From 0bd4baf3d1c7a6ed9e557c67b7fff52355a73ab1 Mon Sep 17 00:00:00 2001 
From: 4o1x5 <4o1x5@4o1x5.dev> Date: Wed, 29 May 2024 17:15:20 +0200 Subject: [PATCH] default --- configs/default.nix | 39 +++ configs/docker.nix | 10 + flake.lock | 238 ++++++++++++++++++ flake.nix | 116 +++++++++ hosts/carbon/hardware-configuration.nix | 42 ++++ hosts/carbon/root.nix | 56 +++++ hosts/carbon/services/ai.nix | 18 ++ hosts/carbon/services/firewall.nix | 17 ++ hosts/carbon/services/forgejo.nix | 45 ++++ .../services/monitoring/exporters/node.nix | 8 + .../monitoring/exporters/smartctl.nix | 16 ++ hosts/carbon/services/nginx.nix | 40 +++ hosts/carbon/services/postgresql.nix | 5 + .../services/privacy/anonymousoverflow.nix | 28 +++ hosts/carbon/services/privacy/binternet.nix | 24 ++ hosts/carbon/services/privacy/breezewiki.nix | 25 ++ hosts/carbon/services/privacy/dumb.nix | 25 ++ hosts/carbon/services/privacy/gothub.nix | 37 +++ hosts/carbon/services/privacy/libreddit.nix | 23 ++ hosts/carbon/services/privacy/libremdb.nix | 33 +++ hosts/carbon/services/privacy/librey.nix | 43 ++++ hosts/carbon/services/privacy/piped.nix | 33 +++ hosts/carbon/services/privacy/quetre.nix | 43 ++++ hosts/carbon/services/privacy/rimgo.nix | 51 ++++ hosts/carbon/services/privacy/safetwitch.nix | 55 ++++ hosts/carbon/services/privacy/searxng.nix | 36 +++ hosts/carbon/services/routes/csengo.nix | 29 +++ hosts/carbon/services/routes/hydra.nix | 22 ++ hosts/carbon/services/routes/matrix.nix | 39 +++ hosts/carbon/services/routes/openproject.nix | 24 ++ hosts/carbon/services/routes/owncast.nix | 26 ++ hosts/carbon/services/website/default.nix | 20 ++ hosts/lime/hardware-configuration.nix | 35 +++ hosts/lime/root.nix | 31 +++ hosts/lime/services/ai.nix | 29 +++ hosts/lime/services/ddns-updater.nix | 12 + hosts/lime/services/firewall.nix | 31 +++ hosts/lime/services/loki.nix | 45 ++++ hosts/lime/services/matrix.nix | 43 ++++ .../services/monitoring/exporters/node.nix | 8 + .../monitoring/exporters/smartctl.nix | 18 ++ hosts/lime/services/mumble.nix | 28 +++ 
hosts/lime/services/owncast.nix | 10 + hosts/lime/services/postgresql.nix | 14 ++ hosts/pink/hardware-configuration.nix | 40 +++ hosts/pink/root.nix | 36 +++ hosts/pink/services/dns.nix | 19 ++ hosts/pink/services/endlessh.nix | 17 ++ hosts/pink/services/firewall.nix | 43 ++++ hosts/pink/services/hydra.nix | 19 ++ hosts/pink/services/i2pd.nix | 35 +++ .../services/monitoring/exporters/node.nix | 6 + .../monitoring/exporters/smartctl.nix | 15 ++ hosts/pink/services/monitoring/grafana.nix | 29 +++ hosts/pink/services/monitoring/prometheus.nix | 79 ++++++ root.nix | 62 +++++ secrets/anonymousoverflow.age | 8 + secrets/carbon.nix | 3 + secrets/forgejo-runner.age | 7 + secrets/lime.nix | 5 + secrets/porkbun-user.age | 7 + secrets/porkbun.age | Bin 0 -> 391 bytes secrets/secrets.nix | 18 ++ secrets/synapse.age | 7 + 64 files changed, 2025 insertions(+) create mode 100644 configs/default.nix create mode 100644 configs/docker.nix create mode 100644 flake.lock create mode 100644 flake.nix create mode 100644 hosts/carbon/hardware-configuration.nix create mode 100644 hosts/carbon/root.nix create mode 100644 hosts/carbon/services/ai.nix create mode 100644 hosts/carbon/services/firewall.nix create mode 100644 hosts/carbon/services/forgejo.nix create mode 100644 hosts/carbon/services/monitoring/exporters/node.nix create mode 100644 hosts/carbon/services/monitoring/exporters/smartctl.nix create mode 100644 hosts/carbon/services/nginx.nix create mode 100644 hosts/carbon/services/postgresql.nix create mode 100644 hosts/carbon/services/privacy/anonymousoverflow.nix create mode 100644 hosts/carbon/services/privacy/binternet.nix create mode 100644 hosts/carbon/services/privacy/breezewiki.nix create mode 100644 hosts/carbon/services/privacy/dumb.nix create mode 100644 hosts/carbon/services/privacy/gothub.nix create mode 100644 hosts/carbon/services/privacy/libreddit.nix create mode 100644 hosts/carbon/services/privacy/libremdb.nix create mode 100644 
hosts/carbon/services/privacy/librey.nix create mode 100644 hosts/carbon/services/privacy/piped.nix create mode 100644 hosts/carbon/services/privacy/quetre.nix create mode 100644 hosts/carbon/services/privacy/rimgo.nix create mode 100644 hosts/carbon/services/privacy/safetwitch.nix create mode 100644 hosts/carbon/services/privacy/searxng.nix create mode 100644 hosts/carbon/services/routes/csengo.nix create mode 100644 hosts/carbon/services/routes/hydra.nix create mode 100644 hosts/carbon/services/routes/matrix.nix create mode 100644 hosts/carbon/services/routes/openproject.nix create mode 100644 hosts/carbon/services/routes/owncast.nix create mode 100644 hosts/carbon/services/website/default.nix create mode 100644 hosts/lime/hardware-configuration.nix create mode 100644 hosts/lime/root.nix create mode 100644 hosts/lime/services/ai.nix create mode 100644 hosts/lime/services/ddns-updater.nix create mode 100644 hosts/lime/services/firewall.nix create mode 100644 hosts/lime/services/loki.nix create mode 100644 hosts/lime/services/matrix.nix create mode 100644 hosts/lime/services/monitoring/exporters/node.nix create mode 100644 hosts/lime/services/monitoring/exporters/smartctl.nix create mode 100644 hosts/lime/services/mumble.nix create mode 100644 hosts/lime/services/owncast.nix create mode 100644 hosts/lime/services/postgresql.nix create mode 100644 hosts/pink/hardware-configuration.nix create mode 100644 hosts/pink/root.nix create mode 100644 hosts/pink/services/dns.nix create mode 100644 hosts/pink/services/endlessh.nix create mode 100644 hosts/pink/services/firewall.nix create mode 100644 hosts/pink/services/hydra.nix create mode 100644 hosts/pink/services/i2pd.nix create mode 100644 hosts/pink/services/monitoring/exporters/node.nix create mode 100644 hosts/pink/services/monitoring/exporters/smartctl.nix create mode 100644 hosts/pink/services/monitoring/grafana.nix create mode 100644 hosts/pink/services/monitoring/prometheus.nix create mode 100644 root.nix create 
mode 100644 secrets/anonymousoverflow.age create mode 100644 secrets/carbon.nix create mode 100644 secrets/forgejo-runner.age create mode 100644 secrets/lime.nix create mode 100644 secrets/porkbun-user.age create mode 100644 secrets/porkbun.age create mode 100644 secrets/secrets.nix create mode 100644 secrets/synapse.age
diff --git a/configs/default.nix b/configs/default.nix
new file mode 100644
index 0000000..2e6ac41
--- /dev/null
+++ b/configs/default.nix
@@ -0,0 +1,39 @@
+{ pkgs, ... }: {
+
+ environment.systemPackages = with pkgs; [
+ zip
+ btop
+ unzip
+ neovim
+ w3m
+ git
+ ];
+
+
+ programs.zsh.enable = true;
+ users.users.root.shell = pkgs.zsh;
+
+ home-manager.root.pink = {
+ programs.zsh = {
+ enable = true;
+ shellAliases = {
+ # docker
+ dc = "docker compose";
+ dco = "docker container";
+ dn = "docker network";
+ dv = "docker volume";
+ };
+
+ loginExtra = ''
+ PROMPT="[%M] %~ "
+ '';
+ antidote = {
+ enable = true;
+ plugins = [
+ "marlonrichert/zsh-autocomplete"
+ "zsh-users/zsh-syntax-highlighting"
+ ];
+ };
+ };
+ };
+}
diff --git a/configs/docker.nix b/configs/docker.nix
new file mode 100644
index 0000000..433e622
--- /dev/null
+++ b/configs/docker.nix
@@ -0,0 +1,10 @@
+{ pkgs, ... }: {
+ environment.systemPackages = with pkgs; [
+ docker-compose
+ ];
+ virtualisation.docker = {
+ enable = true;
+ enableOnBoot = false;
+ };
+
+}
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..8c22b7f
--- /dev/null
+++ b/flake.lock
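Review bot: `home-manager.root.pink = { ... }` in configs/default.nix does not match the option namespace home-manager's NixOS module declares (`home-manager.users.<name>`), so as written this block either fails evaluation as an undefined option or never reaches root's zsh configuration — confirm against the module; the intended form looks like `home-manager.users.root = { programs.zsh = { ... }; };`. Nothing in this chunk imports configs/default.nix, so the breakage may be latent. In configs/docker.nix a docker daemon is enabled, but whether the oci-containers declared in later hunks run on it or on podman depends on `virtualisation.oci-containers.backend`, which no hunk sets; a one-line comment stating the intended runtime would help.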
@@ -0,0 +1,238 @@ +{ + "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "systems": "systems" + }, + "locked": { + "lastModified": 1716561646, + "narHash": "sha256-UIGtLO89RxKt7RF2iEgPikSdU53r6v/6WYB0RW3k89I=", + "owner": "ryantm", + "repo": "agenix", + "rev": "c2fc0762bbe8feb06a2e59a364fa81b3a57671c9", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1705309234, + "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703113217, + "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1716729592, + "narHash": "sha256-Y3bOjoh2cFBqZN0Jw1zUdyr7tjygyxl2bD/QY73GZP0=", + "owner": "nix-community", + "repo": "home-manager", + "rev": 
"2c78a57c544dd19b07442350727ced097e1aa6e6", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-23.11", + "repo": "home-manager", + "type": "github" + } + }, + "i2pd-exporter": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1716319699, + "narHash": "sha256-Q4cyjCDMa7QOKiJz6ya1ah0qW14uVNuJX0uQjcUo+oc=", + "ref": "refs/heads/master", + "rev": "5a0eeb2dbb107d3f35b10f10dd64bd3204254ebd", + "revCount": 8, + "type": "git", + "url": "https://git.4o1x5.dev/4o1x5/i2pd-exporter" + }, + "original": { + "type": "git", + "url": "https://git.4o1x5.dev/4o1x5/i2pd-exporter" + } + }, + "microvm": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs" + ], + "spectrum": "spectrum" + }, + "locked": { + "lastModified": 1716754174, + "narHash": "sha256-L2Vni6dGDFWXWwY0rqkQWtZXt+qYQKUZr+Fj+EpI97Q=", + "owner": "astro", + "repo": "microvm.nix", + "rev": "fa4262c3c9197e7d62185858907f2e5acff3258d", + "type": "github" + }, + "original": { + "owner": "astro", + "repo": "microvm.nix", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1703013332, + "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1716633019, + "narHash": "sha256-xim1b5/HZYbWaZKyI7cn9TJCM6ewNVZnesRr00mXeS4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "9d29cd266cebf80234c98dd0b87256b6be0af44e", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "agenix": "agenix", + "home-manager": "home-manager_2", + "i2pd-exporter": "i2pd-exporter", + "microvm": "microvm", + "nixpkgs": "nixpkgs_2" + } + }, + "spectrum": { + 
"flake": false, + "locked": { + "lastModified": 1708358594, + "narHash": "sha256-e71YOotu2FYA67HoC/voJDTFsiPpZNRwmiQb4f94OxQ=", + "ref": "refs/heads/main", + "rev": "6d0e73864d28794cdbd26ab7b37259ab0e1e044c", + "revCount": 614, + "type": "git", + "url": "https://spectrum-os.org/git/spectrum" + }, + "original": { + "type": "git", + "url": "https://spectrum-os.org/git/spectrum" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..f42bccf --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,116 @@
+{
+ description = "4o1x5 infrastructure/homelab";
+
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
+ home-manager = {
+ url = "github:nix-community/home-manager/release-23.11";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ i2pd-exporter = {
+ url = "git+https://git.4o1x5.dev/4o1x5/i2pd-exporter";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ microvm = {
+ url = "github:astro/microvm.nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ agenix.url = "github:ryantm/agenix";
+ };
+
+ outputs =
+ { self
+ , nixpkgs
+ , home-manager
+ , i2pd-exporter
+ , microvm
+ , agenix
+ }:
+ let
+ system = "x86_64-linux";
+ in
+ {
+ nixosConfigurations = {
+
+ pink = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [
+ ./hosts/pink/root.nix
+ ./root.nix
+ i2pd-exporter.nixosModules.default
+ home-manager.nixosModules.home-manager
+ {
+ home-manager.useGlobalPkgs = true;
+ home-manager.useUserPackages = true;
+ }
+
+ ];
+ };
+
+ carbon = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [
+ ./hosts/carbon/root.nix
+ ./root.nix
+ ./secrets/carbon.nix
+ agenix.nixosModules.default
+ home-manager.nixosModules.home-manager
+ {
+ home-manager.useGlobalPkgs = true;
+ home-manager.useUserPackages = true;
+ }
+
+ ({ pkgs, ... }: {
+ ixpkgs.overlays = [
+ (self: super: {
+ inadyn = super.inadyn.overrideAttrs
+ (oldAttrs: rec {
+ src = pkgs.fetchFromGitHub
+ {
+ owner = "troglobit";
+ repo = "inadyn";
+ rev = "7d576c4d00d312597c2b9c06c00529d2dde5ac89";
+ hash = "sha256-EJ9/MZhz/Gjj2RCMRDkwuKRatig/t1wAqQRqOcHA2gc=";
+ };
+ });
+ })
+ ];
+ })
+ ];
+ };
+
+ lime = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [
+ ({ pkgs, ... 
}: {
+ nixpkgs.overlays = [
+ (self: super: {
+ inadyn = super.inadyn.overrideAttrs
+ (oldAttrs: rec {
+ src = pkgs.fetchFromGitHub
+ {
+ owner = "troglobit";
+ repo = "inadyn";
+ rev = "7d576c4d00d312597c2b9c06c00529d2dde5ac89";
+ hash = "sha256-EJ9/MZhz/Gjj2RCMRDkwuKRatig/t1wAqQRqOcHA2gc=";
+ };
+ });
+ })
+ ];
+ })
+ ./hosts/lime/root.nix
+ ./root.nix
+ ./secrets/lime.nix
+ agenix.nixosModules.default
+ home-manager.nixosModules.home-manager
+ {
+ home-manager.useGlobalPkgs = true;
+ home-manager.useUserPackages = true;
+ }
+ ];
+ };
+ };
+ };
+}
diff --git a/hosts/carbon/hardware-configuration.nix b/hosts/carbon/hardware-configuration.nix
new file mode 100644
index 0000000..1a6ac0f
--- /dev/null
+++ b/hosts/carbon/hardware-configuration.nix
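Review bot: The inline module in carbon's `modules` list sets `ixpkgs.overlays` where lime's otherwise identical module sets `nixpkgs.overlays`; an undeclared top-level attribute is rejected by the NixOS module system, so the carbon configuration cannot evaluate as written — change it to `nixpkgs.overlays = [`. The inadyn override (pinned rev plus hash) is duplicated verbatim for carbon and lime; moving it into one module under ./configs/ and importing it from both keeps the pin in a single place to bump. `agenix.url` is the only input without `inputs.nixpkgs.follows = "nixpkgs";`, which is why flake.lock carries a second nixpkgs tree (nixos-unstable) next to nixos-23.11; adding the follows leaves one nixpkgs to audit and update.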
@@ -0,0 +1,42 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { + device = "/dev/disk/by-uuid/f6788d24-084f-497d-a4f0-d42baa139ddf"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { + device = "/dev/disk/by-uuid/E3E1-9724"; + fsType = "vfat"; + }; + + swapDevices = + [{ device = "/dev/disk/by-uuid/332e974a-b0c1-4d39-a6a3-7aacdc4d754d"; }]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/carbon/root.nix b/hosts/carbon/root.nix new file mode 100644 index 0000000..57e8f7d --- /dev/null +++ b/hosts/carbon/root.nix 
@@ -0,0 +1,56 @@
+{ pkgs, ... }: {
+ #
+ imports = [
+ ./hardware-configuration.nix
+
+
+ # other services
+ #./services/matrix.nix
+ ./services/forgejo.nix
+
+ # routes (other servers)
+ ./services/routes/owncast.nix
+ ./services/routes/openproject.nix
+ ./services/routes/hydra.nix
+ ./services/routes/csengo.nix
+ ./services/routes/matrix.nix
+
+ #./services/ai.nix
+
+ # essentials
+ ./services/postgresql.nix
+ ./services/nginx.nix
+ ./services/firewall.nix
+
+ # privacy services
+
+ ./services/privacy/libreddit.nix
+ #./services/privacy/safetwitch.nix
+ #./services/privacy/piped.nix
+ ./services/privacy/breezewiki.nix
+ ./services/privacy/gothub.nix
+ # ./services/privacy/nitter.nix not maintained anymore
+ ./services/privacy/anonymousoverflow.nix
+ ./services/privacy/binternet.nix
+ ./services/privacy/quetre.nix
+ ./services/privacy/rimgo.nix
+ #./services/privacy/libretranslate.nix
+ ./services/privacy/libremdb.nix
+ ./services/privacy/librey.nix
+ ./services/privacy/dumb.nix
+ #./services/privacy/searxng.nix
+
+
+ # monitoring
+ ./services/monitoring/exporters/node.nix
+ ./services/monitoring/exporters/smartctl.nix
+ ];
+ networking.hostName = "carbon";
+ networking.domain = "4o1x5.dev";
+
+ # Bootloader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+
+}
diff --git a/hosts/carbon/services/ai.nix b/hosts/carbon/services/ai.nix
new file mode 100644
index 0000000..a2024f0
--- /dev/null
+++ b/hosts/carbon/services/ai.nix
@@ -0,0 +1,18 @@
+{ pkgs, config, ... }:
+
+let
+ ollamaPort = "4827";
+in
+{
+ services.ollama.listenAddress = "0.0.0.0:${ollamaPort}";
+ services.ollama.environmentVariables = {
+ "CUDA_VISIBLE_DEVICES" = "GPU-cf2321f0-d34b-ec9b-31e9-8c0c69e1444a";
+ OLLAMA_LLM_LIBRARY = "gpu";
+ };
+ services.ollama.enable = true;
+ services.ollama.acceleration = "cuda";
+
+
+}
+
+
diff --git a/hosts/carbon/services/firewall.nix b/hosts/carbon/services/firewall.nix
new file mode 100644
index 0000000..3687d7f
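Review bot: `services.ollama.listenAddress = "0.0.0.0:${ollamaPort}"` binds the unauthenticated ollama API on every interface, and nothing in this commit puts authentication in front of it; a loopback bind, `services.ollama.listenAddress = "127.0.0.1:${ollamaPort}";`, with a reverse proxy only if remote access is actually wanted, is the safer default. The exposure is latent for now: carbon's firewall.nix allows only 80/443 and hosts/carbon/root.nix keeps `#./services/ai.nix` commented out, but the file will be picked up unchanged the day that line is uncommented. A comment next to the bind stating who is meant to reach the API would record the intent.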
--- /dev/null
+++ b/hosts/carbon/services/firewall.nix
@@ -0,0 +1,17 @@
+{ pkgs, ... }: {
+
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [
+
+ 443
+ 80
+ ];
+ allowedUDPPorts = [
+ 443
+ 80
+ ];
+ };
+
+}
+
diff --git a/hosts/carbon/services/forgejo.nix b/hosts/carbon/services/forgejo.nix
new file mode 100644
index 0000000..23976e5
--- /dev/null
+++ b/hosts/carbon/services/forgejo.nix
@@ -0,0 +1,45 @@
+{ pkgs, config, ... }:
+{
+ services.forgejo = {
+ enable = true;
+ settings = {
+ server = {
+ DOMAIN = "git.4o1x5.dev";
+ ROOT_URL = "https://git.${config.networking.domain}/";
+ DISABLE_REGISTRATION = true;
+ DISABLE_SSH = true;
+ };
+ DEFAULT.APP_NAME = "2005's git server";
+ actions.ENABLED = true;
+ };
+ database = {
+ type = "postgres";
+ createDatabase = true;
+ };
+ };
+
+ services.nginx = {
+ virtualHosts = {
+ "git.${config.networking.domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = " http://127.0.0.1:3000";
+ };
+ };
+ };
+ };
+
+ services.gitea-actions-runner.instances = {
+ root = {
+ enable = true;
+ url = "https://git.${config.networking.domain}";
+ tokenFile = config.age.secrets.forgejo-runner.path;
+ labels = [
+ "debian-latest:docker://node:18-bullseye"
+ "ubuntu-latest:docker://node:18-bullseye"
+ ];
+ name = config.networking.domain;
+ };
+ };
+}
diff --git a/hosts/carbon/services/monitoring/exporters/node.nix b/hosts/carbon/services/monitoring/exporters/node.nix
new file mode 100644
index 0000000..5216ed7
--- /dev/null
+++ b/hosts/carbon/services/monitoring/exporters/node.nix
@@ -0,0 +1,8 @@
+{ pkgs, ... }: {
+ services.prometheus.exporters.node = {
+ enable = true;
+ port = 9001;
+ openFirewall = true;
+ enabledCollectors = [ "systemd" ];
+ };
+}
diff --git a/hosts/carbon/services/monitoring/exporters/smartctl.nix b/hosts/carbon/services/monitoring/exporters/smartctl.nix
new file mode 100644
index 0000000..3a17891
--- /dev/null
+++ b/hosts/carbon/services/monitoring/exporters/smartctl.nix
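Review bot: `allowedUDPPorts = [ 443 80 ];` opens two UDP ports that nothing in this commit listens on — the nginx configuration has no HTTP/3/QUIC listener and no service speaks UDP on 80 — so the entries only widen the exposed surface; dropping the `allowedUDPPorts` block, or adding a comment naming the consumer if one exists, would match the TCP-only setup. The blank line inside `allowedTCPPorts = [` looks like a leftover.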
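Review bot: `DISABLE_REGISTRATION = true` is placed under `settings.server`, but Forgejo (like Gitea) reads that key from the `[service]` section, so as written self-registration stays open on a public instance — move it to `service.DISABLE_REGISTRATION = true;` (`DISABLE_SSH` is correctly a `[server]` key). `DOMAIN = "git.4o1x5.dev"` hard-codes what `ROOT_URL`, the vhost and the runner URL derive from `config.networking.domain`; `DOMAIN = "git.${config.networking.domain}";` keeps them from drifting. The leading space in `proxyPass = " http://127.0.0.1:3000"` is tolerated by nginx but recurs in every proxyPass of this commit and is worth trimming. Sourcing the runner token from `config.age.secrets.forgejo-runner.path` is the right pattern for secrets in this tree.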
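Review bot: `openFirewall = true` exposes the node exporter (port 9001, with the `systemd` collector listing unit names) to anyone who can reach carbon, not only to the Prometheus host, and the smartctl hunk that follows does the same for its exporter. Unless scrape access is restricted somewhere not visible in this commit, prefer `listenAddress = "127.0.0.1";` behind an authenticated proxy, or a firewall rule scoped to the scraper's address, over a blanket open port. A comment naming the host that scrapes these exporters would document the intended reachability.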
@@ -0,0 +1,16 @@
+{ pkgs, ... }: {
+ services.prometheus.exporters.smartctl = {
+ enable = true;
+ openFirewall = true;
+ devices = [ "/dev/sda" ];
+ };
+ services.smartd = {
+ enable = true;
+ notifications.wall.enable = true;
+ devices = [
+ {
+ device = "/dev/sda";
+ }
+ ];
+ };
+}
diff --git a/hosts/carbon/services/nginx.nix b/hosts/carbon/services/nginx.nix
new file mode 100644
index 0000000..ffd6028
--- /dev/null
+++ b/hosts/carbon/services/nginx.nix
@@ -0,0 +1,40 @@
+{ pkgs, inputs, config, ... }:
+{
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+
+ "www.${config.networking.domain}" = {
+ forceSSL = true;
+ enableACME = true;
+
+ locations."/" = {
+ root = pkgs.callPackage ../services/website/default.nix { };
+ };
+ };
+
+ "${config.networking.domain}" = {
+ forceSSL = true;
+ enableACME = true;
+
+ locations."/" = {
+ root = pkgs.callPackage ../services/website/default.nix { };
+ };
+ extraConfig = ''
+ error_page 404 /404.html;
+ deny 3.1.202.244;
+ deny 170.64.219.93;
+ deny 91.215.85.43;
+ client_max_body_size 900M;
+ '';
+ };
+ };
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "admin+acme@4o1x5.dev";
+ };
+
+}
+
diff --git a/hosts/carbon/services/postgresql.nix b/hosts/carbon/services/postgresql.nix
new file mode 100644
index 0000000..9e8d890
--- /dev/null
+++ b/hosts/carbon/services/postgresql.nix
@@ -0,0 +1,5 @@
+{ pkgs, ... }: {
+
+ services.postgresql.enable = true;
+
+}
diff --git a/hosts/carbon/services/privacy/anonymousoverflow.nix b/hosts/carbon/services/privacy/anonymousoverflow.nix
new file mode 100644
index 0000000..c7b302a
--- /dev/null
+++ b/hosts/carbon/services/privacy/anonymousoverflow.nix
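Review bot: `pkgs.callPackage ../services/website/default.nix { }` is evaluated once per vhost and its path walks up only to re-enter the same directory; from hosts/carbon/services/nginx.nix `./website/default.nix` is the same file, and binding it once, `let site = pkgs.callPackage ./website/default.nix { }; in`, keeps both vhosts on a single derivation. `client_max_body_size 900M;` on the static root vhost accepts very large request bodies for a site that only serves files; if another consumer of this vhost needs it, a comment should say which, otherwise the line can go. The three `deny` entries carry no reason or date; a comment per entry is what makes such a list maintainable.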
@@ -0,0 +1,28 @@
+{ pkgs, config, ... }: {
+
+ virtualisation.oci-containers.containers = {
+
+ anonymousoverflow = {
+ image = "ghcr.io/httpjamesm/anonymousoverflow:release";
+ ports = [
+ "7344:8080"
+ ];
+ environment = {
+ APP_URL = "https://.anonymousoverflow.4o1x5.dev";
+ # TODO add JTW_SIGNING_KEY to work
+ };
+ };
+ };
+ services.nginx = {
+ virtualHosts = {
+
+ "anonymousoverflow.${config.networking.domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = " http://127.0.0.1:7344";
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/carbon/services/privacy/binternet.nix b/hosts/carbon/services/privacy/binternet.nix
new file mode 100644
index 0000000..6ffc5cf
--- /dev/null
+++ b/hosts/carbon/services/privacy/binternet.nix
@@ -0,0 +1,24 @@
+{ pkgs, config, ... }: {
+
+ virtualisation.oci-containers.containers = {
+ binternet = {
+ image = "ghcr.io/ahwxorg/binternet:latest";
+ ports = [
+ "7382:80"
+ ];
+ };
+ };
+ services.nginx = {
+ virtualHosts = {
+ "binternet.${config.networking.domain}" = {
+ forceSSL = true;
+ enableACME = true;
+
+ locations."/" = {
+ proxyPass = " http://127.0.0.1:7382";
+ };
+ };
+ };
+ };
+
+}
diff --git a/hosts/carbon/services/privacy/breezewiki.nix b/hosts/carbon/services/privacy/breezewiki.nix
new file mode 100644
index 0000000..96e2474
--- /dev/null
+++ b/hosts/carbon/services/privacy/breezewiki.nix
@@ -0,0 +1,25 @@
+{ pkgs, config, ... }: {
+
+ virtualisation.oci-containers.containers = {
+
+ breezewiki = {
+ image = "quay.io/pussthecatorg/breezewiki:latest";
+ ports = [
+ "1584:10416"
+ ];
+ };
+ };
+ services.nginx = {
+ virtualHosts = {
+
+ "breezewiki.${config.networking.domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = " http://127.0.0.1:1584";
+ };
+ };
+ };
+ };
+
+}
diff --git a/hosts/carbon/services/privacy/dumb.nix b/hosts/carbon/services/privacy/dumb.nix
new file mode 100644
index 0000000..9be56b8
--- /dev/null
+++ b/hosts/carbon/services/privacy/dumb.nix
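Review bot: `APP_URL = "https://.anonymousoverflow.4o1x5.dev"` has a stray dot after the scheme and hard-codes the domain the vhost below derives from `config.networking.domain`; `APP_URL = "https://anonymousoverflow.${config.networking.domain}";` fixes both. The TODO for the JWT signing key (spelled `JTW_SIGNING_KEY` in the comment) should not be resolved by adding the key to `environment`, which lands in the generated systemd unit in the world-readable Nix store; the diffstat shows secrets/anonymousoverflow.age already exists, so wire it in through `environmentFiles = [ config.age.secrets.<SECRET_NAME>.path ];` with the variable inside the decrypted file. If the key is deliberately left unset for now, a comment saying what the service does without it would keep the TODO honest.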
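Review bot: `image = "ghcr.io/ahwxorg/binternet:latest"` deploys whatever the registry serves under a mutable tag at pull time, so the code that runs on carbon is not fixed by this commit; the same holds for the `:latest` images in the breezewiki, dumb, gothub, libremdb, librey, quetre, rimgo, safetwitch and searxng hunks and for anonymousoverflow's `:release`. Pinning by digest, `image = "ghcr.io/ahwxorg/binternet@sha256:<DIGEST>";` with the digest read from the registry at pin time, makes every update an explicit, reviewable change. Separately, `"7382:80"` publishes the port on all host interfaces; the firewall does not open it, but `"127.0.0.1:7382:80"` keeps the bind local so the nginx vhost is the only way in, and the same applies to every `ports` entry in this commit.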
@@ -0,0 +1,25 @@
+{ pkgs, config, ... }: {
+
+ virtualisation.oci-containers.containers = {
+ dumb = {
+ image = "ghcr.io/rramiachraf/dumb:latest";
+ ports = [
+ "8332:5555"
+ ];
+ };
+ };
+
+ services.nginx = {
+ virtualHosts = {
+ "dumb.${config.networking.domain}" =
+ {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = " http://127.0.0.1:8332";
+ };
+ };
+ };
+ };
+}
+
diff --git a/hosts/carbon/services/privacy/gothub.nix b/hosts/carbon/services/privacy/gothub.nix
new file mode 100644
index 0000000..0a5878a
--- /dev/null
+++ b/hosts/carbon/services/privacy/gothub.nix
@@ -0,0 +1,37 @@
+{ pkgs, config, ... }: {
+
+ virtualisation.oci-containers.containers = {
+
+ gothub = {
+ image = "codeberg.org/gothub/gothub:latest";
+ ports = [
+ "4032:3000"
+ ];
+ environment = {
+ DOCKER = "true";
+ GOTHUB_SETUP_COMPLETE = "true";
+ GOTHUB_PROXYING_ENABLED = "true";
+ GOTHUB_IP_LOGGED = "false";
+ GOTHUB_REQUEST_URL_LOGGED = "true";
+ GOTHUB_USER_AGENT_LOGGED = "true";
+ GOTHUB_DIAGNOSTIC_INFO_LOGGED = "false";
+ GOTHUB_INSTANCE_PRIVACY_POLICY = "https://4o1x5.dev/privacy-policy";
+ GOTHUB_INSTANCE_COUNTRY = "Hungary";
+ GOTHUB_INSTANCE_PROVIDER = "Telekom";
+ GOTHUB_INSTANCE_CLOUDFLARE = "false";
+ };
+ };
+ };
+ services.nginx = {
+ virtualHosts = {
+ "gothub.${config.networking.domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = " http://127.0.0.1:4032";
+ };
+ };
+ };
+ };
+
+}
diff --git a/hosts/carbon/services/privacy/libreddit.nix b/hosts/carbon/services/privacy/libreddit.nix
new file mode 100644
index 0000000..568a75c
--- /dev/null
+++ b/hosts/carbon/services/privacy/libreddit.nix
@@ -0,0 +1,23 @@
+{ pkgs, config, ... }: {
+
+
+ services.libreddit = {
+ enable = true;
+ address = "127.0.0.1";
+ port = 3672;
+ };
+
+ services.nginx = {
+ virtualHosts = {
+ # Privacy services
+ "libreddit.${config.networking.domain}" = {
+ forceSSL = true;
+ enableACME = true;
+
+ locations."/" = {
+ proxyPass = " http://127.0.0.1:3672";
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/carbon/services/privacy/libremdb.nix b/hosts/carbon/services/privacy/libremdb.nix
new file mode 100644
index 0000000..e441fbb
--- /dev/null
+++ b/hosts/carbon/services/privacy/libremdb.nix
@@ -0,0 +1,33 @@
+{ pkgs, config, ... }: {
+
+ virtualisation.oci-containers.containers = {
+
+ libremdb = {
+ image = "quay.io/pussthecatorg/libremdb:latest";
+ ports = [
+ "7345:3000"
+ ];
+ environment = {
+ NEXT_PUBLIC_URL = "https://libremdb.${config.networking.domain}";
+ AXIOS_USER_AGENT = "Mozilla/5.0 (X11; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0";
+ AXIOS_ACCEPT = "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8";
+ NEXT_TELEMETRY_DISABLED = "1";
+ USE_REDIS = "false";
+ NEXT_PUBLIC_INSTANCE_NAME = "libremdb.${config.networking.domain}";
+ };
+ };
+ };
+
+
+ services.nginx = {
+ virtualHosts = {
+ "libremdb.${config.networking.domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = " http://127.0.0.1:7345";
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/carbon/services/privacy/librey.nix b/hosts/carbon/services/privacy/librey.nix
new file mode 100644
index 0000000..35f5229
--- /dev/null
+++ b/hosts/carbon/services/privacy/librey.nix
@@ -0,0 +1,43 @@
+{ pkgs, config, ... }: {
+
+ virtualisation.oci-containers.containers = {
+
+ librey = {
+ image = "ghcr.io/ahwxorg/librey:latest";
+ ports = [
+ "3345:8080"
+ ];
+ environment = {
+ CONFIG_GOOGLE_DOMAIN = "com";
+ CONFIG_LANGUAGE = "en";
+ CONFIG_NUMBER_OF_RESULTS = "10";
+ CONFIG_INVIDIOUS_INSTANCE = "https://yt.ahwx.org";
+ CONFIG_DISABLE_BITTORRENT_SEARCH = "false";
+ CONFIG_HIDDEN_SERVICE_SEARCH = "true";
+ CONFIG_INSTANCE_FALLBACK = "true";
+ CONFIG_RATE_LIMIT_COOLDOWN = "25";
+ CONFIG_CACHE_TIME = "20";
+ CONFIG_DISABLE_API = "false";
+ CONFIG_TEXT_SEARCH_ENGINE = "auto";
+ CURLOPT_PROXY_ENABLED = "false";
+ CURLOPT_PROXY = "192.0.2.53:8388";
+ CURLOPT_PROXYTYPE = "CURLPROXY_HTTP";
+ CURLOPT_USERAGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:116.0) Gecko/20100101 Firefox/116.0";
+ CURLOPT_FOLLOWLOCATION = "true";
+ };
+ };
+ };
+
+
+ services.nginx = {
+ virtualHosts = {
+ "librey.${config.networking.domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = " http://127.0.0.1:3345";
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/carbon/services/privacy/piped.nix b/hosts/carbon/services/privacy/piped.nix
new file mode 100644
index 0000000..ed482ed
--- /dev/null
+++ b/hosts/carbon/services/privacy/piped.nix
@@ -0,0 +1,33 @@
+{ pkgs, config, ... }: {
+
+ # TODO fix
+ services.piped = {
+ enable = true;
+
+ domain = "piped.${config.networking.domain}";
+ backend = {
+ port = 5632;
+ database = {
+ # TODO fix
+ #TODO SECRET
+ host = "127.0.0.1";
+ username = "piped-backend";
+ passwordFile = ./piped;
+ database = "piped-backend";
+
+ createLocally = false;
+ };
+ };
+ };
+ services.postgresql = {
+ enable = true;
+ enableTCPIP = true;
+ ensureDatabases = [ "piped-backend" ];
+ ensureUsers = [
+ {
+ name = "piped-backend";
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+}
diff --git a/hosts/carbon/services/privacy/quetre.nix b/hosts/carbon/services/privacy/quetre.nix
new file mode 100644
index 0000000..3f3c83e
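Review bot: `passwordFile = ./piped;` is a Nix path literal, so when the module coerces it to a string the file is copied into the world-readable /nix/store, and no `piped` file is part of this commit (it is absent from the diffstat), so evaluation would fail before that anyway. The forgejo hunk already shows the pattern to use: `passwordFile = config.age.secrets.<SECRET_NAME>.path;` with the secret declared in secrets/secrets.nix. `createLocally = false` together with `services.postgresql.enableTCPIP = true` means the backend authenticates over TCP with that password; the `# TODO fix` and `#TODO SECRET` markers suggest this is unfinished, and hosts/carbon/root.nix keeps piped.nix commented out, so the defect is latent until that import is enabled.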
--- /dev/null
+++ b/hosts/carbon/services/privacy/quetre.nix
@@ -0,0 +1,43 @@
+{ pkgs, config, ... }: {
+
+ virtualisation.oci-containers.containers = {
+ quetre = {
+ image = "quay.io/pussthecatorg/quetre:latest";
+ extraOptions = [
+ "--network=host"
+ ];
+ environment = {
+ NODE_ENV = "production";
+ PORT = "2355";
+ CACHE_PERIOD = "24h";
+
+ REDIS_URL = "localhost:3442";
+ REDIS_TTL = "3600";
+ };
+ };
+
+ };
+ services.redis.servers = {
+ quetre = {
+ port = 3442;
+ enable = true;
+ };
+ };
+
+ services.nginx = {
+
+ virtualHosts = {
+ "quetre.${config.networking.domain}" =
+ {
+ forceSSL = true;
+ enableACME = true;
+
+ locations."/" = {
+ proxyPass = " http://127.0.0.1:2355";
+ };
+ };
+ };
+ };
+
+}
+
diff --git a/hosts/carbon/services/privacy/rimgo.nix b/hosts/carbon/services/privacy/rimgo.nix
new file mode 100644
index 0000000..7d0b91c
--- /dev/null
+++ b/hosts/carbon/services/privacy/rimgo.nix
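Review bot: `extraOptions = [ "--network=host" ]` removes the container's network namespace, so quetre shares every socket on carbon — the other containers' published ports, the exporters, the redis instance — rather than only what is mapped; if host networking exists only so `REDIS_URL = "localhost:3442"` resolves, a `ports = [ "127.0.0.1:2355:2355" ];` mapping plus a redis reachable from the container network (or a unix socket bind-mounted in) keeps the isolation. The redis server here listens on TCP 3442, and the searxng hunk later in this commit configures a second redis on the same port, which will clash if both files are imported. A short comment on why host networking was chosen would help whoever revisits this.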
@@ -0,0 +1,51 @@
+{ pkgs, config, ... }: {
+
+ virtualisation.oci-containers.containers = {
+
+ rimgo = {
+ image = "codeberg.org/rimgo/rimgo:latest";
+ ports = [
+ "4312:3000"
+ ];
+ environment = {
+ ADDRESS = "0.0.0.0";
+ PORT = "3000";
+ FIBER_PREFORK = "false";
+
+ # Link to a privacy policy (optional)
+ PRIVACY_POLICY = "https://4o1x5.dev/privacy-policy";
+ # Explain how this data is used/why it is collected (optional)
+ PRIVACY_MESSAGE = "Read my privacy policy on my website";
+ # Country where instance is located. Leave blank if running on Tor without clearnet.
+ PRIVACY_COUNTRY = "HU";
+ # Hosting provider or ISP name. Leave blank if running on Tor without clearnet.
+ PRIVACY_PROVIDER = "Telekom";
+ # Set to true if you use Cloudflare (using Cloudflare only as DNS (gray cloud icon), set to false)
+ PRIVACY_CLOUDFLARE = "false";
+ PRIVACY_NOT_COLLECTED = "false";
+
+ # IP address
+ PRIVACY_IP = "true";
+ # Request URL
+ PRIVACY_URL = "true";
+ # Device Type (User agent)
+ PRIVACY_DEVICE = "false";
+
+ PRIVACY_DIAGNOSTICS = "false";
+ };
+ };
+ };
+
+
+ services.nginx = {
+ virtualHosts = {
+ "rimgo.${config.networking.domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = " http://127.0.0.1:4312";
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/carbon/services/privacy/safetwitch.nix b/hosts/carbon/services/privacy/safetwitch.nix
new file mode 100644
index 0000000..6aa7455
--- /dev/null
+++ b/hosts/carbon/services/privacy/safetwitch.nix
@@ -0,0 +1,55 @@
+{ pkgs, config, ... }:
+{
+ virtualisation.oci-containers.containers = {
+ # TODO fix routing
+
+ safe-twitch-frontend = {
+ image = "codeberg.org/safetwitch/safetwitch:latest";
+ ports = [
+ "8280:8280"
+ ];
+ environment = {
+ SAFETWITCH_BACKEND_DOMAIN = "sf.${config.networking.domain}";
+ SAFETWITCH_INSTANCE_DOMAIN = "safetwitch.${config.networking.domain}";
+ SAFETWITCH_HTTPS = "true";
+ SAFETWITCH_DEFAULT_LOCALE = "en";
+ SAFETWITCH_FALLBACK_LOCALE = "en";
+ };
+ };
+ safetwitch-backend = {
+ image = "codeberg.org/safetwitch/safetwitch-backend:latest";
+ ports = [
+ "7100:7100"
+ ];
+ environment = {
+ URL = "sf.${config.networking.domain}";
+ PORT = "7100";
+ };
+ };
+ };
+ services.nginx = {
+
+ virtualHosts = {
+ "safetwitch.${config.networking.domain}" =
+ {
+ forceSSL = true;
+ enableACME = true;
+
+ locations."/" = {
+ proxyPass = " http://127.0.0.1:8280";
+ };
+ };
+ "sf.${config.networking.domain}" = {
+ forceSSL = true;
+ enableACME = true;
+
+ locations."/" = {
+ proxyPass = " http://127.0.0.1:7100";
+ };
+
+ };
+ };
+ };
+
+
+}
diff --git a/hosts/carbon/services/privacy/searxng.nix b/hosts/carbon/services/privacy/searxng.nix
new file mode 100644
index 0000000..251b4c8
--- /dev/null
+++ b/hosts/carbon/services/privacy/searxng.nix
@@ -0,0 +1,36 @@
+{ pkgs, config, ... }: {
+
+ virtualisation.oci-containers.containers = {
+
+ searxng = {
+ image = "docker.io/searxng/searxng:latest";
+ ports = [
+ "3345:3000"
+ ];
+ # TODO implement limiter
+ #volumes = [
+ # "/home/carbon/searxng.yml:/etc/searxng:rw"
+ #];
+
+ };
+ };
+
+ services.redis.servers = {
+ searxng = {
+ port = 3442;
+ enable = true;
+ };
+ };
+
+ services.nginx = {
+ virtualHosts = {
+ "librey.${config.networking.domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = " http://127.0.0.1:3345";
+ };
+ };
+ };
+ };
+}
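Review bot: `services.redis.servers.searxng.port = 3442` collides with the quetre redis instance, which quetre.nix in this same commit also pins to 3442 on carbon, so whichever instance starts second will fail to bind; give searxng its own port or a unix socket, and note that nothing in the searxng container actually references this redis server. The virtual host is named `"librey.${config.networking.domain}"` rather than `searxng.…`, which looks like a copy-paste from librey.nix; if librey.nix defines the same vhost's `locations."/"`, evaluation will fail on the conflicting `proxyPass` definitions, and if it does not, searxng silently takes over the librey hostname.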
diff --git a/hosts/carbon/services/routes/csengo.nix b/hosts/carbon/services/routes/csengo.nix
new file mode 100644
index 0000000..5cfe2f7
--- /dev/null
+++ b/hosts/carbon/services/routes/csengo.nix
@@ -0,0 +1,29 @@
+{ pkgs, config, ... }: {
+
+ services.nginx = {
+ virtualHosts = {
+ "csengo.${config.networking.domain}" =
+ {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = " http://32.54.31.99:8422";
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ '';
+ };
+
+ locations."/api" = {
+ proxyPass = " http://32.54.31.99:5333";
+ extraConfig = ''
+ rewrite /api/(.*) /$1 break;
+ '';
+ };
+
+ };
+ };
+ };
+}
diff --git a/hosts/carbon/services/routes/hydra.nix b/hosts/carbon/services/routes/hydra.nix
new file mode 100644
index 0000000..fd9dadd
--- /dev/null
+++ b/hosts/carbon/services/routes/hydra.nix
@@ -0,0 +1,22 @@
+{ pkgs, config, ... }: {
+
+ services.nginx = {
+ virtualHosts = {
+ "hydra.${config.networking.domain}" =
+ {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = " http://32.54.31.99:6732";
+ };
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ '';
+ };
+ };
+ };
+
+}
diff --git a/hosts/carbon/services/routes/matrix.nix b/hosts/carbon/services/routes/matrix.nix
new file mode 100644
index 0000000..9c70ec7
--- /dev/null
+++ b/hosts/carbon/services/routes/matrix.nix
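Review bot: both `proxyPass` targets here (`http://32.54.31.99:8422` and `:5333`) are plain HTTP to another host, so TLS terminates on carbon and the hop to the backend crosses the network in the clear; unless 32.54.31.0/24 is a private link, carry that hop over a tunnel or enable TLS on the backend. pink's firewall.nix in this commit also opens 8422 and 5333 to any source, so clients can bypass this vhost and the headers it sets; restricting those ports to carbon's address would keep the proxy authoritative. The same plaintext-hop pattern appears in hydra.nix (`:6732`), matrix.nix (`:8008`), openproject.nix (`:8080`) and owncast.nix (`:3413`). Minor: the rewrite regex is unanchored, `rewrite ^/api/(.*) /$1 break;` is what is meant.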
@@ -0,0 +1,39 @@
+{ pkgs, config, ... }:
+let
+ fqdn = "${config.networking.domain}";
+ baseUrl = "https://${fqdn}";
+ clientConfig."m.homeserver".base_url = "https://matrix.${fqdn}";
+ serverConfig."m.server" = "${fqdn}:443";
+ mkWellKnown = data: ''
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+ return 200 '${builtins.toJSON data}';
+ '';
+
+in
+{
+
+ services.nginx = {
+ virtualHosts = {
+ "matrix.${config.networking.domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = " http://32.54.31.241:8008";
+
+ };
+ extraConfig = ''
+ client_max_body_size 9000M;
+ '';
+ };
+ "${fqdn}" = {
+
+ # well known paths for matrix
+ locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+ locations."/_matrix".proxyPass = "http://32.54.31.241:8008";
+ locations."/_synapse".proxyPass = "http://32.54.31.241:8008";
+ locations."= /.well-known/matrix/client" .extraConfig = mkWellKnown clientConfig;
+ };
+ };
+ };
+}
diff --git a/hosts/carbon/services/routes/openproject.nix b/hosts/carbon/services/routes/openproject.nix
new file mode 100644
index 0000000..e9c6f58
--- /dev/null
+++ b/hosts/carbon/services/routes/openproject.nix
@@ -0,0 +1,24 @@
+{ pkgs, config, ... }: {
+
+ services.nginx = {
+ virtualHosts = {
+ "openproject.${config.networking.domain}" =
+ {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = " http://32.54.31.99:8080";
+ };
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ '';
+ };
+ };
+ };
+
+}
diff --git a/hosts/carbon/services/routes/owncast.nix b/hosts/carbon/services/routes/owncast.nix
new file mode 100644
index 0000000..7513c61
--- /dev/null
+++ b/hosts/carbon/services/routes/owncast.nix
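Review bot: `locations."/_synapse".proxyPass` forwards the whole `/_synapse` prefix, which includes the admin API under `/_synapse/admin`; Synapse's reverse-proxy guidance is to expose only `/_synapse/client` publicly, so narrow it to `locations."/_synapse/client".proxyPass = "http://32.54.31.241:8008";`. Also `client_max_body_size 9000M` is set only on the `matrix.` vhost, while the `/_matrix` location on `${fqdn}` keeps nginx's default 1M, so media uploads going through the bare domain will be rejected long before synapse's `max_upload_size` matters. `baseUrl` in the `let` block is unused and can go.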
@@ -0,0 +1,26 @@
+{ pkgs, config, ... }: {
+
+ services.nginx = {
+ virtualHosts = {
+ "live.${config.networking.domain}" =
+ {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = " http://32.54.31.241:3413";
+ };
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ '';
+ };
+ };
+ };
+}
diff --git a/hosts/carbon/services/website/default.nix b/hosts/carbon/services/website/default.nix
new file mode 100644
index 0000000..d6e7403
--- /dev/null
+++ b/hosts/carbon/services/website/default.nix
@@ -0,0 +1,20 @@
+{ pkgs }:
+
+pkgs.stdenv.mkDerivation rec {
+ name = "website";
+ version = "0.1.25";
+ src = /home/grape/code/4o1x5/website;
+
+ buildInputs = [ pkgs.hugo ];
+ dontConfigure = true;
+
+ buildPhase = ''
+ cp -r $src/* .
+ ${pkgs.hugo}/bin/hugo
+ '';
+
+ installPhase = ''
+ mkdir -p $out
+ cp -r public/* $out/
+ '';
+}
diff --git a/hosts/lime/hardware-configuration.nix b/hosts/lime/hardware-configuration.nix
new file mode 100644
index 0000000..75776e8
--- /dev/null
+++ b/hosts/lime/hardware-configuration.nix
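Review bot: `src = /home/grape/code/4o1x5/website;` in website/default.nix is an absolute path into one developer's home directory, so the derivation only evaluates on that machine and, under a flake's pure evaluation, not at all; the site source should be a flake input or a path relative to this repository. `version = "0.1.25"` is never used (it is not part of `name`), so the `rec` is unnecessary and bumping it changes nothing — either fold it in as `name = "website-${version}";` or drop it.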
@@ -0,0 +1,35 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usb_storage" "sd_mod" "sr_mod" "sdhci_pci" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/16777af0-cb7b-470c-a172-d1761e6a8a12";
+ fsType = "ext4";
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-uuid/57420b12-9218-4110-9fb2-22ca3171f6a0"; }
+ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eno0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/lime/root.nix b/hosts/lime/root.nix
new file mode 100644
index 0000000..3123821
--- /dev/null
+++ b/hosts/lime/root.nix
@@ -0,0 +1,31 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ./hardware-configuration.nix
+
+ ./services/firewall.nix
+ #./services/loki.nix
+
+ ./services/mumble.nix
+ #./services/ddns-updater.nix
+ #./services/ai.nix
+
+ ./services/postgresql.nix
+ ./services/matrix.nix
+ ./services/owncast.nix
+
+ # monitoring
+ ./services/monitoring/exporters/node.nix
+ ./services/monitoring/exporters/smartctl.nix
+
+ ];
+
+ boot.loader.grub.enable = true;
+ boot.loader.grub.device = "/dev/sda";
+ boot.loader.grub.useOSProber = true;
+ networking.hostName = "lime";
+ networking.domain = "4o1x5.dev";
+
+
+}
diff --git a/hosts/lime/services/ai.nix b/hosts/lime/services/ai.nix
new file mode 100644
index 0000000..5933a5e
--- /dev/null
+++ b/hosts/lime/services/ai.nix
@@ -0,0 +1,29 @@
+{ pkgs, ... }: {
+
+ environment.systemPackages = with pkgs; [
+ ollama
+ ];
+
+
+ services.ollama.listenAddress = "0.0.0.0:4827";
+ services.ollama.environmentVariables = {
+ #"CUDA_VISIBLE_DEVICES" = "GPU-cf2321f0-d34b-ec9b-31e9-8c0c69e1444a";
+ OLLAMA_LLM_LIBRARY = "gpu";
+ };
+ services.ollama.enable = true;
+ #services.ollama.acceleration = "cuda";
+
+
+ # virtualisation.oci-containers.containers = {
+
+ # webui = {
+ # image = "ghcr.io/ollama-webui/ollama-webui:main";
+ # ports = [
+ # "5121:8080"
+ # ];
+ # volumes = [
+ # "/home/carbon/ollamawebui:/app/backend/data"
+ # ];
+ # };
+ # };
+}
diff --git a/hosts/lime/services/ddns-updater.nix b/hosts/lime/services/ddns-updater.nix
new file mode 100644
index 0000000..737ed46
--- /dev/null
+++ b/hosts/lime/services/ddns-updater.nix
@@ -0,0 +1,12 @@
+{ pkgs, config, ... }: {
+
+ services.inadyn = {
+ enable = true;
+ # TODO fix
+ settings.provider.porkbun = {
+ username = config.age.secrets.porkbun-user.path;
+ password = config.age.secrets.porkbun.path;
+ ssl = true;
+ };
+ };
+}
diff --git a/hosts/lime/services/firewall.nix b/hosts/lime/services/firewall.nix
new file mode 100644
index 0000000..f849f76
--- /dev/null
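Review bot: `services.ollama.listenAddress = "0.0.0.0:4827"` in ai.nix exposes the unauthenticated ollama API on every interface, and lime's firewall.nix in this same commit has `enable = false`, so once `./services/ai.nix` is uncommented in lime's root.nix anyone who can reach lime can pull models and run inference on it; bind it to `127.0.0.1:4827` (or a tunnel address) and proxy it, or at minimum enable the firewall first. `OLLAMA_LLM_LIBRARY = "gpu"` is set while `services.ollama.acceleration` is commented out, which looks inconsistent — a one-line comment on which is intended would help.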
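Review bot: `username = config.age.secrets.porkbun-user.path` and `password = config.age.secrets.porkbun.path` in ddns-updater.nix put the secret *paths* (strings such as the agenix runtime path, not the file contents) into the inadyn config, so the provider would receive the path as the credential — and if the contents were interpolated instead they would land in the world-readable Nix store. The `# TODO fix` acknowledges it; the usual fix is to keep credentials out of `settings` and have the service read a root-only config file that agenix writes at activation, so the secret is never part of evaluation.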
+++ b/hosts/lime/services/firewall.nix
@@ -0,0 +1,31 @@
+{ pkgs, ... }: {
+
+ networking.firewall = {
+ enable = false;
+ allowedTCPPorts = [
+ 25565
+ 22
+ 222
+ 4827
+ 2222
+ 9001
+ 1141
+ # matrix
+ 8008
+ ];
+ allowedUDPPorts = [
+ 25565
+ 22
+ 222
+ 2222
+ 4827
+ 1141
+ 5121 # olama
+ 9001
+
+ # matrix
+ 8008
+ ];
+ };
+
+}
diff --git a/hosts/lime/services/loki.nix b/hosts/lime/services/loki.nix
new file mode 100644
index 0000000..4e6043f
--- /dev/null
+++ b/hosts/lime/services/loki.nix
@@ -0,0 +1,45 @@
+{ pkgs, ... }: {
+ #
+ services.loki = {
+ enable = false;
+ configuration = {
+ auth_enabled = false;
+ server = {
+ http_listen_port = 3100;
+ };
+ ingester = {
+ lifecycler = {
+ address = "0.0.0.0";
+ ring = {
+ kvstore.store = "inmemory";
+ replication_factor = 1;
+ };
+ };
+ chunk_idle_period = "15m";
+ };
+ schema_config.configs = [
+ {
+ from = "2020-02-25";
+ store = "boltdb";
+ object_store = "filesystem";
+ schema = "v11";
+ index = {
+ prefix = "index_";
+ period = "24h";
+ };
+ }
+ ];
+
+ storage_config = {
+ boltdb.directory = "/tmp/loki/index";
+ };
+ limits_config = {
+ enforce_metric_name = false;
+ reject_old_samples = true;
+ reject_old_samples_max_age = "500h";
+ };
+ chunk_store_config.max_look_back_period = "0s";
+
+ };
+ };
+}
diff --git a/hosts/lime/services/matrix.nix b/hosts/lime/services/matrix.nix
new file mode 100644
index 0000000..35cfe0c
--- /dev/null
+++ b/hosts/lime/services/matrix.nix
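Review bot: `networking.firewall.enable = false` switches the firewall off entirely, so the `allowedTCPPorts`/`allowedUDPPorts` lists below are dead configuration and every service on lime that binds 0.0.0.0 (synapse on 8008, owncast on 3413, the exporters, ollama on 4827 if enabled) is reachable from wherever lime is reachable. Set `enable = true;` and let the lists do their job. While at it: 22, 222, 2222 and 8008 are TCP services and need no UDP entries, and `5121 # olama` refers to the webui that is commented out in ai.nix.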
@@ -0,0 +1,43 @@
+{ pkgs, config, ... }:
+let
+ baseUrl = "https://${config.networking.domain}";
+in
+{
+ services.matrix-synapse = {
+ enable = true;
+ settings = {
+
+ server_name = config.networking.domain;
+ public_baseurl = baseUrl;
+ enable_registration = false;
+
+ trusted_key_servers = [{ server_name = "matrix.org"; }
+ {
+ server_name = "tchncs.de";
+ }];
+ suppress_key_server_warning = true;
+ enable_registration_without_verification = true;
+ max_upload_size = "9861M";
+ listeners = [
+ {
+ port = 8008;
+ bind_addresses = [ "0.0.0.0" ];
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [{
+ names = [ "client" "federation" ];
+ compress = true;
+ }];
+ }
+ ];
+ server_notices = {
+ system_mxid_localpart = "server";
+ system_mxid_display_name = "Server Notices";
+ room_name = "Server Notices";
+ room_topic = "Notices about 4o1x5.dev";
+ auto_join = true;
+ };
+ };
+ };
+}
diff --git a/hosts/lime/services/monitoring/exporters/node.nix b/hosts/lime/services/monitoring/exporters/node.nix
new file mode 100644
index 0000000..5216ed7
--- /dev/null
+++ b/hosts/lime/services/monitoring/exporters/node.nix
@@ -0,0 +1,8 @@
+{ pkgs, ... }: {
+ services.prometheus.exporters.node = {
+ enable = true;
+ port = 9001;
+ openFirewall = true;
+ enabledCollectors = [ "systemd" ];
+ };
+}
diff --git a/hosts/lime/services/monitoring/exporters/smartctl.nix b/hosts/lime/services/monitoring/exporters/smartctl.nix
new file mode 100644
index 0000000..a9891b6
--- /dev/null
+++ b/hosts/lime/services/monitoring/exporters/smartctl.nix
@@ -0,0 +1,18 @@
+{ pkgs, ... }: {
+ services.prometheus.exporters.smartctl = {
+ enable = true;
+ openFirewall = true;
+ devices = [ "/dev/sda" ];
+ };
+
+ services.smartd = {
+ enable = true;
+ notifications.wall.enable = true;
+ devices = [
+ {
+ device = "/dev/sda";
+ }
+ ];
+ };
+
+}
diff --git a/hosts/lime/services/mumble.nix b/hosts/lime/services/mumble.nix
new file mode 100644
index 0000000..1badc75
--- /dev/null
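Review bot: the synapse listener binds `0.0.0.0` on 8008 with `tls = false` and `x_forwarded = true`, and with lime's firewall disabled (firewall.nix, this commit) anyone can reach it directly and supply their own `X-Forwarded-For`, so rate limiting and IP logging trust a client-chosen address; bind the listener to the address carbon proxies from, or restrict 8008 to carbon (`32.54.31.180` per prometheus.nix) once the firewall is on. `enable_registration_without_verification = true` has no effect while `enable_registration = false`, but leaving it in means a later flip of registration silently opens unverified signups — drop it. A one-line comment on why `tchncs.de` is a trusted key server would also help the next reader.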
+++ b/hosts/lime/services/mumble.nix
@@ -0,0 +1,28 @@
+{ pkgs, ... }: {
+ #
+ services.murmur = {
+ enable = true;
+ openFirewall = true;
+ bandwidth = 1300000;
+ welcometext = ''Welcome to 4o1x5.dev server
Enjoy your stay.
'';
+ };
+
+ # Musicbot
+ services.botamusique.enable = true;
+ services.botamusique.settings = {
+ server = {
+ certificate = "/etc/botamusique.pem";
+ };
+ bot = {
+ channel = "/music";
+ name = "Zenebona";
+ comment = "szia";
+ admin = "penge;dmk";
+ stereo = true;
+ when_nobody_in_channel = "pause_resume";
+ bitrate = 1300000;
+ };
+
+ commands.command_symbol = ".:@:;:4:!:1";
+ };
+}
diff --git a/hosts/lime/services/owncast.nix b/hosts/lime/services/owncast.nix
new file mode 100644
index 0000000..ffe362b
--- /dev/null
+++ b/hosts/lime/services/owncast.nix
@@ -0,0 +1,10 @@
+{ pkgs, ... }: {
+
+
+ services.owncast = {
+ enable = true;
+ openFirewall = true;
+ listen = "0.0.0.0";
+ port = 3413;
+ };
+}
diff --git a/hosts/lime/services/postgresql.nix b/hosts/lime/services/postgresql.nix
new file mode 100644
index 0000000..dad9ca4
--- /dev/null
+++ b/hosts/lime/services/postgresql.nix
@@ -0,0 +1,14 @@
+{ pkgs, ... }: {
+
+ services.postgresql.enable = true;
+ services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
+ CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+
+ CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+ TEMPLATE template0
+ LC_COLLATE = "C"
+ LC_CTYPE = "C";
+ '';
+
+
+}
diff --git a/hosts/pink/hardware-configuration.nix b/hosts/pink/hardware-configuration.nix
new file mode 100644
index 0000000..20b7be1
--- /dev/null
+++ b/hosts/pink/hardware-configuration.nix
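Review bot: `CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'` in postgresql.nix writes a literal password into `initialScript`, which becomes a world-readable file in the Nix store. If synapse connects over the local unix socket with peer auth (the NixOS default, and `enableTCPIP` is left off here) the password is never used and the `PASSWORD` clause can simply be removed; if it is needed, `secrets/synapse.age` in this commit looks like where it should come from, but its recipients in secrets.nix do not include lime's host key.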
@@ -0,0 +1,40 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ {
+ device = "/dev/disk/by-uuid/c5780502-0721-40d7-a41a-477120247835";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ {
+ device = "/dev/disk/by-uuid/1DF7-6D92";
+ fsType = "vfat";
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/pink/root.nix b/hosts/pink/root.nix
new file mode 100644
index 0000000..4183636
--- /dev/null
+++ b/hosts/pink/root.nix
@@ -0,0 +1,36 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ./hardware-configuration.nix
+
+ # SERVICES
+ ./services/firewall.nix
+ ./services/dns.nix
+ ./services/endlessh.nix
+ ./services/i2pd.nix
+ ./services/hydra.nix
+
+
+ # monitoring
+ ./services/monitoring/prometheus.nix
+ ./services/monitoring/grafana.nix
+ ./services/monitoring/exporters/node.nix
+ ./services/monitoring/exporters/smartctl.nix
+
+ ];
+ # Bootloader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "pink";
+ networking.domain = "stuff.local";
+
+ users.users.pink = {
+ isNormalUser = true;
+ description = "pink";
+ extraGroups = [ "networkmanager" "wheel" ];
+ packages = with pkgs; [ ];
+ };
+
+}
diff --git a/hosts/pink/services/dns.nix b/hosts/pink/services/dns.nix
new file mode 100644
index 0000000..23ffda3
--- /dev/null
+++ b/hosts/pink/services/dns.nix
@@ -0,0 +1,19 @@
+{ pkgs, config, ... }: {
+
+
+ services.adguardhome = {
+ enable = true;
+ openFirewall = true;
+ settings = {
+ #bind_port = 4000;
+ upstream_dns = [
+ "194.242.2.2"
+ "9.9.9.9"
+ "1.1.1.1"
+ ];
+ };
+ # todo add blocklist
+ # https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/pro.plus.txt
+ };
+
+}
diff --git a/hosts/pink/services/endlessh.nix b/hosts/pink/services/endlessh.nix
new file mode 100644
index 0000000..a62194c
--- /dev/null
+++ b/hosts/pink/services/endlessh.nix
@@ -0,0 +1,17 @@
+{ pkgs, ... }: {
+ services.endlessh-go = {
+ enable = true;
+ extraOptions = [
+ "-max_clients=200"
+ "-geoip_supplier=ip-api"
+ ];
+ port = 2333;
+ openFirewall = true;
+
+ prometheus = {
+ enable = true;
+ port = 4212;
+ listenAddress = "127.0.0.1";
+ };
+ };
+}
diff --git a/hosts/pink/services/firewall.nix b/hosts/pink/services/firewall.nix
new file mode 100644
index 0000000..6ffafbf
--- /dev/null
+++ b/hosts/pink/services/firewall.nix
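Review bot: `upstream_dns` in dns.nix lists bare IPs (`194.242.2.2`, `9.9.9.9`, `1.1.1.1`), so AdGuard Home forwards every query upstream over plaintext UDP/53; all three providers offer DNS-over-TLS, e.g. `"tls://dns.quad9.net"` and `"tls://one.one.one.one"`, which keeps the resolver's upstream traffic private and authenticated. `openFirewall = true` on the adguardhome module opens the web admin port as well, if I read the module right, so check that the UI is meant to be reachable from outside pink and not only via the LAN; the `# pihole` labels in firewall.nix should say adguardhome so the two files agree.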
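Review bot: `"-geoip_supplier=ip-api"` in endlessh.nix makes endlessh-go look up every connecting source address at a third-party geolocation web API, so each tarpitted client costs an outbound HTTP call and hands that service a running list of the addresses probing this host; if the country label is only decorative in Grafana, drop the option, otherwise use the offline MaxMind-database supplier with a local file. Keeping the metrics endpoint on `listenAddress = "127.0.0.1"` is right, since prometheus.nix scrapes it locally.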
@@ -0,0 +1,43 @@
+{ pkgs, config, ... }: {
+
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ 22 #ssh
+
+ # pihole
+ 53
+ 1444
+
+ # prometheus
+ 9090
+ 8080
+
+ config.services.i2pd.port
+
+ 8422 # csengoclient
+ 5333 # csengoserver
+ 5432
+
+ ];
+ allowedUDPPorts = [
+ 22 # ssh
+
+ # pihole
+ 53
+ 1444
+
+ # prometheus
+ 9090
+ 8080
+
+ 8422 # csengoclient
+ 5333 # csengoserver
+ 5432
+
+ config.services.i2pd.port
+ ];
+ };
+
+}
+
diff --git a/hosts/pink/services/hydra.nix b/hosts/pink/services/hydra.nix
new file mode 100644
index 0000000..f6d3e42
--- /dev/null
+++ b/hosts/pink/services/hydra.nix
@@ -0,0 +1,19 @@
+{ pkgs, config, ... }: {
+ services.hydra = {
+ enable = true;
+ hydraURL = "https://hydra.${config.networking.domain}"; # externally visible URL
+ notificationSender = "hydra@localhost"; #
+ # a standalone hydra will require you to unset the buildMachinesFiles list to avoid using a nonexistant /etc/nix/machines
+ buildMachinesFiles = [ ];
+ # you will probably also want, otherwise *everything* will be built from scratch
+ useSubstitutes = true;
+ port = 6732;
+ };
+
+ networking.firewall = {
+ allowedTCPPorts = [ config.services.hydra.port ];
+ allowedUDPPorts = [ config.services.hydra.port ];
+ };
+
+
+}
diff --git a/hosts/pink/services/i2pd.nix b/hosts/pink/services/i2pd.nix
new file mode 100644
index 0000000..91fd1e5
--- /dev/null
+++ b/hosts/pink/services/i2pd.nix
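Review bot: 9090 and 8080 are opened on TCP and UDP to any source, and 9090 is where prometheus.nix in this commit listens, so the Prometheus UI and query API — unauthenticated, holding every scraped metric from all hosts — are reachable by whoever can reach pink; since Grafana queries it at `127.0.0.1`, 9090 can be dropped from both lists. Several entries also look stale or mismatched: 5432 is opened but pink's root.nix imports no PostgreSQL service (it runs on lime), 22, 8080 and 9090 are TCP-only services and need no UDP entry, and the `# pihole` comments describe AdGuard Home (dns.nix). A short comment per port naming the service would keep this list reviewable.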
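Review bot: `hydraURL = "https://hydra.${config.networking.domain}"` in hydra.nix evaluates to `https://hydra.stuff.local` on pink (root.nix sets `networking.domain = "stuff.local"`), while carbon's routes/hydra.nix serves it under carbon's domain; Hydra uses `hydraURL` for absolute links and notification mail, so those will point at the unreachable `.local` name. Spell out the public hostname here or derive both from one shared value. Also `allowedUDPPorts = [ config.services.hydra.port ]` is unnecessary for an HTTP service, and opening the TCP port to all sources lets clients bypass the TLS proxy on carbon — restrict it to carbon's address if the network allows.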
@@ -0,0 +1,35 @@
+{ pkgs, lib, config, ... }: {
+
+ services.i2pd = {
+ enable = false;
+ port = 9732;
+ enableIPv6 = true;
+ floodfill = true;
+ };
+
+ #i2pcontrol
+ services.i2pd.proto.i2pControl = {
+ enable = true;
+ port = 7659;
+ name = "i2pcontrol";
+ address = "0.0.0.0";
+ };
+
+
+ services.i2pd.proto.http = {
+ enable = true;
+ };
+
+ # todo proxy
+ # todo privacy respecting services
+ # todo reseed export
+ # need to create a nginx proxy that proxies the reseed file
+
+ services.prometheus.exporters.i2pd = {
+ enable = false;
+ port = 3321;
+ openFirewall = true;
+ routerAddress = "https://127.0.0.1:${toString config.services.i2pd.proto.i2pControl.port}";
+ routerPassword = "itoopie";
+ };
+}
diff --git a/hosts/pink/services/monitoring/exporters/node.nix b/hosts/pink/services/monitoring/exporters/node.nix
new file mode 100644
index 0000000..f9210de
--- /dev/null
+++ b/hosts/pink/services/monitoring/exporters/node.nix
@@ -0,0 +1,6 @@
+{ pkgs, ... }: {
+ services.prometheus.exporters.node = {
+ enable = true;
+ port = 9001;
+ };
+}
diff --git a/hosts/pink/services/monitoring/exporters/smartctl.nix b/hosts/pink/services/monitoring/exporters/smartctl.nix
new file mode 100644
index 0000000..134b62d
--- /dev/null
+++ b/hosts/pink/services/monitoring/exporters/smartctl.nix
@@ -0,0 +1,15 @@
+{ pkgs, ... }: {
+ services.prometheus.exporters.smartctl = {
+ enable = true;
+ devices = [ "/dev/sda" ];
+ };
+ services.smartd = {
+ enable = true;
+ notifications.wall.enable = true;
+ devices = [
+ {
+ device = "/dev/sda";
+ }
+ ];
+ };
+}
diff --git a/hosts/pink/services/monitoring/grafana.nix b/hosts/pink/services/monitoring/grafana.nix
new file mode 100644
index 0000000..0301c51
--- /dev/null
+++ b/hosts/pink/services/monitoring/grafana.nix
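Review bot: `services.i2pd.proto.i2pControl.address = "0.0.0.0"` exposes the I2PControl RPC on every interface, and `routerPassword = "itoopie"` on the exporter is i2pd's well-known default, so the moment `services.i2pd.enable` is flipped to true the router's control API is reachable from the network with a public password. The exporter already talks to `https://127.0.0.1:…`, so `address = "127.0.0.1";` costs nothing, and the control password should be a non-default value on both sides — ideally fed from agenix rather than a literal, since `routerPassword` ends up in the store. `openFirewall = true` on the exporter is moot while it is disabled but will later open 3321 to all sources even though prometheus.nix scrapes it from localhost.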
@@ -0,0 +1,29 @@
+{ pkgs, config, ... }:
+
+let
+ grafanaPort = 3033;
+in
+{
+ services.grafana = {
+ enable = true;
+ settings.server = {
+ http_port = grafanaPort;
+ http_addr = "0.0.0.0";
+ };
+ provision = {
+ enable = true;
+ datasources.settings.datasources = [
+ {
+ name = "prometheus";
+ type = "prometheus";
+ url = "http://127.0.0.1:${toString config.services.prometheus.port}";
+ isDefault = true;
+ }
+ ];
+ };
+ };
+ networking.firewall = {
+ allowedTCPPorts = [ grafanaPort ];
+ allowedUDPPorts = [ grafanaPort ];
+ };
+}
diff --git a/hosts/pink/services/monitoring/prometheus.nix b/hosts/pink/services/monitoring/prometheus.nix
new file mode 100644
index 0000000..1ed5256
--- /dev/null
+++ b/hosts/pink/services/monitoring/prometheus.nix
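Review bot: `http_addr = "0.0.0.0"` together with `allowedTCPPorts = [ grafanaPort ]` puts the Grafana login page on 3033 for any address that can reach pink, protected only by whatever admin password the instance was initialised with (Grafana's built-in default is admin/admin unless `settings.security.admin_password` or a first-login change set it). If it is only used from the LAN or a VPN, bind to that interface, or to `127.0.0.1` behind nginx; and `allowedUDPPorts = [ grafanaPort ]` can go, Grafana is HTTP only. Keeping the datasource on `http://127.0.0.1:…` is right — pair it with dropping 9090 from firewall.nix so Prometheus is only reachable through Grafana.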
@@ -0,0 +1,79 @@
+{ pkgs, config, ... }:
+
+let
+
+ lime = "32.54.31.241";
+ carbon = "32.54.31.180";
+in
+{
+
+ services.prometheus = {
+ enable = true;
+
+ scrapeConfigs = [
+ {
+ job_name = "node";
+ scrape_interval = "5s";
+ static_configs = [
+ {
+ targets = [ "localhost:9001" ];
+ labels = { alias = "node.pink.local"; };
+ }
+
+ {
+ targets = [ "${carbon}:9001" ];
+ labels = { alias = "node.carbon.local"; };
+ }
+
+ {
+ targets = [ "${lime}:9001" ];
+ labels = { alias = "node.lime.local"; };
+ }
+
+ {
+ targets = [ "32.54.31.172:9001" ];
+ labels = { alias = "node.strix.local"; };
+ }
+ ];
+ }
+ {
+ job_name = "smartmontools";
+ scrape_interval = "5s";
+ static_configs = [
+ {
+ targets = [ "localhost:9633" ];
+ labels = { alias = "smartctl.pink.local"; };
+ }
+ {
+ targets = [ "${lime}:9633" ];
+ labels = { alias = "smartctl.lime.local"; };
+ }
+ {
+ targets = [ "${carbon}:9633" ];
+ labels = { alias = "smartctl.carbon.local"; };
+ }
+ ];
+ }
+ {
+ job_name = "endlessh";
+ scrape_interval = "5s";
+ static_configs = [
+ {
+ targets = [ "localhost:${toString config.services.endlessh-go.prometheus.port}" ];
+ labels = { alias = "endlessh.pink.local"; };
+ }
+ ];
+ }
+ {
+ job_name = "i2p";
+ scrape_interval = "5s";
+ static_configs = [
+ {
+ targets = [ "localhost:${toString config.services.prometheus.exporters.i2pd.port}" ];
+ labels = { alias = "i2pd.pink.local"; };
+ }
+ ];
+ }
+ ];
+ };
+}
diff --git a/root.nix b/root.nix
new file mode 100644
index 0000000..02f89a0
--- /dev/null
+++ b/root.nix
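Review bot: the `node` and `smartmontools` jobs scrape `${carbon}:9001`, `${lime}:9001`, `32.54.31.172:9001` and the `:9633` exporters over plain HTTP across what look like public addresses, and the exporters on lime are set to `openFirewall = true` (exporters/node.nix and smartctl.nix in this commit), so host metrics are readable by anyone, not just pink. Either scrape over a private link (WireGuard, or the hosts' internal interfaces) or restrict 9001/9633 on each host to pink's address with interface-scoped `networking.firewall.interfaces.<name>.allowedTCPPorts` or `extraCommands`. Minor: `32.54.31.172` for strix is the only target not bound in the `let`; a `strix = …` next to `lime` and `carbon` keeps the addresses in one place.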
@@ -0,0 +1,62 @@ +{ pkgs, ... }: { + + home-manager.users.root = { + programs.zsh = { + enable = true; + initExtra = '' + PROMPT="[%M] %~ " + ''; + antidote = { + enable = true; + plugins = [ + "marlonrichert/zsh-autocomplete" + "zsh-users/zsh-syntax-highlighting" + ]; + }; + }; + }; + home-manager.users.root.home.stateVersion = "23.11"; + + networking.networkmanager.enable = true; + + # Set your time zone. + time.timeZone = "Europe/Budapest"; + + # Select internationalisation properties. + i18n.defaultLocale = "en_US.UTF-8"; + + i18n.extraLocaleSettings = { + LC_ADDRESS = "hu_HU.UTF-8"; + LC_IDENTIFICATION = "hu_HU.UTF-8"; + LC_MEASUREMENT = "hu_HU.UTF-8"; + LC_MONETARY = "hu_HU.UTF-8"; + LC_NAME = "hu_HU.UTF-8"; + LC_NUMERIC = "hu_HU.UTF-8"; + LC_PAPER = "hu_HU.UTF-8"; + LC_TELEPHONE = "hu_HU.UTF-8"; + LC_TIME = "hu_HU.UTF-8"; + }; + + services.xserver = { + layout = "us"; + }; + + users.users."root".openssh.authorizedKeys.keys = [ + "ssh-rsa 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 pear@rog-strix" + ]; + + services.openssh = { + enable = true; + allowSFTP = true; + openFirewall = true; + settings = { + PasswordAuthentication = false; + KbdInteractiveAuthentication = false; + }; + }; + + nix.settings.experimental-features = [ "nix-command" "flakes" ]; + nixpkgs.config.allowUnfree = true; + system.stateVersion = "23.11"; + +} diff --git a/secrets/anonymousoverflow.age b/secrets/anonymousoverflow.age new file mode 100644 index 0000000..45c2175 --- /dev/null +++ b/secrets/anonymousoverflow.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 VxAJjg 7I7xNPaCZPE1JUdjgAWeSpLBiuCPcHOmEsYi10zClxY +tHU+7llwklkoxrucgV2eOfG4gSGMaL2lJth3e+1Nkvg +-> ssh-ed25519 pw11Hg NOFrYZt4SnJ8pcR4SvyoaRwQHY/CCnFiLBlDXjoN9iw +ezmF8oYZTmGc5SULU/aImcAbpNMchXKIhzhPywi0+L0 +--- hp8XULTiIl3wXkiJHq63G45VnxBM4i88yVOz+SkUSFk +6z +gyzJx䙑I%#׭ 6A1>Ľp8ҙ ~ \ No newline at end of file diff --git a/secrets/carbon.nix b/secrets/carbon.nix new file mode 100644 index 0000000..186ad3e 
--- /dev/null +++ b/secrets/carbon.nix @@ -0,0 +1,3 @@ +{ pkgs, ... }: { + age.secrets.forgejo-runner.file = ./forgejo-runner.age; +} diff --git a/secrets/forgejo-runner.age b/secrets/forgejo-runner.age new file mode 100644 index 0000000..0bb2485 --- /dev/null +++ b/secrets/forgejo-runner.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 VxAJjg FCHQ8R8lunZeC1W5GgHRuXOzKebT3H7+WgmkfC1MhHI +Yh11JHjmuMCNl4cGpJYgYEHxfGSPtCaE5WNvEldh+FE +-> ssh-ed25519 pw11Hg bwbMaWmmWy5N9DlvWbLc8Np1ZsVyvFBFzKuc+AC46G0 +mMk+gUs+HDVF7Ud36JUZYrocc4rlDpjcmIlG6Zov34A +--- G5mTwB+gZ3fJx1OyFbHnvYpYmjDJEAjKJAPd9LXBHHQ +`H@G}c>|g@/ 9b mMx,}gE"w4J^ \ No newline at end of file diff --git a/secrets/lime.nix b/secrets/lime.nix new file mode 100644 index 0000000..dbc43f8 --- /dev/null +++ b/secrets/lime.nix @@ -0,0 +1,5 @@ +{ pkgs, ... }: { + + age.secrets.porkbun.file = ./porkbun.age; + age.secrets.porkbun-user.file = ./porkbun-user.age; +} diff --git a/secrets/porkbun-user.age b/secrets/porkbun-user.age new file mode 100644 index 0000000..c02031d --- /dev/null +++ b/secrets/porkbun-user.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 VxAJjg SAzffPLeKmWwiPBrxqb8b1lSjnvX0xXGoErceOwrfz8 +qOu9fsxq0yneo5Wx0S6sJriYl9I+0geuD85ZVK8LEUg +-> ssh-ed25519 2+o3cg ODYd9WzF/r4ScnLNmnxne3NiuqlAQ4E3koozu4EKBQE +iiLf5yuAnGDTSFXLTbxm0PsQQBjnoFPVS7rh9v91GzY +--- BT5nFRlqsSubodxJI5M1+xE8yD/vzSHkvUTKhwOScWQ +vˉ(1Oɥvf"(r$5)Ћb;t1 \ No newline at end of file diff --git a/secrets/porkbun.age b/secrets/porkbun.age new file mode 100644 index 0000000000000000000000000000000000000000..f37be8d71a8d962e5802b86aba18a4b6ff458a86 GIT binary patch literal 391 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCR+t8nznN>`{X^L5QL z$PA7O(Jpf`@ho?AODf1Uh%}F|j7&<(^t3R|3oGN{sMzGIn=$&d)V;Ox(xALNS-YUh zusA!w$TK(<+{`5Ki4m`xe5#Ldpju{Uv+b_cBiv*mWAHr zcX5$M4xgT%&FAT8TC=q1eT|j*i^WzGye3Y$?9499`ZAJbN|lex1rgtvgAFUs=i2pt Z_l=)=bpgY{3a8^HPAiqyJ__OW0|4{0ifsS@ literal 0 HcmV?d00001 
diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..6f39afc --- /dev/null +++ b/secrets/secrets.nix @@ -0,0 +1,18 @@ +let + grape = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFJwT2EBbcTCeB9KJrAlsE15EwyldWCiGodjSLeJu6Cz grape@strix"; + users = [ grape ]; + + carbon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGgB3WAu0WWaRog795SwgM2vUXXB1/oosIhXRZ9kPZ+P"; + lime = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPiO7+7mFkXQ5jYNSmGErC+C6js0CvSWw0Pe9NAtuL1W"; + systems = [ carbon ]; +in +{ + "synapse.age".publicKeys = [ grape carbon ]; + "anonymousoverflow.age".publicKeys = [ grape carbon ]; + "forgejo-runner.age".publicKeys = [ grape carbon ]; + + "porkbun.age".publicKeys = [ grape lime ]; + "porkbun-user.age".publicKeys = [ grape lime ]; + + +} diff --git a/secrets/synapse.age b/secrets/synapse.age new file mode 100644 index 0000000..b9c3f1d --- /dev/null +++ b/secrets/synapse.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 VxAJjg rj/YumbJppvgqWezT5U/Mt8O8Pb7FyjHIB37akQZMGo +PR+7pNN1bzh8X5DhDDgKNdyvsuysn5VAOkfvwy37j/Y +-> ssh-ed25519 pw11Hg gKvZHPXnvV8hk3CByniFT4BpGsrUxK7hLBE2UAlwmlw +oNKGVQwqKXLmA5gZudnuSCLPToC7gOL7lNu3DhW9bA8 +--- nUHssI5El0LVBdGhwFOFA/7kM3SmW76Rfg+rg0OAmHw +ynq~YW$w]ׄvOfX#Y!ʺ \ No newline at end of file
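Review bot: `"synapse.age".publicKeys = [ grape carbon ]` omits `lime`, yet synapse (hosts/lime/services/matrix.nix) and its PostgreSQL role (hosts/lime/services/postgresql.nix) live on lime in this commit, so lime cannot decrypt that secret — which is presumably why the database password ended up hard-coded there; add `lime` to its recipients if lime is where it is consumed. The `users` and `systems` lists are built but never referenced (and `systems` lacks `lime`), so either use them in the `publicKeys` entries or drop them so the recipient lists stay the single source of truth.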