summaryrefslogtreecommitdiff
path: root/modules
diff options
context:
space:
mode:
authorGregor Kleen <gkleen@yggdrasil.li>2024-08-08 10:45:09 +0200
committerGregor Kleen <gkleen@yggdrasil.li>2024-08-08 10:45:09 +0200
commit63adb41f1a060c21a68143eb9e86c2790ef66f36 (patch)
tree3902b85e7659fd396ded1d2e42ea318153d08a13 /modules
parent73b08cbd76d4471c9a6fddd05265d7d7fc4c45ff (diff)
downloadnixos-63adb41f1a060c21a68143eb9e86c2790ef66f36.tar
nixos-63adb41f1a060c21a68143eb9e86c2790ef66f36.tar.gz
nixos-63adb41f1a060c21a68143eb9e86c2790ef66f36.tar.bz2
nixos-63adb41f1a060c21a68143eb9e86c2790ef66f36.tar.xz
nixos-63adb41f1a060c21a68143eb9e86c2790ef66f36.zip
...
Diffstat (limited to 'modules')
-rw-r--r--modules/borgcopy/default.nix9
-rw-r--r--modules/build-client.nix4
-rw-r--r--modules/certspotter.nix67
-rw-r--r--modules/coturn.nix60
-rw-r--r--modules/envfs.nix8
-rw-r--r--modules/etebase-server.nix228
-rw-r--r--modules/home-manager.nix3
-rw-r--r--modules/knot.nix1
-rw-r--r--modules/netns.nix7
-rw-r--r--modules/openssh.nix3
-rw-r--r--modules/pgbackrest.nix19
-rw-r--r--modules/postfix-mta-sts-resolver.nix4
-rw-r--r--modules/postfwd.nix1
-rw-r--r--modules/prometheus-lvm-exporter.nix4
-rw-r--r--modules/yggdrasil/default.nix50
-rw-r--r--modules/yggdrasil/hosts/sif/default.nix13
-rw-r--r--modules/yggdrasil/hosts/sif/private-keys.yaml31
-rw-r--r--modules/yggdrasil/hosts/ymir.nix19
18 files changed, 83 insertions, 448 deletions
diff --git a/modules/borgcopy/default.nix b/modules/borgcopy/default.nix
index afc6c37b..475edbd9 100644
--- a/modules/borgcopy/default.nix
+++ b/modules/borgcopy/default.nix
@@ -61,33 +61,40 @@ in {
61 options = { 61 options = {
62 from = mkOption { 62 from = mkOption {
63 type = types.str; 63 type = types.str;
64 description = "Copy from this repository";
64 }; 65 };
65 to = mkOption { 66 to = mkOption {
66 type = types.str; 67 type = types.str;
68 description = "Copy to this repository";
67 }; 69 };
68 70
69 verbosity = mkOption { 71 verbosity = mkOption {
70 type = types.int; 72 type = types.int;
71 default = 3; 73 default = 3;
74 description = "Set verbosity";
72 }; 75 };
73 76
74 sshConfig = mkOption { 77 sshConfig = mkOption {
75 type = with types; nullOr str; 78 type = with types; nullOr str;
76 default = null; 79 default = null;
80 description = "SSH client configuration";
77 }; 81 };
78 82
79 keyfile = mkOption { 83 keyfile = mkOption {
80 type = with types; nullOr str; 84 type = with types; nullOr str;
81 default = null; 85 default = null;
86 description = "Keyfile to pass to borg";
82 }; 87 };
83 88
84 unknownUnencryptedRepoAccessOk = mkOption { 89 unknownUnencryptedRepoAccessOk = mkOption {
85 type = types.bool; 90 type = types.bool;
86 default = false; 91 default = false;
92 description = "Set `BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK`?";
87 }; 93 };
88 hostnameIsUnique = mkOption { 94 hostnameIsUnique = mkOption {
89 type = types.bool; 95 type = types.bool;
90 default = true; 96 default = true;
97 description = "Set `BORG_HOSTNAME_IS_UNIQUE`?";
91 }; 98 };
92 99
93 timerOptions = mkOption { 100 timerOptions = mkOption {
@@ -96,10 +103,12 @@ in {
96 default = { 103 default = {
97 wantedBy = ["timers.target"]; 104 wantedBy = ["timers.target"];
98 }; 105 };
106 description = "Systemd timer options";
99 }; 107 };
100 }; 108 };
101 }); 109 });
102 default = {}; 110 default = {};
111 description = "Copy borg archives from one repository to another";
103 }; 112 };
104 }; 113 };
105 114
diff --git a/modules/build-client.nix b/modules/build-client.nix
index 9924b751..6322e6c0 100644
--- a/modules/build-client.nix
+++ b/modules/build-client.nix
@@ -15,6 +15,7 @@ in {
15 options = { 15 options = {
16 address = mkOption { 16 address = mkOption {
17 type = types.str; 17 type = types.str;
18 description = "Address of buildserver";
18 }; 19 };
19 20
20 system = mkOption { 21 system = mkOption {
@@ -82,10 +83,11 @@ in {
82 }; 83 };
83 }); 84 });
84 default = {}; 85 default = {};
86 description = "Buildservers to use";
85 }; 87 };
86 }; 88 };
87 }; 89 };
88 90
89 config = mkIf (cfg != {}) { 91 config = mkIf (cfg != {}) {
90 programs.ssh.extraConfig = concatMapStringsSep "\n" ({ name, value }: '' 92 programs.ssh.extraConfig = concatMapStringsSep "\n" ({ name, value }: ''
91 Host ${buildHostName name} 93 Host ${buildHostName name}
diff --git a/modules/certspotter.nix b/modules/certspotter.nix
deleted file mode 100644
index ff7ff7c2..00000000
--- a/modules/certspotter.nix
+++ /dev/null
@@ -1,67 +0,0 @@
1{ config, pkgs, lib, ... }:
2
3with lib;
4
5let
6 cfg = config.services.certspotter;
7
8 script = pkgs.writeShellApplication {
9 name = "certspotter-script";
10 runtimeInputs = with pkgs; [ coreutils ];
11 text = ''
12 mkdir -p "''${LOGS_DIRECTORY}"
13 env > "$(mktemp -p "''${LOGS_DIRECTORY}" "$(date -Iseconds).''${PUBKEY_HASH:-na}.XXXXXXXXXX.env")"
14 '';
15 };
16
17 startOptions = cfg.extraOptions
18 ++ optionals (cfg.logs != null) ["-logs" cfg.logs]
19 ++ ["-watchlist" (pkgs.writeText "watchlist" (concatStringsSep "\n" cfg.watchList))
20 "-script" "${script}/bin/certspotter-script"
21 ];
22
23 startScript = pkgs.writeShellApplication {
24 name = "certspotter-start";
25 runtimeInputs = [ pkgs.coreutils cfg.package ];
26 text = ''
27 rm -f "''${STATE_DIRECTORY}/lock"
28 exec -- certspotter -state_dir "''${STATE_DIRECTORY}" ${escapeShellArgs startOptions}
29 '';
30 };
31in {
32 options = {
33 services.certspotter = {
34 watchList = mkOption {
35 type = types.listOf types.str;
36 default = [];
37 };
38
39 logs = mkOption {
40 type = types.nullOr types.str;
41 default = null;
42 };
43
44 extraOptions = mkOption {
45 type = types.listOf types.str;
46 default = [ "-verbose" ];
47 };
48
49 package = mkPackageOption pkgs "certspotter" {};
50 };
51 };
52
53 config = mkIf (cfg.watchList != []) {
54 systemd.services.certspotter = {
55 serviceConfig = {
56 Type = "oneshot";
57 ExecStart = "${startScript}/bin/certspotter-start";
58 StateDirectory = "certspotter";
59 LogsDirectory = "certspotter";
60 DynamicUser = true;
61
62 CPUSchedulingPolicy = "idle";
63 IOSchedulingClass = "idle";
64 };
65 };
66 };
67}
diff --git a/modules/coturn.nix b/modules/coturn.nix
index faa4b5a2..d73d1bba 100644
--- a/modules/coturn.nix
+++ b/modules/coturn.nix
@@ -42,11 +42,11 @@ in {
42 42
43 options = { 43 options = {
44 services.coturn = { 44 services.coturn = {
45 enable = mkEnableOption (lib.mdDoc "coturn TURN server"); 45 enable = mkEnableOption "coturn TURN server";
46 listening-port = mkOption { 46 listening-port = mkOption {
47 type = types.int; 47 type = types.int;
48 default = 3478; 48 default = 3478;
49 description = lib.mdDoc '' 49 description = ''
50 TURN listener port for UDP and TCP. 50 TURN listener port for UDP and TCP.
51 Note: actually, TLS and DTLS sessions can connect to the 51 Note: actually, TLS and DTLS sessions can connect to the
52 "plain" TCP and UDP port(s), too - if allowed by configuration. 52 "plain" TCP and UDP port(s), too - if allowed by configuration.
@@ -55,7 +55,7 @@ in {
55 tls-listening-port = mkOption { 55 tls-listening-port = mkOption {
56 type = types.int; 56 type = types.int;
57 default = 5349; 57 default = 5349;
58 description = lib.mdDoc '' 58 description = ''
59 TURN listener port for TLS. 59 TURN listener port for TLS.
60 Note: actually, "plain" TCP and UDP sessions can connect to the TLS and 60 Note: actually, "plain" TCP and UDP sessions can connect to the TLS and
61 DTLS port(s), too - if allowed by configuration. The TURN server 61 DTLS port(s), too - if allowed by configuration. The TURN server
@@ -71,7 +71,7 @@ in {
71 type = types.int; 71 type = types.int;
72 default = cfg.listening-port + 1; 72 default = cfg.listening-port + 1;
73 defaultText = literalExpression "listening-port + 1"; 73 defaultText = literalExpression "listening-port + 1";
74 description = lib.mdDoc '' 74 description = ''
75 Alternative listening port for UDP and TCP listeners; 75 Alternative listening port for UDP and TCP listeners;
76 default (or zero) value means "listening port plus one". 76 default (or zero) value means "listening port plus one".
77 This is needed for RFC 5780 support 77 This is needed for RFC 5780 support
@@ -86,7 +86,7 @@ in {
86 type = types.int; 86 type = types.int;
87 default = cfg.tls-listening-port + 1; 87 default = cfg.tls-listening-port + 1;
88 defaultText = literalExpression "tls-listening-port + 1"; 88 defaultText = literalExpression "tls-listening-port + 1";
89 description = lib.mdDoc '' 89 description = ''
90 Alternative listening port for TLS and DTLS protocols. 90 Alternative listening port for TLS and DTLS protocols.
91 ''; 91 '';
92 }; 92 };
@@ -94,7 +94,7 @@ in {
94 type = types.listOf types.str; 94 type = types.listOf types.str;
95 default = []; 95 default = [];
96 example = [ "203.0.113.42" "2001:DB8::42" ]; 96 example = [ "203.0.113.42" "2001:DB8::42" ];
97 description = lib.mdDoc '' 97 description = ''
98 Listener IP addresses of relay server. 98 Listener IP addresses of relay server.
99 If no IP(s) specified in the config file or in the command line options, 99 If no IP(s) specified in the config file or in the command line options,
100 then all IPv4 and IPv6 system IPs will be used for listening. 100 then all IPv4 and IPv6 system IPs will be used for listening.
@@ -104,7 +104,7 @@ in {
104 type = types.listOf types.str; 104 type = types.listOf types.str;
105 default = []; 105 default = [];
106 example = [ "203.0.113.42" "2001:DB8::42" ]; 106 example = [ "203.0.113.42" "2001:DB8::42" ];
107 description = lib.mdDoc '' 107 description = ''
108 Relay address (the local IP address that will be used to relay the 108 Relay address (the local IP address that will be used to relay the
109 packets to the peer). 109 packets to the peer).
110 Multiple relay addresses may be used. 110 Multiple relay addresses may be used.
@@ -120,28 +120,28 @@ in {
120 min-port = mkOption { 120 min-port = mkOption {
121 type = types.int; 121 type = types.int;
122 default = 49152; 122 default = 49152;
123 description = lib.mdDoc '' 123 description = ''
124 Lower bound of UDP relay endpoints 124 Lower bound of UDP relay endpoints
125 ''; 125 '';
126 }; 126 };
127 max-port = mkOption { 127 max-port = mkOption {
128 type = types.int; 128 type = types.int;
129 default = 65535; 129 default = 65535;
130 description = lib.mdDoc '' 130 description = ''
131 Upper bound of UDP relay endpoints 131 Upper bound of UDP relay endpoints
132 ''; 132 '';
133 }; 133 };
134 lt-cred-mech = mkOption { 134 lt-cred-mech = mkOption {
135 type = types.bool; 135 type = types.bool;
136 default = false; 136 default = false;
137 description = lib.mdDoc '' 137 description = ''
138 Use long-term credential mechanism. 138 Use long-term credential mechanism.
139 ''; 139 '';
140 }; 140 };
141 no-auth = mkOption { 141 no-auth = mkOption {
142 type = types.bool; 142 type = types.bool;
143 default = false; 143 default = false;
144 description = lib.mdDoc '' 144 description = ''
145 This option is opposite to lt-cred-mech. 145 This option is opposite to lt-cred-mech.
146 (TURN Server with no-auth option allows anonymous access). 146 (TURN Server with no-auth option allows anonymous access).
147 If neither option is defined, and no users are defined, 147 If neither option is defined, and no users are defined,
@@ -153,7 +153,7 @@ in {
153 use-auth-secret = mkOption { 153 use-auth-secret = mkOption {
154 type = types.bool; 154 type = types.bool;
155 default = false; 155 default = false;
156 description = lib.mdDoc '' 156 description = ''
157 TURN REST API flag. 157 TURN REST API flag.
158 Flag that sets a special authorization option that is based upon authentication secret. 158 Flag that sets a special authorization option that is based upon authentication secret.
159 This feature can be used with the long-term authentication mechanism, only. 159 This feature can be used with the long-term authentication mechanism, only.
@@ -177,7 +177,7 @@ in {
177 static-auth-secret = mkOption { 177 static-auth-secret = mkOption {
178 type = types.nullOr types.str; 178 type = types.nullOr types.str;
179 default = null; 179 default = null;
180 description = lib.mdDoc '' 180 description = ''
181 'Static' authentication secret value (a string) for TURN REST API only. 181 'Static' authentication secret value (a string) for TURN REST API only.
182 If not set, then the turn server 182 If not set, then the turn server
183 will try to use the 'dynamic' value in turn_secret table 183 will try to use the 'dynamic' value in turn_secret table
@@ -188,7 +188,7 @@ in {
188 static-auth-secret-file = mkOption { 188 static-auth-secret-file = mkOption {
189 type = types.nullOr types.str; 189 type = types.nullOr types.str;
190 default = null; 190 default = null;
191 description = lib.mdDoc '' 191 description = ''
192 Path to the file containing the static authentication secret. 192 Path to the file containing the static authentication secret.
193 ''; 193 '';
194 }; 194 };
@@ -197,7 +197,7 @@ in {
197 default = config.networking.hostName; 197 default = config.networking.hostName;
198 defaultText = literalExpression "config.networking.hostName"; 198 defaultText = literalExpression "config.networking.hostName";
199 example = "example.com"; 199 example = "example.com";
200 description = lib.mdDoc '' 200 description = ''
201 The default realm to be used for the users when no explicit 201 The default realm to be used for the users when no explicit
202 origin/realm relationship was found in the database, or if the TURN 202 origin/realm relationship was found in the database, or if the TURN
203 server is not using any database (just the commands-line settings 203 server is not using any database (just the commands-line settings
@@ -209,7 +209,7 @@ in {
209 type = types.nullOr types.str; 209 type = types.nullOr types.str;
210 default = null; 210 default = null;
211 example = "/var/lib/acme/example.com/fullchain.pem"; 211 example = "/var/lib/acme/example.com/fullchain.pem";
212 description = lib.mdDoc '' 212 description = ''
213 Certificate file in PEM format. 213 Certificate file in PEM format.
214 ''; 214 '';
215 }; 215 };
@@ -217,21 +217,21 @@ in {
217 type = types.nullOr types.str; 217 type = types.nullOr types.str;
218 default = null; 218 default = null;
219 example = "/var/lib/acme/example.com/key.pem"; 219 example = "/var/lib/acme/example.com/key.pem";
220 description = lib.mdDoc '' 220 description = ''
221 Private key file in PEM format. 221 Private key file in PEM format.
222 ''; 222 '';
223 }; 223 };
224 dh-file = mkOption { 224 dh-file = mkOption {
225 type = types.nullOr types.str; 225 type = types.nullOr types.str;
226 default = null; 226 default = null;
227 description = lib.mdDoc '' 227 description = ''
228 Use custom DH TLS key, stored in PEM format in the file. 228 Use custom DH TLS key, stored in PEM format in the file.
229 ''; 229 '';
230 }; 230 };
231 secure-stun = mkOption { 231 secure-stun = mkOption {
232 type = types.bool; 232 type = types.bool;
233 default = false; 233 default = false;
234 description = lib.mdDoc '' 234 description = ''
235 Require authentication of the STUN Binding request. 235 Require authentication of the STUN Binding request.
236 By default, the clients are allowed anonymous access to the STUN Binding functionality. 236 By default, the clients are allowed anonymous access to the STUN Binding functionality.
237 ''; 237 '';
@@ -239,28 +239,28 @@ in {
239 no-cli = mkOption { 239 no-cli = mkOption {
240 type = types.bool; 240 type = types.bool;
241 default = false; 241 default = false;
242 description = lib.mdDoc '' 242 description = ''
243 Turn OFF the CLI support. 243 Turn OFF the CLI support.
244 ''; 244 '';
245 }; 245 };
246 cli-ip = mkOption { 246 cli-ip = mkOption {
247 type = types.str; 247 type = types.str;
248 default = "127.0.0.1"; 248 default = "127.0.0.1";
249 description = lib.mdDoc '' 249 description = ''
250 Local system IP address to be used for CLI server endpoint. 250 Local system IP address to be used for CLI server endpoint.
251 ''; 251 '';
252 }; 252 };
253 cli-port = mkOption { 253 cli-port = mkOption {
254 type = types.int; 254 type = types.int;
255 default = 5766; 255 default = 5766;
256 description = lib.mdDoc '' 256 description = ''
257 CLI server port. 257 CLI server port.
258 ''; 258 '';
259 }; 259 };
260 cli-password = mkOption { 260 cli-password = mkOption {
261 type = types.nullOr types.str; 261 type = types.nullOr types.str;
262 default = null; 262 default = null;
263 description = lib.mdDoc '' 263 description = ''
264 CLI access password. 264 CLI access password.
265 For the security reasons, it is recommended to use the encrypted 265 For the security reasons, it is recommended to use the encrypted
266 for of the password (see the -P command in the turnadmin utility). 266 for of the password (see the -P command in the turnadmin utility).
@@ -269,37 +269,37 @@ in {
269 no-udp = mkOption { 269 no-udp = mkOption {
270 type = types.bool; 270 type = types.bool;
271 default = false; 271 default = false;
272 description = lib.mdDoc "Disable UDP client listener"; 272 description = "Disable UDP client listener";
273 }; 273 };
274 no-tcp = mkOption { 274 no-tcp = mkOption {
275 type = types.bool; 275 type = types.bool;
276 default = false; 276 default = false;
277 description = lib.mdDoc "Disable TCP client listener"; 277 description = "Disable TCP client listener";
278 }; 278 };
279 no-tls = mkOption { 279 no-tls = mkOption {
280 type = types.bool; 280 type = types.bool;
281 default = false; 281 default = false;
282 description = lib.mdDoc "Disable TLS client listener"; 282 description = "Disable TLS client listener";
283 }; 283 };
284 no-dtls = mkOption { 284 no-dtls = mkOption {
285 type = types.bool; 285 type = types.bool;
286 default = false; 286 default = false;
287 description = lib.mdDoc "Disable DTLS client listener"; 287 description = "Disable DTLS client listener";
288 }; 288 };
289 no-udp-relay = mkOption { 289 no-udp-relay = mkOption {
290 type = types.bool; 290 type = types.bool;
291 default = false; 291 default = false;
292 description = lib.mdDoc "Disable UDP relay endpoints"; 292 description = "Disable UDP relay endpoints";
293 }; 293 };
294 no-tcp-relay = mkOption { 294 no-tcp-relay = mkOption {
295 type = types.bool; 295 type = types.bool;
296 default = false; 296 default = false;
297 description = lib.mdDoc "Disable TCP relay endpoints"; 297 description = "Disable TCP relay endpoints";
298 }; 298 };
299 extraConfig = mkOption { 299 extraConfig = mkOption {
300 type = types.lines; 300 type = types.lines;
301 default = ""; 301 default = "";
302 description = lib.mdDoc "Additional configuration options"; 302 description = "Additional configuration options";
303 }; 303 };
304 }; 304 };
305 }; 305 };
diff --git a/modules/envfs.nix b/modules/envfs.nix
index ff992b61..b5b453a5 100644
--- a/modules/envfs.nix
+++ b/modules/envfs.nix
@@ -26,9 +26,9 @@ in {
26 26
27 options = { 27 options = {
28 services.envfs = { 28 services.envfs = {
29 enable = lib.mkEnableOption (lib.mdDoc "Envfs filesystem") // { 29 enable = lib.mkEnableOption "Envfs filesystem" // {
30 default = true; 30 default = true;
31 description = lib.mdDoc '' 31 description = ''
32 Fuse filesystem that returns symlinks to executables based on the PATH 32 Fuse filesystem that returns symlinks to executables based on the PATH
33 of the requesting process. This is useful to execute shebangs on NixOS 33 of the requesting process. This is useful to execute shebangs on NixOS
34 that assume hard coded locations in locations like /bin or /usr/bin 34 that assume hard coded locations in locations like /bin or /usr/bin
@@ -40,7 +40,7 @@ in {
40 type = lib.types.package; 40 type = lib.types.package;
41 default = pkgs.envfs; 41 default = pkgs.envfs;
42 defaultText = lib.literalExpression "pkgs.envfs"; 42 defaultText = lib.literalExpression "pkgs.envfs";
43 description = lib.mdDoc "Which package to use for the envfs."; 43 description = "Which package to use for the envfs.";
44 }; 44 };
45 45
46 paths = lib.mkOption { 46 paths = lib.mkOption {
@@ -60,7 +60,7 @@ in {
60 ''') 60 ''')
61 ] 61 ]
62 ''; 62 '';
63 description = lib.mdDoc "Extra packages to join into collection of fallback executables in case not other executable is found"; 63 description = "Extra packages to join into collection of fallback executables in case not other executable is found";
64 }; 64 };
65 }; 65 };
66 }; 66 };
diff --git a/modules/etebase-server.nix b/modules/etebase-server.nix
deleted file mode 100644
index 341e7fa0..00000000
--- a/modules/etebase-server.nix
+++ /dev/null
@@ -1,228 +0,0 @@
1{ config, pkgs, lib, ... }:
2
3with lib;
4
5let
6 cfg = config.services.etebase-server;
7
8 pythonEnv = pkgs.python3.withPackages (ps: with ps;
9 [ etebase-server daphne psycopg2 ]);
10
11 iniFmt = pkgs.formats.ini {};
12
13 configIni = iniFmt.generate "etebase-server.ini" cfg.settings;
14
15 defaultUser = "etebase-server";
16in
17{
18 disabledModules = [ "services/misc/etebase-server.nix" ];
19
20 imports = [
21 (mkRemovedOptionModule
22 [ "services" "etebase-server" "customIni" ]
23 "Set the option `services.etebase-server.settings' instead.")
24 (mkRemovedOptionModule
25 [ "services" "etebase-server" "database" ]
26 "Set the option `services.etebase-server.settings.database' instead.")
27 (mkRenamedOptionModule
28 [ "services" "etebase-server" "secretFile" ]
29 [ "services" "etebase-server" "settings" "secret_file" ])
30 (mkRenamedOptionModule
31 [ "services" "etebase-server" "host" ]
32 [ "services" "etebase-server" "settings" "allowed_hosts" "allowed_host1" ])
33 ];
34
35 options = {
36 services.etebase-server = {
37 enable = mkOption {
38 type = types.bool;
39 default = false;
40 example = true;
41 description = lib.mdDoc ''
42 Whether to enable the Etebase server.
43
44 Once enabled you need to create an admin user by invoking the
45 shell command `etebase-server createsuperuser` with
46 the user specified by the `user` option or a superuser.
47 Then you can login and create accounts on your-etebase-server.com/admin
48 '';
49 };
50
51 dataDir = mkOption {
52 type = types.str;
53 default = "/var/lib/etebase-server";
54 description = lib.mdDoc "Directory to store the Etebase server data.";
55 };
56
57 port = mkOption {
58 type = with types; nullOr port;
59 default = 8001;
60 description = lib.mdDoc "Port to listen on.";
61 };
62
63 openFirewall = mkOption {
64 type = types.bool;
65 default = false;
66 description = lib.mdDoc ''
67 Whether to open ports in the firewall for the server.
68 '';
69 };
70
71 unixSocket = mkOption {
72 type = with types; nullOr str;
73 default = null;
74 description = lib.mdDoc "The path to the socket to bind to.";
75 example = "/run/etebase-server/etebase-server.sock";
76 };
77
78 settings = mkOption {
79 type = lib.types.submodule {
80 freeformType = iniFmt.type;
81
82 options = {
83 global = {
84 debug = mkOption {
85 type = types.bool;
86 default = false;
87 description = lib.mdDoc ''
88 Whether to set django's DEBUG flag.
89 '';
90 };
91 secret_file = mkOption {
92 type = with types; nullOr str;
93 default = null;
94 description = lib.mdDoc ''
95 The path to a file containing the secret
96 used as django's SECRET_KEY.
97 '';
98 };
99 static_root = mkOption {
100 type = types.str;
101 default = "${cfg.dataDir}/static";
102 defaultText = literalExpression ''"''${config.services.etebase-server.dataDir}/static"'';
103 description = lib.mdDoc "The directory for static files.";
104 };
105 media_root = mkOption {
106 type = types.str;
107 default = "${cfg.dataDir}/media";
108 defaultText = literalExpression ''"''${config.services.etebase-server.dataDir}/media"'';
109 description = lib.mdDoc "The media directory.";
110 };
111 };
112 allowed_hosts = {
113 allowed_host1 = mkOption {
114 type = types.str;
115 default = "0.0.0.0";
116 example = "localhost";
117 description = lib.mdDoc ''
118 The main host that is allowed access.
119 '';
120 };
121 };
122 database = {
123 engine = mkOption {
124 type = types.enum [ "django.db.backends.sqlite3" "django.db.backends.postgresql" ];
125 default = "django.db.backends.sqlite3";
126 description = lib.mdDoc "The database engine to use.";
127 };
128 name = mkOption {
129 type = types.str;
130 default = "${cfg.dataDir}/db.sqlite3";
131 defaultText = literalExpression ''"''${config.services.etebase-server.dataDir}/db.sqlite3"'';
132 description = lib.mdDoc "The database name.";
133 };
134 };
135 };
136 };
137 default = {};
138 description = lib.mdDoc ''
139 Configuration for `etebase-server`. Refer to
140 <https://github.com/etesync/server/blob/master/etebase-server.ini.example>
141 and <https://github.com/etesync/server/wiki>
142 for details on supported values.
143 '';
144 example = {
145 global = {
146 debug = true;
147 media_root = "/path/to/media";
148 };
149 allowed_hosts = {
150 allowed_host2 = "localhost";
151 };
152 };
153 };
154
155 user = mkOption {
156 type = types.str;
157 default = defaultUser;
158 description = lib.mdDoc "User under which Etebase server runs.";
159 };
160 };
161 };
162
163 config = mkIf cfg.enable {
164
165 environment.systemPackages = with pkgs; [
166 (runCommand "etebase-server" {
167 nativeBuildInputs = [ makeWrapper ];
168 } ''
169 makeWrapper ${pythonEnv}/bin/etebase-server \
170 $out/bin/etebase-server \
171 --chdir ${escapeShellArg cfg.dataDir} \
172 --prefix ETEBASE_EASY_CONFIG_PATH : "${configIni}"
173 '')
174 ];
175
176 systemd.tmpfiles.rules = [
177 "d '${cfg.dataDir}' - ${cfg.user} ${config.users.users.${cfg.user}.group} - -"
178 ];
179
180 systemd.services.etebase-server = {
181 description = "An Etebase (EteSync 2.0) server";
182 after = [ "network.target" "systemd-tmpfiles-setup.service" ];
183 wantedBy = [ "multi-user.target" ];
184 path = [ pythonEnv ];
185 serviceConfig = {
186 User = cfg.user;
187 Restart = "always";
188 WorkingDirectory = cfg.dataDir;
189 };
190 environment = {
191 ETEBASE_EASY_CONFIG_PATH = configIni;
192 };
193 preStart = ''
194 # Auto-migrate on first run or if the package has changed
195 versionFile="${cfg.dataDir}/src-version"
196 if [[ $(cat "$versionFile" 2>/dev/null) != ${pkgs.etebase-server} ]]; then
197 etebase-server migrate --no-input
198 etebase-server collectstatic --no-input --clear
199 echo ${pkgs.etebase-server} > "$versionFile"
200 fi
201 '';
202 script =
203 let
204 networking = if cfg.unixSocket != null
205 then "-u ${cfg.unixSocket}"
206 else "-b 0.0.0.0 -p ${toString cfg.port}";
207 in ''
208 cd "${pythonEnv}/lib/etebase-server";
209 daphne ${networking} \
210 etebase_server.asgi:application
211 '';
212 };
213
214 users = optionalAttrs (cfg.user == defaultUser) {
215 users.${defaultUser} = {
216 isSystemUser = true;
217 group = defaultUser;
218 home = cfg.dataDir;
219 };
220
221 groups.${defaultUser} = {};
222 };
223
224 networking.firewall = mkIf cfg.openFirewall {
225 allowedTCPPorts = [ cfg.port ];
226 };
227 };
228}
diff --git a/modules/home-manager.nix b/modules/home-manager.nix
index ebe3e153..c485dd99 100644
--- a/modules/home-manager.nix
+++ b/modules/home-manager.nix
@@ -8,6 +8,9 @@ with lib;
8 type = types.bool; 8 type = types.bool;
9 default = true; 9 default = true;
10 example = true; 10 example = true;
11 description = ''
12 Are we using home-manager version that starts late as systemd user service?
13 '';
11 }; 14 };
12 }; 15 };
13} 16}
diff --git a/modules/knot.nix b/modules/knot.nix
index a4691324..f7165029 100644
--- a/modules/knot.nix
+++ b/modules/knot.nix
@@ -81,6 +81,7 @@ in {
81 81
82 cliWrappers = mkOption { 82 cliWrappers = mkOption {
83 readOnly = true; 83 readOnly = true;
84 internal = true;
84 type = types.package; 85 type = types.package;
85 default = knot-cli-wrappers; 86 default = knot-cli-wrappers;
86 defaultText = "knot-cli-wrappers"; 87 defaultText = "knot-cli-wrappers";
diff --git a/modules/netns.nix b/modules/netns.nix
index dca3c0db..79dc123b 100644
--- a/modules/netns.nix
+++ b/modules/netns.nix
@@ -125,6 +125,13 @@ in {
125 containers = mkOption { 125 containers = mkOption {
126 default = {}; 126 default = {};
127 type = types.attrsOf (types.submodule containerOpts); 127 type = types.attrsOf (types.submodule containerOpts);
128 description = ''
129 A set of NixOS system configurations to be run as lightweight
130 containers. Each container appears as a service
131 `container-«name»`
132 on the host system, allowing it to be started and stopped via
133 {command}`systemctl`.
134 '';
128 }; 135 };
129 }; 136 };
130 }; 137 };
diff --git a/modules/openssh.nix b/modules/openssh.nix
index 78749869..8bdc3df6 100644
--- a/modules/openssh.nix
+++ b/modules/openssh.nix
@@ -30,6 +30,7 @@ with lib;
30 "rsa-sha2-512" 30 "rsa-sha2-512"
31 "rsa-sha2-512-cert-v01@openssh.com" 31 "rsa-sha2-512-cert-v01@openssh.com"
32 ]; 32 ];
33 description = "HostKeyAlgorithms";
33 }; 34 };
34 settings.CASignatureAlgorithms = mkOption { 35 settings.CASignatureAlgorithms = mkOption {
35 type = types.str; 36 type = types.str;
@@ -43,6 +44,7 @@ with lib;
43 "rsa-sha2-512" 44 "rsa-sha2-512"
44 "rsa-sha2-256" 45 "rsa-sha2-256"
45 ]; 46 ];
47 description = "CASignatureAlgorithms";
46 }; 48 };
47 settings.PubkeyAcceptedAlgorithms = mkOption { 49 settings.PubkeyAcceptedAlgorithms = mkOption {
48 type = types.str; 50 type = types.str;
@@ -69,6 +71,7 @@ with lib;
69 "rsa-sha2-512" 71 "rsa-sha2-512"
70 "rsa-sha2-512-cert-v01@openssh.com" 72 "rsa-sha2-512-cert-v01@openssh.com"
71 ]; 73 ];
74 description = "PubkeyAcceptedAlgorithms";
72 }; 75 };
73 }; 76 };
74 }; 77 };
diff --git a/modules/pgbackrest.nix b/modules/pgbackrest.nix
index e02849f5..886840b9 100644
--- a/modules/pgbackrest.nix
+++ b/modules/pgbackrest.nix
@@ -50,8 +50,8 @@ in {
50 package = mkPackageOption pkgs "pgbackrest" {}; 50 package = mkPackageOption pkgs "pgbackrest" {};
51 dscpPackage = mkPackageOption pkgs "libdscp" { nullable = true; default = null; }; 51 dscpPackage = mkPackageOption pkgs "libdscp" { nullable = true; default = null; };
52 52
53 dscp.archive-push = mkDSCPOption { default = 24; }; 53 dscp.archive-push = mkDSCPOption { default = 24; description = "DSCP during archive push"; };
54 dscp.backup = mkDSCPOption { default = 8; }; 54 dscp.backup = mkDSCPOption { default = 8; description = "DSCP during backup"; };
55 55
56 configurePostgresql = { 56 configurePostgresql = {
57 enable = mkEnableOption "configuring PostgreSQL for sending WAL to pgBackRest" // { 57 enable = mkEnableOption "configuring PostgreSQL for sending WAL to pgBackRest" // {
@@ -63,6 +63,7 @@ in {
63 type = types.str; 63 type = types.str;
64 default = config.networking.hostName; 64 default = config.networking.hostName;
65 defaultText = literalExpression "config.networking.hostName"; 65 defaultText = literalExpression "config.networking.hostName";
66 description = "Stanza";
66 }; 67 };
67 }; 68 };
68 69
@@ -74,23 +75,28 @@ in {
74 global.log-level-console = mkOption { 75 global.log-level-console = mkOption {
75 type = loglevelType; 76 type = loglevelType;
76 default = "detail"; 77 default = "detail";
78 description = "Log level to console";
77 }; 79 };
78 global.log-level-file = mkOption { 80 global.log-level-file = mkOption {
79 type = loglevelType; 81 type = loglevelType;
80 default = "off"; 82 default = "off";
83 description = "Log level to logfile";
81 }; 84 };
82 global.log-level-stderr = mkOption { 85 global.log-level-stderr = mkOption {
83 type = loglevelType; 86 type = loglevelType;
84 default = "warn"; 87 default = "warn";
88 description = "Log level to stderr";
85 }; 89 };
86 90
87 global.log-subprocess = mkOption { 91 global.log-subprocess = mkOption {
88 type = types.bool; 92 type = types.bool;
89 default = true; 93 default = true;
94 description = "Log subprocesses?";
90 }; 95 };
91 global.log-timestamp = mkOption { 96 global.log-timestamp = mkOption {
92 type = types.bool; 97 type = types.bool;
93 default = false; 98 default = false;
99 description = "Log timestamps?";
94 }; 100 };
95 }; 101 };
96 }; 102 };
@@ -106,10 +112,12 @@ in {
106 user = mkOption { 112 user = mkOption {
107 type = types.str; 113 type = types.str;
108 default = "postgres"; 114 default = "postgres";
115 description = "User";
109 }; 116 };
110 group = mkOption { 117 group = mkOption {
111 type = types.str; 118 type = types.str;
112 default = "postgres"; 119 default = "postgres";
120 description = "Group";
113 }; 121 };
114 }; 122 };
115 123
@@ -119,32 +127,39 @@ in {
119 type = mkOption { 127 type = mkOption {
120 type = types.enum ["full" "incr" "diff"]; 128 type = types.enum ["full" "incr" "diff"];
121 default = "full"; 129 default = "full";
130 description = "Type";
122 }; 131 };
123 132
124 stanza = mkOption { 133 stanza = mkOption {
125 type = types.str; 134 type = types.str;
126 default = cfg.configurePostgresql.stanza; 135 default = cfg.configurePostgresql.stanza;
127 defaultText = literalExpression "config.services.pgbackrest.configurePostgresql.stanza"; 136 defaultText = literalExpression "config.services.pgbackrest.configurePostgresql.stanza";
137 description = "Stanza";
128 }; 138 };
129 repo = mkOption { 139 repo = mkOption {
130 type = types.nullOr (types.strMatching "^[0-9]+$"); 140 type = types.nullOr (types.strMatching "^[0-9]+$");
141 description = "Repository number";
131 }; 142 };
132 143
133 user = mkOption { 144 user = mkOption {
134 type = types.str; 145 type = types.str;
135 default = "postgres"; 146 default = "postgres";
147 description = "User";
136 }; 148 };
137 group = mkOption { 149 group = mkOption {
138 type = types.str; 150 type = types.str;
139 default = "postgres"; 151 default = "postgres";
152 description = "Group";
140 }; 153 };
141 154
142 timerConfig = mkOption { 155 timerConfig = mkOption {
143 type = types.attrsOf unitOption; 156 type = types.attrsOf unitOption;
157 description = "Systemd timer options";
144 }; 158 };
145 }; 159 };
146 })); 160 }));
147 default = {}; 161 default = {};
162 description = "Configure backups";
148 }; 163 };
149 }; 164 };
150 }; 165 };
diff --git a/modules/postfix-mta-sts-resolver.nix b/modules/postfix-mta-sts-resolver.nix
index fcbd9390..193c54fb 100644
--- a/modules/postfix-mta-sts-resolver.nix
+++ b/modules/postfix-mta-sts-resolver.nix
@@ -8,7 +8,7 @@ in {
8 options = { 8 options = {
9 services.postfix-mta-sts-resolver = { 9 services.postfix-mta-sts-resolver = {
10 enable = mkEnableOption "mta-sts-daemon"; 10 enable = mkEnableOption "mta-sts-daemon";
11 package = mkPackageOption pkgs "postfix-mta-sts-resolver"; 11 package = mkPackageOption pkgs "postfix-mta-sts-resolver" {};
12 12
13 redis = mkEnableOption "redis cache" // { default = true; example = false; }; 13 redis = mkEnableOption "redis cache" // { default = true; example = false; };
14 proactive-policy-fetching = mkEnableOption "proactive policy fetching" // { default = true; example = false; }; 14 proactive-policy-fetching = mkEnableOption "proactive policy fetching" // { default = true; example = false; };
@@ -16,10 +16,12 @@ in {
16 loglevel = mkOption { 16 loglevel = mkOption {
17 type = types.enum ["debug" "info" "warn" "error" "fatal"]; 17 type = types.enum ["debug" "info" "warn" "error" "fatal"];
18 default = "info"; 18 default = "info";
19 description = "Loglevel";
19 }; 20 };
20 21
21 settings = mkOption { 22 settings = mkOption {
22 type = types.attrs; 23 type = types.attrs;
24 description = "Settings";
23 }; 25 };
24 }; 26 };
25 }; 27 };
diff --git a/modules/postfwd.nix b/modules/postfwd.nix
index e10c04a7..3edff44d 100644
--- a/modules/postfwd.nix
+++ b/modules/postfwd.nix
@@ -12,6 +12,7 @@ in {
12 rules = mkOption { 12 rules = mkOption {
13 type = lines; 13 type = lines;
14 default = ""; 14 default = "";
15 description = "Rules";
15 }; 16 };
16 }; 17 };
17 }; 18 };
diff --git a/modules/prometheus-lvm-exporter.nix b/modules/prometheus-lvm-exporter.nix
index 7ef082c3..ad46f835 100644
--- a/modules/prometheus-lvm-exporter.nix
+++ b/modules/prometheus-lvm-exporter.nix
@@ -21,7 +21,7 @@ in {
21 openFirewall = mkOption { 21 openFirewall = mkOption {
22 type = types.bool; 22 type = types.bool;
23 default = false; 23 default = false;
24 description = lib.mdDoc '' 24 description = ''
25 Open port in firewall for incoming connections. 25 Open port in firewall for incoming connections.
26 ''; 26 '';
27 }; 27 };
@@ -31,7 +31,7 @@ in {
31 example = literalExpression '' 31 example = literalExpression ''
32 "-i eth0 -p tcp -m tcp --dport ${toString cfg.port}" 32 "-i eth0 -p tcp -m tcp --dport ${toString cfg.port}"
33 ''; 33 '';
34 description = lib.mdDoc '' 34 description = ''
35 Specify a filter for iptables to use when 35 Specify a filter for iptables to use when
36 {option}`services.prometheus.exporters.lvm.openFirewall` 36 {option}`services.prometheus.exporters.lvm.openFirewall`
37 is true. It is used as `ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept`. 37 is true. It is used as `ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept`.
diff --git a/modules/yggdrasil/default.nix b/modules/yggdrasil/default.nix
deleted file mode 100644
index f4100e73..00000000
--- a/modules/yggdrasil/default.nix
+++ /dev/null
@@ -1,50 +0,0 @@
1{ config, lib, customUtils, ... }:
2let
3 cfg = config.services.tinc.yggdrasil;
4in {
5 options = {
6 services.tinc.yggdrasil = lib.mkOption {
7 default = {};
8 type = lib.types.submodule {
9 options = {
10 enable = lib.mkEnableOption "Yggdrasil tinc network";
11
12 connect = lib.mkOption {
13 default = true;
14 type = lib.types.bool;
15 description = ''
16 Connect to central server
17 '';
18 };
19 };
20 };
21 };
22 };
23
24 config = lib.mkIf cfg.enable {
25 services.tinc.networks.yggdrasil = {
26 name = config.networking.hostName;
27 hostSettings = customUtils.nixImport { dir = ./hosts; };
28 debugLevel = 2;
29 interfaceType = "tap";
30 settings = {
31 Mode = "switch";
32 PingTimeout = 30;
33 ConnectTo = lib.mkIf cfg.connect "ymir";
34 };
35 };
36
37 sops.secrets = {
38 tinc-yggdrasil-rsa = {
39 key = "rsa";
40 path = "/etc/tinc/yggdrasil/rsa_key.priv";
41 sopsFile = ./hosts + "/${config.services.tinc.networks.yggdrasil.name}/private-keys.yaml";
42 };
43 tinc-yggdrasil-ed25519 = {
44 key = "ed25519";
45 path = "/etc/tinc/yggdrasil/rsa_key.priv";
46 sopsFile = ./hosts + "/${config.services.tinc.networks.yggdrasil.name}/private-keys.yaml";
47 };
48 };
49 };
50}
diff --git a/modules/yggdrasil/hosts/sif/default.nix b/modules/yggdrasil/hosts/sif/default.nix
deleted file mode 100644
index 32b844de..00000000
--- a/modules/yggdrasil/hosts/sif/default.nix
+++ /dev/null
@@ -1,13 +0,0 @@
1{
2 settings.Ed25519PublicKey = "qJqty+wiTNcYaHQCvQNiMqXYz30C9M3+LI/qjmU/9hK";
3 rsaPublicKey = ''
4 -----BEGIN RSA PUBLIC KEY-----
5 MIIBCgKCAQEA0ACaacg9EN0hBQct8ZwQ/i6EsXKP4DIwKwabM2rp8azValTHU2uI
6 WW6JRY+Eii6zRx9B5kJ96C4rJJeAGV6lZPAogaC2LbM7lcsZ7oRDWZGaQKcZFNGi
7 laEcDg2dRuDx1W4at0rb03SDLNPt8sXSV6BcK9n/7m7+s9cwM/+PB8FHDMnWvwbC
8 usbP23020s+CVr/PU1z/7J0y3Eat+Acut6x5X8DNewpqV96wQpqdAggbhtYERMFH
9 +i0sa1WUDQtJ6HGChbENRTMlsPJ6lnzXY+J0pzatzzvetLsOljES9uJ8dtk6qBC7
10 KRZo5lvdUwR6j9XiHMQeRerUt23b9ATFXQIDAQAB
11 -----END RSA PUBLIC KEY-----
12 '';
13}
diff --git a/modules/yggdrasil/hosts/sif/private-keys.yaml b/modules/yggdrasil/hosts/sif/private-keys.yaml
deleted file mode 100644
index 0c4274d1..00000000
--- a/modules/yggdrasil/hosts/sif/private-keys.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
1ed25519: ENC[AES256_GCM,data:1CqB4y6CIm5JUsznpXPqqLJqCKmmoAJOZQTWb7+Jbn0oZMX27qSMK4CchHF7Bmo24EK8rk5EyW5aQLnoxp/2NA62p8SXdaoI8Qgz3EgsQ5QrlJrt1jvERpNs4vttT9V6+aK3Yojr9IuQSvJ4jyKSLrzrTnLzF9pXlaOf1Ru5SxySRWtVzynzurRpdUVS6goE+lb+Irg6x2geV719iQ9bu1C2smeQDREdS+dlfoxp02/pU6kTFA7KAm5vA91HKEfMqfSEzuBgUB0=,iv:n6Yh0zZ9AbT+83P42QNO2rCCISJV5nbO9wYcwaRYD2E=,tag:dJpXV9ZzLSO1B+LsyV3vAg==,type:str]
2rsa: ENC[AES256_GCM,data:7faQJAhoYt3MJidg4TVwysmLGZ4V1fA9NYYKgEMgky4q0Q9tBGhEsA60uj7iKcMMRhGku7feIFkj2+1qjKy+e1Bajfs2rqxgyqYmM6yOTrmorbXBVyrPOTOwJp3yp7O1vIXwoUS9vWIYxFszpfaLL0/8aARYVrYmpxf3gsBfQ4LciM1VKEgjG3uRBf1tDLaNuMNyzdan0DFghwuDojPOXUFv/6yuPxU2U0TagVjwAk4FThGwEasvV454RSm/GmqYtX+P4Vc3pEWNYAK1rXJAuXm1392Uash+HGQ+3ln5N9yWneewgPPr0pePAugxxN0qnwhy5MRKGQE3ZHCZ0beslfOm6pkmYTfww3lKNIJGabMfMD3COoAI7zWebUvksZPsgH6f1olbzABkZdS1s//WNMnWQHGxsWePXkLFe8bfnNXouEXHtLvQ7On0KPyt8y5QBI9bDPpTn92/O9jCevXSttrez4buBdCHFmCE8xgW5JKKEXgMubPPjEF3MABiGu0TMeWM4a1ibY7HfvNrRkO1pE9RhdRT/dFV/MrPxk7P0k16x9H4+QnE7VglfNZO3Wd3bnYxcH7hmAbIzpFnUJvolyNfmynwL2WwaYuBskXASD1FuqpM0tbhantqGyHVPe62+KimU0zDAJ1HMyqhIN0MD1MSXsdoItAsw033GYLB83L8xPatARJR9qEdKwrhmgSDY36AbJ8VI/RUzicZoYdhK8+M7bNGIkD5MgrQO35q+3oa6Xcib+5MtW0RVJKLP4y5/XNkjd4EPl6nahcVi63/FG7LJmO+/I7bkLIAWmIq8BHcXEwbz0womYp404pSfEPr3cy1N5S3yqRdzVxavTJb0PLMpHq2rWuHK2DIY77hEOAt0XcReWYsRkmTl+v9iQLF+D4GBLr+O2oZNJrocNVZYkfdjsrUd2cUOCV7ZQphO5Yc+yKrqzmCqUUvdoJ3vlaPxMXx4LACeMImo1sAFxoOgIpyfklo/bdhi9osiL55I8pAIh5hGes/uCbwaRnW+wbaYcMliCuUO8XelfXwBot8W+0l0wk2zKRSKtYKcX1n/Ax5mIt6mIoQkvyL82lccS9ppJLjt7DYlvK8L6imeV11ATf1ZhSGB3c67/XYik5BXz827Rj29K6fg/CvU65f/bEAuE39gSJ4mHsRl3bvkNLiUMEBrDuZnText33fCbqVA5DUIfqSbLUzXtqNl8vHnlOBICYwjv8PtUMJ6VTCDu33SmtQzJAfnmuewOKAC51FPsyaDhouTKllUaqx34NfEP8k2C8/4oNPgDcLjInm3f43tIuJbScdp8ltNVCLoChS8jbBOvrVYTI0eP+BuAuEfWYldUYq96oH/x9d0yvPqZ1rnwmqg4y6GfkACw6+/QvrDdtcM+1uI86RxZ7KGurb8KG7NPdSWhzz+72+TO5Tq29K8QETLzzalnVzaVWj/xGsjgkslxmDMKxLJQw0o24lgg/R30aU9BL6YwDVi10nu+Tv5kayb/NVLdMNWxfKNg1KZcf8M2ApgonjingbpUlinZ25/IIcQB9lMT4HSyvtGtIqnsPL4SQNsgBLcMzdwbL0EvS3qMAEVWKfUm2v9AA2+RMsKEKtD4UNF2xF7oACJiyTcw/xUOmkaTIZZ2ev0JVb4IYs1qx5Skz+IMAvWQ2FjBMXna5e/LYgBl6kdLSTcDvlymHpbjjuRdRq+uq+ZMXIACyZ+qUnZ0qcfWGPxOCI0hXPc5ac/zSGkPKYiWT/rCSuo+MoijjK4YZ2fub9TCYjZRS+QvLlXOM8F06Or0jQQOveezqJFZdoBGj248BtcPAVbYqfaytIlYjARlhQL/lKaaOrbONk6kIlDpwkhlzO50OkhALItlbW4Aa8zZ/WeXkfkb/6A7NLce42XDoOnvZt9UdYVTRphf8yxjRE2YMwZsmeTIieg8KwwJdnoJIhiQFdVDFgXb2xPZA2CbdvZwGwuFkLWgJUg6H+aHdw39UnNM+S9PYaOQ9oaS7IyeWhXMgP7TKM98uILsBg/Xn9tafHaslQfjVRDEaYtrmDZMYhb+h/MZKngx7uwmUyqHszAYN/M+RMJVy3s4uBu/EufWYVMorunpPEXGYA4Rg1HUuAOvWSvpM3PJG9Wnrazw6xmkwIUSKju5irpWATYmqSX3pPkG5C0sTatszVDAvTs9+/9Xdbney7/6QskSHMph8Kn/Udpq7PPrZWADkIi1k4oibgABOXOWBk5ZbNbiDrZA==,iv:ZUAqvOpcVCXQD2PFzUh0e2m20t6gVT3mYb7S50iV/m8=,tag:AssxMqjVUEwQ4R6Y7eG9Tg==,type:str]
3sops:
4 kms: []
5 gcp_kms: []
6 azure_kv: []
7 hc_vault: []
8 age:
9 - recipient: age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866
10 enc: |
11 -----BEGIN AGE ENCRYPTED FILE-----
12 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiTjludkxXUm5OREx4Zndk
13 czI0VmMxUE5kOHVKQ1lTL1RvQXlIQ3FhWFRVCmVXbmFqNTBDNy94RDJtakQra0lh
14 a2JrZlBxWFNVVFh6WFU3bjBwaFVIa1kKLS0tIFNObGZvVmpuQlU4SFBjZk45dlJM
15 d3VHVVZsVGlBd2craGNVbHdoeUpyVFEK/Tj9QVqAOWmAJv/PESvIOnnIbZkKof6E
16 HHaEYANQTp5kLyWaz4rfJiiQOP2bL5hDr1XV61mf6y9W8m9w4IynHg==
17 -----END AGE ENCRYPTED FILE-----
18 - recipient: age1fj65apkhfkrwyv5tx6zcs9nkjg8267fy733qph30sc7zfn7vapjqkd5kne
19 enc: |
20 -----BEGIN AGE ENCRYPTED FILE-----
21 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6L2lSdUUvSE1iUTEvdkxm
22 Nm4vV3MySWlTdldMZEw2dEhtSlZCb0wvL0VBCnJxY2dNUlJhcktQNVVOdHhPemJF
23 ZUJ3NUR0ZTRZdFkwMmExR2gwOHFlMTQKLS0tIHhLbkZQalBuNm5mRHBVQ1NNbGM4
24 YUNsNE8vbnk0RnpRbHB5azM2NmdmKzAKwUVFQHvBvGjc/mGI9lhkW86ovUVvUxok
25 O6QelapJHGP2gQ3aZBk8eFJJs7Ve+q1yiQUbO34BFFdIfRyiObmbKw==
26 -----END AGE ENCRYPTED FILE-----
27 lastmodified: "2021-01-02T14:46:16Z"
28 mac: ENC[AES256_GCM,data:Phng7z7UlE6nO3FFIQPOHgKCqDm2uOGL57ryJbokjipSSdoWPinpz0zIJv9Z67b9uOf3CQoGtV4YwcudNkzDBKOyD8uA6RYwCKpbYcZIdiy8DLL46+VT/wq9toTkeDXM6jKupzzOARZhHT8DCOLqW7u8Q3S645cbTJmw0+LMIGk=,iv:y4KEh0+bKhtnSobKVdfaPuRsueNC1lcrEbUGfEAn+Bg=,tag:3Oi4e/hSgPVsoFQpnVQj+g==,type:str]
29 pgp: []
30 unencrypted_suffix: _unencrypted
31 version: 3.6.1
diff --git a/modules/yggdrasil/hosts/ymir.nix b/modules/yggdrasil/hosts/ymir.nix
deleted file mode 100644
index b77a9216..00000000
--- a/modules/yggdrasil/hosts/ymir.nix
+++ /dev/null
@@ -1,19 +0,0 @@
1{
2 addresses = [{ address = "ymir.yggdrasil.li"; }];
3 settings.Ed25519PublicKey = "b/SobnMqByzHOQeO+iU7OZ1liD8a++knbi5ebNawnaC";
4 rsaPublicKey = ''
5 -----BEGIN RSA PUBLIC KEY-----
6 MIICCgKCAgEAuInSfQf5euFXEVkLLzf9TumQJ+3WRsxX4uKdOXBqrIC7yjSBP8j9
7 ql5rNWPzgXxFF5ERmwW+E3cyzJLU9Htu7r3muqM6nhSZizhCskifPRFc3e5ssSke
8 XhHICHfe90+qvab/hWx/NjkW59bBYIzDuJfq+ijDFMVNgOxaiM2f3/2prUUhP7bN
9 r3wVI8KCkOaknc0SOOmOhLzfJaD5wosqLOjgaNhlro2eMgMjQlxbyW8dVVgjwseR
10 Cl/mpu7r1pSMhS66RFH68wDoC3X81f7Zs9ZGDLTD8KXWhx0qgUMUAH4n6YGY0RM6
11 BZ3qR/3KFRU64QPVAERpb0JdsU9ggCVydHkjrWW23ptHOPAOO5+yQj7tSDCKTRy9
12 dHMQnbtPrgAb6iMhO1XTxA8Hdta1sCHsewsQekarwsA1bmk3hTgi/k8vwoGDUWtk
13 jgiDEPuutfmH4C6qxq9s+6lRboNKH8wgkVGpHiaq7mmePFdhzFdrj4+fYAMZTbil
14 2iygsJ+yFOjA7U+iT6QDK33/MLsrQg0Ue6RPiG1qnDyax7gBAjz52iWkiuSkUXk0
15 E5ImdP4XMILgGcWk8iPq5iRS03edE0pCpxGX3ZZwFE5+CoXgO6wR1ToL1vZEEHMQ
16 SHJPufKjkavPKbejPps/mLaJQVw3W10PAJssB9nxW2aHX3n0ugGaIvMCAwEAAQ==
17 -----END RSA PUBLIC KEY-----
18 '';
19}