jahanson/nix-config-tn
Archived
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions

Feat: containers and helios join the party (#79)

Browse source 
* feat: add

* hack

* feat: add secrets pre-commit

* wip

* wip

* hacking at gatus

* hacking at gatus

* wip

* wip

* hack

* hack

* hack

* hack

* feat: gatus doing gatus stuff

* hack

* guh

* hacking

* hack

* hack

* hack

* feat: add helios

* hack

* chore: new hosts reencrypt

* Auto lint/format

---------

Co-authored-by: Truxnell <9149206+truxnell@users.noreply.github.com>
Co-authored-by: truxnell <truxnell@users.noreply.github.com>
This commit is contained in:
Truxnell 2024-04-10 18:00:25 +10:00 committed by GitHub
parent b646419432
commit 1554768917
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
59 changed files with 1833 additions and 567 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.gitignore vendored
View file

@ -2,3 +2,5 @@
**/*.tmp.sops.yaml **/*.tmp.sops.yaml
result result
.direnv .direnv
**/*.sops.tmp.yaml
.kube

10
.pre-commit-config.yaml
View file

@ -26,3 +26,13 @@ repos:
- id: remove-crlf - id: remove-crlf
- id: remove-tabs - id: remove-tabs
exclude: (Makefile) exclude: (Makefile)
- repo: https://github.com/zricethezav/gitleaks
rev: v8.18.1
hooks:
- id: gitleaks
- repo: https://github.com/yuvipanda/pre-commit-hook-ensure-sops
rev: v1.0
hooks:
- id: sops-encryption
# Uncomment to exclude all markdown files from encryption
# exclude: *.\.md

2
.sops.yaml
View file

@ -14,6 +14,7 @@ keys:
- &citadel age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk - &citadel age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
- &rickenbacker age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc - &rickenbacker age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
- &shodan age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw - &shodan age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
- &helios age1se7am4c5dh35aulf5zt38ymf600hz8gah4eudr9ml4fmr8h2eqxszuel73
creation_rules: creation_rules:
- path_regex: .*\.sops\.yaml$ - path_regex: .*\.sops\.yaml$
@ -24,3 +25,4 @@ creation_rules:
- *citadel - *citadel
- *rickenbacker - *rickenbacker
- *shodan - *shodan
- *helios

40
.taskfiles/nix/Taskfile.yaml
View file

@ -3,7 +3,9 @@
version: "3" version: "3"
vars: vars:
host: $HOSTNAME hostname: $HOSTNAME
host: '{{ or .host .hostname }}'
tasks: tasks:
switch: switch:
@ -16,13 +18,47 @@ tasks:
- echo "This will switch your config." - echo "This will switch your config."
- task: .prompt_to_continue - task: .prompt_to_continue
- git add . - git add .
- sudo nixos-rebuild switch --flake "{{.ROOT_DIR}}/#{{.host}}" --impure - sudo nixos-rebuild switch --flake "{{.ROOT_DIR}}/#{{.hostname}}" --impure
preconditions: preconditions:
- sh: which nix - sh: which nix
msg: "nix not found" msg: "nix not found"
- sh: which nixos-rebuild - sh: which nixos-rebuild
msg: "nixos-rebuild not found" msg: "nixos-rebuild not found"
deploy-single:
desc: Deploy flake to single node
# silent: true
requires:
vars:
- host
cmds:
- echo "This will deploy the local flake to host {{ .host }}."
- task: .prompt_to_continue
- .taskfiles/nix/update-single-machine.sh {{.host}}
preconditions:
- sh: which nix
msg: "nix not found"
- sh: which nixos-rebuild
msg: "nixos-rebuild not found"
deploy-all:
desc: Deploy flake to all nodes
# silent: true
requires:
vars:
- host
cmds:
- echo "This will deploy the local flake to all whitelisted hosts."
- task: .prompt_to_continue
- .taskfiles/nix/update-all.sh
preconditions:
- sh: which nix
msg: "nix not found"
- sh: which nixos-rebuild
msg: "nixos-rebuild not found"
test: test:
desc: Build and apply nix configuration desc: Build and apply nix configuration
silent: true silent: true

37
.taskfiles/nix/update-all.sh Executable file
View file

@ -0,0 +1,37 @@
#!/usr/bin/env bash
set -e
hosts=($(echo $(nix eval .#nixosConfigurations --apply 'pkgs: builtins.concatStringsSep " " (builtins.attrNames pkgs)') | xargs))
skip=(
"citadel"
"rickenbacker"
)
reboot=0
while getopts ":r" option; do
case $option in
r)
reboot=1
;;
esac
done
for host in "${hosts[@]}"; do
# Check if the host is in the skip list
if [[ " ${skip[*]} " =~ " ${host} " ]]; then
continue
fi
fqdn="$host.l.trux.dev"
if [ $reboot -eq 0 ]; then
echo $fqdn
nixos-rebuild switch -j auto --use-remote-sudo --target-host $fqdn --flake ".#$host"
else
echo "$fqdn with reboot"
nixos-rebuild boot -j auto --use-remote-sudo --target-host $fqdn --flake ".#$host"
ssh -i $rsa_key $fqdn 'sudo reboot'
fi
echo
echo
done

33
.taskfiles/nix/update-single-machine.sh Executable file
View file

@ -0,0 +1,33 @@
#!/usr/bin/env bash
set -e
cd /home/truxnell/.local/nix-config
# rsa_key="~/.nixos/secrets/ssh_keys/ansible/ansible.key"
# export NIX_SSHOPTS="-t -i $rsa_key"
reboot=0
while getopts ":r" option; do
case $option in
r)
reboot=1
host=$2
fqdn="$host.l.trux.dev"
echo "$fqdn with reboot"
nixos-rebuild boot -j auto --use-remote-sudo --target-host $fqdn --flake ".#$host"
# ssh -i $rsa_key $fqdn 'sudo reboot'
ssh $fqdn 'sudo reboot'
;;
esac
done
if [ $reboot -eq 0 ]; then
host=$1
fqdn="$host.l.trux.dev"
echo "$fqdn"
nixos-rebuild switch -j auto --use-remote-sudo --target-host $fqdn --flake ".#$host"
fi
echo
echo

1
docs/tips.md
View file

@ -2,3 +2,4 @@
* Dont make conditional imports (nix needs to resolve imports upfront) * Dont make conditional imports (nix needs to resolve imports upfront)
* can pass between nixos and home-manager with config.homemanager.users.<X>.<y> and osConfig.<x? * can pass between nixos and home-manager with config.homemanager.users.<X>.<y> and osConfig.<x?
* when adding home-manager to existing setup, the home-manager service may fail due to trying to over-write existing files in `~`. Deleting these should allow the service to start * when adding home-manager to existing setup, the home-manager service may fail due to trying to over-write existing files in `~`. Deleting these should allow the service to start
* yaml = json, so using nix + builtins.toJSON a lot (and repl to vscode for testing)

1
docs/vm/installing-x86_64.md
View file

@ -58,6 +58,7 @@ nixos-rebuild switch
``` ```
Set the password for the user that was created. Set the password for the user that was created.
Might need to use su?
```sh ```sh
passwd truxnell passwd truxnell

41
docs/vm/installing-zfs-impermance.md Normal file
View file

@ -0,0 +1,41 @@
> https://grahamc.com/blog/erase-your-darlings/
# Partitioning
parted /dev/nvme0n1 -- mklabel gpt
parted /dev/nvme0n1 -- mkpart root ext4 512MB -8GB
parted /dev/nvme0n1 -- mkpart swap linux-swap -8GB 100%
parted /dev/nvme0n1 -- mkpart ESP fat32 1MB 512MB
parted /dev/nvme0n1 -- set 3 esp on
# Formatting
mkswap -L swap /dev/nvme0n1p2
mkfs.fat -F 32 -n boot /dev/nvme0n1p3
# ZFS on root partition
zpool create -O mountpoint=none rpool /dev/nvme0n1p1
zfs create -p -o mountpoint=none rpool/local/root
## immediate blank snapshot
zfs snapshot rpool/local/root@blank
mount -t zfs rpool/local/root /mnt
# Boot partition
mkdir /mnt/boot
mount /dev/nvme0n1p3 /mnt/boot
#mk nix
zfs create -p -o mountpoint=legacy rpool/local/nix
mkdir /mnt/nix
mount -t zfs rpool/local/nix /mnt/nix
# And a dataset for /home: if needed
zfs create -p -o mountpoint=legacy rpool/safe/home
mkdir /mnt/home
mount -t zfs rpool/safe/home /mnt/home
zfs create -p -o mountpoint=legacy rpool/safe/persist
mkdir /mnt/persist
mount -t zfs rpool/safe/persist /mnt/persist
Set `networking.hostid`` in the nixos config to `head -c 8 /etc/machine-id`

11
docs/vm/servers.md Normal file
View file

@ -0,0 +1,11 @@
SHODAN = lab01
XERXES = lab02
DURANDAL = dns01
dns02
pikvm
CITADEL = gaming pc
HYPERION = laptop

30
flake.nix
View file

@ -69,6 +69,10 @@
# Use nixpkgs-fmt for 'nix fmt' # Use nixpkgs-fmt for 'nix fmt'
formatter = forAllSystems (system: nixpkgs.legacyPackages."${system}".nixpkgs-fmt); formatter = forAllSystems (system: nixpkgs.legacyPackages."${system}".nixpkgs-fmt);
# setup devshells against shell.nix
devShells = forAllSystems (pkgs: import ./shell.nix { inherit pkgs; });
nixosConfigurations = nixosConfigurations =
# with self.lib; # with self.lib;
let let
@ -188,10 +192,10 @@
]; ];
}; };
"shodan" = mkNixosConfig { "durandal" = mkNixosConfig {
# Rpi for DNS and misc services # test lenovo tiny
hostname = "shodan"; hostname = "durandal";
system = "x86_64-linux"; system = "x86_64-linux";
hardwareModules = [ hardwareModules = [
./nixos/profiles/hw-generic-x86.nix ./nixos/profiles/hw-generic-x86.nix
@ -202,6 +206,21 @@
]; ];
}; };
"helios" = mkNixosConfig {
# lenovo tiny NAS
hostname = "helios";
system = "x86_64-linux";
hardwareModules = [
./nixos/profiles/hw-generic-x86.nix
];
profileModules = [
./nixos/profiles/role-server.nix
{ home-manager.users.truxnell = ./nixos/home/truxnell/server.nix; }
];
};
}; };
@ -254,9 +273,8 @@
}; };
in in
{ {
dns01 = mkDeployConfig "10.8.10.11" self.nixosConfigurations.dns01; dns01 = mkDeployConfig "dns01" self.nixosConfigurations.dns01;
dns02 = mkDeployConfig "10.8.10.10" self.nixosConfigurations.dns02; dns02 = mkDeployConfig "dns02" self.nixosConfigurations.dns02;
shodan = mkDeployConfig "10.8.20.33" self.nixosConfigurations.shodan;
# dns02 = mkDeployConfig "dns02.natallan.com" self.nixosConfigurations.dns02; # dns02 = mkDeployConfig "dns02.natallan.com" self.nixosConfigurations.dns02;
}; };

2
nixos/home/modules/programs/de/gnome/default.nix
View file

@ -30,7 +30,7 @@ with lib.hm.gvariant; {
favorite-apps = [ "org.gnome.Nautilus.desktop" "firefox.desktop" "org.wezfurlong.wezterm.desktop" "PrusaGcodeviewer.desktop" "spotify.desktop" "org.gnome.Console.desktop" "codium.desktop" "discord.desktop" ]; favorite-apps = [ "org.gnome.Nautilus.desktop" "firefox.desktop" "org.wezfurlong.wezterm.desktop" "PrusaGcodeviewer.desktop" "spotify.desktop" "org.gnome.Console.desktop" "codium.desktop" "discord.desktop" ];
}; };
"org/gnome/nautilus/preferences" = { "org/gnome/nautilus/preferences" = {
default-folder-viewer = "icon-view"; default-folder-viewer = "list-view";
}; };
"org/gnome/nautilus/icon-view" = { "org/gnome/nautilus/icon-view" = {
default-zoom-level = "small"; default-zoom-level = "small";

6
nixos/home/modules/shell/wezterm/default.nix
View file

@ -14,7 +14,6 @@ in
}; };
}; };
# Temporary make .config/wezterm/wezterm.lua link to the local copy
config = mkIf cfg.enable { config = mkIf cfg.enable {
# xdg.configFile."wezterm/wezterm.lua".source = config.lib.file.mkOutOfStoreSymlink cfg.configPath; # xdg.configFile."wezterm/wezterm.lua".source = config.lib.file.mkOutOfStoreSymlink cfg.configPath;
programs.wezterm.package = pkgs.unstable.wezterm; programs.wezterm.package = pkgs.unstable.wezterm;
@ -23,8 +22,11 @@ in
extraConfig = '' extraConfig = ''
local wez = require('wezterm') local wez = require('wezterm')
return { return {
-- issue relating to nvidia drivers
-- https://github.com/wez/wezterm/issues/2011 -- https://github.com/wez/wezterm/issues/2011
enable_wayland = false, -- had to build out 550.67 manually to 'fix'
enable_wayland = true,
color_scheme = "Dracula (Official)", color_scheme = "Dracula (Official)",
check_for_updates = false, check_for_updates = false,
window_background_opacity = .90, window_background_opacity = .90,

7
nixos/home/truxnell/workstation.nix
View file

@ -12,6 +12,7 @@ with config;
myHome.security = { myHome.security = {
ssh = { ssh = {
#TODO make this dynamic
enable = true; enable = true;
matchBlocks = { matchBlocks = {
citadel = { citadel = {
@ -40,6 +41,12 @@ with config;
user = "root"; user = "root";
identityFile = "~/.ssh/id_ed25519"; identityFile = "~/.ssh/id_ed25519";
}; };
durandal = {
hostname = "durandal";
port = 22;
identityFile = "~/.ssh/id_ed25519";
};
helios = { helios = {
hostname = "helios"; hostname = "helios";
user = "nat"; user = "nat";

1
nixos/hosts/bootstrap/configuration.nix
View file

@ -16,6 +16,7 @@
networking = { networking = {
hostName = "nixos-bootstrap"; hostName = "nixos-bootstrap";
hostId = ""; # set to `head -c 8 /etc/machine-id`
dhcpcd.enable = true; dhcpcd.enable = true;
}; };
# Pick only one of the below networking options. # Pick only one of the below networking options.

7
nixos/hosts/shodan/default.nix → nixos/hosts/durandal/default.nix
View file

@ -20,9 +20,12 @@
radarr.enable = true; radarr.enable = true;
lidarr.enable = true; lidarr.enable = true;
readarr.enable = true; readarr.enable = true;
gatus.enable = true;
sabnzbd.enable = true;
qbittorrent.enable = true;
}; };
mySystem.nfs.nas.enable = true; mySystem.nfs.nas.enable = true;
mySystem.persistentFolder = "/persistent/nixos";
boot = { boot = {
@ -43,7 +46,7 @@
}; };
}; };
networking.hostName = "shodan1"; # Define your hostname. networking.hostName = "durandal"; # Define your hostname.
networking.useDHCP = lib.mkDefault true; networking.useDHCP = lib.mkDefault true;
fileSystems."/" = fileSystems."/" =

88
nixos/hosts/helios/default.nix Normal file
View file

@ -0,0 +1,88 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{ config
, lib
, pkgs
, ...
}: {
imports = [
];
mySystem.services = {
openssh.enable = true;
#containers
podman.enable = true;
traefik.enable = true;
homepage.enable = true;
sonarr.enable = true;
radarr.enable = true;
lidarr.enable = true;
readarr.enable = true;
gatus.enable = true;
sabnzbd.enable = true;
qbittorrent.enable = true;
};
mySystem.system = {
zfs.enable = true;
zfs.mountPoolsAtBoot = [ "tank" ];
zfs.impermanenceRollback = true;
};
boot = {
initrd.availableKernelModules = [ "xhci_pci" "ahci" "mpt3sas" "nvme" "usbhid" "usb_storage" "sd_mod" ];
initrd.kernelModules = [ ];
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
# for managing/mounting ntfs
supportedFilesystems = [ "ntfs" ];
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
# why not ensure we can memtest workstatons easily?
grub.memtest86.enable = true;
};
};
networking.hostName = "helios"; # Define your hostname.
networking.hostId = "fae0e831"; # for zfs, helps stop importing to wrong machine
networking.useDHCP = lib.mkDefault true;
fileSystems."/" =
{
device = "rpool/local/root";
fsType = "zfs";
};
fileSystems."/nix" =
{
device = "rpool/local/nix";
fsType = "zfs";
};
fileSystems."/persist" =
{
device = "rpool/safe/persist";
fsType = "zfs";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/B19B-8223";
fsType = "vfat";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/1d7b6e4a-aa76-4217-af18-44378c2d93d9"; }];
}

0
nixos/modules/nixos/services/arr/default.nix → nixos/modules/nixos/containers/arr/default.nix
View file

24
nixos/modules/nixos/services/arr/lidarr/default.nix → nixos/modules/nixos/containers/arr/lidarr/default.nix
View file

@ -38,6 +38,7 @@ in
virtualisation.oci-containers.containers.${app} = { virtualisation.oci-containers.containers.${app} = {
image = "${image}"; image = "${image}";
user = "${user}:${group}"; user = "${user}:${group}";
dependsOn = [ "prowlarr" ];
environment = { environment = {
PUSHOVER_DEBUG = "false"; PUSHOVER_DEBUG = "false";
PUSHOVER_APP_URL = "${app}.${config.networking.domain}"; PUSHOVER_APP_URL = "${app}.${config.networking.domain}";
@ -51,16 +52,13 @@ in
"/mnt/nas/natflix:/media:rw" "/mnt/nas/natflix:/media:rw"
"/etc/localtime:/etc/localtime:ro" "/etc/localtime:/etc/localtime:ro"
]; ];
labels = { labels = config.lib.mySystem.mkTraefikLabels {
"traefik.enable" = "true"; name = app;
"traefik.http.routers.${app}.entrypoints" = "websecure"; inherit port;
"traefik.http.routers.${app}.middlewares" = "local-only@file";
"traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
}; };
}; };
mySystem.services.homepage.media-services = [ mySystem.services.homepage.media-services = mkIf cfg.addToHomepage [
{ {
Lidarr = { Lidarr = {
icon = "${app}.png"; icon = "${app}.png";
@ -69,11 +67,21 @@ in
container = "${app}"; container = "${app}";
widget = { widget = {
type = "${app}"; type = "${app}";
url = "http://${app}:${toString port}"; url = "https://${app}.${config.networking.domain}";
key = "{{HOMEPAGE_VAR_LIDARR__API_KEY}}"; key = "{{HOMEPAGE_VAR_LIDARR__API_KEY}}";
}; };
}; };
} }
]; ];
mySystem.services.gatus.monitors = mkIf config.mySystem.services.gatus.enable [{
name = app;
group = "arr";
url = "https://${app}.${config.networking.domain}";
interval = "30s";
conditions = [ "[CONNECTED] == true" ];
}];
}; };
} }

68
nixos/modules/nixos/containers/arr/lidarr/secrets.sops.yaml Normal file
View file

@ -0,0 +1,68 @@
services:
lidarr:
env: ENC[AES256_GCM,data:7YX4nyGmGWCLWfAq2C+wgFDhsldtB+HtCgTOFzloTUCNzF+FkCiqOfCoelrLlpDDWzTY2zLVHmPpsn65170SUfm93nAAxS2Wje5nK18USoKIDd+M4lOkq1vPkVcIMHJlW6U7K8Uf9HidCFsTg9k=,iv:1R1K+ZSRTiltIN6c5s0s1Bev7xdRWBvHTaOO4/zIzWE=,tag:4jOnhVk9of3wzzgvL/4F4w==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2NlFJVE1WaWtkRGtwa3VM
TnVHTjVkekRlL05lcDlSM2EvaUNvbzliV1F3CjhQajQ4dERzSGl0Y3RsK21HOS9K
TURVdlY0Z3Qxd3AzcHU5bVcyeisrbFUKLS0tIHRYeEhyNzNveUU3QVVvd2FHaUo0
ZnQwbmZKc3J1aUF2Z3YwWDZzeXM2RncKOldAtGrvchEjB43g4yGFMObsU+PsV+Br
kGqwFZfQYult/pIPuu0uitY4DGzqGFvVZSHbRlafVksg9yfllW/TZA==
-----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4d05KN0tOTTdITWlkSFNk
WGM4WFJYb2RmN3RIU1NFRytzNWxSTFc4SmxjCmt3Nkh4Yy9MK1lkYmxwRWxIeEJR
YitCbXAwdzhBWXVrUGJjcmRDam9Qc1UKLS0tIEZPUjRqZVV2UEpsWkZaYVFSZVd6
YXNFK2t5RzlJc1JyUWlFeHNLdFpqU0UKr0HL7K9cdaHIDa2J/3fOxuY9ciHmyoaC
O9fPgDV7MUG1cG7lFMQUXw17ke/3aqxBrQdixCIJDVFiD3Bp5CNUwQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRRmtvVS83Qk50Qnp3MGlH
MDg0czVSRDc1MkdLV01EOG5JZWtwUGFXeVNJClNtWmZLSzVQTjcwVmhpaE1lcTcx
VDFGT0RqZDQ5ZTh1QWhVWXpLQ3Q3VmcKLS0tIEJ1REI1a2lWTFpWZ0RZVHVRNXBI
Q0VoNjMrZXNzbkl2cy9tUW1wajNaR2cKPDjjplQ9v9aFkHuDPhGri/VLBDrHdAeN
040urbUo0MV8rf5wysRkDKFqoZeIJF9pTetkSTL3BawV/G9uo1ccBA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyWTdIMCtCRVFXSXcxZDRZ
eTJiaVVMYVRoOHFoNEZ3OWlZZ2VXYlk5NGdFCkFKeFhpbGltUGNwR0FwWGpCWVpD
aGI1TG9uK2cyYlQ4dGdYOHFQWkNkOTAKLS0tIFFvOE5lNmFkNnppZkRNSW5zTWtD
enpoY1NscGhSTWxVTEU4M1lNS21ZWmMK/vkbqW5oQT/NImNFGx7d42Q/bHMTA3cy
SzoDd762QD84ONgwh8OtXEHk3TlxrVrMKbqRa3OyYSV9AdPZ4QiHaQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLRVJRdkJwdE95eE1NbEJE
eUZXWlppUXBDOGFGVjBoMzhYWnFkc0Z3OEFFCnU4MlhFMmV3YjI2R3dPY2QzWW9q
elhGSE1FQlVVWUp1dHIrUFlkRlV3Z0kKLS0tIFRrR3VxVFdsbld4QXB6Qlc5UGZQ
ZmpvRy8zNkExN2lWTEZvQllLcHo4cjgKXJt9NVNxEy0gaow2Uwm1NfLytLLsHyoF
C+RAWMpEhxyJHQ3cyGaYmOe9AkArO3lV9xwiNLcAzQTjZaIjy3KO0Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1se7am4c5dh35aulf5zt38ymf600hz8gah4eudr9ml4fmr8h2eqxszuel73
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNSXFaZ0EvNjRzazhsZzhP
ZGZqRFhoT1RVNHI0cG41OVhmYU1HWTI3ZnlRCndKREo1UmNhTTRPdGxIdkpaeVZy
Ujk1M005NTRtaC9YQ2dteGNQZ1A5cGsKLS0tIEJhSWkvaWY3eGRyR1VlckYzL1BQ
SjVNbnhXeGhxTHEyRU5Jd1BaNzc0TjQK+JalyEaNtqABGJbphWUdVKG3dNoU8/zv
9uivNH47OBZmWPWhDMWFKU3EZ05LRJMPHax4W1PyWXsvV8keda1K1A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-10T07:18:45Z"
mac: ENC[AES256_GCM,data:O6qkL2lH7dxsadSwJeYkRLr98jvmonuuHrQF52A9OP44fNdhA0SVagd4iLpIh4nlghIpWGnaLRzl+eL4u36Dh3rrlJoOKaWJmkSQDEVvRXpE36/+7ChvJj995s2qX/2MAMhG2ytrgAmGb0TuzsP8ySTJlFFubwk/lZoVaWAy+Fc=,iv:OFfOpQy+mCiO8RpHQStW34H7J9LJ3PFkZyrlCj5kOcA=,tag:7C0rafYEwMoakDR3sSWL6w==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

23
nixos/modules/nixos/services/arr/prowlarr/default.nix → nixos/modules/nixos/containers/arr/prowlarr/default.nix
View file

@ -50,16 +50,13 @@ in
"${persistentFolder}:/config:rw" "${persistentFolder}:/config:rw"
"/etc/localtime:/etc/localtime:ro" "/etc/localtime:/etc/localtime:ro"
]; ];
labels = { labels = config.lib.mySystem.mkTraefikLabels {
"traefik.enable" = "true"; name = app;
"traefik.http.routers.${app}.entrypoints" = "websecure"; inherit port;
"traefik.http.routers.${app}.middlewares" = "local-only@file";
"traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
}; };
}; };
mySystem.services.homepage.media-services = [ mySystem.services.homepage.media-services = mkIf cfg.addToHomepage [
{ {
Prowlarr = { Prowlarr = {
icon = "${app}.png"; icon = "${app}.png";
@ -68,11 +65,21 @@ in
container = "${app}"; container = "${app}";
widget = { widget = {
type = "${app}"; type = "${app}";
url = "http://${app}:${toString port}"; url = "https://${app}.${config.networking.domain}";
key = "{{HOMEPAGE_VAR_PROWLARR__API_KEY}}"; key = "{{HOMEPAGE_VAR_PROWLARR__API_KEY}}";
}; };
}; };
} }
]; ];
mySystem.services.gatus.monitors = mkIf config.mySystem.services.gatus.enable [{
name = app;
group = "arr";
url = "https://${app}.${config.networking.domain}";
interval = "30s";
conditions = [ "[CONNECTED] == true" ];
}];
}; };
} }

68
nixos/modules/nixos/containers/arr/prowlarr/secrets.sops.yaml Normal file
View file

@ -0,0 +1,68 @@
services:
prowlarr:
env: ENC[AES256_GCM,data:bB13WWB+H9OHK4FMOEuURU0oZLdCTpG67bY/E6ikN8MBixG5PPwZuUHVt3gfpcdiQC3/BVj8UhkEC3ATRlihZCsUAB9kWUMAPrxOeXQr0VJ+RQpl2q9IjdUa4nz42AZkG1ZevCoYojxFKvJGmGaVj9CI,iv:yUe+L4cOwI52462FMu2zKvjLShXFI5joaEHxcENcVPI=,tag:rVdZZ2E0Ikx8OhIFs+8rMw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaR2h5a2dnc005dGFPdkxD
YlBQakZRUFYyUHNFUklzQ2dXTUp1ZXpaVkcwClVpZzJFTTNBeitYOWpJdUx0K3FL
bnRkbnNDZzBqOTNCRnJnekU0N043MjgKLS0tIGZ1WTdkb1g5c3MzNXBnVGdPZGw2
cklqZXFTS0JKb1hHNG8yQm9jQ0dyRkUKsJIGwRQUpQ2rWtLAEnm8C9+5yLfTY4He
mDB2V6IitkKFEPzEpPi9vk+2zkf6dqWbwUa9VANs14uLu5Ue0WTsjQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFWFRlL0VQY0d1aDIreksr
UjZwMzM3RkhyamlVVGtOWFdTRlhodlphZmo4Cm1WMlNRVDhSVTlqUG84TG5iK1cw
M290eVZXVXlpbCs5aEhpRERRRWVzSVEKLS0tIFlBemlwWjZuczVFSVE0UWJOZFJh
T2h5eEJXekxKVnBmQWJoL0h4aGJreHcKQSgjZWxd8lBhMrv4bqmoQICK/hf/hWOp
a2Un0jXCvomlCCRiMXpc1Ii9Xy6y012bHrAlom3eiAU11wKOBYZ0Qg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0MWliQTFvM0MrUmN1NDFK
VEM4TnhrSWM2cEU2dHE3UnQzeHZhN1BKT1E4CllBMEEwY1FxVWI5S1JndnVQUkFT
VzBUYVozN1M2Z2o0b3hxaHd3aUV0ajAKLS0tIHBRQ3RTOGxzTlQ2emlqTXdoZy92
VGQ1RklSUy9UclRYaVNmWTlHTXRHMDgKk6MlwJIlSsZRxYwNC39bkwUly3m+y+68
XpLbncjI55Uyno1z2J+6NJotAFFKpzuQ/VpAiE+FwBM7CLrkh11KvQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEb3dyZ2RrZXZjUlYvZFI1
Ui8vQmx2bFlYV2pUQmc1eUordnd6RVFyQXpJCk92SFk5QTA2Qk1WbTArSFpQaGNi
N0gwUEI1b3NWZ3JURGVPQ3ZuZnU4NGsKLS0tIE1GUWJ2NUFzck0vNUI5T1VqMUly
NkFQb21LVzloQnd0L0tYUEpRZTF3eE0K4xTWCCiceDKCla7kWfBvftNjTFY5aXZa
azlnCmlg/geKrQvWRYe63i+20q+ZkhQfm6qGugkRuHpMSsXG8woTlg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2MkhmRytsWHJSalBucjlH
NTFCc01UQW9HMjFJSkJnM1EzM2pza1gzaVRNCm5lTEhnU2E0VnlCR1pKT2xSWCtT
Z3FXclRmQkxvOFliMVVIS2ZJY0dsOGMKLS0tIGE0eWVuVXRsYXg4Z0syNS9mWCt3
ajJ5RzBDaTZXMnlkSFJFQXRqZ0FOUTgKGEaHiHOO45JfVheInmxiModzF5fzo2e7
5XF9WUKPz9Jx53ugivb/S9turWA4eZaeA9rmLb3yQ0HcQoaLVsB7ng==
-----END AGE ENCRYPTED FILE-----
- recipient: age1se7am4c5dh35aulf5zt38ymf600hz8gah4eudr9ml4fmr8h2eqxszuel73
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvVVBFL1VYYnlyQVRoN2hx
NnJ6SzFucHp6THJTYktJRC9Tb2J6bUpYVFVjCnhEYjcvZUNGTXhZci9wMWtHaERE
NW9KNkc5ZE9TdFpKdUoyUGRVQ1JGSXMKLS0tIGdGS3lpUWVMRTlwTElHUE9uY0Nm
dExpb1kvR1o0V2RFOE9GckkzWG93NmMK4JM8Vp0zTa9zVRiMzw5AY+3zaNqKnYAt
bD9iTN/TQbjyowvdxRiziLE4hZ6plav7x8/o3MRT8uXMdnaykIT0PQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-10T07:18:45Z"
mac: ENC[AES256_GCM,data:ygSwpOo/ZuqTVLKDgmQvAEY8KYkq1O/3grLL5i/0LGlSOM9n9j4oBjBodmGRrXtZ5ui0BL8PZlExfjK7QUni7m0wRXRhWoiuYadiiPVmfzSLQ4aDet4eCt5mTvjn2Xm68cOB3Vyu+dGzmU9O1H0y7EoUsItVPsrreOAlItGEKM0=,iv:10jClAw0BkJJbLg4zdPxZ3/7I20M0UQUcfL+SRtg/MI=,tag:Bhu5V35Hp6pGKfRCUgKSSQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

24
nixos/modules/nixos/services/arr/radarr/default.nix → nixos/modules/nixos/containers/arr/radarr/default.nix
View file

@ -38,6 +38,7 @@ in
virtualisation.oci-containers.containers.${app} = { virtualisation.oci-containers.containers.${app} = {
image = "${image}"; image = "${image}";
user = "${user}:${group}"; user = "${user}:${group}";
dependsOn = [ "prowlarr" ];
environment = { environment = {
PUSHOVER_DEBUG = "false"; PUSHOVER_DEBUG = "false";
PUSHOVER_APP_URL = "${app}.${config.networking.domain}"; PUSHOVER_APP_URL = "${app}.${config.networking.domain}";
@ -51,16 +52,13 @@ in
"/mnt/nas/natflix/series:/media:rw" "/mnt/nas/natflix/series:/media:rw"
"/etc/localtime:/etc/localtime:ro" "/etc/localtime:/etc/localtime:ro"
]; ];
labels = { labels = config.lib.mySystem.mkTraefikLabels {
"traefik.enable" = "true"; name = app;
"traefik.http.routers.${app}.entrypoints" = "websecure"; inherit port;
"traefik.http.routers.${app}.middlewares" = "local-only@file";
"traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
}; };
}; };
mySystem.services.homepage.media-services = [ mySystem.services.homepage.media-services = mkIf cfg.addToHomepage [
{ {
Radarr = { Radarr = {
icon = "${app}.png"; icon = "${app}.png";
@ -69,11 +67,21 @@ in
container = "${app}"; container = "${app}";
widget = { widget = {
type = "${app}"; type = "${app}";
url = "http://${app}:${toString port}"; url = "https://${app}.${config.networking.domain}";
key = "{{HOMEPAGE_VAR_RADARR__API_KEY}}"; key = "{{HOMEPAGE_VAR_RADARR__API_KEY}}";
}; };
}; };
} }
]; ];
mySystem.services.gatus.monitors = mkIf config.mySystem.services.gatus.enable [{
name = app;
group = "arr";
url = "https://${app}.${config.networking.domain}";
interval = "30s";
conditions = [ "[CONNECTED] == true" ];
}];
}; };
} }

68
nixos/modules/nixos/containers/arr/radarr/secrets.sops.yaml Normal file
View file

@ -0,0 +1,68 @@
services:
radarr:
env: ENC[AES256_GCM,data:eCok5/+DTT4DvI+3Tmgel3h7rRMQzPyGKmGzjWr9Bk+7KhuCutqT8VKRT6cvk6N6GkAaF8fLeZ8ANxy2bK6RyPrB0jOb6J2SsYWrXHNdgtTLPVccIDRfJ+R7Xp01eHp6JGY5xmpF7HEjN9JHFQkwcsy+GpNBK+ALfBH6BFMbnK2AGlM6RwclN+BSvMZirfRnxSZ1XTUNPuLX/+ClWTqlfEHfab0lM1ZcA0VFSKNpk1ivshewRpv7ZgLGGHU4JXZXT1amJrYoSCPKkl2Aaf52,iv:N0L7Vmv7yOSprFAxpdpkrH8uFj0cHgVbpyCSJnqrugI=,tag:3xLCZY0EN505xfWKvDs+hg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnV0tvc1FncHB0Mkt1QjNh
VzlZdXBjb3VTSjRpWWpZclE1RE9xM2FsUlFVCkU2eEtNL1FrRTVLZ3lrSXdTOHp4
RERqbWRyeURJTFVZT2lQVWk2eDhrZ0EKLS0tIDl2OWUxTHUwR0ZtbnY1d3dLRUtR
QTF0WnJZbjVmSHMwdlQ2cjhuTzF3eTgKRWyMgPMCPCQaFyMoemfaVKR4Nz/9zqE1
QYfyVdzo+EGp8aFsJUDW7i8tnNWuqSkU/arEX2HXZ4eURoVOV56M/A==
-----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNT1BxVU8xb3Qxbk9nY2hG
a2dBbGwwZmtRYUdvenlWYklDL3RleWx6RnlJClFkcXhwbFROR3dZNWprUkh0SG9W
eXNLOHhNTHdBcmJmNnMwRGk1M21adXcKLS0tIHBzaHQ3U255MlMxWDBZdzRqSUpN
S2taWVhLWmRCcW81ejY3T2lVM1dSeGMKMEExqNLhSDxcFSUvAx4Uoet1Cr9pMbM5
JFmIuiEOF7idfJ0/fceM9IxMS22LBTRC9Vlkkr9lYj/trO9KmF0l/Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYZG1VMGtyMnhwTzZkMlp6
Z3Z4K1JIYjcyaTBVSjJjRnNXQWc4ZFNxRUJzCkVIdVFvaldOR1FtTkFZbjFuVG5B
VUY2Zm9mTDRFeWxudGtOWlp5c1hvdGMKLS0tIEFYLzlJcDN5a1ZJMm9mUW9YR1BR
dm4rV0t6SkVwVk5udVI5c3ZYNHRoUkUKIR9FbffWcyslWbURZ+PkWSqW1QDaS3m0
HW4aSEPPbA+SIDIlZY/6CdY3MS5p/STkqfLPIpAuswEaMGdAcHI9Cw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpbzNjdFgydlhFcjRQZGh4
eExFSG1uZkl2aDl1SWk5SExlWjlid2V3V3dRCkErY2tYanprRXoreHB3OFpRNFRO
MzB1NEtnVTZMd2V0WVpPMnJ2V1ZlbkEKLS0tIDAxQ0FkeFdXb1FPUm9uWjVscFZ3
WTlObk85TGJkMlNZQ0RKc0FkTyszSGMKk29wTRW8QtioBdX6vaiM5NycbVJCmf1V
3w9D4uJyIocBvXbhHOoL7JJp7rRKCx+rcs6nxYrtgI/f5pWR4mG5Ng==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGTmpjK3VzOHlKbnAveHNR
TWdIR1FjZW44NHdiMk1qRkwrWHZsMDR0ZkhFCmdyNUNOZ2I4elJSVzF2S0poaTJm
M2gzTHNMejZTNzVoUHJOdEJkNkkrTEkKLS0tIDdUWlhMcmVOUnAyaXZKN25sMGpX
RExtMlBhNEpnYnZSY0NUS2ZLZWpLSUUKXDbDA8JdpfHMJuB1dr68mzETGJn6SfrZ
V0c127YS2LvNl1jwDl4nMPpUy2MH0gYYi3JTJSOWFbqzWVDx2lsrHw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1se7am4c5dh35aulf5zt38ymf600hz8gah4eudr9ml4fmr8h2eqxszuel73
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwNGFzc2pJS09ldkFRTjQ0
WHB4TUdUTElMZ09BanRRS3gvdldIRUozWDFzCktyUUVsTndPTFduNGlubVBaZjk0
REhBckdmNTIwcGh4UURLdnJVL0tnOFkKLS0tIHNtdW1UcTVadGtwbUt6Z0lMZHZs
NThTZi91NWRubGl6YWNMOHFiYktia2cKE8eNGhd9c5/nnCMoRD5fkYstVzvSg4Un
AgyBwvsh8H75HOQaxB2fLqOnzFmmEapRCflaymq9R5qBk8kpQ5iChA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-10T07:18:45Z"
mac: ENC[AES256_GCM,data:4g+4hRWHD5L/SjxKu8VhCU2oznUP/GZ5iNsKrC7GWHg4iLXY2MRSwbkcR1SoQrCWqFACNQCFQzdAqUFbhHMx85AL9V+YEVYMxBmDt2arOF1yNVbxYnDfbBbWRjYva2Yt9er2P1Topfku5XhIfPXyPi7nuZuGamRWiGNt98bpsTY=,iv:LbWJzgT8QRE7AaxSNdPCT0jvjZiBUh7xlKsBQQfnVwA=,tag:w/nNS+6eYYt1tMixoX97IA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

25
nixos/modules/nixos/services/arr/readarr/default.nix → nixos/modules/nixos/containers/arr/readarr/default.nix
View file

@ -38,7 +38,9 @@ in
virtualisation.oci-containers.containers.${app} = { virtualisation.oci-containers.containers.${app} = {
image = "${image}"; image = "${image}";
user = "${user}:${group}"; user = "${user}:${group}";
dependsOn = [ "prowlarr" ];
environment = { environment = {
TZ = "${config.time.timeZone}";
READARR__INSTANCE_NAME = "Lidarr"; READARR__INSTANCE_NAME = "Lidarr";
READARR__APPLICATION_URL = "https://${app}.${config.networking.domain}"; READARR__APPLICATION_URL = "https://${app}.${config.networking.domain}";
READARR__LOG_LEVEL = "info"; READARR__LOG_LEVEL = "info";
@ -49,16 +51,13 @@ in
"/mnt/nas/natflix:/media:rw" "/mnt/nas/natflix:/media:rw"
"/etc/localtime:/etc/localtime:ro" "/etc/localtime:/etc/localtime:ro"
]; ];
labels = { labels = config.lib.mySystem.mkTraefikLabels {
"traefik.enable" = "true"; name = app;
"traefik.http.routers.${app}.entrypoints" = "websecure"; inherit port;
"traefik.http.routers.${app}.middlewares" = "local-only@file";
"traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
}; };
}; };
mySystem.services.homepage.media-services = [ mySystem.services.homepage.media-services = mkIf cfg.addToHomepage [
{ {
Readar = { Readar = {
icon = "${app}.png"; icon = "${app}.png";
@ -67,11 +66,21 @@ in
container = "${app}"; container = "${app}";
widget = { widget = {
type = "${app}"; type = "${app}";
url = "http://${app}:${toString port}"; url = "https://${app}.${config.networking.domain}";
key = "{{HOMEPAGE_VAR_READARR__API_KEY}}"; key = "{{HOMEPAGE_VAR_READARR__API_KEY}}";
}; };
}; };
} }
]; ];
mySystem.services.gatus.monitors = mkIf config.mySystem.services.gatus.enable [{
name = app;
group = "arr";
url = "https://${app}.${config.networking.domain}";
interval = "30s";
conditions = [ "[CONNECTED] == true" ];
}];
}; };
} }

68
nixos/modules/nixos/containers/arr/readarr/secrets.sops.yaml Normal file
View file

@ -0,0 +1,68 @@
services:
readarr:
env: ENC[AES256_GCM,data:vPKL/0rOBlly7EW1Pbt8dJ7fQHBP+AHXElIZbfZBB3Wl1GibhJs69rAnRH7xGwPLZgjFtT742sUnIOw+ZdGDU7Aws/LyU9AeNcmGVjFHNz3tPi3ikoHV1Glofku/Q7pje69dqoKuDvN/y2U8D8vYIg==,iv:A+/Q9/8ZCaYEUY0V624eOe6nM/9LGVidaK+56KGG+3s=,tag:y0fcBeEoHMgFz85PQkqt+Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTbmJOZ3RHVGZyMVdQcXJ5
aDdEeUFNTGVlTmxzQTdKNUFzVCt5c1FndEU4Ck9ja28vOXJoWWhlYXI0RXlpS0o1
ZUszUi9vc1NiVHFDNXJ3TGdzNUhwOG8KLS0tIEJQRURjZHBqNkVKYkp3YUxuOFdB
YnIycXFuV2JiQ1lSZDRIekhFTUpWdDgKYJuej3+o8YOysAm8zaOsxbok9x53vAMi
9tAPF1FPC/JJvYJnncpynxEWVLQ9VEQ+T72HDWy6Xf1PD18mhA7ZSw==
-----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0cllLVVYraHRueklwR1h3
bDE5TnI4eFBCMjNIcU01MGZlWlJ0K0JGMjNNCnluOGpjaTFhdFk4TUoveS94UlVH
K0daVThXcDV6SDRma2pyRHdtUWRhV1kKLS0tIE44T3owMU9pOEkrdlFhM1hwM3Zn
VUlELytqTnVNcER1K1BkbStpa0d5UjQK7nF3pq7ajVA2y/2VE+k96INyrWU44uQM
SxIEsqjYkuyjaQdYBtxZSqiwpQBKdLj47X8U42m9M9NOjG3Uc0J1og==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAreDF3bms5aXN5blpkZEs4
eTNET0ZaRFp5K0FuVWowWTMvWjMvNldBV0E4ClcyOWpKa0RpZXB5dXpsa3o1UkR6
V1gxaHhiSERkT0lIQ3l5c1lNMVVpUDgKLS0tIHRCd3pFdnp3WTBJdzBlQ04zWDBN
bGhvc213TmV6aDZYbzZhQUNtT3dYVlkKlkUuDfB/81dShrlL1KzfOsE6fNb/7vFE
3grwJMKQKZhvN+nK/BVAAUCamdMa07Q+DX0+VXdSc+QspHNpLrRCdg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBheVV6Wkc3NHZiTFAycnU2
TDkrTVhGd0gxTmN6aENFdEhnb2JQZ3c0SHljCmZnQTBqVXhGT0FyRUN4VERQZW9T
d1QydTMzVG5MdFhYMmV4L1dJRTBtYzQKLS0tIEVMZ1VRbjFjSThoTXB3TW9KcGRM
V2JQdGxIUHRkbHdVSXhZMktTWTczazAKtU+XFzoNTfhRC+He+UqM5w/o9VoqJF2r
4LIpVuITrD8cCFjRQYBvg/04zdSXoN9plpHcW7EpzoQE1enKNFN02A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmN254K3k3SksxOENzYURJ
SnFVeXdtd2RscGkwMmV6Yk5LSTN6YUhhOUVjCndYajFrZGpwQldiek9XVURMZ3hR
Uk9DM1NJQVpqMmxkSnZ5QTJhOUZFWkEKLS0tIHc0V280TDZDby9NbDRRS3pkWDVP
QWhJQW5WaTZ2TGtvaGt0OW9nM2tBREkK1GHdyV5JKNWWOXJR0HszGRnGYes+xIlG
JMKIZswINap3RUNThr+xOfjajdsj5gBt6N0yozArLNGupxo6qp3zPw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1se7am4c5dh35aulf5zt38ymf600hz8gah4eudr9ml4fmr8h2eqxszuel73
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5OWVWL3Y1SDYwTTNwcnha
SEM3RmlCa01RTkpOczIramIwSE9NdGEyZkJRCjM2dTBIUGNENlhDVHNCN0VxbEZk
WUxtOFdjSk1jb2ttanFST05LVER0UVEKLS0tIG9oTk1aRXBHK2RmNXlHZkt1ZUNm
bW53aTdhL21hbEZPSkx0d0dZR3BBK3cKkPeXkGtmEqi7MKplyKoIY3yOEFiLAWe0
qZHN/IO0dgWmmSKpWQTtrAve9GJx/Apz/9VTouWaVpq3a/pDU1de/A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-10T07:18:45Z"
mac: ENC[AES256_GCM,data:eexZeVU3wnYJryPVkIyokKqkvHASFCMBKT9MyTMqf7JAW/gDB+7irGs4WEv8UgJUCHKDNUh5KRngMk/W8ugFccuGhsiDnNUm4/KAMPjL+GtR0EdIjSDNUhwFJYqvN0KiZ47P2zzb3Lfpe3cix7A/HhzF3Vk+NAljnyE9uCk0sEA=,iv:G4dXYsVjpCqr/AxlQmcxArFdx7gPQTRNt8iK5IAYGi8=,tag:aQ1dNARwJd/PBc1aWoK9eA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

25
nixos/modules/nixos/services/arr/sonarr/default.nix → nixos/modules/nixos/containers/arr/sonarr/default.nix
View file

@ -39,7 +39,9 @@ in
virtualisation.oci-containers.containers.${app} = { virtualisation.oci-containers.containers.${app} = {
image = "${image}"; image = "${image}";
user = "${user}:${group}"; user = "${user}:${group}";
dependsOn = [ "prowlarr" ];
environment = { environment = {
TZ = "${config.time.timeZone}";
PUSHOVER_DEBUG = "false"; PUSHOVER_DEBUG = "false";
PUSHOVER_APP_URL = "${app}.${config.networking.domain}"; PUSHOVER_APP_URL = "${app}.${config.networking.domain}";
SONARR__INSTANCE_NAME = "Radarr"; SONARR__INSTANCE_NAME = "Radarr";
@ -52,16 +54,13 @@ in
"/mnt/nas/natflix:/media:rw" "/mnt/nas/natflix:/media:rw"
"/etc/localtime:/etc/localtime:ro" "/etc/localtime:/etc/localtime:ro"
]; ];
labels = { labels = config.lib.mySystem.mkTraefikLabels {
"traefik.enable" = "true"; name = app;
"traefik.http.routers.${app}.entrypoints" = "websecure"; inherit port;
"traefik.http.routers.${app}.middlewares" = "local-only@file";
"traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
}; };
}; };
mySystem.services.homepage.media-services = [ mySystem.services.homepage.media-services = mkIf cfg.addToHomepage [
{ {
Sonarr = { Sonarr = {
icon = "${app}.png"; icon = "${app}.png";
@ -70,11 +69,21 @@ in
container = "${app}"; container = "${app}";
widget = { widget = {
type = "${app}"; type = "${app}";
url = "http://${app}:${toString port}"; url = "https://${app}.${config.networking.domain}";
key = "{{HOMEPAGE_VAR_SONARR__API_KEY}}"; key = "{{HOMEPAGE_VAR_SONARR__API_KEY}}";
}; };
}; };
} }
]; ];
mySystem.services.gatus.monitors = mkIf config.mySystem.services.gatus.enable [{
name = app;
group = "arr";
url = "https://${app}.${config.networking.domain}";
interval = "30s";
conditions = [ "[CONNECTED] == true" ];
}];
}; };
} }

68
nixos/modules/nixos/containers/arr/sonarr/secrets.sops.yaml Normal file
View file

@ -0,0 +1,68 @@
services:
sonarr:
env: ENC[AES256_GCM,data:y0OW/T+/6DpkFlwXszG6IyeWs2xIKEwX3KQhw4U6TLQuAlBMwIAD7HeRdT6GE1f1N5MIt46lho+d6vyAXTMs78Oi+R8/HVRQ+Ch4soUM1nNyRtK0FhCzxIlczR+owumJSFst3WfrjHYWolk7z5men8/mQpocJMo7t/n0QozHlNiPkEM2KlKU6viXs4u1UbQwqhmA9I6x2b3vHBrSml7CM0ch4/2IMc5VPagBeaGd1nRHvr+TiHRFv1tbkhbY8O43DcbmVqUHLNBhpyJ7A6Pz,iv:TUAgMJu8HDP+fuRKIQXv3Yi4ImZBv+WaA081e8w7cQw=,tag:rCCR0xBMcHKMiDkGEhsvkw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoMXVtN2FvVHhia1l1TzRF
ZmJucjk1dU9GNGE3UEZLUVZVRnNyWVp1azNVCjRyRGRvSTZpbnB0aDhxaTNLcmll
NE9tbVp1b0FxQ0VoSmgrWkRFN3hTS2sKLS0tIEc5VVE5L3d5VTEzQ2hZbFU5MElx
NkNJSEdJYjYycDhudUFLWHNVcGZTcUUKm4WNGOnXRIFfYKrsBZAd05p1Y/PgaA+O
OMmcQtKKkgv++IW5IN9W637kfIAXRn9+8uREGVfhx08ScZPT0ciyfg==
-----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRWUcyUU1ZbGVQMTNZWVNo
SGZ0WVVYamYwQzR0UXl1QWpvZ1d4OEh5aEZjCmplQ1laSkdkbzlkc3IzRStQLy8z
U2Nmc3dyN3pQaGEzNnBHSDc5Q2FOZ2sKLS0tIFdPc05oTExQeDhMd3RUdzZmTlll
OXVFdmFicnlsQjFhM3NyOXVMc2NGelEK5dc1ofhg/asnKpwGlwqxkXf/V0jUPqnA
PRZejTMGsct73NtKXvejGJ2vD1lctd3T3vfe3NM+ebKPgDUSOSk6Iw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiWjZrdWhOVkRGdERNTTBo
QlA3bWFtalk2eDlsTTJyWHVrbUlCT2Yvd2xFCmJUUDJUQmxnQi80cHcxMEhtOGJX
VDNUZFZoNTI1WHZyNWFWYjdDYTRidmMKLS0tIDNuSm9hTzVDTmsxVmZ0NlhJNmty
N0R3OHU2OVdaa2FiWEl0b2E4R0pvQzgKuCmGQA0fJXGzcaASpKDptxhZhjD3Px2X
TUkYkzQXUoaDCIkh1le1ntPGwRM36lQQqWtCi7ObvOmNamj8cgGdoA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaTXZpTGJWODJKcytuTmNh
cDEvOUlvaXBUUUxiWHVTSS9pOXZNcUdEOGl3ClFhMnljcmdPQkh6dWg1eTZUOUM4
OFBwOEI5aXhnWFhGT3VPYmRZa3EwV1EKLS0tIG5NN0FZa0VVOTRyNkxQdC9lajdM
WmJJc05yM0ZJNGtwRFJySFQ4YXdHTXMKqAJM38MRRxEipfVv9k6B6Bzb8i16if05
AYdkjb6K6kUnZqzSrqvafmsvP+9Ke2uhr7yCLll1tHhjtMP7TYMW4A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtSmJvM1FlbXBTOHNsemZF
NU9YVnNWT1RrZlc5Y2FIWVBhdXVnRjFyKzNnCjFnSWp6MUdtQjcwYmx2bjJML1ls
aWRnN0piMmZKTE91QnZuK1dFSTZHeVkKLS0tIFAzckd3aDVHQTk3eDUxVFdTRURH
K0ltdWd6ZDZUOURyNlZsTW9RdVFMY1UKi4OzpjsDeckTIVLwHr1MlYKSqTO7ExXg
FIupYmfFvwnQVex5Y/rgtTCiM6qFaV7gzVhG9paGMD5h1g5moG9eBA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1se7am4c5dh35aulf5zt38ymf600hz8gah4eudr9ml4fmr8h2eqxszuel73
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrNGRjc2xqT243TFFzT3Bk
elJmNnlmdUdFS0JjMUdXVW5XUC91YWlSOEEwCm51blRhb2dyM0FzdGZZdUpVcWgv
MXN0bFYvOXkvNnVMaW5zNmVaS2R2V2sKLS0tIDQwVys3ZUpHNWdydG1NRUt3Y0Yv
Qk94L3lpMjFMWUJUTjVXbnNuSWVMaHMKiewu7zoAMlL55BoU9lZYryVG32e6bg0K
toNX6iv4tGZ7EIjgB2L6TKlLisQW+Ta4P7VA+TAd2Z/nfYmDS77jNA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-10T07:18:45Z"
mac: ENC[AES256_GCM,data:zGC93zgG64/scDXYlUWY6arUW9f+jIZiA/wC3RBbFokT5430ubXhRVcBErwvqnghuC60sC0ZeNqoJNi4jQwE7BAbnnU8DTUsAoH4qhmNLfUeJtL8oF0NRl3i+hpauabg6E/qNbtuNG0/lUsnWXswz+7VbJP2ggTVpj+h+0vRN20=,iv:2JCto2Sy1i5gmHpAR3VgRbf0I4WSJVQLYxN4Vf/8Uz4=,tag:ZzYRKWy2HnMLyVn8CRJBqg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

42
nixos/modules/nixos/containers/cross-seed/default.nix Normal file
View file

@ -0,0 +1,42 @@
{ lib
, config
, pkgs
, ...
}:
with lib;
let
app = "cross-seed";
image = "ghcr.io/onedr0p/sabnzbd:4.2.3@sha256:bb20d3940ff32c672111ad7169ce4156f1c4c08bb653241f1b14f6d00f93b3cc";
user = "568"; #string
group = "568"; #string
port = 8080; #int
cfg = config.mySystem.services.${app};
persistentFolder = "${config.mySystem.persistentFolder}/${app}";
configFile = builtins.toFile "config.js" (builtins.toJSON configVar);
in
{
options.mySystem.services.${app} =
{
enable = mkEnableOption "${app}";
};
config = mkIf cfg.enable {
# ensure folder exist and has correct owner/group
systemd.tmpfiles.rules = [
"d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
];
virtualisation.oci-containers.containers.${app} = {
image = "${image}";
user = "${user}:${group}";
cmd = [ "daemon" ];
volumes = [
"${persistentFolder}:/config:rw"
"${configFile}:/config/config.yaml:ro"
"/etc/localtime:/etc/localtime:ro"
];
};
};
}

9
nixos/modules/nixos/containers/default.nix Normal file
View file

@ -0,0 +1,9 @@
{
imports = [
./arr
./homepage
./gatus
./sabnzbd
./qbittorrent
];
}

230
nixos/modules/nixos/containers/gatus/default.nix Normal file
View file

@ -0,0 +1,230 @@
{ lib
, config
, pkgs
, ...
}:
with lib;
let
app = "gatus";
image = "ghcr.io/twin/gatus:v5.8.0@sha256:fecb4c38722df59f5e00ab4fcf2393d9b8dad9161db208d8d79386dc86da8a55";
user = "568"; #string
group = "568"; #string
port = 8080; #int
cfg = config.mySystem.services.${app};
persistentFolder = "${config.mySystem.persistentFolder}/${app}";
containerPersistentFolder = "/config";
extraEndpoints = [
{
name = "firewall";
group = "servers";
url = "icmp://unifi.l.trux.dev";
interval = "30s";
alerts = [{ type = "pushover"; }];
conditions = [ "[CONNECTED] == true" ];
}
{
name = "pikvm";
group = "servers";
url = "icmp://pikvm.l.trux.dev";
interval = "30s";
alerts = [{ type = "pushover"; }];
conditions = [ "[CONNECTED] == true" ];
}
{
name = "octoprint";
group = "servers";
url = "icmp://prusa.l.trux.dev";
interval = "30s";
alerts = [{ type = "pushover"; }];
conditions = [ "[CONNECTED] == true" ];
}
{
name = "icarus";
group = "k8s";
url = "icmp://icarus.l.trux.dev";
interval = "30s";
alerts = [{ type = "pushover"; }];
conditions = [ "[CONNECTED] == true" ];
}
{
name = "xerxes";
group = "k8s";
url = "icmp://xerxes.l.trux.dev";
interval = "30s";
alerts = [{ type = "pushover"; }];
conditions = [ "[CONNECTED] == true" ];
}
{
name = "shodan";
group = "k8s";
url = "icmp://shodan.l.trux.dev";
interval = "30s";
alerts = [{ type = "pushover"; }];
conditions = [ "[CONNECTED] == true" ];
}
{
name = "helios";
group = "servers";
url = "icmp://helios.l.trux.dev";
interval = "30s";
alerts = [{ type = "pushover"; }];
conditions = [ "[CONNECTED] == true" ];
}
{
name = "dns01 external dns";
group = "dns";
url = "dns01.l.trux.dev";
dns = {
query-name = "cloudflare.com";
query-type = "A";
};
interval = "30s";
alerts = [{ type = "pushover"; }];
conditions = [ "[DNS_RCODE] == NOERROR" ];
}
{
name = "dns02 external dns";
group = "dns";
url = "dns02.l.trux.dev";
dns = {
query-name = "cloudflare.com";
query-type = "A";
};
interval = "30s";
alerts = [{ type = "pushover"; }];
conditions = [ "[DNS_RCODE] == NOERROR" ];
}
{
name = "dns01 internal dns";
group = "dns";
url = "dns01.l.trux.dev";
dns = {
query-name = "unifi.l.trux.dev";
query-type = "A";
};
interval = "30s";
alerts = [{ type = "pushover"; }];
conditions = [ "[DNS_RCODE] == NOERROR" ];
}
{
name = "dns02 internal dns";
group = "dns";
url = "dns02.l.trux.dev";
dns = {
query-name = "unifi.l.trux.dev";
query-type = "A";
};
interval = "30s";
alerts = [{ type = "pushover"; }];
conditions = [ "[DNS_RCODE] == NOERROR" ];
}
{
name = "dns01 split DNS";
group = "dns";
url = "dns01.l.trux.dev";
dns = {
query-name = "${app}.trux.dev";
query-type = "A";
};
interval = "30s";
alerts = [{ type = "pushover"; }];
conditions = [ "[DNS_RCODE] == NOERROR" ];
}
{
name = "dns02 split DNS";
group = "dns";
url = "dns02.l.trux.dev";
dns = {
query-name = "${app}.trux.dev";
query-type = "A";
};
interval = "30s";
alerts = [{ type = "pushover"; }];
conditions = [ "[DNS_RCODE] == NOERROR" ];
}
] ++ config.mySystem.services.gatus.monitors;
configAlerting = {
pushover = {
title = "${app} Internal";
application-token = "$PUSHOVER_APP_TOKEN";
user-key = "$PUSHOVER_USER_KEY";
default-alert = {
failure-threshold = 5;
success-threshold = 2;
send-on-resolved = true;
};
};
};
configVar =
{
metrics = true;
endpoints = extraEndpoints;
alerting = configAlerting;
ui = {
title = "Home Status | Gatus";
header = "Home Status";
};
};
configFile = builtins.toFile "config.yaml" (builtins.toJSON configVar);
in
{
options.mySystem.services.${app} =
{
enable = mkEnableOption "${app}";
addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };
monitors = lib.mkOption {
type = lib.types.listOf lib.types.attrs;
description = "Services to add for montoring";
default = [ ];
};
};
config = mkIf cfg.enable {
sops.secrets."services/${app}/env" = {
sopsFile = ./secrets.sops.yaml;
owner = config.users.users.kah.name;
inherit (config.users.users.kah) group;
restartUnits = [ "podman-${app}.service" ];
};
virtualisation.oci-containers.containers.${app} = {
image = "${image}";
user = "${user}:${group}";
environmentFiles = [ config.sops.secrets."services/${app}/env".path ];
volumes = [
"/etc/localtime:/etc/localtime:ro"
"${configFile}:/config/config.yaml:ro"
];
labels = config.lib.mySystem.mkTraefikLabels {
name = app;
inherit port;
};
extraOptions = [ "--cap-add=NET_RAW" ]; # Required for ping/etc to do monitoring
};
mySystem.services.homepage.infrastructure-services = mkIf cfg.addToHomepage [
{
"Gatus Internal" = {
icon = "${app}.png";
href = "https://${app}.${config.networking.domain}";
description = "Internal Infrastructure Monitoring";
container = "${app}";
widget = {
type = "${app}";
url = "https://${app}.${config.networking.domain}";
};
};
}
];
};
}

68
nixos/modules/nixos/containers/gatus/secrets.sops.yaml Normal file
View file

@ -0,0 +1,68 @@
services:
gatus:
env: ENC[AES256_GCM,data:Wx6rATQ7Q7XUh47ZyV19wXH6Rv1YY43Rd5ijFmFCK2cjQ0p6uVPJ/JQqtSd99daAmT0844ug6PTUGMiVajm+fFZSV9gi294/5s25OOVRZiL+QND0rHF0xPWEUnIsBNmvk1LV,iv:PLds5favGpAwJVmlQEYJaunkTGPQH+OtehP+fK2Gagg=,tag:VIf02wjvPG9MYPN+y9vyRA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDTWxxVitWUTMyTTB5LzBH
MktCV044YUMyZzRUc0dIQk9YVEJoUFhQZjBnCndXUG5vQW5aNlkyWWl4WHZ6RDcr
OU5RTFN6RHFkdlU4aUlDL3NSRVBxKzgKLS0tIFdtY2JZNlVKWHlGV1RESFhGK0V1
VGFCU0hmRFBPR3pGSGxyOU9mcFZyMzgKCc2Ti52M0ZMibetv1pg6hiMSXfb6JdAg
ZYEmOfoa0yvrt8Hn1gmYDpBH4UPQRh8x9uIW1uR7kfOoWsjQPzwkrA==
-----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJd29DMEMxbXNJcGczTEd3
RGMvSEVuUEFzWklQTTBWck40RkV3OTF6d3lzCkNyNEFsV3Vua1JJeU56Mmhma2JI
K1pCcGZuS3BQWERtK28rYStHU29pNzgKLS0tIFFsMnlFblRhc2k4dlhFTnBIZjhY
WlRNbERzU1pxelZxVFlDbFdtNm53ekUKrK7AClzYOwTaBowqf0J6wg987MWSNydh
yOF4SbGj0LScSVz0ZM3wwaP1QFtI+ziojVuMd0sIuRZixUHkD3n25g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPbkdNMUlpY2IzZ1BrTVdi
cEFRTkFCMkpJeGhqRXEzY3ZaRHcxZVVDYWlrCnFBR2xrZDkyL2padmI3TkdYQ05R
SE1GQVR3OHdoRDUvams4Nk1vbEVVVEEKLS0tIFdCM0RDanBBbUdEN1lrSVN6TFVJ
ZGkydk1VVkZxZmlmVHg2KzdvNUtuYnMKRI7q8nyzq+Kqjx+9qJxXJ1YBSsOSFJXJ
ZzKYDf/OvQuqdOmsKOzjEOPANCgjbZ3w2no2A/lVyhiaYg1yQM6Vdw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiUUduTFhmNkhtZnU4R2ZK
YlJwUDg0c1REL2NoYTZPS0Vyc0lMNkNkc3pzClZNektlYkp2TkdtTUFGZUlwbkly
bmZ2Y1Z4MjBmZzZEVFAweUJHUU9KSWsKLS0tIE5NMkRIY3h4TGNpNnpkNHBDRTgx
TFJSU1VXVzBxWDh0RUYxc0NFamZEV3MK7sIQcpSrYSDjuliI/taIKzi9qryHt1dR
E7W433ZZykhKyRn5IYAOrOCabc5E5Ny7wyd7TjlJs/IqSB+16TII9Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVQlZXSnZoNFlkcDE0Q1Qr
TUFoYU1KRmp6aXY1c3FGeWx4RUQ0azJlYXdjCjFzQTF4S1VHUUNTaWloT1dHcnk3
Qzg1dGVxa0V1L2tsUllDZzhnbjhBVzgKLS0tIEZYWkJpV1V3ZWUyLzAyZnhKVHU1
M0xraFdna05SeHVuQXlsT2VmSW56QVkKAZsbdSvrzJDnxAY2PlM7re05GJvrElD/
74dbBdReIuLQZnanU5KRh5sp41HoxtK8vRBteZE+zy3vva5CIylKEg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1se7am4c5dh35aulf5zt38ymf600hz8gah4eudr9ml4fmr8h2eqxszuel73
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHSGY0UFA4SDlDYWMyN2xa
ZFFyemFMRjh3ZVBlUGpyYjNmWW03SlRrU1gwCll5elRzMjZKRjBmUkRNVDVVSGNx
K2lWUnlTL1E3RlJyMEdJQUZPaFJzTkUKLS0tIGhLWEF4Z1ZTNkZjeHl1WWloa3Rp
dE42TnhlK2szanphamFsZHl2V1o2OGMKpIS2v2mnofHOSpALJh+g9/2C3GIMH3oY
GuPsMaRCxUW1NAL/i5EjNKm8t3QKR9r+JnIwCTDNkQdG1N00gpUgRg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-10T07:18:45Z"
mac: ENC[AES256_GCM,data:0ECI2z14unAGgc2xcRdjjkaaAzi0c/x7V9HcTtB9tdMKZwIINHu+m1UC4SG+prRBuTX+7j4tpN343PzdgYzeXSx/aZlUDgc5cwPpgJyLhmIkDG8vPaKxcxtKOD5tHrnHe8tpdrZ3+/5NqneLPshlJZMX12PSpln50O8g9YPVKiI=,iv:5wGiTGpJ7+7U4XmRd6dH8455po/65XqT9+cdNxGuQwg=,tag:cXJ8sAEYkYDnZ6I/32y+0w==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

170
nixos/modules/nixos/services/homepage/default.nix → nixos/modules/nixos/containers/homepage/default.nix
View file

@ -14,12 +14,31 @@ let
cfg = config.mySystem.services.homepage; cfg = config.mySystem.services.homepage;
settings = { # TODO refactor out this sht
# title = "Hades"; settings =
# theme = "dark"; {
# color = "slate"; title = "NatFlix";
theme = "dark";
color = "slate";
showStats = true; showStats = true;
disableCollape = true;
cardBlur = "md";
statusStyle = "none";
datetime = {
text_size = "l";
format = {
timeStyle = "short";
dateStyle = "short";
hourCycle = "h23";
}; };
};
providers = {
openweathermap = "{{HOMEPAGE_VAR_OPENWEATHERMAP_API_KEY}}";
};
};
settingsFile = builtins.toFile "homepage-settings.yaml" (builtins.toJSON settings); settingsFile = builtins.toFile "homepage-settings.yaml" (builtins.toJSON settings);
bookmarks = [ bookmarks = [
@ -55,20 +74,93 @@ let
}; };
} }
{ {
search = { datetime = {
provider = "duckduckgo"; text_size = "l";
target = "_blank"; locale = "au";
format = {
timeStyle = "short";
dateStyle = "short";
hourCycle = "h23";
};
};
}
{
openmeteo = {
label = "Melbourne";
latitude = "-37.8136";
longitude = "144.9631";
timezone = config.time.timeZone;
units = "metric";
cache = 5;
}; };
} }
]; ];
widgetsFile = builtins.toFile "homepage-widgets.yaml" (builtins.toJSON widgets); widgetsFile = builtins.toFile "homepage-widgets.yaml" (builtins.toJSON widgets);
extraInfrastructure = [
{
"UDMP" = {
href = "https://10.8.10.1";
description = "Unifi Dream Machine Pro";
icon = "ubiquiti";
widget = {
url = "https://10.8.10.1:443";
username = "unifi_read_only";
password = "{{HOMEPAGE_VAR_UNIFI_PASSWORD}}";
type = "unifi";
};
};
}
{
"Nextdns" = {
href = "https://my.nextdns.io/";
description = "Adblocking DNS";
icon = "nextdns";
widget = {
profile = "{{HOMEPAGE_VAR_NEXTDNS_TRUSTED_PROFILE}}";
key = "{{HOMEPAGE_VAR_NEXTDNS_API_KEY}}";
type = "nextdns";
};
};
}
{
"Cloudflare" = {
href = "https://dash.cloudflare.com";
description = "DNS and security provider";
icon = "cloudflare";
widget = {
key = "{{HOMEPAGE_VAR_CLOUDFLARE_TUNNEL_API}}";
accountid = "{{HOMEPAGE_VAR_CLOUDFLARE_ACCOUNT_ID}}";
tunnelid = "{{HOMEPAGE_VAR_CLOUDFLARE_TUNNEL_ID}}";
type = "cloudflared";
};
};
}
];
extraHome = [
{
"Prusa Octoprint" = {
href = "http://prusa:5000"; # TODO fix with better hostname
description = "Prusa MK3s 3D printer";
icon = "octoprint";
widget = {
type = "octoprint";
url = "http://prusa:5000";
key = "{{HOMEPAGE_VAR_PRUSA_OCTOPRINT_API}}";
};
};
}
];
services = [ services = [
{ Infrastructure = cfg.infrastructure-services; } { Infrastructure = cfg.infrastructure-services ++ extraInfrastructure; }
{ Home = cfg.home-services; } { Home = cfg.home-services ++ extraHome; }
{ Media = cfg.media-services; } { Media = cfg.media-services; }
]; ];
servicesFile = builtins.toFile "homepage-config.yaml" (builtins.toJSON services); servicesFile = builtins.toFile "homepage-config.yaml" (builtins.toJSON services);
emptyFile = builtins.toFile "docker.yaml" (builtins.toJSON [{ }]);
in in
{ {
options.mySystem.services.homepage = { options.mySystem.services.homepage = {
@ -92,6 +184,18 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
# homepage secrets
# ensure you dont have whitespace around your ='s!
# ex: HOMEPAGE_VAR_CLOUDFLARE_TUNNEL_API="supersecretlol"
sops.secrets."services/homepage/env" = {
# configure secret for forwarding rules
sopsFile = ./secrets.sops.yaml;
owner = "kah";
group = "kah";
restartUnits = [ "podman-${app}.service" ];
};
# api secrets from other apps
sops.secrets."services/sonarr/env" = { sops.secrets."services/sonarr/env" = {
# configure secret for forwarding rules # configure secret for forwarding rules
sopsFile = ../arr/sonarr/secrets.sops.yaml; sopsFile = ../arr/sonarr/secrets.sops.yaml;
@ -128,11 +232,6 @@ in
restartUnits = [ "podman-${app}.service" ]; restartUnits = [ "podman-${app}.service" ];
}; };
# ensure folder exist and has correct owner/group
systemd.tmpfiles.rules = [
"d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
];
virtualisation.oci-containers.containers.${app} = { virtualisation.oci-containers.containers.${app} = {
image = "${image}"; image = "${image}";
user = "${user}:${group}"; user = "${user}:${group}";
@ -141,9 +240,13 @@ in
UMASK = "002"; UMASK = "002";
PUID = "${user}"; PUID = "${user}";
PGID = "${group}"; PGID = "${group}";
LOG_TARGETS = "stdout";
}; };
# secrets
environmentFiles = [ environmentFiles = [
config.sops.secrets."services/homepage/env".path
config.sops.secrets."services/sonarr/env".path config.sops.secrets."services/sonarr/env".path
config.sops.secrets."services/radarr/env".path config.sops.secrets."services/radarr/env".path
config.sops.secrets."services/readarr/env".path config.sops.secrets."services/readarr/env".path
@ -151,11 +254,15 @@ in
config.sops.secrets."services/prowlarr/env".path config.sops.secrets."services/prowlarr/env".path
]; ];
labels = { # labels = {
"traefik.enable" = "true"; # "traefik.enable" = "true";
"traefik.http.routers.${app}.entrypoints" = "websecure"; # "traefik.http.routers.${app}.entrypoints" = "websecure";
"traefik.http.routers.${app}.middlewares" = "local-only@file"; # "traefik.http.routers.${app}.middlewares" = "local-ip-only@file";
"traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}"; # "traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
# };
labels = config.lib.mySystem.mkTraefikLabels {
name = app;
inherit port;
}; };
# not using docker socket for discovery, just # not using docker socket for discovery, just
# building up the apps from a shared key # building up the apps from a shared key
@ -164,15 +271,28 @@ in
# easier to have/move services between hosts # easier to have/move services between hosts
volumes = [ volumes = [
"/etc/localtime:/etc/localtime:ro" "/etc/localtime:/etc/localtime:ro"
"${persistentFolder}:/app/config/logs:rw" "${settingsFile}:/app/config/settings.yaml:ro"
"${settingsFile}:/app/config/settings.yaml" "${servicesFile}:/app/config/services.yaml:ro"
"${servicesFile}:/app/config/services.yaml" "${bookmarksFile}:/app/config/bookmarks.yaml:ro"
"${bookmarksFile}:/app/config/bookmarks.yaml" "${widgetsFile}:/app/config/widgets.yaml:ro"
"${widgetsFile}:/app/config/widgets.yaml" "${emptyFile}:/app/config/docker.yaml:ro"
"${emptyFile}:/app/config/kubernetes.yaml:ro"
]; ];
extraOptions = [
"--read-only"
"--tmpfs=/app/config"
];
}; };
mySystem.services.gatus.monitors = mkIf config.mySystem.services.gatus.enable [{
name = app;
group = "infrastructure";
url = "https://${app}.${config.networking.domain}";
interval = "30s";
conditions = [ "[CONNECTED] == true" ];
}];
}; };
} }

68
nixos/modules/nixos/containers/homepage/secrets.sops.yaml Normal file
View file

@ -0,0 +1,68 @@
services:
homepage:
env: ENC[AES256_GCM,data:9T4cgUUy631Hp9GRiR2N2MTJxOfiV/O3b0huRRTGH8vbgXZRbwn6xkE2hyJgvaPxLyybvcZSTMP7h73lqUuOiSl1FNlWE1QJpkkWew2XAbxSV7yYoFf573csD/fMnfDjS2CWjVR2fPbPUDfmFSx0nVjKo4k3zgDbGPTpiGXdVzN7OdvkwTfsMmpXL0Risl0a9NK7Iiriwk+Ieg5peJllxGlmHNgEnbgykZe0JjZlWbqg5KFmK+vN8cvSrlhsjfYeoVcTaSjQJ9SdeqQmRaThA9DE8cMY4dS395gWF6Y4hkmZ8uPrMnY9HIHn5qgv4LCKBL8UB8BaYH6yAk/zIFIRM3GEsLObMiHgUurgZDrrMFuzn46lngXBfUZp9bFYPJ5WEUEPrFaEeFVz3HHYbtSpxiGDfrDLmKNConC44G/sU0snMANUntvEpMXdhwBIzfhtPzu9XChYiVkvLOU28Z624UOYNd0tKLtZpFk9gME5nsIF5+Z6Rk+f5ycv6+h4Ruv0Yx1+I3pXsjiiio1CT6hh/D7nM3/SgbWp/LHMOtV0YKnvTL89BDmFMDZdy452dVSw+xOX9hE4L79HDThIYX2fZKQ8CkZTyE1f9/6cU03GDA893oQ6k9nG1cY1vW2zgQLXSnYR4hQ2HbUXOlpEAp1Nm6t5yVdST8bSGHvlV+Sn/JI4OFi7NgM+66Owf/b/SzuuhHUzfvtk6O3VEvyyOySA3GwRIwowsQydu4/QN7ZogJ5yqvCMTQU34J1WalRqM1dohnOXI84+fakdz1M2E68wMs1rIyuXa7w6Tn6DoE2nx7n1wQ==,iv:kaW+31hzliWY/sMZyVr8bIvAk0MwfLJVdHiRrcVICoQ=,tag:FPp+sn1AYVBJyLQy14vogg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhenRKQldGQkVlRmhKd1dY
R0lPM0FOekU4SWdIZS9oWU5nZlNsaTRua1MwCkFINGZ1cWhURUlLMmhqQjQ4blRM
eFR2anR6VGZFZy8wN28rNXhkbk9DcGMKLS0tIGxQbTV2eWNNbEg4Y2o2UGM4WmlB
RmF5Q1pFMGs1cVJqaHExL1Q1WVBDSE0Kc/gxa62PA75jGtLhhTlweL+1jbNA34UG
lAdqTDI81uQVHuX/K7CSffMSNa1dQR9BBwSmAI7FD1q+gdnx3qOXog==
-----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKKzljNnRwWEpJUS84bGtG
QjVIL2xUZDhtVGozWE1Wd1h5NWNpM1gvRzFRCk9nN2ZQQWxSNU1URytqRTFQNU1k
WVhDWEVicENUZnlZODF6b0JDMUdoaWsKLS0tIGFiMUMzVExncHVmQU9ETDdYSkpa
YVdadDJDVWkyMXJ3YVhLUnJxUEp1bjgKRM5xrW3hl1RgcK0ynHSEnwV5J8uHyGiP
8p5bnKrE5YYtBaK8d6O0evKgufxEhnajwvuOATlfbRBlmbce/BjhgA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJR3hCVVlXZFU0UGsrckl0
MGVDV0hSQVJqeTFraFFqK1I0emdxem9Ga1dzCi9HemtJMGNOenBVRzAzS0I1cUE4
dGdoWnZXODVzRGtIM293R3F3M0VpcjgKLS0tIDNUT1Yvb2NKckxWMW9yYkJPK0hj
U2VhOUFXSnVtaHl6WUVBSVBXUHkvYVUKhHGoMsNhwnbq0YOTX7U9h119GxsYq+u9
fwhkqozV8/yIH/pgu14ZKrXJyzXhC1jWgYXqhGVVzpuJelCg4V86cg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzZ1B3QjlrSHZDU3Y1bng4
aTcvN3M5K0Vabm9wb21RQ3VxYkxJWnRVakZNCmVEOC9nbDlXaS9hUHk4blRValJO
THJ1ajEvbFVsN3FwU2ZBdkNudlhmU3MKLS0tIDFDL0ZnTE5IaHU5dUF5UVNzRkt6
ZUh5MjNBeXNBa0JBWEhaVE90azMvT28KLd980Jlt+vkIKYuM3BbSBIEZjiec6s+i
8/SKkpwuuzGPHEnA3VsV2a9o8ejzQOPFQjSbd2Fw8caKjF9T6KFqTA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLWlkzWmJBZmVFbU84SFI4
ck4wTDc3Z0VGbmxRNGRKRkJ3Qmd1LytVZnlBCjErNjNSNy9nTTVMMzBMbWRUU2FV
SU1QeUI3bEpGV3ZCUHRFUWpsZHo3Z1EKLS0tIHZNd2xrT1hrKzhTWHU5STdyV3U3
ZGd4SU52YkVNWHBkWGNvTjBDUXNsNlEKnLnev2PXIwVqUMqttGFQra3/pmHG2jhz
h6OANuguMMCasK1CaMY8s756Lm/7qgoCO1l8pnx2Effet514gR7Bbw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1se7am4c5dh35aulf5zt38ymf600hz8gah4eudr9ml4fmr8h2eqxszuel73
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlMDVnd3NmWWJUczhwb3hs
UVE3S0llK1FKL3ArYW9xWms2ZXhzYkJYY2xvCmxPTVlvY0tpcXRwTExmUm9WL3oy
bU54eEVtMkU0Y21BVDZ6Sy9YNkZWSDQKLS0tIGYvbUxzRXpRQmU1a0czVGRENXpj
dkNtZWNnek9uUnd1Z2U2enR4N1hqWE0K1Zu/GCw/aIPkXvWmVSxqZwBSnagjXS1J
uyefLabImtdR4FjWSPsldIACH1zi69ucaXTccQptrxqABzqltjBXxA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-10T07:18:45Z"
mac: ENC[AES256_GCM,data:aKCkHTYBHaSZpn43uI6Ihws2CETNnbsKvR4+BkqbHd1FpPrZ4V1wojaPcQSFNULgYmAnQM6MJD0may6OGt9Ux16U/ygytCt1BMVTMhxihb2R9IdlQxxDnou56e+E/jTjwIei2yr2RBxra+d47NbF6domaQ66DoIAmGELPfqcOg8=,iv:wyLUspsNZsYQMcqzl6UT6TcURYGLkUnU616xb8huqho=,tag:APVPI3+Lhvvw11sHIs33HA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

71
nixos/modules/nixos/containers/qbittorrent/default.nix Normal file
View file

@ -0,0 +1,71 @@
{ lib
, config
, pkgs
, ...
}:
with lib;
let
app = "qbittorrent";
image = "ghcr.io/onedr0p/qbittorrent:4.6.3@sha256:a4ad890e8c4a287c17d12ca22eb1d84a046aba2efbd882bf7d6eb12459f6a70c";
user = "568"; #string
group = "568"; #string
port = 8080; #int
cfg = config.mySystem.services.${app};
persistentFolder = "${config.mySystem.persistentFolder}/${app}";
in
{
options.mySystem.services.${app} =
{
enable = mkEnableOption "${app}";
addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };
};
config = mkIf cfg.enable {
# ensure folder exist and has correct owner/group
systemd.tmpfiles.rules = [
"d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
];
virtualisation.oci-containers.containers.${app} = {
image = "${image}";
user = "${user}:${group}";
environment = {
QBITTORRENT__BT_PORT = "32189";
};
volumes = [
"${persistentFolder}:/config:rw"
"/mnt/nas/natflix:/media:rw"
"/etc/localtime:/etc/localtime:ro"
];
labels = config.lib.mySystem.mkTraefikLabels {
name = app;
inherit port;
};
};
mySystem.services.homepage.media-services = mkIf cfg.addToHomepage [
{
Qbittorrent = {
icon = "${app}.png";
href = "https://${app}.${config.networking.domain}";
description = "Torrent Downloader";
container = "${app}";
widget = {
type = "${app}";
url = "https://${app}.${config.networking.domain}";
};
};
}
];
mySystem.services.gatus.monitors = mkIf config.mySystem.services.gatus.enable [{
name = app;
group = "arr";
url = "https://${app}.${config.networking.domain}";
interval = "30s";
conditions = [ "[CONNECTED] == true" ];
}];
};
}

72
nixos/modules/nixos/containers/sabnzbd/default.nix Normal file
View file

@ -0,0 +1,72 @@
{ lib
, config
, pkgs
, ...
}:
with lib;
let
app = "sabnzbd";
image = "ghcr.io/onedr0p/sabnzbd:4.2.3@sha256:bb20d3940ff32c672111ad7169ce4156f1c4c08bb653241f1b14f6d00f93b3cc";
user = "568"; #string
group = "568"; #string
port = 8080; #int
cfg = config.mySystem.services.${app};
persistentFolder = "${config.mySystem.persistentFolder}/${app}";
in
{
options.mySystem.services.${app} =
{
enable = mkEnableOption "${app}";
addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };
};
config = mkIf cfg.enable {
# ensure folder exist and has correct owner/group
systemd.tmpfiles.rules = [
"d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
];
virtualisation.oci-containers.containers.${app} = {
image = "${image}";
user = "${user}:${group}";
environment = {
SABNZBD__HOST_WHITELIST_ENTRIES = "sabnzbd, sabnzbd.trux.dev";
};
volumes = [
"${persistentFolder}:/config:rw"
"/mnt/nas/natflix:/media:rw"
"/etc/localtime:/etc/localtime:ro"
];
labels = config.lib.mySystem.mkTraefikLabels {
name = app;
inherit port;
};
};
mySystem.services.homepage.media-services = mkIf cfg.addToHomepage [
{
Sabnzbd = {
icon = "${app}.png";
href = "https://${app}.${config.networking.domain}";
description = "Usenet Downloader";
container = "${app}";
widget = {
type = "${app}";
url = "https://${app}.${config.networking.domain}";
key = "{{HOMEPAGE_VAR_SABNZBD__API_KEY}}";
};
};
}
];
mySystem.services.gatus.monitors = mkIf config.mySystem.services.gatus.enable [{
name = app;
group = "arr";
url = "https://${app}.${config.networking.domain}";
interval = "30s";
conditions = [ "[CONNECTED] == true" ];
}];
};
}

3
nixos/modules/nixos/default.nix
View file

@ -8,12 +8,13 @@
./de ./de
./editor ./editor
./hardware ./hardware
./containers
]; ];
options.mySystem.persistentFolder = lib.mkOption { options.mySystem.persistentFolder = lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = "persistent folter for mutable files"; description = "persistent folter for mutable files";
default = "/persistent/nixos/"; default = "/persist/nixos/";
}; };

25
nixos/modules/nixos/hardware/nvidia/default.nix
View file

@ -19,6 +19,9 @@ in
driSupport = true; driSupport = true;
driSupport32Bit = true; driSupport32Bit = true;
}; };
hardware.opengl.extraPackages = with pkgs; [
vaapiVdpau
];
# This is for the benefit of VSCODE running natively in wayland # This is for the benefit of VSCODE running natively in wayland
environment.sessionVariables.NIXOS_OZONE_WL = "1"; environment.sessionVariables.NIXOS_OZONE_WL = "1";
@ -52,7 +55,27 @@ in
nvidiaSettings = true; nvidiaSettings = true;
# Optionally, you may need to select the appropriate driver version for your specific GPU. # Optionally, you may need to select the appropriate driver version for your specific GPU.
package = config.boot.kernelPackages.nvidiaPackages.stable; # package = config.boot.kernelPackages.nvidiaPackages.stable;
# manual build nvidia driver, works around some wezterm issues
# https://github.com/wez/wezterm/issues/2011
package =
# let
# rcu_patch = pkgs.fetchpatch {
# url = "https://github.com/gentoo/gentoo/raw/c64caf53/x11-drivers/nvidia-drivers/files/nvidia-drivers-470.223.02-gpl-pfn_valid.patch";
# hash = "sha256-eZiQQp2S/asE7MfGvfe6dA/kdCvek9SYa/FFGp24dVg=";
# };
# in
config.boot.kernelPackages.nvidiaPackages.mkDriver {
version = "550.67";
sha256_64bit = "sha256-mSAaCccc/w/QJh6w8Mva0oLrqB+cOSO1YMz1Se/32uI=";
sha256_aarch64 = "sha256-+UuK0UniAsndN15VDb/xopjkdlc6ZGk5LIm/GNs5ivA=";
openSha256 = "sha256-M/1qAQxTm61bznAtCoNQXICfThh3hLqfd0s1n1BFj2A=";
settingsSha256 = "sha256-FUEwXpeUMH1DYH77/t76wF1UslkcW721x9BHasaRUaM=";
persistencedSha256 = "sha256-ojHbmSAOYl3lOi2X6HOBlokTXhTCK6VNsH6+xfGQsyo=";
# patches = [ rcu_patch ];
};
}; };
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";

59
nixos/modules/nixos/services/arr/lidarr/secrets.sops.yaml
View file

@ -1,59 +0,0 @@
services:
lidarr:
env: ENC[AES256_GCM,data:QMvX7WRcLegLbHS7JQm8rcyc9ac12Urj29Pkv8socA2kvgL0TI1w7jL0qhXLNUmCJmtcvhCwNL91lN/5UOFFWxEVzUcJEWvY7NmHi9twSXT6evOej3Q1qALO+xG6ZAuKTc5EHlqPx6aUnSdt9rU=,iv:myoud9cBoCQ2AIsD2zJAMaqB8Uyp9PwEgSAIJofQk3Y=,tag:llN0afX1zpvij44Wk9guJw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoeFc1WkRCejJPN2VsK1BK
K3V5dWxHc3RxL1NzVUtXcmxsSG1EZnJqS0dNCnVkbExwK1dMR1ZuNnc5TWcrNmdL
R2xzR0xXSktHVEJwWVdIU2JSbHR0UjgKLS0tIGtmVSs2aGtVQnZtYURBRDdVdjYv
ZEIwTUtSeEVDeEMzeUFKazFFQzhXdFUKAlFKK2unF7tfjFAznL+MmsDOVG7w9clb
j4UVT8hVYySnRmoEivKPmmPrkIgsMvlewFyViL9m8XoiZ8BOGIApRw==
-----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLUWhyMnh5RzFua3NHMXMy
UUM0NEd1NGFvbzlzMTdmam1NdWRDRXFDdlJJCnZkdFg4ejRCSCt6TWg4QWl5KzFu
MTIyTGZuc0JvQWU5ZFdEY0VWeGZFTHMKLS0tIEtrRDdkQWFMOSsxdkg5dkx3aXhQ
ZFlpT1d2d3dYaEhpOVRqWkx1Sk1nYlUKABWHbKvk7XqRdRHmaPfGMBs2j0KJSY1z
eZJXlXFMY/WLLf3FkvVsU03DBxnDzi3NIDhNkZUf1uywVfIV6G2FNg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwT2VvYWpmOVlHSHBiM29M
NDdNbjZKb3M3TXRMeUUyVEsxekNFUXZGNlI4ClBoQjVYSTJaZFplRnBwb0NQZFFm
QXN0ditMUU12ZkhIMHhPQy92Nno4MUUKLS0tIGVIWUk5YWxrTFg3N3NOZEJJNW9R
VWJJT0hkeVB6d1B4QldyY01sdU0rSVkKlDsj2lmzB0E9FpESBzDDLieJ5uLtspSf
vnPNi6J3EznHAcO9CoXejrbkEEBTafueAx6/U9T9nzxkAhNFt7wYdQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrUTlNUE1PczRlNVJ0dnlF
aG5id1ZERE83TEdqWUdXQ2V0K3VXWENacDBBClcvYVFvZVRYTVA3bXdUblYzeFBR
VzdBdVVNSGxCbG9yVmVQbnZmK0ZTVDQKLS0tIGl4WUFxOVRlOWZsaVhaKzR1UmhZ
UlRkM1NqT1BRY1U3ZGVwS1NIeG5hZEEKo9yIGo2q+XemTtqsVRUGZol+ToorrA7s
LKQTB92x6ZIL1Nc0ssXNppTDxDWnIl5GMGlQliwCVmtc9+IhXAjNOQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0ZUN2d1FJRUc2dWhaR0lz
VUxDK3VSKy9aNmxoWW9leUZibFlJYXVPWkFnCmY0ODYzeWYyWVdmdXdoNFRQUno1
b0lWeHdpWERVczJTbXpjMEpxT2dNUTAKLS0tIE1odzZ1WVFNdEJIclZFL3UvMjFV
Y3ZhWHpVb0lLL09xOU1rZllDRVNXSFkKUXNaWZt+lOv0D7gzh6DLSn0bHmhKNygC
L/jFAJUkya8fsdqOfLpxzprLrJ8tXlEyCIBkz/6RPTQO82hbB0vXRg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-08T02:06:18Z"
mac: ENC[AES256_GCM,data:Hul7Mj+gIPXdDLInM+bSyMr/2cw7XGoIKxB1IGDbW6fnJAt91fdgl8t3g4C35h0W9lFV4nIbWB8BolIq2gX0AfAqVyiL4WiEbVodJlwhVS4I/lha3gTfST0n8H4rZCeLFaDe4JKyhcfvFa+mCTS0mwtgtcRHDi2TLa8AP+Ue5dg=,iv:/fkQeo6T72WKKXjhaywSyPlj27Npg1DA+ktihR5jN9E=,tag:gCRJzcLT65q58rbvSf5BCQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

59
nixos/modules/nixos/services/arr/prowlarr/secrets.sops.yaml
View file

@ -1,59 +0,0 @@
services:
prowlarr:
env: ENC[AES256_GCM,data:zzyYxJrgKQJg9IgWdRePrw6yY4OfM4CjX1yHd3xM4+Nw2CqQlfkKvFkoTerDFlOFKvYZB30JOgExdtv9fAFdXUWoKeuqTyliQZG71SGcQrnkikrSzgBfuiKF2vsXiLlDzG1zWGAhnqQsOpymf9u1jAQ1,iv:BYybV11VMWZUaFPsUvrb7OpAr/ypqpGvQsG8+UzuZJc=,tag:hNpX44HPSN+ZoPmDHiKYBA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6WS9DU3JmV3d3aklRSXNF
clJpOUJyOWN2eXJDQkNxOVBVR2dpY1NOTkRvClpnenViWEY4VmNJaFZPN2RLTk5D
cThTRy9LOVVJT2xZUUpoRzZQZS9SVm8KLS0tIE9iVkNWb0dwK0ZndW51aHdMVFBX
SEVkRDNtZEgwajlOQ3RITmFZMnNoZFkKcvUmNpFMk51aWGjWvzzg4QJ9JjRmOaoz
aQtrZB4rZ0etRK5qn7ax/uzCnG5P21hcZePm70v0b+TZnVDuDLHmbg==
-----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBidDZZdzBkYytsekM4TEt2
Rkw0blVjTnBwaWFzd2RyUVM1Rks0ODJYRXpNCmdwWmt2dnBwSFJBTERYUFdMb0wv
T3JOYUwrSVFhdjVtZjlpcEkyY2hveG8KLS0tIDNaREVmb3BDa2tlbHpOM05pMWZh
Z1hPQ1dBbUlxZDBhRXBWSnk4NlBiRG8KL767jh7h/YJBfMttJSgdSP9iPgMg1/Za
sIJ2Z7wUcmnYAKaQh9Ol2xgzOyWhLOM+Tj4DuJvyZVgMWlhHLgrdFw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKQ3FKMXJGQmcxTU5XSmZr
RFRRT3Rib0tDckN1ZWNFT3Z1TC9hdUw4aXlNClRFc2p3REptR2ZWYW8xVk15Q0Rh
Rms1TWdtREFybHNaTWZWaGZmYnJUMVUKLS0tIHhsKytqakxXNnJYd3ZvMGk2RVNj
bmpCbEw2bDFQOFFwelFrUTcyemlCU28KoxcnwQIJigjDi4a7R3PzlLKjPOlovuT1
8N8sxfSV6FrdyyrDF/ey8K3zWlig/yrRLpgCSlNMzw/3VRZI/gMI4g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4VEZ2bkFJTWo2VGV0OXpS
OGc4YkhZS0tuTUxBNUM4K05HZWpmTXhwVGhFCmVIVUYzRDdBNC9sZmdzL3I3K2NG
TVo5djUva09xR1g2ZEN3NitBN1d2cGsKLS0tIDlDMDBGbTFTUXgwYUQzaWh0MVJT
SGFnYW9DTWRrUlBQNjJsN251L1Ayam8KhQ4Qr3JMsy4w6gl1Fym6ejDtzJSgZ+wm
6+F1PJw4xWzwHVZe3INAK3hMglg/o21u2lX9u9Rm7aKsSm/p/nNr6w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYZHU0NjF5Z1JFWlBsblpJ
MXJjZCt5eU5YSCtWRmpQQ2NkTDd3VXJaekIwCjY0b0xKTk4zRWxqdFF4KzJWdStl
bkp5bXpDYXl2MXZvNVJJNCtRazhnK0kKLS0tIDV6MnR5RkZRYUNCcCtmSHJhQzlq
aGJLM01UMzFOcjZqeUtCL1lTTEZZSlUKQrhkgXiRjT7lQoTdMKv6V4famp3p8/Ca
Qc+xgxh4VwIqa7hcQoqneaWRFxjVeYLEwM5JbBaqkIYfIGZFZG+3rg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-08T02:03:18Z"
mac: ENC[AES256_GCM,data:+V/l66ndBKtXe1W3gdsAPA335OQRm7Why+O++bL/eMjzgTWb7NJaQSgBQ1MV0K5/fOhzTtgTu/eSoni4DQwaotuzILlXix0BW6HZ+OxFWCGucPEce9KXYWFLhKJmbEqXJCxo+Gbnc0TJ50JOXIpWevoCsEoOp26NUaHcoX9uw08=,iv:hhluUr9R8cT/uYKoRPoxRmBuEz0+o/S50kGV74rbK5o=,tag:/beFhlp0k0k3EjlWrSwSjA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

59
nixos/modules/nixos/services/arr/radarr/secrets.sops.yaml
View file

@ -1,59 +0,0 @@
services:
radarr:
env: ENC[AES256_GCM,data:582m9MfhLUMDG7Kbu4ePV5EmOTpHhXZojxaqjNeAFhHo2yzNpWwKf8sESUJlo5JgZevyKcjxJOM0ZujwVEqKe5MP74uPOsCUPgPZoo17sf1VGgfE5uyowJX0XCcnXn403k3gASDZacKTGDHpOQ8BJdoKKJbRffx8wYGeX8UtdevUP/284gU1kuCgL9DQRieNGyoFTi7ltudg/N7t0pg/9LCq31A1amn3Zb+sDHQdEFSWYO6qKibW2eGBwvz0jNQ2f6Si47msw+wX3O/6OXGF,iv:OuFoJOglImRcbOZgSdUR3Ijfaoj7fC2Sfvw/hWoG4iM=,tag:cZVNBBU8WfZVVqk+4d+IWQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5TzlaRncyMUtiR0prTzhG
SDJ2TU8rK3E5VHB5QjJhZjZNZWs1cmVuSlRZCnJUQTZpVE5HMHpHQXFkUFRRNUtv
K0hzckxFb1dyRGJ1ejRWYlpabThTeU0KLS0tIHk0NXRPaVUrazVzMTlmWFViSHJI
SVE3Z25lVWtwdHlxNTJMSk9laDRvTUkK4t9ZdoH6JUMMR/p6gQc3jfAGboGeR31X
gvrbz2Q+cp8YSyI3XrAVJG3/HqqO99bx8BSWwIqnSk1iOIl6qrwYpA==
-----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGKy84ck1CWFlhQUdwYTVZ
eU5hdEprQW12d01lN2tLSnl2RTdTODJlWUQwCnpxRnJ0ZHNDMEYzZTRBMHhoc0hq
MHB0aGFRNGRwdmlIV0RoK0Z6b04ySWMKLS0tIGlZZGNZbnF1M2FLRVJvdkVuVnJ2
bGZFc2pQK2xUQUk5WVVMbVdsRWU4OXMK2CGUFSLA5omweArXyHmi9eewDua+8o9G
44rzu4oS9Uwcaq92Z6XyoJqWvXnFmW+pUPDBq36MlY7fanVdoaXBhQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4cVRaTUNhUGJOYVZ4Mi9n
aEk4ZkZ2VjB4NFpCbjFtK1JQVFI5dnJHVlJVCkRrN2dRUEphZVdDa0N6VU11QlZs
cVhaYzQ4a0o5L0JWZ1kzMXBOSUV0ajAKLS0tIHljYVNwQ2QxOENQSFY2RldQV2Jr
N0JpbUp6TnNLWXAwYUFuN2YrQmN1VW8KyJA7i+CZH2zRhK+vvPao2xMlxD2vm+yD
aJCTO+EwL0T0imhg7DDHhgwoAUCQTc89qwBkj84JeSGBD8nSxCOtUw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiZkdvM1dnT2VyTmpCdFp4
dFdWaEQ1aUVNYUVkclRXd09pS2d0bmNmUVc0CitvQTdCZ0hwa3NuTFQyeWN5bmRM
WlcrMTZETVNZSGZXNzRaa3lZOVRoVkUKLS0tIHAwaUpYd3Jsb1ArT1U0Qm54WkNP
YUY5N25qWkx3cHJIS0NBYSs5MXhkWncKQjlZaY1AO8mpqZaIjwMGBKHnZMQyzJm+
A4+B95P8DBKuZTJjHwVrjVvWfFFL3XglmftbiDyHL/WjRUGCL332Vg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5QjUvYmFoNGFDRWFkN1Qx
Ti9iMVJQZHFrYzN6S0hhaFkwRE5tUTRYcXpFCjhhZElEVFlhbyt6dkdvUFM2QXhr
QktxSzdIWi9YUHpYS0lPbEJ4Z0tMNFUKLS0tIDg5dG16d1NJblprY3A1ZDdhTTBh
SS95dStzKzI0ZFVDcURxd2k5UHduYUkK/NQCeduzIPws13zJmBD0NGSbfb0iHrfQ
UxXWyesEZmItT0LorZp+PL5iYZ9Iax9DONe9CKN9fOxS4G8x8U9cDw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-08T02:05:52Z"
mac: ENC[AES256_GCM,data:Z5USXKjnL5PhpC1GRftGuBukjmAVc3VXnBG//qwrJUryC4WoxJExsmJ9okS9CWeNiPy1EoPbNx+7v1Xlnbgg/5op+unLCufc7lb/hRZc89umQEkVt9XWyCQvd5Ar6PCmGwkP/oG2zoTAYXEg9njyO9ae7F++EJNpa92VstvfWtI=,iv:by6YKmRDnOaoneEVbGzx5jbCxesv8K2XJxZg2LjnzLQ=,tag:y1IZXfVOuMvqr6dHKA5oTg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

59
nixos/modules/nixos/services/arr/readarr/secrets.sops.yaml
View file

@ -1,59 +0,0 @@
services:
readarr:
env: ENC[AES256_GCM,data:+ZpTnRHTU8cQQKouzVEXTlk4mq27wgV135YDwQNh3Jp45Woj8czlliuR7SEr86dvTYOord5jtFUJzYcOli9+0H0JynJNiUT1ZkY26gnD8tDJYK97vrLAKgfZVbxcdXsJaRD0q9CGwbQrPWiXkMZLNQ==,iv:GhTkFKT3G8XXu4D+UUwfiVGz6NgRcS4tKIqQZWgYyI4=,tag:LettwkiVj31G8KL8nLr83Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlWmt6Qi80bkR1Y1pnSG8v
d1owbWxJL0s5M3NmUGd6dnRaWXpwT1JrdHl3ClEwL2pvakNNT2pqU2lWdkk5ZzUx
UFQyRzB5NFVxc056N1ZTbUpISGFKVFEKLS0tIGlmZmJUR1REOWl3anh6b0JYQmo5
bmt0S0ozR2d3eGhWa1g1NHJhYW5jKzgKSoY7i2uMbzFJiWRCoxhMqul0GJpUAKcd
fMPyg09a+pmAeoEKSxSpC3z6OR1CLAyr9Yo9FIsIYBS2jRPwwwCXOA==
-----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQQ2tLVkp4MFBkT2pueHBF
dnJ0TUlhZUpjakJEU0NmMkpSbVg1Um9SeUhFCkV2azN4L3IyZDhrQ2hvQ1NEMGhw
d1NXaVVHOWNGSGZuS2xuVUQ0Tm04NE0KLS0tIDNJWUJJaVdLaUxSS2ZwM1h4UTFH
OXpzREdpWitzZnd0cDZ6WVdacmh3MEUKxB4dMNuaFXYRtt33tGpR03mHhPRho8oO
uwSFpJSK+s50T6eQQeDH9E/6JsJSiH4haVV2MWgTZ2IgqEwZ6Wc5nQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSem9EVzZmNXh1eGxhZ1ZD
WXkvNGRZbkRaZ0l3R0s3d3hQN1VjZThMRzJVCmZkb0M3aTF4UFdKUCtXSmpDbVpQ
T2h5K0lIdWNWcVFmc21VblBaVjhKemcKLS0tIGNCQUVRbkRlZHpLRGJjbVFyMWRy
djJPMXpvU3d3Y0dXeDdRTHVtWjNUT3cK+3O7uXPkdxN5ksKs+OVOmRzAMCXP+sYy
kA6JCOYMu1CInY3GzKHs93fl8B5BixZy+pHDqMfix6eWrVrGICMvXQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzWGNtWmREZ0Z3R2V6U0xU
dlhLKzhRRkJlV3BvUHJVazNMYjZTOXQ3dnlVClk2V08yYkVHNU5qYXo0ZmVhdVZB
cG1XWTd2V2xjUFZESktZbU5NWnU2TG8KLS0tIDdoeHA5WktCSXZsOWp3a2VIMTlw
bmFqTHZRQ0ZrcERWVlBmb3hCTnhYQVEKLKJ6r3t6YZmq5U0ncsepBjbxD6DtEjly
++ayk7xxfFKi9XgaMItDAXC3/dldPg2fS8kjbRlXzq2TQPOhweWm/Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzcGF2Zjl6aGl2azRKRE5p
ZmdLWWk5WWcxM0FkdUlpNTYvUW54ZFQxMEYwCnY0YnA3N0JhQTU5eXltUEFkZDla
T3hBQThKUFJqUy9pdGJKYnNDYnRwQ3MKLS0tIHRRODc0OWl6MzhvZUtndUtLUW9l
RktMK3ZQOHJLd1M0aHJadGk3Y2krQ2MKQDDFKPzL4/2l+MepcvQpx5UHPeVXU2tJ
6cl6BJ2/mZAbp2136W6/JwpE8lTkk0WUyT7/s//RjO57F3qPXZxA7A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-08T02:00:29Z"
mac: ENC[AES256_GCM,data:2rsGhSOFbqv8GdvQzL6ieXqq5sIs46ojdgal8BiWNBZfV7oadubWIaB0rLdjpeiaqvjQLICyUekc/JiXhXG7mO1jhTlIkjP9TDbszbNB4cwuf1H06DN4DrkxeboF0X0vytCZ8AQFVwjbD1ghGvd0CmDgtCSHzaHzZ6iDBeey+zo=,iv:e/bty/8FnMcG7NOoiFi4zRTwKGI4iiDsaK6JVfEqfpo=,tag:C3GIgRanRUkQ2Lxb/wML1g==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

59
nixos/modules/nixos/services/arr/sonarr/secrets.sops.yaml
View file

@ -1,59 +0,0 @@
services:
sonarr:
env: ENC[AES256_GCM,data:Lg92wQkiBY5gBZ2+ckLs7EBPo/0fEwqhEvnWcnU5quUMNlJeWnjWFqU8qu1TaW0Vmux/A/QgIJAiYgWnbQuD9benOR2swkt4+DazSeC+35VQOTbegVDrH4wiJikTHTtoKpgSKHLBQAy113jaDL/RBFRpsSjsXEsGGu+G+GZ1MFcW5hRbYam1o62NqOAG66efcIGXv8T+sD0ouLcN2g9ZjU2QqUqJqsGBtg1d0SIVj9bNW2vUHHmMtIQBTxfR6S5V3tzqjP2EfzaT/gDSPPJg,iv:e9/vpvTFDixP07fVXutIhJcAg8Qb9d7fVJNmn+XhMjU=,tag:7MAF0kHvcf5VDUMCpJATVA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvYTlNSGpIclBoWVlWWDBz
ckVZQWdndVBreDRXV3k1UDhxR0Y4R1J5blNBCmh0RmtwbzMrcGxLL1FoQVBjSVUy
QUxPUXJmaFYxRXFFb0lTQ2JHd3M3aFUKLS0tIEZ6UWJOVXp1VE1XTnhzQVhGT2RS
MVhTTE1JbU5rZnZjUFI2NDNkRUEvY0EKxglGGpDa8xY9w9VKayRF2Oqjv+UhDiLY
3uPQWLasVcQviZE7AqG5n8azLTaX5DEoAOVFDCnhJYjU9NatXhcutw==
-----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkdU84WkVMVWl2UXQ2WHN3
ZE1IbENMU0JlN0pPMTZSeHFPdW5mN1NhcUVRCkovcEJSNm9FWU9LdWk2aWRMbzJO
b3VoM0F5VWxSU2I1UU9lblMreXNvcjQKLS0tIG9hSVk4RzRzbVgyektXQ1lkcGF6
Q1FLdWZGOUFqWm9Hc0NDVUFFczlXYXcKxxWKSOrDUGld40zvDzsmMBOAexWoijDN
tBxJteEnSbTd+s93MDfuM+axeNR5Ak4+f/pEoLho5xjjn8f/fdlebA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVdGV5ZU1ZSFNvaHpGRUFs
cWRkVWlMZUZrbDNLSlJJSUpZVkhKUHI3OVdnCk1pckRmbWJNMkdvOXZscE1sMFcw
QktRU0Foa2hNTU9tcUN0UmM0Y0h2TU0KLS0tIDY1c2lVb1Bnd1c0d1Y3NVMrYmVZ
UXJFb294d1Bqc3E0SUFjWmFqSjdka28K2cEgMCIxpzGe2Z1rgaWq+rWXKJvfsTi9
PFWywF6/E+9Egwrh98FspQAzYP/7zl+N8gjR5Pa+Scx2D2iOizXWfg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKallmeUFQMmRvNFZRbnho
SVYzYit2TWFSRnV6dVNjUzlSQ0ZhTEJUNEhjCmFmaEsvMkpPQVZBN0FLVVp1dzgv
Ym56YzhwcWdkNlVSbHA4cnQ2T2VVeXMKLS0tIENqdXZCaFNrZVpFVUIrakpsY1ZP
QUxPS3lqcTBISnByTXVWcWdtZWYwNXMK8FRzmS0q2l6MWUu0YreaqEnKKW085j4s
f1oTHPpErwPLuh3hUciUPFe5Mbm3zSdjBsGyQtxPF6xLtw8dFaDYBA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaTXg2S2R2M2tHYmllUXFZ
NkZzcTdRaU5RM29RQkdEQnpNWXowZUFoR3hZCm1TclN2K0FoQktVTzg4YkkyRUhC
NXRybXE5Ym1XYjF3cG53RitvK3VTR1kKLS0tIGtkZXFLWmJiRG81M2RyYzdXZUEx
M2tqQVZaUmNVbm9YZys0NUNpSk4vN3cKpkL37l/i3VD6zhWHK/ROvcvmCBQfifuw
EFYI+F+BTjkoptqIVFCDbATRrqSfOqsYPmEg5lM0e3Oul+vT++e0/g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-06T21:26:23Z"
mac: ENC[AES256_GCM,data:ITWKix2aNhXzzzZTvq2sBPXO3Phvr+lS83fSwEbH7FTowD7uScxqAF4PMJ+txAfIpmZiaD5vXIK98YU9HOWRFUoOiYxdwVwfOiX63mB0JKj5jLHHeIe6bMaWfudITlIL9an6YO/qyUww9OVXaxYEmwOJI4W+HnMLbYLf5lGboEo=,iv:i8dddSV2W9FifN+ktwGsaYRRnK4UJtrG7g6LpWPtgu4=,tag:acP4YvJarHLCZUJ3dCFuOQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

23
nixos/modules/nixos/services/bind/default.nix
View file

@ -22,6 +22,16 @@ in
# Restart dnscrypt when secret changes # Restart dnscrypt when secret changes
"system/networking/bind/trux.dev".restartUnits = [ "bind.service" ]; "system/networking/bind/trux.dev".restartUnits = [ "bind.service" ];
}; };
sops.secrets = {
# configure secret for forwarding rules
"system/networking/bind/natallan.com".sopsFile = ./secrets.sops.yaml;
"system/networking/bind/natallan.com".mode = "0444"; # This is world-readable but theres nothing security related in the file
# Restart dnscrypt when secret changes
"system/networking/bind/natallan.com".restartUnits = [ "bind.service" ];
};
networking.resolvconf.useLocalResolver = mkForce false; networking.resolvconf.useLocalResolver = mkForce false;
@ -42,13 +52,13 @@ in
options { options {
listen-on port 5353 { any; }; listen-on port 5353 { any; };
listen-on-v6 port 5353 { ::1; };
allow-query { cachenetworks; }; allow-query { cachenetworks; };
blackhole { badnetworks; }; blackhole { badnetworks; };
forward first; forward first;
forwarders { 10.8.10.1; }; forwarders { 10.8.10.1; };
directory "/run/named"; directory "/run/named";
pid-file "/run/named/named.pid"; pid-file "/run/named/named.pid";
listen-on port 5353 { any; };
recursion yes; recursion yes;
dnssec-validation auto; dnssec-validation auto;
@ -89,6 +99,17 @@ in
allow-query { any; }; allow-query { any; };
}; };
zone "natallan.com." {
type master;
file "${config.sops.secrets."system/networking/bind/natallan.com".path}";
allow-transfer {
};
allow-query { any; };
};
''; '';

102
nixos/modules/nixos/services/bind/secrets.sops.yaml
View file

@ -1,60 +1,70 @@
system: system:
networking: networking:
bind: bind:
trux.dev: ENC[ES256_GCM,dt:WI9GxgL94/r05nK10P/jiaKhkqj/uh+svApuANzIwHblIfkygL8oK//G/Mrd7a+uStz4EuoAPb5w6kvcrzKlTAR3YTz3xtVlTHXB8qxmO4UjvzpjCqYZKsiX3O/VSlEs3z2qIPrUIOLKepXpsebQaa2/Gjr/KVTA/9119QfqnDlxcQVnY3hIVr+jEhAMhKrXHJhxKrQ8trl7oiPvD7Ll5N4vZ0lkQcpiGyqMwgy6D9P1L+l4IGwn81JfKzd0BM2vhqGBejoqVQvpF600e8wF+8TbS0u8C9jNlVm8H4id7BOArggmJoAnRsFyD2/unce4Wb2CSJWsv09ETTbvkdsJDOpIE7UMBU5S7JiWTZEhV3HcckIwm1gwc5w0ucGKtKcFLOOcihhByCW3SyV/EU3H3mQJDBVx/skCtVZLApa6MkRgi7WpGusjxGcAj+fqHRNfotgrulZdEEAHp5yxsjMMFgfKyXDyRVKIac+tkLVY/Qx3J3NcPZkc3NPYIX0n0l7TZXSpfMiG7nGzy9VVa9n/YcUrm44+kCWH6/Jx4w259YMLMUMwLC/uJZiIMyLIQZ70bs70zVFbz6ul3ltB3Sl6Svlawu2xdpBAIp8aQvAY6dh3v2beXDnRrSXejmG2RiMm619kZE5k3H0AqIWwk2e/nSjSa3nq7DI7WxetEqJ9t9uOe98KRx+UqxYinS1LS2lvvpWa4RnWSCO/LjKAsKUUGbAoJ0eBDQT2E6fTd7DMtaF8wUU6/2JpVRH+YGPBVjQPRlBi5bb3eZg6AsiFyrCAbC9SgigXUGXG3R2fJHYEFMn0drjSLKQ9LLcnTXnHipYzRp4doCqP97WqUh13S3PeNko5QxBiP7//eapEn7UfrtXqi7M4mxGiGack/WhGdBNmCuNV404VrJnmIZhwo/LgO4m753ubN5s4jtOAVjH+z+9cXGlc0+lsQCWAuna/MkeTrKS0+EdynBxEwSWaqKtvwA6VFlQRCwvwzciqklmXYZRfO5wDEHqtpeWKJ4FGUkUMDYUrU6u7yIdQjaJ7FeXtKjT6UrfWvB3aOZXXNbwYwpG2uNPVj2i4LCzugHiBIbAvw1yw9SX2uiJiQjJ6NSbMyapvcWcmlu+zVqMpxshrxZR6VHjAhA2Cthc9E7rBpq22AcZAGXPnYcGYDpP+bP+1eC23dpusA/7T4D1/4VsGA4Rz1DsYH0flhgBBZ2f0/yHfv5oSsjDUHOAGdRGghDCHUlOCayTnODiXuR9/SQQos1issAKn0I8mgjlNNIsPZ0SbEZNNOAo+0aJpiYwu8qY5ZSxAVJNwxxzOZDjB0PBA32LCT0i0wcIbgIa0sPmKsKpOwsPzbJj21GLD9GGEQhq+XAxgCBFn2Ou9e5k808z5TubLAXWR1RdPzhsp3J2zDwamVcOPW8VyHp9sbgabwrC7DFX/KI8o6ZRzxc0kF1cZl9h4M/7IdYvJ49YAuPqDSFlCeQx8Z5EOtpbTBluSrt6Jqx6fuy0N20DEqzzbB6xWBMQ0A3/b8l0vLSNzUVoZ381YbD679jSnsVjLimd23PRmvGnIZaV94kIHjEOW3MIgaiJJSXECpMiWQEObjBeFG0SJjvyO+ZEkkNA9vvnyJ9dxu16qlKE7yts0lw5Qiljl6akUdgoraPvXrUozdkzzac7HLvJimcoJqSSJkDZhvtzq//ERsRCL9OfDU5Jk7HmgIXzZRCaDq6ZSYxt/ks+x7296YCd2Li6C0DOLHSCAGrFzKAIruUBNInPcaI87IsAM5ji1Bi+h0z5upwYohTOFHtMfF92MZDk/hSgbquenn6LGJYldCTCAswE/YVdN4SHLH0fXL/WyXMsNUYplMBB22MkHXhoJc4yB2UP62piwETDM6pnt1yA1sklHplwuTGSY6CReKecGpqeLQHjdNRa2SZRBOyd4sKb21W+AldSWuCZllnvo8pGi1Ei7U50Ua1aQ6h6nZbi2iPDaxtOUHy0kxaRUTQxrtQ3K7mwMvs4+5gTCphaqc1N6x10ONcDhpDjZFhMV/Y2xzG3LyxMvxaeABCnasPZru3KQWgx+QM+6M+eFmRG5f+E1o+gP42+2+/hP/vXYKiHHDfo/TzarzduupY8s4ogANu3Y4c8d5FvThOzmANvEHLWUzzw2LV/cQK7VWexD4BqPG5PGHfmi73Lp39IE6Xd6j2dtIUYl/aA+a/2wZmP3XAM3hyp8uoEM4Usc6v0zGfIzB8ppDVeeWIdn5av/j/4KNllC/utfDAqIKR/YQbY2asdV59kmS0RCdJvr7yZH3HfMkKlVqsYOntj5Ug5jx8M5i7Nqw41Ltw1Tnr42MvB4CwLbso8ijw3VHsltq3NKBDPpzgt9OwW0k1icz6lySPioegMykCzHNwi+VT46+7Bmvc4be+KulB9exDfoOtcnBH1cwZEvndRdvclOKtib7tyrRS6iyVK2ZPp14U2EQ2gZr/xml9bdj0cXM0j1sIrGP00NXOzAlIUQBJjAVafBbevCoa+4nl65ukL+uoMx46yG+oDFu0ZFiJr26niGv5DoJuKXSgB99GZ/N4ksDf4XZQ+drIh7P0LdmRpepVNh2ytZrO96vI3d64fV7ULyFaT/MKybjnSY0BTWCz2k50YHJCGZJHCefq0F4jN3kt9G3kHrt00in9nkycVF9zCgNZd4qB6Rh2+QZPaFQPgKLE0xTI5nVzGkoPDu+6AZMVcLl7hqB/e+SeoEYD8KaPNzr9aOGXW2dMw13L8hEyTZaWsvYV2PHGrr/8cahsjcN6aZ6Ht8+GUXn7IlPxHsbE+0BoCfEqem4zXZWjJxHqpZMmCoP3yIU355fyQvctipzAwPzLNMrtzo0BVgbpSvyDn0qfhNHRcXcS2uDyiPbYtQVihB/yrUmPKYtySIsG2gR60XuPKju2Ss09LKRQkh80hq1eSCJcZJ7Vlwqa0U0ccnMUEYcm+/2p8Ee1cB07Dpj5TrTYIB0v9WQ4vhNsZiglJzKoOv8uDxv0P2v98P5nyrTIBiOefhs7tL7/fj4YXnSDiFY3NT9gG9wcNNISKp+3SvyB,iv:b+V6/ImnEF+8TO/xmwu1jks9N8QFSPSRRnWbS8gy/8=,tg:WseBC+XsjhQdWjemtJGQ==,type:str] trux.dev: ENC[AES256_GCM,data:YoUfdxTXEtEe9z1aLkfZlX3LeBS0yeZTx+86QkXMQKiBCStmJtjLMW2q0uOmjAYEz3O0iUgwTLyMDEOV6ZQKyvI/kNBFl8S6dSe4dTYwVuNUdyoQq9qmK7GRGRyEwyqT+uSWujFbFXnjKOFDbMEx5McOO0Opt+YI/9QgoBZKgmVgylEF5B0SCsIVVUGXEzgk5r03p63rgTli0+dRY3bh8KonKLykKU17epTdUrp3A/Vogom9JZBxhE9ZHLO6yOv89y/z7zeKT0bzUgGKe9bXSr3swxpYr/FoirW/2YttNmL3pHXbtnAqdsWWdZduacaHO5Ac40z1+8SFce0e/yh8q6/d7Z5uLAY8CBYSVCQkrr2HaV0vwtnlDD26INVgDt7KwnGjazLC9KyjawYYt+TS0ZN7ifVN6nYJU/CQJCv9YzknCXG2HY4CxbGZwFbE6Tjrn2C5JBvBFchmxWBtOQcnktSltmvane3OVje9URtqoTaiF86fsRleb+IJ7mLv/qFJKcVHKDWVOSDYeSzuot/et96Asjc1dhXpEE5J2qqwKHxBkT9T5zDl+3QGIOqt+mkFl0jPh0FTQyTZGj0aZElm/9ll8UtxOmrzi7GijK8e5ltCwtZi7XPulBIIqPxn7pvn/UaDMojFZc8qN2/ND9pG5BNJwyZN0yduymoWnxRoPI4gARYGhLN4tswBImDqQtnTQ1JwTw0infY1WyznpVSkzfSYZC9fZWdcgnfl1z4WEbvGohrVd94mYF8UUwp6XIgDcycqyBbrHs5/8eTS8f5dLfcq7Jn7lBdYHUEu2oa07RjCDfhfHSKV1jpmeie0pWXKdGlaW9zon12jPXvQgP15fmc58mFlgxSCc2LJzyNAj16vUEcfgPMHW7sW9xItOnDvrA7O1VXNtYD2Nuce2bbLz+P0nGLbNarAgUqUSLCU297FVYfJNSW2YSqdbtjogbTkSrXVNRjQLgh1mHMWJfw+huPTKyvijCPSzt6fU+68/aXwWxiXeiSJK66kg1KdWWDUpoRaeeoV8u1JmBXkVAKv2yVhNkZVOEuQoCJ36hiHbGWeXY9cx0E3nNf3J9tJ7iuvb+Tdt8YCqGkuMv11GGNe939ac5iHhOM+yOgk+f+/ndpLtg8Ck2yMJ+0FaI4dkb/q+BFk+ZO+48abq6WTCuxAE9KpDFLSVik890uluYKWigCLSHqT9+xK5OnBsVFmMK2FfGI8OlblVP2tclRghY1cblnbR3YdRbpmfZ/dFIL4MJ4EBJRWYfoQqCoJYQveWdNw3s24iX0JKuiQB7Jjn1R8jWfQBGWtVhbnpDF40F+SSeUOatOVr3Um5F1zwY6CU3Z5EZVWqT1sgumJdmB4CcZzpSYOu0PImRdBT6FsF6vNsBjnB22H79aenRTTEfK7IPFpQEVMCJmlsgXjELKbwSOSA352by2OBuJU0agrbEX5rc0mxsRmNCHwS55e3C6VAYoUPo7q2qzzLZsCgdpll4RKi/WuRlHVXWxKyjVv+W09aYpXXpYHUaptRQeaufXdWcRD/rd4JsHwUtagu/mO89ujTaXblG/x7GbXRgw29t+lLCzKV5AfuMGdhdQShY2tUVH4gP2FX57rD9XRELM/iKawO38kfCxHaNQy7Be/LItaLTCkkBdErrm3SeUr4Boy65tBK5ogG+5hCf+adYJ2jEgFR+/DWslYpyvDB4prX+f0xhkUctCTeiDgMVqyxFvh32vdJ/TQFrbCHkLSK/IZyGQ5bsLB/wOxmjP1UFfo9nxJPvg8TCoIQCY2AUyEZEM0fEMkMfddHkTJJ7KW3PdRmPhKVLDNlWYcqnC205xgF6JOJ8LVOabW6v+eqa8dzn+jqImSzq+T2x6SRFV8GdYReQGeZ6odAATpBwmBFOQ/7066wUzNggQih7BrOY/4LhO876LzG/PqRh9JiI9wOtDFnCa1vg1wUnb7sRhnYN1SlXeSLuTVBqCbrXw99bzpR345fvjuV3PtC4DXXmx1vUsegieN/1+Cosr4Ce+afhqT3+F+cd+geW4Zw8oq2GUDNBQKZAxzQtEjdPhSYmyG4V9uh9pOrADDd2vKtuVG63ZviKvxVcrncNM7c7Jrzip/3zg2D5ae7TvqXSMlEokUwsVHxNBRXV6VBKHY/VCQYfQuZnjRKMLg1BCEOSIotEorHYRRdhldiUHomAHIcFOXL2VpzUM1X9H+UwTdNwXo9lPR5WckmU+jk/CducKAHaD5aRfugt/xogST7/0TtNUz21UUHHqEzrKyRqKCgYKsaHMwcO8tMzaSMpiDo0au9vZ3MWnDne5rD/KYhL9KKpS44C5ClGlgy8X6f1sN3tbNef59Jd/X/e/3hyZ15QSQ8967oUxKPm3Ci/Bg0a7FjugJg2WKhW08mrQfvm8R9nAZFW9sCoYPdYVYmin3OtLn67Yi9/3Fa20WUgA4aBdPWJ61lAOPHIwW/Gr7bJncTQqg7gZ+1s1dn21CIA6RfjdZyK5V9IaOFT6qyc5NoKsB+oXT9853AFa5EbdTdiHvjN2MIBIzunjAyWskiYN6cyJU31lutoxSP3irB4dxskWnii/Pi4EYd30Oq2DXUKaZx1W9ZNN8XTZJMlClWNkyBMjo4am7fxdH5yx+bilHV2dE20x+p5SKCYsuoWjWoNdTGGi5Qff6t66vybDUIFInBIcXUJRi8zPv0tD3eZDdPV5zbminnCRSuY7dvGqCHroPH6qTnPQPf6rWtKMeqiAmhsyZ6kN0f8P4Qpz4KU5MnYHVMdU1aqyxEWlwIJV8Bx5uoIbhNcuY24YuQZZOSMG8LLmyyMeLdV0AlGfmBqi1PjtYViho2NRa2bY5+XnBGfV8xM6RTXADhWItRu2oSHOYTS1vYByVLIFU7E8HMDCVZKSdvJe1TntADDYS51c+ht2/jUbnmYd6RyQ4ShtoHzgJtR0CYQoTliGBKQbVaaoWXL2zfBt9N5CYDdwN+CftKkVBh6bWhlpiHul2Nr/ax0HNq3UsEELz0a5TlwLlYg1P5KVHniZxAXS7VlCvUHX9fbaG9q36wUBzSUYnII6VOdWBMtR1udA8wWVOke4HH83baaG0KVabCRDk/dSWdplDgMdIjI35z/HpIwk0wI/vm5sw0WCb4VLIq7QxGCNqkJaOyJH0Wc6FzFQ59rX6KWLSJoKiD4jqLM8m09RZJAHejyGAB+98nr9B6sa/0oXXDoL//q516xfYjpTxTcN6QxGvt5JdBeupHDnRtgCA/amitDtHqu8sfVvEGdP+EzhbxyWdLx+vltKZZMsLzryf0UMYkaYqayVvjzUdAMzyPw958GSR+zZzTlcsGsfPQSuESEWbrXYxbESkwam4EZeLHSescaIATy3w6AsC/HL/4faSwJysrkCZJZS0CzBdsPM1wzZ1,iv:Za9EQYc9Zzhw28+gTV8BeZOphIrUpODvI71xboNQfv0=,tag:mcJ7+heEmmVl/CwnvQB45A==,type:str]
natallan.com: ENC[AES256_GCM,data:nc7QDUtsKlhfXaVc5gktDmvJGmLqAg69hzQZp1l411gvOO6yGrWzIuLJ52kAVKf1CH0Jfd7fzhDQhFRJ0nrnnHi9FHmLBYsAwvWP3wNzV5Fetly1DW6ozCUm6uSbcs46Gu2mxM0ozsIZnCwMO9p87cxAnZLL/jHKPsZ7ADHvDxYK6UsROhbkeCIfZ0dVf/1IH3FjkhfaEAAsZW+KYF8tynzKURHD0EJZWT4su43rf3pk9/fjyv2e1lxM3jx3KPrF1LJqwQhggmenJj9dhbRnxih2/Y5oF4lAmGqyUxJNTfn2yFd1DVaEElcl1DaXIiZ+HyDJH2rXAVE101VuUraJYe6wV1nzo0rziI2ZlTrs6qk2HDeiFmdEDbB5dahkLqDbttEjWJdxwVblDYrI2omKcFsXtQncpwczyZs+r3gSEJfG9PWV+eVzOzp+HLnmt68+mNIbtiSSAanDlvJJXw85XM853Nqxveru9Co4M2SpsM5FhWGK/f4A7tQLUFDUakcx175rYRTo5gpji4RUM47v0Gdd5qddw+/L0ruIXCKv0/f4IJ1seDwfsKlrRrMYSbG3oGbHB0bl/rNWTPlgDeLfR/nDCplsX+U+y5YsPcLLPAhlE9/7cS7CR7nwUWB/vgHVy6NoyiZin06l0Kz5Sh+onckdpYafhHKWqcazmPViMjslY0f6i76HGiZWdi79AqFFZ8nMgFfXqqyUMP4plU/jzn5Sb8mNixpSBtGTXPsAmkDxxpHxusVSAZOMR8MQF30gZ11di5epQbMK/VSkK9p+lHI=,iv:TMhgrwFes8a2tGrwi32emOXdAvGEGJV00cJ1Jl97OrI=,tag:KsTUPg0ykCFs685XOR9Peg==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
zure_kv: [] azure_kv: []
hc_vult: [] hc_vault: []
ge: age:
- recipient: ge1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: | enc: |
-----BEGIN GE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBocGE4ZGUweDdp0ZFYUdY YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBETG5pMVlDa2tDTFF5S2lQ
cDVoOEJrUVdoZ1kyWk91zRNUxTN2JQYVJRCk9QemlMdHRhRGlPakFPYmNEaGV6 V1BFNUU2bjgyT256YjNoMnZ1OWwrc0xmS21BCjcvd0pmbDhBS0gyRXcwUWQvemdi
nd6UVZrdWU3dWQ2SkRpS1c0MWhUMEEKLS0tIFE0eXI3Z3BkeG5ay9VRjdPaFgw UVIzMDlwWXU3K29qNWRpU2cxbFFKZWMKLS0tIFlIYlhyNmVMZFBqMnRjOXdldVcy
dVFrTCtSakxFY0hpRHZmQzNrWis3U3cKsxUYyjRk6Tb7nKAs1pALQJZb2QB9ope NzFGVU43N2EvWVRpaWhzN0p6TzVVeUEKsvZbM38E9MG1jl7RXgK/QE4DPGqqchw7
c74VLxs/6hl3cLgkD5//20b4TQYpcGq/lbCkeFI5pyU5zKuFHbE0A== NyKu6TijJUwfw3No7vS+DVZHtILxy/sjtM48T++Txf25+d++J3YY/A==
-----END GE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: ge17edew3hg3t5nte5g0505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: | enc: |
-----BEGIN GE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmaFY4SE1BSWxkMEh3U3ZC YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0V2RKdXpOb2cvYXFyUmtl
eGhNb3ExRXgvaHFUYVFyZ3iUSt2ZHRmeXhVCnlUUWdYQzJQUhOS28raFBOcSs2 UFpEeWZFaVVuZEt5QmxFUCsvRHVpdFVWOEJBCnZ5Nk13dzNiWHFmQytGU2lpaUlH
ZlZscnpzNnZIRXB1WHVXRVNJMlFPYjAKLS0tIDRlRGV0S2gwRVA0Wk2V2NLdnQ3 a0lYSXArZ3lUeGJWeXVKY05zRTc1aGsKLS0tIDYvNHAxR0lHbTg1Zm9XaXJoSGR1
NURGaHAreXNTeVJMY0xXUnFPMlcNmcKjSQDxUQMoREdEhyutDC3PXcVRgYXNLsE UGsvc0xIU0NUcGhUZmVpN01oTStDUXcKVlKnlqXpB04Ex015ZynOqJUJ3sEiHE8h
IvVK+GkthAyPfgYkia/j+tIZIHwI3aXshb9vMkf+4Rl4S4nayPHKw== tN+svpAdCfUgDVpUr8ynPWvW6kfeOh1RtW6Rr1Nl42WeGNsMdk8iNA==
-----END GE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: ge1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: | enc: |
-----BEGIN GE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOS3UEIxZVZuY0NheHl6NDJT YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxNlZ5ZTgyTkZKUXVqMlBy
XBjSjZsMUVNNy9nTmwzMWZXdlk1UXFvQlFJCmJrRjcyU1JieitBSDVyTlJZZTZ4 ajUxSEtWTEZLM3BvbHR5YnhzZVBxN1dLL0hBCjdDQnM4WnFzQU5TbUU4cURnbEdX
ZlA2empwU0tPcjhPcDN5enlkc3BQeTKLS0tIDBhRVh3bXl1QTFTL2UweS9GNmxL dFhUSlBQNnVyWG9zazIyTk90YlBtbEEKLS0tIEJsOVFqVU96OVptbXBTT21HcEpy
SnZWSzJRQXZkN1ByaGpwaTBjL29yQWK9GbYzpqKM52UDqvlBx3JXbkpoRkLt3e Mm1HN2ZtUzl6TnAza08zUG0zVTN4alUKhjafzCDCJw9ZScEBQ+W7ZDdUlT67l0b5
WN2gmSAqkQr9c8KMHqjjW61O1MqIAeKY3X/PHiu2cU0Uc+kfv0MEA== dTtSI1YMm8Q9EyxOA4ZH7UYe1b0h2+v2z2bv1J/CUTuzP+N3ksMmYg==
-----END GE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: ge1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkggc - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: | enc: |
-----BEGIN GE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvdStRbG5YdGplRkVuUXZn YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMdDFubmJTQjRSeW5YNmk3
ZFp4Mkh5dnB1GFQ3NrS0xxZHNDUVhem5FCmZNTEVhNmlSYmNDVWp3K1oxT0Ix akN5U1N6T3U5cm5VVkFtcVB5Rkp6NzZQQlNzClBpZlRpTG9MVzU0dElUOUI3MTVR
eDZzZlNSM3hrNlFKd0plUll4QnJucGcKLS0tIEVKdzJUSlQR1ZyZjNVSjc0N0hT eGdLNjVPTS9QbkNvYnhYWmRvV1RhM1EKLS0tIFNGK04zL3J4TUdmZ3VmOW5qQ3hw
QzNIaGVMUnhUR1kxN0FmZzdXN1daaEkKTOflqGPdSzNYRZeltDbkrZ6r++9GAdcL QndpUStZUFlBZ3RsZ2V2V3pPQzIwbEUKDtTBG7tMnxwaDvdPGvpw1RNOJwLDL7x8
UVV/9mnky4ZGOXkjykPQB6yvHy+g5qhhENre13NlBJNo3XlyFSEoQ== tOY1B3YQbS6Hj43c30NeeGYvFju676h94x+08ePSO4+ihdNMM387gQ==
-----END GE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: ge1j2r8mypw44uvqhfs53424h6fu2rkr5m7sl7rl3zn3xzv9m3dcqp97gw - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: | enc: |
-----BEGIN GE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSTNGR5K2grVTdUTGpwOFdm YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjZzJrVXZ0bFE0YndVRDhr
YmpMMXB2WGNXUzkyK1JDeVFHc1ZhWnN3b0NzCisyd0p5YmlhcFVPVloc3dwbnNJ WncwTjJ5dHhDVlJXQVpXbEI3QWtZNkZiS0ZzCm5FblhIR0NPZU96R2I4R2V2aCsv
b1lEY3FWOGl3aldWazV3Y09DbzlbUUKLS0tIFdmZ05TLyt3c0g3ZXNmdkZLVHV4 SUUxY3greVB5TDJzemRGbkdQdEtZRWcKLS0tIEkrQzRrcGJqOUt1WU1YMGFRTmor
M3lDZW9tUlR2T2NSclh4R3dNSnBoTDQK+53REvxwR6hu+K79TrdyPzyg9Gptt/Sr Njg3a2xNdEhEbjBKRFFqWUV3MGNkcmcKM+aSG/4FLuM/XsrwGyNYMk3dKr+CJO4z
309zukSR7TLPRM7Hf0dj3VfFqBjJlFmPj7c2dyZ0tNGVhEbRQ== yc0x4LzIGpN1MAMV4YBzKleL6nbv5LZbk17uaGdEe9VSJIM+GIhBLg==
-----END GE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lstmodified: "2024-04-08T01:58:59Z" - recipient: age1se7am4c5dh35aulf5zt38ymf600hz8gah4eudr9ml4fmr8h2eqxszuel73
mc: ENC[ES256_GCM,dt:9/Q43NdE9eP15Z0f4jYOjz5H0nTNrIec1CM0kIzteJg7t9xNTVw6SyKom/tquni+GEr3xEJKVrB/LHPXaiLqG1pK0PrPZR+D0WlAq5hJHAyhgOdQFwyL3mrM0ZZAWo3Bk7VJMsIhjA8WSxi3TfttH8xpHiiyhuebC5a9oo=,iv:L5EObYh8rkQUq8275EFZ35afVmjUeekHyTytm+s0Gt=,tg:lj8BxGoh0vWVQHI9ewsqzA==,type:str] enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPeWlJeFdlRW5NbFBka0Zt
ZWpiZGkxaTlaYW9jWFVSYWUrSTZvK1pyRWd3CnM3OEpFOGtYZWpoa2JibGxGODZS
SVI0cWdZaHpKVjBLemF3eENFUTYvNHcKLS0tIFFQNXZwOFQ1KzBMOUxuUUpkT2t0
a01TckpGaUFQTWYxN1dlY0MyeEVrcmsKsbvBgFCgyB1IsUQBdg2z2RK1Pqhp4+2G
PiYoxl01WOqjR7tR4pyyMwadOGxK7NUJGykYinwdap/DqAGbdKyebg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-10T07:58:45Z"
mac: ENC[AES256_GCM,data:OcJWd7icGYtZfLZGezGRGvYRfdLWBpgYeUQDBV+wsVwYpFEaXsuuISkj1UeAwSwZsyd3dHbjf23ynkAZqlvd+ThH84bVzwg6U79Jc9ut+QPI7jRE+Us/wz1k3h/jqld34lHT9wPmsyHvy2u066BNonXbZoP2/7vJAlwdqcZU6rU=,iv:jW47SHCpYz6dBGu/MkdKn2xDZo7NC/2HnhWYaqiQO18=,tag:VUTINSn8tsYLp9ARQLXj1A==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1

0
nixos/modules/nixos/services/bind/zone
View file

67
nixos/modules/nixos/services/cloudflare-dyndns/cloudflare-dyndns.sops.yaml
View file

@ -1,8 +1,8 @@
system: system:
networking: networking:
#ENC[AES256_GCM,data:TDvdPPvdl3DrEj5qW67F43J++D7V3YzfO6YL3g9P5vGMnC0IZAqETl1YbczJZflq9+RHooTcMbT3kIw/PC7xcC7bxQd0gV6Gk21iUw==,iv:Vy6/Vw5xX5gWttooacsDf5/dDVPW3VKjnpmKGFy+RhA=,tag:/Mitoy6mvym5/xY4dom4QA==,type:comment] #ENC[AES256_GCM,data:qhveeLaM/v48No/13sSjYbqdrdNlAv8fF9ZaQeTIgO3XKjvCbu3RNMmWLzR8tFKrIBn8EAmAN53LG9CIVd7QdXY3J68sHeOHKb9fNw==,iv:D6BSMXhIeBSftqmtlPACN121knQaVLKUYedmKyyA1CY=,tag:XcvdgpMB/72yzgquR9ORkA==,type:comment]
cloudflare-dyndns: cloudflare-dyndns:
apiTokenFile: ENC[AES256_GCM,data:q2KbAnezy/pZ80NzrDnkYJqmPpdws+DJR4wSWuZ78yOw53SP7Gec92JO4gQHZfrQNX0W5u8Df0RLc0uiXNnTia17MzWyFpRYiBtZ+jFdwUlqWn1ZzT6whIG8vHKNFEuZxDYy9IhAamtLZrpsmt0JYs6yog==,iv:53k9hR0GxErCk+HjtIaysaZhNt1cYOZbjwvhqKpbatc=,tag:hABkc/jzHErnlpQzkPeavw==,type:str] apiTokenFile: ENC[AES256_GCM,data:PhKfudZaWKI5xPBAk3jMYB2HRieEzjLoDw4cctCYxJshjXVkNfpybkZeNs6rFasXI3KBjZHcP5yC6KA1xDFKZqTqQvhoJGpQqpAQUy2MMgUCblG4MYoz+mHiBiEWKZWZhxikRAODAYeeeuVO70cdZiKLQQ==,iv:AY0vYBSl8Slzms7HLgUz4MrPHk0i6Y9wwRemgyDBsrg=,tag:sBxerSCfqWB2hZ9+WjBjgQ==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -12,50 +12,59 @@ sops:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtcCs0ZGRIaXhUY2kwU2VH YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTYys4SllQRGF0Q09HdzUw
Wm9GRXVvM0oySU43UkROUW1MNHlTY3BoN0VRCmNJUjcxbVpTNmxoaXNWckhNMkFP a0k0YTZTOVRkSFZaK2xZeWpjNDIydVZsNURnCm1pU2lzSzR4bXJqQ04rQkFrdU1y
bWR0eGNUVUkwVHBZcVp1Z2Q5OGYwUmcKLS0tIEc4bFp3cXBmR3ZKbEtnTldZeU52 YmUrTHFlWFdWbEN2TVo4RlRCaUFSK1EKLS0tIFNXUFgrSnNMbVA4ZVo4TWE3WS9p
TS9aQnp4cUxBRkZmQmVTSk92T3dkUFEKRGWQaqeL++nglVzX1RbbfdhhCMsKB64c UUVHZmpzQ1dGbmVnK2tXQlV3ZXNoWVEKWz8ryyNlZ190FSE/E06IazAdnYer5hgN
EsBkSk/dufQ+VjRFqPOW76SrgIHxR5EbmH4V1R42OBOxEJmwqczRiQ== YgC4Sa4EBXoMpe4UEsyHNknNY+NpJSYq/mAkkJiYxKA4zFW61o+JzQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzRGZNZFp4UjZHV3UxZHFP YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoejNQSzdyUkFhSWlrVG9S
Wk5vc2NMOEpndkV2aUpicTV6Y1M2aE93N0NVCjQyVVpBSjRWdWFzV2ovcHhPQ3R4 N1RpNkJQUUwrMWhKK05TWWFwbmlUUnpicUNBCi9nR2N0cWZROHBjWXhKdVFXRGxv
bnpxc2habWE2cHFUOE81b2t5cGJHK0EKLS0tIHVtQUVuMFM2RnNBUnMvK3c4eWpO WWQycHBsZEF4QnNFRGE2YWpKbUxFSGMKLS0tIDQySU00TVF1UkZXdHpKZUM0dS90
VnltK3pzcUxHRDRPS1VZWlJ2eHd1RTgKl440Bo+xdkcKUDUl6v3OoaJKd+EYkpMh Zmx6aHlxYS9TKzZWb2dUZG54OFlVWmsK6dQcFoFQVZA4oR7rJtfxLOA/hCiBUJZJ
gqGyQeIYDoNA2QC4ekCaCv4RMhkjT1CPIxDZV2KfM87+iB2jJK/G0Q== FqmNsr7ek/iuKfE/s7ZlL0bpHAIKdpCgpxcdW22PDkHJcl7hDTDypw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3ODJXaEZydXltNHZTTnhu YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBicjZUOGRpb3ozRFZRZ1F6
ZjNIbXA2S0dYb2NRSUhKUlBYUVlnMUtZWVJZCjg5eVQ1WHM4VEhBcGRSZ1VJWmRU eWxZc3NIY3VOMFp0clhsb29OWFU2UzF2ZUY0Cm0vdDIyZ05rQkd4NTR2Q3pEMlVv
cEd1V3BkK1NkRDN5MUpoU2tGZ2dscFUKLS0tIHNmcUdwdEsweEJwekZQSXF3dXgr ZVV3YVg3bmkyYmdrU3NaY1JGQm1STWMKLS0tIDNYRmZVUm1JR0xjd2c0SGlKK21D
SkVnWXdCREdlRVRLdEdlVzdzeDFxelEKqaPpTuDxh/v9vj3nc6VCB6CgCD0rrqIA VUNJR01URUV0K3R5QzY1dUd5b0tuaGMKmgJGFCVvV4DmQ5Kqf/jViWt3YnCSzeOi
st3JxRm0DFfjrqqA1urwVvlsMW05QmP8rZTlb3+Uar67Fj7V9niEpg== RiIpMva+BW5h/7L/6i1WGpwt9yuel1eYr+3lQmjef/POpsTrk5etsw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4bGpJcTdwMDhjSnVzVUov YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJcFRKVjFDcnFvV0VJOHJH
NzluNFJIbnhxQ3dlSXdocldPVkVISVNtejJJCnZjUW4rMXo5RDFWak92ZW9LSVM2 YnVEam0zdmtjakR1SlR5V3pBV1pucmNZY3hZCmpXRlNjU2xZVFNSVjJWRlFPZE8x
akgvT1Q0dnJmd0l6V0JRZUE2Wi9ZY28KLS0tIGo1T3p3YzBvK0s0M3djWFIzNFE1 YmxJb0J2d1ppcGlrR2NBaWFwM2NCS0EKLS0tIGpmbkdaWkZBczRzRXlqUFowd2l2
aUlHcWZVV2hQYldDZm1heDNtYUptZGcKaf9F8FQQiliNQzZnuFZ2doolfJ/R/NbZ UDB4a1JnZDdXcXgybTdIeURnYmFIQzQKGV7Uze0yGx74lYaSe850I+s3rB+h0ezA
yExXrqhg2kCQSY0bPoUZKBIrdFRQ2SVJfBn5YThz2XiK7ayBm3wt0w== DqH5SRjtZpmYpJZDppFkIEXcAN2q2At/U9fS1LJdOopYJrSbef8LSg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0S0pVcFlSNVZJSzdHU296 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2aHdtajRQeXhEK1JRcWVv
RUxmYXZjQW1jRFE5YmhncldUWDFzeng4eFZZClo4MnZqaEdBdXBiUDVQYk1nTTJK SFlBYXB4bkdqbzl6Q0lHS1hJQ0x3dG5mOEQwCnBKZnhLbDFIOTNJSHpkalNVOXdm
bTF6Qy9hbGFZT2g3TFdQREVsVSt6Z0UKLS0tIHNHMThrMTMrSXhDd1dCekxZS3Ro Ym1DUDU1bWtoSlVEWGFieGxPeTNrMFEKLS0tIENaa0NYVDV1R3VTdUc0b3VXSlhM
cUhrVWFuVE5QTitrbXNDVzk4TmFaNGMKtxL2Nh2R8RxK6Cme/GEr8ebJUNr+wJYO T3dKVWJhUlZKOG9PNUNTTGE0aU9nd28KPXDHnFPYZkxRadqYyHGQAdWJy4sH4LYz
S8UhoOG07m59GIgyce+IdGKD6rl9Y2LeGDwhnOq+7L8H5l5X+8xqbQ== KS5wKZZcK+kyPkQVf3QmB0A+YJc439CFc+t8zZihR1OZeSidCIUwLw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-08T01:59:28Z" - recipient: age1se7am4c5dh35aulf5zt38ymf600hz8gah4eudr9ml4fmr8h2eqxszuel73
mac: ENC[AES256_GCM,data:Cd8D58YH+/c2S+ViYnHR+eoEIQ8y8SKPuuUo4dvS78KJeuO33rADlghm9TiPLHH+JaPF52Yle0vsT6EWUJfOy+sE4Q4Esxohnj0mOBc3WM56tK4HMBpl5jDdplstkKzCtGtL8ztdjIB8g6+hcmFvXeHftKP9hPBRBc2yCmAxofM=,iv:C8oR1UW1z9HbbcjjksMyeepxngzVdizogKUVjZkN0ko=,tag:+fXA8NztLKL62NJIp+JJcg==,type:str] enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3dXNmTWxJeWN6azdzU2t1
TkRzazRCaEYxSTRTakozVFY4THorZW85Qm04CnBEYXRHbFkxck1keU9zOEtuakVz
Rzd3RWN3UzJRMU9HRlR1aCtqdzN6MXMKLS0tIDArMzNpNmRVUElhdXdrSVBVQ3dO
OUw2dnVzYnJKVjA1cUNxckkrNk0rbWMKEQ9HmXY6BOIlj8nuV4jOxJ091PNkcyaS
kW0onE22VurJQH45vVXc5uvVajwVCtNnHK9VwzvneQBOsXu3UB6RpQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-10T07:18:45Z"
mac: ENC[AES256_GCM,data:IGomSlCiHulZQ9ZkCpQ3dg4E6D4AXHjNwBBYubGCUIfPNU4lMn0pP0scdfXxOXvjX8dYpyDVZDaflIrSVFa9GFzI6ufqU9wziSfAuRBjEiQgrg/zJY8vwHAbladoKsLDRlChh8Yu3K82HBfAoRRKGsNCfY2OhkQCf7pyrubhMY4=,iv:TbW+JvoJz1gC2ElsU6LxQj4ctCUja6TySggGfleGSbU=,tag:XRgiDkOJFPvEw39UDl01EA==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1

3
nixos/modules/nixos/services/default.nix
View file

@ -11,7 +11,6 @@
./nfs ./nfs
./nix-serve ./nix-serve
./bind ./bind
./arr
./homepage
]; ];
} }

65
nixos/modules/nixos/services/dnscrypt-proxy2/dnscrypt-proxy2.sops.yaml
View file

@ -1,7 +1,7 @@
system: system:
networking: networking:
dnscrypt-proxy2: dnscrypt-proxy2:
forwarding-rules: ENC[AES256_GCM,data:P5GAwlcuUI2hXcJBzAPSQBviqi8z0ccz29sv1bsSx7lkD9isTaurylD07v3tlXFN,iv:lPIbdMpUMzyhnkakw4FSxvHolyNXMVuciwKK7jz9MMY=,tag:0pKhfclkbWbPBJ6/vs5a3w==,type:str] forwarding-rules: ENC[AES256_GCM,data:eGLh6dckR9E13wympTA2faMf6ChW6L2lM0zO/Ea9cIwTndtsbRU3dKh280vkdg==,iv:SS3cj+JkT64pn9anJBPtVHT2cQ5Ag2VLPpLFM1LkGS8=,tag:V/HyhSW/HDXp9LfOSjM4JA==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -11,50 +11,59 @@ sops:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiU2V4cmpHZ0hhRUlDNTU4 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1U1ZEaFZ5K21LMVVCU01l
c0FGTGxCTzNTTUJxN2lkZmZQUVlCRFVxZld3ClU2TmpxcHFvR0lZeVUxZ0x1YmFC UHYwUVZoMVM5bFZ3d3JXRjA5YUZDajZIbWhZCjRGRitzU1pvc3d3LzNWaXN1NFJE
bFZ4QlQvajNxYTByenlDVXNJb0dGNEEKLS0tIFQvaUhCYnE4MWc1bFZtSlB6cDFq M0RhQVBQVWxoZ2R6bEdHRVFwcDBid0EKLS0tIHJtaVVvd3NCbFFqOTVZY2o2cHNQ
aTJyS2RGWFJTNEd3Rlo3dVN6UjhlUVEKZvaWNTcKkSzLDsQ99S3/d9eQ350QM+e0 aEdiNXZoc3ZiUzFyT0lPV2F1R2JLR1kKMFHEXnH/3qgwtJ8koKMCmSMi4IwtwxW4
R19K1QHuljx3vKV+LhnJ+fCUL5bnIhvDCFVnWBWGirVzJNp4iwfuWw== 5kFFGaxQ47CejOJzNnrsOyDCKJtv8+3arzwlhuZSG2558trcvugCaw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnbnR4T1d4M3pKdExGYUZZ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHUmlHNnNrd0E5cFQ4ZTl4
Y0R4WVNLZnZJTmhqVW4vSzJwZjkxdk92N3lNCk9iWmJNZHVZVDFINEErRi9JZjBZ ZXJmRGtScW5Nc3M5SHlqbkIxbWlTb2YzSFIwCmZ3a2llTHlITnBwMjc1UDlhRFNn
MDEyM1Q3cGZDWkUyZEZhaVo3K2FpUjgKLS0tIEhHR0dTak43T3pDcUtvYk02aFZZ TkRpK0dKSWROTWsybWNGeGpBZWZiK1EKLS0tICtHYmNMV2RaY2llOEJpeDNqV1FT
M2w2RDV4UmY1Zll5WjdxSWIxZVhVMUUKAvOmavnidng3QxxHaVqQKwq9TMgbusOE ejh2bTlVVE9QUXNRR3pLN1NCM0VVNUEKdesWjss0MoH6SABH1ZLT1fauZVOJyO8U
SnBx1ShiX0m7ZBLHPzcHuwzEOxYRvpKuV1tVDVbROPfaOYusgIMa+A== 9mqP/WsE727MhwsodZAnccQ906mm8IGK0LtCUxUhlJGZl+Vw5n4eqg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRaWV0VGZFc0toUXJURURF YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmNEJwR1ljN1ZwMWt2c3NW
eDRKMGV6UktYWVRUcFJKVTdiQ3h6LzhlV2tRCjVMZkFqWGZCV1Q5OFBkOW1lWnFj QmlPNUNvYTh3QmQzSkJKa3EzMlN5VjZwS2tzClFrQzFYdHN5eXNZOUVWeFZIMkll
NGFMVXBNbVF4azlUV3dLZFB3aHdnZk0KLS0tIEFObC9ING4wRUtwZXhOS2VRcnR3 YzRUcDkvWTVoTHJwSW11dTZJTVZtd2sKLS0tIGRUdGJ0SWJ6RDBjL25qenBWMXQ5
NnkrVjdGcFE0cGtEY0Vub3Z5R09zVWcKEjgqoO+4n02mwa8idy1FdASqoCkB4Ooe Q1pUTlIxSFRiQ0JQb3VzdzBIQTd1RTQKis/oM+GK1zWRlSePma3dAsfOAI7d0HLB
j04tUVa0xufui6gITvO9DBgXbSdni5wbtabZNJ13S3dgWVY4CiDuYw== RByMVCfQhVcwalWFg5kdSguUkpTX9FFkYKELDMluSyec3APRA6w1UA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6aC9hTTB1enJYcUpiUHZS YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1Y21VVmUyaS9DUkNTM0N5
eENnaEhPL3JIeGp5QmczQ1pSMTRmejZ1L0FNCldzM2FFSm9NaTNGTHVmNTJwVW9F S1kxdGR3MDBRM1kxcHc1UWRxSnhzY2h3L0FZCjY4S24vQS83Z2V6aGRVV0UwSUpY
YXIrSGFsWG05U0NXdWg2VUQ1NDVyYWsKLS0tIFQxd2hpMXJRWXhJclFzQjVzZWFI ZG1mYzF0MXVUOC9HNXNFRzRZb3VwQ2cKLS0tIEdUSy8zSHNrN0s1SUt3anE4eGwr
VHdoVHJnNit3OE5mU2YvTjYxSmxkcXcKBips96WiE/NI7GWZVUOzdJSTIyoG4U4R VzM4eExndDIyeVdRVFIza25xcVlJd28KSsMwl6kWUiA/1euqHhuicwrhApVBs/zb
haVYaHJJ1xW/E7WqJKn/E+wiMHFNcQJFOi6/JkWGLCkEE5tDLSDibw== lf5ez4x8FDiZKY+fyhJRSrZnW607d48OegIjZrslJLSU2EBqt+ZHXg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVY0pEaVR5NWMzR29YQUFY YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCWG9HNSswN3RiYk9KcW5S
R1p2ZFdEaVN1NXYzMW9oR3V2aXJxdDR2QlFvCmxsVDBCQUZnRllvY3NEMm1DQXpj dGNpWXcvZXNsVmR2dmtOZjRTL09DVmw4ekVzCmhwZVh5M0hHMW9VM0tDZnp6bUVO
aDRCZjlnM0xZaVpTVlpXd08wU1VIR3cKLS0tIHo5TGNmMXZHSXpYQW5ITHpwTWJE TFdyeVVqaldqdlk2Uk1vbCtMbXlZSkkKLS0tIE4vWGhaOUZZbWRlZkRtWXJkOXMv
a1hDZXkxSG9FR0laYW9nZXFnN0NyUUUKa9dtMzPzZqWi1Z6gBxOh355Om8865AT5 TCtaeERmVWpXNlFLS2pTNVZVK1Y3NFEKV5keoMVWpjC6H9enpcNwOb1kraWlKAJD
j0SjD1Zl00RvaC6mZQrhOB6Aq+eYHe3w29jkmkAGvIHXH8p1fNt8Hg== E9qoFk70o4LOJbp+WauuNw8I6/WIxgKxUr4xN4Uj/WN+/IG3NtssZw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-06T05:12:13Z" - recipient: age1se7am4c5dh35aulf5zt38ymf600hz8gah4eudr9ml4fmr8h2eqxszuel73
mac: ENC[AES256_GCM,data:JVJ58TeYh66P6PuhSeCAZpXS5tu4H33rG5GZcJYorhT8Bldn72CTo9AhyhNzVHhfK1fIPI6VLyQM5rBUxBQVHWufx8hnYDrhBQdR9d3po8KKnyfpNgYS0rhifYyon5GUl4BW89RaD45+ZbrE1kIsqCYwwim/bcVYqXuRh1CGYeA=,iv:lRU08rccGMH5ykhSE8bREkog4ftXUporCj+YMsOmUN8=,tag:tIekpP6QIp1Ce2s4a2qO8Q==,type:str] enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3K05kM2M4NU9vRTVGQWpO
SWRWckhyTmxaTSttNHRFbVJyZkF6ZldzVkRRCklIekxYZW8wNWtlOER6d24yM1NE
R1U0WExrbU5QbEhoZXp4c0xLT3ZuNFEKLS0tIGZrN1JiR1RRajB2MEhYb3FMZlcr
MXhHSlRORktTMlZKenpKOUpQeWd2ZDQKluaK9G++4UbKZZ+eesZd+7j+uZ3VEsOm
FPEUQJnnxNCou2t2CoDNwm9u4xyQJXBW2Au6ucJx9noLpjvuB/NZUw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-10T07:18:45Z"
mac: ENC[AES256_GCM,data:rOSRK5QlwvURaliwEeowRNJfQRnvj0cuu6TPvmtSpcX4BBuqZ9zItmXm6aGPVAJaRgEznRVjdA9yLRDU8p/bwZckeyaR0Z5Sf7N9e9Gq9NaX1goT190wIADy1pHnCbf2nroNao38M8AH+REwJ21yWLAfSf26i6YTJgQFgmypEFQ=,iv:7pyXsGJmWgU9l4jSzPqYNgzNzvIjDT2jy238QE6UghU=,tag:dq5mNG0Qr0380vfhDGWjsg==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1

65
nixos/modules/nixos/services/maddy/maddy.sops.yaml
View file

@ -1,7 +1,7 @@
system: system:
mail: mail:
maddy: maddy:
envFile: ENC[AES256_GCM,data:9WbOJfLkcobfnZJBOVqMaw8UNCH7kwXz5Cle5PHEUSLMAtrUKXTEmjkD+nYZK1sdf0fueGxNTxS20f+W+rRBRDMGT3VpJtdFAizt3vprkV/n4y5X/qHtu4y9WmnkfjHfHsJyt2h3DkmD/IV5p21VU3dc+rFGeiFza9jar2WhlrDLRAA=,iv:3Cw9JBiHlmFq2oMHyUQn88fxHifimdOjn69EcRnP1Zg=,tag:I+1hs8C8WbEr+w6aye1Kxw==,type:str] envFile: ENC[AES256_GCM,data:g2KPadrCaW/TWvoRc+AbhdJbSgG2FcL+h1k+0FCgzHkQ4dFhIBunFIw0jdPvV8Xou+/gLw7Mogkgg/MMzJzsvUHkosK1TotH8TaKxtJ0VsH0SlDWrOhFUMrt1474/O3iLkS5YK2U9+3r9HIJ2SqnSy6Kp9IZWrh7ttbWvOth5pdfR0g=,iv:rzpBXGhCWzRMkLNhgQaT42exCKfMTJlcSFRFsDz6Jns=,tag:KPypsSSuxgBvf7LAMdudRA==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -11,50 +11,59 @@ sops:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4Ri81REp4T2xXZGNZWTRj YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5c1FCWWlsTzg0NHdKOHEw
UmR0ZmlweTQzaGhkTExBWVg2bjhvVXhIQVFRCjM3STlpekJEaU9VM1cvQ2dTa25Q SENVRzlKL21DWFZ5SlV0ZDVNSmgxSEV2K0M0CmVlSjR5OW45VVp4Sm1LV2J0bTYv
SmhxMW9ENGxRdzdpTS9VZUJQQUx6cEkKLS0tIHV3NDBHbFBuRnM0OFQ3WDd6Tmor SWl2cWEwTzBXZG9FdGkrVnFDQnIzcTAKLS0tIEJnendjTmRGZis0eEI4MHJtNkpY
dEVUeW00SUdGQTFZSXpiZlkwWCt4SVkKabNchXZ58+lR1EvuOS8131g1OuhlJOiX aUpEeW1xWTI2RVJza09DU2lhdzcwWlUKdZjovENidw2gsdhrwd2CfBVW8Sghx2x9
Co11IqKudC80CM5KKlAmYcgzQNQvHJ+mDJHUG4Da7Q1aSBvu7nO/4w== oZCM5u6089go+wQuhyURhyG8ZFSwAylA65VPTH9mm9hpV7AMSbS6Bw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqTlZJNHpvcXorR29iWW83 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqOUs0ejBMN0YyVjR4Q3cz
REVMUXBXSENia0ovcldKS2dxUGdyYTJ0akZZCjAxS1RyeTZ4SStyeWdoOVlRT1NF YnhLZ1d5Sk1tbnRMWmZlR01zY0owaWlaeEMwCjlKZ09pSjdob1NKL2FuRzlXTkdq
UE8wMFZwRGhIUkxKTVd4ZHdmeTArMlUKLS0tICtBdk8xd01zT2pNdjE5d292bjJu a0c4YjhGZytHTERvaWg2bEZCQjNiL0EKLS0tIGttdDE4VG0xYUEzc0pOM25ZVXBi
NENlVVV1SWpWWDJ0R3BDR08yUjdISWsKl/57RicdIvCDEfa2tgfJgWG+H0Iokx0T ZnZ6TzBjeXdGSnVsTktGN0k3WkJsOWsKg6vWDZA9fScS2Vw5Iz+jt9TcUMK/K8/G
5fOtsbLFx79pHGiuOaUMBXL9LuEAcoIpTJrK8XrythIIfPQNST0P+w== /Y+SYNoRP90Iov6idl4LJugsRRjY3X+AjAy+ThHEzanIFMOUSkdQ+g==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1ME53U3RUb3pKdDNhTm5o YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlUVNxQldIaXk2WU5hR2RF
eWRDWDZGVGJPVWIvSnpQUkRRcXdVclppMFFzCjF4YVpRS1dCYk1VQi9FYmJuc2VI R1Q2QnJIY1JLcDE4QWZjeHdBQlRHZE9BTHhnCkhZQkppWHIxR1N4MGFVWjNlbk11
YUJrNWRTaE5UWm9OWVJ2UzJDaE9jVjAKLS0tIE0zWmFmSlhGN241QVJoUWpqTUpu UldBMllITk1Tekl4MVY0MXpQT092cG8KLS0tIDRaYVdwT3VYRHJzVVlueW8xL3hQ
dmN6ZWs1THZ4bWViK2dJeTh2Q1dnQ2cKg7BQoyElsRF3Udx1aHLSK+dGVcyZUnLe UGU5SGJVSU50OW1OS3hRRGNKSnI0WjgKR22yT/87dDaUnUn5p66Mp/sAkaFofHJ4
+4inhxJj07J0rfIhME5hY0FDf4z6uJ4VhmQOoDSL82FML5GGBrS79A== k9tYGeZ0ASqRG0FMOZO6er41M6MzBt66jDxnkeJsa8ZW/qa4tx4MCA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBNTE1ZjJlVzNSMm8zZzRZ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKSU55S1B1QXl5UElqbHRX
alNBaGFSOHRxWE9LdHI3azFienk1OTRnTURZCjU4enpTcHFlOXBzalZqbGFXQXB6 WmVMcFNOZXVjVDhzeTRJVWJUV2JVeUhqc0RFCjJYT2wyem45Vlh1WkpTR3BsSnVt
c3FON0FsQStDOUtaQm1xNVBIWWdiMTAKLS0tICt5MVBDNGJGMVhBaWhRUW5LeWsw T0VxbEExVGlySENJQXVSRmZXMDAzZnMKLS0tIFpLZHJQekdGRTZrYys2cXlVTmVv
VExYT3BiNThraEM2Y0EvdGFDUU9OZW8K8feLH4aFtQB+AypdriaS6HyX2T/Ziz/E RElIUFZURktLd2trcnRKVXArV0pkQUUKXwaXOUQWDqJhtgIKz0wwTIyh9bED87mm
7vROXS8BoU60RXcCcUE8v8HnrZ+eslWgR91Jw1Uvc0j1jqm5+A2yDw== E/0dYsbdMcpguk3FRT4g3mcuU2w4b57l/0pcGWui1QwHWsA3X/tkJA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCUUFUQXBvVkN5aVB4cGhG YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2R0VlSGRuK2g2d0xUODFq
Q3Z0RFc1ajJCbEhWUWVKVCtRTGs5NVRDaDNZCmVXbldRbm5CT0tQZDhXei9IQ0E3 YVBCU0tqaG96Z1RhSWJ5KzAxcGtPeDc2UTNnClVtb0NnazJuZFhFdzhoVzY2cXcw
YS8rTnNsQkVtU3NTWnNCUEx2U1grT2MKLS0tIEVlaFlieGVWQ3hnWWQzMElaeG4z a3k0c0s5OVRPeFQzazcyTjVXVG4ySjgKLS0tIFVlSU1QUlRPSFcvcDVBNWo1b0cv
NWRYMDhnNURKUldQUzhhNXR4MC93OVEKrm6N5Nvr0ywLwzT24eTSlKotBuE2u+2O QS9jZWNuYlE4U3FhTmNWZFNvT3lzZkkKsQDEqNUUUcNXKvAip9a0SSEIVglgHrmI
7EXddIRuKEg1Lc0DporbE1eXAehKSofp10pmzXfLlp6dF82asIro9Q== qvfv8dGMxmh55RYJ6+jOypMhwD2HcIqBBUvSUIAW31K0k9SqmrNx8g==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-08T01:59:36Z" - recipient: age1se7am4c5dh35aulf5zt38ymf600hz8gah4eudr9ml4fmr8h2eqxszuel73
mac: ENC[AES256_GCM,data:GtTLqVnxurgGZNIXBNJ0P+huf24hwVOzabFJUZ+E8vBfV3sebV/V20K/rPKX84USpAh+7D59x8iVI5ZsBZEpAPXemYkDQk/6qfeGso514prPS8HqjQJxQ0NHqC7bv16/b5WltJEGjL+AkpJLJnWdBSzO7x7LgVMKtnpc+r3qm3Q=,iv:lbZ8OQS5MdSwj1Usag6UUR+4Yo51d2lglSknWH0UD5s=,tag:lZFGSPWrnJLIX5EqLTxYdw==,type:str] enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArZlhXY1ZReloxODlRWVdr
SFh5eDhWS0pGV0xYcGxicHhFZ0JxUkF4RkVRCmRhaGl0ZktiY3ZKSm1uTS9VWFFQ
Z2Q3V1lKNldHaVUxWC9rUS9scFB3UncKLS0tIGJ3NnZUNnhxWjRseTdGQW9oakhj
SkZnMHhDRENkSExNWkFKUU9XOTVQb0UKzCbZsDqSwbtHRkKH7oXOITHJ5LHU3pzp
7pEsBGmhk8PyNHlaJlAWXunqBW+zD7tuhJgH+hSA/Wr46y2Hck5P1Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-10T07:18:45Z"
mac: ENC[AES256_GCM,data:5of7TtrBQXrreK6yxAZ4zddm0byWbAyvWmJSDQ1LC7GmIxJOWHeY0Mvy/oUqioz5HbEjQIt84ftQLpPeJHed3qfsqujV4lXWyb66R+lXw9JvkCx02KgM3Jli82etjv91EzPv1HolfSv6e6pQd6xjhpPQTGucp4Ombu4PvzU9Q3Y=,iv:JINmbJloNXcF503e6Iwvp8+zrjfXTmRBNXX8KPqIDo4=,tag:zo8IjbFb5zsNVi0sCfhNKw==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1

3
nixos/modules/nixos/services/podman/default.nix
View file

@ -35,12 +35,11 @@ in
# extra user for containers # extra user for containers
users.users.kah = { users.users.kah = {
uid = 568; uid = 568;
group = "kah"; group = "kah";
}; };
users.groups.kah = { }; users.groups.kah = { };
users.users.truxnell.extraGroups = [ "kah" ];
}; };
} }

66
nixos/modules/nixos/services/traefik/default.nix
View file

@ -11,17 +11,34 @@ in
{ {
options.mySystem.services.traefik.enable = mkEnableOption "Traefik reverse proxy"; options.mySystem.services.traefik.enable = mkEnableOption "Traefik reverse proxy";
# TODO add to homepage
# modules.homepage.infrastructure-services = [{
# Traefik = {
# icon = "traefik.svg";
# description = "Reverse proxy";
# href = "https://traefik.dhupar.xyz:444";
# };
# }];
config = mkIf cfg.enable { config = mkIf cfg.enable {
lib.mySystem.mkTraefikLabels = options: (
let
inherit (options) name;
subdomain = if builtins.hasAttr "subdomain" options then options.subdomain else options.name;
# created if port is specified
service = if builtins.hasAttr "service" options then options.service else options.name;
middleware = if builtins.hasAttr "middleware" options then options.middleware else "local-ip-only@file";
in
{
"traefik.enable" = "true";
"traefik.http.routers.${name}.rule" = "Host(`${options.name}.${config.networking.domain}`)";
"traefik.http.routers.${name}.entrypoints" = "websecure";
"traefik.http.routers.${name}.middlewares" = "${middleware}";
} // lib.attrsets.optionalAttrs (builtins.hasAttr "port" options) {
"traefik.http.routers.${name}.service" = service;
"traefik.http.services.${service}.loadbalancer.server.port" = "${builtins.toString options.port}";
} // lib.attrsets.optionalAttrs (builtins.hasAttr "scheme" options) {
"traefik.http.routers.${name}.service" = service;
"traefik.http.services.${service}.loadbalancer.server.scheme" = "${options.scheme}";
} // lib.attrsets.optionalAttrs (builtins.hasAttr "service" options) {
"traefik.http.routers.${name}.service" = service;
}
);
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
sops.secrets."system/services/traefik/apiTokenFile".sopsFile = ./secrets.sops.yaml; sops.secrets."system/services/traefik/apiTokenFile".sopsFile = ./secrets.sops.yaml;
@ -35,6 +52,9 @@ in
]; ];
}; };
# add user to group to view files/storage
users.users.truxnell.extraGroups = [ config.services.traefik.group ];
services.traefik = { services.traefik = {
enable = true; enable = true;
group = "podman"; # podman backend, required to access socket group = "podman"; # podman backend, required to access socket
@ -95,7 +115,7 @@ in
http.middlewares = { http.middlewares = {
# Whitelist local network and VPN addresses # Whitelist local network and VPN addresses
local-only.ipWhiteList.sourceRange = [ local-ip-only.ipWhiteList.sourceRange = [
"127.0.0.1/32" # localhost "127.0.0.1/32" # localhost
"192.168.0.0/16" # RFC1918 "192.168.0.0/16" # RFC1918
"10.0.0.0/8" # RFC1918 "10.0.0.0/8" # RFC1918
@ -158,13 +178,35 @@ in
main = "${config.networking.domain}"; main = "${config.networking.domain}";
sans = "*.${config.networking.domain}"; sans = "*.${config.networking.domain}";
}]; }];
middlewares = "local-only@file"; middlewares = "local-ip-only@file";
service = "api@internal"; service = "api@internal";
}; };
};
};
}; };
}; mySystem.services.homepage.infrastructure-services = [
{
Traefik = {
icon = "traefik.png";
href = "https://traefik.${config.networking.domain}/dashboard/";
description = "Reverse Proxy";
widget = {
type = "traefik";
url = "https://traefik.${config.networking.domain}";
}; };
}; };
} }
];
mySystem.services.gatus.monitors = mkIf config.mySystem.services.gatus.enable [{
name = "traefik";
group = "infrastructure";
url = "https://traefik.${config.networking.domain}";
interval = "30s";
conditions = [ "[CONNECTED] == true" ];
}];
};
}

67
nixos/modules/nixos/services/traefik/secrets.sops.yaml
View file

@ -1,8 +1,8 @@
system: system:
services: services:
#ENC[AES256_GCM,data:L5ZUZZoFkMaTErRqwkG03SVET5x6AVL+4OvX6ukQlvFX+P9ICYY6lDGDmJARUXDm2yW6hllqA2FxoteFXT5LEikraLywI5jGDgQMGw==,iv:fHYZ9LBvFVT24xeN7HSjlNhFse/MIhb6/3XCUbdCppA=,tag:tq+MbSt+jhvNJfdpuQ5ddg==,type:comment] #ENC[AES256_GCM,data:VQrWiLlHkqKk80oZqXVyLJt8JBaLIoqKr7tGlXxaRD4Dny8/ZlOy6qw4Bdj6vEUmawBDlHEK+sn93+XnmwzHgnWtUdzgzbAklBSnoA==,iv:Pq3DN3+iWW4mnFSiRhqo+SI3HNZoqjvsuQYaPXKYTZg=,tag:G0yjrWrpnHBn/TB+HUEL3Q==,type:comment]
traefik: traefik:
apiTokenFile: ENC[AES256_GCM,data:hVIUCHU/AU6SOGt7JEVYuE55LlT7AhSuRpkCEWrsKxhy0K5jRZhYb4G30sXrOv80gb8T82ItYjpi5ytckGq325A4Uzn2dYQ4P9sv1uRxrcJrSOuMvpeWnijT33wbxn/fcg==,iv:5065MjT63rYvx/+ivfVha/+VxaTaHicfmshPI/9qfYw=,tag:S7t/Fr5R30lwO3KvuDjHWw==,type:str] apiTokenFile: ENC[AES256_GCM,data:ja9KJ7/jhEJnEyI7Nj/9CtnP+VOP0Xpv2ZSmxAvHcRhcE3JG4NSHN1YgxzbzCwa0xvy1vMf4Qw0R/zHbmdgytgzBPuWHoML+GJndY6LDJlihda5gXG909KWOTuTIbuGqvw==,iv:zmDwzHpYdpBuhEHieJxiSRSkHWaHgshysaJkbGGpMzM=,tag:QErXZHxZKPsWhuJProt0Tg==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -12,50 +12,59 @@ sops:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLbVBCZGdUU3dJR0VXMUQ2 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIVHcyRjRJZW9ZQlZBa3py
ZUhYcEZkYVBRZkxteGkzaXdDNUVzNjdFUWxrCkgwcXZYZlZ2Wk1KbDg2VGpmZXQ5 djV5THprVjhPT3JGT1Z0MjhkNlFKdFZnNFhjCkpmUVhGTmlyQXJVOExxQ2ZaNjEx
K3ZxR21FZGpJWFpSakltdzN6MUh0b28KLS0tIHRDK2dKQ1Q0UGpBM2oyYzhuSGo2 TllocWNOSjBmVUtCblNUb3V3TkVuSWcKLS0tIDh6T1FKZmx6K1dWZEVlMUU3S2RC
TWFTYnpYbDZPeUVtbTdXNm84RFJoaDQKFB0HX9yJ6D5jQRd8qUsLUy4ZcweYv1Qh MG10QTAzU2l2azg2Tlh5L0dxRG1aQ0kKED5IgaOfb4rBbfpd2XzCbzF7wXyNj+6T
BJlQJOlMi+OliSiWOPsI8L8SJSTWJvy6ZX/LcebuQ0tlXeNd3HYAQQ== VYYAnxILFNm0FcqeV9sCva40KidCBGL9FRaURJLOIK6Nl8vtGO61Ew==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBTXp6aExQTVh4OFVKV1Nz YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAybm9lWS9JWXZybnVKR1Q1
UU0zbEJnR3Nvb256TllyYXg4OTVOektoSURnCllWZUpwc3ZObjlWT0YyLzRiQ0dM UDB0djBKdTQ1aFdUM1dScDFFOGMyeGM5Nm53ClpzbVBWZjZydkY4NVVQT3lMK3l5
Sy9GSCtsTkZyVkJ1dDJnbmh2ZHdrZG8KLS0tIDRPakxzRWt6ckRzZzVZQzN6RVlU NjRkbHFxZlYvOXBoWGNPVGJQQkxsclUKLS0tIDFiR1IzZEhxbUFSUzV0Qzh3aFBs
MEhwbFpIK3hTeGttS0x3Q0dHdHZhNG8KovgKj2k7N/lpGT2j+e1u+3uX3EAMwAwt WFYwa3NsR0VHb2RkQ1JyZnhMR2Rkc1UKi3X1ZzzMzr565t889tCM1duwqu+HlXAS
uHI2LqEtfaMJZQvsP409G4QkEy+o7GJ7N3LpAXFAPvnJbH5/n7WxiA== G/4aaaqJr+7TMmjuNIVh2o19XNv0SquW1RWbv1dJ7fc4maXnaJBxSw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCZjFiSDIzMVVNMmk3ZlBn YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxUVBUMmp1NVNsRldvS0Ns
SFFpbE10Q0ZZMlhGbElMTURjeDFhUmlnNmdrCk55ZHY0Y3o2SGtaM2ZOTE5QOFo1 Vk9Sd1JzS1REdGMxMWNaNnNEWVpCWVFIY0dFCjlLc0w0T01Oc0RUTXQ2eFNjMjBF
WVdEWGtzWTIxbWtXMmF5V3JvVjBpVFEKLS0tIEtVMldydlRvdHJLYzVnQy9kUnNZ ZGFjOHc0czREcTF5L1QvWWc1TWpxK28KLS0tIHpHUnlhbC9SbTEzUGtNQ2U1aXk4
OHJUSlBlQ3Rhb1RYUVNQSWNLWU5NOGcKEHjjav+ACT+HQ9haoMfRei7cAOPugMDs bFZQbm1HYTRoUlFrVVdRcUt1Sk83eTAKhtrNaITlaCSJaIlN93SwsTIX6IoKtO0W
JsSRPWnVBYPx+9AxDY030Aw6vMw9+rFSuCp3PMH4mNbCcCucaIWWSA== 2rJWmtVzZ2gpgBpqGUS+do/mJ09ltmsz0dc9/wbSTNgVKC+kcef0Cg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzQWhCM2dpZDFkVVE4SVJq YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTZkpjNm1nbm5nR3V3RFhy
SXY1ZVh2ZWlDRnN4d2hsREpwU0tYMmpKK0hzCmhkSllSM0NGdHZiV0o4dWVac2Ft WTIrMjZOMHozS0JiNHZGZFRQa0Q3aDhGeldnCmtmUC9NSFFsdnozOGZuR1hyWU5Z
Y01nUlBKUHg4eE1YZWZlU29Vd2lEelEKLS0tIG9DdmdoaWVBMTJ2WnBnWXI5d1ZX b0t4Y3lyNVVodWxPaXlYandkYXlON0UKLS0tIGNrR1dmSU1LNS91d09GbkdmZkFj
VGtCSTdPcDZHeVdUL1Z6S3hoUE9IR2sK8WyNXZDiJG3ox+nBcwTXdn3fmd4kS2z/ S2lxSGlNWHltUFhaQ1lRQ01aalNPWDgKmRpcodDVgO9Rb2zpRKmIUaS00FoAyCif
aUV6ql3vLdsu3/BxLq3v00AXXYNOnWmVrUxTJ9Lv1j0FM5Gh5LupQw== izDG6Tcsf4fa4wnMVwKBRnmJHJ8OTyDThk5RIv96ZlAVrZJAn7p77w==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVdU9TeFlSUWZISytBTnNn YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrVXRjRHV5NStlU2Q4Qzhw
RWlITURiQnY2Ni9LMWZ4R0pBWDJmaHpTZDJ3ClVackV1UHNYUXFmeUliT0h1aHNR ZHBhUzYydlB5TlUzQzJKQ0dtRFZSYTZMNml3CkRqSkRKYWdTWFlJYm9aNlAzdjg0
S0M4NWg0NkYrL2V4NXlIUDJ6RE8rODgKLS0tIGEwdGpxNVNtVDc0M0k1ejl1ZmFX Q2Urc2QzRkV3SG9UZ0U4b0RmcE9qOUEKLS0tIFM0bG1hSWV1bGRUTDBNaWVaOGFk
c2VQSk53WEFoTFdFUTM3eWNVamxwNTgKBYqQy+ILW9MdRPDgRBVw8sOyYF40rhYz eWFqK2taVTN2aE5yVWQvTXhPQXN0SEEKUtgEBN5hxt+8N0/CuuqrFfTVlb4WGieR
yP+Bu6EBAjJDOP/Ywx6I7u6AmlTRcOtk8PmJ8eo3raP07at+jrXsaw== Ww8jDkzXsmaYcbTRv0lajyxdTlfhubhDcKSWguP5PzqRC5cdJxXpqg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-05T08:20:07Z" - recipient: age1se7am4c5dh35aulf5zt38ymf600hz8gah4eudr9ml4fmr8h2eqxszuel73
mac: ENC[AES256_GCM,data:a/J87IQL0X7XQycpZXWg2otlBe7/W7Ebe0CAKunnyF8Gm9RRMWdECrFeBDtAyVAHl2F6gqlNTyEMsOVE+aR6+xu91rXr332k66SnSQcMOjQ987+r+t3b1hUZ9Cz+qNbtepXaGTuCNQ0JH+o3ezkA1D6BDIvf6S4IRWRT9psOiHI=,iv:2TXiGQDDK2nSTAb+n3baFfng9jDPoe7Ts9Au9dTRclA=,tag:MZFBEcpOmoX0TN33OMoApg==,type:str] enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmK2FjbGJkbmFqekUwOFkx
d2ZDN2ZZRU5pMENNbjlVRTIrZGlGNEtpanhvClBDbndLcHFTbldlZlZ1aGpHMDFP
ZW53Y1pBbGJ6dFR1Y1ZWbU01Q2lKdUUKLS0tIGRoSDdSbmIzSjBEamZIQ2Q4KzBK
emttN0Jmak5DU0R1cDlxdmkzL2tQT3cKW/3h9EQnwzw0AvLKv5yPc3boXKcgqFv+
rLyBO0sTld1T8JQ5tpw9dX/H8RgKXu+9E2zVdHWkPrnEpRlK11TyRg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-10T07:18:45Z"
mac: ENC[AES256_GCM,data:mVVRkH+oCh+V/witg8XWh9pfDSOMc3nRCxnyqoE3DVA1XEiX3T7dC9bbJspAUGI+fte19u0FafbswmRUO1K70zfXkRhK4GKDRyAysBmdCZXpcf3IIlEaP/XblR6jHtuEE68hNXfA15SEPk3x3+P5kNBXIQwKl5nPCah7ZOugJao=,iv:uK19ZNnejxWGu5dLKDFLGP6gLZ3GOteWWYsCPkxZ0pU=,tag:1F2eU32hP2dV4ssWQBh4KQ==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1

1
nixos/modules/nixos/system/default.nix
View file

@ -5,5 +5,6 @@
./security.nix ./security.nix
./systempackages.nix ./systempackages.nix
./nix.nix ./nix.nix
./zfs.nix
]; ];
} }

43
nixos/modules/nixos/system/zfs.nix Normal file
View file

@ -0,0 +1,43 @@
{ lib
, config
, ...
}:
let
cfg = config.mySystem.system.zfs;
in
with lib;
{
options.mySystem.system.zfs = {
enable = lib.mkEnableOption "zfs";
mountPoolsAtBoot = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
};
impermanenceRollback = lib.mkEnableOption "Rollback root on boot for impermance";
};
config = lib.mkIf cfg.enable {
boot = {
supportedFilesystems = [
"zfs"
];
zfs = {
forceImportRoot = false;
extraPools = cfg.mountPoolsAtBoot;
};
initrd.postDeviceCommands = lib.mkIf cfg.impermanenceRollback (lib.mkAfter ''
zfs rollback -r rpool/local/root@blank
'');
};
services.zfs = {
autoScrub.enable = true;
trim.enable = true;
};
};
}

1
nixos/profiles/global/default.nix
View file

@ -5,4 +5,5 @@
./system.nix ./system.nix
./users.nix ./users.nix
]; ];
} }

8
nixos/profiles/role-server.nix
View file

@ -15,6 +15,14 @@ with lib;
mySystem.services.rebootRequiredCheck.enable = true; mySystem.services.rebootRequiredCheck.enable = true;
mySystem.security.wheelNeedsSudoPassword = false; mySystem.security.wheelNeedsSudoPassword = false;
mySystem.services.cockpit.enable = true; mySystem.services.cockpit.enable = true;
mySystem.services.gatus.monitors = mkIf config.mySystem.services.gatus.enable [{
name = config.networking.hostName;
group = "servers";
url = "icmp://${config.networking.hostName}.l.trux.dev";
interval = "30s";
conditions = [ "[CONNECTED] == true" ];
}];
nix.settings = { nix.settings = {
# TODO factor out into mySystem # TODO factor out into mySystem

5
shell.nix
View file

@ -11,7 +11,8 @@
in in
import nixpkgs { inherit system overlays; } import nixpkgs { inherit system overlays; }
, ... , ...
}: pkgs.mkShell { }: {
default = pkgs.mkShell {
# Enable experimental features without having to specify the argument # Enable experimental features without having to specify the argument
NIX_CONFIG = "experimental-features = nix-command flakes"; NIX_CONFIG = "experimental-features = nix-command flakes";
nativeBuildInputs = with pkgs; [ nativeBuildInputs = with pkgs; [
@ -23,5 +24,7 @@
go-task go-task
sops sops
pre-commit pre-commit
gitleaks
]; ];
};
} }

20
zone Normal file
View file

@ -0,0 +1,20 @@
; Make sure to update the epoch time in the SOA records so coreDNS picks up the changes automatically
; https://www.epochconverter.com/
; you can check this file with the tool 'named-checkzone' from 'bind' package
; SOA Records
$TTL 3600
$ORIGIN natallan.com.
@ 3600 IN SOA gateway.natallan.com. gateway.natallan.com. (
1682790203 ; serial number (epoch timestamp)
7200 ; refresh period
3600 ; retry period
1209600 ; expire time
3600 ; minimum ttl
)
; NS Records
@ IN NS unifi.l.trux.dev.
; Metallb
hegira IN A 10.8.20.30