c525e3 Binary files /dev/null and b/secret/lufta.aws.env.age differ diff --git a/secret/mi-token.age b/secret/mi-token.age new file mode 100644 index 0000000..20dfb06 --- /dev/null +++ b/secret/mi-token.age 
@@ -0,0 +1,31 @@ +age-encryption.org/v1 +-> ssh-ed25519 jO2MvQ FgUB+cUmDdeoXYKPM57kBZdTTqmXIv1JwfYq9PWfAWI +gBRG1mv2R4k3q2J6Q2gLIrizLvr8D+mX4EMGEEyxdlo +-> ssh-ed25519 txQL9A cTP+Kff1oAigqllVHyb7gcoOeYUjrAHtGIDjG0/yKD0 +i1OiWrm8jnKUuQQDVyhElhT5Irv2Rd+DhoKbbuoINPo +-> ssh-ed25519 YcYwVA cdeO/P4hX78OlQSZ8EF+sVvodpf00SWZYl0ZpJwLbF4 +WIv2kkMakaNM9XmhGY3CM9H9qA8YiaqFDVTOomb0WlA +-> ssh-ed25519 rIaBGw nv+YH10pIzm2aA0aSdM5sMKy+NS7ztatMwqQ5OswqHo +f+JYkuPza0cggSdXpR3ygmaE4nWaaxhFZy6UbBoXQWQ +-> ssh-ed25519 H5HtPA 1+ZauOpNaBFSWlwpX5MLD7RcSmEMmpTVCB0fnSH2LVg +2/C2EjUY6C5aBpShLN5vdtnQa5LEKHJEL8AtQH9pOAM +-> ssh-ed25519 Yy06mw jpnvL/OtH5+RqT4yVdogNrBtsno2UgiR53FXGwzIoiY +jzrP/abR/KdCWFUnJ435Cx0PJ07Zc63SJsTRrZAq0Os +-> ssh-ed25519 6Sqpww d7n4/2JusHBvxFn27L9g5Ke5pSp7tjtX5oOvJbhosEQ +TKhIBUusBhM+D3WpXPeRxOwIU8bdBtD8uKtor2WMv0w +-> ssh-ed25519 Cb6l4g xK4SFl2hT+P9tEjZ7qkiRMomK+/lFFtj+9VA1mvVbAU +8aYpeNT/gwdvmaQ6QREA/6w5qijnTUkG9DbOw5K+29s +-> ssh-ed25519 x40ZwA GDrRgIdNjxOnIwve+lXonInZMwGvbrmekIaKuvZfaUY +IZFOEjBbsklqcwHaBl+R75c1MhIfYvwnb6nIvNkZFDo +-> ssh-ed25519 ZvILxA hMi50mp2fID8yXl6hGD7eSdVZIKL3MCwgASmRb49zX0 +9Iw7VguynWY3TNyWA4cZBoHiAqYGDf0LdAgkynbfky8 +-> ssh-ed25519 0rx8bA HARyXEVwjdvFGmHS4Ira8W97onUHTgGih+mKG4exnAs +Rq5igLlDK2BMGMy/zy/dq6yhg8Z3nqToDjWNV/lVyLI +-> ssh-ed25519 extxyg 09iNDxRuPlkTgECbeDK6ERbPhZaCWw9Jwlr7RFFuhBQ +QTBd86g+0Hy8gHnmYTsaq5kT9MfyakByqu8E+MV8Hs0 +-> |T?6xR-grease +y7ddROPArLKhAq6nHbv08HCr1rWZaSrz3enXHo+N49KqVfDqiC+Zhp3MbbdPrSoc +FYCVSeUTsu9D +--- HThg4VKfAxrrBEaeutTM2umVl8Me0wRkjt1fNec1vOM + FcЪtf #RpɡDA s?: *{BK'Z1@M@!lCHcShgIBsp&@/yxlt a6 av _)3E cX}л^+* +v鸍ޏqv]pɮl/dOYHXY j|Gʚ`p`+fN'@5l@ybLl 0wNt_2lܭ|}? &X y~܁<3 \ No newline at end of file diff --git a/secret/mi.toml.age b/secret/mi.toml.age new file mode 100644 index 0000000..8befb3a Binary files /dev/null and b/secret/mi.toml.age differ diff --git a/secret/tron.env.age b/secret/tron.env.age new file mode 100644 index 0000000..4148db3 --- /dev/null +++ b/secret/tron.env.age 
@@ -0,0 +1,30 @@ +age-encryption.org/v1 +-> ssh-ed25519 jO2MvQ mDZCMTQsUZUAJ+8UknZJnRRev4MX/A1PBP6qRSolekA +2Dj7wO070kEkH0RMbrqQvymI4ItFNyQNA3EzdY84D7s +-> ssh-ed25519 txQL9A YDunYGniXh7RVWEKSeCwI703g9oiBKKDRVJj/ZGFXB0 +W4GoPvWYPYZp8gy6X5LOwbhbwRl2waMqOHXZfFanrfw +-> ssh-ed25519 YcYwVA 1rLnVW4M49GscZCPu8S5/s2I8Zf12PPYAr85X685pHA +R1DCWV6rymwWjPBouEawPfLfIISvChYBMDwUw9rskXE +-> ssh-ed25519 rIaBGw 9lZXrVgN+2pE7cZGTWvY6s+paAxYcqH+sRa3sKFhT1Q +L9cDIMNK6NEwlcMe/A14+kK9i6ZcJ3ft/Mft/5HOuBE +-> ssh-ed25519 H5HtPA LsXMHQsp3+qapm05iw1PQ3BTm10Um5wpFwwvwXLKpWY +r80F1ibwCcT8sd7q2yKpMoTrDlJF2ooxdGuwWfjFsrg +-> ssh-ed25519 Yy06mw KDXc4HHC7wBr411HA8YikQtnlVQeHlPK2sAjSyhlwVo +380kd7mGLFcvKwVf1hbuJ+pwk6AP2h5HkuwGwrbyOwo +-> ssh-ed25519 6Sqpww UL7ktmcNpvQbYmnIi/ZAedmzw+V/f7Os9ojRPnGcOlo +yDnXQ+IpuHdpf3dHHyThsHIXiWRje2u+84w/aDUbfKg +-> ssh-ed25519 Cb6l4g 2+ZGxy6UAAuFPbw0xZZhNxRyszLjDYrTKmizkYIgFl8 +Dg12lcrf3uCnjnpXmm6zkJAZAM4nRoP6dzbxNgdmkWk +-> ssh-ed25519 x40ZwA V3+q6OxOiJJBP6RctIPv3z0CBhp+EHl0vQ+Q3x0QgAM +RViINU3HmPYpvPE1Yl0j0ha2JBD7NrRu982lc6fHSoU +-> ssh-ed25519 ZvILxA Hyh4CU07bOP+rmFhde2LjwDOhR8fgTsdF3Ds9JPZSkw +BJv1bU/uvcI1xLYY8R9LY31gtGH2xIqiwoZNRxlqKsQ +-> ssh-ed25519 0rx8bA xMqZLnnXZxqCyZdmj2xOQNlNRUlIN9rGRmvt2FD8omI +YCx5pt85/ie5WaaPiHfjSj5gM197CF9XkZ8XNiUQJQk +-> ssh-ed25519 extxyg ix+lckxf5kMdfS7O0F41x6fpmrT3RBOAv5N6Axzk3RU +XfYTFcbkyAcSW1JN3FUxKlx9RY1/HYVmhooYU4ymWos +-> ^-grease AtJ2D(w %6#@ +X +09Q88UAZ958OPbSivI9BN8nZlSL6PELmwBRbN8LVVQEy0R33henNTOBnaoWG +--- B+U3Sp+GEBqpwkN2CetGC4KJxuQyR3O3c3K/O8X5h5k + +үS :J[DE'_|"r(ihVv)ow E<(O|Z \ No newline at end of file diff --git a/secret/withinbot.env.age b/secret/withinbot.env.age new file mode 100644 index 0000000..5e73d89 --- /dev/null +++ b/secret/withinbot.env.age 
@@ -0,0 +1,30 @@ +age-encryption.org/v1 +-> ssh-ed25519 jO2MvQ Uqja6onXASxq/OgzpL7cB9qK0jAYnGqDyG0U6sJLklI +r2XL6JW4E4xlYLezbyeV4G7SDBKOAebczM9jKCaeV/4 +-> ssh-ed25519 txQL9A 41VU+wHlNsjhwek53oYLIXYCD5mARh6AS7laNmes6Ro +NO85NXuhHbzlAPUycs98U/uRRgkypOWH8J39NlA48Nc +-> ssh-ed25519 YcYwVA i95rlp2R6+P8KmrgX9/zSmIrTVELL/VDIShGo93OWiM +oI8tBddvzBX9v3cHUetUEarq5thpCMaqjPLm5gxQpWk +-> ssh-ed25519 rIaBGw iD8mwEvyCBpRZ9yQu5EgTsVLHS590GZ5Kbhz8TDff0c +lVnDL5voPEa0q7AkSUmw6/j66uwR9R6vrYf53zm+VZg +-> ssh-ed25519 H5HtPA p6dMYLz2snmRGdexOUSSEW7JmLPInQnvpxsRoNxLJSw +mqcHZnRYnApdwl05t0MmZPYbOfvn6F86Dr1Bbg6gLD0 +-> ssh-ed25519 Yy06mw DohydHTDA5W4LySkd684err2MAytcivGt+ZJiK7cTiY +nt/ASg+TIcOKrePS2LWoaSaRjHxdOdt5pBUfw/7klfo +-> ssh-ed25519 6Sqpww r4u0HdIMxDAUw1LEpBb4WJ0v9lA6L9mfalzPIua+Rkc +CxwaeandCpsV+T1nV+RJTl9tyaVS7oIdqavQByMxmjo +-> ssh-ed25519 Cb6l4g soPlS7R3EOgcWBwaqqWPNiqk4PMT9LiYs/5b3hmtWEQ +uLwwU9KsZLWZ4+4SZpXFP/OIlfgQF1U+wy8lav5KWbg +-> ssh-ed25519 x40ZwA zC5vV+0CjXayFhyImI05Exw2gfG/FZ6wDT4Jz0BBjxE +0bk5S68ztbskuKeZg+3NRF0HaXDJzdsCkqMFt6mECRk +-> ssh-ed25519 ZvILxA FN7midnLj+m/8EfFyRZuAg/xjpLPQjt9f1Xo/89YMHw +uqRJT9kyS4P7Kxs1voQLP/RPlbRhZRKvTeFC6Mxo2eY +-> ssh-ed25519 0rx8bA 4rsg7DfsFoKNOOCVKMI4ulNE308QO8GSCqTGxVC2NV8 +YYtbPih/hWnVoRZlOjSpInDuTk/YKPedNrH3778SWV4 +-> ssh-ed25519 extxyg 9JMMEZIafrZNNN7H11IY92Jqt8BEPa2V/dGZMk8A1kE +wCslVYjUb9LboUybhYbi3klAqX3MTzPyIXxl7wQccVc +-> ,Deat~W-grease Nbch}6{- 0_F]3MI D-J +DWDGbJzdtUl0aEHnz0MDQVV2UqYD5QL+OUp8p0PkNM0Ilhg7BmjXSrX74HUHX4DU +JZ2Vvcjc8vFvAg +--- 8+Jz48tU6YdydL2ku2YxWSs4TCSVVKiwJzc5QursTWg +lbr ,ٺ?Mla0vYs^̍S3r-Y2Nl̊<]b xwYrQ|TG$ `T@0R8 \ No newline at end of file diff --git a/secret/xesite.env.age b/secret/xesite.env.age new file mode 100644 index 0000000..4441e37 --- /dev/null +++ b/secret/xesite.env.age 
@@ -0,0 +1,30 @@ +age-encryption.org/v1 +-> ssh-ed25519 jO2MvQ TjUmCJ3Bw0/Swc7GLe0IpCqZvRDC9yevhXmAOhgqYAQ +jgWPK6sNIFLcAWSeIvV3Um8CJkThfLLGHAkVKpT74oA +-> ssh-ed25519 txQL9A N+5p2jxwM/VY9kUYgTwJmeZm0XRMWX5bVHJmJzeUC1c +6leDM4rQLTSuUWy4xLctHS+u9tvmOeJfHL0HVzTnJS4 +-> ssh-ed25519 YcYwVA kiUBJ7+Q6WOMIRZWJB9zusXdX2+qIeg75citJjuCAzY +PbyclvAWL4tsgOwJoNoZZ38fw5f+kcVBGPTKO6RejWY +-> ssh-ed25519 rIaBGw TBwyoDlUqNCC4/wUEmEIdRFxkV+4eEIXKhiJBl+OCAU +ocIuXQLOxr5xQN7Eh+e/g8Yk1w9K7QTiDoPT24hCfvc +-> ssh-ed25519 H5HtPA cbr71ypHuKc2oxlDolQBd/Htz/1IJ+lSgt431PzrKgE +rQmpI1uX9PKvef1+0DymkpcegoIErKIEl1krRwK7JaY +-> ssh-ed25519 Yy06mw lIV0rxlf7FwDici0VRqaTgTSWadJZOKzJ2LqK3Qv5jA +0kMrJb3nzeaSlMtZle5tv5Jo2urC/uvhEEPuL8m0zww +-> ssh-ed25519 6Sqpww eVRoSIdrN0CBRABKjQLNtfHU0kEYsyOE9imF5B1sMxg +XHVf/cvXOuERIBjYAnaDGXjUAy9exImImLPRvt90IDo +-> ssh-ed25519 Cb6l4g U5npiwIynsMAtfjGCO9tD3xt23yZEn4xbS7HuBJktF8 ++Vaq6PLqcopZn8iP9tgFvIag4onr8qs3JS2B4z/jJ6A +-> ssh-ed25519 x40ZwA iVYMar5SvPQdZBTOMdH/x6TYBwgU2VZbvY+sQnIlYh8 +H/lpnxsCCVHRSD70Srrwv3VCc80FGHDpsSODzMi49rg +-> ssh-ed25519 ZvILxA RQ+3LBulXOuq+vDjFTYQq9egZsP2iXN0MWEOl3EXfns +rCGsLoYn8VUVM4ptp+IIAgXuZetxalSoKIO3tbJEUBg +-> ssh-ed25519 0rx8bA bvj4/eT1Fz+1XuxG4yQjwadYgPPIxOyiQfs3q0NDQGY +KWU5ffP74jxZ8wvohWDkzJ13wxvGb9b4ANL2G3YCrQI +-> ssh-ed25519 extxyg BIkVxRIC9pPQENcjDjSLmTEoO6RHGXY0oVSiP6dCSAE +yCZfCpEdxI7VaX1UfHEBniht9jkC80Dsm1tS72NYIZM +-> ht-grease Ekx [Y_)&: O+o>A o +jLirD/Pjc46GwjoBqEHIcKGxLROLSSFSkb/OsLzVzT41ex1FBRqQ50wT0Bg +--- 4sBE3L2C6hGzI81Aheg4NSMUmgLdwzky+270B7k+oGU +??)yeSHSPGbGRVLÄ?ѵr蘮PX!8~'kR|qy^0;eTƁA1"'hX:c50J(_:G^ŭ$ɥK\xs%TC,>S?-@9.N)W2Tp\C3ۯ=G1#|Ɋx+,g#WUl>mfK@Yݍgzk+}KTr&d>[>5 Il •mO5'ooO(OO 4kf3W>aȐ^bBҜE|z[(GaS4<)_.0xO2 +Ocbpl>fvTtjTHM+E \ No newline at end of file diff --git a/secret/xn--sz8hf6d.ws.crt.age b/secret/xn--sz8hf6d.ws.crt.age new file mode 100644 index 0000000..385247a Binary files /dev/null and b/secret/xn--sz8hf6d.ws.crt.age differ 
diff --git a/secret/xn--sz8hf6d.ws.key.age b/secret/xn--sz8hf6d.ws.key.age new file mode 100644 index 0000000..4c8243d --- /dev/null +++ b/secret/xn--sz8hf6d.ws.key.age @@ -0,0 +1,30 @@ +age-encryption.org/v1 +-> ssh-ed25519 jO2MvQ GvwQEupjkNthH7Rme8NgSP9L788ftHSFG6jPDB+efXY +XCOQ6x8zcXjnsLavUDBVJKXc5zWlLZsQUXe48oGKK88 +-> ssh-ed25519 txQL9A IepeTe/QqjZGzlDXUkzYaaajDOI9kWFIyJexqZZYOxo +21dwm6HCaKCrySRzgjEuoSqEcaKkgOgiRkhh7G4fnVI +-> ssh-ed25519 YcYwVA gpsJpz1TOlPQwIF9L0y1hPdwIB5LyUpRcWI+7uxaRjY +eujCfAZNsy1vY85UuhoHbvLv0s578N8V1KjfrvNzrlY +-> ssh-ed25519 rIaBGw nvzFLfXF7gYWs/qjm7zZdZKi1EoTeLhtuQm9DFF6rjk +ucl1p4Lfdm5cX+amaPg4AGaOgx/8gAFGo338DDx8ISA +-> ssh-ed25519 H5HtPA vMEBfV7Kq7LXEwPTHunG7MLocmE9mVk+wt4nN+5y/kg +rrGGvqNSAVgWHAo+O20eDPwmwZql8Bv3Ka6oHR1dsgw +-> ssh-ed25519 Yy06mw iCjTX6uZ4P7RC1dPz26hAzmyv6agefQXXo7tLXadcRo +uQTS59ehxTqWuCTwevrHJ3HOehYsLh1uRzL+/rR0WzY +-> ssh-ed25519 6Sqpww ALV9B4PuGdizQTk/GBKUUjKxuthziVxdc0rGIcUnBjc +0jB5nl23QuEz1bHsui5cPHNYNUluxKZcBkbq+xJxuaY +-> ssh-ed25519 Cb6l4g x58bPssYWy2Rz9M5C1FJlHz7uCOK/g80daUyrY3ieTs +k0effIcWAe6oFBuS7dknsTBjazFindVdVGieue7F8jA +-> ssh-ed25519 x40ZwA mE1GF+8IlAC/N6+lBfvo88WTbYZ9SI/uC7LdrfmGvAI +O++6THxVg2aej5xGbeZo5Icv2OH8ZzfvURA/AAQpWOI +-> ssh-ed25519 ZvILxA KuvWA10QyzriOwQT0M9wlvx9rCKQNlEYMfmBGefWJz4 +ACglU4mnTNQZeW/wRAeCBPiEOtC7U86xUCGd+iJlWpY +-> ssh-ed25519 0rx8bA MSV57AL6ZCJtB0IMD43ZIPILPFGyV6Vd7YHXG+aYMUA +R+uNOkDBjrXbv5EP+TWEoGEUGF9HtSI5RFME5LsxOoI +-> ssh-ed25519 extxyg 0b371PzvXf89GSHtvlzxGIze2XhRu9mKYvPH8tQFUUg +cc1EHeYEp90gGMzOqxW2+V/qBDrk06GokS3iMBg06Pk +-> r=򝨌v22>"}]%&֠KV&u@uvj(-egb[tIXoF$zMȋ \ No newline at end of file diff --git a/secrets.nix b/secrets.nix index 2a3d778..c0aa158 100644 --- a/secrets.nix +++ b/secrets.nix 
@@ -40,8 +40,29 @@ in { "hosts/firgu/secret/cf.env.age".publicKeys = publicKeys; "hosts/firgu/secret/snoo2nebby.age".publicKeys = publicKeys; - "secret/aws-within.website.age".publicKeys = publicKeys; + # backup + "secret/borgbackup_passphrase".publicKeys = publicKeys; + "secret/borgbackup_ssh_key".publicKeys = publicKeys; + + # robocadey "secret/robocadey.age".publicKeys = publicKeys; + + # akkoma + "secret/aws-within.website.age".publicKeys = publicKeys; "secret/akko-keyid.age".publicKeys = publicKeys; "secret/akko-applicationkey.age".publicKeys = publicKeys; + + # lufta + "secret/cetacean.club.crt.age".publicKeys = publicKeys; + "secret/cetacean.club.key.age".publicKeys = publicKeys; + "secret/xn--sz8hf6d.ws.crt.age".publicKeys = publicKeys; + "secret/xn--sz8hf6d.ws.key.age".publicKeys = publicKeys; + "secret/lufta.aws.env.age".publicKeys = publicKeys; + "secret/mi-token.age".publicKeys = publicKeys; + "secret/mi.toml.age".publicKeys = publicKeys; + "secret/aerial.env.age".publicKeys = publicKeys; + "secret/aura.env.age".publicKeys = publicKeys; + "secret/tron.env.age".publicKeys = publicKeys; + "secret/withinbot.env.age".publicKeys = publicKeys; + "secret/xesite.env.age".publicKeys = publicKeys; }
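Review bot: The two new backup rules `"secret/borgbackup_passphrase"` and `"secret/borgbackup_ssh_key"` are the only keys in this file without the `.age` suffix, and agenix rule keys are the paths of the encrypted files, so a file at that path will not look encrypted to reviewers or to any `*.age`-based ignore/lint rule, making an accidental plaintext commit of the borg passphrase or SSH private key easy to miss; unless those files are already committed under the bare names (not visible in this chunk), I would rename them to `"secret/borgbackup_passphrase.age".publicKeys = publicKeys;` and `"secret/borgbackup_ssh_key.age".publicKeys = publicKeys;` and point the consuming `age.secrets.*.file` entries at the suffixed paths. Separately, every new entry, including the TLS private keys `cetacean.club.key.age` and `xn--sz8hf6d.ws.key.age` and the shared borg SSH key, is encrypted to the same `publicKeys` set; the recipient stanzas in the new `.age` files elsewhere in this diff show twelve `ssh-ed25519` recipients, which suggests that list is every host. If so, compromise of any single host exposes another host's TLS keys and the backup credentials for all hosts, so the per-service key material would be better encrypted to a host-specific recipient list (e.g. a `luftaKeys` subset) rather than the global one.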