cadey
/
nixos-configs
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

first attempt 

Signed-off-by: Xe <me@christine.website>
This commit is contained in:
Cadey Ratio 2023-01-01 16:51:47 -05:00
parent e9856cb8d8
commit 12d499bcc7
47 changed files with 1769 additions and 273 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
common/default.nix
View File

@ -1,5 +1,5 @@
{ config, lib, pkgs, ... }: {
imports = [ ./users ./microcode.nix ];
imports = [ ./services ./users ./microcode.nix ];
boot.cleanTmpDir = true;
boot.kernelModules = [ "wireguard" ];

57
common/services/backup.nix Normal file
View File

@ -0,0 +1,57 @@
{ config, lib, pkgs, ... }:
let cfg = config.within.backups;
in with lib; {
options.within.backups = {
enable = mkEnableOption "Enables per-host backups to rsync.net";
paths = mkOption {
type = with types; listOf str;
default = [ "/home" "/srv" "/var/lib" "/root" ];
description = "paths to backup to rsync.net";
};
exclude = mkOption {
type = with types; listOf str;
default = [
"/var/lib/docker"
"/var/lib/systemd"
"/var/lib/libvirt"
"'**/.cache'"
"'**/.nix-profile'"
"'**/.elm'"
"'**/.emacs.d'"
];
description = "paths to NOT backup to rsync.net";
};
repo = mkOption {
type = types.str;
description = "Repo to submit backups to";
};
};
config = mkIf config.within.backups.enable {
services.borgbackup.jobs."borgbase" = {
paths = cfg.paths;
exclude = cfg.exclude;
repo = cfg.repo;
encryption = {
mode = "repokey-blake2";
passCommand = "cat /root/borgbackup_passphrase";
};
environment.BORG_RSH = "ssh -i /root/borgbackup_ssh_key";
compression = "auto,lzma";
startAt = "daily";
extraArgs = "--remote-path=borg1";
};
age.secrets = {
borgbackup-passphrase = {
file = ../../secret/borgbackup_passphrase;
path = "/root/borgbackup_passphrase";
};
borgbackup-ssh-key = {
file = ../../secret/borgbackup_ssh_key;
path = "/root/borgbackup_ssh_key";
};
};
};
}

11
common/services/default.nix Normal file
View File

@ -0,0 +1,11 @@
{ ... }: {
imports = [
./backup.nix
./graphviz.nix
./lewa.nix
./mi
./tron
./tulpanomicon
./withinbot
];
}

41
common/services/graphviz.nix Normal file
View File

@ -0,0 +1,41 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.within.services.graphviz;
graphviz = pkgs.stdenv.mkDerivation {
name = "GraphvizOnline";
src = pkgs.fetchFromGitHub {
owner = "Xe";
repo = "GraphvizOnline";
rev = "98ab98e6dbabba984e49be2c8b46c470aca829fe";
sha256 = "l3BEmY20pfC1rWyQLz6j4pDPdZcv1FYKeIpBZUmosXc=";
fetchSubmodules = false;
};
phases = "installPhase";
installPhase = ''
mkdir -p $out
cp -vrf $src/* $out
'';
};
in {
options.within.services.graphviz.enable =
mkEnableOption "Activates the graphviz site";
config = mkIf cfg.enable {
services.nginx.virtualHosts."graphviz" = {
serverName = "graphviz.christine.website";
locations."/".root = graphviz;
forceSSL = true;
useACMEHost = "christine.website";
extraConfig = ''
access_log /var/log/nginx/graphviz.access.log;
'';
};
services.cfdyndns.records = [ "graphviz.christine.website" ];
};
}

38
common/services/lewa.nix Normal file
View File

@ -0,0 +1,38 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.within.services.lewa;
l'ewa = pkgs.fetchzip {
url = "https://xena.greedo.xeserv.us/files/lewa-book.tar.gz";
sha256 = "0n86fq25cnqwgfp7hfzh8l1h57a1sgvafq7lyd477amgvq0drk4c";
};
in {
options.within.services.lewa = {
enable = mkEnableOption "Activates the eBook for l'ewa";
useACME = mkEnableOption "enables ACME for cert stuff";
domain = mkOption {
type = types.str;
default = "lewa.akua";
example = "lewa.cetacean.club";
description =
"The domain name that nginx should check against for HTTP hostnames";
};
};
config = mkIf cfg.enable {
services.nginx.virtualHosts."lewa" = {
serverName = "${cfg.domain}";
locations."/".root = "${l'ewa}/book";
forceSSL = cfg.useACME;
useACMEHost = "within.website";
extraConfig = ''
access_log /var/log/nginx/lewa.access.log;
'';
};
services.cfdyndns = mkIf cfg.useACME { records = [ "${cfg.domain}" ]; };
};
}

104
common/services/mi/default.nix Normal file
View File

@ -0,0 +1,104 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.within.services.mi;
mi = with pkgs;
import
(fetchFromGitHub (builtins.fromJSON (builtins.readFile ./source.json))) { };
in {
options.within.services.mi = {
enable = mkEnableOption "Activates mi (a personal API)";
useACME = mkEnableOption "Enables ACME for cert stuff";
port = mkOption {
type = types.int;
default = 38288;
example = 9001;
description = "The port number mi should listen on for HTTP traffic";
};
domain = mkOption {
type = types.str;
default = "mi.within.website";
example = "mi.within.website";
description =
"The domain name that nginx should check against for HTTP hostnames";
};
};
config = mkIf cfg.enable {
users.users.mi = {
createHome = true;
description = "github.com/Xe/mi";
isSystemUser = true;
group = "within";
home = "/srv/within/mi";
extraGroups = [ "keys" ];
};
age.secrets.mi = {
file = ../../secret/mi.toml.age;
path = "/srv/within/mi/Rocket.toml";
owner = "mi";
group = "within";
mode = "0400";
};
systemd.services.mi = {
wantedBy = [ "multi-user.target" ];
after = [ "mi-key.service" "systemd-resolved.service" ];
wants = [ "mi-key.service" "systemd-resolved.service" ];
serviceConfig = {
User = "mi";
Group = "within";
Restart = "on-failure";
WorkingDirectory = "/srv/within/mi";
RestartSec = "30s";
Type = "notify";
};
script = ''
export ROCKET_PORT=${toString cfg.port}
exec ${mi}/bin/mi-backend
'';
};
systemd.services.mi-package-updater = {
wantedBy = [ "multi-user.target" ];
after = [ "mi-key.service" ];
wants = [ "mi-key.service" ];
serviceConfig = {
User = "mi";
Group = "within";
WorkingDirectory = "/srv/within/mi";
Type = "oneshot";
};
script = ''
export DATABASE_URL=./mi.db
exec ${mi}/bin/package_track
'';
startAt = "*-*-* 00:00:00"; # daily
};
services.nginx.virtualHosts."mi" = {
serverName = "${cfg.domain}";
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
proxyWebsockets = true;
};
forceSSL = cfg.useACME;
useACMEHost = "within.website";
extraConfig = ''
access_log /var/log/nginx/mi.access.log;
'';
};
services.cfdyndns = mkIf cfg.useACME { records = [ "${cfg.domain}" ]; };
};
}

7
common/services/mi/source.json Normal file
View File

@ -0,0 +1,7 @@
{
"owner": "Xe",
"repo": "mi",
"rev": "220a123b586445da1f99b59226f7ccbe5b4a566a",
"sha256": "wbvA3++JFv7PjVl0RyRSbhdmSouJ4k3NWgh5J4jYyGk=",
"fetchSubmodules": false
}

52
common/services/tron/default.nix Normal file
View File

@ -0,0 +1,52 @@
{ config, lib, pkgs, ... }:
let
tron = with pkgs;
callPackage (fetchgit (builtins.fromJSON (builtins.readFile ./source.json)))
{ };
in with lib; {
options.within.services.tron.enable =
mkEnableOption "Activates Tron (a furbooru moderation tool)";
config = mkIf config.within.services.tron.enable {
# User account
users.users.tron = {
createHome = true;
description = "tulpa.dev/cadey/tron";
isSystemUser = true;
group = "within";
home = "/srv/within/tron";
extraGroups = [ "keys" ];
};
# Secret config
age.secrets.tron = {
file = ../../../secret/tron.env.age;
path = "/srv/within/tron/.env";
owner = "tron";
group = "within";
mode = "0640";
};
# Service
systemd.services.tron = {
wantedBy = [ "multi-user.target" ];
after = [ "tron-key.service" ];
wants = [ "tron-key.service" ];
serviceConfig = {
User = "tron";
Group = "within";
Restart = "on-failure";
RestartSec = "30s";
};
script = ''
export $(cat /srv/within/tron/.env | xargs)
export REGEXES=${tron}/regexes.dhall
exec ${tron}/bin/tron
'';
};
};
}

9
common/services/tron/source.json Normal file
View File

@ -0,0 +1,9 @@
{
"url": "https://tulpa.dev/cadey/tron.git",
"rev": "20e69676d9899013b5c9630ad9ea01e73b8d2b06",
"sha256": "1qpkis92a837c4j1f17ic57l9qpzvnbxg61vccqhcjxfx5vbyc7k",
"fetchLFS": false,
"fetchSubmodules": false,
"deepClone": false,
"leaveDotGit": false
}

27
common/services/tulpanomicon/default.nix Normal file
View File

@ -0,0 +1,27 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.within.services.tulpanomicon;
book = with pkgs;
callPackage (fetchgit (builtins.fromJSON (builtins.readFile ./source.json)))
{ };
in {
options.within.services.tulpanomicon.enable =
mkEnableOption "Activates tulpa --force";
config = mkIf cfg.enable {
services.nginx.virtualHosts."tulpanomicon" = {
serverName = "tulpanomicon.guide";
locations."/".root = "${book}";
forceSSL = true;
useACMEHost = "tulpanomicon.guide";
extraConfig = ''
access_log /var/log/nginx/tulpanomicon.access.log;
'';
};
services.cfdyndns.records = [ "tulpanomicon.guide" ];
};
}

9
common/services/tulpanomicon/source.json Normal file
View File

@ -0,0 +1,9 @@
{
"url": "https://tulpa.dev/tulpa-ebooks/tulpanomicon.git",
"rev": "5a2cce637ec680ce6aea1e9e35cdbb73d5570221",
"sha256": "0r7imilh9p84wdb15qwmk05yab2y5qndpqka4nwqv8mk4l9jdpga",
"fetchLFS": false,
"fetchSubmodules": false,
"deepClone": false,
"leaveDotGit": false
}

91
common/services/withinbot/default.nix Normal file
View File

@ -0,0 +1,91 @@
{ config, lib, pkgs, ... }:
let
bot = with pkgs;
import
(fetchFromGitHub (builtins.fromJSON (builtins.readFile ./source.json))) { };
in with lib; {
options.within.services.withinbot.enable =
mkEnableOption "Activates Withinbot (the furryhole chatbot)";
config = mkIf config.within.services.withinbot.enable {
users.users.withinbot = {
createHome = true;
description = "github.com/Xe/withinbot";
isSystemUser = true;
group = "within";
home = "/srv/within/withinbot";
extraGroups = [ "keys" ];
};
age.secrets.withinbot = {
file = ../../../secret/withinbot.env;
path = "/srv/within/withinbot/.env";
owner = "withinbot";
group = "within";
mode = "0400";
};
systemd.services.withinbot = {
wantedBy = [ "multi-user.target" ];
after = [ "withinbot-key.service" ];
wants = [ "withinbot-key.service" ];
serviceConfig = {
User = "withinbot";
Group = "within";
Restart = "on-failure";
WorkingDirectory = "/srv/within/withinbot";
RestartSec = "30s";
# security settings
CapabilityBoundingSet = "";
DeviceAllow = [ ];
NoNewPrivileges = "true";
ProtectControlGroups = "true";
ProtectClock = "true";
PrivateDevices = "true";
PrivateUsers = "true";
ProtectHome = "true";
ProtectHostname = "true";
ProtectKernelLogs = "true";
ProtectKernelModules = "true";
ProtectKernelTunables = "true";
ProtectSystem = "true";
ProtectProc = "invisible";
RemoveIPC = "true";
RestrictAddressFamilies = [ "~AF_UNIX" "~AF_NETLINK" ];
RestrictNamespaces = [
"CLONE_NEWCGROUP"
"CLONE_NEWIPC"
"CLONE_NEWNET"
"CLONE_NEWNS"
"CLONE_NEWPID"
"CLONE_NEWUTS"
"CLONE_NEWUSER"
];
RestrictSUIDSGID = "true";
RestrictRealtime = "true";
SystemCallArchitectures = "native";
SystemCallFilter = [
"~@reboot"
"~@module"
"~@mount"
"~@swap"
"~@resources"
"~@cpu-emulation"
"~@obsolete"
"~@debug"
"~@privileged"
];
UMask = "077";
};
script = let withinbot = bot;
in ''
export CAMPAIGN_FOLDER=${withinbot}/campaigns
export RUST_LOG=error,serenity::client::bridge::gateway::shard_runner=error,serenity::gateway::shard=error
exec ${withinbot}/bin/withinbot
'';
};
};
}

7
common/services/withinbot/source.json Normal file
View File

@ -0,0 +1,7 @@
{
"owner": "Xe",
"repo": "withinbot",
"rev": "b819aec3add88298a65277fbf4e13de4fe254bc0",
"sha256": "wIZ9znXL98yNlHUxhQXH/fJihukyK6XfUCyjiJ5fgzY=",
"fetchSubmodules": false
}

160
flake.lock
View File

@ -2,7 +2,9 @@
"nodes": {
"agenix": {
"inputs": {
"nixpkgs": "nixpkgs"
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1665870395,
@ -18,6 +20,29 @@
"type": "github"
}
},
"aura": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"utils": [
"utils"
]
},
"locked": {
"lastModified": 1672605913,
"narHash": "sha256-TRHzwtCZC2IMPTq3UsFDJno3Y1k58HONotnA4B9dT+8=",
"owner": "PonyvilleFM",
"repo": "aura",
"rev": "ffc55b4177cdc1a3c6323397d077e26476843e65",
"type": "github"
},
"original": {
"owner": "PonyvilleFM",
"repo": "aura",
"type": "github"
}
},
"deno2nix": {
"inputs": {
"devshell": "devshell",
@ -48,8 +73,12 @@
"deploy-rs": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": "nixpkgs_2",
"utils": "utils"
"nixpkgs": [
"nixpkgs"
],
"utils": [
"utils"
]
},
"locked": {
"lastModified": 1672327199,
@ -219,8 +248,12 @@
},
"home-manager": {
"inputs": {
"nixpkgs": "nixpkgs_3",
"utils": "utils_2"
"nixpkgs": [
"nixpkgs"
],
"utils": [
"utils"
]
},
"locked": {
"lastModified": 1672349765,
@ -285,7 +318,7 @@
},
"naersk_2": {
"inputs": {
"nixpkgs": "nixpkgs_5"
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1650265945,
@ -345,54 +378,6 @@
}
},
"nixpkgs": {
"locked": {
"lastModified": 1665732960,
"narHash": "sha256-WBZ+uSHKFyjvd0w4inbm0cNExYTn8lpYFcHEes8tmec=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "4428e23312933a196724da2df7ab78eb5e67a88e",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1671417167,
"narHash": "sha256-JkHam6WQOwZN1t2C2sbp1TqMv3TVRjzrdoejqfefwrM=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "bb31220cca6d044baa6dc2715b07497a2a7c4bc7",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1671983799,
"narHash": "sha256-Z2Ro6hFPZHkBqkVXY5/aBUzxi5xizQGvuHQ9+T5B/ks=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "fad51abd42ca17a60fc1d4cb9382e2d79ae31836",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_4": {
"locked": {
"lastModified": 1672350804,
"narHash": "sha256-jo6zkiCabUBn3ObuKXHGqqORUMH27gYDIFFfLq5P4wg=",
@ -408,7 +393,7 @@
"type": "github"
}
},
"nixpkgs_5": {
"nixpkgs_2": {
"locked": {
"lastModified": 1650555608,
"narHash": "sha256-e34oMPWPwRWhF1K6NZnF0mNle7qDADJzjWujp8UupGo=",
@ -422,7 +407,7 @@
"type": "indirect"
}
},
"nixpkgs_6": {
"nixpkgs_3": {
"locked": {
"lastModified": 1650161686,
"narHash": "sha256-70ZWAlOQ9nAZ08OU6WY7n4Ij2kOO199dLfNlvO/+pf8=",
@ -437,7 +422,7 @@
"type": "indirect"
}
},
"nixpkgs_7": {
"nixpkgs_4": {
"locked": {
"lastModified": 1640319671,
"narHash": "sha256-ZkKmakwaOaLiZOpIZWbeJZwap5CzJ30s4UJTfydYIYc=",
@ -455,7 +440,7 @@
},
"portable-svc": {
"inputs": {
"nixpkgs": "nixpkgs_6"
"nixpkgs": "nixpkgs_3"
},
"locked": {
"lastModified": 1650586426,
@ -506,11 +491,11 @@
]
},
"locked": {
"lastModified": 1667491896,
"narHash": "sha256-v2iUBQ0kwUz5a/MZGJvhlpDj+H8PLMJFRvvgYb1knZg=",
"lastModified": 1672602248,
"narHash": "sha256-VH7/DqYZfQ5N+38gYm3xHEwMVG3iGaPmjfvVAU9ifk4=",
"owner": "Xe",
"repo": "rhea",
"rev": "30a0900b9409b9c9044c83deaaaa9f708b402eb3",
"rev": "a47a471a202e3335569e4254ad35254fb483f416",
"type": "github"
},
"original": {
@ -522,14 +507,15 @@
"root": {
"inputs": {
"agenix": "agenix",
"aura": "aura",
"deploy-rs": "deploy-rs",
"emacs-overlay": "emacs-overlay",
"home-manager": "home-manager",
"mara": "mara",
"nixpkgs": "nixpkgs_4",
"nixpkgs": "nixpkgs",
"printerfacts": "printerfacts",
"rhea": "rhea",
"utils": "utils_4",
"utils": "utils_2",
"waifud": "waifud",
"wsl": "wsl",
"x": "x",
@ -562,36 +548,6 @@
}
},
"utils": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"utils_2": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"utils_3": {
"locked": {
"lastModified": 1638122382,
"narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=",
@ -606,7 +562,7 @@
"type": "github"
}
},
"utils_4": {
"utils_2": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
@ -682,11 +638,11 @@
]
},
"locked": {
"lastModified": 1672596703,
"narHash": "sha256-jq2PwMWQE8Dt3v4WRBa2qj77apR37L0l/Dwm+es2qcQ=",
"lastModified": 1672604621,
"narHash": "sha256-V5VtmCB6htNBkYWy7zc8TD/lI+oFqUVMGxuE5IsKnXk=",
"owner": "Xe",
"repo": "x",
"rev": "88ab7e70b442a45a67e4a9f4f1ee79b0aa622273",
"rev": "1a031713e7a4813b40694ffb902b73de4e3d36da",
"type": "github"
},
"original": {
@ -708,11 +664,11 @@
]
},
"locked": {
"lastModified": 1672519133,
"narHash": "sha256-KkwWlxbX1HSBDtyKX1/4L+z+ocGkptQMGe3VnsowXZg=",
"lastModified": 1672607480,
"narHash": "sha256-iDQRK6YjXz8iCfTjhZ9LI48YzLP7xE1IaGT6a1vrxMk=",
"owner": "Xe",
"repo": "site",
"rev": "3890085b77db7637ca9b48cb7809cf898a26ec1c",
"rev": "9ab1724f06c38001afa87c38398f021d9cc64298",
"type": "github"
},
"original": {
@ -723,8 +679,8 @@
},
"xess": {
"inputs": {
"nixpkgs": "nixpkgs_7",
"utils": "utils_3"
"nixpkgs": "nixpkgs_4",
"utils": "utils"
},
"locked": {
"lastModified": 1640540322,

63
flake.nix
View File

@ -2,17 +2,32 @@
description = "My deploy-rs config for logos";
inputs = {
agenix.url = "github:ryantm/agenix";
deploy-rs.url = "github:serokell/deploy-rs";
home-manager.url = "github:nix-community/home-manager";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
utils.url = "github:numtide/flake-utils";
# external dependencies
agenix = {
url = "github:ryantm/agenix";
inputs.nixpkgs.follows = "nixpkgs";
};
deploy-rs = {
url = "github:serokell/deploy-rs";
inputs.nixpkgs.follows = "nixpkgs";
inputs.utils.follows = "utils";
};
emacs-overlay = {
url = "github:nix-community/emacs-overlay";
inputs.nixpkgs.follows = "nixpkgs";
};
home-manager = {
url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nixpkgs";
inputs.utils.follows = "utils";
};
wsl = {
url = "github:nix-community/NixOS-WSL";
inputs.nixpkgs.follows = "nixpkgs";
@ -20,41 +35,57 @@
};
# my apps
aura = {
url = "github:PonyvilleFM/aura";
inputs.nixpkgs.follows = "nixpkgs";
inputs.utils.follows = "utils";
};
printerfacts = {
url = "git+https://tulpa.dev/cadey/printerfacts.git?ref=main";
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "utils";
};
mara = {
url = "git+https://tulpa.dev/Xe/mara.git?ref=main";
inputs.nixpkgs.follows = "nixpkgs";
inputs.utils.follows = "utils";
};
rhea = {
url = "github:Xe/rhea";
inputs.nixpkgs.follows = "nixpkgs";
};
waifud = {
url = "github:Xe/waifud";
inputs.nixpkgs.follows = "nixpkgs";
inputs.utils.follows = "utils";
};
x = {
url = "github:Xe/x";
inputs.nixpkgs.follows = "nixpkgs";
inputs.utils.follows = "utils";
};
xesite = {
url = "github:Xe/site";
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "utils";
};
# legacy apps
};
outputs = { self, nixpkgs, deploy-rs, home-manager, agenix, printerfacts, mara
, rhea, waifud, emacs-overlay, wsl, x, xesite, ... }:
, rhea, waifud, emacs-overlay, wsl, x, xesite, aura, ... }:
let
pkgs = nixpkgs.legacyPackages."x86_64-linux";
pkgs = import nixpkgs {
system = "x86_64-linux";
overlays = [ x.overlays.x86_64-linux.default ];
};
mkSystem = extraModules:
nixpkgs.lib.nixosSystem rec {
@ -64,15 +95,13 @@
home-manager.nixosModules.home-manager
({ config, ... }: {
system.configurationRevision = self.sourceInfo.rev;
services.getty.greetingLine =
"<<< Welcome to NixOS ${config.system.nixos.label} @ ${self.sourceInfo.rev} - \\l >>>";
# system.configurationRevision = self.sourceInfo.rev;
# services.getty.greetingLine =
# "<<< Welcome to NixOS ${config.system.nixos.label} @ ${self.sourceInfo.rev} - \\l >>>";
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
nixpkgs.overlays = [
emacs-overlay.overlay
];
nixpkgs.overlays = [ emacs-overlay.overlay ];
})
./common
@ -80,8 +109,9 @@
mara.nixosModules.${system}.bot
rhea.nixosModule.${system}
x.nixosModules.default
#xesite.nixosModules.default
xesite.nixosModules.default
aura.nixosModules.aerial
aura.nixosModules.aura
] ++ extraModules;
};
in {
@ -328,12 +358,11 @@
];
# cloud
akko = mkSystem [
./hosts/akko
./hardware/location/YYZ
];
akko = mkSystem [ ./hosts/akko ./hardware/location/YYZ ];
firgu = mkSystem [ ./hosts/firgu ./hardware/location/YYZ ];
lufta = mkSystem [ ./hosts/lufta ];
};
deploy.nodes.akko = {

1
hosts/lufta/.gitignore vendored Normal file
View File

@ -0,0 +1 @@
secret

114
hosts/lufta/acme.nix Normal file
View File

@ -0,0 +1,114 @@
{ pkgs, ... }:
let
aws = "/var/lib/acme/.env";
extraLegoFlags = [ "--dns.resolvers=8.8.8.8:53" ];
in {
age.secrets.aws = {
file = ../../secret/lufta.aws.env.age;
path = "/var/lib/acme/.env";
mode = "600";
owner = "acme";
group = "nginx";
};
security.acme.defaults.email = "me@christine.website";
security.acme.acceptTerms = true;
security.acme.certs."xeiaso.net" = {
group = "nginx";
email = "me@christine.website";
dnsProvider = "route53";
credentialsFile = "${aws}";
extraDomainNames = [ "*.xeiaso.net" "xelaso.net" ];
inherit extraLegoFlags;
};
security.acme.certs."tulpa.dev" = {
group = "nginx";
email = "me@christine.website";
dnsProvider = "route53";
credentialsFile = "${aws}";
extraDomainNames = [ "*.tulpa.dev" ];
inherit extraLegoFlags;
};
security.acme.certs."christine.website" = {
group = "nginx";
email = "me@christine.website";
dnsProvider = "route53";
credentialsFile = "${aws}";
extraDomainNames = [ "*.christine.website" ];
inherit extraLegoFlags;
};
security.acme.certs."cetacean.club" = {
group = "nginx";
email = "me@christine.website";
dnsProvider = "route53";
credentialsFile = "${aws}";
extraDomainNames =
[ "*.cetacean.club" "*.kahless.cetacean.club" "*.lufta.cetacean.club" ];
inherit extraLegoFlags;
};
security.acme.certs."pvfmsets.cf" = {
group = "nginx";
email = "me@christine.website";
dnsProvider = "route53";
credentialsFile = "${aws}";
inherit extraLegoFlags;
};
security.acme.certs."tulpanomicon.guide" = {
group = "nginx";
email = "me@christine.website";
dnsProvider = "route53";
credentialsFile = "${aws}";
extraDomainNames = [ "*.tulpanomicon.guide" ];
inherit extraLegoFlags;
};
security.acme.certs."tulpaforce.xyz" = {
group = "nginx";
email = "me@christine.website";
dnsProvider = "route53";
credentialsFile = "${aws}";
extraDomainNames = [ "*.tulpaforce.xyz" ];
inherit extraLegoFlags;
};
security.acme.certs."within.website" = {
group = "nginx";
email = "me@christine.website";
dnsProvider = "route53";
credentialsFile = "${aws}";
extraDomainNames = [ "*.within.website" ];
inherit extraLegoFlags;
};
security.acme.certs."xeserv.us" = {
group = "nginx";
email = "me@christine.website";
dnsProvider = "route53";
credentialsFile = "${aws}";
extraDomainNames = [
"*.xeserv.us"
"*.greedo.xeserv.us"
"*.apps.xeserv.us"
"*.minipaas.xeserv.us"
];
inherit extraLegoFlags;
};
security.acme.certs."xn--u7hz981o.ws" = {
group = "nginx";
email = "me@christine.website";
dnsProvider = "route53";
credentialsFile = "${aws}";
extraDomainNames = [ "*.xn--u7hz981o.ws" ];
inherit extraLegoFlags;
};
}

9
hosts/lufta/akua.nix Normal file
View File

@ -0,0 +1,9 @@
{ pkgs, config, ... }:
let metadata = pkgs.callPackage ../../ops/metadata/peers.nix { };
in {
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
"net.ipv6.conf.all.forwarding" = 1;
};
}

28
hosts/lufta/bootstrap.nix Normal file
View File

@ -0,0 +1,28 @@
{ pkgs, ... }:
{
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPg9gYKVglnO2HQodSJt4z4mNrUSUiyJQ7b+J798bwD9 cadey@shachi"
];
networking.usePredictableInterfaceNames = false;
systemd.network = {
enable = true;
networks."eth0".extraConfig = ''
[Match]
Name = eth0
[Network]
# Add your own assigned ipv6 subnet here here!
Address = 2a01:4f9:3a:1a1c::/64
Gateway = fe80::1
# optionally you can do the same for ipv4 and disable DHCP (networking.dhcpcd.enable = false;)
Address = 135.181.162.99/26
Gateway = 135.181.162.65
'';
};
boot.supportedFilesystems = [ "zfs" ];
environment.systemPackages = with pkgs; [ wget vim zfs ];
}

5
hosts/lufta/certs.akua.nix Normal file
View File

@ -0,0 +1,5 @@
{ ... }:
{
services.nginx.virtualHosts."certs.akua" = { };
}

171
hosts/lufta/default.nix Normal file
View File

@ -0,0 +1,171 @@
{ config, pkgs, lib, ... }:
{
imports = [
./acme.nix
./akua.nix
./docker.nix
./gitea.nix
./hardware-configuration.nix
./monitoring.nix
./weechat.nix
./within.nix
./when-then-zen.nix
./zrepl.nix
];
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/nvme0n1"; # or "nodev" for efi only
boot.kernelParams = [ "zfs.zfs_arc_max=1073741824" ];
boot.zfs.devNodes = "/dev/disk/by-partuuid";
networking.hostName = "lufta"; # Define your hostname.
networking.hostId = "2487cd1f";
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = false;
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPg9gYKVglnO2HQodSJt4z4mNrUSUiyJQ7b+J798bwD9 cadey@shachi"
];
security.polkit.enable = true;
networking.usePredictableInterfaceNames = false;
systemd.network = {
enable = true;
networks."eth0".extraConfig = ''
[Match]
Name = eth0
[Network]
# Add your own assigned ipv6 subnet here here!
Address = 2a01:4f9:3a:1a1c::/64
Gateway = fe80::1
# optionally you can do the same for ipv4 and disable DHCP (networking.dhcpcd.enable = false;)
Address = 135.181.162.99/26
Gateway = 135.181.162.65
'';
};
services.tor.enable = true;
services.tor.client.enable = true;
services.tor.settings.SOCKSPort = [ 9051 ];
boot.supportedFilesystems = [ "zfs" ];
environment.systemPackages = with pkgs; [ wget vim zfs weechat tailscale ];
networking.firewall = {
enable = false;
allowedTCPPorts = [ 22 80 443 1965 6667 6697 ];
allowedUDPPorts = [ 41641 51822 51820 ];
allowedUDPPortRanges = [{
from = 32768;
to = 65535;
}];
trustedInterfaces = [ "akua" "tailscale0" ];
};
system.stateVersion = "20.09"; # Did you read the comment?
within.microcode = {
enable = true;
vendor = "amd";
};
virtualisation.docker.enable = true;
virtualisation.docker.storageDriver = "zfs";
virtualisation.libvirtd.enable = true;
systemd.services.nginx.serviceConfig.SupplementaryGroups = "within";
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
statusPage = true;
enableReload = true;
commonHttpConfig = ''
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;
real_ip_header CF-Connecting-IP;
'';
virtualHosts."withinwebsite" = {
locations = {
"/.well-known/matrix/server".extraConfig = let
# use 443 instead of the default 8448 port to unite
# the client-server and server-server port for simplicity
server = { "m.server" = "matrix.within.website:443"; };
in ''
add_header Content-Type application/json;
return 200 '${builtins.toJSON server}';
'';
"/.well-known/matrix/client".extraConfig = let
client = {
"m.homeserver" = { "base_url" = "https://matrix.within.website"; };
};
# ACAO required to allow riot-web on any URL to request this json file
in ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON client}';
'';
};
};
};
services.tailscale.enable = true;
services.mysql = {
enable = true;
package = pkgs.mariadb;
settings.mysqld.bind-address = "127.0.0.1";
};
services.zfs.autoScrub.enable = true;
services.zfs.autoSnapshot = {
enable = true;
monthly = 1;
};
services.yggdrasil = {
enable = true;
persistentKeys = true;
openMulticastPort = true;
config = {
IfName = "yggdrasil0";
Peers = [
"tls://94.103.82.150:8080"
"tcp://ams1.y.sota.sh:8080"
"tls://45.147.198.155:6010"
"tls://ygg-nl.incognet.io:8884"
];
};
};
}

20
hosts/lufta/docker.nix Normal file
View File

@ -0,0 +1,20 @@
{ config, pkgs, ... }:
{
virtualisation.oci-containers.containers = {
olin = {
image = "xena/olin:latest";
ports = [ "127.0.0.1:25723:5000" ];
environment.PORT = "5000";
};
};
services.nginx.virtualHosts."olin.within.website" = {
locations."/".proxyPass = "http://127.0.0.1:25723";
forceSSL = true;
useACMEHost = "within.website";
extraConfig = ''
access_log /var/log/nginx/olin.access.log;
'';
};
}

78
hosts/lufta/gitea.nix Normal file
View File

@ -0,0 +1,78 @@
{ config, pkgs, lib, ... }:
let cfg = config.services.gitea;
in {
users.users.git = {
description = "Gitea Service";
home = cfg.stateDir;
useDefaultShell = true;
group = "git";
isSystemUser = true;
};
users.groups.git = { };
services.gitea = {
enable = true;
user = "git";
domain = "tulpa.dev";
appName = "${cfg.domain}: git in plurality";
rootUrl = "https://${cfg.domain}/";
httpAddress = "127.0.0.1";
httpPort = 49381;
log.level = "Error";
settings = {
i18n = {
LANGS = "en-US";
NAMES = "glico";
};
metrics = {
ENABLED = true;
ENABLED_ISSUE_BY_LABEL = true;
ENABLED_ISSUE_BY_REPOSITORY = true;
};
other.SHOW_FOOTER_VERSION = false;
security.INSTALL_LOCK = true;
service = {
DISABLE_REGISTRATION = lib.mkForce true;
REGISTER_MANUAL_CONFIRM = true;
REQUIRE_SIGNIN_VIEW = false;
REGISTER_EMAIL_CONFIRM = false;
ENABLE_NOTIFY_MAIL = false;
ALLOW_ONLY_EXTERNAL_REGISTRATION = false;
ENABLE_CAPTCHA = false;
DEFAULT_KEEP_EMAIL_PRIVATE = true;
DEFAULT_ALLOW_CREATE_ORGANIZATION = true;
DEFAULT_ENABLE_TIMETRACKING = true;
};
server.SSH_DOMAIN = "ssh.tulpa.dev";
};
dump.enable = false;
database.user = "git";
};
services.cfdyndns.records = [ "lufta.tulpa.dev" "tulpa.dev" ];
services.nginx.virtualHosts."lufta.tulpa.dev" = {
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.httpPort}";
proxyWebsockets = true;
};
forceSSL = true;
useACMEHost = "tulpa.dev";
extraConfig = ''
access_log /var/log/nginx/gitea.access.log;
'';
};
services.nginx.virtualHosts."tulpa.dev" = {
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.httpPort}";
proxyWebsockets = true;
};
forceSSL = true;
useACMEHost = "tulpa.dev";
extraConfig = ''
access_log /var/log/nginx/gitea.access.log;
'';
};
}

72
hosts/lufta/hardware-configuration.nix Normal file
View File

@ -0,0 +1,72 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules =
[ "xhci_pci" "ahci" "nvme" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "rpool/safe/root";
fsType = "zfs";
};
fileSystems."/nix" = {
device = "rpool/local/nix";
fsType = "zfs";
};
fileSystems."/home" = {
device = "rpool/safe/home";
fsType = "zfs";
};
fileSystems."/srv/within" = {
device = "rpool/safe/srv/within";
fsType = "zfs";
};
fileSystems."/srv/within/aura" = {
device = "rpool/safe/srv/aura";
fsType = "zfs";
};
fileSystems."/srv/http/xena.greedo.xeserv.us" = {
device = "rpool/safe/srv/xena-greedo-xeserv-us";
fsType = "zfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/8e7e8aed-d92c-4bbd-8d8e-318c8920740a";
fsType = "ext4";
};
fileSystems."/var/lib/libvirt/images/pool" = {
device = "rpool/safe/vm-images";
fsType = "zfs";
};
fileSystems."/srv/backup" = {
device = "rpool/safe/srv/backup";
fsType = "zfs";
};
fileSystems."/srv/certs" = {
device = "rpool/safe/srv/certs";
fsType = "zfs";
};
fileSystems."/srv/http" = {
device = "rpool/safe/srv/http";
fsType = "zfs";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/23cb316c-06d8-4a74-86d2-0d2f7474ade2"; }];
}

54
hosts/lufta/monitoring.nix Normal file
View File

@ -0,0 +1,54 @@
{ config, pkgs, ... }:
{
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = [ "systemd" ];
};
wireguard = { enable = true; };
nginx = { enable = true; };
nginxlog = {
enable = true;
settings = {
namespaces = let
format = ''
$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"'';
mkApp = name: {
metrics_override.prefix = "nginx";
inherit name format;
source.files = [ "/var/log/nginx/${name}.access.log" ];
namespace_label = "vhost";
};
in [
{
name = "filelogger";
inherit format;
source.files = [ "/var/log/nginx/access.log" ];
}
(mkApp "gitea")
(mkApp "goproxy")
(mkApp "graphviz")
(mkApp "idp")
(mkApp "johaus")
(mkApp "lewa")
(mkApp "maison")
(mkApp "mi")
(mkApp "olin")
(mkApp "printerfacts")
(mkApp "todayinmarch2020")
(mkApp "tulpaforce")
(mkApp "tulpanomicon")
(mkApp "when-then-zen")
(mkApp "withinwebsite")
(mkApp "xenafiles")
(mkApp "xesite")
];
};
group = "nginx";
user = "nginx";
};
};
};
}

30
hosts/lufta/weechat.nix Normal file
View File

@ -0,0 +1,30 @@
{ config, pkgs, ... }:
let
domain = name: "irc-${name}.lufta.cetacean.club";
vhost = { domain, port, ... }: {
forceSSL = true;
locations."^~ /weechat" = {
proxyPass = "http://127.0.0.1:${toString port}";
proxyWebsockets = true;
};
locations."/" = { root = pkgs.glowing-bear; };
useACMEHost = "cetacean.club";
};
cadey = domain "cadey";
mai = domain "mai";
in {
services.cfdyndns.records = [ cadey mai ];
services.nginx.virtualHosts = {
"${cadey}" = vhost {
domain = cadey;
port = 28945;
};
"${mai}" = vhost {
domain = mai;
port = 28946;
};
};
}

167
hosts/lufta/when-then-zen.nix Normal file
View File

@ -0,0 +1,167 @@
{ pkgs, ... }:
let
port = 38471;
config = pkgs.writeTextFile {
name = "Caddyfile";
text = ''
when-then-zen.christine.website:${toString port} {
tls off
errors syslog
root /srv/http/when-then-zen.christine.website
internal /README.md
internal /templates
internal /LICENSE
internal /Caddyfile
ext .md
browse /bonus
browse /meditation /srv/http/when-then-zen.christine.website/templates/index.html
browse /skills /srv/http/when-then-zen.christine.website/templates/index.html
markdown / {
template templates/page.html
}
}
xena.greedo.xeserv.us:${toString port} {
tls off
errors syslog
header / X-Clacks-Overhead "GNU Ashlynn"
root /srv/http/xena.greedo.xeserv.us
markdown / {
template blog templates/blog.html
template index templates/index.html
}
browse
}
xn--u7hz981o.ws:${toString port} {
tls off
errors syslog
header / X-Clacks-Overhead "GNU Ashlynn"
internal /templates
root /srv/http/xn--u7hz981o.ws
markdown / {
template index templates/index.html
template page templates/page.html
}
}
'';
};
caddyPkg = pkgs.stdenv.mkDerivation {
pname = "caddy";
version = "1.0.4";
src = builtins.fetchurl {
url =
"https://github.com/caddyserver/caddy/releases/download/v1.0.4/caddy_v1.0.4_linux_amd64.tar.gz";
sha256 = "0cmlwkp3cjx5yw3947y91wymsr398knq92q3iwc57bdzdi33fzwy";
};
phases = "unpackPhase installPhase";
installPhase = ''
tar zxf $src
mkdir -p $out/bin
cp ./caddy $out/bin/caddy
'';
};
in {
age.secrets.mi-token = {
file = ../../secret/lufta.aws.env.age;
path = "/var/lib/nginx/mi-token";
mode = "600";
owner = "nginx";
group = "nginx";
};
services.fcgiwrap.enable = true;
services.nginx.virtualHosts = {
"home.cetacean.club" = {
locations."/front".extraConfig = ''
root /tmp;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT /srv/http/home.cetacean.club;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
fastcgi_param HTTPS $https;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
fastcgi_param MI_TOKEN_PATH /var/lib/nginx/mi-token;
fastcgi_param SCRIPT_FILENAME ${pkgs.xeserv.whoisfront};
fastcgi_pass unix:/run/fcgiwrap.sock;
'';
forceSSL = true;
useACMEHost = "cetacean.club";
extraConfig = ''
access_log /var/log/nginx/home.cetacean.club.access.log;
'';
};
"when-then-zen.christine.website" = {
locations."/" = { proxyPass = "http://127.0.0.1:${toString port}"; };
forceSSL = true;
useACMEHost = "christine.website";
extraConfig = ''
access_log /var/log/nginx/when-then-zen.access.log;
'';
};
"xena.greedo.xeserv.us" = {
locations."/".proxyPass = "http://127.0.0.1:${toString port}";
forceSSL = true;
useACMEHost = "xeserv.us";
extraConfig = ''
access_log /var/log/nginx/xenafiles.access.log;
'';
};
"xn--u7hz981o.ws" = {
locations."/".proxyPass = "http://127.0.0.1:${toString port}";
forceSSL = true;
useACMEHost = "xn--u7hz981o.ws";
};
};
systemd.services.caddy = {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
User = "nginx";
Group = "within";
Restart = "on-failure";
RestartSec = "30s";
};
script = ''
exec ${caddyPkg}/bin/caddy -conf ${config} -port ${toString port} -agree
'';
};
}

173
hosts/lufta/within.nix Normal file
View File

@ -0,0 +1,173 @@
{ config, ... }:
let
paths = [
"/srv"
"/home/cadey/.weechat"
"/home/mai/.weechat"
"/home/cadey/life"
"/home/cadey/org"
"/var/lib/acme"
"/var/lib/gitea"
"/var/lib/mysql"
"/var/lib/tor/onion"
"/srv/http/xena.greedo.xeserv.us/articles"
"/srv/http/xena.greedo.xeserv.us/books"
"/srv/http/xena.greedo.xeserv.us/css"
"/srv/http/xena.greedo.xeserv.us/fics"
"/srv/http/xena.greedo.xeserv.us/pkg"
"/srv/http/xena.greedo.xeserv.us/repo"
"/srv/http/xena.greedo.xeserv.us/templates"
"/srv/http/xena.greedo.xeserv.us/tumblr"
"/srv/gemini"
"/home/cadey/prefix/flightjournal"
"/run/keys"
"/home/cadey/backup/ponychat"
"/home/cadey/backup/shadowh511"
"/home/cadey/go/src"
"/home/cadey/code"
"/home/cadey/prefix"
"/home/cadey/backup/construct"
"/home/cadey/backup/greedo"
"/home/cadey/backup/luna"
"/home/cadey/backup/tulpa"
];
exclude = [
# temporary files created by cargo
"**/target"
"/home/cadey/prefix/aura"
"/srv/http/xena.greedo.xeserv.us"
"/srv/backup"
"/var/lib/docker"
"/var/lib/systemd"
"/var/lib/libvirt"
"'**/.cache'"
"'**/.nix-profile'"
"'**/.elm'"
"'**/.emacs.d'"
];
in {
# services.borgbackup.jobs."hetzner" = {
# inherit paths exclude;
# repo = "ssh://u252481@u252481.your-storagebox.de:23/./lufta";
# encryption = {
# mode = "repokey-blake2";
# passCommand = "cat /root/borgbackup_passphrase";
# };
# environment.BORG_RSH = "ssh -i /root/.ssh/id_rsa";
# compression = "auto,lzma";
# startAt = "daily";
# };
within = {
backups = {
inherit exclude paths;
enable = true;
repo = "57196@usw-s007.rsync.net:lufta";
};
services = {
# webapps
aura = {
enable = true;
domain = "pvfmsets.cf";
};
mi = {
enable = false;
useACME = true;
domain = "mi.within.website";
port = 38184;
};
printerfacts = {
enable = true;
useACME = true;
domain = "printerfacts.cetacean.club";
};
xesite = {
enable = true;
useACME = true;
domain = "christine.website";
};
# gemini server
rhea = {
enable = true;
sites = [rec {
domain = "cetacean.club";
certPath = "/run/${domain}.crt";
keyPath = "/run/${domain}.key";
files = {
root = "/srv/gemini/${domain}";
autoIndex = true;
userPaths = false;
};
}];
};
# bots
aerial.enable = true;
tron.enable = true;
withinbot.enable = false;
# static sites
lewa = {
enable = true;
useACME = true;
domain = "lewa.within.website";
};
tulpanomicon.enable = true;
graphviz.enable = true;
};
};
xeserv.services = {
aegis = {
enable = true;
hostport = "[::]:43705";
sockdir = "/srv/within/run";
};
todayinmarch2020.enable = true;
within-website.enable = true;
};
age.secrets = {
"cetacean-club-cert" = {
file = ../../secret/cetacean.club.crt.age;
path = "/run/cetacean.club.crt";
};
"cetacean-club-key" = {
file = ../../secret/cetacean.club.key.age;
path = "/run/cetacean.club.key";
};
aerial-env = {
file = ../../secret/aerial.env.age;
path = "/srv/within/aerial/.env";
owner = "aerial";
group = "within";
mode = "600";
};
aura-env = {
file = ../../secret/aura.env.age;
path = "/srv/within/aura/.env";
owner = "aura";
group = "within";
mode = "600";
};
xesite = {
file = ../../secrets/xesite.env.age;
path = "/srv/within/xesite/.env";
owner = "xesite";
group = "within";
mode = "0400";
};
};
}

54
hosts/lufta/zrepl.nix Normal file
View File

@ -0,0 +1,54 @@
{ config, pkgs, lib, ... }:
{
services.zrepl = {
enable = false;
settings = {
global = {
logging = [{
type = "syslog";
level = "info";
format = "human";
}];
};
jobs = [{
name = "backups";
type = "push";
connect = {
type = "tcp";
address = "[fda2:d982:1da2:180d:ce10:49d:742d:aab7]:29491";
};
filesystems = {
"rpool/safe/vm<" = true;
"rpool/safe/vm-images" = true;
"rpool/safe/srv<" = true;
"rpool/mkvm-test/buddy" = true;
"rpool/safe/home" = true;
"rpool/safe/root" = true;
};
send.compressed = true;
snapshotting = {
type = "periodic";
prefix = "zrepl_";
interval = "10m";
};
pruning = {
keep_sender = [
{ type = "not_replicated"; }
{
type = "last_n";
count = 10;
}
];
keep_receiver = [{
type = "grid";
regex = "^zrepl_";
grid =
lib.concatStringsSep " | " [ "1x1h(keep=all)" "24x1h" "365x1d" ];
}];
};
}];
};
};
}

111
hosts/toxapex/default.nix
View File

@ -1,111 +0,0 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
../../hardware/macos-rosetta
];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# networking.hostName = "nixos"; # Define your hostname.
# Pick only one of the below networking options.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
# Set your time zone.
# time.timeZone = "Europe/Amsterdam";
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Select internationalisation properties.
# i18n.defaultLocale = "en_US.UTF-8";
# console = {
# font = "Lat2-Terminus16";
# keyMap = "us";
# useXkbConfig = true; # use xkbOptions in tty.
# };
# Enable the X11 windowing system.
# services.xserver.enable = true;
# Configure keymap in X11
# services.xserver.layout = "us";
# services.xserver.xkbOptions = {
# "eurosign:e";
# "caps:escape" # map caps to escape.
# };
# Enable CUPS to print documents.
# services.printing.enable = true;
# Enable sound.
# sound.enable = true;
# hardware.pulseaudio.enable = true;
# Enable touchpad support (enabled default in most desktopManager).
# services.xserver.libinput.enable = true;
# Define a user account. Don't forget to set a password with passwd.
# users.users.alice = {
# isNormalUser = true;
# extraGroups = [ "wheel" ]; # Enable sudo for the user.
# packages = with pkgs; [
# firefox
# thunderbird
# ];
# };
# List packages installed in system profile. To search, run:
# $ nix search wget
# environment.systemPackages = with pkgs; [
# vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
# wget
# ];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
# List services that you want to enable:
# Enable the OpenSSH daemon.
# services.openssh.enable = true;
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you
# accidentally delete configuration.nix.
# system.copySystemConfiguration = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}

41
hosts/toxapex/hardware-configuration.nix
View File

@ -1,41 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ ];
boot.initrd.availableKernelModules = [ "virtio_pci" "xhci_pci" "usb_storage" "usbhid" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/402c8c24-de0b-4392-9a28-37517b15d0cf";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/CF82-94A5";
fsType = "vfat";
};
fileSystems."/host" =
{ device = "share";
fsType = "virtiofs";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/3fb88e75-9469-4b50-8ec0-c4fdd4dea9d0"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
}

30
secret/aerial.env.age Normal file
View File

@ -0,0 +1,30 @@
age-encryption.org/v1
-> ssh-ed25519 jO2MvQ sX8QXT0aNypOPGyo6VVCcsPu1bqKo0kr1Kd+KRZMdGI
bwzaVLVoiKk5HMI7WMxlA4kTwMpuWlD6nSAfMoK9CHY
-> ssh-ed25519 txQL9A pDxZPtIHKEldOyPsCKLFi6qW05ASwhdG1UHL2zE0jwI
3kpzZZ/BghlLsOMtBb1+IPHVR9aKMLT0fPPcXW1V/0w
-> ssh-ed25519 YcYwVA E07VHnKdJ0ndOeF9CnP5rpaZlWA6Ik0EQz3KrrZbpyE
1gOR1mZYEK5BjkwZP98vuQ1KY6HQ57M87ay+K90TZJM
-> ssh-ed25519 rIaBGw pX28F96rAo9uV+eY8z/CpymFvEst7T9hX5zwr6A6QEY
2cXfDbyPHavifi9IKmCDYJ99GuaNJA0JdeVpWzCxdXk
-> ssh-ed25519 H5HtPA 3hJ4CUQ23w7SHKqpdMgMw4i5Ka/CU7EsA1uiUfpaxx4
NvOVzLd0QNkyySxRh7l2glJP8bMZc20EXj85VGtf4SM
-> ssh-ed25519 Yy06mw 4ybL32VLmuUdE2iXu3b0dY1FCweOH0pJfyBii3+exgc
0gEcM4MWuQzJIeiEsbabIC8IdIbLQYyrBhpcTR3hazE
-> ssh-ed25519 6Sqpww qV//WNxYiqbFzdSrd4YEQ/ji7wDSo+b7zHJqpj9wv3w
VHDq5APsm+BkZFXwGbVZkiLWzwLONw4TsyLweokrtGU
-> ssh-ed25519 Cb6l4g jd1R/g3pOX9mtuaZR0kUqTdUU4U83QXi6OI8SYCLayU
8WDPeDK6bKQYZX5LE4bTmcODkwWFXcAcYNuEyOgXDSk
-> ssh-ed25519 x40ZwA Ix0DVuYIb+6beM0dWdYnIWUOw+xdggofhi8671RoExM
1uI1L9L1r5NBTaCwOhvwPtIstP9hPRNwiOB62rAc1fY
-> ssh-ed25519 ZvILxA X2kLLYS+c/cMBEUrV++LF5vImgcfpWCX2YoKAusRA1c
UgoAYHE4kqa+8Jl9mqFQxNpeUhaazqA2TigD1VZ6ywo
-> ssh-ed25519 0rx8bA yrAvfxjl3mqeKrCSCvimj/IFHP4OzPtbmO0tbryc/gk
DoMOm0Kgv75sxWS9qkMsSDRse3+XymWf2m+MQLyUc8M
-> ssh-ed25519 extxyg vWN8YTDceSAAJvLtRZap11YkSKBRQdXktgRjJm6oMWo
KZeby3vB80nBTWIYiHpbhCl13eOyksvu9TX+KhON5GE
-> /x-grease
zIM
--- atvkZYi9jdu47B/KnBbmWqf0pJOgl+vXT0n94s6d2qE
<EFBFBD>R—¤K« æö¿gÝ©$ç”L
/ÿœ‰äÿÊ°SÏ•ÓROñ:Ò"6ãD„ ¬>{ópo>»Äb¥Ïll^ 7 ·Ž°<C5BD>*OŒ<4F>:_#Ö •xHu(Ìåò…£¦ù°`M_n‡

BIN
secret/aura.env.age Normal file
View File

Binary file not shown.

1
secret/borg_ssh_key.pub Normal file
View File

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMy3uSs/gLpFnRVbLPUBVJd3GHlCqFbjCnnJd7kKiErI cadey@shachi

31
secret/borgbackup_passphrase Normal file
View File

@ -0,0 +1,31 @@
age-encryption.org/v1
-> ssh-ed25519 jO2MvQ tcy9nhpJ+UPN75OkSmbysFYVJzGb+AlbmXObhnON5BQ
yQmNFxNqKQGY8HbW0ihuVnBzBp4/uxtjZYFYRSn6tNc
-> ssh-ed25519 txQL9A HtGBgibnD1j0S5PPKZaiR3q8fAU8U2kwHIlI1cNIsXM
Po5AEklI7tLGfYEqP4wQ3EVrEKvpP2rszTQAH84OJ2g
-> ssh-ed25519 YcYwVA bcXifq9JiaALth6WEJW/vo/R/2ZfhzjjvmLC4PLy7XI
d5XAJCeDmTuKZSuYpK6NLJgmL/dXMa+tY+pb0g+QnDs
-> ssh-ed25519 rIaBGw Ed5MYSq54gzHibDdwGDFl4YrOWapeoKdjOAus91UxGY
L/FGN/v7c4rPpH5MvrsJlY7z2HuS4VdCOxRyrw3I3FA
-> ssh-ed25519 H5HtPA k5YIiz/4ys7UMTTBeXNAwBNf9OQxHXl5296T9ohdcTg
gJubCP/bIYU4oe4AIMgaAEcy2Mv+WY0Lk9rsJhd9LvI
-> ssh-ed25519 Yy06mw 5GyyzJn8OduTQkThFaN2BHouEmLAT7bA9/JL9z24gBA
buY52j20/qUtOrxpY7inEpWcRAmMY9KAMj3uCsqrRJA
-> ssh-ed25519 6Sqpww pLp0l+R5n+O/YsMZOQ1sMdE6428LX8HemN4mYa0OaQU
9xCpVbzTbWWfydcCakBKNXww4aADfRXGHRX7ekvedPk
-> ssh-ed25519 Cb6l4g T9pAZAUZh05W233esyWksKcH1EmjXEF/B+X6P8b1NW0
PvT+RJYkVWg/lKl7DiYU9gTuVq6pi5xaI3rFa1mUsYM
-> ssh-ed25519 x40ZwA n9H9PP4MnWpI6KK/OwDLajbw4XC/2y+xfEUpEnJVMg0
3AZZT+YCRuJswxVyDWQIqaow34goNhLif6x5Xo445gM
-> ssh-ed25519 ZvILxA 2e3rs7856mAhe6Ak/emu3bqyOCkmwwAGZKq+glJpGwI
RtW50MXUf4OnX6kOEcMIzdBPlsjYxHhOCv0Ba4XHASM
-> ssh-ed25519 0rx8bA r6R57M+kOsN84QUHru71E7wBQRqfU43Z0ON95Up0Xnk
F6kr7g6MOfhrFSsdEjz3AfBzzGNBtRkOZtlu3YJVIC4
-> ssh-ed25519 extxyg cKtLG7W85XXDy7MRS6+Z/gTEEsxoO7w+GwstY+V84SU
4cQB1BMsIFc2tvYK4LbD7b6B5MDpzMurBj+w9EwYnT4
-> Q?-grease
8wPImyj0LyPiATdO14ObjpwPi/viYFMmPTjpfr8FLuGj3SriUUI2wRqhfHwkfKxX
EuhnMufWCr/b/jLnyS65mVOOPw
--- 9BOzJF8aanp+LJE/40BiLjoFnmausvs8Qd0BGLSgGBY
‰OCÜBûõìq2a”UMg9±D·ìÎ<EFBFBD>“„Ëš.hX»п+»kçÚ{n¸ Û܇IÞ$ž3´Aýز>â<>!B¢µ`”]ùþµËLûrîS®ˆÖ(·=5"ÕÔ¾·uò+Þ¬p`­_Åq
Ù§M†# 3)M÷K[Uc`¸Ø+ï¥KN

BIN
secret/borgbackup_ssh_key Normal file
View File

Binary file not shown.

BIN
secret/cetacean.club.crt.age Normal file
View File

Binary file not shown.

BIN
secret/cetacean.club.key.age Normal file
View File

Binary file not shown.

BIN
secret/lufta.aws.env.age Normal file
View File

Binary file not shown.

31
secret/mi-token.age Normal file
View File

@ -0,0 +1,31 @@
age-encryption.org/v1
-> ssh-ed25519 jO2MvQ FgUB+cUmDdeoXYKPM57kBZdTTqmXIv1JwfYq9PWfAWI
gBRG1mv2R4k3q2J6Q2gLIrizLvr8D+mX4EMGEEyxdlo
-> ssh-ed25519 txQL9A cTP+Kff1oAigqllVHyb7gcoOeYUjrAHtGIDjG0/yKD0
i1OiWrm8jnKUuQQDVyhElhT5Irv2Rd+DhoKbbuoINPo
-> ssh-ed25519 YcYwVA cdeO/P4hX78OlQSZ8EF+sVvodpf00SWZYl0ZpJwLbF4
WIv2kkMakaNM9XmhGY3CM9H9qA8YiaqFDVTOomb0WlA
-> ssh-ed25519 rIaBGw nv+YH10pIzm2aA0aSdM5sMKy+NS7ztatMwqQ5OswqHo
f+JYkuPza0cggSdXpR3ygmaE4nWaaxhFZy6UbBoXQWQ
-> ssh-ed25519 H5HtPA 1+ZauOpNaBFSWlwpX5MLD7RcSmEMmpTVCB0fnSH2LVg
2/C2EjUY6C5aBpShLN5vdtnQa5LEKHJEL8AtQH9pOAM
-> ssh-ed25519 Yy06mw jpnvL/OtH5+RqT4yVdogNrBtsno2UgiR53FXGwzIoiY
jzrP/abR/KdCWFUnJ435Cx0PJ07Zc63SJsTRrZAq0Os
-> ssh-ed25519 6Sqpww d7n4/2JusHBvxFn27L9g5Ke5pSp7tjtX5oOvJbhosEQ
TKhIBUusBhM+D3WpXPeRxOwIU8bdBtD8uKtor2WMv0w
-> ssh-ed25519 Cb6l4g xK4SFl2hT+P9tEjZ7qkiRMomK+/lFFtj+9VA1mvVbAU
8aYpeNT/gwdvmaQ6QREA/6w5qijnTUkG9DbOw5K+29s
-> ssh-ed25519 x40ZwA GDrRgIdNjxOnIwve+lXonInZMwGvbrmekIaKuvZfaUY
IZFOEjBbsklqcwHaBl+R75c1MhIfYvwnb6nIvNkZFDo
-> ssh-ed25519 ZvILxA hMi50mp2fID8yXl6hGD7eSdVZIKL3MCwgASmRb49zX0
9Iw7VguynWY3TNyWA4cZBoHiAqYGDf0LdAgkynbfky8
-> ssh-ed25519 0rx8bA HARyXEVwjdvFGmHS4Ira8W97onUHTgGih+mKG4exnAs
Rq5igLlDK2BMGMy/zy/dq6yhg8Z3nqToDjWNV/lVyLI
-> ssh-ed25519 extxyg 09iNDxRuPlkTgECbeDK6ERbPhZaCWw9Jwlr7RFFuhBQ
QTBd86g+0Hy8gHnmYTsaq5kT9MfyakByqu8E+MV8Hs0
-> |T?6xR-grease
y7ddROPArLKhAq6nHbv08HCr1rWZaSrz3enXHo+N49KqVfDqiC+Zhp3MbbdPrSoc
FYCVSeUTsu9D
--- HThg4VKfAxrrBEaeutTM2umVl8Me0wRkjt1fNec1vOM
ö·FcЪt™žf íÔ#<23>R³pÉ¡DøA ¸ØsŒû„?:³ *ûí{B¬KÍ'Z1·ÄßéØ@M@¤ç!lCH³cSÖóhà‰àgIBsp&@ÿ¬þ/¶ÛyxÏlÇ̵Ît• a6 Âavð Ää<C384>_)3E ¿«¶cX©}˜×óл^ÜÙî+˜*
¸<C3A9>Þ<EFBFBD>¼qŸž¤”Ýåvœ„]÷pÉ®lâÓÜ/åd²OºY¢HžXY ¢j°Ž<C2B0>|GÊš”ü`Ÿº˜p`ê+ÌfàN'@Ø5l¶Ý@Àyáób§­„µL•l »Ð0­ÍwNéÊîtçÎÌ_œî2­|¾Š}ˆþ? Ó &Xâ <0A>yÃÐõÑðÚö~Ü<><ã§È3

BIN
secret/mi.toml.age Normal file
View File

Binary file not shown.

30
secret/tron.env.age Normal file
View File

@ -0,0 +1,30 @@
age-encryption.org/v1
-> ssh-ed25519 jO2MvQ mDZCMTQsUZUAJ+8UknZJnRRev4MX/A1PBP6qRSolekA
2Dj7wO070kEkH0RMbrqQvymI4ItFNyQNA3EzdY84D7s
-> ssh-ed25519 txQL9A YDunYGniXh7RVWEKSeCwI703g9oiBKKDRVJj/ZGFXB0
W4GoPvWYPYZp8gy6X5LOwbhbwRl2waMqOHXZfFanrfw
-> ssh-ed25519 YcYwVA 1rLnVW4M49GscZCPu8S5/s2I8Zf12PPYAr85X685pHA
R1DCWV6rymwWjPBouEawPfLfIISvChYBMDwUw9rskXE
-> ssh-ed25519 rIaBGw 9lZXrVgN+2pE7cZGTWvY6s+paAxYcqH+sRa3sKFhT1Q
L9cDIMNK6NEwlcMe/A14+kK9i6ZcJ3ft/Mft/5HOuBE
-> ssh-ed25519 H5HtPA LsXMHQsp3+qapm05iw1PQ3BTm10Um5wpFwwvwXLKpWY
r80F1ibwCcT8sd7q2yKpMoTrDlJF2ooxdGuwWfjFsrg
-> ssh-ed25519 Yy06mw KDXc4HHC7wBr411HA8YikQtnlVQeHlPK2sAjSyhlwVo
380kd7mGLFcvKwVf1hbuJ+pwk6AP2h5HkuwGwrbyOwo
-> ssh-ed25519 6Sqpww UL7ktmcNpvQbYmnIi/ZAedmzw+V/f7Os9ojRPnGcOlo
yDnXQ+IpuHdpf3dHHyThsHIXiWRje2u+84w/aDUbfKg
-> ssh-ed25519 Cb6l4g 2+ZGxy6UAAuFPbw0xZZhNxRyszLjDYrTKmizkYIgFl8
Dg12lcrf3uCnjnpXmm6zkJAZAM4nRoP6dzbxNgdmkWk
-> ssh-ed25519 x40ZwA V3+q6OxOiJJBP6RctIPv3z0CBhp+EHl0vQ+Q3x0QgAM
RViINU3HmPYpvPE1Yl0j0ha2JBD7NrRu982lc6fHSoU
-> ssh-ed25519 ZvILxA Hyh4CU07bOP+rmFhde2LjwDOhR8fgTsdF3Ds9JPZSkw
BJv1bU/uvcI1xLYY8R9LY31gtGH2xIqiwoZNRxlqKsQ
-> ssh-ed25519 0rx8bA xMqZLnnXZxqCyZdmj2xOQNlNRUlIN9rGRmvt2FD8omI
YCx5pt85/ie5WaaPiHfjSj5gM197CF9XkZ8XNiUQJQk
-> ssh-ed25519 extxyg ix+lckxf5kMdfS7O0F41x6fpmrT3RBOAv5N6Axzk3RU
XfYTFcbkyAcSW1JN3FUxKlx9RY1/HYVmhooYU4ymWos
-> ^-grease AtJ2D(w %6#@ +X
09Q88UAZ958OPbSivI9BN8nZlSL6PELmwBRbN8LVVQEy0R33henNTOBnaoWG
--- B+U3Sp+GEBqpwkN2CetGC4KJxuQyR3O3c3K/O8X5h5k
ê
äÒ¯SÕý” <Š!!À‚ ãð{ù„©~Áô£Êù<C38A>÷HŠ¾¼8õ<38>ÿÊoâRê%ØãtH¹vDV_%N:—)Bÿ/¹Cr<43>k?ØüÌáµÔ B§žzgÝÎ<C39D>×7|·ÏȺR<C2BA>°ƒìÉÏžv<C5BE>cpMŒ_©ü¹DUæF:•#=<3D>37C¬Ñ wÖÄlõÌ~¼J×<4A>ý42÷RŽxT!ÝcÃ)Ž-Vä@îb<C3AE>öŽ>Ø:¨˜ŠJ[DáÄE'ýÕùù†Ê_ï|£—ü’Î"r´³<C2B4>«(Á<>º©iÌh„öVvõø»Ì)§£Àío¬ÁÂw E<(ƒóO|ZòÛ

30
secret/withinbot.env.age Normal file
View File

@ -0,0 +1,30 @@
age-encryption.org/v1
-> ssh-ed25519 jO2MvQ Uqja6onXASxq/OgzpL7cB9qK0jAYnGqDyG0U6sJLklI
r2XL6JW4E4xlYLezbyeV4G7SDBKOAebczM9jKCaeV/4
-> ssh-ed25519 txQL9A 41VU+wHlNsjhwek53oYLIXYCD5mARh6AS7laNmes6Ro
NO85NXuhHbzlAPUycs98U/uRRgkypOWH8J39NlA48Nc
-> ssh-ed25519 YcYwVA i95rlp2R6+P8KmrgX9/zSmIrTVELL/VDIShGo93OWiM
oI8tBddvzBX9v3cHUetUEarq5thpCMaqjPLm5gxQpWk
-> ssh-ed25519 rIaBGw iD8mwEvyCBpRZ9yQu5EgTsVLHS590GZ5Kbhz8TDff0c
lVnDL5voPEa0q7AkSUmw6/j66uwR9R6vrYf53zm+VZg
-> ssh-ed25519 H5HtPA p6dMYLz2snmRGdexOUSSEW7JmLPInQnvpxsRoNxLJSw
mqcHZnRYnApdwl05t0MmZPYbOfvn6F86Dr1Bbg6gLD0
-> ssh-ed25519 Yy06mw DohydHTDA5W4LySkd684err2MAytcivGt+ZJiK7cTiY
nt/ASg+TIcOKrePS2LWoaSaRjHxdOdt5pBUfw/7klfo
-> ssh-ed25519 6Sqpww r4u0HdIMxDAUw1LEpBb4WJ0v9lA6L9mfalzPIua+Rkc
CxwaeandCpsV+T1nV+RJTl9tyaVS7oIdqavQByMxmjo
-> ssh-ed25519 Cb6l4g soPlS7R3EOgcWBwaqqWPNiqk4PMT9LiYs/5b3hmtWEQ
uLwwU9KsZLWZ4+4SZpXFP/OIlfgQF1U+wy8lav5KWbg
-> ssh-ed25519 x40ZwA zC5vV+0CjXayFhyImI05Exw2gfG/FZ6wDT4Jz0BBjxE
0bk5S68ztbskuKeZg+3NRF0HaXDJzdsCkqMFt6mECRk
-> ssh-ed25519 ZvILxA FN7midnLj+m/8EfFyRZuAg/xjpLPQjt9f1Xo/89YMHw
uqRJT9kyS4P7Kxs1voQLP/RPlbRhZRKvTeFC6Mxo2eY
-> ssh-ed25519 0rx8bA 4rsg7DfsFoKNOOCVKMI4ulNE308QO8GSCqTGxVC2NV8
YYtbPih/hWnVoRZlOjSpInDuTk/YKPedNrH3778SWV4
-> ssh-ed25519 extxyg 9JMMEZIafrZNNN7H11IY92Jqt8BEPa2V/dGZMk8A1kE
wCslVYjUb9LboUybhYbi3klAqX3MTzPyIXxl7wQccVc
-> ,Deat~W-grease Nbch}6{- 0_F]3MI D-J
DWDGbJzdtUl0aEHnz0MDQVV2UqYD5QL+OUp8p0PkNM0Ilhg7BmjXSrX74HUHX4DU
JZ2Vvcjc8vFvAg
--- 8+Jz48tU6YdydL2ku2YxWSs4TCSVVKiwJzc5QursTWg
<<3C>dLìjbä‰é^K•„gdNh”Ô9. +j IF¦ "i§÷ ‚;œ]<5D>¼Ö*züߢP2XFÖ%¹â Î'oè¤^¨(m£¯[DSˆ3,Á¿zÛ^ksæ…%ìê‡evú¨l…D-¤—é\ÆÿA¿é a¸Ò•tŽT]¾Â<C2BE>Ï Im˜œ8Φ,;EhkÀø>lÃbrÛ ¹¬…, Ùºê?Mýäla€ 0íšvùYs^Ì<>ÕÎS3Ãír×Ç-úÝYÌ2èNÓlÈëê„ÌŠ<]ãb §x ÷“ÚwYr÷÷QÏÈ|¦TÝG$ ĸŒ`£T@¾0R˜8

30
secret/xesite.env.age Normal file
View File

@ -0,0 +1,30 @@
age-encryption.org/v1
-> ssh-ed25519 jO2MvQ TjUmCJ3Bw0/Swc7GLe0IpCqZvRDC9yevhXmAOhgqYAQ
jgWPK6sNIFLcAWSeIvV3Um8CJkThfLLGHAkVKpT74oA
-> ssh-ed25519 txQL9A N+5p2jxwM/VY9kUYgTwJmeZm0XRMWX5bVHJmJzeUC1c
6leDM4rQLTSuUWy4xLctHS+u9tvmOeJfHL0HVzTnJS4
-> ssh-ed25519 YcYwVA kiUBJ7+Q6WOMIRZWJB9zusXdX2+qIeg75citJjuCAzY
PbyclvAWL4tsgOwJoNoZZ38fw5f+kcVBGPTKO6RejWY
-> ssh-ed25519 rIaBGw TBwyoDlUqNCC4/wUEmEIdRFxkV+4eEIXKhiJBl+OCAU
ocIuXQLOxr5xQN7Eh+e/g8Yk1w9K7QTiDoPT24hCfvc
-> ssh-ed25519 H5HtPA cbr71ypHuKc2oxlDolQBd/Htz/1IJ+lSgt431PzrKgE
rQmpI1uX9PKvef1+0DymkpcegoIErKIEl1krRwK7JaY
-> ssh-ed25519 Yy06mw lIV0rxlf7FwDici0VRqaTgTSWadJZOKzJ2LqK3Qv5jA
0kMrJb3nzeaSlMtZle5tv5Jo2urC/uvhEEPuL8m0zww
-> ssh-ed25519 6Sqpww eVRoSIdrN0CBRABKjQLNtfHU0kEYsyOE9imF5B1sMxg
XHVf/cvXOuERIBjYAnaDGXjUAy9exImImLPRvt90IDo
-> ssh-ed25519 Cb6l4g U5npiwIynsMAtfjGCO9tD3xt23yZEn4xbS7HuBJktF8
+Vaq6PLqcopZn8iP9tgFvIag4onr8qs3JS2B4z/jJ6A
-> ssh-ed25519 x40ZwA iVYMar5SvPQdZBTOMdH/x6TYBwgU2VZbvY+sQnIlYh8
H/lpnxsCCVHRSD70Srrwv3VCc80FGHDpsSODzMi49rg
-> ssh-ed25519 ZvILxA RQ+3LBulXOuq+vDjFTYQq9egZsP2iXN0MWEOl3EXfns
rCGsLoYn8VUVM4ptp+IIAgXuZetxalSoKIO3tbJEUBg
-> ssh-ed25519 0rx8bA bvj4/eT1Fz+1XuxG4yQjwadYgPPIxOyiQfs3q0NDQGY
KWU5ffP74jxZ8wvohWDkzJ13wxvGb9b4ANL2G3YCrQI
-> ssh-ed25519 extxyg BIkVxRIC9pPQENcjDjSLmTEoO6RHGXY0oVSiP6dCSAE
yCZfCpEdxI7VaX1UfHEBniht9jkC80Dsm1tS72NYIZM
-> ht-grease Ekx [Y_)&: O+o>A o
jLirD/Pjc46GwjoBqEHIcKGxLROLSSFSkb/OsLzVzT41ex1FBRqQ50wT0Bg
--- 4sBE3L2C6hGzI81Aheg4NSMUmgLdwzky+270B7k+oGU
?æ?)yeÆSHSPG¤bºGR…¦¾ÅV¦åLÓÄŠª¡?Âѵ¨¤Èrœú蘮ûPÚXöää!8±è~'øŒØk—ïÀRñÂþ«|¦¹¼qñ°Ây^… 0ü;<3B>ö‹ÄTÆ<54>ÜA1†Ÿ"¡'hŽæùžX:cø50J(_:G^­Å­¬¥$É¥K\xsŸ%T¦‡C±<43>,>SŒ·£ñì<C3B1>ùð¬?¢Íú‚ü-@½¯æŽƒà9Öá±.ûN)åW2Tp\š˜C3 Û¯=G1#|ÉŠxîª+,òg#•W‰áUl>ÞmfKŽ´@†ªYÉÝ<C389>g§Êzùk¯+Œ}¤‰¢Ã×KTr ¯µ÷õ&ýéd>[>”·5• IÅÝäæl¢Ù •mÆOñ5'oo¿ó¶O<C2B6>ç(‰ïOO 4Ùkf3W·>aÈ<61>ã^¦bŒBçÒœÂE|îz[ž(Ga³ëSœÏÏ4Œ<Ï)<29>ç_×.ø¼0xÑ÷Oºû2
¡O¬cbplÎý>åfœ÷®v£TtÄj½ËTHM+ÙEý†

BIN
secret/xn--sz8hf6d.ws.crt.age Normal file
View File

Binary file not shown.

30
secret/xn--sz8hf6d.ws.key.age Normal file
View File

@ -0,0 +1,30 @@
age-encryption.org/v1
-> ssh-ed25519 jO2MvQ GvwQEupjkNthH7Rme8NgSP9L788ftHSFG6jPDB+efXY
XCOQ6x8zcXjnsLavUDBVJKXc5zWlLZsQUXe48oGKK88
-> ssh-ed25519 txQL9A IepeTe/QqjZGzlDXUkzYaaajDOI9kWFIyJexqZZYOxo
21dwm6HCaKCrySRzgjEuoSqEcaKkgOgiRkhh7G4fnVI
-> ssh-ed25519 YcYwVA gpsJpz1TOlPQwIF9L0y1hPdwIB5LyUpRcWI+7uxaRjY
eujCfAZNsy1vY85UuhoHbvLv0s578N8V1KjfrvNzrlY
-> ssh-ed25519 rIaBGw nvzFLfXF7gYWs/qjm7zZdZKi1EoTeLhtuQm9DFF6rjk
ucl1p4Lfdm5cX+amaPg4AGaOgx/8gAFGo338DDx8ISA
-> ssh-ed25519 H5HtPA vMEBfV7Kq7LXEwPTHunG7MLocmE9mVk+wt4nN+5y/kg
rrGGvqNSAVgWHAo+O20eDPwmwZql8Bv3Ka6oHR1dsgw
-> ssh-ed25519 Yy06mw iCjTX6uZ4P7RC1dPz26hAzmyv6agefQXXo7tLXadcRo
uQTS59ehxTqWuCTwevrHJ3HOehYsLh1uRzL+/rR0WzY
-> ssh-ed25519 6Sqpww ALV9B4PuGdizQTk/GBKUUjKxuthziVxdc0rGIcUnBjc
0jB5nl23QuEz1bHsui5cPHNYNUluxKZcBkbq+xJxuaY
-> ssh-ed25519 Cb6l4g x58bPssYWy2Rz9M5C1FJlHz7uCOK/g80daUyrY3ieTs
k0effIcWAe6oFBuS7dknsTBjazFindVdVGieue7F8jA
-> ssh-ed25519 x40ZwA mE1GF+8IlAC/N6+lBfvo88WTbYZ9SI/uC7LdrfmGvAI
O++6THxVg2aej5xGbeZo5Icv2OH8ZzfvURA/AAQpWOI
-> ssh-ed25519 ZvILxA KuvWA10QyzriOwQT0M9wlvx9rCKQNlEYMfmBGefWJz4
ACglU4mnTNQZeW/wRAeCBPiEOtC7U86xUCGd+iJlWpY
-> ssh-ed25519 0rx8bA MSV57AL6ZCJtB0IMD43ZIPILPFGyV6Vd7YHXG+aYMUA
R+uNOkDBjrXbv5EP+TWEoGEUGF9HtSI5RFME5LsxOoI
-> ssh-ed25519 extxyg 0b371PzvXf89GSHtvlzxGIze2XhRu9mKYvPH8tQFUUg
cc1EHeYEp90gGMzOqxW2+V/qBDrk06GokS3iMBg06Pk
-> <G-grease mnuC*3{ mD@e },U6!
KjhiKqIS4fD8BYfxa25NLQcdlQW4EvMKXHbf0atwyvZTvJdcaduCWqWf0DG6uRoD
h913xdhXq1c/AQRDj0RAL5oN76oap5YzK/Gvw/5O
--- PPomXfotXOn4BScoWpGYidrg61bEaYghSSQwlhyNKEY
âv6!¤¤hëDÔ¨B÷ÎÉ,öqLŽ(“òÕ×3g®0ÿõ ½s¯|‰¶^q&@Ý1NTUŠ&iOvî-7ΊԆ¤×WljàÓ/–š<6½s­tLï#Ót'É=Ç@<3yt¨Ã‡æ« Ĉµ~`³ý\jÈSí—Ñ.Ü™rjœœìÕl*ùø<C3B9>+&<>Î)XfIÛØ´ØF´¢ÿ=ƒA.]??ÎÈ*>r=Í×ò<C397>¨Œž„žvó22>"¿—ý÷}“ö]ú%&°Ö ¢ôÛKÅV&¶Ùþªu@¾†²îu²vj(¹-°eâgæbÎ[tIÿÜX¿ÿoú<6F>F$èÃzžë§MÈ«

23
secrets.nix
View File

@ -40,8 +40,29 @@ in {
"hosts/firgu/secret/cf.env.age".publicKeys = publicKeys;
"hosts/firgu/secret/snoo2nebby.age".publicKeys = publicKeys;
"secret/aws-within.website.age".publicKeys = publicKeys;
# backup
"secret/borgbackup_passphrase".publicKeys = publicKeys;
"secret/borgbackup_ssh_key".publicKeys = publicKeys;
# robocadey
"secret/robocadey.age".publicKeys = publicKeys;
# akkoma
"secret/aws-within.website.age".publicKeys = publicKeys;
"secret/akko-keyid.age".publicKeys = publicKeys;
"secret/akko-applicationkey.age".publicKeys = publicKeys;
# lufta
"secret/cetacean.club.crt.age".publicKeys = publicKeys;
"secret/cetacean.club.key.age".publicKeys = publicKeys;
"secret/xn--sz8hf6d.ws.crt.age".publicKeys = publicKeys;
"secret/xn--sz8hf6d.ws.key.age".publicKeys = publicKeys;
"secret/lufta.aws.env.age".publicKeys = publicKeys;
"secret/mi-token.age".publicKeys = publicKeys;
"secret/mi.toml.age".publicKeys = publicKeys;
"secret/aerial.env.age".publicKeys = publicKeys;
"secret/aura.env.age".publicKeys = publicKeys;
"secret/tron.env.age".publicKeys = publicKeys;
"secret/withinbot.env.age".publicKeys = publicKeys;
"secret/xesite.env.age".publicKeys = publicKeys;
}