Feat: docs (#98)

* hacking at dns

* hack

* hax

* start dics!

* hacking

* feat: docs!

---------

Co-authored-by: Truxnell <9149206+truxnell@users.noreply.github.com>
Truxnell 2024-04-16 15:14:06 +10:00 committed by GitHub
parent 80e008a1ec
commit ccd8e800df
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
83 changed files with 1617 additions and 708 deletions


@ -17,6 +17,7 @@
"lockFileMaintenance": {
"enabled": "true",
"automerge": "true",
"schedule": [ "before 4am on Sunday" ],
},
"regexManagers": [


@ -1,29 +1,33 @@
{
// auto update up to major
"packageRules": [
{
// auto update up to major
"matchDatasources": ['docker'],
"automerge": "true",
"automergeType": "branch",
"schedule": [ "before 4am on Sunday" ],
"matchUpdateTypes": [ 'minor', 'patch', 'digest'],
"matchPackageNames": [
'ghcr.io/onedr0p/sonarr',
'ghcr.io/onedr0p/readarr',
'ghcr.io/onedr0p/radarr',
'ghcr.io/onedr0p/lidarr',
'ghcr.io/onedr0p/prowlarr',
'ghcr.io/twin/gatus',
'ghcr.io/onedr0p/prowlarr'
],
},
// auto update up to minor
{
"matchDatasources": ['docker'],
"automerge": "true",
"automergeType": "branch",
"schedule": [ "before 4am on Sunday" ],
"matchUpdateTypes": [ 'patch', 'digest'],
"matchPackageNames": [
'ghcr.io/twin/gatus',
"ghcr.io/gethomepage/homepage",
],
]
},
{
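Review bot: Both automerge rules in this section list `digest` in `matchUpdateTypes` together with `"automergeType": "branch"`, so an image re-pushed under the same tag is merged straight to the base branch and leaves no pull request to audit. The `+`/`-` markers are lost on this page, so which lines are new is inferred; the `"schedule"` entries appear to be the addition, and they only narrow when a merge happens, not what gets merged. Consider `"automergeType": "pr"` for these container rules so every bump leaves a reviewable record. The rules also write `"automerge": "true"` as a string where Renovate documents a boolean; `"automerge": true` avoids relying on coercion.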

55
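--- a/.github/workflows/docs-release.yaml
+++ b/.github/workflows/docs-release.yaml
@@ -0,0 +1,55 @@
+---
+name: "Docs: Release to GitHub pages"
+on:
+workflow_dispatch:
+push:
+branches:
+- main
+paths:
+- ".github/workflows/docs-release.yaml"
+- ".mkdocs.yml"
+- "docs/**"
+permissions:
+contents: write
+jobs:
+release-docs:
+name: Release documentation
+runs-on: ubuntu-22.04
+concurrency:
+group: ${{ github.workflow }}-${{ github.ref }}
+steps:
+- name: "Generate Short Lived OAuth App Token (ghs_*)"
+uses: actions/create-github-app-token@v1.9.3
+id: app-token
+with:
+app-id: "${{ secrets.TRUXNELL_APP_ID }}"
+private-key: "${{ secrets.TRUXNELL_APP_PRIVATE_KEY }}"
+- name: Checkout main branch
+uses: actions/checkout@v4
+with:
+token: ${{ steps.app-token.outputs.token }}
+fetch-depth: 0
+- uses: actions/setup-python@v5
+with:
+python-version: 3.x
+- name: Install requirements
+run: pip install -r docs/requirements.txt
+- name: Build and publish docs
+run: mkdocs build -f mkdocs.yml
+- name: Deploy
+uses: peaceiris/actions-gh-pages@v4.0.0
+if: ${{ github.ref == 'refs/heads/main' }}
+with:
+github_token: ${{ steps.app-token.outputs.token }}
+publish_dir: ./site
+destination_dir: docs
+user_name: "Trux-Bot[bot]"
+user_email: "Trux-Bot[bot] <19149206+trux-bot[bot]@users.noreply.github.com>"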
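Review bot: The GitHub App token minted in the first step is handed to `actions/checkout`, which by default stores it in the local git config, so the later `pip install -r docs/requirements.txt` and `mkdocs build` steps run third-party packages with that write-capable credential on disk. Checkout only needs to read the repository, so it can drop the `token:` input or at least set `persist-credentials: false`, leaving the app token to the Deploy step alone. The step that receives `secrets.TRUXNELL_APP_PRIVATE_KEY` and the deploy action are referenced by mutable tags (`@v1.9.3`, `@v4.0.0`); pinning them to a full commit SHA keeps a retagged release from ever seeing the key. Separately, the `paths:` filter lists `.mkdocs.yml` while the build reads `mkdocs.yml`, so edits to the real config file would not trigger a release.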


@ -14,7 +14,7 @@ keys:
- &citadel age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
- &rickenbacker age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
- &shodan age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
- &daedalus age1w3jtd4lecn2ng8qxantw33qxl2uasfqfjfpx45u6uweexwtxyq4spwssmh
- &daedalus age1jpeh4s553taxkyxhzlshzqjfrtvmmp5lw0hmpgn3mdnmgzku332qe082dl
creation_rules:
- path_regex: .*\.sops\.yaml$
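Review bot: The `&daedalus` recipient appears twice here with different age public keys, which reads as a key replacement; the page has lost the `+`/`-` markers, so which key is the new one is inferred from print order only. Changing the recipient in this file does not re-encrypt anything by itself: every file matched by `.*\.sops\.yaml$` has to go through `sops updatekeys` before the new host key can decrypt it and before the old key stops being a recipient, and the visible part of this commit does not show whether that was done. If the old key was retired because it may have been exposed, the secrets themselves should also be rotated, since earlier commits still hold ciphertext the old key can open. A comment beside the anchor such as `# daedalus host key replaced 2024-04; run sops updatekeys on all *.sops.yaml` would record the step.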

6
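--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -0,0 +1,6 @@
+{
+"cSpell.words": [
+"homelab",
+"Seafile"
+]
+}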


@ -38,37 +38,16 @@ To Install
- [ ] Bring over hosts
- [x] DNS01 Raspi4
- [x] DNS02 Raspi4
- [ ] NAS
- [x] NAS
- [x] Latop
- [x] Gaming desktop
- [ ] WSL
- [ ] JJY emulator Raspi4
- [ ] Documentation!
- [ ] ssh_config build from computers?
- [ ] Modularise host to allow vm builds and hw builds
- [ ] Add license
- [ ] Add taskfiles
## Network map
TBC
## Hardware
TBC
## Manifesto
Taking lead from the zen of python:
- Minimise dependencies, where required, explicitly define dependencies
- Use plain nix to solve problems over additional tooling
- Stable channel for stable machines. Unstable only where features are important.
- Modules for a specific service - Profiles for broad configuration of state.
- Write readable code - descriptive variable names and modules
- Keep functions/dependencies within the relevant module where possible
- Errors should never pass silently - use assert etc for misconfigurations
- Flat is better than nested - use built-in functions like map, filter, and fold to operate on lists or sets
- [x] Documentation!
- [x] ssh_config build from computers?
- [x] Modularise host to allow vm builds and hw builds
- [x] Add license
- [x] Add taskfiles
## Checklist


@ -0,0 +1,8 @@
*[CI]: Continuous Integration
*[PR]: Pull Request
*[HASS]: Home-assistant
*[k8s]: Kubernetes
*[YAML]: Yet Another Markup Language
*[JSON]: JavaScript Object Notation
*[ZFS]: Originally 'Zettabyte File System', a COW filesystem.
*[COW]: Copy on Write

Binary file not shown.


Binary file not shown.


Binary file not shown.


Binary file not shown.


Binary file not shown.


Binary file not shown.


Binary file not shown.


19
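--- a/docs/index.md
+++ b/docs/index.md
@@ -0,0 +1,19 @@
+👋 Welcome to my NixoOS home and homelab configuration. This monorepo is my personal :simple-nixos: nix/nixos setup for all my devices, specifically my homelab.
+This is the end result of a recovering :simple-kubernetes: k8s addict - who no longer enjoyed the time and effort I **personally** found it took to run k8s at home.
+## Why?
+Having needed a break from hobby's for some health related reasons, I found coming back to a unpatched cluster a chore, which was left unattented. Then a cheap SSD in my custom VyOS router blew, leading me to just put back in my Unifi Dreammachine router, which broke the custom DNS I was running for my cluster, which caused it issues.
+During fixing the DNS issue, a basic software upgrade for the custom k8s OS I was running k8s on broke my cluster for the 6th time running, coupled with using a older version of the script tool I used to manage its machine config yaml, which ended up leading to my 6th k8s disaster recovery :octicons-info-16:{ title="No I don't want to talk about it" }).
+Looking at my boring :simple-ubuntu: Ubuntu ZFS nas which just ran and ran and ran without needing TLC, and remembering the old days with Ubuntu + Docker Compose being hands-off :octicons-info-16:{ title="Too much hands off really as I auto-updated everything, but I digress" }), I dove into nix, with the idea of getting back to basics of boring proven tools, with the power of nix's declarative system.
+## Goals
+One of my goals is to bring what I learnt running k8s at home with some of the best homelabbers, into the nix world and see just how much of the practices I learnt I can apply to a nix setup, while focussing on having a solid, reliable, setup that I can leave largely unattended for months without issues cropping up.
+The goal of this doc is for me to slow down a bit and jot down how and why I am doing what im doing in a module, and cover how I have approached the faucets of homelabbing, so **YOU** can understand, steal with pride from my code, and hopefully(?) learn a thing or two.
+To _teach me_ a thing or two, contact me or raise a Issue. PR's may or may not be taken as a personal attack - this is my home setup after all.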

109
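--- a/docs/maintenance/backups.md
+++ b/docs/maintenance/backups.md
@@ -0,0 +1,109 @@
+# Backups
+Nightly Backups are facilitated by NixOS's module for [restic](https://search.nixos.org/options?channel=23.11&from=0&size=50&sort=relevance&type=packages&query=services.restic.) module and a helper module ive written.
+This does a nightly ZFS snapshot, in which apps and other mutable data is restic backed up to both a local folder on my NAS and also to Cloudflare R2 :octicons-info-16:{ title="R2 mainly due to the cheap cost and low egrees fees" }). Backing up from a ZFS snapshot ensures that the restic backup is consistent, as backing up files in use (especially a sqlite database) will cause corruption. Here, all restic jobs are backing up as per the 2.05 snapshot, regardless of when they run that night.
+Another benefit of this approach is that it is service agnostic - containers, nixos services, qemu, whatever all have files in the same place on the filesystem (in the persistant folder) so they can all be backed up in the same fashion.
+The alternative is to shutdown services during backup (which could be facilitaed with the restic backup pre/post scripts) but ZFS snapshots are a godsend in this area, and im already running them for impermanence.
+!!! info "Backing up without snapshots/shutdowns?"
+This is a pattern I see a bit too - if you are backing up files raw without stopping your service beforehand you might want to check to ensure your backups aren't corrupted.
+The timeline then is:
+| time | activity |
+| ------------- | -------------------------------------------------------------------------------------------------------------------------------- |
+| 02.00 | ZFS deletes prior snapshot and creates new one, to `rpool/safe/persist@restic_nightly_snap` |
+| 02.05 - 04.05 | Restic backs up from new snapshot's hidden read-only mount `.zfs` with random delays per-service - to local and remote locations |
+## Automatic Backups
+I have added a sops secret for both my local and remote servers in my restic module :simple-github: [/nixos/modules/nixos/services/restic/](https://github.com/truxnell/nix-config/blob/main/nixos/modules/nixos/services/restic/default.nix). This provides the restic password and 'AWS' credentials for the S3-compatible R2 bucket.
+Backups are created per-service in each services module. This is largely done with a `lib` helper ive written, which creates both the relevant restic backup local and remote entries in my nixosConfiguration.
+:simple-github: [nixos/modules/nixos/lib.nix](https://github.com/truxnell/nix-config/blob/main/nixos/modules/nixos/lib.nix)
+!!! question "Why not backup the entire persist in one hit?"
+Possibly a hold over from my k8s days, but its incredibly useful to be able to restore per-service, especially if you just want to move an app around or restore one app. You can always restore multiple repos with a script/taskfile.
+NixOS will create a service + timer for each job - below shows the output for a prowlarr local/remote backup.
+```bash
+truxnell@daedalus ~> systemctl list-unit-files | grep restic-backups-prowlarr
+restic-backups-prowlarr-local.service linked enabled
+restic-backups-prowlarr-remote.service linked enabled
+restic-backups-prowlarr-local.timer enabled enabled
+restic-backups-prowlarr-remote.timer enabled enabled
+```
+NixOS (as of 23.05 IIRC) now provides shims to enable easy access to the restic commands with the correct env vars mounted same as the service.
+```bash
+truxnell@daedalus ~ [1]> sudo restic-prowlarr-local snapshots
+repository 9d9bf357 opened (version 2, compression level auto)
+ID Time Host Tags Paths
+---------------------------------------------------------------------------------------------------------------------
+293dad23 2024-04-15 19:24:37 daedalus /persist/.zfs/snapshot/restic_nightly_snap/containers/prowlarr
+24938fe8 2024-04-16 12:42:50 daedalus /persist/.zfs/snapshot/restic_nightly_snap/containers/prowlarr
+---------------------------------------------------------------------------------------------------------------------
+2 snapshots
+```
+## Manually backing up
+They are a systemd timer/service so you can query or trigger a manual run with `systemctl start restic-backups-<service>-<destination>` Local and remote work and function exactly the same, querying remote it just a fraction slower to return information.
+```bash
+truxnell@daedalus ~ > sudo systemctl start restic-backups-prowlarr-local.service
+< no output >
+truxnell@daedalus ~ [1]> sudo restic-prowlarr-local snapshots
+repository 9d9bf357 opened (version 2, compression level auto)
+ID Time Host Tags Paths
+---------------------------------------------------------------------------------------------------------------------
+293dad23 2024-04-15 19:24:37 daedalus /persist/.zfs/snapshot/restic_nightly_snap/containers/prowlarr
+24938fe8 2024-04-16 12:42:50 daedalus /persist/.zfs/snapshot/restic_nightly_snap/containers/prowlarr
+---------------------------------------------------------------------------------------------------------------------
+2 snapshots
+truxnell@daedalus ~> date
+Tue Apr 16 12:43:20 AEST 2024
+truxnell@daedalus ~>
+```
+## Restoring a backup
+Testing a restore (would do --target / for a real restore)
+Would just have to pause service, run restore, then re-start service.
+```bash
+truxnell@daedalus ~ [1]> sudo restic-lidarr-local restore --target /tmp/lidarr/ latest
+repository a2847581 opened (version 2, compression level auto)
+[0:00] 100.00% 2 / 2 index files loaded
+restoring <Snapshot b96f4b94 of [/persist/nixos/lidarr] at 2024-04-14 04:19:41.533770692 +1000 AEST by root@daedalus> to /tmp/lidarr/
+Summary: Restored 52581 files/dirs (11.025 GiB) in 1:37
+```
+## Failed backup notifications
+Failed backup notifications are baked-in due to the global Pushover notification on SystemD unit falure. No config nessecary
+Here I tested it by giving the systemd unit file a incorrect path.
+<figure markdown="span">
+![Screenshot of a pushover notification of a failed backup](../includes/assets/pushover-failed-backup.png)
+<figcaption>A deliberately failed backup to test notifications, hopefully I don't see a real one.</figcaption>
+</figure>
+## Disabled backup warnings
+Using [module warnings](https://nlewo.github.io/nixos-manual-sphinx/development/assertions.xml.html), I have also put in warnings into my NixOS modules if I have disabled a warning on a host _that isnt_ a development machine, just in case I do this or mixup flags on hosts. Roll your eyes, I will probably do it.
+This will pop up when I do a dry run/deployment - but not abort the build.
+<figure markdown="span">
+![Screenshoft of nixos warning of disabled backups](../includes/assets/no-backup-warning.png)
+<figcaption>It is eye catching thankfully</figcaption>
+</figure>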


@ -0,0 +1,122 @@
# Software updates
Its crucial to update software regularly - but a homelab isn't a google play store you forget about and let it do its thing. How do you update your software stack regular without breaking things?
## Continuous integration
Continuous integration (CI) is running using :simple-githubactions: [Github Actions](https://github.com/features/actions) and [Garnix](https://Garnix.io). I have enabled branch protection rules to ensure all my devices successfully build before a PR is allowed to be pushed to main. This ensures I have a level of testing/confidence that an update of a device from the main branch will not break anything.
<figure markdown="span">
![Screenshot of passed CI checks on GitHub Repository](../includes/assets/ci-checks.png)
<figcaption>Lovely sea of green passed checks</figcaption>
</figure>
## Binary Caching
Binary caching is done for me by [Garnix](https://Garnix.io) which is an amazing tool. I can then add them as [substituter](https://wiki.nixos.org/wiki/Binary_Cache#Binary_cache_hint_in_Flakes). These run each push to _any_ branch and cache the build results for me. Even better, I can hook into them as above for CI purposes.
No code to show here, you add it as an app to your github repo and it 'Just Works :tm:'
```nix
# Substitutions
substituters = [ "https://cache.garnix.io" ];
trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
];
```
<figure markdown="span">
![Screenshot of Garnix Cache build tests passing](../includes/assets/ci-checks-garnix.png)
<figcaption>Lovely sea of green passed checks</figcaption>
</figure>
## Flake updates
Github repo updates are provided by :simple-renovatebot: [Renovate](https://www.mend.io/renovate/) by [Mend](https://mend.io). These are auto-merged on a weekly schedule after passing CI. The settings can be found at :simple-github: [/main/.github/renovate.json5](https://github.com/truxnell/nix-config/blob/main/.github/renovate.json5)
The primary CI is a Garnix build, which Is already building and caching all my systems. Knowing all of the systems have built and cached goes a huge way toward ensuring main is a stable branch.
## Docker container updates
Container updates are provided by :simple-renovatebot: [Renovate](https://www.mend.io/renovate/) by [Mend](https://mend.io). These will either be manually merged after I have checked the upstream projects notes for breaking changes _or_ auto-merged based on settings I have in :simple-github: [/.github/renovate/autoMerge.json5](https://github.com/truxnell/nix-config/blob/dev2/.github/renovate/autoMerge.json5).
!!! info "Semantic Versioning summary"
Semantic Versioning blurb is a format of MAJOR.MINOR.PATCH:<br>
MAJOR version when you make incompatible API changes (e.g. 1.7.8 -> 2.0.0)<br>
MINOR version when you add functionality in a backward compatible manner (e.g. 1.7.8 -> 1.8.0)<br>
PATCH version when you make backward compatible bug fixes (e.g. 1.7.8 -> 1.7.9)<br>
The auto-merge file allows me to define a pattern of which packages I want to auto-merge based on the upgrade type Renovate is suggesting. As many packages adhere to [Semantic Versioning](https://semver.org/ "A standard for version numbers to indicate type of upgrade"), I can determine how I 'feel' about the project, and decide to auto-merge specific tags. So for example, Sonarr has been reliable for me so I am ok merging all digest, patch and minor updates. I will always review a a major update, as it is likely to contain a breaking change.
!!! warning "Respect pre-1.0.0 software!"
Semantic Versioning also specifies that all software before 1.0.0 may have a breaking change **AT ANY TIME**. Auto update pre 1.0 software at your own risk!
The rational here is twofold. One is obvious - The entire point of doing Nix is reproducibility - what is the point of having flakes and SHA tags to provide the ability
Also, I dont wan't a trillion PR's in my github repo waiting, but I also will not blindly update everything. There is **a balance** between updating for security/patching purposes and avoiding breaking changes. I know its popular to use `:latest` tag and a auto-update service like [watchtower](https://github.com/containrrr/watchtower) - trust me this is a bad idea.
<figure markdown="span">
![Alt text](../includes/assets/home-cluster-pr.png)
<figcaption>I only glanced away from my old homelab for a few months...</figcaption>
</figure>
!!! info "Automatically updating **all versions** of containers will break things eventually!"
This is simply because projects from time to time will release breaking changes - totally different database schemas, overhaul config, replace entire parts of their software stack etc. If you let your service update totally automatically without checking for these you will wake up to a completely broken service like I did many, many years ago when Seafile did a major upgrade.
Container updates are provided by a custom regex that matches my format for defining images in my nix modules.
```yaml
"regexManagers": [
{
fileMatch: ["^.*\\.nix$"],
matchStrings: [
'image *= *"(?<depName>.*?):(?<currentValue>.*?)(@(?<currentDigest>sha256:[a-f0-9]+))?";',
],
datasourceTemplate: "docker",
}
],
```
And then I can pick and choose what level (if any) I want for container software. The below gives me brackets I can put containers in to enable auto-merge depending on how much I much i trust the container maintainer.
```yaml
"packageRules": [
{
// auto update up to major
"matchDatasources": ['docker'],
"automerge": "true",
"automergeType": "branch",
"matchUpdateTypes": [ 'minor', 'patch', 'digest'],
"matchPackageNames": [
'ghcr.io/onedr0p/sonarr',
'ghcr.io/onedr0p/readarr',
'ghcr.io/onedr0p/radarr',
'ghcr.io/onedr0p/lidarr',
'ghcr.io/onedr0p/prowlarr'
'ghcr.io/twin/gatus',
]
},
// auto update up to minor
{
"matchDatasources": ['docker'],
"automerge": "true",
"automergeType": "branch",
"matchUpdateTypes": [ 'patch', 'digest'],
"matchPackageNames": [
"ghcr.io/gethomepage/homepage",
]
}
]
```
Which results in automated PR's being raised - and **possibly** automatically merged into main if CI passes.
<figure markdown="span">
![Alt text](../includes/assets/renovate-pr.png)
<figcaption>Thankyou RenovateBot!</figcaption>
</figure>


@ -0,0 +1,89 @@
# SystemD pushover notifications
Keeping with the goal of simple, I put together a `curl` script that can send me a pushover alert. I originally tied this to individual backups, until I realised how powerful it would be to just have it tied to every SystemD service globally.
This way, I would never need to worry or consider _what_ services are being created/destroyed and repeating myself _ad nauseam_.
!!! question "Why not Prometheus?"
I ran Prometheus/AlertManager for many years and well it can be easy to get TOO many notifications depending on your alerts, or to have issues with the big complex beast it is itself, or have alerts that trigger/reset/trigger (i.e. HDD temps).
This gives me native, simple notifications I can rely on using basic tools - one of my design principles.
Immediately I picked up with little effort:
- Pod ~~crashloop~~ failed after too many quick restarts
- Native service failure
- Backup failures
- AutoUpdate failure
- etc
<figure markdown="span">
![Screenshot of Cockpit web ui showing various pushover notification units](../includes/assets/cockpit-systemd-notifications.png)
<figcaption>NixOS SystemD built-in notifications for all occasions</figcaption>
</figure>
## Adding to all services
This is accomplished in :simple-github:[/nixos/modules/nixos/system/pushover](https://github.com/truxnell/nix-config/blob/main/nixos/modules/nixos/system/pushover/default.nix), with a systemd service `notify-pushover@`.
This can then be called by other services, which I setup with adding into my options:
```nix
options.systemd.services = mkOption {
type = with types; attrsOf (
submodule {
config.onFailure = [ "notify-pushover@%n.service" ];
}
);
```
This adds into every systemd NixOS generates the "notify-pushover@%n.service", where the [systemd specifiers](https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Specifiers") are injected with `scriptArgs`, and the simple bash script can refer to them as `$1` etc.
```nix
systemd.services."notify-pushover@" = {
enable = true;
onFailure = lib.mkForce [ ]; # cant refer to itself on failure (1)
description = "Notify on failed unit %i";
serviceConfig = {
Type = "oneshot";
# User = config.users.users.truxnell.name;
EnvironmentFile = config.sops.secrets."services/pushover/env".path; # (2)
};
# Script calls pushover with some deets.
# Here im using the systemd specifier %i passed into the script,
# which I can reference with bash $1.
scriptArgs = "%i %H"; # (3)
# (4)
script = ''
${pkgs.curl}/bin/curl --fail -s -o /dev/null \
--form-string "token=$PUSHOVER_API_KEY" \
--form-string "user=$PUSHOVER_USER_KEY" \
--form-string "priority=1" \
--form-string "html=1" \
--form-string "timestamp=$(date +%s)" \
--form-string "url=https://$2:9090/system/services#/$1" \
--form-string "url_title=View in Cockpit" \
--form-string "title=Unit failure: '$1' on $2" \
--form-string "message=<b>$1</b> has failed on <b>$2</b><br><u>Journal tail:</u><br><br><i>$(journalctl -u $1 -n 10 -o cat)</i>" \
https://api.pushover.net/1/messages.json 2&>1
'';
```
1. Force exclude this service from having the default 'onFailure' added
2. Bring in pushover API/User ENV vars for script
3. Pass SystemD specifiers into script
4. Er.. script. Nix pops it into a shell script and refers to it in the unit.
!!! bug
I put in a nice link direct to Cockpit for the specific machine/service in question that doesnt _quite_ work yet... (:octicons-issue-opened-16: [#96](https://github.com/truxnell/nix-config/issues/96))
## Excluding from a services
Now we may not want this on ALL services. Especially the pushover-notify service itself. We can exclude this from a service using Nix `nixpkgs.lib.mkForce`
```nix
# Over-write the default pushover
systemd.services."service".onFailure = lib.mkForce [ ] option.
```


@ -0,0 +1,33 @@
I've added warnings and assertations to code using nix to help me avoid misconfigurations. For example, if a module needs a database enabled, it can abort a deployment if it is not enabled. Similary, I have added warnings if I have disabled backups for production machines.
!!! question "But why, when its not being shared with others?"
Because I guarentee ill somehow stuff it up down the track and accidently disable things I didnt mean to. Roll your eyes, Ill thank myself later.
> Learnt from: [Nix Manual](https://nlewo.github.io/nixos-manual-sphinx/development/assertions.xml.html)
## Warnings
Warnings will print a warning message duyring a nix build or deployment, but **NOT** stop the action. Great for things like reminders on disabled features
To add a warning inside a module:
```nix
# Warn if backups are disable and machine isn't a dev box
config.warnings = [
(mkIf (!cfg.local.enable && config.mySystem.purpose != "Development")
"WARNING: Local backups are disabled!")
(mkIf (!cfg.remote.enable && config.mySystem.purpose != "Development")
"WARNING: Remote backups are disabled!")
];
```
<figure markdown="span">
![Alt text](../includes/assets/no-backup-warning.png)
<figcaption>Oh THATS what I forgot to re-enable...</figcaption>
</figure>
## Abort/assert
Warnings bigger and meaner brother. Stops a nix build/deploy dead in its tracks. Only useful for when deployment is incompatiable with running - i.e. a dependency not met in options.

43
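--- a/docs/motd.md
+++ b/docs/motd.md
@@ -0,0 +1,43 @@
+# Message of the day
+Why not include a nice message of the day for each server I log into?
+The below gives some insight into what the servers running, status of zpools, usage, etc.
+While not show below - thankfully - If a zpool error is found the status gives a full `zpool status -x` debrief which is particulary eye-catching upon login.
+![Alt text](motd.png)
+Code TLDR
+:simple-github:[/nixos/modules/nixos/system/motd](https://github.com/truxnell/nix-config/blob/462144babe7e7b2a49a985afe87c4b2f1fa8c3f9/nixos/modules/nixos/system/motd/default.nix])
+Write a shell script using nix with a bash motd
+```nix
+let
+motd = pkgs.writeShellScriptBin "motd"
+''
+#! /usr/bin/env bash
+source /etc/os-release
+service_status=$(systemctl list-units | grep podman-)
+<- SNIP ->
+printf "$BOLDService status$ENDCOLOR\n"
+'';
+in
+```
+This gets us a shells script we can then directly call into systemPackages - and after that its just a short hop to make this part of the shell init.
+!!! note
+Replace with your preferred shell!
+```nix
+environment.systemPackages = [
+motd
+];
+programs.fish.interactiveShellInit = ''
+motd
+'';
+```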

BIN
docs/motd.png Normal file

Binary file not shown.


12
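--- a/docs/overview/design.md
+++ b/docs/overview/design.md
@@ -0,0 +1,12 @@
+# Design principles
+Taking some lead from the [Zen of Python](https://peps.python.org/pep-0020/):
+- Minimise dependencies, where required, explicitly define dependencies
+- Use plain Nix & bash to solve problems over additional tooling
+- Stable channel for stable machines. Unstable only where features are important.
+- Modules for a specific service - Profiles for broad configuration of state.
+- Write readable code - descriptive variable names and modules
+- Keep functions/dependencies within the relevant module where possible
+- Errors should never pass silently - use assert etc for misconfigurations
+- Flat is better than nested - use built-in functions like map, filter, and fold to operate on lists or sets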

10
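--- a/docs/overview/features.md
+++ b/docs/overview/features.md
@@ -0,0 +1,10 @@
+# Features
+Some things I'm proud of. Or just happy they exist so I can forget about something until I need to worry.
+<div class="grid cards" markdown>
+- :octicons-copy-16: [__Nightly Backups__](/maintenance/backups/)<br>A ZFS snapshot is done at night, with restic then backing up to both locally and cloud. NixOS wrappers make restoring a single command line entry.<br><br>ZFS snapshot before backup is important to ensure restic isnt backing up files that are in use, which would cause corruption.
+- :material-update: [__Software Updates__](/maintenance/software_updates/)<br>Renovate Bot regulary runs on this Github repo, updating the flake lockfile, containers and other dependencies automatically.<br><br> Automerge is enabled for updates I expect will be routine, but waits for manual PR approval for updates I suspect may require reading changelog for breaking changes
+- :ghost: __Impermance__:<br>Inspried by the [Erase your Darlings](https://grahamc.com/blog/erase-your-darlings/) post, Servers run zfs and rollback to a blank snapshot at night. This ensures repeatable NixOS deployments and no cruft, and also hardens servers a little.
+- :material-alarm-light: __SystemD Notifications__:<br>Systemd hook that adds a pushover notification to __any__ systemd unit failure for any unit NixOS is aware of. No worrying about forgetting to add a notification to every new service or worrying about missing one.
+</div>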

19
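--- a/docs/overview/goals.md
+++ b/docs/overview/goals.md
@@ -0,0 +1,19 @@
+# Goals
+When I set about making this lab I had a number of goals - I wonder how well I will do :thinking:?
+A master list of ideas/goals/etc can be found at :octicons-issue-tracks-16: [Issue #1](https://github.com/truxnell/nix-config/issues/1)
+<div class="grid cards" markdown>
+- __:material-sword: Stability__ <br>NixOS stable channel for core services unstable for desktop apps/non-mission critical where desired. Containers with SHA256 pinning for server apps
+- __:kiss: KISS__<br>Keep it Simple, use boring, reliable, trusted tools - not todays flashy new software repo
+- __:zzz: Easy Updates__<br>Weekly update schedule, utilizing Renovate for updating lockfile and container images. Autoupdates enabled off main branch for mission critical. Aim for 'magic rollback' on upgrade failure
+- __:material-cloud-upload: Backups__<br>Nightly restic backups to both cloud and NAS. All databases to have nightly backups. _Test backups regulary_
+- __:repeat: Reproducability__<br>Flakes & Git for version pinning, SHA256 tags for containers.
+- __:alarm_clock: Monitoring__<br>Automated monitoring on failure & critical summaries, using basic tools. Use Gatus for both internal and external monitoring
+- __:clipboard: Continuous Integration__<br>CI against main branch to ensure all code compiles OK. Use PR's to add to main and dont skip CI due to impatience
+- __:material-security: Security__<br>Dont use containers with S6 overlay/root (i.e. LSIO :grey_question:{ title="LSIO trades security for convenience with their container configuration" }). Expose minimal ports at router, Reduce attack surface by keeping it simple, review hardening containers/podman/NixOS
+- __:fontawesome-solid-martini-glass-citrus: Ease of administration__<br>Lean into the devil that is SystemD - and have one standard interface to see logs, manipulate services, etc. Run containers as podman services, and webui's for watching/debugging
+- __:simple-letsencrypt: Secrets__ _~ssshh~.._<br>[Sops-nix](https://github.com/Mic92/sops-nix) for secrets, living in my gitrepo. Avoid cloud services like I used in k8s (i.e. [Doppler.io](https://doppler.io))
+</div>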

1
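--- a/docs/overview/options.md
+++ b/docs/overview/options.md
@@ -0,0 +1 @@
+Explain mySystem and myHome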


@ -0,0 +1,34 @@
# Repository Structure
!!! note inline end
Oh god writing this now is a horrid idea, I always refactor like 50 times...
Here is a bit of a walkthrough of the repository structure so ~~you~~ I can have a vague idea on what is going on. Organizing a monorepo is hard at the best of times.
<br><br><br>
```
├── .github
│ ├── renovate Renovate modules
│ ├── workflows Github Action workflows (i.e. CI/Site building)
│ └── renovate.json5 Renovate core settings
├── .taskfiles go-task file modules
├── docs This mkdocs-material site
│ nixos Nixos Modules
│ └── home home-manager nix files
│ ├── modules home-manager modules
│ └── truxnell home-manager user
│ ├── hosts hosts for nix - starting point of configs.
│ ├── modules nix modules
│ ├── overlays nixpkgs overlays
│ ├── pkgs custom nix packages
│ └── profiles host profiles
├── README.md Github Repo landing page
├── flake.nix Core flake
├── flake.lock Lockfile
├── LICENSE Project License
├── mkdocs.yml mkdocs settings
└── Taskfile.yaml go-task core file
```
Whew that wasnt so hard right... right?

6
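--- a/docs/requirements.txt
+++ b/docs/requirements.txt
@@ -0,0 +1,6 @@
+mkdocs~=1.5,>=1.5.3
+mkdocs-material~=9.4
+mkdocs-material-extensions~=1.2
+pygments~=2.16
+pymdown-extensions~=10.2
+mkdocs-minify-plugin~=0.7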
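Review bot: None of the six requirements is pinned to an exact version or a hash; every entry is a compatible-release range (`~=`), so two runs of the docs build can install different code. Whatever job installs this file therefore resolves whichever release the package index serves at build time, which is at odds with the pinning goal stated elsewhere in this commit's docs. Pin each line exactly, for example `mkdocs==1.5.3` (the floor the first line already names), and generate hashes so the install can run with pip's `--require-hashes`. Renovate, already used in this repository, can then raise the pins as reviewed changes.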


@ -0,0 +1,3 @@
## Container images
Dont use LSIO!


@ -2,4 +2,7 @@
* Dont make conditional imports (nix needs to resolve imports upfront)
* can pass between nixos and home-manager with config.homemanager.users.<X>.<y> and osConfig.<x?
* when adding home-manager to existing setup, the home-manager service may fail due to trying to over-write existing files in `~`. Deleting these should allow the service to start
* yaml = json, so using nix + builtins.toJSON a lot (and repl to vscode for testing)
* yaml = json, so using nix + builtins.toJSON a lot (and repl to vscode for testing)
checking values:
# https://github.com/NixOS/nixpkgs/blob/90055d5e616bd943795d38808c94dbf0dd35abe8/nixos/modules/config/users-groups.nix#L116


@ -1,3 +0,0 @@
sops-nix for secrets
nixos substituters
nix nvd post build


@ -1,52 +0,0 @@
Nightly Backups are facilitated by nixos restic module & a helper module ive written.
These run to my NAS 'local' and cloudflare R2 'remote'
They are a systemd timer/service so you can query or trigger a manual run with
```bash
truxnell@daedalus ~> systemctl status restic-backups-lidarr-local.timer
● restic-backups-lidarr-local.timer
Loaded: loaded (/etc/systemd/system/restic-backups-lidarr-local.timer; enabled; preset: enabled)
Active: active (waiting) since Sat 2024-04-13 19:50:23 AEST; 12h ago
Trigger: Mon 2024-04-15 03:03:22 AEST; 18h left
Triggers: ● restic-backups-lidarr-local.service
truxnell@daedalus ~> systemctl status restic-backups-lidarr-local.service
○ restic-backups-lidarr-local.service
Loaded: loaded (/etc/systemd/system/restic-backups-lidarr-local.service; linked; preset: enabled)
Active: inactive (dead) since Sun 2024-04-14 04:20:02 AEST; 4h 14min ago
TriggeredBy: ● restic-backups-lidarr-local.timer
Process: 774197 ExecStartPre=/nix/store/vw03a7pxjj1sf59rk1p65nbv1jjwba1b-unit-script-restic-backups-lidarr-local-pre-start/bin/restic-backups-lidarr-local-pre-start (code=exited, status=0/SUCCESS)
Process: 774210 ExecStart=/nix/store/cbg69gn45canlna2fsy7y9g72kv5q9y3-restic-0.16.4/bin/restic backup --exclude-file=/nix/store/bk1cxh78aaxbnh22jcxw18jadhk7j2b7-exclude-patterns --files-from=/run/restic-backups-lidarr-local/includes >
Process: 774239 ExecStart=/nix/store/cbg69gn45canlna2fsy7y9g72kv5q9y3-restic-0.16.4/bin/restic forget --prune --keep-daily 7 --keep-weekly 5 --keep-monthly 12 (code=exited, status=0/SUCCESS)
Process: 774251 ExecStart=/nix/store/cbg69gn45canlna2fsy7y9g72kv5q9y3-restic-0.16.4/bin/restic check (code=exited, status=0/SUCCESS)
Process: 774381 ExecStopPost=/nix/store/nk9a304p38yxfgb6f63s6nq1c4icjplb-unit-script-restic-backups-lidarr-local-post-stop/bin/restic-backups-lidarr-local-post-stop (code=exited, status=0/SUCCESS)
Main PID: 774251 (code=exited, status=0/SUCCESS)
IP: 0B in, 0B out
CPU: 21.961s
```
Checking snapshots
```bash
truxnell@daedalus ~ [3]> sudo restic-lidarr-local snapshots
repository a2847581 opened (version 2, compression level auto)
ID Time Host Tags Paths
----------------------------------------------------------------------------
aef44e7c 2024-04-13 19:56:14 daedalus /persist/nixos/lidarr
b96f4b94 2024-04-14 04:19:41 daedalus /persist/nixos/lidarr
----------------------------------------------------------------------------
```
Testing a restore (would do --target / for a real restore)
Would just have to pause service, run restore, then re-start service.
```bash
truxnell@daedalus ~ [1]> sudo restic-lidarr-local restore --target /tmp/lidarr/ latest
repository a2847581 opened (version 2, compression level auto)
[0:00] 100.00% 2 / 2 index files loaded
restoring <Snapshot b96f4b94 of [/persist/nixos/lidarr] at 2024-04-14 04:19:41.533770692 +1000 AEST by root@daedalus> to /tmp/lidarr/
Summary: Restored 52581 files/dirs (11.025 GiB) in 1:37
```


@ -1,8 +0,0 @@
stable channel for reliable services, with unstable for desktop apps, containers for 'server' apps
renovate for automated lockfile and container updates
strong CI on all PR's to ensure system updates from main branch are reliable
leans into systemd, meaning everything can be managed, viewed and debugged with a consistent interface (Ive come around to loving systemd...)
cockpit on all servers for easy viewing of stauts logs, etc
sops-nix for secrets
nightly restic backups (diff) to local and cloud, with failure notifications and simple command-line wrapper for restores
gatus monitoring for apps, dns and servers, dynamicaly built from nix across all enabled nodes


@ -1,11 +0,0 @@
SHODAN = lab01
XERXES = lab02
DURANDAL = dns01
dns02
pikvm
CITADEL = gaming pc
HYPERION = laptop

94
mkdocs.yml Normal file

@ -0,0 +1,94 @@
site_name: Truxnell's NixOS homelab
site_author: truxnell
# Repository
repo_name: truxnell/nix-config
repo_url: https://github.com/truxnell/nix-config
docs_dir: ./docs
site_dir: ./site
copyright: Copyright &copy; 2024 Nat Allan
theme:
name: material
# custom_dir: ../../docs/overrides
features:
- announce.dismiss
- content.code.annotate
- content.code.copy
- navigation.expand
- navigation.indexes
- navigation.path
# - navigation.sections
- navigation.footer
# - navigation.tabs
- navigation.top
- search.suggest
palette:
- scheme: slate
media: "(prefers-color-scheme: light)"
primary: black
accent: indigo
toggle:
icon: material/brightness-4
name: Switch to light mode
- scheme: default
media: "(prefers-color-scheme: dark)"
toggle:
icon: material/brightness-7
name: Switch to dark mode
font:
text: Roboto
code: Roboto Mono
icon:
logo: simple/nixos
annotations: material/chat-question
# Plugins
plugins:
- search:
separator: '[\s\u200b\-_,:!=\[\]()"`/]+|\.(?!\d)|&[lg]t;|(?!\b)(?=[A-Z][a-z])'
- minify:
minify_html: true
# Extensions
markdown_extensions:
- admonition
- abbr
- attr_list
- md_in_html
- pymdownx.emoji:
emoji_index: !!python/name:material.extensions.emoji.twemoji
emoji_generator: !!python/name:material.extensions.emoji.to_svg
- pymdownx.highlight:
anchor_linenums: true
line_spans: __span
pygments_lang_class: true
- pymdownx.inlinehilite
- pymdownx.caret
- pymdownx.tilde
- pymdownx.snippets:
check_paths: true
auto_append:
- ./docs/includes/abbreviations.md
- pymdownx.superfences
- toc:
permalink: true
toc_depth: 3
nav:
- readme.md: index.md
- Overview:
- Goals: overview/goals.md
- Features: overview/features.md
- Design Principals: overview/design.md
- Structure: overview/structure.md
- Maintenance:
- Software Updates: maintenance/software_updates.md
- Backups: maintenance/backups.md
- Monitoring:
- SystemD failures: monitoring/systemd.md
- Nix Warnings: monitoring/warnings.md
- Other Features:
- MOTD: motd.md
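Review bot: The two `palette` entries look crossed: `scheme: slate` (the dark scheme) is bound to `media: "(prefers-color-scheme: light)"` and `scheme: default` to `media: "(prefers-color-scheme: dark)"`, so a reader whose browser asks for a light theme is served the dark one and vice versa. The toggle names ("Switch to light mode" under `slate`) match the scheme rather than the media query, which suggests only the `media` values were swapped. Use `media: "(prefers-color-scheme: dark)"` under `slate` and `media: "(prefers-color-scheme: light)"` under `default`. The `default` entry also carries no `primary`/`accent`, so it falls back to the theme's own colours rather than the black/indigo set on the first entry.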


@ -11,25 +11,25 @@
];
mySystem.purpose = "Network Attached Storage";
mySystem.services = {
openssh.enable = true;
#containers
podman.enable = true;
traefik.enable = true;
homepage.enable = true;
sonarr.enable = true;
radarr.enable = true;
lidarr.enable = true;
readarr.enable = true;
gatus.enable = true;
sabnzbd.enable = true;
qbittorrent.enable = true;
prowlarr.enable = true;
backrest.enable = true;
};
mySystem.nasFolder = "/tank";
mySystem.system.resticBackup.local.location = "/tank/backup/nixos/nixos";
mySystem.system = {
zfs.enable = true;


@ -6,21 +6,34 @@
, pkgs
, ...
}: {
mySystem.purpose = "Development";
mySystem.services = {
openssh.enable = true;
podman.enable = true;
traefik.enable = true;
gatus.enable = true;
homepage.enable = true;
backrest.enable = true;
plex.enable = true;
tautulli.enable = true;
syncthing.enable = true;
};
mySystem.nfs.nas.enable = true;
mySystem.persistentFolder = "/persistent/nixos";
mySystem.persistentFolder = "/persistent";
mySystem.system.motd.networkInterfaces = [ "eno1" ];
# Dev machine
mySystem.system.resticBackup =
{
local.enable = false;
remote.enable = false;
};
boot = {
initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
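Review bot: This hunk shows both `mySystem.persistentFolder = "/persistent/nixos";` and `mySystem.persistentFolder = "/persistent";`, and the service modules later in this commit (lidarr, prowlarr, radarr, readarr) now append `containers/${app}` to that option, so the on-disk location of per-app state moves. Nothing visible here relocates existing directories; if the services enabled on this host follow the same pattern they would presumably start on empty state after the switch. With `local.enable = false;` and `remote.enable = false;` there would be no restic snapshot to fall back on. Expanding `# Dev machine` to something like `# Dev machine: restic disabled on purpose, state under /persistent/containers/<app> is disposable` would record that trade-off next to the setting. The attribute set this sits in starts and ends outside the hunk.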


@ -2,6 +2,4 @@
mySystem = import ./nixos;
}


@ -11,7 +11,8 @@ let
group = "568"; #string
port = 8686; #int
cfg = config.mySystem.services.${app};
persistentFolder = "${config.mySystem.persistentFolder}/${app}";
appFolder = "containers/${app}";
persistentFolder = "${config.mySystem.persistentFolder}/${appFolder}";
in
{
options.mySystem.services.${app} =
@ -85,11 +86,13 @@ in
conditions = [ "[CONNECTED] == true" "[STATUS] == 200" "[RESPONSE_TIME] < 50" ];
}];
services.restic.backups."${app}-local" = config.lib.mySystem.mkRestic
services.restic.backups = config.lib.mySystem.mkRestic
{
inherit app;
user = builtins.toString user;
excludePaths = [ "Backups" ];
paths = [ persistentFolder ];
paths = [ appFolder ];
inherit appFolder;
};
};
}
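Review bot: `paths = [ appFolder ];` hands `mkRestic` the relative string `containers/${app}`, where the same hunk also shows the absolute `persistentFolder`, and `inherit appFolder;` then passes the same value a second time. `mkRestic` is defined outside this page, so it cannot be confirmed here that it anchors relative entries to a known root. If it does not, restic would resolve them against the unit's working directory and the job would not cover the container's state. State the contract at the call site, e.g. `# paths are relative to the root mkRestic backs up from`, or drop `paths` and let `mkRestic` derive it from `appFolder`. The prowlarr, radarr and readarr modules further down make the same call, and the module body starts and ends outside these hunks.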


@ -1,6 +1,6 @@
services:
lidarr:
env: ENC[AES256_GCM,data:CNeLt9d/2eZhiazlJXKJzr3oLRvtMRLCJbNQ3ZEapLj3DwswxkC8SH4003DCCyyw98eDNzcTTwFpeu26nAuCmChJqNbyaD7j9k87xGgr+k+OjYdzUfaW3kNnz0dh2Ip2ryg7XTws9q/2laWlqyY=,iv:H2VVi2j0JI8WhawPXQKdMoHCK3S6SH1N9fwRXsz+sAw=,tag:o9ZEB1Pxogere0/gV9uHZQ==,type:str]
env: ENC[AES256_GCM,data:vRK+rty1lXFeqJZdVIsJolPn+LNNwx6nNEOUgXgXoj+o1apFvoAV1JnoYhq2/RR1V4LjmL32q1pZVjI/1YI+87HWh9q7dHwnP1sN5FYCzYZOcyIaGZ6E51dEUQ+CloYchTGAJAV5PruLjP9bsg4=,iv:5Pf3o2ujfdwhb6dBUq/QIWmW1nP6oAoE7E6F0dMlroY=,tag:a6RpL4QZ9PaVGAxMiynxVw==,type:str]
sops:
kms: []
gcp_kms: []
@ -10,59 +10,59 @@ sops:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4N1p4aFNmbit6ODBacUVO
bUh1Sk1oQWZwaUF0RW5UVTN5b1RHdnRjRXhVCm95cndpQjdmdGRTd1gxV3ZVS3NF
WUxrY1FyNkpKb0MzS0d0bjJvVFdVazQKLS0tIElPN0JqMkUvbmM0aWxVOFY3TkZh
dDRjb1l1dHcwNXpqY3YwVHdRR3FTYTQKlklHK/ARZQvcDBFa/am6aza1NdUl1mmP
bvP437PbtoSTZJNQCcRE1tv+3i4xC+OPVmuE7e5BJ/BBdHGSdyziPA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPSDZ0WnQxOU8wMlZ2bVFJ
QjRZN0EraklXQW5xck9IcG1ScjhGZzFQaVJRCllvcWVBQ3RWMGlLZG5MTzZBandy
RzhFNEJ4bHBnUXdLN3VGa1QxRkR0ak0KLS0tIG9MN0U1OXdYRjB4WkErTDJBL0ZC
SUhkckh1ZzVINndGcnJCajAzUzZwS3MKCy97fJlRCEhNKWivBLLZZgw6EIk+3AVR
GF31FXc1KiBeRwJcLUS91yh9QCr8VxapND3QlDLd/QU1iZ5Ig1xa2A==
-----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuLy9zY216TDBaTmdDcnJo
NWR0QzRXb3NyaDdHVExsSnJ4NlFKc1lMUnh3CjM2VGpBdjNMY3RJOGVMS054Z3Ji
elJPMzV3ZHA2anZUbmpXaDhoMnE3WjgKLS0tIFZndDQvcWhlVDM3U1piZnhOQzBu
bGpPemtXY1Z6NXNjc29JMDNBOG5Kc2cKcavrDAWBVmzjY7kO4PFve7oP/mSkrtLN
by6Y4jFH6ndySi5dZlPX+GeyVhlgOtV3CXIcojtVFSVSY4x6DxUARw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIMnEvS1F0bk1JdytNQko5
aVZWMm42NENSVVNhSXZkbmdyaGYrY3RXc1VzCjNpM0poQytQakxRSzlZaHR1Y3hy
TWdubElidlRIN0RpU2psN2E4SEtpUlEKLS0tIGxVZWUzdXh1SWdIeFF0bXRZTUMw
K0hPamkycVRNenBwZkwvaS9TSmR2ZEEKbORtRe2a2/5JR0eJprF4dTVPNJXNfbTv
ylzP9391GAJF+f0yDGxbrQAAwhtV0qsxDM8FPhs29sNZsWMl5MkPxQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0cktRZHlHMjFPa2x1QTJW
Y1RPS0lVRTQ3MmhRNW1zaEhxTkFzVWtIcFVrCkRFWHpTMU15bkFib1lHWkFJMGJ1
TStXaWN6eE9tU2RvNmNpMnQyWkdaM3MKLS0tIHhhQjBtd1FLcHlOV1Q1NG12MFlI
T2hpS1hYWnJUaUE3ZGFzVzFza0tjSEEKhnpYBWngmgWQfn756hmclB3oeEyFye70
Kd4PdabjMOECpMWAuFbPe/4tZW7K4Y/wqylQ+Z2oz3TkcLxrm6S+zQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUEgvNENua0NRdlVVWEZD
ZFpCTUpVYWJTR0Q2ZmJzVXZaUml4NkNxaTFzCkpZME1Ga0FoOVpHWmJpWHNvVEFV
d1V2VTUrdWZORTc0UWpSSFV2OTJaeFEKLS0tIGxGMnlxWTF1aTVLdUhWVExsNklJ
d1V6MFFobTZkVkRCay9VSnFBcVdZWkEKUOAmq6IEH1o+YAxlMgHVQCwJoBidbfF1
OWYrY90/uq5j0ntnLjEAKnKLzoMaQf/HmyFS6mciza/EGAUBBWKedQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6RmlSZHI5byszTkducW9l
aUk4cTY4dWhILytpb0c3SElBTnZvdTBIT3pVCkxZYUJzb09DQzNCK2QzYno1bmR4
ajFVL3V1WkdUN3MzRGxaNHRVQUVZbTQKLS0tIGU2TWdtSXBpRTB4N0t3YzR4ZVhi
NHc1Q0dmWXJLYlFpOXdJVS9NY0FuVHcKjdqOjcj9lO/cAjAR9IC8MHhWwsZLASEW
dLXvW2Uq9yemF+X/lVh5FcWdZH9/GzaRVSIF7dtJquMD7QPie9tUzg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIbGJ5aGpGWkgzYzJmR0NU
eHduWEhlQ1cycHJIaVNLV1JpNG5tNDNTT2pjCkhqdmZtYm1PR2s3WUo3UWtzZm1U
TS93ME9rTFJtUDJIbUgxMTRwS3o2cUUKLS0tIHFYWnNRUVJ0YXM3K2gyelNoN0F0
a0U1QXp0Yy9RZ1lkYVY2aEIwMmsvQ1UKUciQghqwTYohsg9a951ZqXIsftaSrUGi
BdCv5QEFLnBdayildvrL0G7vrLfCFyPjHGE8qeVxfOvz3Sli/FpXew==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHTHhDU2ZCK3EyWkdBQ3Mx
MmZzT1B5Ukt2QkhVOVorQVdnTHI3MnRwTENrClgwWXg3cHpocDAwcGJNRnJXajY4
b3QvcUZia1JZc0d2VUJnOC9Pamw1WTgKLS0tIE04dDEwVUREVkFpaGZPU3U0NHRL
cG15eUk4TDJPZ2VwYUlweEVWS09yWUEKygFWuuYw7T30P83Ds6dJo6yU5UkcTGl0
w04upLLxzCTZW141ACNS1s2ydTrs/tfFvzgmP/Hm8AoBrfBbSgVObA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiTjlaUkg2eENIakdsdzRm
eVo3MHYvSk10a054eDUyd3Z0dG9ncWlYTTBnClVSalRuRjVhc1dNTkNNdEl6OUJv
QVBabTN4U1VURyt5UXJPZ2pOQmtwRTQKLS0tIFQyY3pDTmpZdkoyR0xRaUpMNUxN
dmZOT0VNNW1JOHpjVG9LNVQ1NVJVcUUKUispQJXiy+R0L2K1HbqtURYY5ExV7Abk
5dIVkjf6kMQ2czMDh+MrD7MFdaVOgepFWHLTkkVjECJF4+l6yi66LA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1w3jtd4lecn2ng8qxantw33qxl2uasfqfjfpx45u6uweexwtxyq4spwssmh
- recipient: age1jpeh4s553taxkyxhzlshzqjfrtvmmp5lw0hmpgn3mdnmgzku332qe082dl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4MHl6N2pPdUMzUzV6YVY3
TzB4UmRFc3hmSk1MQURUakZReExZMVZLd1VFCmN6MWxHVFFJcEgvdFFYZ2lsRllD
Rkd4ZjVMdXlmYll1cXVWdS9SRXNWZ1kKLS0tIGxodVM3Q3c3K1p0UVBLa2Vpc3FP
ZXZscmZZN0VRdlVqdnlSWkx4WHMzOHMKbixVd4tn+cmwDp0Fw2/05Q+k0VxLqeqn
E7PSrCkdxnW5x8fJO9JUKsXeisif2AqCNOXQTuH5PXN43QWEsfKdng==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2eWh3L2dGL0ZRRHZkVGdS
M211TlNCOVdQT1llVHY0Rmh0bmg5MFM5YmxBCk56dDBUS1Y1VTgzdU9TWnVNdVR2
a2pWcll2KysxTlJhQy9CQU4wamNGZ1UKLS0tIDREdFJSaUdWQXp4TyswNExjR3ZW
UUF6dU84WGFTZ0NHTW5tV1hWWkNyZ28KVr7eWZsce+ROlH/8E4NmflUXhMHG+fBa
WWH1opJP/0nQDCzTXkoZXcsyepGetORIJT96ObBuVIcJi04wD5EIqw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-11T11:56:37Z"
mac: ENC[AES256_GCM,data:9HRLNEt7he7qoSTHCi0wAHkuzLoAg0JOFbr4syvomYy5TAIH1PzVgX9AUrZCz90pUBQdHx+JDbnsfjP3EcVNwxdABHAlF6GzA1RsfVne4nRr2W9rFeQtREGPuNH8imTMitxEo2C+42tnLr4oYneawNZ2EHrBKlQRhIcxQCylQWg=,iv:kmnE66eFBI7ggNYfknktB06tVwn82y/9Y4NGrUqpAMQ=,tag:8U1IiM0ofEnRHSy6Zz6W5g==,type:str]
lastmodified: "2024-04-15T06:36:15Z"
mac: ENC[AES256_GCM,data:XWR5HjvPG/G/ASK3vhxdUfD91v85sHQ1kpE3lXAV/PHKADckqYl8q93RQ3Q6/AUy+/10sxLxqud6z/NCa53LiPn5fHET7F6RVsVRUSNnhsUGHX9+Vu4dy3SHEmKM0S08lisJ7rj8/BBi6sC14mlPJMIpQaQs9lRKW2GQKdMD6Ts=,iv:Ui+2dNDKR8VPkkFs6FF6u3fJwbJJqBl3AoCXhtQqrKc=,tag:XP3nYa3fArpkwkkkhddaVQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1
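Review bot: The last recipient entry lists two age keys (`age1w3jtd…` and `age1jpeh4…`) above a single `enc` block, which suggests one recipient was swapped for the other and the file re-encrypted; `lastmodified` and the `env` ciphertext change with it. Re-encrypting does not withdraw access from the dropped key, because the earlier ciphertext stays in git history and that key can still decrypt it. If the key was retired because its host or key material is no longer trusted, the credentials behind `services.lidarr.env` need rotating at their source as well. The commit description would be the place to record whether that was done. The prowlarr, radarr and readarr secrets files below show the same recipient change.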


@ -11,7 +11,8 @@ let
group = "568"; #string
port = 9696; #int
cfg = config.mySystem.services.${app};
persistentFolder = "${config.mySystem.persistentFolder}/${app}";
appFolder = "containers/${app}";
persistentFolder = "${config.mySystem.persistentFolder}/${appFolder}";
in
{
options.mySystem.services.${app} =
@ -47,7 +48,6 @@ in
};
environmentFiles = [ config.sops.secrets."services/${app}/env".path ];
volumes = [
"${persistentFolder}:/config:rw"
"${persistentFolder}:/config:rw"
"/etc/localtime:/etc/localtime:ro"
];
@ -83,5 +83,13 @@ in
conditions = [ "[CONNECTED] == true" "[STATUS] == 200" "[RESPONSE_TIME] < 50" ];
}];
services.restic.backups = config.lib.mySystem.mkRestic
{
inherit app user;
excludePaths = [ "Backups" ];
paths = [ appFolder ];
inherit appFolder;
};
};
}


@ -1,6 +1,6 @@
services:
prowlarr:
env: ENC[AES256_GCM,data:tosSq3uaBG3aWTf2HjIbYDwwgi4HcbRjZ+yU5udmgueraBcdgGkbzftziFOXaMJAsXQTuWl1xBRMYf7/oLKQFpS6ZsqyV8jpCOY4aDCb9g7AiNmBiqzYEoCNhorARX2o0CHDwUruU5TxSanx/ahT3GVU,iv:VY9n7WgNHyQDUfhgcjcx50w/5dJSdh94WPhnjHumCT8=,tag:JRArtemWaxiEweBS4MQpDw==,type:str]
env: ENC[AES256_GCM,data:98zXlyIkwXpOJOlk6UQ2udfdRqD0nJXOC8eAfyaUyoPDokV4x0wcqGanYdSZ/GihqwQNBzH3phdlgQO+sgGqXF9reSLXGJ4UOd79P3iUZxTO5+ZWYTm27hDCH4JQH6z6UQfVlM9HaPRoOHfX+mSrg0NQ,iv:PjcmrgnFkxpJtAA71YBBM3PvRlMYeWJVlNvzvfJ5TwY=,tag:cPrQk6I/Bp0miTs6JiUwjg==,type:str]
sops:
kms: []
gcp_kms: []
@ -10,59 +10,59 @@ sops:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0WVRlOGV6QVdtYXRxenN4
dmI2LzVYNEZSdnBDWmdYbXlJcVQzdlYrQ0ZrCmRiUlZnVXdLOTZXNEV6ODdQM1p3
dWxCL2VhdjcrSHdwT3kvbWR3cHVaSE0KLS0tIDdEbzY3TmFJSWJKSmtaZ3dzc2dL
TG5sU29veFBObjZackhtcE5WczI5eDgKpUFMN37YWaUbpu6kuNr25CkJvI3O1CNe
jmcJQOW5QwSbIZbmk6U3TvELBvz766RlK66heE5KGx10Li9AJBXaEA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQZjJJSERkeEdZWkdnZC95
cVVXbVdDQitMY3NhcnAxZld3cko4d0lySVFrCmtjRWlIVlBqeGNhZ212MWxmQ0hJ
eHdnQ2dUSmt1R1ZvamhDd1ZPWHpvTTQKLS0tIFdzeGtJWjVDRkF3R3haVGttR1FY
VEtHLzNkRm1IZ1J6Y2VHZGRxbWlwOEEKdEMchAgVHqO/TBc5b9QDU/pdltFlp3oM
Kqi7HkJVwfbTDk5a1SIzkdwLiGylv1d31qBDczqcJIv+V+4zbPqWng==
-----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4SkYxd3RRcHJlTE9Sb2Ry
VXJtVDB1RTN3ZnNPV05FQ2RCSTZPT0xUdWtzCmRaMWhsVjBFNTlZcGtpWi91RDM4
dlZIcDl4NVFUOElPY293aUg5NE1BaVUKLS0tIDlnMGhkdXV3S1dMS1F3NDBha05K
QStGQlgvT2JuZzk1eFQ1MEhRd2RCUWsKJ4Rbbye9WKsMfmsFSrzKp4EsCc46/CQB
X6AqxkIi/fvwy9ZWrqDzLZn2iq4O2Zt8g6wEYaUDudxEWlR1C4JGcQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3ZS8yMDBmRjA3WGJOazBy
SkJYdlo5emtFblZibTB4bHUyeFhvSXF0bEJVCm5nZ09aODlKU0FsbDlyaTBDSW00
TVA3ZExUQ2RtSmtRak13SkhmM1VxTDAKLS0tIE5OU05oaCtkUjZRUFJwaEJmNjhO
UlBQZC96S2xJMkhpUjhXRE1IaU9aNk0K3/OwLltfYQ4hmfIIMhgDLt3r+CKSpmhV
BZZFNRdoABwVa9jaVXB+5+r58Va8OPQnUmwZKP8HLj4Wp5ZXCJcjoA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVVzFFRkExbkw2c3JqVHcy
ZUl0azlTeC9JTkNMdGdPamVVbVZBZ2tOcHdZClpQcVdISUlEcUE1UEtrVlpISlNx
RytnSEFua2h1Yy9rRkFxNkJldHBDNm8KLS0tIENKcE9vZHJUek5jdkUrSmVDSzlF
M05MN2RQajhPR1oyaTM2YWRLWm1LcmsK3m970XSRhwIbMaSjd2OnH7Wm+qVkI0qA
5HhJ0EsGCQIDVrSFCnCV85mcgUlglCnRaSu0tWL7lH/qIvzNOG1YUQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsNU10S21Vd2R3SjZCUzdr
aUMrWEE0TjZWOVFmRW5JZEMxRHNUTlRiVW5jCkxUVENsZHcxSnRQR0d3dE9IZVA0
OHR0T2tSOVJ0VGZqcUtHamR4UHNCRjAKLS0tIHhXRDBydlkwN1grTVRlSCs4VG9L
ZkJycWRkcUJMd1RINVRldVBZa1RzNlEKhu9+VjthTHOFzxw0GmdG7ZFgIxlYd5qI
6ZyU1bZbISBwBGhfqbe27Pd5HazXP+7Q22Zanxjj+EJgy5jAmxRK3A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0WFVmWXgyZGpseXVIK2FV
bTZuSFdXTUNET290UGRDZ2d2OWZ1WGZXeFM4CnRNNHc5eWtSWnNvMHBEMnBXTll4
NDhrL1NrNFRXR0dlYXdYWjliaVVsVkEKLS0tIE5yUVE1dFQ2bzBSYnZiNzRmNjk5
ZmNrNjJFWDVYT0M5Nms4aFAzd3E0SUUKL5cKrLsmk9zZGCmPhlo9LTH+dZicq2GQ
/lcvE5Zr7H9QfaAfXIjgc4g5DLvCbxq0tQxzbUdg0mtCuhIUXpTSsg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwTXVxVXBQQjdVQmNIZkZX
QXBKTWs0Yk5lOXlMUXVYakdBQytmK1RSVUNBCldyUVFWd3Rmd0h3N0x4MkZTOFdZ
NVoydjdPQk4zeXJaMmc3RFF0bHhlZ28KLS0tIDdDVmIvTDhka0FxaHRGRy9JSml6
WmZWWEZHQkNQdVhzRzRpNUdDaTVJb3MKtCN8iYEBaCCLFuJ88tKQ9Iq4ayO0P5th
2/D+LnpOXYu2JV/LWmB+5t42gwGhW7PSK05pfhD4WR+KnFs8OA0X8g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwbnMrS3FZUWsrOFNhU3R2
bGtnMjVzRXpxWVRUb2NqQm9YRlJPS0hyY1hzCjc5Vk5iMXZNcFpZdWxMM21qNmI0
UzhWSTYyZ1BuOVdjQVFBUU9BNCtrQnMKLS0tIGtFdFlObDdYSkRpUkdTaS93eGM5
eUJldE5jRURQUmM5Ykd2eXJXbExxdDgKQUOwrK0wbhqXMTEtV4FUMZdHsXaXf8kT
lzhAovOKimF2Q47Zr58QFnJTAk7HBGoZ4sBEAa9dfvG6jRg4B3NVkQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNaTBtUmxocEYvWGlQeVBM
NXl3NUtkUDF6RWozVWxuK2ZNNGdPYVQzN2pRCnZobXJucVpINFhqY2o5dUNCampn
TWxVTkpZS250TEpLbXR5YVo1bFhwSTQKLS0tIEw1eU1TMzRqQUYybXBjTStuSDM5
MkoyV3c0T2lCa1lYcHBCQ01vVzZOajAKGT/nFwLOE0hkiI8Idvlw1qQX/D7+QaWc
LngqAaUYv2AYT09Vi2u+hUs6RUhpCyY9VPQzO1Lo8jClHbnfw3YG/w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1w3jtd4lecn2ng8qxantw33qxl2uasfqfjfpx45u6uweexwtxyq4spwssmh
- recipient: age1jpeh4s553taxkyxhzlshzqjfrtvmmp5lw0hmpgn3mdnmgzku332qe082dl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1M2FqSkpKZkZ1QW9UYXNQ
enVIdzlldXVJZXVWdVRmMEpkWHpVOHlObURZCk9xTWh5MVl5UjJxZnplMC9lN1Qw
cDJ3ZDBsWWN2R2xWR09NU3VFT3hueUUKLS0tIHhmMGNBWkRZNGQ1TitIbG1ZVFJF
ZXFacDJYeUdjbUk2QjhuWVV1dEpNdk0KU+zEg4KPciFx+H8/W2ajrlLPHL+WX2fL
q0ULbEBieZ0SrCqrnRl/XR1ZxKi5RlJJKKIIfOjEDryy6AtlEU+3SQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKbXY0by9od3dkQnNrZFBa
YnpodTVJa2lhUk1aL3cyOWlSTkprbmZDMWdJCmtqNDNLWlhxb1FoZkh6ZHJ4cjdC
VjRuYmh2NUxscE81MCtyaUF5bzk4eWsKLS0tIHV2L1NETzJ3NE9JVklFYUhXNk1y
bnJSYks3QnJtZXdTdUtLN1Mxais2b1kKYEJqbgsYOqG35XbQXvgSwNLtDhsXEC5r
k+kriZXxD4bsYfH9HcoYouP3/JMmHjmE411bF5I7lVzPH0T393g+dw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-11T11:56:37Z"
mac: ENC[AES256_GCM,data:m3pQR6lC0DzLOi6ZFK9DPWfjKnROPcFXdlukUP7f/udjLhqWeZSl9HDs7d+xS+o/MdSeoV7BnMs6NcMhzXHz5//AB1pG0eNxxO0mALZKRqjEcs4ZRrnTeYb7TPOVLpGh+nDCe+RzJ81xqM2cDXC+ajZlnJpZ5XLalxGBu/vXupg=,iv:ZW2yiNKrm2TwZVqhR6vtAuc0/Dy2mPSN8z6ey8dcpJ4=,tag:DzxtOSRMUP5LDMEvJavy0w==,type:str]
lastmodified: "2024-04-15T06:36:15Z"
mac: ENC[AES256_GCM,data:UYgyJHY5dPoJlFocTPkTYkUC0C42NIZIiii5+EXDUx4man5CAxkohqrLaqdo4SjAZKz1oTdUnNUeerJDdbdb+X11lsfEtOilmD8/MyBA1+pQd6V7FfXCaXnkves4utiNxDiZYdr3ymm/zMrr5GQxI7cPrl98xufbYpxn8DG7jqs=,iv:eKLL0lzUi9YHGoSwQj5/qD/PlJSGxoyy2XCsxTezq0s=,tag:TZ+cLrLqCvPLyEmOS14bXQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -11,7 +11,8 @@ let
group = "568"; #string
port = 7878; #int
cfg = config.mySystem.services.${app};
persistentFolder = "${config.mySystem.persistentFolder}/${app}";
appFolder = "containers/${app}";
persistentFolder = "${config.mySystem.persistentFolder}/${appFolder}";
in
{
options.mySystem.services.${app} =
@ -84,5 +85,14 @@ in
conditions = [ "[CONNECTED] == true" "[STATUS] == 200" "[RESPONSE_TIME] < 50" ];
}];
services.restic.backups = config.lib.mySystem.mkRestic
{
inherit app user;
excludePaths = [ "Backups" ];
paths = [ appFolder ];
inherit appFolder;
};
};
}


@ -1,6 +1,6 @@
services:
radarr:
env: ENC[AES256_GCM,data:xNR1zU9Il+jeL2uuKtiMxQV3IHDZ6uAAOnP8/odiQIlysPpcKMrP23z6iKSeUgLha+WtYYk61FmtR9gr5QcLl6WK1EWcyVfiw7ndbZgczWUr1irGCNAGGbKcyqoohUFg9aPcOUBz4MQOpdPK9gc4Uk2QAAB63HxcZxfLDQCHc9M/U6Tm8Mu81x0DtFa6gzAGeAPjeydofrY8/ZnMIkAIVxuCKOw9N6pFSCeF6YS4YsGGC0pcXSyRelnF30SuJewLm1NmE6ub0e7+FW+0Y5nO,iv:XzoK7NaQjmi/8smaJTyWLAoUENVG4DRkYL12Bb09AT8=,tag:jFAHyoSjrp1CBSG0SDlADA==,type:str]
env: ENC[AES256_GCM,data:m2JW9nylMHJTMHCJgdPIDhCDdx2u9f1kpK7dhFQLdvchS3PHZt2rT3Z9quxRpbxsnA4eaxi9regl62BlBaPCIyoFzMtUdorHfdu+LCkkzDZ/Sa4giyzjQd6XBB+Mme+RMGT6GqKWCGMB6mSxcKdeZ75TmNBtY1psLjko5zntgK4X57+99ThQ5kozYWkmxSuASYA7yH9nr+ds/3ZCGyzYrpJ9Lo+FTrrccZUpJoOU+2NjnvWy2bobDXaPwY60DGpuktP4ZnINiUWVXt1W/ePK,iv:wRxtvBSEW9Mt+pr9Vm+3Bng2gYsTYJ013OCNGbSC0WI=,tag:Q97JtwOFV1zJE93UMMChnQ==,type:str]
sops:
kms: []
gcp_kms: []
@ -10,59 +10,59 @@ sops:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzSkhzTTg5MTgxMS9pbm1q
cTdERTJwU281YXF0N0NQNmIwMWw3T05ZMHpnCmttbmcwdjEzNVVXZGN3WXNwcll2
bUxmRlhIbnJ4aDNFM3Y0ekVReFNuTWcKLS0tIEdCSDI4MzY2b3d0M055d2lMN0kw
NzEwbkJTd0d1WWxvUHFNUTNiMVVhSDQKvq54ESh7DU/VGOu4Oe9D1esq+mbVOeKy
7xcX7vU4cI1dqMBRciigwfV/45Aq/fhcZWDY+gv77claD18BgjXZjw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIb1dPSlEzYVplNTlJVC9K
RnRJbC9NdkdlUGQrWU5jT3dDV1o5WUVKclNrClBBU1V3ZjNxKzdmYlBxSFJSYUwy
OVRYSkw3a2dUU1VZMGxzczFnZm1MaHcKLS0tIFp3ZE1UWlNocmk3MGYxOE80NW1h
Y3Z6WVNuQ0k0NGNnaHp1K25Jakd0NzAK5Pqg0fy+VcFkw2vabhx6I5qBuCDM8Ws1
z26fKKzz08w2HdMuyhewsopEDeDtpHutrZ0OFbrxLEGlMyf9UnLxsg==
-----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsamdmNnpaTjdUdklxNlhm
U3BEVVJJZWxlQ0hUQlAxVmV6MnNUaWpaTVhVCk5PL24vcUsxeVM2aGtxZ3JlN2VN
STF5VW5aeTRrbHFGNDFXeGE5akx6LzAKLS0tIGRzbXVvTUs5ak0zd0Ewd2JYM21u
cjFRTjFVNzFyZzI1Ti9kK1E1U01zcTQK7a5HVOPOQ6dEjjc6fLIiR0gPBQp2sl65
bZnjLPl4OW1C1vQisk2c+jw8setNdtHZ1cNEX/Tpp5jMRvG6wfFdDQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0TUpYWXlVZjdkOHpLM21y
a0FYR2FtMDUrN3RJaGhnMnRQOGtVNWRyc1JNCjZLdTk5UXppM09iNWg0VVRUL0FQ
MXhiNUUxUDU4ZkV1L1BtR0ExL0xQdzgKLS0tIGdqZHdxYTd5MU9BanN0MjBjUGhs
MTdiUjhqWllKTzhIQkhUME9FdVVTSjgKYi/+umfok2OFHjwirp7ANhfPxPpkmxbs
QgtZLs8ImWxStbc6V1/iq2kgRZMBqzynVLqejTO/SOUyFG+amgeBPg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTU0JWZlV0WnptcWk0V2tW
RGp4NXU0TlVrcThnY1ovcnFCT0tFYk5qWVI4CmxPWVdNd2pjNndKQzlpVjdzRndU
VC9GRFkxK1dZakc4VWJTK3dhNFI1dWsKLS0tIEVKQkxmK3BCcVlCTExxaytWc3p4
ZWJWaWlQUE5panE2UExRdk5VTXFLVTQK7b+YCdLJfBuDGjdTT3+jBrt/UtLgqopl
Eyu8qA1vcANG/nHyWNIsv9ogXXPns5tx/EjHoDWFtmK+xYb35elahQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2c1lYZjY1d09rSUo4MEJH
VkRkRFpkaktZS3M3dTlQb0E0MGtDeXNEZm1jClpPWGd5YTFwMnhSZ2VhSnBqZGV5
UXFHeFY0czN5QUdMa3J6ckdFUEdvUkEKLS0tIGFIU2o4S3V2K0tpZXZETW5TQjQz
dCtNVmsrUnBlSDhyendNOXV4bkQ2SmMKvVIv5IPoNVVS2BoJ5SnQ0tQcIxIuu35d
knE5yHkNnwUWcIuMAqPempkqcQRomBKnEPcQFnt6mAeJ0cAWqtcShg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYT2ljZ0l4ZXNKQnNvcExW
dWxnaURiTWx4Ykt6M0VueVRLREh0NEkrR3k4ClYxR3F3a3hDazV6ZWpYZ3lZUmJY
OFZBeFc0YXBvWUU4TVBPWjR3WDM4NTgKLS0tIFJUTzNmZXBPbFhZZG10cWNQK2pW
ZVBpZmFMeGswNUVOa1k1WVdmeFdrVW8KXjm74fFrEhWTP81MVpGxT8DOPGdfldFV
6AmRLlon/j4LFfhHEa+mMQyRBQ4Yf3ddA1ZGkMENpmYaZANEMK27VQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkNDkyQmRrZHYyVm1wNDFH
NmFaZXV4enNsS1RqQ0xnbVZPREF6cjdNdVdvCk5Nc3JrRklncTBIT2h1eGdrQnlK
ZFpaMlc0ZWJtQWFYSXVubzQ0MkFZdEEKLS0tIE1MS0Z1TnBpWDN5V0FydFZidi9G
T3o2UkxtckIzL0EwNHZjNGtGejRHdDQK/fGgZJNiuDrJjQJ4AgQ0NZ1xtfiMqDjo
Ip1tNE54juYI6BB+JxRcN38fsT5dbtrzf9iYCREDg83sLA3lyJsZsw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtMzViTnhNSVpuNGRQUmZI
ZmVicEIzb3VEYU12K1JFWC9lTlh2NzEyVUZjCk9qQUFmSm5od1pKQ1hOMEZ1dzV5
U1BxcDB2RjFndTBKV1BxWWRqbHZYVjAKLS0tIE0rMDJuMWFzQzRUL3Q5aHB3WDI4
b1JJOFNxYVBPdHc5Q0FvYTBYdG1pQ2MKClJdJIeOlCsZbV5crlNWb0ibIRo4jgb1
x2qfjH4kcyyxueYaYQmVAsJwus+mF5DphQH6GLyEBWhecWU7hd13+A==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5VElqNEJYSFo1a1k0aUlt
Znc1TnVZa2JTdDhlTmtOeGRBKzlPckdITVJrCkwyRUhwSkZsMzlmK3RwUlUwcFZa
cjcvTGd0K29KaVNMNFJUenh5OVBoL3cKLS0tIFlvb281dmpHQyt2dVM2OW52dVVP
SjU3bkwxQWZ3UVRvenllbFJDUkNWQlUKmucLPz3oNUNXceZqDvxY1bj0/tctf9Lh
yjMu1Cgeq7W5EPHyiT3IUXEc6utx6P+AtBIrtz1zSAVt8tiJP9JpJg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1w3jtd4lecn2ng8qxantw33qxl2uasfqfjfpx45u6uweexwtxyq4spwssmh
- recipient: age1jpeh4s553taxkyxhzlshzqjfrtvmmp5lw0hmpgn3mdnmgzku332qe082dl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1Z2ttbFphWEJOZGlXbTAx
ejAvSW5RQ0ZtZnY2R3hZcFQ1dEpZVjlabFZrCnVCZzMzSlpJcmhLVUNaRXdZUDRq
OEhqbkRxT1lvN3l3K0VuZ01aeEZBTGsKLS0tIEszd0ZjbGxJc3BJYVdIeDVCSnFC
S1lZN3NiQlZYclVQeHBheFpnS0dHNlkKnm38ebqxyazFs2f3R+Z9JxBDi05fMmgL
7zt4SrK5puEz6Tps+Uzxc3tIw72s3IKjiolJ5NTLggVDxJC5RTHK6w==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSU2pKYjdjMGQ4MGIwYW9S
RTZQZzVFMVZXUlNVeUF3b0tyWDNDd3FWUlg0Cm80VVA1bEJoYURyTkx5QXJhWmZV
TWRlbktpZHNHaVBnRVRMcGtOOXpIaTgKLS0tIGFjZzlPSGFIdzRTL3VxblpDeU53
NHJhbjFLUStTY2JtNnNWOGNiU2hia28Kd2NSudZf8zK6Mp/Ex03vynqwCRB/9oNb
1vdM4crUH41v9MooO2B3RfqO91TCqlH5abVSqwwJBEfP33Y7jX2y8Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-11T11:56:37Z"
mac: ENC[AES256_GCM,data:eBU8ATyScttrDfc8M17qCGrNVNxpfnW+u2f3JTiuKl79+KgVLF958K7BUiYGZ3J+BrmWHsV8YeAso6hjHS/3JLJJyRGlMeQ+ywJxglnj87TKVitqRMk0Kx+BVE24SjGxJ97/IsDUhBmLVxphv49aeiaHtPAPQ97+OfFKwFOaHwQ=,iv:0KvN1Xc25QQd9/v7apuM22Dyr5VRCwiP7eRTPi6Jrcs=,tag:lyiiNPo/Y9+RWiBzV3RmMg==,type:str]
lastmodified: "2024-04-15T06:36:15Z"
mac: ENC[AES256_GCM,data:g8XzK09/2IOwMK8h8Dh0trroyeSPXmTuPa+e4CQmHtnjYjwcX0/Pn88BS24vo2WV384ASu2OcCFBtqPfmyTQZKmnq2q6J+wZ0TkKzY8bOOhoOY7Gz3x8RFAeolw9+FGwPNj24fVl5HnxjR/+df4WrzAb8W0HmBR3B1nWJWQhm7E=,iv:ubXMRgIqgP3kOjWpf/OzhdUBTLd9lc2R0B/UmW0Gq2s=,tag:tCGq+2xdWbA0YnJG/rkT9g==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -11,7 +11,8 @@ let
group = "568"; #string
port = 8787; #int
cfg = config.mySystem.services.${app};
persistentFolder = "${config.mySystem.persistentFolder}/${app}";
appFolder = "containers/${app}";
persistentFolder = "${config.mySystem.persistentFolder}/${appFolder}";
in
{
options.mySystem.services.${app} =
@ -83,5 +84,13 @@ in
conditions = [ "[CONNECTED] == true" "[STATUS] == 200" "[RESPONSE_TIME] < 50" ];
}];
services.restic.backups = config.lib.mySystem.mkRestic
{
inherit app user;
excludePaths = [ "Backups" ];
paths = [ appFolder ];
inherit appFolder;
};
};
}


@ -1,6 +1,6 @@
services:
readarr:
env: ENC[AES256_GCM,data:YrtC84SDPVC/pWrKeg1kmA5T3QKOqxt+y9x0rnYC0pErta9v8xGU+pgC1jVZfqh4Dp81tRohhmQBMC9KZz4bmmn/5YsAHAB8Y4xJSwm/kZ3LNjVRuZ+PmvEh2ggfwvs2nFDRbMx/TLETbSZ9t6NGtg==,iv:ZwvHaREcEkFSXyL+VBDFFKgZZwg7+utMs8qZex7pzHU=,tag:+3GdLnxxo63XxvMQ3UwK+A==,type:str]
env: ENC[AES256_GCM,data:2S5NsdywH+nAEAghKp6AsTw6FDpxk2gC9lW6KK1OQXqMID7ERW8LlyCRuIBMFQSXllSNSKHb7Q8QM8rZDv9KNshnIXZjuI3iuecNOmDh3fkF6psUnWhO3vxiK/ssyZfAiQQCKxrGb/8U0eZkXSZYTg==,iv:I4aTJ4lGeht6d/j3lDpMA1RddjbqXxxjfX03pJaTQ9s=,tag:XayNGtD7rxeXI33Q+rOQBQ==,type:str]
sops:
kms: []
gcp_kms: []
@ -10,59 +10,59 @@ sops:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTd1pGYXZCeG9RTm9pTmhC
dVc4MHYvZE9leHF3L1JwS3ZwVXRaY1VZOEE4CmVVeW04TWRNVXFFbmNFMkZvMEEv
ZUdLUmZjSXppeG9zT2xjWGlMVTVISlkKLS0tIDh3YXk2MzQyMnozbkdXQmx0NmpZ
ZTlicGQ3WlhkTk81dHlhUUhNNGl2bEUKziPthUL3m69WSsKwAblDeQff3kyoUOp6
3e8h1C/+rAx7LZIlQaMvBKFy2IiAb2bb47tb7L3k3BLx38FP2g7a2g==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGNEdEeXpIZWFUdEpHc3JJ
QW4vYkFocTdHaGt2T2czTWdUVXQvUllKQXg0CmZtYitxQkJ6ZVRZS0tVRktiRVJ1
Q0lEZmpIQ1JqSEhRNnRzVjdnY1NxbU0KLS0tIHVCSllmTDlKdnZvdlVtdnRNVVVE
REJkb0kyNUhoZFlCbmJScExLTjhOK28KiRaZJRnHkMiX/3m3gvLq7it02sGP2ToF
6p1dKNXRbDNplTbU3juOGbX1rpqyWD/St1L3EsZCSGomAa8tixM29g==
-----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiZUoyeTFycXZuZTJnblJY
cDNxUk5YWWVMRHlHUXZPYmdVUmNvS0tadlN3CmlFbjNuU2t3OENySmNqenlLSnlD
ZnRNZnJnN052eHJUNzYwbG5SWTZTWU0KLS0tIFd2bk54RWV4TzVheXRyekpreElR
YmVoVVM1T1Zwb0hOVzVpemwvOTY2WE0KjfJ8ertgqaFEEN6lgWNOVTv2UdL2/+uD
5W68LANkIHbVNuY6IFE6HEeBUww7BfshW/D3NjJ9/GHMdVyO0MFs3A==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXWjkwcFBUOWtTRUtWMVdj
Smc1K0RidTM2UGJUcFlrSzkxcHFydVVjSGhzCmQ3Szh0bFcydDJtRHU5N1RIUUxk
aVpRYXpKaUpMd2tVZ0hpRlRxKy9uWjAKLS0tIFkwaGJibzFnQ1kyTzA1UUtsNnVn
emJlK3hRcTlzd2MyZVF1Q3gzdEJ5OFEKuykXtBmmPoGCg9mN+LjQH+NNBybxVA06
knurupbZSa0Ha4aKqtqt0vK/5PeEchVx8AddN0PwRKdKT1djUXJgzQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0dTFNSUVQRmpaL1FrSFkr
cXQzRFAvcUNsSUIyT2piZHJyR25hMTYwQ3hnCjdFbjFvNlBFSkVzMXdJd2U5ZE1s
U2srMktJSnVVQjVDZnpFYUtKL2QwR3MKLS0tIEd5eUlJbnB6NmJvcXh2ODY5cGhk
VlBldU5pRXdiK0NwYWtPOThOYllyQmsK/onUlwfcxSA1uj7UeO0Al5SDrOnlnY+q
A/8BRBjvc4NZbmQRqQFL1jAbnjWGKkr8nga68+Po41o5HGK7bQLjLA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5b2k5aDJQUVduWWQxbDgv
VFlBZHlwcGlBYWtxQUQvYnJ1dGlpMVdpbmcwCm1EajJYY2pKTGlMWit5NGNSZTdn
QWFkMFFXYmQ1ZDBqaUlEdTlKeEdETDAKLS0tIGlieEUxem1uUk16eGRWdGNPUjdL
YzQzd0xHWjFYZ1Nob3JaZit2azIyaTQKDUVGD5YuNMJFjvYv7vnI6fDrqoYCbR1L
14Eqrh7mpA/GKUh7JepVZBshaGtbWe+QzBvrV3d2l8gd4PouRUH+9w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2d3V1RUVjNTRzUm1scTAx
aE81TUtFZkJxK1kvelY5UzFDdm4yY3RDNVRJCmNnZmpyWkNMZXNUNlZNenFtVzAz
b0tSVnBmMEhzQ1ZCeVFlZE45aFpsVHcKLS0tIDBLYXBrblpwUDZHdXBkU05WeUM0
S0R5dWM1Z21vVDdYZTVPdzZybGdKNDQKKMGfvicyhJLtRljF8+2aN7B05lOQdVue
9fbkdQqmyjlDBzgcpXlWYEiFXAGQw47QursiRgi5IWNrPIYUsNUGVg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzRm9UUktLSGhxN0NqK0Ru
aE9JS3N3Smd6NWhGdWZ1eXlmWTJiUDlqcXlzCnhnTUVseDNWcWg1M0twdjcvVmJ4
RmNBWmdneFpwVFFScDFHSHJXV1VrRncKLS0tIFd0eUhJWVVkZ1pPRC9HTlhSdnV0
Y2VPSElSY1B1K1dHUEF0WEtNK25CWEEKGVdXV7E/O/Hf0nqWGkGvsOYIenKQlpuu
Szi5QozDnAzUxuvGi/PASYghbDPRi74yTCwPPVyZAaHWIN4HZuyJxA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnazdub1l5SHZrakNJem1Y
R2Y4dUdLYUNYekZUaTF6UGp0NThSRStRdEM0CmtZajZkaURXSXdwQ0xyYVBxMGox
Wm8reDU0SklpQVlwN0FVUWphUU41Rm8KLS0tIEFvem1QckhSLzdZUzFYU1lkeU52
bHEvamFnRm1hQzhWVzc2NlpMdDZjamsKHw2l5wMqtMHgOlDa40+3RWMrFrC1I23i
rXFmm5x6BR1xfHFfor5rJK2CrIEhgWoRLSqcj4CN2lv1CQ9Q3CZchw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiRmFKS1d5Z0RQRHdZVE1i
T1dYVC9pS05Lb0MweFJtNlBLZGhyVnF4MjBjCnZWUFA5b1hueG1hUGtHUlVXUUhj
VWxGdXdjSHhHajFEN2lPaHRnRWxnRmMKLS0tIGs1MG8xRWxXdXBDNHV6b3dXcVQz
Nk13K3hiemcwYnBHMmQxTS9WZUhVNmcKrYVQyAtuaHdkK3xNqwRFxtkWFnKo8KuA
QZA55CVYBkM15cLRm9QqIsWBMuJ6zhhsOsuF2S4H963X3ZFzWokuBQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1w3jtd4lecn2ng8qxantw33qxl2uasfqfjfpx45u6uweexwtxyq4spwssmh
- recipient: age1jpeh4s553taxkyxhzlshzqjfrtvmmp5lw0hmpgn3mdnmgzku332qe082dl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzMWZDOTdvY3ZtVWIxYXEw
YlFwcjA2ay9ySDRuRmFuOURUQ2lOUlA5SGhRClZhY3FCZENHWkFNeDBIeEw1M21N
QS9OcmhSVzhTZmdvZG83aWZqRkZUQXMKLS0tIE04elFzaWlTYlBBNDJIcXg4b2hy
UENsWnZLZXZwUlZkOElHazM0aHJvNHMKtc3HGsZ6jmAZEapTWNGCfUmSpjpH7bIl
dClmX+63ZVOL++SrUMRh9gZJF4utXzFbwgJsh8WrVpbg1SNplA+tKA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkTWZuUlNQRDIvZDhIM2lp
RE41TVFucWRORmVCbmFVaDEyWmFDZUZkTGhNClBHeW9ZS0RhaklzWGZwNUtoejc4
bmZPSk1tcFRvamxqQ2xkc1pRSTFJS1UKLS0tIEkvcHVIMzg5d1ZVZ3JkcktSMGdz
bGVQdHNlS29jaFZ2OUo1Tkg3Z0RGM2MK6eCZ4J9XK/9Y5IO1pkgcaczI1Rp4ahA6
xqU29l0Mprpkc5cahylNET3+zXm6mHdd7kPCfxgR8SOFfywfC+XOPQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-11T11:56:37Z"
mac: ENC[AES256_GCM,data:etgC8IZtH6YGGhbDoGK3tKjbrtIyu9mYwXRMDygCVK0uJfrktW8I7OJwKa2PAHLDzG6ffIQRJdgDNFIgVobK5hFx2MgY1mR4dwopmClovBD6H2OvXT8IdzVjAUW5xJY7rk9L9tmeackKp+sWnAxlfVtZ8rWl+i5vBYxm08UrHv4=,iv:ITUc8sDSyP/uYUSyC+B4pEjlxJ7gheTk2Wk7ibmuIyw=,tag:khG/fPxlCl/ru68iBAZntA==,type:str]
lastmodified: "2024-04-15T06:36:15Z"
mac: ENC[AES256_GCM,data:/aLPFReAY8RhctcbZyH+AJ5JCWS8p4Rqy2b4lC+Y2pd/fRDd4NFlO/KkzCcW0olxRcVsO5VDnycrgu7USLdJ14MxB7/sH1ZlGfeFxDnLW/PL+gA6y6FnKPJ1f/MtfuM8ZKajvLpcEQL81riAlimmhYbhD5XyM4zCGfNPhKIwwEM=,iv:I72VZN/3aPXEiq+xSUoV658a0gvlBQ3/nxBklSUxz34=,tag:pleR0yUN6HZrqxxZqP+Fpw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1
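Review bot: The recipient list appears to swap `age1w3jtd4lecn2ng8qxantw33qxl2uasfqfjfpx45u6uweexwtxyq4spwssmh` for `age1jpeh4s553taxkyxhzlshzqjfrtvmmp5lw0hmpgn3mdnmgzku332qe082dl`, and re-encrypting does not revoke anything for the dropped key. The page has lost its +/- markers, so the swap is read from the two adjacent `recipient` lines that share a single `enc` block. Earlier revisions of this file remain decryptable with the dropped key from git history, so if that recipient was removed because the key or host is no longer trusted, the `env` values themselves need to be changed at the service. The same applies to the sonarr, gatus and homepage secrets files later in this commit.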


@ -11,7 +11,8 @@ let
group = "568"; #string
port = 8989; #int
cfg = config.mySystem.services.${app};
persistentFolder = "${config.mySystem.persistentFolder}/${app}";
appFolder = "containers/${app}";
persistentFolder = "${config.mySystem.persistentFolder}/${appFolder}";
containerPersistentFolder = "/config";
in
{
@ -50,7 +51,7 @@ in
};
environmentFiles = [ config.sops.secrets."services/${app}/env".path ];
volumes = [
"${persistentFolder}:${containerPersistentFolder}:rw"
"${persistentFolder}:/config:rw"
"${config.mySystem.nasFolder}/natflix:/media:rw"
"/etc/localtime:/etc/localtime:ro"
];
@ -86,5 +87,14 @@ in
conditions = [ "[CONNECTED] == true" "[STATUS] == 200" "[RESPONSE_TIME] < 50" ];
}];
services.restic.backups = config.lib.mySystem.mkRestic
{
inherit app user;
excludePaths = [ "Backups" ];
paths = [ appFolder ];
inherit appFolder;
};
};
}


@ -1,6 +1,6 @@
services:
sonarr:
env: ENC[AES256_GCM,data:oMGIe0t1e23S1W/7XbarR/fb53VB9AnUFHOl/RVy6tQxLanVgnvupexvWzwgCAHV5RTvbqm4leOw/ho/PUoCsh9HKgTNgzZnsDctoaXxnZ/r+z2uzl4VNWhpPW6WIBMHA2tkK+93972hNWrxhttmNAC/iIn7dymByWrqCIFt6BE4uQwDmetb4pgwlbPDkF/qfrZlcrAESQhJht73jk1TuRCP1oTnZFCY8O1mqiwVbdt43d/wXG+lQ0TmrPQ5LafNbnx2meL6BZbwZzMDPYEP,iv:e8+AfvHozU8V0yu0nD9foriv3ButNPuKUWJ6m2L322o=,tag:ElYdWzj5VLgWZyeLpjXGLg==,type:str]
env: ENC[AES256_GCM,data:svh3G89gV3hrWwJAWRZqf3s5dgw+m8tZRl8fJ+uWax1l2kUphmkrOCA/u0gXxw+wQGxdnUTHZj+DBCOmbtVkOavc15/xuBIlTro0H/WVolIfag+k4fYjIU0fDtEtzUnrRTtUd/lznwT16RndCxaz0iJY8/GhiahHoN+sa3T8mZZKyHNfWoXkhIK+KfaJ1OIqMvPxIK21urAE1CkHVx+q1WLu05dCj4xCrIcA2ZpqiByrKdpGPe5gleU3F5i22jKudTwUzzTF0glY3RHUCSKK,iv:1U8RH6ML5yzH85fui4URONvUyWfbiLFHUZzkUK7EUkA=,tag:JEpZ8BEI5BZuDdS5ou85Jg==,type:str]
sops:
kms: []
gcp_kms: []
@ -10,59 +10,59 @@ sops:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvWTFZWFNZTWRxMm5qRmRk
MXNmSEJnZEZSWHpBTjk5ZU1Ld3pQUGNFVGhBCk9PMWdlbm1adGE5UXo0NERqT2c3
V0ZpN2FIYzBkSEVXQ2lyUitoUkphczAKLS0tIDBsTXFBMDY5YldLLy9iaTFvbVFD
MU02RVF2dXRFcElhM3JVeFJKK2tTTWcKb2WurFhZ0ANk+iyyMVjk26Ldo25cO2cH
DMfkmK5NEy7iKrZZdNYQR8gBkO1GgQfI1Wm4JPaLc0vIBT9CXVDlLg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2ZVRYb2hIUFA4RkdMNmpk
U0xuNTFsaUJJc2tvT05SRk9rNE1IRUpEWGx3CnJaRUs5Ulk3QTFSRjBqR1RwVkll
ckwrRjA2U2pza0VFbmhFK2hOZTFVWlEKLS0tIHpxaWlPTzQ1Uy8yVnNtMFlBbHFR
Y3M0SlRuLzRnK0RtQXVLVHR3NVhGSGcKaaEbOqwxniCNGimCBi4N/BMEon0RuOBA
DOzpGCUAZubMGHodianqI9pkCof2glbuwQ/g1+W5JHGmtDWzHGmXsQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBRitPYkxWOHJ1WkFRbndv
NklNS0JZaXJEQ2ZkOG9SUzlySFR3ZFVvWUZVCnFXY1czNURBY3hINllEWVJpNXA2
RHp0VlYzN2ZlMkNnMmhPOXlPNCtpQ1kKLS0tIGg5cU5Nc2k2bEtOSmx1NmhJWVVD
dmtjSWxjN0xRYWtNbzhUQ0FNaFVpTFEKM9wSMsEYgJErzO79L6YOXfZpGnd57Xcy
jxrwzFhZ9AVVtPjGmyozYWY3uGlMzJtxDCNNRV7BbK4m+AsjtYJ9fQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiVmdSeUJ6Q3dDclRDZXk5
L283SFF1Tk1aRkg4Y2dVUXRlYlFlVldDamtvCjB3U2tGdmlOV2lBWEUreWdROXQ4
Mis4NWxRTHpOMkNhQ1B3ZzU1eG8yaGMKLS0tIFRyYnA5UjdxZlppUG5pSHFrck1i
aS81QTMwc3h1MGYrV3NBY3lGd1JnUW8KMxUqu+mNFXvj3eOuQtiMZdttzQbXhLD5
z4dUPriAfjVQRAgJTKyOR75IZNmle+XfK9g7JcDVCYX2D0tPHSOwSw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlaldmZW0zQkZkNG1sTzFp
UTRUMEtwRCsxdGZFbmdiUWdVVjNsd2F0WUJJCjFRNnBVcU1GWTQ2NGFheHkvZytC
TkgwVm4rWlN1NklIeS9YTGh1dXNQVnMKLS0tIGZ2UlNXWUM5cnVLaWxDNXdzSE1P
TTVEanZuVyt6SkE2RWRQOEprbi9mVk0Kjrh4oB+EfFVDx4CW3h3be61X+RNDrZ8O
IDNFRznHaYUM757C16GMLx3We/pAinPvDlZd1eDBj8kpHGGMjIU+Ew==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkYXVYUmZXNFpUQVY5bm1U
bW4zcmhlKzU2V1RjamVyRnFlL0tPemtjOXpZCmVLWm01UmdVYzg4VnVKbEhteXkw
Mk0zZytWYitnMWZKMmIzcGtPcFFyWUEKLS0tIExFZFFnWUdDNEIyWGViZGpaQ2pB
d1dYWXpoTzNHRW1YZDZUT2t4Sm90bHcKVcGR4gyNz1He2hDMGOVVZS1+JMxZ7cUo
9M7I6T/FkYfquK3HddV9alToppT0rl6BTwLN0z2uvVyHt/n5elh/6Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXQ29URGpEUHRJb1NzbitL
MGFFUFJLQjhxQWtoMXRIRnlkZUpmRkhERnhrCjFqNnRwc3VoZEIxZlh0UG1UaDI2
M0pFSzdLcmI1MU5NcVpRdEx0c01kaTAKLS0tIGZSRXdDZUtNRXhjbHJtSTNJRkxh
SGJOR0E5N3NkZFhuMkd5L05veUx5Ym8KEVUDZCs151SwCfDC7b9vb/xK++/TftWK
9FdCeNNEMEpTOuX8Z2Osmh003aoMpCk61VOYPBVUMrf43oSQFSb+mA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsNkRqSjgrMUk4NzZ4R1Vm
N2d6VjhGVThoVEEvSkJWOXJlbVl0eFJ4OEE0CkNETzJSVVYrd3NPcnRVUVl1TnA3
SnAxTi95d2EzZ3k1RUZ6WGRyQ252SzgKLS0tIHFZdFpYbGpNMlBSN1doY2RvOGtk
bDVhWGdOMmdaSUVmNWYwWXBMSGlWL0UKIjcUoqSJnEhsR9uE3ny2dUyxrdkELXou
Dn14l36OqUYpvVkY6hR9yMIwEX9iK/4jmkSVinTMhEzIzPOft0Lhvg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4YW83VGI5WXNhOGg4S0hF
eGk4c0o1R1ZEc2dwcjJqNFdQVEFQN2JGNmxjCmJQUkRFcmY0cWVLV3R5NzBKaGlJ
b2Z5QW5RSXlpR0g1M2gzYk80THQwSm8KLS0tIEtHc0VFTWVKSlVWV2xTLytVNWlo
blBoaFdETkw5T2R0S1RQN2RFZmgyK2MKz7PDVFyumWboD3OgPQgmPSR9dk4xQi3V
ivvJsiV6eb0rv2T9kp3Zs3Zfbj4G4o/GhBrTNka7SkqsNPV2h3c7Kw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuaHcxSHlUWWxLMkpXOFIr
bGZxME8yK3o0c3hQUnpieVd5dkN6eFJrYlZRCnJKY0VwaHpUSWFXa0MrQkZBQjgv
bGYvbTUzeFhaL2VRL0lZRUU2NldwTE0KLS0tIDRpbUFVUWU4U3JXNzlzUVhxSG5i
S21ZeWpiRlpGMDRSak1ucnlpNWNwcVEKb9d0wzgtD50XCg0BGivMBcKysgXL8kn0
VtqWRLxVDtCBRMSJzzPx/9QqPsguaWrd7VaLO5nqqlyLq8VsX8uPnQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1w3jtd4lecn2ng8qxantw33qxl2uasfqfjfpx45u6uweexwtxyq4spwssmh
- recipient: age1jpeh4s553taxkyxhzlshzqjfrtvmmp5lw0hmpgn3mdnmgzku332qe082dl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMMGxWR1Z3MmQrZWQ4aVlJ
QmVtZkwzbXRxckVDRnN4TGd6em51MXRzYmlRCkx6OVczMTBwZklXSkhxbFdHR1Bs
OVFlMTB3REY3N3pEU0FqTSt1TUp3U1kKLS0tIFFiK2dxSVd1OHVqcEdWMDNIUGZm
dDlCa1Z0Sm1Yeko0Qm00R012NzdobVEKOwMKLmb5khE1oh+Gr22UxeGrV7nDWSrC
7WJy9NFYrfZpRveRAoIDJoZsQjsGE41J5e7oRguocmmz6K1oLazxwQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWlF4RVRCTXJRTFdscVAy
SlRscnN1UllGYTFEeXdTQzQvR05wQlNESVJ3ClF3NzVWdmdMQ2d0a1c2Q01iUmlR
R0tSWVV3Wjd6UVdINXhKMkU4QWh4YWsKLS0tIHpUeW9DMzhtVjczOXR5aXgzUlB3
eVU3ZUJVazB5N0VVckhndzdhVEROVkkK9Ue4O286MnHWbqlTulIDAHymyQVXfeAU
trSdNjqs7LZniHDY4MsVSZuR48r6kkfxrfCtjNXD/PKd8sGeihHCfw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-11T11:56:37Z"
mac: ENC[AES256_GCM,data:qUGaCVWO8S6XHkm/bnwi7ICZsVdKyLHV2HF0BmuBci0qaINuP6316TB81Fsi362acXnd1kAQLWtpT6OVg4/sTQw7gXO6K6Hu4VhtpDf56MrTqvfkzbro3en24mrEtGqaPm4AE90TjbWQcgo1TVfPOuxmYBKvlEsBWB+GRwGWweI=,iv:Exqcdd0HhLG3Rb2+Wz5qhafPnJbjRPJBwTGd+iyGUag=,tag:aQzhUOz+XUIV5BYuxHViPw==,type:str]
lastmodified: "2024-04-15T06:36:15Z"
mac: ENC[AES256_GCM,data:P/8MV9dsLpg/ygzluIKwi+zBTjCRXQBuQA7R7I0qcClKIVHLTjJzI+C5YCHG4NcemT/Z+nKMsUHFqRlgxh0qBH+ZnDmjQS9qwKa8a32YDxJRcCAgbpO3xp62/ogbSKSrqx4O/qXQiKUitGv6K+UaowCQdoArob+dnE+I9m98r4M=,iv:oQXdqQ1J4pF0ZX3QD+d9Z/jQkW0+3daPYmhnXHC6Agk=,tag:8eussYTJvpMTkd1cULezhg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -11,7 +11,8 @@ let
group = "568"; #string
port = 9898; #int
cfg = config.mySystem.services.${app};
persistentFolder = "${config.mySystem.persistentFolder}/${app}";
appFolder = "containers/${app}";
persistentFolder = "${config.mySystem.persistentFolder}/${appFolder}";
in
{
options.mySystem.services.${app} =
@ -38,9 +39,9 @@ in
XDG_CACHE_HOME = "/cache";
};
volumes = [
"${persistentFolder}/config:/config:rw"
"${persistentFolder}/data:/data:rw"
"${persistentFolder}/cache:/cache:rw"
"${persistentFolder}/nixos/config:/config:rw"
"${persistentFolder}/nixos/data:/data:rw"
"${persistentFolder}/nixos/cache:/cache:rw"
"${config.mySystem.nasFolder}/backup/nixos/nixos:/repos:rw"
"/etc/localtime:/etc/localtime:ro"
];


@ -11,7 +11,8 @@ let
group = "568"; #string
port = 8080; #int
cfg = config.mySystem.services.${app};
persistentFolder = "${config.mySystem.persistentFolder}/${app}";
appFolder = "containers/${app}";
persistentFolder = "${config.mySystem.persistentFolder}/${appFolder}";
configFile = builtins.toFile "config.js" (builtins.toJSON configVar);
in


@ -11,7 +11,8 @@ let
group = "568"; #string
port = 8080; #int
cfg = config.mySystem.services.${app};
persistentFolder = "${config.mySystem.persistentFolder}/${app}";
appFolder = "containers/${app}";
persistentFolder = "${config.mySystem.persistentFolder}/${appFolder}";
containerPersistentFolder = "/config";
extraEndpoints = [
{


@ -1,6 +1,6 @@
services:
gatus:
env: ENC[AES256_GCM,data:77RkFJ6MfTxdVu2QbKHLvIRHxB18oUKJ/Jq0bxHKCAZkbQ0DqJ+npjTchX9aAHp54oROApBQklk3Rf4E7Wjn04BirxI1yh42I9AgfoRphlLB6JFAhWPmsRZIMWUjjLdA81gH,iv:odRx/Ht6Nku7WSakECHEbjZbRtLiT1HtLCv8LkLbDWg=,tag:ZFL1u/Kg3+TdGOpby40Ndw==,type:str]
env: ENC[AES256_GCM,data:iocxxwf7Iu2mD/Ita8kYQjnSIa5eG6r6waZUHrZxq+Zr02rUZS3ypvtA60fdpxtCFre4nOEMTI0k6XkaW3xoma3cMbm4cjs+bn85dNeUdlDkcKdo20pE95+jPqLnB/jmxyc8,iv:uynRN38mYtrkO2HBr2hp8PTWECZn1MKRJKFegQX9slQ=,tag:gk3c/BO9+KYblGLbmtDYYQ==,type:str]
sops:
kms: []
gcp_kms: []
@ -10,59 +10,59 @@ sops:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCL096VEdTdzE3ZnpTU1M2
NngxUEY5d0FNd1cwR0VrN1E3eWJmOEVEOWtVCjNOQUErL2NvOERJR0x5NVFYcHJH
ekdVNVc5TnIrQ0E2OFI3K3VIdFo0RWMKLS0tIGtEcFBWQ29KbmkyRng0bXovUTB6
NWJBdDJYU2JjU2Y2KzZPaERyZE1HdEUKHOJMtRFmWNTzwr/j7cxL6E8BnaZk75Dr
RYW+8oGT905PMP0jh6dFKuUIsxAuCGQXZUfnUXlbCBUJjYIjeCNGOQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjOWZEMVJVd25Hc0E4SkIw
Y2ZnZlFsZnE5MitTbWMrb1c3WDI5QmxjdVYwClUrRXBjY0lYd1Y3T0F6ZUxHY243
OUZTK2ZxYXJ2UjdNMUN6d0ZSdFZyOFkKLS0tIGFXOHptSzF0a0pqRE1QM291KzJx
ZDJDWCtMZVRXTG9pNkl4VXg0WkpJSDAKs5QHQkoKXpdJcVnHcNLeeq2wUNh3LIUH
TU3SLK4yhbKBS6zL/LKOWN1XL21B3YrSHVOWQzMb/Vih4MFrPLchDQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0ck00a0xwOER3SmZ6OTM5
WGEwVjZ6ZUJhUit6SU1KTmtqak9uTHJDT2xRCjcrMHlvRkw3SGMyNE50WXRjcUtw
bldUSUdTZlhRUGVPQ1FaTWFva015RmcKLS0tIERrd0F5eVBMYllYS3BCZkt3bW1v
VFlYQVp5cURqWXV2ZmczWFF2UlpYKzQKWlw1CxLh2LwA9z92ZVbkZPhJuleUZHdN
hOfpFEfd/nP2Mh22NW41ZN1X5nT6hG+0N5LANmjzGoRUCS7pYaPTGw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2Y3BwMkJ3dGpteDZCVzBE
bk5rLytHSlJDS0ErZjJKaEtTWkJzY3o0dnlBCnp0SU1vVndZbXk4TGdTSjNyNTBv
MUVOWUJHSnowUjFVWEpNMUpiMjA2eTAKLS0tIEIvYmNCWDA5bGtvRGQ1SmpQdFp1
VEVFb1BsSitHV09PZlB6d1hCNHpvOWMKr0kc8AI0jRpx4vRKC/CcQblF2aTaAYT8
MBPbbv1rFJBJ63fv1tGb/EmxKWl12HIsjFTxn4R9HLMuqoeheLTkEg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVR3U1OTJncTgvcVdrUSs1
VDBBaHpUU283QVFRZVNhMHJEUDZYaUZTTlNzCnFyMHYvbGwzb2VmL2Y1dnREdEpl
Z0ZkbGwzTUpoWEVQaTlPMnNFN3ArNkUKLS0tIGxtSS81TVF1SVVHcCtVZHhES015
YVBza2hzM1ZaVjFIbWhoOW9QRVZEamcKImmazw+OsTpec1pJMrmHlSS6R3MBFDPc
j6I/7AKS0mdspo9T/csjLVQWTXYgCe2x0gHhqY6I4997Dagqc8SaHw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaTm1oZXA1eUpaYi9WSHlG
T25hVmUrRFV6a3NXcldRMERkU2FWMmptTFVjCjd3MUlhcVBGK2JhSjdkTDZpQXBz
L016NnQ3bzRocmNrUk1nR3FqeHI2cnMKLS0tIHI1aVNvcmtKYTBNVGg4RS90NXNW
ZWlnUU0vditwbWtKOEY1di9Jb1hHK2MKjqe7nRCUzXm39YxCLlp0zTPk+gCYFzg7
QwfsZuSQphKUrmO/IgIUpv5H1q6WKCN5GhfH6gLwxX/Jn104xvapWg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEMTUrQXJpWVQ0OGpkS21p
eWVURUJGbkE2SStmbE5oSE02Tll6YXl4ekFjClNjTGtMNWFkdzh2TXlndEl2ZjZG
K21KOFRCdUJHMml2TlVHUXU5cnVpUGsKLS0tIHE4NS9ob2JoREU5QU4xYkN0c3BY
YXBQeXNnWVEzaGF0WjNKaWhmK2dtTVkKoSxBOjZmZeucQrHob3wEr69L7535zN/N
rpZqBmmTnLPuD0+fuYhLVbsRVp3cEULepRfltpQuutEJbhDAhWpTKg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFd2puUE1lVnp2Z3Y1TDdK
aDdRb3FtTzJQSlBXQ1hZcnJXa2ltWVFtZ0hNCkZqRDQ3Q0xkTDk3OTVlWXRhbmxs
Q2k1cW1aQmRMODBZUDJVanFRK0dkbUUKLS0tIGVxZ3VxRklMUWpBa0JweHNENG5T
T3hKT0F1NUpBMkdYelA5VFBMNkRyVVEKYUNocPAY8bAm17EbPdqnGT5LjKj6t5X0
zkVdSGPG+l7UzGCzZHEG9mnLpAQq+ED0cMWA7gOz+m+zAj7o4qLe3w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBazAyNmswaTdnclNpMDkz
c1BDTFQyTFNiYlpPVU1zR05DaEQ0U2tDVXpFCkttdFNSL292eDErbzJ3VFZEUHhm
THRJWWhadW95VTFxZmtsQVl1d1RiUzQKLS0tIHNrQW5WVWF0TlFvN3JJM01PT0dl
dUxBa3FuM3JFMlVMa3Nobkh0bjFBQjAK+WhiuurDU3OwT+kuWJ/+kZOdIYwjsjgn
DkcUNWEt6IP8CKWJws6RoqlkH1cO+6JsKd/LWMwI14UhzaQI7zms8A==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyRDNNMWU2Ly9TcTFYbzhx
ZnRXSmZNZkZtV29KRGR3ZmhwT2VhN2FOZDNjCm9Lc3BEUUJuekh0RkxoazBNSU9u
UmRUV1B3cGpGMWFKaXFmWVZBT2RaM3cKLS0tIFNWaGFsZE5Jc1NKTGc0amRUMlZR
NHd6RllGdEQxeEZRb2xyd0hOMXBFYncKAh/6llh1uBOqRz4L7SiDsevTZYKyoKoh
SSPqIycuhyotPpwHtFsRaOoa6YxHQnnYc57UJXqrwi1d2DWM1REIiw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1w3jtd4lecn2ng8qxantw33qxl2uasfqfjfpx45u6uweexwtxyq4spwssmh
- recipient: age1jpeh4s553taxkyxhzlshzqjfrtvmmp5lw0hmpgn3mdnmgzku332qe082dl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBucWtiUkhlVTBDRHQrYWlV
elcxeFJ2Y2Vxd0tTUERCaVRvQUZCaTU1U0FjCngrZ2sza0NzNWFZNkk1Vnc5VTJY
WjF4MU1jcHorc09IdDFlU0FRT3hhUnMKLS0tIEUrYU9aTkcwTVhCbmQ1Unp4eEpU
R2RkZnZaNTBPTWJMdjlTSjhCK0tuMU0KsSsbacU86FneM4NHNYxd6YEBvOW2Pcmm
dzIaD9ZlQGQEEwqTFFHmXI1pMVibMNG8I2LlNml4xM8J8yH+e/7YzQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpUmM0bkN5WjN3ell6TGxP
Zzk1MDVHZEUzQ3lLSHN2SWRjNnlzZjBFRkNBCmdXMjAyNml6SDZQNzNSNGFsY0lD
NzY2MHJrWGVheXlQRFlpdFJ3RXNPOWMKLS0tIHB6YmZJTUZ3ZW1OZy9LVFhCNlpK
VmVCMTVRRlVLclBGSnZuVzdydTFkTVkKYgtuNHfTXgGMWzJGALPEOU2aEY2AFnsq
cH09C/mdOWmPOuJrzqLRD2zuQeUExc7nPLH9DumHPcVpXoAWSAE2ww==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-11T11:56:37Z"
mac: ENC[AES256_GCM,data:cELSGJgfHkR0RPVZAJxTd3jmaYNHb+HBNPccSZ+pD5dBsa7WBhlcdTVy+O/XkhQkiYvcVcpXZZgODcv9SwvJM24yA6s2+5nhcs6mJzVtYT15hSzH0YepAe2OHk8rR5S7ucUZZYIJzjFOTxWPvExx2ntsBVngZhHCrLm/EyjWbv0=,iv:yTDtfR1R9SVmCvwiLgdiMX4Eso6PIK1eiqlPtwW++lY=,tag:wxSrF/qz04Cdw9VATtnd3w==,type:str]
lastmodified: "2024-04-15T06:36:15Z"
mac: ENC[AES256_GCM,data:ZOuz/fdCiBKmqYdumQq2njK6wGiAtPPwLZphPfTwdCaWYnNHLuCE83CaDzBhrsR4nTR/03Uy0XDvNsv7Yvid5WivzrcsilNcriVQ025nNm6ucRCMdg1phm6sNXOkdWnWA65kro9a8C3g6j6EYAohvn/TZmS0XK1zp/PjJ9xggKs=,iv:T6O4nsrptfJJNzEFWeHKGBOGsBmvZQi7WU0uIrhat0E=,tag:7Cp6NCzh0j8ONXkNKgcTbg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -10,9 +10,9 @@ let
user = "568"; #string
group = "568"; #string
port = 3000; #int
persistentFolder = "${config.mySystem.persistentFolder}/${app}";
cfg = config.mySystem.services.homepage;
cfg = config.mySystem.services.${app};
appFolder = "containers/${app}";
persistentFolder = "${config.mySystem.persistentFolder}/${appFolder}";
# TODO refactor out this sht
settings =


@ -1,6 +1,6 @@
services:
homepage:
env: ENC[AES256_GCM,data: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,iv:ntzX/uBd2wShWGAm+oOOYRZtZBazeVR6r8Jjp/ewLsU=,tag:Rsb3/GLTBnvv98bUicJRTw==,type:str]
env: ENC[AES256_GCM,data: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,iv:fGF0WzgDIR/Z4s7/njbPtP8kk7h1VGz2g3MLN5v7gSw=,tag:n9NAbizmQh2lDf6B+fDGKw==,type:str]
sops:
kms: []
gcp_kms: []
@ -10,59 +10,59 @@ sops:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4MXN2MXZZdWk0QzZvUUtR
bytQUmxVZXh3cHg2dUhaNFNMM2FxbjU5Z1JVCjhDVlZEWXZYV1R5UlBXL0ZrN2FF
dFkxZnE4QzBaWnZvYWp4bUxzdzJCMlUKLS0tIERCeis3eGVpSWZiMnNkUzFDMWlv
MEUvelQ0d1BETW94eTIwb3FYRU05SHcKIwkwqn+/TQYPD2E9Y8Y5CKYWWOOlOqNX
INWN0DgzQb3pVn/L3HD6R7rpCIujQhV/KE42p4theakT56cEFMpjaQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwb2JCV1BpWXMrWXdxaElB
TDBrb0UxVXBxaHhWNDdPVUt6dk9lOVYxYmxjCit3OGVvVytmM0xoMUgyL0pYU3VW
engydEpENEJpdGJGMFBiWTcyWGtpeFEKLS0tIDJPMjM2cnFSdDVoWU1mMEl0bHZX
YUEwR2hmNHdDZDdxcmc3OW9rN0J5Q1UK7YIJgv4mNUUJZd+1jJBcYdBLB/g+NEJW
8nLi1IgSHRMryYOviyu1lJ7zd27pMhjjTkajaIymwi2T1txug7xwAQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3UWYwVWlGWUtENWhuQlpY
THhSbnJkaENaUnNVekE2UndKeUpsRElpNFdZCmoxODUxQ1FvVW9UcFFiN3M1TFh6
UzRRbkdzQWs1SXVCUyt2ZTlPaDlwK0UKLS0tIEJSdk4rU1M0bmR4QTlEeFRwbUxT
dlpkaW13VkNCWVcvcGlVT0JSVm1jd2sKxDSwNVZkt+1VrEIEkSDFSL6XpkmRU0UZ
bsRYQjTxdqMxAVtyeKVIocMizGQIcsbjrwxL2RMnUev73wjNEKjAJA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3b0RTRHd0enhXcEFtZXZ5
Tk8zRWRYbm1UOHRjMFgyRGRQb016bzYzWVRJCjFWbVhZT3p2ZjhCcjFRR05TZnRK
KzkxT1plTWVzSythQWFsZXh1Z0ZzRjAKLS0tIEU1cWxZcWg1bTRrYkpWSFFNUkJ2
NlROTG9YZWhZeTQ1djEvaUw3NWpKZWsKvWkqBd2nMSnSlwsMf9Y/H/7lZu3TYR6C
S2DayCyLe6JfE3sgTIDiFo9awwTZYM9z+HXdMffnlKdBd1UTGRvH0Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrSVowcEdHQVV5U1h3Szky
Wk9zTSsyZU5lWUxXNXlGcGNBQUd6dTBXSkI4Cndsb05DUy9QYUl5K1VGT3NLOFVl
NzdCeG5wSjZ2SG0xSlVSZ29EQzlzT1kKLS0tIForSGZzWWdsYlJVSXhRUzMxS2dO
ZG5SbFo5VzdsZ3BHMlhpUWVYajNVUm8KIL/y0lbYiYruyLRmdgj7/4bP4NLdL/uU
/bR46RvXfAhgyncp+4hXrhh1CdPUwkg4Bh6WfwYaO+0kp/4FU47u+A==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvQS9jQUJDU2xHVFM5YXFU
alBvZjh0TnZEb2ZRTnNHazFEcU9JOHRGWFhnCnpWYlhpVWZHTFQ4S2k5NERNNDE1
bTF5U1htYTRtQjFmclJCNXhCcnFlS0UKLS0tIHpGaE1odmJCSWdRWU1zWnpxRFJo
cWJXQWpFWVk1N3JFeS9zZkt3RGRlMHcKieWN/vbbTCscmY+jAoY2qU46+N+susmN
AlIHI5B65LlHZ8oAVsfGDrSb4u81dM2sPqg28iY+Ij32AuWBCTWfIQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwdjJZMmhqTzNrZWk4SGJ5
bkVaOHdCOXRwT2V3VEd4Q2VDRzlCMDFDelFZCk5LMWZoK0g5YUt1ck1jQlZONDRS
MDFpSzRQaDRmMDg5YWk4NnBtU2RXcDQKLS0tIHZ1aWxjcS9mejRaTnVKV3pDUmgx
RGJFZHhsME96WFFOWUx4QUtZeWpCSDAKX6odRaFPR8vHTSZ+YD5POCeFVMeWk+Q0
f4zjiGN1HXOk4pwH286z66VAZ9Eem+c15mb60ZmKFRhxTeJc0Xvq6g==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTMFZLS1IrT3BzelZYVlAw
M1ExNXVPcDlqNzIvREFOMDVzYk82L0h5YUNBClVvWkxDdnFrU2RDSTBWOWNiVWVL
bmprdEJsT2Yvcnc2cGdpUEllYS9adDQKLS0tIHdxT3JPd0tkakNpalVKU2NMUjln
bCs4S2ZyZDJZRUFqY3JRcHI1UDZGTzAKlW2nKct0J9LpE1WNE73fp0OUpLXesgNx
V8QJ4cNix3V1TX7pPsGOt+driC83kGEjj/jukvrUCiT9IHscDOpY3A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxMy9OYWdsNjRXZ0YwdjJI
YmtJK0krNm1XamU3bGlyWDVPL3FscmNqREhJCmtQR255bkcxMEFheEZ5WXFvUjVJ
NWNQOVc3YnVZNVBSSkRZMGxCVjhsdFkKLS0tIGNyQS9BbnFJclFtYjlYZ1h1dFhi
bUEzWmRZUzZIYjJJQ09YVU4wVUgrV1UK+PmTnYJ67rUGld61S0/GMa3ZQYSAePul
+a/5BKlvLgPJVua6Fv5LIoA0zzmFLEpOOsnLarbmRfWm9XpQDD5wEg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAySG54VVEzOVY2TGNGTGdn
bVVaMUtqamwwamRRQk9qYmpzdk9YbzEvYTAwCkpIb1pXb3VKdUxPNUdyRnZVNWJU
cGIzVDNHQWlSSkkxMXJ0RGp1MFNRckEKLS0tIHNSQ0t6SkJYVWZramkwZkUxRGpw
SnZRYUJzMGJwZTFYc0J3Slcrd2ZPYVEKfQ263loKlS0MGe/CCgAiu29trQbR0z/9
l7ehDvRN+POsckFL12xs/gapkOFIuY9MJ5ngibKVUqVWwGG8cedkRA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1w3jtd4lecn2ng8qxantw33qxl2uasfqfjfpx45u6uweexwtxyq4spwssmh
- recipient: age1jpeh4s553taxkyxhzlshzqjfrtvmmp5lw0hmpgn3mdnmgzku332qe082dl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsaGdWWVgzQUwwbVlHZVgr
U2NDSk9SV2FRQS9GSUUxK010WTFaK3g1dmg0Ck5Ld0Y4ZEticFhoTDFNb0x1NDk1
SWxXcFk0RDh3V0xQUS94ZjRoK2xESnMKLS0tIE15LzRjYXVjS01JTEEwcDNuS2lz
YWR3NnNjbjUrTTVCS0t3TzRydnlSNkkKKIi0I49zJ574JR7aVu4x7PZcaRvxnzvm
Z2IXLciMBKkiIQNf0eRocSjfSumToBAhXORJVklAxW9j67haSuKZMA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUcmN3UXRGRlJrODQ3MEpr
SkdaWUJENXVmRG9tZ2I4ZEVXUTJQOVlrRkdFCk5TUWNtZFk4L0MxeVhvQW1sMllP
bHp2cyt2V1R0UmJOQ0laSUpqWEtZcFkKLS0tIGU4c0s5blJPRWIvU1JZTGtURkZh
U2NXcDlaWUNJbm5lV0lVQklwTXowajQK3Sdo0OcVXThYTWBZMd/t7hey2ITfKIDT
pyKaJc2xDzsgKx/bc2DxjElsROPBF+7Z0gYMv7/aOIhkcGEU3lPKsA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-11T11:56:37Z"
mac: ENC[AES256_GCM,data:7IBluUr6uRBeQoaIG4LG3CFEUa42UEl2NMUS/V01W/fKlEBb97Jog2dpdivMQ0P4Az3MSzPqfq0Y7b4XBcU/LnSGNBNKFAXO75rBwvmuKF5qcw7X8MUl28qgTyS6DImDL33r+ydA731lTzQazntAzgqquFTtjNqixkF/2qDTgeY=,iv:ROdwE2T5M6zofyP/vxJRhvRj1X3BCKiG0Kjmfp1Jd1A=,tag:oOs4LF7RHxEb40w7KvFFcA==,type:str]
lastmodified: "2024-04-15T06:36:15Z"
mac: ENC[AES256_GCM,data:AeluQaUlgrC4iYyG/Yqjk4bVv3TWmFYy2uRRN/kFuytjN+TmDlevkWAbQpg9rtJn0f0FohWYvsDB/NNF5uvbDrwwMCqqcUUNs581fxa6QQr89IfXCIlSOCgBKVUtAqH/M1SjHh6K0LxVAlDW5mvr0OvW2WFURDBo45YMMfvoPVs=,iv:1ia1N+rkoTKXmtvEuVyKtZ758PDOfh7FuKOMaoxq49o=,tag:Au6rcmAKcYLzCvEkWiC2Qg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -11,7 +11,8 @@ let
group = "568"; #string
port = 32400; #int
cfg = config.mySystem.services.${app};
persistentFolder = "${config.mySystem.persistentFolder}/${app}";
appFolder = "containers/${app}";
persistentFolder = "${config.mySystem.persistentFolder}/${appFolder}";
in
{
options.mySystem.services.${app} =
@ -77,5 +78,13 @@ in
conditions = [ "[CONNECTED] == true" "[STATUS] == 200" "[RESPONSE_TIME] < 50" ];
}];
services.restic.backups = config.lib.mySystem.mkRestic
{
inherit app user;
excludePaths = [ "Backups" ];
paths = [ appFolder ];
inherit appFolder;
};
};
}


@ -10,14 +10,20 @@ let
user = "568"; #string
group = "568"; #string
port = 8080; #int
qbit_port = 32189;
cfg = config.mySystem.services.${app};
persistentFolder = "${config.mySystem.persistentFolder}/${app}";
appFolder = "containers/${app}";
persistentFolder = "${config.mySystem.persistentFolder}/${appFolder}";
in
{
options.mySystem.services.${app} =
{
enable = mkEnableOption "${app}";
addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };
openFirewall = mkEnableOption "Open firewall for ${app}" // {
default = true;
};
};
config = mkIf cfg.enable {
@ -30,8 +36,9 @@ in
image = "${image}";
user = "${user}:${group}";
environment = {
QBITTORRENT__BT_PORT = "32189";
QBITTORRENT__BT_PORT = builtins.toString qbit_port;
};
ports = [ "${builtins.toString qbit_port}:${builtins.toString qbit_port}" ];
volumes = [
"${persistentFolder}:/config:rw"
"${config.mySystem.nasFolder}/natflix:/media:rw"
@ -42,6 +49,13 @@ in
inherit port;
};
};
# gotta open up that firewall
networking.firewall = mkIf cfg.openFirewall {
allowedTCPPorts = [ qbit_port ];
allowedUDPPorts = [ qbit_port ];
};
mySystem.services.homepage.media-services = mkIf cfg.addToHomepage [
{
@ -68,5 +82,14 @@ in
conditions = [ "[CONNECTED] == true" "[STATUS] == 200" "[RESPONSE_TIME] < 50" ];
}];
services.restic.backups = config.lib.mySystem.mkRestic
{
inherit app user;
excludePaths = [ "Backups" ];
paths = [ appFolder ];
inherit appFolder;
};
};
}
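Review bot: `openFirewall` defaults to `true`, so enabling this service opens `qbit_port` for both TCP and UDP on the host firewall unless the operator opts out; NixOS modules conventionally leave `openFirewall` off by default, and `default = false;` would make the exposure an explicit decision. The `ports` entry publishes the port without a protocol suffix, which container runtimes treat as TCP only, so the `allowedUDPPorts` rule opens a host port that nothing is forwarded to. Either add a second mapping, `"${builtins.toString qbit_port}:${builtins.toString qbit_port}/udp"`, or drop `allowedUDPPorts`. The comment `# gotta open up that firewall` would be more useful if it said which traffic the rule is for.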


@ -11,7 +11,8 @@ let
group = "568"; #string
port = 8080; #int
cfg = config.mySystem.services.${app};
persistentFolder = "${config.mySystem.persistentFolder}/${app}";
appFolder = "containers/${app}";
persistentFolder = "${config.mySystem.persistentFolder}/${appFolder}";
in
{
options.mySystem.services.${app} =
@ -69,5 +70,14 @@ in
conditions = [ "[CONNECTED] == true" "[STATUS] == 200" "[RESPONSE_TIME] < 50" ];
}];
services.restic.backups = config.lib.mySystem.mkRestic
{
inherit app user;
excludePaths = [ "Backups" ];
paths = [ appFolder ];
inherit appFolder;
};
};
}


@ -11,7 +11,8 @@ let
group = "568"; #string
port = 8181; #int
cfg = config.mySystem.services.${app};
persistentFolder = "${config.mySystem.persistentFolder}/${app}";
appFolder = "containers/${app}";
persistentFolder = "${config.mySystem.persistentFolder}/${appFolder}";
in
{
options.mySystem.services.${app} =
@ -67,5 +68,14 @@ in
conditions = [ "[CONNECTED] == true" "[STATUS] == 200" "[RESPONSE_TIME] < 50" ];
}];
services.restic.backups = config.lib.mySystem.mkRestic
{
inherit app user;
excludePaths = [ "Backups" ];
paths = [ appFolder ];
inherit appFolder;
};
};
}


@ -15,7 +15,7 @@ with lib;
options.mySystem.persistentFolder = mkOption {
type = types.str;
description = "persistent folder for nixos mutable files";
default = "/persist/nixos";
default = "/persist";
};
options.mySystem.nasFolder = mkOption {
@ -33,6 +33,11 @@ with lib;
description = "domain for local devices";
default = "";
};
options.mySystem.purpose = mkOption {
type = types.str;
description = "System purpose";
default = "Production";
};
config = {
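Review bot: The `persistentFolder` default appears to move from `/persist/nixos` to `/persist`, and together with the `containers/${app}` sub-path the service modules now use, that relocates every container's state directory with no migration step visible in this commit. A host that relies on the defaults would presumably start its services on empty `/config` directories, i.e. in first-run state with default settings, until the old data is moved. The restic helper in this commit also reads `${config.mySystem.persistentFolder}/.zfs/snapshot/...`, so the option now has to point at a ZFS dataset root; the description should say so, e.g. `description = "Root of the persistent ZFS dataset for mutable files";`. The `config` block that follows continues outside the hunk.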


@ -23,6 +23,8 @@ in
[
bbenoist.nix
mkhl.direnv
streetsidesoftware.code-spell-checker
oderwat.indent-rainbow
]
++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [


@ -1,4 +1,5 @@
{ lib, config, ... }:
{ lib, config, pkgs, ... }:
with lib;
{
# build up traefik docker labesl
@ -27,29 +28,49 @@
}
);
# build a restic restore set
# build a restic restore set for both local and remote
lib.mySystem.mkRestic = options: (
let
excludePath = if builtins.hasAttr "excludePath" options then options.excludePath else [ ];
in
{
passwordFile = config.sops.secrets."services/restic/password".path;
initialize = true;
user = "nah";
repository = "/tank/backup/nixos/nixos/${options.app}";
exclude = options.excludePaths;
inherit (options) paths;
timerConfig = {
OnCalendar = "01:05";
OnCalendar = "02:05";
Persistent = true;
RandomizedDelaySec = "4h";
RandomizedDelaySec = "3h";
};
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 5"
"--keep-monthly 12"
];
initialize = true;
backupPrepareCommand = ''
# remove stale locks - this avoids some annoyance
${pkgs.restic}/bin/restic unlock || true
'';
in
{
# local backup
"${options.app}-local" = mkIf config.mySystem.system.resticBackup.local.enable {
inherit pruneOpts timerConfig initialize backupPrepareCommand;
# Move the path to the zfs snapshot path
paths = map (x: "${config.mySystem.persistentFolder}/.zfs/snapshot/restic_nightly_snap/${x}") options.paths;
passwordFile = config.sops.secrets."services/restic/password".path;
exclude = options.excludePaths;
repository = "${config.mySystem.system.resticBackup.local.location}/${options.appFolder}";
inherit (options) user;
};
# remote backup
"${options.app}-remote" = mkIf config.mySystem.system.resticBackup.remote.enable {
inherit pruneOpts timerConfig initialize backupPrepareCommand;
# Move the path to the zfs snapshot path
paths = map (x: "${config.mySystem.persistentFolder}/.zfs/snapshot/restic_nightly_snap/${x}") options.paths;
environmentFile = config.sops.secrets."services/restic/env".path;
passwordFile = config.sops.secrets."services/restic/password".path;
repository = "${config.mySystem.system.resticBackup.remote.location}/${options.appFolder}";
exclude = options.excludePaths;
inherit (options) user;
};
}
);
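Review bot: The `let` binds `excludePath` with a `hasAttr "excludePath"` fallback, but both backup sets read `options.excludePaths` directly, so the fallback is never used and a caller that omits `excludePaths` fails evaluation instead of getting an empty list. Assuming the binding is still on the new side (the page has lost its +/- markers), I would bind `excludePaths = options.excludePaths or [ ];` and use `exclude = excludePaths;` in both the `-local` and `-remote` sets. Separately, `restic unlock || true` in `backupPrepareCommand` hides every unlock failure, including a wrong password or an unreachable repository. If that is deliberate best-effort, the comment should say so: `# best-effort: a failed unlock must not block the backup itself`.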


@ -88,14 +88,20 @@ in
10.5.0.0/24; # CONTAINERS
};
key "tsig-key" {
algorithm hmac-sha512;
secret "iZhi4kaPJBvqxyW73aKYRnNy5e7N2A+7WczxAMcCvDl8QpAc0HFjfI1Q+0g1SBUQBZXqAvGFViegPsK9lZ3bkA==";
};
zone "trux.dev." {
type master;
file "${config.sops.secrets."system/networking/bind/trux.dev".path}";
allow-transfer {
tsig-key;
};
update-policy {
grant tsig-key zonesub ANY;
};
allow-query { any; };
};
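Review bot: The `secret` of `key "tsig-key"` is written in clear text in this hunk, while the zone file a few lines below is read from `config.sops.secrets`; as a literal in a Nix expression it lands in the repository history and, presumably, in the world-readable Nix store. Because `update-policy` grants that key `zonesub ANY`, whoever holds it can rewrite any record in the zone. Move the whole `key` block into a sops-managed file and pull it in with `include "${config.sops.secrets."<tsig-key-secret-name>".path}";` (placeholder name), then generate a new key, since the committed one has to be treated as disclosed. Also check `allow-transfer { tsig-key; };`: BIND address match lists reference a key as `key tsig-key;`, and a bare name is read as an ACL name. The enclosing configuration string starts and ends outside the hunk.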


@ -1,8 +1,8 @@
system:
networking:
bind:
trux.dev: ENC[AES256_GCM,data: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,iv:BEhQs3Di4Ot5fUpg8jyoRk8IwUf3cErHt1cL8EBKvwQ=,tag:PFalLUWo5cn/tVXMzdaemg==,type:str]
natallan.com: ENC[AES256_GCM,data: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,iv:dsbNsqKBpedJuaaKZ9fPukQncCaDda8X1YEvm4ITTsU=,tag:ZRfLQ4yhjuvtiulqW1PCFQ==,type:str]
trux.dev: ENC[AES256_GCM,data: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,iv:zQXRmnAz6eYEdi1CvPELMLtBDlAn5DJ16Q5GCQ8gBjM=,tag:gLfa8MFwLN64HXhGRP1LpA==,type:str]
natallan.com: ENC[AES256_GCM,data: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,iv:BaKS5fV/9FTn6+XV0FOWhJ/qTZKwZbjFkzrOhZWSaIA=,tag:6swVM+KhxffMmFbOzU+6OQ==,type:str]
sops:
kms: []
gcp_kms: []
@ -12,59 +12,59 @@ sops:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlUStiaEppZFByY1BSTDJM
a2tGZFIrWnhIRzJnTmVjeVQzR2NkdUVKczFvCnp4MjN5dlpVcEw0WjhoWTVvRXds
bkxNM2hpdGlOb3dIbnVsWGplTXNjcVUKLS0tIEdHbUtxL1ZsdEdwaHArcnhrYXkw
TkRWdG1YQWlJdjZoM3l3dmlpbjdaVW8Kx7BcZHC7gglnTijk5fhHsk0oMdPIs3Xr
CPeOTnfAMh5unDqmzIlGi+rS8siDcf4QrkjQWRZK9tJynjzkqv0brw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsVmk1WUJNMlJZeUJYV0xJ
a01wZ05OeE1vRjEydGg5cmdzVzlWZ05uZTJRCitHdm9sWmFYY3A4eVNZSGpSMzFu
emRtc0xIYUlxbnNpeW45c3ZRem5LUXcKLS0tIFdad25hbktKYkVoQWtLVGJvU1hE
clJPcm9jbHA4dk5vYzBHTDJvOCtTczAKkFuEWjBNgoVhfsMmmfM8+LEOq1ZQYzWK
NzAHoA0tzMV1775qmxbrYjd4296QwPBpmda/6LFgCbeZVTj2yKNQvw==
-----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpaVhkTEJMRVBsYkwyVnp6
VE4xMmFBaWVIbGZHS2RVYjJkSjFrK2M3OVV3CjdaQ21HTUdEbmlralJnTU5hTk9t
RUNjKzNPRjZTdFA3b1ZObm1mS2hjRjgKLS0tIElyOGNMSHVkNVRIT3d4OURka1BF
NnVNS3EyVkNKd1FKMHBhbzM4V2lnNW8Kz92lN5MJrHkRM48nxfXgkRKX8ARWNDqg
sNqyXIDX9C+Nq2TqpLYNH7Rw06U35QTHQu7NLd/63/dxJUCcpQIpHg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqQVUxRHpsQ1F2ZnFCYitj
dWtnVmpsZnFuT3ZuL1dsQWY3a28rYzdEdERNCjJhYTBKZmsyQzdJMXo0N1lrUXo2
ZzdETDA1cUlFcUx6QVQ2c21JSVRYS1UKLS0tIGFMM3VTaUJMR1d4ekhFVVFVeTBN
NW5EWHIxVDNQV28yMktmUGRKRllEVEkKKrt+lmoGUdzzBQj5xQ3W2XasgWREBuuw
TjjW+1Xcq6CfczAtxAAsr8C5nyIFJO9EUcDsMYabAQyZZp0/tvAy9w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCanhjZCt1c3Y3aHJaV2lx
eWNhRE1ja1F2dlJTNG9zbS91Q1FVNWE2L2t3CmFxK0p3S3d1dm5NRGhnMWI5QkND
VG9jeXNWTXFKKzJIYXhvWkZ2bm8wYmsKLS0tIG1nUzlaVXNLbmNjSVI5dVBDME9D
MTh3bjNvWmFWbGRXSVEyWjlpM215QW8KSen/lWbnH1SbP7qOWARwInwXnI0GUx2m
ZlWTGZPh5/Q+n6LAC64wRLKAQ+0lw7aE/b0Mf9Ht9XGDg3VizS4Ycw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxVVJTZjV1bVpPemtPSjRO
ZHRDRHBraXk5YXV6SDB0QVY1bXIvSnBQRjM4Cms3aWdrQ2NyelB0ODMxclI0ai9v
dWVGUThkV2kvOGlQdXI1bjBPRC9uVFEKLS0tIFRDVGhZRWx2NEhFcHJ4U0lJRlky
QXMwK1pkSTAwYWZnREY3OEx3TU0yamcKHAr9joyZgv8w1QXdIjgsBtwEE75nil2P
HSQ0LRfRln71JMarqaCvrX3HjCi94yT5+toT+MOor7kovb+o4GEwcQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5RjFNVXJnTk9pTjZ4TFZs
L3Z1THlRZXErQnJ0UjkvblZTR3ZoKzJYNVFnCnJWWDBiSEFzeWdXcVFNb01wTFpG
eUVvNGNYVk92MDdMckdKemZjRDdpb2cKLS0tIHdQSEpaRzRsa3JDamE3c1VYKy9D
MkIyMzNuOEV5TVVSTHB6KzVLS1ZGZncKk6cU+7KIwhVG6pbdifpxu8BSD8vW5WJ3
WOdwHZdbQ69c8VHeoI9WVVDXD5/ubvU15VNHvDqc0+TgM9epmSxThg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBZ0ZaY1dEUlhCNzRiMFNu
dkRyWGRoTzFJblNHV2trVkdsMVhlMlNzMFYwCkhZUmJRdjAwZTFhcCtlV1hKUE5u
RzUxckNEOFNqSnR6UVdhWTdaY25VWHMKLS0tIGpWNjRKNnJKc3g0R0NtQ09uQnRT
SC93Unl6TEh0ZVlzaTFpSEwrMHRuWkEKAcZRLzyOzTOUbZw4Rr6McFVDnZO1U+Ha
HkAd9qJ+n0YSd4NKdHitnL25NXxPs3r0z9gZlPXdgIlT2XbK4RR9uA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUUEVjRm1udU1QakNsY21x
a2p5dnk3NElVWXNoWmxROEp4S0prN2djY21NCnJySUF1eWFIZENMVVZ6MWVSN3hJ
bHZ4eWN6SnVTdUxsdDd3OThOcmtTNm8KLS0tIFU5dkdsQWlKdDZzSFBGa3dZUG9q
eittWnRlbnhJZ1A5M3o3amY2VFZyMFkKxhqNvCHSVUedEWCeuqIWNLomspQhamzo
0uCqZxCgdkCZjt9aehlI/i+rlHs97+IsZoWILxHMnVN2fGiP1WWhiA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsN0VwWDNid1c4SmVZQVVI
UmlFVHhwWHc2ZGMxY0lSNER6Wkt3TzR1QlFzCmo0amJqTHFEYXc1dzQ4d2JrYlhU
N3Z4dWdSeGFqUi8vTzU5eE9rOWp5dUUKLS0tIGZhcVhXQzFEZUJhOVdRMXpPeTFF
QnZ3Vmt6WkpEdHhWeGJ1YURhd3NZdHcKySPUb9MGFyNmy1EZySRjE4RL8KvbltVO
PRUdEwurrCp9ZBq87JfeUbHVvPw5+S0ha+aP8yPefXJGFs4yZBQnSA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1w3jtd4lecn2ng8qxantw33qxl2uasfqfjfpx45u6uweexwtxyq4spwssmh
- recipient: age1jpeh4s553taxkyxhzlshzqjfrtvmmp5lw0hmpgn3mdnmgzku332qe082dl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6QmFId1pnU1VTZTJhblNm
M2Qvbkkyc2wxNFRLVnRoT0UyL0ozeXNuOVV3CmEzUjlFVGh5dEtQV3R5NzgycjVy
QlQrMjJ1NWFUNTlPUHBGRmZPS1dwU1EKLS0tIGpGTnFKYnd1enV5V1JsQ3dmTU5R
MkppYkdxMmQvdVJJaFZ3S3B4ckJDMVEKZQblDxIC5opkR92DupfwI1XdEHlnVsYy
JKxg0pbC/ENrT+uBLjSh9cFyuHMk80V4BQ6xZvzvKX+WLJlEsHrgTA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkQVJmTWxzSzNDT1d1NzFX
UnFFbHF6YkVjUmRYTm5VVkhRbXF1SzJuT1NvCmROeFRQNkJpNkE2UWVYeW45b0Zt
dW9Ld3NVend5cEdyN20rV3EzczdHK2MKLS0tIGJYK041RVBBN0IzMC9KRUY1UFNk
REM3YnFBaGY1ejRQeldlc0JJSW5aWjQK3ZYIRxiLOx88kimDGq8GoDMVNbpLvOPz
EVtii9SHQWk4lTVqyqo2WAIc/2PMM8P7Je9xgc/sigR1i8rLQlAyTg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-13T11:28:15Z"
mac: ENC[AES256_GCM,data:R5uGODnxJC3ihSrzdjzxDHTKC+yXXjAOFbUAEOU67P8eM94RUnr8smP1ZDL2fnjCmzJdTMRDuBpjCtXxUeivNMTg/kK6r56VmQ2i2MDKiX49yPtGYfdUiLPBF/ZG/iwNJZ4m/3GZXAzvW2tYYkVzUU3cvsVdCFuWr1tnbsg9o1Y=,iv:kD0QdKbcr4yt+Ol3EK7O76czbYirgDx3pzPgyNB5GcU=,tag:fJsUOKQm3wUGjtqnO3574Q==,type:str]
lastmodified: "2024-04-15T06:36:15Z"
mac: ENC[AES256_GCM,data:cIXRUz3h2+PCdp0HLs1WjKPQOeGqgxpKfEXflMMUkX5GspOsrDZZYTF2A6bALaGqWAoqvHp5kxN8exTyl8fGM4x1i/eXQiZmTq/DICfCR890buSWAf83bP3X5+H1FJwR9NX37HZlmFVNWxnrKq4DTkC5Yn750LDd9aMls4EjkWA=,iv:ZDF4tgnUE6sfB7NaCouH3jd5IA5fZhZA9++jgBhg3A8=,tag:7gO7vrpkC+EI6ERjFUSy0A==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -1,8 +1,8 @@
system:
networking:
#ENC[AES256_GCM,data:rMKS8YbaNQi7RL9FcxPX9GrbYQ56yzosmLzzL3AZeZvEVQTInKbbWR6tcj3AW5bBntzNRomeKMH83cdqQ2xtkqLH1RsTUmV/mr+8Ng==,iv:+bFJXtcz7kpOeRVUvco8MuwH6y6bb0HqS+R1urbbqQ4=,tag:9yexHkeG5jGtL9Q4tEr4+g==,type:comment]
#ENC[AES256_GCM,data:vOHBtHt86amLNDKm7ED9P6SW7I4IJ1k0Wl9/9bOBYH6W+DYQX5NXiefNoseaq/LjrT2ZlF/mI0+7mLRU4SU9x7a2oScSlZHqNglsoA==,iv:eaxxZ4rP7vP8utOsyhNhEueS+e2CmUk+ywdM66v1vHk=,tag:rMdipaMTEVpo3bqh8d6SNQ==,type:comment]
cloudflare-dyndns:
apiTokenFile: ENC[AES256_GCM,data:ImeFlc6BAwq+1X1K8PWegOIJDJzEW63VING8lH0aYgpRbInckoarJ6a2OfYD38Powynl8mLqkcDYrlvgTDF57sRzEMGBa8mybhYZKn4ORFZPkbTpon5GuAz55Vbt9nMgoLDwiwOaE+DN2bbLVND3absLfQ==,iv:rN81afwtVNZtFqwI7s1ZA+OGNp7236IvprPE6pBSVvY=,tag:ekjTmihMMhCuBYFXpgxkDg==,type:str]
apiTokenFile: ENC[AES256_GCM,data:fWAyXn25z02ZkVtsBJLFVQNTGq9a3mSU1LQg2Qbgu6bPaszFozhJ/FqeWpF7b0V9UyXD0xJsXsBJGrUoWHq7sijOK6bn5mmwP+wuijvgosQAliAL8cqsQ+eT+nVgKX2QHThPQserWFzYn97CyPMHh+VDrA==,iv:JfL/WMOfHjHJviJrrerGcq5YDkHLsR3GIGTrNr8Y/nA=,tag:xjXKVBUWbMTMxuMfzw0CgA==,type:str]
sops:
kms: []
gcp_kms: []
@ -12,59 +12,59 @@ sops:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBva09IMGhuSXQ5dVVqZmtx
bm5UNjRVN0tKSytuc3dBdTdrUG9DZDBGVEJnCnNTclg1cUUxVFE5UCt4K1BobDZi
QllLTXFmY205cVlsMDI1cks4TEkxaTQKLS0tIGtjek5OZ21OREl5ZElmY3MzUEcr
YTNyZUtHTFhWYWRhcFNoN3ZCYjYwNHMK6wyDzfQAJe+722HF1f3DegqcdGsj2y1j
ZK3wfCxqo7X39goywNcbnVbugHUltMvd1KW7nEKMuCF/YV9EK521xA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2NjVNSmVHaG1jZnBVSXNZ
dUVPejVzaUZrYnZVVmRRVUYxN1pmVlVnRDFVCmhxRXQ5aEM3Ti9qeWNTRXdXMmRa
ZGlDaU8xY2NlMEZnRnBzTCtmMCtmbW8KLS0tIDhhYzlWeTVURUpqVnl2bVlBNG9C
emM2b2VKRGtJNlpKWGdpVkFsSzlBK0UKzjN4PkVurOHGwVRuFaWTWP2DS31pDYRw
egd7g4MeddRPwvpg1M233XUvhYb2LHKUGZY/RoyPWn7yB3V10G98rA==
-----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2LzVrU25Qcnppd1pzYU44
Qm4yTlJkSEZhajJBTmFXdk53b0lPYUU2TmdJCmNTUDBQT0dIT0RnZ3UzQUFFbW82
aTd4T0JKU0p3NFQ2NzJHR1VMbG5BWGsKLS0tIGZPa1hqUzFNaDZVWjhFRi8rZXRL
U2RtMjFSbGRIS1FaWFVOSHArWWFJYU0K34Ct6CN5d96bBB0XBYYoVwL+i8+/pAJl
qpSxekXpw8K1nuHLy5102Vws0AEEMCHNAkEHsjesMXjV3S/cjJWMig==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlMEo3Um5NdWxLUEpzWHpp
RndQeVNUOG1DTHE2Q20vc2M3SFZQbVg1ZDJzCmJNT2ZpVnlsaEg1cnQ3NTBYVzcw
SjZHd0hlUnhtdGFRdmxtcmozZ2RYR2sKLS0tIHVTNFFSVFVCTCs5L2hmeCtxdGxU
eXdOcGVZa2N3UWJPekVWN2RtRFZVNzQKGg0Cgk0sXsJ3lEcEzEukFcu0BTPd7kqa
FWWgwVXZeAX6z9YV6y25ZgyK7g9hkDVHyBzrAG+MijxymdnmyotXGQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsRVJmcE5VYngvUGRBMSt3
dHRod0FMWmVOTlN6eHlvUE50dHNiMzRuZ1V3CmpCamdobFhoNVc0amI5TUxHck9y
MHo3RkdPMnduK3QzZFlxYVV1VWZKQVUKLS0tIDFFR2U4cVdRN2RaeFFuUmtCSkFE
MnZVeElOTFJGc3kxS0NxZ2xvaXdOQjgKOPZe0NQpG02tsAFFpyfDQVsCw2lZeSOr
sOPOXV/zPxCGYqs4dxzx33RG/YaiAVtqA6wp00BE5y8jrxWU6HOv4A==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXUWZycjBJZ20yNkYzaFl6
eEVXSmlmRjRQZFlsemRCY1FOWmNVSmFveWc0CmordGxwdmR4eTZsUzFSOTRuY25O
ZUdUODMxTWxJZUdIc0NlaGVmRTNieUUKLS0tIDByOGQvck1lVEtEaHd6a2NuTnZ6
SlRiZmR6YUlGbXJZbjljdVJXWC9yeGMKepDCX4KM8MGcuawDjx6ztV2LvLbutsAp
21zvBz1zRSnuuMV8C8/KilRA6JsffJ91JLJIKnICwohNS6M/oI9/jg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtRW9mcnJjVU01Ky9PUFdT
TmNHVS85ekhSTGE4aWlnK05oUWFIdTBnVGo0ClYrNzh5WEp0UTJmdFFkSzdhYTdj
d2hOVWNhQmJQNERSdEpBMDJNbEMwdDgKLS0tIEtrV2NFTTNDSS9rL1l5cWRvdlAv
RWg4VUoyLy9WTis0N2hKSXNVRW1wdDQKIpSGvd5Npk0RrfpgvkFI3VCaMmoMd/uX
J4ci1P2jMb8Q+oeNi5MulBOJMx6P83BLqzTZC2rbniZJH/ItUZL1ow==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWK1Z6T1VnZk45aE4xQ3FS
cFNQSGFXWUJYVkJxZXhxbUpGbldOT2lHMmo0Ckpoa3lIb09uZFduYlhXTkowV0ly
MFJRaHJzczNnRmxMVnRuSmRFVkgxdVkKLS0tIG10TDFpelF1QmlibFJQYnhHbGNG
OGFvQkhxOXVMVStsczJsaDFGZUhIN1EKYCTExNCNSYM3W2DPPnJ828b3yya8UgOO
Wc5qClkwbC2zjf9ePtHO6wFB2Czo2QItPTRS9odBduwAOtCftyubwg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxMjExWXkxbjYybkE2NEs0
c3hpV05oMU9PWEFMQW9OUXN5SzJYZTJZVVg4Cm9nWmlKVU15OFM2YjM3WVdrYm1w
NTA3QVZsMUFzR0psdWg2N2N0VjhlOUkKLS0tIExCbXZoSTJwMW0wSzZuYWQ5VDV6
d2tnMXJPY2kxcFJKNDdWY1dVb3pYVVUKVCfLKncZvTagMZ5pLnzryIPxvILaXo9l
I004nyoMSOasctN6+TbVV+qshTa4pTZsn3czjOgTMb3fg1QCVLLb8Q==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIWHY5amtKSFhabUJMdkhS
QlBHQWMrT3h3QUtIUUYyWFFtZG1aVG80eVdrCjRDVklGSjZCNGVhRExDdERiRkg4
Wk00RzFFT1VlNUZwWjB0N0s2bzRCdzQKLS0tIGJCZTdPU1ExNjRiOG9hR1I4S2w4
UWtmdXZFclNMdUxzZkhyZVIxTW53S0EKpRwMpsriY1mI7mTo39iUBtrIAMyeI4Ll
RqxTl7k67n5Gt8todiH6LWn/pDugRfaWyZ+9zhPily37mxP6RJxnhg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1w3jtd4lecn2ng8qxantw33qxl2uasfqfjfpx45u6uweexwtxyq4spwssmh
- recipient: age1jpeh4s553taxkyxhzlshzqjfrtvmmp5lw0hmpgn3mdnmgzku332qe082dl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqcTBhemdHcEdrbTQ0SFVQ
K2h0MmpRZmNtTG9GWm1jaDFnT0grbmk2N0IwCkt4THh6OFRNdUltZEc2VXQ2a3Fs
alQyUW1NMGtVYVFtYzNNT3hYdzZEV2cKLS0tIGVyK0hPUWRPUFRCdGFscXFRVXB2
QStyYVowM3NDZVErSzlkVGV1WXRndFEKdJdRlJp6W9ZgSihAwDnw75mnj1JtZns7
v9DG0nl9+O3Z+e7HXX/LKg7DhjizfNjrwXlh7YeuYvQqTS2Hw9F9KA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHVEZaWG9ZL2NuNDgzRjAv
dXd6NTRYT2I0OGFmUU40cjFHWEthWWgvS2tJCmNnZFJ6b3cvYjVZYlA0OHh6NFcy
cFdPYm9IT2o0WStLWCttL0lqdXEvNncKLS0tIE1wbTl1U1krNjRJR2hjdjZMdmdP
bDdhZkoyRDdVNDFwS1d4RzZtaTk2eXMKW4XWLG21M4KLX00rJ2wAx/RP6V/xDj88
n84u+tJ/mVQLkLERvTVI46GFwjkElK63eN2M5FXFBqvDJcJK4qNXTg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-11T11:56:37Z"
mac: ENC[AES256_GCM,data:OEzJ9yXtbBf89s7d780P7Zy/bTH9WJbimuW7MPh4VVy0V+O23EEkEg+veCsJqNyqwCGZc7jfHkgBDglMKk/rcF6zYFOpxq359kLdXrbtdsb/74SRylN2ux7YwWMZNIlGN8eIMo4nqd/47SH4ALmH01DqztFjaXQZhe0tvUT1t0w=,iv:WVzo5MR7tmFqYGL0SpiDAkXkC3kS/+rUemw617bcR7Y=,tag:94M7kvTQjuO1dSdl9ytAGw==,type:str]
lastmodified: "2024-04-15T06:36:15Z"
mac: ENC[AES256_GCM,data:y8OLIhYUNHOIK9PMT0mMq5fGKVFZzH/AvZk5o3HA2ZOKel2DK3k2Bud78axBDXWQ2PHuA4cDLKAS9BzmgioQFo0VF6s+XFGQfPV0t5Uq9X9U8AlV81KyOV/obgD/jn/OcsDIbs3bl2wSFqs+Wu20J3GMVM1PJcJufM0t35z3ojY=,iv:MRE4s2oUM/x/QGZEs5GzWp8pX03OVdMvlyvE2nJUdf4=,tag:FuSpsQWt1OjGW6cncn6O5w==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -1,7 +1,7 @@
system:
networking:
dnscrypt-proxy2:
forwarding-rules: ENC[AES256_GCM,data:XsHHK0gDDDi0Vjxytx64QXtX+CEb6BoPCbfg3TnAnpG6uFaor3/YEJHNnlmguVlThIjbXAf4B1TeJf1Mch95y3iN1EG2iw+ginzejXUFfWPahOOvKnnb+rXSsdiqX3bXKbmcx2IrSINKhQw=,iv:MMccx35r0sQz5irLHmeZLQbAFNZZq49nP7CKmMPLg+w=,tag:xCAKUdgPIpSKky0WTpsqKQ==,type:str]
forwarding-rules: ENC[AES256_GCM,data:+asWXfABR/5PXtPdHUBDdK3JcdQ7WkhF3wj9jjXuEBguR5WK3gEGOuFXU+8+eGAWrotFUdPr0iqsIcgeMdjxJA+gd2NNVdk6C9joemT1kIihYL7O9BRzdZ5lEw093llmrzHsMuLqOfOeNwg=,iv:PKWm/G2F5ngygjeI9gLhiH2p6yRB+LYkybJ9OcJa+jw=,tag:GkaGYKRfUiXk04qAZ7E3Iw==,type:str]
sops:
kms: []
gcp_kms: []
@ -11,59 +11,59 @@ sops:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXb0hRQjJKNEJncWRTUGw5
QjRFSkk4WXVmdG9XNE03V2NYb0pnUCs5QVQ0Ck1aWVVGTmtmQ2pZVUVyRk83WXlI
VkcyTis4UU1SOWdFTGRIOHhYQnhVdjQKLS0tIDRLS0dTNk9mOVByK1BTSm50SUds
eVRPSkdFRGFUaWJZMzFjakt1aXVRYkUKmi3m1Shpz+nMJ0lGZ8/JBJQyZ4y/CWwL
yb2U4SZFEzBsxszKCBl0rk90Hpx7HduS0hDVauhmfWzpYzr55bEh9g==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYU05iQlp3Y1IvR3czdWlm
M05FRDdHQWNDT05oVHpvd2NsL1BaRUdZejMwCjZTdEZiTjYxRnZWVDV2ZG1iSU9K
MEtERFBmZUZ0WnhXcHplbkRpZzZnVzgKLS0tIFdoSERjckVKVndwZmtWUTVUVExS
NmdWMEJEQ1BMZE5rZkpKWkJsbFprWmcK1ySkcnK4NaBc7DrZO61YuWgMSdAWA1nB
5gWOP6adfGvHwbeUVWEvvQlnLLvmLm/sJPgqUSdGFycfLPXMVWeXSQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJSFpKdTVBUUE0UjhRM3hK
NDB5KzNJOWozK3cySEZYbFdJSSsxTWdVWUJJCkJ5WjY4Y0xEY0RPcGplM0xsUWRY
bWZEaFpBMnd6Rll3MVhlNi9pQlA5VGcKLS0tIFlSdVVLTzd5RGlPY2RSN2JRdldN
UFdXSklWd3UwbHZlRVR4RmZ4VzF5aU0KsAwJJimAUcW7pGJfZ5RIHNHQtAwy0HZj
oaaeV704j6VtFUhv2Bcf8OYjA0dH8RIn8psYS0j2WCnNrC19q3Nwrw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpbHdkYWlPVnJoTGFxT04v
MlNSUVBKSTJEWjh6Q1pzeENmOUZhL0NEYkFvCnhRV0ZlTldyT0hpV1RRUlp0T0FB
a1pHbzMwckFFeDMxcUZzNWhBQjZ3YlkKLS0tIERlNEpKK0k5Qi9lVzk3NE95ZUxN
UlJLdCtPdkxUZC9EbURyczE1R3NkSmcKe0wy4vkQcaT6peLp5XNjqutMQu1nLS6Z
gVxf2Pt3sXf8QeSyQzQQ6/5czgw2hFdjv/klh7f9odrQ0a/UqHapzQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5K3Q5VlNZaXVNdklybDF6
QUFuNDZtOFJINzUxdWNLU0YxL3JQT1lJcjFrCnJoZ3Y5NFNMd3grTll2QktIQVhp
Nkc5dU5uVks4MVlRVTM0S1RFVlo0aU0KLS0tIFFpV2w3M2xwU1k1ODVxVU5pMnpE
ZWp5ODJYVkZjekFkSTcvRU45MjZJcTQKCX9kK2wNXJJOLNJnDcvJ5zBumLZeU5Fe
2yUJJFfZe9mkzXz9++muE3LpBh9rlyXvnuOMD+0V3+Tgqbax0tA5qw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjWm1JaVBaaHAzeWV5dFRP
M0t2Z0lFa3dKSm4raVNVcDRGWVJSUHptQ0FRCnBweHh5d0pFZk00cTNiNlc0aFhH
bXlrd3dtTWdhSUZFNE5Tb0ZTY21MS1UKLS0tIFlRczdVdkhkU0xTQkdjUkhldW1R
U2E1b25rWnhDMkJwOUhwbEVVVWtpR00KD1BUYervShefpJEu73LdNb+bAFoVojuI
xXYFkI/IomZCkFVg8h5lCwsHdDmnG4JN0zKbt80GBZ4oz5qpaaqVZg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzcXZVK05oV1BRK3U1dHFp
OVZoTlpDdm52SHFDZ1ZobldKM3IrTi8wYTEwCmhNNFlZc2NNejZwK1FxbEdvMFJC
M09DSFJKK0dyWk1mVXdHZDlnSS85R2cKLS0tIDdkZm1uaXR0U3NOWlJ6WDkrK2Zu
RVZ2UUJ0RWo4UzlsSUhWejZySHFGZmsKOXFJVA3AHLgSyIPEn+RtDo0f2oNBUHuV
pgjTtjD7bsrlCuhH/mMPFCHf7PH8XZA8PMDfU3hNvpVWxOB2io4RvA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHU3VTZ2dSYUM2S3hGaUlE
Tjd6ako4UU5oRnFvMUxKeXpCSWd6MDRTbDJRCjd5U0Q3QUl4ejl0VEJobW5CVzVQ
cG9LUk5WczJXRlBmYXBFRzdFcGp4ZTQKLS0tIHUyZWhKeGtIVzU3R0tzUGZuNnZQ
WDRQS2x0STgrN0lvc29wUnVWN1F5bDgKRixHMNg9boG19t1USNdB/VyL+sTXBjiS
3b4xZ2mFJLBvJYzmWikAHq7vSFDYdttcgQADE26DLJb1JlOxifDVcQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1WUMzeXFmcW5WcFdnOWZI
UDBYZyt4Y0hQRkhCaE9MMVducVBRU2szZENJCkFHNnJCc2Q4RlJlUlpKTnZLM0w2
aTgxeUNCRmpWZ001UVRLNElwcWxUNkkKLS0tIFBFNnVOUldOcUVIVDk1TjgyRGJJ
UlgrT0VwaGJISUxpeUxuS1hiamJsVTAKVZKDd0naQHxadHsd0eRNWqweRb/7z6Q1
Mf3NbnkQOKTMILntxousk8ZszvDQVZ87wyZ3mzmGay1B2B19QrPkGQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvNEdJN0lvTU85dTFUNFlE
RjNhRjRvYjNKQmVLeFRtQXZOT2pNNEI1U1JzCkVkK3hyR3lZWTArVGhBSzJJbnNu
UllPWUllQ0o3S1VHeEV4TTBJZ0d0SGMKLS0tIGgxSnR1NUQ2UFA4ZXJBQnRkK24w
MFRKZXdVN0dHb0xjdm5GUnVMQzdkZW8KTioBz2zJxkLIaPgpYe6yrBm12l6tpo/c
vXRBwHo7GTUt498MZ+zhv75+BVcYqFEXMT6Sr7Eze4fVtShFYC2iDQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1w3jtd4lecn2ng8qxantw33qxl2uasfqfjfpx45u6uweexwtxyq4spwssmh
- recipient: age1jpeh4s553taxkyxhzlshzqjfrtvmmp5lw0hmpgn3mdnmgzku332qe082dl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVb2R2YzV3eHF5UGNPZmE0
MWcyK0NwNFdFVXpzbENFZkM1dDFMbElRUWg4Cm9ORXk5TCtzdXRxcEhQcURmaCtI
R1BRZVE0WHF6THh1VGhUVVEyTFZHemsKLS0tIFpGVFJGZFpSenVLNkloZlhvK0Nz
QThCYlc3N0ZtSnBES2dCWm1PMW42L00KSmKKlPDzs4sUYoVZOzW4pAsbQP4m2gu3
mPTtlyqZrSbhGSgtwEw8C+p+LZOqQXnelkhGb8I759TpR7DASrqP8Q==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwNzEvLzltOHk4SEtPWU83
WjBwWGhadHUzM1REREtVQiszVVRVOEZ6RGpZClcxOTUwbEc3bnZaWEtkR0Rodk5S
VGQ0VnhlYVZ4bFU0cUdieTAxQ1NLR1UKLS0tIG52UlBWMXgzVmtuWnZqOFgyNHl6
b040T2wyTFhuMkd1eEVkdXRuOWNCb2MKstTjjHhENspSzl0IwsG3lWccARz5kl0M
NdVjb/mi4y56bH7ujzqpGlcNe1oSKwkxiFGxPKXwFF8Kpgr95MSkTw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-11T23:56:52Z"
mac: ENC[AES256_GCM,data:z4v5yRXeB/MCa3ltyf9KZl6NEXqsiIfSmEzzZAJRchOreJ1aIjWj2te5DM0n/08iW2ijFi/bekpcsl3U+5UJkwAjA+82zlvRnw91ppmb7mtnojEq25yhpB6tAUXoimLmT21saY3PnrHx/DFeVqg/P6cX/pGo9iGB2izwH7oCfUI=,iv:NDr9ypPZlTXS5npdrRGCwI51zhU0qCkvEUZfx3JxhUU=,tag:v3NLWsekZlxRyLsCCNR/Vw==,type:str]
lastmodified: "2024-04-15T06:36:15Z"
mac: ENC[AES256_GCM,data:UpebeTZNDRyv8Z/4/t8C26D9PVej+2B4Q85CvM/bj3w5+6c3u4knwNFRLufI6y3vVAxjo0OEvdEVZQIziwpdIVpyW/O7g8nmWNGn0iI8VbNsXcqrlG6QVP0dGJqy/7DhJR4VyoMHZSoobxCyg74ZUzrYIjsQCv2NRkaJkP10WP4=,iv:SHZi8pVrySV6BAEQsVmyVyafpfuSjQ2QkJxa2QYTDok=,tag:TrxqyZRMXprhaS4C1L9QPA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -1,7 +1,7 @@
system:
mail:
maddy:
envFile: ENC[AES256_GCM,data:QIP7YvY/kYYkqwxwLsrRC6ptExf2tzw7/+t4fdkyDwOUqWM4dI0TpjKr1LXfASCjHrVwb2a6+iqt7N+9ievD4MsrEEsoRYMYIjOlpsmPiHam85ql5WJlfTbOy91VebN35Q2aThC2NmeGcptJ7UX7cigO2KcmYPa5i4evIE+grruoQhM=,iv:0x8ezgw3xDkhQRYbASpz4IAw4hE7nRzImB/5rrs63Rg=,tag:Azm6Fn1gwLibRh7wjD6rWw==,type:str]
envFile: ENC[AES256_GCM,data:NaSPuxf5PzfOrDfHrdaMdQpkOyrhtjBObyCQ89XBCHyQeWizneznto9/nQ+3n+QoE7NLuI9rKomkoioTZklserbE3EzrwSvoG7L/cF5pq/G5ToxcY2sMuhCuCoZjdj9xD9mq0WLt7azQ9nOGIzaP2EphCPFXNJLZBFjhk52zRY9okqg=,iv:zNFZlUWru4BwQOWTDEv6KDN1K9iKTrl0PvQ+gg/VXXk=,tag:zkfRRe7+x/lpgJ9Yhzj2vw==,type:str]
sops:
kms: []
gcp_kms: []
@ -11,59 +11,59 @@ sops:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEdFBMdFg0aVdXVTFWSHY4
STNQcFM1VnVnNHhkVmhhMGZpb3V0ZnJBOGxzClcyQlBOMXo1UXRTYVkyQ1FxSU52
K0h4SjJCUHdZcS8xQStSTFU3S0trTDAKLS0tIGV3WW8rOE8rSmhLc0MwYW9tVDZO
ZGdpbmovK3NBMms1Yy9WTkk5eE9mem8KXnwaEyS2Ztwd8NVY9R+B70AwMukAeFmf
3Gvj3C57EivrRLDTgot5Sh8TSni5VAlzXJPwwSfgEIiia4qiSUkkXg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaRzZYckxMUkpSNU1jQmhv
RjV1MlpTMGhZT2I4b0VYNDNZZEIxbHVIZjMwCldjZHRrSUNhK2NtOTFnMVlQWjJ0
ejVXMWxxQnNFb1ZVRUl5ZXcwWmY5VDQKLS0tIER3em9OVTRRMUQ3eGNLM2kwYm9E
MmdqMjBpYnIvSlVyV3EvbU5RMmNrRkkK71rsp/TVbkVchu1gBMztRzcaLYG6Xrvv
5NeKmrctU7GzaMCtMDWx6AcApNKt/1LamRZ2wElSCytuMy+jIRMP7w==
-----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6YnlzaXRjMElRM1djdkNx
UmprK3N2UmxyL295UmhoRC9DS2FvNGk4eEU4CkdiK0xVWWt6dWJEcHpjSHQ4elpq
WHJhazhveUgxUW1ObWRmaTE4N1ZUMkUKLS0tIDVYekQ0OE1vSVl4YVFmZTV2VEl0
amQ4NnU3WFRyc0FBTUk2NmZqdm9haVEKZ67m9O3CLBrF0U2q/1x1KQYx1gxs747t
KDNfjNXQgIx3VI6xgIVOflzK4vePUWWQ4OMr3M5h5qSCKmHImIMCvQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvNFBLelY0TkliT1p0L1h2
ekdlM3pvMWdBVVNRNWdXZHlwL1JXM0RTbGo4CnVBbUR1VUpMRytLVDBjL0FxcHIr
cU9QRE5lYUNmZjJqM290SW10K09uZHcKLS0tIHg1VmtvaEYwTGZEN2E1czBNaExN
bC9EZ1hKa0VrYnB2b2s5dktBRnpwQzgK9zz2Q270y1SVpx5Ao4/XVusRqfWnn9+j
D6I8qHJA3uYOhEBdGClkBZiwbgCh0ww2EOZv30PmbHtUy8K8MLB1+A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMbUh2TFR5c3d6MWdmeHBr
QjNpN1EyZTFINVc3b0xaMHB4dzdoWUVzUkJBCnBYKzhNRHF0L3JiSlpaM09STlg2
V0RiYTRWUDhPV0xVK3d0VFFVeWZzemMKLS0tIE9kMys2QlZ5VFc1UnI5RTdSdVRX
dmNZL3IrSFRSQXFnTTBzMVEwMVg3UlEKxf+eHlF4Lq5XbnT89fel8+332gYNKv0O
toOh5OJvN591LAk/NFy32BYXuxL1Fj3AE6wFvpx5Bkl5UYrWmwbHjw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPRG9UUUkwM1N0SVJYUFV3
dWViNjg5elFja2dibm1rUGlHalR1Q2MyUVU0CjlvalZGSGs4bTBBQXROL1REeDM4
d3dBN3llZUsrd1VseW1LSmQrRWJ1ZXcKLS0tIEVWVnltMkVIQ2xQMGtQYnBmUmpB
aXNPaHRQUUVRYXJBdFlJSmVFL3Q1MnMKZ2TMq99uVFic9g0pMhTYrZCkaTB3NZ6i
jeQS7f0ikATurSr56MJcz1i3wwgfruo9SS8spRnK1+pKMxq+CsU3Ng==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBON25iQlpWK290UkxHK0Fr
dWxCRnd5bEsxL0F1Q0NWd0NCV0ZJeFlXaUhNClVVTFhsZzIvRk5vQXpaSDdOT0VN
UDFTTGF1N1VMU3g5ZTVUWStmRGtLQjQKLS0tIHV3ZkpnbHcwai84NS8xaVAwUG1G
TzlsSkdWZUF5TnNMRXFKL3dXN1Z6QzQK8JCT3nzdHwkpoQE3tvSPSzoRYd/gwdpr
63jF28zhmEY8hoMxof6rfiqk9souAobIzwbnfW/CkF86L5iS/1iepQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDK1FHNGk4YnAxQ3RMZXBw
NVg1aG95MzV5blJpYmZDaklMcmZCTVRiSVFrCktEenBQSEdaQU4vQWlnazlRSko0
dTFvNXl3TVR5dEJ4dmhaK085Rkw1Y28KLS0tIEg0ajRlUmlXajhmWFJELytLcTcw
ZDkyWEpXNTFkN0NHQXlXcm5qM3JveGsKvZovxyg/qG10UbELb6s2Is4vuxjTNPf8
28jD2axQfs4IxYdwDfybjgiIvZN5NyZ8cE/eSsiOJdm2cUxEQLSLXg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHSzdsa3Q0SUQ1RDBsN2s0
bnBPM0dwUFRoalVqS2d1bVVQbUNOaVh6M21jCm9VYlRydlZtV3MwZ1BPR2g4dThu
TW5hZHYyc1VFOW1YSURRN0RiRFJyR2sKLS0tIGF4NkZmQ1F0WTcwaFB0d3c1V0Zv
Ynduc3pCcEVhQmdoZWZvZDg2NXRWWHcK884kU6xQiLuJ8foQY2rdZHEWzqGo1FGd
/Xfj8A7EGJWOSdi/n4dJZ6AWB7Z6rPAAzNBr4Her1yckG7JVxv4Oww==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBObkxxQkpsRGtTVWNpck51
UUlHUzFNY3RDZnpYcFVHWHV1MlBGQjUzQjBzCjFLOU03bDR0cjlST25nd1VudmYr
aTRhaEdSdFpyZmR5d1pSUW95RXgyWjgKLS0tIGQvdEVRZDZORzhIYTFPbU9RRTNi
elUxTUMvV3dKUTlIWG1YdW5Qbms1SUEKEW0xqUEwitR0+4Rx9HcjAFx5lcCpAckb
2oAj6fvFH4kEPzaL+m4R81YRDnJv4mrcZ6wGHGwMQJoNPtuaLsak0w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1w3jtd4lecn2ng8qxantw33qxl2uasfqfjfpx45u6uweexwtxyq4spwssmh
- recipient: age1jpeh4s553taxkyxhzlshzqjfrtvmmp5lw0hmpgn3mdnmgzku332qe082dl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxa1RkMmtaS0pSOGU0bWJN
R283VWU1cSs2eGF3dkJVejI2RUhManJMRUNJCkpRV2NCYklzeVdYZ3VySzZ6MjBq
QTlpRWRDTUx2YjZIREhyb2pMcmFKeEkKLS0tIEtNKy9DQjJBa0VZeGxpUzI4TlJl
THlORDQwdXJ3RGZmVTFtaWNlODhVYzAKKDvNETiOrLrrE6eiYM45c7JRa3UCx1iF
soxcSqU7iKhr+bvo2X8idMQlwS9EhkPerFMWcON7ubcW4IznSMCXhQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrb1JmZ0RjSUxFWERSZWl2
UThsM0F1M2c2bG5hbVkxYkI0bFYxYkR5T2xzCkxvRStjUmc1bmxwUDk5c0xOZ3lP
K0s2dVdyUTVsOExVNWhSUWdJTU1vRUEKLS0tIGgyMjVHR0FsSzJrSlc4cmtsNEFJ
SDFBY2hpS2tYRjJrZmE1Q05mclFQYVkK24BJZoxm7F2L4xYE6zar0Mw4ZRS+JXyW
2slJVLRUY4llS3y+Acxhif+xGpASGMS0HrBlPjXc/8dk7xnwDTQvKA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-11T11:56:37Z"
mac: ENC[AES256_GCM,data:QmlccYlL5IJD0OJ8CGfpma6fXSsrLISvBIlv8yvCFMitPnrFowWYzwN5EDOFIEGq1bIKef0tygBC2JDua+mH2xK5ZKftC9tTjhavZZpw4w3nWq1PP2zZWuPh2NmoSk1RtpQ760XTs1U+AloTJGIiCIUxhO/OT9fLo8WW2GyMJ1A=,iv:zXfkO1vJc1EtKgOz3Qs8BtwFQPGCvvWzLu60seO04WM=,tag:kzUS6IPrz4I2ke8kVviPgA==,type:str]
lastmodified: "2024-04-15T06:36:15Z"
mac: ENC[AES256_GCM,data:vNYnOvEhIpQ1ufxpLRKa/H1duYNDzKHY8vykpJy/4cwFLrMVy8UfTf4HdZe+kTja3WxfKEkigFZ6KOJC2HKPnQFX08yH8W6TznlU3t2q02SAXdEp8ycEoWsn8gvIGQqiJICR0Scb6M6guaP/y2n2DoPfS7vmIPpGdHIatW+crqk=,iv:C0y3+j+Nxj0NGlL3y/54/AijGo0tDC7USoDlzijmLzQ=,tag:5powWCaUDxOhhyy8FqLDfg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -0,0 +1,21 @@
{ lib
, config
, pkgs
, ...
}:
with lib;
let
cfg = config.mySystem.services.powerdns;
in
{
options.mySystem.services.powerdns.enable = mkEnableOption "powerdns";
config = mkIf cfg.enable {
services.powerdns = {
enable = true;
};
};
}
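Review bot: The module sets only `services.powerdns.enable = true;`, so the listen address and backend are left to the package defaults; PowerDNS binds all interfaces on port 53 unless told otherwise, which would also collide with the BIND instance configured elsewhere in this commit if both run on one host (not visible from here). Pin the listener in the same attrset, for example `extraConfig = "local-address=127.0.0.1";` (sample value, and note that setting `extraConfig` replaces the NixOS default for that option), or expose it as a module option. `pkgs` is taken as an argument but not used in the visible lines.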


@ -8,31 +8,84 @@ let
cfg = config.mySystem.system.resticBackup;
in
{
options.mySystem.system.resticBackup.local = {
enable = mkEnableOption "Local backups" // { default = true; };
location = mkOption
{
type = types.str;
description = "Location for local backups";
default = "";
};
};
options.mySystem.resticBackup.remote = {
enable = mkEnableOption "remote backups";
location = mkOption
{
type = types.str;
description = "Location for remote backups";
default = "";
};
options.mySystem.system.resticBackup = {
local = {
enable = mkEnableOption "Local backups" // { default = true; };
location = mkOption
{
type = types.str;
description = "Location for local backups";
default = "";
};
};
remote = {
enable = mkEnableOption "Remote backups" // { default = true; };
location = mkOption
{
type = types.str;
description = "Location for remote backups";
default = "";
};
};
};
config = mkIf (cfg.local.enable or cfg.remote.enable) {
sops.secrets."services/restic/password" = {
sopsFile = ./secrets.sops.yaml;
owner = "kah";
group = "kah";
config = {
# Warn if backups are disable and machine isnt a dev box
warnings = [
(mkIf (!cfg.local.enable && config.mySystem.purpose != "Development") "WARNING: Local backups are disabled!")
(mkIf (!cfg.remote.enable && config.mySystem.purpose != "Development") "WARNING: Remote backups are disabled!")
];
sops.secrets = mkIf (cfg.local.enable || cfg.remote.enable) {
"services/restic/password" = {
sopsFile = ./secrets.sops.yaml;
owner = "kah";
group = "kah";
};
"services/restic/env" = {
sopsFile = ./secrets.sops.yaml;
owner = "kah";
group = "kah";
};
};
# useful commands:
# view snapshots - zfs list -t snapshot
# below takes a snapshot of the zfs persist volume
# ready for restic syncs
# essentially its a nightly rotation of atomic state at 2am.
# this is the safest option, as if you run restic
# on live services/databases/etc, you will have
# a bad day when you try and restore
# (backing up a in-use file can and will cause corruption)
# ref: https://cyounkins.medium.com/correct-backups-require-filesystem-snapshots-23062e2e7a15
systemd = mkIf (cfg.local.enable || cfg.remote.enable) {
timers.restic_nightly_snapshot = {
description = "Nightly ZFS snapshot timer";
wantedBy = [ "timers.target" ];
partOf = [ "restic_nightly_snapshot.service" ];
timerConfig.OnCalendar = "2:00";
timerConfig.Persistent = "true";
};
services.restic_nightly_snapshot = {
description = "Nightly ZFS snapshot for Restic";
path = with pkgs; [ zfs ];
serviceConfig.Type = "simple";
script = ''
zfs destroy rpool/safe/persist@restic_nightly_snap || true && \
zfs snapshot rpool/safe/persist@restic_nightly_snap
'';
};
};
};
}
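Review bot: Nothing orders the restic jobs after `restic_nightly_snapshot`: the snapshot timer fires at `2:00` and the restic timers built by `mkRestic` at `02:05`, both with `Persistent`, so after downtime they can all start together at boot and restic may read `.zfs/snapshot/restic_nightly_snap` while it is being destroyed and recreated. In addition `zfs destroy … || true` hides a failed destroy; the following `zfs snapshot` then fails because the name already exists, and the backups quietly keep using the previous night's snapshot. Set `serviceConfig.Type = "oneshot";` and have the generated restic services declare `after` and `requires` on `restic_nightly_snapshot.service`, so a backup only runs once a fresh snapshot exists. The dataset `rpool/safe/persist` is also hard-coded in the script while the restic paths are built from `config.mySystem.persistentFolder`; deriving both from one option would keep them in step.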


@ -1,6 +1,8 @@
services:
restic:
password: ENC[AES256_GCM,data:gq4WW/IwIYQ=,iv:jVVSGQhUhAOOv7tTHOxJgYiw8e9Jfgeg8veeirn4510=,tag:eJPAgiYbTPfW7gnuvCv7JQ==,type:str]
password: ENC[AES256_GCM,data:2SKwstsawlM=,iv:/09fCnQm+2p+n/dmHTiZ4ZZO6Wy41DEJGdsDnIBKOBY=,tag:J4cgLGzDzQeDYZCeJwDtPw==,type:str]
repository: ENC[AES256_GCM,data:IzQGzl/ldZnSLT5qVY8JSYNzVy8ceIeO6CkrPyUUj9z1U8K+rcDJAF/CpVPG9jlf0Zla9a+kh4ryP3PAQ+trAUmO2rg2H60Ps/PoNPPD2urc,iv:8w2D4B/CjolnEw6v/XYBiujDfqQRa5aa/tJwXD5B6aw=,tag:tDm9oodDieyOJR3ICRcmeA==,type:str]
env: ENC[AES256_GCM,data:Riy/EpztAUvGw7EufBfU/+/gHFFnNVa73GvZyphsW8pzqpXJI1hkjdrVt9xsGWpwJ8smzVBvdZGcTtklqyUVduY5IzC5uCzMFpf4XGu1HHSmmsoOMYYCYhd9eYDMcxyG3EQUfNSDQcbZq5MmBjII72NVRFcn9qy4cYTtwbi2pFa7qgixk2eJTis=,iv:caLrFMMcV4WvA6/cXSHbBZYWqYQyN48m46nvncahU8I=,tag:QxE7uTe0+ybS7SWfkXkYWQ==,type:str]
sops:
kms: []
gcp_kms: []
@ -10,59 +12,59 @@ sops:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKYnpDMGhaM1FvUjFDazNk
QkNCbnhmSFludTFYU2l0WDZaOFhsZ2lCT2kwClNoSDNvaXNydmxubm5ZbUZZNW9W
cmJVOWtHdjBvcXBuNTdwSXV6NUo4WDAKLS0tIDZzdk9YTGNyS3gyV21hRXo5WVhW
aTRyVmdlYVVGbHJjL1BGdWxqNkxQWHMK29GOjS0tCNOECToZPSUZeyt/cElsynqy
Ky1ByYdCkYZ+3IiCFjN2fChA58khWg3mRUuSpYrTZKIcdBFw6oKfhA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUMGw1SVJRcmFEVEJwbzBY
TERnb3p6UlB6L3B6aGgrZ0ZQdmZPZjl4TUJnClhPWG56c1k1TVlCOHRIR010dWVT
bzdtaEhwQUZtZlV3aTBQbFN4ZlpYZ2cKLS0tIDJtMXBIbnZMOEpTS1BNemJmTnVh
OVlwMWQ0VU5OVi9ZZm1ERzcycTVISGcKqccg1LvWhgjLkqIKn+qmtUw/RCZUxIZP
WwFiA8F19C0SRQ8X+q5vFYG1L9uFP4wGCE9tP1BndY/8IplwohGSpA==
-----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYQXdQcGE3anREVHFuMTh1
enI0OHVYRDllYVdQNGllTnAyZ1lOU2RrMnk4CnNQUWt2ZUZsd25YWmdKcC9UNHJu
V2FZRURibS8yd0ZQZnFaYUhFWVVUdVEKLS0tIGNyTjVJRWo2ODFZUmhTRzJxdWZ0
Y3N6V0ZXRFZpUG5ablhKM29ma2ZOMFEKpCHKEiEx8lGNs9WufBZ1zyajgyBm2hWV
DW9Z6FB/Y0pvPLs3tF05qQEQ3LVjcLJ3lJ4fcrbqspNhcfV5vN6sZA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5U0xIOWpCa2oyOUxTMDdt
NGdNdi9QQnVWWXNGN21pTlJQSkhpWXdPdjJ3Ck5CcFIwUVVQYnFCMmVYYk04VW5K
L2FtdXdxbEV1MVdVY1hKRHlCVHFITncKLS0tIExPeTNJNi93NExlTW1RaXBiSFVr
MWc1UUt2L2FSRGxyQnBQZDFhSU1SYlUKCVHYwQcgTDS0jOmtjwKuz0ScPRQEMXoE
u+0MOSi4681hSXbG+sUShQ3ZQAqPK6NkiVr5cg37ci69R3wGUicMug==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhSGloUkI3UnY3S010MlI3
UWwyc1I2SmZEdWhWVVlsYysrMDIxdzZaQW5vCjJ1WWlVZ0xRWmMxTGh2S1k1MkVE
UTJJWlBvR1R6V1RXcjlSbm4rQmFZcTgKLS0tIDAzRUtNenB1cW10ZFdMY285aVFZ
MjVZOWM3SFkvMUtoTEZGZkx4V1ZEcFUK2tDvX173EYvGqLxfsKxrKVv8BDorYJk4
etatqb+5KQnEYFgxY3qY4nMdsir74VqdHKkg9rP0/eUbNL0exBTjFA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGcVFZQi96eHBSSkxLUmtO
VEZ5QmNLaHNDaTZick1TM3RNeHFKV3lYc0NRCnpEblNJTW14N05oNWtmL05DZVlW
bExTaVl2Yy9UV2lWM1Zuei9KOHAvdEkKLS0tIDMvZGNvR0pzY1YzaDl5TWZZNE5I
bVlTNmNGSlMwaitZc2Z2OFdGU1NUTW8Kp8uFin0TRg+/i0+pthiBVW+aKQ+tZ3P+
WqygYHM586cJcPz6veLcK8Icb+WP3/UC9VyUSTHb8oD14IUMs1jo8w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpUzlLNVhaMW94YjI5TU5k
S2ZIRVBxRVBUT1Jta3hydndUVzZxbDA4ZldzClUzMUJWQ2JWZk9kQU5LVVRJNWlT
U0p5ZnphelExSXU4MHh2d3RxNVo5WmsKLS0tIDNHSC9tM3FaRTYybmJtWUxFYVpD
ZU9GTUVpSGVzOWZuZWZTZjR1NWFVY2MKy1od9yzs5BJJF/b5TPsqn5ZGWAVdt6nz
lX1owv3vRz9VBjOi9omDKbnSPViOBk8C2+5as52nUdWO/xTsNgO1+A==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUNDZDeWNpcFl5dVg0dnoz
VDMxUFM1V2N6QUhpalBkU0NOVDVuZkR0d3pnCkJmQ3h6c21ZRUgyMUNvYTQxOFlX
LzlqMzM2eTJHTnFRMHdQVi9iclBISmMKLS0tIDBFSWUwS0UyWWhUcWxSNXIvakNz
TGRYN2N1OTdHeGtqMnZiSElleTc0T1kK5BYxEgbaeo/MwLQNXkQRitT8ocgTrEVD
VdqGTlPwNMWP9dA7JPTd2f+kwr7yDGG7FZUS95ZEVQ+euMYE+6MWNQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKMVU0UHZMdVJXRW5uMkVz
OU9PbzZRRW1aanB3b0xLK1ZsYjZGbElqQm13CjRrbUVxamhvMUdGb1FBU2VyNDl1
RmNESmNIYWRaYTBpSnZmQ1dYc1NycHMKLS0tIDlmUFZqKzdETUNrWk1qUkM0NUdo
eTBWa1kvUjArK2lEbTJtTm4xQUpGTWcKbpujwUOxwcghfWbP9XWHzfhfGtQhjC63
qnZJSKGoFT/DxJiGaF70gQk+Gn+db1MaPKZzQ492lqCSX+T22z7+oQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0ODRhZTI3bFhaMHdvQ2Uw
eUZOWDJyWFoyWjBxcTZCUkkyM1pTbnBZbTJJCmRoeDgvRTUwb1pMVCsrMGZlU2dF
YURsV3ZBMmF6a0hmakNadU11ZGFoNlEKLS0tIFFyMmZHTlJ1UWtwRnBXbW8wZml2
d3ppbFZScS9vaVhDYjQyRnZYaldOckkKiVqc1Q10ypwk2VxVwRyJ908L4OhZirMI
gmc8AocV2oQwgjWp9K/U/XVrKyqq1SjZPcTGsgls8DFy/4hM6Tc3uw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1w3jtd4lecn2ng8qxantw33qxl2uasfqfjfpx45u6uweexwtxyq4spwssmh
- recipient: age1jpeh4s553taxkyxhzlshzqjfrtvmmp5lw0hmpgn3mdnmgzku332qe082dl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHZkJsK1ZXRGo3NVVPaktD
M3JHVTByYzlOcGtXTklKSSswNlM2R0E4OFJJCk9ab21TbWJORTJuZHZxcVJrUVZw
cDNPb25EQmEzRFRXOE9CUG12UzJQYjAKLS0tIG4rWHY5SjBZNW5qb1kyVGNXN1ls
SDNRdTJlL0p5UmREU1ExVm9Nay9laE0KPidvFK33/M1v1/62g3/nO6DdHaM7od3F
mXCwxArAEZo738AM88Si9xJAyvXNI2yc+cOJzijtXrUBgvmE8DdoIA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0UGpjak9Yd1ZOL0x0OUlJ
a0R6N0VVWHhRUjNhdlExNmZnNFJkbU0za2tBCjdJTVJwZDYzemd4c09TZTlXUGFr
MDhzVG9qZTV3dDRnTUo0dmErRjJHQUkKLS0tIHlzdnlKTnFoZ0JWQkJaYTlOdDNG
OVdKZTUwVEtlTGtGbFFLRlp1eS9ZS0kKZTZPjYzlMjx+Pv2BTL4AhjfOjtdq3PuJ
6cE/adCo9nPJLoZrWuXCqUje4fsAfH1pstShyOBf3O6daG5w2k9qkw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-13T09:09:34Z"
mac: ENC[AES256_GCM,data:VOB3F3+ssvI+2EucvZ+LX1Hl+702vhB5RVSVeSzQbgmnN+zwuYLksO4rdgOpegPGlENcj5M2CzyRqsiGhyuy9THm/u09Ac2PbPEfWGm72pzuSMPymZQrUJmZDU/Gl0IlIfxQGGOfFdaVnzVl4ynIZuseJDjOZP9ymT8G8/ewSYY=,iv:Czjr4i9JuIO+2Ftl3ENE/XAzsca9rfYCvgy+tggMihY=,tag:4BlY8d29AUh4FluA6eUNeg==,type:str]
lastmodified: "2024-04-15T06:36:15Z"
mac: ENC[AES256_GCM,data:U1qcGw8jMdJxuARQzmV1OywQoO6y3uUy46wwWnqerXsmOVQxy86/FWHP6embT00xzn/WjZNywqoiF9PlR2c9dw9usA/qHa679rkQ24xeN8Kj6GBil8WG+Z0y8NowXGY/3xqJHNZ6lsEjV8g/0TWRPVTe8XdryDoxdw7uWFk4h84=,iv:7NiANxV9y+/v6/77z06bEwrZAZRhAQ2F+Td1I6kXO1c=,tag:0OgqqX0MwewveOGKkgHdJg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -1,8 +1,8 @@
system:
services:
#ENC[AES256_GCM,data:XPfrPhKBn7rS7oL1ob3KqOuGprzSsdfnEKHm8ep6Lr2qWgKUpnLyiOqkPapooPO0E2RnHXDv1GeLpl6+NbHQRWUCcfP0ypEko0ZZPw==,iv:R/sUawRMIts93Gdz8dRBJz7VWdK3nFXQfaGk+rWXK2c=,tag:xwONcjRqD05CiSyg8u7Yvw==,type:comment]
#ENC[AES256_GCM,data:ig832PtvXK2tqQLw9C2AbtNPK5JnaAZ3SB8gQzfagtnc/60NG2/R7kGTi0dt1/BGGy5GxaPmrarJ/egix2D0J4sHBNs+IE+HoaEQLQ==,iv:CqZ/xQj1ayLwR8yWFpjpszn6WjKFnlH9BKgPidz9DQs=,tag:GVI7/X0h4fC3HqQ6WALpzw==,type:comment]
traefik:
apiTokenFile: ENC[AES256_GCM,data:qFz1VRqM6Jfu33ImmglKp2L1WihYbZE86zx0BuXvgUSLrHodcgQ8ft8vpy0ur+I8I0i2/HLNKSrdz9bAdfDWdqqBpLwQA5SSu3pod/pxXTMvVEqZqYGwvXD24SifSHLKLA==,iv:YXah2ezPGDVJ9FWL5TJdqIT/ZPSEW6MxlKSqb33MNzE=,tag:UjJOl0g1UltdGicLDxqJQA==,type:str]
apiTokenFile: ENC[AES256_GCM,data:NPmV586NTWCO1pntbqHZ8BinJ6Qk/WiwD6H9YVcyv+rDOc6lLkNm/vodV8RoYTtE+QF2/Ozcaqs5UkzyNNt6kgC3hHJNHcHoH7xaqLX/M8lNuTWwhwGigfb8ZjS0yx+jSg==,iv:agGj/FI/BwJ3loD/PqGuRT1jgIYoE4fqv6BMdBJ1Ch0=,tag:dPk71zXp+1rV/R7G1Zpwiw==,type:str]
sops:
kms: []
gcp_kms: []
@ -12,59 +12,59 @@ sops:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVME1FckowdTFIaFByNFk4
cHM4WnprZk55WUdlcUlkcSsxQXIrRjloTXhJCm1GMWw4UGU4WnpaQmUycUxCci9i
WmtmbzdPSTZ5Q2l6QTZVdHkxajlpTE0KLS0tIDVxQ1ZMaFlSS3d0akQ1UDM5TFJG
T096em14d1FRUjF3dm85MkthRVh6UnMKelOf2qNobndcxX5QR+iTt4sSIsngRbvj
wy6W5s53x2bqe4K21RSNhAUkUO3AshotN/caiYKzYx/kBZk2kRcVXw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1OERwMmdQZ0xWY0xqSFhu
U1pHRjJSbWsyRmgzUFdjVE84V0tPQXRQWURjCkJtM1VwZHo2cmpyNTdOYmh6c0VO
MzJIOERQeC9IUTFoY0w5a1g1aTdyYlEKLS0tIDNid1ExOVhCcFo5b0dOWUxHOElE
T2U5U0ZTMVZvaC9Dd0RjTXRaN1ZGNTAKvQahfr4FGBpHZ3REaG742Q0mnUe1JCwl
TXRMJ3qWnpwk465R++g9BIJxkjW+GPCad0ZYCYqVhoFS4etmVqVXkg==
-----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwTHczMFY1Rm5IQlV0TTJV
Sk5lKyswTlBteVZRRVE0TWY2Zm5uNXFjalNZCmVVU3FQZENSOUNtb0FGbEtqSmtG
SnYyNEgyeDIvaW94U0wyV2dFd3g2VFUKLS0tIDN0Vmg2RjNkanp4b2wvK1RVbTU1
ZzQ4Q2VLNXI0M3hXL1pyV2gvbzhuUTgK4MjauT0PDEBn9HJicK3J8FXamsoSdqGA
5F0E6ettiC80jYV7Cp48cyQ1vo18glFSvQ1IrJ1x0z5Oznr+ZPXK2g==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiV2hIMStCM0J5V2pZZy9I
NWlPczBBMjVxY2RMR3FrSnR2TzQ5NVJkakZjCmxvZ0hsK1lpaDlUYlVrR1NQSXVv
ME0rMnozYUExN09SUzBzUFlNbHZMcXMKLS0tIFd4VHdJcStJZTBxYWVoaU1FenVh
QWdhelhBQ3pIR09kY1VMY0IzSUYxelUKCV4gHAq3zyM4Z21ZoObPm+VaoaOVLfVB
AsJtfwjor2x0KWNCmn8WlQ47fgCkiK6lCkKbliR6QviAL8dtTmlL6Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDOFpvYnRWY2F1bTAvbmpC
SEh2SmhaeEVEK2ZLbzBPeE1YVlkxM1FlQTBRClRNRWNZQ3BZcVE0VTF0bDUwWk1k
Q1l5RWtYSy93V09EeGUxcVBzOVd0eDAKLS0tIDd3QlBQcHovWDlsdEg3eDlmVWtn
OUhNMWxENzhqNmdaZTFkQWNVM3I0cW8KKeEKoG+e+rClRk8bWWtdGEjcyYiIPF3u
24flOm0iStrfy4b0Cf33sTzozFR6cdG3DZ1bqQLR3rwKAh9XdWbAhg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTMFRrb0piUVNaam5aeG12
eDFHeXNsTUFQQm1sSmF6VkVOSi9hL0RBYml3CkhVYUxpaUlvakhHV0UrY3VnU3Nh
b3hKdHNMVHo2cUgzcXVjdnVRY2EyNlkKLS0tIEw5UnZLZ2dmZ2VQV2MwTDVXKzc0
NUQrUkxoR3MwUEpRLzZONmpNT2UvZG8KCp00YqFS9OD5PUA17UbknOLUd/HWmpoA
GrE7uAFUoOf2l36UpNSlX8NENOAnNrptTMxTkWKsMVur80Bt6hxZYA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjakxOcDBvcm05ckYzekIw
Mm54a1k2U0Q3SkNtWVpqNGlnOWprK21lbVFnCnNZa0FReG54MFhPQVJESmM5eklS
Zlpxeml3QnZVY2V1U1VRRXJsd05jajgKLS0tIGYxTjZkNk40eG91aHZOa1AvWHl5
L2JqS0FjVzF1a1dZb29lM2dIVitiVWcKtyN9D5aqvwr5wKI7cZ+6ARZ2ntFN77bb
xRS99lmHiOzEHoDK7KaU0trdeCLiUCGdVUye8RgPbe/SUXa8Nb36pw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGZUhyWUZJV2FPdjhrNHVQ
N3hlNGZaaXJjbGtjNmtaWE51S1RETlVHUlY4Cm1hL0NjdGxWbyt3YlBPR1JWbUdt
OGF3eEwrMXFEdXdLaEZBUXRKdXN3WU0KLS0tIGtBM2JNY2NlZnBpdFh6L25QK29Z
eXdUZlE1Zkxab0tkODFYSFRoYzZwbk0KFMY2z2I7Dry1AU9bDmmqfIX1U8iZwkvE
SZ90PAWg2anSKDNRC76H2RurwnM60i453YDBYOTpdBighLYHuMWP2g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWWERTcWZNZlM2Wm10aUps
dGQ5eEFVTkVBYVJCdlN5WFZKUUI4MzBwL1I0CnAxbUNocHFCZFZHRnVmbzhwd0xY
aGcyelVJREh5MzBSUXNKaklXdGRFb1kKLS0tIFRvLzhsNFNvNGVvZWFPVXVFTC9H
NGQ5ZTk2dFVKNGdiQTJaNjZtR0d3YjgKz2AluV3wR0Cz7bJEXAUqBwHbdk7zmD5P
nux9nLQfoD9YDfbp2DIBDktHPL5KjY5H4/zn+Obo3fPeq+PrZMNZZw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsYlVveFRrZEErUGo1R0Ja
ZU5keFJZcEw4aGVic292RnhyYlBrV3lsV0RjCjlGRU4xSGZpRzNON3VncEl3aTZr
NnVWdUkrWlY0UVh2eG1kQmxHdDlHZjQKLS0tIHYyMk1tRTRkMFA5WDgyZXVTZUFh
cTM5WncwekN0YTh0SlB3NmQyd0lmbmcKf355+V5bKlNwS9wPl2wq3SUNi6+xDFu2
UJ+0Uqk6S43L3964PFENGWsymmKS4DfP6OotX466k3BM4/jT32pmdg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1w3jtd4lecn2ng8qxantw33qxl2uasfqfjfpx45u6uweexwtxyq4spwssmh
- recipient: age1jpeh4s553taxkyxhzlshzqjfrtvmmp5lw0hmpgn3mdnmgzku332qe082dl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5WDhQckJCdW1tTXBEalE5
VTJNL3dJWlIzMm9LTjVaUFl3SlNNVERwM3lRCmhCT25UWkxCYkdUNytjUjZCVWF2
NjY5ZU5xWkxRZ2tIUzRNTzl4Mk5RK3cKLS0tIGxJamh0SnJIZWIxTjZzSEtHaXdy
M1V2S01iclNnMzZta2lYY29HM1dMVXMK6omDe7Pgb57Q/zA6KUQV3mt/QQN3NlUZ
QESTtrrtDveuK/GBeiTQZpOdetYja3V2UHnePR5IHuMw3QexIKUlKw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHQXp1eDM4eHFDeXUwR2Y0
SnUxakdqZWZzK29xT1lVeXozT0N2UHBwRFc0ClQvU2cvL3MvVHUvQXNsR0tENWRm
WkJRQW5GMmlQdzRBQkkyamMzZXMrM2sKLS0tIHFtZXRkVExVWnBGcVZValFreUFY
NzZtTzBuS2lYR2hOUzVmcVovQlJSOVUKnyI5GF6cHeQUQ9rftfQCObESLNds09dE
lZXG3k1bUecsV6H0vExHzc9ZMYDw4Iz1YamS9KuzePCU2j9hCboMEQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-11T11:56:37Z"
mac: ENC[AES256_GCM,data:ZIOBc6KR2K5ttfx3EvZTL4Iod8aJCxHB90g+5cIMG0Cx5X6sf9RNVznab7/fTuCDcqEzG9KOrWhaSI1fx8NN1xbNY3GZ3iKFa8NEXlg6mO+7Kyir9GPBQaRTjCAUVKQnCukEq/50KPQsFRETyx4lOt9VFnd1GXpc1QgIXg8jnaQ=,iv:+TQstFomD658x6QYyY49Y7y2CduD16Bl8uhcIW09g6Y=,tag:bcfwfk3xfQsXom44OJq81g==,type:str]
lastmodified: "2024-04-15T06:36:15Z"
mac: ENC[AES256_GCM,data:klTr+hWUvdrJLcWPrSSvdz4Q9dspXmD9FTCUVfhbs+LfWYvk9dY0LaKb+3pMknWztyWBXqyLAvQ7sHgfXwUzagLuExHLNdFNYUk9egup55wsQvnxy/9WF7qlpvjLz0tBGMtLnHONo63z2ose3sbJoWuJvKurqVI9ozqmQa8S+7M=,iv:MJihHHTtvUA+yr2caVZjmxhJU1+IKhM77tg9GUXzb/8=,tag:7lpoz8E1gvdjKbPhDL73iQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1
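Review bot: One age recipient is swapped in this file (the page prints `age1w3jtd4lecn2ng8qxantw33qxl2uasfqfjfpx45u6uweexwtxyq4spwssmh` and `age1jpeh4s553taxkyxhzlshzqjfrtvmmp5lw0hmpgn3mdnmgzku332qe082dl` on adjacent lines), and the same swap appears in the other secrets file later in this commit, but earlier revisions stay decryptable with the outgoing key. If that key was dropped because it is no longer trusted, the values themselves (`apiTokenFile` here, `truxnell-password` and the Pushover keys in the other file) need rotating at their source, because re-encrypting does not protect what is already in history. Nothing in the diff shows whether that was done.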


@ -9,5 +9,6 @@
./nfs
./motd
./pushover
./technitium-dns
];
}


@ -32,16 +32,26 @@ let
upMins=$((uptime/60%60))
upSecs=$((uptime%60))
printf "$BOLD Welcome to $(hostname)!$ENDCOLOR\n"
figlet "$(hostname)" | lolcat -f
printf "$BOLD %-20s$ENDCOLOR %s\n" "Role:" "${config.mySystem.purpose}"
printf "\n"
${lib.strings.concatStrings (lib.lists.forEach cfg.networkInterfaces (x: "printf \"$BOLD * %-20s$ENDCOLOR %s\\n\" \"IPv4 ${x}\" \"$(ip -4 addr show ${x} | grep -oP '(?<=inet\\s)\\d+(\\.\\d+){3}')\"\n"))}
printf "$BOLD * %-20s$ENDCOLOR %s\n" "Release" "$PRETTY_NAME"
printf "$BOLD * %-20s$ENDCOLOR %s\n" "Kernel" "$(uname -rs)"
[ -f /var/run/reboot-required ] && printf "$RED * %-20s$ENDCOLOR %s\n" "A reboot is required"
printf "\n"
printf "$BOLD * %-20s$ENDCOLOR %s\n" "CPU usage" "$LOAD1, $LOAD5, $LOAD15 (1, 5, 15 min)"
printf "$BOLD * %-20s$ENDCOLOR %s\n" "Memory" "$MEMORY"
printf "$BOLD * %-20s$ENDCOLOR %s\n" "System uptime" "$upDays days $upHours hours $upMins minutes $upSecs seconds"
printf "\n"
if ! type "$zpool" &> /dev/null; then
printf "$BOLD Zpool status: $ENDCOLOR\n"
zpool status -x | sed -e 's/^/ /'
fi
if ! type "$zpool" &> /dev/null; then
printf "$BOLD Zpool usage: $ENDCOLOR\n"
zpool list -Ho name,cap,size | awk '{ printf("%-10s%+3s used out of %+5s\n", $1, $2, $3); }' | sed -e 's/^/ /'
fi
printf "\n"
printf "$BOLDService status$ENDCOLOR\n"
@ -76,6 +86,8 @@ in
config = lib.mkIf cfg.enable {
environment.systemPackages = [
motd
pkgs.lolcat
pkgs.figlet
];
programs.fish.interactiveShellInit = lib.mkIf config.programs.fish.enable ''
motd
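Review bot: The two `if ! type "$zpool" &> /dev/null; then` guards in the first hunk test a shell variable rather than the command name, and the test is negated. Unless `$zpool` is set in the part of the script outside the hunk, `type ""` fails and the negation makes both branches run on every host, including ones without ZFS. Checking the command itself matches what the headings suggest: `if command -v zpool > /dev/null 2>&1; then`. Both blocks use the same condition and could share one `if`.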


@ -17,9 +17,13 @@ in
);
};
config = mkIf cfg.enable {
config = {
# Warn if backups are disable and machine isnt a dev box
warnings = [
(mkIf (!cfg.enable && config.mySystem.purpose != "Development") "WARNING: Pushover SystemD notifications are disabled!")
];
systemd.services."notify-pushover@" = {
systemd.services."notify-pushover@" = mkIf cfg.enable {
enable = true;
onFailure = lib.mkForce [ ]; # cant refer to itself on failure
description = "Notify on failed unit %i";
@ -32,6 +36,7 @@ in
# Script calls pushover with some deets.
# Here im using the systemd specifier %i passed into the script,
# which I can reference with bash $1.
scriptArgs = "%i %H";
script = ''
${pkgs.curl}/bin/curl --fail -s -o /dev/null \
--form-string "token=$PUSHOVER_API_KEY" \
@ -46,7 +51,6 @@ in
https://api.pushover.net/1/messages.json 2&>1
'';
scriptArgs = "%i %H";
};
};
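Review bot: The curl call in the last hunk ends with `2&>1`, which bash does not read as "stderr to stdout". It passes `2` to curl as an extra argument, and `&>1` sends both streams to a file named `1` in the unit's working directory. The line looks like context that predates this commit, but it is still on the new side; the intended form is `https://api.pushover.net/1/messages.json 2>&1`. The comment added above `warnings` also says "backups" although the message is about Pushover notifications; `# Warn if Pushover notifications are disabled and the machine isn't a dev box` matches the code. The script body continues outside the hunks shown.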


@ -0,0 +1,86 @@
{ lib
, config
, pkgs
, ...
}:
with lib;
let
stateDir = "/var/lib/technitium-dns-server";
cfg = config.mySystem.system.technitium-dns;
in
{
options.mySystem.system.technitium-dns.enable = mkEnableOption "technitium-dns";
config = mkIf cfg.enable {
networking.firewall = {
allowedUDPPorts = [ 53 ];
allowedTCPPorts = [
53
80
443
5380
53443
];
};
systemd.services.technitium-dns-server = {
description = "Technitium DNS Server";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
ExecStart = "${pkgs.unstable.technitium-dns-server}/bin/technitium-dns-server ${stateDir}";
User = "technitiumdns";
Group = "technitiumdns";
StateDirectory = "technitium-dns-server";
WorkingDirectory = stateDir;
BindPaths = stateDir;
Restart = "always";
RestartSec = 10;
TimeoutStopSec = 10;
KillSignal = "SIGINT";
# Harden the service
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX AF_NETLINK";
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
};
};
users = {
users = {
technitiumdns = {
group = "technitiumdns";
isSystemUser = true;
};
};
groups = {
technitiumdns = { };
};
};
};
}
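Review bot: `networking.firewall.allowedTCPPorts` opens 5380 and 53443 on every interface, and these look like the Technitium web console ports (HTTP and HTTPS), so the admin login is reachable from any network the host is attached to. If only a management LAN needs the console, scope those ports to that interface, e.g. `networking.firewall.interfaces."<lan-interface>".allowedTCPPorts = [ 5380 53443 ];`, and keep only the DNS ports in the global list. Ports 80 and 443 are opened too, with nothing saying which feature needs them; a one-line comment per port would make the exposure reviewable. `BindPaths = stateDir;` looks redundant next to `StateDirectory`, which should already make that path writable under `ProtectSystem = "strict"`.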


@ -1,5 +1,6 @@
{ lib
, config
, pkgs
, ...
}:
let
@ -17,12 +18,14 @@ with lib;
};
config = lib.mkIf cfg.enable {
# setup boot
boot = {
supportedFilesystems = [
"zfs"
];
zfs = {
forceImportRoot = false;
forceImportRoot = false; # if stuck on boot, modify grub options , force importing isnt secure
extraPools = cfg.mountPoolsAtBoot;
};
@ -34,6 +37,15 @@ with lib;
trim.enable = true;
};
# Pushover notifications
environment.systemPackages = with pkgs; [
busybox
];
services.zfs.zed.settings = {
ZED_PUSHOVER_TOKEN = "$(${pkgs.busybox}/bin/cat ${config.sops.secrets.pushover-api-key.path})";
ZED_PUSHOVER_USER = "$(${pkgs.busybox}/bin/cat ${config.sops.secrets.pushover-user-key.path})";
};
};
}
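Review bot: `environment.systemPackages = with pkgs; [ busybox ];` in the last hunk puts every busybox applet on the system PATH, although the two ZED settings already call `cat` by absolute store path. The package entry can be dropped, and `${pkgs.coreutils}/bin/cat` would avoid pulling busybox in at all. The settings also reference `config.sops.secrets.pushover-api-key` and `pushover-user-key` unconditionally, so a host that enables this module without declaring those secrets will presumably fail to evaluate. Declaring them in this module, or guarding the block, would make it self-contained. A comment such as `# $(...) is expanded when ZED sources zed.rc, so the keys stay out of the Nix store` would record why the values are written as command substitutions, assuming that is how the rc file is consumed.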


@ -37,6 +37,7 @@ with lib;
shell.fish.enable = true;
# But wont enable plugins globally, leave them for workstations
system.resticBackup.remote.location = "s3:https://f3b4625a2d02b0e6d1dec5a44f427191.r2.cloudflarestorage.com/nixos-restic";
};
environment.systemPackages = with pkgs; [


@ -1,7 +1,9 @@
services:
pushover:
env: ENC[AES256_GCM,data:nkiW4SDRCjmKrXTDSOolV1+WJorodjF+2FvBpXRa7PsXMQM+4pgP1Ll4TRZHkrwJ5hpD0X9hnb1wdVUcm/2DU/o4qkFl/ZUGQIiOZRbyirxINeYq7G/0TWJmtx/vw48L,iv:2pqzQDEfXkkA+GCXdk4+2NFOi3OASFqefzVf0YcWkUc=,tag:tNeYcgfsLAaKGVmOsTLPdg==,type:str]
truxnell-password: ENC[AES256_GCM,data:SQhRB9eQRLbyTF1ebUoGPhWOdfcX3+yMTsIxY+/Tb0dNYAYvFojc+vcULevKS7DteLlRHSOFZS5MaPkgv4+agF8ZCC1Wy6A6KyMd4NGxzt27mE1/tjla2OVIyqoo3ye7hpxLZxW9Feh+Pg==,iv:684OoJRCiLmnfzjijz2CEdFpvlBkGzlTYIpKqbLAgtQ=,tag:5YyHnnX9/i3kp8yZjdP4XQ==,type:str]
env: ENC[AES256_GCM,data:OxFpyEUrGBeeIJU0/m/r4snCuFq4N3EAQ2KGReEgSDZvlTro8xyTpbypzXxFHJIYhCNbQPLKb2LTX7Rzk9c0xHc9YNcZWxD5kybJniOjFIKarhmi3GaBzJGzzQKRLt40,iv:ZP4ioZx8jR6R0AIdZE0SWEm6VLzGa+dCYn3SceAJ7R8=,tag:okcd/omsRKwr9TXzbmkAug==,type:str]
pushover-user-key: ENC[AES256_GCM,data:hOVjnl/zAaWDurVds46lXeyokK/3fl1xpwRVIWwZ,iv:lWcTsz3PdQ3ifoKWaLmOpMbwq1FhiGEzCtqiLzFk/jA=,tag:EVni7WBVqL/lXqXGtQlErg==,type:str]
pushover-api-key: ENC[AES256_GCM,data:8QdwA0csJhpQIoa0one0hFOLuQRi1hcrfBrPaU1r,iv:xxQyQY+m++qEEaR7gaDnYbA/Btc0PvLFYF0aTuJD/wI=,tag:t714Gv9xwxvI1ceOdmbTCQ==,type:str]
truxnell-password: ENC[AES256_GCM,data:cqsquP1mfRJ+VijAV7F/eBwF1o5YedV2i7P05QibtAJWnKnTI4tzDz5iYo/0cWnlKD3xpAvqph47bwkeBfJatD6Q/ccO4rV9PfpVgD3/W+aBJk1GyTaljqCU3IINyGiT4y6lh01vmOOJ2w==,iv:Er2beJsdw71QFJCmmaSOb5IsJXBG6ZV1vw5SM/ZrWwY=,tag:Lb62auMyURsJzFLuG798Kg==,type:str]
sops:
kms: []
gcp_kms: []
@ -11,59 +13,59 @@ sops:
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKbjFLVktzVVNSeDVuOVpx
OXVrcU5vK01JbjZvMlh0bi9INFlPU2VTZUFrClRzVGlSSzljcldnVFhZTHhKcWYz
MHdGdEZBeU1tMDJOU1FVVVlMSFRNUGMKLS0tIGtRdGFaMC83MUc2VDdEOUJKcFYy
ZGorL2orMXJ1K3VNek5WaTdkcXpyUDAKUrd8OXnSEvOEHeKY02aMEnQEAK3dHWUg
/zPECgCQwStiE11erj+mfYhgSeHDx0szQieRj4a+x4KaEItydVOMng==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWK3RSK2wyQWVGUThCMFlL
RjY1TEJrZEcyUjlzeU4vdUJqL0pwLzRyZFNNCmVoVjJ0OW96YTRZOVNlSk9GWjMz
cVh4VGMyK0ZtUmtpZmhVcDRjK0FzRDQKLS0tIENFdnRuNFFWaXUvOXFPcjkxaC9E
RUZZMzZ3OVhVYU1lODU3OWtVaU9yMW8Kmo1RgsC2hAXOMbevLSecIRtWVgCaKe5c
DiVVL0BZaAxEFLkrdSS+yv8717LnCyGHI9rtzB+MQxcZBiUmx/8/Pg==
-----END AGE ENCRYPTED FILE-----
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKYmM1cDFHd2JKMlhHU0tu
VSthQnB0Q1VBVjEyRlJzZUtXYW1sSUordml3ClZQQnNQWFFmTnNkeEI2cjJ4OGhW
VWRqZWU1aFpZc1c4dzdPcWxWek43OEEKLS0tIHNvc0NmalFZWHY1a1I2RkJYR3pR
c1JwckUvQTRxZDlsQThsUHd2VndvQ1kKQAJhEKLV3AcLDhk3BEbjwsLmEC+FFYZt
AZXPbhJVZ2n62yU97IcEZOEs7tcaPFqRQmuEk0caMEj4F3RgF0naOg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhTkMvS3MxV2NUTjVJci94
UlVjZDVLMzNTdG5sVWhNVGphTVJIZ0g1d2dzCmRrcHpHbDlINjJ1eDZKU0k3QUd1
NWdGN1RPSUF3aGFJNTBoSTNFVjF6YkEKLS0tIFpud29YSXBHTGg1NTdvYW5pMm8x
eGtkMGdqcEFibm5oUjE3TXVLQ3NrSm8KRp2ee/xnaouuqOwMa+ICXhN1iFc68pQO
vbHn3j9HhCCA0q5w6/JngkuIktQSqP64Tp5lRtt7ko/dNM0uySFXJQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaDdXV2FrMHA0dkxkN2F4
dCszUG42bkI5bGlzMFJmVy9RV1R1QjZsNjNJCnBBMWVpYWdnN2MzOGZXT2UzRXZw
VVlVVmJaUHhQcVNXYVJqdnkzSTJ3TUUKLS0tIFdwUU0wR0c2eXp2NEFxV29DMDIx
K2d1UXZTenZnV0ViR3NOZE5YK1RNRkkK5ForFTQ9G7dvy3gri/nSVkYl4GViM4Ni
MiTQCriWOb8y0Fbdidc61NHOuGF3Ji3HUE7V065+DpWb43M8Y+w93g==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArWUxzQnR5K2ZNWkprdlh0
Nnp3K3JVa0YzMFhNbHFqWTEzNDFBVk91dVJ3CnM1aW5OL1VOSFZST3hLSktzb3Jn
andkSmhvdjFxbG9HTFpoeTluMHRacFUKLS0tIFJMQjIrSndFVlpDOUJiZFU4eHEw
S1NEU29PS21McXBpMTJOVU42bTMzQTQKVHP0zHRsR/r0zbU3uLjgHs0pMvGmtXgf
fwTiFZcRxYdR4T/Pv1lqGYYMvA94bgSFXI+mJNYni9pvP4jNIg/wuA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuV0diWWZLOEdVVXhHRzZP
TWtmLzQyR1N4ZHRMVVpLVWwrdXlHWjgzVkdJCld6NExvWGVXVzR3cjl2eVJTY01E
ZzJjcWJWWklJMUpjUjFJOURLMTBZNG8KLS0tIHpEMzA3enZMNXpmeVNtUjl0Y3lF
RUR2alVhVC9rbXdYYlB4THRYRTVYSUEK9jiP+9/IMTTEQlWwn+MvL7NgI4Z97YEY
C+U3mvXVOQ/FA/3hCaD1HALr6WHIV3DGcxacblYT4awAbN4crtfnIA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQckF0ZzA0SE9jcTJrTkE3
bXYvSUYrWmR4Z3ZoV0NIc3lobmZJcDU1WW5JCjRUbEZXa2xrMzNRaEQ1UXRLWFJP
VlRZZFg0VnpZcG0wYzh6cEdha3E2SE0KLS0tIFYzbDZXNWE1QXkwRmdZMnVBeGZt
RXhSclcrZ29BVU5Ra2NRTFJkUnpyaEEK2ajXl7W2R4MEuhWwvekVk8U7KobthOhR
gsXgwcWrQmC7c/5s6WD3y6OPhKLzUZb5mhohbm023+8WH0koODZs3A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2b01SMXJtTHhib2VrQ0hq
YW5JQU85L3dXbDh5b3paZElCOWpwMG9QODBNCkR3UTJLSFZOOEFKUW1jbG5YNmJo
ZGNaamlsZVJ2K2dxMjRKcFUxY3Y2NncKLS0tIEErUkN1WDgwajd1TjBFOURxQTdK
aW0rSUVwbnJqaHdUTWxYWWRGNm5reDAKlQG5maCq2K8aFJRbuuzv9SyNhrxzjbFQ
jtO2KoFX2gLFw90YFCsMFbaVO+xTcZQ7FQv0s4ktffudnT5zjuzFAg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRMGs5Z0VmckdzWGdtdG5T
U1cxYTMwRGplcUMzY1BsUTFmSnRLM296VmhRCk5ZaXQ0OGdUYlNyOTJYUjFYUFhI
dFBEMnlhQ0RiMnRZRHdVVzVRSFJWNTQKLS0tIDFDSTRvdE1sWmNiWnJhcHJ0bFBo
WWdxOG9qQmRuRnpkN2J2VVQwR3dsb0kKaQb/fAAoEMB1BKOtxDdTh3xkehNGBgLn
L1payadZY8VaMOY76f/hLSNIvZ1qMidnFNXr1aWFw1dsFMeKyBmbrw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1w3jtd4lecn2ng8qxantw33qxl2uasfqfjfpx45u6uweexwtxyq4spwssmh
- recipient: age1jpeh4s553taxkyxhzlshzqjfrtvmmp5lw0hmpgn3mdnmgzku332qe082dl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0TzlkSHYwc1F6VWozTUhq
dVZWVFVPc0F1V1gvV3d0M1NzT3dubWx6OFhRCmlaVHJuRDVRZnUwd0ttWkdYck51
NUdFOThuSWhLRE1lUW5aOU85TmhXVzgKLS0tIFJXVkc3Q3hmQjNQay9BV3lVZ3Jk
a2NDeTRTWGtxT0wyWEF1djlyQlhQYmcKy/liFdZyxuUp6eI7s+lANV0mcQWHOLFe
4Cg92W0Xppv+J3W4W+rVwzyFWUrkTnBFfZHnN3nhz18Lm7FR7vs7oQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUK1dvYjIvbE1mOHFncnho
Z0Rpbi9MT0xBTmZVREtqbkcyVC8zTFBRbzBrCkt3WGYvT0lyYXlodFgvelVONjl4
b1dISURYR0s2c0swUEZZMHhwajdvVHMKLS0tIHpRT2hFTzRpSUdMdzB5Q281ejYx
OGNIQk1mNjhjVSt4RkxaUVdhMGFtbVEKerfg6ALWIr35TYfv/BI4E4UQ8sN2CmJU
T3hNcp0m6Vm+0kBZ+pBTA5OOm32/tg0szySf2FNrHT4ask+iueN2og==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-14T00:18:09Z"
mac: ENC[AES256_GCM,data:S4QbCTp+rxSPumolno0FuSNvtvEZpA4E77S2mSliI5y4GJ5n/mx8SY07xbwqMzB3W9EgO0ZT+vvsx4N7jkZPBtr+m12/KwG8NcHZsBdXNi2TRi8CGZlCXFzRNQSjJRiYBMsdKwVCdm6Wxlf/PuCnNj0ShSU0IWaTzlSc0FhSeYM=,iv:Nv+rbtRCXZFAnDi0wzq2/qjdvr7535BkCogBqllmPGQ=,tag:OwTPYR4e8N/qGQvvOjh7SA==,type:str]
lastmodified: "2024-04-15T06:36:15Z"
mac: ENC[AES256_GCM,data:wf7GOhVD9CeVVRnnrdw/Mj98X8hRbQ0hEDHMEJ5H01vwoeA6hnum8sVaiqvypfuD1HAHQRsfrfiBArx0QA6WU8xBUHe3hZopwuTdsX8NhiUCSymSCjC2b6oINxuFcZ7GiAeSR3BAx/Gr5XPN9lq2SQYMPcxr+CkwPNCPULNKUOY=,iv:6zmP02tTF0jwiFaIB1lFwz2ZSHx4pGtLdkmA9D/+lC0=,tag:92hv/RMEETV9qD6oh5p/1g==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -4,7 +4,12 @@
sops.age.sshKeyPaths = [ "${config.mySystem.system.impermanence.sshPath}/ssh_host_ed25519_key" ];
# Secret for machine-specific pushover
sops.secrets."services/pushover/env" = {
sopsFile = ./secrets.sops.yaml;
};
sops.secrets.pushover-user-key = {
sopsFile = ./secrets.sops.yaml;
};
sops.secrets.pushover-api-key = {
sopsFile = ./secrets.sops.yaml;
};


@ -18,6 +18,9 @@ with config;
services.cockpit.enable = true;
nfs.nas.enable = true;
system.resticBackup.local.enable = false;
system.resticBackup.remote.enable = false;
};
boot = {


@ -1,30 +0,0 @@
## STILL WIP
## Wanted to avoid bringing in complexity of disko
#!/usr/bin/env bash
set -x
# Define variables
drive="/dev/mmcblk1" # Change this to the desired drive, e.g., "/dev/sdb"
swap_size="100MB" # Change this to the desired swap size
# Partitioning
parted "${drive}" -- mklabel gpt -s
parted "${drive}" -- mkpart root ext4 512MB -s# -"$swap_size"
#parted "${drive}" -- mkpart swap linux-swap -"$swap_size" 100%
parted "${drive}" -- mkpart ESP fat32 1MB 512MB -s
parted "${drive}" -- set 3 esp on -s
# Formatting
mkfs.ext4 -L nixos "${drive}p1"
#mkswap -L swap "${drive}p2"
mkfs.fat -F 32 -n boot "${drive}p3"
# Mounting disks for installation
mount /dev/disk/by-label/nixos /mnt
mkdir -p /mnt/boot
mount /dev/disk/by-label/boot /mnt/boot
swapon "${drive}p2"
# Generating default configuration
nixos-generate-config --root /mnt

View file

@ -8,23 +8,44 @@
};
system = builtins.currentSystem;
overlays = [ ]; # Explicit blank overlay to avoid interference
in
import nixpkgs { inherit system overlays; }
, ...
}: {
default = pkgs.mkShell {
# Enable experimental features without having to specify the argument
NIX_CONFIG = "experimental-features = nix-command flakes";
nativeBuildInputs = with pkgs; [
nix
home-manager
git
nil
nixpkgs-fmt
go-task
sops
pre-commit
gitleaks
];
};
}:
let
# setup the ssssnaaake
my-python = pkgs.python311;
python-with-my-packages = my-python.withPackages
(p: with p; [
mkdocs-material
mkdocs-minify
pygments
]);
in
pkgs.mkShell {
# Enable experimental features without having to specify the argument
NIX_CONFIG = "experimental-features = nix-command flakes";
buildInputs = [
python-with-my-packages
];
shellHook = ''
PYTHONPATH=${python-with-my-packages}/${python-with-my-packages.sitePackages}
'';
nativeBuildInputs = with pkgs; [
nix
home-manager
git
nil
nixpkgs-fmt
go-task
sops
pre-commit
gitleaks
mkdocs
];
}