clerie/nixfiles
1
0
Fork 0
Code Activity

Compare commits

base: clerie:508d65a4d77ee58be2791e5bf0ab5b550d1cf05d
Branches Tags
clerie:master clerie:updated-inputs clerie:updated-inputs-2025-11-15-02-03 clerie:updated-inputs-2025-11-13-02-03 clerie:updated-inputs-2025-11-10-02-03 clerie:updated-inputs-2025-11-09-02-03 clerie:updated-inputs-2025-11-07-02-03 clerie:updated-inputs-2025-11-04-02-03 clerie:updated-inputs-2025-11-02-02-03 clerie:updated-inputs-2025-10-30-02-03 clerie:updated-inputs-2025-10-28-02-03 clerie:updated-inputs-2025-10-27-02-03 clerie:updated-inputs-2025-10-25-01-03 clerie:updated-inputs-2025-10-23-01-03 clerie:updated-inputs-2025-10-20-01-03 clerie:updated-inputs-2025-10-16-01-03 clerie:updated-inputs-2025-10-14-01-03 clerie:updated-inputs-2025-10-11-01-03 clerie:updated-inputs-2025-10-09-01-03 clerie:updated-inputs-2025-10-08-01-03 clerie:updated-inputs-2025-10-03-01-03 clerie:updated-inputs-2025-09-30-01-03 clerie:updated-inputs-2025-09-28-01-03 clerie:updated-inputs-2025-09-26-01-03 clerie:updated-inputs-2025-09-24-01-03 clerie:updated-inputs-2025-09-22-01-03 clerie:updated-inputs-2025-09-21-01-03 clerie:updated-inputs-2025-09-20-01-03 clerie:updated-inputs-2025-09-19-01-03 clerie:updated-inputs-2025-09-14-01-03 clerie:updated-inputs-2025-09-12-01-03 clerie:updated-inputs-2025-09-10-01-03 clerie:updated-inputs-2025-09-09-01-03 clerie:updated-inputs-2025-09-08-01-03 clerie:updated-inputs-2025-09-04-01-03 clerie:updated-inputs-2025-08-31-01-03 clerie:updated-inputs-2025-08-30-01-03 clerie:updated-inputs-2025-08-28-01-03 clerie:updated-inputs-2025-08-27-01-03 clerie:updated-inputs-2025-08-21-01-03 clerie:updated-inputs-2025-08-18-01-03 clerie:updated-inputs-2025-08-17-01-03 clerie:updated-inputs-2025-08-16-01-03 clerie:updated-inputs-2025-08-15-01-03 clerie:migrate-to-lix clerie:gpg-test
..
compare: clerie:master
Branches Tags
clerie:master clerie:updated-inputs clerie:updated-inputs-2025-11-15-02-03 clerie:updated-inputs-2025-11-13-02-03 clerie:updated-inputs-2025-11-10-02-03 clerie:updated-inputs-2025-11-09-02-03 clerie:updated-inputs-2025-11-07-02-03 clerie:updated-inputs-2025-11-04-02-03 clerie:updated-inputs-2025-11-02-02-03 clerie:updated-inputs-2025-10-30-02-03 clerie:updated-inputs-2025-10-28-02-03 clerie:updated-inputs-2025-10-27-02-03 clerie:updated-inputs-2025-10-25-01-03 clerie:updated-inputs-2025-10-23-01-03 clerie:updated-inputs-2025-10-20-01-03 clerie:updated-inputs-2025-10-16-01-03 clerie:updated-inputs-2025-10-14-01-03 clerie:updated-inputs-2025-10-11-01-03 clerie:updated-inputs-2025-10-09-01-03 clerie:updated-inputs-2025-10-08-01-03 clerie:updated-inputs-2025-10-03-01-03 clerie:updated-inputs-2025-09-30-01-03 clerie:updated-inputs-2025-09-28-01-03 clerie:updated-inputs-2025-09-26-01-03 clerie:updated-inputs-2025-09-24-01-03 clerie:updated-inputs-2025-09-22-01-03 clerie:updated-inputs-2025-09-21-01-03 clerie:updated-inputs-2025-09-20-01-03 clerie:updated-inputs-2025-09-19-01-03 clerie:updated-inputs-2025-09-14-01-03 clerie:updated-inputs-2025-09-12-01-03 clerie:updated-inputs-2025-09-10-01-03 clerie:updated-inputs-2025-09-09-01-03 clerie:updated-inputs-2025-09-08-01-03 clerie:updated-inputs-2025-09-04-01-03 clerie:updated-inputs-2025-08-31-01-03 clerie:updated-inputs-2025-08-30-01-03 clerie:updated-inputs-2025-08-28-01-03 clerie:updated-inputs-2025-08-27-01-03 clerie:updated-inputs-2025-08-21-01-03 clerie:updated-inputs-2025-08-18-01-03 clerie:updated-inputs-2025-08-17-01-03 clerie:updated-inputs-2025-08-16-01-03 clerie:updated-inputs-2025-08-15-01-03 clerie:migrate-to-lix clerie:gpg-test

52 Commits
508d65a4d7 ... master

Author SHA1 Message Date
clerie
f43eba0036 hosts/clerie-backup: Replicate backups with restic instead of borgbackup 2025-11-16 19:40:33 +01:00
clerie
971fb88d97 pkgs/clerie-backup: Support sftp backend for restic 2025-11-16 19:38:50 +01:00
clerie
1ab3ae3769 pkgs/clerie-ssh-known-hosts: Pin some more SSH host keys that can net be retrieved automatically 2025-11-16 16:05:57 +01:00
clerie
bc8d681956 pkgs/fem-ssh-known-hosts: Pin FeM ssh known hosts globally 2025-11-16 15:32:29 +01:00
clerie
fc4bc6ca41 pkgs/well-known-ssh-known-hosts: Pin some regularly used SSH host keys 2025-11-16 15:00:05 +01:00
clerie
f17a94c578 profiles/common-ssh: Migrate common SSH config to profile and pin SSH public hosts keys for net.clerie.de 2025-11-16 14:22:50 +01:00
clerie
2d9836f793 pkgs/clerie-ssh-known-hosts: Pin SSH host keys to FQDN only 2025-11-16 14:09:24 +01:00
clerie
0de7471ac0 profiles/hetzner-storage-box-client: Globally pin Hetzner Storage Box SSH public keys 2025-11-16 14:02:54 +01:00
clerie
db9ea1ea5c flake.lock: Update nixpkgs and lix 2025-11-08 12:40:53 +01:00
clerie
930be1c50c monitoring/targets.json: Add reichart.uber.space to monitoring 2025-11-06 20:54:52 +01:00
clerie
f3629c2653 profiles/ds-lite: Connect to Netcologne with PPP DS-Lite 2025-10-27 21:26:28 +01:00
clerie
44afbff445 hosts/carbon: Change DSL uplink to netcologne 2025-10-24 21:36:41 +02:00
clerie
92817fdcad hosts/clerie-backup: Export metrics for backup replication to Hetzner 2025-10-24 18:13:24 +02:00
clerie
e8cca7b1b6 pkgs/http.server: Add shortcut command for python3 http.server 2025-10-07 19:11:22 +02:00
clerie
102509b9a8 hosts/krypton: Add tuba and flare apps 2025-09-27 18:43:16 +02:00
clerie
eaa4ee6d05 hosts/storage-2: Provide mixcloud directory listing as json too 2025-09-26 15:51:55 +02:00
clerie
9659885079 pkgs/grow-last-partition-and-filesystem: Add missing dependency reference 2025-09-21 18:02:14 +02:00
clerie
50b575dcb3 hosts/storage-2: Convert em to mp3 2025-09-21 18:01:46 +02:00
clerie
165839be07 pkgs/convert-flac-dir-to-mp3: Use tmpfile for ffmpeg so we don't have broken files laying around 2025-09-21 17:18:08 +02:00
clerie
ce99bb114b pkgs/convert-flac-dir-to-mp3: Add script for coverting music libraries 2025-09-21 17:06:36 +02:00
clerie
23629e0662 pkgs/build-support: writePythonScript add runtimeInput option 2025-09-21 16:58:15 +02:00
clerie
6954e75a5c pkgs/grow-last-partition-and-filesystem: Automatically move GPT backup header to end of device 2025-09-21 14:36:04 +02:00
clerie
539502cea0 flake.lock: Update mu5001tool 2025-09-12 00:10:03 +02:00
clerie
00a7eee2af hosts/astatine: Update mu5001tool and restart on failure 2025-09-11 12:39:04 +02:00
clerie
e82132b86e hosts/astatine: Add stack to monitor zte hypermobile 5g 2025-09-08 23:32:57 +02:00
clerie
503dca182e pkgs/curl-timings: Add curl shortcut to show connection timings 2025-09-03 13:05:55 +02:00
clerie
82f8064956 pkgs/grow-last-partition-and-filesystem: Add command to easily grow a filesystem on a disk resized by Proxmox 2025-08-30 11:11:57 +02:00
clerie
342d50d936 pkgs/bijwerken-system-upgrade: Copy system store path from any configured nix cache 2025-08-30 09:52:25 +02:00
clerie
dd76691f7d pkgs/bijwerken-*,modules/bijwerken: Consolidate system update management and refactor under the same name 2025-08-17 21:49:24 +02:00
clerie
72cdef91d9 profiles/common-nix: Remove guests group from trusted nix users 2025-08-17 20:02:34 +02:00
clerie
22c7cb451b pkgs/nixfiles: Add helper script to trigger system upgrades 2025-08-17 19:05:22 +02:00
clerie
9357981ff3 hosts/monitoring-3: Alert on fem.social unavailable 2025-08-17 10:39:01 +02:00
clerie
eddb365ae5 hosts/monitoring-3: Alert nadja.top down after 15min only 2025-08-17 10:17:43 +02:00
clerie
d01de7fc4a hosts/monitoring-3: Add dashboards to deployment 2025-08-16 22:01:06 +02:00
clerie
a1ca9313b9 hosts/monitoring-3: Add Nginx Grafana dashboard 2025-08-15 20:50:24 +02:00
clerie
217ede0307 modules/monitoring: Extract metrics from nginx logs 2025-08-15 18:14:41 +02:00
clerie
643478b724 pkgs/generate-blocked-prefixes: Deduplicate prefixes before generating firewall rules 2025-08-14 20:20:33 +02:00
clerie
13b8ccd087 hosts/krypton: don't use onlyoffice anymore 2025-08-09 14:59:03 +02:00
clerie
7c3a97a90a hosts/web-2: Update legal.clerie.de 2025-08-09 11:42:04 +02:00
clerie
40338d9b85 hosts/monitoring-3: Monitor alertmanager 2025-08-09 11:41:34 +02:00
clerie
7f6f6281cc profiles/desktop: Migrate from configuration 2025-07-29 23:03:58 +02:00
clerie
2d4acb5a49 flake.lock: Update lix 2025-07-29 18:04:22 +02:00
Flake Update Bot
905682cf17 Update nixpkgs 2025-07-29-01-03 2025-07-29 03:04:11 +02:00
clerie
f5ec777e9b flake/hydraJobs.nix: Track additional packages in hydra 2025-07-28 22:48:59 +02:00
clerie
944bced757 pkgs/pipewire-all-bluetooth: A pipewire audio sink that distributes to all Bluetooth speakers 2025-07-28 22:36:49 +02:00
clerie
5bd15927d5 hosts/web-2: Block Alibaba Cloud because of scraper bots 2025-07-18 23:55:33 +02:00
clerie
9b05a008bb configuration/desktop: Add helvum audio routing gui 2025-07-15 19:39:46 +02:00
clerie
871ba5ea43 pkgs/uptimestatus: Explicitly specify build system 2025-07-15 19:26:50 +02:00
clerie
560e53f77b hosts/krypton: Add drune3d program 2025-07-12 13:21:30 +02:00
clerie
03aa425038 hosts/web-2: Add traveldrafter.clerie.de 2025-07-06 18:17:31 +02:00
clerie
751efd02bb hosts/porter: Enable system auto upgrade 2025-07-05 20:16:01 +02:00
clerie
43d1133772 modules/clerie-system-upgrade: Always reboot after an update 2025-06-30 18:35:57 +02:00
114 changed files with 2672 additions and 486 deletions
Expand all files Collapse all files

1
configuration/common/default.nix
View File

@@ -8,7 +8,6 @@
./locale.nix ./locale.nix
./networking.nix ./networking.nix
./programs.nix ./programs.nix
./ssh.nix
./systemd.nix ./systemd.nix
./user.nix ./user.nix
]; ];

1
configuration/common/programs.nix
View File

@@ -6,6 +6,7 @@
# My system is fucked # My system is fucked
gptfdisk gptfdisk
parted parted
grow-last-partition-and-filesystem
# Normal usage # Normal usage
htop htop

16
configuration/common/ssh.nix
View File

@@ -1,16 +0,0 @@
{ lib, ... }:
{
services.openssh.enable = true;
services.openssh.settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = lib.mkDefault "no";
};
services.openssh.hostKeys = lib.mkForce [
# Only create ed25519 host keys
{ type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
];
}

19
configuration/desktop/audio.nix
View File

@@ -1,19 +0,0 @@
{ ... }:
{
services.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa = {
enable = true;
support32Bit = true;
};
pulse = {
enable = true;
};
};
}

19
configuration/desktop/default.nix
View File

@@ -1,19 +0,0 @@
{ ... }:
{
imports = [
./audio.nix
./firmware.nix
./fonts.nix
./gnome.nix
./inputs.nix
./networking.nix
./polkit.nix
./power.nix
./printing.nix
./ssh.nix
./xserver.nix
];
security.sudo.wheelNeedsPassword = true;
}

7
configuration/desktop/firmware.nix
View File

@@ -1,7 +0,0 @@
{ ... }:
{
services.fwupd.enable = true;
}

13
configuration/desktop/fonts.nix
View File

@@ -1,13 +0,0 @@
{ pkgs, ... }:
{
fonts.enableDefaultPackages = true;
fonts.packages = with pkgs; [
roboto
roboto-mono
noto-fonts
noto-fonts-emoji
comfortaa
] ++ (if pkgs ? "noto-fonts-cjk-sans" then [ pkgs.noto-fonts-cjk-sans ] else [ pkgs.noto-fonts-cjk ]);
}

61
configuration/desktop/gnome.nix
View File

@@ -1,61 +0,0 @@
{ pkgs, ... }:
{
services.gnome = {
localsearch.enable = false;
tinysparql.enable = false;
};
environment.gnome.excludePackages = with pkgs; [
baobab
epiphany
gnome-calendar
gnome-clocks
gnome-console
gnome-contacts
gnome-logs
gnome-maps
gnome-music
gnome-tour
gnome-photos
gnome-weather
gnome-connections
simple-scan
yelp
geary
];
environment.systemPackages = with pkgs; [
evolution
gnome-terminal
gnome-tweaks
];
services.gnome.evolution-data-server.enable = true;
programs.dconf.profiles = {
user.databases = [
{
settings = {
"org/gnome/desktop/calendar" = {
show-weekdate = true;
};
"org/gnome/desktop/interface" = {
enable-hot-corners = false;
show-battery-percentage = true;
};
"org/gnome/desktop/notifications" = {
show-in-lock-screen = false;
};
"org/gnome/desktop/sound" = {
event-sounds = false;
};
"org/gnome/gnome-system-monitor" = {
network-in-bits = true;
network-total-in-bits = true;
};
};
}
];
};
}

43
configuration/desktop/inputs.nix
View File

@@ -1,43 +0,0 @@
{ ... }:
{
programs.dconf.profiles = {
user.databases = [
{
settings = {
"org/gnome/desktop/peripherals/touchpad" = {
disable-while-typing = false;
edge-scrolling-enabled = false;
natural-scroll = true;
tap-to-click = true;
two-finger-scrolling-enabled = true;
};
"org/gnome/settings-daemon/plugins/media-keys" = {
custom-keybindings = [
"/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/terminal/"
];
mic-mute = [ "<Control>Print" ];
};
"org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/terminal" = {
name = "Terminal";
binding = "<Primary><Alt>t";
command = "gnome-terminal";
};
};
}
];
gdm.databases = [
{
settings = {
"org/gnome/desktop/peripherals/touchpad" = {
disable-while-typing = false;
edge-scrolling-enabled = false;
natural-scroll = true;
tap-to-click = true;
two-finger-scrolling-enabled = true;
};
};
}
];
};
}

14
configuration/desktop/networking.nix
View File

@@ -1,14 +0,0 @@
{ ... }:
{
networking.networkmanager.settings = {
connectivity = {
uri = "http://ping.clerie.de/nm-check.txt";
};
global-dns = {
searches = "net.clerie.de";
};
};
}

7
configuration/desktop/polkit.nix
View File

@@ -1,7 +0,0 @@
{ ... }:
{
security.polkit.enable = true;
}

42
configuration/desktop/power.nix
View File

@@ -1,42 +0,0 @@
{ lib, config, ... }:
{
boot.resumeDevice = lib.optionalString ((lib.length config.swapDevices) > 0) (lib.head config.swapDevices).device;
services.logind = {
lidSwitch = "suspend-then-hibernate";
};
systemd.sleep.extraConfig = ''
HibernateDelaySec=30m
'';
services.upower = {
percentageLow = 20;
percentageCritical = 10;
percentageAction = 8;
};
programs.dconf.profiles = {
user.databases = [
{
settings = {
"org/gnome/settings-daemon/plugins/power" = {
power-button-action = "hibernate";
power-saver-profile-on-low-battery = false;
sleep-inactive-ac-type = "nothing";
};
};
}
];
gdm.databases = [
{
settings = {
"org/gnome/settings-daemon/plugins/power" = {
power-button-action = "hibernate";
power-saver-profile-on-low-battery = false;
sleep-inactive-ac-type = "nothing";
};
};
}
];
};
}

7
configuration/desktop/printing.nix
View File

@@ -1,7 +0,0 @@
{ ... }:
{
services.printing.enable = true;
services.avahi.enable = true;
services.avahi.nssmdns4 = true;
}

33
configuration/desktop/ssh.nix
View File

@@ -1,33 +0,0 @@
{ pkgs, ... }:
{
profiles.clerie.gpg-ssh.enable = true;
programs.gnupg.agent = {
pinentryPackage = pkgs.pinentry-gtk2;
};
# Do not disable ssh-agent of gnome-keyring, because
# gnupg ssh-agent can't handle normal SSH keys properly
/*
# Disable ssh-agent of gnome-keyring
nixpkgs.overlays = [
(final: prev: {
gnome = prev.gnome // {
gnome-keyring = prev.runCommand "gnome-keyring-ssh-disabled-autostart" {} ''
mkdir -p $out
# Symlink all gnome-keyring binaries
${final.xorg.lndir}/bin/lndir -silent ${prev.gnome.gnome-keyring} $out
# Disable autostart for ssh
rm $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
cat ${prev.gnome.gnome-keyring}/etc/xdg/autostart/gnome-keyring-ssh.desktop > $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
echo "Hidden=true" >> $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
'';
};
})
];
*/
}

11
configuration/desktop/xserver.nix
View File

@@ -1,11 +0,0 @@
{ pkgs, ... }:
{
services.xserver.enable = true;
services.displayManager.gdm.enable = true;
services.desktopManager.gnome.enable = true;
services.xserver.excludePackages = with pkgs; [
xterm
];
}

88
flake.lock generated
View File

@@ -269,11 +269,11 @@
"nixpkgs": "nixpkgs_3" "nixpkgs": "nixpkgs_3"
}, },
"locked": { "locked": {
"lastModified": 1750779764, "lastModified": 1759516991,
"narHash": "sha256-JTvJf12NfmiJg+k8zPAvvJIHWA8lzL5SBssQxkwZTwE=", "narHash": "sha256-esoe/uYPyy4a6hAwZq1QgkSe7dnZ5c0zHHXDq/JG9Yk=",
"ref": "lix-2.93", "ref": "lix-2.93",
"rev": "175d4c80943403f352ad3ce9ee9a93475a154b91", "rev": "b1328322a49e8e153635ea8b3b602db363de727f",
"revCount": 4259, "revCount": 4284,
"type": "git", "type": "git",
"url": "https://git.lix.systems/lix-project/hydra.git" "url": "https://git.lix.systems/lix-project/hydra.git"
}, },
@@ -301,11 +301,11 @@
"pre-commit-hooks": "pre-commit-hooks" "pre-commit-hooks": "pre-commit-hooks"
}, },
"locked": { "locked": {
"lastModified": 1750762203, "lastModified": 1757791921,
"narHash": "sha256-LmQhjQ7c+AOkwhvR9GFgJOy8oHW35MoQRELtrwyVnPw=", "narHash": "sha256-83qbJckLOLrAsKO88UI9N4QRatNEc3gUFtLMiAPwK0g=",
"ref": "release-2.93", "ref": "release-2.93",
"rev": "38b358ce27203f972faa2973cf44ba80c758f46e", "rev": "b7c2f17e9133e8b85d41c58b52f9d4e3254f41da",
"revCount": 17866, "revCount": 17892,
"type": "git", "type": "git",
"url": "https://git.lix.systems/lix-project/lix" "url": "https://git.lix.systems/lix-project/lix"
}, },
@@ -327,11 +327,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1750776670, "lastModified": 1756125859,
"narHash": "sha256-EfA5K5EZAnspmraJrXQlziffVpaT+QDBiE6yKmuaNNQ=", "narHash": "sha256-6a+PWILmqHCs9B5eIBLg6HSZ8jYweZpgOWO8FlyVwYI=",
"ref": "release-2.93", "ref": "release-2.93",
"rev": "c3c78a32273e89d28367d8605a4c880f0b6607e3", "rev": "d3292125035b04df00d01549a26e948631fabe1e",
"revCount": 146, "revCount": 156,
"type": "git", "type": "git",
"url": "https://git.lix.systems/lix-project/nixos-module.git" "url": "https://git.lix.systems/lix-project/nixos-module.git"
}, },
@@ -353,11 +353,11 @@
"pre-commit-hooks": "pre-commit-hooks_2" "pre-commit-hooks": "pre-commit-hooks_2"
}, },
"locked": { "locked": {
"lastModified": 1750762203, "lastModified": 1759940703,
"narHash": "sha256-LmQhjQ7c+AOkwhvR9GFgJOy8oHW35MoQRELtrwyVnPw=", "narHash": "sha256-/dXDCzYnQbkqCsvUDIxgIH4BS/fyxIu73m2v4ftJLXQ=",
"ref": "release-2.93", "ref": "release-2.93",
"rev": "38b358ce27203f972faa2973cf44ba80c758f46e", "rev": "75c03142049242a5687309e59e4f356fbc92789a",
"revCount": 17866, "revCount": 17894,
"type": "git", "type": "git",
"url": "https://git.lix.systems/lix-project/lix.git" "url": "https://git.lix.systems/lix-project/lix.git"
}, },
@@ -404,6 +404,26 @@
"url": "https://git.clerie.de/clerie/mitel_ommclient2.git" "url": "https://git.clerie.de/clerie/mitel_ommclient2.git"
} }
}, },
"mu5001tool": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1757627777,
"narHash": "sha256-NGUqHQ+/BaUhjgSYQauTihTtNyhhnQRMJ8t7ZSPNpmk=",
"ref": "refs/heads/main",
"rev": "b7b0f0d5191433bca1377f7d818b800627a83fda",
"revCount": 9,
"type": "git",
"url": "https://git.clerie.de/clerie/mu5001tool.git"
},
"original": {
"type": "git",
"url": "https://git.clerie.de/clerie/mu5001tool.git"
}
},
"nix2container": { "nix2container": {
"flake": false, "flake": false,
"locked": { "locked": {
@@ -614,11 +634,11 @@
}, },
"nixpkgs_3": { "nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1750622754, "lastModified": 1759281824,
"narHash": "sha256-kMhs+YzV4vPGfuTpD3mwzibWUE6jotw5Al2wczI0Pv8=", "narHash": "sha256-FIBE1qXv9TKvSNwst6FumyHwCRH3BlWDpfsnqRDCll0=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "c7ab75210cb8cb16ddd8f290755d9558edde7ee1", "rev": "5b5be50345d4113d04ba58c444348849f5585b4a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -646,11 +666,11 @@
}, },
"nixpkgs_5": { "nixpkgs_5": {
"locked": { "locked": {
"lastModified": 1751011381, "lastModified": 1761114652,
"narHash": "sha256-krGXKxvkBhnrSC/kGBmg5MyupUUT5R6IBCLEzx9jhMM=", "narHash": "sha256-f/QCJM/YhrV/lavyCVz8iU3rlZun6d+dAiC3H+CDle4=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "30e2e2857ba47844aa71991daa6ed1fc678bcbb7", "rev": "01f116e4df6a15f4ccdffb1bcd41096869fb385c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -743,6 +763,7 @@
"hydra": "hydra", "hydra": "hydra",
"lix": "lix_2", "lix": "lix_2",
"lix-module": "lix-module", "lix-module": "lix-module",
"mu5001tool": "mu5001tool",
"nixos-exporter": "nixos-exporter", "nixos-exporter": "nixos-exporter",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_5", "nixpkgs": "nixpkgs_5",
@@ -753,7 +774,8 @@
"scan-to-gpg": "scan-to-gpg", "scan-to-gpg": "scan-to-gpg",
"solid-xmpp-alarm": "solid-xmpp-alarm", "solid-xmpp-alarm": "solid-xmpp-alarm",
"sops-nix": "sops-nix", "sops-nix": "sops-nix",
"ssh-to-age": "ssh-to-age" "ssh-to-age": "ssh-to-age",
"traveldrafter": "traveldrafter"
} }
}, },
"scan-to-gpg": { "scan-to-gpg": {
@@ -868,6 +890,26 @@
"type": "github" "type": "github"
} }
}, },
"traveldrafter": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1751817360,
"narHash": "sha256-HzOhsPvzCaFeiz8nPq5MkYnYHpUzVaU/P5sxG+Njt+8=",
"ref": "refs/heads/main",
"rev": "b6610d70f363ecf9704352b1ef39244a816bd34f",
"revCount": 22,
"type": "git",
"url": "https://git.clerie.de/clerie/traveldrafter.git"
},
"original": {
"type": "git",
"url": "https://git.clerie.de/clerie/traveldrafter.git"
}
},
"treefmt-nix": { "treefmt-nix": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [

8
flake.nix
View File

@@ -40,6 +40,10 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
fieldpoc.url = "git+https://git.clerie.de/clerie/fieldpoc.git"; fieldpoc.url = "git+https://git.clerie.de/clerie/fieldpoc.git";
mu5001tool = {
url = "git+https://git.clerie.de/clerie/mu5001tool.git";
inputs.nixpkgs.follows = "nixpkgs";
};
nixos-exporter = { nixos-exporter = {
url = "git+https://git.clerie.de/clerie/nixos-exporter.git"; url = "git+https://git.clerie.de/clerie/nixos-exporter.git";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
@@ -68,6 +72,10 @@
url = "github:Mic92/ssh-to-age"; url = "github:Mic92/ssh-to-age";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
traveldrafter = {
url = "git+https://git.clerie.de/clerie/traveldrafter.git";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = { self, nixpkgs, nixos-hardware, chaosevents, fernglas, nixos-exporter, solid-xmpp-alarm, ssh-to-age, ... }@inputs: let outputs = { self, nixpkgs, nixos-hardware, chaosevents, fernglas, nixos-exporter, solid-xmpp-alarm, ssh-to-age, ... }@inputs: let
lib = import ./lib inputs; lib = import ./lib inputs;

6
flake/hydraJobs.nix
View File

@@ -10,6 +10,12 @@ let
in { in {
inherit (self) inherit (self)
packages; packages;
extraTrackedPackages = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system:
nixpkgs.lib.genAttrs [
"hydra"
"lix"
] (name: self.nixpkgs."${system}"."${name}")
);
nixosConfigurations = buildHosts self.nixosConfigurations; nixosConfigurations = buildHosts self.nixosConfigurations;
iso = self.nixosConfigurations._iso.config.system.build.isoImage; iso = self.nixosConfigurations._iso.config.system.build.isoImage;
} }

6
flake/inputs-overlay.nix
View File

@@ -5,10 +5,12 @@
, chaosevents , chaosevents
, harmonia , harmonia
, hydra , hydra
, mu5001tool
, nurausstieg , nurausstieg
, rainbowrss , rainbowrss
, scan-to-gpg , scan-to-gpg
, ssh-to-age , ssh-to-age
, traveldrafter
, ... , ...
}@inputs: }@inputs:
final: prev: { final: prev: {
@@ -24,6 +26,8 @@ final: prev: {
harmonia; harmonia;
inherit (hydra.packages.${final.system}) inherit (hydra.packages.${final.system})
hydra; hydra;
inherit (mu5001tool.packages.${final.system})
mu5001tool;
inherit (nurausstieg.packages.${final.system}) inherit (nurausstieg.packages.${final.system})
nurausstieg; nurausstieg;
inherit (rainbowrss.packages.${final.system}) inherit (rainbowrss.packages.${final.system})
@@ -32,4 +36,6 @@ final: prev: {
scan-to-gpg; scan-to-gpg;
inherit (ssh-to-age.packages.${final.system}) inherit (ssh-to-age.packages.${final.system})
ssh-to-age; ssh-to-age;
inherit (traveldrafter.packages.${final.system})
traveldrafter;
} }

14
hosts/astatine/configuration.nix
View File

@@ -4,6 +4,10 @@
imports = imports =
[ [
./hardware-configuration.nix ./hardware-configuration.nix
./grafana.nix
./mu5001tool.nix
./prometheus.nix
]; ];
profiles.clerie.network-fallback-dhcp.enable = true; profiles.clerie.network-fallback-dhcp.enable = true;
@@ -18,6 +22,16 @@
terminal_output serial terminal_output serial
"; ";
sops.secrets.monitoring-htpasswd = {
owner = "nginx";
group = "nginx";
};
services.nginx = {
enable = true;
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
profiles.clerie.wg-clerie = { profiles.clerie.wg-clerie = {
enable = true; enable = true;
ipv6s = [ "2a01:4f8:c0c:15f1::8108/128" ]; ipv6s = [ "2a01:4f8:c0c:15f1::8108/128" ];

45
hosts/astatine/grafana.nix Normal file
View File

@@ -0,0 +1,45 @@
{ config, ... }:
{
services.grafana = {
enable = true;
settings = {
server = {
domain = "grafana.astatine.net.clerie.de";
root_url = "https://grafana.astatine.net.clerie.de";
http_port = 3001;
http_addr = "::1";
};
"auth.anonymous" = {
enabled = true;
};
};
provision = {
enable = true;
datasources.settings.datasources = [
{
type = "prometheus";
name = "Prometheus";
url = "http://[::1]:9090";
isDefault = true;
}
];
};
};
services.nginx = {
virtualHosts = {
"grafana.astatine.net.clerie.de" = {
enableACME = true;
forceSSL = true;
basicAuthFile = config.sops.secrets.monitoring-htpasswd.path;
locations."/".proxyPass = "http://[::1]:3001/";
locations."= /api/live/ws" = {
proxyPass = "http://[::1]:3001";
proxyWebsockets = true;
};
};
};
};
}

18
hosts/astatine/mu5001tool.nix Normal file
View File

@@ -0,0 +1,18 @@
{ config, pkgs, lib, ... }:
{
systemd.services."mu5001tool" = {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
DynamicUser = true;
LoadCredential = "zte-hypermobile-5g-password:${config.sops.secrets."zte-hypermobile-5g-password".path}";
Restart = "on-failure";
RestartSec = "15s";
};
script = ''
${lib.getExe pkgs.mu5001tool} --password-file ''${CREDENTIALS_DIRECTORY}/zte-hypermobile-5g-password prometheus-exporter --listen-port 9242
'';
};
}

46
hosts/astatine/prometheus.nix Normal file
View File

@@ -0,0 +1,46 @@
{ config, ... }:
{
services.prometheus = {
enable = true;
enableReload = true;
listenAddress = "[::1]";
scrapeConfigs = [
{
job_name = "prometheus";
scrape_interval = "20s";
scheme = "http";
static_configs = [
{
targets = [
"[::1]:9090"
];
}
];
}
{
job_name = "mu5001tool";
scrape_interval = "20s";
static_configs = [
{
targets = [
"[::1]:9242"
];
}
];
}
];
};
services.nginx = {
virtualHosts = {
"prometheus.astatine.net.clerie.de" = {
enableACME = true;
forceSSL = true;
basicAuthFile = config.sops.secrets.monitoring-htpasswd.path;
locations."/".proxyPass = "http://[::1]:9090/";
};
};
};
}

12
hosts/astatine/secrets.json
View File

@@ -1,19 +1,17 @@
{ {
"wg-clerie": "ENC[AES256_GCM,data:DbchcO6GTmSFyoHrRAkfu2flaKYrQHPk+rIerekYO4Cto9sqaWLgaSigpS8=,iv:no1xNRVqsKzAN6ssYA0Ir+utOM9tg8OBUT9PY2v0HPA=,tag:lZj1wEPFWHaf52N7YHEQKQ==,type:str]", "wg-clerie": "ENC[AES256_GCM,data:DbchcO6GTmSFyoHrRAkfu2flaKYrQHPk+rIerekYO4Cto9sqaWLgaSigpS8=,iv:no1xNRVqsKzAN6ssYA0Ir+utOM9tg8OBUT9PY2v0HPA=,tag:lZj1wEPFWHaf52N7YHEQKQ==,type:str]",
"wg-monitoring": "ENC[AES256_GCM,data:dTKKeieaGvECkHUpATLorhOgr9Re5CAH25y1WTcSqJZDsvnwD4CBbqMv2QQ=,iv:u1n1wyAW5aNcVYfGN8BmrEhIhtA3EfRDBNu65IdBZMI=,tag:RJYgOpel9uy6dC72MmqS5A==,type:str]", "wg-monitoring": "ENC[AES256_GCM,data:dTKKeieaGvECkHUpATLorhOgr9Re5CAH25y1WTcSqJZDsvnwD4CBbqMv2QQ=,iv:u1n1wyAW5aNcVYfGN8BmrEhIhtA3EfRDBNu65IdBZMI=,tag:RJYgOpel9uy6dC72MmqS5A==,type:str]",
"monitoring-htpasswd": "ENC[AES256_GCM,data:0uQ+Gwedi9kTaOzrwVzkNkS9qL0Dwmph1leK2sj/TndfSn3yaq7ur7ZHoPjWUl5Oy1poxU2rIUxWHajYC0n3yHv2AuGT,iv:FyH4MHcgW5iHkAsahNFtshnqqPOMlukg8aYfhcN9onw=,tag:q3BsnyKLrKYi/xDP6GmSkA==,type:str]",
"zte-hypermobile-5g-password": "ENC[AES256_GCM,data:lqxQICmWYwMejn8=,iv:TPYOs/cL/ETw7Ee0+YG/+Fhd7ASi0kr4rDLEiste+2Y=,tag:6O6AXIHkIjPm7hJVC4Y/1g==,type:str]",
"sops": { "sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [ "age": [
{ {
"recipient": "age1fffvnazdv3ys9ww8v4g832hv5nkvnk6d728syerzvpgskfmfkq8q00whpv", "recipient": "age1fffvnazdv3ys9ww8v4g832hv5nkvnk6d728syerzvpgskfmfkq8q00whpv",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMQUF5dkRwdXRmUkJ1SXN5\nLzdOVkhWYUJGdFd4Qklsa1BXeVZlTGx0eDE0ClZmYWNLMEVzaVVXWGkwQUt5ZHF5\nS1c5OU9PWjBTelM5R2phNFdVNncxUUkKLS0tIDlwSXFyZWNVT1dtdGU5dVFSRHNE\nUUpJZHJZRTd6TnBUU2dCWW90UTRVb0UKCWrHWmQTNhez16wgEKj4EQA4+UBRmGQn\n+NHSjBCMBmmTdHb05nENYVK515Z0T/60+9N3VlNyHWS9IgC3mZRUBg==\n-----END AGE ENCRYPTED FILE-----\n" "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMQUF5dkRwdXRmUkJ1SXN5\nLzdOVkhWYUJGdFd4Qklsa1BXeVZlTGx0eDE0ClZmYWNLMEVzaVVXWGkwQUt5ZHF5\nS1c5OU9PWjBTelM5R2phNFdVNncxUUkKLS0tIDlwSXFyZWNVT1dtdGU5dVFSRHNE\nUUpJZHJZRTd6TnBUU2dCWW90UTRVb0UKCWrHWmQTNhez16wgEKj4EQA4+UBRmGQn\n+NHSjBCMBmmTdHb05nENYVK515Z0T/60+9N3VlNyHWS9IgC3mZRUBg==\n-----END AGE ENCRYPTED FILE-----\n"
} }
], ],
"lastmodified": "2024-04-21T16:03:13Z", "lastmodified": "2025-09-08T21:03:41Z",
"mac": "ENC[AES256_GCM,data:fA8fhOZbX30TYgwZXB7sQDNmck0JRDyAnEXf5nCYtli/Qvs78fTs4DdC08VOpOni8uAVARkFsGSo6Fjo/MpTSDVA8VNYZig/we/bWF+LQlEMCmiqwOI1R6eQ3GPxcRXltlO2aPPlT9BpLwIVZjGGjIsmjpVE8xjkCbLUUqj+UxY=,iv:fHLyw96QLVRrAQky2kR7TDDxf8CNXDV9lVQ5RETzJEI=,tag:y+cG9u3d6vCUmPyNMDRWpA==,type:str]", "mac": "ENC[AES256_GCM,data:ztS/Z6mn8hFAPsks2evJRJFocw/3oz22O2HeSEkY7Mu+bfNvClsJuvuTbnDadB0IwKiLDFWRMGs/UPFmNP6J/euro4cFHDWXopdXg7eDFGDoJDKIg4fBUtofdXIqWvDoQ9LeZNvc5Z4EEQYhs3LwFnAU0x15acwIIxr5TB9l8g8=,iv:WVjavmcrEs2CyYTfoTTP44c9TqFubUdE+PBN2jRPR+s=,tag:fBXzU69Q9MwD3o/Nyu5OZA==,type:str]",
"pgp": [ "pgp": [
{ {
"created_at": "2024-04-21T16:02:41Z", "created_at": "2024-04-21T16:02:41Z",
@@ -24,4 +22,4 @@
"unencrypted_suffix": "_unencrypted", "unencrypted_suffix": "_unencrypted",
"version": "3.8.1" "version": "3.8.1"
} }
} }

5
hosts/carbon/configuration.nix
View File

@@ -6,6 +6,7 @@
./hardware-configuration.nix ./hardware-configuration.nix
./dns.nix ./dns.nix
./ds-lite-ncfttb.nix
./mdns.nix ./mdns.nix
./net-dsl.nix ./net-dsl.nix
./net-gastnetz.nix ./net-gastnetz.nix
@@ -16,7 +17,7 @@
./net-printer.nix ./net-printer.nix
./net-voip.nix ./net-voip.nix
./ntp.nix ./ntp.nix
./ppp.nix ./ppp-ncfttb.nix
./scan-to-gpg.nix ./scan-to-gpg.nix
./wg-clerie.nix ./wg-clerie.nix
]; ];
@@ -39,7 +40,7 @@
networking.nat = { networking.nat = {
enableIPv6 = true; enableIPv6 = true;
enable = true; enable = true;
externalInterface = "ppp-dtagdsl"; externalInterface = "ppp-ncfttb";
internalIPv6s = [ "fd00:152:152::/48" "fd00:3214:9453:4920::/64"]; internalIPv6s = [ "fd00:152:152::/48" "fd00:3214:9453:4920::/64"];
internalIPs = [ "10.152.0.0/16" "192.168.32.0/24" ]; internalIPs = [ "10.152.0.0/16" "192.168.32.0/24" ];
}; };

18
hosts/carbon/ds-lite-ncfttb.nix Normal file
View File

@@ -0,0 +1,18 @@
{ ... }:
{
profiles.clerie.ds-lite = {
enable = true;
wanInterfaceName = "ppp-ncfttb";
tunnelInterfaceName = "ds-lite-ncfttb";
lanInterfaces = [
{
name = "net-heimnetz";
sla_id = 201;
prefix_len = 64;
}
];
};
}

12
hosts/carbon/net-dsl.nix
View File

@@ -3,17 +3,17 @@
{ {
## DSL-Uplink ## DSL-Uplink
networking.vlans."enp1s0.7" = { networking.vlans."enp1s0.10" = {
id = 7; id = 10;
interface = "enp1s0"; interface = "enp1s0";
}; };
networking.vlans."enp3s0.7" = { networking.vlans."enp3s0.10" = {
id = 7; id = 10;
interface = "enp3s0"; interface = "enp3s0";
}; };
networking.bridges."net-dsl".interfaces = [ networking.bridges."net-dsl".interfaces = [
"enp1s0.7" "enp1s0.10"
"enp3s0.7" "enp3s0.10"
]; ];
} }

2
hosts/carbon/net-gastnetz.nix
View File

@@ -61,7 +61,7 @@
# net-gastnetz can only access internet # net-gastnetz can only access internet
clerie.firewall.extraForwardFilterCommands = '' clerie.firewall.extraForwardFilterCommands = ''
ip46tables -A forward-filter -i net-gastnetz -o ppp-dtagdsl -j ACCEPT ip46tables -A forward-filter -i net-gastnetz -o ppp-ncfttb -j ACCEPT
ip46tables -A forward-filter -i net-gastnetz -j DROP ip46tables -A forward-filter -i net-gastnetz -j DROP
ip46tables -A forward-filter -o net-gastnetz -j DROP ip46tables -A forward-filter -o net-gastnetz -j DROP
''; '';

22
hosts/carbon/ppp.nix → hosts/carbon/ppp-ncfttb.nix
View File

@@ -4,11 +4,11 @@
services.pppd = { services.pppd = {
enable = true; enable = true;
peers.dtagdsl = { peers.ncfttb = {
config = '' config = ''
plugin pppoe.so net-dsl plugin pppoe.so net-dsl
user "''${PPPD_DTAGDSL_USERNAME}" user "''${PPPD_NETCOLOGNE_USERNAME}"
ifname ppp-dtagdsl ifname ppp-ncfttb
persist persist
maxfail 0 maxfail 0
holdoff 5 holdoff 5
@@ -24,9 +24,9 @@
}; };
}; };
environment.etc."ppp/peers/dtagdsl".enable = false; environment.etc."ppp/peers/ncfttb".enable = false;
systemd.services."pppd-dtagdsl".serviceConfig = let systemd.services."pppd-ncfttb".serviceConfig = let
preStart = '' preStart = ''
mkdir -p /etc/ppp/peers mkdir -p /etc/ppp/peers
@@ -34,22 +34,22 @@
umask u=rw,g=,o= umask u=rw,g=,o=
# Copy config and substitute username # Copy config and substitute username
rm -f /etc/ppp/peers/dtagdsl rm -f /etc/ppp/peers/ncfttb
${pkgs.envsubst}/bin/envsubst -i "${config.environment.etc."ppp/peers/dtagdsl".source}" > /etc/ppp/peers/dtagdsl ${pkgs.envsubst}/bin/envsubst -i "${config.environment.etc."ppp/peers/ncfttb".source}" > /etc/ppp/peers/ncfttb
# Copy login secrets # Copy login secrets
rm -f /etc/ppp/pap-secrets rm -f /etc/ppp/pap-secrets
cat ${config.sops.secrets.pppd-dtagdsl-secrets.path} > /etc/ppp/pap-secrets cat ${config.sops.secrets.pppd-ncfttb-secrets.path} > /etc/ppp/pap-secrets
rm -f /etc/ppp/chap-secrets rm -f /etc/ppp/chap-secrets
cat ${config.sops.secrets.pppd-dtagdsl-secrets.path} > /etc/ppp/chap-secrets cat ${config.sops.secrets.pppd-ncfttb-secrets.path} > /etc/ppp/chap-secrets
''; '';
preStartFile = pkgs.writeShellApplication { preStartFile = pkgs.writeShellApplication {
name = "pppd-dtagdsl-pre-start"; name = "pppd-ncfttb-pre-start";
text = preStart; text = preStart;
}; };
in { in {
EnvironmentFile = config.sops.secrets.pppd-dtagdsl-username.path; EnvironmentFile = config.sops.secrets.pppd-ncfttb-username.path;
ExecStartPre = [ ExecStartPre = [
# "+" marks script to be executed without priviledge restrictions # "+" marks script to be executed without priviledge restrictions
"+${lib.getExe preStartFile}" "+${lib.getExe preStartFile}"

16
hosts/carbon/secrets.json
View File

@@ -1,21 +1,17 @@
{ {
"wg-monitoring": "ENC[AES256_GCM,data:+k5MgBrj/psMCE1T2jDtCCJI9Q7L+wJ3j83inNkeGp3LSUjoAPtBp4YoyL4=,iv:C19g/Lqi+cWAyiJBMNDtgLc3SDNI9bMBrBPWn+26mVY=,tag:9zIoawuGeGCMbOX1HKR/sQ==,type:str]", "wg-monitoring": "ENC[AES256_GCM,data:+k5MgBrj/psMCE1T2jDtCCJI9Q7L+wJ3j83inNkeGp3LSUjoAPtBp4YoyL4=,iv:C19g/Lqi+cWAyiJBMNDtgLc3SDNI9bMBrBPWn+26mVY=,tag:9zIoawuGeGCMbOX1HKR/sQ==,type:str]",
"pppd-dtagdsl-username": "ENC[AES256_GCM,data:JC7EyyMoN0p5YwnS9W5I0G5Omhk5usw28UiJrCfifGr+2FUgMrtFYAHQdrtWAELvYNBQDPgrHMmQjGQLhpqqK0hH,iv:/q+Fm63GVBApGInyS8i39V/lo6iv+I2omVh47deq+o8=,tag:LkR+1zTDNWuYkhH2iWT7SA==,type:str]", "pppd-ncfttb-username": "ENC[AES256_GCM,data:vyOCNm23xsD3Kj+R7zqnBjH4jEIfYpx/YUUGPcVzqMs9pnFEembahtFTl2sNzOFXLfYCYg==,iv:gMfi/6jldkXCnfdvhu5X1VKj58sVsPR8IX8iEECPfgk=,tag:PJGyIASP6RPAdVULEnn+Gg==,type:str]",
"pppd-dtagdsl-secrets": "ENC[AES256_GCM,data:c5pOb8It1py/9NXNTgLvt9zmsBVbSLHJt4iXWiNA+Osvomw3r7pgoO/JJh9ujomPMnOlDwN7g+pJ,iv:W36gA8E1mWchN6+8hdMdt2epv/RdS91T5ANB/JTcHCE=,tag:7eZ3fZkjERCVJCXYrABnlQ==,type:str]", "pppd-ncfttb-secrets": "ENC[AES256_GCM,data:IEAguET78vdzRo47UvxbDdz+kKgYWVxYakPPu5rNAZ4BCui7DUG3qm2X9bBdHSMA,iv:Q8D58HXkCoVbqwFoYk+dizXNcEP1J63uMaDSNEzfg2g=,tag:R/xG3owmbVDOLM79sfBQjA==,type:str]",
"wg-clerie": "ENC[AES256_GCM,data:OEZg8ZoLAdVhKkvB0ai13ID3gPnVUU/xkOjZ4KiJ9MnRbcFu5HBd7Nw6iNwh,iv:edPuaehya2ZvYKkiBqNUbXVDAxAT6yNgETnWtd6it94=,tag:cX12szdQfAcC6cij6zk6Dw==,type:str]", "wg-clerie": "ENC[AES256_GCM,data:OEZg8ZoLAdVhKkvB0ai13ID3gPnVUU/xkOjZ4KiJ9MnRbcFu5HBd7Nw6iNwh,iv:edPuaehya2ZvYKkiBqNUbXVDAxAT6yNgETnWtd6it94=,tag:cX12szdQfAcC6cij6zk6Dw==,type:str]",
"sops": { "sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [ "age": [
{ {
"recipient": "age16mln27e2p58gu6dpxfclttmuzfnq39mv62kthjpps33g3nl3scfq449857", "recipient": "age16mln27e2p58gu6dpxfclttmuzfnq39mv62kthjpps33g3nl3scfq449857",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3Rkd5WFE3aE5EQzY5ZXV4\nbXVGYmxTdVg1ekRpVjlRUnozY2tMTGloL21RCktjZW95OU9ZZ2owTCtMR1NxaXJn\na2VYS2ttb3VhSjNXOG84UUJtYU04QjAKLS0tIGd3aHM0RldFYnVFdDRVS0Vhc3BF\nckJhYmN6a1FJUC9ibks1cGlRaU1zbFkKE4ClunQ3XGAILwluC6iYFs+rlR02PdhK\njOmPbOlS0aNG0hoC7Z6aetgpj689AkJgl68QVcyvm+ecHH7TOT7l1A==\n-----END AGE ENCRYPTED FILE-----\n" "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3Rkd5WFE3aE5EQzY5ZXV4\nbXVGYmxTdVg1ekRpVjlRUnozY2tMTGloL21RCktjZW95OU9ZZ2owTCtMR1NxaXJn\na2VYS2ttb3VhSjNXOG84UUJtYU04QjAKLS0tIGd3aHM0RldFYnVFdDRVS0Vhc3BF\nckJhYmN6a1FJUC9ibks1cGlRaU1zbFkKE4ClunQ3XGAILwluC6iYFs+rlR02PdhK\njOmPbOlS0aNG0hoC7Z6aetgpj689AkJgl68QVcyvm+ecHH7TOT7l1A==\n-----END AGE ENCRYPTED FILE-----\n"
} }
], ],
"lastmodified": "2024-08-13T14:06:43Z", "lastmodified": "2025-10-24T19:16:49Z",
"mac": "ENC[AES256_GCM,data:yGKY0fi3KQWGHBeyNtQ8EJ6561dKRZ5aAjO9zq3odDtX75i2RSjORIlNjBsVvegBzeo8AkwwnzxNPt2sHl6MKDZfEsysWAi8Wolh4UvHk087AnR/uKvtG6t4uUaNIWej2DEzxUtTQ8QP1afsdqGCf0vZVruNcJ4u2xiQbN2vJPc=,iv:CDXJ5/P+h0Enq/0EL1su1Mw55FVYLy4XPSoUCkRkt+U=,tag:AvRfEDYMBunyIQIVCPbXag==,type:str]", "mac": "ENC[AES256_GCM,data:ADhCQ7JxrEq+5ssevuuQVf3uyHcrcNVSzdT8bkFfDFVEE1hKv8q9QsGxhIaKtv4N2gt079fy0YA+WFKH6H8zWb5ONepH4H/mAek2SYgAtmVsxwdWY13zswsJUPi2CfbaCWOqppb9IiDb8+RCbzY2u/8Qqwk8gx/0uw2hr3IJrhM=,iv:c1/TS+W4pQgh2oPT77LX+dUL929YppRYdZCmMl2yN+M=,tag:fTk1sxdeT9xFjDMhqiHZAg==,type:str]",
"pgp": [ "pgp": [
{ {
"created_at": "2024-05-10T13:05:56Z", "created_at": "2024-05-10T13:05:56Z",
@@ -24,6 +20,6 @@
} }
], ],
"unencrypted_suffix": "_unencrypted", "unencrypted_suffix": "_unencrypted",
"version": "3.8.1" "version": "3.10.2"
} }
} }

20
hosts/clerie-backup/configuration.nix
View File

@@ -5,6 +5,7 @@
[ [
./hardware-configuration.nix ./hardware-configuration.nix
./replication.nix
./restic-server.nix ./restic-server.nix
]; ];
@@ -36,25 +37,6 @@
}; };
}; };
# fix borgbackup primary grouping
users.users.borg.group = "borg";
services.borgbackup.jobs = {
backup-replication-hetzner = {
paths = [
"/mnt/clerie-backup"
];
doInit = true;
repo = "u275370-sub2@u275370.your-storagebox.de:./clerie-backup/" ;
encryption = {
mode = "none";
};
environment = { BORG_RSH = "ssh -p 23 -i /var/src/secrets/ssh/borg-backup-replication-hetzner"; };
compression = "auto,lzma";
startAt = "*-*-* 04:07:00";
};
};
clerie.monitoring = { clerie.monitoring = {
enable = true; enable = true;
id = "204"; id = "204";

23
hosts/clerie-backup/replication.nix Normal file
View File

@@ -0,0 +1,23 @@
{ lib, ... }:
with lib;
{
clerie.backup = {
enable = true;
targets = mkForce {
hetzner-storage-box = {
serverUrl = "sftp://u275370-sub2@u275370.your-storagebox.de:23";
sshKeyFile = "/var/src/secrets/ssh/borg-backup-replication-hetzner";
};
};
jobs.replication = {
paths = [
"/mnt/clerie-backup/cyan"
];
exclude = [
"/mnt/clerie-backup/cyan/.htpasswd"
];
};
};
}

13
hosts/clerie-backup/secrets.json
View File

@@ -1,19 +1,16 @@
{ {
"clerie-backup-job-replication": "ENC[AES256_GCM,data:J9zWkW1xGUiK73M=,iv:0PCJW1qrOMlX0Twy2HXGmqFzyXknE4dVdpJnnEbW36U=,tag:yxIdsqMHZgHLUIN+JCcZ6A==,type:str]",
"restic-server-cyan-htpasswd": "ENC[AES256_GCM,data:Fe6lcXXy0Hu27Y2LtwQRbk+78+unSGkII144jtstOgK0pyjlJqG2mo8ZG7L+3mmthuu+leZ6XXadEcRGpby3eCwyVEYd3lDr930pPC8hChWYMC5mGkkRUAobYED63iVxcsc36PVFQYMCDbYvtcPk8uQTXfQmhs9kSzCrONrL1Id0L9D+sGoU0snpE+eCNXyiLwuyc1qocchhuHIwkGi4dyVJWgMsKGummF5Pf9zK4KzHmT6RuPouEUAfwHkdPwtOSJ8OqZof/C/CuPYmJQyfOFAqtw8xD9OXUpvyxjC1Kta89sL5cRAE0R15oPvNUmYGaXputm9iMycPjMacpouycx1TXMTEDB0caryX9uEFAyTfPm7keHT86qA1UfImWqEE9QqJ3uCeiwW698SbTZVeKLDBqDCPP+nP/L+N412d+HHyGugPOnTj1gXY50xeOay8Wryw87iDZ9rnJxcn0u5D4+JjOIbjWvydqBXacMD/o0NG2CcQu6LVRAHRiDKoSQWEwx25tzVwn2dsgFV8c3oQ0xQI7050R11Z3M9QWOvPmOZCvYV5VSoxu7r1jMu5asrcPbbhXKatbrabEHCAbDGsBpDkqts3BVUfUaHwboXVR0DxqOC6CHVE34J99SVTGI0kIHXyNqpeUJ36tCXFg7eNPNsu8cra9whjyUUHtw==,iv:Gfg3t3YPw2hz0LJ5hovPftMYOADN2Xjc93VmT2fFVQI=,tag:k6KH4qDPrFYIU2PGgW3F9Q==,type:str]", "restic-server-cyan-htpasswd": "ENC[AES256_GCM,data:Fe6lcXXy0Hu27Y2LtwQRbk+78+unSGkII144jtstOgK0pyjlJqG2mo8ZG7L+3mmthuu+leZ6XXadEcRGpby3eCwyVEYd3lDr930pPC8hChWYMC5mGkkRUAobYED63iVxcsc36PVFQYMCDbYvtcPk8uQTXfQmhs9kSzCrONrL1Id0L9D+sGoU0snpE+eCNXyiLwuyc1qocchhuHIwkGi4dyVJWgMsKGummF5Pf9zK4KzHmT6RuPouEUAfwHkdPwtOSJ8OqZof/C/CuPYmJQyfOFAqtw8xD9OXUpvyxjC1Kta89sL5cRAE0R15oPvNUmYGaXputm9iMycPjMacpouycx1TXMTEDB0caryX9uEFAyTfPm7keHT86qA1UfImWqEE9QqJ3uCeiwW698SbTZVeKLDBqDCPP+nP/L+N412d+HHyGugPOnTj1gXY50xeOay8Wryw87iDZ9rnJxcn0u5D4+JjOIbjWvydqBXacMD/o0NG2CcQu6LVRAHRiDKoSQWEwx25tzVwn2dsgFV8c3oQ0xQI7050R11Z3M9QWOvPmOZCvYV5VSoxu7r1jMu5asrcPbbhXKatbrabEHCAbDGsBpDkqts3BVUfUaHwboXVR0DxqOC6CHVE34J99SVTGI0kIHXyNqpeUJ36tCXFg7eNPNsu8cra9whjyUUHtw==,iv:Gfg3t3YPw2hz0LJ5hovPftMYOADN2Xjc93VmT2fFVQI=,tag:k6KH4qDPrFYIU2PGgW3F9Q==,type:str]",
"wg-monitoring": "ENC[AES256_GCM,data:rOpBlDt9K//zlgWo1Bw9IX5jmpLbnit5zi60Ulz8f6tHwqVsKJv5NkxYc9A=,iv:Jlo0QZP6R1CEE20iLa7M/LV/ZX2/33oMv/FzBBo6nvY=,tag:Ttqo7BKd6RuUiMksW6rZnw==,type:str]", "wg-monitoring": "ENC[AES256_GCM,data:rOpBlDt9K//zlgWo1Bw9IX5jmpLbnit5zi60Ulz8f6tHwqVsKJv5NkxYc9A=,iv:Jlo0QZP6R1CEE20iLa7M/LV/ZX2/33oMv/FzBBo6nvY=,tag:Ttqo7BKd6RuUiMksW6rZnw==,type:str]",
"sops": { "sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [ "age": [
{ {
"recipient": "age1px682xeu0xfkr49qdqe95er040p2vv3ugekk04e36jj2wqs7tyfs8mhclh", "recipient": "age1px682xeu0xfkr49qdqe95er040p2vv3ugekk04e36jj2wqs7tyfs8mhclh",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0UCtUZ3NZQWxOK1FUNDhL\nbWhaanN2OEJIVmpMOURzWU1vcGhuODdtcDJnCm9Nb01NaVVpWDJ6Q3JCbXRkRUJP\nUVdFaGVScUdxRnlpSnRNOG1RalNRaFUKLS0tICs0cW1WR0JMUmdaVWVzdTh2bjFm\nenBzaERpb1hCS1E3TUo3cmxpZFUxWmcKcLL5/YTGyZEVLwHSpbEI5XfWGklkI7h+\n0uhCww8Wh23EpUYFslZ0Nnbf5HX5/Z34qBwf20cvN8eLToTAQvTdeg==\n-----END AGE ENCRYPTED FILE-----\n" "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0UCtUZ3NZQWxOK1FUNDhL\nbWhaanN2OEJIVmpMOURzWU1vcGhuODdtcDJnCm9Nb01NaVVpWDJ6Q3JCbXRkRUJP\nUVdFaGVScUdxRnlpSnRNOG1RalNRaFUKLS0tICs0cW1WR0JMUmdaVWVzdTh2bjFm\nenBzaERpb1hCS1E3TUo3cmxpZFUxWmcKcLL5/YTGyZEVLwHSpbEI5XfWGklkI7h+\n0uhCww8Wh23EpUYFslZ0Nnbf5HX5/Z34qBwf20cvN8eLToTAQvTdeg==\n-----END AGE ENCRYPTED FILE-----\n"
} }
], ],
"lastmodified": "2025-02-16T18:13:34Z", "lastmodified": "2025-11-16T16:13:47Z",
"mac": "ENC[AES256_GCM,data:io2WVxTxHSlxrk7JaN6/fUI7YotvPfgbXTD1lEf1tN7QhuGRH/iZrji/VQlhJ8tk2dAS1Pe0rsTuxCMXcXcxRIh4EYbQky5IZj5jpfPcslQOquTcXzmPYdijPUWSqu6leGc0GG/7KccjSFD8TfwAgeuVrc2Br57yfqKoPf+M0fY=,iv:iYp73PrFnLZoI9014mbqQQERhFtfhb5YmzV6HiUi+YM=,tag:2AZEzhVVdEos5FLkg8cr5w==,type:str]", "mac": "ENC[AES256_GCM,data:ksW2wq/EWTi9dKppGhEheVQ74G6riy1asiDmdsC78bfeAJHTbXqlni5u11DIbo67sdpZE+xXJiB1woLEcG0B4wS92r5MIWhQrul+ot95UnwVFceYLkO4KLxgOjlJzgHKuWq/ccOoKnucd/vmagQ5E/4ubBXMOHvHVLL4dNYOsDo=,iv:unLO6F/b1mAIefWfvD0PW840pTWUULgwJSl6mh637q4=,tag:0dlOFTAmLZc7oXJ25SeH1A==,type:str]",
"pgp": [ "pgp": [
{ {
"created_at": "2024-05-05T12:12:27Z", "created_at": "2024-05-05T12:12:27Z",
@@ -22,6 +19,6 @@
} }
], ],
"unencrypted_suffix": "_unencrypted", "unencrypted_suffix": "_unencrypted",
"version": "3.8.1" "version": "3.11.0"
} }
} }

3
hosts/dn42-il-gw1/configuration.nix
View File

@@ -237,8 +237,7 @@
]; ];
}; };
clerie.system-auto-upgrade = { services.bijwerken = {
allowReboot = true;
autoUpgrade = true; autoUpgrade = true;
}; };

3
hosts/dn42-il-gw5/configuration.nix
View File

@@ -111,8 +111,7 @@
''; '';
}; };
clerie.system-auto-upgrade = { services.bijwerken = {
allowReboot = true;
autoUpgrade = true; autoUpgrade = true;
startAt = "*-*-* 06:22:00"; startAt = "*-*-* 06:22:00";
}; };

3
hosts/dn42-il-gw6/configuration.nix
View File

@@ -105,8 +105,7 @@
''; '';
}; };
clerie.system-auto-upgrade = { services.bijwerken = {
allowReboot = true;
autoUpgrade = true; autoUpgrade = true;
startAt = "*-*-* 07:22:00"; startAt = "*-*-* 07:22:00";
}; };

3
hosts/dn42-ildix-clerie/configuration.nix
View File

@@ -161,8 +161,7 @@
} }
''; '';
clerie.system-auto-upgrade = { services.bijwerken = {
allowReboot = true;
autoUpgrade = true; autoUpgrade = true;
}; };

3
hosts/dn42-ildix-service/configuration.nix
View File

@@ -70,8 +70,7 @@
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
clerie.system-auto-upgrade = { services.bijwerken = {
allowReboot = true;
autoUpgrade = true; autoUpgrade = true;
}; };

4
hosts/krypton/configuration.nix
View File

@@ -5,8 +5,6 @@
[ [
./hardware-configuration.nix ./hardware-configuration.nix
../../configuration/desktop
./android.nix ./android.nix
./backup.nix ./backup.nix
./etesync-dav.nix ./etesync-dav.nix
@@ -15,6 +13,8 @@
./programs.nix ./programs.nix
]; ];
profiles.clerie.desktop.enable = true;
# Use the systemd-boot EFI boot loader. # Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;

6
hosts/krypton/programs.nix
View File

@@ -11,17 +11,21 @@
signal-desktop signal-desktop
dino dino
fractal fractal
tuba
flare-signal
tio tio
xournalpp xournalpp
onlyoffice-bin libreoffice
krita krita
inkscape inkscape
dune3d
wireshark wireshark
tcpdump tcpdump
nmap nmap
pkgs."http.server"
kdePackages.okular kdePackages.okular
chromium-incognito chromium-incognito

77
hosts/monitoring-3/dashboards/home.json Normal file
View File

@@ -0,0 +1,77 @@
{
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": {
"type": "datasource",
"uid": "grafana"
},
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"target": {
"limit": 100,
"matchAny": false,
"tags": [],
"type": "dashboard"
},
"type": "dashboard"
}
]
},
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 0,
"id": 10,
"links": [],
"panels": [
{
"fieldConfig": {
"defaults": {},
"overrides": []
},
"gridPos": {
"h": 11,
"w": 24,
"x": 0,
"y": 0
},
"id": 2,
"options": {
"includeVars": false,
"keepTime": false,
"maxItems": 10,
"query": "",
"showFolderNames": true,
"showHeadings": false,
"showRecentlyViewed": false,
"showSearch": true,
"showStarred": false,
"tags": []
},
"pluginVersion": "12.0.2+security-01",
"title": "Dashboards",
"type": "dashlist"
}
],
"preload": false,
"refresh": "",
"schemaVersion": 41,
"tags": [],
"templating": {
"list": []
},
"time": {
"from": "now-6h",
"to": "now"
},
"timepicker": {
"hidden": true
},
"timezone": "browser",
"title": "Home",
"uid": "OqTN9p2nz",
"version": 1
}

355
hosts/monitoring-3/dashboards/nginx-exporter.json Normal file
View File

@@ -0,0 +1,355 @@
{
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": {
"type": "grafana",
"uid": "-- Grafana --"
},
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"type": "dashboard"
}
]
},
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 0,
"id": 16,
"links": [],
"panels": [
{
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "palette-classic"
},
"custom": {
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"barWidthFactor": 0.6,
"drawStyle": "line",
"fillOpacity": 0,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"insertNulls": false,
"lineInterpolation": "linear",
"lineWidth": 1,
"pointSize": 5,
"scaleDistribution": {
"type": "linear"
},
"showPoints": "auto",
"spanNulls": false,
"stacking": {
"group": "A",
"mode": "none"
},
"thresholdsStyle": {
"mode": "off"
}
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green"
}
]
},
"unit": "reqps"
},
"overrides": []
},
"gridPos": {
"h": 10,
"w": 12,
"x": 0,
"y": 0
},
"id": 1,
"options": {
"legend": {
"calcs": [],
"displayMode": "list",
"placement": "bottom",
"showLegend": true
},
"tooltip": {
"hideZeros": false,
"mode": "single",
"sort": "none"
}
},
"pluginVersion": "12.0.2+security-01",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"disableTextWrap": false,
"editorMode": "builder",
"expr": "sum by(server_name) (rate(nginxlog_http_response_count_total{server_name=~\"$server_name\"}[5m]))",
"fullMetaSearch": false,
"includeNullMetadata": true,
"legendFormat": "__auto",
"range": true,
"refId": "A",
"useBackend": false
}
],
"title": "Total requests",
"type": "timeseries"
},
{
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "palette-classic"
},
"custom": {
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"barWidthFactor": 0.6,
"drawStyle": "line",
"fillOpacity": 0,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"insertNulls": false,
"lineInterpolation": "linear",
"lineWidth": 1,
"pointSize": 5,
"scaleDistribution": {
"type": "linear"
},
"showPoints": "auto",
"spanNulls": false,
"stacking": {
"group": "A",
"mode": "none"
},
"thresholdsStyle": {
"mode": "off"
}
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green"
}
]
},
"unit": "reqps"
},
"overrides": []
},
"gridPos": {
"h": 10,
"w": 12,
"x": 12,
"y": 0
},
"id": 2,
"options": {
"legend": {
"calcs": [],
"displayMode": "list",
"placement": "bottom",
"showLegend": true
},
"tooltip": {
"hideZeros": false,
"mode": "single",
"sort": "none"
}
},
"pluginVersion": "12.0.2+security-01",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"disableTextWrap": false,
"editorMode": "builder",
"expr": "sum by(server_name, method) (rate(nginxlog_http_response_count_total{server_name=~\"$server_name\"}[5m]))",
"fullMetaSearch": false,
"includeNullMetadata": true,
"legendFormat": "{{server_name}}: {{method}}",
"range": true,
"refId": "A",
"useBackend": false
}
],
"title": "Status codes",
"type": "timeseries"
},
{
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "palette-classic"
},
"custom": {
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"barWidthFactor": 0.6,
"drawStyle": "line",
"fillOpacity": 0,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"insertNulls": false,
"lineInterpolation": "linear",
"lineWidth": 1,
"pointSize": 5,
"scaleDistribution": {
"type": "linear"
},
"showPoints": "auto",
"spanNulls": false,
"stacking": {
"group": "A",
"mode": "none"
},
"thresholdsStyle": {
"mode": "off"
}
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green"
}
]
},
"unit": "reqps"
},
"overrides": []
},
"gridPos": {
"h": 10,
"w": 12,
"x": 0,
"y": 10
},
"id": 3,
"options": {
"legend": {
"calcs": [],
"displayMode": "list",
"placement": "bottom",
"showLegend": true
},
"tooltip": {
"hideZeros": false,
"mode": "single",
"sort": "none"
}
},
"pluginVersion": "12.0.2+security-01",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"disableTextWrap": false,
"editorMode": "builder",
"expr": "sum by(server_name, status) (rate(nginxlog_http_response_count_total{server_name=~\"$server_name\"}[5m]))",
"fullMetaSearch": false,
"includeNullMetadata": true,
"legendFormat": "{{server_name}}: HTTP {{status}}",
"range": true,
"refId": "A",
"useBackend": false
}
],
"title": "Response codes",
"type": "timeseries"
}
],
"preload": false,
"refresh": "30s",
"schemaVersion": 41,
"tags": [],
"templating": {
"list": [
{
"current": {
"text": "All",
"value": [
"$__all"
]
},
"definition": "label_values(nginxlog_http_response_count_total,server_name)",
"includeAll": true,
"label": "vHost",
"multi": true,
"name": "server_name",
"options": [],
"query": {
"qryType": 1,
"query": "label_values(nginxlog_http_response_count_total,server_name)",
"refId": "PrometheusVariableQueryEditor-VariableQuery"
},
"refresh": 1,
"regex": "",
"type": "query"
}
]
},
"time": {
"from": "now-3h",
"to": "now"
},
"timepicker": {},
"timezone": "browser",
"title": "Nginx Exporter",
"uid": "b042a880-3cb0-4dd3-ae48-4745a58af698",
"version": 7
}

135
hosts/monitoring-3/dashboards/nixos-status.json Normal file
View File

@@ -0,0 +1,135 @@
{
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": {
"type": "grafana",
"uid": "-- Grafana --"
},
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"target": {
"limit": 100,
"matchAny": false,
"tags": [],
"type": "dashboard"
},
"type": "dashboard"
}
]
},
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 0,
"id": 15,
"links": [],
"panels": [
{
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "continuous-RdYlGr"
},
"custom": {
"axisPlacement": "auto",
"fillOpacity": 70,
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"insertNulls": false,
"lineWidth": 0,
"spanNulls": false
},
"mappings": [
{
"options": {
"0": {
"index": 1,
"text": "mismatch"
},
"1": {
"index": 0,
"text": "sync"
}
},
"type": "value"
}
],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "red"
}
]
}
},
"overrides": []
},
"gridPos": {
"h": 23,
"w": 24,
"x": 0,
"y": 0
},
"id": 2,
"options": {
"alignValue": "left",
"legend": {
"displayMode": "list",
"placement": "bottom",
"showLegend": true
},
"mergeValues": true,
"rowHeight": 0.9,
"showValue": "auto",
"tooltip": {
"hideZeros": false,
"mode": "single",
"sort": "none"
}
},
"pluginVersion": "12.0.2+security-01",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"editorMode": "builder",
"expr": "nixos_current_system_is_sync",
"legendFormat": "{{instance}}",
"range": true,
"refId": "A"
}
],
"title": "Config is Sync",
"type": "state-timeline"
}
],
"preload": false,
"refresh": "5m",
"schemaVersion": 41,
"tags": [],
"templating": {
"list": []
},
"time": {
"from": "now-7d",
"to": "now"
},
"timepicker": {},
"timezone": "",
"title": "NixOS Status",
"uid": "W4j3nz1Vz",
"version": 3
}

211
hosts/monitoring-3/dashboards/smokeping.json Normal file
View File

@@ -0,0 +1,211 @@
{
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": {
"type": "datasource",
"uid": "grafana"
},
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"target": {
"limit": 100,
"matchAny": false,
"tags": [],
"type": "dashboard"
},
"type": "dashboard"
}
]
},
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 0,
"id": 11,
"links": [],
"panels": [
{
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "palette-classic"
},
"custom": {
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"barWidthFactor": 0.6,
"drawStyle": "line",
"fillOpacity": 0,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"insertNulls": false,
"lineInterpolation": "linear",
"lineWidth": 1,
"pointSize": 5,
"scaleDistribution": {
"type": "linear"
},
"showPoints": "auto",
"spanNulls": false,
"stacking": {
"group": "A",
"mode": "none"
},
"thresholdsStyle": {
"mode": "off"
}
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green"
},
{
"color": "red",
"value": 80
}
]
},
"unit": "s"
},
"overrides": []
},
"gridPos": {
"h": 22,
"w": 24,
"x": 0,
"y": 0
},
"id": 2,
"options": {
"legend": {
"calcs": [],
"displayMode": "list",
"placement": "bottom",
"showLegend": true
},
"tooltip": {
"hideZeros": false,
"mode": "single",
"sort": "none"
}
},
"pluginVersion": "12.0.2+security-01",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"editorMode": "code",
"exemplar": true,
"expr": "probe_icmp_duration_seconds{job=\"blackbox_icmp6\", target=~\"$target\", instance=~\"$instance\", phase=\"rtt\"} > 0 ",
"interval": "",
"legendFormat": "IPv6 {{target}} ({{instance}})",
"range": true,
"refId": "A"
},
{
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"editorMode": "code",
"exemplar": true,
"expr": "probe_icmp_duration_seconds{job=\"blackbox_icmp4\", target=~\"$target\", instance=~\"$instance\", phase=\"rtt\"} > 0",
"hide": false,
"interval": "",
"legendFormat": "IPv4 {{target}} ({{instance}})",
"range": true,
"refId": "B"
}
],
"title": "Smokeping",
"type": "timeseries"
}
],
"preload": false,
"refresh": "",
"schemaVersion": 41,
"tags": [],
"templating": {
"list": [
{
"current": {
"text": "All",
"value": "$__all"
},
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"definition": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, target)",
"includeAll": true,
"label": "Target:",
"multi": true,
"name": "target",
"options": [],
"query": {
"query": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, target)",
"refId": "StandardVariableQuery"
},
"refresh": 1,
"regex": "",
"type": "query"
},
{
"current": {
"text": [
"All"
],
"value": [
"$__all"
]
},
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"definition": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, instance)",
"includeAll": true,
"label": "Instance:",
"multi": true,
"name": "instance",
"options": [],
"query": {
"query": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, instance)",
"refId": "StandardVariableQuery"
},
"refresh": 1,
"regex": "",
"type": "query"
}
]
},
"time": {
"from": "now-30m",
"to": "now"
},
"timepicker": {},
"timezone": "",
"title": "Smokeping",
"uid": "IytTVZL7z",
"version": 9
}

35
hosts/monitoring-3/prometheus.nix
View File

@@ -52,6 +52,12 @@ let
attrByPath ["clerie" "monitoring" "blackbox"] false host.config) attrByPath ["clerie" "monitoring" "blackbox"] false host.config)
monitoringHosts); monitoringHosts);
nginxlogMonitoringTargets = mapAttrsToList (name: host:
"${host.config.networking.hostName}.mon.clerie.de:9117")
(filterAttrs (name: host:
attrByPath ["services" "prometheus" "exporters" "nginxlog" "enable"] false host.config)
monitoringHosts);
eachWithEachOther = (f: x: y: lib.lists.flatten (lib.lists.forEach x (a: lib.lists.forEach y (b: f a b)))); eachWithEachOther = (f: x: y: lib.lists.flatten (lib.lists.forEach x (a: lib.lists.forEach y (b: f a b))));
in { in {
@@ -104,6 +110,21 @@ in {
relabelAddressToInstance relabelAddressToInstance
]; ];
} }
{
job_name = "alertmanager";
scrape_interval = "20s";
scheme = "http";
static_configs = [
{
targets = [
"monitoring-3.mon.clerie.de:9093"
];
}
];
relabel_configs = [
relabelAddressToInstance
];
}
{ {
job_name = "node-exporter"; job_name = "node-exporter";
scrape_interval = "20s"; scrape_interval = "20s";
@@ -521,12 +542,24 @@ in {
} }
]; ];
} }
{
job_name = "nginxlog-exporter";
scrape_interval = "20s";
static_configs = [
{
targets = nginxlogMonitoringTargets;
}
];
relabel_configs = [
relabelAddressToInstance
];
}
]; ];
alertmanagers = [ alertmanagers = [
{ {
static_configs = [ { static_configs = [ {
targets = [ targets = [
"[::1]:9093" "monitoring-3.mon.clerie.de:9093"
]; ];
} ]; } ];
} }

17
hosts/monitoring-3/rules.yml
View File

@@ -89,9 +89,24 @@ groups:
description: "GPG with fingerprint {{ $labels.fingerprint }} is expiring in less then six weeks" description: "GPG with fingerprint {{ $labels.fingerprint }} is expiring in less then six weeks"
- alert: NadjaTopIPv4ProxyBroken - alert: NadjaTopIPv4ProxyBroken
expr: probe_success{job="blackbox_local_http6", target="blog.nadja.top"} != on (target) probe_success{job="blackbox_local_http4", target="blog.nadja.top"} expr: probe_success{job="blackbox_local_http6", target="blog.nadja.top"} != on (target) probe_success{job="blackbox_local_http4", target="blog.nadja.top"}
for: 5m for: 15m
labels: labels:
severity: critical severity: critical
annotations: annotations:
summary: "blog.nadja.top unreachable via IPv4" summary: "blog.nadja.top unreachable via IPv4"
description: "blog.nadja.top unreachable IPv4, but reachable via IPv6" description: "blog.nadja.top unreachable IPv4, but reachable via IPv6"
- alert: AlertmanagerNotificationRequestsFailed
expr: rate(alertmanager_notification_requests_failed_total[5m]) > 0
labels:
severity: critical
annotations:
summary: "Too many notification requests failed"
description: "Too many notification requests to Alertmanager integration {{ $labels.integration }} failed"
- alert: FemSocialDown
expr: min(probe_success{target="fem.social", job=~"blackbox_local_http.*"}) == 0
for: 5m
labels:
severity: critical
annotations:
summary: "fem.social unavailable via HTTP"
description: "fem.social is not fully reachable via HTTP"

3
hosts/nonat/configuration.nix
View File

@@ -41,8 +41,7 @@
networking.firewall.allowedUDPPorts = []; networking.firewall.allowedUDPPorts = [];
clerie.system-auto-upgrade = { services.bijwerken = {
allowReboot = true;
autoUpgrade = true; autoUpgrade = true;
}; };

4
hosts/porter/configuration.nix
View File

@@ -58,6 +58,10 @@
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedUDPPorts = []; networking.firewall.allowedUDPPorts = [];
services.bijwerken = {
autoUpgrade = true;
};
clerie.monitoring = { clerie.monitoring = {
enable = true; enable = true;
id = "102"; id = "102";

3
hosts/storage-2/configuration.nix
View File

@@ -52,8 +52,7 @@
}; };
}; };
clerie.system-auto-upgrade = { services.bijwerken = {
allowReboot = true;
autoUpgrade = true; autoUpgrade = true;
}; };

21
hosts/storage-2/em.nix
View File

@@ -11,7 +11,28 @@ with lib;
}; };
users.groups.data-em = {}; users.groups.data-em = {};
users.users.data-em-mp3 = {
group = "data-em-mp3";
home = "/data/em-mp3";
useDefaultShell = true;
isSystemUser = true;
};
users.groups.data-em-mp3 = {};
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d /data/em - data-em data-em - -" "d /data/em - data-em data-em - -"
"d /data/em-mp3 - data-em-mp3 data-em-mp3 - -"
]; ];
systemd.services.convert-flac-dir-to-mp3 = {
serviceConfig = {
Type = "oneshot";
ExecStart = "${lib.getExe pkgs.convert-flac-dir-to-mp3} /data/em /data/em-mp3";
StateDirectory = "convert-flac-dir-to-mp3";
WorkingDirectory = "/var/lib/convert-flac-dir-to-mp3";
User = "data-em-mp3";
Group = "data-em-mp3";
};
startAt = "*-*-* 03:47:00";
};
} }

10
hosts/storage-2/mixcloud.nix
View File

@@ -53,17 +53,23 @@ in {
"mixcloud.clerie.de" = { "mixcloud.clerie.de" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
basicAuthFile = config.sops.secrets.mixcloud-htpasswd.path;
locations."/" = { locations."/" = {
alias = "/data/mixcloud/"; alias = "/data/mixcloud/";
basicAuthFile = config.sops.secrets.mixcloud-htpasswd.path;
extraConfig = '' extraConfig = ''
autoindex on; autoindex on;
autoindex_exact_size off; autoindex_exact_size off;
''; '';
}; };
locations."/api/" = {
alias = "/data/mixcloud/";
extraConfig = ''
autoindex on;
autoindex_format json;
'';
};
locations."/media/" = { locations."/media/" = {
alias = "/data/media/"; alias = "/data/media/";
basicAuthFile = config.sops.secrets.mixcloud-htpasswd.path;
extraConfig = '' extraConfig = ''
autoindex on; autoindex on;
autoindex_exact_size off; autoindex_exact_size off;

195
hosts/web-2/blocked-prefixes.txt Normal file
View File

@@ -0,0 +1,195 @@
ip6tables -I nixos-fw -s 2400:3200::/48 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 2400:3200:baba::/48 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 2400:b200:4100::/46 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 2401:8680:4100::/48 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 2401:b180:4100::/48 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 2404:2280:1000::/36 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 2404:2280:2000::/35 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 2404:2280:4000::/36 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 2408:4000:1000::/48 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 2408:4009:500::/48 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4000::/31 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4002::/32 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4004::/31 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4006::/48 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4006:1000::/43 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4006:1020::/44 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4007::/32 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4009::/32 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:400b::/32 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:400c::/30 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4011::/32 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4012::/48 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4013::/32 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4014::/32 -j nixos-fw-refuse
iptables -I nixos-fw -s 5.181.224.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.208.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.209.0.0/19 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.209.36.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.209.40.0/21 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.209.48.0/20 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.209.64.0/18 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.209.128.0/17 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.210.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.212.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.213.0.0/17 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.213.128.0/19 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.213.160.0/21 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.213.176.0/20 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.213.192.0/18 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.214.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.216.0.0/14 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.220.64.0/18 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.220.128.0/17 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.221.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.222.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 14.1.112.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.91.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.1.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.2.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.4.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.7.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.8.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.17.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.19.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.20.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.24.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.27.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.28.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.32.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.40.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.52.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.56.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.58.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.66.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.68.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.72.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.78.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.80.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.84.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.86.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.88.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.96.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.100.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.102.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.104.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.106.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.98.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.100.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.102.0.0/17 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.103.0.0/17 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.104.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.108.0.0/17 -j nixos-fw-refuse
iptables -I nixos-fw -s 45.196.28.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 45.199.179.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.52.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.56.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.74.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.76.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.77.0.0/20 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.77.16.0/21 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.77.24.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.77.32.0/19 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.77.64.0/19 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.77.96.0/20 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.77.128.0/17 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.78.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.79.0.0/17 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.79.128.0/19 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.79.192.0/18 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.80.0.0/14 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.84.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.86.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.87.0.0/17 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.87.128.0/18 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.87.192.0/19 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.87.224.0/21 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.87.232.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.88.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.89.0.0/18 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.89.72.0/21 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.89.80.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.89.84.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.89.88.0/21 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.89.96.0/20 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.89.122.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.89.124.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.89.128.0/17 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.90.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.235.0.0/21 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.235.8.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.235.12.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.235.16.0/20 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.236.0.0/14 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.240.0.0/14 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.244.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.32.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.66.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.68.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.72.0/21 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.80.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.82.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.84.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.88.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.92.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.96.0/20 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.120.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.122.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.124.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.128.0/20 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.144.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.150.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.152.0/21 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.160.0/19 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.192.0/21 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.250.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.252.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.254.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 59.82.136.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 103.81.186.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 110.76.21.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 110.76.23.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 116.251.64.0/18 -j nixos-fw-refuse
iptables -I nixos-fw -s 139.95.0.0/20 -j nixos-fw-refuse
iptables -I nixos-fw -s 139.95.16.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 139.95.64.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 140.205.1.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 140.205.122.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 147.139.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 149.129.0.0/20 -j nixos-fw-refuse
iptables -I nixos-fw -s 149.129.16.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 149.129.32.0/19 -j nixos-fw-refuse
iptables -I nixos-fw -s 149.129.64.0/18 -j nixos-fw-refuse
iptables -I nixos-fw -s 149.129.192.0/18 -j nixos-fw-refuse
iptables -I nixos-fw -s 156.227.20.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 156.236.12.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 156.236.17.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 156.240.76.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 156.245.1.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 161.117.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.24.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.29.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.30.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.32.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.64.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.66.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.68.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.72.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.76.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.80.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.84.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.86.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.88.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.90.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.92.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.104.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.136.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.138.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 185.78.106.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 198.11.128.0/18 -j nixos-fw-refuse
iptables -I nixos-fw -s 202.144.199.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 203.107.64.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 203.107.68.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 205.204.96.0/19 -j nixos-fw-refuse
iptables -I nixos-fw -s 223.5.5.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 223.6.6.0/24 -j nixos-fw-refuse

3
hosts/web-2/clerie.nix
View File

@@ -53,9 +53,6 @@
''; '';
return = "200 ''"; return = "200 ''";
}; };
extraConfig = ''
access_log /var/log/nginx/clerie.de.log combined_anon;
'';
}; };
}; };
} }

3
hosts/web-2/configuration.nix
View File

@@ -24,6 +24,7 @@
./public.nix ./public.nix
./radicale.nix ./radicale.nix
./reichartstrasse.nix ./reichartstrasse.nix
./traveldrafter.nix
./uptimestatus.nix ./uptimestatus.nix
./wetter.nix ./wetter.nix
]; ];
@@ -51,6 +52,8 @@
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.extraCommands = builtins.readFile ./blocked-prefixes.txt;
services.postgresql = { services.postgresql = {
enable = true; enable = true;
package = pkgs.postgresql_16; package = pkgs.postgresql_16;

3
hosts/web-2/gitea.nix
View File

@@ -83,9 +83,6 @@
proxyPass = "http://[::1]:3000"; proxyPass = "http://[::1]:3000";
}; };
}; };
extraConfig = ''
access_log /var/log/nginx/git.clerie.de.log combined_anon;
'';
}; };
}; };
} }

9
hosts/web-2/ip.nix
View File

@@ -53,9 +53,6 @@
types { } default_type "text/html; charset=utf-8"; types { } default_type "text/html; charset=utf-8";
''; '';
}; };
extraConfig = ''
access_log /var/log/nginx/ip.clerie.de.log vcombined_anon;
'';
}; };
"ip4.clerie.de" = { "ip4.clerie.de" = {
enableACME = true; enableACME = true;
@@ -67,9 +64,6 @@
add_header Access-Control-Allow-Origin *; add_header Access-Control-Allow-Origin *;
''; '';
}; };
extraConfig = ''
access_log /var/log/nginx/ip.clerie.de.log vcombined_anon;
'';
}; };
"ip6.clerie.de" = { "ip6.clerie.de" = {
enableACME = true; enableACME = true;
@@ -81,9 +75,6 @@
add_header Access-Control-Allow-Origin *; add_header Access-Control-Allow-Origin *;
''; '';
}; };
extraConfig = ''
access_log /var/log/nginx/ip.clerie.de.log vcombined_anon;
'';
}; };
}; };
} }

4
hosts/web-2/legal.nix
View File

@@ -7,8 +7,8 @@
forceSSL = true; forceSSL = true;
root = pkgs.fetchgit { root = pkgs.fetchgit {
url = "https://git.clerie.de/clerie/legal.clerie.de.git"; url = "https://git.clerie.de/clerie/legal.clerie.de.git";
rev = "c6900226e3107a2e370a32759d83db472ab5450d"; rev = "b271b9729f4545c340ce9d16ecbca136031da409";
sha256 = "sha256-lOjbHqYc/85rjotwQ5Oj+MSWnDIfLx2w5mpiJkChbXU="; sha256 = "sha256-uw69o7LxK+JF1AojSyusU1urshBc63Bgva5lRBgQdKc=";
}; };
locations."/impressum" = { locations."/impressum" = {
return = ''301 https://legal.clerie.de/#impressum''; return = ''301 https://legal.clerie.de/#impressum'';

11
hosts/web-2/secrets.json
View File

@@ -4,19 +4,16 @@
"clerie-backup-target-magenta": "ENC[AES256_GCM,data:zsPFXpnTWHL2b9/fZiW1fhpla8hTeZb1+O8oihnwDIAcC4Tgn8PrFDEYK7kuWYcdbIvL5XRJRR48erSACsntFA==,iv:lTlAyVl3ndgca4Mp9lSldXmhlP8ECPvE/CM7Zpzy9ao=,tag:LCNF1loABQpZ8Y5wfpXjkg==,type:str]", "clerie-backup-target-magenta": "ENC[AES256_GCM,data:zsPFXpnTWHL2b9/fZiW1fhpla8hTeZb1+O8oihnwDIAcC4Tgn8PrFDEYK7kuWYcdbIvL5XRJRR48erSACsntFA==,iv:lTlAyVl3ndgca4Mp9lSldXmhlP8ECPvE/CM7Zpzy9ao=,tag:LCNF1loABQpZ8Y5wfpXjkg==,type:str]",
"wg-monitoring": "ENC[AES256_GCM,data:AfkytaHshFSyKkMdKVMdYaq3sKUC9dKYs5rKXN4Ouv5kjDGNXC18liEsRuc=,iv:4mMgsovdAJ++Myr+9GuhAaEBuzDBNZbGK6zfzoAEJ0E=,tag:/d0ZXNbpaMFyxyzov23kdQ==,type:str]", "wg-monitoring": "ENC[AES256_GCM,data:AfkytaHshFSyKkMdKVMdYaq3sKUC9dKYs5rKXN4Ouv5kjDGNXC18liEsRuc=,iv:4mMgsovdAJ++Myr+9GuhAaEBuzDBNZbGK6zfzoAEJ0E=,tag:/d0ZXNbpaMFyxyzov23kdQ==,type:str]",
"radicale-htpasswd": "ENC[AES256_GCM,data:+FHsq5We/fc8gBNub/GV5Mfs2i0/7Qm9UPDhb3unEhak6XDAvMSUQb4eaX0wn7Yi3y/gFGmapd0eYilTjfoJnI9gVnvi,iv:lEV8kQh9RBL/xKcCLIRzUR6ADq4zoah1c8Z67Qrs3dQ=,tag:cw6jKYbZUXBD3Zio5CH+Hw==,type:str]", "radicale-htpasswd": "ENC[AES256_GCM,data:+FHsq5We/fc8gBNub/GV5Mfs2i0/7Qm9UPDhb3unEhak6XDAvMSUQb4eaX0wn7Yi3y/gFGmapd0eYilTjfoJnI9gVnvi,iv:lEV8kQh9RBL/xKcCLIRzUR6ADq4zoah1c8Z67Qrs3dQ=,tag:cw6jKYbZUXBD3Zio5CH+Hw==,type:str]",
"traveldrafter-htpasswd": "ENC[AES256_GCM,data:f29vVDofv2mJEyn/pMKWW8ZbVTKSofe1EEtcfuCaokdqAyxemcq/2hrXFw8cAGTV2hwVqlM2hzJcT32KBjO/wgUNfv4=,iv:5PdQ+bn/bXmfQstP5A/dLeDk7O0qTjoRTyr4D+AgiG0=,tag:gCBrSJ4cEnZHqePiUpPglA==,type:str]",
"sops": { "sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [ "age": [
{ {
"recipient": "age1nn8dwl2avshdhwn66w92jvlvz2ugl5fdxc8dxz6lpru72hlq44uq5a88az", "recipient": "age1nn8dwl2avshdhwn66w92jvlvz2ugl5fdxc8dxz6lpru72hlq44uq5a88az",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlU2tEMHIvRUFxa24wMVcy\nb2lheGR2ekl6S0wzWUd5cTMwTC9HdFN1eVc0CkRjRHdJVUw3ZCtZSTlUOHZCV2J6\nYkxqdnNmU05LTTNmNFZiTzBxZVdkOTgKLS0tIEZUZ0svL2NhcTZPdFZrYUhwQ05Q\nWnZXRWIvRXBOMWNDTzQ4RDNKa3IwSUkKj+vI9dEEUQYN9uT6H1FdexComfbe+iA9\nVzLF970ASzptGiNYtdN9GYdXY7JGHoOfmYy3fpjZGN3p2KqiYyi3UA==\n-----END AGE ENCRYPTED FILE-----\n" "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlU2tEMHIvRUFxa24wMVcy\nb2lheGR2ekl6S0wzWUd5cTMwTC9HdFN1eVc0CkRjRHdJVUw3ZCtZSTlUOHZCV2J6\nYkxqdnNmU05LTTNmNFZiTzBxZVdkOTgKLS0tIEZUZ0svL2NhcTZPdFZrYUhwQ05Q\nWnZXRWIvRXBOMWNDTzQ4RDNKa3IwSUkKj+vI9dEEUQYN9uT6H1FdexComfbe+iA9\nVzLF970ASzptGiNYtdN9GYdXY7JGHoOfmYy3fpjZGN3p2KqiYyi3UA==\n-----END AGE ENCRYPTED FILE-----\n"
} }
], ],
"lastmodified": "2024-05-10T13:32:34Z", "lastmodified": "2025-07-06T16:08:39Z",
"mac": "ENC[AES256_GCM,data:lxfYT2TEO9KFx0x6DPRQ2mRy5Ft6syyyO1yV9my6GwvDxd1e7odXGRcFo3N1AFod8Y6z4+XaxqZ/GoqSp94Pk8aF4eEhyAFun/UUr8KhKGsnq6xnQA4p37oYccvTY4eohS5YHBr/+AMutddmQ7qiYtQhVViXAr6+dmOsV1Tfu+A=,iv:bC+z9SP2W048bR3aWIcPgRlfLB5n5ccst6OvH0NjYBk=,tag:qhoXUAl0nG4LYy6yXQP2/g==,type:str]", "mac": "ENC[AES256_GCM,data:6EbMSJAKOMgXtlwaVtsmPgrZVgraReAfVJWjZvhe965eLhhP5aeyZqPlA6a93h2FsShVFYWFPI57tdHy9Ymo53oXolSt8Docr2w2FL4BTWHHhkXal9+6aJZAZ+XOPEOUYurFxPOX44l+LDkecSz0NMCgrScWtpphjlkj3yP5GTo=,iv:5w8RC9IAuyEuO0QSZ0FBwW2/qqV56HNG7hZIkEeGEYU=,tag:Zosv1OSMtznnKkSYStu+oA==,type:str]",
"pgp": [ "pgp": [
{ {
"created_at": "2024-05-10T13:29:58Z", "created_at": "2024-05-10T13:29:58Z",
@@ -27,4 +24,4 @@
"unencrypted_suffix": "_unencrypted", "unencrypted_suffix": "_unencrypted",
"version": "3.8.1" "version": "3.8.1"
} }
} }

40
hosts/web-2/traveldrafter.nix Normal file
View File

@@ -0,0 +1,40 @@
{ pkgs, lib, config, ... }: {
services.update-from-hydra.paths.traveldrafter = {
enable = true;
hydraUrl = "https://hydra.clerie.de";
hydraProject = "clerie";
hydraJobset = "traveldrafter";
hydraJob = "packages.x86_64-linux.traveldrafter";
nixStoreUri = "https://nix-cache.clerie.de";
resultPath = "/srv/traveldrafter";
};
sops.secrets.traveldrafter-htpasswd = {
owner = "nginx";
group = "nginx";
};
services.nginx.virtualHosts = {
"traveldrafter.clerie.de" = {
enableACME = true;
forceSSL = true;
root = "/srv/traveldrafter/lib/node_modules/traveldrafter/web/";
basicAuthFile = config.sops.secrets.traveldrafter-htpasswd.path;
locations."/api" = {
proxyPass = "http://[::1]:3001";
};
};
};
systemd.services."traveldrafter" = {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
RuntimeDirectory = "traveldrafter";
DynamicUser = true;
};
environment = {
HTTP_PORT = "3001";
};
script = lib.getExe pkgs.traveldrafter;
};
}

4
hosts/zinc/configuration.nix
View File

@@ -5,12 +5,12 @@
[ [
./hardware-configuration.nix ./hardware-configuration.nix
../../configuration/desktop
./initrd.nix ./initrd.nix
./programs.nix ./programs.nix
]; ];
profiles.clerie.desktop.enable = true;
# Use the systemd-boot EFI boot loader. # Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;

13
modules/backup/default.nix
View File

@@ -60,16 +60,19 @@ let
config.sops.secrets."clerie-backup-job-${jobName}".path; config.sops.secrets."clerie-backup-job-${jobName}".path;
repoPath = if jobOptions.repoPath == null then "/${config.networking.hostName}/${jobName}" else jobOptions.repoPath; repoPath = if jobOptions.repoPath == null then "/${config.networking.hostName}/${jobName}" else jobOptions.repoPath;
targetPasswordFile = if targetOptions.passwordFile != null then targetOptions.passwordFile else targetPasswordFile = if targetOptions.passwordFile != null then targetOptions.passwordFile else
config.sops.secrets."clerie-backup-target-${targetName}".path; config.sops.secrets."clerie-backup-target-${targetName}".path or null;
targetUsername = if targetOptions.username == null then config.networking.hostName else targetOptions.username; targetUsername = if targetOptions.username == null then config.networking.hostName else targetOptions.username;
in { in {
"clerie-backup/${jobName}-${targetName}/repo_password".source = jobPasswordFile; "clerie-backup/${jobName}-${targetName}/repo_password".source = jobPasswordFile;
"clerie-backup/${jobName}-${targetName}/repo_url".text = "${targetOptions.serverUrl}${repoPath}"; "clerie-backup/${jobName}-${targetName}/repo_url".text = "${targetOptions.serverUrl}${repoPath}";
"clerie-backup/${jobName}-${targetName}/auth_username".text = targetUsername; "clerie-backup/${jobName}-${targetName}/auth_username".text = targetUsername;
"clerie-backup/${jobName}-${targetName}/auth_password".source = targetPasswordFile;
"clerie-backup/${jobName}-${targetName}/files".text = concatStringsSep "\n" jobOptions.paths; "clerie-backup/${jobName}-${targetName}/files".text = concatStringsSep "\n" jobOptions.paths;
"clerie-backup/${jobName}-${targetName}/excludes".text = concatStringsSep "\n" jobOptions.exclude; "clerie-backup/${jobName}-${targetName}/excludes".text = concatStringsSep "\n" jobOptions.exclude;
} } // (if targetPasswordFile == null then {} else {
"clerie-backup/${jobName}-${targetName}/auth_password".source = targetPasswordFile;
}) // (if targetOptions.sshKeyFile == null then {} else {
"clerie-backup/${jobName}-${targetName}/ssh_key".source = targetOptions.sshKeyFile;
})
) jobTargetPairs); ) jobTargetPairs);
targetOptions = { ... }: { targetOptions = { ... }: {
@@ -85,6 +88,10 @@ let
serverUrl = mkOption { serverUrl = mkOption {
type = types.str; type = types.str;
}; };
sshKeyFile = mkOption {
type = with types; nullOr str;
default = null;
};
}; };
}; };

24
modules/clerie-system-upgrade/default.nix → modules/bijwerken/default.nix
View File

@@ -3,18 +3,13 @@
with lib; with lib;
let let
cfg = config.clerie.system-auto-upgrade; cfg = config.services.bijwerken;
in in
{ {
options = { options = {
clerie.system-auto-upgrade = { services.bijwerken = {
enable = mkEnableOption "clerie system upgrade"; enable = mkEnableOption "Automatic system upgrades";
allowReboot = mkOption {
type = types.bool;
default = false;
description = "Monitor NixOS";
};
autoUpgrade = mkOption { autoUpgrade = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
@@ -25,10 +20,15 @@ in
default = null; default = null;
description = "Systemd time string for starting the unit"; description = "Systemd time string for starting the unit";
}; };
nodeExporterTextfilePath = mkOption {
type = with types; nullOr str;
default = null;
description = "Path to node exporter textfile for putting metrics";
};
}; };
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
systemd.services.clerie-system-auto-upgrade = { systemd.services.bijwerken-system-upgrade = {
requires = [ "network-online.target" ]; requires = [ "network-online.target" ];
after = [ "network-online.target" ]; after = [ "network-online.target" ];
@@ -38,10 +38,10 @@ in
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
ExecStart = pkgs.clerie-system-upgrade + "/bin/clerie-system-upgrade --no-confirm${optionalString cfg.allowReboot " --allow-reboot"}${optionalString (config.clerie.monitoring.enable) " --node-exporter-metrics-path /var/lib/prometheus-node-exporter/textfiles/clerie-system-upgrade.prom"}"; ExecStart = (getExe pkgs.bijwerken-system-upgrade) + " --no-confirm${optionalString (cfg.nodeExporterTextfilePath != null) " --node-exporter-metrics-path ${cfg.nodeExporterTextfilePath}"}";
}; };
}; };
systemd.timers.clerie-system-auto-upgrade = mkIf cfg.autoUpgrade { systemd.timers.bijwerken-system-upgrade = mkIf cfg.autoUpgrade {
wantedBy = [ "timers.target" ]; wantedBy = [ "timers.target" ];
timerConfig = { timerConfig = {
OnCalendar = if cfg.startAt == null then "*-*-* 05:37:00" else cfg.startAt; OnCalendar = if cfg.startAt == null then "*-*-* 05:37:00" else cfg.startAt;
@@ -51,7 +51,7 @@ in
after = [ "network-online.target" ]; after = [ "network-online.target" ];
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
clerie-system-upgrade bijwerken-system-upgrade
]; ];
}; };
} }

2
modules/default.nix
View File

@@ -5,9 +5,9 @@
./policyrouting ./policyrouting
./akne ./akne
./backup ./backup
./bijwerken
./clerie-firewall ./clerie-firewall
./clerie-gc-dir ./clerie-gc-dir
./clerie-system-upgrade
./dhcpcd-prefixdelegation ./dhcpcd-prefixdelegation
./minecraft-server ./minecraft-server
./monitoring ./monitoring

31
modules/monitoring/default.nix
View File

@@ -75,6 +75,8 @@ in
systemd.services."prometheus-node-exporter".serviceConfig.RestrictAddressFamilies = [ "AF_NETLINK" ]; systemd.services."prometheus-node-exporter".serviceConfig.RestrictAddressFamilies = [ "AF_NETLINK" ];
services.bijwerken.nodeExporterTextfilePath = "/var/lib/prometheus-node-exporter/textfiles/bijwerken-system-upgrade.prom";
services.prometheus.exporters.bird = mkIf cfg.bird { services.prometheus.exporters.bird = mkIf cfg.bird {
enable = true; enable = true;
}; };
@@ -102,6 +104,33 @@ in
listen = "[::]:9152"; listen = "[::]:9152";
}; };
services.prometheus.exporters.nginxlog = mkIf config.services.nginx.enable {
enable = true;
settings = {
namespaces = [
{
name = "nginxlog";
format = ''$host: $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$server_name" rt="$request_time" uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"'';
source = {
files = [
"/var/log/nginx/access.log"
];
};
relabel_configs = [
{
target_label = "server_name";
from = "server_name";
}
];
}
];
};
};
systemd.services."prometheus-nginxlog-exporter".serviceConfig = {
SupplementaryGroups = "nginx";
};
networking.firewall.interfaces."wg-monitoring".allowedTCPPorts = [ networking.firewall.interfaces."wg-monitoring".allowedTCPPorts = [
9100 # node-exporter 9100 # node-exporter
9152 # nixos-exporter 9152 # nixos-exporter
@@ -109,6 +138,8 @@ in
9324 # bird-exporter 9324 # bird-exporter
] else []) ++ (if cfg.blackbox then [ ] else []) ++ (if cfg.blackbox then [
9115 # blackbox-exporter 9115 # blackbox-exporter
] else []) ++ (if config.services.prometheus.exporters.nginxlog.enable then [
config.services.prometheus.exporters.nginxlog.port
] else []); ] else []);
}; };
} }

3
monitoring/targets.json
View File

@@ -48,5 +48,8 @@
}, },
"cleriewi.uber.space": { "cleriewi.uber.space": {
"clerie-uberspace": { "enable": true } "clerie-uberspace": { "enable": true }
},
"reichart.uber.space": {
"clerie-uberspace": { "enable": true }
} }
} }

5
pkgs/bijwerken-poke/bijwerken-poke.sh Executable file
View File

@@ -0,0 +1,5 @@
#!/usr/bin/env bash
TARGETS="$(nix --extra-experimental-features "nix-command flakes" eval --raw ".#nixosConfigurations" --apply "nixosConfigurations: builtins.concatStringsSep \"\\n\" (builtins.attrValues (builtins.mapAttrs (name: host: host.config.networking.fqdn) nixosConfigurations))")"
pssh -h <(echo "${TARGETS}") -i -- sudo systemctl start bijwerken-system-upgrade.service --no-block

10
pkgs/bijwerken-poke/default.nix Normal file
View File

@@ -0,0 +1,10 @@
{ pkgs, ... }:
pkgs.writeShellApplication {
name = "bijwerken-poke";
text = builtins.readFile ./bijwerken-poke.sh;
runtimeInputs = with pkgs; [
pssh
];
}

18
pkgs/clerie-system-upgrade/clerie-system-upgrade.sh → pkgs/bijwerken-system-upgrade/bijwerken-system-upgrade.sh
View File

@@ -2,16 +2,11 @@
set -euo pipefail set -euo pipefail
ALLOW_REBOOT=
NO_CONFIRM= NO_CONFIRM=
NODE_EXPORTER_METRICS_PATH= NODE_EXPORTER_METRICS_PATH=
while [[ $# -gt 0 ]]; do while [[ $# -gt 0 ]]; do
case $1 in case $1 in
--allow-reboot)
ALLOW_REBOOT=1
shift
;;
--no-confirm) --no-confirm)
NO_CONFIRM=1 NO_CONFIRM=1
shift shift
@@ -45,7 +40,7 @@ if [[ -z $NO_CONFIRM ]]; then
fi fi
echo "Download ${STORE_PATH}" echo "Download ${STORE_PATH}"
nix copy --from "https://nix-cache.clerie.de" "${STORE_PATH}" nix copy --to daemon "${STORE_PATH}"
echo "Add to system profile" echo "Add to system profile"
nix-env -p "/nix/var/nix/profiles/system" --set "${STORE_PATH}" nix-env -p "/nix/var/nix/profiles/system" --set "${STORE_PATH}"
@@ -55,7 +50,7 @@ echo "Set as boot target"
if [[ -n "$NODE_EXPORTER_METRICS_PATH" ]]; then if [[ -n "$NODE_EXPORTER_METRICS_PATH" ]]; then
echo "Write monitoring check data" echo "Write monitoring check data"
echo "clerie_system_upgrade_last_check $(date +%s)" > "$NODE_EXPORTER_METRICS_PATH" echo "bijwerken_system_upgrade_last_check $(date +%s)" > "$NODE_EXPORTER_METRICS_PATH"
fi fi
BOOTED_SYSTEM_KERNEL="$(readlink /run/booted-system/{initrd,kernel,kernel-modules})" BOOTED_SYSTEM_KERNEL="$(readlink /run/booted-system/{initrd,kernel,kernel-modules})"
@@ -63,13 +58,8 @@ ACTIVATING_SYSTEM_KERNEL="$(readlink /nix/var/nix/profiles/system/{initrd,kernel
if [[ "$BOOTED_SYSTEM_KERNEL" != "$ACTIVATING_SYSTEM_KERNEL" ]]; then if [[ "$BOOTED_SYSTEM_KERNEL" != "$ACTIVATING_SYSTEM_KERNEL" ]]; then
echo "Reboot is required" echo "Reboot is required"
if [[ -n "$ALLOW_REBOOT" ]]; then echo "Rebooting system now"
echo "Rebooting system now" shutdown -r +1 "System update requires reboot"
shutdown -r +1 "System update requires reboot"
else
echo "Automatic reboot not allowed (maybe use --allow-reboot next time)"
echo "The system upgrade is staged, please reboot manually soon"
fi
else else
echo "No reboot is required" echo "No reboot is required"
echo "Activating system now" echo "Activating system now"

4
pkgs/clerie-system-upgrade/clerie-system-upgrade.nix → pkgs/bijwerken-system-upgrade/default.nix
View File

@@ -1,8 +1,8 @@
{ pkgs, ... }: { pkgs, ... }:
pkgs.writeShellApplication { pkgs.writeShellApplication {
name = "clerie-system-upgrade"; name = "bijwerken-system-upgrade";
text = builtins.readFile ./clerie-system-upgrade.sh; text = builtins.readFile ./bijwerken-system-upgrade.sh;
runtimeInputs = with pkgs; [ runtimeInputs = with pkgs; [
curl curl
jq jq

37
pkgs/build-support/writePythonScript.nix
View File

@@ -1,6 +1,7 @@
{ {
python3, python3,
writeTextFile, makeWrapper,
runCommand,
lib, lib,
}: }:
@@ -9,6 +10,7 @@
text, text,
runtimePackages ? ps: [], runtimePackages ? ps: [],
pythonPackage ? python3, pythonPackage ? python3,
runtimeInputs ? [],
meta ? {}, meta ? {},
passthru ? {}, passthru ? {},
derivationArgs ? {}, derivationArgs ? {},
@@ -18,13 +20,17 @@ let
pythonWithPackages = pythonPackage.withPackages runtimePackages; pythonWithPackages = pythonPackage.withPackages runtimePackages;
in writeTextFile { in runCommand name ({
inherit passAsFile = [ "text" ] ++ (derivationArgs.passAsFile or []);
name
meta meta = {
passthru mainProgram = name;
derivationArgs } // meta // (derivationArgs.meta or {});
;
passthru = passthru // (derivationArgs.passthru or {});
nativeBuildInputs = [ makeWrapper ] ++ (derivationArgs.nativeBuildInputs or []);
executable = true; executable = true;
destination = "/bin/${name}"; destination = "/bin/${name}";
allowSubstitutes = true; allowSubstitutes = true;
@@ -34,4 +40,17 @@ in writeTextFile {
${text} ${text}
''; '';
} } // (
builtins.removeAttrs derivationArgs [ "passAsFile" "meta" "passthru" "nativeBuildInputs" ]
))
''
mkdir -p $out/bin
target=$out/bin/${lib.escapeShellArg name}
cp "$textPath" "$target"
chmod +x "$target"
wrapProgram "$target" --prefix PATH : "${lib.makeBinPath runtimeInputs}"
''

29
pkgs/clerie-backup/clerie-backup.sh
View File

@@ -45,30 +45,39 @@ if [[ ! -f "${CONFIG_DIR}/auth_username" ]]; then
echo "File ${CONFIG_DIR}/auth_username not found" echo "File ${CONFIG_DIR}/auth_username not found"
ISSUE_EXIST=1 ISSUE_EXIST=1
fi fi
if [[ ! -f "${CONFIG_DIR}/auth_password" ]]; then
echo "File ${CONFIG_DIR}/auth_password not found"
ISSUE_EXIST=1
fi
if [[ -n "${ISSUE_EXIST}" ]]; then if [[ -n "${ISSUE_EXIST}" ]]; then
exit 1 exit 1
fi fi
RESTIC_PASSWORD_FILE="${CONFIG_DIR}/repo_password" RESTIC_PASSWORD_FILE="${CONFIG_DIR}/repo_password"
export RESTIC_PASSWORD_FILE export RESTIC_PASSWORD_FILE
RESTIC_REPOSITORY="rest:$(cat "${CONFIG_DIR}/repo_url")" REPO_URL="$(cat "${CONFIG_DIR}/repo_url")"
if [[ "${REPO_URL}" == http* ]]; then
RESTIC_REPOSITORY="rest:${REPO_URL}"
else
RESTIC_REPOSITORY="${REPO_URL}"
fi
export RESTIC_REPOSITORY export RESTIC_REPOSITORY
RESTIC_REST_USERNAME="$(cat "${CONFIG_DIR}/auth_username")" RESTIC_REST_USERNAME="$(cat "${CONFIG_DIR}/auth_username")"
export RESTIC_REST_USERNAME export RESTIC_REST_USERNAME
RESTIC_REST_PASSWORD="$(cat "${CONFIG_DIR}/auth_password")" if [[ -e "${CONFIG_DIR}/auth_password" ]]; then
export RESTIC_REST_PASSWORD RESTIC_REST_PASSWORD="$(cat "${CONFIG_DIR}/auth_password")"
export RESTIC_REST_PASSWORD
fi
RESTIC_PROGRESS_FPS="0.1" RESTIC_PROGRESS_FPS="0.1"
export RESTIC_PROGRESS_FPS export RESTIC_PROGRESS_FPS
RESTIC_CACHE_DIR="/var/cache/restic" RESTIC_CACHE_DIR="/var/cache/restic"
export RESTIC_CACHE_DIR export RESTIC_CACHE_DIR
EXTRA_OPTIONS=()
if [[ -e "${CONFIG_DIR}/ssh_key" ]]; then
EXTRA_OPTIONS+=("-o" "sftp.args='-o IdentityFile=${CONFIG_DIR}/ssh_key'")
fi
case "${ACTION}" in case "${ACTION}" in
restic) restic)
restic "$@" restic "${EXTRA_OPTIONS[@]}" "$@"
;; ;;
backup) backup)
ISSUE_EXIST= ISSUE_EXIST=
@@ -84,9 +93,9 @@ backup)
exit 1 exit 1
fi fi
restic snapshots --latest 1 || restic init restic "${EXTRA_OPTIONS[@]}" snapshots --latest 1 || restic "${EXTRA_OPTIONS[@]}" init
restic backup --exclude-file "${CONFIG_DIR}/excludes" --files-from "${CONFIG_DIR}/files" restic "${EXTRA_OPTIONS[@]}" backup --exclude-file "${CONFIG_DIR}/excludes" --files-from "${CONFIG_DIR}/files"
;; ;;
*) *)
echo "Unsupported ACTION: ${ACTION}" echo "Unsupported ACTION: ${ACTION}"

10
pkgs/clerie-ssh-known-hosts/additional-ssh-known-hosts Normal file
View File

@@ -0,0 +1,10 @@
backup.clerie.de ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsTlqDyK726hwhX8lbs9EhMrkf3LsKIm5Ya3k39C7VZ
git.clerie.de ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIHQDwfRlw6L+pkLjXDgW2BUWlY1zNEDtVhNEsClgqaL
mercury.net.clerie.de ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH4HbnxUyBAxidh88rIvG9tf61/VWjndMLOSvx9LZY+u
clerie.uber.space ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINT6gukzAjyu8ST6ndP5TgXWEfdksxyqmMz4ngQkyVLr
cleriewi.uber.space ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3k7sMhABfQr9CufavOY6BCXJPpDH5OFkRpz/vJ2gSF
ceea.uber.space ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJg2Vr3/SucAM13pZGR36W/LPFcTI9nCQAIIATIZGL9A
reichart.uber.space ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINhafJF7TZPAhX1hj4saom21RqkOMVFF7bLVKaEC+vcB

7
pkgs/clerie-ssh-known-hosts/default.nix
View File

@@ -10,7 +10,6 @@ let
sshPubkey = stripR (builtins.readFile (../../hosts + "/${hostname}/ssh.pub")); sshPubkey = stripR (builtins.readFile (../../hosts + "/${hostname}/ssh.pub"));
}) hostsWithSshPubkey; }) hostsWithSshPubkey;
knownHosts = builtins.concatStringsSep "" (builtins.map ({name, sshPubkey}: '' knownHosts = builtins.concatStringsSep "" (builtins.map ({name, sshPubkey}: ''
${name} ${sshPubkey}
${name}.net.clerie.de ${sshPubkey} ${name}.net.clerie.de ${sshPubkey}
'') sshkeyList); '') sshkeyList);
in writeTextFile { in writeTextFile {
@@ -18,5 +17,9 @@ in writeTextFile {
destination = "/known_hosts"; destination = "/known_hosts";
allowSubstitutes = true; allowSubstitutes = true;
preferLocalBuild = false; preferLocalBuild = false;
text = knownHosts; text = ''
${knownHosts}
${builtins.readFile ./additional-ssh-known-hosts}
'';
} }

109
pkgs/convert-flac-dir-to-mp3/convert-flac-dir-to-mp3.py Normal file
View File

@@ -0,0 +1,109 @@
#!/usr/bin/env python
import argparse
from pathlib import Path
from progress.bar import Bar
import shutil
import subprocess
def files_and_dirs_for_directory(path):
filepaths = []
dirpaths = []
for dirpath, dirnames, filenames in path.walk():
dirpaths.append(dirpath)
for filename in filenames:
filepath = dirpath / filename
filepaths.append(filepath)
return set(filepaths), set(dirpaths)
def make_paths_relative(paths, relative_to_path):
return set(path.relative_to(relative_to_path) for path in paths)
def replace_suffix(path, suffix):
return path.with_name(path.stem + suffix)
def convert_filepath(path):
if path.suffix == ".flac":
return replace_suffix(path, ".mp3")
return path
def ffmpeg_flac_to_mp3(in_path, out_path):
print("")
subprocess.run(["ffmpeg", "-hide_banner", "-loglevel", "warning", "-stats", "-i", in_path, "-ab", "320k", "-map_metadata", "0", "-id3v2_version", "3", out_path], check=True)
print("")
if __name__ == "__main__":
parser = argparse.ArgumentParser(prog="convert-flac-dir-to-mp3")
parser.add_argument("from_dir", type=Path)
parser.add_argument("to_dir", type=Path)
args = parser.parse_args()
from_path = args.from_dir.absolute()
to_path = args.to_dir.absolute()
if not from_path.exists():
raise Exception("from_path does not exist")
if not to_path.exists():
raise Exception("to_path does not exist")
if not from_path.is_dir():
raise Exception("from_path is not a directory")
if not to_path.is_dir():
raise Exception("to_path is not a directory")
print(f"Converting {from_path} to {to_path}")
from_filepaths, from_dirpaths = files_and_dirs_for_directory(from_path)
to_filepaths, to_dirpaths = files_and_dirs_for_directory(to_path)
relative_from_filepaths = make_paths_relative(from_filepaths, from_path)
relative_to_filepaths = make_paths_relative(to_filepaths, to_path)
converted_from_filepaths = set(convert_filepath(filepath) for filepath in relative_from_filepaths)
filepaths_missing_in_to_path = converted_from_filepaths - relative_to_filepaths
relative_from_dirpaths = make_paths_relative(from_dirpaths, from_path)
relative_to_dirpaths = make_paths_relative(to_dirpaths, to_path)
dirpaths_missing_in_to_path = relative_from_dirpaths - relative_to_dirpaths
print(f"Missing {len(filepaths_missing_in_to_path)} files and {len(dirpaths_missing_in_to_path)} directories")
if len(dirpaths_missing_in_to_path) > 0:
for dirpath in Bar("Creating directories").iter(dirpaths_missing_in_to_path):
(to_path / dirpath).mkdir(parents=True, exist_ok=True)
if len(filepaths_missing_in_to_path) > 0:
for filepath in Bar("Creating files").iter(filepaths_missing_in_to_path):
if filepath in relative_from_filepaths:
# Just copy the file
shutil.copy(from_path / filepath, to_path / filepath)
elif filepath.suffix == ".mp3" and replace_suffix(filepath, ".flac") in relative_from_filepaths:
# Convert from flac
print("")
print(f"Converting {to_path / filepath}")
# Tempfile for ffmpeg
tmpfilepath = filepath.with_name(".~" + filepath.name)
(to_path / tmpfilepath).unlink(missing_ok=True)
print(f"Using tempfile for ffmpeg {to_path / tmpfilepath}")
# Convert
ffmpeg_flac_to_mp3(from_path / replace_suffix(filepath, ".flac"), to_path / tmpfilepath)
# Rename tempfile
(to_path / tmpfilepath).rename(to_path / filepath)
else:
raise Exception("Unable to figure out how to get {to_path / filepath} from {from_path}")

8
pkgs/convert-flac-dir-to-mp3/default.nix Normal file
View File

@@ -0,0 +1,8 @@
{ pkgs, ... }:
pkgs.clerie-build-support.writePythonScript {
name = "convert-flac-dir-to-mp3";
runtimePackages = ps: with ps; [ progress ];
runtimeInputs = [ pkgs.ffmpeg-headless ];
text = builtins.readFile ./convert-flac-dir-to-mp3.py;
}

16
pkgs/curl-timings/curl-timings.sh Executable file
View File

@@ -0,0 +1,16 @@
#!/usr/bin/env bash
curl -w "Request to %{url}
time_namelookup: %{time_namelookup}s
time_connect: %{time_connect}s
time_appconnect: %{time_appconnect}s
time_pretransfer: %{time_pretransfer}s
time_starttransfer: %{time_starttransfer}s
time_posttransfer: %{time_posttransfer}s
time_queue: %{time_queue}s
time_redirect: %{time_redirect}s
time_starttransfer: %{time_starttransfer}s
time_total: %{time_total}s
" -o /dev/null -s "$@"

12
pkgs/curl-timings/default.nix Normal file
View File

@@ -0,0 +1,12 @@
{
curl,
writeShellApplication,
}:
writeShellApplication {
name = "curl-timings";
text = builtins.readFile ./curl-timings.sh;
runtimeInputs = [
curl
];
}

12
pkgs/ds-lite-dhcpcd-hook/default.nix Normal file
View File

@@ -0,0 +1,12 @@
{ pkgs, ... }:
pkgs.writeShellApplication {
name = "ds-lite-dhcpcd-hook";
text = builtins.readFile ./ds-lite-dhcpcd-hook.sh;
runtimeInputs = with pkgs; [
iproute2
jq
dig
gawk
];
}

102
pkgs/ds-lite-dhcpcd-hook/ds-lite-dhcpcd-hook.sh Normal file
View File

@@ -0,0 +1,102 @@
#!/usr/bin/env bash
set -euo pipefail
# Setting up required environment variables
# shellcheck disable=SC2154
WAN_INTERFACE_NAME="${DS_LITE_WAN_INTERFACE_NAME}"
# shellcheck disable=SC2154
TUNNEL_INTERFACE_NAME="${DS_LITE_TUNNEL_INTERFACE_NAME}"
log_dhcp () {
echo "<ds-lite-dhcpcd-hook> ${WAN_INTERFACE_NAME}: $1"
}
log_tunnel () {
echo "<ds-lite-dhcpcd-hook> ${WAN_INTERFACE_NAME} (${TUNNEL_INTERFACE_NAME}): $1"
}
# Check if the event calling this hook is for the wan interface
# exit immediately if not
# shellcheck disable=SC2154
if [[ "$interface" != "$WAN_INTERFACE_NAME" ]]; then
exit
fi
# Make sure the event calling this hook carries the environment variable
# in question. The environment variable is not provided with every call
# and we just want to exit if it is not provided
# shellcheck disable=SC2154
if [[ ! -v new_dhcp6_aftr_name ]]; then
# Variable is not set
exit
fi
# shellcheck disable=SC2154
if [[ -z "${new_dhcp6_aftr_name}" ]]; then
# Variable is empty, can't do anything
exit
fi
# shellcheck disable=SC2154
AFTR_NAME="$new_dhcp6_aftr_name"
log_dhcp "Received new AFTR_NAME ${AFTR_NAME}"
# Make sure we have a nameserver to resolve aftr name against
# shellcheck disable=SC2154
if [[ ! -v new_dhcp6_name_servers ]]; then
# Variable is not set
exit
fi
# shellcheck disable=SC2154
if [[ -z "${new_dhcp6_name_servers}" ]]; then
# Variable is empty, can't do anything
exit
fi
# shellcheck disable=SC2154
NAME_SERVERS="$new_dhcp6_name_servers"
log_dhcp "Received new NAME_SERVERS ${NAME_SERVERS}"
# Select first nameserver
NAME_SERVER="$(echo "${NAME_SERVERS}" | awk '{print $1;}')"
log_dhcp "Selected NAME_SERVER ${NAME_SERVER}"
# Figure out a usable IPv6 address on the wan interface, to origin our DNS requests and tunnel
WAN_INTERFACE_ADDRESS="$(ip --json address show "${WAN_INTERFACE_NAME}" | jq -r '.[0].addr_info[] | select(.family == "inet6" and .scope == "global" and .mngtmpaddr == true) | .local')"
log_dhcp "Using WAN_INTERFACE_ADDRESS ${WAN_INTERFACE_ADDRESS}"
AFTR_ADDRESS="$(dig "@${NAME_SERVER}" -b "${WAN_INTERFACE_ADDRESS}" AAAA "${AFTR_NAME}" +short | head -1)"
log_dhcp "Resolved AFTR_NAME ${AFTR_NAME} to ${AFTR_ADDRESS}"
# Check if there is already a tunnel interface
if TUNNEL_INTERFACE_CONFIG="$(ip --json link show "${TUNNEL_INTERFACE_NAME}")"; then
TUNNEL_INTERFACE_OPERSTATE="$(echo "${TUNNEL_INTERFACE_CONFIG}" | jq -r '.[0].operstate')"
TUNNEL_INTERFACE_ORIGIN_ADDRESS="$(echo "${TUNNEL_INTERFACE_CONFIG}" | jq -r '.[0].address')"
TUNNEL_INTERFACE_REMOTE_ADDRESS="$(echo "${TUNNEL_INTERFACE_CONFIG}" | jq -r '.[0].broadcast')"
# Reconfigure tunnel interface, if not already in state we want
if [[ "${TUNNEL_INTERFACE_ORIGIN_ADDRESS}" != "${WAN_INTERFACE_ADDRESS}" || "${TUNNEL_INTERFACE_REMOTE_ADDRESS}" != "${AFTR_ADDRESS}" || "${TUNNEL_INTERFACE_OPERSTATE}" != "UNKNOWN" ]]; then
log_tunnel "Bad configuration, fixing tunnel parameter"
ip tunnel change "${TUNNEL_INTERFACE_NAME}" mode ipip6 local "${WAN_INTERFACE_ADDRESS}" remote "${AFTR_ADDRESS}"
ip link set "$TUNNEL_INTERFACE_NAME" up
else
log_tunnel "Tunnel already configured"
fi
else
log_tunnel "Setting up DS-Lite tunnel"
ip tunnel add "${TUNNEL_INTERFACE_NAME}" mode ipip6 local "${WAN_INTERFACE_ADDRESS}" remote "${AFTR_ADDRESS}"
ip link set "$TUNNEL_INTERFACE_NAME" up
fi
log_tunnel "Setting default route"
ip route replace default dev "${TUNNEL_INTERFACE_NAME}"
log_tunnel "Tunnel setup finished"

6
pkgs/fem-ssh-known-hosts/default.nix Normal file
View File

@@ -0,0 +1,6 @@
{ runCommand, ... }:
runCommand "fem-ssh-known-hosts" {} ''
mkdir -p $out
cp ${./fem-ssh-known-hosts} $out/known_hosts
''

47
pkgs/fem-ssh-known-hosts/fem-ssh-known-hosts Normal file
View File

@@ -0,0 +1,47 @@
# FeM FeM SSH Known Hosts
# Gitlab
gitlab.fem-net.de ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH7jb0VQpEJD+Xf9Odb0ROK9BWvm1bI0JW92zVOewnSO
# Jumphost Mgmt-VLAN
grumpy.fem.tu-ilmenau.de ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCQ/8cqTuuAY2YaC0nLX9RexBeMbXEhvczpTSmzYqob3ke4NAUnVFRU/vnCQQDHG3sNtpEErKlE2/MyyGrqSssI=
# Webhosting
web-1.fem.tu-ilmenau.de ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBO1ErxOUxu501CDKZokoLzky4e0LGm+wsrOhWfG1iq1vRkHf+nANMzR0XwTdUOZBJ2NnU2ReorGVzdBzEP3YDOo=
web-1.fem.tu-ilmenau.de ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICH2vZqsv/5w2PKFccBZUmkBQDHNJmkwGTu0kIC1t146
# FeM Office
officevm.fem.tu-ilmenau.de ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBhquVgaKqQC3OaYW6kXpPOhkoLptTTeuWf5P43XaWszzCt6Wyu4gXcp/+6vLUE/QubiMoqBzBBsibsLjRQWxrk=
# Xen Virt oberer Campus
[chrom.net.fem.tu-ilmenau.de]:1022 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMAM+QrJTssQZJ3hJUHtjxUd0jBRMyWzPr/dCJ/X9Nyx+xfklyIw301aDKnbdLp3kKDJB5/oj1Zc2f9HsP9yO1w=
[chrom.net.fem.tu-ilmenau.de]:1022 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC8SGRtJw7crcNS2+gmD3Qel/oKkaY/ZFa+72mHe7TDveUBfgi6dWM0BW4Se3uIqxEStlbYoE/GxVA8SnmTUJx2xyqC43gGT8uYdKZBF3rZ2d6U39jTH7aKkuO96DDMj+0oKnMK22MRWLCdIwyrrY3sWXsedc0aC0nTsO8D3LIiQHYQ1C4eCyYt7qntc7jU+5T5/HkWwCouyMajHZyDMpyzWD35mt0pSdOaqtbKnplYTLSEQ3xQ2CFFplaPe3ZafR8J0sdxpHogrXnKcIkpsm2qNInzF/gX7vUFWNCdmvBmwbz5ThFaE8Rlw6W8jO741Zgxp6RLdTpBk9KxsbG9oKWlBaZ5rqkrWvHLjLDOINFhlqeTJrjmqBmaDGBzc/JDAG96wUtkWzbRluyFD+j9MKcCb5T2VB3AMDAQ4WA6ykPWvekmiAADjg0sxiNZ8q/JkxbW0H9zMNNLpxfoVxS5DLIQk7Ee8tuJNJ9h4DSHl3pb0zwugblvI0wPCDtTUnrB5d0=
[chrom.net.fem.tu-ilmenau.de]:1022 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOePZRlNv7ZeOhX6kwNjT1dIm3n91Vn19pUtERupHPvQ
[flavino.net.fem.tu-ilmenau.de]:1022 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAOhhOUnBBoozLULy/Q2VAoXD1/dlruEYFKlCJLPBZ87
[flavino.net.fem.tu-ilmenau.de]:1022 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnhmna9iIWp74LfvkdesvaGidMC2Uadz0w3hYGdu88tpQrc7CE21Vp+/8koSSubE6nGYV5JuZAL5mHW8xjq87POSkX2El6V0AyCWOofarmIciWDdlxszMxmk/rJnW8s/noZpUQWP2s9AGy7NqCHnzcxrNLCeQkAMdJw5KwKJ6dPNc8H3/FwdYgYipOb/WOZQrTn3MZEA9h6vPm/MN+zfzl4hKBSzmt9qSL546PiREgVkk/cIrAq6xDilSGHjGT+EiIC8p+0QsiLdhvD4bnn4fHisVzypY9BXAeF9DE0RivUEkP9HwuH61dwQKT90UPiifg0LFSPegd+vM/WwuZghPz
[flavino.net.fem.tu-ilmenau.de]:1022 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJFZGrjTt9YiErgspJsEgA8uYse7OyD9EeTa8FvGNZJyALbQIVp5LW4XLsUmFcl3utx4wJD4VaCf62T9ocq1odY=
[flavino.fem.tu-ilmenau.de]:1022 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAOhhOUnBBoozLULy/Q2VAoXD1/dlruEYFKlCJLPBZ87
# pgsql-2 database cluster
pgsql-2-node-1.net.fem.tu-ilmenau.de ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICd/uXtoDNL4YIh1hF8z95dJ9p9at6dilrSkuuiL8Mz+
pgsql-2-node-1.net.fem.tu-ilmenau.de ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCyYxSGd+/eO5gzQDvzJQzt66Lw12XuTrnZwQxfoK4ziiy20uVj+3Jv+6vX9HmqVpFPmdj0HZX9b8K6SzAF32e6AvZo8cShG9K1S8nefJHAeRXf7st/tGf5BUd5J2tfGOs7187dabofcsEGlqy7qxPQz/DXoR9jjZeiVfVhTXURWSEDOwkuS19yYkMd6HDng3ptk3eIM0XBZBXiMty+kt/elLf5tbLOgaEkP73qefHCGjE2qnErRg5yfYSKD+tjSZoVHM2wjpyy+jW1zvo0GGwhmA58GN5/J4EiHTEi7FIF/IwopjvCQ3YU6i/XqmgbYPLJRXDRLJNgfJITueTovHHHgwcm6Vg8bOnO0p/+syrZFw015CeucY0rhbjw0tmEMLgxgdLuztlWwop0RmwIjzbUs2w7Dg7T8J/bshOQgpzGHE6eLcp1ptu5lIz0xH0ltiiLCV5Lx1MKZakZKhLCvnHkfF9fMMH1F2U2NOnBej0RnappWmbYv2W4fY6EhK5cu1Wreh1XCrhbOXp9CVfcaqt238lTNx2qtJrL6X7dNLloIeEDQ/zzCI0bea8okelOO7R0/LBVnqGN5zUAdJL+5B0a25UZF+fudnwuqwwjA8TCqTFDvPTm4/jWrCMbpHaICT/+w/53rKn8UOHfSF2u+4HEPAbL5X0HC97d2SwLZs001w==
pgsql-2-node-2.net.fem.tu-ilmenau.de ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPmr+R1DBuIDrV4WfUsBQJ7KmkLY5DLFJyDJjfWBU2Vx
pgsql-2-node-2.net.fem.tu-ilmenau.de ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDNg8/SXPdAKkYaqc0N+MoJcikAi3u3hxPiDNHOKGvvf7NtnoWg36y89KQAm3Qv7jZ++WOgUZzGeG8uQDibRQKZheAPbVC6lSnlV5gXLxfm6KpEyJKqGHzj8PW+gldPVB/EuLJSMncfmSPnD660COdyaNztvI8LSyWoWnL5bPb8rcCJaFydfO/yf8jvGrJHf7rKBTb21w8jsqhIGev55PrIqZZCR2UuyoLyqEAVD0oSGAvVFwrWp2il2ufZvy4Qq809KGDjbNoDQMIcAOek0PWVjrSF0k9/qHB3XJoaqwki4kwNKLL8vwgr/3RM2EiWtSObh+1xdLWFbt4QA8Cjq5UAquCwG36vx43rR2TY77ldJ2VAY+SAwxn3JGBzCPOASp7LaRtHL6VVqHxA7Zi6yOGIH39dXeSPK/UzXMF6dOcQqx7hFB8Zgl8En9mNNjVAoneJ4Hr45CO0e3/Adv6zBEsXtkmbb/1TyUoOdli/ZQM9++AzB+T9hO7D2/CzUL8IU6Qid+Dqo90IqvhC8S3HDUQvGXkVSh6cLd0wSI7LtSUVs/ypd8gGiOGtlyDo/d85gl7fZA4bIaQ0ohJtDAtGbwVowk0ZQfUfHSJIZqZdNEPWy5ooGWJRlVVCenBXvAu1Bx3QPccY/O/NoB2Hyr4aooh/YEpkFFPyqo5G/KoMdJ5qEQ==
pgsql-2-node-3.net.fem.tu-ilmenau.de ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICsJOfaJut0w+Aey4HSjlFDWRp5z2rBRYh0yhwZG8ORK
pgsql-2-node-3.net.fem.tu-ilmenau.de ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCswxmPwXiboy03LltFgoGW2/AMm+wM37nwLI/2dtdkCaICn95krMo3JTKNdq810UiaB0UUp5/FB090Lye1GmSWTHy8/vbEhW9bmf0+V9olvum3k4BT/mKRhvfpkTRlslDlRYgFMOhYuFpBZOn3h0iUJg2MwWWY8Ce6KymzUwwfOsSTDDiPY6Tcdt0OML6fRvUxCe9EOD82FO+PuAO44uoEC84YT3qNufzt4/O/Xy71lIiTFyEv2isJJ3MWFTyLnAg+KT18ztzYvCBAa9AXXsZpE/M/hh0tcKdUqNw2gscgLkELA0olQbi4rGYAkKEcn/QIRPRrKTx3I43vDBiZZkQXeTLnvtJjcK38W6rcqJ9B5tFyAWzpBh767Yr0BbgfkgOJ4EcZhFuH5Y2uCZnFB6HlwehhQq0vGgE04zzGsW3ODIdiE15aoHBl9vrDXKr84hmZ8+/FU8+ds3IOSoQgK8ZXMB/Bat9MmNLcdzwpxRgeZIHl0w1Z6OPOm5qAPSAR5PtqLo69nhb3cc/VoK9S41e5zeBx7o8eYcPkKUeWNI+wV5aw3fbzk5RQQX4YImFaYVqYJw+NxkKQns3Wcr1+TbpX/mYY2uobZHvMzdqbhheBMyKS6vIhxcZEUc0+1qgjqrgp7TkXU/kXN9huULeZ3OQNJkuEPm7OWTcZElJohokflQ==
# Video Storage
[video-storage.fem.tu-ilmenau.de]:1022 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ6J6Mn14zjBoAJyiaLg+76x6eedM/NUrKcpMltP6DwY
[video-storage.fem.tu-ilmenau.de]:1022 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMvUAbPLQrDJYgL2wCvNrxdgZU65J0dU9vCwIwGYVXRvKv9S9RyDuDZvWLTZl26KIrVy94pnlySK0Zi2wJ6oOtg=
# NixOS build server
fuedra.fem.tu-ilmenau.de ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvofCx3KMN+A0G58akpp1BMsmY6731YrYBWntEC9LQ1
fuedra.fem.tu-ilmenau.de ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC9eiienHWTqncnsI0Ttnkb68rCwnublqU8rki/JmCZ8Yl2+QP8bOYvqRIf3Pq+4WTYCxmzOCaaHJRzYCB1wiohdxsmxj0qNgMfyzmY6rf38Cjby0QpBEq31sHc+4oeKKGqFiM5mdBq/69DKs0aY8hob0Iy1dqwjMfDNcRXz08Uzq7S08YNXB0nkuMFaS7WYj+m0aX8SPanu0G7+OKzjzXfRWJlWUrAoj1flV723SyCGTRXdugsBjxpuudwoo17UNDZw7J7w63WqiUW4LfktB8mu+UaLbUzR2YK3IQLrEq42k9IB1LBknS8gKKd0FX56nJKCN0HrgbjSQZlw1x1S5wxfxbaSfOpZUblk+4PNSmpv/ca4S/Hdq7UlNrq2lJnoXj1nd+qrKGZ96or0dxYIHP1qH3WkExO8ywEkoazOG7khFqxddLzPMdhrhp93EHN9QEKgpSpm2YbP416I64Pu77+DtCCXS8ywnl9rf4JO8Kr1v4JdiG34yL14mvq4saI1f4X+bCWuotf45cRezqlB5WVz/2FywYQKHj6wFMM4ew+6beSgFx/0TUdkDQYZPKp6xmb7A5wxdhZ9nZfYa3p0neJTDe1gTpin3xs9Byexoe/jEtiWBwZ+3SvZ9z1DK4QnHaa7FiGa8KxQwEiUUfs45GjxnpT9J0b3wgaJTlbDZNTMQ==
# fem.social
mastodon.fem.tu-ilmenau.de ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMzI1QoVPrwaJnbwA5PmmtGsiKBhV4ZO/q8Vb07r8I1w
mastodon.fem.tu-ilmenau.de ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDXMGscT9g55wT/rzkNzO8ScOh9Kw049Fu9ocAWvkDauiVJPtLE+7C16JQyzHKeMcuXCRpgv6g4BJQhPYoD1C4Gq7zjiYvIyiAFLcqvdK4ROhiJw5vxYvcEUNLTmydcsaS/GWOIRzLeZo1DOsDG/jiMcmVq2hRUc32QJroMci5fSvNC+6lNjxomZE/gnwATdjV0TTgIaQy0EkgSn7vyD3qpNSax0StPCLIFxPSy1fP3IQmYIsObiaSlcvdVH4bE0DUPe1gzIufTGEINVdlUl5847cIr+ZGOSaS0SP8fP7qXYqrwFt83ROspTr9UnyhmJayqIODu2RMpvrhHITlm5Lo5wazw2GLormWxVmhtDIqypKOUG93hdZ8a55x1Z7nnfS6cnPoZA5QwY02zjKaAvDkw1NN7Ud/LCfv/Vpu+EwsNJSoxSK6yx7k6X2qd99KTVzDm9AkXlzzOYZhAOQSskp5mOfb82mCFk/YImoDQ7tVcy9PLnxhcQ2b/OY/akobjYhitlmPENAY/KhrqE26lwmzA5V0jEi5SqJXYNQcTktNPUDBCc0maS8azroDmom5dlozPTLcR/9+/BgzR1cEtiyqajJFkuKUSkwA3x9D07wJSquu5CDO+Wf5U15k60cBRICxlh5n0w19sybZn9jffPg5v7IPBa6hhKdFynHyec1/M3w==
# FeM XMPP
xmpp-2.fem.tu-ilmenau.de ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPMfNNj/nEYDeF8I7ds/yyQ+fJ+2AGZkGFNh3y3ZUReW
xmpp-2.fem-net.de ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPMfNNj/nEYDeF8I7ds/yyQ+fJ+2AGZkGFNh3y3ZUReW

7
pkgs/generate-blocked-prefixes/default.nix Normal file
View File

@@ -0,0 +1,7 @@
{ pkgs, ... }:
pkgs.clerie-build-support.writePythonScript {
name = "generate-blocked-prefixes";
runtimePackages = ps: with ps; [ requests ];
text = builtins.readFile ./generate-blocked-prefixes.py;
}

39
pkgs/generate-blocked-prefixes/generate-blocked-prefixes.py Executable file
View File

@@ -0,0 +1,39 @@
#!/usr/bin/env python3
import ipaddress
import requests
blocked_asns = [
"45102", # Alibaba (US) Technology Co., Ltd.
]
r = requests.get('https://bgp.tools/table.txt', stream=True, headers={
"User-Agent": "https://git.clerie.de/clerie/nixfiles",
})
selected_ipv6_prefixes = []
selected_ipv4_prefixes = []
for line in r.iter_lines(decode_unicode=True):
prefix_string, asn_string = line.split()
if asn_string in blocked_asns:
prefix = ipaddress.ip_network(prefix_string)
if prefix.version == 6:
selected_ipv6_prefixes.append(prefix)
else:
selected_ipv4_prefixes.append(prefix)
selected_ipv6_prefixes = list(ipaddress.collapse_addresses(selected_ipv6_prefixes))
selected_ipv4_prefixes = list(ipaddress.collapse_addresses(selected_ipv4_prefixes))
selected_ipv6_prefixes.sort()
selected_ipv4_prefixes.sort()
with open("hosts/web-2/blocked-prefixes.txt", "w") as blocked_ips_file:
for ipv6_prefix in selected_ipv6_prefixes:
blocked_ips_file.write(f"ip6tables -I nixos-fw -s {ipv6_prefix} -j nixos-fw-refuse\n")
for ipv4_prefix in selected_ipv4_prefixes:
blocked_ips_file.write(f"iptables -I nixos-fw -s {ipv4_prefix} -j nixos-fw-refuse\n")

19
pkgs/grow-last-partition-and-filesystem/default.nix Normal file
View File

@@ -0,0 +1,19 @@
{
e2fsprogs,
gptfdisk,
jq,
parted,
writeShellApplication,
}:
writeShellApplication {
name = "grow-last-partition-and-filesystem";
text = builtins.readFile ./grow-last-partition-and-filesystem.sh;
runtimeInputs = [
e2fsprogs
gptfdisk
jq
parted
];
}

32
pkgs/grow-last-partition-and-filesystem/grow-last-partition-and-filesystem.sh Executable file
View File

@@ -0,0 +1,32 @@
#!/usr/bin/env bash
set -euo pipefail
if [[ $# -ne 1 ]]; then
echo "Pass device to grow as first argument:"
echo "grow-last-partition-and-filesystem DEVICE"
exit 1
fi
DEVICE="$1"
echo "Move GTP backup header to end of disk"
sgdisk "${DEVICE}" --move-second-header
PARTITIONDATA="$(parted --script --json --fix "${DEVICE}" print)"
PARTNUMBER="$(echo "${PARTITIONDATA}" | jq -r '.disk.partitions | last | .number')"
PARTNAME="$(echo "${PARTITIONDATA}" | jq -r '.disk.partitions | last | .name')"
echo "Growing partition ${DEVICE}${PARTNUMBER} (${PARTNAME})"
echo
parted "${DEVICE}" resizepart "${PARTNUMBER}" 100%
echo
echo "Resizing filesystem"
echo
resize2fs "${DEVICE}${PARTNUMBER}"
echo "Done."

14
pkgs/http.server/default.nix Normal file
View File

@@ -0,0 +1,14 @@
{
python3,
writeShellApplication,
}:
writeShellApplication {
name = "http.server";
text = ''
python3 -m http.server "$@"
'';
runtimeInputs = [
python3
];
}

12
pkgs/overlay.nix
View File

@@ -1,30 +1,40 @@
final: prev: { final: prev: {
bijwerken-poke = final.callPackage ./bijwerken-poke {};
bijwerken-system-upgrade = final.callPackage ./bijwerken-system-upgrade {};
clerie-backup = final.callPackage ./clerie-backup {}; clerie-backup = final.callPackage ./clerie-backup {};
clerie-cleanup-branches = final.callPackage ./clerie-update-nixfiles/clerie-cleanup-branches.nix {}; clerie-cleanup-branches = final.callPackage ./clerie-update-nixfiles/clerie-cleanup-branches.nix {};
clerie-keys = final.callPackage ./clerie-keys {}; clerie-keys = final.callPackage ./clerie-keys {};
clerie-ssh-known-hosts = final.callPackage ./clerie-ssh-known-hosts {}; clerie-ssh-known-hosts = final.callPackage ./clerie-ssh-known-hosts {};
clerie-system-remote-install = final.callPackage ./clerie-system-remote-install {}; clerie-system-remote-install = final.callPackage ./clerie-system-remote-install {};
clerie-system-upgrade = final.callPackage ./clerie-system-upgrade/clerie-system-upgrade.nix {};
clerie-merge-nixfiles-update = final.callPackage ./clerie-update-nixfiles/clerie-merge-nixfiles-update.nix {}; clerie-merge-nixfiles-update = final.callPackage ./clerie-update-nixfiles/clerie-merge-nixfiles-update.nix {};
clerie-sops = final.callPackage ./clerie-sops/clerie-sops.nix {}; clerie-sops = final.callPackage ./clerie-sops/clerie-sops.nix {};
clerie-sops-config = final.callPackage ./clerie-sops/clerie-sops-config.nix {}; clerie-sops-config = final.callPackage ./clerie-sops/clerie-sops-config.nix {};
clerie-sops-edit = final.callPackage ./clerie-sops/clerie-sops-edit.nix {}; clerie-sops-edit = final.callPackage ./clerie-sops/clerie-sops-edit.nix {};
clerie-update-nixfiles = final.callPackage ./clerie-update-nixfiles/clerie-update-nixfiles.nix {}; clerie-update-nixfiles = final.callPackage ./clerie-update-nixfiles/clerie-update-nixfiles.nix {};
chromium-incognito = final.callPackage ./chromium-incognito {}; chromium-incognito = final.callPackage ./chromium-incognito {};
convert-flac-dir-to-mp3 = final.callPackage ./convert-flac-dir-to-mp3 {};
curl-timings = final.callPackage ./curl-timings {};
ds-lite-dhcpcd-hook = final.callPackage ./ds-lite-dhcpcd-hook {};
factorio-launcher = final.callPackage ./factorio-launcher {}; factorio-launcher = final.callPackage ./factorio-launcher {};
feeds-dir = final.callPackage ./feeds-dir {}; feeds-dir = final.callPackage ./feeds-dir {};
fem-ssh-known-hosts = final.callPackage ./fem-ssh-known-hosts {};
generate-blocked-prefixes = final.callPackage ./generate-blocked-prefixes {};
git-checkout-github-pr = final.callPackage ./git-checkout-github-pr {}; git-checkout-github-pr = final.callPackage ./git-checkout-github-pr {};
git-diff-word = final.callPackage ./git-diff-word {}; git-diff-word = final.callPackage ./git-diff-word {};
git-pp = final.callPackage ./git-pp {}; git-pp = final.callPackage ./git-pp {};
git-show-link = final.callPackage ./git-show-link {}; git-show-link = final.callPackage ./git-show-link {};
grow-last-partition-and-filesystem = final.callPackage ./grow-last-partition-and-filesystem {};
"http.server" = final.callPackage ./http.server {};
nix-remove-result-links = final.callPackage ./nix-remove-result-links {}; nix-remove-result-links = final.callPackage ./nix-remove-result-links {};
nixfiles-auto-install = final.callPackage ./nixfiles/nixfiles-auto-install.nix {}; nixfiles-auto-install = final.callPackage ./nixfiles/nixfiles-auto-install.nix {};
nixfiles-generate-config = final.callPackage ./nixfiles/nixfiles-generate-config.nix {}; nixfiles-generate-config = final.callPackage ./nixfiles/nixfiles-generate-config.nix {};
nixfiles-generate-backup-secrets = final.callPackage ./nixfiles/nixfiles-generate-backup-secrets.nix {}; nixfiles-generate-backup-secrets = final.callPackage ./nixfiles/nixfiles-generate-backup-secrets.nix {};
nixfiles-update-ssh-host-keys = final.callPackage ./nixfiles/nixfiles-update-ssh-host-keys.nix {}; nixfiles-update-ssh-host-keys = final.callPackage ./nixfiles/nixfiles-update-ssh-host-keys.nix {};
pipewire-all-bluetooth = final.callPackage ./pipewire-all-bluetooth {};
print-afra = final.callPackage ./print-afra {}; print-afra = final.callPackage ./print-afra {};
run-with-docker-group = final.callPackage ./run-with-docker-group {}; run-with-docker-group = final.callPackage ./run-with-docker-group {};
ssh-gpg = final.callPackage ./ssh-gpg {}; ssh-gpg = final.callPackage ./ssh-gpg {};
update-from-hydra = final.callPackage ./update-from-hydra {}; update-from-hydra = final.callPackage ./update-from-hydra {};
uptimestatus = final.python3.pkgs.callPackage ./uptimestatus {}; uptimestatus = final.python3.pkgs.callPackage ./uptimestatus {};
well-known-ssh-known-hosts = final.callPackage ./well-known-ssh-known-hosts {};
} }

20
pkgs/overrides/ds-lite-dhcpcd.nix Normal file
View File

@@ -0,0 +1,20 @@
final: prev:
prev.dhcpcd.overrideAttrs (finalAttrs: prevAttrs: {
configureFlags = [
"--sysconfdir=/etc/ds-lite-dhcpcd"
"--localstatedir=/var"
"--disable-fork"
"--disable-privsep"
"--dbdir=/var/lib/ds-lite-dhcpcd"
"--rundir=/var/run/ds-lite-dhcpcd"
"--with-default-hostname=ds-lite"
"--disable-ipv4"
"--disable-arp"
"--disable-arpping"
"--disable-ipv4ll"
"--disable-ntp"
];
})

1
pkgs/overrides/overlay.nix
View File

@@ -1,4 +1,5 @@
final: prev: { final: prev: {
dino = import ./dino.nix final prev; dino = import ./dino.nix final prev;
ds-lite-dhcpcd = import ./ds-lite-dhcpcd.nix final prev;
xmppc = import ./xmppc.nix final prev; xmppc = import ./xmppc.nix final prev;
} }

29
pkgs/pipewire-all-bluetooth/all-bluetooth.conf Normal file
View File

@@ -0,0 +1,29 @@
context.modules = [
{ name = libpipewire-module-combine-stream
args = {
combine.mode = sink
node.name = "all-bluetooth"
node.description = "All Bluetooth devices"
combine.latency-compensate = false
combine.props = {
audio.position = [ FL FR ]
}
stream.props = {
}
stream.rules = [
{
matches = [
{
node.name = "~bluez_output.*"
media.class = "Audio/Sink"
}
]
actions = {
create-stream = {
}
}
}
]
}
}
]

9
pkgs/pipewire-all-bluetooth/default.nix Normal file
View File

@@ -0,0 +1,9 @@
{
runCommand,
... }:
runCommand "pipewire-all-bluetooth" {} ''
mkdir -p $out/share/pipewire/pipewire.conf.d
cp ${./all-bluetooth.conf} $out/share/pipewire/pipewire.conf.d/all-bluetooth.conf
''

5
pkgs/uptimestatus/default.nix
View File

@@ -4,6 +4,7 @@
flask, flask,
requests, requests,
python, python,
setuptools,
}: }:
let let
@@ -19,6 +20,10 @@ let
in buildPythonPackage rec { in buildPythonPackage rec {
inherit src pname version; inherit src pname version;
pyproject = true;
build-system = [ setuptools ];
propagatedBuildInputs = [ propagatedBuildInputs = [
flask flask
requests requests

6
pkgs/well-known-ssh-known-hosts/default.nix Normal file
View File

@@ -0,0 +1,6 @@
{ runCommand, ... }:
runCommand "well-known-ssh-known-hosts" {} ''
mkdir -p $out
cp ${./well-known-ssh-known-hosts} $out/known_hosts
''

30
pkgs/well-known-ssh-known-hosts/well-known-ssh-known-hosts Normal file
View File

@@ -0,0 +1,30 @@
# List of SSH Public Keys that should be pinned everywhere
# Check fingerprints with:
# ssh-keygen -l -f ./well-known-ssh-known-hosts
# Github
# From: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints
# SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU
github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
# SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM
github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
# SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s
github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=
# GitLab.com
# From: https://docs.gitlab.com/user/gitlab_com/#ssh-host-keys-fingerprints
# SHA256:eUXGGm1YGsMAS7vkcx6JOJdOGHPem5gQp4taiCfCLB8
gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf
# SHA256:ROQFvPThGrW4RuWLoL9tq9I9zJ42fK4XywyRtbOz/EQ
gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9
# SHA256:HbW3g8zUjNSksFbqTiUWPWg2Bq1x8xdGUrliXFzSnUw
gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=
# Codeberg
# From: https://docs.codeberg.org/security/ssh-fingerprint/
# SHA256:T9FYDEHELhVkulEKKwge5aVhVTbqCW0MIRwAfpARs/E
codeberg.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBL2pDxWr18SoiDJCGZ5LmxPygTlPu+cCKSkpqkvCyQzl5xmIMeKNdfdBpfbCGDPoZQghePzFZkKJNR/v9Win3Sc=
# SHA256:6QQmYi4ppFS4/+zSZ5S4IU+4sa6rwvQ4PbhCtPEBekQ
codeberg.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8hZi7K1/2E2uBX8gwPRJAHvRAob+3Sn+y2hxiEhN0buv1igjYFTgFO2qQD8vLfU/HT/P/rqvEeTvaDfY1y/vcvQ8+YuUYyTwE2UaVU5aJv89y6PEZBYycaJCPdGIfZlLMmjilh/Sk8IWSEK6dQr+g686lu5cSWrFW60ixWpHpEVB26eRWin3lKYWSQGMwwKv4LwmW3ouqqs4Z4vsqRFqXJ/eCi3yhpT+nOjljXvZKiYTpYajqUC48IHAxTWugrKe1vXWOPxVXXMQEPsaIRc2hpK+v1LmfB7GnEGvF1UAKnEZbUuiD9PBEeD5a1MZQIzcoPWCrTxipEpuXQ5Tni4mN
# SHA256:mIlxA9k46MmM6qdJOdMnAQpzGxF4WIVVL+fj+wZbw0g
codeberg.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIVIC02vnjFyL+I4RHfvIGNtOgJMe769VTF1VR4EB3ZB

4
profiles/common-nix/default.nix
View File

@@ -19,10 +19,10 @@ in {
clerie.nixfiles.enable = true; clerie.nixfiles.enable = true;
clerie.system-auto-upgrade.enable = true; services.bijwerken.enable = true;
nix.settings = { nix.settings = {
trusted-users = [ "@wheel" "@guests" ]; trusted-users = [ "@wheel" ];
auto-optimise-store = true; auto-optimise-store = true;
# Keep buildtime dependencies # Keep buildtime dependencies
keep-outputs = true; keep-outputs = true;

31
profiles/common-ssh/default.nix Normal file
View File

@@ -0,0 +1,31 @@
{ config, lib, pkgs, ... }:
with lib;
{
options.profiles.clerie.common-ssh = {
enable = mkEnableOption "Common ssh config";
};
config = mkIf config.profiles.clerie.common-ssh.enable {
services.openssh.enable = true;
services.openssh.settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = lib.mkDefault "no";
};
services.openssh.hostKeys = lib.mkForce [
# Only create ed25519 host keys
{ type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
];
programs.ssh.knownHostsFiles = [
(pkgs.clerie-ssh-known-hosts + "/known_hosts")
(pkgs.fem-ssh-known-hosts + "/known_hosts")
(pkgs.well-known-ssh-known-hosts + "/known_hosts")
];
};
}

7
profiles/common-webserver/default.nix
View File

@@ -40,7 +40,12 @@ in {
log_format vcombined_anon '$host: $remote_addr_anon - $remote_user [$time_local] ' log_format vcombined_anon '$host: $remote_addr_anon - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent ' '"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"'; '"$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log vcombined_anon; log_format vcombined_anon_monitoring '$host: $remote_addr_anon - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'"$server_name" '
'rt="$request_time" uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"';
access_log /var/log/nginx/access.log vcombined_anon_monitoring;
''; '';
virtualHosts = mkIf cfg.httpDefaultVirtualHost { virtualHosts = mkIf cfg.httpDefaultVirtualHost {

4
profiles/common/default.nix
View File

@@ -11,11 +11,11 @@ with lib;
config = mkIf config.profiles.clerie.common.enable { config = mkIf config.profiles.clerie.common.enable {
profiles.clerie.common-dns.enable = mkDefault true; profiles.clerie.common-dns.enable = mkDefault true;
profiles.clerie.common-networking.enable = mkDefault true; profiles.clerie.common-networking.enable = mkDefault true;
profiles.clerie.common-nix.enable = mkDefault true; profiles.clerie.common-nix.enable = mkDefault true;
profiles.clerie.common-ssh.enable = mkDefault true;
profiles.clerie.common-webserver.enable = mkDefault true; profiles.clerie.common-webserver.enable = mkDefault true;
profiles.clerie.hetzner-storage-box-client.enable = mkDefault true;
}; };
} }

4
profiles/default.nix
View File

@@ -7,13 +7,17 @@
./common-dns ./common-dns
./common-networking ./common-networking
./common-nix ./common-nix
./common-ssh
./common-webserver ./common-webserver
./cybercluster-vm ./cybercluster-vm
./desktop
./dn42-router ./dn42-router
./ds-lite
./fem-net ./fem-net
./firefox ./firefox
./gpg-ssh ./gpg-ssh
./hetzner-cloud ./hetzner-cloud
./hetzner-storage-box-client
./hydra-build-machine ./hydra-build-machine
./mercury-vm ./mercury-vm
./monitoring-server ./monitoring-server

31
profiles/desktop/audio.nix Normal file
View File

@@ -0,0 +1,31 @@
{ config, lib, pkgs, ... }:
with lib;
{
config = mkIf config.profiles.clerie.desktop.enable {
services.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa = {
enable = true;
support32Bit = true;
};
pulse = {
enable = true;
};
configPackages = [
pkgs.pipewire-all-bluetooth
];
};
environment.systemPackages = with pkgs; [
helvum # pipewire routing gui
];
};
}

Some files were not shown because too many files have changed in this diff Show More