From 5de5e57518da3f425de012f2738988d5151f12b6 Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Thu, 10 Aug 2023 21:45:49 +0200
Subject: [PATCH] feat(router0-dmz0): init bpir3 based router
---
 .sops.yaml | 18 +-
 flake.lock | 163 +++--
 flake.nix | 16 +-
 nix/os/containers/backup-target.nix | 8 +-
 nix/os/containers/mailserver.nix | 8 -
 nix/os/containers/webserver.nix | 23 +-
 nix/os/devices/router0-dmz0/.gitignore | 1 +
 nix/os/devices/router0-dmz0/configuration.nix | 524 ++++++++++++++++++
 nix/os/devices/router0-dmz0/default.nix | 39 ++
 nix/os/devices/router0-dmz0/flake.lock | 205 +++++++
 nix/os/devices/router0-dmz0/flake.nix | 93 ++++
 nix/os/devices/sj-vps-htz0/pkg.nix | 26 -
 nix/os/devices/steveej-t14/system.nix | 4 +
 nix/os/lib/default.nix | 1 +
 nix/os/modules/ddclient-hetzner.nix | 25 -
 nix/os/modules/ddclient-ovh.nix | 11 -
 nix/os/profiles/containers/configuration.nix | 4 +-
 secrets/router0-dmz0/secrets.yaml | 41 ++
 secrets/shared-users.yaml | 95 ++--
 secrets/sj-vps-htz0/secrets.yaml | 37 ++
 20 files changed, 1133 insertions(+), 209 deletions(-)
 create mode 100644 nix/os/devices/router0-dmz0/.gitignore
 create mode 100644 nix/os/devices/router0-dmz0/configuration.nix
 create mode 100644 nix/os/devices/router0-dmz0/default.nix
 create mode 100644 nix/os/devices/router0-dmz0/flake.lock
 create mode 100644 nix/os/devices/router0-dmz0/flake.nix
 delete mode 100644 nix/os/devices/sj-vps-htz0/pkg.nix
 create mode 100644 secrets/router0-dmz0/secrets.yaml
 create mode 100644 secrets/sj-vps-htz0/secrets.yaml
diff --git a/.sops.yaml b/.sops.yaml
index 00c147f..4ba5ffb 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -11,7 +11,8 @@ keys: - &sj-vps-htz0 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - &srv0-dmz0 age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3 - + # - &router0-dmz0 age1jetxwpmd9hc4crkjtrdle2qxn9dlq7vcmqhfslv0vlxctrk4u3xq8hcvkz + - &router0-dmz0 age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86 creation_rules: - path_regex: ^(.+/|)secrets/[^/]+$ key_groups: @@ -19,10 +20,13 @@ creation_rules: - *steveej age: - *steveej-t14 - - *sj-vps-htz0 - - *srv0-dmz0 - *elias-e525 - *justyna-p300 + + - *srv0-dmz0 + - *router0-dmz0 + + - *sj-vps-htz0 - path_regex: ^secrets/steveej-t14/.+$ key_groups: - pgp: @@ -46,4 +50,10 @@ creation_rules: - pgp: - *steveej age: - - *srv0-dmz0 \ No newline at end of file + - *srv0-dmz0 + - path_regex: ^secrets/router0-dmz0/.+$ + key_groups: + - pgp: + - *steveej + age: + - *router0-dmz0 \ No newline at end of file diff --git a/flake.lock b/flake.lock index 69f97f8..b026e10 100644 --- a/flake.lock +++ b/flake.lock @@ -50,11 +50,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1688690832, - "narHash": "sha256-RJIYuOn9FaQWVzj6ytaKsHyur0KsYO9tOgaMz1XHtpQ=", + "lastModified": 1691423162, + "narHash": "sha256-cReUZCo83YEEmFcHX8CcOVTZYUrcWgHQO34zxQzy7WI=", "owner": "ipetkov", "repo": "crane", - "rev": "bfc1c3dca576e2f9e02eb0176e4058305192afe3", + "rev": "b5d9d42ea3fa8fea1805d9af1416fe207d0dd1dc", "type": "github" }, "original": { @@ -93,11 +93,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1688624761, - "narHash": "sha256-VMvhdWPCLUFhyssTSZXCxFkA9bZ05VgXZVsuYlJcZBg=", + "lastModified": 1691648495, + "narHash": "sha256-JULr+eKL9rjfex17hZYn0K/fBxxfK/FM9TOCcxPQay4=", "owner": "nix-community", "repo": "fenix", - "rev": "a2ea120926a1234ec804c090f90312e0ec2d4541", + "rev": "6c9f0709358f212766cff5ce79f6e8300ec1eb91", "type": "github" }, "original": { 
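Review bot: The file still ends with `\ No newline at end of file` after the new `router0-dmz0` creation rule; since the last hunk rewrites the final line anyway, terminate the file with a newline. Adding `*router0-dmz0` to the age recipients of the shared `^(.+/|)secrets/[^/]+$` rule only takes effect for already-encrypted files once they are re-keyed (`sops updatekeys`); the diffstat shows `secrets/shared-users.yaml` changing, which suggests that was done, but it should be confirmed for every file matching that rule. The commented-out earlier `&router0-dmz0` age key carries no explanation; either drop it or annotate it with a short note such as `# superseded key, kept for reference until <DATE placeholder>` so it is not re-enabled by mistake.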
@@ -158,11 +158,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1688466019, - "narHash": "sha256-VeM2akYrBYMsb4W/MmBo1zmaMfgbL4cH3Pu8PGyIwJ0=", + "lastModified": 1690933134, + "narHash": "sha256-ab989mN63fQZBFrkk4Q8bYxQCktuHmBIBqUG1jl6/FQ=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "8e8d955c22df93dbe24f19ea04f47a74adbdc5ec", + "rev": "59cf3f1447cfc75087e7273b04b31e689a8599fb", "type": "github" }, "original": { @@ -201,11 +201,11 @@ ] }, "locked": { - "lastModified": 1688466019, - "narHash": "sha256-VeM2akYrBYMsb4W/MmBo1zmaMfgbL4cH3Pu8PGyIwJ0=", + "lastModified": 1690933134, + "narHash": "sha256-ab989mN63fQZBFrkk4Q8bYxQCktuHmBIBqUG1jl6/FQ=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "8e8d955c22df93dbe24f19ea04f47a74adbdc5ec", + "rev": "59cf3f1447cfc75087e7273b04b31e689a8599fb", "type": "github" }, "original": { @@ -234,11 +234,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1687709756, - "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=", + "lastModified": 1689068808, + "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=", "owner": "numtide", "repo": "flake-utils", - "rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7", + "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4", "type": "github" }, "original": { @@ -252,11 +252,11 @@ "systems": "systems_2" }, "locked": { - "lastModified": 1687709756, - "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=", + "lastModified": 1689068808, + "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=", "owner": "numtide", "repo": "flake-utils", - "rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7", + "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4", "type": "github" }, "original": { 
@@ -298,11 +298,11 @@ "jay": { "flake": false, "locked": { - "lastModified": 1683988763, - "narHash": "sha256-vaHNBwCIMNf/rnnievmxhF5wxci0Rbu2IUXiUxxKF74=", + "lastModified": 1689440887, + "narHash": "sha256-+61dHuxk3FCP+H2PCoup6lZDlaTuJBqDzkiBNY6yaJ4=", "owner": "mahkoh", "repo": "jay", - "rev": "80dc8770c51c0409a32b212499e0803dd585cab1", + "rev": "eb83505e39ec8c2383ac233a8b8449803db52549", "type": "github" }, "original": { @@ -317,11 +317,11 @@ "nixpkgs-lib": "nixpkgs-lib_2" }, "locked": { - "lastModified": 1688299754, - "narHash": "sha256-ElNJ28wfORNv8JaCOFb/mniLiQe0cpuaj2DdD/dqdKw=", + "lastModified": 1691323683, + "narHash": "sha256-G7kMLDbYN03VNO+QYymFIp0o9jv+gflUpde8V4iYri8=", "owner": "nix-community", "repo": "lib-aggregate", - "rev": "6107c923522c233458760d0c7f31ad71bf1d2146", + "rev": "99d95d9ca592022832e9f1b4d2a8327b8d50eb60", "type": "github" }, "original": { @@ -349,14 +349,15 @@ "nix-eval-jobs": { "inputs": { "flake-parts": "flake-parts_3", - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs", + "treefmt-nix": "treefmt-nix_2" }, "locked": { - "lastModified": 1688608231, - "narHash": "sha256-RQeR/tirHIa5jhZYLCK7KnQiYTG/kq/vWdgDFLi+4+g=", + "lastModified": 1691371197, + "narHash": "sha256-YazAJxDjmAG9kiIEuqc+1CmmYIIt4wRIbEFb+TXf8WA=", "owner": "nix-community", "repo": "nix-eval-jobs", - "rev": "477d7196a493dd011f05704fc7b42cbe95f5b30d", + "rev": "b02b4e287fddc969fc490478b5666603f4ab0d3c", "type": "github" }, "original": { @@ -393,11 +394,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1687941964, - "narHash": "sha256-/Gr4tOq+tMBbE46njUt1aJGbsB9lpwnK99/oeC9uTXE=", + "lastModified": 1691224484, + "narHash": "sha256-0oodXqRRHXjUL7ssi1nIOKC8EzYD4f1e3eAaWexuF4M=", "owner": "numtide", "repo": "nixos-anywhere", - "rev": "22a2964bef34f92fe1c093ae54a8ab52eefdd5df", + "rev": "9df79870b04667f2d16f1a78a1ab87d124403fb7", "type": "github" }, "original": { 
@@ -434,11 +435,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1688607075, - "narHash": "sha256-KDWpwZ4xl4au5R+A+Ka+uVbyiwMDVczjwRTSqBOyqWM=", + "lastModified": 1691370583, + "narHash": "sha256-LnKMx9NQ0Qx0DTYQVewkcRr+7uW5NY7xU9kjh+Lxnb0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ff81c24d1dd4dc3698aeb27d2cc3991124e627e6", + "rev": "b51660a128c09baf31c614284b500eb53772496f", "type": "github" }, "original": { @@ -466,11 +467,11 @@ }, "nixpkgs-2305": { "locked": { - "lastModified": 1688594934, - "narHash": "sha256-3dUo20PsmUd57jVZRx5vgKyIN1tv+v/JQweZsve5q/A=", + "lastModified": 1691592289, + "narHash": "sha256-Lqpw7lrXlLkYra33tp57ms8tZ0StWhbcl80vk4D90F8=", "owner": "nixos", "repo": "nixpkgs", - "rev": "e11142026e2cef35ea52c9205703823df225c947", + "rev": "9034b46dc4c7596a87ab837bb8a07ef2d887e8c7", "type": "github" }, "original": { @@ -483,11 +484,11 @@ "nixpkgs-lib": { "locked": { "dir": "lib", - "lastModified": 1688049487, - "narHash": "sha256-100g4iaKC9MalDjUW9iN6Jl/OocTDtXdeAj7pEGIRh4=", + "lastModified": 1690881714, + "narHash": "sha256-h/nXluEqdiQHs1oSgkOOWF+j8gcJMWhwnZ9PFabN6q0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4bc72cae107788bf3f24f30db2e2f685c9298dc9", + "rev": "9e1960bc196baf6881340d53dccb203a951745a2", "type": "github" }, "original": { @@ -500,11 +501,11 @@ }, "nixpkgs-lib_2": { "locked": { - "lastModified": 1688259758, - "narHash": "sha256-CYVbYQfIm3vwciCf6CCYE+WOOLE3vcfxfEfNHIfKUJQ=", + "lastModified": 1691282883, + "narHash": "sha256-YLu1Fs+J+hw0BebUhWIeFzSqhlsnf0K88RqhVJebF9E=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "a92befce80a487380ea5e92ae515fe33cebd3ac6", + "rev": "b1d35b759161787e1cda815c460050142bda9adb", "type": "github" }, "original": { 
@@ -515,11 +516,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1688256355, - "narHash": "sha256-/E+OSabu4ii5+ccWff2k4vxDsXYhpc4hwnm0s6JOz7Y=", + "lastModified": 1690066826, + "narHash": "sha256-6L2qb+Zc0BFkh72OS9uuX637gniOjzU6qCDBpjB2LGY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "f553c016a31277246f8d3724d3b1eee5e8c0842c", + "rev": "ce45b591975d070044ca24e3003c830d26fea1c8", "type": "github" }, "original": { @@ -531,11 +532,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1690179384, - "narHash": "sha256-+arbgqFTAtoeKtepW9wCnA0njCOyoiDFyl0Q0SBSOtE=", + "lastModified": 1691565530, + "narHash": "sha256-qZZ6DxvS1X/tjxXNUwJrPiaIWLZyWUDM2gkJCi5uZpE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "b12803b6d90e2e583429bb79b859ca53c348b39a", + "rev": "e528fa15d5f740a25b5f536c33932db64cb10fc8", "type": "github" }, "original": { @@ -547,11 +548,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1691472822, - "narHash": "sha256-XVfYZ2oB3lNPVq6sHCY9WkdQ8lHoIDzzbpg8bB6oBxA=", + "lastModified": 1691644995, + "narHash": "sha256-/OL3sk+9iPv+pto8hs/3cPhGmcS+ugKowQ8FvopLMEA=", "owner": "nixos", "repo": "nixpkgs", - "rev": "41c7605718399dcfa53dd7083793b6ae3bc969ff", + "rev": "f6f59fdce76ca4ee03852417a642b77a960229cd", "type": "github" }, "original": { @@ -569,11 +570,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1688653033, - "narHash": "sha256-iRtkfin+7PLWd0ce/pQ8bDSo1v6N+nfgjFDFCFEKUCA=", + "lastModified": 1691518836, + "narHash": "sha256-sY9Unk1pCbMxMSX/SuoSUg8TY4TDN+edKY83cCEqb8g=", "owner": "nix-community", "repo": "nixpkgs-wayland", - "rev": "bc84572c913933dbb49df2746dc8669f562da454", + "rev": "982c0c1ee398e8584d8c9cce011ec98392d2e3cc", "type": "github" }, "original": { 
@@ -584,11 +585,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1688590700, - "narHash": "sha256-ZF055rIUP89cVwiLpG5xkJzx00gEuuGFF60Bs/LM3wc=", + "lastModified": 1691368598, + "narHash": "sha256-ia7li22keBBbj02tEdqjVeLtc7ZlSBuhUk+7XTUFr14=", "owner": "nixos", "repo": "nixpkgs", - "rev": "f292b4964cb71f9dfbbd30dc9f511d6165cd109b", + "rev": "5a8e9243812ba528000995b294292d3b5e120947", "type": "github" }, "original": { @@ -647,11 +648,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1688576197, - "narHash": "sha256-flxGk5OXBfXqlS/ZWNyT23slfPjTCkza3CV/EIfvdSU=", + "lastModified": 1691604464, + "narHash": "sha256-nNc/c9r1O8ajE/LkMhGcvJGlyR6ykenR3aRkEkhutxA=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "aa91eda9028758839487ad0f0eb120944a549ff3", + "rev": "05b061205179dab9a5cd94ae66d1c0e9b8febe08", "type": "github" }, "original": { @@ -673,11 +674,11 @@ ] }, "locked": { - "lastModified": 1688351637, - "narHash": "sha256-CLTufJ29VxNOIZ8UTg0lepsn3X03AmopmaLTTeHDCL4=", + "lastModified": 1691029059, + "narHash": "sha256-QwVeE9YTgH3LmL7yw2V/hgswL6yorIvYSp4YGI8lZYM=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "f9b92316727af9e6c7fee4a761242f7f46880329", + "rev": "99df4908445be37ddb2d332580365fce512a7dcf", "type": "github" }, "original": { @@ -710,11 +711,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1688268466, - "narHash": "sha256-fArazqgYyEFiNcqa136zVYXihuqzRHNOOeVICayU2Yg=", + "lastModified": 1690199016, + "narHash": "sha256-yTLL72q6aqGmzHq+C3rDp3rIjno7EJZkFLof6Ika7cE=", "owner": "Mic92", "repo": "sops-nix", - "rev": "5ed3c22c1fa0515e037e36956a67fe7e32c92957", + "rev": "c36df4fe4bf4bb87759b1891cab21e7a05219500", "type": "github" }, "original": { 
@@ -730,11 +731,11 @@ ] }, "locked": { - "lastModified": 1688619474, - "narHash": "sha256-mPPR4iZxOoq3LB2EZTgo72UunV4UWdtaBTiTc3x+iPI=", + "lastModified": 1691630941, + "narHash": "sha256-4+KVSa32impg0aBqXVEEty8uu3Urb64CjmseDkETofg=", "owner": "numtide", "repo": "srvos", - "rev": "bf8ce44e0d1a380565c51bd6a707a75ac21c1a9a", + "rev": "b7407c2dc143402de6f140575398020175f3ae1a", "type": "github" }, "original": { @@ -810,6 +811,28 @@ "type": "github" } }, + "treefmt-nix_2": { + "inputs": { + "nixpkgs": [ + "nixpkgs-wayland", + "nix-eval-jobs", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1690874496, + "narHash": "sha256-qYZJVAfilFbUL6U+euMjKLXUADueMNQBqwihpNzTbDU=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "fab56c8ce88f593300cd8c7351c9f97d10c333c5", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, "yofi": { "inputs": { "flake-utils": "flake-utils_4", diff --git a/flake.nix b/flake.nix index 7d7f0cd..3412ee3 100644 --- a/flake.nix +++ b/flake.nix @@ -100,15 +100,25 @@ repoFlakeWithSystem = withSystem; nodeFlake = self.inputs.get-flake ./nix/os/devices/${nodeName}; }) [ - "sj-vps-htz0" "steveej-t14" - "srv0-dmz0" "elias-e525" "justyna-p300" + + "srv0-dmz0" + "router0-dmz0" + + "sj-vps-htz0" ]); # this makes nixos-anywhere work - flake.nixosConfigurations = (inputs.colmena.lib.makeHive self.outputs.colmena).nodes; + flake.nixosConfigurations = + (inputs.colmena.lib.makeHive self.outputs.colmena).nodes + // (let + router0-dmz0 = (inputs.get-flake ./nix/os/devices/router0-dmz0).nixosConfigurations; + in { + router0-dmz0 = router0-dmz0.native; + cross_router0-dmz0 = router0-dmz0.cross; + }); inherit systems; diff --git a/nix/os/containers/backup-target.nix b/nix/os/containers/backup-target.nix index d1ff1f0..608ac47 100644 --- a/nix/os/containers/backup-target.nix +++ b/nix/os/containers/backup-target.nix 
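Review bot: The `//` merge in `flake.nixosConfigurations` puts `router0-dmz0` on both sides — it is now in the colmena node list above and is also defined in the right-hand attrset built from `get-flake` — so the sub-flake's `.native` configuration silently shadows the colmena-generated node of the same name. If that precedence is intended (the device flake owning the aarch64 build while colmena drives deployment), a one-line comment such as `# the device flake's native build deliberately overrides the colmena node here` would make it explicit; otherwise the right-hand entry should use a distinct name like the `cross_` one does. The `cross_router0-dmz0` key also mixes an underscore with the hyphenated node name, so `router0-dmz0-cross` would read consistently with the rest of the list.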
@@ -17,10 +17,10 @@ networking.firewall.enable = false; - services.ddclientovh = { - enable = true; - domain = containerBackupCfg.addr; - }; + # services.ddclientovh = { + # enable = true; + # domain = containerBackupCfg.addr; + # }; services.openssh.enable = true; diff --git a/nix/os/containers/mailserver.nix b/nix/os/containers/mailserver.nix index 79c6e55..d113925 100644 --- a/nix/os/containers/mailserver.nix +++ b/nix/os/containers/mailserver.nix @@ -43,14 +43,6 @@ }; # TODO: switch to something other than ddclient as it's no longer maintained - services.ddclient-hetzner = { - enable = false; - zone = "stefanjunker.de"; - domains = [ - "mailserver.svc.stefanjunker.de" - ]; - passwordFile = config.sops.secrets.hetznerDnsApiToken.path; - }; # TODO: switch to a let's encrypt certificate sops.secrets.dovecotSslServerCert = { diff --git a/nix/os/containers/webserver.nix b/nix/os/containers/webserver.nix index d3600a3..520aa30 100644 --- a/nix/os/containers/webserver.nix +++ b/nix/os/containers/webserver.nix @@ -5,7 +5,9 @@ httpPort ? 80, httpsPort ? 443, autoStart ? false, -}: { +}: let + domain = "www.stefanjunker.de"; +in { config = { config, pkgs, @@ -22,11 +24,6 @@ networking.firewall.enable = false; - services.ddclientovh = { - enable = true; - domain = "www.stefanjunker.de"; - }; - sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; sops.secrets.hedgedoc_environment_file = { sopsFile = ./webserver_secrets.yaml; 
@@ -35,30 +32,30 @@ services.caddy = { enable = true; - virtualHosts."${config.services.ddclientovh.domain}" = { + virtualHosts."${domain}" = { extraConfig = let port = "${builtins.toString config.services.authelia.instances.default.settings.server.port}"; path = "${config.services.authelia.instances.default.settings.server.path}"; in '' - redir /hedgedoc* https://hedgedoc.${config.services.ddclientovh.domain} + redir /hedgedoc* https://hedgedoc.${domain} respond "Hi!" ''; }; - virtualHosts."hedgedoc.${config.services.ddclientovh.domain}" = { + virtualHosts."hedgedoc.${domain}" = { extraConfig = '' reverse_proxy http://[::1]:3000 ''; }; - virtualHosts."authelia.${config.services.ddclientovh.domain}" = { + virtualHosts."authelia.${domain}" = { extraConfig = '' reverse_proxy http://127.0.0.1:${builtins.toString config.services.authelia.instances.default.settings.server.port} ''; }; - virtualHosts."lldap.${config.services.ddclientovh.domain}" = { + virtualHosts."lldap.${domain}" = { extraConfig = '' reverse_proxy http://127.0.0.1:${builtins.toString config.services.lldap.settings.http_port} ''; @@ -68,7 +65,7 @@ services.hedgedoc = { enable = true; settings = { - domain = "hedgedoc.${config.services.ddclientovh.domain}"; + domain = "hedgedoc.${domain}"; urlPath = ""; protocolUseSSL = true; db = { @@ -185,7 +182,7 @@ verbose = true; ldap_base_dn = "dc=stefanjunker,dc=de"; - http_url = "https://lldap.${config.services.ddclientovh.domain}"; + http_url = "https://lldap.${domain}"; ## Options to configure SMTP parameters, to send password reset emails. ## To set these options from environment variables, use the following format diff --git a/nix/os/devices/router0-dmz0/.gitignore b/nix/os/devices/router0-dmz0/.gitignore new file mode 100644 index 0000000..b2be92b --- /dev/null +++ b/nix/os/devices/router0-dmz0/.gitignore @@ -0,0 +1 @@ +result 
diff --git a/nix/os/devices/router0-dmz0/configuration.nix b/nix/os/devices/router0-dmz0/configuration.nix
new file mode 100644
index 0000000..17f987d
--- /dev/null
+++ b/nix/os/devices/router0-dmz0/configuration.nix
@@ -0,0 +1,524 @@ +{ + modulesPath, + repoFlake, + packages', + pkgs, + lib, + config, + nodeFlake, + nodeName, + system, + ... +}: let + inherit + (nodeFlake.inputs) + bpir3 + nixos-nftables-firewall + ; +in { + disabledModules = [ + # "services/networking/hostapd.nix" + ]; + + imports = [ + # nodeFlake.inputs.disko.nixosModules.disko + repoFlake.inputs.sops-nix.nixosModules.sops + + ../../profiles/common/user.nix + + "${bpir3}/lib/sd-image-mt7986.nix" + + nixos-nftables-firewall.nixosModules.default + + # TODO + # ./network.nix + # ./monitoring.nix + { + services.openssh.enable = true; + services.openssh.settings.PermitRootLogin = "yes"; + + users.commonUsers = { + enable = true; + enableNonRoot = false; + rootPasswordFile = config.sops.secrets.passwords-root.path; + }; + + sops.secrets.passwords-root = { + sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + neededForUsers = true; + format = "yaml"; + }; + } + ]; + + # sops.secrets.ssh_host_ed25519_key = { + # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + # format = "yaml"; + + # path = "/etc/ssh/ssh_host_ed25519_key"; + # mode = "0600"; + # }; + # sops.secrets.ssh_host_ed25519_key_pub = { + # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + # format = "yaml"; + + # path = "/etc/ssh/ssh_host_ed25519_key.pub"; + # mode = "0600"; + # }; + # sops.secrets.ssh_host_rsa_key = { + # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + # format = "yaml"; + + # path = "/etc/ssh/ssh_host_rsa_key"; + # mode = "0600"; + # }; + # sops.secrets.ssh_host_rsa_key_pub = { + # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + # format = "yaml"; + + # path = "/etc/ssh/ssh_host_rsa_key.pub"; + # mode = "0644"; + # }; + + boot = { + kernel = { + sysctl = { + "net.ipv4.conf.all.forwarding" = true; + "net.ipv6.conf.all.forwarding" = true; + }; + }; + }; + + networking = { + hostName = nodeName; + useNetworkd = true; + useDHCP = false; + + # No local firewall. 
+ nat.enable = lib.mkForce false; + firewall.enable = lib.mkForce false; + + # Use the nftables firewall instead of the base nixos scripted rules. + # This flake provides a similar utility to the base nixos scripting. + # https://github.com/thelegy/nixos-nftables-firewall/tree/main + nftables = { + enable = true; + stopRuleset = ""; + firewall = { + enable = true; + zones = { + lan.interfaces = ["br-lan"]; + wan.interfaces = ["wan"]; + }; + rules = { + lan = { + from = ["lan"]; + to = ["fw"]; + verdict = "accept"; + }; + outbound = { + from = ["lan"]; + to = ["lan" "wan"]; + verdict = "accept"; + }; + nat = { + from = ["lan"]; + to = ["wan"]; + masquerade = true; + }; + + incoming-wan = { + from = ["wan"]; + to = ["fw"]; + verdict = "drop"; + }; + }; + }; + }; + }; + + systemd.network = { + wait-online.anyInterface = true; + netdevs = { + # Create the bridge interface + "20-br-lan" = { + netdevConfig = { + Kind = "bridge"; + Name = "br-lan"; + }; + }; + }; + networks = { + # Connect the bridge ports to the bridge + "30-lan0" = { + matchConfig.Name = "lan0"; + networkConfig = { + Bridge = "br-lan"; + ConfigureWithoutCarrier = true; + }; + linkConfig.RequiredForOnline = "enslaved"; + }; + "30-lan1" = { + matchConfig.Name = "lan1"; + networkConfig = { + Bridge = "br-lan"; + ConfigureWithoutCarrier = true; + }; + linkConfig.RequiredForOnline = "enslaved"; + }; + "30-lan2" = { + matchConfig.Name = "lan2"; + networkConfig = { + Bridge = "br-lan"; + ConfigureWithoutCarrier = true; + }; + linkConfig.RequiredForOnline = "enslaved"; + }; + "30-lan3" = { + matchConfig.Name = "lan3"; + networkConfig = { + Bridge = "br-lan"; + ConfigureWithoutCarrier = true; + }; + linkConfig.RequiredForOnline = "enslaved"; + }; + # Configure the bridge for its desired function + "40-br-lan" = { + matchConfig.Name = "br-lan"; + bridgeConfig = {}; + address = [ + "192.168.10.1/24" + ]; + networkConfig = { + ConfigureWithoutCarrier = true; + }; + # Don't wait for it as it also would wait for wlan 
and DFS which takes around 5 min + linkConfig.RequiredForOnline = "no"; + }; + "10-wan" = { + matchConfig.Name = "wan"; + networkConfig = { + # start a DHCP Client for IPv4 Addressing/Routing + DHCP = "ipv4"; + # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC) + IPv6AcceptRA = true; + DNSOverTLS = true; + DNSSEC = true; + IPv6PrivacyExtensions = false; + IPForward = true; + }; + # make routing on this interface a dependency for network-online.target + linkConfig.RequiredForOnline = "routable"; + }; + }; + }; + + # wireless access point + services.hostapd = { + enable = true; + radios = { + wlan0 = { + band = "2g"; + countryCode = "CH"; + channel = 0; # ACS + + # use 'iw phy#1 info' to determine your VHT capabilities + wifi4 = { + enable = true; + capabilities = ["HT40+" "LDPC" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935"]; + }; + networks = { + wlan0 = { + ssid = "justtestingwifi-wpa3"; + authentication = { + mode = "wpa3-sae"; + # saePasswordsFile = config.sops.secrets.wifiPassword.path; + saePasswords = [ + {password = "justtestingwifi";} + ]; + }; + + # generated with https://miniwebtool.com/mac-address-generator/ + bssid = "34:56:ce:0f:ed:40"; + settings = { + bridge = "br-lan"; + }; + }; + + wlan0-1 = { + ssid = "justtestingwifi-compat"; + authentication = { + mode = "wpa3-sae-transition"; + # saePasswordsFile = config.sops.secrets.wifiPassword.path; + saePasswords = [ + {password = "justtestingwifi";} + ]; + wpaPassword = "justtestingwifi"; + }; + + # generated with https://miniwebtool.com/mac-address-generator/ + bssid = "34:56:ce:0f:ed:41"; + settings = { + bridge = "br-lan"; + }; + }; + + # Uncomment when needed otherwise remove + # wlan0-1 = { + # ssid = "koteczkowo3"; + # authentication = { + # mode = "none"; # this is overriden by settings + # }; + # managementFrameProtection = "optional"; + # bssid = "e6:02:43:07:00:00"; + # settings = { + # bridge = "br-lan"; + # wpa = lib.mkForce 2; + # wpa_key_mgmt = 
"WPA-PSK"; + # wpa_pairwise = "CCMP"; + # wpa_psk_file = config.sops.secrets.legacyWifiPassword.path; + # }; + # }; + }; + }; + # wlan1 = { + # band = "5g"; + # # channels with 160 MHz width in Poland: 36, 52, 100 i 116 + # channel = 0; # ACS + # countryCode = "PL"; + + # # use 'iw phy#1 info' to determine your VHT capabilities + # wifi4 = { + # enable = true; + # capabilities = ["HT40+" "LDPC" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935"]; + # }; + # wifi5 = { + # enable = true; + # operatingChannelWidth = "160"; + # capabilities = ["RXLDPC" "SHORT-GI-80" "SHORT-GI-160" "TX-STBC-2BY1" "SU-BEAMFORMER" "SU-BEAMFORMEE" "MU-BEAMFORMER" "MU-BEAMFORMEE" "RX-ANTENNA-PATTERN" "TX-ANTENNA-PATTERN" "RX-STBC-1" "SOUNDING-DIMENSION-4" "BF-ANTENNA-4" "VHT160" "MAX-MPDU-11454" "MAX-A-MPDU-LEN-EXP7"]; + # }; + # wifi6 = { + # enable = true; + # singleUserBeamformer = true; + # singleUserBeamformee = true; + # multiUserBeamformer = true; + # operatingChannelWidth = "160"; + # }; + # settings = { + # # these two are mandatory for wifi 5 & 6 to work + # vht_oper_centr_freq_seg0_idx = 50; + # he_oper_centr_freq_seg0_idx = 50; + + # # The "tx_queue_data2_burst" parameter in Linux refers to the burst size for + # # transmitting data packets from the second data queue of a network interface. + # # It determines the number of packets that can be sent in a burst. + # # Adjusting this parameter can impact network throughput and latency. + # tx_queue_data2_burst = 2; + + # # The "he_bss_color" parameter in Wi-Fi 6 (802.11ax) refers to the BSS Color field in the HE (High Efficiency) MAC header. + # # BSS Color is a mechanism introduced in Wi-Fi 6 to mitigate interference and improve network efficiency in dense deployment scenarios. + # # It allows multiple overlapping Basic Service Sets (BSS) to differentiate and coexist in the same area without causing excessive interference. 
+ # he_bss_color = 63; # was set to 128 by openwrt but range of possible values in 2.10 is 1-63 + + # # Magic values that were set by openwrt but I didn't bother inspecting every single one + # he_spr_sr_control = 3; + # he_default_pe_duration = 4; + # he_rts_threshold = 1023; + + # he_mu_edca_qos_info_param_count = 0; + # he_mu_edca_qos_info_q_ack = 0; + # he_mu_edca_qos_info_queue_request = 0; + # he_mu_edca_qos_info_txop_request = 0; + + # # he_mu_edca_ac_be_aci=0; missing in 2.10 + # he_mu_edca_ac_be_aifsn = 8; + # he_mu_edca_ac_be_ecwmin = 9; + # he_mu_edca_ac_be_ecwmax = 10; + # he_mu_edca_ac_be_timer = 255; + + # he_mu_edca_ac_bk_aifsn = 15; + # he_mu_edca_ac_bk_aci = 1; + # he_mu_edca_ac_bk_ecwmin = 9; + # he_mu_edca_ac_bk_ecwmax = 10; + # he_mu_edca_ac_bk_timer = 255; + + # he_mu_edca_ac_vi_ecwmin = 5; + # he_mu_edca_ac_vi_ecwmax = 7; + # he_mu_edca_ac_vi_aifsn = 5; + # he_mu_edca_ac_vi_aci = 2; + # he_mu_edca_ac_vi_timer = 255; + + # he_mu_edca_ac_vo_aifsn = 5; + # he_mu_edca_ac_vo_aci = 3; + # he_mu_edca_ac_vo_ecwmin = 5; + # he_mu_edca_ac_vo_ecwmax = 7; + # he_mu_edca_ac_vo_timer = 255; + # }; + # networks = { + # wlan1 = { + # ssid = "koteczkowo5"; + # authentication = { + # mode = "wpa3-sae"; + # saePasswordsFile = config.sops.secrets.wifiPassword.path; # Use saePasswordsFile if possible. 
+ # }; + # bssid = "36:b9:02:21:08:a2"; + # settings = { + # bridge = "br-lan"; + # }; + # }; + # }; + # }; + }; + }; + + services.resolved.enable = false; + + services.dnsmasq = { + enable = true; + settings = { + # upstream DNS servers + server = ["9.9.9.9" "8.8.8.8" "1.1.1.1"]; + # sensible behaviours + domain-needed = true; + bogus-priv = true; + no-resolv = true; + + dhcp-range = ["br-lan,192.168.10.50,192.168.10.254,24h"]; + interface = "br-lan"; + dhcp-host = "192.168.10.1"; + + # local domains + local = "/lan/"; + domain = "lan"; + expand-hosts = true; + + # don't use /etc/hosts as this would advertise surfer as localhost + no-hosts = true; + address = "/surfer.lan/192.168.10.1"; + }; + }; + + # The service irqbalance is useful as it assigns certain IRQ calls to specific CPUs instead of letting the first CPU core to handle everything. This is supposed to increase performance by hitting CPU cache more often. + services.irqbalance.enable = true; + + # disko.devices = { + # disk = { + # nvme0n1 = { + # device = "/dev/nvme0n1"; + # type = "disk"; + # content = { + # type = "table"; + # format = "gpt"; + # partitions = [ + # { + # name = "var-log"; + # start = "1MiB"; + # end = "20G"; + # content = { + # type = "filesystem"; + # format = "ext4"; + # mountpoint = "/var/log"; + # }; + # } + # { + # name = "tmp"; + # start = "20G"; + # end = "60G"; + # content = { + # type = "filesystem"; + # format = "ext4"; + # mountpoint = "/tmp"; + # }; + # } + # { + # name = "var"; + # start = "60G"; + # end = "100G"; + # content = { + # type = "filesystem"; + # format = "ext4"; + # mountpoint = "/var"; + # }; + # } + # { + # name = "swap"; + # start = "100G"; + # end = "100%"; + # content = { + # type = "swap"; + # randomEncryption = false; + # }; + # } + # ]; + # }; + # }; + # }; + # }; + + system.stateVersion = "23.05"; + + boot.kernelPackages = pkgs.linuxPackages_bpir3; + # boot.kernelPackages = bpir3.packages.aarch64-linux.linuxPackages_bpir3; + # We exclude a number of 
modules included in the default list. A non-insignificant amount do + # not apply to embedded hardware like this, so simply skip the defaults. + # + # Custom kernel is required as a lot of MTK components misbehave when built as modules. + # They fail to load properly, leaving the system without working ethernet, they'll oops on + # remove. MTK-DSA parts and PCIe were observed to do this. + boot.initrd.includeDefaultModules = false; + boot.initrd.kernelModules = ["rfkill" "cfg80211" "mt7915e"]; + boot.initrd.availableKernelModules = ["nvme"]; + + boot.kernelParams = ["console=ttyS0,115200"]; + hardware.enableRedistributableFirmware = true; + # Wireless hardware exists, regulatory database is essential. + hardware.wirelessRegulatoryDatabase = true; + + # Extlinux compatible with custom uboot patches in this repo, which also provide unique + # MAC addresses instead of the non-unique one that gets used by a lot of MTK devices... + boot.loader.grub.enable = false; + boot.loader.generic-extlinux-compatible.enable = true; + # Known to work with u-boot; bz2, lzma, and lz4 should be safe too, need to test. + boot.initrd.compressor = "gzip"; + hardware.deviceTree.filter = "mt7986a-bananapi-bpi-r3.dtb"; + + hardware.deviceTree.overlays = [ + { + name = "bpir3-sd-enable"; + dtsFile = "${bpir3}/bpir3-dts/mt7986a-bananapi-bpi-r3-sd.dts"; + } + { + name = "bpir3-nand-enable"; + dtsFile = "${bpir3}/bpir3-dts/mt7986a-bananapi-bpi-r3-nand.dts"; + } + { + name = "bpi-r3 wifi training data"; + dtsFile = "${bpir3}/bpir3-dts/mt7986a-bananapi-bpi-r3-wirless.dts"; + } + { + name = "reset button disable"; + dtsFile = "${bpir3}/bpir3-dts/mt7986a-bananapi-bpi-r3-pcie-button.dts"; + } + { + name = "mt7986a efuses"; + dtsFile = "${bpir3}/bpir3-dts/mt7986a-efuse-device-tree-node.dts"; + } + ]; + + boot.initrd.preDeviceCommands = '' + if [ ! -d /sys/bus/pci/devices/0000:01:00.0 ]; then + if [ -d /sys/bus/pci/devices/0000:00:00.0 ]; then + # Remove PCI bridge, then rescan. 
NVMe init crashes if PCI bridge not removed first + echo 1 > /sys/bus/pci/devices/0000:00:00.0/remove + # Rescan brings PCI root back and brings the NVMe device in. + echo 1 > /sys/bus/pci/rescan + else + info "PCIe bridge missing" + fi + fi + ''; + + environment.systemPackages = [ + pkgs.ethtool + ]; +} diff --git a/nix/os/devices/router0-dmz0/default.nix b/nix/os/devices/router0-dmz0/default.nix new file mode 100644 index 0000000..e8d521a --- /dev/null +++ b/nix/os/devices/router0-dmz0/default.nix @@ -0,0 +1,39 @@ +{ + nodeName, + repoFlake, + nodeFlake, + ... +}: let + system = "aarch64-linux"; +in { + meta.nodeSpecialArgs.${nodeName} = { + inherit repoFlake nodeName nodeFlake system; + packages' = repoFlake.packages.${system}; + + inherit + (nodeFlake.inputs.bpir3.packages.${system}) + armTrustedFirmwareMT7986 + ; + }; + + meta.nodeNixpkgs.${nodeName} = + import nodeFlake.inputs.nixpkgs.outPath + { + inherit system; + }; + + ${nodeName} = { + deployment.targetHost = "router0.dmz0.noosphere.life"; + deployment.replaceUnknownProfiles = true; + + # nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system}; + + imports = [ + nodeFlake.inputs.home-manager.nixosModules.home-manager + + ./configuration.nix + ]; + + networking.hostName = nodeName; + }; +} diff --git a/nix/os/devices/router0-dmz0/flake.lock b/nix/os/devices/router0-dmz0/flake.lock new file mode 100644 index 0000000..9ad07a0 --- /dev/null +++ b/nix/os/devices/router0-dmz0/flake.lock 
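Review bot: `services.openssh.settings.PermitRootLogin = "yes"` in the inline module near the top of the hunk enables password root login over SSH on a device whose only account is root (`users.commonUsers.enableNonRoot = false`); `PermitRootLogin = "prohibit-password"` together with `users.users.root.openssh.authorizedKeys.keys` would keep access while closing the password path, which matters because the `incoming-wan` drop rule only shields the WAN zone and any client on `br-lan` (including the test SSIDs) can still reach sshd. The hostapd networks carry the passphrase in clear — `saePasswords = [{password = "justtestingwifi";}]` and `wpaPassword = "justtestingwifi"` — which ends up in the world-readable Nix store; the commented-out `saePasswordsFile = config.sops.secrets.wifiPassword.path` is the right shape, so a `# TODO: switch to saePasswordsFile/wpaPasswordFile backed by sops before a real SSID goes here` next to it would record the intent. `nftables.stopRuleset = ""` leaves an empty ruleset whenever the nftables unit is stopped while `net.ipv4.conf.all.forwarding` and `net.ipv6.conf.all.forwarding` remain on, so the router forwards and accepts unfiltered traffic until the unit is back; if the firewall module's default stop ruleset is stricter (not checked here), this override weakens it, and a minimal stop ruleset with `policy drop` on input and forward would be safer. In the dnsmasq settings `dhcp-host = "192.168.10.1"` is a bare address where dnsmasq expects a MAC/hostname-to-address mapping, so it looks like `listen-address` was meant, and the `DNSOverTLS`/`DNSSEC` keys in `10-wan` are systemd-resolved settings that `services.resolved.enable = false` turns off, so they are inert and worth either removing or documenting as such.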
@@ -0,0 +1,205 @@ +{ + "nodes": { + "bpir3": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1688620001, + "narHash": "sha256-8ACxxssPiQy/lsUsT8cAaT2te8p8d8ngmPwTc/erPnU=", + "owner": "nakato", + "repo": "nixos-bpir3-example", + "rev": "4210480bdebbf3a7953e22d5d9f183f47b725bff", + "type": "github" + }, + "original": { + "owner": "nakato", + "repo": "nixos-bpir3-example", + "type": "github" + } + }, + "dependencyDagOfSubmodule": { + "inputs": { + "nixpkgs": [ + "nixos-nftables-firewall", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1656615370, + "narHash": "sha256-IZDqz1aSySoqf1qtVQg+oJMHfC4IlT55Zoa7EkjvPug=", + "owner": "thelegy", + "repo": "nix-dependencyDagOfSubmodule", + "rev": "98eb563d80b35acafbfc1abb9ccee569c1efb19c", + "type": "github" + }, + "original": { + "owner": "thelegy", + "repo": "nix-dependencyDagOfSubmodule", + "type": "github" + } + }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1691743546, + "narHash": "sha256-nS2uWOeEmMgUBEMDCvwLlXBBCLkW7agDcMtOXuf9PDc=", + "owner": "nix-community", + "repo": "disko", + "rev": "241c878d4b542fea7c61ed4421e9224af054ff56", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "get-flake": { + "locked": { + "lastModified": 1673819588, + "narHash": "sha256-gRtwKAlu4htvS6dxyZnW3n+vMS1acqnMGVHqxUdETeY=", + "owner": "ursi", + "repo": "get-flake", + "rev": "e0917b6f564aa5acefb1484b5baf76da21746c3c", + "type": "github" + }, + "original": { + "owner": "ursi", + "repo": "get-flake", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1691672736, + "narHash": "sha256-HNPA/dKHerA0p4OsToEcW/DtTSXBcK5gFRsy/yPgV/Y=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "6e1eff9aac0e8d84bda7f2d60ba6108eea9b7e79", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": 
"master", + "repo": "home-manager", + "type": "github" + } + }, + "nixos-nftables-firewall": { + "inputs": { + "dependencyDagOfSubmodule": "dependencyDagOfSubmodule", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1677020959, + "narHash": "sha256-r06isoyASAIoYH+zcbb8jescQyYq+AYNccVPUlzivDk=", + "owner": "thelegy", + "repo": "nixos-nftables-firewall", + "rev": "6cb25335de6f1fe0722f02573d0cfbaea4cd7ecf", + "type": "github" + }, + "original": { + "owner": "thelegy", + "repo": "nixos-nftables-firewall", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1691654369, + "narHash": "sha256-gSILTEx1jRaJjwZxRlnu3ZwMn1FVNk80qlwiCX8kmpo=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "ce5e4a6ef2e59d89a971bc434ca8ca222b9c7f5e", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-master": { + "locked": { + "lastModified": 1691753935, + "narHash": "sha256-fjH5oZ0g8Cb0vrJ8TlS4B7kaVr7YmEdee64ueQ6arAo=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "650596759b8b38399a0c4d5e366847d190360e55", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "master", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1691703261, + "narHash": "sha256-jUzmIeh+F+XKkuEhfY+VRgbVitTOr5oh5Oi5p5kr9tQ=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "079f7bd05bf72641e3b5904ed891d44d21ea90ed", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable-small", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "bpir3": "bpir3", + "disko": "disko", + "get-flake": "get-flake", + "home-manager": "home-manager", + "nixos-nftables-firewall": "nixos-nftables-firewall", + "nixpkgs": "nixpkgs", + "nixpkgs-master": "nixpkgs-master", + "nixpkgs-unstable": "nixpkgs-unstable", + "srvos": "srvos" + } + }, + "srvos": { + "inputs": { + "nixpkgs": [ + 
"nixpkgs" + ] + }, + "locked": { + "lastModified": 1691630941, + "narHash": "sha256-4+KVSa32impg0aBqXVEEty8uu3Urb64CjmseDkETofg=", + "owner": "numtide", + "repo": "srvos", + "rev": "b7407c2dc143402de6f140575398020175f3ae1a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "srvos", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nix/os/devices/router0-dmz0/flake.nix b/nix/os/devices/router0-dmz0/flake.nix new file mode 100644 index 0000000..c934242 --- /dev/null +++ b/nix/os/devices/router0-dmz0/flake.nix 
@@ -0,0 +1,93 @@
+{
+ inputs = {
+ # nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+ nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small";
+ nixpkgs-master.url = "github:nixos/nixpkgs/master";
+
+ get-flake.url = "github:ursi/get-flake";
+
+ home-manager.url = "github:nix-community/home-manager/master";
+ home-manager.inputs.nixpkgs.follows = "nixpkgs";
+
+ disko.url = "github:nix-community/disko";
+ disko.inputs.nixpkgs.follows = "nixpkgs";
+ srvos.url = "github:numtide/srvos";
+ srvos.inputs.nixpkgs.follows = "nixpkgs";
+
+ bpir3.url = "github:nakato/nixos-bpir3-example";
+ bpir3.inputs.nixpkgs.follows = "nixpkgs";
+
+ nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall";
+ nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ # outputs = _: {};
+
+ outputs = {
+ self,
+ get-flake,
+ nixpkgs,
+ bpir3,
+ ...
+ } @ attrs: let
+ system = "aarch64-linux";
+ nodeName = "router0-dmz0";
+
+ mkNixosConfiguration = {extraModules ? [], ...} @ attrs:
+ nixpkgs.lib.nixosSystem (
+ nixpkgs.lib.attrsets.recursiveUpdate
+ attrs
+ {
+ specialArgs = {
+ nodeFlake = self;
+ repoFlake = get-flake ../../../..;
+ inherit nodeName;
+ inherit
+ (bpir3.packages.${system})
+ armTrustedFirmwareMT7986
+ ;
+ };
+
+ modules =
+ [
+ ./configuration.nix
+
+ # flake registry
+ {
+ nix.registry.nixpkgs.flake = nixpkgs;
+ }
+
+ {
+ nixpkgs.overlays = [
+ (final: previous: let
+ bpir3Pkgs = previous.callPackage "${bpir3}/pkgs" {};
+ in {
+ inherit
+ (bpir3Pkgs)
+ linuxPackages_bpir3
+ ;
+ })
+ ];
+ }
+ ]
+ ++ extraModules;
+ }
+ );
+ in {
+ nixosConfigurations = {
+ native = mkNixosConfiguration {
+ inherit system;
+ };
+
+ cross = mkNixosConfiguration {
+ extraModules = [
+ {
+ nixpkgs.buildPlatform.system = "x86_64-linux";
+ nixpkgs.hostPlatform.system = system;
+ }
+ ];
+ };
+ };
+ };
+}
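Review bot: `bpir3.url = "github:nakato/nixos-bpir3-example"` tracks the default branch of a personal repository, and this flake takes its kernel (`linuxPackages_bpir3` via the overlay), its ARM Trusted Firmware (`armTrustedFirmwareMT7986`) and, per the device-tree overlays in configuration.nix, its DTS files from it — the entire boot chain of an internet-facing router. flake.lock pins it to a narHash today, but any `nix flake update` will silently move to whatever that branch then contains, so pin the input to the reviewed commit instead, e.g. `bpir3.url = "github:nakato/nixos-bpir3-example/4210480bdebbf3a7953e22d5d9f183f47b725bff";`, and bump it deliberately after reading the upstream diff. The same concern applies in weaker form to `home-manager/master` and `nixos-unstable-small`. Several inputs (disko, srvos, nixpkgs-master, nixpkgs-unstable, nixos-nftables-firewall) are declared but not referenced by the visible outputs; if configuration.nix does not reach them through `nodeFlake.inputs`, dropping them shrinks the update surface this lockfile has to guard.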
diff --git a/nix/os/devices/sj-vps-htz0/pkg.nix b/nix/os/devices/sj-vps-htz0/pkg.nix
deleted file mode 100644
index 11d8bad..0000000
--- a/nix/os/devices/sj-vps-htz0/pkg.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- config,
- pkgs,
- lib,
- ...
-}: {
- nixpkgs.config.packageOverrides = pkgs:
- with pkgs; {
- nixPath =
- (import ../../../default.nix {
- versionsPath = ./versions.nix;
- })
- .nixPath;
- };
- home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix {
- inherit pkgs;
- extraPackages = [
- # required by vscode's remote-ssh plugin
- pkgs.nodejs
-
- # allow clipboard exchanges
- pkgs.xsel
- pkgs.xclip
- ];
- };
-}
diff --git a/nix/os/devices/steveej-t14/system.nix b/nix/os/devices/steveej-t14/system.nix
index 9ced0b4..c2cd584 100644
--- a/nix/os/devices/steveej-t14/system.nix
+++ b/nix/os/devices/steveej-t14/system.nix
@@ -132,4 +132,8 @@ in {
 sopsFile = ../../../../secrets/zerotierone.txt;
 format = "binary";
 };
+
+ boot.binfmt.emulatedSystems = [
+ "aarch64-linux"
+ ];
 }
diff --git a/nix/os/lib/default.nix b/nix/os/lib/default.nix
index 0554d6e..5ed886d 100644
--- a/nix/os/lib/default.nix
+++ b/nix/os/lib/default.nix
@@ -19,6 +19,7 @@ in {
 "video"
 "cdrom"
 "adbusers"
+ "dialout"
 ];

 openssh.authorizedKeys.keys = keys.users.steveej.openssh;
diff --git a/nix/os/modules/ddclient-hetzner.nix b/nix/os/modules/ddclient-hetzner.nix
index 75765d1..893620a 100644
--- a/nix/os/modules/ddclient-hetzner.nix
+++ b/nix/os/modules/ddclient-hetzner.nix
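Review bot: Adding `"dialout"` to the group list (presumably `extraGroups`) in nix/os/lib/default.nix grants serial/tty device access — typically /dev/ttyUSB* and /dev/ttyACM* — to this user on every host that consumes the shared lib, not just the workstation that talks to the router's UART console. The need looks local to steveej-t14, where the same commit also enables aarch64 binfmt emulation; scoping it there with `users.users.steveej.extraGroups = ["dialout"];` in that host's system.nix keeps the server and router accounts at their previous privilege. If the lib is in fact only consumed by workstations, a comment above the entry such as `# serial console access for the bpir3 UART` would at least make the intent reviewable. The enclosing user definition starts before this hunk.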
@@ -11,29 +11,4 @@ in {
 domains = mkOption {type = types.listOf types.str;};
 passwordFile = mkOption {type = types.path;};
 };
-
- config = lib.mkIf cfg.enable {
- users.groups.ddclient = {};
- users.users.ddclient = {
- isSystemUser = true;
- group = "ddclient";
- };
-
- services.ddclient = {
- enable = cfg.enable;
- verbose = true;
- protocol = "hetzner";
-
- # see https://github.com/ddclient/ddclient/blob/a4eab34ab4719d1e2146d8c9c4449b70dd7e0163/ddclient.in#L775
- username = "token";
-
- inherit (cfg) zone domains passwordFile;
-
- extraConfig = ''
- '';
- };
-
- systemd.services.ddclient.serviceConfig.User = config.users.users.ddclient.name;
- systemd.services.ddclient.serviceConfig.Group = config.users.groups.ddclient.name;
- };
 }
diff --git a/nix/os/modules/ddclient-ovh.nix b/nix/os/modules/ddclient-ovh.nix
index 7ac124c..9b0321d 100644
--- a/nix/os/modules/ddclient-ovh.nix
+++ b/nix/os/modules/ddclient-ovh.nix
@@ -9,15 +9,4 @@ in {
 enable = mkEnableOption "Enable ddclient-ovh";
 domain = mkOption {type = types.str;};
 };
-
- config = lib.mkIf cfg.enable {
- services.ddclient = {
- enable = true;
- protocol = "dyndns2";
- server = "www.ovh.com";
- ssl = true;
- domains = [cfg.domain];
- use = "web";
- };
- };
 }
diff --git a/nix/os/profiles/containers/configuration.nix b/nix/os/profiles/containers/configuration.nix
index 4a3e475..edf3974 100644
--- a/nix/os/profiles/containers/configuration.nix
+++ b/nix/os/profiles/containers/configuration.nix
@@ -14,7 +14,7 @@
 };

 imports = [
- ../../modules/ddclient-ovh.nix
- ../../modules/ddclient-hetzner.nix
+ # ../../modules/ddclient-ovh.nix
+ # ../../modules/ddclient-hetzner.nix
 ];
 }
diff --git a/secrets/router0-dmz0/secrets.yaml b/secrets/router0-dmz0/secrets.yaml
new file mode 100644
index 0000000..ee184e9
--- /dev/null
+++ b/secrets/router0-dmz0/secrets.yaml
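Review bot: After this hunk ddclient-hetzner.nix still declares `enable`, `zone`, `domains` and `passwordFile` (the option path is declared above the hunk) but has no `config` block, so a host that enables the module silently gets no DDNS updates and no evaluation error — a dead-module failure that would only surface when a DNS record goes stale. Either delete the options together with the implementation, or keep a stub that fails loudly, e.g. `config = lib.mkIf cfg.enable { assertions = [{ assertion = false; message = "ddclient-hetzner has been removed"; }]; };`. ddclient-ovh.nix in the next hunk is left in the same option-only shape, and nix/os/profiles/containers/configuration.nix merely comments the imports out; if the intent is to retire these modules, removing the files and the import lines is cleaner than leaving shells that type-check but do nothing.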
@@ -0,0 +1,41 @@ +#ENC[AES256_GCM,data:QydWKuMH8uixprFup1rEwvPkKAMw0yat9MOOK1DleeCJ5tqRqrPh9NiOpJs6nve8Rmji3WyrHAkUaK9zT/f8VKk=,iv:I6OHO6sLTtFBV6CYGmLh5owCrNjzS/LBjOjW9VovGlE=,tag:Vg0IZSFbYa7UQvuPpmMVKw==,type:comment] +passwords-root: ENC[AES256_GCM,data:+8IcZ4pbJ1qIjRCK7oycmgOVWy6hzc2oDISYMMqE9SmgRE//PQ5ABwtBtpaghrhZTXrUV2l3qsvTHD9UdYRNMB1VBlM6vn4Iug==,iv:2eUIa46QNby++yLK9dax/SD7Ajtj+U0ptheRuKV9r+g=,tag:5tA5rhm1eztDh7Q4d+C1BQ==,type:str] +ssh_host_ed25519_key: ENC[AES256_GCM,data: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,iv:2U5IpWTRyQ8basBRoYpFe6Ycc5qdeCUAUTwlEHttRJU=,tag:jA0mFsMxWKq7dnkGQWNP9Q==,type:str] +ssh_host_ed25519_key_pub: ENC[AES256_GCM,data:MQ0q/I6clKNz6uzoztGA06vOjIbpK6Dsf3WbgddRA0B8nEJ4EUmRBT0KkX3o+LZmQPhmURHWWFtOSqvAzkyoxAoBZEh98H3IDsLE5PgcNbxK3dAh36+AAMPLzVFnHLyaWLQW,iv:9XIw29PkSHCeU7C2GuSJ+J+mBrwOrbSMmm7kOtCkiyI=,tag:x3JqFF08f2eVfOrrQ1gzYw==,type:str] +ssh_host_rsa_key: ENC[AES256_GCM,data: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,iv:mXE8xpXFBYSJce9pg+g3OedMS9+ZHOHHwydCY0NbGRQ=,tag:cEqbUu9Y1PFKXwaeqioXWA==,type:str] +ssh_host_rsa_key_pub: ENC[AES256_GCM,data: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,iv:8c3hDcJ8wzTugmJ3Mhzx/qEXnnlpFefBmRTG/MqyeEg=,tag:uSz6+CYu9uQa0C2DXnHPUA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6NDRCejdyRzY4Q3RwY3Nk + REV5RklTUWluQzVZZ3V0VUdKTnF3TFRzTUVFCnZxUXRaRlJXSWRqVWZwNG55OW5P + T1RHT0xXaDc0bkFCNHZQdW53aWpZMHcKLS0tIDVIWTM4VjN0UXdxK3ptOEtMWG1r + THRNR0tEUzhPdFFhWWxvZlpKYmZKM2MKxc5s1jsci8jPOrvZAoofVNvHT4o9P6yv + J8rALQQXgql6obK51Q/Doyzvo1RJ0T7epiWEAZm5B3vDrf6KqbWBYw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-08-11T16:46:38Z" + mac: 
ENC[AES256_GCM,data:W9aRsPPRKro6rGbNvBV8bftPklQn6LN6Lq+G45vYTVRZs5t0F1qFqUpXDXKTrZ040mkYnECi7JSRWeJvyfGqHK5KPY1uWtBxDoghYfO/J7VXBNv+NbROO4KoAKYAoOpZSECVqXgm6U69G1GGu8yyrDPDFAcfbFXivXqH+e7t42A=,iv:uUndgDmUHBYCKvb2LHC9zRp+eBwcy6107ocaJFniV6o=,tag:VGKODnvz107hvEoCT0risw==,type:str] + pgp: + - created_at: "2023-08-11T16:15:11Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcBMA0SHG/zF3227AQf+LuGZY70bnoWRAzpxCJnxtf0UfoYkIQoVGeHdnjJ5DTx+ + NXtGN+gYTfuCUIf1lQRnd8FdQbDUSuHFmaDKFFts3SJR24ZO3N761Ye429FycMp3 + pyx5RYs1qXYMilN/RLSnEqrsjOpnO21VpxuAxbe9HY5Wp0jLDGdUvpdk2mQqqhx8 + ZYFbEs9ZZHq568k9ELpJcudlNnvkZPoecMsFiAWP1oh7V0cSacfSUJiqXA2/Ug1a + 8vweej2pwJ6kaoLIFqjD6qI2rKNtSC+woHD517kldLr6BMetNNc/gEiyat2zOGRB + 596SIBBf3eCvXCHSMJDtOWsT977CUO2pz+DPTmdqMtJRAbbz9Ks22jtPViAFZDzY + pyDwCuX2hTJ2c7r3KA0o7lG4pfvfLkOqXXcV3SnSBvYy4fuhLp2Id+1GWCOD0o1O + v5QlxcXSMuOeGygclwHdxzs+ + =NQjH + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/secrets/shared-users.yaml b/secrets/shared-users.yaml index f64bef7..abd3292 100644 --- a/secrets/shared-users.yaml +++ b/secrets/shared-users.yaml 
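Review bot: secrets/router0-dmz0/secrets.yaml stores both SSH host private keys (`ssh_host_ed25519_key`, `ssh_host_rsa_key`) encrypted to a single age recipient, `age1k7cejd9…`, plus the maintainer PGP key. If that age identity is derived from the router's ed25519 host key (the usual sops-nix arrangement, which this diff cannot confirm), the device can only decrypt this file once the key it contains is already on disk, so the file cannot bootstrap a fresh flash of the board; a comment in the file header describing how the host key reaches the device the first time would save the next operator from discovering this during an outage. The `_pub` entries need no confidentiality; keeping the public halves in plaintext would let the deployer pin `router0.dmz0.noosphere.life` in known_hosts so colmena verifies the target before pushing a closure. An RSA host key is also still shipped alongside ed25519; if nothing on the network requires it, dropping it removes one long-lived secret from the repository.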
@@ -16,64 +16,73 @@ sops: - recipient: age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1RUdSYmxFdXI2R25OZ0ov - TlEwOStVeUxkbE1sbTJWZG5VZFRPNkNOeWlnCm0xMWFCdm4zMjVlcjB1ZXFZVVho - TCtVYW84WGh2ZmdsWHBlUFJVcm8vZFkKLS0tIGFYaWptakozYVVvQ0ZmbUFjMFR3 - b0VBVTV3R2tlckJLQzlvWFVKK1h6aGsKCekGZ/RZ7nNa5yXHfgXGpSrh3J3C95mh - 7YFgjgd9ey3BGNoMNxm5E++JzxBN0d2tY7sW/G6ub+kOJIt0rAEAkg== - -----END AGE ENCRYPTED FILE----- - - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArYy9FL3pnNmdUa0VEdlV4 - aFVNTkhGWTZJcUo0YTlORmdINGkxMTlVdHkwClVyakJoZTdxVlF6UTVBbm45d1Bo - RUl2S3BaU0NYYmtsSGhHWGxrWjVuemcKLS0tIHlqbXhXN0RUbm9sL09mbjhaSnBP - V0hQTUJuUnlOQ1hycDJ4RlY1aCtjOFEKuDt6KRxX7+yYIHxtD0prLdxJSlHwQtxH - 8U/Q8hoE+L3lBFSE3+syMt1/pu5vHrreIOVTXAxSENsDxcE6noxQvA== - -----END AGE ENCRYPTED FILE----- - - recipient: age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDK080NlJKYkZyREFpc1JM - ZWxlV2Z5YjZRSnBFMy9CbUs2aHJkcjNVR2dJCjN5SXQzbWtiZlZBK0g0Y1ZPcHJK - cXRCTStRSG1lamUvOFBxSFViWmFVeW8KLS0tIDFUNlRkS2RLMGdULzhzdSt5Uk02 - TjZZN1lFZ3g3YzVxQUlyQ1Y5S1NWeFEKGjqEPuxaUR/WQc+4OhUzLgtSCatVmtx+ - q4Y/wC1eqUKJHzqIMa3qeWXwrGbf6ScL3s0bNc9sxvPmWQ3NLvjUfg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMVEs2NzlqWnExV28vOG9j + Zjc0QXgrc2M3SkkvS3dyL3QrSHFYa0JSRmhZCmZFd3EzcURSWmRvK3VIakQyNFhR + dWN0c1FqR09XSkFUV3pEOFpsRlZhVlUKLS0tIDVDb25JMUh3TkJYa0pTdDUrYnpl + R3RVdkdvVnhIc2ZKUldGYjlnMzdicHcKL0Bcw6N93/v32cqFuoalcdmTv8/MLs7f + 9EgegS0+/xOriZmrwel6kNZlcoBR1JbC9qZO6s0D1B5nA1QLHnwvRw== -----END AGE ENCRYPTED FILE----- - recipient: age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3Uk9zWHJCY2dnamN1S1hU - 
ZWhoTkptaVArOGlHZ01Nd0ZkaGpFQ2dUU0hzCnR3WGtCVkJtSzlncVVhVU11K2d1 - SVpHa1RXN1dWMDE4cExiV2ordkhTSTAKLS0tIFBkV3oyS2VVVU92b0hnRG1nQytW - QU5IR2FaVGswZkhIOWhzWGh4YmUyMk0KVJEFNmm57SSUreilhuzLofZIlnILnO7F - rWASlGDi4YSGquM3lEfdn5rwqqJ3d77hSeRQEnaGhnClDYSH3nzjZQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0MFg3TkhOY3hNZE9Uc1pF + OWJGWHh2cHJDUlhJUmVSMlFGR0lxSG1pcVRjCjZqMTdOTkJyT2N1QWdBOC9sbVo2 + NnIvRUtqUTZkbFI3WGZJaHg5M01DUnMKLS0tIGY1eG44NHlSY2RPeVFWWlpaQ2w5 + dGNsUHhEYjhkTVY1bFdpQmJMSzh5aVkKK6t7EUzhCUNjxl5dFXPezX53EVCworvn + NMaDqS5RgwQhILl04/eGyb5KcQksGQBdN5MacXX872BlOUeuWOez2g== -----END AGE ENCRYPTED FILE----- - recipient: age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBldnVDczdmVUd3OS9jTnpB - dDkrQS9JcUY5b3YxY0lzVFEyUTlPNk5rM1VVCk9qMzJHWitrY0pjU0NCMWI0ODhG - S29DL0tPNWtkTStPTWRZdzlQWFJsTWcKLS0tIDdWZ1lVejcyVW5mcTgyR3ZMWlJq - RTdBNkRINWN3MTZOSXdPMXovNDNSQUEKJZhJFN6zmdCtzoCdKiKfYQf4vU8AXRvz - wHnPO2H8SAMK8XqjdXvIrRK6iXQIjonHO2ilTDxAGNPAFN5BpbGrWQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkdXA0SllGSjZRMDhXajFK + REp4RzBjQ3pqYnRZLzRMb0NGQVJyeDJYa2dRCk4ydjFmU0pEazJaUTNDV2pKQUUr + cExrU09iTHFWdXB1UGJBcnRsd3VraGcKLS0tIHVid2dhUWpSN09uU0IwUVFBcmdM + OGxuOTZJR3JnVUFGbjczYzQwSGc1Sm8KhzJ0+4No3Z8sAshkEIj5/4Sz3rJxC7Ki + 0VTPwftdnPcnOAhZ3z8xrZILeOPjzHwCC4N45vAvYbiNOXCr8VF5NA== + -----END AGE ENCRYPTED FILE----- + - recipient: age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiZEFoTWFWMHl0dkoycXU5 + TmhYU3hCWENGMzRqdnZNckVhODhzUUFlcWpFCldBYkkveTBPSGkvSEVrUXRXcE5E + UnFkNnB4TjZBN2Z1ODZVOHlacHZkc0EKLS0tIEI3Vjhzb2FXU05aSTNpT2pzWndV + NEdsK2xDaEkwekR2SS9DUmxzc2pKdTQKq/blmeAXpmo9Gmh8Ws1kLuio+sJUZXaC + BOBc0m4Dp5y+lTpqvyA9jA9sAZngPo502B+M9tY5rdIxkAR+aCbVUQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86 + enc: | + 
-----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjUGorR0ZIa3hNRWJvc0Zl + a1pPRExtbWc3a0VRS2duamZKTVBvL2FtaTFFCkpyTzdoRTh1bHJTclNFQXJBdDlw + M3RSQk9jMWh5ODdxY3FRamw1eWYwcFEKLS0tIHRIVk1ESk4yNkZ0MGxBTmtUVTJB + czlMQml3R1FlNEh6cnNoaGxXQk5jSk0KWuhdW4hVOTHaLwmmlnUazb5XLQdRcZRz + aN2qDOsAnSOqPgE/iXp4+88Y3iu05dWHgbMuWpS1lAFN+bv4s0zxCg== + -----END AGE ENCRYPTED FILE----- + - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5VG5odWxKdkN5NFRUcnA3 + ZFZpWDl3MGlzUmVrWVBEaWhrczVDdDgrM0FVCk5pOFJYSlcyclE1V3lUT1JWY01a + czVHcnlMcVZISFprdEZvRGxKditsVlUKLS0tIGJmZVVnTngyZWZaSkoyZ0doa0VD + bkIzU1ZCV20wRHhNaWtFcTMrNlQvSUEKrd4c5oMU+UqxbDM4sc2JVmlK+Qmoj/zp + 2Qc29mNIxP98cjfiPKe3IHidXIbzH0OluYfeFTfBCclbsn3mLpvltg== -----END AGE ENCRYPTED FILE----- lastmodified: "2023-07-06T20:14:22Z" mac: ENC[AES256_GCM,data:GPWu5DjjJ1ki+HRuedGdDCt+2V0RPbOsD/yWJxPIkgu5923vnF8y9y4V6e6+ZsTqHv4hsKeCjKtUnh2Ldn+xadwJmqrIxyJ8NzH5TOvcBxAab9cJCp/yKENw0O1WMUTlDPelvQKMDwbgiebaVVfxbQPUEfJGOgkHkyXrgqN94FU=,iv:h9YALYahUl7mRJmZKjArEfaMrfW9YZkVYd2CEooF13Q=,tag:wotqxup/ouG/bEVOZCs19w==,type:str] pgp: - - created_at: "2023-07-10T08:17:16Z" + - created_at: "2023-08-11T16:15:15Z" enc: |- -----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQf8DDe0qysI5DL1xc6IbIQ+a2oKtiNyL0P4pwrdfsCcudMm - dfhnap8JHPfVssucbA7Gicpg8iZxy9+M1o5E4es1EUBWun+tf+9utHmRKLkAJb98 - OPm+vvp/fzRU0bAtvwchskCc4REWbsq82UQdQl8uPhGoCweyWDusmAmXjjECBWmP - sW1pSb0tGvtHM7m0cpLYepWHUZ/VOcNBeuv3fGDuI3M0fv+lCTgYQJOtIrJv+xFf - q9dB1HGJaePsKLxmQTJW1gFdoWkc3ndfBwytY00iho1xPbrKAPSZojE0Wj227DPx - YynEy8ruLWIVcFZsjfEm961kRiwb8MwK1xB7ov/d79JRAXrovFTT3EfFZ+2pY2FW - w8TKQjGol/+vJ2mzlQV0LFtAxjUvgNgoAC/cJgl5c+N4qXz4ChgiT38yZ7JW2e2c - OUwOtIhmRp4PNBU+402xfgYI - =X23Q + wcBMA0SHG/zF3227AQf/aAO5OvMbhN/6/U9b1gj415csZ/PYBB8GJuQ+disXV/Tp + mTMdzmsQVcfefdVoBhd2HUfLv/OlcM2eF4751eu6NP7MBDad5XHZpYON0SCRjiJv + 
vG0xl+KwI/AQYUWQjBhyMcECqjRLJL6EyyW37ykSGMLNMjbdDCISkVniNYFt9pRE + XkuWQNnDF++vDSZtVxDZvuCIXNZC7isSh5UNjtFdGpc9nMcAra/ALuWx2NjOTKpG + QJ4Ilic2mrE4PIQuf60MnC5lfOJWWbKgR832Sik+ZY/2Nocp2KYsrDyrKRglUu2S + AGdmQrPl3nq0yp1zCGujYFQIQmCQKLPTcoz99x5xR9JRAeK6e/xKJcCM5UgRk6IK + ULdIYK3EGv432KHj6DJFhW6lYWJBnZwkcNsVhxS3qbuccP7CJr51UDZ4ipfoQQtV + irHq+0IfShQpgoPu8YJ+A1T1 + =qLIi -----END PGP MESSAGE----- fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B unencrypted_suffix: _unencrypted diff --git a/secrets/sj-vps-htz0/secrets.yaml b/secrets/sj-vps-htz0/secrets.yaml new file mode 100644 index 0000000..6f888b6 --- /dev/null +++ b/secrets/sj-vps-htz0/secrets.yaml 
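Review bot: This re-key adds the router's age recipient `age1k7cejd9…` (the same key that is the sole age recipient of secrets/router0-dmz0/secrets.yaml) to secrets/shared-users.yaml, so the DMZ edge device can now decrypt every shared user secret in that file. A perimeter router is the most exposed node in the fleet; unless it genuinely needs the shared user entries, least privilege argues for giving it only what its per-host secrets file holds, or for splitting the user data it does need into a file with a narrower recipient list. Note that `sops updatekeys` only re-wraps the data key — `lastmodified` is unchanged at 2023-07-06 — so the payload ciphertext is identical; if the router is later removed as a recipient, rotate the data key (`sops --rotate`) rather than just editing the recipient list, since the old wrapped key remains in git history.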
@@ -0,0 +1,37 @@ +#ENC[AES256_GCM,data:NJd2BaOWeCr6IER0GSL4OrnABI65kMLg0ft0auq4gazQJ+40vYKwN7pMimXnhQrIsax01pQocF0x0R9we0i/dbE=,iv:OlqfIRF9FtZVHT4QzjQuKCMbVaA+ei7PE9QvbyWj9OA=,tag:8uPJVrva06SUg0DQ26mNow==,type:comment] +passwords-root: ENC[AES256_GCM,data:mDQXWfH3zcvIifhmFdB5rfuiImHLX0Wb2WuR5Jb4lBII72AN9sEy436nHKLHdDHYDgzBkTHXDz63SfK28GEckJJKXHPcKuYl/g==,iv:M8tcUyUVuYAIesuGxQHQ/JRDlzeklTBAVgD1oBzsbVM=,tag:E8g5Qo1zAJkCvNPDeAv7pw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUOFB4VWUyT1pqVWF6b01v + ZmEyeG0zSjRsWTRkWW9FUmtUWlNiS3VTN2dNClcvQitVUDk1d3oxTnErRG1wZmpL + dHlkZnE2VlVUOGMyeW0xNmo5OHdmbmcKLS0tIFlnbXNvUWRPWGI2KzkrMW01Y0E2 + czdzaWhBRWJyb0pBSnphamZVZDgyMDAKjTYixgD7CzJImvPFRYJKJXefXqxSA6I0 + iOyW6E++Ax0MsYll77sR9eMNMgPCromY3uzKVJe640HKY/E1cLoi0Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-08-11T16:32:20Z" + mac: ENC[AES256_GCM,data:dgiAU9oMoHi1KvmkSbmNYRA6s2dIrsn8JC5UVpmfUUV5X+u+xwzt+QA/9IRHQoBWL3UZNz4E5qIvitEDx0xP8BktfNd2cGmeaBWT5e7YiSYGWNek0r/2SgXf8aSKsay4g+qdkE4mnxhRcj1pOc6dP5cKE/qh7vjnjlpTOMdp1wE=,iv:M7HE/XQGwttkwY7uXf7SHffwcaSzLqATB5Vqes3+W9w=,tag:vBhNC8zgNPPIzeNjikLt9A==,type:str] + pgp: + - created_at: "2023-08-11T16:31:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcBMA0SHG/zF3227AQf+ONiHDN6/hgu1g4WBaQOtAd3tnruoG+O9pbv/IIR86T3n + TIQElcQNsWJpHpoTeXB9G+H3HPh1f3z95tdHwQZOD78HpP0B7sOqx/KUOSJqTkC7 + R8jsuAxrIpidr9MIxAypsK5UE3SnZodf6E0IhWR5H26oWXtKPRd2TIBEMwbJZ4dZ + JLZ1D1pYIrJfNez1SP9r8SBMaKJgxLn65sFzonj8j6C+8CpStun2ykLfflsoQzXP + kiCzxG/IR9fA7fyq38h+QdeQgcX7/kyhC/g1tnfDoZRjmcS7gA2yI9Dlxr08cOvy + 0Dbruq0tykU0isHSPQHgKQpX/7PD5aV3mXTyvNyzEtJRASftwq7H5sDJXvAXWLMT + eKfUnGyPanQqVNA/jAPhOj/tAIVQZbL4UIPOlT6REfxmNk9tl7JSDhMJzKAEdkk7 + C5Jot9exml6467YZkApBm0eM + =HulH + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + 
unencrypted_suffix: _unencrypted + version: 3.7.3