diff options
Diffstat (limited to 'hosts')
26 files changed, 519 insertions, 72 deletions
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix index 088e1022..9208e391 100644 --- a/hosts/sif/default.nix +++ b/hosts/sif/default.nix | |||
| @@ -12,9 +12,8 @@ let | |||
| 12 | in { | 12 | in { |
| 13 | imports = with flake.nixosModules.systemProfiles; [ | 13 | imports = with flake.nixosModules.systemProfiles; [ |
| 14 | ./hw.nix | 14 | ./hw.nix |
| 15 | ./mail ./libvirt | 15 | ./mail ./libvirt ./greetd |
| 16 | tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines | 16 | tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines niri-unstable networkmanager |
| 17 | networkmanager | ||
| 18 | flakeInputs.nixos-hardware.nixosModules.lenovo-thinkpad-p1 | 17 | flakeInputs.nixos-hardware.nixosModules.lenovo-thinkpad-p1 |
| 19 | flakeInputs.impermanence.nixosModules.impermanence | 18 | flakeInputs.impermanence.nixosModules.impermanence |
| 20 | flakeInputs.nixVirt.nixosModules.default | 19 | flakeInputs.nixVirt.nixosModules.default |
| @@ -61,15 +60,20 @@ in { | |||
| 61 | plymouth.enable = true; | 60 | plymouth.enable = true; |
| 62 | 61 | ||
| 63 | kernelPackages = pkgs.linuxPackages_latest; | 62 | kernelPackages = pkgs.linuxPackages_latest; |
| 64 | extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ]; | ||
| 65 | kernelModules = ["v4l2loopback"]; | ||
| 66 | kernelPatches = [ | 63 | kernelPatches = [ |
| 67 | { name = "edac-config"; | 64 | { name = "edac-config"; |
| 68 | patch = null; | 65 | patch = null; |
| 69 | extraConfig = '' | 66 | extraStructuredConfig = with lib.kernel; { |
| 70 | EDAC y | 67 | EDAC = yes; |
| 71 | EDAC_IE31200 y | 68 | EDAC_IE31200 = yes; |
| 72 | ''; | 69 | }; |
| 70 | } | ||
| 71 | { name = "zswap-default"; | ||
| 72 | patch = null; | ||
| 73 | extraStructuredConfig = with lib.kernel; { | ||
| 74 | ZSWAP_DEFAULT_ON = yes; | ||
| 75 | ZSWAP_SHRINKER_DEFAULT_ON = yes; | ||
| 76 | }; | ||
| 73 | } | 77 | } |
| 74 | ]; | 78 | ]; |
| 75 | 79 | ||
| @@ -438,7 +442,7 @@ in { | |||
| 438 | }; | 442 | }; |
| 439 | 443 | ||
| 440 | xserver = { | 444 | xserver = { |
| 441 | enable = true; | 445 | enable = false; |
| 442 | 446 | ||
| 443 | xkb = { | 447 | xkb = { |
| 444 | layout = "us"; | 448 | layout = "us"; |
| @@ -464,47 +468,18 @@ in { | |||
| 464 | }; | 468 | }; |
| 465 | libinput.enable = true; | 469 | libinput.enable = true; |
| 466 | 470 | ||
| 467 | greetd = { | 471 | envfs.enable = false; |
| 468 | enable = true; | ||
| 469 | # settings.default_session.command = let | ||
| 470 | # cfg = config.programs.regreet; | ||
| 471 | # in pkgs.writeShellScript "greeter" '' | ||
| 472 | # modprobe -r nvidia_drm | ||
| 473 | 472 | ||
| 474 | # exec ${pkgs.dbus}/bin/dbus-run-session ${lib.getExe pkgs.cage} ${lib.escapeShellArgs cfg.cageArgs} -- ${lib.getExe cfg.package} | 473 | displayManager.defaultSession = "Niri"; |
| 475 | # ''; | ||
| 476 | }; | ||
| 477 | }; | ||
| 478 | |||
| 479 | programs.regreet = { | ||
| 480 | enable = true; | ||
| 481 | theme = { | ||
| 482 | package = pkgs.equilux-theme; | ||
| 483 | name = "Equilux-compact"; | ||
| 484 | }; | ||
| 485 | iconTheme = { | ||
| 486 | package = pkgs.paper-icon-theme; | ||
| 487 | name = "Paper-Mono-Dark"; | ||
| 488 | }; | ||
| 489 | font = { | ||
| 490 | package = pkgs.fira; | ||
| 491 | name = "Fira Sans"; | ||
| 492 | # size = 6; | ||
| 493 | }; | ||
| 494 | cageArgs = [ "-s" "-m" "last" ]; | ||
| 495 | settings = { | ||
| 496 | GTK.application_prefer_dark_theme = true; | ||
| 497 | }; | ||
| 498 | }; | 474 | }; |
| 499 | programs.hyprland.enable = true; | ||
| 500 | 475 | ||
| 501 | systemd.tmpfiles.settings = { | 476 | systemd.tmpfiles.settings = { |
| 502 | "10-localtime"."/etc/localtime".L.argument = "/.bcachefs/etc/localtime"; | 477 | "10-localtime"."/etc/localtime".L.argument = "/.bcachefs/etc/localtime"; |
| 503 | 478 | ||
| 504 | "10-regreet"."/var/cache/regreet/cache.toml".C.argument = toString ((pkgs.formats.toml {}).generate "cache.toml" { | 479 | # "10-regreet"."/var/cache/regreet/cache.toml".C.argument = toString ((pkgs.formats.toml {}).generate "cache.toml" { |
| 505 | last_user = "gkleen"; | 480 | # last_user = "gkleen"; |
| 506 | user_to_last_sess.gkleen = "Hyprland"; | 481 | # user_to_last_sess.gkleen = "Niri"; |
| 507 | }); | 482 | # }); |
| 508 | }; | 483 | }; |
| 509 | 484 | ||
| 510 | users = { | 485 | users = { |
| @@ -613,15 +588,15 @@ in { | |||
| 613 | }; | 588 | }; |
| 614 | 589 | ||
| 615 | nvidia = { | 590 | nvidia = { |
| 616 | open = true; | 591 | open = false; |
| 617 | modesetting.enable = true; | 592 | modesetting.enable = true; |
| 618 | powerManagement.enable = true; | 593 | powerManagement.enable = true; |
| 619 | prime = { | 594 | # prime = { |
| 620 | nvidiaBusId = "PCI:1:0:0"; | 595 | # nvidiaBusId = "PCI:1:0:0"; |
| 621 | intelBusId = "PCI:0:2:0"; | 596 | # intelBusId = "PCI:0:2:0"; |
| 622 | reverseSync.enable = true; | 597 | # reverseSync.enable = true; |
| 623 | offload.enableOffloadCmd = true; | 598 | # offload.enableOffloadCmd = true; |
| 624 | }; | 599 | # }; |
| 625 | }; | 600 | }; |
| 626 | 601 | ||
| 627 | graphics = { | 602 | graphics = { |
| @@ -695,6 +670,7 @@ in { | |||
| 695 | 670 | ||
| 696 | services.dbus.packages = with pkgs; | 671 | services.dbus.packages = with pkgs; |
| 697 | [ dbus dconf | 672 | [ dbus dconf |
| 673 | xdg-desktop-portal-gtk | ||
| 698 | ]; | 674 | ]; |
| 699 | 675 | ||
| 700 | services.udisks2.enable = true; | 676 | services.udisks2.enable = true; |
| @@ -703,12 +679,8 @@ in { | |||
| 703 | light.enable = true; | 679 | light.enable = true; |
| 704 | wireshark.enable = true; | 680 | wireshark.enable = true; |
| 705 | dconf.enable = true; | 681 | dconf.enable = true; |
| 706 | }; | 682 | niri.enable = true; |
| 707 | 683 | fuse.userAllowOther = true; | |
| 708 | zramSwap = { | ||
| 709 | enable = true; | ||
| 710 | algorithm = "zstd"; | ||
| 711 | writebackDevice = "/dev/disk/by-label/swap"; | ||
| 712 | }; | 684 | }; |
| 713 | 685 | ||
| 714 | services.pcscd.enable = true; | 686 | services.pcscd.enable = true; |
| @@ -728,6 +700,16 @@ in { | |||
| 728 | environment.sessionVariables."GTK_USE_PORTAL" = "1"; | 700 | environment.sessionVariables."GTK_USE_PORTAL" = "1"; |
| 729 | xdg.portal = { | 701 | xdg.portal = { |
| 730 | enable = true; | 702 | enable = true; |
| 703 | extraPortals = with pkgs; [ xdg-desktop-portal-gtk ]; | ||
| 704 | config.niri = { | ||
| 705 | default = ["gnome" "gtk"]; | ||
| 706 | "org.freedesktop.impl.portal.FileChooser" = ["gtk"]; | ||
| 707 | "org.freedesktop.impl.portal.OpenFile" = ["gtk"]; | ||
| 708 | "org.freedesktop.impl.portal.Access" = ["gtk"]; | ||
| 709 | "org.freedesktop.impl.portal.Notification" = ["gtk"]; | ||
| 710 | "org.freedesktop.impl.portal.Secret" = ["gnome-keyring"]; | ||
| 711 | "org.freedesktop.impl.portal.Inhibit" = ["none"]; | ||
| 712 | }; | ||
| 731 | }; | 713 | }; |
| 732 | 714 | ||
| 733 | environment.persistence."/.bcachefs" = { | 715 | environment.persistence."/.bcachefs" = { |
| @@ -735,11 +717,11 @@ in { | |||
| 735 | directories = [ | 717 | directories = [ |
| 736 | "/nix" | 718 | "/nix" |
| 737 | "/root" | 719 | "/root" |
| 720 | "/home" | ||
| 738 | "/var/log" | 721 | "/var/log" |
| 739 | "/var/lib/sops-nix" | 722 | "/var/lib/sops-nix" |
| 740 | "/var/lib/nixos" | 723 | "/var/lib/nixos" |
| 741 | "/var/lib/systemd" | 724 | "/var/lib/systemd" |
| 742 | "/home" | ||
| 743 | "/var/lib/chrony" | 725 | "/var/lib/chrony" |
| 744 | "/var/lib/fprint" | 726 | "/var/lib/fprint" |
| 745 | "/var/lib/bluetooth" | 727 | "/var/lib/bluetooth" |
| @@ -768,6 +750,10 @@ in { | |||
| 768 | 750 | ||
| 769 | home-manager.sharedModules = [ flakeInputs.nixVirt.homeModules.default ]; | 751 | home-manager.sharedModules = [ flakeInputs.nixVirt.homeModules.default ]; |
| 770 | 752 | ||
| 753 | environment.pathsToLink = [ | ||
| 754 | "share/zsh" | ||
| 755 | ]; | ||
| 756 | |||
| 771 | system.stateVersion = "24.11"; | 757 | system.stateVersion = "24.11"; |
| 772 | }; | 758 | }; |
| 773 | } | 759 | } |
diff --git a/hosts/sif/greetd/default.nix b/hosts/sif/greetd/default.nix new file mode 100644 index 00000000..37ca13c5 --- /dev/null +++ b/hosts/sif/greetd/default.nix | |||
| @@ -0,0 +1,49 @@ | |||
| 1 | { pkgs, ... }: | ||
| 2 | { | ||
| 3 | config = { | ||
| 4 | services.greetd = { | ||
| 5 | enable = true; | ||
| 6 | # settings.default_session.command = let | ||
| 7 | # cfg = config.programs.regreet; | ||
| 8 | # in pkgs.writeShellScript "greeter" '' | ||
| 9 | # modprobe -r nvidia_drm | ||
| 10 | |||
| 11 | # exec ${pkgs.dbus}/bin/dbus-run-session ${lib.getExe pkgs.cage} ${lib.escapeShellArgs cfg.cageArgs} -- ${lib.getExe cfg.package} | ||
| 12 | # ''; | ||
| 13 | }; | ||
| 14 | systemd.services.greetd.environment = { | ||
| 15 | XKB_DEFAULT_LAYOUT = "us,us"; | ||
| 16 | XKB_DEFAULT_VARIANT = "dvp,"; | ||
| 17 | XKB_DEFAULT_OPTIONS = "compose:caps,grp:win_space_toggle"; | ||
| 18 | }; | ||
| 19 | programs.regreet = { | ||
| 20 | enable = true; | ||
| 21 | theme = { | ||
| 22 | package = pkgs.equilux-theme; | ||
| 23 | name = "Equilux-compact"; | ||
| 24 | }; | ||
| 25 | iconTheme = { | ||
| 26 | package = pkgs.paper-icon-theme; | ||
| 27 | name = "Paper-Mono-Dark"; | ||
| 28 | }; | ||
| 29 | font = { | ||
| 30 | package = pkgs.fira; | ||
| 31 | name = "Fira Sans"; | ||
| 32 | # size = 6; | ||
| 33 | }; | ||
| 34 | cageArgs = [ "-s" "-m" "last" ]; | ||
| 35 | settings = { | ||
| 36 | GTK.application_prefer_dark_theme = true; | ||
| 37 | widget.clock.format = "%F %H:%M:%S%:z"; | ||
| 38 | background = { | ||
| 39 | path = pkgs.runCommand "wallpaper.png" { | ||
| 40 | buildInputs = with pkgs; [ imagemagick ]; | ||
| 41 | } '' | ||
| 42 | magick ${./wallpaper.png} -filter Gaussian -resize 6.25% -define filter:sigma=2.5 -resize 1600% "$out" | ||
| 43 | ''; | ||
| 44 | fit = "Cover"; | ||
| 45 | }; | ||
| 46 | }; | ||
| 47 | }; | ||
| 48 | }; | ||
| 49 | } | ||
diff --git a/hosts/sif/greetd/wallpaper.png b/hosts/sif/greetd/wallpaper.png new file mode 100644 index 00000000..20fc761a --- /dev/null +++ b/hosts/sif/greetd/wallpaper.png | |||
| Binary files differ | |||
diff --git a/hosts/sif/hw.nix b/hosts/sif/hw.nix index d1fb2934..1bcf0261 100644 --- a/hosts/sif/hw.nix +++ b/hosts/sif/hw.nix | |||
| @@ -19,6 +19,9 @@ | |||
| 19 | "/var/lib/sops-nix".neededForBoot = true; | 19 | "/var/lib/sops-nix".neededForBoot = true; |
| 20 | "/var/lib/systemd".neededForBoot = true; | 20 | "/var/lib/systemd".neededForBoot = true; |
| 21 | }; | 21 | }; |
| 22 | swapDevices = [ | ||
| 23 | { label = "swap"; } | ||
| 24 | ]; | ||
| 22 | # system.etc.overlay.enable = false; | 25 | # system.etc.overlay.enable = false; |
| 23 | 26 | ||
| 24 | boot.initrd.systemd.packages = [ | 27 | boot.initrd.systemd.packages = [ |
diff --git a/hosts/sif/libvirt/default.nix b/hosts/sif/libvirt/default.nix index d0be7dff..9712d0d9 100644 --- a/hosts/sif/libvirt/default.nix +++ b/hosts/sif/libvirt/default.nix | |||
| @@ -8,6 +8,7 @@ with flakeInputs.nixVirt.lib; | |||
| 8 | qemu.swtpm.enable = true; | 8 | qemu.swtpm.enable = true; |
| 9 | allowedBridges = ["virbr0" "rz-0971" "rz-2403"]; | 9 | allowedBridges = ["virbr0" "rz-0971" "rz-2403"]; |
| 10 | }; | 10 | }; |
| 11 | virtualisation.spiceUSBRedirection.enable = true; | ||
| 11 | virtualisation.libvirt = { | 12 | virtualisation.libvirt = { |
| 12 | enable = true; | 13 | enable = true; |
| 13 | swtpm.enable = true; | 14 | swtpm.enable = true; |
diff --git a/hosts/sif/mail/default.nix b/hosts/sif/mail/default.nix index f36cd599..8d6cd705 100644 --- a/hosts/sif/mail/default.nix +++ b/hosts/sif/mail/default.nix | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | { config, pkgs, ... }: | 1 | { config, lib, pkgs, ... }: |
| 2 | { | 2 | { |
| 3 | services.postfix = { | 3 | services.postfix = { |
| 4 | enable = true; | 4 | enable = true; |
diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix index b8a639d5..3bbd51a4 100644 --- a/hosts/surtr/default.nix +++ b/hosts/surtr/default.nix | |||
| @@ -7,6 +7,7 @@ with lib; | |||
| 7 | tmpfs-root qemu-guest openssh rebuild-machines zfs | 7 | tmpfs-root qemu-guest openssh rebuild-machines zfs |
| 8 | ./zfs.nix ./dns ./tls ./http ./bifrost ./matrix ./postgresql | 8 | ./zfs.nix ./dns ./tls ./http ./bifrost ./matrix ./postgresql |
| 9 | ./prometheus ./email ./vpn ./borg.nix ./etebase ./immich.nix | 9 | ./prometheus ./email ./vpn ./borg.nix ./etebase ./immich.nix |
| 10 | ./paperless.nix ./hledger.nix | ||
| 10 | ]; | 11 | ]; |
| 11 | 12 | ||
| 12 | config = { | 13 | config = { |
diff --git a/hosts/surtr/dns/Gupfile b/hosts/surtr/dns/Gupfile index ac96f620..70674cce 100644 --- a/hosts/surtr/dns/Gupfile +++ b/hosts/surtr/dns/Gupfile | |||
| @@ -1,2 +1,2 @@ | |||
| 1 | key.gup: | 1 | key.gup: |
| 2 | keys/*.yaml \ No newline at end of file | 2 | keys/* \ No newline at end of file |
diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix index ee1d089d..5dd60190 100644 --- a/hosts/surtr/dns/default.nix +++ b/hosts/surtr/dns/default.nix | |||
| @@ -157,7 +157,7 @@ in { | |||
| 157 | ${concatMapStringsSep "\n" mkZone [ | 157 | ${concatMapStringsSep "\n" mkZone [ |
| 158 | { domain = "yggdrasil.li"; | 158 | { domain = "yggdrasil.li"; |
| 159 | addACLs = { "yggdrasil.li" = ["ymir_acme_acl"]; }; | 159 | addACLs = { "yggdrasil.li" = ["ymir_acme_acl"]; }; |
| 160 | acmeDomains = ["surtr.yggdrasil.li" "yggdrasil.li" "etesync.yggdrasil.li" "immich.yggdrasil.li" "app.etesync.yggdrasil.li"]; | 160 | acmeDomains = ["surtr.yggdrasil.li" "yggdrasil.li" "etesync.yggdrasil.li" "immich.yggdrasil.li" "app.etesync.yggdrasil.li" "paperless.yggdrasil.li" "hledger.yggdrasil.li"]; |
| 161 | } | 161 | } |
| 162 | { domain = "nights.email"; | 162 | { domain = "nights.email"; |
| 163 | addACLs = { "nights.email" = ["ymir_acme_acl"]; }; | 163 | addACLs = { "nights.email" = ["ymir_acme_acl"]; }; |
diff --git a/hosts/surtr/dns/key.gup b/hosts/surtr/dns/key.gup index 32d4f7d6..5b5058b3 100644 --- a/hosts/surtr/dns/key.gup +++ b/hosts/surtr/dns/key.gup | |||
| @@ -3,4 +3,4 @@ | |||
| 3 | keyName=${${2:t}%.yaml}_key | 3 | keyName=${${2:t}%.yaml}_key |
| 4 | 4 | ||
| 5 | keymgr -t ${keyName} > $1 | 5 | keymgr -t ${keyName} > $1 |
| 6 | sops -p '7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8,30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51' --input-type=binary --output-type=binary -e -i $1 \ No newline at end of file | 6 | sops --input-type=binary --output-type=binary -e -i $1 |
diff --git a/hosts/surtr/dns/keys/hledger.yggdrasil.li_acme b/hosts/surtr/dns/keys/hledger.yggdrasil.li_acme new file mode 100644 index 00000000..b3f4cfb6 --- /dev/null +++ b/hosts/surtr/dns/keys/hledger.yggdrasil.li_acme | |||
| @@ -0,0 +1,24 @@ | |||
| 1 | { | ||
| 2 | "data": "ENC[AES256_GCM,data:lCj8VYJL9z29FJ154XQtxKQLwwitCRGy4krJ6u8yw2FMzoHprEpFgm33+mFspxSKk/It2G8cfTGMZSeVkYJEHb66HNKHl0A2Fz3hwjpRjh1MZAw0wiZJlnS/LNqoGstQ2PJmTQTW3aJRMoT1GS7q/gSp/3rqySA5EOm0GgUiA3Vi7nGpkBenKDEbQbcIBXRdMOk66BCdiz5XGm/1VLQQLO9oVwY2KBnLaZSISohyGVhbIy7GT2ygoWHHxHn0c5CRVNvGNwesM1gO1NnTFrISLMWSrsDPaAtQ,iv:fa8LFjzqsf2ccfbEe5MOmerb7FzXb4xr24y1GWIMT1Q=,tag:7oQ54DKBb76Pbw1lmEHt+Q==,type:str]", | ||
| 3 | "sops": { | ||
| 4 | "kms": null, | ||
| 5 | "gcp_kms": null, | ||
| 6 | "azure_kv": null, | ||
| 7 | "hc_vault": null, | ||
| 8 | "age": [ | ||
| 9 | { | ||
| 10 | "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866", | ||
| 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzcHJLRHh0VkpDNDU3cGZS\nMWFlVWpFemZ2RnpnSllDWU1EWGoyWUxyejNzClBGandzaFI5NXY1bG51Y3VxRk9r\nc29NbXBOaEZDblBuaVowemQydkxBdjgKLS0tICtVb2xkMmh4T0Q0cU4xQnBzZExI\namFRUnRYTWIyQ3RHNUVHWTFrUzhhK1UKqmATNmxlhkxM5PP1U6w7fSYVA8AgIRAt\nJ9WZrTffQfXMdw4RmjWcoVHFH39Fe4SteedxliCCcqjkjgSEB4Rgow==\n-----END AGE ENCRYPTED FILE-----\n" | ||
| 12 | }, | ||
| 13 | { | ||
| 14 | "recipient": "age19a7j77w267z04zls7m28a8hj4a0g5af6ltye2d5wypg33c3l89csd4r9zq", | ||
| 15 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjWlhpQWI4c0x0ZXRGYVE2\nR1dHZzZud0ZxQWsrREhJWUowWE1zem5FVFI0CkJBUnIwY1FGS3N2VnpuSkZjRllZ\ncVgyeVg4cTVjRitzL0RKb0ZQb3BsOEkKLS0tIGs3SDBkamVBNDhQUlh5dmVVZXJs\nM3VKdlFKc21GcFY0UUtiaHFvYWI4V0kKKuWYEncxe9NT2ZS3X3+l/gT4BQOrdCg8\nj2jGL+Yzy/356GO3PFTn2HHLam6KWDKaYB5TlK/zSohfUt5giQH2Lw==\n-----END AGE ENCRYPTED FILE-----\n" | ||
| 16 | } | ||
| 17 | ], | ||
| 18 | "lastmodified": "2025-02-19T17:13:51Z", | ||
| 19 | "mac": "ENC[AES256_GCM,data:XsBdMCBjB+YuBMZQrjJ5uZtaYKSqsdWVvm+IEoJflCKPIhPk2rBZ3nY8KngXFbq2fWgsYyTM83kb2trEGIEHUPuERt+mgfCI3bSlylriwgsDWihCjyBecNE+BbdXE0+YcNl8pIwBU4M+3f2StQMH22YamToLJ9i9kfKcBrirDuU=,iv:VTIdBVY3kVBMYWhYUmrP2vZ9rpH90DzF68y1aDf2EAs=,tag:YkL+nw6LNXAceZtx9vgf6A==,type:str]", | ||
| 20 | "pgp": null, | ||
| 21 | "unencrypted_suffix": "_unencrypted", | ||
| 22 | "version": "3.9.4" | ||
| 23 | } | ||
| 24 | } \ No newline at end of file | ||
diff --git a/hosts/surtr/dns/keys/paperless.yggdrasil.li_acme b/hosts/surtr/dns/keys/paperless.yggdrasil.li_acme new file mode 100644 index 00000000..bc4640db --- /dev/null +++ b/hosts/surtr/dns/keys/paperless.yggdrasil.li_acme | |||
| @@ -0,0 +1,24 @@ | |||
| 1 | { | ||
| 2 | "data": "ENC[AES256_GCM,data:wOl8KLHD0H+btq0A3UreyVF9bOXZsiTwWJkVH8GubyIQDyiDC8vQm+dfv0rz8TwcBWYpC4aMIPPflG2HsdYO4rKGQ/nBmWmxhNXjpnyRo8iKM1BGb5bxNe4eVcUVhI60NuRJDRLmtDp+0rYGT/MVYp0/mHBINsQCXWBPDoaN2PI2GSnRag/x0wcL27xgH6NDd8glcdCN5nCAPDvazA3LialkXXv7/cceA5Q/Ee6HGzPP0w212/UvBm07Z5tXnHiy5cTbAGTUBfIqC8n501jtaQhpMh/yzA1R8KwUrw==,iv:bLzsthCaanNikNS2Es4J1++E5lijEbjyW5hU4zzNBcg=,tag:eWfZ3AtcSAGv8jWXzqlAwQ==,type:str]", | ||
| 3 | "sops": { | ||
| 4 | "kms": null, | ||
| 5 | "gcp_kms": null, | ||
| 6 | "azure_kv": null, | ||
| 7 | "hc_vault": null, | ||
| 8 | "age": [ | ||
| 9 | { | ||
| 10 | "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866", | ||
| 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNYWZKOHd2UmxWYVlIamk4\nZ04zQnAwcDdsSDBDWUZnekNva3BzRERyWXljCmNvUU1Fczc2aUN6VGl6NEJ6MGIx\nWHVpeVluWnRnbjNadGxkSmYyNE1rZzQKLS0tIGpkYVZQRDJGS21ZZHdlRk1MMm02\nQ09aanNXSWltNi9QeUNtUVQ2UEZybmMK6/qcNYLMcyKTmtROX+ZsRqDxMXwkXiAV\ndsdsWJ5+zSJuK5SEIh0fqEZ/t4pxnMcr1WieETgLSd+w0sNQS7EKPQ==\n-----END AGE ENCRYPTED FILE-----\n" | ||
| 12 | }, | ||
| 13 | { | ||
| 14 | "recipient": "age19a7j77w267z04zls7m28a8hj4a0g5af6ltye2d5wypg33c3l89csd4r9zq", | ||
| 15 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByRjdJOHdjamRHVjlZOTNV\nbTBuam5vNERIWTB6T0JkR2pLUnlQN1BGbUJNClhrZ2hPRWZtT3BERFNwdmNEMmVu\nT0dxcjNkNGIvMVJQWENoUmRhTGd6SXcKLS0tIDV6WDd1bks4K1VuVkgybjdMd0w0\nMHBsT3FmOWU0WnJsM2diQm1sTU1ON2MKtf5HZ0S1cLMx98vDKRKamS7aHIJZ0OnA\nzH4VoeVm+PKsOeqVfY+gMHLdaMEWLKYsz3B8bxIoL5pvnCdT1QAN2A==\n-----END AGE ENCRYPTED FILE-----\n" | ||
| 16 | } | ||
| 17 | ], | ||
| 18 | "lastmodified": "2025-02-13T19:23:42Z", | ||
| 19 | "mac": "ENC[AES256_GCM,data:o7zNTjkohzAouYpJUGqf8DUfYf4/g3GZgc+4cf+PjI0OF8uc1WDCPvliBFe6pf/8QMhV5DFWd2SfszWnpnQhtiIVG/2BEk5sw3P6r/SUbSErakFYHueVQKp+9rdxK6uKcHUYhO46E332AwIxTuvNeHtSBMxx0kAwQPuuD/u3L4A=,iv:aiM0sGyGMk5lfBOpB2bDFCY+UfWwyUNixieww6eOSLs=,tag:MI7xJ7RsyZgQfF1SBVVmcQ==,type:str]", | ||
| 20 | "pgp": null, | ||
| 21 | "unencrypted_suffix": "_unencrypted", | ||
| 22 | "version": "3.9.4" | ||
| 23 | } | ||
| 24 | } \ No newline at end of file | ||
diff --git a/hosts/surtr/dns/zones/li.141.soa b/hosts/surtr/dns/zones/li.141.soa index d42b4719..ab117f09 100644 --- a/hosts/surtr/dns/zones/li.141.soa +++ b/hosts/surtr/dns/zones/li.141.soa | |||
| @@ -1,7 +1,7 @@ | |||
| 1 | $ORIGIN 141.li. | 1 | $ORIGIN 141.li. |
| 2 | $TTL 3600 | 2 | $TTL 3600 |
| 3 | @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li ( | 3 | @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li ( |
| 4 | 2024102100 ; serial | 4 | 2025020900 ; serial |
| 5 | 10800 ; refresh | 5 | 10800 ; refresh |
| 6 | 3600 ; retry | 6 | 3600 ; retry |
| 7 | 604800 ; expire | 7 | 604800 ; expire |
| @@ -59,5 +59,3 @@ _infinoted._tcp IN SRV 5 0 6523 ymir.yggdrasil.li. | |||
| 59 | _submission._tcp IN SRV 5 0 25 ymir.yggdrasil.li. | 59 | _submission._tcp IN SRV 5 0 25 ymir.yggdrasil.li. |
| 60 | _imap._tcp IN SRV 5 0 143 ymir.yggdrasil.li. | 60 | _imap._tcp IN SRV 5 0 143 ymir.yggdrasil.li. |
| 61 | _imaps._tcp IN SRV 5 0 993 ymir.yggdrasil.li. | 61 | _imaps._tcp IN SRV 5 0 993 ymir.yggdrasil.li. |
| 62 | |||
| 63 | _factorio._udp IN SRV 5 0 34197 game01.yggdrasil.li. | ||
diff --git a/hosts/surtr/dns/zones/li.yggdrasil.soa b/hosts/surtr/dns/zones/li.yggdrasil.soa index 9af6232f..2ef120e6 100644 --- a/hosts/surtr/dns/zones/li.yggdrasil.soa +++ b/hosts/surtr/dns/zones/li.yggdrasil.soa | |||
| @@ -1,7 +1,7 @@ | |||
| 1 | $ORIGIN yggdrasil.li. | 1 | $ORIGIN yggdrasil.li. |
| 2 | $TTL 3600 | 2 | $TTL 3600 |
| 3 | @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li ( | 3 | @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li ( |
| 4 | 2025010300 ; serial | 4 | 2025021901 ; serial |
| 5 | 10800 ; refresh | 5 | 10800 ; refresh |
| 6 | 3600 ; retry | 6 | 3600 ; retry |
| 7 | 604800 ; expire | 7 | 604800 ; expire |
| @@ -77,6 +77,22 @@ _acme-challenge.immich IN NS ns.yggdrasil.li. | |||
| 77 | 77 | ||
| 78 | immich IN HTTPS 1 . alpn="h2,h3" ipv4hint="202.61.241.61" ipv6hint="2a03:4000:52:ada::" | 78 | immich IN HTTPS 1 . alpn="h2,h3" ipv4hint="202.61.241.61" ipv6hint="2a03:4000:52:ada::" |
| 79 | 79 | ||
| 80 | paperless IN A 202.61.241.61 | ||
| 81 | paperless IN AAAA 2a03:4000:52:ada:: | ||
| 82 | paperless IN MX 0 surtr.yggdrasil.li | ||
| 83 | paperless IN TXT "v=spf1 redirect=surtr.yggdrasil.li" | ||
| 84 | _acme-challenge.paperless IN NS ns.yggdrasil.li. | ||
| 85 | |||
| 86 | paperless IN HTTPS 1 . alpn="h2,h3" ipv4hint="202.61.241.61" ipv6hint="2a03:4000:52:ada::" | ||
| 87 | |||
| 88 | hledger IN A 202.61.241.61 | ||
| 89 | hledger IN AAAA 2a03:4000:52:ada:: | ||
| 90 | hledger IN MX 0 surtr.yggdrasil.li | ||
| 91 | hledger IN TXT "v=spf1 redirect=surtr.yggdrasil.li" | ||
| 92 | _acme-challenge.hledger IN NS ns.yggdrasil.li. | ||
| 93 | |||
| 94 | hledger IN HTTPS 1 . alpn="h2,h3" ipv4hint="202.61.241.61" ipv6hint="2a03:4000:52:ada::" | ||
| 95 | |||
| 80 | vidhar IN AAAA 2a03:4000:52:ada:4:1:: | 96 | vidhar IN AAAA 2a03:4000:52:ada:4:1:: |
| 81 | vidhar IN MX 0 ymir.yggdrasil.li | 97 | vidhar IN MX 0 ymir.yggdrasil.li |
| 82 | vidhar IN TXT "v=spf1 redirect=yggdrasil.li" | 98 | vidhar IN TXT "v=spf1 redirect=yggdrasil.li" |
| @@ -104,6 +120,3 @@ _infinoted._tcp IN SRV 5 0 6523 ymir.yggdrasil.li. | |||
| 104 | _submission._tcp IN SRV 5 0 25 ymir.yggdrasil.li. | 120 | _submission._tcp IN SRV 5 0 25 ymir.yggdrasil.li. |
| 105 | _imap._tcp IN SRV 5 0 143 ymir.yggdrasil.li. | 121 | _imap._tcp IN SRV 5 0 143 ymir.yggdrasil.li. |
| 106 | _imaps._tcp IN SRV 5 0 993 ymir.yggdrasil.li. | 122 | _imaps._tcp IN SRV 5 0 993 ymir.yggdrasil.li. |
| 107 | |||
| 108 | game01 IN A 94.16.107.151 | ||
| 109 | game01 IN AAAA 2a03:4000:50:13d:34ee:a2ff:fed0:328f | ||
diff --git a/hosts/surtr/hledger.nix b/hosts/surtr/hledger.nix new file mode 100644 index 00000000..e44933c3 --- /dev/null +++ b/hosts/surtr/hledger.nix | |||
| @@ -0,0 +1,66 @@ | |||
| 1 | { config, ... }: | ||
| 2 | |||
| 3 | { | ||
| 4 | config = { | ||
| 5 | security.acme.rfc2136Domains = { | ||
| 6 | "hledger.yggdrasil.li" = { | ||
| 7 | restartUnits = ["nginx.service"]; | ||
| 8 | }; | ||
| 9 | }; | ||
| 10 | |||
| 11 | services.nginx = { | ||
| 12 | upstreams."hledger" = { | ||
| 13 | servers = { | ||
| 14 | "[2a03:4000:52:ada:4:1::]:5000" = {}; | ||
| 15 | }; | ||
| 16 | extraConfig = '' | ||
| 17 | keepalive 8; | ||
| 18 | ''; | ||
| 19 | }; | ||
| 20 | virtualHosts = { | ||
| 21 | "hledger.yggdrasil.li" = { | ||
| 22 | kTLS = true; | ||
| 23 | http3 = true; | ||
| 24 | forceSSL = true; | ||
| 25 | sslCertificate = "/run/credentials/nginx.service/hledger.yggdrasil.li.pem"; | ||
| 26 | sslCertificateKey = "/run/credentials/nginx.service/hledger.yggdrasil.li.key.pem"; | ||
| 27 | sslTrustedCertificate = "/run/credentials/nginx.service/hledger.yggdrasil.li.chain.pem"; | ||
| 28 | extraConfig = '' | ||
| 29 | charset utf-8; | ||
| 30 | ''; | ||
| 31 | |||
| 32 | locations = { | ||
| 33 | "/".extraConfig = '' | ||
| 34 | proxy_pass http://hledger; | ||
| 35 | |||
| 36 | proxy_http_version 1.1; | ||
| 37 | proxy_set_header Upgrade $http_upgrade; | ||
| 38 | proxy_set_header Connection "upgrade"; | ||
| 39 | |||
| 40 | proxy_redirect off; | ||
| 41 | proxy_set_header Host $host; | ||
| 42 | proxy_set_header X-Real-IP $remote_addr; | ||
| 43 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
| 44 | proxy_set_header X-Forwarded-Host $server_name; | ||
| 45 | proxy_set_header X-Forwarded-Proto $scheme; | ||
| 46 | |||
| 47 | client_max_body_size 0; | ||
| 48 | proxy_request_buffering off; | ||
| 49 | proxy_buffering off; | ||
| 50 | ''; | ||
| 51 | }; | ||
| 52 | }; | ||
| 53 | }; | ||
| 54 | }; | ||
| 55 | |||
| 56 | systemd.services.nginx = { | ||
| 57 | serviceConfig = { | ||
| 58 | LoadCredential = [ | ||
| 59 | "hledger.yggdrasil.li.key.pem:${config.security.acme.certs."hledger.yggdrasil.li".directory}/key.pem" | ||
| 60 | "hledger.yggdrasil.li.pem:${config.security.acme.certs."hledger.yggdrasil.li".directory}/fullchain.pem" | ||
| 61 | "hledger.yggdrasil.li.chain.pem:${config.security.acme.certs."hledger.yggdrasil.li".directory}/chain.pem" | ||
| 62 | ]; | ||
| 63 | }; | ||
| 64 | }; | ||
| 65 | }; | ||
| 66 | } | ||
diff --git a/hosts/surtr/paperless.nix b/hosts/surtr/paperless.nix new file mode 100644 index 00000000..7bc4397c --- /dev/null +++ b/hosts/surtr/paperless.nix | |||
| @@ -0,0 +1,66 @@ | |||
| 1 | { config, ... }: | ||
| 2 | |||
| 3 | { | ||
| 4 | config = { | ||
| 5 | security.acme.rfc2136Domains = { | ||
| 6 | "paperless.yggdrasil.li" = { | ||
| 7 | restartUnits = ["nginx.service"]; | ||
| 8 | }; | ||
| 9 | }; | ||
| 10 | |||
| 11 | services.nginx = { | ||
| 12 | upstreams."paperless" = { | ||
| 13 | servers = { | ||
| 14 | "[2a03:4000:52:ada:4:1::]:28981" = {}; | ||
| 15 | }; | ||
| 16 | extraConfig = '' | ||
| 17 | keepalive 8; | ||
| 18 | ''; | ||
| 19 | }; | ||
| 20 | virtualHosts = { | ||
| 21 | "paperless.yggdrasil.li" = { | ||
| 22 | kTLS = true; | ||
| 23 | http3 = true; | ||
| 24 | forceSSL = true; | ||
| 25 | sslCertificate = "/run/credentials/nginx.service/paperless.yggdrasil.li.pem"; | ||
| 26 | sslCertificateKey = "/run/credentials/nginx.service/paperless.yggdrasil.li.key.pem"; | ||
| 27 | sslTrustedCertificate = "/run/credentials/nginx.service/paperless.yggdrasil.li.chain.pem"; | ||
| 28 | extraConfig = '' | ||
| 29 | charset utf-8; | ||
| 30 | ''; | ||
| 31 | |||
| 32 | locations = { | ||
| 33 | "/".extraConfig = '' | ||
| 34 | proxy_pass http://paperless; | ||
| 35 | |||
| 36 | proxy_http_version 1.1; | ||
| 37 | proxy_set_header Upgrade $http_upgrade; | ||
| 38 | proxy_set_header Connection "upgrade"; | ||
| 39 | |||
| 40 | proxy_redirect off; | ||
| 41 | proxy_set_header Host $host; | ||
| 42 | proxy_set_header X-Real-IP $remote_addr; | ||
| 43 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
| 44 | proxy_set_header X-Forwarded-Host $server_name; | ||
| 45 | proxy_set_header X-Forwarded-Proto $scheme; | ||
| 46 | |||
| 47 | client_max_body_size 0; | ||
| 48 | proxy_request_buffering off; | ||
| 49 | proxy_buffering off; | ||
| 50 | ''; | ||
| 51 | }; | ||
| 52 | }; | ||
| 53 | }; | ||
| 54 | }; | ||
| 55 | |||
| 56 | systemd.services.nginx = { | ||
| 57 | serviceConfig = { | ||
| 58 | LoadCredential = [ | ||
| 59 | "paperless.yggdrasil.li.key.pem:${config.security.acme.certs."paperless.yggdrasil.li".directory}/key.pem" | ||
| 60 | "paperless.yggdrasil.li.pem:${config.security.acme.certs."paperless.yggdrasil.li".directory}/fullchain.pem" | ||
| 61 | "paperless.yggdrasil.li.chain.pem:${config.security.acme.certs."paperless.yggdrasil.li".directory}/chain.pem" | ||
| 62 | ]; | ||
| 63 | }; | ||
| 64 | }; | ||
| 65 | }; | ||
| 66 | } | ||
diff --git a/hosts/surtr/postgresql/default.nix b/hosts/surtr/postgresql/default.nix index 583e4443..059f4088 100644 --- a/hosts/surtr/postgresql/default.nix +++ b/hosts/surtr/postgresql/default.nix | |||
| @@ -89,6 +89,10 @@ in { | |||
| 89 | "d /var/spool/pgbackrest 0750 postgres postgres - -" | 89 | "d /var/spool/pgbackrest 0750 postgres postgres - -" |
| 90 | ]; | 90 | ]; |
| 91 | 91 | ||
| 92 | systemd.services.postgresql.serviceConfig = { | ||
| 93 | ReadWritePaths = [ "/var/spool/pgbackrest" "/var/lib/pgbackrest/archive/surtr" ]; | ||
| 94 | }; | ||
| 95 | |||
| 92 | systemd.services.migrate-postgresql = { | 96 | systemd.services.migrate-postgresql = { |
| 93 | after = [ "postgresql.service" ]; | 97 | after = [ "postgresql.service" ]; |
| 94 | bindsTo = [ "postgresql.service" ]; | 98 | bindsTo = [ "postgresql.service" ]; |
diff --git a/hosts/surtr/tls/tsig_key.gup b/hosts/surtr/tls/tsig_key.gup index 825479e5..46a3789e 100644 --- a/hosts/surtr/tls/tsig_key.gup +++ b/hosts/surtr/tls/tsig_key.gup | |||
| @@ -3,4 +3,4 @@ | |||
| 3 | keyFile=../dns/keys/${2:t}_acme | 3 | keyFile=../dns/keys/${2:t}_acme |
| 4 | gup -u $keyFile | 4 | gup -u $keyFile |
| 5 | sops -d --input-type=binary --output-type=binary ${keyFile} | yq -r '.key[0].secret' > $1 | 5 | sops -d --input-type=binary --output-type=binary ${keyFile} | yq -r '.key[0].secret' > $1 |
| 6 | sops -p '7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8,30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51' --input-type=binary -e -i $1 | 6 | sops --input-type=binary -e -i $1 |
diff --git a/hosts/surtr/tls/tsig_keys/hledger.yggdrasil.li b/hosts/surtr/tls/tsig_keys/hledger.yggdrasil.li new file mode 100644 index 00000000..ab6cdd68 --- /dev/null +++ b/hosts/surtr/tls/tsig_keys/hledger.yggdrasil.li | |||
| @@ -0,0 +1,24 @@ | |||
| 1 | { | ||
| 2 | "data": "ENC[AES256_GCM,data:Yd70QIj9DE6a5IN+Mf2M5p95vkRMHRg9BXaM686W7BRtthOw9m54/5FK6JWr,iv:cIOIKinkqFFPgTZdewWVY0h6kM5hGfVzuA4iYNhwK5c=,tag:Ds/oI+TOERbIdcGbI4WoEg==,type:str]", | ||
| 3 | "sops": { | ||
| 4 | "kms": null, | ||
| 5 | "gcp_kms": null, | ||
| 6 | "azure_kv": null, | ||
| 7 | "hc_vault": null, | ||
| 8 | "age": [ | ||
| 9 | { | ||
| 10 | "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866", | ||
| 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1NnJ4SmsvSlh3ZlliSm9C\nNG45clh3NEZWZ05jaHhVK0xqTVRFL2wxN1ZrCk5hL2p2ZjhtcDBjTEZscXFTNkY5\nemVZSUUwV2V5cFBTdWo4RWxsM2xROVEKLS0tIDBFSFlkUVJ0ajJEUENlelVFKzVk\ndnJhMURMU2o3WVBKZGNVRXBiNytqUFEKHivcSTYy5D770C0h7RsmLBmkIG9+MDoV\ngJHvfkGzXPKwmDTMKdHbIk+ctI+u0/1jMn/K2Q9OFnOIYxP3gHiFag==\n-----END AGE ENCRYPTED FILE-----\n" | ||
| 12 | }, | ||
| 13 | { | ||
| 14 | "recipient": "age19a7j77w267z04zls7m28a8hj4a0g5af6ltye2d5wypg33c3l89csd4r9zq", | ||
| 15 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArYUNCQ1U2MXpQdmM4SHR0\nTnJWZlFGTUQ1NjVqZ3Z2MGt5NFpBVFp0b0YwCkdseitkbzI1RkZyL3V5Z1pNMG9R\nVnEzRUxrTDQrS3BiMXB1QUFPeUcxZUkKLS0tIGJFODkwNFY3c0tBLzFBNjFiYjJk\nZW82bTdia2F1NHpNSG1IYmhWb1ZCTHMK9ovFx3+x5PrV4y6+RH5XA5DK2wRPXlAt\ncxxpRZIlmnvhZXIeCYE9yhHFmz3uAn0Oib1RUDblca9FlnF9tyYD6g==\n-----END AGE ENCRYPTED FILE-----\n" | ||
| 16 | } | ||
| 17 | ], | ||
| 18 | "lastmodified": "2025-02-19T17:13:51Z", | ||
| 19 | "mac": "ENC[AES256_GCM,data:ReRuK9qdZV8AbMzA9Yur0AZW+1RF3aRnfBvsKJkQtXsFdkmJQ4QkRGtL27RmjFdvQ3kXBIyhib7hYA60AJ0amduYrSScY0dtz8AurjyE4f2BGQ9/QeKRBfKXHxLvj4/xWNvS4+PVdGKkKbqIs8isz9n77WQQ3lTHop2K/TjaTuQ=,iv:gUhDK9oeUHdpQ2Fp8mFDIgPFo2JjHE0jjooL7FmvmrE=,tag:2lkwSl3j3oqamdLbM9wbow==,type:str]", | ||
| 20 | "pgp": null, | ||
| 21 | "unencrypted_suffix": "_unencrypted", | ||
| 22 | "version": "3.9.4" | ||
| 23 | } | ||
| 24 | } \ No newline at end of file | ||
diff --git a/hosts/surtr/tls/tsig_keys/paperless.yggdrasil.li b/hosts/surtr/tls/tsig_keys/paperless.yggdrasil.li new file mode 100644 index 00000000..b1029931 --- /dev/null +++ b/hosts/surtr/tls/tsig_keys/paperless.yggdrasil.li | |||
| @@ -0,0 +1,24 @@ | |||
| 1 | { | ||
| 2 | "data": "ENC[AES256_GCM,data:D9l0pklD2KDZ4/TXHtXg00MmCnjCVVBG0AK9j5OxxBCyYseCTckp2P/iPOng,iv:DjvuKWPr/jldfk0eZ5+jWHN0RurdruR4Md7AMAPzRQg=,tag:h0c4m3hpATzzb6a7DVmi9w==,type:str]", | ||
| 3 | "sops": { | ||
| 4 | "kms": null, | ||
| 5 | "gcp_kms": null, | ||
| 6 | "azure_kv": null, | ||
| 7 | "hc_vault": null, | ||
| 8 | "age": [ | ||
| 9 | { | ||
| 10 | "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866", | ||
| 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3S05aS0ZEcVU2T3BIOG13\nSDJLTUp4OG9ZYVluK2gxbUJDSFRaQ0xnS0YwClFkKzByanJGOWFwbTlISndyU0Rx\nN1FJb3FVaUZOVDBsWEdHTVNGaGNtMVkKLS0tIDI1RmxaMlhVd1FPL1dNdlRGK0Nq\nMFpJZTNnWncrbkV5YS82ZnhGRld0UG8KIuf7bC7GVxaGeR7gwC7kGu/wtBppjq4H\nyDT05CYJf9/EE3K5aJpIOlxyqowRs2SINvIVkyd5ggYkkxCctmGXjQ==\n-----END AGE ENCRYPTED FILE-----\n" | ||
| 12 | }, | ||
| 13 | { | ||
| 14 | "recipient": "age19a7j77w267z04zls7m28a8hj4a0g5af6ltye2d5wypg33c3l89csd4r9zq", | ||
| 15 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUV3ZqTVJkNWdHeTlKK3Vl\nVTdrdzE2Z3YzVmZxelNFMDNMTUJneHNtNzFRCmQxTU84ekV4bFVLajU0ajB6ZzZK\neEpuQTcyS1o4MW9xTU5nMXVUR0gxTmcKLS0tIGVzZC8xYTc1VkU2RzA2NFQ1K2xz\nLzhPVjBUcytWNGRsdnFob3A4aWljelkKFMlmigcEVzelcEiv6WGya1dsIOJYr7YT\naBHgMttV7zzYHLqvIVJSCz+uw2FqDyqN46twmzFC0HSHeiKbvRrHVw==\n-----END AGE ENCRYPTED FILE-----\n" | ||
| 16 | } | ||
| 17 | ], | ||
| 18 | "lastmodified": "2025-02-13T19:23:42Z", | ||
| 19 | "mac": "ENC[AES256_GCM,data:0Fcgq0pOZtBBSiK8pUr/jadXMdtbZYFhUbSe+7DQpB8Fo2r8cEoT+Cpcy7tu+l9eXUiDk/tXTBJyMXaW4XWwS/Fe6Zcb95UYaYR1Y6OM9JVPYmwd6QSeC13MwzhYaCDlBiWWq69Zn8grEg7npWo/LS9LK7IEbN7EI8o7QYDI6cw=,iv:C+8ZmVTNWySQ+/6j+YirSwZzoMqXRlgstk47Efxmqps=,tag:Be/6Ve6M/Dcm/6QrbF+JTw==,type:str]", | ||
| 20 | "pgp": null, | ||
| 21 | "unencrypted_suffix": "_unencrypted", | ||
| 22 | "version": "3.9.4" | ||
| 23 | } | ||
| 24 | } \ No newline at end of file | ||
diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix index b0797d8a..90ab40dd 100644 --- a/hosts/vidhar/default.nix +++ b/hosts/vidhar/default.nix | |||
| @@ -4,7 +4,7 @@ with lib; | |||
| 4 | 4 | ||
| 5 | { | 5 | { |
| 6 | imports = with flake.nixosModules.systemProfiles; [ | 6 | imports = with flake.nixosModules.systemProfiles; [ |
| 7 | ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest ./postgresql.nix ./immich.nix | 7 | ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest ./postgresql.nix ./immich.nix ./paperless ./hledger |
| 8 | tmpfs-root zfs | 8 | tmpfs-root zfs |
| 9 | initrd-all-crypto-modules default-locale openssh rebuild-machines | 9 | initrd-all-crypto-modules default-locale openssh rebuild-machines |
| 10 | build-server | 10 | build-server |
diff --git a/hosts/vidhar/hledger/default.nix b/hosts/vidhar/hledger/default.nix new file mode 100644 index 00000000..ae080f66 --- /dev/null +++ b/hosts/vidhar/hledger/default.nix | |||
| @@ -0,0 +1,83 @@ | |||
| 1 | { config, lib, pkgs, ... }: | ||
| 2 | { | ||
| 3 | config = { | ||
| 4 | services.hledger-web = { | ||
| 5 | enable = true; | ||
| 6 | allow = "view"; | ||
| 7 | stateDir = "/var/lib/hledger"; | ||
| 8 | journalFiles = lib.mkForce ["web.journal"]; | ||
| 9 | baseUrl = "https://hledger.yggdrasil.li"; | ||
| 10 | extraOptions = [ | ||
| 11 | "--socket=/run/hledger-web/http.sock" | ||
| 12 | ]; | ||
| 13 | }; | ||
| 14 | users = { | ||
| 15 | users.hledger.uid = 982; | ||
| 16 | groups.hledger.gid = 979; | ||
| 17 | }; | ||
| 18 | systemd.services.hledger-web = { | ||
| 19 | serviceConfig = { | ||
| 20 | UMask = "0002"; | ||
| 21 | ReadOnlyPaths = [ config.services.hledger-web.stateDir ]; | ||
| 22 | RuntimeDirectory = [ "hledger-web" ]; | ||
| 23 | PrivateDevices = true; | ||
| 24 | StateDirectory = "hledger"; | ||
| 25 | CapabilityBoundingSet = ""; | ||
| 26 | AmbientCapabilities = ""; | ||
| 27 | ProtectSystem = "strict"; | ||
| 28 | ProtectKernelTunables = true; | ||
| 29 | ProtectKernelModules = true; | ||
| 30 | ProtectControlGroups = true; | ||
| 31 | ProtectClock = true; | ||
| 32 | ProtectHostname = true; | ||
| 33 | ProtectHome = "tmpfs"; | ||
| 34 | ProtectKernelLogs = true; | ||
| 35 | ProtectProc = "invisible"; | ||
| 36 | ProcSubset = "pid"; | ||
| 37 | PrivateNetwork = false; | ||
| 38 | RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX"; | ||
| 39 | SystemCallArchitectures = "native"; | ||
| 40 | SystemCallFilter = [ | ||
| 41 | "@system-service @resources" | ||
| 42 | "~@obsolete @privileged" | ||
| 43 | ]; | ||
| 44 | RestrictSUIDSGID = true; | ||
| 45 | RemoveIPC = true; | ||
| 46 | NoNewPrivileges = true; | ||
| 47 | RestrictRealtime = true; | ||
| 48 | RestrictNamespaces = true; | ||
| 49 | LockPersonality = true; | ||
| 50 | PrivateUsers = true; | ||
| 51 | TemporaryFileSystem = [ "/var/lib/hledger/.cache:mode=0750,uid=${toString (config.users.users.hledger.uid)},gid=${toString (config.users.groups.hledger.gid)}" ]; | ||
| 52 | }; | ||
| 53 | }; | ||
| 54 | services.nginx = { | ||
| 55 | upstreams.hledger = { | ||
| 56 | servers = { "unix:/run/hledger-web/http.sock" = {}; }; | ||
| 57 | }; | ||
| 58 | virtualHosts."hledger.yggdrasil.li" = { | ||
| 59 | listen = [ | ||
| 60 | { addr = "[2a03:4000:52:ada:4:1::]"; port = 5000; } | ||
| 61 | ]; | ||
| 62 | extraConfig = '' | ||
| 63 | set_real_ip_from 2a03:4000:52:ada:4::; | ||
| 64 | auth_basic "hledger"; | ||
| 65 | auth_basic_user_file "/run/credentials/nginx.service/hledger_users"; | ||
| 66 | ''; | ||
| 67 | locations."/" = { | ||
| 68 | proxyPass = "http://hledger/"; | ||
| 69 | proxyWebsockets = true; | ||
| 70 | }; | ||
| 71 | }; | ||
| 72 | }; | ||
| 73 | systemd.services.nginx.serviceConfig = { | ||
| 74 | SupplementaryGroups = [ "hledger" ]; | ||
| 75 | LoadCredential = [ "hledger_users:${config.sops.secrets."hledger_users".path}" ]; | ||
| 76 | }; | ||
| 77 | sops.secrets."hledger_users" = { | ||
| 78 | format = "binary"; | ||
| 79 | sopsFile = ./htpasswd; | ||
| 80 | reloadUnits = [ "nginx.service" ]; | ||
| 81 | }; | ||
| 82 | }; | ||
| 83 | } | ||
diff --git a/hosts/vidhar/hledger/htpasswd b/hosts/vidhar/hledger/htpasswd new file mode 100644 index 00000000..016cb525 --- /dev/null +++ b/hosts/vidhar/hledger/htpasswd | |||
| @@ -0,0 +1,24 @@ | |||
| 1 | { | ||
| 2 | "data": "ENC[AES256_GCM,data:9MNDIAc7ePYk3xQDorX2pU8ybJkJb33RKiJxc2DYauXFNQYxtGwCYhZwod7p7fPh3KqZxBNMRoZXr+/RnV+trsqjAcOOjnXTWLbX6nubq/xm+q0BxEjOPn7FvJF9XOblBeupldo+byGh2CMH9qQv5Fov,iv:3Tym+Mfr48OJet3qDFZPg0XjYr4sNQdNdiu0vUxmzbY=,tag:E0sxRY/jeMVlqH6uAYvD/Q==,type:str]", | ||
| 3 | "sops": { | ||
| 4 | "kms": null, | ||
| 5 | "gcp_kms": null, | ||
| 6 | "azure_kv": null, | ||
| 7 | "hc_vault": null, | ||
| 8 | "age": [ | ||
| 9 | { | ||
| 10 | "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866", | ||
| 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3eFBsOEM2ZUNVT2V3LytC\nTUJvUDdKc0VzMyt2cDFKYU03djBjZVFpeVY4CjByMXhPVXRJVjhKQWZvQ2xuOTE3\ncXdJV1lZaHR3cVl0Z0hQaG00M2dGbjQKLS0tIEIzenVxb3cwM3pXTUl1YUZlSlk2\nbDc3VmE5NkEyZ2tRd01OUGZibmhtUlEKxdesIdvzm8s0SmXU5R+tSbmS5Dj24jrb\nEiMERYy1g8GyHR3d2/mU5iOIdsBegSZReUVzomaMT9L7/TmubgOP3g==\n-----END AGE ENCRYPTED FILE-----\n" | ||
| 12 | }, | ||
| 13 | { | ||
| 14 | "recipient": "age1qffdqvy9arld9zd5a5cylt0n98xhcns5shxhrhwjq5g4qa844ejselaa4l", | ||
| 15 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPa2RDZzR6cEFYTFA1QkND\nbndVeHVrMVJ0MWZvRmw5VXRhOHlRYllIRWxRCjU4dks4R25LS1RZMHFnbmpQRVZz\nNXhubkJvZFc2amRwMDVtQlE0NnBKNzQKLS0tIHRyeDUxTEFPMEMzWUVkZURzODdm\nSHdqbUpvNmFTS1QveFRpRHdnWHpHb28KnvdUkMkKGiBVHQD7Yv7n6WZjihCGJAR2\nMKl2WAn4g4jzgcXPwwIAIjUrMGSIdGpwCTUDcDnlKWAbRYO2B6P17A==\n-----END AGE ENCRYPTED FILE-----\n" | ||
| 16 | } | ||
| 17 | ], | ||
| 18 | "lastmodified": "2025-02-19T17:11:17Z", | ||
| 19 | "mac": "ENC[AES256_GCM,data:yBIEqHhr4igoMlRcgg2SigKfejqeuNmuleYolsLJo+QOaW4BHITJTvLxRV1JHPpcMVQkF//zx4ZfUUrb8tTN0znGu3Jnpd0JVagbfCVyEuT6d1SB/GzyUVvoQ2GlcA9us+5gjI4oEJTQCfVqnLDBWsw+jXdr3nEIWo6Mvbqo3lI=,iv:I6Swk4wyd+96+tJKRY/FHlS7ZShMDROcbl+l+ZLRxhM=,tag:P1uQvB4NLdkPEKRMI6lLxw==,type:str]", | ||
| 20 | "pgp": null, | ||
| 21 | "unencrypted_suffix": "_unencrypted", | ||
| 22 | "version": "3.9.4" | ||
| 23 | } | ||
| 24 | } \ No newline at end of file | ||
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft index 10fd4c51..1edae167 100644 --- a/hosts/vidhar/network/ruleset.nft +++ b/hosts/vidhar/network/ruleset.nft | |||
| @@ -92,6 +92,8 @@ table inet filter { | |||
| 92 | counter tftp-rx {} | 92 | counter tftp-rx {} |
| 93 | counter pgbackrest-rx {} | 93 | counter pgbackrest-rx {} |
| 94 | counter immich-rx {} | 94 | counter immich-rx {} |
| 95 | counter paperless-rx {} | ||
| 96 | counter hledger-rx {} | ||
| 95 | 97 | ||
| 96 | counter established-rx {} | 98 | counter established-rx {} |
| 97 | 99 | ||
| @@ -121,6 +123,8 @@ table inet filter { | |||
| 121 | counter tftp-tx {} | 123 | counter tftp-tx {} |
| 122 | counter pgbackrest-tx {} | 124 | counter pgbackrest-tx {} |
| 123 | counter immich-tx {} | 125 | counter immich-tx {} |
| 126 | counter paperless-tx {} | ||
| 127 | counter hledger-tx {} | ||
| 124 | 128 | ||
| 125 | counter tx {} | 129 | counter tx {} |
| 126 | 130 | ||
| @@ -197,6 +201,8 @@ table inet filter { | |||
| 197 | tcp dport 8432 counter name pgbackrest-rx accept | 201 | tcp dport 8432 counter name pgbackrest-rx accept |
| 198 | 202 | ||
| 199 | iifname bifrost tcp dport 2283 ip6 saddr $bifrost_surtr counter name immich-rx accept | 203 | iifname bifrost tcp dport 2283 ip6 saddr $bifrost_surtr counter name immich-rx accept |
| 204 | iifname bifrost tcp dport 28981 ip6 saddr $bifrost_surtr counter name paperless-rx accept | ||
| 205 | iifname bifrost tcp dport 5000 ip6 saddr $bifrost_surtr counter name hledger-rx accept | ||
| 200 | 206 | ||
| 201 | ct state { established, related } counter name established-rx accept | 207 | ct state { established, related } counter name established-rx accept |
| 202 | 208 | ||
| @@ -246,6 +252,8 @@ table inet filter { | |||
| 246 | tcp sport 8432 counter name pgbackrest-tx accept | 252 | tcp sport 8432 counter name pgbackrest-tx accept |
| 247 | 253 | ||
| 248 | iifname bifrost tcp sport 2283 ip6 daddr $bifrost_surtr counter name immich-tx accept | 254 | iifname bifrost tcp sport 2283 ip6 daddr $bifrost_surtr counter name immich-tx accept |
| 255 | iifname bifrost tcp sport 28981 ip6 daddr $bifrost_surtr counter name paperless-tx accept | ||
| 256 | iifname bifrost tcp sport 5000 ip6 daddr $bifrost_surtr counter name hledger-tx accept | ||
| 249 | 257 | ||
| 250 | 258 | ||
| 251 | counter name tx | 259 | counter name tx |
diff --git a/hosts/vidhar/paperless/default.nix b/hosts/vidhar/paperless/default.nix new file mode 100644 index 00000000..34cd18c4 --- /dev/null +++ b/hosts/vidhar/paperless/default.nix | |||
| @@ -0,0 +1,25 @@ | |||
| 1 | { config, ... }: | ||
| 2 | |||
| 3 | { | ||
| 4 | config = { | ||
| 5 | services.paperless = { | ||
| 6 | enable = true; | ||
| 7 | address = "[2a03:4000:52:ada:4:1::]"; | ||
| 8 | passwordFile = config.sops.secrets."paperless-rootpw".path; | ||
| 9 | settings = { | ||
| 10 | PAPERLESS_OCR_LANGUAGE = "deu+eng"; | ||
| 11 | PAPERLESS_URL = "https://paperless.yggdrasil.li"; | ||
| 12 | PAPERLESS_FILENAME_FORMAT = "{{ created_year }}/{{ document_type }}/{{ correspondent }}/{{ created }}_{{ doc_pk }}_{{ title }}"; | ||
| 13 | PAPERLESS_FILENAME_FORMAT_REMOVE_NONE = "true"; | ||
| 14 | PAPERLESS_TASK_WORKERS = "3"; | ||
| 15 | PAPERLESS_THREADS_PER_WORKER = "4"; | ||
| 16 | }; | ||
| 17 | database.createLocally = true; | ||
| 18 | }; | ||
| 19 | |||
| 20 | sops.secrets."paperless-rootpw" = { | ||
| 21 | format = "binary"; | ||
| 22 | sopsFile = ./rootpw; | ||
| 23 | }; | ||
| 24 | }; | ||
| 25 | } | ||
diff --git a/hosts/vidhar/paperless/rootpw b/hosts/vidhar/paperless/rootpw new file mode 100644 index 00000000..11f48fcb --- /dev/null +++ b/hosts/vidhar/paperless/rootpw | |||
| @@ -0,0 +1,24 @@ | |||
| 1 | { | ||
| 2 | "data": "ENC[AES256_GCM,data:Bsns3bLs7aA++eTf2Vh4g2iAXhmrMRTF,iv:zQ6hgXEvgHAloN6UMW54f2nYCvEhHPXQSBVSihHFiC0=,tag:uiGTEs07dpx12PcAjmbr9Q==,type:str]", | ||
| 3 | "sops": { | ||
| 4 | "kms": null, | ||
| 5 | "gcp_kms": null, | ||
| 6 | "azure_kv": null, | ||
| 7 | "hc_vault": null, | ||
| 8 | "age": [ | ||
| 9 | { | ||
| 10 | "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866", | ||
| 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlVUJjdEdIZGd6UDJBRXlL\nODFyWDhHOU9oTEVCVlFiUXVXNm9XZmVuampVCkJ0YkFXTlZXVnRldmtlVkJaR3R2\nMFhpaHB5M3pLeDFkUkkzMUFydGNnOFEKLS0tIEJtNWc0V2JaaWYvQlp6TGxVdVZO\neVpzQzB5Um82TUZOeHBHeE50MGlqNWsKj1P54Fc+c5n35+Og9DwBWkvW947hgFsp\ni/G2QcaLHHJMTexTCZYsr1naSVa/cMBAbrZmtjz0HV4Q1kCJtvlrIg==\n-----END AGE ENCRYPTED FILE-----\n" | ||
| 12 | }, | ||
| 13 | { | ||
| 14 | "recipient": "age1qffdqvy9arld9zd5a5cylt0n98xhcns5shxhrhwjq5g4qa844ejselaa4l", | ||
| 15 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1UG1QSWtXcFZoQVRBOC9D\nT2VnTW9pcTRCMForcHdZVld0c1NmNFZpWUNBCkRkMERKUVliYXRqb25saWxyb2JN\nbC9YL2ZQbytRM0ZjNmlQOTlTZTQrV2sKLS0tIFZyUWtRcXNqZUZxMGN5d0tHUng2\nVXNSdFEwMmtIVEdVRVlWeVU1YmJVSkUKRJa42k551QtiC6S0tmMv7eVN7GRqpXWz\nvzNh+BM9TOJNaTMmVesr4vXNDLOSFS3PxYv95xuOBzVg3zOHuai72g==\n-----END AGE ENCRYPTED FILE-----\n" | ||
| 16 | } | ||
| 17 | ], | ||
| 18 | "lastmodified": "2025-02-13T19:20:33Z", | ||
| 19 | "mac": "ENC[AES256_GCM,data:mG6AC3L8MMeZ0Ajr7zV1mzPcHviQw2adtGjSbrbPRw1xqN7siu6svoybv8xkahP2Grq/xKAiyfXFOFo7Uyc3ub5fSovAEolNazqybZYsyam5vHpeC23dXcEkZUJSPJ9/CSB5uI9nX3NPC64QUjCxHZ7qfH5gcXT9D12H8LSqKlQ=,iv:4Skdj8l9jlTX9Unc2xE2hCKVawHBnHR8L4kZA6H8xNw=,tag:zJsJ3S//faAn7AGwLefNoA==,type:str]", | ||
| 20 | "pgp": null, | ||
| 21 | "unencrypted_suffix": "_unencrypted", | ||
| 22 | "version": "3.9.4" | ||
| 23 | } | ||
| 24 | } \ No newline at end of file | ||
