steveej/infra
1
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages Wiki Activity Actions

feat(router0-dmz0): init bpir3 based router

Browse source
This commit is contained in:
steveej 2023-08-10 21:45:49 +02:00
parent 742e432ce7
commit 5de5e57518
20 changed files with 1133 additions and 209 deletions
Download patch file Download diff file Expand all files Collapse all files

16
.sops.yaml
View file

@ -11,7 +11,8 @@ keys:
- &sj-vps-htz0 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
- &srv0-dmz0 age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3
# - &router0-dmz0 age1jetxwpmd9hc4crkjtrdle2qxn9dlq7vcmqhfslv0vlxctrk4u3xq8hcvkz
- &router0-dmz0 age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86
creation_rules:
- path_regex: ^(.+/|)secrets/[^/]+$
key_groups:
@ -19,10 +20,13 @@ creation_rules:
- *steveej
age:
- *steveej-t14
- *sj-vps-htz0
- *srv0-dmz0
- *elias-e525
- *justyna-p300
- *srv0-dmz0
- *router0-dmz0
- *sj-vps-htz0
- path_regex: ^secrets/steveej-t14/.+$
key_groups:
- pgp:
@ -47,3 +51,9 @@ creation_rules:
- *steveej
age:
- *srv0-dmz0
- path_regex: ^secrets/router0-dmz0/.+$
key_groups:
- pgp:
- *steveej
age:
- *router0-dmz0

163
flake.lock generated
View file

@ -50,11 +50,11 @@
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1688690832,
"narHash": "sha256-RJIYuOn9FaQWVzj6ytaKsHyur0KsYO9tOgaMz1XHtpQ=",
"lastModified": 1691423162,
"narHash": "sha256-cReUZCo83YEEmFcHX8CcOVTZYUrcWgHQO34zxQzy7WI=",
"owner": "ipetkov",
"repo": "crane",
"rev": "bfc1c3dca576e2f9e02eb0176e4058305192afe3",
"rev": "b5d9d42ea3fa8fea1805d9af1416fe207d0dd1dc",
"type": "github"
},
"original": {
@ -93,11 +93,11 @@
"rust-analyzer-src": "rust-analyzer-src"
},
"locked": {
"lastModified": 1688624761,
"narHash": "sha256-VMvhdWPCLUFhyssTSZXCxFkA9bZ05VgXZVsuYlJcZBg=",
"lastModified": 1691648495,
"narHash": "sha256-JULr+eKL9rjfex17hZYn0K/fBxxfK/FM9TOCcxPQay4=",
"owner": "nix-community",
"repo": "fenix",
"rev": "a2ea120926a1234ec804c090f90312e0ec2d4541",
"rev": "6c9f0709358f212766cff5ce79f6e8300ec1eb91",
"type": "github"
},
"original": {
@ -158,11 +158,11 @@
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1688466019,
"narHash": "sha256-VeM2akYrBYMsb4W/MmBo1zmaMfgbL4cH3Pu8PGyIwJ0=",
"lastModified": 1690933134,
"narHash": "sha256-ab989mN63fQZBFrkk4Q8bYxQCktuHmBIBqUG1jl6/FQ=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "8e8d955c22df93dbe24f19ea04f47a74adbdc5ec",
"rev": "59cf3f1447cfc75087e7273b04b31e689a8599fb",
"type": "github"
},
"original": {
@ -201,11 +201,11 @@
]
},
"locked": {
"lastModified": 1688466019,
"narHash": "sha256-VeM2akYrBYMsb4W/MmBo1zmaMfgbL4cH3Pu8PGyIwJ0=",
"lastModified": 1690933134,
"narHash": "sha256-ab989mN63fQZBFrkk4Q8bYxQCktuHmBIBqUG1jl6/FQ=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "8e8d955c22df93dbe24f19ea04f47a74adbdc5ec",
"rev": "59cf3f1447cfc75087e7273b04b31e689a8599fb",
"type": "github"
},
"original": {
@ -234,11 +234,11 @@
"systems": "systems"
},
"locked": {
"lastModified": 1687709756,
"narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=",
"lastModified": 1689068808,
"narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7",
"rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
"type": "github"
},
"original": {
@ -252,11 +252,11 @@
"systems": "systems_2"
},
"locked": {
"lastModified": 1687709756,
"narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=",
"lastModified": 1689068808,
"narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7",
"rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
"type": "github"
},
"original": {
@ -298,11 +298,11 @@
"jay": {
"flake": false,
"locked": {
"lastModified": 1683988763,
"narHash": "sha256-vaHNBwCIMNf/rnnievmxhF5wxci0Rbu2IUXiUxxKF74=",
"lastModified": 1689440887,
"narHash": "sha256-+61dHuxk3FCP+H2PCoup6lZDlaTuJBqDzkiBNY6yaJ4=",
"owner": "mahkoh",
"repo": "jay",
"rev": "80dc8770c51c0409a32b212499e0803dd585cab1",
"rev": "eb83505e39ec8c2383ac233a8b8449803db52549",
"type": "github"
},
"original": {
@ -317,11 +317,11 @@
"nixpkgs-lib": "nixpkgs-lib_2"
},
"locked": {
"lastModified": 1688299754,
"narHash": "sha256-ElNJ28wfORNv8JaCOFb/mniLiQe0cpuaj2DdD/dqdKw=",
"lastModified": 1691323683,
"narHash": "sha256-G7kMLDbYN03VNO+QYymFIp0o9jv+gflUpde8V4iYri8=",
"owner": "nix-community",
"repo": "lib-aggregate",
"rev": "6107c923522c233458760d0c7f31ad71bf1d2146",
"rev": "99d95d9ca592022832e9f1b4d2a8327b8d50eb60",
"type": "github"
},
"original": {
@ -349,14 +349,15 @@
"nix-eval-jobs": {
"inputs": {
"flake-parts": "flake-parts_3",
"nixpkgs": "nixpkgs"
"nixpkgs": "nixpkgs",
"treefmt-nix": "treefmt-nix_2"
},
"locked": {
"lastModified": 1688608231,
"narHash": "sha256-RQeR/tirHIa5jhZYLCK7KnQiYTG/kq/vWdgDFLi+4+g=",
"lastModified": 1691371197,
"narHash": "sha256-YazAJxDjmAG9kiIEuqc+1CmmYIIt4wRIbEFb+TXf8WA=",
"owner": "nix-community",
"repo": "nix-eval-jobs",
"rev": "477d7196a493dd011f05704fc7b42cbe95f5b30d",
"rev": "b02b4e287fddc969fc490478b5666603f4ab0d3c",
"type": "github"
},
"original": {
@ -393,11 +394,11 @@
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1687941964,
"narHash": "sha256-/Gr4tOq+tMBbE46njUt1aJGbsB9lpwnK99/oeC9uTXE=",
"lastModified": 1691224484,
"narHash": "sha256-0oodXqRRHXjUL7ssi1nIOKC8EzYD4f1e3eAaWexuF4M=",
"owner": "numtide",
"repo": "nixos-anywhere",
"rev": "22a2964bef34f92fe1c093ae54a8ab52eefdd5df",
"rev": "9df79870b04667f2d16f1a78a1ab87d124403fb7",
"type": "github"
},
"original": {
@ -434,11 +435,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1688607075,
"narHash": "sha256-KDWpwZ4xl4au5R+A+Ka+uVbyiwMDVczjwRTSqBOyqWM=",
"lastModified": 1691370583,
"narHash": "sha256-LnKMx9NQ0Qx0DTYQVewkcRr+7uW5NY7xU9kjh+Lxnb0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ff81c24d1dd4dc3698aeb27d2cc3991124e627e6",
"rev": "b51660a128c09baf31c614284b500eb53772496f",
"type": "github"
},
"original": {
@ -466,11 +467,11 @@
},
"nixpkgs-2305": {
"locked": {
"lastModified": 1688594934,
"narHash": "sha256-3dUo20PsmUd57jVZRx5vgKyIN1tv+v/JQweZsve5q/A=",
"lastModified": 1691592289,
"narHash": "sha256-Lqpw7lrXlLkYra33tp57ms8tZ0StWhbcl80vk4D90F8=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "e11142026e2cef35ea52c9205703823df225c947",
"rev": "9034b46dc4c7596a87ab837bb8a07ef2d887e8c7",
"type": "github"
},
"original": {
@ -483,11 +484,11 @@
"nixpkgs-lib": {
"locked": {
"dir": "lib",
"lastModified": 1688049487,
"narHash": "sha256-100g4iaKC9MalDjUW9iN6Jl/OocTDtXdeAj7pEGIRh4=",
"lastModified": 1690881714,
"narHash": "sha256-h/nXluEqdiQHs1oSgkOOWF+j8gcJMWhwnZ9PFabN6q0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "4bc72cae107788bf3f24f30db2e2f685c9298dc9",
"rev": "9e1960bc196baf6881340d53dccb203a951745a2",
"type": "github"
},
"original": {
@ -500,11 +501,11 @@
},
"nixpkgs-lib_2": {
"locked": {
"lastModified": 1688259758,
"narHash": "sha256-CYVbYQfIm3vwciCf6CCYE+WOOLE3vcfxfEfNHIfKUJQ=",
"lastModified": 1691282883,
"narHash": "sha256-YLu1Fs+J+hw0BebUhWIeFzSqhlsnf0K88RqhVJebF9E=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "a92befce80a487380ea5e92ae515fe33cebd3ac6",
"rev": "b1d35b759161787e1cda815c460050142bda9adb",
"type": "github"
},
"original": {
@ -515,11 +516,11 @@
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1688256355,
"narHash": "sha256-/E+OSabu4ii5+ccWff2k4vxDsXYhpc4hwnm0s6JOz7Y=",
"lastModified": 1690066826,
"narHash": "sha256-6L2qb+Zc0BFkh72OS9uuX637gniOjzU6qCDBpjB2LGY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "f553c016a31277246f8d3724d3b1eee5e8c0842c",
"rev": "ce45b591975d070044ca24e3003c830d26fea1c8",
"type": "github"
},
"original": {
@ -531,11 +532,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1690179384,
"narHash": "sha256-+arbgqFTAtoeKtepW9wCnA0njCOyoiDFyl0Q0SBSOtE=",
"lastModified": 1691565530,
"narHash": "sha256-qZZ6DxvS1X/tjxXNUwJrPiaIWLZyWUDM2gkJCi5uZpE=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "b12803b6d90e2e583429bb79b859ca53c348b39a",
"rev": "e528fa15d5f740a25b5f536c33932db64cb10fc8",
"type": "github"
},
"original": {
@ -547,11 +548,11 @@
},
"nixpkgs-unstable-small": {
"locked": {
"lastModified": 1691472822,
"narHash": "sha256-XVfYZ2oB3lNPVq6sHCY9WkdQ8lHoIDzzbpg8bB6oBxA=",
"lastModified": 1691644995,
"narHash": "sha256-/OL3sk+9iPv+pto8hs/3cPhGmcS+ugKowQ8FvopLMEA=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "41c7605718399dcfa53dd7083793b6ae3bc969ff",
"rev": "f6f59fdce76ca4ee03852417a642b77a960229cd",
"type": "github"
},
"original": {
@ -569,11 +570,11 @@
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1688653033,
"narHash": "sha256-iRtkfin+7PLWd0ce/pQ8bDSo1v6N+nfgjFDFCFEKUCA=",
"lastModified": 1691518836,
"narHash": "sha256-sY9Unk1pCbMxMSX/SuoSUg8TY4TDN+edKY83cCEqb8g=",
"owner": "nix-community",
"repo": "nixpkgs-wayland",
"rev": "bc84572c913933dbb49df2746dc8669f562da454",
"rev": "982c0c1ee398e8584d8c9cce011ec98392d2e3cc",
"type": "github"
},
"original": {
@ -584,11 +585,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1688590700,
"narHash": "sha256-ZF055rIUP89cVwiLpG5xkJzx00gEuuGFF60Bs/LM3wc=",
"lastModified": 1691368598,
"narHash": "sha256-ia7li22keBBbj02tEdqjVeLtc7ZlSBuhUk+7XTUFr14=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "f292b4964cb71f9dfbbd30dc9f511d6165cd109b",
"rev": "5a8e9243812ba528000995b294292d3b5e120947",
"type": "github"
},
"original": {
@ -647,11 +648,11 @@
"rust-analyzer-src": {
"flake": false,
"locked": {
"lastModified": 1688576197,
"narHash": "sha256-flxGk5OXBfXqlS/ZWNyT23slfPjTCkza3CV/EIfvdSU=",
"lastModified": 1691604464,
"narHash": "sha256-nNc/c9r1O8ajE/LkMhGcvJGlyR6ykenR3aRkEkhutxA=",
"owner": "rust-lang",
"repo": "rust-analyzer",
"rev": "aa91eda9028758839487ad0f0eb120944a549ff3",
"rev": "05b061205179dab9a5cd94ae66d1c0e9b8febe08",
"type": "github"
},
"original": {
@ -673,11 +674,11 @@
]
},
"locked": {
"lastModified": 1688351637,
"narHash": "sha256-CLTufJ29VxNOIZ8UTg0lepsn3X03AmopmaLTTeHDCL4=",
"lastModified": 1691029059,
"narHash": "sha256-QwVeE9YTgH3LmL7yw2V/hgswL6yorIvYSp4YGI8lZYM=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "f9b92316727af9e6c7fee4a761242f7f46880329",
"rev": "99df4908445be37ddb2d332580365fce512a7dcf",
"type": "github"
},
"original": {
@ -710,11 +711,11 @@
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1688268466,
"narHash": "sha256-fArazqgYyEFiNcqa136zVYXihuqzRHNOOeVICayU2Yg=",
"lastModified": 1690199016,
"narHash": "sha256-yTLL72q6aqGmzHq+C3rDp3rIjno7EJZkFLof6Ika7cE=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "5ed3c22c1fa0515e037e36956a67fe7e32c92957",
"rev": "c36df4fe4bf4bb87759b1891cab21e7a05219500",
"type": "github"
},
"original": {
@ -730,11 +731,11 @@
]
},
"locked": {
"lastModified": 1688619474,
"narHash": "sha256-mPPR4iZxOoq3LB2EZTgo72UunV4UWdtaBTiTc3x+iPI=",
"lastModified": 1691630941,
"narHash": "sha256-4+KVSa32impg0aBqXVEEty8uu3Urb64CjmseDkETofg=",
"owner": "numtide",
"repo": "srvos",
"rev": "bf8ce44e0d1a380565c51bd6a707a75ac21c1a9a",
"rev": "b7407c2dc143402de6f140575398020175f3ae1a",
"type": "github"
},
"original": {
@ -810,6 +811,28 @@
"type": "github"
}
},
"treefmt-nix_2": {
"inputs": {
"nixpkgs": [
"nixpkgs-wayland",
"nix-eval-jobs",
"nixpkgs"
]
},
"locked": {
"lastModified": 1690874496,
"narHash": "sha256-qYZJVAfilFbUL6U+euMjKLXUADueMNQBqwihpNzTbDU=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "fab56c8ce88f593300cd8c7351c9f97d10c333c5",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"yofi": {
"inputs": {
"flake-utils": "flake-utils_4",

16
flake.nix
View file

@ -100,15 +100,25 @@
repoFlakeWithSystem = withSystem;
nodeFlake = self.inputs.get-flake ./nix/os/devices/${nodeName};
}) [
"sj-vps-htz0"
"steveej-t14"
"srv0-dmz0"
"elias-e525"
"justyna-p300"
"srv0-dmz0"
"router0-dmz0"
"sj-vps-htz0"
]);
# this makes nixos-anywhere work
flake.nixosConfigurations = (inputs.colmena.lib.makeHive self.outputs.colmena).nodes;
flake.nixosConfigurations =
(inputs.colmena.lib.makeHive self.outputs.colmena).nodes
// (let
router0-dmz0 = (inputs.get-flake ./nix/os/devices/router0-dmz0).nixosConfigurations;
in {
router0-dmz0 = router0-dmz0.native;
cross_router0-dmz0 = router0-dmz0.cross;
});
inherit systems;

8
nix/os/containers/backup-target.nix
View file

@ -17,10 +17,10 @@
networking.firewall.enable = false;
services.ddclientovh = {
enable = true;
domain = containerBackupCfg.addr;
};
# services.ddclientovh = {
# enable = true;
# domain = containerBackupCfg.addr;
# };
services.openssh.enable = true;

8
nix/os/containers/mailserver.nix
View file

@ -43,14 +43,6 @@
};
# TODO: switch to something other than ddclient as it's no longer maintained
services.ddclient-hetzner = {
enable = false;
zone = "stefanjunker.de";
domains = [
"mailserver.svc.stefanjunker.de"
];
passwordFile = config.sops.secrets.hetznerDnsApiToken.path;
};
# TODO: switch to a let's encrypt certificate
sops.secrets.dovecotSslServerCert = {

23
nix/os/containers/webserver.nix
View file

@ -5,7 +5,9 @@
httpPort ? 80,
httpsPort ? 443,
autoStart ? false,
}: {
}: let
domain = "www.stefanjunker.de";
in {
config = {
config,
pkgs,
@ -22,11 +24,6 @@
networking.firewall.enable = false;
services.ddclientovh = {
enable = true;
domain = "www.stefanjunker.de";
};
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
sops.secrets.hedgedoc_environment_file = {
sopsFile = ./webserver_secrets.yaml;
@ -35,30 +32,30 @@
services.caddy = {
enable = true;
virtualHosts."${config.services.ddclientovh.domain}" = {
virtualHosts."${domain}" = {
extraConfig = let
port = "${builtins.toString config.services.authelia.instances.default.settings.server.port}";
path = "${config.services.authelia.instances.default.settings.server.path}";
in ''
redir /hedgedoc* https://hedgedoc.${config.services.ddclientovh.domain}
redir /hedgedoc* https://hedgedoc.${domain}
respond "Hi!"
'';
};
virtualHosts."hedgedoc.${config.services.ddclientovh.domain}" = {
virtualHosts."hedgedoc.${domain}" = {
extraConfig = ''
reverse_proxy http://[::1]:3000
'';
};
virtualHosts."authelia.${config.services.ddclientovh.domain}" = {
virtualHosts."authelia.${domain}" = {
extraConfig = ''
reverse_proxy http://127.0.0.1:${builtins.toString config.services.authelia.instances.default.settings.server.port}
'';
};
virtualHosts."lldap.${config.services.ddclientovh.domain}" = {
virtualHosts."lldap.${domain}" = {
extraConfig = ''
reverse_proxy http://127.0.0.1:${builtins.toString config.services.lldap.settings.http_port}
'';
@ -68,7 +65,7 @@
services.hedgedoc = {
enable = true;
settings = {
domain = "hedgedoc.${config.services.ddclientovh.domain}";
domain = "hedgedoc.${domain}";
urlPath = "";
protocolUseSSL = true;
db = {
@ -185,7 +182,7 @@
verbose = true;
ldap_base_dn = "dc=stefanjunker,dc=de";
http_url = "https://lldap.${config.services.ddclientovh.domain}";
http_url = "https://lldap.${domain}";
## Options to configure SMTP parameters, to send password reset emails.
## To set these options from environment variables, use the following format

1
nix/os/devices/router0-dmz0/.gitignore vendored Normal file
View file

@ -0,0 +1 @@
result

524
nix/os/devices/router0-dmz0/configuration.nix Normal file
View file

@ -0,0 +1,524 @@
{
modulesPath,
repoFlake,
packages',
pkgs,
lib,
config,
nodeFlake,
nodeName,
system,
...
}: let
inherit
(nodeFlake.inputs)
bpir3
nixos-nftables-firewall
;
in {
disabledModules = [
# "services/networking/hostapd.nix"
];
imports = [
# nodeFlake.inputs.disko.nixosModules.disko
repoFlake.inputs.sops-nix.nixosModules.sops
../../profiles/common/user.nix
"${bpir3}/lib/sd-image-mt7986.nix"
nixos-nftables-firewall.nixosModules.default
# TODO
# ./network.nix
# ./monitoring.nix
{
services.openssh.enable = true;
services.openssh.settings.PermitRootLogin = "yes";
users.commonUsers = {
enable = true;
enableNonRoot = false;
rootPasswordFile = config.sops.secrets.passwords-root.path;
};
sops.secrets.passwords-root = {
sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
neededForUsers = true;
format = "yaml";
};
}
];
# sops.secrets.ssh_host_ed25519_key = {
# sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
# format = "yaml";
# path = "/etc/ssh/ssh_host_ed25519_key";
# mode = "0600";
# };
# sops.secrets.ssh_host_ed25519_key_pub = {
# sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
# format = "yaml";
# path = "/etc/ssh/ssh_host_ed25519_key.pub";
# mode = "0600";
# };
# sops.secrets.ssh_host_rsa_key = {
# sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
# format = "yaml";
# path = "/etc/ssh/ssh_host_rsa_key";
# mode = "0600";
# };
# sops.secrets.ssh_host_rsa_key_pub = {
# sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
# format = "yaml";
# path = "/etc/ssh/ssh_host_rsa_key.pub";
# mode = "0644";
# };
boot = {
kernel = {
sysctl = {
"net.ipv4.conf.all.forwarding" = true;
"net.ipv6.conf.all.forwarding" = true;
};
};
};
networking = {
hostName = nodeName;
useNetworkd = true;
useDHCP = false;
# No local firewall.
nat.enable = lib.mkForce false;
firewall.enable = lib.mkForce false;
# Use the nftables firewall instead of the base nixos scripted rules.
# This flake provides a similar utility to the base nixos scripting.
# https://github.com/thelegy/nixos-nftables-firewall/tree/main
nftables = {
enable = true;
stopRuleset = "";
firewall = {
enable = true;
zones = {
lan.interfaces = ["br-lan"];
wan.interfaces = ["wan"];
};
rules = {
lan = {
from = ["lan"];
to = ["fw"];
verdict = "accept";
};
outbound = {
from = ["lan"];
to = ["lan" "wan"];
verdict = "accept";
};
nat = {
from = ["lan"];
to = ["wan"];
masquerade = true;
};
incoming-wan = {
from = ["wan"];
to = ["fw"];
verdict = "drop";
};
};
};
};
};
systemd.network = {
wait-online.anyInterface = true;
netdevs = {
# Create the bridge interface
"20-br-lan" = {
netdevConfig = {
Kind = "bridge";
Name = "br-lan";
};
};
};
networks = {
# Connect the bridge ports to the bridge
"30-lan0" = {
matchConfig.Name = "lan0";
networkConfig = {
Bridge = "br-lan";
ConfigureWithoutCarrier = true;
};
linkConfig.RequiredForOnline = "enslaved";
};
"30-lan1" = {
matchConfig.Name = "lan1";
networkConfig = {
Bridge = "br-lan";
ConfigureWithoutCarrier = true;
};
linkConfig.RequiredForOnline = "enslaved";
};
"30-lan2" = {
matchConfig.Name = "lan2";
networkConfig = {
Bridge = "br-lan";
ConfigureWithoutCarrier = true;
};
linkConfig.RequiredForOnline = "enslaved";
};
"30-lan3" = {
matchConfig.Name = "lan3";
networkConfig = {
Bridge = "br-lan";
ConfigureWithoutCarrier = true;
};
linkConfig.RequiredForOnline = "enslaved";
};
# Configure the bridge for its desired function
"40-br-lan" = {
matchConfig.Name = "br-lan";
bridgeConfig = {};
address = [
"192.168.10.1/24"
];
networkConfig = {
ConfigureWithoutCarrier = true;
};
# Don't wait for it as it also would wait for wlan and DFS which takes around 5 min
linkConfig.RequiredForOnline = "no";
};
"10-wan" = {
matchConfig.Name = "wan";
networkConfig = {
# start a DHCP Client for IPv4 Addressing/Routing
DHCP = "ipv4";
# accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
IPv6AcceptRA = true;
DNSOverTLS = true;
DNSSEC = true;
IPv6PrivacyExtensions = false;
IPForward = true;
};
# make routing on this interface a dependency for network-online.target
linkConfig.RequiredForOnline = "routable";
};
};
};
# wireless access point
services.hostapd = {
enable = true;
radios = {
wlan0 = {
band = "2g";
countryCode = "CH";
channel = 0; # ACS
# use 'iw phy#1 info' to determine your VHT capabilities
wifi4 = {
enable = true;
capabilities = ["HT40+" "LDPC" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935"];
};
networks = {
wlan0 = {
ssid = "justtestingwifi-wpa3";
authentication = {
mode = "wpa3-sae";
# saePasswordsFile = config.sops.secrets.wifiPassword.path;
saePasswords = [
{password = "justtestingwifi";}
];
};
# generated with https://miniwebtool.com/mac-address-generator/
bssid = "34:56:ce:0f:ed:40";
settings = {
bridge = "br-lan";
};
};
wlan0-1 = {
ssid = "justtestingwifi-compat";
authentication = {
mode = "wpa3-sae-transition";
# saePasswordsFile = config.sops.secrets.wifiPassword.path;
saePasswords = [
{password = "justtestingwifi";}
];
wpaPassword = "justtestingwifi";
};
# generated with https://miniwebtool.com/mac-address-generator/
bssid = "34:56:ce:0f:ed:41";
settings = {
bridge = "br-lan";
};
};
# Uncomment when needed otherwise remove
# wlan0-1 = {
# ssid = "koteczkowo3";
# authentication = {
# mode = "none"; # this is overriden by settings
# };
# managementFrameProtection = "optional";
# bssid = "e6:02:43:07:00:00";
# settings = {
# bridge = "br-lan";
# wpa = lib.mkForce 2;
# wpa_key_mgmt = "WPA-PSK";
# wpa_pairwise = "CCMP";
# wpa_psk_file = config.sops.secrets.legacyWifiPassword.path;
# };
# };
};
};
# wlan1 = {
# band = "5g";
# # channels with 160 MHz width in Poland: 36, 52, 100 i 116
# channel = 0; # ACS
# countryCode = "PL";
# # use 'iw phy#1 info' to determine your VHT capabilities
# wifi4 = {
# enable = true;
# capabilities = ["HT40+" "LDPC" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935"];
# };
# wifi5 = {
# enable = true;
# operatingChannelWidth = "160";
# capabilities = ["RXLDPC" "SHORT-GI-80" "SHORT-GI-160" "TX-STBC-2BY1" "SU-BEAMFORMER" "SU-BEAMFORMEE" "MU-BEAMFORMER" "MU-BEAMFORMEE" "RX-ANTENNA-PATTERN" "TX-ANTENNA-PATTERN" "RX-STBC-1" "SOUNDING-DIMENSION-4" "BF-ANTENNA-4" "VHT160" "MAX-MPDU-11454" "MAX-A-MPDU-LEN-EXP7"];
# };
# wifi6 = {
# enable = true;
# singleUserBeamformer = true;
# singleUserBeamformee = true;
# multiUserBeamformer = true;
# operatingChannelWidth = "160";
# };
# settings = {
# # these two are mandatory for wifi 5 & 6 to work
# vht_oper_centr_freq_seg0_idx = 50;
# he_oper_centr_freq_seg0_idx = 50;
# # The "tx_queue_data2_burst" parameter in Linux refers to the burst size for
# # transmitting data packets from the second data queue of a network interface.
# # It determines the number of packets that can be sent in a burst.
# # Adjusting this parameter can impact network throughput and latency.
# tx_queue_data2_burst = 2;
# # The "he_bss_color" parameter in Wi-Fi 6 (802.11ax) refers to the BSS Color field in the HE (High Efficiency) MAC header.
# # BSS Color is a mechanism introduced in Wi-Fi 6 to mitigate interference and improve network efficiency in dense deployment scenarios.
# # It allows multiple overlapping Basic Service Sets (BSS) to differentiate and coexist in the same area without causing excessive interference.
# he_bss_color = 63; # was set to 128 by openwrt but range of possible values in 2.10 is 1-63
# # Magic values that were set by openwrt but I didn't bother inspecting every single one
# he_spr_sr_control = 3;
# he_default_pe_duration = 4;
# he_rts_threshold = 1023;
# he_mu_edca_qos_info_param_count = 0;
# he_mu_edca_qos_info_q_ack = 0;
# he_mu_edca_qos_info_queue_request = 0;
# he_mu_edca_qos_info_txop_request = 0;
# # he_mu_edca_ac_be_aci=0; missing in 2.10
# he_mu_edca_ac_be_aifsn = 8;
# he_mu_edca_ac_be_ecwmin = 9;
# he_mu_edca_ac_be_ecwmax = 10;
# he_mu_edca_ac_be_timer = 255;
# he_mu_edca_ac_bk_aifsn = 15;
# he_mu_edca_ac_bk_aci = 1;
# he_mu_edca_ac_bk_ecwmin = 9;
# he_mu_edca_ac_bk_ecwmax = 10;
# he_mu_edca_ac_bk_timer = 255;
# he_mu_edca_ac_vi_ecwmin = 5;
# he_mu_edca_ac_vi_ecwmax = 7;
# he_mu_edca_ac_vi_aifsn = 5;
# he_mu_edca_ac_vi_aci = 2;
# he_mu_edca_ac_vi_timer = 255;
# he_mu_edca_ac_vo_aifsn = 5;
# he_mu_edca_ac_vo_aci = 3;
# he_mu_edca_ac_vo_ecwmin = 5;
# he_mu_edca_ac_vo_ecwmax = 7;
# he_mu_edca_ac_vo_timer = 255;
# };
# networks = {
# wlan1 = {
# ssid = "koteczkowo5";
# authentication = {
# mode = "wpa3-sae";
# saePasswordsFile = config.sops.secrets.wifiPassword.path; # Use saePasswordsFile if possible.
# };
# bssid = "36:b9:02:21:08:a2";
# settings = {
# bridge = "br-lan";
# };
# };
# };
# };
};
};
services.resolved.enable = false;
services.dnsmasq = {
enable = true;
settings = {
# upstream DNS servers
server = ["9.9.9.9" "8.8.8.8" "1.1.1.1"];
# sensible behaviours
domain-needed = true;
bogus-priv = true;
no-resolv = true;
dhcp-range = ["br-lan,192.168.10.50,192.168.10.254,24h"];
interface = "br-lan";
dhcp-host = "192.168.10.1";
# local domains
local = "/lan/";
domain = "lan";
expand-hosts = true;
# don't use /etc/hosts as this would advertise surfer as localhost
no-hosts = true;
address = "/surfer.lan/192.168.10.1";
};
};
# The service irqbalance is useful as it assigns certain IRQ calls to specific CPUs instead of letting the first CPU core to handle everything. This is supposed to increase performance by hitting CPU cache more often.
services.irqbalance.enable = true;
# disko.devices = {
# disk = {
# nvme0n1 = {
# device = "/dev/nvme0n1";
# type = "disk";
# content = {
# type = "table";
# format = "gpt";
# partitions = [
# {
# name = "var-log";
# start = "1MiB";
# end = "20G";
# content = {
# type = "filesystem";
# format = "ext4";
# mountpoint = "/var/log";
# };
# }
# {
# name = "tmp";
# start = "20G";
# end = "60G";
# content = {
# type = "filesystem";
# format = "ext4";
# mountpoint = "/tmp";
# };
# }
# {
# name = "var";
# start = "60G";
# end = "100G";
# content = {
# type = "filesystem";
# format = "ext4";
# mountpoint = "/var";
# };
# }
# {
# name = "swap";
# start = "100G";
# end = "100%";
# content = {
# type = "swap";
# randomEncryption = false;
# };
# }
# ];
# };
# };
# };
# };
system.stateVersion = "23.05";
boot.kernelPackages = pkgs.linuxPackages_bpir3;
# boot.kernelPackages = bpir3.packages.aarch64-linux.linuxPackages_bpir3;
# We exclude a number of modules included in the default list. A non-insignificant amount do
# not apply to embedded hardware like this, so simply skip the defaults.
#
# Custom kernel is required as a lot of MTK components misbehave when built as modules.
# They fail to load properly, leaving the system without working ethernet, they'll oops on
# remove. MTK-DSA parts and PCIe were observed to do this.
boot.initrd.includeDefaultModules = false;
boot.initrd.kernelModules = ["rfkill" "cfg80211" "mt7915e"];
boot.initrd.availableKernelModules = ["nvme"];
boot.kernelParams = ["console=ttyS0,115200"];
hardware.enableRedistributableFirmware = true;
# Wireless hardware exists, regulatory database is essential.
hardware.wirelessRegulatoryDatabase = true;
# Extlinux compatible with custom uboot patches in this repo, which also provide unique
# MAC addresses instead of the non-unique one that gets used by a lot of MTK devices...
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
# Known to work with u-boot; bz2, lzma, and lz4 should be safe too, need to test.
boot.initrd.compressor = "gzip";
hardware.deviceTree.filter = "mt7986a-bananapi-bpi-r3.dtb";
hardware.deviceTree.overlays = [
{
name = "bpir3-sd-enable";
dtsFile = "${bpir3}/bpir3-dts/mt7986a-bananapi-bpi-r3-sd.dts";
}
{
name = "bpir3-nand-enable";
dtsFile = "${bpir3}/bpir3-dts/mt7986a-bananapi-bpi-r3-nand.dts";
}
{
name = "bpi-r3 wifi training data";
dtsFile = "${bpir3}/bpir3-dts/mt7986a-bananapi-bpi-r3-wirless.dts";
}
{
name = "reset button disable";
dtsFile = "${bpir3}/bpir3-dts/mt7986a-bananapi-bpi-r3-pcie-button.dts";
}
{
name = "mt7986a efuses";
dtsFile = "${bpir3}/bpir3-dts/mt7986a-efuse-device-tree-node.dts";
}
];
boot.initrd.preDeviceCommands = ''
if [ ! -d /sys/bus/pci/devices/0000:01:00.0 ]; then
if [ -d /sys/bus/pci/devices/0000:00:00.0 ]; then
# Remove PCI bridge, then rescan. NVMe init crashes if PCI bridge not removed first
echo 1 > /sys/bus/pci/devices/0000:00:00.0/remove
# Rescan brings PCI root back and brings the NVMe device in.
echo 1 > /sys/bus/pci/rescan
else
info "PCIe bridge missing"
fi
fi
'';
environment.systemPackages = [
pkgs.ethtool
];
}

39
nix/os/devices/router0-dmz0/default.nix Normal file
View file

@ -0,0 +1,39 @@
{
nodeName,
repoFlake,
nodeFlake,
...
}: let
system = "aarch64-linux";
in {
meta.nodeSpecialArgs.${nodeName} = {
inherit repoFlake nodeName nodeFlake system;
packages' = repoFlake.packages.${system};
inherit
(nodeFlake.inputs.bpir3.packages.${system})
armTrustedFirmwareMT7986
;
};
meta.nodeNixpkgs.${nodeName} =
import nodeFlake.inputs.nixpkgs.outPath
{
inherit system;
};
${nodeName} = {
deployment.targetHost = "router0.dmz0.noosphere.life";
deployment.replaceUnknownProfiles = true;
# nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system};
imports = [
nodeFlake.inputs.home-manager.nixosModules.home-manager
./configuration.nix
];
networking.hostName = nodeName;
};
}

205
nix/os/devices/router0-dmz0/flake.lock generated Normal file
View file

@ -0,0 +1,205 @@
{
"nodes": {
"bpir3": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1688620001,
"narHash": "sha256-8ACxxssPiQy/lsUsT8cAaT2te8p8d8ngmPwTc/erPnU=",
"owner": "nakato",
"repo": "nixos-bpir3-example",
"rev": "4210480bdebbf3a7953e22d5d9f183f47b725bff",
"type": "github"
},
"original": {
"owner": "nakato",
"repo": "nixos-bpir3-example",
"type": "github"
}
},
"dependencyDagOfSubmodule": {
"inputs": {
"nixpkgs": [
"nixos-nftables-firewall",
"nixpkgs"
]
},
"locked": {
"lastModified": 1656615370,
"narHash": "sha256-IZDqz1aSySoqf1qtVQg+oJMHfC4IlT55Zoa7EkjvPug=",
"owner": "thelegy",
"repo": "nix-dependencyDagOfSubmodule",
"rev": "98eb563d80b35acafbfc1abb9ccee569c1efb19c",
"type": "github"
},
"original": {
"owner": "thelegy",
"repo": "nix-dependencyDagOfSubmodule",
"type": "github"
}
},
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1691743546,
"narHash": "sha256-nS2uWOeEmMgUBEMDCvwLlXBBCLkW7agDcMtOXuf9PDc=",
"owner": "nix-community",
"repo": "disko",
"rev": "241c878d4b542fea7c61ed4421e9224af054ff56",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"get-flake": {
"locked": {
"lastModified": 1673819588,
"narHash": "sha256-gRtwKAlu4htvS6dxyZnW3n+vMS1acqnMGVHqxUdETeY=",
"owner": "ursi",
"repo": "get-flake",
"rev": "e0917b6f564aa5acefb1484b5baf76da21746c3c",
"type": "github"
},
"original": {
"owner": "ursi",
"repo": "get-flake",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1691672736,
"narHash": "sha256-HNPA/dKHerA0p4OsToEcW/DtTSXBcK5gFRsy/yPgV/Y=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "6e1eff9aac0e8d84bda7f2d60ba6108eea9b7e79",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "master",
"repo": "home-manager",
"type": "github"
}
},
"nixos-nftables-firewall": {
"inputs": {
"dependencyDagOfSubmodule": "dependencyDagOfSubmodule",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1677020959,
"narHash": "sha256-r06isoyASAIoYH+zcbb8jescQyYq+AYNccVPUlzivDk=",
"owner": "thelegy",
"repo": "nixos-nftables-firewall",
"rev": "6cb25335de6f1fe0722f02573d0cfbaea4cd7ecf",
"type": "github"
},
"original": {
"owner": "thelegy",
"repo": "nixos-nftables-firewall",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1691654369,
"narHash": "sha256-gSILTEx1jRaJjwZxRlnu3ZwMn1FVNk80qlwiCX8kmpo=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "ce5e4a6ef2e59d89a971bc434ca8ca222b9c7f5e",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-master": {
"locked": {
"lastModified": 1691753935,
"narHash": "sha256-fjH5oZ0g8Cb0vrJ8TlS4B7kaVr7YmEdee64ueQ6arAo=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "650596759b8b38399a0c4d5e366847d190360e55",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "master",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1691703261,
"narHash": "sha256-jUzmIeh+F+XKkuEhfY+VRgbVitTOr5oh5Oi5p5kr9tQ=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "079f7bd05bf72641e3b5904ed891d44d21ea90ed",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable-small",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"bpir3": "bpir3",
"disko": "disko",
"get-flake": "get-flake",
"home-manager": "home-manager",
"nixos-nftables-firewall": "nixos-nftables-firewall",
"nixpkgs": "nixpkgs",
"nixpkgs-master": "nixpkgs-master",
"nixpkgs-unstable": "nixpkgs-unstable",
"srvos": "srvos"
}
},
"srvos": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1691630941,
"narHash": "sha256-4+KVSa32impg0aBqXVEEty8uu3Urb64CjmseDkETofg=",
"owner": "numtide",
"repo": "srvos",
"rev": "b7407c2dc143402de6f140575398020175f3ae1a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "srvos",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

93
nix/os/devices/router0-dmz0/flake.nix Normal file
View file

@ -0,0 +1,93 @@
{
inputs = {
# nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small";
nixpkgs-master.url = "github:nixos/nixpkgs/master";
get-flake.url = "github:ursi/get-flake";
home-manager.url = "github:nix-community/home-manager/master";
home-manager.inputs.nixpkgs.follows = "nixpkgs";
disko.url = "github:nix-community/disko";
disko.inputs.nixpkgs.follows = "nixpkgs";
srvos.url = "github:numtide/srvos";
srvos.inputs.nixpkgs.follows = "nixpkgs";
bpir3.url = "github:nakato/nixos-bpir3-example";
bpir3.inputs.nixpkgs.follows = "nixpkgs";
nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall";
nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs";
};
# outputs = _: {};
outputs = {
self,
get-flake,
nixpkgs,
bpir3,
...
} @ attrs: let
system = "aarch64-linux";
nodeName = "router0-dmz0";
mkNixosConfiguration = {extraModules ? [], ...} @ attrs:
nixpkgs.lib.nixosSystem (
nixpkgs.lib.attrsets.recursiveUpdate
attrs
{
specialArgs = {
nodeFlake = self;
repoFlake = get-flake ../../../..;
inherit nodeName;
inherit
(bpir3.packages.${system})
armTrustedFirmwareMT7986
;
};
modules =
[
./configuration.nix
# flake registry
{
nix.registry.nixpkgs.flake = nixpkgs;
}
{
nixpkgs.overlays = [
(final: previous: let
bpir3Pkgs = previous.callPackage "${bpir3}/pkgs" {};
in {
inherit
(bpir3Pkgs)
linuxPackages_bpir3
;
})
];
}
]
++ extraModules;
}
);
in {
nixosConfigurations = {
native = mkNixosConfiguration {
inherit system;
};
cross = mkNixosConfiguration {
extraModules = [
{
nixpkgs.buildPlatform.system = "x86_64-linux";
nixpkgs.hostPlatform.system = system;
}
];
};
};
};
}

26
nix/os/devices/sj-vps-htz0/pkg.nix
View file

@ -1,26 +0,0 @@
{
config,
pkgs,
lib,
...
}: {
nixpkgs.config.packageOverrides = pkgs:
with pkgs; {
nixPath =
(import ../../../default.nix {
versionsPath = ./versions.nix;
})
.nixPath;
};
home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix {
inherit pkgs;
extraPackages = [
# required by vscode's remote-ssh plugin
pkgs.nodejs
# allow clipboard exchanges
pkgs.xsel
pkgs.xclip
];
};
}

4
nix/os/devices/steveej-t14/system.nix
View file

@ -132,4 +132,8 @@ in {
sopsFile = ../../../../secrets/zerotierone.txt;
format = "binary";
};
boot.binfmt.emulatedSystems = [
"aarch64-linux"
];
}

1
nix/os/lib/default.nix
View file

@ -19,6 +19,7 @@ in {
"video"
"cdrom"
"adbusers"
"dialout"
];
openssh.authorizedKeys.keys = keys.users.steveej.openssh;

25
nix/os/modules/ddclient-hetzner.nix
View file

@ -11,29 +11,4 @@ in {
domains = mkOption {type = types.listOf types.str;};
passwordFile = mkOption {type = types.path;};
};
config = lib.mkIf cfg.enable {
users.groups.ddclient = {};
users.users.ddclient = {
isSystemUser = true;
group = "ddclient";
};
services.ddclient = {
enable = cfg.enable;
verbose = true;
protocol = "hetzner";
# see https://github.com/ddclient/ddclient/blob/a4eab34ab4719d1e2146d8c9c4449b70dd7e0163/ddclient.in#L775
username = "token";
inherit (cfg) zone domains passwordFile;
extraConfig = ''
'';
};
systemd.services.ddclient.serviceConfig.User = config.users.users.ddclient.name;
systemd.services.ddclient.serviceConfig.Group = config.users.groups.ddclient.name;
};
}

11
nix/os/modules/ddclient-ovh.nix
View file

@ -9,15 +9,4 @@ in {
enable = mkEnableOption "Enable ddclient-ovh";
domain = mkOption {type = types.str;};
};
config = lib.mkIf cfg.enable {
services.ddclient = {
enable = true;
protocol = "dyndns2";
server = "www.ovh.com";
ssl = true;
domains = [cfg.domain];
use = "web";
};
};
}

4
nix/os/profiles/containers/configuration.nix
View file

@ -14,7 +14,7 @@
};
imports = [
../../modules/ddclient-ovh.nix
../../modules/ddclient-hetzner.nix
# ../../modules/ddclient-ovh.nix
# ../../modules/ddclient-hetzner.nix
];
}

41
secrets/router0-dmz0/secrets.yaml Normal file
View file

@ -0,0 +1,41 @@
#ENC[AES256_GCM,data:QydWKuMH8uixprFup1rEwvPkKAMw0yat9MOOK1DleeCJ5tqRqrPh9NiOpJs6nve8Rmji3WyrHAkUaK9zT/f8VKk=,iv:I6OHO6sLTtFBV6CYGmLh5owCrNjzS/LBjOjW9VovGlE=,tag:Vg0IZSFbYa7UQvuPpmMVKw==,type:comment]
passwords-root: ENC[AES256_GCM,data:+8IcZ4pbJ1qIjRCK7oycmgOVWy6hzc2oDISYMMqE9SmgRE//PQ5ABwtBtpaghrhZTXrUV2l3qsvTHD9UdYRNMB1VBlM6vn4Iug==,iv:2eUIa46QNby++yLK9dax/SD7Ajtj+U0ptheRuKV9r+g=,tag:5tA5rhm1eztDh7Q4d+C1BQ==,type:str]
ssh_host_ed25519_key: ENC[AES256_GCM,data:XQjTqNADLhisxPBIJ7x0bs3qgQk0u4q9HKSDukRbzel7hUiDqc6ELQAvffRqJQUtAS5Cfz9PzVcnyEA4wapvK7RLFavOmaN2MhcnQR24oQks5RVYmlvcems02Qovd15iE07XR4KCDcmQ5/XM5v4/RxW2zYzV5Il67Vzhij2wA9bJ7D3sbKUfyc6pBoIXvURbq6QO8ZMIU6ckAuOqG2230KwXLdz/ld0s3Ir1q/7t+rrrS7BPkeA+SRdYhb5XDOTKtfgFxNvdI6DSETV+q67xAalAkM/cZ2rqHJQd+wgH2VIPyiGqeq6LvPT0vmopFJn0CqQA2HauQAmBNIAtXel8GbK+qA11XilMx+hp6qhVH+BnSWWY3GriGfaGlpUZ0E7uymqRkpRwBcHmZto6E/E/XUxBfISVyJf/2RcTy10RelWLJtNuaXT2eHgXmZ/uAlcTGlCYYirr5g3iAGUoqxYbWlZb9SdqVO/0PLCZo7AkDWxk57wer/lHOG59ZpoiZnanaMIaNqJ7Tsslvvm0JuoP,iv:2U5IpWTRyQ8basBRoYpFe6Ycc5qdeCUAUTwlEHttRJU=,tag:jA0mFsMxWKq7dnkGQWNP9Q==,type:str]
ssh_host_ed25519_key_pub: ENC[AES256_GCM,data:MQ0q/I6clKNz6uzoztGA06vOjIbpK6Dsf3WbgddRA0B8nEJ4EUmRBT0KkX3o+LZmQPhmURHWWFtOSqvAzkyoxAoBZEh98H3IDsLE5PgcNbxK3dAh36+AAMPLzVFnHLyaWLQW,iv:9XIw29PkSHCeU7C2GuSJ+J+mBrwOrbSMmm7kOtCkiyI=,tag:x3JqFF08f2eVfOrrQ1gzYw==,type:str]
ssh_host_rsa_key: ENC[AES256_GCM,data:tFGQ77X5Y1TRR2F0EJ4hmauE9ABILP6V0CSmzb1QLaH6VlhriXSE1UQcQ2Rc73CR7+JLjLbggL7RKpkA8gJQq/ubhiXHJokBEo6rfBXETVepv0HlyX5UvzWhi6iKBE5YsYyyBI1VWDcx+oTR8+daqnKwbbqPeDUpC2coT3S9svEsKXeb3YOMxJ9X/Rvh96UtMmlk7WeZa2JvOP3k62HROVo8QRYXeQWTO87TCzVdU7OWnbRIuC6bu+32Uy70AsIu39fazX7WqIUxaeO/oNHsay0/TBXKNu2El0JRG8tHCHdXe1tahniGbGH5xeEZmgLTOjHntw5UIdxZbgvcbxmt9seDXUxjhhEMS8eHWaxnRDSI7n2KOb/3UaBQ3BHnYpuRjW++uFBgRHxxANlYfpfEdz/LNexdPb9+QCw80r38uZxP8yD5/PxFV/Y+gSX+WnNE0YQnBDtHFjKhHpqpm2P4Ek3hLzjXh6CPzUZru6LAO/FklcLCGaq94fDC5wW3K0x1UvyfMjBwwyeSymcV95YcZu8Ty280jRhG8l719KkEJjnBdnB25PQ5gEwc34dG5xH5HwVUDPIM9v9m+cXtldUIk3BH4PiTEI1aZsZx50BtBhxybAxhTqNElrP+/2W73muTSQboDIB1Xb2NhArLB6XnnVhVUD/Pg/9wiDUY0mYyr0eIp9AmBfSmSIDjFyVUB9o+gv/B+LpxwxPKmsPt3MRKWoZw+bIGTI82UqBv0eX6Xqq71H4DYFnJ3J+n+Jzp5ww5mSPPHffZZFSBbZSpTk8El4L5II/hyyxk7yJopt19AAsw+UgLJDO31XnyiGAEbbDdwjuCWQMmuzKJ6H7c7UGDXLO92jAlXwEWT5fwzG6Wvu5+n/OToz3CN1Cv40uwVb/fOqmzep9hoOrXeuzmnGULfGmwItjuJoMkfmPUq8obAuj5ml0YduU2eLbe15OlD2Vg2I+BH0WuCPYnnCrLyX8ixhJEuGGDkhGhaKMHaMjNuMOGmDQ6oRCVU8BA/zDgnF/GrcHgIe742Yh68PyaH2j+iX6/5YvUB+R1sDnrgfXlgET1V+nny+fD4GBnP+RKYtdGG0P4y3AYlACQE9sJ6Nkb8CTVb2Va6L3rXzeyJG2FtYkUKxxwDUv/KyieclHiJpdawunOLVkmI6p/iaZIThrdGA5p7b01/WOyJFA9aI3oU2f2rMYBLGHYirrRs3WtS7ExhKriHpgax574UIcW0mecFto9dHkGlBOTQy+Zp1GARnePXKZcyKm2qhTIjw0ho/DUe3+t1knbR6WJCwl1LDtfpPD2KPDDH+HpHm3EoiA1mDSp6lYMVxwBr2eBmFPKuPkkAL/3Bf6SKlEp1UCDee7BPlzS9kwmIEt/EuIohbMDdyaHtulW31Hdrsai8fCxc7AAzgsmoMBp2Smwoe3C8K5K8RaNp6v4boY8WBH3rLjAFTmOPB7TiZfplQjV8triZS3JFopNjvCglfZSXxSs+RjZUgSgL/1fFLT2m0Mp1XPMvGZlD73TzJ5RH5WWlxliaau42Q4vXRFUK+ZFx0SvwOO5xZvRNtAOfipEoqscKOopV+HHl74DJEk/xLibWJmkEBqoVbf1BFDUAiRSSb/0RdfCAGaj1mqV68szVtLt3jB1AJm9iu9RNU047HHQeOi++8g6lOpHmhsksfQLAucLVtLTrXpHDEAugDbSXrwPkhWa2Ej+Iva1p2vteIExcT+8h3WiXkamDBZALpJcLkDSazgAmmrB+6u6odsyin9Z5zB55EN2iz24nGNgyylt9FehC4/2SNHMX42hZ/JPQw51+vZQLoLQv+oOJAVXGBHeDy3kDl60fL6Fr5jZ0YOfO+rFGk4bDpXYjq27ahLv763tVs8SrgMseNWNWTakZUAXuYPbP3GBFEjTPHM4216WABj2cC3zSmrnbEyNRMWTdsm46ASZvhZo4wO8eTrndvy44Q2UKOFOh1sYCY4jjCWCI74pEV3rRcBJASuUipep65ZwXOlFOXu7uiaG01/KWofn4JzzrlX3MfhKsUBaEDTUXwDGw0RAEHQXb3rvfiIjCQBcpy8kM1fBR97K5LFJzZ2/qf2bPGs0yxma1O0Z6TT/2Uk2n62jK2xIM7gvTjPOVDP2etHKVxMpMjhTAbRj4K3568HZM/POBC5AORLAtBAo14CNxRMN8f05Gs13wn9ZI+pqiaOpTTnfH1xL9fd/6I03utzMKnoR8IVhrQLDLT6OAIkdeJX8s99R/J/nTOApk3XACWqjmMTcWtwt6g3x2iTk/1jTTn70rYVr8JLHHCt+bd5H/eDUiq9HpG1oFEZPXuvgATOovru0YVtmVx+yea0jWpJOsK+/SZjYAfvAKh0ZNr8dKHug/gGEpp6SfFBI+c4ywR1kM83OUHLaI/dOU9rLeCKktB+UcvTPoLhHLbTAlTrizeRmYY16Z1a+47LvwX944js3TZZkxqylz73cekWidYiiLNbiHwACftOK/GwZCG0WrVfcSi6pJYDgPgbcqFohaKI7ltKZgTlHGT1mZr1IH1RnauZmN/MkBEKVHO3E/PFgKkWNcXQi4uV2P3j8aHHc0RJrxx7qAFFXCYEwu02pv9nmul/HClLMmDYHDY1lHZvIIyPcsmr1ZkCFRV4UtnZRtXhHNAZCGFRX+y5HQXnubjPmV5I2R/gcLLi//2vIE6V2i8SpEJZlVweLpjRYwb6H6xFTuvHN+9Y5pd3rFx2BapR0AzYdOXUVqKF5ewrfE/1iitsEeDJj8OqmNzpmLBrnROnPyPh/+KGWBG5Nm4QKVMhP7XN1F+Fr7sTxw1ignXsfSwH8v/ELMzxVLu3ijWxvmk3/eOsrKYB/x3h6I1SFWZUoTjVPAmlNAnYl90Xf+FMPiII11+zrYwsJbCh25gmSvtKR+hmoTxXbJ2w5E2cFoVHMBOmS8Uo8L0BDOUzUE64cPl/v119BafVUOohLF1l3Ob19td+sMvqX8OHLGgB+/r6jKmUPnNNEzbDAogMydcVVjtPRIoDScw4ExxuxILN4/V+VulyAgU29OvFWS6+r5Y+bjqgqMg55Of0le3HUqt65qMuqiaUR5P/9WP+H666GsYTSg5I5gPJv0FF6tqXCWE9mpQ4sk2/BiWWaNeojxyhyH/cv4fbUmcee6K3+P+liXyFGGAWdBP5uGb+BzIfSaXVN3xEBPWAAe+BMkJrxbc6FSS12Wkh+bLM+NJH7XaoDl6+8LtF3bstsCoXvQgNlXHlbt4/aIIFEBShlYSQwLMDcey1VB4pu4SBv2HXwaX9zXPd+MGH77DeQU4yBkrElly51/68yzdSGpe6mNFy57Hc3UJBW1pNbds5Gxu+jFbQ6Phxvn38u9V8cphjxzgig0uZjkKHYx0EwFjBqmfrP0hQDnpcyg5QCPhnXOthmVL4jkJs3OrRHhoYRgbXpaVRMpVMLFeeSqcQABaRK5ibpB81WP8yCJPIMsbWW7sDTCiIyLq6qW5pKNq8/l3sq042+6bJgJ3CfDYdNKJCTF/09F5JKkpXeIxL4MGqvg5nOoyiahDQsUzMT3dwGg7IWqxQidcJ576XSBkR2qNwUrl6qq87JP+Zo3RJbA5bpPubm6sUonWE3hRGg4LWceVBO34J/wutWVt4W7dXnK5WVhJv8UHJcbgWR9dMpWkbeMpakqlRRLOTibztMFkx3xyIMmZS+cNyhRyatw+DwX/opuY+bl8X4yKgNOuW/w6r06r4MrL78MTjqZDQ4xkCSL3x3KWr2Tf4lAX6sdwKTzdBdzvFuLeuijngrvRYRyk/3jk/o4ujfHMdrergMjlP5Js7ICZSLhXHHOc2Hc5oPaBIx59r6FynA+W6ROmk5kVF2BNkRlP6/oV5Apn3MMUnDc4YjHaowt8UVkIHZOEL8hxymYDR4g9y1wOoIwKCorBQa5jsXH+AEop3hlsv4uqzrrcGGQhfQEW0Vb1fG4N0VAyWEodaw7wOY3XCrW7yHjIgRM3Is+juT7jMeACW+OQuvQHTS/9bc9n9sXjjVwsvoHROLxsXMFO9HablXaEKzFL1oGXpnavYf/MuZMwALsPish2Mmj9fONNMBo1yYy/j+8GzHCqByDS1ZPnlzPQD0ztGNwNfOOhNOqamqaE9GNHv92yQIf/KKGhnjFH/I9IlzA28eaaSVql/1vdhRAI2G1WxpgyQ1ryRPLYHA/Qw9OYrb+jIxHj9uqfohShgIqnv6TCXRmByfyU6Te3oqKLyezKj7tPCqv1la1ostycmE4msAs4EI7pe1OZcRulPkUJrZCPkvo+EYTw8AfGmwHFb5foQ4wk8pkjTvo1zHmjy0GjMAZpcmDHfyHAyoaED6DUKAHRBbMdSqQJWmzhHkzn5oRCR6UlWSyxRZ1wBIKn+T+kcn28XiLlJrJVK3n2CQkE1c3EfFemnimo0Yc9yNQZygfZjr2W2TnmtAZ5jHiMmv7E8CPxBQBd/pf29z/uAEwQIqVFSHxkVaVjHW5wlhfWwOuj0xZFly,iv:mXE8xpXFBYSJce9pg+g3OedMS9+ZHOHHwydCY0NbGRQ=,tag:cEqbUu9Y1PFKXwaeqioXWA==,type:str]
ssh_host_rsa_key_pub: ENC[AES256_GCM,data:N60bGf/6KNRhVUq1EIbPVo3aBDDKEpMBr5+Gt3+FMPt3uQEaKk8jBg5mOdxWMTPoLg1ZP/Pme8afoM+Skc0b50WnpErF3Ox1w+4eM0oMJYOhIvHLGURNM3Dba5MgA7YfhPdTsVdjD2yks2vYqhdtEvzTTgCJbFimVJlp+wDqE6czPgMjD03c7oJDtv38OBtc1vRMzVw3cIuyxz2yNnXQxiMgTR6pZN7+Brami2dfXOHEVgymmlU5PRE8Ykerq2fB36N5uqu4/xSPaHaM+/f2OA/TLlYYB+sGMDExZfbO/vsiRBLvTY/f4KG2mEkmH+IFH1bk6UF47xTFEe8tHN/TlLo+9OmjZTph221ZYnOsIqBY+F822ctZEe8Ikz9Ti4F1ApvxxRcWHajbgQnDJdDiHJvt3OHal4rNBtYwxxV/MDZtvKSVxmFwgx7nwNP0oKhAigQkU7Mvp1q5p3dZsdbGCUeFm2S5/qIxWPfr7wg4xocLNSsLW1EpGo6A2RUXWIV+lPuZd9dNEjGC5zKKAgMI94is6MtMXgqlFqTcZuQ9hvhoVDcFhVSJylu8pzk9d/tKviwcd98jHAhdfGpnc9eJbtyBU6/HvxLzQpsbFjwa3LGirEdtgxRZn2nJx++0U6XuLcbGwjOVAhkde6g2vFv5hsC6KaZQcp4AFvMvEdJyrnb0b2TOeOD8zEljb8u2q/eexCRSjGpobEINwu5qV+tF9eHIJ1YFzhCSmmLGKXjc7bC8uv5ffl39JmAbUrffd18zqae+Xpijd+QzwF425NG9+PksAt+PPzt4SDgGfKBIpMNFxIb18oo88z4YDLuNzRy/HVF90JV0LlAxES4ZOxoWUjJPrR6dGxNRANYOyFGmoN+yG3B9kd1NRGRNGh5P9EtZBxlPIi24djzF1n4GQSW1NFDgoGcxaXhk0PlpPxwuHK0X9FkFDDzQUYNBhx7py+hev5rBUCs7Yhj5xgcM88fdLRZi8MulNws=,iv:8c3hDcJ8wzTugmJ3Mhzx/qEXnnlpFefBmRTG/MqyeEg=,tag:uSz6+CYu9uQa0C2DXnHPUA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6NDRCejdyRzY4Q3RwY3Nk
REV5RklTUWluQzVZZ3V0VUdKTnF3TFRzTUVFCnZxUXRaRlJXSWRqVWZwNG55OW5P
T1RHT0xXaDc0bkFCNHZQdW53aWpZMHcKLS0tIDVIWTM4VjN0UXdxK3ptOEtMWG1r
THRNR0tEUzhPdFFhWWxvZlpKYmZKM2MKxc5s1jsci8jPOrvZAoofVNvHT4o9P6yv
J8rALQQXgql6obK51Q/Doyzvo1RJ0T7epiWEAZm5B3vDrf6KqbWBYw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-08-11T16:46:38Z"
mac: ENC[AES256_GCM,data:W9aRsPPRKro6rGbNvBV8bftPklQn6LN6Lq+G45vYTVRZs5t0F1qFqUpXDXKTrZ040mkYnECi7JSRWeJvyfGqHK5KPY1uWtBxDoghYfO/J7VXBNv+NbROO4KoAKYAoOpZSECVqXgm6U69G1GGu8yyrDPDFAcfbFXivXqH+e7t42A=,iv:uUndgDmUHBYCKvb2LHC9zRp+eBwcy6107ocaJFniV6o=,tag:VGKODnvz107hvEoCT0risw==,type:str]
pgp:
- created_at: "2023-08-11T16:15:11Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcBMA0SHG/zF3227AQf+LuGZY70bnoWRAzpxCJnxtf0UfoYkIQoVGeHdnjJ5DTx+
NXtGN+gYTfuCUIf1lQRnd8FdQbDUSuHFmaDKFFts3SJR24ZO3N761Ye429FycMp3
pyx5RYs1qXYMilN/RLSnEqrsjOpnO21VpxuAxbe9HY5Wp0jLDGdUvpdk2mQqqhx8
ZYFbEs9ZZHq568k9ELpJcudlNnvkZPoecMsFiAWP1oh7V0cSacfSUJiqXA2/Ug1a
8vweej2pwJ6kaoLIFqjD6qI2rKNtSC+woHD517kldLr6BMetNNc/gEiyat2zOGRB
596SIBBf3eCvXCHSMJDtOWsT977CUO2pz+DPTmdqMtJRAbbz9Ks22jtPViAFZDzY
pyDwCuX2hTJ2c7r3KA0o7lG4pfvfLkOqXXcV3SnSBvYy4fuhLp2Id+1GWCOD0o1O
v5QlxcXSMuOeGygclwHdxzs+
=NQjH
-----END PGP MESSAGE-----
fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
unencrypted_suffix: _unencrypted
version: 3.7.3

95
secrets/shared-users.yaml
View file

@ -16,64 +16,73 @@ sops:
- recipient: age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1RUdSYmxFdXI2R25OZ0ov
TlEwOStVeUxkbE1sbTJWZG5VZFRPNkNOeWlnCm0xMWFCdm4zMjVlcjB1ZXFZVVho
TCtVYW84WGh2ZmdsWHBlUFJVcm8vZFkKLS0tIGFYaWptakozYVVvQ0ZmbUFjMFR3
b0VBVTV3R2tlckJLQzlvWFVKK1h6aGsKCekGZ/RZ7nNa5yXHfgXGpSrh3J3C95mh
7YFgjgd9ey3BGNoMNxm5E++JzxBN0d2tY7sW/G6ub+kOJIt0rAEAkg==
-----END AGE ENCRYPTED FILE-----
- recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArYy9FL3pnNmdUa0VEdlV4
aFVNTkhGWTZJcUo0YTlORmdINGkxMTlVdHkwClVyakJoZTdxVlF6UTVBbm45d1Bo
RUl2S3BaU0NYYmtsSGhHWGxrWjVuemcKLS0tIHlqbXhXN0RUbm9sL09mbjhaSnBP
V0hQTUJuUnlOQ1hycDJ4RlY1aCtjOFEKuDt6KRxX7+yYIHxtD0prLdxJSlHwQtxH
8U/Q8hoE+L3lBFSE3+syMt1/pu5vHrreIOVTXAxSENsDxcE6noxQvA==
-----END AGE ENCRYPTED FILE-----
- recipient: age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDK080NlJKYkZyREFpc1JM
ZWxlV2Z5YjZRSnBFMy9CbUs2aHJkcjNVR2dJCjN5SXQzbWtiZlZBK0g0Y1ZPcHJK
cXRCTStRSG1lamUvOFBxSFViWmFVeW8KLS0tIDFUNlRkS2RLMGdULzhzdSt5Uk02
TjZZN1lFZ3g3YzVxQUlyQ1Y5S1NWeFEKGjqEPuxaUR/WQc+4OhUzLgtSCatVmtx+
q4Y/wC1eqUKJHzqIMa3qeWXwrGbf6ScL3s0bNc9sxvPmWQ3NLvjUfg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMVEs2NzlqWnExV28vOG9j
Zjc0QXgrc2M3SkkvS3dyL3QrSHFYa0JSRmhZCmZFd3EzcURSWmRvK3VIakQyNFhR
dWN0c1FqR09XSkFUV3pEOFpsRlZhVlUKLS0tIDVDb25JMUh3TkJYa0pTdDUrYnpl
R3RVdkdvVnhIc2ZKUldGYjlnMzdicHcKL0Bcw6N93/v32cqFuoalcdmTv8/MLs7f
9EgegS0+/xOriZmrwel6kNZlcoBR1JbC9qZO6s0D1B5nA1QLHnwvRw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3Uk9zWHJCY2dnamN1S1hU
ZWhoTkptaVArOGlHZ01Nd0ZkaGpFQ2dUU0hzCnR3WGtCVkJtSzlncVVhVU11K2d1
SVpHa1RXN1dWMDE4cExiV2ordkhTSTAKLS0tIFBkV3oyS2VVVU92b0hnRG1nQytW
QU5IR2FaVGswZkhIOWhzWGh4YmUyMk0KVJEFNmm57SSUreilhuzLofZIlnILnO7F
rWASlGDi4YSGquM3lEfdn5rwqqJ3d77hSeRQEnaGhnClDYSH3nzjZQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0MFg3TkhOY3hNZE9Uc1pF
OWJGWHh2cHJDUlhJUmVSMlFGR0lxSG1pcVRjCjZqMTdOTkJyT2N1QWdBOC9sbVo2
NnIvRUtqUTZkbFI3WGZJaHg5M01DUnMKLS0tIGY1eG44NHlSY2RPeVFWWlpaQ2w5
dGNsUHhEYjhkTVY1bFdpQmJMSzh5aVkKK6t7EUzhCUNjxl5dFXPezX53EVCworvn
NMaDqS5RgwQhILl04/eGyb5KcQksGQBdN5MacXX872BlOUeuWOez2g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBldnVDczdmVUd3OS9jTnpB
dDkrQS9JcUY5b3YxY0lzVFEyUTlPNk5rM1VVCk9qMzJHWitrY0pjU0NCMWI0ODhG
S29DL0tPNWtkTStPTWRZdzlQWFJsTWcKLS0tIDdWZ1lVejcyVW5mcTgyR3ZMWlJq
RTdBNkRINWN3MTZOSXdPMXovNDNSQUEKJZhJFN6zmdCtzoCdKiKfYQf4vU8AXRvz
wHnPO2H8SAMK8XqjdXvIrRK6iXQIjonHO2ilTDxAGNPAFN5BpbGrWQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkdXA0SllGSjZRMDhXajFK
REp4RzBjQ3pqYnRZLzRMb0NGQVJyeDJYa2dRCk4ydjFmU0pEazJaUTNDV2pKQUUr
cExrU09iTHFWdXB1UGJBcnRsd3VraGcKLS0tIHVid2dhUWpSN09uU0IwUVFBcmdM
OGxuOTZJR3JnVUFGbjczYzQwSGc1Sm8KhzJ0+4No3Z8sAshkEIj5/4Sz3rJxC7Ki
0VTPwftdnPcnOAhZ3z8xrZILeOPjzHwCC4N45vAvYbiNOXCr8VF5NA==
-----END AGE ENCRYPTED FILE-----
- recipient: age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiZEFoTWFWMHl0dkoycXU5
TmhYU3hCWENGMzRqdnZNckVhODhzUUFlcWpFCldBYkkveTBPSGkvSEVrUXRXcE5E
UnFkNnB4TjZBN2Z1ODZVOHlacHZkc0EKLS0tIEI3Vjhzb2FXU05aSTNpT2pzWndV
NEdsK2xDaEkwekR2SS9DUmxzc2pKdTQKq/blmeAXpmo9Gmh8Ws1kLuio+sJUZXaC
BOBc0m4Dp5y+lTpqvyA9jA9sAZngPo502B+M9tY5rdIxkAR+aCbVUQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjUGorR0ZIa3hNRWJvc0Zl
a1pPRExtbWc3a0VRS2duamZKTVBvL2FtaTFFCkpyTzdoRTh1bHJTclNFQXJBdDlw
M3RSQk9jMWh5ODdxY3FRamw1eWYwcFEKLS0tIHRIVk1ESk4yNkZ0MGxBTmtUVTJB
czlMQml3R1FlNEh6cnNoaGxXQk5jSk0KWuhdW4hVOTHaLwmmlnUazb5XLQdRcZRz
aN2qDOsAnSOqPgE/iXp4+88Y3iu05dWHgbMuWpS1lAFN+bv4s0zxCg==
-----END AGE ENCRYPTED FILE-----
- recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5VG5odWxKdkN5NFRUcnA3
ZFZpWDl3MGlzUmVrWVBEaWhrczVDdDgrM0FVCk5pOFJYSlcyclE1V3lUT1JWY01a
czVHcnlMcVZISFprdEZvRGxKditsVlUKLS0tIGJmZVVnTngyZWZaSkoyZ0doa0VD
bkIzU1ZCV20wRHhNaWtFcTMrNlQvSUEKrd4c5oMU+UqxbDM4sc2JVmlK+Qmoj/zp
2Qc29mNIxP98cjfiPKe3IHidXIbzH0OluYfeFTfBCclbsn3mLpvltg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-07-06T20:14:22Z"
mac: ENC[AES256_GCM,data:GPWu5DjjJ1ki+HRuedGdDCt+2V0RPbOsD/yWJxPIkgu5923vnF8y9y4V6e6+ZsTqHv4hsKeCjKtUnh2Ldn+xadwJmqrIxyJ8NzH5TOvcBxAab9cJCp/yKENw0O1WMUTlDPelvQKMDwbgiebaVVfxbQPUEfJGOgkHkyXrgqN94FU=,iv:h9YALYahUl7mRJmZKjArEfaMrfW9YZkVYd2CEooF13Q=,tag:wotqxup/ouG/bEVOZCs19w==,type:str]
pgp:
- created_at: "2023-07-10T08:17:16Z"
- created_at: "2023-08-11T16:15:15Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcBMA0SHG/zF3227AQf8DDe0qysI5DL1xc6IbIQ+a2oKtiNyL0P4pwrdfsCcudMm
dfhnap8JHPfVssucbA7Gicpg8iZxy9+M1o5E4es1EUBWun+tf+9utHmRKLkAJb98
OPm+vvp/fzRU0bAtvwchskCc4REWbsq82UQdQl8uPhGoCweyWDusmAmXjjECBWmP
sW1pSb0tGvtHM7m0cpLYepWHUZ/VOcNBeuv3fGDuI3M0fv+lCTgYQJOtIrJv+xFf
q9dB1HGJaePsKLxmQTJW1gFdoWkc3ndfBwytY00iho1xPbrKAPSZojE0Wj227DPx
YynEy8ruLWIVcFZsjfEm961kRiwb8MwK1xB7ov/d79JRAXrovFTT3EfFZ+2pY2FW
w8TKQjGol/+vJ2mzlQV0LFtAxjUvgNgoAC/cJgl5c+N4qXz4ChgiT38yZ7JW2e2c
OUwOtIhmRp4PNBU+402xfgYI
=X23Q
wcBMA0SHG/zF3227AQf/aAO5OvMbhN/6/U9b1gj415csZ/PYBB8GJuQ+disXV/Tp
mTMdzmsQVcfefdVoBhd2HUfLv/OlcM2eF4751eu6NP7MBDad5XHZpYON0SCRjiJv
vG0xl+KwI/AQYUWQjBhyMcECqjRLJL6EyyW37ykSGMLNMjbdDCISkVniNYFt9pRE
XkuWQNnDF++vDSZtVxDZvuCIXNZC7isSh5UNjtFdGpc9nMcAra/ALuWx2NjOTKpG
QJ4Ilic2mrE4PIQuf60MnC5lfOJWWbKgR832Sik+ZY/2Nocp2KYsrDyrKRglUu2S
AGdmQrPl3nq0yp1zCGujYFQIQmCQKLPTcoz99x5xR9JRAeK6e/xKJcCM5UgRk6IK
ULdIYK3EGv432KHj6DJFhW6lYWJBnZwkcNsVhxS3qbuccP7CJr51UDZ4ipfoQQtV
irHq+0IfShQpgoPu8YJ+A1T1
=qLIi
-----END PGP MESSAGE-----
fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
unencrypted_suffix: _unencrypted

37
secrets/sj-vps-htz0/secrets.yaml Normal file
View file

@ -0,0 +1,37 @@
#ENC[AES256_GCM,data:NJd2BaOWeCr6IER0GSL4OrnABI65kMLg0ft0auq4gazQJ+40vYKwN7pMimXnhQrIsax01pQocF0x0R9we0i/dbE=,iv:OlqfIRF9FtZVHT4QzjQuKCMbVaA+ei7PE9QvbyWj9OA=,tag:8uPJVrva06SUg0DQ26mNow==,type:comment]
passwords-root: ENC[AES256_GCM,data:mDQXWfH3zcvIifhmFdB5rfuiImHLX0Wb2WuR5Jb4lBII72AN9sEy436nHKLHdDHYDgzBkTHXDz63SfK28GEckJJKXHPcKuYl/g==,iv:M8tcUyUVuYAIesuGxQHQ/JRDlzeklTBAVgD1oBzsbVM=,tag:E8g5Qo1zAJkCvNPDeAv7pw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUOFB4VWUyT1pqVWF6b01v
ZmEyeG0zSjRsWTRkWW9FUmtUWlNiS3VTN2dNClcvQitVUDk1d3oxTnErRG1wZmpL
dHlkZnE2VlVUOGMyeW0xNmo5OHdmbmcKLS0tIFlnbXNvUWRPWGI2KzkrMW01Y0E2
czdzaWhBRWJyb0pBSnphamZVZDgyMDAKjTYixgD7CzJImvPFRYJKJXefXqxSA6I0
iOyW6E++Ax0MsYll77sR9eMNMgPCromY3uzKVJe640HKY/E1cLoi0Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-08-11T16:32:20Z"
mac: ENC[AES256_GCM,data:dgiAU9oMoHi1KvmkSbmNYRA6s2dIrsn8JC5UVpmfUUV5X+u+xwzt+QA/9IRHQoBWL3UZNz4E5qIvitEDx0xP8BktfNd2cGmeaBWT5e7YiSYGWNek0r/2SgXf8aSKsay4g+qdkE4mnxhRcj1pOc6dP5cKE/qh7vjnjlpTOMdp1wE=,iv:M7HE/XQGwttkwY7uXf7SHffwcaSzLqATB5Vqes3+W9w=,tag:vBhNC8zgNPPIzeNjikLt9A==,type:str]
pgp:
- created_at: "2023-08-11T16:31:41Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcBMA0SHG/zF3227AQf+ONiHDN6/hgu1g4WBaQOtAd3tnruoG+O9pbv/IIR86T3n
TIQElcQNsWJpHpoTeXB9G+H3HPh1f3z95tdHwQZOD78HpP0B7sOqx/KUOSJqTkC7
R8jsuAxrIpidr9MIxAypsK5UE3SnZodf6E0IhWR5H26oWXtKPRd2TIBEMwbJZ4dZ
JLZ1D1pYIrJfNez1SP9r8SBMaKJgxLn65sFzonj8j6C+8CpStun2ykLfflsoQzXP
kiCzxG/IR9fA7fyq38h+QdeQgcX7/kyhC/g1tnfDoZRjmcS7gA2yI9Dlxr08cOvy
0Dbruq0tykU0isHSPQHgKQpX/7PD5aV3mXTyvNyzEtJRASftwq7H5sDJXvAXWLMT
eKfUnGyPanQqVNA/jAPhOj/tAIVQZbL4UIPOlT6REfxmNk9tl7JSDhMJzKAEdkk7
C5Jot9exml6467YZkApBm0eM
=HulH
-----END PGP MESSAGE-----
fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
unencrypted_suffix: _unencrypted
version: 3.7.3