feat: add split-dns (#59)

* chore: tweak favourites

* chore: hacking

* feat: add nix-serve

* hax

* re-encrypt

* haxing bind

* hacking sonarr/traef

* hack

* hack

* feat: add bind for local dns (manual)

* fix

* hacked up dns

---------

Co-authored-by: Truxnell <9149206+truxnell@users.noreply.github.com>
Truxnell 2024-04-06 17:24:47 +11:00 committed by GitHub
parent ad8a1c3a73
commit 9786bc9cd6
36 changed files with 701 additions and 299 deletions


@ -19,7 +19,6 @@ creation_rules:
- path_regex: .*\.sops\.yaml$
key_groups:
- age:
- *dns01
- *dns02
- *citadel
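Review bot: The `-19,7 +19,6` header shows one recipient line dropped from the `.sops.yaml` path rule, but the rendered hunk does not reveal which of `*dns01`, `*dns02` or `*citadel` it was. Removing an anchor from `creation_rules` only affects files encrypted from now on; files already encrypted with the old recipient set keep that recipient until `sops updatekeys` is run over them. The re-encrypted secrets in this commit still list the same five age recipients in both old and new versions, so if a key was retired here it is worth confirming the rotation was completed rather than only the rule edited. A one-line comment next to the rule naming the dropped host and the reason (e.g. `# <host> retired <date>; run sops updatekeys after changing this list`) would make the intent auditable.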


@ -93,6 +93,26 @@
"type": "github"
}
},
"nix-index-database": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1711854532,
"narHash": "sha256-JPStavwlT7TfxxiXHk6Q7sbNxtnXAIjXQJMLO0KB6M0=",
"owner": "nix-community",
"repo": "nix-index-database",
"rev": "2844b5f3ad3b478468151bd101370b9d8ef8a3a7",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-index-database",
"type": "github"
}
},
"nix-vscode-extensions": {
"inputs": {
"flake-compat": "flake-compat_2",
@ -198,6 +218,7 @@
"inputs": {
"deploy-rs": "deploy-rs",
"home-manager": "home-manager",
"nix-index-database": "nix-index-database",
"nix-vscode-extensions": "nix-vscode-extensions",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs",


@ -39,6 +39,13 @@
url = "github:nix-community/nix-vscode-extensions";
inputs.nixpkgs.follows = "nixpkgs";
};
# nix-index database
# https://github.com/nix-community/nix-index-database
nix-index-database = {
url = "github:nix-community/nix-index-database";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs =
{ self
@ -93,6 +100,7 @@
extraSpecialArgs = {
inherit inputs hostname system;
};
};
}
]


@ -27,7 +27,7 @@ with lib.hm.gvariant; {
"org/gnome/shell" = {
disabled-extensions = [ "apps-menu@gnome-shell-extensions.gcampax.github.com" "light-style@gnome-shell-extensions.gcampax.github.com" "places-menu@gnome-shell-extensions.gcampax.github.com" "drive-menu@gnome-shell-extensions.gcampax.github.com" "window-list@gnome-shell-extensions.gcampax.github.com" "workspace-indicator@gnome-shell-extensions.gcampax.github.com" ];
enabled-extensions = [ "appindicatorsupport@rgcjonas.gmail.com" "caffeine@patapon.info" "dash-to-dock@micxgx.gmail.com" "gsconnect@andyholmes.github.io" "Vitals@CoreCoding.com" "sp-tray@sp-tray.esenliyim.github.com" ];
favorite-apps = [ "org.gnome.Nautilus.desktop" "firefox.desktop" "org.wezfurlong.wezterm.desktop" "PrusaGcodeviewer.desktop" "spotify.desktop" "org.gnome.Console.desktop" "codium.desktop" ];
favorite-apps = [ "org.gnome.Nautilus.desktop" "firefox.desktop" "org.wezfurlong.wezterm.desktop" "PrusaGcodeviewer.desktop" "spotify.desktop" "org.gnome.Console.desktop" "codium.desktop" "discord.desktop" ];
};
"org/gnome/nautilus/preferences" = {
default-folder-viewer = "icon-view";


@ -1,4 +1,4 @@
{ lib, pkgs, self, config, ... }:
{ lib, pkgs, self, config, inputs, ... }:
with config;
{
imports = [
@ -51,29 +51,32 @@ with config;
};
};
home = {
# Install these packages for my user
packages = with pkgs; [
discord
steam
spotify
brightnessctl
prusa-slicer
bitwarden
yubioath-flutter
yubikey-manager-qt
packages = with pkgs;
[
discord
steam
spotify
brightnessctl
prusa-slicer
bitwarden
yubioath-flutter
yubikey-manager-qt
bat
dbus
direnv
git
nix-index
python3
fzf
ripgrep
flyctl # fly.io control line
bat
dbus
direnv
git
nix-index
python3
fzf
ripgrep
flyctl # fly.io control line
];
];
};
}


@ -12,6 +12,8 @@
mySystem = {
services.openssh.enable = true;
security.wheelNeedsSudoPassword = false;
time.hwClockLocalTime = true; # due to windows dualboot
};
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];


@ -1,41 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{
device = "/dev/disk/by-uuid/701fc943-ede7-41ed-8a53-3cc38fc68fe5";
fsType = "ext4";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/C634-F571";
fsType = "vfat";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp12s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp13s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -17,6 +17,8 @@
maddy.enable = true;
dnscrypt-proxy.enable = true;
cfDdns.enable = true;
bind.enable = true;
};
networking.hostName = "dns01"; # Define your hostname.


@ -16,6 +16,7 @@
openssh.enable = true;
dnscrypt-proxy.enable = true;
cfDdns.enable = true;
bind.enable = true;
};
networking.hostName = "dns02"; # Define your hostname.


@ -11,13 +11,11 @@
services.openssh.enable = true;
security.wheelNeedsSudoPassword = false;
};
mySystem.services.traefik.enable = true;
# TODO build this in from flake host names
networking.hostName = "rickenbacker";
fileSystems."/" =
{
device = "/dev/disk/by-label/nixos";


@ -15,7 +15,11 @@
openssh.enable = true;
cockpit.enable = true;
podman.enable = true;
traefik.enable = true;
sonarr.enable = true;
homepage.enable = true;
};
mySystem.nfs.nas.enable = true;
boot = {


@ -2,4 +2,6 @@
mySystem = import ./nixos;
}


@ -1,49 +0,0 @@
{ lib
, config
, pkgs
, ...
}:
with lib;
# let
# cfg = config.mySystem.xx.yy;
# in
{
imports = [
./traefik
];
options.myLab.containers.fileRoot = mkOption {
type = lib.types.str;
description = "root file path for containers";
default = "/persistence/containers/";
};
# Email
options.myLab.email.adminFromAddr = mkOption {
type = lib.types.str;
description = "From address for admin emails";
default = "";
};
options.myLab.email.adminToAddr = mkOption {
type = lib.types.str;
description = "Address for admin emails to be sent to";
default = "admin@trux.dev";
};
options.myLab.email.smtpServer = mkOption {
type = lib.types.str;
description = "SMTP server address";
default = "";
};
config = mkIf cfg.enable {
# CONFIG HERE
myLab.email.adminFromAddr = "admin@trux.dev";
myLab.email.smtpServer = "dns02"; # forwards to maddy relay
};
}


@ -1,84 +0,0 @@
{ config, lib, vars, networksLocal, ... }:
let
internalIP = "0.0.0.0"; # TODO fix
directories = [
"${config.myLab.containers.fileRoot}/traefik"
];
files = [
"${config.myLab.containers.fileRoot}/traefik/acme.json"
];
cfg = config.myLab.containers.traefik;
in
{
options.myLab.containers.traefik.enable = lib.mkEnableOption "Traefik container";
config = lib.mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [ 9091 ];
sops.secrets.authelia-jwt = { owner = config.systemd.services.authelia-default.serviceConfig.User; };
sops.secrets.authelia-sek = { owner = config.systemd.services.authelia-default.serviceConfig.User; };
services.authelia.instances.default = {
enable = true;
secrets = {
jwtSecretFile = config.sops.secrets.authelia-jwt.path;
storageEncryptionKeyFile = config.sops.secrets.authelia-sek.path;
};
settings = {
log.level = "debug";
theme = "dark";
default_2fa_method = "totp";
default_redirection_url = "https://passport.notohh.dev/";
authentication_backend = {
file.path = "/var/lib/authelia-default/user.yml";
};
session = {
domain = "notohh.dev";
expiration = 3600;
inactivity = 300;
};
totp = {
issuer = "authelia.com";
disable = false;
algorithm = "sha1";
digits = 6;
period = 30;
skew = 1;
secret_size = 32;
};
server = {
host = "0.0.0.0";
port = 9091;
};
access_control = {
default_policy = "deny";
rules = [
{
domain = "notohh.dev";
policy = "bypass";
}
];
};
regulation = {
max_retries = 3;
find_time = 120;
ban_time = 300;
};
notifier.filesystem = {
filename = "/var/lib/authelia-default/notif.txt";
};
storage.postgres = {
host = "192.168.1.211";
port = 5432;
database = "authelia";
schema = "public";
username = "authelia";
password = "authelia";
};
};
};
};
}


@ -1,3 +1,4 @@
{ lib, ... }:
{
imports = [
./system
@ -6,7 +7,14 @@
./browser
./de
./editor
./containers
./hardware
];
options.mySystem.persistentFolder = lib.mkOption {
type = lib.types.str;
description = "persistent folter for mutable files";
default = "/persistent/nixos/";
};
}
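Review bot: The new `persistentFolder` default `"/persistent/nixos/"` ends with a slash, while the consumers added in this commit (the sonarr and homepage modules) build paths as `"${config.mySystem.persistentFolder}/sonarr"`, so the tmpfiles rules and bind-mount sources come out as `/persistent/nixos//sonarr`. It works on Linux, but the doubled separator makes the paths harder to grep and compare against other config; dropping the trailing slash, `default = "/persistent/nixos";`, keeps the joining rule in one place. The description also has a typo and should read `description = "persistent folder for mutable files";`. Declaring the option as `lib.types.path` instead of `lib.types.str` would additionally reject a relative or empty value at evaluation time rather than at first use.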


@ -0,0 +1,5 @@
{
imports = [
./sonarr
];
}


@ -0,0 +1,50 @@
{ lib
, config
, pkgs
, ...
}:
with lib;
let
image = "ghcr.io/onedr0p/sonarr@sha256:04d8e198752b67df3f95c46144b507f437e7669f0088e7d2bbedf0e762606655";
port = 8989;
cfg = config.mySystem.services.sonarr;
persistentFolder = "${config.mySystem.persistentFolder}/sonarr";
in
{
options.mySystem.services.sonarr.enable = mkEnableOption "Sonarr";
config = mkIf cfg.enable {
# ensure folder exist and has correct owner/group
systemd.tmpfiles.rules = [
"d ${persistentFolder} 0755 568 568 -" #The - disables automatic cleanup, so the file wont be removed after a period
];
virtualisation.oci-containers.containers.sonarr = {
image = "${image}";
user = "568:568";
environment = {
UMASK = "002";
};
volumes = [
"${persistentFolder}:/config:rw"
"/mnt/nas/natflix/series:/media:rw"
"/etc/localtime:/etc/localtime:ro"
];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.sonarr.entrypoints" = "websecure";
"traefik.http.routers.sonarr.middlewares" = "local-only@file";
"traefik.http.services.sonarr.loadbalancer.server.port" = "${toString port}";
"homepage.group" = "Media";
"homepage.name" = "Sonarr";
"homepage.icon" = "sonarr.png";
"homepage.href" = "https://sonarr.${config.networking.domain}";
"homepage.description" = "Series manager";
# "homepage.weight" = -70000;
"homepage.widget.type" = "sonarr";
"homepage.widget.url" = "https://sonarr.${config.networking.domain}";
};
};
};
}
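Review bot: `image = "${image}";` wraps a string in an interpolation that does nothing (the homepage module in this commit does the same); `inherit image;` reads as intended. Pinning by digest is the right choice, but nothing records which Sonarr release the sha256 corresponds to, so the next bump cannot be checked against a changelog; a comment such as `# sonarr <version> -- TODO: record the tag this digest was taken from` beside the `image` binding keeps that traceable. The uid/gid `568` is repeated in the tmpfiles rule and the `user` line here, whereas the homepage module factors them into `user`/`group` let-bindings; doing the same here stops the two from drifting apart.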


@ -0,0 +1,99 @@
{ lib
, config
, ...
}:
with lib;
let
cfg = config.mySystem.services.bind;
inherit (config.networking) domain;
in
{
options.mySystem.services.bind.enable = mkEnableOption "bind";
config = mkIf cfg.enable {
sops.secrets = {
# configure secret for forwarding rules
"system/networking/bind/trux.dev".sopsFile = ./secrets.sops.yaml;
"system/networking/bind/trux.dev".mode = "0444"; # This is world-readable but theres nothing security related in the file
# Restart dnscrypt when secret changes
"system/networking/bind/trux.dev".restartUnits = [ "bind.service" ];
};
networking.resolvconf.useLocalResolver = mkForce false;
services.bind = {
enable = true;
# Ended up having to do the cfg manually
# to bind the port 5353
configFile = builtins.toFile "bind.cfg" ''
include "/etc/bind/rndc.key";
controls {
inet 127.0.0.1 allow {localhost;} keys {"rndc-key";};
};
acl cachenetworks { 10.8.10.0/24; 10.8.20.0/24; 10.8.30.0/24; 10.8.40.0/24; };
acl badnetworks { };
options {
listen-on port 5353 { any; };
allow-query { cachenetworks; };
blackhole { badnetworks; };
forward first;
forwarders { 10.8.10.1; };
directory "/run/named";
pid-file "/run/named/named.pid";
listen-on port 5353 { any; };
recursion yes;
dnssec-validation auto;
};
logging {
channel stdout {
stderr;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
category security { stdout; };
category dnssec { stdout; };
category default { stdout; };
};
acl "trusted" {
10.8.10.0/24; # LAN
10.8.12.0/24; # TRUSTED
10.8.20.0/24; # SERVERS
10.8.30.0/24; # IOT
10.8.40.0/24; # KIDS
10.8.50.0/24; # VIDEO
10.8.60.0/24; # VIDEO
10.8.11.0/24; # WIREGUARD
10.5.0.0/24; # CONTAINERS
};
zone "trux.dev." {
type master;
file "${config.sops.secrets."system/networking/bind/trux.dev".path}";
allow-transfer {
};
allow-query { any; };
};
'';
};
};
}
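Review bot: The comment `# Restart dnscrypt when secret changes` above `restartUnits = [ "bind.service" ]` was carried over from the dnscrypt-proxy2 module and is now wrong; it should read `# Restart bind when the zone file changes`. In the generated config `listen-on port 5353 { any; };` appears twice inside `options`, and `acl "trusted"` is declared but never referenced, while the `allow-query { cachenetworks; }` actually applied omits the WireGuard and container ranges that `trusted` lists, so either `trusted` should replace `cachenetworks` in `allow-query` or be removed so the file does not suggest a restriction that is not enforced. The zone-level `allow-query { any; }` overrides the options-level restriction for `trux.dev.`; that is reasonable for a LAN resolver sitting behind dnscrypt-proxy, but a one-line comment stating it is intentional would save the next reader from treating it as a mistake. The `mode = "0444"` comment claims the zone file holds nothing security related; it does expose internal hostnames and addresses to every local user, which may be acceptable here but should be stated as such rather than as "nothing".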


@ -0,0 +1,60 @@
system:
networking:
bind:
trux.dev: ENC[AES256_GCM,data:SQhmIVtugJlUfrjuIG8+ceDknOeqKj+nNenKg9YZyukcuqPMVRHGeESEchjjhZ3rhaicXfeUNthLnxNZgvacoACsI0zjBjeN36MkSyLq9cORbpLdiOM9x4UIFLxlIhVBqKkQSj6ntLX979k8bVzq30O+iGmUmoDW1z7A28hfaf65YuiZMp2e/AM/hNm1V6EP3EZ7M0tNv26c1/75NKo27C97zIL0eOEJmdiM3oGeyYpyPMAFnQGrkbIgJyjQ1ebo4f3isp+2r+VqO77iPx6KSLkHGmza4opQh/GAj7iSSvVtm6ULp7wxQXIqV+n+nArmPZMV0FCJ3LOXKtj2tOR8HyEMaDp+oxAEdtimu2x+5vTC5Bjc5tUgK9n2bLiDql+NYMUS9ZhW3zRZO0qF1wiPPp2gknT3XLkksdFnwfxscd80oP4jWwx0eoLIir+1iI7gnZgoLLhVuuP6298YgB092+F93RRRmkBbbIHDMh5z2CtPSs1xAPSn75PWR993PsgPKLJGwZtFJwGs3/hWY31ia1UChZ7Qe0cq43ErNJE/bJ8QN0WgHB61TlhDRZi+8XxRAJviuf0KBOoxyIXqcwDxLS6KD9/goD0XW0zhsS4Kwwy2pSQP6PgCKx2GllREMUtXBeyTH+v2hjpSCiM5gwosUPx0J+OYNtlj5Q0Ne5mISsNa0wAUPZglV3yGxcmtywCg/bzmMYHZbD9CQgL8uW5KXa9/vvAWPOqoVJboz9C/Tum9obcFMu9n29qmuYRfl91egFWriJv6hE6iMrFgMIe5erfA7/pr6chxerw214A4GSSu1U6KXPjEiV5jCElgthg8tButnBHaH4vaMtSFQ4P21d23wZ9D/OLDJFah9miClFqNjxYz5S3bOuUt3s2Cd/0jAUKoWNxGRWyBH1piiJx8VosrafDYVaIiXmM+7wFbfeE/72XePmUc3bJ4Zp1nhgyuaJxlcmeL4XaqZnJiclkwplB8ZEZHsEdRK21YjJqtGG6vSoK5FplGaPMCRpHEluQlJzt1bVVYllD6oHC3PrwZHHSFDTle5UjxvCLc6iRRZGyXVp6NjLWbdPyue1kwKI7x8AIOYLvQFyK+1nJHPlppVXcgR4HVJ2o84BDnDEXPhu+hS3QSZH5v+hQ1kZzDG8mzdd6jnuCFBS4oW87j5sS3pcCISIL/DOIX+MaIBbuogEevJSAUbqz+W2fRXDguoCALlC8QEDrTCzjLVu6GFI/vKdqP9BC64YEcBell+nyiOQ0ksyXGagsRwUqp3IhxPVXISO95awPo1eCqh72u4/kvUEg+SjSM626eS3T4QJ/0fu/LQOMJ8btdYLSdO5EYHBLbRFo2sj7EbIVXOaYp8zPuEdY8TS1e7aJUyOIfbf8JK3Y5ttbx+T64a1y+6GBPBjBLJaUFdOj685AkymNnC7yZXLNKB78FpDT2hDAlthuh3M/6sYNnwGDINxDcKH61y3AfTHPoox+HkbqCoKoL8a1FN7pDvc4eSmuNiVUuJjL+9kcPluEIMR4NbOsbpQzqHy6p3L8PlCaRxVytQF4b1mhMJ2hCvtZGQeyB4wYlj+pEpSvLXTW2vlNXaFUvD4t7Nwjw7OowPb5nX3y4/zoVo5+JtEYZolrWs3HRGlegCkBctPARTqMRp2g1zUUZU17yOmmZ8m/NA0myosfnL8yXKuLlQtFDEVIJN6sOVru/6QuiLntTGiDPoc95lK1MLeXzTd4hZf2gkiX5so4yoqV2VH9NQBSz2h0xoRhSO+1cvpSXJjIhsI8dNhPDHFfH0rCm97XEKAWTPaDx7HeielgnH0nO/y8oCettuSW1ImE1QowXsyM9olJMII1MlHTSxCOZ2f1y0my2AJ9KBLN+FBHPYY03NKxjLzoeNWyB1z0Pi0GUyih/8NPe/jB8G87tRbODeWa9AtS4+13U07JsjDnLJtS9oPafxv4FxQYI2qnPSaUjzL3LFC80Cm
j9YAfx+wyzB+gJlby09FxUO8DMy9efgjKQaQT1vZ6lA4ziE+B+SM1KHHvglQNEETKOlOUa0yq9hF5QWG/2nxIphjRo7Uq9plO1QBzJj80D5IoGouzZTL7RH+qzsO3KZz3i8Be7PfUTVORp/DE1f1emlRN4YWK0MrVcYRP6rFJGKwrDmaGi3R+FCHBWB7vW1CcnDxg6BwK2W6y1HTx5iz44++ez/AkHONFaNW2GtWN8LBtkfZN13VQY1XgH4F9w3L35p+L/vhpevccwi8yGmF9g7R7LjjhDvhSsnCk6f1wrlpon0MjI3q4hbv6QD9iIAQIsR1+cXTD7GfqZNnNgLk3MMslCTjQn0+aiQDjbxfcS16tsLyrkZxAmQrDK9M/xoFFqjF/RiVs5fh8/Bpe8CiNtx3TxVY8jMZZI3xKuofJPNaTt7UjNkxju4qCXF5MX4xIyc5YeU7JNcbMYa6Msnp8eb2TUsERgGeLOuNlu/bFfctzmiaRdbUasaxN9VhdQFv0+0oGP9fhlsRcpyJO6skQnCEnml/txg8dZoRNc1G6626n2GqMazf5CKcW5KlYhBEVHR8IpuPxRcdo8ZrsANUiWGS0iFh47EKe9QK7ZGyUAbGxxupoj1AK1Bz9qjYoQEynCOwNZ+4i9YUIAUXkmhowr0CV+DWbH22/Gglj5b0l0b71rqw39Vudtr1VbK80J1qbyYBqdXdAFiXi5J0JJGu9dk8dWAoK8feILR1aGpiYvvTLLjzJ/aZ5m8FKwnDZFA4zTr8a/F+AWbNgt2rrg/yEo1tgcnrmcYWVQ9pxToAoqq6DrB0PuyNbmrFgFcFpE2TCrf0bs576kbJn4IZHQUkg9fIPJhH78mvkd0SLcTlQCbaKBtmrsvfegxrugi1cAo/4X1cVKJ/MZP8gssVbzwH9zhzgliJL3GZJ6CjNHwnHO2T303QsXoosrmLqSJADdinbHw68Ag2do3nPokJMnTsA97YtslUBMRoF+vDyxmMP8DvseuicKe8WvOupILto182ThrWbn1Ws2xx9ZksrSPd2Xa7EwjOLIg/E205OSD1w+Q/wMAA/qyaC6uQhHqop1o5yivh4ZiQJtbPLjsd4x9Hn1hM7/yW/kwWMeggPYYnlfHraJ78vW5Yu1kIQ4H1xKoIdZf7y1VnIIAb4Lg1xxJ2IM,iv:OzXHST/zSMD0lD2qroK92wTPFnt4o9GO5KGp4AgDHvw=,tag:+i/7/aFsqW2GafFmt70GIQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpNENody9xYlF1aEgzbWxH
NE5GM1JXNldrMUh2UFk3aWR5akJ6ZW5TNVJJCjFQRFNITEVtZ21FNG51V2xqdWRD
aTdUQ2sxTjNqOFdmUmduM081UVlJSVUKLS0tIEE5QXdmcWxtL2hrazZIQU1idWww
YjFlNTVCZnlQUzRvWDRWdmpnTTV1TncKNVl5mho/SaNCJroRUNGWLJWekOineIP1
I4OsWaMoICMFFFYmNzK0hJW9De6YEHJUT9lQKN2Zjemx3g8lUOTxEQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBVFpCYnBQR0luVVlYM2Rt
dFdBMzhLVTJrRmNvYkFKdFAvVUg2SjRRbndrCkVZbVVwMG9aTWJ6bkkzbDdhU1lo
eE1uN2lwRFRTREFIYWFlTm1KVCtPblEKLS0tIGpvdDZUYjY3RzFoaGthVzRJMDE5
dnZtWkZmVzJSV0hKTXRFdEttOFVaQ0EK+stoUbxm5lfUZwe2ffSdVOZ1ChkUfgDd
pnNCxN+wRT09yo3CsZ/cqV870ZPBHsdA2BKHsS7rFzrZXPszvrDN8Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwZUNmSTQ0NytJcXRxSVFv
aWF5eHc3UnNCUklHSjJpbWxRcUk5QitTb3pvClZIZ2tRL3dQT0xSOWoxVGFPVDUx
QXZGeDhqUXRqdzlqUkd4WUtDbHpVRTAKLS0tIGF5MTVoMkZ6RDg0dEp3Z3hqUWxw
R244RzJyNFFGRXZEVzI0Mk5QMytGTTAKTnrkumPqwdldpAqX9OUInJJhjsdV4ggh
9FJPNdDlA7KZycfBvqEoo/j43rFjOQg36/FzWTjOtzmbX1NsylZZMg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpQ1ppWjRVQTE3R2NZQ2lB
L3pFbzhiMXZpaVArb3JOWWhuVkFDazFJUFY4CjI1OHZGN3dvbkdMN2tsTmNSMFlY
dm9kY2wvb0FzRi83eTlhdnNWVWpHWGMKLS0tIEI5WVlEOHAreEd5UzVDYWdQZGtR
dFZLZlMvUFVqSVVqYUIxQjYrNktsMGcKQrTtLyUKlSXZLntmB5COm1jG9sZqNuH+
j5DJ9yTKyrl5Gosb8FcrX4sOcOj5aJKGihL+p7wLgFgr+EYW1ely2g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5dFpRcGVHK0RMVFN1cWpl
WWxFTEs0MTZndEtHKzJpWHMxeXZwYzFSbFZvCjRvdWVBcFZxd1RiaW5xb0hhZzFs
dENYSU1NOGxsdEhER1VyWWRiZGlaQjgKLS0tIHpnd2dQTHV6RllVMSs4Smt2d3g3
Y094Y3dnRFEveFphV3J0LzUvK1dTMmsKHjpR7GViKdsR/Qx4/JKoVSWBi4DyujHj
nLMa1eEND32OwLg1VAK4m10toVl+wU5TAO0yZXx3tA132WNNtVRbUA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-06T06:13:02Z"
mac: ENC[AES256_GCM,data:g5mOOzAO8X009EzCY8dn1Ao+XXcEBwmjrlQyEp0KXapEnP+mntCokjxt3tJZ7U1T7SKkaVDweWbGWBwPqxm2WHDmJrFF7SHLaZ1GcIZ1TjBPGwOG5dQeDxspdU1eK2gS3E/JtMbIOKoDxD12dpH6jLJ3dlq+6Lcm8XoC8elNkWM=,iv:Wsby2DQXUnE9+7Bjk3Vp6/93uF5HoxKrzgcGKHTuW0A=,tag:F1z942D0nf8cBnMBeUEiSQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1



@ -1,8 +1,8 @@
system:
networking:
#ENC[AES256_GCM,data:UGDccdo5xL48r9VxuaY9QR2jfIdVZ0EZ84SKRO8dyZe7SIhvFUpX2tCEzVUMNPuDgXqoBSvWOP9WTEveunH56GknlOQdhZOYMb7T9Q==,iv:PLaSHpZRCu5xNsmWtz5UY+nTGGPow1YLppKZiZJz/9c=,tag:cePl/udz3BNSjVPqGVpmLg==,type:comment]
#ENC[AES256_GCM,data:B4f24DoMFOdKQrn9G/XVtZb+mT/9kXJnFZY8ND+pd/fLJkXxhrFAFbGKHPWxJXabIv1eehKe9a6F1752/HsNK05xo6fzPLZv9WJ6xQ==,iv:xFIa58J4DhIG8vHSZVXj6EXGmzoKU9DSHAlnrjx3dZ4=,tag:yYITOfuPBAOnymwl+8DziQ==,type:comment]
cloudflare-dyndns:
apiTokenFile: ENC[AES256_GCM,data:6CggP0liJTWfD9HnpD6ALf7a9smRNEbuOYsyU6HnFqDtZj4U/mYzG+9fAv/SM+DYl7eSCdF2xzINyAbAVl6j8g2utEkRiitGEVv29vaQSpIBUFrjl4vJgw/AyXdB9r5fR6XXpc6baeO3ctsjaUmlgRxGmQ==,iv:YYh5sZVwJVKKnuTEbNujm3yL16gfL98pEnwU9ZX8618=,tag:162cpSSAdAZoOiAwPbFlTg==,type:str]
apiTokenFile: ENC[AES256_GCM,data:G342sbp0A6oXl5IycaBdb8LV0cdFlZFDNV6JKZJPIBH13VRviGvygyFX3RoGfJif5qLQGHcHpZk2jFKcOWcFHaORHnLvQdwGSFMk4dPZ8Vwzm7hy4oQZg5gEmPA6U1ctyk4utaUOMD9QLwVMEhgE1+UlUw==,iv:KqV5yd03zt7yjUlCz9c0dba8BSnvkYahemezLWyf2Vg=,tag:FPHnsHHaSLs5wl8Sj6ChAg==,type:str]
sops:
kms: []
gcp_kms: []
@ -12,50 +12,50 @@ sops:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBORnZQZEI2VU9tdEQ1VkZw
aFFxaThqS2VWVVljejNxNVovMHlNc2ZUdUNvCktyT1pTRGpSK1N3MXpMNFZuVVhL
UCtINGo3SDhSNmwyRkEzVGNTVVFlTE0KLS0tIDhvaFk0SVdHNFlhRkxEb0hLdkdu
QTFCVUg5VzJzOUlRcFBlR0puNGVGNlUKpdSYWZZPKq1Vw0pR8suOqqgzxDzKWaMx
Aft/TpSuS8m6603HlTw3LUyBOnIYJCFFsGJqVBF6Q1z6U4FPAfNnlA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxNkY1RU14VW1ycStweStL
Vm1sN28xblNhRmI1WXRYcnRuQVBMczJnQVhZCittbFc5djZsN3dKaklWY1V2ZHBl
R0RpVW1OSWQrVlFuNjNWOTNzMUdEVDAKLS0tIG1FZEdMZ1FlR0FEcWFXV2hlYnhv
SG9abFJVb3pnQ1hleG8vc3E3TmhZTzAK9Qk1Kb4nesOa+OFdf0YfXEMAlvronAfs
reC3efYY5u1fWCqaYqJScXdDOhFDcBQD77CXZqo3N5EIlwJESHmpSA==
-----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzUzNqQ1U2aWV3WUVUZDdD
eXNhQUlBdGRndVJ1NXdXZlBNb0VvNzlFYnd3CjlRRm1FWTljL0VMbTB4M21HVDY3
Y2oyTG50SUtIT29OZjhiZi83OCtpNm8KLS0tIFNYMkErVDFhTHhOVndQdUFHWUxZ
bG0xMG9heitnUGFNdk5ITWhKNERZbDgKX23jlQyLus3FzDQ55hIyUqqwlLbPeKxV
LJHaDfO4IOzIGrWFCwQZpCa8ZgQzUmnpqKZqvdTZuXibZEoyjV6GUA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZTVJueFpVWXkrc25vcU9R
YzVwT243UnM4RVJzVFNWZGdCNUFzZUgwaEcwCnVMMDJ4NHdkUGNOQ2kzdXAwV2l3
dEFvdUc4STZ5bFNSNmQ1L2x4UUZDQUEKLS0tIER6dEZRcENFaFRRUTZNaWErTHN2
b3VuYmhmdnduN215YitkTzZvVzFYTlUKG3SZTp7lJ9JoQhN+CobDui5z/9f60OL+
4mhi6bl4TNDCpJNgG0yy56iAwbs281es22QGerXv2Y8u2fofllHCtg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxUFRMZHIyY3lFeVNnenky
bG1hdXoxSXo2akR1bGlHSHNZbzFOMGE3cW1FCjdzZUYzRFZrcXZvcTNSc3V5TE5n
T01Tem9oVDdYRlBST2tNNUpZTENOTkkKLS0tIENUdmxBajZpbFRoNXZzRVlvOVpJ
MnlaMHpGUGo1WmVMb2FsZ0o2Q3NuKzQK7n+HqB+7K6drnkNyc863wTfoohk90uWx
ehuz7kmZcdnwxpMX6hV2ynUumcVEqfR+jiUuF/eBpuPRQy/eejVm4Q==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrK0tvZXdhMjJSMzNwUURG
SEtVdU1IdExIcXh1RWdYUzUwaWV5U2hmcmlFCkNEYkxLWWhTeTBLNC9DL0FIMy9s
SzhoR1FJeGl3Znc0YnFCdW5OTnViRGcKLS0tIEUrZmxlMHFkazZWMm5QWmFJalhW
V2JLSTJlc2RIK0VFTENsUThJQ1ZtcVUK3fG8sPMGg2OdHS44H1kg9DaUnWrDcB+y
WtvxjeW0esEcZffZlzJmgeswwUVKamoN4A7lTMf8llq4ZBm+z8u8Zw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlSExpSE1hUldqSnJoRDBj
L2xROXd3U2EvZ0xoek8ra1RqdVdaK2s5Q2dZCmdVWmJrZTc3Nis2L0NkSlJQK1pq
RmZ3aHU4YVlNcUVEemJsWGNjbEVIdUkKLS0tIEJDcmFmRUtjL3ltUjZKRmMyWW1O
VHZzVVZycld5alhKaC9BQ2dweVIweHMKF/qVYH7yvmFBVDyHb1PwJrHyP9Iq1HEg
EfiDfZK2acYkW3GsUmH0qS5v55RswYnEg+iiSMNn+Ii6mfI65bVVYw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3VnNuSURxQ0V5ZC9XVEdC
OXNwZHVsamJRR0ZxdFZodk51Slpqc2pjbHhvCnBHZ2plT0dxUzVDQUVtSnlYUVdj
VWZjaUdIVWRmQkRwZ2VVemZvOXgrUFUKLS0tIGdvTW1sK2VlNWRESE9Hc0ZBcHQx
SjNnWXhBMnNqZEhUMHdUbmJrdUFUTGMK43zbm2VyKcRpSRkhaf4BrWKiyyQbiKgY
fYAo9DwMjf/EQgeMv8n6c8zn2HLKWcs2+Oz/XrWOzypinrSl9TOZOw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaaTNSWHM1eU92T2VMOXZD
b0R5Z2x3WloxOFhyMmkwQXp4U3lNM2xiZHhrCm9mcURMSmtUZ3VHd3lDbnp5dVVR
dHJyMkFBODMvbkpzUVl4ZUtxWmIrS1kKLS0tIHJTZ1FaYmlzUEhHWHVaWTVIRC9o
MGJLdkJpTkFGclRSZlBOOTVKd3BOa2sKbRf0BdD35bZpr8ESX1+NZ6rWxdI+x7fo
A6cIx6j8fVXvsKEipO3r4wSTqWhnY+DMzH9ZPGE5J74sx98DYVm6ig==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0UUx2ZWpCYVRlQUx6QUVG
WVl1NllRTXRnSDNTeTNXUWo2VFNuN0J1TW00CnFjTTlhUUJuMHczN21LaG9mZUlH
REJnU0k5R25hNU5mTkxiSzBKNW95d00KLS0tIFBFS1g1MDU1dDVwWXhtTjRJenVH
T0YySjh5dFAwcXo0QlhaRzB5S21yS0UKl0Cn8UMqk/TPkbVMp9ngj/gcpueQ3l4Y
83m99p7uw+1kFbmI3lcxlflFcZXgVBreFM2wF+Ogb7T2zikg0q8FTQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-01T00:26:19Z"
mac: ENC[AES256_GCM,data:U21XeE4vqc96mBq1qmjpMfDZVJZQEXwpHTEjVd4lmbam8XTv5kxK8zYWlDN8WTMqKeYHnInvEdmKnXL+NDt6lDjoDl/97/dUoWJ2xNTBOlJb6C2n11GE+ppzgZBQMj9oWr5IuQ8jiSfTYOF3/zT/sh8SSWmooQ2CrS/B3PyjmwA=,iv:9+Na88c3woPLZcawxH+mFg03Hf8oCaILdRya1CwRMEQ=,tag:eDuSLJtkLzvk+N1ncc/jwQ==,type:str]
lastmodified: "2024-04-05T05:23:21Z"
mac: ENC[AES256_GCM,data:UbhMGGRrG1MBJUEoEX+22y3C3A2dLBhfnxod8+wH1FQgDfZYwIAiCHGfLVbIzkC7ANS6453FeXRNBBH5TW2ELsDDo4W8S13lSwA/1MUUK7st42nNXvOVIMeLHtCrRU++LwYWhEfOR9OIb6au9pk+hwCo1Z0V6nlcAv1bf0uDQNU=,iv:a2GZw4HMp4DCOe8BfA3HgqZIJ9iUmXbttmGoXAMnQZE=,tag:w8VUc2K+f3/Vg7eBu3VREA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -25,7 +25,7 @@ in
sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".sopsFile = ./cloudflare-dyndns.sops.yaml;
# Restart when secret changes
sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".restartUnits = [ "cloudflare-dyndns" ];
sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".restartUnits = [ "cloudflare-dyndns.service" ];
networking.firewall = {
allowedUDPPorts = [ 53 ];


@ -9,5 +9,9 @@
./podman
./traefik
./nfs
./nix-serve
./bind
./arr
./homepage
];
}


@ -30,7 +30,7 @@ in
"system/networking/dnscrypt-proxy2/forwarding-rules".mode = "0444"; # This is world-readable but theres nothing security related in the file
# Restart dnscrypt when secret changes
"system/networking/dnscrypt-proxy2/forwarding-rules".restartUnits = [ "dnscrypt-proxy2" ];
"system/networking/dnscrypt-proxy2/forwarding-rules".restartUnits = [ "dnscrypt-proxy2.service" ];
};
services.dnscrypt-proxy2 = {


@ -1,7 +1,7 @@
system:
networking:
dnscrypt-proxy2:
forwarding-rules: ENC[AES256_GCM,data:I2MOqXfru2V2NDcrMfy8rwjIHKjt8ujk0GpGZRZgPRJv76P0jONja4Ft2b5j53CaM0A0dYHKc4A8ZbZgNzesVEvb5TK+wtQXziST7phRpJOpVPZjgHw3H8HD0l6mX7UmnIbv69e85UELG8Mv3DW7cRHCReelmec27+JNjhjhGUuyiNLdRxCS59D8P3p5Tdci1gMclbeXv+qv2VlWq8eIGMc5w6+0F4vVA9lhGUmWQLORtFOPLSmBn9xtx1R2Bm/itAzG+qJngAaF6o1Zm+lHvCydaddF/YJnsxk+EzwLS2RCb3+noE8cyS3S+eVCpSFmrtYB1MNREEZpBA+fXdkqSKVsNwCUgo2WJY78bPocNwQB9D/kuTnvILba8bC1pVdUH+xo0Ww7LS7j5+bp7xs9qwC9FRKgYKNReSoQn993R8n6VlqtJyqFLXtL55yIp+HSlu16jFiDP4rGjZtkxLQ21Y4=,iv:Jk4JLRzBYEIhoxgsRMXjvDNHVinuR0xjxTVTvED6lFo=,tag:4ILaKfjKM1r6MhYrOyU+Jg==,type:str]
forwarding-rules: ENC[AES256_GCM,data:P5GAwlcuUI2hXcJBzAPSQBviqi8z0ccz29sv1bsSx7lkD9isTaurylD07v3tlXFN,iv:lPIbdMpUMzyhnkakw4FSxvHolyNXMVuciwKK7jz9MMY=,tag:0pKhfclkbWbPBJ6/vs5a3w==,type:str]
sops:
kms: []
gcp_kms: []
@ -11,50 +11,50 @@ sops:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvbkZmSGlyMTJ6RjlGWENX
SUc3SU1MbGZMVmRuUWJIb2xQQlA5UFdGeDBZCmp3Y2o1Lzc4TnR4RXJTa1Rxdk5w
LzFFbUx2Q25QZUk3bklDVEVOajdPYk0KLS0tIHlBalM2RlFKQ1NKNFZHVXFUQWtV
VDNnQkp6ZTkwSW1peXJJTVN6TGtxYVkKDCpef2RICaAf1mSkW9V8i7siPP+gXa5r
SNOlY5EDDU9wQ54GEWJHMz7kzaAAPQH4hXz1JdoO+Z2P2yr7pLdjAg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiU2V4cmpHZ0hhRUlDNTU4
c0FGTGxCTzNTTUJxN2lkZmZQUVlCRFVxZld3ClU2TmpxcHFvR0lZeVUxZ0x1YmFC
bFZ4QlQvajNxYTByenlDVXNJb0dGNEEKLS0tIFQvaUhCYnE4MWc1bFZtSlB6cDFq
aTJyS2RGWFJTNEd3Rlo3dVN6UjhlUVEKZvaWNTcKkSzLDsQ99S3/d9eQ350QM+e0
R19K1QHuljx3vKV+LhnJ+fCUL5bnIhvDCFVnWBWGirVzJNp4iwfuWw==
-----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVk5jeklpdEhLTERqWnhO
ZkZsRytWNk1MUlBrSW8xTlpOOW5xWUZlbnpZClhKNDRRTE0yWXNnRHljckIzM2tY
OVlWWlYxVGNFcitORFdmbnlUTkJkZ2sKLS0tIEFETndzSktuYlpmK3NmL2Q1L3A5
NzJLa2ZuUHppOExxZGhnandMRHR0N0kK/zHkmxJIFH5D88z92QkKrDrGApj2QGoU
LkvIOSgGjEy2juzsGsjVJdu/61g7iaGO6IpHktuniyEgwnLwn+ApOw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnbnR4T1d4M3pKdExGYUZZ
Y0R4WVNLZnZJTmhqVW4vSzJwZjkxdk92N3lNCk9iWmJNZHVZVDFINEErRi9JZjBZ
MDEyM1Q3cGZDWkUyZEZhaVo3K2FpUjgKLS0tIEhHR0dTak43T3pDcUtvYk02aFZZ
M2w2RDV4UmY1Zll5WjdxSWIxZVhVMUUKAvOmavnidng3QxxHaVqQKwq9TMgbusOE
SnBx1ShiX0m7ZBLHPzcHuwzEOxYRvpKuV1tVDVbROPfaOYusgIMa+A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVSDNpQ0ZBS3FqZlFKelVr
NGRYdW9QNVA0THVLdGdQZElRVndmcmFoMzE4CmVUcVlLdGZuYi9XU0YydFNWLzBD
M3pLWmlDV0Vld3k2SXoyRkJ6a1hIWVEKLS0tIHJQamFiZklzby9UQlROVTFPT0tt
dnhReTcxeDE0NE1RNWRMN3JCOXVMTFkK8koum0Wlxgo52yDTRYCRFToQw16+iXFu
+bzDHf9DjqvZzkZH2gEeS33meexZxyUcD/nWUQvyNcbhVO49tIb90w==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRaWV0VGZFc0toUXJURURF
eDRKMGV6UktYWVRUcFJKVTdiQ3h6LzhlV2tRCjVMZkFqWGZCV1Q5OFBkOW1lWnFj
NGFMVXBNbVF4azlUV3dLZFB3aHdnZk0KLS0tIEFObC9ING4wRUtwZXhOS2VRcnR3
NnkrVjdGcFE0cGtEY0Vub3Z5R09zVWcKEjgqoO+4n02mwa8idy1FdASqoCkB4Ooe
j04tUVa0xufui6gITvO9DBgXbSdni5wbtabZNJ13S3dgWVY4CiDuYw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSR3M5VG9GaDkyK21wOVda
WnluaERvelJ6bS9raS9DLzBCMXc1S1g1djBRCmhWYVdFeEY0bmpKSnN2bjBOKzQ4
ckpoNGNmY0hLSTRBT2txQnEyY0hBTGsKLS0tIHY3NWN4RjRJVkdlN3JrS2krZXdn
UVNSN29uQlh4WEVRVWd0a1FBNGY4VjQKMG2zUS+jehQGNo1OI2gQF0InKDzd15PM
wyyitNB3Lh5JViREQHbYe2DrDA15W6iV5bTIzzf9zToR6+ouRBgzFA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6aC9hTTB1enJYcUpiUHZS
eENnaEhPL3JIeGp5QmczQ1pSMTRmejZ1L0FNCldzM2FFSm9NaTNGTHVmNTJwVW9F
YXIrSGFsWG05U0NXdWg2VUQ1NDVyYWsKLS0tIFQxd2hpMXJRWXhJclFzQjVzZWFI
VHdoVHJnNit3OE5mU2YvTjYxSmxkcXcKBips96WiE/NI7GWZVUOzdJSTIyoG4U4R
haVYaHJJ1xW/E7WqJKn/E+wiMHFNcQJFOi6/JkWGLCkEE5tDLSDibw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjcnd3d2JoWWtldXVQc0sr
bEkrYXN3OXVGZWFLNHlPenQ0eW1ISjNKK1ZRCjdxUWI0bUttRzlUOHRrZFhpd2Fq
TjFmWTNBWFJFOWluam9vOEQwNEVHQ2sKLS0tIFJlTFp0Z2VVRm02OGp2R0IwTUdT
dkEybVp1OEhZR0JURFJqRW5nSURxME0KZcZj9YFuSvqM5bXbZQy44t4630p2aaAw
H/yhO37jNToYUpmsbpCEYcZPfjkHkc/gKPyTcKSsUFusQAds1q6/Cg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVY0pEaVR5NWMzR29YQUFY
R1p2ZFdEaVN1NXYzMW9oR3V2aXJxdDR2QlFvCmxsVDBCQUZnRllvY3NEMm1DQXpj
aDRCZjlnM0xZaVpTVlpXd08wU1VIR3cKLS0tIHo5TGNmMXZHSXpYQW5ITHpwTWJE
a1hDZXkxSG9FR0laYW9nZXFnN0NyUUUKa9dtMzPzZqWi1Z6gBxOh355Om8865AT5
j0SjD1Zl00RvaC6mZQrhOB6Aq+eYHe3w29jkmkAGvIHXH8p1fNt8Hg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-01T00:26:19Z"
mac: ENC[AES256_GCM,data:+bAkGkkh+sPnZlG+E8+5/tZxX3W6yBTB/mSUeHKsEjv2ymo4HU5Vdef3iw4xnLBK/Kh94R0AQLd/jRJ8034Z07qBjCHttl9k5tRWyG1qZeEzZX8OOggig3PuiLv9hE0fJ+D0MX7rDy6XMyUDmaB46/TKiYPmlh8WOCB4yjjRr+Q=,iv:CsRGS8swKLEy0x3njmY+ExICDp97P9xdg0ERLonRKoQ=,tag:GYJIMpWXnOcktIL8GMUYfQ==,type:str]
lastmodified: "2024-04-06T05:12:13Z"
mac: ENC[AES256_GCM,data:JVJ58TeYh66P6PuhSeCAZpXS5tu4H33rG5GZcJYorhT8Bldn72CTo9AhyhNzVHhfK1fIPI6VLyQM5rBUxBQVHWufx8hnYDrhBQdR9d3po8KKnyfpNgYS0rhifYyon5GUl4BW89RaD45+ZbrE1kIsqCYwwim/bcVYqXuRh1CGYeA=,iv:lRU08rccGMH5ykhSE8bREkog4ftXUporCj+YMsOmUN8=,tag:tIekpP6QIp1Ce2s4a2qO8Q==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -0,0 +1,49 @@
{ lib
, config
, pkgs
, ...
}:
with lib;
let
app = "homepage";
image = "ghcr.io/gethomepage/homepage:v0.8.10";
user = "568"; #string
group = "568"; #string
port = 3000; #int
persistentFolder = "${config.mySystem.persistentFolder}/${app}";
cfg = config.mySystem.services.homepage;
in
{
options.mySystem.services.homepage.enable = mkEnableOption "Homepage dashboard";
config = mkIf cfg.enable {
# ensure folder exist and has correct owner/group
systemd.tmpfiles.rules = [
"d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
];
virtualisation.oci-containers.containers.${app} = {
image = "${image}";
user = "${user}:${group}";
environment = {
UMASK = "002";
PUID = "${user}";
PGID = "${group}";
};
labels = {
"traefik.enable" = "true";
"traefik.http.routers.${app}.entrypoints" = "websecure";
"traefik.http.routers.${app}.middlewares" = "local-only@file";
"traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
};
# mount socket for service discovery.
volumes = [
"${persistentFolder}:/app/config:rw"
"/var/run/podman/podman.sock:/var/run/docker.sock:ro" # TODO abstract out podman/docker socket
];
};
};
}
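Review bot: The `"/var/run/podman/podman.sock:/var/run/docker.sock:ro"` volume hands the homepage container the host's Podman API; the `:ro` flag only makes the mount point read-only and does not limit what can be requested over the socket, so a compromise of this container (it is reachable through traefik, albeit behind `local-only@file`) extends to the container runtime, and if the socket is Podman's rootful one that is effectively root on the host. The usual mitigations are a filtering API proxy in front of the socket that exposes only the container-listing endpoints homepage needs, or a dedicated rootless Podman socket; at minimum the existing comment should state the exposure, e.g. `# mount socket for service discovery -- grants full API access; :ro does not restrict it`. The image is pinned by tag `v0.8.10` while the sonarr module pins by digest; pinning by digest here too keeps the two modules consistent and makes supply-chain changes visible in review. `image = "${image}";` can be `inherit image;`.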


@ -18,7 +18,7 @@ in
group = "maddy";
};
sops.secrets."system/mail/maddy/envFile".restartUnits = [ "maddy" ];
sops.secrets."system/mail/maddy/envFile".restartUnits = [ "maddy.service" ];
services.maddy = {
enable = true;


@ -1,7 +1,7 @@
system:
mail:
maddy:
envFile: ENC[AES256_GCM,data:43LVInxptreur8lHPNz5494OrGhe2aKqy//bDd9n4Pb9bMYnmN2hru64TpOCeKb4b7KUDrp5kWXdy9Q0njpdbdBprgKFXygVw8JuB1aDYlv9+RN2JntIa3dAhsgL26d8VC67tjsMXZUcinR69I3SfIVp0o2T45WhG4IT1rnBWX0mGug=,iv:Uy6OaCzayAqMhvFCF4Ho5Om810Qxi2yFIqmz6NU3L8Q=,tag:WizECPn2ip3dQ0gidMaHyQ==,type:str]
envFile: ENC[AES256_GCM,data:dHk1pvPlQ46sKDKoZE3OCZ6OxL9gwRpPnu7Q8o9BNmLB8tkxbEudc03Tj956Tf2waghH395O4/Ab2/clyXBZA735+3s0R8ZZX9LDPr47i0MxEhlB9Am/Sa8dg9ivjK8gvlp6oipuvlDmdmfKdP1/DiRd4a+PO9APVPTvFvPTHd9Jy8Y=,iv:x6uZU4XRdtSellvLUTr8aydrLL6k5jhgLoG1n1Zo0P0=,tag:0y2FPDz6psEQglQvus+BuA==,type:str]
sops:
kms: []
gcp_kms: []
@ -11,50 +11,50 @@ sops:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtcUtQcU56aGhOU3hDRis2
bGFkUFhnT3BUSFhOWFFydnI4SmdkKzlJRlR3Cjh1MkRyS0tFeEM3bWhhNnFmSWNC
UzhSRjJiN1VpTlNJUWkvcU54T0MyR0UKLS0tIHhNNHNBaXhvaGtIdE10YUo2MnZi
VEdEczl3b2UxZldBWkVzRWZ2RzZkZHMKofrWTXa5aedNl7uVVQF3TbysG2L6mtb/
5hYiKHsdgPyxQWL3V727GM7xhS5Jd/O/F3Nc8zGCgCCGmBe3Uf5+nA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRd3VjeUxzR3d1S0NFQ1dI
YVJHNjZKYnZneHJ4RG1NclJySThiVXBNd1JVCkVTc0tjWUpnQmxKS0hhalVzN1N0
ZFNqZzFFbWYxU2ZrV2RnK01yTEk1eGsKLS0tIElRREpyM2F4L2cvNnhHMG9HcU8y
SGVyeWlUR2RrNElwKzlzdXVsMG5QRWsKnZQXvig6jOCam2Pzt/TxXn6KqbNicvyN
FXm6ObTz7FXj3AcSAWs+Pvsh/BQyk+87iHtgMIgaZnV1WQi7GybW8A==
-----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6bUFTeE9sMHVBN1RmNWhj
czdaMjBjb2grTk1XWUp5emx4Q2ZsSHpIL0VjCnBVUnE2QjdTTUNON09qRkpnMEVs
SmRoUFpmMmlZSGpyVGZIV3Q0MDMvUTAKLS0tIEI1ck5ySVhWemdpdnE1NUxCZ0Zt
eWtodW5yeG9tR2xCSTNRcTFaNDRkMXMKmuIyJlHmU7gL/iqn0L55TfCZ32/LRnLz
aZ9vqWGNvXjF4UsmhC1ChI3wUaAgXGvWl0roym/d3BTDV/rrIG31Hw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZQ3l0a1VvcFhLTHBqTTVy
emhuK05yaXE4NlNIRmJvdklBZFczdlJtbnlNCmlXa0ttU1dFZGFJSE9TQittQjhv
S2h5NkZnQmQ3L0grUmNRY3lueDNKZVUKLS0tIFNDWlRUaTZxa1RRUUxIand6d3Na
dURrcTgvVVVnYWxYS2ZXNHI2dXB6RW8KQ2ApgWJ9bvpxwSV5ppwFT8pRyalqs5Wf
4p28ICtASrX58mOkITr3otZUlvHUMCWApr/ued8PSL6k3UoNOnTp4Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwcUxpSFR2WGNEMHQ0QTcz
dTYzdWhRTEdwYW5sUTFMZkZPNTRnbmFnekJvCllTOFNMTk9MTGJRWFdGaGhBUlkx
WVZDVGNWZ1BPRFVwLzVFbklyVzYzTGsKLS0tIEprLy9IQ3ZycGJySWoxRG5QdFU4
azRaYnNhNzlHWFlpTGloc1JyS3dOWEUKcGY320t9R7z7wM1ebUF3QQdQzB0FMZtX
W45AWV+CWVce9qBm9OFVwluiJQD+m1BxLVxM1EmaNBBsT7PUleserg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0UkRaVzJxaFYxWmY2SFNl
c1UyQ25tNmFuNFlRRDQvRHlrZitsak9GSVNnCnUvYzVOaUh3T0hTMitKd3ltdG9q
M0YrVTFEYk1SMDczODhiWVdZYTRqREkKLS0tIEEwWFhCOVJ6M3J2dEsvamx0empa
a01rRENJcGx1d2xHVWpubnJvaFNETTAKqVlKYvpowONBqJMPli43L/l6mklsj2eM
9H9JLhg9QYvbMIYy7X4UsMZWAW9OqrSQGi/BvL1L72LSjfT7BWRuRg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRMUROaDE2NDhzUTJYTThj
U0loNnpKUTJrWkVmeEI3Uk9tN2gzNm5ZYVVzCkhCNWcyL29SVTB5UjVnNHlrNy9Y
Z2wrd1RudnRoYjRhZUJoUzdzVm9KemcKLS0tIFQvbzUwQ0lDcko0VHRPVDRFckFk
T1RYa2J6V2FqRjUwb1ZpaHBBa2kvMncKwI9MAHNrZUD/3bEqYQ7bE65cZt9JAQ2p
s0nPt+izl384aYuEeOP2uGW7GyaSvG8sVytpyxOZ4DIAWdjzoWLxbQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtMEpQc3RVTDVOWlI5OFZE
RGZsU3RUUWxtY3Z1SGFkNU5GeGdsZmROcUNBCnc1MGZ5eFBobmUyMThCVmJUelp5
UW1JZUZJaFlPelExeGNmWXlNTzVwZm8KLS0tIFljK2c4RzFDVlZHek1oM2c5SU5j
VE1OUXBHeHEvZzVpSDF5OE9GaWxhNjQKo+m+AThAjdBXjy266bIVRbpJ9STSAvkK
6h1MRpK2CpFjNOJWL5Yv7wGIOqYyx++y2Sz3TOD842PEzNdpAmrf/A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGTEZlUmlRSjRxNWdpSVY3
TXl4SGZZYW1lVkRqa1VON3k5TWJCTjFacXhvCkxRR3RqbnBxemQzMUs1NW5EczVm
OWtTQm9zWkdiWmFGdHZKdU52aG5jQU0KLS0tIFEzellhYWFnSFJaZmRlVjlpeWNX
bTd2MExRU3Z5QzY5dEdEdzUvN2R4QzAKqOsV6f+NrCiOqELmJ5JJNnkxVKp3kQwy
MEkudjQ3tj+iw8C5tlIsixnT2Azbj3FcSAdTwPc1yRQ5WCyf6VTA5w==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5YzhHRXl6Yyt5QVFNZzlV
N1l6ZmRoMTl6WGZPQlduYTRyWVVweWtDL1NrCnIxejdvaFNDNHo5RnZUZ1NPako5
QmxVd3IyUXFXNGZpWVRpMTNsaFFCa0UKLS0tIGR0V2tYUkw3NjZsd29tbTl0U2Y5
UGZ5SUUvbEdOcm9ZZ2FPeEJNQTJmeVkK9e4K6Zz7oaLWo66pLDJu5fCtJlpjE+gz
dApChQV1+oPnTynpCQ4PCxC4X4L5sfxCqIR8uwRAkse6I/DUNWhiDA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-01T00:26:19Z"
mac: ENC[AES256_GCM,data:e2S19cJ1yA3J7UAOdMR0zqUx5KMzNg+JZ46Ux21Ph/8d9CXfRo1avHwl6EtWdSaMdLUHDqwzR+7fp1NVcP/fYBOhjHLhOgV1IWBfqA1Vche2MffQyi2dPYiDX7idHsh2eW3PhhXi821YtWEqv2Rmiani9gQJTjyXJkghy5JbbHw=,iv:FNveFjSPp1byfvuKy43DUjELoUu+axuElSa3RXAdV/Y=,tag:B03Hpaib8dVcFMD16vkYmA==,type:str]
lastmodified: "2024-04-05T05:23:21Z"
mac: ENC[AES256_GCM,data:2zzSM4qqG/8XSm5gxBE8V4b4eRF46SNuOrXbDzK8ovGRu+BzbhYg1f2duf+p1m3flNu6n9WoR5HltjVDpdetg8ut85j/4AEnDKIVgPJPcjcJaVk0TKUdIGp/DAJ9hs8U6gTmKavxByBfOzhQiX/U7ewzC9GeQbU/MfdNrmC2qVI=,iv:wbjpidsVF6p4rLlGHgSQISA0JjK6MfogFrjhVkl1Sw0=,tag:9CXy2SnEBY9xLjC2UfL2kg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -0,0 +1,24 @@
{ lib
, config
, pkgs
, ...
}:
with lib;
let
cfg = config.mySystem.services.nix-serve;
in
{
options.mySystem.services.nix-serve.enable = mkEnableOption "nix-serve";
# enable nix serve binary cache
# you can test its working with `nix store ping --store http://10.8.20.33:5000`
config.services.nix-serve = mkIf cfg.enable {
enable = true;
package = pkgs.nix-serve-ng;
openFirewall = true;
};
}
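Review bot: `services.nix-serve` is enabled without a `secretKeyFile`, so the cache serves unsigned narinfos and every consumer must either trust it with `require-sigs = false` or accept paths it cannot verify; `openFirewall = true` then opens port 5000 on every interface, over plain HTTP as the `http://10.8.20.33:5000` test line in the comment shows. Generate a key pair with `nix-store --generate-binary-cache-key`, point `secretKeyFile` at the private half (via sops, like the other secrets in this repo) and add the public half to consumers' `trusted-public-keys`, so clients get signature checks rather than blind trust in whatever answers on that port. If the cache is only for the LAN, setting `bindAddress` to that interface is tighter than opening the firewall globally.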


@ -15,6 +15,7 @@ in
{
virtualisation.podman = {
enable = true;
dockerCompat = true;
extraPackages = [ pkgs.zfs ];
defaultNetwork.settings = {
@ -25,6 +26,8 @@ in
backend = "podman";
};
networking.firewall.interfaces.podman0.allowedUDPPorts = [ 53 ];
};
}
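Review bot: The new rule `networking.firewall.interfaces.podman0.allowedUDPPorts = [ 53 ];` carries no comment saying why the host must accept DNS from the container bridge; presumably it is for the netavark/aardvark-dns resolver that containers use for name resolution, which the `defaultNetwork.settings` block above (whose start lies outside this hunk) probably configures. Add `# let containers on the podman bridge reach the host-side aardvark-dns resolver (container name resolution)` above the line so it is not later mistaken for a stray hole in the firewall, and confirm that the rule is only needed for UDP and only on `podman0`.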


@ -3,6 +3,7 @@
, pkgs
, ...
}:
# ref: https://github.com/rishid/nix-config/blob/be0d5cbbe4df79ed2b2ba4714456f21777c72b38/modules/traefik/default.nix#L170
with lib;
let
cfg = config.mySystem.services.traefik;
@ -10,18 +11,159 @@ in
{
options.mySystem.services.traefik.enable = mkEnableOption "Traefik reverse proxy";
# TODO add to homepage
# modules.homepage.infrastructure-services = [{
# Traefik = {
# icon = "traefik.svg";
# description = "Reverse proxy";
# href = "https://traefik.dhupar.xyz:444";
# };
# }];
config = mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [ 80 443 ];
sops.secrets."system/services/traefik/apiTokenFile".sopsFile = ./secrets.sops.yaml;
# Restart when secret changes
sops.secrets."system/services/traefik/apiTokenFile".restartUnits = [ "traefik.service" ];
systemd.services.traefik = {
serviceConfig.EnvironmentFile = [
config.sops.secrets."system/services/traefik/apiTokenFile".path
];
};
services.traefik = {
enable = true;
staticConfigOptions = {
api.dashboard = true;
api.insecure = true;
group = "podman"; # podman backend, required to access socket
serversTransport = {
# Disable backend certificate verification.
insecureSkipVerify = true;
dataDir = "${config.mySystem.persistentFolder}/traefik/";
# Required so traefik is permitted to watch docker events
# group = "docker";
staticConfigOptions = {
global = {
checkNewVersion = false;
sendAnonymousUsage = false;
};
api.dashboard = true;
log.level = "DEBUG";
# Allow backend services to have self-signed certs
serversTransport.insecureSkipVerify = true;
providers.docker = {
endpoint = "unix:///var/run/podman/podman.sock";
# endpoint = "tcp://127.0.0.1:2375";
exposedByDefault = false;
defaultRule = "Host(`{{ normalize .Name }}.${config.networking.domain}`)";
# network = "proxy";
};
# Listen on port 80 and redirect to port 443
entryPoints.web = {
address = ":80";
http.redirections.entrypoint.to = "websecure";
};
# Run everything SSL
entryPoints.websecure = {
address = ":443";
http = {
tls = {
certresolver = "letsencrypt";
domains.main = "${config.networking.domain}";
domains.sans = "*.${config.networking.domain}";
};
};
http3 = { };
};
certificatesResolvers.letsencrypt.acme = {
dnsChallenge.provider = "cloudflare";
keyType = "EC256";
storage = "${config.services.traefik.dataDir}/acme.json";
};
# };
};
# Dynamic configuration
dynamicConfigOptions = {
http.middlewares = {
# Whitelist local network and VPN addresses
local-only.ipWhiteList.sourceRange = [
"127.0.0.1/32" # localhost
"192.168.0.0/16" # RFC1918
"10.0.0.0/8" # RFC1918
"172.16.0.0/12" # RFC1918 (docker network)
];
# authelia = {
# # Forward requests w/ middlewares=authelia@file to authelia.
# forwardAuth = {
# # address = cfg.autheliaUrl;
# address = "http://localhost:9092/api/verify?rd=https://auth.dhupar.xyz:444/";
# trustForwardHeader = true;
# authResponseHeaders = [
# "Remote-User"
# "Remote-Name"
# "Remote-Email"
# "Remote-Groups"
# ];
# };
# };
# authelia-basic = {
# # Forward requests w/ middlewares=authelia-basic@file to authelia.
# forwardAuth = {
# address = "http://localhost:9092/api/verify?auth=basic";
# trustForwardHeader = true;
# authResponseHeaders = [
# "Remote-User"
# "Remote-Name"
# "Remote-Email"
# "Remote-Groups"
# ];
# };
# };
# https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview/#forwardauth-with-static-upstreams-configuration
# auth-headers = {
# browserXssFilter = true;
# contentTypeNosniff = true;
# forceSTSHeader = true;
# frameDeny = true;
# sslHost = domain;
# sslRedirect = true;
# stsIncludeSubdomains = true;
# stsPreload = true;
# stsSeconds = 315360000;
# };
};
tls.options.default = {
minVersion = "VersionTLS13";
sniStrict = true;
};
# Set up wildcard domain certificates for both *.hostname.domain and *.local.domain
http.routers = {
traefik = {
entrypoints = "websecure";
rule = "Host(`traefik.${config.networking.domain}`)";
tls.certresolver = "letsencrypt";
tls.domains = [{
main = "${config.networking.domain}";
sans = "*.${config.networking.domain}";
}];
middlewares = "local-only@file";
service = "api@internal";
};
};
};
};
};
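Review bot: `http3 = { }` on the `websecure` entrypoint makes Traefik advertise HTTP/3 via Alt-Svc, but the section only opens TCP (`networking.firewall.allowedTCPPorts = [ 80 443 ];`), so QUIC on UDP 443 is dropped and clients will try h3 and fall back each time; either add `networking.firewall.allowedUDPPorts = [ 443 ];` beside it or drop the `http3` block. Two further points are worth recording in the config rather than leaving implicit: the `api@internal` router is guarded only by `local-only`, whose `172.16.0.0/12` entry also covers the podman container network, so any container can browse the dashboard; and `log.level = "DEBUG"` plus the global `serversTransport.insecureSkipVerify = true` are carried into the new config — the latter disables certificate validation to every backend, so a per-service `serversTransport` for the self-signed ones would be tighter. Also, `entryPoints.websecure.http.tls.domains` is written as an attribute set with `sans` a plain string, while the router's `tls.domains` below is a list of `{ main; sans; }` entries as Traefik documents the field; confirm the static config actually loads as written.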


@ -0,0 +1,61 @@
system:
services:
#ENC[AES256_GCM,data:L5ZUZZoFkMaTErRqwkG03SVET5x6AVL+4OvX6ukQlvFX+P9ICYY6lDGDmJARUXDm2yW6hllqA2FxoteFXT5LEikraLywI5jGDgQMGw==,iv:fHYZ9LBvFVT24xeN7HSjlNhFse/MIhb6/3XCUbdCppA=,tag:tq+MbSt+jhvNJfdpuQ5ddg==,type:comment]
traefik:
apiTokenFile: ENC[AES256_GCM,data:hVIUCHU/AU6SOGt7JEVYuE55LlT7AhSuRpkCEWrsKxhy0K5jRZhYb4G30sXrOv80gb8T82ItYjpi5ytckGq325A4Uzn2dYQ4P9sv1uRxrcJrSOuMvpeWnijT33wbxn/fcg==,iv:5065MjT63rYvx/+ivfVha/+VxaTaHicfmshPI/9qfYw=,tag:S7t/Fr5R30lwO3KvuDjHWw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLbVBCZGdUU3dJR0VXMUQ2
ZUhYcEZkYVBRZkxteGkzaXdDNUVzNjdFUWxrCkgwcXZYZlZ2Wk1KbDg2VGpmZXQ5
K3ZxR21FZGpJWFpSakltdzN6MUh0b28KLS0tIHRDK2dKQ1Q0UGpBM2oyYzhuSGo2
TWFTYnpYbDZPeUVtbTdXNm84RFJoaDQKFB0HX9yJ6D5jQRd8qUsLUy4ZcweYv1Qh
BJlQJOlMi+OliSiWOPsI8L8SJSTWJvy6ZX/LcebuQ0tlXeNd3HYAQQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBTXp6aExQTVh4OFVKV1Nz
UU0zbEJnR3Nvb256TllyYXg4OTVOektoSURnCllWZUpwc3ZObjlWT0YyLzRiQ0dM
Sy9GSCtsTkZyVkJ1dDJnbmh2ZHdrZG8KLS0tIDRPakxzRWt6ckRzZzVZQzN6RVlU
MEhwbFpIK3hTeGttS0x3Q0dHdHZhNG8KovgKj2k7N/lpGT2j+e1u+3uX3EAMwAwt
uHI2LqEtfaMJZQvsP409G4QkEy+o7GJ7N3LpAXFAPvnJbH5/n7WxiA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCZjFiSDIzMVVNMmk3ZlBn
SFFpbE10Q0ZZMlhGbElMTURjeDFhUmlnNmdrCk55ZHY0Y3o2SGtaM2ZOTE5QOFo1
WVdEWGtzWTIxbWtXMmF5V3JvVjBpVFEKLS0tIEtVMldydlRvdHJLYzVnQy9kUnNZ
OHJUSlBlQ3Rhb1RYUVNQSWNLWU5NOGcKEHjjav+ACT+HQ9haoMfRei7cAOPugMDs
JsSRPWnVBYPx+9AxDY030Aw6vMw9+rFSuCp3PMH4mNbCcCucaIWWSA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzQWhCM2dpZDFkVVE4SVJq
SXY1ZVh2ZWlDRnN4d2hsREpwU0tYMmpKK0hzCmhkSllSM0NGdHZiV0o4dWVac2Ft
Y01nUlBKUHg4eE1YZWZlU29Vd2lEelEKLS0tIG9DdmdoaWVBMTJ2WnBnWXI5d1ZX
VGtCSTdPcDZHeVdUL1Z6S3hoUE9IR2sK8WyNXZDiJG3ox+nBcwTXdn3fmd4kS2z/
aUV6ql3vLdsu3/BxLq3v00AXXYNOnWmVrUxTJ9Lv1j0FM5Gh5LupQw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVdU9TeFlSUWZISytBTnNn
RWlITURiQnY2Ni9LMWZ4R0pBWDJmaHpTZDJ3ClVackV1UHNYUXFmeUliT0h1aHNR
S0M4NWg0NkYrL2V4NXlIUDJ6RE8rODgKLS0tIGEwdGpxNVNtVDc0M0k1ejl1ZmFX
c2VQSk53WEFoTFdFUTM3eWNVamxwNTgKBYqQy+ILW9MdRPDgRBVw8sOyYF40rhYz
yP+Bu6EBAjJDOP/Ywx6I7u6AmlTRcOtk8PmJ8eo3raP07at+jrXsaw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-05T08:20:07Z"
mac: ENC[AES256_GCM,data:a/J87IQL0X7XQycpZXWg2otlBe7/W7Ebe0CAKunnyF8Gm9RRMWdECrFeBDtAyVAHl2F6gqlNTyEMsOVE+aR6+xu91rXr332k66SnSQcMOjQ987+r+t3b1hUZ9Cz+qNbtepXaGTuCNQ0JH+o3ezkA1D6BDIvf6S4IRWRT9psOiHI=,iv:2TXiGQDDK2nSTAb+n3baFfng9jDPoe7Ts9Au9dTRclA=,tag:MZFBEcpOmoX0TN33OMoApg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -29,12 +29,17 @@ with lib;
# But wont enable plugins globally, leave them for workstations
};
# required for yubico
services.udev.packages = [ pkgs.yubikey-personalization ];
services.pcscd.enable = true;
environment.systemPackages = with pkgs; [
curl
wget
dnsutils
];
networking.useDHCP = lib.mkDefault true;
networking.domain = "trux.dev"; # TODO make variable


@ -1,6 +1,5 @@
{ lib, config, pkgs, nixpkgs, ... }:
{ lib, config, pkgs, nixpkgs, self, ... }:
{
## Below is to align shell/system to flake's nixpkgs
## ref: https://nixos-and-flakes.thiscute.world/best-practices/nix-path-and-flake-registry
@ -31,12 +30,14 @@
"https://cache.garnix.io"
"https://nix-community.cachix.org"
"https://numtide.cachix.org"
"https://deploy-rs.cachix.org"
];
trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="
"cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
"deploy-rs.cachix.org-1:xfNobmiwF/vzvK1gpfediPwpdIP0rpDV2rYqx40zdSI="
];
# Fallback quickly if substituters are not available.
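Review bot: Adding `https://deploy-rs.cachix.org` together with its `trusted-public-keys` entry means every host built from this flake will accept any store path signed by that key, not only deploy-rs itself, and nothing in the hunk records where the key `deploy-rs.cachix.org-1:…` was obtained. Add a comment beside the key citing the source it was checked against, e.g. `# deploy-rs binary cache; key as published in the serokell/deploy-rs README`, so the next person can re-verify it instead of trusting the repo history. The `self` argument added to the module signature is not used in the visible hunks; if it is used further down that is fine, otherwise it is dead.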


@ -19,7 +19,6 @@ with lib;
};
nixpkgs.hostPlatform.system = "aarch64-linux";
nixpkgs.buildPlatform.system = "x86_64-linux";
console.enable = false;


@ -23,6 +23,7 @@ with config;
binfmt.emulatedSystems = [ "aarch64-linux" ]; # Enabled for raspi4 compilation
plymouth.enable = true; # hide console with splash screen
};
nix.settings = {
@ -35,6 +36,24 @@ with config;
# set xserver videodrivers if used
services.xserver.enable = true;
services = {
fwupd.enable = config.boot.loader.systemd-boot.enable; # fwupd does not work in BIOS mode
thermald.enable = true;
smartd.enable = true;
# required for yubikey
udev.packages = [ pkgs.yubikey-personalization ];
pcscd.enable = true;
};
hardware = {
enableAllFirmware = true;
sensor.hddtemp = {
enable = true;
drives = [ "/dev/disk/by-id/*" ];
};
};
environment.systemPackages = with pkgs; [
@ -47,12 +66,19 @@ with config;
dnsutils
nix
# Sensors etc
lm_sensors
cpufrequtils
cpupower-gui
# TODO Move
nil
nixpkgs-fmt
statix
nvd
gh
bind # for dns utils like named-checkconf
];
i18n = {