clerie/nixfiles
1
0
Fork 0
Code Activity

Compare commits

base: clerie:gpg-test
Branches Tags
clerie:master clerie:updated-inputs clerie:updated-inputs-2025-08-31-01-03 clerie:updated-inputs-2025-08-30-01-03 clerie:updated-inputs-2025-08-28-01-03 clerie:updated-inputs-2025-08-27-01-03 clerie:updated-inputs-2025-08-21-01-03 clerie:updated-inputs-2025-08-18-01-03 clerie:updated-inputs-2025-08-17-01-03 clerie:updated-inputs-2025-08-16-01-03 clerie:updated-inputs-2025-08-15-01-03 clerie:migrate-to-lix clerie:gpg-test
..
compare: clerie:updated-inputs-2025-08-30-01-03
Branches Tags
clerie:updated-inputs clerie:updated-inputs-2025-08-31-01-03 clerie:master clerie:updated-inputs-2025-08-30-01-03 clerie:updated-inputs-2025-08-28-01-03 clerie:updated-inputs-2025-08-27-01-03 clerie:updated-inputs-2025-08-21-01-03 clerie:updated-inputs-2025-08-18-01-03 clerie:updated-inputs-2025-08-17-01-03 clerie:updated-inputs-2025-08-16-01-03 clerie:updated-inputs-2025-08-15-01-03 clerie:migrate-to-lix clerie:gpg-test

238 Commits
gpg-test ... updated-in

Author SHA1 Message Date
Flake Update Bot
e9dfde7106 Update nixpkgs 2025-08-30-01-03 2025-08-30 03:04:04 +02:00
clerie
dd76691f7d pkgs/bijwerken-*,modules/bijwerken: Consolidate system update management and refactor under the same name 2025-08-17 21:49:24 +02:00
clerie
72cdef91d9 profiles/common-nix: Remove guests group from trusted nix users 2025-08-17 20:02:34 +02:00
clerie
22c7cb451b pkgs/nixfiles: Add helper script to trigger system upgrades 2025-08-17 19:05:22 +02:00
clerie
9357981ff3 hosts/monitoring-3: Alert on fem.social unavailable 2025-08-17 10:39:01 +02:00
clerie
eddb365ae5 hosts/monitoring-3: Alert nadja.top down after 15min only 2025-08-17 10:17:43 +02:00
clerie
d01de7fc4a hosts/monitoring-3: Add dashboards to deployment 2025-08-16 22:01:06 +02:00
clerie
a1ca9313b9 hosts/monitoring-3: Add Nginx Grafana dashboard 2025-08-15 20:50:24 +02:00
clerie
217ede0307 modules/monitoring: Extract metrics from nginx logs 2025-08-15 18:14:41 +02:00
clerie
643478b724 pkgs/generate-blocked-prefixes: Deduplicate prefixes before generating firewall rules 2025-08-14 20:20:33 +02:00
clerie
13b8ccd087 hosts/krypton: don't use onlyoffice anymore 2025-08-09 14:59:03 +02:00
clerie
7c3a97a90a hosts/web-2: Update legal.clerie.de 2025-08-09 11:42:04 +02:00
clerie
40338d9b85 hosts/monitoring-3: Monitor alertmanager 2025-08-09 11:41:34 +02:00
clerie
7f6f6281cc profiles/desktop: Migrate from configuration 2025-07-29 23:03:58 +02:00
clerie
2d4acb5a49 flake.lock: Update lix 2025-07-29 18:04:22 +02:00
Flake Update Bot
905682cf17 Update nixpkgs 2025-07-29-01-03 2025-07-29 03:04:11 +02:00
clerie
f5ec777e9b flake/hydraJobs.nix: Track additional packages in hydra 2025-07-28 22:48:59 +02:00
clerie
944bced757 pkgs/pipewire-all-bluetooth: A pipewire audio sink that distributes to all Bluetooth speakers 2025-07-28 22:36:49 +02:00
clerie
5bd15927d5 hosts/web-2: Block Alibaba Cloud because of scraper bots 2025-07-18 23:55:33 +02:00
clerie
9b05a008bb configuration/desktop: Add helvum audio routing gui 2025-07-15 19:39:46 +02:00
clerie
871ba5ea43 pkgs/uptimestatus: Explicitly specify build system 2025-07-15 19:26:50 +02:00
clerie
560e53f77b hosts/krypton: Add drune3d program 2025-07-12 13:21:30 +02:00
clerie
03aa425038 hosts/web-2: Add traveldrafter.clerie.de 2025-07-06 18:17:31 +02:00
clerie
751efd02bb hosts/porter: Enable system auto upgrade 2025-07-05 20:16:01 +02:00
clerie
43d1133772 modules/clerie-system-upgrade: Always reboot after an update 2025-06-30 18:35:57 +02:00
clerie
4245ae84ed hosts/carbon: Don't make kea depend on non existend network-setup.service anymore 2025-06-29 22:25:19 +02:00
clerie
b9f47fc30c flake.nix: Use patched nixpkgs for carbon 2025-06-29 17:29:01 +02:00
clerie
ce54f06fd0 flake/nixosConfigurations.nix: Handle host specific nixpkgs input again 2025-06-29 17:28:38 +02:00
clerie
457fa2ca6f lib/mkNixpkgs.nix: Add function to import nixpkgs with overlays 2025-06-29 16:56:41 +02:00
clerie
60e80ab2e9 profiles/gpg-ssh: Move gpg-ssh to profiles 2025-06-29 11:51:27 +02:00
clerie
4bf030c006 profiles/common-nix: Migrate nix common config zu profile 2025-06-29 11:34:11 +02:00
clerie
0204773d27 lib/nixosSystem.nix: Wrap nixpkgs.lib.nixosSystem and include nixfiles modules and overlays by default 2025-06-28 16:43:03 +02:00
clerie
a66da6cac9 lib/link-local-wireguard.nix: Remove obsolete functions 2025-06-28 16:27:06 +02:00
clerie
691d671420 pkgs/clerie-ssh-known-hosts: Expose function as package 2025-06-28 16:25:38 +02:00
clerie
fef845117e flake/nixosConfigurations.nix: Pull localNixpkgs directly instead of creating nixpkgs with local overlays again 2025-06-28 16:10:46 +02:00
clerie
11970e287c pkgs/build-support: Move clerie-build-support attribute name to overlay 2025-06-28 15:32:58 +02:00
clerie
cdc1a1e6de flake.nix: Add unused helper variable 2025-06-28 15:31:38 +02:00
clerie
e9b5dce77f flake.nix: Common naming scheme for overlays and no default overlays anymore 2025-06-28 15:22:16 +02:00
clerie
23190f0777 pkgs/overlay.nix: Get rid of pkgs/pkgs.nix and move overrides to separate overlay 2025-06-28 15:14:36 +02:00
clerie
1d927638c5 flake.nix: Exclude build support from flake exported packages and make pkgs/pkgs.nix obsolete again 2025-06-28 15:03:46 +02:00
clerie
a754af1ee9 configuration/desktop: Update renamed option name 2025-06-28 14:14:11 +02:00
clerie
617a27d4fe flake.lock: Update lix 2025-06-28 14:05:39 +02:00
clerie
eace2fabb2 pkgs/build-support: Add writePytonScript helper function 2025-06-28 14:03:57 +02:00
Flake Update Bot
721f6681e1 Update nixpkgs 2025-06-27-01-03 2025-06-27 03:04:09 +02:00
clerie
86bfe85982 hosts/porter: Resolve nginx proxy upstreams via unbound 2025-06-24 16:42:03 +02:00
clerie
e24190ae08 hosts/dn42-il-gw1: Open firewall for wireguard tunnel ports 2025-06-11 08:07:13 +02:00
clerie
9755550435 hosts/dn42-il-gw1: AS4242421718 fix link local peer address 2025-06-11 08:06:42 +02:00
clerie
0dfc013122 hosts/dn42-il-gw1: Add peer AS4242421718 2025-06-10 23:08:38 +02:00
clerie
3c85462f46 monitoring/targets.json: Check fem.social http 2025-06-03 15:43:05 +02:00
clerie
cc1790bf30 modules/nginx-port-forward: Proxy upstream DNS is only reresolved when referenced as a variable 2025-06-03 15:41:56 +02:00
clerie
c97799b97c hosts/monitoring-3: Alert on broken IPv4 to IPv6 proxy 2025-06-02 18:46:43 +02:00
clerie
3b0986cc57 modules/nginx-port-forward: Hardcode dns response caching time to 30s 2025-06-02 18:30:35 +02:00
clerie
89a96632a2 pkgs/overrides: Disable openpgp support in dino 2025-06-02 18:16:33 +02:00
clerie
a7950d2466 pkgs/overrides: Deactivate notification sounds in dino 2025-06-02 18:04:25 +02:00
clerie
c31b68d96a flake.lock: Update bij 2025-06-01 22:20:33 +02:00
clerie
c49e26d828 modules/nginx-port-forward: Resolve upstream hostnames as IPv6 only 2025-06-01 20:32:50 +02:00
clerie
5add1baa8d flake.nix: Update lix 2025-06-01 14:50:29 +02:00
clerie
ff4b3579b3 monitoring/targets.json: Monitor some more websites 2025-06-01 14:25:38 +02:00
clerie
16f709b7aa monitoring/targets.json: Don't ping matrix hosts 2025-06-01 14:19:22 +02:00
clerie
096fe1dc03 profiles/monitoring-server: Monitor http 2025-06-01 14:08:57 +02:00
clerie
e475e46e3c profiles/monitoring-server: Fetch monitoring targets from json file 2025-06-01 13:31:43 +02:00
clerie
92f8495111 modules/nginx-port-forward: Automatically reresolve hostnames 2025-05-31 13:03:00 +02:00
clerie
50ca6f03ee hosts/porter: Proxy port 80 and 443 to baikonur 2025-05-31 13:02:18 +02:00
clerie
1a9475ad7f profiles/common-webserver: Migrate webserver config to profile 2025-05-31 13:00:43 +02:00
clerie
fae30a0fc5 hosts/monitoring-3: Don't alert for /nix/store disk full 2025-05-29 12:16:26 +02:00
clerie
f70421d8f9 Revert "pkgs/overrides: Dino uses OMEMO by default for new conversations" 
Fixed upstream

This reverts commit 1c087b0c9f.
 2025-05-27 16:35:34 +02:00
Flake Update Bot
3f2c0fc244 Update nixpkgs 2025-05-27-01-03 2025-05-27 03:04:02 +02:00
clerie
cddd9b1a1e pkgs/git-show-link: Improve linking to directory 2025-05-25 20:48:07 +02:00
clerie
efad5a6cbb pkgs/git-show-link: Normalize paths 2025-05-25 20:21:51 +02:00
clerie
d334a1a73c pkgs/git-show-link: Link to files directly 2025-05-25 19:59:59 +02:00
clerie
4fa4c8d669 configuration/common: Don't force requests ca bundle environment var 2025-05-25 14:15:54 +02:00
clerie
46d23fb98a pkgs/git-show-link: Specify URL format using --remote-type 2025-05-23 14:51:20 +02:00
clerie
4e56adef58 pkgs/git-show-link: Display error message when not executed in a git repo 2025-05-23 14:28:03 +02:00
clerie
b93dc9f16b configuration/common: Make Python requests always use system CA 2025-05-19 18:43:38 +02:00
clerie
44d1a444ba pkgs/git-show-link: Handle branch names with slashes properly 2025-05-19 10:49:32 +02:00
clerie
d0c6ecff4c flake.lock: Update nixos-exporter 2025-05-08 21:50:31 +02:00
clerie
1042cf279f profiles/hydra-build-machine: Migrate configuration to profile 2025-05-08 17:17:01 +02:00
clerie
fe23b7745f configuration/dn42: Remove obsolete configuration 2025-05-08 16:31:33 +02:00
clerie
ced991b911 profiles/router: Migrate configuration to profile 2025-05-08 16:17:26 +02:00
clerie
fa1220dcf8 configuration/router: All hosts using this config don't do BGP and OSPF 2025-05-08 15:55:59 +02:00
clerie
802a731a57 Merge remote-tracking branch 'origin/updated-inputs-2025-05-06-01-03' 2025-05-08 12:19:02 +02:00
clerie
8b9acbb9b1 hosts/monitoring-3: Display pretty scraping address for nixos-validator 2025-05-08 12:13:54 +02:00
clerie
0b6d9623bc modules/monitoring: Migrate firewall from iptables to NixOS declarative 2025-05-08 12:03:35 +02:00
clerie
69ccc0c692 profiles/wg-clerie: Convert systemd timer into a service with sleep 2025-05-08 11:34:05 +02:00
clerie
1c087b0c9f pkgs/overrides: Dino uses OMEMO by default for new conversations 2025-05-07 18:33:59 +02:00
clerie
8d3057758f pkgs/pull-scans: Add script 2025-05-06 21:43:41 +02:00
Flake Update Bot
87b0c38260 Update nixpkgs 2025-05-06-01-03 2025-05-06 03:03:05 +02:00
clerie
70cde0e367 hosts/storage-2: Allow frank access to em 2025-05-05 12:24:26 +02:00
clerie
593739120a hosts/storage-2: Add location em 2025-05-05 12:24:00 +02:00
clerie
1e810adc51 users/frank: Add user 2025-05-05 12:23:15 +02:00
clerie
891b8ae718 hosts/clerie-backup: Update hardware configuration 2025-04-29 17:26:29 +02:00
clerie
f33b8c0cdf hosts/clerie-backup: Move VM to different region 2025-04-28 15:54:28 +02:00
clerie
dffebb92e8 profiles/firefox: Use webcam through pipewire 2025-04-27 14:12:44 +02:00
clerie
ecdb362f60 profiles/firefox: Provide default configuration 2025-04-27 13:55:33 +02:00
clerie
074ab4befc flake.lock: Update rainbowrss 2025-04-26 13:58:55 +02:00
clerie
35d572e414 hosts/dn42-ildix-service: Disable mimalloc in fernglas so it builds with current nixpkgs 2025-04-26 13:45:49 +02:00
Flake Update Bot
0e0bb82ebd Update nixpkgs 2025-04-24-01-03 2025-04-24 03:03:06 +02:00
clerie
4777fb2eae flake.lock: Update fernglas 2025-04-23 20:02:47 +02:00
clerie
c285e4db89 flake.lock: Update lix 2025-04-22 00:03:40 +02:00
clerie
6e2b11e696 pkgs/uptimestatus: Use python instead of python3 2025-04-21 23:30:51 +02:00
clerie
04f8df6c08 pkgs/iot-data: Remove package 2025-04-21 22:32:53 +02:00
clerie
ae8f8961ea flake.lock: Update rainbowrss 2025-04-21 22:29:43 +02:00
clerie
414402561b hosts/backup-4: Replicate backup to palladium 2025-04-18 11:24:06 +02:00
clerie
fed00bd41b modules/backup: Specify backup server as full URL 2025-04-16 22:03:38 +02:00
clerie
c0a8f8116e hosts/nonat: Enable DHCPv6 to try out NTP 2025-04-16 21:05:01 +02:00
clerie
e9210d4ada hosts/backup-4,hosts/palladium: Setup direct VPN tunnel for backups 2025-04-15 20:55:56 +02:00
clerie
47921ea988 hosts/palladium: Enable monitoring 2025-04-15 20:02:38 +02:00
clerie
3fdf10641b hosts/palladium: Enable wg-clerie 2025-04-15 19:52:24 +02:00
clerie
e9695286b6 pkgs/clerie-sops: Write config to temp file as sops can't read config from pipe 2025-04-15 19:32:21 +02:00
clerie
e125d5d3bf hosts/monitoring-3: Alert when GPG key is about to expire 2025-04-14 21:45:09 +02:00
clerie
cc00e92b51 hosts/web-2: asc file type is already in default mime types 2025-04-14 21:28:08 +02:00
clerie
aaf7bb8871 users/clerie: Extend GPG expiry date 2025-04-14 20:07:53 +02:00
clerie
84dffed418 profiles/wg-clerie: Send host originating traffic to targets reachable via wg-clerie via wg-clerie 2025-04-14 19:11:42 +02:00
clerie
83a094bbd0 hosts/*: Disable DHCPv6Client on every host 2025-04-13 17:05:37 +02:00
clerie
32ec59e303 pkgs/clerie-update-nixfiles: Add script to delete old update-nixfiles branches 2025-04-07 21:37:47 +02:00
clerie
8af0eb2386 profiles/common: Make common-networking the default 2025-04-07 21:27:03 +02:00
clerie
323018daaa profiles/common-dns: Fix typo 2025-04-07 21:11:53 +02:00
clerie
98b4cde2e4 pkgs/git-show-link: Pass format args as dataclass 2025-04-07 17:16:00 +02:00
clerie
f9359f4d50 hosts/dn42-ildix-service: Migrate to systemd-networkd 2025-03-24 21:39:04 +01:00
clerie
a44dfd1e65 hosts/dn42-ildix-clerie: Migrate to systemd-networkd 2025-03-24 20:48:17 +01:00
clerie
1d7eb45286 profiles/serial-console: Add profile for serial console and enable on mercury VMs be default 2025-03-23 14:30:17 +01:00
clerie
c100f6e95b hosts/dn42-il-gw1: Migrate to systemd-networkd and dn42-router profile 2025-03-22 17:51:03 +01:00
clerie
d304a47f89 profiles/dn42-router: Fix defaults and decryption of module options 2025-03-22 17:49:52 +01:00
clerie
58f7ba4518 hosts/dn42-il-gw6: Migrate to systemd-networkd and dn42-router profile 2025-03-22 17:27:39 +01:00
clerie
cfbeab8706 profiles/dn42-router: Take over config from configuration/dn42 2025-03-22 17:11:59 +01:00
clerie
032987bce5 hosts/dn42-il-gw5: Migrate to systemd-networkd and dn42-router profile 2025-03-22 17:05:02 +01:00
clerie
89ec7e8394 profiles/dn42-router: Add module for dn42 router 2025-03-22 17:04:16 +01:00
clerie
2e35c7955e hosts/dn42-il-gw1: Remove disconnected AS4242420197 n0emis 2025-03-22 14:40:42 +01:00
clerie
6d774cc8ba hosts/dn42-il-gw1: Remove disconnected AS4242421302 perflyst 2025-03-22 14:38:54 +01:00
clerie
75777aa68c profiles/common-dns,profiles/common: Enable systemd-resolved everywhere 2025-03-22 14:34:40 +01:00
clerie
552d2a964c profiles/wg-clerie: Refresh endpoint selection with systemd timer 2025-03-21 18:19:44 +01:00
clerie
9e7deadfb5 hosts/krypton,hosts/zinc: Migrate to systemd-network 2025-03-20 20:07:06 +01:00
clerie
de3bc903ef profiles/common-networking: Centralize new network config 2025-03-20 20:03:39 +01:00
clerie
fed25f02d8 profiles/wg-clerie: Don't let NetworkManager touch the VPN interface 2025-03-20 19:55:17 +01:00
clerie
7a210b13be hosts/_iso: Migrate to systemd-network 2025-03-20 19:46:54 +01:00
clerie
a29978c95a hosts/astatine: Migrate to systemd-network 2025-03-20 19:44:35 +01:00
clerie
2d6afc2093 profiles/wg-clerie: wg-clerie not required for online 2025-03-20 19:43:57 +01:00
clerie
5a719c2f01 hosts/astatine,hosts/beryllium,hosts/tungsten: Migrate to profiles.clerie.wg-clerie 2025-03-20 19:30:47 +01:00
clerie
effb386e51 profiles/wg-clerie: Only configure sops secret if we want to use that 2025-03-20 19:30:10 +01:00
clerie
3ec00be4d0 profiles/wg-clerie: Migrate wg-clerie to systemd-networkd 2025-03-20 19:06:51 +01:00
clerie
006877c4ae hosts/astatine,hosts/beryllium,hosts/tungsten: Migrate to 
systemd-networkd

Policy routing clashed with the fallback dhcp on any interface module
for some unknown reason, therefore wg-clerie is disabled on all of these
devices
 2025-03-19 20:07:37 +01:00
clerie
3efc575902 hosts/astatine: Remove unused services 2025-03-19 16:48:11 +01:00
clerie
6beb19b93d hosts/krypton: Use okular from kdePackages 2025-03-18 16:33:38 +01:00
Flake Update Bot
f75393544d Update nixpkgs 2025-03-17-02-03 2025-03-17 03:03:59 +01:00
clerie
2f84edcd99 hosts/palladium: Migrate to systemd-network 2025-03-16 19:09:27 +01:00
clerie
3deb7383e1 hosts/storage-2: Migrate to systemd-network 2025-03-16 18:44:55 +01:00
clerie
f79d99be54 hosts/osmium: Migrate to systemd-network 2025-03-16 18:37:08 +01:00
clerie
ca2f13f765 hosts/nonat: Migrate to systemd-network 2025-03-16 18:29:21 +01:00
clerie
604c30edea hosts/monitoring-3: Migrate to systemd-network 2025-03-16 18:21:35 +01:00
clerie
7141a7fadd hosts/hydra-2: Migrate to systemd-network 2025-03-16 18:12:39 +01:00
clerie
f96326de36 hosts/hydra-1: Migrate to systemd-network 2025-03-16 18:00:16 +01:00
clerie
0cb1c4105a hosts/clerie-backup: Enable systemd-networkd 2025-03-16 17:50:59 +01:00
clerie
e6be0bd7a6 hosts/clerie-backup: Remove a lot of deprecated backup automation 2025-03-16 17:46:20 +01:00
clerie
dd164c1284 hosts/backup-4: Migrate to systemd-networkd 2025-03-16 17:07:07 +01:00
clerie
21fa57545b flake.nix: Update lix 2025-03-16 12:20:25 +01:00
clerie
a0a298689e profiles/mercury-vm,profiles/cybercluster-vm: Add profiles for Proxmox VMs 2025-03-16 12:19:08 +01:00
clerie
97d826ef89 hosts/gatekeeper,hosts/mail-2,hosts/web-2: Migrate Hetzner VMs to systemd-networkd 2025-03-13 19:07:31 +01:00
clerie
8eaf11fb57 profiles/hetzner-cloud: Migrate Hetzner VMs to Hetzner Cloud profile 2025-03-13 18:46:11 +01:00
clerie
ec6390be3f profiles/netcup: Add profile for Netcup VM 2025-03-13 18:04:19 +01:00
clerie
e4dc3bdc1f hosts/porter: Migrate to systemd-networkd 2025-03-13 17:42:16 +01:00
clerie
87466f0ac9 hosts/palladium: Fresh system install 2025-03-12 22:18:10 +01:00
clerie
29da5a77c8 pkgs/overlay.nix: Generate overlay from attrset we can use to automatically get the package names for our own packets from 2025-03-12 20:50:49 +01:00
clerie
9bb1d93db7 hosts/palladium: Remove services 2025-03-10 19:18:56 +01:00
clerie
a8b084628f hosts/monitoring-3: Monitor uberspace hosts 2025-03-07 22:03:34 +01:00
clerie
7254525c8e pkgs/git-show-link: Match names with special chars too 2025-03-06 20:14:27 +01:00
clerie
dbd16ed438 pkgs/git-show-link: Add helper to display links to local git objects 2025-03-06 20:05:08 +01:00
clerie
26d1ddfaee hosts/monitoring-3: Enable websockets with Grafana 2025-03-06 18:40:43 +01:00
clerie
3f07e7dbd7 hosts/dn42-il*: Migrate bird config to new module name 2025-03-02 17:36:49 +01:00
clerie
d257df7939 Merge remote-tracking branch 'origin/updated-inputs-2025-02-22-02-03' 2025-03-02 15:06:54 +01:00
clerie
360dbe0a07 hosts/tungsten: Add to monitoring and to wg-clerie 2025-02-25 19:01:57 +01:00
clerie
c4f6bd926e hosts/tungsten: Add storage 2025-02-25 18:14:35 +01:00
Flake Update Bot
07b0f70747 Update nixpkgs 2025-02-22-02-03 2025-02-22 03:03:06 +01:00
clerie
99c82a2898 pkgs/clerie-system-remote-install: Install NixOS system remotely without evaluating anything on remote 2025-02-21 20:33:01 +01:00
clerie
427820aa37 hosts/tungsten: Init host 2025-02-21 20:26:02 +01:00
clerie
822763abe4 hosts/_iso: Allow clerie to log in to root directly with SSH keys 2025-02-21 20:25:39 +01:00
clerie
9ae31d6786 hosts/_iso: Make iso bootable again by disabling systemd in initrd 2025-02-20 20:20:12 +01:00
clerie
12a5d4b816 hosts/clerie-backup,hosts/backup-4: Add backup repo for cleriewi.uber.space 2025-02-16 19:20:35 +01:00
clerie
638721cceb pkgs/nixfiles,pkgs/clerie-sops: Allow htpasswd edit the htpasswd file directly and therefor update existing entries 2025-02-16 18:59:47 +01:00
clerie
5345828a56 pkgs/nixfiles: Display generated backup secrets and make configureing hosts optional 2025-02-16 18:34:15 +01:00
clerie
5b03dd5ef9 hosts/backup-4,hosts/clerie-backup: Add backup targets for clerie.uber.space 2025-02-16 12:11:32 +01:00
clerie
141f956e9a pkgs/clerie-backup: Fix typos 2025-02-15 01:33:12 +01:00
clerie
61a7d64452 modules/backup: Migrate automatic backups to clerie-backup backend 2025-02-14 13:17:26 +01:00
clerie
d17c2855ac pkgs/clerie-backup: Add script to unify backup configs 2025-02-14 13:09:59 +01:00
clerie
f353d7b494 configuration/common: Content-Type utf-8 everywhere 2025-02-05 19:11:48 +01:00
clerie
420e9a65f2 configuration/common: Serve nix files with mime type text/plain over nginx 2025-01-31 21:54:31 +01:00
clerie
df96b9070d configuration/desktop: Update renamed options 2025-01-31 21:53:10 +01:00
clerie
3b7f59a66e hosts/monitoring-3: Warn if storages are almost full 2025-01-21 17:18:41 +01:00
clerie
fd2987c9fe flake.lock: Update harmonia 2025-01-16 22:06:50 +01:00
clerie
9f7517c75c hosts/_iso: Overwrite nixos defaults 2025-01-16 19:15:06 +01:00
Flake Update Bot
a2d4f6a803 Update nixpkgs 2025-01-14-02-03 2025-01-14 03:04:10 +01:00
clerie
b0e19708c0 flake.lock: Update scan-to-gpg 2025-01-11 15:39:50 +01:00
clerie
13dd689240 hosts/web-2: Read feeds from different directory 2025-01-06 18:38:16 +01:00
clerie
e70ff56b28 hosts/web-2: Add feeds.clerie.de 2025-01-05 16:26:46 +01:00
clerie
1b86f094c8 hosts/web-2: Redirect to admin interface of etebase 2025-01-03 22:50:42 +01:00
clerie
aad53d5072 hosts/krypton: Add etesync-dav 2025-01-03 16:15:57 +01:00
clerie
df7fba921f hosts/web-2: Add etebase.clerie.de 2025-01-03 15:49:22 +01:00
clerie
c091d4a952 pkgs/clerie-update-nixfiles: Fix changed nix command 2025-01-03 15:01:09 +01:00
clerie
091abaea4a Merge branch 'migrate-to-lix' 2025-01-01 11:54:16 +01:00
clerie
bea417fe8e flake.nix: Use lix hydra 2024-12-31 20:38:22 +01:00
clerie
1f373851d1 flake.nix: Add lix 2024-12-31 19:24:16 +01:00
clerie
a6e2d7a78d flake.lock: Update solid-xmpp-alarm 2024-12-17 18:38:39 +01:00
clerie
cc89b20a2c pkgs/overrides/xmppc: patch to read password from file 2024-12-16 17:31:57 +01:00
clerie
75af9b7383 pkgs/factorio-launcher: Add wrapper to launch factorio 2024-12-09 20:34:07 +01:00
clerie
36c6ada07c flake.lock: Update scan-to-gpg 2024-12-09 18:53:17 +01:00
clerie
962acece38 hosts/carbon: Fix broken per start script generation 2024-12-09 18:34:32 +01:00
clerie
be1fc59843 configuration/desktop: Tune upower tresholds 2024-12-01 20:11:42 +01:00
clerie
3cff496e74 Merge remote-tracking branch 'origin/updated-inputs-2024-11-27-02-03' 2024-11-29 19:15:51 +01:00
clerie
45e14d65ec hosts/web-2: Upgrade to postgresql 16 2024-11-29 19:14:14 +01:00
Flake Update Bot
c54004b102 Update nixpkgs 2024-11-27-02-03 2024-11-27 03:04:05 +01:00
clerie
a76e8cf3c0 hosts/carbon: Add scan-to-gpg 2024-11-24 20:43:27 +01:00
clerie
6dc38cf21e hosts/carbon: Add net-printer 2024-11-23 23:00:19 +01:00
clerie
dff6bb1a4e configuration/desktop: Add global mic mute shortcut 2024-11-22 09:46:02 +01:00
clerie
c63a781dc6 pkgs/clerie-sops: regenerate clerie-sops-config on every call to clerie-sops 2024-11-21 22:31:42 +01:00
clerie
0e00c74ba7 configuration/desktop: Handle renamed font in future releases 2024-11-21 13:45:26 +01:00
clerie
923229dc00 configuration/common: Allow overriding nix version per host 2024-11-21 13:25:27 +01:00
clerie
cfe722a3cb hosts/monitoring-3: Remove some ping targets 2024-11-20 22:31:52 +01:00
clerie
9dc9c7aebe hosts/monitoring-3: Remove XMPP Alerter Prometheus scrape target 2024-11-20 22:30:43 +01:00
clerie
8e43e4db39 hosts/web-2: Remove nogo2024.clerie.de 2024-11-20 22:23:22 +01:00
clerie
113a14cb9b hosts/web-2: Remove iot-data.clerie.de 2024-11-20 22:21:30 +01:00
clerie
75f691061b hosts/web-2: Remove tap.clerie.de 2024-11-20 22:18:24 +01:00
clerie
11e6ed35cc hosts/web-2: Remove bubblesort.clerie.de 2024-11-20 22:17:39 +01:00
clerie
5265e6234e hosts/web-2: Update clerie.de 2024-11-20 22:13:50 +01:00
clerie
d946d31c81 configuration/common: Pin nix version to 2.18 2024-11-20 20:40:27 +01:00
clerie
5f6c3b9258 configuration/common: Remove nix experimental feature repl-flake 2024-11-20 20:32:41 +01:00
clerie
54dc097b44 hosts/carbon: Enable mDNS reflection between net-heimnetz and net-iot 2024-11-12 21:09:45 +01:00
clerie
684c5e9ac5 hosts/zinc: Add mumble 2024-11-10 20:05:18 +01:00
clerie
6840548833 hosts/carbon: Readvertise prefixes often enough 
Advertise current prefixes more often than claimed addresses expire.
Also increased lifetimes for claimed addresses.
 2024-11-10 19:52:47 +01:00
clerie
bf294bee3a flake.nix: Update harmonia 2024-10-25 15:02:40 +02:00
clerie
b779a75969 hosts/zinc: Remove cura 2024-10-25 14:40:34 +02:00
clerie
edc2461e5a pkgs/git-pp: Git pull and push in one go 2024-10-25 13:31:16 +02:00
clerie
f9ab9b4136 hosts/hydra-1: Migrate to modules harmonia signKeyPaths implementation 2024-10-24 21:01:48 +02:00
clerie
5d45d3aac1 configuration/gpg-ssh: Custom gnupg without builtin ccid driver in scdaemon 2024-10-22 18:01:37 +02:00
clerie
09f54a05ee hosts/carbon: Do not fall back IPv6 traffic via VPN, if no native IPv6 is available 2024-10-20 17:06:36 +02:00
clerie
24472aec49 hosts/monitoring-3: Enable Synapse Monitoring for matrix.fachschaften.org 2024-10-20 16:42:27 +02:00
clerie
db3824b5b8 hosts/carbon: Clamp MSS to path MTU 2024-09-23 17:00:33 +02:00
clerie
fee4892479 hosts/carbon: Remove broken dhcpv6 profixdelegation 2024-09-23 16:21:07 +02:00
clerie
f3cdba6ee4 hosts/carbon: Remove regular reboot 2024-09-16 20:37:05 +02:00
clerie
04eb86fe14 pkgs/run-with-docker-group: Add common env vars 2024-09-12 09:44:38 +02:00
204 changed files with 5912 additions and 2160 deletions
Expand all files Collapse all files

4
configuration/common/backup.nix
View File

@@ -4,8 +4,8 @@
clerie.backup = {
targets = {
cyan.serverName = "cyan.backup.clerie.de";
magenta.serverName = "magenta.backup.clerie.de";
cyan.serverUrl = "https://cyan.backup.clerie.de";
magenta.serverUrl = "https://magenta.backup.clerie.de";
};
};

11
configuration/common/certificates.nix Normal file
View File

@@ -0,0 +1,11 @@
{ config, lib, ... }:
with lib;
{
environment.sessionVariables = {
REQUESTS_CA_BUNDLE = mkDefault config.security.pki.caBundle;
};
}

3
configuration/common/default.nix
View File

@@ -3,15 +3,14 @@
{
imports = [
./backup.nix
./certificates.nix
./initrd.nix
./locale.nix
./networking.nix
./nix.nix
./programs.nix
./ssh.nix
./systemd.nix
./user.nix
./web.nix
];
services.fstrim.enable = true;

71
configuration/common/nix.nix
View File

@@ -1,71 +0,0 @@
{ lib, pkgs, ... }:
{
clerie.nixfiles.enable = true;
clerie.system-auto-upgrade.enable = true;
nix.settings = {
trusted-users = [ "@wheel" "@guests" ];
auto-optimise-store = true;
# Keep buildtime dependencies
keep-outputs = true;
# Build local, when caches are broken
fallback = true;
};
nix.gc = lib.mkDefault {
automatic = true;
dates = "weekly";
options = "--delete-older-than 30d";
};
nix.settings = {
experimental-features = [
"flakes"
"nix-command"
"repl-flake"
];
substituters = [
"https://nix-cache.clerie.de"
];
trusted-public-keys = [
"nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g="
];
};
# Pin current nixpkgs channel and flake registry to the nixpkgs version
# the host got build with
nix.nixPath = lib.mkForce [ "nixpkgs=${lib.cleanSource pkgs.path}" ];
nix.registry = {
"nixpkgs" = lib.mkForce {
from = {
type = "indirect";
id = "nixpkgs";
};
to = {
type = "path";
path = lib.cleanSource pkgs.path;
};
exact = true;
};
"templates" = {
from = {
type = "indirect";
id = "templates";
};
to = {
type = "git";
url = "https://git.clerie.de/clerie/flake-templates.git";
};
};
};
documentation.doc.enable = false;
environment.systemPackages = with pkgs; [
nix-remove-result-links
];
}

50
configuration/common/web.nix
View File

@@ -1,50 +0,0 @@
{ ... }:
{
services.nginx = {
enableReload = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
commonHttpConfig = ''
server_names_hash_bucket_size 64;
map $remote_addr $remote_addr_anon {
~(?P<ip>\d+\.\d+\.\d+)\. $ip.0;
~(?P<ip>[^:]*:[^:]*(:[^:]*)?): $ip::;
default ::;
}
log_format combined_anon '$remote_addr_anon - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
log_format vcombined_anon '$host: $remote_addr_anon - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log vcombined_anon;
'';
virtualHosts = {
"default" = {
default = true;
rejectSSL = true;
locations."/" = {
return = ''200 "Some piece of infrastructure\n"'';
extraConfig = ''
types { } default_type "text/plain; charset=utf-8";
'';
};
};
};
};
services.logrotate.settings.nginx = {
frequency = "daily";
maxage = 14;
};
security.acme = {
defaults.email = "letsencrypt@clerie.de";
acceptTerms = true;
};
}

19
configuration/desktop/audio.nix
View File

@@ -1,19 +0,0 @@
{ ... }:
{
hardware.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa = {
enable = true;
support32Bit = true;
};
pulse = {
enable = true;
};
};
}

19
configuration/desktop/default.nix
View File

@@ -1,19 +0,0 @@
{ ... }:
{
imports = [
./audio.nix
./firmware.nix
./fonts.nix
./gnome.nix
./inputs.nix
./networking.nix
./polkit.nix
./power.nix
./printing.nix
./ssh.nix
./xserver.nix
];
security.sudo.wheelNeedsPassword = true;
}

7
configuration/desktop/firmware.nix
View File

@@ -1,7 +0,0 @@
{ ... }:
{
services.fwupd.enable = true;
}

14
configuration/desktop/fonts.nix
View File

@@ -1,14 +0,0 @@
{ pkgs, ... }:
{
fonts.enableDefaultPackages = true;
fonts.packages = with pkgs; [
roboto
roboto-mono
noto-fonts
noto-fonts-cjk
noto-fonts-emoji
comfortaa
];
}

61
configuration/desktop/gnome.nix
View File

@@ -1,61 +0,0 @@
{ pkgs, ... }:
{
services.gnome = {
tracker-miners.enable = false;
tracker.enable = false;
};
environment.gnome.excludePackages = with pkgs; [
baobab
epiphany
gnome-calendar
gnome-clocks
gnome-console
gnome-contacts
gnome-logs
gnome-maps
gnome-music
gnome-tour
gnome-photos
gnome-weather
gnome-connections
simple-scan
yelp
geary
];
environment.systemPackages = with pkgs; [
evolution
gnome-terminal
gnome-tweaks
];
services.gnome.evolution-data-server.enable = true;
programs.dconf.profiles = {
user.databases = [
{
settings = {
"org/gnome/desktop/calendar" = {
show-weekdate = true;
};
"org/gnome/desktop/interface" = {
enable-hot-corners = false;
show-battery-percentage = true;
};
"org/gnome/desktop/notifications" = {
show-in-lock-screen = false;
};
"org/gnome/desktop/sound" = {
event-sounds = false;
};
"org/gnome/gnome-system-monitor" = {
network-in-bits = true;
network-total-in-bits = true;
};
};
}
];
};
}

42
configuration/desktop/inputs.nix
View File

@@ -1,42 +0,0 @@
{ ... }:
{
programs.dconf.profiles = {
user.databases = [
{
settings = {
"org/gnome/desktop/peripherals/touchpad" = {
disable-while-typing = false;
edge-scrolling-enabled = false;
natural-scroll = true;
tap-to-click = true;
two-finger-scrolling-enabled = true;
};
"org/gnome/settings-daemon/plugins/media-keys" = {
custom-keybindings = [
"/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/terminal/"
];
};
"org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/terminal" = {
name = "Terminal";
binding = "<Primary><Alt>t";
command = "gnome-terminal";
};
};
}
];
gdm.databases = [
{
settings = {
"org/gnome/desktop/peripherals/touchpad" = {
disable-while-typing = false;
edge-scrolling-enabled = false;
natural-scroll = true;
tap-to-click = true;
two-finger-scrolling-enabled = true;
};
};
}
];
};
}

14
configuration/desktop/networking.nix
View File

@@ -1,14 +0,0 @@
{ ... }:
{
networking.networkmanager.settings = {
connectivity = {
uri = "http://ping.clerie.de/nm-check.txt";
};
global-dns = {
searches = "net.clerie.de";
};
};
}

7
configuration/desktop/polkit.nix
View File

@@ -1,7 +0,0 @@
{ ... }:
{
security.polkit.enable = true;
}

36
configuration/desktop/power.nix
View File

@@ -1,36 +0,0 @@
{ lib, config, ... }:
{
boot.resumeDevice = lib.optionalString ((lib.length config.swapDevices) > 0) (lib.head config.swapDevices).device;
services.logind = {
lidSwitch = "suspend-then-hibernate";
};
systemd.sleep.extraConfig = ''
HibernateDelaySec=30m
'';
programs.dconf.profiles = {
user.databases = [
{
settings = {
"org/gnome/settings-daemon/plugins/power" = {
power-button-action = "hibernate";
power-saver-profile-on-low-battery = false;
sleep-inactive-ac-type = "nothing";
};
};
}
];
gdm.databases = [
{
settings = {
"org/gnome/settings-daemon/plugins/power" = {
power-button-action = "hibernate";
power-saver-profile-on-low-battery = false;
sleep-inactive-ac-type = "nothing";
};
};
}
];
};
}

7
configuration/desktop/printing.nix
View File

@@ -1,7 +0,0 @@
{ ... }:
{
services.printing.enable = true;
services.avahi.enable = true;
services.avahi.nssmdns4 = true;
}

34
configuration/desktop/ssh.nix
View File

@@ -1,34 +0,0 @@
{ pkgs, ... }:
{
imports = [
../../configuration/gpg-ssh
];
programs.gnupg.agent = {
pinentryPackage = pkgs.pinentry-gtk2;
};
# Do not disable ssh-agent of gnome-keyring, because
# gnupg ssh-agent can't handle normal SSH keys properly
/*
# Disable ssh-agent of gnome-keyring
nixpkgs.overlays = [
(final: prev: {
gnome = prev.gnome // {
gnome-keyring = prev.runCommand "gnome-keyring-ssh-disabled-autostart" {} ''
mkdir -p $out
# Symlink all gnome-keyring binaries
${final.xorg.lndir}/bin/lndir -silent ${prev.gnome.gnome-keyring} $out
# Disable autostart for ssh
rm $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
cat ${prev.gnome.gnome-keyring}/etc/xdg/autostart/gnome-keyring-ssh.desktop > $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
echo "Hidden=true" >> $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
'';
};
})
];
*/
}

11
configuration/desktop/xserver.nix
View File

@@ -1,11 +0,0 @@
{ pkgs, ... }:
{
services.xserver.enable = true;
services.xserver.displayManager.gdm.enable = true;
services.xserver.desktopManager.gnome.enable = true;
services.xserver.excludePackages = with pkgs; [
xterm
];
}

22
configuration/dn42/default.nix
View File

@@ -1,22 +0,0 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
wireguard-tools
];
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = true;
"net.ipv6.conf.all.forwarding" = true;
};
networking.firewall.checkReversePath = false;
# Open Firewall for BGP
networking.firewall.allowedTCPPorts = [ 179 ];
# Open Fireall for OSPF
networking.firewall.extraCommands = ''
ip6tables -A INPUT -p ospfigp -j ACCEPT
iptables -A INPUT -p ospfigp -j ACCEPT
'';
}

41
configuration/gpg-ssh/default.nix
View File

@@ -1,41 +0,0 @@
{ pkgs, lib, ... }:
{
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
pinentryPackage = lib.mkDefault pkgs.pinentry-curses;
};
environment.systemPackages = with pkgs; [
gnupg
yubikey-personalization
openpgp-card-tools
# Add wrapper around ssh that takes the gnupg ssh-agent
# instead of gnome-keyring
ssh-gpg
];
services.pcscd.enable = true;
# pcscd sometimes breaks and seem to need a manual restart
# so we allow users to restart that service themself
security.polkit.extraConfig = ''
polkit.addRule(function(action, subject) {
if (
action.id == "org.freedesktop.systemd1.manage-units"
&& action.lookup("unit") == "pcscd.service"
&& action.lookup("verb") == "restart"
&& subject.isInGroup("users")
) {
return polkit.Result.YES;
}
});
'';
services.udev.packages = with pkgs; [
yubikey-personalization
];
}

8
configuration/hetzner-cloud/default.nix
View File

@@ -1,8 +0,0 @@
{ ... }:
{
networking.useDHCP = false;
networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
networking.defaultGateway = { address = "172.31.1.1"; interface = "ens3"; };
networking.nameservers = [ "2a01:4ff:ff00::add:2" "2a01:4ff:ff00::add:1" "185.12.64.2" "185.12.64.1" ];
}

16
configuration/hydra-build-machine/default.nix
View File

@@ -1,16 +0,0 @@
{ ... }:
{
# Allow Hydra to fetch remote URLs in restricted mode
nix.settings.allowed-uris = "http: https: git+https: github:";
services.openssh.settings= {
PermitRootLogin = "yes";
};
users.extraUsers.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMv8Lbca/CR4das3HJ2F/sQ9dA7kdGS1hSVTt5lX4diP root@hydra-1"
];
}

5
configuration/proxmox-vm/default.nix
View File

@@ -1,5 +0,0 @@
{ ... }:
{
services.qemuGuest.enable = true;
}

27
configuration/router/default.nix
View File

@@ -1,27 +0,0 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
wireguard-tools
tcpdump
];
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = true;
"net.ipv6.conf.all.forwarding" = true;
};
networking.firewall.checkReversePath = false;
networking.firewall.allowedTCPPorts = [
# Open Firewall for BGP
179
];
networking.firewall.extraCommands = ''
# Open fireall for OSPF
ip46tables -A nixos-fw -p ospfigp -j nixos-fw-accept
# Open firewall for GRE
ip46tables -A nixos-fw -p gre -j nixos-fw-accept
'';
}

543
flake.lock generated
View File

@@ -27,11 +27,11 @@
]
},
"locked": {
"lastModified": 1724513039,
"narHash": "sha256-YdBuRgXEU9CcxPd2EjuvDKcfgxL1kk9Gv8nFVVjIros=",
"lastModified": 1748808701,
"narHash": "sha256-IEer4ypv/tL2zzo7nkgyg7xdK6P+Mc/22oPctEgwhiw=",
"ref": "refs/heads/main",
"rev": "202f4a1a5791c74a9b7d69a4e63e631bdbe36ba6",
"revCount": 4,
"rev": "5f3748df43e6b6e49cc0a23557a378ef37952483",
"revCount": 5,
"type": "git",
"url": "https://git.clerie.de/clerie/bij.git"
},
@@ -58,19 +58,36 @@
"url": "https://git.clerie.de/clerie/chaosevents.git"
}
},
"communities": {
"flake": false,
"locked": {
"lastModified": 1739635166,
"narHash": "sha256-0ZONcN3ctsZgMVM//UMp+9iQfhODJNFHOhyWwx0EoTg=",
"owner": "NLNOG",
"repo": "lg.ring.nlnog.net",
"rev": "686adbfd5222b830ba4fee998188cc8d96c09169",
"type": "github"
},
"original": {
"owner": "NLNOG",
"repo": "lg.ring.nlnog.net",
"type": "github"
}
},
"fernglas": {
"inputs": {
"communities": "communities",
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1700408128,
"narHash": "sha256-PLb/q8kIq0wOinkgADHNY6uOB3b3lXQEbLu6ToIFPsU=",
"lastModified": 1741172718,
"narHash": "sha256-YDEJVlmPzOuKfG26iYuJVOlxFvKBVeb8DbAI9WOtnBU=",
"owner": "wobcom",
"repo": "fernglas",
"rev": "407325681e3ad344f6fd05334984a40074aa6347",
"rev": "64e2f9af8aefeeaa63431477066dcc0236d111e0",
"type": "github"
},
"original": {
@@ -98,6 +115,37 @@
"url": "https://git.clerie.de/clerie/fieldpoc.git"
}
},
"flake-compat": {
"locked": {
"lastModified": 1746162366,
"narHash": "sha256-5SSSZ/oQkwfcAz/o/6TlejlVGqeK08wyREBQ5qFFPhM=",
"owner": "nix-community",
"repo": "flake-compat",
"rev": "0f158086a2ecdbb138cd0429410e44994f1b7e4b",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
@@ -106,11 +154,11 @@
]
},
"locked": {
"lastModified": 1712014858,
"narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=",
"lastModified": 1733312601,
"narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "9126214d0a59633752a136528f5f3b9aa8565b7d",
"rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
"type": "github"
},
"original": {
@@ -145,11 +193,11 @@
"systems": "systems"
},
"locked": {
"lastModified": 1694529238,
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
@@ -158,6 +206,39 @@
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flakey-profile": {
"locked": {
"lastModified": 1712898590,
"narHash": "sha256-FhGIEU93VHAChKEXx905TSiPZKga69bWl1VB37FK//I=",
"owner": "lf-",
"repo": "flakey-profile",
"rev": "243c903fd8eadc0f63d205665a92d4df91d42d9d",
"type": "github"
},
"original": {
"owner": "lf-",
"repo": "flakey-profile",
"type": "github"
}
},
"harmonia": {
"inputs": {
"flake-parts": "flake-parts",
@@ -167,20 +248,141 @@
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1716301230,
"narHash": "sha256-olEXRstmP0lf0H11ht6j3co7mNwcDEXTm+eGfwdEJzM=",
"owner": "clerie",
"lastModified": 1733771848,
"narHash": "sha256-tqkTzUdwnTfVuCrcFag7YKgGkiR9srR45e4v0XMXVCY=",
"owner": "nix-community",
"repo": "harmonia",
"rev": "e99509779ce6d6ed46062ac556b71f6ca1eb59ad",
"rev": "c26731351ca38f4953a23ef5490358ffba955ab6",
"type": "github"
},
"original": {
"owner": "clerie",
"ref": "clerie/multiple-signing-keys",
"owner": "nix-community",
"ref": "harmonia-v2.0.1",
"repo": "harmonia",
"type": "github"
}
},
"hydra": {
"inputs": {
"flake-compat": "flake-compat",
"lix": "lix",
"nixpkgs": "nixpkgs_3"
},
"locked": {
"lastModified": 1751801455,
"narHash": "sha256-hUJqtS88SbNQQSEJAPFyY2vLMh8yA8rQ6jbul50p64M=",
"ref": "lix-2.93",
"rev": "b940aca430a7ca41f70bdb320659dd62026fe0e9",
"revCount": 4261,
"type": "git",
"url": "https://git.lix.systems/lix-project/hydra.git"
},
"original": {
"ref": "lix-2.93",
"type": "git",
"url": "https://git.lix.systems/lix-project/hydra.git"
}
},
"lix": {
"inputs": {
"flake-compat": [
"hydra",
"flake-compat"
],
"nix2container": "nix2container",
"nix_2_18": [
"hydra"
],
"nixpkgs": [
"hydra",
"nixpkgs"
],
"nixpkgs-regression": "nixpkgs-regression",
"pre-commit-hooks": "pre-commit-hooks"
},
"locked": {
"lastModified": 1751235704,
"narHash": "sha256-Jzm3KPZ2gL+0Nl3Mw/2E0B3vqDDi1Xt5+9VCXghUDZ8=",
"ref": "release-2.93",
"rev": "f3a7bbe5f8d1a8504ddb6362d50106904523e440",
"revCount": 17874,
"type": "git",
"url": "https://git.lix.systems/lix-project/lix"
},
"original": {
"ref": "release-2.93",
"type": "git",
"url": "https://git.lix.systems/lix-project/lix"
}
},
"lix-module": {
"inputs": {
"flake-utils": "flake-utils_2",
"flakey-profile": "flakey-profile",
"lix": [
"lix"
],
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1753282722,
"narHash": "sha256-KYMUrTV7H/RR5/HRnjV5R3rRIuBXMemyJzTLi50NFTs=",
"ref": "release-2.93",
"rev": "46a9e8fcfe4be72b4c7c8082ee11d2c42da1e873",
"revCount": 149,
"type": "git",
"url": "https://git.lix.systems/lix-project/nixos-module.git"
},
"original": {
"ref": "release-2.93",
"type": "git",
"url": "https://git.lix.systems/lix-project/nixos-module.git"
}
},
"lix_2": {
"inputs": {
"flake-compat": "flake-compat_2",
"nix2container": "nix2container_2",
"nix_2_18": "nix_2_18",
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-regression": "nixpkgs-regression_2",
"pre-commit-hooks": "pre-commit-hooks_2"
},
"locked": {
"lastModified": 1753306924,
"narHash": "sha256-jLCEW0FvjFhC+c4RHzH+xbkSOxrnpFHnhjOw6sudhx0=",
"ref": "release-2.93",
"rev": "1a4393d0aac31aba21f5737ede1b171e11336d77",
"revCount": 17884,
"type": "git",
"url": "https://git.lix.systems/lix-project/lix.git"
},
"original": {
"ref": "release-2.93",
"type": "git",
"url": "https://git.lix.systems/lix-project/lix.git"
}
},
"lowdown-src": {
"flake": false,
"locked": {
"lastModified": 1633514407,
"narHash": "sha256-Dw32tiMjdK9t3ETl5fzGrutQTzh2rufgZV4A/BbxuD4=",
"owner": "kristapsdz",
"repo": "lowdown",
"rev": "d2c2b44ff6c27b936ec27358a2653caaef8f73b8",
"type": "github"
},
"original": {
"owner": "kristapsdz",
"repo": "lowdown",
"type": "github"
}
},
"mitel-ommclient2": {
"inputs": {
"nixpkgs": [
@@ -202,6 +404,66 @@
"url": "https://git.clerie.de/clerie/mitel_ommclient2.git"
}
},
"nix2container": {
"flake": false,
"locked": {
"lastModified": 1724996935,
"narHash": "sha256-njRK9vvZ1JJsP8oV2OgkBrpJhgQezI03S7gzskCcHos=",
"owner": "nlewo",
"repo": "nix2container",
"rev": "fa6bb0a1159f55d071ba99331355955ae30b3401",
"type": "github"
},
"original": {
"owner": "nlewo",
"repo": "nix2container",
"type": "github"
}
},
"nix2container_2": {
"flake": false,
"locked": {
"lastModified": 1724996935,
"narHash": "sha256-njRK9vvZ1JJsP8oV2OgkBrpJhgQezI03S7gzskCcHos=",
"owner": "nlewo",
"repo": "nix2container",
"rev": "fa6bb0a1159f55d071ba99331355955ae30b3401",
"type": "github"
},
"original": {
"owner": "nlewo",
"repo": "nix2container",
"type": "github"
}
},
"nix_2_18": {
"inputs": {
"flake-compat": [
"lix",
"flake-compat"
],
"lowdown-src": "lowdown-src",
"nixpkgs": "nixpkgs_4",
"nixpkgs-regression": [
"lix",
"nixpkgs-regression"
]
},
"locked": {
"lastModified": 1730375271,
"narHash": "sha256-RrOFlDGmRXcVRV2p2HqHGqvzGNyWoD0Dado/BNlJ1SI=",
"owner": "NixOS",
"repo": "nix",
"rev": "0f665ff6779454f2117dcc32e44380cda7f45523",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "2.18.9",
"repo": "nix",
"type": "github"
}
},
"nixos-exporter": {
"inputs": {
"nixpkgs": [
@@ -209,11 +471,11 @@
]
},
"locked": {
"lastModified": 1683625533,
"narHash": "sha256-GvKE97JdQuEZ697TLSMRTNABbVJfGVnJ0vfzK4AIFyI=",
"lastModified": 1746733297,
"narHash": "sha256-CPo/F6oJq3tswg2YT6DsWDFPYXOjw00/3m45JN84PVY=",
"ref": "refs/heads/main",
"rev": "5e86139ee4af27f84228708fd32903bb0c4230f0",
"revCount": 19,
"rev": "f1a832f445c9994d9729a6fa1862b8d4a123bd31",
"revCount": 22,
"type": "git",
"url": "https://git.clerie.de/clerie/nixos-exporter.git"
},
@@ -254,6 +516,70 @@
"type": "github"
}
},
"nixpkgs-0dc1c7": {
"locked": {
"lastModified": 1725718979,
"narHash": "sha256-TNj62uDY5ilnYu0Jne8/IIunfh1kf6kDPY9KdS+Eotw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "0dc1c7294c13f5d1dd6eccab4f75d268d7296efe",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "0dc1c7294c13f5d1dd6eccab4f75d268d7296efe",
"type": "github"
}
},
"nixpkgs-carbon": {
"locked": {
"lastModified": 1751206202,
"narHash": "sha256-VjK8pEv4cfDpCTh4KW1go98kP25j7KdTNEce342Bh/Y=",
"owner": "clerie",
"repo": "nixpkgs",
"rev": "ac4ac98609c1b30c378458ab7207a9a5b5148457",
"type": "github"
},
"original": {
"owner": "clerie",
"ref": "clerie/always-setup-netdevs",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-regression": {
"locked": {
"lastModified": 1643052045,
"narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
"type": "github"
}
},
"nixpkgs-regression_2": {
"locked": {
"lastModified": 1643052045,
"narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1713434076,
@@ -288,11 +614,43 @@
},
"nixpkgs_3": {
"locked": {
"lastModified": 1725983898,
"narHash": "sha256-4b3A9zPpxAxLnkF9MawJNHDtOOl6ruL0r6Og1TEDGCE=",
"lastModified": 1751582995,
"narHash": "sha256-u7ubvtxdTnFPpV27AHpgoKn7qHuE7sgWgza/1oj5nzA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "1355a0cbfeac61d785b7183c0caaec1f97361b43",
"rev": "7a732ed41ca0dd64b4b71b563ab9805a80a7d693",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-25.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_4": {
"locked": {
"lastModified": 1705033721,
"narHash": "sha256-K5eJHmL1/kev6WuqyqqbS1cdNnSidIZ3jeqJ7GbrYnQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a1982c92d8980a0114372973cbdfe0a307f1bdea",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.05-small",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_5": {
"locked": {
"lastModified": 1756386758,
"narHash": "sha256-1wxxznpW2CKvI9VdniaUnTT2Os6rdRJcRUf65ZK9OtE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "dfb2f12e899db4876308eba6d93455ab7da304cd",
"type": "github"
},
"original": {
@@ -322,6 +680,58 @@
"url": "https://git.clerie.de/clerie/nurausstieg.git"
}
},
"pre-commit-hooks": {
"flake": false,
"locked": {
"lastModified": 1733318908,
"narHash": "sha256-SVQVsbafSM1dJ4fpgyBqLZ+Lft+jcQuMtEL3lQWx2Sk=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "6f4e2a2112050951a314d2733a994fbab94864c6",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "git-hooks.nix",
"type": "github"
}
},
"pre-commit-hooks_2": {
"flake": false,
"locked": {
"lastModified": 1733318908,
"narHash": "sha256-SVQVsbafSM1dJ4fpgyBqLZ+Lft+jcQuMtEL3lQWx2Sk=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "6f4e2a2112050951a314d2733a994fbab94864c6",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "git-hooks.nix",
"type": "github"
}
},
"rainbowrss": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1745667868,
"narHash": "sha256-T67ZRk+cuFI2P6qJeu8RwbpJD00OORulHGuXebpg9Nw=",
"ref": "refs/heads/main",
"rev": "e43037aa525e36d7a3da187a8fc6baeb71db7fd6",
"revCount": 15,
"type": "git",
"url": "https://git.clerie.de/clerie/rainbowrss.git"
},
"original": {
"type": "git",
"url": "https://git.clerie.de/clerie/rainbowrss.git"
}
},
"root": {
"inputs": {
"berlinerbaeder-exporter": "berlinerbaeder-exporter",
@@ -330,13 +740,41 @@
"fernglas": "fernglas",
"fieldpoc": "fieldpoc",
"harmonia": "harmonia",
"hydra": "hydra",
"lix": "lix_2",
"lix-module": "lix-module",
"nixos-exporter": "nixos-exporter",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_3",
"nixpkgs": "nixpkgs_5",
"nixpkgs-0dc1c7": "nixpkgs-0dc1c7",
"nixpkgs-carbon": "nixpkgs-carbon",
"nurausstieg": "nurausstieg",
"rainbowrss": "rainbowrss",
"scan-to-gpg": "scan-to-gpg",
"solid-xmpp-alarm": "solid-xmpp-alarm",
"sops-nix": "sops-nix",
"ssh-to-age": "ssh-to-age"
"ssh-to-age": "ssh-to-age",
"traveldrafter": "traveldrafter"
}
},
"scan-to-gpg": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1736606141,
"narHash": "sha256-cIGSrY3tNwOamqt41IPRRw5SPlBtljWZvcXDfCkreUc=",
"ref": "refs/heads/main",
"rev": "9f1aa15509c9b0284774be95ef020f612c385353",
"revCount": 18,
"type": "git",
"url": "https://git.clerie.de/clerie/scan-to-gpg.git"
},
"original": {
"type": "git",
"url": "https://git.clerie.de/clerie/scan-to-gpg.git"
}
},
"solid-xmpp-alarm": {
@@ -346,11 +784,11 @@
]
},
"locked": {
"lastModified": 1675686574,
"narHash": "sha256-+Xww9mfKbUP4VRPtAJKZ6+YdBYL/0vgGoBXVC9AvmQw=",
"lastModified": 1734450899,
"narHash": "sha256-SyUOl5YUl/nlZNNM2/vSuFWFdxOCKmTO4BxjIxwVcjQ=",
"ref": "refs/heads/main",
"rev": "79730bd7df798d80c526c42bbd526506f0235ea3",
"revCount": 4,
"rev": "4bfa8ec27b99e774906c82e6d51d13b32a3ff161",
"revCount": 6,
"type": "git",
"url": "https://git.clerie.de/clerie/solid-xmpp-alarm.git"
},
@@ -416,6 +854,41 @@
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"traveldrafter": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1751817360,
"narHash": "sha256-HzOhsPvzCaFeiz8nPq5MkYnYHpUzVaU/P5sxG+Njt+8=",
"ref": "refs/heads/main",
"rev": "b6610d70f363ecf9704352b1ef39244a816bd34f",
"revCount": 22,
"type": "git",
"url": "https://git.clerie.de/clerie/traveldrafter.git"
},
"original": {
"type": "git",
"url": "https://git.clerie.de/clerie/traveldrafter.git"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
@@ -424,11 +897,11 @@
]
},
"locked": {
"lastModified": 1711963903,
"narHash": "sha256-N3QDhoaX+paWXHbEXZapqd1r95mdshxToGowtjtYkGI=",
"lastModified": 1733662930,
"narHash": "sha256-9qOp6jNdezzLMxwwXaXZWPXosHbNqno+f7Ii/xftqZ8=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "49dc4a92b02b8e68798abd99184f228243b6e3ac",
"rev": "357cda84af1d74626afb7fb3bc12d6957167cda9",
"type": "github"
},
"original": {

86
flake.nix
View File

@@ -1,6 +1,9 @@
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
nixpkgs-carbon.url = "github:clerie/nixpkgs/clerie/always-setup-netdevs";
# for etesync-dav
nixpkgs-0dc1c7.url = "github:NixOS/nixpkgs/0dc1c7294c13f5d1dd6eccab4f75d268d7296efe";
nixos-hardware.url = "github:NixOS/nixos-hardware/master";
berlinerbaeder-exporter = {
url = "git+https://git.clerie.de/clerie/berlinerbaeder-exporter.git";
@@ -19,7 +22,21 @@
inputs.nixpkgs.follows = "nixpkgs";
};
harmonia = {
url = "github:clerie/harmonia/clerie/multiple-signing-keys";
url = "github:nix-community/harmonia/harmonia-v2.0.1";
inputs.nixpkgs.follows = "nixpkgs";
};
hydra = {
url = "git+https://git.lix.systems/lix-project/hydra.git?ref=lix-2.93";
#inputs.lix.follows = "lix";
#inputs.nixpkgs.follows = "nixpkgs";
};
lix = {
url = "git+https://git.lix.systems/lix-project/lix.git?ref=release-2.93";
inputs.nixpkgs.follows = "nixpkgs";
};
lix-module = {
url = "git+https://git.lix.systems/lix-project/nixos-module.git?ref=release-2.93";
inputs.lix.follows = "lix";
inputs.nixpkgs.follows = "nixpkgs";
};
fieldpoc.url = "git+https://git.clerie.de/clerie/fieldpoc.git";
@@ -31,6 +48,14 @@
url = "git+https://git.clerie.de/clerie/nurausstieg.git";
inputs.nixpkgs.follows = "nixpkgs";
};
rainbowrss = {
url = "git+https://git.clerie.de/clerie/rainbowrss.git";
inputs.nixpkgs.follows = "nixpkgs";
};
scan-to-gpg = {
url = "git+https://git.clerie.de/clerie/scan-to-gpg.git";
inputs.nixpkgs.follows = "nixpkgs";
};
solid-xmpp-alarm = {
url = "git+https://git.clerie.de/clerie/solid-xmpp-alarm.git";
inputs.nixpkgs.follows = "nixpkgs";
@@ -43,11 +68,13 @@
url = "github:Mic92/ssh-to-age";
inputs.nixpkgs.follows = "nixpkgs";
};
traveldrafter = {
url = "git+https://git.clerie.de/clerie/traveldrafter.git";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = { self, nixpkgs, nixos-hardware, chaosevents, fernglas, nixos-exporter, solid-xmpp-alarm, ssh-to-age, ... }@inputs: let
lib = import ./lib inputs;
helper = lib.flake-helper;
localNixpkgs = import ./flake/nixpkgs.nix inputs;
in {
clerie.hosts = {
aluminium = {
@@ -85,7 +112,12 @@
osmium = {};
palladium = {};
porter = {};
storage-2 = {};
storage-2 = {
modules = [
./users/frank
];
};
tungsten = {};
web-2 = {};
zinc = {
modules = [
@@ -101,41 +133,29 @@
nixosModules = {
nixfilesInputs = import ./flake/modules.nix inputs;
clerie = import ./modules;
profiles = import ./profiles;
default = self.nixosModules.clerie;
};
overlays = {
nixfilesInputs = import ./flake/overlay.nix inputs;
clerie = import ./pkgs/overlay.nix;
default = self.overlays.clerie;
clerie-inputs = import ./flake/inputs-overlay.nix inputs;
clerie-pkgs = import ./pkgs/overlay.nix;
clerie-build-support = import ./pkgs/build-support/overlay.nix;
clerie-overrides = import ./pkgs/overrides/overlay.nix;
};
packages = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system: let
pkgs = localNixpkgs.${system};
in {
inherit (pkgs)
clerie-keys
clerie-system-upgrade
clerie-merge-nixfiles-update
clerie-update-nixfiles
clerie-sops
clerie-sops-config
clerie-sops-edit
chromium-incognito
git-checkout-github-pr
git-diff-word
iot-data
nix-remove-result-links
nixfiles-auto-install
nixfiles-generate-config
nixfiles-generate-backup-secrets
nixfiles-update-ssh-host-keys
print-afra
run-with-docker-group
ssh-gpg
update-from-hydra
uptimestatus;
});
nixpkgs = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system:
lib.mkNixpkgs {
inherit system;
}
);
packages = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system:
nixpkgs.lib.genAttrs (
(builtins.attrNames (self.overlays.clerie-pkgs null null))
++ (builtins.attrNames (self.overlays.clerie-overrides null null))
) (name: self.nixpkgs."${system}"."${name}")
);
inherit lib self;

6
flake/hydraJobs.nix
View File

@@ -10,6 +10,12 @@ let
in {
inherit (self)
packages;
extraTrackedPackages = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system:
nixpkgs.lib.genAttrs [
"hydra"
"lix"
] (name: self.nixpkgs."${system}"."${name}")
);
nixosConfigurations = buildHosts self.nixosConfigurations;
iso = self.nixosConfigurations._iso.config.system.build.isoImage;
}

20
flake/overlay.nix → flake/inputs-overlay.nix
View File

@@ -1,24 +1,38 @@
{ self
, nixpkgs-0dc1c7
, berlinerbaeder-exporter
, bij
, chaosevents
, harmonia
, hydra
, nurausstieg
, rainbowrss
, scan-to-gpg
, ssh-to-age
, traveldrafter
, ...
}@inputs:
final: prev: {
inherit (nixpkgs-0dc1c7.legacyPackages.${final.system})
etesync-dav;
inherit (berlinerbaeder-exporter.packages.${final.system})
berlinerbaeder-exporter;
inherit (bij.packages.${final.system})
bij;
inherit (chaosevents.packages.${final.system})
chaosevents;
harmonia = harmonia.packages.${final.system}.harmonia.override {
nixForHarmonia = final.nixVersions.nix_2_21;
};
inherit (harmonia.packages.${final.system})
harmonia;
inherit (hydra.packages.${final.system})
hydra;
inherit (nurausstieg.packages.${final.system})
nurausstieg;
inherit (rainbowrss.packages.${final.system})
rainbowrss;
inherit (scan-to-gpg.packages.${final.system})
scan-to-gpg;
inherit (ssh-to-age.packages.${final.system})
ssh-to-age;
inherit (traveldrafter.packages.${final.system})
traveldrafter;
}

4
flake/modules.nix
View File

@@ -1,7 +1,9 @@
{ self
, fernglas
, fieldpoc
, lix-module
, nixos-exporter
, scan-to-gpg
, solid-xmpp-alarm
, sops-nix
, ...
@@ -12,7 +14,9 @@
imports = [
fernglas.nixosModules.default
fieldpoc.nixosModules.default
lix-module.nixosModules.default
nixos-exporter.nixosModules.default
scan-to-gpg.nixosModules.scan-to-gpg
solid-xmpp-alarm.nixosModules.solid-xmpp-alarm
sops-nix.nixosModules.sops
];

25
flake/nixosConfigurations.nix
View File

@@ -11,32 +11,14 @@ let
modules ? [],
}: let
localNixpkgs = nixpkgs.lib.attrByPath [ "nixpkgs-${name}" ] nixpkgs inputs;
in localNixpkgs.lib.nixosSystem {
in self.lib.nixosSystem {
system = system;
nixpkgs = localNixpkgs;
modules = modules ++ [
self.nixosModules.nixfilesInputs
self.nixosModules.clerie
({ config, lib, ... }: {
# Set hostname
networking.hostName = lib.mkDefault name;
# Apply overlays
nixpkgs.overlays = [
self.overlays.nixfilesInputs
self.overlays.clerie
];
/*
Make the contents of the flake availiable to modules.
Useful for having the monitoring server scraping the
target config from all other servers automatically.
*/
_module.args = {
inputs = inputs;
_nixfiles = self;
};
# Expose host group to monitoring
clerie.monitoring = nixpkgs.lib.attrsets.optionalAttrs (group != null) { serviceLevel = group; };
@@ -51,6 +33,9 @@ let
{};
in
secrets;
# Enable clerie common config
profiles.clerie.common.enable = true;
})
# Config to be applied to every host

17
flake/nixpkgs.nix
View File

@@ -1,17 +0,0 @@
{ self
, nixpkgs
, ...
}@inputs:
let
mkNixpkgs = { system, ... }@args:
import nixpkgs {
inherit system;
overlays = [
self.overlays.nixfilesInputs
self.overlays.clerie
];
};
in
nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system: mkNixpkgs { inherit system; })

21
hosts/_iso/configuration.nix
View File

@@ -1,15 +1,30 @@
{ pkgs, lib, modulesPath, ... }:
{ pkgs, lib, modulesPath, config, ... }:
{
imports = [
(modulesPath + "/installer/cd-dvd/installation-cd-base.nix")
../../configuration/gpg-ssh
];
profiles.clerie.gpg-ssh.enable = true;
profiles.clerie.network-fallback-dhcp.enable = true;
# systemd in initrd is broken with ISOs
# Failed to mount /sysroot/iso
# https://github.com/NixOS/nixpkgs/issues/327187
boot.initrd.systemd.enable = false;
networking.hostName = "isowo";
isoImage.isoBaseName = "nixos-isowo";
isoImage.isoBaseName = lib.mkForce "nixos-isowo";
environment.systemPackages = with pkgs; [
nixfiles-auto-install
];
# Allow user clerie to log in as root directly with ssh keys
users.users.root.openssh.authorizedKeys.keys = config.users.users.clerie.openssh.authorizedKeys.keys;
services.openssh.settings = {
PermitRootLogin = lib.mkForce "yes";
};
}

2
hosts/aluminium/configuration.nix
View File

@@ -18,7 +18,7 @@
terminal_output serial
";
services.wg-clerie = {
profiles.clerie.wg-clerie = {
enable = true;
ipv6s = [ "2a01:4f8:c0c:15f1::8106/128" ];
ipv4s = [ "10.20.30.106/32" ];

17
hosts/astatine/configuration.nix
View File

@@ -4,30 +4,21 @@
imports =
[
./hardware-configuration.nix
./ppp.nix
./programs.nix
./users.nix
];
profiles.clerie.network-fallback-dhcp.enable = true;
boot.kernelParams = [ "console=ttyS0,115200n8" ];
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
# boot.loader.grub.efiSupport = true;
# boot.loader.grub.efiInstallAsRemovable = true;
# boot.loader.efi.efiSysMountPoint = "/boot/efi";
# Define on which hard drive you want to install Grub.
boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
boot.loader.grub.device = "/dev/sda";
boot.loader.grub.extraConfig = "
serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
terminal_input serial
terminal_output serial
";
#networking.firewall.enable = false;
services.wg-clerie = {
profiles.clerie.wg-clerie = {
enable = true;
ipv6s = [ "2a01:4f8:c0c:15f1::8108/128" ];
ipv4s = [ "10.20.30.108/32" ];

90
hosts/astatine/ppp.nix
View File

@@ -1,90 +0,0 @@
{ pkgs, ... }:
{
# Make space for VLAN header in containing ethernet segment
networking.interfaces."enp1s0".mtu = 1518;
## DSL-Uplink
networking.vlans."enp1s0.7" = {
id = 7;
interface = "enp1s0";
};
services.pppd = {
enable = true;
peers.lns-test = {
config = ''
plugin pppoe.so enp1s0.7
user "criese#regiotest@bsa-vdsl"
ifname ppp-lns-test
persist
maxfail 0
holdoff 5
noipdefault
lcp-echo-interval 20
lcp-echo-failure 3
hide-password
nodefaultroute
+ipv6
debug
'';
};
};
/*
networking.interfaces.lo.useDHCP = true;
networking.interfaces.ppp-lns-test.useDHCP = true;
networking.dhcpcd = {
enable = true;
extraConfig = ''
interface ppp-lns-test
ipv6rs
ia_pd 0 lo/0
'';
};*/
environment.etc."ppp/ip-up" = {
text = ''
#! ${pkgs.runtimeShell} -e
${pkgs.iproute2}/bin/ip route flush table 20001 || true
${pkgs.iproute2}/bin/ip route add default dev ppp-lns-test table 20001
'';
mode = "555";
};
environment.etc."ppp/ip-down" = {
text = ''
#! ${pkgs.runtimeShell} -e
${pkgs.iproute2}/bin/ip route flush table 20001 || true
'';
mode = "555";
};
environment.etc."ppp/ipv6-up" = {
text = ''
#! ${pkgs.runtimeShell} -e
${pkgs.iproute2}/bin/ip -6 route flush table 20001 || true
${pkgs.iproute2}/bin/ip -6 route add default dev ppp-lns-test table 20001
'';
mode = "555";
};
environment.etc."ppp/ipv6-down" = {
text = ''
#! ${pkgs.runtimeShell} -e
${pkgs.iproute2}/bin/ip -6 route flush table 20001 || true
'';
mode = "555";
};
petabyte.policyrouting = {
enable = true;
rules4 = [
{ rule = "from 212.218.16.237/32 lookup 20001"; prio = 19000; }
{ rule = "from 212.218.16.237/32 unreachable"; prio = 19001; }
];
};
}

9
hosts/astatine/programs.nix
View File

@@ -1,9 +0,0 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
tcpdump # for remote wireshark
];
}

10
hosts/astatine/users.nix
View File

@@ -1,10 +0,0 @@
{ ... }:
{
users.users.criese-nethinks = {
extraGroups = [
"wheel"
];
};
}

21
hosts/backup-4/configuration.nix
View File

@@ -4,19 +4,32 @@
imports =
[
./hardware-configuration.nix
../../configuration/proxmox-vm
./backup.nix
./replication.nix
./restic-server.nix
./wg-b-palladium.nix
];
profiles.clerie.mercury-vm.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
networking.useDHCP = false;
networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffcb::c"; prefixLength = 64; } ];
networking.defaultGateway6 = { address = "2001:638:904:ffcb::1"; interface = "ens18"; };
networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
systemd.network.enable = true;
systemd.network.networks."10-wan" = {
matchConfig.Name = "ens18";
address = [
"2001:638:904:ffcb::c/64"
];
routes = [
{ Gateway = "2001:638:904:ffcb::1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
services.nginx.enable = true;

20
hosts/backup-4/replication.nix Normal file
View File

@@ -0,0 +1,20 @@
{ lib, ... }:
with lib;
{
clerie.backup = {
enable = true;
targets = mkForce {
palladium.serverUrl = "http://[fd90:37fd:ddec:d921::2]:43242";
};
jobs.replication = {
paths = [
"/mnt/backup-4/magenta"
];
exclude = [
"/mnt/backup-4/magenta/.htpasswd"
];
};
};
}

11
hosts/backup-4/secrets.json
View File

@@ -1,5 +1,8 @@
{
"restic-server-magenta-htpasswd": "ENC[AES256_GCM,data:QxdmemBB/iuU+fvc2QRRkbOHO5Ef8ZJqfTdFCnlOqKog5krZ2oIpURuttH9YeggJXV2Cr+kJDGI0b9Ca6BtCkOhahfWicTeFhuODJsSyZJqzw36Ba8pX3nIpqoa7StTydK1Dx5chOi2g8oB4895SvWqDa/qP10yDtBQAYURHYfodb9/tiKzfjJAGDlqsR2h+qmdbAkvR3/oAquBO8Nb493G2sixs20XIG85moYv6l0MPnZtWEXhDT8lM5tw0PCgpSfYaUeMWnmFuzFBj3MQSo3zAjGPeOSYVFlbwbLqFWL507z0dlRgzsxMYB1F4OL38nOpO2CP2/VvbidgbQZjKCfiHMJtWLQfzZIfNEhcF8kq2uhhOwRSKN3G7u1/ezzu+9UlUVMV6PY2jjbZHJ79Knu5SJ3KqphygjjIhdHufqI03BP/aJa0QkE/mGg9is3H0myW5rG9ElA1C4stF,iv:1Ue/H48af3ECUZ5GC0hrMMBfOuCZSuX9wOSAd5XG7Fk=,tag:HchM/ZJEDG4pWQdDanC9cA==,type:str]",
"clerie-backup-job-replication": "ENC[AES256_GCM,data:BxOj/jT/GFBNSLc=,iv:zKDmEqUpOUWbU3fEeKDLniZ8D1yzs4kdGjoFLeNZOpo=,tag:iKAxHnIUpvtZwVO+eJW3Xw==,type:str]",
"clerie-backup-target-palladium": "ENC[AES256_GCM,data:OaszucYAp4n/ds59nF8D4Qn3U9a6L+ONcbPa+BmSz/EprW7E3kCoJ6+EceahPemTnR53mkP6zAndWaXaBTFfdg==,iv:pqi4+LuLPhtmKucm7JqN6d2hwXzNVx8IPimTL6FgHHg=,tag:+91GgLQNKD/lI7uWojCwjA==,type:str]",
"restic-server-magenta-htpasswd": "ENC[AES256_GCM,data:gfvmAd7z+jQwoYDJf/Hv2sR9ISJT+Hw4jrHmvW64PXjoETy+LjdsmqEPuRyq/YhrGA2rqW+YodPlkh/eE4crdTL2eNim+ij/OUubliUwBMyJuxsdGKuDUMc+txqN2x6Q24MnnU88P08SKpsm3jciMhz7JEg62W77jhesWlkzsuJDmg9oTlA9SeYOEac3pIKpekfRyE77GSFVUflwwCA+xvcEg5xyuRosFzBWGGEC3kDNB0licF0X6epz3HtlqhCLd/mkuEkftjpkNOFm9oJYzdwYv5PwVNg7G7JOgsUx9e5I29mwWPfhinX1yEFNwxKeB1FbUhYOKhRhdqWD6THVLkDzU0zP8vrm5FXTaxLHZr5+EpKit8/MJS5UBVvpSTDQ0cLExJyonWP2T+zr6rxKwU/q1jQRvsU6DJ7Bt8+9chrXBNOeyPM9xzWN1Zyyrntm9j5Ufj1YFwyrDT5ve2rOgNHA4KoS28+vsP1fcVO8XlLR24zFx5+/1BPG25qSECTPn6KkcL+yV+WS4oOnu4Oo0GVPEz+4SfyYIEVmaV61KC61pKa/6ACeUd6nABcDbReMqPXU7/bksM4sTDoFSmmiAycnxT4xavbaFdfbYIOXVQwYAIjaR1tAqQ6gYVCQ/LtKhIHCGCg10xRXNV3qkPqOUvJ7JnRcre+pQVDVLg==,iv:tvhvTPzhHoG4yG3C+o9s8yh4DafMpPb67nNxbUZcFxQ=,tag:8P5lYeP2EB5AfKgeeBISLg==,type:str]",
"wg-b-palladium": "ENC[AES256_GCM,data:XTenrGQFLDndt/XPaDGRLQthVq1UFKJ2mWK3Z+YfT54YpnWO81cslrMMtPc=,iv:tW8NHOcNj3Q26BJBIz7UPR3bmw3nrb0UkkD+gqngw/w=,tag:XDYkIqj6z2Jvhaoiqeyn0g==,type:str]",
"wg-monitoring": "ENC[AES256_GCM,data:lCuE2EgUo3ER9NNg1rD24Z4cZS+VZ4KmDojnfCsb/LyBsfyu6uOJ4IVtxOE=,iv:KHRP1pXYXk8Fi23cjUZVUUadu9yWoJ2ddxj2fMJJYE0=,tag:TiFlekXM7WLLHAPlmYbP8w==,type:str]",
"sops": {
"kms": null,
@@ -12,8 +15,8 @@
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpdFREUEVzb2JFd3hSaG9y\neVA2a2Fodko0OTI4ZGM0NlZxRmNtYmFDY1hVCm9ncXdWYTJlSU1FSG1WdlNBZ3VW\nM2VtRmZiWldzalRsRWJ0UkV1L1hSMkEKLS0tIGVLQU9kQXhZbC9SUW9CS2JnWGlJ\nQ3RoeXVkRXNkUWNaZ0VQOW1hcEJnNjAKHgZ48PERJlfkkh2TyCLl52zUZY674BXW\n4zPtmhZrb4xlExetINrOd4hZtL7S7qn5GnTxhoxvCddeU+JPPsfWoQ==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2024-06-03T18:16:25Z",
"mac": "ENC[AES256_GCM,data:hWCI1hWTbbasov9Si0JDI39rUuBOEqrz+qxTKrNN4S/r9Ktofrk46b3rxSQF3+bC03HrbCMLk9/7XkvIFJXQj5pa9I1aG8MuMbgF0Z8Ft/uNdHPUUyLJwo/4aav4zXVpdg7zNtPdwjk66pw7iRO5XBmYgnQlnXotHM6S9s7RzuA=,iv:VJmLD1SImGtreceQP+DofnzOGp3sm12iCzbPsqzw6SI=,tag:aUryi0xUG7sd/EOmqrMQCg==,type:str]",
"lastmodified": "2025-04-18T08:37:08Z",
"mac": "ENC[AES256_GCM,data:50NF4BI0QUhe622J6nwIF89pLlTdgxVB/MWbO5nWKgQI5xuNrnFghs5yVgZIV7FeONcu2pYykp28fSrFKhvbPt+B90i4HvaaIHdZGDepbEV9ZwK4AU66zZW4KCCPxv4NTYh+AuSi7HTHusXUrNIvRhYvAXjESi7nK7JPm3BTfUk=,iv:fvtTaSXNx6IL6D9DdEa5ovymNYeWJObCBiRiIsG7KeE=,tag:LdfXiAuMHLCb0biThHh1GQ==,type:str]",
"pgp": [
{
"created_at": "2024-05-04T12:30:52Z",
@@ -22,6 +25,6 @@
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.8.1"
"version": "3.9.4"
}
}

40
hosts/backup-4/wg-b-palladium.nix Normal file
View File

@@ -0,0 +1,40 @@
{ config, ... }:
{
sops = {
secrets.wg-b-palladium = {
owner = "systemd-network";
group = "systemd-network";
};
};
systemd.network.netdevs."10-wg-b-palladium" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg-b-palladium";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets.wg-b-palladium.path;
ListenPort = 51844;
};
wireguardPeers = [
{
PublicKey = "YMTOhRAKWfFX1UVBoROPvgcQxTSN4tny35brAocdnwo=";
AllowedIPs = [ "fd90:37fd:ddec:d921::/64" ];
PersistentKeepalive = 25;
}
];
};
systemd.network.networks."10-wg-b-palladium" = {
matchConfig.Name = "wg-b-palladium";
address = [
"fd90:37fd:ddec:d921::1/64"
];
linkConfig.RequiredForOnline = "no";
};
networking.firewall.allowedUDPPorts = [ 51844 ];
}

38
hosts/beryllium/configuration.nix
View File

@@ -6,6 +6,8 @@
./hardware-configuration.nix
];
profiles.clerie.network-fallback-dhcp.enable = true;
boot.kernelParams = [ "console=ttyS0,115200n8" ];
boot.loader.grub.enable = true;
@@ -20,39 +22,11 @@
networking.firewall.enable = false;
networking.iproute2.enable = true;
networking.iproute2.rttablesExtraConfig = ''
200 wg-clerie
'';
petabyte.policyrouting = {
profiles.clerie.wg-clerie = {
enable = true;
rules6 = [
{ rule = "from 2a01:4f8:c0c:15f1::8107/128 lookup wg-clerie"; prio = 20000; }
{ rule = "from 2a01:4f8:c0c:15f1::8107/128 unreachable"; prio = 20001; }
];
rules4 = [
{ rule = "from 10.20.30.107/32 lookup wg-clerie"; prio = 20000; }
{ rule = "from 10.20.30.107/32 unreachable"; prio = 20001; }
];
};
networking.wireguard.enable = true;
networking.wireguard.interfaces = {
wg-clerie = {
ips = [ "2a01:4f8:c0c:15f1::8107/128" "10.20.30.107/32" ];
table = "wg-clerie";
peers = [
{
endpoint = "vpn.clerie.de:51820";
persistentKeepalive = 25;
allowedIPs = [ "0.0.0.0/0" "::/0" "10.20.30.0/24" "2a01:4f8:c0c:15f1::/113" ];
publicKey = "2p1Jqs3bkXbXHFWE6vp1yxHIFoUaZQEARS2nJzbkuBA=";
}
];
privateKeyFile = "/var/src/secrets/wireguard/wg-clerie";
};
ipv6s = [ "2a01:4f8:c0c:15f1::8107/128" ];
ipv4s = [ "10.20.30.107/32" ];
privateKeyFile = "/var/src/secrets/wireguard/wg-clerie";
};
clerie.monitoring = {

20
hosts/carbon/configuration.nix
View File

@@ -4,21 +4,26 @@
imports =
[
./hardware-configuration.nix
../../configuration/router
./dns.nix
./mdns.nix
./net-dsl.nix
./net-gastnetz.nix
./net-heimnetz.nix
./net-iot.nix
./net-lte.nix
./net-mgmt.nix
./net-printer.nix
./net-voip.nix
./ntp.nix
./ppp.nix
./scan-to-gpg.nix
./wg-clerie.nix
];
profiles.clerie.common-networking.enable = false;
profiles.clerie.router.enable = true;
boot.kernelParams = [ "console=ttyS0,115200n8" ];
boot.loader.grub.enable = true;
@@ -58,20 +63,13 @@
systemd.services.kea-dhcp4-server = {
after = [
"network-setup.service"
"network.target"
];
requires = [
"network-setup.service"
wants = [
"network.target"
];
};
systemd.services."system-reboot" = {
script = ''
${pkgs.systemd}/bin/reboot
'';
startAt = "*-*-* 1/3:13:14";
};
clerie.firewall.enable = true;
clerie.monitoring = {

17
hosts/carbon/mdns.nix Normal file
View File

@@ -0,0 +1,17 @@
{ pkgs, ... }:
{
services.avahi = {
enable = true;
nssmdns4 = true;
allowInterfaces = [
"net-heimnetz"
"net-iot"
];
reflector = true;
};
}

5
hosts/carbon/net-gastnetz.nix
View File

@@ -20,9 +20,10 @@
services.radvd.config = ''
interface net-gastnetz {
AdvSendAdvert on;
MaxRtrAdvInterval 30;
prefix ::/64 {
AdvValidLifetime 60;
AdvPreferredLifetime 30;
AdvValidLifetime 300;
AdvPreferredLifetime 120;
};
RDNSS 2620:fe::fe 2620:fe::9 {}; # Quad 9
};

5
hosts/carbon/net-heimnetz.nix
View File

@@ -22,9 +22,10 @@
services.radvd.config = ''
interface net-heimnetz {
AdvSendAdvert on;
MaxRtrAdvInterval 30;
prefix ::/64 {
AdvValidLifetime 60;
AdvPreferredLifetime 30;
AdvValidLifetime 300;
AdvPreferredLifetime 120;
};
RDNSS fd00:152:152::1 {};
DNSSL net.clerie.de {};

5
hosts/carbon/net-iot.nix
View File

@@ -23,9 +23,10 @@
services.radvd.config = ''
interface net-iot {
AdvSendAdvert on;
MaxRtrAdvInterval 30;
prefix ::/64 {
AdvValidLifetime 60;
AdvPreferredLifetime 30;
AdvValidLifetime 300;
AdvPreferredLifetime 120;
};
RDNSS fd00:152:152::1 {};
DNSSL iot.clerie.de {};

5
hosts/carbon/net-mgmt.nix
View File

@@ -20,9 +20,10 @@
services.radvd.config = ''
interface net-mgmt {
AdvSendAdvert on;
MaxRtrAdvInterval 30;
prefix ::/64 {
AdvValidLifetime 60;
AdvPreferredLifetime 30;
AdvValidLifetime 300;
AdvPreferredLifetime 120;
};
};
'';

51
hosts/carbon/net-printer.nix Normal file
View File

@@ -0,0 +1,51 @@
{ ... }:
{
networking.vlans."enp1s0.206" = {
id = 206;
interface = "enp1s0";
};
networking.bridges."net-printer".interfaces = [
"enp1s0.206"
];
networking.interfaces."net-printer".ipv4.addresses = [
{ address = "10.152.206.1"; prefixLength = 24; }
];
services.kea.dhcp4 = {
settings = {
interfaces-config = {
interfaces = [ "net-printer" ];
};
subnet4 = [
{
id = 206;
subnet = "10.152.206.0/24";
pools = [
{
pool = "10.152.206.100 - 10.152.206.240";
}
];
option-data = [
{
name = "routers";
data = "10.152.206.1";
}
];
}
];
};
};
# Enable scan-to-gpg
networking.firewall.interfaces."net-printer".allowedTCPPorts = [ 2121 ];
networking.firewall.interfaces."net-printer".allowedTCPPortRanges = [ { from = 2130; to = 2134; } ];
clerie.firewall.extraForwardFilterCommands = ''
# Allow access from Heimnetz to printer
ip46tables -A forward-filter -i net-heimnetz -o net-printer -j ACCEPT
ip46tables -A forward-filter -i net-printer -j DROP
ip46tables -A forward-filter -o net-printer -j DROP
'';
}

35
hosts/carbon/ppp.nix
View File

@@ -1,4 +1,4 @@
{ config, pkgs, utils, ... }:
{ config, pkgs, lib, ... }:
{
@@ -44,41 +44,20 @@
cat ${config.sops.secrets.pppd-dtagdsl-secrets.path} > /etc/ppp/chap-secrets
'';
preStartFile = utils.systemdUtils.lib.makeJobScript "pppd-dtagdsl-pre-start" preStart;
preStartFile = pkgs.writeShellApplication {
name = "pppd-dtagdsl-pre-start";
text = preStart;
};
in {
EnvironmentFile = config.sops.secrets.pppd-dtagdsl-username.path;
ExecStartPre = [
# "+" marks script to be executed without priviledge restrictions
"+${preStartFile}"
"+${lib.getExe preStartFile}"
];
};
clerie.firewall.extraForwardMangleCommands = ''
ip46tables -t mangle -A forward-mangle -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1416
ip46tables -t mangle -A forward-mangle -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
'';
networking.dhcpcd-prefixdelegation = {
enable = true;
interfaces = {
"ppp-dtagdsl" = {
iaid = 1;
interfaces = {
"net-heimnetz" = {
sla_id = 201;
prefix_len = 64;
};
};
};
};
};
environment.etc."ppp/ipv6-up" = {
text = ''
#!${pkgs.runtimeShell}
set -euo pipefail
${pkgs.dhcpcd}/bin/dhcpcd --renew $1
'';
};
}

11
hosts/carbon/scan-to-gpg.nix Normal file
View File

@@ -0,0 +1,11 @@
{ pkgs, ... }:
{
services.scan-to-gpg = {
enable = true;
gpgkey = "${pkgs.clerie-keys}/gpg/clerie@clerie.de.asc";
};
users.users."clerie".extraGroups = [ "scan-to-gpg" ];
}

1
hosts/carbon/wg-clerie.nix
View File

@@ -5,5 +5,6 @@
enable = true;
ipv6s = [ "2a01:4f8:c0c:15f1::8111/128" ];
ipv4s = [ "10.20.30.111/32" ];
defaultViaVPN = false;
};
}

80
hosts/clerie-backup/configuration.nix
View File

@@ -4,20 +4,26 @@
imports =
[
./hardware-configuration.nix
../../configuration/proxmox-vm
./restic-server.nix
];
profiles.clerie.ruby-vm.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
networking.useDHCP = false;
networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffc1::6"; prefixLength = 64; } ];
networking.defaultGateway6 = { address = "2001:638:904:ffc1::1"; interface = "ens18"; };
networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
systemd.network.networks."10-wan" = {
matchConfig.Name = "ens18";
address = [
"2a00:fe0:1:21f::a/64"
];
routes = [
{ Gateway ="2a00:fe0:1:21f::1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
services.nginx.enable = true;
@@ -28,10 +34,6 @@
authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCiUWufpvAj/Rdxt/frAjs5Q4+/lzaN2jmf5+W3Gazjzw+CH+Agplux6op+LlzF7kAA32yP+lwQto8Rz92NzReDssXd+0JhgAAHrSMrPOPnQbZrierKOfVvDOteklEM4k5JXqZ+xHIMtNomuMV3wCFc18nvwc8t95pDBOI/HwzAwn2mGhVBod0CNXZs8EyMeQJNKLCRwpUrddOX6fz5x/fbPYO4KB3iPkC0X+e/d5SuBvrmwFdnpr2RkCboMPdd6i/0AsY4MLdMV54arS9Ed2jaFKqYCQR5wRdLxndn+aByyVQHQxVU0gVfO9+53NOgiVzhOFzXm6K2KcC/HZR5uj1r ceea@olbers.uberspace.de" ];
path = "/mnt/clerie-backup/uberspace-ceea";
};
uberspace-cleriewi = {
authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAeU+YezmGNNnntAkOL143NlkADi6ekEcaW9yf9yegdkDxwyIyxaWC89B110kRkNe+6KP+LDwrp9vnFJZjst8Gv+dMs0h9U0IdUafhO7TcbbkqynqmtzIwiSGsLby2K9XOYTMlAa2JOfeNScPWccZ8KgXsIBqRGjo3yQfCHXZu9U/8CGXvYPsTGY5QYNeAw5Uaikuf565GHy4ROx2BN7LGug9lK42Hfv8i1lhCLi7wkhQ0EPGBRPkscjz/0Kb2iABMzyUf6uMrDJX/usKrChxkLfidIM9C5YR1E+wXlmy9lijuNP85NpXUEyVTAp9/XLCp1vskfCjsBLO0l+40XNIt cleriewi@biela.uberspace.de" ];
path = "/mnt/clerie-backup/uberspace-cleriewi";
};
};
# fix borgbackup primary grouping
@@ -51,62 +53,6 @@
compression = "auto,lzma";
startAt = "*-*-* 04:07:00";
};
backup-replication-palladium = {
paths = [
"/mnt/clerie-backup"
];
doInit = true;
repo = "borg@palladium.net.clerie.de:." ;
encryption = {
mode = "none";
};
environment = { BORG_RSH = "ssh -i /var/src/secrets/ssh/borg-backup-replication-palladium"; };
compression = "auto,lzma";
startAt = "*-*-* 06:23:00";
};
backup-replication-external-drive = {
paths = [
"/mnt/clerie-backup"
];
doInit = true;
repo = "borg@palladium.net.clerie.de:." ;
encryption = {
mode = "none";
};
environment = {
BORG_RSH = "ssh -i /var/src/secrets/ssh/borg-backup-replication-external-drive";
BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes";
BORG_RELOCATED_REPO_ACCESS_IS_OK = "yes";
};
compression = "auto,lzma";
startAt = "*-*-* 08:37:00";
};
};
users.users.backup-replication = {
isNormalUser = true;
group = "backup-replication";
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC8kCLiDfVFKgoNvEoMb34jp2n1lQG+k7wigzc4qGmrROlWkJ46/Ym4UrSeQJAd6hwHTcKTZkeOrqDAjZZ+jlidpncJHT5VMW5Ah965pxbBq6Qh1Yz5tKj7nLAQ/+bwEH4qqBFNd796876n3pY/FqhwAHWONqWhLKzMXpFursMSITUPmRXcaPwJrgS9DIYspZ9bBhhRSdQ5N1SiGtaszOQwdevLnNYqdtFOBG4rt9SO6IBIHtaiTIHrrMGS2Lt3NMwkq+O+N+TGaKLjbwqtfUPfPOCmY0XH12OawjxHP9hZ+WH3dPtcu5p+VORciSybPvyh9qzXUrDeO4HDuii2GEFU8JFELYXdT/qBwdIMp82tkgww0zKbTJuc0y/9eR7LCXop4OALhR8+8xWDI9c1ccxu3T7S7zUI1OmTlR9i8rx85D4sz2dtp1jirDoW2KVuIdwe6G3NLfTL95FZRmveEQM3MO8MPpfzZ4EvaMbiQQd/c4VAmGovtSLQhySTpT6qSv0= root@backup-4"
#"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDRANmJ2LYUr0Mavz/JJ7j+7p1zkqvizf6ZLt5XOJ2fj0enDuK7Dc5fxiESLGYTsLRVWuY4hNXVIL7aeJUj1LPf6LEX87APP4hb95t+TFxcES87tFfnFO48eiBbSd25Av2jmHGb6/wY2viYBxfk/vrLjPR6RgICqFsWFcz20bsWmc48FdzXYJCGJfKjHiW+Ut95VL+M/AlGBQHo33FNDyPXV4zh+MeWVkOFicwfh0k+4NH7Psj5n93m9szAlz306t5YZ32HnhSlvObkMk1Ugy6AzPKXrgKBu11pmatf7sFRx1ikYGUiKiezGjatt/8lYZfE8rQKQjwH+6LPt3ZPv06ncfKpH2vbZfonM0KhSsm1OIhJTse+X7ZMxizO6QqYM+BRJJGMbhH1g+6kFRsdlwakHNPE9YvG4NxZ1NxWTUr6F0gPhUEy61LkTnznt3ct1hgQR02KDQ+9i8PvaYeIIzZzRKufv4tV7OZkDLbN97tvAMkgpLjF+8fCg3qjn2Lckzc= root@palladium"
];
};
users.groups.backup-replication = {};
environment.systemPackages = with pkgs; [
bindfs
];
fileSystems."/clerie-backup-replication" = {
device = "/mnt/clerie-backup";
fsType = "fuse.bindfs";
options = [
"ro"
"force-user=backup-replication"
"force-group=backup-replication"
"perms=0000:ug=rD"
];
};
clerie.monitoring = {

7
hosts/clerie-backup/hardware-configuration.nix
View File

@@ -8,7 +8,7 @@
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
@@ -19,7 +19,7 @@
};
fileSystems."/mnt/clerie-backup" =
{ device = "/dev/disk/by-uuid/69e75b00-23e1-4775-98a6-061a79d806cf";
{ device = "/dev/disk/by-uuid/15a42e2e-57dc-43ff-a50d-8b73952d4558";
fsType = "ext4";
};
@@ -33,4 +33,7 @@
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
boot.swraid.enable = true;
}

6
hosts/clerie-backup/secrets.json
View File

@@ -1,5 +1,5 @@
{
"restic-server-cyan-htpasswd": "ENC[AES256_GCM,data:ZKrEv/bU1X+iO7GLlxsM8HhUy6B2+EXRA8JO2X8E8X5nt8Ydwa+wAqTea3hGyW/QNFrNg/nnAFaVg+VNa6UEqOuF0eg4Nf0LOYTtTpNt4uqDHomfFpvFxDfVCbk4a3fnjnJzk51XnZqeVlvuH2JKg9uD6QzTghTuZfysdGePZdD4WRfY+qHsZg2jREgA26WKsRnD1zU4ZnbRAA1s0Lzf5gG4kFciIzovt0x5MYEiVERFeM+HG1a117EvSlsijPNJVLTaFRLTVOlTOYLKXt4KcRJq9KwoZR/LgEz++rUE4DN5f7iQs+Sb9epH9sV/V06R6AKE5ZFcyi5Y+ipt8B4sWX8PQUeFxNlpljXHro8szGNnLnSxxieg10SEwfIEw+nTGVMHToUpvybzdoI4VPUHZGF+kpqv8ejEzhrKZXyPrd7ZCWGDsTdl8gGSefimpEUR8IwuPqImgu2UU8gT,iv:Y/G/odtZ4enBtNc2Wj7bZjsJ3nur5huYAqlu1PgnWlo=,tag:tg3ut7R2jJd+TVvYHIiTdA==,type:str]",
"restic-server-cyan-htpasswd": "ENC[AES256_GCM,data:Fe6lcXXy0Hu27Y2LtwQRbk+78+unSGkII144jtstOgK0pyjlJqG2mo8ZG7L+3mmthuu+leZ6XXadEcRGpby3eCwyVEYd3lDr930pPC8hChWYMC5mGkkRUAobYED63iVxcsc36PVFQYMCDbYvtcPk8uQTXfQmhs9kSzCrONrL1Id0L9D+sGoU0snpE+eCNXyiLwuyc1qocchhuHIwkGi4dyVJWgMsKGummF5Pf9zK4KzHmT6RuPouEUAfwHkdPwtOSJ8OqZof/C/CuPYmJQyfOFAqtw8xD9OXUpvyxjC1Kta89sL5cRAE0R15oPvNUmYGaXputm9iMycPjMacpouycx1TXMTEDB0caryX9uEFAyTfPm7keHT86qA1UfImWqEE9QqJ3uCeiwW698SbTZVeKLDBqDCPP+nP/L+N412d+HHyGugPOnTj1gXY50xeOay8Wryw87iDZ9rnJxcn0u5D4+JjOIbjWvydqBXacMD/o0NG2CcQu6LVRAHRiDKoSQWEwx25tzVwn2dsgFV8c3oQ0xQI7050R11Z3M9QWOvPmOZCvYV5VSoxu7r1jMu5asrcPbbhXKatbrabEHCAbDGsBpDkqts3BVUfUaHwboXVR0DxqOC6CHVE34J99SVTGI0kIHXyNqpeUJ36tCXFg7eNPNsu8cra9whjyUUHtw==,iv:Gfg3t3YPw2hz0LJ5hovPftMYOADN2Xjc93VmT2fFVQI=,tag:k6KH4qDPrFYIU2PGgW3F9Q==,type:str]",
"wg-monitoring": "ENC[AES256_GCM,data:rOpBlDt9K//zlgWo1Bw9IX5jmpLbnit5zi60Ulz8f6tHwqVsKJv5NkxYc9A=,iv:Jlo0QZP6R1CEE20iLa7M/LV/ZX2/33oMv/FzBBo6nvY=,tag:Ttqo7BKd6RuUiMksW6rZnw==,type:str]",
"sops": {
"kms": null,
@@ -12,8 +12,8 @@
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0UCtUZ3NZQWxOK1FUNDhL\nbWhaanN2OEJIVmpMOURzWU1vcGhuODdtcDJnCm9Nb01NaVVpWDJ6Q3JCbXRkRUJP\nUVdFaGVScUdxRnlpSnRNOG1RalNRaFUKLS0tICs0cW1WR0JMUmdaVWVzdTh2bjFm\nenBzaERpb1hCS1E3TUo3cmxpZFUxWmcKcLL5/YTGyZEVLwHSpbEI5XfWGklkI7h+\n0uhCww8Wh23EpUYFslZ0Nnbf5HX5/Z34qBwf20cvN8eLToTAQvTdeg==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2024-06-03T18:16:18Z",
"mac": "ENC[AES256_GCM,data:kWeyNv82yc6H+FJjhTh8vkuxjZ4YFEqmZbqzZr+pEXxXeMUEGi9hr7cauGDNxnRMgWJz9KG1M4tzUyEK8rfVQWLc+Wcf/5Pjsxn1Zg0yJiJAxVFV7AcvGdKUeQuBKgOT5L+Z5+cFdvq9+CU/0M+6/e8jB6OdQWcuy0emBaCut4U=,iv:3w5arXHKapwwo7kgLtHcKfO+dhH22opVP+fjagize0c=,tag:+cCaX2FUG+5UYqutE9IsAA==,type:str]",
"lastmodified": "2025-02-16T18:13:34Z",
"mac": "ENC[AES256_GCM,data:io2WVxTxHSlxrk7JaN6/fUI7YotvPfgbXTD1lEf1tN7QhuGRH/iZrji/VQlhJ8tk2dAS1Pe0rsTuxCMXcXcxRIh4EYbQky5IZj5jpfPcslQOquTcXzmPYdijPUWSqu6leGc0GG/7KccjSFD8TfwAgeuVrc2Br57yfqKoPf+M0fY=,iv:iYp73PrFnLZoI9014mbqQQERhFtfhb5YmzV6HiUi+YM=,tag:2AZEzhVVdEos5FLkg8cr5w==,type:str]",
"pgp": [
{
"created_at": "2024-05-05T12:12:27Z",

332
hosts/dn42-il-gw1/configuration.nix
View File

@@ -4,49 +4,43 @@
imports =
[
./hardware-configuration.nix
../../configuration/proxmox-vm
../../configuration/dn42
];
profiles.clerie.mercury-vm.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
networking.useDHCP = false;
networking.interfaces.lo.ipv6.addresses = [ { address = "fd56:4902:eca0:1::1"; prefixLength = 64; } ];
# VM Nat Netz mercury
networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.23"; prefixLength = 24; } ];
# OSPF Netz
networking.interfaces.ens19 = {};
# IPv6 Uplink
networking.interfaces.ens20.ipv6.addresses = [ { address = "2001:638:904:ffc9::7"; prefixLength = 64; } ];
networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; };
networking.defaultGateway6 = { address = "2001:638:904:ffc9::1"; interface = "ens20"; };
networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
systemd.network.networks."10-wan" = {
matchConfig.Name = "ens20";
address = [
"2001:638:904:ffc9::7/64"
];
routes = [
{ Gateway = "2001:638:904:ffc9::1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-nat-netz-mercury" = {
matchConfig.Name = "ens18";
address = [
"192.168.10.23/24"
];
routes = [
{ Gateway = "192.168.10.1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-dn42-ospf-netz" = {
matchConfig.Name = "ens19";
linkConfig.RequiredForOnline = "no";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
networking.wireguard.enable = true;
networking.wireguard.interfaces = {
# n0emis
wg0197 = {
ips = [
"fe80::42:1/128"
# peer fe80::42:42:1/128
];
postSetup = ''
ip -6 route flush dev wg0197
ip addr del dev wg0197 fe80::42:1/128 && ip addr add dev wg0197 fe80::42:1/128 peer fe80::42:42:1/128
'';
listenPort = 50197;
allowedIPsAsRoutes = false;
peers = [
{
allowedIPs = [ "fe80::/10" "fd00::/8" ];
endpoint = "himalia.dn42.n0emis.eu:52574";
publicKey = "ObF+xGC6DdddJer0IUw6nzC0RqzeKWwEiQU0ieowzhg=";
}
];
privateKeyFile = config.sops.secrets.wg0197.path;
};
# e1mo
wg0565 = {
ips = [
@@ -126,27 +120,6 @@
];
privateKeyFile = config.sops.secrets.wg1280.path;
};
# perflyst
wg1302 = {
ips = [
"fe80::a14e/128"
# peer fe80::a14d/128
];
postSetup = ''
ip -6 route flush dev wg1302
ip addr del dev wg1302 fe80::a14e/128 && ip addr add dev wg1302 fe80::a14e/128 peer fe80::a14d/128
'';
listenPort = 51302;
allowedIPsAsRoutes = false;
peers = [
{
allowedIPs = [ "fe80::/10" "fd00::/8" ];
endpoint = "[2a03:4000:6:f6ed::1]:22574";
publicKey = "TSPvvpMY8dCFk6gd58aYtkibtqUn8EzIF6dXP52b3y8=";
}
];
privateKeyFile = config.sops.secrets.wg1302.path;
};
# lutoma
wg4719 = {
ips = [
@@ -167,167 +140,104 @@
];
privateKeyFile = config.sops.secrets.wg4719.path;
};
# zaphyra
wg1718 = {
ips = [
"fe80::2574/128"
# peer fe80::6b61/64
];
postSetup = ''
ip addr replace dev wg1718 fe80::2574/128 peer fe80::6b61/128
'';
listenPort = 51718;
allowedIPsAsRoutes = false;
peers = [
{
allowedIPs = [ "fe80::/10" "fd00::/8" ];
endpoint = "router-a.dn42.zaphyra.eu:51831";
publicKey = "Knm6uEpMsTfZAK68Pl98mHORtb8TtswBfYFGznpHUCI=";
}
];
privateKeyFile = config.sops.secrets.wg1718.path;
};
};
petabyte.policyrouting = {
networking.firewall.allowedUDPPorts = [
50565 # wg0565
51271 # wg1271
51272 # wg1272
51280 # wg1280
54719 # wg4719
51718 # wg1718
];
profiles.clerie.dn42-router = {
enable = true;
rules6 = [
{ rule = "from all to fd56:4902:eca0::/48 lookup 1337"; prio = 10000; }
{ rule = "from all to all lookup 2342"; prio = 10000; }
{ rule = "from all to fd56:4902:eca0::/48 unreachable"; prio = 20000; }
{ rule = "from fd56:4902:eca0::/48 to all unreachable"; prio = 20000; }
loopbackIp = "fd56:4902:eca0:1::1";
routerId = "192.168.10.23";
ospfInterfaces = [
"ens19"
];
ibgpPeers = [
{
peerName = "gw5";
remoteAddress = "fd56:4902:eca0:5::1";
}
{
peerName = "gw6";
remoteAddress = "fd56:4902:eca0:6::1";
}
];
wireguardPeers = [
{
peerName = "peer_0565";
remoteAddress = "fe80::565";
interfaceName = "wg0565";
remoteAsn = "4242420565";
localAddress = "fe80::2574";
}
{
peerName = "peer_1271_north";
remoteAddress = "fe80::2";
interfaceName = "wg1271";
remoteAsn = "4242421271";
localAddress = "fe80::1";
}
{
peerName = "peer_1271_south";
remoteAddress = "fe80::1:2";
interfaceName = "wg1272";
remoteAsn = "4242421271";
localAddress = "fe80::1:1";
}
{
peerName = "peer_1280_wg1";
remoteAddress = "fde3:4c0d:2836:ff00::20";
interfaceName = "wg1280";
remoteAsn = "4242421280";
localAddress = "fde3:4c0d:2836:ff00::21";
}
{
peerName = "peer_4719";
remoteAddress = "fe80::acab";
interfaceName = "wg4719";
remoteAsn = "64719";
localAddress = "fe80::1";
}
{
peerName = "peer_1718";
remoteAddress = "fe80::6b61";
interfaceName = "wg1718";
remoteAsn = "4242421718";
localAddress = "fe80::2574";
}
];
};
services.bird2.enable = true;
services.bird2.config = ''
router id ${ (lib.head config.networking.interfaces.ens18.ipv4.addresses).address };
ipv6 table ospf6;
ipv6 table bgp6;
protocol direct {
interface "lo";
ipv6 {
table ospf6;
};
}
protocol static {
ipv6 {
table bgp6;
};
route fd56:4902:eca0::/48 via "lo";
route fd56:4902:eca0::/52 via "lo";
}
protocol kernel {
ipv6 {
table ospf6;
export filter {
krt_prefsrc=fd56:4902:eca0:1::1;
accept;
};
import none;
};
kernel table 1337;
}
protocol kernel {
ipv6 {
table bgp6;
export filter {
krt_prefsrc=fd56:4902:eca0:1::1;
accept;
};
import none;
};
kernel table 2342;
}
protocol ospf v3 {
ipv6 {
table ospf6;
import all;
export all;
};
area 0 {
interface "ens19" {
cost 80;
type broadcast;
};
};
}
protocol bgp gw5 {
local as 4242422574;
graceful restart on;
neighbor fd56:4902:eca0:5::1 as 4242422574;
source address fd56:4902:eca0:1::1;
ipv6 {
table bgp6;
igp table ospf6;
next hop self;
import keep filtered;
import all;
export all;
};
}
protocol bgp gw6 {
local as 4242422574;
graceful restart on;
neighbor fd56:4902:eca0:6::1 as 4242422574;
source address fd56:4902:eca0:1::1;
ipv6 {
table bgp6;
igp table ospf6;
next hop self;
import keep filtered;
import all;
export all;
};
}
template bgp bgp_peer {
local as 4242422574;
graceful restart on;
ipv6 {
table bgp6;
next hop self;
import keep filtered;
import filter {
if net ~ [fd00::/8{48,64}] then accept;
reject;
};
export filter {
if net ~ [fd00::/8{48,64}] then accept;
reject;
};
};
}
protocol bgp peer_0197_himalia from bgp_peer {
neighbor fe80::42:42:1%wg0197 as 4242420197;
source address fe80::42:1;
}
protocol bgp peer_0565 from bgp_peer {
neighbor fe80::565%wg0565 as 4242420565;
source address fe80::2574;
}
protocol bgp peer_1271_north from bgp_peer {
neighbor fe80::2%wg1271 as 4242421271;
source address fe80::1;
}
protocol bgp peer_1271_south from bgp_peer {
neighbor fe80::1:2%wg1272 as 4242421271;
source address fe80::1:1;
}
protocol bgp peer_1280_wg1 from bgp_peer {
neighbor fde3:4c0d:2836:ff00::20%wg1280 as 4242421280;
source address fde3:4c0d:2836:ff00::21;
}
protocol bgp peer_1302 from bgp_peer {
neighbor fe80::a14d%wg1302 as 4242421302;
source address fe80::a14e;
}
protocol bgp peer_4719 from bgp_peer {
neighbor fe80::acab%wg4719 as 64719;
}
protocol device {
scan time 10;
}
'';
clerie.system-auto-upgrade = {
allowReboot = true;
services.bijwerken = {
autoUpgrade = true;
};

13
hosts/dn42-il-gw1/secrets.json
View File

@@ -5,21 +5,18 @@
"wg1272": "ENC[AES256_GCM,data:LU6jtNkNn2Xs+0OH8cD1HJnbHsNNnqlY83lDFa11/dHwVgdFxMtDXMqIMEc=,iv:/A8rWGR6jExa4ms7jTYC0eZVGCvlKw1I58Co41gw3TU=,tag:tIBRkQzFFpEEzflnDrpcOA==,type:str]",
"wg1280": "ENC[AES256_GCM,data:F4KLY6jiZNl52ko32nM0iTER0DyHvaCSmxeYAKB0MLUD8l9u1Ugk6kYZnUc=,iv:XcaxnvxM1kE/ahNFX+BH7Jmr9q2Py1vHHqOjFUqs5O8=,tag:a1up4gGFqyHz2lmDRJl3bA==,type:str]",
"wg1302": "ENC[AES256_GCM,data:+MzuBPg3ql0/MEnpVvhQTsPIkKB9xnHN9Fk4VlZwK4ijKl+26d6oTSM7/R0=,iv:bPPmhenQLaKTGaDo4rBlKkrXrS1YysRuntbKq6zi2aQ=,tag:lztaTfDGT4kAq+HZMLl0Dw==,type:str]",
"wg1718": "ENC[AES256_GCM,data:lB+j2O15O7ogdB+QdutD3V/h8IREMMlpCsnMJWNPXlz196KM6WNNYCV2v5M=,iv:AwrRPQIFu8A14Vs5A9slkCPMkgU3VZxL1YupJnriEHc=,tag:Vpt0C6SFzUXGotdfc1ocmg==,type:str]",
"wg4719": "ENC[AES256_GCM,data:hoOOCUGdYFaAQZ6wkgmQl65M1qArvXa826IeJl+BUGf7UX0vxx9J0C2epTE=,iv:+1JcOgzClehkE0Ihd2mmoenPk51OBZMF0bMqapWah/c=,tag:xI5FU+GJU6BER9/n04ccLA==,type:str]",
"wg-monitoring": "ENC[AES256_GCM,data:aw11Ygfll6llabXkuxtbTcCn1eb4NZX1IwArcXoRJCJSgwDrQZ3HLatov3w=,iv:J2VD5XS+BrIKeFb0NW1UYZUuGPkbjFmooZ93PVK31gw=,tag:2XLSa/2s6LRq3L7UdrTs/g==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1f0hscql4f4w7vyukzeu693xfedsl596dpjekc23q77ylp92zsvcqf9u75t",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3QWdFYjFjTmRVRlV3U3p4\nTSsyc1E0dWtiYjNtVkV2SXJEWkxnTDhLN1Y0Cng4aGlidjhydUVGaFcvK215aGdq\nN0FGajYwa1lPUCsva0tmNkErUGtlOWsKLS0tIG9pLzJEUDA2WWUzd1kzSVZrdVRX\nbUxjQzBCd3p0R1dWTTJaRmZNQjJEUVkKPz6OUQHpYrhRxMdQzpZRR3exVqkG2JvX\nI32PwvbeQK8cgpYwKLGar8U8aiPPm0Y64pID1wedDsNZzLqLOrS3wQ==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2024-04-28T09:28:04Z",
"mac": "ENC[AES256_GCM,data:PHdhyie0Ya/nN9Kqj4z+zPyyKZFvGkznkv8Uf3LNSdPKWVtXARZc8Xodm4MjI2HvooryyyMFHkW75Aln02Rlvk3R8oI7rfFZC7s2P+LotumsYgRFf0JOUMxsxOtKW0ehuLy83Bw0rMJQo1gzTgBykcvdc2pkMmALF/vU/1VqgJ4=,iv:0JwcY0Q+8VAiVHYjynhcpsobQXOkK8EBe3QUJ8YUwFE=,tag:9xAcoxAPGxTvHVBydf3u9Q==,type:str]",
"lastmodified": "2025-06-10T20:51:10Z",
"mac": "ENC[AES256_GCM,data:9lF4HV0oJyGHXdtYdMxR7+ev7JLAQVr6kE55nLoZcrbC92MHJzQpgM9XAhIynvwdAmC7ARd3orCn6eYkQJDdNX0JjMtebsBE+H4B7mEUCz8wtTN0iHS+oHmQxrqjnoSw2uHh9udgqAJa+sd6VGU3t2XUuuKtVHPwzROqVgvas9M=,iv:KT+BlFeXGZQc5pbBX+XOsmKEydUtir1LuPvseDkFeqw=,tag:hlRskY6b5EAZkUYs7ph/JA==,type:str]",
"pgp": [
{
"created_at": "2024-04-28T09:25:37Z",
@@ -28,6 +25,6 @@
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.8.1"
"version": "3.10.2"
}
}
}

258
hosts/dn42-il-gw5/configuration.nix
View File

@@ -4,184 +4,114 @@
imports =
[
./hardware-configuration.nix
../../configuration/proxmox-vm
../../configuration/dn42
];
profiles.clerie.mercury-vm.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
networking.useDHCP = false;
# VM Nat Netz mercury
networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.25"; prefixLength = 24; } ];
# OSPF Netz
networking.interfaces.ens19 = {};
# Lokales Netz
networking.interfaces.ens20.ipv6.addresses = [ { address = "fd56:4902:eca0:5::1"; prefixLength = 64; } ];
# IPv6 Uplink
networking.interfaces.ens21.ipv6.addresses = [ { address = "2001:638:904:ffc9::a"; prefixLength = 64; } ];
# Ildix
networking.interfaces.ens22.ipv6.addresses = [ { address = "fd81:edb3:71d8:ffff:2574::5"; prefixLength = 64; } ];
networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; };
networking.defaultGateway6 = { address = "2001:638:904:ffc9::1"; interface = "ens21"; };
networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
petabyte.policyrouting = {
enable = true;
rules6 = [
{ rule = "from all to fd56:4902:eca0::/48 lookup 1337"; prio = 10000; }
{ rule = "from all to all lookup 2342"; prio = 10000; }
{ rule = "from all to fd56:4902:eca0::/48 unreachable"; prio = 20000; }
{ rule = "from fd56:4902:eca0::/48 to all unreachable"; prio = 20000; }
systemd.network.networks."10-wan" = {
matchConfig.Name = "ens21";
address = [
"2001:638:904:ffc9::a/64"
];
routes = [
{ Gateway = "2001:638:904:ffc9::1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-nat-netz-mercury" = {
matchConfig.Name = "ens18";
address = [
"192.168.10.25/24"
];
routes = [
{ Gateway = "192.168.10.1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-dn42-ospf-netz" = {
matchConfig.Name = "ens19";
linkConfig.RequiredForOnline = "no";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-dn42-lokales-netz" = {
# Aktuell nicht verwendet, da in lo-dn42 umgezogen
matchConfig.Name = "ens20";
linkConfig.RequiredForOnline = "no";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-dn42-ildix" = {
matchConfig.Name = "ens22";
address = [
"fd81:edb3:71d8:ffff:2574::5/64"
];
linkConfig.RequiredForOnline = "no";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
services.bird2.enable = true;
services.bird2.config = ''
router id ${ (lib.head config.networking.interfaces.ens18.ipv4.addresses).address };
profiles.clerie.dn42-router = {
enable = true;
loopbackIp = "fd56:4902:eca0:5::1";
routerId = "192.168.10.25";
ipv6 table ospf6;
ipv6 table bgp6;
ospfInterfaces = [
"ens19"
];
protocol direct {
interface "ens20";
ipv6 {
table ospf6;
};
}
ibgpPeers = [
{
peerName = "gw1";
remoteAddress = "fd56:4902:eca0:1::1";
}
{
peerName = "gw6";
remoteAddress = "fd56:4902:eca0:6::1";
}
];
protocol static {
ipv6 {
table bgp6;
bgpPeers = [
{
peerName = "peer_ildix_clerie";
localAddress = "fd81:edb3:71d8:ffff:2574::5";
remoteAddress = "fd81:edb3:71d8:ffff::13";
remoteAsn = "4242422953";
}
{
peerName = "peer_ildix_nex";
localAddress = "fd81:edb3:71d8:ffff:2574::5";
remoteAddress = "fd81:edb3:71d8:ffff::14";
remoteAsn = "4242422953";
}
];
birdExtraConfig = ''
# Internal
protocol bgp peer_2953_dn42_ildix_service {
local as 4242422574;
neighbor fd81:edb3:71d8:ffff:2953::1 port 1179 as 4242422953;
source address fd81:edb3:71d8:ffff:2574::5;
multihop 64;
ipv6 {
table bgp6;
igp table ospf6;
next hop keep;
add paths tx;
import filter {
reject;
};
route fd56:4902:eca0::/48 via "lo";
route fd56:4902:eca0::/52 via "lo";
}
protocol kernel {
ipv6 {
table ospf6;
export filter {
krt_prefsrc=fd56:4902:eca0:5::1;
accept;
};
import none;
};
kernel table 1337;
}
protocol kernel {
ipv6 {
table bgp6;
export filter {
krt_prefsrc=fd56:4902:eca0:5::1;
accept;
};
import none;
export filter {
accept;
};
kernel table 2342;
}
};
}
'';
};
protocol ospf v3 {
ipv6 {
table ospf6;
import all;
export all;
};
area 0 {
interface "ens19" {
cost 80;
type broadcast;
};
};
}
protocol bgp gw1 {
local as 4242422574;
graceful restart on;
neighbor fd56:4902:eca0:1::1 as 4242422574;
source address fd56:4902:eca0:5::1;
ipv6 {
table bgp6;
igp table ospf6;
next hop self;
import keep filtered;
import all;
export all;
};
}
protocol bgp gw6 {
local as 4242422574;
graceful restart on;
neighbor fd56:4902:eca0:6::1 as 4242422574;
source address fd56:4902:eca0:5::1;
ipv6 {
table bgp6;
igp table ospf6;
next hop self;
import keep filtered;
import all;
export all;
};
}
template bgp ildix {
local as 4242422574;
graceful restart on;
source address fd81:edb3:71d8:ffff:2574::5;
ipv6 {
table bgp6;
igp table ospf6;
next hop self;
import keep filtered;
import filter {
if net ~ [fd00::/8{8,64}] then accept;
reject;
};
export filter {
if net ~ [fd00::/8{8,64}] then accept;
reject;
};
};
}
protocol bgp peer_ildix_clerie from ildix {
neighbor fd81:edb3:71d8:ffff::13 as 4242422953;
}
protocol bgp peer_ildix_nex from ildix {
neighbor fd81:edb3:71d8:ffff::14 as 4242422953;
}
# Internal
protocol bgp peer_2953_dn42_ildix_service {
local as 4242422574;
neighbor fd81:edb3:71d8:ffff:2953::1 port 1179 as 4242422953;
source address fd81:edb3:71d8:ffff:2574::5;
multihop 64;
ipv6 {
table bgp6;
igp table ospf6;
next hop keep;
add paths tx;
import filter {
reject;
};
export filter {
accept;
};
};
}
protocol device {
scan time 10;
}
'';
clerie.system-auto-upgrade = {
allowReboot = true;
services.bijwerken = {
autoUpgrade = true;
startAt = "*-*-* 06:22:00";
};

252
hosts/dn42-il-gw6/configuration.nix
View File

@@ -4,184 +4,108 @@
imports =
[
./hardware-configuration.nix
../../configuration/proxmox-vm
../../configuration/dn42
];
profiles.clerie.cybercluster-vm.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
networking.useDHCP = false;
networking.interfaces.lo.ipv6.addresses = [ { address = "fd56:4902:eca0:6::1"; prefixLength = 64; } ];
# IPv6 Uplink
networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffc9::9"; prefixLength = 64; } ];
# Ildix
networking.interfaces.ens19.ipv6.addresses = [ { address = "fd81:edb3:71d8:ffff:2574::6"; prefixLength = 64; } ];
# VM Nat Netz mercury
networking.interfaces.ens20.ipv4.addresses = [ { address = "192.168.10.26"; prefixLength = 24; } ];
# OSPF Netz
networking.interfaces.ens21 = {};
networking.defaultGateway = { address = "192.168.10.1"; interface = "ens20"; };
networking.defaultGateway6 = { address = "2001:638:904:ffc9::1"; interface = "ens18"; };
networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
petabyte.policyrouting = {
enable = true;
rules6 = [
{ rule = "from all to fd56:4902:eca0::/48 lookup 1337"; prio = 10000; }
{ rule = "from all to all lookup 2342"; prio = 10000; }
{ rule = "from all to fd56:4902:eca0::/48 unreachable"; prio = 20000; }
{ rule = "from fd56:4902:eca0::/48 to all unreachable"; prio = 20000; }
systemd.network.networks."10-wan" = {
matchConfig.Name = "ens18";
address = [
"2001:638:904:ffc9::9/64"
];
routes = [
{ Gateway = "2001:638:904:ffc9::1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-nat-netz-mercury" = {
matchConfig.Name = "ens20";
address = [
"192.168.10.26/24"
];
routes = [
{ Gateway = "192.168.10.1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-dn42-ospf-netz" = {
matchConfig.Name = "ens21";
linkConfig.RequiredForOnline = "no";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-dn42-ildix" = {
matchConfig.Name = "ens19";
address = [
"fd81:edb3:71d8:ffff:2574::6/64"
];
linkConfig.RequiredForOnline = "no";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
services.bird2.enable = true;
services.bird2.config = ''
router id ${ (lib.head config.networking.interfaces.ens20.ipv4.addresses).address };
profiles.clerie.dn42-router = {
enable = true;
loopbackIp = "fd56:4902:eca0:6::1";
routerId = "192.168.10.26";
ipv6 table ospf6;
ipv6 table bgp6;
ospfInterfaces = [
"ens21"
];
protocol direct {
interface "lo";
ipv6 {
table ospf6;
};
}
ibgpPeers = [
{
peerName = "gw1";
remoteAddress = "fd56:4902:eca0:1::1";
}
{
peerName = "gw5";
remoteAddress = "fd56:4902:eca0:5::1";
}
];
protocol static {
ipv6 {
table bgp6;
bgpPeers = [
{
peerName = "peer_ildix_clerie";
localAddress = "fd81:edb3:71d8:ffff:2574::6";
remoteAddress = "fd81:edb3:71d8:ffff::13";
remoteAsn = "4242422953";
}
{
peerName = "peer_ildix_nex";
localAddress = "fd81:edb3:71d8:ffff:2574::6";
remoteAddress = "fd81:edb3:71d8:ffff::14";
remoteAsn = "4242422953";
}
];
birdExtraConfig = ''
# Internal
protocol bgp peer_2953_dn42_ildix_service {
local as 4242422574;
neighbor fd81:edb3:71d8:ffff:2953::1 port 1179 as 4242422953;
source address fd81:edb3:71d8:ffff:2574::6;
multihop 64;
ipv6 {
table bgp6;
igp table ospf6;
next hop keep;
add paths tx;
import filter {
reject;
};
#route fd56:4902:eca0::/48 via "lo";
#route fd56:4902:eca0::/52 via "lo";
}
protocol kernel {
ipv6 {
table ospf6;
export filter {
krt_prefsrc=fd56:4902:eca0:6::1;
accept;
};
import none;
export filter {
accept;
};
kernel table 1337;
}
};
}
'';
};
protocol kernel {
ipv6 {
table bgp6;
export filter {
krt_prefsrc=fd56:4902:eca0:6::1;
accept;
};
import none;
};
kernel table 2342;
}
protocol ospf v3 {
ipv6 {
table ospf6;
import all;
export all;
};
area 0 {
interface "ens21" {
cost 80;
type broadcast;
};
};
}
protocol bgp gw1 {
local as 4242422574;
graceful restart on;
neighbor fd56:4902:eca0:1::1 as 4242422574;
source address fd56:4902:eca0:6::1;
ipv6 {
table bgp6;
igp table ospf6;
next hop self;
import keep filtered;
import all;
export all;
};
}
protocol bgp gw5 {
local as 4242422574;
graceful restart on;
neighbor fd56:4902:eca0:5::1 as 4242422574;
source address fd56:4902:eca0:6::1;
ipv6 {
table bgp6;
igp table ospf6;
next hop self;
import keep filtered;
import all;
export all;
};
}
template bgp ildix {
local as 4242422574;
graceful restart on;
source address fd81:edb3:71d8:ffff:2574::6;
ipv6 {
table bgp6;
igp table ospf6;
next hop self;
import keep filtered;
import filter {
if net ~ [fd00::/8{8,64}] then accept;
reject;
};
export filter {
if net ~ [fd00::/8{8,64}] then accept;
reject;
};
};
}
protocol bgp peer_ildix_clerie from ildix {
neighbor fd81:edb3:71d8:ffff::13 as 4242422953;
}
protocol bgp peer_ildix_nex from ildix {
neighbor fd81:edb3:71d8:ffff::14 as 4242422953;
}
# Internal
protocol bgp peer_2953_dn42_ildix_service {
local as 4242422574;
neighbor fd81:edb3:71d8:ffff:2953::1 port 1179 as 4242422953;
source address fd81:edb3:71d8:ffff:2574::6;
multihop 64;
ipv6 {
table bgp6;
igp table ospf6;
next hop keep;
add paths tx;
import filter {
reject;
};
export filter {
accept;
};
};
}
protocol device {
scan time 10;
}
'';
clerie.system-auto-upgrade = {
allowReboot = true;
services.bijwerken = {
autoUpgrade = true;
startAt = "*-*-* 07:22:00";
};

61
hosts/dn42-ildix-clerie/configuration.nix
View File

@@ -4,26 +4,47 @@
imports =
[
./hardware-configuration.nix
../../configuration/proxmox-vm
];
profiles.clerie.mercury-vm.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
networking.useDHCP = false;
# VM Nat Netz mercury
networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.27"; prefixLength = 24; } ];
# Ildix
networking.interfaces.ens19.ipv6.addresses = [ { address = "fd81:edb3:71d8:ffff::13"; prefixLength = 64; } ];
# Route to dn42-ildix-service
networking.interfaces.ens19.ipv6.routes = [ { address = "fd81:edb3:71d8::"; prefixLength = 48; via = "fd81:edb3:71d8:ffff:2953::1"; } ];
# public address
networking.interfaces.ens20.ipv6.addresses = [ { address = "2001:638:904:ffcb::4"; prefixLength = 64; } ];
networking.defaultGateway6 = { address = "2001:638:904:ffcb::1"; interface = "ens20"; };
networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; };
networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
systemd.network.networks."10-wan" = {
matchConfig.Name = "ens20";
address = [
"2001:638:904:ffcb::4/64"
];
routes = [
{ Gateway = "2001:638:904:ffcb::1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-nat-netz-mercury" = {
matchConfig.Name = "ens18";
address = [
"192.168.10.27/24"
];
routes = [
{ Gateway = "192.168.10.1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-dn42-ildix" = {
matchConfig.Name = "ens19";
address = [
"fd81:edb3:71d8:ffff::13/64"
];
routes = [
# Route to dn42-ildix-service
{ Destination = "fd81:edb3:71d8::/48"; Gateway = "fd81:edb3:71d8:ffff:2953::1"; }
];
linkConfig.RequiredForOnline = "no";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
# Open Firewall for BGP
networking.firewall.allowedTCPPorts = [ 179 ];
@@ -33,9 +54,10 @@
iptables -A INPUT -p ospfigp -j ACCEPT
'';
services.bird2.enable = true;
services.bird2.config = ''
router id ${ (lib.head config.networking.interfaces.ens18.ipv4.addresses).address };
services.bird.enable = true;
services.bird.package = pkgs.bird2;
services.bird.config = ''
router id 192.168.10.27;
protocol direct {
interface "ens19";
@@ -139,8 +161,7 @@
}
'';
clerie.system-auto-upgrade = {
allowReboot = true;
services.bijwerken = {
autoUpgrade = true;
};

11
hosts/dn42-ildix-service/bird.nix
View File

@@ -1,12 +1,13 @@
{ config, lib, ... }:
{ config, lib, pkgs, ... }:
{
networking.firewall.allowedTCPPorts = [ 179 ];
# something doesn't work right
services.bird2.enable = false;
services.bird2.config = ''
router id ${(lib.head config.networking.interfaces.ens18.ipv4.addresses).address};
services.bird.enable = false;
services.bird.package = pkgs.bird2;
services.bird.config = ''
router id 192.168.10.28;
ipv6 table bgp6;
@@ -21,7 +22,7 @@
ipv6 {
table bgp6;
export filter {
krt_prefsrc=${(lib.head config.networking.interfaces.lo.ipv6.addresses).address};
krt_prefsrc=fd81:edb3:71d8::1;
accept;
};
import none;

66
hosts/dn42-ildix-service/configuration.nix
View File

@@ -4,11 +4,13 @@
imports =
[
./hardware-configuration.nix
../../configuration/proxmox-vm
./bird.nix
./fernglas.nix
];
profiles.clerie.mercury-vm.enable = true;
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
# boot.loader.grub.efiSupport = true;
@@ -17,28 +19,58 @@
# Define on which hard drive you want to install Grub.
boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only
networking.useDHCP = false;
networking.interfaces.lo.ipv6.addresses = [
{ address = "fd81:edb3:71d8::1"; prefixLength = 128; }
{ address = "fd81:edb3:71d8::53"; prefixLength = 128; }
];
# VM Nat Netz mercury
networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.28"; prefixLength = 24; } ];
# ildix peering lan
networking.interfaces.ens19.ipv6.addresses = [ { address = "fd81:edb3:71d8:ffff:2953::1"; prefixLength = 64; } ];
# IPv6 Uplink
networking.interfaces.ens20.ipv6.addresses = [ { address = "2001:638:904:ffc9::c"; prefixLength = 64; } ];
systemd.network.netdevs."10-lo-dn42" = {
netdevConfig = {
Kind = "dummy";
Name = "lo-dn42";
};
};
networking.defaultGateway6 = { address = "2001:638:904:ffc9::1"; interface = "ens20"; };
networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; };
networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
systemd.network.networks."10-lo-dn42" = {
matchConfig.Name = "lo-dn42";
address = [
"fd81:edb3:71d8::1/128"
"fd81:edb3:71d8::53/128"
];
linkConfig.RequiredForOnline = "no";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-wan" = {
matchConfig.Name = "ens20";
address = [
"2001:638:904:ffc9::c/64"
];
routes = [
{ Gateway = "2001:638:904:ffc9::1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-nat-netz-mercury" = {
matchConfig.Name = "ens18";
address = [
"192.168.10.28/24"
];
routes = [
{ Gateway = "192.168.10.1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-dn42-ildix" = {
matchConfig.Name = "ens19";
address = [
"fd81:edb3:71d8:ffff:2953::1/64"
];
linkConfig.RequiredForOnline = "no";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
services.nginx.enable = true;
networking.firewall.allowedTCPPorts = [ 80 443 ];
clerie.system-auto-upgrade = {
allowReboot = true;
services.bijwerken = {
autoUpgrade = true;
};

11
hosts/dn42-ildix-service/fernglas.nix
View File

@@ -5,20 +5,21 @@
services.fernglas = {
enable = true;
useMimalloc = false;
settings = {
api.bind = "[::1]:3000";
collectors = [
{
collectors = {
bgp_any = {
collector_type = "Bgp";
bind = "[::]:1179";
default_peer_config = {
asn = 4242422953;
router_id = "${(lib.head config.networking.interfaces.ens18.ipv4.addresses).address}";
router_id = "192.168.10.28";
route_state = "Accepted";
add_path = true;
};
}
];
};
};
};
};

25
hosts/gatekeeper/configuration.nix
View File

@@ -4,19 +4,20 @@
imports =
[
./hardware-configuration.nix
../../configuration/router
];
profiles.clerie.hetzner-cloud.enable = true;
profiles.clerie.router.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
networking.useDHCP = false;
# Network
networking.interfaces.ens3.ipv4.addresses = [ { address = "78.47.183.82"; prefixLength = 32; } ];
networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f8:c0c:15f1::1"; prefixLength = 64; } ];
networking.defaultGateway = { address = "172.31.1.1"; interface = "ens3"; };
networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
networking.nameservers = [ "213.133.98.98" "213.133.99.99" "213.133.100.100" ];
systemd.network.networks."10-wan" = {
address = [
"2a01:4f8:c0c:15f1::1/64"
"78.47.183.82/32"
];
};
networking.nat = {
enable = true;
@@ -73,7 +74,7 @@
{
# palladium
allowedIPs = [ "2a01:4f8:c0c:15f1::8103/128" "10.20.30.103/32" ];
publicKey = "kxn69ynVyPJeShsAlVz5Xnd7U74GmCAw181b0+/qj3k=";
publicKey = "AetxArlP6uiPEPnrk9Yx+ofhBOgOY4NLTqcKM/EA9mk=";
}
#{
# allowedIPs = [ "2a01:4f8:c0c:15f1::8104/128" "10.20.30.104/32" ];
@@ -114,6 +115,11 @@
allowedIPs = [ "2a01:4f8:c0c:15f1::8111/128" "10.20.30.111/32" ];
publicKey = "o6qxGKIoW2ZSFhXeNRXd4G9BRFeYyjZsrUPulB3KhTI=";
}
{
# tungsten
allowedIPs = [ "2a01:4f8:c0c:15f1::8112/128" "10.20.30.112/32" ];
publicKey = "OI5/psr3ShrwRqKTTr3Kv92OVRietTcMFNVXtsYybRo=";
}
];
listenPort = 51820;
allowedIPsAsRoutes = false;
@@ -125,6 +131,7 @@
clerie.nginx-port-forward = {
enable = true;
resolver = "127.0.0.53";
tcpPorts."443" = {
host = "localhost";
port = 22;

33
hosts/hydra-1/configuration.nix
View File

@@ -4,14 +4,15 @@
imports =
[
./hardware-configuration.nix
../../configuration/proxmox-vm
../../configuration/hydra-build-machine
./build-machines.nix
./hydra.nix
./nix-cache.nix
];
profiles.clerie.mercury-vm.enable = true;
profiles.clerie.hydra-build-machine.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
@@ -21,12 +22,28 @@
"aarch64-linux"
];
networking.useDHCP = false;
networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffcb::a"; prefixLength = 64; } ];
networking.interfaces.ens19.ipv4.addresses = [ { address = "192.168.10.36"; prefixLength = 24; } ];
networking.defaultGateway6 = { address = "2001:638:904:ffcb::1"; interface = "ens18"; };
networking.defaultGateway = { address = "192.168.10.1"; interface = "ens19"; };
networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
systemd.network.networks."10-wan" = {
matchConfig.Name = "ens18";
address = [
"2001:638:904:ffcb::a/64"
];
routes = [
{ Gateway = "2001:638:904:ffcb::1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-nat-netz-mercury" = {
matchConfig.Name = "ens19";
address = [
"192.168.10.36/24"
];
routes = [
{ Gateway = "192.168.10.1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
services.nginx.enable = true;

16
hosts/hydra-1/nix-cache.nix
View File

@@ -5,18 +5,10 @@
services.harmonia = {
enable = true;
settings.bind = "[::1]:5005";
};
systemd.services.harmonia = {
environment = {
SIGN_KEY_PATHS = "%d/key1 %d/key2";
};
serviceConfig = {
LoadCredential = [
"key1:${config.sops.secrets."sign-key-nix-cache.clerie.de".path}"
"key2:${config.sops.secrets."sign-key-cache.nix.clerie.de".path}"
];
};
signKeyPaths = [
config.sops.secrets."sign-key-nix-cache.clerie.de".path
config.sops.secrets."sign-key-cache.nix.clerie.de".path
];
};
services.nginx.virtualHosts = {

24
hosts/hydra-2/configuration.nix
View File

@@ -4,10 +4,11 @@
imports =
[
./hardware-configuration.nix
../../configuration/proxmox-vm
../../configuration/hydra-build-machine
];
profiles.clerie.cybercluster-vm.enable = true;
profiles.clerie.hydra-build-machine.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
@@ -17,12 +18,19 @@
"aarch64-linux"
];
networking.useDHCP = false;
networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffc1::100"; prefixLength = 64; } ];
networking.interfaces.ens18.ipv4.addresses = [ { address = "141.24.50.112"; prefixLength = 24; } ];
networking.defaultGateway6 = { address = "2001:638:904:ffc1::1"; interface = "ens18"; };
networking.defaultGateway = { address = "141.24.50.1"; interface = "ens18"; };
networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
systemd.network.networks."10-wan" = {
matchConfig.Name = "ens18";
address = [
"2001:638:904:ffc1::100/64"
"141.24.50.112/24"
];
routes = [
{ Gateway = "2001:638:904:ffc1::1"; }
{ Gateway = "141.24.50.1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
clerie.monitoring = {
enable = true;

5
hosts/krypton/configuration.nix
View File

@@ -5,15 +5,16 @@
[
./hardware-configuration.nix
../../configuration/desktop
./android.nix
./backup.nix
./etesync-dav.nix
#./initrd.nix
./network.nix
./programs.nix
];
profiles.clerie.desktop.enable = true;
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;

10
hosts/krypton/etesync-dav.nix Normal file
View File

@@ -0,0 +1,10 @@
{ ... }:
{
services.etesync-dav = {
enable = true;
apiUrl = "https://etebase.clerie.de";
};
}

2
hosts/krypton/network.nix
View File

@@ -1,7 +1,7 @@
{ ... }:
{
services.wg-clerie = {
profiles.clerie.wg-clerie = {
enable = true;
ipv6s = [ "2a01:4f8:c0c:15f1::8011/128" ];
ipv4s = [ "10.20.30.11/32" ];

12
hosts/krypton/programs.nix
View File

@@ -1,9 +1,7 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
firefox-wayland
];
profiles.clerie.firefox.enable = true;
users.users.clerie.packages = with pkgs; [
keepassxc
@@ -16,19 +14,23 @@
tio
xournalpp
onlyoffice-bin
libreoffice
krita
inkscape
dune3d
wireshark
tcpdump
nmap
okular
kdePackages.okular
chromium-incognito
print-afra
git-show-link
factorio-launcher
];
# Wireshark

11
hosts/mail-2/configuration.nix
View File

@@ -4,16 +4,21 @@
imports =
[
./hardware-configuration.nix
../../configuration/hetzner-cloud
./mailcow.nix
];
profiles.clerie.hetzner-cloud.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f8:1c1c:9577::1"; prefixLength = 64; } ];
networking.interfaces.ens3.ipv4.addresses = [ { address = "5.75.187.112"; prefixLength = 32; } ];
systemd.network.networks."10-wan" = {
address = [
"2a01:4f8:1c1c:9577::1/64"
"5.75.187.112/32"
];
};
clerie.backup = {
enable = true;

12
hosts/monitoring-3/alertmanager.nix
View File

@@ -63,6 +63,18 @@
"instance"
];
}
{
target_matchers = [
''alertname = "StorageAlmostFull"''
];
source_matchers = [
''alertname = "StorageFull"''
];
equal = [
"instance"
"mountpoint"
];
}
];
};
};

42
hosts/monitoring-3/blackbox.nix
View File

@@ -25,6 +25,48 @@
fail_if_not_ssl: true
fail_if_body_not_matches_regexp:
- "Synapse is running"
headers:
User-Agent: "monitoring.clerie.de, blackbox exporter"
http4:
prober: http
http:
preferred_ip_protocol: ip4
ip_protocol_fallback: false
fail_if_ssl: true
follow_redirects: false
valid_status_codes: [ 200, 204, 301, 302, 303, 307, 308 ]
headers:
User-Agent: "monitoring.clerie.de, blackbox exporter"
http6:
prober: http
http:
preferred_ip_protocol: ip6
ip_protocol_fallback: false
fail_if_ssl: true
follow_redirects: false
valid_status_codes: [ 200, 204, 301, 302, 303, 307, 308 ]
headers:
User-Agent: "monitoring.clerie.de, blackbox exporter"
https4:
prober: http
http:
preferred_ip_protocol: ip4
ip_protocol_fallback: false
fail_if_not_ssl: true
follow_redirects: false
valid_status_codes: [ 200, 204, 301, 302, 303, 307, 308 ]
headers:
User-Agent: "monitoring.clerie.de, blackbox exporter"
https6:
prober: http
http:
preferred_ip_protocol: ip6
ip_protocol_fallback: false
fail_if_not_ssl: true
follow_redirects: false
valid_status_codes: [ 200, 204, 301, 302, 303, 307, 308 ]
headers:
User-Agent: "monitoring.clerie.de, blackbox exporter"
'';
};
}

32
hosts/monitoring-3/configuration.nix
View File

@@ -4,25 +4,43 @@
imports =
[
./hardware-configuration.nix
../../configuration/proxmox-vm
./alertmanager.nix
./berlinerbaeder-exporter.nix
./blackbox.nix
./grafana.nix
./nixos-validator.nix
./prometheus.nix
./targets.nix
./uptimestatus.nix
];
profiles.clerie.mercury-vm.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
networking.useDHCP = false;
networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.32"; prefixLength = 24; } ];
networking.interfaces.ens19.ipv6.addresses = [ { address = "2001:638:904:ffca::7"; prefixLength = 64; } ];
networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; };
networking.defaultGateway6 = { address = "2001:638:904:ffca::1"; interface = "ens19"; };
networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
systemd.network.networks."10-wan" = {
matchConfig.Name = "ens19";
address = [
"2001:638:904:ffca::7/64"
];
routes = [
{ Gateway = "2001:638:904:ffca::1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-nat-netz-mercury" = {
matchConfig.Name = "ens18";
address = [
"192.168.10.32/24"
];
routes = [
{ Gateway = "192.168.10.1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
services.prometheus.exporters.node.enable = true;

77
hosts/monitoring-3/dashboards/home.json Normal file
View File

@@ -0,0 +1,77 @@
{
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": {
"type": "datasource",
"uid": "grafana"
},
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"target": {
"limit": 100,
"matchAny": false,
"tags": [],
"type": "dashboard"
},
"type": "dashboard"
}
]
},
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 0,
"id": 10,
"links": [],
"panels": [
{
"fieldConfig": {
"defaults": {},
"overrides": []
},
"gridPos": {
"h": 11,
"w": 24,
"x": 0,
"y": 0
},
"id": 2,
"options": {
"includeVars": false,
"keepTime": false,
"maxItems": 10,
"query": "",
"showFolderNames": true,
"showHeadings": false,
"showRecentlyViewed": false,
"showSearch": true,
"showStarred": false,
"tags": []
},
"pluginVersion": "12.0.2+security-01",
"title": "Dashboards",
"type": "dashlist"
}
],
"preload": false,
"refresh": "",
"schemaVersion": 41,
"tags": [],
"templating": {
"list": []
},
"time": {
"from": "now-6h",
"to": "now"
},
"timepicker": {
"hidden": true
},
"timezone": "browser",
"title": "Home",
"uid": "OqTN9p2nz",
"version": 1
}

355
hosts/monitoring-3/dashboards/nginx-exporter.json Normal file
View File

@@ -0,0 +1,355 @@
{
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": {
"type": "grafana",
"uid": "-- Grafana --"
},
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"type": "dashboard"
}
]
},
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 0,
"id": 16,
"links": [],
"panels": [
{
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "palette-classic"
},
"custom": {
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"barWidthFactor": 0.6,
"drawStyle": "line",
"fillOpacity": 0,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"insertNulls": false,
"lineInterpolation": "linear",
"lineWidth": 1,
"pointSize": 5,
"scaleDistribution": {
"type": "linear"
},
"showPoints": "auto",
"spanNulls": false,
"stacking": {
"group": "A",
"mode": "none"
},
"thresholdsStyle": {
"mode": "off"
}
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green"
}
]
},
"unit": "reqps"
},
"overrides": []
},
"gridPos": {
"h": 10,
"w": 12,
"x": 0,
"y": 0
},
"id": 1,
"options": {
"legend": {
"calcs": [],
"displayMode": "list",
"placement": "bottom",
"showLegend": true
},
"tooltip": {
"hideZeros": false,
"mode": "single",
"sort": "none"
}
},
"pluginVersion": "12.0.2+security-01",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"disableTextWrap": false,
"editorMode": "builder",
"expr": "sum by(server_name) (rate(nginxlog_http_response_count_total{server_name=~\"$server_name\"}[5m]))",
"fullMetaSearch": false,
"includeNullMetadata": true,
"legendFormat": "__auto",
"range": true,
"refId": "A",
"useBackend": false
}
],
"title": "Total requests",
"type": "timeseries"
},
{
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "palette-classic"
},
"custom": {
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"barWidthFactor": 0.6,
"drawStyle": "line",
"fillOpacity": 0,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"insertNulls": false,
"lineInterpolation": "linear",
"lineWidth": 1,
"pointSize": 5,
"scaleDistribution": {
"type": "linear"
},
"showPoints": "auto",
"spanNulls": false,
"stacking": {
"group": "A",
"mode": "none"
},
"thresholdsStyle": {
"mode": "off"
}
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green"
}
]
},
"unit": "reqps"
},
"overrides": []
},
"gridPos": {
"h": 10,
"w": 12,
"x": 12,
"y": 0
},
"id": 2,
"options": {
"legend": {
"calcs": [],
"displayMode": "list",
"placement": "bottom",
"showLegend": true
},
"tooltip": {
"hideZeros": false,
"mode": "single",
"sort": "none"
}
},
"pluginVersion": "12.0.2+security-01",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"disableTextWrap": false,
"editorMode": "builder",
"expr": "sum by(server_name, method) (rate(nginxlog_http_response_count_total{server_name=~\"$server_name\"}[5m]))",
"fullMetaSearch": false,
"includeNullMetadata": true,
"legendFormat": "{{server_name}}: {{method}}",
"range": true,
"refId": "A",
"useBackend": false
}
],
"title": "Status codes",
"type": "timeseries"
},
{
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "palette-classic"
},
"custom": {
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"barWidthFactor": 0.6,
"drawStyle": "line",
"fillOpacity": 0,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"insertNulls": false,
"lineInterpolation": "linear",
"lineWidth": 1,
"pointSize": 5,
"scaleDistribution": {
"type": "linear"
},
"showPoints": "auto",
"spanNulls": false,
"stacking": {
"group": "A",
"mode": "none"
},
"thresholdsStyle": {
"mode": "off"
}
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green"
}
]
},
"unit": "reqps"
},
"overrides": []
},
"gridPos": {
"h": 10,
"w": 12,
"x": 0,
"y": 10
},
"id": 3,
"options": {
"legend": {
"calcs": [],
"displayMode": "list",
"placement": "bottom",
"showLegend": true
},
"tooltip": {
"hideZeros": false,
"mode": "single",
"sort": "none"
}
},
"pluginVersion": "12.0.2+security-01",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"disableTextWrap": false,
"editorMode": "builder",
"expr": "sum by(server_name, status) (rate(nginxlog_http_response_count_total{server_name=~\"$server_name\"}[5m]))",
"fullMetaSearch": false,
"includeNullMetadata": true,
"legendFormat": "{{server_name}}: HTTP {{status}}",
"range": true,
"refId": "A",
"useBackend": false
}
],
"title": "Response codes",
"type": "timeseries"
}
],
"preload": false,
"refresh": "30s",
"schemaVersion": 41,
"tags": [],
"templating": {
"list": [
{
"current": {
"text": "All",
"value": [
"$__all"
]
},
"definition": "label_values(nginxlog_http_response_count_total,server_name)",
"includeAll": true,
"label": "vHost",
"multi": true,
"name": "server_name",
"options": [],
"query": {
"qryType": 1,
"query": "label_values(nginxlog_http_response_count_total,server_name)",
"refId": "PrometheusVariableQueryEditor-VariableQuery"
},
"refresh": 1,
"regex": "",
"type": "query"
}
]
},
"time": {
"from": "now-3h",
"to": "now"
},
"timepicker": {},
"timezone": "browser",
"title": "Nginx Exporter",
"uid": "b042a880-3cb0-4dd3-ae48-4745a58af698",
"version": 7
}

135
hosts/monitoring-3/dashboards/nixos-status.json Normal file
View File

@@ -0,0 +1,135 @@
{
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": {
"type": "grafana",
"uid": "-- Grafana --"
},
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"target": {
"limit": 100,
"matchAny": false,
"tags": [],
"type": "dashboard"
},
"type": "dashboard"
}
]
},
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 0,
"id": 15,
"links": [],
"panels": [
{
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "continuous-RdYlGr"
},
"custom": {
"axisPlacement": "auto",
"fillOpacity": 70,
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"insertNulls": false,
"lineWidth": 0,
"spanNulls": false
},
"mappings": [
{
"options": {
"0": {
"index": 1,
"text": "mismatch"
},
"1": {
"index": 0,
"text": "sync"
}
},
"type": "value"
}
],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "red"
}
]
}
},
"overrides": []
},
"gridPos": {
"h": 23,
"w": 24,
"x": 0,
"y": 0
},
"id": 2,
"options": {
"alignValue": "left",
"legend": {
"displayMode": "list",
"placement": "bottom",
"showLegend": true
},
"mergeValues": true,
"rowHeight": 0.9,
"showValue": "auto",
"tooltip": {
"hideZeros": false,
"mode": "single",
"sort": "none"
}
},
"pluginVersion": "12.0.2+security-01",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"editorMode": "builder",
"expr": "nixos_current_system_is_sync",
"legendFormat": "{{instance}}",
"range": true,
"refId": "A"
}
],
"title": "Config is Sync",
"type": "state-timeline"
}
],
"preload": false,
"refresh": "5m",
"schemaVersion": 41,
"tags": [],
"templating": {
"list": []
},
"time": {
"from": "now-7d",
"to": "now"
},
"timepicker": {},
"timezone": "",
"title": "NixOS Status",
"uid": "W4j3nz1Vz",
"version": 3
}

211
hosts/monitoring-3/dashboards/smokeping.json Normal file
View File

@@ -0,0 +1,211 @@
{
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": {
"type": "datasource",
"uid": "grafana"
},
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"target": {
"limit": 100,
"matchAny": false,
"tags": [],
"type": "dashboard"
},
"type": "dashboard"
}
]
},
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 0,
"id": 11,
"links": [],
"panels": [
{
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "palette-classic"
},
"custom": {
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"barWidthFactor": 0.6,
"drawStyle": "line",
"fillOpacity": 0,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"insertNulls": false,
"lineInterpolation": "linear",
"lineWidth": 1,
"pointSize": 5,
"scaleDistribution": {
"type": "linear"
},
"showPoints": "auto",
"spanNulls": false,
"stacking": {
"group": "A",
"mode": "none"
},
"thresholdsStyle": {
"mode": "off"
}
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green"
},
{
"color": "red",
"value": 80
}
]
},
"unit": "s"
},
"overrides": []
},
"gridPos": {
"h": 22,
"w": 24,
"x": 0,
"y": 0
},
"id": 2,
"options": {
"legend": {
"calcs": [],
"displayMode": "list",
"placement": "bottom",
"showLegend": true
},
"tooltip": {
"hideZeros": false,
"mode": "single",
"sort": "none"
}
},
"pluginVersion": "12.0.2+security-01",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"editorMode": "code",
"exemplar": true,
"expr": "probe_icmp_duration_seconds{job=\"blackbox_icmp6\", target=~\"$target\", instance=~\"$instance\", phase=\"rtt\"} > 0 ",
"interval": "",
"legendFormat": "IPv6 {{target}} ({{instance}})",
"range": true,
"refId": "A"
},
{
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"editorMode": "code",
"exemplar": true,
"expr": "probe_icmp_duration_seconds{job=\"blackbox_icmp4\", target=~\"$target\", instance=~\"$instance\", phase=\"rtt\"} > 0",
"hide": false,
"interval": "",
"legendFormat": "IPv4 {{target}} ({{instance}})",
"range": true,
"refId": "B"
}
],
"title": "Smokeping",
"type": "timeseries"
}
],
"preload": false,
"refresh": "",
"schemaVersion": 41,
"tags": [],
"templating": {
"list": [
{
"current": {
"text": "All",
"value": "$__all"
},
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"definition": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, target)",
"includeAll": true,
"label": "Target:",
"multi": true,
"name": "target",
"options": [],
"query": {
"query": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, target)",
"refId": "StandardVariableQuery"
},
"refresh": 1,
"regex": "",
"type": "query"
},
{
"current": {
"text": [
"All"
],
"value": [
"$__all"
]
},
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"definition": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, instance)",
"includeAll": true,
"label": "Instance:",
"multi": true,
"name": "instance",
"options": [],
"query": {
"query": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, instance)",
"refId": "StandardVariableQuery"
},
"refresh": 1,
"regex": "",
"type": "query"
}
]
},
"time": {
"from": "now-30m",
"to": "now"
},
"timepicker": {},
"timezone": "",
"title": "Smokeping",
"uid": "IytTVZL7z",
"version": 9
}

4
hosts/monitoring-3/grafana.nix
View File

@@ -38,6 +38,10 @@
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://[::1]:3001/";
locations."= /api/live/ws" = {
proxyPass = "http://[::1]:3001";
proxyWebsockets = true;
};
};
};
};

265
hosts/monitoring-3/prometheus.nix
View File

@@ -52,9 +52,20 @@ let
attrByPath ["clerie" "monitoring" "blackbox"] false host.config)
monitoringHosts);
nginxlogMonitoringTargets = mapAttrsToList (name: host:
"${host.config.networking.hostName}.mon.clerie.de:9117")
(filterAttrs (name: host:
attrByPath ["services" "prometheus" "exporters" "nginxlog" "enable"] false host.config)
monitoringHosts);
eachWithEachOther = (f: x: y: lib.lists.flatten (lib.lists.forEach x (a: lib.lists.forEach y (b: f a b))));
in {
sops.secrets.uberspace-monitor-password = {
owner = "prometheus";
group = "prometheus";
};
networking.hosts = {
"::1" = [ "monitoring-3.mon.clerie.de" ]; # fd00:327:327:327::1
}
@@ -99,6 +110,21 @@ in {
relabelAddressToInstance
];
}
{
job_name = "alertmanager";
scrape_interval = "20s";
scheme = "http";
static_configs = [
{
targets = [
"monitoring-3.mon.clerie.de:9093"
];
}
];
relabel_configs = [
relabelAddressToInstance
];
}
{
job_name = "node-exporter";
scrape_interval = "20s";
@@ -126,6 +152,42 @@ in {
relabelAddressToInstance
];
}
{
job_name = "node-exporter-uberspace";
scrape_interval = "20s";
metrics_path = "/.node-exporter/metrics";
basic_auth = {
username = "monitor";
password_file = config.sops.secrets.uberspace-monitor-password.path;
};
static_configs = [
{
targets = map (target: "${target};infra") config.profiles.clerie.monitoring-server.probeTargets.node-exporter-uberspace;
}
];
relabel_configs = [
{
source_labels = [ "__address__" ];
regex = "(.+);(.+)";
target_label = "service_level";
replacement = "\${2}";
}
{
source_labels = [ "__address__" ];
regex = "(.+);(.+)";
target_label = "__address__";
replacement = "\${1}";
}
{
source_labels = [ "__address__" ];
target_label = "instance";
}
{
target_label = "job";
replacement = "node-exporter";
}
];
}
{
job_name = "nixos-exporter";
scrape_interval = "1m";
@@ -156,7 +218,7 @@ in {
relabelAddressToInstance
{
target_label = "__address__";
replacement = "[::1]:9153";
replacement = "monitoring-3.mon.clerie.de:9153";
}
];
}
@@ -181,16 +243,7 @@ in {
};
static_configs = [
{
targets = eachWithEachOther (instance: target: "${instance};${target}") blackboxMonitoringTargets [
"clerie.de"
"tagesschau.de"
"google.com"
"achtbaan.nikhef.nl"
"fluorine.net.clerie.de"
"www.fem.tu-ilmenau.de"
"www.heise.de"
"dyon.net.entr0py.de"
];
targets = eachWithEachOther (instance: target: "${instance};${target}") blackboxMonitoringTargets config.profiles.clerie.monitoring-server.probeTargets.blackbox-icmp6;
}
];
relabel_configs = [
@@ -222,26 +275,7 @@ in {
};
static_configs = [
{
targets = eachWithEachOther (instance: target: "${instance};${target}") blackboxMonitoringTargets [
"clerie.de"
"tagesschau.de"
"google.com"
"achtbaan.nikhef.nl"
"www.fem.tu-ilmenau.de"
"www.heise.de"
"pe10-fd2.nodes.nethinks.com"
"pe20-fd2.nodes.nethinks.com"
"pe10-pet1.nodes.nethinks.com"
"pe20-pet1.nodes.nethinks.com"
"pe10-ffm1.nodes.nethinks.com"
"ie10-ffm2.nodes.nethinks.com"
"pe10-ffm2.nodes.nethinks.com"
"ie10-due1.nodes.nethinks.com"
"pe10-due1.nodes.nethinks.com"
"matrix.bau-ha.us"
"dyon.net.entr0py.de"
"matrix.entr0py.de"
];
targets = eachWithEachOther (instance: target: "${instance};${target}") blackboxMonitoringTargets config.profiles.clerie.monitoring-server.probeTargets.blackbox-icmp4;
}
];
relabel_configs = [
@@ -273,9 +307,7 @@ in {
};
static_configs = [
{
targets = [
"matrix.entr0py.de"
];
targets = config.profiles.clerie.monitoring-server.probeTargets.blackbox-local-synapse;
}
];
relabel_configs = [
@@ -356,42 +388,118 @@ in {
];
}
{
job_name = "zimmer-temp";
scrape_interval = "20s";
scheme = "https";
metrics_path = "/data/zimmer-temp/";
job_name = "blackbox_local_http6";
scrape_interval = "100s";
metrics_path = "/probe";
params = {
module = [ "http6" ];
};
static_configs = [
{
targets = [
"iot-data.clerie.de"
];
}
];
}
{
job_name = "outdoor-temp";
scrape_interval = "20s";
scheme = "https";
metrics_path = "/data/outdoor-temp/";
static_configs = [
{
targets = [
"iot-data.clerie.de"
];
}
];
}
{
job_name = "xmpp-alerts";
scrape_interval = "20s";
static_configs = [
{
targets = [
"monitoring-3.mon.clerie.de:9199"
];
targets = config.profiles.clerie.monitoring-server.probeTargets.blackbox-local-http6;
}
];
relabel_configs = [
{
source_labels = [ "__address__" ];
target_label = "__param_target";
replacement = "http://\${1}";
}
{
source_labels = [ "__address__" ];
target_label = "target";
}
{
target_label = "__address__";
replacement = "monitoring-3.mon.clerie.de:9115";
}
relabelAddressToInstance
];
}
{
job_name = "blackbox_local_http4";
scrape_interval = "100s";
metrics_path = "/probe";
params = {
module = [ "http4" ];
};
static_configs = [
{
targets = config.profiles.clerie.monitoring-server.probeTargets.blackbox-local-http4;
}
];
relabel_configs = [
{
source_labels = [ "__address__" ];
target_label = "__param_target";
replacement = "http://\${1}";
}
{
source_labels = [ "__address__" ];
target_label = "target";
}
{
target_label = "__address__";
replacement = "monitoring-3.mon.clerie.de:9115";
}
relabelAddressToInstance
];
}
{
job_name = "blackbox_local_https6";
scrape_interval = "100s";
metrics_path = "/probe";
params = {
module = [ "https6" ];
};
static_configs = [
{
targets = config.profiles.clerie.monitoring-server.probeTargets.blackbox-local-http6;
}
];
relabel_configs = [
{
source_labels = [ "__address__" ];
target_label = "__param_target";
replacement = "https://\${1}";
}
{
source_labels = [ "__address__" ];
target_label = "target";
}
{
target_label = "__address__";
replacement = "monitoring-3.mon.clerie.de:9115";
}
relabelAddressToInstance
];
}
{
job_name = "blackbox_local_https4";
scrape_interval = "100s";
metrics_path = "/probe";
params = {
module = [ "https4" ];
};
static_configs = [
{
targets = config.profiles.clerie.monitoring-server.probeTargets.blackbox-local-http4;
}
];
relabel_configs = [
{
source_labels = [ "__address__" ];
target_label = "__param_target";
replacement = "https://\${1}";
}
{
source_labels = [ "__address__" ];
target_label = "target";
}
{
target_label = "__address__";
replacement = "monitoring-3.mon.clerie.de:9115";
}
relabelAddressToInstance
];
}
@@ -421,12 +529,37 @@ in {
relabelAddressToInstance
];
}
{
job_name = "clerie_keys";
scrape_interval = "5m";
scheme = "https";
metrics_path = "/gpg/clerie@clerie.de.metrics.txt";
static_configs = [
{
targets = [
"clerie.de"
];
}
];
}
{
job_name = "nginxlog-exporter";
scrape_interval = "20s";
static_configs = [
{
targets = nginxlogMonitoringTargets;
}
];
relabel_configs = [
relabelAddressToInstance
];
}
];
alertmanagers = [
{
static_configs = [ {
targets = [
"[::1]:9093"
"monitoring-3.mon.clerie.de:9093"
];
} ];
}

49
hosts/monitoring-3/rules.yml
View File

@@ -17,14 +17,22 @@ groups:
annotations:
summary: "Current system of {{ $labels.instance }} not in sync with config"
description: "The current system hash of {{ $labels.instance }} does not match the one generated by hydra based on the current config"
- alert: BackupStorageFull
expr: ((last_over_time(node_filesystem_avail_bytes{job="node-exporter"}[5m]) / last_over_time(node_filesystem_size_bytes{job="node-exporter"}[5m])) * 100) < 5
- alert: StorageFull
expr: ((last_over_time(node_filesystem_avail_bytes{job="node-exporter", mountpoint!="/nix/store"}[5m]) / last_over_time(node_filesystem_size_bytes{job="node-exporter", mountpoint!="/nix/store"}[5m])) * 100) < 5
for: 30m
labels:
severity: critical
annotations:
summary: "Storage of {{ $labels.instance }} is full"
description: "Storage of {{ $labels.instance }} for {{ $labels.mountpoint }} on {{ $labels.device }} is full"
- alert: StorageAlmostFull
expr: ((last_over_time(node_filesystem_avail_bytes{job="node-exporter", mountpoint!="/nix/store"}[5m]) / last_over_time(node_filesystem_size_bytes{job="node-exporter", mountpoint!="/nix/store"}[5m])) * 100) < 10
for: 30m
labels:
severity: warning
annotations:
summary: "Storage of {{ $labels.instance }} is almost full"
description: "Storage of {{ $labels.instance }} for {{ $labels.mountpoint }} on {{ $labels.device }} is almost full"
- alert: ClerieBackupJobLastSuccessfulRunBehind
expr: time() - last_over_time(clerie_backup_last_successful_run_time{}[5m]) >= 9000
for: 5m
@@ -65,3 +73,40 @@ groups:
annotations:
summary: "Synapse of {{ $labels.target }} unavailable"
description: "The Synapse backend of {{ $labels.target }} is unreachable or returns garbage"
- alert: ClerieKeysExpire
expr: last_over_time(clerie_keys_gpg_key_expire_time[15m]) - time() < 1209600
labels:
severity: critical
annotations:
summary: "GPG {{ $labels.fingerprint }} is expiring"
description: "GPG with fingerprint {{ $labels.fingerprint }} is expiring in less then two weeks"
- alert: ClerieKeysAlmostExpire
expr: last_over_time(clerie_keys_gpg_key_expire_time[15m]) - time() < 3628800
labels:
severity: warning
annotations:
summary: "GPG {{ $labels.fingerprint }} is expiring soon"
description: "GPG with fingerprint {{ $labels.fingerprint }} is expiring in less then six weeks"
- alert: NadjaTopIPv4ProxyBroken
expr: probe_success{job="blackbox_local_http6", target="blog.nadja.top"} != on (target) probe_success{job="blackbox_local_http4", target="blog.nadja.top"}
for: 15m
labels:
severity: critical
annotations:
summary: "blog.nadja.top unreachable via IPv4"
description: "blog.nadja.top unreachable IPv4, but reachable via IPv6"
- alert: AlertmanagerNotificationRequestsFailed
expr: rate(alertmanager_notification_requests_failed_total[5m]) > 0
labels:
severity: critical
annotations:
summary: "Too many notification requests failed"
description: "Too many notification requests to Alertmanager integration {{ $labels.integration }} failed"
- alert: FemSocialDown
expr: min(probe_success{target="fem.social", job=~"blackbox_local_http.*"}) == 0
for: 5m
labels:
severity: critical
annotations:
summary: "fem.social unavailable via HTTP"
description: "fem.social is not fully reachable via HTTP"

7
hosts/monitoring-3/secrets.json
View File

@@ -1,4 +1,5 @@
{
"uberspace-monitor-password": "ENC[AES256_GCM,data:NfM9jxZAMkSGFlPYxreP7LJkr9gA2llyVw96okIKNUQ=,iv:z/LW643T36HpKo/xhHcVnF0EqhEXdoiEkDMH6NQzN9A=,tag:KXR2+kizv3To0EvZ66ak9w==,type:str]",
"wg-monitoring": "ENC[AES256_GCM,data:kYFhMbqL7b0rwE2XIaR4QVT8ahoODmpXKzK5gvkODFJVklubwCmq2bLJk94=,iv:eR+VjxdtS4et9I4okzHyA+if1Rxj2/MuiC0CrWXd0Bg=,tag:rMaYMTvO6gWw6WegehDBFQ==,type:str]",
"xmpp-password": "ENC[AES256_GCM,data:eBZsBYqo+juLrYZjBqTcKFirHViRsul+wt6kkOmMhCp4xU7Ou8eJAPCOuhvHcUGxRE44L0yIyUObhRgAj0T5QA==,iv:DsLJ3qCZyrdolJBZFT9FJUNQ75pc8Vz32K2a8RJHuLc=,tag:wOxs2Ulw1aSMadWfjGSKsw==,type:str]",
"sops": {
@@ -12,8 +13,8 @@
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxOGNMcm9vRWxMZjBwcmVS\nVGVoS2kwSmZjOHdGMXQwUmlzV3hhbGhhOVhzCkljQi94aUtORldKOFdqeVNXYnJQ\ndS9Vc0hRRisyL1dESk1NOTQ1dVJyMDgKLS0tIE54VlU1cVRXWXRlVGU5RzR5dXkv\nSEZJeElpWDdJYW9WNWxGLzdjdGR1YUUKGZwFPOc4MD97FBRtj1Py4A9Tz/HlzHcK\nX6nYgkYSUycM4g4d3+N+1NKutfWJ7KheuTlhNRDftyLYmmo5wyEtrw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2024-04-21T17:08:58Z",
"mac": "ENC[AES256_GCM,data:UucT7OiO9S3FcO9b1UKPQYXi7v3Ak7/J/VkDN4P9fssS4nky6PyX4oV5UvGcuR3p0pxLAHGJ4rOXj5QbnOqwDqmHfCnoqdItAlXRT1YPdSrelQ/gHyOfexsuV1XLOUS/OXJoYEi3ymKtza4rMIZow+du0YkRxrJQjwM0y8XSa3I=,iv:mDBaVhbHCLdxx5DC7urPPDdVPsCPYqKgLRwfqjLFdnU=,tag:Wpq6ihxIr/eceG12gpOJwQ==,type:str]",
"lastmodified": "2025-03-07T20:23:25Z",
"mac": "ENC[AES256_GCM,data:6GY06rVSKtQqaV5kLgTU4Wlu+e+dkNhxaPkJqKE8hrfJzO85WU6/iLvuv4ai0u+cUeWcOZatskzUeaVL/NjrRZnsNnxUqWbljLs8//0uUln71D/DWE4Vpb6Uz9I2iHG2Gftv3iyYF3nucrHiSTvyLzb9fDL+eGv0CHa/KmYk97g=,iv:f6xqDtHoBy7h7KRr2J0kYcaf6indqnRrJsYdcv9EHJs=,tag:uliCg2x92qY9SN9hg08Iuw==,type:str]",
"pgp": [
{
"created_at": "2024-04-21T17:08:30Z",
@@ -22,6 +23,6 @@
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.8.1"
"version": "3.9.4"
}
}

7
hosts/monitoring-3/targets.nix Normal file
View File

@@ -0,0 +1,7 @@
{ ... }:
{
profiles.clerie.monitoring-server.targets = builtins.fromJSON (builtins.readFile ../../monitoring/targets.json);
}

42
hosts/nonat/configuration.nix
View File

@@ -4,28 +4,33 @@
imports =
[
./hardware-configuration.nix
../../configuration/proxmox-vm
../../configuration/router
];
profiles.clerie.mercury-vm.enable = true;
profiles.clerie.router.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
networking.useDHCP = false;
# Network
networking.interfaces.ens18.ipv4.addresses = [
{ address = "141.24.46.169"; prefixLength = 24; }
];
networking.interfaces.ens18.ipv6.addresses = [
{ address = "2001:638:904:ffca::6"; prefixLength = 64; }
];
networking.defaultGateway = { address = "141.24.46.1"; interface = "ens18"; };
networking.defaultGateway6 = { address = "2001:638:904:ffca::1"; interface = "ens18"; };
networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
networking.interfaces.ens19.ipv4.addresses = [
{ address = "192.168.10.1"; prefixLength = 24; }
];
systemd.network.networks."10-wan" = {
matchConfig.Name = "ens18";
address = [
"2001:638:904:ffca::6/64"
"141.24.46.169/24"
];
routes = [
{ Gateway = "141.24.46.1"; }
{ Gateway = "2001:638:904:ffca::1"; }
];
linkConfig.RequiredForOnline = "routable";
};
systemd.network.networks."10-nat-netz-mercury" = {
matchConfig.Name = "ens19";
address = [
"192.168.10.1/24"
];
linkConfig.RequiredForOnline = "no";
};
networking.nat = {
enableIPv6 = true;
@@ -36,8 +41,7 @@
networking.firewall.allowedUDPPorts = [];
clerie.system-auto-upgrade = {
allowReboot = true;
services.bijwerken = {
autoUpgrade = true;
};

31
hosts/osmium/configuration.nix
View File

@@ -4,12 +4,13 @@
imports =
[
./hardware-configuration.nix
../../configuration/proxmox-vm
./nixfiles-updated-inputs.nix
./polkit-test.nix
];
profiles.clerie.mercury-vm.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
@@ -19,12 +20,28 @@
"aarch64-linux"
];
networking.useDHCP = false;
networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.29"; prefixLength = 24; } ];
networking.interfaces.ens19.ipv6.addresses = [ { address = "2001:638:904:ffc7::6"; prefixLength = 64; } ];
networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; };
networking.defaultGateway6 = { address = "2001:638:904:ffc7::1"; interface = "ens19"; };
networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
systemd.network.networks."10-wan" = {
matchConfig.Name = "ens19";
address = [
"2001:638:904:ffc7::6/64"
];
routes = [
{ Gateway = "2001:638:904:ffc7::1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-nat-netz-mercury" = {
matchConfig.Name = "ens18";
address = [
"192.168.10.29/24"
];
routes = [
{ Gateway = "192.168.10.1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
environment.systemPackages = with pkgs; [
git

44
hosts/palladium/backup-scripts.nix
View File

@@ -1,44 +0,0 @@
{ pkgs, ... }:
let
cb-mount = pkgs.writeScriptBin "cb-mount" ''
#!${pkgs.bash}/bin/bash
DEVICE=/dev/disk/by-path/pci-0000:00:12.0-ata-2-part1
${pkgs.cryptsetup}/bin/cryptsetup luksOpen ''${DEVICE} external-drive
mkdir -p /mnt/external-drive
mount /dev/mapper/external-drive /mnt/external-drive
mkdir -p /mnt/external-drive/clerie-backup
chown borg:borg -R /mnt/external-drive/clerie-backup
'';
cb-unmount = pkgs.writeScriptBin "cb-unmount" ''
#!${pkgs.bash}/bin/bash
umount /mnt/external-drive
${pkgs.cryptsetup}/bin/cryptsetup luksClose external-drive
'';
cb-prepare = pkgs.writeScriptBin "cb-prepare" ''
echo "Formatting disk"
sgdisk -Z /dev/disk/by-path/pci-0000:00:12.0-ata-2
sgdisk -N 1 /dev/disk/by-path/pci-0000:00:12.0-ata-2
partprobe /dev/disk/by-path/pci-0000:00:12.0-ata-2
echo "Creating encrypted partition"
${pkgs.cryptsetup}/bin/cryptsetup luksFormat -c aes-xts-plain64 --hash=sha256 -s 256 /dev/disk/by-path/pci-0000:00:12.0-ata-2-part1
echo "Opening encrypted partition"
${pkgs.cryptsetup}/bin/cryptsetup luksOpen /dev/disk/by-path/pci-0000:00:12.0-ata-2-part1 external-drive
echo "Creating file system"
mkfs.ext4 /dev/mapper/external-drive
echo "Closing encrypted partition"
${pkgs.cryptsetup}/bin/cryptsetup luksClose external-drive
'';
in {
environment.systemPackages = [ cb-mount cb-unmount cb-prepare ];
}

71
hosts/palladium/configuration.nix
View File

@@ -5,52 +5,61 @@
[
./hardware-configuration.nix
./backup-scripts.nix
./restic-server.nix
./wg-b-palladium.nix
];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.kernelParams = [ "console=ttyS0,115200n8" ];
networking.useDHCP = false;
networking.interfaces.enp3s0.ipv6.addresses = [
{ address = "fd00:152:152:4::11"; prefixLength = 64; }
{ address = "2001:4cd8:100:1337::11"; prefixLength = 64; }
];
networking.defaultGateway6 = { address = "fe80::1"; interface = "enp3s0"; };
networking.nameservers = [ "fd00:152:152::1" ];
boot.loader.grub.enable = true;
boot.loader.grub.device = "nodev";
boot.loader.grub.efiSupport = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.grub.extraConfig = "
serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
terminal_input console serial
terminal_output gfxterm serial
";
boot.initrd.luks = {
devices.lvm = {
device = "/dev/disk/by-uuid/f5597381-b59b-4f19-94b7-fd69aac43d6f";
bypassWorkqueues = true;
};
devices.crypt-storage-palladium = {
device = "/dev/disk/by-uuid/c54396c0-b5d3-4e61-9ef7-483fa2b4a56d";
};
};
boot.swraid.enable = true;
systemd.network.networks."10-wan" = {
matchConfig.Name = "enp3s0";
address = [
"fd00:152:152:4::11/64"
];
networkConfig.DHCP = true;
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
# Keeping the harddrives quiet
services.udev.extraRules = ''
KERNEL=="sd?[0-9]", ENV{ID_MODEL}=="ST1000DM003-1SB102", ACTION=="add", RUN+="${pkgs.hdparm}/sbin/hdparm -S 24 /dev/%k"
'';
services.borgbackup.repos = {
clerie-backup = {
path = "/mnt/palladium/clerie-backup";
authorizedKeysAppendOnly = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFyk716RnbenPMkhLolyIkU8ywUSg8x7hjsXFFQoJx4I root@clerie-backup"
];
};
external-drive = {
path = "/mnt/external-drive/clerie-backup";
authorizedKeysAppendOnly = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPuh74Esdp8JPgIZzM372DaCwtAl2QNtRratnIFG0NRB root@clerie-backup"
];
};
profiles.clerie.wg-clerie = {
enable = true;
ipv6s = [ "2a01:4f8:c0c:15f1::8103/128" ];
ipv4s = [ "10.20.30.103/32" ];
};
# Disable automatic directory creation for external-drive repo
# The directory gets created by the disk formatting script
# Correct permissons will be set right after mounting
# This prevents borg from filling up the root drive when no drive is mounted
systemd.services.borgbackup-repo-external-drive.enable = false;
clerie.monitoring = {
enable = true;
id = "206";
pubkey = "fHOYNZ5I3E2JPrd9dUrNBmu75weX4KbDih5q+GCk8Xk=";
pubkey = "2Q8mO4Y09Oi9CCfUUvWpZ8yIQezwtE94tz6ZbA0EDwE=";
};
system.stateVersion = "21.03";
system.stateVersion = "25.05";
}

25
hosts/palladium/hardware-configuration.nix
View File

@@ -9,26 +9,37 @@
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/b217f1e1-1337-4ef0-bad5-15829ba32c7a";
{ device = "/dev/disk/by-uuid/fbd14cd4-e402-4ad6-b801-8826d6cfc0fb";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/7A6B-3444";
{ device = "/dev/disk/by-uuid/8B45-EBB4";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
fileSystems."/mnt/palladium" =
{ device = "/dev/disk/by-uuid/f20d20ca-6be5-4b16-81fe-e66f31ffd108";
fileSystems."/data" =
{ device = "/dev/disk/by-uuid/e7c41c4d-89d8-4083-ac6e-abbccbebf551";
fsType = "ext4";
};
swapDevices = [ ];
swapDevices =
[ { device = "/dev/disk/by-uuid/6ca5e48f-9b99-4722-b21b-c6f298610157"; }
];
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

20
hosts/palladium/restic-server.nix Normal file
View File

@@ -0,0 +1,20 @@
{ ... }:
{
services.restic.server = {
enable = true;
privateRepos = true;
dataDir = "/data/backup";
listenAddress = "[::]:43242";
};
# restic rest server does not support --htpasswd-file in the current version of nixpkgs
# until then we copy the secrets to the common location
sops.secrets.restic-server-backup-htpasswd = {
path = "/data/backup/.htpasswd";
owner = "restic";
group = "restic";
};
networking.firewall.interfaces.wg-b-palladium.allowedTCPPorts = [ 43242 ];
}

19
hosts/palladium/secrets.json
View File

@@ -1,5 +1,8 @@
{
"wg-monitoring": "ENC[AES256_GCM,data:ip6L61RXAVxaPqizhNTr6zVvKgd40CAsgeNFoAXMARM1nl146ayHK2q7mhc=,iv:G4WLmcPpJOxTcW0bHuEwWmth6u8fYoH7GmpkMo8Z3TQ=,tag:xJ+wCVEUMdqfXPcwgr9WSw==,type:str]",
"restic-server-backup-htpasswd": "ENC[AES256_GCM,data:ouHDwNJ3UQID54qq+6tEc9Zmpa/i5jDMvzIw5baBV4oGy27JI+f40A6tqmQlbRRsX68XhMhfRcpczfTDmf2tFV7TcWB4yA==,iv:PkjCOHFQxbBvYdmOhARJUNUUsAbJiEDnLDM1UWZhHXA=,tag:3cGdkx0xNdtse9hHPa9mUQ==,type:str]",
"wg-b-palladium": "ENC[AES256_GCM,data:VBDyrDYwICbiND8jfkiIr/3oDtP1X9817WhonFYXNSTPZHziEY7U886/DFc=,iv:syqo77FROChv4WKgiGWCUa2ziH2Ds14CT5vVRxGmEvQ=,tag:X2G3JUrabXYmsKPBltOafw==,type:str]",
"wg-clerie": "ENC[AES256_GCM,data:fLGZCRbnDrSWQ+9Q/7l3DUKOgw7blcHpd8svHMZFEKMoTfGeZCc37oKAOKU=,iv:GlPXkeVnzSzAnpdSGIydZP+hhEshJ3X/N1fhwJk5Ol4=,tag:0E9RhBPha0Gun6KUNtvYUg==,type:str]",
"wg-monitoring": "ENC[AES256_GCM,data:3RHk/VI8t9ba/qiWqLkwIxaOt+e0yXw7+f1qpIVdr3JE2NzkVvX6aeP3o2Q=,iv:f4VIK1oyaUilCia1EfEiL18a3zk4+7Ol4ihyhzPounw=,tag:XeTI3iL4qIPS+Z+PDJRGrA==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
@@ -7,20 +10,20 @@
"hc_vault": null,
"age": [
{
"recipient": "age1tl2cd730ctn6jcgg0vf8c5gg9722umk30zwvcwxhejh26p3gt3ds92msyx",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsNHllOHpoYkNyQXMwL002\nRDR4eFVRemc4bW8vYS9GWHFkcmpRbWFFc2tzCmFjV1ZNTzhOYjM4VWltRGhaQ0RP\naC9vN2hrM3NSTDlSd1ZJTldXamJ4NUUKLS0tIDFuUzRKWWQrUFU1SXNqdEV2R1lM\nWXU1by9rYTBINTVralo0TTJmSEZHMm8KYEggCHnOyMcQSdJ9+Ujf61OANuja0ZIf\n+wa9ugc2OZrOYepkjN5X/bETdKfU33pIAL208N9HcOttfhcZq70yUQ==\n-----END AGE ENCRYPTED FILE-----\n"
"recipient": "age1s3f9hxcd89dk3st2r5funjw7cjcq85nuz4gq8w0aplky9v2wqy7qwukagx",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpY3p1Mi85WTNxK2U5bFVP\ncmlFRXNlK2dWMUt1eW1abzIrb0liR043VHpnClIvaHZ1VWxRSFR3ajc0MmJyMFAw\nSWdVclB2OGJqUjNXTmI4MktXVTVQbncKLS0tIFpJTTZJRmJGeE1xNFFScE81R29J\nR3MzOGY1cVhmalNEaHdyWjkyaHVRTDAKXyz/+WdHsC2AppYNf3/W1xx2Zcfg4p50\nCAamBntNMUK8zYLdhoSBT54qVYJJuYZ6eD6WOIZrdCK4HKGy0d13uw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2024-05-10T13:25:28Z",
"mac": "ENC[AES256_GCM,data:fLw0q9h+rlAAiXjtCJeGPi0COEt/UvApRiOpE+ydSrD/jXy+vh2OVW57UZPRBCP1mWtqfUJLiT1BZyOWor7dsPfTvaxCQmYhGcKBLucFEaiUovGgVjxJloD8hDJvSG9SJnlIiDobMsG87MsEWpi70oAbQu3/d4JT1BPSaRpvsjI=,iv:iS7tFqZMa0OzA5ASKPS6CSNTJYYJ0zhjLmBcipjLapg=,tag:Lspazw8Pi5Dxqcrk35A6tA==,type:str]",
"lastmodified": "2025-04-18T08:56:54Z",
"mac": "ENC[AES256_GCM,data:QEEcjNqO+tXpl/4TWx+r8WT+ZsdoBw/CBiz6XpG8rsIl0prBWtQ8YW/DeYAxLPMOlb55HuDsneLEpR2DsBB1x6b0lSyjES/hgMRkweKczFLRxrhHh3qXff/wK9sDaEPLvEzvH99x63+1dAZh7z8CVESDTt8QLKK1qCxOf36QNdc=,iv:NbYc0qz0AUGKWpwKg/1QCuTnZ1+m+e6tQxWAuDogVrw=,tag:JEPtLP7V3N+Lx/quMGq/AQ==,type:str]",
"pgp": [
{
"created_at": "2024-05-10T13:25:16Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPAQ/+KsEUiNCgfajBMEEFsqHqNG3utLNQSLOd6VX/Rk56CjT9\nUtfiCdZCSzrtyT3Anu72auTJ+PHNAVhhHPcDiUcwY9JYXEXNETzEn0U/byS+kvOD\nNTpcpR1gSxJCj1aDqDDpfQQ02hSpKO4iw0B71gKcekUXcD2AQeeW0Djq60CusWVk\nRgC3odnyTr1CN1+JRtKVZKIa78rfOkyhmFP2G2gvsSHhUBd5RtMhJdfYVUTMIKXO\nQFB2IGCoIzE0zDitCcAZ8q6Dc8lBuAvNSiVkFanJn7e7etU3JwDhYsZKRO7jvNX3\nmjHnQ9vf0idCWAi0oabZQ1OGdwPbtjssxmQkzzR8R/paw+iRB50i1UG3/5ehXTV4\nTp/2rEwrsF8jO1bahTcrJirR7RPLEy2BvJ4ALzmEYrIoEwWuCIexrY+e2C2rXpy5\nK2+9Ch0YCaz8sc700bgO5ZkyvnmnbVJxGCaMGQtT9LXiEWvc36sUXhbEGJ0K782Z\n7uVFRs4xWsrUQHo8lFTfW/vLZDq7FvkGnDf5xnoEJp4BNYvYmMmsFiaygkbbqEdH\n2aHRCam9q5zcuBq+aA40KI1P4adIFgij+fijwQ+019JrfaMEXcmwgtOfkb2OZNOF\nXQ3tRgYLaxSae7BYJA4uTaFq60kpp1c8qgxw3WKPEiHywtl/SaPcx1XD9VJoVTGF\nAgwDvZ9WSAhwutIBD/9O0inQ/HmpwtD1AnE89SuZNuGQty71LVhX2PQQWsUdQOuz\ndKZN1wy6UxIImFGisBodUH+48k1DjbkDjL5cLSAUOt9OhAxW2Ubp6HA6wDJPqWj1\nYQMHKmHlf2zh5G1qTUXV3NNw6hSaWejVDS73WNODv1WfUFXrPN9DVLaPsS/RJo2Q\nAoDG/iedeQhIIBwrLIcQ8ttjv9MTI1GzsNRC/CjxQpDnHabqQzFzenjnVRLDXcmr\nwfw0HeTPeNh+pLYb+sBqzGUP0j1GWui99/6NUeo/TloBWJbIung4wq23gYZbHn+K\nbWJSxSy980mvjCXiRukzXlNJMwLZDVoBlPQSbe/pOApHM9HTScZ+3VcLlYOPjgZk\nhnCvFNm+4/00ZgF+tcvLOugIfqwxvOuqW4gGGhNAycHinJZuSfDHYe6zCfEiqc7t\nnHlbhNvlhC8zDu+fOurC2ju5eGv8LqFiobfsBFVdKpl9Gj7yg00S+QmjBcz0lkE9\n1BftwEQaj+r4EDa4cJHSgP+K76utv4Xzt9hHZZJo7hvii+lGxFI7rBm0xbV5bSuY\ntOhN6d98HH2++AoXufIW5vmnydGk2NXu7O8vi6sQWzoqed84ZHbJDWLQawQ8YQlR\nkbht2PzH4+rq1oOVHbLslxWkYF9WMsQRUef6ALNpys/Dj8N54gEN4RTV+SxIVoUC\nDAM1GWv08EiACgEP/1eiG0aASQogSByxl8ZbRjRg768YVR1fwTa8GG5tE7wfcGiI\njZF2TI+yQWt7gRS4AKNm1gfWEEjCH1tBOj53/Wfwn9ZuGoNqboA2jgsh2rnVVSXR\nOdXK3is/FMh9JREr669be83nnQ8fNP8nIz3snEvKVYVGcdsdkDXBz4GKmJx52NNb\nauL+4w14/0PydCVH/njsFY8FyWqP9lUFgpJU8jHjX28oTB3khwWrDs0THwqilTFn\nhFjgeCy555zeh5rDpBDPdPbLUNd094RB15zaKzn2dC15F8DMCLoA9ASNET7S/+u3\n1SjvI4XnOpxK9hyETcwjzbWJc2gV7U38VqxhQW9Vch3AvXOufMMTm6cobLjiwxjF\nl3XTMJ5GvHDZXCwrGEapy9GbHQjbd9yi0iFgfSGV4nkNmCj1jtAMUngdCqELDVU2\nZe3a8IeJswlTteGlXAM5mwnDaegMsiD/vwsq5Rtl0gs3iI3uIN4RFXuvxP+UeJ/c\ndJWqpF8vcQI4qGN3kxgB30I7mUiz1aggv5uw6nDWRJHTQKLeOkV8ssTq4FLs4XYL\n4z4qmMT5i+8bGu575py/LRDjvXBldeitnQj1jAN2y/uPNVWsZqU3S+OkEosYIgSQ\njAe3N0EyH5k3j7j43x91toYOCAkulAuPkox6GyUKKq4dCPWxg9fqQ8u4PaSN1GYB\nCQIQ3+GP0DNWupTIkTS4Bk1LwbT99lyr2DyExqb2pgXmzn05Qs6CE4+jcIxXnmUQ\nzCl6PLiw+DJ1nq5gKtTrkO96HtHGyfPiUunDZXty1/zNltYjedk7ebkWF3LNXBhE\nK38c6yE=\n=w0Nn\n-----END PGP MESSAGE-----",
"created_at": "2025-04-15T17:32:56Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPAQ//aQe91iy/RiR2PJqXhrZVyovraUmm4ivCjPSoookMCHhY\n5HGNdyzttnBjzHNqT8OFo43nu1VPlOYllgQXNbwEj7rSQN5CZQTx35Fhkc2q9q1N\ns3uI+o/RfCLiZMvr5S80lFvmw25hpopGoF0i3sHrORbh5ennzGV2Dsn2RfcQx5Ji\n11kO4QBDNs37cqZEBP4N4R5xEWFMrWPqxVrRuGZkzxR0MPLy+zCSjic0OIXWxi5G\nSTO3rPGn06s3gbMmFgAPVBMR/nyT2kPDwQFbvv7SWNqnyZ1z5S5C7eSpcEa+49IZ\ngHo3hRa0O30bvgc+yhQ9TxhyFmlgk+HWRsc7p1c7B+HK+mwxxnoixfHQLpWEwiQz\nfT32rTG/v4MqNokiyMCvUqffGwBy57YQ0Koggm8kv3GYPbCSXFuGgdxBCUufaIkj\n5n6WmMfjESOEq0+wRw1FZPp6hl1vtCpldlYqm7raOWyzncULvPKbD8AHj7g0QgP/\ndmcVV2ca1V3vklb+FsuiUOJDkGnvue+uUjQ2f/t4JqLYy1dHlfPSX3X+WEJ4U/Nw\nZtpPb7XdgbWLbcDUTpEUGMhlnrLhdjt9w8iDKjZ+kN95fFfR9J4jTyUANIHd0sW1\nuLGphdWX62nmldEIJeselBaVhwiv5qQduNCdDssgZaMlmmdvZUHiABYh8rqKByOF\nAgwDvZ9WSAhwutIBD/4kxHpGFsX6wsP5dfJHGbh6dakqXjidwgkfbgq9eWd3nM9B\nYbmUZNz4vjdWGFIg/zitxpV6SRHItPPLkF0HEqecKrwBC41iczkMTXJsCN19zCEG\nGyMFtiTgYrkLZiN3yMViKbv5sOwm+38dQCE3tL6TZl8Rqi2Wm390DQ/dFSJSdJFb\nLZmOEvUkyChFvS+C6aCIsChoPSRnoqpxzrpJLoozS3EKGb5hKa7SN7zuSyNbUJgR\n4DaruQGNbbSKmInsigqJWtlUbJsYxbOxRGojw2waMRHEvWJfIN6NdsFuCBCMqHA7\nsil+siC7BXqef7nD9UcsjVBPyl7UAtvBAvWpfA83vYwtvSCR8tBPZ7EifyOWplfS\ntdJQFDd14ZGs/kO6j9Ck5d49Y6NuPEfa+wjs8vZGBevWGiErf+RlN7yYRLmX9pr1\nR72U0jC5rhA7+X1JZHEx1DdpNfGDj8MUokXf82aTzQPpOJPPUXOnJP9a6oHFW3Uv\nWmfTSjVbw//B9i/KM5XmVNgp3TyNZmszU36d79W23tnNQhSFpLNz4E/yr+vhvoO1\neowV8gi0BYxNGnUeM+QOFxdvoW4pNyTwVGFbqrJ7xY0m2gYiRpjxf1qpAP5pzm4Z\nrc4c+en8/71oI3Pt2D1IOHMA1VoJbemCxQKjXMb45RJxtSMZTX6kUMeWgXFLvIUC\nDAM1GWv08EiACgEP/RRLSlzAyA297eWSKzDehvMeuf3XL6EgwGo3W4VUjFQLy/k7\nzgJyzmClLaWxoUnhJY26ciaUVX5xzlyamzsuOk+S/Ke/UxHctFhT4jiSfpCj7SJU\n5E+fl4Q1vaH9CwolP/TppYRHw2PrBFHw62+/5o5PzOuSnOQ9M1Yen0sEv3aK1FYb\nCH5lDD12eZ8Qn+aTQUc4DfHGYUZckKp/yWSOYA3/O80bIimSYWjq73CclNQMXeXU\nE520z43xKArHcmbSVcJhxH+tkG+BNJ16l5XQaiKK9p9LlkPyouVvSmedXLsKdt4U\njYGywDAWh39UiepzTNc8I26eM4XcbDZjfF2D9EoNttTXWaHQpIyP/DyzJwShpVGF\nj5l1FmiCXvBxUXUJHP+4ONRtnEjMTQB/6IMWQJ5etVku+8eFRAqrn5J9B5w5/qqj\nf+99lXlORQXo9RDSANinCn6l/zORCUmNqgqfjnuVgsFPJFnUycbyzFsPgZXyF83H\nc/bqAYkjqSlMWzNuhOTgHuDJzt/SPhmbJXJmBH/ZKR52lQRlYonon9+hNE6Ti1aP\nBUdxIpMl89Cj8IPyg24cWlRIRGssIR/7e2iim76lH8VY5QT0M3qUye7KOtKOiJv/\n38kIftzORJ4PQwJnSl2TFqjs/mYSHEx0xc3WednF5ZCDicMYTjkePKJRMHuT0l4B\nYc0BSK8isG7x9SUNSxXUrb26d67ABWRmik+K+B9o7HeQRbPQuPV65m+qBxVEueVu\nYTi+79/6X2pmj/54NbN6Lqaj9SPthnhyDUrduulMRQBvxC2n9gVQ/+UnxEMy\n=Sp14\n-----END PGP MESSAGE-----",
"fp": "0C982F87B7AFBA0F504F90A2629E741947C87928"
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.8.1"
"version": "3.9.4"
}
}

2
hosts/palladium/ssh.pub
View File

@@ -1 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBc/YTf80MjyVeApOecOlxORIlwCaWtJNWtfggc0B374
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF0ZrGvZqxqsGEl2+YNnL5JNpeRc3y0DgqZAkuayfeso

38
hosts/palladium/wg-b-palladium.nix Normal file
View File

@@ -0,0 +1,38 @@
{ config, ... }:
{
sops = {
secrets.wg-b-palladium = {
owner = "systemd-network";
group = "systemd-network";
};
};
systemd.network.netdevs."10-wg-b-palladium" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg-b-palladium";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets.wg-b-palladium.path;
};
wireguardPeers = [
{
PublicKey = "VstE42L1SmZCIShH5sOqcpVQOV0Xb9cFgljD0lhvKFQ=";
AllowedIPs = [ "fd90:37fd:ddec:d921::/64" ];
PersistentKeepalive = 25;
Endpoint = "backup-4.net.clerie.de:51844";
}
];
};
systemd.network.networks."10-wg-b-palladium" = {
matchConfig.Name = "wg-b-palladium";
address = [
"fd90:37fd:ddec:d921::2/64"
];
linkConfig.RequiredForOnline = "no";
};
}

49
hosts/porter/configuration.nix
View File

@@ -4,22 +4,51 @@
imports =
[
./hardware-configuration.nix
../../configuration/router
];
profiles.clerie.netcup.enable = true;
profiles.clerie.router.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
networking.useDHCP = false;
# Network
networking.interfaces.ens3.ipv4.addresses = [ { address = "5.45.100.191"; prefixLength = 22; } ];
networking.interfaces.ens3.ipv6.addresses = [ { address = "2a03:4000:6:48d::1"; prefixLength = 64; } ];
networking.defaultGateway = { address = "5.45.100.1"; interface = "ens3"; };
networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
networking.nameservers = [ "46.38.255.230" "46.38.252.230" ];
systemd.network.networks."10-wan" = {
matchConfig.Name = "ens3";
address = [
"2a03:4000:6:48d::1/64"
"5.45.100.191/22"
];
routes = [
{ Gateway = "fe80::1"; }
{ Gateway = "5.45.100.1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
profiles.clerie.common-webserver.httpDefaultVirtualHost = false;
services.unbound = {
enable = true;
resolveLocalQueries = false;
settings = {
server = {
interface = [ "127.0.0.1" ];
};
};
};
clerie.nginx-port-forward = {
enable = true;
resolver = "127.0.0.1";
tcpPorts."80" = {
host = "baikonur.dyn.weimarnetz.de";
port = 80;
};
tcpPorts."443" = {
host = "baikonur.dyn.weimarnetz.de";
port = 443;
};
tcpPorts."2022" = {
host = "nonat.net.clerie.de";
port = 22;
@@ -29,6 +58,10 @@
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedUDPPorts = [];
services.bijwerken = {
autoUpgrade = true;
};
clerie.monitoring = {
enable = true;
id = "102";

35
hosts/storage-2/configuration.nix
View File

@@ -4,22 +4,40 @@
imports =
[
./hardware-configuration.nix
../../configuration/proxmox-vm
./em.nix
./firmware.nix
./mixcloud.nix
./syncthing.nix
./users.nix
];
profiles.clerie.mercury-vm.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
networking.useDHCP = false;
networking.interfaces.ens19.ipv4.addresses = [ { address = "192.168.10.35"; prefixLength = 24; } ];
networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffc0::4"; prefixLength = 64; } ];
networking.defaultGateway = { address = "192.168.10.1"; interface = "ens19"; };
networking.defaultGateway6 = { address = "2001:638:904:ffc0::1"; interface = "ens18"; };
networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
systemd.network.networks."10-wan" = {
matchConfig.Name = "ens18";
address = [
"2001:638:904:ffc0::4/64"
];
routes = [
{ Gateway = "2001:638:904:ffc0::1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-nat-netz-mercury" = {
matchConfig.Name = "ens19";
address = [
"192.168.10.35/24"
];
routes = [
{ Gateway = "192.168.10.1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
services.nginx.enable = true;
@@ -34,8 +52,7 @@
};
};
clerie.system-auto-upgrade = {
allowReboot = true;
services.bijwerken = {
autoUpgrade = true;
};

17
hosts/storage-2/em.nix Normal file
View File

@@ -0,0 +1,17 @@
{ config, lib, pkgs, ... }:
with lib;
{
users.users.data-em = {
group = "data-em";
home = "/data/em";
useDefaultShell = true;
isSystemUser = true;
};
users.groups.data-em = {};
systemd.tmpfiles.rules = [
"d /data/em - data-em data-em - -"
];
}

1
hosts/storage-2/users.nix
View File

@@ -2,4 +2,5 @@
{
users.users.clerie.extraGroups = [ "data-firmware" ];
users.users.frank.extraGroups = [ "data-em" ];
}

38
hosts/tungsten/configuration.nix Normal file
View File

@@ -0,0 +1,38 @@
{ config, pkgs, lib, ... }:
{
imports =
[
./hardware-configuration.nix
];
profiles.clerie.network-fallback-dhcp.enable = true;
boot.kernelParams = [ "console=ttyS0,115200n8" ];
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/disk/by-id/ata-InnoDisk_Corp._DRPS-08GJ30AC1QS-A88_20120705AAB200000505";
boot.loader.grub.extraConfig = "
serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
terminal_input serial
terminal_output serial
";
networking.hostName = "tungsten";
profiles.clerie.wg-clerie = {
enable = true;
ipv6s = [ "2a01:4f8:c0c:15f1::8112/128" ];
ipv4s = [ "10.20.30.112/32" ];
};
clerie.monitoring = {
enable = true;
id = "216";
pubkey = "bDmf4xndBNwzcvIGCMq6dhyzjdEZOV2ckhv/37V/PWg=";
serviceLevel = "event";
};
system.stateVersion = "25.05";
}

46
hosts/tungsten/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,46 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ahci" "ohci_pci" "ehci_pci" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/7ed9e29c-d771-49a1-ae8a-8894f347c648";
fsType = "ext4";
};
boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/95122f15-5621-457c-972c-c057ca416212";
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/02a2afe4-ee00-4d3d-884a-e195b9814bfd";
fsType = "ext4";
};
fileSystems."/mnt/storage-tungsten" =
{ device = "/dev/disk/by-uuid/3d386e15-9d64-42a6-8d6d-571272d5e78e";
fsType = "ext4";
};
boot.initrd.luks.devices."crypt-storage-tungsten".device = "/dev/disk/by-uuid/e4142245-4c69-42e6-9b1f-fa4dc7fef7d8";
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

27
hosts/tungsten/secrets.json Normal file
View File

@@ -0,0 +1,27 @@
{
"wg-clerie": "ENC[AES256_GCM,data:OtSzmacWH9leDuykr7Tp5lR2FDoNGQ61V/9z6xBD1eCDSLOvt8UdILMETJU=,iv:NNGqR7UG3bZWETpZRwEdS4O1nRO4cBT72fljpqSbtyc=,tag:mea+5E8B655ljRzk63IDOw==,type:str]",
"wg-monitoring": "ENC[AES256_GCM,data:+k7ATUbPnEfb4O4lUs8d4ZlvMPlsxC5mrCi1bXOje47XDcpioDwzRTQNPrU=,iv:p4JdSMbBcb/8Uh/9RuUSs64VBRQJHu6k5FB50UsxXVU=,tag:NRyBs1CO77AV4CbD6a6gig==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1dvl2pylf9vs4vt27g8z8nzpuwt88zl5fj7a68papsmenze7gd3mstyalks",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkOGRQMDhycnViTVR5M1Aw\nbjFGbXBINTJsTEdKU1ZoMDVIMUQrU1R2M2hFCk9XY0NxMlZoZXJhMVIvZ1hLUXJt\nSVdzWEpraGc3aUFBUWU2Uk9WK2J1cncKLS0tIEZPUVY1V2Z0RDhJR2VweVFsZnY5\nREp1cERaVzcrTTRhL0tpVWpMc1pCdWcKB3ZbqB8tGdXgXra3fRL/gw4IEpNHBqp+\nKnw9XYYV2MDiL02+HF+bABVHbjngG85EGDRTDZMWnJtlxV4l+vzTVw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-02-25T17:46:27Z",
"mac": "ENC[AES256_GCM,data:EvbkM81pIqbYkvcBSWtyov5GN8D0PauWAiMmRYgWl2fijlH7zEpsCh0XU544prqpb7vh8ShAuCecVpWsdWUIAIT62ToB28NdefDhX2HDl4B1XeIy2X9i+jhnaXLjbwc+r8IhTHOJ/uWeVrNQyb4g9nOaijzDGVJbwKnJ6M+O7fU=,iv:WAIwdemTsTHLnGtFtg/KgyjId3+RpivNDc1LFZjG3jY=,tag:YmaYFT9smKChwd5vVisfLQ==,type:str]",
"pgp": [
{
"created_at": "2025-02-25T17:27:17Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPAQ/+In2YZByknfnhl2zYmOUTQCrjpiyXbf8/ai0Ko8TZZCRy\nhrpxyvKP+/u7CMS+giouoxKJ4XLDbHacoz06qF1I9i9iSVelXxQ5epSHk4BLLocw\nP5S6ZnE3jQO4G5goC/LU7nARN2IMwYq2rRZe8o8SLDMTZqGnlk9vBihcE4rN4lpd\nLbSb+cT6wDba32xKNZuP9IRPU2gqjOAg99gbh7Se2zB4Q7AxpgUl6EZZ7OMqVl/C\nbgSQFgwJxFPoH8KBS4wICbHTyWGvg2iEQyh1zNElUwbW112kyfBxGHKFukfEapIj\n2Cv0+Jme3VA750rZmJ4xcOZeoz0n7THBHdFjE122dkXhUdkQmohKzjngIZySUqDI\nuaDf43ebi6tPgCdC6gKLbYUUml+WEOmIRcgmIEswG9iRF/vjOYLK9OxclAKLDDar\nN9zgRFW1qR0HZhAbC61L1CqhKZzjQpNpjYn2pwmR+NnU/DDrlSdJLnHnrMdPeG6l\nBVp7oLhct2DwrypEYOvccrEwRakJSjCyC6cPWbUv7upjovTvcSAh21XNLnHJaMsY\n+sbJf5vshnALIkEXRyMBa5to7RZQvWx9qdklykjbXUEheM9RQATjGdnFQHuM05LI\npWKX038xlEaPe4nJa4PBGub23GZ1zuP3zE+N0W4XTR3r3ZGsMncqntiPJaaBgzWF\nAgwDvZ9WSAhwutIBEADMfdHvINLP6Gu7/DeLUboRnTHpP8x+rfTy9lcIW2RmQHbz\nLeAwBbeqyvLUi9ObjwclVWvPHqbPyGwibt96mTgGnkAEwXCgcXfWz/vCRZ0UHcvT\nimFM4H+ecOKws7t+sf31PAMPE0eSSJIYXVU9pej0qaKzR3zMBvQi6CsB0F1e2Fkz\n0HbilJMELaKFbJJsTXtDyl9Afi8OtVcBoG8P/1ImM/gcJLU548WTwPtzYUufHt5q\nkb45PjEId3m/g6CF6nh4GCQtRwOWjah49Zsk5cuI1aO/Q0gPyndgzFL5fYOfPlGN\nPTQ2KFMUh1dkvVVzyNFFC1vqXx2KH5l2gdTRkzaFQ3Qjjx1kluM5AlEl2Ynx4sbQ\nVaFZHFjQnoFtDn08BzNS7Cu/5SOdXejihen4sg0bGjEz6aVGwHXQJcp0BigH2y3f\n/OtnCK5KjFSQsdgTV5trstQgFQMqbMiVEqd3u+3lTxGJ/dQ7NXerFroITUC4J3Uu\n3VRdWTlgPED8hiA1NQaOiy2bbMzAgaR86qHK6JhxnP/6ETaByPPb27Oisblhhq9p\nCDw4eNGws1WsAyjZkyatzLZwUs2zOt4ZKjDlim8EikdGJpDcHnameRtI97QgPDO/\nzA5zHMrDuMN1iMw92WIAQyEQtJgyy4m3YvUsnlpHqKOgSNpwG/8j1zXHLH2p1IUC\nDAM1GWv08EiACgEQALEoa50qGjadZkaHI2tXFVv8RF1d8nR+L946DyMImjuMObei\n6Sx/Nc3bHzHSMsf27T120EUU0yUERdncoOQTRWBemMoB6tWYGTIAG0uDhrHl6rzW\nOUC5G7023H3cHStXbFFBp+JargnE1XgcapHM0p29GgUCE21UDBXzm7MB6x+9AKdd\nsc6qXD1xNPWc7RSqLL6anvcT/eLZW5Y1Ep2T7r5gQ81Fbxh4RicCphmApDC91Dii\nfZ/Va3JUeFm/82edeE4FqJUO9Akk2sPmVnXBYWPRq55/Uyk61J8u2b8tY7OcLSmr\nw/eaJq2bgDda3MBVzF3G9nr3BGhl8g7lCSCPS3gCFfs7C3Djp/YP0L8rMsH2ym1Q\nEj7rWC3K1xwtqowDx+EcYDMwmUtJqkia6o3WVM1qJM25QuCg2mnv9anMTgWuLpQo\nk1Av4FR+zV6aK3A7mxxjG0BsSUGjrrzoJC5DV1DSZ335lqlZxmthJoF0mda02nbh\nUlzpHEpG3/eWXjfDSbEYU8iVK2HWX9/i2gnXbpREuEnt5xpuSQ/sBT6tmit1FwK2\ntYZ+wtCMjWKkeZtvbP9Fx0nLYhVyMXvLhR1VLosCymKqWCIBj8VINagmPLiToEMd\nfpVs8m35neD4258CZOvBgqFvmxlGb9e27p8PHmlg9UNb/v7sYmSgm4IH0zi11GgB\nCQIQbpoXf1EJlriSHiqcUZCIvY/H37TWSJ6+tCcUSUipA+dLgt4pnKBjeM6RFSPG\n81eTm0AZIpmRDx/i31knPNh5JL6RYm5t66ncM46VkO1FIatkdKDfJbYe9J6ezWCs\nMDYTejoBhQ==\n=EuYe\n-----END PGP MESSAGE-----",
"fp": "0C982F87B7AFBA0F504F90A2629E741947C87928"
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.9.2"
}
}

1
hosts/tungsten/ssh.pub Normal file
View File

@@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJq5WWALjFHvmUdcWdKN5BBRS1F/EWaBet6oftrbxt1F

Some files were not shown because too many files have changed in this diff Show More