From 15547689177c5e9bb5c5c0223d818283c90bf310 Mon Sep 17 00:00:00 2001 
From: Truxnell <19149206+truxnell@users.noreply.github.com> Date: Wed, 10 Apr 2024 18:00:25 +1000 Subject: [PATCH] Feat: containers and helios join the party (#79) * feat: add * hack * feat: add secrets pre-commit * wip * wip * hacking at gatus * hacking at gatus * wip * wip * hack * hack * hack * hack * feat: gatus doing gatus stuff * hack * guh * hacking * hack * hack * hack * feat: add helios * hack * chore: new hosts reencrypt * Auto lint/format --------- Co-authored-by: Truxnell <9149206+truxnell@users.noreply.github.com> Co-authored-by: truxnell --- .gitignore | 2 + .pre-commit-config.yaml | 10 + .sops.yaml | 2 + .taskfiles/nix/Taskfile.yaml | 40 ++- .taskfiles/nix/update-all.sh | 37 +++ .taskfiles/nix/update-single-machine.sh | 33 +++ docs/tips.md | 1 + docs/vm/installing-x86_64.md | 1 + docs/vm/installing-zfs-impermance.md | 41 ++++ docs/vm/servers.md | 11 + flake.nix | 30 ++- .../modules/programs/de/gnome/default.nix | 2 +- nixos/home/modules/shell/wezterm/default.nix | 6 +- nixos/home/truxnell/workstation.nix | 7 + nixos/hosts/bootstrap/configuration.nix | 1 + nixos/hosts/{shodan => durandal}/default.nix | 7 +- nixos/hosts/helios/default.nix | 88 +++++++ .../{services => containers}/arr/default.nix | 0 .../arr/lidarr/default.nix | 24 +- .../containers/arr/lidarr/secrets.sops.yaml | 68 ++++++ .../arr/prowlarr/default.nix | 23 +- .../containers/arr/prowlarr/secrets.sops.yaml | 68 ++++++ .../arr/radarr/default.nix | 24 +- .../containers/arr/radarr/secrets.sops.yaml | 68 ++++++ .../arr/readarr/default.nix | 25 +- .../containers/arr/readarr/secrets.sops.yaml | 68 ++++++ .../arr/sonarr/default.nix | 25 +- .../containers/arr/sonarr/secrets.sops.yaml | 68 ++++++ .../nixos/containers/cross-seed/default.nix | 42 ++++ nixos/modules/nixos/containers/default.nix | 9 + .../nixos/containers/gatus/default.nix | 230 ++++++++++++++++++ .../nixos/containers/gatus/secrets.sops.yaml | 68 ++++++ .../homepage/default.nix | 174 +++++++++++-- 
.../containers/homepage/secrets.sops.yaml | 68 ++++++ .../nixos/containers/qbittorrent/default.nix | 71 ++++++ .../nixos/containers/sabnzbd/default.nix | 72 ++++++ nixos/modules/nixos/default.nix | 3 +- .../modules/nixos/hardware/nvidia/default.nix | 25 +- .../services/arr/lidarr/secrets.sops.yaml | 59 ----- .../services/arr/prowlarr/secrets.sops.yaml | 59 ----- .../services/arr/radarr/secrets.sops.yaml | 59 ----- .../services/arr/readarr/secrets.sops.yaml | 59 ----- .../services/arr/sonarr/secrets.sops.yaml | 59 ----- nixos/modules/nixos/services/bind/default.nix | 23 +- .../nixos/services/bind/secrets.sops.yaml | 102 ++++---- nixos/modules/nixos/services/bind/zone | 0 .../cloudflare-dyndns.sops.yaml | 67 ++--- nixos/modules/nixos/services/default.nix | 3 +- .../dnscrypt-proxy2/dnscrypt-proxy2.sops.yaml | 65 ++--- .../nixos/services/maddy/maddy.sops.yaml | 65 ++--- .../modules/nixos/services/podman/default.nix | 3 +- .../nixos/services/traefik/default.nix | 66 ++++- .../nixos/services/traefik/secrets.sops.yaml | 67 ++--- nixos/modules/nixos/system/default.nix | 1 + nixos/modules/nixos/system/zfs.nix | 43 ++++ nixos/profiles/global/default.nix | 1 + nixos/profiles/role-server.nix | 8 + shell.nix | 29 ++- zone | 20 ++ 59 files changed, 1833 insertions(+), 567 deletions(-) create mode 100755 .taskfiles/nix/update-all.sh create mode 100755 .taskfiles/nix/update-single-machine.sh create mode 100644 docs/vm/installing-zfs-impermance.md create mode 100644 docs/vm/servers.md rename nixos/hosts/{shodan => durandal}/default.nix (87%) create mode 100644 nixos/hosts/helios/default.nix rename nixos/modules/nixos/{services => containers}/arr/default.nix (100%) rename nixos/modules/nixos/{services => containers}/arr/lidarr/default.nix (79%) create mode 100644 nixos/modules/nixos/containers/arr/lidarr/secrets.sops.yaml rename nixos/modules/nixos/{services => containers}/arr/prowlarr/default.nix (80%) create mode 100644 nixos/modules/nixos/containers/arr/prowlarr/secrets.sops.yaml 
rename nixos/modules/nixos/{services => containers}/arr/radarr/default.nix (79%) create mode 100644 nixos/modules/nixos/containers/arr/radarr/secrets.sops.yaml rename nixos/modules/nixos/{services => containers}/arr/readarr/default.nix (77%) create mode 100644 nixos/modules/nixos/containers/arr/readarr/secrets.sops.yaml rename nixos/modules/nixos/{services => containers}/arr/sonarr/default.nix (78%) create mode 100644 nixos/modules/nixos/containers/arr/sonarr/secrets.sops.yaml create mode 100644 nixos/modules/nixos/containers/cross-seed/default.nix create mode 100644 nixos/modules/nixos/containers/default.nix create mode 100644 nixos/modules/nixos/containers/gatus/default.nix create mode 100644 nixos/modules/nixos/containers/gatus/secrets.sops.yaml rename nixos/modules/nixos/{services => containers}/homepage/default.nix (51%) create mode 100644 nixos/modules/nixos/containers/homepage/secrets.sops.yaml create mode 100644 nixos/modules/nixos/containers/qbittorrent/default.nix create mode 100644 nixos/modules/nixos/containers/sabnzbd/default.nix delete mode 100644 nixos/modules/nixos/services/arr/lidarr/secrets.sops.yaml delete mode 100644 nixos/modules/nixos/services/arr/prowlarr/secrets.sops.yaml delete mode 100644 nixos/modules/nixos/services/arr/radarr/secrets.sops.yaml delete mode 100644 nixos/modules/nixos/services/arr/readarr/secrets.sops.yaml delete mode 100644 nixos/modules/nixos/services/arr/sonarr/secrets.sops.yaml delete mode 100644 nixos/modules/nixos/services/bind/zone create mode 100644 nixos/modules/nixos/system/zfs.nix create mode 100644 zone diff --git a/.gitignore b/.gitignore index e023299..b5a66ea 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,5 @@ **/*.tmp.sops.yaml result .direnv +**/*.sops.tmp.yaml +.kube diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index b4b5cfe..8864a6f 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -26,3 +26,13 @@ repos: - id: remove-crlf - id: remove-tabs exclude: (Makefile) + - repo: https://github.com/zricethezav/gitleaks + rev: v8.18.1 + hooks: + - id: gitleaks + - repo: https://github.com/yuvipanda/pre-commit-hook-ensure-sops + rev: v1.0 + hooks: + - id: sops-encryption + # Uncomment to exclude all markdown files from encryption + # exclude: *.\.md diff --git a/.sops.yaml b/.sops.yaml index 51cfa16..6eb68a1 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -14,6 +14,7 @@ keys: - &citadel age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk - &rickenbacker age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc - &shodan age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw + - &helios age1se7am4c5dh35aulf5zt38ymf600hz8gah4eudr9ml4fmr8h2eqxszuel73 creation_rules: - path_regex: .*\.sops\.yaml$ @@ -24,3 +25,4 @@ creation_rules: - *citadel - *rickenbacker - *shodan + - *helios diff --git a/.taskfiles/nix/Taskfile.yaml b/.taskfiles/nix/Taskfile.yaml index 96271fb..a2689cb 100644 --- a/.taskfiles/nix/Taskfile.yaml +++ b/.taskfiles/nix/Taskfile.yaml @@ -3,7 +3,9 @@ version: "3" vars: - host: $HOSTNAME + hostname: $HOSTNAME + host: '{{ or .host .hostname }}' + tasks: switch: 
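Review bot: The commented-out `# exclude: *.\.md` under the sops-encryption hook is not a valid regular expression (a leading `*` has nothing to repeat), so whoever uncomments it will get a pre-commit error instead of the intended markdown exclusion; `# exclude: .*\.md$` is the form pre-commit's `exclude` expects. Pinning gitleaks and the sops check as hooks is a good client-side guard, but both only run where `pre-commit install` has been done, so running the same hooks in CI would cover commits pushed from a machine without them.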
@@ -16,12 +18,46 @@ tasks: - echo "This will switch your config." - task: .prompt_to_continue - git add . - - sudo nixos-rebuild switch --flake "{{.ROOT_DIR}}/#{{.host}}" --impure + - sudo nixos-rebuild switch --flake "{{.ROOT_DIR}}/#{{.hostname}}" --impure preconditions: - sh: which nix msg: "nix not found" - sh: which nixos-rebuild msg: "nixos-rebuild not found" + + deploy-single: + desc: Deploy flake to single node + # silent: true + requires: + vars: + - host + cmds: + - echo "This will deploy the local flake to host {{ .host }}." + - task: .prompt_to_continue + - .taskfiles/nix/update-single-machine.sh {{.host}} + preconditions: + - sh: which nix + msg: "nix not found" + - sh: which nixos-rebuild + msg: "nixos-rebuild not found" + + deploy-all: + desc: Deploy flake to all nodes + # silent: true + requires: + vars: + - host + cmds: + - echo "This will deploy the local flake to all whitelisted hosts." + - task: .prompt_to_continue + - .taskfiles/nix/update-all.sh + preconditions: + - sh: which nix + msg: "nix not found" + - sh: which nixos-rebuild + msg: "nixos-rebuild not found" + + test: desc: Build and apply nix configuration diff --git a/.taskfiles/nix/update-all.sh b/.taskfiles/nix/update-all.sh new file mode 100755 index 0000000..e3b47ce --- /dev/null +++ b/.taskfiles/nix/update-all.sh 
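Review bot: `deploy-all` declares `requires: vars: [host]` but never uses `host`, and with the new `host: '{{ or .host .hostname }}'` default from the previous hunk the requirement is always satisfied anyway, so the block only misleads and should be dropped from `deploy-all`. The confirmation text `echo "This will deploy the local flake to all whitelisted hosts."` also overstates the control: update-all.sh deploys to every `nixosConfigurations` output except a hard-coded skip list, so `- echo "This will deploy the local flake to every host in the flake except the skip list in update-all.sh."` tells the operator what will actually happen before they confirm.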
@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+
+set -e
+
+hosts=($(echo $(nix eval .#nixosConfigurations --apply 'pkgs: builtins.concatStringsSep " " (builtins.attrNames pkgs)') | xargs))
+skip=(
+ "citadel"
+ "rickenbacker"
+)
+
+reboot=0
+
+while getopts ":r" option; do
+ case $option in
+ r)
+ reboot=1
+ ;;
+ esac
+done
+
+for host in "${hosts[@]}"; do
+ # Check if the host is in the skip list
+ if [[ " ${skip[*]} " =~ " ${host} " ]]; then
+ continue
+ fi
+ fqdn="$host.l.trux.dev"
+ if [ $reboot -eq 0 ]; then
+ echo $fqdn
+ nixos-rebuild switch -j auto --use-remote-sudo --target-host $fqdn --flake ".#$host"
+ else
+ echo "$fqdn with reboot"
+ nixos-rebuild boot -j auto --use-remote-sudo --target-host $fqdn --flake ".#$host"
+ ssh -i $rsa_key $fqdn 'sudo reboot'
+ fi
+ echo
+ echo
+done
diff --git a/.taskfiles/nix/update-single-machine.sh b/.taskfiles/nix/update-single-machine.sh
new file mode 100755
index 0000000..fbd9ded
--- /dev/null
+++ b/.taskfiles/nix/update-single-machine.sh
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+set -e
+
+cd /home/truxnell/.local/nix-config
+
+# rsa_key="~/.nixos/secrets/ssh_keys/ansible/ansible.key"
+# export NIX_SSHOPTS="-t -i $rsa_key"
+
+reboot=0
+
+while getopts ":r" option; do
+ case $option in
+ r)
+ reboot=1
+ host=$2
+ fqdn="$host.l.trux.dev"
+ echo "$fqdn with reboot"
+ nixos-rebuild boot -j auto --use-remote-sudo --target-host $fqdn --flake ".#$host"
+ # ssh -i $rsa_key $fqdn 'sudo reboot'
+ ssh $fqdn 'sudo reboot'
+ ;;
+ esac
+done
+
+if [ $reboot -eq 0 ]; then
+ host=$1
+ fqdn="$host.l.trux.dev"
+ echo "$fqdn"
+ nixos-rebuild switch -j auto --use-remote-sudo --target-host $fqdn --flake ".#$host"
+fi
+echo
+echo
diff --git a/docs/tips.md b/docs/tips.md
index 048e9f4..17e4d79 100644
--- a/docs/tips.md
+++ b/docs/tips.md
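Review bot: `ssh -i $rsa_key $fqdn 'sudo reboot'` in the reboot branch references `rsa_key`, which this script never sets (the only definition anywhere in the commit is the commented-out line in update-single-machine.sh). With `set -e` but no `set -u` the empty expansion is silent, `-i` then consumes `$fqdn` as the identity file and `sudo reboot` becomes the host argument, so the reboot fails only after `nixos-rebuild boot` has already staged the new generation on that host. Either change the first line to `set -eu` so the unset variable aborts before any host is touched, or drop `-i $rsa_key` as update-single-machine.sh already does. Separately, the `case` has no `\?)` arm and the `:` in `":r"` suppresses getopts' own error, so a mistyped option is ignored rather than rejected.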
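Review bot: Host selection depends on argument position rather than parsing: `host=$2` inside the `r)` arm is only right when `-r` comes first, getopts stops at the first non-option so `update-single-machine.sh durandal -r` never sees `-r`, and an empty or mistyped argument yields `fqdn=".l.trux.dev"` or a host literally named after the bad flag, which then becomes the `--target-host` for a `--use-remote-sudo` rebuild. Parsing options first, shifting them off, and requiring a non-empty host before any remote command runs removes all three cases; the rebuild logic itself is unchanged. The hard-coded `cd /home/truxnell/.local/nix-config` also diverges from the Taskfile, which passes `{{.ROOT_DIR}}` to `switch`; `cd "$(dirname "$0")/../.."` would keep the script usable from another checkout.
```shell
while getopts ":r" option; do
  case $option in
    r) reboot=1 ;;
    \?) echo "usage: $0 [-r] <host>" >&2; exit 2 ;;
  esac
done
shift $((OPTIND - 1))
host=${1:?usage: $0 [-r] <host>}
fqdn="$host.l.trux.dev"

if [ "$reboot" -eq 1 ]; then
  echo "$fqdn with reboot"
  nixos-rebuild boot -j auto --use-remote-sudo --target-host "$fqdn" --flake ".#$host"
  ssh "$fqdn" 'sudo reboot'
else
  echo "$fqdn"
  nixos-rebuild switch -j auto --use-remote-sudo --target-host "$fqdn" --flake ".#$host"
fi
# … unchanged: trailing echo lines …
```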
@@ -2,3 +2,4 @@ * Dont make conditional imports (nix needs to resolve imports upfront) * can pass between nixos and home-manager with config.homemanager.users.. and osConfig. https://grahamc.com/blog/erase-your-darlings/ + +# Partitioning +parted /dev/nvme0n1 -- mklabel gpt +parted /dev/nvme0n1 -- mkpart root ext4 512MB -8GB +parted /dev/nvme0n1 -- mkpart swap linux-swap -8GB 100% +parted /dev/nvme0n1 -- mkpart ESP fat32 1MB 512MB +parted /dev/nvme0n1 -- set 3 esp on + +# Formatting +mkswap -L swap /dev/nvme0n1p2 +mkfs.fat -F 32 -n boot /dev/nvme0n1p3 + +# ZFS on root partition +zpool create -O mountpoint=none rpool /dev/nvme0n1p1 + +zfs create -p -o mountpoint=none rpool/local/root +## immediate blank snapshot +zfs snapshot rpool/local/root@blank +mount -t zfs rpool/local/root /mnt + +# Boot partition +mkdir /mnt/boot +mount /dev/nvme0n1p3 /mnt/boot + +#mk nix +zfs create -p -o mountpoint=legacy rpool/local/nix +mkdir /mnt/nix +mount -t zfs rpool/local/nix /mnt/nix + +# And a dataset for /home: if needed + +zfs create -p -o mountpoint=legacy rpool/safe/home +mkdir /mnt/home +mount -t zfs rpool/safe/home /mnt/home + +zfs create -p -o mountpoint=legacy rpool/safe/persist +mkdir /mnt/persist +mount -t zfs rpool/safe/persist /mnt/persist + +Set `networking.hostid`` in the nixos config to `head -c 8 /etc/machine-id` diff --git a/docs/vm/servers.md b/docs/vm/servers.md new file mode 100644 index 0000000..196a2bb --- /dev/null +++ b/docs/vm/servers.md @@ -0,0 +1,11 @@ + +SHODAN = lab01 +XERXES = lab02 + +DURANDAL = dns01 +dns02 + +pikvm + +CITADEL = gaming pc +HYPERION = laptop diff --git a/flake.nix b/flake.nix index db33108..cc6c4f8 100644 --- a/flake.nix +++ b/flake.nix @@ -69,6 +69,10 @@ # Use nixpkgs-fmt for 'nix fmt' formatter = forAllSystems (system: nixpkgs.legacyPackages."${system}".nixpkgs-fmt); + # setup devshells against shell.nix + devShells = forAllSystems (pkgs: import ./shell.nix { inherit pkgs; }); + + nixosConfigurations = # with self.lib; let 
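Review bot: `devShells = forAllSystems (pkgs: import ./shell.nix { inherit pkgs; });` passes whatever `forAllSystems` hands its callback as `pkgs`, and the `formatter` line directly above shows that argument is the system string (`nixpkgs.legacyPackages."${system}"` is indexed with it). Unless shell.nix, which this commit also changes but outside this hunk, expects a string, `nix develop` will fail as soon as shell.nix uses `pkgs` as a package set; `devShells = forAllSystems (system: import ./shell.nix { pkgs = nixpkgs.legacyPackages.${system}; });` follows the convention the surrounding outputs use. The enclosing flake `outputs` attribute set starts outside the hunk.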
@@ -188,10 +192,10 @@ ]; }; - "shodan" = mkNixosConfig { - # Rpi for DNS and misc services + "durandal" = mkNixosConfig { + # test lenovo tiny - hostname = "shodan"; + hostname = "durandal"; system = "x86_64-linux"; hardwareModules = [ ./nixos/profiles/hw-generic-x86.nix @@ -202,6 +206,21 @@ ]; }; + "helios" = mkNixosConfig { + # lenovo tiny NAS + + hostname = "helios"; + system = "x86_64-linux"; + hardwareModules = [ + ./nixos/profiles/hw-generic-x86.nix + ]; + profileModules = [ + ./nixos/profiles/role-server.nix + { home-manager.users.truxnell = ./nixos/home/truxnell/server.nix; } + ]; + }; + + }; @@ -254,9 +273,8 @@ }; in { - dns01 = mkDeployConfig "10.8.10.11" self.nixosConfigurations.dns01; - dns02 = mkDeployConfig "10.8.10.10" self.nixosConfigurations.dns02; - shodan = mkDeployConfig "10.8.20.33" self.nixosConfigurations.shodan; + dns01 = mkDeployConfig "dns01" self.nixosConfigurations.dns01; + dns02 = mkDeployConfig "dns02" self.nixosConfigurations.dns02; # dns02 = mkDeployConfig "dns02.natallan.com" self.nixosConfigurations.dns02; }; diff --git a/nixos/home/modules/programs/de/gnome/default.nix b/nixos/home/modules/programs/de/gnome/default.nix index 490026e..b8c0bc6 100644 --- a/nixos/home/modules/programs/de/gnome/default.nix +++ b/nixos/home/modules/programs/de/gnome/default.nix @@ -30,7 +30,7 @@ with lib.hm.gvariant; { favorite-apps = [ "org.gnome.Nautilus.desktop" "firefox.desktop" "org.wezfurlong.wezterm.desktop" "PrusaGcodeviewer.desktop" "spotify.desktop" "org.gnome.Console.desktop" "codium.desktop" "discord.desktop" ]; }; "org/gnome/nautilus/preferences" = { - default-folder-viewer = "icon-view"; + default-folder-viewer = "list-view"; }; "org/gnome/nautilus/icon-view" = { default-zoom-level = "small"; diff --git a/nixos/home/modules/shell/wezterm/default.nix b/nixos/home/modules/shell/wezterm/default.nix index 21df262..73b90d7 100644 --- a/nixos/home/modules/shell/wezterm/default.nix +++ b/nixos/home/modules/shell/wezterm/default.nix 
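Review bot: The deploy-rs entries now address dns01 and dns02 by bare hostname while the new update scripts build `$host.l.trux.dev`, so the two deployment paths resolve hosts differently, and neither `durandal` nor `helios`, both added to `nixosConfigurations` in the hunk above, gets a deploy entry, leaving the scripts as their only path. If the intent is to retire deploy-rs for everything but DNS, a one-line comment next to the remaining `mkDeployConfig` calls saying so would stop the next reader re-adding `shodan`; otherwise the names should match the scripts' FQDN form. The `let … in` that defines `mkDeployConfig` starts outside the hunk, so I cannot see whether it appends a domain itself.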
@@ -14,7 +14,6 @@ in }; }; - # Temporary make .config/wezterm/wezterm.lua link to the local copy config = mkIf cfg.enable { # xdg.configFile."wezterm/wezterm.lua".source = config.lib.file.mkOutOfStoreSymlink cfg.configPath; programs.wezterm.package = pkgs.unstable.wezterm; @@ -23,8 +22,11 @@ in extraConfig = '' local wez = require('wezterm') return { + -- issue relating to nvidia drivers -- https://github.com/wez/wezterm/issues/2011 - enable_wayland = false, + -- had to build out 550.67 manually to 'fix' + enable_wayland = true, + color_scheme = "Dracula (Official)", check_for_updates = false, window_background_opacity = .90, diff --git a/nixos/home/truxnell/workstation.nix b/nixos/home/truxnell/workstation.nix index 71e4577..ed4535b 100644 --- a/nixos/home/truxnell/workstation.nix +++ b/nixos/home/truxnell/workstation.nix @@ -12,6 +12,7 @@ with config; myHome.security = { ssh = { + #TODO make this dynamic enable = true; matchBlocks = { citadel = { @@ -40,6 +41,12 @@ with config; user = "root"; identityFile = "~/.ssh/id_ed25519"; }; + durandal = { + hostname = "durandal"; + port = 22; + identityFile = "~/.ssh/id_ed25519"; + }; + helios = { hostname = "helios"; user = "nat"; diff --git a/nixos/hosts/bootstrap/configuration.nix b/nixos/hosts/bootstrap/configuration.nix index cfc2294..912b4be 100644 --- a/nixos/hosts/bootstrap/configuration.nix +++ b/nixos/hosts/bootstrap/configuration.nix @@ -16,6 +16,7 @@ networking = { hostName = "nixos-bootstrap"; + hostId = ""; # set to `head -c 8 /etc/machine-id` dhcpcd.enable = true; }; # Pick only one of the below networking options. diff --git a/nixos/hosts/shodan/default.nix b/nixos/hosts/durandal/default.nix similarity index 87% rename from nixos/hosts/shodan/default.nix rename to nixos/hosts/durandal/default.nix index 891a9dc..dbb8af9 100644 --- a/nixos/hosts/shodan/default.nix +++ b/nixos/hosts/durandal/default.nix 
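Review bot: `hostId = "";` in the bootstrap config is an invalid value rather than a placeholder: as far as I know `networking.hostId` is a nullable string documented as eight hexadecimal characters, so the empty string passes any not-null check but produces an unusable `/etc/hostid`. Keeping the option unset and leaving the instruction as a comment, `# hostId = ""; # set to \`head -c 8 /etc/machine-id\` before enabling zfs`, means a bootstrap image that is later given ZFS fails loudly until a real id is filled in instead of importing pools under a bogus id. Confirm the option's type against the NixOS manual; the hunk does not show it.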
@@ -20,9 +20,12 @@
 radarr.enable = true;
 lidarr.enable = true;
 readarr.enable = true;
-
+ gatus.enable = true;
+ sabnzbd.enable = true;
+ qbittorrent.enable = true;
 };
 mySystem.nfs.nas.enable = true;
+ mySystem.persistentFolder = "/persistent/nixos";
 boot = {
@@ -43,7 +46,7 @@
 };
 };
- networking.hostName = "shodan1"; # Define your hostname.
+ networking.hostName = "durandal"; # Define your hostname.
 networking.useDHCP = lib.mkDefault true;
 fileSystems."/" =
diff --git a/nixos/hosts/helios/default.nix b/nixos/hosts/helios/default.nix
new file mode 100644
index 0000000..6171db2
--- /dev/null
+++ b/nixos/hosts/helios/default.nix
@@ -0,0 +1,88 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+{ config
+, lib
+, pkgs
+, ...
+}: {
+ imports = [
+
+
+ ];
+
+ mySystem.services = {
+ openssh.enable = true;
+
+ #containers
+ podman.enable = true;
+ traefik.enable = true;
+ homepage.enable = true;
+ sonarr.enable = true;
+ radarr.enable = true;
+ lidarr.enable = true;
+ readarr.enable = true;
+ gatus.enable = true;
+ sabnzbd.enable = true;
+ qbittorrent.enable = true;
+ };
+
+ mySystem.system = {
+ zfs.enable = true;
+ zfs.mountPoolsAtBoot = [ "tank" ];
+ zfs.impermanenceRollback = true;
+ };
+
+ boot = {
+
+ initrd.availableKernelModules = [ "xhci_pci" "ahci" "mpt3sas" "nvme" "usbhid" "usb_storage" "sd_mod" ];
+ initrd.kernelModules = [ ];
+ kernelModules = [ "kvm-intel" ];
+ extraModulePackages = [ ];
+
+ # for managing/mounting ntfs
+ supportedFilesystems = [ "ntfs" ];
+
+ loader = {
+ systemd-boot.enable = true;
+ efi.canTouchEfiVariables = true;
+ # why not ensure we can memtest workstatons easily?
+ grub.memtest86.enable = true;
+
+ };
+ };
+
+ networking.hostName = "helios"; # Define your hostname.
+ networking.hostId = "fae0e831"; # for zfs, helps stop importing to wrong machine
+ networking.useDHCP = lib.mkDefault true;
+
+ fileSystems."/" =
+ {
+ device = "rpool/local/root";
+ fsType = "zfs";
+ };
+
+ fileSystems."/nix" =
+ {
+ device = "rpool/local/nix";
+ fsType = "zfs";
+ };
+
+ fileSystems."/persist" =
+ {
+ device = "rpool/safe/persist";
+ fsType = "zfs";
+ };
+ fileSystems."/boot" =
+ {
+ device = "/dev/disk/by-uuid/B19B-8223";
+ fsType = "vfat";
+ };
+
+
+ swapDevices =
+ [{ device = "/dev/disk/by-uuid/1d7b6e4a-aa76-4217-af18-44378c2d93d9"; }];
+
+
+
+}
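Review bot: `zfs.impermanenceRollback = true;` rolls `rpool/local/root` back at boot, but nothing in this file ties the host's persistent state to the `/persist` dataset: `mySystem.persistentFolder` is left at its default (durandal in the previous file sets it explicitly to `/persistent/nixos`), and the container modules in this commit mount `${persistentFolder}:/config`, so if that default does not live under `/persist` every container's config volume, API keys included, is wiped on each reboot. Setting `mySystem.persistentFolder = "/persist/nixos";` here and declaring the dataset as `fileSystems."/persist" = { device = "rpool/safe/persist"; fsType = "zfs"; neededForBoot = true; };` so anything bind-mounted from it (ssh host keys, machine-id) is present before stage 2 would close both gaps; I cannot see `zfs.nix` or the option default, so confirm what the rollback actually covers. The empty `imports = [ ];` with two blank lines inside and the `# why not ensure we can memtest workstatons easily?` comment on a NAS read as leftovers from the workstation template.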
diff --git a/nixos/modules/nixos/services/arr/default.nix b/nixos/modules/nixos/containers/arr/default.nix
similarity index 100%
rename from nixos/modules/nixos/services/arr/default.nix
rename to nixos/modules/nixos/containers/arr/default.nix
diff --git a/nixos/modules/nixos/services/arr/lidarr/default.nix b/nixos/modules/nixos/containers/arr/lidarr/default.nix
similarity index 79%
rename from nixos/modules/nixos/services/arr/lidarr/default.nix
rename to nixos/modules/nixos/containers/arr/lidarr/default.nix
index bd2f085..07c7de2 100644
--- a/nixos/modules/nixos/services/arr/lidarr/default.nix
+++ b/nixos/modules/nixos/containers/arr/lidarr/default.nix
@@ -38,6 +38,7 @@ in
 virtualisation.oci-containers.containers.${app} = {
 image = "${image}";
 user = "${user}:${group}";
+ dependsOn = [ "prowlarr" ];
 environment = {
 PUSHOVER_DEBUG = "false";
 PUSHOVER_APP_URL = "${app}.${config.networking.domain}";
@@ -51,16 +52,13 @@ in
 "/mnt/nas/natflix:/media:rw"
 "/etc/localtime:/etc/localtime:ro"
 ];
- labels = {
- "traefik.enable" = "true";
- "traefik.http.routers.${app}.entrypoints" = "websecure";
- "traefik.http.routers.${app}.middlewares" = "local-only@file";
- "traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
-
+ labels = config.lib.mySystem.mkTraefikLabels {
+ name = app;
+ inherit port;
 };
 };
- mySystem.services.homepage.media-services = [
+ mySystem.services.homepage.media-services = mkIf cfg.addToHomepage [
 {
 Lidarr = {
 icon = "${app}.png";
@@ -69,11 +67,21 @@ in
 container = "${app}";
 widget = {
 type = "${app}";
- url = "http://${app}:${toString port}";
+ url = "https://${app}.${config.networking.domain}";
 key = "{{HOMEPAGE_VAR_LIDARR__API_KEY}}";
 };
 };
 }
 ];
+
+ mySystem.services.gatus.monitors = mkIf config.mySystem.services.gatus.enable [{
+
+ name = app;
+ group = "arr";
+ url = "https://${app}.${config.networking.domain}";
+ interval = "30s";
+ conditions = [ "[CONNECTED] == true" ];
+ }];
+
 };
 }
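Review bot: `dependsOn = [ "prowlarr" ];` makes the lidarr container unit require the prowlarr container unconditionally, but prowlarr is enabled by its own option (the durandal and helios host files enable each app separately), so a host that turns on lidarr without prowlarr cannot start lidarr at all. Guarding it with the option that is already in scope, `dependsOn = mkIf config.mySystem.services.prowlarr.enable [ "prowlarr" ];`, keeps the ordering only when both run; this assumes prowlarr's option sits at the same `mySystem.services.<app>.enable` path the gatus check below uses. radarr's first hunk adds the identical line and has the same problem.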
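Review bot: The gatus monitor's only condition is `"[CONNECTED] == true"` against `https://${app}.${config.networking.domain}`, which is the traefik front door, so it will most likely stay green while the lidarr container is down, because traefik still completes the TLS connection and answers with its own error page; adding `"[STATUS] == 200"` (or whatever status lidarr returns to an unauthenticated request) is what makes the check reflect the backend. This hunk also introduces `cfg.addToHomepage`, whose declaration is not in the diff; if the module's options block, which starts above the hunk, does not declare it, evaluation fails on every host importing the module. Both points apply unchanged to the prowlarr and radarr hunks below.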
diff --git a/nixos/modules/nixos/containers/arr/lidarr/secrets.sops.yaml b/nixos/modules/nixos/containers/arr/lidarr/secrets.sops.yaml new file mode 100644 index 0000000..3caf6a3 --- /dev/null +++ b/nixos/modules/nixos/containers/arr/lidarr/secrets.sops.yaml 
@@ -0,0 +1,68 @@ +services: + lidarr: + env: ENC[AES256_GCM,data:7YX4nyGmGWCLWfAq2C+wgFDhsldtB+HtCgTOFzloTUCNzF+FkCiqOfCoelrLlpDDWzTY2zLVHmPpsn65170SUfm93nAAxS2Wje5nK18USoKIDd+M4lOkq1vPkVcIMHJlW6U7K8Uf9HidCFsTg9k=,iv:1R1K+ZSRTiltIN6c5s0s1Bev7xdRWBvHTaOO4/zIzWE=,tag:4jOnhVk9of3wzzgvL/4F4w==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2NlFJVE1WaWtkRGtwa3VM + TnVHTjVkekRlL05lcDlSM2EvaUNvbzliV1F3CjhQajQ4dERzSGl0Y3RsK21HOS9K + TURVdlY0Z3Qxd3AzcHU5bVcyeisrbFUKLS0tIHRYeEhyNzNveUU3QVVvd2FHaUo0 + ZnQwbmZKc3J1aUF2Z3YwWDZzeXM2RncKOldAtGrvchEjB43g4yGFMObsU+PsV+Br + kGqwFZfQYult/pIPuu0uitY4DGzqGFvVZSHbRlafVksg9yfllW/TZA== + -----END AGE ENCRYPTED FILE----- + - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4d05KN0tOTTdITWlkSFNk + WGM4WFJYb2RmN3RIU1NFRytzNWxSTFc4SmxjCmt3Nkh4Yy9MK1lkYmxwRWxIeEJR + YitCbXAwdzhBWXVrUGJjcmRDam9Qc1UKLS0tIEZPUjRqZVV2UEpsWkZaYVFSZVd6 + YXNFK2t5RzlJc1JyUWlFeHNLdFpqU0UKr0HL7K9cdaHIDa2J/3fOxuY9ciHmyoaC + O9fPgDV7MUG1cG7lFMQUXw17ke/3aqxBrQdixCIJDVFiD3Bp5CNUwQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRRmtvVS83Qk50Qnp3MGlH + MDg0czVSRDc1MkdLV01EOG5JZWtwUGFXeVNJClNtWmZLSzVQTjcwVmhpaE1lcTcx + VDFGT0RqZDQ5ZTh1QWhVWXpLQ3Q3VmcKLS0tIEJ1REI1a2lWTFpWZ0RZVHVRNXBI + Q0VoNjMrZXNzbkl2cy9tUW1wajNaR2cKPDjjplQ9v9aFkHuDPhGri/VLBDrHdAeN + 040urbUo0MV8rf5wysRkDKFqoZeIJF9pTetkSTL3BawV/G9uo1ccBA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyWTdIMCtCRVFXSXcxZDRZ + eTJiaVVMYVRoOHFoNEZ3OWlZZ2VXYlk5NGdFCkFKeFhpbGltUGNwR0FwWGpCWVpD + aGI1TG9uK2cyYlQ4dGdYOHFQWkNkOTAKLS0tIFFvOE5lNmFkNnppZkRNSW5zTWtD + enpoY1NscGhSTWxVTEU4M1lNS21ZWmMK/vkbqW5oQT/NImNFGx7d42Q/bHMTA3cy + SzoDd762QD84ONgwh8OtXEHk3TlxrVrMKbqRa3OyYSV9AdPZ4QiHaQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLRVJRdkJwdE95eE1NbEJE + eUZXWlppUXBDOGFGVjBoMzhYWnFkc0Z3OEFFCnU4MlhFMmV3YjI2R3dPY2QzWW9q + elhGSE1FQlVVWUp1dHIrUFlkRlV3Z0kKLS0tIFRrR3VxVFdsbld4QXB6Qlc5UGZQ + ZmpvRy8zNkExN2lWTEZvQllLcHo4cjgKXJt9NVNxEy0gaow2Uwm1NfLytLLsHyoF + C+RAWMpEhxyJHQ3cyGaYmOe9AkArO3lV9xwiNLcAzQTjZaIjy3KO0Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age1se7am4c5dh35aulf5zt38ymf600hz8gah4eudr9ml4fmr8h2eqxszuel73 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNSXFaZ0EvNjRzazhsZzhP + ZGZqRFhoT1RVNHI0cG41OVhmYU1HWTI3ZnlRCndKREo1UmNhTTRPdGxIdkpaeVZy + Ujk1M005NTRtaC9YQ2dteGNQZ1A5cGsKLS0tIEJhSWkvaWY3eGRyR1VlckYzL1BQ + SjVNbnhXeGhxTHEyRU5Jd1BaNzc0TjQK+JalyEaNtqABGJbphWUdVKG3dNoU8/zv + 9uivNH47OBZmWPWhDMWFKU3EZ05LRJMPHax4W1PyWXsvV8keda1K1A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-10T07:18:45Z" + mac: ENC[AES256_GCM,data:O6qkL2lH7dxsadSwJeYkRLr98jvmonuuHrQF52A9OP44fNdhA0SVagd4iLpIh4nlghIpWGnaLRzl+eL4u36Dh3rrlJoOKaWJmkSQDEVvRXpE36/+7ChvJj995s2qX/2MAMhG2ytrgAmGb0TuzsP8ySTJlFFubwk/lZoVaWAy+Fc=,iv:OFfOpQy+mCiO8RpHQStW34H7J9LJ3PFkZyrlCj5kOcA=,tag:7C0rafYEwMoakDR3sSWL6w==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 
diff --git a/nixos/modules/nixos/services/arr/prowlarr/default.nix b/nixos/modules/nixos/containers/arr/prowlarr/default.nix similarity index 80% rename from nixos/modules/nixos/services/arr/prowlarr/default.nix rename to nixos/modules/nixos/containers/arr/prowlarr/default.nix index b1d1cb3..8ff2b2e 100644 --- a/nixos/modules/nixos/services/arr/prowlarr/default.nix +++ b/nixos/modules/nixos/containers/arr/prowlarr/default.nix @@ -50,16 +50,13 @@ in "${persistentFolder}:/config:rw" "/etc/localtime:/etc/localtime:ro" ]; - labels = { - "traefik.enable" = "true"; - "traefik.http.routers.${app}.entrypoints" = "websecure"; - "traefik.http.routers.${app}.middlewares" = "local-only@file"; - "traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}"; - + labels = config.lib.mySystem.mkTraefikLabels { + name = app; + inherit port; }; }; - mySystem.services.homepage.media-services = [ + mySystem.services.homepage.media-services = mkIf cfg.addToHomepage [ { Prowlarr = { icon = "${app}.png"; @@ -68,11 +65,21 @@ in container = "${app}"; widget = { type = "${app}"; - url = "http://${app}:${toString port}"; + url = "https://${app}.${config.networking.domain}"; key = "{{HOMEPAGE_VAR_PROWLARR__API_KEY}}"; }; }; } ]; + + mySystem.services.gatus.monitors = mkIf config.mySystem.services.gatus.enable [{ + + name = app; + group = "arr"; + url = "https://${app}.${config.networking.domain}"; + interval = "30s"; + conditions = [ "[CONNECTED] == true" ]; + }]; + }; } diff --git a/nixos/modules/nixos/containers/arr/prowlarr/secrets.sops.yaml b/nixos/modules/nixos/containers/arr/prowlarr/secrets.sops.yaml new file mode 100644 index 0000000..dad3aef --- /dev/null +++ b/nixos/modules/nixos/containers/arr/prowlarr/secrets.sops.yaml 
@@ -0,0 +1,68 @@ +services: + prowlarr: + env: ENC[AES256_GCM,data:bB13WWB+H9OHK4FMOEuURU0oZLdCTpG67bY/E6ikN8MBixG5PPwZuUHVt3gfpcdiQC3/BVj8UhkEC3ATRlihZCsUAB9kWUMAPrxOeXQr0VJ+RQpl2q9IjdUa4nz42AZkG1ZevCoYojxFKvJGmGaVj9CI,iv:yUe+L4cOwI52462FMu2zKvjLShXFI5joaEHxcENcVPI=,tag:rVdZZ2E0Ikx8OhIFs+8rMw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaR2h5a2dnc005dGFPdkxD + YlBQakZRUFYyUHNFUklzQ2dXTUp1ZXpaVkcwClVpZzJFTTNBeitYOWpJdUx0K3FL + bnRkbnNDZzBqOTNCRnJnekU0N043MjgKLS0tIGZ1WTdkb1g5c3MzNXBnVGdPZGw2 + cklqZXFTS0JKb1hHNG8yQm9jQ0dyRkUKsJIGwRQUpQ2rWtLAEnm8C9+5yLfTY4He + mDB2V6IitkKFEPzEpPi9vk+2zkf6dqWbwUa9VANs14uLu5Ue0WTsjQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFWFRlL0VQY0d1aDIreksr + UjZwMzM3RkhyamlVVGtOWFdTRlhodlphZmo4Cm1WMlNRVDhSVTlqUG84TG5iK1cw + M290eVZXVXlpbCs5aEhpRERRRWVzSVEKLS0tIFlBemlwWjZuczVFSVE0UWJOZFJh + T2h5eEJXekxKVnBmQWJoL0h4aGJreHcKQSgjZWxd8lBhMrv4bqmoQICK/hf/hWOp + a2Un0jXCvomlCCRiMXpc1Ii9Xy6y012bHrAlom3eiAU11wKOBYZ0Qg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0MWliQTFvM0MrUmN1NDFK + VEM4TnhrSWM2cEU2dHE3UnQzeHZhN1BKT1E4CllBMEEwY1FxVWI5S1JndnVQUkFT + VzBUYVozN1M2Z2o0b3hxaHd3aUV0ajAKLS0tIHBRQ3RTOGxzTlQ2emlqTXdoZy92 + VGQ1RklSUy9UclRYaVNmWTlHTXRHMDgKk6MlwJIlSsZRxYwNC39bkwUly3m+y+68 + XpLbncjI55Uyno1z2J+6NJotAFFKpzuQ/VpAiE+FwBM7CLrkh11KvQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEb3dyZ2RrZXZjUlYvZFI1 + Ui8vQmx2bFlYV2pUQmc1eUordnd6RVFyQXpJCk92SFk5QTA2Qk1WbTArSFpQaGNi + N0gwUEI1b3NWZ3JURGVPQ3ZuZnU4NGsKLS0tIE1GUWJ2NUFzck0vNUI5T1VqMUly + NkFQb21LVzloQnd0L0tYUEpRZTF3eE0K4xTWCCiceDKCla7kWfBvftNjTFY5aXZa + azlnCmlg/geKrQvWRYe63i+20q+ZkhQfm6qGugkRuHpMSsXG8woTlg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2MkhmRytsWHJSalBucjlH + NTFCc01UQW9HMjFJSkJnM1EzM2pza1gzaVRNCm5lTEhnU2E0VnlCR1pKT2xSWCtT + Z3FXclRmQkxvOFliMVVIS2ZJY0dsOGMKLS0tIGE0eWVuVXRsYXg4Z0syNS9mWCt3 + ajJ5RzBDaTZXMnlkSFJFQXRqZ0FOUTgKGEaHiHOO45JfVheInmxiModzF5fzo2e7 + 5XF9WUKPz9Jx53ugivb/S9turWA4eZaeA9rmLb3yQ0HcQoaLVsB7ng== + -----END AGE ENCRYPTED FILE----- + - recipient: age1se7am4c5dh35aulf5zt38ymf600hz8gah4eudr9ml4fmr8h2eqxszuel73 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvVVBFL1VYYnlyQVRoN2hx + NnJ6SzFucHp6THJTYktJRC9Tb2J6bUpYVFVjCnhEYjcvZUNGTXhZci9wMWtHaERE + NW9KNkc5ZE9TdFpKdUoyUGRVQ1JGSXMKLS0tIGdGS3lpUWVMRTlwTElHUE9uY0Nm + dExpb1kvR1o0V2RFOE9GckkzWG93NmMK4JM8Vp0zTa9zVRiMzw5AY+3zaNqKnYAt + bD9iTN/TQbjyowvdxRiziLE4hZ6plav7x8/o3MRT8uXMdnaykIT0PQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-10T07:18:45Z" + mac: ENC[AES256_GCM,data:ygSwpOo/ZuqTVLKDgmQvAEY8KYkq1O/3grLL5i/0LGlSOM9n9j4oBjBodmGRrXtZ5ui0BL8PZlExfjK7QUni7m0wRXRhWoiuYadiiPVmfzSLQ4aDet4eCt5mTvjn2Xm68cOB3Vyu+dGzmU9O1H0y7EoUsItVPsrreOAlItGEKM0=,iv:10jClAw0BkJJbLg4zdPxZ3/7I20M0UQUcfL+SRtg/MI=,tag:Bhu5V35Hp6pGKfRCUgKSSQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 
diff --git a/nixos/modules/nixos/services/arr/radarr/default.nix b/nixos/modules/nixos/containers/arr/radarr/default.nix similarity index 79% rename from nixos/modules/nixos/services/arr/radarr/default.nix rename to nixos/modules/nixos/containers/arr/radarr/default.nix index 6ab03d2..cdc8874 100644 --- a/nixos/modules/nixos/services/arr/radarr/default.nix +++ b/nixos/modules/nixos/containers/arr/radarr/default.nix @@ -38,6 +38,7 @@ in virtualisation.oci-containers.containers.${app} = { image = "${image}"; user = "${user}:${group}"; + dependsOn = [ "prowlarr" ]; environment = { PUSHOVER_DEBUG = "false"; PUSHOVER_APP_URL = "${app}.${config.networking.domain}"; @@ -51,16 +52,13 @@ in "/mnt/nas/natflix/series:/media:rw" "/etc/localtime:/etc/localtime:ro" ]; - labels = { - "traefik.enable" = "true"; - "traefik.http.routers.${app}.entrypoints" = "websecure"; - "traefik.http.routers.${app}.middlewares" = "local-only@file"; - "traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}"; - + labels = config.lib.mySystem.mkTraefikLabels { + name = app; + inherit port; }; }; - mySystem.services.homepage.media-services = [ + mySystem.services.homepage.media-services = mkIf cfg.addToHomepage [ { Radarr = { icon = "${app}.png"; @@ -69,11 +67,21 @@ in container = "${app}"; widget = { type = "${app}"; - url = "http://${app}:${toString port}"; + url = "https://${app}.${config.networking.domain}"; key = "{{HOMEPAGE_VAR_RADARR__API_KEY}}"; }; }; } ]; + + mySystem.services.gatus.monitors = mkIf config.mySystem.services.gatus.enable [{ + + name = app; + group = "arr"; + url = "https://${app}.${config.networking.domain}"; + interval = "30s"; + conditions = [ "[CONNECTED] == true" ]; + }]; + }; } diff --git a/nixos/modules/nixos/containers/arr/radarr/secrets.sops.yaml b/nixos/modules/nixos/containers/arr/radarr/secrets.sops.yaml new file mode 100644 index 0000000..eb07bf6 --- /dev/null +++ b/nixos/modules/nixos/containers/arr/radarr/secrets.sops.yaml 
@@ -0,0 +1,68 @@ +services: + radarr: + env: ENC[AES256_GCM,data:eCok5/+DTT4DvI+3Tmgel3h7rRMQzPyGKmGzjWr9Bk+7KhuCutqT8VKRT6cvk6N6GkAaF8fLeZ8ANxy2bK6RyPrB0jOb6J2SsYWrXHNdgtTLPVccIDRfJ+R7Xp01eHp6JGY5xmpF7HEjN9JHFQkwcsy+GpNBK+ALfBH6BFMbnK2AGlM6RwclN+BSvMZirfRnxSZ1XTUNPuLX/+ClWTqlfEHfab0lM1ZcA0VFSKNpk1ivshewRpv7ZgLGGHU4JXZXT1amJrYoSCPKkl2Aaf52,iv:N0L7Vmv7yOSprFAxpdpkrH8uFj0cHgVbpyCSJnqrugI=,tag:3xLCZY0EN505xfWKvDs+hg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnV0tvc1FncHB0Mkt1QjNh + VzlZdXBjb3VTSjRpWWpZclE1RE9xM2FsUlFVCkU2eEtNL1FrRTVLZ3lrSXdTOHp4 + RERqbWRyeURJTFVZT2lQVWk2eDhrZ0EKLS0tIDl2OWUxTHUwR0ZtbnY1d3dLRUtR + QTF0WnJZbjVmSHMwdlQ2cjhuTzF3eTgKRWyMgPMCPCQaFyMoemfaVKR4Nz/9zqE1 + QYfyVdzo+EGp8aFsJUDW7i8tnNWuqSkU/arEX2HXZ4eURoVOV56M/A== + -----END AGE ENCRYPTED FILE----- + - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNT1BxVU8xb3Qxbk9nY2hG + a2dBbGwwZmtRYUdvenlWYklDL3RleWx6RnlJClFkcXhwbFROR3dZNWprUkh0SG9W + eXNLOHhNTHdBcmJmNnMwRGk1M21adXcKLS0tIHBzaHQ3U255MlMxWDBZdzRqSUpN + S2taWVhLWmRCcW81ejY3T2lVM1dSeGMKMEExqNLhSDxcFSUvAx4Uoet1Cr9pMbM5 + JFmIuiEOF7idfJ0/fceM9IxMS22LBTRC9Vlkkr9lYj/trO9KmF0l/Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYZG1VMGtyMnhwTzZkMlp6 + Z3Z4K1JIYjcyaTBVSjJjRnNXQWc4ZFNxRUJzCkVIdVFvaldOR1FtTkFZbjFuVG5B + VUY2Zm9mTDRFeWxudGtOWlp5c1hvdGMKLS0tIEFYLzlJcDN5a1ZJMm9mUW9YR1BR + dm4rV0t6SkVwVk5udVI5c3ZYNHRoUkUKIR9FbffWcyslWbURZ+PkWSqW1QDaS3m0 + HW4aSEPPbA+SIDIlZY/6CdY3MS5p/STkqfLPIpAuswEaMGdAcHI9Cw== + -----END AGE ENCRYPTED FILE----- + - recipient: 
age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpbzNjdFgydlhFcjRQZGh4 + eExFSG1uZkl2aDl1SWk5SExlWjlid2V3V3dRCkErY2tYanprRXoreHB3OFpRNFRO + MzB1NEtnVTZMd2V0WVpPMnJ2V1ZlbkEKLS0tIDAxQ0FkeFdXb1FPUm9uWjVscFZ3 + WTlObk85TGJkMlNZQ0RKc0FkTyszSGMKk29wTRW8QtioBdX6vaiM5NycbVJCmf1V + 3w9D4uJyIocBvXbhHOoL7JJp7rRKCx+rcs6nxYrtgI/f5pWR4mG5Ng== + -----END AGE ENCRYPTED FILE----- + - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGTmpjK3VzOHlKbnAveHNR + TWdIR1FjZW44NHdiMk1qRkwrWHZsMDR0ZkhFCmdyNUNOZ2I4elJSVzF2S0poaTJm + M2gzTHNMejZTNzVoUHJOdEJkNkkrTEkKLS0tIDdUWlhMcmVOUnAyaXZKN25sMGpX + RExtMlBhNEpnYnZSY0NUS2ZLZWpLSUUKXDbDA8JdpfHMJuB1dr68mzETGJn6SfrZ + V0c127YS2LvNl1jwDl4nMPpUy2MH0gYYi3JTJSOWFbqzWVDx2lsrHw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1se7am4c5dh35aulf5zt38ymf600hz8gah4eudr9ml4fmr8h2eqxszuel73 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwNGFzc2pJS09ldkFRTjQ0 + WHB4TUdUTElMZ09BanRRS3gvdldIRUozWDFzCktyUUVsTndPTFduNGlubVBaZjk0 + REhBckdmNTIwcGh4UURLdnJVL0tnOFkKLS0tIHNtdW1UcTVadGtwbUt6Z0lMZHZs + NThTZi91NWRubGl6YWNMOHFiYktia2cKE8eNGhd9c5/nnCMoRD5fkYstVzvSg4Un + AgyBwvsh8H75HOQaxB2fLqOnzFmmEapRCflaymq9R5qBk8kpQ5iChA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-10T07:18:45Z" + mac: ENC[AES256_GCM,data:4g+4hRWHD5L/SjxKu8VhCU2oznUP/GZ5iNsKrC7GWHg4iLXY2MRSwbkcR1SoQrCWqFACNQCFQzdAqUFbhHMx85AL9V+YEVYMxBmDt2arOF1yNVbxYnDfbBbWRjYva2Yt9er2P1Topfku5XhIfPXyPi7nuZuGamRWiGNt98bpsTY=,iv:LbWJzgT8QRE7AaxSNdPCT0jvjZiBUh7xlKsBQQfnVwA=,tag:w/nNS+6eYYt1tMixoX97IA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 
diff --git a/nixos/modules/nixos/services/arr/readarr/default.nix b/nixos/modules/nixos/containers/arr/readarr/default.nix similarity index 77% rename from nixos/modules/nixos/services/arr/readarr/default.nix rename to nixos/modules/nixos/containers/arr/readarr/default.nix index d6e1c90..9160f3c 100644 --- a/nixos/modules/nixos/services/arr/readarr/default.nix +++ b/nixos/modules/nixos/containers/arr/readarr/default.nix @@ -38,7 +38,9 @@ in virtualisation.oci-containers.containers.${app} = { image = "${image}"; user = "${user}:${group}"; + dependsOn = [ "prowlarr" ]; environment = { + TZ = "${config.time.timeZone}"; READARR__INSTANCE_NAME = "Lidarr"; READARR__APPLICATION_URL = "https://${app}.${config.networking.domain}"; READARR__LOG_LEVEL = "info"; @@ -49,16 +51,13 @@ in "/mnt/nas/natflix:/media:rw" "/etc/localtime:/etc/localtime:ro" ]; - labels = { - "traefik.enable" = "true"; - "traefik.http.routers.${app}.entrypoints" = "websecure"; - "traefik.http.routers.${app}.middlewares" = "local-only@file"; - "traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}"; - + labels = config.lib.mySystem.mkTraefikLabels { + name = app; + inherit port; }; }; - mySystem.services.homepage.media-services = [ + mySystem.services.homepage.media-services = mkIf cfg.addToHomepage [ { Readar = { icon = "${app}.png"; @@ -67,11 +66,21 @@ in container = "${app}"; widget = { type = "${app}"; - url = "http://${app}:${toString port}"; + url = "https://${app}.${config.networking.domain}"; key = "{{HOMEPAGE_VAR_READARR__API_KEY}}"; }; }; } ]; + + mySystem.services.gatus.monitors = mkIf config.mySystem.services.gatus.enable [{ + + name = app; + group = "arr"; + url = "https://${app}.${config.networking.domain}"; + interval = "30s"; + conditions = [ "[CONNECTED] == true" ]; + }]; + }; } diff --git a/nixos/modules/nixos/containers/arr/readarr/secrets.sops.yaml b/nixos/modules/nixos/containers/arr/readarr/secrets.sops.yaml new file mode 100644 index 0000000..771192b 
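Review bot: `TZ = "${config.time.timeZone}";` aborts evaluation on any host where `time.timeZone` is left at its null default, because null cannot be interpolated into a string — the failure surfaces as a broken build for the whole host rather than as a missing variable. Since the container already bind-mounts `/etc/localtime:ro`, either drop the variable or add it only when set: `environment = { … } // lib.optionalAttrs (config.time.timeZone != null) { TZ = config.time.timeZone; };`. Not part of this change but visible in context, `READARR__INSTANCE_NAME = "Lidarr"` looks like a copy-paste leftover; `"Readarr"` is presumably what was intended.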
--- /dev/null +++ b/nixos/modules/nixos/containers/arr/readarr/secrets.sops.yaml 
@@ -0,0 +1,68 @@ +services: + readarr: + env: ENC[AES256_GCM,data:vPKL/0rOBlly7EW1Pbt8dJ7fQHBP+AHXElIZbfZBB3Wl1GibhJs69rAnRH7xGwPLZgjFtT742sUnIOw+ZdGDU7Aws/LyU9AeNcmGVjFHNz3tPi3ikoHV1Glofku/Q7pje69dqoKuDvN/y2U8D8vYIg==,iv:A+/Q9/8ZCaYEUY0V624eOe6nM/9LGVidaK+56KGG+3s=,tag:y0fcBeEoHMgFz85PQkqt+Q==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTbmJOZ3RHVGZyMVdQcXJ5 + aDdEeUFNTGVlTmxzQTdKNUFzVCt5c1FndEU4Ck9ja28vOXJoWWhlYXI0RXlpS0o1 + ZUszUi9vc1NiVHFDNXJ3TGdzNUhwOG8KLS0tIEJQRURjZHBqNkVKYkp3YUxuOFdB + YnIycXFuV2JiQ1lSZDRIekhFTUpWdDgKYJuej3+o8YOysAm8zaOsxbok9x53vAMi + 9tAPF1FPC/JJvYJnncpynxEWVLQ9VEQ+T72HDWy6Xf1PD18mhA7ZSw== + -----END AGE ENCRYPTED FILE----- + - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0cllLVVYraHRueklwR1h3 + bDE5TnI4eFBCMjNIcU01MGZlWlJ0K0JGMjNNCnluOGpjaTFhdFk4TUoveS94UlVH + K0daVThXcDV6SDRma2pyRHdtUWRhV1kKLS0tIE44T3owMU9pOEkrdlFhM1hwM3Zn + VUlELytqTnVNcER1K1BkbStpa0d5UjQK7nF3pq7ajVA2y/2VE+k96INyrWU44uQM + SxIEsqjYkuyjaQdYBtxZSqiwpQBKdLj47X8U42m9M9NOjG3Uc0J1og== + -----END AGE ENCRYPTED FILE----- + - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAreDF3bms5aXN5blpkZEs4 + eTNET0ZaRFp5K0FuVWowWTMvWjMvNldBV0E4ClcyOWpKa0RpZXB5dXpsa3o1UkR6 + V1gxaHhiSERkT0lIQ3l5c1lNMVVpUDgKLS0tIHRCd3pFdnp3WTBJdzBlQ04zWDBN + bGhvc213TmV6aDZYbzZhQUNtT3dYVlkKlkUuDfB/81dShrlL1KzfOsE6fNb/7vFE + 3grwJMKQKZhvN+nK/BVAAUCamdMa07Q+DX0+VXdSc+QspHNpLrRCdg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBheVV6Wkc3NHZiTFAycnU2 + TDkrTVhGd0gxTmN6aENFdEhnb2JQZ3c0SHljCmZnQTBqVXhGT0FyRUN4VERQZW9T + d1QydTMzVG5MdFhYMmV4L1dJRTBtYzQKLS0tIEVMZ1VRbjFjSThoTXB3TW9KcGRM + V2JQdGxIUHRkbHdVSXhZMktTWTczazAKtU+XFzoNTfhRC+He+UqM5w/o9VoqJF2r + 4LIpVuITrD8cCFjRQYBvg/04zdSXoN9plpHcW7EpzoQE1enKNFN02A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmN254K3k3SksxOENzYURJ + SnFVeXdtd2RscGkwMmV6Yk5LSTN6YUhhOUVjCndYajFrZGpwQldiek9XVURMZ3hR + Uk9DM1NJQVpqMmxkSnZ5QTJhOUZFWkEKLS0tIHc0V280TDZDby9NbDRRS3pkWDVP + QWhJQW5WaTZ2TGtvaGt0OW9nM2tBREkK1GHdyV5JKNWWOXJR0HszGRnGYes+xIlG + JMKIZswINap3RUNThr+xOfjajdsj5gBt6N0yozArLNGupxo6qp3zPw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1se7am4c5dh35aulf5zt38ymf600hz8gah4eudr9ml4fmr8h2eqxszuel73 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5OWVWL3Y1SDYwTTNwcnha + SEM3RmlCa01RTkpOczIramIwSE9NdGEyZkJRCjM2dTBIUGNENlhDVHNCN0VxbEZk + WUxtOFdjSk1jb2ttanFST05LVER0UVEKLS0tIG9oTk1aRXBHK2RmNXlHZkt1ZUNm + bW53aTdhL21hbEZPSkx0d0dZR3BBK3cKkPeXkGtmEqi7MKplyKoIY3yOEFiLAWe0 + qZHN/IO0dgWmmSKpWQTtrAve9GJx/Apz/9VTouWaVpq3a/pDU1de/A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-10T07:18:45Z" + mac: ENC[AES256_GCM,data:eexZeVU3wnYJryPVkIyokKqkvHASFCMBKT9MyTMqf7JAW/gDB+7irGs4WEv8UgJUCHKDNUh5KRngMk/W8ugFccuGhsiDnNUm4/KAMPjL+GtR0EdIjSDNUhwFJYqvN0KiZ47P2zzb3Lfpe3cix7A/HhzF3Vk+NAljnyE9uCk0sEA=,iv:G4dXYsVjpCqr/AxlQmcxArFdx7gPQTRNt8iK5IAYGi8=,tag:aQ1dNARwJd/PBc1aWoK9eA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 
diff --git a/nixos/modules/nixos/services/arr/sonarr/default.nix b/nixos/modules/nixos/containers/arr/sonarr/default.nix similarity index 78% rename from nixos/modules/nixos/services/arr/sonarr/default.nix rename to nixos/modules/nixos/containers/arr/sonarr/default.nix index bb10471..3a46f5d 100644 --- a/nixos/modules/nixos/services/arr/sonarr/default.nix +++ b/nixos/modules/nixos/containers/arr/sonarr/default.nix @@ -39,7 +39,9 @@ in virtualisation.oci-containers.containers.${app} = { image = "${image}"; user = "${user}:${group}"; + dependsOn = [ "prowlarr" ]; environment = { + TZ = "${config.time.timeZone}"; PUSHOVER_DEBUG = "false"; PUSHOVER_APP_URL = "${app}.${config.networking.domain}"; SONARR__INSTANCE_NAME = "Radarr"; @@ -52,16 +54,13 @@ in "/mnt/nas/natflix:/media:rw" "/etc/localtime:/etc/localtime:ro" ]; - labels = { - "traefik.enable" = "true"; - "traefik.http.routers.${app}.entrypoints" = "websecure"; - "traefik.http.routers.${app}.middlewares" = "local-only@file"; - "traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}"; - + labels = config.lib.mySystem.mkTraefikLabels { + name = app; + inherit port; }; }; - mySystem.services.homepage.media-services = [ + mySystem.services.homepage.media-services = mkIf cfg.addToHomepage [ { Sonarr = { icon = "${app}.png"; @@ -70,11 +69,21 @@ in container = "${app}"; widget = { type = "${app}"; - url = "http://${app}:${toString port}"; + url = "https://${app}.${config.networking.domain}"; key = "{{HOMEPAGE_VAR_SONARR__API_KEY}}"; }; }; } ]; + + mySystem.services.gatus.monitors = mkIf config.mySystem.services.gatus.enable [{ + + name = app; + group = "arr"; + url = "https://${app}.${config.networking.domain}"; + interval = "30s"; + conditions = [ "[CONNECTED] == true" ]; + }]; + }; } diff --git a/nixos/modules/nixos/containers/arr/sonarr/secrets.sops.yaml b/nixos/modules/nixos/containers/arr/sonarr/secrets.sops.yaml new file mode 100644 index 0000000..b1b26b6 --- /dev/null 
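Review bot: The new gatus monitor asserts only `[CONNECTED] == true`, which for an HTTPS URL passes as soon as the TLS connection to Traefik succeeds — a 502 from a crashed sonarr, or a 403 from the local-only middleware, still reports healthy, so the check adds little beyond the host pings already in the gatus module. Add a status condition, e.g. `conditions = [ "[CONNECTED] == true" "[STATUS] < 400" ];` (or `== 200` if sonarr answers without a redirect — verify). The unconditional `dependsOn = [ "prowlarr" ];` has the same problem as in radarr and should be `lib.optional`-gated on the prowlarr module's enable flag. Visible in context, `SONARR__INSTANCE_NAME = "Radarr"` also looks like a copy-paste leftover.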
+++ b/nixos/modules/nixos/containers/arr/sonarr/secrets.sops.yaml 
@@ -0,0 +1,68 @@ +services: + sonarr: + env: ENC[AES256_GCM,data:y0OW/T+/6DpkFlwXszG6IyeWs2xIKEwX3KQhw4U6TLQuAlBMwIAD7HeRdT6GE1f1N5MIt46lho+d6vyAXTMs78Oi+R8/HVRQ+Ch4soUM1nNyRtK0FhCzxIlczR+owumJSFst3WfrjHYWolk7z5men8/mQpocJMo7t/n0QozHlNiPkEM2KlKU6viXs4u1UbQwqhmA9I6x2b3vHBrSml7CM0ch4/2IMc5VPagBeaGd1nRHvr+TiHRFv1tbkhbY8O43DcbmVqUHLNBhpyJ7A6Pz,iv:TUAgMJu8HDP+fuRKIQXv3Yi4ImZBv+WaA081e8w7cQw=,tag:rCCR0xBMcHKMiDkGEhsvkw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoMXVtN2FvVHhia1l1TzRF + ZmJucjk1dU9GNGE3UEZLUVZVRnNyWVp1azNVCjRyRGRvSTZpbnB0aDhxaTNLcmll + NE9tbVp1b0FxQ0VoSmgrWkRFN3hTS2sKLS0tIEc5VVE5L3d5VTEzQ2hZbFU5MElx + NkNJSEdJYjYycDhudUFLWHNVcGZTcUUKm4WNGOnXRIFfYKrsBZAd05p1Y/PgaA+O + OMmcQtKKkgv++IW5IN9W637kfIAXRn9+8uREGVfhx08ScZPT0ciyfg== + -----END AGE ENCRYPTED FILE----- + - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRWUcyUU1ZbGVQMTNZWVNo + SGZ0WVVYamYwQzR0UXl1QWpvZ1d4OEh5aEZjCmplQ1laSkdkbzlkc3IzRStQLy8z + U2Nmc3dyN3pQaGEzNnBHSDc5Q2FOZ2sKLS0tIFdPc05oTExQeDhMd3RUdzZmTlll + OXVFdmFicnlsQjFhM3NyOXVMc2NGelEK5dc1ofhg/asnKpwGlwqxkXf/V0jUPqnA + PRZejTMGsct73NtKXvejGJ2vD1lctd3T3vfe3NM+ebKPgDUSOSk6Iw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiWjZrdWhOVkRGdERNTTBo + QlA3bWFtalk2eDlsTTJyWHVrbUlCT2Yvd2xFCmJUUDJUQmxnQi80cHcxMEhtOGJX + VDNUZFZoNTI1WHZyNWFWYjdDYTRidmMKLS0tIDNuSm9hTzVDTmsxVmZ0NlhJNmty + N0R3OHU2OVdaa2FiWEl0b2E4R0pvQzgKuCmGQA0fJXGzcaASpKDptxhZhjD3Px2X + TUkYkzQXUoaDCIkh1le1ntPGwRM36lQQqWtCi7ObvOmNamj8cgGdoA== + -----END AGE ENCRYPTED FILE----- + - recipient: 
age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaTXZpTGJWODJKcytuTmNh + cDEvOUlvaXBUUUxiWHVTSS9pOXZNcUdEOGl3ClFhMnljcmdPQkh6dWg1eTZUOUM4 + OFBwOEI5aXhnWFhGT3VPYmRZa3EwV1EKLS0tIG5NN0FZa0VVOTRyNkxQdC9lajdM + WmJJc05yM0ZJNGtwRFJySFQ4YXdHTXMKqAJM38MRRxEipfVv9k6B6Bzb8i16if05 + AYdkjb6K6kUnZqzSrqvafmsvP+9Ke2uhr7yCLll1tHhjtMP7TYMW4A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtSmJvM1FlbXBTOHNsemZF + NU9YVnNWT1RrZlc5Y2FIWVBhdXVnRjFyKzNnCjFnSWp6MUdtQjcwYmx2bjJML1ls + aWRnN0piMmZKTE91QnZuK1dFSTZHeVkKLS0tIFAzckd3aDVHQTk3eDUxVFdTRURH + K0ltdWd6ZDZUOURyNlZsTW9RdVFMY1UKi4OzpjsDeckTIVLwHr1MlYKSqTO7ExXg + FIupYmfFvwnQVex5Y/rgtTCiM6qFaV7gzVhG9paGMD5h1g5moG9eBA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1se7am4c5dh35aulf5zt38ymf600hz8gah4eudr9ml4fmr8h2eqxszuel73 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrNGRjc2xqT243TFFzT3Bk + elJmNnlmdUdFS0JjMUdXVW5XUC91YWlSOEEwCm51blRhb2dyM0FzdGZZdUpVcWgv + MXN0bFYvOXkvNnVMaW5zNmVaS2R2V2sKLS0tIDQwVys3ZUpHNWdydG1NRUt3Y0Yv + Qk94L3lpMjFMWUJUTjVXbnNuSWVMaHMKiewu7zoAMlL55BoU9lZYryVG32e6bg0K + toNX6iv4tGZ7EIjgB2L6TKlLisQW+Ta4P7VA+TAd2Z/nfYmDS77jNA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-10T07:18:45Z" + mac: ENC[AES256_GCM,data:zGC93zgG64/scDXYlUWY6arUW9f+jIZiA/wC3RBbFokT5430ubXhRVcBErwvqnghuC60sC0ZeNqoJNi4jQwE7BAbnnU8DTUsAoH4qhmNLfUeJtL8oF0NRl3i+hpauabg6E/qNbtuNG0/lUsnWXswz+7VbJP2ggTVpj+h+0vRN20=,iv:2JCto2Sy1i5gmHpAR3VgRbf0I4WSJVQLYxN4Vf/8Uz4=,tag:ZzYRKWy2HnMLyVn8CRJBqg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/nixos/modules/nixos/containers/cross-seed/default.nix b/nixos/modules/nixos/containers/cross-seed/default.nix new file mode 100644 index 0000000..764deb4 
--- /dev/null +++ b/nixos/modules/nixos/containers/cross-seed/default.nix @@ -0,0 +1,42 @@ +{ lib +, config +, pkgs +, ... +}: +with lib; +let + app = "cross-seed"; + image = "ghcr.io/onedr0p/sabnzbd:4.2.3@sha256:bb20d3940ff32c672111ad7169ce4156f1c4c08bb653241f1b14f6d00f93b3cc"; + user = "568"; #string + group = "568"; #string + port = 8080; #int + cfg = config.mySystem.services.${app}; + persistentFolder = "${config.mySystem.persistentFolder}/${app}"; + configFile = builtins.toFile "config.js" (builtins.toJSON configVar); + +in +{ + options.mySystem.services.${app} = + { + enable = mkEnableOption "${app}"; + }; + + config = mkIf cfg.enable { + # ensure folder exist and has correct owner/group + systemd.tmpfiles.rules = [ + "d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period + ]; + + virtualisation.oci-containers.containers.${app} = { + image = "${image}"; + user = "${user}:${group}"; + cmd = [ "daemon" ]; + volumes = [ + "${persistentFolder}:/config:rw" + "${configFile}:/config/config.yaml:ro" + "/etc/localtime:/etc/localtime:ro" + ]; + }; + + }; +} diff --git a/nixos/modules/nixos/containers/default.nix b/nixos/modules/nixos/containers/default.nix new file mode 100644 index 0000000..97f13d7 --- /dev/null +++ b/nixos/modules/nixos/containers/default.nix @@ -0,0 +1,9 @@ +{ + imports = [ + ./arr + ./homepage + ./gatus + ./sabnzbd + ./qbittorrent + ]; +} diff --git a/nixos/modules/nixos/containers/gatus/default.nix b/nixos/modules/nixos/containers/gatus/default.nix new file mode 100644 index 0000000..7432e8a --- /dev/null +++ b/nixos/modules/nixos/containers/gatus/default.nix 
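Review bot: The module is named cross-seed but pins `image = "ghcr.io/onedr0p/sabnzbd:4.2.3@sha256:…"`, so enabling it would start a second SABnzbd with `cmd = [ "daemon" ]` and a cross-seed config mounted over `/config/config.yaml` — the digest belongs to the wrong image entirely. It also cannot evaluate as written: `configFile = builtins.toFile "config.js" (builtins.toJSON configVar)` references a `configVar` that is never defined in the let block, and the file is named `config.js` while the volume line mounts it as `config.yaml`. The new `containers/default.nix` on this same line does not import `./cross-seed`, which is presumably why none of this has failed yet; I would either drop the file from this PR or finish it with a pinned cross-seed image, a real `configVar`, and matching file names. `port = 8080` is unused and no Traefik labels are set, so the container is not published — fine for a daemon, but a comment saying so would stop the next reader from "fixing" it.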
@@ -0,0 +1,230 @@ +{ lib +, config +, pkgs +, ... +}: +with lib; +let + app = "gatus"; + image = "ghcr.io/twin/gatus:v5.8.0@sha256:fecb4c38722df59f5e00ab4fcf2393d9b8dad9161db208d8d79386dc86da8a55"; + user = "568"; #string + group = "568"; #string + port = 8080; #int + cfg = config.mySystem.services.${app}; + persistentFolder = "${config.mySystem.persistentFolder}/${app}"; + containerPersistentFolder = "/config"; + extraEndpoints = [ + { + name = "firewall"; + group = "servers"; + url = "icmp://unifi.l.trux.dev"; + interval = "30s"; + alerts = [{ type = "pushover"; }]; + conditions = [ "[CONNECTED] == true" ]; + } + { + name = "pikvm"; + group = "servers"; + url = "icmp://pikvm.l.trux.dev"; + interval = "30s"; + alerts = [{ type = "pushover"; }]; + conditions = [ "[CONNECTED] == true" ]; + } + { + name = "octoprint"; + group = "servers"; + url = "icmp://prusa.l.trux.dev"; + interval = "30s"; + alerts = [{ type = "pushover"; }]; + conditions = [ "[CONNECTED] == true" ]; + } + { + name = "icarus"; + group = "k8s"; + url = "icmp://icarus.l.trux.dev"; + interval = "30s"; + alerts = [{ type = "pushover"; }]; + conditions = [ "[CONNECTED] == true" ]; + } + { + name = "xerxes"; + group = "k8s"; + url = "icmp://xerxes.l.trux.dev"; + interval = "30s"; + alerts = [{ type = "pushover"; }]; + conditions = [ "[CONNECTED] == true" ]; + } + { + name = "shodan"; + group = "k8s"; + url = "icmp://shodan.l.trux.dev"; + interval = "30s"; + alerts = [{ type = "pushover"; }]; + conditions = [ "[CONNECTED] == true" ]; + } + + { + name = "helios"; + group = "servers"; + url = "icmp://helios.l.trux.dev"; + interval = "30s"; + alerts = [{ type = "pushover"; }]; + conditions = [ "[CONNECTED] == true" ]; + } + { + name = "dns01 external dns"; + group = "dns"; + url = "dns01.l.trux.dev"; + dns = { + query-name = "cloudflare.com"; + query-type = "A"; + }; + interval = "30s"; + alerts = [{ type = "pushover"; }]; + conditions = [ "[DNS_RCODE] == NOERROR" ]; + } + { + name = "dns02 external dns"; + 
group = "dns"; + url = "dns02.l.trux.dev"; + dns = { + query-name = "cloudflare.com"; + query-type = "A"; + }; + interval = "30s"; + alerts = [{ type = "pushover"; }]; + conditions = [ "[DNS_RCODE] == NOERROR" ]; + } + { + name = "dns01 internal dns"; + group = "dns"; + url = "dns01.l.trux.dev"; + dns = { + query-name = "unifi.l.trux.dev"; + query-type = "A"; + }; + interval = "30s"; + alerts = [{ type = "pushover"; }]; + conditions = [ "[DNS_RCODE] == NOERROR" ]; + } + { + name = "dns02 internal dns"; + group = "dns"; + url = "dns02.l.trux.dev"; + dns = { + query-name = "unifi.l.trux.dev"; + query-type = "A"; + }; + interval = "30s"; + alerts = [{ type = "pushover"; }]; + conditions = [ "[DNS_RCODE] == NOERROR" ]; + } + { + name = "dns01 split DNS"; + group = "dns"; + url = "dns01.l.trux.dev"; + dns = { + query-name = "${app}.trux.dev"; + query-type = "A"; + }; + interval = "30s"; + alerts = [{ type = "pushover"; }]; + conditions = [ "[DNS_RCODE] == NOERROR" ]; + } + { + name = "dns02 split DNS"; + group = "dns"; + url = "dns02.l.trux.dev"; + dns = { + query-name = "${app}.trux.dev"; + query-type = "A"; + }; + interval = "30s"; + alerts = [{ type = "pushover"; }]; + conditions = [ "[DNS_RCODE] == NOERROR" ]; + } + + + ] ++ config.mySystem.services.gatus.monitors; + + configAlerting = { + pushover = { + title = "${app} Internal"; + application-token = "$PUSHOVER_APP_TOKEN"; + user-key = "$PUSHOVER_USER_KEY"; + default-alert = { + failure-threshold = 5; + success-threshold = 2; + send-on-resolved = true; + }; + }; + }; + configVar = + { + metrics = true; + endpoints = extraEndpoints; + alerting = configAlerting; + ui = { + title = "Home Status | Gatus"; + header = "Home Status"; + }; + }; + + configFile = builtins.toFile "config.yaml" (builtins.toJSON configVar); + +in +{ + options.mySystem.services.${app} = + { + enable = mkEnableOption "${app}"; + addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; }; + monitors = lib.mkOption { + type = 
lib.types.listOf lib.types.attrs; + description = "Services to add for montoring"; + default = [ ]; + }; + + }; + + config = mkIf cfg.enable { + sops.secrets."services/${app}/env" = { + sopsFile = ./secrets.sops.yaml; + owner = config.users.users.kah.name; + inherit (config.users.users.kah) group; + restartUnits = [ "podman-${app}.service" ]; + }; + + + virtualisation.oci-containers.containers.${app} = { + image = "${image}"; + user = "${user}:${group}"; + environmentFiles = [ config.sops.secrets."services/${app}/env".path ]; + volumes = [ + "/etc/localtime:/etc/localtime:ro" + "${configFile}:/config/config.yaml:ro" + ]; + + labels = config.lib.mySystem.mkTraefikLabels { + name = app; + inherit port; + }; + + extraOptions = [ "--cap-add=NET_RAW" ]; # Required for ping/etc to do monitoring + }; + + mySystem.services.homepage.infrastructure-services = mkIf cfg.addToHomepage [ + { + "Gatus Internal" = { + icon = "${app}.png"; + href = "https://${app}.${config.networking.domain}"; + description = "Internal Infrastructure Monitoring"; + container = "${app}"; + widget = { + type = "${app}"; + url = "https://${app}.${config.networking.domain}"; + }; + }; + } + ]; + }; +} diff --git a/nixos/modules/nixos/containers/gatus/secrets.sops.yaml b/nixos/modules/nixos/containers/gatus/secrets.sops.yaml new file mode 100644 index 0000000..3a57713 --- /dev/null +++ b/nixos/modules/nixos/containers/gatus/secrets.sops.yaml 
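Review bot: `extraOptions = [ "--cap-add=NET_RAW" ]` adds a capability on top of podman's default set rather than replacing it; since the only thing this container needs beyond a plain HTTP/DNS client is raw ICMP sockets, drop the rest and harden it the way the homepage container in this PR is: `extraOptions = [ "--cap-drop=ALL" "--cap-add=NET_RAW" "--read-only" "--security-opt=no-new-privileges" ];`. Gatus keeps results in memory unless a storage backend is configured and the config is a read-only bind, so `--read-only` should be safe — verify the pinned image does not write under /config. Rendering `configFile` with `builtins.toFile` puts it in the world-readable Nix store; the pushover credentials are correctly left as `$PUSHOVER_APP_TOKEN` / `$PUSHOVER_USER_KEY` env references, and a one-line comment above `configAlerting` noting that nothing literal may go in this file would keep it that way.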
@@ -0,0 +1,68 @@ +services: + gatus: + env: ENC[AES256_GCM,data:Wx6rATQ7Q7XUh47ZyV19wXH6Rv1YY43Rd5ijFmFCK2cjQ0p6uVPJ/JQqtSd99daAmT0844ug6PTUGMiVajm+fFZSV9gi294/5s25OOVRZiL+QND0rHF0xPWEUnIsBNmvk1LV,iv:PLds5favGpAwJVmlQEYJaunkTGPQH+OtehP+fK2Gagg=,tag:VIf02wjvPG9MYPN+y9vyRA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDTWxxVitWUTMyTTB5LzBH + MktCV044YUMyZzRUc0dIQk9YVEJoUFhQZjBnCndXUG5vQW5aNlkyWWl4WHZ6RDcr + OU5RTFN6RHFkdlU4aUlDL3NSRVBxKzgKLS0tIFdtY2JZNlVKWHlGV1RESFhGK0V1 + VGFCU0hmRFBPR3pGSGxyOU9mcFZyMzgKCc2Ti52M0ZMibetv1pg6hiMSXfb6JdAg + ZYEmOfoa0yvrt8Hn1gmYDpBH4UPQRh8x9uIW1uR7kfOoWsjQPzwkrA== + -----END AGE ENCRYPTED FILE----- + - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJd29DMEMxbXNJcGczTEd3 + RGMvSEVuUEFzWklQTTBWck40RkV3OTF6d3lzCkNyNEFsV3Vua1JJeU56Mmhma2JI + K1pCcGZuS3BQWERtK28rYStHU29pNzgKLS0tIFFsMnlFblRhc2k4dlhFTnBIZjhY + WlRNbERzU1pxelZxVFlDbFdtNm53ekUKrK7AClzYOwTaBowqf0J6wg987MWSNydh + yOF4SbGj0LScSVz0ZM3wwaP1QFtI+ziojVuMd0sIuRZixUHkD3n25g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPbkdNMUlpY2IzZ1BrTVdi + cEFRTkFCMkpJeGhqRXEzY3ZaRHcxZVVDYWlrCnFBR2xrZDkyL2padmI3TkdYQ05R + SE1GQVR3OHdoRDUvams4Nk1vbEVVVEEKLS0tIFdCM0RDanBBbUdEN1lrSVN6TFVJ + ZGkydk1VVkZxZmlmVHg2KzdvNUtuYnMKRI7q8nyzq+Kqjx+9qJxXJ1YBSsOSFJXJ + ZzKYDf/OvQuqdOmsKOzjEOPANCgjbZ3w2no2A/lVyhiaYg1yQM6Vdw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiUUduTFhmNkhtZnU4R2ZK + YlJwUDg0c1REL2NoYTZPS0Vyc0lMNkNkc3pzClZNektlYkp2TkdtTUFGZUlwbkly + bmZ2Y1Z4MjBmZzZEVFAweUJHUU9KSWsKLS0tIE5NMkRIY3h4TGNpNnpkNHBDRTgx + TFJSU1VXVzBxWDh0RUYxc0NFamZEV3MK7sIQcpSrYSDjuliI/taIKzi9qryHt1dR + E7W433ZZykhKyRn5IYAOrOCabc5E5Ny7wyd7TjlJs/IqSB+16TII9Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVQlZXSnZoNFlkcDE0Q1Qr + TUFoYU1KRmp6aXY1c3FGeWx4RUQ0azJlYXdjCjFzQTF4S1VHUUNTaWloT1dHcnk3 + Qzg1dGVxa0V1L2tsUllDZzhnbjhBVzgKLS0tIEZYWkJpV1V3ZWUyLzAyZnhKVHU1 + M0xraFdna05SeHVuQXlsT2VmSW56QVkKAZsbdSvrzJDnxAY2PlM7re05GJvrElD/ + 74dbBdReIuLQZnanU5KRh5sp41HoxtK8vRBteZE+zy3vva5CIylKEg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1se7am4c5dh35aulf5zt38ymf600hz8gah4eudr9ml4fmr8h2eqxszuel73 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHSGY0UFA4SDlDYWMyN2xa + ZFFyemFMRjh3ZVBlUGpyYjNmWW03SlRrU1gwCll5elRzMjZKRjBmUkRNVDVVSGNx + K2lWUnlTL1E3RlJyMEdJQUZPaFJzTkUKLS0tIGhLWEF4Z1ZTNkZjeHl1WWloa3Rp + dE42TnhlK2szanphamFsZHl2V1o2OGMKpIS2v2mnofHOSpALJh+g9/2C3GIMH3oY + GuPsMaRCxUW1NAL/i5EjNKm8t3QKR9r+JnIwCTDNkQdG1N00gpUgRg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-10T07:18:45Z" + mac: ENC[AES256_GCM,data:0ECI2z14unAGgc2xcRdjjkaaAzi0c/x7V9HcTtB9tdMKZwIINHu+m1UC4SG+prRBuTX+7j4tpN343PzdgYzeXSx/aZlUDgc5cwPpgJyLhmIkDG8vPaKxcxtKOD5tHrnHe8tpdrZ3+/5NqneLPshlJZMX12PSpln50O8g9YPVKiI=,iv:5wGiTGpJ7+7U4XmRd6dH8455po/65XqT9+cdNxGuQwg=,tag:cXJ8sAEYkYDnZ6I/32y+0w==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 
diff --git a/nixos/modules/nixos/services/homepage/default.nix b/nixos/modules/nixos/containers/homepage/default.nix similarity index 51% rename from nixos/modules/nixos/services/homepage/default.nix rename to nixos/modules/nixos/containers/homepage/default.nix index 3cdaedf..04b25ca 100644 --- a/nixos/modules/nixos/services/homepage/default.nix +++ b/nixos/modules/nixos/containers/homepage/default.nix @@ -14,12 +14,31 @@ let cfg = config.mySystem.services.homepage; - settings = { - # title = "Hades"; - # theme = "dark"; - # color = "slate"; - showStats = true; - }; + # TODO refactor out this sht + settings = + { + title = "NatFlix"; + theme = "dark"; + color = "slate"; + showStats = true; + disableCollape = true; + cardBlur = "md"; + statusStyle = "none"; + + datetime = { + text_size = "l"; + format = { + timeStyle = "short"; + dateStyle = "short"; + hourCycle = "h23"; + }; + }; + + providers = { + openweathermap = "{{HOMEPAGE_VAR_OPENWEATHERMAP_API_KEY}}"; + }; + }; + settingsFile = builtins.toFile "homepage-settings.yaml" (builtins.toJSON settings); bookmarks = [ 
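Review bot: `disableCollape = true;` looks like a typo — homepage's documented key is `disableCollapse`, as far as I recall — and an unknown settings key is silently ignored, so the intended effect is lost without any error; `disableCollapse = true;`. The `providers.openweathermap` value is a `{{HOMEPAGE_VAR_…}}` placeholder, which is the right shape: `settingsFile` is written with `builtins.toFile` into the world-readable Nix store, so nothing in `settings` may ever be a literal secret, and a one-line comment above `settings` stating that would help the next editor. The `# TODO refactor out this sht` comment should be reworded or removed.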
@@ -55,20 +74,93 @@ let }; } { - search = { - provider = "duckduckgo"; - target = "_blank"; + datetime = { + text_size = "l"; + locale = "au"; + format = { + timeStyle = "short"; + dateStyle = "short"; + hourCycle = "h23"; + }; + }; + } + { + openmeteo = { + label = "Melbourne"; + latitude = "-37.8136"; + longitude = "144.9631"; + timezone = config.time.timeZone; + units = "metric"; + cache = 5; }; } ]; widgetsFile = builtins.toFile "homepage-widgets.yaml" (builtins.toJSON widgets); + extraInfrastructure = [ + { + "UDMP" = { + href = "https://10.8.10.1"; + description = "Unifi Dream Machine Pro"; + icon = "ubiquiti"; + widget = { + url = "https://10.8.10.1:443"; + username = "unifi_read_only"; + password = "{{HOMEPAGE_VAR_UNIFI_PASSWORD}}"; + type = "unifi"; + }; + }; + } + { + "Nextdns" = { + href = "https://my.nextdns.io/"; + description = "Adblocking DNS"; + icon = "nextdns"; + widget = { + profile = "{{HOMEPAGE_VAR_NEXTDNS_TRUSTED_PROFILE}}"; + key = "{{HOMEPAGE_VAR_NEXTDNS_API_KEY}}"; + type = "nextdns"; + }; + }; + } + { + "Cloudflare" = { + href = "https://dash.cloudflare.com"; + description = "DNS and security provider"; + icon = "cloudflare"; + widget = { + key = "{{HOMEPAGE_VAR_CLOUDFLARE_TUNNEL_API}}"; + accountid = "{{HOMEPAGE_VAR_CLOUDFLARE_ACCOUNT_ID}}"; + tunnelid = "{{HOMEPAGE_VAR_CLOUDFLARE_TUNNEL_ID}}"; + type = "cloudflared"; + }; + }; + } + + ]; + + extraHome = [ + { + "Prusa Octoprint" = { + href = "http://prusa:5000"; # TODO fix with better hostname + description = "Prusa MK3s 3D printer"; + icon = "octoprint"; + widget = { + type = "octoprint"; + url = "http://prusa:5000"; + key = "{{HOMEPAGE_VAR_PRUSA_OCTOPRINT_API}}"; + }; + }; + } + ]; services = [ - { Infrastructure = cfg.infrastructure-services; } - { Home = cfg.home-services; } + { Infrastructure = cfg.infrastructure-services ++ extraInfrastructure; } + { Home = cfg.home-services ++ extraHome; } { Media = cfg.media-services; } ]; servicesFile = builtins.toFile "homepage-config.yaml" 
(builtins.toJSON services); + emptyFile = builtins.toFile "docker.yaml" (builtins.toJSON [{ }]); + in { options.mySystem.services.homepage = { @@ -92,6 +184,18 @@ in config = mkIf cfg.enable { + # homepage secrets + # ensure you dont have whitespace around your ='s! + # ex: HOMEPAGE_VAR_CLOUDFLARE_TUNNEL_API="supersecretlol" + sops.secrets."services/homepage/env" = { + # configure secret for forwarding rules + sopsFile = ./secrets.sops.yaml; + owner = "kah"; + group = "kah"; + restartUnits = [ "podman-${app}.service" ]; + }; + + # api secrets from other apps sops.secrets."services/sonarr/env" = { # configure secret for forwarding rules sopsFile = ../arr/sonarr/secrets.sops.yaml; @@ -128,11 +232,6 @@ in restartUnits = [ "podman-${app}.service" ]; }; - # ensure folder exist and has correct owner/group - systemd.tmpfiles.rules = [ - "d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period - ]; - virtualisation.oci-containers.containers.${app} = { image = "${image}"; user = "${user}:${group}"; @@ -141,9 +240,13 @@ in UMASK = "002"; PUID = "${user}"; PGID = "${group}"; + LOG_TARGETS = "stdout"; }; + # secrets environmentFiles = [ + config.sops.secrets."services/homepage/env".path + config.sops.secrets."services/sonarr/env".path config.sops.secrets."services/radarr/env".path config.sops.secrets."services/readarr/env".path 
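Review bot: `emptyFile = builtins.toFile "docker.yaml" (builtins.toJSON [{ }])` produces `[{}]`, a one-element sequence, but homepage's docker.yaml and kubernetes.yaml are mappings (integration name → settings); an empty mapping via `builtins.toJSON { }` is the faithful "nothing configured" value and does not rely on the loader tolerating a list — verify against the homepage version pinned in `image`. Separately, the Octoprint widget sends `{{HOMEPAGE_VAR_PRUSA_OCTOPRINT_API}}` to `http://prusa:5000` in clear text on every refresh; if the printer can sit behind Traefik like the other services, point both `href` and `widget.url` at an https name, otherwise a comment acknowledging the plaintext API key is warranted.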
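Review bot: homepage mounts the complete `services/<app>/env` files of sonarr, radarr, readarr, prowlarr and whatever else sits in the elided part of the `environmentFiles` list, so every variable those containers receive — not only the `HOMEPAGE_VAR_*_API_KEY` entries the widgets need — is exposed to the dashboard process. Their contents are encrypted so I cannot tell what else is in them, but if they hold more than the API keys, split the keys into a homepage-only sops entry so a compromise of the dashboard does not yield the arr containers' whole environment. Also `owner = "kah"; group = "kah";` are literals where the gatus module uses `config.users.users.kah.name` and `inherit (config.users.users.kah) group`; use the same form here so a renamed user fails at evaluation rather than at runtime.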
@@ -151,11 +254,15 @@ in config.sops.secrets."services/prowlarr/env".path ]; - labels = { - "traefik.enable" = "true"; - "traefik.http.routers.${app}.entrypoints" = "websecure"; - "traefik.http.routers.${app}.middlewares" = "local-only@file"; - "traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}"; + # labels = { + # "traefik.enable" = "true"; + # "traefik.http.routers.${app}.entrypoints" = "websecure"; + # "traefik.http.routers.${app}.middlewares" = "local-ip-only@file"; + # "traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}"; + # }; + labels = config.lib.mySystem.mkTraefikLabels { + name = app; + inherit port; }; # not using docker socket for discovery, just # building up the apps from a shared key @@ -164,15 +271,28 @@ in # easier to have/move services between hosts volumes = [ "/etc/localtime:/etc/localtime:ro" - "${persistentFolder}:/app/config/logs:rw" - "${settingsFile}:/app/config/settings.yaml" - "${servicesFile}:/app/config/services.yaml" - "${bookmarksFile}:/app/config/bookmarks.yaml" - "${widgetsFile}:/app/config/widgets.yaml" - + "${settingsFile}:/app/config/settings.yaml:ro" + "${servicesFile}:/app/config/services.yaml:ro" + "${bookmarksFile}:/app/config/bookmarks.yaml:ro" + "${widgetsFile}:/app/config/widgets.yaml:ro" + "${emptyFile}:/app/config/docker.yaml:ro" + "${emptyFile}:/app/config/kubernetes.yaml:ro" ]; + extraOptions = [ + "--read-only" + "--tmpfs=/app/config" + ]; }; + mySystem.services.gatus.monitors = mkIf config.mySystem.services.gatus.enable [{ + name = app; + group = "infrastructure"; + url = "https://${app}.${config.networking.domain}"; + interval = "30s"; + conditions = [ "[CONNECTED] == true" ]; + }]; + + }; } diff --git a/nixos/modules/nixos/containers/homepage/secrets.sops.yaml b/nixos/modules/nixos/containers/homepage/secrets.sops.yaml new file mode 100644 index 0000000..76f56bd --- /dev/null +++ b/nixos/modules/nixos/containers/homepage/secrets.sops.yaml 
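Review bot: The commented-out label block should be deleted rather than kept — it names `local-ip-only@file` while the removed live code used `local-only@file`, so it documents a middleware that may not exist, and it is the only remaining trace in this file that the router was LAN-restricted at all. Whether `mkTraefikLabels { name = app; inherit port; }` reapplies that middleware is not visible in this diff; confirm it does or pass it explicitly, since the homepage page lists internal IPs, hostnames and widget endpoints.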
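Review bot: `--read-only` with `--tmpfs=/app/config` and the individual `:ro` binds underneath is a good hardening step; finish it with `--cap-drop=ALL` and `--security-opt=no-new-privileges` in the same `extraOptions` list, as nothing in this container needs capabilities. Two things to confirm on the host: that podman mounts the tmpfs before the file binds beneath it (otherwise the binds are shadowed and homepage starts with an empty config), and that the removed `${persistentFolder}:/app/config/logs` volume is really unneeded now that `LOG_TARGETS = "stdout"` is set — the `systemd.tmpfiles.rules` entry for that folder was dropped in the hunk at -128, so nothing recreates it. The gatus monitor added here has the same `[CONNECTED]`-only condition as the arr ones; `"[STATUS] == 200"` would catch a broken container behind a healthy Traefik.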
@@ -0,0 +1,68 @@ +services: + homepage: + env: ENC[AES256_GCM,data:9T4cgUUy631Hp9GRiR2N2MTJxOfiV/O3b0huRRTGH8vbgXZRbwn6xkE2hyJgvaPxLyybvcZSTMP7h73lqUuOiSl1FNlWE1QJpkkWew2XAbxSV7yYoFf573csD/fMnfDjS2CWjVR2fPbPUDfmFSx0nVjKo4k3zgDbGPTpiGXdVzN7OdvkwTfsMmpXL0Risl0a9NK7Iiriwk+Ieg5peJllxGlmHNgEnbgykZe0JjZlWbqg5KFmK+vN8cvSrlhsjfYeoVcTaSjQJ9SdeqQmRaThA9DE8cMY4dS395gWF6Y4hkmZ8uPrMnY9HIHn5qgv4LCKBL8UB8BaYH6yAk/zIFIRM3GEsLObMiHgUurgZDrrMFuzn46lngXBfUZp9bFYPJ5WEUEPrFaEeFVz3HHYbtSpxiGDfrDLmKNConC44G/sU0snMANUntvEpMXdhwBIzfhtPzu9XChYiVkvLOU28Z624UOYNd0tKLtZpFk9gME5nsIF5+Z6Rk+f5ycv6+h4Ruv0Yx1+I3pXsjiiio1CT6hh/D7nM3/SgbWp/LHMOtV0YKnvTL89BDmFMDZdy452dVSw+xOX9hE4L79HDThIYX2fZKQ8CkZTyE1f9/6cU03GDA893oQ6k9nG1cY1vW2zgQLXSnYR4hQ2HbUXOlpEAp1Nm6t5yVdST8bSGHvlV+Sn/JI4OFi7NgM+66Owf/b/SzuuhHUzfvtk6O3VEvyyOySA3GwRIwowsQydu4/QN7ZogJ5yqvCMTQU34J1WalRqM1dohnOXI84+fakdz1M2E68wMs1rIyuXa7w6Tn6DoE2nx7n1wQ==,iv:kaW+31hzliWY/sMZyVr8bIvAk0MwfLJVdHiRrcVICoQ=,tag:FPp+sn1AYVBJyLQy14vogg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhenRKQldGQkVlRmhKd1dY + R0lPM0FOekU4SWdIZS9oWU5nZlNsaTRua1MwCkFINGZ1cWhURUlLMmhqQjQ4blRM + eFR2anR6VGZFZy8wN28rNXhkbk9DcGMKLS0tIGxQbTV2eWNNbEg4Y2o2UGM4WmlB + RmF5Q1pFMGs1cVJqaHExL1Q1WVBDSE0Kc/gxa62PA75jGtLhhTlweL+1jbNA34UG + lAdqTDI81uQVHuX/K7CSffMSNa1dQR9BBwSmAI7FD1q+gdnx3qOXog== + -----END AGE ENCRYPTED FILE----- + - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKKzljNnRwWEpJUS84bGtG + QjVIL2xUZDhtVGozWE1Wd1h5NWNpM1gvRzFRCk9nN2ZQQWxSNU1URytqRTFQNU1k + WVhDWEVicENUZnlZODF6b0JDMUdoaWsKLS0tIGFiMUMzVExncHVmQU9ETDdYSkpa + YVdadDJDVWkyMXJ3YVhLUnJxUEp1bjgKRM5xrW3hl1RgcK0ynHSEnwV5J8uHyGiP + 8p5bnKrE5YYtBaK8d6O0evKgufxEhnajwvuOATlfbRBlmbce/BjhgA== + -----END AGE 
ENCRYPTED FILE----- + - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJR3hCVVlXZFU0UGsrckl0 + MGVDV0hSQVJqeTFraFFqK1I0emdxem9Ga1dzCi9HemtJMGNOenBVRzAzS0I1cUE4 + dGdoWnZXODVzRGtIM293R3F3M0VpcjgKLS0tIDNUT1Yvb2NKckxWMW9yYkJPK0hj + U2VhOUFXSnVtaHl6WUVBSVBXUHkvYVUKhHGoMsNhwnbq0YOTX7U9h119GxsYq+u9 + fwhkqozV8/yIH/pgu14ZKrXJyzXhC1jWgYXqhGVVzpuJelCg4V86cg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzZ1B3QjlrSHZDU3Y1bng4 + aTcvN3M5K0Vabm9wb21RQ3VxYkxJWnRVakZNCmVEOC9nbDlXaS9hUHk4blRValJO + THJ1ajEvbFVsN3FwU2ZBdkNudlhmU3MKLS0tIDFDL0ZnTE5IaHU5dUF5UVNzRkt6 + ZUh5MjNBeXNBa0JBWEhaVE90azMvT28KLd980Jlt+vkIKYuM3BbSBIEZjiec6s+i + 8/SKkpwuuzGPHEnA3VsV2a9o8ejzQOPFQjSbd2Fw8caKjF9T6KFqTA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLWlkzWmJBZmVFbU84SFI4 + ck4wTDc3Z0VGbmxRNGRKRkJ3Qmd1LytVZnlBCjErNjNSNy9nTTVMMzBMbWRUU2FV + SU1QeUI3bEpGV3ZCUHRFUWpsZHo3Z1EKLS0tIHZNd2xrT1hrKzhTWHU5STdyV3U3 + ZGd4SU52YkVNWHBkWGNvTjBDUXNsNlEKnLnev2PXIwVqUMqttGFQra3/pmHG2jhz + h6OANuguMMCasK1CaMY8s756Lm/7qgoCO1l8pnx2Effet514gR7Bbw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1se7am4c5dh35aulf5zt38ymf600hz8gah4eudr9ml4fmr8h2eqxszuel73 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlMDVnd3NmWWJUczhwb3hs + UVE3S0llK1FKL3ArYW9xWms2ZXhzYkJYY2xvCmxPTVlvY0tpcXRwTExmUm9WL3oy + bU54eEVtMkU0Y21BVDZ6Sy9YNkZWSDQKLS0tIGYvbUxzRXpRQmU1a0czVGRENXpj + dkNtZWNnek9uUnd1Z2U2enR4N1hqWE0K1Zu/GCw/aIPkXvWmVSxqZwBSnagjXS1J + uyefLabImtdR4FjWSPsldIACH1zi69ucaXTccQptrxqABzqltjBXxA== + -----END AGE ENCRYPTED FILE----- + lastmodified: 
"2024-04-10T07:18:45Z" + mac: ENC[AES256_GCM,data:aKCkHTYBHaSZpn43uI6Ihws2CETNnbsKvR4+BkqbHd1FpPrZ4V1wojaPcQSFNULgYmAnQM6MJD0may6OGt9Ux16U/ygytCt1BMVTMhxihb2R9IdlQxxDnou56e+E/jTjwIei2yr2RBxra+d47NbF6domaQ66DoIAmGELPfqcOg8=,iv:wyLUspsNZsYQMcqzl6UT6TcURYGLkUnU616xb8huqho=,tag:APVPI3+Lhvvw11sHIs33HA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/nixos/modules/nixos/containers/qbittorrent/default.nix b/nixos/modules/nixos/containers/qbittorrent/default.nix new file mode 100644 index 0000000..7351115 --- /dev/null +++ b/nixos/modules/nixos/containers/qbittorrent/default.nix 
@@ -0,0 +1,71 @@
+{ lib
+, config
+, pkgs
+, ...
+}:
+with lib;
+let
+ app = "qbittorrent";
+ image = "ghcr.io/onedr0p/qbittorrent:4.6.3@sha256:a4ad890e8c4a287c17d12ca22eb1d84a046aba2efbd882bf7d6eb12459f6a70c";
+ user = "568"; #string
+ group = "568"; #string
+ port = 8080; #int
+ cfg = config.mySystem.services.${app};
+ persistentFolder = "${config.mySystem.persistentFolder}/${app}";
+in
+{
+ options.mySystem.services.${app} =
+ {
+ enable = mkEnableOption "${app}";
+ addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };
+ };
+
+ config = mkIf cfg.enable {
+ # ensure folder exist and has correct owner/group
+ systemd.tmpfiles.rules = [
+ "d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
+ ];
+
+ virtualisation.oci-containers.containers.${app} = {
+ image = "${image}";
+ user = "${user}:${group}";
+ environment = {
+ QBITTORRENT__BT_PORT = "32189";
+ };
+ volumes = [
+ "${persistentFolder}:/config:rw"
+ "/mnt/nas/natflix:/media:rw"
+ "/etc/localtime:/etc/localtime:ro"
+ ];
+ labels = config.lib.mySystem.mkTraefikLabels {
+ name = app;
+ inherit port;
+ };
+ };
+
+ mySystem.services.homepage.media-services = mkIf cfg.addToHomepage [
+ {
+ Qbittorrent = {
+ icon = "${app}.png";
+ href = "https://${app}.${config.networking.domain}";
+ description = "Torrent Downloader";
+ container = "${app}";
+ widget = {
+ type = "${app}";
+ url = "https://${app}.${config.networking.domain}";
+ };
+ };
+ }
+ ];
+
+ mySystem.services.gatus.monitors = mkIf config.mySystem.services.gatus.enable [{
+
+ name = app;
+ group = "arr";
+ url = "https://${app}.${config.networking.domain}";
+ interval = "30s";
+ conditions = [ "[CONNECTED] == true" ];
+ }];
+
+ };
+}
diff --git a/nixos/modules/nixos/containers/sabnzbd/default.nix b/nixos/modules/nixos/containers/sabnzbd/default.nix
new file mode 100644
index 0000000..b15b986
--- /dev/null
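Review bot: `QBITTORRENT__BT_PORT = "32189"` sets the BitTorrent listen port inside the container, but nothing in this file publishes it — there is no `ports = [ ... ]` and no host-network option — so unless the shared containers module maps it globally (not visible here) incoming peer connections will never reach the client; either add `ports = [ "32189:32189" "32189:32189/udp" ];` or leave a comment on that line saying where the port is exposed. `pkgs` is taken as a module argument but never used. The `0755` persistent folder and the `:rw` mount of `/mnt/nas/natflix` are the same shape as the sibling sabnzbd module, so any tightening should be done in both at once.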
+++ b/nixos/modules/nixos/containers/sabnzbd/default.nix
@@ -0,0 +1,72 @@
+{ lib
+, config
+, pkgs
+, ...
+}:
+with lib;
+let
+ app = "sabnzbd";
+ image = "ghcr.io/onedr0p/sabnzbd:4.2.3@sha256:bb20d3940ff32c672111ad7169ce4156f1c4c08bb653241f1b14f6d00f93b3cc";
+ user = "568"; #string
+ group = "568"; #string
+ port = 8080; #int
+ cfg = config.mySystem.services.${app};
+ persistentFolder = "${config.mySystem.persistentFolder}/${app}";
+in
+{
+ options.mySystem.services.${app} =
+ {
+ enable = mkEnableOption "${app}";
+ addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };
+ };
+
+ config = mkIf cfg.enable {
+ # ensure folder exist and has correct owner/group
+ systemd.tmpfiles.rules = [
+ "d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
+ ];
+
+ virtualisation.oci-containers.containers.${app} = {
+ image = "${image}";
+ user = "${user}:${group}";
+ environment = {
+ SABNZBD__HOST_WHITELIST_ENTRIES = "sabnzbd, sabnzbd.trux.dev";
+ };
+ volumes = [
+ "${persistentFolder}:/config:rw"
+ "/mnt/nas/natflix:/media:rw"
+ "/etc/localtime:/etc/localtime:ro"
+ ];
+ labels = config.lib.mySystem.mkTraefikLabels {
+ name = app;
+ inherit port;
+ };
+ };
+
+ mySystem.services.homepage.media-services = mkIf cfg.addToHomepage [
+ {
+ Sabnzbd = {
+ icon = "${app}.png";
+ href = "https://${app}.${config.networking.domain}";
+ description = "Usenet Downloader";
+ container = "${app}";
+ widget = {
+ type = "${app}";
+ url = "https://${app}.${config.networking.domain}";
+ key = "{{HOMEPAGE_VAR_SABNZBD__API_KEY}}";
+ };
+ };
+ }
+ ];
+
+ mySystem.services.gatus.monitors = mkIf config.mySystem.services.gatus.enable [{
+
+ name = app;
+ group = "arr";
+ url = "https://${app}.${config.networking.domain}";
+ interval = "30s";
+ conditions = [ "[CONNECTED] == true" ];
+ }];
+
+ };
+}
diff --git a/nixos/modules/nixos/default.nix b/nixos/modules/nixos/default.nix
index a67b19e..c1cc75a 100644
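Review bot: `SABNZBD__HOST_WHITELIST_ENTRIES = "sabnzbd, sabnzbd.trux.dev"` hard-codes the domain while every other URL in this file is built from `${config.networking.domain}`; on a host whose domain differs SABnzbd rejects the Host header and the web UI behind Traefik stops answering, so `SABNZBD__HOST_WHITELIST_ENTRIES = "${app}, ${app}.${config.networking.domain}";` keeps the two in step. The widget reads `{{HOMEPAGE_VAR_SABNZBD__API_KEY}}`, which presumably has to be provided through the homepage env secret introduced in this commit; a comment on the `key` line pointing there would save the next reader a search. As in the qbittorrent module, `pkgs` is an unused argument.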
--- a/nixos/modules/nixos/default.nix +++ b/nixos/modules/nixos/default.nix @@ -8,12 +8,13 @@ ./de ./editor ./hardware + ./containers ]; options.mySystem.persistentFolder = lib.mkOption { type = lib.types.str; description = "persistent folter for mutable files"; - default = "/persistent/nixos/"; + default = "/persist/nixos/"; }; diff --git a/nixos/modules/nixos/hardware/nvidia/default.nix b/nixos/modules/nixos/hardware/nvidia/default.nix index 0d9a4e0..a66ce0d 100644 --- a/nixos/modules/nixos/hardware/nvidia/default.nix +++ b/nixos/modules/nixos/hardware/nvidia/default.nix @@ -19,6 +19,9 @@ in driSupport = true; driSupport32Bit = true; }; + hardware.opengl.extraPackages = with pkgs; [ + vaapiVdpau + ]; # This is for the benefit of VSCODE running natively in wayland environment.sessionVariables.NIXOS_OZONE_WL = "1"; 
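Review bot: Changing the default from `/persistent/nixos/` to `/persist/nixos/` silently relocates the state directory of every host that does not set `mySystem.persistentFolder` explicitly; after a rebuild the container modules' `systemd.tmpfiles` rules will create empty directories under the new path and the services will start without their previous data unless it is moved first. A sentence about that migration in the option description (or the commit message) would help, and while touching the option the pre-existing typo `persistent folter` in the description could become `persistent folder`.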
@@ -52,7 +55,27 @@ in nvidiaSettings = true; # Optionally, you may need to select the appropriate driver version for your specific GPU. - package = config.boot.kernelPackages.nvidiaPackages.stable; + # package = config.boot.kernelPackages.nvidiaPackages.stable; + + # manual build nvidia driver, works around some wezterm issues + # https://github.com/wez/wezterm/issues/2011 + package = + # let + # rcu_patch = pkgs.fetchpatch { + # url = "https://github.com/gentoo/gentoo/raw/c64caf53/x11-drivers/nvidia-drivers/files/nvidia-drivers-470.223.02-gpl-pfn_valid.patch"; + # hash = "sha256-eZiQQp2S/asE7MfGvfe6dA/kdCvek9SYa/FFGp24dVg="; + # }; + # in + config.boot.kernelPackages.nvidiaPackages.mkDriver { + version = "550.67"; + sha256_64bit = "sha256-mSAaCccc/w/QJh6w8Mva0oLrqB+cOSO1YMz1Se/32uI="; + sha256_aarch64 = "sha256-+UuK0UniAsndN15VDb/xopjkdlc6ZGk5LIm/GNs5ivA="; + openSha256 = "sha256-M/1qAQxTm61bznAtCoNQXICfThh3hLqfd0s1n1BFj2A="; + settingsSha256 = "sha256-FUEwXpeUMH1DYH77/t76wF1UslkcW721x9BHasaRUaM="; + persistencedSha256 = "sha256-ojHbmSAOYl3lOi2X6HOBlokTXhTCK6VNsH6+xfGQsyo="; + + # patches = [ rcu_patch ]; + }; }; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; diff --git a/nixos/modules/nixos/services/arr/lidarr/secrets.sops.yaml b/nixos/modules/nixos/services/arr/lidarr/secrets.sops.yaml deleted file mode 100644 index eb80106..0000000 --- a/nixos/modules/nixos/services/arr/lidarr/secrets.sops.yaml +++ /dev/null 
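Review bot: The live `package =` expression now carries a commented-out `# package = config.boot.kernelPackages.nvidiaPackages.stable;`, a commented `# let rcu_patch = pkgs.fetchpatch { ... }; # in` prelude and a `# patches = [ rcu_patch ];` line inside `mkDriver { ... }`; commented code inside an expression is hard to read and git already keeps the old form, so drop those and keep only the wezterm issue link that explains why the driver is pinned. Pinning `version = "550.67"` together with explicit `sha256_*`, `openSha256`, `settingsSha256` and `persistencedSha256` is the right supply-chain shape; a one-line comment such as `# all five hashes must be refreshed together when bumping version` would save a future failed build.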
@@ -1,59 +0,0 @@ -services: - lidarr: - env: ENC[AES256_GCM,data:QMvX7WRcLegLbHS7JQm8rcyc9ac12Urj29Pkv8socA2kvgL0TI1w7jL0qhXLNUmCJmtcvhCwNL91lN/5UOFFWxEVzUcJEWvY7NmHi9twSXT6evOej3Q1qALO+xG6ZAuKTc5EHlqPx6aUnSdt9rU=,iv:myoud9cBoCQ2AIsD2zJAMaqB8Uyp9PwEgSAIJofQk3Y=,tag:llN0afX1zpvij44Wk9guJw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoeFc1WkRCejJPN2VsK1BK - K3V5dWxHc3RxL1NzVUtXcmxsSG1EZnJqS0dNCnVkbExwK1dMR1ZuNnc5TWcrNmdL - R2xzR0xXSktHVEJwWVdIU2JSbHR0UjgKLS0tIGtmVSs2aGtVQnZtYURBRDdVdjYv - ZEIwTUtSeEVDeEMzeUFKazFFQzhXdFUKAlFKK2unF7tfjFAznL+MmsDOVG7w9clb - j4UVT8hVYySnRmoEivKPmmPrkIgsMvlewFyViL9m8XoiZ8BOGIApRw== - -----END AGE ENCRYPTED FILE----- - - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLUWhyMnh5RzFua3NHMXMy - UUM0NEd1NGFvbzlzMTdmam1NdWRDRXFDdlJJCnZkdFg4ejRCSCt6TWg4QWl5KzFu - MTIyTGZuc0JvQWU5ZFdEY0VWeGZFTHMKLS0tIEtrRDdkQWFMOSsxdkg5dkx3aXhQ - ZFlpT1d2d3dYaEhpOVRqWkx1Sk1nYlUKABWHbKvk7XqRdRHmaPfGMBs2j0KJSY1z - eZJXlXFMY/WLLf3FkvVsU03DBxnDzi3NIDhNkZUf1uywVfIV6G2FNg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwT2VvYWpmOVlHSHBiM29M - NDdNbjZKb3M3TXRMeUUyVEsxekNFUXZGNlI4ClBoQjVYSTJaZFplRnBwb0NQZFFm - QXN0ditMUU12ZkhIMHhPQy92Nno4MUUKLS0tIGVIWUk5YWxrTFg3N3NOZEJJNW9R - VWJJT0hkeVB6d1B4QldyY01sdU0rSVkKlDsj2lmzB0E9FpESBzDDLieJ5uLtspSf - vnPNi6J3EznHAcO9CoXejrbkEEBTafueAx6/U9T9nzxkAhNFt7wYdQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrUTlNUE1PczRlNVJ0dnlF - aG5id1ZERE83TEdqWUdXQ2V0K3VXWENacDBBClcvYVFvZVRYTVA3bXdUblYzeFBR - VzdBdVVNSGxCbG9yVmVQbnZmK0ZTVDQKLS0tIGl4WUFxOVRlOWZsaVhaKzR1UmhZ - UlRkM1NqT1BRY1U3ZGVwS1NIeG5hZEEKo9yIGo2q+XemTtqsVRUGZol+ToorrA7s - LKQTB92x6ZIL1Nc0ssXNppTDxDWnIl5GMGlQliwCVmtc9+IhXAjNOQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0ZUN2d1FJRUc2dWhaR0lz - VUxDK3VSKy9aNmxoWW9leUZibFlJYXVPWkFnCmY0ODYzeWYyWVdmdXdoNFRQUno1 - b0lWeHdpWERVczJTbXpjMEpxT2dNUTAKLS0tIE1odzZ1WVFNdEJIclZFL3UvMjFV - Y3ZhWHpVb0lLL09xOU1rZllDRVNXSFkKUXNaWZt+lOv0D7gzh6DLSn0bHmhKNygC - L/jFAJUkya8fsdqOfLpxzprLrJ8tXlEyCIBkz/6RPTQO82hbB0vXRg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-04-08T02:06:18Z" - mac: ENC[AES256_GCM,data:Hul7Mj+gIPXdDLInM+bSyMr/2cw7XGoIKxB1IGDbW6fnJAt91fdgl8t3g4C35h0W9lFV4nIbWB8BolIq2gX0AfAqVyiL4WiEbVodJlwhVS4I/lha3gTfST0n8H4rZCeLFaDe4JKyhcfvFa+mCTS0mwtgtcRHDi2TLa8AP+Ue5dg=,iv:/fkQeo6T72WKKXjhaywSyPlj27Npg1DA+ktihR5jN9E=,tag:gCRJzcLT65q58rbvSf5BCQ==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/nixos/modules/nixos/services/arr/prowlarr/secrets.sops.yaml b/nixos/modules/nixos/services/arr/prowlarr/secrets.sops.yaml deleted file mode 100644 index 73b2195..0000000 --- a/nixos/modules/nixos/services/arr/prowlarr/secrets.sops.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -services: - prowlarr: - env: ENC[AES256_GCM,data:zzyYxJrgKQJg9IgWdRePrw6yY4OfM4CjX1yHd3xM4+Nw2CqQlfkKvFkoTerDFlOFKvYZB30JOgExdtv9fAFdXUWoKeuqTyliQZG71SGcQrnkikrSzgBfuiKF2vsXiLlDzG1zWGAhnqQsOpymf9u1jAQ1,iv:BYybV11VMWZUaFPsUvrb7OpAr/ypqpGvQsG8+UzuZJc=,tag:hNpX44HPSN+ZoPmDHiKYBA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6WS9DU3JmV3d3aklRSXNF - clJpOUJyOWN2eXJDQkNxOVBVR2dpY1NOTkRvClpnenViWEY4VmNJaFZPN2RLTk5D - cThTRy9LOVVJT2xZUUpoRzZQZS9SVm8KLS0tIE9iVkNWb0dwK0ZndW51aHdMVFBX - SEVkRDNtZEgwajlOQ3RITmFZMnNoZFkKcvUmNpFMk51aWGjWvzzg4QJ9JjRmOaoz - aQtrZB4rZ0etRK5qn7ax/uzCnG5P21hcZePm70v0b+TZnVDuDLHmbg== - -----END AGE ENCRYPTED FILE----- - - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBidDZZdzBkYytsekM4TEt2 - Rkw0blVjTnBwaWFzd2RyUVM1Rks0ODJYRXpNCmdwWmt2dnBwSFJBTERYUFdMb0wv - T3JOYUwrSVFhdjVtZjlpcEkyY2hveG8KLS0tIDNaREVmb3BDa2tlbHpOM05pMWZh - Z1hPQ1dBbUlxZDBhRXBWSnk4NlBiRG8KL767jh7h/YJBfMttJSgdSP9iPgMg1/Za - sIJ2Z7wUcmnYAKaQh9Ol2xgzOyWhLOM+Tj4DuJvyZVgMWlhHLgrdFw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKQ3FKMXJGQmcxTU5XSmZr - RFRRT3Rib0tDckN1ZWNFT3Z1TC9hdUw4aXlNClRFc2p3REptR2ZWYW8xVk15Q0Rh - Rms1TWdtREFybHNaTWZWaGZmYnJUMVUKLS0tIHhsKytqakxXNnJYd3ZvMGk2RVNj - bmpCbEw2bDFQOFFwelFrUTcyemlCU28KoxcnwQIJigjDi4a7R3PzlLKjPOlovuT1 - 8N8sxfSV6FrdyyrDF/ey8K3zWlig/yrRLpgCSlNMzw/3VRZI/gMI4g== - -----END AGE ENCRYPTED FILE----- - - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4VEZ2bkFJTWo2VGV0OXpS - OGc4YkhZS0tuTUxBNUM4K05HZWpmTXhwVGhFCmVIVUYzRDdBNC9sZmdzL3I3K2NG - TVo5djUva09xR1g2ZEN3NitBN1d2cGsKLS0tIDlDMDBGbTFTUXgwYUQzaWh0MVJT - SGFnYW9DTWRrUlBQNjJsN251L1Ayam8KhQ4Qr3JMsy4w6gl1Fym6ejDtzJSgZ+wm - 6+F1PJw4xWzwHVZe3INAK3hMglg/o21u2lX9u9Rm7aKsSm/p/nNr6w== - -----END AGE ENCRYPTED FILE----- - - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYZHU0NjF5Z1JFWlBsblpJ - MXJjZCt5eU5YSCtWRmpQQ2NkTDd3VXJaekIwCjY0b0xKTk4zRWxqdFF4KzJWdStl - bkp5bXpDYXl2MXZvNVJJNCtRazhnK0kKLS0tIDV6MnR5RkZRYUNCcCtmSHJhQzlq - aGJLM01UMzFOcjZqeUtCL1lTTEZZSlUKQrhkgXiRjT7lQoTdMKv6V4famp3p8/Ca - Qc+xgxh4VwIqa7hcQoqneaWRFxjVeYLEwM5JbBaqkIYfIGZFZG+3rg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-04-08T02:03:18Z" - mac: ENC[AES256_GCM,data:+V/l66ndBKtXe1W3gdsAPA335OQRm7Why+O++bL/eMjzgTWb7NJaQSgBQ1MV0K5/fOhzTtgTu/eSoni4DQwaotuzILlXix0BW6HZ+OxFWCGucPEce9KXYWFLhKJmbEqXJCxo+Gbnc0TJ50JOXIpWevoCsEoOp26NUaHcoX9uw08=,iv:hhluUr9R8cT/uYKoRPoxRmBuEz0+o/S50kGV74rbK5o=,tag:/beFhlp0k0k3EjlWrSwSjA==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/nixos/modules/nixos/services/arr/radarr/secrets.sops.yaml b/nixos/modules/nixos/services/arr/radarr/secrets.sops.yaml deleted file mode 100644 index b599bb9..0000000 --- a/nixos/modules/nixos/services/arr/radarr/secrets.sops.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -services: - radarr: - env: ENC[AES256_GCM,data:582m9MfhLUMDG7Kbu4ePV5EmOTpHhXZojxaqjNeAFhHo2yzNpWwKf8sESUJlo5JgZevyKcjxJOM0ZujwVEqKe5MP74uPOsCUPgPZoo17sf1VGgfE5uyowJX0XCcnXn403k3gASDZacKTGDHpOQ8BJdoKKJbRffx8wYGeX8UtdevUP/284gU1kuCgL9DQRieNGyoFTi7ltudg/N7t0pg/9LCq31A1amn3Zb+sDHQdEFSWYO6qKibW2eGBwvz0jNQ2f6Si47msw+wX3O/6OXGF,iv:OuFoJOglImRcbOZgSdUR3Ijfaoj7fC2Sfvw/hWoG4iM=,tag:cZVNBBU8WfZVVqk+4d+IWQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5TzlaRncyMUtiR0prTzhG - SDJ2TU8rK3E5VHB5QjJhZjZNZWs1cmVuSlRZCnJUQTZpVE5HMHpHQXFkUFRRNUtv - K0hzckxFb1dyRGJ1ejRWYlpabThTeU0KLS0tIHk0NXRPaVUrazVzMTlmWFViSHJI - SVE3Z25lVWtwdHlxNTJMSk9laDRvTUkK4t9ZdoH6JUMMR/p6gQc3jfAGboGeR31X - gvrbz2Q+cp8YSyI3XrAVJG3/HqqO99bx8BSWwIqnSk1iOIl6qrwYpA== - -----END AGE ENCRYPTED FILE----- - - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGKy84ck1CWFlhQUdwYTVZ - eU5hdEprQW12d01lN2tLSnl2RTdTODJlWUQwCnpxRnJ0ZHNDMEYzZTRBMHhoc0hq - MHB0aGFRNGRwdmlIV0RoK0Z6b04ySWMKLS0tIGlZZGNZbnF1M2FLRVJvdkVuVnJ2 - bGZFc2pQK2xUQUk5WVVMbVdsRWU4OXMK2CGUFSLA5omweArXyHmi9eewDua+8o9G - 44rzu4oS9Uwcaq92Z6XyoJqWvXnFmW+pUPDBq36MlY7fanVdoaXBhQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4cVRaTUNhUGJOYVZ4Mi9n - aEk4ZkZ2VjB4NFpCbjFtK1JQVFI5dnJHVlJVCkRrN2dRUEphZVdDa0N6VU11QlZs - cVhaYzQ4a0o5L0JWZ1kzMXBOSUV0ajAKLS0tIHljYVNwQ2QxOENQSFY2RldQV2Jr - N0JpbUp6TnNLWXAwYUFuN2YrQmN1VW8KyJA7i+CZH2zRhK+vvPao2xMlxD2vm+yD - aJCTO+EwL0T0imhg7DDHhgwoAUCQTc89qwBkj84JeSGBD8nSxCOtUw== - -----END AGE ENCRYPTED FILE----- - - recipient: 
age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiZkdvM1dnT2VyTmpCdFp4 - dFdWaEQ1aUVNYUVkclRXd09pS2d0bmNmUVc0CitvQTdCZ0hwa3NuTFQyeWN5bmRM - WlcrMTZETVNZSGZXNzRaa3lZOVRoVkUKLS0tIHAwaUpYd3Jsb1ArT1U0Qm54WkNP - YUY5N25qWkx3cHJIS0NBYSs5MXhkWncKQjlZaY1AO8mpqZaIjwMGBKHnZMQyzJm+ - A4+B95P8DBKuZTJjHwVrjVvWfFFL3XglmftbiDyHL/WjRUGCL332Vg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5QjUvYmFoNGFDRWFkN1Qx - Ti9iMVJQZHFrYzN6S0hhaFkwRE5tUTRYcXpFCjhhZElEVFlhbyt6dkdvUFM2QXhr - QktxSzdIWi9YUHpYS0lPbEJ4Z0tMNFUKLS0tIDg5dG16d1NJblprY3A1ZDdhTTBh - SS95dStzKzI0ZFVDcURxd2k5UHduYUkK/NQCeduzIPws13zJmBD0NGSbfb0iHrfQ - UxXWyesEZmItT0LorZp+PL5iYZ9Iax9DONe9CKN9fOxS4G8x8U9cDw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-04-08T02:05:52Z" - mac: ENC[AES256_GCM,data:Z5USXKjnL5PhpC1GRftGuBukjmAVc3VXnBG//qwrJUryC4WoxJExsmJ9okS9CWeNiPy1EoPbNx+7v1Xlnbgg/5op+unLCufc7lb/hRZc89umQEkVt9XWyCQvd5Ar6PCmGwkP/oG2zoTAYXEg9njyO9ae7F++EJNpa92VstvfWtI=,iv:by6YKmRDnOaoneEVbGzx5jbCxesv8K2XJxZg2LjnzLQ=,tag:y1IZXfVOuMvqr6dHKA5oTg==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/nixos/modules/nixos/services/arr/readarr/secrets.sops.yaml b/nixos/modules/nixos/services/arr/readarr/secrets.sops.yaml deleted file mode 100644 index 7c13e8b..0000000 --- a/nixos/modules/nixos/services/arr/readarr/secrets.sops.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -services: - readarr: - env: ENC[AES256_GCM,data:+ZpTnRHTU8cQQKouzVEXTlk4mq27wgV135YDwQNh3Jp45Woj8czlliuR7SEr86dvTYOord5jtFUJzYcOli9+0H0JynJNiUT1ZkY26gnD8tDJYK97vrLAKgfZVbxcdXsJaRD0q9CGwbQrPWiXkMZLNQ==,iv:GhTkFKT3G8XXu4D+UUwfiVGz6NgRcS4tKIqQZWgYyI4=,tag:LettwkiVj31G8KL8nLr83Q==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlWmt6Qi80bkR1Y1pnSG8v - d1owbWxJL0s5M3NmUGd6dnRaWXpwT1JrdHl3ClEwL2pvakNNT2pqU2lWdkk5ZzUx - UFQyRzB5NFVxc056N1ZTbUpISGFKVFEKLS0tIGlmZmJUR1REOWl3anh6b0JYQmo5 - bmt0S0ozR2d3eGhWa1g1NHJhYW5jKzgKSoY7i2uMbzFJiWRCoxhMqul0GJpUAKcd - fMPyg09a+pmAeoEKSxSpC3z6OR1CLAyr9Yo9FIsIYBS2jRPwwwCXOA== - -----END AGE ENCRYPTED FILE----- - - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQQ2tLVkp4MFBkT2pueHBF - dnJ0TUlhZUpjakJEU0NmMkpSbVg1Um9SeUhFCkV2azN4L3IyZDhrQ2hvQ1NEMGhw - d1NXaVVHOWNGSGZuS2xuVUQ0Tm04NE0KLS0tIDNJWUJJaVdLaUxSS2ZwM1h4UTFH - OXpzREdpWitzZnd0cDZ6WVdacmh3MEUKxB4dMNuaFXYRtt33tGpR03mHhPRho8oO - uwSFpJSK+s50T6eQQeDH9E/6JsJSiH4haVV2MWgTZ2IgqEwZ6Wc5nQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSem9EVzZmNXh1eGxhZ1ZD - WXkvNGRZbkRaZ0l3R0s3d3hQN1VjZThMRzJVCmZkb0M3aTF4UFdKUCtXSmpDbVpQ - T2h5K0lIdWNWcVFmc21VblBaVjhKemcKLS0tIGNCQUVRbkRlZHpLRGJjbVFyMWRy - djJPMXpvU3d3Y0dXeDdRTHVtWjNUT3cK+3O7uXPkdxN5ksKs+OVOmRzAMCXP+sYy - kA6JCOYMu1CInY3GzKHs93fl8B5BixZy+pHDqMfix6eWrVrGICMvXQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzWGNtWmREZ0Z3R2V6U0xU - dlhLKzhRRkJlV3BvUHJVazNMYjZTOXQ3dnlVClk2V08yYkVHNU5qYXo0ZmVhdVZB - cG1XWTd2V2xjUFZESktZbU5NWnU2TG8KLS0tIDdoeHA5WktCSXZsOWp3a2VIMTlw - bmFqTHZRQ0ZrcERWVlBmb3hCTnhYQVEKLKJ6r3t6YZmq5U0ncsepBjbxD6DtEjly - ++ayk7xxfFKi9XgaMItDAXC3/dldPg2fS8kjbRlXzq2TQPOhweWm/Q== - -----END AGE ENCRYPTED FILE----- - - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzcGF2Zjl6aGl2azRKRE5p - ZmdLWWk5WWcxM0FkdUlpNTYvUW54ZFQxMEYwCnY0YnA3N0JhQTU5eXltUEFkZDla - T3hBQThKUFJqUy9pdGJKYnNDYnRwQ3MKLS0tIHRRODc0OWl6MzhvZUtndUtLUW9l - RktMK3ZQOHJLd1M0aHJadGk3Y2krQ2MKQDDFKPzL4/2l+MepcvQpx5UHPeVXU2tJ - 6cl6BJ2/mZAbp2136W6/JwpE8lTkk0WUyT7/s//RjO57F3qPXZxA7A== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-04-08T02:00:29Z" - mac: ENC[AES256_GCM,data:2rsGhSOFbqv8GdvQzL6ieXqq5sIs46ojdgal8BiWNBZfV7oadubWIaB0rLdjpeiaqvjQLICyUekc/JiXhXG7mO1jhTlIkjP9TDbszbNB4cwuf1H06DN4DrkxeboF0X0vytCZ8AQFVwjbD1ghGvd0CmDgtCSHzaHzZ6iDBeey+zo=,iv:e/bty/8FnMcG7NOoiFi4zRTwKGI4iiDsaK6JVfEqfpo=,tag:C3GIgRanRUkQ2Lxb/wML1g==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/nixos/modules/nixos/services/arr/sonarr/secrets.sops.yaml b/nixos/modules/nixos/services/arr/sonarr/secrets.sops.yaml deleted file mode 100644 index 7cea01a..0000000 --- a/nixos/modules/nixos/services/arr/sonarr/secrets.sops.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -services: - sonarr: - env: ENC[AES256_GCM,data:Lg92wQkiBY5gBZ2+ckLs7EBPo/0fEwqhEvnWcnU5quUMNlJeWnjWFqU8qu1TaW0Vmux/A/QgIJAiYgWnbQuD9benOR2swkt4+DazSeC+35VQOTbegVDrH4wiJikTHTtoKpgSKHLBQAy113jaDL/RBFRpsSjsXEsGGu+G+GZ1MFcW5hRbYam1o62NqOAG66efcIGXv8T+sD0ouLcN2g9ZjU2QqUqJqsGBtg1d0SIVj9bNW2vUHHmMtIQBTxfR6S5V3tzqjP2EfzaT/gDSPPJg,iv:e9/vpvTFDixP07fVXutIhJcAg8Qb9d7fVJNmn+XhMjU=,tag:7MAF0kHvcf5VDUMCpJATVA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvYTlNSGpIclBoWVlWWDBz - ckVZQWdndVBreDRXV3k1UDhxR0Y4R1J5blNBCmh0RmtwbzMrcGxLL1FoQVBjSVUy - QUxPUXJmaFYxRXFFb0lTQ2JHd3M3aFUKLS0tIEZ6UWJOVXp1VE1XTnhzQVhGT2RS - MVhTTE1JbU5rZnZjUFI2NDNkRUEvY0EKxglGGpDa8xY9w9VKayRF2Oqjv+UhDiLY - 3uPQWLasVcQviZE7AqG5n8azLTaX5DEoAOVFDCnhJYjU9NatXhcutw== - -----END AGE ENCRYPTED FILE----- - - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkdU84WkVMVWl2UXQ2WHN3 - ZE1IbENMU0JlN0pPMTZSeHFPdW5mN1NhcUVRCkovcEJSNm9FWU9LdWk2aWRMbzJO - b3VoM0F5VWxSU2I1UU9lblMreXNvcjQKLS0tIG9hSVk4RzRzbVgyektXQ1lkcGF6 - Q1FLdWZGOUFqWm9Hc0NDVUFFczlXYXcKxxWKSOrDUGld40zvDzsmMBOAexWoijDN - tBxJteEnSbTd+s93MDfuM+axeNR5Ak4+f/pEoLho5xjjn8f/fdlebA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVdGV5ZU1ZSFNvaHpGRUFs - cWRkVWlMZUZrbDNLSlJJSUpZVkhKUHI3OVdnCk1pckRmbWJNMkdvOXZscE1sMFcw - QktRU0Foa2hNTU9tcUN0UmM0Y0h2TU0KLS0tIDY1c2lVb1Bnd1c0d1Y3NVMrYmVZ - UXJFb294d1Bqc3E0SUFjWmFqSjdka28K2cEgMCIxpzGe2Z1rgaWq+rWXKJvfsTi9 - PFWywF6/E+9Egwrh98FspQAzYP/7zl+N8gjR5Pa+Scx2D2iOizXWfg== - -----END AGE ENCRYPTED FILE----- - - recipient: 
age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKallmeUFQMmRvNFZRbnho - SVYzYit2TWFSRnV6dVNjUzlSQ0ZhTEJUNEhjCmFmaEsvMkpPQVZBN0FLVVp1dzgv - Ym56YzhwcWdkNlVSbHA4cnQ2T2VVeXMKLS0tIENqdXZCaFNrZVpFVUIrakpsY1ZP - QUxPS3lqcTBISnByTXVWcWdtZWYwNXMK8FRzmS0q2l6MWUu0YreaqEnKKW085j4s - f1oTHPpErwPLuh3hUciUPFe5Mbm3zSdjBsGyQtxPF6xLtw8dFaDYBA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaTXg2S2R2M2tHYmllUXFZ - NkZzcTdRaU5RM29RQkdEQnpNWXowZUFoR3hZCm1TclN2K0FoQktVTzg4YkkyRUhC - NXRybXE5Ym1XYjF3cG53RitvK3VTR1kKLS0tIGtkZXFLWmJiRG81M2RyYzdXZUEx - M2tqQVZaUmNVbm9YZys0NUNpSk4vN3cKpkL37l/i3VD6zhWHK/ROvcvmCBQfifuw - EFYI+F+BTjkoptqIVFCDbATRrqSfOqsYPmEg5lM0e3Oul+vT++e0/g== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-04-06T21:26:23Z" - mac: ENC[AES256_GCM,data:ITWKix2aNhXzzzZTvq2sBPXO3Phvr+lS83fSwEbH7FTowD7uScxqAF4PMJ+txAfIpmZiaD5vXIK98YU9HOWRFUoOiYxdwVwfOiX63mB0JKj5jLHHeIe6bMaWfudITlIL9an6YO/qyUww9OVXaxYEmwOJI4W+HnMLbYLf5lGboEo=,iv:i8dddSV2W9FifN+ktwGsaYRRnK4UJtrG7g6LpWPtgu4=,tag:acP4YvJarHLCZUJ3dCFuOQ==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/nixos/modules/nixos/services/bind/default.nix b/nixos/modules/nixos/services/bind/default.nix index 9befff8..90530a2 100644 --- a/nixos/modules/nixos/services/bind/default.nix +++ b/nixos/modules/nixos/services/bind/default.nix 
@@ -22,6 +22,16 @@ in # Restart dnscrypt when secret changes "system/networking/bind/trux.dev".restartUnits = [ "bind.service" ]; }; + sops.secrets = { + + # configure secret for forwarding rules + "system/networking/bind/natallan.com".sopsFile = ./secrets.sops.yaml; + "system/networking/bind/natallan.com".mode = "0444"; # This is world-readable but theres nothing security related in the file + + # Restart dnscrypt when secret changes + "system/networking/bind/natallan.com".restartUnits = [ "bind.service" ]; + }; + networking.resolvconf.useLocalResolver = mkForce false; @@ -42,13 +52,13 @@ in options { listen-on port 5353 { any; }; + listen-on-v6 port 5353 { ::1; }; allow-query { cachenetworks; }; blackhole { badnetworks; }; forward first; forwarders { 10.8.10.1; }; directory "/run/named"; pid-file "/run/named/named.pid"; - listen-on port 5353 { any; }; recursion yes; dnssec-validation auto; @@ -89,6 +99,17 @@ in allow-query { any; }; }; + zone "natallan.com." { + type master; + file "${config.sops.secrets."system/networking/bind/natallan.com".path}"; + allow-transfer { + + }; + + allow-query { any; }; + + }; + ''; diff --git a/nixos/modules/nixos/services/bind/secrets.sops.yaml b/nixos/modules/nixos/services/bind/secrets.sops.yaml index 2da347b..0351428 100644 --- a/nixos/modules/nixos/services/bind/secrets.sops.yaml +++ b/nixos/modules/nixos/services/bind/secrets.sops.yaml 
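Review bot: `"system/networking/bind/natallan.com".mode = "0444";` makes the decrypted zone file world-readable on the host, and the comment argues that nothing in it is security-relevant; if that is true the file does not need to be a sops secret at all, and if it is kept in sops because something in it should stay private, 0444 undoes that protection. The usual shape is to keep the default mode and set `owner` to the account the bind daemon runs as (presumably `named` on NixOS — to be confirmed) so only the service can read it. Stylistically the new `sops.secrets = { ... }` block could be folded into the `sops.secrets` set that closes immediately above it instead of defining the same attribute twice in one attribute set; the `config` block that holds both starts outside this hunk.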
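Review bot: `allow-transfer { };` in the new `natallan.com.` zone relies on the reader knowing that an empty match list denies all transfers; `allow-transfer { none; };` states the intent and lets the blank lines inside the zone block go. The zone reads `file "${config.sops.secrets."system/networking/bind/natallan.com".path}"`, so the secret's mode and owner set earlier in this file must let the bind process read it; a short comment on the `file` line, e.g. `# path is the sops-managed zone file; keep its mode/owner in step with the secret definition above`, ties the two together. The enclosing `''` string and the `config` block begin outside this hunk.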
@@ -1,60 +1,70 @@ system: networking: bind: - trux.dev: ENC[ES256_GCM,dt: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,iv:b+V6/ImnEF+8TO/xmwu1jks9N8QFSPSRRnWbS8gy/8=,tg:WseBC+XsjhQdWjemtJGQ==,type:str] + trux.dev: ENC[AES256_GCM,data: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,iv:Za9EQYc9Zzhw28+gTV8BeZOphIrUpODvI71xboNQfv0=,tag:mcJ7+heEmmVl/CwnvQB45A==,type:str] + natallan.com: ENC[AES256_GCM,data:nc7QDUtsKlhfXaVc5gktDmvJGmLqAg69hzQZp1l411gvOO6yGrWzIuLJ52kAVKf1CH0Jfd7fzhDQhFRJ0nrnnHi9FHmLBYsAwvWP3wNzV5Fetly1DW6ozCUm6uSbcs46Gu2mxM0ozsIZnCwMO9p87cxAnZLL/jHKPsZ7ADHvDxYK6UsROhbkeCIfZ0dVf/1IH3FjkhfaEAAsZW+KYF8tynzKURHD0EJZWT4su43rf3pk9/fjyv2e1lxM3jx3KPrF1LJqwQhggmenJj9dhbRnxih2/Y5oF4lAmGqyUxJNTfn2yFd1DVaEElcl1DaXIiZ+HyDJH2rXAVE101VuUraJYe6wV1nzo0rziI2ZlTrs6qk2HDeiFmdEDbB5dahkLqDbttEjWJdxwVblDYrI2omKcFsXtQncpwczyZs+r3gSEJfG9PWV+eVzOzp+HLnmt68+mNIbtiSSAanDlvJJXw85XM853Nqxveru9Co4M2SpsM5FhWGK/f4A7tQLUFDUakcx175rYRTo5gpji4RUM47v0Gdd5qddw+/L0ruIXCKv0/f4IJ1seDwfsKlrRrMYSbG3oGbHB0bl/rNWTPlgDeLfR/nDCplsX+U+y5YsPcLLPAhlE9/7cS7CR7nwUWB/vgHVy6NoyiZin06l0Kz5Sh+onckdpYafhHKWqcazmPViMjslY0f6i76HGiZWdi79AqFFZ8nMgFfXqqyUMP4plU/jzn5Sb8mNixpSBtGTXPsAmkDxxpHxusVSAZOMR8MQF30gZ11di5epQbMK/VSkK9p+lHI=,iv:TMhgrwFes8a2tGrwi32emOXdAvGEGJV00cJ1Jl97OrI=,tag:KsTUPg0ykCFs685XOR9Peg==,type:str] sops: kms: [] gcp_kms: [] - zure_kv: [] - hc_vult: [] - ge: - - recipient: ge1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u + azure_kv: [] + hc_vault: [] + age: + - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u enc: | - -----BEGIN GE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBocGE4ZGUweDdp0ZFYUdY - cDVoOEJrUVdoZ1kyWk91zRNUxTN2JQYVJRCk9QemlMdHRhRGlPakFPYmNEaGV6 - nd6UVZrdWU3dWQ2SkRpS1c0MWhUMEEKLS0tIFE0eXI3Z3BkeG5ay9VRjdPaFgw - dVFrTCtSakxFY0hpRHZmQzNrWis3U3cKsxUYyjRk6Tb7nKAs1pALQJZb2QB9ope - c74VLxs/6hl3cLgkD5//20b4TQYpcGq/lbCkeFI5pyU5zKuFHbE0A== - -----END GE ENCRYPTED FILE----- - - recipient: 
ge17edew3hg3t5nte5g0505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBETG5pMVlDa2tDTFF5S2lQ + V1BFNUU2bjgyT256YjNoMnZ1OWwrc0xmS21BCjcvd0pmbDhBS0gyRXcwUWQvemdi + UVIzMDlwWXU3K29qNWRpU2cxbFFKZWMKLS0tIFlIYlhyNmVMZFBqMnRjOXdldVcy + NzFGVU43N2EvWVRpaWhzN0p6TzVVeUEKsvZbM38E9MG1jl7RXgK/QE4DPGqqchw7 + NyKu6TijJUwfw3No7vS+DVZHtILxy/sjtM48T++Txf25+d++J3YY/A== + -----END AGE ENCRYPTED FILE----- + - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c enc: | - -----BEGIN GE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmaFY4SE1BSWxkMEh3U3ZC - eGhNb3ExRXgvaHFUYVFyZ3iUSt2ZHRmeXhVCnlUUWdYQzJQUhOS28raFBOcSs2 - ZlZscnpzNnZIRXB1WHVXRVNJMlFPYjAKLS0tIDRlRGV0S2gwRVA0Wk2V2NLdnQ3 - NURGaHAreXNTeVJMY0xXUnFPMlcNmcKjSQDxUQMoREdEhyutDC3PXcVRgYXNLsE - IvVK+GkthAyPfgYkia/j+tIZIHwI3aXshb9vMkf+4Rl4S4nayPHKw== - -----END GE ENCRYPTED FILE----- - - recipient: ge1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0V2RKdXpOb2cvYXFyUmtl + UFpEeWZFaVVuZEt5QmxFUCsvRHVpdFVWOEJBCnZ5Nk13dzNiWHFmQytGU2lpaUlH + a0lYSXArZ3lUeGJWeXVKY05zRTc1aGsKLS0tIDYvNHAxR0lHbTg1Zm9XaXJoSGR1 + UGsvc0xIU0NUcGhUZmVpN01oTStDUXcKVlKnlqXpB04Ex015ZynOqJUJ3sEiHE8h + tN+svpAdCfUgDVpUr8ynPWvW6kfeOh1RtW6Rr1Nl42WeGNsMdk8iNA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk enc: | - -----BEGIN GE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOS3UEIxZVZuY0NheHl6NDJT - XBjSjZsMUVNNy9nTmwzMWZXdlk1UXFvQlFJCmJrRjcyU1JieitBSDVyTlJZZTZ4 - ZlA2empwU0tPcjhPcDN5enlkc3BQeTKLS0tIDBhRVh3bXl1QTFTL2UweS9GNmxL - SnZWSzJRQXZkN1ByaGpwaTBjL29yQWK9GbYzpqKM52UDqvlBx3JXbkpoRkLt3e - WN2gmSAqkQr9c8KMHqjjW61O1MqIAeKY3X/PHiu2cU0Uc+kfv0MEA== - -----END GE ENCRYPTED FILE----- - - recipient: ge1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkggc + -----BEGIN AGE ENCRYPTED FILE----- 
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxNlZ5ZTgyTkZKUXVqMlBy + ajUxSEtWTEZLM3BvbHR5YnhzZVBxN1dLL0hBCjdDQnM4WnFzQU5TbUU4cURnbEdX + dFhUSlBQNnVyWG9zazIyTk90YlBtbEEKLS0tIEJsOVFqVU96OVptbXBTT21HcEpy + Mm1HN2ZtUzl6TnAza08zUG0zVTN4alUKhjafzCDCJw9ZScEBQ+W7ZDdUlT67l0b5 + dTtSI1YMm8Q9EyxOA4ZH7UYe1b0h2+v2z2bv1J/CUTuzP+N3ksMmYg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc enc: | - -----BEGIN GE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvdStRbG5YdGplRkVuUXZn - ZFp4Mkh5dnB1GFQ3NrS0xxZHNDUVhem5FCmZNTEVhNmlSYmNDVWp3K1oxT0Ix - eDZzZlNSM3hrNlFKd0plUll4QnJucGcKLS0tIEVKdzJUSlQR1ZyZjNVSjc0N0hT - QzNIaGVMUnhUR1kxN0FmZzdXN1daaEkKTOflqGPdSzNYRZeltDbkrZ6r++9GAdcL - UVV/9mnky4ZGOXkjykPQB6yvHy+g5qhhENre13NlBJNo3XlyFSEoQ== - -----END GE ENCRYPTED FILE----- - - recipient: ge1j2r8mypw44uvqhfs53424h6fu2rkr5m7sl7rl3zn3xzv9m3dcqp97gw + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMdDFubmJTQjRSeW5YNmk3 + akN5U1N6T3U5cm5VVkFtcVB5Rkp6NzZQQlNzClBpZlRpTG9MVzU0dElUOUI3MTVR + eGdLNjVPTS9QbkNvYnhYWmRvV1RhM1EKLS0tIFNGK04zL3J4TUdmZ3VmOW5qQ3hw + QndpUStZUFlBZ3RsZ2V2V3pPQzIwbEUKDtTBG7tMnxwaDvdPGvpw1RNOJwLDL7x8 + tOY1B3YQbS6Hj43c30NeeGYvFju676h94x+08ePSO4+ihdNMM387gQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw enc: | - -----BEGIN GE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSTNGR5K2grVTdUTGpwOFdm - YmpMMXB2WGNXUzkyK1JDeVFHc1ZhWnN3b0NzCisyd0p5YmlhcFVPVloc3dwbnNJ - b1lEY3FWOGl3aldWazV3Y09DbzlbUUKLS0tIFdmZ05TLyt3c0g3ZXNmdkZLVHV4 - M3lDZW9tUlR2T2NSclh4R3dNSnBoTDQK+53REvxwR6hu+K79TrdyPzyg9Gptt/Sr - 309zukSR7TLPRM7Hf0dj3VfFqBjJlFmPj7c2dyZ0tNGVhEbRQ== - -----END GE ENCRYPTED FILE----- - lstmodified: "2024-04-08T01:58:59Z" - mc: 
ENC[ES256_GCM,dt:9/Q43NdE9eP15Z0f4jYOjz5H0nTNrIec1CM0kIzteJg7t9xNTVw6SyKom/tquni+GEr3xEJKVrB/LHPXaiLqG1pK0PrPZR+D0WlAq5hJHAyhgOdQFwyL3mrM0ZZAWo3Bk7VJMsIhjA8WSxi3TfttH8xpHiiyhuebC5a9oo=,iv:L5EObYh8rkQUq8275EFZ35afVmjUeekHyTytm+s0Gt=,tg:lj8BxGoh0vWVQHI9ewsqzA==,type:str] + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjZzJrVXZ0bFE0YndVRDhr + WncwTjJ5dHhDVlJXQVpXbEI3QWtZNkZiS0ZzCm5FblhIR0NPZU96R2I4R2V2aCsv + SUUxY3greVB5TDJzemRGbkdQdEtZRWcKLS0tIEkrQzRrcGJqOUt1WU1YMGFRTmor + Njg3a2xNdEhEbjBKRFFqWUV3MGNkcmcKM+aSG/4FLuM/XsrwGyNYMk3dKr+CJO4z + yc0x4LzIGpN1MAMV4YBzKleL6nbv5LZbk17uaGdEe9VSJIM+GIhBLg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1se7am4c5dh35aulf5zt38ymf600hz8gah4eudr9ml4fmr8h2eqxszuel73 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPeWlJeFdlRW5NbFBka0Zt + ZWpiZGkxaTlaYW9jWFVSYWUrSTZvK1pyRWd3CnM3OEpFOGtYZWpoa2JibGxGODZS + SVI0cWdZaHpKVjBLemF3eENFUTYvNHcKLS0tIFFQNXZwOFQ1KzBMOUxuUUpkT2t0 + a01TckpGaUFQTWYxN1dlY0MyeEVrcmsKsbvBgFCgyB1IsUQBdg2z2RK1Pqhp4+2G + PiYoxl01WOqjR7tR4pyyMwadOGxK7NUJGykYinwdap/DqAGbdKyebg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-10T07:58:45Z" + mac: ENC[AES256_GCM,data:OcJWd7icGYtZfLZGezGRGvYRfdLWBpgYeUQDBV+wsVwYpFEaXsuuISkj1UeAwSwZsyd3dHbjf23ynkAZqlvd+ThH84bVzwg6U79Jc9ut+QPI7jRE+Us/wz1k3h/jqld34lHT9wPmsyHvy2u066BNonXbZoP2/7vJAlwdqcZU6rU=,iv:jW47SHCpYz6dBGu/MkdKn2xDZo7NC/2HnhWYaqiQO18=,tag:VUTINSn8tsYLp9ARQLXj1A==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/nixos/modules/nixos/services/bind/zone b/nixos/modules/nixos/services/bind/zone deleted file mode 100644 index e69de29..0000000 diff --git a/nixos/modules/nixos/services/cloudflare-dyndns/cloudflare-dyndns.sops.yaml b/nixos/modules/nixos/services/cloudflare-dyndns/cloudflare-dyndns.sops.yaml index 9c1004b..b0d6616 100644 --- a/nixos/modules/nixos/services/cloudflare-dyndns/cloudflare-dyndns.sops.yaml 
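Review bot: The new recipient `age1se7am4c5dh35aulf5zt38ymf600hz8gah4eudr9ml4fmr8h2eqxszuel73` is added to every secrets file in this commit (this one plus the cloudflare-dyndns, dnscrypt-proxy2, maddy and traefik files below), so the new host's key can decrypt secrets it has no service for, including the Cloudflare API token and the maddy environment file. If that host (presumably helios, per the commit title) runs only a subset of the services, a `path_regex` creation rule per module directory in `.sops.yaml` would add its key only to the files it actually needs. The old side of this file has every `a` stripped from the sops metadata (`ES256_GCM`, `dt:`, `ge1…`, `lstmodified`), so the previous file could not have been decrypted at all; it is worth confirming that the re-encrypted `trux.dev` zone matches what bind was serving before this change.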
+++ b/nixos/modules/nixos/services/cloudflare-dyndns/cloudflare-dyndns.sops.yaml @@ -1,8 +1,8 @@ system: networking: - #ENC[AES256_GCM,data:TDvdPPvdl3DrEj5qW67F43J++D7V3YzfO6YL3g9P5vGMnC0IZAqETl1YbczJZflq9+RHooTcMbT3kIw/PC7xcC7bxQd0gV6Gk21iUw==,iv:Vy6/Vw5xX5gWttooacsDf5/dDVPW3VKjnpmKGFy+RhA=,tag:/Mitoy6mvym5/xY4dom4QA==,type:comment] + #ENC[AES256_GCM,data:qhveeLaM/v48No/13sSjYbqdrdNlAv8fF9ZaQeTIgO3XKjvCbu3RNMmWLzR8tFKrIBn8EAmAN53LG9CIVd7QdXY3J68sHeOHKb9fNw==,iv:D6BSMXhIeBSftqmtlPACN121knQaVLKUYedmKyyA1CY=,tag:XcvdgpMB/72yzgquR9ORkA==,type:comment] cloudflare-dyndns: - apiTokenFile: ENC[AES256_GCM,data:q2KbAnezy/pZ80NzrDnkYJqmPpdws+DJR4wSWuZ78yOw53SP7Gec92JO4gQHZfrQNX0W5u8Df0RLc0uiXNnTia17MzWyFpRYiBtZ+jFdwUlqWn1ZzT6whIG8vHKNFEuZxDYy9IhAamtLZrpsmt0JYs6yog==,iv:53k9hR0GxErCk+HjtIaysaZhNt1cYOZbjwvhqKpbatc=,tag:hABkc/jzHErnlpQzkPeavw==,type:str] + apiTokenFile: ENC[AES256_GCM,data:PhKfudZaWKI5xPBAk3jMYB2HRieEzjLoDw4cctCYxJshjXVkNfpybkZeNs6rFasXI3KBjZHcP5yC6KA1xDFKZqTqQvhoJGpQqpAQUy2MMgUCblG4MYoz+mHiBiEWKZWZhxikRAODAYeeeuVO70cdZiKLQQ==,iv:AY0vYBSl8Slzms7HLgUz4MrPHk0i6Y9wwRemgyDBsrg=,tag:sBxerSCfqWB2hZ9+WjBjgQ==,type:str] sops: kms: [] gcp_kms: [] 
@@ -12,50 +12,59 @@ sops: - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtcCs0ZGRIaXhUY2kwU2VH - Wm9GRXVvM0oySU43UkROUW1MNHlTY3BoN0VRCmNJUjcxbVpTNmxoaXNWckhNMkFP - bWR0eGNUVUkwVHBZcVp1Z2Q5OGYwUmcKLS0tIEc4bFp3cXBmR3ZKbEtnTldZeU52 - TS9aQnp4cUxBRkZmQmVTSk92T3dkUFEKRGWQaqeL++nglVzX1RbbfdhhCMsKB64c - EsBkSk/dufQ+VjRFqPOW76SrgIHxR5EbmH4V1R42OBOxEJmwqczRiQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTYys4SllQRGF0Q09HdzUw + a0k0YTZTOVRkSFZaK2xZeWpjNDIydVZsNURnCm1pU2lzSzR4bXJqQ04rQkFrdU1y + YmUrTHFlWFdWbEN2TVo4RlRCaUFSK1EKLS0tIFNXUFgrSnNMbVA4ZVo4TWE3WS9p + UUVHZmpzQ1dGbmVnK2tXQlV3ZXNoWVEKWz8ryyNlZ190FSE/E06IazAdnYer5hgN + YgC4Sa4EBXoMpe4UEsyHNknNY+NpJSYq/mAkkJiYxKA4zFW61o+JzQ== -----END AGE ENCRYPTED FILE----- - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzRGZNZFp4UjZHV3UxZHFP - Wk5vc2NMOEpndkV2aUpicTV6Y1M2aE93N0NVCjQyVVpBSjRWdWFzV2ovcHhPQ3R4 - bnpxc2habWE2cHFUOE81b2t5cGJHK0EKLS0tIHVtQUVuMFM2RnNBUnMvK3c4eWpO - VnltK3pzcUxHRDRPS1VZWlJ2eHd1RTgKl440Bo+xdkcKUDUl6v3OoaJKd+EYkpMh - gqGyQeIYDoNA2QC4ekCaCv4RMhkjT1CPIxDZV2KfM87+iB2jJK/G0Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoejNQSzdyUkFhSWlrVG9S + N1RpNkJQUUwrMWhKK05TWWFwbmlUUnpicUNBCi9nR2N0cWZROHBjWXhKdVFXRGxv + WWQycHBsZEF4QnNFRGE2YWpKbUxFSGMKLS0tIDQySU00TVF1UkZXdHpKZUM0dS90 + Zmx6aHlxYS9TKzZWb2dUZG54OFlVWmsK6dQcFoFQVZA4oR7rJtfxLOA/hCiBUJZJ + FqmNsr7ek/iuKfE/s7ZlL0bpHAIKdpCgpxcdW22PDkHJcl7hDTDypw== -----END AGE ENCRYPTED FILE----- - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3ODJXaEZydXltNHZTTnhu - ZjNIbXA2S0dYb2NRSUhKUlBYUVlnMUtZWVJZCjg5eVQ1WHM4VEhBcGRSZ1VJWmRU - cEd1V3BkK1NkRDN5MUpoU2tGZ2dscFUKLS0tIHNmcUdwdEsweEJwekZQSXF3dXgr - 
SkVnWXdCREdlRVRLdEdlVzdzeDFxelEKqaPpTuDxh/v9vj3nc6VCB6CgCD0rrqIA - st3JxRm0DFfjrqqA1urwVvlsMW05QmP8rZTlb3+Uar67Fj7V9niEpg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBicjZUOGRpb3ozRFZRZ1F6 + eWxZc3NIY3VOMFp0clhsb29OWFU2UzF2ZUY0Cm0vdDIyZ05rQkd4NTR2Q3pEMlVv + ZVV3YVg3bmkyYmdrU3NaY1JGQm1STWMKLS0tIDNYRmZVUm1JR0xjd2c0SGlKK21D + VUNJR01URUV0K3R5QzY1dUd5b0tuaGMKmgJGFCVvV4DmQ5Kqf/jViWt3YnCSzeOi + RiIpMva+BW5h/7L/6i1WGpwt9yuel1eYr+3lQmjef/POpsTrk5etsw== -----END AGE ENCRYPTED FILE----- - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4bGpJcTdwMDhjSnVzVUov - NzluNFJIbnhxQ3dlSXdocldPVkVISVNtejJJCnZjUW4rMXo5RDFWak92ZW9LSVM2 - akgvT1Q0dnJmd0l6V0JRZUE2Wi9ZY28KLS0tIGo1T3p3YzBvK0s0M3djWFIzNFE1 - aUlHcWZVV2hQYldDZm1heDNtYUptZGcKaf9F8FQQiliNQzZnuFZ2doolfJ/R/NbZ - yExXrqhg2kCQSY0bPoUZKBIrdFRQ2SVJfBn5YThz2XiK7ayBm3wt0w== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJcFRKVjFDcnFvV0VJOHJH + YnVEam0zdmtjakR1SlR5V3pBV1pucmNZY3hZCmpXRlNjU2xZVFNSVjJWRlFPZE8x + YmxJb0J2d1ppcGlrR2NBaWFwM2NCS0EKLS0tIGpmbkdaWkZBczRzRXlqUFowd2l2 + UDB4a1JnZDdXcXgybTdIeURnYmFIQzQKGV7Uze0yGx74lYaSe850I+s3rB+h0ezA + DqH5SRjtZpmYpJZDppFkIEXcAN2q2At/U9fS1LJdOopYJrSbef8LSg== -----END AGE ENCRYPTED FILE----- - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0S0pVcFlSNVZJSzdHU296 - RUxmYXZjQW1jRFE5YmhncldUWDFzeng4eFZZClo4MnZqaEdBdXBiUDVQYk1nTTJK - bTF6Qy9hbGFZT2g3TFdQREVsVSt6Z0UKLS0tIHNHMThrMTMrSXhDd1dCekxZS3Ro - cUhrVWFuVE5QTitrbXNDVzk4TmFaNGMKtxL2Nh2R8RxK6Cme/GEr8ebJUNr+wJYO - S8UhoOG07m59GIgyce+IdGKD6rl9Y2LeGDwhnOq+7L8H5l5X+8xqbQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2aHdtajRQeXhEK1JRcWVv + SFlBYXB4bkdqbzl6Q0lHS1hJQ0x3dG5mOEQwCnBKZnhLbDFIOTNJSHpkalNVOXdm + Ym1DUDU1bWtoSlVEWGFieGxPeTNrMFEKLS0tIENaa0NYVDV1R3VTdUc0b3VXSlhM + 
T3dKVWJhUlZKOG9PNUNTTGE0aU9nd28KPXDHnFPYZkxRadqYyHGQAdWJy4sH4LYz + KS5wKZZcK+kyPkQVf3QmB0A+YJc439CFc+t8zZihR1OZeSidCIUwLw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-04-08T01:59:28Z" - mac: ENC[AES256_GCM,data:Cd8D58YH+/c2S+ViYnHR+eoEIQ8y8SKPuuUo4dvS78KJeuO33rADlghm9TiPLHH+JaPF52Yle0vsT6EWUJfOy+sE4Q4Esxohnj0mOBc3WM56tK4HMBpl5jDdplstkKzCtGtL8ztdjIB8g6+hcmFvXeHftKP9hPBRBc2yCmAxofM=,iv:C8oR1UW1z9HbbcjjksMyeepxngzVdizogKUVjZkN0ko=,tag:+fXA8NztLKL62NJIp+JJcg==,type:str] + - recipient: age1se7am4c5dh35aulf5zt38ymf600hz8gah4eudr9ml4fmr8h2eqxszuel73 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3dXNmTWxJeWN6azdzU2t1 + TkRzazRCaEYxSTRTakozVFY4THorZW85Qm04CnBEYXRHbFkxck1keU9zOEtuakVz + Rzd3RWN3UzJRMU9HRlR1aCtqdzN6MXMKLS0tIDArMzNpNmRVUElhdXdrSVBVQ3dO + OUw2dnVzYnJKVjA1cUNxckkrNk0rbWMKEQ9HmXY6BOIlj8nuV4jOxJ091PNkcyaS + kW0onE22VurJQH45vVXc5uvVajwVCtNnHK9VwzvneQBOsXu3UB6RpQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-10T07:18:45Z" + mac: ENC[AES256_GCM,data:IGomSlCiHulZQ9ZkCpQ3dg4E6D4AXHjNwBBYubGCUIfPNU4lMn0pP0scdfXxOXvjX8dYpyDVZDaflIrSVFa9GFzI6ufqU9wziSfAuRBjEiQgrg/zJY8vwHAbladoKsLDRlChh8Yu3K82HBfAoRRKGsNCfY2OhkQCf7pyrubhMY4=,iv:TbW+JvoJz1gC2ElsU6LxQj4ctCUja6TySggGfleGSbU=,tag:XRgiDkOJFPvEw39UDl01EA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/nixos/modules/nixos/services/default.nix b/nixos/modules/nixos/services/default.nix index 2d6efc9..69578ac 100644 --- a/nixos/modules/nixos/services/default.nix +++ b/nixos/modules/nixos/services/default.nix @@ -11,7 +11,6 @@ ./nfs ./nix-serve ./bind - ./arr - ./homepage + ]; } diff --git a/nixos/modules/nixos/services/dnscrypt-proxy2/dnscrypt-proxy2.sops.yaml b/nixos/modules/nixos/services/dnscrypt-proxy2/dnscrypt-proxy2.sops.yaml index 2dbb8d5..f7628e6 100644 --- a/nixos/modules/nixos/services/dnscrypt-proxy2/dnscrypt-proxy2.sops.yaml +++ b/nixos/modules/nixos/services/dnscrypt-proxy2/dnscrypt-proxy2.sops.yaml 
@@ -1,7 +1,7 @@ system: networking: dnscrypt-proxy2: - forwarding-rules: ENC[AES256_GCM,data:P5GAwlcuUI2hXcJBzAPSQBviqi8z0ccz29sv1bsSx7lkD9isTaurylD07v3tlXFN,iv:lPIbdMpUMzyhnkakw4FSxvHolyNXMVuciwKK7jz9MMY=,tag:0pKhfclkbWbPBJ6/vs5a3w==,type:str] + forwarding-rules: ENC[AES256_GCM,data:eGLh6dckR9E13wympTA2faMf6ChW6L2lM0zO/Ea9cIwTndtsbRU3dKh280vkdg==,iv:SS3cj+JkT64pn9anJBPtVHT2cQ5Ag2VLPpLFM1LkGS8=,tag:V/HyhSW/HDXp9LfOSjM4JA==,type:str] sops: kms: [] gcp_kms: [] 
@@ -11,50 +11,59 @@ sops: - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiU2V4cmpHZ0hhRUlDNTU4 - c0FGTGxCTzNTTUJxN2lkZmZQUVlCRFVxZld3ClU2TmpxcHFvR0lZeVUxZ0x1YmFC - bFZ4QlQvajNxYTByenlDVXNJb0dGNEEKLS0tIFQvaUhCYnE4MWc1bFZtSlB6cDFq - aTJyS2RGWFJTNEd3Rlo3dVN6UjhlUVEKZvaWNTcKkSzLDsQ99S3/d9eQ350QM+e0 - R19K1QHuljx3vKV+LhnJ+fCUL5bnIhvDCFVnWBWGirVzJNp4iwfuWw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1U1ZEaFZ5K21LMVVCU01l + UHYwUVZoMVM5bFZ3d3JXRjA5YUZDajZIbWhZCjRGRitzU1pvc3d3LzNWaXN1NFJE + M0RhQVBQVWxoZ2R6bEdHRVFwcDBid0EKLS0tIHJtaVVvd3NCbFFqOTVZY2o2cHNQ + aEdiNXZoc3ZiUzFyT0lPV2F1R2JLR1kKMFHEXnH/3qgwtJ8koKMCmSMi4IwtwxW4 + 5kFFGaxQ47CejOJzNnrsOyDCKJtv8+3arzwlhuZSG2558trcvugCaw== -----END AGE ENCRYPTED FILE----- - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnbnR4T1d4M3pKdExGYUZZ - Y0R4WVNLZnZJTmhqVW4vSzJwZjkxdk92N3lNCk9iWmJNZHVZVDFINEErRi9JZjBZ - MDEyM1Q3cGZDWkUyZEZhaVo3K2FpUjgKLS0tIEhHR0dTak43T3pDcUtvYk02aFZZ - M2w2RDV4UmY1Zll5WjdxSWIxZVhVMUUKAvOmavnidng3QxxHaVqQKwq9TMgbusOE - SnBx1ShiX0m7ZBLHPzcHuwzEOxYRvpKuV1tVDVbROPfaOYusgIMa+A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHUmlHNnNrd0E5cFQ4ZTl4 + ZXJmRGtScW5Nc3M5SHlqbkIxbWlTb2YzSFIwCmZ3a2llTHlITnBwMjc1UDlhRFNn + TkRpK0dKSWROTWsybWNGeGpBZWZiK1EKLS0tICtHYmNMV2RaY2llOEJpeDNqV1FT + ejh2bTlVVE9QUXNRR3pLN1NCM0VVNUEKdesWjss0MoH6SABH1ZLT1fauZVOJyO8U + 9mqP/WsE727MhwsodZAnccQ906mm8IGK0LtCUxUhlJGZl+Vw5n4eqg== -----END AGE ENCRYPTED FILE----- - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRaWV0VGZFc0toUXJURURF - eDRKMGV6UktYWVRUcFJKVTdiQ3h6LzhlV2tRCjVMZkFqWGZCV1Q5OFBkOW1lWnFj - NGFMVXBNbVF4azlUV3dLZFB3aHdnZk0KLS0tIEFObC9ING4wRUtwZXhOS2VRcnR3 - 
NnkrVjdGcFE0cGtEY0Vub3Z5R09zVWcKEjgqoO+4n02mwa8idy1FdASqoCkB4Ooe - j04tUVa0xufui6gITvO9DBgXbSdni5wbtabZNJ13S3dgWVY4CiDuYw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmNEJwR1ljN1ZwMWt2c3NW + QmlPNUNvYTh3QmQzSkJKa3EzMlN5VjZwS2tzClFrQzFYdHN5eXNZOUVWeFZIMkll + YzRUcDkvWTVoTHJwSW11dTZJTVZtd2sKLS0tIGRUdGJ0SWJ6RDBjL25qenBWMXQ5 + Q1pUTlIxSFRiQ0JQb3VzdzBIQTd1RTQKis/oM+GK1zWRlSePma3dAsfOAI7d0HLB + RByMVCfQhVcwalWFg5kdSguUkpTX9FFkYKELDMluSyec3APRA6w1UA== -----END AGE ENCRYPTED FILE----- - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6aC9hTTB1enJYcUpiUHZS - eENnaEhPL3JIeGp5QmczQ1pSMTRmejZ1L0FNCldzM2FFSm9NaTNGTHVmNTJwVW9F - YXIrSGFsWG05U0NXdWg2VUQ1NDVyYWsKLS0tIFQxd2hpMXJRWXhJclFzQjVzZWFI - VHdoVHJnNit3OE5mU2YvTjYxSmxkcXcKBips96WiE/NI7GWZVUOzdJSTIyoG4U4R - haVYaHJJ1xW/E7WqJKn/E+wiMHFNcQJFOi6/JkWGLCkEE5tDLSDibw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1Y21VVmUyaS9DUkNTM0N5 + S1kxdGR3MDBRM1kxcHc1UWRxSnhzY2h3L0FZCjY4S24vQS83Z2V6aGRVV0UwSUpY + ZG1mYzF0MXVUOC9HNXNFRzRZb3VwQ2cKLS0tIEdUSy8zSHNrN0s1SUt3anE4eGwr + VzM4eExndDIyeVdRVFIza25xcVlJd28KSsMwl6kWUiA/1euqHhuicwrhApVBs/zb + lf5ez4x8FDiZKY+fyhJRSrZnW607d48OegIjZrslJLSU2EBqt+ZHXg== -----END AGE ENCRYPTED FILE----- - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVY0pEaVR5NWMzR29YQUFY - R1p2ZFdEaVN1NXYzMW9oR3V2aXJxdDR2QlFvCmxsVDBCQUZnRllvY3NEMm1DQXpj - aDRCZjlnM0xZaVpTVlpXd08wU1VIR3cKLS0tIHo5TGNmMXZHSXpYQW5ITHpwTWJE - a1hDZXkxSG9FR0laYW9nZXFnN0NyUUUKa9dtMzPzZqWi1Z6gBxOh355Om8865AT5 - j0SjD1Zl00RvaC6mZQrhOB6Aq+eYHe3w29jkmkAGvIHXH8p1fNt8Hg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCWG9HNSswN3RiYk9KcW5S + dGNpWXcvZXNsVmR2dmtOZjRTL09DVmw4ekVzCmhwZVh5M0hHMW9VM0tDZnp6bUVO + TFdyeVVqaldqdlk2Uk1vbCtMbXlZSkkKLS0tIE4vWGhaOUZZbWRlZkRtWXJkOXMv + 
TCtaeERmVWpXNlFLS2pTNVZVK1Y3NFEKV5keoMVWpjC6H9enpcNwOb1kraWlKAJD + E9qoFk70o4LOJbp+WauuNw8I6/WIxgKxUr4xN4Uj/WN+/IG3NtssZw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-04-06T05:12:13Z" - mac: ENC[AES256_GCM,data:JVJ58TeYh66P6PuhSeCAZpXS5tu4H33rG5GZcJYorhT8Bldn72CTo9AhyhNzVHhfK1fIPI6VLyQM5rBUxBQVHWufx8hnYDrhBQdR9d3po8KKnyfpNgYS0rhifYyon5GUl4BW89RaD45+ZbrE1kIsqCYwwim/bcVYqXuRh1CGYeA=,iv:lRU08rccGMH5ykhSE8bREkog4ftXUporCj+YMsOmUN8=,tag:tIekpP6QIp1Ce2s4a2qO8Q==,type:str] + - recipient: age1se7am4c5dh35aulf5zt38ymf600hz8gah4eudr9ml4fmr8h2eqxszuel73 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3K05kM2M4NU9vRTVGQWpO + SWRWckhyTmxaTSttNHRFbVJyZkF6ZldzVkRRCklIekxYZW8wNWtlOER6d24yM1NE + R1U0WExrbU5QbEhoZXp4c0xLT3ZuNFEKLS0tIGZrN1JiR1RRajB2MEhYb3FMZlcr + MXhHSlRORktTMlZKenpKOUpQeWd2ZDQKluaK9G++4UbKZZ+eesZd+7j+uZ3VEsOm + FPEUQJnnxNCou2t2CoDNwm9u4xyQJXBW2Au6ucJx9noLpjvuB/NZUw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-10T07:18:45Z" + mac: ENC[AES256_GCM,data:rOSRK5QlwvURaliwEeowRNJfQRnvj0cuu6TPvmtSpcX4BBuqZ9zItmXm6aGPVAJaRgEznRVjdA9yLRDU8p/bwZckeyaR0Z5Sf7N9e9Gq9NaX1goT190wIADy1pHnCbf2nroNao38M8AH+REwJ21yWLAfSf26i6YTJgQFgmypEFQ=,iv:7pyXsGJmWgU9l4jSzPqYNgzNzvIjDT2jy238QE6UghU=,tag:dq5mNG0Qr0380vfhDGWjsg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/nixos/modules/nixos/services/maddy/maddy.sops.yaml b/nixos/modules/nixos/services/maddy/maddy.sops.yaml index 87464a3..0738b5e 100644 --- a/nixos/modules/nixos/services/maddy/maddy.sops.yaml +++ b/nixos/modules/nixos/services/maddy/maddy.sops.yaml 
@@ -1,7 +1,7 @@ system: mail: maddy: - envFile: ENC[AES256_GCM,data:9WbOJfLkcobfnZJBOVqMaw8UNCH7kwXz5Cle5PHEUSLMAtrUKXTEmjkD+nYZK1sdf0fueGxNTxS20f+W+rRBRDMGT3VpJtdFAizt3vprkV/n4y5X/qHtu4y9WmnkfjHfHsJyt2h3DkmD/IV5p21VU3dc+rFGeiFza9jar2WhlrDLRAA=,iv:3Cw9JBiHlmFq2oMHyUQn88fxHifimdOjn69EcRnP1Zg=,tag:I+1hs8C8WbEr+w6aye1Kxw==,type:str] + envFile: ENC[AES256_GCM,data:g2KPadrCaW/TWvoRc+AbhdJbSgG2FcL+h1k+0FCgzHkQ4dFhIBunFIw0jdPvV8Xou+/gLw7Mogkgg/MMzJzsvUHkosK1TotH8TaKxtJ0VsH0SlDWrOhFUMrt1474/O3iLkS5YK2U9+3r9HIJ2SqnSy6Kp9IZWrh7ttbWvOth5pdfR0g=,iv:rzpBXGhCWzRMkLNhgQaT42exCKfMTJlcSFRFsDz6Jns=,tag:KPypsSSuxgBvf7LAMdudRA==,type:str] sops: kms: [] gcp_kms: [] 
@@ -11,50 +11,59 @@ sops: - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4Ri81REp4T2xXZGNZWTRj - UmR0ZmlweTQzaGhkTExBWVg2bjhvVXhIQVFRCjM3STlpekJEaU9VM1cvQ2dTa25Q - SmhxMW9ENGxRdzdpTS9VZUJQQUx6cEkKLS0tIHV3NDBHbFBuRnM0OFQ3WDd6Tmor - dEVUeW00SUdGQTFZSXpiZlkwWCt4SVkKabNchXZ58+lR1EvuOS8131g1OuhlJOiX - Co11IqKudC80CM5KKlAmYcgzQNQvHJ+mDJHUG4Da7Q1aSBvu7nO/4w== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5c1FCWWlsTzg0NHdKOHEw + SENVRzlKL21DWFZ5SlV0ZDVNSmgxSEV2K0M0CmVlSjR5OW45VVp4Sm1LV2J0bTYv + SWl2cWEwTzBXZG9FdGkrVnFDQnIzcTAKLS0tIEJnendjTmRGZis0eEI4MHJtNkpY + aUpEeW1xWTI2RVJza09DU2lhdzcwWlUKdZjovENidw2gsdhrwd2CfBVW8Sghx2x9 + oZCM5u6089go+wQuhyURhyG8ZFSwAylA65VPTH9mm9hpV7AMSbS6Bw== -----END AGE ENCRYPTED FILE----- - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqTlZJNHpvcXorR29iWW83 - REVMUXBXSENia0ovcldKS2dxUGdyYTJ0akZZCjAxS1RyeTZ4SStyeWdoOVlRT1NF - UE8wMFZwRGhIUkxKTVd4ZHdmeTArMlUKLS0tICtBdk8xd01zT2pNdjE5d292bjJu - NENlVVV1SWpWWDJ0R3BDR08yUjdISWsKl/57RicdIvCDEfa2tgfJgWG+H0Iokx0T - 5fOtsbLFx79pHGiuOaUMBXL9LuEAcoIpTJrK8XrythIIfPQNST0P+w== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqOUs0ejBMN0YyVjR4Q3cz + YnhLZ1d5Sk1tbnRMWmZlR01zY0owaWlaeEMwCjlKZ09pSjdob1NKL2FuRzlXTkdq + a0c4YjhGZytHTERvaWg2bEZCQjNiL0EKLS0tIGttdDE4VG0xYUEzc0pOM25ZVXBi + ZnZ6TzBjeXdGSnVsTktGN0k3WkJsOWsKg6vWDZA9fScS2Vw5Iz+jt9TcUMK/K8/G + /Y+SYNoRP90Iov6idl4LJugsRRjY3X+AjAy+ThHEzanIFMOUSkdQ+g== -----END AGE ENCRYPTED FILE----- - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1ME53U3RUb3pKdDNhTm5o - eWRDWDZGVGJPVWIvSnpQUkRRcXdVclppMFFzCjF4YVpRS1dCYk1VQi9FYmJuc2VI - YUJrNWRTaE5UWm9OWVJ2UzJDaE9jVjAKLS0tIE0zWmFmSlhGN241QVJoUWpqTUpu - 
dmN6ZWs1THZ4bWViK2dJeTh2Q1dnQ2cKg7BQoyElsRF3Udx1aHLSK+dGVcyZUnLe - +4inhxJj07J0rfIhME5hY0FDf4z6uJ4VhmQOoDSL82FML5GGBrS79A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlUVNxQldIaXk2WU5hR2RF + R1Q2QnJIY1JLcDE4QWZjeHdBQlRHZE9BTHhnCkhZQkppWHIxR1N4MGFVWjNlbk11 + UldBMllITk1Tekl4MVY0MXpQT092cG8KLS0tIDRaYVdwT3VYRHJzVVlueW8xL3hQ + UGU5SGJVSU50OW1OS3hRRGNKSnI0WjgKR22yT/87dDaUnUn5p66Mp/sAkaFofHJ4 + k9tYGeZ0ASqRG0FMOZO6er41M6MzBt66jDxnkeJsa8ZW/qa4tx4MCA== -----END AGE ENCRYPTED FILE----- - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBNTE1ZjJlVzNSMm8zZzRZ - alNBaGFSOHRxWE9LdHI3azFienk1OTRnTURZCjU4enpTcHFlOXBzalZqbGFXQXB6 - c3FON0FsQStDOUtaQm1xNVBIWWdiMTAKLS0tICt5MVBDNGJGMVhBaWhRUW5LeWsw - VExYT3BiNThraEM2Y0EvdGFDUU9OZW8K8feLH4aFtQB+AypdriaS6HyX2T/Ziz/E - 7vROXS8BoU60RXcCcUE8v8HnrZ+eslWgR91Jw1Uvc0j1jqm5+A2yDw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKSU55S1B1QXl5UElqbHRX + WmVMcFNOZXVjVDhzeTRJVWJUV2JVeUhqc0RFCjJYT2wyem45Vlh1WkpTR3BsSnVt + T0VxbEExVGlySENJQXVSRmZXMDAzZnMKLS0tIFpLZHJQekdGRTZrYys2cXlVTmVv + RElIUFZURktLd2trcnRKVXArV0pkQUUKXwaXOUQWDqJhtgIKz0wwTIyh9bED87mm + E/0dYsbdMcpguk3FRT4g3mcuU2w4b57l/0pcGWui1QwHWsA3X/tkJA== -----END AGE ENCRYPTED FILE----- - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCUUFUQXBvVkN5aVB4cGhG - Q3Z0RFc1ajJCbEhWUWVKVCtRTGs5NVRDaDNZCmVXbldRbm5CT0tQZDhXei9IQ0E3 - YS8rTnNsQkVtU3NTWnNCUEx2U1grT2MKLS0tIEVlaFlieGVWQ3hnWWQzMElaeG4z - NWRYMDhnNURKUldQUzhhNXR4MC93OVEKrm6N5Nvr0ywLwzT24eTSlKotBuE2u+2O - 7EXddIRuKEg1Lc0DporbE1eXAehKSofp10pmzXfLlp6dF82asIro9Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2R0VlSGRuK2g2d0xUODFq + YVBCU0tqaG96Z1RhSWJ5KzAxcGtPeDc2UTNnClVtb0NnazJuZFhFdzhoVzY2cXcw + a3k0c0s5OVRPeFQzazcyTjVXVG4ySjgKLS0tIFVlSU1QUlRPSFcvcDVBNWo1b0cv + 
QS9jZWNuYlE4U3FhTmNWZFNvT3lzZkkKsQDEqNUUUcNXKvAip9a0SSEIVglgHrmI + qvfv8dGMxmh55RYJ6+jOypMhwD2HcIqBBUvSUIAW31K0k9SqmrNx8g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-04-08T01:59:36Z" - mac: ENC[AES256_GCM,data:GtTLqVnxurgGZNIXBNJ0P+huf24hwVOzabFJUZ+E8vBfV3sebV/V20K/rPKX84USpAh+7D59x8iVI5ZsBZEpAPXemYkDQk/6qfeGso514prPS8HqjQJxQ0NHqC7bv16/b5WltJEGjL+AkpJLJnWdBSzO7x7LgVMKtnpc+r3qm3Q=,iv:lbZ8OQS5MdSwj1Usag6UUR+4Yo51d2lglSknWH0UD5s=,tag:lZFGSPWrnJLIX5EqLTxYdw==,type:str] + - recipient: age1se7am4c5dh35aulf5zt38ymf600hz8gah4eudr9ml4fmr8h2eqxszuel73 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArZlhXY1ZReloxODlRWVdr + SFh5eDhWS0pGV0xYcGxicHhFZ0JxUkF4RkVRCmRhaGl0ZktiY3ZKSm1uTS9VWFFQ + Z2Q3V1lKNldHaVUxWC9rUS9scFB3UncKLS0tIGJ3NnZUNnhxWjRseTdGQW9oakhj + SkZnMHhDRENkSExNWkFKUU9XOTVQb0UKzCbZsDqSwbtHRkKH7oXOITHJ5LHU3pzp + 7pEsBGmhk8PyNHlaJlAWXunqBW+zD7tuhJgH+hSA/Wr46y2Hck5P1Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-10T07:18:45Z" + mac: ENC[AES256_GCM,data:5of7TtrBQXrreK6yxAZ4zddm0byWbAyvWmJSDQ1LC7GmIxJOWHeY0Mvy/oUqioz5HbEjQIt84ftQLpPeJHed3qfsqujV4lXWyb66R+lXw9JvkCx02KgM3Jli82etjv91EzPv1HolfSv6e6pQd6xjhpPQTGucp4Ombu4PvzU9Q3Y=,iv:JINmbJloNXcF503e6Iwvp8+zrjfXTmRBNXX8KPqIDo4=,tag:zo8IjbFb5zsNVi0sCfhNKw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/nixos/modules/nixos/services/podman/default.nix b/nixos/modules/nixos/services/podman/default.nix index af02a87..d3e54cb 100644 --- a/nixos/modules/nixos/services/podman/default.nix +++ b/nixos/modules/nixos/services/podman/default.nix @@ -35,12 +35,11 @@ in # extra user for containers users.users.kah = { - uid = 568; group = "kah"; - }; users.groups.kah = { }; + users.users.truxnell.extraGroups = [ "kah" ]; }; } diff --git a/nixos/modules/nixos/services/traefik/default.nix b/nixos/modules/nixos/services/traefik/default.nix index cc74f75..86da29e 100644 --- a/nixos/modules/nixos/services/traefik/default.nix 
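Review bot: Dropping `uid = 568;` from `users.users.kah` leaves the uid to per-host allocation, so container data already written under uid 568, and any storage shared between hosts, will no longer map to this user unless every host happens to allocate the same number; if the intent is only to let `truxnell` read those files, keep the fixed uid and add just the `extraGroups` line. The `users.users.kah` block and the module that encloses it start outside this hunk, so whether the account is still declared as a system user is not visible here. Note also that `users.users.truxnell.extraGroups = [ "kah" ];` is set from this service module and a second `extraGroups` entry for the same account is added in the traefik module further down; NixOS merges the lists, but hard-coding one admin account across service modules makes the grants hard to audit, and a single option listing administrative users consumed by both modules would keep them in one place.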
+++ b/nixos/modules/nixos/services/traefik/default.nix @@ -11,17 +11,34 @@ in { options.mySystem.services.traefik.enable = mkEnableOption "Traefik reverse proxy"; - # TODO add to homepage - # modules.homepage.infrastructure-services = [{ - # Traefik = { - # icon = "traefik.svg"; - # description = "Reverse proxy"; - # href = "https://traefik.dhupar.xyz:444"; - # }; - # }]; + config = mkIf cfg.enable { + lib.mySystem.mkTraefikLabels = options: ( + let + inherit (options) name; + subdomain = if builtins.hasAttr "subdomain" options then options.subdomain else options.name; + # created if port is specified + service = if builtins.hasAttr "service" options then options.service else options.name; + middleware = if builtins.hasAttr "middleware" options then options.middleware else "local-ip-only@file"; + in + { + "traefik.enable" = "true"; + "traefik.http.routers.${name}.rule" = "Host(`${options.name}.${config.networking.domain}`)"; + "traefik.http.routers.${name}.entrypoints" = "websecure"; + "traefik.http.routers.${name}.middlewares" = "${middleware}"; + } // lib.attrsets.optionalAttrs (builtins.hasAttr "port" options) { + "traefik.http.routers.${name}.service" = service; + "traefik.http.services.${service}.loadbalancer.server.port" = "${builtins.toString options.port}"; + } // lib.attrsets.optionalAttrs (builtins.hasAttr "scheme" options) { + "traefik.http.routers.${name}.service" = service; + "traefik.http.services.${service}.loadbalancer.server.scheme" = "${options.scheme}"; + } // lib.attrsets.optionalAttrs (builtins.hasAttr "service" options) { + "traefik.http.routers.${name}.service" = service; + } + ); + networking.firewall.allowedTCPPorts = [ 80 443 ]; sops.secrets."system/services/traefik/apiTokenFile".sopsFile = ./secrets.sops.yaml; 
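Review bot: In `mkTraefikLabels` the `subdomain` binding is computed but never used: the router rule is built from `${options.name}`, so a caller passing `subdomain` gets no effect; replace `${options.name}` with `${subdomain}` inside the `Host(...)` rule. The default `middleware = "local-ip-only@file"` is a sound choice because every router that does not opt out stays behind the address whitelist; a comment on that line stating that a caller must set `middleware` explicitly to expose a service beyond local networks would make the opt-out visible in review. The comment `# created if port is specified` sits above the `service` binding but describes the `optionalAttrs` blocks below; `# service name; the loadbalancer entries below are only emitted when port/scheme/service is given` fits what the code does. The `"${middleware}"` interpolation is redundant and can be written as `middleware`.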
@@ -35,6 +52,9 @@ in ]; }; + # add user to group to view files/storage + users.users.truxnell.extraGroups = [ config.services.traefik.group ]; + services.traefik = { enable = true; group = "podman"; # podman backend, required to access socket @@ -95,7 +115,7 @@ in http.middlewares = { # Whitelist local network and VPN addresses - local-only.ipWhiteList.sourceRange = [ + local-ip-only.ipWhiteList.sourceRange = [ "127.0.0.1/32" # localhost "192.168.0.0/16" # RFC1918 "10.0.0.0/8" # RFC1918 @@ -158,13 +178,35 @@ in main = "${config.networking.domain}"; sans = "*.${config.networking.domain}"; }]; - middlewares = "local-only@file"; + middlewares = "local-ip-only@file"; service = "api@internal"; }; - }; - }; }; + + mySystem.services.homepage.infrastructure-services = [ + { + Traefik = { + icon = "traefik.png"; + href = "https://traefik.${config.networking.domain}/dashboard/"; + description = "Reverse Proxy"; + widget = { + type = "traefik"; + url = "https://traefik.${config.networking.domain}"; + }; + }; + } + ]; + + mySystem.services.gatus.monitors = mkIf config.mySystem.services.gatus.enable [{ + + name = "traefik"; + group = "infrastructure"; + url = "https://traefik.${config.networking.domain}"; + interval = "30s"; + conditions = [ "[CONNECTED] == true" ]; + }]; + }; } diff --git a/nixos/modules/nixos/services/traefik/secrets.sops.yaml b/nixos/modules/nixos/services/traefik/secrets.sops.yaml index 904b85c..55d4d10 100644 --- a/nixos/modules/nixos/services/traefik/secrets.sops.yaml +++ b/nixos/modules/nixos/services/traefik/secrets.sops.yaml 
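Review bot: The first hunk adds `truxnell` to `config.services.traefik.group`, which this module sets to `"podman"` with the note that it is required to access the socket; if that is the rootful podman socket, membership in its group amounts to root on the host, which is far more than `# add user to group to view files/storage` suggests. If the goal is reading traefik's files, a dedicated group or ACL on the storage path keeps socket access out of it; if socket access is intended, the comment should say so explicitly. In the last hunk the gatus monitor only asserts `[CONNECTED] == true`, which passes as long as the TLS handshake succeeds; adding `"[STATUS] == 200"` (easiest against the `/dashboard/` path the homepage entry already uses) and `"[CERTIFICATE_EXPIRATION] > 48h"` would catch a broken dashboard or an expiring wildcard certificate. The rename to `local-ip-only` is applied to the API router and to the `mkTraefikLabels` default; any router elsewhere still referencing `local-only@file` would fail to resolve its middleware, so a repository-wide search for the old name is worth doing before merging.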
@@ -1,8 +1,8 @@ system: services: - #ENC[AES256_GCM,data:L5ZUZZoFkMaTErRqwkG03SVET5x6AVL+4OvX6ukQlvFX+P9ICYY6lDGDmJARUXDm2yW6hllqA2FxoteFXT5LEikraLywI5jGDgQMGw==,iv:fHYZ9LBvFVT24xeN7HSjlNhFse/MIhb6/3XCUbdCppA=,tag:tq+MbSt+jhvNJfdpuQ5ddg==,type:comment] + #ENC[AES256_GCM,data:VQrWiLlHkqKk80oZqXVyLJt8JBaLIoqKr7tGlXxaRD4Dny8/ZlOy6qw4Bdj6vEUmawBDlHEK+sn93+XnmwzHgnWtUdzgzbAklBSnoA==,iv:Pq3DN3+iWW4mnFSiRhqo+SI3HNZoqjvsuQYaPXKYTZg=,tag:G0yjrWrpnHBn/TB+HUEL3Q==,type:comment] traefik: - apiTokenFile: ENC[AES256_GCM,data:hVIUCHU/AU6SOGt7JEVYuE55LlT7AhSuRpkCEWrsKxhy0K5jRZhYb4G30sXrOv80gb8T82ItYjpi5ytckGq325A4Uzn2dYQ4P9sv1uRxrcJrSOuMvpeWnijT33wbxn/fcg==,iv:5065MjT63rYvx/+ivfVha/+VxaTaHicfmshPI/9qfYw=,tag:S7t/Fr5R30lwO3KvuDjHWw==,type:str] + apiTokenFile: ENC[AES256_GCM,data:ja9KJ7/jhEJnEyI7Nj/9CtnP+VOP0Xpv2ZSmxAvHcRhcE3JG4NSHN1YgxzbzCwa0xvy1vMf4Qw0R/zHbmdgytgzBPuWHoML+GJndY6LDJlihda5gXG909KWOTuTIbuGqvw==,iv:zmDwzHpYdpBuhEHieJxiSRSkHWaHgshysaJkbGGpMzM=,tag:QErXZHxZKPsWhuJProt0Tg==,type:str] sops: kms: [] gcp_kms: [] 
@@ -12,50 +12,59 @@ sops: - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLbVBCZGdUU3dJR0VXMUQ2 - ZUhYcEZkYVBRZkxteGkzaXdDNUVzNjdFUWxrCkgwcXZYZlZ2Wk1KbDg2VGpmZXQ5 - K3ZxR21FZGpJWFpSakltdzN6MUh0b28KLS0tIHRDK2dKQ1Q0UGpBM2oyYzhuSGo2 - TWFTYnpYbDZPeUVtbTdXNm84RFJoaDQKFB0HX9yJ6D5jQRd8qUsLUy4ZcweYv1Qh - BJlQJOlMi+OliSiWOPsI8L8SJSTWJvy6ZX/LcebuQ0tlXeNd3HYAQQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIVHcyRjRJZW9ZQlZBa3py + djV5THprVjhPT3JGT1Z0MjhkNlFKdFZnNFhjCkpmUVhGTmlyQXJVOExxQ2ZaNjEx + TllocWNOSjBmVUtCblNUb3V3TkVuSWcKLS0tIDh6T1FKZmx6K1dWZEVlMUU3S2RC + MG10QTAzU2l2azg2Tlh5L0dxRG1aQ0kKED5IgaOfb4rBbfpd2XzCbzF7wXyNj+6T + VYYAnxILFNm0FcqeV9sCva40KidCBGL9FRaURJLOIK6Nl8vtGO61Ew== -----END AGE ENCRYPTED FILE----- - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBTXp6aExQTVh4OFVKV1Nz - UU0zbEJnR3Nvb256TllyYXg4OTVOektoSURnCllWZUpwc3ZObjlWT0YyLzRiQ0dM - Sy9GSCtsTkZyVkJ1dDJnbmh2ZHdrZG8KLS0tIDRPakxzRWt6ckRzZzVZQzN6RVlU - MEhwbFpIK3hTeGttS0x3Q0dHdHZhNG8KovgKj2k7N/lpGT2j+e1u+3uX3EAMwAwt - uHI2LqEtfaMJZQvsP409G4QkEy+o7GJ7N3LpAXFAPvnJbH5/n7WxiA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAybm9lWS9JWXZybnVKR1Q1 + UDB0djBKdTQ1aFdUM1dScDFFOGMyeGM5Nm53ClpzbVBWZjZydkY4NVVQT3lMK3l5 + NjRkbHFxZlYvOXBoWGNPVGJQQkxsclUKLS0tIDFiR1IzZEhxbUFSUzV0Qzh3aFBs + WFYwa3NsR0VHb2RkQ1JyZnhMR2Rkc1UKi3X1ZzzMzr565t889tCM1duwqu+HlXAS + G/4aaaqJr+7TMmjuNIVh2o19XNv0SquW1RWbv1dJ7fc4maXnaJBxSw== -----END AGE ENCRYPTED FILE----- - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCZjFiSDIzMVVNMmk3ZlBn - SFFpbE10Q0ZZMlhGbElMTURjeDFhUmlnNmdrCk55ZHY0Y3o2SGtaM2ZOTE5QOFo1 - WVdEWGtzWTIxbWtXMmF5V3JvVjBpVFEKLS0tIEtVMldydlRvdHJLYzVnQy9kUnNZ - 
OHJUSlBlQ3Rhb1RYUVNQSWNLWU5NOGcKEHjjav+ACT+HQ9haoMfRei7cAOPugMDs - JsSRPWnVBYPx+9AxDY030Aw6vMw9+rFSuCp3PMH4mNbCcCucaIWWSA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxUVBUMmp1NVNsRldvS0Ns + Vk9Sd1JzS1REdGMxMWNaNnNEWVpCWVFIY0dFCjlLc0w0T01Oc0RUTXQ2eFNjMjBF + ZGFjOHc0czREcTF5L1QvWWc1TWpxK28KLS0tIHpHUnlhbC9SbTEzUGtNQ2U1aXk4 + bFZQbm1HYTRoUlFrVVdRcUt1Sk83eTAKhtrNaITlaCSJaIlN93SwsTIX6IoKtO0W + 2rJWmtVzZ2gpgBpqGUS+do/mJ09ltmsz0dc9/wbSTNgVKC+kcef0Cg== -----END AGE ENCRYPTED FILE----- - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzQWhCM2dpZDFkVVE4SVJq - SXY1ZVh2ZWlDRnN4d2hsREpwU0tYMmpKK0hzCmhkSllSM0NGdHZiV0o4dWVac2Ft - Y01nUlBKUHg4eE1YZWZlU29Vd2lEelEKLS0tIG9DdmdoaWVBMTJ2WnBnWXI5d1ZX - VGtCSTdPcDZHeVdUL1Z6S3hoUE9IR2sK8WyNXZDiJG3ox+nBcwTXdn3fmd4kS2z/ - aUV6ql3vLdsu3/BxLq3v00AXXYNOnWmVrUxTJ9Lv1j0FM5Gh5LupQw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTZkpjNm1nbm5nR3V3RFhy + WTIrMjZOMHozS0JiNHZGZFRQa0Q3aDhGeldnCmtmUC9NSFFsdnozOGZuR1hyWU5Z + b0t4Y3lyNVVodWxPaXlYandkYXlON0UKLS0tIGNrR1dmSU1LNS91d09GbkdmZkFj + S2lxSGlNWHltUFhaQ1lRQ01aalNPWDgKmRpcodDVgO9Rb2zpRKmIUaS00FoAyCif + izDG6Tcsf4fa4wnMVwKBRnmJHJ8OTyDThk5RIv96ZlAVrZJAn7p77w== -----END AGE ENCRYPTED FILE----- - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVdU9TeFlSUWZISytBTnNn - RWlITURiQnY2Ni9LMWZ4R0pBWDJmaHpTZDJ3ClVackV1UHNYUXFmeUliT0h1aHNR - S0M4NWg0NkYrL2V4NXlIUDJ6RE8rODgKLS0tIGEwdGpxNVNtVDc0M0k1ejl1ZmFX - c2VQSk53WEFoTFdFUTM3eWNVamxwNTgKBYqQy+ILW9MdRPDgRBVw8sOyYF40rhYz - yP+Bu6EBAjJDOP/Ywx6I7u6AmlTRcOtk8PmJ8eo3raP07at+jrXsaw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrVXRjRHV5NStlU2Q4Qzhw + ZHBhUzYydlB5TlUzQzJKQ0dtRFZSYTZMNml3CkRqSkRKYWdTWFlJYm9aNlAzdjg0 + Q2Urc2QzRkV3SG9UZ0U4b0RmcE9qOUEKLS0tIFM0bG1hSWV1bGRUTDBNaWVaOGFk + 
eWFqK2taVTN2aE5yVWQvTXhPQXN0SEEKUtgEBN5hxt+8N0/CuuqrFfTVlb4WGieR + Ww8jDkzXsmaYcbTRv0lajyxdTlfhubhDcKSWguP5PzqRC5cdJxXpqg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-04-05T08:20:07Z" - mac: ENC[AES256_GCM,data:a/J87IQL0X7XQycpZXWg2otlBe7/W7Ebe0CAKunnyF8Gm9RRMWdECrFeBDtAyVAHl2F6gqlNTyEMsOVE+aR6+xu91rXr332k66SnSQcMOjQ987+r+t3b1hUZ9Cz+qNbtepXaGTuCNQ0JH+o3ezkA1D6BDIvf6S4IRWRT9psOiHI=,iv:2TXiGQDDK2nSTAb+n3baFfng9jDPoe7Ts9Au9dTRclA=,tag:MZFBEcpOmoX0TN33OMoApg==,type:str] + - recipient: age1se7am4c5dh35aulf5zt38ymf600hz8gah4eudr9ml4fmr8h2eqxszuel73 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmK2FjbGJkbmFqekUwOFkx + d2ZDN2ZZRU5pMENNbjlVRTIrZGlGNEtpanhvClBDbndLcHFTbldlZlZ1aGpHMDFP + ZW53Y1pBbGJ6dFR1Y1ZWbU01Q2lKdUUKLS0tIGRoSDdSbmIzSjBEamZIQ2Q4KzBK + emttN0Jmak5DU0R1cDlxdmkzL2tQT3cKW/3h9EQnwzw0AvLKv5yPc3boXKcgqFv+ + rLyBO0sTld1T8JQ5tpw9dX/H8RgKXu+9E2zVdHWkPrnEpRlK11TyRg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-10T07:18:45Z" + mac: ENC[AES256_GCM,data:mVVRkH+oCh+V/witg8XWh9pfDSOMc3nRCxnyqoE3DVA1XEiX3T7dC9bbJspAUGI+fte19u0FafbswmRUO1K70zfXkRhK4GKDRyAysBmdCZXpcf3IIlEaP/XblR6jHtuEE68hNXfA15SEPk3x3+P5kNBXIQwKl5nPCah7ZOugJao=,iv:uK19ZNnejxWGu5dLKDFLGP6gLZ3GOteWWYsCPkxZ0pU=,tag:1F2eU32hP2dV4ssWQBh4KQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/nixos/modules/nixos/system/default.nix b/nixos/modules/nixos/system/default.nix index 57e42b9..4c501de 100644 --- a/nixos/modules/nixos/system/default.nix +++ b/nixos/modules/nixos/system/default.nix @@ -5,5 +5,6 @@ ./security.nix ./systempackages.nix ./nix.nix + ./zfs.nix ]; } diff --git a/nixos/modules/nixos/system/zfs.nix b/nixos/modules/nixos/system/zfs.nix new file mode 100644 index 0000000..64abe46 --- /dev/null +++ b/nixos/modules/nixos/system/zfs.nix 
@@ -0,0 +1,43 @@ +{ lib +, config +, ... +}: +let + cfg = config.mySystem.system.zfs; +in +with lib; +{ + options.mySystem.system.zfs = { + enable = lib.mkEnableOption "zfs"; + mountPoolsAtBoot = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ ]; + }; + impermanenceRollback = lib.mkEnableOption "Rollback root on boot for impermance"; + + }; + + config = lib.mkIf cfg.enable { + boot = { + supportedFilesystems = [ + "zfs" + ]; + zfs = { + forceImportRoot = false; + extraPools = cfg.mountPoolsAtBoot; + }; + + initrd.postDeviceCommands = lib.mkIf cfg.impermanenceRollback (lib.mkAfter '' + zfs rollback -r rpool/local/root@blank + ''); + + }; + + services.zfs = { + autoScrub.enable = true; + trim.enable = true; + }; + + + }; +} diff --git a/nixos/profiles/global/default.nix b/nixos/profiles/global/default.nix index 395d6ee..9a3b0c0 100644 --- a/nixos/profiles/global/default.nix +++ b/nixos/profiles/global/default.nix @@ -5,4 +5,5 @@ ./system.nix ./users.nix ]; + } diff --git a/nixos/profiles/role-server.nix b/nixos/profiles/role-server.nix index 6db8d23..8da5d3d 100644 --- a/nixos/profiles/role-server.nix +++ b/nixos/profiles/role-server.nix @@ -15,6 +15,14 @@ with lib; mySystem.services.rebootRequiredCheck.enable = true; mySystem.security.wheelNeedsSudoPassword = false; mySystem.services.cockpit.enable = true; + mySystem.services.gatus.monitors = mkIf config.mySystem.services.gatus.enable [{ + + name = config.networking.hostName; + group = "servers"; + url = "icmp://${config.networking.hostName}.l.trux.dev"; + interval = "30s"; + conditions = [ "[CONNECTED] == true" ]; + }]; nix.settings = { # TODO factor out into mySystem diff --git a/shell.nix b/shell.nix index aefda51..8a231da 100644 --- a/shell.nix +++ b/shell.nix 
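Review bot: The rollback in `initrd.postDeviceCommands` hard-codes `rpool/local/root@blank`, while every other knob in this module (`mountPoolsAtBoot`, the two enable flags) is an option, so a host with a different pool or dataset layout cannot use `impermanenceRollback` without editing the module, and one that enables it anyway runs `zfs rollback` against a dataset that does not exist in its initrd. Making the target an option with the current value as default keeps existing hosts unchanged, as sketched below. Two smaller points: the description `"Rollback root on boot for impermance"` misspells impermanence, and `boot.initrd.postDeviceCommands` is not run when `boot.initrd.systemd.enable` is on, which deserves a comment next to it if that initrd is ever adopted. The whole new file is inside the hunk.

```nix
    impermanenceRollback = lib.mkEnableOption "Rollback root on boot for impermanence";
    impermanenceRollbackTarget = lib.mkOption {
      type = lib.types.str;
      default = "rpool/local/root@blank";
      description = "Snapshot the root dataset is rolled back to on every boot when impermanenceRollback is enabled.";
    };
  # … unchanged: mountPoolsAtBoot option, boot.supportedFilesystems and boot.zfs …
      initrd.postDeviceCommands = lib.mkIf cfg.impermanenceRollback (lib.mkAfter ''
        zfs rollback -r ${cfg.impermanenceRollbackTarget}
      '');
```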
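Review bot: The gatus monitor added in the `role-server.nix` hunk (`@@ -15,6 +15,14 @@`) hard-codes the `l.trux.dev` suffix in `url = "icmp://${config.networking.hostName}.l.trux.dev"`, whereas the traefik module in this same patch derives its names from `config.networking.domain`, so a host whose domain differs is probed at the wrong address. `url = "icmp://${config.networking.fqdn}";` keeps the two modules consistent; it requires `networking.domain` to be set, which the traefik module already relies on. The stray blank line after `[{` can also go. The enclosing attribute set starts and ends outside the hunk.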
@@ -11,17 +11,20 @@ in import nixpkgs { inherit system overlays; } , ... -}: pkgs.mkShell { - # Enable experimental features without having to specify the argument - NIX_CONFIG = "experimental-features = nix-command flakes"; - nativeBuildInputs = with pkgs; [ - nix - home-manager - git - nil - nixpkgs-fmt - go-task - sops - pre-commit - ]; +}: { + default = pkgs.mkShell { + # Enable experimental features without having to specify the argument + NIX_CONFIG = "experimental-features = nix-command flakes"; + nativeBuildInputs = with pkgs; [ + nix + home-manager + git + nil + nixpkgs-fmt + go-task + sops + pre-commit + gitleaks + ]; + }; } diff --git a/zone b/zone new file mode 100644 index 0000000..0d9398b --- /dev/null +++ b/zone @@ -0,0 +1,20 @@ +; Make sure to update the epoch time in the SOA records so coreDNS picks up the changes automatically +; https://www.epochconverter.com/ +; you can check this file with the tool 'named-checkzone' from 'bind' package + +; SOA Records +$TTL 3600 +$ORIGIN natallan.com. +@ 3600 IN SOA gateway.natallan.com. gateway.natallan.com. ( +1682790203 ; serial number (epoch timestamp) +7200 ; refresh period +3600 ; retry period +1209600 ; expire time +3600 ; minimum ttl +) + +; NS Records +@ IN NS unifi.l.trux.dev. + +; Metallb +hegira IN A 10.8.20.30
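Review bot: In the SOA record `@ 3600 IN SOA gateway.natallan.com. gateway.natallan.com. (` the second name is the RNAME, a responsible-person mailbox whose first label is the local part, not a host name; as written it denotes the address `gateway@natallan.com`. The conventional value is `hostmaster.natallan.com.`, and `named-checkzone natallan.com zone`, which the header comment already recommends, is the quick way to validate the file after the change. The file has no extension and sits at the repository root, and nothing in this diff shows where CoreDNS is pointed at it, so a path comment in the header would help the next reader.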