diff --git a/.sops.yaml b/.sops.yaml index c5600d9..80c5f71 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -11,7 +11,7 @@ keys: - &nixosvm age1d3qtnwd73k0npgwhqwpwysdpqa2zyyjyyzs463f5rak9swmw45gsxdyjyn - &nixosvm2 age16mwx76r29pa9lnmagujw9adxrpujxmxu38hjfastf6pgw6v66gjs5ugewz - - &dns01 age190fm3dlfxtf5smttyqxtrht4ac2ldfhkap7luppc0aap8w6r940qvjyc8t + - &dns01 age1k3u3yn3adntn36cpnsqdze7gd029utgkndcw0zwck03ms3wegusshuav6y - &citadel age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk - &rickenbacker age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc diff --git a/flake.nix b/flake.nix index 6a9d31c..403f585 100644 --- a/flake.nix +++ b/flake.nix @@ -41,8 +41,10 @@ forAllSystems = nixpkgs.lib.genAttrs [ "aarch64-linux" "x86_64-linux" - ]; + + # import overlays, ready for wrapping in nixossystem + in rec { # Use nixpkgs-fmt for 'nix fmt' @@ -50,6 +52,7 @@ nixosModules = import ./nixos/modules/nixos; + nixosConfigurations = with self.lib; let @@ -61,6 +64,7 @@ specialArgs = { inherit inputs outputs; }; + overlays = import ./nixos/overlays { inherit inputs; }; # generate a base nixos configuration with the # specified overlays, hardware modules, and any extraModules applied @@ -81,6 +85,17 @@ inherit system; modules = baseModules ++ hardwareModules ++ profileModules; specialArgs = { inherit self inputs nixpkgs; }; + # Add our overlays + + pkgs = import nixpkgs { + inherit system; + overlays = builtins.attrValues overlays; + config = { + allowUnfree = true; + allowUnfreePredicate = _: true; + }; + }; + }; in { diff --git a/nixos/modules/nixos/services/cloudflare-dyndns/cloudflare-dyndns.sops.yaml b/nixos/modules/nixos/services/cloudflare-dyndns/cloudflare-dyndns.sops.yaml index 53453dc..cfabdef 100644 --- a/nixos/modules/nixos/services/cloudflare-dyndns/cloudflare-dyndns.sops.yaml +++ b/nixos/modules/nixos/services/cloudflare-dyndns/cloudflare-dyndns.sops.yaml 
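Review bot: Rotating the `dns01` recipient is complete as far as this commit goes (all three sops files are re-keyed and their `mac`/`lastmodified` change), but the previous ciphertext stays in git history and remains decryptable by whoever holds the retired age key — note that the secret files listed `age1y399g6q8cg0…` for this slot while `.sops.yaml` carried `age190fm3d…`, so the two were already out of sync before this change. If the old host key could have been exposed rather than merely retired, the secret values themselves (the Cloudflare API token, the maddy env file, the dnscrypt forwarding rules) should be rotated too, since re-encrypting only protects the new ciphertext. A short comment on the anchor would record the intent for the next reader, e.g. `# dns01 rotated 2024-03-29; previous host key retired`.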
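Review bot: In the `@@ -81,6 +85,17 @@` hunk, `allowUnfreePredicate = _: true;` is redundant next to `allowUnfree = true;` and makes the unfree policy look narrower than it is; keep one, and if only a few packages are meant to be unfree, an explicit allowlist such as `allowUnfreePredicate = pkg: builtins.elem (nixpkgs.lib.getName pkg) [ <unfree-package-names> ];` keeps that scope auditable. Passing `pkgs` into nixosSystem also means `nixpkgs.config`/`nixpkgs.overlays` set in any module are silently ignored from now on (consistent with deleting profiles/global/nixpkgs.nix), which deserves saying in place of the bare `# Add our overlays`, e.g. `# pkgs is fixed here: nixpkgs.config/nixpkgs.overlays in modules have no effect`. `builtins.attrValues overlays` applies overlays in attribute-name order rather than declaration order, so if one overlay ever depends on another, switch to an explicit list. Separately, the comment added in the `@@ -41,8 +41,10 @@` hunk ("import overlays, ready for wrapping in nixossystem") sits above nothing — the import it describes lands in `@@ -61,6 +64,7 @@`, where that comment belongs.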
@@ -1,8 +1,8 @@ system: networking: - #ENC[AES256_GCM,data:h8SY+XsXfzixGkqLuVnQBikWXNUuu/98WcrkQ8KneR1ubCIBURXgThZBV1z3EoR9YzpbUdoP0vgC35h+4G+QyzsReVewvqnIVK1biQ==,iv:zXrpHY5OTcZrGflL8bSwxBqejU+NrJjN4cI2F/39su4=,tag:/j3qmOUslX2m/tnPKc3szw==,type:comment] + #ENC[AES256_GCM,data:WxRtq7uNi6m6b4GMGqvt+qkj1X4BZaynNDeEWMOH2u09x+IuYMiXXTJEGeKkf70eKjLZo0cD3HIzXNUr54SPP8jPmLqyRoS3Z+ggJg==,iv:EJPZQ9YSgs1JTKsZG1P6oMgxqNp2T7yha7UZwqAwzB4=,tag:toctJWuRe2viNF2crW1n4w==,type:comment] cloudflare-dyndns: - apiTokenFile: ENC[AES256_GCM,data:apI38KT46dnwf3padK8d/NbGve4KIHZ1EFZD8t3XbKkMSFsYayb1zBowl4e0/A2wlkx4QMD1NYC2wPcQCHBk6mSZ1ILRwsXtzSm7TdPn7hCWn9+cp9T7qc7MRtuPoIvD+reNR/IgTysvfmDQtIaJxweLGQ==,iv:9+E6bqXlapDgi+zQr3Y4bAzrRR3/hltFb8vlA9Vs6Sg=,tag:kN+M9tXOALkqKBdNNtG7SA==,type:str] + apiTokenFile: ENC[AES256_GCM,data:yTuSA7Zteaq4ufbLq0Ri+JDosNtVHudtRGSnLXzX2IFtGlzPNfrU0shIHpbicFZ+JS9x71a37sNt7gab1AZ5dJLxe2YVNVeJ3GFCFf7QNSI4GjOjzIUFSdHHhV+xGhtrL6h4SZTnh6iKqdU2iY1pAGT9Kw==,iv:gns8r/UhIXRIO+x08ZcrpuCFtwcUcC8HWjPfdJbkfRg=,tag:FAhAsUXzNOhEix+VBSu0Dg==,type:str] sops: kms: [] gcp_kms: [] 
@@ -12,50 +12,50 @@ sops: - recipient: age1d3qtnwd73k0npgwhqwpwysdpqa2zyyjyyzs463f5rak9swmw45gsxdyjyn enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnd1YyVEhwOWJPWGVxcEFv - WXRnU1RKK1JTblRkQW9ZekYyOGRNc3RrVFRnCmNFL3M5K1RHRXROdmVlekM4ZUhL - b1dYaEcvVXFocDV4MTMrbVdqbWJKWUUKLS0tIG5YcDZsZXRjSkVoN1RSdWw3NHNw - aWZPalNwWkF0ZGR1SGNqTHVOalFrVzgKLdfR3P7xXfv091K/fQ1kotEVjL7lubKO - S24E1Z0q48mXozZ4hfH3k1+ZKLkEJE6emuOZNfIf66/gRQ0WWwovSQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3YlEvN1JNa01odlZTeDhB + Y3ZEdlIvbUlFZm96NDZBeWc2MnRMMzlRYmxvCkh0L2NsNUdFbnM2OW8xSUlpQmwz + NjAyRnRLV1JRRkhyL2xLNXExS25MUGsKLS0tIDVwYmhkNXp3WVhNVkhkaTk1UDZn + UFNhQXJ5akZIY0ZiRmdDMUJGZXdCMlkKf3zA9MkZ/J2CUURvzZdtn4vSeYwiIAR9 + SLWB6O7ykkjZyhe40lJMdVb7OVqXUnAf4Ic0VpYVwLeAXjPEi2anBA== -----END AGE ENCRYPTED FILE----- - recipient: age16mwx76r29pa9lnmagujw9adxrpujxmxu38hjfastf6pgw6v66gjs5ugewz enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlZzJSZ0l0MTFpYklFd2tp - M2xoNndjWHNCVGVMM1hsdkpiOTM2aHAwNmtRClMrWTVVZWF3SjVEUWNaTHluNkdr - QTlzN1lNem1ZVndYOUZrL2ZEd2UwaEUKLS0tIEhmVS9NWStpeGVLNHRjK2ZzcCt4 - V285bFUwdXgzUy9Ndi8yTCtsYlRHVGsKzSx+eyIrJKgZCL2VoS4fEcp6iVpDiqF6 - 7czaNhQhT0doqRm3QddMlD+o/7t7xOGhQEraq4q+i/JD4iYkSQp4zw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMSXBZZzBkdWFVT2tYZTZh + cVhIOUgzeUZ5QWQ4d0oxMGdxb2c0ZGpITVFBCkdRV00zSU1QYy9heHk2VlA1YjZI + VEFlTHhZN3VKTExEQmRJYmJleDNIY28KLS0tIFpjM0lIdDdIaTJoemNvUlEyWjFI + cDNuaXc0QXgrNGpaV1kvWXpBL2pwZWcKkde/Ka84e6AVbzxr9zY0zVIYotZEofei + rPzQMsJ8x2+PLKRnOtny+He18E3AXN4G2KdbkkAaulFtPnodaXCWvw== -----END AGE ENCRYPTED FILE----- - - recipient: age1y399g6q8cg0efzqdywrswp5uugsfeuxg54ptp3vacrvaknl5dunq22wt5x + - recipient: age1k3u3yn3adntn36cpnsqdze7gd029utgkndcw0zwck03ms3wegusshuav6y enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnR0JCdUJubzRLRFY1ZGdp - SWl0Q3JHRU1tZ2ExRWVTYXlQTHN4TXFwYWk0Cm9ONVh1TjlMTzk3M21HYncyMmNy - 
aWNqMERxN3FGREQ2cUdVQ1pHakdXMEEKLS0tIFZKdHRWemUvQXUxSmJHSFlqalhp - bkpHMHEvb1c5d1NrMXNDdllvR3NPRlEK/toh+FUgXJX3FOgECX76vBzMunPOvwC5 - OXHrNBbr8r+4lraPucGKgDIiYqrb2upUUr2Y1n3+BaiMaRIxLIETww== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsN1l4MWE3Wm9qZzN5TWNJ + MG9QN1J6SW1GNHFxSW4rdHFTWG40emthL1RRCmFiaGU3dVJTNzhaL0dabExRWVB2 + V0tLd1kzZjVIWDFrdURtRTJDck41SVEKLS0tIHJvRmg3Uk1BWmRMcnFMTDRoM0Fq + aWE3ZVRqczl6NklQMEZpTnpvbzhMYWsKzTdBC6weGhLESyrGZXbaFclG0lo3aqoi + NHD2vuWcJexro3FPsBEce8yTCKi6VIBYQqntst0K4rE/7SLuMaqJVg== -----END AGE ENCRYPTED FILE----- - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUTjVVdkd0VjlTQ3VqS1pm - bXNtUEdlSXl4V2NlT2xxeWVBQUc1dW5ZSVJBClBJeE5JNGs2TE40azJzWUFER3pF - MHdEUTlkcUl3dVFoY2VaTHpCY1B4OXcKLS0tIFpkdnBVYU1Na3p3VFJSb3RBYkdt - NUtxRjZhdWtnTGd1R01oTGdVbHNrblEKikD0L3r1K1GaXOPiu6/sJR8yPJ5j3y9f - KWnFrx4hKOFlsclwrXchnU4v28BJuPE2yM/n4dgRoVCuJs1R2QKqpA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvTGxCNmhYRnQ5elRMV0Nt + bG1aZ255Y0pyYXhXWllVbDR0dWErUmRWWWlFCllRQm1jUU81MkhpdHdSdGhEWWpK + Zm5JaVE4LzJrRmVRR0ZQR0VuYmpLYlUKLS0tIEVIVVg2WVRnVEFQbXBGZDVLWTY0 + NXpWZHc1NzVoWEN3cWlPZmRtdW9MWkkKi6DbXhf5+zZH4rdnksT8swUHF9ZHu5Gp + jWbed3DahkwWAyMFD9SufGlgndRjqxHuyRa5EbBA4kyjYXvF5KjeCQ== -----END AGE ENCRYPTED FILE----- - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJZEVLdGwvTFZIYlJBMkU2 - d0xGZzhjZGVzOEtWL09RQWRTSjVzcVc4ZzF3CjhzelppS3A4YmVmcnNFZDcyNFJh - eThPazczUG9zUnZEbHFzdUJVaDRqcWsKLS0tIHhvTThHVWF2TnMyOU9GVzQwVDBt - aWxlcTNjSTVBLzhiblo5WEJCMGRlcDQKb2pymltKgZw4708Hi2oAD+eMQ07BhDWq - QRPnTFD/DbScDjfe58UC9izrXKf1Y5/rT36hSe8CI6NNU7uYaFMLcQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtajM2QjlyMzlHMDh0WjZP + eTBIWGpFVzl1MHpkWUUxMnovaHhGZnNPK3hRCm1NamVabWY0RjZ6Tm5Lbjg3eXBn + 
ZWVSMVUyRm1kc3dTbDl5YWx6ZnNhVlEKLS0tIFA0UU43ZnBMdDUyYXV1dlZNRVJZ + VE1jekkrU0FEVWVSaHI0OUtMRk9Za0EKZWiqeBmuKDQK4mSUWptPoMIYNQdTtxoy + /6Wr7QlnduC9Z+8OQuNNx5EC47DUSLmT8Zt2aP1wuolbEcQQkpNm2g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-03-26T10:54:18Z" - mac: ENC[AES256_GCM,data:v1TqCr38V1oTszNi+xp5chepaGavVn9zIxhsAlS782g+SxfSTLeV+NoYgUHXgMNQbHhLb9NRdyzwcwoc9QlW2yfoysvwG7fR8DAzQSJKoOqeLCcBKSAQqHfmYCvjvhQCjrV2QBCBMCODrYBV/+vszMyEQmvCK8r6baQ+zLNnZzA=,iv:nSJPlPCBsUSyzk9Xmh1sJT+N97Gs0v98aiyCJZqzbs4=,tag:qv0Wn7ZvMB/wl7IKNOQ5Xw==,type:str] + lastmodified: "2024-03-29T12:22:04Z" + mac: ENC[AES256_GCM,data:kPlrDIly/XpIlocuyviHIhtts6GZaslNH5F5Pnm0fiwXm/cDGxDftkpIE1eEEVxkhkOd5Vml5ppfhngMu1pJgoyEgZnW+Ej0yGc7wa1cM3Iu5yqzDy60V/D638S58wiyi4wP+MN/hXbKjC/jh05hh3vDH1b6OH3YRCRIS4R+ZSE=,iv:cy2Hgnww4u/4FqlnoYa/E1vbmx+spIRgkiSfCdIqie4=,tag:iugVVWzxDxbR0tIRnjzD3g==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/nixos/modules/nixos/services/cloudflare-dyndns/default.nix b/nixos/modules/nixos/services/cloudflare-dyndns/default.nix index 4334f3c..e146c5f 100644 --- a/nixos/modules/nixos/services/cloudflare-dyndns/default.nix +++ b/nixos/modules/nixos/services/cloudflare-dyndns/default.nix @@ -27,6 +27,11 @@ in # Restart when secret changes sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".restartUnits = [ "cloudflare-dyndns" ]; + networking.firewall = { + allowedUDPPorts = [ 53 ]; + allowedTCPPorts = [ 53 ]; + }; + # Cloudflare dynamic dns to keep my DNS records pointed at home services.cloudflare-dyndns = { enable = true; diff --git a/nixos/modules/nixos/services/dnscrypt-proxy2/dnscrypt-proxy2.sops.yaml b/nixos/modules/nixos/services/dnscrypt-proxy2/dnscrypt-proxy2.sops.yaml index cdba971..01d7f3a 100644 --- a/nixos/modules/nixos/services/dnscrypt-proxy2/dnscrypt-proxy2.sops.yaml +++ b/nixos/modules/nixos/services/dnscrypt-proxy2/dnscrypt-proxy2.sops.yaml 
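Review bot: Opening TCP/UDP 53 in the cloudflare-dyndns module exposes a DNS listener on every host that enables this client, yet nothing in the hunk binds port 53 — the dyndns client only needs outbound HTTPS to Cloudflare. The rule belongs with the service that actually serves DNS (the dnscrypt-proxy2 module touched elsewhere in this commit looks like the candidate, but that cannot be confirmed from here), and it should be scoped to the interfaces that need it, e.g. `networking.firewall.interfaces.<lan-interface>.allowedUDPPorts = [ 53 ];` with the real interface name substituted. If it must stay in this module, add a comment naming which service listens on 53 and why this module is the one opening it. The enclosing attribute set continues outside the hunk.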
@@ -1,7 +1,7 @@ system: networking: dnscrypt-proxy2: - forwarding-rules: ENC[AES256_GCM,data:r5q3U7iK6j6r+eydBNeAYzbA1oLHi4B5hTWknp0abBwpCLwnq0DWC5CDEt2Uv4CgkdOkvUXRlJBYexwHQ1Bs9afjsT4KT8Edy+ELu5FvP4kfg7LjjOoOFSdDhYHovhxXDMzd/ftH4HdPwO6JNMoc+n2WqBd9pLHGf9AvVJC+UQQnkv+xrLZyVcgWKNnMSjksknsWdM2L9OzQjnrWxt3aIGkMsCCR42ECX+G4rV4BtK0la3YHx/KQqMtquYiYtTuoPc/4qBGYEnbmlfDPuCPG6qaqvELca1SVmgakgxVvj+ZvxVYWyXsWpmhIJ56JHRJwQwzGTOPObROZMiQzs9Qm4uGwbBF/WgQS7gH016n3+9Mc1nBD1RBBXPsdc7Lygv1OPfdwmqJrDdC1AhK/SzR52V/OT8Pkp+EX2dMqxHYQdoiWQpmg2FxJ4zCrQFK1pPa5sztgLENepNsB2LEABDms3E4=,iv:I5+MsOlT/w4+2Q/x8KJPNCa4AKBCamv9xtDaaLROqbU=,tag:pFVyjd1V7WwKHoENE7E2cA==,type:str] + forwarding-rules: ENC[AES256_GCM,data:7TUg3UiXZG25FhvxS8Mkg2ZlvLpMx05u+8yqQ3EyBXwFtXrVUvI3TM3L0NJr8c1MmimslpK7w+Xs9GphJfr4UaNV6m5A2kipA1v85AbL/rrEAvi9xRty3yqX1+vYtN1xa5Il3p0PeWkR3Q/LMW1ZfWXLu7FHyuitJaOIfySwyeK5njcHHsBtjQGNZcyg6oWxs6XdTLhrPwYMQvxrZ/l7mhxFOLIwuq9rlyVTw+SenKaZisW7TjksQtGvi3NmFARCPYSmyCH2/X/1OfPIomoUFTOAXC56mTFXrAf3TytkyOyysJsl/8S2mx6xrgbT+J09SRL9JTtQHi4iZaXS6tPFiCL6JtOzPMBdMrWdqWC/gI4Av8EemNVYu37oP5BUYsCOGOoKFMwuHSxiJCqNmR/im+cnP2tXwYwOhHmDxRNeVA6Wxt/4AktKhTHWkm/TLHshceOm+3liS+D0t+Q2/ybdy28=,iv:ejTYzQ/6qjX77GJmUKz/L/8/66fh0P7ORNqeKK4sgdE=,tag:fWugmMTlzLwdtx0sOrcv5Q==,type:str] sops: kms: [] gcp_kms: [] 
@@ -11,50 +11,50 @@ sops: - recipient: age1d3qtnwd73k0npgwhqwpwysdpqa2zyyjyyzs463f5rak9swmw45gsxdyjyn enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5VzFCVlh5K1YvbmlKQ0R0 - NlpOdk4wV05HMFlRVHJZSW9sWTNtQ0p0YVI0ClpXaTFneVUwZyt1eUx2SnpVK2JI - MW56S1dmTWpFUmVNWnpiTFFvOTQ4T0kKLS0tIExqcW5DUkxYWWdBSzFHcVozVkV6 - eXdhNlRlQ0syR1g5dXRpYy93djBOeDQK9TMoalWZS2fvPrfq+F8RITp9IqEOWG7p - jg5H7gsdz5O/w1GMIYif5124gDgyCFkfVRPmAjdJvtN/owqhwaRGXw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxWm9iUWwvbWZNSCs2SUVw + ZUxDNFFoQXRPVUg0bmN3dDlnNzBBRUNUNWp3CnhheUloZzFOZzc5S3pmaDQybGlX + TnEyMi9XbGgyRkdpditQVkdMb2RMMk0KLS0tIFpveHp6STZWc0NRK3JlRm01NE8z + R1dRdnNmeDBRVmMwMzNnMHZBNE54T1UKEMjcJFqKoBvw5PA4HkGrhMXDG3RABwNI + S084C00I8qvLn769vsaaSMYm5He31CQ9qDGhDhMXFTIsBbI+jegWKA== -----END AGE ENCRYPTED FILE----- - recipient: age16mwx76r29pa9lnmagujw9adxrpujxmxu38hjfastf6pgw6v66gjs5ugewz enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0UVhEVHJoaVAzSiszNDJ5 - VGNCOW5UVUMxaTgrQjdQVFoveE5pcVhmL3lvCmFQejUwSzNvK3FDQnFWWjBHdTk0 - ZVJrNkk0ZWZxVGtEYXU3eUZsWk41TUUKLS0tIDBYNjFoYU1mbzdtVEdHVW96TDFR - VjhyZ3FqSkhtZHZ3S0xPVXZBNEtZOHMKCW9YMMwPXaDO23WdbW+NMmYVYau6Nw3i - I4J+xRLDe8N8Ty8sVql7xPYmA2UtI/Vf12sJxrH+YZA3x7Ip1RnM5A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRdUlWK3A5TjhOUW1mbm5X + SVFac2o3eU5NUTVkVVBqcjgvTVdlU2N0U1hBCjRrY1dGNU1UOVpWN2gzdXBUejdR + VmF6VUIxdnBEODI1dnVVQ0FXaE4rcXMKLS0tIDg0NmVyYTg2bFozcjQvMWoyU0FK + QmtYTHUrL3RxOEQ4aE5vNi9IVWRvbmcKZEP7E8756mvvZOdhCstv2DzUsmEeZcp6 + Ts88FAsQHsF4RZLfFodKx+C1QGfA/O50MGTE5e4c2tpIuMjmCuPRLg== -----END AGE ENCRYPTED FILE----- - - recipient: age1y399g6q8cg0efzqdywrswp5uugsfeuxg54ptp3vacrvaknl5dunq22wt5x + - recipient: age1k3u3yn3adntn36cpnsqdze7gd029utgkndcw0zwck03ms3wegusshuav6y enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyR1h3aDZqMmtWYkE4ZFBo - emx6S2tDRVRBK0Y1R1ZrUDFWa1JkSmI1SkRjCkxYbUIvcFFkbWxIYTBEbXdFVy9j - 
UGZaMWtITU5IMzNSSTJTMGZqZnlmWGcKLS0tIFIrdEpKZEs2c0VKdytzcjBoVUIv - dzc5eEZ0ZlVQQmVaY2cwM09GcDFURFEKojQ8gD2ZG0WiXEHwKpE+/X0mtS3plSwZ - RGDObWrg1MrlanAnHn/sh2A73uuWhsYiupurUZiFfFe2wqEUtiV7vw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLL1NkWkd0L29WbnNpQTh1 + Rkp1MmRqTkN4WGNMMHJhR0YvL2Y0eEtIWGgwCmlQZTAxei9aa3FPTWZLTXAvK3VF + WXk3NzMzd0hHNlJvd1dmckcvRm5rZGMKLS0tIHQ2bVRrRkJrV2E5MXc5Vm1tVWxj + RWhoMkVhVzdyaEtZVk9Ncll4S0VqOVkKwmcv1yi15ZUIUuamKXX9Ye76jGb3UMYY + tM0dcX49n4jCzexhU5wu2Fax4EADpiJzGVK0iZ+8+oWedbBHyVudJA== -----END AGE ENCRYPTED FILE----- - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxeGNaMmRYbEJrUkl3b0o5 - aU1SWGpCRGMrQ2s1OTM2ekJaMitmUTh5aFRNCmVubjdTK0xQdUhYTXRhTFBMRUZ2 - dy9YelU0OWhIY09PdUVZTXFmTUphM0kKLS0tIHFkSmRGdDdyRlpXTTNzQW5LNjBZ - cmFrQ2pxQ1lJRFdCbktyQW52K2Y5b00KCumqPgPDoCw/tPUM14C0D7/O7xUiqkLC - hujl+o9IRhDf+XvmA3QhyR/4uAJ+1S2EfxnOWpRXJwCmeW3QQDZ2Gw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtU1A0OTFYSUVPV3R3b0N4 + aE00UEZRTE1wN1NGdzhkdkJEQ2NuYzN3VDNRCldQTEN4Umw1ZnlhV1k3dVBjamxK + Qk9qenlsZDQ5dVdjenU0cHVlVXkzTjQKLS0tIDhaMHRuZWhrWlMrMDRuY2xnTDNy + M0Z0SHJZTi9tYXU3cEdrc2Y1NUtrY0UKt4y5CrmBbhTqB4Ksdf4fO69aukVUlz19 + 9yFqWtsnt97jldYKXG8WH9koyJvW6ZLIX+he89s0JCue518tf00bJA== -----END AGE ENCRYPTED FILE----- - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAycjVCakRONzRSbndhVHh1 - U095TURxSDhpUGNwRzZ0ak5ndXo0TjJFYmtNCmJnZUR2TlFUUzdNWVdBUDlHMFZB - dmtOcTJnY3pURVJzazBpWEVmb2h0UW8KLS0tIHRZc04zdUVhUEgyQ2hxaTVTbmxV - S29OdkNqTm5acXc2V2d4b1lGbHRITkUKRj7Fttqdf113T1zu+SE2SnA2ya149VU/ - 0NBQU3DNFX/5SsPUT6N/HAqjkObvzG02Sv6Un/rrzZExnXF9aKh3aA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwNXloZlZ6ak40ckdCZjV1 + OWlhaHp5M2tpMTEyN05DcHJvZGlLbXFBaHdzCnZ4ZHROZkRUMGplNmpQa1ZiUC9w + 
RVNIVWRqSTZFUHNFQ3JDdXd4dStPdDQKLS0tIEhqamZ5cm9aak1OV2lwTW9MMnZw + dFNyUENxTUQrUWI5ZHZhekp6d1o5T3cKDxaiMjGDb1EbdobP2E9WDn7YfO6J7BMU + sFAh+u38crXiEG24wxNl/Ps7z3oMPtmM7KRQ3hM753lBenuL7vXvMA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-03-26T10:54:18Z" - mac: ENC[AES256_GCM,data:plqgZV6lT1FT/pVt6O2KMXg4sAnJRGpDznyudk9Zmeye7FLEaqfAl696h0FoJoYsw7QnQ5KkWqJMFPerUyCauiNgyPXKgES2Inn15ZkRcT6+qqHWZGwYIBEhw5tKQ7173IW6pyiU9ZajWZnV3FrZGmMxgGSwXU94EwnI2uhxXxY=,iv:j/GMktQDyEoa5/gSmrTvu/WDGCS/etX/IYtun60SgYA=,tag:Ld+uw+RNd6kD93OiZy9flQ==,type:str] + lastmodified: "2024-03-29T12:22:04Z" + mac: ENC[AES256_GCM,data:hsDY1SO1nIe7J3mpMNJsxG2R+3N7AgUxoqqfvs2V4pO8SZnx5SvBqyIdGKcUOFgY66jtvAxwXULkl0J/TFj8A+MG5BkH/IAjDrWD0czYuUogtxik4DstyUXLSSM5zFP9niOmowsvK+1u/VpBrb+OlZNYiEHYKtY7+DhVJqDnQVc=,iv:iBxfpElahoJTXld45hpZXblTStQjm0WQpYmmv5wlpNg=,tag:caPwVlvCmRzm2as7ECbXgA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/nixos/modules/nixos/services/maddy/default.nix b/nixos/modules/nixos/services/maddy/default.nix index 37cc87e..7850d22 100644 --- a/nixos/modules/nixos/services/maddy/default.nix +++ b/nixos/modules/nixos/services/maddy/default.nix @@ -24,6 +24,7 @@ in enable = true; secrets = [ config.sops.secrets."system/mail/maddy/envFile".path ]; config = builtins.readFile ./maddy.conf; + openFirewall = true; }; }; diff --git a/nixos/modules/nixos/services/maddy/maddy.sops.yaml b/nixos/modules/nixos/services/maddy/maddy.sops.yaml index 28d59e3..afd6dcc 100644 --- a/nixos/modules/nixos/services/maddy/maddy.sops.yaml +++ b/nixos/modules/nixos/services/maddy/maddy.sops.yaml 
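Review bot: `openFirewall = true;` opens every port maddy listens on (the module's fixed SMTP/submission/IMAP list) on all interfaces of every host using this module, which is broader than most relay or LAN-only setups need. If only some listeners must be reachable, prefer explicit `networking.firewall.allowedTCPPorts` (or the `networking.firewall.interfaces.<name>` form) for just those ports and note the reason in a comment, e.g. `# submission + IMAP only; port 25 stays closed, outbound relay only`. Which listeners `maddy.conf` actually enables is outside this hunk, so the exposure cannot be judged from the diff alone. The enclosing module function starts outside the hunk.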
@@ -1,7 +1,7 @@ system: mail: maddy: - envFile: ENC[AES256_GCM,data:wPYvV1sq7LkeD35JOyzBTVIOo/ZmzO2tODKAR1tzGfO87OZg8soFsFP13yIQyMvFu++wJ+ope6gOC6GtYvqD//JMpwg4FGn8lIE49rLAkUdAu/rWGjHiu4m2DWElVGGM2IjAu63TxhC7WGNSxLMsEVnObOcfV4xVeeVld1ubVS2slM0=,iv:3BCqTSIttd8RHmPZqdIliDn4HX03nHBuGodUaU81Q+8=,tag:Tlh4n5iJZu2RRPl3ASCxag==,type:str] + envFile: ENC[AES256_GCM,data:pGs56ZvCfX42FcmOSQvg/hXIWDs/HrLrto50lP8DxWHBBrE1Mm/BJ1GWlz8CHrwTIwDOTZCbxfbZlQhr0ofuusf3AIYdTX3dtckCK+K0FVPIXenc/b0QotKeCWCbQj4mMZJCmlu3Yot2yP+SnxXQsl41yUEQsjiXmUVnbiXGlTnvLg4=,iv:V8sOvvt2lqXRpzbL6UilZE4PdwEOnX+LPJygVy0wmk0=,tag:1EEjTETv7ADYx8H2suxM6Q==,type:str] sops: kms: [] gcp_kms: [] 
@@ -11,50 +11,50 @@ sops: - recipient: age1d3qtnwd73k0npgwhqwpwysdpqa2zyyjyyzs463f5rak9swmw45gsxdyjyn enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHYVFNWjFKU09MZ3g2UFdj - Z3RUMnd5dXozVW5uaGtDYWRGUmFOeW5pNzNVCkI5MVhUc0VvbnVTMXM0WmhrVk10 - ZzFDVjN4ZzlxaVQvTG4xTkNZalZKcGsKLS0tIEdVL0Z1K1B0OEJVMjhTYTBjenF5 - LzM4dlJMd3NKS3FBVENMbDhGQzFJOUkKKFW1AOm7StnaAExDzEWmVNrYqr/bDE/e - X8EPG5xN9IkkjpjhuHY9WgRAfpemWipDRzdEKH/qHB0oZR7+Pd9IAA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpTEx5K29rV2Z3TmFZNG1h + NnR5UFJjWnFNMkYzN05WaVhsUmxHZkVwMURZCjVCMFRFcGJyMmlsVDNKL0FhSmFG + RHh4NVlNQWJzTGxLTkRrTkZWdll3blUKLS0tIGxqckF0cWlhMGpyanhPM29YMDVr + Zi9ZRXZiUVZzOUlwU094eDNTaC80UVUKNovl0feqw/7Yv8TjKdj8tCXkWvUqC76/ + VX64fgAiC+BGbygPJ5wEVkQKH8OWSmgOIvqfvSYrga8AHsLgYPMm3A== -----END AGE ENCRYPTED FILE----- - recipient: age16mwx76r29pa9lnmagujw9adxrpujxmxu38hjfastf6pgw6v66gjs5ugewz enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyVmlqNzRabC9zOTBFWWRk - a2s0ZEF2S2NBam1FeEZFNnpMNjlmd2JMSkZRCkRDcHdzT0I2R3NURTZXQlQrQjFn - NzZBeVZncVlqdllOZG4wNDB2YnNkaVUKLS0tIEFRY0FnVEllUW5NNTBMbGxTSlR5 - bVoxd0FvWjEyeHlKM2IyS1c2ajlhMncKJjDktmjOisjdUecV/bhI00fp6jA2puGD - mOuASUhxGGN1c805vLmLnJA0llLtaN8C2iQC/H14IjG1U7QObbnrEA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqRURSNjVydlVRdGFEcDFL + U2lLWW0xNkhTR3NtRUN0OUE3UjViYW9RNVRnCmo4Tks1NWgzTHV2QXlZVmJESU9i + cVZ0ekJCTHdhVWVyTTRFMEJJa080MDAKLS0tIG5CVE84K1dQMTg2WHhnYnBMdDZT + dloxME9lajd3YW9Bbk9qUzVVa2UrYVEKUMlgxX2REGuvkpXwFhClOllkuUf/8E3v + 9QpcjUSWmExHTJcxvSUkEYL5C6lODL4172PfnQLt9QkdX7sYQUOFuw== -----END AGE ENCRYPTED FILE----- - - recipient: age1y399g6q8cg0efzqdywrswp5uugsfeuxg54ptp3vacrvaknl5dunq22wt5x + - recipient: age1k3u3yn3adntn36cpnsqdze7gd029utgkndcw0zwck03ms3wegusshuav6y enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPMjkrcHFZTXQ3QjZKWksw - ZXNRbmNnSVhpWVdCL1NLQXhabGZVNGMydVE4CjdDVllwTHZyM2JZK1JaWVU0L0Qr - 
NlRyeTFCajJLL0VWcVk1R3R0QTZYc2sKLS0tIG1hSDRkMkdlOTNiS2I2anVjeDZI - UkJjTEhQQVdLVE11dmdES1hBYWNTZEUKVfi1F6rehBUrQB2AOHoPnhI16RzUA2T9 - NZ3b52xZUR3uAvLxqL9auLPxf1HC334zV5kEf0vmFyvD2DFWF9wjeQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqMTZRRlRUOVowT01vUVVm + aGNUQVllVVNKcVVoVXIyWmRLUEd5bzFVSjEwCm5iUUo3WWtEdHA4Wm1kSk8vcmRM + ZzJGSk51UnU5d2pjVzZiZGt3dlZETHMKLS0tIGw3cDdnNWxiZXdtMmhuRUpwV1Y4 + RXRvL2F0TkxGNm1LejR1bHFCYjkyU2cKn7QMPuwZ8ermG59uK3rHrJkuDZ2US0JG + Oj/ts8DXuu71TpTiiCXumThs+IjKQgARyv5P/jP/Souq9LppDtEDnQ== -----END AGE ENCRYPTED FILE----- - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqc0RYWGFBWjJjSG5NUG15 - cVp3MlB6MXp3alZid2hxMksrUG9KU1F1cmtVCnB0YVJtZHYvVG13bUhqWTEwZzhR - a2xnSjFMVHIvZHA2TjVBSmQ3TkpKckEKLS0tIEFaZ3RzZFpoQjlqN2NYTkZFRXNi - OWpSVVVuTFlMRnNTdEJLakRYdzdENVEKYaMBFCD/pr2UhpczDOS3qKTeI9v6PSNF - +m0y3MXomdDy52ozw5NxS9N96l8IVcqaXmr/vXqFGrpm1hNKmznzjQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLSlVlMG14cUxUcDRseDBC + YXBtRk5oRlJ3dS83TDFicFM4WVZMT1VwelZrCkl5V01BbzRVa3RLWTF4U0ExRmR3 + cU9XMFZRQ2l6V0k1aFlucjlGL0d3V3cKLS0tIDJGWlE1Y1hhcjhUT1BsTXBtQTFH + bEJka0pvUUM0OTV3QWdNWWRhcldTSEkK/yRrMYy2YC7NTzir/LL97PV9LxvW/fm1 + 2YQIlSs6amPT32U46tnpqytVs0iR9Jobd153oAJjfhrAsGGP/msgsQ== -----END AGE ENCRYPTED FILE----- - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyUFZaeEM0Nlc3bjZPcXpH - M2VReCswUHhvMDU5LzdLMkJYcHFXdnNQRjJBCjZNS2pmZ1JTTWdFckk2TzA2bmFK - NWdVV0tPVVRtZzYwTkcrc2RxdXpjM0UKLS0tIHlrU2ZRdndmWmhTUnVQb3BRSDYy - aGEwYmdrWW81eTc4K0ZlTmRyL2dqelkKrecN4dFiuRhBCecPa0oaBnvjy5pbvaXL - aaWmkTlSh2ny0BbrotfG2poX2A1x3GqdCd1KNVGRghdTyS1g8GUfNQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzUTJvUnE5V3NYNmZ0dERi + emh0ell0N0xBMkhjL3kxdkIyRWs4UWpYTVFNCnlqaVhiWUNXa0l1Qk1peHlxdDdQ + 
aEdkdFdFWW5zUlVBT1F0aERVQndheTgKLS0tIE83UXA1V21qbzFiQ3NFRnRiaS9i + TXEvWDRXMTZuellnT1BKRWs4a1VkaFkK8Sls0BOhgCj36HhFIlRclBltqXrcR7cU + POkvvHVfEXzZ8GzKOx3tyZZ7fnksNM9XFbofZ9/apGR9FP9mepnrdA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-03-26T10:54:18Z" - mac: ENC[AES256_GCM,data:3bRXHo7YE4IlcH+ke1+cxuBU4jPZ/DSZaOHtMN+dmdLuxfwNnEBBgPwFxYPHHmhH86Xyh42pKGNlOtmU/nGsKFeaMJBbB9bW7zmtR8gwij6pKVK7MoFfKQcqI08EozgaFeYvS5xwUnf9t0q7afTTmMCc3k9154a4f/D/nxJdg4Q=,iv:wsAwTClGPR7sKp0agXgBnmRrkjLAcYfEh0Y8dozh3v0=,tag:QbXAYgh5DXqar58nsb71kA==,type:str] + lastmodified: "2024-03-29T12:22:04Z" + mac: ENC[AES256_GCM,data:XncWerMNxizmY29/ktbk6qyENQ75RJ11x7STemdtds9+0g24pyRpuHV0oocetDRLmUN6Cg6qXwCkJ2cgR5MMzjUYsYRP2VlzGPwQpr+L6dmvYp+j+70X9Qk7bRfj0cRJn+gHhfkWSxpAvows0/9+wJcsFhowS/vihVoz2xjLoZU=,iv:yH0wEYRX0uuJeyf9+5E9qpwr8S5lUXpB9K5aWnHJShY=,tag:6aIhVuQOtfbWggdnF7zw2g==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/nixos/modules/nixos/system/openssh.nix b/nixos/modules/nixos/system/openssh.nix index 592c3ea..8b4f7b2 100644 --- a/nixos/modules/nixos/system/openssh.nix +++ b/nixos/modules/nixos/system/openssh.nix @@ -29,6 +29,7 @@ in config = mkIf cfg.enable { services.openssh = { enable = true; + openFirewall = true; # TODO: Enable this when option becomes available # Don't allow home-directory authorized_keys # authorizedKeysFiles = mkForce ["/etc/ssh/authorized_keys.d/%u"]; diff --git a/nixos/overlays/README.md b/nixos/overlays/README.md new file mode 100644 index 0000000..4317124 --- /dev/null +++ b/nixos/overlays/README.md @@ -0,0 +1,9 @@ +### Adding overlays + +Overlays should be added as individual nix files to `./nixos/overlays` with format + +```nix +final: prev: { + hello = (prev.hello.overrideAttrs (oldAttrs: { doCheck = false; })); +} +``` \ No newline at end of file diff --git a/nixos/overlays/default.nix b/nixos/overlays/default.nix index e888d1a..cfb2cbb 100644 --- a/nixos/overlays/default.nix +++ b/nixos/overlays/default.nix 
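Review bot: `services.openssh.openFirewall` already defaults to true, so the added line changes nothing unless something elsewhere sets it to false; if the intent is to make the exposure explicit, say so, e.g. `openFirewall = true; # explicit: sshd reachable on all interfaces`, or go the other way and restrict sshd to a management interface via `networking.firewall.interfaces.<mgmt-interface>.allowedTCPPorts`. While here, the TODO above it says `authorizedKeysFiles` is not yet available, but `services.openssh.authorizedKeysFiles` does exist as a NixOS option, so that comment looks stale and the restriction it describes could likely be enabled now. The enclosing `config = mkIf cfg.enable { ... }` block continues outside the hunk.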
@@ -1,4 +1,12 @@ -{ inputs, ... }: { +{ inputs +, ... +}: +{ + # deploy-rs overlay + deploy-rs = inputs.deploy-rs.overlay; + + # The unstable nixpkgs set (declared in the flake inputs) will + # be accessible through 'pkgs.unstable' unstable-packages = final: _prev: { unstable = import inputs.nixpkgs-unstable { inherit (final) system; diff --git a/nixos/profiles/global/default.nix b/nixos/profiles/global/default.nix index 506ca28..395d6ee 100644 --- a/nixos/profiles/global/default.nix +++ b/nixos/profiles/global/default.nix @@ -1,7 +1,6 @@ { imports = [ ./nix.nix - ./nixpkgs.nix ./sops.nix ./system.nix ./users.nix diff --git a/nixos/profiles/global/nixpkgs.nix b/nixos/profiles/global/nixpkgs.nix deleted file mode 100644 index e4e4c71..0000000 --- a/nixos/profiles/global/nixpkgs.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ config, ... }: -{ - nixpkgs = { - # Configure your nixpkgs instance - config = { - # Disable if you don't want unfree packages - allowUnfree = true; - }; - }; -} diff --git a/nixos/profiles/role-server.nix b/nixos/profiles/role-server.nix index c4052db..b5324f8 100644 --- a/nixos/profiles/role-server.nix +++ b/nixos/profiles/role-server.nix @@ -10,6 +10,7 @@ with lib; # Enable monitoring for remote scraiping mySystem.services.promMonitoring.enable = true; mySystem.services.rebootRequiredCheck.enable = true; + mySystem.security.wheelNeedsSudoPassword = false; nix.settings = { # TODO factor out into mySystem @@ -32,7 +33,7 @@ with lib; services.udisks2.enable = mkDefault false; xdg = { - autostart.enable = mkDefault false; + autostart.enable = mkDefault true; icons.enable = mkDefault false; mime.enable = mkDefault false; sounds.enable = mkDefault false; diff --git a/nixos/profiles/role-worstation.nix b/nixos/profiles/role-worstation.nix index 10e3667..263101b 100644 --- a/nixos/profiles/role-worstation.nix +++ b/nixos/profiles/role-worstation.nix @@ -38,7 +38,7 @@ with config; jq yq btop - vim + unstable.vim git dnsutils nix
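Review bot: The nested `import inputs.nixpkgs-unstable { inherit (final) system; ...` does not pass a `config` in the lines visible here (the rest of that call is outside the hunk), so `pkgs.unstable` will not inherit the `allowUnfree` now set on the outer pkgs in flake.nix and any unfree `unstable.*` package will fail to evaluate; if that is the case, `config = final.config;` alongside the `system` line fixes it. The `deploy-rs` overlay line builds deploy-rs from the pinned input rather than reusing the binary-cached nixpkgs package, which upstream documents as avoidable by taking `pkgs.deploy-rs` and only the lib from the flake — worth a comment either way, e.g. `# builds deploy-rs from source on each host; see upstream README for the cached variant`.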
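Review bot: `mySystem.security.wheelNeedsSudoPassword = false;` in the `@@ -10,6 +10,7 @@` hunk grants passwordless root to the entire wheel group on every server role, so a single compromised wheel account or SSH key becomes root with no second check. If this is for non-interactive deployment (deploy-rs is added in this same commit), scope it to that one account instead, e.g. `security.sudo.extraRules = [{ users = [ "<deploy-user>" ]; commands = [{ command = "ALL"; options = [ "NOPASSWD" ]; }]; }];`, and leave wheel requiring a password. The mapping of this custom option onto `security.sudo.wheelNeedsPassword` is inferred from its name and not visible here; a comment stating which workflow needs it, such as `# NOPASSWD for wheel: required by deploy-rs on servers`, would make the trade-off explicit.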
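Review bot: Flipping `xdg.autostart.enable` to `mkDefault true` in the `@@ -32,7 +33,7 @@` hunk reads as an accidental inversion: it sits in the server role, the neighbouring `icons`, `mime` and `sounds` options stay `mkDefault false`, and nothing else in the commit explains why a headless server should process XDG autostart entries. If it is intentional, add a one-line reason, e.g. `autostart.enable = mkDefault true; # needed by <service> on servers`; otherwise revert to `mkDefault false`. The enclosing `xdg = { ... }` set closes outside the hunk.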