124 Commits

Author SHA1 Message Date
Flake Update Bot
045c9abfb6 Update nixpkgs 2025-12-16-02-03 2025-12-16 03:04:07 +01:00
93107849d1 hosts/carbon: Remove network bridges 2025-12-15 22:30:56 +01:00
398fcc74b7 hosts/carbon: Disable mdns support 2025-12-15 22:01:06 +01:00
5fb579b9ed hosts/carbon: Remove NAT as it is obsolete 2025-12-15 21:51:52 +01:00
e4f1f35b0e hosts/carbon: Remove unused modules 2025-12-15 21:51:07 +01:00
65fc81e082 hosts/carbon: Set rps_cpus for ppp interface 2025-12-15 20:31:51 +01:00
7e30b6e408 configuration/common: Add hardware inspection tools 2025-12-14 21:37:18 +01:00
91ee2cc15b hosts/carbon: Reduce overhead by not using network bridges 2025-12-14 21:36:39 +01:00
9b3d9993f4 profiles/desktop: Give desktop users special permisions for networkmanager 2025-12-14 13:13:54 +01:00
f152e1c60d hosts/dn42-il-gw1: Add peer jonas 2025-12-07 12:35:30 +01:00
da282e48f7 Merge remote-tracking branch 'origin/updated-inputs-2025-12-05-02-03' 2025-12-05 12:24:46 +01:00
75c8c3e6e2 hosts/dn42-il-gw1: Add peer c4tg1rl5 2025-12-05 12:23:56 +01:00
ccdf9ceb0e hosts/dn42-il-gw1: Sort peering correctly 2025-12-05 12:06:39 +01:00
ff21771fe3 hosts/dn42-il-gw1: Add missing ports to open in firewall 2025-12-05 11:58:46 +01:00
9406b9b18d hosts/dn42-il-gw1: Add peer iedon 2025-12-05 11:57:54 +01:00
Flake Update Bot
ac50736dc3 Update nixpkgs 2025-12-05-02-03 2025-12-05 03:03:03 +01:00
d4f6812f70 hosts/dn42-il-gw1: Add tbspace peering 2025-12-04 16:36:27 +01:00
c6322949fe hosts/dn42-il-gw1: Add darkpoint peering 2025-12-04 16:22:39 +01:00
eb20ced361 hosts/dn42-il-gw1: Add peering with pilz 2025-12-03 21:51:12 +01:00
8b947f26ad hosts/dn42-il-gw1: Remove obsolte wireguard private key 2025-12-03 21:39:23 +01:00
0d5d98a5ba hosts/dn42-il-gw1: Remote second peering of prefixlabs 2025-12-03 21:27:58 +01:00
241ea69e11 hosts/dn42-il-gw1: Fix ip address assignment for wg1240 2025-12-03 21:27:36 +01:00
7cf15e05bd profiles/common-webserver: Terminate http sessions for unknown vhosts immediately 2025-12-03 21:13:19 +01:00
4fb86e3e1e hosts/dn42-il-gw1: Display dn42 peering page 2025-12-03 20:34:51 +01:00
7403159730 profiles/dn42-router: Automatically generate peering documentation 2025-12-03 20:23:44 +01:00
b768bf6deb hosts/dn42-il-gw1: Add prefixlabs peering 2025-12-03 19:10:38 +01:00
90636b14b5 profiles/common-ssh: Configure GlobalKnownHosts manually so we avoid import from derivation 2025-12-03 18:44:27 +01:00
cfe26d87c3 profiles/desktop: Add gnome-decoder 2025-11-26 18:13:01 +01:00
5ad658bd78 profiles/common-nix: Collect garbage more aggressively, too much trash laying around 2025-11-24 18:16:39 +01:00
e0815c725a profiles/ds-lite: Rebind dhcp6 with reload 2025-11-24 17:32:02 +01:00
44e6eac850 pkgs/well-known-ssh-known-hosts: Add ssh.gitlab.gnome.org 2025-11-23 15:21:25 +01:00
3ddbfb19a6 pkgs/nixfiles-docs-generate-pkgs-md: Automatically generate package documentation 2025-11-23 11:56:45 +01:00
9faabcd01e pkgs/nixfiles-docs-generate-options-md: Automatically generate module options docs 2025-11-23 10:56:23 +01:00
abca7b69d6 flake.nix: Remove reference to patched nixpkgs for carbon, as the issue is patched upstream now 2025-11-22 22:55:48 +01:00
77268f9243 hosts/carbon: Disable use of service.wg-clerie
"Oh this is where I still used the old wg-clerie module"
2025-11-22 22:54:37 +01:00
87884154eb pkgs/nixfiles-docs: Add hydra link to build output 2025-11-22 22:45:37 +01:00
7ed74d376b pkgs/nixfiles-docs: Init docs 2025-11-22 22:39:27 +01:00
7c8832c1cd pkgs/nixfiles-docs-options: Generate docs for module options 2025-11-22 21:55:32 +01:00
7c9fe54051 pkgs/nixfiles-docs-options: Remove file added by accident 2025-11-22 21:53:37 +01:00
8760cd7832 modules/minecraft-server: Fix syntax errors in options specification 2025-11-22 21:40:00 +01:00
079934aaeb modules/policyrouting: Remove obsolte module policyrouting 2025-11-22 21:33:07 +01:00
b1787611f5 modules/wg-clerie: Remove modules.wg-clerie as it is replaced by profiles.clerie.wg-clerie 2025-11-22 21:31:47 +01:00
69a04cac3f hosts/krypton,profiles/firefox,profiles/desktop: Migrate options to new nixpkgs version 2025-11-21 20:28:39 +01:00
6e8adf8eb5 Merge remote-tracking branch 'origin/updated-inputs-2025-11-21-02-03' 2025-11-21 19:43:29 +01:00
626834c2a4 profiles/desktop: Migrate logind option rename 2025-11-21 19:09:22 +01:00
bd1716eb23 hosts/carbon: Don't send IPv4 to ppp tunnel 2025-11-21 18:33:42 +01:00
a5125e92a6 profiles/router: Add applications to debug conntrack more 2025-11-21 18:28:42 +01:00
Flake Update Bot
50f2f01437 Update nixpkgs 2025-11-21-02-03 2025-11-21 03:03:17 +01:00
2606338b56 pkgs/ds-lite-dhcpcd-hook: Netcologne can't handle Tunnel Encapsulation Limit, so don't send these options in the DS-Lite tunnel 2025-11-20 20:03:38 +01:00
f43eba0036 hosts/clerie-backup: Replicate backups with restic instead of borgbackup 2025-11-16 19:40:33 +01:00
971fb88d97 pkgs/clerie-backup: Support sftp backend for restic 2025-11-16 19:38:50 +01:00
1ab3ae3769 pkgs/clerie-ssh-known-hosts: Pin some more SSH host keys that can net be retrieved automatically 2025-11-16 16:05:57 +01:00
bc8d681956 pkgs/fem-ssh-known-hosts: Pin FeM ssh known hosts globally 2025-11-16 15:32:29 +01:00
fc4bc6ca41 pkgs/well-known-ssh-known-hosts: Pin some regularly used SSH host keys 2025-11-16 15:00:05 +01:00
f17a94c578 profiles/common-ssh: Migrate common SSH config to profile and pin SSH public hosts keys for net.clerie.de 2025-11-16 14:22:50 +01:00
2d9836f793 pkgs/clerie-ssh-known-hosts: Pin SSH host keys to FQDN only 2025-11-16 14:09:24 +01:00
0de7471ac0 profiles/hetzner-storage-box-client: Globally pin Hetzner Storage Box SSH public keys 2025-11-16 14:02:54 +01:00
db9ea1ea5c flake.lock: Update nixpkgs and lix 2025-11-08 12:40:53 +01:00
930be1c50c monitoring/targets.json: Add reichart.uber.space to monitoring 2025-11-06 20:54:52 +01:00
f3629c2653 profiles/ds-lite: Connect to Netcologne with PPP DS-Lite 2025-10-27 21:26:28 +01:00
44afbff445 hosts/carbon: Change DSL uplink to netcologne 2025-10-24 21:36:41 +02:00
92817fdcad hosts/clerie-backup: Export metrics for backup replication to Hetzner 2025-10-24 18:13:24 +02:00
e8cca7b1b6 pkgs/http.server: Add shortcut command for python3 http.server 2025-10-07 19:11:22 +02:00
102509b9a8 hosts/krypton: Add tuba and flare apps 2025-09-27 18:43:16 +02:00
eaa4ee6d05 hosts/storage-2: Provide mixcloud directory listing as json too 2025-09-26 15:51:55 +02:00
9659885079 pkgs/grow-last-partition-and-filesystem: Add missing dependency reference 2025-09-21 18:02:14 +02:00
50b575dcb3 hosts/storage-2: Convert em to mp3 2025-09-21 18:01:46 +02:00
165839be07 pkgs/convert-flac-dir-to-mp3: Use tmpfile for ffmpeg so we don't have broken files laying around 2025-09-21 17:18:08 +02:00
ce99bb114b pkgs/convert-flac-dir-to-mp3: Add script for coverting music libraries 2025-09-21 17:06:36 +02:00
23629e0662 pkgs/build-support: writePythonScript add runtimeInput option 2025-09-21 16:58:15 +02:00
6954e75a5c pkgs/grow-last-partition-and-filesystem: Automatically move GPT backup header to end of device 2025-09-21 14:36:04 +02:00
539502cea0 flake.lock: Update mu5001tool 2025-09-12 00:10:03 +02:00
00a7eee2af hosts/astatine: Update mu5001tool and restart on failure 2025-09-11 12:39:04 +02:00
e82132b86e hosts/astatine: Add stack to monitor zte hypermobile 5g 2025-09-08 23:32:57 +02:00
503dca182e pkgs/curl-timings: Add curl shortcut to show connection timings 2025-09-03 13:05:55 +02:00
82f8064956 pkgs/grow-last-partition-and-filesystem: Add command to easily grow a filesystem on a disk resized by Proxmox 2025-08-30 11:11:57 +02:00
342d50d936 pkgs/bijwerken-system-upgrade: Copy system store path from any configured nix cache 2025-08-30 09:52:25 +02:00
dd76691f7d pkgs/bijwerken-*,modules/bijwerken: Consolidate system update management and refactor under the same name 2025-08-17 21:49:24 +02:00
72cdef91d9 profiles/common-nix: Remove guests group from trusted nix users 2025-08-17 20:02:34 +02:00
22c7cb451b pkgs/nixfiles: Add helper script to trigger system upgrades 2025-08-17 19:05:22 +02:00
9357981ff3 hosts/monitoring-3: Alert on fem.social unavailable 2025-08-17 10:39:01 +02:00
eddb365ae5 hosts/monitoring-3: Alert nadja.top down after 15min only 2025-08-17 10:17:43 +02:00
d01de7fc4a hosts/monitoring-3: Add dashboards to deployment 2025-08-16 22:01:06 +02:00
a1ca9313b9 hosts/monitoring-3: Add Nginx Grafana dashboard 2025-08-15 20:50:24 +02:00
217ede0307 modules/monitoring: Extract metrics from nginx logs 2025-08-15 18:14:41 +02:00
643478b724 pkgs/generate-blocked-prefixes: Deduplicate prefixes before generating firewall rules 2025-08-14 20:20:33 +02:00
13b8ccd087 hosts/krypton: don't use onlyoffice anymore 2025-08-09 14:59:03 +02:00
7c3a97a90a hosts/web-2: Update legal.clerie.de 2025-08-09 11:42:04 +02:00
40338d9b85 hosts/monitoring-3: Monitor alertmanager 2025-08-09 11:41:34 +02:00
7f6f6281cc profiles/desktop: Migrate from configuration 2025-07-29 23:03:58 +02:00
2d4acb5a49 flake.lock: Update lix 2025-07-29 18:04:22 +02:00
Flake Update Bot
905682cf17 Update nixpkgs 2025-07-29-01-03 2025-07-29 03:04:11 +02:00
f5ec777e9b flake/hydraJobs.nix: Track additional packages in hydra 2025-07-28 22:48:59 +02:00
944bced757 pkgs/pipewire-all-bluetooth: A pipewire audio sink that distributes to all Bluetooth speakers 2025-07-28 22:36:49 +02:00
5bd15927d5 hosts/web-2: Block Alibaba Cloud because of scraper bots 2025-07-18 23:55:33 +02:00
9b05a008bb configuration/desktop: Add helvum audio routing gui 2025-07-15 19:39:46 +02:00
871ba5ea43 pkgs/uptimestatus: Explicitly specify build system 2025-07-15 19:26:50 +02:00
560e53f77b hosts/krypton: Add drune3d program 2025-07-12 13:21:30 +02:00
03aa425038 hosts/web-2: Add traveldrafter.clerie.de 2025-07-06 18:17:31 +02:00
751efd02bb hosts/porter: Enable system auto upgrade 2025-07-05 20:16:01 +02:00
43d1133772 modules/clerie-system-upgrade: Always reboot after an update 2025-06-30 18:35:57 +02:00
4245ae84ed hosts/carbon: Don't make kea depend on non existend network-setup.service anymore 2025-06-29 22:25:19 +02:00
b9f47fc30c flake.nix: Use patched nixpkgs for carbon 2025-06-29 17:29:01 +02:00
ce54f06fd0 flake/nixosConfigurations.nix: Handle host specific nixpkgs input again 2025-06-29 17:28:38 +02:00
457fa2ca6f lib/mkNixpkgs.nix: Add function to import nixpkgs with overlays 2025-06-29 16:56:41 +02:00
60e80ab2e9 profiles/gpg-ssh: Move gpg-ssh to profiles 2025-06-29 11:51:27 +02:00
4bf030c006 profiles/common-nix: Migrate nix common config zu profile 2025-06-29 11:34:11 +02:00
0204773d27 lib/nixosSystem.nix: Wrap nixpkgs.lib.nixosSystem and include nixfiles modules and overlays by default 2025-06-28 16:43:03 +02:00
a66da6cac9 lib/link-local-wireguard.nix: Remove obsolete functions 2025-06-28 16:27:06 +02:00
691d671420 pkgs/clerie-ssh-known-hosts: Expose function as package 2025-06-28 16:25:38 +02:00
fef845117e flake/nixosConfigurations.nix: Pull localNixpkgs directly instead of creating nixpkgs with local overlays again 2025-06-28 16:10:46 +02:00
11970e287c pkgs/build-support: Move clerie-build-support attribute name to overlay 2025-06-28 15:32:58 +02:00
cdc1a1e6de flake.nix: Add unused helper variable 2025-06-28 15:31:38 +02:00
e9b5dce77f flake.nix: Common naming scheme for overlays and no default overlays anymore 2025-06-28 15:22:16 +02:00
23190f0777 pkgs/overlay.nix: Get rid of pkgs/pkgs.nix and move overrides to separate overlay 2025-06-28 15:14:36 +02:00
1d927638c5 flake.nix: Exclude build support from flake exported packages and make pkgs/pkgs.nix obsolete again 2025-06-28 15:03:46 +02:00
a754af1ee9 configuration/desktop: Update renamed option name 2025-06-28 14:14:11 +02:00
617a27d4fe flake.lock: Update lix 2025-06-28 14:05:39 +02:00
eace2fabb2 pkgs/build-support: Add writePytonScript helper function 2025-06-28 14:03:57 +02:00
Flake Update Bot
721f6681e1 Update nixpkgs 2025-06-27-01-03 2025-06-27 03:04:09 +02:00
86bfe85982 hosts/porter: Resolve nginx proxy upstreams via unbound 2025-06-24 16:42:03 +02:00
e24190ae08 hosts/dn42-il-gw1: Open firewall for wireguard tunnel ports 2025-06-11 08:07:13 +02:00
9755550435 hosts/dn42-il-gw1: AS4242421718 fix link local peer address 2025-06-11 08:06:42 +02:00
0dfc013122 hosts/dn42-il-gw1: Add peer AS4242421718 2025-06-10 23:08:38 +02:00
161 changed files with 3851 additions and 1229 deletions


@@ -7,9 +7,7 @@
./initrd.nix
./locale.nix
./networking.nix
./nix.nix
./programs.nix
./ssh.nix
./systemd.nix
./user.nix
];


@@ -1,70 +0,0 @@
{ lib, pkgs, ... }:
{
clerie.nixfiles.enable = true;
clerie.system-auto-upgrade.enable = true;
nix.settings = {
trusted-users = [ "@wheel" "@guests" ];
auto-optimise-store = true;
# Keep buildtime dependencies
keep-outputs = true;
# Build local, when caches are broken
fallback = true;
};
nix.gc = lib.mkDefault {
automatic = true;
dates = "weekly";
options = "--delete-older-than 30d";
};
nix.settings = {
experimental-features = [
"flakes"
"nix-command"
];
substituters = [
"https://nix-cache.clerie.de"
];
trusted-public-keys = [
"nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g="
];
};
# Pin current nixpkgs channel and flake registry to the nixpkgs version
# the host got build with
nix.nixPath = lib.mkForce [ "nixpkgs=${lib.cleanSource pkgs.path}" ];
nix.registry = {
"nixpkgs" = lib.mkForce {
from = {
type = "indirect";
id = "nixpkgs";
};
to = {
type = "path";
path = lib.cleanSource pkgs.path;
};
exact = true;
};
"templates" = {
from = {
type = "indirect";
id = "templates";
};
to = {
type = "git";
url = "https://git.clerie.de/clerie/flake-templates.git";
};
};
};
documentation.doc.enable = false;
environment.systemPackages = with pkgs; [
nix-remove-result-links
];
}


@@ -6,6 +6,10 @@
# My system is fucked
gptfdisk
parted
grow-last-partition-and-filesystem
pciutils
lshw
ethtool
# Normal usage
htop


@@ -1,16 +0,0 @@
{ lib, ... }:
{
services.openssh.enable = true;
services.openssh.settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = lib.mkDefault "no";
};
services.openssh.hostKeys = lib.mkForce [
# Only create ed25519 host keys
{ type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
];
}


@@ -1,19 +0,0 @@
{ ... }:
{
services.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa = {
enable = true;
support32Bit = true;
};
pulse = {
enable = true;
};
};
}


@@ -1,19 +0,0 @@
{ ... }:
{
imports = [
./audio.nix
./firmware.nix
./fonts.nix
./gnome.nix
./inputs.nix
./networking.nix
./polkit.nix
./power.nix
./printing.nix
./ssh.nix
./xserver.nix
];
security.sudo.wheelNeedsPassword = true;
}


@@ -1,7 +0,0 @@
{ ... }:
{
services.fwupd.enable = true;
}


@@ -1,13 +0,0 @@
{ pkgs, ... }:
{
fonts.enableDefaultPackages = true;
fonts.packages = with pkgs; [
roboto
roboto-mono
noto-fonts
noto-fonts-emoji
comfortaa
] ++ (if pkgs ? "noto-fonts-cjk-sans" then [ pkgs.noto-fonts-cjk-sans ] else [ pkgs.noto-fonts-cjk ]);
}


@@ -1,61 +0,0 @@
{ pkgs, ... }:
{
services.gnome = {
localsearch.enable = false;
tinysparql.enable = false;
};
environment.gnome.excludePackages = with pkgs; [
baobab
epiphany
gnome-calendar
gnome-clocks
gnome-console
gnome-contacts
gnome-logs
gnome-maps
gnome-music
gnome-tour
gnome-photos
gnome-weather
gnome-connections
simple-scan
yelp
geary
];
environment.systemPackages = with pkgs; [
evolution
gnome-terminal
gnome-tweaks
];
services.gnome.evolution-data-server.enable = true;
programs.dconf.profiles = {
user.databases = [
{
settings = {
"org/gnome/desktop/calendar" = {
show-weekdate = true;
};
"org/gnome/desktop/interface" = {
enable-hot-corners = false;
show-battery-percentage = true;
};
"org/gnome/desktop/notifications" = {
show-in-lock-screen = false;
};
"org/gnome/desktop/sound" = {
event-sounds = false;
};
"org/gnome/gnome-system-monitor" = {
network-in-bits = true;
network-total-in-bits = true;
};
};
}
];
};
}


@@ -1,43 +0,0 @@
{ ... }:
{
programs.dconf.profiles = {
user.databases = [
{
settings = {
"org/gnome/desktop/peripherals/touchpad" = {
disable-while-typing = false;
edge-scrolling-enabled = false;
natural-scroll = true;
tap-to-click = true;
two-finger-scrolling-enabled = true;
};
"org/gnome/settings-daemon/plugins/media-keys" = {
custom-keybindings = [
"/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/terminal/"
];
mic-mute = [ "<Control>Print" ];
};
"org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/terminal" = {
name = "Terminal";
binding = "<Primary><Alt>t";
command = "gnome-terminal";
};
};
}
];
gdm.databases = [
{
settings = {
"org/gnome/desktop/peripherals/touchpad" = {
disable-while-typing = false;
edge-scrolling-enabled = false;
natural-scroll = true;
tap-to-click = true;
two-finger-scrolling-enabled = true;
};
};
}
];
};
}


@@ -1,14 +0,0 @@
{ ... }:
{
networking.networkmanager.settings = {
connectivity = {
uri = "http://ping.clerie.de/nm-check.txt";
};
global-dns = {
searches = "net.clerie.de";
};
};
}


@@ -1,7 +0,0 @@
{ ... }:
{
security.polkit.enable = true;
}


@@ -1,42 +0,0 @@
{ lib, config, ... }:
{
boot.resumeDevice = lib.optionalString ((lib.length config.swapDevices) > 0) (lib.head config.swapDevices).device;
services.logind = {
lidSwitch = "suspend-then-hibernate";
};
systemd.sleep.extraConfig = ''
HibernateDelaySec=30m
'';
services.upower = {
percentageLow = 20;
percentageCritical = 10;
percentageAction = 8;
};
programs.dconf.profiles = {
user.databases = [
{
settings = {
"org/gnome/settings-daemon/plugins/power" = {
power-button-action = "hibernate";
power-saver-profile-on-low-battery = false;
sleep-inactive-ac-type = "nothing";
};
};
}
];
gdm.databases = [
{
settings = {
"org/gnome/settings-daemon/plugins/power" = {
power-button-action = "hibernate";
power-saver-profile-on-low-battery = false;
sleep-inactive-ac-type = "nothing";
};
};
}
];
};
}


@@ -1,7 +0,0 @@
{ ... }:
{
services.printing.enable = true;
services.avahi.enable = true;
services.avahi.nssmdns4 = true;
}


@@ -1,34 +0,0 @@
{ pkgs, ... }:
{
imports = [
../../configuration/gpg-ssh
];
programs.gnupg.agent = {
pinentryPackage = pkgs.pinentry-gtk2;
};
# Do not disable ssh-agent of gnome-keyring, because
# gnupg ssh-agent can't handle normal SSH keys properly
/*
# Disable ssh-agent of gnome-keyring
nixpkgs.overlays = [
(final: prev: {
gnome = prev.gnome // {
gnome-keyring = prev.runCommand "gnome-keyring-ssh-disabled-autostart" {} ''
mkdir -p $out
# Symlink all gnome-keyring binaries
${final.xorg.lndir}/bin/lndir -silent ${prev.gnome.gnome-keyring} $out
# Disable autostart for ssh
rm $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
cat ${prev.gnome.gnome-keyring}/etc/xdg/autostart/gnome-keyring-ssh.desktop > $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
echo "Hidden=true" >> $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
'';
};
})
];
*/
}


@@ -1,11 +0,0 @@
{ pkgs, ... }:
{
services.xserver.enable = true;
services.xserver.displayManager.gdm.enable = true;
services.xserver.desktopManager.gnome.enable = true;
services.xserver.excludePackages = with pkgs; [
xterm
];
}


@@ -1,51 +0,0 @@
{ pkgs, lib, ... }:
let
custom_gnupg = pkgs.gnupg.overrideAttrs (final: prev: {
configureFlags = prev.configureFlags ++ [
# Make sure scdaemon never ever again tries to use its own ccid driver
"--disable-ccid-driver"
];
});
in {
programs.gnupg.package = custom_gnupg;
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
pinentryPackage = lib.mkDefault pkgs.pinentry-curses;
};
environment.systemPackages = with pkgs; [
custom_gnupg
yubikey-personalization
openpgp-card-tools
# Add wrapper around ssh that takes the gnupg ssh-agent
# instead of gnome-keyring
ssh-gpg
];
services.pcscd.enable = true;
# pcscd sometimes breaks and seem to need a manual restart
# so we allow users to restart that service themself
security.polkit.extraConfig = ''
polkit.addRule(function(action, subject) {
if (
action.id == "org.freedesktop.systemd1.manage-units"
&& action.lookup("unit") == "pcscd.service"
&& action.lookup("verb") == "restart"
&& subject.isInGroup("users")
) {
return polkit.Result.YES;
}
});
'';
services.udev.packages = with pkgs; [
yubikey-personalization
];
}

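--- /dev/null
+++ b/docs/mkdocs.yml
@@ -0,0 +1,14 @@
+docs_dir: pages
+site_name: clerie's nixfiles
+repo_url: https://git.clerie.de/clerie/nixfiles
+repo_name: clerie/nixfiles
+edit_uri: src/branch/master/docs/pages/
+theme:
+name: material
+features:
+- content.action.edit
+- navigation.indexes
+- navigation.tabs
+palette:
+primary: deep purple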
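--- /dev/null
+++ b/docs/pages/Options.md
@@ -0,0 +1,3 @@
+# Options
+This page is generated on build time.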
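--- /dev/null
+++ b/docs/pages/Packages.md
@@ -0,0 +1,3 @@
+# Packages
+This page is generated on build time.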
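--- /dev/null
+++ b/docs/pages/index.md
@@ -0,0 +1,6 @@
+---
+hide:
+- navigation
+---
+# Home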
154
flake.lock generated

@@ -269,11 +269,11 @@
"nixpkgs": "nixpkgs_3"
},
"locked": {
"lastModified": 1748520450,
"narHash": "sha256-thTwt6c/qdLg65urUWSENbmwf/ofvujpFNNTcF+iZvI=",
"lastModified": 1759516991,
"narHash": "sha256-esoe/uYPyy4a6hAwZq1QgkSe7dnZ5c0zHHXDq/JG9Yk=",
"ref": "lix-2.93",
"rev": "509c94cdb7e11d48e67a5a68c0d5fadfcda7bad5",
"revCount": 4257,
"rev": "b1328322a49e8e153635ea8b3b602db363de727f",
"revCount": 4284,
"type": "git",
"url": "https://git.lix.systems/lix-project/hydra.git"
},
@@ -290,6 +290,9 @@
"flake-compat"
],
"nix2container": "nix2container",
"nix_2_18": [
"hydra"
],
"nixpkgs": [
"hydra",
"nixpkgs"
@@ -298,11 +301,11 @@
"pre-commit-hooks": "pre-commit-hooks"
},
"locked": {
"lastModified": 1747597901,
"narHash": "sha256-jS+P57tXZEl+zvPfEIHFbd1j3xfuWcrcMrcnbm9wWbE=",
"lastModified": 1757791921,
"narHash": "sha256-83qbJckLOLrAsKO88UI9N4QRatNEc3gUFtLMiAPwK0g=",
"ref": "release-2.93",
"rev": "33eaaf02fd3f380e99032b25e741eeeb10573cad",
"revCount": 17846,
"rev": "b7c2f17e9133e8b85d41c58b52f9d4e3254f41da",
"revCount": 17892,
"type": "git",
"url": "https://git.lix.systems/lix-project/lix"
},
@@ -324,11 +327,11 @@
]
},
"locked": {
"lastModified": 1748254718,
"narHash": "sha256-Uf6HNA0JctJH4ZdrZ/xb185mT0/XusLxnric9Xhg7Es=",
"lastModified": 1756125859,
"narHash": "sha256-6a+PWILmqHCs9B5eIBLg6HSZ8jYweZpgOWO8FlyVwYI=",
"ref": "release-2.93",
"rev": "3855614ceafe562393472cca5fb2005297889a75",
"revCount": 143,
"rev": "d3292125035b04df00d01549a26e948631fabe1e",
"revCount": 156,
"type": "git",
"url": "https://git.lix.systems/lix-project/nixos-module.git"
},
@@ -342,6 +345,7 @@
"inputs": {
"flake-compat": "flake-compat_2",
"nix2container": "nix2container_2",
"nix_2_18": "nix_2_18",
"nixpkgs": [
"nixpkgs"
],
@@ -349,11 +353,11 @@
"pre-commit-hooks": "pre-commit-hooks_2"
},
"locked": {
"lastModified": 1747597901,
"narHash": "sha256-jS+P57tXZEl+zvPfEIHFbd1j3xfuWcrcMrcnbm9wWbE=",
"lastModified": 1759940703,
"narHash": "sha256-/dXDCzYnQbkqCsvUDIxgIH4BS/fyxIu73m2v4ftJLXQ=",
"ref": "release-2.93",
"rev": "33eaaf02fd3f380e99032b25e741eeeb10573cad",
"revCount": 17846,
"rev": "75c03142049242a5687309e59e4f356fbc92789a",
"revCount": 17894,
"type": "git",
"url": "https://git.lix.systems/lix-project/lix.git"
},
@@ -363,6 +367,22 @@
"url": "https://git.lix.systems/lix-project/lix.git"
}
},
"lowdown-src": {
"flake": false,
"locked": {
"lastModified": 1633514407,
"narHash": "sha256-Dw32tiMjdK9t3ETl5fzGrutQTzh2rufgZV4A/BbxuD4=",
"owner": "kristapsdz",
"repo": "lowdown",
"rev": "d2c2b44ff6c27b936ec27358a2653caaef8f73b8",
"type": "github"
},
"original": {
"owner": "kristapsdz",
"repo": "lowdown",
"type": "github"
}
},
"mitel-ommclient2": {
"inputs": {
"nixpkgs": [
@@ -384,6 +404,26 @@
"url": "https://git.clerie.de/clerie/mitel_ommclient2.git"
}
},
"mu5001tool": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1757627777,
"narHash": "sha256-NGUqHQ+/BaUhjgSYQauTihTtNyhhnQRMJ8t7ZSPNpmk=",
"ref": "refs/heads/main",
"rev": "b7b0f0d5191433bca1377f7d818b800627a83fda",
"revCount": 9,
"type": "git",
"url": "https://git.clerie.de/clerie/mu5001tool.git"
},
"original": {
"type": "git",
"url": "https://git.clerie.de/clerie/mu5001tool.git"
}
},
"nix2container": {
"flake": false,
"locked": {
@@ -416,6 +456,34 @@
"type": "github"
}
},
"nix_2_18": {
"inputs": {
"flake-compat": [
"lix",
"flake-compat"
],
"lowdown-src": "lowdown-src",
"nixpkgs": "nixpkgs_4",
"nixpkgs-regression": [
"lix",
"nixpkgs-regression"
]
},
"locked": {
"lastModified": 1730375271,
"narHash": "sha256-RrOFlDGmRXcVRV2p2HqHGqvzGNyWoD0Dado/BNlJ1SI=",
"owner": "NixOS",
"repo": "nix",
"rev": "0f665ff6779454f2117dcc32e44380cda7f45523",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "2.18.9",
"repo": "nix",
"type": "github"
}
},
"nixos-exporter": {
"inputs": {
"nixpkgs": [
@@ -550,11 +618,11 @@
},
"nixpkgs_3": {
"locked": {
"lastModified": 1748437600,
"narHash": "sha256-hYKMs3ilp09anGO7xzfGs3JqEgUqFMnZ8GMAqI6/k04=",
"lastModified": 1759281824,
"narHash": "sha256-FIBE1qXv9TKvSNwst6FumyHwCRH3BlWDpfsnqRDCll0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "7282cb574e0607e65224d33be8241eae7cfe0979",
"rev": "5b5be50345d4113d04ba58c444348849f5585b4a",
"type": "github"
},
"original": {
@@ -566,11 +634,27 @@
},
"nixpkgs_4": {
"locked": {
"lastModified": 1748190013,
"narHash": "sha256-R5HJFflOfsP5FBtk+zE8FpL8uqE7n62jqOsADvVshhE=",
"lastModified": 1705033721,
"narHash": "sha256-K5eJHmL1/kev6WuqyqqbS1cdNnSidIZ3jeqJ7GbrYnQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "62b852f6c6742134ade1abdd2a21685fd617a291",
"rev": "a1982c92d8980a0114372973cbdfe0a307f1bdea",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.05-small",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_5": {
"locked": {
"lastModified": 1765779637,
"narHash": "sha256-KJ2wa/BLSrTqDjbfyNx70ov/HdgNBCBBSQP3BIzKnv4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "1306659b587dc277866c7b69eb97e5f07864d8c4",
"type": "github"
},
"original": {
@@ -663,16 +747,18 @@
"hydra": "hydra",
"lix": "lix_2",
"lix-module": "lix-module",
"mu5001tool": "mu5001tool",
"nixos-exporter": "nixos-exporter",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_4",
"nixpkgs": "nixpkgs_5",
"nixpkgs-0dc1c7": "nixpkgs-0dc1c7",
"nurausstieg": "nurausstieg",
"rainbowrss": "rainbowrss",
"scan-to-gpg": "scan-to-gpg",
"solid-xmpp-alarm": "solid-xmpp-alarm",
"sops-nix": "sops-nix",
"ssh-to-age": "ssh-to-age"
"ssh-to-age": "ssh-to-age",
"traveldrafter": "traveldrafter"
}
},
"scan-to-gpg": {
@@ -787,6 +873,26 @@
"type": "github"
}
},
"traveldrafter": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1751817360,
"narHash": "sha256-HzOhsPvzCaFeiz8nPq5MkYnYHpUzVaU/P5sxG+Njt+8=",
"ref": "refs/heads/main",
"rev": "b6610d70f363ecf9704352b1ef39244a816bd34f",
"revCount": 22,
"type": "git",
"url": "https://git.clerie.de/clerie/traveldrafter.git"
},
"original": {
"type": "git",
"url": "https://git.clerie.de/clerie/traveldrafter.git"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [


@@ -39,6 +39,10 @@
inputs.nixpkgs.follows = "nixpkgs";
};
fieldpoc.url = "git+https://git.clerie.de/clerie/fieldpoc.git";
mu5001tool = {
url = "git+https://git.clerie.de/clerie/mu5001tool.git";
inputs.nixpkgs.follows = "nixpkgs";
};
nixos-exporter = {
url = "git+https://git.clerie.de/clerie/nixos-exporter.git";
inputs.nixpkgs.follows = "nixpkgs";
@@ -67,11 +71,13 @@
url = "github:Mic92/ssh-to-age";
inputs.nixpkgs.follows = "nixpkgs";
};
traveldrafter = {
url = "git+https://git.clerie.de/clerie/traveldrafter.git";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = { self, nixpkgs, nixos-hardware, chaosevents, fernglas, nixos-exporter, solid-xmpp-alarm, ssh-to-age, ... }@inputs: let
lib = import ./lib inputs;
helper = lib.flake-helper;
localNixpkgs = import ./flake/nixpkgs.nix inputs;
in {
clerie.hosts = {
aluminium = {
@@ -135,14 +141,24 @@
};
overlays = {
nixfilesInputs = import ./flake/overlay.nix inputs;
clerie = import ./pkgs/overlay.nix;
default = self.overlays.clerie;
clerie-inputs = import ./flake/inputs-overlay.nix inputs;
clerie-pkgs = import ./pkgs/overlay.nix;
clerie-build-support = import ./pkgs/build-support/overlay.nix;
clerie-overrides = import ./pkgs/overrides/overlay.nix;
};
packages = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system: let
pkgs = localNixpkgs.${system};
in builtins.mapAttrs (name: value: pkgs."${name}") (import ./pkgs/pkgs.nix));
nixpkgs = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system:
lib.mkNixpkgs {
inherit system;
}
);
packages = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system:
nixpkgs.lib.genAttrs (
(builtins.attrNames (self.overlays.clerie-pkgs null null))
++ (builtins.attrNames (self.overlays.clerie-overrides null null))
) (name: self.nixpkgs."${system}"."${name}")
);
inherit lib self;
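Review bot: The new `packages` output calls `self.overlays.clerie-pkgs null null` and `self.overlays.clerie-overrides null null` only to list attribute names, which works just as long as both overlays return a literal attribute set whose keys do not depend on `final` or `prev`; an overlay written as `prev // { … }` or using `lib.optionalAttrs (prev ? foo)` would throw on `null` or silently drop names here. Pinning that assumption with a comment next to the call, e.g. `# overlays are evaluated with null final/prev to enumerate keys: their attribute names must be static`, would save the next person a confusing evaluation error. The `nixpkgs` output is then reused via `self.nixpkgs."${system}"`, so each per-system import happens once, which looks right. The enclosing `outputs` attribute set continues outside this hunk.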


@@ -10,6 +10,12 @@ let
in {
inherit (self)
packages;
extraTrackedPackages = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system:
nixpkgs.lib.genAttrs [
"hydra"
"lix"
] (name: self.nixpkgs."${system}"."${name}")
);
nixosConfigurations = buildHosts self.nixosConfigurations;
iso = self.nixosConfigurations._iso.config.system.build.isoImage;
}


@@ -5,10 +5,12 @@
, chaosevents
, harmonia
, hydra
, mu5001tool
, nurausstieg
, rainbowrss
, scan-to-gpg
, ssh-to-age
, traveldrafter
, ...
}@inputs:
final: prev: {
@@ -24,6 +26,8 @@ final: prev: {
harmonia;
inherit (hydra.packages.${final.system})
hydra;
inherit (mu5001tool.packages.${final.system})
mu5001tool;
inherit (nurausstieg.packages.${final.system})
nurausstieg;
inherit (rainbowrss.packages.${final.system})
@@ -32,4 +36,6 @@ final: prev: {
scan-to-gpg;
inherit (ssh-to-age.packages.${final.system})
ssh-to-age;
inherit (traveldrafter.packages.${final.system})
traveldrafter;
}


@@ -11,33 +11,14 @@ let
modules ? [],
}: let
localNixpkgs = nixpkgs.lib.attrByPath [ "nixpkgs-${name}" ] nixpkgs inputs;
in localNixpkgs.lib.nixosSystem {
in self.lib.nixosSystem {
system = system;
nixpkgs = localNixpkgs;
modules = modules ++ [
self.nixosModules.nixfilesInputs
self.nixosModules.clerie
self.nixosModules.profiles
({ config, lib, ... }: {
# Set hostname
networking.hostName = lib.mkDefault name;
# Apply overlays
nixpkgs.overlays = [
self.overlays.nixfilesInputs
self.overlays.clerie
];
/*
Make the contents of the flake availiable to modules.
Useful for having the monitoring server scraping the
target config from all other servers automatically.
*/
_module.args = {
inputs = inputs;
_nixfiles = self;
};
# Expose host group to monitoring
clerie.monitoring = nixpkgs.lib.attrsets.optionalAttrs (group != null) { serviceLevel = group; };
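Review bot: The removed `_module.args = { inputs = inputs; _nixfiles = self; }` block is not re-added anywhere in the new `self.lib.nixosSystem` call; unless that wrapper sets these arguments itself (the commit message for lib/nixosSystem.nix mentions modules and overlays but not `_module.args`), any module that reads `inputs` or `_nixfiles` will fail to evaluate. Worth confirming the wrapper passes both through, or keeping a `_module.args = { inherit inputs; _nixfiles = self; };` line in this inline module. Minor style: `system = system;` can be written `inherit system;`. The enclosing function starts before and continues past this hunk.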


@@ -1,17 +0,0 @@
{ self
, nixpkgs
, ...
}@inputs:
let
mkNixpkgs = { system, ... }@args:
import nixpkgs {
inherit system;
overlays = [
self.overlays.nixfilesInputs
self.overlays.clerie
];
};
in
nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system: mkNixpkgs { inherit system; })


@@ -3,9 +3,9 @@
{
imports = [
(modulesPath + "/installer/cd-dvd/installation-cd-base.nix")
../../configuration/gpg-ssh
];
profiles.clerie.gpg-ssh.enable = true;
profiles.clerie.network-fallback-dhcp.enable = true;
# systemd in initrd is broken with ISOs


@@ -4,6 +4,10 @@
imports =
[
./hardware-configuration.nix
./grafana.nix
./mu5001tool.nix
./prometheus.nix
];
profiles.clerie.network-fallback-dhcp.enable = true;
@@ -18,6 +22,16 @@
terminal_output serial
";
sops.secrets.monitoring-htpasswd = {
owner = "nginx";
group = "nginx";
};
services.nginx = {
enable = true;
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
profiles.clerie.wg-clerie = {
enable = true;
ipv6s = [ "2a01:4f8:c0c:15f1::8108/128" ];


@@ -0,0 +1,45 @@
{ config, ... }:
{
services.grafana = {
enable = true;
settings = {
server = {
domain = "grafana.astatine.net.clerie.de";
root_url = "https://grafana.astatine.net.clerie.de";
http_port = 3001;
http_addr = "::1";
};
"auth.anonymous" = {
enabled = true;
};
};
provision = {
enable = true;
datasources.settings.datasources = [
{
type = "prometheus";
name = "Prometheus";
url = "http://[::1]:9090";
isDefault = true;
}
];
};
};
services.nginx = {
virtualHosts = {
"grafana.astatine.net.clerie.de" = {
enableACME = true;
forceSSL = true;
basicAuthFile = config.sops.secrets.monitoring-htpasswd.path;
locations."/".proxyPass = "http://[::1]:3001/";
locations."= /api/live/ws" = {
proxyPass = "http://[::1]:3001";
proxyWebsockets = true;
};
};
};
};
}
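Review bot: `"auth.anonymous".enabled = true` means everyone who clears the nginx basic-auth gate lands in Grafana as one shared anonymous identity, and the org role that identity receives is left to Grafana's default rather than pinned here; set it explicitly, `"auth.anonymous".org_role = "Viewer";`, so a future default change cannot hand editor rights to every htpasswd holder. The same `monitoring-htpasswd` file also guards the Prometheus vhost added in this commit, so one credential grants both dashboards and raw query access — acceptable for a single operator, but worth a comment next to the `basicAuthFile` line. With Grafana bound to `::1` and all traffic arriving through nginx, `server.http_addr` is the only thing keeping the anonymous instance off the network, so it deserves a `# loopback only: auth is enforced by the nginx vhost` comment.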


@@ -0,0 +1,18 @@
{ config, pkgs, lib, ... }:
{
systemd.services."mu5001tool" = {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
DynamicUser = true;
LoadCredential = "zte-hypermobile-5g-password:${config.sops.secrets."zte-hypermobile-5g-password".path}";
Restart = "on-failure";
RestartSec = "15s";
};
script = ''
${lib.getExe pkgs.mu5001tool} --password-file ''${CREDENTIALS_DIRECTORY}/zte-hypermobile-5g-password prometheus-exporter --listen-port 9242
'';
};
}
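Review bot: The exporter is started with only `--listen-port 9242`, so its bind address is whatever mu5001tool defaults to; Prometheus scrapes `[::1]:9242`, but if that default is all interfaces the unauthenticated modem-stats endpoint becomes reachable on every interface the host firewall does not filter, which on this host plausibly includes the VPN interfaces configured elsewhere. If the tool offers a listen-address option, pass loopback explicitly; otherwise leave a comment such as `# exporter binds loopback by default; only Prometheus on ::1 reads it` so the assumption is visible. The unit already drops privileges through `DynamicUser`; adding `ProtectSystem = "strict"; ProtectHome = true;` is cheap here because the script needs only the credentials directory and the network.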


@@ -0,0 +1,46 @@
{ config, ... }:
{
services.prometheus = {
enable = true;
enableReload = true;
listenAddress = "[::1]";
scrapeConfigs = [
{
job_name = "prometheus";
scrape_interval = "20s";
scheme = "http";
static_configs = [
{
targets = [
"[::1]:9090"
];
}
];
}
{
job_name = "mu5001tool";
scrape_interval = "20s";
static_configs = [
{
targets = [
"[::1]:9242"
];
}
];
}
];
};
services.nginx = {
virtualHosts = {
"prometheus.astatine.net.clerie.de" = {
enableACME = true;
forceSSL = true;
basicAuthFile = config.sops.secrets.monitoring-htpasswd.path;
locations."/".proxyPass = "http://[::1]:9090/";
};
};
};
}


@@ -1,19 +1,17 @@
{
"wg-clerie": "ENC[AES256_GCM,data:DbchcO6GTmSFyoHrRAkfu2flaKYrQHPk+rIerekYO4Cto9sqaWLgaSigpS8=,iv:no1xNRVqsKzAN6ssYA0Ir+utOM9tg8OBUT9PY2v0HPA=,tag:lZj1wEPFWHaf52N7YHEQKQ==,type:str]",
"wg-monitoring": "ENC[AES256_GCM,data:dTKKeieaGvECkHUpATLorhOgr9Re5CAH25y1WTcSqJZDsvnwD4CBbqMv2QQ=,iv:u1n1wyAW5aNcVYfGN8BmrEhIhtA3EfRDBNu65IdBZMI=,tag:RJYgOpel9uy6dC72MmqS5A==,type:str]",
"monitoring-htpasswd": "ENC[AES256_GCM,data:0uQ+Gwedi9kTaOzrwVzkNkS9qL0Dwmph1leK2sj/TndfSn3yaq7ur7ZHoPjWUl5Oy1poxU2rIUxWHajYC0n3yHv2AuGT,iv:FyH4MHcgW5iHkAsahNFtshnqqPOMlukg8aYfhcN9onw=,tag:q3BsnyKLrKYi/xDP6GmSkA==,type:str]",
"zte-hypermobile-5g-password": "ENC[AES256_GCM,data:lqxQICmWYwMejn8=,iv:TPYOs/cL/ETw7Ee0+YG/+Fhd7ASi0kr4rDLEiste+2Y=,tag:6O6AXIHkIjPm7hJVC4Y/1g==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1fffvnazdv3ys9ww8v4g832hv5nkvnk6d728syerzvpgskfmfkq8q00whpv",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMQUF5dkRwdXRmUkJ1SXN5\nLzdOVkhWYUJGdFd4Qklsa1BXeVZlTGx0eDE0ClZmYWNLMEVzaVVXWGkwQUt5ZHF5\nS1c5OU9PWjBTelM5R2phNFdVNncxUUkKLS0tIDlwSXFyZWNVT1dtdGU5dVFSRHNE\nUUpJZHJZRTd6TnBUU2dCWW90UTRVb0UKCWrHWmQTNhez16wgEKj4EQA4+UBRmGQn\n+NHSjBCMBmmTdHb05nENYVK515Z0T/60+9N3VlNyHWS9IgC3mZRUBg==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2024-04-21T16:03:13Z",
"mac": "ENC[AES256_GCM,data:fA8fhOZbX30TYgwZXB7sQDNmck0JRDyAnEXf5nCYtli/Qvs78fTs4DdC08VOpOni8uAVARkFsGSo6Fjo/MpTSDVA8VNYZig/we/bWF+LQlEMCmiqwOI1R6eQ3GPxcRXltlO2aPPlT9BpLwIVZjGGjIsmjpVE8xjkCbLUUqj+UxY=,iv:fHLyw96QLVRrAQky2kR7TDDxf8CNXDV9lVQ5RETzJEI=,tag:y+cG9u3d6vCUmPyNMDRWpA==,type:str]",
"lastmodified": "2025-09-08T21:03:41Z",
"mac": "ENC[AES256_GCM,data:ztS/Z6mn8hFAPsks2evJRJFocw/3oz22O2HeSEkY7Mu+bfNvClsJuvuTbnDadB0IwKiLDFWRMGs/UPFmNP6J/euro4cFHDWXopdXg7eDFGDoJDKIg4fBUtofdXIqWvDoQ9LeZNvc5Z4EEQYhs3LwFnAU0x15acwIIxr5TB9l8g8=,iv:WVjavmcrEs2CyYTfoTTP44c9TqFubUdE+PBN2jRPR+s=,tag:fBXzU69Q9MwD3o/Nyu5OZA==,type:str]",
"pgp": [
{
"created_at": "2024-04-21T16:02:41Z",


@@ -6,18 +6,14 @@
./hardware-configuration.nix
./dns.nix
./mdns.nix
./ds-lite-ncfttb.nix
./net-dsl.nix
./net-gastnetz.nix
./net-heimnetz.nix
./net-iot.nix
./net-lte.nix
./net-mgmt.nix
./net-printer.nix
./net-voip.nix
./ntp.nix
./ppp.nix
./scan-to-gpg.nix
./ppp-ncfttb.nix
./wg-clerie.nix
];
@@ -36,14 +32,6 @@
networking.useDHCP = false;
networking.nat = {
enableIPv6 = true;
enable = true;
externalInterface = "ppp-dtagdsl";
internalIPv6s = [ "fd00:152:152::/48" "fd00:3214:9453:4920::/64"];
internalIPs = [ "10.152.0.0/16" "192.168.32.0/24" ];
};
services.radvd.enable = true;
services.kea.dhcp4 = {
@@ -63,10 +51,10 @@
systemd.services.kea-dhcp4-server = {
after = [
"network-setup.service"
"network.target"
];
requires = [
"network-setup.service"
wants = [
"network.target"
];
};

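--- /dev/null
+++ b/hosts/carbon/ds-lite-ncfttb.nix
@@ -0,0 +1,18 @@
+{ ... }:
+{
+profiles.clerie.ds-lite = {
+enable = true;
+wanInterfaceName = "ppp-ncfttb";
+tunnelInterfaceName = "ds-lite-ncfttb";
+lanInterfaces = [
+{
+name = "enp2s0";
+sla_id = 201;
+prefix_len = 64;
+}
+];
+};
+}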

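--- a/hosts/carbon/mdns.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{ pkgs, ... }:
-{
-services.avahi = {
-enable = true;
-nssmdns4 = true;
-allowInterfaces = [
-"net-heimnetz"
-"net-iot"
-];
-reflector = true;
-};
-}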


@@ -3,17 +3,9 @@
{
## DSL-Uplink
networking.vlans."enp1s0.7" = {
id = 7;
interface = "enp1s0";
};
networking.vlans."enp3s0.7" = {
id = 7;
networking.vlans."enp3s0.10" = {
id = 10;
interface = "enp3s0";
};
networking.bridges."net-dsl".interfaces = [
"enp1s0.7"
"enp3s0.7"
];
}

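--- a/hosts/carbon/net-gastnetz.nix
+++ /dev/null
@@ -1,69 +0,0 @@
-{ ... }:
-{
-## Gastnetz
-networking.vlans."enp1s0.202" = {
-id = 202;
-interface = "enp1s0";
-};
-networking.bridges."net-gastnetz".interfaces = [
-"enp1s0.202"
-];
-networking.interfaces."net-gastnetz".ipv6.addresses = [
-{ address = "fd00:3214:9453:4920::1"; prefixLength = 64; }
-];
-networking.interfaces."net-gastnetz".ipv4.addresses = [
-{ address = "192.168.32.1"; prefixLength = 24; }
-];
-services.radvd.config = ''
-interface net-gastnetz {
-AdvSendAdvert on;
-MaxRtrAdvInterval 30;
-prefix ::/64 {
-AdvValidLifetime 300;
-AdvPreferredLifetime 120;
-};
-RDNSS 2620:fe::fe 2620:fe::9 {}; # Quad 9
-};
-'';
-services.kea.dhcp4 = {
-settings = {
-interfaces-config = {
-interfaces = [ "net-gastnetz" ];
-};
-subnet4 = [
-# Gastnetz
-{
-id = 202;
-subnet = "192.168.32.0/24";
-pools = [
-{
-pool = "192.168.32.100 - 192.168.32.240";
-}
-];
-option-data = [
-{
-name = "routers";
-data = "192.168.32.1";
-}
-{
-name = "domain-name-servers";
-data = "9.9.9.9,149.112.112.112"; # Quad 9
-}
-];
-}
-];
-};
-};
-# net-gastnetz can only access internet
-clerie.firewall.extraForwardFilterCommands = ''
-ip46tables -A forward-filter -i net-gastnetz -o ppp-dtagdsl -j ACCEPT
-ip46tables -A forward-filter -i net-gastnetz -j DROP
-ip46tables -A forward-filter -o net-gastnetz -j DROP
-'';
-}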


@@ -3,24 +3,16 @@
{
## Heimnetz
networking.vlans."enp1s0.201" = {
id = 201;
interface = "enp1s0";
};
networking.bridges."net-heimnetz".interfaces = [
"enp1s0.201"
"enp2s0"
];
networking.interfaces."net-heimnetz".ipv6.addresses = [
networking.interfaces."enp2s0".ipv6.addresses = [
{ address = "fe80::1"; prefixLength = 64; }
{ address = "fd00:152:152:4::1"; prefixLength = 64; }
];
networking.interfaces."net-heimnetz".ipv4.addresses = [
networking.interfaces."enp2s0".ipv4.addresses = [
{ address = "10.152.4.1"; prefixLength = 24; }
];
services.radvd.config = ''
interface net-heimnetz {
interface enp2s0 {
AdvSendAdvert on;
MaxRtrAdvInterval 30;
prefix ::/64 {
@@ -35,7 +27,7 @@
services.kea.dhcp4 = {
settings = {
interfaces-config = {
interfaces = [ "net-heimnetz" ];
interfaces = [ "enp2s0" ];
};
subnet4 = [
# Heimnetz


@@ -6,22 +6,19 @@
id = 205;
interface = "enp1s0";
};
networking.bridges."net-iot".interfaces = [
"enp1s0.205"
];
networking.interfaces."net-iot".ipv6.addresses = [
networking.interfaces."enp1s0.205".ipv6.addresses = [
{ address = "fe80::1"; prefixLength = 64; }
{ address = "fd00:152:152:205::1"; prefixLength = 64; }
];
networking.interfaces."net-iot".ipv4.addresses = [
networking.interfaces."enp1s0.205".ipv4.addresses = [
{ address = "10.152.205.1"; prefixLength = 24; }
];
# Enable NTP
networking.firewall.interfaces."net-iot".allowedUDPPorts = [ 123 ];
networking.firewall.interfaces."enp1s0.205".allowedUDPPorts = [ 123 ];
services.radvd.config = ''
interface net-iot {
interface enp1s0.205 {
AdvSendAdvert on;
MaxRtrAdvInterval 30;
prefix ::/64 {
@@ -36,7 +33,7 @@
services.kea.dhcp4 = {
settings = {
interfaces-config = {
interfaces = [ "net-iot" ];
interfaces = [ "enp1s0.205" ];
};
subnet4 = [
{
@@ -72,9 +69,9 @@
clerie.firewall.extraForwardFilterCommands = ''
# Allow access from Heimnetz to IOT devices
ip46tables -A forward-filter -i net-heimnetz -o net-iot -j ACCEPT
ip46tables -A forward-filter -i net-iot -j DROP
ip46tables -A forward-filter -o net-iot -j DROP
ip46tables -A forward-filter -i enp2s0 -o enp1s0.205 -j ACCEPT
ip46tables -A forward-filter -i enp1s0.205 -j DROP
ip46tables -A forward-filter -o enp1s0.205 -j DROP
'';
}

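--- a/hosts/carbon/net-lte.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{ ... }:
-{
-## LTE-Uplink
-networking.vlans."enp1s0.102" = {
-id = 102;
-interface = "enp1s0";
-};
-}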


@@ -6,19 +6,16 @@
id = 203;
interface = "enp1s0";
};
networking.bridges."net-mgmt".interfaces = [
"enp1s0.203"
];
networking.interfaces."net-mgmt".ipv6.addresses = [
networking.interfaces."enp1s0.203".ipv6.addresses = [
{ address = "fe80::1"; prefixLength = 64; }
{ address = "fd00:152:152:203::1"; prefixLength = 64; }
];
networking.interfaces."net-mgmt".ipv4.addresses = [
networking.interfaces."enp1s0.203".ipv4.addresses = [
{ address = "10.152.203.1"; prefixLength = 24; }
];
services.radvd.config = ''
interface net-mgmt {
interface enp1s0.203 {
AdvSendAdvert on;
MaxRtrAdvInterval 30;
prefix ::/64 {
@@ -31,7 +28,7 @@
services.kea.dhcp4 = {
settings = {
interfaces-config = {
interfaces = [ "net-mgmt" ];
interfaces = [ "enp1s0.203" ];
};
subnet4 = [
{
@@ -55,9 +52,9 @@
clerie.firewall.extraForwardFilterCommands = ''
# Allow access from Heimnetz to MGMT network
ip46tables -A forward-filter -i net-heimnetz -o net-mgmt -j ACCEPT
ip46tables -A forward-filter -i net-mgmt -j DROP
ip46tables -A forward-filter -o net-mgmt -j DROP
ip46tables -A forward-filter -i enp2s0 -o enp1s0.203 -j ACCEPT
ip46tables -A forward-filter -i enp1s0.203 -j DROP
ip46tables -A forward-filter -o enp1s0.203 -j DROP
'';
}


@@ -5,17 +5,14 @@
id = 206;
interface = "enp1s0";
};
networking.bridges."net-printer".interfaces = [
"enp1s0.206"
];
networking.interfaces."net-printer".ipv4.addresses = [
networking.interfaces."enp1s0.206".ipv4.addresses = [
{ address = "10.152.206.1"; prefixLength = 24; }
];
services.kea.dhcp4 = {
settings = {
interfaces-config = {
interfaces = [ "net-printer" ];
interfaces = [ "enp1s0.206" ];
};
subnet4 = [
{
@@ -37,15 +34,11 @@
};
};
# Enable scan-to-gpg
networking.firewall.interfaces."net-printer".allowedTCPPorts = [ 2121 ];
networking.firewall.interfaces."net-printer".allowedTCPPortRanges = [ { from = 2130; to = 2134; } ];
clerie.firewall.extraForwardFilterCommands = ''
# Allow access from Heimnetz to printer
ip46tables -A forward-filter -i net-heimnetz -o net-printer -j ACCEPT
ip46tables -A forward-filter -i net-printer -j DROP
ip46tables -A forward-filter -o net-printer -j DROP
ip46tables -A forward-filter -i enp2s0 -o enp1s0.206 -j ACCEPT
ip46tables -A forward-filter -i enp1s0.206 -j DROP
ip46tables -A forward-filter -o enp1s0.206 -j DROP
'';
}

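--- a/hosts/carbon/net-voip.nix
+++ /dev/null
@@ -1,105 +0,0 @@
-{ ... }:
-{
-## VoIP
-networking.vlans."enp1s0.204" = {
-id = 204;
-interface = "enp1s0";
-};
-networking.interfaces."enp1s0.204".ipv4.addresses = [
-{ address = "10.152.33.1"; prefixLength = 24; }
-];
-services.kea.dhcp4 = {
-settings = {
-interfaces-config = {
-interfaces = [ "enp1s0.204" ];
-};
-option-def = [
-{
-space = "dhcp4";
-name = "vendor-encapsulated-options";
-code = 43;
-type = "empty";
-encapsulate = "sipdect";
-}
-{
-space = "sipdect";
-name = "ommip1";
-code = 10;
-type = "ipv4-address";
-}
-{
-space = "sipdect";
-name = "ommip2";
-code = 19;
-type = "ipv4-address";
-}
-{
-space = "sipdect";
-name = "syslogip";
-code = 14;
-type = "ipv4-address";
-}
-{
-space = "sipdect";
-name = "syslogport";
-code = 15;
-type = "int16";
-}
-{
-space = "dhcp4";
-name = "magic_str";
-code = 224;
-type = "string";
-}
-];
-subnet4 = [
-# VoIP
-{
-id = 204;
-subnet = "10.152.33.0/24";
-pools = [
-{
-pool = "10.152.33.10 - 10.152.33.200";
-}
-];
-option-data = [
-{
-name = "routers";
-data = "10.152.33.1";
-}
-];
-reservations = [
-{
-hostname = "iridium";
-hw-address = "00:30:42:1B:8C:7C";
-ip-address = "10.152.33.11";
-option-data = [
-{
-name = "host-name";
-data = "iridium";
-}
-{
-name = "vendor-encapsulated-options";
-}
-{
-space = "sipdect";
-name = "ommip1";
-data = "10.152.33.11";
-}
-{
-name = "magic_str";
-data = "OpenMobilitySIP-DECT";
-}
-];
-}
-];
-}
-];
-};
-};
-}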

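--- /dev/null
+++ b/hosts/carbon/ppp-ncfttb.nix
@@ -0,0 +1,109 @@
+{ config, pkgs, lib, ... }:
+{
+services.pppd = {
+enable = true;
+peers.ncfttb = {
+config = ''
+plugin pppoe.so enp3s0.10
+user "''${PPPD_NETCOLOGNE_USERNAME}"
+ifname ppp-ncfttb
+persist
+maxfail 0
+holdoff 5
+noipdefault
+lcp-echo-interval 20
+lcp-echo-failure 3
+mtu 1492
+hide-password
+defaultroute
++ipv6
+debug
+'';
+};
+};
+environment.etc."ppp/peers/ncfttb".enable = false;
+systemd.services."pppd-ncfttb".serviceConfig = let
+preStart = ''
+mkdir -p /etc/ppp/peers
+# Created files only readable by root
+umask u=rw,g=,o=
+# Copy config and substitute username
+rm -f /etc/ppp/peers/ncfttb
+${pkgs.envsubst}/bin/envsubst -i "${config.environment.etc."ppp/peers/ncfttb".source}" > /etc/ppp/peers/ncfttb
+# Copy login secrets
+rm -f /etc/ppp/pap-secrets
+cat ${config.sops.secrets.pppd-ncfttb-secrets.path} > /etc/ppp/pap-secrets
+rm -f /etc/ppp/chap-secrets
+cat ${config.sops.secrets.pppd-ncfttb-secrets.path} > /etc/ppp/chap-secrets
+'';
+preStartFile = pkgs.writeShellApplication {
+name = "pppd-ncfttb-pre-start";
+text = preStart;
+};
+in {
+EnvironmentFile = config.sops.secrets.pppd-ncfttb-username.path;
+ExecStartPre = [
+# "+" marks script to be executed without priviledge restrictions
+"+${lib.getExe preStartFile}"
+];
+};
+environment.etc."ppp/ipv6-up" = {
+text = ''
+#! ${pkgs.runtimeShell} -e
+${pkgs.systemd}/bin/systemctl restart --no-block "ppp-setup-interface-queues@''${IFNAME}.service"
+${pkgs.systemd}/bin/systemctl restart --no-block ds-lite-dhcpcd.service
+'';
+mode = "555";
+};
+systemd.services."ppp-setup-interface-queues@".serviceConfig = let
+setup-interface-queues = pkgs.clerie-build-support.writePythonScript {
+name = "setup-interface-queues";
+text = ''
+import multiprocessing
+from pathlib import Path
+import sys
+interface_name = sys.argv[1]
+print(f"New ppp interface: {interface_name}")
+num_cpus = multiprocessing.cpu_count()
+print(f"Detected {num_cpus} cpus")
+bitmask = "1" * num_cpus
+hexmask = "{:x}".format(int(bitmask, 2))
+rps_cpus = Path(f"/sys/class/net/{interface_name}/queues/rx-0/rps_cpus")
+rps_cpus.write_text(hexmask)
+print(f"Wrote hexmask {hexmask} to {rps_cpus}")
+'';
+};
+in {
+Type = "oneshot";
+ExecStart = "${lib.getExe setup-interface-queues} %i";
+};
+clerie.firewall.extraForwardMangleCommands = ''
+ip46tables -t mangle -A forward-mangle -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+'';
+networking.firewall.extraCommands = ''
+# Reject all IPv4 traffic that tries to enter and leave the PPP tunnel
+iptables -I INPUT -i ppp-ncfttb -j DROP
+iptables -I OUTPUT -o ppp-ncfttb -j DROP
+'';
+}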
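Review bot: The comment on the `networking.firewall.extraCommands` block says all IPv4 through the PPP tunnel is rejected, but the two rules cover only `INPUT` and `OUTPUT`; forwarded LAN traffic is untouched, and because the peer config still carries `defaultroute` without `noip`, pppd can negotiate IPCP and install an IPv4 default route over `ppp-ncfttb` that competes with the DS-Lite tunnel for the LAN's outbound IPv4. Either disable IPv4 at the PPP layer with `noip` in the peer config (if the provider's PPPoE tolerates a rejected IPCP), or add `iptables -I FORWARD -i ppp-ncfttb -j DROP` and `iptables -I FORWARD -o ppp-ncfttb -j DROP` beside the existing rules; in either case the comment should say "Drop", since that is what the rules do. The `rps_cpus` writer builds one bare hex mask from the CPU count, and the sysfs parser expects comma-separated 32-bit words above 32 CPUs — unlikely on this router, but a `# assumes <= 32 cpus` comment would save the next reader a trip to the kernel docs.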

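--- a/hosts/carbon/ppp.nix
+++ /dev/null
@@ -1,63 +0,0 @@
-{ config, pkgs, lib, ... }:
-{
-services.pppd = {
-enable = true;
-peers.dtagdsl = {
-config = ''
-plugin pppoe.so net-dsl
-user "''${PPPD_DTAGDSL_USERNAME}"
-ifname ppp-dtagdsl
-persist
-maxfail 0
-holdoff 5
-noipdefault
-lcp-echo-interval 20
-lcp-echo-failure 3
-mtu 1492
-hide-password
-defaultroute
-+ipv6
-debug
-'';
-};
-};
-environment.etc."ppp/peers/dtagdsl".enable = false;
-systemd.services."pppd-dtagdsl".serviceConfig = let
-preStart = ''
-mkdir -p /etc/ppp/peers
-# Created files only readable by root
-umask u=rw,g=,o=
-# Copy config and substitute username
-rm -f /etc/ppp/peers/dtagdsl
-${pkgs.envsubst}/bin/envsubst -i "${config.environment.etc."ppp/peers/dtagdsl".source}" > /etc/ppp/peers/dtagdsl
-# Copy login secrets
-rm -f /etc/ppp/pap-secrets
-cat ${config.sops.secrets.pppd-dtagdsl-secrets.path} > /etc/ppp/pap-secrets
-rm -f /etc/ppp/chap-secrets
-cat ${config.sops.secrets.pppd-dtagdsl-secrets.path} > /etc/ppp/chap-secrets
-'';
-preStartFile = pkgs.writeShellApplication {
-name = "pppd-dtagdsl-pre-start";
-text = preStart;
-};
-in {
-EnvironmentFile = config.sops.secrets.pppd-dtagdsl-username.path;
-ExecStartPre = [
-# "+" marks script to be executed without priviledge restrictions
-"+${lib.getExe preStartFile}"
-];
-};
-clerie.firewall.extraForwardMangleCommands = ''
-ip46tables -t mangle -A forward-mangle -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-'';
-}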

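--- a/hosts/carbon/scan-to-gpg.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{ pkgs, ... }:
-{
-services.scan-to-gpg = {
-enable = true;
-gpgkey = "${pkgs.clerie-keys}/gpg/clerie@clerie.de.asc";
-};
-users.users."clerie".extraGroups = [ "scan-to-gpg" ];
-}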


@@ -1,21 +1,17 @@
{
"wg-monitoring": "ENC[AES256_GCM,data:+k5MgBrj/psMCE1T2jDtCCJI9Q7L+wJ3j83inNkeGp3LSUjoAPtBp4YoyL4=,iv:C19g/Lqi+cWAyiJBMNDtgLc3SDNI9bMBrBPWn+26mVY=,tag:9zIoawuGeGCMbOX1HKR/sQ==,type:str]",
"pppd-dtagdsl-username": "ENC[AES256_GCM,data:JC7EyyMoN0p5YwnS9W5I0G5Omhk5usw28UiJrCfifGr+2FUgMrtFYAHQdrtWAELvYNBQDPgrHMmQjGQLhpqqK0hH,iv:/q+Fm63GVBApGInyS8i39V/lo6iv+I2omVh47deq+o8=,tag:LkR+1zTDNWuYkhH2iWT7SA==,type:str]",
"pppd-dtagdsl-secrets": "ENC[AES256_GCM,data:c5pOb8It1py/9NXNTgLvt9zmsBVbSLHJt4iXWiNA+Osvomw3r7pgoO/JJh9ujomPMnOlDwN7g+pJ,iv:W36gA8E1mWchN6+8hdMdt2epv/RdS91T5ANB/JTcHCE=,tag:7eZ3fZkjERCVJCXYrABnlQ==,type:str]",
"pppd-ncfttb-username": "ENC[AES256_GCM,data:vyOCNm23xsD3Kj+R7zqnBjH4jEIfYpx/YUUGPcVzqMs9pnFEembahtFTl2sNzOFXLfYCYg==,iv:gMfi/6jldkXCnfdvhu5X1VKj58sVsPR8IX8iEECPfgk=,tag:PJGyIASP6RPAdVULEnn+Gg==,type:str]",
"pppd-ncfttb-secrets": "ENC[AES256_GCM,data:IEAguET78vdzRo47UvxbDdz+kKgYWVxYakPPu5rNAZ4BCui7DUG3qm2X9bBdHSMA,iv:Q8D58HXkCoVbqwFoYk+dizXNcEP1J63uMaDSNEzfg2g=,tag:R/xG3owmbVDOLM79sfBQjA==,type:str]",
"wg-clerie": "ENC[AES256_GCM,data:OEZg8ZoLAdVhKkvB0ai13ID3gPnVUU/xkOjZ4KiJ9MnRbcFu5HBd7Nw6iNwh,iv:edPuaehya2ZvYKkiBqNUbXVDAxAT6yNgETnWtd6it94=,tag:cX12szdQfAcC6cij6zk6Dw==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age16mln27e2p58gu6dpxfclttmuzfnq39mv62kthjpps33g3nl3scfq449857",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3Rkd5WFE3aE5EQzY5ZXV4\nbXVGYmxTdVg1ekRpVjlRUnozY2tMTGloL21RCktjZW95OU9ZZ2owTCtMR1NxaXJn\na2VYS2ttb3VhSjNXOG84UUJtYU04QjAKLS0tIGd3aHM0RldFYnVFdDRVS0Vhc3BF\nckJhYmN6a1FJUC9ibks1cGlRaU1zbFkKE4ClunQ3XGAILwluC6iYFs+rlR02PdhK\njOmPbOlS0aNG0hoC7Z6aetgpj689AkJgl68QVcyvm+ecHH7TOT7l1A==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2024-08-13T14:06:43Z",
"mac": "ENC[AES256_GCM,data:yGKY0fi3KQWGHBeyNtQ8EJ6561dKRZ5aAjO9zq3odDtX75i2RSjORIlNjBsVvegBzeo8AkwwnzxNPt2sHl6MKDZfEsysWAi8Wolh4UvHk087AnR/uKvtG6t4uUaNIWej2DEzxUtTQ8QP1afsdqGCf0vZVruNcJ4u2xiQbN2vJPc=,iv:CDXJ5/P+h0Enq/0EL1su1Mw55FVYLy4XPSoUCkRkt+U=,tag:AvRfEDYMBunyIQIVCPbXag==,type:str]",
"lastmodified": "2025-10-24T19:16:49Z",
"mac": "ENC[AES256_GCM,data:ADhCQ7JxrEq+5ssevuuQVf3uyHcrcNVSzdT8bkFfDFVEE1hKv8q9QsGxhIaKtv4N2gt079fy0YA+WFKH6H8zWb5ONepH4H/mAek2SYgAtmVsxwdWY13zswsJUPi2CfbaCWOqppb9IiDb8+RCbzY2u/8Qqwk8gx/0uw2hr3IJrhM=,iv:c1/TS+W4pQgh2oPT77LX+dUL929YppRYdZCmMl2yN+M=,tag:fTk1sxdeT9xFjDMhqiHZAg==,type:str]",
"pgp": [
{
"created_at": "2024-05-10T13:05:56Z",
@@ -24,6 +20,6 @@
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.8.1"
"version": "3.10.2"
}
}


@@ -1,10 +1,10 @@
{ ... }:
{
services.wg-clerie = {
enable = true;
ipv6s = [ "2a01:4f8:c0c:15f1::8111/128" ];
ipv4s = [ "10.20.30.111/32" ];
defaultViaVPN = false;
};
# services.wg-clerie = {
# enable = true;
# ipv6s = [ "2a01:4f8:c0c:15f1::8111/128" ];
# ipv4s = [ "10.20.30.111/32" ];
# defaultViaVPN = false;
# };
}


@@ -5,6 +5,7 @@
[
./hardware-configuration.nix
./replication.nix
./restic-server.nix
];
@@ -36,25 +37,6 @@
};
};
# fix borgbackup primary grouping
users.users.borg.group = "borg";
services.borgbackup.jobs = {
backup-replication-hetzner = {
paths = [
"/mnt/clerie-backup"
];
doInit = true;
repo = "u275370-sub2@u275370.your-storagebox.de:./clerie-backup/" ;
encryption = {
mode = "none";
};
environment = { BORG_RSH = "ssh -p 23 -i /var/src/secrets/ssh/borg-backup-replication-hetzner"; };
compression = "auto,lzma";
startAt = "*-*-* 04:07:00";
};
};
clerie.monitoring = {
enable = true;
id = "204";


@@ -0,0 +1,23 @@
{ lib, ... }:
with lib;
{
clerie.backup = {
enable = true;
targets = mkForce {
hetzner-storage-box = {
serverUrl = "sftp://u275370-sub2@u275370.your-storagebox.de:23";
sshKeyFile = "/var/src/secrets/ssh/borg-backup-replication-hetzner";
};
};
jobs.replication = {
paths = [
"/mnt/clerie-backup/cyan"
];
exclude = [
"/mnt/clerie-backup/cyan/.htpasswd"
];
};
};
}
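Review bot: `sshKeyFile` points at `/var/src/secrets/ssh/...`, a path managed outside the sops files the rest of this commit uses, and nothing visible pins the storage box's SSH host key — if `clerie.backup` does not ship a known_hosts entry, the first SFTP connection trusts whatever key the server presents. Consider moving the key into sops (the `clerie-backup-job-replication` secret in the same host already lives there) and stating where host-key verification happens, e.g. `# host key for your-storagebox.de is pinned in the clerie.backup module`. Excluding `.htpasswd` from the replicated tree is a good catch; the `mkForce` on `targets` silently discards any targets defined elsewhere, so a one-line comment confirming that is intended would help.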


@@ -1,19 +1,16 @@
{
"clerie-backup-job-replication": "ENC[AES256_GCM,data:J9zWkW1xGUiK73M=,iv:0PCJW1qrOMlX0Twy2HXGmqFzyXknE4dVdpJnnEbW36U=,tag:yxIdsqMHZgHLUIN+JCcZ6A==,type:str]",
"restic-server-cyan-htpasswd": "ENC[AES256_GCM,data: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,iv:Gfg3t3YPw2hz0LJ5hovPftMYOADN2Xjc93VmT2fFVQI=,tag:k6KH4qDPrFYIU2PGgW3F9Q==,type:str]",
"wg-monitoring": "ENC[AES256_GCM,data:rOpBlDt9K//zlgWo1Bw9IX5jmpLbnit5zi60Ulz8f6tHwqVsKJv5NkxYc9A=,iv:Jlo0QZP6R1CEE20iLa7M/LV/ZX2/33oMv/FzBBo6nvY=,tag:Ttqo7BKd6RuUiMksW6rZnw==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1px682xeu0xfkr49qdqe95er040p2vv3ugekk04e36jj2wqs7tyfs8mhclh",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0UCtUZ3NZQWxOK1FUNDhL\nbWhaanN2OEJIVmpMOURzWU1vcGhuODdtcDJnCm9Nb01NaVVpWDJ6Q3JCbXRkRUJP\nUVdFaGVScUdxRnlpSnRNOG1RalNRaFUKLS0tICs0cW1WR0JMUmdaVWVzdTh2bjFm\nenBzaERpb1hCS1E3TUo3cmxpZFUxWmcKcLL5/YTGyZEVLwHSpbEI5XfWGklkI7h+\n0uhCww8Wh23EpUYFslZ0Nnbf5HX5/Z34qBwf20cvN8eLToTAQvTdeg==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-02-16T18:13:34Z",
"mac": "ENC[AES256_GCM,data:io2WVxTxHSlxrk7JaN6/fUI7YotvPfgbXTD1lEf1tN7QhuGRH/iZrji/VQlhJ8tk2dAS1Pe0rsTuxCMXcXcxRIh4EYbQky5IZj5jpfPcslQOquTcXzmPYdijPUWSqu6leGc0GG/7KccjSFD8TfwAgeuVrc2Br57yfqKoPf+M0fY=,iv:iYp73PrFnLZoI9014mbqQQERhFtfhb5YmzV6HiUi+YM=,tag:2AZEzhVVdEos5FLkg8cr5w==,type:str]",
"lastmodified": "2025-11-16T16:13:47Z",
"mac": "ENC[AES256_GCM,data:ksW2wq/EWTi9dKppGhEheVQ74G6riy1asiDmdsC78bfeAJHTbXqlni5u11DIbo67sdpZE+xXJiB1woLEcG0B4wS92r5MIWhQrul+ot95UnwVFceYLkO4KLxgOjlJzgHKuWq/ccOoKnucd/vmagQ5E/4ubBXMOHvHVLL4dNYOsDo=,iv:unLO6F/b1mAIefWfvD0PW840pTWUULgwJSl6mh637q4=,tag:0dlOFTAmLZc7oXJ25SeH1A==,type:str]",
"pgp": [
{
"created_at": "2024-05-05T12:12:27Z",
@@ -22,6 +19,6 @@
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.8.1"
"version": "3.11.0"
}
}


@@ -4,6 +4,8 @@
imports =
[
./hardware-configuration.nix
./documentation.nix
];
profiles.clerie.mercury-vm.enable = true;
@@ -41,6 +43,28 @@
networking.wireguard.enable = true;
networking.wireguard.interfaces = {
# dn42-router-general-wireguard-key public key:
# r38qvXqu26x4f6yUGxg44Ji4db/g2HK7RZwG7Boh+38=
# darkpoint
wg0150 = {
ips = [
"fe80::2574/128"
];
postSetup = ''
ip addr replace dev wg0150 fe80::2574/128 peer fe80::150/128
'';
listenPort = 50150;
allowedIPsAsRoutes = false;
peers = [
{
allowedIPs = [ "fe80::/10" "fd00::/8" ];
endpoint = "fra.darkpoint.xyz:22574";
publicKey = "nfoxTtmJdBdxNR3TmfVLG13KA5E+ZtU+uIGCegxrxxw=";
}
];
privateKeyFile = config.sops.secrets.dn42-router-general-wireguard-key.path;
};
# e1mo
wg0565 = {
ips = [
@@ -62,6 +86,45 @@
];
privateKeyFile = config.sops.secrets.wg0565.path;
};
# pilz
wg0663 = {
ips = [
"fe80::1111/128"
];
postSetup = ''
ip addr replace dev wg0663 fe80::1111/128 peer fe80::acab/128
'';
listenPort = 50663;
allowedIPsAsRoutes = false;
peers = [
{
allowedIPs = [ "fe80::/10" "fd00::/8" ];
endpoint = "dn42.ams1.as214958.net:163";
publicKey = "NxHkdwZPVL+3HdrHTFOslUpUckTf0dzEG9qpZ0FTBnA=";
}
];
privateKeyFile = config.sops.secrets.dn42-router-general-wireguard-key.path;
};
# prefixlabs
# https://prefixlabs.net/
wg1240 = {
ips = [
"fe80::2574/128"
];
postSetup = ''
ip addr replace dev wg1240 fe80::2574/128 peer fe80::1240:11/128
'';
listenPort = 51240;
allowedIPsAsRoutes = false;
peers = [
{
allowedIPs = [ "fe80::/10" "fd00::/8" ];
endpoint = "de-01.prefixlabs.net:22574";
publicKey = "ixeEBfac1BXpjNKbxcgL6Beg9HTgtmq6CjHIfMwNSDw=";
}
];
privateKeyFile = config.sops.secrets.wg1240.path;
};
# fooker
wg1271 = {
ips = [
@@ -120,6 +183,85 @@
];
privateKeyFile = config.sops.secrets.wg1280.path;
};
# c4tg1rl5
# https://catgirls.systems/peering/
wg1411 = {
ips = [
"fe80::2574/128"
];
postSetup = ''
ip addr replace dev wg1411 fe80::2574/128 peer fe80::1411/128
'';
listenPort = 51411;
allowedIPsAsRoutes = false;
peers = [
#{
# allowedIPs = [ "fe80::/10" "fd00::/8" ];
# endpoint = "";
# publicKey = "";
#}
];
privateKeyFile = config.sops.secrets.dn42-router-general-wireguard-key.path;
};
# zaphyra
wg1718 = {
ips = [
"fe80::2574/128"
# peer fe80::6b61/64
];
postSetup = ''
ip addr replace dev wg1718 fe80::2574/128 peer fe80::6b61/128
'';
listenPort = 51718;
allowedIPsAsRoutes = false;
peers = [
{
allowedIPs = [ "fe80::/10" "fd00::/8" ];
endpoint = "router-a.dn42.zaphyra.eu:51831";
publicKey = "Knm6uEpMsTfZAK68Pl98mHORtb8TtswBfYFGznpHUCI=";
}
];
privateKeyFile = config.sops.secrets.wg1718.path;
};
# iedon
# https://iedon.net/
wg2189 = {
ips = [
"fe80::2574/128"
];
postSetup = ''
ip addr replace dev wg2189 fe80::2574/128 peer fe80::2189:e9/128
'';
listenPort = 52189;
allowedIPsAsRoutes = false;
peers = [
{
allowedIPs = [ "fe80::/10" "fd00::/8" ];
endpoint = "de-fra.dn42.iedon.net:42463";
publicKey = "FHp0OR4UpAS8/Ra0FUNffTk18soUYCa6NcvZdOgxY0k=";
}
];
privateKeyFile = config.sops.secrets.dn42-router-general-wireguard-key.path;
};
# jona / cryne
wg3402 = {
ips = [
"fe80::2574/128"
];
postSetup = ''
ip addr replace dev wg3402 fe80::2574/128 peer fe80::3402/128
'';
listenPort = 53402;
allowedIPsAsRoutes = false;
peers = [
{
allowedIPs = [ "fe80::/10" "fd00::/8" ];
endpoint = "dn42.cryne.me:42574";
publicKey = "YsKInIp90is8ysnQDHGoKnz2CqlTMWMZDmQ+vwvN2C0=";
}
];
privateKeyFile = config.sops.secrets.dn42-router-general-wireguard-key.path;
};
# lutoma
wg4719 = {
ips = [
@@ -140,7 +282,43 @@
];
privateKeyFile = config.sops.secrets.wg4719.path;
};
# tbspace
wg6190 = {
ips = [
"fe80::2574/128"
];
postSetup = ''
ip addr replace dev wg6190 fe80::2574/128 peer fe80::1299:e/128
'';
listenPort = 56190;
allowedIPsAsRoutes = false;
peers = [
{
allowedIPs = [ "fe80::/10" "fd00::/8" ];
endpoint = "dn42.tbspace.de:49168";
publicKey = "skvyDl81J8Zu3Ziem+7JKeU4UYLhhWt7gWelg8nEbzQ=";
}
];
privateKeyFile = config.sops.secrets.dn42-router-general-wireguard-key.path;
};
};
networking.firewall.allowedUDPPorts = [
50150 # wg0150
50565 # wg0565
50663 # wg0663
51240 # wg1240
51241 # wg1241
51271 # wg1271
51272 # wg1272
51280 # wg1280
51411 # wg1411
51718 # wg1718
52189 # wg2189
53402 # wg3402
54719 # wg4719
56190 # wg6190
];
profiles.clerie.dn42-router = {
enable = true;
@@ -163,6 +341,13 @@
];
wireguardPeers = [
{
peerName = "peer_0150";
remoteAddress = "fe80::150";
interfaceName = "wg0150";
remoteAsn = "4242420150";
localAddress = "fe80::2574";
}
{
peerName = "peer_0565";
remoteAddress = "fe80::565";
@@ -170,6 +355,20 @@
remoteAsn = "4242420565";
localAddress = "fe80::2574";
}
{
peerName = "peer_0663";
remoteAddress = "fe80::acab";
interfaceName = "wg0663";
remoteAsn = "4242420663";
localAddress = "fe80::1111";
}
{
peerName = "peer_1240_de_01";
remoteAddress = "fe80::1240:11";
interfaceName = "wg1240";
remoteAsn = "4242421240";
localAddress = "fe80::2574";
}
{
peerName = "peer_1271_north";
remoteAddress = "fe80::2";
@@ -191,6 +390,34 @@
remoteAsn = "4242421280";
localAddress = "fde3:4c0d:2836:ff00::21";
}
{
peerName = "peer_1411_de_fsn";
remoteAddress = "fe80::1411";
interfaceName = "wg1411";
remoteAsn = "4242421411";
localAddress = "fe80::2574";
}
{
peerName = "peer_1718";
remoteAddress = "fe80::6b61";
interfaceName = "wg1718";
remoteAsn = "4242421718";
localAddress = "fe80::2574";
}
{
peerName = "peer_2189_de_fra";
remoteAddress = "fe80::2189:e9";
interfaceName = "wg2189";
remoteAsn = "4242422189";
localAddress = "fe80::2574";
}
{
peerName = "peer_3402";
remoteAddress = "fe80::3402";
interfaceName = "wg3402";
remoteAsn = "4242423402";
localAddress = "fe80::2574";
}
{
peerName = "peer_4719";
remoteAddress = "fe80::acab";
@@ -198,11 +425,17 @@
remoteAsn = "64719";
localAddress = "fe80::1";
}
{
peerName = "peer_6190";
remoteAddress = "fe80::1299:e";
interfaceName = "wg6190";
remoteAsn = "76190";
localAddress = "fe80::2574";
}
];
};
clerie.system-auto-upgrade = {
allowReboot = true;
services.bijwerken = {
autoUpgrade = true;
};
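Review bot: `networking.firewall.allowedUDPPorts` still opens `51241 # wg1241`, but no `wg1241` interface appears in the visible part of this file and the branch history removes the second prefixlabs peering, so that entry looks stale and should be dropped. `wg1411` is defined with an empty `peers` list while `listenPort = 51411` and its firewall entry are live; WireGuard ignores handshakes from unknown keys, so this is harmless, but the half-configured peering (and its `peer_1411_de_fsn` BGP session) deserves a `# TODO: peer endpoint/key pending` comment rather than a commented-out template. Six peerings (`wg0150`, `wg0663`, `wg1411`, `wg2189`, `wg3402`, `wg6190`) now share `dn42-router-general-wireguard-key`, which is a reasonable simplification, but it means a leak of that one file forces rotation of all six at once — worth saying next to the secret. The enclosing `networking.wireguard.interfaces` and `wireguardPeers` sets begin and end outside the hunks shown.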

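--- /dev/null
+++ b/hosts/dn42-il-gw1/documentation.nix
@@ -0,0 +1,21 @@
+{ config, lib, pkgs, ... }:
+{
+services.nginx.enable = true;
+networking.firewall.allowedTCPPorts = [ 80 443 ];
+services.nginx.virtualHosts = {
+"${config.networking.fqdn}" = {
+enableACME = true;
+forceSSL = true;
+root = pkgs.writeTextFile {
+name = "dn42-router-documentation";
+text = config.profiles.clerie.dn42-router.htmlDocumentation;
+destination = "/index.html";
+};
+};
+};
+}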
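Review bot: The vhost key is `"${config.networking.fqdn}"`, which aborts evaluation unless `networking.domain` is set for this host; either assert that near the top of the file or use a literal host name, since the same value also drives ACME issuance. The page is served to the internet without authentication, which is normal for dn42 peering documentation, but `htmlDocumentation` is generated from the router profile, so confirm it carries nothing beyond peer names, ASNs and public endpoints — a comment such as `# public page: peering info only, no keys or credentials` would record that expectation. `lib` is bound but unused in the visible file.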


@@ -1,25 +1,24 @@
{
"dn42-router-general-wireguard-key": "ENC[AES256_GCM,data:z1qOABBiObnWgcJDSnCHCfttJdDXQ3LO+Y/uHblJg49wrxTostamnP6GuvE=,iv:0KTyNqMOLQue8UODWXF2I+sY4pVKVe0aNiVETC9zOzk=,tag:KOzS9HaR6plPA0HlMT8jhQ==,type:str]",
"wg0197": "ENC[AES256_GCM,data:1QJ5GXLMLIOj6xNC4sMnShjyB1wqfTkhkPTlLJz6AJxMjA0BsBZvZ1Pdln4=,iv:nVRIQB8/Ged616ELhkGnDyAz6A+3HQ55+yG0vf0f7aQ=,tag:GtI8ICMCih1tN4Xoc+8RdQ==,type:str]",
"wg0565": "ENC[AES256_GCM,data:kLgKOGDA+kPDB0SZ/yU7Ax7NYn28LiVT2W6zSsc0APfyoZWW6nF0fUQFv4s=,iv:6zjLGAOROifubQUMxRLvoFzN6GRYob841rzNiVyrt84=,tag:Gh15/ROPYiqqobcJcTzmGQ==,type:str]",
"wg1240": "ENC[AES256_GCM,data:ta0FRxhDGeta6TpWghWP2ogqymtiVsnWvuwzOhqhGN6zyK/GYd5b+SgSYAI=,iv:9gxEtK+ZOFj0D/SNWV7GyWHkBXjGgofJPmqcu3CMMKo=,tag:MFE/bhGk6oLeOK4TaEoXgQ==,type:str]",
"wg1271": "ENC[AES256_GCM,data:NPcFMxVNpwoPkLsb6NvZVxGxw+Og3RzlYx7TAL9nT95x6I8aDRpOnR5tY5w=,iv:gYuem6vX+jRQvirrt3lZQb5gKnN/z32W/MgmGuzQ/Ks=,tag:I9qZJSNKFEM3Vx4Yugxy1w==,type:str]",
"wg1272": "ENC[AES256_GCM,data:LU6jtNkNn2Xs+0OH8cD1HJnbHsNNnqlY83lDFa11/dHwVgdFxMtDXMqIMEc=,iv:/A8rWGR6jExa4ms7jTYC0eZVGCvlKw1I58Co41gw3TU=,tag:tIBRkQzFFpEEzflnDrpcOA==,type:str]",
"wg1280": "ENC[AES256_GCM,data:F4KLY6jiZNl52ko32nM0iTER0DyHvaCSmxeYAKB0MLUD8l9u1Ugk6kYZnUc=,iv:XcaxnvxM1kE/ahNFX+BH7Jmr9q2Py1vHHqOjFUqs5O8=,tag:a1up4gGFqyHz2lmDRJl3bA==,type:str]",
"wg1302": "ENC[AES256_GCM,data:+MzuBPg3ql0/MEnpVvhQTsPIkKB9xnHN9Fk4VlZwK4ijKl+26d6oTSM7/R0=,iv:bPPmhenQLaKTGaDo4rBlKkrXrS1YysRuntbKq6zi2aQ=,tag:lztaTfDGT4kAq+HZMLl0Dw==,type:str]",
"wg1718": "ENC[AES256_GCM,data:lB+j2O15O7ogdB+QdutD3V/h8IREMMlpCsnMJWNPXlz196KM6WNNYCV2v5M=,iv:AwrRPQIFu8A14Vs5A9slkCPMkgU3VZxL1YupJnriEHc=,tag:Vpt0C6SFzUXGotdfc1ocmg==,type:str]",
"wg4719": "ENC[AES256_GCM,data:hoOOCUGdYFaAQZ6wkgmQl65M1qArvXa826IeJl+BUGf7UX0vxx9J0C2epTE=,iv:+1JcOgzClehkE0Ihd2mmoenPk51OBZMF0bMqapWah/c=,tag:xI5FU+GJU6BER9/n04ccLA==,type:str]",
"wg-monitoring": "ENC[AES256_GCM,data:aw11Ygfll6llabXkuxtbTcCn1eb4NZX1IwArcXoRJCJSgwDrQZ3HLatov3w=,iv:J2VD5XS+BrIKeFb0NW1UYZUuGPkbjFmooZ93PVK31gw=,tag:2XLSa/2s6LRq3L7UdrTs/g==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1f0hscql4f4w7vyukzeu693xfedsl596dpjekc23q77ylp92zsvcqf9u75t",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3QWdFYjFjTmRVRlV3U3p4\nTSsyc1E0dWtiYjNtVkV2SXJEWkxnTDhLN1Y0Cng4aGlidjhydUVGaFcvK215aGdq\nN0FGajYwa1lPUCsva0tmNkErUGtlOWsKLS0tIG9pLzJEUDA2WWUzd1kzSVZrdVRX\nbUxjQzBCd3p0R1dWTTJaRmZNQjJEUVkKPz6OUQHpYrhRxMdQzpZRR3exVqkG2JvX\nI32PwvbeQK8cgpYwKLGar8U8aiPPm0Y64pID1wedDsNZzLqLOrS3wQ==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2024-04-28T09:28:04Z",
"mac": "ENC[AES256_GCM,data:PHdhyie0Ya/nN9Kqj4z+zPyyKZFvGkznkv8Uf3LNSdPKWVtXARZc8Xodm4MjI2HvooryyyMFHkW75Aln02Rlvk3R8oI7rfFZC7s2P+LotumsYgRFf0JOUMxsxOtKW0ehuLy83Bw0rMJQo1gzTgBykcvdc2pkMmALF/vU/1VqgJ4=,iv:0JwcY0Q+8VAiVHYjynhcpsobQXOkK8EBe3QUJ8YUwFE=,tag:9xAcoxAPGxTvHVBydf3u9Q==,type:str]",
"lastmodified": "2025-12-03T20:44:07Z",
"mac": "ENC[AES256_GCM,data:GL2GWM7YcGxfKWh9Vt0wm6YqbXTgqskkVHzsTTWqcQWhzbtqyWfFebli77UsDYoCYSR+yiPhi2opF1oMJl6Jr44PtmpPk+WGPUrcjuVDuf0NueaW8j++nzJzSFEnHeTbIg8qNpb9FwapWM0jlHVkGo6RVwVa9E597U/AKdES9ww=,iv:s3ABxKoCcEUOjtnvDGcrJoEiwXC0imLLO0kEXT+/69s=,tag:Vzk6aKDRwD6T60G0pDF9Jw==,type:str]",
"pgp": [
{
"created_at": "2024-04-28T09:25:37Z",
@@ -28,6 +27,6 @@
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.8.1"
"version": "3.11.0"
}
}


@@ -111,8 +111,7 @@
'';
};
clerie.system-auto-upgrade = {
allowReboot = true;
services.bijwerken = {
autoUpgrade = true;
startAt = "*-*-* 06:22:00";
};
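Review bot: The new `services.bijwerken` block carries only `autoUpgrade = true;`, while the `clerie.system-auto-upgrade` block it appears to replace also had `allowReboot = true;`, and nothing in the hunk shows whether bijwerken reboots after an upgrade by default. If bijwerken exposes an equivalent option, set it explicitly; if reboots are now intentionally manual, say so next to the block, e.g. `# upgrades no longer reboot automatically; kernel/initrd changes wait for a manual reboot`. The same replacement appears in six later hunks of this compare (the 07:22 host and the five without `startAt`), so one decision should be applied to all of them. The enclosing attribute set starts and ends outside the hunk.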


@@ -105,8 +105,7 @@
'';
};
clerie.system-auto-upgrade = {
allowReboot = true;
services.bijwerken = {
autoUpgrade = true;
startAt = "*-*-* 07:22:00";
};


@@ -161,8 +161,7 @@
}
'';
clerie.system-auto-upgrade = {
allowReboot = true;
services.bijwerken = {
autoUpgrade = true;
};


@@ -70,8 +70,7 @@
networking.firewall.allowedTCPPorts = [ 80 443 ];
clerie.system-auto-upgrade = {
allowReboot = true;
services.bijwerken = {
autoUpgrade = true;
};


@@ -131,6 +131,7 @@
clerie.nginx-port-forward = {
enable = true;
resolver = "127.0.0.53";
tcpPorts."443" = {
host = "localhost";
port = 22;


@@ -1,9 +0,0 @@
{ pkgs, ... }:
{
services.udev.packages = [
pkgs.android-udev-rules
];
}


@@ -5,9 +5,6 @@
[
./hardware-configuration.nix
../../configuration/desktop
./android.nix
./backup.nix
./etesync-dav.nix
#./initrd.nix
@@ -15,6 +12,12 @@
./programs.nix
];
profiles.clerie.desktop.enable = true;
profiles.clerie.desktop.users = [
"clerie"
];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
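Review bot: `profiles.clerie.desktop.users = [ "clerie" ];` is a new list whose effect is not visible in this hunk; if membership in it grants privileges (network control, device access or similar) rather than being cosmetic, that deserves a comment at the point where a user is added, because the list will be read as "which accounts exist" otherwise. Suggested comment above the option: `# users listed here receive the desktop profile's elevated permissions — see the desktop profile module before adding accounts`. The enclosing module continues outside both hunks.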


@@ -11,17 +11,21 @@
signal-desktop
dino
fractal
tuba
flare-signal
tio
xournalpp
onlyoffice-bin
libreoffice
krita
inkscape
dune3d
wireshark
tcpdump
nmap
pkgs."http.server"
kdePackages.okular
chromium-incognito
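Review bot: `wireshark` is added as a plain package next to `tcpdump` and `nmap`, but installing it this way gives no capture privileges, so the user will either fail to capture or end up running the GUI as root. NixOS has `programs.wireshark.enable = true;`, which installs a capability-wrapped `dumpcap` and a `wireshark` group so that members can capture without root; enable that instead of (or in addition to) listing the package, and add the desktop user to the group with `extraGroups = [ "wireshark" ];`. The enclosing package list starts and ends outside the hunk.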


@@ -0,0 +1,77 @@
{
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": {
"type": "datasource",
"uid": "grafana"
},
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"target": {
"limit": 100,
"matchAny": false,
"tags": [],
"type": "dashboard"
},
"type": "dashboard"
}
]
},
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 0,
"id": 10,
"links": [],
"panels": [
{
"fieldConfig": {
"defaults": {},
"overrides": []
},
"gridPos": {
"h": 11,
"w": 24,
"x": 0,
"y": 0
},
"id": 2,
"options": {
"includeVars": false,
"keepTime": false,
"maxItems": 10,
"query": "",
"showFolderNames": true,
"showHeadings": false,
"showRecentlyViewed": false,
"showSearch": true,
"showStarred": false,
"tags": []
},
"pluginVersion": "12.0.2+security-01",
"title": "Dashboards",
"type": "dashlist"
}
],
"preload": false,
"refresh": "",
"schemaVersion": 41,
"tags": [],
"templating": {
"list": []
},
"time": {
"from": "now-6h",
"to": "now"
},
"timepicker": {
"hidden": true
},
"timezone": "browser",
"title": "Home",
"uid": "OqTN9p2nz",
"version": 1
}


@@ -0,0 +1,355 @@
{
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": {
"type": "grafana",
"uid": "-- Grafana --"
},
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"type": "dashboard"
}
]
},
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 0,
"id": 16,
"links": [],
"panels": [
{
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "palette-classic"
},
"custom": {
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"barWidthFactor": 0.6,
"drawStyle": "line",
"fillOpacity": 0,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"insertNulls": false,
"lineInterpolation": "linear",
"lineWidth": 1,
"pointSize": 5,
"scaleDistribution": {
"type": "linear"
},
"showPoints": "auto",
"spanNulls": false,
"stacking": {
"group": "A",
"mode": "none"
},
"thresholdsStyle": {
"mode": "off"
}
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green"
}
]
},
"unit": "reqps"
},
"overrides": []
},
"gridPos": {
"h": 10,
"w": 12,
"x": 0,
"y": 0
},
"id": 1,
"options": {
"legend": {
"calcs": [],
"displayMode": "list",
"placement": "bottom",
"showLegend": true
},
"tooltip": {
"hideZeros": false,
"mode": "single",
"sort": "none"
}
},
"pluginVersion": "12.0.2+security-01",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"disableTextWrap": false,
"editorMode": "builder",
"expr": "sum by(server_name) (rate(nginxlog_http_response_count_total{server_name=~\"$server_name\"}[5m]))",
"fullMetaSearch": false,
"includeNullMetadata": true,
"legendFormat": "__auto",
"range": true,
"refId": "A",
"useBackend": false
}
],
"title": "Total requests",
"type": "timeseries"
},
{
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "palette-classic"
},
"custom": {
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"barWidthFactor": 0.6,
"drawStyle": "line",
"fillOpacity": 0,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"insertNulls": false,
"lineInterpolation": "linear",
"lineWidth": 1,
"pointSize": 5,
"scaleDistribution": {
"type": "linear"
},
"showPoints": "auto",
"spanNulls": false,
"stacking": {
"group": "A",
"mode": "none"
},
"thresholdsStyle": {
"mode": "off"
}
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green"
}
]
},
"unit": "reqps"
},
"overrides": []
},
"gridPos": {
"h": 10,
"w": 12,
"x": 12,
"y": 0
},
"id": 2,
"options": {
"legend": {
"calcs": [],
"displayMode": "list",
"placement": "bottom",
"showLegend": true
},
"tooltip": {
"hideZeros": false,
"mode": "single",
"sort": "none"
}
},
"pluginVersion": "12.0.2+security-01",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"disableTextWrap": false,
"editorMode": "builder",
"expr": "sum by(server_name, method) (rate(nginxlog_http_response_count_total{server_name=~\"$server_name\"}[5m]))",
"fullMetaSearch": false,
"includeNullMetadata": true,
"legendFormat": "{{server_name}}: {{method}}",
"range": true,
"refId": "A",
"useBackend": false
}
],
"title": "Status codes",
"type": "timeseries"
},
{
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "palette-classic"
},
"custom": {
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"barWidthFactor": 0.6,
"drawStyle": "line",
"fillOpacity": 0,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"insertNulls": false,
"lineInterpolation": "linear",
"lineWidth": 1,
"pointSize": 5,
"scaleDistribution": {
"type": "linear"
},
"showPoints": "auto",
"spanNulls": false,
"stacking": {
"group": "A",
"mode": "none"
},
"thresholdsStyle": {
"mode": "off"
}
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green"
}
]
},
"unit": "reqps"
},
"overrides": []
},
"gridPos": {
"h": 10,
"w": 12,
"x": 0,
"y": 10
},
"id": 3,
"options": {
"legend": {
"calcs": [],
"displayMode": "list",
"placement": "bottom",
"showLegend": true
},
"tooltip": {
"hideZeros": false,
"mode": "single",
"sort": "none"
}
},
"pluginVersion": "12.0.2+security-01",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"disableTextWrap": false,
"editorMode": "builder",
"expr": "sum by(server_name, status) (rate(nginxlog_http_response_count_total{server_name=~\"$server_name\"}[5m]))",
"fullMetaSearch": false,
"includeNullMetadata": true,
"legendFormat": "{{server_name}}: HTTP {{status}}",
"range": true,
"refId": "A",
"useBackend": false
}
],
"title": "Response codes",
"type": "timeseries"
}
],
"preload": false,
"refresh": "30s",
"schemaVersion": 41,
"tags": [],
"templating": {
"list": [
{
"current": {
"text": "All",
"value": [
"$__all"
]
},
"definition": "label_values(nginxlog_http_response_count_total,server_name)",
"includeAll": true,
"label": "vHost",
"multi": true,
"name": "server_name",
"options": [],
"query": {
"qryType": 1,
"query": "label_values(nginxlog_http_response_count_total,server_name)",
"refId": "PrometheusVariableQueryEditor-VariableQuery"
},
"refresh": 1,
"regex": "",
"type": "query"
}
]
},
"time": {
"from": "now-3h",
"to": "now"
},
"timepicker": {},
"timezone": "browser",
"title": "Nginx Exporter",
"uid": "b042a880-3cb0-4dd3-ae48-4745a58af698",
"version": 7
}
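Review bot: The panel titled `"Status codes"` (the `"id": 2` panel) groups its query by `method`, while the third panel groups by `status` and is titled `"Response codes"`, so the second title looks mislabelled; `"title": "Request methods"` matches its expression. The panels also mix datasource references: the panel-level `"uid": "PBFA97CFB590B2093"` is a fixed instance uid, but every target uses `"${DS_PROMETHEUS}"`, which is an import-time template input — there is no `__inputs` block in this file, so when it is provisioned from disk the targets may point at a datasource that does not exist; use the literal uid in the targets as well. `"id": 16` is the exporting instance's database id and carries no meaning for a file-provisioned dashboard, so it can be `null` to avoid confusion with the `uid`.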


@@ -0,0 +1,135 @@
{
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": {
"type": "grafana",
"uid": "-- Grafana --"
},
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"target": {
"limit": 100,
"matchAny": false,
"tags": [],
"type": "dashboard"
},
"type": "dashboard"
}
]
},
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 0,
"id": 15,
"links": [],
"panels": [
{
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "continuous-RdYlGr"
},
"custom": {
"axisPlacement": "auto",
"fillOpacity": 70,
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"insertNulls": false,
"lineWidth": 0,
"spanNulls": false
},
"mappings": [
{
"options": {
"0": {
"index": 1,
"text": "mismatch"
},
"1": {
"index": 0,
"text": "sync"
}
},
"type": "value"
}
],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "red"
}
]
}
},
"overrides": []
},
"gridPos": {
"h": 23,
"w": 24,
"x": 0,
"y": 0
},
"id": 2,
"options": {
"alignValue": "left",
"legend": {
"displayMode": "list",
"placement": "bottom",
"showLegend": true
},
"mergeValues": true,
"rowHeight": 0.9,
"showValue": "auto",
"tooltip": {
"hideZeros": false,
"mode": "single",
"sort": "none"
}
},
"pluginVersion": "12.0.2+security-01",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"editorMode": "builder",
"expr": "nixos_current_system_is_sync",
"legendFormat": "{{instance}}",
"range": true,
"refId": "A"
}
],
"title": "Config is Sync",
"type": "state-timeline"
}
],
"preload": false,
"refresh": "5m",
"schemaVersion": 41,
"tags": [],
"templating": {
"list": []
},
"time": {
"from": "now-7d",
"to": "now"
},
"timepicker": {},
"timezone": "",
"title": "NixOS Status",
"uid": "W4j3nz1Vz",
"version": 3
}


@@ -0,0 +1,211 @@
{
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": {
"type": "datasource",
"uid": "grafana"
},
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"target": {
"limit": 100,
"matchAny": false,
"tags": [],
"type": "dashboard"
},
"type": "dashboard"
}
]
},
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 0,
"id": 11,
"links": [],
"panels": [
{
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "palette-classic"
},
"custom": {
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"barWidthFactor": 0.6,
"drawStyle": "line",
"fillOpacity": 0,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"insertNulls": false,
"lineInterpolation": "linear",
"lineWidth": 1,
"pointSize": 5,
"scaleDistribution": {
"type": "linear"
},
"showPoints": "auto",
"spanNulls": false,
"stacking": {
"group": "A",
"mode": "none"
},
"thresholdsStyle": {
"mode": "off"
}
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green"
},
{
"color": "red",
"value": 80
}
]
},
"unit": "s"
},
"overrides": []
},
"gridPos": {
"h": 22,
"w": 24,
"x": 0,
"y": 0
},
"id": 2,
"options": {
"legend": {
"calcs": [],
"displayMode": "list",
"placement": "bottom",
"showLegend": true
},
"tooltip": {
"hideZeros": false,
"mode": "single",
"sort": "none"
}
},
"pluginVersion": "12.0.2+security-01",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"editorMode": "code",
"exemplar": true,
"expr": "probe_icmp_duration_seconds{job=\"blackbox_icmp6\", target=~\"$target\", instance=~\"$instance\", phase=\"rtt\"} > 0 ",
"interval": "",
"legendFormat": "IPv6 {{target}} ({{instance}})",
"range": true,
"refId": "A"
},
{
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"editorMode": "code",
"exemplar": true,
"expr": "probe_icmp_duration_seconds{job=\"blackbox_icmp4\", target=~\"$target\", instance=~\"$instance\", phase=\"rtt\"} > 0",
"hide": false,
"interval": "",
"legendFormat": "IPv4 {{target}} ({{instance}})",
"range": true,
"refId": "B"
}
],
"title": "Smokeping",
"type": "timeseries"
}
],
"preload": false,
"refresh": "",
"schemaVersion": 41,
"tags": [],
"templating": {
"list": [
{
"current": {
"text": "All",
"value": "$__all"
},
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"definition": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, target)",
"includeAll": true,
"label": "Target:",
"multi": true,
"name": "target",
"options": [],
"query": {
"query": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, target)",
"refId": "StandardVariableQuery"
},
"refresh": 1,
"regex": "",
"type": "query"
},
{
"current": {
"text": [
"All"
],
"value": [
"$__all"
]
},
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"definition": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, instance)",
"includeAll": true,
"label": "Instance:",
"multi": true,
"name": "instance",
"options": [],
"query": {
"query": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, instance)",
"refId": "StandardVariableQuery"
},
"refresh": 1,
"regex": "",
"type": "query"
}
]
},
"time": {
"from": "now-30m",
"to": "now"
},
"timepicker": {},
"timezone": "",
"title": "Smokeping",
"uid": "IytTVZL7z",
"version": 9
}


@@ -52,6 +52,12 @@ let
attrByPath ["clerie" "monitoring" "blackbox"] false host.config)
monitoringHosts);
nginxlogMonitoringTargets = mapAttrsToList (name: host:
"${host.config.networking.hostName}.mon.clerie.de:9117")
(filterAttrs (name: host:
attrByPath ["services" "prometheus" "exporters" "nginxlog" "enable"] false host.config)
monitoringHosts);
eachWithEachOther = (f: x: y: lib.lists.flatten (lib.lists.forEach x (a: lib.lists.forEach y (b: f a b))));
in {
@@ -104,6 +110,21 @@ in {
relabelAddressToInstance
];
}
{
job_name = "alertmanager";
scrape_interval = "20s";
scheme = "http";
static_configs = [
{
targets = [
"monitoring-3.mon.clerie.de:9093"
];
}
];
relabel_configs = [
relabelAddressToInstance
];
}
{
job_name = "node-exporter";
scrape_interval = "20s";
@@ -521,12 +542,24 @@ in {
}
];
}
{
job_name = "nginxlog-exporter";
scrape_interval = "20s";
static_configs = [
{
targets = nginxlogMonitoringTargets;
}
];
relabel_configs = [
relabelAddressToInstance
];
}
];
alertmanagers = [
{
static_configs = [ {
targets = [
"[::1]:9093"
"monitoring-3.mon.clerie.de:9093"
];
} ];
}
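Review bot: The `alertmanagers` list now names two endpoints, `"[::1]:9093"` and `"monitoring-3.mon.clerie.de:9093"`; Prometheus sends every alert to all configured Alertmanagers, so unless the two instances are clustered with each other (`--cluster.peer`) each notification will go out twice. If they are cluster peers, a one-line comment on the list saves the next reader the question, e.g. `# both Alertmanagers are cluster peers: alerts are sent to each and deduplicated there`. The new `nginxlog-exporter` job omits `scheme` while the new `alertmanager` job sets `scheme = "http"` explicitly; both default to http, so this is only a consistency nit. The enclosing attribute set starts and ends outside the hunk.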


@@ -89,9 +89,24 @@ groups:
description: "GPG with fingerprint {{ $labels.fingerprint }} is expiring in less then six weeks"
- alert: NadjaTopIPv4ProxyBroken
expr: probe_success{job="blackbox_local_http6", target="blog.nadja.top"} != on (target) probe_success{job="blackbox_local_http4", target="blog.nadja.top"}
for: 5m
for: 15m
labels:
severity: critical
annotations:
summary: "blog.nadja.top unreachable via IPv4"
description: "blog.nadja.top unreachable IPv4, but reachable via IPv6"
- alert: AlertmanagerNotificationRequestsFailed
expr: rate(alertmanager_notification_requests_failed_total[5m]) > 0
labels:
severity: critical
annotations:
summary: "Too many notification requests failed"
description: "Too many notification requests to Alertmanager integration {{ $labels.integration }} failed"
- alert: FemSocialDown
expr: min(probe_success{target="fem.social", job=~"blackbox_local_http.*"}) == 0
for: 5m
labels:
severity: critical
annotations:
summary: "fem.social unavailable via HTTP"
description: "fem.social is not fully reachable via HTTP"
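Review bot: `AlertmanagerNotificationRequestsFailed` has no `for:` clause, so a single failed delivery attempt inside the 5m rate window raises a critical alert immediately and it flaps as the rate decays; the neighbouring rules use `for: 5m` and `for: 15m`, so add e.g. `for: 10m` under its `expr:`. Its `summary: "Too many notification requests failed"` also overstates a `> 0` threshold; `summary: "Notification requests from Alertmanager failed"` matches the expression. Note that an alert about Alertmanager's own notification failures is delivered through the same Alertmanager and may never reach anyone; the usual cover for that gap is an always-firing heartbeat rule routed to an external dead-man's-switch receiver.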


@@ -41,8 +41,7 @@
networking.firewall.allowedUDPPorts = [];
clerie.system-auto-upgrade = {
allowReboot = true;
services.bijwerken = {
autoUpgrade = true;
};


@@ -28,8 +28,19 @@
profiles.clerie.common-webserver.httpDefaultVirtualHost = false;
services.unbound = {
enable = true;
resolveLocalQueries = false;
settings = {
server = {
interface = [ "127.0.0.1" ];
};
};
};
clerie.nginx-port-forward = {
enable = true;
resolver = "127.0.0.1";
tcpPorts."80" = {
host = "baikonur.dyn.weimarnetz.de";
port = 80;
@@ -47,6 +58,10 @@
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedUDPPorts = [];
services.bijwerken = {
autoUpgrade = true;
};
clerie.monitoring = {
enable = true;
id = "102";
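Review bot: The new `services.unbound` block has no comment saying why this host needs a local recursive resolver; from the `resolver = "127.0.0.1";` line right below it, it presumably exists so nginx can re-resolve `baikonur.dyn.weimarnetz.de` at runtime. A comment on the `services.unbound` line would capture that: `# local resolver for clerie.nginx-port-forward: the dyndns target must be re-resolved at runtime, not only at config load`. `interface = [ "127.0.0.1" ]` binds IPv4 loopback only, which matches the nginx `resolver` value, and `resolveLocalQueries = false` keeps the host's own `/etc/resolv.conf` from being pointed at it — confirm both are intended. The first hunk's attribute set continues outside the hunk.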


@@ -52,8 +52,7 @@
};
};
clerie.system-auto-upgrade = {
allowReboot = true;
services.bijwerken = {
autoUpgrade = true;
};


@@ -11,7 +11,28 @@ with lib;
};
users.groups.data-em = {};
users.users.data-em-mp3 = {
group = "data-em-mp3";
home = "/data/em-mp3";
useDefaultShell = true;
isSystemUser = true;
};
users.groups.data-em-mp3 = {};
systemd.tmpfiles.rules = [
"d /data/em - data-em data-em - -"
"d /data/em-mp3 - data-em-mp3 data-em-mp3 - -"
];
systemd.services.convert-flac-dir-to-mp3 = {
serviceConfig = {
Type = "oneshot";
ExecStart = "${lib.getExe pkgs.convert-flac-dir-to-mp3} /data/em /data/em-mp3";
StateDirectory = "convert-flac-dir-to-mp3";
WorkingDirectory = "/var/lib/convert-flac-dir-to-mp3";
User = "data-em-mp3";
Group = "data-em-mp3";
};
startAt = "*-*-* 03:47:00";
};
}
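Review bot: `systemd.services.convert-flac-dir-to-mp3` runs under a dedicated user but with no sandboxing, although its needs are narrow: read `/data/em`, write `/data/em-mp3`, and use its own `StateDirectory`. `ProtectSystem = "strict"` with `ReadWritePaths` for the output directory (the `StateDirectory` stays writable under strict), plus `PrivateTmp`, `ProtectHome` and `NoNewPrivileges`, limits what a malformed input file handed to the converter can reach. Whether the converter needs network or anything outside those paths is not visible here, so verify a run after applying. The enclosing attribute set starts outside the hunk.
```nix
  systemd.services.convert-flac-dir-to-mp3 = {
    serviceConfig = {
      # … unchanged: Type, ExecStart, StateDirectory, WorkingDirectory, User, Group …
      # least privilege: the converter only reads /data/em and writes /data/em-mp3
      ProtectSystem = "strict";
      ReadWritePaths = [ "/data/em-mp3" ];
      ProtectHome = true;
      PrivateTmp = true;
      NoNewPrivileges = true;
    };
    # … unchanged: startAt …
  };
```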


@@ -53,17 +53,23 @@ in {
"mixcloud.clerie.de" = {
enableACME = true;
forceSSL = true;
basicAuthFile = config.sops.secrets.mixcloud-htpasswd.path;
locations."/" = {
alias = "/data/mixcloud/";
basicAuthFile = config.sops.secrets.mixcloud-htpasswd.path;
extraConfig = ''
autoindex on;
autoindex_exact_size off;
'';
};
locations."/api/" = {
alias = "/data/mixcloud/";
extraConfig = ''
autoindex on;
autoindex_format json;
'';
};
locations."/media/" = {
alias = "/data/media/";
basicAuthFile = config.sops.secrets.mixcloud-htpasswd.path;
extraConfig = ''
autoindex on;
autoindex_exact_size off;
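Review bot: The new `locations."/api/"` serves the same `alias = "/data/mixcloud/";` as `locations."/"` but carries no `basicAuthFile`, while the commit moves `basicAuthFile` from the vhost level down to `/` and `/media/` individually; the net effect is that the JSON directory listing and every file under `/data/mixcloud/` become reachable unauthenticated via `/api/<path>`, which they were not while the vhost-level auth covered all locations. If the JSON index is meant to be public, say so with a comment on the location (`# intentionally unauthenticated: machine-readable listing of /data/mixcloud`) and consider whether the files themselves should be served there at all; otherwise add `basicAuthFile = config.sops.secrets.mixcloud-htpasswd.path;` to `/api/` as well. The vhost attribute set continues outside the hunk.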


@@ -0,0 +1,195 @@
ip6tables -I nixos-fw -s 2400:3200::/48 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 2400:3200:baba::/48 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 2400:b200:4100::/46 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 2401:8680:4100::/48 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 2401:b180:4100::/48 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 2404:2280:1000::/36 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 2404:2280:2000::/35 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 2404:2280:4000::/36 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 2408:4000:1000::/48 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 2408:4009:500::/48 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4000::/31 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4002::/32 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4004::/31 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4006::/48 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4006:1000::/43 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4006:1020::/44 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4007::/32 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4009::/32 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:400b::/32 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:400c::/30 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4011::/32 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4012::/48 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4013::/32 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4014::/32 -j nixos-fw-refuse
iptables -I nixos-fw -s 5.181.224.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.208.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.209.0.0/19 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.209.36.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.209.40.0/21 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.209.48.0/20 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.209.64.0/18 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.209.128.0/17 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.210.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.212.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.213.0.0/17 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.213.128.0/19 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.213.160.0/21 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.213.176.0/20 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.213.192.0/18 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.214.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.216.0.0/14 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.220.64.0/18 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.220.128.0/17 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.221.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.222.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 14.1.112.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.91.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.1.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.2.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.4.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.7.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.8.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.17.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.19.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.20.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.24.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.27.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.28.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.32.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.40.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.52.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.56.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.58.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.66.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.68.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.72.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.78.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.80.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.84.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.86.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.88.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.96.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.100.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.102.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.104.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.106.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.98.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.100.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.102.0.0/17 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.103.0.0/17 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.104.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.108.0.0/17 -j nixos-fw-refuse
iptables -I nixos-fw -s 45.196.28.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 45.199.179.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.52.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.56.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.74.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.76.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.77.0.0/20 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.77.16.0/21 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.77.24.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.77.32.0/19 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.77.64.0/19 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.77.96.0/20 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.77.128.0/17 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.78.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.79.0.0/17 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.79.128.0/19 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.79.192.0/18 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.80.0.0/14 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.84.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.86.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.87.0.0/17 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.87.128.0/18 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.87.192.0/19 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.87.224.0/21 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.87.232.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.88.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.89.0.0/18 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.89.72.0/21 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.89.80.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.89.84.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.89.88.0/21 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.89.96.0/20 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.89.122.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.89.124.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.89.128.0/17 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.90.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.235.0.0/21 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.235.8.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.235.12.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.235.16.0/20 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.236.0.0/14 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.240.0.0/14 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.244.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.32.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.66.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.68.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.72.0/21 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.80.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.82.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.84.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.88.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.92.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.96.0/20 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.120.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.122.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.124.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.128.0/20 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.144.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.150.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.152.0/21 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.160.0/19 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.192.0/21 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.250.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.252.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.254.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 59.82.136.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 103.81.186.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 110.76.21.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 110.76.23.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 116.251.64.0/18 -j nixos-fw-refuse
iptables -I nixos-fw -s 139.95.0.0/20 -j nixos-fw-refuse
iptables -I nixos-fw -s 139.95.16.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 139.95.64.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 140.205.1.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 140.205.122.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 147.139.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 149.129.0.0/20 -j nixos-fw-refuse
iptables -I nixos-fw -s 149.129.16.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 149.129.32.0/19 -j nixos-fw-refuse
iptables -I nixos-fw -s 149.129.64.0/18 -j nixos-fw-refuse
iptables -I nixos-fw -s 149.129.192.0/18 -j nixos-fw-refuse
iptables -I nixos-fw -s 156.227.20.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 156.236.12.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 156.236.17.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 156.240.76.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 156.245.1.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 161.117.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.24.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.29.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.30.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.32.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.64.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.66.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.68.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.72.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.76.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.80.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.84.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.86.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.88.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.90.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.92.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.104.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.136.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.138.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 185.78.106.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 198.11.128.0/18 -j nixos-fw-refuse
iptables -I nixos-fw -s 202.144.199.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 203.107.64.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 203.107.68.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 205.204.96.0/19 -j nixos-fw-refuse
iptables -I nixos-fw -s 223.5.5.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 223.6.6.0/24 -j nixos-fw-refuse
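Review bot: Each of the 195 prefixes is a separate `-I nixos-fw` insert, so every packet appears to walk the whole list before reaching the conntrack/ESTABLISHED accept that `-I` pushes these rules in front of; the usual form is one ipset per address family and a single match rule, e.g. `ipset create -exist blocked4 hash:net family inet`, one `ipset add -exist blocked4 <prefix>` per entry, and `iptables -I nixos-fw -m set --match-set blocked4 src -j nixos-fw-refuse` (with `networking.firewall.extraPackages = [ pkgs.ipset ];`), which keeps the chain short and turns the list into data rather than shell. The file also lacks a header stating where the prefixes come from and when they were taken, which matters because block lists go stale: `# blocked source prefixes — source: <list name/URL placeholder>, last refreshed <date placeholder>`. The rules jump to `nixos-fw-refuse` rather than `nixos-fw-log-refuse`, so these drops leave no log trace; fine if that is deliberate to limit log volume, but record it in the same header.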


@@ -27,7 +27,7 @@
root = pkgs.clerie-keys;
};
locations."= /ssh/known_hosts" = {
alias = pkgs.writeText "known_hosts" (import ../../lib/ssh-known-hosts.nix);
alias = pkgs.clerie-ssh-known-hosts + "/known_hosts";
extraConfig = ''
types { }
default_type "text/plain; charset=utf-8";
@@ -53,9 +53,6 @@
'';
return = "200 ''";
};
extraConfig = ''
access_log /var/log/nginx/clerie.de.log combined_anon;
'';
};
};
}
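Review bot: The per-vhost `access_log ... combined_anon` directive is removed here and in the following two sections (the git vhost and the three `ip*.clerie.de` vhosts with `vcombined_anon`) without a replacement in the hunks; unless the shared `profiles.clerie.common-webserver` profile now sets a global `access_log` with the anonymised format, these vhosts fall back to nginx's default `combined` log, which records full client addresses — a privacy regression. Confirm the global setting exists, and if the per-vhost files were deliberately consolidated, note it once at the vhost: `# access log is set globally (anonymised format) by the common-webserver profile`. The `known_hosts` alias change in the first hunk is fine as long as `pkgs.clerie-ssh-known-hosts` places a file named exactly `known_hosts` at its root. Both hunks sit inside an attribute set that starts outside the view.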


@@ -24,6 +24,7 @@
./public.nix
./radicale.nix
./reichartstrasse.nix
./traveldrafter.nix
./uptimestatus.nix
./wetter.nix
];
@@ -51,6 +52,8 @@
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.extraCommands = builtins.readFile ./blocked-prefixes.txt;
services.postgresql = {
enable = true;
package = pkgs.postgresql_16;
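Review bot: `networking.firewall.extraCommands = builtins.readFile ./blocked-prefixes.txt;` embeds the prefix file as a raw iptables shell fragment, which ties this host to the iptables firewall backend; as far as I recall the NixOS nftables firewall rejects a non-empty `extraCommands`, so switching `networking.nftables.enable` on later would either fail evaluation or, at best, silently lose the block list. A comment on the line makes the coupling visible: `# iptables-only: blocked-prefixes.txt is raw iptables/ip6tables commands and must be ported to an nftables set before changing backends`. The enclosing attribute set starts and ends outside the hunk.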


@@ -83,9 +83,6 @@
proxyPass = "http://[::1]:3000";
};
};
extraConfig = ''
access_log /var/log/nginx/git.clerie.de.log combined_anon;
'';
};
};
}


@@ -53,9 +53,6 @@
types { } default_type "text/html; charset=utf-8";
'';
};
extraConfig = ''
access_log /var/log/nginx/ip.clerie.de.log vcombined_anon;
'';
};
"ip4.clerie.de" = {
enableACME = true;
@@ -67,9 +64,6 @@
add_header Access-Control-Allow-Origin *;
'';
};
extraConfig = ''
access_log /var/log/nginx/ip.clerie.de.log vcombined_anon;
'';
};
"ip6.clerie.de" = {
enableACME = true;
@@ -81,9 +75,6 @@
add_header Access-Control-Allow-Origin *;
'';
};
extraConfig = ''
access_log /var/log/nginx/ip.clerie.de.log vcombined_anon;
'';
};
};
}


@@ -7,8 +7,8 @@
forceSSL = true;
root = pkgs.fetchgit {
url = "https://git.clerie.de/clerie/legal.clerie.de.git";
rev = "c6900226e3107a2e370a32759d83db472ab5450d";
sha256 = "sha256-lOjbHqYc/85rjotwQ5Oj+MSWnDIfLx2w5mpiJkChbXU=";
rev = "b271b9729f4545c340ce9d16ecbca136031da409";
sha256 = "sha256-uw69o7LxK+JF1AojSyusU1urshBc63Bgva5lRBgQdKc=";
};
locations."/impressum" = {
return = ''301 https://legal.clerie.de/#impressum'';


@@ -4,19 +4,16 @@
"clerie-backup-target-magenta": "ENC[AES256_GCM,data:zsPFXpnTWHL2b9/fZiW1fhpla8hTeZb1+O8oihnwDIAcC4Tgn8PrFDEYK7kuWYcdbIvL5XRJRR48erSACsntFA==,iv:lTlAyVl3ndgca4Mp9lSldXmhlP8ECPvE/CM7Zpzy9ao=,tag:LCNF1loABQpZ8Y5wfpXjkg==,type:str]",
"wg-monitoring": "ENC[AES256_GCM,data:AfkytaHshFSyKkMdKVMdYaq3sKUC9dKYs5rKXN4Ouv5kjDGNXC18liEsRuc=,iv:4mMgsovdAJ++Myr+9GuhAaEBuzDBNZbGK6zfzoAEJ0E=,tag:/d0ZXNbpaMFyxyzov23kdQ==,type:str]",
"radicale-htpasswd": "ENC[AES256_GCM,data:+FHsq5We/fc8gBNub/GV5Mfs2i0/7Qm9UPDhb3unEhak6XDAvMSUQb4eaX0wn7Yi3y/gFGmapd0eYilTjfoJnI9gVnvi,iv:lEV8kQh9RBL/xKcCLIRzUR6ADq4zoah1c8Z67Qrs3dQ=,tag:cw6jKYbZUXBD3Zio5CH+Hw==,type:str]",
"traveldrafter-htpasswd": "ENC[AES256_GCM,data:f29vVDofv2mJEyn/pMKWW8ZbVTKSofe1EEtcfuCaokdqAyxemcq/2hrXFw8cAGTV2hwVqlM2hzJcT32KBjO/wgUNfv4=,iv:5PdQ+bn/bXmfQstP5A/dLeDk7O0qTjoRTyr4D+AgiG0=,tag:gCBrSJ4cEnZHqePiUpPglA==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1nn8dwl2avshdhwn66w92jvlvz2ugl5fdxc8dxz6lpru72hlq44uq5a88az",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlU2tEMHIvRUFxa24wMVcy\nb2lheGR2ekl6S0wzWUd5cTMwTC9HdFN1eVc0CkRjRHdJVUw3ZCtZSTlUOHZCV2J6\nYkxqdnNmU05LTTNmNFZiTzBxZVdkOTgKLS0tIEZUZ0svL2NhcTZPdFZrYUhwQ05Q\nWnZXRWIvRXBOMWNDTzQ4RDNKa3IwSUkKj+vI9dEEUQYN9uT6H1FdexComfbe+iA9\nVzLF970ASzptGiNYtdN9GYdXY7JGHoOfmYy3fpjZGN3p2KqiYyi3UA==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2024-05-10T13:32:34Z",
"mac": "ENC[AES256_GCM,data:lxfYT2TEO9KFx0x6DPRQ2mRy5Ft6syyyO1yV9my6GwvDxd1e7odXGRcFo3N1AFod8Y6z4+XaxqZ/GoqSp94Pk8aF4eEhyAFun/UUr8KhKGsnq6xnQA4p37oYccvTY4eohS5YHBr/+AMutddmQ7qiYtQhVViXAr6+dmOsV1Tfu+A=,iv:bC+z9SP2W048bR3aWIcPgRlfLB5n5ccst6OvH0NjYBk=,tag:qhoXUAl0nG4LYy6yXQP2/g==,type:str]",
"lastmodified": "2025-07-06T16:08:39Z",
"mac": "ENC[AES256_GCM,data:6EbMSJAKOMgXtlwaVtsmPgrZVgraReAfVJWjZvhe965eLhhP5aeyZqPlA6a93h2FsShVFYWFPI57tdHy9Ymo53oXolSt8Docr2w2FL4BTWHHhkXal9+6aJZAZ+XOPEOUYurFxPOX44l+LDkecSz0NMCgrScWtpphjlkj3yP5GTo=,iv:5w8RC9IAuyEuO0QSZ0FBwW2/qqV56HNG7hZIkEeGEYU=,tag:Zosv1OSMtznnKkSYStu+oA==,type:str]",
"pgp": [
{
"created_at": "2024-05-10T13:29:58Z",


@@ -0,0 +1,40 @@
{ pkgs, lib, config, ... }: {
services.update-from-hydra.paths.traveldrafter = {
enable = true;
hydraUrl = "https://hydra.clerie.de";
hydraProject = "clerie";
hydraJobset = "traveldrafter";
hydraJob = "packages.x86_64-linux.traveldrafter";
nixStoreUri = "https://nix-cache.clerie.de";
resultPath = "/srv/traveldrafter";
};
sops.secrets.traveldrafter-htpasswd = {
owner = "nginx";
group = "nginx";
};
services.nginx.virtualHosts = {
"traveldrafter.clerie.de" = {
enableACME = true;
forceSSL = true;
root = "/srv/traveldrafter/lib/node_modules/traveldrafter/web/";
basicAuthFile = config.sops.secrets.traveldrafter-htpasswd.path;
locations."/api" = {
proxyPass = "http://[::1]:3001";
};
};
};
systemd.services."traveldrafter" = {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
RuntimeDirectory = "traveldrafter";
DynamicUser = true;
};
environment = {
HTTP_PORT = "3001";
};
script = lib.getExe pkgs.traveldrafter;
};
}
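Review bot: `basicAuthFile` on the vhost only protects requests that arrive through nginx; the backend is reached via `proxyPass = "http://[::1]:3001"` and the service is only told `HTTP_PORT = "3001"`, so whether it binds to loopback or to a wildcard address is not visible here. If it listens on all interfaces, any local user (and, should `allowedTCPPorts` ever grow, the network) can call the API without the htpasswd check; confirm the bind address and pin it to `::1` if the application offers a setting for it. Note also that nginx serves the web root from `/srv/traveldrafter` (refreshed by update-from-hydra) while the API runs `pkgs.traveldrafter` from the system closure, so frontend and backend can drift apart between a hydra update and the next rebuild. The unit could additionally carry `ProtectSystem = "strict";` and `ProtectHome = true;` alongside `DynamicUser`.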


@@ -5,12 +5,12 @@
[
./hardware-configuration.nix
../../configuration/desktop
./initrd.nix
./programs.nix
];
profiles.clerie.desktop.enable = true;
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;


@@ -8,6 +8,8 @@ let
lib = {
clerie-monitoring-ids = callLibs ./clerie-monitoring-ids.nix;
mkNixpkgs = callLibs ./mkNixpkgs.nix;
nixosSystem = callLibs ./nixosSystem.nix;
};
in


@@ -1,22 +0,0 @@
{ ... }:
rec {
llIPv6 = localIP: peerIP: interface: {
ips = [
"${localIP}/128"
];
postSetup = ''
ip -6 route flush dev ${interface}
ip addr del dev ${interface} ${localIP}/128 && ip addr add dev ${interface} ${localIP}/128 peer ${peerIP}/128
'';
};
llIPv4 = localIP: peerIP: interface: {
ips = [
"${localIP}/32"
];
postSetup = ''
ip -4 route flush dev ${interface}
ip addr del dev ${interface} ${localIP}/32 && ip addr add dev ${interface} ${localIP}/32 peer ${peerIP}/32
'';
};
}

27
lib/mkNixpkgs.nix Normal file

@@ -0,0 +1,27 @@
{
inputs,
self,
...
}:
/*
Loads a version of nixpkgs with nixfiles overlays loaded
*/
{
system,
nixpkgs ? inputs.nixpkgs,
overlays ? [],
...
}@args:
import nixpkgs {
inherit system;
overlays = [
self.overlays.clerie-inputs
self.overlays.clerie-pkgs
self.overlays.clerie-build-support
self.overlays.clerie-overrides
] ++ overlays;
}
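Review bot: The `@args` binding on the inner function is never referenced, so `}@args:` can simply be `}:` (the `...` already tolerates extra attributes). If the intent was to forward extra attributes to `import nixpkgs`, that would need something like `// builtins.removeAttrs args [ "system" "nixpkgs" "overlays" ]` as `nixosSystem.nix` does; as written the binding only suggests a pass-through that does not happen.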

42
lib/nixosSystem.nix Normal file

@@ -0,0 +1,42 @@
{
inputs,
self,
...
}:
/*
nixfiles.lib.nixosSystem, like nixpkgs.lib.nixosSystem but
with nixfiles overlays and modules already populated
*/
{
system ? null,
nixpkgs ? inputs.nixpkgs,
pkgs ? null,
modules ? [],
...
}@args:
nixpkgs.lib.nixosSystem ({
system = system;
pkgs = if pkgs != null then pkgs else (self.lib.mkNixpkgs {
inherit system nixpkgs;
});
modules = [
self.nixosModules.nixfilesInputs
self.nixosModules.clerie
self.nixosModules.profiles
({ config, lib, ... }: {
/*
Make the contents of the flake availiable to modules.
Useful for having the monitoring server scraping the
target config from all other servers automatically.
*/
_module.args = {
inputs = inputs;
_nixfiles = self;
};
})
] ++ modules;
} // builtins.removeAttrs args [ "system" "nixpkgs" "pkgs" "modules" ] )
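Review bot: When neither `pkgs` nor `system` is supplied, the fallback calls `self.lib.mkNixpkgs { inherit system nixpkgs; }` with `system = null`, which fails somewhere inside nixpkgs rather than at the call site; an explicit `assert pkgs != null || system != null;` in front of `nixpkgs.lib.nixosSystem` gives a readable error. `system = system;` can be written `inherit system;`, and the doc comment has a typo (`availiable`).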


@@ -1,13 +0,0 @@
let
stripR = str: if (builtins.substring ((builtins.stringLength str) - 1) (builtins.stringLength str) str) == "\n" then stripR (builtins.substring 0 ((builtins.stringLength str) - 1) str) else str;
hostsWithSshPubkey = builtins.filter (hostname: (builtins.substring 0 1 hostname) != "_" && builtins.pathExists (../hosts + "/${hostname}/ssh.pub")) (builtins.attrNames (builtins.readDir ../hosts));
sshkeyList = map (hostname: {
name = hostname;
sshPubkey = stripR (builtins.readFile (../hosts + "/${hostname}/ssh.pub"));
}) hostsWithSshPubkey;
knownHosts = builtins.concatStringsSep "" (builtins.map ({name, sshPubkey}: ''
${name} ${sshPubkey}
${name}.net.clerie.de ${sshPubkey}
'') sshkeyList);
in
knownHosts


@@ -60,16 +60,19 @@ let
config.sops.secrets."clerie-backup-job-${jobName}".path;
repoPath = if jobOptions.repoPath == null then "/${config.networking.hostName}/${jobName}" else jobOptions.repoPath;
targetPasswordFile = if targetOptions.passwordFile != null then targetOptions.passwordFile else
config.sops.secrets."clerie-backup-target-${targetName}".path;
config.sops.secrets."clerie-backup-target-${targetName}".path or null;
targetUsername = if targetOptions.username == null then config.networking.hostName else targetOptions.username;
in {
"clerie-backup/${jobName}-${targetName}/repo_password".source = jobPasswordFile;
"clerie-backup/${jobName}-${targetName}/repo_url".text = "${targetOptions.serverUrl}${repoPath}";
"clerie-backup/${jobName}-${targetName}/auth_username".text = targetUsername;
"clerie-backup/${jobName}-${targetName}/auth_password".source = targetPasswordFile;
"clerie-backup/${jobName}-${targetName}/files".text = concatStringsSep "\n" jobOptions.paths;
"clerie-backup/${jobName}-${targetName}/excludes".text = concatStringsSep "\n" jobOptions.exclude;
}
} // (if targetPasswordFile == null then {} else {
"clerie-backup/${jobName}-${targetName}/auth_password".source = targetPasswordFile;
}) // (if targetOptions.sshKeyFile == null then {} else {
"clerie-backup/${jobName}-${targetName}/ssh_key".source = targetOptions.sshKeyFile;
})
) jobTargetPairs);
targetOptions = { ... }: {
@@ -85,6 +88,10 @@ let
serverUrl = mkOption {
type = types.str;
};
sshKeyFile = mkOption {
type = with types; nullOr str;
default = null;
};
};
};
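Review bot: With `targetPasswordFile` now allowed to be null, a target that has neither a `clerie-backup-target-<name>` sops secret, nor `passwordFile`, nor `sshKeyFile` silently yields a job with no `auth_password` and no `ssh_key` entry at all; an `assertions` entry requiring at least one credential source per target would turn that into a build-time error instead of a failing backup. The new `sshKeyFile` option also lacks a `description`; since its value becomes a `.source`, a note that it must be a runtime path (a sops secret path, not a `"${./key}"` string, which would copy the private key into the world-readable Nix store) would be useful. The `let` block this hunk edits starts outside the hunk.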


@@ -3,18 +3,13 @@
with lib;
let
cfg = config.clerie.system-auto-upgrade;
cfg = config.services.bijwerken;
in
{
options = {
clerie.system-auto-upgrade = {
enable = mkEnableOption "clerie system upgrade";
allowReboot = mkOption {
type = types.bool;
default = false;
description = "Monitor NixOS";
};
services.bijwerken = {
enable = mkEnableOption "Automatic system upgrades";
autoUpgrade = mkOption {
type = types.bool;
default = false;
@@ -25,10 +20,15 @@ in
default = null;
description = "Systemd time string for starting the unit";
};
nodeExporterTextfilePath = mkOption {
type = with types; nullOr str;
default = null;
description = "Path to node exporter textfile for putting metrics";
};
};
};
config = mkIf cfg.enable {
systemd.services.clerie-system-auto-upgrade = {
systemd.services.bijwerken-system-upgrade = {
requires = [ "network-online.target" ];
after = [ "network-online.target" ];
@@ -38,10 +38,10 @@ in
serviceConfig = {
Type = "oneshot";
ExecStart = pkgs.clerie-system-upgrade + "/bin/clerie-system-upgrade --no-confirm${optionalString cfg.allowReboot " --allow-reboot"}${optionalString (config.clerie.monitoring.enable) " --node-exporter-metrics-path /var/lib/prometheus-node-exporter/textfiles/clerie-system-upgrade.prom"}";
ExecStart = (getExe pkgs.bijwerken-system-upgrade) + " --no-confirm${optionalString (cfg.nodeExporterTextfilePath != null) " --node-exporter-metrics-path ${cfg.nodeExporterTextfilePath}"}";
};
};
systemd.timers.clerie-system-auto-upgrade = mkIf cfg.autoUpgrade {
systemd.timers.bijwerken-system-upgrade = mkIf cfg.autoUpgrade {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = if cfg.startAt == null then "*-*-* 05:37:00" else cfg.startAt;
@@ -51,7 +51,7 @@ in
after = [ "network-online.target" ];
};
environment.systemPackages = with pkgs; [
clerie-system-upgrade
bijwerken-system-upgrade
];
};
}
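Review bot: The rename from `clerie.system-auto-upgrade` to `services.bijwerken` and the removal of `allowReboot` leave any host still setting the old options with a bare evaluation error; adding `(mkRenamedOptionModule [ "clerie" "system-auto-upgrade" "enable" ] [ "services" "bijwerken" "enable" ])` (and the same for `autoUpgrade`/`startAt`) plus `(mkRemovedOptionModule [ "clerie" "system-auto-upgrade" "allowReboot" ] "automatic reboots are no longer supported")` to `imports` gives a clear message. In the new `ExecStart`, `cfg.nodeExporterTextfilePath` is interpolated unquoted; systemd word-splits the command line, so `${escapeShellArg cfg.nodeExporterTextfilePath}` keeps a path with spaces intact. The textfile name also moves from `clerie-system-upgrade.prom` to `bijwerken-system-upgrade.prom`, so presumably the old file lingers in the textfile directory on upgraded hosts and keeps exporting a stale `clerie_system_upgrade_last_check` until removed.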


@@ -2,19 +2,17 @@
{
imports = [
./policyrouting
./akne
./backup
./bijwerken
./clerie-firewall
./clerie-gc-dir
./clerie-system-upgrade
./dhcpcd-prefixdelegation
./minecraft-server
./monitoring
./nginx-port-forward
./nixfiles
./update-from-hydra
./wg-clerie
./wireguard-initrd
];
}


@@ -42,7 +42,7 @@ let
default = null;
description = ''
Directory to store Minecraft database and other state/data files.
When null defaulting to /var/lib/minecraft-server-${name}
When null defaulting to /var/lib/minecraft-server-''${name}
'';
};
@@ -50,7 +50,7 @@ let
type = types.package;
default = pkgs.papermc;
defaultText = "pkgs.papermc";
example = literalExample "pkgs.minecraft-server_1_12_2";
example = literalExpression "pkgs.minecraft-server_1_12_2";
description = "Version of minecraft-server to run.";
};


@@ -75,6 +75,8 @@ in
systemd.services."prometheus-node-exporter".serviceConfig.RestrictAddressFamilies = [ "AF_NETLINK" ];
services.bijwerken.nodeExporterTextfilePath = "/var/lib/prometheus-node-exporter/textfiles/bijwerken-system-upgrade.prom";
services.prometheus.exporters.bird = mkIf cfg.bird {
enable = true;
};
@@ -102,6 +104,33 @@ in
listen = "[::]:9152";
};
services.prometheus.exporters.nginxlog = mkIf config.services.nginx.enable {
enable = true;
settings = {
namespaces = [
{
name = "nginxlog";
format = ''$host: $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$server_name" rt="$request_time" uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"'';
source = {
files = [
"/var/log/nginx/access.log"
];
};
relabel_configs = [
{
target_label = "server_name";
from = "server_name";
}
];
}
];
};
};
systemd.services."prometheus-nginxlog-exporter".serviceConfig = {
SupplementaryGroups = "nginx";
};
networking.firewall.interfaces."wg-monitoring".allowedTCPPorts = [
9100 # node-exporter
9152 # nixos-exporter
@@ -109,6 +138,8 @@ in
9324 # bird-exporter
] else []) ++ (if cfg.blackbox then [
9115 # blackbox-exporter
] else []) ++ (if config.services.prometheus.exporters.nginxlog.enable then [
config.services.prometheus.exporters.nginxlog.port
] else []);
};
}
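Review bot: The nginxlog exporter's `format` must match the `log_format` nginx actually uses for `/var/log/nginx/access.log` field for field, and that `log_format` is not part of this change; if the log is still written in the stock `combined` format (no leading `$host:`, no `rt=`/`uct=`/`uht=`/`urt=` fields) every line fails to parse and the exporter looks healthy while reporting nothing. A comment next to `format` such as `# must mirror nginx's log_format for access.log (defined in <webserver profile>); keep in sync` — or deriving both from one shared string — would prevent silent drift. `services.bijwerken.nodeExporterTextfilePath` is now set whenever this module's config applies, regardless of `services.bijwerken.enable`, which looks harmless but is worth a glance given the upgrade module previously gated this on `config.clerie.monitoring.enable` itself.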


@@ -9,7 +9,7 @@ let
mkServerBlock = isUDP: port: forward: ''
server {
resolver 127.0.0.53 ipv4=off valid=30s;
resolver ${cfg.resolver} ipv4=off valid=30s;
listen ${port}${optionalString isUDP " udp"}${optionalString (forward.certName != null) " ssl"};
listen [::]:${port}${optionalString isUDP " udp"}${optionalString (forward.certName != null) " ssl"};
@@ -54,6 +54,10 @@ in
options = {
clerie.nginx-port-forward = {
enable = mkEnableOption "Nginx Port Forward";
resolver = mkOption {
type = types.str;
description = "IP address of the resolver to use for upstream hostnames";
};
tcpPorts = mkOption {
type = with types; attrsOf (submodule portOpts);
default = {};
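Review bot: `resolver` has no default, so every host that enables `clerie.nginx-port-forward` now fails evaluation until it sets the new option; since the previous behaviour was the hardcoded `127.0.0.53`, `default = "127.0.0.53";` keeps existing configs working while still allowing an override. The value is spliced verbatim into the nginx `resolver` directive, so the description could mention that it is neither validated nor quoted. The hunk ends inside the `tcpPorts` option, which continues outside it.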


@@ -1,50 +0,0 @@
{ config, lib, ... }:
with lib;
let
cfg = config.petabyte.policyrouting;
ruleOpts = { ... }: {
options = {
prio = mkOption {
type = types.int;
};
rule = mkOption {
type = types.str;
};
};
};
in {
options = {
petabyte.policyrouting = {
enable = mkEnableOption "Declarative Policy-Routing";
rules = mkOption {
type = with types; listOf (submodule ruleOpts);
default = [];
};
rules6 = mkOption {
type = with types; listOf (submodule ruleOpts);
default = [];
};
rules4 = mkOption {
type = with types; listOf (submodule ruleOpts);
default = [];
};
};
};
config = mkIf cfg.enable {
petabyte.policyrouting.rules = [
{ rule = "lookup main"; prio = 32000; }
];
networking.localCommands = ''
set -x
ip -6 rule flush
ip -4 rule flush
${concatMapStringsSep "\n" ({ prio, rule }: "ip -6 rule add ${rule} prio ${toString prio}") (cfg.rules ++ cfg.rules6)}
${concatMapStringsSep "\n" ({ prio, rule }: "ip -4 rule add ${rule} prio ${toString prio}") (cfg.rules ++ cfg.rules4)}
'';
};
}


@@ -1,94 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.wg-clerie;
in
{
options = {
services.wg-clerie = {
enable = mkEnableOption "VPN for public static IP";
privateKeyFile = mkOption {
type = with types; nullOr str;
default = null;
description = "Path to file containing private key for wireguard interface";
};
ipv6s = mkOption {
type = with types; listOf str;
default = [];
description = "IPv6 interface addresses";
};
ipv4s = mkOption {
type = with types; listOf str;
default = [];
description = "IPv4 interface addresses";
};
defaultViaVPN = mkOption {
type = types.bool;
default = true;
description = "Use VPN default route for a protocol, if that protocol is unavailable in the underlay";
};
};
};
config = mkIf cfg.enable {
networking.iproute2.enable = true;
networking.iproute2.rttablesExtraConfig = ''
200 wg-clerie
'';
petabyte.policyrouting = {
enable = true;
rules6 = (concatMap (ip: [
{ rule = "from ${ip} lookup wg-clerie"; prio = 19000; }
{ rule = "from ${ip} unreachable"; prio = 19001; }
]) cfg.ipv6s) ++ [
# Do not reach VPN server via VPN
{ rule = "to 2a01:4f8:c0c:15f1::1/128 ipproto udp dport 51820 lookup main"; prio = 20000; }
{ rule = "to 2a01:4f8:c0c:15f1::1/128 ipproto udp dport 51820 unreachable"; prio = 20001; }
# Try direct routing first, fallback to VPN
{ rule = "lookup main"; prio = 21000; }
] ++ (if cfg.defaultViaVPN then [
{ rule = "lookup wg-clerie"; prio = 21001; }
] else []) ++ [
{ rule = "unreachable"; prio = 22000; }
];
rules4 = (concatMap (ip: [
{ rule = "from ${ip} lookup wg-clerie"; prio = 19000; }
{ rule = "from ${ip} unreachable"; prio = 19001; }
]) cfg.ipv4s) ++ [
# Do not reach VPN server via VPN
{ rule = "to 78.47.183.82/32 ipproto udp dport 51820 lookup main"; prio = 20000; }
{ rule = "to 78.47.183.82/32 ipproto udp dport 51820 unreachable"; prio = 20001; }
# Try direct routing first, fallback to VPN
{ rule = "lookup main"; prio = 21000; }
] ++ (if cfg.defaultViaVPN then [
{ rule = "lookup wg-clerie"; prio = 21001; }
] else []) ++ [
{ rule = "unreachable"; prio = 22000; }
];
};
networking.wireguard.enable = true;
networking.wireguard.interfaces = {
wg-clerie = {
privateKeyFile = if cfg.privateKeyFile != null then cfg.privateKeyFile else
config.sops.secrets.wg-clerie.path;
ips = cfg.ipv6s ++ cfg.ipv4s;
table = "wg-clerie";
peers = [
{
# Fallback to legacy IP if there is no route to VPN server
endpoint = "$(ip route get 2a01:4f8:c0c:15f1::1 ipproto udp dport 51820 &>/dev/null && echo '[2a01:4f8:c0c:15f1::1]:51820' || echo '78.47.183.82:51820')";
persistentKeepalive = 25;
dynamicEndpointRefreshSeconds = 5;
allowedIPs = [ "0.0.0.0/0" "::/0" "10.20.30.0/24" "2a01:4f8:c0c:15f1::/113" ];
publicKey = "2p1Jqs3bkXbXHFWE6vp1yxHIFoUaZQEARS2nJzbkuBA=";
}
];
};
};
};
}


@@ -48,5 +48,8 @@
},
"cleriewi.uber.space": {
"clerie-uberspace": { "enable": true }
},
"reichart.uber.space": {
"clerie-uberspace": { "enable": true }
}
}


@@ -0,0 +1,5 @@
#!/usr/bin/env bash
TARGETS="$(nix --extra-experimental-features "nix-command flakes" eval --raw ".#nixosConfigurations" --apply "nixosConfigurations: builtins.concatStringsSep \"\\n\" (builtins.attrValues (builtins.mapAttrs (name: host: host.config.networking.fqdn) nixosConfigurations))")"
pssh -h <(echo "${TARGETS}") -i -- sudo systemctl start bijwerken-system-upgrade.service --no-block
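Review bot: Run directly via its shebang the script has no strict mode, so a failing `nix eval` leaves `TARGETS` empty and `pssh` is invoked with an empty host list, whereas through `writeShellApplication` the wrapper adds `set -euo pipefail` and the same failure aborts; the two entry points behave differently. Either add `set -euo pipefail` after the shebang or drop the shebang so the file is only used through the wrapper, and guard the fan-out with `[[ -n "$TARGETS" ]] || { echo "no targets from nix eval" >&2; exit 1; }`. `echo "${TARGETS}"` works for hostnames, but `printf '%s\n' "$TARGETS"` is the safer habit.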


@@ -0,0 +1,10 @@
{ pkgs, ... }:
pkgs.writeShellApplication {
name = "bijwerken-poke";
text = builtins.readFile ./bijwerken-poke.sh;
runtimeInputs = with pkgs; [
pssh
];
}
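Review bot: `runtimeInputs` lists only `pssh`, but the script also calls `nix`, so the wrapper depends on whatever `nix` happens to be on the caller's PATH; adding `nix` to `runtimeInputs` makes the tool self-contained and pins the version whose `--extra-experimental-features` handling the script relies on. The file's own `#!/usr/bin/env bash` line ends up as a comment below the wrapper's shebang, which is harmless but worth knowing when reading the generated script.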


@@ -2,16 +2,11 @@
set -euo pipefail
ALLOW_REBOOT=
NO_CONFIRM=
NODE_EXPORTER_METRICS_PATH=
while [[ $# -gt 0 ]]; do
case $1 in
--allow-reboot)
ALLOW_REBOOT=1
shift
;;
--no-confirm)
NO_CONFIRM=1
shift
@@ -45,7 +40,7 @@ if [[ -z $NO_CONFIRM ]]; then
fi
echo "Download ${STORE_PATH}"
nix copy --from "https://nix-cache.clerie.de" "${STORE_PATH}"
nix copy --to daemon "${STORE_PATH}"
echo "Add to system profile"
nix-env -p "/nix/var/nix/profiles/system" --set "${STORE_PATH}"
@@ -55,7 +50,7 @@ echo "Set as boot target"
if [[ -n "$NODE_EXPORTER_METRICS_PATH" ]]; then
echo "Write monitoring check data"
echo "clerie_system_upgrade_last_check $(date +%s)" > "$NODE_EXPORTER_METRICS_PATH"
echo "bijwerken_system_upgrade_last_check $(date +%s)" > "$NODE_EXPORTER_METRICS_PATH"
fi
BOOTED_SYSTEM_KERNEL="$(readlink /run/booted-system/{initrd,kernel,kernel-modules})"
@@ -63,13 +58,8 @@ ACTIVATING_SYSTEM_KERNEL="$(readlink /nix/var/nix/profiles/system/{initrd,kernel
if [[ "$BOOTED_SYSTEM_KERNEL" != "$ACTIVATING_SYSTEM_KERNEL" ]]; then
echo "Reboot is required"
if [[ -n "$ALLOW_REBOOT" ]]; then
echo "Rebooting system now"
shutdown -r +1 "System update requires reboot"
else
echo "Automatic reboot not allowed (maybe use --allow-reboot next time)"
echo "The system upgrade is staged, please reboot manually soon"
fi
else
echo "No reboot is required"
echo "Activating system now"
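Review bot: The textfile write `echo "bijwerken_system_upgrade_last_check $(date +%s)" > "$NODE_EXPORTER_METRICS_PATH"` is not atomic; node_exporter can scrape a truncated file between the `>` and the write, so write a sibling temp file and rename it: `printf 'bijwerken_system_upgrade_last_check %s\n' "$(date +%s)" > "${NODE_EXPORTER_METRICS_PATH}.tmp"` followed by `mv -f "${NODE_EXPORTER_METRICS_PATH}.tmp" "$NODE_EXPORTER_METRICS_PATH"`. Dropping `--from "https://nix-cache.clerie.de"` means `nix copy --to daemon "${STORE_PATH}"` now has to obtain the path through the daemon's configured substituters and `trusted-public-keys`, so the step only works where that cache is already trusted in nix.conf — presumably the case on these hosts, but the preceding `echo "Download ${STORE_PATH}"` no longer says from where. The metric rename from `clerie_system_upgrade_last_check` also breaks any alert rule keyed on the old name until it is updated.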
